LNCS 10083

Borzoo Bonakdarpour
Franck Petit (Eds.)

Stabilization, Safety,
and Security
of Distributed Systems
18th International Symposium, SSS 2016
Lyon, France, November 7–10, 2016
Proceedings

123


Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland

John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany

10083


More information about this series at />

Borzoo Bonakdarpour Franck Petit (Eds.)
•

Stabilization, Safety,
and Security
of Distributed Systems
18th International Symposium, SSS 2016
Lyon, France, November 7–10, 2016
Proceedings


123


Editors
Borzoo Bonakdarpour
McMaster University
Hamilton, ON
Canada

Franck Petit
LIP6, INRIA, UPMC Sorbonne Universities
Paris
France

ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-49258-2
ISBN 978-3-319-49259-9 (eBook)
DOI 10.1007/978-3-319-49259-9
Library of Congress Control Number: 2015943848
LNCS Sublibrary: SL1 – Theoretical Computer Science and General Issues
© Springer International Publishing AG 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant

protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland


Preface

The papers in this volume were presented at the 18th International Symposium on
Stabilization, Safety, and Security of Distributed Systems (SSS), held November 8–10,
2016, in Lyon, France.
SSS is an international forum for researchers and practitioners in the design and
development of distributed systems with self-* properties: self-stabilizing, selfconfiguring, self-organizing, self-managing, self-healing, self-optimizing, self-adaptive,
self-repairing, self-protecting, etc. They mainly aim to tolerate different kinds of undesirable phenomena without human intervention. Research in distributed systems is now at
a crucial point in its evolution, marked by the importance of dynamic systems such as
peer-to-peer networks, large-scale wireless sensor networks, mobile ad hoc networks,
cloud computing, mobile agent computing, opportunistic networks, and robotic networks.
Moreover, new applications with self-* requirements are currently coming up in different
fields such as grid and Web services, banking and e-commerce, e-health and robotics,
aerospace and avionics, automotive, and industrial process control, among others.
SSS started as the Workshop on Self-Stabilizing Systems (WSS), the first two of
which were held in Austin in 1989 and in Las Vegas in 1995. Since 1995, the
workshop has been held biennially; it was held in Santa Barbara (1997), Austin (1999),
and Lisbon (2001). As interest grew and the community expanded, in 2003, the title
of the forum was changed to the Symposium on Self-Stabilizing Systems (SSS). SSS

was organized in San Francisco in 2003 and in Barcelona in 2005. As SSS broadened
its scope and attracted researchers from other communities, significant changes were
made in 2006. It became an annual event, and the name of the conference was changed
to the International Symposium on Stabilization, Safety, and Security of Distributed
Systems (SSS). From then, SSS conferences were held in Dallas (2006), Paris (2007),
Detroit (2008), Lyon (2009), New York (2010), Grenoble (2011), Toronto (2012),
Osaka (2013), Paderborn (2014), and Edmonton (2015).
This year the Program Committee was organized into three groups reflecting the
major trends related to self-* systems: (a) Self-* and Autonomic Computing,
(b) Foundations, and (c) Networks, Multi-Agent Systems, and Mobility.
We received 53 submissions from 30 countries. Each submission was reviewed by
at least three Program Committee members with the help of external reviewers. Out
of the 53 submitted papers, 23 papers were selected for presentation. The symposium
also included nine short papers. Selected papers from the symposium will be published
in a special issue of Theory of Computing Systems (TOCS) journal. This year, we were
very fortunate to have three distinguished invited speakers: Hagit Attiya (Technion,
Israel), Joseph Halpern (Cornell University, USA), and Maurice Herlihy (Brown
University, USA).
We would like to deeply thank the program vice chairs, Stéphane Devismes, Vijay
Garg, Manish Parashar, Yvonne-Anne Pignolet, Sergio Rajsbaum, and Roger
Wattenhofer. We sincerely acknowledge the tremendous time and effort that the


VI

Preface

Program Committee members have put in for the symposium. We are grateful to the
external reviewers for their valuable and insightful comments. We also thank the
members of the Steering Committee for their invaluable advice. We gratefully

acknowledge the publicity chair, Janna Burman, local organization chair, Eddy Caron,
and the Organizing Committee members for their time and invaluable effort that greatly
contributed to the success of this symposium. Last but not least, on behalf of the
Program Committee, we thank all the authors who submitted their work to SSS.
Finally, the process of paper submission, selection, and compilation of the proceedings was greatly simplified thanks to the strong and friendly interface of the
EasyChair system ().
November 2016

Borzoo Bonakdarpour
Franck Petit


Organization

General Chair
Franck Petit

UPMC, Sorbonne Universities, France

Program Chair
Borzoo Bonakdarpour

McMaster University, Canada

Vice Chairs
Track 1: Self-* and Autonomic Computing
Stéphane Devismes
Manish Parashar

University of Grenoble, France

Rutgers University, USA

Track 2: Foundations
Vijay Garg
Sergio Rajsbaum

University of Texas Austin, USA
UNAM, Mexico

Track 3: Networks, Multi-Agent Systems, and Mobility
Yvonne Anne Pignolet
Roger Wattenhofer

