Verification of population protocols
 770 Downloads
 4 Citations
Abstract
Population protocols (Angluin et al. in PODC, 2004) are a formal model of sensor networks consisting of identical mobile devices. Two devices can interact and thereby change their states. Computations are infinite sequences of interactions satisfying a strong fairness constraint. A population protocol is well specified if for every initial configuration C of devices, and every computation starting at C, all devices eventually agree on a consensus value depending only on C. If a protocol is well specified, then it is said to compute the predicate that assigns to each initial configuration its consensus value. While the computational power of wellspecified protocols has been extensively studied, the two basic verification problems remain open: Is a given protocol well specified? Does a given protocol compute a given predicate? We prove that both problems are decidable by reduction to the reachability problem of Petri nets. We also give a new proof of the fact that the predicates computed by welldefined protocols are those definable in Presburger arithmetic (Angluin et al. in PODC, 2006).
Mathematics Subject Classification
C.2.2 D.2.4 F.3.11 Introduction
Population protocols [2, 3] are a model of distributed computation by anonymous, identical finitestate agents. While they were initially introduced to model networks of passively mobile sensors [2, 3], they capture the essence of distributed computation in diverse areas such as trust propagation [13] and chemical reactions [31].
In each computation step of a population protocol, a fixed number of agents are chosen nondeterministically, and their states are updated according to a joint transition function. Since agents are anonymous and identical, the global state of a protocol is completely determined by the number of agents at each local state, called a configuration. A protocol computes a boolean value for a given initial configuration if in all fair executions starting at it, all agents eventually agree to this value—so, intuitively, population protocols compute by reaching consensus. An execution is fair if it is finite and cannot be extended, or it is infinite and satisfies the following condition: if \(C\) appears infinitely often in the execution, then every step enabled at \(C\) is taken infinitely often in the execution. Given a set of inputs (typically a set of vectors of natural numbers), and a mapping that assigns to each input an initial configuration, the predicate computed by a protocol is the function that assigns to each input the boolean value computed by the protocol from the corresponding initial configuration. If the protocol does not reach consensus for some input, then we say it is ill specified and does not compute any predicate.
Much of the work on population protocols has concentrated on characterizing the predicates computable by wellspecified protocols. In particular, Angluin et al. [2, 3] gave explicit wellspecified protocols to compute every predicate definable in Presburger arithmetic, and showed in a later paper (with a different set of authors) that they cannot compute anything else, i.e., wellspecified population protocols compute exactly the Presburgerdefinable predicates [5, 7].
Since it is easy to erroneously design protocols that are not well specified, one can ask two natural verification questions: Given a population protocol, is it well specified? Given a population protocol and a Presburger predicate (represented by a Presburger formula), does the protocol compute the predicate? We call them the wellspecification and fitting problems.
The semantics of a population protocol is an infinite family of finitestate transition systems, one for each possible input. Deciding if the protocol reaches consensus for a fixed input only requires to inspect one of these finite transition systems, and can be done automatically using a model checker. This approach has been followed in [10, 11, 32, 33], but it only proves the correctness of a protocol for a finite number of (typically small) inputs. Alternatively, one can also formalize a proof of well specification in a theorem prover [12], but this approach is not automatic: a human prover must first come up with a proof for each particular protocol.
Since the wellspecification problem asks if consensus is reached for all inputs, and there are infinitely many of them, it is not obviously decidable; in fact, similar questions are undecidable for many parameterized systems [8]. Moreover, techniques based on algorithms for the coverability problem of Petri nets, or on wellquasiorders—which have been used to prove decidability of many parameterized verification problems [1, 17]—cannot be directly applied to the well specification and fitting problems. Loosely speaking, the reason is that the set of initial configurations from which all agents eventually agree on a value is not necessarily upward nor downwardclosed.
Despite these difficulties, in the first part of the paper we show that the wellspecification and fitting problems are decidable and recursively equivalent to the reachability problem for Petri nets.
In the second part of the paper we study the tailor problem: Given a wellspecified protocol, returns a Presburger formula for the predicate computed by it. To solve the problem, we introduce a notion of certificate (of wellspecification) of a protocol. We provide algorithms that, given a protocol and an advice string decide if the string is a certificate, and extract from it a Presburger formula of the predicate computed by the protocol. The overall algorithm for the tailor problem just enumerates all advice strings, checks if they are a certificate, and if so computes a formula. However, this algorithm may not terminate if a protocol happens to have no certificates. So we also show that this is not the case: every wellspecified protocol has at least one certificate. The proof relies on several recent results from the theory of Petri nets: the existence of Presburgerdefinable inductive sets that separate unreachable markings [22], the effective Presburgerdefinability of the mutual reachability relation [23, 26], and a result from the theory of accelerations [25]. Finally, along the way we obtain a new proof of the main theorem of [5, 7] showing that wellspecified protocols can only compute Presburgerdefinable predicates.
The paper is organized as follows. Section 2 presents some preliminaries. Section 3 introduces population protocols and defines the wellspecification, fitting, and tailor problems. Section 4 describes the connection between population protocols and Petri nets. Sections 5 and 6 reduce the wellspecification and fitting problems to the reachability problem for Petri nets, and Sect. 7 presents reductions in the other direction. Finally, Sect. 8 presents our certificatebased algorithm for the tailor problem.
2 Preliminaries: Presburger sets, semilinear sets, multisets
Presburger arithmetic and Presburger sets Presburger arithmetic is the firstorder theory of addition, i.e., the firstorder theory of the natural numbers with addition as only function, and equality as only predicate. A set \(\mathbf{S} \subseteq {\mathbb {N}}^d\) is a Presburgerdefinable, or just a Presburger set, if there exists a formula \(\texttt {F}(x_1, \ldots , x_d)\) with free variables \(x_1, \ldots , x_d\) such that \(\texttt {F}(n_1, \ldots , n_d)\) is true iff \((n_1, \ldots , n_d) \in \mathbf{S}\).
Semilinear sets A set \(\mathbf {L} \subseteq {\mathbb {N}}^d\) is linear if there is a base or root vector \(\mathbf {b}\) and a finite set \(\mathbf {P}=\{\mathbf {p}_1, \ldots , \mathbf {p}_n\}\) of periods such that \(\mathbf {L}=\{\mathbf {b}+ \sum _{i=1}^n \lambda _i \mathbf {p}_i \mid (\lambda _1, \ldots , \lambda _n) \in {\mathbb {N}}^d\}\). We write \(\mathbf {L} = (\mathbf {b}; \mathbf {P})\), and say that the pair \((\mathbf {b}; \mathbf {P})\) is a linear representation of \(\mathbf {L}\). A set \(\mathbf {S}\) is semilinear set if it is a finite union of linear sets, and the set of its linear representations is called a semilinear representation of \(\mathbf {S}\).
It is well known that the semilinear sets and the Presburger sets coincide [19]. In particular, semilinear sets are effectively closed under Boolean operations and emptiness, inclusion, and equivalence of semilinear sets are all decidable.
Multisets A multiset on a finite set \(E\) is a mapping \(M :E \rightarrow {\mathbb {N}}\). For \(e\in E, M(e)\) denotes the number of occurrences of element \(e\) in \(M\). Operations on \({\mathbb {N}}\) like addition, subtraction, or comparison, are extended to multisets by defining them component wise. The set of all multisets over \(E\) is denoted \({\mathbb {N}}^E\). Given \(e \in E\), we denote \(\mathbf {e}\in {\mathbb {N}}^E\) the multiset consisting of one occurrence of element e, that is, the multiset satisfying \(\mathbf {e}(e)=1\) and \(\mathbf {e}(e')=0\) for every \(e' \ne e\). The support of a multiset \(M \in {\mathbb {N}}^E\), denoted by \({\text {Sup}}(M)\), is the set \(\{ e \in E \mid M(e) > 0 \} \).
Given a total order \(e_1 \prec e_2 \prec \cdots \prec e_n\) on E, a multiset M can be represented by the vector \((M(e_1), \ldots , M(e_n))\), and a set \({\mathcal {M}}\) of multisets by a set of vectors. A set of multisets over a finite set \(E\) is Presburger (resp. linear, semilinear) if its corresponding set of vectors is Presburger (resp. linear, semilinear)
3 Population protocols
A population \(P\) on a finite set \(E\) is a nonempty multiset on \(E\), i.e., \(P\in {\mathbb {N}}^{E}\) and \(P\ne \emptyset \). Thus \(P(e) > 0\) for some \(e\in E\), which is equivalent to \(\varSigma _{e\in E} P(e) > 0\). The set of all populations on E is denoted by \({\text {Pop}}(E)\).
Example 1
Let \(E= \{a,b\}\). The set of populations \(\{P \in {\text {Pop}}(E) \mid P(a) \ge P(b)\}\) is Presburger, since it is denoted by the Presburger formula \(\exists Y :X_a = Y + X_b \wedge X_b>0\). It is easy to see that the set of populations \(\{P \in {\text {Pop}}(E) \mid P(a) = P(b)^2 \}\) is not Presburger. \(\square \)
3.1 Protocol schemes
Lemma 1
For every configuration C, the set of configurations reachable from C is finite.
Proof
Follows immediately from the fact that an interaction does not create or destroy agents, just changes their current states. Since Q is finite, there are only finitely many configurations \(C'\) satisfying \(\sum _{q \in Q} C(q) = \sum _{q \in Q} C'(q)\). \(\square \)
Example 2
 (i)
Philosophers with the same opinion do not debate and stay in their current state.
 (ii)
Rested philosophers convince tired opponents of anything.
 (iii)
If two philosophers in the same physical condition debate, the one for animal rights convinces the one against and they both are tired after the debate.
3.2 Configuration graphs
The configuration graph of a protocol scheme \(\mathcal {A}\) is the infinite directed graph (\({\text {Pop}}(Q), \rightarrow \) having the populations over Q as nodes and the pairs \((C, C')\) such that \(C\rightarrow C'\) as edges. Consider the partition \(\{{\text {Pop}}(Q)_i\}_{i\ge 1}\) of \({\text {Pop}}(Q)\), where \( {\text {Pop}}(Q)_i = \{ C \in {\text {Pop}}(Q) \mid \sum _{q \in Q} C(q) = i\} \). (Note that \(i\) starts at \(1\) because every population contains at least one agent. Populations with ony one agent are not interesting, but they make the definition of the predicate computed by a population protocol more natural, see page 9.) Since interactions do not create or destroy agents, the set \(\{ \rightarrow _i \}_{i\ge 1} \), where \(\rightarrow _i = \rightarrow \cap {\text {Pop}}(Q)_i^2\), is also a partition of \(\rightarrow \). Therefore \( ({\text {Pop}}(Q), \rightarrow ) \) consists of the infinitely many disjoint and finite subgraphs \( \{({\text {Pop}}(Q)_i, \rightarrow _i)\}_{i\ge 1} \).
A strongly connected component (SCC) of the configuration graph is a maximal set of mutually reachable configurations. An SCC is a bottom SCC if it is closed under reachability, i.e., if C belongs to the SCC and \(C'\) is reachable from C, then \(C'\) also belongs to the SCC. A configuration is a bottom configuration if it belongs to a bottom SCC of the configuration graph.
Example 3
(Debating philosophers) In the step sequence of Example 2 the number of philosophers remains constant at 6, and so all its configurations belong to \({\text {Pop}}(Q)_6\).

