A Distributed Consensus Algorithm for Decision Making in Service-Oriented Internet of Things

2023年全国硕士研究生招生考试英语（一）试题Section I Use of EnglishDirections:Read the following text.Choose the best word(s)for each numbered blank and mark A,B,C or D on the ANSWER SHEET.(10points)Caravanserais were roadside inns that were built along the Silk Road in areas including China, North Africa and the Middle East.They were typically__1__outside the walls of a city or village and were usually funded by governments or__2__.This word"Caravanserais"is a__3__of the Persian word"karvan",which means a group of travellers or a caravan,and seray,a palace or enclosed building.The Perm caravan was used to __4__groups of people who travelled together across the ancient network for safety reasons, __5__merchants,travellers or pilgrims.From the10th century onwards,as merchant and travel routes become more developed,the __6__of the Caravanserais increased and they served as a safe place for people to rest at night. Travellers on the Silk Road__7__possibility of being attacked by thieves or being__8__to extreme conditions.For this reason,Caravanserais were strategically placed__9__they could be reached in a day's travel time.Caravanserais served as an informal__10__point for the various people who travelled the Silk Road.__11__,those structures became important centers for culture__12__and interaction, with travelers sharing their cultures,ideas and beliefs,__13__talking knowledge with them, greatly__14__the development of several civilizations.Caravanserais were also an important marketplace for commodities and__15__in the trade of goods along the Silk Road.__16__,it was frequently the first stop merchants looking to sell their wares and__17__supplies for their own journeys.It is__18__that around120,000to15, 000caravanserais were built along the Silk Road,__19__only about3000are known to remain today,many of which are in__20__.1.[A]displayed[B]occupied[C]located[D]equipped2.[A]privately[B]regularly[C]respectively[D]permanently3.[A]definition[B]transition[C]substitution[D]combination4.[A]classify[B]record[C]describe[D]connect5.[A]apart from[B]instead of[C]such as[D]along with6.[A]construction[B]restoration[C]impression[D]evaluation7.[A]doubted[B]faced[C]accepted[D]reduced8.[A]assigned[B]subjected[C]accustomed[D]opposed9.[A]so that[B]even if[C]now that[D]in case10.[A]talking[B]starting[C]breaking[D]meeting11.[A]By the way[B]On occasion[C]In comparison[D]As a result12.[A]heritage[B]revival[C]exchange[D]status13.[A]with regard to[B]in spite of[C]as well as[D]in line with14.[A]completing[B]influencing[C]resuming[D]pioneering15.[A]aided[B]invested[C]failed[D]competed16.[A]rather[B]indeed[C]otherwise[D]however17.[A]go in for[B]stand up for[C]close in on[D]stock up on18.[A]believed[B]predicted[C]recalled[D]implied19.[A]until[B]because[C]unless[D]although20.[A]ruins[B]debt[C]fashion[D]seriesSection II Reading ComprehensionPart ADirections:Read the following four texts.Answer the questions after each text by Choosing A,B,C or D. Mark your answers on the ANSWER SHEET.(40points)Text1The weather in Texas may have cooled since the recent extreme heat,but the temperature will be high at the State Board of Education meeting in Austin this month as officials debate how climate change is taught in Texas schools.Pat Hardy,a conservative member of the board who sympathises with the views of the energy sector,is resisting proposed changes to science standards for pre-teen pupils.These would emphasise the primacy of human activity in recent climate change and encourage discussion of mitigation measures.“In the national standards,everything has to do with climate change—that’s very lopsided,”she claims.“There are as many scientists working against all the panic of global climate change as there are those who are pushing it.Texas is an energy state and we need to recognise that.You need to remember where your bread is buttered.”Most scientists and independent experts sharply dispute her views.“What millions of Texas kids learn in their public schools is determined too often by the political ideology of partisan boardmembers,rather than facts and sound scholarship,”says Dan Quinn,senior communications strategist at the Texas Freedom Network,a non-profit group that monitors public education.“They casually dismiss the career work of scholars and scientists as just another misguided opinion.”Such debates reflect fierce discussions across the US and around the world,as researchers, policymakers,teachers and students step up demands for a greater focus on teaching about the facts of climate change in schools.A study last year by the National Center for Science Education,a non-profit group of scientists and teachers,looking at how state public schools across the country address climate change in science classes,gave barely half of US states a grade B+or higher.Among the10worst performers were some of the most populous states,including Texas,which was given the lowest grade(F)and has a disproportionate influence because its textbooks are widely sold elsewhere.Glenn Branch,the centre’s deputy director,cautions that setting state-level science standards is only one limited benchmark in a country that decentralises decisions to local school boards. Even if a state is considered a high performer in its science standards,“that does not mean it will be taught”,he says.Another issue is that,while climate change is well integrated into some subjects and at some ages—such as earth and space sciences in high schools—it is not as well represented in curricula for younger children and in subjects that are more widely taught,such as biology and chemistry.It is also less prominent in many social studies courses.Branch points out that,even if a growing number of official guidelines and textbooks reflect scientific consensus on climate change,unofficial educational materials that convey more slanted perspectives are being distributed to teachers.They include materials sponsored by libertarian think-tanks and energy industry associations.21.In paragraph1,the weather in Texas is mentioned toA.forecast a policy shift in Texas schools.B.stress the consequences of climate change.C.indicate the atmosphere at the board meeting.D.draw the public's attention to energy shortages.22.What does Quinn think of Hardy?A.she exaggerates the existing panic.B.she denies the value of scientific work.C.she shows no concern for pre-teens.D.she expresses self-contradictory views.23.The study mentioned in Paragraph5A.climate education is insufficient at state public schools.B.policy makers have little drive for science education.C.Texas is reluctant to rewrite its science textbooks.D.environmental teaching in some states lacks supervision.24.According to Branch,state-level science standards in the USA.call for regular revisionB.require urgent applicationC.have limited influenceD.cater to local needs25.It is implied in the last paragraph that climate change teaching in some schoolsA.agree to major public demandsB.reflects teachers'personal biasC.may mispresent the energy sectorD.can be swayed by external forcesText2Communities throughout New England have been attempting to regulate short-term rentals since sites like Airbnb took off in the2010s.Now,with record-high home prices and historically low inventory,there’s an increased urgency in such regulation,particularly among those who worry that developers will come in and buy up swaths of housing to flip for a fortune on the short-term rental market.In New Hampshire,where the rental vacancy rate has dropped below1percent,housing advocates fear unchecked short-term rentals will put further pressure on an already strained market. The state Legislature recently voted against a bill that would’ve made it illegal for towns to create legislation restricting short-term rentals.“We are at a crisis level on the supply of rental housing,”said Nick Taylor,executive director of the Workforce Housing Coalition of the Greater Seacoast.Without enough affordable housing in southern New Hampshire towns,“employers are having a hard time attracting employees,and workers are having a hard time finding a place to live,”Taylor said.However,short-term rentals also provide housing for tourists,pointed out Ryan Castle,CEO of a local association of realter.“A lot of workers are servicing the tourist industry,and the tourism industry is serviced by those people coming in short term,”Castle said,“and so it’s a cyclical effect.”Short-term rentals themselves are not the crux of the issue,said Keren Horn,an affordable housing policy expert at the University of Massachusetts Boston.“I think individuals being able to rent out their second home is a good thing.If it’s their vacation home anyway,and it’s just empty, why can’t you make money off it?”Horn said.Issues arise,however,when developers attempt tocreate large-scale short-term rental facilities—de facto hotels—to bypass taxes and regulations.“I think the question is,shouldn’t a developer who’s really building a hotel,but disguising it as not a hotel,be treated and taxed and regulated like a hotel?”Horn said.At the end of2018,Governor Charlie Baker signed a bill to rein in those potential investor-buyers.“The bill requires every rental host to register with the state,mandates they carry insurance,and opens the potential for local taxes on top of a new state levy,”the Globe reported. Boston took things even further,limiting who is authorized to rent out their home,and requiring renters to register with the city’s Inspectional Services Department.Horn said similar registration requirements could benefit other struggling cities and towns. The only way to solve the issue,however,is by creating more housing.“If we want to make a change in the housing market,the main one is we have to build a lot more.”26.Which of the following is true of New England?A.Its housing supply is at a very low level.B.Its communities are in need of funding.C.Its rental vacancy rate is going up slowly.D.Its home prices are under strict control.27.The bill mentioned in Paragraph2was intended toA.curb short-term rental speculation.B.ensure the supply of cheap housing.C.punish illegal dealings in housing.D.allow a free short-term rental market.pared with Castle,Taylor is more likely to supportA.further investment in local tourism.B.an increase in affordable housing.C.strict management of real estate agents.D.a favorable policy for short-term workers.29.What does Horn emphasize in Paragraph5?A.The urgency to upgrade short-term rental facilities.B.The efficient operation of the local housing market.C.The necessity to stop developers from evading taxes.D.The proper procedures for renting out spare houses.30.Horn holds that imposing registration requirements isA.an irrational decision.B.an unfeasible proposal.C.an unnecessary measure.D.an inadequate solution.Text3If you’re heading for your nearest branch of Waterstones in search of the Duchess of Sussex’s new children’s book The Bench,you might have to be prepared to hunt around a bit;the same may be true of The President's Daughter,the new thriller by Bill Clinton and James Patterson.Both of these books are published next week by Penguin Random House,a company currently involved in a stand-off with Waterstones.The problem began late last year,when Penguin Random House confirmed that it had introduced a credit limit with Waterstones“at a very significant level”.The trade magazine The Bookseller reported that Waterstones branch managers were being told to remove PRH books from prominent areas such as tables,display spaces and windows,and were“quietly retiring them to their relevant sections”.PRH declined to comment on the issue,but a spokesperson for Waterstones told me:“Waterstones are currently operating with reduced credit terms from PRH,the only publisher in the UK to place any limitations on our ability to trade.We are not boycotting PRH titles but we are doing our utmost to ensure that availability for customers remains good despite the lower overall levels of stock.We do this generally by giving their titles less prominent positioning within our bookshops.In the meantime,PRH authors have been the losers-as have customers,who might expect the new titles from the country’s biggest publisher to be prominently displayed by its biggest book retailer.Big-name PRH authors may suffer a bit,but it’s those mid-list authors,who normally rely on Waterstones staff’s passion for promoting books by lesser-known writers,who will be praying for an end to the dispute.It comes at a time when authors are already worried about the consequences of the proposed merger between PRH and another big publisher,Simon&Schuster-the reduction in the number of unaligned UK publishers is likely to lead to fewer bidding wars,lower advances,and more conformity in terms of what is published.And one wonders if PRH would have been confident enough to deal with Waterstones in the way it has if it weren’t quite such a big company(it was formed with the merger of Penguin and Random House in2013)and likely to get bigger.“This is all part of a wider change towards concentration of power and cartels.Literary agencies are getting bigger to have the clout to negotiate better terms with publishers,publishers consolidating to deal with Amazon,”says Lownie.“The publishing industry talks about diversity in terms of authors and staff but it also needs a plurality of ways of delivering intellectual contact, choice and different voices.After all,many of the most interesting books in recent years have come from small publishers.”We shall see whether that plurality is a casualty of the current need among publishers to be big enough to take on all-comers.31.the author mentions two books in the paragraph1to presentA.an ongoing conflictB.an intellectual conceptC.a prevailing sentimentD.a literary phenomenon32.Why did Waterstones shops retire PRH books to their relevant sections?A.To make them easily noticeable.B.To comply with PRH's requirement.C.To respond to PRH's business move.D.To arrange them in a systematic way.33.What message did the spokesman of Waterstones seem to convey?A.their customers remain royalB the credit limit will be removedC.their stock is underestimatedD.the book market is rather slack34.What can be one consequence of the current dispute?A Sales of books by mid-list PRH writers fall off considerablyB Lesser-known PRH writers become the target of criticismC Waterstones staff hesitate to promote big-name author's booksD Waterstones branches sutter a severe reduction in revenue35.Which of the following statements best represents Lownie's view?A Small publishers ought to stick togetherB Big publishers will lose their dominanceC The publishing industry is having a hard timeD The merger of publishers is a worrying trendText4Scientific papers are the recordkeepers of progress in research.Each year researchers publish millions of papers in more than30,000journals.The scientific community measures the quality of those papers in a number of ways,including the perceived quality of the journal(as reflected bythe title’s impact factor)and the number of citations a specific paper accumulates.The careers of scientists and the reputation of their institutions depend on the number and prestige of the papers they produce,but even more so on the citations attracted by these papers.Citation cartels,where journals,authors,and institutions conspire to inflate citation numbers, have existed for a long time.In2016,researchers developed an algorithm to recognize suspicious citation patterns,including groups of authors that disproportionately cite one another and groups of journals that cite each other frequently to increase the impact factors of their publications. Recently,another expression of this predatory behavior:so-called support service consultancies that provide language and other editorial support to individual authors and to journals sometimes advise contributors to add a number of citations to their articles.The advent of electronic publishing and authors’need to find outlets for their papers resulted in thousands of new journals.The birth of predatory journals wasn’t far behind.These journals can act as milk cows where every single article in an issue may cite a specific paper or a series of papers.In other instances,there is absolutely no relationship between the content of the article and the citations.The peculiar part is that the journal that the editor is supposedly working for is not profiting at all—it is just providing citations to other journals.Such practices can lead an article to accrue more than150citations in the same year that it was published.How insidious is this type of citation manipulation?In one example,an individual—acting as author,editor,and consultant—was able to use at least15journals as citation providers to articles published by five scientists at three universities.The problem is rampant in Scopus,which includes a high number of the new“international”journals.In fact,a listing in Scopus seems to be a criterion to be targeted in this type of citation manipulation.Scopus itself has all the data necessary to detect this malpractice.Red flags include a large number of citations to an article within the first year.And for authors who wish to steer clear of citation cartel activities:when an editor,a reviewer,or a support service asks you to add inappropriate references,do not oblige and do report the request to the journal.36.According to Paragraph1,the careers of scientists can be determined by[A]how many citations their works contain[B]how many times their papers are cited[C]the prestige of the people they work with[D]the status they have in scientific circles37.The support service consultancies tend to[A]recommend journals to their clients.[B]list citation patterns their clients.[C]ask authors to include extra citations[D]advise contributors to cite each other38.The Function of the“milk cow”journals is to[A]boost citation counts for certain authors[B]help scholars publish articles at low cost[C]instruct First-time contributors in citation[D]increase the readership of new journals.39.What can be learned about Scopus From the last two paragraphs?[A]It fosters competition among citation providers[B]It has the capability to identify suspicious citations[C]It hinders the growth of"international"journals[D]It established to prevent citation manipulation40.What Should an author do to deal with citation manipulators?[A]Take legal action[B]Demand an apology.[C]Seek professional advice[D]Reveal their misconductPart BDirections:Read the following text and answer the questions by choosing the most suitable subheading from the list A-G for each of the numbered paragraphs(41-45).There are two extra subheadings which you do not need to use.Mark your answers on the ANSWER SHEET.(10points)[A]Last year marked the150th anniversary of a series of Yellowstone photographs by the renowned landscape photographer William Henry Jackson.Jackson snapped the1st-ever shots of iconic landmarks such as the Tetons,Old Faithful and the Colorado Rockies.On a late19th-century expedition through the Yellowstone Basin that was conducted by the head of the U.S. Geological and Geographical Survey of the Territories,Ferdinand V.Hayden.The team included a meteorologist,a zoologist,a mineralogist,and an agricultural statistician.[B]Two centuries ago,the idea of preserving nature,rather than exploiting it,was a novel one to many U.S.settlers.One of the turning points in public support for land conservation efforts—and recognizing the magnificence of the Yellowstone region in particular—came in the form of vivid photographs.[C]As an effective Washington operator,Hayden sensed that he could capitalize on the expedition’s stunning visuals.He asked Jackson to print out large copies and distributed them, along with reproductions of Moran’s paintings,to each member of Congress.“The visualization, particularly those photographs,really hit home that this is something that has to be protected,”says Murphy.[D]Throughout the trip,Jackson juggled multiple cameras and plate sizes using the“collodion process”that required him to coat the plates with a chemical mixture,then expose them and develop the resulting images with a portable darkroom.The crude technique required educated guesses on exposure times,and involved heavy,awkward equipment—several men had to assist in its transportation.Despite these challenges,Jackson captured dozens of striking photos, ranging from majestic images like his now-famous snapshot of Old Faithful,to casual portraits of expedition members at the camp.While veterans of previous expeditions wrote at length about stunning trail sights,these vivid photographs were another thing entirely.[E]The journey officially began in Ogden,Utah on June8,1871.Over nearly four months, dozens of men made their way on horseback into Montana and traversed along the Yellowstone River and around Yellowstone Lake.That fall,they concluded the survey in Fort Bridger, Wyoming.[F]Though Native Americans(and later miners and fur trappers)had long recognized the area’s riches,most Americans did not.That’s why Hayden’s expedition aimed to produce a fuller understanding of the Yellowstone River region,from its hot springs and waterfalls to its variety of flora and fauna.In addition to the entourage of scientists,the team also included artists:PainterThomas Moran and photographer William Henry Jackson were charged with capturing this astounding natural beauty and sharing it with the world.[G]The bill proved largely popular and sailed through Congress with large majorities in favor.In quick succession,the Senate and House passed legislation protecting Yellowstone in early1872. That March,President Ulysses S.Grant signed an act into law that established Yellowstone as the world’s first national park.Some locals opposed the designation,the decision was largely accepted—and Jackson’s photos played a key role in the fight to protect the area.“I don’t believe that the legal protection would have happened in the time frame that it did without those images,”says Hansen,journalist and author of Prophets and Moguls,Rangers and Rogues, Bisonord Bears:100years of the national Park Service.[H]Perhaps most importantly,these images provided documentary evidence of the park’s sights that later made its way to government officials.Weeks after completing the expedition,Haydencollected his team’s observations into an extensive report aimed at convincing senators and representatives,along with colleagues at government agencies like the Department of the Interior, that Yellowstone ought to be preserved(and that his department deserved additional funds).41.B—A—42.F—E—43.D—H—44.C—45.GPart CDirections:Read the following text carefully and then translate the underlined segments into Chinese.Write your answers on the ANSWER SHEET.(10points)There has been some exploration around the use of AI in digital marketing.For example,AI can be used to analyse what type of advertising content or copy would be appropriate to'speak'to a specific target customer group by revealing information about trends and preferences through the analysis of big data.46)AI can also be used to identify the lifestyle choices of customers regarding their hobbies,favourite celebrities,and fashions to provide unique content in marketing messages put out through social media.At the same time,AI can also be used to generate content for social media posts and chat sites.AI can also provide a bridge between the need of the brand to communicate emotionally with the customer and identifying their rapidly changing needs.While working at PWC,Norbert Wirth wrote an article on AI where identified that marketers are equally eager and hesitant in adopting Al,because synthesizing all these different functions presents them with new challenges.Al can help marketers to create clear marketing messages and choose the most attractive marketing mix for each target segment.A specific example would be the use of AI in developing the customer journey by automating all the different touchpoints (when the organization should contact the potential customer)through behavioural analytics so that they are the most effective for that customer or customer group.The main disadvantage of using AI to respond to customers is that there are concerns about trusting personal interactions to machines,which could lead not only to the subsequent loss of interpersonal connections,but also to a decrease in marketing personnel.47)Some believe that AI is negatively impacting on the marketer’s role by reducing creativity and removing jobs,but they are aware that it is a way of reducing costs and creating new information.By allowing Al to develop content some brand marketers may find that they are losing control over the brand narrative.48)Algorithms that are used to simulate human interactions are creating many of these concerns,especially as no-one is quite sure what the outcomes of using AI to interact with customers will be.For Al to be successful,data needs to be accessible,but the use of personal data is becoming more regulated and the automated sharing of data is becoming more difficult.49)lf customers are not willing to share data,Al will be starved of essential information and will not be able to function effectively or employ machine learning to improve its marketing content and communication. Therefore,unless customers are prepared to sign release agreements,the use of Al may become somewhat restricted in the future.Not only can Al help to create the marketing content,but it can also provide a non-intrusive way of delivering the content to the target customers.Data can be gathered on where the customer can be engaged,such as location,devices used,website interactions,and sites visited,to display marketing messages in appropriate forms,including emails,social media posts,pop-up advertisements,and banners at an appropriate frequency.50) The non-intrusive delivery of the marketing messages in a way that is sensitive to the needs of the target customer is one of the critical challenges to the digital marketer.Understanding humans may be complicated,but we reveal a considerable amount about what appeals to us through our browsing history.(46)AI can also be used to identify the lifestyles choices of customers regarding their hobbies, favorite celebrities,and fashions to provide unique content in marketing messages put out through social media.【参考译文】社交媒体还可以识别包括消费者的爱好、最爱的名人和时尚等的生活习惯的选择，从而在通过社交媒体发布的营销信息中提供独一无二的内容。