ABB Corporate Research, Switzerland
ETH-Zurich, Switzerland

Local Arrangements Chairs
Eddy Caron
Sara Bouchenak

ENS de Lyon, LIP, France
INSA Lyon LIRIS, France

Publicity Committee
Janna Burman (Chair)
Anissa Lamani
Fahiyeh Faghih

University of Paris-Sud, France
Kyushu University, Japan

McMaster University, Canada

Webmasters
Daniel Balouek-Thomert
Violaine Villebonnet

ENS de Lyon/NewGeneration-SR, LIP, France
Inria, LIP, Lyon, France


VIII

Organization

Program Committee
Self-* and Autonomic Computing
Chairs: Stéphane Devismes and Manish Parashar
Eddy Caron
Abhishek Chandra
Sylvie Delaet
Simon Dobson
Swan Dubois
Pascal Felber
Salima Hassas
Taisuke Izumi
Yoonhee Kim
Adrian Lebre
David Peleg
Omer Rana
Elad Schiller

Alexander Schwarzmann
Naveen Sharma
Alan Sill
Rafael Tolosana
Volker Turau
Giuseppe Valetto
Vladimir Vlassov
Yukiko Yamauchi
Franco Zambonelli

ENS de Lyon, LIP, France
University of Minnesota, USA
Université Paris Sud, LRI, France
University of St. Andrews, UK
Université Pierre et Marie Curie, LIP6, France
University of Neuchatel, Switzerland
LIRIS, France
Nagoya Institute of Technology, Japan
Sookmyung Women’s University, South Korea
Inria, France
Weizmann Institute, Israel
Cardiff University, UK
Chalmers University, Sweden
University of Connecticut, USA
Rochester Institute of Technology, USA
Texas Tech University, USA
University of Zaragoza, Spain
Hamburg University of Technology, Germany
Fondazione Bruno Kessler, Italy
KTH, Sweden

Kyushu University, Japan
University of Modena and Reggio Emilia, Italy

Foundations
Chairs: Vijay Garg and Sergio Rajsbaum
Costas Busch
Fathiyeh Faghih
Ylies Falcone
Panagiota Fatourou
Leszek Gasieniec
Danny Hendler
Ted Herman
Prasad Jayanti
Kishore Kothapalli
Evangelos Kranakis
Fabian Kuhn
Petr Kuznetsov
Hammurabi Mendes
Neeraj Mittal
Achour Mostefaoui

Louisiana State University, USA
McMaster University, Canada
University of Grenoble, France
University of Ioannina, Greece
University of Liverpool, UK
Ben-Gurion University, Israel
University of Iowa, USA
Dartmouth College, USA
IIIT Hyderabad, India

Carleton University, Canada
University of Freiburg, Germany
Telecom ParisTech, France
University of Rochester, USA
University of Texas Dallas, USA
University of Nantes, France


Organization

David Peleg
Alper Sen
Josef Widder
Philipp Woelfel

Weizmann Institute, Israel
Bogazici University, Turkey
TU Vienna, Austria
University of Calgary, Canada

Networks, Multi-Agent Systems, and Mobility
Chairs: Yvonne Anne Pignolet and Roger Wattenhofer
Lelia Blin
Michael Borokhovich
Shiri Chechik
Yuval Emek
Olga Goussevskaia
Kim Larsen
Stephan Holzer
Francis Lau

Erwan Le Merrer
Uwe Nestmann
Merav Parter
Paolo Santi
Christian Scheideler
Gilles Tredan
Masafumi Yamashita

LIP6, France
AT&T, USA
Tel Aviv University, Israel
Technion, Israel
UFMG, Brazil
Aalborg University, Denmark
MIT, USA
Hong Kong University, SAR China
Technicolor, France
TU Berlin, Germany
MIT, USA
MIT, USA
University of Paderborn, Germany
LAAS CNRS, France
Kyushu University, Japan

Steering Committee
Anish Arora
Ajoy K. Datta (Chair)
Shlomi Dolev
Sukumar Ghosh
Mohamed Gouda

Ted Herman
Toshimitsu Masuzawa
Franck Petit
Sébastien Tixeuil

The Ohio State University, USA
University of Nevada, Las Vegas, USA
Ben-Gurion University of the Negev, Israel
University of Iowa, USA
National Science Foundation, USA
University of Iowa, USA
Osaka University, Japan
UPMC, Sorbonne Universities, France
UPMC, Sorbonne Universities, France

Additional Reviewers
Andrew Berns
Wyatt Clements
Hardy Corentin
Alain Cournier
Gianlorenzo D’Angelo
Ajoy K. Datta
Klaus-Tycho Förster
Robert Gmyr

Emmanuel Godard
Shreyas Gokhale
Zhenhua Han
Ladislas Jacobe de Naurois
Christina Kolb

Yavuz Koroglu
Hari Krishnan
Ivan Li

IX


X

Organization

K. Alex Mills
Mikhail Nesterenko
Fukuhito Ooshita
Kenneth Platz
Tobias Prehn
Tsvetomira Radeva
Christina Rickmann
Stefan Schmid

