Proving Probabilistic Properties of Gossip Protocols for any

Proving Probabilistic Properties of Gossip Protocols for any Number of Processes Douglas Graham Department of Computing Science University of Glasgow

Overview n Parameterised model checking – – – n n Classical parameterised model checking problem Proof by induction: Firewire example Probabilistic parameterised model checking problem Gossip protocols SIR Gossip Protocol – PRISM model – Parameterised model checking – Induction proof n Replicated Databases Gossip Protocol – PRISM model – Parameterised model checking 1/16/2022 2

Parameterised Model Checking n For system M(N)=p(1) || p(2) || … || p(N) can only model check property P for fixed N What if we want to verify for any N? n Undecidable in general but techniques apply for subclasses of system n E. g. proof by induction n – Firewire leader election protocol 1/16/2022 3

Parameterised Model Checking 2 0 1 1/16/2022 4

Parameterised Model Checking 2 0 P 1 1/16/2022 5

Parameterised Model Checking 0 2 C P 1 1/16/2022 6

Parameterised Model Checking 0 2 A P 1 1/16/2022 7

Parameterised Model Checking 0 P 1 1/16/2022 8

Parameterised Model Checking 0 C 1 1/16/2022 9

Parameterised Model Checking 0 A 1 1/16/2022 10

Parameterised Model Checking 0 1/16/2022 11

Parameterised Model Checking Notice that once child node has sent ack it no longer takes part n System is described as degenerative n Can exploit this behaviour n Prove by induction that certain types of property hold for any number of nodes [Calder & Miller] n 1/16/2022 12

Probabilistic Parameterised Model Checking n Techniques to solve parameterised model checking problem for probabilistic systems? – in particular randomised distributed algorithms Several for proving qualitative properties based on classical methods n Some manual proofs n 1/16/2022 13

Probabilistic Parameterised Model Checking 1/16/2022 14

Probabilistic Parameterised Model Checking n Find bounds for curve – In particular for “monotonic” properties i. e. probability is increasing or decreasing as N increases – Find upper or lower bound by model checking n Tightness of bound restricted by state space explosion – Show all instances satisfy bound n n n How do we know this? Constraints on model & property? Technique suited to degenerative systems? 1/16/2022 15

Gossip Protocols n Based on SIR model of epidemics: population of (S)usceptible, (I)nfective and (R)emoved individuals b r S n n I R Disseminate information in distributed peer-to-peer network of processes Each process that receives information randomly selects processes to forward information to Simple, scalable, robust, probabilistically reliable but unpredictable? Garbage collection, Membership management, Failure detection, Database updates, Message broadcast, … 1/16/2022 16

Example 1: SIR Gossip Protocol

SIR Gossip Protocol Closely related to SIR model n Consider single `infection’ n Population of N network sites n Fully connected network n 1/16/2022 18

SIR Gossip Protocol Initially one process is infective; N 1 others are susceptible 1/16/2022 19

SIR Gossip Protocol Infective process sends message to susceptible process 1/16/2022 20

SIR Gossip Protocol Susceptible process becomes infective with probability B 1/16/2022 21

SIR Gossip Protocol Infective process transmits message to a susceptible site 1/16/2022 22

SIR Gossip Protocol Process chooses to remain susceptible with probability (1 -B) 1/16/2022 23

SIR Gossip Protocol X Infective process chooses to become removed with probability R 1/16/2022 24

SIR Gossip Protocol System now behaves as N-1 processes (system degenerates) 1/16/2022 25

SIR Gossip Protocol const int N=3; const double B=1/2; const double R=1/2; module population s : [0. . N] init N-1; i : [0. . N] init 1; // susceptibles // infectives [] (s>0 & i>0) -> (B*s/(s+1)) : (s'=s-1) & (i'=i+1) + (R/(s+1)) : (i'=i-1) + (1 -((B*s+R)/(s+1))) : (s'=s); [] (s=0 & i>0) -> (R/ (s+1)) : (i'=i-1) + (1 -(R/(s+1))) : (s'=s); [] (i=0) -> 1 : (i'=i); endmodule 1/16/2022 26