DoS 攻击下具备隐私保护的多智能体系统均值趋同控制胡沁伶 1郑 宁 1徐 明 1伍益明 1何熊熊2摘 要 均值趋同是一种广泛应用于分布式计算和控制的算法, 旨在系统通过相邻节点间信息交互、更新, 最终促使系统中所有节点以它们初始值的均值达成一致. 研究拒绝服务(Denial-of-service, DoS)攻击下的分布式离散时间多智能体系统均值趋同问题. 首先, 给出一种基于状态分解思想的分布式网络节点状态信息处理机制, 可保证系统中所有节点输出值的隐私. 然后, 利用分解后的节点状态值及分析给出的网络通信拓扑条件, 提出一种适用于无向通信拓扑的多智能体系统均值趋同控制方法. 理论分析表明, 该方法能够有效抵御DoS 攻击的影响, 且实现系统输出值均值趋同. 最后, 通过仿真实例验证了该方法的有效性.关键词 多智能体系统, 均值趋同, 拒绝服务攻击, 隐私保护, 网络安全引用格式 胡沁伶, 郑宁, 徐明, 伍益明, 何熊熊. DoS 攻击下具备隐私保护的多智能体系统均值趋同控制. 自动化学报, 2022,48(8): 1961−1971DOI 10.16383/j.aas.c201019Privacy-preserving Average Consensus Control forMulti-agent Systems Under DoS AttacksHU Qin-Ling 1 ZHENG Ning 1 XU Ming 1 WU Yi-Ming 1 HE Xiong-Xiong 2Abstract Average consensus is a widely used algorithm for distributed computing and control, where all the nodes in the network constantly communicate and update their states in order to achieve an agreement. In this paper, we study the average consensus problem for discrete-time multi-agent systems under DoS attacks. First, a distributed network node state value processing mechanism based on state decomposition is given, which can ensure the pri-vacy of the output values of all nodes in the system. Then, through using the decomposed node state values and the network topology conditions given by the analysis, an average output consensus control law for distributed discrete-time multi-agent systems is proposed. Theoretical analysis shows that the proposed method can effectively resist the influence of DoS attacks on the system, and achieve the convergence of the average value of system initial outputs.Finally, numerical examples are presented to show the validity of the proposed method.Key words Multi-agent systems, average consensus, denial-of-service attack, privacy-preserving, cyber securityCitation Hu Qin-Ling, Zheng Ning, Xu Ming, Wu Yi-Ming, He Xiong-Xiong. Privacy-preserving average con-sensus control for multi-agent systems under DoS attacks. Acta Automatica Sinica , 2022, 48(8): 1961−1971多智能体系统是由多个具有一定传感、计算、执行和通信能力的智能个体组成的网络系统, 作为分布式人工智能的重要分支, 已成为解决大型、复杂、分布式及难预测问题的重要手段[1−2]. 趋同问题作为多智能体系统分布式协调控制领域中一个最基本的研究课题, 是指在没有协调中心的情况下, 系统中每个节点仅根据相互间传递的信息, 将智能体动力学与网络通信拓扑耦合成复杂网络, 并设计合适的分布式控制方法, 从而在有限时间内实现所有节点状态值的一致或同步.然而具备分布式网络特点的多智能体系统由于普遍规模庞大, 单个节点结构简单且节点地理位置分散等原因, 使得系统中易产生脆弱点, 这就使其在推广应用中面临两项基本挑战: 1)节点状态信息的隐私泄露问题; 2)节点或节点间的通信链路可能会遭受网络攻击的问题, 如欺骗攻击、拒绝服务(Denial-of-service, DoS)攻击等.针对节点状态信息的隐私泄露问题, 即在考虑多智能体网络趋同的同时, 保证系统中节点的初始状态值不被泄露, 已有较多研究人员开展相关的工作. 其中, 有学者借助于传统的安全多方计算方法,收稿日期 2020-12-09 录用日期 2021-03-02Manuscript received December 9, 2020; accepted March 2, 2021国家自然科学基金(61803135, 61873239, 62073109)和浙江省公益技术应用研究项目(LGF21F020011)资助Supported by National Natural Science Foundation of China (61803135, 61873239, 62073109) and Zhejiang Provincial Public Welfare Research Project of China (LGF21F020011)本文责任编委 鲁仁全Recommended by Associate Editor LU Ren-Quan1. 杭州电子科技大学网络空间安全学院 杭州 3100182. 浙江工业大学信息工程学院 杭州 3100231. School of Cyberspace, Hangzhou Dianzi University, Hang-zhou 3100182. College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023第 48 卷 第 8 期自 动 化 学 报Vol. 48, No. 82022 年 8 月ACTA AUTOMATICA SINICAAugust, 2022例如Yao等[3]提出混淆电路算法, Shamir等[4]提出秘钥共享算法等. 然而这类通用的隐私保护方法因计算和通信消耗较大, 不适用于单个智能体节点结构较为简单的分布式系统, 尤其是受到硬实时约束的一类多智能体系统应用. 如上述的混淆电路的计算延迟为秒级[5], 而对于多智能体系统一些典型应用如多无人飞行器编队的实时控制, 其容许的计算延迟仅为毫秒级[6]. 针对多智能体系统均值趋同过程中节点信息泄露问题, 有研究人员提出了一系列专门的隐私保护策略[7−10]. 这些方法大多基于模糊处理的思想, 即通过加入噪声来掩盖真实的状态值.其中一种常用的手段是差分隐私方法[11], 然而这种差分隐私下的模糊处理方法会影响最终趋同值的精度, 即使系统无法收敛到精确的节点初始状态的平均值. 最近文献[12]提出的一种基于相关噪声混淆技术的改进方法, 克服了传统差分隐私方法中精度下降的问题, 但却需要较多的算力. 最近的文献[13]采用一种基于状态分解的方法, 将每个节点的初始状态分解为两个随机的子状态, 只令其中一个子状态参与相邻节点间的信息交互, 而另一子状态保留在本节点内部, 不参与邻居间信息传递. 只要两个随机子状态的和满足特定条件, 在作者所设计的趋同算法下, 系统能够达成均值趋同, 且保护每个节点的状态信息不被泄露.此外, 有学者研究基于可观测性的方法用来保护多智能体系统中节点的隐私[14−16]. 基本思想是设计网络的交互拓扑结构以最小化某个节点的观测性, 本质上相当于最小化该节点推断网络中其他节点初始状态的能力. 然而, 这类基于可观测性的方法仍然存在隐私泄露的风险. 为了提高对隐私攻击的抵御能力, 另一种常见的方法是使用加密技术.然而, 虽然基于密码学的方法可以很容易地在聚合器或第三方[17]的帮助下实现隐私保护, 例如基于云的控制或运算[18−20], 但是由于分散密钥管理的困难,在没有聚合器或第三方的情况下, 将基于密码学的方法应用到完全分散的均值趋同问题是很困难的.同时, 基于密码学的方法也将显著增加通信和计算开销[21], 往往不适用于资源有限或受硬实时约束的分布式网络控制系统.以上的工作均是在安全的通信环境下完成的,然而在实际应用场景中, 由于物理设备和通信拓扑结构都有可能遭受网络攻击, 导致以往有关多智能体系统趋同研究的失效, 这使得针对多智能体系统在网络攻击下的趋同研究发展迅速, 并取得了一些显著成果[22−26]. 目前多智能体系统中常见的网络攻击主要有两种形式: 欺骗攻击[22, 25, 27−28]和DoS攻击[29−33].r其中DoS攻击是多智能体系统中最常见也是最容易实现的攻击形式, 只要攻击者掌握系统元器件之间的通信协议, 即可利用攻击设备开展干扰、阻塞通信信道、用数据淹没网络等方式启动DoS攻击.在DoS攻击影响下, 智能体间交互的状态信息因传递受阻而致使系统无法达成一致. 近年来, 研究者们从控制理论的角度对DoS攻击下的系统趋同问题进行了研究. 其中, 有研究人员通过构建依赖于参数的通用Lyapunov函数设计一种趋同方法[31],使其能够适用于因通信链路存在随机攻击导致通信拓扑随机切换的情况. 此外, 有研究者通过设计一个独立于全局信息的可靠分布式事件触发器[32], 很好地解决了大规模DoS攻击下的一致性问题. 更有研究者开始研究异构多智能体系统在通信链路遭受攻击时的趋同问题[33], 通过设计基于观测器的控制器, 实现在通信链路存在DoS攻击时两层节点间的趋同问题. 而在本文中, 考虑多智能体之间通信链路遭受DoS攻击的情况, 通过攻击开始时刻与攻击链路矩阵刻画DoS攻击模型, 通过增强网络拓扑以满足所谓的-鲁棒图来刻画信息流的局部冗余量[34],从而抵御DoS攻击的影响.然而, 针对趋同问题, 将网络攻击和隐私保护两者结合起来考虑的研究还鲜有见文献报道. 2019年Fiore等[24]率先开展了同时考虑隐私保护和网络攻击的研究工作, 但所得成果仍存在一定的局限性: 1)所提方法虽能保护节点隐私且最终达成状态值趋同, 却无法确保系统达成均值趋同; 2)作者仅考虑了欺骗攻击下的控制器设计问题, 因此所得结论并不适用于网络中存有DoS攻击的系统.y基于上述观察与分析, 本文主要致力于研究DoS 攻击下具备节点信息隐私保护的多智能体系统均值趋同问题, 从而补充现有趋同算法的相关结果. 同时, 考虑实际环境对测量条件等的限制, 不易直接获取节点的真实状态值[35], 为此本文围绕节点的输出值, 即通过观测矩阵获取的系统输出, 进行趋同控制器的设计工作. 本文的主要贡献包括:1)针对DoS攻击在多智能体系统分布式协同控制中的攻击特性和发生范围, 及对网络拓扑连通性的影响, 建立相应数学模型;2)针对一类DoS攻击下的无向通信网络多智能体系统, 提出一种基于状态分解的节点信息隐私保护策略. 当满足特定条件时, 所提策略可确保系统输出状态不被窃听者准确推断出来;y3)针对DoS攻击的影响, 分析给出了系统中节点通信拓扑的鲁棒性条件, 并据此设计一种基于输出量测值的分布式控制方法, 理论分析并证明1962自 动 化 学 报48 卷系统可容忍特定数目的链路遭受DoS 破坏, 并实现输出均值趋同.本文内容结构为: 第1节介绍本文所需要用到的图论知识, 网络拓扑图的相关性质以及均值趋同算法; 第2节主要对DoS 攻击模型和拟解决问题进行描述; 第3节提出系统在DoS 攻击下的隐私保护均值趋同控制方法, 并分别对在攻击下的网络拓扑鲁棒性、系统收敛性以及隐私保护能力进行分析;第4节通过一组仿真实例验证算法的有效性; 第5节是总结与展望.1 预备知识1.1 图论知识M G =(V ,E ,A )V ={v 1,v 2,···,v M }E ⊂V ×V A =[a ij ]∈R M ×M (v j ,v i )∈E a ij >0a ij =0(v j ,v i )∈E (v i ,v j )∈E a ij =a ji a ii =0v i N i ={v j ∈V|(v j ,v i )∈E}G L =D −A 考虑由 个智能体组成的多智能体系统, 节点之间为双向传递信息, 其通信网络可抽象地用一个无向加权图 表示. 其中 表示节点集合, 表示边集. 两个节点之间的连接关系用邻接矩阵(权重矩阵) 表示, 如果 , 则 ; 否则 . 在无向图中, 邻接矩阵是对称的, 即如果, 则同时有 , 且 . 本文不考虑节点自环情况, 即令 . 节点 的邻居集合表示为 . 无向图 对应的Laplacian 矩阵为 , 其中D 为度矩阵, 定义为:除了上述无向图的基本知识, 本文的研究工作还用到了r -可达集合和r -鲁棒图的概念. 这两个概念最早由文献[36]提出, 随后被文献[22, 27]等利用并扩展, 主要用于分析节点间拓扑抵御网络攻击的鲁棒性. 经笔者少许修改, 具体定义如下:G =(V ,E )S ⊂V S v i N i \S r S 定义1[36]. r -可达集合: 对于图 及其中一非空子集 , 如果 中至少有一个节点 在集合 中有不少于 个节点, 则称 为r -可达集合.G =(V ,E )V S 1,S 2⊂V S 1∩S 2=∅G 定义 2[36]. r -鲁棒图: 对于图 , 如果对 中任意一对非空子集 , , 保证至少有一个子集为r -可达集合, 则称 为r -鲁棒图.以下是一些关于r -鲁棒图的基本性质.G =(V ,E )ˆGG s (s <r )ˆG(r −s )引理1[22]. 考虑一个r -鲁棒图 , 令 表示 中每个节点至多移除 条边后的图,则 是一个 -鲁棒图.G G 引理2[22]. 对于一个无向图 , 如果 满足1-鲁G 棒图, 则有 为连通图.1.2 均值趋同算法M x i [k ]∑Mi =1x i [0]/M 考虑有 个节点组成的无向加权多智能体系统. 为了让系统实现均值趋同, 也就是所有节点的状态 最终收敛到它们初始状态的平均值, 根据文献[13, 37], 其节点动态更新方程可设计为:x i [k ]v i k ε∈(0,1/∆)∆式中, 为节点 在 时刻的状态值, 为系统增益系数, 通常定义为:η>0η≤a ij <1文献[38]表明, 当系统拓扑满足连通图, 且存在 使得 时,系统可在更新规则(1)下实现均值趋同, 即:2 问题描述M 本文研究对象为如下 个智能个体组成的一阶离散时间多智能体系统, 其动力学模型为:x i [k ]∈R N u i y i [k ]∈R Q y i [k ]nC i ∈R Q ×N n n ∈R +式中, 为系统的状态值, 为控制输入, 为系统经通信链路传输得到的量测信号, 需要注意的是, 由于通信链路中存在DoS 攻击, 可能遭受影响而无法被邻居节点接收到. 为观测矩阵, 其中 为从观测矩阵中抽取出的系数, 为大于0的正实数.2.1 攻击模型本文所讨论的DoS 攻击表现为某种传输尝试失败的情况[39], 其存在于多智能体系统中各智能体之间的通信链路中, 即当通信图中两个节点间的链路发生DoS 攻击时, 其通信链路将会被切断, 此时两个节点无法通过该链路进行信息交互, 进而达到攻击多智能体系统的目的. 在多智能体系统分布式协同控制中, 运载节点输出量测值的通信链路遭遇DoS 攻击的示意图如图1所示.(P,k 0)P =[p ij [k ]]∈R M ×M v i v j k 本文以Adeversory 刻画系统遭遇DoS攻击的情况. 其中 表示攻击状态矩阵, 当节点 和节点 之间在 时刻发生DoS8 期胡沁伶等: DoS 攻击下具备隐私保护的多智能体系统均值趋同控制1963p ij [k ]=0p ij [k ]=1k 0攻击时, ; 否则 . 为系统遭遇DoS 攻击的开始时刻.考虑攻击者资源的有限, 本文假设攻击发生范围满足f -本地有界[22]的定义, 该假设在文献[22−23,25]中被广泛采用. 结合DoS 攻击, 具体定义如下:f 定义3 (f -本地有界DoS 攻击) . 对于系统中的任一节点, 如果与其相邻节点的通信链路中, 任意时刻遭遇DoS 攻击的链路条数至多不超过 条, 则称此类攻击模型为f -本地有界DoS 攻击.2.2 系统假设(P,k 0)结合上述给出的Adeversory 和攻击发生范围模型, 本文对所研究的系统作出如下假设:f 3v i ∈V k 假设1. 系统中任意一个节点的通信链路中在任意时刻至多有 条链路同时遭受DoS 攻击, 即满足定义 攻击模型. 具体地, 则对于任意 , 在任意时刻 , 都有下式成立:G [k ]=(V ,E [k ],A [k ])虽然本文考虑的是固定无向拓扑, 但在DoS攻击影响下, 可以看到系统的通信图却会与之发生变化. 因此, 本文接下去用时变图符号 表示系统在DoS 攻击影响下的真实通信情况.η0<η<1i,j ∈{1,···,M }a ij [k ]>0η≤a ij [k ]<1假设2. 存在一个标量 满足 , 对于所有的 , 如果 , 那么 .x i ∈R N X i ∈R N X =∩M i =1X i X =∅假设3. 系统任意节点状态值 受限于一个非空闭凸集, 表示为 , 令 ,则 .根据上述假设, 可以得出系统具备如下属性:引理3[38]. 当系统的网络通信图为有向连通图v i ∈V (1)且邻接矩阵为双随机矩阵时, 并且满足假设2和3时, 那么对于系统中任意节点 在动态更新式 下, 有:{h [k ]}式中, 为一个定义的辅助序列, 对于每个时根据文献[38], 因邻接矩阵为双随机矩阵, 由式(7) ~ (8)可得:v i ∈V 引理4. 当系统的网络通信图为无向连通图, 并且满足假设2和3时, 那么由引理3可知, 对于系统中任意节点 在动态更新式(1)下, 式(10)仍然成立.证明. 根据引理3可知, 在网络通信图为有向图情况下, 邻接矩阵为双随机矩阵表明在该网络通信图中, 所有节点通信链路满足出度等于入度的条件, 而在无向图中, 该条件同样成立, 因此在无向图中, 式(10)仍然成立. □针对上述建立的网络攻击模型和相关的系统假设, 本文的研究目标是, 设计一种控制策略, 使得:1)系统的输出达到趋同并且趋同值是等于所有智能体初始输出状态的平均值; 2)在整个趋同过程中保护每个节点的信息值隐私.3 控制器设计3.1 DoS 攻击下网络拓扑鲁棒性条件首先对网络通信链路图的鲁棒性条件进行讨论, 以便于开展后续控制器的设计工作.引理5. 考虑多智能体系统(4), 如果其网络拓图 1 DoS 攻击下的多智能系统框图Fig. 1 The diagram of the multi-agent systemunder DoS attacks1964自 动 化 学 报48 卷(f +1)扑结构满足 -鲁棒的无向图, 那么系统在遭受f -本地有界DoS 攻击下, 即满足假设1, 其通信图仍可保持连通性.f 证明. 根据假设1可知, 网络中每个节点任意时刻至多有 条通信链路遭受DoS 攻击破坏. 再由引理1可知, 此时网络拓扑结构至少是1-鲁棒图.最后由引理2可知, 系统网络拓扑仍然能够保持连通性. □3.2 DoS 攻击下隐私保护控制上述小节给出了系统遭受DoS 攻击下通信网络仍旧保持连通的条件, 接下去本小节给出本文核心的控制器设计方法.x i x αi x βi x αi [0]x βi [0]x αi [0]+x βi [0]=2x i [0]受文献[13]启发, 此处引入状态分解方法: 将每个节点的状态值 分解成两个子状态, 用 和 表示. 值得注意的是, 初始状态的子状态值 和 可在所有实数中任取, 但需满足条件: .x αi x i v i x βi x αi x βi v i v 1x α1x 1x β1v 1x α1x αi x βi a i,αβ[k ]a i,αβ[k ]η≤a i,αβ[k ]<1为便于理解, 本文以5个节点的无向连通图为例, 通信拓扑如图2所示. 从示例图中可以看出: 子状态 充当原 的作用, 即与邻居节点进行信息交互, 并且实际上是节点 的邻居节点唯一可以获知的状态信息. 而另一个子状态 同样存在于该分布式信息交互中, 但是其仅与 进行信息交互. 也就是说子状态 的存在, 对于节点 的邻居节点是不可见的. 例如, 在图2(b)中, 节点 中的 相当于图2(a)中 的角色和邻居节点进行信息交互,而 仅对节点 自身可见, 而对其他节点不可见.但是它又可以影响 的变化. 两个子状态 和 之间的耦合权重是对称的, 表示为 , 并且所有的 满足 .基于上述方法, 本文给出具体的具备隐私保护的输出均值趋同控制协议:并且I L ′[k ]式中, 为单位矩阵, 为DoS 攻击下的Lapla-cian 矩阵,其满足:A ′[k ]=[′]式中, DoS 攻击下系统对应的邻接矩阵为D ′[k ]A ′[k ] 为对应于邻接矩阵 的度矩阵.y [k ]=nCx α[k ]C 另外, 在协议(11)中, 为系统的状态输出方程, 为输出方程的观测矩阵, 定义为:e i R M i i 式中, 表示 中第 个规范基向量, 该向量中第个位置数为1, 其他位置数为0.n ∈(0,1)n =1n ∈(1,∞)注1. 考虑实际环境中不同情况, 当 时, 系统输出方程将会缩小状态值进行信息交互,适用于节点状态值过大的情况; 当 时, 系统状态输出方程将会输出原本节点需要进行信息交互的状态值; 当 时, 系统状态输出方程将会放大状态值进行信息交互, 适用于节点状态值过小的情况.x α[k ]值得注意的是, 对于系统中的节点, 用于和邻居节点进行信息交互的状态值 是无法被邻居节点获取的, 需通过系统状态输出方程传递给邻居图 2 5个节点组成的示例图Fig. 2 Example of network with 5 nodes8 期胡沁伶等: DoS 攻击下具备隐私保护的多智能体系统均值趋同控制1965x α[k ]y [k ]节点. 简言之每个节点经过信息交互接收到的邻居节点的值并不是 , 而是经过输出方程输出的 .A αβ[k ]v i ,i =1,2,···,M x αi [k ]x βi [k ]a i,αβ[k ]令 为每个节点 的和两个子状态之间的耦合权重N =1,Q =1为便于叙述, 本文考虑节点的状态值及输出值为一维的情况, 即令 . 从而, 基于输出状态值的控制协议可表示为:事实上, 只要向量状态中的每个标量状态元素都有独立的耦合权重, 本节所提出的控制方法所有分析及结果同样适用于向量状态的情况.()ε1/∆1/(∆+1)注2. 与文献[13, 37]的更新式(1)相比, 本文给出的协议(19)中, 由于每个可见子状态的邻居数增加了一个 不可见子状态 , 因此 的上限从 降低为 .注3. 相比于文献[13, 37]设计的更新式(1),本文在协议(19)的设计过程中考虑了系统通信链路中存在DoS 攻击的情况, 可确保在存在一定能力DoS 攻击时, 系统在协议(19)的约束下实现均值趋同.3.3 输出均值趋同分析在给出本文主要结论前, 需要下述引理知识.引理6. 考虑多智能体系统(4), 如果其网络通信图是一个无向连通图, 则对于状态分解后的网络,所有节点子状态总和是固定不变的.y i [k ]=nx αi [k ]证明. 由输出方程 , 推导可得:再将式(20)代入式(19), 可得:进一步, 由式(21), 可得:因此有:∑M i =1{∑Mj =1a ′ij[k ](y j [k ]−y i [k ])}而在式(23)中的部分, 可进一步分解为下式:a ′ij [k ]=a ′ji [k ]v i ,v j ∈V 根据无向图属性: , 对于任意 , 有:将式(25)代入式(24), 可得:1966自 动 化 学 报48 卷(26)(23)将式 代入式 , 可得:由式(27)容易看出, 对于进行状态分解后的网络, 系统节点子状态的和是固定不变的. □下面给出本文的主要结论.(f +1)定理1. 考虑DoS 攻击下多智能体系统(4), 在满足假设1、2和3条件下, 若其通信拓扑满足 -鲁棒图, 且系统节点在所给的分布式协议(19)下进行状态更新, 则系统可实现输出值均值趋同.(f +1)证明. 由于系统的通信图是一个 -鲁棒图, 根据引理5可知, 系统在满足假设1的DoS 攻击下, 其网络图仍能够保持连通. 显然, 经过状态分解之后的系统同样能够保证网络图的连通性. 根据x αi [k ]x βi [k ]随后, 根据引理4和式(28)可知, 系统可以实现均值趋同, 即任意节点的子状态 和都x αi [0]+β再根据式(28)和状态分解约束条件y i [k ]=nx αi [k ]最后, 根据式(29)和输出方程 , 可得: □y 注4. 相比于文献[13]设计的隐私保护状态更新协议, 本文在协议(19)的设计过程中进一步考虑了在实际环境对测量条件等的限制导致难以获得系统中节点的真实状态值的情况, 引入了节点输出值的概念, 通过观测矩阵获取的系统输出 进行协议(19)的设计, 可确保系统在该协议下实现输出值均值趋同.3.4 隐私保护分析本节对趋同控制过程中单个节点信息的隐私保护进行分析. 本文考虑两种隐私窃听者: 好奇窃听者和外部窃听者. 好奇窃听者是指一类能够正确遵循所有控制协议步骤但具有好奇性的节点, 这类节点会收集接收到的数据并试图猜测其他节点的状态信息. 而外部窃听者是指一类了解整个网络拓扑结构的外部节点, 并能够窃听某些内部节点的通信链路从而获得在该通信链路交互的信息.一般来说, 这里的外部窃听者比好奇窃听者更具有破坏力, 因为外部窃听者会窃听多个节点通信链路上交互的信息, 而好奇窃听者只能窃听该节点通信链路交互的信息, 但好奇窃听者有一个外部窃听者无法得知的信息, 即该好奇窃听者的初始状态值.v i ∈V k I i [k ]={a ′ip [k ]|v p ∈N i ,y p [k ]|v p ∈N i ,x i [k ],x αi [k ],x βi [k ],a i,αβ[k ]}v i I i =∪∞k =0I i [k ]定义好奇窃听者 在第 次迭代时所获得的信息为: . 随着状态值迭代更新, 窃听者 收集获得的信息表示为 .x i [0]v i 定义4. 如果窃听者无法以任何精度保证估计节点状态信息 的值, 则称节点 得到了隐私保护.在给出结论前, 需要用到下述引理.v j v i v m v j x j [0]=x j [0]v i I i =I i 引理7[13]. 在采用状态分解方法的信息交互通信中, 如果正常节点 具有至少一个不与好奇窃听节点 直接相连的正常邻居节点 , 则对于节点 的任意初始状态 , 窃听节点 获得的信息始终满足 .v j v m a jm [0]v j a jm [0]a j,αβ[0]a m,αβ[0]v j x j [0]引理8[13]. 在采用状态分解方法的信息交互通信中, 如果正常节点 存在至少一个正常邻居节点, 其 的值对于外部窃听者不可见, 则节点 的任意初始状态的任何变化都可以完全通过对外部窃听者不可见的 , 和 的变化来补偿, 因此外部窃听者无法以任何精度保证估计正常节点 的初始状态值 .v j ∈V v j x j [0]定理2. 考虑DoS 攻击下多智能体系统(4), 对于系统中任意正常节点 , 如果 在所给的分布式协议(19)下进行状态更新, 则在整个信息交互过程中, 其状态信息值 具备隐私保护.v i v j x j [0]=x j [0]I i =I i v j v j x j [0]证明. 首先, 分析系统存在好奇窃听者 的情况. 对于任意正常节点 , 在所给的分布式协议(19)下, 其初始状态显然满足 , .再由引理6可知, 该条件下好奇窃听者无法准确估计节点 的初始值, 因此节点 的状态值 得到了隐私保护.v j ∈V v j v j 随后, 分析系统存在外部窃听者的情况. 在本文所提的分布式算法(19)下, 外部窃听者对于系统中任意正常节点 的其中之一子状态不可见. 根据引理7, 初始状态值的变化则对于外部窃听者不可见, 故外部窃听者无法准确估计正常节点 的8 期胡沁伶等: DoS 攻击下具备隐私保护的多智能体系统均值趋同控制1967。

