Identifiers in Registers - Describing Network Algorithms with Logic

We propose a formal model of distributed computing based on register automata that captures a broad class of synchronous network algorithms. The local memory of each process is represented by a finite-state controller and a fixed number of registers, each of which can store the unique identifier of some process in the network. To underline the naturalness of our model, we show that it has the same expressive power as a certain extension of first-order logic on graphs whose nodes are equipped with a total order. Said extension lets us define new functions on the set of nodes by means of a so-called partial fixpoint operator. In spirit, our result bears close resemblance to a classical theorem of descriptive complexity theory that characterizes the complexity class PSPACE in terms of partial fixpoint logic (a proper superclass of the logic we consider here).


Introduction
This paper is part of an ongoing research project aiming to develop a descriptive complexity theory for distributed computing.
In classical sequential computing, descriptive complexity is a well-established field that connects computational complexity classes to equi-expressive classes of logical formulas.It began in the 1970s, when Fagin showed in [6] that the graph properties decidable by nondeterministic Turing machines in polynomial time are exactly those definable in existential second-order logic.This provided a logicaland thus machine-independent-characterization of the complexity class np.Subsequently, many other popular classes, such as p, pspace, and exptime were characterized in a similar manner (see for instance the textbooks [8,12,15]).
Of particular interest to us is a result due to Abiteboul, Vianu [1], and Vardi [18], which states that on structures equipped with a total order relation, the properties decidable in pspace coincide with those definable in partial fixpoint logic.The latter is an extension of first-order logic with an operator that allows us to inductively define new relations of arbitrary arity.Basically, this means that new relations can occur as free (second-order) variables in the logical formulas that define them.Those variables are initially interpreted as empty relations and then iteratively updated, using the defining formulas as update rules.If the sequence of updates converges to a fixpoint, then the ultimate interpretations are the relations reached in the limit.Otherwise, the variables are simply interpreted as empty relations.Hence the term "partial fixpoint".
While well-developed in the classical case, descriptive complexity has so far not received much attention in the setting of distributed network computing.As far as the authors are aware, the first step in this direction was taken by Hella et al. in [10,11], where they showed that basic modal logic evaluated on finite graphs has the same expressive power as a particular class of distributed automata operating in constant time.Those automata constitute a weak model of distributed computing in arbitrary network topologies, where all nodes synchronously execute the same finite-state machine and communicate with each other by broadcasting messages to their neighbors.Motivated by this result, several variants of distributed automata were investigated by Kuusisto and Reiter in [14], [17] and [16] to establish similar connections with standard logics such as the modal µ-calculus and monadic second-order logic.However, since the models of computation investigated in those works are based on anonymous finite-state machines, they are much too weak to solve many of the problems typically considered in distributed computing, such as leader election or constructing a spanning tree.It would thus be desirable to also characterize stronger models.
A common assumption underlying many distributed algorithms is that each node of the considered network is given a unique identifier.This allows us, for instance, to elect a leader by making the nodes broadcast their identifiers and then choose the one with the smallest identifier as the leader.To formalize such algorithms, we need to go beyond finite-state machines because the number of bits required to encode a unique identifier grows logarithmically with the number of nodes in the network.Recently, in [2,3], Aiswarya, Bollig and Gastin introduced a synchronous model where, in addition to a finite-state controller, nodes also have a fixed number of registers in which they can store the identifiers of other nodes.Access to those registers is rather limited in the sense that their contents can be compared with respect to a total order, but their numeric values are unknown to the nodes.Similarly, register contents can be copied, but no new values can be generated.Since the original motivation for this model was to automatically verify certain distributed algorithms running on ring networks, its formal definition is tailored to that particular setting.However, the underlying principle can be generalized to arbitrary networks of unbounded maximum degree, which was the starting point for the present work.

Contributions.
While on an intuitive level, the idea of finite-state machines equipped with additional registers might seem very natural, it does not immediately yield a formal model for distributed algorithms in arbitrary networks.In particular, it is not clear what would be the canonical way for nodes to communicate with a non-constant number of peers, if we require that they all follow the same, finitely representable set of rules.
The model we propose here, dubbed distributed register automata, is an attempt at a solution.As in [2,3], nodes proceed in synchronous rounds and have a fixed number of registers, which they can compare and update without having access to numeric values.The new key ingredient that allows us to formalize communication between nodes of unbounded degree is a local computing device we call transition maker.This is a special kind of register machine that the nodes can use to scan the states and register values of their entire neighborhood in a sequential manner.In every round, each node runs the transition maker to update its own local configuration (i.e., its state and register valuation) based on a snapshot of the local configurations of its neighbors in the previous round.A way of interpreting this is that the nodes communicate by broadcasting their local configurations as messages to their neighbors.Although the resulting model of computation is by no means universal, it allows formalizing algorithms for a wide range of problems, such as constructing a spanning tree (see Example 5) or testing whether a graph is Hamiltonian (see Example 6).
Nevertheless, our model is somewhat arbitrary, since it could be just one particular choice among many other similar definitions capturing different classes of distributed algorithms.What justifies our choice?This is where descriptive complexity comes into play.By identifying a logical formalism that has the same expressive power as distributed register automata, we provide substantial evidence for the naturalness of that model.Our formalism, referred to as functional fixpoint logic, is a fragment of the above-mentioned partial fixpoint logic.Like the latter, it also extends first-order logic with a partial fixpoint operator, but a weaker one that can only define unary functions instead of arbitrary relations.We show that on totally ordered graphs, this logic allows one to express precisely the properties that can be decided by distributed register automata.The connection is strongly reminiscent of Abiteboul, Vianu and Vardi's characterization of pspace, and thus contributes to the broader objective of extending classical descriptive complexity to the setting of distributed computing.Moreover, given that logical formulas are often more compact and easier to understand than abstract machines (compare Examples 6 and 8), logic could also become a useful tool in the formal specification of distributed algorithms.
The remainder of this paper is structured around our main result: Theorem 1.When restricted to finite graphs whose nodes are equipped with a total order, distributed register automata are effectively equivalent to functional fixpoint logic.
After giving some preliminary definitions in Section 2, we formally introduce distributed register automata in Section 3 and functional fixpoint logic in Section 4.
We then sketch the proof of Theorem 1 in Section 5, and conclude in Section 6.
In analogy to the commonly used notation for real intervals, we define the notation To indicate that an endpoint is excluded, we replace the corresponding square bracket with a parenthesis, e.g., (m : n] := [m : n] \ {m}.Furthermore, if we omit the first endpoint, it defaults to 0. This gives us shorthand notations such as All graphs we consider are finite, simple, undirected, and connected.For notational convenience, we identify their nodes with nonnegative integers, which also serve as unique identifiers.That is, when we talk about the identifier of a node, we mean its numerical representation.A graph is formally represented as a pair G = (V, E), where the set V of nodes is equal to [n), for some integer n ≥ 2, and the set E consists of undirected edges of the form e = {u, v} ⊆ V such that u = v.Additionally, E must satisfy that every pair of nodes is connected by a sequence of edges.The restriction to graphs of size at least two is for technical reasons; it ensures that we can always encode Boolean values as nodes.
We refer the reader to [5] for standard graph theoretic terms such as neighbor, degree, maximum degree, distance, and spanning tree.
Graphs are used to model computer networks, where nodes correspond to processes and edges to communication links.To represent the current configuration of a system as a graph, we equip each node with some additional information: the current state of the corresponding process, taken from a nonempty finite set Q, and some pointers to other processes, modeled by a finite set R of registers.
We call Σ = (Q, R) a signature and define a Σ-configuration as a tuple C = (G, q, r), where G = (V, E) is a graph, called the underlying graph of C, q : V → Q is a state function that assigns to each node a state q ∈ Q, and r : V → V R is a register valuation function that associates with each node a register valuation ρ ∈ V R .The set of all Σ-configurations is denoted by C(Σ). Figure 1 on page 6 illustrates part of a ({q 1 , q 2 , q 3 }, {r 1 , r 2 , r 3 })-configuration.
If R = ∅, then we are actually dealing with a tuple (G, q), which we call a Q-labeled graph.Accordingly, the elements of Q may also be called labels.A set P of labeled graphs will be referred to as a graph property.Moreover, if the labels are irrelevant, we set Q equal to the singleton 1 := {ε}, where ε is our dummy label.In this case, we identify (G, q) with G and call it an unlabeled graph.

