A Simple Distributed Algorithm for the Maintenance of a Spanning Tree

This work is devoted to the problem of spanning tree maintenance in the presence of crash failures in a distributed environment using only local knowledge. Using a pre-constructed spanning tree of a k-connected graph, we present a protocol to maintain a spanning tree in the presence of k−1 consecutive failures. The contribution of this paper is twofold. First, the problem is formalized as an occurrence of the Menger’s theorem in distributed setting. The second result shows an implementation of the protocol which is composed of a set of modules encoded in the asynchronous message passing model. After each failure occurrence, our algorithm maintains a spanning tree in O(N) time using O(M +N) messages and O(∆) bits per node. Here ∆ is the degree, M the number of edges and N the number of nodes of the graph to be maintained. Furthermore, the studied network is semi-anonymous: Only the root needs to be identified.


INTRODUCTION
Many applications in distributed environments are based on the network topology or structure knowledge.The designed protocols often used this knowledge as input information.In our case, the knowledge is the vertex connectivity applied to design protocols on unreliable networks modeled by graphs.For routing applications [11], each node uses information about its neighborhood to update the routing tables when the topology changes.So, it is suitable to maintain dedicated structures to guarantee the perennity of the routing.An important measure in this routing schemes is the number of nodes (or processors) to be updated upon a topology change.In our context, we use a spanning tree of the network described as a graph: A distributed system is represented as a connected, undirected graph denoted by G = (V, E) where a node in V represents a process and an edge in E represents bidirectional communication link.
The Problem.Consider a system modeled by a graph G = (V, E).Let T = (V, E T ) be a spanning tree of G rooted at a distinguished node v 0 .We denote by N, where N ≥ 2, the number of the nodes of G and by M its number of edges.The degree of G is denoted by ∆.It is known that for a graph with a distinguished node, a distributed computation of a spanning tree can be easily performed [6].Therefore, the assumption of a pre-constructed spanning tree is not a loss of generality.The studied spanning tree maintenance problem is stated as follows.After the crash of a node v, we have to rebuild another spanning tree of G deprived of v with a minimum of changes.Obviously, if G becomes disconnected this fails.It is assumed that a crash detection service is implemented using unreliable failure detectors [4,5], satisfying: After the crash of some node, the crash detection service reaches a stable state and then all the neighbors are informed about the crash.The stability of the crash detection service is assumed to be reached in a finite time after the stability of its failure detectors.We consider a decentralized setting where nodes may crash by permanently halting and can perform only computations based on local knowledge.
Previous Works.The specific protocols devoted to maintain a spanning tree are proposed in [1,3,7,9].In [1], the authors studied the tree maintenance problem as the graph's topological changes after edge failures.The maintained spanning tree is obtained using incremental update procedures, the time complexity of their solution is O(∆ log M +N ).In [3], an algorithm to maintain a common data is presented.It operates in a communication network where nodes are arranged in a chain is presented.The solution is an improvement of some previous solutions including those based on Full Broadcast and on Broadcast with Partial Knowledge [2].The time complexity in both is O(N +M ).Therefore, the solution presented in [3] solved the Broadcast with Partial Knowledge problem in O((M + N ) log 3 M ).The protocol presented in [7] is composed of iterations to rebuild a spanning tree of a maximal connected component when an edge fails.The time complexity of such a protocol is in O("actual size ) of the biggest connected component adding an extra polylogarithmic time.Nevertheless these algorithms, either assume the network to be complete or the nodes have identities and deal with edge failures.Moreover, the notification service of failures are assumed to be reliable.In [9], the last assumption is not taken into account and node failures are considered.They, as described previously, use stable failure detectors.In order to encode such an algorithm, a structure called "expander graph" is implemented.This structure is more expensive than a simple spanning tree construction.
Our Contribution.In the presented work, we consider node failures in arbitrary network modeled by a graph.Here we assume that the graph G is k-connected.This guarantees the success of the maintenance of a spanning tree in the presence of k − 1 consecutive crashes.Our protocol uses only local knowledge.That is, to perform a computing step, only information related to the states of the neighbors is required.Especially, each node knows its neighbors in G and in the current spanning tree T the "position" of a node is done by its f ather except for the root, and a set of ordered sons.
Our algorithm works without any more assumption for any node failure except the root.Moreover, this protocol does not need a completely identified network.Only the root needs to be identified: the network is semi-anonymous.To take into account the particular case of a root failure, we just need to have an extra information: A son of the root has been chosen to start the algorithm, in the sequel it will be called the "succorer son".In the worst case, our algorithm takes O(N ) times and uses O(M + N ) messages and O(∆) bits per node.Note that the complete used memory is O(N × ∆) bits.
The rest of the paper is organized as follows.The model used to encode distributed algorithms is explained in Section 2. In Section 3, we present our approach, using formal modules, to deal with the problem of a maintenance of a spanning tree for 2-connected graphs in the presence of one failure.Section 4 shows the correctness of the presented protocol.Then, we extend the algorithm to treat k − 1 failures in k-connected graphs in Section 5. Analysis of the algorithm is given.Section 6 concludes the paper with a discussion about extended works.

