Consensus in rooted dynamic networks with short-lived stability

We consider the problem of solving consensus using deterministic algorithms in a synchronous dynamic network with unreliable, directional point-to-point links, which are under the control of a message adversary. In contrast to the large body of existing work that focuses on message adversaries that pick the communication graphs from a predefined set of candidate graphs arbitrarily, we consider message adversaries that also allow to express eventual properties, like stable periods that occur only eventually. Such message adversaries can model systems that exhibit erratic boot-up phases or recover after repeatedly occurring, massive transient faults. We precisely determine how much eventual stability is necessary and sufficient, and provide an optimal consensus algorithm. Unlike in the case of longer stability periods, where standard algorithms can be adapted for solving consensus, different algorithmic techniques are needed in the case of short-lived stability.


INTRODUCTION
We consider deterministic consensus algorithms in synchronous dynamic networks, where a potentially unknown number n of processes that never fail 1 communicate via unacknowledged messages over unreliable pointto-point links. Consensus, which is a pivotal service in truly distributed applications, is the problem of computing a common decision value based on local input values of all the processes. An execution of a consensus algorithm in our system proceeds in a sequence of lockstep synchronous 2 rounds, where message loss is mod- 1 Nevertheless, a crash of some process p in some round could easily be modelled by p sending no messages in any later round. 2 It assumes that all processes simultaneously broadcast elled using an omniscient message adversary that determines the directed communication graph G r for each round r. A directed edge (p, q) present in G r means that the message sent by p in round r is successfully received by q.
In most existing work in this area, e.g. [2,9,19,20], the message adversary is oblivious, i.e., may choose each G r from the same set of admissible graphs arbitrarily in each round. For instance, the classic result from Santoro and Widmayer [19] states that consensus is impossible if the adversary may suppress n − 1 or more messages in every round. More recently, [9] introduced an equivalence relation on the set of admissible communication graphs such that consensus is solvable if and only if for each equivalence class there is a common source (a node that has a directed path to every other node) in every graph. These (and similar) approaches characterize the solvability of consensus by means of properties of the set of admissible graphs.
We also explore the solvability/impossibility border of consensus, albeit under non-oblivious message adversaries that support eventual stabilization [3,4,22]: Here, the set of admissible choices for G r may change with evolving round numbers r. Rather than constraining the set of admissible graphs, we hence constrain admissible graph sequences. As it turns out, consensus can be solved for graph sequences where the set of graphs occurring in the sequence would render consensus impossible under an oblivious message adversary [9,19].
Apart from being theoretically interesting, considering eventually stabilizing dynamic networks is also useful from a practical perspective: Algorithms that work correctly under eventually stabilizing message adversaries are particularly suitable for systems that suffer from uncoordinated boot-up sequences or systems that must recover from massive transient faults: Network connectivity can be expected to improve over time here, e.g., due to improving clock synchronization quality.
Since it is usually difficult to determine the time when a message at the beginning of a round, receive the messages from each other, and then simultaneously make a state transition at the end of the round, thereby proceeding to the next round.
(1) We provide a novel algorithm in Section 5, along with its correctness proof, which solves consensus for a message adversary that generates graph sequences consisting of graphs that (i) are rooted, i.e., have exactly one root component (a strongly connected component without any incoming edges from outside of the component), and (ii) contain a subsequence of x = D + 1 consecutive graphs whose root component is formed by the same set of nodes ("stable root component"). Herein, the system parameter D n−1 is the dynamic diameter, i.e., the number of rounds required for any node in a stable root component to reach all nodes in the system. Thanks to (i), our algorithm is always safe in the sense that agreement is never violated; (ii) is only needed to ensure termination. Compared to all existing algorithms for non-oblivious mes-sage adversaries like [3,4,22], where the processes more or less wait for the stability window to occur, our algorithm uses quite different algorithmic techniques.
(2) In previous work [3,5], it has been shown that x = D−1 is a lower bound for the stability interval for any consensus algorithm working under message adversaries that guarantee a stable root component to occur eventually, and that (a bound on) D must be a priori known. 3 In Section 4 of this paper, we improve the lower bound to x = D, which reveals that the previous bound was not tight and that our new algorithm is optimal. This result also shows that the mere propagation of some input value to every process does not suffice to solve consensus in this setting.