Distributed register automata
Many distributed algorithms can be seen as transducers.A leader-election algorithm, for instance, takes as input a network and outputs the same network, but with every process storing the identifier of the unique leader in some dedicated register r.Thus, the algorithm transforms a (1, ∅)-configuration into a (1, {r})configuration.We say that it defines a (1, ∅)-(1, {r})-transduction.By the same token, if we consider distributed algorithms that decide graph properties (e.g., whether a graph is Hamiltonian), then we are dealing with a (I, ∅)-({yes, no}, ∅)transduction, where I is some set of labels.The idea is that a graph will be accepted if and only if every process eventually outputs yes.
Let us now formalize the notion of transduction.For any two signatures ) such that, if defined, T (G, q, r) = (G, q , r ) for some q and r .That is, a transduction does not modify the underlying graph but only the states and register valuations.We denote the set of all Σ in -Σ outtransductions by T(Σ in , Σ out ) and refer to Σ in and Σ out as the input and output signatures of T .By extension, I and O are called the sets of input and output labels, and R in and R out the sets of input and output registers.Similarly, any Σ in -configuration C can be referred to as an input configuration of T and T (C) as an output configuration.
Next, we introduce our formal model of distributed algorithms.
Definition 2 (Distributed register automaton).Let Σ in = (I, R in ) and Σ out = (O, R out ) be two signatures.A distributed register automaton (or simply automaton) with input signature Σ in and output signature Σ out is a tuple A = (Q, R, ι, ∆, H, o) consisting of a nonempty finite set Q of states, a finite set R of registers that includes both R in and R out , an input function ι : I → Q, a transition maker ∆ whose specification will be given in Definition 3 below, a set H ⊆ Q of halting states, and an output function o : Automaton A computes a transduction T A ∈ T(Σ in , Σ out ).To do so, it runs in a sequence of synchronous rounds on the input configuration's underlying graph G = (V, E).After each round, the automaton's global configuration is a (Q, R)-configuration C = (G, q, r), i.e., the underlying graph is always G. As mentioned before, for a node v ∈ V , we interpret q(v) ∈ Q as the current state of v and r(v) ∈ V R as the current register valuation of v. Abusing notation, we let C(v) := (q(v), r(v)) and say that C(v) is the local configuration of v.In Figure 1, the local configuration of node 17 is (q 1 , {r 1 , r 2 , r 3 → 17, 34, 98}).
For a given input configuration C = (G, q, r) ∈ C(Σ in ), the automaton's initial configuration is C = (G, ι • q, r ), where for all v ∈ V , we have r This means that every node v is initialized to state ι(q(v)), and v's initial register valuation r (v) assigns v's own identifier (provided by G) to all non-input registers while keeping the given values assigned by r(v) to the input registers.
Each subsequent configuration is obtained by running the transition maker ∆ synchronously on all nodes.As we will see, ∆ computes a function that maps from nonempty sequences of local configurations to local configurations.This allows the automaton A to transition from a given configuration C to the next configuration C as follows.For every node u ∈ V of degree d, we consider the list v 1 , . . .v d of u's neighbors sorted in ascending (identifier) order, i.e., v i < v i+1 for i ∈ [1 : d).(See Figure 1 for an example, where u corresponds to node 17.)If u is already in a halting state, i.e., if C(u) = (q, ρ) ∈ H × V R , then its local configuration does not change anymore, i.e., C (u) = C(u).Otherwise, we define C (u) = ∆ C(u), C(v 1 ), . . ., C(v d ) , which we may write more suggestively as Fig. 1.Part of a configuration, as seen by a single node.Assuming the identifiers of the nodes are the values represented in black boxes (i.e., those stored in register r1), the automaton at node 17 will update its own local configuration (q1, {r1, r2, r3 → 17, 34, 98}) by running the transition maker on the sequence consisting of the local configurations of nodes 17, 2, 34, and 98 (in that exact order).
Intuitively, node u updates its own local configuration by using ∆ to scan a snapshot of its neighbors' local configurations.As the system is synchronous, this update procedure is performed simultaneously by all nodes.
A configuration C = (G, q, r) is called a halting configuration if all nodes are in a halting state, i.e., if q(v) ∈ H for all v ∈ V .We say that A halts if it reaches a halting configuration.
The output configuration produced by a halting configuration C = (G, q, r) is the Σ out -configuration C = (G, o • q, r ), where for all v ∈ V and r ∈ R out , we have r (v)(r) = r(v)(r).In other words, each node v outputs the state o(q(v)) and keeps in its output registers the values assigned by r(v).
It is now obvious that A defines a transduction T A : C(Σ in ) → C(Σ out ).If A receives the input configuration C ∈ C(Σ in ) and eventually halts and produces the output configuration C ∈ C(Σ out ), then T A (C) = C .Otherwise (if A does not halt), T A (C) is undefined.
Deciding graph properties.Our primary objective is to use distributed register automata as decision procedures for graph properties.Therefore, we will focus on automata A that halt in a finite number of rounds on every input configuration, and we often restrict to input signatures of the form (I, ∅) and the output signature ({yes, no}, ∅).For example, for I = {a, b}, we may be interested in the set of I-labeled graphs that have exactly one a-labeled node v (the "leader").We stipulate that A accepts an input configuration C with underlying graph ) such that q(v) = no for some v ∈ V .This corresponds to the usual definition chosen in the emerging field of distributed decision [7].Accordingly, a graph property P is decided by A if the automaton accepts all input configurations that satisfy P and rejects all the others.It remains to explain how the transition maker ∆ works internally.

