PP 2008 30: Modal Logic and Invariance

Modal Logic and Invariance

Johan van Benthem

Denis Bonnay

Abstract

In a model-theoretic perspective, logics differ by the power they make available to describe structures. The limits to this expressive power are given by ‘similarity’ relations over structures: similar structures cannot be distin-guished in the relevant language. The notion of bisimulation for modal logic (ML) is a case in point: bisimilar Kripke models have the same modal the-ory, though getting a converse involves some complications. But also other well-known types of result characterize logics in terms of similarity relations: Lindstr¨om’s Theorem says that first-order logic (FOL) is the logic one gets from invariance for potential isomorphisms when adding compactness, van Benthem’s characterization theorem says that ML is the logic one gets from bisimulations inside the complete logic FOL, and so on.

But one might wish to go the other way around. Consider a logic with predicate atoms that has at least existential quantification and boolean com-bination, what is its natural notion of similarity between structures? ‘Be-ing potentially isomorphic’ is one answer, but is there more to it than some mathematical facts linking logics like FOL or the infinitary logicL∞,ωwith potential isomorphisms? In Section 1, we summarize an earlier character-ization of potential isomorphism as the ‘coarsest’ similarity relation whose invariants are closed under existential quantification. Section 2 provides a new abstract version of this result, and a characterization of bisimulation follows naturally: bisimulations are the natural match for a logic based on modal existential quantification. Section 3 analyzes the connection between these results for potential isomorphisms and bisimulations by transforming first-order structures into Kripke models and back. In Section 4, we extend the analysis to dynamic logic, and present a new characterization result for operations on accessibility relations. We prove that safety under bisimulation for operations added on top of a logic based on invariance under bisimulation provides a sufficient and necessary condition for preservation of invariance under bisimulation.

In all, these results are a sort of ‘abstract model theory’ characterizing structural invariance relations in more general terms, instead of taking them for granted. We see this as shedding some new light on the logical constants of first-order and modal logic, and the relations between these two perspec-tives.

1

Invariance and first-order operations

1.1

Invariance for logical notions

Following Frege’s well-known insight, quantifiers can be viewed as second order predicates. For example, let us have a look at the satisfaction clause for existential quantification (for a modelM, a formulaφand an assignmentσ):

M∃x φ(x)σ

there is ana∈ |M|s.t.Mφ(x)σ[x:=a]

iff

||φ(x)||M,σ ={a∈M/Mφ(x)σ[x:=a]}is not empty

whereσ[x := a]is the assignment one gets fromσby resetting the value of xtoa. Reading off from the satisfaction clause, there is a natural in-terpretationQ∃to give to∃, namely the class of structures which represent

formula interpretations||φ||M,σ which are semantically fine as far as exis-tential quantification goes. So we setQ∃={hM, Pi/ P ⊆MandP 6=∅}.

This licenses the following phrasing of the satisfaction clause for existential quantification:

M∃x φ(x)σ

iff

hM,||φ(x)||M,σi ∈Q∃

∃is a unary monadic quantifier, so thatQ∃is a class of sets equipped with

a predicate extension. The idea can be generalized to quantifiers of arbitrary syntactic type. Let us consider a class1_{Qof relational structures of the form}

hM, Ri.Qcan be taken to be the interpretation of a (generalized) relational quantifierQendowed with the following satisfaction clause:

MQxy φ(x, y)σ

iff

hM,||φ(x, y)||M,σi ∈Q

Propositional connectives fit in the picture if we let booleans be part of the structures. Now, the following question arises: what are the natural classes of structuresQto be used as the interpretation of logical constants (first-order quantifiers or propositional connectives)? Under different names,invariance under isomorphismhas been widely accepted as a necessary condition. Since

Qis now any class of structures of the same similarity type that is meant to interpret a logical constant, it should satisfy:

IfMandM0_{are isomorphic, thenM ∈QiffM}0_∈Q.

This means that two structures which are isomorphic are ‘logically similar’ and that no logical notion should be able to distinguish them. However, other notions of similarity between structures could be considered as candidates. Some recent proposals argue that various kinds of homomorphisms would be a better fit.2 In what follows, we consider invariance under an arbitrary ‘similarity relation’S, being just an equivalence relation over structures re-specting their types.

1

In general, the structures interpreting a quantifier will not form a set, so we are implicitly work-ing in a background theory of classes in order to describe our structures.

2_{See [6], [5] for invariance under homomorphism and [9] for a general assessment of the}

Definition 1. LetSbe a similarity relation andQa class of structures. We say thatQisS-invariant iff, wheneverMSM0_{, thenM ∈QiffM}0_∈Q.

The restriction to equivalence relationsS is harmless, since by our defini-tion, a relation and the smallest equivalence relation containing it have the same invariants. We define theordering≤on similarity relations as reverse inclusion3_{, that isS≤S}0_iffS0_⊆S.

1.2

Existential quantification and potential isomorphisms

Now assume that we want a ‘first-order like’ logic, endowed with existential quantification. Which invariance relationSshould we pick? Given the meta-logical results mentioned in the introduction, potential isomorphisms are a natural choice. We shall turn this intuition into a precise characterization. But first, we recall the following fundamental notion:4

Definition 2. A potential isomorphism I between two structures M and

M0_{(notation: M≈ M}I 0_{) is a non empty set of (possibly partial) functions} from|M|to|M0_{|such that:}

– every functionf ∈ I is a partial isomorphism, that is, an isomorphism betweenMrestricted to the domain offandM0_{restricted to its range,} – for all functionsf ∈Iand objectsa∈ |M|(resp. a0 ∈ |M0_{|), there is a} functiong∈Iwithf ⊆ganda∈dom(g)(resp.a0 ∈rng(g)).

We use the notationIsopfor the similarity relation of ‘being potentially iso-morphic’. Let us furthermore introduce two relevant properties of similarity relations:

Definition 3. A similarity relationSpreserves atoms iff

wheneverhM, R1, ..., Rn, a1, ..., amiShM0, R01, ..., R0n, a01, ..., a0mi, then –aj1 =aj2iffa

0

j1 =a 0

j2, for all objectsaj1,aj2 amonga1, ..., amanda 0

j1,

a0_j

2 amonga 0

1, ..., a0m, –haj1, ..., ajki ∈ Riiffha

0

j1, ..., a 0

jki ∈R

0

i, for allk-tupleshaj1, ..., ajkiof

objects amonga1, ..., amandha0j1, ..., a 0

jkiamong{a

0

1, ..., a0m}, wherekis the arity ofRiandRi0.