SIR Gossip Protocol 1/2 s=2 1/6 s=2 i=1 i=0 1/3 1/2 N=3 1 s=1 1/4 i=2 1/4 s=1 i=1 1/4 s=1 i=0 s=0 1/2 i=3 s=0 i=2 1/2 s=0 i=1 1/2 1/16/2022 1 1/2 s=0 i=0 1 1/2 27

SIR Gossip Protocol n With probability g. t. e. 1/2 eventually all processes will become removed – “init” => P>=1/2 [ true U (s=0 & i=0)] 1/16/2022 28

SIR Gossip Protocol 1/16/2022 29

SIR Gossip Protocol X Infective process chooses to become removed with probability R 1/16/2022 30

SIR Gossip Protocol System now behaves as N-1 processes (system degenerates) 1/16/2022 31

SIR Gossip Protocol s=0 i=1 1/2 1/16/2022 1/2 s=0 i=0 1 N=1 32

SIR Gossip Protocol 1/2 s=1 i=1 1/4 s=0 i=2 1/2 1/16/2022 s=1 i=0 s=0 i=1 1/2 N=2 s=0 i=0 1 N=1 33

SIR Gossip Protocol 1/2 1/2 s=2 1/6 s=2 i=1 i=0 1/3 1/2 s=1 1/4 i=2 1/4 s=1 i=1 1/4 s=0 1/2 i=3 s=0 i=2 1/2 1/16/2022 1 N=3 s=1 i=0 s=0 i=1 1/2 N=2 s=0 i=0 1 N=1 34

SIR Gossip Protocol s=N-1(N-1)/2 Ns=N-1 i=0 1 s=? i=0 s=2 i=N-2 1/3 s=1 i=N-1 1/4 s=0 i=N 1/16/2022 1 s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 35 1

SIR Gossip Protocol: Induction Proof P>=1/2 [ true U (s=0 & i=0)] s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 1/16/2022 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 36 1

SIR Gossip Protocol: Induction Proof P>=1/2 [ true U (s=0 & i=0)] s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 1/16/2022 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 37 1

SIR Gossip Protocol: Induction Proof P>=1/2 [ true U (s=0 & i=0)] s=N-1(N-1)/2 Ns=N-1 i=0 1 s=? i=0 s=2 i=N-2 1/3 s=1 i=N-1 1/4 s=0 i=N 1/16/2022 1 s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 38 1

SIR Gossip Protocol: Induction Proof P>=1/2 [ true U (s=0 & i=0)] s=N-1(N-1)/2 Ns=N-1 i=0 1 s=? i=0 s=2 i=N-2 1/3 s=1 i=N-1 1/4 s=0 i=N 1/16/2022 1 s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 39 1

SIR Gossip Protocol: Induction Proof s=N i=1 1/2(N+1) s=N i=0 P>=1/2 [ true U (s=0 & i=0)] 1 N/2(N+1) s=N-1(N-1)/2 Ns=N-1 i=2 i=1 i=0 1 s=? i=0 1/6 s=2 i=N-1 1/3 s=1 i=N s=2 i=N-2 1/3 1/4 s=0 1/2 i=N+1 1/16/2022 s=1 i=N-1 1/4 s=0 i=N 1 s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 40 1

SIR Gossip Protocol: Induction Proof s=N i=1 1/2(N+1) s=N i=0 P>=1/2 [ true U (s=0 & i=0)] 1 N/2(N+1) s=N-1(N-1)/2 Ns=N-1 i=2 i=1 i=0 1 s=? i=0 1/6 s=2 i=N-1 1/3 s=1 i=N s=2 i=N-2 1/3 1/4 s=0 1/2 i=N+1 1/16/2022 s=1 i=N-1 1/4 s=0 i=N 1 s=2 i=1 1/6 s=2 i=0 1 1/3 s=1 i=2 1/4 s=0 i=3 s=1 i=1 1/4 s=1 i=0 1 1/4 1/2 s=0 i=2 1/2 s=0 i=1 1/2 s=0 i=0 41 1

