Characterizing consensus in the Heard-Of model

The Heard-Of model is a simple and relatively expressive model of distributed computation. Because of this, it has gained a considerable attention of the verification community. We give a characterization of all algorithms solving consensus in a fragment of this model. The fragment is big enough to cover many prominent consensus algorithms. The characterization is purely syntactic: it is expressed in terms of some conditions on the text of the algorithm. One of the recent methods of verification of distributed algorithms is to abstract an algorithm to the Heard-Of model and then to verify the abstract algorithm using semi-automatic procedures. Our results allow, in some cases, to avoid the second step in this methodology.


Introduction
Most distributed algorithms solving problems like consensus, leader election, set agreement, or renaming are essentially one iterated loop. Yet, their behavior is difficult to understand due to unbounded number of processes, asynchrony, failures, and other aspects of the execution model. The general context of this work is to be able to say what happens when we change some of the parameters: modify an algorithm or the execution model. Ideally we would like to characterize the space of all algorithms solving a particular problem.
To approach this kind of questions, one needs to restrict to a well defined space of all distributed algorithms and execution contexts. In general this is an impossible requirement. Yet the distributed algorithms community has come up with some settings that are expressive enough to represent interesting cases and limited enough to start quantifying over "all possible" distributed algorithms [10,39,1].
In this work we consider the consensus problem in the Heard-Of model [10]. Consensus problem is a central problem in the field of distributed algorithms; it requires that all correct processes eventually decide on one of the initial values.
The Heard-Of model is a round-and message-passing-based model. It can represent many intricacies of various execution models and yet is simple enough to attempt to analyze it algorithmically [8,13,14,27,26]. Initially, our goal was to continue the quest from [27] of examining what is algorithmically possible to verify in the Heard-Of model. While working on this problem we have realized that a much more ambitious goal can be achieved: to give a simple, and in particular decidable, characterization of all consensus algorithms in well-defined fragments of the Heard-Of model.
The Heard-Of model is an open ended model: it does not specify what operations processes can perform and what kinds of communication predicates are allowed. Communication predicates in the Heard-Of model capture in an elegant way both synchrony degree and failure model. In this work we fix the set of atomic communication predicates and atomic operations. We opted for a set sufficient to express most prominent consensus algorithms (cf. Section 7), but we do not cover all operations found in the literature on the Heard-Of model.
Our characterization of algorithms that solve consensus is expressed in terms of syntactic conditions both on the text of the algorithm, and in the constraints given by the communication predicate. It exhibits an interesting way all consensus algorithms should behave. One could imagine that there can be a consensus algorithm that makes processes gradually converge to a consensus: more and more processes adopting the same value. This is not the case. A consensus algorithm, in models we study here, should have a fixed number of crucial rounds where precise things are guaranteed to happen. Special rounds have been identified for existing algorithms [32], but not their distribution over different phases. Additionally, here we show that all algorithms should have this structure.
As an application of our characterization we can think of using it as an intermediate step in analysis of more complicated settings than the Heard-Of model. An algorithm in a given setting can be abstracted to an algorithm in the Heard-Of model, and then our characterization can be applied. Instead of proving the original algorithm correct it is enough to show that the abstraction is sound. For example, an approach reducing asynchronous semantics to round based semantics under some conditions is developed in [7]. A recent paper [12] gives a reduction methodology in a much larger context, and shows its applicability. The goal language of the reduction is an extension of the Heard-Of model that is not covered by our characterization. As another application, our characterization can be used to quickly see if an algorithm can be improved by taking a less constrained communication predicate, by adapting threshold constants, or by removing parts of code (c.f. Section 7).

Related work
The celebrated FLP result [17] states that consensus is impossible to achieve in an asynchronous system, even in the presence of a single failure. There is a considerable literature investigating the models in which the consensus problem is solvable. Even closer in spirit to the present paper are results on weakest failure detectors required to solve the problem [5,18]. Another step closer are works providing generic consensus algorithms that can be instantiated to give several known concrete algorithms [30,21,20,4,33,32]. The present paper considers a relatively simple model, but gives a characterization result of all possible consensus algorithms.
The cornerstone idea of the Heard-Of model is that both asynchrony and failures can be modeled by the constraints on the message loss captured by a notion of communication predicates. This greatly simplifies the model that is essential for a kind of characterization we present here. Unavoidably, not all aspects of partial synchrony [16,11] or failures [6] are covered by the model. For example, after a crash it may be difficult for a process to get into initial state, or in terms of the Heard-of model, do the same round as other processes [37,7]. These observations just underline that there is no universal model for distributed algorithms. There exists several other proposals of relatively simple and expressible models [19,39,1,31]. The Heard-Of model, while not perfect, is in our opinion representative enough to study in more detail.
On the verification side there are at least three approaches to analysis of the Heard-Of or similar models. One is to use automatic theorem provers, like Isabelle [9,8,13]. Another is deductive verification methods applied to annotated programs [15,14]. The closest to this work is a model-checking approach [36,27,26,2]. Particularly relevant here is the work of Maric et al. [27]. who show cut-off results for a fragment of the Heard-Of model and then perform verification on a resulting finite state system. Our fragment of the Heard-Of model is incomparable with the one from that work, and arguably it has less restrictions coming from purely technical issues in proofs. While trying to extend the scope of automatic methods we have realized that we could actually bypass them completely and get a stronger characterization result.
Of course there are also other models of distributed systems that are considered in the context of verification. For example there has been big progress on verification of threshold automata [25,23,24,34,3]. There are also other methods, as automatically generating invariants for distributed algorithms [22,38,35], or verification in Coq proof assistant [40,41].

Organization of the paper
In the next section we introduce the Heard-Of model and formulate the consensus problem. In the four consecutive sections we present the characterizations for the core model as well as for the extensions with timestamps, coordinators, as both timestamps and coordinators at the same time. We then give examples of algorithms that are covered by this model, and discuss their optimality given our characterization. The next for sections contain the proofs for the four characterizations.

Heard-Of model and the consensus problem
In a Heard-Of model a certain number of processes execute the same code synchronously. An algorithm consists of a sequence of rounds, every process executes the same round at the same time. The sequence of rounds, called phase, is repeated forever. In a round every process sends the value of one of its variables to a communication medium, receives a multiset of values, and uses it to adopt a new value (cf. Figure 2).

Com. medium
15 lutego 2020, godzina 7: 20 1 . . . 15 lutego 2020, godzina 7: 40 1 . . . · · · 15 lutego 2020, godzina 7: 30 1 . . . 15 lutego 2020, godzina 7: 40 1 . . . · · · 15 lutego 2020, godzina 7: 30 1 . . .  Figure 1: A schema of an execution of a round and of a phase. In every round i every process sends a value of its variable x i , and sets its variable x i+1 depending on the received multiset of values: H j i . At the beginning of the phase the value of inp is sent, at some round inp may be updated; we use ir for the index of this round. In the last round dec may be set. Both inp and dec are not updated if the value is ?, standing for undefined.
At the beginning every process has its initial value in variable inp. Every process is expected to eventually set its decision variable dec. Every round is communication closed meaning that a value sent in a round can only be received in the same round; if it is not received it is lost. A communication predicate is used to express a constraint on acceptable message losses. Algorithm 1 is a concrete simple example of a 2-round algorithm.
We proceed with a description of the syntax and semantics of Heard-Of algorithms. Next we define the consensus problem. In later sections we will extend the core language with timestamps and coordinators.

Syntax
An algorithm has one phase that consists of two or more rounds. In the first round each process sends the value of inp variable, in the last round it can set the value of dec variable. A phase is repeated forever, all processes execute the same round at the same time. A round i is a send statement followed by a sequence of conditionals: The variables are used in a sequence: first x 0 , which is inp, is sent and x 1 is set, then x 1 is sent and x 2 is set, etc. (cf. Figure 2). There should be exactly one round (before the last round) where inp is updated; the conditional lines in this round are: Since this is a special round, we use the index ir to designate this round number. In the last round, only instructions setting variable dec can be present: This is why a phase needs to have at least two rounds. Of course one can also have a syntax and a characterization for one round algorithms, but unifying the two hinders readability. Our fragment roughly corresponds to the fragment from [27], without extra restrictions but with a less liberty at the fork point.
As an example, consider Algorithm 1. It has two rounds, each begins with a send statement. In the first round both x 1 and inp are set, in the second round dec is set. The conditions talk about properties of the received H multiset, that we describe below.
As the above syntax suggests, in round i every process first sends the value of variable x i−1 , and then receives a multiset of values H that it uses to set the value of the variable x i . The possible tests on the received set H are uni, mult, and |H| > thr · |Π| saying respectively that: the multiset has only one value; has more than one value; and that is of size > thr · n where n is the number of processes and 0 ≤ thr < 1. The possible operations are min(H) resulting in the minimal value in H, and smor(H) resulting in the minimal most frequent value in H. For example, the first conditional line in Algorithm 1 tests if there is only one value in H, and if this value has multiplicity at least thr 1 · n in H; if so inp and x 1 are set to this value, it does not matter if min or smor operation is used in this case.
In addition to description of rounds, an algorithm has also a communication predicate putting constraints on the behavior of the communication medium. A communication predicate for a phase with r rounds is a tuple ψ = (ψ 1 , . . . , ψ r ), where each ψ l is a conjunction of atomic communication predicates that we specify later. A communication predicate for an algorithm is where ψ and ψ i are communication predicates for a phase. Predicate ψ is global predicate, and ψ 1 . . . , ψ k are sporadic predicates. So the global predicate specifies constraints on every phase of execution, while sporadic predicates specify a sequence of special phases that should happen: first ψ 1 , followed later by ψ 2 , etc. We have two types of atomic communication predicates: ϕ = says that every process receives the same multiset; ϕ thr says that every process receives a multiset of size at least thr ·n where n is the number of processes. In Algorithm 1 the global predicate is trivial, and we require two special phases. In the first of them, in its first round every process should receive exactly the same H multiset, and the multiset should contain values from at least thr 1 fraction of all processes.

Semantics
The values of variables come from a fixed linearly ordered set D. Additionally, we take a special value ? / ∈ D standing for undefined. We write D ? for D ∪ {?}. We describe the semantics of an algorithm for n processes. A state of an algorithm is a pair of n-tuples of values; denoted (f, d). Intuitively, f specifies the value of the inp variable for each process, and d specifies the value of the dec variable. The value of inp can never be ?, while initially the value of dec is ? for every process. We denote by mset(f ) the multiset of values appearing in the tuple f , and by set(f ) the set of values in f . Only values of inp and dec survive between phases. All the other variables are reset to ? at the beginning of each phase.
There are two kinds of transitions: The first is a phase transition, while the second is a transition for round i. So in a transition of the second type f describes the values of x i , and f the values of x i+1 . Phase transition is labeled with a phase communication predicate, while a round transition has a round number and a conjunction of atomic predicates as labels.
Before defining these transitions we need to describe the semantics of communication predicates. At every round processes send values of their variable to a communication medium, and then receive a multiset of values from the medium (cf. Figure 2). Communication medium is not assumed to be perfect, it can send a different multiset of values to every process, provided it is a sub-multiset of received values. An atomic communication predicate puts constraints on multisets that every process receives. So a predicate specifies constraints on a tuple of multisets H = (H 1 , . . . , H n ). Predicate ϕ = is satisfied if all the multisets are the same. Predicate ϕ thr requires that every multiset is bigger than thr · n for some number 0 ≤ thr < 1. Predicate true is always satisifed. We write H ϕ when the tuple of multisets H satisfies the conjunction of atomic predicates ϕ.
Once a process p receives a multiset H p , it uses it to do an update of one of its variables. For this it finds the first conditional that H p satisfies and performs the operation from the corresponding assignment.
A condition is a conjunction of atomic conditions: uni, mult, |H| > thr · |Π|. A multiset H satisfies uni when it contains just one value; it satisfies mult if it contains more than one value. A multiset H satisfies |H| > thr · |Π| when the size of H is bigger than thr · n, where n is the number of processes. Observe that only predicates of the last type take into account possible repetitions of the same value.
We can now define the update value update i (H), describing to which value the process sets its variable in round i upon receiving the multiset H. For this the process finds the first conditional statement in the sequence of instructions for round i whose condition is satisfied by H − {?} and looks at the operation in the statement: • if no condition is satisfied then update i (H) =?.
A transition f ϕ =⇒ i f is possible when there exists a tuple of multisets (H 1 , . . . , H n ) ϕ such that for all p = 1, . . . , n: H p ⊆ mset(f ), and f (p) = update i (H p ). Observe that ? value in H p is ignored by the update function, but not by the communication predicate.
Finally, a transition (f, d) ψ −→ (f , d ), for ψ = (ϕ 1 , . . . , ϕ n ), is possible when there is a sequence This means that inp is updated with the value from the input updating round ir, but only if the update is not ?. The value of dec cannot be updated, it can only be set if it has not been set before. For setting the value of dec, the value from the last round is used.
An execution is a sequence of phase transitions. An execution of an algorithm respecting a communication predicate (Gψ) ∧ (F(ψ 1 ∧ F(ψ 2 ∧ . . . (Fψ k ) . . . ))) is an infinite sequence: stands for a finite sequence of ψ −→ transitions, and ψ −→ ω for an infinite sequence. For every execution there is some fixed n standing for the number of processes, f 0 is any n-tuple of values without ?, and d 0 is the ntuple of ? values. Observe that the size of the first tuple determines the size of every other tuple. There is always a transition from every configuration, so an execution cannot block.
Definition 1 (Consensus problem) An algorithm has agreement property if for every number of processes n, and for every state (f, d) reachable by an execution of the algorithm, for all processes p 1 and p 2 , either d(p 1 ) = d(p 2 ) or one of the two values is ?. An algorithm has termination property if for every n, and for every execution there is a state (f, d) on this execution with d(p) =? for all p = 1, . . . , n. An algorithm solves consensus if it has agreement and termination properties.
Remark 2 Normally, the consensus problem also requires irrevocability and integrity properties, but these are always guaranteed by the semantics: once set, a process cannot change its dec value, and a variable can be set only to one of the values that has been received.

