bwconsistency/Recherche/BFT-ARBover/3_GEO_CS/index.tex

\begin{definition}
    We assume a synchronous DenyList (\DL) object as in~\cite{frey:disc23} with the following properties.
  
    The DenyList object type supports three operations: $\APPEND$, $\PROVE$, and $\READ$. These operations appear as if executed in a sequence $\Seq$ such that:
    \begin{itemize}
      \item \textbf{Termination.} A $\PROVE$, an $\APPEND$, or a $\READ$ operation invoked by a correct process always returns.
      \item \textbf{APPEND Validity.} The invocation of $\APPEND(x)$ by a process $p$ is valid if:
      \begin{itemize}
        \item $p \in \Pi_M \subseteq \Pi$; \textbf{and}
        \item $x \in S$, where $S$ is a predefined set. 
      \end{itemize} 
      Otherwise, the operation is invalid.
      \item \textbf{PROVE Validity.} If the invocation of a $op = \PROVE(x)$ by a correct process $p$ is not valid, then:  
      \begin{itemize}
        \item $p \not\in \Pi_V \subseteq \Pi$; \textbf{or}
        \item A valid $\APPEND(x)$ appears before $op$ in $\Seq$. 
      \end{itemize}
      Otherwise, the operation is valid.
      \item \textbf{PROVE Anti-Flickering.} If the invocation of a operation $op = \PROVE(x)$ by a correct process $p \in \Pi_V$ is invalid, then any $\PROVE(x)$ operation that appears after $op$ in $\Seq$ is invalid.
      \item \textbf{READ Validity.} The invocation of $op = \READ()$ by a process $p \in \pi_V$ returns the list of valid invocations of $\PROVE$ that appears before $op$ in $\Seq$ along with the names of the processes that invoked each operation. 
      item \textbf{Anonymity.} Let us assume the process $p$ invokes a $\PROVE(v)$ operation. If the process $p'$ invokes a $\READ()$ operation, then $p'$ cannot learn the value $v$ unless $p$ leaks additional information.
    \end{itemize}
  
    We assume that $\Pi_M = \Pi_V = \Pi$ (all processes can invoke \APPEND and \PROVE).
  \end{definition}
  
  \begin{lemma}[From DenyList to Group Election]\label{lem:dl-to-ge}
    For any fixed value $r \in S$, one DenyList object can be used to wait-free implement a Group Election object $\GE[r]$.
  \end{lemma}
  
  \begin{proof}
    We implement the operations of $\GE[r]$ using the operations of the
    DenyList as follows.
    
    \begin{algorithmic}
      \Function{CANDIDATE}{$r$}
        \State $\PROVE(r)$
      \EndFunction
      \vspace{1em}
      \Function{CLOSE}{$r$}
        \State $\APPEND(r)$
      \EndFunction
      \vspace{1em}
      \Function{READGE}{$r$}
        \State $P \gets \READ()$
        \State \Return $\{ j : (j,\PROVEtrace(r)) \in P \}$
      \EndFunction
    \end{algorithmic}
    
    \paragraph{Termination.} Termination follows from the Termination property of DenyList operations. Consider now a fixed sequential history $\mathsf{Seq}$ of the DenyList.
    \paragraph{Prefix Inclusion.} Let $\APPEND(r)^\star$ denote the first valid $\APPEND(r)$ in $\mathsf{Seq}$, if it exists. From the PROVE Validity and anti-flickering properties of the DenyList, a process $p_j$ has a valid $\PROVE(r)$ in $\mathsf{Seq}$ if and only if its $\PROVE(r)$ invocation appears before $\APPEND(r)^\star$ in $\mathsf{Seq}$.
    Hence, by construction, $p_j \in \Winners_r$ iff $p_j$ invokes $\CANDIDATE(r)$ and its $\CANDIDATE(r)$ is linearized before $\CLOSE(r)^\star$ where we identify $\CLOSE(r)^\star$ with $\APPEND(r)^\star$. This is exactly the Prefix inclusion property.
    \paragraph{Stability.} Moreover, after $\APPEND(r)^\star$, no new $\PROVE(r)$ can become valid (anti-flickering), so every subsequent $\READ^\star()$
    returns the same set of valid $\PROVE(r)$ invocations. Consequently,
    every $\READGE(r)$ linearized after $\CLOSE(r)^\star$ returns the same
    set $\Winners_r$, which proves Stability.
    \paragraph{Election.} Finally, if some process invokes $\CANDIDATE(r)$ before $\CLOSE(r)^\star$, its proof is valid and thus appears in the set returned by $\READ^\star()$. Hence $\Winners_r \neq \emptyset$, which proves Election.
    \paragraph{Validity.} Validity is immediate from the construction of $\Winners_r$: a process belongs to $\Winners_r$ only if it invoked $\PROVE(r)$, i.e., only if it invoked $\CANDIDATE(r)$.
  
