Why Extension-Based Proofs Fail

# Why Extension-Based Proofs Fail

Dan Alistarh
IST Austria
dan.alistarh@ist.ac.at
James Aspnes
Yale
james.aspnes@gmail.com
Faith Ellen
University of Toronto
faith@cs.toronto.edu
Rati Gelashvili
University of Toronto
gelash@cs.toronto.edu
Leqi Zhu
University of Toronto
lezhu@cs.toronto.edu
###### Abstract

We prove that a class of fundamental shared memory tasks are not amenable to certain standard proof techniques in the field. We formally define a class of extension-based proofs, which contains impossibility arguments like the valency proof by Fisher, Lynch and Paterson of the impossibility of wait-free consensus in an asynchronous system. We introduce a framework which models such proofs as an interaction between a prover and an adversarial protocol. Our main contribution is showing that extension-based proofs are inherently limited in power: for instance, they cannot establish the impossibility of solving -set agreement among processes in a wait-free manner. This impossibility result does have proofs based on combinatorial topology. However, it was unknown whether proofs based on simpler techniques were possible.

## 1 Introduction

One of the most well-known results in the theory of distributed computing, due to Fischer, Lynch, and Paterson [FLP85], is that there is no deterministic, wait-free protocol solving consensus among processes in an asynchronous message passing system. In fact, they showed that, even if at most one process may crash, it is possible to construct an infinite execution in which no process terminates. Their result has been extended to asynchronous shared memory systems where processes communicate by reading from and writing to shared registers [Abr88, CIL87, Her91, LA87].

Chaudhuri [Cha93] conjectured that these impossibility results could be generalized to the -set agreement problem: given , each of the processes begins with an input in . Each process that does not crash must output a value that is the input of some process (validity) and, collectively, at most different values may be output (agreement). In particular, consensus is just 1-set agreement. Chaudhuri’s conjecture was eventually proved in three concurrent papers by Borowsky and Gafni [BG93], Herlihy and Shavit [HS99], and Saks and Zaharoglou [SZ00]. These papers all relied on sophisticated machinery from combinatorial topology, which they used to model the space of all reachable configurations of the system. Later on, Attiya and Castañeda [AC11] and Attiya and Paz [AP12] showed how to obtain the same results using purely combinatorial techniques, without explicitly using topology. A common feature of these impossibility proofs is that they assume the existence of a deterministic, wait-free protocol, and first argue that it has only finitely many executions, and then show that at least different values are output in one of the executions. This implies that any deterministic protocol for -set agreement among processes in an asynchronous system has an execution in which some process takes infinitely many steps, without returning a value. However, these proofs do not construct such an infinite execution.

In contrast, impossibility proofs for deterministic, wait-free consensus in asynchronous systems explicitly construct an infinite execution by repeatedly extending a finite execution by the steps of some processes. Fischer, Lynch, and Paterson introduced valency arguments to show that such extensions are possible in the case of consensus. A natural question arises: is there a “constructive” proof of the impossibility of -set agreement that explicitly constructs an infinite execution by repeated extensions?

Our contributions. In this paper, we formally define the class of extension-based proofs. We also prove that that there is no extension-based proof of the impossibility of a deterministic, wait-free protocol solving -set agreement among processes in an asynchronous system using only registers.

We view a proof of the impossibility of solving a task as an interaction between a prover and any protocol that claims to solve the task. The prover has to refute this claim. To do so, it repeatedly queries the protocol about the states of processes in configurations that can be reached in a small number of steps from configurations it already knows about. The goal of the prover is to construct a bad execution, i.e. an execution in which some processes take infinitely many steps without terminating, or output values that do not satisfy the specifications of the task. The definition of extension-based proofs is presented in Section 3. An extension-based proof of the impossibility of deterministic, wait-free solutions to consensus among 2 processes in an asynchronous shared memory system appears in Section 3.

A key observation is that, from the results of its queries, many protocols are indistinguishable to the prover. It must construct a single execution that is bad for all these protocols. To prove that no prover can construct a bad execution, in Section 4, we show how an adversary can adaptively define a protocol in response to any specific prover’s queries. In this adversarial protocol, all processes eventually terminate and output correct values in executions consistent with the results of the prover’s queries.