Definition 3 (Transition maker).
Suppose that A = (Q, R, ι, ∆, H, o) is a distributed register automaton.Then its transition maker ∆ = ( Q, R, ι, δ, õ) consists of a nonempty finite set Q of inner states, a finite set R of inner registers that is disjoint from R, an inner initial state ι ∈ Q, an inner transition function δ : Q×Q×2 ( R∪R) 2 → Q×( R∪R) R, and an inner output function õ : Q → Q× RR .
Basically, a transition maker ∆ = ( Q, R, ι, δ, õ) is a sequential register automaton (in the spirit of [13]) that reads a nonempty sequence (q 0 , ρ 0 ), . . ., (q d , ρ d ) ∈ (Q × V R ) + of local configurations of A in order to produce a new local configuration (q , ρ ).While reading this sequence, it traverses itself a sequence (q 0 , ρ0 ), . . ., (q d+1 , ρd+1 ) of inner configurations, which each consist of an inner state qi ∈ Q and an inner register valuation ρi ∈ (V ∪ {⊥}) R, where the symbol ⊥ represents an undefined value.For the initial inner configuration, we set q0 = ι and ρ0 (r) = ⊥ for all r ∈ R. Now for i ∈ [d], when ∆ is in the inner configuration (q i , ρi ) and reads the local configuration (q i , ρ i ), it can compare all values assigned to the inner registers and registers by ρi and ρ i (with respect to the order relation on V ).In other words, it has access to the binary relation 2 such that for r, s ∈ R and r, s ∈ R, we have r ≺ i r if and only if ρi (r) < ρ i (r), and analogously for r ≺ i r, r ≺ i s, and r ≺ i s.In particular, if ρi (r) = ⊥, then r is incomparable with respect to ≺ i .Equipped with this relation, ∆ transitions to (q i+1 , ρi+1 ) by evaluating δ(q i , q i , ≺ i ) = (q i+1 , α) and computing ρi+1 such that ρi+1 (r) = ρi (s) if α(r) = s, and ρi+1 (r) = ρ i (s) if α(r) = s, where r, s ∈ R and s ∈ R. Finally, after having read the entire input sequence and reached the inner configuration (q d+1 , ρd+1 ), the transition maker outputs the local configuration (q , ρ ) such that õ(q d+1 ) = (q , β) and β(r) = r implies ρ (r) = ρd+1 (r).Here we assume without loss of generality that ∆ guarantees that ρ (r) = ⊥ for all r ∈ R.
Remark 4. Recall that V = [n) for any graph G = (V, E) with n nodes.However, as registers cannot be compared with constants, this actually represents an arbitrary assignment of unique, totally ordered identifiers.To determine the smallest identifier (i.e., 0), the nodes can run an algorithm such as the following.
Example 5 (Spanning tree).We present a simple automaton A = (Q, R, ι, ∆, H, o) with input signature Σ in = (1, ∅) and output signature Σ out = (1, {parent, root}) that computes a (breadth-first) spanning tree of its input graph G = (V, E), rooted at the node with the smallest identifier.More precisely, in the computed output configuration C = (G, q, r), every node will store the identifier of its tree parent in register parent and the identifier of the root (i.e., the smallest identifier) in register root.Thus, as a side effect, A also solves the leader election problem by electing the root as the leader.
The automaton operates in three phases, which are represented by the set of states Q = {1, 2, 3}.A node terminates as soon as it reaches the third phase, i.e., we set H = {3}.Accordingly, the (trivial) input and output functions are ι : ε → 1 and o : 3 → ε.In addition to the output registers, each node has an auxiliary register self that will always store its own identifier.Thus, we choose For the sake of simplicity, we describe the transition maker ∆ in Algorithm 1 using pseudocode rules.However, it should be clear that these rules could be relatively easily implemented according to Definition 3.All nodes start in state 1, which represents the tree-construction phase.By Rule 1, whenever an active node (i.e., a node in state 1 or 2) sees a neighbor whose root register contains a smaller identifier than the node's own root register, it updates its parent and root registers accordingly and switches to state 1.To resolve the nondeterminism in Rule 1, we stipulate that nb is chosen to be the neighbor with the smallest identifier among those whose root register contains the smallest value seen so far.
As can be easily shown by induction on the number of communication rounds, the nodes have to apply Rule 1 no more than diameter(G) times in order for the pointers in register parent to represent a valid spanning tree (where the root points to itself).However, since the nodes do not know when diameter(G) rounds have elapsed, they must also check that the current configuration does indeed represent a single tree, as opposed to a forest.They do so by propagating a signal, in form of state 2, from the leaves up to the root.
By Rule 2, if an active node whose neighbors all agree on the same root realizes that it is a leaf or that all of its children are in state 2, then it switches to state 2 itself.Assuming the parent pointers in the current configuration already represent a single tree, Rule 2 ensures that the root will eventually be notified of this fact (when all of its children are in state 2).Otherwise, the parent pointers represent a forest, and every tree contains at least one node that has a neighbor outside of the tree (as we assume the underlying graph is connected).
Depending on the input graph, a node can switch arbitrarily often between states 1 and 2. Once the spanning tree has been constructed and every node is in state 2, the only node that knows this is the root.In order for the algorithm to terminate, Rule 3 then makes the root broadcast an acknowledgment message down the tree, which causes all nodes to switch to the halting state 3.
(An example run and a proof of correctness can be found in Appendix A.) Building on the automaton from Example 5, we now give an example of a graph property that can be decided in our model of distributed computing.The following automaton should be compared to the logical formula presented later in Example 8, which is much more compact and much easier to specify.
Example 6 (Hamiltonian cycle).We describe an automaton with input signature Σ in = (1, {parent, root}) and output signature Σ out = ({yes, no}, ∅) that decides if the underlying graph G = (V, E) of its input configuration C = (G, q, r) is Hamiltonian, i.e., whether G contains a cycle that goes through each node exactly once.The automaton works under the assumption that r encodes a valid spanning tree of G in the registers parent and root, as constructed by the automaton from Example 5. Hence, by combining the two automata, we could easily construct a third one that decides the graph property of Hamiltonicity.
The automaton A = (Q, R, ι, ∆, H, o) presented here implements a simple backtracking algorithm that tries to traverse G along a Hamiltonian cycle.Its set of states is Q = {unvisited , visited , backtrack } × {idle, request, good , bad } ∪ H, with the set of halting states H = {yes, no}.Each non-halting state consists of two components, the first one serving for the backtracking procedure and the second one for communicating in the spanning tree.The input function ι initializes every node to the state (unvisited , idle), while the output function simply returns the answers chosen by the nodes, i.e., o : yes → yes, no → no.In addition to the input registers, each node has a register self storing its own identifier and a register successor to point to its successor in a (partially constructed) Hamiltonian path.That is, R = {self , parent, root, successor }.We now describe the algorithm in an informal way.It is, in principle, easy to implement in the transition maker ∆, but a thorough formalization would be rather cumbersome.
In the first round, the root marks itself as visited and updates its successor register to point towards its smallest neighbor (the one with the smallest identifier).Similarly, in each subsequent round, any unvisited node that is pointed to by one of its neighbors marks itself as visited and points towards its smallest unvisited neighbor.However, if all neighbors are already visited , the node instead sends the backtrack signal to its predecessor and switches back to unvisited (in the following round).Whenever a visited node receives the backtrack signal from its successor , it tries to update its successor to the next-smallest unvisited neighbor.If no such neighbor exists, it resets its successor pointer to itself, propagates the backtrack signal to its predecessor, and becomes unvisited in the following round.
There is only one exception to the above rules: if a node that is adjacent to the root cannot find any unvisited neighbor, it chooses the root as its successor .This way, the constructed path becomes a cycle.In order to check whether that cycle is Hamiltonian, the root now broadcast a request down the spanning tree.If the request reaches an unvisited node, that node replies by sending the message bad towards the root.On the other hand, every visited leaf replies with the message good .While bad is always forwarded up to the root, good is only forwarded by nodes that receive this message from all of their children.If the root receives only good , then it knows that the current cycle is Hamiltonian and it switches to the halting state yes.The information is then broadcast through the entire graph, so that all nodes eventually accept.Otherwise, the root sends the backtrack signal to its predecessor, and the search for a Hamiltonian cycle continues.In case there is none (in particular, if there is not even an arbitrary cycle), the root will eventually receive the backtrack signal from its greatest neighbor, which indicates that all possibilities have been exhausted.If this happens, the root switches to the halting state no, and all other nodes eventually do the same.

Functional fixpoint logic
In order to introduce functional fixpoint logic, we first give a definition of firstorder logic that suits our needs.Formulas will always be evaluated on ordered, undirected, connected, I-labeled graphs, where I is a fixed finite set of labels.
Throughout this paper, let N be an infinite supply of node variables and F be an infinite supply of function variables; we refer to them collectively as variables.The corresponding set of terms is generated by the grammar t ::= x | f (t), where x ∈ N and f ∈ F. With this, the set of formulas of first-order logic over I is given by the grammar where s and t are terms, a ∈ I, and x ∈ N .As usual, we may also use the additional operators ∧, ⇒, ⇔, ∀ to make our formulas more readable, and we define the notations s ≤ t, s = t, and s = t as abbreviations for ¬(t < s), (s ≤ t) ∧ (t ≤ s), and ¬(s = t), respectively.The sets of free variables of a term t and a formula ϕ are denoted by free(t) and free(ϕ), respectively.While node variables can be bound by the usual quantifiers ∃ and ∀, function variables can be bound by a partial fixpoint operator that we will introduce below.
To interpret a formula ϕ on an I-labeled graph (G, q) with G = (V, E), we are given a variable assignment σ for the variables that occur freely in ϕ.This is a partial function σ : is a free function variable.We call σ(x) and σ(f ) the interpretations of x and f under σ, and denote them by x σ and f σ , respectively.For a composite term t, the corresponding interpretation t σ under σ is defined in the obvious way.
We write (G, q), σ |= ϕ to denote that (G, q) satisfies ϕ under assignment σ.If ϕ does not contain any free variables, we simply write (G, q) |= ϕ and refer to the set P of I-labeled graphs that satisfy ϕ as the graph property defined by ϕ.Naturally enough, we say that two devices (i.e., automata or formulas) are equivalent if they specify (i.e., decide or define) the same graph property and that two classes of devices are equivalent if their members specify the same class of graph properties.
As we assume that the reader is familiar with first-order logic, we only define the semantics of the atomic formulas (whose syntax is not completely standard): ("s and t are adjacent").
We now turn to functional fixpoint logic.Syntactically, it is defined as the extension of first-order logic that allows us to write formulas of the form pfp where f 1 , . . ., f ∈ F, in, out ∈ N , and ϕ 1 , . . ., ϕ , ψ are formulas.We use the notation "ϕ i (f 1 , . . ., f , in, out)" to emphasize that f 1 , . . ., f , in, out may occur freely in ϕ i (possibly among other variables).The free variables of formula ( * ) are given by i∈( ] free The idea is that the partial fixpoint operator pfp binds the function variables f 1 , . . ., f .The lines in square brackets constitute a system of function definitions that provide an interpretation of f 1 , . . ., f , using the special node variables in and out as helpers to represent input and output values.This is why pfp also binds any free occurrences of in and out in ϕ 1 , . . ., ϕ , but not in ψ. To specify the semantics of ( * ), we first need to make some preliminary observations.As before, we consider a fixed I-labeled graph (G, q) with G = (V, E) and assume that we are given a variable assignment σ for the free variables of ( * ).With respect to (G, q) and σ, each formula ϕ i induces an operator F ϕi : (V V ) → V V that takes some interpretation of the function variables f 1 , . . ., f and outputs a new interpretation of f i , corresponding to the function graph defined by ϕ i via the node variables in and out.For inputs on which ϕ i does not define a functional relationship, the new interpretation of f i behaves like the identity function.More formally, given a variable assignment σ that extends σ with interpretations of f 1 , . . ., f , the operator F ϕi maps f σ 1 , . . ., f σ to the function f new i such that for all u ∈ V , Here, σ[in, out → u, v] is the extension of σ interpreting in as u and out as v.
In this way, the operators F ϕ1 , . . ., F ϕ give rise to an infinite sequence (f k 1 , . . ., f k ) k≥0 of tuples of functions, called stages, where the initial stage contains solely the identity function id V and each subsequent stage is obtained from its predecessor by componentwise application of the operators.More formally, for i ∈ ( ] and k ≥ 0. Now, since we have not imposed any restrictions on the formulas ϕ i , this sequence might never stabilize, i.e, it is possible that ) for all k ≥ 0. Otherwise, the sequence reaches a (simultaneous) fixpoint at some position k no greater than |V | |V |• (the number of -tuples of functions on V ).
We define the partial fixpoint (f ∞ 1 , . . ., f ∞ ) of the operators F ϕ1 , . . ., F ϕ to be the reached fixpoint if it exists, and the tuple of identity functions otherwise.
That is, for i ∈ ( ], Having introduced the necessary background, we can finally provide the semantics of the formula pfp[f i : In other words, the formula pfp[f i : ϕ i ] i∈( ] ψ can intuitively be read as "if f 1 , . . ., f are interpreted as the partial fixpoint of ϕ 1 , . . ., ϕ , then ψ holds".

