## Abstract

We introduce Peregrine, the first tool for the analysis and parameterized verification of population protocols. Population protocols are a model of computation very much studied by the distributed computing community, in which mobile anonymous agents interact stochastically to achieve a common task. Peregrine allows users to design protocols, to simulate them both manually and automatically, to gather statistics of properties such as convergence speed, and to verify correctness automatically. This paper describes the features of Peregrine and their implementation.

M. Blondin was supported by the Fonds de recherche du Québec – Nature et technologies (FRQNT).

You have full access to this open access chapter, Download conference paper PDF

### Similar content being viewed by others

## Keywords

## 1 Introduction

Population protocols [1, 3, 4] are a model of distributed computing in which replicated, mobile agents with limited computational power interact stochastically to achieve a common task. They provide a simple and elegant formalism to model, e.g., networks of passively mobile sensors [1, 5], trust propagation [13], evolutionary dynamics [14], and chemical systems, under the name chemical reaction networks [12, 16, 19].

Population protocols are parameterized: the number of agents does not change during the execution of the protocol, but is *a priori* unbounded. A protocol is correct if it behaves correctly for all of its infinitely many initial configurations. For this reason, it is challenging to design correct and efficient protocols.

In this paper we introduce Peregrine^{Footnote 1}, the first tool for the parameterized analysis of population protocols. Peregrine is intended for use by researchers in distributed computing and systems biology. It allows the user to specify protocols either through an editor or as simple scripts, and to analyze them via a graphical interface. The analysis features of Peregrine include manual step-by-step simulation; automatic sampling; statistics generation of average convergence speed; detection of incorrect executions through simulation; and formal verification of correctness. The first four features are supported for all protocols, while verification is supported for silent protocols, a large subclass of protocols [6]. Verification is performed automatically over *all* of the infinitely many initial configurations using the recent approach of [6] for solving the so-called well-specification problem.

*Related Work.* The problem of automatically verifying that a population protocol conforms to its specification for *one fixed initial configuration* has been considered in [10, 11, 17, 20]. In [10], *ad hoc* search algorithms are used. In [11, 17], the authors show how to model the problem in the probabilistic model checker Prism, and under certain conditions in Spin. In [20], the problem is modeled with the Pat toolkit for model checking under fairness assumptions. All these tools increase our confidence in the correctness of a protocol. However, compared to Peregrine, they are not visual tools, they do not offer simulation capabilities, and they can only verify the correctness of a protocol for a finite number of initial configurations, with typically a small number of agents. Peregrine proves correctness for all of the infinitely many initial configurations, with an arbitrarily large number of agents.

As mentioned in the introduction, population protocols are isomorphic to chemical reaction networks (CRNs), a popular model in natural computing. Cardelli et al. have recently developed model checking techniques and analysis algorithms for *stochastic* CRNs [7,8,9]. The problems studied therein are incomparable to the parameterized questions addressed by Peregrine.

The verification algorithm of Peregrine is based on [6], where a novel approach for the parameterized verification of silent population protocols has been presented. The command-line tool of [6] only offers support for proving correctness, with no functionality for visualization or simulation. Further, contrary to Peregrine, the tool cannot produce counterexamples when correctness fails.

## 2 Population Protocols

We introduce population protocols through a simple example and then briefly formalize the model. We refer the reader to [4] for a more thorough but still intuitive presentation. Suppose anonymous and mobile agents wish to take a majority vote. Intuitively, *anonymous* means that agents have no identity, and *mobile* that agents are “wandering around”, and can only interact whenever they bump into each other. In order to vote, all agents conduct the following protocol. Each agent is in one out of four states \(\{Y,N, y, n\}\). Initially all agents are in the states *Y* or *N*, corresponding to how they want to vote (states *y*, *n* are auxiliary states). Agents repeatedly interact pairwise according to the following rules:

For example, if the population initially has two agents of opinion “yes” and one agent of opinion “no”, then a possible execution is:

where e.g. denotes the multiset with two agents in state *Y* and one agent in state *N*.

The goal of every population protocol is to ensure that the agents eventually reach a lasting consensus, i.e., a multiset in which (1) either all agents are in “yes”-states, or all agents are in “no”-states, and (2) further interactions do not destroy the consensus. On top of this universal specification, each protocol has an individual goal, determining which initial configurations should reach the “yes” and the “no” lasting consensus. In the majority protocol above, the agents should reach a “yes”-consensus iff 50% or more agents vote “yes”.

Execution (1) above leads to a lasting “yes”-consensus; further, the consensus is the right one, since 2 out of 3 agents voted “yes”. In fact, assuming agents interact uniformly and independently at random, the above protocol is correct: executions almost surely reach a correct lasting consensus.