We use basic combinatorial topology to represent reachable configurations of a protocol. This is described in Section 2. In this view, when an extension-based prover makes queries, it is essentially performing local search on the configuration space of the protocol. Because the prover obtains incomplete information about the protocol, the adversary has some flexibility when specifying the protocol’s behaviour in configurations not yet queried by the prover.

An additional type of query is added to the definition of extension based proof in Section 5. This query makes the prover stronger and simplifies modeling valency arguments as extension-based proofs. We extend the proof in Section 4 to handle this additional type of query.

We provide a formal way of reasoning about proofs of impossibility in shared memory. This opens the door for a number of interesting directions for future work, such as generalizations of the extension-based proof model, reasoning about lower bound proofs, better understanding the exact sources of limitations of certain techniques, and exploring connections to the results in the theory of proof complexity. This is discussed in Section 7.

## 2 Preliminaries

### 2.1 NIIS Model

We consider the non-uniform iterated immediate snapshot (NIIS) model with processes, introduced by Hoest and Shavit [HS2006]. For wait-free computability, it is known that the NIIS model is equivalent to the standard asynchronous shared memory model, in which processes communicate by reading from and writing to shared registers. Specifically, any task that has a wait-free solution in one of these models has a wait-free solution in the other [HS2006].

In the NIIS model, processes, , communicate using an infinite sequence, , of shared single-writer atomic snapshot objects. Each snapshot object has components, which are all initially , and supports two operations, and . An operation by process performed on a snapshot object updates component of the object to have value , where is an element of an arbitrarily large set that does not contain . A operation returns a vector containing the value of each component of the object.

In the NIIS model, processes remember their entire history. This is called a full information protocol. Initially, ’s state is its input. It accesses each snapshot object at most twice, starting with . The first time, it performs an to set the ’th component of the object to its current state. At its next step, it performs a of the same object. The result of this is its new state. It then checks if it can output a value by consulting a map, , that takes its process identifier, , and its new state as input. If returns , then, at its next step, accesses the next snapshot object. If it returns a value , then outputs and terminates. A protocol in the NIIS model is completely specified by the map .

A scheduler decides the order in which the processes take steps. It repeatedly selects a set of processes that are all poised to perform s on the same snapshot object, schedules all of their s, in order of their identifiers, and then schedules all of their next s, in the same order. Note that the scheduler never selects processes that have terminated. A schedule is a sequence containing subsets of processes selected by the scheduler. For example, is a schedule in which the scheduler selects , followed by . After this schedule, has updated and scanned one more snapshot object than . A protocol is wait-free if it does not have an infinite schedule.

A configuration contains the contents of each shared object and the state of each process. A process is active in a configuration if it has not terminated. A configuration is terminal if it has no active processes. An initial configuration is specified by the input of each process. Each finite schedule from an initial configuration results in a reachable configuration. The following observation is a key property of full information protocols.

###### Observation 2.1.

A reachable configuration is fully specified by the set of states of all processes in the configuration (including the processes that have terminated).

Two configurations and are indistinguishable to a set of processes if every process in has the same state in and . Given a schedule from a reachable configuration , we use to denote the resulting configuration. Two finite schedules and from are indistinguishable to a set of processes if the resulting configurations and are indistinguishable to .

###### Observation 2.2.

Suppose and are two reachable configurations that are indistinguishable to , every active process in is poised to update in , each snapshot object has the same contents in and for all , and is a finite schedule from containing only processes in . Then is a schedule from and the configurations and are indistinguishable to .

Suppose is a reachable configuration in which all active processes are poised to the same snapshot object. For any set of processes , a P-only 1-round schedule from is an ordered partition of the processes in that are active in . If none of the processes in are active in , then the empty schedule is the only -round schedule. A (full) -round schedule from is simply a -only 1-round schedule, where is the set of all processes. Observe that, in the NIIS model, if is a -only -round schedule from and is any full -round schedule from such that , then and are indistinguishable to the processes in .