Alexander Setzer
Anthony Simonet
Devan Sohier
Thim Strothmann
Hsin-Hao Su
Cesar A. Uribe
Christoph Wagner
Yong Zhang



Contents

Leader Election in Rings with Bounded Multiplicity (Short Paper) . . . . . . . .
Karine Altisen, Ajoy K. Datta, Stéphane Devismes, Anaïs Durand,
and Lawrence L. Larmore
Synchronous Gathering Without Multiplicity Detection: A Certified
Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Thibaut Balabonski, Amélie Delga, Lionel Rieg, Sébastien Tixeuil,
and Xavier Urbain
On the Power of Oracle X? for Self-Stabilizing Leader Election
in Population Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Joffroy Beauquier, Peva Blanchard, Janna Burman,
and Oksana Denysyuk

1

7

20

Self-stabilizing Byzantine-Tolerant Distributed Replicated State Machine . . . .
Alexander Binun, Thierry Coupaye, Shlomi Dolev,
Mohammed Kassi-Lahlou, Marc Lacoste, Alex Palesandro,
Reuven Yagel, and Leonid Yankulin

36

Self-stabilizing Robots in Highly Dynamic Environments. . . . . . . . . . . . . . .
Marjorie Bournat, Ajoy K. Datta, and Swan Dubois


54

Packet Efficient Implementation of the Omega Failure Detector . . . . . . . . . .
Quentin Bramas, Dianne Foreback, Mikhail Nesterenko,
and Sébastien Tixeuil

70

Probabilistic Asynchronous Arbitrary Pattern Formation (Short Paper) . . . . . .
Quentin Bramas and Sébastien Tixeuil

88

Flocking with Oblivious Robots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Davide Canepa, Xavier Defago, Taisuke Izumi,
and Maria Potop-Butucaru

94

Making Local Algorithms Wait-Free: The Case of Ring Coloring . . . . . . . . .
Armando Castañeda, Carole Delporte, Hugues Fauconnier,
Sergio Rajsbaum, and Michel Raynal

109

Meta-algorithm to Choose a Good On-Line Prediction (Short Paper) . . . . . . .
Alexandre Dambreville, Joanna Tomasik, and Johanne Cohen

126


On-Line Path Computation and Function Placement in SDNs . . . . . . . . . . . .
Guy Even, Moti Medina, and Boaz Patt-Shamir

131


XII

Contents

Infinite Unlimited Churn (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dianne Foreback, Mikhail Nesterenko, and Sébastien Tixeuil

148

Perfect Failure Detection with Very Few Bits . . . . . . . . . . . . . . . . . . . . . . .
Pierre Fraigniaud, Sergio Rajsbaum, Corentin Travers, Petr Kuznetsov,
and Thibault Rieutord

154

Snap-Stabilizing Tasks in Anonymous Networks. . . . . . . . . . . . . . . . . . . . .
Emmanuel Godard

170

Polynomial Silent Self-Stabilizing p-Star Decomposition (Short Paper) . . . . .
Mohammed Haddad, Colette Johnen, and Sven Köhler

185


Analysis of Computing Policies Using SAT Solvers (Short Paper) . . . . . . . .
Marijn J.H. Heule, Rezwana Reaz, H.B. Acharya,
and Mohamed G. Gouda

190

An Efficient Silent Self-stabilizing 1-Maximal Matching Algorithm Under
Distributed Daemon Without Global Identifiers. . . . . . . . . . . . . . . . . . . . . .
Michiko Inoue, Fukuhito Ooshita, and Sébastien Tixeuil
Self-stabilizing Byzantine Clock Synchronization with Optimal Precision . . . .
Pankaj Khanchandani and Christoph Lenzen
DecTDMA: A Decentralized-TDMA: With Link Quality Estimation
for WSNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Olaf Landsiedel, Thomas Petig, and Elad M. Schiller

195
213

231

Self-stabilizing Metric Graphs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Robert Gmyr, Jonas Lefèvre, and Christian Scheideler

248

Near-Optimal Self-stabilising Counting and Firing Squads . . . . . . . . . . . . . .
Christoph Lenzen and Joel Rybicki

263


Snap-Stabilizing PIF on Arbitrary Connected Networks in Message
Passing Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Florence Levé, Khaled Mohamed, and Vincent Villain
Towards Efficient and Robust BFT Protocols with ER-BFT (Short Paper) . . .
Lucas Perronne and Sara Bouchenak
Global Versus Local Computations: Fast Computing with Identifiers
(Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Mikaël Rabie
Automatic Addition of Conflicting Properties . . . . . . . . . . . . . . . . . . . . . . .
Mohammad Roohitavaf and Sandeep S. Kulkarni

281
298

304
310


Contents

Complete Visibility for Robots with Lights in O(1) Time. . . . . . . . . . . . . . .
Gokarna Sharma, Ramachandran Vaidyanathan, Jerry L. Trahan,
Costas Busch, and Suresh Rai
PSVR- Self-stabilizing Publish/Subscribe Communication for Ad-Hoc
Networks (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
G. Siegemund and V. Turau
Asynchronous Non-Bayesian Learning in the Presence of Crash Failures . . . .
Lili Su and Nitin H. Vaidya
Robust Multi-agent Optimization: Coping with Byzantine Agents with

