figure a

1 Introduction

Fault-tolerant distributed protocols play an important role in the avionic and automotive industries, medical devices, cloud systems, blockchains, etc. Their unexpected behavior might put human lives at risk or cause a huge financial loss. Therefore, their correctness is of ultimate importance.

Ensuring correctness of distributed protocols is a notoriously difficult task, due to the unbounded number of processes and messages, as well as the non-deterministic behavior caused by the presence of faults, concurrency, and message delays. In general, the problem of verifying such protocols is undecidable. This imposes two directions for attacking the problem: (i) developing fully-automatic verification techniques for restricted classes of protocols, or (ii) designing deductive techniques for a wide range of systems that require user assistance. Within the latter approach, recently emerging techniques [29] leverage decidable logics that are supported by mature automated solvers to significantly reduce user effort, and increase verification productivity. Such logics bring several key benefits: (i) their solvers usually enjoy stable performance, and (ii) whenever annotations provided by the user are incorrect, the automated solvers can provide a counterexample for the user to examine.

Deductive verification based on decidable logic requires a logical formalism that satisfies two conflicting criteria: the formalism should be expressive enough to capture the protocol, its correctness properties, its inductive invariants, and ultimately its verification conditions. At the same time, the formalism should be decidable and have an effective automated tool for checking verification conditions.

In this paper we develop a methodology for deductive verification of threshold-based distributed protocols using decidable logic, well-established decidable logics to settle the tension explained above.

In threshold-based protocols, a process may take different actions based on the number of processes from which it received certain messages. This is often used to achieve fault-tolerance. For example, a process may take a certain step once it has received an acknowledgment from a strict majority of its peers, that is, from more than \(\mathbf{n}/2\) processes, where \(\mathbf{n}\) is the total number of processes. Such expressions as \(\mathbf{n}/2\), are called thresholds, and in general they can depend on additional parameters, such as the maximal number of crashed processes, or the maximal number of Byzantine processes.

Verification of such protocols requires two flavors of reasoning, as demonstrated by the following example. Consider the Paxos [20] protocol, in which each process proposes a value and all must agree on a common proposal. The protocol tolerates up to \(\mathbf{t}\) process crashes, and ensures that every two processes that decide agree on the decided value. The protocol requires \(\mathbf{n}>2\mathbf{t}\) processes, and each process must obtain confirmation messages from \(\mathbf{n}-\mathbf{t}\) processes before making a decision. The protocol is correct due to, among others, the fact that if \(\mathbf{n}>2\mathbf{t}\) then any two sets of \(\mathbf{n}-\mathbf{t}\) processes have a process in common. To verify this protocol we need to express (i) relationships between an unbounded number of processes and values, which typically requires quantification over uninterpreted domains (“every two processes”), and (ii) properties of sets of certain cardinalities (“any two sets of \(\mathbf{n}-\mathbf{t}\) processes intersect”). Crucially, these two types of reasoning are intertwined, as the sets of processes for which we need to capture cardinalities may be defined by their relations with other state components (“messages from at least \(\mathbf{n}-\mathbf{t}\) processes”). While uninterpreted first-order logic (FOL) seems like the natural fit for the first type of reasoning, it is seemingly a poor fit for the second type, since it cannot express set cardinalities and the arithmetic used to define thresholds. Typically, logics that combine both types of reasoning are either undecidable or not flexible enough to capture protocols as intricate as the ones we consider.

The approach we present relies on the observation that threshold-based protocols and their correctness proofs use set cardinality thresholds in a restricted way as a means to obtain certain properties between sets, and that these properties can be expressed in FOL via a suitable encoding. In the example above, the important property is that every two sets of cardinality at least \(\mathbf{n}-\mathbf{t}\) have a non-empty intersection. This property can be encoded in FOL by modeling sets of cardinality at least \(\mathbf{n}-\mathbf{t}\) using an uninterpreted sort along with a membership relation between this sort and the sort for processes. However, the validity of the property under the assumption that \(\mathbf{n}> 2\mathbf{t}\) cannot be verified in FOL.

The key idea of this paper is, hence, to decompose the verification problem of threshold-based protocols into the following problems: (i) Checking protocol correctness assuming certain intersection properties, which can be reduced to verification conditions expressed in the Effectively Propositional (EPR) fragment of FOL [25, 35]. (ii) Checking that sets with cardinalities adhering to the thresholds satisfy the intersection properties (under the protocol assumptions), which can be reduced to validity checks in quantifier-free Boolean Algebra with Presburger Arithmetic (BAPA) [19]. Both BAPA and EPR are decidable logics, and are supported by mature solvers.

A crucial step in employing this decomposition is finding suitable intersection properties that are strong enough to imply the protocol’s correctness (i.e., imply the FOL verification conditions), and are also implied by the precise definitions of the thresholds and the protocol’s assumptions. Thus, these intersection properties can be viewed as interpolants between the FOL verification conditions and the thresholds in the context of the protocol’s assumptions. We present fully automated procedures to find such intersection property interpolants, either eagerly or lazily.

The main contributions of this paper areFootnote 1:

  1. 1.

    We define a threshold intersection property (TIP) language for expressing properties of sets whose cardinalities adhere to certain thresholds; TIP is expressive enough to capture the properties required to prove the correctness of challenging threshold-based protocols.

  2. 2.

    We develop two encodings of TIP, one in BAPA, and another in EPR. These encodings facilitate decomposition of protocol verification into decidable EPR and (quantifier-free) BAPA queries.

  3. 3.

    We show that there are only finitely many TIP formulas (up to equivalence) that are valid for any given protocol. Moreover, we present an effective algorithm for computing all TIP formulas valid for a given protocol, as well as an algorithm for lazily finding a set of TIP formulas that suffice to prove a given protocol.

  4. 4.

    Put together, we obtain an effective deductive verification approach for threshold-based protocols: the user models the protocol and its inductive invariants in EPR using a suitable encoding of thresholds, and defines the thresholds and the protocol’s assumptions using arithmetic; verification is carried out automatically via decomposition to well-established decidable logics.

  5. 5.

    We implement the approach, leveraging mature existing solvers (Z3 and CVC4), and evaluate it by verifying several challenging threshold-based protocols with sophisticated thresholds and assumptions. Our evaluation shows the effectiveness and flexibility of our approach in modeling and verifying complex protocols, including the feasibility of automatically inferring threshold intersection properties.

