Proving Probabilistic Properties of Gossip Protocols for any Number of Processes
Douglas Graham, Department of Computing Science, University of Glasgow

Overview
- Parameterised model checking
  - Classical parameterised model checking problem
  - Proof by induction: Firewire example
  - Probabilistic parameterised model checking problem
- Gossip protocols
- SIR Gossip Protocol
  - PRISM model
  - Parameterised model checking
  - Induction proof
- Replicated Databases Gossip Protocol
  - PRISM model
  - Parameterised model checking
1/16/2022

Parameterised Model Checking
- For system M(N) = p(1) || p(2) || … || p(N) can only model check property P for fixed N
- What if we want to verify for any N?
- Undecidable in general but techniques apply for subclasses of system
- E.g. proof by induction
  - Firewire leader election protocol

Parameterised Model Checking [Figure sequence: nodes 0, 1 and 2, with labels P, C and A shown in successive frames; node 2 and then node 1 disappear, leaving only node 0]

Parameterised Model Checking
- Notice that once child node has sent ack it no longer takes part
- System is described as degenerative
- Can exploit this behaviour
- Prove by induction that certain types of property hold for any number of nodes [Calder & Miller]

Probabilistic Parameterised Model Checking
- Techniques to solve parameterised model checking problem for probabilistic systems?
  - in particular randomised distributed algorithms
- Several for proving qualitative properties based on classical methods
- Some manual proofs

Probabilistic Parameterised Model Checking
- Find bounds for curve
  - In particular for "monotonic" properties, i.e. probability is increasing or decreasing as N increases
  - Find upper or lower bound by model checking
    - Tightness of bound restricted by state space explosion
  - Show all instances satisfy bound
    - How do we know this?
    - Constraints on model & property?
    - Technique suited to degenerative systems?

Gossip Protocols
- Based on SIR model of epidemics: population of (S)usceptible, (I)nfective and (R)emoved individuals
  [Figure: S → I → R, with the arrows labelled b and r]
- Disseminate information in distributed peer-to-peer network of processes
- Each process that receives information randomly selects processes to forward information to
- Simple, scalable, robust, probabilistically reliable but unpredictable?
- Garbage collection, Membership management, Failure detection, Database updates, Message broadcast, …

Example 1: SIR Gossip Protocol
SIR Gossip Protocol
- Closely related to SIR model
- Consider single 'infection'
- Population of N network sites
- Fully connected network

SIR Gossip Protocol: Initially one process is infective; N-1 others are susceptible
SIR Gossip Protocol: Infective process sends message to susceptible process
SIR Gossip Protocol: Susceptible process becomes infective with probability B
SIR Gossip Protocol: Infective process transmits message to a susceptible site
SIR Gossip Protocol: Process chooses to remain susceptible with probability (1-B)
SIR Gossip Protocol: Infective process chooses to become removed with probability R
SIR Gossip Protocol: System now behaves as N-1 processes (system degenerates)

SIR Gossip Protocol

    const int N=3;
    const double B=1/2;
    const double R=1/2;

    module population
      s : [0..N] init N-1; // susceptibles
      i : [0..N] init 1;   // infectives

      // a susceptible is infected, an infective is removed, or nothing changes
      [] (s>0 & i>0) -> (B*s/(s+1)) : (s'=s-1) & (i'=i+1)
                      + (R/(s+1)) : (i'=i-1)
                      + (1-((B*s+R)/(s+1))) : (s'=s);
      // no susceptibles left: infectives can only be removed
      [] (s=0 & i>0) -> (R/(s+1)) : (i'=i-1)
                      + (1-(R/(s+1))) : (s'=s);
      // no infectives left: absorbing state
      [] (i=0) -> 1 : (i'=i);
    endmodule

SIR Gossip Protocol [Figure: state transition diagram of the model for N=3, over states (s, i) from s=2, i=1 down to s=0, i=0, with transition probabilities 1/2, 1/3, 1/4 and 1/6 and probability-1 loops on the i=0 states]

SIR Gossip Protocol
- With probability greater than or equal to 1/2, eventually all processes will become removed
  - "init" => P>=1/2 [ true U (s=0 & i=0) ]

SIR Gossip Protocol: Infective process chooses to become removed with probability R
SIR Gossip Protocol: System now behaves as N-1 processes (system degenerates)

SIR Gossip Protocol [Figure sequence: state transition diagrams over states (s, i) for N=1, N=2 and N=3, each containing the diagram for the next smaller N, followed by the diagram for general N]

SIR Gossip Protocol: Induction Proof
P>=1/2 [ true U (s=0 & i=0) ]
[Figure sequence: the state transition diagrams for N=3 and for general N, then the general diagram extended with the states s=N, i=1 and s=N, i=0, with transition labels 1/2(N+1) and N/2(N+1)]

Example 2: Replicated Databases Gossip Protocol
Replicated Databases Gossip Protocol
- Replicated Database Maintenance [Demers et al.]
- Update made at a single site must be propagated to all other sites
- Rumour Mongering
  - Each site maintains a list of 'infective' updates
  - Periodically an infective site randomly chooses another site to share its updates with
  - If infective site contacts a site that already knows about an update then with probability 1/k that update becomes removed

Replicated Databases
- Simplifying assumptions
  - Only one update
  - Initially one infective site
  - No cycles/periods
  - Fully connected topology (full membership)
  - Communication synchronous
  - No failures

Replicated Databases Gossip Protocol: Initially one site is infective; N-1 others are susceptible
Replicated Databases Gossip Protocol: Infective site randomly chooses a site to send 'infect' message to
Replicated Databases Gossip Protocol: Susceptible site receives message and becomes infective
Replicated Databases Gossip Protocol: Infective site is chosen nondeterministically & sends message to randomly chosen site
Replicated Databases Gossip Protocol: Site receives message and becomes infective
Replicated Databases Gossip Protocol: Scheduled infective site randomly chooses site to transmit message to
Replicated Databases Gossip Protocol: Receiving site is infected; sending site becomes removed with prob 1/k
Replicated Databases Gossip Protocol: Removed site no longer transmits messages but can still receive messages

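Replicated Databases Gossip Protocol

    const int N=3;
    const int k=1;

    module population
      s : [0..N] init N-1; // susceptibles
      i : [0..N] init 1;   // infectives

      // contacted site is susceptible (infected), or already knows the update
      // (sender removed with probability 1/k, otherwise nothing changes)
      [] (s>0 & i>0) -> (s/(N-1)) : (s'=s-1) & (i'=i+1)
                      + (N-1-s)/((N-1)*k) : (i'=i-1)
                      + (k-1)*(N-1-s)/((N-1)*k) : (s'=s);
      // no susceptibles left: infectives can only be removed
      [] (s=0 & i>0) -> (N-1-s)/((N-1)*k) : (i'=i-1)
                      + (k-1)*(N-1-s)/((N-1)*k) : (s'=s);
      // no infectives left: absorbing state
      [] (i=0) -> 1 : (i'=i);
    endmodule
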
Replicated Databases Gossip Protocol [Figure: state transition diagram of the model for N=3, over states (s, i) from s=2, i=1 down to s=0, i=0, with transition probabilities 1 and 1/2]

Replicated Databases Gossip Protocol
- With probability less than or equal to 3/4, eventually all processes will become removed
  - "init" => P<=3/4 [ true U (s=0 & i=0) ]

Replicated Databases Gossip Protocol [Figure sequence: state transition diagrams over states (s, i) for N=2, N=3 and N=4, the larger diagrams annotated with the smaller instances N=2 and N=3, with transition probabilities 1, 1/2, 1/3 and 2/3]

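Added example (not from the original slides): exact evaluation of P[ true U (s=0 & i=0) ] for both PRISM models over a range of N. It relies on the degenerative structure: s never increases and i only drops when s is unchanged, so the chain is acyclic apart from self-loops. The Python function names are this example's own; B=R=1/2 and k=1 are the constants from the slides.

```python
from fractions import Fraction as F
from functools import lru_cache

def sir_steps(B=F(1, 2), R=F(1, 2)):
    """Commands of the SIR module as (probability, next (s, i)) pairs."""
    def steps(s, i):
        infect, remove = B * s / (s + 1), R / (s + 1)
        return [(infect, (s - 1, i + 1)), (remove, (s, i - 1)),
                (1 - infect - remove, (s, i))]
    return steps

def db_steps(N, k=1):
    """Commands of the replicated-databases module (needs N >= 2)."""
    def steps(s, i):
        infect, remove = F(s, N - 1), F(N - 1 - s, (N - 1) * k)
        return [(infect, (s - 1, i + 1)), (remove, (s, i - 1)),
                (1 - infect - remove, (s, i))]
    return steps

def p_all_removed(steps, N):
    """Exact P[ true U (s=0 & i=0) ] from the initial state s=N-1, i=1."""
    @lru_cache(maxsize=None)
    def p(s, i):
        if i == 0:                      # absorbing: success only if s == 0
            return F(int(s == 0))
        stay = total = F(0)
        for prob, nxt in steps(s, i):
            if prob == 0:               # e.g. the infect branch when s == 0
                continue
            if nxt == (s, i):
                stay += prob            # self-loop, factored out below
            else:
                total += prob * p(*nxt)
        return total / (1 - stay)
    return p(N - 1, 1)

def table(max_n=8):
    """N -> (SIR probability, replicated-databases probability)."""
    return {n: (p_all_removed(sir_steps(), n), p_all_removed(db_steps(n), n))
            for n in range(2, max_n + 1)}

if __name__ == "__main__":
    for n, (sir, db) in table().items():
        print(f"N={n}: SIR {sir} ({float(sir):.3f})  DB {db} ({float(db):.3f})")
```

With k=1 the replicated-databases value is 1 at N=2 and 3/4 at N=3, so the P<=3/4 bound applies from N=3 onwards; the SIR value is 1/2 at N=2 and N=3.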
Further Work
- Proof for replicated databases example!
- Further analysis of gossip protocols
- Apply to other 'pseudo'-degenerative systems
  - Randomised consensus weak shared coin protocol (Aspnes & Herlihy)
  - Asynchronous Leader Election in a Ring (Itai & Rodeh)
  - Other gossip protocols (Replicated distributed databases, message broadcast etc.)