Model Checking for Coalition Announcement Logic Rustam GALIMULLIN 1 - - PowerPoint PPT Presentation

Model Checking for Coalition Announcement Logic

Rustam GALIMULLIN 1 Natasha ALECHINA 1 Hans VAN DITMARSCH 2

1University of Nottingham, Nottingham, UK 2CNRS, LORIA, University of Lorraine, France & ReLaX, Chennai, India

What this talk is about

What agents know and don’t know (through the lens of epistemic logic1) The effect of public announcements2 on agent’s knowledge How agents can achieve certain goals by teaming up in coalitions and making joint announcements3 Model checking for such a framework

1Hans van Ditmarsch et al., eds. Handbook of Epistemic Logic. College

Publications, 2015.

2Hans van Ditmarsch, Wiebe van der Hoek, and Barteld Kooi. Dynamic

Epistemic Logic. Vol. 337. Synthese Library. Springer, 2008.

3Thomas ˚

Agotnes and Hans van Ditmarsch. “Coalitions and Announcements”. In: Proceedings of AAMAS 2008. Ed. by Lin Padgham et al. IFAAMAS, 2008, pp. 673–680.

KI 2018 Model Checking for CAL 2 / 53

What this talk is about

What agents know and don’t know (through the lens of epistemic logic1) The effect of public announcements2 on agent’s knowledge How agents can achieve certain goals by teaming up in coalitions and making joint announcements3 Model checking for such a framework

1Hans van Ditmarsch et al., eds. Handbook of Epistemic Logic. College

Publications, 2015.

2Hans van Ditmarsch, Wiebe van der Hoek, and Barteld Kooi. Dynamic

Epistemic Logic. Vol. 337. Synthese Library. Springer, 2008.

3Thomas ˚

Agotnes and Hans van Ditmarsch. “Coalitions and Announcements”. In: Proceedings of AAMAS 2008. Ed. by Lin Padgham et al. IFAAMAS, 2008, pp. 673–680.

KI 2018 Model Checking for CAL 3 / 53

Example

There are two households, a and b, and an electricity substation c that requires information about how many households consume

• power. Moreover, it is imperative that individual household’s

consumption remains unknown.

KI 2018 Model Checking for CAL 4 / 53

Example

There are two households, a and b, and an electricity substation c that requires information about how many households consume

• power. Moreover, it is imperative that individual household’s

consumption remains unknown.

KI 2018 Model Checking for CAL 5 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = pa ∧ ¬pb, (M, w1) | = Kapa, (M, w1) | = Kapb, (M, w1) | = ¬Kcpa.

KI 2018 Model Checking for CAL 6 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = pa ∧ ¬pb, (M, w1) | = Kapa, (M, w1) | = Kapb, (M, w1) | = ¬Kcpa.

KI 2018 Model Checking for CAL 7 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = pa ∧ ¬pb, (M, w1) | = Kapa, (M, w1) | = Kapb, (M, w1) | = ¬Kcpa.

KI 2018 Model Checking for CAL 8 / 53

Public Announcements

In the continuation of the example, suppose that a announces that Exactly one of us, a and b, uses electricity, i.e. (pa ∧ ¬pb) ∨ (¬pa ∧ pb).

KI 2018 Model Checking for CAL 9 / 53

Public Announcements

In the continuation of the example, suppose that a announces that Exactly one of us, a and b, uses electricity, i.e. (pa ∧ ¬pb) ∨ (¬pa ∧ pb).

KI 2018 Model Checking for CAL 10 / 53

Example Updated

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c

KI 2018 Model Checking for CAL 11 / 53

Example Updated

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c

KI 2018 Model Checking for CAL 12 / 53

Example Updated

pa, ¬pb w1 ¬pa, pb w3 c a, b, c a, b, c (M, w1)ann | = pa ∧ ¬pb, (M, w1)ann | = Kapa, (M, w1)ann | = Kapb, (M, w1)ann | = Kc((pa ∧ ¬pb) ∨ (¬pa ∧ pb)).