多智能体系统一致性综述一 引言多智能体系统在20世纪80年代后期成为分布式人工智能研究中的主要研究对象。

研究多智能体系统的主要目的就是期望功能相对简单的智能体系统之间进行分布式合作协调控制，最终完成复杂任务。

多智能体系统由于其强健、可靠、高效、可扩展等特性，在科学计算、计算机网络、机器人、制造业、电力系统、交通控制、社会仿真、虚拟现实、计算机游戏、军事等方面广泛应用。

多智能体的分布式协调合作能力是多智能体系统的基础，是发挥多智能体系统优势的关键，也是整个系统智能性的体现。

在多智能体分布式协调合作控制问题中，一致性问题作为智能体之间合作协调控制的基础，具有重要的现实意义和理论价值。

所谓一致性是指随着时间的演化，一个多智能体系统中所有智能体的某一个状态趋于一致。

一致性协议是智能体之间相互作用、传递信息的规则，它描述了每个智能体和其相邻的智能体的信息交互过程。

当一组智能体要合作共同去完成一项任务，合作控制策略的有效性表现在多智能体必须能够应对各种不可预知的形式和突然变化的环境，必须对任务达成一致意见，这就要求智能体系统随着环境的变化能够达到一致。

因此，智能体之间协调合作控制的一个首要条件是多智能体达到一致。

近年来，一致性问题的研究发展迅速，包括生物科学、物理科学、系统与控制科学、计算机科学等各个领域都对一致性问题从不同层面进行了深入分析，研究进展主要集中在群体集、蜂涌、聚集、传感器网络估计等问题。

目前，许多学科的研究人员都开展了多智能体系统的一致性问题的研究，比如多智能体分布式一致性协议、多智能体协作、蜂涌问题、聚集问题等等。

下面，主要对现有文献中多智能体一致性协议进行了总结，并对相关应用进行简单的介绍。

1.1 图论基础多智能体系统是指由多个具有独立自主能力的智能体通过一定的信息传递方式相互作用形成的系统；如果把系统中的每一个智能体看成是一个节点，任意两个节点传递的智能体之间用有向边来连接的话，智能体的拓扑结构就可以用相应的有向图来表示。

etcd high number of leader changesetcd is a distributed key-value store that is widely used incloud-native applications for service discovery, configuration management, and coordination. One of the challenges faced by etcd is the occurrence of a high number of leader changes. In this article, we will explore this issue in detail, step by step.Before we dive into the reasons behind the high number of leader changes in etcd, let's first understand the role of a leader in etcd's distributed consensus algorithm. Etcd uses the Raft consensus algorithm, where a leader is responsible for accepting client requests, replicating them to other nodes in the cluster, and responding to clients. The leader is crucial for maintaining consistency and availability in the etcd cluster.Now, let's explore the possible reasons for a high number of leader changes in etcd:1. Network Issues: Network disruptions, latency, or instability can cause communication problems among etcd nodes. If a leader node fails to communicate with a majority of followers or other nodes in the cluster, it will trigger a leader change. Frequentnetwork issues can lead to a high number of leader changes.2. Node Failures: If a leader node crashes or becomes unresponsive, the remaining nodes in the cluster will detect the failure and initiate a new leader election. If there are frequent node failures due to hardware or software issues, it can result in an increased number of leader changes.3. Performance Degradation: When an etcd node experiences degraded performance due to high load or resource constraints, it may cause delays in heartbeat communication with other nodes. If the delay exceeds a certain threshold, a follower node may suspect the leader's failure and trigger a leader change.4. Network Partitions: In distributed systems, network partitions can occur due to various reasons such as network failures, misconfigurations, or deliberate actions. A network partition can lead to multiple subgroups of etcd nodes, with each subgroup electing its own leader. When the network partition is resolved, the subgroups may merge, resulting in leader changes.Now that we have identified some common reasons for high leaderchanges in etcd, let's discuss the impact of this issue on the overall system.1. Increased Latency: Leader changes require time for leader election and state synchronization among etcd nodes. Frequent leader changes can increase the latency of client requests, delaying the overall responsiveness of the system.2. Inconsistencies: Leader changes can result in temporary inconsistencies in etcd's distributed state. During the state synchronization process, some transactions may be lost or delayed, leading to data inconsistencies across the cluster.3. Service Disruptions: As leader changes cause temporary unavailability of the etcd cluster, applications relying on etcd for service discovery or configuration may experience disruptions. This can impact the overall availability of the system.To mitigate the issues caused by a high number of leader changes in etcd, here are some best practices:1. Network Stability: Ensure that the network infrastructuresupporting the etcd cluster is stable and resilient. Employ network monitoring and redundancy mechanisms to minimizenetwork-related problems.2. Fault Tolerance: Design the etcd cluster to handle node failures gracefully. Configure etcd with an appropriate number of replicas and enable automatic leader election to ensure high availability.3. Performance Optimization: Monitor the performance of the etcd cluster and proactively address resource bottlenecks. Regularly tune etcd's configuration parameters to optimize its performance.4. Network Partition Detection: Implement network partition detection mechanisms to identify and handle network splits effectively. Use tools like partition detectors or automated healing systems to minimize the impact of network partitions.In conclusion, a high number of leader changes in etcd can indicate underlying issues with network stability, node failures, performance degradation, or network partitions. Understanding and addressing these challenges through proper monitoring, fault tolerancemechanisms, and performance optimization can ensure the overall stability and availability of etcd in cloud-native applications.。

分布式⽆线传感器⽹络定位算法MDS_MAP_D_2008年6⽉Journal on CommunicationsJune 2008第29卷第6期通信学报 V ol.29 No.6分布式⽆线传感器⽹络定位算法MDS-MAP(D)马震，刘云，沈波（北京交通⼤学通信与信息系统北京市重点实验室，北京 100044）摘要：针对⽆线传感器⽹络的定位问题，提出了⼀种分布式的算法MDS-MAP(D)，明确给出了节点相对坐标计算和局部⽹络融合的过程，并对算法进⾏了计算复杂性分析和仿真。

MDS-MAP(D)以分布式节点分簇为基础，利⽤⽹络的连接关系，在不需要⾼精度测距技术⽀持的条件下对节点坐标进⾏估计，减⼩了节点定位的计算复杂度和能量消耗。

分析与仿真结果表明，算法的计算复杂度由3()O N 下降到2(),O Nm m N <，并且定位精度提⾼了1%～3%。

关键词：⽆线传感器⽹络；定位；多维标度；分布式中图分类号：TP393 ⽂献标识码：A ⽂章编号：1000-436X(2008)06-0057-06Distributed locating algorithm for wireless sensornetworks- MDS-MAP(D)MA Zhen, LIU Yun, SHEN Bo(Key Laboratory of Communication & Information Systems, Beijing Jiaotong University,Beijing Municipal Commission of Education, Beijing 100044, China)Abstract: A new distributed locating algorithm MDS-MAP(D) was proposed, which attempted to improve the perform-ance of node localization in wireless sensor networks. The process of the computation about node relative coordinates and the aggregation from local network to global network are introduced explicitly. Further, the analyses to computational complexity and the simulations of the algorithm are also present. MDS-MAP(D), which is based on node clustering mechanism and uses connectivity of nodes to estimate the coordinates of nodes, reduces the complexity and energy con-sumption of node localization on the absence of distance measurement with high precision. The simulation and analysis results indicate that the complexity of node localization algorithm falls to 2(),O Nm m N < from 3()O N and the accu-racy is improved 1%～3%.Key words: wireless networks; location; multidimensional scaling; distribution1 引⾔⽆线传感器⽹络(WSN, wireless sensor network)技术在最近⼏年得到了迅速发展，正逐渐被⼴泛⽤于军事、交通、环境和⼯业⽣产等领域，完成对温度、湿度、压⼒和速度等许多物理量的测量[1]。