Definition 4. A similarity relation commutes with object expansions iff if M S M0_{, then for all a ∈ |M|, there is an a}0 _{∈ |M}0_{| such that}

M, a SM0_{, a}0_.

whereM, aisMexpanded with the extra distinguished objecta.

Note that no vice versa condition is needed in this definition sinceS is assumed to be symmetric. Potential isomorphisms can be uniquely defined in terms of atom preservation and object commutation:

3

The motivation for taking areverseinclusionS ≤ S0 is to get a Galois connection between similarity relations and classes of invariants. See [3] for more.

4_{‘Potential isomorphisms’ are also called ‘partial isomorphisms’ in the literature; but we prefer}

Fact 5. Isopis the smallest similarity relation which preserves atoms and commutes with objects expansions.

Proof. Clearly,Isoppreserves atoms and commutes with object expansions. Next, take anSthat preserves atoms and commutes with object expansions. We wantIsop ≤ S. LetM, M0 be two structures with MS M0. We need to show thatM Isop M0. By the definition of Isop, this amounts to finding a non-empty setI of partial isomorphisms betweenMandM0

satisfying the back and forth properties. We set I = {f : |M| → |M0_{|/M, a}

1, ..., anSM0, f(a1), ..., f(an)}.

By hypothesis, MS M0_{, soI is non-empty, as it contains the empty}

function. Commutation with object expansions then yields the back and forth property. Letfbe a function inI, it comes from twoS-similar structuresM

andM0 whose distinguished objects provide the arguments and values for

f. Letabe an object in|M|which is not already a distinguished one. By commutation with object expansion, we can find ana0∈ |M0_{|such thatM, a}

andM0_{, a}0_{are againS-similar. Because of that, there is a function inIwhich}

extendsfby sendingatoa0. We can do the same starting from ana0∈ |M0_|.

Finally, sinceSpreserves atoms, thefinIare partial isomorphisms.

We would like to connect Fact 5 with a property of first-orderlanguages. LetInv(S)be the class of classes of structures which areS-invariant, what is the property ofInv(S)corresponding to commutation with object expan-sion? What does commutation with object expansions, which makes sense at the level of structures and similarity relations, amount to in terms of the associated logics, that is at the level of classes of structures and invariants ?

Definition 6. LetQbe a class of structures of the formM, a. The object projection ofQ,∃(Q), is defined byM ∈ ∃(Q)iff there is ab ∈ |M|such thatM, b∈Q.

Given a similarity relationS, we shall say that object projection preservesS -invariance iff, wheneverQ∈Inv(S),∃(Q)∈Inv(S)as well. Preservation ofS-invariance under∃(−)says that existential quantification can be applied to invariant operations while staying inside the class of invariant operations. In other words, it says that existential quantification is available in the logic. In particular, ifQ∃∈Inv(S)and classes of structures definable from logical

constants interpreted by classes of structures inInv(S)are again inInv(S), then∃(−)preserves invariance.5 This is equivalent to commutation with object expansion:

Theorem 7. S commutes with object expansions iff object projection pre-servesS-invariance.

5

Proof. For the original direct proof, see [3], Theorem 3.10 and Fact 3.14. A more general new proof will be provided in the next section.

Putting together Fact 5 and Theorem 7, we get:

Corollary 8. Isopis the smallest similarity relationSsuch thatSpreserves atoms and object projection preservesS-invariance.

Imagine that we want to build a first-order language and that we want to base the interpretation of its logical constants on some appropriate notion of invariance. The Corollary says that if we want our language to admit of first-order existential quantification and to deal with atomic formulas in the standard way,Isopis the smallest similarity relation we can pick. So, in that sense, potential isomorphisms provide us with the most economic notion of similarity between structures making existential quantification available in the resulting logic.

What happens if we want second-order existential quantification as well? Then we shift from potential isomorphisms to isomorphisms. Here is the theorem which tells us this, whereIsois the similarity relation corresponding to ‘being isomorphic’ and ‘set projection’ is the same as object projection with subsets of the domain or relations over the domain replacing objects in the domain:6

Theorem 9. Isois the smallest similarity relationSsuch thatSpreserves atoms, and object and set projections preserveS-invariance.

2

Invariance, commutation, and the modal case

2.1

Invariance and commutation: a general lemma

Theorem 7 rests upon a duality between two ‘inverse’ operations, (a) ex-panding a structure with an object, and (b) projecting a class of structures. We shall show that this idea of having two inverse operations in tandem, the second defined at a higher level, is all that is needed for commutation and preservation of invariance to be equivalent. One reason for going abstract here is that a characterization result for modal logic and bisimulation will follow automatically.

LetEbe a relation over a classAof objects7_{, with an associated ‘inverse’} functionE−1 : ℘(A) → ℘(A) on the powerclass of A, defined for any

6_{The Theorem is due to the first author; it has been presented in the dissertation by the second}

author [2] with preservation of invariance under object projection and under set projection being called respectively closure under level 1 projection projection and closure under level 2 projection. Though Theorem 9 is quite analogous to Corollary 8, the proof does not rest on a commutation result like Theorem 7.

7

subclassX ofA byE−1(X) = {a ∈ A /∃b ∈ X withaEb}. We shall be interested in the behavior ofE andE−1with respect to an equivalence relationSoverA:

Definition 10. Scommutes withEiff, for alla,a0,b∈A, ifaSbandaEa0, then there is ab0_{such thata}0_Sb0_andbEb0_.8

Following the notion of invariance introduced in the previous section, a sub-classX ofAisS-invariantifaSbimpliesa∈X iffb ∈X. We introduce preservation of invariance forE−1_:

Definition 11. E−1_{preservesS-invariance iff for any subclassXofA, ifX}

isS-invariant, thenE−1_{(X)isS-invariant.}

Now, for arbitrarySandE, commutation and preservation of invariance are equivalent – as may be shown by a little exercise in basic set theory:

Theorem 12. Scommutes withEiffE−1preservesS-invariance.