2 Preliminaries

Transition Systems in FOL. We model distributed protocols as transition systems expressed in many-sorted FOL. A state of the system is a first-order (FO) structure \(s= ({\mathcal {D}}, {\mathcal {I}})\) over a vocabulary \(\varSigma \) that consists of sorted constant, function and relation symbols, s.t. \(s\) satisfies a finite set of axioms \(\varTheta \) in the form of closed formulas over \(\varSigma \). \({\mathcal {D}}\) is the domain of \(s\) mapping each sort to a set of objects (elements), and \({\mathcal {I}}\) is the interpretation function. A FO transition system is a tuple \((\varSigma , \varTheta , I, \textit{TR})\), where \(\varSigma \) and \(\varTheta \) are as above, \(I\) is a closed formula over \(\varSigma \) that defines the initial states, and \(\textit{TR}\) is a closed formula over \(\varSigma \uplus \varSigma '\) that defines the transition relation where \(\varSigma \) describes the source state of a transition and \(\varSigma ' = \{a' \mid a \in \varSigma \}\) describes the target state. We require that \(\textit{TR}\) does not modify any symbol that appears in \(\varTheta \). The set of reachable states is defined as usual. In practice, we define FO transition systems using a modeling language with a convenient syntax [29].

Properties and Inductive Invariants. A safety property is expressed by a closed FO formula \(P\) over \(\varSigma \). The system is safe if all of its reachable states satisfy \(P\). A closed FO formula \(\textit{Inv}\) over \(\varSigma \) is an inductive invariant for a transition system \((\varSigma , \varTheta , I, \textit{TR})\) and property \(P\) if the following formulas, called the verification conditions, are valid (equivalently, their negations are unsatisfiable): (i) \(\varTheta \rightarrow (I\rightarrow \textit{Inv})\), (ii) \(\varTheta \rightarrow (\textit{Inv}\wedge \textit{TR}\rightarrow \textit{Inv}')\) and (iii) \(\varTheta \rightarrow (\textit{Inv}\rightarrow P)\), where \(\textit{Inv}'\) results from substituting every symbol in \(\textit{Inv}\) by its primed version. We also use inductive invariants to verify arbitrary first-order LTL formulas via the reduction of [30, 31].

Effectively Propositional Logic (EPR). The effectively-propositional (EPR) fragment of FOL is restricted to formulas without function symbols and with a quantifier prefix \(\exists ^* \forall ^*\) in prenex normal form. Satisfiability of EPR formulas is decidable [25]. Moreover, EPR formulas enjoy the finite model property, i.e., \(\varphi \) is satisfiable iff it has a finite model. We consider a straightforward extension of EPR that maintains these properties and is supported by solvers such as Z3 [5]. The extension allows function symbols and quantifier alternations as long as the formula’s quantifier alternation graph, denoted \(\textit{QA}(\varphi )\), is acyclic. For \(\varphi \) in negation normal form, \(\textit{QA}(\varphi )\) is a directed graph where the set of vertices is the set of sorts and the set of edges is defined as follows: every function symbol introduces edges from its arguments’ sorts to its image’s sort, and every existential quantifier \(\exists x\) that resides in the scope of universal quantifiers introduces edges from the sorts of the universally quantified variables to the sort of x. The quantifier alternation graph is extended to sets of formulas as expected.

Boolean Algebra with Presburger Arithmetic (BAPA). Boolean Algebra with Presburger Arithmetic (BAPA) [19] is a FO theory defined over two sorts: \(\mathsf {int}\) (for integers), and \(\mathsf {set}\) (for subsets of a finite universe). The language is defined as follows:

$$\begin{aligned} F{:}{:}=&B_1 = B_2 \mid L_1 = L_2 \mid L_1 < L_2 \mid F_1 \wedge F_2 \mid F_1 \vee F_2 \mid \lnot F\mid \exists x.F\mid \forall x.F\mid \exists u.F\mid \forall u.F\\ B{:}{:}=&x \mid \emptyset \mid \mathbf{a}\mid B_1 \cup B_2 \mid B_1 \cap B_2 \mid B^c \qquad L{:}{:}= u \mid K\mid \mathbf{n}\mid i\mid L_1 + L_2 \mid K\cdot L\mid |B| \end{aligned}$$

where \(L\) defines linear integer terms, where u denotes an integer variable, \(k \in K\) defines an (interpreted) integer constant symbol \(\ldots , -2,-1,0,1,2 \ldots \), \(\mathbf{n}\) is an integer constant symbol that represents the size of the finite set universe, \(i\) is an uninterpreted integer constant symbol (as opposed to the constant symbols from \(K\)), and \(|b|\) denotes set cardinality; \(B\) defines set terms, where x denotes a set variable, \(\emptyset \) is a (interpreted) set constant symbol that represents the empty set, and \(\mathbf{a}\) is an uninterpreted set constant symbol; and \(F\) defines the set of BAPA formulas, where \(\ell _1 = \ell _2\) and \(\ell _1 < \ell _2\) are atomic arithmetic formulas and \(b_1 = b_2\) is an atomic set formula. (Other set constraints such as \(b_1 \subseteq b_2\) can be encoded in the usual way). In the sequel, we also allow arithmetic terms of the form \(\frac{\ell }{k}\) where \(k \in K\) is a positive integer and \(\ell \in L\), as any formula that contains such terms can be translated to an equivalent BAPA formula by multiplying by k.

A BAPA structure is \(s_B= ({\mathcal {D}}, {\mathcal {I}})\) where the domain \({\mathcal {D}}\) maps sort \(\mathsf {int}\) to the set of all integers and maps sort \(\mathsf {set}\) to the set of all subsets of a finite universe U, called the universal set. The semantics of terms and formulas is as expected, where the interpretation of the complement operation is defined with respect to U (e.g., \({\mathcal {I}}(\emptyset ^c) = U\)), and the integer constant \(\mathbf{n}\) is interpreted to the size of U, i.e. \({\mathcal {I}}(\mathbf{n}) = {\left| {U}\right| }\).

Both validity and satisfiability of BAPA formulas (with arbitrary quantification) are decidable [19], and the quantifier-free fragment is supported by CVC4 [2].

3 First-Order Modeling of Threshold-Based Protocols

Next we explain our modeling of threshold-based protocols as transition systems in FOL (Note that FOL cannot directly express set cardinality constraints). The idea is to capture each threshold by a designated sort, such that elements of this sort represent sets of nodes that satisfy the threshold. Elements of the threshold sort are then used instead of the actual threshold in the description of the protocol and in the verification conditions. For verification to succeed, some properties of the sets satisfying the cardinality threshold must be captured in FOL. This is done by introducing additional assumptions (formally, axioms of the transition system) expressed in FOL, as discussed in Sect. 4.

Fig. 1.
figure 1

Bosco: a one-step asynchronous Byzantine consensus algorithm [39], and an excerpt RML (relational modeling language) code of the main transition. Note that we overload the \({\textit{member}}\) relation for all threshold sorts. The formula \(\exists ! x.\,\varphi (x)\) is a shorthand for exists and unique.

Full size image

Running Example. We illustrate our approach using the example of Bosco—an asynchronous Byzantine fault-tolerant (BFT) consensus algorithm [39]. Its modeling in first-order logic using our technique appears alongside an informal pseudo-code in Fig. 1.