Syntactic sugar
Before we consider a concrete formula (in Example 8), we first introduce some "syntactic sugar" to make using functional fixpoint logic more pleasant.
Set variables.According to our definition of functional fixpoint logic, the operator pfp can bind only function variables.However, functions can be used to encode sets of nodes in a straightforward manner: any set U may be represented by a function that maps nodes outside of U to themselves and nodes inside U to nodes distinct from themselves.Therefore, we may fix an infinite supply S of set variables, and extend the syntax of first-order logic to allow atomic formulas of the form t ∈ X, where t is a term and X is a set variable in S. Naturally, the semantics is that "t is an element of X".To bind set variables, we can then write partial fixpoint formulas of the form pfp (f i : ϕ i ) i∈( ] , (X i : ϑ i ) i∈(m] ψ, where f 1 , . . ., f ∈ F, X 1 , . . ., X m ∈ S, and ϕ 1 , . . ., ϕ , ϑ 1 , . . ., ϑ m , ψ are formulas.The stages of the partial fixpoint induction are computed as before, but each set variable X i is initialized to ∅, and falls back to ∅ in case the sequence of stages does not converge to a fixpoint.(More details can be found in Appendix B.1.)Quantifiers over functions and sets.Partial fixpoint inductions allow us to iterate over various interpretations of function and set variables and thus provide a way of expressing (second-order) quantification over functions and sets.Since we restrict ourselves to graphs whose nodes are totally ordered, we can easily define a suitable order of iteration and a corresponding partial fixpoint induction that traverses all possible interpretations of a given function or set variable.To make this more convenient, we enrich the language of functional fixpoint logic with second-order quantifiers, allowing us to write formulas of the form ∃f ϕ and ∃X ϕ, where f ∈ F, X ∈ S, and ϕ is a formula.The semantics is the standard one.(More details can be found in Appendix B.2.) As a consequence, it is possible to express any graph property definable in monadic second-order logic, the extension of first-order logic with set quantifiers.
Corollary 7. When restricted to finite graphs equipped with a total order, functional fixpoint logic is strictly more expressive than monadic second-order logic.
The strictness of the inclusion in the above corollary follows from the fact that even on totally ordered graphs, Hamiltonicity cannot be defined in monadic second-order logic (see, e.g., the proof in [4,Prp. 5.13]).As the following example shows, this property is easy to express in functional fixpoint logic.

Example 8 (Hamiltonian cycle).
The following formula of functional fixpoint logic defines the graph property of Hamiltonicity.That is, an unlabeled graph G satisfies this formula if and only if there exists a cycle in G that goes through each node exactly once.
Here, x, y, z ∈ N , X ∈ S, and f ∈ F. Intuitively, we represent a given Hamiltonian cycle by a function f that tells us for each node x, which of x's neighbors we should visit next in order to traverse the entire cycle.Thus, f actually represents a directed version of the cycle.
To ensure the existence of a Hamiltonian cycle, our formula states that there is a function f satisfying the following two conditions.By the first line, each node x must have exactly one f -predecessor and one f -successor, both of which must be neighbors of x.By the second line, if we start at any node x and collect into a set X all the nodes reachable from x (by following the path specified by f ), then X must contain all nodes.

Translating between automata and logic
Having introduced both automata and logic, we can proceed to explain the first part of Theorem 1 (stated in Section 1), i.e., how distributed register automata can be translated into functional fixpoint logic (see Appendix C for a full proof).Proposition 9.For every distributed register automaton that decides a graph property, we can construct an equivalent formula of functional fixpoint logic.
Proof (sketch).Given a distributed register automaton A = (Q, R, ι, ∆, H, o) deciding a graph property P over label set I, we can construct a formula ϕ A of functional fixpoint logic that defines P .For each state q ∈ Q, our formula uses a set variable X q to represent the set of nodes of the input graph that are in state q.Also, for each register r ∈ R, it uses a function variable f r to represent the function that maps each node u to the node v whose identifier is stored in u's register r.By means of a partial fixpoint operator, we enforce that on any I-labeled graph (G, q), the final interpretations of (X q ) q∈Q and (f r ) r∈R represent the halting configuration reached by A on (G, q).The main formula is simply which states that all nodes end up in a halting state that outputs yes.
Basically, the subformulas (ϕ q ) q∈Q and (ϕ r ) r∈R can be constructed in such a way that for all i ∈ N, the (i + 1)-th stage of the partial fixpoint induction represents the configuration reached by A in the i-th round.To achieve this, each of the subformulas contains a nested partial fixpoint formula describing the result computed by the transition maker ∆ between two consecutive synchronous rounds, using additional set and function variables to encode the inner configurations of ∆ at each node.Thus, each stage of the nested partial fixpoint induction corresponds to a single step in the transition maker's sequential scanning process.
Let us now consider the opposite direction and sketch how to go from functional fixpoint logic to distributed register automata (see Appendix D for a full proof).
Proposition 10.For every formula of functional fixpoint logic that defines a graph property, we can construct an equivalent distributed register automaton.
Proof (sketch).We proceed by structural induction: each subformula ϕ will be evaluated by a dedicated automaton A ϕ , and several such automata can then be combined to build an automaton for a composite formula.For this purpose, it is convenient to design centralized automata, which operate on a given spanning tree (as computed in Example 5) and are coordinated by the root in a fairly sequential manner.In A ϕ , each free node variable x of ϕ is represented by a corresponding input register x whose value at the root is the current interpretation x σ of x.Similarly, to represent a function variable f , every node v has a register f storing f σ (v).The nodes also possess some auxiliary registers whose purpose will be explained below.In the end, for any formula ϕ (potentially with free variables), we will have an automaton A ϕ computing a transduction T Aϕ : C(I, {parent, root} ∪ free(ϕ)) → C({yes, no}, ∅), where parent and root are supposed to constitute a spanning tree.The computation is triggered by the root, which means that the other nodes are waiting for a signal to wake up.Essentially, the nodes involved in the evaluation of ϕ collect some information, send it towards the root, and go back to sleep.The root then returns yes or no, depending on whether or not ϕ holds in the input graph under the variable assignment provided by the input registers.Centralizing A ϕ in that way makes it very convenient (albeit not efficient) to evaluate composite formulas.For example, in A ϕ∨ψ , the root will first run A ϕ , and then A ψ in case A ϕ returns no.
The evaluation of atomic formulas is straightforward.So let us focus on the most interesting case, namely when ϕ = pfp[f i : ϕ i ] i∈( ] ψ.The root's program is outlined in Algorithm 2. Line 1 initializes a counter that ranges from 0 to n n − 1, where n is the number of nodes in the input graph.This counter is distributed in the sense that every node has some dedicated registers that together store the current counter value.Every execution of A inc will increment the counter by 1, or return no if its maximum value has been exceeded.Now, in each iteration of the loop starting at Line 2, all registers f i and f new i are updated in such a way that they represent the current and next stage, respectively, of the partial fixpoint induction.For the former, it suffices that every node copies, for all i, the contents of if @every node (∀i ∈ [1 : ] : whose effect is that ) for all i, where F ϕi : (V V ) → V V is the operator defined in Section 4. Line 5 checks whether we have reached a fixpoint: The root asks every node to compare, for all i, its registers f new i and f i .The corresponding truth value is propagated back to the root, where false is given preference over true.If the result is true, we exit the loop and proceed with calling A ψ to evaluate ψ (Line 8).Otherwise, we try to increment the global counter by executing A inc (Line 6).If the latter returns no, the fixpoint computation is aborted because we know that it has reached a cycle.In accordance with the partial fixpoint semantics, all nodes then write their own identifier to every register f i (Line 7) before ψ is evaluated (Line 8).