\({ rf}> 0\) and \({ ra}> 0\). Then \(C \rightarrow C'\) for \(C'=({ rf}1,{ ra}1,{ tf}+2,{ ta})\) (two rested philosophers debate and get tired) but, since no rules turn a tired philosopher into a rested one, C is not reachable from \(C'\).

\({ rf}> 0\) and \({ ra}=0\). Since \(C \notin {\mathcal {B}}\) we have \({ ta}>0\), and so \(C'=({ rf},0,{ tf}+{ ta}, 0)\) is reachable from C (a rested philosopher for animal rights convinces all tired philosophers against them), but not vice versa.

\({ rf}= 0\) and \({ ra}> 0\). Since \(C \notin {\mathcal {B}}\) we have \({ tf}>0\), and so \(C'=(0,{ ra},0, { tf}+{ ta})\) is reachable from C (a rested philosopher against animal rights convinces all tired philosophers in favor of them), but not vice versa.

\({ rf}=0\) and \({ ra}=0\). Since \(C \notin {\mathcal {B}}\) we have \({ tf}, { ta}> 0\), and so \(C'=(0,0,{ tf}+{ ta}, 0)\) is reachable from C (a tired philosopher for animal rights convinces all tired philosophers against them), but not vice versa. \(\square \)
3.3 Executions and fair executions
An execution of \(\mathcal {A}\) is a finite or infinite sequence of configurations \(C_0, C_1, \ldots \) such that \(C_i \rightarrow C_{i+1}\) for each \(i\ge 0\). Following Angluin et al. [2, 3], we introduce a notion of fair execution. Loosely speaking, if \(C\) appears infinitely often in a fair execution, then every step enabled at \(C\) is taken infinitely often in the execution. Formally, an execution \(C_0, C_1, \ldots \) is fair if it is finite and cannot be extended, or it is infinite and for every step \(C \rightarrow C'\), if \(C_i =C\) for infinitely many indices \(i \ge 0\), then \(C_j = C\) and \(C_{j+1} = C'\) for infinitely many indices \(j \ge 0\). Thanks to Lemma 1 we show in Lemma 3 that every fair execution reaches a strongly connected component (SCC) of \( ({\text {Pop}}(Q), \rightarrow )\) and never leaves it. Observe that the fairness condition subsumes transitionbased weak fairness.
Remark 2
The following Lemma 3 formalizes a fundamental property of fair executions: they eventually reach a bottom SCC of the configuration graph, and then visit each of its states infinitely often (actually, if the execution is finite, then the bottom SCC consists of just one state without successors; intuitively, the execution reaches this state, and stays there “forever”).
Lemma 3
For every fair execution \(C_0, C_1, \ldots \) there is an index \(i \ge 0\) such that \(C_i\) is a bottom configuration, and the set \(\{C_j \mid j \ge i\}\) is a bottom SCC of the configuration graph.
Proof
If the execution is finite, then, since it cannot be extended, its last configuration is a bottom SCC with one single node and no outgoing transitions. If the execution is infinite, then the fairness condition forces it to eventually leave every nonbottom SCC it enters. So there is an index \(i \ge 0\) such that \(C_j\) is a bottom configuration for every \(j\ge i\), and so \(\{C_j \mid j \ge i\}\) is included in a bottom SCC \({\mathcal {S}}\). Now let C be an arbitrary configuration of \({\mathcal {S}}\). By Lemma 1 the set \({\mathcal {S}}\) is finite, and so there is a number k such that for every \(j \ge i\), the configuration C is reachable from \(C_j\) in at most k steps. A simple induction on k shows that, by fairness, C is contained in the execution. So \({\mathcal {S}}=\{C_j \mid j \ge i\}\). \(\square \)
Example 4
(Debating philosophers) It is easy to see that the infinite sequence of steps shown in Example 2 is a fair execution. Many other executions are not fair (for example, the infinite execution \((2,1,0,0)^\omega \) where no two philosophers with diverging opinions get to debate). A less trivial example is \((3,3,0,0) \, \big ( \, (2,2,2,0) \, (2,2,1,1) \, \big )^\omega \). \(\square \)
3.4 Population protocols
We define what it means for a protocol scheme to compute a predicate \(\varPi :{\text {Pop}}(\varSigma )\rightarrow \{0,1\}\), where \(\varSigma \) is a nonempty, finite set of input variables. Before presenting formal definitions, we give some intuition.
The first step is to add to a protocol scheme an input mapping \(I:{\text {Pop}}(\varSigma )\rightarrow {\text {Pop}}(Q)\) and an output mapping \(O :{\text {Pop}}(Q)\rightarrow \{0,\bot , 1\}\). The input mapping assigns to an input \(X \in {\text {Pop}}(\varSigma )\) an initial configuration I(X) of the protocol scheme, and the output mapping assigns to a configuration C an output, which can be either 0, 1, or \(\bot \). Here \(\bot \) stands for “undefined” or “no output”.
Intuitively, imagine that an operator is in charge of computing a boolean for each input \(X \in {\text {Pop}}(\varSigma )\) with the help of a machine implementing the protocol scheme. Upon receiving X, the operator first applies the input mapping to it, obtains the configuration \(C=I(X)\), allocates C(q) agents to each state q of the scheme/machine, and runs it from this initial configuration, letting it produce a fair execution. The machine has two lamps for the outputs 1 and 0. The blamp is switched on whenever the current configuration C satisfies \(O(C)=b\), and switched off otherwise. By definition, the execution of the machine outputs \(b \in \{0,1\}\) if it eventually stabilizes to b, meaning that from some moment on the blamp stays on forever (that is, from some moment on the execution only visits configurations C such that \(O(C)=b\)).
For a given input X some fair execution starting at C(X) may not stabilize to 0 or 1. Or two different fair executions starting at C(X) may stabilize to 0 and 1, respectively. Then we say that the scheme is ill specified. More precisely: If there is at least one input for which at least one fair execution does not stabilize to 0 or 1, or for which two fair executions stabilize to 0 and to 1, respectively, then the scheme is ill specified, and “does not compute any predicate”.
If a scheme is well specified, then for every input X all fair computations from I(X) stabilize to the same boolean \(b_X\), and we define the predicate computed by the protocol as the mapping \(\varPi \) given by \(\varPi (X)=b_X\).
Example 5
(Debating philosophers) We define input and output mappings for the debating philosophers. For the set of inputs we choose \(\varSigma = \{ \texttt {F}, \texttt {A}\}\) (For and Against). So a population over \(\varSigma \) models a population of philosophers, specifying how many are for and against animal rights. We represent a population with f philosophers for and a philosophers against animal rights by the pair (f, a).
After this informal introduction, we now present some formal definitions.
Input and output mappings Formally, an input mapping of a protocol scheme \(\mathcal {A}=(Q,\varDelta )\) is a function \(I:{\text {Pop}}(\varSigma )\rightarrow {\text {Pop}}(Q)\) that maps each input population X to a configuration of \(\mathcal {A}\). The set of initial configurations is \({\mathcal {I}} = \{I(X) \mid X\in {\text {Pop}}(\varSigma )\}\). An output mapping of O is a function \(O:{\text {Pop}}(Q)\rightarrow \{0,\bot ,1\}\) that associates to each configuration C of \(\mathcal {A}\) an output value in \(\{0,\bot ,1\}\). A configuration C on Q such that \(O(C)=b\) for some \(b\in \{0,\bot ,1\}\) is called a bconfiguration.
If input and output mappings can be arbitrary functions, even non computable ones, then any problem involving them is bound to be undecidable. For this reason we introduce “reasonable” classes of input and output mappings.
An input mapping I is Presburger if the set of pairs \((X, C) \in {\text {Pop}}(\varSigma ) \times {\text {Pop}}(Q)\) such that \(C=I(X)\) is definable in Presburger arithmetic. An output mapping O is Presburger if the same holds for the set of pairs \((C,b) \in {\text {Pop}}(Q) \times \{0,\bot ,1\}\) such that \(O(C)=b\).
A population protocol is a triple \((\mathcal {A}, \mathtt {I},\mathtt {O})\), where \(\mathcal {A}\) is a protocol scheme, and \(\mathtt {I}(X,C)\) and \(\mathtt {O}(C,b)\) are formulas of Presburger arithmetic denoting a Presburger input mapping I and a Presburger output mapping O, respectively.
Example 6
Remark 4
A particular case of protocols with Presburger input and output mappings are population protocols with leader [4, 6]. In these protocols the initial configuration contains one agent, called the leader, occupying a distinguished initial state \(q_l\) not initially occupied by any other agent. This corresponds to the input mapping \(I(X) = \mathbf {q}_l + \sum _{\sigma \in \varSigma }X(\sigma ) \, \mathbf {q}_\sigma \) which is obviously Presburger. \(\square \)
Stabilization and wellspecified protocols An execution \(C_0,C_1,\ldots \) stabilizes to b for a given \(b\in \{0,\bot ,1\}\) if there exists \(n\in {\mathbb {N}}\) such that \(O(C_m)=b\) for every \(m\ge n\) (if the execution is finite, then this means for every m between n and the length of the execution). Notice that there may be many different executions from a given configuration \(C_0\), each of which may stabilize to 0, 1, or \(\bot \), or not stabilize at all.
A population protocol \((\mathcal {A}, \mathtt {I},\mathtt {O})\) is well specified if for every input population \(X\in {\text {Pop}}(\varSigma )\), every fair execution of \(\mathcal {A}\) starting at I(X) stabilizes to the same value \(b \in \{0,1\}\). Otherwise, the protocol is ill specified. Finally, population protocol computes a predicate \(\varPi \) if for every \(X\in {\text {Pop}}(\varSigma )\), every fair execution of \(\mathcal {A}\) starting at I(X) stabilizes to \(\varPi (X)\). It follows easily from the definitions that a protocol computes a predicate iff it is well specified.
Example 7
It remains to show that for every fixed initial configuration \(C_0=({ rf}_0,{ ra}_0,0,0)\), either all fair executions starting at \(C_0\) get trapped in \({\mathcal {B}}_\texttt {F}\), or they all get trapped in \({\mathcal {B}}_\texttt {A}\). We prove that they get trapped in \({\mathcal {B}}_\texttt {A}\) if \({ rf}_0 \ge { ra}_0\), and in \({\mathcal {B}}_\texttt {F}\) otherwise.
Let \(\mathcal{C}_1 = \{ ({ tf},{ ra},{ rf},{ ta}) \mid { rf}< { ra}\}\). By direct inspection of the transitions, if \(C \in \mathcal{C}_1\) and \(C \rightarrow C'\), then \(C' \in \mathcal{C}_1\). Therefore, if \({ rf}_0 \ge { ra}_0\) then a fair execution starting at \(C_0\) gets trapped in configurations of \({\mathcal {B}} \cap \mathcal{C}_1\), and so only in configurations of \({\mathcal {B}}_\texttt {A}\).
Let \(\mathcal{C}_2 = \{ ({ tf},{ ra},{ rf},{ ta}) \mid { tf}\ge { ra}\wedge { tf}+{ rf}> 0\}\) By direct inspection of the transitions, if \(C \in \mathcal{C}_2\) and \(C \rightarrow C'\), then \(C' \in \mathcal{C}_2\). (For the transition \((\texttt {R}\alpha , \texttt {T}\beta ) \mapsto (\texttt {R}\alpha , \texttt {T}\alpha )\), observe that if the transition is enabled then \({ rf}> 0\).) Assume \(C_0=({ tf}_0 ,{ ra}_0 ,0,0)\) satisfies \({ tf}_0 \ge { ra}_0\). Since configurations contain at least one agent, we have \({ tf}_0 >0\) and so \(C_0 \in \mathcal{C}_2\). Therefore, a fair execution starting at \(C_0\) gets trapped in configurations of \({\mathcal {B}} \cap \mathcal{C}_2\), and so only in configurations of \({\mathcal {B}}_\texttt {F}\).
So the protocol of the debating philosophers is well specified, hence it computes a predicate \(\varPi :{\text {Pop}}(\{\texttt {F}, \texttt {A}\}) \rightarrow \{0,1\}\). This predicate is just the majority predicate: \(\varPi (f,a)=1\) iff \(f \ge a\). \(\square \)
3.5 Verification problems