Remark 3
The original definition of the Heard-Of model is open ended: it does not limit possible forms of a communication predicate, conditions, or operations. Clearly, for the kind of result we present here, we need to fix them. The original semantics uses process identifiers. We do not need them for the set of operations we consider here.

Remark 4
In the original definition processes are allowed to have identifiers. We do not need them for the set of operations we consider. Later we will add coordinators without referring to identifiers. This is a relatively standard way of avoiding identifiers while having reasonable expressivity.

A characterization for the core language
We present a characterization of all the algorithms in our language that solve consensus. In later sections we will extend it to include timestamps and coordinators. As it will turn out, for our analysis we will need to consider only two values a, b with a fixed order between them: we take a smaller than b. This order influences the semantics of instructions: the result of min is a on a multiset containing at least one a; the result of smor is a on a multiset with the same number of a's and b's. Because of this asymmetry we mostly focus on the number of b's in a tuple. In our analysis we will consider tuples of the form bias(θ) for θ < 1, i.e., a tuple where we have n processes (for some large enough n), out of which θ · n of them have their value set to b; and the remaining ones to a. The tuple containing only b's (resp. only a's) is called solo (resp. solo a ).
We show that there is essentially one way to solve consensus. The text of the algorithm together with the form of the global predicate determines a threshold thr . We prove that in the language we consider here, there should be a unifier phase which guarantees that the tuple of inp values after the phase belongs to one of the following four types: solo, solo a , bias(θ), or bias(1 − θ) where θ ≥ thr . Intuitively, this means that there is a dominant value in the tuple. This phase should be followed by a decider phase which guarantees that if the tuple of inp is of one of the above mentioned types, then all the processes decide. While this ensures termination, agreement is ensured by proving that some simple structural properties on the algorithm should always hold. In the rest of this section we give some observations and definitions in order to state the result formally.
Before stating the characterization, we will make some observations that allow us to simplify the structure of an algorithm, and in consequence simplify the statements.
It is easy to see that in our languge we can assume that the list of conditional instructions in each round can have at most one uni conditional followed by a sequence of mult conditionals with non-increasing thresholds: We use superscript i to denote the round number: so thr 1 u is a threshold associated to uni instruction in the first round, etc. If round i does not have a uni instruction, then thr 1 u will be −1. For the sake of brevity, thr i,k m will always denote the minimal threshold appearing in any of the mult instructions in round i and −1 if no mult instructions exist in round i.
We fix a communication predicate: Without loss of generality we can assume that every sporadic predicate implies the global predicate; in consequence, ψ ∧ ψ i is equivalent to ψ i . Recall that each of ψ, ψ 1 , . . . , ψ k is an r-tuple of conjunctions of atomic predicates. We write ψ i for the i-th element of the tuple and so ψ is (ψ 1 , . . . , ψ r ). By thr i (ψ) we denote the threshold constant appearing in the predicate ψ i , i.e., if ψ i has ϕ thr as a conjunct, then thr i (ψ) = thr, if it has no such conjunct then thr i (ψ) = −1 just to avoid treating this case separately. We call ψ i an equalizer if it has ϕ = as a conjunct. In this case we also say that ψ has an equalizer. Recall (cf. page 2) that a transition f ψ =⇒ i f for a round i under a phase predicate ψ is possible when there is a tuple of multisets (H 1 , . . . , H n ) ψ i such that for all p = 1, . . . , n: H p ∈ mset(f ) and f (p) = update i (H p ).
Definition 6 A round i is preserving w.r.t. ψ iff one of the three conditions hold: (i) it does not have an uni instruction, (ii) it does not have a mult instruction, or (iii) thr i (ψ) < max(thr i u , thr i,k m ). Otherwise the round is nonpreserving. The round is solo safe w.r.t. ψ if 0 ≤ thr i u ≤ thr i (ψ). If i is a preserving round, then there exists a tuple f having no ? value, such that we can produce ? out of f after round i, this allows us to not update inp in the phase with such a round, i.e., to preserve the old values. If i is a non-preserving round no such tuple exists. A solo safe round cannot alter the solo state. These two properties are stated formally in the next lemma that follows directly from the definitions.
∈ set(f ) and ? ∈ fire i (f, ψ). If a round i is solo safe and solo ψ =⇒ i f then f is solo.
Remark 8 Given a global predicate ψ we can remove mult instructions that will never be executed because there is an instruction with a bigger threshold that is bound to be executed. To see this, suppose rounds 1, . . . , i − 1 are non- contains no ? then f i−1 contains no ? as well. Hence, no heard-of multi-set H constructed from f i−1 can have ? value. Consequently, if round i is such that, say, thr i (ψ) > thr i,2 m then we can be sure that only the first two mult instructions in round i can be executed under the predicate ψ: a process will always receive at least thr i,2 m fraction of values, and as there will be no ? value among them the second threshold constraint will be satisfied. This implies that we can adopt the following assumption.
We put some restrictions on the form of algorithms we consider in our characterization. They greatly simplify the statements, and as we argue, are removing cases that are not that interesting anyway.

Proviso 1
We adopt the following additional syntactic restrictions: • We require that the global predicate does not have an equalizer.
• We assume that there is no mult instruction in the round ir + 1.
Concerning the first of the above requirements, if the global predicate has an equalizer then it is quite easy to construct an algorithm for consensus because equalizer guarantees that in a given round all the processes receive the same value. The characterization below can be extended to this case but would require to mention it separately in all the statements. Concerning the second requirement. We prove in Lemma 35 that if such a mult instruction exists then either the algorithm violates consensus, or the instruction will never be fired in any execution of the algorithm and so can be removed without making an algorithm incorrect. In order to state our characterization we need to give formal definitions of concepts we have discussed at the beginning of the section.

Definition 10 A predicate ψ is a
• Decider, if all rounds are solo safe w.r.t. ψ • Unifier, if the three conditions hold: thr 1 (ψ) ≥ thr 1,k m and either thr 1 (ψ) ≥ thr 1 u or thr 1 (ψ) ≥ thr , -there exists i such that 1 ≤ i ≤ ir and ψ i is an equalizer, -rounds 2, . . . , i are non-preserving w.r.t. ψ and rounds i + 1, . . . ir are solo-safe w.r.t. ψ Finally, we list some syntactic properties of algorithms that, as we will see later, imply the agreement property.
Definition 11 An algorithm is syntactically safe when: 1. First round has a mult instruction.
2. Every round has a uni instruction.
3. In the first round the operation in every mult instruction is smor.
Recall that ψ 1 , . . . , ψ k are the set of sporadic predicates from the communication predicate. Without loss of generality we can assume that there is at least one sporadic predicate, at a degenerate case it is always possible to take a sporadic predicate that is the same as the global predicate. With these definitions we can state our characterization: Theorem 12 Consider algorithms in the core language satisfying syntactic constraints from Assumption 1 and Proviso 1. An algorithm solves consensus iff it is syntactically safe according to Definition 11, and it satisfies the condition: T There is i ≤ j such that ψ i is a unifier and ψ j is a decider.
A two value principle is a corollary from the proof of the above theorem: an algorithm solves consensus iff it solves consensus for two values. Indeed, it turns out that it is enough to work with three values a, b, and ?. The proof considers separately safety and liveness aspects of the consensus problem.
Lemma 13 An algorithm violating structural properties from Definition 11 cannot solve consensus. An algorithm with the structural properties has the agreement property.
Lemma 14 An algorithm with the structural properties from Definition 11 has the termination property iff it satisfies condition T from Theorem 12.

A characterization for algorithms with timestamps
We extend our characterization to algorithms with timestamps. Now, variable inp stores not only the value but also a timestamp, that is the number of the last phase at which inp was updated. These timestamps are used in the first round, as a process considers only values with the most recent timestamp. The syntax is the same as before except that we introduce a new operation, called maxts, that must be used in the first round and nowhere else. So the form of the first round becomes: send (inp, ts) if cond 1 1 (H) then x 1 := maxts(H); . . . The form of a phase transition changes to (f, t, d) Value t(p) is the timestamp of the last update of inp of process p (whose value is f (p)). We do not need to keep timestamps for d since the value of dec can be set only once. Phase transitions are defined as before, taking into account the above mentioned change for the first round transition, and the fact that in the round ir when inp is updated then so is its timestamp. Some examples of algorithms with timestamps are presented in Section 7.
As in the case of the core language, without loss of generality we can assume conditions from Assumption 1 from the assumption on page 10. Concerning Proviso 1 on page 10, we assume almost the same conditions, but now the second one refers to the round ir and not to the round ir + 1, and is a bit stronger.
Proviso 2 We adopt the following syntactic restrictions: • We require that the global predicate does not have an equalizer.
• We assume that there is no mult instruction in the round ir, and that thr ir u ≥ 1/2. We prove (Lemma 54) that if these two assumptions do not hold then either the algorithm violates consensus, or we can remove the mult instruction and increase thr ir u without making an algorithm incorrect. Our characterization resembles the one for the core language. The structural conditions get slightly modified: the condition on constants is weakened, and there is no need to talk about smor operations in the fist round.
Definition 15 An algorithm is syntactically t-safe when: 1. Every round has a uni instruction.
2. First round has a mult instruction.
We consider the same shape of a communication predicate as in the case of the core language: We also adopt the same straightforward simplifying assumptions about the predicate as on page 9.
A characterization for the case with timestamps uses a stronger version of a unifier that we define now. The intuition is that we do not have thr constant because of maxts operations in the first round. In other words, the conditions are the same as before but when taking thr > 1.

Definition 16
A predicate ψ is a strong unifier ψ if it is a unifier in a sense of Definition 10 and thr 1 u ≤ thr 1 (ψ). Modulo the above two changes, the characterization stays the same.
Theorem 17 Consider algorithms in the language with timestamps satisfying syntactic constraints from Assumption 1 and Proviso 2. An algorithm satisfies consensus iff it is syntactically t-safe according to the structural properties from Definition 15, and it satisfies: sT There are i ≤ j such that ψ i is a strong unifier and ψ j is a decider.