Conclusion
This paper makes some progress in the development of a descriptive distributed complexity theory by establishing a logical characterization of a wide class of network algorithms, modeled as distributed register automata.
In our translation from logic to automata, we did not pay much attention to algorithmic efficiency.In particular, we made extensive use of centralized subroutines that are triggered and controlled by a leader process.A natural question for future research is to identify cases where we can understand a distributed architecture as an opportunity that allows us to evaluate formulas faster.In other words, is there an expressive fragment of functional fixpoint logic that gives rise to efficient distributed algorithms in terms of running time?What about the required number of messages?We are then entering the field of automatic synthesis of practical distributed algorithms from logical specifications.This is a worthwhile task, as it is often much easier to declare what should be done than how it should be done (cf.Examples 6 and 8).
As far as the authors are aware, this area is still relatively unexplored.However, one noteworthy advance was made by Grumbach and Wu in [9], where they investigated distributed evaluation of first-order formulas on bounded-degree graphs and planar graphs.We hope to follow up on this in future work.

A Spanning-tree automaton
A.1 Run of the spanning-tree automaton We consider again the spanning-tree automaton of Example 5 on page 7.For convenience, we recall its transition maker in Algorithm 1 above.An example run is illustrated in Figure 2. The natural number within a node is the current content of its register root (which, at the beginning of the run, equals the identifier of the respective node).The parent-relation is represented by thick arrows, where we omit self loops.Moreover, white nodes are in state 1, gray ones in state 2, and black ones in state 3.Note that nodes 2 and 7 toggle between states 1 and 2 before terminating in state 3.In the broadcast phase (last row), node 0 is the first one to enter state 3.The state is then propagated to all other nodes to announce successful termination.

A.2 Correctness of the spanning-tree automaton
First, we observe that in every graph G = (V, E), there must be a node that eventually enters state 3. Indeed, it is straightforward to show by induction that for every node v at distance i of node 0, if v has not reached state 3 by time i − 1, then for every time t ≥ i, we have v.root = 0 and v.parent points to some fixed node v at distance i − 1 of node 0 (or distance 0 in case v = 0).Note that v will never modify its registers again once v.root = 0, because the only rule that could potentially modify the registers, i.e., Rule 1, is not applicable.Hence, if no node has reached state 3 after at most diameter(G) rounds of communication, then the parent pointers represent a valid spanning tree rooted at node 0. (Remember that G is by definition connected.)Since this tree remains forever unchanged, it is easy to verify that node 0 will eventually enter state 3, which causes all other nodes to eventually do the same, and thus the automaton to halt.What remains to be shown is that no other node reaches state 3 before node 0 does.To this end, let us assume that u is the first node to enter state 3, and that it does so in the (t + 1)-th round.Therefore, according to Rule 3, at time t: u.state = 2 ∧ u.root = u .
(a) Our goal is to show that u is necessarily node 0. For i ∈ N, let U i be the set of nodes at distance exactly i from u.Moreover, for notational convenience, we set U −1 = U 0 (which is {u}).By a similar inductive argument as above, we can easily see that for all i ∈ N and v ∈ U i+1 , at every time t ∈ N: Based on (a) and (b), we now prove the following property: Lemma 11.For all i ∈ [t], we have Proof.We proceed by induction.P 0 is obvious, since it coincides with our assumption (a).So suppose that P i holds.We will show P i+1 .Take any node v ∈ U i .By induction hypothesis, at time t − i, we have v.state = 2 and v.root = u.Suppose that v reaches such a local configuration for the first time at time t ≤ t − i.Note that v cannot change its local configuration between times t and t − i (the only way to do so would be to choose another root, but then it could not return to root u anymore).Let v ∈ U i+1 be adjacent to v.According to Rule 2, at time t − 1, we must have v .root= u.Moreover, v continues to have v .root= u until time t − (i + 1) (otherwise, v would have a different root than u at time t − i).Now, take any v ∈ U i+1 .We just showed that, at time t − (i + 1), we have v .root= u.It remains to show that we also have v .state= 2 at time t − (i + 1).Let v be v .parentat time t − (i + 1).By (b), we know that v ∈ U i .Let t ≤ t − i be as above, i.e., be the first point in time where v.state = 2 and v.root = u.According to Rule 2, at time t − 1, we must have v .root= u.As v .root= u at time t − (i + 1), too, v .parent is the same for all t ∈ [t − 1 : t − (i + 1)].In particular, v .parent= v at time t − 1.By Rule 2, this implies v .state= 2 at time t −1, and therefore also v .state= 2 at time t−(i+1).This proves P i+1 .
To conclude, we argue that Lemma 11 implies u = 0.It suffices to observe that for every node v, if v.root = u at any point in time, then u ≤ v. Since Lemma 11 tells us that every node v has u in its register root at some point in time, we can deduce that u ≤ v for every node v ∈ V , which implies u = 0.

B.1 Encoding sets as functions
To simplify the exposition and some of the proofs, we have defined functional fixpoint logic in such a way that the operator pfp can bind only function variables.However, since it is straightforward to encode sets of nodes as functions, we often take the liberty of writing formulas in which pfp binds both function and set variables.We now justify this formally by showing how set variables can always be eliminated.
To this end, let us fix an infinite supply S of set variables.We extend the syntax of first-order logic to allow atomic formulas of the form t ∈ X, where t is a term and X is a set variable in S. Naturally, the semantics is that "t is an element of X", and we will use t / ∈ X as an abbreviation for ¬(t ∈ X).The definitions of free variables, variable assignment, interpretation, and satisfaction are generalized to set variables in the obvious way.
Since we consider only graphs that have at least two nodes and are equipped with a total order, any set of nodes U can be represented by a function that maps nodes in U to their direct successors and nodes outside of U to themselves.The reason for choosing the direct successor is simply because it is both easy to specify and well-defined for all nodes in all graphs, assuming we consider the minimum node to be the direct successor of the maximum node.The following first-order formula schema states that the node represented by term t is the direct successor of the node represented by term s: (We write, for instance, "succ[x, y]" to instantiate this schema with node variables x and y.) Now, let us consider a formula of the form pfp (f i : ϕ i ) i∈( ] , (X : ϑ) ψ, where X ∈ S, f 1 , . . ., f ∈ F, and ϕ 1 , . . ., ϕ , ϑ, ψ are formulas.We assume that the variable out does not occur freely in ϑ.On an intuitive level, since X is a set variable, the set membership defined by ϑ is with respect to a single special variable, namely in.A node v lies in the corresponding set precisely if ϑ is satisfied by interpreting in as v.The stages of the partial fixpoint induction are computed as before, the only novelty being that X is initialized to the empty set (while the function variables f 1 , . . ., f are still initialized to the identity function).If the sequence of stages does not converge to a fixpoint, the partial fixpoint is the same as the initial stage (i.e, ∅ for set variables and id V for function variables).
We can easily eliminate X by replacing it with a fresh function variable f X .More precisely, we rewrite the preceding formula as pfp (f i : ϕ i ) i∈( ] , (f X : ϑ ) ψ .To transform (ϕ i ) i∈( ] and ψ into their new forms (ϕ i ) i∈( ] and ψ , it suffices to replace every occurrence of an atomic formula of the form t ∈ X with its encoded representation f X (t) = t.That is, for instance, ψ := ψ t ∈ X → f X (t) = t .For the subformula ϑ , we additionally have to ensure that f X is interpreted as a function that maps a node to its direct successor if and only if it is contained in the new interpretation of X.Thus, we define Notice that our encoding scheme preserves the partial fixpoint of the original formula.In particular, if the sequence of stages does not converge, then f X is interpreted as id V , which represents the empty set.

B.2 Quantification over functions
Since partial fixpoint inductions allow us to iterate over various interpretations of a function variable, they provide a way of expressing (second-order) quantification over functions.To make this more convenient, we add function quantifiers as "syntactic sugar" to the language of functional fixpoint logic and show how they can be converted into pfp operators.
Consider a formula of the form ∃f ϕ, where f is a function variable and ϕ is a formula.Obviously, the semantics is that "there exists a function f such that ϕ holds".In the following, we simulate this existential quantification by a partial fixpoint induction that iterates over all possible interpretations of f .If there exists no interpretation satisfying ϕ, then the sequence of stages of our induction cycles forever through all functions, never reaching a fixpoint.Otherwise, it ends up looping on the first function that satisfies ϕ.This function therefore becomes the interpretation assigned to f by the partial fixpoint operator.
To perform the iteration described above, we need to define a cyclic order on the set of all functions.This is easy because we restrict ourselves to graphs whose nodes are totally ordered.Thus, each function on a given input graph G = (V, E) can be thought of as a |V |-digit number written in base |V |, where the i-th least significant digit represents the value taken by the function at the i-th smallest node.Based on this, the direct successor of a function is simply the function that corresponds to its number incremented by 1.Additionally, to make the order cyclic, we stipulate that the smallest function is the direct successor of the largest function; in other words, there is an "integer overflow".
It only remains to implement these ideas in functional fixpoint logic.Without loss of generality, we may assume that ϕ does not contain any free occurrences of in and out. 1 Hence, we can rewrite ∃f ϕ as the partial fixpoint formula pfp[f : ψ] ϕ, where The subformula ψ distinguishes between three cases in order to determine how to update the interpretation of f .First, as stated in the first line of the big conjunction, if the current interpretation already satisfies ϕ, then it is maintained.
Intuitively, this can be read as: "the new value out of f at in is equal to its current value f (in)".Second, even if f (or rather the number representing it) has to be incremented, the function may retain its current value at some nodes.In fact, "the value of digit in remains unchanged as long as there is some less significant digit x that can still be incremented".Third, as stated in the second line of the big conjunction, if none of the two previous cases apply, then "the value of digit in must be incremented if possible and otherwise reset".We express this using the formula schema succ[s, t] from Section B.1 to ensure that "the new value out is the direct successor of the current value f (in)."Now, when we evaluate the formula pfp[f : ψ] ϕ on a structure (G, q), σ, there are two possibilities.Either there exists no interpretation of f that satisfies ϕ, in which case the partial fixpoint induction does not reach a fixpoint.This means that f defaults to id V and pfp[f : ψ] ϕ evaluates to false.Or ϕ can be satisfied, in which case the induction reaches a satisfying fixpoint.This fixpoint is chosen as the interpretation of f , and pfp[f : ψ] ϕ evaluates to true.In both cases, the result is the same as when evaluating ∃f ϕ on (G, q), σ.