PRELIMINARIES
The network is represented by an undirected graph in which each node represents a processor, and each edge is present between two nodes if their corresponding processors may "communicate".An algorithm in such a system consists of a local program at each node.The program encodes the local actions that processor may make.

Graphs
V is a set of nodes and E a set of edges connecting nodes.A graph is a couple (V, E) where E ⊆ V 2 .We use sometimes the notations V G , E G to denote respectively V, E where The integer l is called the length of p.A path P = (v 0 , ...., v l ) is simple if it does not contain cycles.The set of neighbors of node u is denoted by We use d(u, v) to denote the length of the shortest path in G between u and v.Then, the diameter of a graph G, denoted by D(G), is the longest distance among all pairs of nodes in G.
We say that the graph A graph is connected if for any pair of its nodes, there exists a path between them.Let V ⊆ V , we denote by G|V the restriction of G to the subgraph (V , {(u, v) ∈ E ∩ V 2 }).We also denote by G \ V the graph G|(V \ V ).When V is a singleton V = {v}, by abuse, we will use the notations G|v and G \ v.
A tree T = (V T , E T ) is a connected graph G that has no cycle and an elected node v 0 called the root.As usual, we associate with a tree, a partial order ≤ on V T defined by u ≤ v iff there exists a simple path u is the father of v and v is a son of u.We denote by Sons(v) the set of the sons of v.In the sequel, we assume that the list "Sons" of v is ordered.A node u ∈ V T with no son is called a leaf of T.Then, a spanning tree T = (V T , E T ) of a graph G is a tree such that V T = V G and E T ⊆ E G .The tree can be defined also by T (F ather, Sons).
the simple path in T where v l = v 0 then the tree T with v 0 as root, associates with the partial order ≤ defined by : is also a spanning tree of G.
We denote by T v a tree with root v. Formally, ∀ u ∈ V Tv , u ≤ v.We denote by T (u) \ v the maximal subtree of T that contains the node u, but not v.A vertex v of a connected graph G is a "cut-node" iff G \ v is not connected.

Definition 2.2 We denote by
for any pair u, v ∈ V there exists k disjoint paths linking u and v.

Message Passing Model
The model of the distributed system we will deal with is a point-to-point network of communicating entities.This system is modeled by a connected simple graph where each node represents an autonomous entity of calculation (e.g.thread, process, machine) and each edge a communication channel.The system is asynchronous; i.e. there is no global clock.The vertices have only local vision of the graph and communicate only with their neighbors by asynchronous messages.More precisely, a vertex v is equipped with ports, numbered from 0 to (deg(v) − 1), which will be used to communicate with neighbors.The attribution of these numbers is completely arbitrary and does not depend on the identities of the neighboring nodes.For a sake of clarity, in the explanation of the algorithms we refer to a node instead of its corresponding port number.Note, however, that in our solution the indentities of nodes are not required.We assume that, for a couple of neighboring vertices, the order of sending messages is the same as that of receiving them.For the algorithms presented in this paper, the network is anonymous which means that vertices have no identities.
Complexity measures in the message passing model are related to the number of messages and the amount of time as the local computations model.We will focus on the worst-case.So, we assume that each processor's state includes a subset of states to denote terminated states.After the reach of such states, actions of the program maps terminated states only to terminated states.Thus, we say that the algorithm has terminated (or ended) when all processors are in the terminated states and all messages are delivered.The message complexity of an algorithm implemented in the message passing model is the maximum of the total number of messages sent during all the possible executions of this algorithm.For the time complexity, we adopt the common approach assuming that the maximum message delay in any execution is one unit of time.Note that such a measure is not used to prove the correctness of such algorithms.Then, to calculate the time complexity of an algorithm it suffices to take the running time until the termination.A measure of a space complexity of a distributed algorithm is the size of the data stored at each node of the graph.Obviously, the concrete memory used is the size of all the data in the graph.