A characterization for algorithms with coordinators
We consider algorithms equipped with coordinators. The novelty is that we can now have rounds where there is a unique process that receives values from other processes, as well as rounds where there is a unique process that sends values to other processes. For this we extend the syntax by introducing a round type that can be: every, lr (leader receive), or ls (leader-send): • A round of type every behaves as before.
• In a round of type lr only one arbitrarily selected process receives values.
• In a round of type ls, the process selected in the immediately preceding lr round sends its value to all other processes.
If an ls round is not preceded by an lr round then an arbitrarily chosen process sends its value. We assume that every lr round is immediately followed by an ls round, because otherwise the lr round would be useless. We also assume that inp and dec are not updated during lr rounds, as only one process is active in these rounds. For ls rounds we introduce a new communication predicate. The predicate ϕ ls says that the leader successfully sends its message to everybody; it makes sense only for ls rounds.
These extensions of the syntax are reflected in the semantics. For convenience we introduce two new names for tuples: one b is a tuple where all the entries are ? except for one entry which is b; similarly for one a . Abusing the notation we also write one ? for solo ? , namely the tuple consisting only of ? values.
If i-th round is of type lr, we have a transition f Suppose i-th round is of type ls. If ψ i contains ϕ ls as a conjunct then When ψ i does not contain ϕ ls then independently of the type of the round We consider the same shape of a communication predicate as in the case of the core language: We also adopt the same straightforward simplifying assumptions about the predicate as on page 9.
The semantics allows us to adopt some more simplifying assumptions about the syntax of the algorithm, and the form of the communication predicate.

Assumption 2
We assume that ls rounds do not have a mult instruction. Indeed, from the above semantics it follows that mult instruction is never used in a round of type ls. It also does not make much sense to use ϕ ls in rounds other than of type ls. So to shorten some definitions we require that ϕ ls can appear only in communication predicates for ls-rounds. For similar reasons we require that ϕ = predicate is not used in ls-rounds. As we have observed in the first paragraph, we can assume that neither round ir nor the last round are of type lr.
The notions of preserving and solo-safe rounds get extended to incorporate the new syntax Definition 18 A round of type ls is c-solo-safe w.r.t. ψ if ψ i has ϕ ls as a conjunct, it is c-preserving otherwise. A round of type other than ls is cpreserving or c-solo-safe w.r.t ψ if it is so in the sense of Definition 6.

Definition 19
A c-equalizer is a conjunction containing a term of the form ϕ = or ϕ ls .

Proviso 3
We assume the same proviso as on page 10, but using the concepts of c-equalizers instead of equalizers.
To justify the proviso we prove that mult instruction in round ir + 1 cannot be useful; cf. Lemma 70.
Assumption on page 10 is also updated to using the notion of c-preserving instead of preserving. We restate it for convenience.
Finally, the above modifications imply modifications of terms from Definition 10.
With these modifications, we get an analog of Theorem 12 for the case with coordinators subject to the modified provisos as explained above.
Theorem 21 Consider algorithms in the language with timestamps satisfying syntactic constraints from Assumptions 2, 3 and Proviso 3. An algorithm satisfies consensus iff the first round and the (ir + 1) th round are not of type ls, it is syntactically safe according to Definition 11, and it satisfies the condition: cT There are i ≤ j such that ψ i is a c-unifier and ψ j is a c-decider.

A characterization for algorithms with coordinators and timestamps
Finally, we consider the extension of the core language with both coordinators and with timestamps. Formally, we extend the coordinator model with timestamps in the same way we have extended the core model. So now inp variables store pairs (value, timestamp), and all the instructions in the first round are maxts (cf. page 12).

Proviso 4
We assume the same proviso as for timestamps: Proviso 2 on page 13, but using the notion of c-equalizer.
As in the previous cases we justify our proviso by showing that the algorithm violating the second condition would not be correct or the condition could be removed (Lemma 87). The characterization is a mix of conditions from timestamps and coordinator cases.

Definition 22
A predicate ψ is a strong c-unifier if it is a c-unifier (cf. Definition 16) and thr 1 u ≤ thr 1 (ψ).
Theorem 23 Consider algorithms in the language with timestamps satisfying syntactic constraints from Assumptions 2, 3 and Proviso 4. An algorithm satisfies consensus iff the first round and the (ir + 1) th round are not of type ls, it has the structural properties from Definition 15, and it satisfies: scT There are i ≤ j such that ψ i is a strong c-unifier and ψ j is a c-decider.

Examples
We apply the characterizations from the previous sections to some consensus algorithms studied in the literature, and their variants. We show some modified versions of these algorithms, and some impossibility results, that are easy to obtain thanks to our characterization. Finally, we a show an algorithm that is new as far as we can tell. It is obtained by eliminating timestamps from a version of Paxos algorithm, and using bigger thresholds instead.

Core language
First, we can revisit the parametrized Algorithm 1 from page 4. This is an algorithm in the core language, and it depends on two thresholds. Theorem 12 implies that it solves consensus iff thr 1 /2 ≥ 1−thr 2 . In case of thr 1 = thr 2 = 2/3 we obtain the well known OneThird algorithm. But, for example, thr 1 = 1/2 and thr 2 = 3/4 are also possible solutions for this inequality. So Algorithm 1 solves consensus for these values of thresholds.
Because of the conditions on constants, thr 1,k m /2 ≥ 1 − thr ir+1 u coming from Definition 11, it is not possible to have an algorithm in the core language where all constants are at most 1/2. This answers a question from [10] for the language we consider here.
The above condition on constants is weakened to thr 1,k m ≥ 1 − thr ir+1 u when we have timestamps. In this case indeed it is possible to use only 1/2 thresholds. An algorithm from [26] is discussed later in this section.
We can go further with a parametrization of the OneThird algorithm. The one below is a general form of an algorithm with at most one mult instruction and two phases.
if uni(H) ∧ |H| > thr 2 u · |Π| then dec := smor(H); Communication predicate: F(ψ 1 ∧ Fψ 2 ) Let us list all the constraints on the constants that would make this algorithm solve consensus. Observe, that if we want an algorithm with 2 rounds, by structural constraints from Definition 11, there must be mult instruction in the first round and there cannot be mult instruction in the second round. The operation in the mult instruction must be smor. Both rounds need to have uni instruction.
The structural constraints from Definition 11 imply Recall that the formula for border threshold is We will consider only the case when the global predicate is (true, true) so there are no constraints coming from the proviso. Let us see what can be ψ 1 and ψ 2 so that we have a unifier and a decider.
For a unifier we need ψ 1 := (ϕ = ∧ ϕ θ , true), but we may have a choice for θ with respect to the constants thr 1 u , thr 1 m , thr 2 u . • Suppose thr 1 u ≤ thr 1 m . Then the constraints on unifier reduce to θ ≥ thr 1 m . • Suppose thr 1 u > thr 1 m and all the constrains for the algorithm to solve consensus are satisfied. Then we can decrease thr 1 u to thr 1 m , and they will be still satisfied. Actually, one can show that one can decrease thr 1 u to thr 1 m /2. To sum up, the constraints are θ ≥ thr 1 m , thr 1 If we want to keep the constants as small as possible we take θ = thr 1 m . We get the best constraints as a function of thr 1 m :

Remark 24
The notion of a unifier (Definition 10) suggests that there are two types of algorithms for consensus. The first type has a round that guarantees that every process has the same value (a unifier with thr 1 u ≤ thr 1,k m ), and a later round that makes all the processes decide (decider). The second type has a weaker form of unifier (thr 1 u > thr 1,k m ) that only guarantees bias between values to be above thr (or below 1 − thr ). Then the decider is stronger and makes every process decide even if not all processes have the same value.
We do not see algorithms of the second type in the literature, and indeed the characterization says why. The second type appears when thr 1 u > thr 1,k m , but our characterization implies that in this case we can decrease thr 1 u to thr 1,k m /2 and the algorithm will be still correct. So unless there are some constrains external to the model, algorithms with a weaker form of unifier are not interesting.
If we do not want to have ϕ = requirement on the first round where we check timestamps, we can consider the following modification of the above.
Algorithm 4: A modification of a timestamp algorithm from [26] send Note that by Theorem 17, when we move the equalizer to the second round, there necessarily has to be a mult instruction in the second round.

Timestamps and coordinators
When we have both timestamps and coordinators, we get variants of Paxos algorithm.
The algorithm is correct by Theorem 23. One can observe that without modifying the code there is not much room for improvement in this algorithm. A decider phase is needed to solve consensus, and ψ 1 is a minimal requirement for a decider phase. A possible modification is to change the thresholds in the first round to, say, 1/3 and in the third round to 2/3 (both in the algorithm and in the communication predicate).
Chandra-Toueg algorithm in the Heard-Of model is actually syntactically the same as four round Paxos [26]. The communication predicate is even stronger so it clearly satisfies our constraints.
The next example is a three round version of Paxos algorithm.
The algorithm is correct by Theorem 23. Once again it is possible to change constants in the first round to 1/3 and in the last round to 2/3 (both in the algorithm and in the communication predicate).

Coordinators without timestamps
One can ask if it is possible to have an algorithm with coordinators without timestamps. Here is a possibility that resembles three round Paxos: The algorithm solves consensus by Theorem 21. The constants are bigger than in Paxos because we do not have timestamps: the constraints on constants come from Definition 11, and not from Definition 15. The advantage is that we do not need time-stamps, while keeping the same structure as for threeround Paxos. We can parametrize this algorithm in the same way as we did for Algorithm 4.

Proof of the characterization for the core language
In this section we prove Theorem 12, namely a characterization of algorithms in the core language that solve consensus.
We fix a communication predicate Recall that each of ψ, ψ 1 , . . . , ψ k is an r-tuple of atomic predicates. We write ψ i for the i-th element of the tuple. So ψ is (ψ 1 , . . . , ψ r ). Often we will write ψ i instead of ψ i , in particular when ψ i appears as a subscript; for example f ψi =⇒ f . If ϕ is a conjunction of atomic predicates, then by thr (ϕ) we denote the threshold constant appearing in ϕ, i.e., if ϕ has ϕ thr as a conjunct then thr (ϕ) = thr, if it has no such conjunct then thr (ϕ) = −1.

Definition 25
We define several tuples of values. All these tuples will be ntuples for some fixed but large enough n and will be over {a, b}, or {?, b} or {?, a}. For θ < 1, the tuple bias(θ) is a tuple containing only a's and b's with |b| = θ · n. Tuple bias(1/2) is also called spread to emphasize that there is the same number of a's and b's. A tuple consisting only of b's is denoted solo. Similarly, bias ? (θ) is a tuple over {?, b} with |b| = thr · n and bias ? a (θ) is a tuple over {?, a} with |a| = thr · n. We also write solo ? for a tuple consisting only of ?'s. Finally, we write solo a for a tuple consisting only of a's.

Notations:
• For a tuple of values f and a predicate ψ we write fire i (f, ψ) instead of fire i (f, ψ i ). Similarly we write thr i (ψ) for thr (ψ i ).
• If f, f are tuples of values, we write f Recall that the border threshold for an algorithm, by Definition 9, is Observe that thr > 1/2 as thr 1,k m < 1. The proof of Theorem 12 is divided into three parts. First we show that if an algorithm does not satisfy the structural properties then it violates agreement. Then we restrict our attention to algorithms with the structural properties. We show that if condition T holds, then consensus is satisfied. Finally, we prove that if condition T does not hold then the algorithm does not have the termination property.
To simplify the statements of the lemmas, we adopt the following convention. If some condition is proved as necessary for consensus, then for the forthcoming lemmas, that condition is assumed. For example, in Lemma 27, we prove that all rounds should have a uni instruction. Hence after Lemma 27, it it implicitly assumed that all algorithms considered have a uni instruction in every round. Before considering the remaining structural requirements we state some useful lemmas.
Lemma 28 Suppose all mult instructions in the first round have smor as the operation. Then for every predicate ψ we have {a, b} ⊆ fire 1 (spread , ψ).

Proof
From spread , it is easy to see that we can construct a multiset H containing more a's than b's such that the size of H is bigger than thr 1 (ψ) and thr 1,1 m . Similarly we can construct a multiset having more b's than a's. This then implies that {a, b} ⊆ fire 1 (spread , ψ).

Proof
Let θ > max(thr i u , thr i (ψ)). Because of the uni instruction, it is then clear that b ∈ fire i (bias(θ), ψ). Since the round is preserving (and since uni instructions are present in every round), either there is no mult instruction in round i or thr i (ψ) < thr i u , or thr i (ψ) < thr i,k m . In the first case, let H be the entire tuple. In the second case, let H be a multi-set consisting only of b's but of size smaller than thr i u and bigger than thr i (ψ). In the third case, let H be a multi-set of size smaller than thr i,k m (and bigger than thr i (ψ)) with at least one a, and one b. In all the cases, it is clear that ? = update i (H) and so ? ∈ fire i (bias(θ), ψ). We can argue similarly for the other case as well.