C From automata to logic
We now prove the first part of Theorem 1 (stated in Section 1), by showing that functional fixpoint logic is at least as expressive as distributed register automata: Proposition (9).For every distributed register automaton that decides a graph property, we can effectively construct an equivalent formula of functional fixpoint logic.
The rest of this section is devoted to the proof of Proposition 9. We consider a distributed register automaton A = (Q, R, ι, ∆, H, o) with transition maker ∆ = ( Q, R, ι, δ, õ) and assume that A decides a graph property P over label set I. In the remainder of this section, we construct a formula ϕ A of functional fixpoint logic that defines P .As our exposition goes into full detail, it is a bit lengthy.
To make it clear how all the pieces fit together, we present the construction in a top-down manner.
For each state q ∈ Q, our formula uses a set variable X q to represent the set of nodes of the input graph that are in state q.Furthermore, for each register r ∈ R, it uses a function variable f r to represent the function that maps each node u to the node v whose identifier is stored in u's register r.By means of a partial fixpoint operator, we will ensure that on any I-labeled graph (G, q), the interpretations of (X q ) q∈Q and (f r ) r∈R represent the halting configuration reached by A on (G, q).Hence, the final formula is simply which states that all nodes end up in a halting state that outputs yes.

C.1 Simulating the automaton
The real work is now to construct the formulas (ϕ q ) q∈Q and (ϕ r ) r∈R in such a way that for all i ∈ N, the (i + 1)-th stage of the partial fixpoint induction represents the configuration reached by A in the i-th round.Note that in doing so, we make sure that the infinite sequence of stages reaches a fixpoint (given our assumption that the automaton is a decider and thus eventually halts).
For each state q ∈ Q, we update the set variable X q with the formula only if q∈H Note that this formula makes use of the syntactic sugar introduced in Subsection B.1, which allows us to update set variables without any explicit reference to the variable out.The first disjunct of ϕ q ensures that stage 1 of the partial fixpoint induction corresponds to the initial configuration of the automaton.It does so by stating that a node (represented by the variable in) will belong to X q in the next stage if its input label a maps to q and it does not belong to any set X p in the current stage.The latter part holds only in stage 0, where all set variables are initialized to ∅.In the second disjunct, we use the subformula ϕ ∆ q defined below to ensure that if node in is currently active, i.e., in a non-halting state, then in switches to state q when executing the transition maker ∆.Finally, in case q is a halting state, the third disjunct of ϕ q states that in remains in q if it is already there.This formalizes the fact that halting states are never left.To implement the above-mentioned subformula ϕ ∆ q , we use another partial fixpoint induction, which simulates the behavior of the transition maker ∆ between two consecutive synchronous rounds.This second induction is thus nested within the main induction of ϕ A .Similarly to before, we introduce a set variable Y q for each inner state q and a function variable g r for each inner register r.These variables serve to encode the inner configurations of the transition maker at each node, in the same way as the variables (X q ) q∈Q and (f r ) r∈R encode the local configurations of the automaton.Furthermore, we introduce a function variable g to represent the transition maker's reading head at each node and a set variable Y end to represent the set of nodes that have finished scanning their neighborhood.We will make sure that once the nested partial fixpoint has been reached, the variables (Y q ) q∈ Q and (g r ) r∈ R represent the final inner configurations reached by the nodes.Relying on that, we define The first conjunct simply checks that in is currently in a non-halting state, which means that it is allowed to run the transition maker ∆.The second conjunct expresses that after running the transition maker, in is in some inner state q from which ∆ outputs state q.
Continuing with our top-down approach, we first complete the discussion of the outer partial fixpoint induction of ϕ A before turning to the nested one.For each register r ∈ R, the formula with which we update f r is Here, the subformula ϕ ∆ r states that in is still in a non-halting state and writes the identifier of out to its register r after running the transition maker.The second disjunct of ϕ r covers the case where in has already reached a halting state, forcing it to maintain its current valuation of r.Note that neither of the two disjuncts is satisfied if all set variables are interpreted as the empty set, as is the case in stage 0 of the (outer) partial fixpoint induction.Therefore, ϕ r does not define a functional relationship in stage 0, which means that the interpretation of f r in stage 1 defaults to the identity function.Rather conveniently, this is precisely what we want, i.e., stage 1 represents the initial configuration of the automaton.Here we rely on the assumption that A has no input registers (because it decides a graph property) and therefore initializes the registers of each node to the node's own identifier.
The implementation of ϕ ∆ r is very similar to that of ϕ ∆ q .In particular, it uses the same nested induction to simulate ∆: The only difference to ϕ ∆ q is the big disjunction within the scope of the pfp operator.It stipulates that in ends up in some inner state q that causes the transition maker to update in's register r to the identifier of out.For this to be true, the identifier of out must be stored in the inner register r that is used to update r.

C.2 Simulating the transition maker
We now come to the nested partial fixpoint induction.As briefly mentioned above, it uses two helper variables g and Y end to keep track of the transition maker's scanning process.In each stage of the induction, g is interpreted as a function that maps each node u to the node v that is currently scanned by (the transition maker at) u.In other words, this function gives us the current position of each node's reading head.Since every node starts by reading its own local configuration, it comes in handy that g is initialized to the identity function at stage 0 of the nested induction.The function is then updated with the following formula: Here, the first conjunct ensures that the reading head of in can be moved only to a neighbor of in, while the big disjunction below is responsible for selecting the smallest neighbor that has not yet been visited.The first line of the disjunction covers the initial step, where the reading head is still at in and must be moved to the smallest of all neighbors.The second line corresponds to the case where the head is moved from one neighbor to the next-smallest one.Finally, the third line states that once the head has reached the greatest neighbor, it remains there.This is important to ensure that the sequence of stages converges to a fixpoint.Also note that ψ always defines a total function because every node has at least one neighbor.(This follows from our restriction to connected graphs with at least two nodes.)Since the reading head of the transition maker remains at the last-visited node, we must prevent that node from being processed more than once.This is the purpose of the set variable Y end , which will be interpreted as the set of all nodes that have finished scanning their neighborhood.If in's reading head reaches the last neighbor in stage i, then in is added to Y end in stage i + 1: Having formalized how the transition maker ∆ scans its input, we now make use of the variables g and Y end to define how it updates its inner configuration.For each inner state q ∈ Q, the set variable Y q is updated with the formula The first disjunct states that ∆ remains in q if it has reached the end of its input and is currently in q, whereas the second disjunct describes an inner transition to q in case ∆ has not yet terminated.For such an inner transition to take place, q must be the inner state that is obtained when applying δ to the current inner state p of in, the current state p of g (in), and the relation ≺ that compares the inner register values of in with the register values of g (in).Our formula expresses this as a disjunction over all possible choices of p, p, and ≺ that lead to q, using the subformula ϑ curr ( p,p,≺) to check whether p, p, and ≺ do indeed correspond to the current inner configuration of in and local configuration of g (in).
Implementing ϑ curr ( p,p,≺) for any p ∈ Q, p ∈ Q, and ≺ ∈ 2 ( R∪R) 2 is straightforward: In the first line, we state that p is the inner state of in and p is the state of g (in).
For the former, we use the little helper formula ϑ curr p defined below.In the remaining two lines, we check that all inequalities specified by ≺ are satisfied.
The reason for using the helper formula ϑ curr p is that the inner state of in is not represented explicitly in stage 0 of the nested induction.Therefore, if in does not belong to any set Y q , we assume that it is in the inner initial state ι: Note that since we represent each inner register r by a function variable g r , our encoding does not take into account that inner registers can hold the undefined value ⊥.In particular, in stage 0 of the nested induction, g r is interpreted as the identity function, whereas the transition maker initializes r to ⊥.However, we may assume without loss of generality that when the transition maker starts in its initial inner configuration (ι, {r → ⊥} r∈ R) and reads the first local configuration (p, ρ) of its input sequence, then it updates each of its inner registers to some value provided by ρ (and thus distinct from ⊥) that depends only on p and the order relation between the register values of ρ.More formally, we assume that for every state p ∈ Q and all binary relations ≺, ≺ ⊆ ( R ∪ R) 2 such that r ≺ s if and only if r ≺ s for all r, s ∈ R, we are guaranteed that δ(ι, p, ≺) = δ(ι, p, ≺ ) = (q, α) such that α(r) ∈ R for all r ∈ R. On that basis, we may substitute the initial inner configuration at node v with the indistinguishable inner configuration (ι, {r → v} r∈ R), which is precisely what we do in stage 0.
To complete our construction, it only remains to specify how the inner registers are updated.For each r ∈ R, we define the formula , s∈R ∃q, α: δ( p,p,≺)=(q, α) ∧ α(r)=s ϑ curr ( p,p,≺) ∧ out = f s (g (in)) , whose basic structure is very similar to that of ψ q .The first line just states that the transition maker ∆ retains the current value of r if it has reached the end of its input.The second line covers the case where ∆ has to update in's inner register r to a new value out, based on what it sees from the current inner configuration of in and the current local configuration of g (in).When ∆ evaluates its inner transition function δ on the currently seen inner state p, state p, and relation ≺, there are two possibilities: either the new value of r is obtained from some inner register s of in, or it is obtained from some register s of g (in).These two possibilities are expressed by the two big disjunctions in the second line of ψ r .