In the BFT consensus problem, each node proposes a value and correct nodes must decide on a unique proposal. BFT consensus algorithms typically require at least two communication rounds to reach a decision. In Bosco, nodes execute a preliminary communication step which, under favorable conditions, reaches an early decision, and then call an underlying BFT consensus algorithm to ensure reaching a decision even if these conditions are not met. Bosco is safe when \(\mathbf{n}> 3\mathbf{t}\); it guarantees that a preliminary decision will be reached if all nodes are non-faulty and propose the same value when \(\mathbf{n}> 5\mathbf{t}\) (weakly one-step condition), and even if some nodes are faulty, as long as all non-faulty nodes propose the same value, when \(\mathbf{n}> 7\mathbf{t}\) (strongly one-step condition).

Bosco achieves consensus by ensuring that (a) no two correct nodes decide differently in the preliminary step, and (b) if a correct node decides value v in the preliminary step then every correct process calls the underlying BFT consensus algorithm with proposal v. Property (a) is ensured by the fact that a node decides in the preliminary step only if more than \(\frac{\mathbf{n}+3\mathbf{t}}{2}\) nodes proposed the same value. When \(\mathbf{n}>3\mathbf{t}\), two sets of cardinality greater than \(\frac{\mathbf{n}+3\mathbf{t}}{2}\) have at least one non-faulty node in common, and therefore no two different values can be proposed by more than \(\frac{\mathbf{n}+3\mathbf{t}}{2}\) nodes. Similarly, we can derive property (b) from the fact that a set of more than \(\frac{\mathbf{n}+3\mathbf{t}}{2}\) nodes and a set of \(\mathbf{n}-\mathbf{t}\) nodes intersect in \(\frac{\mathbf{n}+\mathbf{t}}{2}\) nodes, which, after removing t nodes which may be faulty, still leaves us with more than \(\frac{\mathbf{n}-\mathbf{t}}{2}\) nodes, satisfying the condition in line 9.

3.1 Threshold-Based Protocols

Parameters and Resilience Conditions. We consider protocols whose definitions depend on a set of parameters, \(\textit{Prm}\), divided into integer parameters, \(\textit{Prm}_{I}\), and set parameters, \(\textit{Prm}_{S}\). \(\textit{Prm}_{I}\) always includes \(\mathbf{n}\), the total number of nodes (assumed to be finite). Protocol correctness is ensured under a set of assumptions \(\varGamma \) called resilience conditions, formulated as BAPA formulas over \(\textit{Prm}\) (this means that all the uninterpreted constants appearing in \(\varGamma \) are from \(\textit{Prm}\)). In Bosco, \(\textit{Prm}_{I}= \{\mathbf{n}, \mathbf{t}\}\), where \(\mathbf{t}\) is the maximal number of Byzantine failures tolerated by the algorithm, and \(\textit{Prm}_{S}= \{ \mathbf{f}\}\), where \(\mathbf{f}\) is the set of Byzantine nodes; \(\varGamma = \{ \mathbf{n}\ge 3 \mathbf{t}+ 1, {\left| {\mathbf{f}}\right| } \le \mathbf{t}\}\).

Threshold Conditions. Both the description of the protocol and the inductive invariant may include conditions that require the size of some set of nodes to be “at least t”, “at most t”, and so on, where the threshold t is of the form \(t=\frac{\ell }{k}\), where k is a positive integer, and \(\ell \) is a ground BAPA integer term over \(\textit{Prm}\) (we do not allow comparing sizes of two sets – we observe that it is not needed for threshold-based protocols). We denote the set of thresholds by \(T\). For example, in Bosco, \(T= \{ \mathbf{n}- \mathbf{t}, \frac{\mathbf{n}+ 3 \mathbf{t}+ 1}{2}, \frac{\mathbf{n}- \mathbf{t}+ 1}{2} \}\).

Wlog we assume that all conditions on set cardinalities are of the form “at least t” since every condition can be written this way, possibly by introducing new thresholds:

$$ {\left| {X}\right| } > \frac{\ell }{k} \equiv {\left| {X}\right| } \ge \frac{\ell +1}{k} \qquad {\left| {X}\right| } \le \frac{\ell }{k} \equiv {\left| {X^c}\right| } \ge \frac{k \cdot \mathbf{n}- \ell }{k} \qquad {\left| {X}\right| } < \frac{\ell }{k}\equiv {\left| {X}\right| } \le \frac{\ell -1}{k} $$

3.2 Modeling in FOL

FO Vocabulary for Modeling Threshold-Based Protocols. We describe the protocol’s states (e.g., pending messages, votes, etc.) using a core FO vocabulary \(\varSigma _C\) that includes sort \(\mathsf {node}\) and additional sorts and symbols. Parameters \(\textit{Prm}\) are not part of the FO vocabulary used to model the protocol. Also, we do not model set cardinality directly. Instead, we encode the cardinality thresholds in FOL by defining a FO vocabulary \(\varSigma _{T}^{\textit{Prm}}\):

  • For every threshold t we introduce a threshold sort \(\mathsf {set}_{\mathsf {t}}\) with the intended meaning that elements of this sort are sets of nodes whose size is at least t.

  • Each sort \(\mathsf {set}_{\mathsf {t}}\) is equipped with a binary relation symbol \({\textit{member}}_{t}\) between sorts \(\mathsf {node}\) and \(\mathsf {set}_{\mathsf {t}}\) that captures the membership relation of a node in a set.

  • For each set parameter \(\mathbf{a}\in \textit{Prm}_{S}\) we introduce a unary relation symbol \({\textit{member}}_{\mathbf{a}}\) over sort \(\mathsf {node}\) that captures membership of a node in the set \(\mathbf{a}\).

We then model the protocol as a transition system \((\varSigma , \varTheta , I, \textit{TR})\) where \(\varSigma =\varSigma _C\uplus \varSigma _{T}^{\textit{Prm}}\).