Proof. Only if. Assume that (1)Scommutes withE, (2)X isS-invariant, (3) aSb and (4)a ∈ E−1_{(X). We wantb ∈ E}−1_{(X). By (4) and the}

definition ofE−1_{, there is ana}0 _withaEa0 _anda0 _{∈ X. Hence by (3), we}

can apply (1) to get ab0such thata0Sb0andbEb0. By (2) anda0 ∈X,b0∈X

as well. ButbEb0, thereforeb∈E−1_{(X)as required.}

If. Assume that (1)E−1_{preservesS-invariance and that for somea,b}

anda0, (2)aSb, (3)aEa0. We want ab0 witha0Sb0 andbEb0. So, consider

[a0]S, theS-equivalence class ofa0. By definition, it isS-invariant. Hence by (1), E−1([a0]S)isS-invariant. By the definition of E−1 and (3), a ∈

E−1([a0]S). ByS-invariance ofE−1([a0]S)and (2),b∈E−1([a0]S). Hence by the definition ofE−1_{, there has to be a objectb}0_withbEb0_andb0_∈[a0_]

S, that isa0_Sb0_.

Now take as our classAthe class of all first-order structures. LetE be the relation of ‘expanding with one object’,i.e. MEM0 _iffM0 _{=M, a}

for some objecta∈ |M|. Commutation with object expansion in the sense of Definition 4 is then commutation withE. And the ‘inverse’E−1ofEis nothing but object projection∃(−). We get Theorem 7, which says thatS

commutes with object expansion iff object projection preservesS-invariance, as an instance of Theorem 12, which says thatScommutes withEiffE−1

preservesS-invariance.

2.2

A modal application: diamonds and bisimulations

Moving on to our specific area of interest in this paper, Andr´eka, van Ben-them and N´emeti have claimed that bisimulations are to modal logic what

8_{Note the formal similarity between this notion of relational linkage and that of a modal}

potential isomorphisms are to predicate logic [1]. There are quite a number of meta-logical theorems and transfer results to back up such a claim. Is it then possible to characterize bisimulations as the good match for modal logic, just like we characterized potential isomorphisms as the good match for predicate logic, or plain isomorphisms as the good match for second-order logic? We provide a positive answer in this paragraph, by a direct application of Theorem 12.

Modal logic gets interpreted in Kripke models, that is, in the mono-modal case, structureshW, R, P1, ..., PniwithW a set of ‘worlds’,R ⊆W ×W the accessibility relation, and thePi ⊆W interpretations for atoms. Modal formulas are evaluated at worlds in Kripke models, so their interpretation in a model is the set of worlds at which they are true. In line with our earlier gen-eral view, then, modal logical constants get interpreted by classes of pointed structures. As an example,_♦is the unary constant which is interpreted by the classQ_♦of structureshW, R, P, wiwith{w0∈W / wRw0andw0∈P} 6=

∅. In terms of truth clauses, our earlier analysis of quantifiers then comes to look as follows:

M, w _♦φ

iff

∃w0wRw0andM, w0 φ

iff

hW, R,||φ||M, wi ∈Q♦

where||φ||M={v∈ |M|/M, vφ}.

Modal similarity relations, such as bisimulations, link two worlds in two models: they are equivalence relations betweenpointedKripke structures. As before, a classQof pointed Kripke structures isinvariant under a simi-larity relationSon such structures iffM, w S M0_{, w}0_{impliesM, w ∈ Q}

iffM0_{, w}0_{∈Q. Given a modal similarity relationS, we shall noteInv}

M(S) the class of classes of pointed structures which areS-invariant. Note that our previous ordering on similarity relations, as well as the property of atom preservation, apply straightforwardly to the particular case of modal similar-ity relations.

The two essential properties of bisimulations are commutation with ‘guarded object expansion’ (moves along the accessibility relation) and preservation of atoms. By commutation with guarded object expansion, we mean the following:

Definition 13. A similarity relationScommutes with guarded object expan-sion iff

ifM, w SM0_{, w}0_{, then for allv∈ |M|withwRv, there is av}0 _{∈ |M}0_|such thatM, v SM0_{, v}0_andw0_R0_v0_.

the following modal version of Fact 5 (we writeBiS for the relation ‘be-ing bisimilar’, which holds between any two pointed structures which have a bisimulation between them):

Fact 14. BiSis the smallest modal similarity relation which preserves atoms and commutes with guarded object expansion.

Proof. First it is clear thatBiSpreserves atoms (worlds which are related by a simulation belong to the same unary predicate extensions) and commutes with guarded object expansion (by the back and forth properties of modal bisimulation).

Now let S be a similarity relation over pointed Kripke models which preserves atoms and commutes with guarded object expansion. We want

BiS ≤ S. AssumeM, w S M0_{, w}0_{. We show thatM, w BiSM}0_{, w}0_{. S}

‘is’ the bisimulation we need: we define a relationZoverW×W0byuZu0

iffM, u S M0_{, u}0_{. Z containshw, w}0_{iby hypothesis. It preserves atoms}

becauseSdoes and it satisfies the back and forth condition in the definition of bisimulations precisely becauseScommutes with guarded object expansion.

Guarded object expansion can be viewed as a relationE over the class of pointed structures, defined byM, w EM0, w0 iffM=M0andwRw0. Its associated inverseE−1 _{on classes of pointed structures isguarded}

ob-ject proob-jection, defined byE−1_{(Q) = {M, w /M, w}0 _{∈Qfor somew}0 _∈

|M|withwRw0}. As before with object projection and first-order existential quantification, guarded object projection is the result of applying existential modal quantification. To see this, assume thatQ_♦ is inInvM(S)and that classes of pointed structures which are definable from modal constants inter-preted by classes of pointed structures inInvM(S)are again inInvM(S). It follows thatE−1_{preservesS-invariance.}9

Thus, as an instance of Theorem 12, we get the equivalence between a) the core property of bisimulations, namely commutation with moves along the accessibility relation, and b) the invariants ofSbeing closed under appli-cations of_♦:

Theorem 15. Scommutes with guarded object expansion iff guarded object projection preservesS-invariance.

Now putting together Fact 14 and Theorem 15, we get:

Corollary 16. BiS is the smallest similarity relation S such that S pre-serves propositional atoms, while guarded object projection prepre-serves S -invariance.

9_{For example, letQbe a class of structures of the formhM, R, P, aiwhich is the interpretation}

As before with potential isomorphisms and first-order logic, this tells us that bisimulations are the right match for modal logic. For a logic to be a modal logic, it seems clear that it should deal with atoms in the standard way and have_♦as a logical symbol (so that application of _♦preserves in-variance). BiS is the least demanding notion of similarity between pointed models which fits the bill.