Proof
Let I be the mult instruction in round i with the biggest threshold. This threshold is called thr i,1 m in our notation. If the operation of I is smor then we take θ = 1/2 and argue similar to the proof of Lemma 28. If the operation of I is min then we take θ > max(thr i (ψ), thr 1 u , 1/2). Because of the uni instruction, we can get b by sending a multi-set H consisting of all the b's in bias(θ). Further because of the instruction I, if we send the entire tuple as a multi-set, we get a.
Lemma 31 Suppose the first round has a mult instruction with min as operation. Then a ∈ fire 1 (bias(θ), ψ) for every θ > 0.

Proof
Let the j th mult instruction be the instruction with the min operation. Let H be any multiset containing at least one a and one b and is of size just above thr 1,j m . By observation (1) we have thr 1,j m ≥ thr 1 (ψ) and so we have that H |= ψ 1 and a = update 1 (H).
The next sequence of lemmas tells us what can happen in a sequence of rounds.

Proof
The proof is by induction on k−l. If k = l then the lemma is clearly true since we can produce both b and ? values, and ψ k is not an equalizer. For the induction step, consider the last round l, and let θ = thr l u + ε for some small ε. We have b ∈ fire l (bias ? (θ ), ψ l ) because of the uni instruction. We can also construct a multiset H from bias ? (θ ) of size 1 − ε > thr (ψ l ) for some small ε > ε containing θ − ε fraction of b's and 1 − θ fraction of ?. This multiset shows that ? ∈ fire l (bias ? (θ), ψ l ). So from bias ? (θ ) in round l we can get bias ? (θ ) for any θ . The induction assumption gives us f ψ k =⇒ k . . .

Proof
We proceed by induction on l − k. The lemma is clear when k = l. Suppose k = l. Consider three cases: Suppose f is solo a or solo. By induction hypothesis we can reach f after round l − 1. Since round l has a uni instruction it is clear that f ψ l =⇒ l f . Suppose a, b ∈ set(f ). Lemma 30 says that there is θ for which {a, b} ∈ fire l (bias(θ), ψ l ). Hence bias(θ) ψ l =⇒ l f . By induction hypothesis we can reach bias(θ) after round l − 1.
Lemma 34 Suppose none of ψ k , . . . , ψ l is an equalizer, and some round k, . . . , l does not have a mult instruction. For every θ and every f such that {a, b} ∈

Proof
Let i be the first round without mult instruction. Using Lemma 33, from the tuple f at round k, we can arrive at round i with the tuple bias(θ) for any θ.
We choose θ according to Lemma 29 so that {b, ?} ⊆ fire i (bias(θ), ψ i ). Then we can apply Lemma 32 to prove the claim. The reasoning for bias ? a is analogous.

Lemma 35
If round ir + 1 contains a mult instruction then the algorithm does not satisfy agreement, or the mult instruction can be removed without altering the correctness of the algorithm.

Proof
Suppose round ir + 1 contains a mult instruction The first case is when there does not exist any tuple f and an execution It is then clear that the mult instructions in round ir + 1 will never be fired and so we can remove all these instructions in round ir + 1.
So it remains to examine the case when there exists a tuple f with f In this case we get f ir−1 ψ ir =⇒ ir bias(θ) for arbitrary θ. Let I be the mult instruction in round ir + 1 with the highest threshold value. Recall that, by proviso from page 1, ψ is not an equalizer. We consider two sub-cases: Suppose I has smor as its operation. Then we consider f ir−1 ψ ir =⇒ ir spread . As I has smor as operation, from spread we can construct a multiset H containing more a's than b's such that the size of H is bigger than thr ir+1 (ψ) and thr ir+1,1 m . Similarly we can construct a multiset having more b's than a's. Hence we get spread ψ ir+1 =⇒ ir+1 bias(θ ) for arbitrary θ . If all rounds after ir + 1 have mult instructions, then we can apply Lemma 33 to conclude that we can reach the tuple spread after round r, thereby deciding on both a and b and violating agreement. Otherwise we can use Lemma 34 to conclude that we can reach the tuple spread ? after round r and hence make half the processes decide on b. Notice that after this phase the state of the algorithm is (spread , spread ? ). We know, by Lemma 26 that the first round has a mult instruction. This instruction has smor or min as its operation, it is clear that in either case, a ∈ fire 1 (spread , ψ) and so we can get spread ψ 1 =⇒ 1 solo a and solo a ψ i =⇒ i solo a for i > 1, thereby making the rest of the undecided processes decide on a. Hence agreement is violated.
Suppose I has min as its operation. Then we consider f ir−1 (bias(θ), ψ). Further if we take our multi-set H to be bias(θ) itself, then (because of the instruction I) we have a ∈ fire ir+1 (bias(θ), ψ). Hence we get bias(θ) ψ ir+1 =⇒ ir+1 bias(θ ) for arbitrary θ . As in the previous case, either this immediately allows us to conclude that agreement is violated, or this allows us to make half the processes decide on a. In the latter case, note that the state of the algorithm after this phase will be (bias(θ), spread ? a ). Since θ ≥ thr 1 u and since thr 1 u ≥ thr 1 (ψ) by observation (1), it follows that b ∈ fire 1 (bias(θ), ψ). Hence we can get solo as the tuple after the first round and decide on b, as in the previous case.
Lemma 36 If the first round has mult instruction with min as the operation then the algorithm does not satisfy agreement.

Proof
Suppose that indeed the first round does have a mult instruction with min operation. Thanks to our proviso, the global predicate does not have an equalizer, hence we can freely apply Lemmas 33 and 34.
If all the rounds 2, . . . , ir have a mult instruction then Lemma 33 allows us to get bias(θ ), for arbitrary θ , after round ir. By Lemma 35 there is no mult instruction in round ir + 1. By Lemma 29 there is θ such that {b, ?} ⊆ fire ir+1 (bias(θ ), ψ). Using Lemma 32 we can make some process decide on b, while keeping the other processes undecided. Hence the state of the algorithm after this phase is (bias(θ ), spread ? ). By Lemma 31, a ∈ fire 1 (bias(θ ), ψ), and so we can get solo a as the tuple after the first round and make all the other processes decide on a.
The second case is when one of the rounds 2, . . . , ir does not have a mult instruction. For arbitrary θ , Lemma 34 allows us to get bias ? (θ ) after round ir. As in the above case, we use it to decide on b for some process while leaving other undecided. In the next phase we make other processes decide on a.
Lemma 37 If property of constants from Definition 11 is not satisfied then the algorithm does not satisfy agreement.

Proof
We consider an execution of a phase under the global predicate and so we can freely use Lemmas 33 and 34. We have seen in Lemma 36 that in the first round all the mult instructions must be smor. We start with the state (spread , solo ? ).
We consider two cases.
Second case: There is a round j < ir + 1 such that round j is preserving. Let j be the first such round. By Lemma 33 from spread we can get bias(thr j u + ε ) (for some small ε ) before round j. Since round j is preserving it follows that either round j has no mult instruction or thr j (ψ) < max(thr j u , thr j,k m ). It is then clear that ? ∈ fire j (bias(thr j u + ε )). It is also clear that b ∈ fire j (bias(thr j u + ε )). Notice that by Lemma 34 we can get bias ? (θ) (for any θ) as the tuple before round ir + 1. Choose θ = thr ir+1 u + ε for some small . It is clear that we can construct a multi-set H of size 1 − consisting of thr ir+1 u fraction of b's and the remaining as ?'s from the tuple bias(θ). Notice that H does not satisfy any instructions and (for a small enough ε) is bigger than thr ir+1 (ψ). Further by sending the entire tuple as a multi-set we get that b ∈ fire ir+1 (bias ? (θ), ψ). Hence {b, ?} ⊆ fire ir+1 (bias ? (θ), ψ).
In both cases, we can then use Lemma 34 to ensure that half the processes remain undecided and half the processes decide on b. Further, in both cases, we can arrange the execution in such a way that the state after this phase is either (bias(θ), spread ? ) or (spread , spread ? ).
If the state is (spread , spread ? ) then by Lemma 28 a ∈ fire 1 (spread , ψ) and so in the next phase we can get solo a as the tuple after the first round and make the other processes decide on a. In the remaining case we consider separately the two conditions on constants that can be violated.
If thr 1,k m /2 < 1−thr ir+1 u then in the first round of the next phase consider the H set containing all the a's in bias(θ) and the number of b's smaller by ε than the number of a's. The size of this set is (1−θ)+(1−θ−ε) = 2(1−thr ir+1 u )−3ε. For a suitably small ε, this quantity is bigger than thr 1,k m which by observation (1) is bigger than thr 1 (ψ). So we can get solo a as the tuple after the first round and then use this to make the undecided processes decide on a.
If thr 1 u < 1 − thr ir+1 u , then just take H set in bias(θ) consisting only of all the a's. Once again for a small enough ε, the size of this set is bigger than thr 1 u which by observation (1) is bigger than thr 1 (ψ). Hence, we can get solo a as the tuple after the first round and use this to make the undecided processes decide on a.
Lemma 38 If all the structural properties are satisfied then the algorithm satisfies agreement.

Proof
It is clear that the algorithm satisfies agreement when the state of the inp variable is either solo or solo a . Suppose we have an execution (bias(θ), d) ψ −→ · · · ψ −→ (bias(θ ), d ) such that (bias(θ ), d ) is the first state in this execution with a process p which has decided on a value. We consider the case when a is this value. The other case is analogous.
Since thr 1,k m /2 ≥ 1−thr ir+1 u we have that thr ir+1 u ≥ 1/2. Further round ir+1 does not have a mult instruction. It then follows directly from the semantics that if q is a process then either d (q) = a or d (q) =?. Further notice that since a was decided by some process, it has to be the case that at least thr ir+1 u processes have a as their inp value. Hence θ < 1 − thr ir+1 u .
Since θ < 1 − thr ir+1 u ≤ thr 1 u , it follows that b cannot be fired from bias(θ ) using the uni instruction in the first round. Since θ < 1 − thr ir+1 u ≤ thr 1,k m /2 and since every mult instruction in the first round has smor as its operator, it follows that b cannot be fired from bias(θ ) using the mult instruction as well. Hence the number of b's in the inp tuple can only decrease from this point onwards and so it follows that no process from this point onwards can decide on b. The same argument applies if there are more than two values.

Part 2: termination
We consider only two values a, b. It is direct form the arguments below that the termination proof also works if there are more values.

Proof
In order for a multi-set H to be such that a = update 1 (H) there are two possibilities: (i) it should be of size > thr 1 u and contain only a's, or (ii) of size > thr 1,k m and contain at least as many a's as b's. Recall that by observation (1) on page 10 we have thr 1 u ≥ thr 1 (ψ) and thr 1,k m ≥ thr 1 (ψ). The number of a's in bias(θ) is 1 − θ. So the first case is possible only iff 1 − θ > thr 1 u , i.e., when θ < 1 − thr 1 u . Further if θ < 1 − thr 1 u , then we can send a set H consisting only of a's, such that |H| > thr 1 u ≥ thr 1 (ψ) and so a ∈ fire 1 (bias(θ), ψ). The second case, is possible only if 1 − θ > thr 1,k m /2, or equivalently, θ < 1 − thr 1,k m /2. Further if θ < 1 − thr 1,k m /2, then we can send a set H of size thr 1,k m consisting of both a's and b's, which will ensure that a ∈ fire 1 (bias(θ), ψ). To sum up, a ∈ fire 1 (bias(θ), ψ) iff θ < thr . The proof for b ∈ fire 1 (bias(θ), ψ) iff 1 − thr < θ is similar.

Proof
We have assumed that every predicate implies the global predicate, so every H set that is admissible w.r.t. some predicate, is also admissible w.r.t. the global predicate. Lemma 39, says that a cannot be obtained under the global predicate if θ ≥ thr . Similar proof holds for the other claim as well.