(3) To complement earlier results [22] about consensus algorithms that work for stability periods longer than 2D + 1, we show in Section 6 that very large periods of stability, namely, at least 3n − 3, also allow to adopt the well-known uniform voting algorithm [8] for solving consensus in our setting.
Some conclusions and directions of future work in Section 7 complete the paper.
As a final remark, we note that our methodology is in stark contrast to the approach advocated in [18], which shows, among other insightful results, that the message adversary SOURCE + QUORUM allows to simulate an asynchronous message passing system with process crashes augmented by the failure detector (Σ, Ω). Since this is a weakest failure detector for consensus [10], it is possible to use classic consensus algorithms on top of this simulation. Furthermore, as Σ is the weakest failure detector to simulate shared memory on top of waitfree asynchronous message passing [10], even shared memory algorithms that rely on Ω could be employed.
In [5,Sec. 8], we hence investigated the potential of simulating (Σ, Ω) on top of eventually stabilizing message adversaries, as this would allow us to employ such well-established consensus solutions instead of specifically tailored algorithms. Unfortunately, it turned out that Σ cannot be implemented here, even in the case of message adversaries that eventually guarantee an infinite period of stability -not to speak of message adversaries that guarantee only a finite period of stability like the one presented in this paper. Therefore, we had to conclude that, for this type of message adversaries, failure detector simulations are no viable alternative to the approach taken here.

Related work
Research on consensus in synchronous message passing systems subject to link failures dates back at least to the seminal paper [19] by Santoro and Widmayer; generalizations have been provided in [6][7][8][9]20]. In all these papers, consensus, resp. variants thereof, are solved in systems where, in each round, a digraph is picked from a set of possible communication graphs. The term message adversary was coined by Afek and Gafni in [2] for this abstraction.
A different approach for modeling dynamic networks has been proposed in [13]: T -interval connectivity guarantees a common subgraph in the communication graphs of every T consecutive rounds. [14] studies agreement problems in this setting. Note that solving consensus is relatively easy here, since the model assumes bidirectional and always connected communication graphs. In particular, 1-interval-connectivity, the weakest form of T -interval connectivity, corresponds to all nodes constituting a perpetually constant set of source nodes.
In both lines of research, there is no notion of eventually stabilizing behavior of dynamic networks. To the best of our knowledge, the first instance of a message adversary that guarantees eventual stable root components has been considered in [3]: It assumed communication graphs with a non-empty set of sources and long-living periods of stability x = 4D +1. [4,23] studies consensus under a message adversary with comparably long-lived stability, which gracefully degrades to general k-set agreement in case of unfavorable conditions. However, this message adversary must also guarantee a certain influence relation between subsequently existing partitions. [22] established a characterization of uniform consensus solvability/impossibility for longer stability periods. In particular, it provides a consensus algorithm that works for stability periods of at least 2D + 1 but does not require graph sequences where all graphs are rooted.
Finally, [18] used message adversaries that allow a notion of "eventually forever" to establish a relation to failure detectors. Albeit we do not consider this "extremal" case in this paper, which solely addresses shortlived stability, we note that interesting insights can be drawn from this relation.

MODEL
We consider a set Π of n deterministic state machines, called processes, which communicate via message passing over unreliable point-to-point links. Processes have unique identifiers and are typically denoted by p, q. We call algorithms that do not depend on n uniform algorithms, whereas algorithms that rely on at least some bound on n are called non-uniform. In this paper, we will consider exclusively non-uniform algorithms, except for Theorem 1, where we touch upon uniform algorithms as well. Processes never fail and operate synchronously in lock-step rounds r = 1, 2, . . . , where each round consists of a phase of communication followed by a local state transition of every process. In the communication phase of a round, every process sends a message (possibly empty) to every other process in the system, and records the messages successfully received from the other processes. A message adversary (see Section 3 for the detailed definitions) is a set of graph sequences that determine which messages are lost in each round.