Input Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Lili Su and Nitin H. Vaidya
Plane Formation by Semi-synchronous Robots in the Three Dimensional
Euclidean Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Taichi Uehara, Yukiko Yamauchi, Shuji Kijima,
and Masafumi Yamashita
Searching for an Evader in an Unknown Graph by an Optimal Number
of Searchers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Takahiro Yakami, Yukiko Yamauchi, Shuji Kijima,
and Masafumi Yamashita

XIII

327

346
352

368

383

399

Wait-Free Solvability of Colorless Tasks in Anonymous
Shared-Memory Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Nayuta Yanagisawa

415


Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

431


Leader Election in Rings
with Bounded Multiplicity
(Short Paper)
Karine Altisen1 , Ajoy K. Datta2 , St´ephane Devismes1 , Ana¨ıs Durand1(B) ,
and Lawrence L. Larmore2
1
Universit´e Grenoble Alpes, Grenoble, France
{karine.altisen,stephane.devismes,anais.durand}@imag.fr
2
UNLV, Las Vegas, USA
{ajoy.datta,lawrence.larmore}@unlv.edu

Abstract. We study leader election in unidirectional rings of homonym
processes that have no a priori knowledge on the number of processes.
We show that message-terminating leader election is impossible for any
class of rings Kk with bounded multiplicity k ≥ 2. However, we show that
process-terminating leader election is possible in the sub-class U ∗ ∩ Kk ,
where U ∗ is the class of rings which contain a process with a unique label.

1

Introduction

We consider deterministic leader election in unidirectional rings of homonym
processes. The model of homonym processes [1,3] has been introduced as a generalization of the classical fully identified model. Each process has an identifier,

called here label, which may not be unique. Let L be the set of labels present in
a system of n processes. Then, |L| = 1 (resp., |L| = n) corresponds to the fully
anonymous (resp., fully identified) model.
Related Work. Homonyms have been mainly studied for solving the consensus problem in networks where processes are subjected to Byzantine failures [1].
However, Delporte et al. [2] have recently considered the leader election problem
in bidirectional rings of homonym processes. They have given a necessary and sufficient condition on the number of distinct labels needed to design a leader election algorithm. Precisely, they show that there exists a deterministic solution for
message-terminating (i.e., processes do not terminate but only a finite number of
messages are exchanged) leader election on a bidirectional ring if and only if the
number of labels is strictly greater than the greatest proper divisor of n. Assuming this condition, they give two algorithms. The first one is message-terminating
and does not assume any further extra knowledge. The second one assumes the
processes know n, is process-terminating (i.e., every process eventually halts),
and is asymptotically optimal in messages. In [3], Dobrev and Pelc investigate
a generalization of the process-terminating leader election in both bidirectional
c Springer International Publishing AG 2016
B. Bonakdarpour and F. Petit (Eds.): SSS 2016, LNCS 10083, pp. 1–6, 2016.
DOI: 10.1007/978-3-319-49259-9 1


2

K. Altisen et al.

and unidirectional rings of homonym processes. In their model, processes a priori know a lower bound m and an upper bound M on the (unknown) number
of processes n. They propose algorithms that decide whether the election is possible and perform it, if so. They give synchronous algorithms for bidirectional
and unidirectional rings working in time O(M ) using O(n log n) messages. They
also give an asynchronous algorithm for bidirectional rings that uses O(nM )
messages, and show that it is optimal; no time complexity is given.
Contribution. We explore the design of process-terminating leader election
algorithms in unidirectional rings of homonym processes which, contrary to [2,3],
know neither the number of processes n, nor any bound on it. We study two different classes of unidirectional rings with homonym processes, denoted by U ∗

and Kk . U ∗ is the class of all ring networks in which at least one label is unique.
Kk is the class of all ring networks where no label occurs more than k times,
so k is an upper bound on the multiplicity of the labels. We prove that there
are no message-terminating leader elections for any class Kk with k ≥ 2 despite
processes know k, since Kk includes symmetric labeled rings. However, we give
a process-terminating leader election algorithm for the sub-class U ∗ ∩ Kk . Interestingly, there are labeled rings (e.g., a ring of three processes with labels 1, 2,
and 2) for which we can solve process-terminating leader election, whereas it
cannot be solved in the model of [2,3].