The Chubby lock service for loosely-coupled distributed systemsMike Burrows,Google Inc.AbstractWe describe our experiences with the Chubby lock ser-vice,which is intended to provide coarse-grained lock-ing as well as reliable(though low-volume)storage for a loosely-coupled distributed system.Chubby provides an interface much like a distributedfile system with ad-visory locks,but the design emphasis is on availability and reliability,as opposed to high performance.Many instances of the service have been used for over a year, with several of them each handling a few tens of thou-sands of clients concurrently.The paper describes the initial design and expected use,compares it with actual use,and explains how the design had to be modified to accommodate the differences.1IntroductionThis paper describes a lock service called Chubby.It is intended for use within a loosely-coupled distributed sys-tem consisting of moderately large numbers of small ma-chines connected by a high-speed network.For example, a Chubby instance(also known as a Chubby cell)might serve ten thousand4-processor machines connected by 1Gbit/s Ethernet.Most Chubby cells are confined to a single data centre or machine room,though we do run at least one Chubby cell whose replicas are separated by thousands of kilometres.The purpose of the lock service is to allow its clients to synchronize their activities and to agree on basic in-formation about their environment.The primary goals included reliability,availability to a moderately large set of clients,and easy-to-understand semantics;through-put and storage capacity were considered secondary. Chubby’s client interface is similar to that of a simplefile system that performs whole-file reads and writes,aug-mented with advisory locks and with notification of var-ious events such asfile modification.We expected Chubby to help developers deal with coarse-grained synchronization within their systems,and in particular to deal with the problem of electing a leader from among a set of otherwise equivalent servers.For example,the Google File System[7]uses a Chubby lock to appoint a GFS master server,and Bigtable[3]uses Chubby in several ways:to elect a master,to allow the master to discover the servers it controls,and to permit clients tofind the master.In addition,both GFS and Bigtable use Chubby as a well-known and available loca-tion to store a small amount of meta-data;in effect they use Chubby as the root of their distributed data struc-tures.Some services use locks to partition work(at a coarse grain)between several servers.Before Chubby was deployed,most distributed sys-tems at Google used ad hoc methods for primary elec-tion(when work could be duplicated without harm),or required operator intervention(when correctness was es-sential).In the former case,Chubby allowed a small sav-ing in computing effort.In the latter case,it achieved a significant improvement in availability in systems that no longer required human intervention on failure. Readers familiar with distributed computing will rec-ognize the election of a primary among peers as an in-stance of the distributed consensus problem,and realize we require a solution using asynchronous communica-tion;this term describes the behaviour of the vast ma-jority of real networks,such as Ethernet or the Internet, which allow packets to be lost,delayed,and reordered. (Practitioners should normally beware of protocols based on models that make stronger assumptions on the en-vironment.)Asynchronous consensus is solved by the Paxos protocol[12,13].The same protocol was used by Oki and Liskov(see their paper on viewstamped replica-tion[19,§4]),an equivalence noted by others[14,§6]. Indeed,all working protocols for asynchronous consen-sus we have so far encountered have Paxos at their core. Paxos maintains safety without timing assumptions,but clocks must be introduced to ensure liveness;this over-comes the impossibility result of Fischer et al.[5,§1]. Building Chubby was an engineering effort required tofill the needs mentioned above;it was not research. We claim no new algorithms or techniques.The purpose of this paper is to describe what we did and why,rather than to advocate it.In the sections that follow,we de-scribe Chubby’s design and implementation,and how ithas changed in the light of experience.We describe un-expected ways in which Chubby has been used,and fea-tures that proved to be mistakes.We omit details that are covered elsewhere in the literature,such as the details of a consensus protocol or an RPC system.2Design2.1RationaleOne might argue that we should have built a library em-bodying Paxos,rather than a library that accesses a cen-tralized lock service,even a highly reliable one.A client Paxos library would depend on no other servers(besides the name service),and would provide a standard frame-work for programmers,assuming their services can be implemented as state machines.Indeed,we provide such a client library that is independent of Chubby. Nevertheless,a lock service has some advantages over a client library.First,our developers sometimes do not plan for high availability in the way one would wish.Of-ten their systems start as prototypes with little load and loose availability guarantees;invariably the code has not been specially structured for use with a consensus proto-col.As the service matures and gains clients,availability becomes more important;replication and primary elec-tion are then added to an existing design.While this could be done with a library that provides distributed consensus,a lock server makes it easier to maintain exist-ing program structure and communication patterns.For example,to elect a master which then writes to an ex-istingfile server requires adding just two statements and one RPC parameter to an existing system:One would acquire a lock to become master,pass an additional inte-ger(the lock acquisition count)with the write RPC,and add an if-statement to thefile server to reject the write if the acquisition count is lower than the current value(to guard against delayed packets).We have found this tech-nique easier than making existing servers participate in a consensus protocol,and especially so if compatibility must be maintained during a transition period. Second,many of our services that elect a primary or that partition data between their components need a mechanism for advertising the results.This suggests that we should allow clients to store and fetch small quanti-ties of data—that is,to read and write smallfiles.This could be done with a name service,but our experience has been that the lock service itself is well-suited for this task,both because this reduces the number of servers on which a client depends,and because the consistency fea-tures of the protocol are shared.Chubby’s success as a name server owes much to its use of consistent client caching,rather than time-based caching.In particular, we found that developers greatly appreciated not having to choose a cache timeout such as the DNS time-to-live value,which if chosen poorly can lead to high DNS load, or long client fail-over times.Third,a lock-based interface is more familiar to our programmers.Both the replicated state machine of Paxos and the critical sections associated with exclusive locks can provide the programmer with the illusion of sequen-tial programming.However,many programmers have come across locks before,and think they know to use them.Ironically,such programmers are usually wrong, especially when they use locks in a distributed system; few consider the effects of independent machine fail-ures on locks in a system with asynchronous communi-cations.Nevertheless,the apparent familiarity of locks overcomes a hurdle in persuading programmers to use a reliable mechanism for distributed decision making. Last,distributed-consensus algorithms use quorums to make decisions,so they use several replicas to achieve high availability.For example,Chubby itself usually has five replicas in each cell,of which three must be run-ning for the cell to be up.In contrast,if a client system uses a lock service,even a single client can obtain a lock and make progress safely.Thus,a lock service reduces the number of servers needed for a reliable client system to make progress.In a loose sense,one can view the lock service as a way of providing a generic electorate that allows a client system to make decisions correctly when less than a majority of its own members are up. One might imagine solving this last problem in a dif-ferent way:by providing a“consensus service”,using a number of servers to provide the“acceptors”in the Paxos protocol.Like a lock service,a consensus service would allow clients to make progress safely even with only one active client process;a similar technique has been used to reduce the number of state machines needed for Byzan-tine fault tolerance[24].However,assuming a consensus service is not used exclusively to provide locks(which reduces it to a lock service),this approach solves none of the other problems described above.These arguments suggest two key design decisions:•We chose a lock service,as opposed to a library or service for consensus,and•we chose to serve small-files to permit elected pri-maries to advertise themselves and their parameters, rather than build and maintain a second service. Some decisions follow from our expected use and from our environment:•A service advertising its primary via a Chubbyfile may have thousands of clients.Therefore,we must allow thousands of clients to observe thisfile,prefer-ably without needing many servers.•Clients and replicas of a replicated service may wish to know when the service’s primary changes.Thissuggests that an event notification mechanism would be useful to avoid polling.•Even if clients need not pollfiles periodically,many will;this is a consequence of supporting many devel-opers.Thus,caching offiles is desirable.•Our developers are confused by non-intuitive caching semantics,so we prefer consistent caching.•To avoid bothfinancial loss and jail time,we provide security mechanisms,including access control.A choice that may surprise some readers is that we do not expect lock use to befine-grained,in which they might be held only for a short duration(seconds or less); instead,we expect coarse-grained use.For example,an application might use a lock to elect a primary,which would then handle all access to that data for a consider-able time,perhaps hours or days.These two styles of use suggest different requirements from a lock server. Coarse-grained locks impose far less load on the lock server.In particular,the lock-acquisition rate is usu-ally only weakly related to the transaction rate of the client applications.Coarse-grained locks are acquired only rarely,so temporary lock server unavailability de-lays clients less.On the other hand,the transfer of a lock from client to client may require costly recovery proce-dures,so one would not wish a fail-over of a lock server to cause locks to be lost.Thus,it is good for coarse-grained locks to survive lock server failures,there is little concern about the overhead of doing so,and such locks allow many clients to be adequately served by a modest number of lock servers with somewhat lower availability. Fine-grained locks lead to different conclusions.Even brief unavailability of the lock server may cause many clients to stall.Performance and the ability to add new servers at will are of great concern because the trans-action rate at the lock service grows with the combined transaction rate of clients.It can be advantageous to re-duce the overhead of locking by not maintaining locks across lock server failure,and the time penalty for drop-ping locks every so often is not severe because locks are held for short periods.(Clients must be prepared to lose locks during network partitions,so the loss of locks on lock server fail-over introduces no new recovery paths.) Chubby is intended to provide only coarse-grained locking.Fortunately,it is straightforward for clients to implement their ownfine-grained locks tailored to their application.An application might partition its locks into groups and use Chubby’s coarse-grained locks to allocate these lock groups to application-specific lock servers. Little state is needed to maintain thesefine-grain locks; the servers need only keep a non-volatile,monotonically-increasing acquisition counter that is rarely updated. Clients can learn of lost locks at unlock time,and if a simplefixed-length lease is used,the protocol can be simple and efficient.The most important benefits of thisclient processes5servers of a Chubby cellclientapplicationchubbylibraryclientapplicationchubbylibrary...mRPCs m mastermmmqIFigure1:System structurescheme are that our client developers become responsible for the provisioning of the servers needed to support their load,yet are relieved of the complexity of implementing consensus themselves.2.2System structureChubby has two main components that communicate via RPC:a server,and a library that client applications link against;see Figure1.All communication between Chubby clients and the servers is mediated by the client library.An optional third component,a proxy server,is discussed in Section3.1.A Chubby cell consists of a small set of servers(typi-callyfive)known as replicas,placed so as to reduce the likelihood of correlated failure(for example,in different racks).The replicas use a distributed consensus protocol to elect a master;the master must obtain votes from a majority of the replicas,plus promises that those replicas will not elect a different master for an interval of a few seconds known as the master lease.The master lease is periodically renewed by the replicas provided the master continues to win a majority of the vote.The replicas maintain copies of a simple database,but only the master initiates reads and writes of this database. All other replicas simply copy updates from the master, sent using the consensus protocol.Clientsfind the master by sending master location requests to the replicas listed in the DNS.Non-master replicas respond to such requests by returning the iden-tity of the master.Once a client has located the master, the client directs all requests to it either until it ceases to respond,or until it indicates that it is no longer the master.Write requests are propagated via the consensus protocol to all replicas;such requests are acknowledged when the write has reached a majority of the replicas in the cell.Read requests are satisfied by the master alone; this is safe provided the master lease has not expired,as no other master can possibly exist.If a master fails,the other replicas run the election protocol when their master leases expire;a new master will typically be elected in a few seconds.For example,two recent elections took6s and4s,but we see values as high as30s(§4.1).If a replica fails and does not recover for a few hours,a simple replacement system selects a fresh machine from a free pool and starts the lock server binary on it.It then updates the DNS tables,replacing the IP address of the failed replica with that of the new one.The current mas-ter polls the DNS periodically and eventually notices the change.It then updates the list of the cell’s members in the cell’s database;this list is kept consistent across all the members via the normal replication protocol.In the meantime,the new replica obtains a recent copy of the database from a combination of backups stored onfile servers and updates from active replicas.Once the new replica has processed a request that the current master is waiting to commit,the replica is permitted to vote in the elections for new master.2.3Files,directories,and handlesChubby exports afile system interface similar to,but simpler than that of UNIX[22].It consists of a strict tree offiles and directories in the usual way,with name components separated by slashes.A typical name is:/ls/foo/wombat/pouchThe ls prefix is common to all Chubby names,and stands for lock service.The second component(foo)is the name of a Chubby cell;it is resolved to one or more Chubby servers via DNS lookup.A special cell name local indicates that the client’s local Chubby cell should be used;this is usually one in the same building and thus the one most likely to be accessible.The remain-der of the name,/wombat/pouch,is interpreted within the named Chubby cell.Again following UNIX,each di-rectory contains a list of childfiles and directories,while eachfile contains a sequence of uninterpreted bytes. Because Chubby’s naming structure resembles afile system,we were able to make it available to applications both with its own specialized API,and via interfaces used by our otherfile systems,such as the Google File System.This significantly reduced the effort needed to write basic browsing and name space manipulation tools, and reduced the need to educate casual Chubby users. The design differs from UNIX in a ways that ease dis-tribution.To allow thefiles in different directories to be served from different Chubby masters,we do not expose operations that can movefiles from one directory to an-other,we do not maintain directory modified times,and we avoid path-dependent permission semantics(that is, access to afile is controlled by the permissions on the file itself rather than on directories on the path leading to thefile).To make it easier to cachefile meta-data,the system does not reveal last-access times.The name space contains onlyfiles and directories, collectively called nodes.Every such node has only one name within its cell;there are no symbolic or hard links.Nodes may be either permanent or ephemeral.Any node may be deleted explicitly,but ephemeral nodes are also deleted if no client has them open(and,for directo-ries,they are empty).Ephemeralfiles are used as tempo-raryfiles,and as indicators to others that a client is alive. Any node can act as an advisory reader/writer lock;these locks are described in more detail in Section2.4.Each node has various meta-data,including three names of access control lists(ACLs)used to control reading,writing and changing the ACL names for the node.Unless overridden,a node inherits the ACL names of its parent directory on creation.ACLs are themselves files located in an ACL directory,which is a well-known part of the cell’s local name space.These ACLfiles con-sist of simple lists of names of principals;readers may be reminded of Plan9’s groups[21].Thus,iffile F’s write ACL name is foo,and the ACL directory contains afile foo that contains an entry bar,then user bar is permit-ted to write ers are authenticated by a mechanism built into the RPC system.Because Chubby’s ACLs are simplyfiles,they are automatically available to other ser-vices that wish to use similar access control mechanisms. The per-node meta-data includes four monotonically-increasing64-bit numbers that allow clients to detect changes easily:•an instance number;greater than the instance number of any previous node with the same name.•a content generation number(files only);this in-creases when thefile’s contents are written.•a lock generation number;this increases when the node’s lock transitions from free to held.•an ACL generation number;this increases when the node’s ACL names are written.Chubby also exposes a64-bitfile-content checksum so clients may tell whetherfiles differ.Clients open nodes to obtain handles that are analo-gous to UNIXfile descriptors.Handles include:•check digits that prevent clients from creating or guessing handles,so full access control checks need be performed only when handles are created(com-pare with UNIX,which checks its permissions bits at open time,but not at each read/write becausefile de-scriptors cannot be forged).•a sequence number that allows a master to tell whethera handle was generated by it or by a previous master.•mode information provided at open time to allow the master to recreate its state if an old handle is presented to a newly restarted master.2.4Locks and sequencersEach Chubbyfile and directory can act as a reader-writer lock:either one client handle may hold the lock in exclu-sive(writer)mode,or any number of client handles mayhold the lock in shared(reader)mode.Like the mutexes known to most programmers,locks are advisory.That is,they conflict only with other attempts to acquire the same lock:holding a lock called F neither is necessary to access thefile F,nor prevents other clients from do-ing so.We rejected mandatory locks,which make locked objects inaccessible to clients not holding their locks:•Chubby locks often protect resources implemented by other services,rather than just thefile associated with the lock.To enforce mandatory locking in a meaning-ful way would have required us to make more exten-sive modification of these services.•We did not wish to force users to shut down appli-cations when they needed to access lockedfiles for debugging or administrative purposes.In a complex system,it is harder to use the approach employed on most personal computers,where administrative soft-ware can break mandatory locks simply by instructing the user to shut down his applications or to reboot.•Our developers perform error checking in the conven-tional way,by writing assertions such as“lock X is held”,so they benefit little from mandatory checks.Buggy or malicious processes have many opportuni-ties to corrupt data when locks are not held,so wefind the extra guards provided by mandatory locking to be of no significant value.In Chubby,acquiring a lock in either mode requires write permission so that an unprivileged reader cannot prevent a writer from making progress.Locking is complex in distributed systems because communication is typically uncertain,and processes may fail independently.Thus,a process holding a lock L may issue a request R,but then fail.Another process may ac-quire L and perform some action before R arrives at its destination.If R later arrives,it may be acted on without the protection of L,and potentially on inconsistent data. The problem of receiving messages out of order has been well studied;solutions include virtual time[11],and vir-tual synchrony[1],which avoids the problem by ensuring that messages are processed in an order consistent with the observations of every participant.It is costly to introduce sequence numbers into all the interactions in an existing complex system.Instead, Chubby provides a means by which sequence numbers can be introduced into only those interactions that make use of locks.At any time,a lock holder may request a se-quencer,an opaque byte-string that describes the state of the lock immediately after acquisition.It contains the name of the lock,the mode in which it was acquired (exclusive or shared),and the lock generation number. The client passes the sequencer to servers(such asfile servers)if it expects the operation to be protected by the lock.The recipient server is expected to test whether the sequencer is still valid and has the appropriate mode;if not,it should reject the request.The validity of a sequencer can be checked against the server’s Chubby cache or,if the server does not wish to maintain a ses-sion with Chubby,against the most recent sequencer that the server has observed.The sequencer mechanism re-quires only the addition of a string to affected messages, and is easily explained to our developers.Although wefind sequencers simple to use,important protocols evolve slowly.Chubby therefore provides an imperfect but easier mechanism to reduce the risk of de-layed or re-ordered requests to servers that do not sup-port sequencers.If a client releases a lock in the normal way,it is immediately available for other clients to claim, as one would expect.However,if a lock becomes free because the holder has failed or become inaccessible, the lock server will prevent other clients from claiming the lock for a period called the lock-delay.Clients may specify any lock-delay up to some bound,currently one minute;this limit prevents a faulty client from making a lock(and thus some resource)unavailable for an arbitrar-ily long time.While imperfect,the lock-delay protects unmodified servers and clients from everyday problems caused by message delays and restarts.2.5EventsChubby clients may subscribe to a range of events when they create a handle.These events are delivered to the client asynchronously via an up-call from the Chubby li-brary.Events include:•file contents modified—often used to monitor the lo-cation of a service advertised via thefile.•child node added,removed,or modified—used to im-plement mirroring(§2.12).(In addition to allowing newfiles to be discovered,returning events for child nodes makes it possible to monitor ephemeralfiles without affecting their reference counts.)•Chubby master failed over—warns clients that other events may have been lost,so data must be rescanned.•a handle(and its lock)has become invalid—this typi-cally suggests a communications problem.•lock acquired—can be used to determine when a pri-mary has been elected.•conflicting lock request from another client—allows the caching of locks.Events are delivered after the corresponding action has taken place.Thus,if a client is informed thatfile contents have changed,it is guaranteed to see the new data(or data that is yet more recent)if it subsequently reads thefile. The last two events mentioned are rarely used,and with hindsight could have been omitted.After primary election for example,clients typically need to commu-nicate with the new primary,rather than simply know that a primary exists;thus,they wait for afile modifi-cation event indicating that the new primary has written its address in afile.The conflicting lock event in theory permits clients to cache data held on other servers,using Chubby locks to maintain cache consistency.A notifi-cation of a conflicting lock request would tell a client to finish using data associated with the lock:it wouldfinish pending operations,flush modifications to a home loca-tion,discard cached data,and release.So far,no one has adopted this style of use.2.6APIClients see a Chubby handle as a pointer to an opaque structure that supports various operations.Handles are created only by Open(),and destroyed with Close(). Open()opens a namedfile or directory to produce a handle,analogous to a UNIXfile descriptor.Only this call takes a node name;all others operate on handles. The name is evaluated relative to an existing directory handle;the library provides a handle on”/”that is always valid.Directory handles avoid the difficulties of using a program-wide current directory in a multi-threaded pro-gram that contains many layers of abstraction[18].The client indicates various options:•how the handle will be used(reading;writing and locking;changing the ACL);the handle is created only if the client has the appropriate permissions.•events that should be delivered(see§2.5).•the lock-delay(§2.4).•whether a newfile or directory should(or must)be created.If afile is created,the caller may supply ini-tial contents and initial ACL names.The return value indicates whether thefile was in fact created.Close()closes an open handle.Further use of the han-dle is not permitted.This call never fails.A related call Poison()causes outstanding and subsequent operations on the handle to fail without closing it;this allows a client to cancel Chubby calls made by other threads without fear of deallocating the memory being accessed by them. The main calls that act on a handle are: GetContentsAndStat()returns both the contents and meta-data of afile.The contents of afile are read atom-ically and in their entirety.We avoided partial reads and writes to discourage largefiles.A related call GetStat() returns just the meta-data,while ReadDir()returns the names and meta-data for the children of a directory. SetContents()writes the contents of afile.Option-ally,the client may provide a content generation number to allow the client to simulate compare-and-swap on a file;the contents are changed only if the generation num-ber is current.The contents of afile are always written atomically and in their entirety.A related call SetACL() performs a similar operation on the ACL names associ-ated with the node.Delete()deletes the node if it has no children. Acquire(),TryAcquire(),Release()acquire and release locks.GetSequencer()returns a sequencer(§2.4)that de-scribes any lock held by this handle.SetSequencer()associates a sequencer with a handle. Subsequent operations on the handle fail if the sequencer is no longer valid.CheckSequencer()checks whether a sequencer is valid(see§2.4).Calls fail if the node has been deleted since the han-dle was created,even if thefile has been subsequently recreated.That is,a handle is associated with an instance of afile,rather than with afile name.Chubby may ap-ply access control checks on any call,but always checks Open()calls(see§2.3).All the calls above take an operation parameter in ad-dition to any others needed by the call itself.The oper-ation parameter holds data and control information that may be associated with any call.In particular,via the operation parameter the client may:•supply a callback to make the call asynchronous,•wait for the completion of such a call,and/or •obtain extended error and diagnostic information. Clients can use this API to perform primary election as follows:All potential primaries open the lockfile and attempt to acquire the lock.One succeeds and becomes the primary,while the others act as replicas.The primary writes its identity into the lockfile with SetContents() so that it can be found by clients and replicas,which read thefile with GetContentsAndStat(),perhaps in response to afile-modification event(§2.5).Ideally, the primary obtains a sequencer with GetSequencer(), which it then passes to servers it communicates with; they should confirm with CheckSequencer()that it is still the primary.A lock-delay may be used with services that cannot check sequencers(§2.4).2.7CachingTo reduce read traffic,Chubby clients cachefile data and node meta-data(includingfile absence)in a consis-tent,write-through cache held in memory.The cache is maintained by a lease mechanism described below,and kept consistent by invalidations sent by the master,which keeps a list of what each client may be caching.The pro-tocol ensures that clients see either a consistent view of Chubby state,or an error.Whenfile data or meta-data is to be changed,the mod-ification is blocked while the master sends invalidations for the data to every client that may have cached it;this mechanism sits on top of KeepAlive RPCs,discussed more fully in the next section.On receipt of an invali-dation,a clientflushes the invalidated state and acknowl-。