KI 2018 Model Checking for CAL 13 / 53

Example Updated

pa, ¬pb w1 ¬pa, pb w3 c a, b, c a, b, c (M, w1)ann | = pa ∧ ¬pb, (M, w1)ann | = Kapa, (M, w1)ann | = Kapb, (M, w1)ann | = Kc((pa ∧ ¬pb) ∨ (¬pa ∧ pb)).

KI 2018 Model Checking for CAL 14 / 53

Models

Definition (Epistemic Model) An epistemic model is a triple M = (W , ∼, V ), where W is a non-empty set of states, ∼: A → P(W × W ) assigns an equivalence relation to each agent, V : P → P(W ) is the valuation function. A pair (M, w) with w ∈ W is called a pointed model. An announcement in a pointed model (M, w) results in an updated pointed model (M, w)ϕ with W ϕ = ϕM, ∼ϕ

a =∼a ∩

(ϕM × ϕM), and V ϕ(p) = V (p) ∩ ϕM.

KI 2018 Model Checking for CAL 15 / 53

Models

Definition (Epistemic Model) An epistemic model is a triple M = (W , ∼, V ), where W is a non-empty set of states, ∼: A → P(W × W ) assigns an equivalence relation to each agent, V : P → P(W ) is the valuation function. A pair (M, w) with w ∈ W is called a pointed model. An announcement in a pointed model (M, w) results in an updated pointed model (M, w)ϕ with W ϕ = ϕM, ∼ϕ

a =∼a ∩

(ϕM × ϕM), and V ϕ(p) = V (p) ∩ ϕM.

KI 2018 Model Checking for CAL 16 / 53

Semantics

Definition (Semantics) (M, w) | = p iff w ∈ V (p) (M, w) | = ¬ϕ iff (M, w) | = ϕ (M, w) | = ϕ ∧ ψ iff (M, w) | = ϕ and (M, w) | = ψ (M, w) | = Kaϕ iff ∀v ∈ W : w ∼a v implies (M, v) | = ϕ (M, w) | = [ϕ]ψ iff (M, w) | = ϕ implies (M, w)ϕ | = ψ Formula [ϕ]ψ is read as after a public announcement of ϕ, ψ holds in the resulting model. Dual of [] (M, w) | = ϕψ iff (M, w) | = ϕ and (M, w)ϕ | = ψ

KI 2018 Model Checking for CAL 17 / 53

Semantics

Definition (Semantics) (M, w) | = p iff w ∈ V (p) (M, w) | = ¬ϕ iff (M, w) | = ϕ (M, w) | = ϕ ∧ ψ iff (M, w) | = ϕ and (M, w) | = ψ (M, w) | = Kaϕ iff ∀v ∈ W : w ∼a v implies (M, v) | = ϕ (M, w) | = [ϕ]ψ iff (M, w) | = ϕ implies (M, w)ϕ | = ψ Formula [ϕ]ψ is read as after a public announcement of ϕ, ψ holds in the resulting model. Dual of [] (M, w) | = ϕψ iff (M, w) | = ϕ and (M, w)ϕ | = ψ

KI 2018 Model Checking for CAL 18 / 53

Announcements by Coalitions

We are interested in the following restrictions on announcements: Announcements are made by agents Agents can only announce what they know Coalitions of agents can announce conjunctions of formulas, where each conjunct is a formula known by an agent in the coalition Agents outside of the coalitions also make an announcement that can preclude coalition to reach its goal

KI 2018 Model Checking for CAL 19 / 53

Announcements by Coalitions

We are interested in the following restrictions on announcements: Announcements are made by agents Agents can only announce what they know Coalitions of agents can announce conjunctions of formulas, where each conjunct is a formula known by an agent in the coalition Agents outside of the coalitions also make an announcement that can preclude coalition to reach its goal

KI 2018 Model Checking for CAL 20 / 53

Announcements by Coalitions

Coalition Announcement Logic (CAL) allows us to reason about announcements by coalition of agents. This is Public Announcement Logic (PAL) with the following added operators:

• [G]

ϕ: ‘there is an announcement by agents from G such that whatever agents A \ G outside of the coalition announce, ϕ holds,’

• r

[ G ]ϕ: ‘whatever agents from G announce, there is an announcement by the agents from the outside of the coalition, such that ϕ holds.’