2

Preliminaries

Ring Networks. We assume unidirectional rings of n ≥ 2 processes, p1 , . . . ,
pn , operating in asynchronous message-passing model, where links are FIFO and
reliable. pi can only receive messages from its left neighbor, pi−1 , and can only
send messages to its right neighbor, pi+1 . Subscripts are modulo n.
We assume that each process p has a label, p.id ; labels may not be distinct.
For any label in the ring R, let mlty[ ] = |{p : p.id = }|, the multiplicity of
in R. Comparison is the only operator permitted on labels.
Leader Election. An algorithm Alg solves the message-terminating leader
election problem, noted MT-LE, in a ring network R if every execution of Alg
on R satisfies the following conditions:
1. The execution is finite.
2. Each process p has a Boolean variable p.isLeader s.t. when the execution
terminates, L.isLeader is true for a unique process (i.e., the leader).
3. Every process p has a variable p.leader s.t. when the execution terminates,
p.leader = L.id , where L satisfies L.isLeader .
An algorithm Alg solves the process-terminating leader election problem, noted
PT-LE, in a ring network R if it solves MT-LE and satisfies the following

additional conditions:


Leader Election in Rings with Bounded Multiplicity

3

4. p.isLeader is initially false and never switched from true to false: each
decision of being the leader is irrevocable. Consequently, there should be at
most one leader in each configuration.
5. Every process p ∈ R has a Boolean variable p.done, initially false, such that
p.done is eventually true for all p, indicating that p knows that the leader
has been elected. More precisely, once p.done becomes true, it will never
again become false, L.isLeader is equal to true for a unique process L, and
p.leader is permanently set to L.id .
6. Every process p eventually halts (local termination decision) after p.done
becomes true.
Ring Network Classes. An algorithm Alg is MT-LE (resp., PT-LE) for the
class of ring network R if Alg solves MT-LE (resp., PT-LE) for every network
R ∈ R. It is important to note that, for Alg to be MT-LE (resp., PT-LE) for a
class R, Alg cannot be given any specific information about the network (such
as its cardinality) unless that information holds for all members of R, since we
require that Alg works for every R ∈ R without any change in its code.
We consider two main classes of ring networks. U ∗ is the class of all ring
networks in which at least one label is unique. Kk is the class of all ring networks
such that no label occurs more than k times, where k ≥ 1.

3

Impossibility Result


A labeled ring network R is symmetric if it has a non-trivial rotational symmetry,
i.e., there is some integer 0 < d < n such that pi+d and pi have the same label
for all i. In our model, it is straightforward to see that there is no solution to the
leader election problem for a symmetric ring. Now, for any k ≥ 2, Kk contains
symmetric rings. Hence, follows.
Theorem 1. For any k ≥ 2, there is no algorithm that solves MT-LE for Kk .

4

Leader Election in U ∗ ∩ Kk

For any k ≥ 2, we give the algorithm Uk that solves PT-LE for the class U ∗ ∩Kk
(see Table 1). Uk always elects the process of minimum unique label to be the
leader, namely the process L such that L.id = min {x : mlty[ x ] = 1}. In Uk ,
each process p has the following variables.
1. p.id , constant of unspecified label type, the label of p.
2. p.init, Boolean, initially true.
3. p.active, Boolean, which indicates that p is active. If ¬p.active, we say p is
passive. Initially, all processes are active, and when Uk is done, the leader is
the only active process. A passive process never becomes active.
4. p.cnt, an integer in the range 0 . . . k + 1. Initially, p.cnt = 0. p.cnt will give
to p a rough estimate of the frequency of its label in the ring.
5. p.leader , of label type. When Uk is done, p.leader = L.id .


4

K. Altisen et al.


6. p.isLeader , Boolean, initially false, follows the problem specification. Eventually, L.isLeader becomes true and remains true, while, for all p = L,
p.isLeader remains f alse for the entire execution.
7. p.done, Boolean, initially false, follows the problem specification.
Uk uses only one kind of message. Each message is the forwarding of a token
which is generated at the initialization of the algorithm, and is of the form x, c ,
where x is the label of the originating process, and c is a counter, an integer in
the range 0 . . . k + 1, initially zero.
Table 1. Actions of Process p in Algorithm Uk

Overview of Uk . The explanation below is illustrated by the example in Fig. 1.
The fundamental idea of Uk is that a process becomes passive, i.e., is no more
candidate for the election, if it receives a message that proves its label is not
unique or is not the smallest unique label. Initially, every process initiates a token
with its own label and counter zero (see (a)). No tokens are initiated afterwards.
The token continually moves around the ring – every time it is forwarded, its
counter and the local counter of the process are incremented if the forwarding
process has the same label as the token (e.g., Step (a)→(b)). Thus, if the message


Leader Election in Rings with Bounded Multiplicity
(a)

B,0

A1

0

0


B

A,0

A3 A8

B

A2 A6

(h)

4

A

B
B
1

1

A

A

B,1

A2


1

C
2

B

B

B
1

1

B
1

A,3
A 1

(i)

C

2
A10

1

C,0


3

1

1

B,1

B

A

B

A,0

B

A

(f)

1

1

B
4


1

C

2
A10

B

B
C,1

A,4

1

C

0

A,1

B

A

1

A,4


B

A3 A4 A8

0

B,1

1

1
2

0

(c)

C,0

B
B,1

1

C
B

A

C,1


B

B

C

1

(g)

B
0

1

B,0

C

(e)

1

2

0

0


1

B

0

A,0

B,0

C
A

A9

0

(b)

B,0

B
B,0

A,1

A2 A8 2

B


A
0

(d)

