1. Introduction
Internet of Things (IoT) paradigm can be defined as [1]: ”The pervasive presence around us of a variety of things or objects which, through unique addressing schemes, are able to interact with each other and cooperate with their neighbors to reach common goals.” In this framework the smart objects, which are connected by an Internetlike structure, are able to communicate and exchange information and to enable new forms of interaction among things and people [5]. The core of every IoT system consists of its discovery and control service. Usually, the objects which participate in an IoT system have limited computing power, memory and power supply. It is the common thing that various heterogeneous devices participate in the same IoT system. Ordinarily, these devices are highly distributed, so they participate in a distributed, i.e. PeertoPeer (P2P), system.
In a homogeneous decentralized P2P system [16], many nodes (peers) execute the same application, and have equal rights during that execution. They might join or leave system at any time. In such a framework processes are dynamically distributed to peers, with no centralized control. Thus, P2P systems have no inherent bottlenecks and can potentially scale very well. Also, those systems are resilient to failures, attacks, etc., since there are no nodes which perform the critical functions of the systems. The main applications of P2Psystems involve: file sharing, redundant storage, realtime media streaming, etc.
P2P systems are frequently implemented in a form of overlay networks [20], a structure that is totally independent of the underlying network that is actually connecting devices. Overlay networks represent a logical look on organization of the system resources. Some of the overlay networks are realized in the form of a Distributed Hash Tables (DHTs), which provides a lookup service similar to a hash table; pairs are stored in a DHT, and any participating node can efficiently retrieve the value associated with a given key. Note that key is not used as a cryptographic notion, but (following the common practice in DHTrelated papers) to represent identifiers of objects. Responsibility for maintaining the mapping from keys to values is distributed among the peers, in such a way that any change in the set of participants causes a minimal amount of disruption. The Chord protocol [17, 18, 19] is one of the first, simplest and most popular DHTs. The paper [17] which introduces Chord was recently awarded the SIGCOMM 2011 TestofTime Award.
Because of the simplicity and popularity of the Chord protocol, it was used for the realization of the discovery and/or control service of IoT systems described in [4, 5, 6, 15, 22].
As we mentioned above, the discovery and control services are cores of an IoT system, and because of that, in this paper we will prove the correctness of the Chord protocol using the logic of time and knowledge. We consider the case when the nodes are not allowed to fail or leave and concern Chord actions that maintain ring topology.
We are aware of only a few attempts to formally verify behavior of DHTs and particularly Chord [2, 3, 9, 10, 23]. We consider them below and compare with our approach.
The rest of the paper is organized in the following way: in Section 2 we consider other approaches for proving the correctness of the Chord protocol and clearly present the contributions of this paper; Section 3 presents a short description of the Chord protocol; in Section 4 we present a logical framework which will be used to prove the correctness of the maintenance of the ring topology of the Chord protocol with the respect of the fact that nodes are not allowed to departure the system after they join it; the proof is given in Section 5; we conclude with Section 6. In A we provide detailed proofs of most lemmas and theorems from the paper.
2. Related Work and Contributions
2.1. Related Work
The Chord protocol is introduced in [17, 18, 19]. The papers analyze the protocol, its performance and robustness under the assumption that the nodes and keys are randomly chosen, and give several theorems that involve the phrase with high probability
, for example: ”With high probability, the number of nodes that must be contacted to find a successor in a
node network is ”.The only statement in the papers [17, 18, 19] which avoids the mentioned phrase about high probability is Theorem IV.3. It corresponds to our Lemma 5 and proves that inconsistent states produced by executing several concurrent joins of the new nodes are transient, i.e., that after the last node joins the network will form a cycle. More general sequences of concurrent joining and leaving are considered in [10], where a lower bound of the rate at which nodes need to maintain the system such that it works correctly is given with high probability. In this paper we are not considering possible failures and leaves of the nodes. Our intention is that include this segment in our future work.
Anyway, it is not quite clear how to compare these two approaches (deterministic and probabilistic), but in our opinion there is benefit from both of them. One can argue that the probabilistic approach, i.e. providing lower bounds of probabilities, is useful to study robustness of protocols. On the other hand, it will be useful to describe sequences of actions leading to (un)stable states of Chord networks, to be able to analyze properties of systems that incorporate Chord and assume its correctness, as it is the case with the discovery and/or control service of an IoT system.
In [9]
the theory of stochastic processes is used to estimate the probability that a Chord network is in a particular state. In
[2, 3] Chord’s stabilization algorithm is modelled using the calculus and it’s correctness is established by proving the equivalence of the corresponding specification and implementation. Possible departures of nodes from a network are not examined in this approach. In [23] the Alloy formal language is used to prove correctness of the pure join model. The same formalization present several counterexamples to correctness of Chord ringmaintenance in the general case.In [7] a joint frame for reasoning about knowledge and linear time is presented, and the proof of weak completeness for a logic which combines expressions about knowledge with linear time is provided.
As we mentioned in Introduction using DHT or Chord in IoT domain is not a novelty [4, 5, 6, 15, 22]. In [4] authors proposed distributed control plane. They consider the problem how to deliver control messages to the devices that are in sleeping mode most of the time. Proposed DHT algorithm is Chord. The paper [5] introduce scalable, selfconfiguring and automated service and resource discovery mechanism based on structured DHT architecture. The article [6] presents comparison of the discovery service mechanisms in IoT domain, both traditional and distributed approaches. In [15] authors give the description of a novel discovery service for IoT which adopts DHT approach with multidimensional search domain. Authors of [22] presented discovery service for objects carrying RFID tags based on double Chord ring. In all these articles, the correctness of the Chord protocol was accepted for granted.
2.2. Contributions
In this paper we:

provide axiomatization and prove the soundness, strong completeness and decidability of the logic of time and knowledge;

describe the Chord protocol using the logic of time and knowledge;

prove the correctness of the maintenance of the ring topology of the Chord protocol with the respect of the fact that nodes are not allowed to departure the system after they join it.
This work is motivated by the importance of the discovery and control service of an IoT system and the obvious fact that errors in concurrent systems are difficult to reproduce and find merely by program testing. This proof could be, also, the foundation for the formal proof created using a formal proof assistant (like, Coq or Isabelle/HOL).
3. Chord Protocol
The papers [17, 18, 19] introduce the Chord protocol and give the specification of it in Clike pseudocode. They present the correctness, performance and robustness of the Chord protocol. Here, we will provide a short description of it.
A number of nodes running the Chord protocol form a ringshaped network. The main operation supported by Chord is mapping the given key onto a node using consistent hashing.The consistent hashing [8] provides loadbalancing, i.e., every node receives roughly the same number of keys, and only a few keys are required to be moved when nodes join and leave the network. Chord networks are overlay systems. Thus, each node in a network, that consists of nodes, needs “routing” information about only a few other nodes, , and resolves all lookups via messages to other nodes.
As it is shown, the Chord’s stabilization algorithm maintains good lookup performance despite continuous failure and joining of nodes. When the network is not stable, i.e., the corresponding “routing” information is out of date since nodes join and leave arbitrarily, the performance degrades.
Identifiers are assigned to nodes and keys by the consistent hash function. The identifier for a node or a key, or , is produced by hashing IP of the node, or the value of the key. The length of identifiers, for example bits), must guarantee that the probability that two objects of the same type are assigned same identifiers is negligible. Identifiers are ordered in an identifier circle modulo . Then, the key is assigned to the node such that . If such a node does not exist, the key is assigned to the first node in the circle whose identifier is greater than .
Every node possesses information on its current successor and predecessor nodes in the identifier circle. To accelerate the lookup procedure, a node also maintains routing information in the form of the socalled Finger Table with up to entries. The entry in the table at the node contains the identifier of the first node that succeeds by at least in the identifier circle, i.e., , where , and all arithmetic is preformed modulo . Figure 1 presents Finger tables of nodes and .
One node can be aware of only a few other nodes in the system, like node from Figure 1 knows for the existence of only 3 other nodes. Some other can have different node identifier in almost every entry in its Finger table, like node from Figure 1.
During the lookup procedure, a node forwards a query to the largest element of the Finger table which is smaller than the key used in the query, respect to the used arithmetics. In the example illustrated with Figure 1, if is looking for the responsible node for the key with identifier , it will forward this query to node , the closes node from its finger table. After, that this query will be forwarded to and , until it finally ends at . The answer if contains the key and respected value with identifier will be returned to node that started query, in this case .
The stabilization procedure implemented by Chord must guarantee that each node’s finger table, predecessor and successor pointers are up to date. The procedure runs periodically in the background at each node. To increase robustness, each Chord node can create a successor list of size , containing the node’s first successors.
Figure 2 illustrates the process of joining of the node between nodes and . As a first step will set its successor to . During the stabilization process will set its predecessor to , then will set its successor to and, finally, will set its predecessor to .
Beside the mapping of keys onto the set of nodes, the only other operations realized by Chord are adding a node to network or removing a node from a network. When a node joins an existing network, certain keys previously assigned to ’s successor now become assigned to . When a node leaves the network regularly, it notifies its predecessor and successor and reassigns all of its keys to the successor.
4. Logic of Time and Knowledge
As we mentioned in the previous Section, a system which runs the Chord protocol is a dynamic multiagent system, where every agent has it own partial view of the surrounding environment. To be able to reason about such system, we need to introduce a framework for formal description of changes of the knowledge of an agent during the time. In this section we present logic of time and knowledge.
4.1. Syntax
Let be the set of nonnegative integers. We denote , where , and then let be the set of propositional variables.
The set of all formulas is the smallest superset of which is closed under the following formation rules:

where and ,

where ,

where ,

where .
The operators and represent relations successor and predecessor of a node. The tip of the ”arrow” is pointing to the node with ”greater” identifier, with respect to the ordering determined by the ring shaped Chord network. We will use abbreviation for iff there is an such that and , and for iff there is an such that and . Similarly, we can define , as well as for and . Figure 3 illustrates the relations , (Figure 2(a)) and (Figure 2(b)).
The operators and represent standard logical negation and conjunction. The operators , , and are standard temporal operators Next, Previous, Until and Since. The operator represents the knowledge of the agent .
The remaining logical and temporal connectivities , , , , , , are defined in the usual way:

,

,

,

,

,

,

,

,

.
Nonempty sets of formulas will be called theories.
In this paper we will consider time flow which is isomorphic to the set . We will take into account both future and past. Since we are dealing with a multiagent system were agents have to share knowledge among them the obvious choice is to use the logic of time and knowledge, similarly like in [7].
We define as a nested implication for the knowledge of an agent and for formula based on the sequence of formulas in the following recursive way:
4.2. Semantics
We will defined models as Kripke’s structures.
Definition 1.
A model is any tuple such that

Set of all possible runs :

,

,

Restriction: if then


set of time instances (the time flow isomorphic to ),

truth assignment, such that:

,



possibility relations: : iff .
Figure 4 illustrates a Kripke model which contains the runs , where is the sequence of , , , etc. and similarly for other runs. In this model, for example , etc.
An is in the time instant in the run if the Chord network node is active in the corresponding realization of the network. We define the set of propositional variables which represent the active nodes of Chord network as . For we define the relation which represents the fact that is the member of the ring interval as: is iff

,

and ,

and .
4.3. Satisfiability relation
A formula is satisfiable if it is possible to find an interpretation, i.e. model, that makes that formula true.
Definition 2.
Let be any model. The satisfiability relation (formula is satisfied in a time instance of a run ) is defined recursively as follows:

iff ,

iff and

iff not ( )

iff

iff


iff there is a such that , and for every , such that ,

iff there is a such that , and for every , such that ,

iff for all

iff

and

and

and

and and


iff

, and

and

and

and and

and

4.4. Axiomatization
The axioms of our theory are all instances of the following schemata:

instances of tautologies












,










Inference rules:

from and infer

from infer

from infer

from for all infer
[AT1 – AT10] are standard axioms of the linear temporal logic. [AT11] takes into consideration specificity of our model and the restriction that when some become , then it will never be . While [AK1] takes into consideration specificity of our model, [AK2 – AK5] are standard axioms for reasoning about knowledge. [AS1] says that a node can have only one successor. [AS2] says that a node can be predecessor of only one node. [AS3] says that a node can have only one predecessor. [AS4] says that if a node is predecessor of some other node, that other node has to be its successor. [AS5] says that if a node has the successor than it knows that is its successor. [AS6] says when the current successor will be the successor in the next time instance.
[MP] is modus ponens, [RTN] and [RKN] resemble necessitations,and [RI] is the infinitary inference rule that characterize the Until operator.
4.5. Soundness, Completeness and Decidability
In this part we will prove that our system is sound, complete and decidable. Informally speaking, the soundness means that we cannot prove anything that is wrong, the completeness means that we can prove everything that is right, and the decidability means that there is an effective method for determining whether arbitrary formula is a theorem of our logical system.
The inference relation is defined as follows:
Definition 3.
We say that is syntactical consequence of a set of formulas (or that is deducible or derivable from ) and write iff there exists an at most countably infinite sequence of , …, such that = and for all , is an instance of some axiom, , or can be obtained from some previous members of the sequence by an application of some inference rule. A formula is a theorem () if it is deducible from the empty set. The rules [RTN] and [RKN] can be applied only to theorems.
Definition 4.
A set T is inconsistent iff , otherwise it is consistent. A set of formulae is maximal if for every formula either or . A set is deductively closed if for every formula , if , then .
Theorem 1.
[Soundness] implies .
Theorem 2.
Every consistent set of formulas can be extended to a maximal consistent set .
Canonical structure. We define a special, so called canonical structure . Let be the set of all maximal consistent sets. Let . We define a run inductively as: , and .
We denote:

, where if , and otherwise,

,

.
Also:

,

iff .
Theorem 3.
[Strong completeness] Every consistent set of formulas is satisfiable.
Theorem 4.
.
Theorem 5 (Decidability theorem).
Checking the satisfiability of a given formula is decidable.
5. Proof of the Correctness
To be able to prove the correctness of the Chord protocol we need to introduce the following definitions:
Definition 5 (Stable pair).
The pair of nodes is stable (we denote it with ) at iff (, where .
Definition 6 (Stable network).
Network is stable (we denote it with ) at iff for all .
We introduce an integer constant , that will represent fairness condition, i.e. it guarantees that a formula will be realized at maximum of time instances.
The processes of the Chord network can be describe with:

: for one ,

: , ,

: , ,

: , .
[] describes the start of the new Chord network. [] represents the situation when a new node is joining the existing Chord network, while [] and [] characterize stabilization processes in one Chord network.
To be able to describe periodicity of the stabilization process, we introduce the following axioms:

ACF1: , ,

ACF2: , ,

ACF3: , ,

ACF4: , ,

ACF5: , ,

ACF6: , .
The correctness of the Chord protocol can be proved by the following Lemmas and Theorem.
Lemma 1.
Let a new node start a new Chord network. Then, there is a finite period of time after the network will be stable again, if no other nodes are trying to join in the meanwhile.
Lemma 2.
Let a new node join a stable Chord network which consists of only one node. Then, there is a finite period of time after the network will be stable again, if no other nodes are trying to join in the meanwhile.
Lemma 3.
Let a peer join a Chord network, between two nodes which constitute a stable pair, such that the second node is the successor of the first node. Then, there is a finite period of time after the starting pair will be stable again, if no other nodes are trying to join in the meanwhile.
Lemma 4.
Let a peer join a Chord network, between two nodes which constitute a stable pair. Then, there is a finite period of time after the starting pair will be stable again, if no other nodes are trying to join in the meanwhile.
Proof.
Since one new node is joining the stable pair, we can choose two nodes which are each others successor and predecessor and the new node is joining between them, so we can apply Lemma 3. ∎
Lemma 5.
Let a Chord network contain a stable pair. If a sequence of nodes join between the nodes that constitute this stable pair, then there is a finite period of time after the starting pair will be stable again.
Proof.
If we assume that all nodes that want to join the network have different successors, by Lemma 4 the statement holds.
If this is not the case, we can assume that and that set of nodes , such that , are joining this stable pair. Then, we can apply Lemma 4 on the tuples , , …. This process will have as a result , again. ∎
6. Conclusion
The core part of the every IoT system are its discovery and control services. In the distributed environment, these services can be realized using the Chord protocol.
In this paper we provide the axiomatization and prove the soundness, strong completeness and decidability of the logic of time and knowledge. Using this framework, we prove the correctness of the maintenance of the ring topology of the Chord protocol with the respect of the fact that nodes are not allowed to departure the system after they join it.
Our plan is to continue our research to prove the correctness in the general case. Also, one of the possible directions for further work is to apply the similar technique to describe other DHT protocols and other cloud processes.
Another challenge could be to verify the given proof in one of the formal proof assistants (e.g., Coq, Isabelle/HOL). It might also produce a certified program implementation from the proof of correctness.
Appendix A Proofs
See 1
Proof.

iff iff
iff iff

iff iff iff
or iff
or if
iff

iff
and and iff
or and and iff
or and and and iff
or and and and iff
or and iff

iff
and and if
and exists iff
[AT5 – AT7] similarly like [AT2 – AT4] regarding the subcase .

iff iff
[AT9] similarly like [AT8], regarding the subcase .

iff

Because of the restriction if then .

,
iff
and all iff

iff
and iff
for all and for all iff
for all if
for all iff

iff
and then

iff
and then
and iff
and iff

Similarly like [AK4]

Let .
If , by the definition of we have that
and by [AK3] and [A1] we have that
so, there is no candidate such that .
Let and let
and . Then, by the definition of relation we have
and
Last two facts are in contradiction.
Similarly in all other cases.

Similarly like [AS1].

Similarly like [AS1].

Comments
There are no comments yet.