The wellspecification problem: given a population protocol \((\mathcal {A}, \mathtt {I},\mathtt {O})\), is it well specified?

The fitting problem: given a population protocol \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) and a Presburger predicate \(\varPi \), does \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) compute \(\varPi \)?

The tailor problem: given a wellspecified population protocol \((\mathcal {A}, \mathtt {I}, \mathtt {O})\), compute (in the standard sense) a Presburger formula for the predicate computed (in the population protocol sense) by \((\mathcal {A}, \mathtt {I}, \mathtt {O})\).

The wellspecification and fitting problems are Turingreducible in to the reachability problem for Petri nets.
In other words, we show that both problems can be solved with the help of an oracle for the reachability problem for Petri nets. In particular, this proves that both problems are decidable.

The reachability problem for Petri nets can be reduced in polynomial time to the (complements of the) wellspecification or the fitting problems.

There is an algorithm for the tailor problem.
This algorithm can also be used to solve the wellspecification and fitting problems. However, it consists of two semidecision algorithms, and currently we do not know of any reduction to the reachability problem. As a corollary of this algorithm we obtain an alternative proof to the result of Angluin et al. [5, 7].
4 Population protocols as Petri nets
The computation of a population protocol can be simulated by an associated Petri net. This allows us to apply results on Petri nets to population protocols.
A Petri net \(N = (P, T, F)\) consists of a finite set P of places, a finite set T of transitions, and a flow function \(F :(P \times T) \cup (T\times P) \rightarrow {\mathbb {N}}\). The preset of a transition \(t\) is the multiset \({}^\bullet t\) of places given by \({}^\bullet t(p) = F(p,t)\) and its postset the multiset \({}^\bullet t\) given by \({t}^\bullet (p) = F(t,p)\). A marking \(M \in {\mathbb {N}}^{P}\) is a multiset on the set \(P\) of places and we say that M puts \(M(p)\) tokens in place \(p\). A transition \(t\in T\) is enabled at marking M, written \(M\left[ {t}\right\rangle \), if \({}^\bullet t \le M\). A transition t that is enabled at M can fire, yielding the marking \(M' = M  {}^\bullet t + {t}^\bullet \). We denote this fact as \(M\left[ {t}\right\rangle M'\). We extend enabledness and firing inductively to words of transitions as follows. Let \(w=t_1\ldots t_k\) be a finite word of transitions \(t_j\in T\). We write \(M\left[ {w}\right\rangle M'\) if there exists a sequence \(M_0,\ldots ,M_k\) of markings such that \(M=M_0\left[ {t_1}\right\rangle M_1\cdots \left[ {t_k}\right\rangle M_k=M'\), and say that \(M'\) is reachable from M.
The study of the complexity of problems on Petri nets requires we define the size of the input. It is not necessary to define these sizes in details since they are quite standard. It suffices to know that numbers are encoded in binary.
The reachability problem for Petri nets asks, given a Petri net N and two markings \(M, M'\) of N, whether \(M'\) is reachable from M, or equivalenty whether \(M'\in { post}_N(\{M\})\). The problem is known to be decidable [30], with a cubic Ackermanian complexity upper bound [27], and EXPSPACEhard [29]. It is open whether the problem has an algorithm that runs in elementary time, i.e., in kEXPTIME for some number k independent of the input.
Given two sets \({\mathcal {M}}, {\mathcal {M}}'\) of markings, we say that \({\mathcal {M}}'\) is reachable from \({\mathcal {M}}, {\mathcal {M}}'\) if there are \(M \in {\mathcal {M}}\) and \(M' \in {\mathcal {M}}'\) such that \(M'\) is reachable from M. The reachability problem for Presburgerdefinable sets of markings is also decidable:
Theorem 5
Let N be a Petri net, and let \(\phi , \phi '\) be two Presburger formulas denoting sets \({\mathcal {M}}, {\mathcal {M}'}\) of markings of N. The problem whether \({\mathcal {M}}'\) is reachable from \({\mathcal {M}}\) can be reduced to the reachability problem for Petri nets, and is thus decidable.
Proof
Since similar reductions are well known (see e.g. [20]), we only sketch the argument. Let d be the number of places of N. Markings of N can then be represented as vectors of \({\mathbb {N}}^d\). Since \({\mathcal {M}}\) and \({\mathcal {M}'}\) are Presburger definable, they are semilinear [19], and we can compute in triple exponential time in N semilinear representations for \({\mathcal {M}}\) and \({\mathcal {M}'}\).
Let \(\{(r_1; P_1), \ldots , (r_n; P_n)\}\) and \(\{(r_1', P_1'), \ldots , (r_m', P_m')\}\) be semilinear representations of \({\mathcal {M}}\) and \({\mathcal {M}'}\). We sketch the behavior of a Petri net \(\widehat{N}\) with an initial marking \(\widehat{M}\) that, loosely speaking, nondeterministically generates an initial marking \(M_0\) of N, simulates N on this marking, nondeterministically stops the simulation at some point in time, and nondeterministically checks if the marking M reached by N when the simulation is stopped belongs to \({\mathcal {M}'}\).
The marking \(M_0\) is generated as follows. Initially \(\widehat{N}\) nondeterministically fires a transition from a set \(\{t_1, \ldots , t_n\}\), containing a transition for each linear set in the representation of \({\mathcal {M}}\). After firing, say, transition \(t_i\), the net proceeds to nondeterministically generate a marking of \((r_i, P_i)\) where, say, \(P_i = \{p_{i1}, \ldots , p_{ik}\}\). For this it first fires a transition that puts \(r_i\) tokens in the places of N, and then it proceeds to repeatedly fire transitions \(t_{i1}, \ldots , t_{ik}\) such that the firing of \(t_{ij}\) adds \(p_{ij}\) tokens to the places of N. The net can stop these firings at any time by nondeterministically choosing to fire a transition start, after which it starts simulating N.
The simulation is stopped nondeterministically by firing a transition stop. Let M be the marking of N after the simulation stops. The net nondeterministically guesses that M belongs to the linear set \((r_j', P_j')\) of the representation of \({\mathcal {M}'}\) by firing a transition \(t'_i\) for some \(1 \le i \le m\). Assume \(P_i' = \{p_{i1}', \ldots , p'_{ik'} \}\). The net proceeds to nondeterministically check the guess by first firing a transition that removes \(r_i'\) tokens from the places of N, and then repeatedly firing transitions \(t'_{i1}, \ldots , t'_{ik'}\), where the firing of \(t'_{il}\) removes \(p'_{ij}\) tokens from the places of N. If the guess is correct, i.e., if M belongs to the linear set \((r_j', P_j')\), then the net can reach the empty marking; otherwise, the nondeterministic check gets stuck at some marking different from the empty marking. Therefore, the empty marking can be reached from \(\widehat{M}\) iff some marking of \({\mathcal {M}'}\) is reachable from some marking of \({\mathcal {M}}\). \(\square \)
5 The wellspecification problem is decidable
We first characterize the ill specified population protocols in terms of the bottom configurations of their configuration graphs.
Definition 6
Let \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) be a population protocol, and let \(\mathcal {B}\) be the set of bottom configurations of its configuration graph. We define \(\mathcal {B}_0\) as the set of configurations \(C \in {\mathcal {B}}\) such that for every configuration \(C'\) in the same SCC as C the equality \(O(C)=0\) holds^{2}. The set \(\mathcal {B}_1\) is defined analogously.
Lemma 7
 (1)
\(\mathcal {B} \setminus (\mathcal {B}_0 \cup \mathcal {B}_1 )\) is reachable from \({\mathcal {I}}\), or
 (2)
\({\mathcal {I}}\) contains a configuration \(C \in {\mathcal {I}}\) such that both \(\mathcal {B}_0\) and \(\mathcal {B}_1\) are reachable from C.
Proof
 (a)
some fair execution starting at a configuration of \({\mathcal {I}}\) does not stabilize to either 0 or 1; or
 (b)
two fair executions starting at the same configuration of \({\mathcal {I}}\) stabilize to 0 and 1, respectively.
