hans van dimarsch, ji ruan to cite this version · 2020-07-10 · model checking logic puzzles hans...

HAL Id: hal-00188953https://hal.archives-ouvertes.fr/hal-00188953

Preprint submitted on 19 Nov 2007

HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.

Model Checking Logic PuzzlesHans van Dimarsch, Ji Ruan

To cite this version:

Hans van Dimarsch, Ji Ruan. Model Checking Logic Puzzles. 2007. �hal-00188953�

https://hal.archives-ouvertes.fr/hal-00188953

https://hal.archives-ouvertes.fr

Model Checking Logic Puzzles

Hans van Ditmarsch⋆

[email protected] Ruan†

[email protected]

⋆Computer Science, University of Otago, New Zealand†Computer Science, University of Liverpool, United Kingdom

Résumé :Dans les puzzles épistémiques les annonces d’igno-rance, ou des séquences de tels annonces, sou-vent résultent en connaissances. Nous présentonsle puzzle ‘Quelle Somme ?’, et le modèlisent dansla logique des annonces publiques – un langagelogique avec des opérateurs dynamiques et épisté-miques. La solution du puzzle est controlée avec laprogramme de vérification DEMO.

Mots-clés :communications multi-agent, vérifica-tion des modèles, logique dynamique épistémique,annonce publique

Abstract:A common theme in logic puzzles involvingknowledge and ignorance is that announcementsof ignorance may eventually result in knowledge.We present the ‘What Sum’ riddle. It is modelledin public announcement logic, a modal logic withboth dynamic and epistemic operators. We thensolve the riddle in the model checker DEMO.1

Keywords: agent communication, model check-ing, dynamic epistemic logic, public announce-ment

1 Introduction

The following riddle (transcribed in ourterminology) appeared in Math Horizonsin 2004, as ‘Problem 182’ in a regularproblem section of the journal, edited byA. Liu [8].

Each of agents Anne, Bill, and Cath has apositive integer on its forehead. They can

1We acknowledge input from David Atkinson, Jan van Eijck,Wiebe van der Hoek, Barteld Kooi, and Rineke Verbrugge. Wethank the anonymous MFI referees for their comments. Hansappreciates support from the NIAS (Netherlands Institute forAdvanced Study in the Humanities and Social Sciences) project‘Games, Action, and Social Software’ and the NWO (Nether-lands Organisation for Scientific Research) Cognition Programfor the Advanced Studies grant NWO 051-04-120.

only see the foreheads of others. One of thenumbers is the sum of the other two. Allthe previous is common knowledge. Theagents now successively make the truthfulannouncements:

i. Anne: “I do not know my number.”

ii. Bill: “I do not know my number.”

iii. Cath: “I do not know my number.”

iv. Anne: “I know my number. It is 50.”

What are the other numbers?

You know your own number if and only ifyou know which of the three numbers isthe sum. This ‘What is the sum?’, fromnow on ‘What Sum’, riddle combines fea-tures from wisemen or Muddy Childrenpuzzles [12] with features from the Sumand Product riddle [3, 10]. A common fea-ture in such riddles is that we are givena multi-agent interpreted system, and thatsuccessive announcements of ignorance fi-nally result in its opposite, typically fac-tual knowledge. In a global state of an in-terpreted system [2] each agent or proces-sor has a local state, and there is commonknowledge that each agent only knows itslocal state, and what the extent is of thedomain. If the domain consists of thefull cartesian product of the sets of lo-cal state values, it is common knowledgethat agents are ignorant about others’ lo-cal states. In that case an ignorance an-nouncement has no informative value. Forignorance statements to be informative, thedomain should be more restrictive than thefull cartesian product; and this is the case

139

in all such riddles. As in Muddy Chil-dren, we do not take the ‘real’ state ofthe agent (the number on its forehead) asits local state, but instead the informationseen on the foreheads of others (the othernumbers). This change of perspective is,clearly, inessential. ‘Sum and Product’2 isalso about numbers, and even about sumsof numbers, and the announcements aresimilar. But the structure of the back-ground knowledge is very different (whichwill become clearer after introducing thelogic to describe both riddles).

Other epistemic riddles involve cryptog-raphy and the verification of informationsecurity protocols (‘Russian Cards’, see[19]), or involve communication protocolswith private signals involving diffusion ofinformation in a distributed environment(‘100 prisoners and a lightbulb’, see [21]).

The understanding of such riddles is facili-tated by the availability of suitable specifi-cation languages. For ‘What Sum’ we pro-pose the logic of public announcements,wherein succinct descriptions in the log-ical language are combined with conve-nient relational structures on which to in-terpret them. We also benefit from theavailability of verification tools, to aid in-terpreting such descriptions on such struc-tures. In our case we have used DEMO,an epistemic model checker developed byVan Eijck (seehomepages.cwi.nl/~jve/demo/ and [20]). Some adjust-ments are required (we need a finite ver-sion of the model) to make this modelchecking work. This results in possibly in-

2A says toS andP : I have chosen two integersx, y suchthat1 < x < y andx+y ≤ 100. In a moment, I will informS

only ofs = x+y, andP only ofp = xy. These announcementsremain private. You are required to determine the pair(x, y).

He acts as said. The following conversation now takes place:

i. P says: “I do not know it.”

ii. S says: “I knew you didn’t.”

iii. P says: “I now know it.”

iv. S says: “I now also know it.”

Determine the pair(x, y).[3, translated]

teresting versions of the riddle.