More formally, a population protocol is a tuple (*Q*, *T*, *I*, *O*) where *Q* is a finite set of *states*, \(T \subseteq Q^2 \times Q^2\) is a set of *transitions*, \(I \subseteq Q\) are the *initial states* and \(O :Q \rightarrow \{0, 1\}\) is the *output mapping*. A *configuration* is a non-empty multiset over *Q*, an *initial configuration* is a non-empty multiset over *I*, and a configuration is *terminal* if it cannot be altered by any transition. A configuration is in a *consensus* if all of its states map to the same output under *O*.

An *execution* is a finite or infinite sequence \(C_0 \xrightarrow {t_1} C_1 \xrightarrow {t_2} \cdots \) such that \(C_i\) is obtained from applying transition \(t_i\) to \(C_{i-1}\). A *fair execution* is either a finite execution that reaches a terminal configuration, or an infinite execution such that if \(\{i \in \mathbb {N}: C_i \xrightarrow {*} D\}\) is infinite, then \(\{i \in \mathbb {N}: C_i = D\}\) is infinite for any configuration *D*. In other words, fairness ensures that a configuration cannot be avoided forever if it is reachable infinitely often. Fairness is an abstraction of the random interactions occurring within a population. A configuration *C* is in a *lasting consensus* if every execution from *C* only leads to configurations of the same consensus.

If for every initial configuration *C*, all fair executions from *C* lead to a lasting consensus \(\varphi (C) \in \{0,1\}\), then we say that the protocol *computes* the predicate \(\varphi \). For example, the above majority protocol with \(O(Y) = O(y) = 1\) and \(O(N) = O(n) = 0\) computes the predicate \(C[Y] \ge C[N]\), where *C*[*x*] denotes the number of occurrences of state *x* in *C*. A protocol does not necessarily compute a predicate. For example, if we alter the majority protocol by removing transition *d*, then is a fair execution, but is not in a consensus. In other words, transition *d* acts as a tie-breaker which allows to reach the consensus configuration . A protocol that computes a predicate is said to be *well-specified*. It is well-known that well-specified population protocols compute precisely the predicates definable in Presburger arithmetic [3]. On top of different *majority protocols* for the predicate \(C[x] \ge C[y]\), the literature contains, e.g., different families of so-called *flock-of-birds protocols* for the predicates \(C[x] \ge c\), where *c* is an integer constant, and families of *threshold protocols* for the predicates \(a_1 \cdot C[x_1] + \cdots + a_n \cdot C[x_n] \ge c\), where \(a_1, \ldots , a_n, c\) are integer constants and \(x_1, \ldots , x_n\) are initial states.

## 3 Analyzing Population Protocols

Peregrine is a web tool with a JavaScript frontend and a Haskell backend. The backend makes use of the SMT solver Z3 [15] to test satisfiability of Presburger arithmetic formulas. The user has access to four main features through the graphical frontend. We present these features in the remainder of the section.

**Protocol Description.** Peregrine offers a description language for both single protocols and families of protocols depending on some parameters. Single protocols are described either through a graphical editor or as simple Python scripts. Families of protocols (called parametric protocols) can only be specified as scripts, but Peregrine assists the user by generating a code skeleton.

**Simulation.** Population protocols can be simulated through a graphical player depicted in Fig. 1. The user can pick an initial configuration and simulate the protocol by either manual selection of interactions, or by letting a scheduler pick interactions uniformly at random. The simulator keeps a history of the execution which can be rewound at any time, making it easy to experiment with the different behaviours of a protocol. Configurations can be displayed in two ways: either as explicit populations, as illustrated in Fig. 1, or as bar charts of the states count, more convenient for large populations.

**Statistics.** Peregrine can generate statistics from batch simulations. The user provides four parameters: \(s_\text {min}, s_\text {max}, m\) and *n*. Peregrine generates *n* random executions as follows. For each execution, a number *s* is picked uniformly at random from \([s_\text {min}, s_\text {max}]\), and an initial configuration of size *s* is then picked uniformly at random. Each step of an execution is picked uniformly at random among enabled interactions. If no terminal configuration is reached within *m* steps, then the simulation halts. In the end, *n* executions of length at most *m* are gathered. Peregrine classifies the generated executions according to their consensus, and computes statistics on the convergence speed (see the next two paragraphs). The results can be visualized in different ways, and the raw data can be exported as a JSON file.