Proof
We first show that the value ? cannot be produced in the first round. Since ψ is a unifier we have thr 1 (ψ) ≥ thr 1,k m . If thr 1 (ψ) ≥ thr 1 u then we are done. Otherwise thr 1 (ψ) < thr 1 u , implying thr 1 (ψ) ≥ thr , by the definition of unifier. We consider 1 − thr ≤ θ ≤ thr , and the tuple bias(θ). In this case, every heard-of multiset H strictly bigger than the threshold thr (and hence bigger than thr 1 (ψ)) must contain both a and b. Since there is a mult instruction in the first round (and since thr 1 (ψ) ≥ thr 1,k m ), the first round cannot produce ?, i.e., after the first round the value of the variable x 1 of each process is either a or b.
Let i be the round such that ψ i is an equalizer and rounds 2, . . . , i are nonpreserving. This round exists by the definition of a unifier. Thanks to above, we know that after the first round no process has ? as their x 1 value. Since rounds 2, . . . , i are non-preserving, it follows that till round i we cannot produce ? under the predicate ψ. Because ψ i has an equalizer, after round i we either have the tuple solo or solo a . This tuple stays till round ir as the rounds i + 1, . . . , ir are solo-safe.
Observe that if rounds ir + 1, . . . , r of a unifier ψ are solo-safe then ψ is also a decider and all processes decide. Otherwise some processes may not decide. So unifier by itself is not sufficient to guarantee termination.

Proof
The first two statements are direct from the definition as all the rounds in a decider are solo safe. We only prove the third statement, as the proof of the fourth statement is similar. For the third statement, by Corollary 40 after the first round we cannot produce a's under ψ 1 . Because the first round is solo-safe, we get thr 1 u ≤ thr 1 (ψ); and since thr 1,k m ≤ thr 1 u , we get thr 1,k m ≤ thr 1 (ψ). Hence, the first round cannot produce ? neither. This means that from bias(θ) as the input tuple, we can only get solo as the tuple after the first round under the predicate ψ 1 . Since rounds 2, . . . , r are solo-safe it follows that all the processes decide on b in round r.
We are now ready to show one direction of Theorem 12.
Lemma 43 If an algorithm in a core language has structural properties from Definition 11, and satisfies condition T then it solves consensus.

Proof
Lemma 38 says that the algorithm satisfies agreement. If condition T holds, there is a unifier followed by a decider. If thr 1 u ≤ thr 1,k m then after a unifier the inp tuple becomes solo or solo a thanks to Lemma 41. After a decider all processes decide thanks to Lemma 42.
Otherwise thr 1,k m < thr 1 u . If before the unifier the inp tuple was bias(θ) with 1 − thr ≤ θ ≤ thr then after the unifier inp becomes solo or solo a thanks to Lemma 41. We once again conclude as above. If θ > thr (or θ < 1 − thr ) then by Corollary 40, the number of b's (resp. number of a's) can only increase after this point. Hence till the decider, the state of the inp tuple remains as bias(θ ) with θ > thr (resp. θ < 1 − thr ). After a decider all processes decide thanks to Lemma 42.

Part 3: non-termination
Lemma 44 If ψ is a not a decider then solo ψ −→ solo and solo a ψ −→ solo a ; namely, no process may decide.

Proof
If ψ is not a decider then there is a round, say i, that is not solo-safe. By definition this means thr i (ψ) < thr i u . It is then easy to verify that for j < i, solo ψj =⇒ j solo, solo ψi =⇒ i solo ? and solo ? ψ k =⇒ k solo ? for k > i. Hence this ensures that no process decides during this phase. Similar proof holds when the inp tuple is solo a .
Suppose there are mult instructions in rounds 2, . . . , ir. Then Lemma 33 allows us to get bias(θ ) as the tuple after round ir. Moreover, our proviso from page 10 says that there is no mult instruction in round ir + 1. So we can get solo ? as the tuple after round ir + 1 by sending the whole multiset. We can then propagate the tuple solo ? all the way till the last round. This ensures that no process decides and we are done in this case.
Otherwise there is a round j such that 2 ≤ j ≤ ir and j does not have any mult instruction. By Lemma 34 we can get bias ? (θ ) as well as bias ? a (θ ) (for any θ ) after round ir. There are two cases depending if θ ≥ θ or not.
If θ ≥ θ, then we consider the tuple bias ? (θ ) for some 1/2 ≤ θ < min(thr ir+1 u −ε, θ), (where ε is some small number). Notice that by Lemma 37 we have thr 1,k m /2 ≥ 1−thr ir+1 u and since thr 1,k m < 1, this implies that thr ir+1 u > 1/2, and so such a θ exists. It is clear that ? ∈ fire ir+1 (bias ? (θ ), ψ) and so we can get solo ? as the tuple after round ir + 1 thereby ensuring that no process decides. To terminate, we need to arrange this execution so that the state of inp becomes bias(θ ) after this phase. Since θ ≥ 1/2 we have enough b's to change θ − θ fraction of a's to b's. We leave the other values unchanged. This changes the state of inp from bias(θ) to bias(θ ).
Suppose θ < θ. By Lemma 34, after round ir we can reach the tuple bias ? a (θ ) for θ = θ − θ . Arguing as before, we can ensure that the state of the inp can be converted to bias(θ ). We just have to show that all processes can choose to not decide in the last round.
We observe that θ ≤ thr ir+1 u . Indeed since θ < thr ≤ 1 and θ ≥ 1/2, it follows that θ < 1/2 ≤ thr ir+1 u , where the last inequality follows from the discussion in the previous paragraph. Now, as θ ≤ thr ir+1 u , if we send the entire tuple bias ? a (θ ) to every process, we get solo ? as the tuple after round ir + 1, hence making the processes not decide on anything in the last round.

Proof
We examine all the reasons why ψ may not be a unifier.
First let us look at conditions on constants. If thr 1 (ψ) < thr 1,k m then let θ = 1/2. In the first round, we can then send to every process a multi-set H with both a's and b's, and of size in between thr 1 (ψ) and thr 1,k m . This allows us to get solo ? as the tuple after the first round, and ensures that neither the inp tuple nor the dec tuple gets updated in this phase.
The second reason is that there is no equalizer in ψ up to round ir. We take θ = 1/2. By Lemmas 28 and 36, we have a, b ∈ fire 1 (spread , ψ). If all the rounds 1, . . . , ir have a mult instruction then Lemma 33 allows us to get spread as the tuple after round ir. Lemma 35 says that there cannot be a mult instruction in round ir + 1, so by sending the whole multiset in this round, we get solo ? as the tuple after round ir + 1. This ensures that no process decides in this phase. The other case is when there is a round among 1, . . . , ir without the mult instruction. Lemma 34 allows to get solo ? after round ir and so neither inp nor dec of any process gets updated.
The last reason is that there is a round before an equalizer that is preserving, or a round after the equalizer that is not solo-safe. In both cases we can get solo ? as the tuple at round ir and conclude as before.
The next lemma gives the main non-termination argument.
Lemma 47 If the structural conditions from Definition 11 hold, but condition T does not hold then the algorithm does not terminate.

Proof
We recall that the communication predicate is: and that we have assumed that the global predicate implies all sporadic predicates. This means, for example, that if the global predicate is a decider then all sporadic predicates are deciders.
We construct an execution −→ (f , solo ? ), so indeed the run as above is a witness to nontermination.
We examine several cases. If none of ψ 1 , . . . , ψ k , ψ is a decider, then we take f i = f i = solo for all i = 1, . . . , k. By Lemma 44 we get the desired execution.
Suppose the last decider in the sequence ψ 1 , . . . , ψ k is ψ l . (Notice that if the global predicate ψ is a decider then l = k). By our assumption, none of ψ 1 , . . . , ψ l are unifiers. By Lemma 46, for every ψ i , i = 1, . . . , l, there is We can then use Lemma 45 to get f i ψ −→ f i+1 , for all i = 1, . . . , l − 1. This gives us an execution up to f l .
To complete the execution we consider two cases. If l = k, then by Lemma 45 we have f k ψ −→ f k and so we are done. Otherwise l < k, and we use Lemma 45 to get f l ψ −→ solo. We set f j = f j = solo for j > l. Since l < k, neither the global predicate, nor any one of ψ l+1 , . . . , ψ k are deciders, and so by Lemma 44 we get the desired execution.

Proofs for algorithms with timestamps
We prove the characterization from Theorem 17. Recall that in this extension we add timestamps to the inp variable, i.e., timestamps are sent along with inp and are updated whenever inp is updated. The semantics of rounds is different only in the first round where we have (f 0 , t) =⇒ 1 f 1 instead of the f 0 =⇒ 1 f 1 in the core language. Further, whenever the inp of a process is updated, the timestamp is updated as well. (In particular, if the value of inp of a process was a and later it was updated to a once again, then in principle the value of inp does not change but the time stamp is updated).
Definition 48 We introduce some abbreviations for tuples of values with timestamps. For every tuple of values f , and every i ∈ N define (f, i) to be a inptimestamp tuple where the value of inp for process p is f (p) and the value of the timestamp is i. So, for example, (spread , 0) denotes the tuple where the value of inp for half of the process is a, for the other half it is b, and the timestamp for every process is 0.
Similarly to the core case, we give the proof of Theorem 17 in three parts: we deal first with structural properties and then with termination, and nontermination.

Part 1: Structural properties for timestamps
The structure of the argument is similar to the core case.
Lemma 49 If no mult instruction in the first round then the algorithm does not have termination property.

Proof
It is easy to verify that (spread , 0) ψ −→ (spread , 0) is a phase transition, for every communication predicate ψ.
Lemma 50 If there is a round without uni instruction then the algorithm does not have termination property.

Proof
Let l be the first round without uni instruction. If l ≤ ir, we have (solo a , 0) The next Lemma points out a crucial difference with the case without timestamps (cf. Lemma 39) Lemma 51 For every ψ, we have {a, b} ⊆ fire 1 ((bias(θ), i), ψ) for every i and sufficiently big θ.

Proof
We let θ = max(thr 1 u , thr 1 (ψ))+ε for small enough ε. So b ∈ fire 1 ((bias(θ), i), ψ), when we take H to contain all the b's. Since all the mult instructions have maxts as their operator, it follows that if we take a multi-set H consisting of all the values in the tuple then a = update 1 (H).
Since the semantics of the rounds remains the same except for the first one, Lemmas 32, 33 and 34 apply for timestamp algorithms for k > 2. For the first round, we get the following reformulations.
Lemma 53 Suppose none of ψ 1 , . . . , ψ l is an equalizer, and some round 1, . . . , l does not have a mult instruction. For every θ and every (f, t) such that {a, b} ∈

Proof
The same argument as for Lemmas 32 and 34; replacing replace Lemma 33 with Lemma 52.
We can now deal with the case when there is mult instruction in round ir. This is an analog of Lemma 35.
Lemma 54 Suppose round ir either contains a mult instruction or thr ir u < 1/2. Then either the algorithm violates consensus or we can remove the mult instruction and make thr ir u = 1/2 without affecting the semantics of the algorithm.

Proof
Suppose round ir either contains a mult instruction or thr ir u < 1/2. We consider two cases: The first case is when there does not exist any tuple (f, t) with (f, t) It is then clear that the mult instructions in round ir will never be fired and so we can remove all these instructions in round ir. Further it is also clear that setting thr ir u = 1/2 does not affect the semantics of the algorithm in this case.
So it remains to examine the case when there exists a tuple (f, t) with (f, t) . It is clear that in this case, we also have, (bias(thr 1 u + ε), 0) Also we get f ir−2 ψ ir−1 =⇒ ir−1 bias(θ) for arbitrary θ.
In this case, we will show the following: Depending on the structure of rounds ir and ir + 1 we will define two tuples f ir−1 and f ir with the following properties: • f ir contains no ? and at least one a, Notice that if a, b ∈ fire ir+1 (f ir , ψ ir+1 ) and all rounds after round ir have a mult instruction, then we can use Lemma 33 to conclude that we can decide on both a and b. In the other case, i.e., if some round after round ir does not have a mult instruction, or b, ? ∈ fire ir+1 (f ir , ψ ir+1 ) we use Lemmas 34 and 32 to show that we can make half the processes decide on b and the other half undecided. Now the state of the algorithm after this phase will be (f ir , 1, spread ? ) where f ir contains at least one a. Since all the mult instructions have maxts as operator it follows that we can then get solo a after the first round and decide on a.
So it remains to come up with f ir−1 and f ir with the required properties. We will do a case analysis, and for each case provide both these tuples. In each of these cases, it can be easily verified that the provided tuples satisfy the required properties.
• thr ir u < 1/2 or the mult instruction with the highest threshold in round ir has smor as operator.
-The mult instruction with the highest threshold in round ir + 1 has smor as operator: Take f ir−1 = f ir = spread .
• The mult instruction with the highest threshold in round ir has min as operator.
Corollary 55 If round ir + 1 has a mult instruction or thr ir+1 u < 1/2, then the mult instruction can be removed and thr ir+1 u can be made 1/2 without altering the semantics of the algorithm.