Even though such riddles are often piv-otal to the development and spreading ofa specialisation area—who doesn’t knowabout the ‘Muddy Children’ puzzle?—thedetailed and rockbottom analysis of theirhighly proceduralised features is not nec-essarily considered a serious enough pur-suit to increase our understanding of mul-tiagent system dynamics. May our originalanalysis of ‘What Sum’ be seen as a wor-thy contribution.

Section 2 provides an introduction intopublic announcement logic, and in Sec-tion 3 we analyse ‘What Sum’ in thislogic. Section 4 ‘preprocesses’ the rid-dle for model checking and discusses someversions of the riddle. In Section 5 we in-troduce DEMO, and in Section 6 we spec-ify and verify a finite version of the riddlein that model checker.

2 Public Announcement Logic

Public announcement logic is a dynamicepistemic logic and is an extension of stan-dard multi-agent epistemic logic. Intuitiveexplanations of the epistemic part of thesemantics can be found in [2, 19]. We givea concise overview of, in that order, thelanguage, the structures on which the lan-guage is interpreted, and the semantics.

Given are a finite set of agentsN and afinite or countably infinite set of atomsP . The language of public announcementlogic is inductively defined as

ϕ ::= p | ¬ϕ | (ϕ∧ψ) |Knϕ | CBϕ | [ϕ]ψ

wherep ∈ P , n ∈ N , andB ⊆ N are ar-bitrary. Other propositional and epistemicoperators are introduced by abbreviation.ForKnϕ, read ‘agentn knows formulaϕ’.For example, if Anne knows that her num-ber is 50, we can writeKa50a, whereastands for Anne and some set of atomicpropositions is assumed that contains50a

Model checking logic puzzles___________________________________________________________________________

140

to represent ‘Anne has the number 50.’ ForCBϕ, read ‘group of agentsB commonlyknow formulaϕ’. For example, we havethat Cabc(20b → Ka20b): it is commonknowledge to Anne, Bill, and Cath, thatif Bill’s number is 20, Anne knows that(because she can see Bill’s number on hisforehead)—instead of{a, b, c} we oftenwrite abc. For [ϕ]ψ, read ‘after public an-nouncement ofϕ, formulaψ (is true)’. Forexample, after Anne announces “(I knowmy number. It is 50.)” it is commonknowledge that Bill’s number is 20. Thisis formalised as[Ka50a]Cabc20b.

The basic structure is the epistemic model.This is a Kripke structure, or model,wherein all accessibility relations areequivalence relations. Anepistemic modelM = 〈S,∼, V 〉 consists of adomainSof (factual) states(or ‘worlds’), accessi-bility ∼ : N → P(S × S), where each∼(n) is an equivalence relation, and aval-uation V : P → P(S). For s ∈ S,(M, s) is an epistemic state(also knownas a pointed Kripke model). For∼ (n) wewrite ∼n, and forV (p) we writeVp. Ac-cessibility∼ can be seen as a set of equiv-alence relations∼n, andV as a set of val-uationsVp. Given two statess, s′ in thedomain,s ∼n s′ means thats is indistin-guishable froms′ for agentn on the basisof its information. For example, at the be-ginning of the riddle, triples(2, 14, 16) and(30, 14, 16) are indistinguishable for Annebut not for Bill nor for Cath. Therefore, as-suming a domain of natural number triples,we have that(2, 14, 16) ∼a (30, 14, 16).The group accessibility relation∼B is thetransitive and reflexive closure of the unionof all accessibility relations for the individ-uals inB: ∼B ≡ (

⋃n∈B ∼n)∗. This re-

lation is used to interpret common knowl-edge for groupB. Instead of ‘∼B equiv-alence class’ (∼n equivalence class) wewriteB-class (n-class).

For the semantics, assuming an epistemic

modelM = 〈S,∼, V 〉:

M, s |= p iff s ∈ Vp

M, s |= ¬ϕ iff M, s 6|= ϕM, s |= ϕ ∧ ψ iff M, s |= ϕ andM, s |= ψM, s |= Knϕ iff for all t ∈ S :

s ∼n t impliesM, t |= ϕM, s |= CBϕ iff for all t ∈ S :

s ∼B t impliesM, t |= ϕM, s |= [ϕ]ψ iff M, s |= ϕ implies

M |ϕ, s |= ψ

where modelM |ϕ = 〈S ′,∼′, V ′〉 is de-fined as

S ′ = {s′ ∈ S |M, s′ |= ϕ}∼′

n = ∼n ∩ (S ′ × S ′)V ′

p = Vp ∩ S′

The dynamic modal operator[ϕ] is inter-preted as an epistemic state transformer.Announcements are assumed to be truth-ful, and this is commonly known by allagents. Therefore, the modelM |ϕ is themodelM restricted to all the states whereϕ is true, including access between states.The dual of[ϕ] is 〈ϕ〉: M, s |= 〈ϕ〉ψ iffM, s |= ϕ andM |ϕ, s |= ψ. Formulaϕ isvalid on modelM , notationM |= ϕ, iff forall statess in the domain ofM : M, s |= ϕ.Formulaϕ is valid, notation|= ϕ, iff forall modelsM : M |= ϕ.

A proof system for this logic is presented,and shown to be complete, in [1], withprecursors—namely for public announce-ment logicwithoutcommon knowledge—in [15, 5]. A concise completeness proofis given in [19]. The logic is decidableboth with and without common knowledge[15, 1]. Results on the complexity of bothlogics can be found in [9]. The original[15] also contains a version of the seman-tics (no completeness results) with ‘know-value’-operators that can be said to for-malise infinitary conjunctions (or disjunc-tions), including announcements of suchformulas with corresponding restriction ofthe domain to those states where the for-mula is true. To analyse ‘What Sum’ weneed to refer to that extension (that we pre-fer to leave informal for the sake of the ex-position).

