Self-Stabilizing Byzantine Asynchronous Unison

We explore asynchronous unison in the presence of systemic transient and permanent Byzantine faults in shared memory. We observe that the problem is not solvable under less than strongly fair scheduler or for system topologies with maximum node degre…

Authors: Swan Dubois (LIP6, INRIA Rocquencourt), Maria Gradinariu Potop-Butucaru (LIP6

Swan Dubois¹, Maria Gradinariu Potop-Butucaru¹, Mikhail Nesterenko², Sébastien Tixeuil¹

Abstract

We explore asynchronous unison in the presence of systemic transient and permanent Byzantine faults in shared memory. We observe that the problem is not solvable under less than strongly fair scheduler or for system topologies with maximum node degree greater than two. We present a self-stabilizing Byzantine-tolerant solution to asynchronous unison for chain and ring topologies. Our algorithm has minimum possible containment radius and optimal stabilization time.

1 Introduction

Asynchronous unison [22] requires processors to maintain synchronization between their counters called clocks. Specifically, each processor has to increment its clock indefinitely while the clock drift from its neighbors should not exceed 1. Asynchronous unison is a fundamental building block for a number of principal tasks in distributed systems such as distributed snapshots [6] and synchronization [1, 2].

A practical large-scale distributed system must counter a variety of transient and permanent faults. A systemic transient fault may perturb the configuration of the system and leave it in an arbitrary configuration. Self-stabilization [10, 12, 25] is a versatile technique for transient fault forward recovery. Byzantine fault [18] is the most generic permanent fault model: a faulty processor may behave arbitrarily. However, designing distributed systems that handle both transient and permanent faults proved to be rather difficult [8, 13, 23]. Some of the difficulty is due to the inability of the system to counter Byzantine behavior by relying on the information encoded in the global system configuration: a transient fault may place the system in an arbitrary configuration.
In this context considering joint Byzantine and systemic transient fault tolerance for asynchronous unison appears futile. Indeed, the Byzantine processor may keep setting its clock to an arbitrary value while the clocks of the correct processors are completely out of synchrony. Hence, we are happy to report that the problem is solvable.

In this paper we present a shared-memory Byzantine-tolerant self-stabilizing asynchronous unison algorithm that operates on chain and ring system topologies. The algorithm operates under a strongly fair scheduler. We show that the problem is unsolvable for any other topology or for less stringent scheduler. Our algorithm achieves minimal fault-containment radius: each correct processor eventually synchronizes with its correct neighbors. We prove our algorithm correct and demonstrate that its stabilization time is asymptotically optimal.

¹ The author is with Université Pierre & Marie Curie and INRIA, France.
² The author is with Kent State University, USA.

Related work. The impetus of this work is the study by Dubois et al. [14]. They consider joint tolerance to crash faults and systemic transient faults. The key observation that enables this avenue of research is that the definition of asynchronous unison does not preclude the correct processors from decrementing their clocks. This allows the processors to synchronize and maintain unison even while their neighbors may crash or behave arbitrarily.

There are several pure self-stabilizing solutions to the unison problem [4, 5, 7, 15]. None of those tolerate Byzantine faults. Classic Byzantine fault tolerance focuses on masking the fault.
There are self-stabilizing Byzantine-tolerant clock synchronization algorithms for completely connected synchronous systems both probabilistic [3, 13] and deterministic [11, 17]. The probabilistic and deterministic solutions tolerate up to one-third and one-fourth of faulty processors respectively.

Another approach to joint transient and Byzantine tolerance is containment. For tasks whose correctness can be checked locally, such as vertex coloring, link coloring or dining philosophers, the fault may be isolated within a region of the system. Strict-stabilization guarantees that there exists a containment radius outside of which the processors are not affected by the fault [20, 23, 24]. Yet some problems are not local and do not admit strict stabilization. However, the tolerance requirements may be weakened to strong-stabilization [19, 21] which allows the processors arbitrarily far from the faulty processor to be affected. The faulty processor can affect the correct processors only a finite number of times. Strong-stabilization enables solution to several problems, such as tree orientation and tree construction.

2 Model, Definitions and Notation

Program syntax and semantics. A distributed system consists of $n$ processors that form a communication graph. The processors are nodes in this graph. The edges of this graph are pairs of processors that can communicate with each other. Such pairs are neighbors. A distance between two processors is the length of the shortest path between them in this communication graph. Each processor contains variables and rules. A variable ranges over a fixed domain of values. A rule is of the form $\langle label \rangle : \langle guard \rangle \longrightarrow \langle command \rangle$. A guard is a boolean predicate over processor variables. A command is a sequence of assignment statements.
Processor $p$ may mention its variables anywhere in its guards and commands. That is, $p$ can read and update its variables. However, $p$ may not mention the variables of its neighbors on the left-hand-sides of the assignment statements of its commands. That is, $p$ may only read the variables of its neighbors.

A processor is either correct or faulty. In this paper we consider crash faults and Byzantine faults. A crashed processor stops the execution of its rules for the remainder of the run. A processor affected by Byzantine fault disregards its program and it may write arbitrary values to variables. Note that, in a given state, a Byzantine processor exhibits the same state to all its neighbors. When the fault type is not explicitly mentioned, the fault is Byzantine.

An assignment of values to all variables of the system is a configuration. A rule whose guard is true in some system configuration is enabled in this configuration, the rule is disabled otherwise. An atomic execution of a subset of enabled rules transitions the system from one configuration to another. This transition is a step. Note that a faulty processor is assumed to always have an enabled rule and its step consists of writing arbitrary values to its variables. A run of a distributed system is a maximal sequence of such transitions. By maximality we mean that the sequence is either infinite or ends in a state where none of the rules are enabled.

Schedulers. A scheduler (also called daemon) is a restriction on the runs to be considered. The schedulers differ by execution semantics and by fairness. The scheduler is synchronous if in every run each step contains the execution of every enabled rule. The scheduler is asynchronous otherwise. There are several types of asynchronous schedulers.
In the runs of distributed (also called powerset) scheduler, a step may contain the execution of an arbitrary subset of enabled rules. This is the least restrictive scheduler. In the runs of a central scheduler, every step contains the execution of exactly one enabled rule. In the runs of locally central scheduler, the step may contain the execution of multiple enabled rules as long as none of the rules belong to neighbor processors. Central and locally central schedulers are equivalent. That is, they define the same set of runs. In this paper we consider these two types of schedulers.

With respect to fairness, the schedulers are classified as follows. The most restrictive is a strongly fair scheduler. In every run of this scheduler, a rule is executed infinitely often if it is enabled in infinitely many configurations of the run. Note that the strongly fair scheduler requires that the rule is executed even if it continuously keeps being enabled and disabled throughout the run. A less restrictive is weakly fair scheduler. In every run of this scheduler, a rule is executed infinitely often if it is enabled in all but finitely many configurations of the run. That is, the rule has to be executed only if it is continuously enabled. An unfair scheduler places no fairness restrictions on the runs of the distributed system. Faulty processors are not subject to scheduling restrictions of any of the schedulers: a faulty processor may take no steps during a run or it may take infinitely many steps.

Predicates and specifications. A predicate is a boolean function over program configurations. A configuration conforms to some predicate $R$, if $R$ evaluates to true in this configuration. The configuration violates the predicate otherwise.
Predicate $R$ is closed in a certain program $P$, if every configuration of a run of $P$ conforms to $R$ provided that the program starts from a configuration conforming to $R$. Note that if a program configuration conforms to $R$ and, after the execution of any step of $P$, the resultant configuration also conforms to $R$, then $R$ is closed in $P$.

A processor specification for a processor $p$ defines a set of configuration sequences. These sequences are formed by variables of some subset of processors in the system. This subset always includes $p$ itself. A problem specification, or just problem, defines specifications for each processor of the system. A problem specification in the presence of faults defines specifications for correct processors only. Program $P$ solves problem $S$ under a certain scheduler if every run of $P$ satisfies the specifications defined by $S$. A closed predicate $I$ is an invariant of program $P$ with respect to problem $S$ if every run of $P$ that starts in a state conforming to $I$ satisfies $S$. An $f$-fault $d$-distance invariant $I^f_d$ is a particular invariant of $P$ such that if the system has no more than $f$ processors then in every run that starts in a configuration conforming to $I^f_d$, each processor in the distance of at least $d$ away from the fault satisfies the problem $S$. That is, only correct processors at distance $d$ or higher have to satisfy the specification.

A program $P$ is self-stabilizing to specification $S$ if every run of $P$ that starts in an arbitrary configuration contains a configuration conforming to an invariant of $P$. A program $P$ is strictly-stabilizing for $f$ faults and distance $d$, denoted $(f, d)$-strictly-stabilizing, to problem $S$ if $P$ converges to an $f$-fault $d$-distance invariant $I^f_d$.

Unison specification. Consider the system of processors each of which has a natural number variable $c$ called clock.
The lo k drift b etwe en two pr o  essors is the dier en e b etwe en their lo k values. Two neighb or pr o  essor ar e in unison if their drift is no mor e than one. Asyn hronous unison sp e ies that, for every pr o  essor p , every pr o gr am run has to  omply with the fol lowing two pr op erties. Safet y: in every  ongur ation, pr o  essor p is in unison with its neighb ors; Liv eness: the lo k of pr o  essor p is inr emente d innitely often. A pr o gr am that solves the asynhr onous unison pr oblem is minimal if the only variable that e ah pr o  essor has it its lo k. 3 pro essor p onstan ts l, r : left and righ t neigh b ors of p dg p : degree of p v ariable c p : natural n um b er, lo  k v alue of p rules end pro essor rules leftEndUp : ( dg p = 1) ∧ ( c p ≤ c r ) − → c p := c r + 1 leftEndDown : ( dg p = 1) ∧ ( c p > c r ) − → c p := c r − 1 rightEndUp and rightEndDown are similar middle pro essor op eration rules midd leL eftUp : ( dg p = 2) ∧ ( c p = c l ∨ c p = c l − 1) ∧ ( c p ≤ c r ) − → c p := c p + 1 midd leL eftDown : ( dg p = 2) ∧ ( c p = c l ∨ c p = c l + 1) ∧ ( c p > c r ) − → c p := c p − 1 midd leR ightUp and midd leR ightDown are similar middle pro essor syn hronization rules synUp : ( dg p = 2) ∧ ( c p < c l − 1) ∧ ( c p < c r − 1) − → c p := min { c l , c r } synDown : ( dg p = 2) ∧ ( c p > c l + 1) ∧ ( c p > c r + 1) − → c p := max { c l , c r } Figure 1: S S U : (1 , 0) -strit-stabilizing asyn hronous unison algorithm for  hains and rings. 3 Imp ossibilit y Results and Mo del Justiation Dub ois et al [14 ℄ establishe d a numb er of imp ossibility r esults for asynhr onous unison and r ash faults. These r esults ar e imme diately appli able to Byzantine faults as a Byzantine pr o  ess may emulate the r ash fault by never exe uting a step. W e summarize their r esults in the b elow the or em. 
Theorem 1 ([14]) There does not exist a minimal $(f, d)$-strictly-stabilizing solution to the asynchronous unison problem in shared memory for any distance $d \ge 0$ if the communication graph of the distributed system contains processors of degree greater than two or if the number of faults is greater than one or if the scheduler is either unfair or weakly fair.

The intuition behind the impossibility results is as follows. If the system contains a processor $p$ with at least three neighbors, the neighbors can cycle through their states such that all three are always in unison with $p$ yet $p$ cannot update its clock without breaking unison with at least one neighbor. If the system allows two faults, then the faulty processors may contain such clock values so far apart that if the correct processors stay in unison with the faulty ones then they are not able to synchronize with each other. If the execution scheduler is either unfair or weakly fair then one correct processor may cycle through its unison states such that its neighbor is never given an opportunity to update its clock.

The results of Theorem 1 leave the following execution model that is still open for solutions: system topology with maximum degree at most two (i.e. a chain or a ring), at most one fault, and a strongly fair scheduler. We pursue solutions for this particular model in the remainder of the paper.

4 SSU: A Strict-Stabilizing Unison for Chains and Rings

In this section we present the $(1, 0)$-strictly-stabilizing minimal priority algorithm unison algorithm, prove its correctness and evaluate its stabilization performance.

4.1 Algorithm Description

The algorithm can operate on either chain or ring system topologies. For the description of the algorithm, let us introduce some topological terminology. A middle processor has two neighbors.
An end processor has only one. In a ring every processor is a middle processor. A chain has two end processors. We consider the system of processors to be laid out horizontally left to right. We, therefore, speak of left and right neighbor for a processor and left and right ends of a chain.

Recall that drift between two processors $p$ and $q$ is the difference between their clock values. Two processors $p$ and $q$ are in unison if the drift between them is no more than 1. An island is a segment of correct processors such that for each processor $p$, if its neighbor $q$ is also in this island, then $p$ and $q$ are in unison. A processor with no in-unison neighbors is assumed to be a single-processor island. Note that a faulty processor never belongs to an island. The width of an island is the number of processors in this island.

The main idea of the algorithm is as follows. Processors form islands of processors with synchronized clocks. The algorithm is designed such that the clocks of the processors with adjacent islands drift closer to each other and the islands eventually merge. If a faulty processor restricts the drift of one such island, for example by never changing its clock, the other islands still drift and synchronize with the affected island.

Operation description. A detailed description of SSU is shown in Figure 1. Specifically, SSU operates as follows. Each processor $p$ maintains a single variable $c_p$ where it stores its current clock value. That is, our algorithm is minimal. We grouped the processor rules into end processor rules and middle processor rules. Middle processor rules are further grouped into: operation (executed when the processor is in unison with at least one of its neighbors) and synchronization (executed otherwise). At least one rule is always enabled at an end processor.
Depending on the clock value of its neighbor, the left end processor either increments or decrements its own clock using rules leftEndUp and leftEndDown. The operation of the right end processor is similar.

Let us describe the rules of a middle processor. If processor $p$ is in unison with its left neighbor, $p$ can adjust $c_p$ to match its right neighbor using rules middleLeftUp or middleLeftDown. The execution of neither rule breaks the unison of $p$ and its left neighbor. Similar adjustment is done for the left neighbor using middleRightUp and middleRightDown. Note that if $p$ is in unison with both of its neighbors and $c_l$ and $c_r$ differ by 2, none of these rules of $p$ are enabled as any changes of $c_p$ break the unison with a neighbor of $p$. If $p$ is in unison with neither of its neighbors, and the clocks of the two neighbors are either both greater or both less than the clock of $p$, the processor synchronizes its clock with one of the neighbors using rule synDown or synUp.

Example operation. The operation of our algorithm is best understood with an example. Figure 2 shows the operation of SSU on a chain without a permanent fault. Figure 3 illustrates the operation of SSU on a chain with a faulty processor. Figures 4 and 5 show the operation of SSU on rings respectively without and with a faulty processor.

[Figure 2: An example operation sequence of SSU on a chain with no faults. Numbers represent clock values. Squared processor has an enabled rule to be executed.]

[Figure 3: An example operation sequence of SSU on a chain with a faulty processor. Numbers are processor clock values. The faulty processor is in double circle. Squared processor has an enabled rule to be executed.]

[Figure 4: An example operation sequence of SSU on a ring with no faults. Numbers represent clock values. Squared processor has an enabled rule to be executed.]

[Figure 5: An example operation sequence of SSU on a chain with a faulty processor. Numbers are processor clock values. The faulty processor is in double circle. Squared processor has an enabled rule to be executed.]

4.2 Correctness Proof

Chains. For chains it is sufficient to consider the operation of the algorithm for the case where the faulty processor is at the end of the chain. Indeed, if the faulty processor is in the middle of the chain, the synchronization of the two segments of correct processors is independent of each other. Thus, without loss of generality, we assume that if there exists a faulty processor in the system, it is always the right end processor.

Lemma 1 If a run of SSU on a chain starts from a configuration where two processors $p$ and $q$ belong to the same island, then the two processors belong to the same island in every configuration of this run.

In other words, Lemma 1 states that an island is never broken. The validity of the lemma can be easily ascertained by the examination of the algorithm's rules as a processor never de-synchronizes from its in-unison neighbor.

[Figure 6: The transitions of in-unison neighbor processors l and p. An illustration for the proof of Lemma 2.]

Lemma 2 In every run of SSU on a chain, each processor in the leftmost island takes an infinite number of steps.

Proof. The proof is by induction on the width of the island. In every configuration, the left end processor has either leftEndUp or leftEndDown enabled. Due to the strongly fair scheduler, this processor takes an infinite number of steps in every run. Assume that the left neighbor $l$ of processor $p$ that belongs to the leftmost island takes an infinite number of steps in the run. According to Lemma 1, $l$ and $p$ are in unison in every configuration of this run. That is, $l$ and $p$ transition between the three sets of states: $c_l = c_p + 1$, $c_l = c_p$ and $c_l = c_p - 1$.
See Figure 6 for illustration. Observe that, regardless of the clock value of the right neighbor of $p$, if $c_l = c_p$ then $p$ has either middleLeftUp or middleLeftDown rule enabled. If $p$ executes this rule, the system goes either in the state where $c_l = c_p + 1$ or $c_l = c_p - 1$. Since $l$ executes infinitely many steps in the run then a configuration where $c_l = c_p$ repeats infinitely often. That is, one of $p$'s rules is enabled infinitely often in this run. Since the scheduler is strongly fair, $p$ executes infinitely many steps. □

Lemma 3 If a run of SSU on a chain starts from a configuration where processor $p$ belongs to the leftmost island while its right correct neighbor $r$ does not, then this run contains a configuration where both $p$ and $r$ belong to the same island.

In other words, Lemma 3 claims that every two adjacent islands eventually merge.

Proof. We prove the lemma by demonstrating that the drift between $p$ and $r$ decreases to zero in every run of SSU. Let us consider the rules of $r$. The execution of any rule by $r$ can only decrease the drift between the two processors. The execution of the rules by $p$ always decreases the drift as well. According to Lemma 2, $p$ takes infinitely many steps in this run. This means that this run contains a configuration where the drift between $p$ and $r$ is zero. □

Define the following predicate:

INV ≡ each correct processor is in unison with its correct neighbors

Theorem 2 Algorithm SSU on chains stabilizes to INV.

Proof. (sketch) If every correct processor is in unison with its neighbors, all correct processors belong to a single island. The closure of INV follows from Lemma 1. Note that Lemma 3 guarantees that the two leftmost islands eventually merge. The convergence of SSU to INV can be proven by induction on the number of islands in the initial configuration. □

Theorem 3 Predicate INV is a $(1, 0)$-invariant of SSU on chains with respect to the asynchronous unison problem.

In other words, Theorem 3 states that every run of SSU starting from a configuration conforming to INV satisfies the specification of asynchronous unison.

Proof. The safety property of the asynchronous unison follows immediately from the closure of INV. Let us consider the liveness property. Once in unison the only operation that a processor can execute on its clock is increment or decrement. According to Lemma 2, every correct processor of the system takes an infinite number of steps. Since the clock values are natural numbers, each processor is bound to execute an infinite number of clock increments. Hence the liveness. □

Rings. Since there are no end processors on a ring, we only have to consider the middle processor rules.

Lemma 4 If a run of SSU on a ring starts from a configuration where two processors $p$ and $q$ belong to the same island, then the two processors belong to the same island in every configuration of this run.

The above lemma is proven similarly to Lemma 1.

Lemma 5 In every run of SSU on a ring, there is an island where every processor takes an infinite number of steps.

Proof. (sketch) Observe that in every configuration of SSU on a ring, there is at least one correct processor whose clock holds the largest or the smallest value in the system. This processor has a rule enabled. Since we consider a strongly fair scheduler, there are infinitely many steps executed by correct processors in every run of SSU. Since there are finitely many correct processors, at least one correct processor takes infinitely many steps. Let us consider the island to which this processor belongs. The rest of the lemma is proven by induction on the width of this island similar to Lemma 2. □

Lemma 6 If a run of SSU starts from a configuration where there is more than one island, then this run contains a configuration where some two islands merge.

Proof. (sketch) Let us consider the initial configuration of SSU on a ring with more than one island. According to Lemma 5, there is at least one island in this configuration where every processor takes an infinite number of steps. Assume, without loss of generality, that this island has an adjacent island to the right. An argument similar to the one employed in the proof of Lemma 3 demonstrates that these islands eventually merge. □

The below two theorems are proven similarly to their equivalents for the chain topology.

Theorem 4 Algorithm SSU on rings stabilizes to INV.

Theorem 5 Predicate INV is a $(1, 0)$-invariant of SSU on rings with respect to the asynchronous unison problem.

4.3 Stabilization Time

In this section, we compute the stabilization time of SSU. We estimate the stabilization time in the number of asynchronous rounds. In general, this notion is somewhat tricky to define for strongly fair scheduler, as the actions of processors may become disabled and then enabled arbitrarily many times before execution. However, this definition simplifies for the case of SSU as every correct processor takes an infinite number of steps. We define an asynchronous round to be the smallest segment of a run of the algorithm where every correct process executes a step.

Upper bound of SSU. First, we show that SSU needs at most $L$ rounds to stabilize where $L$ is the largest clock drift between correct processors in the system.

Theorem 6 The stabilization time of SSU is in $O(L)$ rounds both on chains and rings where $L$ is the maximum clock drift between two correct neighbors in the initial configuration.

Proof.
Assume that there exists an execution $\omega$ such that there exist at least two distinct islands $I_1$ and $I_2$ at the end of the round $L_\omega$ (where $L_\omega$ is the maximum clock drift between two correct neighbors in the initial configuration of $\omega$). Note that $L_\omega \ge 2$. Otherwise, any processor is in unison with its neighbor in the initial configuration and Lemma 1 or 4 implies $I_1$ and $I_2$ are never distinct.

Let $p$ and $q$ be two neighbor processors such that $p \in I_1$ and $q \in I_2$. Without loss of generality, we can assume that $c_q < c_p$ in the initial configuration of $\omega$. By construction, we have $c_p - c_q \le L_\omega$. While $I_1$ and $I_2$ are distinct, according to the proof of Lemma 3 or 6, the following property holds: $c_q < c_p$.

In the case where the system is a chain, note that $p$ and $q$ are not end processors. Otherwise, $p$ and $q$ are in unison at the end of the first round since the end processor synchronizes its clock with the one of its neighbor at its first activation and this contradicts the construction of $\omega$ and the fact that $L_\omega \ge 2$.

Now, we can observe that any activation of $p$ by a middle processor operation or synchronization rule can only decrease the clock value of $p$ by at least one. Following the definition of asynchronous round, there is at least one activation of $p$ during each round of $\omega$. Then, we can conclude that, at the end of the round $i$ ($1 \le i \le L_\omega$), we have: $c_p - c_q \le L_\omega - i$. We can deduce that $p$ and $q$ are necessarily in unison at the end of the round $L_\omega - 1$ which contradicts the construction of $\omega$. Then, the stabilization time of SSU is in $O(L)$ rounds both on chains and rings. Hence the result. □

Lower bound on chains.
Then, we show that any $(1, 0)$-strictly-stabilizing deterministic minimal asynchronous unison on a chain needs at least $L$ rounds to stabilize where $L$ is the largest clock drift between correct processors in the system.

In the following lemmas, $A$ denotes any $(1, 0)$-strictly-stabilizing deterministic minimal asynchronous unison on a chain under a central strongly fair scheduler.

Lemma 7 When a middle processor is in unison with only one of its neighbors, any enabled rule of $A$ for this processor maintains this unison.

Proof. Assume that there exists a set of clock values $\{a, b, c\}$ (with $|a - b| \le 1$ and $|b - c| \ge 2$) such that a middle processor $p$ is enabled by a rule $R$ of $A$ when $c_p = b$ and the neighbors' clocks are respectively $a$ and $c$ and that $R$ modifies $c_p$ into a value $b'$ (with $|a - b'| \ge 2$). Then, consider the following initial configuration: $V = \{l, p, r\}$, $E = \{\{l, p\}, \{p, r\}\}$, $r$ is Byzantine and $c_l = a$, $c_p = b$, $c_r = c$ (see Figure 7). We can observe that this configuration satisfies INV. By construction, $p$ is enabled by $R$ in this configuration (recall that $A$ is minimal and deterministic). If the scheduler chooses $p$, then we obtain a configuration which does not satisfy INV. Hence, $A$ does not respect the closure of the safety property of asynchronous unison. This is contradictory with its construction. □

[Figure 7: Configuration used in proof of Lemma 7]

[Figure 8: Configuration used in proof of Lemma 8]

Lemma 8 When a middle processor $p$ is in unison with only one of its neighbors (denote by $q$ the other neighbor of $p$), the following property holds: in any execution starting from this configuration in which $q$ remains not synchronized with $p$, $p$ moves its clock closer to the clock of $q$ in a finite time.

Proof.
Assume that there exists a set of clock values $\{a, b, c\}$ (with $|a - b| \leq 1$ and $|b - c| \geq 2$) such that there exists an execution $\omega$ starting from a configuration (in which $c_p = b$ and its neighbors' clocks are respectively $a$ and $c$; denote by $q$ the processor such that $c_q = c$) in which $q$ remains not synchronized with $p$ and in which $p$ never moves its clock closer to the clock of $q$. We deal with the case where $b > c$ (the case where $b < c$ is similar). Then, consider the following initial configuration $s_0$: $V = \{l, p, q, r\}$, $E = \{\{l, p\}, \{p, q\}, \{q, r\}\}$, $r$ is Byzantine and $c_l = a$, $c_p = b$, $c_q = c$, $c_r = c - 1$ (see Figure 8). If $r$ acts as a crashed processor, its clock value remains constant. Then, by Lemma 7, we have $c_q \in \{c, c - 1, c - 2\}$ in any state of any execution starting from $s_0$. Hence, $p$ cannot distinguish this execution from $\omega$ (recall that $A$ is minimal and deterministic). Consequently, there exists an execution starting from $s_0$ such that $c_p \geq b$ and $c_q \leq c$ in any state. This contradicts the convergence property of $A$. □

Lemma 9 When an end processor is in unison with its neighbor, there exists an enabled rule of $A$ for this processor.

Proof. Assume that there exists a set of clock values $\{a, b\}$ (with $|a - b| \leq 1$) such that an end processor $p$ is not enabled by any rule of $A$ when $c_p = a$ and its neighbor's clock is $b$. Then, consider the following initial configuration: $V = \{p, r\}$, $E = \{\{p, r\}\}$, $r$ is Byzantine and $c_p = a$, $c_r = b$ (see Figure 9). By construction, $p$ is not enabled in this configuration (recall that $A$ is minimal and deterministic). Assume now that $r$ acts as a crashed processor. Then, we can observe that $p$ is never enabled in this execution, which contradicts the liveness property of $(1,0)$-strictly-stabilizing asynchronous unison. □

[Figure 9: Configuration used in proof of Lemma 9]

[Figure 10: Configurations used in proof of Theorem 7; panels $s_0$, $s_1$ and $s_i$ for $2 \leq i \leq t$]

If we consider the execution described in the proof of Lemma 9, we can observe that $p$ is infinitely often activated (by fairness assumption) and that its clock is always in the set $\{b - 1, b, b + 1\}$ (by closure of $A$). Since $A$ is minimal and deterministic, we can deduce that values of $c_p$ over this execution follow a given cycle. We characterize now $A$ by this cycle. More formally, we say that:

1. $A$ is of type 1 if the cycle is $b, b + 1, b, b + 1, \ldots$
2. $A$ is of type 2 if the cycle is $b, b - 1, b, b - 1, \ldots$
3. $A$ is of type 3 if the cycle is $b, b + 1, b - 1, b, b + 1, b - 1, \ldots$

Notice that the protocol SSU is of type 1.

Theorem 7 The stabilization time of any $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on chains is in $\Omega(L)$ where $L$ is the maximum clock drift between two correct neighbors in the initial configuration.

Proof. Assume that $A$ is a $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on chains. We provide the proof of this theorem in the case where $A$ is of type 1 since other cases are similar. Let $a, t$ be natural numbers. Consider the following initial configuration $s_0$: $V = \{p, q, r, s\}$, $E = \{\{p, q\}, \{q, r\}, \{r, s\}\}$, $s$ is Byzantine and $c_p = a + 2t$, $c_q = a + 2t$, $c_r = a$, $c_s = a$ (see Figure 10). Hence, we have a maximal clock drift of $L = 2t$. Note that $p$ is enabled to take the value $a + 2t + 1$ in $s_0$ (by Lemma 9 and the fact that $A$ is minimal and of type 1). By Lemmas 8, 7, and the fact that $A$ is minimal, we can deduce that $q$ is enabled to take the value $a + 2t - 1$ only when $c_p = a + 2t$.
Similar reasoning holds for $r$ which is enabled to take the value $a + 1$ when $c_s = a$. Then, the following execution of $A$ is possible: $p$ is activated and takes value $a + 2t + 1$, $p$ is activated and takes value $a + 2t$ ($p$ is enabled by Lemma 9 and the new value is determined by the type of $A$), $q$ is activated and takes value $a + 2t - 1$, $r$ is activated and takes value $a + 1$ and $s$ takes the value $a + 1$ (recall that $s$ is Byzantine). We obtain the configuration $s_1$ depicted in Figure 10. We can observe that the first round $R_1$ of our execution ends in $s_1$ and that we have now a maximal clock drift of $a + 2(t - 1)$. By the same reasoning, we can construct a sequence of $t - 1$ rounds $R_i = s_{i-1} \ldots s_i$ ($2 \leq i \leq t$) as follows: $p$ is activated and takes value $a + 2t + 1 - i$, $q$ is activated and takes value $a + 2t - i$, $r$ is activated and takes value $a + i$ and $s$ takes the value $i$. We obtain the configuration $s_i$ at the end of round $R_i$ ($2 \leq i \leq t$) depicted in Figure 10. At the end of round $R_i$ ($2 \leq i \leq t$), we have a maximal clock drift of $2(t - i)$.

We can conclude that, at the end of the round $R_{t-1}$, the maximal clock drift is 2 whereas, at the end of the round $R_t$, the maximal clock drift is 1 (since we have $c_p - c_q = 1$ and $c_q - c_r = 0$). By construction of $t$, we can conclude that $A$ needs $\Omega(L)$ rounds to stabilize. □

[Figure 11: Configurations used in proof of Theorem 8; panels $s_0$, $s_1$ and $s_i$ for $2 \leq i \leq t$]

Lower bound on rings. Then, we show that any $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on a chain needs at least $L$ rounds to stabilize where $L$ is the largest clock drift between correct processors in the system.
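
The chain execution constructed in the proof of Theorem 7, replayed as an added example (it is not code from the paper). The functions `end_rule` and `middle_rule` are a hypothetical minimal, deterministic type-1 protocol chosen to be consistent with Lemmas 7 to 9, not the rules of SSU; the Byzantine processor s mirrors the clock of r, as in the proof.

```python
# Added example: replays the chain execution from the proof of Theorem 7.
# The two rules are a hypothetical minimal, deterministic, type-1 protocol
# consistent with Lemmas 7-9; they are NOT the paper's SSU rules.

def end_rule(c, nb):
    """End processor: resynchronise if out of unison, else cycle nb, nb+1, ..."""
    if abs(c - nb) > 1:
        return nb
    return nb + 1 if c == nb else nb

def middle_rule(c, left, right):
    """Middle processor with neighbour clocks `left` and `right`."""
    ok_l, ok_r = abs(c - left) <= 1, abs(c - right) <= 1
    if ok_l and ok_r:                      # unison with both: tick if local minimum
        return c + 1 if c <= min(left, right) else c
    if not (ok_l or ok_r):                 # unison with neither: not exercised here
        return c
    near, far = (left, right) if ok_l else (right, left)
    step = c + (1 if far > c else -1)      # Lemma 8: move toward the far neighbour
    return step if abs(step - near) <= 1 else c   # Lemma 7: keep existing unison

def drift(cfg):
    """Largest clock difference between correct neighbours (p-q and q-r)."""
    return max(abs(cfg["p"] - cfg["q"]), abs(cfg["q"] - cfg["r"]))

def replay(a, t):
    """Return configurations s_0 .. s_t of the chain p - q - r - s (s Byzantine)."""
    c = {"p": a + 2 * t, "q": a + 2 * t, "r": a, "s": a}
    trace = [dict(c)]
    for i in range(1, t + 1):
        for _ in range(2 if i == 1 else 1):    # p is activated twice in round 1
            c["p"] = end_rule(c["p"], c["q"])
        c["q"] = middle_rule(c["q"], c["p"], c["r"])
        c["r"] = middle_rule(c["r"], c["q"], c["s"])
        c["s"] = c["r"]                        # Byzantine s mirrors r, as in the proof
        trace.append(dict(c))
    return trace

def rounds_to_unison(a, t):
    """First round after which all correct neighbours are within drift 1."""
    for i, cfg in enumerate(replay(a, t)):
        if drift(cfg) <= 1:
            return i
    return None

if __name__ == "__main__":
    for i, cfg in enumerate(replay(a=10, t=3)):
        print(f"s_{i}: {cfg}  drift={drift(cfg)}")
    print("rounds to unison:", rounds_to_unison(10, 3))
```

With initial drift L = 2t the replay needs exactly t rounds before the correct processors are in unison, so the round count grows linearly in L.
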

In the following lemmas, $A$ denotes any $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on a ring under a central strongly fair scheduler.

Lemma 10 When a processor is in unison with only one of its neighbors, any enabled rule of $A$ for this processor maintains this unison.

Proof. The proof of Lemma 7 directly applies here if we consider the following system: $V = \{p, q, r\}$ and $E = \{\{p, q\}, \{q, r\}, \{r, p\}\}$. □

Lemma 11 When a processor $p$ is in unison with only one of its neighbors (denote by $q$ the other neighbor of $p$), the following property holds: in any execution starting from this configuration in which $q$ remains not synchronized with $p$, $p$ moves its clock closer to the clock of $q$ in a finite time.

Proof. The proof of Lemma 8 directly applies here if we consider the following system: $V = \{p, q, r, s\}$ and $E = \{\{p, q\}, \{q, r\}, \{r, s\}, \{s, p\}\}$. □

Theorem 8 The stabilization time of any $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on rings is in $\Omega(L)$ where $L$ is the maximum clock drift between two correct neighbors in the initial configuration.

Proof. Assume that $A$ is a $(1,0)$-strictly-stabilizing deterministic minimal asynchronous unison on rings. Let $a, t$ be natural numbers. Consider the following initial configuration $s_0$: $V = \{p, q, r, s, t\}$, $E = \{\{p, q\}, \{q, r\}, \{r, s\}, \{s, t\}, \{t, p\}\}$, $r$ is Byzantine and $c_p = c_t = a + 2t$, $c_q = c_s = c_r = a$ (see Figure 11). Hence, we have a maximal clock drift of $L = 2t$. Note that $p$ and $t$ are enabled to take the value $a + 2t - 1$ in $s_0$ (by Lemmas 11 and 10 and the fact that $A$ is minimal). By similar reasoning, we can deduce that $q$ and $s$ are enabled to take the value $a + 1$.
Then, the following execution of $A$ is possible: $p$ is activated and takes value $a + 2t - 1$, $t$ is activated and takes value $a + 2t - 1$, $q$ is activated and takes value $a + 1$, $s$ is activated and takes value $a + 1$ and $s$ takes the value $a + 1$ (recall that $s$ is Byzantine). We obtain the configuration $s_1$ depicted in Figure 11. We can observe that the first round $R_1$ of our execution ends in $s_1$ and that we have now a maximal clock drift of $a + 2(t - 1)$. By the same reasoning, we can construct a sequence of $t - 1$ rounds $R_i = s_{i-1} \ldots s_i$ ($2 \leq i \leq t$) as follows: $p$ is activated and takes value $a + 2t - i$, $t$ is activated and takes value $a + 2t - i$, $q$ is activated and takes value $a + i$, $s$ is activated and takes value $a + i$ and $s$ takes the value $a + i$ (recall that $s$ is Byzantine). We obtain the configuration $s_i$ at the end of round $R_i$ ($2 \leq i \leq t$) depicted in Figure 11. At the end of round $R_i$ ($2 \leq i \leq t$), we have a maximal clock drift of $2(t - i)$.

We can conclude that, at the end of the round $R_{t-1}$, the maximal clock drift is 2 whereas, at the end of the round $R_t$, the maximal clock drift is 0. By construction of $t$, we can conclude that $A$ needs $\Omega(L)$ rounds to stabilize. □

Conclusion. Let us review our conclusions so far. Theorem 6 proves that the stabilization complexity of SSU is in $O(L)$ rounds while Theorems 7 and 8 show that any $(1,0)$-strict-stabilizing algorithm requires at least that many rounds to stabilize. The following theorem summarizes these results.

Theorem 9 The stabilization complexity of SSU is optimal. It stabilizes in $\Theta(L)$ asynchronous rounds where $L$ is the largest drift between correct processors.

5 Conclusion

In this paper we explored joint tolerance to Byzantine and systemic transient faults for the asynchronous unison problem in shared memory.
The presence of algorithms that tolerate both fault classes poses the question for further study: what are the properties of such algorithms in more concrete execution models of finer atomicity such as shared registers or message-passing. Lower atomicity models tend to empower faulty processors. Indeed, in shared register model, the Byzantine processor on a ring may report differing clock values to its right and left neighbors, complicating fault recovery. In our future work we would like to pursue this research question.