We are interested only in states (FO structures over \(\varSigma \)) where the interpretation of the threshold sorts and membership relations is according to their intended meaning in a corresponding BAPA structure. Formally, these are \(T\)-extensions, defined as follows:

Definition 1

We say that a FO structure \(s_C= ({\mathcal {D}}_C, {\mathcal {I}}_C)\) over \(\varSigma _C\) and a BAPA structure \(s_B= ({\mathcal {D}}_B, {\mathcal {I}}_B)\) over \(\textit{Prm}\) are compatible if \({\mathcal {D}}_B(\mathsf {set}) = \mathcal {P}({\mathcal {D}}_C(\mathsf {node}))\), where \(\mathcal {P}\) is the powerset operator. For such compatible structures and a set of thresholds \(T\) over \(\textit{Prm}\), the \(T\)-extension of \(s_C\) by \(s_B\) is the structure \(s= ({\mathcal {D}}, {\mathcal {I}})\) over \(\varSigma \) defined as follows:

figure b

Note that for the \(T\)-extension \(s\) to be well defined as a FO structure, we must have that \({\mathcal {D}}(\mathsf {set}_{\mathsf {t}}) \ne \emptyset \) for every threshold \(t \in T\). This means that a \(T\)-extension by \(s_B\) only exists if \(\{A \subseteq {\mathcal {D}}(\mathsf {node}) \mid {\left| {A}\right| } \ge {\mathcal {I}}_B(t) \} \ne \emptyset \). This is ensured by the following condition:

Definition 2 (Feasibility)

\(T\) is \(\varGamma \)-feasible if \(\varGamma \models t \le \mathbf{n}\) for every \(t \in T\).

Expressing Threshold Constraints. Cardinality constraints can be expressed in FOL over the vocabulary \(\varSigma =\varSigma _C\uplus \varSigma _{T}^{\textit{Prm}}\) using quantification. To express that \({\left| {\{ n: \mathsf {node}\mid \varphi (n,\bar{u}) \}}\right| } \ge t\), i.e., that there are at least t nodes that satisfy the FO formula \(\varphi \) over \(\varSigma _C\) (where \(\bar{u}\) are free variables in \(\varphi \)), we use the following first-order formula over \(\varSigma \): \(\exists q : \mathsf {set}_{\mathsf {t}}. \; \forall n: \mathsf {node}. \; {\textit{member}}_t(n,q) \rightarrow \varphi (n,\bar{u})\). Similarly, to express the property that a node is a member of a set parameter \(\mathbf{a}\) (e.g., to check if \(n\in \mathbf{f}\), i.e., a node is faulty) we use the FO formula \({\textit{member}}_{\mathbf{a}}(n)\). For example, in Fig. 1, line 5 (right) uses the FO modeling to express the condition in line 5 (left). This modeling is sound in the following sense:

Lemma 1 (Soundness)

Let \(s_C= ({\mathcal {D}}_C, {\mathcal {I}}_C)\) be a FO structure over \(\varSigma _C\), \(s_B= ({\mathcal {D}}_B, {\mathcal {I}}_B)\) a compatible BAPA structure over \(\textit{Prm}\) s.t. \(s_B\models \varGamma \) and \(T\) a \(\varGamma \)-feasible set of thresholds over \(\textit{Prm}\). Then there exists a (unique) \(T\)-extension \(s\) of \(s_C\) by \(s_B\). Further:

  1. 1.

    For every \(\mathbf{a}\in \textit{Prm}_{S}\) and FO valuation \(\iota \): \(s, \iota \models {\textit{member}}_{\mathbf{a}}(n)\) iff \(\iota (n) \in {\mathcal {I}}_B(\mathbf{a})\),

  2. 2.

    For every \(t \in T\), formula \(\varphi \), and FO valuation \(\iota \): \(s, \iota \models \exists q : \mathsf {set}_{\mathsf {t}}. \; \forall n: \mathsf {node}. \; {\textit{member}}_t(n,q) \rightarrow \varphi (n,\bar{u})\) iff \({\left| {\{ e \in {\mathcal {D}}(\mathsf {node}) \mid s_C,\iota [n\mapsto e] \models \varphi (n,\bar{u}) \}}\right| } \ge {\mathcal {I}}_B(t)\).

Definition 3

A first-order structure \(s\) over \(\varSigma \) is threshold-faithful if it is a \(T\)-extension of some \(s_C\) by some \(s_B\models \varGamma \) (as in Lemma 1).

Incompleteness. Lemma 1 ensures that the FO modeling can be soundly used to verify the protocol. It also ensures that the modeling is precise on threshold-faithful structures (Def. 1). Yet, the FO transition system is not restricted to such states, hence it abstracts the actual protocol. To have any hope to verify the protocol, we must capture some of the intended meaning of the threshold sorts and relations. This is obtained by adding FO axioms to the FO transition system. Soundness is maintained as long as the axioms hold in all threshold-faithful structures. We note that the set of all such axioms is not recursively enumerable– this is where the essential incompleteness of our approach lies.

4 Decomposition via Threshold Intersection Properties

In this section, we identify a set of properties we call threshold intersection properties. When captured via FO axioms, these properties suffice for verifying many threshold-based protocols (all the ones we considered). Importantly, these are properties of sets adhering to the thresholds that do not involve the protocol state. As a result, they can be expressed both in FOL and in BAPA. This allows us to decompose the verification task into: (i) checking that certain threshold properties are valid in all threshold-faithful structures by checking that they are implied by \(\varGamma \) (carried out using quantifier free BAPA), and (ii) checking that the verification conditions of the FO transition-system with the same threshold properties taken as axioms are valid (carried out in first-order logic, and in EPR if quantifier alternations are acyclic).

4.1 Threshold Intersection Property Language

Threshold properties are expressed in the threshold intersection property language (TIP). TIP is essentially a subset of BAPA, specialized to have the properties listed above.

Syntax. We define TIP as follows, with \(t \in T\) a threshold (of the form \(\frac{\ell }{k}\)) and \(\mathbf{a}\in \textit{Prm}_{S}\):

$$\begin{aligned} F&{:}{:} = B \ne \emptyset \mid B^c = \emptyset \mid g_{\ge t}(B) \mid F_1 \wedge F_2 \mid \forall x:g_{\ge t}. F \\ B&{:}{:}= \mathbf{a}\mid \mathbf{a}^c \mid x \mid x^c \mid \emptyset \mid \emptyset ^c \mid B_1 \cap B_2 \end{aligned}$$

TIP restricts the use of set cardinality to threshold guards \(g_{\ge t}(b)\) with the meaning \({\left| {b}\right| } \ge t\). No other arithmetic atomic formulas are allowed. Comparison atomic formulas are restricted to \(b\ne \emptyset \) and \(b^c = \emptyset \). Quantifiers must be guarded, and negation, disjunction and existential quantification are excluded. We forbid set union and restrict complementation to atomic set terms. We refer to such formulas as intersection properties since they express properties of intersections of (atomic) sets.