The state of a process p at the end of its round r computation is denoted by p r , and the collection of the round r states of all processes is called round r configuration C r . Those messages that are delivered by the message adversary in a given round r > 0 are specified via a digraph 4 G r = Π, E r , called the round r communication graph. An edge (p → q) is in G r if and only if the round r message of p sent to q is not lost. We assume that every process p always successfully receives from itself, so the self-loops (p → p) are in every G r . The in-neighborhood of p in G r , In p (G r ) = {q | (q, p) ∈ G r ) hence represents the processes from which p received a message in round r.
A message adversary is characterized by the set of infinite sequences of consecutive communication graphs that it may generate, which are called admissible. A sequence σ of consecutive communication graphs, ranging from round a to round b, is denoted as Since we actually identify a message adversary with its set of admissible sequences, we can compare different message adversaries via a simple set inclusion.
We consider the consensus problem, where each process p starts with some input value x p and has a dedicated write-once output variable y p ; eventually, every process needs to irrevocably decide, i.e., assign a value to y p (termination) that is the same at every process (agreement ) and was the input of some process (validity). The assignment of the input values for each process is summarized in some initial configuration C 0 . Given a message adversary MA and a deterministic consensus algorithm A, an (admissible) execution or run ε = C 0 , σ is uniquely determined by C 0 and an admissible graph sequence σ ∈ MA.
Applying A and a finite sequence σ ′ to a configuration C of A yields the configuration C ′ = C, σ ′ of A. As usual, we write ε ∼ p ε ′ if the finite or infinite executions ε and ε ′ are indistinguishable to p (i.e., the round r state of p is the same in both executions) until p decides.

Dynamic graph concepts
First, we introduce the pivotal notion of a root component R, often called root for brevity, which denotes the vertex-set of a strongly connected component of a graph where there is no edge from a process outside of R to a process in R. Definition 1 gives its formal definition.
It is easy to see that every graph has at least one root component. A graph G that has a single root component is called rooted ; its root component is denoted by root(G). Clearly, a graph G is rooted if and only if it has a rooted spanning tree: the root component is the union of the roots of all the spanning trees of G. Hence, there is a directed path from every node of root(G) to every other node of G.
Conceptually, root components have already been employed for solving consensus a long time ago: The asynchronous consensus algorithm for initially dead processes introduced in the classic paper [11] relies on a suitably constructed initial clique, which is just a special case of a root component.
In order to model stability, we rely on root components that are present in every member of a (sub)sequence of communication graphs. We call such a root component the stable root component of a sequence and stress that, albeit the set of processes remains the same, the interconnection topology between the processes of the root component and to the processes outside may vary greatly from round to round.

Definition 2 (Stable Root Component).
We say that a non-empty sequence (G r ) r∈I of graphs has a stable root component R, if and only if each G r of the sequence is rooted and ∀i, j ∈ I : root(G i ) = root(G j ) = R. We call such a sequence a R-rooted sequence.
We would like to clarify that while "rooted" describes a graph property, "R-rooted" describes a property of a sequence of graphs.
Given two graphs G = V, E , G ′ = V, E ′ with the same vertex-set V , let the compound graph G • G ′ := V, E ′′ where (p, q) ∈ E ′′ if and only if for some p ′ ∈ V : (p, p ′ ) ∈ E and (p ′ , q) ∈ E ′ . Since we assume self-loops the compound graph can be written as the product of the adjacency matrices of G and G ′ .
In order to model information propagation in the network, we use a notion of causal past : Intuitively, a process q is in p's causal past, denoted q ∈ CP r p (r ′ ) if q = p or if, by round r, p received information (either directly or via intermediate messages) that q sent in round r ′ +1.
Definition 3 (Causal past). Given a sequence σ of communication graphs that contains rounds a and b, the causal past of process p from (the end of ) round b down to (the end of ) round a is CP b A useful fact about the causal past is that in fullinformation protocols, where processes exchange their entire state history in every round, we have q ∈ CP r p (s) if and only if, in round r, p knows q s , the round s state of q.