paxos协议Paxos Protocol。

The Paxos protocol is a consensus algorithm used in distributed systems to ensure the consistency of data across multiple nodes. It was first introduced by Leslie Lamport in 1989 and has since become a fundamental building block for distributed systems.At its core, the Paxos protocol is designed to allow a group of nodes to agree on a single value even in the presence of failures and network partitions. This is crucial for maintaining the integrity and consistency of data in distributed systems, where nodes may fail or become unreachable at any time.The Paxos protocol operates in phases, with each phase serving a specific purpose in the process of reaching a consensus. The three main phases of the Paxos protocol are:1. Prepare Phase: In this phase, a node called the "proposer" sends a prepare request to all other nodes with a proposal number. The nodes then respond with their current highest proposal number and the value associated with it. The proposer then selects the highest proposal number and corresponding value from the responses.2. Accept Phase: If the proposer successfully obtains the highest proposal number and value in the prepare phase, it sends an accept request to all nodes with the chosen value. The nodes then respond with either an acknowledgment or a rejection based on their current state. If the majority of nodes acknowledge the value, the proposer can proceed to the next phase.3. Learn Phase: In this final phase, the proposer informs all nodes of the chosen value, and they update their state accordingly. Once a majority of nodes have acknowledged the value in the accept phase, the consensus is reached, and the chosen value is considered decided.The Paxos protocol ensures safety, meaning that no two nodes will decide on different values, and liveness, meaning that the system will eventually reach a consensus as long as the network is functioning and the nodes are not all faulty.While the Paxos protocol is highly effective in achieving consensus in distributed systems, it is also complex and can be challenging to implement and understand. As a result, variations and simplifications of the Paxos protocol, such as Multi-Paxos and Fast Paxos, have been developed to make it more practical for real-world applications.In conclusion, the Paxos protocol is a crucial tool for achieving consensus in distributed systems, ensuring the consistency and reliability of data across multiple nodes. While it may be complex, its ability to handle failures and network partitions makes it an essential algorithm for building robust and reliable distributed systems.。

2023年考研英语一真题及答案解析之阅读理解Text 1阅读理解：Text 1The weather in Texas may have cooled since the recent extreme heat, but the temperature will be high at the State Board of Education meeting in Austin this month as officials debate how climate change is taught in Texas schools.Pat Hardy, who sympathized with views of the energy sector, is resisting the proposed change to science standards for pre-teen pupils. These would emphasise the primacy of human activity in recent climate change and encourage discussion of mitigation measures.Most scientists and experts sharply dispute Hardy’s views. “They casually dismiss the career work of scholars and scientists as just another misgui ded opinion.” says Dan Quinn, senior communications strategist at the Texas Freedom Network, a non-profit group that monitors public education，“What millions of Texas kids learn in their public schools is determined too often by the political ideology of partisan board members, rather than facts and sound scholarship.”Such debate reflects fierce discussion discussions across the US and around the world, as researchers, policymakers, teachers and students step up demands for a greater focus on teaching about the facts of climate change in schools.A study last year by the National Center for Science Education, a non-profit group of scientists and teachers, looking at how state public schools across the country address climate change in science classes, gave barely half of US states a grade B+ or higher. Among the 10 worst performers were some of the most populous states, including Texas, which was given the lowest grade (F) and has a disproportionate influence because its textbooks are widely sold elsewhere.Glenn Branch, the centre’s deputy director, cautions that setting state-level science standards is only one limited benchmark in a country that decentralises decisions to local school boards. Even if a state is considered a high performer in its science st andards, “that does not mean it will be taught”, he says.Another issue is that while climate change is well integrated into some subjectsand at some ages — such as earth and space sciences in high schools — it is not as well represented in curricula for younger children and in subjects that are more widely taught, such as biology and chemistry. It is also less prominent in many social studies courses.Branch points out that, even if a growing number of official guidelines and textbooks reflect scientific consensus on climate change, unofficial educational materials that convey more slanted perspectives are being distributed to teachers. They include materials sponsored by libertarian think-tanks and energy industry associations.21. In paragraph 1, the weather in Texas is mentioned to答案：C. indicate the atmosphere at the board meeting22. What does Quinn think of Hardy?答案：B. She denies the value of scientific work.23. The study mentioned in Paragraph 5答案：A. Climate education is insufficient at state public school24. According to Branch, state-level science standards in the US答案：C. have limited influence25. It is implied in the last paragraph that climate change teaching in some schools答案：D. can be swayed by external forces。