*Consensus.* For each random execution, Peregrine checks whether the last configuration of an execution is in a consensus and, if so, whether the consensus corresponds to the expected output of the protocol. Peregrine reports which percentage of the executions reach a consensus, and whether the consensus is correct and/or lasting. In normal mode, Peregrine only classifies an execution as lasting consensus if it ends in a terminal configuration. In the *increased accuracy* mode, if the execution ends in a configuration *C* of consensus \(b \in \{0, 1\}\), then the model checker LoLA [18] is used to determine whether there exists a configuration \(C'\) such that \(C \xrightarrow {*} C'\) and \(C'\) is not of consensus *b*. If it is not the case, then Peregrine concludes that *C* is in a lasting consensus. Peregrine plots the percentage of executions in each category as a function of the population size, as illustrated on the left of Fig. 2.

*Average Convergence Speed.* Peregrine also provides statistics on the convergence speed of a protocol. Let \(C_0 \xrightarrow {t_1} C_1 \xrightarrow {t_2} \cdots \xrightarrow {t_\ell } C_\ell \) be an execution such that \(C_\ell \) is in a consensus \(b \in \{0, 1\}\). The *number of steps to convergence* of the execution is defined as 0 if all configurations are of consensus *b*, and otherwise as \(i + 1\), where *i* is the largest index such that \(C_i\) is not in consensus *b*. For each population size, Peregrine computes the average number of steps to convergence of all consensus executions of that population size, and plots the information as illustrated on the right of Fig. 2.

**Verification.** Peregrine can automatically verify that a population protocol computes a given predicate. Predicates can be specified by the user in quantifier-free Presburger arithmetic extended with the family of predicates \(\{x \equiv y\ (\text {mod } c)\}_{c \ge 2}\), which is equivalent to Presburger arithmetic. For example, for the majority protocol of Sect. 2, the user simply specifies C[Y]>= C[N].

Peregrine implements the approach of [6] to verify correctness of protocols which are silent. A protocol is said to be *silent* if from every initial configuration, every fair execution leads to a terminal configuration. The majority protocol of Sect. 2 and most existing protocols from the literature are silent [6]. We briefly describe the approach of [6] and how it is integrated into Peregrine.

Suppose we are given a population protocol \(\mathcal {P}\) and we wish to determine whether it computes a predicate \(\varphi \). The procedure first tries to prove that \(\mathcal {P}\) is silent. This is done by verifying a more restricted condition called *layered termination*. Verifying the latter property reduces to testing satisfiability of a Presburger arithmetic formula. If this formula holds, then the protocol is silent, otherwise no conclusion is derived. However, essentially all existing silent protocols satisfy layered termination [6].

Once \(\mathcal {P}\) is proven to be silent, the procedure attempts to prove that no “bad execution” exists. More precisely, it checks whether there exist configurations \(C_0\) and \(C_1\) such that \(C_0 \xrightarrow {*} C_1\), \(C_0\) is initial, \(C_1\) is terminal, and \(C_1\) is not in consensus \(\varphi (C_0) \in \{0,1\}\). Since reachability is not definable in Presburger arithmetic, a Presburger-definable over-approximation of reachability, borrowed from Petri net theory, is used instead. We obtain the following formula \(\varPhi _\text {bad-exec}\):

If \(\varPhi _\text {bad-exec}\) is unsatisfiable, then \(\mathcal {P}\) is correct. Otherwise, no conclusion is reached, and \(\varPhi _\text {bad-exec}\) is iteratively strengthened by enriching the over-approximation . Whenever \(\varPhi _\text {bad-exec}\) is satisfied by \((C_0, C_1)\), Peregrine calls the model-checker LoLA to test whether \(C_1\) is indeed reachable from \(C_0\). If so, then Peregrine reports \(\mathcal {P}\) to be incorrect, and generates a counter-example execution, which can be replayed or exported as a JSON file (see Fig. 3).

Currently Peregrine can verify protocols with up to a hundred states and a few thousands transitions. The bottleneck is the size of the constraint system. Due to lack of space, we refer the reader to [6] for detailed experimental results.

## Notes

- 1.
Peregrine can be found at https://peregrine.model.in.tum.de.

## References

Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finite-state sensors. In: Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing (PODC), pp. 290–299 (2004). https://doi.org/10.1145/1011767.1011810

Angluin, D., Aspnes, J., Eisenstat, D.: A simple population protocol for fast robust approximate majority. Distrib. Comput.

**21**(2), 87–102 (2008). https://doi.org/10.1007/s00446-008-0059-zAngluin, D., Aspnes, J., Eisenstat, D., Ruppert, E.: The computational power of population protocols. Distrib. Comput.