To familiarize the reader with our notation, we conclude this section with the following technical Lemma 1. It describes the information propagation in a graph sequence containing an ordered set G = {G r1 , . . . , G rn }, i = j ⇒ r i = r j , and i > j ⇒ r i > r j , of n distinct communication graphs, where any G, G ′ ∈ G are both rooted, but root(G) is not necessarily the same as root(G ′ ). As we have mentioned earlier, every G ∈ G has hence a rooted spanning tree and is therefore weakly connected. In essence, the lemma shows that, by the end of round r n , each process p received a message from some process q that was sent after q was member of a root component of some graph of G.
. . , G rn } be an ordered set of rooted communication graphs and let X ⊆ Π with X ∩ root(G r ) = ∅ for every G r ∈ G. For every p ∈ Π, there is some q ∈ X (q may depend on p) and a G r ∈ G s.t. q ∈ root(G r ) and q ∈ CP rn p (r). Proof. Let S ri be the set of those processes that, in round r i , have received information from a process of X after it was member of a root component so far in a graph in G. Formally, In order to show the lemma, we prove by induction on i from 1 to n that |S ri | i. We use the abbreviation X ri := X ∩ root(G ri ). The base of the induction, |S r1 | 1, follows from the observation that X r1 ⊆ S r1 . For the induction step, assume for 1 i < n that |S ri | i. We show that then |S ri+1 | i+1. If |S ri | n, as obviously S ri ⊆ S ri+1 , we are done. If |S ri | < n, consider that X ri+1 ⊆ S ri+1 . If |X ri+1 \ S ri | 1, we immediately have |S ri+1 | > |S ri |. If |X ri+1 \ S ri | = 0, note that there is a path in G ri+1 from every q ∈ X ri+1 to every p ∈ Π. Hence, (u → v) ∈ G ri+1 for some u ∈ S ri , v ∈ Π\S ri , since we assumed |S ri | < n. As u ∈ S ri , there is some q ∈ ri r=r1 X r with q ∈ CP ri u (r). By Definition 3, since (u → v) ∈ G ri+1 , we have q ∈ CP ri+1 v (r) and thus v ∈ S ri+1 \ S ri which implies |S ri+1 | > |S ri |.

MESSAGE ADVERSARIES
First, we introduce the adversary that adheres to dynamic diameter D, which gives a bound on the duration of the information propagation from a stable root component to the entire network. We showed in [21, Lem. 1] that always D n − 1; a priori restricting D < n − 1 also allows modelling dynamic networks where information propagation is guaranteed to be faster than in the worst case (as in expander graphs [5], for example).
The following liveness property, eventual stability, ensures that eventually every graph sequence σ has a Rrooted subsequence σ ′ ⊆ σ of length x. Here Σ denotes the unrestricted message adversary, i.e., the set of all communication graph sequences.
For finite x, ♦STABILITY(x) alone is insufficient for solving consensus: Arbitrarily long sequences of graphs that are not rooted before the stability phase occurs can fool any consensus algorithm to make wrong decisions. For this reason, we introduce a safety property in the form of the message adversary that generates only rooted graphs.
The short-lived eventually stabilizing message adversary ♦STABLE D (D + 1) used throughout the main part of our paper adheres to the dynamic diameter D, guarantees that every G r is rooted and that every sequence has a subsequence of at least x = D + 1 consecutive communication graphs with a stable root component. Since processes are aware under which adversary they are, they have common knowledge of the dynamic diameter D and the duration of the stability phase x. We observe that ♦STABILITY(x) ⊇ ♦STABILITY(D) for any 1 x D, hence it follows that ♦STABLE D (x) ⊇ ♦STABLE D (D). This simple set inclusion turns out to be quite useful for the next section.

IMPOSSIBILITY RESULTS AND LOWER BOUNDS
Even though processes know the dynamic diameter D, for very short stability periods, this is not enough to solve consensus. In Theorem 1, we prove that if processes do not have access to an upper bound on n (some N with N n), i.e., when the algorithm is uniform, solving consensus is impossible if the period x of eventual stability is shorter than 2D: Here, processes can never be sure whether a stable root component occurred for at least D rounds, albeit detecting such a stable root component is necessary to satisfy validity. Theorem 1. There is no uniform consensus algorithm for ♦STABLE D (x) with 0 < x < 2D.