3

Back and forth between back and forths

Our aim in this section is to provide a better understanding of the relation-ships between our two characterization results for FOL and ML (Corollaries 8 and 16).

3.1

Generalized assignment models

We follow the idea of ‘Modal Foundations for Predicate Logic’ (cf. [8]), and adopt a modal reading for first-order semantics. The starting point is the observation that key clauses of Tarskian semantics for first-order logic like:

M∃x φ(x)σ

iff

for somea∈ |M|,Mφ(x)σ[x:=a]

have a modal flavor which is revealed by the following rewriting:

M, σ∃x φ(x)

iff

for someτ,σRxτandM, τ φ(x)

with assignments σ, τ viewed as abstract states and Rx as a relation over these which corresponds to updating the value of x. Thus, any classical model M induces a (poly-modal) assignment model M∗ ₌

hS,{Rx}x∈V AR, IiwithS a set of states,10 Rx a binary relation for each variablex, andIa valuation function which gives a truth value to each atomic formulaP xin each stateσ, so thatM∗_{, σP xiffσ(x)∈P}

M. Then there

is a natural translation(−)∗ _{of FOL formulas into ML formulas such that}

Mφ σiffM∗, σφ∗.(−)∗is defined by induction and the clause for∃

turns it into a diamond. One can check that:

M∃x φ(x)σ

iff

M∗_{, σ}

♦x(φ(x))∗

10_{In general,Swill be the set of all assignments onM, but the point of ‘modal foundations’ is that}

This idea extends to generalized quantifiers as well. Without loss of gener-ality, recall the satisfaction clause for a binary quantifierQinterpreted by an operationQ:

MQxy φ(x, y)σ

iff

hM,||φ(x, y)||M,σi ∈Q

Once the bound variablesx,yare fixed, the action ofQonM consists in manipulating subsets of the set of allM-assignments_VM. Looking at these as abstract states connected by update relations, we have a class of pointed assignment modelsQ∗_xy:

{h_VM, Rxy, P, σi/hM,{hτ(x), τ(y)i/ σRxyτandτ ∈P}i ∈

Q}

whereRxy updates the values of bothxandy in one shot. Now,Q∗xyis a class of pointed Kripke structures just like those in section 2, so it interprets a generalized modal quantifierQ∗

xy, the modal translation ofQxy, and one can check that we still have what we had for∃xand_♦x, namely:

MQxy φ(x, y)σ

iff

M∗_{, σ}

Q∗

xy(φ(x, y))∗

Here, as before,M∗_{, σ}

Q∗

xy(φ(x, y))∗iffhM, Rxy,||(φ(x, y))∗||M, σi ∈

Q∗_xy.

Let us be more precise about the∗-models. Fix a countable set of vari-ablesV AR={x1, ..., xn, ...}. Any modelMinduces anassociated assign-ment modelM∗_:

– The domainVof M∗ is the set offinitepartial functions fromV ARto

|M|.

– Each finite11set of variablesX ⊂V ARinduces an accessibility relation

RX withσRXτ iffτ extendsσ at most on values for variables inX and differs fromσat most on variables inX. Thus,RX corresponds to updat-ing registers for some variables inX and creating new registers for other variables inX.

– For eachn-ary relationRon the structureM, and eachn-tuple of variables

xi1,...,xin, a new predicate extension Ri1,...,in on V is defined by setting

σ∈Ri1,...,iniff

hσ(xi1), ..., σ(xin)i ∈R.

Now, a first-order formulaφcan be evaluated with respect to any partial assignment σdefined on the freevariables in φ. If, when testing for the

11_{Indexing accessibility relations with sets of variables instead of one variable at a time is}

satisfaction ofφw.r.t. σ, a quantifierQoccurs and binds a variablexnot in the domain ofσ, one considers partial assignments extendingσby giving a value tox. This is what is captured by our definition ofRX on assignment models, which corresponds either to register updating (the partial assignment was already defined for the bound variable) or register opening (the partial assignment was not defined for the bound variable). Our ∗-translation of first-order structures into Kripke structures is compatible with the outlined matching∗-translation of a first-order language with generalized quantifiers into a modal language with generalized modal quantifiers.

3.2

From potential isomorphisms to bisimulations

M∗_{-models are very special structures: their domain consists ofallpartial}

assignments and the accessibility relationsRX makeallactions of updating and creating registers available. As in [8], one can explore what happens to generalized modal quantifiers when models can have ‘assignment gaps’. We leave this for future research, and focus on similarity relations for the above fullM∗_models.

Exactly like quantifiers, similarity relations on classical models can be exported to assignment models. Thus, to each similarity relationS, we define itsassociated similarity relationS∗_byM∗_{, σ S}∗_M0∗_{, σ}0_iffσandσ0_have

the same domain andM,−−−→σ(xi)SM0,

−−−→

σ0(xi)for thexisin their domain.

Theorem 17. Iso∗_p=BiS

Proof. We need to proveM∗_{, σ}

-M

0∗_{, σ}0_iffM,−−−→_σ(x

i)≈ M0,

−−−→

σ0(xi). From left to right. To match objects in the initial models, we have to look at the bisimulation and match objects according to their indexing by the

vari-ables. So assumeM∗_{, σ} Z

- M

0∗_{, σ}0_{. We setI = {f /∃ρ ∈ |M}∗_{|, ρ}0 _∈

|M0∗| s.t. ρZρ0andf = {hρ(x), ρ0(x)i / x ∈ Dom(ρ)T_Dom(ρ0_)}}.

Sinceσ Z σ0, I contains at least the empty function (thanks to the worst case scenario in which there is no variable at which bothσandσ0 are de-fined). The functions inIare partial isomorphisms, becauseZitself respects atoms.

