Constructive Logical Characterizations of Bisimilarity for Reactive Probabilistic Systems



slide-1
SLIDE 1

Constructive Logical Characterizations of Bisimilarity for Reactive Probabilistic Systems

Marco Bernardo

University of Urbino – Italy

joint work with: Marino Miculan

© June 2017

slide-2
SLIDE 2

Process Model

A reactive probabilistic labeled transition system (RPLTS) is a triple $(S, A, \longrightarrow)$ where:

  • $S$ is a countable set of states.
  • $A$ is a countable set of actions.
  • $\longrightarrow \;\subseteq S \times A \times \mathit{Distr}(S)$ is a transition relation such that, whenever $s \xrightarrow{a} \Delta_1$ and $s \xrightarrow{a} \Delta_2$, then $\Delta_1 = \Delta_2$.

No internal nondeterminism. Rabin probabilistic automata (as opposed to Segala ones).

$\mathit{Distr}(S)$ is the set of discrete probability distributions over $S$ having finite support, i.e., $\mathit{supp}(\Delta) \triangleq \{s \in S \mid \Delta(s) > 0\}$ is finite. Probabilistic counterpart of image finiteness.

slide-3
SLIDE 3

Process Semantics

Larsen & Skou defined probabilistic bisimilarity $\sim_{\mathrm{PB}}$ over RPLTS.

An equivalence relation $\mathcal{B}$ over $S$ is a probabilistic bisimulation iff, whenever $(s_1, s_2) \in \mathcal{B}$, then for all actions $a \in A$:

  • If $s_1 \xrightarrow{a} \Delta_1$ then there exists $s_2 \xrightarrow{a} \Delta_2$ such that $\Delta_2(C) = \Delta_1(C)$ for all equivalence classes $C \in S/\mathcal{B}$.
  • If $s_2 \xrightarrow{a} \Delta_2$ then there exists $s_1 \xrightarrow{a} \Delta_1$ such that $\Delta_1(C) = \Delta_2(C)$ for all equivalence classes $C \in S/\mathcal{B}$.

States $s_1, s_2 \in S$ are probabilistically bisimilar, written $s_1 \sim_{\mathrm{PB}} s_2$, iff there exists a probabilistic bisimulation including $(s_1, s_2)$.

Probabilistic extension of Milner strong bisimilarity. Ordinary lumpability for (discrete-time) Markov chains.
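
The definition above can be checked mechanically on a finite RPLTS by partition refinement: start from one class and split states until every class agrees on $\Delta(C)$ for each action. This is an added example, not code from the slides; the names `pb_classes`, `bisimilar`, `STATES` and `TRANS` and the sample system are constructed for illustration.

```python
from fractions import Fraction as F

def pb_classes(states, trans):
    """Partition `states` into probabilistic-bisimilarity classes.

    trans maps (state, action) to ONE distribution {target: probability};
    a single entry per pair is the reactive restriction of the definition.
    """
    actions = sorted({a for _, a in trans})
    block = {s: 0 for s in states}            # coarsest candidate: one class
    while True:
        sig = {}
        for s in states:
            row = []
            for a in actions:
                dist = trans.get((s, a))
                if dist is None:
                    row.append(None)          # action a is not enabled in s
                    continue
                mass = {}                     # Delta(C) for each current class C
                for target, p in dist.items():
                    mass[block[target]] = mass.get(block[target], 0) + p
                row.append(tuple(sorted(mass.items())))
            sig[s] = (block[s], tuple(row))   # old class kept: classes only split
        ids = {}
        refined = {s: ids.setdefault(sig[s], len(ids)) for s in states}
        if len(ids) == len(set(block.values())):
            return refined                    # stable partition reached
        block = refined

def bisimilar(s1, s2, states, trans):
    classes = pb_classes(states, trans)
    return classes[s1] == classes[s2]

# Constructed sample: u and w reach b-enabled states with total probability 1
# (u via two lumpable targets), x only with probability 1/2.
STATES = ["u", "w", "x", "v1", "v2", "v3", "dead", "end"]
TRANS = {
    ("u", "a"): {"v1": F(1, 2), "v2": F(1, 2)},
    ("w", "a"): {"v3": F(1)},
    ("x", "a"): {"v1": F(1, 2), "dead": F(1, 2)},
    ("v1", "b"): {"end": F(1)},
    ("v2", "b"): {"end": F(1)},
    ("v3", "b"): {"end": F(1)},
}

if __name__ == "__main__":
    print(bisimilar("u", "w", STATES, TRANS), bisimilar("u", "x", STATES, TRANS))
```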

slide-4
SLIDE 4

Process Logic

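Larsen & Skou defined probabilistic modal logic PML over RPLTS.

Probabilistic extension of Hennessy & Milner logic ($\top$, $\neg$, $\wedge$, $\langle a \rangle$) in which $\langle a \rangle_p$ is decorated with a probabilistic lower bound $p \in \mathbb{R}_{[0,1]}$.

$s \models \langle a \rangle_p \varphi$ iff there exists $s \xrightarrow{a} \Delta$ s.t. $\Delta(\{s' \in S \mid s' \models \varphi\}) \geq p$.

Variants of PML:

  $\mathrm{PML}_{\neg\wedge}$:  $\varphi ::= \top \mid \neg\varphi \mid \varphi \wedge \varphi \mid \langle a \rangle_p \varphi$
  $\mathrm{PML}_{\neg\vee}$:  $\varphi ::= \top \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle a \rangle_p \varphi$
  $\mathrm{PML}_{\wedge}$:  $\varphi ::= \top \mid \varphi \wedge \varphi \mid \langle a \rangle_p \varphi$
  $\mathrm{PML}_{\vee}$:  $\varphi ::= \top \mid \varphi \vee \varphi \mid \langle a \rangle_p \varphi$

Which equivalences are induced by these logics? Do they coincide with known behavioral equivalences?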

slide-5
SLIDE 5

Logical Characterization Results for $\sim_{\mathrm{PB}}$ over RPLTS

Larsen & Skou showed that $\mathrm{PML}_{\neg\wedge}$ characterizes $\sim_{\mathrm{PB}}$.
Minimal deviation assumption: the probability associated with any state in the support of the target distribution of a transition is a multiple of some value (stronger than finite support, no irrationals).

Desharnais, Edalat & Panangaden showed that also the logic $\mathrm{PML}_{\wedge}$ characterizes $\sim_{\mathrm{PB}}$, i.e., negation is not necessary over RPLTS.
Surprising! The elimination of negation in a nondeterministic setting results in the characterization of simulation equivalence.
Bisimilarity and simulation equivalence coincide over RPLTS.
No assumptions: neither finite branching, nor infinitary conjunctions.
Measure theory: continuous states in the form of analytic spaces.
Category theory: bisimilarity defined via spans of zig-zag morphisms.

slide-6
SLIDE 6

Generalizations and Specializations

Danos, Desharnais, Laviolette & Panangaden extended the result based on $\mathrm{PML}_{\wedge}$ to general measure spaces by introducing event bisimilarity in terms of cospans of morphisms.

Jacobs & Sokolova proved this generalized result again in the coalgebraic framework of dual adjunctions between spaces and logics.

Desharnais, Edalat & Panangaden proved their result also directly over finite-state RPLTS by keeping measure theory to a minimum: only the π-λ theorem of Dynkin is employed.

Deng & Wu provided a simplified proof over discrete state spaces that still uses only the π-λ theorem of Dynkin.

Unpublished note by Worrell mentioning the possibility of avoiding the use of measure theory altogether in the discrete case.

slide-7
SLIDE 7

Summary of New Results in the Discrete Case

Also $\mathrm{PML}_{\vee}$ characterizes $\sim_{\mathrm{PB}}$, i.e., (negation is not necessary and) disjunction is enough for reactive probabilistic processes.
In a nondeterministic setting, this characterizes trace equivalence!
Therefore $\wedge$ and $\vee$ are interchangeable for probabilistic (bi)similarity, while they are both necessary for probabilistic simulation preorder.

An alternative proof that $\mathrm{PML}_{\neg\wedge}$ characterizes $\sim_{\mathrm{PB}}$, where the minimal deviation assumption is relaxed to finite support.

An alternative proof that $\mathrm{PML}_{\wedge}$ characterizes $\sim_{\mathrm{PB}}$, which directly addresses discrete state spaces without measure theory.

All proofs are based on a coalgebraic representation of RPLTS that allows us to work with finite acyclic models and thus to use induction.

All proofs are constructive because they build distinguishing formulas and hence lead to algorithms for automatically explaining $\sim_{\mathrm{PB}}$-inequivalence inspired by Cleaveland algorithm.

slide-8
SLIDE 8

Coalgebraic Representation of RPLTS

Each RPLTS can be given a semantics in a canonical form, which we call reactive probabilistic tree (unfolding & merging).
Probabilistic counterpart of Winskel synchronization trees.

Use a coalgebraic construction for probabilistic systems based on results of de Vink & Rutten and Worrell.

Extend $\mathit{Distr}$ to functor $\mathit{Distr} : \mathbf{Set} \to \mathbf{Set}$ with morphisms:

  $\mathit{Distr}(f : X \to Y) : \mathit{Distr}(X) \to \mathit{Distr}(Y)$
  $\mathit{Distr}(f)(\Delta) = \lambda y.\, \Delta(f^{-1}(y))$

Any RPLTS corresponds to a coalgebra of functor $B_{RP} : \mathbf{Set} \to \mathbf{Set}$ such that:

  $B_{RP}(X) = (\mathit{Distr}(X) + 1)^A$

slide-9
SLIDE 9

Fully Abstract Semantics

The functor $B_{RP}$ permits the use of the coalgebraic bisimilarity of Aczel and Mendler.
In our setting, it coincides with $\sim_{\mathrm{PB}}$.

The functor $B_{RP}$ has a final coalgebra $(Z, \zeta)$, where the elements of $Z$ are canonical representatives of the behavior of any RPLTS.

For each RPLTS $(S, A, \longrightarrow)$ there exists a unique coalgebra morphism $[\![\cdot]\!] : S \to Z$, where $s_1 \sim_{\mathrm{PB}} s_2 \iff [\![s_1]\!] = [\![s_2]\!]$ for all $s_1, s_2 \in S$.

Characterizing $\sim_{\mathrm{PB}}$ on RPLTS is equivalent to characterizing $=$ on $Z$.

But the elements of $Z$ are possibly infinite objects, so how can we give a more concrete and compact description?

slide-10
SLIDE 10

Reactive Probabilistic Trees

An $A$-labeled reactive probabilistic tree (RPT) is a pair $(X, \mathit{succ})$ where $X \in \mathbf{Set}$ and $\mathit{succ} : X \times A \to \mathcal{P}_f(X \times \mathbb{R}_{]0,1]})$ are such that the relation $\leq$ over $X$ induced by $\mathit{succ}$:

  $\dfrac{}{x \leq x}$        $\dfrac{x \leq y \quad z \in \mathit{succ}(y, a)}{x \leq z}$

is a partial order with a least element (root) and for all $x, x_1, x_2 \in X$, $a \in A$, $p_1, p_2 \in \mathbb{R}_{]0,1]}$:

  • $\{y \in X \mid y \leq x\}$ is finite and well-ordered;
  • for all $(x_1, p_1), (x_2, p_2) \in \mathit{succ}(x, a)$, if $x_1 = x_2$ then $p_1 = p_2$;
  • for all $(x_1, p_1), (x_2, p_2) \in \mathit{succ}(x, a)$, if the subtrees rooted at $x_1$ and $x_2$ are isomorphic then $x_1 = x_2$;
  • if $\mathit{succ}(x, a) \neq \emptyset$ then $\sum_{(y,p) \in \mathit{succ}(x,a)} p = 1$.

slide-11
SLIDE 11

Finite Approximations and Compactness

The set of RPT is the carrier of the final $B_{RP}$-coalgebra. Thus $[\![\cdot]\!]$ maps states to trees.

Let $t|_n$ be the pruning of the RPT $t$ at height $n \in \mathbb{N}$.
Possible isomorphic subtrees resulting from the truncation process have to be collapsed.

  $t_1 = t_2 \iff \forall n \in \mathbb{N}.\; t_1|_n = t_2|_n$ for all RPT $t_1, t_2$.
  $s_1 \sim_{\mathrm{PB}} s_2 \iff \forall n \in \mathbb{N}.\; [\![s_1]\!]|_n = [\![s_2]\!]|_n$ for all states $s_1, s_2$.

Finding a logical characterization of $\sim_{\mathrm{PB}}$ over RPLTS reduces to finding a logical characterization of $=$ over finite RPT.

slide-12
SLIDE 12

Working with Finite RPT in our Proofs

If $t_1 = t_2$, then they obviously satisfy the same formulas.

When $t_1 \neq t_2$, build a distinguishing formula by induction on their finite height, but be careful!

An additional constraint has to be met to infer a characterization of $\sim_{\mathrm{PB}}$ over RPLTS from a characterization of $=$ over finite RPT.

If a variant of PML characterizes $=$ over finite RPT and for any two finite RPT $t_1$ and $t_2$ such that $t_1 \neq t_2$ there exists a formula $\varphi$ distinguishing $t_1$ from $t_2$ such that:

  $\mathit{depth}(\varphi) \leq \max(\mathit{height}(t_1), \mathit{height}(t_2))$

then the variant of PML characterizes $\sim_{\mathrm{PB}}$ over RPLTS.

slide-13
SLIDE 13

Depth of Formulas and Height of Trees

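If $\mathit{depth}(\varphi)$ were greater, then:

  • $\varphi$ may not distinguish higher finite approximations of $s_1$ and $s_2$;
  • no shorter formula derivable from $\varphi$ may still distinguish $t_1$ and $t_2$.

$s_1 \xrightarrow{a} s'_1 \xrightarrow{c} s''_1 \xrightarrow{e} s'''_1$ and $s_2 \xrightarrow{b} s'_2 \xrightarrow{d} s''_2 \xrightarrow{f} s'''_2$ differ at height $= 1$, so we can focus on $t_1 \xrightarrow{a} t'_1$ and $t_2 \xrightarrow{b} t'_2$.

$\varphi = \langle a \rangle_1 \neg \langle c \rangle_1$, of depth $= 2$, distinguishes $t_1 \xrightarrow{a} t'_1$ and $t_2 \xrightarrow{b} t'_2$, but does not distinguish $t_1 \xrightarrow{a} t'_1 \xrightarrow{c} t''_1$ and $t_2 \xrightarrow{b} t'_2 \xrightarrow{d} t''_2$ because neither of them satisfies it.

$\varphi = \langle a \rangle_1 \vee \langle b \rangle_1 \langle c \rangle_1$, of depth $= 2$, tells apart $t_1 \xrightarrow{a} t'_1$ and $t_2 \xrightarrow{b} t'_2$, but the derived shorter formula $\langle a \rangle_1 \vee \langle b \rangle_1$ of depth $= 1$ does not because both of them satisfy it.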

slide-14
SLIDE 14

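A New Proof that $\mathrm{PML}_{\neg\wedge}$ Characterizes $\sim_{\mathrm{PB}}$

Given $t_1 \neq t_2$, if one enables an action $a$ not possessed by the other, then $\langle a \rangle_1$ tells them apart.

If they enable the same actions, then there must exist an action $a$ such that $t_1 \xrightarrow{a} \Delta_{1,a}$ and $t_2 \xrightarrow{a} \Delta_{2,a}$ with $\Delta_{1,a} \neq \Delta_{2,a}$.

Consider $t' \in \mathit{supp}(\Delta_{1,a})$ such that $\Delta_{1,a}(t') > \Delta_{2,a}(t')$.

Let $\mathit{supp}(\Delta_{2,a}) \setminus \{t'\} = \{t'_{2,1}, t'_{2,2}, \ldots, t'_{2,k}\}$, which cannot be empty.

For each $j = 1, 2, \ldots, k$, by the induction hypothesis there exists $\varphi'_{2,j} \in \mathrm{PML}_{\neg\wedge}$ meeting $\mathit{depth}(\varphi'_{2,j}) \leq \max(\mathit{height}(t'), \mathit{height}(t'_{2,j}))$ such that $t' \models \varphi'_{2,j} \mathrel{\neq\!|} t'_{2,j}$.

We can impose direction of $\varphi'_{2,j}$-satisfaction thanks to negation!

Therefore:

  $t_1 \models \langle a \rangle_{\Delta_{1,a}(t')} \bigwedge_{1 \leq j \leq k} \varphi'_{2,j} \mathrel{\neq\!|} t_2$

The new proof of Larsen & Skou result fits in one single slide!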
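
The construction in this proof, together with the satisfaction relation $s \models \langle a \rangle_p \varphi$ from the Process Logic slide, can be run directly on finite trees. This is an added example, not the authors' code; the tuple encoding of formulas, the `node` encoding of RPT and all function names are assumptions, and the trees are the $t_1$, $t_2$ of the "From ∧ to ∨" example as read from its formulas and Φ-sets.

```python
from fractions import Fraction as F

TOP = ("top",)

def node(**moves):
    """Finite RPT node: frozenset of (action, distribution). Isomorphic
    subtrees are equal values, so RPT equality is plain ==."""
    return frozenset((a, frozenset(d.items())) for a, d in moves.items())

def sat(t, f):
    """t |= f, with f one of TOP, ('not', g), ('and', (g, ...)), ('dia', a, p, g)."""
    if f[0] == "top":
        return True
    if f[0] == "not":
        return not sat(t, f[1])
    if f[0] == "and":
        return all(sat(t, g) for g in f[1])
    _, a, p, g = f
    dist = dict(t).get(a)
    # mass of the derivatives satisfying g must reach the lower bound p
    return dist is not None and sum(q for u, q in dist if sat(u, g)) >= p

def distinguish(t1, t2):
    """Return phi with t1 |= phi and not t2 |= phi (requires t1 != t2)."""
    if t1 == t2:
        raise ValueError("equal trees satisfy the same formulas")
    d1, d2 = dict(t1), dict(t2)
    for a in sorted(set(d1) ^ set(d2)):          # enabled on one side only
        phi = ("dia", a, 1, TOP)
        return phi if a in d1 else ("not", phi)
    a = next(x for x in sorted(d1) if d1[x] != d2[x])
    m1, m2 = dict(d1[a]), dict(d2[a])
    tp = next(u for u in m1 if m1[u] > m2.get(u, 0))   # t' of the proof
    rest = [u for u in m2 if u != tp]                  # supp(Delta_2,a) \ {t'}
    # each recursive formula holds in t' and fails in t'_2,j: negation fixes
    # that direction, so t2 can reach the conjunction only through t'
    return ("dia", a, m1[tp], ("and", tuple(distinguish(tp, u) for u in rest)))

def depth(f):
    if f[0] == "dia":
        return 1 + depth(f[3])
    subs = (f[1],) if f[0] == "not" else f[1] if f[0] == "and" else ()
    return max((depth(g) for g in subs), default=0)

def height(t):
    return max((1 + height(u) for _, dist in t for u, _ in dist), default=0)

# Trees t1, t2 of the "From ∧ to ∨" example (encoding is an assumption).
LEAF = node()
B, C = node(b={LEAF: F(1)}), node(c={LEAF: F(1)})
BC = node(b={LEAF: F(1)}, c={LEAF: F(1)})
T1 = node(a={BC: F(1, 2), LEAF: F(1, 2)})
T2 = node(a={B: F(1, 2), C: F(1, 2)})

if __name__ == "__main__":
    phi = distinguish(T1, T2)
    print(phi, sat(T1, phi), sat(T2, phi), depth(phi))
```

Which $t'$ is picked depends on set iteration order, so the returned formula can differ between runs; what is guaranteed is that it separates the two trees within the depth bound.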

slide-15
SLIDE 15

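Proving that $\mathrm{PML}_{\neg\vee}$ Characterizes $\sim_{\mathrm{PB}}$

$\mathrm{PML}_{\neg\vee}$ is obviously equivalent to $\mathrm{PML}_{\neg\wedge}$ due to De Morgan laws.
Useful intermediate step to achieve our result for $\mathrm{PML}_{\vee}$.

As before $t' \in \mathit{supp}(\Delta_{1,a})$ is such that $\Delta_{1,a}(t') > \Delta_{2,a}(t')$ and $\mathit{supp}(\Delta_{2,a}) \setminus \{t'\} = \{t'_{2,1}, t'_{2,2}, \ldots, t'_{2,k}\}$ is not empty.

For each $j = 1, 2, \ldots, k$, by the induction hypothesis there exists $\varphi'_{2,j} \in \mathrm{PML}_{\neg\vee}$ meeting $\mathit{depth}(\varphi'_{2,j}) \leq \max(\mathit{height}(t'), \mathit{height}(t'_{2,j}))$ such that $t' \not\models \varphi'_{2,j} \mathrel{=\!|} t'_{2,j}$.

We can impose direction of $\varphi'_{2,j}$-satisfaction thanks to negation!

Therefore:

  $t_1 \not\models \langle a \rangle_{1 - \Delta_{2,a}(t')} \bigvee_{1 \leq j \leq k} \varphi'_{2,j} \mathrel{=\!|} t_2$

Reuse of the same proof structure!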

slide-16
SLIDE 16

Also $\mathrm{PML}_{\vee}$ Characterizes $\sim_{\mathrm{PB}}$

Negation is no longer available ...
... but the structure of the proof for $\mathrm{PML}_{\neg\vee}$ is still useful.

The objective is to achieve:

  $t_1 \not\models \langle a \rangle_{1 - (\Delta_{2,a}(t') + p)} \bigvee_{j \in J} \varphi'_{2,j} \mathrel{=\!|} t_2$

where:

  • $t'$ is a derivative of $t_1$ s.t. $\Delta_{1,a}(t') > \Delta_{2,a}(t')$ and $t' \not\models \varphi'_{2,j} \mathrel{=\!|} t'_{2,j}$;
  • $J$ is an index set identifying the derivatives $t''$ of $t_2$ other than $t'$ such that $\Delta_{1,a}(t'') \neq \Delta_{2,a}(t'')$;
  • $p$ is the probability that $t_2$ reaches nodes $t'''$ not in $J$ such that $t''' \not\models \bigvee_{j \in J} \varphi'_{2,j}$.

The choice of $t'$ is crucial!

To obtain $t' \not\models \varphi'_{2,j}$ for all $j \in J$, a good criterion for selecting $t'$ is that it should satisfy as few $\mathrm{PML}_{\vee}$ formulas as possible.

slide-17
SLIDE 17

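Intuition: From $\wedge$ to $\vee$ in Distinguishing Formulas

A disjunctive distinguishing formula can often (not always) be obtained from a conjunctive distinguishing formula by increasing some of its probabilistic lower bounds. Example:

[Figure: trees $t_1$ (with nodes $t'_1$, $t''_1$) and $t_2$ (with nodes $t'_2$, $t''_2$); each root has an $a$-transition with probabilities 0.5 and 0.5; lower edges labeled $b$ and $c$.]

  $t_1 \models \langle a \rangle_{0.5} (\langle b \rangle_1 \wedge \langle c \rangle_1) \mathrel{\neq\!|} t_2$
  $t_1 \not\models \langle a \rangle_{1.0} (\langle b \rangle_1 \vee \langle c \rangle_1) \mathrel{=\!|} t_2$

Few states with many transitions in the $\mathrm{PML}_{\wedge}$ case ($t'_1$) vs. many states with few transitions in the $\mathrm{PML}_{\vee}$ case whose probabilities are summed up ($t'_2$, $t''_2$).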

slide-18
SLIDE 18

Direction of Distinguishing Formula Satisfaction

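The direction of distinguishing formula satisfaction is not always inverted when moving from $\wedge$ to $\vee$. Example:

[Figure: trees $t_3$ and $t_4$, each with an $a$-transition to several nodes whose outgoing edges are labeled $b$, $c$, $d$.]

  $t_3 \models \langle a \rangle_{0.2} (\langle b \rangle_1 \wedge \langle c \rangle_1 \wedge \langle d \rangle_1) \mathrel{\neq\!|} t_4$
  $t_3 \models \langle a \rangle_{0.9} (\langle b \rangle_1 \vee \langle c \rangle_1 \vee \langle d \rangle_1) \mathrel{\neq\!|} t_4$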

slide-19
SLIDE 19

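No Increase When $\wedge$ and $\vee$ Are Not Necessary

Increasing some of the probabilistic lower bounds in a conjunctive distinguishing formula does not always yield a disjunctive one, especially when $\wedge$ and $\vee$ are not necessary for discriminating. Example:

[Figure: tree $t_5$ with an $a$-transition reaching $t'_5$, $t''$, $t'''_5$ with probabilities 0.25, 0.5, 0.25, and tree $t_6$ with an $a$-transition reaching $t'_6$, $t''$ with probabilities 0.5, 0.5; lower edges labeled $b$ and $c$.]

  $t_5 \not\models \langle a \rangle_{0.5} (\langle b \rangle_1 \wedge \langle c \rangle_1) \mathrel{=\!|} t_6$
  $t_5 \not\models \langle a \rangle_{0.5} \langle b \rangle_1 \mathrel{=\!|} t_6$
  $t_5 \not\models \langle a \rangle_{0.5} \langle c \rangle_1 \mathrel{=\!|} t_6$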

slide-20
SLIDE 20

Set of $\mathrm{PML}_{\vee}$ Formulas Satisfied by a Finite RPT

For choosing $t'$ in $\langle a \rangle_{1 - (\Delta_{2,a}(t') + p)} \bigvee_{j \in J} \varphi'_{2,j}$, we need to know the set of $\mathrm{PML}_{\vee}$ formulas that are satisfied by each finite RPT $t$.

Consider only the $\mathrm{PML}_{\vee}$ formulas satisfied by $t$ featuring:

  • probabilistic lower bounds of diamonds that are maximal with respect to the satisfiability of a formula of that format by $t$ (so as to keep the set finite);
  • diamonds that arise only from existing transitions departing from $t$ (to avoid useless diamonds in disjunctions & keep the set finite);
  • disjunctions that:
      • stem only from single transitions of different nodes in the support of a distribution reached by $t$;
      • are preceded by a diamond decorated with the sum of the probabilities assigned to those nodes by the distribution reached by $t$.

Select $t'$ with a minimal $\Phi_\vee$-set.

slide-21
SLIDE 21

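Formalization of the $\Phi_\vee$-Set

If $\mathit{height}(t) = 0$, then $\Phi_\vee(t) = \emptyset$.

If $\mathit{height}(t) \geq 1$ for $t$ having transitions of the form $t \xrightarrow{a_i} \Delta_i$ with $\mathit{supp}(\Delta_i) = \{t'_{i,j} \mid j \in J_i\}$ and $i \in I \neq \emptyset$, then:

$$\Phi_\vee(t) = \{\langle a_i \rangle_1 \mid i \in I\} \;\cup\; \bigcup_{i \in I} \mathit{hplb}\Big( \bigcup_{\emptyset \neq J' \subseteq J_i} \Big\{ \langle a_i \rangle_{\sum_{j \in J'} \Delta_i(t'_{i,j})} \dot{\bigvee}_{j \in J'} \varphi'_{i,j,k} \;\Big|\; t'_{i,j} \in \mathit{supp}(\Delta_i),\ \varphi'_{i,j,k} \in \Phi_\vee(t'_{i,j}) \Big\} \Big)$$

where:

  • $\dot{\vee}$ is a variant of $\vee$ in which identical operands are not admitted (i.e., idempotence is forced);
  • $\mathit{hplb}$ keeps only the formula with the highest probabilistic lower bound decorating the initial $a_i$-diamond among the formulas differing only for that bound.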

slide-22
SLIDE 22

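Absence of Nondeterminism in the $\Phi_\vee$-Formulas

No formula can have a disjunction between two actions enabled by the same node, because it would be useless for discriminating. Example:

[Figure: trees $t_7$ (with node $t'_7$) and $t_8$ (with node $t'_8$); edges labeled $a$, $b$ for $t_7$ and $a$, $b$, $c$ for $t_8$.]

  $\Phi_\vee(t_7) = \{\langle a \rangle_1, \langle a \rangle_1 \langle b \rangle_1\}$
  $\Phi_\vee(t_8) = \{\langle a \rangle_1, \langle a \rangle_1 \langle b \rangle_1, \langle a \rangle_1 \langle c \rangle_1\}$
  $\langle a \rangle_1 (\langle b \rangle_1 \vee \langle c \rangle_1) \notin \Phi_\vee(t_8)$
  $\Phi_\vee(t'_7) = \{\langle b \rangle_1\}$
  $\Phi_\vee(t'_8) = \{\langle b \rangle_1, \langle c \rangle_1\}$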

slide-23
SLIDE 23

Summing Up Probabilistic Lower Bounds

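No disjunctions of formulas starting with same-action diamonds, better summing up their probabilistic lower bounds. Example:

[Figure: trees $t_1$ (with nodes $t'_1$, $t''_1$) and $t_2$ (with nodes $t'_2$, $t''_2$); each root has an $a$-transition with probabilities 0.5 and 0.5; lower edges labeled $b$ and $c$.]

  $\Phi_\vee(t_1) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1\}$
  $\Phi_\vee(t_2) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1, \langle a \rangle_1 (\langle b \rangle_1 \vee \langle c \rangle_1)\}$
  $\langle a \rangle_{0.5} \langle b \rangle_1 \vee \langle a \rangle_{0.5} \langle c \rangle_1 \notin \Phi_\vee(t_1) \cup \Phi_\vee(t_2)$
  $\Phi_\vee(t'_1) = \{\langle b \rangle_1, \langle c \rangle_1\}$
  $\Phi_\vee(t''_1) = \emptyset$
  $\Phi_\vee(t'_2) = \{\langle b \rangle_1\}$
  $\Phi_\vee(t''_2) = \{\langle c \rangle_1\}$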

slide-24
SLIDE 24

Focussing on Nodes with Different Probabilities

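Nodes with the same probability in both distributions are useless for discriminating (even if they have a small $\Phi_\vee$-set), but count for $J$ and $p$. Example:

[Figure: tree $t_5$ with an $a$-transition reaching $t'_5$, $t''$, $t'''_5$ with probabilities 0.25, 0.5, 0.25, and tree $t_6$ with an $a$-transition reaching $t'_6$, $t''$ with probabilities 0.5, 0.5; lower edges labeled $b$ and $c$.]

  $\Phi_\vee(t_5) = \{\langle a \rangle_1, \langle a \rangle_{0.25} \langle b \rangle_1, \langle a \rangle_{0.25} \langle c \rangle_1, \langle a \rangle_{0.5} (\langle b \rangle_1 \vee \langle c \rangle_1)\}$
  $\Phi_\vee(t_6) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1\}$
  $\Delta_{5,a}(t'') = 0.5 = \Delta_{6,a}(t'') \implies t'' \notin J$
  $\Phi_\vee(t'_5) = \{\langle b \rangle_1\}$
  $\Phi_\vee(t'''_5) = \{\langle c \rangle_1\}$
  $\Phi_\vee(t'_6) = \{\langle b \rangle_1, \langle c \rangle_1\}$
  $\Phi_\vee(t'') = \emptyset$
  $0.5 = 1 - (\Delta_{6,a}(t'''_5) + \Delta_{6,a}(t'')) = 1 - (0 + 0.5)$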

slide-25
SLIDE 25

Importance of Short Formulas

Example:

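[Figure: trees $t_9$, $t_{10}$, $t_{11}$ with edges labeled $a$ and $b$; probabilities 0.7 and 0.3.]

  $\Phi_\vee(t_9) = \{\langle a \rangle_1\}$
  $\Phi_\vee(t_{10}) = \{\langle a \rangle_1, \langle a \rangle_1 \langle b \rangle_1\}$
  $\Phi_\vee(t_{11}) = \{\langle a \rangle_1, \langle a \rangle_{0.7} \langle b \rangle_1\}$

$\langle a \rangle_1$ is present in $\Phi_\vee(t_{10})$ and $\Phi_\vee(t_{11})$ although its depth is less than that of the other formulas in the same sets.

If it were absent, then $t_9$ may not be selected if the three nodes were derivatives of other nodes, hence no distinguishing formula would be produced.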

slide-26
SLIDE 26

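Role of $\dot{\vee}$ and $\mathit{hplb}$ in the $\Phi_\vee$-Construction

Example:

[Figure: trees $t_{12}$ and $t_{13}$ with nodes $t'$, $t''$, $t'''_{13}$, $t''''_{13}$; $t_{12}$ has an $a$-transition with probabilities 0.5, 0.5 and $t_{13}$ has an $a$-transition with probabilities 0.1, 0.1, 0.4, 0.4; lower edges labeled $b$ and $c$.]

  $\Phi_\vee(t_{12}) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1\}$
  $\Phi_\vee(t_{13}) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1, \langle a \rangle_{0.6} (\langle b \rangle_1 \vee \langle c \rangle_1)\}$
  $\Phi_\vee(t') = \{\langle b \rangle_1, \langle c \rangle_1\}$
  $\Phi_\vee(t'') = \emptyset$
  $\Phi_\vee(t'''_{13}) = \{\langle b \rangle_1\}$
  $\Phi_\vee(t''''_{13}) = \{\langle c \rangle_1\}$

Using $\vee$ in place of $\dot{\vee}$ would make $\Phi_\vee(t_{13})$ larger because it would also contain the useless $\langle a \rangle_{0.5} (\langle b \rangle_1 \vee \langle b \rangle_1)$ and $\langle a \rangle_{0.5} (\langle c \rangle_1 \vee \langle c \rangle_1)$.

If $\mathit{hplb}$ were not used, then $\Phi_\vee(t_{13})$ would be larger because it would also contain the useless $\langle a \rangle_{0.1} \langle b \rangle_1$, $\langle a \rangle_{0.4} \langle b \rangle_1$, $\langle a \rangle_{0.1} \langle c \rangle_1$, $\langle a \rangle_{0.4} \langle c \rangle_1$.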
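
The Φ∨-set definition from the formalization slide can be computed recursively and checked against the sets listed in the examples above. This is an added example, not the authors' code; the tree and formula encodings and the names `node`, `dia`, `phi_or` are assumptions, and so is the assignment of probabilities in $t_{13}$ (0.4 to $t'$ and $t''$, 0.1 to $t'''_{13}$ and $t''''_{13}$), which is inferred from the Φ∨-sets given on the page.

```python
from fractions import Fraction as F
from itertools import combinations, product

TOP = ("top",)

def node(**moves):
    """Finite RPT node: frozenset of (action, distribution) pairs."""
    return frozenset((a, frozenset(d.items())) for a, d in moves.items())

def dia(a, p, body=TOP):
    """<a>_p body; <a>_p alone abbreviates <a>_p applied to true."""
    return ("dia", a, F(p), body)

def phi_or(t, hplb=True):
    """Phi-or set of t as a frozenset of diamond formulas.

    hplb=False skips the hplb filter, to show what it removes.
    """
    out = set()
    for a, dist in t:
        out.add(dia(a, 1))                              # <a_i>_1
        succ = [(p, phi_or(u, hplb)) for u, p in dist]
        cands = set()
        for k in range(1, len(succ) + 1):
            for sub in combinations(succ, k):           # non-empty J' within J_i
                bound = sum(p for p, _ in sub)          # summed probabilities
                for pick in product(*(fs for _, fs in sub)):
                    ops = frozenset(pick)               # dotted or: duplicates collapse
                    body = pick[0] if len(ops) == 1 else ("or", ops)
                    cands.add((body, bound))
        if hplb:                                        # highest bound per body only
            top = {}
            for body, bound in cands:
                top[body] = max(top.get(body, 0), bound)
            cands = set(top.items())
        out.update(dia(a, p, body) for body, p in cands)
    return frozenset(out)

# Trees of the t12 / t13 example (probability assignment inferred, see above).
LEAF = node()
B, C = node(b={LEAF: 1}), node(c={LEAF: 1})
BC = node(b={LEAF: 1}, c={LEAF: 1})
T12 = node(a={BC: F(1, 2), LEAF: F(1, 2)})
T13 = node(a={BC: F(2, 5), LEAF: F(2, 5), B: F(1, 10), C: F(1, 10)})

if __name__ == "__main__":
    for name, tree in (("t12", T12), ("t13", T13)):
        print(name, sorted(map(str, phi_or(tree))))
```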

slide-27
SLIDE 27

Comparing Formulas without Disjunctions

If two nodes have the same formulas without disjunctions in their $\Phi_\vee$-sets, then a distinguishing formula will have disjunctions in it.

If the formulas without disjunctions are different between the two $\Phi_\vee$-sets, then one of those formulas will tell the two nodes apart.

A particular instance of the second case is the one in which for each formula without disjunctions in one of the two $\Phi_\vee$-sets there is a variant in the other $\Phi_\vee$-set and vice versa.
A formula without disjunctions that has the same format but may differ for the values of some probabilistic lower bounds.

Focus on the node whose $\Phi_\vee$-set is a $(\leq, <)$-variant of the other.

slide-28
SLIDE 28

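Minimality of $\Phi_\vee$-Sets and $(\leq, <)$-Variants

Example:

[Figure: tree $t_5$ with an $a$-transition reaching $t'_5$, $t''$, $t'''_5$ with probabilities 0.25, 0.5, 0.25, and tree $t_6$ with an $a$-transition reaching $t'_6$, $t''$ with probabilities 0.5, 0.5; lower edges labeled $b$ and $c$.]

  $\Phi_\vee(t_5) = \{\langle a \rangle_1, \langle a \rangle_{0.25} \langle b \rangle_1, \langle a \rangle_{0.25} \langle c \rangle_1, \langle a \rangle_{0.5} (\langle b \rangle_1 \vee \langle c \rangle_1)\}$
  $\Phi_\vee(t_6) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1\}$

Assuming that the two nodes are derivatives of other nodes, although $\Phi_\vee(t_6)$ is smaller than $\Phi_\vee(t_5)$ we focus on $\Phi_\vee(t_5)$ because $\Phi_\vee(t_5)$ is a $(\leq, <)$-variant of $\Phi_\vee(t_6)$.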

slide-29
SLIDE 29

Again on the Role of hplb

Example:

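[Figure: trees $t_{12}$ and $t_{13}$ with nodes $t'$, $t''$, $t'''_{13}$, $t''''_{13}$; $t_{12}$ has an $a$-transition with probabilities 0.5, 0.5 and $t_{13}$ has an $a$-transition with probabilities 0.1, 0.1, 0.4, 0.4; lower edges labeled $b$ and $c$.]

  $\Phi_\vee(t_{12}) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1\}$
  $\Phi_\vee(t_{13}) = \{\langle a \rangle_1, \langle a \rangle_{0.5} \langle b \rangle_1, \langle a \rangle_{0.5} \langle c \rangle_1, \langle a \rangle_{0.6} (\langle b \rangle_1 \vee \langle c \rangle_1)\}$

If $\mathit{hplb}$ were not used, then $\Phi_\vee(t_{13})$ would also contain the useless $\langle a \rangle_{0.1} \langle b \rangle_1$, $\langle a \rangle_{0.4} \langle b \rangle_1$, $\langle a \rangle_{0.1} \langle c \rangle_1$, $\langle a \rangle_{0.4} \langle c \rangle_1$ and hence it would erroneously be considered as a $(\leq, <)$-variant of $\Phi_\vee(t_{12})$.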

slide-30
SLIDE 30

Selection of Parameters for the Distinguishing Formula

Among the nodes such that $\Delta_{1,a}(t') > \Delta_{2,a}(t')$, avoid those for which there exists another node whose formulas without $\vee$ have the same format but higher probabilistic lower bounds.

A good criterion for choosing $t'$ in $\langle a \rangle_{1 - (\Delta_{2,a}(t') + p)} \bigvee_{j \in J} \varphi'_{2,j}$ is the minimality of its $\Phi_\vee$-set, so as to obtain $t' \not\models \varphi'_{2,j} \mathrel{=\!|} t'_{2,j}$.

The set $J$ only contains the derivatives of $t_2$ different from $t'$ to which $\Delta_{1,a}$ and $\Delta_{2,a}$ assign two different probabilities.

The excluded derivatives do not matter for discriminating: some of them satisfy $\bigvee_{j \in J} \varphi'_{2,j}$, the others do not.

The value $p$ is the probability that $t_2$ (same as for $t_1$) reaches the excluded derivatives that do not satisfy $\bigvee_{j \in J} \varphi'_{2,j}$.

slide-31
SLIDE 31

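Logical Characterization Result for $\mathrm{PML}_{\vee}$

Let $t_1$ and $t_2$ be two finite RPT nodes. Then $t_1 = t_2 \iff \forall \varphi \in \mathrm{PML}_{\vee}.\; (t_1 \models \varphi \iff t_2 \models \varphi)$.

Moreover, if $t_1 \neq t_2$, then there exists $\varphi \in \mathrm{PML}_{\vee}$ distinguishing $t_1$ from $t_2$ such that $\mathit{depth}(\varphi) \leq \max(\mathit{height}(t_1), \mathit{height}(t_2))$.

Exploit full abstraction and compactness.

Let $s_1$ and $s_2$ be two RPLTS states. Then $s_1 \sim_{\mathrm{PB}} s_2 \iff \forall \varphi \in \mathrm{PML}_{\vee}.\; (s_1 \models \varphi \iff s_2 \models \varphi)$.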

slide-32
SLIDE 32

A New Proof that $\mathrm{PML}_{\wedge}$ Characterizes $\sim_{\mathrm{PB}}$

Adaptation of the proof for $\mathrm{PML}_{\vee}$ based on the one for $\mathrm{PML}_{\neg\wedge}$.
Remember that negation cannot be used.

The objective is to achieve:

  $t_1 \models \langle a \rangle_{\Delta_{1,a}(t') + p} \bigwedge_{j \in J} \varphi'_{2,j} \mathrel{\neq\!|} t_2$

where:

  • $t'$ is a derivative of $t_1$ s.t. $\Delta_{1,a}(t') > \Delta_{2,a}(t')$ and $t' \models \varphi'_{2,j} \mathrel{\neq\!|} t'_{2,j}$;
  • $J$ is an index set identifying the derivatives of $t_2$ other than $t'$ such that $\Delta_{1,a}(t'') \neq \Delta_{2,a}(t'')$;
  • $p$ is the probability that $t_2$ reaches nodes $t'''$ not in $J$ such that $t''' \models \bigwedge_{j \in J} \varphi'_{2,j}$.

Construction of the $\Phi_\wedge$-set (focus on transitions departing from the same node).

Choose $t'$ with a maximal $\Phi_\wedge$-set.

No use of measure theory!

slide-33
SLIDE 33

Summary of New Results in the Discrete Case

Also $\mathrm{PML}_{\vee}$ characterizes $\sim_{\mathrm{PB}}$, i.e., (negation is not necessary and) disjunction is enough for reactive probabilistic processes.
In a nondeterministic setting, this characterizes trace equivalence!
Therefore $\wedge$ and $\vee$ are interchangeable for probabilistic (bi)similarity, while they are both necessary for probabilistic simulation preorder.

An alternative proof that $\mathrm{PML}_{\neg\wedge}$ characterizes $\sim_{\mathrm{PB}}$, where the minimal deviation assumption is relaxed to finite support.

An alternative proof that $\mathrm{PML}_{\wedge}$ characterizes $\sim_{\mathrm{PB}}$, which directly addresses discrete state spaces without measure theory.

All proofs are based on a coalgebraic representation of RPLTS that allows us to work with finite acyclic models and thus to use induction.

All proofs are constructive because they build distinguishing formulas and hence lead to algorithms for automatically explaining $\sim_{\mathrm{PB}}$-inequivalence inspired by Cleaveland algorithm.

slide-34
SLIDE 34

Open Problems

Does the $\mathrm{PML}_{\vee}$-based logical characterization result hold also in the continuous case?
So it seems: Desharnais, Klin (personal communications).

Bernardo, Sangiorgi & Vignudelli studied the discriminating power over RPLTS of three different testing equivalences respectively using reactive probabilistic tests, fully nondeterministic tests, and nondeterministic and probabilistic tests (Segala probabilistic automata).

Conjecture: testing equivalence based on nondeterministic and probabilistic tests has the same discriminating power as $\sim_{\mathrm{PB}}$.

Tentative proof: if $s_1 \not\sim_{\mathrm{PB}} s_2$, build a distinguishing nondeterministic and probabilistic test from a distinguishing $\mathrm{PML}_{\wedge}$ formula.

Since choices within tests fit well together with disjunction rather than conjunction, it may be more convenient to start from a distinguishing $\mathrm{PML}_{\vee}$ formula instead.