C,0

C

5

A

B
4

A

A

B
B
A,4 1

1 A11

A

Fig. 1. Extracts from an example of execution of Uk where k = 3. The counter of a
process is next to the corresponding node. Crossed out nodes are passive. p.isLeader =

true if there is a star next to the node. The black bubble contains the elected label.

x, c is in a channel, that token was initiated by a process whose label is x, and
has been forwarded c times by processes whose labels are also x. The token could
also have been forwarded any number of times by processes with labels which
are not x. Thus, the counter in a message is a rough estimate of the frequency
of its label in the ring.
If a process receives a message whose counter is less than p.cnt, and p.cnt ≥ 1,
this proves its label is not unique since its counter grows faster than the one of
another label. In this case, p executes Action A4 and becomes passive (e.g.,
Step (b)→(c)). Similarly, if a process p has a unique label but not the smallest
one, it will become passive executing Action A6 when p receives a message with
the same non-zero counter but a label lower than p.id (e.g., Step (d)→(e)).
In both cases, it happens at the latest when the process receives the message
L.id , 1 , i.e., before the second time L receives its own token.
So, after the token of L has made two traversals of the ring, it is the only
surviving token (the others are consumed by Action A7) and every process but
L is passive. The execution continues until the leader L has seen its own label
return to it k + 1 times, otherwise L cannot be sure that what it has seen is not
part of a larger ring instead of several rounds of a small ring. Then, L designates
itself as leader by Action A9 (see Step (f)→(g)) and its token does a last traversal
of the ring to inform the other processes of its election (e.g., Step (g)→(h)). The
execution ends when L receives its token after k + 2 traversals (see (i)).


6

K. Altisen et al.

References

1. Delporte-Gallet, C., Fauconnier, H., Guerraoui, R., Kermarrec, A., Ruppert, E.,
Tran-The, H.: Byzantine agreement with homonyms. Distrib. Comput. 26(5–6),
321–340 (2013)
2. Delporte-Gallet, C., Fauconnier, H., Tran-The, H.: Leader election in rings with
homonyms. In: Networked Systems - 2nd International Conference, NETYS, pp.
9–24 (2014)
3. Dobrev, S., Pelc, A.: Leader election in rings with nonunique labels. Fundam. Inform.
59(4), 333–347 (2004)


Synchronous Gathering Without
Multiplicity Detection: A Certified Algorithm
Thibaut Balabonski3 , Am´elie Delga2,4 , Lionel Rieg1 , S´ebastien Tixeuil4,5 ,
and Xavier Urbain2,3(B)
2

1
Coll`ege de France, 75006 Paris, France
´
Ecole Nat. Sup. d’Informatique Pour l’Industrie et l’Entreprise (ENSIIE),
´
91025 Evry,
France
3
LRI, CNRS UMR 8623, Universit´e Paris-Sud,
Universit´e Paris-Saclay, Orsay, France

4
UPMC Sorbonne Universit´es, LIP6-CNRS 7606, Paris, France
5

Institut Universitaire de France, Paris, France

Abstract. In mobile robotic swarms, the gathering problem consists in
coordinating all the robots so that in finite time they occupy the same
location, not known beforehand. Multiplicity detection refers to the ability to detect that more than one robot can occupy a given position. When
the robotic swarm operates synchronously, a well-known result by Cohen
and Peleg permits to achieve gathering, provided robots are capable of
multiplicity detection.
We present a new algorithm for synchronous gathering, that does not
assume that robots are capable of multiplicity detection, nor make any
other extra assumption. Unlike previous approaches, our proof correctness is certified in the model where the protocol is defined, using the Coq
proof assistant.

1

Introduction

Networks of mobile robots have captured the attention of the distributed computing community, as they promise new applications (rescue, exploration, surveillance) in potentially dangerous (and harmful) environments. Since its initial
presentation [19], this computing model has grown in popularity1 and many
refinements have been proposed (see [14] for a recent state of the art). From a
theoretical point of view, the interest lies in characterising the exact conditions
for solving a particular task.
A computing model for mobile robots. In the model we consider, robots operate
in Look-Compute-Move cycles. In each cycle a robot “Looks” at its surroundings
and obtains (in its own coordinate system) a snapshot containing some information about the locations of all robots. Based on this visual information, the
1

The 2016 SIROCCO Prize for Innovation in Distributed Computing was awarded to
Masafumi Yamashita for this line of work.


c Springer International Publishing AG 2016
B. Bonakdarpour and F. Petit (Eds.): SSS 2016, LNCS 10083, pp. 7–19, 2016.
DOI: 10.1007/978-3-319-49259-9 2