Now for the back and forth condition: letf ∈Ianda∈ |M|be an object which is not in the domain off. We know there are two assignmentsτandτ0

withτ Zτ0that gave usf. Starting fromτ, we open a register for a variable

xwhich was not in the domain ofτ and give it the valuea. This is a move alongRxto an assignmentρwhich extendsτonx. Sinceτ Zτ0, the same move can be made alongR0_x, and we get an assignmentρ0 which extends

τ0 onx. Fromρ,ρ0and the fact thatρZρ0, we get a functiong inIwhich extendsf on abyg(a) = ρ0(x). ThereforeI is a potential isomorphism betweenMandM0 _{– and, by construction, these two structures extended}

with objects that are indexed by the same variable according toσandσ0 _are

From right to left. To match states in the assignment models, we have to look at the partial isomorphisms, and match assignments according to the

partial isomorphisms and the indexing by the variables. Assume thatM≈I M0_{. We define our intended bisimulationZover|M}∗_{| × |M}0∗_|byσZσ0_iff

Dom(σ) =Dom(σ0)and there is anf ∈Is.t.σ0=f ◦σ. Since thef inI

are partial isomorphisms,Z-related states verify exactly the same atoms. Now for the Zig-Zag condition. Assume thatσZσ0. By the definition of

Z, this means that there is anf ∈Isuch thatσ0=f◦σ. We check the Zig-Zag condition forRx. So assume thatσRxρfor someρ. Suppose thatxis not a fresh variable, being already in the domain ofσandσ0. We look atρ(x), say this isa. By the closure condition onI, there is a functiong ∈ Isuch thatf ⊆gandais in the domain ofg. Now considerρ0 =σ0[x:=g(a)]. It is clear thatσ0Rxρ0. Sincef ⊆g,ρ=σ[x:= a]andρ0 =σ0[x:=g(a)],

σ0=f◦σis sufficient to guarantee thatρ0 =g◦ρ. HenceρZρ0, as desired. Ifxis a fresh variable, things are similar with register opening (extending assignments) replacing register updating.

The left to right direction of the proof would not go through as it stands if we were to taketotalassignments as states. From right to left, if the relationsRx only correspond to updating (and not to register opening), a bisimulation be-tween the∗-models doesnotguarantee a potential isomorphism between the first-order structures. We leave possible generalizations to a future occasion. Theorem 17 confirms that bisimulations are a modal version of potential isomorphisms. Moreover, one can check that invariance is preserved by shift-ing to assignment models. So ‘genuine’ first-order operations, that is classes of structures invariant under potential isomorphisms, induce ‘genuine’ modal operations: classes of pointed assignment models invariant under bisimula-tion.

3.3

From bisimulations to potential isomorphisms

We can also go in the other direction and ‘upgrade’ bisimulations to potential isomorphisms by considering suitably richly structured Kripke models. We adapt a result from [1] that modal equivalence can be upgraded to full first-order elementary equivalence on trees with multiplied nodes. They leave a theorem for bisimulations and potential isomorphisms as an unproved claim. We prove it directly, for trees with suitably multiplied nodes.12

In what follows, we will work with the multiplied unraveled versionM+

of a Kripke modelMas in [1]. First, the standard transformation of tree unravelingis performed onM. We get a model whose worlds are finite

12

sequences of the formw0, ..., wn with w0 = w and each wi+1 is an R

-successor of wi (0 ≤ i < n), whose accessibility relation is ‘immediate succession’. Worlds in the new model bisimulate with worlds in the original model via their last element. In addition, infinite ‘multiplication’ is applied to each node except the root, as follows, maintaining a bisimulation at each stage. First, copy each successor ofwat level 1 infinitely many times and attach these disjoint copies tow. Identifying copies with originals is an ob-vious bisimulation. Next consider successors at level 2 on all branches of the previous stage and perform the same copying process at all level-1 worlds. Again, there is an obvious bisimulation. The intended modelM+_{, wis the}

result of iterating this process through all finite levels.

Theorem 18. Two pointed Kripke modelsM, wand M0, w0 are bisimilar iff their multiplied unraveled versionsM+_{, wandM}0+_{, w}0 _{are potentially} isomorphic.

Proof. It is clear that ifM+_{, w andM}0+_{, w}0 _{are potentially isomorphic,}

the original modelsM, wandM0_{, w}0_{are bisimilar. For, the unconstrained}

exploration which corresponds to a potential isomorphism is more than we need for the constrained exploration which corresponds to a bisimulation.

In the other direction, assume thatM, wandM0_{, w}0_{are bisimilar. Then}

there is a bisimulationZ between their unraveled multiplied versions. We need to show that there is a potential isomorphism as well.

Let us say that a partial isomorphismf fromM+ _toM0+ _{follows Z}

ifff relates worlds which are related byZ and the domain and range off

are closed under subsequences: ifhw0, ..., wji ∈ Dom(f),hw0, ..., wii ∈

Dom(f)for0≤i≤j(and similarly for the range). We show that the set of finitepartial isomorphisms followingZ is a potential isomorphism between

M+_{, wandM}0+_{, w}0_.

First, it is non-empty sincehw, w0_{iis trivially a partial isomorphism}

fol-lowingZ. Then consider any finite partial isomorphismf followingZand a new objecta. We need to find a finite partial isomorphismg which ex-tendsf, followsZ, and hasa in its domain. Now there is a unique path from the root toa, and on this path, a lowest node b to be in the domain of f. To get the image of a, one goes down from the image of b by fol-lowing alongZ the path frombtoa, taking new nodes on|M0+_{|to match}

the new nodes on|M+_{|. More precisely, letf be a finite partial}

isomor-phism followingZ anda = hw0, ..., wniwithw0 = wa world in |M+|

which is not in the domain off. Sincefis closed under subsequence, there is ani ∈ {0, ..., n} s.t. for all j ≤ i, hw0, ..., wji ∈ Dom(f), and for allk > i, hw0, ..., wki 6∈ Dom(f). Let hw00, ..., w0ii = f(hw0, ..., wii). Sincehw0, ..., wiiZhw00, ..., w0iiandhw0, ..., wiiR+hw0, ..., wi+1i, there is a w_i0₊₁s.t. hw00, ..., wi0iR0

+_hw0

0, ..., wi0+1iandhw0, ..., wi+1iZhw00, ..., wi0+1i.

Moreover, since M0+ _{is a tree whose nodes have been copied infinitely}

many times, we can choosew0

i+1 so that it was not already in the range

wi+1, ..., wn. We defineg=f∪ {hhw0, ..., wki,hw00, ..., w0kii/ i+ 1≤k≤

n}. It is crucial here that none of the added elements were already in the domain or in the range off, so thatgis a one-one function.