(a) \(\Leftrightarrow \) (1). By Lemma 3, a fair execution eventually gets trapped in a bottom SCC \(\mathcal {S}\) of the configuration graph, and visits infinitely often every configuration of \(\mathcal {S}\). Therefore, the execution does not stabilize to either 0 or 1 iff either \(O(C) = \bot \) for some \(C \in \mathcal {S}\), or \(\mathcal {S}\) contains two configurations \(C_1, C_2\) such that \(O(C_1) \ne O(C_2)\). In both cases we have \(\mathcal {S} \cap (\mathcal {B}_0 \cup \mathcal {B}_1)= \emptyset \), and so \(\mathcal {S} \subseteq \mathcal {B} \setminus (\mathcal {B}_0 \cup \mathcal {B}_1 )\).
(b) \(\Leftrightarrow \) (2). By Lemma 3, two executions that stabilize to 0 and 1 get trapped in two bottom SCCs \(\mathcal {S}_0\) and \(\mathcal {S}_1\), and visit all configurations of these SCCs infinitely often. So, we have \(O(C_0)=0\) for every \(C_0 \in \mathcal {S}_0\), and \(O(C_1)=1\) for every \(C_1 \in \mathcal {S}_1\). It follows \(\mathcal {S}_0 \subseteq {\mathcal {B}}_0\) and \(\mathcal {S}_1 \subseteq {\mathcal {B}}_1\), and so both \(\mathcal {B}_0\) and \(\mathcal {B}_1\) are reachable from some \(C \in \mathcal {I}\). \(\square \)
This lemma reduces the ill specification problem to reachability questions for the sets \({\mathcal {I}}, \mathcal {B}, \mathcal {B}_0\), and \(\mathcal {B}_1\). We use some results of Petri net theory to prove that all these sets are effectively Presburger, which allows us to apply Theorem 5.
The reachability relation of a Petri net N is the binary relation over the markings of N containing the pairs \((M,M')\) such that \(M'\) is reachable from M. Similarly, the mutual reachability relation of N is the binary relation containing the pairs \((M,M')\) such that \(M'\) is reachable from M and M is reachable from \(M'\) (equivalently, the pairs \((M, M')\) such that M and \(M'\) belong to the same SCC of the reachability graph). It is easy to see that the reachability and mutual reachability relations are closed under addition: if \((M_1, M_1')\) and \((M_2, M_2')\) belong to the relation, then so does \((M_1+M_2, M_1'+M_2')\). Further, and contrary to the reachability relation, the mutual reachability relation is an equivalence relation. A result of Eilenberg and Schützenberger about rational sets in commutative monoids [14] shows that every equivalence relation closed under sum is Presburgerdefinable, and so the mutual reachability relation of any Petri net (but not the reachability relation!) is Presburgerdefinable (Hirshfeld [21] gave a short proof). However, the proofs of this result are nonconstructive. We show how to overcome this problem using results of Leroux [23, 26].
Definition 8
([23, 26]) A Petri net N is globally cyclic if for every two markings \(M, M'\), the marking \(M'\) is reachable from M iff M and \(M'\) are mutually reachable. (In other words: N is globally cyclic if its reachability and mutual reachability relations coincide.)
Leroux and Sutre [28] studied globally flat counter machines, and showed that their reachability relation is effectively semilinear (Theorem 4.3 and Corollary 4.4). Further, they show that globally cyclic Petri nets (seen as a class of counter machines with one single state and one counter for each place) are globally flat (Proposition 5.4). Since a relation is semilinear iff it is Presburgerdefinable [19], we obtain:
Theorem 9
([28]) The mutual reachability relation of a globally cyclic Petri net is effectively Presburgerdefinable.
It remains to extend this result to arbitrary Petri nets. For this we show that every Petri net can be effectively transformed into a globally cyclic Petri net with the same mutual reachability relation. The proof is based on the following notion:
Definition 10
([23, 26]) Let t be a transition of a Petri net N. The domain of reversibility of t, denoted \(D_t\), is the set of markings M such that there exists a firing sequence \(\sigma \) satisfying \(M \left[ {t}\right\rangle M' \left[ {\sigma }\right\rangle M\).
Since \(M \left[ {t}\right\rangle M' \left[ {\sigma }\right\rangle M\) implies \(M+L \left[ {t}\right\rangle M'+L \left[ {\sigma }\right\rangle M+L\) for every marking L, the domain of reversibility of a transition is an upwardclosed set of markings. By Dickson’s lemma, a domain of reversibility \(D_t\) has a finite set of minimal elements \(\min (D_t)\). We now resort to the following result of Leroux [26]:
Theorem 11
([26], Theorem 10.1) Let N be a Petri net of size n, and let t be a transition of N. Every marking of \(\min (D_t)\) has size at most \(2^{2^{O(n)}}\).
Closely following an idea of Bouziane and Finkel [9], we now can prove:
Theorem 12
There is an algorithm that, given a Petri net N, constructs a globally cyclic Petri net \(N'\) having the same mutual reachability relation as N.
Proof
We can easily extract from Theorem 11 an algorithm that constructs the set \(\min (D_t)\) for every transition t: Enumerate all markings M of size \(2^{2^{O(n)}}\) that enable t, compute for each of them the marking \(M'\) such that \(M \left[ {t}\right\rangle M'\), and check that M and \(M'\) are mutually reachable using the algorithm introduced in [23]. We now use the sets \(\min (D_t)\) to construct the globally cyclic net \(N'\).
The sets of places of \(N'\) and N coincide. For every transition t of N and for every marking \(L \in \min (D_t)\), we add to \(N'\) a transition \(t_L\) satisfying \({}^\bullet (t_L) = L\) and \((t_L)^\bullet = L'\), where \(L'\) is the marking such that \(L \left[ {t}\right\rangle L'\).
We show that N and \(N'\) have the same mutual reachability relation. Assume that M and \(M'\) are mutually reachable in \(N'\). Then there is a firing sequence \(M_1 \left[ {t^{(1)}_{L_1}}\right\rangle M_2 \cdots M_{n} \left[ {t^{(n)}_{L_{n}}}\right\rangle M_{n+1}\) in \(N'\) such that \(M_1 = M_{n+1} = M\) and \(M_i = M'\) for some \(1 \le i \le n\). By the observation above, we have \(M_1 \left[ {t^{(1)}}\right\rangle M_2 \cdots M_{n} \left[ {t^{(n)}}\right\rangle M_{n+1}\) in N, and so M and \(M'\) are mutually reachable.
Now, let \(M, M'\) be two mutually reachable markings of N. Then there is a firing sequence \(M_1 \left[ {t^{(1)}}\right\rangle M_2 \cdots M_{n} \left[ {t^{(n)}}\right\rangle M_{n+1}\) such that \(M_1 = M_{n+1} = M\) and \(M_i = M'\) for some \(1 \le i \le n\). Then \(M_{i}\) and \(M_{i+1}\) are mutually reachable for every \(1 \le i \le n\), and so \(M_i \in D_{t^{(i)}}\) for every \(1 \le i \le n\). It follows that \(M_1 \left[ {t^{(1)}_{L_1}}\right\rangle M_2 \cdots M_{n} \left[ {t^{(n)}_{L_{n}}}\right\rangle M_{n+1}\) is a firing sequence of \(N'\) for some markings \(L_1, \ldots , L_{n}\) such that \(L_i \le M_i\) and \(L_i \in \min (D_{t_i})\) for every \(1 \le i \le n\). So M and \(M'\) are also mutually reachable in \(N'\).
Finally, we show that \(N'\) is globally cyclic by considering two markings M and \(M'\) such that \(M\left[ {t_L}\right\rangle M'\) for some transition t of N and some marking \(L\in \min (D_t)\). From \(M\left[ {t_L}\right\rangle M'\) we derive \(M\ge L\). Hence \(M\in D_t\). It follows that M is in the domain of reversibility of t. Thus M and \(M'\) are mutually reachable in N. Since N and \(N'\) have the same mutal reachability relation, we derive that M and \(M'\) are mutually reachable in \(N'\). Thus \(N'\) is globally cyclic.
\(\square \)
Finally, combining Theorems 9 and 12 we obtain:
Theorem 13
The mutual reachability relation of a Petri net N is effectively Presburgerdefinable.
Using this theorem, we can easily derive an algorithm to construct Presburger formulas for \(\mathcal {B}, \mathcal {B}_0\), and \(\mathcal {B}_1\).
Proposition 14
There is an algorithm that takes as input a protocol scheme and returns Presburger formulas denoting the sets \(\mathcal {B}\), \(\mathcal {B}_0\), and \(\mathcal {B}_1\).
Proof
Together with Theorem 5, Proposition 14 shows that we decide reachability questions between \({\mathcal {I}}\) (which is a Presburger set by definition), and the sets of bottom configurations. The next theorem reduces conditions (1) and (2) of Lemma 7 to such questions.
Theorem 15
The ill specification problem is Turingreducible to the reachability problem for Petri nets, and thus decidable.
Proof

\(M_I \in {\mathcal {I}}, M_0 \in {\mathcal {B}}_0, M_1 \in {\mathcal {B}}_1\), and

\((M_0,M_1)\) is reachable from \((M_I, M_I)\) in \((N(\mathcal {A})\!~\parallel ~\!N(\mathcal {A}))\).