Spanning Tree Module
We present here the classical distributed algorithm to compute a spanning tree T of a graph G, encoded in the message passing model.Since it will be used by our algorithm, it is presented as a "module" with parameters2 .This notion of module is similar to the interacting components used in [8].The spanning tree module is referenced as follows: STM(G, T; v 0 ; Stage, X, Y; Father; Sons), where G is the treated graph and the module builds a spanning tree T rooted at v 0 .The structure of T is stored locally in each node using the labels F ather and Sons described previously.Initially, all the nodes v have their variables "Stage" valued to X.At the end of the computation, each node v has its variable modified in such a way Stage(v) = Y.The following distributed algorithm describes an implementation of the spanning tree module.E) and v 0 the chosen root.

-Variables:
* B(v): the set of (locally) ordered immediate neighbors of v which is an initial data, * Stage(v): the state of v can take many values.The only used in this module is: "X" as the initial value, "W A" to mean that v has been included in the tree and "Y " to mean that v finished locally its computation; * F ather(v): is the father of v in the on-building spanning tree; Here, the variable F ather, set to ⊥, means that the corresponding node has no defined father.At any step of the computation, when a node v, not yet in the tree (Stage(v) = W A) receives a st tok message from its neighbor w, node v includes itself in the tree by changing its Stage to W A. Moreover, in the same time, F ather(v) is set to w, set "Included" is now composed of w and set "Terminated" is initialized to ∅.Finally, v informs w to be add in its set of sons sending a st son message.At the reception of such a message, w adds v in both its sets of sons and in the set of nodes that are included in the tree ("Included").So at each execution of the rule ST A2( 1), the number of nodes not yet in the tree decreases by 1.When v finds all its neighbors already included in the tree, it applies either the action ST A2( 2), ST A2 (6) or ST A4 (1) .So it means that v has locally terminated its computation, then it informs its father ST A4 (2).Note that this action is executed firstly by the leaves.
The computation finishes when all the nodes v are such that Stage(v) = Y.And obviously we have a spanning tree of G rooted at v 0 defined by the third components (or the fourth components) of the variables of the nodes.The root of the spanning tree is then the unique node with its father equals to ⊥ .
Then, the following property holds: E) and a chosen node v 0 .The spanning tree module constructs a spanning tree of G rooted at v 0 using (2#E + #V − 1) messages.
In the sequel, we will need to define some modules to encode our algorithms.For a sake of uniformity, modules will use the following standard header format.
The header is composed of its name and a set of optional parameters.Each of the sets is separated using the character ;.The first set of parameters is the structures of the manipulated graph, the second is a set of the distinguished nodes.The rest is related to used data (variables), their required initialization values and their expected values.

Crash Detection Module (CDM (G; Crashed)).
The crash detection module is based on an unreliable failure detection service.Such a service may be implemented in asynchronous distributed systems using timeout and heartbeat strategy for example (see [4,5]).The CDM informs, only after the stability of its corresponding failure detector, each node about the possible crash of one of its neighbors.Thus, after such an indication, the failure detector of any non crashed node v has detected all the crashed neighbors which are now stored in a list of crashed neighbors Crashed(v).Moreover, all the sets used to encode the state of each process will be avoided from crashed processes.For example, the set Sons(v) is composed of the sons of v without crashed sons.If the father of a node v is in Crashed(v), then it is set to ⊥ .Thus, we denote by GST 3 the time after which the failure detectors of all nodes stabilize.We assume that the time unit used to measure the failure detector stability is the same as the one used to measure our distributed algorithm.Therefore, the cost of the CDM is in O(GST ) times and then uses also O(GST ) messages for each failure occurrence.