To clinch matters, we show thatgis a finite partial isomorphism follow-ingZ:

– Sincegextendsfon a finite number of arguments andfis finite,gis finite. – The domain and range ofgare closed under subsequences, by the construc-tion and because those offwere. Also,grelates worlds which are related by

Z, by construction and becausef did. Hencegrespects unary predicates. –grespects the accessibility relations as well. For, takebandcin the domain ofg. We wantbR+_{c iffg(b)R}0+_{g(c). We reason by cases, depending on}

whether the worlds are new. Ifbandcwere already in the domain off, there is nothing to show. If they are both new, so areg(b)andg(c)by construction, and hence the equivalence follows from the definition ofg and the models being unraveled trees. Now assume (1) only one of them, sayb, was in the domain off. It follows that (2) g(b) was in the range off, but g(c)was not. The idea is thatbR+ciffb is the last node on the path from the root toa which is in the domain of f andc is its successor on the path, and similarly forg(b)andg(c)with respect toR0+ and the range off. More precisely, by (1),bR+_{ciffb =hw}

0, ..., wiiandc=hw0, ..., wi+1i. By (2), g(b)R0+_{g(c)iffg(b) =hw}0

0, ..., w0iiandg(c) =hw00, ..., w0i+1i. HencebR+c

iffg(b)R0+_g(c).

So M+_{, w and M}0+_{, w}0 _{are ‘potentially’ isomorphic. In fact, they}

are almost isomorphic except for the difference that the two initial mod-els may have successor sets of different infinite cardinalities. Potential isomorphisms are blind to differences in size for infinite sets, but to get isomorphic models, we could strengthen the copying procedure, for ex-ample by making not ℵ0 copies of each node but κ-copies, where κ = max(card(|M|), card(|M0_{|)). But even as we have stated things, our}

con-clusion is that modal bisimulations naturally induce basic first-order invari-ance relations.

4

Dynamic logic and safety

to the new program operations so as to make expressions of different types combine nicely? We shall first see how Theorem 12 works for dynamic op-erations and then connect this with the standard notion of ‘safety for bisim-ulation’. In the last paragraph, we draw a tentative parallel with first-order logic.

4.1

Invariance and commutation

In Section 2, classes of pointed structures were used to interpretmodal opera-tors. What is the interpretation ofdynamicoperators, such as relational com-position;or Boolean choice∪in PDL? Their role is to make new relations available, on the basis of the accessibility relations and predicate extensions which are already there in the Kripke structures. So a dynamic operationO

will associate to every setW a functionOW taking as arguments relations and predicate extensions overW and yielding a new relation overW as its value. To such an operationO will correspond a dynamic operatorOwith the following semantic clause for an arbitrary modelM:

||O−→χ||M=O|M|(||−→χ||M)

with−→χ a sequence of programs and formulas matching the syntactic type of

O(and the type of the functionO|M|), and||−→χ||Mthe sequence of relations

and predicate extensions overMwhich interpret the programs and formulas

−

→_{χ. For instance, Boolean choice∪gets interpreted by the dynamic operation}

O∪which yields for eachW a functionO∪,W :℘(W2), ℘(W2)→℘(W2) defined forR1, R2⊆W2byO∪,W(R1, R2) =R1SR2.

In the well-known syntax of dynamic logic, a programπand formulaφ

combine into a new formulahπiφ, withhπiinterpreted as a standard_♦for the accessibility relation defined byπ. When such operators are added to a modal language, it is natural to require that the new formulas retain the old semantic invariance. Indeed, PDL formulas are still invariant under bisimulations, and hence the increase in expressive power stays within the ‘natural limits’ of ML.

Thus, on classes of pointed structures which are invariant for bisimula-tion, dynamic operators should preserve that invariance when used to define new classes of structures. What dynamic operatorsO have this property? One answer is again provided by Theorem 12. In Section 2.2, we tookE

andE−1_{to be “moving along the accessibility relation” and “applying}

♦”, respectively. Now interpretEas “moving along the relation defined byO−”.

E−1will then be “applyinghO−i”. More precisely, let−→χ be a sequence of programs and formulas matching the type ofO13 _{andφa formula. We use} the notationM+||−→χ||M, w for the expansion ofM, wwith the relations

13

and sets which are the interpretations onMof the formulas and programs

−

→_{χ. DefineEbyM+||−}→_χ||

M, w E M+||−→χ||M, viffwOM(||−→χ||M)v.

ThenE−1(||φ||) =||hO−→χiφ||, sinceM+||−→χ||M, w∈E−1(||φ||)iff there

is a v ∈ |M| withwO|M|(||−→χ||M)v and M+||−→χ||M, v ∈ ||φ||M iff

M, w∈ ||hO−→χiφ||.

Let us say thatBiS commutes withOiff it commutes with the relations one gets for all values ofO.14 We say thatOpreserves invariance underBiS

iff applying the interpretation ofhO−→χipreserves invariance for all possible interpretations of the−→χ.15 In this setting, Theorem 12 tells us that com-mutation withOis precisely what guarantees that addingOdoes not break bisimulation invariance:

Theorem 19. BiScommutes withOiffOpreserves invariance underBiS. This result provides the key induction step in a proof that extending a modal logic by dynamic operators whose interpretations commute with bisimula-tion yields a dynamic logic whose formulas are again invariant under bisim-ulation. This would also work withBiS any kind of similarity relation for pointed Kripke structures.

4.2

Commutation and safety for bisimulation

The standard ‘invariance condition’ on PDL operations looks a bit different, however, and its is known as ‘safety under bisimulation’.16

Definition 20. A dynamic operationOis safe for bisimulation iff wheneverM, w

Z

-M

0_{, w}0_{, andwO(M)vfor somev∈ |M|, then there is a}

v0 ∈ |M0_{|such thatvZv}0_andw0_O(M0_)v0_{– as well as vice versa.}

We will now show that commutation and safety are equivalent.17 In what follows, it will be useful to work with ‘quasi-transitive’ bisimulations where

wZw0, vZw0 andvZv0 implieswZv0. More precisely, letW andW0 be

14_{Thus, for any sequence of programs and formulas}−→_{χ, ifM+||−}→_χ||

M, wandM0+||−→χ||M0, w0 are bisimilar,wO|M|(||−→χ||M)vimplies that there is av0 ∈ |M0|such thatM+||−→χ||M, vand

M0

+||−→χ||M0, v0are bisimilar andw0O_|M0_|(||−→χ||_M0)v0. 15

Let−→χbe a sequence of programs and formulas andQa bisimulation invariant class of structures of the formM+||−→χ||M, w. We want the interpretation ofhO−→χito be bisimulation invariant. This

is exactly requiring bisimulation invariance for the class of structuresM+||−→χ||M, vhaving aw

withvO|M|(||−→χ||M)wandM+||−→χ||M, w∈Q. 16

See the ’Safety Theorem’ of [8] characterizing the first-order safe operations as those operations which are definable in PDL without Kleene star.