Proof
By the previous lemma, round ir does not have any mult instruction and thr ir u ≥ 1/2. It then follows that if f ϕ =⇒ ir f for arbitrary predicate ϕ then there cannot be both a and b in f . Hence the mult instruction in round ir + 1 will never be fired. Consequently, it can be removed without affecting the correctness of the algorithm. It is also clear that we can raise the value of thr ir+1 u to 1/2 without affecting the semantics of the algorithm.
Lemma 56 If the property of constants from Definition 15 is not satisfied, then agreement is violated.

Proof
The proof starts similarly to the one of Lemma 37. We consider an execution under the global predicate ψ, and employ Lemmas 52 and 53. We start from configuration (bias(θ 1 ), 0) where θ 1 > thr 1 u big enough so that by Lemma 51 we get {a, b} ⊆ fire 1 (bias(θ 1 ), ψ). We consider also θ = thr ir+1 u + ε. By Lemma 54 there is a preserving round before round ir + 1. We proceed differently depending on wether thr 1,k m < 1 − thr ir+1 u or not. By the same argument as in Lemma 37, we can can get bias ? (θ) or bias ? a (θ) after round ir. If thr 1,k m < 1 − thr ir+1 u then we choose to get bias ? (θ). We use Lemma 34 to make some processes decide on b. After this phase there are 1 − θ processes with timestamp 0. We can ensure that among them there is at least one with value a and one with value b. Since there is mult instruction in the first round, in the next phase we send all the values with timestamp 0. This way we get solo a after the first round, and make some process decide on a.
The remaining case is when thr 1,k m ≥ 1 − thr ir+1 u . So we have thr 1 u < 1 − thr ir+1 u , since we have assumed that that the property of constants from Definition 15 does not hold. This time we choose to get bias ? a (θ) after round ir, and make some process decide on a. Since we have started with bias(θ 1 ) we can arrange updates so that we have at least min(θ 1 , 1 − θ) processes who have value b with timestamp 0. But min(θ 1 , 1 − θ) > thr 1 u , so by sending H set consisting of these b's we reach solo after the first round and make some processes decide on b.
Now we can state the sufficiency proof, similar to Lemma 38.
Lemma 57 If all the structural properties from Definition 15 are satisfied then the algorithm satisfies agreement.

Proof
It is clear that the algorithm satisfies agreement when the initial frequency is either solo or solo a . Suppose (bias(θ), t, d) ψ * −→ (bias(θ ), t , d ) such that (bias(θ ), t , d ) is the first state in this execution with a process p which has decided on a value. Without loss of generality let b be the value that p has decided on. By Lemma 54 round ir does not have any mult instructions and thr ir u ≥ 1/2 and so it follows that every other process could only decide on b or not decide at all. For the same reason it follows that every process either updated its inp value to b or did not update its inp value at all. Further notice that since b was decided by some process, it has to be the case that more than thr ir+1 u processes have b as their inp value with the most recent phase as their timestamps. This means that the number of a's in the configuration is less than 1 − thr ir+1 u . Moreover since every process either updated its inp to b or did not update all, no process with a has the latest timestamp.
Since thr 1 u ≥ 1 − thr ir+1 u , it follows that a cannot be fired from (bias(θ ), t ) using the uni instruction in the first round. Further since thr 1,k m ≥ 1 − thr ir+1 u it follows that any H set bigger than thr 1,k m has to contain a value with the latest timestamp. Since the only value with the latest timestamp is the value b, it follows that a cannot be fired from (bias(θ ), t ) using the mult instruction as well. In consequence, the number of a's can only decrease from this point onwards and so it follows that no process from this point onwards can decide on a.
The proof of termination is simpler compared to the proof of termination for core language. This is in part due to the use of maxts rather than smor as the operator in the first round.

Proof
We first observe that the value ? cannot be produced in the first round. Since ψ is a strong unifier we have thr 1,k m ≤ thr 1 (ψ) and thr 1 u ≤ thr 1 (ψ), so every H set above the threshold will satisfy an instruction of the first round.
Let i be the round such that ψ i is an equalizer and rounds 2, . . . , i are nonpreserving. This round exists by the definition of a unifier. Thanks to above, we know that till round i we cannot produce ? under the predicate ψ. Because ψ i has an equalizer, after round i we either have solo or solo a . This tuple stays till round ir as the rounds i + 1, . . . , ir are solo-safe.

Proof
Main positive Suppose there is a unifier followed by a decider. After the strong unifier we have solo or solo a thanks to Lemma 59. After decider all processes decide thanks to Lemma 58.

Part 3: Non-termination for timestamps
Lemma 60 If ψ is a not a decider then (solo, t) ψ −→ (solo, t) and (solo a , t) ψ −→ (solo a , t) for any timestamp t.

Proof
If ψ is not a decider then there is a round (say i) that is not solo-safe. So from both solo and solo a we can reach the tuple solo ? after round i. From solo ? no process can decide.
Suppose thr 1 (ψ) < thr 1,k m or thr 1 (ψ) < thr 1 u . Clearly we can get solo ? as the tuple after the first round and then use this to not decide on anything and retain the input tuple.
Suppose ψ does not have an equalizer. We can then apply Lemmas 53 and 54 to get solo ? after round ir and so we are done, because nothing is changed in the phase.
Suppose the k-th component of ψ is an equalizer and suppose there is a preserving round before round k (it can be round 1 as well). Let the first preserving round before round k be round l. Since no round before round l is preserving, it follows that all these rounds have mult instructions. Hence by Lemma 52 we can get to bias(θ ) (where θ > max(thr l u , thr l (ψ))) before round l (Notice that if l = 1 then we need to reach bias(θ ) with θ > max(thr 1 u , thr 1 (ψ)) which is where we start at). It is clear that bias(θ ) ψ l =⇒ l solo ? . We can then propagate solo ? all the way down to get the phase transition (bias(θ), i) ψ −→ (bias(θ), i).
Suppose the k-th component of ψ is an equalizer and suppose there is a non solo-safe round l after k. It is clear that we can reach solo after round k and using this get solo ? after round l. Hence we once again get the phase transition (bias(θ), i) ψ −→ (bias(θ), i).

Proof
Main non-termination We show that if there is no strong unifier followed by a decider, then the algorithm may not terminate. We start with (bias(θ), 0) where θ is large enough. If ψ is not a strong unifier then by Lemma 61 (bias(θ), i) ψ −→ (bias(θ), j) is possible for arbitrary i, and some j. Hence if there is no strong unifier the algorithm will not terminate.
Otherwise let ψ l be the first strong unifier. Notice that ψ l is not the global predicate as we have assumed the global predicate does not have equalizers. Till ψ l we can maintain bias(θ) thanks to Lemma 61. Suppose ψ l is not a decider. By Lemma 59 the state of inp after this phase will become solo or solo a . However, since ψ l is not a decider, we can choose to not decide on any value. Hence we get the transition (bias(θ), i) ψ −→ (solo, i + 1). Now, since none of the ψ l+1 , . . . , ψ k and neither the global predicate ψ are deciders, by Lemma 60 we can have a transition where no decision happens. Hence the algorithm does not terminate if there is no decider after a strong unifier.

Proofs for algorithms with coordinators
We give a proof of Theorem 21. The structure of the proof is quite similar to the previous cases.

Part 1: Structural properties for coordinators
Lemma 62 If there is a round without uni instruction then the algorithm does not terminate.

Proof
We get solo a −→ solo a for every communication predicate.
Compared to the core language, it is not easy to see that the first round of an algorithm with coordinators should have a mult instruction. However, this is indeed the case as we prove later. For the moment we make an observation.

Lemma 63
If the first round is not of type ls then the first round should have a mult instruction.

Proof
Otherwise we have spread ψ −→ spread for arbitrary communication predicate ψ.
Before considering the remaining structural requirements we state some useful lemmas.
Lemma 64 If round k is not of type ls and does not have a mult instruction then for all sufficiently big θ we have {b, ?} ∈ fire k (bias(θ), ϕ), for arbitrary predicate ϕ.
Lemma 65 Suppose the first round has a mult instruction with min as operation or is of type ls. Then for the global predicate ψ, we have {a, b} ⊆ fire 1 (bias(θ), ψ) for sufficiently big θ.

Proof
The claim is clear when the first round is of type ls. Suppose the first round has a mult instruction with min as operation. Let I be that instruction and let thr I be the threshold value appearing in instruction I.
Let θ > thr 1 u . Notice that b ∈ fire 1 (bias(θ), ψ) because of the uni instruction in the first round. Further notice that, from bias(θ) we can construct a multiset H having at least one a and is of size just above thr I . Since ψ is the global predicate, we know that this multi-set satisfies ψ because of assumption (1). Further it is clear that a = update 1 (H) and so we have a ∈ fire 1 (bias(θ), ψ).
Lemma 66 Suppose in the first round all mult instructions have smor as operation. Then for every predicate ψ we have {a, b} ⊆ fire 1 (spread , ψ).

Proof
Same proof as Lemma 28.
Lemma 67 Suppose none of ψ k , . . . , ψ l is a c-equalizer. Suppose round l is not of type lr. Then there is θ with bias ? (θ)

Proof
If the k th round is a ls round, consider arbitrary θ. By definition of transitions, we get bias ? (θ) ψ k =⇒ k bias ? (θ ) for arbitrary θ . If the k th round is a lr round, take θ = thr k u + ε for small ε. We can get b from bias ? (θ) because of the uni instruction. Since this is an lr round we have bias ? (θ) ψ k =⇒ k one b . This round must be followed by an ls round, so the argument from the previous paragraph applies, and we can get arbitrary bias ? (θ ) after round k + 1.
Otherwise k th round is neither ls nor lr. By Lemma 32, we can get arbitrary bias ? (θ ) after round k.
We can repeat this argument till round l.
Lemma 68 Suppose none of ψ k , . . . , ψ l is a c-equalizer, and all rounds k . . . l have mult instructions. Suppose round l is not of type lr. For every f and every f without ? such that

Proof
Notice that since all the considered rounds have mult instructions, none of these rounds are of type ls by assumption on page 15. Further, since every lr round is followed by a ls round, it follows that we have only two cases: either all rounds k, . . . , l are of type every, or rounds k, . . . , l − 1 are of type every and round l is of type lr. Since the second case is excluded by assumption, we only have the first case which holds by Lemma 33.
Lemma 69 Suppose none of ψ k , . . . , ψ l is an equalizer, and some round k, . . . , l does not have a mult instruction. Suppose round l is not of type lr. For every θ and every f such that {a, b} ∈ fire k (f, ψ k ) we have f