PROTOCOL FOR 2-CONNECTED GRAPHS AND ONE FAILURE
In this section we present a protocol to maintain a spanning tree of 2-connected graphs in the presence of one failure.Our algorithm starts with a spanning tree of the graph G associated with the network.Such a tree has been obtained using the same algorithm as the one given in the previous section.We will use an occurrence of the well-known Menger's theorem [12]: We consider a graph G with a spanning tree T rooted at v 0 .When a node v f crashes, using the crash detection module, the neighbors of v f know this crash.In this case when v f is not the root v 0 this information is propagated to v 0 .Then, v 0 is in charge to rebuild a spanning tree of G \ v f .In the particular case of a crash of v 0 , a pre-chosen son of v 0 called a "succorer son" will assure this charge.So during the construction of a spanning tree T of G, the root v 0 chooses locally one of its sons as its succorer son.We will use the label Suc to encode such an information.In T, there is only one node with Suc is equal to true.In the sequel, the node in charge of the construction of the new spanning tree will be called the "maintainer node".Now, we will first present an overview of our algorithm, referred to as MOST algorithm in the rest of the paper.Then, we describe the three steps of the algorithm in more detail, proving their correctness and analyzing their complexities using assumptions related to the asynchronous message passing model.Let v f be a crashed node.
1. detection of a crash.Neighbors of the crashed node detect that node v f is crashed.2. propagation.Father of the crashed node, if it exists, informs the root of the tree that some node in its sons is crashed.3. maintenance.Maintainer node updates the spanning tree of G \ v f .
Step two can be very short if it is the root that has crashed: The succorer son of the root becomes the maintainer node.It is the only one Suc is equal to true.If v f is not the root of T, the father of v f generates an information to be propagated along the simple path linking it to v 0 .Then v 0 becomes the maintainer node.Such a task is done using a simple path propagator module (see below).The third and last step is more delicate.It corresponds to the maintenance module detailed in the sequel.
Simple Path Propagator Module (SP P M (T ; v; T raversed, X, Y )).The aim of this module is to propagate an information along a simple path linking node v to the root of a tree T = (V, E T ).We will introduce the label T raversed to notice the expected distinguished simple path.Initially, all the nodes have their variables "Traversed" valued X.At the end of the application of this module each node u in the simple path has its variable "Traversed" set to Y.This module is implemented using the first part of the root changing module.Thus, the application of the SP P M to T requires, in the worst case, the use of #V − 1 messages.
Maintenance Module (M ST M (G, T ; r)).This module is applied by the maintainer node r.It works as follows.We denote by T the "on-building" spanning tree of G \ v f .The M ST M is composed of the following phases: 1. computes the base of the tree.This base of T is the subtree of T \ v f4 rooted at r.It is identified using a marking procedure (see below).2. search extension.Using a "depth-first trip" [10] on T each node v is visited until one of the neighbor of v is not yet included in the current tree T .3. connection is found.The visited node v finds a neighbor u that is not in the "on-building" tree.
Such a node is called a connection entry and v is named a connection node.Therefore, the edge (u, v) is added to T .The subtree of T containing u is reorganized in such a way that u becomes its root using the root changing module (see below).Then, this subtree is included in T and its nodes are marked as nodes of T .Now, the search of isolated subtrees is restarted on the extended T .
Since G is a 2-connected graph, when the "depth-first trip" is terminated all the nodes of G \ v f has been included in T and the algorithm terminated.
The full description of the maintenance module is given in the following.This module is composed of nine actions and uses two modules: The marking module and the root changing module.Such modules are shortly described below.