17

two sets andZ a relation onW ×W0. We say thatv ∈ W andv0 ∈ W0

areZ-connectedif there is a sequence of objects v0, ..., vn withv0 = v, vn =v0 such that for eachi < n,viZvi+1 orvi+1Zvi. As a special case,

every object isZ-connected to itself. A bisimulationZbetween two Kripke structuresM, wandM0_{, wisquasi-transitiveiff, ifv∈ |M|andv}0_{∈ |M}0_|

areZ-connected, thenvZv0_{. The following lemma shows that there is no}

loss of generality as far as safety is concerned:

Lemma 21. An operationOis safe for arbitrary bisimulations iff it is safe for quasi-transitive bisimulations.

Proof. The direction from left to right is trivial, so we take on the converse. First, note that if Z is a bisimulation, then there is a smallest quasi-transitive relationZCl extendingZ (here two worlds, one in each model, are calledZCl_{-relatediff they areZ-connected).}

LetO be a dynamic operation which is safe for quasi-transitive bisim-ulation, M and M0 _{two models, Z a bisimulation between them; with}

w, v∈ |M|andw0∈ |M0_{|three worlds such thatwZw}0_{andwO(M)v. We}

need to find av0∈ |M0_{|such thatvZv}0_andw0_O(M0_)v0_{. Note that working}

directly withZCl_{would not do. By safety for quasi-transitive bisimulation,} there is av0 ∈ |M0_{|such thatv}0_{isZ-connected tovandw}0_O(M0_)v0_{. But}

thisv0 is not necesarilyZ-relatedtov, ifZ is not quasi-transitive. To cir-cumvent this difficulty, we shall define some model expansions in order to go ‘step by step’ fromv∈ |M|to av0 ∈ |M0_|withvZv0_{while preserving}

the property of beingO-related to the root. We cannot but take a roundabout way here: there are pairs of models and relations over them which are safe for quasi-transitive bisimulations, but not for arbitrary bisimulations between these models.

First, we defineM+v∗asMextended by a worldv∗which is a copy ofv: for all predicates P, v∗ _{∈ P}

M+v∗ iffv ∈ P_M, for all relationsR, wRM+v∗v∗ iff wR_Mv, for all relations R and for all worlds u ∈ |M|, v∗RM+v∗uiffvR_Mu. We can assume that itisthe case thatwO(M+v∗)v∗.

To see this, consider the identity onMextended byhv, v∗i. This is a quasi-transitive bisimulation betweenMandM+v∗. We know thatwO(M)v

and our bisimulation relatesvinMto only two worlds inM+v∗, namely

vitself andv∗. So by safety ofO for quasi-transitive bisimulation,whas to be related by O(M+v∗)to at least oneof these two worlds. But if

w was related byO(M+v∗) toonly one of v andv∗, we would get a counter-example to safety ofOfor quasi-transitive bisimulation by consider-ing the identity bisimulation betweenM+v∗and itself, withvandv∗being swapped. Therefore,wis related byO(M+v∗)tobothvandv∗.

Then we build a modelM0 _+v∗ _{by adding a copy ofv to the second}

model as well. To define this, we use the bisimulationZwe have: the copy is a world like the worlds to whichvisZ-similar. Thus, letZ(v)be the set of worlds inM0_{to whichvisZ-related. We start fromM}0_{and add a world}

R,w0RM0_+v∗v∗iffwR_Mv(wherew0is the world bisimilar towwe

intro-duced at the beginning), and for all relationsR, for all worldsu0 ∈ |M0_|,

v∗RM0_+v∗u0iff there is at0 ∈Z(v)witht0R_M0u0. We can useZto build

a quasi-transitive bisimulationZ∗betweenM+v∗andM0_+v∗_{. Consider}

firstZS

{hv∗_{, v}∗_{i}. BecauseZ was a bisimulation and by the definition of}

our expansions, it is a bisimulation again. Now(ZS

{hv∗_{, v}∗_i})Cl_{is again a} bisimulation and it is quasi-transitive. Moreover, it is clear thatv∗inM+v∗

is related only tov∗inM0_+v∗_{, so by safety for quasi-transitive bisimulation,}

w0O(M0_+v∗_)v∗_.

Finally, we compare M0 _andM0_+v∗_{. Consider the identity on M}0

extended by relating all worlds inZ(v)to all worlds inZ(v)S_{v∗_{}. Because}

of the properties we gave tov∗, this is a bisimulation betweenM0_andM0₊

v∗. And it is quasi-transitive by definition. Therefore, by safety ofO for quasi-transitive bisimulation again,w0O(M0_+v∗_)v∗ _{implies that there is}

au0 ∈ |M0_{|which is related by that bisimulation tov}∗ _{and which is such}

thatw0O(M0_)u0_{. Such au}0 _{is in Z(v). So we have au}0 _withvZu0 _and

w0O(M0_)u0_{, as required.}

We are now ready to prove that safety for bisimulation and commutation coincide:

Theorem 22. BiScommutes withOiffOis safe for bisimulation.

Proof. From right to left. Consider any two bisimilar pointed structuresM+

− →

K , wandM0 ₊−_K→0_{, w}0_{, where}−→_{K and}−→_{K are some sets and relations over}

|M|and|M0_{|(respectively) which expand two given structuresMandM}0_.

Assume that (a)wO|M|(

− →

K)vfor somev∈ |M|. We need to find an object

v0 ∈ |M0_{| such thatw}0_O |M0_|(

−→

K0)v0, with the structures M+−→K , v and

M0₊−_K→0_{, v}0_{still being bisimilar. Bisimilarity is preserved when some parts}

of structures are left out, so there is a bisimulationZbetweenh|M|,−→K , wi

andh|M0_|,−_K→0_{, w}0_{i. By safety for bisimulation and (a), there is av}0 _{∈ |M}0_|

such thatw0O|M0_|(

−→

K0)v0 andvZv0. SoZ itself is a bisimulation between

M+−→K , vandM0₊−_K→0_{, v}0_.