    Thus the constructed object satisfies all properties of a Group Election object.
  \end{proof}
  
  \begin{lemma}[From Group Election to DenyList]\label{lem:ge-to-dl}
    Fix a value $r \in S$. A Group Election object $\GE[r]$ can be used to wait-free implement an DenyList.
  \end{lemma}
    
  \begin{proof}
    We implement the  DenyList for value $r$ as follows.
    We use one Group Election object $\GE[r]$.
    
    The operations are implemented as follows.
      
    \begin{algorithmic}
      \Function{APPEND}{$r$}
        \State $\CLOSE(r)$
      \EndFunction
      \vspace{1em}
      \Function{PROVE}{$r$}
        \State $\CANDIDATE(r)$
        \State $W_r \gets \READGE(r)$
        \If{$p \in W_r$}
          \State \Return \texttt{True}
        \Else
          \State \Return \texttt{False}
        \EndIf
      \EndFunction
      \vspace{1em}
      \Function{READ}{$ $}
        \State $W \gets \bigcup_{\forall r \in S}\READGE(r)$
        \State \Return $\{(p,r) \mid p \in W_r\}$
      \EndFunction
    \end{algorithmic}
  
    \paragraph{Termination.} Termination follows from the Termination property of Group Election operations. Consider now a fixed sequential history $\mathsf{Seq}$ of the Group Election.
  
    \paragraph{APPEND Validity.} By construction, any process invoking $\APPEND(r)$ invokes $\CLOSE(r)$. By definition of Group Election, $\CLOSE(r)$ is always valid.
  
    \paragraph{PROVE Validity.} By definition $\Pi_V = \Pi$, so any process invoking $\PROVE(r)$ is in $\Pi_V$. So the case $p \not\in \Pi_V$ cannot happen. Now, if some process invokes $\APPEND(r)$ before the invocation of $\PROVE(r)$ in $\mathsf{Seq}$, then by the Prefix Inclusion property of Group Election, the set $\Winners_r$ is already fixed and any subsequent $\CANDIDATE(r)$ cannot be in $\Winners_r$. Hence the invocation of $\PROVE(r)$ is invalid. Conversely, if no $\APPEND(r)$ appears before $\PROVE(r)$ in $\mathsf{Seq}$, then by the Election property of Group Election, if some correct process invoked $\CANDIDATE(r)$ before any $\CLOSE(r)$, then $\Winners_r \neq \emptyset$ and hence the invoking process belongs to $\Winners_r$. Thus its invocation of $\PROVE(r)$ is valid. This proves PROVE Validity.
  
    \paragraph{PROVE Anti-Flickering.} If some invocation of $\PROVE(r)$ is invalid, then some $\APPEND(r)$ must have appeared before it in $\mathsf{Seq}$. By the Prefix Inclusion property of Group Election, the set $\Winners_r$ is fixed after the first $\CLOSE(r)$, so any subsequent $\CANDIDATE(r)$ cannot be in $\Winners_r$. Hence any subsequent invocation of $\PROVE(r)$ is also invalid. This proves PROVE Anti-Flickering.
  
    \paragraph{READ Validity.} Finally, by construction, the invocation of $\READ()$ returns the list of valid invocations of $\PROVE$ that appear before it in $\mathsf{Seq}$ along with the names of the processes that invoked each operation. This proves READ Validity.
  
  \end{proof}  
  
  \begin{theorem}[Consensus number of Group Election]\label{thm:ge-consensus}
    Let $|\Pi_V| = k$. The Group Election object type with verifier set $\Pi_V$
    has consensus number $k$. In particular, when $\Pi_V = \Pi$, the consensus
    number of Group Election is $|\Pi|$.
  \end{theorem}
  
  \begin{proof}
    We first recall that, for a DenyList object with $|\Pi_V| = k$ (a
    $k$-DenyList), the consensus number is exactly $k$.
  
    \paragraph{Lower bound.}
    By Lemma~\ref{lem:dl-to-ge}, for any fixed value $r \in S$, one $k$-DenyList object can be used to wait-free implement a Group Election object $\GE[r]$ over the same set of processes. Since the k-DenyList has consensus number $k$, it follows that the Group Election type has consensus number at least $k$.
  
    \paragraph{Upper bound.}
    Conversely, by Lemma~\ref{lem:ge-to-dl}, one Group Election object 
    can be used to wait-free implement a DenyList object restricted to value $r$.
    This restricted DenyList satisfies the same specification as the original k-DenyList on value $r$, and in particular it has consensus number $k$. Therefore, the consensus
    number of the Group Election type cannot exceed $k$.
  
    \medskip
    Combining the two bounds, we obtain that the consensus number of the Group
    Election object type is exactly $k = |\Pi_V|$. When we instantiate
    $\Pi_V = \Pi$, we get that the consensus number of Group Election is $|\Pi|$.
  \end{proof}