____________________________________________________________________________Annales du LAMSADE N°8

141

In public announcement logic, not all for-mulas remain true after their announce-ment, in other words,[ϕ]ϕ is not a prin-ciple of the logic. Some formulas involv-ing epistemic operators becomefalseafterbeing announced! For a simple example,consider that Bill were to tell Anne (truth-fully) at the initial setting of the riddle:“Your number is 50 but you don’t knowthat.” Interpreting ‘but’ as a conjunction,this is formalised as50a ∧ ¬Ka50a. Af-ter the announcement, Anne knows thather number is 50:Ka50a. Therefore theannounced formula, that was true beforethe announcement, has become false afterthe announcement. In the somewhat dif-ferent setting that formulas of formp ∧¬Knp cannot be consistently known thisphenomenon is called the Moore-paradox[11, 7]. In the underlying dynamic settingit has been described as anunsuccessfulupdate[5, 19]. Similarly, ignorance state-ments in ‘What Sum’ such as Anne sayingthat she does not know her number, may indue time lead to Anne knowing her num-ber, the opposite of her ignorance.

3 Formalisation of ‘What Sum’

The set of agents{a, b, c} represent Anne,Bill and Cath, respectively. Atomic propo-sitionsin represent that agentn has naturalnumberi on its forehead. Therefore the setof atoms is{in | i ∈ N

+ andn ∈ {a, b, c}}.

If Anne sees (knows) that Bill has 20 onhis forehead and Cath 30, we describethis asKa(20b ∧ 30c). If an upper boundmax for all numberswerespecified in theriddle, the number of states would be fi-nite and “knowing the others’ numbers”would be described as

∨y,z≤max

Ka(yb ∧

zc). For model checking it is relevant topoint out that this expression is equiva-lent to

∧y,z≤max

(yb ∧ zc) → Ka(yb ∧ zc),given that different Bill/Cath number pairsare mutually exclusive, and using standardvalidities for the logic. The latter formis ‘cheaper’ to model check than the for-

mer, because the truth of the boolean con-dition in the conjuncts of the latter can bedetermined in a given state, whereas anepistemic statement requires checks in thatagent’s entire equivalence class.

For ‘What Sum’, Anne seeing the num-bers of Bill and Cath is therefore describedas theinfinitary

∨y,z∈N+ Ka(yb ∧ zc), and

Anne saying: “I don’t know my number”is similarly described as¬

∨x∈N+ Kaxa

(or∧

x∈N+(xa → ¬Kaxa)). Infinitary de-scriptions are, unlike infinitely large mod-els, not permitted in this (propositional)logic. Our model checking results will befor a finite version of the riddle.

The epistemic modelT = 〈S,∼, V 〉 is de-fined as follows, assuming positive naturalnumbersx, y, z.

S ≡ {(x, y, z) | x = y+z ory = x+z orz = x+y}

(x, y, z) ∼a (x′, y′, z′) iff y = y′ andz = z′

(x, y, z) ∼b (x′, y′, z′) iff x = x′ andz = z′

(x, y, z) ∼c (x′, y′, z′) iff x = x′ andy = y′

(x, y, z) ∈ Vxa

(x, y, z) ∈ Vyb

(x, y, z) ∈ Vzc

The fine-structure of the epistemic modelT is not apparent from its formal defini-tion. A relevant question is what the back-ground knowledge is that is available tothe agents, i.e., what theabc-classes in themodel are (anabc-class, or{a, b, c} equiv-alence class, of a states in the model con-sists of all statest such thats ∼{a,b,c} t,where ∼{a,b,c} = (∼a ∪ ∼b ∪ ∼c)

∗,as above). Such a computation was per-formed by Panti [14] for ‘Sum and Prod-uct’ (see footnote 2), which revealed threeclasses: either (in two of the three classes)the solution of the problem is already com-mon knowledge in the initial state, or theagents commonly know that the sum ofthe numbers is at least 7. This means thatin ‘Sum and Product’ not very much iscommonly known. In contrast, a modelTfor ‘What Sum’ has a very different struc-ture, with many more common knowledgeclasses. It is therefore quite informative to


142

know what they are, and we will describethem in detail.

An abc-class inT can be visualised asan infinite binary tree. The depth of thetree reflects the following order on num-ber triples in the domain ofT : (x, y, z) >(u, v, w) iff (x > u andy = v andz = w)or (x = u and y > v and z = w) or(x = u and y = v and z > w). If(x, y, z) > (u, v, w) according to this def-inition, (x, y, z) is a child of (u, v, w) inthat tree. Every node except the root hasone predecessor and two successors, as inFigure 1.

. . .(|x− y|, x, y)

(x+ y, x, y)

(x+ y, x+ 2y, y) (x+ y, x, 2x+ y). . . . . .

a

b c

Figure 1: Modulo agent symmetry, all parts ofthe modelT branch as here. Arcs connecting nodesare labelled with the agent who cannot distinguishthose nodes.