For , a (full) t-round schedule from is a schedule such that is a 1-round schedule from and, for , is a 1-round schedule from . A P-only t-round schedule from is a schedule such that there exists a (full) -round schedule from where is a prefix of for , is a -only 1-round schedule from , and is a -only -round schedule from for . Notice that some processes in may have terminated during . These processes are not included in . If is a -only -round schedule from , is any full -round schedule from , and is a prefix of for all , then these two schedules are indistinguishable to the processes in .

Let be the set of all active processes in some reachable configuration and suppose that every process in is poised to the same snapshot object . For any nonempty finite schedule from , let denote the set of processes in that are poised to in the resulting configuration . Let . Then there exists a schedule from that is indistinguishable to all processes such that is a -only 1-round schedule.

### 2.2 Topological Representation of a Protocol

An (abstract) simplicial complex is a collection of sets, , that is closed under subset: for any set , if , then . Each set is called a simplex of . If , then is called a vertex. if , then is called an edge. A subcomplex of is a subset of that is also a simplicial complex.

Let be a simplicial complex and let and be non-empty subcomplexes of . A path between and in of length is a sequence of vertices such that , , and, for , is an edge in . Notice that a vertex may appear more than once in a path and, if and both consist of a single vertex, then we have the standard definition of a (non-simple) path in a graph. is connected if for any two vertices , there is path between and in . If is connected, then the distance between and in , denoted , is the minimum such that there is a path between and in of length .

In the topological view of a protocol (specified by a map ) in the NIIS model, there is a simplicial complex for each . represents all configurations reachable from initial configurations by -round schedules. In particular, the input complex of the protocol, , represents all possible initial configurations.

Consider any configuration reachable from an initial configuration by a (full) -round schedule. For every process , there is a unique vertex in , where is the state of in . The process identifier is called the colour of the vertex. It is needed because multiple processes may have the same state in (i.e. they have the same input and see the same results from all their scans). The -element set is a simplex in . It is called the full simplex of corresponding to configuration . By Observation 2.1, each full simplex corresponds to only one configuration. Every simplex of is a subset of a full simplex of . Thus, all the vertices in a simplex of have different colors.

The non-uniform chromatic subdivision operation maps every subcomplex of to a subcomplex of . It has the property that is the union of over all simplexes . Hoest and Shavit [HS2006] proved that is the non-uniform chromatic subdivision of .

Suppose is a full simplex in corresponding to a configuration . Then every full simplex in corresponds to a configuration reachable from by a 1-round schedule. If and , then each simplex in consists of the set of states of a subset of the processes in in a configuration resulting from by a -only -round schedule. Although can be also be subset of a full simplex in corresponding to a different configuration, Observation 2.2 says that the definition does not depend on the choice of this configuration.

Hoest and Shavit also showed that, if is connected, then, for , is connected and, thus, the distance between any two vertices in is well-defined. We note that the input complex of any -set agreement protocol is connected.

Figure 1 contains an example of the non-uniform chromatic subdivision of a simplicial complex with processes, , , and . In the configuration represented by the left face of , , , and have states , , and , respectively, none of which have terminated. In the configuration represented by the right face, and have the same state, but has state , in which it terminates and outputs . We also illustrate two subcomplexes and of and their subdivisions.

### 2.3 Non-uniform Chromatic Subdivision

In this section, we define the non-uniform chromatic subdivision operation. But, for a more comprehensive definition of the non-uniform chromatic subdivision, which is quite technical, we refer the reader to  [HS2006]. We prove that the non-uniform subdivision operation has the following useful property relating the distances between subcomplexes and the distances between the nonuniform chromatic subdivisions of these subcomplexes. This lemma can also be used to fix a technical problem in one of the arguments of Hoest and Shavit [HS97conf, HS2006]. This is discussed in Section 6.

###### Lemma 2.3.

Let and be nonempty, disjoint subcomplexes of , let , and let . Then . Furthermore, if every path between and in contains at least one edge between unterminated vertices, then .

