
The KBP formalism

In document Arrows for knowledge based circuits (Page 173-178)

We presented several knowledge-based programs in Chapter 6, and here review the formalism itself. As we have presented it, KBPs are a programming formalism where guards are allowed to contain explicit tests for knowledge. This is something of a pleasant combination as we can conveniently use programming constructs such as sequential composition and datatypes rather than having to encode them into a logic, and knowledge operators are useful for making inferences about state that agents cannot directly observe.

This formalism is a stylised subset of the full synthesis task (van der Meyden and Vardi 1998) where the behaviour of the agents is specified using linear temporal logic (LTL) augmented with epistemic modalities. This task is computationally intractable even when restricted to the LTL sub-language (Pnueli and Rosner 1989). We might argue that pure logic is not an ideal starting point for synthesis as it lacks the programming constructs that even specifications require, which can lead to the specification being less comprehensible than the implementation. Moreover one must somehow indicate the system architecture to such tools to avoid it producing trivial centralised solutions (Wolper 1998). We contend that the KBP formalism sketched here is a decent compromise: we specify the system architecture and automatically analyse the information flow between the components. The automation helps greatly with exploring the epistemic properties of the system being designed.

As we discussed in §6.4.2, the KBP formalism might usefully be extended with temporal operators, with the aspiration that constructing implementations remains possible. We showed there that the existing approach is easily extended with past-time operators if these are used in a suitably restricted way. The full combination requires adding propositions to the state, which can be done as a pre-processing step; the algorithm does not require adjustment.

Much more difficult is to add future-time operators as these would require a consideration of infinitary behaviour that is beyond the inductive construction presented here. A promising direction for future research is to integrate the recent work of Piterman, Pnueli, and Sa'ar (2006) (etc.) for sub-languages of LTL into a KBP formalism.

A limitation of the KBP formalism we use here is that we need to specify exactly what actions to perform. For this reason we cannot give an interesting treatment of the bit transmission problem following Halpern and Zuck (1992); while they do present synchronous implementations of their KBP, such as the AUY protocols (Aho, Ullman, and Yannakakis 1979), the relation between specification and implementation involves action refinement, where an action in the KBP is realised as several steps in the implementation. It is beyond the reach of our tool to perform this step automatically, and we found that the specification is far too concrete if we perform it manually.

We conclude with some suggestions for future application domains. Distributed protocols for termination, garbage collection and mutual exclusion all rely on agents reasoning about incompletely observed state, as does the scheme for matching hardware bus protocols proposed by Avnit, D'Silva, Sowmya, Ramesh, and Parameswaran (2009). The synthesis of fault-tolerant discrete controllers may benefit from a treatment of unobservable state offered by an epistemic formalism (Attie, Arora, and Emerson 2004; Girault and Rutten 2009). Wireless networks are a setting where computation is far cheaper than communication, so making maximal use of information is important; the perfect-recall semantics may prove useful here. Vasudevan, DeCleene, Immerman, Kurose, and Towsley (2003) develop a leadership election protocol for such networks, starting with a synchronous design that is mapped to an asynchronous implementation. KBPs may prove useful in the first of these steps, as we suggested in §1.1.

Model Checking Knowledge and Linear Time: PSPACE Cases

With Kai Engelhardt and Ron van der Meyden, I showed some complexity results for the related problem of model checking systems using linear temporal logic and knowledge (Engelhardt et al. 2007). It provides another example of using simulations to reduce the redundancy in Kripke structures along the lines of Chapter 3. I contributed to the proofs of the results in §§A.4-A.6.

This appendix contains the paper as published with complete proofs in line.

Abstract. We present a general algorithm scheme for model checking logics of knowledge, common knowledge and linear time, based on bisimulations to a class of structures that capture the way that agents update their knowledge. We show that the scheme leads to PSPACE implementations of model checking the logic of knowledge and linear time in several special cases: perfect recall systems with a single agent or in which all communication is by synchronous broadcast, and systems in which knowledge is interpreted using either the agents' current observation only or its current observation and clock value. In all these results, common knowledge operators may be included in the language. Matching lower bounds are provided, and it is shown that although the complexity bound matches the PSPACE complexity of the linear time temporal logic LTL, as a function of the model size the problems considered have a higher complexity than LTL.

A.1 Introduction

The logic of knowledge (Fagin et al. 1995) has been proposed as a formalism to express information theoretic properties in distributed and multi-agent systems, and has been shown to be useful for the analysis of distributed systems protocols (Halpern and Moses 1990), information flow security properties (Halpern and O'Neill 2003; Syverson 1992; van der Meyden and Su 2004), as well as for problems such as diagnosis and recoverability (Cimatti, Pecheur, and Cavada 2003; Cimatti, Pecheur, and Lomuscio 2005).

The semantics for knowledge operators can be defined in a variety of ways, depending on what information agents use when computing what they know. At one extreme (the “observational semantics”) agents rely only on their current observation, at the other (the “synchronous perfect recall semantics”) agents rely on the log of all their past observations. In between lies a “clock semantics” in which agents rely on their current observation plus a clock value. These semantics have different motivations: the perfect recall semantics is most appropriate for security analyses and derivation of protocols that make optimal use of information; the other semantics are closer to system implementations.
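As an added illustration (not from the thesis or the paper), the three semantics above evaluated over a small constructed set of synchronous runs. The `RUNS` table, the encoding of a global state as `(secret_bit, agent_observation)`, and the proposition "the secret is 0" are assumptions made for this example; it shows that the same point can be known under perfect recall but not under the clock semantics, and under the clock semantics but not under the observational one.

```python
"""K p under the observational, clock and synchronous perfect-recall semantics,
computed by brute force over a constructed finite set of synchronous runs."""

# Constructed sample system: each run is a list of global states
# (secret_bit, agent_obs). The agent sees only agent_obs; the secret bit is
# the unobservable part of the environment state.
RUNS = {
    "r0": [(0, "a"), (0, "b"), (0, "c")],
    "r1": [(1, "a"), (1, "a"), (1, "c")],
    "r2": [(1, "b"), (1, "a"), (1, "d")],
}

SEMANTICS = ("observational", "clock", "perfect_recall")

def points(runs):
    """All (run, time) points of the system."""
    return [(r, t) for r, states in runs.items() for t in range(len(states))]

def local_state(runs, point, semantics):
    """The information the agent uses at `point` under the given semantics."""
    r, t = point
    obs = [o for _, o in runs[r][: t + 1]]
    if semantics == "observational":
        return obs[-1]            # current observation only
    if semantics == "clock":
        return (t, obs[-1])       # current observation plus clock value
    if semantics == "perfect_recall":
        return tuple(obs)         # the log of all observations so far
    raise ValueError(semantics)

def knows(runs, point, prop, semantics):
    """K p holds at `point` iff p holds at every point the agent cannot
    distinguish from it, i.e. every point with the same local state."""
    mine = local_state(runs, point, semantics)
    return all(prop(runs[r][t]) for (r, t) in points(runs)
               if local_state(runs, (r, t), semantics) == mine)

def secret_is_zero(state):
    return state[0] == 0

def knowledge_table(runs=RUNS, run="r0"):
    """For each time of `run`, the semantics under which the agent knows
    that the secret is 0."""
    return {t: [s for s in SEMANTICS if knows(runs, (run, t), secret_is_zero, s)]
            for t in range(len(runs[run]))}

if __name__ == "__main__":
    for t, sems in knowledge_table().items():
        print(f"t={t}: secret=0 known under {sems or 'no semantics'}")
```

On run `r0`, nothing is known at time 0; at time 1 the observation `b` is ambiguous on its own (it also occurs at time 0 of `r2`) but the clock resolves it; at time 2 only the full history `a, b, c` distinguishes `r0` from `r1`.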

A number of model checkers for the logic of knowledge have been recently developed, which embody different choices of semantics for the knowledge operators and different types of expressiveness for the temporal dynamics. MCMAS (Lomuscio and Raimondi 2006b) deals with the observational interpretation of knowledge and the branching time logic CTL. DEMO (van Eijck 2007) deals with the dynamic logic based “update logic” (Baltag and Moss 2004), which handles what is in effect the perfect recall semantics for knowledge. The system MCK (Gammie and van der Meyden 2004) covers a broad spectrum of definitions of knowledge (observational, clock, perfect recall), as well as dealing with both linear time and branching time temporal logic.

Where they deal with the perfect recall semantics for knowledge, these systems place severe constraints on the interaction between knowledge and temporal operators, for reasons of inherent complexity. The complexity of model checking the combination of the linear time temporal logic LTL with knowledge operators interpreted according to the perfect recall semantics has been studied by van der Meyden and Shilov (van der Meyden and Shilov 1999), who show that this problem is decidable but with a non-elementary lower bound, and undecidable when operators for common knowledge (a type of fixed point over knowledge operators) are added to the language. (Shilov et al. (Shilov and Garanina 2002, 2006; Shilov, Garanina, and Choe 2006) have also studied branching time versions of these results.)

However, as we show in this paper, this general result does not preclude the existence of special cases in which this model checking problem has lower complexity, even when common knowledge operators are included in the language. We identify a number of cases where the problem (including common knowledge) is solvable in PSPACE. These include systems with a single agent (discussed in Section A.5.1) and systems in which all communication is by synchronous broadcast (treated in Section A.5.2). The result concerning a single agent improves the nonelementary upper bound for the single agent case obtained from the algorithm of van der Meyden and Shilov.

Our approach to the proof of these results is by means of a general algorithm scheme (presented in Section A.4) that relies upon the existence of a bisimulation from the (in effect, infinite) systems being checked to a finite structure that represents the way that agents update their knowledge in the system. In addition to the results about the perfect recall semantics, we show that this scheme can be used to obtain PSPACE complexity results for model checking the logic of knowledge and linear time for other interpretations for knowledge: in particular, we show that this complexity bound applies in the case of both the clock semantics and the observational semantics (see Section A.6).

As the complexity of model checking the linear time temporal logic LTL alone is already PSPACE-complete, it may seem from these results that the extra expressiveness of the logic of knowledge in these cases comes at no extra cost. In fact, we show that there is a sense in which these model checking problems are harder than model checking LTL alone, by focussing on the complexity of model checking a fixed formula as a function of the size of the model. For LTL, this "model complexity" is linear-time for each formula (Lichtenstein and Pnueli 1985). We show that the model complexity can be as high as PSPACE-complete once the formula includes knowledge operators.