Construct a Presburger formula \(\phi _{II}\) denoting the set of markings of \((N(\mathcal {A})\!~\parallel ~\!N(\mathcal {A}))\) of the form \(\{(M, M) \mid M \in {\mathcal {I}} \}\).
This is possible because the set \({\mathcal {I}}\) is Presburger.

Construct a Presburger formula \(\phi _{01}\) denoting the set of markings of \((N(\mathcal {A})\!~\parallel ~\!N(\mathcal {A}))\) of the form \(\{(M_0, M_1) \mid M_0 \in \mathcal {B}_0, M_1 \in \mathcal {B}_1 \}\).

Apply Theorem 5 to the net \((N(\mathcal {A})\!~\parallel ~\!N(\mathcal {A}))\) and the formulas \(\phi _{II}\) and \(\phi _{01}\). \(\square \)
6 The fitting problem is decidable
We show that the fitting problem is Turingreducible to the reachability problem for Petri nets.
Theorem 16
The fitting problem is Turingreducible to the reachability problem for Petri nets, and thus decidable.
Proof
Let \((\mathcal {A}, \mathtt {I},\mathtt {O})\) be a population protocol and let \(\varPi :{\text {Pop}}(\varSigma ) \rightarrow \{0,1\}\) be a Presburger predicate. We reduce the fitting problem to the (complement of the) reachability problem for Presburger sets of markings, and apply Theorem 5.
Let \({\mathcal {B}}, {\mathcal {B}}_0\), and \({\mathcal {B}}_1\) as in Definition 6. We claim that \((\mathcal {A}, \mathtt {I},\mathtt {O})\) computes \(\varPi \) iff \({\mathcal {B}}\setminus {\mathcal {B}}_0\) is not reachable from \({\mathcal {I}}_0\), and \({\mathcal {B}}\setminus {\mathcal {B}}_1\) is not reachable from \({\mathcal {I}}_1\). By Lemma 3 and the definition of \({\mathcal {B}}_0\) and \({\mathcal {B}}_1\), a fair computation stabilizes to \(b \in \{0,1\}\) iff it gets trapped in a bottom SCC contained in \({\mathcal {B}}_b\). Therefore, \({\mathcal {B}}\setminus {\mathcal {B}}_b\) is not reachable from \({\mathcal {I}}_b\) iff every fair computation from \({\mathcal {I}}_b\) stabilizes to b. This proves the claim.
Let \(N(\mathcal {A})\) be the Petri net associated to \(\mathcal {A}\). By the claim, \((\mathcal {A}, \mathtt {I},\mathtt {O})\) does not compute \(\varPi \) iff some marking of \({\mathcal {B}}\setminus {\mathcal {B}}_0\) is reachable in \(N(\mathcal {A})\) from some marking of \({\mathcal {I}}_0\), or some marking of \({\mathcal {B}}\setminus {\mathcal {B}}_1\) is reachable in \(N(\mathcal {A})\) from some marking of \({\mathcal {I}}_1\). Since, by Proposition 14, \({\mathcal {B}}, {\mathcal {B}}_0\) and \({\mathcal {B}}_1\) are effectively computable Presburger sets, so are \({\mathcal {B}}\setminus {\mathcal {B}}_0\) and \({\mathcal {B}}\setminus {\mathcal {B}}_1\). So the fitting problem reduces to (the complements of) two instances of the reachability problem for Presburger sets. \(\square \)
7 Lower bounds for the wellspecification and fitting problems
We show that the reachability problem for Petri nets can be reduced to the complements of the wellspecification and fitting problems.
Theorem 17
The reachability problem for Petri nets is polynomially reducible to illspecification problem and to the complement of the fitting problem for population protocols (in both cases even with simple output mappings).
Proof
We proceed by means of a sequence of reductions. First, the reachability problem for Petri nets can be reduced in polynomial time to the singleplace zeroreachability problem (or SPZRP) [20]:
Given: a Petri net \(N=(P,T,F)\), a marking \(M_0\in {\mathbb {N}}^P\), and a place \(z \in P\).
Decide: Is there a marking M reachable from \(M_0\) such that \(M(z)=0\) ?
 (a)
\(M_0(z) > 0\),
 (b)
no two transitions of N have the same input and output places (i.e., if \({}^\bullet t_1 = {}^\bullet t_2\) and \({t_1}^\bullet ={t_2}^\bullet \) then \(t_1 = t_2\)),
 (c)
the range of the flow function \(F\) is \(\{0,1\}\), and
 (d)
every transition \(t\) of N satisfies \(1\le \vert {{}^\bullet t}\vert \le 2\) and \( 1\le \vert {{t}^\bullet }\vert \le 2\),
Let \(N'=(P',T',F')\) and \(z'\) be the result of performing all these transformations. We have \(P' = P \cup P_{ aux}\), where \(P_{ aux}\) are the auxiliary places used in the gadgets, hence \(P_{ aux}\) includes \(r\). Let \(M'_0\in {\mathbb {N}}^{P'}\) be such that \(M'_0 = M_0 + \mathbf {r}\).
The following property is easy to prove. The reachable markings of N and the projections onto P of the reachable markings of \(N'\) that put one token in the place r coincide. Loosely speaking, the net \(N'\) simulates the firings of transitions of N by executing the corresponding gadget. If \(N'\) tries to simulate the firing of a transition of N that is not currently enabled, then the gadget cannot execute and \(N'\) reaches a deadlock. The markings of \(N'\) with one token in r are those in which every execution of a gadget could be successfully completed.
It follows easily from the previous that N has a reachable marking M such that \(M(z)=0\) iff \(N'\) has a reachable marking \(M'\) such that \(M'(z')=0\) and \(M'(r)=1\).
Next, we define a population protocol that is illspecified exactly when \(N'\) has a reachable marking with no token in \(z'\) and one token in \(r\).

a state \(q_p\) for every place \(p \in P'\);

a state \(q_t\) for every transition \(t \in T'\); and

two states Source and Sink.

n agents in \({ Source}\);

\(M_0'(p)\) agents in \(q_p\) for every place p; and

0 agents elsewhere.
 (1)for every Petri net transition \(t=(\{p_1, p_2\}, \{p_3, p_4\})\), two protocol transitions$$\begin{aligned} (q_{p_1}, q_{p_2})~\mapsto ~(q_t, { Sink}) \quad \text{ and } \quad \delta _t := (q_t, { Source})~\mapsto ~(q_{p_3}, q_{p_4}) \end{aligned}$$
 (2)for every Petri net transition \(t=(\{p_1, p_2\}, \{p_3\})\), two protocol transitions$$\begin{aligned} (q_{p_1}, q_{p_2})~\mapsto ~(q_t, { Sink}) \quad \text{ and } \quad \delta _t := (q_t, { Source})~\mapsto ~(q_{p_3}, { Sink}) \end{aligned}$$
 (3)for every Petri net transition \(t=(\{p_1 \}, \{p_2,p_3\})\), one protocol transition$$\begin{aligned} \delta _t:=(q_{p_1}, { Source})~\mapsto ~(q_{p_2}, q_{p_3}) \end{aligned}$$
 (4)for every Petri net transition \(t=(\{p_1 \}, \{p_2 \})\), one protocol transition$$\begin{aligned} \delta _t:= (q_{p_1}, { Source})~\mapsto ~(q_{p_2}, { Sink}) \end{aligned}$$
 (5)a transition$$\begin{aligned} (q_r, q_z)~\mapsto ~({ Sink}, q_z) . \end{aligned}$$
The transitions of (1)–(4) simulate the firing of the Petri net transition t (in the case of transitions in (1)–(2), firing t is simulated by the occurrence, one after the other, of two protocol transitions). Observe that the simulation of a transition t of type (1) can “get stuck”: after the occurrence of \((q_{p_1}, q_{p_2})~\mapsto ~(q_t, { Sink})\) there may be no agent in Source, and then \((q_t, { Source})~\mapsto ~(q_{p_3}, q_{p_4})\) cannot occur. This is also true for the transitions of type (2).
Intuitively, the transition \((q_r, q_z)~\mapsto ~({ Sink}, q_z)\) of (5) turns a configuration with undefined output into one with output \(0\) “as long as there is at least one token in z and no gadget is executing”.
In all cases, simulating the firing of t requires one agent to leave the \({ Source}\) state. Since, moreover, no agents ever enter \({ Source}\), each execution of \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) contains only finitely many occurrences of transitions of (1)–(4). Further, since the transition of (5) moves an agent to Sink, and no agents ever leave Sink, the transitions of (5) also occur only finitely often, actually at most once since \(r\) never contains two or more tokens. Therefore all fair executions of \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) are finite.
Assume that some reachable marking M of \(N'\) satisfies \(M(z')= 0\) and \(M(r)=1\). Let \(\tau \in T^*\) be such that \(M_0'\left[ {\tau }\right\rangle M\), and let k be the length of \(\tau \). Since \(M_0'(z)>0\), we have \(k > 0\). We claim that \(\mathcal {A}\) has a fair (finite) execution from \(I(k\, \varvec{\sigma })\) that does not stabilize. Consider the execution that starts by simulating \(\tau \) through transitions (1)–(4). At the end of this simulation the protocol reaches a configuration C such that \(C({ Source}){=}0{=}C(q_{z'})\), \(C(q_r)=1\) and \(C({ Sink}) > 0\) (this follows from \(k>0\)). Since \(C({ Source})=0\), none of the \(\{\delta _t\}_{t\in T'}\) transitions can occur from C, and so, by exhaustively executing transitions from (1)–(2), we reach a configuration \(C'\) that that does not enable any transition of (1)–(4), still satisfies \(C'({ Source}){=}0{=}C'(q_{z'})\), \(C'(q_r)=1\) and \(C'({ Sink})>0\). Since \(C'(q_{z'})=0\), the configuration \(C'\) does not enable the transition of (5) either. So the execution cannot be extended, hence it is fair. Because in \(C'\) one agent is in state \(q_r\) and some other in \({ Sink}\) we have \(O(C')=\bot \). So \( (\mathcal {A},\mathtt {I},\mathtt {O}) \) is ill specified.
Assume now that every reachable marking M of \(N'\) satisfies \(M(z')>0\) or \(M(r)=0\). We prove that every fair execution stabilizes to 0. Since all fair executions of \((\mathcal {A}, \mathtt {I}, \mathtt {O})\) are finite, given a fair execution \(C_0 C_1 \ldots C_n\) we have to prove \(O(C_n) = 0\) or, equivalently, \(C_n(q_r)=0\). A fair execution can either reach a deadlock with no agent in \(q_r\). In this case, the output of the resulting configuration \(C\) is defined to be \(0\) since \( C(q_r)=0 \) and \(Q_1 = \{q_r\}\), hence \(O(C) = 0\). Or, a fair execution reaches a deadlock with some agent in \(q_r\). Note that, by construction, it must be the case that some agent is in \(q_{z'}\) following our assumption on \(M\). But then transition (5) is enabled and thus the configuration with some agent in \(q_r\) is not a deadlock. Note that firing (5) necessarily results in a configuration whose output is defined to be \(0\).
The same reduction shows hardness for the complement of the fitting problem for the predicate \( false \). \(\square \)
8 An algorithm for the Tailor problem
 (1)
If a protocol has a certificate, then it is well specified. Moreover, there is an algorithm that, given a protocol and a certificate, returns a Presburger formula for the predicate computed by the protocol.
 (2)
There is an algorithm that, given a protocol and a string x, decides if x is a certificate of the protocol.
 (3)
If a protocol is well specified, then it has a certificate.
After defining certificates in Sect. 8.1, properties (1)–(3) are proved in in three different sections. Property (3) has the most involved proof, and requires to introduce some further results from the theory of Petri nets.
8.1 Certificates