Recall that distances are defined based on only the vertices and edges of the complex (also known as the -skeleton of the complex). However, the proof of this lemma relies on the higher dimensional structure of the complex and certain properties of non-uniform subdivision operation. These properties are listed immediately prior to its proof.

### 2.4 Non-uniform Chromatic Subdivision and Distance Lemma

Let and suppose that is defined for all vertices .

Consider any simplex in and suppose that for each vertex . Let be the set of colours of the vertices in . The standard chromatic subdivision of is the abstract simplicial complex whose vertices are of the form , where and is the colour of some vertex in . Intuitively, contains the set of process states that process sees in its next scan. Strictly speaking, the vertices are actually of the form , where if and if is not the colour of any vertex in . This corresponds to the actual values seen by the processes in their next scan. A set of vertices , for some set of identifiers , is a simplex in if and only if there is an ordering on such that implies that and, for each , if the colour of some vertex in , then .

Now consider a simplex where some vertices in have been terminated. Let be the set of terminated vertices in . The non-uniform chromatic subdivision of is the abstract simplicial complex whose vertices are the vertices in and the vertices in the standard chromatic subdivision of . Each simplex in is a simplex of . In addition, if and is a simplex, then is a simplex of .

For any subcomplex of , the non-uniform chromatic subdivision of is the union of for all simplices .

There is a natural geometric interpretation of an abstract simplicial complex and subdivision. Roughly speaking, a geometric simplex may be represented in Euclidean space as the set of convex combinations of affinely independent points (one per element of ). A face of is the set of convex combinations of a subset of the affininely independent points. A geometric simplicial complex is a collection of geometric simplices such that each face of is a simplex in and, for any two simplices , . The geometric realization of is the union of the simplices in (in Euclidean space). A geometric simplicial complex is a subdivision of if their geometric realizations are the same and each simplex in is the union of finitely many simplices in .

One of the key contributions of Hoest and Shavit [HS97conf] is their proof that the non-uniform chromatic subdivision of a simplicial complex is in fact a subdivision (in the geometric sense). The following properties all follow from this fact:

###### Proposition 2.4.

The non-uniform chromatic subdivision operation has the following properties:

• If is connected, then, for all , is connected.

• and are disjoint subcomplexes of if and only if and are disjoint subcomplexes of .

• If every path between and passes through a subcomplex , then every path between and passes through .

• If contains only unterminated vertices and and are disjoint nonempty subcomplexes of , then the distance between and is at least 2.

###### Lemma 2.3.

Let and be nonempty, disjoint subcomplexes of , let , and let . Then . Furthermore, if every path between and in contains at least one edge between unterminated vertices, then .

###### Proof.

By induction. First suppose that . Since and are disjoint, and are disjoint. Thus .

So, suppose and holds for all non-empty subcomplexes and of where . Let be the largest subcomplex of containing only vertices such that and let . Since , is non-empty and . Thus, by the induction hypothesis, and . Since every path between and passes through , every path between and in must pass through . Therefore, and the claim holds for and .

Now suppose that every path between and in contains at least one edge between unterminated vertices. Let be the smallest set of edges between unterminated vertices in such that every path between and contains at least one edge in . Viewing as a graph, the removal of from results in some number of connected components. Let be the set of vertices in the connected components that contain at least one vertex in and let be the set of remaining vertices in . Let and be the largest subcomplexes of containing only vertices in and , respectively, let , and let . Observe that is a subcomplex of and is a subcomplex of . Moreover, by the minimality of , the set of edges between and is exactly .