KI 2018 Model Checking for CAL 21 / 53

Announcements by Coalitions

Coalition Announcement Logic (CAL) allows us to reason about announcements by coalition of agents. This is Public Announcement Logic (PAL) with the following added operators:

• [G]

ϕ: ‘there is an announcement by agents from G such that whatever agents A \ G outside of the coalition announce, ϕ holds,’

• r

[ G ]ϕ: ‘whatever agents from G announce, there is an announcement by the agents from the outside of the coalition, such that ϕ holds.’

KI 2018 Model Checking for CAL 22 / 53

Semantics of CAL

Let ψG be a shorthand for a formula of the type Kaϕa ∧ . . . ∧ Kbϕb, where a, . . . , b ∈ G, and ϕa, . . . , ϕb are formulas of epistemic

• logic. For example, ψG may be Kap ∧ Kb(p → q) for G = {a, b}.

Definition (Semantics) (M, w) | = [ G ]ϕ iff ∀ψG∃χA\G : (M, w) | = ψG → ψG ∧ χA\Gϕ (M, w) | = [G] ϕ iff ∃ψG∀χA\G : (M, w) | = ψG ∧ [ψG ∧ χA\G]ϕ

KI 2018 Model Checking for CAL 23 / 53

Semantics of CAL

Let ψG be a shorthand for a formula of the type Kaϕa ∧ . . . ∧ Kbϕb, where a, . . . , b ∈ G, and ϕa, . . . , ϕb are formulas of epistemic

• logic. For example, ψG may be Kap ∧ Kb(p → q) for G = {a, b}.

Definition (Semantics) (M, w) | = [ G ]ϕ iff ∀ψG∃χA\G : (M, w) | = ψG → ψG ∧ χA\Gϕ (M, w) | = [G] ϕ iff ∃ψG∀χA\G : (M, w) | = ψG ∧ [ψG ∧ χA\G]ϕ

KI 2018 Model Checking for CAL 24 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = [{a, b}] (Kc((pa ∧ ¬pb) ∨ (¬pa ∧ pb)) ∧ ¬(Kc(pa ∧ ¬pb) ∨ Kc(¬pa ∧ pb))), (M, w1) | = ¬ [{a}] ϕ.

KI 2018 Model Checking for CAL 25 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = [{a, b}] (Kc((pa ∧ ¬pb) ∨ (¬pa ∧ pb)) ∧ ¬(Kc(pa ∧ ¬pb) ∨ Kc(¬pa ∧ pb))), (M, w1) | = ¬ [{a}] ϕ.

KI 2018 Model Checking for CAL 26 / 53

Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 c c c c c a, b, c a, b, c a, b, c a, b, c (M, w1) | = [{a, b}] (Kc((pa ∧ ¬pb) ∨ (¬pa ∧ pb)) ∧ ¬(Kc(pa ∧ ¬pb) ∨ Kc(¬pa ∧ pb))), (M, w1) | = ¬ [{a}] ϕ.

