Maximum Metric Spanning Tree made Byzantine Tolerant
Self-stabilization is a versatile approach to fault-tolerance since it permits a distributed system to recover from any transient fault that arbitrarily corrupts the contents of all memories in the system. Byzantine tolerance is an attractive feature…
Authors: Swan Dubois (LIP6, INRIA Rocquencourt), Toshimitsu Masuzawa (Department of Information
Swan Dubois (UPMC Sorbonne Universités & INRIA, France, swan.dubois@lip6.fr), Toshimitsu Masuzawa (Osaka University, Japan, masuzawa@ist.osaka-u.ac.jp), Sébastien Tixeuil (UPMC Sorbonne Universités & Institut Universitaire de France, France, sebastien.tixeuil@lip6.fr)

Abstract

Self-stabilization is a versatile approach to fault-tolerance since it permits a distributed system to recover from any transient fault that arbitrarily corrupts the contents of all memories in the system. Byzantine tolerance is an attractive feature of distributed systems that makes it possible to cope with arbitrary malicious behaviors. This paper focuses on systems that are both self-stabilizing and Byzantine tolerant. We consider the well known problem of constructing a maximum metric tree in this context. Combining these two properties is known to induce many impossibility results. In this paper, we first provide two impossibility results about the construction of maximum metric trees in presence of transient and (permanent) Byzantine faults. Then, we provide a new self-stabilizing protocol that provides optimal containment of an arbitrary number of Byzantine faults.

Keywords: Byzantine fault, Distributed protocol, Fault tolerance, Stabilization, Spanning tree construction

1 Introduction

The advent of ubiquitous large-scale distributed systems advocates that tolerance to various kinds of faults and hazards must be included from the very early design of such systems. Self-stabilization [2, 3, 16] is a versatile technique that permits forward recovery from any kind of transient faults, while Byzantine fault-tolerance [12] is traditionally used to mask the effect of a limited number of malicious faults. Making distributed systems tolerant to both transient and malicious faults is appealing yet proved difficult [4, 1, 15] as impossibility results are expected in many cases.

Related Works. A promising path towards multitolerance to both transient and Byzantine faults is Byzantine containment. For local tasks (i.e. tasks whose correctness can be checked locally, such as vertex coloring, link coloring, or dining philosophers), the notion of strict stabilization was proposed [15, 14]. Strict stabilization guarantees that there exists a containment radius outside which the effect of permanent faults is masked, provided that the problem specification makes it possible to break the causality chain that is caused by the faults. As many problems are not local, it turns out that it is impossible to provide strict stabilization for those. To circumvent impossibility results, the weaker notion of strong stabilization was proposed [13, 7]: here, correct nodes outside the containment radius may be perturbed by the actions of Byzantine nodes, but only a finite number of times. Recently, the idea of generalizing strict and strong stabilization to an area that depends on the graph topology and the problem to be solved rather than an arbitrary fixed containment radius was proposed [5, 6] and denoted by topology-aware strict (and strong) stabilization. When maximizable metric trees are considered, [5] proposed an optimal (with respect to impossibility results) protocol for topology-aware strict stabilization, and for the simpler case of breadth-first-search metric trees, [6] presented a protocol that is optimal both with respect to strict and strong variants of topology-aware stabilization. The case of optimality for topology-aware strong stabilization in the general maximal metric case remains open.

Our Contribution. In this paper, we investigate the possibility of topology-aware strong stabilization for tasks that are global (i.e. for which there exists a causality chain of size $r$, where $r$ depends on $n$, the size of the network), and focus on the maximum metric tree problem. Our contribution in this paper is threefold. First, we provide two impossibility results for self-stabilizing maximum metric tree construction in presence of Byzantine faults. In more detail, we characterize a specific class of maximizable metrics (which includes breadth-first-search and shortest path metrics) that prevents the existence of strongly stabilizing solutions, and we generalize an impossibility result of [6] that provides a lower bound on the containment area for topology-aware strong stabilization (Section 3). Second, we provide a topology-aware strongly stabilizing protocol that matches this lower bound on the containment area (Section 4). Finally, we provide a necessary and sufficient condition for the existence of a strongly stabilizing solution (Section 5).

2 Model, Definitions and Previous Results

2.1 State Model

A distributed system $S = (V, L)$ consists of a set $V = \{v_1, v_2, \ldots, v_n\}$ of processes and a set $L$ of bidirectional communication links (simply called links). A link is an unordered pair of distinct processes. A distributed system $S$ can be regarded as a graph whose vertex set is $V$ and whose link set is $L$, so we use graph terminology to describe a distributed system $S$. We use the following notations: $n = |V|$, $m = |L|$ and $d(u, v)$ denotes the distance between two processes $u$ and $v$ (i.e. the length of the shortest path between $u$ and $v$). Processes $u$ and $v$ are called neighbors if $(u, v) \in L$. The set of neighbors of a process $v$ is denoted by $N_v$. We do not assume existence of a unique identifier for each process. Instead we assume each process can distinguish its neighbors from each other by locally labeling them.
In this paper, we consider distributed systems of arbitrary topology. We assume that a single process is distinguished as a root, and all the other processes are identical. We adopt the shared state model as a communication model in this paper, where each process can directly read the states of its neighbors. The variables that are maintained by processes denote process states. A process may take actions during the execution of the system. An action is simply a function that is executed in an atomic manner by the process. The action executed by each process is described by a finite set of guarded actions of the form $\langle \text{guard} \rangle \longrightarrow \langle \text{statement} \rangle$. Each guard of process $u$ is a boolean expression involving the variables of $u$ and its neighbors.

A global state of a distributed system is called a configuration and is specified by a product of states of all processes. We define $C$ to be the set of all possible configurations of a distributed system $S$. For a process set $R \subseteq V$ and two configurations $\rho$ and $\rho'$, we denote $\rho \overset{R}{\mapsto} \rho'$ when $\rho$ changes to $\rho'$ by executing an action of each process in $R$ simultaneously. Notice that $\rho$ and $\rho'$ can be different only in the states of processes in $R$. For completeness of execution semantics, we should clarify the configuration resulting from simultaneous actions of neighboring processes. The action of a process depends only on its state at $\rho$ and the states of its neighbors at $\rho$, and the result of the action reflects on the state of the process at $\rho'$. We say that a process is enabled in a configuration $\rho$ if the guard of at least one of its actions is evaluated as true in $\rho$.

A schedule of a distributed system is an infinite sequence of process sets. Let $Q = R_1, R_2, \ldots$ be a schedule, where $R_i \subseteq V$ holds for each $i$ ($i \geq 1$). An infinite sequence of configurations $e = \rho_0, \rho_1, \ldots$ is called an execution from an initial configuration $\rho_0$ by a schedule $Q$, if $e$ satisfies $\rho_{i-1} \overset{R_i}{\mapsto} \rho_i$ for each $i$ ($i \geq 1$). Process actions are executed atomically, and we distinguish some properties on the scheduler (or daemon). A distributed daemon schedules the actions of processes such that any subset of processes can simultaneously execute their actions. We say that the daemon is central if it schedules the action of only one process at any step. The set of all possible executions from $\rho_0 \in C$ is denoted by $E_{\rho_0}$. The set of all possible executions is denoted by $E$, that is, $E = \bigcup_{\rho \in C} E_\rho$. We consider asynchronous distributed systems but we add the following assumption on schedules: any schedule is strongly fair (that is, it is impossible for any process to be infinitely often enabled without executing its action in an execution) and $k$-bounded (that is, it is impossible for any process to execute more than $k$ actions between two consecutive action executions of any other process).

In this paper, we consider (permanent) Byzantine faults: a Byzantine process (i.e. a Byzantine-faulty process) can make arbitrary behavior independently from its actions. If $v$ is a Byzantine process, $v$ can repeatedly change its variables arbitrarily. For a given execution, the number of faulty processes is arbitrary but we assume that the root process is never faulty.

2.2 Self-Stabilizing Protocols Resilient to Byzantine Faults

Problems considered in this paper are so-called static problems, i.e. they require the system to find static solutions. For example, the spanning-tree construction problem is a static problem, while the mutual exclusion problem is not.
Some static problems can be defined by a specification predicate (shortly, specification), $spec(v)$, for each process $v$: a configuration is a desired one (with a solution) if every process satisfies $spec(v)$. A specification $spec(v)$ is a boolean expression on variables of $P_v$ ($\subseteq V$) where $P_v$ is the set of processes whose variables appear in $spec(v)$. The variables appearing in the specification are called output variables (shortly, O-variables). In what follows, we consider a static problem defined by specification $spec(v)$.

A self-stabilizing protocol ([2]) is a protocol that eventually reaches a legitimate configuration, where $spec(v)$ holds at every process $v$, regardless of the initial configuration. Once it reaches a legitimate configuration, every process never changes its O-variables and always satisfies $spec(v)$. From this definition, a self-stabilizing protocol is expected to tolerate any number and any type of transient faults since it can eventually recover from any configuration affected by the transient faults. However, the recovery from any configuration is guaranteed only when every process correctly executes its action from the configuration, i.e., we do not consider existence of permanently faulty processes. When (permanent) Byzantine processes exist, Byzantine processes may not satisfy $spec(v)$. In addition, correct processes near the Byzantine processes can be influenced and may be unable to satisfy $spec(v)$. Nesterenko and Arora [15] define a strictly stabilizing protocol as a self-stabilizing protocol resilient to an unbounded number of Byzantine processes. Given an integer $c$, a $c$-correct process is a process defined as follows.

Definition 1 ($c$-correct process) A process is $c$-correct if it is correct (i.e. not Byzantine) and located at distance more than $c$ from any Byzantine process.

Definition 2 ($(c, f)$-containment) A configuration $\rho$ is $(c, f)$-contained for specification $spec$ if, given at most $f$ Byzantine processes, in any execution starting from $\rho$, every $c$-correct process $v$ always satisfies $spec(v)$ and never changes its O-variables.

The parameter $c$ of Definition 2 refers to the containment radius defined in [15]. The parameter $f$ refers explicitly to the number of Byzantine processes, while [15] dealt with an unbounded number of Byzantine faults (that is $f \in \{0 \ldots n\}$).

Definition 3 ($(c, f)$-strict stabilization) A protocol is $(c, f)$-strictly stabilizing for specification $spec$ if, given at most $f$ Byzantine processes, any execution $e = \rho_0, \rho_1, \ldots$ contains a configuration $\rho_i$ that is $(c, f)$-contained for $spec$.

An important limitation of the model of [15] is the notion of $r$-restrictive specifications. Intuitively, a specification is $r$-restrictive if it prevents combinations of states that belong to two processes $u$ and $v$ that are at least $r$ hops away. An important consequence related to Byzantine tolerance is that the containment radius of protocols solving those specifications is at least $r$. For some (global) problems $r$ cannot be bounded by a constant. In consequence, we can show that there exists no $(c, 1)$-strictly stabilizing protocol for such a problem for any (finite) integer $c$.

Strong stabilization. To circumvent such impossibility results, [7] defines a weaker notion than the strict stabilization. Here, the requirement on the containment radius is relaxed, i.e. there may exist processes outside the containment radius that invalidate the specification predicate, due to Byzantine actions.
However, the impact of Byzantine-triggered actions is limited in time: the set of Byzantine processes may only impact processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions. In the remainder of this section, we recall the formal definition of strong stabilization adopted in [7]. From the states of $c$-correct processes, $c$-legitimate configurations and $c$-stable configurations are defined as follows.

Definition 4 ($c$-legitimate configuration) A configuration $\rho$ is $c$-legitimate for $spec$ if every $c$-correct process $v$ satisfies $spec(v)$.

Definition 5 ($c$-stable configuration) A configuration $\rho$ is $c$-stable if every $c$-correct process never changes the values of its O-variables as long as Byzantine processes make no action.

Roughly speaking, the aim of self-stabilization is to guarantee that a distributed system eventually reaches a $c$-legitimate and $c$-stable configuration. However, a self-stabilizing system can be disturbed by Byzantine processes after reaching a $c$-legitimate and $c$-stable configuration. The $c$-disruption represents the period where $c$-correct processes are disturbed by Byzantine processes and is defined as follows.

Definition 6 ($c$-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t > 1$) is a $c$-disruption if and only if the following holds:
1. $e$ is finite,
2. $e$ contains at least one action of a $c$-correct process for changing the value of an O-variable,
3. $\rho_0$ is $c$-legitimate for $spec$ and $c$-stable, and
4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is $c$-legitimate for $spec$ and $c$-stable.

Now we can define a self-stabilizing protocol such that Byzantine processes may only impact processes outside the containment radius a bounded number of times, even if Byzantine processes execute an infinite number of actions.
Definition 7 ($(t, k, c, f)$-time contained configuration) A configuration $\rho_0$ is $(t, k, c, f)$-time contained for $spec$ if, given at most $f$ Byzantine processes, the following properties are satisfied:
1. $\rho_0$ is $c$-legitimate for $spec$ and $c$-stable,
2. every execution starting from $\rho_0$ contains a $c$-legitimate configuration for $spec$ after which the values of all the O-variables of $c$-correct processes remain unchanged (even when Byzantine processes make actions repeatedly and forever),
3. every execution starting from $\rho_0$ contains at most $t$ $c$-disruptions, and
4. every execution starting from $\rho_0$ contains at most $k$ actions of changing the values of O-variables for each $c$-correct process.

Definition 8 ($(t, c, f)$-strongly stabilizing protocol) A protocol $A$ is $(t, c, f)$-strongly stabilizing if and only if, starting from any arbitrary configuration, every execution involving at most $f$ Byzantine processes contains a $(t, k, c, f)$-time contained configuration that is reached after at most $l$ rounds. Parameters $l$ and $k$ are respectively the $(t, c, f)$-stabilization time and the $(t, c, f)$-process-disruption time of $A$.

Note that a $(t, k, c, f)$-time contained configuration is a $(c, f)$-contained configuration when $t = k = 0$, and thus a $(t, k, c, f)$-time contained configuration is a generalization (relaxation) of a $(c, f)$-contained configuration. Thus, a strongly stabilizing protocol is weaker than a strictly stabilizing one (as processes outside the containment radius may take incorrect actions due to Byzantine influence). However, a strongly stabilizing protocol is stronger than a classical self-stabilizing one (that may never meet its specification in the presence of Byzantine processes).
The parameters $t$, $k$ and $c$ are introduced to quantify the strength of fault containment; we do not require each process to know the values of the parameters.

Topology-aware Byzantine resilience. We saw previously that there exist a number of impossibility results on strict stabilization due to the notion of $r$-restrictive specifications. To circumvent this impossibility result, we describe here another weaker notion than the strict stabilization: the topology-aware strict stabilization (denoted by TA strict stabilization for short) introduced by [5]. Here, the requirement on the containment radius is relaxed, i.e. the set of processes which may be disturbed by Byzantine ones is not reduced to the union of the $c$-neighborhoods of Byzantine processes (i.e. the set of processes at distance at most $c$ from a Byzantine process) but can be defined depending on the graph topology and the location of Byzantine processes.

In the following, we give the formal definition of this new kind of Byzantine containment. From now on, $B$ denotes the set of Byzantine processes and $S_B$ (which is a function of $B$) denotes a subset of $V$ (intuitively, this set gathers all processes which may be disturbed by Byzantine processes).

Definition 9 ($S_B$-correct node) A node is $S_B$-correct if it is a correct node (i.e. not Byzantine) which does not belong to $S_B$.

Definition 10 ($S_B$-legitimate configuration) A configuration $\rho$ is $S_B$-legitimate for $spec$ if every $S_B$-correct node $v$ is legitimate for $spec$ (i.e. if $spec(v)$ holds).

Definition 11 ($(S_B, f)$-topology-aware containment) A configuration $\rho_0$ is $(S_B, f)$-topology-aware contained for specification $spec$ if, given at most $f$ Byzantine processes, in any execution $e = \rho_0, \rho_1, \ldots$, every configuration is $S_B$-legitimate and every $S_B$-correct process never changes its O-variables.
The parameter $S_B$ of Definition 11 refers to the containment area. Any process which belongs to this set may be infinitely disturbed by Byzantine processes. The parameter $f$ refers explicitly to the number of Byzantine processes.

Definition 12 ($(S_B, f)$-topology-aware strict stabilization) A protocol is $(S_B, f)$-topology-aware strictly stabilizing for specification $spec$ if, given at most $f$ Byzantine processes, any execution $e = \rho_0, \rho_1, \ldots$ contains a configuration $\rho_i$ that is $(S_B, f)$-topology-aware contained for $spec$.

Note that, if $B$ denotes the set of Byzantine processes and $S_B = \{v \in V \mid \min_{b \in B}(d(v, b)) \leq c\}$, then a $(S_B, f)$-topology-aware strictly stabilizing protocol is a $(c, f)$-strictly stabilizing protocol. Hence, the concept of topology-aware strict stabilization is a generalization of strict stabilization. However, note that a TA strictly stabilizing protocol is stronger than a classical self-stabilizing protocol (that may never meet its specification in the presence of Byzantine processes). The parameter $S_B$ is introduced to quantify the strength of fault containment; we do not require each process to know the actual definition of the set.

Similarly to topology-aware strict stabilization, we can weaken the notion of strong stabilization using the notion of containment area. This idea was introduced by [6]. We recall in the following the formal definition of this concept.

Definition 13 ($S_B$-stable configuration) A configuration $\rho$ is $S_B$-stable if every $S_B$-correct process never changes the values of its O-variables as long as Byzantine processes make no action.

Definition 14 ($S_B$-TA-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t > 1$) is a $S_B$-TA-disruption if and only if the following hold:
1. $e$ is finite,
2. $e$ contains at least one action of a $S_B$-correct process for changing the value of an O-variable,
3. $\rho_0$ is $S_B$-legitimate for $spec$ and $S_B$-stable, and
4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is $S_B$-legitimate for $spec$ and $S_B$-stable.

Definition 15 ($(t, k, S_B, f)$-TA time contained configuration) A configuration $\rho_0$ is $(t, k, S_B, f)$-TA time contained for $spec$ if, given at most $f$ Byzantine processes, the following properties are satisfied:
1. $\rho_0$ is $S_B$-legitimate for $spec$ and $S_B$-stable,
2. every execution starting from $\rho_0$ contains a $S_B$-legitimate configuration for $spec$ after which the values of all the O-variables of $S_B$-correct processes remain unchanged (even when Byzantine processes make actions repeatedly and forever),
3. every execution starting from $\rho_0$ contains at most $t$ $S_B$-TA-disruptions, and
4. every execution starting from $\rho_0$ contains at most $k$ actions of changing the values of O-variables for each $S_B$-correct process.

Definition 16 ($(t, S_B, f)$-TA strongly stabilizing protocol) A protocol $A$ is $(t, S_B, f)$-TA strongly stabilizing if and only if, starting from any arbitrary configuration, every execution involving at most $f$ Byzantine processes contains a $(t, k, S_B, f)$-TA-time contained configuration that is reached after at most $l$ rounds of each $S_B$-correct node. Parameters $l$ and $k$ are respectively the $(t, S_B, f)$-stabilization time and the $(t, S_B, f)$-process-disruption time of $A$.

2.3 Maximum Metric Tree Construction

In this work, we deal with maximum (routing) metric trees as defined in [10]. Informally, the goal of a routing protocol is to construct a tree that simultaneously maximizes the metric values of all of the nodes with respect to some total ordering $\prec$. In the following, we recall all definitions and notations introduced in [10].
Definition 17 (Routing metric) A routing metric (or just metric) is a five-tuple $(M, W, met, mr, \prec)$ where:
1. $M$ is a set of metric values,
2. $W$ is a set of edge weights,
3. $met$ is a metric function whose domain is $M \times W$ and whose range is $M$,
4. $mr$ is the maximum metric value in $M$ with respect to $\prec$ and is assigned to the root of the system,
5. $\prec$ is a less-than total order relation over $M$ that satisfies the following three conditions for arbitrary metric values $m$, $m'$, and $m''$ in $M$:
(a) irreflexivity: $m \not\prec m$,
(b) transitivity: if $m \prec m'$ and $m' \prec m''$ then $m \prec m''$,
(c) totality: $m \prec m'$ or $m' \prec m$ or $m = m'$.
Any metric value $m \in M \setminus \{mr\}$ satisfies the utility condition (that is, there exist $w_0, \ldots, w_{k-1}$ in $W$ and $m_0 = mr, m_1, \ldots, m_{k-1}, m_k = m$ in $M$ such that $\forall i \in \{1, \ldots, k\}$, $m_i = met(m_{i-1}, w_{i-1})$).

For instance, we provide the definition of four classical metrics with this model: the shortest path metric ($SP$), the flow metric ($F$), and the reliability metric ($R$). Note also that we can model the construction of a spanning tree with no particular constraints in this model using the metric $NC$ described below, and the construction of a BFS spanning tree using the shortest path metric ($SP$) with $W_1 = \{1\}$ (we denote this metric by $BFS$ in the following).

$SP = (M_1, W_1, met_1, mr_1, \prec_1)$ where $M_1 = \mathbb{N}$, $W_1 = \mathbb{N}$, $met_1(m, w) = m + w$, $mr_1 = 0$, and $\prec_1$ is the classical $>$ relation.

$F = (M_2, W_2, met_2, mr_2, \prec_2)$ where $mr_2 \in \mathbb{N}$, $M_2 = \{0, \ldots, mr_2\}$, $W_2 = \{0, \ldots, mr_2\}$, $met_2(m, w) = \min\{m, w\}$, and $\prec_2$ is the classical $<$ relation.

$R = (M_3, W_3, met_3, mr_3, \prec_3)$ where $M_3 = [0, 1]$, $W_3 = [0, 1]$, $met_3(m, w) = m * w$, $mr_3 = 1$, and $\prec_3$ is the classical $<$ relation.

$NC = (M_4, W_4, met_4, mr_4, \prec_4)$ where $M_4 = \{0\}$, $W_4 = \{0\}$, $met_4(m, w) = 0$, $mr_4 = 0$, and $\prec_4$ is the classical $<$ relation.

Definition 18 (Assigned metric) An assigned metric over a system $S$ is a six-tuple $(M, W, met, mr, \prec, wf)$ where $(M, W, met, mr, \prec)$ is a metric and $wf$ is a function that assigns to each edge of $S$ a weight in $W$.

Let a rooted path (from $v$) be a simple path from a process $v$ to the root $r$. The next set of definitions are with respect to an assigned metric $(M, W, met, mr, \prec, wf)$ over a given system $S$.

Definition 19 (Metric of a rooted path) The metric of a rooted path in $S$ is the prefix sum of $met$ over the edge weights in the path and $mr$. For example, if a rooted path $p$ in $S$ is $v_k, \ldots, v_0$ with $v_0 = r$, then the metric of $p$ is $m_k = met(m_{k-1}, wf(\{v_k, v_{k-1}\}))$ with $\forall i \in \{1, \ldots, k-1\}$, $m_i = met(m_{i-1}, wf(\{v_i, v_{i-1}\}))$ and $m_0 = mr$.

Definition 20 (Maximum metric path) A rooted path $p$ from $v$ in $S$ is called a maximum metric path with respect to an assigned metric if and only if for every other rooted path $q$ from $v$ in $S$, the metric of $p$ is greater than or equal to the metric of $q$ with respect to the total order $\prec$.

Definition 21 (Maximum metric of a node) The maximum metric of a node $v \neq r$ (or simply metric value of $v$) in $S$ is defined by the metric of a maximum metric path from $v$. The maximum metric of $r$ is $mr$.

Definition 22 (Maximum metric tree) A spanning tree $T$ of $S$ is a maximum metric tree with respect to an assigned metric over $S$ if and only if every rooted path in $T$ is a maximum metric path in $S$ with respect to the assigned metric.
The goal of the work of [10] is the study of metrics that always allow the construction of a maximum metric tree. More formally, the definition follows.

Definition 23 (Maximizable metric) A metric is maximizable if and only if for any assignment of this metric over any system $S$, there is a maximum metric tree for $S$ with respect to the assigned metric.

Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the aim of this work is to study the construction of a maximum metric tree with respect to $\mathcal{M}$ which spans the system in a self-stabilizing way in a system subject to permanent Byzantine faults (but we must assume that the root process is never a Byzantine one). It is obvious that these Byzantine processes may disturb some correct processes. This is why we relax the problem in the following way: we want to construct a maximum metric forest with respect to $\mathcal{M}$. The root of any tree of this forest must be either the real root or a Byzantine process.

Each process $v$ has three O-variables: a pointer to its parent in its tree ($prnt_v \in N_v \cup \{\bot\}$), a level which stores its current metric value ($level_v \in M$) and an integer which stores a distance ($dist_v \in \mathbb{N}$). Obviously, Byzantine processes may disturb (at least) their neighbors. We use the following specification of the problem.

We introduce new notations as follows. Given an assigned metric $(M, W, met, mr, \prec, wf)$ over the system $S$ and two processes $u$ and $v$, we denote by $\mu(u, v)$ the maximum metric of node $u$ when $v$ plays the role of the root of the system. If $u$ and $v$ are neighbors, we denote by $w_{u,v}$ the weight of the edge $\{u, v\}$ (that is, the value of $wf(\{u, v\})$).

Definition 24 ($\mathcal{M}$-path) Given an assigned metric $\mathcal{M} = (M, W, mr, met, \prec, wf)$ over a system $S$, a path $(v_0, \ldots, v_k)$ ($k \geq 1$) of $S$ is a $\mathcal{M}$-path if and only if:
1. $prnt_{v_0} = \bot$, $level_{v_0} = mr$, $dist_{v_0} = 0$, and $v_0 \in B \cup \{r\}$,
2. $\forall i \in \{1, \ldots, k\}$, $prnt_{v_i} = v_{i-1}$ and $level_{v_i} = met(level_{v_{i-1}}, w_{v_i, v_{i-1}})$,
3. $\forall i \in \{1, \ldots, k\}$, $met(level_{v_{i-1}}, w_{v_i, v_{i-1}}) = \max_{\prec}\{met(level_u, w_{v_i, u}) \mid u \in N_v\}$,
4. $\forall i \in \{1, \ldots, k\}$, $dist_{v_i} = legal\_dist_{v_{i-1}}$ with $\forall u \in N_v$, $legal\_dist_u = \begin{cases} dist_u + 1 & \text{if } level_v = level_u \\ 0 & \text{otherwise} \end{cases}$, and
5. $level_{v_k} = \mu(v_k, v_0)$.

We define the specification predicate $spec(v)$ of the maximum metric tree construction with respect to a maximizable metric $\mathcal{M}$ as follows.

$spec(v): \begin{cases} prnt_v = \bot \text{ and } level_v = mr \text{ and } dist_v = 0 & \text{if } v \text{ is the root } r \\ \text{there exists a } \mathcal{M}\text{-path } (v_0, \ldots, v_k) \text{ such that } v_k = v & \text{otherwise} \end{cases}$

2.4 Previous results

In this section, we summarize known results about maximum metric tree construction. The first interesting result about maximizable metrics is due to [10], which provides a full characterization of maximizable metrics as follows.

Definition 25 (Boundedness) A metric $(M, W, met, mr, \prec)$ is bounded if and only if: $\forall m \in M, \forall w \in W$, $met(m, w) \prec m$ or $met(m, w) = m$.

Definition 26 (Monotonicity) A metric $(M, W, met, mr, \prec)$ is monotonic if and only if: $\forall (m, m') \in M^2, \forall w \in W$, $m \prec m' \Rightarrow (met(m, w) \prec met(m', w)$ or $met(m, w) = met(m', w))$.

Theorem 1 (Characterization of maximizable metrics [10]) A metric is maximizable if and only if this metric is bounded and monotonic.

Secondly, [9] provides a self-stabilizing protocol to construct a maximum metric tree with respect to any maximizable metric. Now, we focus on self-stabilizing solutions resilient to Byzantine faults. Following the discussion of Section 2, it is obvious that there exists no strictly stabilizing protocol for this problem.
If we consider the weaker notion of topology-aware strict stabilization, [5] defines the best containment area as:

$S_B = \{v \in V \setminus B \mid \mu(v, r) \preceq \max_{\prec}\{\mu(v, b), b \in B\}\} \setminus \{r\}$

Intuitively, $S_B$ gathers correct processes that are closer to (or at equal distance from) a Byzantine process than to the root according to the metric. Moreover, [5] proves that the algorithm introduced for the maximum metric spanning tree construction in [9] achieves this optimal containment area. More formally, [5] proves the following results.

Theorem 2 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(A_B, 1)$-TA-strictly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A_B \subsetneq S_B$.

Theorem 3 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the protocol of [9] is a $(S_B, n-1)$-TA strictly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$.

Some other works try to circumvent the impossibility result of strict stabilization using the concept of strong stabilization but do not provide results for any maximizable metric. Indeed, [7] proves the following result about spanning trees.

Theorem 4 ([7]) There exists a $(t, 0, n-1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $NC$ (that is, for a spanning tree with no particular constraints) with a finite $t$.

On the other hand, regarding BFS spanning tree construction, [6] proved the following impossibility result.

Theorem 5 ([6]) Even under the central daemon, there exists no $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $BFS$ where $t$ and $c$ are two finite integers.
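To make the containment area $S_B$ concrete, here is an added example (not code from the paper or from the protocol of [9]) that computes $S_B$ for the shortest path metric $SP$ on a small constructed weighted network with one Byzantine process. For $SP$ a maximum metric path is a shortest path, so $\mu(v, x)$ is obtained with Dijkstra's algorithm; the network, the node names and the choice of the Byzantine node are constructed for the example. The `strict` switch is an assumption of this example: it replaces $\preceq$ by $\prec$ in the definition, which on correct processes with unit weights gives the hop-distance area $S^*_B$ of [6] recalled below.

```python
import heapq

# Added example (not from the paper): computing the containment area S_B of [5]
# for the shortest path metric SP (met(m, w) = m + w, mr = 0, ≺ is ">") on a
# small constructed weighted network with one Byzantine process.

# Constructed network: (u, v, wf({u, v})); "r" is the root, "z" is Byzantine.
EDGES = [
    ("r", "a", 1), ("a", "b", 1), ("b", "c", 1), ("c", "z", 1),
    ("r", "d", 2), ("d", "z", 1), ("b", "e", 3),
]

def build_graph(edges):
    """Undirected adjacency map: adj[u][v] = edge weight wf({u, v})."""
    adj = {}
    for u, v, w in edges:
        adj.setdefault(u, {})[v] = w
        adj.setdefault(v, {})[u] = w
    return adj

def sp_prec(m1, m2):
    """≺_1 of the SP metric is the classical '>' relation: m1 ≺ m2 iff m1 > m2."""
    return m1 > m2

def mu_sp(adj, root):
    """mu(v, root) for every v under SP: the maximum metric path from v when
    `root` plays the root is a shortest path, so Dijkstra computes it."""
    best = {root: 0}            # mr_1 = 0 at the (real or Byzantine) root
    heap = [(0, root)]
    while heap:
        m, u = heapq.heappop(heap)
        if m > best[u]:
            continue
        for v, w in adj[u].items():
            cand = m + w        # met_1(m, w) = m + w
            # cand is a better (greater w.r.t. ≺, i.e. smaller) metric value
            if v not in best or sp_prec(best[v], cand):
                best[v] = cand
                heapq.heappush(heap, (cand, v))
    return best

def containment_area(adj, root, byz, mu, prec, strict=False):
    """S_B = {v in V \\ B | mu(v, r) ≼ max_≺{mu(v, b), b in B}} \\ {r}.
    strict=True (example assumption) uses ≺ instead of ≼."""
    from_root = mu(adj, root)
    from_byz = {b: mu(adj, b) for b in byz}
    area = set()
    for v in adj:
        if v == root or v in byz:
            continue
        # maximum with respect to ≺ of mu(v, b) over the Byzantine "roots"
        best_byz = None
        for b in byz:
            val = from_byz[b][v]
            if best_byz is None or prec(best_byz, val):
                best_byz = val
        disturbed = prec(from_root[v], best_byz)          # mu(v, r) ≺ max
        if not strict:
            disturbed = disturbed or from_root[v] == best_byz   # or equal
        if disturbed:
            area.add(v)
    return area

if __name__ == "__main__":
    adj = build_graph(EDGES)
    print("S_B =", sorted(containment_area(adj, "r", {"z"}, mu_sp, sp_prec)))
    print("strict variant =",
          sorted(containment_area(adj, "r", {"z"}, mu_sp, sp_prec, strict=True)))
```

On this network the root reaches `b` and `e` at exactly the same metric value as the Byzantine node does, so both belong to $S_B$ (equality is included by $\preceq$) but drop out of the strict variant; `a` is strictly closer to the root and is never in the area.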
Now, if we focus on topology-aware strong stabilization, [6] introduced the following containment area:

$S^*_B = \{ v \in V \mid \min_{b \in B}(d(v, b)) < d(r, v) \}$

and proved the following results.

Theorem 6 ([6]) Even under the central daemon, there exists no $(t, A^*_B, 1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where $A^*_B \subsetneq S^*_B$ and $t$ is a finite integer.

Theorem 7 ([6]) The protocol of [11] is a $(t, S^*_B, n-1)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where $t$ is a finite integer.

The main motivation of this work is to fill the gap between results about TA strong and strong stabilization in the general case (that is, for any maximizable metric). Mainly, we define the best possible containment area for TA strong stabilization, we propose a protocol that provides this containment area, and we characterize the set of metrics that allow strong stabilization.

3 Impossibility Results

In this section, we provide our impossibility results about the containment radius (respectively area) of any strongly stabilizing (respectively TA strongly stabilizing) protocol for the maximum metric tree construction.

3.1 Strong Stabilization

We introduce here some new definitions to characterize some important properties of maximizable metrics that are used in the following.

Definition 27 (Strictly decreasing metric) A metric $\mathcal{M} = (M, W, mr, met, \prec)$ is strictly decreasing if, for any metric value $m \in M$, the following property holds: either $\forall w \in W$, $met(m, w) \prec m$ or $\forall w \in W$, $met(m, w) = m$.

Definition 28 (Fixed point) A metric value $m$ is a fixed point of a metric $\mathcal{M} = (M, W, mr, met, \prec)$ if $m \in M$ and if for any value $w \in W$, we have: $met(m, w) = m$.
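As an added illustration that is not part of the paper, the following Python checks Definitions 25 to 28 mechanically on a finite metric and reports whether a metric has the combination that Definition 29 below asks for (strictly decreasing with exactly one fixed point). It is applied to the metric MET that Section 3.1 introduces and to two constructed variants, ZERO_WEIGHT and TWO_FIXED, which are assumptions of this example, not metrics from the paper.

```python
"""Mechanical checks for Definitions 25 to 29 on a finite metric."""
from dataclasses import dataclass
from itertools import product
from operator import lt
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Metric:
    """A finite metric (M, W, met, mr, prec); prec plays the role of ≺."""
    M: FrozenSet[int]
    W: FrozenSet[int]
    met: Callable[[int, int], int]
    mr: int
    prec: Callable[[int, int], bool] = lt


def is_bounded(mt: Metric) -> bool:
    """Definition 25: met(m, w) ≺ m or met(m, w) = m for every m and w."""
    return all(mt.prec(mt.met(m, w), m) or mt.met(m, w) == m
               for m, w in product(mt.M, mt.W))


def is_monotonic(mt: Metric) -> bool:
    """Definition 26: m ≺ m' implies met(m, w) ≺ met(m', w) or equality."""
    for m, m2 in product(mt.M, repeat=2):
        if not mt.prec(m, m2):
            continue
        for w in mt.W:
            a, b = mt.met(m, w), mt.met(m2, w)
            if not (mt.prec(a, b) or a == b):
                return False
    return True


def is_maximizable(mt: Metric) -> bool:
    """Theorem 1 ([10]): maximizable iff bounded and monotonic."""
    return is_bounded(mt) and is_monotonic(mt)


def is_strictly_decreasing(mt: Metric) -> bool:
    """Definition 27: for each m, either every weight lowers m or none does."""
    for m in mt.M:
        lowers = [mt.prec(mt.met(m, w), m) for w in mt.W]
        stays = [mt.met(m, w) == m for w in mt.W]
        if not (all(lowers) or all(stays)):
            return False
    return True


def fixed_points(mt: Metric) -> List[int]:
    """Definition 28: values m with met(m, w) = m for every weight w."""
    return sorted(m for m in mt.M if all(mt.met(m, w) == m for w in mt.W))


def is_strongly_maximizable(mt: Metric) -> bool:
    """Definition 29: |M| = 1, or |M| >= 2, strictly decreasing, one fixed point."""
    if not is_maximizable(mt):
        return False
    if len(mt.M) == 1:
        return True
    return is_strictly_decreasing(mt) and len(fixed_points(mt)) == 1


def classify(mt: Metric) -> Dict[str, object]:
    return {"bounded": is_bounded(mt), "monotonic": is_monotonic(mt),
            "strictly_decreasing": is_strictly_decreasing(mt),
            "fixed_points": fixed_points(mt),
            "strongly_maximizable": is_strongly_maximizable(mt)}


# The paper's MET: M_5 = {0,1,2,3}, W_5 = {1}, met_5(m, w) = max{0, m - w}, mr_5 = 3.
MET = Metric(frozenset({0, 1, 2, 3}), frozenset({1}), lambda m, w: max(0, m - w), 3)

# Constructed variant (not from the paper): a zero weight is allowed, so
# met(m, 0) = m while met(m, 1) ≺ m for m > 0, which breaks strict decrease.
ZERO_WEIGHT = Metric(frozenset({0, 1, 2, 3}), frozenset({0, 1}),
                     lambda m, w: max(0, m - w), 3)

# Constructed variant (not from the paper): values 0 and 1 both absorb every
# weight, so the metric is strictly decreasing but has two fixed points.
TWO_FIXED = Metric(frozenset({0, 1, 2, 3}), frozenset({1}),
                   lambda m, w: m if m <= 1 else m - w, 3)

if __name__ == "__main__":
    for name, mt in (("MET", MET), ("ZERO_WEIGHT", ZERO_WEIGHT), ("TWO_FIXED", TWO_FIXED)):
        print(name, classify(mt))
```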
Then, we define a specific class of maximizable metrics and we prove that it is impossible to construct a maximum metric tree in a strongly-stabilizing way if we do not consider such a metric.

Definition 29 (Strongly maximizable metric) A maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$ is strongly maximizable if and only if $|M| = 1$ or if the following properties hold:
• $|M| \geq 2$,
• $\mathcal{M}$ is strictly decreasing, and
• $\mathcal{M}$ has one and only one fixed point.

Note that $\mathcal{NC}$ is a strongly maximizable metric (since $|M_4| = 1$) whereas $\mathcal{BFS}$ and $\mathcal{SP}$ are not (since the first one has no fixed point and the second is not strictly decreasing). If we consider the metric $\mathcal{MET}$ defined below, we can show that $\mathcal{MET}$ is a strongly maximizable metric such that $|M| \geq 2$.

$\mathcal{MET} = (M_5, W_5, met_5, mr_5, \prec_5)$ where $M_5 = \{0, 1, 2, 3\}$, $W_5 = \{1\}$, $met_5(m, w) = \max\{0, m - w\}$, $mr_5 = 3$, and $\prec_5$ is the classical $<$ relation.

Now, we can state our first impossibility result.

Theorem 8 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ for any finite integer $t$ if: $\mathcal{M}$ is not a strongly maximizable metric, or $c < |M| - 2$.

Proof We prove this result by contradiction. We assume that $\mathcal{M} = (M, W, mr, met, \prec)$ is a maximizable metric such that there exist a finite integer $t$ and a protocol $\mathcal{P}$ that is a $(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$. We distinguish the following cases (note that they are exhaustive):

Case 1: $\mathcal{M}$ is a strongly maximizable metric and $c < |M| - 2$. As $c \geq 0$, we know that $|M| \geq 2$ and, by definition of a strongly maximizable metric, $\mathcal{M}$ is strictly decreasing and has one and only one fixed point.
By assumption on $\mathcal{M}$, we know that there exist $c + 3$ distinct metric values $m_0 = mr, m_1, \ldots, m_{c+2}$ in $M$ and $w_0, w_1, \ldots, w_{c+1}$ in $W$ such that: $\forall i \in \{1, \ldots, c+2\}$, $m_i = met(m_{i-1}, w_{i-1}) \prec m_{i-1}$. Let $S = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$ and $\forall i \in \{0, \ldots, c+1\}$, $w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$. Note that the choice $w_{p_{c+1}, p_{c+2}} = w_{c+1}$ ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry, $\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$). Process $p_0$ is the real root and process $b$ is a Byzantine one. Note that the construction of $W$ ensures the following properties when $level_r = level_b = mr$: $\forall i \in \{1, \ldots, c+1\}$, $\mu(p_i, r) = \mu(p_{2c+3-i}, b)$, $\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$.

Assume that the initial configuration $\rho_0$ of $S$ satisfies: $prnt_r = prnt_b = \bot$, $level_r = level_b = mr$, and the other variables of $b$ (in particular $dist$) are identical to those of $r$ (see Figure 1; variables of other processes may be arbitrary). Assume now that $b$ takes exactly the same actions as $r$ (if any) immediately after $r$. Then, by symmetry of the execution and by convergence of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time a configuration $\rho_1$ (see Figure 1) in which: $\forall i \in \{1, \ldots, c+1\}$, $prnt_{p_i} = p_{i-1}$, $level_{p_i} = \mu(p_i, r) = m_i$, $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ and $\forall i \in \{c+2, \ldots, 2c+2\}$, $prnt_{p_i} = p_{i+1}$, $level_{p_i} = \mu(p_i, b) = m_{2c+3-i}$, and $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ (because this configuration is the only one in which every correct process $v$ satisfies $spec(v)$ when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$, by construction of $W$). Note that $\rho_1$ is $c$-legitimate and $c$-stable.

[Figure 1: Configurations used in proof of Theorem 8, case 1.]

Assume now that the Byzantine process acts as a correct process and executes its algorithm correctly. Then, by convergence of $\mathcal{P}$ in fault-free systems (remember that a strongly-stabilizing algorithm is a special case of self-stabilizing algorithm), we can deduce that the system reaches in a finite time a configuration $\rho_2$ (see Figure 1) in which: $\forall i \in \{1, \ldots, 2c+3\}$, $prnt_{p_i} = p_{i-1}$, $level_{p_i} = \mu(p_i, r)$, and $dist_{p_i} = legal\_dist_{prnt_{p_i}}$ (because this configuration is the only one in which every process $v$ satisfies $spec(v)$). Note that the portion of execution between $\rho_1$ and $\rho_2$ contains at least one $c$-perturbation ($p_{c+2}$ is a $c$-correct process and modifies at least once its O-variables) and that $\rho_2$ is $c$-legitimate and $c$-stable.
[Figure 2: Configurations used in proof of Theorem 8, cases 2 and 3.]

Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and $level_b = mr$. This step brings the system into configuration $\rho_3$ (see Figure 1). From this configuration, we can repeat the execution we constructed from $\rho_0$. By the same token, we obtain an execution of $\mathcal{P}$ which contains $c$-legitimate and $c$-stable configurations (see $\rho_1$) and an infinite number of $c$-perturbations, which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$.

Case 2: $\mathcal{M}$ is not strictly decreasing. By definition, we know that $\mathcal{M}$ is not a strongly maximizable metric. Hence, we have $|M| \geq 2$. Then, the definition of a strictly decreasing metric implies that there exists a metric value $m \in M$ such that: $\exists w \in W$, $met(m, w) = m$ and $\exists w' \in W$, $m' = met(m, w') \prec m$ (and thus $m$ is not a fixed point of $\mathcal{M}$). By the utility condition on $\mathcal{M}$, we know that there exists a sequence of metric values $m_0 = mr, m_1, \ldots, m_l = m$ in $M$ and $w_0, w_1, \ldots, w_{l-1}$ in $W$ such that $\forall i \in \{1, \ldots, l\}$, $m_i = met(m_{i-1}, w_{i-1})$. Denote by $k$ the length of the shortest such sequence. Note that this implies that $\forall i \in \{1, \ldots, k\}$, $m_i \prec m_{i-1}$ (otherwise we can remove $m_i$ from the sequence, which contradicts the construction of $k$). We distinguish the following cases:

Case 2.1: $k \geq c + 2$. We can use the same token as in case 1 above by using $w'$ instead of $w_{c+1}$ in the case where $k = c + 2$ (since we know that $met(m, w') \prec m$).

Case 2.2: $k < c + 2$. Let $S_1 = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$, $\forall i \in \{0, \ldots, k-1\}$, $w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$, $\forall i \in \{k, \ldots, c\}$, $w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w$ and $w_{p_{c+1}, p_{c+2}} = w'$ (see Figure 2). Note that this choice ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry, $\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$). Process $p_0$ is the real root and process $b$ is a Byzantine one. Note that the construction of $W$ ensures the following properties when $level_r = level_b = mr$: $\forall i \in \{1, \ldots, c+1\}$, $\mu(p_i, r) = \mu(p_{2c+3-i}, b)$, $\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$. This construction allows us to follow the same proof as in case 1 above.

Case 3: $\mathcal{M}$ has no fixed point or at least two fixed points, and is strictly decreasing. If $\mathcal{M}$ has no fixed point and is strictly decreasing, then $|M|$ is not finite and we can apply the result of case 1 above since $c$ is a finite integer. If $\mathcal{M}$ has two or more fixed points and is strictly decreasing, denote by $\Upsilon$ and $\Upsilon'$ two fixed points of $\mathcal{M}$. Without loss of generality, assume that $\Upsilon \prec \Upsilon'$. By the utility condition on $\mathcal{M}$, we know that there exist sequences of metric values $m_0 = mr, m_1, \ldots, m_l = \Upsilon$ and $m'_0 = mr, m'_1, \ldots, m'_{l'} = \Upsilon'$ in $M$ and $w_0, w_1, \ldots, w_{l-1}$ and $w'_0, w'_1, \ldots, w'_{l'-1}$ in $W$ such that $\forall i \in \{1, \ldots, l\}$, $m_i = met(m_{i-1}, w_{i-1})$ and $\forall i \in \{1, \ldots, l'\}$, $m'_i = met(m'_{i-1}, w'_{i-1})$. Denote by $k$ and $k'$ the lengths of the shortest such sequences. Note that this implies that $\forall i \in \{1, \ldots, k\}$, $m_i \prec m_{i-1}$ and $\forall i \in \{1, \ldots, k'\}$, $m'_i \prec m'_{i-1}$ (otherwise we can remove $m_i$ or $m'_i$ from the corresponding sequence). We distinguish the following cases:

Case 3.1: $k > c + 2$ or $k' > c + 2$. Without loss of generality, assume that $k > c + 2$ (the second case is similar). We can use the same token as in case 1 above.

Case 3.2: $k \leq c + 2$ and $k' \leq c + 2$. Let $w$ be an arbitrary value of $W$. Let $S_2 = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$, $E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c+2\}\}$, $\forall i \in \{0, \ldots, k-1\}$, $w_{p_i, p_{i+1}} = w_i$, $\forall i \in \{0, \ldots, k'-1\}$, $w_{p_{2c+3-i}, p_{2c+2-i}} = w'_i$ and $\forall i \in \{k, \ldots, 2c+2-k'\}$, $w_{p_i, p_{i+1}} = w$ (see Figure 2). Note that this choice ensures the following property when $level_r = level_b = mr$: $\mu(p_{c+1}, r) = \Upsilon \prec \Upsilon' = \mu(p_{c+1}, b)$ and $\mu(p_{c+2}, r) = \Upsilon \prec \Upsilon' = \mu(p_{c+2}, b)$. Process $p_0$ is the real root and process $b$ is a Byzantine one. This construction allows us to follow a proof similar to the one of case 1 above (note that any process $u$ which satisfies $\mu(u, r) \prec \Upsilon'$ will be disturbed infinitely often, in particular at least $p_{c+1}$ and $p_{c+2}$, which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$).

In any case, we show that there exists a system which contradicts the $(t, c, 1)$-strong stabilization of $\mathcal{P}$, which ends the proof.

3.2 Topology Aware Strong Stabilization

First, we generalize the set $S^*_B$ previously defined for the $\mathcal{BFS}$ metric in [6] to any maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$.
$S^*_B = \{ v \in V \setminus B \mid \mu(v, r) \prec \max_{\prec}\{ \mu(v, b), b \in B \} \}$

[Figure 3: Examples of containment areas for $\mathcal{SP}$.]

Intuitively, $S^*_B$ gathers the set of correct processes that are strictly closer (according to $\mathcal{M}$) to a Byzantine process than to the root. Figures 3 to 5 provide some examples of containment areas with respect to several maximizable metrics and compare them to $S_B$, the optimal containment area for TA strict stabilization. Note that we assume for the sake of clarity that $V \setminus S^*_B$ induces a connected subsystem. If it is not the case, then $S^*_B$ is extended to include all processes belonging to connected subsystems of $V \setminus S^*_B$ that do not include $r$. Now, we can state our generalization of Theorem 6.

Theorem 9 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central daemon, there exists no $(t, A^*_B, 1)$-TA-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A^*_B \subsetneq S^*_B$ and $t$ is a given finite integer.

Proof Let $\mathcal{M} = (M, W, mr, met, \prec)$ be a maximizable metric and $\mathcal{P}$ be a $(t, A^*_B, 1)$-TA-strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $A^*_B \subsetneq S^*_B$ and $t$ is a finite integer. We must distinguish the following cases:

Case 1: $|M| = 1$. Denote by $m$ the metric value such that $M = \{m\}$. For any system and for any process $v$, we have $\mu(v, r) = \min_{\prec, b \in B}\{\mu(v, b)\} = m$. Consequently, $S^*_B = \emptyset$ for any system. Then, it is absurd to have $A^*_B \subsetneq S^*_B$.

Case 2: $|M| \geq 2$. By definition of a bounded metric, we can deduce that there exist $m \in M$ and $w \in W$ such that $m = met(mr, w) \prec mr$.
Then, we must distinguish the following cases:

[Figure 4: Examples of containment areas for $\mathcal{F}$.]

Case 2.1: $m$ is a fixed point of $\mathcal{M}$. Let $S$ be a system such that any edge incident to the root or to a Byzantine process has a weight equal to $w$. Then, we can deduce that we have: $m = \max_{\prec, b \in B}\{\mu(r, b)\} \prec \mu(r, r) = mr$ and, for any correct process $v \neq r$, $\mu(v, r) = \max_{\prec, b \in B}\{\mu(v, b)\} = m$. Hence, $S^*_B = \emptyset$ for any such system. Then, it is absurd to have $A^*_B \subsetneq S^*_B$.

Case 2.2: $m$ is not a fixed point of $\mathcal{M}$. This implies that there exists $w' \in W$ such that: $met(m, w') \prec m$ (remember that $\mathcal{M}$ is bounded). Consider the following system: $V = \{r, u, u', v, v', b\}$, $E = \{\{r, u\}, \{r, u'\}, \{u, v\}, \{u', v'\}, \{v, b\}, \{v', b\}\}$, $w_{r,u} = w_{r,u'} = w_{v,b} = w_{v',b} = w$, and $w_{u,v} = w_{u',v'} = w'$ ($b$ is a Byzantine process). We can see that $S^*_B = \{v, v'\}$. Since $A^*_B \subsetneq S^*_B$, we have: $v \notin A^*_B$ or $v' \notin A^*_B$. Consider now the following configuration $\rho_0$: $prnt_r = prnt_b = \bot$, $level_r = level_b = mr$, $dist_r = dist_b = 0$, and the $prnt$, $level$, and $dist$ variables of other processes are arbitrary (see Figure 6; other variables may have arbitrary values, but the other variables of $b$ are identical to those of $r$). Assume now that $b$ takes exactly the same actions as $r$ (if any) immediately after $r$ (note that $r \notin A^*_B$ and hence $prnt_r = \bot$, $level_r = mr$, and $dist_r = 0$ still hold by closure, and then $prnt_b = \bot$, $level_b = mr$, and $dist_b = 0$ still hold too).
Then, by symmetry of the execution and by convergence of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time a configuration $\rho_1$ (see Figure 6) in which: $prnt_r = prnt_b = \bot$, $prnt_u = prnt_{u'} = r$, $prnt_v = prnt_{v'} = b$, $level_r = level_b = mr$, $level_u = level_{u'} = level_v = level_{v'} = m$, and $\forall v \in V$, $dist_v = legal\_dist_{prnt_v}$ (because this configuration is the only one in which every correct process $v$ satisfies $spec(v)$ when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$, since $met(m, w') \prec m$). Note that $\rho_1$ is $A^*_B$-legitimate for $spec$ and $A^*_B$-stable (whatever $A^*_B$ is).

[Figure 5: Examples of containment areas for $\mathcal{R}$.]

Assume now that $b$ behaves as a correct processor with respect to $\mathcal{P}$. Then, by convergence of $\mathcal{P}$ in a fault-free system starting from $\rho_1$, which is not legitimate (remember that a TA-strongly stabilizing algorithm is a special case of self-stabilizing algorithm), we can deduce that the system reaches in a finite time a configuration $\rho_2$ (see Figure 6) in which: $prnt_r = \bot$, $prnt_u = prnt_{u'} = r$, $prnt_v = u$, $prnt_{v'} = u'$, $prnt_b = v$ (or $prnt_b = v'$), $level_r = mr$, $level_u = level_{u'} = m$, $level_v = level_{v'} = met(m, w') = m'$, $level_b = met(m', w) = m''$, and $\forall v \in V$, $dist_v = legal\_dist_{prnt_v}$. Note that processes $v$ and $v'$ modify their O-variables in the portion of execution between $\rho_1$ and $\rho_2$ and that $\rho_2$ is $A^*_B$-legitimate for $spec$ and $A^*_B$-stable (whatever $A^*_B$ is). Consequently, this portion of execution contains at least one $A^*_B$-TA-disruption (whatever $A^*_B$ is). Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and $level_b = mr$.
This step brings the system into configuration $\rho_3$ (see Figure 6). From this configuration, we can repeat the execution we constructed from $\rho_0$. By the same token, we obtain an execution of $\mathcal{P}$ which contains $A^*_B$-legitimate and $A^*_B$-stable configurations (see $\rho_1$) and an infinite number of $A^*_B$-TA-disruptions (whatever $A^*_B$ is), which contradicts the $(t, A^*_B, 1)$-TA-strong stabilization of $\mathcal{P}$.

4 Topology-Aware Strongly Stabilizing Protocol

The goal of this section is to provide a $(t, S^*_B, n-1)$-TA strongly stabilizing protocol in order to match the lower bound on the containment area provided by Theorem 9. If we focus on the protocol provided by [5] (which is $(S_B, n-1)$-TA strictly stabilizing), we can prove that this protocol does not satisfy our constraints since we have the following result.

[Figure 6: Configurations used in proof of Theorem 9.]

Theorem 10 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the protocol of [5] is not a $(t, S^*_B, 2)$-TA strongly stabilizing protocol for maximum metric spanning tree construction with respect to $\mathcal{M}$ where $t$ is a given finite integer.

Proof To prove this result, it is sufficient to construct an execution of the protocol of [5] for a given metric $\mathcal{M}$ which contains an infinite number of $S^*_B$-TA disruptions with two Byzantine processes. Consider the shortest path metric $\mathcal{SP}$ defined above and the weighted system defined by Figure 7 ($r$ denotes the root and $b_1$ and $b_2$ are two Byzantine processes).
We recall that the protocol of [5] uses an upper bound $D$ on the length of any path of the tree and that the protocol is built in such a way that a process cannot choose as parent a neighbor with a $dist$ variable greater than or equal to $D - 1$. Here, we assume that $D = 10$. If we consider the initial configuration $\rho_1$ defined by Figure 8, we can state that processes $p_2$ and $p_3$ cannot modify their state as long as $b_1$ remains in its state. Moreover, $r$ and $p_1$ are never enabled by the protocol. In this way, it is possible to construct the following portion of execution $e_1$: $b_2$ modifies its $level$ variable to 1. Then, $p_5$ and $p_4$ update their $level$ variable to obtain configuration $\rho_2$ of Figure 8. Note that $e_1$ contains an $S^*_B$-TA disruption since $p_4$ modified one of its O-variables (namely, $level$) and $p_4 \notin S^*_B$. From $\rho_2$, it is possible to construct the following portion of execution $e_2$: $b_2$ modifies its $level$ variable to 0. Then, $p_5$ and $p_4$ update their $level$ variable to obtain configuration $\rho_1$.

[Figure 7: System used in proof of Theorem 10.]

[Figure 8: Configurations used in proof of Theorem 10 (for each process $v$, we use the notation $level_v / dist_v$).]

Consequently, it is possible to construct an infinite execution $e_1 e_2 e_1 e_2 \ldots$ starting from $\rho_1$ that contains an infinite number of $S^*_B$-TA disruptions with two Byzantine processes. This finishes the proof.
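As an added example that is not part of the paper, the following Python computes $\mu(v, s)$ by greedily settling the best tentative level (sound for any bounded and monotonic metric, Theorem 1, with $\prec$ read as $<$ on integers) and derives $S_B$ from Section 2 and $S^*_B$ from Section 3.2, including the extension to components of $V \setminus S^*_B$ that do not contain $r$. It instantiates the system of the proof of Theorem 9, case 2.2, with a constructed hop-budget metric ($met(m, w) = \max\{0, m - w\}$, $mr = 6$, $w = 1$, $w' = 2$) and adds a constructed process $x$ so that $S_B$ and $S^*_B$ differ; the graph, metric values and names are assumptions of this example.

```python
"""Maximum metric levels mu(v, s) and the containment areas S_B and S*_B."""
from collections import deque
from typing import Callable, Dict, Hashable, Set, Tuple

Node = Hashable
Graph = Dict[Node, Dict[Node, int]]   # process -> {neighbour: edge weight}
Met = Callable[[int, int], int]


def hop_budget_met(m: int, w: int) -> int:
    """Constructed metric in the style of the paper's MET: max{0, m - w}.
    Used here with weights 1 and 2 and mr = 6; it is bounded and monotonic."""
    return max(0, m - w)


def max_metric_levels(g: Graph, source: Node, mr: int, met: Met) -> Dict[Node, int]:
    """mu(v, source) for every v reachable from source (the system is assumed
    connected). Settling the unsettled process with the largest tentative level
    first is sound for a bounded and monotonic metric: a path that goes through
    a process of lower level cannot produce a higher level at its end."""
    level: Dict[Node, int] = {source: mr}
    settled: Set[Node] = set()
    while len(settled) < len(level):
        v = max((x for x in level if x not in settled), key=level.__getitem__)
        settled.add(v)
        for u, w in g[v].items():
            cand = met(level[v], w)
            if u not in level or level[u] < cand:
                level[u] = cand
    return level


def extend_to_root_component(g: Graph, r: Node, byz: Set[Node],
                             area: Set[Node]) -> Set[Node]:
    """Convention of Section 3.2: if V \\ S*_B is not connected, every correct
    process of a component of V \\ S*_B that does not contain r joins S*_B."""
    seen, queue = {r}, deque([r])
    while queue:
        for u in g[queue.popleft()]:
            if u not in area and u not in seen:
                seen.add(u)
                queue.append(u)
    return area | {v for v in g if v not in seen and v not in byz}


def containment_areas(g: Graph, r: Node, byz: Set[Node], mr: int,
                      met: Met) -> Tuple[Set[Node], Set[Node]]:
    """S_B: mu(v, r) ⪯ best Byzantine mu (minus r); S*_B: the strict version."""
    mu_r = max_metric_levels(g, r, mr, met)
    mu_b = {b: max_metric_levels(g, b, mr, met) for b in byz}
    s_b: Set[Node] = set()
    s_star: Set[Node] = set()
    for v in g:
        if v in byz or v == r:
            continue
        best_byz = max(mu_b[b][v] for b in byz)
        if mu_r[v] <= best_byz:
            s_b.add(v)
        if mu_r[v] < best_byz:
            s_star.add(v)
    return s_b, extend_to_root_component(g, r, byz, s_star)


def theorem9_case22_graph() -> Graph:
    """The system of the proof of Theorem 9, case 2.2, with w = 1 and w' = 2
    (so met(m, w') ≺ m), plus one constructed process x on a second r-b route."""
    edges = [("r", "u", 1), ("r", "u'", 1), ("u", "v", 2), ("u'", "v'", 2),
             ("v", "b", 1), ("v'", "b", 1), ("r", "x", 1), ("x", "b", 1)]
    g: Graph = {}
    for a, c, w in edges:
        g.setdefault(a, {})[c] = w
        g.setdefault(c, {})[a] = w
    return g


if __name__ == "__main__":
    g = theorem9_case22_graph()
    print("mu(., r):", max_metric_levels(g, "r", 6, hop_budget_met))
    print("mu(., b):", max_metric_levels(g, "b", 6, hop_budget_met))
    s_b, s_star = containment_areas(g, "r", {"b"}, 6, hop_budget_met)
    print("S_B =", sorted(s_b), " S*_B =", sorted(s_star))
```

Process x sits at equal metric from r and b, so it belongs to $S_B$ but not to $S^*_B$, while v and v' are strictly closer to b and belong to both.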
4.1 Presentation of the Protocol

In contrast with Theorem 10, we provide in this paper a new protocol which is $(t, S^*_B, n-1)$-TA strongly stabilizing for maximum metric spanning tree construction. Our protocol needs a supplementary assumption on the system. We introduce the following definition.

Definition 30 (Set of used metric values) Given an assigned metric $\mathcal{AM} = (M, W, met, mr, \prec, wf)$ over a system $S$, the set of used metric values of $\mathcal{AM}$ is defined as $M(S) = \{ m \in M \mid \exists v \in V, (\mu(v, r) = m) \vee (\exists b \in B, \mu(v, b) = m) \}$.

We assume that we always have $|M(S)| \geq 2$ (the necessity of this assumption is explained below). Nevertheless, note that the contrary case ($|M(S)| = 1$) is possible if and only if the assigned metric is equivalent to $\mathcal{NC}$. As the protocol of [7] performs $(t, 0, n-1)$-strong stabilization with a finite $t$ for this metric, we can achieve $(t, S^*_B, n-1)$-TA strong stabilization when $|M(S)| = 1$ (since this implies that $S^*_B = \emptyset$). In this way, this assumption does not weaken the possibility result.

Although the protocol of [5] is not TA strongly stabilizing (see Theorem 10), our protocol borrows its fundamental strategy from it. In this protocol, any process tries to maximize its level in the tree by choosing as its parent the neighbor that provides the best metric value. The key idea of this protocol is to use the distance variable (upper bounded by a given constant $D$) to detect and break cycles of processes which have the same maximum metric. To achieve TA strict stabilization, the protocol ensures a fair selection among the set of neighbors with a round-robin order. The possibility of an infinite number of disruptions of the protocol of [5] mainly comes from the following fact: a Byzantine process can independently lie about its $level$ and its $dist$ variable.
For example, a Byzantine process can provide a $level$ equal to $mr$ and a $dist$ arbitrarily large. In this way, it may lead a correct process of $S_B \setminus S^*_B$ to have a $dist$ variable equal to $D - 1$, such that no other correct process can choose it as its parent (this rule is necessary to break cycles) but it cannot modify its state (this rule is only enabled when $dist$ is equal to $D$). Then, this process may always prevent some of its neighbors from joining an $\mathcal{M}$-path connected to the root and hence allow another Byzantine process to perform an infinite number of disruptions. This is why we modified the management of the $dist$ variable (note that the other variables are managed exactly in the same way as in the protocol of [5]).

In order to contain the effect of Byzantine processes on $dist$ variables, each process that has a $level$ different from the one of its parent in the tree sets its $dist$ variable to 0. In this way, a Byzantine process modifying its $dist$ variable can only affect correct processes that have the same $level$. Consequently, in the case where $|M(S)| \geq 2$, we are ensured that correct processes of $S_B \setminus S^*_B$ cannot keep a $dist$ variable equal to or greater than $D - 1$ infinitely. Hence, a correct process of $S_B \setminus S^*_B$ cannot be disturbed infinitely often without joining an $\mathcal{M}$-path connected to the root. We can see that the assumption $|M(S)| \geq 2$ is essential to perform the topology-aware strong stabilization. Indeed, in the case where $|M(S)| = 1$, Byzantine processes can play exactly the scenario described above (in this case, our protocol is equivalent to the one of [5]).

The second modification we bring to the protocol of [5] follows. When a process has a $dist$ variable inconsistent with its parent, we allow it only to increase its $dist$ variable.
If the process needs to decrease its $dist$ variable (when it has a strictly greater distance than its parent), then the process must change its parent. This rule allows us to bound the maximal number of steps of any process between two modifications of its parent (a Byzantine process cannot lead a correct one to infinitely often increase and decrease its distance without modifying its pointer). Our protocol is formally described in Algorithm 4.1.

Algorithm 4.1 $\mathcal{SSMAX}$, TA strongly stabilizing protocol for maximum metric tree construction.

Data:
$N_v$: totally ordered set of neighbors of $v$.
$D$: upper bound on the number of processes in a simple path.

Variables:
$prnt_v \in \{\bot\}$ if $v = r$, $prnt_v \in N_v$ if $v \neq r$: pointer on the parent of $v$ in the tree.
$level_v \in \{ m \in M \mid m \preceq mr \}$: metric of the node.
$dist_v \in \{0, \ldots, D\}$: hop counter.

Functions:
For any subset $A \subseteq N_v$, $choose_v(A)$ returns the first element of $A$ which is bigger than $prnt_v$ (in a round-robin fashion).
$current\_dist_v() = 0$ if $level_{prnt_v} \neq level_v$; $\min(dist_{prnt_v} + 1, D)$ if $level_{prnt_v} = level_v$.

Rules:
$(R_r)$ :: $(v = r) \wedge ((level_v \neq mr) \vee (dist_v \neq 0)) \longrightarrow level_v := mr;\ dist_v := 0$
$(R_1)$ :: $(v \neq r) \wedge (prnt_v \in N_v) \wedge ((dist_v < current\_dist_v()) \vee (level_v \neq met(level_{prnt_v}, w_{v, prnt_v}))) \longrightarrow level_v := met(level_{prnt_v}, w_{v, prnt_v});\ dist_v := current\_dist_v()$
$(R_2)$ :: $(v \neq r) \wedge ((dist_v = D) \vee (dist_v > current\_dist_v())) \wedge (\exists u \in N_v, dist_u < D - 1) \longrightarrow prnt_v := choose_v(\{ u \in N_v \mid dist_u < D - 1 \});\ level_v := met(level_{prnt_v}, w_{v, prnt_v});\ dist_v := current\_dist_v()$
$(R_3)$ :: $(v \neq r) \wedge (\exists u \in N_v, (dist_u < D - 1) \wedge (level_v \prec met(level_u, w_{u,v}))) \longrightarrow prnt_v := choose_v(\{ u \in N_v \mid (dist_u < D - 1) \wedge (met(level_u, w_{u,v}) = \max_{\prec}\{ \ldots q \in N_v \ldots$

… 0 and $(P_{d-1})$ is true.
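The following Python, added here and not part of the paper, codes $current\_dist_v()$ and the guards of $(R_1)$ and $(R_2)$ from Algorithm 4.1 and replays the scenario described in Section 4.1: a Byzantine $b$ advertises $level = mr$ with $dist = D - 2$ to a correct neighbour $p$. The function legacy_current_dist is a reconstruction of the $dist$ management of [5] from the page's description only, and the process names, edge weights and the choice of $\mathcal{MET}$ as the metric are assumptions of this example.

```python
"""SSMAX dist management (Algorithm 4.1) against a neighbour that lies about
its level and dist, beside the dist management the page attributes to [5]."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

D = 10   # upper bound on the length of a tree path (the page uses D = 10)
MR = 3   # mr of the paper's metric MET


def met(m: int, w: int) -> int:
    """met_5 of the paper's metric MET: max{0, m - w}."""
    return max(0, m - w)


@dataclass
class State:
    prnt: Optional[str]   # parent pointer; None stands for the bottom symbol
    level: int
    dist: int


DistRule = Callable[[State, State], int]


def ssmax_current_dist(v: State, parent: State) -> int:
    """current_dist_v() of Algorithm 4.1: a level that differs from the
    parent's resets the hop counter to 0; otherwise parent + 1, capped at D."""
    if parent.level != v.level:
        return 0
    return min(parent.dist + 1, D)


def legacy_current_dist(v: State, parent: State) -> int:
    """Assumed dist management of the protocol of [5], reconstructed from the
    page's description only: dist follows the parent's dist whatever the level."""
    return min(parent.dist + 1, D)


def r1_enabled(v: State, parent: State, w: int, cd: DistRule) -> bool:
    """Guard of (R_1) for a non-root v whose parent pointer is a neighbour."""
    return v.dist < cd(v, parent) or v.level != met(parent.level, w)


def apply_r1(v: State, parent: State, w: int, cd: DistRule) -> State:
    """Action of (R_1): take the metric through the edge, then recompute dist
    (current_dist is evaluated after the level update, as in the algorithm)."""
    v.level = met(parent.level, w)
    v.dist = cd(v, parent)
    return v


def r2_enabled(v: State, parent: State, nbrs: Dict[str, State], cd: DistRule) -> bool:
    """Guard of (R_2): dist saturated or too large, and a usable neighbour exists."""
    return ((v.dist == D or v.dist > cd(v, parent))
            and any(u.dist < D - 1 for u in nbrs.values()))


def choosable(u: State) -> bool:
    """(R_2) and (R_3) only let a process adopt a neighbour u with dist_u < D - 1."""
    return u.dist < D - 1


def lying_neighbour_scenario(cd: DistRule) -> Dict[str, object]:
    """Constructed scenario from the page: Byzantine b advertises level mr with
    dist D - 2; correct p has b as parent over an edge of weight 1 and also
    has a neighbour q that is already consistent with the root."""
    b = State(None, MR, D - 2)
    p = State("b", 0, 0)
    q = State("r", met(MR, 1), 0)
    assert r1_enabled(p, b, 1, cd)
    apply_r1(p, b, 1, cd)
    return {"level_p": p.level, "dist_p": p.dist,
            "p_choosable_by_others": choosable(p),
            "p_may_change_parent": r2_enabled(p, b, {"b": b, "q": q}, cd)}


if __name__ == "__main__":
    for name, rule in (("legacy", legacy_current_dist), ("ssmax", ssmax_current_dist)):
        print(name, lying_neighbour_scenario(rule))
```

Under the reconstructed [5]-style rule, p ends with $dist = D - 1$, so no neighbour may adopt it although p itself has no enabled rule to leave b; under SSMAX the level mismatch resets its $dist$ to 0 and p stays usable as a parent.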
Let $v$ be a process of $E^i_B$ such that $d_{E^i_B}(p, v) = d$. By construction, there exists a neighbor $u$ of $v$ which belongs to $E^i_B$ such that $d_{E^i_B}(p, u) = d - 1$. By $(P_{d-1})$, we know that $u$ takes at most $\Pi(k, d-1)\Delta_D$ actions in $e$. The $k$-boundedness of the daemon allows us to conclude that $v$ takes at most $k \times \Pi(k, d-1)\Delta_D$ actions before the last action of $u$. Then, a reasoning similar to the one of the initialization part allows us to say that $v$ takes at most $\Delta_D$ actions after the last action of $u$ (note that the fact that $|M(S)| \geq 2$, the construction of $D$ and the management of $dist$ variables imply that $dist_u < D - 1$ after the last step of $u$). In conclusion, $v$ takes at most $k \times \Pi(k, d-1)\Delta_D + \Delta_D = \Pi(k, d)\Delta_D$ actions in $e$, which proves $(P_d)$.

As $\delta$ denotes the maximal diameter of the connected components of the subsystem induced by $E_B$, we know that $d_{E^i_B}(p, v) \leq \delta$ for any process $v$ in $E^i_B$. For any process $v$ of $E_B$, there exists $i \in \{0, \ldots, \ell\}$ such that $v \in E^i_B$. We can deduce that any process of $E_B$ takes at most $\Pi(k, \delta)\Delta_D$ actions in $e$, which implies the result.

Lemma 12 If $\rho$ is a configuration of $LC$ and $v$ is a process such that $v \in E_B$, then for any execution $e$ starting from $\rho$ either 1. there exists a configuration $\rho'$ of $e$ such that $spec(v)$ is always satisfied after $\rho'$, or 2. $v$ is activated in $e$.

Proof Let $\rho$ be a configuration of $LC$ and $v$ be a process such that $v \in E_B$. By contradiction, assume that there exists an execution $e$ starting from $\rho$ such that (i) $spec(v)$ is infinitely often false in $e$ and (ii) $v$ is never activated in $e$.

For any configuration $\rho$, let us denote by $P_v(\rho) = (v_0 = v, v_1 = prnt_v, v_2 = prnt_{v_1}, \ldots, v_k = prnt_{v_{k-1}}, p_v = prnt_{v_k})$ the maximal sequence of processes obtained by following $prnt$ pointers (maximal means here that either $prnt_{p_v} = \bot$ or $p_v$ is the first process such that $p_v = v_i$ for some $i \in \{0, \ldots, k\}$). Let us study the following cases:

Case 1: $prnt_v \in V \setminus S_B$ in $\rho$. Since $\rho \in LC$, $prnt_v$ satisfies $spec(prnt_v)$ in $\rho$ and in any execution starting from $\rho$ (by Lemma 4). Hence, $prnt_v$ is never activated in $e$. If $v$ does not satisfy $spec(v)$ in $\rho$, then we have $level_v \neq met(level_{prnt_v}, w_{v, prnt_v})$ or $dist_v \neq 0$ in $\rho$. Then, $v$ is continuously enabled in $e$ and we have a contradiction between assumption (ii) and the strong fairness of the scheduling. This implies that $v$ satisfies $spec(v)$ in $\rho$. The fact that $prnt_v$ is never activated in $e$ and that the state of $v$ is consistent with the one of $prnt_v$ ensures that $v$ is never enabled in any execution starting from $\rho$. Hence, $spec(v)$ remains true in any execution starting from $\rho$. This contradicts assumption (i) on $e$.

Case 2: $prnt_v \notin V \setminus S_B$ in $\rho$. By assumption (i) on $e$, we can deduce that there exist infinitely many configurations $\rho'$ such that a process of $P_v(\rho')$ is enabled (since $spec(v)$ is false only when the state of a process of $P_v(\rho')$ is not consistent with the one of its parent, which makes it enabled). By construction, the length of $P_v(\rho')$ is finite for any configuration $\rho'$ and there exists only a finite number of processes in the system. Consequently, there exists at least one process which is infinitely often enabled in $e$. Since the scheduler is strongly fair, we can conclude that there exists at least one process which is infinitely often activated in $e$. Let $A_e$ be the set of processes which are infinitely often activated in $e$. Note that $v \notin A_e$ by assumption (ii) on $e$. Let $e' = \rho' \ldots$ be the suffix of $e$ which contains only activations of processes of $A_e$. Let $p$ be the first process of $P_v(\rho')$ which belongs to $A_e$ ($p$ exists since at least one process of $P_v$ is enabled when $spec(v)$ is false). By construction, the prefix of $P_v(\rho'')$ from $v$ to $p$ in any configuration $\rho''$ of $e'$ remains the same as the one of $P_v(\rho')$. Let $p'$ be the process such that $prnt_{p'} = p$ in $e'$ ($p'$ exists since $v \neq p$ implies that the prefix of $P_v(\rho')$ from $v$ to $p$ counts at least two processes). As $p$ is infinitely often activated and as any activation of $p$ modifies the value of $level_p$ or of $dist_p$ (at least one of these two variables takes at least two different values in $e'$), we can deduce that $p'$ is infinitely often enabled in $e'$ (since the value of $level_{p'}$ is constant by construction of $e'$ and $p$). Since the scheduler is strongly fair, $p'$ is activated in a finite time in $e'$, which contradicts the construction of $p$.

In the two cases, we obtain a contradiction with the construction of $e$, which proves the result.

Let $LC^*$ be the following set of configurations: $LC^* = \{ \rho \in C \mid (\rho \text{ is } S^*_B\text{-legitimate for } spec) \wedge (IM_{mk}(\rho) = true) \}$. Note that, as $S^*_B \subseteq S_B$, we can deduce that $LC^* \subseteq LC$. Hence, the properties of Lemmas 11 and 12 also apply to configurations of $LC^*$.

Lemma 13 Any configuration of $LC^*$ is $(n\Pi(k, \delta)\Delta_D, \Pi(k, \delta)\Delta_D, S^*_B, n-1)$-TA time contained for $spec$.

Proof Let $\rho$ be a configuration of $LC^*$. As $S^*_B \subseteq S_B$, we know by Lemma 4 that any process $v$ of $V \setminus S_B$ satisfies $spec(v)$ and takes no action in any execution starting from $\rho$. Let $v$ be a process of $E_B$. By Lemmas 11 and 12, we know that $v$ takes at most $\Pi(k, \delta)\Delta_D$ actions in any execution starting from $\rho$. Moreover, we know that $v$ satisfies $spec(v)$ after its last action (otherwise, we obtain a contradiction between the two lemmas).
Hence, an y pro cess of E B tak es at most Π( k , δ )∆ D actions and then, there are at most n Π( k , δ )∆ D S ∗ B -T A-disrup tions in an y execution starting fr om ρ (since | E B | ≤ n ). By d efinition of a T A time cont ained configuration, we obtain th e resu lt. Lemma 14 Starting f r om any c onfigur ation, any exe cution of S S MAX r e aches a c onfigur ation of LC ∗ in a finite time. Pro of Let ρ b e an arbitrary configuration. W e kno w by Lemma 10 that any executio n starting from ρ reac hes in a finite time a configuration ρ ′ of LC . Let v b e a pr o cess of E B . By Lemmas 11 and 12, we kno w that v tak es at most Π( k , δ )∆ D actions in an y execution starting from ρ ′ . Moreo ve r, w e know that v satisfies spec ( v ) after its last acti on (otherwise, w e obtain a con tradiction b et w een the t w o lemmas). This implies that any execution starting from ρ ′ reac h es a configuration ρ ′′ suc h that an y p ro cess v of E B satisfies spec ( v ). It is easy to see that ρ ′′ ∈ LC ∗ , that ends the pro of. Theorem 12 S S MAX is a ( n Π( k , δ )∆ D , S ∗ B , n − 1) -T A str ongly stabilizing pr oto c ol for spec . Pro of This result is a direct consequence of Lemmas 13 and 14. 5 Concluding Remarks W e discuss no w ab out the relationship b etw een T A strong and strong stabilization on maxim um metric tree construction. W e c haracterize b y a necessary and sufficient condition the set of assigned metric that allo w strong stabilization. Indeed, p rop erties on the metric itself are not suffi cien t to conclude on the p ossibility of str on g stabilization: we must know information ab out the consid ered system (assig nation of the metric). Informally , it is p ossible to construct a maximum metric tree in a stron gly stabilizing wa y if and only if the considered metric is strongly maximiza ble and if the desired cont ainmen t radius is sufficien tly large. 
More formally , Theorem 13 Given an assigne d metric A M = ( M , W , mr, met, ≺ , wf ) over a system S , ther e exists a ( t, c, n − 1) -str ongly stabilizing pr oto c ol for maximum metric sp anning t r e e c onstruction with a finite t if and only if: ( ( M , W, met, mr, ≺ ) is a str ongly maximizable metric, and c ≥ max { 0 , | M ( S ) | − 2 } Pro of W e split this pro of into t w o parts: 1) Pro of of the “if ” part: De note ( M , W, m et, mr, ≺ ) by M and assume th at M is a strongly maximizable m etric and that c ≥ max { 0 , | M ( S ) | − 2 } . W e distinguish the follo wing cases: 31 Case 1: | M ( S ) | = 1 (and h ence c ≥ 0). Denote b y m the metric v alue such that M ( S ) = { m } . F or any correct pr o cess v , we hav e µ ( v , r ) = min ≺ b ∈ B { µ ( v , b ) } = m . W e can d educe that it is equiv alent to construct a maximum metric spann in g tr ee for M and f or N C o v er this system. By T heorem 4, we k n o w th at there exists a ( t, 0 , n − 1)-strongly s tabilizing p r otocol for this problem with a fi n ite t , that pro v es the r esult. Case 2: | M ( S ) | ≥ 2 (and h ence c ≥ | M ( S ) | − 2). By T heorem 12, w e k n o w that there exists a ( n Π( k , δ )∆ D , S ∗ B , n − 1)-T A-strongly stabilizi ng proto col P for maxim u m metric spanning tree construction in th is case. Denote by Υ the only fi xed p oint of M . Let v b e a correct p r o cess such th at v ∈ S ∗ B . By definition of S ∗ B , w e ha v e: µ ( v , r ) ≺ µ ( v , b ) for at least one Byzan tine pro cess b . As M is s trictly decreasing and has only one fixed p oin t, we can deduce that Υ µ ( v , r ) and then µ ( v , b ) 6 = Υ. Assume that d ( v , b ) > c ≥ | M ( S ) | − 2. As M is strictly decreasing, has only one fixed p oin t Υ, and M has | M ( S ) | distinct metric v alues ov er S , w e can conclude th at µ ( v , b ) = Υ. This con tradiction allo ws u s to conclude that th ere exists a p ro cess b suc h th at d ( v , b ) ≤ c for any correct pro cess which b elongs to S ∗ B . 
In other w ords, S ∗ B = v ∈ V | min b ∈ B { d ( v, b ) } ≤ c and P is in fact a ( n Π( k, δ )∆ D , c, n − 1)- strongly s tabilizing proto col, th at pr ov es the r esult with t = n Π( k , δ )∆ D . 2) Proof of the “only if ” part : Th is resu lt is a dir ect consequence of Th eorem 8 wh en we observ e that | M ( S ) | ≤ | M | by defi nition. W e can no w summarize all results ab ou t self-stabilizing maximum metric tree construction in presence of Byzan tine faults with the ab ov e table. Note that results p r o vided in th is pap er fi ll all gaps p oin ted out in related w ork s . M = ( M , W, mr, met, ≺ ) is a maximizable metric ( c, f )-strict stabilization Imp ossible (for any c and f ) ([15]) ( t, c, f )-strong stabilization P ossible ⇐ ⇒ ( M is a strongly maximizable met ric, and c ≥ max { 0 , | M ( S ) | − 2 } (for 0 ≤ f ≤ n − 1 and a finite t ) (Theorem 13) ( A B , f )-T A strict stabilization Imp ossible (for any f and A B S B ) ([5]) ( S B , f )-T A strict stabilization P ossible (for 0 ≤ f ≤ n − 1) ([5] and Theorem 11) ( t, A B , f )-T A strong stabilization Imp ossible (for any f and A B S ∗ B ) (T heorem 9 ) ( t, S ∗ B , f )-T A strong stabilization Possible (for 0 ≤ f ≤ n − 1 and a finite t ) (Theorem 12) T o conclude ab out results presented in this pap er, we m u s t bring some precisions ab out sp ec- ifications. W e c h ose to work with a sp ecification of th e problem that consider the dist v ariable as a O-v ariable. Th is c hoice m ay app ear strong but it seems us necessary to k eep the consistency 32 of results. Indeed, imp ossibilit y r esults of Section 3 can b e pr ov ed with a weak er sp ecification that do es n ot consider the dist v ariable as a O -v ariable (see [8]). On th e other hand , we n eed th e stronger sp ecification to b oun d the num b er of disruptions of the prop osed proto col. 
We postulate that our protocol is also TA strongly stabilizing with the weaker specification, but we did not succeed in bounding exactly the number of disruptions. The following questions are still open. Is it possible to bound the number of disruptions with the weaker specification? Is it possible to perform TA strong stabilization with a weaker daemon? Is it possible to decrease the number of disruptions without losing the optimality of the containment area?

References

[1] Ariel Daliot and Danny Dolev. Self-stabilization of Byzantine protocols. In Ted Herman and Sébastien Tixeuil, editors, Self-Stabilizing Systems, volume 3764 of Lecture Notes in Computer Science, pages 48–67. Springer, 2005.
[2] Edsger W. Dijkstra. Self-stabilizing systems in spite of distributed control. Commun. ACM, 17(11):643–644, 1974.
[3] Shlomi Dolev. Self-stabilization. MIT Press, March 2000.
[4] Shlomi Dolev and Jennifer L. Welch. Self-stabilizing clock synchronization in the presence of Byzantine faults. J. ACM, 51(5):780–799, 2004.
[5] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. The impact of topology on Byzantine containment in stabilization. In Proceedings of DISC 2010, Lecture Notes in Computer Science, Boston, Massachusetts, USA, September 2010. Springer Berlin / Heidelberg.
[6] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. On Byzantine containment properties of the min+1 protocol. In Proceedings of SSS 2010, Lecture Notes in Computer Science, New York, NY, USA, September 2010. Springer Berlin / Heidelberg.
[7] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. Bounding the impact of unbounded attacks in stabilization. IEEE Transactions on Parallel and Distributed Systems (TPDS), 2011.
[8] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil. Self-Stabilization, Byzantine Containment, and Maximizable Metrics: Necessary Conditions. Research report (available at http://hal.inria.fr/inria-00577062/pdf/duboismasuzawatixeuil.pdf), March 2011.
[9] Mohamed G. Gouda and Marco Schneider. Stabilization of maximal metric trees. In Anish Arora, editor, WSS, pages 10–17. IEEE Computer Society, 1999.
[10] Mohamed G. Gouda and Marco Schneider. Maximizable routing metrics. IEEE/ACM Trans. Netw., 11(4):663–675, 2003.
[11] Shing-Tsaan Huang and Nian-Shing Chen. A self-stabilizing algorithm for constructing breadth-first trees. Inf. Process. Lett., 41(2):109–117, 1992.
[12] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The Byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982.
[13] Toshimitsu Masuzawa and Sébastien Tixeuil. Bounding the impact of unbounded attacks in stabilization. In Ajoy Kumar Datta and Maria Gradinariu, editors, SSS, volume 4280 of Lecture Notes in Computer Science, pages 440–453. Springer, 2006.
[14] Toshimitsu Masuzawa and Sébastien Tixeuil. Stabilizing link-coloration of arbitrary networks with unbounded Byzantine faults. International Journal of Principles and Applications of Information Science and Technology (PAIST), 1(1):1–13, December 2007.
[15] Mikhail Nesterenko and Anish Arora. Tolerance to unbounded Byzantine faults. In 21st Symposium on Reliable Distributed Systems (SRDS 2002), page 22. IEEE Computer Society, 2002.
[16] Sébastien Tixeuil. Algorithms and Theory of Computation Handbook, Second Edition, chapter Self-stabilizing Algorithms, pages 26.1–26.45. Chapman & Hall/CRC Applied Algorithms and Data Structures. CRC Press, Taylor & Francis Group, November 2009.