Let be the largest subcomplex of containing only vertices that are contained in some edge in and let . By definition of , every vertex in is unterminated. Observe that every path between and has to pass through and every path between and has to pass through . It follows that every path between and has to pass through and every path between and has to pass through . In particular, this implies that . By the first part of the lemma, which we have already proved, and . Now consider . Since every vertex in is unterminated, is the standard chromatic subdivision of , which fully subdivides every simplex in . In particular, any vertex in is not adjacent to any vertex in . It follows that . Since , we obtain that . ∎

## 3 Extension-Based Proofs

To prove that a task has no wait-free solution in the NIIS model, we consider a prover, which, given any protocol that supposedly solves the task, constructs a schedule from an initial configuration of the protocol such that either the schedule is finite and one of the specifications of the task is violated in the resulting configuration, or the schedule is infinite and some processes remain active. To learn information about the protocol, the prover queries the protocol about the states of processes in various reachable configurations. In the NIIS model, the only information a prover learns about the state of a process in a reachable configuration is whether that process has output a value and, if so, the value that it output. The rest of the information about its state is the same for all NIIS protocols. In other words, the protocol is entirely specified by and the prover is learning the value of the map , for various process states.

More formally, an extension-based proof in the NIIS model is an interaction between a prover and any protocol defined by a map . The prover starts with no knowledge about the protocol (except its initial configurations) and makes the protocol reveal information about the states of processes in various configurations by asking queries. Each query allows the prover to reach some configuration of the protocol. The interaction proceeds in phases.

In each phase , the prover starts with a finite schedule, , and a set, , of configurations that are reached by performing from initial configurations, which only differ from one another by the states of processes that do not appear in this schedule (as these processes might have different input values). It also maintains a set, , containing the configurations it reaches from configurations in during phase . This set is empty at the start of phase . At the start of phase , is the empty schedule and is the set of all initial configurations of the protocol.

The prover queries the protocol by specifying a configuration and a set of processes that are poised to update the same snapshot object in . For each process , let denote the state of in the configuration resulting from scheduling from . The protocol replies to this query with , for each . Notice that, by the definition of the NIIS model, this is enough for the prover to know the state of every process and the contents of every component of every snapshot object in . Then, the prover adds to , and we say that the prover has reached .

If the prover reaches a configuration in which the outputs of the processes do not satisfy the specifications of the task, it has demonstrated that the protocol is incorrect. In this case, the prover wins (and the interaction ends).

A chain of queries is a sequence of queries, , such that, for each , is the configuration resulting from scheduling from . If the prover constructs an infinite chain of queries, it has demonstrated that the protocol is not wait-free. In this case, the prover also wins (and the interaction ends). In particular, the prover wins against the trivial protocol in which no process ever outputs a value, by constructing any infinite chain of queries.

After making finitely many chains of queries in phase without winning, the prover must end the phase by committing to an extension of the schedule . More formally, at the end of phase , the prover must choose a configuration . Let be a (nonempty) schedule such that is reached by performing starting from some configuration . Let denote the schedule . Since , there is an initial configuration such that is reached by performing starting from . Thus is reached by performing starting from . Finally, let be the set of all configurations that are reached by performing from the initial configurations that only differ from by the states of processes that do not appear in this schedule. Then the prover begins phase .

If, in every configuration in , every process has terminated, then , the prover loses, and the interaction ends.

If the number of phases in the interaction is infinite, the prover has constructed an infinite schedule in which some processes remain active and, hence, the protocol is not wait-free. This is the third way that the prover can win.

To prove that a task is impossible using an extension-based proof, a prover must win against every protocol.

#### An example.

We give an extension-based proof of the impossibility of solving wait-free binary consensus among 2 processes.

###### Theorem 3.1.

Binary consensus among 2 processes is impossible in the NIIS model.

###### Proof.

Let denote the initial configuration in which has input 0 and has input 1. Then, by validity, the solo-execution by must decide and the solo-execution by must decide . The prover performs the query chain corresponding to the solo execution by from . The prover wins if this does not terminate or does not output 0. Similarly, the prover performs the query chain corresponding to the solo execution by from and wins if this does not terminate or does not output 1.

The prover will either construct an infinite query chain in some phase, reach a configuration in which both 0 and 1 have been output, or inductively construct an infinite sequence of configurations and a corresponding sequence of bits such that, for all , is reached from by scheduling one set of processes (either , , or ), the solo-execution by from outputs , and the solo-execution by from outputs . Let and suppose the claim is true for .