The root of each tree has label(2x, x, x)or (x, 2x, x) or (x, x, 2x). Differently said,given three natural numbers such that oneis the sumof the other two, replace thatsum by thedifferenceof the other two;one of those other two has now becomethe sum; if you repeat the procedure, youalways end up with two equal numbersand their sum. An agent who sees twoequal numbers, immediately infers that itsown number must be their sum (twice thenumber that is seen), because otherwise itwould have to be their difference 0 whichis not a positive natural number. It will beobvious that: the structure truly is a for-est (a set of trees), because each node onlyhas a single parent; all nodes except rootsare triples of threedifferentnumbers; andall trees are infinite. Allabc-trees are iso-morphic modulo(i) a multiplication fac-tor for the numbers occurring in the ar-guments of the node labels, and modulo(ii) a permutation of arguments and a cor-

responding swap of agents, i.e., swap ofarc labels. For example, the numbers oc-curring in the tree with root(6, 3, 3) arethrice the corresponding numbers in thetree with root(2, 1, 1); the tree with root(2, 1, 1) is like the tree for root(1, 2, 1) byapplying permutation(213) to argumentsand (alphabetically ordered) agent labelsalike. The left side of Figure 3 showsthe trees with roots(2, 1, 1), (1, 2, 1), and(1, 1, 2). For simplicity, we write 211 in-stead of(2, 1, 1), etc. In the left tree,for Bill (2, 1, 1) is indistinguishable from(2, 3, 1) wherein his number is the sum ofthe other two instead of their difference;for Anne triple (2, 3, 1) is indistinguish-able from(4, 3, 1), etc.

Processing Announcements The result of anannouncement (whether described infini-tary or not) is the restriction of the modelto all states where the announcement istrue. We can also apply this to the igno-rance announcements of agents in ‘WhatSum’. Consider anabc-treeT in T . Letn be an arbitrary agent. Either the rootof T is a singletonn-class, or all itsn-classes consist of two elements: a two-element class represents the agent’s uncer-tainty about its own number. An ignoranceannouncement by agentn in this riddlecorresponds to removal of all singletonn-classes from the modelT . This means thatsomeof the model’s trees are split into twosubtrees (with both children of the originalroot now roots of infinite trees).

An ignorance announcement may havevery different effects onabc-classes thatare the same modulo agent permutations.For example, givenabc-classes inT withroots 121, 112, and 211, the effect of Annesaying that she does not know her numberonly results in elimination of 211, as onlythe firstabc-class contains ana-singleton.Given 211, Anne knows that she has num-ber 2 (as 0 is excluded). But triple 112 shecannot distinguish from 312, and 121 notfrom 321. Thus one proceeds with all threeannouncements. See also Figure 2.


143

211

231 213

431 235 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

b c

a c a b

b c a b b c a c

231 213

431 235 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

a c a b

b c a b b c a c

213

431 235 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

a b

b c a b b c a c

431 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

b c b c a c

Figure 2: The results of three ignorance an-nouncements on theabc-class with root(2, 1, 1).

Solving the riddle We have now sufficientbackground to solve the riddle. We applythe successive ignorance announcementsto the three classes with roots(2, 1, 1),(1, 2, 1), and(1, 1, 2), determine the tripleswherein Anne knows the numbers, andfrom those, wherein Anne’s number di-vides 50. See Figure 3—note that intriple (8, 3, 5) Anne also knows her num-ber: the alternative(2, 3, 5) wherein hernumber is 2 has been eliminated by Cath’s,last, ignorance announcement. Theuniquetriple wherein Anne’s number divides 50is (5, 2, 3). In other words, the uniqueabc-tree in theentire model T where Anneknows that she has 50 after the three ig-norance announcements, is the one withroot(10, 20, 10). The solution to the riddleis therefore that Bill has 20 and Cath has30. After the three announcements in theabc-class with root(10, 20, 10), the triple(50, 20, 30) remains wherein Anne knowsthat Bill has 20 and Cath 30.

211

231 213

431 235 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

b c

a c a b

b c a b b c a c

431 413 253

451 437 835 275 473 415 853 257. . . . . . . . . . . . . . . . . . . . . . . .

b c b c a c

121

321 123

341 325 143 523

541 347 385 725 743 145 583 527. . . . . . . . . . . . . . . . . . . . . . . .

a c

b c b a

a c b a a c b c

321

341 325 143 523

541 347 385 725 743 145 583 527. . . . . . . . . . . . . . . . . . . . . . . .

b c

a c b a a c b c

112

132 312

134 532 314 352

154 734 538 572 374 514 358 752. . . . . . . . . . . . . . . . . . . . . . . .

b a

c a c b

b a c b b a c a

132 312

134 532 314 352

154 734 538 572 374 514 358 752. . . . . . . . . . . . . . . . . . . . . . . .

c a c b

b a c b b a c a

Figure 3:On the left,abc-classes of the modelTwith root 211, 121, and112. Any otherabc-classis isomorphic to one of these, modulo a multipli-cation factor. The results of the (combined) threeignorance announcements on thoseabc-classes areon the right. The triples in bold are those whereAnne knows her number.

The original riddle could have more re-strictive: in the quoted version [8] it isnotrequired to determine who holds whichother number, but as we have seen this canalso be determined. It also occurred tous that the original riddle could have beenposed differently (and we tend to think, farmore elegantly) as follows:

Each of agents Anne, Bill, and Cath has apositive integer on its forehead. They canonly see the foreheads of others. One of thenumbers is the sum of the other two. Allthe previous is common knowledge. Theagents now successively make the truthfulannouncements:

i. Anne: “I do not know my number.”

ii. Bill: “I do not know my number.”

iii. Cath: “I do not know my number.”

What are the numbers, if Anne now knowsher number and if all numbers are prime?

Consulting Figure 3, it will be obvious thatthe answer should be: ‘5, 2, and 3’.