From left to right. Our difficulty here is that, if two structures have ‘some’ bisimulation, commutation with moves alongOagain gives us the existence ofsomebisimulation. But safety wants thesameone. Our solution is a trick: we define a new predicate in terms of reachability using the given bisimu-lation. Since that predicate will be preserved by the new bisimulation, the ‘commutation world’ given by the new bisimulation must be a commutation world for the earlier one as well.

So letO be a dynamic operation commuting withBiS. Consider two modelsMandM0 _{withZ a bisimulation between them, and three worlds}

w, v ∈ |M|andw0 ∈ |M0_{| withwZw}0 _{and wO(M)v. By Lemma 21,}

thatvZv0 andw0O(M0_)v0_{. We define a predicateP}

M onMwhich holds

exactly at the points which areZ-connected tov. Similarly we define another predicatePM0 onM0byP_M0 ={u0 ∈ |M0|/ u0isZconnected tov}. Z

is still a bisimulation betweenM+PMandM0+PM0. By commutation

withO, there is av0 _{∈ |M}0_{|and a bisimulationZ}+_betweenM+P

Mand

M0_+P

M0 such thatw0O(M0)v0andvZ+v0. SinceZ+is a bisimulation, it

respects atomic predicates. Hencev ∈PMimpliesv0 ∈PM0: that is,v0 is Z-connected tov. ButZis quasi-transitive. SovZv0, as required.

Putting Theorems 19 and 22 together, we get that a abstract dynamic oper-ation preserves bisimuloper-ation invariance iff it is safe for bisimuloper-ation. This shows that safety, too, is a correct match for bisimulation invariance. Van Benthem 1996 only showed its sufficiency, our new results also showthe ne-cessity of this condition.18

4.3

Beyond safety: definability theorems

Safety essentially says that the values of dynamic operations get ’a free ride’

on bisimulations: ifM_-Z M0_{, thenM+O(M)} Z

-M

0_+O(M0_{). This idea}

makes sense in other settings too. In the case of first-order logic, letT be a first-order theory in a languageL+P. We say thatPisfree for isomorphism underT iff, for all modelsM,M0_{ofT, anL-isomorphism fromM −Pto}

M0_{−P is also anL+P-isomorphism fromMtoM}0_{(whereM −P is}

just the reduct ofMtoL). Beth’s well-known Definability Theorem can be viewed as a result about such ‘free’ predicates:19

Theorem 23. In first-order logic,P is free for isomorphisms underT iffT

explicitly definesP.

Proof. The right to left direction is immediate: expansion with definable predicates does not break an isomorphism. From left to right, consider the special case of two models ofT,MandM0, such thatM −P =M0−P. The identity is anL-isomorphism between them. Therefore, sinceP is free, the identity is anL+P-isomorphism betweenMandM0_{, henceP}

M =

PM0. That is to say,Timplicitly definesP, and therefore, by Beth theorem,

it explicitly definesPas well.

This raises many further questions. Can we connect modal safety and explicit first-order definability via Beth’s Theorem? What connections exist between being free for some notion of similarity and being definable from its invariants?

18

It may be of interest to compare our proof with that for the Safety Theorem in detail.

19_{For a standard statement and proof of Beth Theorem, including fully explicit definitions for}

5

Further prospects

This paper proposes pursuing a sort of ‘reverse’ meta-logic. Instead of char-acterizing a logical language in terms of general semantic properties, includ-ing invariance, we start with basic logical operations (first-order quantifica-tion, modal or dynamic operators) and identify semantic properties of invari-ance which match these operations best. Our main tool in doing so is the general equivalence between commutation and invariance in Theorem 12. This suggests a line of research into the duality between the ‘semantic’ level of structures and notions of similarity, and the ‘syntactic’ level of operations and notions of invariance for those operations. In particular, in future work, we intend to look atfixed-point logicsextendingM LorF OLto get a closer correspondence between definable operations and invariant ones.

In the same spirit, we think it worth investigatinggeneralized Lindstr¨om theoremswhere the structural invariance relation is no longer given before-hand as is usually done, but considered as a parameter to be freely chosen, just as the set of sentences and the truth relation of the abstract logic.

As for first-order logic versus modal logic, our results in Sections 1 and 2 highlight some new parallels beyond the many that are already known. Even so, one would like to see a still more general ’transfer theory’ between first-order languages with potential isomorphisms and modal languages with bisimulations, probably based on generalized assignment models. Are there still more generaluniform translationsbetween the two realms which have eluded us so far?

Finally, we see the great generality of our approach as a benefit also when it comes to more concrete systems beyond modal and first-order logic. One follow-up project, continuing the interest in dynamic logic in this paper, will be the study of the space of natural logical operations ongames, both se-quential and parallel, and the structural similarity relations appropriate to that much broader area.

References

[1] H. Andr´eka, J. van Benthem, and I. N´emeti. Modal languages and bounded fragments of predicate logic. Journal of Philosophical Logic, 27:217–274, 1998.

[2] D. Bonnay. Qu’est-ce qu’une constante logique ? University Paris I, PhD Dissertation, 2006.

[3] D. Bonnay. Logicality and invariance. Bulletin of Symbolic Logic, 14(6):29–68, 2008.

[4] G.S. Boolos, Burgess J.P., and R.C. Jeffrey. Computability and Logic. Cambridge University Press, fourth edition, 2002.

[6] S. Feferman. Logic, logics, and logicism.Notre Dame Journal of Formal Logic, 40(1):31–54, 1999.

[7] M. Hollenberg. Logic and Bisimulation. Publications of the Zeno Insti-tute of Philosophy, 1998.

[8] J. van Benthem. Exploring Logical Dynamics. Studies in Logic, Lan-guage and Information, CSLI Publications & Cambridge University Press, 1996.

[9] J. van Benthem. Logical constants, the variable fortunes of an elusive notion. In W. Sieg, R. Sommer, and C. Talcott, editors, Reflections on the Foundations of Mathematics: Essays in Honor of Solomon Feferman, pages 420–440. AK Peters, Ltd., 2002.

Johan van Benthem

ILLC, University of Amsterdam Plantage Muidergracht 24

1018 TV AMSTERDAM (Netherlands) & Stanford University

Department of Philosophy

STANFORD, California 94305 (USA) [email protected],

Denis Bonnay

D´epartement d’ ´Etudes Cognitives & IHPST ´

Ecole Normale Sup´erieure 29, rue d’Ulm