第27卷㊀第4期2023年4月㊀电㊀机㊀与㊀控㊀制㊀学㊀报Electri c ㊀Machines ㊀and ㊀Control㊀Vol.27No.4Apr.2023㊀㊀㊀㊀㊀㊀电能路由器交流侧模块化变流器分布式一致性协同控制施永,㊀张立博,㊀解宝,㊀苏建徽(合肥工业大学教育部光伏系统研究工程中心,安徽合肥230009)摘㊀要:针对电能路由器交流侧模块化变流器的协同控制,以及孤岛运行模式下提高系统频率稳定性的需求,提出基于虚拟同步机算法的电能路由器交流侧变流器本地控制策略,以及基于一致性算法的变流器分布式二次控制策略,实现了系统频率与电压的二次控制以及有功㊁无功功率按比例分配控制㊂所提分布式一致性协同控制策略结合了多智能体理论,只需建立稀疏通信网络完成相邻分布式发电单元的信息交互,系统灵活性高㊁冗余性好,可做到变流器模块即插即用,不受线路阻抗因素干扰,改进变流器的功率分配精度㊂最后,结合半实物实时仿真机和DSP 控制板搭建了三电平变流器的半实物实验平台,实验结果验证了所提控制策略的有效性㊂关键词:电能路由器;虚拟同步机;模块化接口;分布式二次控制;多智能体理论;功率均分DOI :10.15938/j.emc.2023.04.005中图分类号:TM464文献标志码:A文章编号:1007-449X(2023)04-0043-12㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀收稿日期:2022-07-08基金项目:中央高校基本科研业务费专项资金(PA2022GDGP0032);国家自然科学基金(51907045)作者简介:施㊀永(1985 ),男,博士,副教授,研究方向为可再生能源与微电网技术;张立博(1997 ),男,硕士研究生,研究方向为微电网控制;解㊀宝(1992 ),男,博士,研究方向为新能源并网发电控制;苏建徽(1963 ),男,博士,教授,博士生导师,研究方向为新能源发电技术㊂通信作者:张立博Distributed consistent coordinated control of modular converterson AC side of electric power routerSHI Yong,㊀ZHANG Libo,㊀XIE Bao,㊀SU Jianhui(Engineering Research Center of Ministry of Education of Photovoltaic System,Hefei University of Technology,Hefei 230009,China)Abstract :In order to realize the cooperative control of the modular converters on the AC side of the power router and to improve the frequency stability of the system in the island operation mode,a local control strategy for the converters on the AC side of the power router based on the virtual synchronous machine al-gorithm is proposed,and a consensus-based distributed secondary-control strategy of the converter based on the algorithm realizes the secondary control of the system frequency and voltage and the proportionaldistribution control of active and reactive power.The proposed distributed consensus-based cooperative control strategy combined with the multi-agent theory only needs to establish a sparse communication net-work to complete the information interaction between adjacent distributed power generation units.The sys-tem has high flexibility and good redundancy,and the converter module can support plug and play.It is not disturbed by line impedance factors and improves the power distribution accuracy of the converter.Fi-nally,a hardware-in-the-loop experimental platform of the three-level converter was built by combiningthe hardware-in-the-loop real-time simulator and the DSP control board.The experimental results verifythe effectiveness of the proposed control strategy.Keywords:electric power router;virtual synchronous machine;modular interface;distributed secondary control;multi-agent theory;power sharing0㊀引㊀言分布式发电因其具有合理消纳可再生能源的能力而在电力系统中的渗透率不断提高[1-4]㊂电能路由器(electric power router,EPR)作为能源互联网的核心装置,可以采集系统中的电气量,具备通信功能,能够主动进行潮流控制[5-9]㊂由分布式电源(distributed generation,DG)㊁负荷㊁储能以及控制装置汇集而成的电能路由器将在未来的电网能量管理㊁功率控制中起到关键作用㊂本文针对电能路由器交流侧模块化变流器稳定运行的关键问题进行研究㊂基于电力电子变换器构建的电能路由器由于其低惯性特点,系统的频率稳定性较差,且随着电能路由器以及其他基于电力电子变换器的分布式电源大量接入大电网,大电网的惯性势必会降低,进而影响整个电网的频率稳定性㊂虚拟同步发电机(virtual synchronous generator,VSG)技术模拟同步发电机转子惯性与阻尼特性[10-12],目前在微电网领域以及新能源发电领域都得到越来越广泛的应用㊂含调速器和励磁调节器的虚拟同步机控制是频率电压有差控制,在多机并联供电时,为提高供电频率和电压的稳定性,通常引入二次频率㊁电压控制㊂目前文献研究的二次频率㊁电压控制有集中式和分布式控制两大类㊂其中集中式控制的系统中,有一个中央控制器与系统内所有参与调频调压的分布式电源进行双向通信㊂中央控制器读取分布式电源的状态,并将二次调频㊁调压控制器运行的功率或者频率电压参考指令下发给变流器㊂这种结构的优点是控制原理简单,缺点是系统的二次控制的可靠性依赖于中央控制器的可靠性㊂另外在系统扩容的情况下,中央控制器的通信量和数据处理量会大大增加,系统的容量也会受限于中央控制器的运算处理能力[13-15]㊂随着通信技术的发展,分布式控制被引入到二次频率电压控制领域㊂例如文献[16]提出平均一致性概念,通过将各DG获取的频率和电压的平均值与系统参考值的误差信息传给每个DG对应的一次控制器来弥补频率与电压的偏差,不需要中央控制器,提高了系统的可靠性,但其通信结构仍较复杂㊂文献[17-18]提出了基于多智能体一致性算法的频率㊁电压二次控制,仅需相邻分布式电源间交换数据,通信结构简单,但未考虑各DG间功率均分以及线路阻抗不匹配对频率与电压二次控制的影响㊂文献[19-20]基于一致性算法在实现系统频率㊁电压二次控制的同时保证各DG承担功率按容量比例分配,但需要额外的虚拟阻抗控制,增加系统控制参数设计的难度,同时微电网中具体线路参数较难获取㊂由于传统一致性算法下电压控制策,文献[21-22]通过将预测机制整合到分布式发电中,二次控制被转换为分布式模型预测控制的跟踪器一致性问题,但相关参数的设计较为复杂㊂文献[23-25]中电能路由器交流侧接口为单一的三相桥式拓扑结构,仅适用于低压小功率场合㊂上述研究中,分布式频率㊁电压二次控制中功率均分易受到线路阻抗因素的干扰,同时电能路由器交流侧接口多为单一拓扑结构,不适用于中高压大功率场合㊂基于现有研究成果提出了一种基于频率㊁电压邻居通信的分布式一致性二次控制策略,对VSG控制中等效虚拟机械功率按容量比例进行一致性控制来保证有功功率均分,对输出无功按容量比例进行一致性控制来保证无功功率均分㊂本文无须保证各DG的等效输出阻抗成比例设置,在满足频率㊁电压的无差控制下,实现功率的按比例分配㊂最后通过理论分析和硬件在线仿真实验平台验证所提控制策略的正确性和有效性㊂1㊀VSG与多机并联控制策略研究1.1㊀电能路由器拓扑结构含多种交直流接口变换器以及通信和电能路由器控制系统的电能路由器拓扑结构如图1所示㊂为实现电能路由器的灵活配置,本文所研究电能路由器各交直流接口均采用即插即用的模块化结构,交流侧接口变流器是电能路由器运行的关键部件,本文针对接口变流器的模块控制算法以及多模块并联的协同控制进行研究㊂以6个三电平模块并44电㊀机㊀与㊀控㊀制㊀学㊀报㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀第27卷㊀联结构为例进行分析,每个变流器模块均为独立控制,模块之间通过菊花链结构通信网络相连,模块之间只需要交换相邻设备数据,保证了模块数量变化的时候,每个模块通信数据量以及算法的计算量不会发生变化,系统灵活性高,易于扩展,模块化交流侧接口变流器一端连接于电能路由器内部直流母线,一端连接于交流母线,交流母线通过接口断路器与电网相连,通过接口断路器的控制,可实现电能路由器并网运行与孤岛运行模式的相互切换㊂在电能路由器与配电网断开的情况下,电能路由器可作为一独立运行的弱电网系统,为系统交直流负荷供电㊂图1㊀电能路由器拓扑结构Fig.1㊀Electric power router topology1.2㊀电能路由器拓扑结构虚拟同步机控制算法可以将变流器输出特性模拟成具有惯性和阻尼的同步机特性,且是一种既可以实现并网也可以离网运行的控制算法㊂因此本文将虚拟同步机控制算法引入到交流侧接口变流器的控制中㊂电能路由器交流侧拓扑结构以及VSG 控制结构如图2所示㊂图2㊀单台VSG 整体控制结构Fig.2㊀Overall control structure of a single VSG图2中U dc 为电能路由器中的DC 母线,本文以恒定电压源替代㊂本文选用三电平拓扑,C 1和C 2为直流侧分压电容㊂L f1为逆变侧滤波电感,C f 为滤波电容,L f2为输出侧滤波电感㊂VSG 控制结构包括有功-频率控制㊁无功-电压控制㊁参考电压生成模块㊁电压电流内环模块以及调制发波模块㊂同步发电机的转子具备惯性,能阻止系统频率突变,根据其转子运动方程,将转动惯量引入到分布式电源的控制算法中,从而模拟出同步发电机的转子特性,得到分布式电源的有功-频率控制方程为JdΔωd t =P m ω0-P e ω0-D (ω-ω0);dΔδd t=ω-ω0㊂üþýïïïï(1)式中:ω㊁ω0分别为实际和额定转子角速度;J 和D 分别为转动惯量和阻尼系数;P m ㊁P e 分别为虚拟机械功率和电磁功率㊂原动机调节方程为P m =P ref +K ω(ω0-ω)㊂(2)式中:P ref 为给定有功;K ω为有功 频率调差系数㊂联立式(1)㊁式(2)可得ω0-ωP ref -P e =-1Jω0s +Dω0+K ω=-m P τs +1;(3)τ=Jω0Dω0+K ω;m P =1Dω0+K ω㊂üþýïïïï(4)式中:τ为一阶惯性时间常数;m p 为等效有功下垂系数㊂由上式可知将转子运动方程引入到变流器控制策略中可以为系统提供惯性和阻尼支撑㊂在调压控制方面,VSG 控制主要基于无功-电压下垂控制,使得变流器具备一次调压特性,其表达式为U ref =U N +m Q (Q ref -Q )㊂(5)式中:U N 为额定电压;U ref 为VSG 输出参考电压幅值;Q ref ㊁Q 分别为给定无功和输出无功;m Q 为无功-电压下垂系数㊂由VSG 基本原理可得VSG 功率外环控制的框图如图3所示㊂图3㊀VSG 控制结构Fig.3㊀VSG control structure54第4期施㊀永等:电能路由器交流侧模块化变流器分布式一致性协同控制VSG 控制的设计思路是在SG 模型的基础上加入调频和调压控制,在稳定频率和电压的同时,通过模拟SG 的转子惯性来提高系统的频率稳定性㊂1.3㊀多VSG 并联功率分配本文以电能路由器交流侧接口为背景,建立了6台VSG 并联的主电路拓扑结构㊂为简化分析,本文以两机并联模型为例分析功率分配㊂图4中E i 和θi 分别为VSG 电压幅值和相角,U L 为负载两端电压,I i 和I L 分别为VSG 输出电流和负载电流,Z i =R i +X i 为传输阻抗(线路阻抗与等效输出阻抗之和),阻抗角设为φi ,Z L 为公共负载,S i ㊁P i ㊁Q i 为VSG 视在㊁有功及无功功率㊂VSG 并联时功率传输方程为P i =U i U L cos(φi -θi )-U 2L cos φi Z i ;Q i =U i U L sin(φi -θi )-U 2L sin φiZ i㊂üþýïïïï(6)图4㊀VSG 孤岛并联等效电路图Fig.4㊀Equivalent circuit diagram of VSG island inparallel由式(6)可以看出,传输功率受电压幅值㊁相角和传输阻抗三者影响,且功率之间出现耦合,不利于系统的稳定运行㊂电能路由器的各变流器输出端口直接并联,不用经过很长的传输线,故可以省略线路阻抗,但由于多机并联稳定性的影响,需要在各变流器输出端口接入电感,由于篇幅限制,这一部分不过多阐述㊂设置传输阻抗为感性,此时Z i =jX i ,θ很小,近似认为sin θ=θ,得:P i =E i UL X iθi ,;Q i =U L (E i -U L )X i㊂üþýïïïï(7)由上式可知当传输阻抗呈感性时,有功P i 与θi 正相关,无功Q i 与(E i -U L )正相关㊂若要实现多机并联系统稳定运行,则参数需满足一定限制条件,假设2台VSG 的容量分别为S ∗1与S ∗2,容量比为1ʒN ,得S ∗1S ∗2=P ref1P ref2=Q ref1Q ref2=1N ㊂(8)若要满足功率按照容量分配,则VSG 输出功率需满足:P 1P 2=Q 1Q 2=1N㊂(9)为保证系统稳定运行,并联VSG 需有相同的频率ω和电压幅值E ,即ω1=ω2;E 1=E 2㊂}(10)将上式下垂方程变形为ωi =ω0-P ref1-P miK ωi;E 1=E ref -K qi (Q ref i-Q i )㊂üþýïïï(11)联立式(9)㊁式(10)㊁式(11),若要实现孤岛并联时功率按照容量分配,则需将有功-频率下垂系数设置为容量正比,无功-电压下垂系数设置为容量反比:K ω1K ω2=m Q2m Q1=1N㊂(12)多VSG 并联时,为避免功率抢发,惯性常数τ需设置相同,即τ1=τ2㊂(13)可得等效调频系数m 1和m 2之间满足m 1m 2=N ;(14)J 1ω0D 1ω0+K ω1=J 2ω0D 2ω0+K ω2;D 1ω0+K ω1D 2ω0+K ω2=1N㊂üþýïïïï(15)整理得J 1J 2=D 1D 2=1N㊂(16)同时将传输阻抗与容量呈反比设置来保证各变流器传输阻抗上得电压降相同,即X 2X 1=1N㊂(17)由上述分析可得出若使功率按照容量均分,需满足K ω1K ω2=m Q2m Q1=J 1J 2=D 1D 2=X 2X 1=1N㊂(18)2台DG 并联的结论可以推广至多台变流器并联,不同容量VSG 并联时,须满足的条件为:虚拟同64电㊀机㊀与㊀控㊀制㊀学㊀报㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀第27卷㊀步电抗㊁无功-电压下垂系数须和容量比成反比关系;虚拟转动惯量㊁阻尼系数㊁有功-频率调差系数须和容量比成正比关系㊂2㊀基于一致性的分布式协同控制2.1㊀分布式二次控制针对多变流器并联的电能路由器系统,借鉴传统电力系统的分层分级协同控制理论,提出了分布式分层协同控制体系结构如图5所示㊂图5㊀分布式分层控制结构Fig.5㊀Distributed hierarchical control structure在该分层控制体系结构中,按照功能将电能路由器系统分为本地控制层和二次控制层㊂本地控制主要进行DG 控制,通过检测变流器输出的电压电流量,经VSG 控制,电压电流内环控制以及PWM 发波,最后将所得控制信号送往变流器中;而二次控制对频率偏差以及电压偏差进行修正㊂电能路由器分布式分层控制系统中,本地控制器和二次控制器结合在一起,嵌入在每个DG 单元中,同时每个DG 单元独立控制,所有的二次控制器通过网络连接在一起,使得电能路由器易于实现标准化和模块化并联㊂两种通信拓扑结构如图6所示㊂图6㊀两种通信拓扑结构Fig.6㊀Two communication topologies模块化并联使拓扑结构变化,为了控制这种网络化系统,需要一种鲁棒算法使得系统在通信受限情况下仍能够正常运行,关键是寻找有效的分布式控制算法嵌入在分布式二次控制器中以实现多智能体的协同控制㊂为此,本文采用分布式一致性算法设计控制系统,控制系统中的每个节点单元只需要与其相邻的节点单元进行通信,即可得到全局的平均值,实现全局信息的一致性,从而减轻通信系统的负担㊂2.2㊀多智能体协调分布式理论若DG 间存在通信连接,并将DG 视为智能体通信网络中的节点,在分布式一致性控制中,令x i 代表节点i 的状态变量,节点只与其相邻节点通信,状态变量x i 可以表示为实际系统的频率㊁电压等物理量㊂节点状态x i 仅取决于自身以及相邻节点的状态x j ,最终达到所有节点状态的一致㊂为了使得多智能体系统达到各个分布式单元之间的一致性,需要针对系统中的某个参数(信息状态),设计一套所有单元共同遵守的算法,这种算法就称为一致性算法㊂分布式二次控制采用分布式一致性算法构造状态观测器,以此获得频率㊁电压的全局平均参考值,然后将这个平均参考值送往本地控制系统中,并作为校正偏差量的一致参考值,对本地控制系统中由于传统的VSG 控制产生的频率/电压偏差进行修正,从而实现频率㊁电压的无静差控制㊂当且仅当所有节点的状态变量相同时,系统达到一致收敛,一致性算法如下式:x ㊃i (t )=ðj ɪNia ij (x j (t )-x i (t ));(19)x -i (t )=x i +ʏðj ɪN ia ij(x -j(t )-x -i(t ))d t ㊂(20)式中,i =1,2, ,n ,若节点i 与节点j 之间有链路,则a ij =1,反之则为0㊂毯x j (t )㊁毯x i (t )分别为在节点j 和节点i 上由一致性算法得到的各状态变量对应的平均值㊂在二次控制层中各DG 反馈控制量为一致性算法得到的平均值,可在低带宽稀疏通信网络下实现,具有较高的鲁棒性㊂由此可得到基于一致性算法的二次控制补偿量计算原理图如图7所示㊂图7㊀基于分布式一致性算法的补偿量计算原理图Fig.7㊀Schematic diagram of compensation amountcalculation based on distributed consensus algorithm74第4期施㊀永等:电能路由器交流侧模块化变流器分布式一致性协同控制本文采取的电能路由器系统的通信网络是图6分布式拓扑结构所示双向环网结构,即每个DG 可以直接与其相邻的DG 通信㊂在上式的基础上设计输出频率一致性控制算法为f -i (t )=f i +ʏðj ɪN ia ij(f -j(t )-f -i(t ))d t ㊂(21)设计输出电压一致性控制算法为u -i (t )=u i +ʏðj ɪN ia ij(u -j(t )-u -i(t ))d t ㊂(22)由多VSG 并联功率分配理论可知各DG 输出功率按照容量比例均分的前提是线路阻抗与容量呈反比设置㊂但实际中各DG 等效输出阻抗无法做到严格与容量比呈反比设置,会存在偏差,影响变流器功率分配精度㊂本文频率㊁电压一致性控制算法中生成的频率㊁电压平均值反馈量与给定参考值通过PI 控制器进行分布式二次控制㊂由于各DG 频率㊁电压的二次控制中PI 调节器的存在,DG 二次控制环节PI 控制器的输出Δp i ,Δu i 没有固定的比例关系,导致稳态时各DG 输出的有功功率和无功功率也没有确定的比例关系,功率在各DG 间的分配不确定㊂由传统电力系统的一次调频和二次调频原理可知:因为二次频率控制一个补偿量的引入导致各VSG 等效输入虚拟机械功率不确定而使得有功不均分,若保证各DG 等效输入的虚拟机械功率和容量成比例,则可以保证各DG 有功按照容量分配㊂受一致性分布式频率二次控制思想启发,笔者提出一种对等效输入虚拟机械功率采用一致性的控制策略,保证各DG 输入虚拟机械功率按照容量比例趋于一致,即满足P m 1K ω1=P m 2K ω2= =Pmn K ωn㊂(23)式中:P mn 为各VSG 生成的等效虚拟机械功率;K ωn 为各VSG 的有功 频率调差系数㊂设计输出有功功率一致性控制算法为ΔP i (t )=ʏðj ɪNia ij (P mj (t )K ωj -P mi (t )K ωi)d t ㊂(24)图3所示VSG 无功电压环,二次电压控制来保证VSG 输出的参考电压幅值控制在额定电压幅值,由于PI 项的存在,分布式二次电压控制输出的补偿项不确定,于是使得各DG 调速器环节经过无功-电压下垂系数的量不确定,导致无功功率的分配不确定㊂由于各DG 间输出无功功率的分配应满足m Q1Q 1=m Q2Q 2= =m Q n Q n ㊂(25)式中:Q n 为各DG 的无功功率;m Q n 为各VSG 的无功-电压下垂系数㊂设计输出无功功率一致性控制算法为ΔQ i (t )=ʏðj ɪN ia ij(Q j(t )mQ j-Q i (t )m Q i )d t ㊂(26)将上述所提出的频率㊁电压㊁功率一致性控制算法与VSG 控制相结合可得图8所示基于一致性分布式二次控制框图㊂图8㊀基于一致性分布式二次控制框图Fig.8㊀Block diagram of secondary control based on distributed consistency㊀㊀在实现系统各DG 输出频率㊁电压二次控制的基础上提出对VSG 控制环中等效虚拟机械功率按比例进行一致性控制来实现各DG 有功均分,对各DG 输出无功功率按比例进行一致性控制来实现各84电㊀机㊀与㊀控㊀制㊀学㊀报㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀第27卷㊀DG 无功均分㊂本文所提分布式二次控制策略中控制反馈的是各DG 自身以及通信邻居通过一致性算法得出的电气量而非集中式控制的中央控制器统一下发的反馈量,可靠性高,可在稀疏通信网络下实现,具有较强鲁棒性㊂3㊀仿真分析搭建电能路由器交流侧接口的仿真模型如图9所示,以验证所提一致性分布式二次控制策略的有效性㊂图9㊀含6台DG 的系统仿真测试结构Fig.9㊀System simulation test structure with 6DGs图中6台DG 并联孤岛模式下运行,L f1为逆变侧滤波电感,C f 为滤波电容,L f2为输出侧滤波电感,由于电能路由器各DG 输出端口直接并联在一起,故忽略线路阻抗㊂增加电感Z n 来保证多VSG 变流器并联稳定性㊂设置系统额定频率为50Hz,输出线电压有效值为400V㊂DG 间通信拓扑为图6分布式拓扑结构所示㊂微电网各DG 仿真参数与控制系统参数按照式(18)与容量成比例设置如表1和表2所示㊂表1㊀各DG 系统参数Table 1㊀Parameters of each DG system参数DG1&DG2DG3&DG4DG5&DG6直流电压U dc /V 150015001500逆变侧滤波电感L f1/mH 111滤波电容C f /μF 101010输出侧滤波电感L f2/mH 0.20.20.2输出电感Z n /mH 2㊀4/1.84/1.6㊀4/1.44/1.2㊀4额定容量S /kW100㊀9080㊀7060㊀50表2㊀控制系统参数Table 2㊀Control system parameters参数DG1&DG2DG3&DG4DG5&DG6有功-频率调差系数K ω2/1.57ˑ10-41.6/1.57ˑ10-41.2/1.57ˑ10-41.8/1.57ˑ10-41.4/1.57ˑ10-41/1.57ˑ10-4无功-电压下垂系数m Q (1/2)ˑ10-5(1/1.6)ˑ10-5(1/1.2)ˑ10-5(1/1.8)ˑ10-5(1/1.4)ˑ10-51ˑ10-5转动惯量J 0.2㊀0.180.16㊀0.140.12㊀0.1阻尼系数D40㊀3632㊀2824㊀20算例一:负载变化6台并联运行的DG 均启动于VSG 一次控制和本文所提基于一致性的分布式频率㊁电压二次控制策略,在0~1s 负载有功为300kW,在1s 时投入有功为60kW 的额外负载,仿真结果如图10所示㊂图10㊀负载变化仿真结果Fig.10㊀Load variation simulation results从图10(a)㊁图10(b)可以看出,只有VSG 一次控制作用时,在有负载扰动情况下各DG 输出频率和电压会发生改变,同时图10(a)中输出频率超出94第4期施㊀永等:电能路由器交流侧模块化变流器分布式一致性协同控制了安全运行范围,DG输出频率㊁电压存在着越限的问题㊂由仿真结果可以看出频率和电压跌落幅度较小,动态响应过程较为缓慢,体现了VSG控制策略为系统增加了惯性与阻尼的特性㊂同时由仿真结果可知一次控制是有差控制,在有负载功率扰动的情况下,系统频率㊁电压与额定值存在偏差,所以进行电能路由器交流侧二次控制有重要意义㊂从图10(c)㊁图10(d)可以看出,增加了一致性分布式频率㊁电压二次控制时,各DG输出频率㊁电压可以稳定在参考值㊂在1s有负载功率扰动的情况下各DG输出频率和电压会偏离参考值,但由于二次控制的作用,在较短时间内就会恢复到参考值,使频率㊁电压运行在安全范围,保证系统安全稳定运行㊂算例二:线路阻抗变化对比实验由多VSG并联功率分配理论可知各DG输出功率按照容量比例均分的前提是线路阻抗与容量呈反比设置㊂电能路由器的各变流器输出端口直接并联,不用经过很长的传输线,故可以省略线路阻抗,但由于多机并联稳定性的影响,需要在各变流器输出端口接入电感,如表1中各DG输出电感所示㊂但实际中各DG等效输出阻抗无法严格做到与容量比呈反比设置,会存在偏差,影响变流器功率分配精度,同时由于频率㊁电压二次控制环节中PI调节器的存在,导致稳态时各DG输出的有功功率和无功功率没有确定的比例关系㊂本文在分布式频率㊁电压二次控制的基础上提出基于一致性的功率控制策略㊂6台DG并联运行在基于一致性算法的分布式二次频率㊁电压控制策略的基础上,对是否增加一致性功率控制进行对比仿真实验㊂DG2的输出电感设置为4/1.9mH㊁DG3的输出电感设置为4/1.7mH,在0~1s负载有功为300kW,在1s时投入有功为60kW的额外负载,仿真结果如图11所示㊂从图11(a)㊁图11(b)可以看出,DG2㊁DG3等效输出阻抗未按照容量比例进行设置时,同时由于频率㊁电压二次控制环节中PI调节器的存在,导致稳态时各DG输出的有功功率和无功功率没有确定的比例关系,输出的有功和无功不能按照容量比例分配㊂在分布式频率㊁电压二次控制的基础上增加基于一致性功率控制策略,从图11(c)㊁图11(d)可以看出,DG2㊁DG3等效输出阻抗即使未严格按照容量比例进行设置时,输出的有功和无功在功率控制下可以实现按照容量比例分配㊂从图11(e)㊁图11(f)可以看出,在1s有负载功率扰动的情况下各DG输出频率和电压会偏离参考值,但由于二次控制的作用,在较短时间内仍然可以恢复到参考值,实现频率㊁电压二次控制,使频率㊁电压运行在安全范围,保证系统安全稳定运行,验证了本文所提基于一致性分布式控制策略的有效性㊂图11㊀线路阻抗变化对比实验仿真结果Fig.11㊀Comparison of experimental simulation results of line impedance changes05电㊀机㊀与㊀控㊀制㊀学㊀报㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀㊀第27卷㊀算例三:分布式控制可靠性仿真实验在算例三以6台并联运行的DG 均启动基于一致性算法的分布式二次频率㊁电压㊁功率控制策略的基础上,模拟有DG 突然发生故障,切除运行的工况下,分布式控制是否可靠,系统能否继续稳定运行㊂仿真在0~1s 负载有功为300kW,在1s 时投入有功为60kW 的额外负载,1.5s 时DG1变流器模块发生故障,从系统中断开,仿真结果如图12所示㊂图12㊀分布式控制可靠性仿真结果Fig.12㊀Distributed control reliability simulation results集中式控制中易受到单点故障的影响,中央控制器一旦发生故障便会影响整个系统的安全稳定运行㊂由图5分布式控制构架可知,本地控制器和二次控制器结合在一起,嵌入在每个DG 单元中,DG 单元独立控制,所有的二次控制器通过网络连接在一起,当有DG 发生故障不会影响系统中其余DG 的运行,有更高的可靠性㊂从图12(a)㊁图13(b)可以看出在1.5s 时断开DG1之前各DG 已经经过调节运行在稳定状态,1.5s 时DG1发生故障从系统中断开,其他5台DG 输出的频率和电压经过较短时间内调节仍然可以稳定在参考值,从图12(c)㊁图12(d)可以看出在1.5s 时DG1从系统中断开,DG1的有功㊁无功功率会跌落至0,其余5台DG 产生更多的功率以补偿由DG1断开运行对功率分配的影响,同时仍然可以按照比例分担负载功率㊂由此验证了本文所提基于一致性分布式二次控制策略在有DG 发生故障的情况下系统其余DG 仍可稳定运行,有较高可靠性㊂4㊀实验验证基于分布式模块邻居通信的一致性算法,在理论上可以选取3台变流器模块为最小多机并联实验单位来验证一致性算法的正确性㊁有效性㊂在6台变流器并联仿真分析的基础上,以仿真分析表1和表2中DG1㊁DG2㊁DG3参数作为实验主电路参数,在以DSP(TMS320F28335)为核心控制器的半实物实验平台上进行实验分析验证,其中DG1的控制算法位于DSP 控制板中,其余2台变流器控制算法位于半实物仿真控制器中㊂首先进行基于一致性的分布式二次控制策略下3台变流器在恒定负载工况实验,示波器记录的输出电压㊁电流及有功㊁无功功率情况如图13所示㊂由图13(a)㊁图13(b)可以看出,单台变流器输出相电压幅值为326V,输出相电流幅值为100A 左右,符合主电路设置参数㊂由图13(c)㊁图13(d)可以看出,3台变流器模块并联实验运行过程中,输出功率按照各变流器模块容量比例进行分配,实现了功率均分㊂为了验证系统负载功率扰动情况下3台变流器模块并联运行变化,在系统稳定运行过程中突加额外负载,系统输出频率㊁电压幅值以及各变流器输出有功㊁无功的动态变化如图14所示㊂由仿真分析结果可以看出在基于一致性的分布式二次协同控制策略下,二次调频㊁调压控制算法使得变流器输出频率㊁电压幅值在系统受到扰动时幅值变化微小,动态响应较快㊂由图14(a)可以看出,3台变流器模块在发生负载变化时其输出频率稳定15第4期施㊀永等:电能路由器交流侧模块化变流器分布式一致性协同控制。