KI 2018 Model Checking for CAL 27 / 53

Model Checking for CAL: Introduction

Definition (Model Checking for CAL) Model-checking problem for CAL: given a pointed epistemic model (M, w) and a formula ϕ, determine whether (M, w) | = ϕ. Epistemic Planning: is there a strategy for a coalition such that some information is made known without revealing too much? Verification of Distributed Protocols: communication over a channel with an eavesdropper Producing the announcement that guarantees a certain output for a coalition (if possible)

KI 2018 Model Checking for CAL 28 / 53

Model Checking for CAL: Introduction

Definition (Model Checking for CAL) Model-checking problem for CAL: given a pointed epistemic model (M, w) and a formula ϕ, determine whether (M, w) | = ϕ. Epistemic Planning: is there a strategy for a coalition such that some information is made known without revealing too much? Verification of Distributed Protocols: communication over a channel with an eavesdropper Producing the announcement that guarantees a certain output for a coalition (if possible)

KI 2018 Model Checking for CAL 29 / 53

Model Checking for CAL: Introduction

Definition (Model Checking for CAL) Model-checking problem for CAL: given a pointed epistemic model (M, w) and a formula ϕ, determine whether (M, w) | = ϕ. Epistemic Planning: is there a strategy for a coalition such that some information is made known without revealing too much? Verification of Distributed Protocols: communication over a channel with an eavesdropper Producing the announcement that guarantees a certain output for a coalition (if possible)

KI 2018 Model Checking for CAL 30 / 53

Model Checking for CAL: General Idea

Problem: implementing the truth definition directly requires checking results of announcing infinitely many formulas Hint: models for model checking are finite; for every agent there are finitely many ways to modify a model, and the same model update is a result of infinitely many announcements Solution: systematically define ‘exemplar’ announcements by an agent for every possible model update4

4Similar ideas to model checking of GAL: Thomas ˚

Agotnes et al. “Group announcement logic”. In: Journal of Applied Logic 8.1 (2010), pp. 62–81

KI 2018 Model Checking for CAL 31 / 53

Model Checking for CAL: General Idea

Problem: implementing the truth definition directly requires checking results of announcing infinitely many formulas Hint: models for model checking are finite; for every agent there are finitely many ways to modify a model, and the same model update is a result of infinitely many announcements Solution: systematically define ‘exemplar’ announcements by an agent for every possible model update4

4Similar ideas to model checking of GAL: Thomas ˚

Agotnes et al. “Group announcement logic”. In: Journal of Applied Logic 8.1 (2010), pp. 62–81

KI 2018 Model Checking for CAL 32 / 53

Model Checking for CAL: Machinery I

Given a finite model (M, w), distinguishing formula δw is constructed recursively as follows: δk+1

w

::= δ0

w ∧

• a∈A

(

• w∼av
• Kaδk

v ∧ Ka

• w∼av

δk

v ),

where 0 ≤ k < |W |, and δ0

w is the conjunction of all literals that

are true in w, i.e. δ0

w ::= w∈V (p) p ∧ w∈V (p) ¬p.

Theorem Every pointed model (M, w) is distinguished from all other non-bisimilar pointed models (M, v) by some distinguishing formula δw ∈ LEL. A distinguishing formula for a set of states S is δS ::=

• w∈S

δw.

KI 2018 Model Checking for CAL 33 / 53

Model Checking for CAL: Machinery I

Given a finite model (M, w), distinguishing formula δw is constructed recursively as follows: δk+1

w

::= δ0

w ∧

• a∈A

(

• w∼av
• Kaδk

v ∧ Ka

• w∼av

δk

v ),

where 0 ≤ k < |W |, and δ0

w is the conjunction of all literals that

are true in w, i.e. δ0

w ::= w∈V (p) p ∧ w∈V (p) ¬p.

Theorem Every pointed model (M, w) is distinguished from all other non-bisimilar pointed models (M, v) by some distinguishing formula δw ∈ LEL. A distinguishing formula for a set of states S is δS ::=

• w∈S

δw.

