Specification and Analysis of Contracts Lecture 7 Specification of - - PowerPoint PPT Presentation

SLIDE 1

Specification and Analysis of Contracts Lecture 7 Specification of ’Deontic’ Contracts Using CL

Gerardo Schneider

gerardo@ifi.uio.no
http://folk.uio.no/gerardo/
Department of Informatics, University of Oslo

SEFM School, Oct. 27 - Nov. 7, 2008
Cape Town, South Africa

Gerardo Schneider (UiO) Specification and Analysis of e-Contracts SEFM, 3-7 Nov 2008 1 / 27

SLIDE 2

Plan of the Course

1 Introduction
2 Components, Services and Contracts
3 Background: Modal Logics 1
4 Background: Modal Logics 2
5 Deontic Logic
6 Challenges in Defining a Good Contract Language
7 Specification of ’Deontic’ Contracts (CL)
8 Verification of ’Deontic’ Contracts
9 Exercises
10 Exercises and Summary

SLIDE 3

Plan

1 The Contract Language CL
2 Properties of the Language



SLIDE 5

Aim and Motivation

Use deontic e-contracts to ‘rule’ services exchange (e.g., web services and component-based development)

1 Give a formal language for specifying/writing contracts
2 Analyze contracts “internally”
    • Detect contradictions/inconsistencies statically
    • Determine the obligations (permissions, prohibitions) of a signatory
    • Detect superfluous contract clauses
3 Tackle the negotiation process (automatically?)
4 Develop a theory of contracts
    • Contract composition
    • Subcontracting
    • Conformance between a contract and the governing policies
    • Meta-contracts (policies)
5 Monitor contracts
    • Run-time system to ensure the contract is respected
    • In case of contract violations, act accordingly


SLIDE 11

A Formal Language for Contracts

  • A precise and concise syntax and a formal semantics
  • Expressive enough to capture natural contract clauses
  • Restrictive enough to avoid (deontic) paradoxes and to be amenable to formal analysis
    • Model checking
    • Deductive verification
  • Allow representation of complex clauses: conditional obligations, permissions, and prohibitions
  • Allow specification of (nested) contrary-to-duty (CTD) and contrary-to-prohibition (CTP)
    • CTD: when an obligation is not fulfilled
    • CTP: when a prohibition is violated

We want to combine

  • The logical approach (e.g., dynamic, temporal, deontic logic)
  • The automata-like approach (labelled Kripke structures)


SLIDE 13

The Contract Specification Language CL

Definition (CL)

Contract := D ; C
C := C_O | C_P | C_F | C ∧ C | [α]C | ⟨α⟩C | C U C | ○C | □C
C_O := O(α) | C_O ⊕ C_O
C_P := P(α) | C_P ⊕ C_P
C_F := F(α) | C_F ∨ [α]C_F

  • O(α), P(α), F(α) specify obligation, permission (rights), and prohibition (forbidden) over actions
  • α are actions given in the definition part D, built with: + choice, · concatenation (sequencing), & concurrency, φ? test
  • ∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
  • [α] and ⟨α⟩ are the action-parameterized modalities of dynamic logic
  • U, ○, and □ correspond to temporal logic operators


SLIDE 18

Actions

Test and Negation

Tests as actions: φ?

  • The behaviour of a test is like a guard; e.g. in ϕ? · a, if the test succeeds then action a is performed
  • Tests are used to model implication: [ϕ?]C is the same as ϕ ⇒ C

Action negation ᾱ

  • It represents all immediate traces that take us outside the trace of α
  • Involves the use of a canonic form of actions
  • E.g.: consider two atomic actions a and b; then the negation of a · b is b + a · a

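An added example, not part of the lecture or of any CL tool, of the canonical-form negation just described, over the two-action alphabet used on the slide. It assumes, as a simplification, that a step is a single atomic action (no & inside a step), and that a trace which has already left α stops there; all function names are my own.

```python
# Added example (not from the lecture): action negation over a finite alphabet of
# atomic actions, in the canonical-form style the slide describes. An action is
# represented by its set of traces; a trace is a tuple of atomic action names
# (a·b is ("a", "b")) and choice is set union. Simplifying assumption: a step is a
# single atomic action, so concurrent steps (a&b) are left out of this example.

ALPHABET = frozenset({"a", "b"})      # constructed sample alphabet, as on the slide


def atomic(name):
    """The atomic action `name` as a one-step trace set."""
    return {(name,)}


def seq(x, y):
    """Sequencing x · y: every trace of x followed by every trace of y."""
    return {tx + ty for tx in x for ty in y}


def choice(x, y):
    """Choice x + y: either behaviour satisfies the action."""
    return x | y


def negate(action, alphabet=ALPHABET):
    """All immediate traces that take us outside the traces of `action`.

    Walk the traces of `action` step by step. At each position, any letter that no
    trace of `action` allows after the current prefix is a way out, and the
    resulting trace stops there (it is already outside). Over {a, b} this gives
    the slide's example: the negation of a·b is b + a·a (ā = b and b̄ = a).
    """
    result = set()
    prefixes = {()}                    # prefixes that are still inside `action`
    longest = max(len(t) for t in action)
    for d in range(longest):
        next_prefixes = set()
        for pre in prefixes:
            allowed = {t[d] for t in action if len(t) > d and t[:d] == pre}
            if not allowed:            # `pre` is a complete trace: nothing left to violate
                continue
            result |= {pre + (x,) for x in alphabet - allowed}
            next_prefixes |= {pre + (x,) for x in allowed}
        prefixes = next_prefixes
    return result


def pretty(action):
    """Render a trace set in CL syntax, e.g. 'a·a + b' (sorted for determinism)."""
    return " + ".join(sorted("·".join(t) for t in action)) or "(no violating trace)"


if __name__ == "__main__":
    a, b = atomic("a"), atomic("b")
    print("negation of a·b over {a, b}:", pretty(negate(seq(a, b))))      # a·a + b
    print("negation of a + b over {a, b}:", pretty(negate(choice(a, b))))
```

The second call shows the edge case: over the alphabet {a, b} the choice a + b cannot be violated at all, so its negation is the empty trace set. Enlarging ALPHABET (e.g. adding "c") makes ā = b + c and changes every result accordingly, which is why the negation is only meaningful relative to the definition part D.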


SLIDE 20

Actions

Concurrent actions: a&b

  • “The client must pay immediately, or the client must notify the service provider by sending an e-mail specifying that he delays the payment”: O(p) ⊕ O(d&n)
  • O(d&n) ≡ O(d) ∧ O(n)
  • Action algebra enriched with a conflict relation to represent incompatible actions
    • a = “increase Internet traffic” and b = “decrease Internet traffic”
    • a #_C b
    • O(a) ∧ O(b) gives an inconsistency


SLIDE 24

More on the Contract Language

CTD and CTP

  • Expressing contrary-to-duty (CTD): O_C(α) = O(α) ∧ [ᾱ]C
  • Expressing contrary-to-prohibition (CTP): F_C(α) = F(α) ∧ [α]C

Example

“[...] the client must immediately lower the Internet traffic to the low level, and pay . If the client does not lower the Internet traffic immediately, then the client will have to pay three times the price”

In CL: (O_C(l) ∧ [l]♦(O(p&p))) where C = ♦O(p&p&p)


SLIDE 25

CL Semantics

  • A first semantics given through a translation into a variant of µ-calculus (Cµ)
  • A Kripke-like modal semantics has been developed recently

Why µ-calculus?

  • µ-calculus is a combination of propositional logic, the action-parameterized modal operator [a], and the fixpoint constructions
  • Expressive: embeds most of the used temporal and process logics
  • Well studied: has a complete axiomatic system and a complete proof system
  • Very efficient algorithms for model checking
  • Mathematically well founded in the results on fixpoints (Tarski, Knaster, Kleene, et al.)
  • The modal variant of µ-calculus is based on actions (labels)


SLIDE 26

CL Semantics

Cµ – A variant of the modal µ-calculus

Definition

The syntax of the Cµ calculus is defined as follows:

ϕ := P | Z | P_c | ⊤ | ¬ϕ | ϕ ∧ ϕ | [γ]ϕ | µZ.ϕ(Z)

Main differences with respect to the classical µ-calculus:

1 P_c is a set of propositional constants O_a and F_a, one for each basic action a. Semantic restriction: ‖F_a‖^T_V ∩ ‖O_a‖^T_V = ∅, ∀a ∈ L (no state is both obliged and forbidden to do a)
2 Multisets of basic actions: i.e. γ = {a, a, b} is a label


SLIDE 29

CL Semantics

A Taste: Obligation

Obligation: f^T(O(a&b)) = ⟨{a, b}⟩(O_a ∧ O_b)

[Figure: a state satisfying O(a&b), with a transition labelled {a, b} to a state where O_a and O_b hold]


SLIDE 33

CL Semantics

Difficulties in the Encoding

  • We would like to have a compositional semantics and preserve the intuitive properties of obligations, permissions and prohibitions
  • Also: get rid of paradoxes!
  • Not easy!
    • Conjunction in dynamic logic is a branching
    • What is the semantics of O(a) ∧ O(b)? It should be defined as O(a) and O(b). How to enforce it?
  • How to enforce some properties?
    • P(αβ) ≡ P(α) ∧ ⟨α⟩P(β)
    • O(a&b) ≡ O(a) ∧ O(b)

Solution

We will add some equivalences and rewriting rules to enforce the above


SLIDE 34

CL Semantics

Pre-processing

Compositional Rules

(1) O(α + β) ≡ O(α) ⊕ O(β)
(2) O(a&b) ≡ O(a) ∧ O(b)
(3) O(αβ) ≡ O(α) ∧ [α]O(β)
(4) P(α + β) ≡ P(α) ⊕ P(β)
(5) P(αβ) ≡ P(α) ∧ ⟨α⟩P(β)
(6) F(αβ) ≡ F(α) ∨ [α]F(β)

  • Some of the above are intended to force “common sense” relationships
  • If we were to define an axiomatic system, we would aim for the above to be axioms or theorems
  • Concurrent actions are compositional only under obligation: there are no similar rules for F and P


SLIDE 35

CL Semantics

Pre-processing

Rewriting Rules for Obligation

(1) O(a) ∧ O(b) → O(a&b)
(2) O(a) ∧ O(a&b) → O(a&b)
(3) O(a) ∧ (O(a) ⊕ O(b)) → O(a)
(4) O(a) ∧ O(a) → O(a)
(5) O(a) ⊕ O(a) → O(a)
(6) O(c) ∧ (O(a) ⊕ O(b)) → (O(c) ∧ O(a)) ⊕ (O(c) ∧ O(b))
(7) (⊕_i O(a_i)) ∧ (⊕_j O(b_j)) → ⊕_{i,j}(O(a_i) ∧ O(b_j)), a_i = b_j

  • Rules (1)-(3): guided by intuition
  • Rules (4)-(5): usual contraction rules
  • Rules (6)-(7): distributivity of conjunction over the exclusive disjunction

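The rewriting rules above, together with the conflict relation #_C from the slide on concurrent actions, as an added Python example (not the lecture's or the authors' code). It assumes a normal form in which an obligation formula is a ⊕ of conjunctive obligations and O(a_1&…&a_n) is the set {a_1, …, a_n}; the conflict pair “inc”/“dec” is constructed from the slide's Internet-traffic example, and the reading of rule (3) as selecting the obliged option out of a choice before distributing is mine.

```python
# Added example (not from the lecture): normalising conjunctions of obligations with
# the rewriting rules of this slide, plus the conflict relation #_C from the slide
# on concurrent actions. Representation (my own): a formula in normal form is an
# exclusive disjunction (⊕) of conjunctive obligations, and O(a1 & ... & an) is the
# frozenset {a1, ..., an}. Set union then implements rules (1), (2) and (4), and a
# set of sets implements rule (5) by construction.

# Constructed conflict relation, after the slide's example: "increase Internet
# traffic" (inc) #_C "decrease Internet traffic" (dec).
CONFLICTS = {frozenset({"inc", "dec"})}


def O(*actions):
    """O(a1&...&an) as a normal-form formula with a single ⊕-disjunct."""
    return frozenset({frozenset(actions)})


def xor(*formulas):
    """Exclusive disjunction of normal-form formulas; O(a) ⊕ O(a) collapses (rule 5)."""
    return frozenset().union(*formulas)


def conj(x, y):
    """Conjunction of two normal-form formulas.

    Rule (3), O(a) ∧ (O(a) ⊕ O(b)) → O(a): an obligation that is itself one of the
    options of a choice selects that option (applied before distributing; my
    reading of the slide). Otherwise rules (6)/(7) distribute ∧ over ⊕ and every
    pairwise conjunction is merged into one concurrent obligation (rules 1, 2, 4).
    """
    if len(x) == 1 and next(iter(x)) in y:
        return x
    if len(y) == 1 and next(iter(y)) in x:
        return y
    return frozenset(dx | dy for dx in x for dy in y)


def conflicting(formula, conflicts=CONFLICTS):
    """The ⊕-disjuncts that oblige two incompatible actions in the same step.

    O(a) ∧ O(b) with a #_C b rewrites to O(a&b) by rule (1), which no single step
    can satisfy: the contract is inconsistent. O(a) ⊕ O(b) is fine, since only
    one of the two has to be done.
    """
    return {d for d in formula if any(pair <= d for pair in conflicts)}


def show(formula):
    """Render a normal-form formula in CL syntax, deterministically ordered."""
    return " ⊕ ".join(sorted("O(" + "&".join(sorted(d)) + ")" for d in formula))


if __name__ == "__main__":
    print(show(conj(O("a"), O("b"))))                      # O(a&b)
    print(show(conj(O("a"), xor(O("a"), O("b")))))         # O(a)
    print(show(conj(O("c"), xor(O("a"), O("b")))))         # O(a&c) ⊕ O(b&c)
    bad = conj(O("inc"), O("dec"))
    print(show(bad), "inconsistent:", bool(conflicting(bad)))
```

Because the normal form is a set of sets, rules (4) and (5) need no code of their own, and the static check the motivation slide asks for (detect contradictions in a contract before it is signed) reduces to running conflicting() over the normalised clauses.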

SLIDE 36

CL Semantics

Definition (The Semantic Encoding)

(1) f^T(O(&_{i=1..n} a_i)) = ⟨{a_1, …, a_n}⟩(⋀_{i=1..n} O_{a_i})
(2) f^T(C_O ⊕ C_O) = f^T(C_O) ∧ f^T(C_O)
(3) f^T(P(&_{i=1..n} a_i)) = ⟨{a_1, …, a_n}⟩(⋀_{i=1..n} ¬F_{a_i})
(4) f^T(C_P ⊕ C_P) = f^T(C_P) ∧ f^T(C_P)
(5) f^T(F(&_{i=1..n} a_i)) = [{a_1, …, a_n}](⋀_{i=1..n} F_{a_i})
(6) f^T(F(δ) ∨ [β]F(δ)) = f^T(F(δ)) ∨ f^T([β]F(δ))
(7) f^T(C_1 ∧ C_2) = f^T(C_1) ∧ f^T(C_2)
(8) f^T(○C) = [any]f^T(C)
(9) f^T(C_1 U C_2) = µZ.f^T(C_2) ∨ (f^T(C_1) ∧ [any]Z ∧ ⟨any⟩⊤)
(10) f^T([&_{i=1..n} a_i]C) = [{a_1, …, a_n}]f^T(C)
(11) f^T([(&_{i=1..n} a_i)α]C) = [{a_1, …, a_n}]f^T([α]C)
(12) f^T([α + β]C) = f^T([α]C) ∧ f^T([β]C)
(13) f^T([ϕ?]C) = f^T(ϕ) ⇒ f^T(C)


SLIDE 37

CL Semantics

Example

f^T(O(&_{i=1..n} a_i)) = ⟨{a_1, …, a_n}⟩(⋀_{i=1..n} O_{a_i})

“The Provider is obliged to provide internet and telephony services (at the same time)”: f^T(O(a&b)) = ⟨{a, b}⟩(O_a ∧ O_b)

f^T(F(&_{i=1..n} a_i)) = [{a_1, …, a_n}](⋀_{i=1..n} F_{a_i})

“It is forbidden to send private information”: f^T(F(a)) = [a]F_a

f^T(P(&_{i=1..n} a_i)) = ⟨{a_1, …, a_n}⟩(⋀_{i=1..n} ¬F_{a_i})

“It is permitted to receive an acknowledgement”: f^T(P(a)) = ⟨a⟩¬F_a


SLIDE 42

CL Semantics

Example

  • Contrary-to-duty (CTD): O_{O(b)}(a) = O(a) ∧ [ā]O(b). Applying the semantic encoding: f^T(O_{O(b)}(a)) = ⟨a⟩O_a ∧ [ā]⟨b⟩O_b
  • Contrary-to-prohibition (CTP): F_{O(b)}(a) = F(a) ∧ [a]O(b). Applying the semantic encoding: f^T(F_{O(b)}(a)) = [a]F_a ∧ [a]⟨b⟩O_b

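The semantic encoding f^T of the definition slide, exercised on the obligation, prohibition and permission examples and on the CTD and CTP clauses just above, as an added Python example (not the lecture's or the authors' tool). The tuple representation of terms, the constructor names and the rendering of a negated action as the label ā are my own assumptions; F over a choice and the ○ and U clauses are deliberately left out.

```python
# Added example (not from the lecture or the authors' tools): the semantic encoding
# f^T from CL into Cµ, following the numbered clauses of the "Semantic Encoding"
# slide and the compositional rules of the "Pre-processing" slide. Terms are plain
# tuples (my own representation) and the Cµ formula is rendered as text. Action
# negation stays symbolic (the label ā), as on the CTD/CTP example. Out of scope
# here (assumption): F over a choice, and the ○ and U clauses.

# --- action terms ----------------------------------------------------------------
def act(*names):
    """Atomic action act("a"), or the concurrent action a&b as act("a", "b").
    Names are kept as a sorted tuple because Cµ labels are multisets ({p, p})."""
    return ("conc", tuple(sorted(names)))

def neg(name):
    """Negation of the atomic action `name`, kept as the symbolic label ā."""
    return ("conc", (name + "\u0305",))

def seq(x, y):   return ("seq", x, y)      # x · y
def plus(x, y):  return ("choice", x, y)   # x + y
def guard(prop): return ("test", prop)     # φ?  (a test acts as a guard)

# --- contract terms --------------------------------------------------------------
def O(a):        return ("O", a)
def P(a):        return ("P", a)
def F(a):        return ("F", a)
def AND(c1, c2): return ("and", c1, c2)
def XOR(c1, c2): return ("xor", c1, c2)
def BOX(a, c):   return ("box", a, c)      # [α]C

def ctd(name, c):
    """Contrary-to-duty O_C(a) = O(a) ∧ [ā]C for an atomic action a."""
    return AND(O(act(name)), BOX(neg(name), c))

def ctp(name, c):
    """Contrary-to-prohibition F_C(a) = F(a) ∧ [a]C for an atomic action a."""
    return AND(F(act(name)), BOX(act(name), c))

def label(names):
    """Cµ label: the single action a, or the multiset {a, b} of a concurrent step."""
    return names[0] if len(names) == 1 else "{" + ", ".join(names) + "}"

def constants(prefix, names):
    """'O_a' for one action, '(O_a ∧ O_b)' for a concurrent step (likewise F_, ¬F_)."""
    parts = [prefix + n for n in names]
    return parts[0] if len(parts) == 1 else "(" + " ∧ ".join(parts) + ")"

def fT(c):
    """Translate a CL clause into a Cµ formula rendered as text."""
    kind = c[0]
    if kind in ("O", "P", "F"):
        a = c[1]
        if a[0] == "conc":                         # clauses (1), (3), (5)
            l = label(a[1])
            if kind == "O": return f"⟨{l}⟩" + constants("O_", a[1])
            if kind == "P": return f"⟨{l}⟩" + constants("¬F_", a[1])
            return f"[{l}]" + constants("F_", a[1])
        if a[0] == "choice":                       # O(α+β) ≡ O(α) ⊕ O(β), same for P
            if kind == "F":
                raise NotImplementedError("F over a choice is not covered on the slide")
            return fT(XOR((kind, a[1]), (kind, a[2])))
        if a[0] == "seq":                          # sequencing rules (first step atomic/concurrent)
            first, rest = a[1], a[2]
            if kind == "O": return fT(AND(O(first), BOX(first, O(rest))))
            if kind == "P": return f"{fT(P(first))} ∧ ⟨{label(first[1])}⟩{fT(P(rest))}"
            return f"({fT(F(first))} ∨ {fT(BOX(first, F(rest)))})"   # via clause (6)
    if kind in ("and", "xor"):                     # clauses (2), (4), (7): both become Cµ ∧
        return f"{fT(c[1])} ∧ {fT(c[2])}"
    if kind == "box":
        a, body = c[1], c[2]
        if a[0] == "conc":                         # clause (10)
            return f"[{label(a[1])}]{fT(body)}"
        if a[0] == "seq" and a[1][0] == "conc":    # clause (11)
            return f"[{label(a[1][1])}]{fT(BOX(a[2], body))}"
        if a[0] == "choice":                       # clause (12)
            return f"{fT(BOX(a[1], body))} ∧ {fT(BOX(a[2], body))}"
        if a[0] == "test":                         # clause (13): the test becomes an implication
            return f"({a[1]} ⇒ {fT(body)})"
    raise ValueError(f"unsupported term: {c!r}")

if __name__ == "__main__":
    examples = {
        "O(a&b)":          O(act("a", "b")),
        "F(a)":            F(act("a")),
        "P(a)":            P(act("a")),
        "CTD O_{O(b)}(a)": ctd("a", O(act("b"))),
        "CTP F_{O(b)}(a)": ctp("a", O(act("b"))),
        "O(a + b)":        O(plus(act("a"), act("b"))),
        "[late?]O(p&p)":   BOX(guard("late"), O(act("p", "p"))),
    }
    for name, clause in examples.items():
        print(f"{name:18} → {fT(clause)}")
```

The O(a + b) case goes through the compositional rule O(α + β) ≡ O(α) ⊕ O(β) and clause (2), producing ⟨a⟩O_a ∧ ⟨b⟩O_b: both options are translated as a conjunction of diamonds rather than a disjunction, which is what makes O(a) stronger than, not equivalent to, O(a + b) in the encoding.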

SLIDE 43

Plan

1 The Contract Language CL
2 Properties of the Language


SLIDE 44

Properties of the contract language

Theorem

The following paradoxes are avoided in CL:

  • Ross’s paradox
  • The Free Choice Permission paradox
  • Sartre’s dilemma
  • The Good Samaritan paradox
  • Chisholm’s paradox
  • The Gentle Murderer paradox


SLIDE 47

Ross’s paradox

1 It is obligatory that one mails the letter
2 It is obligatory that one mails the letter or one destroys the letter

In Standard Deontic Logic (SDL) these are expressed as:

1 O(p)
2 O(p ∨ q)

Problem

In SDL one can infer that O(p) ⇒ O(p ∨ q)

Avoided in CL

Proof sketch:
f^T(O(a)) = ⟨a⟩O_a
O(a + b) ≡ O(a) ⊕ O(b), so f^T(O(a + b)) = ⟨a⟩O_a ∧ ⟨b⟩O_b
⟨a⟩O_a ⇏ ⟨a⟩O_a ∧ ⟨b⟩O_b, i.e. O(a) does not entail O(a + b)


SLIDE 48

Chisholm’s Paradox

1 John ought to go to the party.
2 If John goes to the party then he ought to tell them he is coming.
3 If John does not go to the party then he ought not to tell them he is coming.
4 John does not go to the party.

In Standard Deontic Logic (SDL) these are expressed as:

1 O(p)
2 O(p ⇒ q)
3 ¬p ⇒ O(¬q)
4 ¬p

Problem

The problem is that in SDL one can infer O(q) ∧ O(¬q) (due to 2)


SLIDE 50

Chisholm’s Paradox (cont.)

Avoided in CL

Expressed in CL as:

1 O(a)
2 [a]O(b)
3 [ā]O(b̄)

(1) and (3) give the CTD formula O_ϕ(a) of CL, where ϕ = O(b̄)

In CL, O(b) and O(b̄) cannot hold in the same world: O(b) holds only after doing action a, whereas O(b̄) holds only after doing the contradictory action ā


SLIDE 51

Properties of the contract language (II)

Theorem

The following hold in CL:

  • P(α) ≡ ¬F(α)
  • O(α) ⇒ P(α)
  • P(a) ⇒ P(a&b)
  • F(a) ⇒ F(a&b)
  • F(a&b) ⇒ F(a)
  • P(a&b) ⇒ P(a)


SLIDE 53

Final Remarks

We have seen...

  • CL: A formal language to write contracts
  • The formal semantics given through an encoding into a µ-calculus variant
  • It avoids the most important paradoxes of deontic logic
  • Does not address all the issues of the ’ideal’ language presented in the last lecture

Next lecture

We will see how to model check contracts written in CL


SLIDE 54

Further Reading

  • C. Prisacariu and G. Schneider. A formal language for electronic contracts. In FMOODS’07, vol. 4468 of LNCS, pp. 174-189, 2007