On Lattices,Learning with Errors,Random Linear Codes,and CryptographyOded Regev∗May2,2009AbstractOur main result is a reduction from worst-case lattice problems such as G AP SVP and SIVP to a certain learning problem.This learning problem is a natural extension of the‘learning from parity witherror’problem to higher moduli.It can also be viewed as the problem of decoding from a random linearcode.This,we believe,gives a strong indication that these problems are hard.Our reduction,however,isquantum.Hence,an efficient solution to the learning problem implies a quantum algorithm for G AP SVPand SIVP.A main open question is whether this reduction can be made classical(i.e.,non-quantum).We also present a(classical)public-key cryptosystem whose security is based on the hardness of the learning problem.By the main result,its security is also based on the worst-case quantum hardness ofG AP SVP and SIVP.The new cryptosystem is much more efficient than previous lattice-based cryp-tosystems:the public key is of size˜O(n2)and encrypting a message increases its size by a factor of˜O(n)(in previous cryptosystems these values are˜O(n4)and˜O(n2),respectively).In fact,under theassumption that all parties share a random bit string of length˜O(n2),the size of the public key can bereduced to˜O(n).1IntroductionMain theorem.For an integer n≥1and a real numberε≥0,consider the‘learning from parity with error’problem,defined as follows:the goal is tofind an unknown s∈Z n2given a list of‘equations with errors’s,a1 ≈εb1(mod2)s,a2 ≈εb2(mod2)...where the a i’s are chosen independently from the uniform distribution on Z n2, s,a i =js j(a i)j is theinner product modulo2of s and a i,and each equation is correct independently with probability1−ε. More precisely,the input to the problem consists of pairs(a i,b i)where each a i is chosen independently and∗School of Computer Science,Tel Aviv University,Tel Aviv69978,Israel.Supported by an Alon Fellowship,by the Binational Science Foundation,by the Israel Science Foundation,by the Army Research Office grant DAAD19-03-1-0082,by the European Commission under the Integrated Project QAP funded by the IST directorate as Contract Number015848,and by a European Research Council(ERC)Starting Grant.uniformly from Z n 2and each b i is independently chosen to be equal to s ,a i with probability 1−ε.The goal is to find s .Notice that the case ε=0can be solved efficiently by,say,Gaussian elimination.This requires O (n )equations and poly(n )time.The problem seems to become significantly harder when we take any positive ε>0.For example,let us consider again the Gaussian elimination process and assume that we are interested in recovering only the first bit of s .Using Gaussian elimination,we can find a set S of O (n )equations such that S a i is (1,0,...,0).Summing the corresponding values b i gives us a guess for the first bit of s .However,a standard calculationshows that this guess is correct with probability 12+2−Θ(n ).Hence,in order to obtain the first bit with good confidence,we have to repeat the whole procedure 2Θ(n )times.This yields an algorithm that uses 2O (n )equations and 2O (n )time.In fact,it can be shown that given only O (n )equations,the s ∈Z n 2that maximizes the number of satisfied equations is with high probability s .This yields a simple maximum likelihood algorithm that requires only O (n )equations and runs in time 2O (n ).Blum,Kalai,and Wasserman [11]provided the first subexponential algorithm for this problem.Their algorithm requires only 2O (n/log n )equations/time and is currently the best known algorithm for the problem.It is based on a clever idea that allows to find a small set S of equations (say,O (√n ))among 2O (n/log n )equations,such that S a i is,say,(1,0,...,0).This gives us a guess for the first bit of s that is correct with probability 12+2−Θ(√n ).We can obtain the correct value with high probability by repeating the whole procedure only 2O (√n )times.Their idea was later shown to have other important applications,such as the first 2O (n )-time algorithm for solving the shortest vector problem [23,5].An important open question is to explain the apparent difficulty in finding efficient algorithms for this learning problem.Our main theorem explains this difficulty for a natural extension of this problem to higher moduli,defined next.Let p =p (n )≤poly(n )be some prime integer and consider a list of ‘equations with error’s ,a 1 ≈χb 1(mod p )s ,a 2 ≈χb 2(mod p )...where this time s ∈Z n p ,a i are chosen independently and uniformly from Z n p ,and b i ∈Z p .The errorin the equations is now specified by a probability distribution χ:Z p →R +on Z p .Namely,for each equation i ,b i = s ,a i +e i where each e i ∈Z p is chosen independently according to χ.We denote the problem of recovering s from such equations by LWE p,χ(learning with error).For example,the learning from parity problem with error εis the special case where p =2,χ(0)=1−ε,and χ(1)=ε.Under a reasonable assumption on χ(namely,that χ(0)>1/p +1/poly(n )),the maximum likelihood algorithm described above solves LWE p,χfor p ≤poly(n )using poly(n )equations and 2O (n log n )time.Under a similar assumption,an algorithm resembling the one by Blum et al.[11]requires only 2O (n )equations/time.This is the best known algorithm for the LWE problem.Our main theorem shows that for certain choices of p and χ,a solution to LWE p,χimplies a quantum solution to worst-case lattice problems.Theorem 1.1(Informal)Let n,p be integers and α∈(0,1)be such that αp >2√n .If there exists anefficient algorithm that solves LWE p,¯Ψαthen there exists an efficient quantum algorithm that approximatesthe decision version of the shortest vector problem (G AP SVP )and the shortest independent vectors problem(SIVP )to within ˜O(n/α)in the worst case.The exact definition of ¯Ψαwill be given later.For now,it is enough to know that it is a distribution on Z p that has the shape of a discrete Gaussian centered around 0with standard deviation αp ,as in Figure 1.Also,the probability of 0(i.e.,no error)is roughly 1/(αp ).A possible setting for the parameters is p =O (n 2)and α=1/(√n log 2n )(in fact,these are the parameters that we use in our cryptographic application).Figure 1:¯Ψαfor p =127with α=0.05(left)and α=0.1(right).The elements of Z p are arranged on a circle.G AP SVP and SIVP are two of the main computational problems on lattices.In G AP SVP,for instance,the input is a lattice,and the goal is to approximate the length of the shortest nonzero lattice vector.The best known polynomial time algorithms for them yield only mildly subexponential approximation factors[24,38,5].It is conjectured that there is no classical (i.e.,non-quantum)polynomial time algorithm that approximates them to within any polynomial ttice-based constructions of one-way functions,such as the one by Ajtai [2],are based on this conjecture.One might even conjecture that there is no quantum polynomial time algorithm that approximates G AP SVP (or SIVP)to within any polynomial factor.One can then interpret the main theorem as say-ing that based on this conjecture,the LWE problem is hard.The only evidence supporting this conjecture is that there are no known quantum algorithms for lattice problems that outperform classical algorithms,even though this is probably one of the most important open questions in the field of quantum computing.1In fact,one could also interpret our main theorem as a way to disprove this conjecture:if one finds an efficient algorithm for LWE,then one also obtains a quantum algorithm for approximating worst-case lattice problems.Such a result would be of tremendous importance on its own.Finally,we note that it is possible that our main theorem will one day be made classical.This would make all our results stronger and the above discussion unnecessary.The LWE problem can be equivalently presented as the problem of decoding random linear codes.More specifically,let m =poly(n )be arbitrary and let s ∈Z n p be some vector.Then,consider the followingproblem:given a random matrix Q ∈Z m ×n p and the vector t =Q s +e ∈Z m p where each coordinate of the error vector e ∈Z m p is chosen independently from ¯Ψα,recover s .The Hamming weight of e isroughly m (1−1/(αp ))(since a value chosen from ¯Ψαis 0with probability roughly 1/(αp )).Hence,the Hamming distance of t from Q s is roughly m (1−1/(αp )).Moreover,it can be seen that for large enough m ,for any other word s ,the Hamming distance of t from Q s is roughly m (1−1/p ).Hence,we obtain that approximating the nearest codeword problem to within factors smaller than (1−1/p )/(1−1/(αp ))on random codes is as hard as quantumly approximating worst-case lattice problems.This gives a partial 1If forced to make a guess,the author would say that the conjecture is true.answer to the important open question of understanding the hardness of decoding from random linear codes.It turns out that certain problems,which are seemingly easier than the LWE problem,are in fact equiv-alent to the LWE problem.We establish these equivalences in Section4using elementary reductions.For example,being able to distinguish a set of equations as above from a set of equations in which the b i’s are chosen uniformly from Z p is equivalent to solving LWE.Moreover,it is enough to correctly distinguish these two distributions for some non-negligible fraction of all s.The latter formulation is the one we use in our cryptographic applications.Cryptosystem.In Section5we present a public key cryptosystem and prove that it is secure based on the hardness of the LWE problem.We use the standard security notion of semantic,or IND-CPA,secu-rity(see,e.g.,[20,Chapter10]).The cryptosystem and its security proof are entirely classical.In fact, the cryptosystem itself is quite simple;the reader is encouraged to glimpse at the beginning of Section5. Essentially,the idea is to provide a list of equations as above as the public key;encryption is performed by summing some of the equations(forming another equation with error)and modifying the right hand side depending on the message to be transmitted.Security follows from the fact that a list of equations with error is computationally indistinguishable from a list of equations in which the b i’s are chosen uniformly.By using our main theorem,we obtain that the security of the system is based also on the worst-case quantum hardness of approximating SIVP and G AP SVP to within˜O(n1.5).In other words,breaking our cryptosystem implies an efficient quantum algorithm for approximating SIVP and G AP SVP to within ˜O(n1.5).Previous cryptosystems,such as the Ajtai-Dwork cryptosystem[4]and the one by Regev[36],are based on the worst-case(classical)hardness of the unique-SVP problem,which can be related to G AP SVP (but not SIVP)through the recent result of Lyubashevsky and Micciancio[26].Another important feature of our cryptosystem is its improved efficiency.In previous cryptosystems, the public key size is˜O(n4)and the encryption increases the size of messages by a factor of˜O(n2).In our cryptosystem,the public key size is only˜O(n2)and encryption increases the size of messages by a factor of only˜O(n).This possibly makes our cryptosystem practical.Moreover,using an idea of Ajtai[3],we can reduce the size of the public key to˜O(n).This requires all users of the cryptosystem to share some(trusted) random bit string of length˜O(n2).This can be achieved by,say,distributing such a bit string as part of the encryption and decryption software.We mention that learning problems similar to ours were already suggested as possible sources of cryp-tographic hardness in,e.g.,[10,7],although this was done without establishing any connection to lattice problems.In another related work[3],Ajtai suggested a cryptosystem that has several properties in common with ours(including its efficiency),although its security is not based on worst-case lattice problems.Why quantum?This paper is almost entirely classical.In fact,quantum is needed only in one step in the proof of the main theorem.Making this step classical would make the entire reduction classical.To demonstrate the difficulty,consider the following situation.Let L be some lattice and let d=λ1(L)/n10 whereλ1(L)is the length of the shortest nonzero vector in L.We are given an oracle that for any point x∈R n within distance d of Lfinds the closest lattice vector to x.If x is not within distance d of L, the output of the oracle is undefined.Intuitively,such an oracle seems quite powerful;the best known algorithms for performing such a task require exponential time.Nevertheless,we do not see any way to use this oracle classically.Indeed,it seems to us that the only way to generate inputs to the oracle is the following:somehow choose a lattice point y∈L and let x=y+z for some perturbation vector z of lengthat most d .Clearly,on input x the oracle outputs y .But this is useless since we already know y !It turns out that quantumly,such an oracle is quite useful.Indeed,being able to compute y from x allows us to uncompute y .More precisely,it allows us to transform the quantum state |x ,y to the state |x ,0 in a reversible (i.e.,unitary)way.This ability to erase the contents of a memory cell in a reversible way seems useful only in the quantum setting.Techniques.Unlike previous constructions of lattice-based public-key cryptosystems,the proof of our main theorem uses an ‘iterative construction’.Essentially,this means that instead of ‘immediately’finding very short vectors in a lattice,the reduction proceeds in steps where in each step shorter lattice vectors are found.So far,such iterative techniques have been used only in the construction of lattice-based one-way functions [2,12,27,29].Another novel aspect of our main theorem is its crucial use of quantum computation.Our cryptosystem is the first classical cryptosystem whose security is based on a quantum hardness assumption (see [30]for a somewhat related recent work).Our proof is based on the Fourier transform of Gaussian measures,a technique that was developed in previous papers [36,29,1].More specifically,we use a parameter known as the smoothing parameter,as introduced in [29].We also use the discrete Gaussian distribution and approximations to its Fourier transform,ideas that were developed in [1].Open questions.The main open question raised by this work is whether Theorem 1.1can be dequantized:can the hardness of LWE be established based on the classical hardness of SIVP and G AP SVP?We see no reason why this should be impossible.However,despite our efforts over the last few years,we were not able to show this.As mentioned above,the difficulty is that there seems to be no classical way to use an oracle that solves the closest vector problem within small distances.Quantumly,however,such an oracle turns out to be quite useful.Another important open question is to determine the hardness of the learning from parity with errors problem (i.e.,the case p =2).Our theorem only works for p >2√n .It seems that in order to prove similar results for smaller values of p ,substantially new ideas are required.Alternatively,one can interpret our inability to prove hardness for small p as an indication that the problem might be easier than believed.Finally,it would be interesting to relate the LWE problem to other average-case problems in the liter-ature,and especially to those considered by Feige in [15].See Alekhnovich’s paper [7]for some related work.Followup work.We now describe some of the followup work that has appeared since the original publi-cation of our results in 2005[37].One line of work focussed on improvements to our cryptosystem.First,Kawachi,Tanaka,and Xa-gawa [21]proposed a modification to our cryptosystem that slightly improves the encryption blowup to O (n ),essentially getting rid of a log factor.A much more significant improvement is described by Peikert,Vaikuntanathan,and Waters in [34].By a relatively simple modification to the cryptosystem,they managed to bring the encryption blowup down to only O (1),in addition to several equally significant improvements in running time.Finally,Akavia,Goldwasser,and Vaikuntanathan [6]show that our cryptosystem remains secure even if almost the entire secret key is leaked.Another line of work focussed on the design of other cryptographic protocols whose security is based on the hardness of the LWE problem.First,Peikert and Waters [35]constructed,among other things,CCA-secure cryptosystems (see also [33]for a simpler construction).These are cryptosystems that are secure even if the adversary is allowed access to a decryption oracle (see,e.g.,[20,Chapter 10]).All previous lattice-based cryptosystems (including the one in this paper)are not CCA-secure.Second,Peikert,Vaikuntanathan,and Waters [34]showed how to construct oblivious transfer protocols,which are useful,e.g.,for performing secure multiparty computation.Third,Gentry,Peikert,and Vaikuntanathan [16]constructed an identity-based encryption (IBE)scheme.This is a public-key encryption scheme in which the public key can be any unique identifier of the user;very few constructions of such schemes are known.Finally,Cash,Peikert,and Sahai [13]constructed a public-key cryptosystem that remains secure even when the encrypted messages may depend upon the secret key.The security of all the above constructions is based on the LWE problem and hence,by our main theorem,also on the worst-case quantum hardness of lattice problems.The LWE problem has also been used by Klivans and Sherstov to show hardness results related to learning halfspaces [22].As before,due to our main theorem,this implies hardness of learning halfspaces based on the worst-case quantum hardness of lattice problems.Finally,we mention two results giving further evidence for the hardness of the LWE problem.In the first,Peikert [32]somewhat strengthens our main theorem by replacing our worst-case lattice problems with their analogues for the q norm,where 2≤q ≤∞is arbitrary.Our main theorem only deals with the standard 2versions.In another recent result,Peikert [33]shows that the quantum part of our proof can be removed,leading to a classical reduction from G AP SVP to the LWE problem.As a result,Peikert is able to show that public-key cryptosystems (including many of the above LWE-based schemes)can be based on the classical hardness of G AP SVP,resolving a long-standing open question (see also [26]).Roughly speaking,the way Peikert circumvents the difficulty we described earlier is by noticing that the existence of an oracle that is able to recover y from y +z ,where y is a random lattice point and z is a random perturbation of length at most d ,is by itself a useful piece of information as it provides a lower bound on the length of the shortest nonzero vector.By trying to construct such oracles for several different values of d and checking which ones work,Peikert is able to obtain a good approximation of the length of the shortest nonzero vector.Removing the quantum part,however,comes at a cost:the construction can no longer be iterative,the hardness can no longer be based on SIVP,and even for hardness based on G AP SVP,the modulus p in the LWE problem must be exponentially big unless we assume the hardness of a non-standard variant of G AP SVP.Because of this,we believe that dequantizing our main theorem remains an important open problem.1.1OverviewIn this subsection,we give a brief informal overview of the proof of our main theorem,Theorem 1.1.The complete proof appears in Section 3.We do not discuss here the reductions in Section 4and the cryptosystem in Section 5as these parts of the paper are more similar to previous work.In addition to some very basic definitions related to lattices,we will make heavy use here of the discrete Gaussian distribution on L of width r ,denoted D L,r .This is the distribution whose support is L (which is typically a lattice),and in which the probability of each x ∈L is proportional to exp −π x /r 2 (see Eq.(6)and Figure 2).We also mention here the smoothing parameter ηε(L ).This is a real positive number associated with any lattice L (εis an accuracy parameter which we can safely ignore here).Roughly speaking,it gives the smallest r starting from which D L,r ‘behaves like’a continuous Gaussian distribution.For instance,for r ≥ηε(L ),vectors chosen from D L,r have norm roughly r √n with high probability.Incontrast,for sufficiently small r ,D L,r gives almost all its mass to the origin 0.Although not required for thisFigure 2:D L,2(left)and D L,1(right)for a two-dimensional lattice L .The z -axis represents probability.Let α,p,n be such that αp >2√n ,as required in Theorem 1.1,and assume we have an oracle that solvesLWE p,¯Ψα.For concreteness,we can think of p =n 2and α=1/n .Our goal is to show how to solve thetwo lattice problems mentioned in Theorem 1.1.As we prove in Subsection 3.3using standard reductions,it suffices to solve the following discrete Gaussian sampling problem (DGS):Given an n -dimensional lattice L and a number r ≥√2n ·ηε(L )/α,output a sample from D L,r .Intuitively,the connection to G AP SVP and SIVP comes from the fact that by taking r close to its lower limit √2n ·ηε(L )/α,we can obtain short lattice vectors (of length roughly √nr ).In the rest of this subsection we describe our algorithm for sampling from D L,r .We note that the exact lower bound on r is not that important for purposes of this overview,as it only affects the approximation factor we obtain for G AP SVP and SIVP.It suffices to keep in mind that our goal is to sample from D L,r for r that is rather small,say within a polynomial factor of ηε(L ).The core of the algorithm is the following procedure,which we call the ‘iterative step’.Its input consists of a number r (which is guaranteed to be not too small,namely,greater than √2pηε(L )),and n c samples from D L,r where c is some constant.Its output is a sample from the distribution D L,r for r =r √n/(αp ).Notice that since αp >2√n ,r <r/2.In order to perform this ‘magic’of converting vectors of norm √nr into shorter vectors of norm √nr ,the procedure of course needs to use the LWE oracle.Given the iterative step,the algorithm for solving DGS works as follows.Let r i denote r ·(αp/√n )i .The algorithm starts by producing n c samples from D L,r 3n .Because r 3n is so large,such samples can be computed efficiently by a simple procedure described in Lemma 3.2.Next comes the core of the algorithm:for i =3n,3n −1,...,1the algorithm uses its n c samples from D L,r i to produce n c samples from D L,r i −1by calling the iterative step n c times.Eventually,we end up with n c samples from D L,r 0=D L,r and we complete the algorithm by simply outputting the first of those.Note the following crucial fact:using n c samples from D L,r i ,we are able to generate the same number of samples n c from D L,r i −1(in fact,we couldeven generate more than n c samples).The algorithm would not work if we could only generate,say,n c /2samples,as this would require us to start with an exponential number of samples.We now finally get to describe the iterative step.Recall that as input we have n c samples from D L,r and we are supposed to generate a sample from D L,r where r =r √n/(αp ).Moreover,r is known and guaranteed to be at least √2pηε(L ),which can be shown to imply that p/r <λ1(L ∗)/2.As mentioned above,the exact lower bound on r does not matter much for this overview;it suffices to keep in mind that ris sufficiently larger thanηε(L),and that1/r is sufficiently smaller thanλ1(L∗).The iterative step is obtained by combining two parts(see Figure3).In thefirst part,we construct a classical algorithm that uses the given samples and the LWE oracle to solve the following closest vector problem,which we denote by CVP L∗,αp/r:given any point x∈R n within distanceαp/r of the dual lattice L∗,output the closest vector in L∗to x.2By our assumption on r,the distance between any two points in L∗is greater than2αp/r and hence the closest vector is unique.In the second part,we use this algorithm to generate samples from D L,r .This part is quantum(and in fact,the only quantum part of our proof). The idea here is to use the CVP L∗,αp/r algorithm to generate a certain quantum superposition which,after applying the quantum Fourier transform and performing a measurement,provides us with a sample from D L,r√n/(αp).In the following,we describe each of the two parts in more detail.Figure3:Two iterations of the algorithmPart1:We start by recalling the main idea in[1].Consider some probability distribution D on some lattice L and consider its Fourier transform f:R n→C,defined asf(x)=y∈L D(y)exp(2πi x,y )=Expy∼D[exp(2πi x,y )]where in the second equality we simply rewrite the sum as an expectation.By definition,f is L∗-periodic, i.e.,f(x)=f(x+y)for any x∈R n and y∈L∗.In[1]it was shown that given a polynomial number of samples from D,one can compute an approximation of f to within±1/poly(n).To see this,note that by the Chernoff-Hoeffding bound,if y1,...,y N are N=poly(n)independent samples from D,thenf(x)≈1NNj=1exp(2πi x,y j )where the approximation is to within±1/poly(n)and holds with probability exponentially close to1, assuming that N is a large enough polynomial.By applying this idea to the samples from D L,r given to us as input,we obtain a good approximation of the Fourier transform of D L,r,which we denote by f1/r.It can be shown that since1/r λ1(L∗)one hasthe approximationf1/r(x)≈exp−π(r·dist(L∗,x))2(1)2In fact,we only solve CVPL∗,αp/(√2r)but for simplicity we ignore the factor√2here.(see Figure 4).Hence,f 1/r (x )≈1for any x ∈L ∗(in fact an equality holds)and as one gets away from L ∗,its value decreases.For points within distance,say,1/r from the lattice,its value is still some positive constant (roughly exp (−π)).As the distance from L ∗increases,the value of the function soon becomes negligible.Since the distance between any two vectors in L ∗is at least λ1(L ∗) 1/r ,the Gaussians around each point of L ∗are well-separated.Figure 4:f 1/r for a two-dimensional latticeAlthough not needed in this paper,let us briefly outline how one can solve CVP L ∗,1/r using samples from D L,r .Assume that we are given some point x within distance 1/r of L ∗.Intuitively,this x is located on one of the Gaussians of f 1/r .By repeatedly computing an approximation of f 1/r using the samples from D L,r as described above,we ‘walk uphill’on f 1/r in an attempt to find its ‘peak’.This peak corresponds to the closest lattice point to x .Actually,the procedure as described here does not quite work:due to the error in our approximation of f 1/r ,we cannot find the closest lattice point exactly.It is possible to overcome this difficulty;see [25]for the details.The same procedure actually works for slightly longer distances,namely O (√log n/r ),but beyond that distance the value of f 1/r becomes negligible and no useful information can be extracted from our approximation of it.Unfortunately,solving CVP L ∗,1/r is not useful for the iterative step as it would lead to samples from D L,r √n ,which is a wider rather than a narrower distribution than the one we started with.This is not surprising,since our solution to CVP L ∗,1/r did not use the LWE ing the LWE oracle,we will now show that we can gain an extra αp factor in the radius,and obtain the desired CVP L ∗,αp/r algorithm.Notice that if we could somehow obtain samples from D L,r/p we would be done:using the procedure described above,we could solve CVP L ∗,p/r ,which is better than what we need.Unfortunately,it is not clear how to obtain such samples,even with the help of the LWE oracle.Nevertheless,here is an obvious way to obtain something similar to samples from D L,r/p :just take the given samples from D L,r and divide them by p .This provides us with samples from D L/p,r/p where L/p is the lattice L scaled down by a factor of p .In the following we will show how to use these samples to solve CVP L ∗,αp/r .Let us first try to understand what the distribution D L/p,r/p looks like.Notice that the lattice L/p consists of p n translates of the original lattice L .Namely,for each a ∈Z n p ,consider the setL +L a /p ={L b /p |b ∈Z n ,b mod p =a }.Then {L +L a /p |a ∈Z n p }forms a partition of L/p .Moreover,it can be shown that since r/p is larger。