Consider execution ε 1 = C 0 , σ 1 with σ 1 from Figure 1, where a dotted edge exists only in every second graph in a sequence, and all processes not depicted have an in-edge from every depicted process. σ 1 ∈ MA, since it guarantees eventual stability for 2D − 1 rounds, adheres to the dynamic diameter D and in every round the communication graph is rooted. By the assumed correctness of A, there is a round τ by which every process has decided in ε 1 . The decision must be 0 because p D+1 only ever saw processes that knew of input value 0. This is indistinguishable for p D+1 from the execution where all processes did indeed start with input 0, which, according to the validity property of consensus, implies a decision on 0. Now, consider the execution ε 2 = C 0 , σ 2 with σ 2 from Figure 1. Again, σ 2 ∈ MA, since p n is a stable root component for r τ + 1. In every round r τ , p ∈ {p D+1 , p D+2 } have the same view in ε 1 and ε 2 : This is immediately obvious for 1 r D − 1. For D r 2D − 1, the view of p 1 is different, but this difference is not revealed to p by the end of round 2D − 1. Finally, in rounds 2D r τ , the processes {p D+1 , p D+2 } hear only from themselves in both executions, hence maintain ε 1 ∼ pD+1 ε 2 .
Consequently, by round τ , p D+1 has decided 0. Yet, in executions where n > τ + D + 3, according to ε 2 in Figure 1, we have that p n never saw a process that had an input value different from 1. By validity and an analogous argument as above, p n must hence decide 1 in ε 2 here, which provides the required contradiction.
As our next result, we present a lower bound for the duration x of the stable period: We prove that even in the non-uniform case, consensus is impossible under ♦STABLE D (x) if x D (Theorem 2). Note that this result improves the lower bound x D − 1 established in [3] and thus reveals that the latter was not tight.
Our lower bound can be seen as a generalization of the "lossy-link" impossibility from [20, Theorem 2], a particular formalization of consensus for two processes. There, it was shown that consensus is impossible in a two-process system where all messages except one may get lost in every round. In our terminology, this means that, for n = 2 and D = 1, consensus is impossible under ♦STABLE D (1), even if processes are aware of the size of the system. For general D, Theorem 2 below shows that a stability period of D or less rounds is insufficient for solving consensus for any value of N as well. Informally, the reason is that there are executions where, even with a stability phase of D rounds, some process cannot precisely determine the root component σ 1 : Figure 1: Communication graph sequences of Theorem 1. A dotted edge represents and edge which is in G i if and only if it is not in G i−1 . We assume there is an edge from every process depicted in the graph to every process not depicted in the graph.
of the stability window. In Figure 2, for instance, p D+1 cannot determine whether p 1 alone or p 1 and p 2 together constitute the root component after a sequence of D successive occurrences of G a , respectively, G b . The determination of this root component is crucial, however, since any root component could be the "base" for a decision in the suffix of some indistinguishable execution.
Our impossibility proof relies on a bivalence argument: Consider some algorithm A that solves the binary consensus problem, where, for every process p, the initial value x p ∈ {0, 1}. Given some message adversary MA, in analogy to [11], we call a configuration C = C 0 , σ of A univalent or, more specifically, vvalent, if all processes decided v in C, σ ′ for any σ ′ where σσ ′ ∈ MA. We call C bivalent, if it is not univalent.
Before stating our main theorem, we need to establish an essential technical lemma. It shows for n > 2 that by adding/removing a single edge at a time, we can arrive at any desired rooted communication graph when starting from any other rooted communication graph. Furthermore, during this construction, we can avoid any graphs that contain a certain "undesirable" root component R ′′ . Lemma 2. Let n > 2, G be a rooted communication graph with root(G) = {R}, G ′ be a rooted communication graph with root(G ′ ) = {R ′ }, and R ′′ be some root component with R ′′ = R and R ′′ = R ′ . Then, there is a sequence of communication graphs, G = G 1 , . . . , G k = G ′ s.t. each G i of the sequence is rooted, root(G i ) = R ′′ , and, for 1 i < k, G i and G i+1 differ only in a single edge.