Marking Module (M M (T ; v 0 ; Stage, X, Y )).After the execution of the algorithm, the label of each node v has been changed into Stage(v) = Y.More precisely, assuming that each node has its variable "Stage" set to X in T. The node v 0 starts the module.It modifies its stage: At any time, a node v with "Stage" equal to W broadcasts a m tok message to all its sons in T. If v receives such a message, its stage will be set to W if it has sons.Otherwise, if it has no son or all its sons are marked: It marks itself Y and informs its father about this change sending a m back message.Then, when the father of such a node receives this message, it adds this son to its list of marked sons.The end of this module is detected by the root when it receives a m back message from each of its sons in T. The cost of this module when applied to a tree Root Changing Module (RCM (T ; r)).This module will be used to change the root of a tree T. So if a node r has to replace the root v 0 , it starts the module: It sets its variable "Stage" to W and sends a rc tok message to its father in the "old tree" 5 .At the reception of such a message by v = v 0 , it changes its stage from A to W and sends a rc tok message to its father in the "old tree".When v 0 , is attained from w, its son in the "old tree", v 0 sets its stage to A and its father to w and sends a rc son message to w.Then, the process is applied reversibly to all the nodes in the "to be modified path".The RCM uses, in the worst case, (2#V − 2) messages when applied to a tree T = (V, E).Now, we present an implementation of the maintenance module in the asynchronous message passing model where v f crashes 6 .
Maintenance Module : M ST M (G, T ; r) • Input: A graph G = (V, E) with a spanning tree T = (V, E T ), and a maintainer node r. -Variables: -Initialization: Let p be a port number in T o Explore(v); T o Explore(v) := T o Explore(v) \ {p}; 5 The subtree rooted at v 0 6 v f is stored in the Crashed list of its neighbors.send<mst son> via port q; 2: else T o Ignore(v) := T o Ignore(v) \ {q}; send<mst fail> via port q; MST A4 : {A message <mst son> has arrived at v from port q} Stage(v) := SC; Sons(v) := Sons(v) ∪ {q}; T o Explore(v) := T o Explore(v) ∪ {q}; MST A5 : {For each node v such that Stage(v) = F , execute once:} MST A6 : {A message <mst included> has arrived at v from port q } T o Ignore(v) := T o Ignore(v) ∪ {p}; MST A7 : {A message <mst fail> has arrived at v from port q} Stage(v) := SC; MST A8 : {A message <mst deleg> has arrived at v from port q} P otential(v) MST A9 : {A message <mst ended> has arrived at v from port q} 1: The maintainer node r initiates the computation: It is the only one that executes action M ST A1.So r executes the marking module.When r finishes the execution of this module, its subtree T r in T is marked F. It means that this subtree is included in the on-building tree.Node r switches to the "searching connection" phase (Stage(r) = SC).Then, step by step, a tree T r rooted at r is extended.At any time there is only one node in the "searching connection" phase and this node is in charge to extend the construction of the tree it belongs to.
Node v such that Stage(v) = SC with no empty "Potential" set starts the search of connection sending a mst sc message via one of its potential ports (sub-action M ST A2( 1)).If a node u is a connection entry (Stage(u) = A) received this message, it executes action M ST A3 (1) to prepare the extension of T .So its subtree is added to T after a reorganization.
Let T (u) \ v f be a tree that contains the connection entry u.Node u starts the execution of the root changing module.The marking module is then applied to the tree rooted at u. Now, u is ready to include the tree T , variable F ather of u is set to v and a mst son message is sent to v. When a mst son message has arrived at v from u, node u is added in both Sons(v) and T o Explored(v) (action M ST A4).That is, T is extended and v continues the search of another connection entry.
At any time, the actions M ST A5 and M ST A6 are used to update the lists "Potential" and to prepare their computations using the lists "To Ignore".These actions may be executed concurrently with the other actions.If Stage(v) = F then u cannot be a candidate for reconnection since it is yet in the tree and so it must be avoided from the lists "Potential" of its neighbors.Moreover, the neighbors of v yet in the tree (their variables Stage are valued F, W, SC) has to be ignored in its "Potential".
When a node v is in "searching connection" phase and has an empty list "Potential", which arises when it has no neighbor as connection entry (A) and all it neighbors are marked F have avoided themselves from its list "Potential", v executes action M SAT 2(2) to mean that it does not succeed to find an extension for T .So one of its sons, if possible, is chosen to become in the "searching connection" phase.To do this, v sends a mst deleg message to this son.The list of the candidate nodes to a reconnection from the "chosen" son is computed ("Potential") executing action M ST A8 followed by action M ST A2 .
Eventually, some node v in T has extended its subtree as much as possible (Stage(v) = Ended), so it informs, with action M ST A2(3) (or M ST A9( 3)), its father sending a mst ended message.At the reception of this message, the father can proceed the extension search from one of its other sons executing action M ST A9.
Furthermore, only r detects the end of the extension search ( F ather(r) =⊥ ): When Stage(r) = Ended a largest subtree rooted at r of G \ v f has been computed.

