5.4 Characterization of Secrecy Preserving Agents
5.4.3 Reducing Look-ahead to Local Properties
5.4.3.1 Query-answer Protocol
We start with a simple query-answer protocol in which in each round A poses a question to D, who then responds with an answer to it. D's only available actions are to answer each question with one of the defined answer values. From the point of view of agent theory this scenario seems to be very restricted: the defending agent is only reacting to questions posed to it. From the point of view of secrecy, however, this is already a complex task. It is the typical protocol in database theory, in which secrecy has been studied intensively, see, e. g., [46, 38, 32].
For our consideration of D as an epistemic agent this scenario is modeled by restricting the possible percepts and actions of D. The set of possible percepts of D is:
Per_QA = {⟨A, D, query, ⟩ |  ∈ L_Base}.
And the set of possible actions of D is:
Act_QA = {⟨D, A, answer, ⟩ |  ∈ L_Base}.
The protocol used on the basis of these actions and percepts is that a requesting speech act ⟨A, D, query, ⟩ requests an answer of the form ⟨D, A, answer, ′⟩, with ′ representing an evaluation of the queried formula. We also indicate that a formula represents a formula with undetermined truth value by a hat, ˆ. Formally it is ′ ∈ evals(ˆ), whereby evals(ˆ) is to be specified. In the following we consider evals_bool(ˆ) = { , ¬ }, representing the two truth values true and false. These possible answers correspond to the setting of a complete database [46]. For incomplete databases a third answer value exists which expresses undecidedness with respect to the queried formula and is expressed by the value unknown.
From the game theoretic perspective, this setting gives the attacker A the possibility to ask a sequence of queries, and D has to answer with an evaluation of the respective formula. If there is no combination of answers to a sequence of queries such that the resulting epistemic state of D is safe, then A has a winning strategy, and D is in a hopeless situation. A secrecy preserving agent D has to make sure that none of its actions leads to this situation.
In the database setting an important result with respect to the inference problem is the following. It has been shown that, roughly speaking, if the attacker knows which are the potentially secret formulae of the defender, and that the disjunction of all of these holds, and the defender is only allowed to answer yes or no to a question, then the defender is in a hopeless situation [46]. More precisely, it has been shown that the defender is in a hopeless situation if and only if these conditions hold. Intuitively this is the case since, if the attacker knows the potential secrets of the defender and if it knows that the disjunction of all these secret formulae holds, then it can query all secret formulae in a sequence. The defending agent has to reply yes or no and is not allowed to violate consistency, which is impossible without violating secrecy if the attacker knows that the disjunction of all secrets holds. Consequently, to protect secrecy, the disjunction of secrets has to be protected. If we transfer the restrictions of the database setup to our model, we can show that the same result holds for the resulting setting. To model the query-answer protocol as it is given in the database scenario [46] we define a setting on the basis of a set of restrictions to the epistemic states and functional components.
Definition 5.4.13. We define the query-answer setting T_QA as the setting that comprises secrecy agent states and corresponding percepts, actions and belief operators that satisfy the following conditions:
1. All languages are instantiated by the standard propositional language: L_W = L_V = L_BS = L_Base = L_propAt
2. The belief operator family (Ξ, bel) consists only of the propositional consequence operator:
Ξ = {Cn_prop} and bel = (Cn_prop, Cn_prop)
a) queries do not have any effect: For all ⟨A, D, query, ⟩ ∈ Per_QA it is
t_V(⟨A, D, query, ⟩) = ∅
b) answers are assumed to carry only their logical content as information: For all ⟨D, A, answer, ⟩ ∈ Act_QA it is
t_V(⟨D, A, answer, ⟩) = { }.
4. The inner revision operator ∗_LV is a propositional belief base change operator that satisfies Inclusion and Vacuity, as defined in Section 2.5.
5. D only answers queries for a formula with either the formula itself or its negation: For all K ∈ L_ES and ⟨A, D, query, ⟩ ∈ Per_QA it holds that
act(K ⟨A, D, query, ⟩) ∈ {⟨D, A, answer, ⟩, ⟨D, A, answer, ¬ ⟩}
6. D does not give answers that lead to the violation of consistency of the view on A:
For all K ∈ L_ES and all p ∈ Per_QA it holds that
V_A(K a act(K p)) is consistent.
In the database setting it is usually the case that secrets are static. Here this follows for our considered setting from the fact that the queries of the attacker do not lead to the violation of secrets of the defender. This is shown by the following lemma.
Lemma 5.4.14. For each initial agent state (K0, ξ) ∈ T_QA it holds for all K ∈ Ω_ξ(K0, Per_QA) that S(K) = S(K0).
Proof. See Appendix A.1.3, Page 240.
For the setting T_QA we can now show that A has a winning strategy exactly if it believes the disjunction of all secret formulae. We use the following notation for the set of secret formulae:
F(S(K)) =def { | ( , Bel, A) ∈ S(K)}.
Remember that we assumed all secrets to be active.
Proposition 5.4.15. For each initial agent state (K0, ξ) ∈ T_QA it holds for all K ∈ Ω_ξ(K0, Per_QA) that K is not sound wrt. (L_ES, K, Per_QA, Act_QA, , a) if and only if
(⋁_{ ∈ F(S(K))} ) ∈ Bel(V_A(K)).
Proof. See Appendix A.1.3, Page 240.
This result is very important for the defined scenario since it reduces the computation of winning strategies of attackers to the evaluation of a logical formula.
Example 5.4.16. Suppose that Beatriz knows that if Emma wants to take a day off, then she wants to either attend a strike committee meeting or she has a job interview with another company. Both cases are secrets of Emma. Further suppose that Beatriz asks Emma if she wants to take a day off, and Emma is only allowed to answer yes or no to questions.
If Emma answers yes, then she cannot answer the questions whether she intends to attend a strike committee meeting and whether she intends to go to a job interview without violating one of her secrets or contradicting the beliefs of Beatriz. Therefore, the only way for Emma to preserve secrecy is to answer no to the first question, hereby avoiding that Beatriz believes the disjunction of the two secret formulae. This way, however, Emma cannot satisfy her goal of getting the day of the strike committee meeting off. It is clear that she has to violate one of her secrets in order to satisfy her goal. }
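The following Python program is an added illustration, written for this edit and not part of the thesis, of the query-answer setting T_QA of Definition 5.4.13 and of the criterion of Proposition 5.4.15, instantiated with Example 5.4.16. It assumes the propositional atoms dayoff, strike and interview (my own naming) and models the attacker's view V_A(K) as a propositional belief base closed under Cn_prop, which is checked by enumerating truth assignments; the function names are likewise my own. The game search only uses the conditions of the definition: D must answer a query with the formula or its negation (condition 5), the answer's logical content is added to the view (condition 3b), and D loses as soon as the view becomes inconsistent (condition 6) or entails a secret.

```python
"""Brute-force model of the query-answer setting T_QA (constructed example,
not the thesis's own code).  Formulas are nested tuples over atoms; the
attacker's view is a list of formulas, consequence is checked by models."""
from itertools import product


def var(name):  return ('var', name)
def neg(f):     return ('not', f)
def disj(f, g): return ('or', f, g)
def imp(f, g):  return ('imp', f, g)


def atoms(f):
    """Set of propositional atoms occurring in a formula."""
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(atoms(sub) for sub in f[1:]))


def evaluate(f, assignment):
    """Truth value of f under a total assignment of its atoms."""
    op = f[0]
    if op == 'var':
        return assignment[f[1]]
    if op == 'not':
        return not evaluate(f[1], assignment)
    if op == 'or':
        return evaluate(f[1], assignment) or evaluate(f[2], assignment)
    if op == 'imp':
        return (not evaluate(f[1], assignment)) or evaluate(f[2], assignment)
    raise ValueError(op)


def models(base, extra_atoms=()):
    """All assignments over the atoms of base (and extra_atoms) satisfying base."""
    names = sorted(set(extra_atoms).union(*(atoms(f) for f in base)))
    for values in product((False, True), repeat=len(names)):
        a = dict(zip(names, values))
        if all(evaluate(f, a) for f in base):
            yield a


def consistent(base):
    return any(True for _ in models(base))


def entails(base, f):
    """f is in Cn_prop(base) iff every model of base satisfies f."""
    return all(evaluate(f, a) for a in models(base, atoms(f)))


def secret_violated(view, secrets):
    """A believes a secret: some secret formula is in Cn_prop(view)."""
    return any(entails(view, s) for s in secrets)


def attacker_wins(view, secrets, queries):
    """Does A have a winning strategy?  A picks a query from `queries`; D must
    reply with the formula or its negation, whose content is added to the
    view.  Repeating a query adds nothing to the view, so each is asked once."""
    if not consistent(view) or secret_violated(view, secrets):
        return True
    for i, q in enumerate(queries):
        rest = queries[:i] + queries[i + 1:]
        if all(attacker_wins(view + [ans], secrets, rest) for ans in (q, neg(q))):
            return True
    return False


def safe_answers(view, query, secrets, queries):
    """Answers to `query` after which A still has no winning strategy."""
    return [ans for ans in (query, neg(query))
            if not attacker_wins(view + [ans], secrets, queries)]


def disjunction_of_secrets(secrets):
    f = secrets[0]
    for s in secrets[1:]:
        f = disj(f, s)
    return f


def believes_disjunction(view, secrets):
    """Right-hand side of Proposition 5.4.15: the disjunction of all secret
    formulae is in Bel(V_A(K))."""
    return entails(view, disjunction_of_secrets(secrets))


# Constructed instance of Example 5.4.16 (atom names are my own choice).
DAYOFF, STRIKE, INTERVIEW = var('dayoff'), var('strike'), var('interview')
BEATRIZ_VIEW = [imp(DAYOFF, disj(STRIKE, INTERVIEW))]   # what Beatriz knows
EMMA_SECRETS = [STRIKE, INTERVIEW]                       # Emma's secret formulae

if __name__ == '__main__':
    for answer in (DAYOFF, neg(DAYOFF)):
        view = BEATRIZ_VIEW + [answer]
        print(answer, 'A wins:', attacker_wins(view, EMMA_SECRETS, EMMA_SECRETS),
              '| A believes disjunction:', believes_disjunction(view, EMMA_SECRETS))
    print('safe answers to dayoff:',
          safe_answers(BEATRIZ_VIEW, DAYOFF, EMMA_SECRETS, EMMA_SECRETS))
```

Running it reproduces the example: after a yes to the day-off question the attacker has a winning strategy and the view entails strike ∨ interview, after a no neither holds, and the only safe answer is the negation. The last two checks in the accompanying test also show the point behind Corollary 5.4.17: after the yes answer no individual secret is yet believed, but if the disjunction is itself declared a secret the violation is detected immediately, without any further queries.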
Proposition 5.4.15 also implies that if we demand that agents have to protect the disjunction of their secret formulae by making it a secret formula itself, then we obtain a plain setting.
Corollary 5.4.17. Let T_QA^∨ ⊆ T_QA be the setting for which it holds that for all (K0, ξ) ∈ T_QA^∨ there is some  ∈ F(S(K0)) such that  ≡_p ⋁_{ ∈ F(S(K0))} . The setting T_QA^∨ is plain.
Proof. See Appendix A.1.3, Page 243.
The result formulated in the corollary is important in the restricted scenario of a query-answer protocol with only boolean answer values. However, it does not hold if the restrictions of this scenario are only slightly weakened. For the scenario in which a third answer value unknown is allowed, protecting the disjunction of secrets is still sufficient, but not necessary [46]. For more realistic scenarios of autonomous agents the restrictions of this scenario are far too strong for the result to be applicable. In the following we consider the problem of preservation of secrets from the other side. That is, we do not consider what is necessary to protect a secret, but what is necessary for an attacking agent to infer a secret. We show that if the empty action is an option for D, then, in order to infer a secret, A has to make use of meta-inferences.