A configuration C of \(\mathcal {A}\) is a 0configuration (resp. 1configuration) if \(O(C)=0\) (resp. \(O(C)=1\)).

A set \(\mathcal {C}\) of configurations of \(\mathcal {A}\) is inductive if \(C \in \mathcal {C}\) and \(C \rightarrow C'\) implies \(C'\in \mathcal {C}\).

Given a language \(W\subseteq \varDelta ^*\) and a set \(\mathcal {C}\) of configurations, \({ pre}_\mathcal {A}(\mathcal {C},W)\) denotes the set of configurations C such that \(C\xrightarrow {w}C'\) for some word \(w\in W\) and some \(C'\in \mathcal {C}\). We write \({ pre}^*_{\mathcal {A}}(\mathcal {C})\) to denote \({ pre}_{\mathcal {A}}(\mathcal {C}, \varDelta ^*)\). The definitions for \({ post}_{\mathcal {A}}(\mathcal {C},W) \) and \({ post}^*_{\mathcal {A}}(\mathcal {C})\) are as expected.
Definition 18
 (1)
\(\mathcal {S}_0,\mathcal {S}_1,\mathcal {D}_0,\mathcal {D}_1\) are inductive.
 (2)
The pair \((\mathcal {I}_0,\mathcal {I}_1)\), where \(\mathcal {I}_0=\mathcal {S}_0\cap \mathcal {I}\) and \(\mathcal {I}_1=\mathcal {S}_1\cap \mathcal {I}\), is a partition of \(\mathcal {I}\).
 (3)
\(\mathcal {D}_0\) is a set of 0configurations such that \(\mathcal {S}_0\subseteq { pre}_\mathcal {A}(\mathcal {D}_0,W)\).
 (4)
\(\mathcal {D}_1\) is a set of 1configurations such that \(\mathcal {S}_1\subseteq { pre}_\mathcal {A}(\mathcal {D}_1,W)\).
Observe that, by condition (2), all initial configurations belong to \(\mathcal {S}_0 \cup \mathcal {S}_1\). So, by condition (1), \(\mathcal {S}_0 \cup \mathcal {S}_1\) contains all configurations reachable from initial configurations. Condition (3) ensures that from every configuration of \(\mathcal {S}_0\) one can reach and get trapped in a set of 0configurations (because \(\mathcal{D}_0\) is inductive); condition (4) is a similar property for 1configurations.
8.2 Certificates ensure wellspecification
We show that if a protocol has a certificate, then it is well specified. Moreover, a Presburger formula for the predicate computed by the protocol can be easily extracted from the certificate.
Lemma 19
Proof
Let \(\mathcal {S}_0,\mathcal {S}_1,\mathcal {D}_0,\mathcal {D}_1\) be the Presburger sets of configurations denoted by \(\mathtt {S}_0,\mathtt {S}_1,\mathtt {D}_0,\mathtt {D}_1\), respectively. Let \(W=w_1^*\ldots w_k^*\). Since \(\mathcal {I}_0\) and \(\mathcal {I}_1\) form a partition of \({\mathcal {I}}\), it suffices to prove that every fair execution starting at \(\mathcal {I}_b\) stabilizes to b. Let \(C \in \mathcal {I}_b\) and let \(C_0,C_1,\ldots \) be a fair execution starting at C. By Lemma 3 the execution gets trapped in a bottom SCC. Hence, there exists \(n\in {\mathbb {N}}\) such that \(C_n\) is a bottom configuration. As \(\mathcal {S}_b\) is inductive, it follows that \(C_n \in \mathcal {S}_b\). Moreover, as \(\mathcal {S}_b\subseteq { pre}_\mathcal {A}(\mathcal {D}_b,W)\), there exists a word \(w\in W\) and a configuration \(C'\in \mathcal {D}_b\) such that \(C_n\xrightarrow {w}C'\). Since \(C_n\) is a bottom configuration, there exists a word \(w'\in \varDelta ^*\) such that \(C'\xrightarrow {w'}C_n\). Now, let \(m\ge n\). Since \(C_m\) is reachable from \(C_n\), it follows that \(C_m\) is reachable from \(C'\). As \(C'\in \mathcal {D}_b\) and \(\mathcal {D}_b\) is inductive, it follows that \(C_m\in \mathcal {D}_b\). As \(\mathcal {D}_b\) is a set of bconfigurations, it follows that \(O(C_m)=b\); thus, the execution stabilizes to b. \(\square \)
Example 8
(Certificate for the parity predicate) We describe a population protocol and show with the help of a certificate that it computes a given predicate. In the following \(b \in \{0,1\}\).
Let \(\varSigma = \{\sigma \}\). Abusing language, we identify the mapping \(X :{\text {Pop}}(\varSigma )\rightarrow {\mathbb {N}}\) given by \(X(\sigma ) = n\) with the number n. The parity predicate \(\varPi ~:~{\text {Pop}}(\varSigma )\rightarrow \{0,1\}\) is given by \(\varPi (n)=0\) if n is even, and \(\varPi (n)=1\) otherwise.

\(Q=\{A_0,A_1,P_0,P_1\}\). Agents in \(\{A_0, A_1\}\) are active, and those in \(\{P_0, P_1\}\) are passive. Further, agents in \(\{A_b, P_b\}\) carry (the value) b.
 \(\varDelta = \{\delta _{x,y},\delta _{x} \mid x, y \in \{0,1\} \}\), whereIntuitively, in \(\delta _{x,y}\) two active agents add their values modulo 2, and one of them becomes passive; in \(\delta _{x}\) an active agent changes the value of a passive agent.$$\begin{aligned} \delta _{x,y}~=~(A_x,A_y)\mapsto (A_{x+y},P_{x+y}) \quad \text{ and } \quad \delta _{x}~=~(A_x,P_{1x})\mapsto (A_x,P_x). \end{aligned}$$

\(I(n)~=~ n \mathbf {A}_1\) for every \(n \in {\mathbb {N}}\). That is, to compute the parity of n the protocol starts with n active agents carrying 1 (n agents in state \(A_1\), and no agents elsewhere).

\(O(C)~=~b\) if \({ Sup}(C) \subseteq \{A_b, P_b\}\), and \(O(C)~=~\bot \) otherwise. That is, a configuration has output \(b \in \{0,1\}\) if currently all agents carry b, otherwise it has output \(\bot \).

\(\mathtt {D}_b(C) := \big ( C(A_b)=1\wedge C(A_{1b})=0\wedge C(P_{1b})=0 \big )\).
Notice that the set of configurations \(\mathcal {D}_b\) denoted by \(\mathtt {D}_b\) is inductive. In fact, since configurations of \(\mathcal {D}_b\) only have one active agent, and all their agents carry the same value b, they enable no transitions.

\(\mathtt {S}_0(C)\) and \(\mathtt {S}_1(C)\) are Presburger formulas for “\(C(A_1)\) is even” and “\(C(A_1)\) is odd”.
Inspection of \(\varDelta \) immediately shows that the sets \(\mathcal {S}_0\) and \(\mathcal {S}_1\) denoted by \(\mathtt {S}_0(C)\) and \(\mathtt {S}_1(C)\) are inductive. Notice that \(\mathcal {I}\cap \mathcal {S}_0\) and \(\mathcal {I}\cap \mathcal {S}_1\) is a partition of \(\mathcal {I}\).

