Negotiation as concurrency primitive

  • Original Article
  • Acta Informatica

Abstract

This paper introduces negotiations, a model of concurrency close to Petri nets, with multi-party negotiations as concurrency primitive. We study two fundamental analysis problems. The soundness problem consists in deciding if it is always possible for a negotiation to terminate successfully, whatever the current state is. Given a sound negotiation, the summarization problem aims at computing an equivalent one-step negotiation with the same input/output behavior. The soundness and summarization problems can be solved by means of simple algorithms acting on the state space of the negotiation, which however face the well-known state explosion problem. We study alternative algorithms that avoid the construction of the state space. In particular, we define reduction rules that simplify a negotiation while preserving the sound/non-sound character of the negotiation and its summary. In a first result we show that our rules are complete for the class of weakly deterministic acyclic negotiations, meaning that they reduce all sound negotiations in this class, and only them, to equivalent one-step negotiations. This provides algorithms for both the soundness and the summarization problem that avoid the construction of the state space. We then study the class of deterministic negotiations. Our second main result shows that the rules are also complete for this class, even if the negotiations contain cycles. Moreover, we present an algorithm that completely reduces all sound deterministic negotiations, and only them, in polynomial time.

Notes

  1. Alternatively, we could have defined summaries of unsound negotiations by introducing unreliable atoms that, intuitively, may “get stuck”. The summary of an unsound negotiation would then be an unreliable atom with the same summary transformers as the original negotiation. In this paper we do not further investigate this possibility.

  2. Infinite reduction sequences are of course undesirable. We define them, but show how to avoid them.

  3. Whenever in the figures of this section the names of the results are not important, we omit them.

References

  1. Abdelzaher, T.F., Atkins, E.M., Shin, K.G.: QoS negotiation in real-time systems and its application to automated flight control. IEEE Trans. Comput. 49(11), 1170–1183 (2000)

  2. Berthelot, G.: Transformations and decompositions of nets. In: Advances in Petri Nets, LNCS, vol. 254, pp. 359–376. Springer (1986)

  3. Bacarin, E., Madeira, E.R.M., Medeiros, C.B., van der Aalst, W.M.P.: SpiCa’s multi-party negotiation protocol: Implementation using YAWL. Int. J. Cooper. Inf. Syst. 20(3), 221–259 (2011)

  4. Capkovic, F.: Cooperation and negotiation of agents by means of Petri net-based models. In: 17th International Conference on Methods and Models in Automation and Robotics (MMAR), pp. 256–261 (2012)

  5. Desel, J., Esparza, J.: Free Choice Petri Nets. Cambridge University Press, New York (1995)

  6. Desel, J., Esparza, J.: Negotiations and Petri nets. In: Proceedings of the International Workshop on Petri Nets and Software Engineering (PNSE’15), CEUR Workshop. CEUR-WS.org, vol. 1372, pp. 41–57 (2015)

  7. Desel, J.: Struktur und Analyse von Free-Choice-Petrinetzen. DUV Informatik. Deutscher Universitätsverlag, Wiesbaden (1992)

  8. Davis, R., Smith, R.G.: Negotiation as a metaphor for distributed problem solving. Artif. Intell. 20(1), 63–109 (1983)

  9. Esparza, J., Desel, J.: On negotiation as concurrency primitive. In: CONCUR, Lecture Notes in Computer Science, vol. 8052. Springer, pp. 440–454 (2013)

  10. Esparza, J., Desel, J.: On negotiation as concurrency primitive II: Deterministic cyclic negotiations. In: FoSSaCS, Lecture Notes in Computer Science, vol. 8412. Springer, pp. 258–273 (2014)

  11. Esparza, J., Hoffmann, P.: Reduction rules for colored workflow nets. In: Proceedings of the 19th International Conference on Fundamental Approaches to Software Engineering, FASE 2016, Lecture Notes in Computer Science, vol. 9633. Springer, pp. 342–358 (2016)

  12. Esparza, J., Hoffmann, P., Saha, R.: Polynomial analysis algorithms for free choice probabilistic workflow nets. In: Proceedings of the 13th International Conference on Quantitative Evaluation of Systems, QEST 2016, Lecture Notes in Computer Science, vol. 9826. Springer, pp. 89–104 (2016)

  13. Esparza, J., Muscholl, A., Walukiewicz, I.: Static analysis of deterministic negotiations. In: Proceedings of LICS’17 (2017, to appear)

  14. Esparza, J.: Decidability and complexity of Petri net problems—an introduction. In: Petri Nets, LNCS, vol. 1491. Springer, pp. 374–428 (1996)

  15. Favre, C., Völzer, H., Müller, P.: Diagnostic information for control-flow analysis of workflow graphs (a.k.a. free-choice workflow nets). In: Proceedings of the 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2016, Lecture Notes in Computer Science, vol. 9636. Springer, pp. 463–479 (2016)

  16. Genrich, H.J., Thiagarajan, P.S.: A theory of bipolar synchronization schemes. Theor. Comput. Sci. 30, 241–318 (1984)

  17. Haddad, S.: A reduction theory for coloured nets. In: Rozenberg, G. (ed.) Advances in Petri Nets, LNCS, vol. 424, pp. 209–235. Springer, Berlin (1988)

  18. Hopcroft, J.E., Motwani, R., Ullman, J.D.: Introduction to Automata Theory, Languages, and Computation, 3rd edn. Addison-Wesley Longman, Boston (2006)

  19. Haddad, S., Pradat-Peyre, J.-F.: New efficient Petri nets reductions for parallel programs verification. Parallel Process. Lett. 16(1), 101–116 (2006)

  20. Jennings, N.R., Faratin, P., Lomuscio, A.R., Parsons, S., Wooldridge, M.J., Sierra, C.: Automated negotiation: prospects, methods and challenges. Group Decis. Negot. 10(2), 199–215 (2001)

  21. Ji, S., Tian, Q., Liang, Y.: A Petri-net-based modeling framework for automated negotiation protocols in electronic commerce. In: PRIMA, LNCS, vol. 4078. Springer, pp. 324–336 (2005)

  22. Papadimitriou, C.H., Yannakakis, M.: The complexity of facets (and some facets of complexity). In: Lewis, H.R., Simons, B.B., Burkhard, W.A., Landweber, L.H. (eds.) STOC. ACM, pp. 255–260 (1982)

  23. Salaün, G., Ferrara, A., Chirichiello, A.: Negotiation among web services using LOTOS/CADP. In: ECOWS, LNCS, vol. 3250. Springer, pp. 198–212 (2004)

  24. van der Aalst, W.M.P.: The application of Petri nets to workflow management. J. Circuits Syst. Comput. 08(01), 21–66 (1998)

  25. van Dongen, B.F., van der Aalst, W.M.P., Verbeek, H.M.W.: Verification of EPCs: Using reduction rules and Petri nets. In: CAiSE, LNCS, vol. 3520. Springer, pp. 372–386 (2005)

  26. Verbeek, H.M.W., Wynn, M.T., van der Aalst, W.M.P., ter Hofstede, A.H.M.: Reduction rules for reset/inhibitor nets. J. Comput. Syst. Sci. 76(2), 125–143 (2010)

  27. Winsborough, W.H., Seamons, K.E., Jones, V.E.: Automated trust negotiation. In: Proceedings of the DARPA Information Survivability Conference and Exposition, 2000. DISCEX’00, vol. 1. IEEE, pp. 88–102 (2000)

Acknowledgements

Proposition 48 was proved by Javier Esparza, Anca Muscholl and Igor Walukiewicz, and appeared in [13]. We also thank Anca Muscholl, Igor Walukiewicz, and two anonymous reviewers for numerous suggestions and comments. Finally, we thank Philipp J. Meyer for invaluable help with the proofs of “Appendix C”.

Author information

Corresponding author

Correspondence to Javier Esparza.

Additional information

This work was partially supported by the Graduiertenkolleg 1480 PUMA and the project “Negotiations: A Model of Tractable Concurrency,” both funded by the German Research Council, and by the Institute of Advanced Studies of the Technical University of Munich.

Appendices

Appendix A: Complexity of soundness

Theorem 10

The soundness problem is PSPACE-complete. For acyclic negotiations, the problem is co-NP-hard and in DP (and so at level \(\Delta ^P_2\) of the polynomial hierarchy).

Proof

The soundness problem is in PSPACE.

Membership in PSPACE could be proved by observing that the soundness problem can be formulated in CTL, and then applying the PSPACE algorithm for CTL and 1-safe Petri nets of [14]. This algorithm only assumes that, given a marking, one can compute a successor marking in polynomial time, which is the case both for Petri nets and for negotiations. However, since we only need a very special case of the CTL algorithm, we provide a self-contained proof.

We show that both conditions for soundness can be checked in nondeterministic polynomial space. The result then follows from Savitch’s theorem (NPSPACE=PSPACE).

The first condition is: every atom is enabled at some reachable marking. For this we consider each atom n in turn, and guess step by step an occurrence sequence ending with an occurrence of n. This only requires storing the marking reached by the sequence executed so far.

The second condition is: every occurrence sequence from the initial marking is either a large step or can be extended to a large step. This case is a bit more involved. Let S denote the problem of checking this second condition. We prove \(S \in \text {PSPACE}\).

  (1) The following problem is in PSPACE: given some marking \({\varvec{x}}\), check that no occurrence sequence starting at \({\varvec{x}}\) ends with the final atom.

    Let us call this problem NO-OCC. We have \(\overline{\text {NO-OCC}} \in \text {NPSPACE}\), because we can nondeterministically guess an occurrence sequence starting at \({\varvec{x}}\) that ends with the final atom (we guess one step at a time). Since NPSPACE=PSPACE=co-PSPACE, we get \(\text {NO-OCC} \in \text {PSPACE}\).

  (2) \(\overline{S} \in \text {NPSPACE}\).

    \(\overline{S}\) consists of checking the existence of a sequence \(\sigma \), fireable from the initial marking, that is neither a large step nor can be extended to it. For this we guess a sequence \(\sigma \) step by step that does not end with the final atom. Then we consider the marking \({\varvec{x}}\) reached by the occurrence of \(\sigma \). Clearly, we have \(\sigma \in \overline{S}\) iff \({\varvec{x}}\in \text {NO-OCC}\). So it suffices to apply our deterministic polynomial-space algorithm for NO-OCC (see (1)).

  (3) \(S \in \text {PSPACE}\).

    Follows from (2) and NPSPACE=PSPACE=co-PSPACE.

The soundness problem is PSPACE-hard.

For PSPACE-hardness, we reduce the problem of deciding if a deterministic linearly bounded automaton (DLBA) recognizes an input to the soundness problem. Let \(A=(Q,\Sigma ,\delta ,q_0,F)\) be a DLBA, and consider an input \(w=a_1 \ldots a_k \in \Sigma ^*\). The construction is very similar to that of [14] for proving PSPACE-hardness of the reachability problem for 1-safe Petri nets, and so we do not provide all details. The negotiation has a control agent C, a head agent H, and a cell agent \(T_i\) for every tape cell (i.e., \(1 \le i \le k\)). All agents have only one internal state, i.e., the internal states are irrelevant. The negotiation has an atom n[qha] (with only one result) for every state q, every head position \(1 \le h \le k\), and every \(a \in \Sigma \), plus an initial atom \(n_0\) and a final atom \(n_f\). The parties of n[qha] are C, H, and \(T_h\). The transition function is defined so that simulates A in the following sense: If A is currently in state q with the head at position h, and the contents of the tape are \(b_1 \ldots b_k\), then the current marking \({\varvec{x}}\) of the negotiation satisfies the following properties:

  • if \(q\ne q_f\), then \({\varvec{x}}(C)\) is the set of atoms \(n[h',q', a]\) such that \(q'=q\), and both \(h'\) and a are arbitrary; if \(q = q_f\), then \({\varvec{x}}(C) = \{ n_f\}\);

  • \({\varvec{x}}(H)\) is the set of atoms \(n[h',q', a]\) such that \(h'=h\) and \(q',a\) are arbitrary, plus the final atom;

  • \({\varvec{x}}(T_i)\) is the set of atoms \(n[h',q', a]\) such that \(h'=i\), \(q'\) is arbitrary, and \(a=b_i\), plus the final atom.

Intuitively, agent C is only ready to engage in atoms for the state q; agent H is only ready to engage in atoms for the position h; and \(T_h\) is only ready to engage in atoms for the letter \(b_h\). These properties guarantee that the only atom enabled by \({\varvec{x}}\) is \(n[h,q,b_h]\) if \(q \ne q_f\), or the atom \(n_f\) if \(q=q_f\). So the negotiation has only one initial occurrence sequence, which corresponds to the execution of A on w.

It remains to define so that it satisfies these properties. For the initial atom we take (recall that the input of the DLBA A is the word \(w=a_1 \ldots a_k\)):

For the transition function of an atom n[qha] we must consider the three possible cases of the transition relation (head moves to the right, to the left, or stays put). We only deal with the case in which the machine moves to the right, the others being analogous. Assume \(\delta (q,a)=(\hat{q},\hat{a},R)\). Then we take

Since A is deterministic, has only one maximal occurrence sequence, which is a large step iff A accepts. So is sound iff A accepts.

The soundness problem for acyclic negotiations is in DP.

We first observe that no occurrence of an acyclic negotiation contains an atom more than once (loosely speaking, once the tokens of the parties of the atom have “passed” beyond it, they cannot return). It follows that the length of an occurrence sequence is at most equal to the number of atoms. It also follows that there are no livelocks, but there may be deadlocks. To check soundness we must check that (1) every atom can be enabled, and that (2) every occurrence sequence can be extended to a large step. Checking (1) can be done by guessing in polynomial time enabling sequences for all atoms, and so (1) is in NP. Checking the negation of (2) can be done by guessing in polynomial time an occurrence sequence that cannot be extended to a large step because it leads to a deadlock, and so (2) is in coNP. So the conjunction of (1) and (2) is in DP.

The soundness problem for acyclic negotiations is co-NP-hard.

We reduce 3-CNF-UNSAT to soundness. Given a Boolean formula \(\phi \) with variables \(x_i\), \(1 \le i \le n\) and clauses \(c_j\), \(1 \le j \le m\), we construct a negotiation with an agent \(X_i\) for each \(x_i\), and an agent J (for judge). W.l.o.g. we assume that no clause of \(\phi \) is a tautology. For each variable \(x_i\), has an atom \( Set\_x _i\) with \(X_i\) as only party and results \(\texttt {true}\) and \(\texttt {false}\). For each clause \(c_j\), the negotiation has an atom \( False _j\) whose parties are the variables appearing in \(c_j\) and the judge J. The atom has only one result \(\texttt {false}\).

After the initial atom, agent \(X_i\) engages in \( Set\_x _i\) and sets \(x_i\) to a value b with \(b \in \{\texttt {true},\texttt {false}\}\) by choosing the appropriate result. After that, \(X_i\) is ready to engage in the atoms \( False _j\) satisfying the following condition: the clause \(c_j\) is not made true by setting \(x_i\) to b; moreover, it is also ready to engage in the final atom. As a consequence, \( False _j\) becomes enabled iff the assignment chosen by the \(X_i\)’s makes \(c_j\) false. Finally, after the occurrence of a \( False _j\), its parties are only ready to engage in the final atom.

After the initial atom, the judge J is ready to engage in all atoms \( False _j\), and then, if any of them occurs, in the final atom.

We argue that is sound iff \(\phi \) is unsatisfiable. Notice first that, since by assumption no clause is a tautology, every \( False _j\) atom is enabled by some occurrence sequence. So all atoms but perhaps the final atom can be enabled by some sequence. So is sound iff every occurrence sequence can be extended to a large step, and therefore it suffices to show that \(\phi \) is unsatisfiable iff every occurrence sequence of can be extended to a large step.

If \(\phi \) is unsatisfiable then, whatever the assignment determined by the outcome of the \( Set\_x _i\)’s, some clause is false, and so at least one of the \( False _j\) atoms is enabled. After some \( False _j\) occurs, the final atom becomes enabled, and so the computation can be extended to a large step.

If \(\phi \) is satisfiable, then consider an initial occurrence sequence in which the atoms \( Set\_x _i\) occur, and then choose the outcomes corresponding to a satisfying assignment. This way none of the \( False _j\) atoms become enabled. Moreover, the final atom is not enabled either, because the judge J is not ready to engage in it. So the occurrence sequence cannot be extended to a large step. \(\square \)
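The reduction above can be run on small formulas. The following Python sketch is an added example, not code from the paper: it builds the negotiation for a CNF formula as described in this proof and checks the two soundness conditions by explicit state-space exploration (the simple algorithm that suffers from state explosion). It assumes that a marking maps each agent to the set of atoms it is ready to engage in, that an atom is enabled when all its parties are ready for it, and that the final atom leaves every agent with the empty set; the names `build_negotiation`, `is_sound`, `n0`, `nf`, `Set<i>`, `False<j>` and the result labels are chosen here.

```python
from collections import deque
from itertools import product


def build_negotiation(clauses, n_vars):
    """Negotiation for a CNF formula (clauses = lists of nonzero ints, DIMACS style).

    Clauses are assumed not to be tautologies, as in the proof.
    Returns (agents, parties, delta); delta[(atom, result, agent)] is the set of
    atoms the agent is ready to engage in after that outcome.
    """
    agents = [f"X{i}" for i in range(1, n_vars + 1)] + ["J"]
    false_atoms = [f"False{j}" for j in range(len(clauses))]
    parties = {"n0": set(agents), "nf": set(agents)}
    # After the initial atom the judge is ready for every False_j, but not for nf.
    delta = {("n0", "start", "J"): frozenset(false_atoms)}
    for i in range(1, n_vars + 1):
        agent = f"X{i}"
        parties[f"Set{i}"] = {agent}
        delta[("n0", "start", agent)] = frozenset({f"Set{i}"})
        for value in (True, False):
            falsified = -i if value else i  # literal of x_i made false by this choice
            ready = {false_atoms[j] for j, c in enumerate(clauses) if falsified in c}
            delta[(f"Set{i}", value, agent)] = frozenset(ready | {"nf"})
    for j, clause in enumerate(clauses):
        parties[false_atoms[j]] = {f"X{abs(lit)}" for lit in clause} | {"J"}
        for agent in parties[false_atoms[j]]:
            delta[(false_atoms[j], "false", agent)] = frozenset({"nf"})
    for agent in agents:
        delta[("nf", "end", agent)] = frozenset()  # assumption: final marking is empty
    return agents, parties, delta


def is_sound(agents, parties, delta):
    """Check both soundness conditions on the explicit reachability graph."""
    results = {}
    for atom, result, _ in delta:
        results.setdefault(atom, set()).add(result)
    pos = {agent: k for k, agent in enumerate(agents)}
    initial = tuple(frozenset({"n0"}) for _ in agents)
    final = tuple(frozenset() for _ in agents)
    succ, enabled_somewhere, queue = {initial: set()}, set(), deque([initial])
    while queue:  # forward exploration of all reachable markings
        x = queue.popleft()
        for atom, ps in parties.items():
            if not all(atom in x[pos[p]] for p in ps):
                continue  # some party is not ready for this atom
            enabled_somewhere.add(atom)
            for result in results[atom]:
                y = list(x)
                for p in ps:
                    y[pos[p]] = delta[(atom, result, p)]
                y = tuple(y)
                succ[x].add(y)
                if y not in succ:
                    succ[y] = set()
                    queue.append(y)
    # Backward fixpoint: markings from which the final marking is reachable.
    can_finish = {final} & set(succ)
    changed = True
    while changed:
        changed = False
        for x, ys in succ.items():
            if x not in can_finish and ys & can_finish:
                can_finish.add(x)
                changed = True
    # Condition 1: every atom is enabled somewhere. Condition 2: no dead ends.
    return enabled_somewhere == set(parties) and can_finish == set(succ)


def satisfiable(clauses, n_vars):
    """Brute-force SAT check, used only to cross-check the reduction."""
    return any(
        all(any((lit > 0) == bits[abs(lit) - 1] for lit in c) for c in clauses)
        for bits in product((False, True), repeat=n_vars)
    )


def sound_for(clauses, n_vars):
    return is_sound(*build_negotiation(clauses, n_vars))


# Constructed sample formulas (not from the paper).
UNSAT_3CNF = [[a * 1, b * 2, c * 3] for a in (1, -1) for b in (1, -1) for c in (1, -1)]
SAT_CNF = [[1, 2], [-1, 2]]  # satisfied by x2 = true

if __name__ == "__main__":
    for name, cnf, n in (("UNSAT_3CNF", UNSAT_3CNF, 3), ("SAT_CNF", SAT_CNF, 2)):
        print(name, "satisfiable:", satisfiable(cnf, n), "sound:", sound_for(cnf, n))
```

For the satisfiable sample, the exploration reaches the deadlock described in the last paragraph of the proof: all variables are set, no \( False _j\) atom is enabled, and the judge is not ready for the final atom.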

Appendix B: A lemma on irreducible acyclic negotiations

Lemma 35

Let be an irreducible sound and deterministic acyclic negotiation and let \(n \ne n_f\) be an atom of with more than one result. Then every agent participates in n.

Proof

Recall that “irreducible” in this context means that neither the merge rule nor the d-shortcut rule can be applied. We proceed in two steps.

(a) We show: the atom n has a result \({\mathtt{r}}\) such that either \((n,{\mathtt{r}})\) unconditionally enables \(n_f\) or \((n,{\mathtt{r}})\) unconditionally enables some atom with more than one result.

We first prove a preliminary claim: if some outcome \((n,{\mathtt{r}})\) unconditionally enables an atom \(n' \ne n_f\), then \(n'\) has more than one result (i.e., then (a) holds). If \((n,{\mathtt{r}})\) has exclusive access to \(n'\) then \(n'\) has more than one result, because otherwise the d-shortcut rule was applicable, contradicting that is irreducible. If \((n,{\mathtt{r}})\) does not have exclusive access to \(n'\), then some port of \(n'\) has an additional ingoing arc. Since is deterministic, we have for some outcome \((n'',{\mathtt{r}}'') \ne (n,{\mathtt{r}})\) and some \(p \in P_{n'}\); so \((n'', {\mathtt{r}}'')\) commits to \(n'\). Also in this case we obtain that \(n'\) has more than one result, because otherwise the d-shortcut rule was applicable. This proves the claim.

It remains to show that some outcome \((n,{\mathtt{r}})\) unconditionally enables some atom. For this, we assume the contrary, and prove that then contains a cycle, contradicting that is acyclic.

Since the merge rule is not applicable to , the atom n has two results \({\mathtt{r}}_1, {\mathtt{r}}_2\) such that for some party p. We proceed in three steps.

(a1) We show: for every reachable marking \({\varvec{x}}\) that enables n there is a sequence \(\sigma \) such that \({\varvec{x}}\xrightarrow []{(n,{\mathtt{r}}_1) \, \sigma } {\varvec{x}}_1\) and \({\varvec{x}}\xrightarrow []{(n,{\mathtt{r}}_2) \, \sigma } {\varvec{x}}_2\) for some markings \({\varvec{x}}_1\) and \({\varvec{x}}_2\) satisfying the property that the sets \(N_1\) and \(N_2\) of atoms enabled by \({\varvec{x}}_1\) and \({\varvec{x}}_2\) are nonempty and disjoint.

Let \(\sigma \) be a longest occurrence sequence such that \({\varvec{x}}\xrightarrow []{(n,{\mathtt{r}}_1)} {\varvec{x}}_1' \xrightarrow []{\sigma } {\varvec{x}}_1\) and \({\varvec{x}}\xrightarrow []{(n,{\mathtt{r}}_2)} {\varvec{x}}_2' \xrightarrow []{\sigma } {\varvec{x}}_2\) for some markings \({\varvec{x}}_1', {\varvec{x}}_1, {\varvec{x}}_2', {\varvec{x}}_2\) (notice that \(\sigma \) exists because all occurrence sequences of are finite by acyclicity). We have \(N_1 \cap N_2 = \emptyset \) because otherwise we can extend \(\sigma \) with the occurrence of an atom enabled by both markings. It remains to prove \(N_1 \ne \emptyset \ne N_2\). By symmetry, it suffices to show \(N_1 \ne \emptyset \). We proceed indirectly and assume \(N_1 = \emptyset \). Then, since is sound, we have \({\varvec{x}}_1 = {\varvec{x}}_f\) (the final marking), which implies that the last step of \(\sigma \) is of the form \((n_f, {\mathtt{r}}_f)\). So \({\varvec{x}}_1 = {\varvec{x}}_2 = {\varvec{x}}_f\). It is easy to see that then \({\varvec{x}}_1' = {\varvec{x}}_2'\), because \(\sigma \) leads both markings to the same marking \({\varvec{x}}_f\). Therefore, and since is deterministic, for every party p of n, and the merge rule is applicable, contradicting that is irreducible.

(a2) Let \(N_1\) and \(N_2\) be defined as in (a1). For every \(n_1 \in N_1\) there is a path leading from some \(n_2 \in N_2\) to \(n_1\), and for every \(n_2 \in N_2\) there is a path leading from some \(n_1 \in N_1\) to \(n_2\).

By symmetry it suffices to prove the first part. Let \(n_1\) be an atom in \(N_1\). Since \(N_1\) and \(N_2\) are disjoint, \(n_1\) is enabled at \({\varvec{x}}_1\), but not at \({\varvec{x}}_2\). Moreover, since is acyclic, every atom can occur at most once in an occurrence sequence, and so neither \(n_1\) nor \(n_2\) appear in \(\sigma \). Since the sequences \((n,{\mathtt{r}}_1)\, \sigma \) and \((n,{\mathtt{r}}_2)\, \sigma \) only differ in their first element and \(\sigma \) removes the same tokens in both sequences, there is an agent p such that and for some \(n_2' \ne n_1\) (\(n_2'\) is not necessarily the \(n_2 \in N_2\) we are looking for). So we have \({\varvec{x}}_1(p) = \{n_1\}\) and \({\varvec{x}}_2(p)= \{n_2'\}\) (see Fig. 26).

Fig. 26: Illustration of the proof of Lemma 35

We first show that there is a path from \(n_2'\) to \(n_1\). By assumption, no outcome of n unconditionally enables any atom, and so \((n,{\mathtt{r}}_1)\) does not unconditionally enable \(n_1\). So \(n_1\) has a party \(q \ne p\) such that either \(q\notin P_n\) or \(q \in P_n\), but . Therefore, and since \({\varvec{x}}_1(q)= \{n_1\}\) (\({\varvec{x}}_1\) enables \(n_1\)) the input token of the q-port of \(n_1\) is generated by an outcome in \(\sigma \). Hence we have \({\varvec{x}}_2(q)=\{n_1\}\) as well. Since is a sound and deterministic acyclic negotiation, there is an occurrence sequence leading from \({\varvec{x}}_2\) to \({\varvec{x}}_f\). Since \({\varvec{x}}_2(q)=\{n_1\}\), the atom \(\{n_1\}\) occurs in this sequence; assume \({\varvec{x}}_2 \xrightarrow []{\tau } {\varvec{x}}_2'\) and \({\varvec{x}}_2'\) enables \(n_1\). Since the (in Fig. 26 white) input token to the p-port of \(n_2'\) can only be moved to \(n_1\) by the occurrence of \(n_2'\) ( is deterministic), there is a path from \(n_2'\) to \(n_1\).

We now prove that there is a path from some \(n_2 \in N_2\) to \(n_2'\). If \(n_2'\) is enabled at \({\varvec{x}}_2\), then \(n_2' \in N_2\) and we are done. If \(n_2'\) is not enabled at \({\varvec{x}}_2\) (as in the figure) then, since \({\varvec{x}}_2(p)= \{n_2'\}\) and is a sound and deterministic acyclic negotiation, there is an occurrence sequence from \({\varvec{x}}_2\) to \({\varvec{x}}_f\). The (white) input token of the p-port of \(n_2'\) can only be moved by the occurrence of \(n_2'\) ( is deterministic), whence \((n_2', {\mathtt{r}}_2')\) occurs in the sequence for some result \({\mathtt{r}}_2'\) of \(n_2'\). Let \({\varvec{x}}_2 \xrightarrow []{(n_2, {\mathtt{r}}_2) \, \tau \,(n_2', {\mathtt{r}}_2')} {\varvec{x}}_2'\). Since \(N_2\) is the set of transitions enabled at \({\varvec{x}}_2\), we have \(n_2 \in N_2\). Observe that for each atom occurring in \(\tau \,(n_2', {\mathtt{r}}_2')\) there is a path from \(n_2\) to this atom, because otherwise the atom would already be enabled at \({\varvec{x}}_2\) and also at \({\varvec{x}}_1\), against the maximality of \(\sigma \). Hence there is a path from \(n_2\) to \(n'_2\).

(a3) contains a cycle.

By (a2), we can construct an infinite alternating sequence of atoms \(n_1, n_2, n_3, \ldots \) such that, for odd i, \(n_i \in N_1\) and, for even i, \(n_i \in N_2\), and such that, for each i, there is a path from \(n_{i+1}\) to \(n_i\). Since \(N_1\) and \(N_2\) are finite, there must exist \(n_j\) and \(n_k\), \(j<k\), such that \(n_j = n_k\), i.e., a cycle.

(b) Every agent participates in n.

By repeated application of (a) we find a chain \((n_1, r_1) \ldots (n_k, r_k)\) such that \(n_1 = n\), \(n_k = n_f\), and \((n_i, r_i)\) unconditionally enables \(n_{i+1}\) for \(1 \le i \le k-1\). By the definition of an unconditionally enabled atom we have \(P_{n_1} \supseteq P_{n_2} \supseteq \cdots \supseteq P_{n_k} = P_{n_f}\). Since \(P_{n_f} = A\), we obtain \(P_{n_1} = A\). \(\square \)

Appendix C: Unique targets of maximal sequences

The proof of Proposition 46 is very involved and requires some preliminaries. In Sect. C.1 we introduce the notions of loop of a negotiation, and synchronizer of a loop. Loosely speaking, a loop is an occurrence sequence leading from a marking to itself, and a synchronizer of a loop is an atom having as parties all the agents that participate in any of the atoms of the loop. We prove an important result stating that every minimal loop of a sound deterministic negotiation has a synchronizer (Proposition 64). In Sect. C.2 we use this result to prove Proposition 68, stating that every cycle of a negotiation has a dominating atom, which is an atom having as parties all the agents that participate in any of the atoms of the cycle. Equipped with these propositions, in Sect. C.3 we prove Proposition 46.

C.1 Loops and synchronizers

A loop is an occurrence sequence leading back to the marking from which it started.

Definition 60

A loop of a negotiation is a nonempty sequence \(\sigma \) of outcomes such that \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) for some marking \({\varvec{x}}\) of . We say that \({\varvec{x}}\) enables \(\sigma \). Given a loop \(\sigma \), we denote by \(N_\sigma \) the set of atoms of that appear in some outcome of \(\sigma \), and by \(P_\sigma \) the set of agents that participate in at least one atom of \(N_\sigma \). A loop \(\sigma \) is minimal if no loop \(\sigma '\) satisfies \(N_{\sigma '} \subset N_\sigma \).

The sequences

$$\begin{aligned} \sigma _1= & {} (n_1, \texttt {a})\, (n_2, \texttt {a}) \, (n_4, \texttt {b}) \, (n_5, \texttt {a})\\ \sigma _2= & {} (n_6, \texttt {a}) \, (n_7, \texttt {b}) \\ \sigma _3= & {} (n_1, \texttt {b}) \, (n_3, \texttt {a}) \, (n_4, \texttt {c}) \, (n_3, \texttt {a}) \, (n_4, \texttt {b}) \, (n_5, \texttt {a}) \end{aligned}$$

are loops of the negotiation of Fig. 21. We have \(N_{\sigma _3} = \{ n_1, n_3, n_4, n_5 \}\). Numbering the agents of the negotiation from left to right, the set \(P_{\sigma _2}\) contains only the third agent, while \(P_{\sigma _1}\) and \(P_{\sigma _3}\) contain the first and the second agent.

Definition 61

Let \(\sigma \) be a loop of a negotiation. An atom \(n \in N_\sigma \) is a synchronizer of \(\sigma \) if \(P_{n'} \subseteq P_n\) for every atom \(n' \in N_\sigma \). We say that \(\sigma \) is synchronized by n. An atom is a synchronizer if it synchronizes at least one loop of .

The loop \(\sigma _1\) above is synchronized by \(n_1\) and \(n_4\), but not by \(n_2\) or \(n_5\). The atoms \(n_1\), \(n_3\), \(n_4\), \(n_6\) and \(n_7\) are synchronizers of the negotiation, while \(n_0\), \(n_2\), \(n_5\), \(n_8\), and \(n_f\) are not; the atoms \(n_0\), \(n_8\), and \(n_f\) do not belong to any loop, whereas atoms \(n_2\) and \(n_5\) do belong to loops, but only to loops that contain atoms with strictly more parties.

We prove two properties of a sound cyclic deterministic negotiation : it has at least one loop, and every loop has at least one synchronizer.

Proposition 62

Every sound cyclic deterministic negotiation has a loop.

Proof

Let \(\pi \) be a cycle of . Let \(n_1\) be an arbitrary atom occurring in \(\pi \), and let \(n_2\) be its successor in \(\pi \). Observe that \(n_1 \ne n_f\) because \(n_f\) has no successor, and hence no cycle contains \(n_f\). By soundness, some reachable marking \({\varvec{x}}_1\) enables \(n_1\), and so for at least one party p and one result \({\mathtt{r}}\). Since is deterministic, we have . Let \({\varvec{x}}_1 \xrightarrow []{(n_1,{\mathtt{r}})} {\varvec{x}}_1'\). Again by soundness, some occurrence sequence leads from \({\varvec{x}}_1'\) to the final marking. This sequence must contain an occurrence of \(n_2\), because this is the only atom agent p is ready to engage in. In particular, some prefix of this sequence leads to a marking \({\varvec{x}}_2\) that enables \(n_2\).

Repeating this argument for the nodes \(n_1\), \(n_2\), \(n_3\), ..., \(n_k = n_1\) of the cycle \(\pi \), we conclude that has an infinite occurrence sequence \(\sigma \). Since the set of reachable markings is finite, we have \(\sigma = \sigma _1 \, \sigma _2 \, \sigma _3\) such that the markings reached after \(\sigma _1 \) and after \(\sigma _1 \, \sigma _2\) are equal. So this marking enables the loop \(\sigma _2\). \(\square \)

Now we prove that every minimal loop has a synchronizer. We start with a technical lemma. Intuitively, it states that the occurrence of an outcome of a loop \(\sigma \) never decreases the set of agents ready to engage in atoms of \(N_\sigma \).

Lemma 63

Let \(\sigma \) be a loop of a negotiation, let \((n, {\mathtt{r}})\) be an outcome appearing in \(\sigma \), and let \({\varvec{x}}_1, {\varvec{x}}_2\) be arbitrary markings such that \({\varvec{x}}_1 \xrightarrow []{(n, {\mathtt{r}})} {\varvec{x}}_2\). For every agent p the following holds: if \({\varvec{x}}_1(p) \cap N_\sigma \ne \emptyset \), then \({\varvec{x}}_2(p) \cap N_\sigma \ne \emptyset \).

Proof

Assume \({\varvec{x}}_1(p) \cap N_\sigma \ne \emptyset \). If \(p\notin P_n\) then \({\varvec{x}}_1(p) = {\varvec{x}}_2(p)\), and so \({\varvec{x}}_2(p) \cap N_\sigma \ne \emptyset \). So assume \(p\in P_n\). Since \({\varvec{x}}_1 \xrightarrow []{(n, {\mathtt{r}})} {\varvec{x}}_2\), we have \(n \in {\varvec{x}}_1(p)\). By the definition of a loop, there is a sequence \(\tau \) and reachable markings \({\varvec{x}},{\varvec{x}}'\) such that \({\varvec{x}}\xrightarrow []{(n,{\mathtt{r}})} {\varvec{x}}' \xrightarrow []{\tau } {\varvec{x}}\) (the sequence \((n, {\mathtt{r}}) \, \tau \) is a circular permutation of \(\sigma \)). Since we have , it suffices to show \({\varvec{x}}'(p) \cap N_\sigma \ne \emptyset \).

If \(n \in {\varvec{x}}'(p)\), then we are done. If \(n \notin {\varvec{x}}'(p)\) then, since \(n \in {\varvec{x}}(p)\) and \({\varvec{x}}' \xrightarrow []{\tau } {\varvec{x}}\), the sequence \(\tau \) contains an outcome \((n', {\mathtt{r}}')\) such that \(n' \in {\varvec{x}}'(p)\). Since, by definition, only atoms of \(N_\sigma \) occur in \(\tau \), we have \(n' \in N_\sigma \), and so \({\varvec{x}}'(p) \cap N_\sigma \ne \emptyset \). \(\square \)

Proposition 64

Every minimal loop of a sound deterministic negotiation is synchronized by at least one of its atoms.

Proof

Let \(\sigma \) be a minimal loop enabled at a reachable marking \({\varvec{x}}\), i.e., \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\). Since is sound, there is an occurrence sequence \({\varvec{x}}\xrightarrow []{\sigma _f} {\varvec{x}}_f\). Let \(\sigma _f = (n_1, {\mathtt{r}}_1), \, \ldots , (n_k, {\mathtt{r}}_k)\), where \(n_k = n_f\). Choose an arbitrary agent \(\hat{p}\) of \(P_\sigma \), and let \(n_{j_0}\) be the last occurrence in \(\sigma _f\) of an atom of \(N_\sigma \) having \(\hat{p}\) as party. Since \({\varvec{x}}\) enables \(\sigma \), we have \({\varvec{x}}(\hat{p}) \cap N_\sigma \ne \emptyset \). By determinism, \({\varvec{x}}(\hat{p}) = \{n'\} \subseteq N_\sigma \) for some atom \(n' \in N_\sigma \). Clearly, \(\hat{p}\) is a party of \(n'\). Since \(\hat{p}\) is a party also of \(n_f\), an outcome \((n', {\mathtt{r}}')\) occurs in \(\sigma _f\). Therefore, \(n_{j_0}\) as defined above exists. We will prove that \(n_{j_0}\) is a synchronizer of \(\sigma \).

We iteratively construct a path \(\pi \) of containing only atoms having \(\hat{p}\) as party. We begin with the sequence of atoms occurring in \(\pi \). All these atoms occur in \(\sigma _f\). The first atom is \(n_{j_0}\), defined above. Assume now that we already constructed a sequence of atoms \(n_{j_0}, n_{j_1}, \ldots , n_{j_i}\) for some \(j_0< j_1< \cdots < j_i\) and \(n_{j_i} \ne n_f\). We choose \(n_{j_{i+1}}\) as the last occurrence of an atom in \(\sigma _f\) that has \(\hat{p}\) as party and is an immediate successor of \(n_{j_i}\), meaning that for some result \({\mathtt{r}}'_i\). The definition of \(n_{j_0}\) guarantees that the only atom of this sequence that belongs to \(N_\sigma \) is \(n_{j_0}\). The construction of the sequence guarantees that all its atoms are distinct. Since \(\hat{p}\) participates in \(n_f\) and \(\sigma \) ends with an occurrence of \(n_f\), the sequence ends with \(n_f\). By construction, the sequence can be extended to a path \((n_{j_0}, \hat{p}, {\mathtt{r}}'_0) \, (n_{j_1}, \hat{p}, {\mathtt{r}}'_1) \ldots (n_f, \hat{p}, {\mathtt{r}}'_f)\) (where \({\mathtt{r}}'_f\) is any final result).

In the rest of the proof we rename \(n_{j_0}\) as \(n_\pi \). Since \({\varvec{x}}\) enables the loop \(\sigma \) and since \(n_\pi \in N_\sigma \), after some prefix of \(\sigma \) a marking \({\varvec{x}}_\pi \) is reached which enables \(n_\pi \). The loop \(\sigma \) continues with some outcome \((n_\pi ,{\mathtt{r}})\), where \({\mathtt{r}}\) is one possible result of \(n_\pi \). By construction of \(\pi \), there is another result \({\mathtt{r}}'_0\) of \(n_\pi \) such that is the second atom of \(\pi \), and this atom does not belong to \(N_\sigma \).

Let \({\varvec{x}}_\pi '\) be the marking such that \({\varvec{x}}_\pi \xrightarrow []{(n_\pi ,{\mathtt{r}}'_0)}{\varvec{x}}_\pi '\). We iteratively construct an occurrence sequence enabled at \({\varvec{x}}_\pi '\) as follows. Let \(\tau \) be the occurrence sequence constructed so far and let \({\varvec{x}}_\tau \) be the marking reached by \(\tau \) (initially \(\tau = \epsilon \) and \({\varvec{x}}_\tau = {\varvec{x}}_\pi '\)):

  (0) If \({\varvec{x}}_\tau \) is the final marking, stop.

  (1) Else, if \({\varvec{x}}_\tau \) enables an atom n of \(N_\sigma \), then at least one outcome \((n,{\mathtt{r}})\) occurs in \(\sigma \). Let \(\tau := \tau \, (n, {\mathtt{r}})\).

  (2) Else, if \({\varvec{x}}_\tau \) enables an atom n of \(\pi \), then let \({\mathtt{r}}\) be the result such that where \(n'\) is the successor of n in \(\pi \). Let \(\tau := \tau \, (n, {\mathtt{r}})\).

  (3) Else, let \(\rho \) be a shortest occurrence sequence that either leads to the final marking or enables an atom that appears in \(\sigma \), or enables an atom that appears in \(\pi \) (so that after this sequence (0), (1), or (2) can be applied). Such an occurrence sequence exists because is sound. Further, \(\rho \) is not empty because otherwise we would have taken branch (0), (1), or (2). Let \(\tau := \tau \rho \).

For the rest of the proof, let \(\tau \) be the sequence generated by this procedure. We claim that \(\tau \) is finite (i.e., that the procedure terminates) and leads to the final marking. For this we prove that the procedure takes branches (1)–(3) only finitely often.

We first prove that the procedure takes branch (2) only finitely often. Since every time (2) is taken \(\tau \) is extended with an outcome of an atom of \(\pi \), it suffices to show that these atoms occur only finitely often in \(\tau \). Recall that \(\pi \) is a finite path ending with \(n_f\), and that all atoms of \(\pi \) involve \(\hat{p}\). By determinism, \(\hat{p}\) is always ready to engage in at most one atom of \(\pi \). By construction, after an occurrence of an atom of \(\pi \) in \(\tau \), say \(n_{j_i}\) the agent \(\hat{p}\) is ready to engage only in an atom \(n_{j_k}\) with \(k>i\). Therefore, the atoms of \(\pi \) can occur only finitely often in \(\tau \).

We now prove that the procedure takes branch (3) only finitely often. Since branch (2) is taken only finitely often, some suffix \(\tau '\) of \(\tau \) does not contain any occurrence of atoms of \(\pi \). For every marking \(\overline{{\varvec{x}}_1}\) reached along the execution of \(\tau '\), let \(P_\sigma (\overline{{\varvec{x}}_1})\) be the set of agents p such that \(\overline{{\varvec{x}}_1}(p) \in N_\sigma \) (that is, the agents that at \(\overline{{\varvec{x}}_1}\) are ready to engage in an atom of \(N_\sigma \)). We show that along the execution of \(\tau '\) these sets never decrease, and strictly increase each time the procedure takes branch (3); since the set of agents is finite, this concludes the proof.

Let \({\varvec{x}}_1\) be a marking reached within \(\tau '\) at which the procedure chooses either branch (1) or branch (3). If the procedure takes branch (1), then the procedure selects a result \((n, {\mathtt{r}})\) that occurs in \(\sigma \), and extends the current sequence with the step \({\varvec{x}}_1 \xrightarrow []{(n,{\mathtt{r}})} {\varvec{x}}_2\). By Lemma 63 we have \(P_\sigma ({\varvec{x}}_1) \subseteq P_\sigma ({\varvec{x}}_2)\). If the procedure takes branch (3), then the current sequence is extended with a shortest sequence \({\varvec{x}}_1 \xrightarrow []{(\overline{n_1}, \overline{{\mathtt{r}}_1})} {\varvec{x}}_2 \xrightarrow []{(\overline{n_2}, \overline{{\mathtt{r}}_2})} \cdots \xrightarrow []{(\overline{n_{k-1}}, \overline{{\mathtt{r}}_{k-1}})} {\varvec{x}}_k\) such that \(\{\overline{n_1}, \ldots , \overline{n_k}\} \cap N_\sigma = \emptyset \), and \({\varvec{x}}_k\) enables an atom of \(N_\sigma \) or an atom of \(\pi \). By determinism, and since \(\{\overline{n_1}, \ldots , \overline{n_k}\} \cap N_\sigma = \emptyset \), we have \(P_\sigma ({\varvec{x}}_1) \subseteq P_\sigma ({\varvec{x}}_2) \subseteq \cdots \subseteq P_\sigma ({\varvec{x}}_k)\). Since \({\varvec{x}}_k\) enables an atom of \(N_\sigma \) or an atom of \(\pi \), but no atom of \(\pi \) occurs in \(\tau '\), the marking \({\varvec{x}}_k\) enables an atom of \(N_\sigma \) and, since the sequence is a shortest one, \({\varvec{x}}_{k-1}\) does not enable any atom of \(N_\sigma \). So there is an agent \(p \in P_\sigma \) such that \({\varvec{x}}_1(p) \notin N_\sigma \) and \({\varvec{x}}_k(p) \in N_\sigma \), which proves \(P_\sigma ({\varvec{x}}_1) \subset P_\sigma ({\varvec{x}}_k)\), and we are done.

Finally, we prove that the procedure takes branch (1) only finitely often. Since branches (2) and (3) are taken only finitely often, from some point on the algorithm only takes branch (1) (if at all), and so some suffix \(\tau ''\) of \(\tau \) contains only outcomes of \(A_\sigma \). Let \(\hat{p}\) be the agent of \(P_\sigma \) we used for the construction of \(\pi \). Since all the atoms of \(\pi \) have already been executed before reaching \(\tau ''\), no atom of \(N_\sigma \) in which \(\hat{p}\) participates, and in particular the atom \(n_\pi \), can occur in \(\tau ''\). So all the atoms occurring in \(\tau ''\) belong to \(N_\sigma \setminus \{n_\pi \}\). Assume \(\tau ''\) is infinite. Then, since the number of reachable markings is finite, \(N_\sigma \setminus \{n_\pi \}\) contains a loop (more precisely, there is a loop in which only atoms of \(N_\sigma \setminus \{n_\pi \}\) occur). But this contradicts the minimality of \(\sigma \). So \(\tau ''\) is finite, which concludes the proof of the claim.

By the claim, the procedure constructs an occurrence sequence \(\tau \) reaching the final marking. Since all agents participate in the final atom, no agent was able to remain in the loop. This implies that all agents of \(P_\sigma \) left the loop when \((n_\pi , {\mathtt{r}}_{j_0})\) has occurred. As a consequence, all these agents are parties of \(n_\pi \), and so \(n_\pi \) is a synchronizer of the loop \(\sigma \). \(\square \)

1.2 Dominating atoms

Loosely speaking, an atom n of a path of a negotiation dominates the path if every agent that participates in some atom of the path also participates in n.

Definition 65

Let be a negotiation and let \(\pi = (n_1, p_1, {\mathtt{r}}_1) \, (n_2, p_2, {\mathtt{r}}_2) \cdots (n_k, p_k, {\mathtt{r}}_k)\) be a path of . An atom \(n_i\) dominates \(\pi \) if \(P_{n_j} \subseteq P_{n_i}\) for \(1 \le j \le k\).

We prove that every cycle of a sound deterministic negotiation has a dominating atom. This result is a syntactic counterpart to Proposition 64, stating that every loop has a synchronizer. Roughly speaking, the proof shows that every cycle can be “executed”, meaning that one can find an arbitrarily long occurrence sequence that executes the outcomes of the cycle arbitrarily often and never executes any other outcome of the atoms in the cycle.

Definition 66

Let \(\pi = (n_1, p_1, {\mathtt{r}}_1) \, (n_2, p_2, {\mathtt{r}}_2) \cdots (n_k, p_k, {\mathtt{r}}_k)\) be a path of a negotiation. An execution of \(\pi \) is an occurrence sequence \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}'\) where \({\varvec{x}}\) is a reachable marking, \(\sigma = \sigma _0 \, (n_1, {\mathtt{r}}_1) \, \sigma _1 \, (n_2, {\mathtt{r}}_2) \, \sigma _2 \cdots \sigma _{k-1} \, (n_k, {\mathtt{r}}_k)\), and for every outcome \((n,{\mathtt{r}})\) in \(\sigma \) satisfying \(n \in \{n_1, \ldots , n_k\}\), there is a triple \((n,p,{\mathtt{r}})\) in \(\pi \) for some party p of n.

A path \(\pi \) of is executable if it has an execution \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}'\).

Lemma 67

Let be a sound deterministic negotiation.

  (a) Every cycle of is executable.

  (b) Every path of ending with a triple \((n_f, p, {\mathtt{r}})\) for some party p of \(n_f\) and some result \({\mathtt{r}}\) of \(n_f\) is executable.

Proof

For each triple \((n, p, {\mathtt{r}})\) of a path \(\pi \), we call the outcome \((n, {\mathtt{r}})\) an outcome of \(\pi \). The atoms occurring in the triples of \(\pi \) will be called atoms of \(\pi \). We call an occurrence sequence \(\sigma \) a \(\pi \)-sequence for a path \(\pi \) if, for every atom n of \(\pi \), all outcomes \((n,{\mathtt{r}})\) occurring in \(\sigma \) are outcomes of \(\pi \).

Let \(\pi = (n_1, p_1, {\mathtt{r}}_1) \ldots (n_k, p_k, {\mathtt{r}}_k)\) be a path of . Notice that the atoms \(n_1 \ldots n_k\) are not necessarily pairwise distinct. Before proving (a) and (b) we make a first claim.

Claim: Let \({\varvec{x}}\) be a marking such that, for some agent p, \({\varvec{x}}(p)\) contains an atom of \(\pi \). Then \({\varvec{x}}\) enables a \(\pi \)-sequence leading to a marking which enables an outcome of \(\pi \).

Proof of the claim: By soundness, \({\varvec{x}}\) enables an occurrence sequence \(\sigma \) ending with a final outcome, i.e., with an outcome \((n_f, {\mathtt{r}}_f)\). Since all agents participate in \(n_f\), so does agent p. Since p is only ready to participate in an atom of \(\pi \) at \({\varvec{x}}\), at least one outcome of \(\pi \) occurs in \(\sigma \). Let \(\sigma = \sigma _1 \, \sigma _2\) such that \(\sigma _1\) contains no outcome with an atom of \(\pi \) and \(\sigma _2\) begins with an outcome with an atom \(n_i\) of \(\pi \). The sequence \(\sigma _1\) can be empty, and it is clearly a \(\pi \)-sequence. The first outcome of \(\sigma _2\) is not necessarily an outcome of \(\pi \). However, the marking reached by \(\sigma _1\) enables all outcomes of \(n_i\), in particular \((n_i, {\mathtt{r}}_i)\), which proves the claim.

(a) Assume \(\pi \) is a cycle. By soundness, some reachable marking \({\varvec{x}}_1\) enables the atom \(n_1\). Clearly, \({\varvec{x}}_1 (p) = \{n_1\}\) for each party p of \(n_1\), and therefore this property holds for at least one party p of \(n_1\). Now we repeat the following procedure, starting from a reachable marking \({\varvec{x}}\) satisfying \({\varvec{x}}(p) = \{n_i\}\) for some atom \(n_i\) of \(\pi \) and for some party p of n. In particular, the first run of the procedure starts at \({\varvec{x}}_1\).

From the marking \({\varvec{x}}\), we choose a \(\pi \)-sequence containing no atoms of \(\pi \), and leading to a marking that enables at least one atom \(n_i\) of \(\pi \), as constructed in the claim above. Then we extend the sequence with an outcome \((n_i,{\mathtt{r}}_i)\) of \(\pi \), leading to a marking \({\varvec{x}}'\). By the property of a cycle, \({\varvec{x}}' (p)\) contains a successor of \(n_i\) in \(\pi \) for some agent p, and so the procedure can start again from \({\varvec{x}}'\) (\(n_1\) is a successor of \(n_k\)). Notice that the successor of \(n_i\) is not necessarily unique because we might have \(n_i = n_j\) for some \(i \ne j\). Therefore, \(\pi \) might have different outcomes \((n_i, {\mathtt{r}}_i)\) and \((n_i, {\mathtt{r}}_j)\). The procedure chooses these outcomes in a fair manner.

Obviously, the constructed sequence is a \(\pi \)-sequence. Since the repetitive construction does not terminate, there exists an infinite \(\pi \)-sequence in which outcomes of \(\pi \) occur infinitely often. Therefore, at least one outcome of \(\pi \) occurs infinitely often. So does the successor of its atom in \(\pi \), or—in the case of several successors—all successors because of their fair selection. Since \(\pi \) is a cycle, all its outcomes therefore occur infinitely often in the sequence. By definition of executability, the constructed sequence proves that \(\pi \) is executable.

(b) Assume \(\pi \) ends with a triple \((n_f, p, {\mathtt{r}})\) for some party p of \(n_f\) and some result \({\mathtt{r}}\). The proof is similar to the proof of (a). Some reachable marking \({\varvec{x}}_1\) enables the atom \(n_1\). Hence \({\varvec{x}}_1 (p) = \{n_1\}\) for a party p of \(n_1\). Now we repeat the following procedure, starting from a reachable marking \({\varvec{x}}\) satisfying \({\varvec{x}}(p) = \{n_i\}\) for some atom \(n_i\) of \(\pi \) and for some party p of n. In particular, the first run of the procedure starts at \({\varvec{x}}_1\).

From the marking \({\varvec{x}}\), we choose a \(\pi \)-sequence containing no atoms of \(\pi \), leading to a marking that enables at least one atom \(n_i\) of \(\pi \), as constructed in the above claim. Then we extend the sequence with an outcome \((n_i,{\mathtt{r}}_i)\) of \(\pi \), leading to a marking \({\varvec{x}}'\). If \(n_i = n_f\), we are finished and exit the procedure. Otherwise, by the property of a path, \({\varvec{x}}' (p)\) contains a successor of \(n_i\) in \(\pi \) for some agent p, and we can start the procedure again. Notice that the successor of \(n_i\) is not necessarily unique because we might have \(n_i = n_j\) for some \(i \ne j\). Therefore, \(\pi \) might have different outcomes \((n_i, {\mathtt{r}}_i)\) and \((n_i, {\mathtt{r}}_j)\). The procedure chooses these outcomes in a fair manner.

Obviously, the constructed sequence is a \(\pi \)-sequence. We show that it terminates. Assume the contrary. Then there exists an infinite \(\pi \)-sequence in which outcomes of \(\pi \) occur infinitely often. Therefore, at least one \(\pi \)-outcome occurs infinitely often. So does its successor in \(\pi \), or—in the case of several successors—all successors because of their fair selection. Since \(\pi \) is a path ending with the atom \(n_f\), outcomes of \(n_f\) occur infinitely often, but the loop stops after the first such outcome—a contradiction. By definition of executability, the path \(\pi \) is executable. \(\square \)

Proposition 68

Every cycle of a sound deterministic negotiation has a dominating atom.

Proof

In the proof we use the following notations. Given an occurrence sequence \(\sigma \), we let \(O_\sigma \) denote the set of outcomes that occur in \(\sigma \), and \(N_\sigma \) denote the set of atoms of these outcomes. We say that a loop \(\sigma \) is connected if any two atoms of \(N_\sigma \) are connected by a path containing only edges \((n,p,{\mathtt{r}})\) such that \((n,{\mathtt{r}}) \in O_\sigma \).

Let be a sound deterministic negotiation and let \(\pi = (n_1, p_1, {\mathtt{r}}_1) \cdots (n_k, p_k, {\mathtt{r}}_k)\) be a cycle of . We construct a minimal loop of containing \((n_i, r_i)\) for every \(1 \le i \le k\). We proceed in three steps.

Claim 1

There is a connected loop \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) of such that

  • \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k) \in O_\sigma \), and

  • every atom that becomes enabled during the execution of \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) belongs to \(N_\sigma \).

Proof of Claim 1

Observe that \(\pi ^i\) (the result of concatenating i copies of \(\pi \)) is a cycle of for every \(i \ge 1\). By Lemma 67(a), \(\pi ^i\) is executable for every \(i \ge 1\). Let \(\ell \) be the number of reachable markings of the negotiation. Then some reachable marking \({\varvec{y}}\) enables an occurrence sequence \(\tau _\ell \) which executes \(\pi ^\ell \), i.e., which contains the outcomes \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k)\), in this order, \(\ell \) times, and which does not contain any other outcome of \(n_1, \ldots , n_k\). The \(\ell +1\) markings reached after i occurrences of \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k)\) (\(0 \le i \le \ell \)) cannot be pairwise distinct. So the sequence \({\varvec{y}}\xrightarrow []{\tau _\ell } {\varvec{y}}_\ell \) is of the form \({\varvec{y}}\xrightarrow []{\tau '}~{\varvec{y}}'~\xrightarrow []{\sigma }~{\varvec{y}}'~\xrightarrow []{\tau ''}~{\varvec{y}}_\ell \), where \(\sigma \) is a connected loop and \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k) \in O_\sigma \).

If every atom that becomes enabled during the execution of \({\varvec{y}}' \xrightarrow []{\sigma } {\varvec{y}}'\) belongs to \(N_\sigma \), we can take \({\varvec{x}}:= {\varvec{y}}'\). Otherwise, let \(P_{\sigma }\) be the union of the parties of all the atoms of \(N_\sigma \). Let \(\rho \) be a maximal finite occurrence sequence enabled at \({\varvec{y}}'\) containing only outcomes of atoms with no parties in \(P_{\sigma }\) (such a sequence exists by soundness), and let \({\varvec{y}}' \xrightarrow []{\rho } {\varvec{x}}\). By the maximality of \(\rho \), every atom n enabled at \({\varvec{x}}\) satisfies \(P_{n} \cap P_\sigma \ne \emptyset \). Since \({\varvec{y}}'(p) ={\varvec{x}}(p)\) for every \(p \in P_{\sigma }\), we get \({\varvec{y}}' \xrightarrow []{\rho } {\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\).

We show that every atom that is not enabled at \({\varvec{x}}\) but becomes enabled during the execution of \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) belongs to \(N_\sigma \). Let \({\varvec{x}}'\) be any intermediate marking reached during the execution of \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\), i.e., \({\varvec{x}}\xrightarrow []{\sigma '} {\varvec{x}}' \xrightarrow []{\sigma ''} {\varvec{x}}\) for some \(\sigma ', \sigma ''\) such that \(\sigma = \sigma '\sigma ''\). Let n be an atom enabled at \({\varvec{x}}'\). If \(P_{n} \cap P_\sigma = \emptyset \) then, by the definition of \(P_\sigma \), we have \({\varvec{x}}(p)={\varvec{x}}'(p)\) for every \(p \in P_n\), and so n is already enabled at \({\varvec{x}}\), a contradiction. So \(P_{n} \cap P_\sigma \ne \emptyset \). Let \(n'\) be the first node of \(\sigma '' \sigma '\) satisfying \(P_{n'} \cap P_n \ne \emptyset \), and let \(p \in P_{n'} \cap P_n\). Since \({\varvec{x}}'(p) = {\{n\}}\), \({\varvec{x}}' \xrightarrow []{\sigma '} {\varvec{x}}\xrightarrow []{\sigma ''} {\varvec{x}}'\), and is deterministic, we have \(n'=n\), and so \(n' \in N_\sigma \).

Claim 2

There is a connected loop \({\varvec{x}}\xrightarrow []{\tau } {\varvec{x}}\) of such that

  • \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k) \in O_\tau \), and

  • for every atom n of , at most one outcome of n belongs to \(O_\tau \).

Proof of Claim 2

Let \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) be a loop of satisfying the properties of Claim 1. We assign an outcome \((n, \alpha (n)) \in O_\sigma \) to each atom \(n \in N_\sigma \). For this we describe a procedure that assigns to every node \(n \in N_\sigma \) one of its results \(\alpha (n)\). Initially \(\alpha (n)\) is undefined for every \(n \in N_\sigma \). We proceed in two phases.

  • While there is an index \(1 \le i \le k\) such that \(\alpha (n_i)\) is still undefined, set \(\alpha (n_i) := {\mathtt{r}}_i\).

  • While there is \(n \in N_\sigma \) such that

    • \(\alpha (n)\) is still undefined, and

    • there are \(p \in P_n\) and \({\mathtt{r}}\in R_n\) such that for some atom \(n'\) such that \(\alpha (n')\) is defined,

    set \(\alpha (n):={\mathtt{r}}\).

We say that \(\alpha (n)\) is the result allocated to n. Further, we call the edges of the form \((n, p, \alpha (n))\) allocated. It is easy to see that, since \(\sigma \) is a connected loop, the allocation procedure above allocates a result to every atom of \(N_\sigma \). Further, for every atom \(n\in N_\sigma \) there is a path leading from n to some \(n_i\) that only contains allocated edges. Observe that, if an atom appears more than once in the cycle \(\pi \) then not all outcomes \((n_i, {\mathtt{r}}_i)\) are allocated, but in this case some subcycle of \(\pi \) contains only allocated outcomes.

Starting at \({\varvec{x}}\), construct a maximal occurrence sequence \(\rho \) as follows: Pick an atom enabled at the current marking, let \((n, \alpha (n))\) occur, and iterate. By definition of an allocation, for every atom n at most one outcome of n belongs to \(O_\rho \). We prove that \(\rho \) is infinite. Assume \(\rho \) is finite and maximal, and let \({\varvec{x}}\xrightarrow []{\rho } {\varvec{z}}\). Then \({\varvec{z}}\) enables no atom of \(N_\sigma \). We prove that is not sound, contradicting the hypothesis.

Recall that \({\varvec{x}}\) only enables atoms of \(N_\sigma \). We claim that the same holds for \({\varvec{z}}\). The proof is by induction on \(|\rho |\). For \(|\rho |=0\) we have \({\varvec{x}}={\varvec{z}}\) and the result follows. Assume \(\rho = (n, \alpha (n)) \rho '\) and \({\varvec{x}}\xrightarrow []{(n, \alpha (n))} {\varvec{x}}' \xrightarrow []{\rho '} {\varvec{z}}\). We first show that \({\varvec{x}}'\) only enables atoms of \(N_\sigma \). Assume \({\varvec{x}}'\) enables an atom \(n' \notin N_\sigma \). Since \({\varvec{x}}\) does not enable \(n'\), there is \(p \in P_{n'} \cap P_n\) such that \({\varvec{x}}(p) =\{ n\}\) and \({\varvec{x}}'(p)=\{n'\}\). Since \(n \in N_\sigma \) and \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}\) is a loop, \(O_\sigma \) contains a path that returns p to n. Since is deterministic, \(O_\sigma \) contains some outcome of \(n'\), and so \(n' \in N_\sigma \). Since \({\varvec{x}}'\) only enables atoms of \(N_\sigma \), and \({\varvec{x}}' \xrightarrow []{\rho '} {\varvec{z}}\), applying the induction hypothesis to \(\rho '\) we obtain that \({\varvec{z}}\) only enables atoms of \(N_\sigma \), and the claim is proved. Since \({\varvec{z}}\) enables no atom of \(N_\sigma \) by definition, it follows from the claim that \({\varvec{z}}\) enables no atoms at all. Since , we have \({\varvec{z}}\ne {\varvec{x}}_f\), and so is unsound, contradicting the hypothesis. So \(\rho \) is infinite.

Since the number of reachable markings of is finite, we have \(\rho = \rho '\tau \rho ''\) for occurrence sequences \(\rho '\) and \(\tau \) such that \({\varvec{x}}\xrightarrow []{\rho '}{\varvec{y}}\xrightarrow []{\tau } {\varvec{y}}\) and every outcome appearing in \(\rho \) also appears in \(\tau \). Further, \({\varvec{y}}\xrightarrow []{\tau } {\varvec{y}}\) is a connected loop such that for every atom n at most one outcome of n belongs to \(O_\tau \). So to prove the claim it only remains to show \((n_1, {\mathtt{r}}_1), \ldots , (n_k, {\mathtt{r}}_k) \in O_\rho \). Recall that for every atom \(n \in N_\rho \) there is a path leading from n to some \(n_i\) that only contains allocated edges. Since all edges \((n_j, {\mathtt{r}}_j)\) are allocated, the path can be extended to contain all edges of \(\pi \). It follows that all the nodes in the path are executed infinitely often in \(\rho \), and so \(\rho \) contains all outcomes of \(\pi \) infinitely often, which concludes the proof of the claim.

Claim 3

The loop \({\varvec{x}}\xrightarrow []{\tau } {\varvec{x}}\) constructed in the proof of Claim 2 is minimal.

Proof of Claim 3

Let \({\varvec{y}}\xrightarrow []{\rho } {\varvec{z}}\) be an arbitrary occurrence sequence such that \(N_\rho \subset N_\tau \). Since for every atom n at most one outcome of n occurs in \(\tau \), the same holds for \(\rho \). Since \(N_\rho \ne N_\tau \) there is an outcome \((n, r) \in O_\rho \) and a party p such that the unique atom . It follows \({\varvec{y}}(p) \ne {\varvec{z}}(p)\), and so \({\varvec{y}}\xrightarrow []{\rho } {\varvec{z}}\) is not a loop.

Proof of the proposition

By Proposition 64 and Claim 3, the loop \({\varvec{x}}\xrightarrow []{\tau } {\varvec{x}}\) constructed in Claim 2 has a synchronizer n. We show that n is necessarily in \(\{n_1, n_2, \ldots , n_k\}\). Assume the contrary, and let \({\varvec{y}}\) be a marking of the loop that enables n. Since n is a synchronizer, we have \({\varvec{y}}(p) = \{n\}\) for every party p of \(n_1, \ldots , n_k\). Let \({\varvec{x}}\xrightarrow []{\sigma } {\varvec{x}}' \xrightarrow []{(n_i, {\mathtt{r}}_i)} {\varvec{x}}'' \xrightarrow []{\rho } {\varvec{y}}\) be the unique prefix of \({\varvec{x}}\xrightarrow []{\tau } {\varvec{x}}\) such that no outcome of \(\pi \) occurs in \(\rho \). Since \((n_i, {\mathtt{r}}_i)\) is the only outcome of \(n_i\) that appears in \(\tau \), no outcome of \(n_i\) appears in \(\sigma \). Since is deterministic, we have \({\varvec{x}}'(p)= {\varvec{y}}(p)\) for every party p of \(n_i\). But, by the definition of the cycle \(\pi \), we have \({\varvec{x}}'(p_i)=\{n_{i+ 1}\}\). So we get \(\{n_{i+1}\} = {\varvec{x}}'(p_i) = {\varvec{y}}(p_i) = \{n\}\), which implies \(n = n_{i+1}\). So \(n_{i+1}\) is a dominating atom of \(\pi \). \(\square \)
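Definition 65 and Proposition 68 together give a purely syntactic necessary condition for soundness of a deterministic negotiation: a cycle with no dominating atom rules soundness out, while passing the check proves nothing. The following Python sketch is an added example, not code from the paper; the dictionary encoding, the function names and both sample negotiations are constructed for illustration, and only simple cycles are enumerated.

```python
from typing import Dict, FrozenSet, List, Tuple

Triple = Tuple[str, str, str]          # (atom n, party p, result r), as in a path
Parties = Dict[str, FrozenSet[str]]    # atom n -> its set of parties P_n
Succ = Dict[Triple, str]               # (n, p, r) -> the single next atom of p
                                       # (single-valued because of determinism)


def dominating_atoms(atoms: List[str], parties: Parties) -> List[str]:
    """Atoms n_i with P_{n_j} a subset of P_{n_i} for every atom n_j (Definition 65)."""
    return [n for n in atoms if all(parties[m] <= parties[n] for m in atoms)]


def simple_cycles(parties: Parties, succ: Succ) -> List[List[Triple]]:
    """Enumerate the simple cycles of the graph as lists of triples (n, p, r)."""
    edges: Dict[str, List[Tuple[str, str, str]]] = {}
    for (n, p, r), m in succ.items():
        edges.setdefault(n, []).append((p, r, m))
    cycles: List[List[Triple]] = []

    def extend(start: str, node: str, path: List[Triple], seen: FrozenSet[str]) -> None:
        for p, r, m in sorted(edges.get(node, [])):
            step = path + [(node, p, r)]
            if m == start:
                cycles.append(step)                 # the path closes into a cycle
            elif m > start and m not in seen:
                # Only visit atoms larger than the start atom, so every cycle
                # is reported once, beginning at its smallest atom.
                extend(start, m, step, seen | {m})

    for start in sorted(parties):
        extend(start, start, [], frozenset({start}))
    return cycles


def cycles_without_dominating_atom(parties: Parties, succ: Succ) -> List[List[Triple]]:
    """Simple cycles violating the conclusion of Proposition 68."""
    return [c for c in simple_cycles(parties, succ)
            if not dominating_atoms([n for n, _, _ in c], parties)]


# Constructed sample 1: agent a loops through n2 and back while b waits at n1.
GOOD_PARTIES: Parties = {
    "n0": frozenset("ab"), "n1": frozenset("ab"),
    "n2": frozenset("a"), "nf": frozenset("ab"),
}
GOOD_SUCC: Succ = {
    ("n0", "a", "start"): "n1", ("n0", "b", "start"): "n1",
    ("n1", "a", "retry"): "n2", ("n1", "b", "retry"): "n1",
    ("n1", "a", "ok"): "nf", ("n1", "b", "ok"): "nf",
    ("n2", "a", "done"): "n1",
}

# Constructed sample 2: agent b alternates between m1 (with a) and m2 (with c).
# Neither {a, b} nor {b, c} contains the other, so the cycle has no dominating atom.
BAD_PARTIES: Parties = {
    "n0": frozenset("abc"), "m1": frozenset("ab"),
    "m2": frozenset("bc"), "nf": frozenset("abc"),
}
BAD_SUCC: Succ = {
    ("n0", "a", "start"): "m1", ("n0", "b", "start"): "m1", ("n0", "c", "start"): "m2",
    ("m1", "a", "r"): "m1", ("m1", "b", "r"): "m2",
    ("m1", "a", "end"): "nf", ("m1", "b", "end"): "nf",
    ("m2", "b", "r"): "m1", ("m2", "c", "r"): "m2",
    ("m2", "b", "end"): "nf", ("m2", "c", "end"): "nf",
}

if __name__ == "__main__":
    print(cycles_without_dominating_atom(GOOD_PARTIES, GOOD_SUCC))
    print(cycles_without_dominating_atom(BAD_PARTIES, BAD_SUCC))
```

In the second sample the occurrence of \((m_1, \mathtt{end})\) from the initial marking leaves agent c waiting for \(m_2\) while b is ready only for \(n_f\), a deadlock consistent with the failed check.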

1.3 Proof of Proposition 46

We first prove a lemma.

Lemma 69

Let be a sound deterministic negotiation with a set of agents A. Let B, C be a partition of A, i.e., \(A = B \cup C\) and \(B \cap C = \emptyset \). Let \({\varvec{x}}_1, {\varvec{x}}_2\) be two reachable markings such that

  • for each \(b \in B\), \({\varvec{x}}_1(b) = {\varvec{x}}_2(b)\), and

  • every atom enabled at \({\varvec{x}}_1\) or \({\varvec{x}}_2\) has at least one party in B and at least one party in C.

Then, for each \(c \in C\), \({\varvec{x}}_1(c) = {\varvec{x}}_2(c)\), and so \({\varvec{x}}_1={\varvec{x}}_2\).

Proof

The proof is by induction on the size of C. If \(|C|= 0\) then there is nothing to show. So assume \(|C| > 0\). For \(i=1,2\), let \(N_i\) be the set of atoms enabled at \({\varvec{x}}_i\).

Claim 1

\(N_1 \cap N_2 \ne \emptyset \).

We show that if \(N_1 \cap N_2 = \emptyset \) then contains a cycle without a dominating atom, contradicting Proposition 68. Let \(n_1 \in N_1\). By soundness, there is a shortest occurrence sequence \({\varvec{x}}_2 \xrightarrow []{\sigma } {\varvec{x}}_2'\) such that \({\varvec{x}}_2'\) enables \(n_1\). We prove two subclaims.

Claim 1a

No atom of \(\sigma \) dominates \(n_1\).

Since \(n_1\) is enabled at \({\varvec{x}}_1\) and at least one of its parties belongs to B, we have \({\varvec{x}}_1(b) = \{n_1\}\) for some agent \(b \in B\), and so, by the definition of B, also \({\varvec{x}}_2(b) = \{n_1\}\). Since \(\sigma \) is a shortest sequence enabling \(n_1\), it does not contain any occurrence of an outcome of \(n_1\). So, since is deterministic, we also have \({\varvec{y}}(b) = \{n_1\}\) for every intermediate marking \({\varvec{y}}\) reached during the execution of \(\sigma \). It follows that b does not participate in any atom occurring in \(\sigma \). So no atom of \(\sigma \) dominates \(n_1\).

Claim 1b

There exists \(m_0 \in N_2\) and a path \(\pi = (m_0, p_0, {\mathtt{r}}_0) \ldots (m_k, p_k, {\mathtt{r}}_k)\) such that and none of \(m_0, \ldots , m_k\) dominates \(n_1\).

By Claim 1a, it suffices to construct a path such that \(m_0 \in N_2\), , and all of \(m_0, \ldots , m_k\) occur in \(\sigma \). Let \(\sigma = (n, {\mathtt{r}}) \sigma '\). We proceed by induction on the length of \(\sigma \).

If \(|\sigma | = 1\) then \(\sigma = (n, {\mathtt{r}})\), and so \({\varvec{x}}_2 \xrightarrow []{(n,{\mathtt{r}})} {\varvec{x}}_2'\). Since \({\varvec{x}}_2\) does not enable \(n_1\) but \({\varvec{x}}_2'\) does, we have for some \(p \in P_n\). Choose \(\pi = (n, p, {\mathtt{r}})\). Since n is enabled at \({\varvec{x}}_2\), we have \(n \in N_2\), and we are done.

If \(|\sigma | > 1\), let \({\varvec{y}}\) be the marking given by \({\varvec{x}}_2 \xrightarrow []{(n, {\mathtt{r}})} {\varvec{y}}\xrightarrow []{\sigma '} {\varvec{x}}_2'\). Then \(\sigma '\) is a shortest occurrence sequence enabling \(n_1\) from \({\varvec{y}}\) and so, by induction hypothesis, there is a path \(\pi ' = (m_1, p_1, {\mathtt{r}}_1) \cdots (m_k, p_k, {\mathtt{r}}_k)\) such that \(m_1\) is enabled at \({\varvec{y}}\), and all of \(m_1, \ldots , m_k\) occur in \(\sigma '\). If \(m_1 \in N_2\) then we can take \(\pi := \pi '\). If \(m_1 \notin N_2\) then \(m_1\) is not enabled at \({\varvec{x}}_2\). Since \(m_1\) is enabled at \({\varvec{y}}\), we have \({\varvec{x}}_2(p) = \{n\}\) and \({\varvec{y}}(p) = \{m_1\}\) for some party p of both n and \(m_0\). It follows that . So we can take \(\pi = (n, p, {\mathtt{r}}) \, \pi '\), which concludes the proof of Claim 1b.

Observe that Claim 1b holds for every atom of \(N_1\). By symmetry, for every \(n_2 \in N_2\) there is \(m_0 \in N_1\) and a path \(\pi = (m_0, p_0, {\mathtt{r}}_0) \ldots (m_k, p_k, {\mathtt{r}}_k)\) such that and none of \(m_0, \ldots , m_k\) dominates \(n_2\). Since has only finitely many atoms, there are \(n_{11}, \ldots , n_{1k} \in N_1\), \(n_{21}, \ldots , n_{2k} \in N_2\) and a cycle that visits the sequence of atoms \(n_{11}, n_{21}, n_{12}, n_{22}, \ldots , n_{1k}, n_{2k}\) in that order, and such that no atom of the cycle dominates all others. So the cycle does not contain a dominating atom, contradicting Proposition 68. This proves Claim 1.

By Claim 1, there is an atom \(n \in N_1 \cap N_2\). Recall that \(P_n\) is the set of parties of n. Let \(c \in C \cap P_n\), which exists by assumption, and let \(B' = B \cup \{c\}\) and \(C' = C \setminus \{c\}\). Since n is enabled at \({\varvec{x}}_1\) and \({\varvec{x}}_2\) we have \({\varvec{x}}_1(c) = \{n\} = {\varvec{x}}_2(c)\). Since \(|C'| = |C|-1\) we can apply the induction hypothesis to \(B'\) and \(C'\). So we have \({\varvec{x}}_1(C') = {\varvec{x}}_2(C')\), and therefore \({\varvec{x}}_1(C) = {\varvec{x}}_2(C)\). \(\square \)

We are now ready to prove that all maximal n-sequences have the same target, and that the same holds for maximal strict \((n, {\mathtt{r}})\)-sequences.

Proposition 46

Let be a sound and deterministic negotiation, and let n be an atom of .

  (a) All maximal n-sequences have the same target.

    That is: there is a unique marking \({\varvec{x}}\) such that \({\varvec{x}}_n \xrightarrow []{\sigma } {\varvec{x}}\) for every maximal n-sequence \(\sigma \). We call \({\varvec{x}}\) the target of n.

  (b) For every outcome \((n, {\mathtt{r}})\), all maximal strict \((n, {\mathtt{r}})\)-sequences have the same target.

    That is: there is a unique marking \({\varvec{x}}\) such that \({\varvec{x}}_n \xrightarrow []{\sigma } {\varvec{x}}\) for every maximal strict \((n, {\mathtt{r}})\)-sequence \(\sigma \). We call \({\varvec{x}}\) the target of \((n,{\mathtt{r}})\).

Proof

Given a set \(P \subseteq A\) of agents of and two markings \({\varvec{x}}, {\varvec{x}}'\), we write \({\varvec{x}}(P) = {\varvec{x}}'(P)\) to denote that \({\varvec{x}}(p) = {\varvec{x}}'(p)\) for every \(p \in P\).

(a) Consider the occurrence sequences

$$\begin{aligned} {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _1} {\varvec{x}}_1 \qquad \text{ and } \qquad {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _2} {\varvec{x}}_2 \end{aligned}$$

where \({\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\) is an occurrence sequence that enables n for the first time, and \(\sigma _1, \sigma _2\) are maximal n-sequences. In particular we have:

  (1) \({\varvec{y}}({A} \setminus P_n)={\varvec{x}}_1({A} \setminus P_n) ={\varvec{x}}_2({A} \setminus P_n)\).

    Because \(\sigma _1\) and \(\sigma _2\) are n-sequences.

  (2) Neither \({\varvec{x}}_1\) nor \({\varvec{x}}_2\) enables any atom \(n'\) such that \(P_{n'} \subseteq P_n\).

    By the maximality of \(\sigma _1\) and \(\sigma _2\).

We prove \({\varvec{x}}_1 = {\varvec{x}}_2\), which shows that \(\sigma _1\) and \(\sigma _2\) have the same target. Let BC be the partition of A defined by \(p \in B\) iff \({\varvec{x}}_1(p) = {\varvec{x}}_2(p)\). We have

  (3) \(C \subseteq P_n\).

    Since \({\varvec{x}}_1({A} \setminus P_n) ={\varvec{x}}_2({A} \setminus P_n)\) by (1), we have \({A} \setminus P_n \subseteq B\), which, since BC is a partition, is equivalent to \(C \subseteq P_n\).

By soundness there exists an occurrence sequence \({\varvec{x}}_1 \xrightarrow []{\rho } {\varvec{x}}_f\). Let \(\tau \) be the maximal B-prefix of \(\rho \), and let \({\varvec{x}}_1 \xrightarrow []{\tau } {\varvec{x}}_1'\). By the definition of B we have \({\varvec{x}}_1(B) = {\varvec{x}}_2(B)\), and so, since \(\tau \) is a B-prefix, we have \({\varvec{x}}_2 \xrightarrow []{\tau } {\varvec{x}}_2'\) for some marking \({\varvec{x}}_2'\), i.e.,

$$\begin{aligned} {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _1} {\varvec{x}}_1 \xrightarrow []{\tau } {\varvec{x}}_1' \qquad \text{ and } \qquad {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _2} {\varvec{x}}_2 \xrightarrow []{\tau } {\varvec{x}}_2'. \end{aligned}$$

We have the following properties:

  (4) \({\varvec{x}}_1'(B) = {\varvec{x}}_2'(B)\),

    which follows from \({\varvec{x}}_1(B) = {\varvec{x}}_2(B)\), and the fact that we apply the same sequence \(\tau \) to \({\varvec{x}}_1\) and \({\varvec{x}}_2\).

  (5) \({\varvec{x}}_1'(C)={\varvec{x}}_1(C)\) and \({\varvec{x}}_2(C) = {\varvec{x}}_2'(C)\),

    because \(\tau \) is a B-sequence.

Now we prove:

  (6) For \(i=1, 2\), and for every atom \(n'\) enabled at \({\varvec{x}}_i'\), the set \(P_{n'}\) intersects both B and C.

    We prove the statement for \(i=1\), the case \(i=2\) follows by symmetry. Let \(n'\) be an atom enabled at \({\varvec{x}}_i'\). Since \(B\cap C = A\), it suffices to show that \(P_{n'}\) is not included in B and is not included in C. Since \(\tau \) is the maximal B-prefix of \(\rho \), there exists \(p \in P_{n'} \setminus B\), and so \(P_{n'}\) is not included in B. We now prove that \(P_{n'}\) is not included in C. Assume \(P_{n'} \subseteq C\). By (5) we have \({\varvec{x}}_1'(C) = {\varvec{x}}_1(C)\), and so, since \(n'\) is enabled at \({\varvec{x}}_1'\), it is also enabled at \({\varvec{x}}_1\). Since \(C \subseteq P_n\) by (3), we get \(P_{n'} \subseteq P_n\). Since \({\varvec{x}}_1\) enables \(n'\), we have reached a contradiction to (2).

By (6) every atom enabled at \({\varvec{x}}_1'\) and \({\varvec{x}}_2'\) has parties in both B and C. By (4) we have \({\varvec{x}}_1'(B) = {\varvec{x}}_2'(B)\). So we can apply Lemma 69 and conclude \({\varvec{x}}_1' = {\varvec{x}}_2'\). Since \({\varvec{x}}_1'\) and \({\varvec{x}}_2'\) are reached from \({\varvec{x}}_1\) and \({\varvec{x}}_2\) by means of the same sequence \(\tau \), we get \({\varvec{x}}_1 = {\varvec{x}}_2\).

(b) Consider the occurrence sequences

$$\begin{aligned} {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _1} {\varvec{x}}_1 \qquad \text{ and } \qquad {\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\xrightarrow []{\sigma _2} {\varvec{x}}_2 \end{aligned}$$

where \({\varvec{x}}_0 \xrightarrow []{\sigma } {\varvec{y}}\) is an occurrence sequence that enables n for the first time, and \(\sigma _1, \sigma _2\) are maximal strict \((n, {\mathtt{r}})\)-sequences. If \(\sigma _1\), \(\sigma _2\) are also maximal n-sequences, then the result follows from (a). W.l.o.g. we assume that \(\sigma _1\) is not a maximal \((n, {\mathtt{r}})\)-sequence. Then \({\varvec{x}}_1\) enables an atom \(\hat{n}_1\) such that \(P_{\hat{n}_1}= P_n\). Further, as in (a) we have:

  (1) \({\varvec{y}}({A} \setminus P_n)={\varvec{x}}_1({A} \setminus P_n) ={\varvec{x}}_2({A} \setminus P_n)\),

    because \(\sigma _1\) and \(\sigma _2\) are strict \((n, {\mathtt{r}})\)-sequences.

  (2) Neither \({\varvec{x}}_1\) nor \({\varvec{x}}_2\) enables any atom \(n'\) such that \(P_{n'} \subset P_n\) (strict inclusion!),

    by the maximality of \(\sigma _1\) and \(\sigma _2\).

We prove \({\varvec{x}}_1 = {\varvec{x}}_2\), which shows that \(\sigma _1\) and \(\sigma _2\) have the same target. Let BC be the partition of A defined by \(p \in B\) iff \({\varvec{x}}_1(p) = {\varvec{x}}_2(p)\). We have

  (3) \(C \subseteq P_n\).

    Since \({\varvec{x}}_1({A} \setminus P_n) ={\varvec{x}}_2({A} \setminus P_n)\) by (1), we have \({A} \setminus P_n \subseteq B\), which, since BC is a partition, is equivalent to \(C \subseteq P_n\).

We first consider two simple cases:

  • \({\varvec{x}}_2\) enables \(\hat{n}_1\).

    Then, since \(P_{\hat{n}_1} = P_n\), we have \({\varvec{x}}_1(P_n) = {\varvec{x}}_2(P_n)\). Together with (1) this yields \({\varvec{x}}_1 = {\varvec{x}}_2\).

  • Some atom \(n'\) enabled at \({\varvec{x}}_1\) or \({\varvec{x}}_2\) satisfies \(P_{n'} \subseteq B\).

    Then, by the definition of B, \(n'\) is enabled at both \({\varvec{x}}_1\) and \({\varvec{x}}_2\), and so \(n' = \hat{n}_1\), i.e., \(P_{n'} = P_n\). So \({\varvec{x}}_1(P_n) = {\varvec{x}}_2(P_n)\), which, together with (1), yields \({\varvec{x}}_1 = {\varvec{x}}_2\).

By (2), the remaining case is:

  (4) \({\varvec{x}}_2\) enables at least one atom \(\hat{n}_2 \ne \hat{n}_1\) with a party \(\hat{p} \in C\).

By (3) we have \(\hat{p} \in P_{\hat{n}_1}\). So \({\varvec{x}}_1(\hat{p}) = \{\hat{n}_1 \}\) and \({\varvec{x}}_2(\hat{p}) = \{\hat{n}_2 \}\). Let \(\preceq \) be the prefix order on sequences, and extend it to pairs of sequences by defining \((\rho _1, \rho _2) \preceq (\rho _1', \rho _2')\) if \(\rho _1\) is a prefix of \(\rho _1'\) and \(\rho _2\) is a prefix of \(\rho _2'\). Let \((\tau _1, \tau _2)\) be a pair of prefixes of \((\sigma _1, \sigma _2)\), maximal with respect to \(\preceq \), such that the markings \({\varvec{y}}_1, {\varvec{y}}_2\) given by \({\varvec{y}}\xrightarrow []{\tau _1} {\varvec{y}}_1\) and \({\varvec{y}}\xrightarrow []{\tau _2} {\varvec{y}}_2\) satisfy \({\varvec{y}}_1(\hat{p}) = {\varvec{y}}_2(\hat{p})\). By the maximality of \((\tau _1, \tau _2)\), there are outcomes \((\hat{n}, {\mathtt{r}}_1)\) and \((\hat{n}, {\mathtt{r}}_2)\) such that \(\sigma = \tau _1 \, (\hat{n}, {\mathtt{r}}_1) \, \tau _1'\) and \(\sigma _2 = \tau _2 \, (\hat{n}, {\mathtt{r}}_2) \, \tau _2'\). So we have:

  (5) \({\varvec{y}}\xrightarrow []{\tau _1} {\varvec{y}}_1 \xrightarrow []{(\hat{n}, {\mathtt{r}}_1)} {\varvec{y}}_1' \xrightarrow []{\tau _1'} {\varvec{x}}_1\) and \({\varvec{y}}\xrightarrow []{\tau _2} {\varvec{y}}_2 \xrightarrow []{(\hat{n}, {\mathtt{r}}_2)} {\varvec{y}}_2' \xrightarrow []{\tau _2'} {\varvec{x}}_2\) for some sequences \(\tau _1', \tau _2'\), where the markings \({\varvec{y}}_1'\) and \({\varvec{y}}_2'\) satisfy \({\varvec{y}}_1'(\hat{p}) \ne {\varvec{y}}_2'(\hat{p})\).

In the rest of the proof we say that a path \((n_1, p_1, {\mathtt{r}}_1) \cdots (n_k, p_k, {\mathtt{r}}_k)\) is a p-path if \(p=p_i\) for every \(1 \le i \le n\). Let \(\pi _2\) be the \(\hat{p}\)-path corresponding to the occurrence sequence \({\varvec{y}}_2 \xrightarrow []{(\hat{n}, {\mathtt{r}}_2)} {\varvec{y}}_2' \xrightarrow []{\tau _2'} {\varvec{x}}_2\). Since \(\sigma _2\) is a strict \((n, {\mathtt{r}})\)-sequence, there exists an agent \(\hat{q} \in P_n \setminus P_{\hat{n}}\). In particular, we have \({\varvec{y}}_2(\hat{q}) = {\varvec{y}}_2'(\hat{q})\). Let \(\pi _1\) be the \(\hat{q}\)-path corresponding to the occurrence sequence \({\varvec{y}}_1' \xrightarrow []{(\hat{n}, {\mathtt{r}}_1) \tau _1'} {\varvec{x}}_1\). By the maximality of \((\tau _1, \tau _2)\), the paths are disjoint, i.e., no atom occurs in both (otherwise, if some atom occurs in both, then that atom is enabled at some markings during the executions of \(\tau _1'\) and \(\tau _2'\), respectively).

We construct a finite n-sequence \({\varvec{y}}_2' \xrightarrow []{\tau } {\varvec{z}}\) in which, intuitively, agent \(\hat{q}\) follows \(\pi _1\) and agent \(\hat{p}\) follows \(\pi _2\). Formally, we construct the sequence by means of the following algorithm:

[Figure e: algorithm listing]

The sequence \(\rho \) exists by soundness, and so this procedure terminates with a marking \({\varvec{z}}\) satisfying \({\varvec{z}}(\hat{p}) = \{ \hat{n}_2 \}\) and \({\varvec{z}}(\hat{q}) =\{ \hat{n}_1 \}\). If \(P_{\hat{n}_1} = P_{\hat{n}_2}\) then, since is deterministic, no occurrence sequence from \({\varvec{z}}\) contains an outcome of \(\hat{n}_1\) or \(\hat{n}_2\), contradicting soundness. So \(P_{\hat{n}_1} \ne P_{\hat{n}_2}\). Since \({\varvec{x}}_2\) is a maximal strict \((n, {\mathtt{r}})\)-sequence, there is an atom \(\hat{r} \in P_{\hat{n}_2} \setminus P_n\).

By soundness, there is a \(\hat{p}\)-path \(\pi _1\) from \(\hat{n}_1\) to \(n_f\) containing exactly one occurrence of \(\hat{n}_1\). Consider two cases:

  • \(\pi _1\) contains at least one occurrence of \(\hat{n}_2\).

    Let \(\pi _2\) be the suffix of \(\pi _1\) starting with the last occurrence of \(\hat{n}_2\) in \(\pi _1\). By Lemma 67(b), \(\pi _2\) is executable from \({\varvec{z}}\), and leads to a marking \({\varvec{z}}'\) satisfying \({\varvec{z}}'(\hat{p}) = n_f\), and \({\varvec{z}}'(\hat{q}) = \hat{n}_1\), contradicting soundness.

  • \(\pi _1\) contains no occurrence of \(\hat{n}_2\).

    By Lemma 67(b), \(\pi _1\) is executable from \({\varvec{z}}\), and leads to a marking \({\varvec{z}}'\) satisfying \({\varvec{z}}'(\hat{p}) = n_f\), and \({\varvec{z}}'(\hat{r}) = \hat{n}_2\), contradicting soundness.

\(\square \)
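As an added illustration (not part of the paper), the following Python code checks Proposition 46(a) by exhaustive search on a small constructed deterministic negotiation, and on a deadlocking variant of it. The atom names, the `NEXT` table and the reading of a maximal n-sequence (only atoms whose parties lie in \(P_n\) occur, and no such atom is enabled at the end, as in items (1) and (2) of the proof) are assumptions of this example; `can_always_terminate` checks only the termination part of soundness.

```python
# Constructed deterministic negotiation (assumption of this example).
# PARTIES[n] is P_n; NEXT[(n, r)][p] is the one atom party p waits for next.
AGENTS = ("a", "b", "c")
PARTIES = {"n0": {"a", "b", "c"}, "n": {"a", "b"}, "ma": {"a"},
           "mb": {"b"}, "nf": {"a", "b", "c"}}
NEXT = {
    ("n0", "st"): {"a": "n", "b": "n", "c": "nf"},
    ("n", "split"): {"a": "ma", "b": "mb"},
    ("n", "skip"): {"a": "nf", "b": "nf"},
    ("ma", "retry"): {"a": "ma"},   # cycle inside the n-fragment
    ("ma", "ok"): {"a": "nf"},
    ("mb", "done"): {"b": "nf"},
    ("nf", "end"): {"a": None, "b": None, "c": None},
}
# Unsound variant: after (n, skip) agent a waits for n and b for nf (deadlock).
BROKEN = {**NEXT, ("n", "skip"): {"a": "n", "b": "nf"}}
X0 = ("n0", "n0", "n0")            # initial marking, one atom per agent
FINAL = (None, None, None)         # final marking: nobody waits for anything


def enabled(x, nxt):
    """Outcomes (n, r) such that every party of n waits for n at marking x."""
    return [(n, r) for (n, r) in nxt
            if all(x[AGENTS.index(p)] == n for p in PARTIES[n])]


def fire(x, outcome, nxt):
    """Occurrence rule: parties of n move as nxt says, other agents stay."""
    return tuple(nxt[outcome].get(p, x[i]) for i, p in enumerate(AGENTS))


def reach(x, nxt, allowed=None):
    """Markings reachable from x using only atoms in `allowed` (all if None)."""
    seen, todo = {x}, [x]
    while todo:
        cur = todo.pop()
        for o in enabled(cur, nxt):
            succ = fire(cur, o, nxt)
            if (allowed is None or o[0] in allowed) and succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen


def can_always_terminate(nxt):
    """Termination part of soundness: FINAL is reachable from every reachable marking."""
    return all(FINAL in reach(x, nxt) for x in reach(X0, nxt))


def targets(x, n, nxt):
    """Targets of the maximal n-sequences from a marking x that enables n."""
    inside = {m for m in PARTIES if PARTIES[m] <= PARTIES[n]}
    return {y for y in reach(x, nxt, inside)
            if not any(o[0] in inside for o in enabled(y, nxt))}


Y = fire(X0, ("n0", "st"), NEXT)   # first marking that enables n
```

With `NEXT`, every interleaving and both results of `n` end in the same target; with `BROKEN`, the deadlock after `(n, skip)` gives a second target, so the conclusion of the proposition fails once soundness is dropped.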

Appendix D: Completeness of the reduction algorithm

Proposition 53

Let be a sound deterministic negotiation, and assume Algorithm 3 terminates for input . For every \(k \ge 0\), let be the negotiation produced by Algorithm 3 after k iterations of the for-loop.

  (1) For every atom n of with at most k parties, the n-fragment of is atomic.

  (2) For every outcome \((n, {\mathtt{r}})\) of with at most \(k+1\) parties, the \((n, {\mathtt{r}})\)-segment of is acyclic.

Proof

We prove (1) and (2) simultaneously by induction on k. If \(k=0\) then (1) is vacuously true. For (2) observe that if n has one party then the only strict \((n, {\mathtt{r}})\)-sequence is \((n, {\mathtt{r}})\), and so the \((n, {\mathtt{r}})\)-segment is acyclic.

Assume now \(k > 0\), and let n be an atom of with \(\ell \le k\) parties. We prove (1) in four steps.

Claim 1

All segments of the n-fragment are acyclic.

By the definition of a fragment, every atom of the n-fragment of has at most \(\ell \) parties. By induction hypothesis on (2), all segments of the n-fragment of are acyclic, and therefore the same holds for .

Claim 2

All segments of the n-fragment are atomic.

By Theorem 48, the segments are sound and deterministic. Moreover, since every atom of a segment has at most \(\ell \) parties and no outcome with at most \(k-1\) parties is reducible, all segments are irreducible. By Claim 1 and Proposition 38, all segments are atomic.

Claim 3

The n-fragment is a replication.

Since every segment is atomic, all atoms of the n-fragment have the same set of parties as n. Now let \((n', {\mathtt{r}}')\) be an outcome of the n-fragment. By Claim 2 the \((n', {\mathtt{r}}')\)-segment is atomic, and so in the negotiation we have \({\varvec{x}}_{n'} \xrightarrow []{(n', {\mathtt{r}}')} {\varvec{x}}\) for a marking \({\varvec{x}}\) such that either \({\varvec{x}}= {\varvec{x}}_{n''}\) for some atom \(n''\) with the same parties as \(n'\), or \({\varvec{x}}\) does not enable any atom. In the first case we have \(n' {\mathop {\mapsto }\limits ^{{\mathtt{r}}'}} n''\), and we are done. In the second case, by the definition of a segment we have \(n' {\mathop {\mapsto }\limits ^{{\mathtt{r}}'}} \hat{n}\).

Claim 4

The n-fragment is atomic.

Assume the n-fragment is not atomic. Then by Claim 3 and Theorem 44 the n-fragment has at least one reducible outcome, and the outcome has \(\ell \le k\) parties. This contradicts the fact that the minimal reducible outcome has \(k+1\) parties, by definition of .

Now we proceed to prove (2). Let \((n, {\mathtt{r}})\) be an outcome of with at most \(k+1\) parties. Assume that the \((n, {\mathtt{r}})\)-segment has a cycle. By Proposition 48, the segment is sound and deterministic. By Lemma 67, the cycle has a dominating atom d. By the definition of a segment, d is neither the initial nor the final atom of the segment. Since, by definition, every atom of the \((n, {\mathtt{r}})\)-segment different from the initial and final atoms has strictly fewer parties than n, we get \(|P_d| \le k\). By induction hypothesis on (1), the d-fragment is atomic. But then the successor \(d'\) of d along the cycle does not satisfy \(P_{d'} \subseteq P_d\), which contradicts that d is a dominating atom. \(\square \)

Appendix E: A correction

The reduction algorithm of [10] is based on a lemma (Lemma 3 in [10]), which, rewritten in the terminology of this paper, states:

Lemma 72

(Incorrect Lemma 3 of [10]) A cyclic sound deterministic negotiation contains an atom n such that all loops of the n-fragment of contain n.

This lemma was used in [10] to prove the correctness of the summarization procedure that iterates the following three steps. First: identify an n-fragment satisfying the property stated in the lemma. Second: use the procedure for summarizing acyclic negotiations to reduce this n-fragment to a single atom, with possibly some self-loop outcomes (i.e., outcomes \((n, \texttt {r})\) such that for every party a of n). Third: use the iteration rule to remove such outcomes.

However, the lemma is wrong. Figure 27 shows a one-agent negotiation in which, for every atom n, the n-fragment contains a loop which does not contain n. As a consequence, the algorithm of [10] does not summarize this negotiation.

Fig. 27: Counterexample to Lemma 3 of [10]

In this paper we have corrected this mistake. The procedure of Sect. 6 correctly summarizes the negotiation of Fig. 27.

Cite this article

Desel, J., Esparza, J. & Hoffmann, P. Negotiation as concurrency primitive. Acta Informatica 56, 93–159 (2019). https://doi.org/10.1007/s00236-018-0318-9