144

4 Towards Model Checking

To be able to use a model checker we needa finite approximation of the model. Sup-pose we use an upper boundmax for thenumbers. LetT max be the correspond-ing epistemic model. Anabc-tree is nowcut at the depth where nodes(x, y, z) oc-cur such that the sum of two of the ar-gumentsx, y, z exceedsmax. This finiteapproximation may not seem a big dealbut it makes the problem completely dif-ferent:abc-classes will not just haverootswherein the agent may know his number(because the other numbers are equal) butwill also have leaveswherein the agentmay know his number (because the sumof the other two numbers exceedsmax).In other words, we have far more single-ton equivalence classes. Letmax = 10.Node (2, 5, 7) in the abc-class with root(2, 1, 1) has only ab-child (2, 9, 7) and ac-parent(2, 5, 3), and not ana-child, as5 + 7 = 12 > max. So Anne immedi-ately knows that her number is 2. All roots(2x, x, x) with 3x > max form singletonabc-classes inT max, for the same reason.

In such models it is no longer the casethat all equivalence classes are isomorphicmodulo a multiplication factor and swap-ping of agent labels. For a given upperboundmax we still have that, ifx > y, theabc-classT with root (2x, x, x) is a prefix(in a partially ordered sense) of theabc-classT ′ with root (2y, y, y), which impliesthatT ⊆ T ′ (modulo a factory

xfor num-

bers occurring inT ). For different upperboundsmax,max

′ we have that (literally)T max ⊆ T max

′

iff max ≤ max′.

Under these circumstances it is less clearwhat constitutes an exhaustive search of‘all possibilities that remain after an an-nouncement’. Fortunately, we are nowtalking aboutformalannouncements in thelanguage of public announcement logic.The following non-trivial result is essen-tial. Let T, T ′ be different epistemic mod-

els T for ‘What Sum’ (i.e., for differentupper boundsmax) or, modulo a multi-plication factor, differentabc-classes in agivenT model.

If T ⊆ T ′ and~ϕ is a sequence of ignoranceannouncements executable in bothT andT ′, thenT |~ϕ ⊆ T ′|~ϕ.

The proof is simple, and by induction onthe number of such announcements. Con-sider a next ignorance announcementψbeing made, by agentn. As said, it re-moves singleton equivalence classes forthat agent. IfT ⊆ T ′ it may be thatsome singletonn-classes inT were two-staten-classes inT ′. These will there-fore be omitted when executing the an-nouncement ofψ in T , whereas they wouldhave been preserved when executing thesame announcement inT ′. There areno other differences in execution: alln-classes that were singleton in bothT andT ′ will be omitted anyway as a result ofthe ψ-announcement. Therefore, we stillhave thatT |ψ ⊆ T ′|ψ.

This may seem obvious. But it is far fromthat: for arbitraryM ′ ⊆M and arbitraryϕwe donot have thatM ′|ϕ ⊆ M |ϕ. Let usgive a counterexample. Given agentsa, band state variablesp, q (in 10 p is true andq is false) consider the (two-state) modelM ′ = 11|a|10, which is a restriction ofthe (three state) modelM = 11|a|10|b|01.Considerϕ = Kbq∨Kb¬q, for ‘Bill knowswhetherq.’ Then M ′|ϕ = M ′, whereasM |ϕ is the singleton model consisting ofstate 11 whereina and b have commonknowledge ofp andq. ThereforeM ′ ⊆MbutM ′|ϕ 6⊆M |ϕ.

Apart from having an upper bound we dis-cuss one other, less essential, change: sup-pose we start counting from 0 instead of1. In that case eachabc-equivalence classwith root (2x, x, x) is extended with onemore node: the new root(0, x, x) is indis-tinguishable from(2x, x, x) for Anne. Anagent who sees a 0, infers that his number


145

must be the other number that (s)he sees.If there is a 0, two of the three agents seethat. Therefore, the root has just one child(2x, x, x); if the triple is (0, x, x) Bill andCath know that their number isx.3

Theabc-class with root011 from the epis-temic modelT 10

0 (upper bound 10, lowerbound 0) is displayed on the left in Fig-ure 4. The result of the three ignoranceannouncements is displayed on the right.We can now investigate different versionsof the problem. The model checker is thenhelpful because some versions are hard toverify with pencil and paper, or mere men-tal computation. For example, we consid-ered the version: If0 ≤ x, y, z ≤ max,for which values ofmax does Anneal-waysknow the numbers after the three an-nouncements? This range is8 ≤ max ≤13 (so, for 7 not all three announcementscan be made truthfully, and for 14 it maybe that Anne does not know her num-ber) and this includesmax = 10. Fig-ure 4 shows that fromabc-class with root011 the triples 211 and 213 remain. Inboth cases Anne knows her number. Sim-ilar computations show that from theabc-classes with root 101 and 110 no triples re-main. In other words, the announcementscould not all three have been made (truth-fully) if the number triple occurs in eitherof those two classes. Using the proper-ties of inclusion for differentabc-classes,we have now ruled out all classes of typex0x andxx0 and only have to check otherclasses of type0xx. From class022, thetriples 242 and 246 remain after the threeannouncements (and the ones with root033 and beyond are empty again). There-fore, whatever the numbers, Anne now

3Suppose there is no upper bound but 0 is still allowed—every audience being presented with this riddle for positive in-tegers contains at least one person asking if 0 is allowed. This isan interesting variation. Anne will still learn her own number ifit is 50 from the three ignorance announcements, but the reader(‘problem solver’) can now no longer deduce Bill’s and Cath’snumber in that case: these can now also be 25 and 25. Thereader should be able to determine this easily by contemplatingFigure 3. From the models resulting from the three ignoranceannouncements, onlyonenow looks different. Which one?