8

T. Balabonski et al.

robot “Computes” a destination location (still in its own coordinate system) and
then “Moves” towards the computed location. When the robots are oblivious,
the computed destination in each cycle depends only on the snapshot obtained
in the current cycle (and not on the past history of execution). The snapshots
obtained by the robots are not necessarily consistently oriented in any manner.
The execution model significantly impacts the solvability of collaborative
tasks. Three different levels of synchronisation have been considered. The
strongest model [19] is the fully synchronised (FSYNC) model where each
stage of each cycle is performed simultaneously by all robots. On the other
hand, the asynchronous model [14] (ASYNC) allows arbitrary delays between
the Look, Compute and Move stages and the movement itself may take an
arbitrary amount of time, possibly a different amount for each robot. In the
semi-synchronous (SSYNC) model [19], which lies somewhere between the two
extreme models, time is discretised into rounds and in each round an arbitrary
subset of the robots are active. The active robots in a round perform exactly one
atomic Look-Compute-Move cycle in that round. It is assumed that the scheduler (seen as an adversary) is fair in the sense that it guarantees that in any
configuration, any robot is activated within a finite number of steps.
Furthermore, the scheduler has the ability to stop a robot before it has
completed its move, provided the robot has already moved by some positive
distance δ. Now, if a robot r wants to move by some distance d < δ, once activated by the scheduler, the scheduler then cannot stop r until it completes its
movement. The value of δ is unknown to the robots, and is just meant to prevent

the scheduler to make them move by infinitely small distances. These stoppable
moves are referred to as flexible moves in the remainder of the paper.
The gathering problem. The gathering problem is one of the benchmarking tasks
in mobile robot networks, and has received a considerable amount of attention
(see [14] and references herein). The gathering task consists in making all robots
(considered as dimensionless points in a two dimensional Euclidean space) reach
a single point, not known beforehand, in finite time. A foundational result [19]
shows that in the SSYNC model, no oblivious deterministic algorithm can solve
gathering for two robots2 . This result can be extended [11] to the bivalent case,
that is, when an even number of robots is initially evenly split in exactly two
locations. In general, without extra assumptions in the execution model (e.g.
a common coordinate system, persistent memory, the ability to detect multiple
robots at a given location, use of probabilistic variables, etc.), it is impossible to
solve gathering [16] for any set of at least two robots in the SSYNC model. As all
possible executions in SSYNC are also possible in ASYNC, those impossibilities
also hold in ASYNC. Hence, the only possibility to solve gathering without extra
assumptions is to consider the FSYNC model.
Cohen and Peleg [9] proposed the center of gravity (a.k.a. CoG) algorithm (the robots aim for the location that is the barycenter of all observed
robot locations) for the purpose of convergence (a weaker requirement than
2

http:// pactole.lri.fr/ pub/ cffg2d/ html/ Pactole.Gathering.InR.Impossibility.html.


Synchronous Gathering Without Multiplicity Detection

9

gathering, which mandates robots to reach locations that are arbitrarily close
to one another) in the SSYNC model. They demonstrate that for the FSYNC

model, robots actually solve gathering since they eventually all become closer
that δ from the barycenter, and hence all reach it in the next round.
However, the CoG algorithm does not prevent more than one robot to occupy
the exact same location before gathering, even if they start from distinct locations. For example, consider two robots r1 and r2 aligned toward the barycenter
at some round, at distances d1 and d2 (d1 < d2 ) that are both greater than δ,
respectively. Then, the scheduler stops r1 after δ and r2 at the same location.
Robots r1 and r2 now occupy the same location. One immediate consequence of
this observation is that in the next round, to compute the barycenter, observing
robots must take into account both r1 and r2 . That is, using the CoG algorithm,
robots must make use of multiplicity detection, i.e. be able to detect how many
robots occupy simultaneously a given location.
Overall, the question of gathering feasibility in FSYNC without multiplicity
detection (nor any other additional assumption) remained open.
Formal methods for mobile robots. Designing and proving mobile robot protocols is notoriously difficult. Formal methods encompass a long-lasting path of
research that is meant to overcome errors of human origin. Not surprisingly,
this mechanised approach to protocol correctness was successively used in the
context of mobile robots [2,3,5,6,11,13,15,17].
Model-checking proved useful to find bugs in existing literature [3] and assess
formally published algorithms [3,13,17], in a simpler setting where robots evolve
in a discrete space where the number of possible locations is finite. Automatic
program synthesis (for the problem of perpetual exclusive exploration in a ringshaped discrete space) is due to Bonnet et al. [5], and can be used to obtain
automatically algorithms that are “correct-by-design”. The approach was refined
by Millet et al. [15] for the problem of gathering in a discrete ring network. As
all aforementioned approaches are designed for a discrete setting where both the
number of locations and the number of robots are known, they cannot be used
in the continuous space where the robots locations take values in a set that is
not enumerable, and they cannot permit to establish results that are valid for
any number of robots.
The use of a mechanical proof assistant like Coq3 allows for more genericity
as this approach is not limited to particular instances of algorithms. Recent uses

of Coq in Distributed Computing include that of Cast´eran et al. [7], who use
Coq and their libray Loco to prove positive and negative results about subclasses
of LC systems, and that of Altisen et al. [1], who provide a Coq framework to
study self-stabilizing algorithms.
Developed for the Coq proof assistant,4 the Pactole5 framework enabled
the use of high-order logic to certify impossibility results [2] for the problem of
3
4
5

.
.
Available at .