KI 2018 Model Checking for CAL 34 / 53

Model Checking for CAL: Machinery I

Given a finite model (M, w), distinguishing formula δw is constructed recursively as follows: δk+1

w

::= δ0

w ∧

• a∈A

(

• w∼av
• Kaδk

v ∧ Ka

• w∼av

δk

v ),

where 0 ≤ k < |W |, and δ0

w is the conjunction of all literals that

are true in w, i.e. δ0

w ::= w∈V (p) p ∧ w∈V (p) ¬p.

Theorem Every pointed model (M, w) is distinguished from all other non-bisimilar pointed models (M, v) by some distinguishing formula δw ∈ LEL. A distinguishing formula for a set of states S is δS ::=

• w∈S

δw.

KI 2018 Model Checking for CAL 35 / 53

A Modified Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 a, c c b, c c a, c a, b, c a, b, c a, b, c a, b, c Agents a and b are unaware of each others states.

KI 2018 Model Checking for CAL 36 / 53

A Modified Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 a, c c b, c c a, c a, b, c a, b, c a, b, c a, b, c Agents a and b are unaware of each others states.

KI 2018 Model Checking for CAL 37 / 53

A Modified Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 a, c c b, c c a, c a, b, c a, b, c a, b, c a, b, c Agent’s a equivalence class (announcement Kapa)

KI 2018 Model Checking for CAL 38 / 53

A Modified Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 a, c c b, c c a, c a, b, c a, b, c a, b, c a, b, c Agent’s b equivalence class (announcement Kb¬pb)

KI 2018 Model Checking for CAL 39 / 53

A Modified Example

pa, ¬pb w1 pa, pb w2 ¬pa, pb w3 ¬pa, ¬pb w4 a, c c b, c c a, c a, b, c a, b, c a, b, c a, b, c equivalence class ∩ equivalence class = equivalence class (announcement Kapa ∧ Kb¬pb)

KI 2018 Model Checking for CAL 40 / 53

Model Checking for CAL: Machinery II

Definition (Strategies) A strategy Xa for an agent a in a finite model (M, w) is a union of equivalence classes of a including [w]a. Let denote the set of all available strategies of a as S(a, w). Coalition strategy XG is defined as ∩a∈GXa for all a ∈ G. The set of available strategies for a coalition of agents G is denoted as S(G, w). A distinguishing formula δXG for XG is

w∈XG δw.

Given that the number of strategies is always finite, we can a new finitary definition to the coalition announcement operator: (M, w) | = [G] ϕ iff ∃XG ∈ S(G, w) ∀XA\G ∈ S(A \ G, w) : (M, w)XG ∩XA\G | = ϕ

KI 2018 Model Checking for CAL 41 / 53

Model Checking for CAL: Machinery II

Definition (Strategies) A strategy Xa for an agent a in a finite model (M, w) is a union of equivalence classes of a including [w]a. Let denote the set of all available strategies of a as S(a, w). Coalition strategy XG is defined as ∩a∈GXa for all a ∈ G. The set of available strategies for a coalition of agents G is denoted as S(G, w). A distinguishing formula δXG for XG is

w∈XG δw.

Given that the number of strategies is always finite, we can a new finitary definition to the coalition announcement operator: (M, w) | = [G] ϕ iff ∃XG ∈ S(G, w) ∀XA\G ∈ S(A \ G, w) : (M, w)XG ∩XA\G | = ϕ

KI 2018 Model Checking for CAL 42 / 53

Model Checking for CAL: The Algorithm

Algorithm mc(M, w, ϕ0) case ϕ0 p : if w ∈ V (p) then return true else return false; ¬ϕ : if ¬mc(M, w, ϕ) then return true else return false; ϕ ∧ ψ : if mc(M, w, ϕ) and mc(M, w, ψ) then return true else return false; Kaϕ : for all v ∼a w if ¬mc(M, v, ϕ) then return false; return true

KI 2018 Model Checking for CAL 43 / 53

Model Checking for CAL: The Algorithm

Algorithm mc(M, w, ϕ0) case ϕ0 p : if w ∈ V (p) then return true else return false; ¬ϕ : if ¬mc(M, w, ϕ) then return true else return false; ϕ ∧ ψ : if mc(M, w, ϕ) and mc(M, w, ψ) then return true else return false; Kaϕ : for all v ∼a w if ¬mc(M, v, ϕ) then return false; return true

KI 2018 Model Checking for CAL 44 / 53

Model Checking for CAL: The Algorithm Continued

ψϕ if ¬mc(M, w, ψ) then return false, else compute the ψ-submodel of M and return mc(Mψ, w, ϕ).