011

211

231 213

431 235 413 253

451 437 835 275 473 415 853 257

297651 459 A37 279 A73 615 495 297

671

871

891

A91

617

817

819

A19

a

b c

a c a b

b c a b b c a c

a c a c a a b b

b

a

b

a

c

a

c

a

211

213

c

Figure 4: Theabc-class with root 011 in modelT 10

0, and the result of three ignorance announce-

ments. The horizontal order of branches has nomeaning. Symbol A represents 10.

knows her number. But the problem solvercannot determine what that number is (itmay be 1, or it may be 2) and also cannotdetermine what the other numbers are, noteven if it is also known what Anne’s num-ber is (if it is 1, the other numbers may be2 and 1, or 2 and 3; and similarly if it is 2).

5 Model Checker DEMO

Epistemic model checkers with dynamicfacilities have been developed to ver-ify properties of interpreted systems,knowledge-based protocols, and variousother multi-agent systems. Examples areMCK [4], MCMAS [16], and recent workby Su [17]. All those model checkers usethe interpreted systems architecture, andexploration of the search space is based onordered binary decision diagrams. Theirdynamics are expressed in temporal ortemporal epistemic (linear and/or branch-ing time) logics.

A different model checker, not basedon a temporal epistemic architecture, isDEMO. It has been developed by VanEijck [20]. DEMO is short for Dynamic


146

Epistemic MOdelling. It allows mod-elling epistemic updates, graphical displayof Kripke structures involved, and for-mula evaluation in epistemic states. Thisgeneral purpose model checker has alsomany other facilities. DEMO is writtenin the functional programming languageHaskell.

The model checker DEMO implementsthe dynamic epistemic logic of [1]. Inthis ‘action model logic’ the global stateof a multi-agent system is represented byan epistemic model. But more epistemicactions are allowed than just public an-nouncements, and each epistemic actionis represented by anaction model. Justlike an epistemic model, an action modelis also based on a multi-agent Kripkeframe, but instead of carrying a valuationit has a precondition function that assignsa precondition to each point in the actionmodel. A point in the action model domainstands for an atomic action.

The epistemic state change in the systemis via a general operation called theupdateproduct: this is a way to produce a singlestructure (the next epistemic model) fromtwo given structures (the current epistemicmodel and the current action model). Wedo not give details, as we restrict our atten-tion to very simple action models, namelythose corresponding to public announce-ments. Such action models have a single-ton domain, and the precondition of thatpoint is the announced formula. The nextepistemic model is produced from the cur-rent epistemic model and the singleton ac-tion model for the announcement by themodel restriction introduced in Section 2.

The recursive definition of formulasin DEMO includes (we omitted theclause for updates)Form = Top | PropProp | Neg Form | Conj [Form] |Disj [Form] | K Agent Form | CK[Agent] Form . FormulaTop stands for⊤, Prop Prop for atomic propositionalletters (the first occurrence ofProp means

that the datatype is ‘propositional atom’,whereas the second occurrence ofProp isthe placeholder for an actual propositionletter, such asP 3), Neg for negation,Conj[Form] stands for the conjunction of a listof formulas of typeForm, similarly forDisj, K Agent stands for the individualknowledge operator for agentAgent, andCK [Agent] for the common knowledgeoperator for the group of agents listed in[Agent].

The pointed and singleton action modelfor a public announcement is created bya function public with a precondition(the announced formula) as argument.The update operation is specified asupd:: EpistM -> PoAM -> EpistM ; hereEpistM is an epistemic state andPoAM is apointed action model, and the update gen-erates a new epistemic state. If the in-put epistemic stateEpistM corresponds tosome(M, s), then in case of the truthfulpublic announcement ofϕ the resultingEpistM has the form(M |ϕ, s). We canalso update with a list of pointed actionmodels: upds :: EpistM -> [PoAM]-> EpistM .

Complexity Each model restrictionM |ϕrequires determining the set{s ∈ D(M) |M, s |= ϕ}. Given a modelM , a states, and a formulaϕ, checking whetherM, s |= ϕ can be solved in timeO(|M | ×|ϕ|), where|M | is the size of the modelas measured in the size of its domain plusthe number of pairs in its accessibility re-lations, and where|ϕ| is the length of theformula ϕ. This result has been estab-lished by the well-known labelling method[6, 2]. This method is based on dividingϕinto subformulas. One then orders all thesesubformulas, of which there are at most|ϕ|, by increasing length. For each subfor-mula, all states are labelled with either theformula or its negation, according to thevaluation of the model and based on theresults of previous steps. This is a bottom-up approach, in the sense that the labellingstarts from the smallest subformulas. So


147

it ensures that each subformula is checkedonly once in each state.

In DEMO (v1.02) the algorithm to checkwhether M, s |= ϕ does not employthis bottom-up approach. Instead, it usesa top-down approach, starting with theformula ϕ and recursively checking itslargest subformulas. For example, tocheck whetherM, s |= Kaψ, the algo-rithm checks whetherM, s′ |= ψ for alls′ such thats ∼a s

′, and then recursivelychecks the subformulas ofψ. This algo-rithm isO(|M ||ϕ|), since each subformulamay need to be checked|M | times, andthere are at most|ϕ| subformulas ofϕ. So,theoretically, DEMO’s algorithm is quiteexpensive.

In practice it is less expensive, because theHaskell language and its compiler and in-terpreter support a cache mechanism: afterevaluating a function, it caches some re-sults in memory for reuse (see e.g. [13]).Since it is hard to predict what resultswill be cached and for how long, we can-not give an estimate how much the cachemechanism influences the computationalresults for DEMO. See also [18]. Compu-tational results for the experiments in thenext section are given in footnote 5.