Example 1

In Bosco, the following property captures the fact that the intersection of a set of at least \(\mathbf{n}-\mathbf{t}\) nodes and a set of more than \(\frac{\mathbf{n}+3\mathbf{t}}{2}\) nodes consists of at least \(\frac{\mathbf{n}-\mathbf{t}}{2}\) non-faulty nodes. This is needed for establishing correctness of the protocol.

$$\begin{aligned} \forall x:g_{\ge \mathbf{n}-\mathbf{t}}. \, \forall y:g_{\ge \frac{\mathbf{n}+ 3\mathbf{t}+ 1}{2}}. \; g_{\ge \frac{\mathbf{n}- \mathbf{t}+ 1}{2}}(x \cap y \cap \mathbf{f}^c) \end{aligned}$$

Semantics. As TIP is essentially a subset of BAPA, we define its semantics by translating its formulas to BAPA, where most constructs directly correspond to BAPA constructs, and guards are translated to cardinality constraints:

The notions of structures, satisfaction, equivalence, validity, satisfiability, etc. are inherited from BAPA. In particular, given a set of BAPA resilience conditions \(\varGamma \) over the parameters \(\textit{Prm}\), we say that a TIP formula \(\varphi \) is \(\varGamma \)-valid, denoted \(\varGamma \models \varphi \), if \(\varGamma \models \mathcal {B}(\varphi )\).

If \(\varGamma \) is quantifier-free (which is the typical case), \(\varGamma \)-validity of TIP formulas can be checked via validity checks of quantifier-free BAPA formulas, supported by mature solvers. Note that \(\varGamma \)-validity of a formula of the form \(\forall x:g_{\ge t_1}.\ {\left| {x \cap b}\right| } \ge t_2\) is equivalent to \(\varGamma \models \forall u.\ u \ge t_1 \rightarrow u + {\left| {b}\right| } -n \ge t_2\), allowing replacing quantification over sets by quantification over integers, thus improving performance of existing solvers.

4.2 Translation to FOL

To verify threshold-based protocols, we translate TIP formulas to FO axioms, using the threshold sorts and relations. To translate \(g_{\ge t}(b)\), we follow the principle in (Sect. 3.2):

figure c

We lift \(\mathcal {FO}\) to sets of formulas: \(\mathcal {FO}(\varDelta ) = \{\mathcal {FO}(\varphi ) \mid \varphi \in \varDelta \}\).

Next, we state the soundness of the translation, which intuitively means that \(\mathcal {FO}(\varphi )\) is “equivalent” to \(\varphi \) over threshold-faithful FO structures (Definition 1). This justifies adding \(\mathcal {FO}(\varphi )\) as a FO axiom whenever \(\varphi \) is \(\varGamma \)-valid.

Theorem 1 (Translation soundness)

Let \(s_C= ({\mathcal {D}}_C, {\mathcal {I}}_C)\) be a first-order structure over \(\varSigma _C\), \(s_B= ({\mathcal {D}}_B, {\mathcal {I}}_B)\) a compatible BAPA structure over \(\textit{Prm}\), and \(s\) the \(T\)-extension of \(s_C\) by \(s_B\). Then for every closed TIP formula \(\varphi \), we have \(s_B\models \varphi \Leftrightarrow s\models \mathcal {FO}(\varphi ).\)

Corollary 1

For every closed TIP formula \(\varphi \) such that \(\varGamma \models \varphi \), we have that \(\mathcal {FO}(\varphi )\) is satisfied by every threshold-faithful first-order structure.

5 Automatically Inferring Threshold Intersection Properties

To apply the approach described in Sects. 3 and 4, it is crucial to find suitable threshold properties. That is, given the resilience conditions \(\varGamma \) and a FO transition system modeling the protocol, we need to find a set \(\varDelta \) of TIP formulas such that (i) \(\varGamma \models \varphi \) for every \(\varphi \in \varDelta \), and (ii) the VCs of the transition system with the axioms \(\mathcal {FO}(\varDelta )\) are valid.

In this section, we address the problem of automatically inferring such a set \(\varDelta \). In particular, we prove that for any protocol that satisfies a natural condition, there are finitely many \(\varGamma \)-valid TIP formulas (up to equivalence), enabling a complete automatic inference algorithm. Furthermore, we show that (under certain reasonable conditions formalized in this section), the FO axioms resulting from the inferred TIP properties have an acyclic quantifier alternation graph, facilitating protocol verification in EPR.

Notation. For the rest of this section, we fix a set \(\textit{Prm}\) of parameters, a set \(\varGamma \) of resilience conditions over \(\textit{Prm}\), and a set \(T\) of thresholds. Note that \(b\ne \emptyset \equiv g_{\ge 1}(b)\) and \(b^c = \emptyset \equiv g_{\ge \mathbf{n}}(b)\). Therefore, for uniformity of the presentation, given a set \(T\) of thresholds, we define \(\hat{T}\buildrel {\tiny \mathrm def} \over =T\cup \{1, \mathbf{n}\}\) and replace atomic formulas of the form \(b\ne \emptyset \) and \(b^c = \emptyset \) by the corresponding guard formulas. As such, the only atomic formulas are of the form \(g_{\ge t}(b)\) where \(t \in \hat{T}\). Note that guards in quantifiers are still restricted to \(g_{\ge t}\) where \(t \in T\). Given a set \(\textit{Prm}_{S}\), we also denote \(\hat{\textit{Prm}_{S}} = \textit{Prm}_{S}\cup \{\mathbf{a}^c \mid \mathbf{a}\in \textit{Prm}_{S}\}\).

5.1 Finding Consequences in the Threshold Intersection Property Language

In this section, we present Aip– an algorithm for inferring all \(\varGamma \)-valid TIP formulas. A naïve (non-terminating) algorithm would iteratively check \(\varGamma \)-validity of every TIP formula. Instead, Aip prunes the search space relying on the following condition:

Definition 4

\(T\) is \(\varGamma \)-non-degenerate if for every \(t \in T\) it holds that \(\varGamma \not \models t \le 0\).

If \(\varGamma \models t \le 0\) then t is degenerate in the sense that \(g_{\ge t}(b)\) is always \(\varGamma \)-valid, and \(\forall x: g_{\ge t}. \ g_{\ge t'}(x \cap b)\) is never \(\varGamma \)-valid unless \(t'\) is also degenerate.

We observe that we can (i) push conjunctions outside of formulas (since \(\forall \) distributes over \(\wedge \)), and assuming non-degeneracy, (ii) ignore terms of the form \(x^c\):

Lemma 2

If \(T\) is \(\varGamma \)-feasible and \(\varGamma \)-non-degenerate, then for every \(\varGamma \)-valid \(\varphi \) in TIP, there exist \(\varphi _1,\ldots ,\varphi _m\) s.t. \(\varphi \equiv \bigwedge ^m_{i=1}\varphi _i\) and for every \(1 \le i \le m\), \(\varphi _i\) is of the form:

$$\begin{aligned} \forall x_1:g_{\ge t_1} \ldots \forall x_q:g_{\ge t_q}.\ g_{\ge t}(x_1 \cap \ldots \cap x_q \cap a_{1} \ldots \cap a_{k}) \end{aligned}$$

where \(q+k>0\), \(t_1,\ldots ,t_q \in T\), \(t \in \hat{T}\), \(a_1,\ldots ,a_k \in \hat{\textit{Prm}_{S}}\), and the \(a_i\)’s are distinct.