• [G]

ϕ: compute (M, w) and sets of strategies S(G, w) and S(A \ G, w) for all XG ∈ S(G, w) check = true; for all XA\G ∈ S(A \ G, w) if ¬mc(MXG ∩XA\G , w, ϕ) then check = false if check then return true return false.

KI 2018 Model Checking for CAL 45 / 53

Complexity of The Model Checking Problem

Theorem The model checking problem for CAL is PSPACE-complete.

KI 2018 Model Checking for CAL 46 / 53

Complexity of The Model Checking Problem

Theorem The model checking problem for CAL is PSPACE-complete.

KI 2018 Model Checking for CAL 47 / 53

Conclusions and Further Research

PSPACE is a manageable complexity We can use model checking to verify consequences of coalition announcements (for example, communication protocols, or data collection) We can also use it to produce strategies (the right announcements to make) given the properties that should hold after the announcement The satisfiability problem for CAL is undecidable5. Finding its decidable fragments is an open problem

5Thomas ˚

Agotnes, Hans van Ditmarsch, and Timothy Stewart French. “The Undecidability of Quantified Announcements”. In: Studia Logica 104.4 (2016), pp. 597–640.

KI 2018 Model Checking for CAL 48 / 53

Conclusions and Further Research

PSPACE is a manageable complexity We can use model checking to verify consequences of coalition announcements (for example, communication protocols, or data collection) We can also use it to produce strategies (the right announcements to make) given the properties that should hold after the announcement The satisfiability problem for CAL is undecidable5. Finding its decidable fragments is an open problem

5Thomas ˚

Agotnes, Hans van Ditmarsch, and Timothy Stewart French. “The Undecidability of Quantified Announcements”. In: Studia Logica 104.4 (2016), pp. 597–640.

KI 2018 Model Checking for CAL 49 / 53

Thank you for attention!

KI 2018 Model Checking for CAL 50 / 53

Encore: Bisimulation

Let two models M = (W , ∼ V ) and M′ = (W ′, ∼′, V ′) be given. A non-empty binary relation Z ⊆ W × W ′ is called a bisimulation if and only if for all w ∈ W and w′ ∈ W ′ with (w, w′) ∈ Z: w and w′ satisfy the same propositional variables; for all a ∈ A and all v ∈ W : if w ∼a v, then there is a v′ such that w′ ∼a v′ and (v, v′) ∈ Z; for all a ∈ A and all v′ ∈ W ′: if w′ ∼a v′, then there is a v such that w ∼a v and (v, v′) ∈ Z.

KI 2018 Model Checking for CAL 51 / 53

Encore: Bisimulation Contraction

The quotient model of M with respect to some relation R is MR = (W R, ∼R, V R), where W R = {[w] | w ∈ W } and [w] = {v | wRv}, [w] ∼R

a [v] iff ∃w′ ∈ [w], ∃v′ ∈ [v] such

that w′ ∼a v′ in M, and [w] ∈ V R(p) iff ∀w′ ∈ [w] : w′ ∈ V (p). Bisimulation contraction of M (written M) is the quotient model of M with respect to the maximal bisimulation of M with itself. A model M is bisimulation contracted if M is isomorphic to M. (M, w) | = ϕ iff (M, w) | = ϕ for all ϕ ∈ LCAL.

KI 2018 Model Checking for CAL 52 / 53