D From logic to automata
We will now take the opposite direction and go from formulas to automata.Hence, this section is devoted to the proof of the following result: Proposition (10).For every formula of functional fixpoint logic that defines a graph property, we can effectively construct an equivalent distributed register automaton.
We proceed by induction, i.e., we construct automata for subformulas, which will then be put together to produce automata for composed formulas.The invocation of automata as subroutines will be more convenient if they are centralized.Intuitively, this means that a dedicated root initiates an execution and, at the end, collects an acknowledgment from all the other processes before terminating.Consider the set of registers R tree = {parent, root} and suppose C ∈ C(Q, R) is a configuration such that R tree ⊆ R. We call C a spanning-tree configuration if the valuations of parent and root form a spanning tree in C as computed by the algorithm from Example 5.

Definition 12 (Centralized automaton).
A centralized automaton is a distributed register automaton A with input registers R in and output registers R out such that R tree ⊆ (R in \ R out ) and all runs of A starting in a spanning-tree input configuration satisfy the following properties: 1.A non-root node can only leave its initial local configuration after its parent changed its local state for the first time.
2. The run eventually halts and the root is the last node to terminate (i.e., no node enters a halting state after the root does).3. The registers in (R in \ R out ) are not modifed during the run.
Essentially, the notion of centralized automaton provides a way to combine and reason about distributed register automata in a fully sequential way.Given a centralized automaton and output registers R out 1 , we can construct another centralized automaton ) that uses A 1 as a subroutine.To this end, we make sure that Q 2 is a Cartesian product of the form S × {main, call } × Q 1 and that R 2 includes R 1 .In any execution of A 2 , every node is initially in the main mode (by which we mean that the relevant component of its state is main).While in this mode, a node behaves according to the algorithm implemented by A 2 .The algorithm must be such that at some point in time, all nodes except the root of the spanning tree are idle, and the current configuration of A 2 yields a desired initial configuration of A 1 if we project all states to their Q 1 -component and consider only those registers that belong to R 1 .Then, the root can launch a nested execution of A 1 by entering the call mode.While in this mode, a node must simulate automaton A 1 , using only the Q 1 -component of its state and its R 1 -registers.Whenever a node in the main mode sees that one of its neighbors has entered the call mode, it does the same.Since A 1 is centralized, by Definition 12 (1), this approach yields a faithful simulation of A 1 , despite the fact that the nodes do not enter the call mode simultaneously.Moreover, by Definition 12 (2), once the root has reached a halting state of A 1 , it knows that the automaton has halted everywhere.The root can thus switch back to the main mode and resume executing A 2 .The other nodes do the same as soon as one of their neighbors has done so.As a result, automaton A 2 can use the output configuration produced by A 1 .Since by Definition 12 (3), A 1 does not modify the registers in R in 1 \ R out 1 , we can rely on them being the same as before calling A 1 .In particular, the spanning tree represented by the registers in R tree remains unchanged.
Note that while the preceding approach may lead to very inefficient algorithms from the perspective of distributed computing, it is sufficient for the purposes of this paper, since we only want to characterize the fundamental expressive power of distributed register automata.
As our proof of Proposition 10 will proceed by induction on the structure of formulas, we will have to cope with the interpretations of free node and function variables.To this end, we are going to encode interpretations into configurations.Consider a spanning-tree configuration C = ((V, E), q, r) ∈ C(Q, R), with root v 0 , such that the set R contains variables from N ∪ F.Then, C defines a variable assignment σ as follows: For a node variable x ∈ R, we let x σ = r(v 0 )(x).That is, the interpretation of variable x is the value of register x at the root.Moreover, each register f ∈ R ∩ F encodes an interpretation f σ of the function variable f by letting f σ (v) = r(v)(f ) for all v ∈ V .
The next preparatory proposition states that there is a centralized automaton that evaluates a term with respect to the variable assignment encoded in the input configuration.
Proposition 13 (Automata for terms).Let t be a term.There is a centralized automaton A t computing a transduction such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v 0 ∈ V encoding a variable assignment σ, the automaton eventually outputs a configuration C = (G, q, r ) satisfying r Given a spanning-tree input configuration C = ((V, E), q, r), the automaton A t will use auxiliary registers t i to compute and store the intermediary values t σ i = f σ i (. . .f σ 1 (x σ ) . ..).The register t = t is the only output register.We compute the values for t 1 , . . ., t successively.As an invariant, we maintain that, after computing t σ i , the root stores t σ i in its register t i .We reserve an auxiliary register self for storing the own identifier of a node.To compute t σ i+1 , we proceed as follows.Starting from the root, the value of t σ i is propagated to all nodes along the spanning tree down to the leaves.The leaves, in turn, initiate a back-propagation phase, where an internal node waits for signals from all its children, notifies its parent, and then terminates.However, during this back-propagation, the node whose identifier coincides with t i includes the contents of its register f i+1 in its message to its parent node, which propagates it further, until the value reaches the root.The latter stores it in its register t i+1 .
As further preparation for the inductive translation of formulas, we describe a subroutine that allows the root to increment a register by one.
Proposition 14 (Register incrementation).Let r be a register.There is a centralized automaton A r++ computing a transduction such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v 0 ∈ V , the automaton eventually outputs a configuration C = (G, q, r ) Proof.First, the current value w of v 0 's register r is broadcast through the entire graph.Then, every node u sends to its parent in the spanning tree the smallest value greater than w among the node identifiers in the subtree rooted at u (provided that this subtree contains such an identifier).This procedure starts at the leaves and works its way up to the root.There, the smallest value obtained must be w + 1.
We are now ready to transform any formula into an equivalent automaton.
Proposition 15.Let ϕ be a formula of functional fixpoint logic over some finite set of labels I.There is a centralized automaton A ϕ computing a transduction T Aϕ : C(I, R tree ∪ free(ϕ)) → C({yes, no}, ∅) such that, given a spanning-tree input configuration C = (G, q, r) with G = (V, E) and root v 0 encoding a variable assignment σ, the automaton eventually outputs a configuration C = (G, q , r ) satisfying q (v 0 ) = yes if and only if (G, q), σ |= ϕ.
Proof.We proceed by induction on the structure of formulas.
Case ϕ = a t.Given a spanning-tree input configuration C = ((V, E), q, r) encoding a variable assignment σ, the automaton A ϕ first applies, as a subroutine, A t from Proposition 13.The latter eventually outputs a configuration in C(1, {t}) such that the value of register t at the root is t σ .Similarly to the construction of Proposition 13, the root then broadcasts t σ to all other nodes along the spanning tree, down to the leaves.During a subsequent back-propagation phase, node t σ checks whether its label is equal to a. Accordingly, it sends either yes or no to its parent, which propagates it further until it reaches the root.Case ϕ = s < t.As a subroutine, the root first launches A s and then A t so that it eventually stores, in (auxiliary) registers s and t, the interpretation s σ and t σ , respectively.The root then compares both values and outputs the corresponding truth value.Case ϕ = s t.Like in the previous case, the root first launches A s and then A t so that it eventually stores s σ and t σ in registers s and t, respectively.Both are then propagated along the spanning tree.During a subsequent back-propagation, node s σ checks whether t σ is in its neighborhood.The corresponding truth value is forwarded back to the root.
Case ϕ = ¬ψ.As a subroutine, A ¬ψ first applies A ψ to the given spanning-tree input configuration.Upon termination, the root will just flip the node label from yes to no or vice versa.
Case ϕ = ϕ 1 ∨ ϕ 2 .The automaton A ϕ first applies A ϕ1 as a subroutine.If the root outputs yes, then it stops.Otherwise, A ϕ2 is launched.
Case ϕ = ∃x ψ.Automaton A ϕ has an auxiliary register x.It makes use of the subroutine A x++ from Proposition 14, which increments the value of x by one every time it is called.The root, initially storing its own identifier 0 in x, starts by launching A ψ .If the latter outputs yes (at the root), then the root outputs yes and stops.Otherwise, using A x++ , the root will increment its register x by one, launch A ψ again, and so on.If no increment is possible anymore, A ϕ outputs no.