We refer to \(\varphi _i\) of the form above as simple, and refer to \(g_{\ge t}\) as its atomic guard.

By Lemma 2, it suffices to generate all simple \(\varGamma \)-valid formulas. Next, we show that this can be done more efficiently by pruning the search space based on a subsumption relation that is checked syntactically avoiding \(\varGamma \)-validity checks.

Definition 5 (Subsumption)

For every \(h_1, h_2 \in \hat{T}\cup \hat{\textit{Prm}_{S}}\), we denote \(h_1 \sqsubseteq _\varGamma h_2\) if one of the following holds: (1) \(h_1 = h_2\), or (2) \(h_1, h_2 \in \hat{T}\) and \(\varGamma \models h_1 \ge h_2\), or (3) \(h_1 \in \hat{\textit{Prm}_{S}}\), \(h_2 \in \hat{T}\) and \(\varGamma \models {\left| {h_1}\right| } \ge h_2\).

For \(h_1,h_2 \in \hat{T}\) and \(h_3 \in \hat{\textit{Prm}_{S}}\), \(h_1 \sqsubseteq _\varGamma h_2\) means that \(\varGamma \models \forall x:g_{\ge h_1}.\ g_{\ge h_2}(x)\), and \(h_3 \sqsubseteq _\varGamma h_2\) means that \(\varGamma \models g_{\ge h_2}(h_3)\). We lift the relation \(\sqsubseteq _\varGamma \) to act on simple formulas:

Definition 6

Given simple formulas

$$\begin{aligned} \alpha =&\forall x_1:g_{\ge h_1} \ldots \forall x_q: g_{\ge h_q}.\ g_{\ge t}(x_1 \cap \ldots \cap x_q \cap h_{q+1} \ldots \cap h_{k})\\ \beta =&\forall x_1:g_{\ge h'_1} \ldots \forall x_{q'}:g_{\ge h'_{q'}}.\ g_{\ge t'}(x_1 \cap \ldots \cap x_{q'} \cap h'_{q'+1} \ldots \cap h'_{k'}) \end{aligned}$$

we say that \(\alpha \sqsubseteq _\varGamma \beta \) if (i) \(t \sqsubseteq _\varGamma t'\), and (ii) there exists an injective function \(f:\{1, \ldots , k'\} \rightarrow \{1, \ldots , k\}\) s.t. for any \(1 \le i \le k'\) it holds that \(h'_i \sqsubseteq _\varGamma h_{f(i)}\).

Lemma 3

Let \(\alpha , \beta \) be simple formulas such that \(\alpha \sqsubseteq _\varGamma \beta \). If \(\varGamma \models \alpha \) then \(\varGamma \models \beta \).

Corollary 2

If no simple formula with q quantifiers is \(\varGamma \)-valid then no simple formula with more than q quantifiers is \(\varGamma \)-valid.

Algorithm 1 depicts Aip that generates all \(\varGamma \)-valid simple formulas, relying on Lemma 3. Aip uses a naïve search strategy; different strategies can be used (e.g. [26]). Based on Corollary 2, Aip terminates if for some number of quantifiers no \(\varGamma \)-valid formula is discovered.

figure d

Lemma 4 (Soundness)

Every formula \(\varphi \) that is returned by the algorithm is \(\varGamma \)-valid.

Lemma 5 (Completeness)

If \(T\) is \(\varGamma \)-feasible and \(\varGamma \)-non-degenerate, then for every \(\varGamma \)-valid TIP formula \(\varphi \) there exist \(\varphi _1\ldots \varphi _m\) s.t. \(\varphi \equiv \bigwedge _{i=1}^m \varphi _i\) and \(\textsc {Aip} \) yields every \(\varphi _i\).

Next, we characterize the cases in which there are finitely many \(\varGamma \)-valid TIP formulas, up to equivalence, and thus, Aip is guaranteed to terminate.

Definition 7

\(T\) is \(\varGamma \)-sane if for every \(t_1, t_2 \in T\), \(\varGamma \not \models t_1 \le 0 \vee t_2 > \mathbf{n}- 1\). \((T,\textit{Prm}_{S})\) is \(\varGamma \)-sane if, in addition, for every \(t_1 \in T\), \(a \in \hat{\textit{Prm}_{S}}\), \(\varGamma \not \models t_1 \le 0 \vee {\left| {a}\right| } = \mathbf{n}\).

Theorem 2

Assume that \(T\) is \(\varGamma \)-feasible. Then the following conditions are equivalent: (1) There are finitely many \(\varGamma \)-valid simple formulas. (2) There are finitely many \(\varGamma \)-valid TIP formulas, up to equivalence. (3) \(T\) is \(\varGamma \)-sane.

Corollary 3 (Termination)

If \(T\) is \(\varGamma \)-feasible and \(\varGamma \)-sane, Aip terminates.

5.2 From TIP to Axioms in EPR

The set of simple formulas generated by Aip, \(\varDelta \), is translated to FOL axioms as described in Sect. 4.2. Next, we show how to ensure that the quantifier alternation graph (Sect. 2) of \(\mathcal {FO}(\varDelta )\) is acyclic. A simple formula induces quantifier alternation edges in \(\textit{QA}(\mathcal {FO}(\varphi ))\) from the sorts of its universal quantifiers to the sort of its atomic guard \(g_{\ge t}\) (or if \(t = 1\) to the \(\mathsf {node}\) sort). Therefore, from Lemma 3, for a \(\varGamma \)-valid \(\varphi \), cycles in \(\textit{QA}(\mathcal {FO}(\varphi ))\) may only occur if they occur in the graph obtained by \(\sqsubseteq _\varGamma \). Furthermore, if \(\textit{QA}(\mathcal {FO}(\varphi ))\) is not acyclic, then the atomic guard must be equal to one of the quantifier guards. We refer to such a formula as a cyclic formula. We show that, under the following assumption, we can eliminate all cyclic formulas from \(\varDelta \).

Definition 8

\(T\) is \(\varGamma \)-acyclic if for every \(t_1,t_2 \in T\), if \(\varGamma \models t_1 = t_2\) then \(t_1 = t_2\).

Intuitively, if \(T\) is not \(\varGamma \)-acyclic, then it has (at least) two “equivalent” thresholds, making one of them redundant. If that is the case, we can alter the protocol and its proof so that one of these guards is eliminated and the other one is used instead.

Theorem 3

Let \(T\) be \(\varGamma \)-feasible and \(\varGamma \)-acyclic and \((T,\textit{Prm}_{S})\) be \(\varGamma \)-sane. Let \(\varDelta \) be the set returned by Aip, and . Then the VCs of the FO transition system with axioms \(\mathcal {FO}(\varDelta )\) are valid iff they are valid with axioms \(\mathcal {FO}(\varDelta ')\). Further, \(\textit{QA}(\mathcal {FO}(\varDelta '))\) is acyclic.