6 ‘What Sum’ in DEMO

The DEMO programSUMXYZ.hs, dis-played in Figure 5, implements the‘What Sum’ problem for upper boundmax = 10.4 The list triples =triplesx ++ triplesy ++ triplesz(this is a union (++) of three lists) cor-responds to the set of possible triples(x, y, z) for the given bound 10—note thatin Haskell we are required to define suchsets as lists. The next part of the programconstructs the domain based on that list:this merely means that each member of thelist must be associated with a state name.

4The program is original but should be considered a versionof the DEMO program for ‘Sum and Product’ in [18].

module SUMXYZwhereimport DEMOupb = 10-- constrained triples (x,y,z) with x,y,z <= upbtriplesx = [(x,y,z)|x<-[0..upb], y<-[0..upb],

z<-[0..upb], x==y+z]triplesy = [(x,y,z)|x<-[0..upb], y<-[0..upb],

z<-[0..upb], y==x+z]triplesz = [(x,y,z)|x<-[0..upb], y<-[0..upb],

z<-[0..upb], z==x+y]triples = triplesx ++ triplesy ++ triplesz-- associating states with number triplesnumtriples = llength(triples)llength [] =0llength (x:xs) = 1+ llength xsitriples = zip [0..numtriples-1] triples-- initial multi-pointed epistemic modelthree :: EpistMthree =(Pmod [0..numtriples-1] val acc [0..numtriples-1])whereval = [(w,[P x,Q y,R z])|(w,(x,y,z))<-itriples]acc = [(a,w,v)| (w,(x1,y1,z1))<-itriples,

(v,(x2,y2,z2))<-itriples,y1==y2,z1==z2]++[(b,w,v)| (w,(x1,y1,z1))<-itriples,(v,(x2,y2,z2))<-itriples,x1==x2,z1==z2]++

[(c,w,v)| (w,(x1,y1,z1))<-itriples,(v,(x2,y2,z2))<-itriples, x1==x2, y1==y2]

-- agents a,b,c say: I do not know my numberfagxnot = Conj [(Disj[Neg (Prop (P x)),

Neg (K a (Prop (P x))) ])| x <-[0..upb]]aagxnot = public (fagxnot)fagynot = Conj [(Disj[Neg (Prop (Q y)),

Neg (K b (Prop (Q y))) ])| y <-[0..upb]]aagynot = public (fagynot)fagznot = Conj [(Disj[Neg (Prop (R z)),

Neg (K c (Prop (R z))) ])| z <-[0..upb]]aagznot = public (fagznot)-- model restriction from announcementsresult =showM (upds three [aagxnot, aagynot, aagznot])

Figure 5:The DEMO programSUMXYZ.hs

State names must be consecutive numbers,counting from 0. The association is ex-plicit in the list itriples that consists ofpairs of which the first argument is a num-ber (from the list[0..numtriples-1])and the second argument is one of thetriples (x, y, z) in the list triples. Theinitial model T 10

0 is then represented asthree in the program. The expression(Pmod [0..numtriples-1] val acc[0..numtriples-1]) definesthree asan epistemic model (Pmod), with domain[0..numtriples-1], valuation val, aset (list) of accessibility relationsacc(and [0..numtriples-1] points—leftunexplained here). Inval we find forexample(67,[p6, q8, r2]) which says


148

that state number 67 corresponds to triple(6, 8, 2). Given(43,[p10, q8, r2]) wenow find(a,43,67) in acc.

Anne’s announcement that she does notknow her number is represented as the ac-tion modelaagxnot constructed from theannouncement formulafagxnot by thefunctionpublic. The formulafagxnot isdefined asConj [(Disj[Neg (Prop (Px)), Neg (K a (Prop (P x))) ])|x<-[0..upb]] . This specifies that what-everx is (x <-[0..upb]), if Anne has itshe does not know it(Disj[Neg (Prop(P x)), Neg (K a (Prop (P x))) ]).The last corresponds to¬xa ∨ ¬Kaxa,which is equivalent toxa → ¬Kaxa.Therefore, the whole expression corre-sponds to

∧0≤x≤10 xa → ¬Kaxa. This

is the computationally cheaper versionalso formalised as¬

∨0≤x≤10Kaxa, see

Section 3.

The final line in the program asks to dis-play the results of the three ignorance an-nouncements. Its output is

==> [0,1,2,3][0,1,2,3](0,[p2,q1,r1])(1,[p1,q3,r2])(2,[p1,q3,r4])(3,[p2,q1,r3])

(a,[[0],[1],[2],[3]])(b,[[0],[1],[2],[3]])(c,[[0,3],[1,2]])

States are sequentially renumbered start-ing from 0 after each update. The four re-maining triples 211, 132, 134, and 213 areclearly shown, see also Figure 4. Anne al-ways knows her number, as her partitionon the set of four states is the identity (andso does Bill, but not Cath).5

5We did experiments in a PC configured as Windows XP,AMD CPU 1.8Ghz, with 1G RAM. We use the Glasgow HaskellCompiler Interactive (GHCi) version 6.4.1, enabling the option“:set +s” to display information after evaluating each expres-sion, including the elapsed time and number of bytes allocated.The results for time and space consumption of the crucialupdsmsnp [aagxnot,aagynot,aagznot] are as follows: forupb=10, time: 1.59 seconds, and space: 29,075,432 bytes; togive an impression of how this scales up: forupb=20, time:30.31 seconds, and space: 334,474,032 bytes; forupb=30,time: 193.20 seconds, and space: 1,706,593,672 bytes.

We hope that this rather summaryoverview of DEMO nevertheless re-veals its enormous versatility as a modelchecker. E.g., to check which statesremain when a different upper bound ischosen, one merely has to replace the lineupb = 10 in the program by that otherupper bound. In general, the enormousadvantage of this model checker is that itallows for a separate specification of theinitial model and the subsequent dynamicfeatures, as in the original riddle (and,typically, as in the specification of thedynamics of a multiagent system to beformally modelled).

