Title: Proving Probabilistic Properties of Gossip Protocols for any Number of Processes
1Proving Probabilistic Properties of Gossip
Protocols for any Number of Processes
- Douglas Graham
- Department of Computing Science
- University of Glasgow
2Overview
- Parameterised model checking
- Classical parameterised model checking problem
- Proof by induction Firewire example
- Probabilistic parameterised model checking
problem - Gossip protocols
- SIR Gossip Protocol
- PRISM model
- Parameterised model checking
- Induction proof
- Replicated Databases Gossip Protocol
- PRISM model
- Parameterised model checking
3Parameterised Model Checking
- For system M(N)p(1) p(2) p(N) can
only model check property P for fixed N - What if we want to verify for any N?
- Undecidable in general but techniques apply for
subclasses of system - E.g. proof by induction
- Firewire leader election protocol
4Parameterised Model Checking
2
0
1
5Parameterised Model Checking
2
0
P
1
6Parameterised Model Checking
2
0
C
P
1
7Parameterised Model Checking
2
0
A
P
1
8Parameterised Model Checking
0
P
1
9Parameterised Model Checking
0
C
1
10Parameterised Model Checking
0
A
1
11Parameterised Model Checking
0
12Parameterised Model Checking
- Notice that once child node has sent ack it no
longer takes part - System is described as degenerative
- Can exploit this behaviour
- Prove by induction that certain types of property
hold for any number of nodes Calder Miller
13Probabilistic Parameterised Model Checking
- Techniques to solve parameterised model checking
problem for probabilistic systems? - in particular randomised distributed algorithms
- Several for proving qualitative properties based
on classical methods - Some manual proofs
14Probabilistic Parameterised Model Checking
15Probabilistic Parameterised Model Checking
- Find bounds for curve
- In particular for monotonic properties i.e.
probability is increasing or decreasing as N
increases - Find upper or lower bound by model checking
- Tightness of bound restricted by state space
explosion - Show all instances satisfy bound
- How do we know this?
- Constraints on model property?
- Technique suited to degenerative systems?
16Gossip Protocols
- Based on SIR model of epidemics population of
(S)usceptible, (I)nfective and (R)emoved
individuals - Disseminate information in distributed
peer-to-peer network of processes - Each process that receives information randomly
selects processes to forward information to - Simple, scalable, robust, probabilistically
reliable but unpredictable? - Garbage collection, Membership management,
Failure detection, Database updates, Message
broadcast,
b
r
17Example 1SIR Gossip Protocol
18SIR Gossip Protocol
- Closely related to SIR model
- Consider single infection
- Population of N network sites
- Fully connected network
19SIR Gossip Protocol
Initially one process is infective N-1 others
are susceptible
20SIR Gossip Protocol
Infective process sends message to susceptible
process
21SIR Gossip Protocol
Susceptible process becomes infective with
probability B
22SIR Gossip Protocol
Infective process transmits message to a
susceptible site
23SIR Gossip Protocol
Process chooses to remain susceptible with
probability (1-B)
24SIR Gossip Protocol
X
Infective process chooses to become removed with
probability R
25SIR Gossip Protocol
System now behaves as N-1 processes (system
degenerates)
26SIR Gossip Protocol
- const int N3
- const double B1/2 const double R1/2
- module population
- s 0..N init N-1 // susceptibles
- i 0..N init 1 // infectives
- (sgt0 igt0) -gt (Bs/(s1)) (s's-1)
(i'i1) - (R/(s1)) (i'i-1)
- (1-((BsR)/(s1))) (s's)
- (s0 igt0) -gt (R/ (s1)) (i'i-1)
- (1-(R/(s1))) (s's)
- (i0) -gt 1 (i'i)
- endmodule
27SIR Gossip Protocol
N3
1
28SIR Gossip Protocol
- With probability g.t.e. 1/2 eventually all
processes will become removed - init gt Pgt1/2 true U (s0 i0)
29SIR Gossip Protocol
30SIR Gossip Protocol
X
Infective process chooses to become removed with
probability R
31SIR Gossip Protocol
System now behaves as N-1 processes (system
degenerates)
32SIR Gossip Protocol
1/2
s0 i1
s0 i0
1
N1
1/2
33SIR Gossip Protocol
1/2
1/4
s1 i1
s1 i0
1
N2
1/4
1/2
1/2
s0 i2
s0 i1
s0 i0
1
N1
1/2
1/2
34SIR Gossip Protocol
1/2
1/6
s2 i1
s2 i0
1
N3
1/3
1/2
1/2
1/4
1/4
s1 i1
s1 i0
s1 i2
1
N2
1/4
1/4
1/2
1/2
1/2
s0 i2
s0 i1
s0 i0
s0 i3
1/2
1
N1
1/2
1/2
35SIR Gossip Protocol
(N-1)/2N
sN-1 i1
sN-1 i0
1
s? i0
1
1/6
s2 i1
s2 i0
s2 iN-2
1
1/3
1/3
1/4
1/4
s1 i2
s1 i1
s1 i0
