5.5.4 Algorithm for the classification of actions

In this section we present an algorithm, in Procedure 5.5.1, that implements a secrecy reasoner as defined in Definition 5.5.11. That is, it implements a function $sr : \mathcal{P}_{fin}(Act) \times \mathcal{L}_{ES} \to Cl$, parameterized with a family $(\Xi, \sqsubseteq_{bel})$ of belief operators with credulity order, that takes as input a finite subset $Act'_{inf}$ of $Act_{inf}$ and an epistemic state $K$ and outputs a classification $cl$ of $Act'_{inf}$.

The main idea of the algorithm is to keep track of all not yet classified actions, denoted by unclass, while it iteratively assigns the currently considered (classification) rank to the actions of the input set of actions $Act'_{inf}$. To this end, starting with a classification rank of 0, all actions for which there is no reason not to classify them with the current rank are assigned the current rank as their classification. Intuitively, a reason not to classify an action $a$ with the current rank is given if more secrets are potentially violated in combination after $a$ than after another unclassified action $b$ (Principle I.1), or if another unclassified action $b'$ has a lesser degree of violation than $a$ without being in a conflict with $a$ (Principle I.2).

In addition to the definitions already introduced, the algorithm makes use of auxiliary sets to test the preconditions of Principle I.2, which we define in the following. For a given epistemic state $K$ the algorithm determines the set of equivalence classes with respect to the equivalence relation $\sim$ defined in (5.5.12) for an inspected set of actions $A$; this set is denoted by $A/{\sim}$. By definition, only pairs taken from the same equivalence class can satisfy the precondition of Principle I.2. Further, the algorithm has to be able to test conflict freeness of a pair of actions $a, b$ with $a \sqsubseteq_{vio} b$. For this, all (maximal) conflict sets $conflictSets(A, K)$ are computed for a given equivalence class $A$. Formally:

$$conflictSets(A, K) = \max_{\subseteq}\{A' \subseteq A \mid \text{for all } a, b \in A', a \neq b, \text{ there exist } a_1, \dots, a_n \in A' \text{ such that } a_1 = a,\ a_n = b \text{ and for all } i \in \{1, \dots, n-1\}: a_i \sqsubseteq_{vio} a_{i+1}\}$$

Note that for any pair of actions $\{a, b\} \subseteq A'$ with $A' \in conflictSets(A, K)$ for some $A$ and $K$ and with $a \sqsubseteq_{vio} b$, the condition "conflict free" of Principle I.2 is violated.

Lemma 5.5.13. Given some set of actions $A$ and an epistemic state $K$. The set $conflictSets(A, K)$ is a partition of $A$, i.e.

1. $\bigcup conflictSets(A, K) = A$ and

2. for all $CS, CS' \in conflictSets(A, K)$ with $CS \neq CS'$ it holds that $CS \cap CS' = \emptyset$.

Proof. See Appendix A.1.3, Page 247.

The algorithm presented in Procedure 5.5.1 consists of two nested repeat-until loops. The outer one determines in each execution the set of not yet classified actions for which Principle I.1 does not give a reason not to classify them with the currently considered classification rank. The inner one determines in each execution the set of actions, out of the actions selected by the outer loop, for which Principle I.2 does not give a reason not to classify them with the currently considered classification rank, and classifies them.

Procedure 5.5.1 Secrecy Reasoner
Input: Act'_inf, K, (Ξ, ⊑bel)
Output: Array cl of classification ranks for actions a ∈ Act'_inf

1:  unclass := Act'_inf
2:  for each a ∈ Act'_inf do
3:    cl[a] := 0
4:  end for
5:  repeat
6:    best := {a ∈ unclass | there is no b ∈ unclass such that vioAfter(K, a) ⊐ vioAfter(K, b)}
7:    eqbest := best/∼
8:    for each A ∈ eqbest do
9:      rank[A] := max{cl[a] | a ∈ Act'_inf ∖ unclass and there is b ∈ A such that vioAfter(K, b) ⊐ vioAfter(K, a)} + 1   (*)
10:   end for
11:   for each A ∈ eqbest do
12:     conflictSets := conflictSets(A, K)
13:     repeat
14:       classSets := ∅
15:       for each CS ∈ conflictSets do
16:         if there is no CS' ∈ conflictSets with CS' ≠ CS such that a' ∈ CS' and a ∈ CS exist with a' ⊑vio a then
17:           cl[a] := rank[A] for all a ∈ CS
18:           classSets := classSets ∪ {CS}
19:         end if
20:       end for
21:       conflictSets := conflictSets ∖ classSets
22:       rank[A] := rank[A] + 1
23:     until conflictSets = ∅
24:   end for
25:   unclass := unclass ∖ best
26: until unclass = ∅

(*) We define max(∅) := −1, which is needed in the first iteration only.

The outer loop first determines the subset best of the currently unclassified actions whose effects, concerning combinations of potentially violated secrets, are not worse than the effects of any other unclassified action (Principle I.1). Then it constructs the auxiliary sets needed to check the precondition of Principle I.2. In particular, it creates a partitioning eqbest of the set best consisting of the equivalence classes with respect to ∼. Then an array rank[] is created that holds for each equivalence class A ∈ eqbest its currently considered classification rank. Each rank[A] is initialized in Line 9 to the minimal classification rank for which Principle I.1 does not give a reason to classify any action of A higher than any action that is already classified, that is, one more than the highest rank of an already classified action that some action of A is worse than. In the for-loop from Line 11 to Line 24 each current equivalence class A is first partitioned into its conflict sets.

The for-loop from Line 15 to Line 20 determines all actions of the current equivalence class for which no other action in the same equivalence class exists such that the pair satisfies the precondition of Principle I.2. This is done by comparing conflict sets and classifying either all elements of a conflict set or none of them; in this way all elements of a conflict set receive the same classification rank. The classified conflict sets of the currently considered equivalence class are collected in classSets and removed from the current set of conflict sets in Line 21, after the for-loop over all conflict sets has terminated.

Once all conflict sets of the current equivalence class are classified, the condition in Line 23 is true and the inner repeat-until loop terminates. After the for-loop over all equivalence classes (Lines 11 to 24) has finished, all actions in best are classified, and they are removed from the set of unclassified actions in Line 25. If all input actions are classified, the condition in Line 26 is true and the algorithm terminates.

Example 5.5.14. We consider the execution of Procedure 5.5.1 for the running example, continuing Example 5.5.10.

Iteration 1:

Initially we have unclass := {a1, a2, a3} in Line 1. As shown in Example 5.5.6 it holds that

vioAfter(K_D, a1) = vioAfter(K_D, a2) and vioAfter(K_D, a1) ⊐ vioAfter(K_D, a3),

such that best := {a3} and therefore also eqbest = {{a3}}. Since Act'_inf ∖ unclass = ∅, Line 9 yields rank[A] = max(∅) + 1 = 0 for all A. In Line 12 we get conflictSets = {{a3}}. The conflict set {a3} trivially satisfies the condition in Line 16, such that cl[a3] := 0. Then {a3} is removed from conflictSets such that conflictSets = ∅. In Line 22 rank[{a3}] := 1, which does not have any effect in this special case, and the inner repeat-until loop terminates. In Line 25 unclass := {a1, a2}.

Iteration 2:

For the second execution of the outer repeat-until loop unclass = {a1, a2}. Since

vioAfter(K_D, a1) = vioAfter(K_D, a2)

it follows that best := {a1, a2} and eqbest = {{a1, a2}}. Then, in Line 9 we get rank[{a1, a2}] := cl[a3] + 1 = 1, because the actions of {a1, a2} are worse than the already classified action a3.

We already showed in Example 5.5.10 that a2 ⊑vio a1 holds and that a1 ⊑vio a2 does not hold. This means that a1 and a2 are not in a cyclic dependency, so they are in different conflict sets. Therefore conflictSets = {{a1}, {a2}} in Line 12. The condition in Line 16 is satisfied for {a2} but not for {a1}, such that action a2 is classified with cl[a2] := 1 in Line 17. The set {a2} is added to classSets in Line 18, and the set classSets is removed from conflictSets in Line 21. Hence, conflictSets := {{a1}} in Line 21. In Line 22 the currently considered rank is increased such that rank[{a1, a2}] := 2.

The next execution of the inner repeat-until loop begins. The only remaining conflict set {a1} trivially satisfies the condition of Line 16, such that cl[a1] := 2 and conflictSets := ∅ in Line 21. The inner repeat-until loop terminates. In Line 25 unclass := ∅, so that the outer repeat-until loop and thus the algorithm terminates. The output classification is cl[a3] = 0, cl[a2] = 1, cl[a1] = 2.
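The following Python model of Procedure 5.5.1, together with the conflictSets computation of Lemma 5.5.13, is an added example and not code from the thesis. It fixes a concrete encoding that the page leaves abstract, and every such choice is an assumption: vioAfter(K, a) is a set of frozensets (combinations of secrets that may be violated together after a); the comparison ⊐ of Lines 6 and 9 is strict superset; the equivalence ∼ of (5.5.12) is given as an explicit list of classes; and ⊑vio is given as a set of ordered pairs (x, y) read as "x has a lesser degree of violation than y". The constructed input reproduces the shape of Example 5.5.14 (a1 and a2 equally bad and worse than a3, a1 ∼ a2, a2 ⊑vio a1 but not a1 ⊑vio a2); the secret names and combinations are made up. Conflict sets are computed as the strongly connected components of the ⊑vio graph restricted to the equivalence class, which are exactly the maximal subsets in which any two actions are joined by a ⊑vio chain.

```python
"""Executable model of Procedure 5.5.1 (added example; encoding choices are assumptions)."""
from itertools import product

# Constructed instance shaped like Example 5.5.14 (not the thesis' actual data):
# a1 and a2 violate the same combinations, both strictly more than a3.
VIO_AFTER = {
    "a1": {frozenset({"s1"}), frozenset({"s2"}), frozenset({"s1", "s2"})},
    "a2": {frozenset({"s1"}), frozenset({"s2"}), frozenset({"s1", "s2"})},
    "a3": {frozenset({"s1"})},
}
EQUIV = [{"a1", "a2"}, {"a3"}]      # assumed classes of the equivalence ~ of (5.5.12)
VIO_LEQ = {("a2", "a1")}            # assumed: a2 has a lesser degree of violation than a1


def worse(x, y):
    """vioAfter(K, a) ⊐ vioAfter(K, b), assumed to mean proper superset of combinations."""
    return x > y


def quotient(actions, equiv):
    """actions/~: intersect each ~-class with actions; uncovered actions form singletons."""
    blocks = [set(c) & actions for c in equiv]
    covered = set().union(*blocks)
    blocks += [{a} for a in actions - covered]
    return [b for b in blocks if b]


def conflict_sets(A, vio_leq):
    """conflictSets(A, K): maximal A' ⊆ A whose members are pairwise joined by a
    ⊑vio-chain inside A', i.e. the strongly connected components of ⊑vio on A.
    By Lemma 5.5.13 the result partitions A."""
    A = set(A)
    reach = {a: {a} for a in A}                  # transitive closure by fixpoint iteration
    changed = True
    while changed:
        changed = False
        for x, y in vio_leq:
            if x in A and y in A and not reach[y] <= reach[x]:
                reach[x] |= reach[y]
                changed = True
    comps, seen = [], set()
    for a in sorted(A):
        if a in seen:
            continue
        comp = frozenset(b for b in A if b in reach[a] and a in reach[b])
        seen |= comp
        comps.append(comp)
    return comps


def secrecy_reasoner(actions, vio_after, equiv, vio_leq):
    """Return the classification cl (lower rank = preferred with respect to secrecy)."""
    actions = set(actions)
    unclass = set(actions)                                   # Line 1
    cl = {a: 0 for a in actions}                             # Lines 2-4
    while unclass:                                           # Lines 5-26
        # Line 6 (Principle I.1): keep actions that are not strictly worse than another one
        best = {a for a in unclass
                if not any(worse(vio_after[a], vio_after[b]) for b in unclass)}
        if not best:
            raise ValueError("worse() must be a strict partial order for best to be non-empty")
        eqbest = quotient(best, equiv)                       # Line 7
        rank = {}
        for A in eqbest:                                     # Lines 8-10
            below = [cl[a] for a in actions - unclass
                     if any(worse(vio_after[b], vio_after[a]) for b in A)]
            rank[frozenset(A)] = (max(below) if below else -1) + 1   # (*) max(∅) = -1
        for A in eqbest:                                     # Lines 11-24
            key = frozenset(A)
            css = conflict_sets(A, vio_leq)                  # Line 12
            while css:                                       # Lines 13-23
                class_sets = []
                for cs in css:                               # Lines 15-20
                    # Line 16 (Principle I.2): blocked if some action of another
                    # conflict set has a lesser degree of violation than one of ours
                    blocked = any((ap, a) in vio_leq
                                  for other in css if other != cs
                                  for ap, a in product(other, cs))
                    if not blocked:
                        for a in cs:
                            cl[a] = rank[key]                # Line 17
                        class_sets.append(cs)                # Line 18
                if not class_sets:
                    raise RuntimeError("no unblocked conflict set; impossible for SCCs")
                css = [cs for cs in css if cs not in class_sets]   # Line 21
                rank[key] += 1                               # Line 22
        unclass -= best                                      # Line 25
    return cl


if __name__ == "__main__":
    print(secrecy_reasoner(VIO_AFTER.keys(), VIO_AFTER, EQUIV, VIO_LEQ))
```

Running it yields cl[a3] = 0, cl[a2] = 1, cl[a1] = 2, the classification traced in Example 5.5.14. Replacing VIO_LEQ by the cyclic relation {(a1, a2), (a2, a1)} puts a1 and a2 into one conflict set, so Principle I.2 gives no reason to separate them and both receive rank 1; this is the conflict-freeness caveat of Line 16 in action. The two raise statements guard against inputs outside the page's assumptions (a non-strict "worse" relation, or a conflict-set computation that is not a partition); for strongly connected components they never fire, which is what Proposition 5.5.15 asserts for the original procedure.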

We can show that the proposed algorithm terminates with a complete classification.

Proposition 5.5.15. If for all elementary operations of Procedure 5.5.1 algorithms that always terminate are given, then the algorithm always terminates and returns a complete classification.

Proof. See Appendix A.1.3, Page 247.

Further, we can show that the secrecy reasoner implemented by our proposed algorithm satisfies the Principles I.1, I.2 and II, and thereby also Principles III and IV.

Proposition 5.5.16. Procedure 5.5.1 satisfies the Principles I.1, I.2 and II, as given in Definition 5.5.11.

Proof. See Appendix A.1.3, Page 250.

In this and the previous two sections we developed declarative principles and an algorithm for the classification of actions with respect to secrecy under incomplete information. This way, we can generate a preference relation on actions with respect to secrecy, which is then used in combination with other preference relations that express the preferences on actions with respect to, e.g., the utility with respect to the current goal of the agent. If the aggregation function of the preference relations is the lexicographic one we used before, then the agent violates secrecy only as little as possible from its perspective. Other aggregation operators might enable the agent to weigh the violation of secrecy of an action against its utility with respect to other goals, such that it decides to violate secrets.

In the next section we develop secrecy aware agents based on the BDI model we developed in Section 3.5. The resulting agents then make use of the results of this and the previous two sections.