PROOF OF CORRECTNESS AND ANALYSIS OF THE MOST ALGORITHM
We recall that after the detection of a crash of a node v f in G by the crash detection module (CDM ), the initial spanning tree of G is disconnected.The goal of our algorithm is to rebuild a spanning tree of G \ v f .Now, we show the correctness of the MOST algorithm using a scheme based on the modules properties and the graph connectivity.We use MOST instead of maintenance of a spanning tree.Our proofs assume that when the modules are executed in some action they are executed as atomic steps with the two following consequences: • Each module does its expected task, • Each module terminates during the execution of the action referencing it.
We will based our proof and analysis on the main module of our algorithm: The maintenance module.The analysis will be closed with space and time complexity measures.

Lemma 4.1
Let G be a 2-connected graph and T be a spanning tree of G rooted at v 0 .Then the tree T r rooted at r (the maintainer node) built by the M ST M is a spanning tree of G \ v f .
Overview of the Proof.The proof is by induction on the number of disconnected subtrees.We consider the two following cases.After the crash of a node v f , the tree T is disconnected.We denote by #strees the number of disconnected subtrees of T such that: We must show that after such event, the maintenance module will reconnect such subtrees to construct a spanning tree T of G \ v f .We define the property C on a graph G and a given node Since G is a 2-connected graph and then v f is not a "cut-node", the property C is verified for (G, v f ).If #strees = 1 : For case1, the root has only one son and the succorer son of v 0 becomes without any change the root of a spanning tree of G \ v f .The algorithm works correctly since starting from a graph G, the succorer son of v 0 executes action M ST A1 to mark its subtree, followed by action M ST A2(3) to detect the end of the maintenance procedure.In case2, v f is a leaf and then T \ v f is a spanning tree of G \ v f .The tree rooted at v 0 remains a spanning tree of G \ v f .As previously, the algorithm works correctly.
The induction property is stated as follows.Let G = (V, E) be a graph and v f ∈ V a crashed node.Then, for all spanning tree T of G, if T \ v f is disconnected into less than l ≥ 1 subtrees then the M ST M builds a spanning tree of G \ v f .Now, suppose that the algorithm works correctly for l ≥ 1.So let T be a spanning tree of For case1, u 0 is assumed to be the succorer son of v f .For case2, we can assume that u 0 = v 0 .So the M ST M algorithm starts with u 0 as a maintainer node (M ST A1).Since G is a 2-connected graph, there are w 0 ∈ V 0 and w j ∈ V j such that w 0 is a connection node and w j is its corresponding connection entry.These nodes are detected during the "depth-first trip" on T 0 induced by the application of the actions M ST A2(2), M ST A4, M ST A7, M ST A8, M ST A9.
Then, the actions M ST A3 (1) and M ST A4 are applied.These actions modifies T 0 adding a subtree T j = (V j , E j ) which is the result of the application of the RCM to T j = (V j , E j ) with a new root w j .
Let T 0 be the subtree T 0 augmented by T j and the edge (w 0 , w j ).Let T = (V, E ) be the spanning tree of G where E = {E T \ (E j ∪ (v f , u j ))} ∪ (E j ∪ (w 0 , w j )).Thus, consider the application of the M ST M on G and T when a crash of v f occurred.Then the tree T is splitted into exactly l disconnected subtrees.Hence by the induction hypothesis the M ST M succeeds to maintain a spanning tree of G \ v f .
The algorithm uses the same actions than the algorithm applied to G and T. It is easy to see that the "depth-first trip" leads the algorithm to treat the node w 0 since it has not found a connection before: Otherwise, w 0 would be a connection node when the algorithm is applied to G and T. So the application of the M ST M to G and T leads to the same structure than M ST M applied to G and T after the fusion of T j in T 0 .The application of the M ST M to G and T leads to the same result than M ST M applied to G and T .Since the execution of the M ST M on G and T succeeds the execution of the M ST M on G and T succeeds.
For the message complexity, we will show in the following the worst case of the execution of the M ST M : 1.The action M ST A1 can only be applied once.So its cost is due to the application of the marking module to the nodes of the subtree rooted at r : At most (2#V Tr − 2) messages.2. The action M ST A2 is applied by each node of the graph G \ v f such that its "Stage" variable is set to SC .The application of this action involves, in the worst case, c 1 mst sc messages, c 2 mst deleg messages, such that c 1 + c 2 = deg(G) − 1, and one mst ended message.So, in the worst case, the total cost of the action M ST A2 is 2#E messages.3. The action M ST A3 can be also applied only once for each node of the subtrees rooted at the sons of v f different from r.So its cost is due to the application of the marking module to each of these subtrees augmented by the cost of the root changing module.The number of calls of this modules is exactly the number of sons of v f .The modules cost is at most where v i ∈ Sons(v f ) : Adding the cost of M ST A1, this part of the action is bounded by 4#V − 4#Sons(v f ).At each reconnection one mst son message will be sent, otherwise one mst fail will be sent if the reconnection failed.At most the rule 4. The action M ST A4 does not involve messages.5.The action M ST A5 is applied once by each node to update the "To Ignore" and the "Potential" sets of its neighbors not in the tree.So, a priori, the cost of the application of this action is 2#E, but since we use the list "To Ignore" only #E, applications are necessary.Moreover, the edges of the tree have not to be taken into account and also the sons of v f .Finally, the cost of the use of Both the actions M ST A7, M ST A8 do not involve messages.7. The action M ST A9 sends one mst deleg message and one mst ended message over the edges of the tree without v f (induced by the use of the "depth-first trip").Thus, this action uses at most 2(#V − 2 − #Sons(v f )) messages.