s1 iN-1
1
1/4
1/4
1/4
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
s0 iN
1
36SIR Gossip Protocol Induction Proof
Pgt1/2 true U (s0 i0)
1/6
s2 i1
s2 i0
1
1/3
1/4
1/4
s1 i2
s1 i1
s1 i0
1
1/4
1/4
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
1
37SIR Gossip Protocol Induction Proof
Pgt1/2 true U (s0 i0)
1/6
s2 i1
s2 i0
1
1/3
1/4
1/4
s1 i2
s1 i1
s1 i0
1
1/4
1/4
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
1
38SIR Gossip Protocol Induction Proof
Pgt1/2 true U (s0 i0)
(N-1)/2N
sN-1 i1
sN-1 i0
1
s? i0
1
1/6
s2 i1
s2 i0
s2 iN-2
1
1/3
1/3
1/4
1/4
s1 i2
s1 i1
s1 i0
s1 iN-1
1
1/4
1/4
1/4
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
s0 iN
1
39SIR Gossip Protocol Induction Proof
Pgt1/2 true U (s0 i0)
(N-1)/2N
sN-1 i1
sN-1 i0
1
s? i0
1
1/6
s2 i1
s2 i0
s2 iN-2
1
1/3
1/3
1/4
1/4
s1 i2
s1 i1
s1 i0
s1 iN-1
1
1/4
1/4
1/4
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
s0 iN
1
40SIR Gossip Protocol Induction Proof
1/2(N1)
Pgt1/2 true U (s0 i0)
sN i0
sN i1
1
N/2(N1)
(N-1)/2N
(N-1)/2N
sN-1 i1
sN-1 i0
sN-1 i2
1
s? i0
1
1/6
1/6
s2 i1
s2 i0
s2 iN-2
s2 iN-1
1
1/3
1/3
1/3
1/4
1/4
1/4
s1 i2
s1 i1
s1 i0
s1 iN-1
s1 iN
1
1/4
1/4
1/4
1/4
1/2
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
s0 iN
s0 iN1
1
41SIR Gossip Protocol Induction Proof
1/2(N1)
Pgt1/2 true U (s0 i0)
sN i0
sN i1
1
N/2(N1)
(N-1)/2N
(N-1)/2N
sN-1 i1
sN-1 i0
sN-1 i2
1
s? i0
1
1/6
1/6
s2 i1
s2 i0
s2 iN-2
s2 iN-1
1
1/3
1/3
1/3
1/4
1/4
1/4
s1 i2
s1 i1
s1 i0
s1 iN-1
s1 iN
1
1/4
1/4
1/4
1/4
1/2
1/2
1/2
1/2
s0 i0
s0 i3
s0 i2
s0 i1
s0 iN
s0 iN1
1
42Example 2Replicated Databases Gossip Protocol
43Replicated Databases Gossip Protocol
- Replicated Database Maintenance Demers et al.
- Update made at a single site must be propagated
to all other sites - Rumour Mongering
- Each site maintains a list of infective updates
- Periodically an infective site randomly chooses
another site to share its updates with - If infective site contacts a site that already
knows about an update then with probability 1/k
that update becomes removed
44Replicated Databases
- Simplifying assumptions
- Only one update
- Initially only one infective site
- No cycles/ periods
- Fully connected topology (full membership)
- Communication synchronous
- No failures
45Replicated Databases Gossip Protocol
Initially one site is infective N-1 others are
susceptible
46Replicated Databases Gossip Protocol
Infective site randomly chooses a site to send
infect message to
47Replicated Databases Gossip Protocol
Susceptible site receives message and becomes
infective
48Replicated Databases Gossip Protocol
Infective site is chosen non-deterministically
sends message to randomly chosen site
49Replicated Databases Gossip Protocol
Site receives message and becomes infective
50Replicated Databases Gossip Protocol
Scheduled infective site randomly chooses site to
transmit message to
51Replicated Databases Gossip Protocol
X
Receiving site is infected sending site becomes
removed with prob 1/k
52Replicated Databases Gossip Protocol
X
Removed site no longer transmits messages but can
still receive messages
53Replicated Databases Gossip Protocol
- const int N3
- const int k1
- module population
- s 0..N init N-1 // susceptibles
- i 0..N init 1 // infectives
- (sgt0 igt0) -gt (s/(N-1)) (s's-1)
(i'i1) - (N-1-s)/((N-1)k) (i'i-1)
- (k-1)(N-1-s)/((N-1)k) (s's)
- (s0 igt0) -gt (N-1-s)/((N-1)k) (i'i-1)
- (k-1)(N-1-s)/((N-1)k) (s's)
- (i0) -gt 1 (i'i)
- endmodule
54Replicated Databases Gossip Protocol
N3
s2 i1
1
1/2
1/2
s1 i2
s1 i1
s1 i0
1
1/2
1/2
1
1
1
s0 i3
s0 i2
s0 i1
s0 i0
1
55Replicated Databases Gossip Protocol
- With probability l.t.e. 3/4 eventually all
processes will become removed - init gt Plt3/4 true U (s0 i0)
56Replicated Databases Gossip Protocol
57Replicated Databases Gossip Protocol
N2
s1 i1
1
1
1
s0 i2
s0 i1
s0 i0
1
58Replicated Databases Gossip Protocol
N3
s2 i1
1
N2
1/2
1/2
s1 i1
s1 i0
s1 i2
1
1/2
1/2
1
1
1
s0 i2
s0 i1
s0 i0
s0 i3
1
59Replicated Databases Gossip Protocol
N4
s2 i1
1
N3
1/3
1/3
s2 i1
s2 i1
s1 i1
1
2/3
2/3
N2
2/3
2/3
2/3
s1 i1
s1 i0
s1 i2
s1 i2
1
1/3
1/3
1/3
1
1
1
1
s0 i2
s0 i1
s0 i0
s0 i3
s0 i3
1
60Further Work
- Proof for replicated databases example!
- Further analysis of gossip protocols
- Apply to other pseudo-degenerative systems
- Randomised consensus weak shared coin protocol
(Aspnes Herlihy) - Asynchronous Leader Election in a Ring (Itai
Rodeh) - Other gossip protocols (Replicated distributed
databases, message broadcast etc.)