**20**(4), 279–304 (2007). https://doi.org/10.1007/s00446-007-0040-2Aspnes, J., Ruppert, E.: An introduction to population protocols. In: Garbinato, B., Miranda, H., Rodrigues, L. (eds.) Middleware for Network Eccentric and Mobile Applications, pp. 97–120. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-89707-1_5

Beauquier, J., Blanchard, P., Burman, J., Delaët, S.: Tight complexity analysis of population protocols with cover times - the ZebraNet example. Theor. Comput. Sci.

**512**, 15–27 (2013). https://doi.org/10.1016/j.tcs.2012.10.032Blondin, M., Esparza, J., Jaax, S., Meyer, P.J.: Towards efficient verification of population protocols. In: Proceedings of the 36th ACM Symposium on Principles of Distributed Computing (PODC), pp. 423–430 (2017). https://doi.org/10.1145/3087801.3087816

Cardelli, L., Češka, M., Fränzle, M., Kwiatkowska, M., Laurenti, L., Paoletti, N., Whitby, M.: Syntax-guided optimal synthesis for chemical reaction networks. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 375–395. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_20

Cardelli, L., Kwiatkowska, M., Laurenti, L.: Stochastic analysis of chemical reaction networks using linear noise approximation. Biosystems

**149**, 26–33 (2016). https://doi.org/10.1016/j.biosystems.2016.09.004Cardelli, L., Tribastone, M., Tschaikowski, M., Vandin, A.: Syntactic Markovian bisimulation for chemical reaction networks. In: Aceto, L., et al. (eds.) Models, Algorithms, Logics and Tools. LNCS, vol. 10460, pp. 466–483. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63121-9_23

Chatzigiannakis, I., Michail, O., Spirakis, P.G.: Algorithmic verification of population protocols. In: Dolev, S., Cobb, J., Fischer, M., Yung, M. (eds.) SSS 2010. LNCS, vol. 6366, pp. 221–235. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16023-3_19

Clément, J., Delporte-Gallet, C., Fauconnier, H., Sighireanu, M.: Guidelines for the verification of population protocols. In: ICDCS, pp. 215–224. IEEE Computer Society (2011). https://doi.org/10.1109/ICDCS.2011.36

Cummings, R., Doty, D., Soloveichik, D.: Probability 1 computation with chemical reaction networks. Nat. Comput.

**15**(2), 245–261 (2016). https://doi.org/10.1007/s11047-015-9501-xDiamadi, Z., Fischer, M.J.: A simple game for the study of trust in distributed systems. Wuhan Univ. J. Nat. Sci.

**6**(1), 72–82 (2001). https://doi.org/10.1007/BF03160228Moran, P.A.P.: Random processes in genetics. Math. Proc. Cambridge Philos. Soc.

**54**(1), 60–71 (1958). https://doi.org/10.1017/S0305004100033193de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24. z3 is available at https://github.com/Z3Prover/z3

Navlakha, S., Bar-Joseph, Z.: Distributed information processing in biological and computational systems. Commun. ACM

**58**(1), 94–102 (2014). https://doi.org/10.1145/2678280Pang, J., Luo, Z., Deng, Y.: On automatic verification of self-stabilizing population protocols. In: Proceedings of the 2nd IEEE/IFIP International Symposium on Theoretical Aspects of Software Engineering (TASE), pp. 185–192 (2008). https://doi.org/10.1109/TASE.2008.8

Schmidt, K.: LoLA a low level analyser. In: Nielsen, M., Simpson, D. (eds.) ICATPN 2000. LNCS, vol. 1825, pp. 465–474. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44988-4_27. LoLA is available at http://service-technology.org/lola/

Soloveichik, D., Cook, M., Winfree, E., Bruck, J.: Computation with finite stochastic chemical reaction networks. Nat. Comput.

**7**(4), 615–633 (2008). https://doi.org/10.1007/s11047-008-9067-ySun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 709–714. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_59

## Author information

### Authors and Affiliations

### Corresponding author

## Editor information

### Editors and Affiliations

## Rights and permissions

<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>

## Copyright information

© 2018 The Author(s)

## About this paper

### Cite this paper

Blondin, M., Esparza, J., Jaax, S. (2018). Peregrine: A Tool for the Analysis of Population Protocols. In: Chockler, H., Weissenbacher, G. (eds) Computer Aided Verification. CAV 2018. Lecture Notes in Computer Science(), vol 10981. Springer, Cham. https://doi.org/10.1007/978-3-319-96145-3_34

### Download citation

DOI: https://doi.org/10.1007/978-3-319-96145-3_34

Published:

Publisher Name: Springer, Cham

Print ISBN: 978-3-319-96144-6

Online ISBN: 978-3-319-96145-3

eBook Packages: Computer ScienceComputer Science (R0)