10

T. Balabonski et al.

convergence: for any positive ε, robots are required to reach locations that are
at most ε apart. Another classical impossibility result that was certified using
the Pactole framework is the impossibility of gathering starting from a bivalent
configuration [11]. Recently, positive certified results for SSYNC gathering with
multiplicity detection were provided by Courtieu et al. [12].
Our contribution. We propose a protocol for oblivious mobile robot gathering in
FSYNC that does not require multiplicity detection (nor any other extra assumption). Our protocol, called CoGiL (for Center of Gravity of inhabited Locations),
is derived from CoG as follows: robots aim to the barycenter of observed occupied locations (that is, without considering how many robots occupy a given
location). We also present a proof of correctness for our CoGiL protocol.
Unlike previous approaches, our proof is certified in the model where the
protocol is defined, using the Coq proof assistant. Throughout this paper, links

to the Coq development are italicised in the footnotes. The sources package is
available at , as well as its online html documentation.
Roadmap. Section 2 describes our formal framework, while our case study is
developed in Sect. 3. Section 4 gives some insights about the benefits of our
methodology for mobile robot protocol design.

2

A Formal Model to Prove Robot Protocols

To certify results and to guarantee the soundness of theorems, we use Coq, a
Curry-Howard-based interactive proof assistant enjoying a trustworthy kernel.
The (functional) language of Coq is a very expressive λ-calculus: the Calculus of Inductive Constructions (CIC) [10]. In this context, datatypes, objects,
algorithms, theorems and proofs can be expressed in a unified way, as terms.
The reader will find in [4] a very comprehensive overview and good practices
with reference to Coq. Developing a proof in a proof assistant may nonetheless
be tedious, or require expertise from the user. To make this task easier, we are
actively developing (under the name Pactole) a formal model, as well as lemmas and theorems, to specify and certify results about networks of autonomous
mobile robots. It is designed to be robust and flexible enough to express most of
the variety of assumptions in robots network, for example with reference to the
considered space: discrete or continuous, bounded or unbounded.
We do not expect the reader to be an expert in Coq but of course the
specification of a model for mobile robots in Coq requires some knowledge of
the proof assistant. We want to stress that the framework eases the developer’s
task. The notations and definitions we give hereafter should be simply read as
typed functional expressions.
The Pactole model has been sketched in [2,11]; we recall here its main
characteristics.
We use two important features of Coq: a formalism of higher-order logic
to quantify over programs, demons, etc., and the possibility to define inductive



Synchronous Gathering Without Multiplicity Detection

11

and coinductive types [18] to express inductive and coinductive datatypes and
properties. Coinductive types are in particular of invaluable help to express infinite behaviours, infinite datatypes and properties on them, as we shall see with
demons.
Robots6 are anonymous, however we need to identify some of them in the
proofs. Thus, we consider given a finite set of identifiers, isomorphic to a segment
of N. We hereafter omit this set G unless it is necessary to characterise the number
of robots. Robots are distributed in space, at places called locations. We call a
configuration 7 a function from the set of identifiers to the space of locations.
From that definition, there is information about identifiers contained in configurations, notably, equality between configurations does not boil down to the
equality of the multisets of inhabited locations.
Under the assumption that robots are anonymous and indistinguishable, we
have to make sure that the embedded algorithm does not make use of those
identifiers.
Spectrum.8 The computation of any robot’s target location is based on the perception they get from their environment, that is, in an FSYNC execution scheme,
from a configuration. The result of this observation may be more or less accurate, depending on sensors’ capabilities. A robot’s perception of a configuration
is called a spectrum. To allow for different assumptions to be studied, we leave
abstract the type spectrum (Spect.t) and the notion of spectrum of a location. Robograms, representing protocols, will then output a location when given
a spectrum (instead of a configuration), thus guaranteeing that assumptions
over sensors are fulfilled. For instance, the spectrum for anonymous robots with
strong global multiplicity detection (this capacity refers to the ability to count
exactly how many robots occupy any observed location) could be the multiset
of inhabited locations. In a setting where robots do not enjoy the detection of
multiplicity and just know if a location is inhabited or not, the set of inhabited
locations is a suitable spectrum.

In the following we will distinguish a demon configuration (resp. spectrum),
expressed in the global frame of reference, from a robot configuration (resp.
spectrum), expressed in the robot’s own frame of reference. At each step of
the distributed protocol the demon configuration and spectrum are transformed
(recentered, mirrored, rotated, and scaled) into the considered robots ones before
being given as parameters to the robogram. Depending on assumptions, zoom
and rotation factors may be constant or chosen by the demon at each step,
shared by all robots or not, etc.
Demon for flexible movements. As moves under consideration are flexible, robots
either reach their goal when it is at most at a certain absolute distance δ, or
travel at least δ towards their goal, stopping to an arbitrary location (possibly
the computed goal).
6
7
8

http:// pactole.lri.fr/ pub/ cffg2d/ html/ Pactole.Robots.html#Robots.
http:// pactole.lri.fr/ pub/ cffg2d/ html/ Pactole.Configurations.html#Configuration.
http:// pactole.lri.fr/ pub/ cffg2d/ html/ Pactole.Configurations.html#Spectrum.