7 Conclusions

We presented an original analysis of anepistemic riddle, and formalised a finiteversion of the riddle with the use of publicannouncement logic and epistemic modelchecking. Crucial in the analysis was tomodel the riddle as an interpreted system,and to focus on the description of the back-ground knowledge, i.e.,abc-equivalenceclasses of the epistemic model. We intro-duced the model checker DEMO and thespecification of the riddle in DEMO.

We think that detailed analysis of logicpuzzles contributes to the understandingof logical tools and formalisms, and howto apply them to model multiagent sys-tem dynamics. In particular, the specifi-cation of security protocols in DEMO is,we think, promising. In our experienceswith specifying such protocols, DEMOcompares favourably to other state-of-the-art model checkers MCK and MCMAS—of course we would not dare to suggestthat DEMO is ‘better’: when specifyinga problem in which public announcementsare essential, it is not surprising that atool specially developed for such dynam-ics functions well.

Future development of DEMO may in-volve (Jan van Eijck, personal communi-


149

cation) facilities to model not merely in-formation change, such as incoming newinformation, but also factual change. Thiswould expand the use of this tool to modelplanning protocols, security protocols thatinclude key exchange, etc. We are muchlooking forward to that development.

References[1] A. Baltag, L.S. Moss, and S. Solecki.

The logic of public announcements, com-mon knowledge, and private suspicions. InI. Gilboa, editor,Proceedings of TARK VII,pages 43–56, 1998.

[2] R. Fagin, J.Y. Halpern, Y. Moses, and M.Y.Vardi. Reasoning about Knowledge. MITPress, Cambridge MA, 1995.

[3] H. Freudenthal. (formulation of the sum-and-product problem).Nieuw Archief voorWiskunde, 3(17):152, 1969.

[4] P. Gammie and R. van der Meyden. MCK:Model checking the logic of knowledge. InR. Alur and D. Peled, editors,Proceedings ofCAV 04, pages 479–483. Springer, 2004.

[5] J.D. Gerbrandy. Bisimulations on PlanetKripke. PhD thesis, University of Amster-dam, 1999. ILLC Dissertation Series DS-1999-01.

[6] J.Y. Halpern and M.Y. Vardi. Model check-ing vs. theorem proving: a manifesto. InV. Lifschitz, editor,Artificial intelligence andmathematical theory of computation: papersin honor of John McCarthy, pages 151–176,San Diego, CA, USA, 1991. Academic PressProfessional, Inc.

[7] J. Hintikka. Knowledge and Belief. CornellUniversity Press, Ithaca, NY, 1962.

[8] A. Liu. Problem section: Problem 182.MathHorizons, 11:324, 2004.

[9] C. Lutz. Complexity and succinctness of pub-lic announcement logic. InProceedings ofAAMAS 06, pages 137–144, 2006.

[10] J. McCarthy. Formalization of two puzzlesinvolving knowledge. In V. Lifschitz, ed-itor, Formalizing Common Sense : Papersby John McCarthy. Ablex Publishing Cor-poration, Norwood, N.J., 1990. originalmanuscript dated 1978–1981.

[11] G.E. Moore. A reply to my critics. InP.A. Schilpp, editor,The Philosophy of G.E.Moore, pages 535–677. Northwestern Univer-sity, Evanston IL, 1942. The Library of Liv-ing Philosophers (volume 4).

[12] Y.O. Moses, D. Dolev, and J.Y. Halpern.Cheating husbands and other stories: a casestudy in knowledge, action, and communica-tion. Distributed Computing, 1(3):167–176,1986.

[13] N. Nethercote and A. Mycroft. The cachebehaviour of large lazy functional programson stock hardware.SIGPLAN Notices, 38(2supplement):44–55, 2003.

[14] G. Panti. Solution of a number theoreticproblem involving knowledge.InternationalJournal of Foundations of Computer Science,2(4):419–424, 1991.

[15] J.A. Plaza. Logics of public communications.In M.L. Emrichet al., editors,Proceedings ofthe 4th International Symposium on Method-ologies for Intelligent Systems, pages 201–216. Oak Ridge National Laboratory, 1989.

[16] F. Raimondi and A.R. Lomuscio. Verifica-tion of multiagent systems via ordered bi-nary decision diagrams: An algorithm and itsimplementation. InProceedings of AAMAS04, pages 630–637. IEEE Computer Society,2004.

[17] K. Su. Model checking temporal logics ofknowledge in distributed systems. In D. L.McGuinness and G. Ferguson, editors,Pro-ceedings of AAAI 04, pages 98–103. AAAIPress / The MIT Press, 2004.

[18] H.P. van Ditmarsch, J. Ruan, and R. Ver-brugge. Sum and product in dynamic epis-temic logic. Journal of Logic and Computa-tion, 2007. To appear.

[19] H.P. van Ditmarsch, W. van der Hoek, andB.P. Kooi. Dynamic Epistemic Logic, volume337 ofSynthese Library. Springer, 2007.

[20] J. van Eijck. Dynamic epistemic modelling.Technical report, Centrum voor Wiskunde enInformatica, Amsterdam, 2004. CWI ReportSEN-E0424.

[21] W. Wu. 100 prisoners and a lightbulb.www.ocf.berkeley.edu/~wwu/papers/100prisonersLightBulb.pdf, 2001.


150

hans van dimarsch, ji ruan to cite this version · 2020-07-10 · model checking logic puzzles hans...

Documents