The complexity of verifying population protocols

Population protocols (Angluin et al. in PODC, 2004) are a model of distributed computation in which indistinguishable, finite-state agents interact in pairs to decide if their initial configuration, i.e., the initial number of agents in each state, satisfies a given property. In a seminal paper Angluin et al. classified population protocols according to their communication mechanism, and conducted an exhaustive study of the expressive power of each class, that is, of the properties they can decide (Angluin et al. in Distrib Comput 20(4):279–304, 2007). In this paper we study the correctness problem for population protocols, i.e., whether a given protocol decides a given property. A previous paper (Esparza et al. in Acta Inform 54(2):191–215, 2017) has shown that the problem is decidable for the main population protocol model, but at least as hard as the reachability problem for Petri nets, which has recently been proved to have non-elementary complexity. Motivated by this result, we study the computational complexity of the correctness problem for all other classes introduced by Angluin et al., some of which are less powerful than the main model. Our main results show that for the class of observation models the complexity of the problem is much lower, ranging from Π_2^p to PSPACE.


Introduction
Population protocols are a theoretical model for the study of ad hoc networks of tiny computing devices without any infrastructure [5,6]. The model postulates a "soup" of indistinguishable, finite-state agents that behave identically. Agents repeatedly interact in pairs, changing their states according to a joint transition function. A global fairness condition ensures that every global configuration that is reachable infinitely often is also reached infinitely often. The purpose of a population protocol is to allow agents to collectively compute some information about their initial configuration, defined as the function that assigns to each local state the number of agents that initially occupy it. For example, assume that initially each agent picks a boolean value by choosing, say, q_0 or q_1 as its initial state. The (many) majority protocols described in the literature allow the agents to eventually reach a stable consensus on the value chosen by a majority of the agents. More formally, let x_0 and x_1 denote the initial numbers of agents in states q_0 and q_1; majority protocols compute the predicate ϕ : N × N → {0, 1} given by ϕ(x_0, x_1) = (x_1 ≥ x_0). Throughout the paper, we use the term "predicate" as an abbreviation for "function from N^k to {0, 1} for some k".
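As an illustration (ours, not from the paper), the following sketch implements the classic four-state majority protocol, with active opinion states 'A', 'B' and passive states 'a', 'b'; a short hand-scheduled execution reaches the expected consensus.

```python
from collections import Counter

def delta(p, q):
    """Joint transition function of the classic 4-state majority protocol."""
    rules = {('A', 'B'): ('a', 'b'),   # opposite active opinions cancel out
             ('A', 'b'): ('A', 'a'),   # an active agent converts a passive one
             ('B', 'a'): ('B', 'b')}
    return rules.get((p, q), (p, q))   # any other pair: no state change

def step(config, p, q):
    """One interaction between an agent in state p and an agent in state q."""
    c = Counter(config)
    c[p] -= 1; c[q] -= 1
    assert c[p] >= 0 and c[q] >= 0, "not enough agents for this interaction"
    p2, q2 = delta(p, q)
    c[p2] += 1; c[q2] += 1
    return +c  # unary + drops zero counts

# Input x_A = 2, x_B = 1: the majority opinion is 'A'.
config = Counter({'A': 2, 'B': 1})
config = step(config, 'A', 'B')   # one 'A' and the 'B' cancel
config = step(config, 'A', 'b')   # the surviving 'A' converts the passive 'b'
output = {s: 1 if s in ('A', 'a') else 0 for s in config}
```

Under a fair scheduler the same consensus is eventually reached for every interaction order; here we schedule interactions by hand only to keep the run deterministic.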
The expressive power of population protocols (that is, which predicates they can compute), and their efficiency (how fast they can compute them) have been both extensively studied (see e.g. [2][3][4]28]). In a seminal paper [7], Angluin et al. showed that population protocols can compute exactly the predicates definable in Presburger arithmetic. In the same publication, they observed that while the two-way communication discipline of the standard population protocol model is adequate for natural computing applications, where agents represent molecules or cells that communicate by means of physical encounters, it is less so when agents represent electronic devices, where communication usually takes place by asynchronous message-passing, and information flows only from the sender to the receiver. For this reason, they also conducted a thorough investigation of the expressive power of the population protocol model when two-way communica-tion is replaced by one-way communication. They classified one-way communication models into transmission models, where the sender is allowed to change its state as a result of sending a message, and observation models, where it is not. Intuitively, in observation models the receiver observes the state of the sender, who may not even be aware that it is being observed. Further, they distinguished between immediate delivery models, where a send event and its corresponding receive event occur simultaneously, delayed delivery models, where delivery may take time, but receivers are always willing to receive any message, and queued delivery models, where delivery may take time, and receivers may choose to postpone incoming messages until they have sent a message themselves. This results in five one-way models: immediate and delayed observation, immediate and delayed transmission, and queued transmission. Angluin et al. showed that no one-way model is more expressive than the two-way model, and some of them are strictly less expressive. 
In fact, they characterized the expressive power of each model in terms of natural classes of Presburger predicates.
In this paper we investigate the correctness problem for population protocols, that is, the problem of deciding if a given protocol computes a given Presburger predicate. For each possible input, the configurations reachable from the corresponding initial configuration form a finite transition system; deciding if the protocol reaches a consensus for that input only requires inspecting this transition system, and can be done automatically using a model checker. This approach has been followed in [19,21,45,49], but it only proves the correctness of a protocol for a finite number of (typically small) inputs. The question whether the protocol reaches the right consensus for all inputs remained open until 2015, when Esparza et al. showed that the problem is decidable [32]. However, in the same paper they proved that the correctness problem is at least as hard as the reachability problem for Petri nets. This problem, which was known to be EXPSPACE-hard since the 1970s [42], has recently been shown to be TOWER-hard [24], where TOWER is the union of the classes of problems solvable in k-EXPTIME for every k ≥ 0. Motivated by this high complexity of the two-way model, we examine the complexity of the problem for the one-way models studied in [7]. We show that, very satisfactorily, for observation models the complexity decreases dramatically. In our two main positive results, we prove that correctness is Π_2^p-complete for the delayed observation model, and PSPACE-complete for the immediate observation model, when predicates are specified as quantifier-free formulas of Presburger arithmetic. Surprisingly, we show that this is also the complexity of checking that the protocol is correct for one single given input. So, loosely speaking, in observation models checking correctness for one input and for all infinitely many possible inputs has the same complexity.
In the second part of the paper we present negative results on the transmission models: In all of them, correctness is at least as hard as the reachability problem for Petri nets, and thus TOWER-hard. Further, for the delayed delivery and queued delivery models the single input case is already TOWER-hard, while for the immediate transmission model the single-input problem is PSPACE-complete. On the positive side, we show that the decidability proof of [32] can be easily extended to the immediate and delayed transmission models, but not to the queued transmission model. In fact, for the queued transmission model we leave the decidability of the correctness problem as an open question. However, we also show that this question is less relevant for queued models than for the others. Indeed, in this model the fairness condition of [7] bears no immediate relation to the probabilistic interpretation of population protocols used in the literature in order to study their efficiency. Table 1 summarizes the results and shows their places in the paper.
The paper is organized as follows. Section 2 recalls the protocol models introduced in [7]. Section 3 presents our lower bounds for observation models. Sections 4, 5 and 6, the most involved part of the paper, prove the results leading to the upper bounds for observation models. Section 7 contains the decidability and TOWER-hardness results for transmission-based models. Section 8 gives a brief overview of the most closely related models and approaches that we are aware of.
Previous versions of some of the results of this paper were published in [33] and [34].

Protocol models
After some preliminaries (Sect. 2.1), we recall the definitions of the models introduced by Angluin et al. in [7] (Sects. 2.2 to 2.4), formalize the correctness problem (Sect. 2.5), and rephrase it in two different ways as a reachability problem (Sect. 2.6).

Multisets and populations
A multiset on a finite set E is a mapping C : E → N, i.e., C(e) denotes the number of occurrences of an element e ∈ E in C. Operations on N are extended to multisets by defining them componentwise on each element of E. We define in this way the sum C_1 + C_2, comparison C_1 ≤ C_2, and maximum max{C_1, C_2} of two multisets C_1, C_2. Subtraction, denoted C_1 − C_2, is allowed only if C_1 ≥ C_2. We let |C| := Σ_{e∈E} C(e) denote the total number of occurrences of elements in C, also called the size of C. We sometimes write multisets using set-like notation. For example, both {a, 2·b} and {a, b, b} denote the multiset C such that C(a) = 1, C(b) = 2, and C(e) = 0 for every e ∈ E \ {a, b}. Sometimes we use yet another representation, by assuming a total order e_1 ≺ e_2 ≺ · · · ≺ e_n on E and representing a multiset C by the vector (C(e_1), . . . , C(e_n)) ∈ N^n. A population P is a multiset on a finite set E containing at least two elements, i.e., |P| ≥ 2. The set of all populations on E is denoted Pop(E).
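These multiset operations map directly onto Python's `collections.Counter`; a small sketch (our own illustration, not part of the paper):

```python
from collections import Counter

C1 = Counter({'a': 1, 'b': 2})   # the multiset {a, b, b} = {a, 2·b}
C2 = Counter({'a': 1, 'b': 1})

total = C1 + C2                              # componentwise sum
leq = all(C2[e] <= C1[e] for e in C2)        # comparison C2 <= C1
biggest = C1 | C2                            # componentwise maximum
assert leq                                   # subtraction only allowed when C2 <= C1
diff = C1 - C2
size = sum(C1.values())                      # |C1|: total number of occurrences
vec = tuple(C1[e] for e in ('a', 'b'))       # vector form under the order a < b
```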

A unified model
We recall the unified framework for protocols introduced by Angluin et al. in [7], which allows us to give a generic definition of the predicate computed by a protocol.

Definition 2.1 A (generalized) protocol is a tuple P = (Conf, Σ, Step, I, O), where:
-Conf is a (possibly infinite) set of configurations and Σ is a finite alphabet of input symbols.
-Step ⊆ Conf × Conf is a reflexive step relation, capturing when a first configuration can reach another one in one step.
-I : Pop(Σ) → Conf is an input function that assigns to every input an initial configuration.
-O : Conf → {0, 1} is a partial output function that assigns an output to each configuration on which it is defined.
We write C → C′ and C →* C′ to denote (C, C′) ∈ Step and (C, C′) ∈ Step*, respectively. We say C′ is reachable from C if C →* C′. An execution of P is a (finite or infinite) sequence of configurations C_0, C_1, . . . such that C_j → C_{j+1} for every j ≥ 0. Observe that, since we assume that the step relation is reflexive, all maximal executions (i.e., all executions that cannot be extended) are infinite.
An execution C_0, C_1, . . . is fair if for every C ∈ Conf the following property holds: if there exist infinitely many indices i ≥ 0 such that C_i →* C, then there exist infinitely many indices j ≥ 0 such that C_j = C. In words, in fair executions every configuration which can be reached infinitely often is reached infinitely often.
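For ultimately periodic executions over a finite configuration graph, the fairness condition reduces to a simple check (a sketch of ours, not from the paper): an execution of the form prefix·loop^ω is fair iff every configuration reachable from the loop already lies in the loop.

```python
def reachable(graph, sources):
    """All configurations reachable from a set of sources (graph: dict of adjacency lists)."""
    seen, stack = set(sources), list(sources)
    while stack:
        u = stack.pop()
        for v in graph.get(u, []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def is_fair(graph, loop):
    """Fairness of prefix·loop^ω: the loop must be closed under reachability."""
    return reachable(graph, set(loop)) <= set(loop)

# Toy step relation (reflexive self-steps shown only where used):
graph = {1: [1, 2], 2: [2, 3], 3: [3, 2]}
```

For example, the execution 1,(2,3)^ω is fair, while 1,(1)^ω is not: configuration 2 is reachable from every step but never visited.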
An execution C_0, C_1, . . . converges to b ∈ {0, 1} if there is an index i ≥ 0 such that O(C_j) is defined and equal to b for every j ≥ i. A protocol P computes a predicate ϕ : Pop(Σ) → {0, 1} if for every input D ∈ Pop(Σ) every fair execution starting at I(D) converges to ϕ(D). The correctness problem for a class of protocols consists of deciding, for a given protocol P in the class and a given predicate ϕ : Pop(Σ) → {0, 1}, where Σ is the alphabet of P, whether P computes ϕ. The goal of this paper is to determine the decidability and complexity of the correctness problem for the classes of protocols introduced by Angluin et al. in [7].
In the rest of the section we formally define the six protocol classes studied by Angluin et al., and summarize the results of [7] that characterize the predicates they can compute. Angluin et al. distinguish between models in which agents interact directly with each other, with zero-delay, and models in which agents interact through messages with possibly non-zero transit time. We describe them in Sects. 2.3 and 2.4, respectively.

Immediate delivery models
In immediate interaction models, a configuration only needs to specify the current state of each agent. In delayed models, the configuration must also specify which messages are in transit. Angluin et al. study three immediate delivery models.

Standard Population Protocols (PP).
Population protocols describe the evolution of a population of finite-state agents. Agents are indistinguishable, and interaction is two-way. When two agents meet, they exchange full information about their current states, and update their states in reaction to this information.

Definition 2.2
A standard population protocol is a quintuple P = (Q, δ, Σ, ι, o) where Q is a finite set of states, δ : Q^2 → Q^2 is the transition function, Σ is a finite set of input symbols, ι : Σ → Q is the initial state mapping, and o : Q → {0, 1} is the state output mapping.
Observe that δ is a total function, and so we assume that every pair of agents can interact, although the result of the interaction can be that the agents do not change their states. Every standard population protocol determines a protocol in the sense of Definition 2.1 as follows, where C, C′ ∈ Pop(Q), D ∈ Pop(Σ), and b ∈ {0, 1}:
-the configurations are the populations over Q, that is, Conf = Pop(Q);
-(C, C′) ∈ Step if there exist states q_1, q_2, q_3, q_4 ∈ Q such that δ(q_1, q_2) = (q_3, q_4), C ≥ {q_1, q_2}, and C′ = C − {q_1, q_2} + {q_3, q_4}; the inequality cannot be omitted because some of the states can coincide;
-I(D) = Σ_{σ∈Σ} D(σ)·ι(σ), i.e., each agent starts in the initial state corresponding to its input symbol;
-O(C) = b if o(q) = b for every state q with C(q) ≥ 1, and O(C) is undefined otherwise, i.e., a configuration only has an output if all its agents agree on it.
The two other models with immediate delivery are one-way. They are defined as subclasses of the standard population protocol model.
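The step relation of standard population protocols is easy to make executable; the following sketch (ours, not from the paper) enumerates all one-step successors of a configuration, taking care of the requirement that the two interacting agents be distinct:

```python
from collections import Counter
from itertools import product

def successors(delta, config):
    """All configurations C' with C -> C' for a standard population protocol."""
    succs = set()
    for q1, q2 in product(config, repeat=2):
        if q1 == q2 and config[q1] < 2:   # the two interacting agents must be distinct
            continue
        q3, q4 = delta(q1, q2)
        c = Counter(config)
        c[q1] -= 1; c[q2] -= 1
        c[q3] += 1; c[q4] += 1
        succs.add(frozenset((+c).items()))  # hashable normal form
    return succs

# A single cancellation rule: (A, B) -> (a, b); every other pair is idle.
delta = lambda p, q: ('a', 'b') if (p, q) == ('A', 'B') else (p, q)
succs = successors(delta, Counter({'A': 1, 'B': 1}))
```

Note that the idle pairs make the step relation reflexive, as required by Definition 2.1.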

Immediate Transmission Protocols (IT).
In these protocols, at each step an agent (the sender) sends its state to another agent (the receiver). Communication is immediate, that is, sending and receiving happen in one atomic step. The new state of the receiver depends on both its old state and the old state of the sender, but the new state of the sender depends only on its own old state, and not on the old state of the receiver. Formally:

Definition 2.3 A standard population protocol P = (Q, δ, Σ, ι, o) is an immediate transmission protocol if there exist two functions δ_1 : Q → Q and δ_2 : Q^2 → Q satisfying δ(q_1, q_2) = (δ_1(q_1), δ_2(q_1, q_2)) for every q_1, q_2 ∈ Q.
Immediate Observation Protocols (IO). In these protocols, the state of a first agent can be observed by a second agent, which updates its state using this information. Unlike in the immediate transmission model, the first agent does not update its state (intuitively, it may not even know that it has been observed). Formally:

Definition 2.4 A standard population protocol P = (Q, δ, Σ, ι, o) is an immediate observation protocol if there exists a function δ_2 : Q^2 → Q satisfying δ(q_1, q_2) = (q_1, δ_2(q_1, q_2)) for every q_1, q_2 ∈ Q.
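The conditions of Definitions 2.3 and 2.4 can be checked mechanically for a finite set of states; a sketch (ours, with hypothetical example rules):

```python
def is_immediate_transmission(Q, delta):
    """Definition 2.3: the sender's new state depends only on its own old state."""
    return all(delta(q1, q2)[0] == delta(q1, q3)[0]
               for q1 in Q for q2 in Q for q3 in Q)

def is_immediate_observation(Q, delta):
    """Definition 2.4: the observed agent never changes its state at all."""
    return all(delta(q1, q2)[0] == q1 for q1 in Q for q2 in Q)

Q = {'A', 'B', 'a', 'b'}

# Majority-style rule: genuinely two-way, so neither IT nor IO.
def maj(p, q):
    return {('A', 'B'): ('a', 'b'), ('A', 'b'): ('A', 'a'),
            ('B', 'a'): ('B', 'b')}.get((p, q), (p, q))

# "Copy the observed state": the observer adopts the observed agent's state.
def copy(p, q):
    return (p, p)
```

Note that every IO protocol is in particular an IT protocol (take δ_1 to be the identity), which the checks reflect.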

Delayed delivery models
In delayed delivery models agents communicate by sending and receiving messages. The set of messages that can be sent (and received) is finite. Messages are sent to and received from one single pool of messages; in particular, the sender does not choose the recipient of the message. The pool can contain an unbounded number of copies of a message. Agents update their state after sending or receiving a message. Angluin et al. define the following three delayed delivery models.

Queued Transmission Protocols (QT).
The set of messages an agent is willing to receive depends on its current state. In particular, in some states the agent may not be willing to receive any message.

Definition 2.5 A queued transmission protocol is a tuple P = (Q, M, δ_s, δ_r, Σ, ι, o), where Q is a finite set of states, M is a finite set of messages, δ_s : Q → M × Q is the send function, δ_r : Q × M → Q is the partial receive function, Σ is a finite set of input symbols, ι : Σ → Q is the initial state mapping, and o : Q → {0, 1} is the state output mapping.

Every queued transmission protocol determines a protocol in the sense of Definition 2.1 as follows, where C, C′ ∈ Pop(Q ∪ M), D ∈ Pop(Σ), and b ∈ {0, 1}:
-the configurations are the populations over Q ∪ M, that is, Conf = Pop(Q ∪ M);
-(C, C′) ∈ Step if there exist states q_1, q_2 and a message m such that either δ_s(q_1) = (m, q_2), C ≥ {q_1}, and C′ = C − {q_1} + {q_2, m} (a send step), or δ_r(q_1, m) is defined and equal to q_2, C ≥ {q_1, m}, and C′ = C − {q_1, m} + {q_2} (a receive step);
-I(D) = Σ_{σ∈Σ} D(σ)·ι(σ); notice that since ι does not map symbols of Σ to M, the configuration I(D) has no messages;
-O(C) = b if o(q) = b for every state q with C(q) ≥ 1, and O(C) is undefined otherwise; messages in transit do not influence the output.

Delayed Transmission Protocols (DT). DT protocols are the subclass of QT protocols in which, loosely speaking, agents can never refuse to receive a message. This is modeled by requiring the receive transition function to be total.

Definition 2.6 A queued transmission protocol P is a delayed transmission protocol if its receive function δ_r is a total function.

Delayed Observation Protocols (DO).
Intuitively, DO protocols are the subclass of DT protocols in which "sender" and "receiver" actually mean "observee" and "observer". This is modeled by forbidding the sender to change its state when it sends a message (since the observee may not even know it is being observed).

Definition 2.7 Let P = (Q, M, δ_s, δ_r, Σ, ι, o) be a queued transmission protocol. P is a delayed observation protocol if δ_r is a total function and for every q ∈ Q the send function δ_s satisfies δ_s(q) = (m, q) for some m ∈ M.
Notation. We write q_1 --m+--> q_2 when δ_s(q_1) = (m, q_2), and q_1 --m---> q_2 when δ_r(q_1, m) = q_2, denoting that the message m is added to or removed from the pool of messages, respectively. In the case of DO protocols, we sometimes write simply q_1 --m+-->. The following fact follows immediately from the definitions, but is very important.
Fact. In immediate delivery protocols (PP, IT, IO), if C →* C′ then |C| = |C′|. Indeed, in these models configurations are elements of Pop(Q), and so the size of a configuration is the total number of agents, which does not change when transitions occur. In particular, for every configuration C the number of configurations reachable from C is finite.
In delayed delivery protocols (QT, DT, DO), configurations are elements of Pop(Q ∪ M), and so the size of a configuration is the number of agents plus the number of messages sent but not yet received. Since transitions can increase or decrease the number of messages, the number of configurations reachable from a given configuration can be infinite. Table 2 summarizes the different transition functions and restrictions of the models.
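The send and receive steps of the delayed models can be sketched as follows (our illustration, with a hypothetical DO-style protocol); note how a send increases the configuration size and a receive decreases it:

```python
from collections import Counter

def send(config, q, delta_s):
    """q --m+--> q2: the agent moves to q2 and message m joins the pool."""
    m, q2 = delta_s[q]
    c = Counter(config)
    c[q] -= 1; c[q2] += 1; c[m] += 1
    return +c

def receive(config, q, m, delta_r):
    """q --m---> q2: the agent consumes message m from the pool."""
    q2 = delta_r[(q, m)]
    c = Counter(config)
    c[q] -= 1; c[m] -= 1; c[q2] += 1
    return +c

# Toy DO-style protocol: states announce themselves, observers adopt them.
delta_s = {'p': ('mp', 'p'), 'q': ('mq', 'q')}      # senders stay put (observation)
delta_r = {('q', 'mp'): 'p', ('p', 'mq'): 'q',      # total receive function
           ('p', 'mp'): 'p', ('q', 'mq'): 'q'}

c0 = Counter({'p': 1, 'q': 1})
c1 = send(c0, 'p', delta_s)           # size grows: a message is now in transit
c2 = receive(c1, 'q', 'mp', delta_r)  # size shrinks back
```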
A population P ∈ Pop(Σ) is completely characterized by the number k_i of occurrences of each input symbol σ_i in P, and so we can identify P with the vector (k_1, . . . , k_n). A predicate ϕ : Pop(Σ) → {0, 1} can therefore be seen as a predicate over N^n. A threshold predicate is a predicate of the form Σ_{i=1}^n a_i·k_i ≥ c, where a_1, . . . , a_n, c ∈ Z. The class of Presburger predicates is the closure of the threshold predicates under boolean operations and existential quantification. By the well-known result that Presburger arithmetic has a quantifier elimination procedure, a predicate is Presburger iff it is a boolean combination of threshold and modulo predicates, the latter defined as the predicates of the form Σ_{i=1}^n a_i·k_i ≡_b c (see e.g. [22]). Abusing language, we call a boolean combination of threshold and modulo terms a quantifier-free Presburger predicate.
In [7], Angluin et al. characterize the predicates computable by the six models of protocols we have introduced. Remarkably, all the classes compute only Presburger predicates. More precisely:
-DO computes the boolean combinations of predicates of the form x ≥ 1, where x is an input symbol. This is the class of predicates that depend only on the presence or absence of each input symbol.
-IO computes the boolean combinations of predicates of the form x ≥ c, where x is an input symbol and c ∈ N.
-IT and DT compute the Presburger predicates that are similar to a boolean combination of modulo predicates for sufficiently large inputs; for the exact definition of similarity we refer the reader to [7].
-PP and QT compute exactly the Presburger predicates.
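These predicate classes are easy to evaluate directly; a sketch (ours, names hypothetical) of threshold and modulo predicates over an input vector (k_1, . . . , k_n):

```python
def threshold(a, c):
    """The threshold predicate  sum_i a_i * k_i >= c."""
    return lambda k: sum(ai * ki for ai, ki in zip(a, k)) >= c

def modulo(a, b, c):
    """The modulo predicate  sum_i a_i * k_i = c (mod b)."""
    return lambda k: sum(ai * ki for ai, ki in zip(a, k)) % b == c % b

# Majority, phi(x0, x1) = (x1 >= x0), as a threshold predicate:
majority = threshold((-1, 1), 0)
# "x >= 1" and "x >= c": the building blocks of the DO and IO classes.
present = threshold((1,), 1)
at_least_3 = threshold((1,), 3)
parity = modulo((1, 1), 2, 0)   # total number of agents is even
```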
The results of [7] are important in order to define the correctness problem. The inputs to the problem are a protocol and a predicate. The protocol is represented by giving its sets of states, transitions, etc. However, we still need a finite representation for Presburger predicates. There are three possible candidates: full Presburger arithmetic, quantifier-free Presburger arithmetic, and semilinear sets. Semilinear sets are difficult to parse by humans, and no paper on population protocols uses them to describe predicates. Full Presburger arithmetic is very succinct, but its satisfiability problem lies between 2-NEXP and 2-EXPSPACE [10,35,37]. Since the satisfiability problem can be easily reduced to the correctness problem, choosing full Presburger arithmetic would "mask" the complexity of the correctness problem in the size of the protocol for several protocol classes. This leaves quantifier-free Presburger arithmetic, which also has several advantages of its own. First, standard predicates studied in the literature (like majority, threshold, or remainder predicates) are naturally expressed without quantifiers. Second, there is a synthesis algorithm for population protocols that takes a quantifier-free Presburger predicate as input and outputs a population protocol (not necessarily efficient or succinct) that computes it [5,6]; a recent, more involved algorithm even outputs a protocol with polynomially many states in the size of the predicate [13]. Third, the satisfiability problem for quantifier-free Presburger predicates is "only" NP-complete, and, as we shall see, the complexity in the size of the protocol will always be higher for all protocol classes.
Taking these considerations into account, we formally define the correctness problem as follows: Correctness problem Given: A protocol P over an alphabet Σ, belonging to one of the six classes PP, DO, IO, DT, IT, QT; a quantifier-free Presburger predicate ϕ over Σ. Decide: Does P compute the predicate represented by ϕ?
We also study the correctness problem over a single input. We refer to it as the single-instance correctness problem and define it in the following way: Single-instance correctness problem Given: A protocol P over an alphabet Σ and with initial state mapping ι, belonging to one of the six classes PP, DO, IO, DT, IT, QT; an input D ∈ Pop(Σ), and a boolean b. Decide: Do all fair executions of P starting at I(D) converge to b?

Correctness as a reachability problem
In the coming sections we will obtain matching upper and lower bounds on the complexity of the correctness problem for different protocol classes. The upper bounds are obtained by reducing the correctness problem to two different reachability problems. The reductions require the protocols to be well behaved. We first define well-behaved protocols, and then present the two reductions.
Well-behaved protocols. Let P be a generalized protocol. A configuration C of P is a bottom configuration if C →* C′ implies C′ →* C for every configuration C′. In other words, C is a bottom configuration if it belongs to a bottom strongly connected component (SCC) of the configuration graph of the protocol. We say that P is well behaved if every fair execution of P eventually visits a bottom configuration. We show that all our protocols are well behaved, with the exception of queued transmission protocols. Essentially, this is the reason why the decidability of the correctness problem for QT is still open.

Lemma 2.9 Standard population protocols (PP) and delayed transmission protocols (DT) are well behaved.
Proof In standard population protocols, if C →* C′ then |C| = |C′|. It follows that for every configuration C ∈ Conf the set of configurations reachable from C is finite. So every fair execution eventually visits a bottom configuration.
In delayed transmission protocols, the size of a configuration is equal to the number of agents plus the number of messages in transit. So there is no bound on the size of the configurations reachable from a given configuration C, and in particular the set of configurations reachable from C can be infinite. However, since agents can always receive any message, from every configuration at least one configuration Z without any message in transit is reachable. Since the number of such configurations with a given number of agents is finite, for every fair execution π = C_0, C_1, . . . there is a configuration Z without messages in transit such that C_i = Z for infinitely many i. By fairness, every configuration C′ reachable from Z also appears infinitely often in π, and so every configuration C′ reachable from Z satisfies C′ →* Z. So Z is a bottom configuration.
Since IT and IO are subclasses of PP and DO is a subclass of DT, the proof is valid for IT, IO, and DO as well. The following example shows that queued transmission protocols are not necessarily well behaved.

Example 2.10
Consider a queued-transmission protocol in which an agent in state q can send a message m, staying in q. Assume further that no agent can ever receive a message m (because, for example, there are no receiving transitions for it). Then any execution in which the agent in state q sends the message m infinitely often and never receives any messages is fair: Indeed, after k steps the system can only reach configurations with at least k messages, and so no configuration is reachable from infinitely many configurations in the execution. Since this fair execution does not visit any bottom configuration, the protocol is not well-behaved. Moreover, if q is the only state of the protocol, there are no bottom configurations at all.
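On a finite configuration graph, bottom configurations can be computed directly from the definition; a sketch (ours, not from the paper):

```python
def reach(graph, src):
    """All configurations reachable from src (graph: dict of adjacency lists)."""
    seen, stack = {src}, [src]
    while stack:
        u = stack.pop()
        for v in graph.get(u, []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def is_bottom(graph, c):
    """C is bottom iff every configuration reachable from C can reach C back."""
    return all(c in reach(graph, d) for d in reach(graph, c))

# Toy configuration graph: 0 can fall into the bottom SCC {1, 2}.
graph = {0: [0, 1], 1: [1, 2], 2: [2, 1]}
```

For infinite configuration graphs, as in Example 2.10, no such direct enumeration is possible, which is precisely the difficulty with QT protocols.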
Characterizing correctness of well-behaved protocols. We start with a useful lemma valid for arbitrary protocols.

Lemma 2.11 ([7]) Every finite execution of a generalized protocol can be extended to a fair execution.

Proof Let Conf be the set of configurations of the protocol, and let π be a finite execution. Fix an infinite sequence ρ = C_0, C_1, . . . of configurations such that every configuration of Conf appears infinitely often in ρ. Define the infinite execution π_0 π_1 π_2 . . . and an infinite subsequence C_{i_0}, C_{i_1}, . . . of ρ inductively as follows. For j = 0, let π_0 := π and C_{i_0} := C_0. For every j ≥ 0, let π_{j+1} be any execution extending π_0 . . . π_j to C_{i_{j+1}}, the first configuration of ρ after C_{i_j} that is reachable from the last configuration of π_0 . . . π_j. It is easy to see that π_0 π_1 π_2 . . . is fair.

Now we introduce some notation. Let P = (Conf, Σ, Step, I, O) be a generalized protocol, and let ϕ be a predicate.
-The sets of predecessors and successors of a set M of configurations of P are defined as pre*(M) := {C ∈ Conf : C →* C′ for some C′ ∈ M} and post*(M) := {C′ ∈ Conf : C →* C′ for some C ∈ M}.
-For every b ∈ {0, 1}, we let Con_b := O^{-1}(b), the set of configurations with output b. We call Con_b the set of b-consensus configurations.
-For every b ∈ {0, 1}, we let St_b denote the set of configurations C such that every configuration reachable from C (including C itself) has output b. St stands for stable output. It follows easily from the definitions of pre* and post* that St_b = Conf \ pre*(Conf \ Con_b). Indeed, the equation states that a configuration belongs to St_b iff it cannot reach any configuration with output 1 − b, or with no output.
-For every b ∈ {0, 1}, we let I_b := I(ϕ^{-1}(b)). In other words, I_b is the set of initial configurations for which P should output b in order to compute ϕ.

Proposition 2.12 Let P = (Conf, Σ, Step, I, O) be a well-behaved generalized protocol and let ϕ be a predicate. P computes ϕ iff post*(I_b) ⊆ pre*(St_b) for every b ∈ {0, 1}.

Proof Assume first that post*(I_b) ⊆ pre*(St_b) for every b ∈ {0, 1}, and let π be a fair execution starting at a configuration of I_b. We show that π converges to b. Protocol P is well behaved, so π contains a bottom configuration C of a bottom SCC. Since C ∈ post*(I_b), by assumption C ∈ pre*(St_b), i.e., C →* C′ for some C′ ∈ St_b. As C is a bottom configuration, also C′ →* C, and so every configuration of π after C is reachable from C′. By the definition of St_b all these configurations have output b, and so π converges to b.

Assume now that P computes ϕ, i.e., that every fair execution starting in I_b converges to b, and let C ∈ post*(I_b). There exists C_0 ∈ I_b such that C_0 →* C and, by Lemma 2.11, this finite execution can be extended to a fair infinite execution π. Since P is well behaved, the execution contains, after C, a bottom configuration C′ of a bottom SCC B. If B ⊆ St_b then C ∈ pre*(St_b) and our proof is done. Suppose this is not the case, i.e., B ∩ St_b = ∅ (within an SCC either all configurations belong to St_b or none does). This means that there is a configuration Ĉ ∉ Con_b that is in B. It is thus reachable from any configuration of π after C′, and so by fairness it is reached infinitely often. Thus π does not converge to b, contradicting the correctness assumption.
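For protocols whose configuration graph is finite, Proposition 2.12 yields a direct correctness check; a sketch (ours, with a toy abstract protocol and the output function given as a partial dict):

```python
def post_star(graph, sources):
    """post*(M): everything reachable from the set M (graph: dict of adjacency lists)."""
    seen, stack = set(sources), list(sources)
    while stack:
        u = stack.pop()
        for v in graph.get(u, []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen

def computes(graph, out, inputs_by_b):
    """Check that post*(I_b) is included in pre*(St_b) for each b, as in Proposition 2.12."""
    for b, Ib in inputs_by_b.items():
        st_b = {c for c in graph
                if all(out.get(d) == b for d in post_star(graph, {c}))}
        pre_st_b = {c for c in graph if post_star(graph, {c}) & st_b}
        if not post_star(graph, Ib) <= pre_st_b:
            return False
    return True

# Toy protocol: from s (no output) the only bottom configuration is g.
graph = {'s': ['s', 'g'], 'g': ['g']}
```

With output 1 on g the criterion holds; flipping g's output to 0 while still requiring convergence to 1 makes it fail.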
A second characterization. Proposition 2.12 is useful when it is possible to compute adequate finite representations of the sets post * (I b ) and pre * (St b ). We will later see that this is the case for IO and DO protocols. Unfortunately, such finite representations have not yet been found for PP or for transmission protocols. For this reason, our results for these classes will be based on a second characterization.
Let P = (Conf, Σ, Step, I, O) be a well-behaved generalized protocol, and let B denote the set of bottom configurations of P. Further, for every b ∈ {0, 1}, let B_b denote the set of configurations C ∈ B such that every configuration reachable from C has output b. Observe that every fair execution of a well-behaved protocol eventually gets trapped in a bottom strongly connected component of the configuration graph and, by fairness, visits all its configurations infinitely often. Further, if any configuration of the SCC belongs to B_b, then all of them belong to B_b. This holds independently of whether the SCC contains finitely or infinitely many configurations.

Proposition 2.13 Let P be a well-behaved generalized protocol and let ϕ be a predicate. P computes ϕ iff for every b ∈ {0, 1} the set B \ B_b is not reachable from I_b.
Proof Assume that B \ B_b is reachable from I_b for some b ∈ {0, 1}. Then there exist an input a ∈ Pop(Σ) and an execution C_0, C_1, . . . , C_i such that ϕ(a) = b, I(a) = C_0, and C_i ∈ B \ B_b. By Lemma 2.11 the execution can be extended to a fair execution C_0, C_1, . . .. Since C_{i+k} →* C_i for every k ≥ 0, the execution visits C_i and, by fairness, all its successors infinitely often. Since C_i ∉ B_b, some configuration reachable from C_i does not have output b, and so the execution does not converge to b. So P does not compute ϕ.
Assume now that P does not compute ϕ. Then there exist an input a ∈ Pop(Σ), a boolean b ∈ {0, 1}, and a fair execution π = C_0, C_1, . . . such that ϕ(a) = b and I(a) = C_0, but π does not converge to b. Since P is well behaved, π contains a configuration C_i ∈ B. Since π does not converge to b, there is j > i such that O(C_j) is undefined, or defined but different from b. Since C_j belongs to the same SCC as C_i, it is reachable from C_i, and so C_i ∉ B_b. Hence C_i ∈ B \ B_b is reachable from I_b.

Lower bounds for observation models
We prove that the correctness problem is PSPACE-hard for IO protocols and Π_2^p-hard for DO protocols, and that these results also hold for the single-instance problem.

Correctness of IO protocols is PSPACE-hard
We prove that the single-instance correctness and correctness problems for IO protocols are PSPACE-hard by reduction from the acceptance problem for bounded-tape Turing machines. We show that the standard simulation of bounded-tape Turing machines by 1-safe Petri nets, as described for example in [20,29], can be modified to produce an IO protocol. This works for IO protocols but not for DO protocols: the simulation of the Turing machine relies on the fact that a transition can only occur in an IO protocol if an agent observes another agent in a certain state at the present moment.
We fix a deterministic Turing machine M with set of control states Q, alphabet Σ containing the blank symbol, and partial transition function δ : Q × Σ → Q × Σ × D, where D = {−1, +1}. Let K denote an upper bound on the number of tape cells visited by the computation of M on empty tape. We assume that K is provided with M in unary encoding.
The implementation of M is the IO protocol P_M described below. Strictly speaking, P_M is not a complete protocol, only two sets of states and transitions. The rest of the protocol, which is slightly different for the single-instance correctness and the correctness problems, is described in the proofs.

States of P_M. The protocol P_M contains two sets of cell states and head states, modeling the state of the tape cells and the head, respectively. The cell states are:
-off[σ, n] for each σ ∈ Σ and 1 ≤ n ≤ K. An agent in off[σ, n] denotes that cell n contains symbol σ, and the cell is "off", i.e., the head is not on it.
-on[σ, n] for each σ ∈ Σ and 1 ≤ n ≤ K, with the analogous intended meaning.
The head states are:
-at[q, n] for each q ∈ Q and 1 ≤ n ≤ K. An agent in at[q, n] denotes that the head is in control state q and at cell n.
-move[q, σ, n, d] for each q ∈ Q, σ ∈ Σ, 1 ≤ n ≤ K, and every d ∈ D such that 1 ≤ n + d ≤ K. An agent in move[q, σ, n, d] denotes that the head is in control state q, has left cell n after writing symbol σ on it, and is currently moving in the direction given by d.
Finally, in the proofs below P_M is extended with two special states, observer and success; intuitively, P_M uses them to detect that M has accepted.

Transitions of P_M. The transitions of P_M simulate one step of M in four stages:
-Type 1a: A transition off[σ, n] --at[q,n]--> on[σ, n] for every q ∈ Q, σ ∈ Σ, and 1 ≤ n ≤ K. The cell observes that the head has arrived, and turns itself on.
-Type 1b: A transition on[σ, n] --move[q,σ′,n,d]--> off[σ′, n] for every q ∈ Q, σ, σ′ ∈ Σ, 1 ≤ n ≤ K, and d ∈ D such that 1 ≤ n + d ≤ K. The cell observes that the head is leaving after writing σ′, records the new symbol, and turns itself off.
-Type 2a: A transition at[q, n] --on[σ,n]--> move[q′, σ′, n, d] for every q ∈ Q, σ ∈ Σ, and 1 ≤ n ≤ K such that δ(q, σ) = (q′, σ′, d) and 1 ≤ n + d ≤ K. The head, currently on cell n, observes that the cell is on, writes the new symbol on it (recorded by the cell in the Type 1b transition), and leaves.
- Type 2b: A transition move[q, σ, n, d] −off[σ, n]→ at[q, n + d] for every q ∈ Q, σ ∈ Σ, d ∈ D, and 1 ≤ n ≤ K such that 1 ≤ n + d ≤ K . The head, currently moving, observes that the old cell has turned off, and places itself on the new cell.

Figure 1 graphically represents some of the states and transitions of P M ; the double arcs indicate the states being observed. We define the configuration of P M that corresponds to a given configuration of the Turing machine.

Definition 3.1 Given a configuration c of M with control state q, tape content σ 1 σ 2 · · · σ K , and head on cell n ≤ K , let C c be the configuration that puts one agent in off[σ i , i] for each 1 ≤ i ≤ K , one agent in at[q, n], and no agents elsewhere.

Proof By Lemma A.3, for every c there is either zero or one possibility for the sequence t 1 , t 2 , t 3 , t 4 starting in C c . It is easy to see from the definition of the move[·, ·, ·, ·] states that if such a sequence exists, it results in C c′ for the configuration c′ such that c → c′. If no such sequence exists, the failure must occur when trying to populate a move[·, ·, ·, ·] state. In that case the configuration c must be blocked, either because the transition is undefined or because the head would move out of bounds. □

Now we can finally prove the PSPACE lower bound.

Theorem 3.3
The single-instance correctness and correctness problems for IO protocols are PSPACE-hard.
Proof By reduction from the following problem: given a polynomially space-bounded deterministic Turing machine M with two distinguished states q acc , q rej , such that the computation of M on the empty tape ends when M enters q acc or q rej for the first time (and one of the two always occurs), decide whether M accepts, i.e., whether the computation on the empty tape reaches q acc . The problem is known to be PSPACE-hard.
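The source problem of the reduction can be made concrete with a small sketch. The encoding of δ as a dictionary and the handling of loops and out-of-bounds moves are our illustrative choices, not the paper's; the paper additionally assumes the computation always halts in q acc or q rej.

```python
# Sketch (not from the paper): acceptance of a deterministic Turing
# machine that uses at most K tape cells -- the PSPACE-hard problem
# the reduction starts from. All names here are illustrative.

def accepts(delta, q0, q_acc, q_rej, K, blank="_"):
    """Run a deterministic TM on the empty tape restricted to K cells.

    delta maps (state, symbol) -> (state', symbol', direction) with
    direction in {-1, +1}. Returns True iff q_acc is reached.
    """
    tape = [blank] * K
    q, pos = q0, 0
    seen = set()  # detect looping within the K-cell space
    while q not in (q_acc, q_rej):
        config = (q, pos, tuple(tape))
        if config in seen:
            return False  # the machine loops, so it never accepts
        seen.add(config)
        q, tape[pos], d = delta[(q, tape[pos])]
        pos += d
        if not (0 <= pos < K):
            return False  # head leaves the allotted cells
    return q == q_acc

# Toy machine: write 'a', step right, accept on the blank cell.
delta = {("q0", "_"): ("q1", "a", +1), ("q1", "_"): ("qa", "_", +1)}
print(accepts(delta, "q0", "qa", "qr", K=3))  # True
```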
Single-instance correctness. We construct a protocol P and an input D 0 such that M accepts on empty tape iff all fair executions of P starting at the configuration I (D 0 ) converge to 1.
Definition of P. Let P M be the IO protocol implementation of M. We add two states to P M , called observer and success. We also add transitions allowing an agent in state observer to move to success by observing any agent in a state of the form at[q acc , i] (transitions (i)), as well as transitions allowing an agent in success to "attract" agents in all other states to success (transitions (ii)). Further, we set the output function to 1 for the state success, and to 0 for all other states. Finally, we choose the alphabet of input symbols of P as {1, 2, . . . , K + 2}, and define the input function so that the first K symbols are mapped to the initial states of the K tape cells, and the last two to the initial state of the head and to observer, respectively.

Definition of D 0 . We choose D 0 as the input satisfying D 0 (i) = 1 for every input symbol of P. It follows that I (D 0 ) is the configuration of P corresponding to the initial configuration of M on the empty tape. By Theorem 3.2, the fair executions of P from I (D 0 ) simulate the execution of M on the empty tape.
Correctness of the reduction. If M accepts, then, since P simulates the execution of M on the empty tape, every fair execution of P starting at I (D 0 ) eventually puts an agent in a state of the form at[q acc , i]. This agent stays there, and so the agent in state observer eventually moves to success (transitions (i)), after which all agents are eventually attracted to success (transitions (ii)). So all fair executions of P starting at I (D 0 ) converge to 1. If M rejects, then no execution of P starting at I (D 0 ) (fair or not) ever puts an agent in success. Since all other states have output 0, all fair executions of P starting at I (D 0 ) converge to 0.
Correctness. Notice that the hardness proof for single-instance correctness establishes PSPACE-hardness already for restricted instances (P, D) satisfying D(q) ∈ {0, 1} for every state q. Call this restricted variant the 0/1-single-instance correctness problem for IO. We claim that the 0/1-single-instance correctness problem for IO is polynomial-time reducible to the correctness problem for IO. By PSPACE-hardness of the 0/1-single-instance correctness problem for IO, the claim entails PSPACE-hardness of the latter.
Let us now show the claim. Given an IO protocol P and a configuration D for the 0/1-single-instance correctness problem, we provide a polynomial-time construction of an IO protocol P′ such that P′ computes the constant predicate ϕ(x) = 0 if and only if every fair run of P starting in D stabilizes to 0. It is well known that, given two protocols P 1 and P 2 with n 1 and n 2 states computing two predicates ϕ 1 and ϕ 2 , one can construct a third protocol computing ϕ 1 ∧ ϕ 2 , often called the synchronous product, whose states are pairs of states of P 1 and P 2 , and which therefore has O(n 1 · n 2 ) states (see e.g. [6]). We define P′ as the synchronous product of P with a protocol P D that computes whether the input is equal to D. The output function of P′ maps a product state (q 1 , q 2 ) to 1 if and only if both q 1 and q 2 map to output 1 in their respective protocols. Thus, a fair run of P′ stabilizes to 1 if and only if the input configuration equals D and P stabilizes to 1 for input D, which is precisely the case if (P, D) is a positive instance of the 0/1-single-instance problem.
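The synchronous-product construction invoked here can be sketched concretely. The encoding of an IO protocol as a triple (states, partial transition function, output map) is ours, and the two one-bit toy protocols are invented for illustration; see [6] for the actual construction.

```python
# Hedged sketch of the synchronous product of two IO protocols: states
# of the product are pairs of component states, and the product output
# is the conjunction of the component outputs.

def product(P1, P2):
    Q1, d1, out1 = P1
    Q2, d2, out2 = P2
    Q = [(a, b) for a in Q1 for b in Q2]
    delta = {}
    for (q1, q2) in Q:          # observing agent
        for (o1, o2) in Q:      # observed agent
            # each component moves according to its own transition
            # function, or stays put if no transition is defined
            t1 = d1.get((q1, o1), q1)
            t2 = d2.get((q2, o2), q2)
            if (t1, t2) != (q1, q2):
                delta[((q1, q2), (o1, o2))] = (t1, t2)
    out = {(a, b): out1[a] and out2[b] for (a, b) in Q}
    return Q, delta, out

# Two one-bit toy protocols; the product has |Q1|*|Q2| = 4 states.
P1 = (["x", "y"], {("x", "y"): "y"}, {"x": False, "y": True})
P2 = (["u", "v"], {("u", "v"): "v"}, {"u": False, "v": True})
Q, delta, out = product(P1, P2)
print(len(Q), out[("y", "v")])  # 4 True
```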
It remains to show that P D is polynomial-time constructible. Such a protocol is well known, but we repeat the definition. Let D = (d 1 , . . . , d m ) with d i ∈ {0, 1}, and let i 1 < i 2 < . . . < i k be the maximal sequence of indices satisfying d i j = 1 for every j. Since every population has at least two agents, we have k ≥ 2. We first construct an IO protocol P ψ that computes the predicate ψ = (d i 1 ≥ 1 ∧ d i 2 ≥ 1 ∧ . . . ∧ d i k ≥ 1), using m + k − 1 states. The states of P ψ are Q P ∪ {2, . . . , k}, where Q P is the set of states of P. The input mapping of P ψ is identical to the input mapping of P. Let q i j denote the state that corresponds to the entry d i j in D. The transitions of P ψ are defined so that some agent eventually reaches state k if and only if every state q i j is populated. All states except k map to output 0. It is readily seen that P ψ computes ψ. Further notice that the predicate x = D is equivalent to ψ ∧ |x| ≤ k. Moreover, it is well known that the conjunct |x| ≤ k is computable with k states by an immediate observation protocol (see e.g. [6]), and thus we can define P D as the synchronous product of P ψ with the protocol that computes |x| ≤ k, using poly(k) states. This completes the proof. □
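The counting idea behind the k-state protocols cited here can be illustrated by simulation. The concrete transition rule below ("an agent in level i that observes another agent in level i moves to level i + 1") is our guess at a standard counting gadget, not a definition taken from the paper.

```python
# Hedged sketch of an IO counting gadget in the spirit of the protocols
# for |x| <= k cited as well known in the text.

def reachable_levels(n, k):
    """Exhaustive search: highest level that n agents can populate."""
    start = (n,) + (0,) * (k - 1)  # all agents start in level 1
    seen, frontier = {start}, [start]
    while frontier:
        conf = frontier.pop()
        for i in range(k - 1):
            if conf[i] >= 2:  # observer plus observed agent in level i+1
                nxt = list(conf)
                nxt[i] -= 1
                nxt[i + 1] += 1
                t = tuple(nxt)
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
    return max(i + 1 for c in seen for i in range(k) if c[i] > 0)

# A level m <= k becomes populated iff the population has >= m agents,
# which is what lets a k-state IO protocol detect the population size.
print([reachable_levels(n, 5) for n in range(2, 6)])  # [2, 3, 4, 5]
```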

Single-instance correctness and correctness of DO protocols are Π2^p-hard
We show that the single-instance correctness and the correctness problems are Π2^p-hard for DO protocols, where Π2^p = coNP^NP is one of the two classes at the second level of the polynomial hierarchy [48]. Consider the natural complete problem for Σ2^p: given a boolean circuit Γ with inputs x = (x 1 , . . . , x n ) and y = (y 1 , . . . , y m ), is there a valuation of x such that for every valuation of y the circuit outputs 1? We call the inputs of x and y existential and universal, respectively. Given Γ with inputs x and y, we construct in polynomial time a DO protocol P Γ with input symbols {x 1 , . . . , x n } that computes the false predicate, i.e., the predicate answering 0 for all inputs, iff Γ does not satisfy the property above. This shows that the correctness problem for DO protocols is Π2^p-hard. A small modification of the proof shows that single-instance correctness is also Π2^p-hard.

The section is divided into several parts. We first introduce basic notations about boolean circuits. Then we sketch a construction that, given a boolean circuit Γ, returns a circuit evaluation protocol that nondeterministically chooses values for the input nodes and simulates an execution of Γ on these inputs. In a third step we add some states and transitions to the evaluation protocol to produce the final DO protocol P Γ . The fourth and final step proves the correctness of the reduction.

Boolean circuits.
A boolean circuit Γ is a directed acyclic graph. The nodes of Γ are either input nodes, which have no incoming edges, or gates, which have at least one incoming edge. A gate with k incoming edges is labeled by a boolean operation of arity k. We assume that k is bounded by some constant. This assumption is innocuous, since it is well known that every boolean function can be implemented by a combination of gates of constant arity. The nodes with outgoing edges leading to a gate g are called the arguments of g. There is a distinguished output gate g o without outgoing edges. We assume that every node is connected to the output gate by at least one path.
A circuit configuration assigns to each input node a boolean value, 0 or 1, and to each gate a value 0, 1, or ?, where ? denotes that the value has not yet been computed and is therefore still unknown. A configuration is initial if it assigns ? to all gates. The step relation between circuit configurations is defined as usual: a gate can change its value to the result of applying its boolean operation to the arguments; if at least one of the arguments has value ?, then by definition the result of the boolean operation is also ?.
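The step relation just described amounts to strict three-valued evaluation, which the following sketch renders directly; the list encoding of circuits and the symbol "?" for the unknown value are our illustrative choices.

```python
# Three-valued circuit semantics: gates hold 0, 1, or "?" (unknown),
# and a gate step yields "?" whenever some argument is still "?".

UNKNOWN = "?"

def gate_step(op, args):
    """Strict evaluation: unknown if any argument is unknown."""
    if UNKNOWN in args:
        return UNKNOWN
    return op(*args)

def evaluate(circuit, inputs):
    """circuit: topologically ordered list of (gate, op, argument names)."""
    values = dict(inputs)          # input nodes get their chosen values
    for gate, op, arg_names in circuit:
        values[gate] = gate_step(op, [values[a] for a in arg_names])
    return values

# g1 = x1 AND y1, go = NOT g1 (the output gate)
circuit = [("g1", lambda a, b: a & b, ["x1", "y1"]),
           ("go", lambda a: 1 - a, ["g1"])]
print(evaluate(circuit, {"x1": 1, "y1": 0})["go"])        # 1
print(evaluate(circuit, {"x1": 1, "y1": UNKNOWN})["go"])  # ?
```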
The protocol P Γ . Given a circuit Γ with output gate g o , we define the circuit evaluation protocol P Γ = (Q, M, δ s , δ r , Σ, ι, o). As mentioned above, P Γ nondeterministically chooses input values for Γ , and simulates an execution on them.
States. The set Q of states contains all tuples (n, v n , arg, v o ), where:

- n is a node of Γ (either an input node or a gate);
- v n ∈ {0, 1, ?} represents the current opinion of the agent about the value of n;
- arg ∈ {0, 1, ?}^k , where k is the number of arguments of n, represents the current opinion of the agent about the values of the arguments of n (if n is an input node, then arg is the empty tuple);
- v o ∈ {0, 1, ?} represents the current opinion of the agent about the value of the output gate g o .
Alphabet, input and output functions. The set Σ of input symbols is the set of nodes of Γ . The initial state mapping ι maps each node n to the state ι(n) := (n, ?, (?, . . . , ?), ?), i.e., to the state with node n and all values still unknown. The output function maps a state (n, v n , arg, v o ) to 1 iff v o = 1. Intuitively, agents have opinion 1 if they think the circuit outputs 1, and 0 if they think the circuit outputs 0 or has not yet produced an output.

Messages. The set M of messages contains all pairs (n, v), where n is a node and v ∈ {0, 1, ?} is a value.
Transitions. An agent in state (n, v n , arg, v o ) can:

- Send the message (n, v n ), i.e., an agent can send its node and its current opinion on the value of the node.
- Receive a message (m, v m ), after which the agent updates its state as follows:

(1) If n is an input node and v n = ?, then if m = n the agent moves to state (n, 0, arg, v o ), i.e., sets its value to 0, and if m = g o it moves to state (n, 1, arg, v o ), i.e., sets its value to 1. Intuitively, this is an artificial but simple way of ensuring that each input node nondeterministically chooses a value, 0 or 1, depending on whether it first receives a message from itself or from the output node.

Notice that if an agent is initially in state ι(n), then it remains forever in states having n as node. So it makes sense to speak of the node of an agent. Let us examine the behaviour of P Γ from the initial configuration C 0 that puts exactly one agent in state ι(n) for every node n. The executions of P Γ from C 0 exactly simulate the executions of the circuit. Indeed, the transitions of (1) ensure that each input agent (i.e., every agent whose node is an input node) eventually chooses a value, 0 or 1. The transitions of (2) simulate the computations of the gates. Finally, the transitions of (3) ensure that every agent eventually updates its opinion of the value of g o to the value computed by Γ for the chosen input. The following lemma, proved in "Appendix B", formalizes this.

Lemma 3.4
Let Γ be a circuit and let P Γ be its evaluation protocol. Let C 0 be the initial configuration that puts exactly one agent in state ι(n) for every node n. A fair execution starting at C 0 eventually reaches a configuration C where each input agent is in a state with value 0 or 1, and these values do not change afterwards. The tail of the execution starting at C converges to a stable consensus equal to the output of Γ on these assigned inputs.
Observe, however, that P Γ also has initial configurations whose executions may not simulate any execution of Γ . For example, this is the case of an initial configuration that puts two agents in state ι(n) for some node n, and the executions in which one of these agents chooses input 0 for n, and the other input 1. It is also the case of an initial configuration that puts zero agents in state ι(n) for some node n. Observe further that P Γ can only select values for the inputs, and simulate an execution of Γ . We need a protocol that selects values for the existential inputs, and can then repeatedly simulate the circuit for different values of the universal inputs. These two problems are solved by appropriately extending P Γ with new states and transitions.
The protocol P Γ . We add a new state ⊥ and some transitions to the circuit evaluation protocol in order to obtain the final protocol P Γ :

(4) An agent in state ⊥ can send the message m ⊥ .

(5) An agent in state ⊥ that receives any message (including m ⊥ ) stays in state ⊥; an agent (in any state, including ⊥) that receives m ⊥ moves to state ⊥.
(In particular, if some agent ever reaches state ⊥, then all agents eventually reach state ⊥ and stay there, and so the protocol converges to 0.)

(6) If an agent in state (n, v n , arg, v o ), where n is an existential input node and v n ≠ ?, receives a message (n, v′ n ) such that v′ n ≠ v n and v′ n ≠ ?, then the agent moves to state ⊥.
(Intuitively, if an agent discovers that another agent has chosen a different value for the same existential input, then the agent moves to ⊥, and so, by the observation above, the protocol converges to 0.)

(7) If an agent in state (n, v n , arg, v o ), where n is a universal input node and v n ≠ ?, receives a message (g o , 1), then the agent moves to state (n, ?, arg, v o ).

(Intuitively, this allows the protocol to flip the values of the universal inputs whenever the output gate takes value 1.)

Proof of the reduction. We claim that P Γ does not compute the false predicate (i.e., the predicate that answers 0 for every input) iff ∃x∀y Γ (x, y) = 1, that is, iff there is a valuation of the existential inputs of Γ such that, for every valuation of the universal inputs, Γ returns 1. Let us sketch the proof of the claim. We consider two cases.

∃x∀y Γ (x, y) = 1 is true. Let C 0 be the initial configuration that puts exactly one agent in state ι(n) for every node n. We show that not every fair execution from C 0 converges to 0, and so that P Γ does not compute the false predicate. Let x 0 be a valuation of x such that ∀y Γ (x 0 , y) = 1. The execution proceeds as follows: first, the agents for the inputs of x receive messages, sent either by themselves or by the output node, that make them choose the values of x 0 . An inspection of the transitions of P Γ shows that these values cannot change anymore. Let C be the configuration reached after the agents have received the messages. Since Γ (x 0 , y) = 1 holds for every y, by Lemma 3.4 every configuration C′ reachable from C can reach a consensus of 1. Indeed, it suffices to first let the agents receive all messages of C′ (which does not change the values of the existential inputs), then let the agents for y that still have value ? pick a boolean value (nondeterministically), and then let all agents simulate the circuit. Since Γ (x 0 , y) = 1 holds for every y, after the simulation the agent for g o has value 1.
Finally, we let all agents move to states satisfying v o = 1.
∃x∀yΓ (x, y) = 1 is false. This case requires a finer analysis. We have to show that P Γ computes the false predicate, i.e., that every fair execution from every initial configuration converges to 0. By fairness, it suffices to show that for every initial configuration C 0 and for every configuration C reachable from C 0 , it is possible to reach from C a stable consensus of 0.
Thanks to the ⊥ state, which is introduced for this purpose, configurations C in which two agents for the same existential input node choose inconsistent values eventually reach the configuration with all agents in state ⊥, which is a stable consensus of 0. Thanks to the assumption that every node is connected to the output gate by at least one path, configurations C in which there are no agents for some node cannot reach any configuration in which some agent populates a state with v o = 1, and so C itself is a stable consensus of 0. So, loosely speaking, configurations in which the agents pick more than one value, or can pick no value at all, for some existential input eventually reach a stable consensus of 0.
Consider now the case in which, for every node n, the configuration C has at least one agent in a state with node n. By fairness, C eventually reaches a configuration C′ at which each agent for an existential input has chosen a boolean value, and we can assume that all agents for the same input choose the same value. This fixes a valuation x 0 of the existential inputs. Recall that this valuation cannot change any more, since the protocol has no transitions for that. By assumption, there is y 0 such that Γ (x 0 , y 0 ) = 0. We sketch how to reach a stable consensus of 0 from C′. First, let the agents consume all messages of C′, and let C′′ be the resulting configuration. If C′′ cannot reach any configuration with circuit output 1, then the configuration reached after informing each agent about the value of g o is a stable consensus of 0, and we are done. Otherwise, starting from such a configuration with output 1, let the agents send and receive the appropriate messages so that all agents for y choose the values of y 0 . After that, let the agents for g o consume all remaining messages, if any, and let the protocol simulate Γ on x 0 , y 0 . Notice that the simulation can be carried out even if there are multiple agents for the same gate g. Indeed, in this case, for every argument g′ of g, we let at least one of the agents corresponding to g′ send the message with the correct value of g′ to all the agents for g. Since Γ (x 0 , y 0 ) = 0 by assumption, the agents for g o eventually update their value to 0, and eventually all agents change their opinion about the output of the circuit to 0. Let C′′′ be the configuration so reached. We claim that C′′′ is a stable consensus of 0. Indeed, the state of a gate cannot change without a change in the values of its arguments or of the output gate g o . Therefore it is enough to prove that the input values cannot change. Since no transition can change x 0 , this could only happen by changing the values y 0 of the universal inputs.
But these values can only change by the transitions of (7), which require the agent to receive a message (g o , 1). This is not possible because the current value of g o is 0, and the claim is proved.
This concludes the reduction to the correctness problem for DO protocols. We can easily transform it into a reduction to the single-instance correctness problem. Indeed, it suffices to observe that the executions of the circuit Γ correspond to the fair executions of P Γ from the unique initial configuration C 0 with exactly one agent in state ι(n) for every node n.
So P Γ computes 0 from C 0 iff ∃x∀y Γ (x, y) = 1 is false, and we are done.

Reachability in observation models: the pruning and shortening theorems
In the next three sections we prove that the correctness problem is PSPACE-complete for IO protocols and Π2^p-complete for DO protocols. These are the most involved results of this paper. They can only be obtained after a detailed study of the reachability problem for IO and DO protocols, which we believe to be of independent interest. The roadmap for the three sections is as follows.
Section 4. Section 4.1 introduces message-free delayed-observation protocols (MFDO), an auxiliary model very close to DO protocols, but technically more convenient. As the name indicates, agents of MFDO protocols do not communicate by messages. Instead, they directly observe the current or past states of other agents. As a consequence, a configuration of an MFDO protocol is completely determined by the states of its agents, which has technical advantages. At the same time, MFDO and DO protocols are very close, in the following sense. We call a configuration of a DO protocol a zero-message configuration if all messages sent by the agents have already been received. Given a DO protocol P we can construct an MFDO protocol with the same set of states such that for any two zero-message configurations Z and Z′, the configuration Z′ is reachable from Z in the DO protocol iff it is reachable in the MFDO protocol. (Observe that, since the two protocols have the same set of states, a zero-message configuration of the DO protocol is also a configuration of the MFDO protocol.) So, any question about the reachability relation between zero-message configurations of P can be "transferred" to its MFDO protocol, and answered there.
The rest of the section is devoted to the Pruning and Shortening Theorems. Say that a configuration C is coverable from C′ if there exists a configuration C′′ such that C′ →* C′′ ≥ C. The Pruning Theorems state that if a configuration C of a protocol with n states is coverable from C′, then it is also coverable from a "small" configuration D ≤ C′, where small means |D| ≤ |C| + f (n) for a low-degree polynomial f . The Shortening Theorem states that every execution C →* C′ can be "shortened" to an execution from C to C′ of the form t 1 ^k 1 t 2 ^k 2 · · · t m ^k m with m ≤ f (n), for some low-degree polynomial f that depends only on n, not on C or C′. Intuitively, if we assume that the k i occurrences of t i are executed synchronously in one step, then the execution only takes m steps.

Section 5. This section applies the Pruning and Shortening Theorems to the reachability problem between counting sets of configurations. Intuitively, a counting set of configurations is a union of cubes, and a cube is the set of all configurations C lying between a lower bound configuration L and an upper bound configuration U with possibly infinite components. Observe that counting sets may be infinite, but always have a finite representation. The reachability problem for counting sets asks, given two counting sets C and C′, whether some configuration of C′ is reachable from some configuration of C. The section proves two very powerful Closure Theorems for IO and DO. The Closure Theorems state that for every counting set C, the set post*(C) of all configurations reachable from C is also a counting set; further, the same holds for the set pre*(C) of all configurations from which C can be reached. So, loosely speaking, counting sets are closed under reachability. Furthermore, the section shows that if C has a representation with "small" cubes, in a sense to be determined, then so do pre*(C) and post*(C).

Section 6. This section applies the Pruning, Shortening, and Closure Theorems to prove the PSPACE and Π2^p upper bounds for the correctness problems of IO and DO protocols, respectively. The section shows that this is also the complexity of the single-instance correctness problems.
Notation. Throughout these sections, the last three components of the tuples describing protocols (the input symbol set Σ, the initial state mapping ι, and the output mapping o) play no role. Therefore we represent a DO protocol by the simplified tuple (Q, M, δ s , δ r ), and an IO protocol by just a pair (Q, δ). Section 4.2 proves the Pruning Theorems for IO and MFDO protocols. Section 4.3 proves the Shortening Theorem for MFDO protocols. Finally, making use of the tight connection between MFDO and DO protocols, Sect. 4.4 proves the Pruning and Shortening Theorems for DO protocols.

An auxiliary model: message-free delayed-observation protocols
Immediate observation and delayed observation protocols present similarities. Essentially, in an immediate observation protocol an agent updates its state when it observes that another agent is currently in a certain state q, while in a delayed observation protocol the agent observes that another agent was in a certain state q, provided that the latter emitted a message while it was in q. In a message-free delayed observation protocol we assume that a sufficient number of such messages is always emitted by default; this allows us to dispense with the messages, and to directly postulate that an agent can observe whether another agent went through a given state in the past. So the model is message-free, and, since agents can observe events that happened in the past, we call it "message-free delayed observation".

Definition 4.1 A message-free delayed observation (MFDO) protocol is a pair P = (Q, δ), where Q is a set of states and δ : Q 2 → Q is a transition function. Considering δ as a set of transitions, we write q −o→ q′ for ((q, o), q′) ∈ δ. The set of finite executions of P is the set of finite sequences of configurations defined inductively as follows. Every configuration C 0 is a finite execution. A finite execution C 0 . . . C n can be extended to a finite execution C 0 . . . C n C n+1 if there is a transition q −o→ q′ such that C n (q) ≥ 1, C i (o) ≥ 1 for some 0 ≤ i ≤ n, and C n+1 = C n − {q} + {q′}. An infinite sequence of configurations is an execution of P if all its finite prefixes are finite executions.
We assign to every DO protocol an MFDO protocol. Notice that an agent of a DO protocol can "choose" not to send a message when it goes through a state, and thus not enable a future transition that consumes such a message. This does not happen in MFDO protocols. In particular, if a configuration C of an MFDO protocol enables a transition q −o→ q′, then the transition remains enabled forever. This is not the case for a transition of a DO protocol that consumes a message sent from the state o, because each occurrence of the transition consumes one message, and eventually there may be no messages left.
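The "once enabled, always enabled" property of MFDO protocols can be sketched directly. The dictionary encoding of the transition function and the representation of an execution as a list of Counter configurations are ours, not the paper's.

```python
# Minimal sketch of MFDO enabledness: a transition q -o-> q' is enabled
# as soon as some agent has EVER been in state o, and, unlike in DO
# protocols, it then stays enabled forever.

from collections import Counter

def mfdo_enabled(delta, history):
    """Transitions enabled after the execution's configurations so far."""
    seen = set()                      # states populated at any point
    for conf in history:
        seen.update(q for q, cnt in conf.items() if cnt > 0)
    current = history[-1]
    return [(q, o, q2) for (q, o), q2 in delta.items()
            if current[q] > 0 and o in seen]

delta = {("a", "b"): "c",             # a moves to c upon observing b
         ("b", "a"): "c"}             # b moves to c upon observing a
h = [Counter({"a": 1, "b": 1})]       # one agent in a, one in b
h.append(Counter({"a": 1, "c": 1}))   # the b-agent moves to c observing a
# ...yet a -b-> c is still enabled, because b was populated in the past:
print(mfdo_enabled(delta, h))  # [('a', 'b', 'c')]
```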

Definition 4.2 Let P DO = (Q, M, δ s , δ r ) be a DO protocol. The MFDO protocol corresponding to P DO is the protocol P MFDO = (Q, δ), where q −o→ q′ ∈ δ iff there is a message m ∈ M such that δ s (o) = (m, o) and δ r (q, m) = q′.
Despite this difference, a DO protocol and its corresponding MFDO protocol are equivalent with respect to reachability questions in the following sense. Observe that a configuration of P DO with zero messages is also a configuration of P MFDO . From now on, given a DO protocol, we denote by Z the set of its zero-message configurations. For every Z ∈ Z , we overload notation and also use Z to denote the configuration of the corresponding MFDO protocol obtained by restricting Z to a multiset over Q.
The following lemma shows that for any two zero-message configurations Z and Z′, the configuration Z′ is reachable from Z in P DO iff it is reachable in P MFDO .
Proof Let ξ = t 1 . . . t n be an execution of P DO from Z to Z′, and let C 0 , . . . , C n be the configurations describing the number of agents in each state along ξ . In particular, C 0 = Z and C n = Z′. Define the sequence τ as follows. For every transition t i in which an agent only sends a message, observe that, since the occurrence of t i does not change the state of any agent, we have C i = C i+1 , and so t i can be dropped. For every transition t i in which an agent in state q receives a message m and moves to q′, replace t i by the MFDO transition q −o→ q′, where o is the state from which m was sent by some earlier transition t j . Observe that the transition t j must exist, because every message received has been sent. Further, since both t i and q −o→ q′ move an agent from q to q′, the configurations reached along the execution are preserved. The result follows from the fact that in both cases the resulting sequence τ is an execution of P MFDO from Z to Z′.

For the converse direction, let ξ be an execution of P MFDO from Z to Z′. For each message m ∈ M, denote by q m the state such that δ s (q m ) = (m, q m ), and let #(m, ξ ) denote the number of times m must be consumed along the corresponding execution of P DO . If there are multiple states with this property, we choose the one that occurs earliest in the original execution. Add #(m, ξ ) occurrences of the transition in which an agent in q m sends m at the first configuration along ξ in which state q m is populated. This ensures that the messages that the agents need in order to move from q i to q i+1 are always available to be received, and that all messages have been consumed at the end of the execution.
Thus the resulting sequence is enabled and goes from Z to Z′. □

Pruning theorems for IO and MFDO protocols
The Pruning Theorems for IO and MFDO protocols are proved in the same way. Given an execution C′ −ξ→ C′′ ≥ C, we examine the trajectories of the different agents during the execution of ξ . For this, we assign trajectories to the agents in an arbitrary way, but consistent with the configurations reached during the execution. For example, consider a protocol with states q 1 , q 2 , q, q′ 1 , q′ 2 in which two agents, initially in states q 1 and q 2 , first move to q, after which one of them moves to q′ 1 and the other to q′ 2 . Since the two agents are indistinguishable, we can choose to assume that their trajectories were q 1 q q′ 1 and q 2 q q′ 2 , or that they were q 1 q q′ 2 and q 2 q q′ 1 . After "splitting" the execution into a multiset of trajectories, one for each agent, we "prune" the multiset, keeping only those trajectories that are "necessary" to cover C. This yields a smaller multiset, which we then "transform back" into an execution.

Pruning theorem for IO protocols
A trajectory is a sequence τ = q 1 . . . q n of states. We let τ (i) denote the i-th state of τ . The i-th step of τ is the pair τ (i)τ (i + 1) of adjacent states.
A history is a multiset of trajectories of the same length. The length of a history is the common length of its trajectories. Given a history H of length n and an index 1 ≤ i ≤ n, the i-th configuration of H , denoted C i H , is defined as follows: for every state q, C i H (q) is the number of trajectories τ ∈ H such that τ (i) = q. The configurations C 1 H and C n H are called the initial and final configurations of H .
We use this protocol as a running example throughout the section. Histories of P can be graphically represented. Figure 2 shows a history H of length 7. It consists of five trajectories: one trajectory from q 3 to q 3 passing only through q 3 , and four trajectories from q 1 to q 3 which follow different state sequences. The first configuration of H is C 1 H = (4, 0, 1) and the seventh and last configuration is C 7 H = (0, 0, 5).
where for every transition t we define C

Remark 4.8
Notice that histories of length 1 are always realizable. Observe also that there may be more than one realizable history corresponding to a firing sequence, because the firing sequence does not keep track of which agent visits which states, while the history does.

Example 4.9
The history H of Fig. 2 is realizable in P.
We introduce well-structured histories. Intuitively, they are the histories in which at every step all moving agents execute the same transition, and so there are states q, q′ such that all moving agents move from q to q′.

Definition 4.10 A step τ (i)τ (i + 1) of a trajectory τ is horizontal if τ (i) = τ (i + 1), and non-horizontal otherwise.
A history H of length n is well structured if for every 1 ≤ i ≤ n − 1 one of the two following conditions holds: (i) For every trajectory τ ∈ H , the i-th step of τ is horizontal. (ii) For every two trajectories τ 1 , τ 2 ∈ H , if the i-th steps of τ 1 and τ 2 are non-horizontal, then they are equal.

Example 4.11
The history of Fig. 2 is well structured. The third step of all five trajectories is horizontal. The second step is horizontal for three trajectories, and non-horizontal for the other two; the two non-horizontal steps are equal, namely q 1 q 2 .
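The well-structuredness condition can be checked mechanically. In the sketch below, only the second trajectory is spelled out in the text; the remaining trajectories are our reconstruction, chosen to match the stated configurations (4, 0, 1) and (0, 0, 5) and the step pattern described in this example.

```python
# A checker for the well-structuredness condition of Definition 4.10,
# applied to a history shaped like the one of Fig. 2.

def well_structured(history):
    """history: list of equal-length trajectories (tuples of states)."""
    n = len(history[0])
    for i in range(n - 1):
        steps = {(t[i], t[i + 1]) for t in history if t[i] != t[i + 1]}
        if len(steps) > 1:   # two different non-horizontal i-th steps
            return False
    return True

H = [
    ("q3", "q3", "q3", "q3", "q3", "q3", "q3"),  # the q3 trajectory
    ("q1", "q1", "q2", "q2", "q2", "q3", "q3"),  # given in the text
    ("q1", "q1", "q2", "q2", "q2", "q3", "q3"),  # the remaining three are
    ("q1", "q1", "q1", "q1", "q2", "q3", "q3"),  # our guesses, chosen to
    ("q1", "q1", "q1", "q1", "q2", "q3", "q3"),  # satisfy the definition
]
print(well_structured(H))  # True
```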
Characterizing histories. We show that the set of executions of an IO protocol is completely determined by its well-structured and realizable histories. The proof is purely technical, and can be found in the "Appendix C".

Lemma 4.12
Let P be an IO protocol. For every pair of configurations C, C′ the following holds: C →* C′ iff there exists a well-structured and realizable history in P with C and C′ as initial and final configurations.
We now proceed to give a syntactic characterization of the well-structured and realizable histories.

Definition 4.13
A history H is compatible with an IO protocol P if for every trajectory τ of H and for every non-horizontal step τ (i)τ (i + 1) of τ , the protocol P contains a transition τ (i) −o→ τ (i + 1) for some state o such that H contains another trajectory τ′ with τ′(i) = o. Intuitively, a history is compatible with a protocol if for every non-horizontal step from, say, q to q′, the protocol has a transition of the form q −o→ q′ for some observed state o. Since the transition can only happen if an agent in q observes o, there must be another agent in state o (the one with trajectory τ′).

Example 4.14 The history of Fig. 2 is compatible with the IO protocol of Example 4.6. Consider for example the trajectory τ = q 1 q 1 q 2 q 2 q 2 q 3 q 3 . It has two non-horizontal steps, namely τ (2)τ (3) = q 1 q 2 and τ (5)τ (6) = q 2 q 3 , and both correspond to transitions of the protocol.

Lemma 4.15 Let P be an IO protocol. A well-structured history is realizable in P if and only if it is compatible with P.
Pruning. We introduce bunches of trajectories, and present a lemma about pruning bunches. Then, we prove the Pruning Theorem for IO protocols.

Definition 4.16
A bunch is a multiset of trajectories of the same length and with the same initial and final states.

Example 4.17
The history of Fig. 2 consists of a trajectory from q 3 to q 3 (which can be considered a bunch of size 1), and a bunch of four trajectories with initial state q 1 and final state q 3 .
We show that every well-structured and realizable history containing a bunch of more than |Q| trajectories can be "pruned", meaning that the bunch can be replaced by a smaller one, while keeping the history well structured and realizable.

Lemma 4.18 Let H be a well-structured history realizable in P, and let B be a bunch of H. There exists a bunch B′ of at most |Q| trajectories, with the same length and the same initial and final states as B, such that H − B + B′ is well structured and realizable in P.

Proof Let Q_B be the set of all states visited by at least one trajectory in the bunch B. For every q ∈ Q_B, let f(q) and l(q) be the earliest and the latest moments in time at which q is visited by any of the trajectories (the first and last occurrences can belong to different trajectories).
For every q ∈ Q_B, let τ_q = τ_{q,1} τ_{q,2} τ_{q,3}, where τ_{q,1} is a prefix of length f(q) − 1 of some trajectory of B with q at the moment f(q); τ_{q,2} = q^{l(q)−f(q)}, i.e., the state q repeated l(q) − f(q) times; and τ_{q,3} is a suffix of some trajectory of B with the state q at the moment l(q), starting at the moment l(q). The prefix and the suffix exist by the definition of f(q) and l(q).
Let B′ = {τ_q | q ∈ Q_B}, and let H′ = H − B + B′. We prove that H′ is well structured and compatible with P. By Lemma 4.15, this proves that H′ is well structured and realizable in P.
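The construction of the pruned bunch B′ can be sketched as follows (our own illustration, with 0-indexed moments; `first` and `last` play the roles of f(q) and l(q), and trajectories are lists of states):

```python
def prune_bunch(bunch):
    """Replace a bunch (trajectories of equal length with the same initial and
    final states) by at most |Q_B| trajectories, one per visited state."""
    first, last = {}, {}   # earliest / latest moment each state is visited
    wf, wl = {}, {}        # witnessing trajectories for those moments
    for t in bunch:
        for i, q in enumerate(t):
            if q not in first or i < first[q]:
                first[q], wf[q] = i, t
            if q not in last or i > last[q]:
                last[q], wl[q] = i, t
    pruned = []
    for q in first:
        f, l = first[q], last[q]
        # prefix up to f, then q repeated, then suffix after l
        pruned.append(wf[q][:f] + [q] * (l - f + 1) + wl[q][l + 1:])
    return pruned

# a bunch of four trajectories from q1 to q3 over Q = {q1, q2, q3}
bunch = [["q1", "q2", "q3", "q3"],
         ["q1", "q2", "q2", "q3"],
         ["q1", "q1", "q2", "q3"],
         ["q1", "q2", "q3", "q3"]]
```

On this bunch the procedure returns three trajectories, one per state of Q_B, each still of length four and leading from q1 to q3.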
Let us first show that H′ is well structured. Notice that every trajectory of B′ is the concatenation of a prefix of a trajectory of B, a sequence of horizontal steps, and a suffix of another trajectory of B. Hence, if B′ contains a trajectory whose i-th step is non-horizontal, then so does B. Let us now show that H′ is compatible with P. Let τ be a trajectory of H′, and let τ(i)τ(i+1) be a non-horizontal step of τ. We show that P has a transition τ(i) −o→ τ(i+1) for some state o occupied at moment i by another trajectory of H′. Since τ(i)τ(i+1) is a non-horizontal step, by the argument above H contains a trajectory τ̂ such that τ̂(i)τ̂(i+1) = τ(i)τ(i+1). Further, H is realizable in P by assumption, and so by Lemma 4.15 H is compatible with P. So P has a transition τ̂(i) −o→ τ̂(i+1) for some state o occupied at moment i by some trajectory of H; moreover, if that trajectory belongs to B, then f(o) ≤ i ≤ l(o), and so o is also visited at moment i by the trajectory τ_o of B′. Hence H′ is compatible with P. □

Example 4.19 Consider the well-structured and realizable history of Fig. 2. It leads from configuration (4, 0, 1) to (0, 0, 5). The bunch B from q_1 to q_3 has size four, and so is bigger than |Q| = 3. The set Q_B of states visited by trajectories of B is equal to Q. Figure 3 shows for every state q ∈ Q_B the first and last moments f(q) and l(q). Lemma 4.18 shows that we can replace B in H by the smaller bunch B′ consisting of the trajectories τ_{q_1}, τ_{q_2}, τ_{q_3}, drawn in dashed lines in Fig. 3. Notice that the non-horizontal 5-th step of H does not appear in the new well-structured and realizable history.

Using Lemma 4.18 we can now prove the Pruning Theorem for IO protocols:

Theorem 4.20 (Pruning) Let P be an IO protocol with set of states Q, and let C, C′ be configurations such that C →* C′. For all multisets of states L ≤ C and L′ ≤ C′ there exist configurations D and D′ such that L ≤ D ≤ C, L′ ≤ D′ ≤ C′, D →* D′, and |D| = |D′| ≤ |L| + |L′| + |Q|^3.

Remark 4.21
We will often use the theorem when L or L′ is empty, which is why we call them multisets of states instead of configurations.

Proof (of Theorem 4.20) By Lemma 4.12 there is a well-structured and realizable history H leading from C to C′. Repeatedly applying Lemma 4.18, we obtain a history H_0 containing the trajectories of the agents of L and L′, and bunches H_{p,p′} for p, p′ ∈ Q with H′ = Σ_{p,p′ ∈ Q} H_{p,p′}, where the sum represents multiset addition, such that |H_{p,p′}| ≤ |Q| for every p, p′ ∈ Q, and such that the history H′ + H_0 is well structured and realizable.
Let D and D′ be the initial and final configurations of H′ + H_0. We show that D and D′ satisfy the required properties; this concludes the proof. □

Remark 4.22
A slight modification of our construction allows one to prove Theorem 4.20 (but not Lemma 4.18) with an overhead of 2|Q|^2 instead of |Q|^3. We provide more details in "Appendix C". However, since some results of Sect. 5 explicitly rely on Lemma 4.18, we prove Theorem 4.20 as a consequence of Lemma 4.18 for simplicity.

Pruning theorem for MFDO protocols
The proof of the Pruning Theorem for MFDO protocols is similar to the one for IO protocols. It follows the same sequence of steps, but with some differences.
Trajectories and histories of MFDO protocols are defined as for DO protocols. Well-structured and realizable histories also have the same definition, and Lemma 4.12 holds, with the same proof. Let us see an example: Figure 4 shows a graphical representation of a history H of P_MFDO. It consists of five trajectories: one trajectory from a to ab, and four trajectories from b to ab, following different state sequences. The first configuration of H is C_H^1 = (1, 4, 0), and the fourth and last configuration is C_H^4 = (0, 0, 5). The history is well structured and realizable. For MFDO protocols we also need the notion of the set of states visited along a history.

Definition 4.24
Let H be a history of an MFDO protocol of length n. The set of states visited in the first i steps of H is S_H^i = {τ(j) | τ ∈ H, 1 ≤ j ≤ i}.

Pruning. We prove that the construction of the Pruning Theorem for IO protocols yields the same results for MFDO protocols.

Remark 4.31
For MFDO protocols we can also obtain a linear bound. Intuitively, the reason is that in order to construct the smaller history H′ from H we no longer need to concatenate prefixes and suffixes of trajectories of H, but can just pick an adequate subset of them. We provide more details in "Appendix C". One can apply the improved bound to the results of Sect. 5, but some technical special cases arise in the proofs; therefore we use Theorem 4.30 for simplicity and uniformity.

Shortening theorem for MFDO protocols
We introduce a new measure of the length of executions, the aggregated length of an execution.

Definition 4.32
Let P = (Q, δ) be an MFDO protocol, and let ξ be a nonempty sequence of transitions of P. Let (k_1, …, k_m) be the unique tuple of positive natural numbers such that ξ = t_1^{k_1} t_2^{k_2} ⋯ t_m^{k_m} and t_i ≠ t_{i+1} for every i = 1, …, m − 1. We say that ξ has aggregated length m, and let |ξ|_a denote the aggregated length of ξ.
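Computing the aggregated length amounts to counting the maximal blocks of equal consecutive transitions, e.g. (a small illustration of Definition 4.32, not code from the paper):

```python
from itertools import groupby

def aggregated_length(xi):
    """|xi|_a: the number of maximal blocks of equal consecutive transitions
    in the sequence xi (Definition 4.32)."""
    return sum(1 for _ in groupby(xi))

# e.g. the sequence t1 t1 t2 t2 t2 t1 decomposes as t1^2 t2^3 t1^1,
# so its aggregated length is 3
```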
The Shortening Theorem states that we can replace "long" executions of an MFDO protocol by executions that are shorter in terms of aggregated length.

Theorem 4.33 (Shortening) Let P = (Q, δ) be an MFDO protocol, and let C, C′ be configurations such that C →* C′. There exists a sequence ξ such that C −ξ→ C′ and |ξ|_a ≤ |Q|^4.
Proof Let H be a well-structured and realizable history for the execution C →* C′, and let n be the length of H. We have S_H^1 ⊆ S_H^2 ⊆ ⋯ ⊆ S_H^n. Since H is well structured, for every i the set S_H^{i+1} contains at most one more state than S_H^i. Let T_0 = 1, let T_1, T_2, …, T_{k−1} be the time moments immediately before the set of visited states increases, that is, the indices satisfying S_H^{T_i} ⊂ S_H^{T_i + 1}, and let T_k = n. Observe that k ≤ |Q|.
For every 0 ≤ j ≤ k, let H_j be the initial segment of H of length T_j. We prove by induction over j that there is a well-structured and realizable history H′_j satisfying the following conditions: (i) every non-horizontal step of a trajectory of H′_j is a step of some trajectory of H_j; (ii) there is a bijection between the trajectories of H_j and those of H′_j that preserves initial and final states; (iii) the trajectories of H′_j have at most j(|Q|(|Q| − 1)^2 + 1) steps. The theorem then follows from the fact that, since H′_k has length at most |Q|(|Q|(|Q| − 1)^2 + 1) < |Q|^4 and is realizable, it can be realized by an execution of aggregated length at most |Q|^4.
The base case of the induction is j = 0. Since T_0 = 1, we can set H′_0 := H_0. For the induction step, assume we have already constructed H′_j satisfying conditions (i)-(iii). We construct H′_{j+1} by extending each trajectory of H′_j. We illustrate the extensions on the example of Fig. 5, which shows at the top the fragment of a history H between times T_j and T_{j+1} = T_j + 6; this fragment consists of three trajectories τ_1, τ_2, τ_3. Let τ be an arbitrary trajectory of H, and for every 0 ≤ i ≤ j let τ_i be the prefix of τ of length T_i. By condition (ii), there exists a bijection b that assigns to τ_j a trajectory τ′_j := b(τ_j) of H′_j. Further, τ_j and τ′_j have the same initial and final states. We describe an algorithm that extends the history H′_j to H′_{j+1} with the same final configuration as H_{j+1}.

Example 4.34
The algorithm initializes a variable τ̄ := τ′_j for each trajectory τ ∈ H. In a first step, the algorithm sets τ̄ := τ′_j τ(T_j + 1). In our example, the three trajectories of H′_j are extended as shown in the bottom part of Fig. 5.
Let H^+_j be the history obtained after applying this first step. It is easy to see that, since H_j and H′_j satisfy conditions (i)-(iii), so do the prefix of H of length T_j + 1 and H^+_j. The algorithm now proceeds to execute a loop. Let B[q, q′, j] be the bunch of trajectories τ ∈ H such that τ(T_j + 1) = q and τ(T_{j+1}) = q′, and let E be an arbitrary but fixed enumeration of the pairs (q, q′) of states such that B[q, q′, j] is nonempty. The algorithm loops through every pair (q, q′) ∈ E, extending each τ̄ in a way to be described later. After the loop, the algorithm sets τ′_{j+1} to the final value of τ̄. Observe that each variable τ̄ gets extended at most |Q|(|Q| − 1) times. In what follows we assume that E = (q_3, q_1)(q_5, q_3).
Before describing the body of the loop for a given pair (q, q′) of states, we need to state and prove a claim.

Claim. For every (q, q′) ∈ E there exists a sequence sh(q, q′) (where sh stands for "short") leading from q to q′ and satisfying the following properties:
- each state in sh(q, q′) is in S_H^{T_{j+1}};
- each non-horizontal step of sh(q, q′) is a step of some trajectory of H;
- sh(q, q′) has length at most |Q|.

In the example of Fig. 5, the segment of τ_1 between times T_j + 1 and T_j + 6 = T_{j+1} is the sequence q_3 q_2 q_3 q_3 q_1 q_1 of states. The trajectory sh(q_3, q_1) obtained from τ_1 by "cutting out the cycles" is q_3 q_1.
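The "cutting out the cycles" operation can be sketched as follows (our own illustration; any shortening that visits each state at most once would do):

```python
def cut_cycles(seq):
    """Shorten a state sequence by cutting out cycles: whenever a state
    reappears, drop the segment after its first occurrence. The result
    visits each state at most once, so its length is at most |Q|."""
    out = []
    for q in seq:
        if q in out:
            # remove the cycle, keeping the first occurrence of q
            del out[out.index(q) + 1:]
        else:
            out.append(q)
    return out

# the example from the text: q3 q2 q3 q3 q1 q1 shortens to q3 q1
```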
For each pair (q, q′) ∈ E, the algorithm picks an arbitrary trajectory of B[q, q′, j], constructs the shortened trajectory sh(q, q′), and for every trajectory τ ∈ H extends the current trajectory τ̄ as follows: (1) If τ ∈ B[q, q′, j], then the algorithm extends τ̄ with sh(q, q′) (more precisely, with the result of dropping the first state of sh(q, q′)). (2) Otherwise, the algorithm extends τ̄ by replicating its final state |sh(q, q′)| − 1 times; in other words, it extends τ̄ with |sh(q, q′)| − 1 horizontal steps.
Observe that after each iteration of the loop all trajectories have the same length. The histories consisting of all the trajectories after the same iteration are well structured (all added non-horizontal steps are copies of the same one) and realizable (because of the second condition in the claim). In particular, after the last iteration of the algorithm, we obtain a well-structured and realizable history.
Let us show that the realizable history H′_{j+1} constructed by the algorithm satisfies properties (i)-(iii). Property (i) follows directly from the fact that the algorithm only extends the trajectories of H′_j with steps taken from the trajectories of H_{j+1}. For property (ii), we observe that for every pair of states (q, q′), the bunches B[q, q′, j+1] and B′[q, q′, j+1] (defined as B[q, q′, j+1], but for the history H′_{j+1}) have the same size. So the bijection can be obtained as the union of bijections between these bunches. Finally, let us prove property (iii). Since the sequences sh(q, q′) have length at most |Q|, they consist of at most |Q| − 1 steps. Since |E| ≤ |Q|(|Q| − 1), during the loop every trajectory gets extended at most |Q|(|Q| − 1) times. So the trajectories of H′_{j+1} have at most |Q|(|Q| − 1)^2 + 1 more steps than the trajectories of H′_j, and at most (j + 1)(|Q|(|Q| − 1)^2 + 1) steps. Since H′_{j+1} is well structured, its aggregated length is bounded by the number of steps of its trajectories, and we are done. □

Remark 4.38
An optimised version of the construction allows one to obtain a quadratic bound on the aggregated length of the history after shortening. We provide a rough outline in "Appendix C" for readers interested in carrying out such an optimisation.

Pruning and shortening theorems for DO protocols
In Sect. 4.1 we showed that reachability in MFDO and zero-message reachability in DO are essentially equivalent notions. Using this correspondence, we derive Pruning and Shortening Theorems for DO protocols from the corresponding results for MFDO protocols. Recall that we denote by Z the set of zero-message configurations of a DO protocol, and that a configuration Z ∈ Z can be seen both as a DO configuration and (by abuse of notation) as an MFDO configuration. Following the construction of a DO sequence from an MFDO sequence described in the proof of Lemma 4.4, we show that from an MFDO sequence ξ with Z −ξ→ Z′ we can construct a sequence ξ′ in P such that Z −ξ′→ Z′ and |ξ′|_a ≤ |ξ|_a + |M|. In the first step of the construction, we replace each transition of ξ by a corresponding receive transition of P. Then, for each message m ∈ M that appears in these receive transitions, we add a sequence of identical send transitions of the form q_m −m+→ q′_m the first time a state q_m that can send m is reached. Thus the constructed DO sequence ξ′ has aggregated length at most |ξ|_a + |M|, and since |ξ|_a ≤ |Q|^4 and |M| ≤ |Q| we get our result.

Set reachability in observation models: the closure theorems
We introduce counting sets, a class of possibly infinite sets of configurations with a finite representation in terms of so-called counting constraints. We then prove the Closure Theorems for IO and MFDO, stating that the sets of predecessors and successors of a counting set are also counting sets. Further, we show that if the original counting set has a representation with "small" cubes, then the sets of predecessors and successors also have succinct representations.
Counting constraints and counting sets. Let P be an IO or MFDO protocol with set of states Q. A set 𝒞 of configurations of P is a cube if there exist mappings L : Q → N and U : Q → N ∪ {∞} such that C ∈ 𝒞 iff L(q) ≤ C(q) ≤ U(q) for every q ∈ Q. We write 𝒞 = ⟨L, U⟩ and call (L, U) a representation of 𝒞. A counting constraint is a finite set Γ = {(L_1, U_1), …, (L_n, U_n)} of representations of cubes. We say that Γ represents the set ⟦Γ⟧ := ⟨L_1, U_1⟩ ∪ ⋯ ∪ ⟨L_n, U_n⟩. A set S is a counting set if S = ⟦Γ⟧ for some counting constraint Γ.
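Membership of a configuration in a cube or counting set is a direct componentwise check. The following sketch is our own, with a hypothetical dict-based encoding in which missing states default to lower bound 0 and upper bound ∞:

```python
import math

def in_cube(config, L, U):
    """config, L, U: dicts from state name to number; U may map to math.inf."""
    return all(L.get(q, 0) <= config.get(q, 0) <= U.get(q, math.inf)
               for q in set(L) | set(U) | set(config))

def in_counting_set(config, gamma):
    """gamma: a counting constraint, i.e. a list of (L, U) cube
    representations; membership is membership in some cube."""
    return any(in_cube(config, L, U) for L, U in gamma)

# the cube "at least one agent in q1 and no agent in q2"
gamma = [({"q1": 1}, {"q1": math.inf, "q2": 0})]
```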
Measures of counting constraints. We introduce two measures of the size of a counting constraint. Let 𝒞 be a cube with representation (L, U). The l-norm of 𝒞, denoted ‖𝒞‖_l, is the sum of the components of L. The u-norm of 𝒞, denoted ‖𝒞‖_u, is the sum of the components of U that are not equal to ∞, if there are any, and 0 otherwise.
The l-norm and u-norm of a counting constraint Γ = {𝒞_1, …, 𝒞_m} are defined by ‖Γ‖_l = max_{1≤i≤m} ‖𝒞_i‖_l and ‖Γ‖_u = max_{1≤i≤m} ‖𝒞_i‖_u. The l-norm (respectively u-norm) of a counting set S is the smallest l-norm (respectively u-norm) of a counting constraint representing S. The following proposition, whose proof is given in "Appendix D", shows that a Boolean combination of counting sets is still a counting set, and bounds the size of the counting constraints representing such combinations.
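Under the reading of constraint norms as maxima over the cubes (the reading consistent with how the per-cube bounds are propagated in Theorem 5.4 below), the measures can be computed as follows; the encoding is the same hypothetical dict-based one as before:

```python
import math

def l_norm(cube):
    """Sum of the lower-bound components of a cube (L, U)."""
    L, U = cube
    return sum(L.values())

def u_norm(cube):
    """Sum of the finite upper-bound components, or 0 if there are none."""
    L, U = cube
    return sum(v for v in U.values() if v != math.inf)

def constraint_norms(gamma):
    """(l-norm, u-norm) of a counting constraint: maxima over its cubes."""
    return (max(l_norm(c) for c in gamma),
            max(u_norm(c) for c in gamma))

gamma = [({"q1": 2}, {"q1": math.inf}),
         ({"q1": 0, "q2": 1}, {"q2": 3})]
```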
Loosely speaking, Proposition 5.2 shows that applying Boolean operations to counting sets does not greatly increase the size of their representations. We now prove the Closure Theorem, showing that the same holds for the operations of computing the set of successors or predecessors of a counting set.
Closure Theorem for IO protocols. The Closure Theorem for IO protocols is an easy consequence of the following lemma:

Lemma 5.3 Let P be an IO protocol with state set Q and let 𝒞 ⊆ Pop(Q) be a cube. For all C ∈ pre*(𝒞), there exists a cube 𝒞′ such that 1. C ∈ 𝒞′ ⊆ pre*(𝒞), and 2. ‖𝒞′‖_l ≤ ‖𝒞‖_l + |Q|^3 and ‖𝒞′‖_u ≤ ‖𝒞‖_u.
Proof Let L, U be mappings such that 𝒞 = ⟨L, U⟩. Let C be a configuration of pre*(𝒞). There exists a configuration C′ ∈ 𝒞 such that C →* C′, and in particular C′ ≥ L. By the Pruning Theorem, applied with the multisets ∅ ≤ C and L ≤ C′, there exist configurations D ≤ C and D′ ≤ C′ such that L ≤ D′, D →* D′, and |D| ≤ |L| + |Q|^3. So D′ ∈ 𝒞 (since L ≤ D′ ≤ C′ ≤ U), and therefore D ∈ pre*(𝒞). We find a cube 𝒞′ satisfying conditions (1) and (2). For this, we choose appropriate lower and upper bounds L′, U′, and set 𝒞′ = ⟨L′, U′⟩. First, we set L′ := D. For the definition of U′, we use the tools of the Pruning Theorem section, in which the movements of the agents are de-anonymized into trajectories. Let H_C be a well-structured realizable history of P leading from C to C′, and let q be a state of Q. We define U′(q) as follows: (i) If some trajectory of H_C starting at q leads to a state r such that U(r) = ∞, then set U′(q) := ∞.
(ii) If every trajectory of H_C starting at q leads to states r such that U(r) < ∞, then set U′(q) := C(q).
We prove that 𝒞′ := ⟨L′, U′⟩ satisfies the conditions of the lemma. Property 1: C ∈ 𝒞′ ⊆ pre*(𝒞).
Since 𝒞′ = ⟨L′, U′⟩, we first prove L′ ≤ C ≤ U′. The inequality L′ ≤ C follows from C ≥ D (see the diagram above) and L′ := D. Let us now show that C(q) ≤ U′(q) holds for every state q. If U′(q) = ∞ there is nothing to show. If U′(q) is finite, i.e., if case (ii) above holds, then U′(q) = C(q), and we are done.
It remains to prove ⟨L′, U′⟩ ⊆ pre*(𝒞), which requires more effort. We show that for every configuration R′ ∈ ⟨L′, U′⟩ there exists a history H_{R′} leading from R′ to a configuration R ∈ 𝒞, i.e., to a configuration R satisfying L ≤ R ≤ U. Since R′ ∈ ⟨L′, U′⟩ and L′ := D, we have R′ ≥ D. So we construct H_{R′} by adding trajectories to H_D, the sub-history of H_C consisting of the trajectories of the agents of D. Since H_D leads to D′, this guarantees that H_{R′} leads to a configuration R such that R ≥ D′ ≥ L (see Fig. 6, which illustrates the construction of this proof). Further, to ensure that H_{R′} starts at R′, for every q ∈ Q we add to H_D exactly (R′(q) − D(q)) trajectories starting at q. It remains to choose these trajectories in such a way that R ≤ U holds.
We add trajectories to H_D by replication, i.e., we only add copies of trajectories already present in H_D. Recall that for every state q ∈ Q we have to add (R′(q) − D(q)) trajectories starting at q. We decide which trajectories to add according to two cases, very similar to cases (i) and (ii) above: (i′) H_D contains a trajectory τ leading from q to a state r such that U(r) = ∞. In this case we add (R′(q) − D(q)) copies of τ. (ii′) Every trajectory of H_D leading from q to some state r satisfies U(r) < ∞. In this case, by the definition of U′ (see (ii) above), we have U′(q) = C(q). Since R′ ≤ U′ by hypothesis, we get D(q) ≤ R′(q) ≤ C(q), and so (R′(q) − D(q)) ≤ (C(q) − D(q)), i.e., we need to add at most C(q) − D(q) trajectories. For each state r ∈ Q, let n_C[q, r] and n_D[q, r] be the sizes of the bunches of trajectories of H_C and H_D leading from q to r, respectively. By this definition, and the definition of the pruning operation, we have: (a) Σ_r (n_C[q, r] − n_D[q, r]) = C(q) − D(q); (b) n_D[q, r] ≤ n_C[q, r] for every r ∈ Q; and (c) n_D[q, r] ≥ 1 whenever n_C[q, r] ≥ 1. We add trajectories as follows: we loop through the states r such that n_C[q, r] ≥ 1. We take any trajectory of H_D leading from q to r (which exists by (c)), and replicate it n_C[q, r] − n_D[q, r] times or fewer, until the quota of R′(q) − D(q) trajectories has been reached. The quota is eventually reached by (a).
We claim that this procedure produces a history H_{R′} such that n_{R′}[q, r] ≤ n_C[q, r] for every q, r ∈ Q such that U(r) < ∞. Indeed, fix r such that U(r) < ∞. If q satisfies (i′), then no trajectory from q to r is replicated, i.e., n_{R′}[q, r] = n_D[q, r] ≤ n_C[q, r]. If q satisfies (ii′), then n_{R′}[q, r] ≤ n_C[q, r] by construction. By the claim, R(r) ≤ C′(r) for every state r such that U(r) < ∞. Since C′ ≤ U, we have R ≤ U, and we are done. Property 2: ‖𝒞′‖_l ≤ ‖𝒞‖_l + |Q|^3 and ‖𝒞′‖_u ≤ ‖𝒞‖_u.
For the l-norm, recall that L′ := D. Since H_D leads from D to D′, we have |L′| = |D| = |D′|. By the Pruning Theorem, |D| ≤ |L| + |Q|^3 = ‖𝒞‖_l + |Q|^3, and so ‖𝒞′‖_l ≤ ‖𝒞‖_l + |Q|^3. For the u-norm, notice that by (i) and (ii), every trajectory of H_C starting at a state q satisfying U′(q) < ∞ leads to a state r satisfying U(r) < ∞. Using this observation, we get ‖𝒞′‖_u ≤ ‖𝒞‖_u. □

Theorem 5.4 (IO Closure) Let P be an IO protocol with a set Q of states, and let S be a counting set of configurations of P represented by a counting constraint Γ. Then pre*(S) is also a counting set, and there exists a counting constraint Γ′ satisfying ⟦Γ′⟧ = pre*(S), ‖Γ′‖_l ≤ ‖Γ‖_l + |Q|^3 and ‖Γ′‖_u ≤ ‖Γ‖_u. The same holds for post*.
Proof By the definition of a counting set, there exist cubes 𝒞_1, …, 𝒞_k such that S = 𝒞_1 ∪ ⋯ ∪ 𝒞_k, and therefore pre*(S) = pre*(𝒞_1) ∪ ⋯ ∪ pre*(𝒞_k). By Lemma 5.3, for every configuration C ∈ pre*(S) there is a cube 𝒞′_C such that C ∈ 𝒞′_C, 𝒞′_C ⊆ pre*(S), ‖𝒞′_C‖_l ≤ ‖𝒞_i‖_l + |Q|^3, and ‖𝒞′_C‖_u ≤ ‖𝒞_i‖_u for some 1 ≤ i ≤ k. So pre*(S) = ∪_{C ∈ pre*(S)} 𝒞′_C. Since there are only finitely many cubes with a given bound on their lower and upper norms, pre*(S) = 𝒞′_1 ∪ ⋯ ∪ 𝒞′_{k′} for some k′, and so it is a counting set.
Let Γ and Γ′ be the counting constraints given by the representations of {𝒞_1, …, 𝒞_k} and {𝒞′_1, …, 𝒞′_{k′}}, respectively. By the definition of the norm of a counting constraint, we have ‖𝒞′_i‖_l ≤ ‖Γ‖_l + |Q|^3 and ‖𝒞′_i‖_u ≤ ‖Γ‖_u for every 1 ≤ i ≤ k′. So ‖Γ′‖_u ≤ ‖Γ‖_u and ‖Γ′‖_l ≤ ‖Γ‖_l + |Q|^3.
The result for post*(S) can be proven in exactly the same way, since the Pruning Theorem is symmetric with respect to predecessors and successors. □
Closure Theorem for MFDO protocols. The Closure Theorem for MFDO protocols can be proved in the same way as for IO protocols.

Lemma 5.5
Let 𝒞 be a cube of an MFDO protocol P with state set Q. For all C ∈ pre*(𝒞), there exists a cube 𝒞′ such that 1. C ∈ 𝒞′ ⊆ pre*(𝒞), and 2. ‖𝒞′‖_l ≤ ‖𝒞‖_l + |Q|^3 and ‖𝒞′‖_u ≤ ‖𝒞‖_u.

Theorem 5.6 (MFDO Closure) Let P be an MFDO protocol with a set Q of states, and let S be a counting set defined by a counting constraint Γ. Then pre*(S) is also a counting set, and there exists a counting constraint Γ′ satisfying ⟦Γ′⟧ = pre*(S), ‖Γ′‖_l ≤ ‖Γ‖_l + |Q|^3 and ‖Γ′‖_u ≤ ‖Γ‖_u. The same holds for post*.
The Closure Theorem for MFDO protocols yields a Closure Theorem for DO protocols. In DO protocols, counting constraints are still defined as bounds associated to elements of Q, and thus they define counting sets which are sets of zero-message configurations. To express the following result we need operators on zero-message configurations.

Zero-message predecessors and successors.
Let P be a DO protocol, and let Z be the set of its zero-message configurations. For every set M ⊆ Z, we define the set of zero-message predecessors and the set of zero-message successors as pre*_z(M) := pre*(M) ∩ Z and post*_z(M) := post*(M) ∩ Z, respectively.

Corollary 5.7 (DO Closure) Let P be a DO protocol with a set Q of states, and let S be a counting set of zero-message configurations defined by a counting constraint Γ. Then pre*_z(S) is also a counting set, and there exists a counting constraint Γ′ satisfying ⟦Γ′⟧ = pre*_z(S), ‖Γ′‖_u ≤ ‖Γ‖_u and ‖Γ′‖_l ≤ ‖Γ‖_l + |Q|^3. The same holds for post*_z.

Upper bounds for observation models
We use the Pruning, Shortening, and Closure Theorems proved in the previous sections to prove that the correctness problem for IO protocols is in PSPACE, and that the correctness problem for DO protocols is in Π^p_2. These upper bounds match the lower bounds proved in Theorems 3.3 and 3.5.
For the following results, we need the predicates ϕ under consideration to be describable by counting constraints. A predicate ϕ : N^k → {0, 1} is describable by a counting constraint if there is a counting constraint Γ such that ϕ(v) = 1 iff v satisfies Γ. Here ϕ is a predicate over Pop(Σ), k is the size of the input alphabet Σ, and populations D ∈ Pop(Σ) are seen as vectors v ∈ N^k. Fortunately, as mentioned in Sect. 2.5, Angluin et al. show in [7] that IO protocols compute exactly the predicates representable by counting constraints, and DO protocols compute a subset of these.

Lemma 6.1 Let P be an IO or DO protocol with Q its set of states, and let ϕ be a predicate describable by a counting constraint Γ. Then I_b|_Q and Con_b|_Q, the restrictions of I_b and Con_b to their components over Q, are describable by counting constraints for b ∈ {0, 1}. Moreover, the norms of these counting constraints are bounded in terms of the norms of the counting constraint associated to ϕ and of n = |Q|.

Proof Let P be an IO or DO protocol over an alphabet Σ with initial state mapping ι, and Q its set of states. The predicate ϕ is describable by a counting constraint Γ over Pop(Σ), i.e., the bounds of the cubes of Γ are mappings from Σ to N. We extend Γ to a counting constraint over agent configurations of P by letting the bounds of the cubes be mappings from Q to N: the bounds on the states of ι(Σ) are as before, and the states to which no input symbol is mapped by ι get upper and lower bounds equal to 0. Without loss of generality we assume that ι is injective, i.e., that distinct input symbols are mapped to distinct states. Notice that the norms of this extension of Γ are still equal to ‖Γ‖_l and ‖Γ‖_u. We abuse notation and denote this extension by Γ as well. Recall that I_b = I(ϕ^{-1}(b)) in the generalized protocol notation; in the IO or DO notation, I_b = {ι(D) | D ∈ Pop(Σ), ϕ(D) = b}, where ι(D) is the agent configuration Σ_{σ∈Σ} D(σ)·ι(σ).
Then I_b|_Q is describable by the counting constraint Γ for b = 1, and by the counting constraint corresponding to 1 − ϕ for b = 0. The bounds on the norm of I_0|_Q are a consequence of Proposition 5.2.
The set Con_b|_Q is given by the cube whose upper bound is 0 on all states q with output 1 − b and ∞ otherwise, and whose lower bound is 0 everywhere. This cube has upper and lower norm 0. □

Remark 6.2 Initial configurations are zero-message in all protocol models, so I_b|_Q is exactly I_b. For P an IO protocol, Con_b|_Q is exactly Con_b for b ∈ {0, 1}.

Correctness of IO protocols is in PSPACE
Since IO protocols are well-behaved protocols (by Lemma 2.9), we can apply the reformulation of correctness as a reachability problem of Proposition 2.12: an IO protocol P is correct for a predicate ϕ if and only if condition (1) of that proposition holds. Condition (1) formulates the correctness of an IO protocol as a predicate with Boolean and reachability operators over counting sets. We use the results of Sect. 5 to show that we only need to examine "small" configurations to verify such predicates, thus yielding a PSPACE algorithm for checking correctness. We start by giving a lemma for general predicates with Boolean and reachability operators over counting sets, and then apply it to the predicate for correctness.

Lemma 6.3 Let S_1 and S_2 be two functions that take as arguments an IO protocol P and a counting constraint X, and return counting sets S_1(P, X) and S_2(P, X), respectively.
Assume that S_1(P, X) and S_2(P, X) have norms at most exponential in the size of (P, X), as well as PSPACE-decidable membership (given input (C, P, X), decide whether C ∈ S_i(P, X)).
Then the same is true about the counting sets S 1 (P, X )∩ S 2 (P, X ), S 1 (P, X ) ∪ S 2 (P, X ), S 1 (P, X ), pre * (S 1 (P, X )), and post * (S 1 (P, X )). Furthermore, given P and X , the emptiness problem for these sets is in PSPACE.

Proof
The exponential bounds on the norms follow immediately from Proposition 5.2 and Theorem 5.4. The membership complexity for union, intersection and complement is easy to see. Without loss of generality, it suffices to prove that membership in post*(S_1(P, X)) is in PSPACE.
By Savitch's Theorem NPSPACE=PSPACE, so we provide a nondeterministic algorithm. Given (C, P, X ), we want to decide whether C ∈ post * (S 1 (P, X )). The algorithm first guesses a configuration C 0 ∈ S 1 (P, X ) of the same size as C, verifies that C 0 belongs to S 1 (P, X ), and then guesses an execution starting at C 0 , step by step, checking after each step if the reached configuration is C. Notice that all intermediate configurations of such an execution have the same size as C. At any moment in time the algorithm only stores three configurations, the current one, the next configuration in the execution, and the input one.
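The key fact exploited above is that interactions preserve the number of agents, so every execution from C_0 stays within configurations of size |C|. As a purely illustrative contrast (this is not the paper's algorithm, which is nondeterministic and runs in polynomial space), the same search space can be explored deterministically by BFS; `step` below is a hypothetical successor function for a toy two-state protocol:

```python
from collections import deque

def reachable_same_size(start, step):
    """Breadth-first exploration of all configurations reachable from
    `start`; `step(config)` yields successor configurations. The space is
    finite because agent counts are preserved (though exponential in size)."""
    seen = {start}
    frontier = deque([start])
    while frontier:
        c = frontier.popleft()
        for d in step(c):
            if d not in seen:
                seen.add(d)
                frontier.append(d)
    return seen

# toy rule: an agent in q1 that observes another q1 moves to q2;
# a configuration is the pair (#q1, #q2) (hypothetical example protocol)
def step(c):
    a, b = c
    if a >= 2:
        yield (a - 1, b + 1)
```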
We can now observe that the emptiness problem is in PSPACE for any counting set with exponentially bounded norm and PSPACE-decidable membership. We again use Savitch's Theorem. If the counting set is nonempty, it has an element of size equal to the l-norm of the set. Such an element can be described in polynomial space. Therefore we can guess it and verify the set membership.

Correctness of DO protocols is in Π^p_2
We show that both the single-instance correctness problem and the correctness problem for DO protocols are in Π^p_2. Throughout the section we use the symbol Z, possibly with accents or subscripts, to denote zero-message configurations. As before, we denote the set of zero-message configurations by Z.
We start with a characterization of non-correctness of a protocol for a given input.

Lemma 6.5 Let P be a DO protocol, let ϕ be a predicate, and let D be an input. P does not compute ϕ(D) on input D iff there exist zero-message configurations Z and Z_nc, with Z reachable from I(D), satisfying: (i) Z →* Z_nc; (ii) Z_nc is not a ϕ(D)-consensus; (iii) for every configuration C′ reachable from Z there exists a configuration C such that C′ →* C and C|_Q = Z.

Proof (⇐) Assume that there exist Z, Z_nc satisfying (i)-(iii). We show that no configuration reachable from Z is a stable ϕ(D)-consensus, which implies that P does not compute ϕ(D). Let C̄ be an arbitrary configuration reachable from Z. By consuming all messages of C̄, the protocol can move from C̄ to some zero-message configuration Z̄ and, by (iii), to a configuration C such that C|_Q = Z. By (i), there exists a transition sequence ξ such that Z −ξ→ Z_nc. Since C|_Q = Z, we have C −ξ→ C_nc for some configuration C_nc such that C_nc|_Q = Z_nc (the sequence just "ignores" the messages of C). Summarizing, we have C̄ →* C −ξ→ C_nc, and so in particular C̄ →* C_nc. By (ii) and C_nc|_Q = Z_nc, the configuration C_nc is not a ϕ(D)-consensus, and so C̄ is not a stable ϕ(D)-consensus.

(⇒) Assume that P does not compute ϕ(D) on input D. Let B be a bottom configuration reachable from I(D) with no stable consensus reachable from it. Let Z be an arbitrary zero-message configuration reachable from B. By the assumption that B cannot reach a stable consensus, there is a configuration C_nc with Z →* C_nc which contains an agent with output 1 − ϕ(D). Recall that we always have at least two agents, because configurations of our protocol models are defined as the populations over Q or Q ∪ M, and populations are multisets with at least two elements. Given a configuration C that is not a ϕ(D)-consensus, we can keep one agent of C "aside" that has output 1 − ϕ(D) and let the other agents of C consume all the messages. This method applied to C = C_nc yields a zero-message configuration Z_nc with Z →* C_nc →* Z_nc which is not a ϕ(D)-consensus. This proves properties (i) and (ii). To prove property (iii), observe that B is a bottom configuration, and therefore for every C′ with Z →* C′ we have B →* Z →* C′ and therefore C′ →* B →* Z; we can now take C = Z. □
Theorem 6.6 Single-instance correctness of DO protocols is in Π^p_2.

Proof Let P = (Q, M, δ_r, δ_s, Σ, ι, o) be a DO protocol, let ϕ be a predicate over Pop(Σ), and let D ∈ Pop(Σ) be an input to P. We show that the problem of checking whether P with input D computes ϕ(D) lies in Π^p_2. It suffices to show that the problem of checking the existence of Z and Z_nc satisfying conditions (i)-(iii) of Lemma 6.5 is in Σ^p_2. By the Shortening Theorem for DO protocols (Corollary 4.40), we can guess two configurations Z and Z_nc satisfying (i) and (ii) in polynomial time, by nondeterministically traversing a computation of polynomial length (recall that all configurations reachable from I(D) have the same size as I(D)), and checking in linear time that Z_nc is not a ϕ(D)-consensus. The rest of the proof shows that checking (iii) is in co-NP. We proceed in three steps:

- We define the saturation of a zero-message configuration.
- We replace condition (iii) by an equivalent condition (iv) on the saturation of Z (see Claim 1 below).
- We show that checking (iv) is in co-NP.

Saturation.
Let Z be an arbitrary zero-message configuration, and let |Z| be the number of agents of Z. For every state q ∈ Q such that Z(q) > 0, let one of the agents in q send |Z||Q| + |Q|^2 messages δ_s(q). As long as there are reachable states q that have not yet sent |Z||Q| + |Q|^2 messages, let an agent go to q by a shortest path (which has length at most |Q| − 1, see the proof of Theorem 4.33) and let the agent send |Z||Q| + |Q|^2 messages δ_s(q). The resulting configuration S(Z), called the saturation of Z, has the following properties:
(a) Z →* S(Z).
(b) No message type occurs in a configuration reachable from S(Z) unless it already occurs in S(Z).
(c) If S(Z) →* C, then S(Z) −ξ→ C′ for some configuration C′ such that C′|_Q = C|_Q and some sequence ξ that does not send any messages.
Indeed, for (b), no new message types can be added to S(Z), because otherwise we would have added them during the saturation step. For (c), there are enough messages of each type for the |Z| agents to move to their new states in fewer than |Q| steps each (along shortest paths), so no new messages are needed to reach C′.

From condition (iii) to condition (iv). We claim:
Claim 1 Let Z be a zero-message configuration. Condition (iii) of Lemma 6.5 is equivalent to: (iv) for every zero-message configuration Z′ reachable from Z there exists C such that S(Z′) →* C and C|_Q = Z.
To show that (iv) implies (iii), let C′ be a configuration reachable from Z. By consuming all its messages, from C′ the protocol can reach a zero-message configuration Z′, also reachable from Z. By (iv), there exists C such that S(Z′) →* C and C|_Q = Z. Since Z′ →* S(Z′), we have C′ →* Z′ →* C. So (iii) holds. To prove that (iii) implies (iv), let Z′ be a zero-message configuration reachable from Z. Since Z′ →* S(Z′), the configuration S(Z′) is reachable from Z. By (iii), there exists C such that S(Z′) →* C and C|_Q = Z, and we are done.

Checking (iv) is in co-NP. Condition (iv) states that every zero-message configuration Z′ reachable from Z satisfies the property P(Z, Z′): there exists C such that S(Z′) →* C and C|_Q = Z.
We prove that the negation of (iv), i.e., the existence of a zero-message configuration Z′ reachable from Z satisfying ¬P(Z, Z′), is in NP. By property (c) of the saturation S(Z′) of Z′, checking P(Z, Z′) reduces to deciding if there is a history of length |Q| − 1 whose trajectories transfer the agents from their states in S(Z′) to their states in Z, while sending no messages and consuming only messages in S(Z′). We reduce this question to an integer max-flow problem, which can be solved in polynomial time by, e.g., the Edmonds-Karp algorithm. Consider the following directed graph G_{Z,Z′} with capacities:

- The nodes of G_{Z,Z′} are |Q| copies of Q, written q^(1), q^(2), ..., q^(|Q|) for each q ∈ Q, plus a source node s and a target node t.
- G_{Z,Z′} has edges from s to each q^(1) with capacity S(Z′)(q), and from each q^(|Q|) to t with capacity Z(q).
- For each i = 1, ..., |Q| − 1, G_{Z,Z′} has an edge from q^(i) to q′^(i+1) whenever the protocol has a receive transition from q to q′ that consumes a message of S(Z′), or when q = q′. These edges have infinite capacity.
The flow value in this graph cannot exceed ∑_{q∈Q} S(Z′)(q) = |Z|. Integer flows of value |Z| naturally correspond to histories of length |Q| − 1 leading from S(Z′) to a configuration C such that C|_Q = Z, and vice versa: the flow through an edge (q^(i), q′^(i+1)) gives the number of trajectories τ of the history such that τ(i)τ(i+1) = q q′. So we have: P(Z, Z′) holds iff the maximum integer flow of G_{Z,Z′} is equal to |Z|.
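The flow check just described can be sketched in a few lines. This is an illustrative Python sketch, not the paper's formalization: `receive` (mapping (state, message) pairs to successor states), `agents` (agent counts of the saturation), `msg_types` (message types present in the saturation), and `target` (the state counts of Z) are hypothetical encodings.

```python
from collections import deque, defaultdict

INF = float("inf")

def max_flow(cap, s, t):
    """Edmonds-Karp: repeatedly augment along shortest residual paths."""
    flow = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in list(cap[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        bottleneck, v = INF, t
        while parent[v] is not None:            # find the path's bottleneck
            u = parent[v]
            bottleneck = min(bottleneck, cap[u][v])
            v = u
        v = t
        while parent[v] is not None:            # update residual capacities
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] = cap[v].get(u, 0) + bottleneck
            v = u
        flow += bottleneck

def check_P(states, receive, agents, msg_types, target):
    """True iff the layered graph admits an integer flow moving all agents
    of the saturation to the state counts in `target` within |Q|-1 steps."""
    n = sum(agents.values())
    L = len(states)
    cap = defaultdict(dict)
    for q in states:
        cap["s"][(q, 1)] = agents.get(q, 0)     # layer-1 sources
        cap[(q, L)]["t"] = target.get(q, 0)     # layer-L sinks
        for i in range(1, L):
            cap[(q, i)][(q, i + 1)] = INF       # an agent may stay put
    for (q, m), q2 in receive.items():
        if m in msg_types:                      # message available in saturation
            for i in range(1, L):
                cap[(q, i)][(q2, i + 1)] = INF  # receive m and move q -> q2
    return max_flow(cap, "s", "t") == n
```

The infinite capacities on internal edges reflect the saturation: with |Z||Q| + |Q|² copies of each available message type, message consumption never constrains the flow, so only the source and sink capacities (agent counts) matter.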
We formulate a new characterization of DO correctness, which considers only the reachability of zero-message configurations.

Proposition 6.7 A DO protocol P is correct for a predicate ϕ iff the following holds for b ∈ {0, 1}: post*_z(I_b) ⊆ pre*_z(St^Z_b), where St^Z_b is the set of zero-message configurations Z such that every zero-message configuration reachable from Z has output b.
Proof Notice that post*_z(I_b) is well-defined because DO initial configurations are always zero-message. By definition, St^Z_b is the set of zero-message configurations described by Z \ pre*_z((Conf \ Con_b) ∩ Z). We prove the following claim:

Claim. The set equality St^Z_b = St_b ∩ Z holds.

To prove the inclusion St^Z_b ⊆ St_b ∩ Z, we let Z ∈ St^Z_b, assume Z ∉ St_b, and derive a contradiction. Since Z ∉ St_b, from Z we can reach a configuration C that is not a b-consensus. We show that we can also reach a zero-message configuration that is not a b-consensus. We again use the fact that a configuration contains at least two agents: we can keep one agent of C "aside" that has output 1 − b, and let the other agents of C consume all the messages. This is possible because δ_r is a total function. Thus C, and hence Z, can reach a configuration of (Conf \ Con_b) ∩ Z, contradicting Z ∈ St^Z_b.
Conversely, let Z ∈ St_b ∩ Z, and assume Z ∉ St^Z_b. Then Z can reach a configuration of (Conf \ Con_b) ∩ Z, which is in particular a configuration outside Con_b. This contradicts Z ∈ St_b, and so the claim is proved.
Recall the characterization of correctness in Proposition 2.12, which states that a DO protocol P is correct for a predicate ϕ if and only if post*(I_b) ⊆ pre*(St_b) for b ∈ {0, 1}. We use the claim above to show that this holds iff post*_z(I_b) ⊆ pre*_z(St^Z_b) for b ∈ {0, 1}. Suppose post*(I_b) ⊆ pre*(St_b) holds, and let Z ∈ post*_z(I_b) ⊆ post*(I_b). Then Z →* C for some C ∈ St_b. Because δ_r is a total function, we can let the agents of C consume all the messages, so that C →* Z′ for some zero-message configuration Z′. All configurations reachable from C are in St_b, so Z′ ∈ St_b ∩ Z = St^Z_b by the claim, and we are done. Suppose post*_z(I_b) ⊆ pre*_z(St^Z_b) holds. Let C be a configuration of post*(I_b). As before, we let the agents of C consume all its messages, so that C →* Z for some zero-message configuration Z, which is thus in post*_z(I_b). By assumption, Z reaches some configuration of St^Z_b = St_b ∩ Z ⊆ St_b, and so C ∈ pre*(St_b).

Theorem 6.8 The correctness problem for DO protocols is in Π₂ᵖ.

Proof We prove that the non-correctness problem for DO protocols is in Σ₂ᵖ. Let P be a DO protocol and let ϕ be a predicate. By definition, P is not correct if there exists an input D ∈ Pop(Σ) such that P does not compute ϕ(D) on input D. (Observe that, by the definition of DO protocols, the initial configuration I(D) is a zero-message configuration.) We start with a claim:

Claim. If such an input D exists, then it can be chosen of polynomial size in P and ϕ.
By Proposition 6.7, P computes ϕ if and only if post*_z(I_b) ⊆ pre*_z(St^Z_b) for b ∈ {0, 1} (4). We show that if (4) does not hold, then post*_z(I_b) \ pre*_z(St^Z_b) contains a zero-message configuration of polynomial size. By Lemma 6.1, Con_b|_Q and I_b|_Q are counting sets with norms of linear size in the size of P and ϕ. The sets Con_b|_Q and I_b|_Q are the projections onto N^Q of the sets Con_b ∩ Z and I_b, respectively. Thus, by Proposition 5.2 and Corollary 5.7, the set post*_z(I_b) is represented by a counting constraint Γ whose ℓ-norm is polynomial in P and ϕ. So if (4) does not hold, then the set post*_z(I_b) \ pre*_z(St^Z_b) contains a zero-message configuration with at most ‖Γ‖_ℓ agents, and the claim is proved. By Lemma 6.5 and the claim, P does not compute ϕ iff there exists an input D of polynomial size in P and ϕ such that there exist zero-message configurations Z, Z_nc satisfying conditions (i)-(iii) of the lemma. By Theorem 6.6, checking the existence of Z and Z_nc for a given input D lies in Σ₂ᵖ. Since the input D and the boolean b ∈ {0, 1} can be guessed in polynomial time in P and ϕ, checking that P does not compute ϕ also lies in Σ₂ᵖ.

Correctness of transmission-based models is TOWER-hard
In this section we establish lower bounds for the complexity of the correctness problem for the different variants of transmission protocols. We show that deciding correctness for delayed- and queued-transmission protocols is TOWER-hard, even in the single-instance case, and that the general correctness problem is TOWER-hard for all three variants (immediate, delayed, queued) of transmission protocols. In order to establish these lower bounds, we make use of the fact that the reachability problem for VASS (vector addition systems with states) is TOWER-hard [24]. A VASS of some fixed dimension k ∈ N can be described as a pair (Q, T), where Q is a finite set of states and T ⊆ Q × Z^k × Q is a transition relation. We write q −v→ r whenever (q, v, r) ∈ T. Furthermore, for two vectors w, w′ ∈ N^k and states q, q′ ∈ Q, we write (q, w) → (q′, w′) whenever there exists a vector v such that q −v→ q′ and w′ = w + v. As usual, →* denotes the reflexive-transitive closure of →. The reachability problem for VASS is the following: given a VASS of dimension k, vectors v, w ∈ N^k, and states q, r, does (q, v) →* (r, w) hold?
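The step relation just defined can be implemented directly. The following Python sketch (with a toy encoding of transitions as triples (q, v, r)) explores reachability by brute force; this is of course only feasible for tiny instances, since the problem is TOWER-hard in general.

```python
from collections import deque

def successors(conf, transitions):
    """One VASS step: apply any transition whose effect keeps counters >= 0."""
    q, w = conf
    for (p, v, r) in transitions:
        if p == q:
            w2 = tuple(a + b for a, b in zip(w, v))
            if all(x >= 0 for x in w2):
                yield (r, w2)

def reaches(src, tgt, transitions, bound=10_000):
    """Naive breadth-first search, exploring at most `bound` configurations.
    Only usable as a toy: reachability is TOWER-hard in general."""
    seen = {src}
    queue = deque([src])
    while queue and len(seen) <= bound:
        conf = queue.popleft()
        if conf == tgt:
            return True
        for nxt in successors(conf, transitions):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return tgt in seen
```

The `bound` parameter is a hypothetical cutoff: a VASS with an unbounded pumping loop has infinitely many reachable configurations, so the naive search must be truncated.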

Proposition 7.1 The reachability problem for VASS is polynomial-time reducible to the following problem: given a ±1-VASS N (a VASS whose transition vectors are either 0 or ±e_i for a unit vector e_i) and states r_0, r of N, does (r_0, 0) →* (r, 0) hold?

Proof The reduction is rather straightforward; details can be found in the "Appendix E".
To simplify the coming proofs, we introduce nondeterministic delayed-transmission protocols. The definition of the nondeterministic version is identical to the deterministic version except that δ s now maps to sets of message/state pairs, δ r maps to a non-empty set of states, and the scheduler must choose nondeterministically from these sets whenever a message is sent or received.
Nondeterminism adds no expressive power to delayed-transmission protocols, as the following proposition shows:

Proposition 7.2 For every nondeterministic DT protocol P there exists a deterministic DT protocol P′ that computes the same predicate as P. Moreover, P′ can be constructed in polynomial time.
Proof Let P = (Q, M, δ_s, δ_r, Σ, ι, o). In order to simulate the nondeterminism of P in P′, each state q ∈ Q is annotated with a round counter i ranging from 1 to n, where n is the maximal number of nondeterministic choices per state. When an agent sends or receives a message from M, the counter i determines the choice to be made. Additionally, agents may send and receive a special message increment. Whenever an agent receives the message increment, its round counter is incremented by one, that is, i is set to (i mod n) + 1. To ensure full simulation of nondeterminism, we must ensure that there are always enough increment messages in circulation. We achieve this by letting every agent emit an increment message at the start of the computation, and by enforcing re-emission of an increment message after receiving one. Whether an agent must send an increment message is governed by an additional bit, which the agent stores in its state. We provide the full construction in the "Appendix E".
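The round-counter mechanism can be sketched as follows; `ndelta_r` (the nondeterministic receive function, mapping (state, message) pairs to lists of successor states) and the pair encoding of annotated states are hypothetical names used only for illustration.

```python
def det_receive(state, msg, ndelta_r, n):
    """Deterministic receive step of the simulating protocol.
    `state` is a pair (q, i): the original state plus a round counter in 1..n."""
    q, i = state
    if msg == "increment":
        return (q, (i % n) + 1)                    # bump the round counter
    choices = ndelta_r[(q, msg)]
    # the counter selects which nondeterministic branch is taken
    return (choices[(i - 1) % len(choices)], i)
```

Because agents keep injecting increment messages, every value of the round counter, and hence every nondeterministic branch, remains available infinitely often, which is what the fairness-based simulation argument needs.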
We show:

Proposition 7.3 Given a ±1-VASS N and states r_0, r of N, one can construct in polynomial time a nondeterministic DT protocol P and an initial configuration C_0 such that P does not converge to 1 for C_0 if and only if (r_0, 0) →* (r, 0).

Proof Intuitively, the protocol P simulates the ±1-VASS in a population of size 1, with the current control state of N stored in the state of the single agent, and the current counter vector represented in the message pool by messages denoted 1, ..., k. For example, if the configuration of the machine is (q, (6, 4)), then the agent is in state q, and the message pool contains 6 messages denoted by 1 and 4 messages denoted by 2. Incrementing/decrementing a counter is implemented by sending/receiving messages.
When the agent reaches state r, it can nondeterministically guess that the current vector is 0, and then alternate indefinitely between a false and a true state, say r⊥ and r⊤, which constitutes a non-stabilizing fair execution in the case where (r_0, 0) →* (r, 0) holds. If the agent makes a wrong guess, then the message pool is non-empty at that time, and by fairness the agent eventually receives a message, which lets the agent move to a permanent true state, say ⊤. This ensures that every fair execution converges to 1 in the case where (r_0, 0) →* (r, 0) does not hold. Let us now define P formally. Given the ±1-VASS N of some dimension k and the states r_0, r, the protocol P = (Q, M, δ_s, δ_r, Σ, ι, o) is constructed so that the agent's sends and receives implement the transitions of N as described above; δ_r leaves the agent's state unchanged in all remaining cases.
We define the initial configuration by setting C_0 := r_0. We associate a configuration C ∈ Pop({1, ..., k}) of the message pool with its corresponding vector in N^k via the bijection ϕ : Pop({1, ..., k}) → N^k given by ϕ(C) := (C(1), ..., C(k)). By construction, for all states q, q′ ∈ Q_N and all vectors v, v′ ∈ N^k, we have (q, v) → (q′, v′) in N if and only if the protocol configuration with the agent in state q and message pool ϕ^{−1}(v) can step to the configuration with the agent in state q′ and message pool ϕ^{−1}(v′). It remains to prove that P does not converge to 1 for C_0 = r_0 if and only if (r_0, 0) →* (r, 0). We only prove the direction (⇐); the converse direction is similar. Assume (r_0, 0) →* (r, 0) holds. Then, by the previous consideration, we have C_0 →* r, and from r the agent can alternate between r⊥ and r⊤ forever. The resulting execution is fair, but does not converge to a consensus, as o(r⊤) ≠ o(r⊥). Hence P does not converge to 1 for C_0, which concludes the proof for this direction.
Formally, the population should have at least two agents. One way to resolve this problem is to add an extra state ⊥ with output 0, and an extra agent starting in ⊥. This agent never sends messages, and if it ever receives a message, it switches to ⊤. We can let ⊤ send a special message m turning the other agent into ⊤ as well. If there is a finite execution producing r⊥ and leaving no messages in transit, it exists despite the presence of the extra ⊥ agent; otherwise we reach ⊤ as before.
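The encoding of ±1-VASS configurations into single-agent protocol configurations described above can be sketched by replaying a given run; `transitions` are triples (p, v, r) as in the VASS definition, and the multiset encoding is a hypothetical illustration.

```python
from collections import Counter

def replay(transitions, start, script):
    """Replay a ±1-VASS run in the message-pool encoding: the agent's state
    is the control state, and counter j holds the number of messages j in
    transit. `script` lists the indices of the transitions to fire."""
    state, pool = start, Counter()
    for idx in script:
        p, v, r = transitions[idx]
        assert state == p, "transition not enabled in this control state"
        for j, d in enumerate(v):
            if d == +1:
                pool[j] += 1              # increment: the agent sends message j
            elif d == -1:
                assert pool[j] > 0, "counter would go negative"
                pool[j] -= 1              # decrement: the agent receives message j
        state = r
    return state, +pool                   # +pool drops zero entries
```

Reaching the target control state with an empty pool corresponds exactly to reaching (r, 0) in the VASS, which is the event the protocol's nondeterministic guess tests.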
Combining the previously established propositions, we obtain:

Theorem 7.4 The single-instance correctness problem is TOWER-hard for DT and QT protocols.
Proof Since delayed-transmission protocols are a subclass of queued-transmission protocols, it suffices to show the claim for delayed-transmission protocols. By Propositions 7.1 and 7.3, the TOWER-hard reachability problem for VASS is polynomially Turing-reducible to single-instance correctness of delayed-transmission protocols. This proves the theorem.
We establish the same hardness result for the general correctness problem:

Theorem 7.5 The correctness problem for DT and QT protocols is TOWER-hard.
Proof Since delayed-transmission protocols are a subclass of queued-transmission protocols, we only need to prove the theorem for delayed-transmission protocols. In the "Appendix E" we prove the following claim: for every delayed-transmission protocol P = (Q, M, δ_r, δ_s, Σ, ι, o) and every initial configuration C ∈ Pop(I), one can construct in polynomial time a delayed-transmission protocol P′ = (Q′, M′, δ′_r, δ′_s, Σ, ι′, o′) such that P′ computes the constant 1 if and only if P converges to 1 for the single instance C. By Theorem 7.4, the claim entails Theorem 7.5, and we are done.
Perhaps surprisingly, even in the restricted setting of immediate-transmission protocols, the general correctness problem remains TOWER-hard:

Theorem 7.6 The correctness problem for IT protocols is TOWER-hard.
Proof Let N = (Q, T) be a ±1-VASS and let q, r ∈ Q. We claim that we can construct in polynomial time an immediate-transmission protocol P that computes the constant 1 if and only if (q, 0) →* (r, 0) does not hold. The claim entails the theorem by Proposition 7.1 and the TOWER-hardness of VASS reachability. In the "Appendix E" we provide a construction that shows the claim.
On the other hand, the single-instance correctness problem for immediate transmission protocols is not TOWER-hard. It is in fact PSPACE-complete.

Theorem 7.7 The single-instance correctness problem for IT protocols is PSPACE-complete.
Proof Let P = (Q, δ, Σ, ι, o) be an IT protocol, ϕ a predicate over Pop(Σ) and C 0 a configuration. We reuse the notation of Sect. 6, and let C 0 be a configuration in I b for b ∈ {0, 1}, i.e. a fair execution starting in C 0 must converge to b if the protocol is correct. The proof is the same as for single-instance correctness of IO protocols in Theorem 6.4: using the correctness characterization of Proposition 2.12, we guess a configuration C of size |C 0 | and check that it is in the intersection post * (I b ) ∩ pre * (St b ) using NPSPACE procedures. The only difference with the IO proof lies in the step relation, which remains checkable in polynomial time.
PSPACE-hardness follows from the fact that IO protocols are IT protocols, and the hardness result of Theorem 3.3.

Decidability of correctness for PP and DT protocols
We present a generic result showing that the correctness problem is decidable for a class of protocols satisfying certain properties. All protocol models considered in this paper, with the exception of QT, satisfy them. The proof closely follows the one of [32] for standard population protocols. However, the presentation emphasizes the role played by each of the properties, allowing us to pinpoint why the proof of [32] generalizes to DT protocols, but not to QT protocols. While we leave the decidability of correctness for QT open, we also argue that the notion of fairness chosen in [7], and also used in our paper, is questionable for QT, making the correctness problem for QT less interesting than for the other five models.
Recall the property defined in Sect. 2.6: a protocol is well-behaved if every fair execution contains a bottom configuration. We introduce a further property: a protocol is finitely generated if there is a finite set Δ ⊆ Z^k such that (C, C′) ∈ Step iff C′ − C ∈ Δ; we then say that Step is generated by Δ. We call a protocol that is well-behaved, finitely generated, and input/output-Presburger a WFP-protocol.
Recall the characterization of correctness for well-behaved protocols that we obtained in Proposition 2.13:

Proposition 7.9 Let P be a well-behaved generalized protocol and let ϕ be a predicate. P computes ϕ iff for every b ∈ {0, 1} the set B \ B_b is not reachable from I_b.
We show that this reachability condition is decidable for WFP-protocols. Observe that a finitely generated protocol P = (Conf, Σ, Step, I, O) can easily be represented as a VAS. Indeed, if Conf ⊆ N^k and Step is generated by Δ, then the VAS has dimension k and Δ as its set of transitions. Using this fact, and the powerful result stating the decidability of the reachability problem in a VAS between effectively Presburger sets of configurations, we obtain:

Proposition 7.10 ([32]) Let C, C′ be two effectively Presburger sets of configurations of a finitely generated protocol. It is decidable whether some configuration of C′ is reachable from some configuration of C.

By Proposition 7.10, in order to prove the decidability of correctness it suffices to show that the sets I(ϕ^{−1}(b)) and B \ B_b of a WFP-protocol are effectively Presburger. That I(ϕ^{−1}(b)) is effectively Presburger holds by the definition of WFP-protocols (recall that ϕ^{−1}(b) is always a Presburger set). It remains to show that B \ B_b is effectively Presburger. Since effectively Presburger sets are closed under boolean operations, it suffices to show that B and B_b are effectively Presburger. This is a nontrivial result, but it is already proved in [32]:

Proposition 7.11 ([32], Proposition 14)
There is an algorithm that takes as input a finitely generated, output-Presburger protocol, and returns Presburger predicates denoting the sets B, B 0 , and B 1 .
So we finally obtain:

Theorem 7.12 The correctness problem is decidable for WFP-protocols.

Applying Theorem 7.12 we can easily prove that the correctness problem is decidable for PP and DT. Indeed, PP protocols and DT protocols are WFP, as they are well-behaved by Lemma 2.9, and finitely generated and input/output-Presburger by hypothesis. Since IT and IO are subclasses of PP and DO is a subclass of DT, the proof is valid for them as well.

Corollary 7.13 The correctness problem is decidable for PP, DT, and their subclasses.
However, queued-transmission protocols are not necessarily well-behaved (as shown in Example 2.10), and so not necessarily WFP. To the best of our knowledge, the decidability of the well-specification and correctness problems for queued-transmission protocols is currently open. At the same time, Example 2.10 shows that our fairness condition is questionable for queued-transmission models: an execution C_0, C_1, ... in which only one agent acts, even if other agents have enabled actions in C_i for every i ≥ 0, can still be fair. Is the fairness notion of [7] adequate for queued-transmission protocols?

Correctness in probabilistic models
In [7], Angluin et al. state that the fairness condition "may be viewed as an attempt to capture useful probability 1 properties in a probability-free model". Indeed, population protocols are often introduced in a probabilistic setting, which assigns a probability to the set of executions that converge to a value. Once a probabilistic model is fixed, we have two different definitions of when a protocol P computes a predicate ϕ:

- P f-computes ϕ if for every input σ ∈ Pop(Σ), every fair execution starting at I(σ) converges to ϕ(σ).
- P p-computes ϕ if for every input σ ∈ Pop(Σ), the set of all executions starting at I(σ) that converge to ϕ(σ) has probability 1.
The question whether the fairness condition is adequate for a class of protocols can now be rephrased as: do f-computation and p-computation coincide for the class? In this section we examine this question in some detail.
In order to formalize a probabilistic protocol model we must specify the random experiment that determines the next step carried out by the protocol. For standard population protocols there is agreement in the literature on the experiment: at each step two agents of the population are chosen uniformly at random, and they interact. However, for the delayed- and queued-transmission models there is no canonical experiment. We consider the following family of random experiments, parameterized by a probability p.

Definition 7.14 Let P = (Q, M, δ_s, δ_r, I, O) be a queued-transmission protocol, and let 0 < p < 1. For every state q ∈ Q, let R(q) denote the set of messages that an agent can receive in state q. The s:p/r:(1−p) probabilistic model³ is described by the following random experiment. Assume the current configuration is C. First, choose an agent uniformly at random, and let q be its current state; then:

- with probability p, let the agent send the message specified by the send function;
- with probability 1 − p: if R(q) ≠ ∅, choose a message uniformly at random among the messages in transit, i.e., with each m ∈ R(q) drawn with probability proportional to its multiplicity C(m), and let the agent receive it; otherwise, the agent does nothing.
Recall that in the delayed-transmission model we have R(q) = M for every state q, i.e., agents can never refuse to receive a message.

³ Short for "send with probability p, receive with probability (1 − p)".
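One step of the experiment in Definition 7.14 can be sketched as follows. This is an illustrative encoding, not the paper's formalization: `delta_s` (returning a message/state pair), `delta_r`, and `R` are hypothetical names for the send function, receive function, and receivable-message map.

```python
import random

def step(agents, pool, delta_s, delta_r, R, p, rng):
    """One step of the s:p/r:(1-p) experiment: pick an agent uniformly at
    random; send with probability p, otherwise receive a message chosen
    proportionally to its multiplicity among the receivable ones."""
    i = rng.randrange(len(agents))
    q = agents[i]
    if rng.random() < p:
        m, q2 = delta_s[q]                          # send
        pool[m] = pool.get(m, 0) + 1
        agents[i] = q2
    else:
        receivable = [m for m in R(q) if pool.get(m, 0) > 0]
        if receivable:                              # otherwise: do nothing
            m = rng.choices(receivable, weights=[pool[m] for m in receivable])[0]
            pool[m] -= 1
            agents[i] = delta_r[(q, m)]
    return agents, pool
```

For a delayed-transmission protocol one would take `R(q) = M` for every state, so that a receive step is blocked only when the pool is empty.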
In the rest of the section we examine the relation between f-computation and p-computation for our protocol models, and obtain the following results: -For standard population protocols and their subclasses, f-computation and p-computation coincide. -For delayed-transmission protocols and s:p/r:(1-p) models, f-computation and p-computation coincide iff p ≤ 1/2. -For queued-transmission protocols, f-computation and p-computation are incomparable notions under fairly general conditions on probabilistic models. In particular, there are protocols that f-compute a predicate but do not p-compute any predicate in any s:p/r:(1-p) model, and vice-versa.

Standard population protocols.
Recall that in the probabilistic model at each step two agents are chosen uniformly at random. We have:

Proposition 7.15
Let P be a standard population protocol, and let ϕ be a predicate. P f-computes ϕ iff P p-computes ϕ.
Proof By Proposition 2.13, P f-computes ϕ iff for every input a the set B \ B ϕ(a) is not reachable from I (a). We show that this is the case iff P p-computes ϕ.
Since every configuration of a standard population protocol has a finite number of successors, an execution starting at I(a) almost surely visits a bottom configuration. So P p-computes ϕ iff the set of executions visiting B_{ϕ(a)} has probability 1. Since every finite execution leading from I(a) to a configuration of B has positive probability, this is the case iff B \ B_{ϕ(a)} is not reachable from I(a).

Lemma 7.16 Let P be a delayed-transmission protocol in the s:p/r:(1-p) model with p ≤ 1/2. With probability 1, an execution of P visits infinitely often configurations with no messages in transit.
Proof We prove that the number k of messages in transit behaves similarly to a random walk in which the probability of reducing k is at least as high as the probability of increasing it.
For a configuration C, let Pr(C) denote the probability that an execution starting from C only visits configurations with at least one message in transit. Further, let Pr(n, k) be the maximum value of Pr(C) among all configurations with n agents and k messages in transit. Observe that Pr(n, 0) = 0, because in this case C itself has no messages in transit. We prove that Pr(n, k) = 0 for every k ≥ 0, which is equivalent to the statement of the lemma.
Let n and k > 0, and let C_max be a configuration with n agents and k messages satisfying Pr(C_max) = Pr(n, k). A step from configuration C_max consumes a message with probability 1 − p ≥ 1/2 (in a delayed-transmission protocol an agent can always receive any message), and produces a message with probability p ≤ 1/2. So we have Pr(n, k) = Pr(C_max) ≤ (1 − p) Pr(n, k − 1) + p Pr(n, k + 1). The right side is the weighted average of Pr(n, k − 1) and Pr(n, k + 1), with weight p between 0 and 1/2. It can be bounded by the weighted average for one of the extremal values of p, and so we have Pr(n, k) < Pr(n, k − 1) or Pr(n, k) ≤ 1/2 · Pr(n, k − 1) + 1/2 · Pr(n, k + 1). Rewriting the second case, we finally obtain that the following disjunction holds for all n and k > 0: Pr(n, k) < Pr(n, k − 1) or Pr(n, k + 1) − Pr(n, k) ≥ Pr(n, k) − Pr(n, k − 1).
Assume there is a smallest number z such that Pr(n, z) > 0 and Pr(n, z − 1) = 0. Then, by the disjunction above and Pr(n, z) − Pr(n, z − 1) = Pr(n, z), we have Pr(n, z + i) ≥ (i + 1)Pr(n, z) for every i ≥ 0 (easy induction on i). This contradicts that 1 ≥ Pr(n, z + i) holds for every i ≥ 0, and so z does not exist. Since Pr(n, 0) = 0 by definition, we have Pr(n, k) = 0 for every k ≥ 0.
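Lemma 7.16's claim can be illustrated (not proved) by simulating the walk on the number of messages in transit. The simulation below, with the hypothetical drift parameter p = 0.4 < 1/2, is a sanity check only and plays no role in the argument.

```python
import random

def returns_to_zero(p, k0, max_steps, rng):
    """Walk on the number k of messages in transit: while k > 0, a step adds
    a message with probability p and removes one with probability 1 - p.
    Returns True iff k hits zero within max_steps steps."""
    k = k0
    for _ in range(max_steps):
        if k == 0:
            return True
        k += 1 if rng.random() < p else -1
    return k == 0

rng = random.Random(1)
hits = sum(returns_to_zero(0.4, 5, 100_000, rng) for _ in range(50))
```

With p < 1/2 the walk has strictly negative drift, so every simulated run returns to zero quickly; with p > 1/2 the count instead grows linearly with positive probability, which is exactly the failure mode exploited in the example below Proposition 7.17.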

Proposition 7.17
Let P be a delayed-transmission protocol in a s:p/r:(1-p) model with p ≤ 1/2, and let ϕ be a predicate. P f-computes ϕ iff P p-computes ϕ.
Proof Assume P f-computes ϕ. We show that it p-computes ϕ. For this it suffices to show that for every initial configuration C 0 the set of fair executions starting at C 0 has probability 1, or, in other words, that an execution is fair with probability 1.
Fix an initial configuration C_0, and let C be an arbitrary configuration. Let Z be the set of configurations reachable from C_0 with zero messages in transit. Since the number of agents remains constant, Z is finite. For each Z ∈ Z, either C is unreachable from Z, or there is a shortest sequence of transitions leading from Z to C (possibly not unique). Such a sequence has a positive probability of occurring from Z. Let p_min be the minimum over all Z ∈ Z of the probabilities of these shortest paths, and let ℓ be the maximum length of a shortest path. By Lemma 7.16, an execution starting at C_0 reaches a configuration Z_1 ∈ Z with probability 1. Either C is unreachable from Z_1, or the probability of reaching C in at most ℓ steps is at least p_min. If C is not reached within ℓ steps but remains reachable, with probability 1 we reach a configuration Z_2 ∈ Z from Z_1. Iterating this reasoning, we observe that the execution visits a sequence of configurations Z_1, Z_2, ... ∈ Z such that for every Z_i, the probability that in the next ℓ steps C is reached or becomes unreachable is at least p_min. Therefore, the event "C becomes unreachable or is reached infinitely often" has probability 1. So an execution is fair with probability 1.
Assume P does not f-compute ϕ. We show that it does not p-compute ϕ. Since P does not f-compute ϕ, there is a fair execution π that does not converge to the value specified by ϕ, call it b. Let C 0 be the initial configuration of π and, as above, let Z be the finite set of configurations reachable from C 0 with zero messages in transit. Further, let Rec(π ) be the set of configurations of Z that occur in π infinitely often.
Since P is a delayed-transmission protocol, every configuration of π can reach some configuration of Z. Therefore, by fairness and the finiteness of Z, Rec(π) ≠ ∅, and Rec(π) is closed under reachability. We claim that an execution that reaches Rec(π) converges to b with probability 0. Since there is a positive probability that an execution reaches Rec(π), it follows that P does not p-compute ϕ. To prove the claim, observe that, since π does not converge to b, some configuration C reachable from Rec(π) is not a b-consensus. Since Rec(π) is finite, there exists p′ > 0 such that C is reachable from every configuration of Rec(π) with probability at least p′. Therefore, an execution that reaches Rec(π) visits C infinitely many times with probability 1, and so it converges to b with probability 0.
Consider the input configuration q_2.

For the sake of simplicity we allow configurations with a single agent; the behaviour is qualitatively the same for multiple agents (as required by the definition of a population), up to some technicalities in the probability calculations.

In each configuration of each execution, the sum of the index of the state and the number of messages of type b is equal to 2. This protocol does not f-compute any value on q_2: the configuration q_2 with no messages is reachable from each configuration in the execution, as is the configuration (q_0, b, b) with two messages of type b. These two configurations occur infinitely often in each fair execution and have different output values.
The proof that an execution from q_2 converges with probability 1 if p > 1/2 is based on the following observations.
- The number of messages changes independently of the state changes, so it follows a biased random walk with linear growth.
- The state q_0 can always be reached with probability at least 1/4, and so it is reached infinitely many times.
- Going from q_0 to q_2 requires receiving two messages b without sending in between.
- The probability of receiving two messages b is proportional to 1/n², where n is the number of messages. The series ∑_{n≥1} 1/n² converges, so with probability 1 the state q_2 is only observed a finite number of times.
We show that, therefore, q_2 occurs only a finite number of times with probability 1, and that the protocol p-computes the value 0. The rest of the proof presents this argument in detail; it is purely technical and can be found in the "Appendix F".
Queued-transmission protocols. Unfortunately, in queued-transmission protocols there is no useful relation between f-computation and p-computation. We show this with the help of two examples. The first one p-computes a predicate in every model from a general class, but does not f-compute any predicate. The second f-computes a predicate, but does not p-compute any predicate in any probabilistic model from the same general class.

Definition 7.19 A probabilistic model of execution for queued-transmission protocols is:

- positive if for every configuration C every step C → C′ has positive probability;
- markovian if for every configuration C the probability of a step C → C′ is independent of the previous history;
- bounded if for every n ≥ 1 and α > 0 there is c(n, α) > 0 with the following property: for every configuration with n agents and at least one message in transit, if the fraction of messages receivable by at least one agent is larger than α, then the probability of receiving a message is at least c(n, α);
- uniform if for every configuration C and agent a, every message in transit that can be received by a at C is received with the same probability.
In the following constructions we again use single-agent configurations. We implicitly assume that an agent in a special state, which can neither send nor receive, is always added to the configuration to obtain a valid population. In this protocol, the unique agent sends messages until it receives a message and moves to q_1. Note that all messages are receivable by the agent in state q_0. In any positive, bounded, markovian model the agent eventually reaches q_1 with probability 1 and stays there. So the protocol p-computes the value 1 on input q_0. We show that the protocol does not f-compute any value on this input, because it has a fair execution converging to 0 as well as fair executions converging to 1. The fair executions converging to 1 are those in which the agent reaches q_1. The unique fair execution converging to 0 is the one in which the agent stays in q_0 forever. To prove that this execution is fair, observe that (a) along the execution the number of messages grows continuously, and (b) every configuration reachable from a configuration of the execution with m messages in transit has at least m − 1 messages in transit. So no configuration of the protocol is reachable from infinitely many configurations of the execution.
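The example just discussed can be simulated directly. In the sketch below (a hypothetical encoding under an s:p/r:(1−p)-style model), the agent in q0 sends with probability p and otherwise receives one of its own messages, moving permanently to q1.

```python
import random

def simulate(p, max_steps, rng):
    """Single agent: in q0, send with probability p; with probability 1 - p
    receive a message (if any is in transit) and move to q1 for good."""
    state, in_transit = "q0", 0
    for _ in range(max_steps):
        if state == "q1":
            break                      # q1 neither sends nor receives
        if rng.random() < p:
            in_transit += 1            # send one more message
        elif in_transit > 0:
            in_transit -= 1            # receive: switch to q1
            state = "q1"
    return state
```

In any positive model the simulated agent reaches q1 almost surely, matching the p-computation claim; the single fair execution converging to 0 is the measure-zero one in which the send branch is taken at every step.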

Proposition 7.22
There is a queued-transmission protocol P that f-computes the value 1 on a certain input, but that does not p-compute any value on this input in any positive, markovian and uniform model.
The output function maps q to 1 and all other states to 0. Consider the input configuration q_0. In this protocol, starting from q_0, every configuration can reach the configuration q, in which the unique agent is in state q and there are no messages in transit. So every fair execution eventually reaches q and, since no message can be sent from q, stays in it forever. Therefore, the protocol f-computes the value 1 on input q_0. We now show that the protocol does not p-compute any value on the same input in any positive, markovian, uniform model. Indeed, after reaching the state q_0 the execution must proceed to the state q_2, creating two messages of types p and m. The only way to proceed is to receive either p or m, which in uniform models is equally likely. Afterwards, both p and m are consumed, and either three messages of type c or none are created. To proceed, the agent needs to receive a message of type c. The number of messages of type c thus follows a random walk with possible changes +2 and −1 until it tries to go below zero. There is a positive probability that it never returns to zero and grows linearly. In this case all the states are visited infinitely many times, so the protocol does not p-compute any value.
These propositions show that the correctness problem for probabilistic queued-transmission protocols cannot be reduced to the same problem for the fairness-based model. So in the queued-transmission model fairness does not capture useful probability-1 properties, which casts doubt on the interest of the fairness-based, probability-free model. At the same time, it raises the question of the decidability of correctness for probabilistic queued-transmission protocols. Cummings, Doty and Soloveichik have recently proved that Chemical Reaction Networks can compute with probability 1 a superset of the Turing-computable functions [23], and using this result we can easily prove that correctness is undecidable.

Theorem 7.23
In any positive, markovian, and uniform probabilistic model, the single-instance correctness problem for queued-transmission protocols is undecidable.
Proof We only sketch the argument. According to [23], binary chemical reaction networks with uniform rates can p-compute all recursively enumerable predicates (in fact even more, see [23]). In such a network we are initially given a set of chemical reactions, e.g. A + B → 2C + D + E, and a multiset of molecules of different species (A, B, C, …). At every step, two molecules are picked uniformly at random and allowed to interact according to one of the reactions, which results in an arbitrary number of product molecules. A binary chemical reaction network can be modelled by a queued-transmission protocol with a single agent. Molecules are modelled by messages. The agent sends an initial set of messages, which corresponds to the initial multiset of molecules, and moves to a new state, from which it repeatedly receives two randomly chosen messages and sends the products of the reaction. At each step the agent can either only send or only receive, and if it can receive it can receive any message. Uniformity and the Markov property guarantee that each pair of messages is selected with equal probability regardless of the details of the model, and positivity ensures that the protocol makes progress in modelling the chemical reaction network. As every binary reaction network can be modelled in this way, and the problem of checking whether a Turing machine computes the constant true function is undecidable, the result follows.

Related models and approaches
We have studied the correctness problem for the population protocol models introduced by Angluin et al. in [7]. Section 2 of [7] presents a detailed comparison with other models, focusing on expressivity questions. In this section we discuss work on models that are related to those of [7], and moreover address verification questions.
The IO and DO observation models of [7] are closely related to Reconfigurable Broadcast Networks (RBN), introduced by Delzanno et al. in [27], and further studied in [11,26]. In RBNs, networks of finite-state agents communicate through broadcast. The network is modeled as an undirected graph G = (V, E), with an agent at each node of V . An agent in state q can execute a transition q −a!!→ q ′, which broadcasts the message a to all neighbours and updates the state of the agent to q ′. All neighbours of the agent must react to the message according to transitions of the form r −a??→ r ′ for every state r . The crucial feature of RBNs is that between any two broadcasts the network can nondeterministically reconfigure itself into any other network with the same set of nodes. This makes RBNs equivalent to symmetric, fully connected networks in which agents nondeterministically choose whether to react to a broadcast or not. Symmetry makes the agents indistinguishable, and so the configuration of an RBN is completely determined by the number of agents in each state. As a consequence, given an instance of an IO protocol with n agents, one can construct an equivalent RBN as follows. The network has n nodes. Every state q 1 of the protocol gets a broadcast transition q 1 −a_{q1}!!→ q 1 ; every IO transition in which an agent moves from q 2 to q ′ 2 upon observing an agent in state q 1 becomes a receive transition q 2 −a_{q1}??→ q ′ 2 ; and every other state q ignores the message via q −a_{q1}??→ q. So IO protocols are a special case of RBNs. However, the analysis problems we study are more general than the ones studied in [11,26,27]. The parameterized reachability problem studied in [27] corresponds to the question whether a given counting set is reachable from a cube [L, U ] such that L(q) = 0 and U (q) ∈ {0, ∞} for every state q (i.e., from configurations that can put arbitrarily many agents in some states, and no agent in others). We solve the more general problem of reachability between two arbitrary counting sets. Further, our solution allows us to prove that counting sets are closed under reachability, a question not considered in [27].
The results of [11] on minimal length of covering executions have the same flavour as our Shortening Theorem for IO, but only consider the case in which the configuration C to be covered satisfies C(q) ∈ {0, 1} for every state q. We conjecture that at least some of our results extend to RBNs, and leave this question for future research.
The standard population protocol model is closely related to Petri nets and Vector Addition Systems. The decidability of correctness for PP is proved in [32] using results of Leroux and others on reversible and cyclic Petri nets [39,40]. The TOWER-hard lower bound is also proved in [32], by reduction from the reachability problem for Petri nets, which is shown to be TOWER-hard in [25]. Practical verification algorithms for PP have been given in [14,15,17]. The complexity of other verification problems beyond correctness is studied in [31].
Population protocols are also closely related to Chemical Reaction Networks [47]. Our result on the undecidability of correctness of queued-transmission protocols in positive, markovian and uniform probabilistic models is based on the results on the computational power of Chemical Reaction Networks by Cummings et al. [23].
After Angluin et al. proved in [7] that population protocols can only compute Presburger predicates, several models have been proposed that increase the expressive power. These include community protocols [36], passively mobile logarithmic space machines (PALOMA) [18], mediated protocols [44], clocked population protocols [8] and broadcast population protocols [16]. All these models can compute all predicates N k → {0, 1} computable in NSPACE(log n) or more, where n is the number of agents. This makes the correctness problem for all these models undecidable. To prove this we can, for example, reduce from the halting problem for Turing machines started on the empty tape. Indeed, given a machine T , the predicate ϕ T (n) that holds for n iff the computation of T on the empty tape terminates and visits at most log n cells is a symmetric predicate in NSPACE(log n), and so it can be computed by a protocol. So T fails to terminate iff the protocol computes the false predicate.
From a verification point of view, the correctness problem for population protocols is a so-called parameterized verification problem, in which one has to show that a system of identical agents satisfies a property independently of the number of agents. Parameterized verification problems have been intensely studied, and we refer the reader to [1,12,30] for survey articles. Most work, however, concerns the verification of safety or liveness under adversarial schedulers; in other words, the property must hold even if the scheduler that selects which agents interact at each step tries to break it. Correctness of population protocols is however a liveness property under stochastic schedulers, which choose the agents at random. This distinguishes our work from recent contributions to parameterized verification [38,41].

Conclusion
We have determined the computational complexity of the correctness problem for population protocols with different communication mechanisms, completing a research program initiated in [32]. We have followed the classification used by Angluin et al. in [7] to study the expressive power of the models.
Our main results concern the observation-based models IO and DO. A first surprise is the fact that checking correctness of a protocol for all inputs is not harder than checking it for one input. Further, both problems have the same complexity as many standard verification problems for concurrent systems, which are typically PSPACE-complete [46]. Moreover, our upper bounds are obtained by means of algorithms that suggest clean verification procedures. In particular, they show that the verification of properties of IO and DO protocols can be achieved by conducting symbolic state space exploration with counting sets represented by counting constraints. This opens the door to efficient implementations using SMT-solving technology [9].
From a more theoretical point of view, we have derived our upper bounds from a number of fundamental results about the dynamics of the IO and DO models. We have encapsulated them in the Pruning, Shortening, and Closure Theorems, which could be of independent interest. In particular, the connection between IO protocols and models for enzymatic reactions is intriguing [43].
The second surprise is the huge complexity gap between observation-based and transmission-based models. Thanks to the recent result by Czerwinski et al. [24], we can show that the correctness problem is TOWER-hard for all transmission-based models. This is in contrast with the limited computational power of these models, and raises the question whether there exists a natural model of computation by indistinguishable agents which is able to compute all Presburger predicates and has a more manageable correctness problem. Another important insight is the fact that for all delayed-transmission models the problem is already TOWER-hard in the single-instance case. This makes the application of model-checking technology to checking correctness even for a few instances very difficult, and suggests a number of questions for further research.
Our investigation leaves one question open, namely whether the correctness problem is decidable for queued-transmission protocols. We have explained that for this model the fairness assumption used by Angluin et al. in [7] is questionable, since it can no longer be seen as an "overapproximation" of the probabilistic behavior of the system. However, settling the question can be relevant for stochastic models with assumptions concerning the size of the pool of messages.
Acknowledgements Pierre Ganty and Rupak Majumdar co-authored one of the publications (reference [33]) on which part of this paper is based. We thank them for very useful discussions. We also thank the anonymous reviewers for helpful feedback.
Funding Open Access funding enabled and organized by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

The input nodes will all eventually assume their input values and keep them afterwards.
By induction over the depth of an operation node, we can see that the value of each operation node eventually converges to the value of this node in circuit C, without ever holding the opposite value; moreover, once a node adopts a value, the value stays stable. Once the output value converges, each node will eventually learn it.
Notice that since the transitions of the circuit evaluation protocol always depend only on the current values of nodes, the DO protocol cannot have a problem with a lack of old messages.

Proof The proof is similar to the proofs of Lemma 4.18 and Theorem 4.20, with the following main difference. In Lemma 4.18 we keep trajectories that belong to small bunches, and prune each large bunch separately. To prove the quadratic lower bound we keep trajectories from and to small states, and then prune all the remaining trajectories together. A state is called small if it has fewer than |Q| incoming or outgoing trajectories.
Let L ≤ C −*→ C ′ ≥ L ′. By Lemma 4.12, there is a well-structured realizable history H with C and C ′ as initial and final configurations, respectively. Let H 0 ⊆ H be an arbitrary minimal sub(multi)set of H with initial multiset of states at least L and final multiset of states at least L ′. Let also H ′ = H − H 0 . We further reduce H ′ by repeatedly removing all the trajectories whose initial or final state has fewer than |Q| trajectories still in H ′. We can perform at most 2|Q| such steps, removing at most |Q| − 1 trajectories per step. At the end, we add back these trajectories as well as those of H 0 . Now we can define Q ′ as the set of all states reached by the remaining trajectories in H ′, and f (q) and l(q) for q ∈ Q ′ as the earliest and the latest moment in time when this state is used by any of the trajectories (possibly on different trajectories, and possibly on trajectories with different initial and final states).
We now build a trajectory for every q ∈ Q ′ by reaching it by the moment f (q) and leaving it after l(q). As all the trajectories in H ′ have initial and final states with at least |Q| trajectories in H ′, the set of trajectories that we build has its initial and final configurations covered by the corresponding configurations of H .
The rest of the proof is identical to the proofs of Lemma 4.18 and Theorem 4.20.
Theorem C.7 (Quadratic MFDO Shortening) Let P = (Q, δ) be an MFDO protocol, and let C −*→ C ′ be an execution of P. Then there exists a sequence ξ such that C −ξ→ C ′ and |ξ| a ≤ |Q|².
Proof (Outline) We optimise separately the construction for the last segment and for the other ones.
We relax the requirement on corresponding trajectories: instead of saying that the corresponding trajectories reach the same states, we say that the corresponding trajectories could reach the same states.
This can be maintained in the same way as in the proof of Theorem 4.33, with two changes. We extend only one trajectory with the shortest path to the newly reachable state (this is possible because if state q ′ is reached by τ ′ ∈ H j+1 starting from q at the moment T j , then the corresponding τ ∈ H j can reach q and then q ′ from q). The remaining trajectories are extended with horizontal steps, and the new reachability requirement is also satisfied by transitivity of reachability.
There is a linear number of non-last segments, and each will correspond to a linear-length replacement segment. Therefore the aggregated length of all the segments (except the last) together is quadratic.
In the last segment we need to make all the trajectories reach the final configuration of H from the final configuration of H n . Note that there is a feasible multiset of such trajectories because of condition (iii). Also observe that, as we do not change the set of visited states, the steps of the trajectories do not depend on each other.
Consider the multiset of trajectories leading from the final configuration of H n to the final configuration of H (possibly violating the initial trajectory correspondence) with the shortest total number of steps across the trajectories. In such a multiset the union of all trajectories does not contain any cycles, as otherwise we would be able to cut and reconnect the trajectories to remove the steps along the cycle. Therefore we can consider a topological ordering corresponding to the union of these trajectories. As each trajectory traverses the states in ascending order according to the topological ordering, running the steps in the lexicographic order of the source and target states correctly traverses each trajectory. As all equal steps are run at the same time, we obtain a quadratic aggregated length for the final segment.

Fig. 7 History H of Fig. 4 after pruning
- There exists a counting constraint

Proof (Adapted from Proposition 5 of [33].) Union. Let Γ be the union of the two counting constraints Γ 1 , Γ 2 , i.e. the union of the sets of cube representations of Γ 1 and of Γ 2 . It is still a counting constraint as a set of cube representations, and the result follows from the definitions of representation and norms.
Intersection. For this proof, we consider a cube representation (L, U) as a collection of constraints over n = |Q| variables x 1 , . . . , x n of the form [l i ≤ x i ] or [x i ≤ u i ] with l i ∈ N and u i ∈ N ∪ {∞}. Each variable x i is associated to a state q i ∈ Q, for an arbitrary ordering of Q, and intuitively denotes the number of agents in q i . A cube representation can now be seen as a conjunction of such constraints, one lower bound and one upper bound for each x i with i ∈ {1, . . . , n}. We call such a 2n-conjunction a minterm. The counting constraints Γ 1 , Γ 2 are thus disjunctions of minterms, denoted γ 1 , γ 2 respectively. The intersection of Γ 1 , Γ 2 is the conjunction γ 1 ∧ γ 2 . We rearrange this conjunction into a disjunction of minterms by the following steps. Put γ 1 ∧ γ 2 in disjunctive normal form. Remove conjunctions containing an unsatisfiable constraint l ≤ x i ∧ x i ≤ u with l > u. Remove redundant constraints inside conjunctions, e.g., replace (l 1 ≤ x ∧ l 2 ≤ x) by max{l 1 , l 2 } ≤ x. If a conjunction does not contain a lower bound (upper bound) for x i , add 0 ≤ x i (x i ≤ ∞), thus making it a minterm. The disjunction of these minterms is the counting constraint Γ we are looking for, and the norm bounds follow from the fact that the new bounds are a mix of the old bounds.
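For illustration, the intersection step can be sketched in code. The representation and names below are ours, not the paper's: a cube is a pair (L, U) of per-state bound lists, a counting constraint is a list of cubes read as a disjunction of minterms, and intersecting two constraints distributes the conjunction over the minterms, taking componentwise maxima of lower bounds and minima of upper bounds and dropping unsatisfiable minterms.

```python
from math import inf

# Hypothetical representation: a cube is (L, U), two equal-length lists of
# bounds per state (upper bounds may be inf); a counting constraint is a
# list of cubes, read as a disjunction of minterms.

def intersect_cubes(c1, c2):
    """Intersect two cubes; return None if the result is unsatisfiable."""
    (l1, u1), (l2, u2) = c1, c2
    L = [max(a, b) for a, b in zip(l1, l2)]   # strongest lower bounds
    U = [min(a, b) for a, b in zip(u1, u2)]   # strongest upper bounds
    if any(l > u for l, u in zip(L, U)):      # l <= x_i <= u with l > u
        return None
    return (L, U)

def intersect_constraints(gamma1, gamma2):
    """Distribute the conjunction over the two disjunctions of minterms."""
    result = []
    for c1 in gamma1:
        for c2 in gamma2:
            c = intersect_cubes(c1, c2)
            if c is not None:
                result.append(c)
    return result
```

The new bounds are always among the old ones, which is exactly the observation behind the norm bounds.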
Complement. We reuse the constraint and minterm formalism above. The complement is represented by the negation of the disjunction of minterms. We rearrange it into a disjunction of minterms using the rules above together with the equivalences ¬(l ≤ x i ) ≡ (x i ≤ l − 1) for l > 0 and ¬(x i ≤ u) ≡ (u + 1 ≤ x i ) for u < ∞, removing the enclosing conjunction when l = 0 or u = ∞ (since the negated constraint is then unsatisfiable). We obtain n-conjunctions whose lower bounds are of the form u + 1, where u ≤ ‖Γ 1 ‖ u is an upper bound in a minterm of the original constraint. This yields ‖Γ ‖ l ≤ n‖Γ 1 ‖ u + n, and the reasoning is similar for the u-norm.

Theorem 5.4 (IO Closure) Let P be an IO protocol with a set Q of states, and let S be a counting set of configurations of P represented by a counting constraint Γ . Then pre*(S) is also a counting set, and there exists a counting constraint Γ ′ satisfying ⟦Γ ′⟧ = pre*(S), ‖Γ ′‖ u ≤ ‖Γ ‖ u and ‖Γ ′‖ l ≤ ‖Γ ‖ l + |Q|³. The same holds for post*.
Proof Consider a finite decomposition S = 𝒞 1 ∪ · · · ∪ 𝒞 k of the counting set S into cubes, which exists by definition of a counting set. Lemma 5.3 states that for every cube 𝒞 of this decomposition and every configuration C ∈ pre*(𝒞), there is a "small" cube 𝒞 C such that C ∈ 𝒞 C and 𝒞 C ⊆ pre*(𝒞). So pre*(𝒞) is the union of the 𝒞 C over all C ∈ pre*(𝒞). By the norm restrictions on the representations of these cubes, there are only finitely many such "small" cubes. So pre*(𝒞) is a finite union of cubes, and by extension pre*(S) = pre*(𝒞 1 ) ∪ · · · ∪ pre*(𝒞 k ) is too. Thus, by definition, pre*(S) is a counting set.
Let Γ be the counting constraint defined as the set of the representations of the 𝒞 i . Let Γ ′ be the counting constraint defined as the set of the representations of the "small" cubes whose unions equal the pre*(𝒞 i ). Then, by the bounds in Lemma 5.3 and the definition of the norms, ‖Γ ′‖ u ≤ ‖Γ ‖ u and ‖Γ ′‖ l ≤ ‖Γ ‖ l + |Q|³.
The results also hold for post*(S), as the Pruning Theorem and our use of it are symmetric.

Lemma D.2 Let P be an MFDO protocol with state set Q and let 𝒞 ⊆ Pop(Q) be a cube. For all C ∈ pre*(𝒞), there exists a cube 𝒞 ′ such that 1. C ∈ 𝒞 ′ ⊆ pre*(𝒞), and 2. ‖𝒞 ′‖ l ≤ ‖𝒞 ‖ l + |Q|³ and ‖𝒞 ′‖ u ≤ ‖𝒞 ‖ u .
Proof The proof is exactly the same as for Lemma 5.3, as adding a copy of a trajectory into a well-structured realizable history produces a realizable history for MFDO protocols as well.
Theorem 5.6 (MFDO Closure) Let P be an MFDO protocol with a set Q of states, and let S be a counting set defined by a counting constraint Γ . Then pre*(S) is also a counting set, and there exists a counting constraint Γ ′ satisfying ⟦Γ ′⟧ = pre*(S), ‖Γ ′‖ u ≤ ‖Γ ‖ u and ‖Γ ′‖ l ≤ ‖Γ ‖ l + |Q|³. The same holds for post*.

Proof The proof is the same as for Theorem 5.4, except that Lemma 5.5 is used instead of Lemma 5.3.

This enforces that whenever the last bit is set to 1, an agent will send an increment message exactly once.
δ r is defined as follows:
- For every (q, m) ∈ Q × M such that δ s ((q, m)) = {q 1 , . . . , q k } with q 1 < · · · < q k , and every i and b, define δ r ((q, i, b), m) := (q j , i, b), where j = (i mod k) + 1. This resolves the nondeterminism for incoming messages from M.
- For every (q, i, b) ∈ Q ′, define δ r ((q, i, b), increment) := (q, (i mod n) + 1, 1). This implements the incrementation of the round counter after receiving an increment message. Moreover, b is set to 1, so that at least one increment message will eventually be put back into the message pool.
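The round-robin resolution of the nondeterministic choice can be sketched as follows; this is an illustrative fragment with assumed names, where the nondeterministic function is given as a table mapping (state, message) pairs to lists of successor states.

```python
def make_round_robin(delta):
    """Resolve a nondeterministic table delta: (q, m) -> list of successor
    states deterministically, using the round counter i carried in the
    extended state (q, i, b), as in the construction above."""
    def delta_r(ext_state, m):
        q, i, b = ext_state
        successors = sorted(delta[(q, m)])  # q_1 < ... < q_k
        k = len(successors)
        j = (i % k) + 1                     # 1-based round-robin choice
        return (successors[j - 1], i, b)    # the counter i itself is unchanged
    return delta_r
```

Since the counter i is incremented (modulo n) by the increment messages, every choice j is taken infinitely often along a fair execution, which is what makes this derandomisation sound.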
P ′ can be constructed in polynomial time. It remains to prove that P and P ′ compute identical predicates. To this end, fix some input X ∈ Pop(Σ) and let b ∈ {0, 1}. We must show that every fair execution of P starting in I (X) stabilizes to b if and only if every fair execution of P ′ starting in I ′(X) stabilizes to b. Before we prove this equivalence, let us introduce some notation. For every C ∈ Pop(Q ′), we define the projection π(C) ∈ Pop(Q) by π(C)(q) := Σ (i,b)∈{1,...,n}×{0,1} C((q, i, b)).
Let us now prove the equivalence.
We prove the claim made in the proof of Theorem 7.5. Each agent in P ′ carries a state of P and simulates interactions from P. Moreover, each agent carries a boolean flag b ∈ {0, 1}. The flag b indicates whether the initial configuration is ≥ C. Initially, b is set to 0 for every agent. If b is equal to 1 and the agent carries some state q ∈ Q, its opinion is o(q). If b = 0, the agent has opinion 1. This ensures that the computation stabilizes to 1 if the initial configuration is strictly smaller than C.

Proposition E.3 For every delayed-transmission protocol
In order to be able to detect whether the initial configuration is ≥ C, the agents additionally store configurations. Initially, an agent carrying the state q from Q stores the configuration consisting of the single state q. Agents can transfer states from one stored configuration to another agent through message passing. If the initial configuration is equal to C in P, then by fairness a single agent will eventually store C in the corresponding execution of P ′, while all other agents store an empty configuration. When an agent stores C, it knows that the initial configuration must be ≥ C, and in this case it is allowed to send a message that flips the flag b of any receiving agent to 1; by fairness, eventually all agents have their flag b set to 1. If the initial configuration is > C, then at some point a state is transferred to an agent that already stores C. Such an agent assumes a designated error state that maps to opinion 1 and eats up all other states via message passing. This ensures that every execution starting in a configuration > C stabilizes to 1.
Formally, the delayed-transmission protocol P ′ = (Q ′, M ′, δ′ r , δ′ s , Σ, ι′, o′) is constructed as follows:
- All remaining transitions to be defined map to the error state.
δ′ s is defined as follows:
- For every (q, C ′, b) ∈ Q × C × {0, 1} and every q ′ ∈ Q such that q ′ ≤ C ′, add:
- For every q ∈ Q and every b ∈ {0, 1}, add:

We prove the claim made in the proof of Theorem 7.6.

Proposition E.4 Let N = (Q, T) be a ±1-VASS and let r 0 , r ∈ Q. It is possible to construct in polynomial time an immediate-transmission protocol P that computes the constant 1 if and only if (r 0 , 0) −*→ (r, 0) does not hold.
Proof Let the dimension of N = (Q, T) be k. As in the proof of Proposition 7.3, we represent the control state of N in a single agent. The remaining agents either represent a reservoir of tokens by assuming states of the form free i or token i for every vector component 1 ≤ i ≤ k, or they are in states of the form t or t̄ for some t ∈ T , or in some additional helper state. A configuration (q, v) of N is represented by a configuration C of P satisfying C(q) = 1 and C(token i ) = v(i) for every 1 ≤ i ≤ k. The states free i , the states t and t̄ for every t ∈ T , and the other helper states may be populated by arbitrarily many agents. When the control agent interacts with an agent in a state of the form t, a transition of N is simulated. For example, a transition t ∈ T of the form q −(i++)→ q ′ is implemented in P by a sequence of two transitions, namely (t, q) → (t, t̄) followed by (t̄, free i ) → (q ′, token i ). Similarly, a transition t ∈ T of the form q −(i−−)→ q ′ is implemented in P by the sequence consisting of (t, q) → (t, t̄) followed by (t̄, token i ) → (q ′, free i ). Thus, incrementation at position i is implemented by turning free i into token i , and symmetrically, decrementation is implemented by turning token i into free i . Initially, no agent is in a state of the form token i , which reflects the fact that the initial vector of N in the reachability query equals 0.
Moreover, there are states final and final̄. When the agent representing the control state of N assumes r , it can nondeterministically guess that the current vector is 0, and signal this guess by transitioning to the state final through the step (final̄, r) → (final̄, final). The state final is the only state that maps to false. If the guess was right, then the agent permanently remains in state final, and thus the protocol does not compute the constant 1. If the guess was wrong, then by fairness the agent eventually meets some agent in state token i for some i, and then turns into a designated error state that maps to true and converts all other states to the error state, thus ensuring that the protocol eventually stabilizes to 1.
Formally, we define P = (Q P , δ P , I P , O P ) as follows:
- We add the following states to Q P :
- For every 1 ≤ i ≤ k, add states free i and token i .
- Add an "error" state.
- Add "final" states final and final̄.
- For every state q ∈ Q, add q to Q P .
- For every transition t ∈ T , add t and t̄.
- For every 1 ≤ i ≤ k, add: This ensures that an agent only remains in final if the current marking is 0; otherwise everyone is sent to the error state.
- For every x, y ∈ Q ∪ T ∪ {final}, set: This ensures that at most one agent is in a control state of N; otherwise everyone is sent to the error state.

In each configuration of each execution the sum of the index of the state and the number of messages of type b equals 2. This protocol does not f-compute any value on q 0 , because the configuration with no messages and the agent in state q 2 is reachable from each configuration in the execution, as is the configuration with 2 messages of type b and the agent in state q 0 . These two configurations occur infinitely often in each fair execution and have different output values.
The proof that an execution from q 0 converges with probability 1 if p > 1/2 is based on the following observations.
- The number of messages changes independently of the configuration change, so it is a biased random walk with linear growth.
- The state q 0 can always be reached with probability at least 1/4, and so it is reached infinitely many times.
- Going from q 0 to q 2 requires receiving two bs without sending in-between.
- The probability of receiving two bs is proportional to 1/n², where n is the number of messages. Since the series Σ_{n=1}^∞ 1/n² converges, with probability 1 the state q 2 is observed only a finite number of times.
Consider a step C → C ′. If C has no messages in transit, then the number of messages increases by 1; otherwise the number of messages increases by 1 with probability p > 1/2 and decreases by 1 with probability 1 − p. This is a biased random walk. Let X i be the random variable equal to the number of messages at the i-th step. The expected value of X i is (2p − 1)i and the standard deviation grows proportionally to √i, and so in particular lim_{c→+∞} Pr[∀i > c : X i > (p − 1/2)i] = 1. For any given configuration the probability of reaching a configuration with state q 0 is 1 (it is enough to send a message two times in a row, which has probability larger than 1/4 at each step), and therefore the state q 0 occurs infinitely often with probability 1. To reach state q 2 from state q 1 before reaching q 0 , the agent needs to receive messages without transmitting until it receives the only message of type b. The probability of reaching q 2 from q 1 before either returning to q 0 or getting below k messages is less than 1/k. Note that the probability of the transition from q 0 to q 1 with at least k messages in transit is at most (1 − p) · 2/k < 1/k. Therefore the probability of the agent starting at q 0 and reaching q 2 before either returning to q 0 or having fewer than k messages is at most 1/k².
Let N^j_{q0→q2} be the random variable equal to 1 if q 2 is visited after the j-th visit to q 0 , before q 0 is visited again, and before the number of messages in transit goes below (p − 1/2)j (and 0 otherwise). Let N_{q0→q2} be the sum Σ_{j=1}^∞ N^j_{q0→q2}. We have shown that E[N^j_{q0→q2}] ∈ O(1/((p − 1/2)j)²), and therefore E[N_{q0→q2}] ≤ c · Σ_{j=1}^∞ 1/((p − 1/2)j)² for some constant c, which is finite.
Consider executions that reach q 2 after at least N different returns to q 0 . Such an execution must either have the number of messages go below (p − 1/2)i at some moment i > N/2, or have the value N_{q0→q2} be at least N/2. The probability of either option tends to zero as N grows. Therefore q 2 occurs only a finite number of times with probability 1, and so the execution converges to 0. So the protocol computes the value 0 on input q 0 .
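The drift claim underlying this argument is easy to test numerically. The sketch below is an illustration under our own assumptions (p = 0.75 and all names are ours): it simulates the message count, which increases by 1 with probability p and decreases by 1 otherwise, except that it always increases when no message is in transit, and returns the empirical drift per step.

```python
import random

def empirical_drift(p=0.75, steps=20_000, seed=7):
    """Simulate the biased random walk on the number of messages in transit
    and return the average change per step (expected to approach 2p - 1)."""
    rng = random.Random(seed)
    n = 0
    for _ in range(steps):
        if n == 0 or rng.random() < p:
            n += 1   # a message is sent
        else:
            n -= 1   # a message is received
    return n / steps
```

For p = 0.75 the empirical drift is close to 2p − 1 = 0.5, matching the linear growth E[X i ] = (2p − 1)i used above.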