Then, Lemma 4.2 Let G = (V, E) be a graph.If the M ST M is applied to G then it uses at most 4(#E + #V ) messages.
For the space requirements, each node v has the following local variables.They may be decomposed into two components: 1. B(v), Sons(v), F eedbacks(v), T o Explore(v), P otential(v), T o Ignore(v), Crashed(v), 2. Stage(v), F ather(v), T raversed, Suc(v).The cost of the MOST algorithm is those of the maintenance module adding the cost of the failure detection module and the simple path propagator module.The last module is not invoked when the crashed node is the root.
To analyze the time complexity of algorithms based on graph exploration on asynchronous networks, we use a level number and a diameter defined in Section 2.1 to help us in the proofs of the worst case bound.We associate with leaves of a tree T level l 0 = 0 and the level of each node is the maximum level number of its sons plus 1.This number will be computed during the construction of the spanning tree of G using the spanning tree module (see Section 2.3).So the message st back is replaced by the level number.We introduce the function T o number(msg) (resp.T o message(level) ) to convert the st back message (resp.the level number) to a level number (resp. to an st back message).Thus, rules ST A2 and ST A4 of the spanning tree module are modified such as: • The level number level(v) is initialized to 0 in ST A2 (1).Then, the message T o message(level(v)) is used as a substitute for st back message.
• ST A4 : {A message <st back> has arrived at v from port q} T erminated(v The two following lemma follows the definition and the computation of the level: Proof.Initially, let T 0 be the tree containing the leaves of the tree to be build.Every leaf node v l has level level(v l ) = 0.At this step, the leaves are discovered (rule ST A2 ).The tree T l is obtained after the local termination of the nodes of level l − 1.This step involves the send of their level numbers (rule ST A4( 2) ).So, we can do this at most D(G) times before we get a spanning tree of G. Thus, the maximum level number obtained is D(G).Sketch of the Proof.Let t 0 be the time at which all the nodes of G are included in the on-building tree T (labeled W A).Then, by induction we show that each node v at level l in the graph, v will sent an st back message within t 0 + l time.
From the two previous lemmas, we deduce: Using the same proofs, we claim the following: Lemma 4.7 Given a tree T = (V, E).The application of the marking module (M M ) to T uses at most 2D(T ) time.
• Then the new root checks if it has a succorer son: -if the root is newly defined, it deactivates its status as the succorer son of the crashed root, and it chooses one of its sons to become its succorer son.-if the crashed node is a succorer son, then the root chooses, if it's possible, another son to become its succorer son.-otherwise, the maintenance module doesn't need to update the succorer son.
Assuming that the time between each consecutive failure occurrence is greater than the time needed to treat each failure, Theorem 5.1 Let G be a k-connected graph where k ≥ 2. The MOST k algorithm constructs a spanning tree of any graph G \ H such that H is a subgraph of G and #V H ≤ (k − 1).
Proof.We will prove this theorem by induction on the number of failures.Let P be a property that at any time, the root has its succorer son.That is, after the first crash, let v f 1 be the crashed node, the protocol works as mentioned above to update the spanning tree of G \ v f 1 adding the maintain of the property P.This property requires an updating if v f1 is the root which consists on associating a succorer son with the succorer son of v f1 .We denote by s i the step corresponding to the failure i and by r i the root of the corresponding spanning tree denoted by T r i .At step s 0 , T r 0 is the root of G \ ∅ 8 .Only r 0 admits a succorer son.We assume that a pre-chosen son of r 0 denoted r 1 is identified to become the succorer son of r 0 .
At the next step failure s 1 , if the crashed node is r 0 then the protocol updates a spanning tree of G \ r 0 .So, the tree T r1 , is a spanning tree of G \ r 0 and some son of r 1 is chosen to become its succorer son ( r 2 ).Otherwise, if the crashed node is not r 0 , we have two cases.If r 1 crashes, then r 0 chooses another son to become its succorer son.Otherwise, the property P remains verified without any requirement.Now, we suppose that at step s l such that l < k − 1, the protocol works correctly.To prove that the protocol works correctly for the next failure occurrence, we will consider the application of the algorithm on the resulting graph.Let H be a subgraph of G such that #V H = k − 1.The protocol works correctly for any subgraph of size less that k − 1.Let Q be a subgraph of H such that #V Q = k − 2. We denote by T (k − 2) the spanning tree of G \ Q.To show that the MOST k algorithm is able to build a spanning tree of G \ H, it suffices to consider the application of the algorithm on G \ Q after one failure.Therefore, the algorithm works correctly and the theorem holds.
Corollary 5.2 Let G = (V, E) be a k-connected graph and T be a spanning tree of G .After the crash of some set of nodes V H such that #V H ≤ k − 1, the MOST k algorithm maintains a spanning tree of G \ H in O(#V H × #V ) time using O(#V H × (#E + #V )) messages and O(deg(G)) bits per node.
Remark.Our algorithm works correctly for complete graphs tolerating any number of failures, since the graph remains connected.