\(W=\delta _{1,1}^*\;\delta _{0,0}^*\;\delta _{1,0}^*\;\delta _{0}^*\;\delta _{1}^*\).
W models a strategy to reach \(\mathcal {D}_0\cup \mathcal {D}_1\) from any configuration. First execute the transition \(\delta _{1,1}\) as long as possible, until there is at most one active agent carrying a 1. Then execute \(\delta _{0,0}\) as long as possible, until there is at most one active agent carrying a 0. Then execute \(\delta _{1,0}\) if possible, reaching a configuration with exactly one active agent carrying a value b. Finally, execute \(\delta _{0}\) as long as possible, followed by \(\delta _{1}\) as long as possible, leading to a configuration in which every passive agent also carries the value b. \(\square \)
8.3 Checking certificates
Using acceleration technics [16, 18, 25], we show that the problem of checking if a given tuple is a certificate reduces to the problem of checking if a closed formula of Presburger arithmetic is true, and so decidable.
Lemma 20
Given a protocol \((\mathcal {A},\mathtt {I},\mathtt {O})\) and a tuple \((\mathtt {S}_0,\mathtt {S}_1,\mathtt {D}_0,\mathtt {D}_1,w_1,\ldots ,w_k)\), it is decidable whether the tuple is a certificate of the protocol.
Proof
8.4 Every wellspecified protocol has a certificate
We prove that every wellspecified protocol has a certificate.
Let \((\mathcal {A},\mathtt {I},\mathtt {O})\) be a wellspecified protocol. Let \({\mathcal {I}}_0\) and \({\mathcal {I}}_1\) be the subsets of initial configurations for which the protocol computes 0 and 1, respectively. Since the protocol is well specified, the pair \(({\mathcal {I}}_0, {\mathcal {I}}_1)\) is a partition of \({\mathcal {I}}\).
We choose \(\mathtt {D}_0\) and \(\mathtt {D}_1\) as Presburger formulas denoting the sets \(\mathcal {B}_0\) and \(\mathcal {B}_1\) of \(\mathcal {A}\), as defined in Definition 6. These formulas exist and can be computed by Proposition 14, which shows that \(\mathcal {B}_0\) and \(\mathcal {B}_1\) are effectively Presburger. Observe that, with this choice, \(\mathcal{D}_b\) is a set of bconfigurations. Moreover, since any configuration reachable from a bottom configuration is also a bottom configuration, \(\mathcal{D}_b\) is inductive.
Before choosing the sets \({\mathcal {S}}_0\) and \({\mathcal {S}}_1\), let us consider the tentative choice \({\mathcal {S}}'_0 = { post}^*_{\mathcal {A}}({\mathcal {I}}_0)\), and \({\mathcal {S}}'_1 = { post}^*_{\mathcal {A}}({\mathcal {I}}_1)\). The sets \({\mathcal {S}}'_0\) and \({\mathcal {S}}'_1\) are clearly inductive. Moreover, since the protocol is well specified, we have \({\mathcal {S}}'_0 \cap {\mathcal {I}} = {\mathcal {I}}_0\) and \({\mathcal {S}}'_1 \cap {\mathcal {I}} = {\mathcal {I}}_1\). Indeed, since \(({\mathcal {I}}_0, {\mathcal {I}}_1)\) is a partition of \({\mathcal {I}}\), if \({\mathcal {S}}'_0 \cap {\mathcal {I}} \supsetneq {\mathcal {I}}_0\) then \({\mathcal {S}}'_0 \cap {\mathcal {I}}_1 \ne \emptyset \), and so there is a configuration with two fair computations stabilizing to 0 and to 1, contradicting the assumption that the protocol is well specified.
However, we still miss two important properties: \({\mathcal {S}}'_0\) and \({\mathcal {S}}'_1\) may not be Presburger sets, and there may be no language W satisfying conditions (3) and (4). At this point we get help from the following two results:
Theorem 21
([5, 7]) If \((\mathcal {A},\mathtt {I},\mathtt {O})\) is well specified, then \({\mathcal {I}}_0\) and \({\mathcal {I}}_1\) are Presburger sets.
Theorem 22
([24, Lemma 9.1]) Let N be a Petri net, and let \(\mathcal {M}\) and \(\mathcal {M}'\) be Presburger sets of markings of N such that \({ post}_N^*(\mathcal {M})\cap \mathcal {M}'=\emptyset \). There exists a Presburger inductive set of markings \(\mathcal {S}\) such that \(\mathcal {M}\subseteq \mathcal {S}\) and \(\mathcal {S}\cap \mathcal {M}'=\emptyset \).
Applying Theorem 22 to \(\mathcal {M}= {\mathcal {I}}_0\) and \(\mathcal {M}'= {\mathcal {I}}_1\) (which are Presburger by Theorem 21) yields an inductive and Presburger set \({\mathcal {S}}_0 \supseteq {\mathcal {S}}'_0\) such that \({\mathcal {S}}_0 \cap {\mathcal {I}}_1 = \emptyset \), and therefore \({\mathcal {S}}_0 \cap {\mathcal {I}}_1 = {\mathcal {I}}_0\). Similarly, applying the theorem to \(\mathcal {M}= {\mathcal {I}}_1\) and \(\mathcal {M}' = {\mathcal {I}}_0\), we obtain a corresponding set \({\mathcal {S}}_1\).
The existence of the bounded language W follows directly from another result of net theory:
Theorem 23
([25, Corollary XI.3]) For every Petri net \(N=(P,T,F)\) and for every Presburger sets of markings \(\mathcal {S}\) and \(\mathcal {D}\) such that \(\mathcal {S}\subseteq { pre}_N^*(\mathcal {D})\), there exists a sequence \(w_1,\ldots ,w_k\) of words in \(T^*\) such that the bounded language \(W\subseteq w_1^*\ldots w_k^*\) satisfies \(\mathcal {S}\subseteq { pre}_N(\mathcal {D},W)\).
Applying the theorem to \(\mathcal {S}_0\) and \(\mathcal {D}_0\) and to \(\mathcal {S}_1\) and \(\mathcal {D}_1\), we obtain two languages \(W_0, W_1\). It then suffices to take \(W = W_0 W_1\) since \(W \supseteq W_0 \cup W_1\).
8.5 Wellspecified protocols compute Presburger predicates: a new proof
Angluin et al. have shown—a celebrated result—that wellspecified population protocols compute exactly the Presburgerdefinable predicates [5, 7]. The proof that every Presburger definable predicate is computed by some protocol profits from the fact that every formula of Presburger arithmetic is equivalent to a quantifierfree formula with divisibility predicates [15]. Using this result, it suffices to exhibit protocols computing some simple predicates, and prove that predicates computed by population protocols are closed under conjunction and disjunction, which is achieved by a rather straightforward product construction. The other direction, showing that population protocols can only compute Presburger predicates, is far more involved. We show that this direction follows from recent results of Petri net theory obtained by one of the authors. In fact, we slightly generalize the results of Angluin et al. [5, 7], which hold for simple input and output mappings, to the more general Presburger mappings.
The proof is based on the notion of almost semilinear sets introduced in [24] that extends the class of semilinear sets. We do not recall the formal definition of almost semilinear sets but just results and intuitions about those sets. Formal definitions can be found in [24]. Intuitively, almost semilinear sets are subsets of \({\mathbb {N}}^d\) that can be precisely overapproximated by semilinear sets. Formally, the class of almostsemilinear sets contains all the semilinear sets and it is equipped with a function that maps any almost semilinear set \(\mathbf {X}\) to a semilinear set \({\text {lin}}(\mathbf {X})\) that contains \(\mathbf {X}\), and a function \({\text {dim}}\) that maps any almost semilinear sets \(\mathbf {X}\) to a number in \(\{1,\ldots ,d\}\) in such a way \({\text {dim}}(\mathbf {X})\le {\text {dim}}(\mathbf {Y})\) for every \(\mathbf {X}\subseteq \mathbf {Y}\) and \({\text {dim}}(\mathbf {X})=1\) implies \(\mathbf {X}=\emptyset \) for every \(\mathbf {X}\). Moreover, the class of almost semilinear sets satisfies the two following results:
Lemma 24
Theorem 25
([24, Corollary 6.3]) The sets \({ post}_N^*(\mathcal {X})\cap \mathcal {Y}\) and \({ pre}_N^*(\mathcal {Y})\cap \mathcal {X}\) are almost semilinear for every Petri net N and for every semilinear sets of markings \(\mathcal {X},\mathcal {Y}\).
Now, let us introduce the notion of decomposable sets defined as a subclass of the almost semilinear sets. A subset \(\mathbf {X}\) of \({\mathbb {N}}^d\) is said to be decomposable if \(\mathbf {X}\cap \mathbf {S}\) is almost semilinear for every semilinear set \(\mathbf {S}\). It follows from Theorem 25 that reachability sets of Petri nets are decomposable.
Lemma 26
Disjoint decomposable sets \(\mathbf {X},\mathbf {Y}\) such that \(\mathbf {X}\cup \mathbf {Y}\) is semilinear are semilinear.
Proof
Let us prove by induction on \(r\in {\mathbb {N}}\) that for every semilinear set \(\mathbf {A}\) such that \({\text {dim}}(\mathbf {A})< r\) and for every partition \(\mathbf {X},\mathbf {Y}\) of \(\mathbf {A}\) into decomposable sets, the sets \(\mathbf {X}\) and \(\mathbf {Y}\) are semilinear. The case \(r=0\) is immediate since in this case \(\mathbf {A}\) is empty. Assuming that the statement is true for \(r\), let us prove it for \(r+1\). Consider a semilinear set \(\mathbf {A}\) such that \({\text {dim}}(\mathbf {A})=r\), and a partition \(\mathbf {X},\mathbf {Y}\) of \(\mathbf {A}\) into decomposable sets. In particular \(\mathbf {X}\) and \(\mathbf {Y}\) are almost semilinear. If \(\mathbf {X}\) or \(\mathbf {Y}\) is empty, then \(\mathbf {X}\) and \(\mathbf {Y}\) are semilinear since those sets are either \(\emptyset \) or \(\mathbf {A}\). So, we can assume that \(\mathbf {X}\) and \(\mathbf {Y}\) are nonempty. We introduce \(\mathbf {S}={\text {lin}}(\mathbf {X})\) and \(\mathbf {T}={\text {lin}}(\mathbf {Y})\) and \(\mathbf {A}'=\mathbf {S}\cap \mathbf {T}\). Lemma 24 shows that \({\text {dim}}(\mathbf {A}')<r\). We introduce the decomposable sets \(\mathbf {X}'\) and \(\mathbf {Y}'\) defined as \(\mathbf {X}\cap \mathbf {A}'\) and \(\mathbf {Y}\cap \mathbf {A}'\). Notice that \(\mathbf {X}',\mathbf {Y}'\) is a partition of \(\mathbf {A}'\). By induction, it follows that \(\mathbf {X}'\) and \(\mathbf {Y}'\) are semilinear. Now, just notice that \(\mathbf {X}=(\mathbf {S}\backslash \mathbf {A}')\cup \mathbf {X}'\) and \(\mathbf {Y}=(\mathbf {T}\backslash \mathbf {A}')\cup \mathbf {Y}'\). We derive that \(\mathbf {X}\) and \(\mathbf {Y}\) are semilinear, and the induction is proved. \(\square \)