Proof
Let i be the first round without a mult instruction. There are two cases. Suppose rounds k, . . . , i − 1 are all of type every. In this case we use Lemma 68 to reach any bias(θ ) before round i. If round i is of type every then we can use Lemma 64 to get arbitrary bias ? (θ ) after round i. If round i is of type lr, then round i + 1 is of type ls and so we can use Lemma 64 to get one b after round i and (since ψ i+1 is not a c-equalizer) then use that to get arbitrary bias ? (θ) after round i + 1. If round i is of type ls, since ψ i is not a c-equalizer, so we can get arbitrary bias ? (θ) after round i. We can then use Lemma 67 to finish the proof.
In the remaining case, by the same reasoning as in the previous lemma we see that all rounds k, . . . , i − 2 must be of type every, and round i − 1 must be of type lr. We can use Lemma 68 to reach bias(max(thr i−1 u , thr (ψ i−1 )) + ε) before round i−1 and then using that reach one b before round i. Since i−1 is of type lr, i is of type ls and since there are no c-equalizers we can get arbitrary bias ? (θ) after round i. We can then use Lemma 67 to finish the proof.
Lemma 70 If round ir + 1 contains a mult instruction then the algorithm does not satisfy agreement, or it can be removed without altering the semantics of the algorithm Proof Suppose round ir + 1 contains a mult instruction. Recall that this implies that round ir + 1 is not of type ls (cf. assumption on page 15). Recall that ψ denotes the global predicate.
The first case is when there does not exist any tuple f having an execution It is then clear that the mult instructions in round ir + 1 will never be fired and so we can remove all these instructions in round ir + 1.
So it remains to examine the case when there exists a tuple f with f Notice that in this case, the first round cannot be of type ls. Since round ir cannot be of type lr (cf. assumption on page 15) we can get f ir−1 ψ ir =⇒ ir bias(θ) for arbitrary θ. We now consider two cases: Suppose round ir + 1 is of type every. Then we can proceed exactly as the proof of Lemma 35 and show that agreement is not satisfied.
Suppose round ir + 1 is of type lr. Hence round ir + 2 is of type ls. Let I be the mult instruction in round ir + 1 with the highest threshold value. Suppose I has smor as its operation. Then we consider f ir−1 ψ ir =⇒ ir spread . Since I has smor as operation, it is easy to see that spread ψ ir+1 =⇒ ir+1 one b . Since ψ is the global predicate, ψ ir+2 is not a c-equalizer, and so we get one b ψ ir+2 =⇒ ir+2 bias ? (θ ) for arbitrary θ . We can then use Lemma 67 to conclude that we can make one process decide on b and leave the rest undecided. In the next phase, the state of inp is spread . We know, by Lemma 63 that the first round has a mult instruction (since as observed above, the first round is not ls in this case). This instruction has smor (or) min as its operation, it is clear that in either case, a ∈ fire 1 (spread , ψ) and so we can get solo a after the first round and decide on a.
Suppose I has min as its operation. Then we consider f ir−1 ψ ir =⇒ ir bias(θ) where θ > thr 1 u is sufficiently big. If we send the entire tuple as a HO set, we can fire a. Hence we get bias(θ) ψ ir+1 =⇒ ir+1 one a . As in the previous case this allows us to make one process decide on a. Note that the state of inp will be bias(θ) after the end of the phase. Since the first round has a uni instruction (Lemma 62), and since θ > thr 1 u (and thr 1 u ≥ thr 1 (ψ) by equation 2), we can get solo after the first round and decide on b.
Lemma 71 If the first round is of type ls or has a mult instruction with min as operation, then the algorithm does not solve agreement.

Proof
Suppose that indeed in the first round we have a mult instruction with min operation or the first round is of type ls. We execute the phase under the global predicate ψ. By Lemma 65 we have {a, b} ⊆ fire 1 (bias(θ), ψ), for some sufficiently big θ. Consider θ ir+1 = max(thr ir+1 u , thr ir+1 (ψ)) + ε for some small ε. Thanks to our proviso, the global predicate does not have a c-equalizer, hence we can freely apply Lemmas 68 and 69 to get bias(θ ir+1 ) or bias ? (θ ir+1 ) after round ir. By Lemma 70, there is no mult instruction in round ir + 1. Hence {b, ?} ∈ fire ir+1 (bias(θ ir+1 ), ψ). We can apply Lemma 67 to set dec of one process to b in this phase and leave the other processes undecided. Moreover, in the round ir the variable inp is set to bias(max(θ, θ ir+1 )).
In the next phase, Lemma 65 says that {a, b} ∈ fire 1 (bias(max(θ, θ ir+1 )), ψ). We can get solo a as the tuple after the first round under global predicate, hence we can set some dec to a.
Lemma 72 If the first round does not have a mult instruction then the algorithm does not terminate.

Proof
Since the first round does not have type ls, if there are no mult instructions in the first round, then we have spread ϕ =⇒ 1 solo ? for any predicate ϕ.
Lemma 73 If round ir + 1 is of type ls, then the algorithm does not solve consensus.

Proof
Suppose round ir + 1 is of type ls. We consider an execution of a phase under the global predicate and so we can freely use Lemmas 68 and 69. We have seen in Lemma 71 that in the first round all the mult instructions must be smor. We start with spread . We can then use Lemmas 68 and 69 to get spread or spread ? after round ir. In either case, because round ir + 1 is of type ls and the global predicate does not have c-equalizers, it follows that we can get bias ? (θ) for arbitrary θ after round ir + 1. Applying Lemma 67 we can make one process decide on b and prevent the other processes from deciding.
Notice that the state of inp in the next phase is still spread . By Lemma 66 we have that a ∈ fire 1 (spread , ψ). Hence we can get solo a after the first round and use this to make the undecided processes decide on a.
Lemma 74 If the property of the constants is not satisfied, then the algorithm does not solve consensus.

Proof
We consider an execution of a phase under the global predicate and so we can freely use Lemmas 68 and 69. We have seen in Lemma 71 that in the first round all the mult instructions must be smor. We start with spread .
We have two cases, that resemble those of Lemma 37. The first case is when all the rounds 1, . . . , ir are not-c-preserving. Since we consider global predicate, there are not c-equalizers, so none of these rounds in an ls round. This implies that all these rounds have a mult instruction. We take θ ir+1 = thr ir+1 u + ε. From Lemma 68 we can get bias(θ ir+1 ) as a tuple before the round ir+1. By observation (1), we have thr ir+1 u ≥ thr ir+1 (ψ), so b ∈ fire ir+1 (bias(θ ir+1 ), ψ). We also have ? ∈ fire ir+1 (bias(θ ir+1 ), ψ), because round ir + 1 does not have any mult instructions. Then we can apply Lemma 67 to set dec of one process to b in this round and leave the other processes undecided.
The second case, is when there is a preserving round among 1, . . . , ir. Let j ≤ ir be the first such round. Since, all rounds before j are not-c-preserving, by Lemma 68, we can get bias(thr j u + ε) before round j. Since j is preserving, it is either of type ls, or has no mult instructions or thr j (ψ) < max(thr j u , thr j,k m ). In the first case, since the global predicate does not have c-equalizers, we have {b, ?} ⊆ fire j (bias(thr j u + ε), ψ). In the other cases the type of round j can be every or lr. For type every we also get {b, ?} ⊆ fire j (bias(thr j u + ε), ψ). For type lr, we have that the round j + 1 is ls. Since we have assumed that ψ does not have a c-equalizer, ψ j+1 does not have ϕ ls . So we can get bias ? (θ) for arbitrary θ after round j + 1. After all these cases we can use Lemma 67 to get bias ? (θ ir+1 ) before round ir + 1; where as before θ ir+1 = thr ir+1 u + ε. As in the first case, we employ Lemma 67 to make some process decide on b and leave other processes undecided.
In both cases we can arrange the execution so that the state of inp after this phase is (bias(θ ir+1 ), spread ? ) or (spread , spread ? ). The same argument as in Lemma 37 shows that some process can decide on a in the next phase.
Lemma 75 If all the structural properties are satisfied then the algorithm satisfies agreement.

Proof
It is clear that the algorithm satisfies agreement when the initial frequency is either solo or solo a . Suppose (bias(θ), d) ψ * −→ (bias(θ ), d ) such that for the first time in this transition sequence, some process has decided (say the process has decided on a). Since thr 1,k m /2 ≥ 1−thr ir+1 u we have that thr ir+1 u ≥ 1/2. Further, since round ir + 1 does not have any mult instructions (Lemma 70), it follows that every other process could only decide on a or not decide at all. Further notice that since a was decided by some process and since round ir + 1 is not of type ls (Lemma 92), it has to be the case that at least thr ir+1 u processes have a as their inp value. Hence θ < 1 − thr ir+1 u .
Recall that the first round is not of type ls (Lemma 71). Since θ < 1 − thr ir+1 u ≤ thr 1 u , it follows that b cannot be fired from bias(θ ) using the uni instruction in the first round. Since θ < 1 − thr ir+1 u ≤ thr 1,k m /2 and since every mult instruction in the first round has smor as its operator, it follows that b cannot be fired from bias(θ ) using the mult instruction as well. Hence the number of b's can only decrease from this point onwards, and so it follows that no process from this point onwards can decide on b.

Proof
Since the first round cannot be a ls round (Lemma 71), the proof of this lemma is the same as that of Lemma 39.
Lemma 78 Suppose ψ is a unifier and bias(θ)

Proof
The argument is the same as in Lemma 41, as the first round cannot be of type ls.

Proof
The same as in the case of the core language.
Lemma 80 If an algorithm in a core language has structural properties from Definition 11, and satisfies condition cT1 then it solves consensus.

Proof
The same as for the core language.

Part 3: non-termination for coordinators
Lemma 81 If ψ is a not a c-decider then solo ψ −→ solo and solo a ψ −→ solo a ; namely, no process may decide.

Proof
If ψ is not a decider then there is a round, say i, that is not c-solo-safe. By definition this means that either round i is of type ls with ψ i not containing ϕ ls or it has one of the two other types and thr i (ψ) < thr i u . It is then easy to verify that for j < i, solo ψj =⇒ j solo, solo ψi =⇒ i solo ? and solo ? ψ k =⇒ k solo ? for k > i. Hence this ensures that no process decides during this phase. Similar proof holds when the inp tuple is solo a .

Proof
The proof follows the same argument as in Lemma 45. There are some complications due to new types of rounds.
As in Lemma 45 we start by observing that {a, b} ⊆ fire 1 (bias(θ, ψ). This follows, as we have observed that the first round cannot be of type ls.
If there are mult instructions in rounds 2, . . . , ir then Lemma 68 ensures that for arbitrary θ we can get bias(θ ) after round ir (we have observed that round ir cannot be of type lr). Since there is no mult instruction in round ir + 1 (Proviso 1 and Lemma 70) we can get solo ? after round ir + 1 and decide on nothing. Hence we are done in this case.
If some round 2, . . . , ir does not have a mult instruction then we can use Lemma 69 to get bias ? (θ ) as well as bias ? a (θ ), for arbitrary θ , after round ir. There are two cases depending on θ ≥ θ or not.
If θ ≥ θ then we take θ = min(θ, thr ir+1 u − ε). For the same reasons as in Lemma 45 that θ ≥ 1/2, so we can get bias(θ ) as a state of inp after round ir. We show that bias(θ ) ψ =⇒ ir+1 solo ? . If round ir + 1 is of type ls then this is direct from definition since round ir is not of type lr. Otherwise, we can just set the whole multiset of values to every process, and there is not enough of b's to pass thr ir+1 u threshold. So we are done in this case. The remaining case is when θ < θ. As in Lemma 45 we reach bias ? a (θ ) for θ = θ − θ . This gives us some a's that we need, to convert bias(θ) to bias(θ ). As in the previous case we argue that we can get solo ? after round ir + 1. So we are done in this case too.
Lemma 83 If ψ is not a c-unifier then for some 1/2 ≤ θ < thr

Proof
As in the proof of an analogous lemma for the core language, Lemma 46, we examine all the reasons for ψ not to be a c-unifier. The case of conditions of constants is the same as in Lemma 46 as the round cannot be of type ls. If there is no equalizer in ψ up to round ir then the reasoning is the same but now using Lemmas 68 and 69.
We can conclude the non-termination case. The proof is the same in for the core language but now using Lemmas 81 and 82.
Lemma 84 If the structural properties from Definition 11 hold, but the condition cT1 does not hold then the algorithm does not terminate

Proofs for algorithms with coordinators and timestamps
We give a proof of Theorem 23. The structure of the proof is the same as in the other cases.

Part 1: Structural properties for coordinators with timestamps
Lemma 85 If there is a round without uni instruction then the algorithm does not terminate.

Proof
Let l be the first round without uni instruction and let ψ be any predicate.
Otherwise we get (solo a , i) ψ −→ (solo a , i + 1) for every communication predicate.
Lemma 86 If the first round is not of type ls then the first round should have a mult instruction.

Proof
Let ψ be any predicate. If the first round is not of type ls and does not have a mult instruction then we will have (spread , 0) ψ −→ (spread , 0).
The following lemma is an adaption of Lemma 54 to the extension with coordinators.
Lemma 87 If round ir is not a ls round and either contains a mult instruction or thr ir u < 1/2, then the algorithm does not satisfy agreement, or we can remove the mult instruction and make thr ir u = 1/2 without altering the semantics of the algorithm.