分布式算法详解Distributed algorithms are a crucial component of modern computing systems, allowing for complex tasks to be broken down and executed across multiple nodes in a network. These algorithms are designed to ensure efficiency, fault tolerance, and scalability in distributed systems. They play a foundational role in enabling the seamless functioning of applications that span across multiple servers and devices.分布式算法是现代计算系统的关键组成部分，允许将复杂任务分解并在网络中的多个节点上执行。

这些算法旨在确保分布系统的效率、容错性和可伸缩性。

它们在使跨多个服务器和设备的应用程序无缝运行方面发挥着基础性作用。

One of the key challenges faced by distributed algorithms is achieving consensus among the different nodes in the network. Consensus algorithms aim to ensure that all nodes agree on a certain value or decision, even in the presence of faults or failures. This is critical for maintaining the integrity and reliability of the system, especially in scenarios where nodes may fail or behave maliciously.分布式算法面临的关键挑战之一是在网络中的不同节点之间达成共识。

工作证明格式范文英语English Answer:Proof of Work.Proof of Work (PoW) is a distributed consensus mechanism that is used to verify transactions on a blockchain network. It requires miners to solve complex mathematical problems in order to add new blocks to the blockchain. The first miner to solve the problem receives a block reward, which is a payment in the form of cryptocurrency.PoW is a very energy-intensive process, and it has been criticized for its environmental impact. However, it is also a very secure mechanism, and it is considered to be one of the most reliable ways to verify transactions on a blockchain network.How does Proof of Work work?PoW works by requiring miners to solve a cryptographic puzzle. The puzzle is designed to be difficult to solve, but it is not impossible. Miners use specialized hardware to solve the puzzle, and the first miner to solve it receives a block reward.The block reward is a payment in the form of cryptocurrency. The amount of the block reward varies depending on the blockchain network.Once a miner has solved the puzzle, they add a new block to the blockchain. The block contains a list of all the transactions that have been verified by the miner.The blockchain is a distributed ledger that records all of the transactions that have been made on a blockchain network. The blockchain is constantly growing, and it is very difficult to alter or tamper with.Why is Proof of Work important?PoW is important because it is a secure and reliable way to verify transactions on a blockchain network. PoW also helps to decentralize the blockchain network, which makes it more resistant to censorship and fraud.What are the advantages of Proof of Work?Security: PoW is a very secure mechanism. It is very difficult for an attacker to alter or tamper with the blockchain.Decentralization: PoW helps to decentralize the blockchain network. This makes the network more resistant to censorship and fraud.Reliability: PoW is a very reliable mechanism. It is considered to be one of the most reliable ways to verify transactions on a blockchain network.What are the disadvantages of Proof of Work?Energy consumption: PoW is a very energy-intensiveprocess. This has led to criticism of PoW's environmental impact.Cost: PoW can be expensive to implement. Miners need to purchase specialized hardware in order to solve the cryptographic puzzle.Scalability: PoW is not very scalable. This means that it can be difficult to process a large number of transactions on a PoW-based blockchain network.Conclusion.PoW is a secure and reliable mechanism for verifying transactions on a blockchain network. However, PoW is also energy-intensive and expensive to implement. As a result, there is a growing interest in alternative consensus mechanisms, such as Proof of Stake (PoS).中文回答：工作证明。

etcd运行原理etcd is an open-source distributed key-value store that is widely used in distributed systems for storing configuration data, service discovery, and coordination. It plays a crucial role in the functioningof distributed systems by providing a reliable and highly available way to store critical data. etcd uses the Raft consensus algorithm to achieve fault-tolerance and consistency among the nodes in a cluster.etcd的运行原理主要围绕着Raft一致性算法展开，Raft算法是一种用于分布式系统中实现复制日志的一种算法。

在etcd中，节点之间通过Raft协议进行通信，确保在集群中的每个节点都具有相同的状态。

这种方式保证了数据的一致性和可靠性，即使部分节点发生故障或网络分区，集群也能够继续运行。

One of the key features of etcd is its ability to handle leader election dynamically. When a leader node fails or becomes unreachable, the remaining nodes in the cluster initiate a new leader election process to select a new leader. This ensures that there is always a leader node available to process client requests and maintain the consistency of the data across the cluster.etcd还具有动态选举主节点的能力，当主节点出现故障或不可达时，集群中的其他节点会发起新的选举过程以选择新的主节点。

神经网络同步与多智能体一致性问题研究的开题报告一、研究背景及意义随着科技的发展，神经网络和多智能体技术在各种领域中应用越来越广泛。

神经网络主要用于数据挖掘、图像处理、模式识别等方面，而多智能体则可以应用于交通调度、无人机控制、机器人协同等方面。

但是，在实际应用过程中，神经网络同步和多智能体一致性问题经常会出现，例如神经网络同步不完全会导致不能准确地预测结果，而多智能体没有达到一致性则会降低整个系统的效率。

因此，研究神经网络同步和多智能体一致性问题对于提高系统的性能具有重要意义。

二、研究内容和方法本文拟重点研究神经网络同步和多智能体一致性问题。

具体研究内容包括：（1）探究神经网络同步不完全的原因和机理，分析同步不完全对系统影响，并提出改进方法；（2）深入研究多智能体一致性的实现原理和机制，针对多智能体系统的特点，设计实用的一致性算法。

本文将采用数学建模和仿真实验相结合的方法进行研究。

首先，通过建立神经网络同步和多智能体一致性的数学模型，分析同步/一致性问题的本质，找出问题所在。

其次，利用MATLAB等仿真工具，对不同算法进行仿真模拟，验证算法的有效性和性能。

最后，通过实验对算法的性能进行测试验证以及评估，得出综合结论。

三、研究预期成果通过本研究，预期得到以下成果：（1）发现神经网络同步不完全的原因和机理，提出相应的改进方法，进一步提高神经网络的性能。

（2）研究多智能体一致性的实现原理和机制，提出实用的一致性算法，进一步提高多智能体系统的效率。

（3）实验验证算法的有效性和性能，得出综合结论，对实际应用具有指导意义。

四、研究进度安排第一年：1、文献综述阶段：查阅关于神经网络同步和多智能体一致性的文献，建立研究框架。

2、数学模型建立阶段：根据文献综述，建立神经网络同步和多智能体一致性的数学模型。

3、算法研究阶段: 在数学模型的基础上，设计、实现和优化神经网络同步和多智能体一致性算法。

第二年：4、仿真和实验阶段：利用MATLAB等工具进行仿真模拟，验证算法的有效性和性能，并对算法进行测试和改进。

minio高可用原理英文回答：MinIO is an open-source, distributed object storage system that provides high availability by utilizing a decentralized architecture. It is designed to be highly scalable and fault-tolerant, allowing users to store and retrieve large amounts of data with low latency.The high availability of MinIO is achieved through multiple mechanisms, including data replication and automatic failover. Let's explore these mechanisms in more detail:1. Data Replication: MinIO uses erasure coding and replication to ensure data durability and availability. By default, MinIO replicates data across multiple driveswithin a single server. This provides fault tolerance at the hardware level, as data can be recovered even if one or more drives fail. Additionally, MinIO supports distributedmode, where data can be replicated across multiple servers, providing redundancy and availability even in the event of server failures.2. Automatic Failover: MinIO employs a distributed consensus algorithm called Raft to achieve automatic failover. In a distributed MinIO deployment, multiple instances of MinIO servers form a cluster. Raft ensuresthat all servers in the cluster agree on the state of the system, including which server is the leader. If the leader server fails, Raft triggers an automatic election process to select a new leader. This ensures uninterrupted access to data even in the presence of server failures.3. Load Balancing: MinIO supports load balancing through its gateway layer. The gateway layer acts as afront-end for client requests and distributes the workload across multiple MinIO server instances. This helps in distributing the load evenly and improving overall system performance.4. Monitoring and Alerting: MinIO provides extensivemonitoring and alerting capabilities. It supports integration with various monitoring tools, such as Prometheus and Grafana, allowing administrators to monitor the health and performance of the MinIO cluster. Alerts can be configured to notify administrators in case of any anomalies or failures, enabling proactive troubleshooting and maintenance.In summary, MinIO achieves high availability through data replication, automatic failover, load balancing, and robust monitoring and alerting capabilities. These mechanisms ensure that data is always accessible and that the system can recover from failures without downtime.中文回答：MinIO是一个开源的分布式对象存储系统，通过利用分散式架构实现高可用性。