5.3 Finding Minimal Properties Required for a Protocol

If \(\varDelta \) consists of all acyclic \(\varGamma \)-valid TIP formulas returned by Aip, using \(\mathcal {FO}(\varDelta )\) as FO axioms leads to divergence of the verifier. To overcome this, we propose two variants.

Minimal Equivalent. \(\varDelta _{min}\). Some of the formulas in \(\mathcal {FO}(\varDelta )\) are implied by others, making them redundant. We remove such formulas using a greedy procedure that for every \(\varphi _i \in \varDelta \), checks whether \(\mathcal {FO}(\varDelta \setminus \{\varphi _i\}) \models \mathcal {FO}(\varphi _i)\), and if so, removes \(\varphi _i\) from \(\varDelta \). Note that if \(\textit{QA}(\mathcal {FO}(\varDelta ))\) is acyclic, the check translates to (un)satisfiability in EPR.

This procedure results in \(\varDelta _{min} \subseteq \varDelta \) s.t. \(\mathcal {FO}(\varDelta _{min}) \models \mathcal {FO}(\varDelta )\) and no strict subset of \(\varDelta _{min}\) satisfies this condition. That is, \(\varDelta _{min}\) is a local minimum for that property.

Interpolant. \(\varDelta _{int}\). There may exist \(\varDelta _{int} \subseteq \varDelta \) s.t. \(\mathcal {FO}(\varDelta _{int}) \not \models \mathcal {FO}(\varDelta )\) but \(\mathcal {FO}(\varDelta _{int})\) suffices to prove the first-order VCs, and enables to discharge the VCs more efficiently. We compute such a set \(\varDelta _{int}\) iteratively. Initially, \(\varDelta _{int}= \emptyset \). In each iteration, we check the VCs. If a counterexample to induction (CTI) is found, we add to \(\varDelta _{int}\) a formula from \(\varDelta \) not satisfied by the CTI. In this approach, \(\varDelta \) is not pre-computed. Instead, Aip is invoked lazily to generate candidate formulas in reaction to CTIs.

6 Evaluation

We evaluate the approach by verifying several challenging threshold-based distributed protocols that use sophisticated thresholds: we verify the safety of Bosco [39] (presented in Sect. 3) under its 3 different resilience conditions, the safety and liveness (using the liveness to safety reduction presented in [30]) of Hybrid Reliable Broadcast [40], and the safety of Byzantine Fast Paxos [23]. Hybrid Reliable Broadcast tolerates four different types of faults, while Fast Byzantine Paxos is a fast-learning [21, 22] Byzantine fault-tolerant consensus protocol; fast-learning protocols are notorious because two such algorithms, Zyzzyva [17] and FaB [28], were recently revealed incorrect [1] despite having been published at major systems conferences.

Implementation. We implemented both algorithms described in Sect. 5.3. Aip \(_\textsc {Eager}\) eagerly constructs \(\varDelta \) by running Aip, and then uses EPR reasoning to remove redundant formulas (whose FO representation is implied by the FO representation of others). To reduce the number of EPR validity checks used during this minimization step, we implemented an optimization that allows us to prove redundancy of TIP formulas internally based on an extension of the notion of subsumption from Sect. 5. Aip \(_\textsc {Lazy}\) computes a subset of \(\varDelta \) while using Aip in a lazy fashion, guided by CTIs obtained from attempting to verify the FO transition system. Our implementations use CVC4 to discharge BAPA queries, and Z3 to discharge EPR queries. Verification of first-order transition systems is performed using Ivy, which internally uses Z3 as well. All experiments reported were performed on a laptop running 64-bit Windows 10, with a Core-i5 2.2 GHz CPU, using Z3 version 4.8.4, CVC4 version 1.7, and the latest version of Ivy.

Fig. 2.
figure 2

Protocols verified using our technique. For each protocol, \(T\) is the set of thresholds and \(\varGamma \) is the resilience condition. Aip\(_{\textsc {Eager}}\) lists metrics for the procedure of finding all \(\varGamma \)-valid TIP formulas (taking time \(\mathbf {t_C}\)), and verifying the transition system using the resulting properties (taking time \(\mathbf {t_v}\)). Obtaining a minimal subset that FO-implies the rest takes negligible time, so we did not include it in the table. The properties are given in , where \(g_i\) denotes \(g_{\ge t_i}\). In addition to the run times, V shows \(\frac{c}{v}\), where c is the number of \(\varGamma \)-valid simple formulas that were checked using the BAPA solver (CVC4), and v is the total number of \(\varGamma \)-valid simple formulas. Namely, \(v-c\) simple formulas were inferred to be valid via subsumption. I reports the analogous metric for \(\varGamma \)-invalid simple formulas. Finally, Q reports the maximal number of quantifiers considered (for which all formulas were \(\varGamma \)-invalid). Aip\(_{\textsc {Lazy}}\) lists metrics for the procedure of finding a set of \(\varGamma \)-valid TIP formulas sufficient to prove the protocol based on counterexamples. The resulting set is listed in , and \(\mathbf {t_I}\) lists the total Ivy runtime, with the standard deviation specified below. V (resp. I) lists the number of \(\varGamma \)-valid (resp. \(\varGamma \)-invalid) simple formulas considered before the final set was reached. CTI lists the number of counterexample iterations required, and Q lists the maximal number of quantifiers of any TIP formula considered. Finally, \(\mathbf {t_v}\) lists the time required to verify the first-order transition system assuming the obtained set of properties. T.O. indicates that a time out of 1 h was reached.

Full size image

Figure 2 lists the protocols we verified and the details of the evaluation. Each experiment was repeated 10 times, and we report the mean time (\(\mu \)) and standard deviation (\(\sigma \)). The figure’s caption explains the presented information, and we discuss the results below.

Aip\(_\textsc {Eager}\) For all protocols, running Aip took less than 1 min (column \(\mathbf {t_C}\)), and generated all \(\varGamma \)-valid simple TIP formulas. We observe that for most formulas, (in)validity is deduced from other formulas by subsumption, and less than 2%–5% of the formulas are actually checked using a BAPA query. With the optimization of the redundancy check, minimization of the set is performed in negligible time. The resulting set, \(\varDelta _\textsc {Eager}\), contains 3–5 formulas, compared to 39–79 before minimization.

Due to the optimization described in Sect. 4 for the BAPA validity queries, the number of quantifiers in the TIP formulas that are checked by Aip does not affect the time needed to compute the full \(\varDelta \). For example, Bosco under the Strongly One-step resilience condition contains \(\varGamma \)-valid simple TIP formulas with up to 7 quantifiers (as \(\mathbf{n}> 7\mathbf{t}\) and \(t_1 = \mathbf{n}- \mathbf{t}\)), but \(\textsc {Aip} \) does not take significantly longer to find \(\varDelta \). Interestingly, in this example the \(\varGamma \)-valid TIP formulas with more than 3 quantifiers are implied (in FOL) by formulas with at most 3 quantifiers, as indicated by the fact that these are the only formulas that remain in \(\varDelta _\textsc {Eager}^{\text {Bosco Strongly One-step}}\).