If process is terminated (outputting value ) in configuration , then the solo execution by from , which outputs , results in a configuration in which both 0 and 1 have been output. Similarly, if is terminated in configuration , then the prover has reached a configuration in which both 0 and 1 have been output. So, suppose that neither nor is terminated in .

From , the prover first performs the query chain corresponding to the schedule where is scheduled once and then is scheduled until it outputs a value . If that never happens, then the prover wins. If , then the prover ends phase , chooses , and sets . Note that the solo execution by from outputs and the solo execution by from outputs .

Otherwise, . In this case, the prover performs the query chain from corresponding to the schedule where is scheduled once and then is scheduled until it outputs a value . If that never happens, then the prover wins. If , then the prover ends the round, chooses , and sets . Note that the solo execution by from outputs and the solo execution by from outputs .

Otherwise, . Then the prover performs the query . Note that the configurations and are indistinguishable to , i.e.  has the same state in both configurations. Thus, it outputs in its solo execution from . Likewise, the configurations and are indistinguishable to , so it outputs in its solo execution from . Then the prover ends the round, chooses , and sets . Note that the solo execution by from outputs and the solo execution by from outputs . Thus, the claim is true for . Hence, by induction, the claim is true for all . ∎

## 4 What cannot be proved by extension!

In this section, we prove that no extension-based proof can show the impossibility of deterministically solving -set agreement in a wait-free manner in the NIIS model, for processes. Any protocol for processes is also a protocol for processes, since the remaining processes could crash before taking any steps. Therefore, it suffices to consider .

To show our result, we define an adversary that is able to win against every extension-based prover. The adversary maintains a partial specification of (the protocol it is adaptively constructing) and an integer . The integer represents the number of non-uniform chromatic subdivisions of the input complex, , that it has performed. Once the adversary has defined for each vertex in , then it may perform a non-uniform chromatic subdivision of (or, subdivide ) and construct .

For each and each input value , we define and as the largest subcomplexes of such that contains only vertices that do not contain and contains only vertices where . Notice that the definition of does not depend on the adversary’s current specification of , while the definition of does. From these definitions, it follows that non-uniform chromatic sudivisions of these subcomplexes have simple descriptions:

For , and .

#### Adversarial Strategy in Phase 1.

We define an adversarial strategy so that, after each query made by the prover in phase 1, the adversary is able to maintain the following invariants:

1. For each and each vertex , is defined. If is a vertex in , then either is undefined or . If is the state of a process in a configuration that was reached by the prover, then is a vertex in , for some , and is defined.

2. For any input , if is non-empty, then .

3. For any two inputs , if and are non-empty, then .

We note the following consequence of the invariants:

###### Lemma 4.2.

For any two inputs , if and are non-empty, then any path between and in contains at least one edge between unterminated vertices. Moreover, if the adversary defines for each vertex where is undefined and subdivides to construct , then and .

###### Proof.

Consider any path between and in . Let be the last vertex in . Since the invariant holds after each query and , invariants (3) and (2) imply that the distance between and is at least 2. Hence, . Since is the last vertex in , and are not in . Moreover, by invariant (3), and are not in for any input . Hence, is an edge between unterminated vertices. If the adversary defines for each vertex where is undefined and subdivides to construct , then the claim follows by Lemma 2.3 and Proposition 4.1. ∎

Initially, the adversary sets and for each vertex . It then subdivides to construct and increments . No vertices in have terminated, so is empty for each input . Before the first query, the prover has only reached the initial configurations. Hence, the invariants are satisfied.

Now suppose the invariants are satisfied immediately prior to a query by the prover, where is a configuration previously reached by the prover and is a set of active processes in poised to access the same snapshot object. Let be the configuration resulting from scheduling from . Since each process in is poised to access the same snapshot object, by invariant (1), there exists such that the state of each process in in configuration corresponds to a vertex in . Since is active in , for each such vertex . Hence, by invariant (1), . If , then invariant (1) implies that is defined for each vertex corresponding to the state of a process in . Hence, the adversary does not need to do anything.