First of all, recall that free(ϕ) is the union of all sets free(ϕ i ) \ {f 1 , . . ., f , in, out} and free(ψ) \ {f 1 , . . ., f }.We are interested in a transduction T Aϕ : C(I, R tree ∪ free(ϕ)) → C({yes, no}, ∅).To implement the partial fixpoint computation, we introduce auxiliary registers f 1 , . . ., f (for the current interpretation) and f new 1 , . . ., f new (for the next interpretation).We also use auxiliary registers in and out, as well as a register self for storing the own identifier of each node.Furthermore, to test whether the partial fixpoint computation has reached a cycle with a period greater than one, we include an additional set of auxiliary registers that will allow us to implement a global counter.Since there are precisely n n different -tuples of functions on an input graph with n nodes, it is sufficient to count from 0 to n n − 1.The counter is taken for granted for now, but it will be explained below, and we shall define a helper automaton A inc that allows us to increment it by one.
In the following, in the interest of clarity, we abstract away from many implementation details and only describe our construction informally.Recall that A ϕ is a centralized automaton, which means that it is controlled by the root.The root's program is given by Algorithm 2, presented as pseudo code.First, the counter is initialized to zero in Line 1 (see below for an explanation).Then, in every iteration of the loop starting at Line 2, all registers f i and f new i are updated in such a way that they represent the current and next stage, respectively, of the partial fixpoint induction.For the former, it suffices that every node copies, for all i, the contents of f new i to f i (Line 3).To update f new i , Line 4 calls the subroutine provided by Algorithm 3 (which will be explained in the next paragraph).As a result of this algorithm, we have f new i = F ϕi ((f i ) i∈( ] ) for all i, where F ϕi : (V V ) → V V is the operator defined in Section 4. Line 5 checks whether we have reached a fixpoint: The root asks every node to compare, for all i, its registers f new i and f i .The corresponding truth value is propagated back to the root, where false is given preference over true.If the result is true, we exit the loop and proceed with calling A ψ to evaluate ψ (Line 8).Otherwise, we try to increment the global counter by executing A inc (Line 6).If the latter returns yes, i.e., incrementation was possible, then another iteration takes place.However, if A inc returns no, then the counter has reached its maximum.This implies that we have not reached (and will not reach) a fixpoint so that, according to the partial fixpoint semantics, each node writes its own identifier to every register f i (Line 7) before the automaton evaluates ψ (Line 8).
Let us now describe the subprocedure update(f new i ) given by Algorithm 3. Using A in++ and A out++ provided by Proposition 14, the root will gradually increment its register in and, in a nested fashion, out so as to let in and out range over V (lines 1 and 3 ).After each increment, it will launch A ϕi to evaluate ϕ i with the current interpretations of in and out (line 4 ).If the result is yes, then the root transfers the contents of out to out (Line 6 ).Moreover, it sets the flag found to true, which allows it to check whether the node henceforth stored in out is the only one to make ϕ i true for the given in.If it is not (i.e., the test in Line 5 eventually fails), we set out = in.Finally, the node whose identifier corresponds to in sets its register f new i to the computed value (Line 8 ).To implement Line 8 , the root will send out , along the spanning tree, to node in, which stores it in its register f new i .
A distributed counter.We now sketch how to implement A inc .On an underlying graph G = (V, E) of size |V | = n, this automaton can be used to count in a distributed manner from 0 to n n − 1.The basic idea is somewhat similar to the construction presented in Section B.2, as we will identify a register valuation function with a number written in base n.More precisely, each of the n nodes will have registers r 0 , . . ., r −1 , each storing a number between 0 and n − 1.Thus, a register valuation function r : V → V {r0,...,r −1 } can be seen as a n-digit number written in base n, where the i-th least significant digit is stored in register r (i mod ) of the i/ -th node, with respect to some total order on V .In the following, given a spanning tree of G, we will choose to be the order in which the nodes are visited in the post-order traversal of the tree (where the children of each node are visited in ascending identifier order).This way, the most significant digits are stored in the root.
It expects as input is a spanning-tree configuration C = (G, q, r) that encodes some number m ∈ [0 : n n − 1] in the registers r 0 , . . ., r −1 (as described above).
In addition, the largest identifier of G (i.e., n − 1) must be stored in each node's register max .If m < n n − 1, then the output configuration C produced by A inc is such that the new values of r 0 , . . ., r −1 represent the number m + 1 and the root outputs yes, indicating that the incrementation was successful.Otherwise, all registers are set to zero and the root outputs no.
In order to generate the first valid input configuration for A inc , the command init(A inc ) in Algorithm 2 (Line 1) sets all registers r i to 0 (thereby initializing the counter to zero) and all registers max to n − 1.While 0 is already known by each node (since this is the root's identifier), n − 1 can be determined by a simple subroutine that is very similar to the automaton described in Proposition 14: every node v sends to its parent in the spanning tree the greatest value among the node identifiers in the subtree rooted at v, which ensures that the largest value received by the root is n − 1.
After that, every execution of A inc performs incrementation by one as follows.First, the root sends the command "increment" in the direction of the leaf u that stores the least significant digits.More precisely, it sends the command to its smallest child (i.e., the one with the smallest identifier), and every node that receives the command forwards it to its own smallest child.
Upon receiving the command "increment", leaf u checks whether at least one of its registers r 0 , . . ., r −1 contains a value smaller than max .If not, it sets all of them to zero by copying the value 0 from register root.Then, u sends the command "increment" back to its parent, which will forward the "carry digit" to the next node in the order .On the other hand, if there exists a smallest index i such that r i contains a value smaller than max , then u sets to zero only the registers r 0 , . . ., r i−1 and increments r i by executing a subroutine that we will describe below.As soon as that subroutine has terminated, u sends an acknowledgment to the root, which then instructs all other nodes to terminate before switching itself to the halting state yes.
More generally, whenever a node v receives the command "increment", v tries to forward it to the smallest child that has not yet received it.(In particular, a command received from one child will be forwarded to the next smallest child.)If this is not possible, either because v is a leaf or because all of its children have already sent back the command, then v performs an incrementation itself.To do so, it proceeds in exactly the same way as described above for node u.
Since the root stores the most significant digit in its register r −1 , it is able to detect the integer overflow that occurs if the input value m is equal to n n − 1.In that case, instead of sending "increment" to its parent, it first instructs all other nodes to terminate and then switches to the halting state no.
It only remains to explain the subroutine that allows a node v to increment its register r i by one.To do so, v will send a request to the root including the value of register r i .The root stores the latter in some auxiliary register s, launches A s++ from Proposition 14, and then sends the result back to v, which writes it into r i .This completes the induction and thereby the proof of Proposition 15.
We now have the main building block to prove the result of this section: Proof (Proof of Proposition 10).Let ϕ be a formula of functional fixpoint logic without free variables.The automaton deciding the graph property defined by ϕ proceeds as follows: It first constructs a spanning tree on the given input graph by executing a variant of the automaton from Example 5 (where the root must be the last node to enter a halting state).Then, it launches A ϕ from Proposition 15, with set of input registers R tree .Finally, the root informs the other nodes, along the spanning tree, about the outcome, i.e., yes or no.

Fig. 2 .
Fig. 2. A run of the spanning-tree automaton from Example 5 Algorithm 1 Transition maker of the automaton from Example 5 goto 8 6 until execute(Ainc) returns no / * until global counter at maximum * / 7 @every node do for i ∈ [1 : ] do fi ← self 8 execute(A ψ ) Algorithm 1 Transition maker of the automaton from Example 5 if ∃ neighbor nb (nb.root < my.root) : my.state ← 1; my.parent ← nb.self ; my.root ← nb.root as controlled by the root