Aip\(_\textsc {Lazy}\) With the lazy approach based on CTIs, the time for finding the set of TIP formulas, \(\varDelta _\textsc {Lazy}\), is generally longer. This is because the run time is dominated by calls to Ivy with FO axioms that are too weak for verifying the protocol. However, the resulting \(\varDelta _\textsc {Lazy}\) has a significant benefit: it lets Ivy prove the protocol much faster compared to using \(\varDelta _\textsc {Eager}\). Comparing \(\mathbf {t_V}\) in Aip \(_\textsc {Eager}\) vs. Aip \(_\textsc {Lazy}\) shows that when the former takes a minute, the latter takes a few seconds, and when the former times out after 1 h, the latter terminates, usually in under 1 min. Comparing the formulas of \(\varDelta _\textsc {Eager}\) and \(\varDelta _\textsc {Lazy}\) reveals the reason. While the FO translation of both yields EPR formulas, the formulas resulting from \(\varDelta _\textsc {Eager}\) contain more quantifiers and generate much more ground terms, which degrades the performance of Z3.

Another advantage of the lazy approach is that during the search, it avoids considering formulas with many quantifiers unless those are actually needed. Comparing the 3 versions of Bosco we see that Aip \(_\textsc {Lazy}\) is not sensitive to the largest number of quantifiers that may appear in a \(\varGamma \)-valid simple TIP formula. The downside is that Aip \(_\textsc {Lazy}\) performs many Ivy checks in order to compute the final \(\varDelta _\textsc {Lazy}\). The total duration of finding CTIs varies significantly (as demonstrated under the column \(\mathbf {t_I}\)), in part because it is very sensitive to the CTIs returned by Ivy, which are in turn affected by the random seed used in the heuristics of the underlying solver.

Finally, \(\varDelta _\textsc {Lazy}\) provides more insight into the protocol design, since it presents minimal assumptions that are required for protocol correctness. Thus, it may be useful in designing and understanding protocols.

7 Related Work

Fully Automatic Verification of Threshold-Based Protocols. Algorithms modeled as Threshold automata (TA) [14] have been studied in [13, 16], and verified using an automated tool ByMC [15]. The tool also automatically synthesizes thresholds as arithmetic expressions [24]. Reachability properties of TAs for more general thresholds are studied in [18]. There have been recent advances in verification of synchronous threshold-based algorithms using TAs [41], and of asynchronous randomized algorithms where TAs support coin tosses and an unbounded number of rounds [4]. Still, this modeling is very restrictive and not as faithful to the pseudo-code as our modeling.

Another approach for full automation is to use sound and incomplete procedures for deduction and invariant search for logics that combine quantifiers and set cardinalities [8, 10]. However, distributed systems of the level of complexity we consider here (e.g., Byzantine Fast Paxos) are beyond the reach of these techniques.

Verification of Distributed Protocols Using Decidable Logics. Padon et al. [33] introduced an interactive approach for the safety verification of distributed protocols based on EPR using the Ivy [29] verification tool. Later works extended the approach to more complex protocols [32], their implementations [42], and liveness properties [30, 31]. Those works verified some threshold protocols using ad-hoc first-order modeling and axiomatization of threshold-intersection properties, whereas we develop a systematic methodology. Moreover, the axioms were not mechanically verified, except in [42], where a simple intersection property—intersection of two sets with more than \(\frac{\mathbf{n}}{2}\) nodes—requires a proof by induction over \(\mathbf{n}\). The proof relies on a user provided induction hypothesis that is automatically checked using the FAU decidable fragment [9]. This approach requires user ingenuity even for a simple intersection property, and we expect that it would not scale to the more complex properties required for e.g. Bosco or Fast Byzantine Paxos. In contrast, our approach completely automates both verification and inference of threshold-intersection properties required to verify protocol correctness.

Dragoi et al. [6] propose a decidable logic supporting cardinalities, uninterpreted functions, and universal quantifiers for verifying consensus algorithms expressed in the partially synchronous Heard-Of Model. As in this paper, the user is expected to provide an inductive invariant. The PSync framework [7] extends the approach to protocol implementations. Compared to our approach, the approach of Dragoi et al. is less flexible due to the specialized logic used and the restrictions of the Heard-Of Model.

Our approach decomposes verification into EPR and BAPA. Piskac [34] presents a decidable logic that combines BAPA and EPR, with some restrictions. The verification conditions of the protocols we consider are outside the scope of this fragment since they include cardinality constraints in the scope of quantifiers. Furthermore, this logic is not supported by mature solvers. Instead of looking for a specialized logic per protocol, we rely on a decomposition which allows more flexibility.

Recently, [11] presented an approach for verifying asynchronous algorithms by reduction to synchronous verification. This technique is largely orthogonal and complementary to our approach, which is focused on the challenge of cardinality thresholds.

Verification using interactive theorem provers. We are not aware of works based on interactive theorem provers that verified protocols with complex thresholds as we do in this work (although doing so is of course possible). However, many works used interactive theorem provers to verify related protocols, e.g., [12, 27, 36,37,38, 43] (the most related protocols use either \(\frac{{n}}{{2}}\) or \(\frac{{2n}}{{3}}\) as the only thresholds, other protocols do not involve any thresholds). The downside of verification using interactive theorem provers is that it requires tremendous human efforts and skills. For example, the Verdi proof of Raft included  50,000 lines of proof in Coq for 500 lines of code [44].

8 Conclusion

This paper proposes a new deductive verification approach for threshold-based distributed protocols by decomposing the verification problem into two well-established decidable logics, BAPA and EPR, thus allowing greater flexibility compared to monolithic approaches based on domain-specific, specialized logics. The user models their protocol in EPR, defines the thresholds and resilience conditions using arithmetic in BAPA, and provides an inductive invariant. An automatic procedure infers threshold intersection properties expressed in TIP that are both (1) sound w.r.t. the resilience conditions (checked in quantifier-free BAPA) and (2) sufficient to discharge the VCs (checked in EPR). Both logics are supported by mature solvers, and allow providing the user with an understandable counterexample in case verification fails.

Our evaluation, which includes notoriously tricky fast-learning consensus protocols, shows that threshold intersection properties are inferred in a matter of minutes. While this may be too slow for interactive use, we expect improvements such as memoization and parallelism to provide response times of a few seconds in an iterative, interactive setting. Another potential future direction is combining our inference algorithm with automated invariant inference algorithms.