So, suppose that . Let denote the set of vertices in corresponding to the the states of in . For each vertex , if is undefined, the adversary defines as follows. If there exists an input such that the distance between and in is at least 2 and the distance between and in is at least 3, for all inputs , then the adversary sets . Otherwise, the adversary sets . This ensures that invariants (2) and (3) continue to hold.

If for every vertex , then invariant (1) holds. Otherwise, the adversary defines for each vertex where is undefined, subdivides to construct , and increments . Then invariant (1) holds. By Lemma 4.2, invariants (2) and (3) continue to hold.

Therefore, the invariants hold after the prover’s query.

#### No infinite chains of queries in phase 1.

Suppose that the invariants all hold after each query made by the prover in phase 1. By invariants (2) and (3), at most one value is output in any configuration reached by the prover and the value is the input of some process in the configuration. So, the prover cannot win in phase 1 by showing that the protocol violates some task specifications. We now show that the prover also cannot win by making an infinite chain of queries in phase 1.

###### Lemma 4.3.

Every chain of queries in phase 1 is finite.

###### Proof.

Assume, for a contradiction, that there is an infinite chain of queries, , for . Let be the set of processes that are scheduled infinitely often. Then, there exists such that, for all , . Let be the value of maintained by the adversary immediately prior to query . By invariant (1), the state of each process in corresponds to a vertex , for some . Hence, no process has accessed in and, during this chain of queries, only processes in access for . Since the processes in eventually access for all , and no process in ever terminates, the adversary eventually defines for each vertex where is undefined and subdivides to construct , for all .

Consider the first such that each process in is poised to access in , i.e.  is the first set of processes to access in the chain of queries. By definition of , the set of states of the processes in in correspond to a simplex in . Since the adversary does not terminate any new processes, , for any input and any . Thus, by applying Lemma 4.2 twice, for any inputs , whenever and are non-empty, and .

If there is a vertex that has distance at most 2 to some vertex in in , for some input , then the distance from to is at least 2 and the distance from to non-empty in is at least 3, for all . Hence the adversary defines after query , i.e. some process in terminates. This is a contradiction.

So, each vertex in has distance at least 3 to , for all inputs where is non-empty. Consider the first such that each process in is poised to access in . Let be the set of processes that have accessed in . Since each process in has already accessed , . Hence, the states of in forms a simplex in and . It follows that each vertex in has distance at least 2 to , for all inputs where is non-empty.

Let be the input of any process in . Since are the first set of processes to access and each process in has accessed , each vertex in contains and . Since the distance between and any terminated vertex in is at least 2, any path from a vertex to a vertex in must contain at least one edge between unterminated vertices (specifically, between and one of its neighbours). By Lemma 2.3 and Proposition 4.1, it follows that and , for any input where is non-empty. The state of each process in in corresponds to a vertex in . Hence, the adversary defines for at least one such vertex , i.e. some process in terminates. This is a contradiction. ∎

#### Checkmating the prover.

Since the invariants hold after every query, then the prover cannot perform an infinite chain of queries in phase 1 (Lemma 4.3). Hence, the prover does not win in phase 1 and, after performing finitely many chains of queries, the prover must choose a configuration at the end of phase 1. This determines the set of configurations it can initially query in phase 2. The adversary can update one final time so that it can answer all future queries by the prover. The prover will eventually be forced to choose a terminal configuration at the end of some phase and, consequently, will lose in the next phase.

By definition of , is a configuration reached by a schedule (from an initial configuration) that contains at least one set of processes. Consider the largest such that some set of processes accesses in . Let be the first set of processes to access in and let be the input of any process in . By invariant (1), . The set of states of processes in in corresponds to a simplex in .

Let be the largest subcomplex of containing only vertices that are distance at most 1 from every vertex in . By definition, contains every simplex corresponding to a configuration reachable by an -round schedule such that is indistinguishable from to . In particular, is the first set of processes to access in . Each process in sees when it accesses . Since is an -round schedule, each active process in has accessed in and sees . Hence, the distance between and in is at least 1. If , then, by applying Lemma 2.3 and Proposition 4.1 times, .

By invariant (1), for each vertex , is either undefined or