CONCLUSION AND FUTURE WORKS
The main focus of this work has been to design a distributed protocol which executes on kconnected networks to reorganize a spanning tree within those networks.The maintenance of this structure (spanning tree) by incremental updates is studied in unreliable networks in the presence of crash failures.
The paper has two major contributions.First, we present a new formalization of such a problem using an occurrence of the Menger's theorem and its relation with the possible construction of a spanning tree.The notion of succorer son is also introduced.Second, the protocol is 8 All the nodes of the graph G are alive nodes.implemented and analyzed in the asynchronous message passing model.To present easily the last contribution, we divided our protocol on a set of phases achieved using a set of modules.The algorithm tolerates k − 1 consecutive failures when applied to a k-connected graph.It's based on an incremental application of the maintenance-update module.So at any step, this module is responsible for both maintaining of the spanning tree and for updating the succorer son.For a given graph G = (V, E), after each failure occurrence, our algorithm maintains a spanning tree of the resulted graph and computes the succorer son of its root in O(#V ) time using at most O(#E + #V ) messages and O(deg(G)) bits per node.
The connectivity of a network can be used to measure the network's reliability.Our protocol is based on the knowledge of spacial connectivity structures within the network which leads to optimization of distributed control applications.But, for a k-connected network if more than k − 1 crashes occur, the network is splited and partitioned into many components.In this case only one connected component is taken into account by our algorithm.It would be desirable to maintain a dynamic forest of trees in such networks.
Our approach assumes that each process is equipped with an unreliable local failure detector, with a minimum required properties to solve a consensus problem [4].Even, such failure detectors guarantee the reach of "stable" periods: During such periods, the failure detectors are accurate.So, our applications work during these periods and such assumption may only make our applications delayed.Another extension is to deal with the case of unreliable failure detectors without assumptions.So, protocol to maintain spanning tree starts before the reach of the stabilization periods.We are interested to design approximation algorithms to deal with the maintenance problem with errors.

Lemma 4 . 4
Given a graph G with diameter D(G), the maximum node level number assigned during the execution of the ST M is bounded by D(G).

Lemma 4 . 5
During the execution of the ST M on the graph G, the node at level l will have sent a st back message within D(G) + l time.

Lemma 4 . 6
The execution of the ST M on the graph G uses at most 2D(G) time.
Thus, to encode the first component every node needs to maintain subsets of its neighbors as descendants, for the set of sons for example.So, every node v needs 7deg(v) bits to store this component, where deg(v) is the degree of v.By taking into account the other variables used in the second component, we can claim that the total memory requirement of each node v is 7 deg(v) + log 2 7 + 3 log 2 2. bits.Then,