We are now ready to prove our main result.
Theorem 27
For every Petri net N, and for every semilinear sets of markings \(\mathcal {M}, \mathcal {F}_0,\mathcal {F}_1\): if \(\mathcal {M}_0=\mathcal {M}\cap { pre}_N^*(\mathcal {F}_0)\) and \(\mathcal {M}_1=\mathcal {M}\cap { pre}_N^*(\mathcal {F}_1)\) is a partition of \(\mathcal {M}\), then \(\mathcal {M}_0\) and \(\mathcal {M}_1\) are semilinear.
Proof
From Theorem 25, it follows that \(\mathcal {M}_0\) and \(\mathcal {M}_1\) are decomposable. Since those two sets are disjoint and the union is equal to the semilinear set \(\mathcal {M}\), it follows from Lemma 26 that \(\mathcal {M}_0\) and \(\mathcal {M}_1\) are semilinear. \(\square \)
Corollary 28
Wellspecified population protocols only compute Presburger predicates.
Proof
Let \((\mathcal {A},\mathtt {I},\mathtt {O})\) be a wellspecified protocol. Then \(\mathcal {I}, \mathcal {B}_0\), and \(\mathcal {B}_1\) are semilinear sets. Let \(\mathcal {I}_0=\mathcal {I}\cap { pre}_N^*(\mathcal {B}_0)\) and \(\mathcal {I}_1=\mathcal {I}\cap { pre}_N^*(\mathcal {B}_1)\). Since the protocol is well specified, each configuration of \(\mathcal {I}\) can reach exactly one of \(\mathcal {B}_0\) and \(\mathcal {B}_1\), it follows that \(\mathcal {I}_0\) and \(\mathcal {I}_1\) is a partition of the semilinear set \(\mathcal {I}\). From Theorem 27, we derive that \(\mathcal {I}_0\) and \(\mathcal {I}_1\) are semilinear. Thus the computed predicates are Presburger. \(\square \)
9 Certificatebased algorithms for wellspecification and correctness
Certificates provide an alternative algorithm to decide the wellspecification and fitting problems. If we apply our algorithm for the tailor problem to an arbitrary protocol, then two cases are possible: if the protocol is well specified, then the algorithm terminates and returns a Presburger formula for the computed predicate. If the protocol is ill specified, then it has no certificate, and the algorithm does not terminate. In other words, our algorithm for the tailor problem is at the same time a semidecision procedure for the wellspecification problem.
 (1)
a fair computation starting at the configuration I(X) that does not stabilize, or
 (2)
two fair computations starting atI(X), and stabilizing to opposite values.
Since the semidecision procedure for the wellspecification problem returns a Presburger formula for the computed predicate, we can also use this combination of semidecision procedures to solve the fitting problem: if the protocol is ill specified, then it does not fit any predicate; if the protocol is well specified, then we check whether the Presburger formulas for the intended predicate and the computed predicate are equivalent, which is a decidable problem.
Footnotes
Notes
Acknowledgments
We thank the CONCUR reviewers for their insightful feedback.
References
 1.Abdulla, P.A., Cerans, K., Jonsson, B., Tsay, Y.K.: General decidability theorems for infinitestate systems. In: LICS’96: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science, pp. 313–321. IEEE Computer Society (1996)Google Scholar
 2.Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finitestate sensors. In: PODC’04, pp. 290–299. ACM (2004)Google Scholar
 3.Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finitestate sensors. Distrib. Comput. 18(4), 235–253 (2006)CrossRefMATHGoogle Scholar
 4.Angluin, D., Aspnes, J., Eisenstat, D.: Fast computation by population protocols with a leader. In: DISC’06, Volume 4167 of LNCS, pp. 61–75. Springer, Berlin (2006)Google Scholar
 5.Angluin, D., Aspnes, J., Eisenstat, D.: Stably computable predicates are semilinear. In: PODC’06, pp. 292–299. ACM (2006)Google Scholar
 6.Angluin, D., Aspnes, J., Eisenstat, D.: Fast computation by population protocols with a leader. Distrib. Comput. 21(3), 183–199 (2008)CrossRefMATHGoogle Scholar
 7.Angluin, D., Aspnes, J., Eisenstat, D., Ruppert, E.: The computational power of population protocols. Distrib. Comput. 20(4), 279–304 (2007)CrossRefMATHGoogle Scholar
 8.Apt, K.R., Kozen, D.C.: Limits for automatic verification of finitestate concurrent systems. Inf. Process. Lett. 22(6), 307–309 (1986)MathSciNetCrossRefGoogle Scholar
 9.Bouziane, Z., Finkel, A.: Cyclic petri net reachability sets are semilinear effectively constructible. Electron. Notes Theor. Comput. Sci. 9, 15–24 (1997)MathSciNetCrossRefMATHGoogle Scholar
 10.Chatzigiannakis, I., Michail, O., Spirakis, P.G.: Algorithmic verification of population protocols. In: SSS’10, Volume 6366 of LNCS, pp. 221–235. Springer, Berlin (2010)Google Scholar
 11.Clement, J., DelporteGallet, C., Fauconnier, H., Sighireanu, M.: Guidelines for the verification of population protocols. In: ICDCS’11, pp. 215–224 (2011)Google Scholar
 12.Deng, Y., Monin, J.: Verifying selfstabilizing population protocols with coq. In: TASE’09, pp. 201–208. IEEE Computer Society (2009)Google Scholar
 13.Diamadi, Z., Fischer, M.J.: A simple game for the study of trust in distributed systems. Wuhan Univ. J. Nat. Sci. 6(1–2), 72–82 (2001)CrossRefGoogle Scholar
 14.Eilenberg, S., Schützenberger, M.P.: Rational sets in commutative monoids. J. Algebra 13(2), 173–191 (1969)MathSciNetCrossRefMATHGoogle Scholar
 15.Enderton, H.B.: A Mathematical Introduction to Logic. Academic Press, San Diego (2001)MATHGoogle Scholar
 16.Finkel, A., Leroux, J.: How to compose presburgeraccelerations: Applications to broadcast protocols. In: FST TCS’02, Volume 2556 of Lecture Notes in Computer Science, pp. 145–156. Springer, Berlin (2002)Google Scholar
 17.Finkel, A., Schnoebelen, P.: Wellstructured transition systems everywhere!. Theor. Comput. Sci. 256(1–2), 63–92 (2001)MathSciNetCrossRefMATHGoogle Scholar
 18.Fribourg, L., Olsén, H.: Reductions of petri nets and unfolding of propositional logic programs. In: LOPSTR’96, Volume 1207 of Lecture Notes in Computer Science, pp. 187–203. Springer, Berlin (1996)Google Scholar
 19.Ginsburg, S., Spanier, E.H.: Semigroups, Presburger formulas, and languages. Pac. J. Math. 16(2), 285–296 (1966)MathSciNetCrossRefMATHGoogle Scholar
 20.Hack, M.H.T.: Decidability questions for Petri nets. Technical Report 161, MIT (1976)Google Scholar
 21.Hirshfeld, Y.: Congruences in Commutative Semigroups. LFCS, Department of Computer Science, University of Edinburgh, Edinburgh (1994)Google Scholar
 22.Leroux, J.: The general vector addition system reachability problem by Presburger inductive invariants. In: LICS’09, pp. 4–13. IEEE Computer Society (2009)Google Scholar
 23.Leroux, J.: Vector addition system reversible reachability problem. In: CONCUR’11, Volume 6901 of LNCS, pp. 327–341. Springer, Berlin (2011)Google Scholar
 24.Leroux, J.: Vector addition systems reachability problem (a simpler solution). In: Turing100: The Alan Turing Centenary Conference, Volume 10 of EPiC Series, pp. 214–228. EasyChair (2012)Google Scholar
 25.Leroux, J.: Presburger vector addition systems. In: LICS’13, pp. 23–32. IEEE Computer Society (2013)Google Scholar
 26.Leroux, J.: Vector addition system reversible reachability problem. Log. Methods Comput. Sci. 9(1) (2013)Google Scholar
 27.Leroux, J., Schmitz, S.: Demystifying reachability in vector addition systems. In: LICS’15, pp. 56–67. IEEE Computer Society (2015)Google Scholar
 28.Leroux, J., Sutre, G.: Flat counter automata almost everywhere!. In: Peled, D.A., Tsay, Y. (eds.), Automated Technology for Verification and Analysis, Third International Symposium, ATVA 2005, Taipei, Taiwan, October 4–7, 2005, Proceedings, Volume 3707 of Lecture Notes in Computer Science, pp. 489–503. Springer, Berlin (2005)Google Scholar
 29.Lipton, R.: The Reachability Problem is ExponentialSpace Hard. Technical Report 62, Department of Computer Science, Yale University (1976)Google Scholar
 30.Mayr, E.W.: An algorithm for the general petri net reachability problem. In: STOC’81, pp. 238–246. ACM (1981)Google Scholar
 31.Navlakha, S., BarJoseph, Z.: Distributed information processing in biological and computational systems. Commun. ACM 58(1), 94–102 (2014)CrossRefGoogle Scholar
 32.Pang, J., Luo, Z., Deng, Y.: On automatic verification of selfstabilizing population protocols. In: TASE’08, pp. 185–192. IEEE Computer Society (2008)Google Scholar
 33.Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: CAV’09, Volume 5643 of LNCS, pp. 709–714. Springer, Berlin (2009)Google Scholar