Example 2: Replicated Databases Gossip Protocol

Replicated Databases Gossip Protocol n n n Replicated Database Maintenance [Demers et al. ] Update made at a single site must be propagated to all other sites Rumour Mongering – Each site maintains a list of `infective’ updates – Periodically an infective site randomly chooses another site to share its updates with – If infective site contacts a site that already knows about an update then with probability 1/k that update becomes removed 1/16/2022 43

Replicated Databases n Simplifying assumptions n Only one update n Initially one infective site n No cycles/ periods n Fully connected topology (full membership) n Communication synchronous n No failures 1/16/2022 44

Replicated Databases Gossip Protocol Initially one site is infective; N-1 others are susceptible 1/16/2022 45

Replicated Databases Gossip Protocol Infective site randomly chooses a site to send ‘infect’ message to 1/16/2022 46

Replicated Databases Gossip Protocol Susceptible site receives message and becomes infective 1/16/2022 47

Replicated Databases Gossip Protocol 1/16/2022 Infective site is chosen nondeterministically & sends message to randomly chosen site 48

Replicated Databases Gossip Protocol Site receives message and becomes infective 1/16/2022 49

Replicated Databases Gossip Protocol Scheduled infective site randomly chooses site to transmit message to 1/16/2022 50

Replicated Databases Gossip Protocol X Receiving site is infected; sending site becomes removed with prob 1/k 1/16/2022 51

Replicated Databases Gossip Protocol X 1/16/2022 Removed site no longer transmits messages but can still receive messages 52

Replicated Databases Gossip Protocol const int N=3; const int k=1; module population s : [0. . N] init N-1; i : [0. . N] init 1; // susceptibles // infectives [] (s>0 & i>0) -> (s/(N-1)) : (s'=s-1) & (i'=i+1) + (N-1 -s)/((N-1)*k) : (i'=i-1) + (k-1)*(N-1 -s)/((N-1)*k) : (s'=s); [] (s=0 & i>0) -> (N-1 -s)/((N-1)*k) : (i'=i-1) + (k-1)*(N-1 -s)/((N-1)*k) : (s'=s); [] (i=0) -> 1 : (i'=i); endmodule 1/16/2022 53

Replicated Databases Gossip Protocol N=3 s=2 i=1 1 s=1 1/2 i=2 1/2 s=0 1 i=3 1/16/2022 s=1 i=1 1/2 s=0 i=2 1/2 s=1 i=0 1 s=0 i=1 1 1 s=0 i=0 1 54

Replicated Databases Gossip Protocol n With probability l. t. e. 3/4 eventually all processes will become removed – “init” => P<=3/4 [ true U (s=0 & i=0)] 1/16/2022 55

Replicated Databases Gossip Protocol 1/16/2022 56

Replicated Databases Gossip Protocol N=2 s=1 i=1 1 s=0 i=2 1/16/2022 1 s=0 i=1 1 s=0 i=0 1 57

Replicated Databases Gossip Protocol N=3 s=2 i=1 1 s=1 1/2 i=2 1/2 s=0 1 i=3 1/16/2022 s=1 i=1 1/2 s=0 i=2 1/2 s=1 i=0 1 s=0 i=1 N=2 1 1 s=0 i=0 1 58

Replicated Databases Gossip Protocol N=4 s=2 i=1 1 s=2 1/3 i=1 2/3 s=1 i=1 s=1 2/3 i=2 1/3 s=1 i=1 1/3 s=0 1 i=3 1/16/2022 s=0 1 i=3 s=0 i=2 N=3 1 2/3 s=1 i=0 1 s=0 i=1 N=2 1 1 s=0 i=0 1 59

Further Work n n n Proof for replicated databases example! Further analysis of gossip protocols Apply to other ‘pseudo’-degenerative systems – Randomised consensus weak shared coin protocol (Aspnes & Herlihy) – Asynchronous Leader Election in a Ring (Itai & Rodeh) – Other gossip protocols (Replicated distributed databases, message broadcast etc. ) 1/16/2022 60