Proof. We show that for any rooted communiaction graph G with root(G i ) = R, there is such a sequence G = G 1 , . . . , G j = G ′ for any communication graph G ′ with root(G ′ ) = R ′ if R ′ differs from R in at most one process, i.e., |R ′ ∪ R \ R ′ ∩ R| 1. Repeated application of this fact implies the lemma, because for n > 2 we can always find a sequence R = R 1 , . . . , R l = R ′ of subsets of Π s.t. for each R i of the sequence we have R i = R ′′ and, for 1 i < l, R i differs from R i+1 by exactly one process. To see this, we observe that in the Hasse diagram of the power set of Π, ordered by set inclusion, there are always two upstream paths leading from any two subsets of Π to a common successor.
We sketch how to construct the desired communication graphs G i of the sequence in three phases.
Phase 1: Remove all edges (one by one) between nodes of R until only a cycle (or, in general, a circuit) remains, remove all edges between nodes outside of R until only chains going out from R remain.
Phase 2: If we need to add a node p to R = root(G i ) to arrive at R ′ , for some q ∈ R, first add (q → p). For If we need to remove a node p from R to arrive at R ′ , for any (q → p), (p → q ′ ) ∈ G i , with q, q ′ ∈ R subsequently add (q → q ′ ) and (q ′ → q), then remove (p → q) and (p → q ′ ). Note that we perform this step also when q = q ′ .
Phase 3: Since we now already have some communication graph G i with root(G i ) = R ′ , it is easy to add/remove edges one by one to arrive at the topology of G ′ . First, we add edges until the nodes of R ′ are completely connected among each other, the nodes not in R ′ are completely connected among each other, and there is an edge from every node of R ′ to each node not in R ′ . Second, we remove the edges not present in Theorem 2. There is no non-uniform consensus algorithm for message adversary ♦STABLE D (x) with 1 x D. This holds even if the adversary must guarantee that, in addition to ♦STABLE D (x), the first D rounds are R-rooted (provided the processes do not know R a priori).
Proof. In the case where D = 1, we need to show the impossibility of ♦STABLE D (1). We immediately note that σ ∈ ♦STABLE D (1) if and only if we have that each G ∈ σ is rooted and a has graph diameter of  Figure 2: Communication graphs for Theorem 2. We assume there is an edge from every process depicted in the graph to every process not depicted in the graph.
1. Clearly, the graph sequence where (i) two fixed processes p, q have non-self-loop in-edges at most from each other and at least one of those present in every G r , and (ii) all other processes have an in-edge from both p and q is in ♦STABLE D (1). However, a trivial modification of [20,Theorem 2] shows that consensus (in particular, among p and q) is impossible in this setting.
For the remainder of the proof, let us thus assume For the induction base, we show that not all round D configurations of A can be univalent: Assume that some algorithm A solves consensus under ♦STABLE ′ D (D) and suppose that all round D configurations of A were univalent.
Let C 0 be some initial configuration of A with x p1 = 0 and x p2 = 1 and recall the graphs G a , G b , G c and G d from Figure 2.
denote the configuration which results from applying G i D times to C 0 . Let S(p) denote the star-like graph where there is an edge from the center vertex p to every other vertex and from every vertex to itself but there are no other edges in the graph. Clearly, C D a is 0-valent since C D a , (S(p 1 )) ∞ D+1 ∈ ♦STABLE ′ D (D) and for p 1 this is indistinguishable from the situation where all processes p have x p = 0. A similar argument shows that C D d is 1-valent.