Proof
Suppose round ir is not of type ls and either contains a mult instruction or thr ir u < 1/2. We consider two cases: The first case is when there does not exist any tuple (f, t) with (f, t) . Notice that this happens in particular when some round before round ir are of type ls. It is then clear that the mult instructions in round ir will never be fired and so we can remove all these instructions in round ir. Further it is also clear that setting thr ir u = 1/2 does not affect the semantics of the algorithm in this case.
So it remains to examine the case when there exists a tuple (f, t) with (f, t) =⇒ f ir−2 such that a, b ∈ fire ir−1 (f ir−2 , ψ). By the above observation, none of the rounds before round ir are of type ls. Further, we have assumed that round ir is itself not of type ls. By our proviso, it also follows that round ir is not of type lr. Since every lr round should be followed by a ls round, it follows that in this case all the rounds up to and including round ir are of type every. Hence, the proof of this case is the same as the proof of Lemma 54.
The proof of the following Corollary is the similar to the proof of corollary 55.
Corollary 88 If round ir + 1 is not of type ls and has a mult instruction or thr ir+1 u < 1/2, then the mult instruction can be removed and thr ir+1 u can be made 1/2 without altering the semantics of the algorithm.
Lemma 89 The first round cannot be of type ls.

Proof
Suppose the first round is of type ls. We execute the phase under the global predicate ψ. By semantics we have {a, b} ⊆ fire 1 (bias(θ), ψ), for arbitrary θ. Consider θ ir+1 = max(thr ir+1 u , thr ir+1 (ψ)) + ε for some small ε. Thanks to our proviso, the global predicate does not have a c-equalizer, hence we can freely apply Lemmas 68 and 69 to get bias(θ ir+1 ) or bias ? (θ ir+1 ) after round ir. By Corollary 88, there is no mult instruction in round ir + 1. Hence {b, ?} ∈ fire ir+1 (bias(θ ir+1 ), ψ). We can apply Lemma 67 to set dec of one process to b in this phase and leave the other processes undecided. Moreover, in the round ir the variable inp is set to bias(max(θ, θ ir+1 )).
In the next phase, once again we have {a, b} ∈ fire 1 (bias(max(θ, θ ir+1 )), ψ). We can get solo a under global predicate, hence we can set some dec to a.
Lemma 90 The first round should have a mult instruction.

Proof
Follows from Lemmas 89 and 86.

Proof
Similar to that of Lemma 51.
Lemma 92 If round ir + 1 is of type ls, then the algorithm does not solve consensus.

Proof
Suppose round ir + 1 is of type ls. We consider an execution of a phase under the global predicate and so we can freely use Lemmas 68 and 69. We have seen that the first round cannot be of type ls. We can take θ big enough to have {a, b} ∈ fire 1 (bias(θ), ψ). We can then use Lemmas 68 and 69 to get bias(θ ) or bias ? (θ ) after round ir; for arbitrary θ . In either case, because round ir + 1 is of type ls and the global predicate does not have c-equalizers, it follows that we can get bias ? (θ ) for arbitrary θ after round ir + 1. Applying Lemma 67 we can make one process decide on b and prevent the other processes from deciding.
Notice that the state of inp in the next phase will have θ processes with value b and timestamp 1. Till now we have put no constraints on θ , so we can take it sufficiently small so that 1 − θ > thr 1 u . This enables us to get solo a after the first round. We use this to make the undecided processes decide on a.
Lemma 93 If the property of constants from Definition 15 is not satisfied, then agreement is violated.

Proof
The proof is similar to the one of Lemma 56. We consider an execution under the global predicate ψ, and employ Lemmas 68 and 91. We start from configuration (bias(θ 1 ), 0) where θ 1 > thr 1 u big enough so that by Lemma 91 we get {a, b} ⊆ fire 1 (bias(θ 1 ), ψ). Observe that the first round cannot be of type ls by Lemma 89 so we can get arbitrary bias after the first round.
Due to Lemma 87 we know that there is a c-preserving round before round ir + 1. Let j ≤ ir be the first c-preserving round. Since all rounds before j are non-c-preserving, by Lemma 68 we can get bias(thr j u + ε), as well as bias(1 − (thr j u + ε)) before round j (intuitively, we can get bias with many b's or many a's). Since j is preserving, it is either of type ls or thr j (ψ) < max(thr j u , thr j,k m ). If it is of type ls then we get {a, b, ?} ∈ fire j (bias((thr j u + ε)), ψ) since ψ j is not c-equalizer . In the other cases we use bias(thr j u + ε) if we want to get {b, ?} and bias(1 − (thr j u + ε)) if we want to get {a, ?}. If j is of type every we get it at round j. If j is of type lr then we get it at round j + 1 since round j + 1 must be necessarily of type ls. We then use Lemma 67 to reach bias ? (θ ir+1 ) or bias ? (1 − θ ir+1 ) before round ir + 1; where as before θ ir+1 = thr ir+1 u + ε. We have two cases depending on whether thr 1,k m < 1 − thr ir+1 u or not. If thr 1,k m < 1 − thr ir+1 u then we reach bias ? (θ ir+1 ) before round ir + 1, and then make some processes decide on b. After this phase there are 1 − θ ir+1 processes with timestamp 0. We can ensure that among them there is at least one with value a and one with value b. Since there is mult instruction in the first round (Lemma 90), in the next phase we send all the values with timestamp 0. This way we get solo a after the first round, and make some process decide on a.
The remaining case is when thr 1,k m ≥ 1 − thr ir+1 u . So we have thr 1 u < 1 − thr ir+1 u , since we have assumed that that the property of constants from Definition 15 does not hold. This time we choose to get bias ? a (θ ir+1 ) after round ir, and make some process decide on a. Since we have started with bias(θ 1 ) we can arrange updates so that at the beginning of the next phase we have at least min(θ 1 , 1 − θ ir+1 ) processes who have value b with timestamp 0. But thr 1 u < min(θ 1 , 1 − θ ir+1 ), so by sending H set consisting of these b's we reach solo after the first round and make some processes decide on b.
Lemma 94 If all the structural properties are satisfied then the algorithm satisfies agreement.

Proof
It is clear that the algorithm satisfies agreement when the initial frequency is either solo or solo a . Suppose (bias(θ), t, d) ψ * −→ (bias(θ ), t , d ) such that for the first time in this transition sequence, some process has decided (say the process has decided on b). Since there exists an ls round in the algorithm, it follows that every other process could only decide on b or not decide at all. Further notice that since b was decided by some process, it has to be the case that more than thr ir+1 u processes have b as their inp value and maximum timestamps. This means that the number of a's in the configuration is less than 1 − thr ir+1 u . Also notice that since round ir has no mult instructions and thr ir u ≥ 1/2, it follows that no process with value a has the latest timestamp.
Since thr 1 u ≥ 1 − thr ir+1 u , it follows that a cannot be fired from bias(θ ) using the uni instruction in the first round. Further since thr 1,k m ≥ 1 − thr ir+1 u it follows that any HO set bigger than thr 1,k m has to contain a value with the latest timestamp. As no a has the latest timestamp, a cannot be fired from bias(θ ) using the mult instruction as well. In consequence, the number of b's can only increase from this point onwards and so it follows that no process from this point onwards can decide on a. A similar argument applies if the first value decided was a.
Part 2: termination for coordinators with timestamps.
The proof for termination is very similar to the case of timestamps.

Proof
Let i be the round with c-equalizer. Till round i we cannot produce ?. After round i we have solo or solo a . This stays till round ir as the rounds after i are c-solo-safe.

Proof Main positive
Suppose there is a strong c-unifier followed by a c-decider. After the strong c-unifier we have solo or solo a thanks to Lemma 96. After c-decider all processes decide thanks to Lemma 95.

Part 3: Non-termination for coordinators with timestamps
Lemma 97 If ψ is a not a c-decider then (solo, t) ψ −→ (solo, t) and (solo a , t) ψ −→ (solo a , t) for every tuple of timestamps t.

Proof
If ψ is not a c-decider then there is a round that is not c-solo-safe. So we can go to solo ? both from solo and from solo a . From solo ? no process can decide.
Suppose thr 1 (ψ) < thr 1,k m or thr 1 (ψ) < thr 1 u . We can get solo ? after the first round and then use this to not decide on anything and retain the input tuple.
Suppose ψ does not have an c-equalizer. In this case can we apply Lemmas 91, 89, 69 and 87 to conclude that we can reach solo ? before round ir + 1 and so we are done, because nothing is changed after the phase.
The next possible situation is that i is the first component of ψ that is a c-equalizer, and there is a c-preserving round, call it j before round i (it can be round 1 as well). Every round before round j is non-c-preserving, so it cannot be of type ls. This is because non-c-preserving round of type ls is necessarily a c-equalizer, and the first c-equalizer is i. So every round up-to (j − 1) has to be of type every, and round j can be of either of type every or of type lr (because lr round must be followed by ls round thanks to assumption on page 15). In both cases, by Lemma 68 we can get to bias(θ ) (where θ > max(thr j u , thr j (ψ))) before round j (Notice that if j = 1 then we need to reach bias(θ ) with θ > max(thr 1 u , thr 1 (ψ)) which is where we start at). If round j is of type every, then since it is preserving it is easy to see that bias(θ ) ψj =⇒ j solo ? . The remaining possibility is that round j − 1 is of type lr. We can get one b after round j − 1, and because round j is necessarily of type ls and is not c-equalizer, we can get solo ? after round j. In both cases, as j < ir no process changes inp value, or decides in this phase.
The remaining possibility for ψ not to be strong c-unifier is that there is i-th round that is a c-equalizer followed by a non-c-solo safe round j ≤ ir. It is clear that we can reach solo after round i and using this get solo ? after round j. Hence nothing will change in the phase giving a transition (bias(θ), i) ψ −→ (bias(θ), i).

Proof Main non-termination
We show that if there is no strong c-unifier followed by a c-decider, then the algorithm will not terminate. We start with (bias(θ), 0) where θ is large enough. If ψ is not a strong c-unifier then by Lemma 98, for every i transition (bias(θ), i) ψ −→ (bias(θ), j) is possible for some j. Hence if there is no strong c-unifier in the communication predicate then the algorithm will not terminate.
Otherwise let ψ l be the first strong c-unifier. Notice that ψ l is not the global predicate. Till ψ l we can maintain (bias(θ), i) for some i. Suppose ψ l is not a c-decider. By Lemma 96 the state after this phase will become solo or solo a . However since ψ l is not a c-decider, we can choose to not decide on any value. Hence we get the transition (bias(θ), i) ψ −→ (solo, i + 1). Now, since none of the Lemma 97 we can have a transition where no decision happens. Hence the algorithm does not terminate if there is no c-decider after a strong c-unifier.

Conclusions
We have characterized all algorithms solving consensus in a fragment of the Heard-Of model. We have aimed at a fragment that can express most important algorithms while trying to avoid ad hoc restrictions (c.f. proviso on page 10). The fragment covers algorithms considered in the context of verification [27,9] with a notable exception of algorithms sending more than one variable. In this work we have considered only single phase algorithms while originally the model permits also to have initial phases. We believe that this is not a severe restriction. More severe and technically important restriction is that we allow to use only one variable at a time, in particular it is not possible to send pairs of variables.
One curious direction of further research would be to list all "best" consensus algorithms under some external constraints; for example the constraints can come from some properties of an execution platform external to the Heard-Of model. This problem assumes that there is some way to compare two algorithms. One guiding principle for such a measure could be efficient use of knowledge [29,28]: at every step the algorithm does maximum it can do, given its knowledge of the state of the system. This research is on the borderline between distributed computing and verification. From a distributed computing side it considers quite a simple model, but gives a characterization result. From a verification side, the systems are complicated because the number of processes is unbounded, there are timestamps, and interactions are based on a fraction of processes having a particular value. We do not advance on verification methods for such a setting. Instead, we observe that in the context considered here verification may be avoided. We believe that a similar phenomenon can appear also for other problems than consensus. It is also an intriguing question to explore how much we can enrich the current model and still get a characterization. We conjecture that a characterization is possible for an extension with randomness covering at least the Ben-Or algorithm. Of course, formalization of proofs, either in Coq or Isabelle, for such extensions would be very helpful.