Consider two cases: (1) C D b is 1-valent. But then, C D a cannot be 0-valent . Hence, not all round D configurations are univalent. For the induction step, let us assume that there exists a bivalent round r configuration C r at the end of round r D. For a contradiction, assume that all round r + 1 configurations reachable from C r are univalent. Thus, there exists a 0-valent round r + 1 configuration C r+1 0 = C r , G 0 that results from applying some communication graph G 0 to C r . Moreover, there is a 1-valent round r + 1 configuration C r+1 1 = C r , G 1 that results from applying some communication graph First, let us show that for G ∈ {G 0 , G 1 }, it holds that, if root(G) = root(G r ), there is an applicable graph G ′ s.t. C r , G ′ has the same valency as C r , G and root(G) = root(G ′ ). The reason for this is that we can construct G ′ from G by simply adding an edge (p → q) for some q = p, p ∈ root(G), q ∈ root(G) if |root(G)| = 1, respectively, by removing (p → q) for some q ∈ root(G) and all p = q if |root(G)| > 1. This yields a graph G ′ with the desired property because The applicability of G ′ follows because G ′ is rooted and root(G ′ ) = root(G r ) ensures that the resulting subsequence is a prefix of some sequence of DIAM(D) for any D > 1, because, for these choices of D, a changing root component trivially satisfies Definition 4.
Hence we can find graphs G ′ 0 , G ′ 1 such that root(G ′ 0 ) = root(G r ), root(G ′ 1 ) = root(G r ), and C r , G ′ 0 is 0-valent while C r , G ′ 1 is 1-valent. As we assumed D 2 it follows that n > 2. We can hence apply Lemma 2 to go from G ′ 0 to G ′ 1 by adding/removing a single edge at a time, without ever arriving at a graph that has more than one root component or has the same root component as G r . Somewhere during adding/removing a single edge, we transition from a graph G i to a graph G i+1 , by modifying an edge (p → q), where the valency of C = C r , G i differs from the valency of C ′ = C r , G i+1 . Nevertheless, G i and G i+1 , are applicable to C r because they are rooted and have a different root component as G r , hence guarantee the membership of the sequence in DIAM(D) for any D > 1. However, C and C ′ cannot have a different valency because C, (S(p)) ∞ r+1 ∼ p C ′ , (S(p)) ∞ r+1 . This is a contradiction and hence not all round r + 1 configurations can be univalent.

SOLVING CONSENSUS WITH D + 1 ROUNDS OF STABILITY
We now present Algorithm 1, which, under the message adversary ♦STABLE D (D + 1), solves consensus if D and a bound N n is known a priori. It relies on an underlying graph approximation algorithm used already in [4,21], which provides each process with a local estimate of past communication graphs. It is easily implemented on top of any full-information protocol 5 and has been omitted for brevity. As stated in Corollaries 1 and 2 below, the local graph estimates allow to faithfully detect the existence of root components with a latency of at most D rounds, with some restrictions.
In our consensus algorithm, processes operate in two alternating states ("not locked"and "locked"). Basically, in the "not locked" state, process p tries to find a root component and, if successful, locks on to it, i.e., considers it a potential base for its decision. This is realized by adapting the local prop p value to the value of the root component (which is the maximum of the proposal values of its members) and setting locked p ← true, thereby entering the "locked" state. Subsequently, p waits for contradictory evidence for a period of time that is long enough to guarantee that every process in the system has adapted to the value of the root component locked-on by p. If p finds contradictory evidence, it backs off by leaving the "locked" state through setting locked p ← false.
In more detail, p changes its state from "not locked"to "locked" when it detects a root component via Line 10 that was present D rounds before the current round. In this case, p enters the locked state by setting locked p ← true and prop p to prop ′ , the maximum value known to any process of the root component in round r − D, via Lines 13 and 14. It furthermore records the current round as ℓ, the so-called lock-round, via Line 15. This is an optimistic mechanism, i.e., the process "hopes" that this root component was already the stable root component promised by the adversary. In this sense, the process starts collecting evidence, possibly contradicting its hope, that stems from the lock-round itself or a more recent round.
If p finds a root component when it is already in the "locked" state, i.e, when it is already locked-on to some root component, it proceeds as follows: First, p checks whether it detected a relevant change in the members of the root component since its lock-round and whether the maximum value, known to the processes of the new root component at the time, is different from its current proposal value. If both checks succeed, there was enough instability for the process to conclude that the currently locked-on root component cannot belong to the stable period; it hence locks-on to the newly detected root component. If the values remained the same, it puts the current round in a queue of 5 Since we are mainly interested in the solvability aspect of consensus, we consider a full-information protocol where processes forward their entire state in every round. As will become apparent from the correctness proof of Algorithm 1, however, it would in fact suffice to exchange the relevant data structures for the last N (D + 2N ) rounds at most. Hence, the same engineering improvements as outlined in [21] can be used to get rid of the simplifying full-information-protocol assumption.
candidate lock-rounds in Line 16. Later, if the process finds evidence that indeed contradicts its hope (as detailed below), it will pick the next lock round from the candidate queue via Line 19, and tries to find contradictory evidence from this round on, thereby ensuring that it cannot miss the promised stable root component.
When p is still in a "locked" state after completing its root component detection, it searches for contradictory evidence. More precisely, contradictory evidence means that p learned of another process q s.t. q is not locked-on to a root component with the same value as p. This is realized via the guard of Line 17. If p finds such evidence, it leaves its locked state and enters the "not locked" state again. A decision occurs when p has received no contradictory evidence for such a long time that every other process has seen that p might be in this situation via Line 21. As we prove in Lemma 4 below, it is guaranteed that if p passes the guard in Line 22, then every other process has p's decision value as its local proposal value forever after. Hence, all future decisions will be based on this value, which leads the system to a safe configuration.

Correctness proof
We now prove the correctness of Algorithm 1 under ♦STABLE D (D + 1). As shown in [21,Lemmas 3 and 4], the simple graph approximation algorithm running underneath our consensus algorithm allows processes to faithfully detect root components under certain circumstances. Denoting process p's round r estimate of root(G s ) as root r p (s), the following two key features can be guaranteed algorithmically (we assume that root r p (s) returns {⊥} if p is unsure about its estimate): Corollary 1. If root r p (s) = {⊥}, then root(G s ) = root r p (s). Furthermore, in round r, process p knows the round s state q s for every q ∈ root(G s ).
We note that Corollary 1 relies critically on the fact that the graph approximation algorithm maintains an under-approximation of past communication graphs.
Corollary 2. If (G r ) s+D r=s is R-rooted, then we have root s+D p (s) = R for every process p.
Note that Corollary 2 is a consequence of the message adversary respecting the dynamic diameter D: In round s + D, for each process q ∈ R, every process received a message containing q s , the round s state of q.
We are now ready to formally analyze Algorithm 1. For this purpose, we introduce the useful term of vlocked root component to denote a root component where all members are v-locked for the same v, i.e., have the proposal v and are in the locked state.
Definition 8. The round r state p r of p is a v-locked state if locked r p = true ∧ prop r p = v. R = root(G r ) is a v-locked root component if all q r with q ∈ R are vlocked.
Algorithm 1: Consensus algorithm, code for process p Let r * q be the last round p heard from q in round r, i.e., q ∈ CP r p (r * q ) and q / ∈ CP r p (r * q + 1). Initialization: 1 prop ← xp /* initially, p proposes own input */ 2 locked ← true /* p starts 'locked-on' */ 3 ℓ ← 1 /* initialize lock-round to start round */ 4 queue ← ∅ /* we assume that max(∅) = 0 */ Round r computation: 5 R ← root r p (r − D) /* Find all roots that were detected since the (estimated) start of the stability phase */ 6 T ← {root r p (i) | max(max(queue), ℓ) − D i r − D} /* For each process, determine its known states within the last N rounds: */ 7 S ← {q s | q ∈ CP r p (r − N ) ∧ s ∈ [r − N, r * q ]} /* Find the proposal values of the locked-on processes of S */ 8 S ′ ← prop s q | q s ∈ S ∧ locked s q = true /* Collect all known states of the last N (D + 2N ) rounds */ 9 S ′′ ← q s | q ∈ CP r p The following technical lemma is key for the proof of the agreement property of consensus. It assures that if a sequence of at least D + 2N communication graphs occurs in which all root components happen to be vlocked by our algorithm, then all the processes' proposal values are v in all subsequent rounds.
Lemma 3. Let σ = (G r ) c r=a be a sequence of communication graphs such that, for some fixed value v, every G r ∈ σ has a v-locked root component and |σ| D+2N . Then, for any process p and all rounds r c, we have