Regular Model Checking Approach to Knowledge Reasoning over Parameterized Systems (technical report)
Daniel Stan
Technical University of Kaiserslautern
Anthony W. Lin
Technical University of Kaiserslautern
ABSTRACT
We present a general framework for modelling and verifying epistemic properties over parameterized multi-agent systems that communicate by truthful public announcements. In our framework, the number of agents or the amount of certain resources are parameterized (i.e. not known a priori), and the corresponding verification problem asks whether a given epistemic property is true regardless of the instantiation of the parameters. For example, in a muddy children puzzle, one could ask whether each child will eventually find out whether (s)he is muddy, regardless of the number of children. Our framework is regular model checking (RMC)-based, wherein synchronous finite-state automata (equivalently, monadic second-order logic over words) are used to specify the systems. We propose an extension of public announcement logic as specification language. Of special interest is the addition of the so-called iterated public announcement operators, which are crucial for reasoning about knowledge in parameterized systems. Although the operators make the model checking problem undecidable, we show that this becomes decidable when an appropriate “disappearance relation” is given. Further, we show how Angluin’s L*-algorithm for learning finite automata can be applied to find a disappearance relation, which is guaranteed to terminate if it is regular. We have implemented the algorithm and apply this to such examples as the Muddy Children Puzzle, the Russian Card Problem, and the Large Number Challenge.
KEYWORDS
Epistemic; Public Announcement Logic; Regular Model Checking; Automaton Learning; Parameterized; Muddy Children
Consider the standard muddy children puzzle in knowledge reasoning [11]. Suppose that there are a total of 𝑁 children, where 𝑀 ∈ {1, …, 𝑁} of them have mud on their forehead. Each child can observe whether another child (but not himself) has mud on their forehead. The muddy children protocol goes in rounds. At each round, the father declares that there is a muddy child (i.e. with mud on their forehead), and asks the children whether they know if they are muddy, to which the children can answer yes/no. The announcements made by the children are observable by the other children. After a few rounds (more precisely 𝑀 rounds), all children will discover the so-called common knowledge of which children (including themselves) are muddy and which are not, regardless of the value of the parameters 𝑀 and 𝑁 (e.g. see [11]).

The muddy children puzzle, as stated above, can be seen as a typical example of a parameterized verification problem [4, 8, 16, 17], but with respect to epistemic properties. Even though the problem was shown to be decidable for a simple safety property by Apt and Kozen in the 80s [6], the past twenty years or so have witnessed a lot of progress in the field of parameterized verification (e.g., see [1, 8, 38, 39] for excellent surveys). Researchers resort to either (1) general semi-algorithmic techniques that are applicable to general systems, but either without a termination guarantee or where the method might terminate with a “don’t know” answer, or (2) restriction to decidable subproblems (e.g. obtained by imposing certain structures on the parameterized systems).

Proc. of the 20th International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2021), U. Endriss, A. Nowé, F. Dignum, A. Lomuscio (eds.), May 3–7, 2021, Online. © 2021 All rights reserved. This is the authors’ version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record is published in the aforementioned proceedings.
More recently, the parameterized verification problem was also considered in the setting of multi-agent systems (e.g., see [4, 8, 16, 17, 20]). Despite this, very little work has been done on the parameterized verification problem with respect to epistemic properties, in particular work which is applicable in the simple setting of the muddy children example. This is an extremely challenging problem, as most of the research on parameterized system verification over the past few decades has concerned simple safety properties, and only recently liveness properties.

Summary of Results.
We propose a framework for modelling and model-checking epistemic properties over parameterized multi-agent systems. Our emphasis in this paper is on general semi-algorithmic solutions that can lend themselves to automatically solving a variety of interesting examples in knowledge reasoning. While our semi-algorithm is not guaranteed to terminate in general, we provide a general termination condition, which is proved to subsume examples like the Muddy Children Puzzle, the Large Number Challenge, and the Russian Card Problem. We detail our results below.

Firstly, let us recall a standard setting in the finite non-parameterized case using Public Announcement Logic (PAL) [25, 35] (also see [32, 34, 36], which provide more detailed modelling and a finite-state model checker). The system is represented by a finite Kripke structure, each of whose (binary) accessibility relations $\sim_a$ (for each agent 𝑎) satisfies the S5 axioms, i.e., $\sim_a$ is an equivalence relation (reflexive, symmetric, and transitive). That way, $\sim_a$ can be interpreted as knowledge-indistinguishability by agent 𝑎. PAL then is simply a standard modal logic with one accessibility relation per agent, as well as public announcement modalities {𝜑!}, whereby each agent learns about 𝜑. A standard application of the public announcement operator is to model the announcement of a child in the muddy children protocol, who declares that he knows whether he has mud on his forehead.

To extend the framework to the parameterized setting, there are a few problems. Firstly, since the Kripke structure is now infinite (i.e. the union of all possible instantiations of the parameter), how do we symbolically represent the Kripke structure? Secondly, a closer look at the solution to the muddy children example via PAL (or similar logics) [11, 25, 35] suggests that the formula in the logic is different for different numbers of muddy children.
For parameterized verification, it is essential that we have a uniform specification for the epistemic property regardless of the instantiation of the parameters. We note that generalizations of epistemic logics that can provide such a uniform specification do exist (e.g., quantified epistemic logic [7], iterated public announcement [13, 22]); however, the resulting logics are not only undecidable, but there are also no known semi-algorithmic solutions that would work for interesting examples.

Our framework (see §3) is in the spirit of regular model checking [1, 2, 9, 10, 30], wherein a configuration in the (parameterized) system is represented by a string over some finite alphabet Σ, while a binary relation $\sim \subseteq \Sigma^* \times \Sigma^*$ is represented by an automaton over the product alphabet Σ × Σ. [The reader could understand a product alphabet just like a normal alphabet, where an automaton would synchronously read a pair (𝑎, 𝑏) of symbols at each step.] The resulting Kripke structures are called automatic Kripke structures [9, 10, 30]. One benefit of this framework is that one could encode an infinite number of accessibility relations $\{\sim_i\}_{i \in \mathbb{N}}$ (one for each agent indexed 𝑖 = 0, 1, 2, …), where $\sim_i \subseteq \Sigma^* \times \Sigma^*$, as one single automaton representing $\sim \subseteq \Sigma^* \times \mathbb{N} \times \Sigma^*$: since a string encoding 𝑠(𝑖) of each number 𝑖 ∈ N can be given (e.g. the unary position encoding 𝑉(𝑖, 𝑙) used below), the automaton reads the product alphabet Σ × {0, 1} × Σ. Second, to reason about knowledge over automatic Kripke structures, it is important to enrich PAL with a few new features: (1) basic string reasoning (e.g. whether 𝑏 occurs at an even position in the string), since configurations in the Kripke models are represented as strings; (2) an iterated public announcement operator {𝜑!}*, since in general an unbounded number of public announcements need to be made in parameterized systems (e.g. one announcement per child/round in the muddy children protocol).

Our key results are as follows.
First, in the absence of the iterated public announcement operators in the input formula, the model checking problem in our framework is decidable with a nonelementary complexity (see §4). Despite the high complexity, we show that our implementation [28] works well on examples like the parameterized version of the Russian Card Problem [33, 36] (where the total number of cards is not fixed a priori), where the tool verifies that anonymous communication between two parties of the system can be achieved (see §6). Second, in the presence of the iterated public announcement operators in the input formula, although the model checking problem is in general undecidable (see §4), we provide a semi-algorithm for the problem tapping into Angluin’s L* automata learning algorithm [5, 15] (see §5). To the best of our knowledge, this is the first application of automata learning methods to the parameterized model checking of epistemic properties. Loosely speaking, the learning algorithm will attempt the computation of the so-called “disappearance relation”, which captures the order in which states are discarded during the announcements and is likely to exhibit regular patterns of the system. A termination guarantee is provided in this case (i.e. when the order can be represented by regular languages). We implemented the method and show that it can successfully verify the parameterized versions of the Muddy Children Protocol and the Large Number Challenge (see §6).

We denote by N the set of natural numbers, and for 𝑛 ∈ N, $[n] = \{x \in \mathbb{N} \mid 0 \le x < n\}$.

Automata Background: An alphabet is a finite set Σ. A word 𝑤 over Σ is a finite sequence $x_0 \ldots x_{n-1} \in \Sigma^n$ of letters of Σ, for some length 𝑛, which is denoted |𝑤| = 𝑛. We write $w[i] = x_i$ for its 𝑖-th letter (𝑖 ∈ [|𝑤|]) and 𝜖 for the empty word of length 0. A set of words 𝐿 is called a language. It is regular if it can be recognized by a regular expression, or equivalently by a non-deterministic automaton (e.g. see [27]).
We denote by Reg(Σ) the class of regular languages over Σ and recall that the class is closed under concatenation, boolean operations, and Kleene star. Let $\Sigma_1 \subseteq \Sigma'_1$ and $\Sigma_2$ be alphabets. Regular languages are also preserved by synchronous product and morphisms:

For $w_1 \in \Sigma_1^l$ and $w_2 \in \Sigma_2^l$, two words of the same length 𝑙 ∈ N, we write $w_1 \otimes w_2$ for the synchronous product word $w \in (\Sigma_1 \times \Sigma_2)^l$ such that $\forall i \in [l],\ w[i] = (w_1[i], w_2[i])$. We extend ⊗ to languages by defining, for $L_1 \subseteq \Sigma_1^*$ and $L_2 \subseteq \Sigma_2^*$,
$$L_1 \otimes L_2 = \{\, w_1 \otimes w_2 \mid w_1 \in L_1 \wedge w_2 \in L_2 \cap \Sigma_2^{|w_1|} \,\}.$$

A morphism is any function $f : \Sigma_1 \to \Sigma_2$; we extend 𝑓 to words over $\Sigma_1$ by defining, for any $w \in \Sigma_1^*$, $f(w) = f(w[0]) \ldots f(w[|w|-1]) \in \Sigma_2^*$, and then to languages over the superset $\Sigma'_1$: for any $L \subseteq (\Sigma'_1)^*$, $f(L) = \{ f(w) \mid w \in L \cap \Sigma_1^* \}$. Of particular interest, we define projection morphisms: given $\Sigma_1, \ldots, \Sigma_n$ and $1 \le i_1 < \ldots < i_k \le n$, we define, for all $(\alpha_i)_{1 \le i \le n}$,
$$\pi_{(\Sigma_{i_1}, -, \ldots, -, \Sigma_{i_k})}(\alpha_1 \ldots \alpha_n) = (\alpha_{i_1}, \ldots, \alpha_{i_k}).$$
For example, the synchronous product’s counterparts can be defined as the morphisms $\pi_{(\Sigma_1, -)}$ and $\pi_{(-, \Sigma_2)}$, projections on the first and second component, respectively.

We encode positions inside a word with the alphabet B = {0, 1}, and for 0 ≤ 𝑖 < 𝑙, $V(i, l) = 0^i\, 1\, 0^{l-i-1} \in \mathbb{B}^l$ encodes the 𝑖-th position. When the meaning is clear, we will at times identify a finite automaton A and its recognized language L(A) ∈
Reg(Σ). In particular, whenever we claim a language 𝐿 is regular, a recognizing automaton may be provided instead. Whenever $\Sigma = \Sigma_1 \times \Sigma_2$, the automaton may also be called a length-preserving transducer, or simply “transducer”, as it can be interpreted as an automaton mapping a word $w_1 \in \Sigma_1^*$ (non-deterministically) to a word $w_2 \in \Sigma_2^*$ of the same length, such that $w_1 \otimes w_2 \in L$.

In this section, we provide our regular model checking framework for knowledge reasoning over parameterized systems. The section has two parts. First, an extension of PAL called PPAL (Parameterized PAL) that is interpreted over a parameterized Kripke structure. Second, a regular presentation of parameterized Kripke structures, over which PPAL model checking is decidable.
The logic PPAL will be evaluated on a parameterized Kripke structure. Loosely, such a structure represents a parameterized system, which can be viewed as a union of an infinite family of structures, each obtained by instantiating the parameter. Each state will be assigned a fixed parameter instantiation, shared by all its successors. For simplicity, we use only one parameter called the state size, which quantifies the (maximal) number of agents involved, as well as the number of copies of atomic propositions.

Figure 1: First members of the parameterized Kripke family of the Muddy children example, with parameter 2 (left) and 3 (right); self loops are omitted.

Definition 3.1. A parameterized Kripke structure is a tuple $\mathcal{M} = (S, AP, \sim, L, |\cdot|)$ where:
• 𝑆 is a (possibly infinite) set of states;
• 𝐴𝑃 is a finite set of atomic propositions;
• |·| maps any state 𝑠 ∈ 𝑆 to its size |𝑠| ∈ N;
• 𝐿 maps any state 𝑠 ∈ 𝑆 and index 𝑖 ∈ [|𝑠|] to its labelling $L_i(s) \subseteq AP$;
• $\sim \subseteq S \times \mathbb{N} \times S$ is an N-labelled accessibility relation between states, called the indistinguishability relation, such that any triple $(s, i, s') \in \sim$ satisfies 0 ≤ 𝑖 < |𝑠| = |𝑠′|. We assume: for any 𝑠 ∈ 𝑆 and 0 ≤ 𝑖 < |𝑠|, we have $(s, i, s) \in \sim$.

$(s, i, s') \in \sim$ is written $s \sim_i s'$ and reads "if 𝑠 is the actual state of the system (world), the 𝑖-th agent entertains the possibility that the current state is actually 𝑠′, given its observation." Even though this is not enforced by our definition, most of the proposed models below will assume $\sim_i$ to be an equivalence relation, for all 𝑖, and this property will be preserved when deriving models.

Example 3.2.
Figure 1 depicts a parameterized Kripke structure for the muddy children puzzle, where 𝑆 = {𝑚, 𝑐}*, 𝐴𝑃 = {𝑚}, and the size |𝑤| of a state 𝑤 ∈ 𝑆 is defined as its length. For all 𝑖 ∈ [|𝑤|],
$$L_i(w) = \begin{cases} \{m\} & \text{if } w[i] = m \\ \emptyset & \text{otherwise} \end{cases} \subseteq AP$$

Definition 3.3.
We define a formula 𝜑 in parameterized public announcement logic (PPAL) by the following grammar:
$$\varphi ::= \top \mid \varphi \wedge \varphi \mid \neg\varphi \mid \exists i : \varphi \mid i = 0 \mid i \,\%\, k = 0 \mid i = j + k \mid p_i \mid \langle i \rangle \varphi \mid \{\varphi!\}\varphi$$
where 𝑖, 𝑗 are index variables, 𝑘 ∈ N is any integral constant and 𝑝 ∈ 𝐴𝑃 is any atomic proposition.

Intuitively, PPAL extends PAL by an indexing capability, so that one could easily refer to the 𝑖-th agent in the system. This is to some extent akin to how indexed LTL extends LTL [8]. However, we also suitably restrict the indexing capability (essentially, the difference between the indices of two agents is a certain constant 𝑘, or the index of an agent is 𝑘 (mod 𝑑) for some constants 𝑘 and 𝑑). This is essentially the extension of difference logic [18] with modulo operators. This restriction makes the logic amenable to regular model checking techniques, but is also sufficiently powerful for modelling typical examples in parameterized systems.

Shorthands:
Boolean connectives ∨, →, ↔ and universal quantification ∀ can be encoded in a standard way. The formula $[i]\varphi \equiv \neg\langle i\rangle\neg\varphi$ encodes that agent 𝑖 knows with certainty that 𝜑 holds. Usage of constants is also allowed: $i = k \equiv \exists j : j = 0 \wedge i = j + k$, $p_k \equiv \exists i : i = k \wedge p_i$, $\langle k\rangle\varphi \equiv \exists i : i = k \wedge \langle i\rangle\varphi$. We denote by 𝐹𝑉(𝜑) the set of (“not quantified”) free variables of 𝜑. We say that 𝜑 is a closed formula whenever 𝐹𝑉(𝜑) = ∅. For any set 𝑋 of index variables, a function $\mu \in \mathbb{N}^X$ is called a valuation. For a valuation 𝜇 and a formula 𝜑, we write 𝜑(𝜇) for the instantiated formula where each occurrence of 𝑥 ∈ 𝑋 has been replaced by 𝜇(𝑥). In particular, if 𝐹𝑉(𝜑) ⊆ 𝑋, then 𝜑(𝜇) is a closed formula.

Definition 3.4.
For a parameterized Kripke structure M, a state 𝑠 ∈ 𝑆, a PPAL formula 𝜑, and a valuation $\mu \in \mathbb{N}^{FV(\varphi)}$, we define the satisfaction relation ⊨ inductively by: M, 𝑠, 𝜇 ⊨ 𝜑 if, and only if, ∀𝑖, 𝜇(𝑖) ∈ [|𝑠|] and one of the following conditions holds:
• 𝜑 ≡ ⊤;
• $\varphi \equiv \psi_1 \wedge \psi_2$ and M, 𝑠, 𝜇 ⊨ $\psi_1$ and M, 𝑠, 𝜇 ⊨ $\psi_2$;
• 𝜑 ≡ ¬𝜓 and M, 𝑠, 𝜇 ⊭ 𝜓;
• 𝜑 ≡ ∃𝑖 : 𝜓 and M, 𝑠, 𝜇′ ⊨ 𝜓 for some 𝜇′ s.t. ∀𝑥 ≠ 𝑖, 𝜇(𝑥) ≡ 𝜇′(𝑥);
• 𝜑 ≡ 𝑖 = 𝑗 + 𝑘 and 𝜇(𝑖) ≡ 𝜇(𝑗) + 𝑘;
• 𝜑 ≡ 𝑖 = 0 and 𝜇(𝑖) ≡ 0;
• 𝜑 ≡ 𝑖 % 𝑘 = 0 and 𝜇(𝑖) % 𝑘 ≡ 0;
• $\varphi \equiv p_i$ and $p \in L_{\mu(i)}(s)$;
• 𝜑 ≡ ⟨𝑖⟩𝜓 and there exists 𝑡 ∈ 𝑆 such that $s \sim_{\mu(i)} t$ and M, 𝑡, 𝜇 ⊨ 𝜓;
• $\varphi \equiv \{\psi_1!\}\psi_2$ and M, 𝑠, 𝜇 ⊨ $\psi_1$ implies $\mathcal{M}\{\psi_1(\mu)!\}, s, \mu \models \psi_2$,
where for any closed PPAL formula 𝜓, M{𝜓!} is the (parameterized) Kripke structure M restricted to the state space satisfying 𝜓: $S\{\psi!\} = \{ s \mid \mathcal{M}, s, \cdot \models \psi \}$.

Note that we adopt here the vacuous truth semantics for the public announcement operator: whenever a state doesn’t satisfy a publicly announced property, it satisfies its conclusion. This choice will turn out to be more convenient with our examples involving the newly introduced iterated public announcement. While an alternative definition 𝜑 ∧ {𝜑!}𝜓 is possible, they are both expressively equivalent. It is important to notice that the logic does not make a distinction between variables designed for atomic proposition manipulation and variables for indexing agents. Not only does this simplification make our definition more concise, it also enables the specification of relationships between agents and their atomic propositions.

Example 3.5.
Consider the scenario of the muddy children puzzle, where the father announces that there is exactly one muddy child. “After this announcement, every child knows their own state” is encoded as the formula:
$$\{\exists i : m_i \wedge \forall j,\ i \ne j \to \neg m_j\,!\}\ \forall i,\ [i] m_i \vee [i] \neg m_i$$

We now provide a regular presentation of parameterized Kripke structures, and define the model checking problem.

Figure 2: Transducer for the Muddy children. States $q_0$ (initial) and $q_f$ (accepting), each with self loops on (𝑚, 0, 𝑚) and (𝑐, 0, 𝑐); transitions from $q_0$ to $q_f$ on (𝑚, 1, 𝑚), (𝑚, 1, 𝑐), (𝑐, 1, 𝑚) and (𝑐, 1, 𝑐).
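As an added illustration (our code, not the paper's tool [28]), the following Python snippet encodes the transducer of Figure 2 as an automaton over Σ × B × Σ, builds synchronous product words 𝑠 ⊗ 𝑉(𝑖, |𝑠|) ⊗ 𝑡 as in the preliminaries, and checks the formula of Example 3.5 by brute force on all states of a fixed size 𝑛; the function names are our own, and the accepting run it tests is the one of Example 3.8 below.

```python
# Added example (not from the paper or its tool): Figure 2's transducer and a
# brute-force check of Example 3.5 on the muddy-children structure of size n.
from itertools import product

SIGMA = ("m", "c")


def V(i, l):
    """Unary position encoding V(i, l) = 0^i 1 0^(l-i-1), as a tuple of bits."""
    return tuple(1 if k == i else 0 for k in range(l))


def sync_product(*words):
    """w1 (x) w2 (x) ...: one tuple of letters per position; lengths must agree."""
    if len({len(w) for w in words}) != 1:
        raise ValueError("synchronous product needs words of equal length")
    return tuple(zip(*words))


def transducer_accepts(word):
    """Run the Figure 2 automaton over Sigma x B x Sigma (it is deterministic).

    q0: before the observer's position, letters must agree (bit 0); the single
    bit-1 letter (the observer's own position) allows any pair and moves to
    q_f, where letters must agree again. Accept iff the run ends in q_f."""
    state = "q0"
    for a, bit, b in word:
        if bit == 0 and a == b:
            continue                      # self loop on (m,0,m) / (c,0,c)
        if bit == 1 and state == "q0":
            state = "qf"                  # (x,1,y) for any letters x, y
            continue
        return False                      # no transition: reject
    return state == "qf"


def indist(s, i, t):
    """s ~_i t  iff  the transducer accepts s (x) V(i,|s|) (x) t."""
    return len(s) == len(t) and transducer_accepts(sync_product(s, V(i, len(s)), t))


def knows(i, prop):
    """[i]prop: prop holds in every state of S that agent i cannot distinguish."""
    return lambda S, s: all(prop(S, t) for t in S if indist(s, i, t))


def exactly_one_muddy(S, s):
    """The father's announcement: exists i: m_i and forall j != i: not m_j."""
    return s.count("m") == 1


def knows_own_state(S, s):
    """forall i, [i]m_i or [i]not m_i, evaluated in the structure with states S."""
    return all(
        knows(i, lambda S, t, i=i: t[i] == "m")(S, s)
        or knows(i, lambda S, t, i=i: t[i] == "c")(S, s)
        for i in range(len(s))
    )


def announce(S, phi):
    """{phi!}: restrict the state space to the states satisfying phi."""
    return {s for s in S if phi(S, s)}


def check_example_3_5(n):
    """Example 3.5 on all states of size n: after announcing 'exactly one muddy
    child', every child knows its own state (vacuously true for removed states)."""
    states = {"".join(w) for w in product(SIGMA, repeat=n)}
    after = announce(states, exactly_one_muddy)
    return all(knows_own_state(after, s) for s in after)


if __name__ == "__main__":
    # The accepting run of Example 3.8: ccm (x) 001 (x) ccc encodes ccm ~_2 ccc.
    print(indist("ccm", 2, "ccc"), indist("ccm", 1, "ccc"))   # True False
    print([check_example_3_5(n) for n in range(1, 6)])
```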
Definition 3.6. Let $\mathcal{M} = (S, AP, \sim, L, |\cdot|)$ be a parameterized Kripke structure. It is regular if there exists an alphabet Σ such that:
• 𝑆 ⊆ Σ*;
• For all 𝑠 ∈ 𝑆, |𝑠| is the actual length of 𝑠, seen as a word;
• For all 𝑖 ∈ [|𝑠|], $L_i(s) = L(s[i])$;
• The indistinguishability relation can be encoded as a transducer; more precisely, the following language is regular:
$$T_{\mathcal{M}} = \{\, s \otimes V(i, |s|) \otimes t \mid s \sim_i t \,\}$$

Recall that we assume reflexivity of $\sim_i$, for each 𝑖 ∈ N. Hence, the state space 𝑆 of a regular Kripke structure is also regular, since $S = \pi_{(\Sigma, -)}(T_{\mathcal{M}})$ is a morphism image. In the rest of the paper, we will assume the labelling 𝐿 to be fixed, and identify any regular Kripke structure M with its regular language $T_{\mathcal{M}}$, seen as a transducer. The following proposition justifies the validity of the above restriction.

Proposition 3.7. Given an indistinguishability relation $(\sim_i)_i$, encoded as a transducer, checking any of the following properties to be satisfied by $\sim_i$ (for each 𝑖 ∈ N) is decidable: (1) reflexive, (2) symmetric, and (3) transitive.

This follows from the fact that reflexivity, symmetry, and transitivity of a binary relation are first-order definable, and that first-order model checking over regular Kripke structures (more generally automatic structures) is decidable [9, 10]. As a remark, it follows also that checking whether a regular Kripke structure satisfies the S5 axioms (whether all $\sim_i$ are equivalence relations) is decidable.

Example 3.8 (Muddy children).
The parameterized Kripke structure of Example 3.2 is regular: the transducer $T_{\mathcal{M}}$ is recognized by the NFA depicted in Figure 2. For example, the accepting run
$$q_0 \xrightarrow{(c,0,c)} q_0 \xrightarrow{(c,0,c)} q_0 \xrightarrow{(m,1,c)} q_f$$
for the word $ccm \otimes 001 \otimes ccc$ encodes the observation $ccm \sim_2 ccc$.

The regular model checking problem for PPAL is the problem of model checking PPAL formulas over regular Kripke structures: given a regular Kripke structure M and a formula 𝜑, check if the following satisfaction set is empty:
$$\llbracket \varphi \rrbracket(\mathcal{M}) := \{\, (s, \mu) \in S \times \mathbb{N}^{FV(\varphi)} \mid \mathcal{M}, s, \mu \models \varphi \,\}$$
Although we are considering non-pointed Kripke structures, the setting is not restrictive here, as initial states could be specified by adding an extra atomic proposition 𝑖𝑛𝑖𝑡 ∈ 𝐴𝑃 and replacing 𝜑 by 𝜑′ ≡ 𝑖𝑛𝑖𝑡 → 𝜑.

Our main result in this section is the decidability of regular model checking of PPAL.

Theorem 4.1.
Given a regular Kripke structure M and a closed PPAL formula 𝜑, its semantics ⟦𝜑⟧(M) is regular and computable.

When evaluating a public announcement, the Kripke structure may be modified in a way that depends on the current valuation. The crux of the proof lies in carrying a family of regular Kripke structures, encoded as a single extended transducer. The following lemma makes our claim more precise:

Lemma 4.2.
Let X be a finite set of variables, 𝜑 a PPAL formula with 𝐹𝑉(𝜑) ⊆ X, and $T \in \mathrm{Reg}(\Sigma \times \mathbb{B} \times \Sigma \times \mathbb{B}^X)$. We assume that for any $v \in \mathbb{B}^X$, the transducer $\{ w \mid w \otimes v \in T \}$ represents a regular Kripke structure denoted $\mathcal{M}_v$. Then, the extended semantics
$$\widetilde{\llbracket \varphi \rrbracket}(T) = \{\, s \otimes v \mid \exists \mu \in \mathbb{N}^X : v = V(\mu, |s|) \wedge \mathcal{M}_v, s, \mu \models \varphi \,\}$$
can be recursively computed using boolean, synchronous product and morphism operations on regular languages.

Proof.
• $\widetilde{\llbracket \top \rrbracket}(T) = \pi_{(\Sigma, -, -, \mathbb{B}^X)}(T)$;
• $\widetilde{\llbracket \varphi_1 \wedge \varphi_2 \rrbracket}(T) = \widetilde{\llbracket \varphi_1 \rrbracket}(T) \cap \widetilde{\llbracket \varphi_2 \rrbracket}(T)$;
• $\widetilde{\llbracket \neg\varphi \rrbracket}(T) = \widetilde{\llbracket \top \rrbracket}(T) \setminus \widetilde{\llbracket \varphi \rrbracket}(T)$;
• An existential quantification over 𝑖 ∈ X is implemented by removing the information about 𝑖’s position. For $\alpha = t \otimes v \otimes x \in ((\Sigma \times \mathbb{B} \times \Sigma) \times \mathbb{B}^X \times \mathbb{B})^*$, we define $F(\alpha) = t \otimes v[i/x]$. Hence, $\widetilde{\llbracket \exists i : \varphi \rrbracket}(T) = F(\widetilde{\llbracket \varphi \rrbracket}(T) \otimes 0^*10^*)$;
• 𝑖 = 𝑗 + 𝑘 is encoded by the fixed regular expression:
$$L_k = \begin{cases} (0,0)^*\,(0,1)\,(0,0)^{k-1}\,(1,0)\,(0,0)^* & \text{if } k > 0 \\ (0,0)^*\,(1,1)\,(0,0)^* & \text{otherwise} \end{cases}$$
For $w \otimes v \in (\Sigma \times \mathbb{B} \times \Sigma) \times \mathbb{B}^X$, we consider the morphism 𝐹 defined on any tuple $\alpha = t \otimes v \otimes (v(i), v(j))$ by $F(\alpha) = t \otimes v$, so we finally have $\widetilde{\llbracket i = j + k \rrbracket}(T) = F(\widetilde{\llbracket \top \rrbracket}(T) \otimes L_k)$;
• $\widetilde{\llbracket p_i \rrbracket}(T) = \pi_{(\Sigma, -, -, \mathbb{B}^X)}(T) \cap A^* B A^*$, where $A = \{\alpha \in \Sigma \mid p \notin L(\alpha)\} \times \{ v \mid v(i) = 0 \}$ and $B = \{\alpha \in \Sigma \mid p \in L(\alpha)\} \times \{ v \mid v(i) = 1 \}$;
• $\widetilde{\llbracket \langle i \rangle \varphi \rrbracket}(T) = \pi\big( T \cap A^* B A^* \cap (\Sigma \times \mathbb{B})^* \otimes \widetilde{\llbracket \varphi \rrbracket}(T) \big)$ where $A = \Sigma \times \{0\} \times \Sigma \times \{ v \mid v(i) = 0 \}$, $B = \Sigma \times \{1\} \times \Sigma \times \{ v \mid v(i) = 1 \}$ and $\pi(\alpha, \beta, \gamma, \eta) = (\alpha, \eta)$. Intuitively, we intersect the transducer with the legal moves where the current observing agent matches the variable 𝑖. We also intersect with the transducer that always ends up in a state and valuation satisfying 𝜑.
• The implementation of the public announcement is by far the most complex one, as we first need to introduce the public announcement transducer $T_{\{\varphi!\}}$, encoding for any 𝑣 the regular Kripke structure obtained from $\mathcal{M}_v$ after announcing $\varphi(\mu_v)$:
$$T_{\{\varphi!\}} = \bigcup_{v \in \mathbb{B}^X} \big( T_{\mathcal{M}_v\{\varphi(\mu_v)!\}} \big) \otimes \{v\}$$
$T_{\{\varphi!\}}$ is actually regular: we first build $\widetilde{\llbracket \varphi \rrbracket}(T)$ in order to construct a regular Kripke structure on this state space. In order to do so, we define the morphism 𝐹 defined for any $t = w \otimes v \otimes x \otimes w' \otimes v \in (\Sigma \times \mathbb{B}^X \times \mathbb{B} \times \Sigma \times \mathbb{B}^X)^*$ by $F(t) = w \otimes x \otimes w' \otimes v$; notice that the same valuation 𝑣 appears on both sides. Then, it remains to intersect the image transducer with the initial model: $T_{\{\varphi!\}} = T \cap F(\widetilde{\llbracket \varphi \rrbracket}(T) \otimes 0^*10^* \otimes \widetilde{\llbracket \varphi \rrbracket}(T))$. Finally, we conclude with the implementation of the (vacuous truth) semantics of the public announcement:
$$\widetilde{\llbracket \{\varphi!\}\psi \rrbracket}(T) = \widetilde{\llbracket \neg\varphi \rrbracket}(T) \cup \widetilde{\llbracket \psi \rrbracket}(T_{\{\varphi!\}})$$ □

Example 4.3. Consider again the regular Kripke structure of Figure 2 and the effect of publicly announcing "there is at least one muddy child": initially M has state space Σ* = {𝑚, 𝑐}*. After {∃𝑖 : $m_i$!}, it is reduced to Σ*{𝑚}Σ*. After announcing "no one knows whether (s)he is muddy", namely {∀𝑖, ⟨𝑖⟩¬$m_i$!}, it is further reduced to Σ*{𝑚}Σ*{𝑚}Σ*. And after 𝑘 similar announcements, the resulting state space becomes Σ*({𝑚}Σ*)^𝑘. This sequence of announcements, however, cannot continue forever, as each iteration removes all states of length 𝑘 − 1. To express such unbounded sequences we use the iterated public announcement operator [22]:
$$\underbrace{\{\varphi!\}\{\varphi!\}\ldots\{\varphi!\}}_{\text{arbitrarily many times}}\ \psi$$

Definition 4.4. A formula 𝜑 is in PPAL* if it is in the grammar of PPAL, augmented with $\varphi ::= \{\varphi!\}^k \varphi \mid \{\varphi!\}^* \varphi$ with 𝑘 ∈ N. The semantics is given by induction on 𝑘:
• $\llbracket \{\varphi!\}^0 \psi \rrbracket(\mathcal{M}) = \llbracket \psi \rrbracket(\mathcal{M})$;
• $\llbracket \{\varphi!\}^{k+1} \psi \rrbracket(\mathcal{M}) = \llbracket \{\varphi!\}^k (\{\varphi!\}\psi) \rrbracket(\mathcal{M})$;
• $\llbracket \{\varphi!\}^* \psi \rrbracket(\mathcal{M}) = \bigcap_{k \ge 0} \llbracket \{\varphi!\}^k \psi \rrbracket(\mathcal{M})$.
The construction for a fixed 𝑘 ∈ N is only a useful syntactic sugar.

Theorem 4.1 ensures that model checking of a regular Kripke structure against a PPAL formula is decidable, by reduction to the regular language universality problem. However, the translation of a formula into a regular language may involve several exponential blow-ups, so the overall running time may become non-elementary. Moreover, this translation does not apply to the newly introduced {·!}* operator, and decidability is not guaranteed in this case. We clarify now these complexity questions:

Theorem 4.5. There exists a regular structure M such that: (1) model checking against a PPAL formula is non-elementary; (2) model checking against a PPAL* formula is undecidable.

Proof. (1) In [29, Proposition 20], the author constructs an automatic structure M whose modal logic theory is non-elementary. Modal logic can be seen as a particular fragment of PPAL, with only one agent. An automatic structure can also be seen as a regular Kripke structure with only one agent. The hardness reduction is therefore immediate.

(2) We now construct a regular Kripke structure M such that its PPAL* theory is undecidable. To this end, we encode the Minsky machine halting problem [23]: a 2-counter (Minsky) machine is a tuple $(Q, q_0, q_f, \delta)$ where
• 𝑄 is a finite set;
• $q_0 \in Q$ is the initial state;
• $q_f \in Q$ is the final state;
• $\delta \subseteq Q \times \{test, inc, dec\} \times \mathbb{B} \times Q$ is the set of transitions.
The semantics of such a machine is defined over the configuration space $Q \times \mathbb{N}^2$, with $(q, x_0, x_1) \xrightarrow{t} (r, y_0, y_1)$ if, and only if, the following conditions hold:
• $t = (q, op, i, r) \in \delta$ for some $(op, i) \in \{test, pos, inc, dec\} \times \mathbb{B}$;
• $x_{1-i} = y_{1-i}$;
• if $op = test$, then $x_i = y_i = 0$;
• if $op = pos$, then $x_i = y_i > 0$;
• if $op = inc$, then $x_i + 1 = y_i$;
• if $op = dec$, then $x_i = y_i + 1$.
The machine terminates if it has a run from the initial configuration $(q_0, 0, 0)$ to a configuration $(q_f, x_0, x_1)$ for some $(x_0, x_1)$. Moreover, we assume, without loss of generality, our 2-counter machines to be deterministic, namely: for any configuration 𝛾, there exists at most one 𝑡 ∈ 𝛿 such that $\gamma \xrightarrow{t} \gamma'$ for some 𝛾′.

We consider the regular Kripke structure M with $AP = \{p, c^{(0)}, c^{(1)}\}$, and $T_{\mathcal{M}}$ the complete transducer $\Sigma^* \otimes 0^*10^* \otimes \Sigma^*$. Given a 2-counter machine $(Q, q_0, q_f, \delta)$, we construct a formula 𝜑 such that the machine terminates if, and only if, ⟦𝜑⟧(M) ≠ ∅.
We assume for our encoding that 𝑄 = [|𝑄|], allowing us to encode the current state as a unary position. Let us first restrict the model to states where each proposition is true at exactly one position, by announcing:
$$\varphi_m = \exists i_0, i_1, i_2 : c^{(0)}_{i_0} \wedge c^{(1)}_{i_1} \wedge p_{i_2} \wedge \forall j,\ (c^{(0)}_j \to i_0 = j) \wedge (c^{(1)}_j \to i_1 = j) \wedge (p_j \to i_2 = j)$$
Intuitively, a configuration $(q, x_0, x_1)$ will be encoded as the state word $V(x_0, l) \otimes V(x_1, l) \otimes V(q, l)$ for any $l \ge \max(q, x_0, x_1)$. We now construct a formula $\varphi_t$ expressing that the current configuration still has a successor:
$$\varphi_t = \exists i_0, i_1, j \ne q_f : c^{(0)}_{i_0} \wedge c^{(1)}_{i_1} \wedge p_j \wedge \bigvee_{(q, op, k, q') \in \delta} j = q \wedge \langle 0 \rangle (p_{q'} \wedge \varphi_{op,k})$$
where
$$\varphi_{op,k} = \begin{cases} i_k = 0 \wedge c^{(0)}_{i_0} \wedge c^{(1)}_{i_1} & \text{when } op = test \\ \exists l : i_k = l + 1 \wedge c^{(0)}_{i_0} \wedge c^{(1)}_{i_1} & \text{when } op = pos \\ \exists l : i_k = l + 1 \wedge c^{(k)}_l \wedge c^{(1-k)}_{i_{1-k}} & \text{when } op = dec \\ \forall l,\ l = i_k + 1 \to c^{(k)}_l \wedge c^{(1-k)}_{i_{1-k}} & \text{when } op = inc \end{cases}$$
Note that a state 𝑠 encoding the configuration $(q, x_0, x_1)$, where an increment of $x_i$ is available but $x_i = |s| - 1$, is never removed, even though state 𝑠 has no successor in the current Kripke structure: we adopt this convention since any state in $(0^+ \cdot s)$ still has a successor. We now encode the whole formula:
$$\varphi = p_{q_0} \wedge c^{(0)}_0 \wedge c^{(1)}_0 \wedge \{\varphi_m!\}\{\varphi_t!\}^* \bot$$
We claim that ⟦𝜑⟧(M) ≠ ∅ if, and only if, the machine terminates.
• If the machine terminates, there exists a finite run $(q_0, x_0, y_0) \ldots (q_n, x_n, y_n)$ with $q_n = q_f$ and $x_0 = y_0 = 0$; let $l = \max\{x_i, y_i \mid 0 \le i \le n\}$. We prove by (decreasing) induction on 𝑖 that $V(x_i, l) \otimes V(y_i, l) \otimes V(q_i, l) \in \llbracket \{\varphi_m!\}\{\varphi_t!\}^*\bot \rrbracket(\mathcal{M})$. The result holds for 𝑖 = 𝑛 since $\varphi_t$ is not satisfied for $q_f$; then, we follow the semantics definition for the induction case: by determinacy of the machine, there exists at most one valid instruction $(q_{i-1}, op, k, q_i)$. Because no state can satisfy ⊥, the state $V(x_i, l) \otimes V(y_i, l) \otimes V(q_i, l)$ has to eventually be removed, hence $\varphi_t$ eventually becomes unsatisfied from $V(x_{i-1}, l) \otimes V(y_{i-1}, l) \otimes V(q_{i-1}, l)$.
• For the converse implication, assume the machine has an infinite run denoted $(q_i, x_i, y_i)_{i \in \mathbb{N}}$. For a fixed 𝑙 ∈ N, we check by induction on 𝑘 that for all 𝑖 such that $l \ge \max\{x_i, y_i, q_i\}$, we still have $\mathcal{M}, V(x_i, l) \otimes V(y_i, l) \otimes V(q_i, l) \not\models \{\varphi_m!\}\{\varphi_t!\}^k \bot$.
– For 𝑘 = 0, the formula reduces to {$\varphi_m$!}⊥, and since all states are proper encodings of configurations, they satisfy $\varphi_m$ but not ⊥.
– Assuming the result is true for some 𝑘 ∈ N, we prove the result still holds for $(q_i, x_i, y_i)$ at step 𝑘 + 1, by either applying the induction hypothesis on $(q_{i+1}, x_{i+1}, y_{i+1})$ at step 𝑘, or checking that $x_{i+1} > l$ or $y_{i+1} > l$, meaning that $V(x_i, l) \otimes V(y_i, l) \otimes V(q_i, l)$ satisfies $\varphi_t$ through its increment clause.
That is to say: $\llbracket \varphi \rrbracket(\mathcal{M}) \cap \Sigma^l = \emptyset$. Since the result holds for any 𝑙 ∈ N, we conclude that ⟦𝜑⟧(M) = ∅. □

We study in this section the limit behaviour induced by an operator restricting incrementally the state space. This study is motivated by the PPAL* construction {𝜑!}*⊥, whose semantics can be seen as the set of states not being removed after arbitrarily many state space restrictions operated by the public announcement {𝜑!}. For the rest of this section, we fix a more general setting with:
• An alphabet Σ;
• An initial state space $\mathcal{S} = \mathcal{S}_0 \subseteq \Sigma^*$;
• A function $F : 2^{\Sigma^*} \to 2^{\Sigma^*}$ restricting the state space, that is to say: $\forall X \subseteq \Sigma^*,\ F(X) \subseteq X$;
• For all 𝑘 ∈ N, we let $\mathcal{S}_{k+1} = F(\mathcal{S}_k)$ and $\mathcal{S}_\infty = \bigcap_{k \ge 0} \mathcal{S}_k$.
Moreover, we assume S to be a regular language, and 𝐹 to preserve regular languages, in a way that will later be clarified. Our study aims at computing the limit set of states $\mathcal{S}_\infty$. Despite our assumptions, this set is not in general regular nor computable, as one can observe as a consequence of the undecidability result of Theorem 4.5, or of the following counterexample.

Example 5.1.
Consider S = {𝑎}*{𝑏}*, and for all 𝑋 ⊆ S, define $F(X) = \{ a^n b^m \mid n = m = 0 \vee (nm > 0 \wedge a^{n-1} b^{m-1} \in X) \}$. Then, for any 𝑘 ∈ N, $\mathcal{S}_k = \{ a^i b^i \mid 0 \le i < k \} \cup \{ a^{k+n} b^{k+m} \mid n, m \ge 0 \}$ is regular, but not its limit $\mathcal{S}_\infty = \{ a^i b^i \mid 0 \le i \}$.

Figure 3: Hierarchy of the equivalence classes of the disappearance relation: $\mathcal{S}_0 \setminus \mathcal{S}_1 \preceq \ldots \preceq \mathcal{S}_i \setminus \mathcal{S}_{i+1} \preceq \mathcal{S}_{i+1} \setminus \mathcal{S}_{i+2} \preceq \ldots \preceq \mathcal{S}_\infty$, with $\mathcal{S}_i = \uparrow s$ and $\mathcal{S}_{i+1} = F(\uparrow s)$ for a state 𝑠 of the class $\mathcal{S}_i \setminus \mathcal{S}_{i+1}$.
Let us first remark that the application 𝐹 is not necessarily monotone. Consider for example the announcement ∀𝑖, 𝑚_𝑖 ∨ [𝑖]¬𝑚_𝑖, which reads: “every non-muddy child knows he's not muddy.” Then 𝐹({𝑐𝑚}) = {𝑐𝑚} but 𝐹({𝑐𝑚, 𝑚𝑚}) = ∅. As a consequence, S_∞ is a fixed point of 𝐹, but it can be characterized neither as the smallest nor as the greatest one. Hence, we narrow down our computation goal by introducing the following pre-order over states.

Definition 5.2. The disappearance relation ⪯ is defined for every (𝑠, 𝑡) ∈ S² by: 𝑠 ⪯ 𝑡 if, and only if, ∀𝑘 ∈ ℕ, 𝑠 ∈ S_𝑘 ⇒ 𝑡 ∈ S_𝑘.

Intuitively, 𝑠 ⪯ 𝑡 means that 𝑠 disappears from the state space before 𝑡. ⪯ is a total pre-order, i.e. any two elements are comparable, and the relation is reflexive and transitive, but not necessarily antisymmetric. Notice that S_∞ can be characterized as the set of maximal elements of ⪯.
In order to reason over the sets of states induced by a pre-order, we introduce the following notations.

Definition 5.3. For a relation 𝑅 ⊆ S × S and any 𝑠 ∈ S, we define the upward-closure and the equivalence class of 𝑠 by ↑_𝑅 𝑠 = {𝑢 ∈ S | (𝑠, 𝑢) ∈ 𝑅} and [𝑠]_𝑅 = {𝑢 ∈ S | (𝑠, 𝑢) ∈ 𝑅 ∧ (𝑢, 𝑠) ∈ 𝑅}, respectively. We omit the subscript when 𝑅 = ⪯.

As suggested by its name, the latter notion involves an equivalence relation, namely 𝑅 ∩ 𝑅^{−1}, which relates states of S disappearing at the same iteration. On the other hand, the upward-closure ↑𝑠 can be interpreted as one of the iterates, S_𝑘 = ↑𝑠 for some 𝑘 ∈ ℕ ⊎ {∞}. When 𝑘 < ∞, we know this is the last iteration before 𝑠 and all its equivalent states get removed. This entails S_{𝑘+1} = S_𝑘 \ [𝑠], hence 𝐹(↑𝑠) = ↑𝑠 \ [𝑠]. When 𝑘 = ∞, we know on the contrary that 𝑠 never disappears, which also means [𝑠] = ↑𝑠 = S_∞.
This setting is summarised in Figure 3 and in Proposition 5.4; the latter also provides a unique characterization under certain conditions.

Proposition 5.4. Let 𝑅 ⊆ S × S. If 𝑅 = ⪯, then: (1) 𝑅 is a total pre-order on S, and (2) for 𝑠 ∈ S, [𝑠]_𝑅 = ↑_𝑅 𝑠 \ 𝐹(↑_𝑅 𝑠) or [𝑠]_𝑅 = ↑_𝑅 𝑠 = 𝐹(↑_𝑅 𝑠). Moreover, the converse holds whenever S is finite.

Sketch. A proof of the direct implication having already been sketched above, we focus on the converse implication. Assuming that 𝑅 satisfies the above conditions and that S is finite, we prove that 𝑅 = ⪯ by induction on |S|. The result is trivial when |S| = 0; consider now S ≠ ∅ and some minimal 𝑠 ∈ S with respect to the total pre-order 𝑅, that is to say ↑_𝑅 𝑠 = S.
• If [𝑠]_𝑅 = ↑_𝑅 𝑠 \ 𝐹(↑_𝑅 𝑠), then [𝑠]_𝑅 = S \ 𝐹(S) = S_0 \ S_1. In particular, 𝑠 ∉ 𝐹(S) = S_1. Consider ⪯′ = ⪯ ∩ (S_1 × S_1) and 𝑅′ = 𝑅 ∩ (S_1 × S_1). We easily check that ⪯′ is the disappearance relation of 𝐹 with initial set S_1, and that 𝑅′ is a total pre-order on S_1 such that for every 𝑠 ∈ S_1, [𝑠]_𝑅 = [𝑠]_{𝑅′} and ↑_𝑅 𝑠 = ↑_{𝑅′} 𝑠. We can therefore apply the induction hypothesis on S_1: ⪯ and 𝑅 coincide on S_1 × S_1. It remains to show that this is also the case over (S × S) \ (S_1 × S_1): for 𝑢 ∈ S \ S_1 = [𝑠]_𝑅 and 𝑡 ∈ S_1, (𝑢, 𝑡) ∈ 𝑅 (by equivalence to 𝑠) and 𝑢 ⪯ 𝑡 since 𝑢 ∉ S_1 and 𝑡 ∈ S_1. On the other hand, by minimality of 𝑠, (𝑡, 𝑢) ∈ 𝑅 ⇔ 𝑡 ∈ [𝑠]_𝑅 ⇔ 𝑡 ⪯ 𝑠. We conclude in this case that ⪯ = 𝑅.
• If [𝑠]_𝑅 = ↑_𝑅 𝑠 = 𝐹(↑_𝑅 𝑠), then [𝑠]_𝑅 = S_∞ and 𝑅 = ⪯ = S × S. □

The unique characterization of Proposition 5.4 paves the way to a learning procedure for computing ⪯. More precisely, we consider for this section an encoding of ⪯ as a language over pairs of letters:
$$L_\preceq = \{\, s \otimes t \mid |s| = |t| \wedge s \preceq t \,\} \subseteq (\Sigma \times \Sigma)^*$$
Assuming 𝐿_⪯ is a regular language, we will develop a learning procedure to construct it. On the one hand, notice that this definition of 𝐿_⪯ loses some information about ⪯, as it can only relate states of the same length. On the other hand, this restriction is not crucial, as the PPAL logic is exclusively based on length-preserving transducers. We keep the following requirement:
(R1): “𝐹 is length-preserving”
Strictly speaking, we assume 𝐿_⪯ to be the representation of the family (⪯_𝑘)_{𝑘∈ℕ}, where for each 𝑘, ⪯_𝑘 is the disappearance relation starting from the initial state space S ∩ Σ^𝑘.
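The following Python program is an added illustration of Definition 5.2 and of condition (2) of Proposition 5.4 on one finite slice S ∩ Σ^𝑁; it is example code, not the paper's MCPPAL tool. It iterates the operator 𝐹 for the muddy children announcement ∀𝑖, ⟨𝑖⟩¬𝑚_𝑖 (“no child knows she is muddy”) with 𝑁 fixed, records the iteration at which each state disappears, derives ⪯ from these ranks, checks that the computed relation satisfies the characterization of Proposition 5.4, and checks that it coincides with comparing the numbers of muddy children. The string encoding of states, the function names and the choice of ∃𝑖 : 𝑚_𝑖 as the initial restriction are assumptions of the example.

```python
"""Disappearance relation (Definition 5.2) on one finite slice S ∩ Σ^N for the
muddy children announcement.  Added example, not the paper's MCPPAL tool.

State: a word over {'c', 'm'} of length N, position i = child i, 'm' = muddy.
Child i sees every forehead but her own: s ~_i t iff s, t agree off position i.
Initial space S = S_0: the father's announcement "some child is muddy"
(assumption of the example: we start right after that first announcement).
F(X) = {s in X | s satisfies "for all i, <i> not m_i" in M|X}, i.e. no child
knows she is muddy; this is the announcement iterated for the muddy children.
"""
from itertools import product


def indistinguishable(s: str, t: str, i: int) -> bool:
    """s ~_i t: child i cannot tell s and t apart."""
    return s[:i] == t[:i] and s[i + 1:] == t[i + 1:]


def nobody_knows_muddy(s: str, X: frozenset) -> bool:
    """s satisfies "for all i, <i> not m_i", evaluated in the structure restricted to X."""
    return all(any(t[i] == 'c' and indistinguishable(s, t, i) for t in X)
               for i in range(len(s)))


def F(X: frozenset) -> frozenset:
    """One round of the announcement: F(X) is a subset of X, the states satisfying it."""
    return frozenset(s for s in X if nobody_knows_muddy(s, X))


def initial_space(n: int) -> frozenset:
    """S = S_0: every length-n word with at least one muddy child."""
    return frozenset(''.join(w) for w in product('cm', repeat=n) if 'm' in w)


def disappearance_rank(n: int) -> dict:
    """rank[s] = the k with s in S_k but not in S_{k+1}; inf when s is never removed (s in S_inf)."""
    X = initial_space(n)
    rank = {s: float('inf') for s in X}
    k = 0
    while True:
        Y = F(X)                  # S_{k+1}
        for s in X - Y:
            rank[s] = k
        if Y == X:                # fixpoint reached: Y = S_inf
            return rank
        X, k = Y, k + 1


def precedes(rank: dict, s: str, t: str) -> bool:
    """s ⪯ t  iff  for all k, s in S_k implies t in S_k  iff  s is removed no later than t."""
    return rank[s] <= rank[t]


def up(rank: dict, s: str) -> frozenset:
    """The upward-closure of s (Definition 5.3)."""
    return frozenset(t for t in rank if precedes(rank, s, t))


def cls(rank: dict, s: str) -> frozenset:
    """The equivalence class [s] (Definition 5.3)."""
    return frozenset(t for t in rank if precedes(rank, s, t) and precedes(rank, t, s))


def check_proposition_5_4(rank: dict) -> bool:
    """Condition (2) of Proposition 5.4 for the computed relation:
    for every s, [s] = up(s) \\ F(up(s))  or  [s] = up(s) = F(up(s))."""
    for s in rank:
        u, c = up(rank, s), cls(rank, s)
        fu = F(u)
        if not (c == u - fu or (c == u and u == fu)):
            return False
    return True


def matches_mud_count(rank: dict) -> bool:
    """The relation the paper reports for this model: s ⪯ t iff |s|_m <= |t|_m."""
    return all(precedes(rank, s, t) == (s.count('m') <= t.count('m'))
               for s in rank for t in rank)


if __name__ == "__main__":
    r = disappearance_rank(4)
    print(sorted(r.items(), key=lambda kv: kv[1]))
    print("Prop. 5.4 (2):", check_proposition_5_4(r), "| count order:", matches_mud_count(r))
```

On every slice the iteration reaches the empty set, so S_∞ = ∅ and no state has an infinite rank; the relation obtained is exactly “fewer or equally many muddy children”, the transducer for which the text later describes as counting the difference between the two mud counts.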
As Σ^𝑘 is finite for a given 𝑘, this restriction further allows us to provide a unique characterization of 𝐿_⪯, as provided by Proposition 5.4.
We now introduce the 𝐿∗ algorithm from Angluin, which allows us to learn a finite automaton A, or equivalently a target regular language 𝐿_𝑡 ∈ Reg(Σ_𝑡), based on queries answered by an Oracle. Such an Oracle has to answer so-called membership and equivalence queries, either by having direct access to the target language or by indirect means.
We explain the exact semantics of 𝐿∗ queries for a target language 𝐿_𝑡 ∈ Reg(Σ_𝑡), and how they are answered in this learning procedure, where the target language is 𝐿_⪯ ∈ Reg(Σ × Σ):
• Membership queries: the Oracle is asked whether a given word 𝑤 ∈ Σ_𝑡^* is in the target language 𝐿_𝑡.
Answer: we let 𝑠, 𝑡 ∈ Σ^{|𝑤|} with 𝑠 ⊗ 𝑡 = 𝑤 and decide whether 𝑠 ⪯ 𝑡. We proceed to the iterative computation of the sets (S_𝑘)_{𝑘∈ℕ} and stop whenever 𝑠 or 𝑡 is no longer in the set. This is however a semi-decision procedure, as it may fail in the case where neither 𝑠 nor 𝑡 disappears (𝑠, 𝑡 ∈ S_∞). To circumvent this issue, we perform the computation on the restricted state space of a fixed length |𝑤|, namely S_𝑘 ∩ Σ^{|𝑤|}, ensuring a finite cardinality. As soon as 𝑠, 𝑡 ∈ S_𝑘 ∩ Σ^{|𝑤|} = S_{𝑘+1} ∩ Σ^{|𝑤|}, we conclude that 𝑠 ⪯ 𝑡. This leads to our second requirement:
(R2): “𝐹 restricts the state space independently for different state sizes.”
• Equivalence queries: given a candidate language 𝐿, the Oracle is asked whether 𝐿 = 𝐿_𝑡 and, if not, provides a counterexample 𝑤 ∈ (𝐿 \ 𝐿_𝑡) ∪ (𝐿_𝑡 \ 𝐿).
Answer: we make use of Proposition 5.4, which can be seen as a first-order characterization of ⪯, and translate the listed criteria into equivalence problems over regular languages. If one regular language equivalence fails, we have to provide a counterexample to the learning procedure. Unfortunately, a counterexample to a criterion of Proposition 5.4 does not directly provide a counterexample for 𝐿∗. For example, a counterexample for the transitivity property would consist in a triple (𝑠_1, 𝑠_2, 𝑠_3) ∈ S³ such that 𝑠_1 ⊗ 𝑠_2 ∈ 𝐿, 𝑠_2 ⊗ 𝑠_3 ∈ 𝐿 but 𝑠_1 ⊗ 𝑠_3 ∉ 𝐿, and it wouldn't be clear whether the property fails because either (𝑠_1, 𝑠_2) or (𝑠_2, 𝑠_3) should be removed from 𝐿, or because (𝑠_1, 𝑠_3) should be added. Nonetheless, since a counterexample was provided for a fixed length 𝑙, we are guaranteed that 𝐿 restricted to (Σ × Σ)^𝑙 is not a proper encoding of ⪯ ∩ (Σ^𝑙 × Σ^𝑙). A direct enumeration of the sequence (S_𝑘 ∩ Σ^𝑙)_{𝑘≥0} will therefore terminate and provide a counterexample.
In order to effectively implement the procedure, we provide the following equivalent characterization of Proposition 5.4, in terms of first-order formulae.

Proposition 5.5.
Let 𝑅 ⊆ Σ* × Σ* and 𝑘 ∈ ℕ. 𝑅 ∩ (Σ^𝑘 × Σ^𝑘) ≠ ⪯_𝑘 if, and only if, one of the following conditions holds:
(1) ∃𝑠, 𝑡 : (𝑠, 𝑡) ∈ 𝑅 ∧ (𝑠, 𝑡) ∉ S × S;
(2) ∃𝑠 : (𝑠, 𝑠) ∉ 𝑅;
(3) ∃𝑠_1, 𝑠_2, 𝑠_3 : (𝑠_1, 𝑠_2) ∈ 𝑅 ∧ (𝑠_2, 𝑠_3) ∈ 𝑅 ∧ (𝑠_1, 𝑠_3) ∉ 𝑅;
(4) ∃𝑠, 𝑡 : (𝑠, 𝑡) ∉ 𝑅 ∧ (𝑡, 𝑠) ∉ 𝑅;
(5) $$\exists s, t_1, t_2 : (s, t_1) \in R \wedge (s, t_2) \in R \wedge \begin{cases} (t_1, s) \notin R \not\leftrightarrow t_1 \in F(\uparrow_R s) \\ (t_2, s) \notin R \vee t_2 \notin F(\uparrow_R s) \end{cases}$$
where all quantifications are made over Σ^𝑘.

Proof. Property (1) enforces 𝑅 ⊆ S × S, while properties (2)–(4) encode respectively reflexivity, transitivity and totality, as stated by Proposition 5.4, after taking the negation.
We provide here a proof of property (5), built on top of the second property of Proposition 5.4 not being fulfilled. Recall first that 𝐹(𝑋) ⊆ 𝑋 for all 𝑋, and [𝑠]_𝑅 ⊆ ↑_𝑅 𝑠 for any 𝑠, hence the condition [𝑠]_𝑅 = ↑_𝑅 𝑠 = 𝐹(↑_𝑅 𝑠) is equivalent to ↑_𝑅 𝑠 ⊆ [𝑠]_𝑅 ∩ 𝐹(↑_𝑅 𝑠). After taking the negation, the second property of Proposition 5.4 becomes:
$$\exists s : [s]_R \neq \uparrow_R s \setminus F(\uparrow_R s) \;\wedge\; \uparrow_R s \not\subseteq [s]_R \cap F(\uparrow_R s)$$
which is equivalent to:
$$\exists s, t_1, t_2 : \begin{cases} \big((s, t_1) \in R \wedge (t_1, s) \in R\big) \not\leftrightarrow \big((s, t_1) \in R \wedge t_1 \notin F(\uparrow_R s)\big) \\ (s, t_2) \in R \wedge \big((t_2, s) \notin R \vee t_2 \notin F(\uparrow_R s)\big) \end{cases}$$
Hence, after factoring by (𝑠, 𝑡_1) ∈ 𝑅:
$$\exists s, t_1, t_2 : \begin{cases} (s, t_1) \in R \wedge \big((t_1, s) \in R \not\leftrightarrow t_1 \notin F(\uparrow_R s)\big) \\ (s, t_2) \in R \wedge \big((t_2, s) \notin R \vee t_2 \notin F(\uparrow_R s)\big) \end{cases}$$ □

Based on this first-order characterization, we provide an actual implementation of equivalence queries on the candidate language 𝐿, by resorting to queries on length-preserving transducers, namely regular languages over Σ × Σ. For example, property (1) is translated to the query $L \cap \overline{S \otimes S} \stackrel{?}{=} \emptyset$. While the predicates S × S and 𝑅 can be encoded as the regular languages S ⊗ S and 𝐿_𝑐, respectively, property (5) involves the computation of the operator 𝐹 as the following binary predicate:
$$F(\uparrow_R \cdot) = \{\, (s, t) \mid s \in F(\uparrow_R t) \,\}$$
This condition is introduced as the last requirement:
(R3): “𝐹 is effective and uniformly regular”
Conditions (R1)–(R3) are formally defined through the following definition.

Definition 5.6. Let 𝐺 be a function from 2^{Σ*} to 2^{Σ*}.
• 𝐺 is independently length-preserving if ∀𝑙 ∈ ℕ, ∀𝑋 ⊆ Σ*, 𝐺(𝑋 ∩ Σ^𝑙) = 𝐺(𝑋) ∩ Σ^𝑙;
• 𝐺 is effectively uniformly regular if, for any given alphabet Σ′ and 𝐿 ∈ Reg(Σ′ × Σ), the following language is regular and computable:
$$\Big\{\, w' \otimes w \;\Big|\; \exists u \in \Sigma^{|w|} : w \in G\big(\{ u \mid w' \otimes u \in L \}\big) \,\Big\}$$

Theorem 5.7. Assume 𝐹 is an independently length-preserving and uniformly regular function. Then the 𝐿∗ learning procedure described in Section 5.2 eventually terminates and returns 𝐿_⪯ if, and only if, it is regular.

Proof. Thanks to the length-preserving property of 𝐹, the relation ⪯_𝑘 = (Σ^𝑘 × Σ^𝑘) ∩ ⪯ coincides with the disappearance relation initiated from S ∩ Σ^𝑘 with the same operator 𝐹. Uniform and effective regularity enables the effective implementation of the Oracles:
• First of all, membership queries, as well as counterexample generation in the equivalence queries, require the computation of the sequences 𝐹^𝑖(S ∩ Σ^𝑙) for different values of 𝑖, 𝑙 ∈ ℕ. This can be seen as a weaker form of effective regularity, satisfied by the operator.
• The implementation of equivalence queries relies on the translation of the conditions provided by Proposition 5.5 into regular queries on transducers over Σ × Σ. The last condition in particular requires, for a candidate relation 𝑅 encoded as a transducer 𝑅 ∈ Reg(Σ × Σ), the computation of
$$\{\, s \otimes t \mid t \in F(\uparrow_R s) \,\} = \Big\{\, s \otimes t \;\Big|\; \exists u \in \Sigma^{|w|} : t \in F\big(\{ u \mid s \otimes u \in L \}\big) \,\Big\}$$
We conclude with the termination guarantees:
• If 𝐿_⪯ is regular, the 𝐿∗ procedure terminates in polynomial time [5].
• Conversely, if the procedure terminates, the returned language 𝐿 is regular and passed the equivalence query. Therefore, it satisfies the 𝐿_⪯ characterization provided by Proposition 5.5, so 𝐿_⪯ = 𝐿 is regular. □

PPAL∗

We finally address the general case with the following observation.

Proposition 5.8.
Let 𝜑 and 𝜓 be two closed formulae and M a parameterized Kripke structure whose state space is S. For any 𝑋 ⊆ S, we write M|𝑋 for the parameterized Kripke structure restricted to 𝑋, and consider the resulting disappearance relation ⪯ ⊆ S². We have:
$$\llbracket [\varphi!]^* \psi \rrbracket(\mathcal{M}) = \big\{\, s \in S \;\big|\; \exists t \in S : s \in \llbracket \psi \rrbracket(\mathcal{M}|_{\uparrow_\preceq t}) \,\big\}$$
We can easily see that the above set is regular if M and ⪯ are both regular. In order to proceed to their computation, we need to provide the following uniform regularity property.

Proposition 5.9. Let 𝜑 be a closed formula on a regular Kripke structure M. The application 𝐹_𝜑 defined by ∀𝑋 ⊆ S, 𝐹_𝜑(𝑋) = ⟦𝜑⟧(M|𝑋) is length-preserving, effectively and uniformly regular.

Proof. Given 𝐿 ∈ Reg(Σ′ × Σ), we define a new regular Kripke structure M′ storing the information about Σ′ in its state space. The construction of M′ is effective, and by Theorem 4.1, we can compute ⟦𝜑⟧(M′). □

We developed a prototype tool implementation, using the Java libraries LearnLib and AutomataLib [14]. Three different models were specified and then verified, showing the tractability of the procedure:

Model                      Duration      Memory usage
Russian cards              36s           2365MB
Large number               53s           1218MB
𝑀 ≤ 10 Muddy children      TO (5min+)
𝑀 ≤ 11 Muddy children      out of memory
𝑀 < ∞ Muddy children       2.5s          111MB

The rest of the section discusses implementation details and describes the aforementioned models.
Usage. The tool takes as input an automaton description of a regular Kripke structure M and, for each specification 𝜑, computes its satisfaction set. In case the complement ⟦¬𝜑⟧(M) is non-empty, an NFA is returned, which can be interpreted as the set of counterexamples to 𝜑. For usability reasons, the syntax of PPAL∗ is enhanced with several syntactic sugars, but it can also embed dummy formulae, equivalent to ⊤, whose evaluation triggers the visualization of the intermediate constructed automata.

Automaton size. Since specifying a transducer for ⇝ can be quite tedious, we specify a rather general regular Kripke structure encoding only the observations of the agents, and further restrict the state space by applying public announcement constructions. As a matter of fact, the state space after only a few announcements can already require several hundred states. The intermediate computations may even lead to semantics automata of up to millions of states. Note that the ordering of index quantifications inside the specification plays a crucial role, as each quantified index is carried around in one coordinate of the automaton alphabet, as explained by Lemma 4.2.

Experiments were conducted on an i7-8550U CPU @ 1.80GHz machine with 16GB of RAM and JavaSE-1.8. The prototype and models are available online [28].
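The two Oracles of the learning procedure of Section 5.2, as an added Python example that is not the paper's MCPPAL tool: membership queries are answered by iterating 𝐹 on one slice Σ^𝑘 until 𝑠 or 𝑡 disappears, and equivalence queries by testing conditions (1)–(5) of Proposition 5.5 on the candidate relation, then enumerating (S_𝑘 ∩ Σ^𝑙)_𝑘 to extract an actual counterexample. The operator 𝐹 used here is the large number challenge's announcement “nobody knows who has the highest number”, on the slice where both numbers lie in {0, …, 𝑁}. The pair encoding of states, the function names, the fact that the candidate is a Python predicate rather than a transducer, and `correct_candidate` (the relation the iteration happens to produce on this slice) are assumptions of the example.

```python
"""The two L* oracles of the learning procedure, on one finite slice, for the
large number challenge.  Added example, not the paper's MCPPAL tool.

Agents a and b hold distinct numbers in {0, ..., N} (one slice of the unary
encoding corresponds to one N); a state is the pair (x, y).  Agent a observes x
only, b observes y only.  Each round announces "nobody knows who has the
highest number":  F(X) = {s in X | neither agent knows the order in M|X}.
The candidate relation R is a predicate on pairs of the slice (assumption: it
stands in for the transducer the real procedure would learn).
"""
from itertools import product


def universe(N):
    """The whole slice: every pair, whether or not it is a state."""
    return [(x, y) for x in range(N + 1) for y in range(N + 1)]


def is_state(s):
    """S: the two numbers are distinct."""
    return s[0] != s[1]


def knows_order(agent, s, X):
    """Exists i: [agent](a_i and not b_i) or [agent](not a_i and b_i).  In the
    unary encoding this holds iff every state of X the agent cannot distinguish
    from s orders x and y the same way s does."""
    view = [t for t in X if t[agent] == s[agent]]
    return all((t[0] > t[1]) == (s[0] > s[1]) for t in view)


def F(X):
    """One truthful announcement: keep the states of X where nobody knows."""
    X = frozenset(X)
    return frozenset(s for s in X if is_state(s)
                     and not knows_order(0, s, X) and not knows_order(1, s, X))


def iterate(N):
    """S_0, S_1, ... up to the fixpoint; returns the whole decreasing chain."""
    chain = [frozenset(s for s in universe(N) if is_state(s))]
    while True:
        nxt = F(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def membership_query(N, s, t):
    """Is s (x) t in L_⪯?  Iterate on the slice and stop as soon as s or t leaves."""
    for X in iterate(N):
        if s not in X:
            return True       # s left first (or together with t): s ⪯ t
        if t not in X:
            return False      # t left while s was still present
    return True               # neither left: both in S_inf, hence s ⪯ t


def up_R(R, s, U):
    """The upward-closure of s under the candidate R, over the universe U."""
    return frozenset(t for t in U if R(s, t))


def find_violation(N, R):
    """Conditions (1)-(5) of Proposition 5.5 on candidate R.  (2)-(5) range over
    the states S, as Proposition 5.4 concerns a pre-order on S.  Returns
    (condition, witness) or None when R passes all of them."""
    U = universe(N)
    S = [s for s in U if is_state(s)]
    for s, t in product(U, U):                         # (1) R inside S x S
        if R(s, t) and not (is_state(s) and is_state(t)):
            return 1, (s, t)
    for s in S:                                        # (2) reflexivity
        if not R(s, s):
            return 2, (s,)
    for s1, s2, s3 in product(S, S, S):                # (3) transitivity
        if R(s1, s2) and R(s2, s3) and not R(s1, s3):
            return 3, (s1, s2, s3)
    for s, t in product(S, S):                         # (4) totality
        if not R(s, t) and not R(t, s):
            return 4, (s, t)
    for s in S:                                        # (5) [s] against F(up_R s)
        fu = F(up_R(R, s, U))
        for t1, t2 in product(S, S):
            if (R(s, t1) and R(s, t2)
                    and ((not R(t1, s)) != (t1 in fu))
                    and (not R(t2, s) or t2 not in fu)):
                return 5, (s, t1, t2)
    return None


def equivalence_query(N, R):
    """Equivalence oracle: None if R encodes ⪯ on this slice; otherwise the failed
    condition and a pair in the symmetric difference of R and L_⪯, found by
    enumerating the sequence (S_k) through membership queries."""
    v = find_violation(N, R)
    if v is None:
        return None
    for s, t in product(universe(N), repeat=2):
        truth = is_state(s) and is_state(t) and membership_query(N, s, t)
        if R(s, t) != truth:
            return v[0], (s, t)
    raise AssertionError("Proposition 5.5: a violation implies a counterexample")


def correct_candidate(N):
    """The relation the iteration yields on this slice (assumption of the example,
    confirmed by the oracle): s ⪯ t iff d(s) <= d(t), where d(x, y) is the distance
    of x and y to the boundary {0, N}: d(x, y) = min(x, N - x, y, N - y)."""
    def d(s):
        return min(s[0], N - s[0], s[1], N - s[1])
    return lambda s, t: is_state(s) and is_state(t) and d(s) <= d(t)
```

The chain returned by `iterate` ends with the empty set on every slice, which is the finite-slice view of the page's claim that the iterated announcement {¬(∃𝑖 ∃𝑗 : …)!}∗⊥ holds, i.e. the protocol terminates. A candidate such as “𝑎's number in 𝑠 is at most 𝑎's number in 𝑡” is a total pre-order on S and so passes conditions (1)–(4); it is only condition (5), the one involving 𝐹, that rejects it, matching the remark below that this last property is the expensive part of an equivalence check.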
Learning procedure. Although several DFA learning algorithms are provided by LearnLib, the classical Angluin's 𝐿∗ turned out to be sufficient for our experiments: for all our examples, whenever termination was guaranteed, the algorithm converged within a minute. The most expensive task of the equivalence check is the last property of Proposition 5.5: it is indeed the only criterion involving the evaluation of the PPAL formula. Fortunately, many equivalence queries fail on the previous criteria, which are less expensive to check.

This puzzle [33] involves 𝑁 different cards which are distributed between three players, Alice, Bob and Cathy. The goal of the game is for Alice and Bob to exchange messages publicly, in order to get to know who has which card in their hand, without disclosing any individual card information to Cathy.
In the one-round setting, Alice broadcasts a first message, then Bob replies, which concludes the protocol. As Bob can only announce a piece of information he already knows, his message can trivially be assumed to announce Cathy's cards. In other words, the one-round case focuses on Alice's announcement.

Kripke structure.
We let 𝐴𝑃 = {𝑎, 𝑏, 𝑐}, and the only agent indexes involved are 𝑎 = 𝑏 = 2, and 𝑐 = 3. For 𝑥 ∈ 𝐴𝑃 and 𝑖 ∈ ℕ, 𝑥_𝑖 holds iff agent 𝑥 has card 𝑖 in their hand. Moreover, we assume that 𝑎_𝑖, 𝑏_𝑖 and 𝑐_𝑖 are mutually exclusive (each card appears in only one hand). We easily check that M is regular.

Specification.
An announcement of Alice is any statement about her own observation, namely a characterization of the cards in her hand, or equivalently {{𝑖, 𝑖, 𝑖}, {𝑖, 𝑖, 𝑖}, …} seen as a set of possible hands. However, this representation is not fit for a parameterized context, where the total number of cards is not fixed a priori. Instead, we consider announcements specified in a parameterized manner, namely in the propositional fragment of PPAL, involving only index quantifications, the atomic proposition 𝑎 and no epistemic operator. A formula 𝜓 is a good announcement if, furthermore, it satisfies:
$$
\varphi_{good} = \psi \wedge \{\psi!\}
\left(
\begin{array}{ll}
\forall i,\ [b]a_i \vee [b]b_i \vee [b]c_i & \text{// } b \text{ knows the distribution} \\[4pt]
\forall i,\ \neg c_i \to \begin{cases} \langle c\rangle a_i \wedge \langle c\rangle \neg a_i \\ \langle c\rangle b_i \wedge \langle c\rangle \neg b_i \end{cases} & \text{// } c \text{ doesn't know}
\end{array}
\right)
\qquad \text{// truthful PA}
$$
While [3] provides several sufficient and necessary conditions on the number of cards received by each participant, we focus here on a single example of (sufficient) good announcement, provided by [3, Proposition 5] in the case where 𝑁 % 3 = 0, Alice receives 3 cards, Cathy only one, and Bob the rest (property 𝜑_model).
If Alice received the first three cards, the following announcement is claimed to be good:
$$\psi \equiv \exists j : j \,\%\, 3 = 0 \wedge \big( (a_j \wedge a_{j+1} \wedge a_{j+2}) \vee (a_j \wedge a_{j+} \wedge a_{j+}) \big)$$
which can be checked with the verification question:
$$\mathcal{M} \stackrel{?}{\models} \{\varphi_{model}!\}\big( a_0 \wedge a_1 \wedge a_2 \to \varphi_{good} \big)$$
We leave to the reader the generalization to any initial hand of Alice and the specification of 𝜑_model.
$$
\varphi_{model} \equiv
\begin{cases}
N \,\%\, 3 = 0 \\
\exists i : c_i \wedge \forall j : c_j \to i = j \\
\exists i, j, k : i \neq j \wedge i \neq k \wedge j \neq k \wedge a_i \wedge a_j \wedge a_k \wedge \forall l,\ a_l \to i = l \vee j = l \vee k = l
\end{cases}
$$

The learning procedure diverges if, and only if, 𝐿_⪯ is not regular.

We can assume that ⇝_𝑖 is trivial for 𝑖 ≥ .

Remark:
If Alice is not given the cards 0, 1, 2, nor another combination specified by 𝜓, the announcement is not valid. However, it can be rewritten depending on Alice's current hand. Let 𝑥 and 𝑦 be two index variables. For any formula 𝜑, we denote by 𝜑[𝑥|𝑦] the formula where any propositional sub-formula 𝑝_𝑖 has been rewritten into (𝑖 = 𝑥 ∧ 𝑎_𝑦) ∨ (𝑖 = 𝑦 ∧ 𝑎_𝑥) ∨ (𝑖 ∉ {𝑥, 𝑦} ∧ 𝑎_𝑖). The previous verification question is converted into:
$$\mathcal{M} \stackrel{?}{\models} \{\varphi_{model}!\}\Big( \exists x_1, y_1, x_2, y_2 : [a]\, \varphi_{good}\big(\psi[x_1|y_1][x_2|y_2]\big) \Big)$$
Note that the choice of a satisfying set of indices 𝑥_1, 𝑥_2, 𝑦_1, 𝑦_2 must not be serendipitous: it should work for all possible hands of 𝑏 and 𝑐 that 𝑎 may imagine, hence the universal [𝑎] quantification. Note also that we need to swap only two pairs of cards to reconstitute a triple of cards appearing in 𝜓.

The highest number problem involves two agents Alice and Bob, both receiving a different natural number between 0 and 𝑁, which they keep private. We model this situation by 𝐴𝑃 = {𝑎, 𝑏}, and encode the observation of 𝑎 = 𝑏 = ; 𝛼 ∈ 𝐴𝑃 is used to encode 𝛼's number in unary. At each round, they are both asked simultaneously if one of them knows who has the highest number. If not, a public announcement is made of this fact. If yes, the game stops. The termination of this protocol is checked by the following iterated announcement, which we successfully verify:
$$\big\{ \neg\big(\exists i\, \exists j : [j](a_i \wedge \neg b_i) \vee [j](\neg a_i \wedge b_i)\big) ! \big\}^* \bot$$

In this section, assume the number of muddy children is bounded by some fixed 𝑀 ∈ ℕ, although the total number of children is left as a parameter 𝑁. This assumption is implemented as a public announcement made on the regular Kripke structure of Example 3.8:
$$\{\exists i : m_i !\}\ \Big\{ \exists i_1 \dots i_M : \forall j : m_j \to \bigvee_{k=1}^{M} j = i_k \ ! \Big\}$$
Intuitively, the effect of these announcements is to construct the product automaton of the original transducer 𝑇_M with a finite automaton of size 𝑀 + 𝑂(𝑀). Then, we proceed to the iterated announcement {∀𝑖, ⟨𝑖⟩¬𝑚_𝑖 !}∗, which reduces to the disappearance relation computation: for 𝑠, 𝑡 ∈ S, 𝑠 ⪯ 𝑡 if, and only if, |𝑠|_𝑚 ≤ |𝑡|_𝑚. As a matter of fact, the protocol terminates after |𝑠|_𝑚 announcements of the father whenever there are exactly |𝑠|_𝑚 muddy children. This relation can be effectively encoded as a length-preserving transducer counting the difference between the numbers of muddy children in 𝑠 and 𝑡, which lies between −𝑀 and 𝑀. As predicted, our algorithm successfully computes a transducer for ⪯, with 𝑂(𝑀) states.

We now remove the boundedness condition. As before, ⪯ has to compare the numbers of muddy children of two given states, which can now be arbitrarily large: take for example 𝑚^𝑛 𝑐^𝑛 ⪯ 𝑐^𝑛 𝑚^𝑛. As a consequence, 𝐿_⪯ is not regular anymore and the learning procedure doesn't terminate. Nonetheless, we observe that the problem is invariant under permutation; more precisely:
• the formula 𝜑 lies in a fragment of PPAL∗ without index comparisons of the form 𝑖 = 𝑗 + 𝑘 for any 𝑘 ≠ 0;
• for any word 𝑤 ∈ 𝑇_M and any bijection 𝜎 on [|𝑤|], 𝑤[𝜎(0)] … 𝑤[𝜎(|𝑤| − 1)] ∈ 𝑇_M.
Therefore, we proceed to a counting abstraction of the model, restricting the regular Kripke structure. Informally, we want to preserve the property that a transition 𝑠 ⇝_𝑖 𝑡 is valid if, and only if, there exists some agent 𝑗 with the same “local state” as 𝑖 that can perform this transition. Here, the announcement translates to “there is still a muddy child who doesn't know”. As the state space is reduced to 𝑐*𝑚*, our rewriting actually consists in a unary encoding of the numbers of clean and muddy children. As for the largest number challenge, the disappearance relation is regular, and we successfully verify the rewritten formula:
$$\varphi \equiv \{\forall i,\ \neg m_{i+1} \to \neg m_i !\}\ \{\exists i : m_i !\}\ \{\exists i : m_i \wedge \langle i\rangle \neg m_i !\}^* \bot$$

Related Work.
Finite-state model checkers for various epistemic logics are available, e.g., MCMAS [21], DEMO [32, 37], SMCDEL [31], and MCK [12]. Kouvaros and Lomuscio [17] have studied cutoff techniques for ACTL*K\X, a temporal-epistemic logic combining S5 and the temporal logic ACTL*\X, which is used in MCMAS. Roughly speaking, a cutoff exists for a parameterized system when the behavior of any instance of the system can be simulated (using an appropriate notion of simulation) by the behavior of systems of a fixed computable parameter size 𝑘, which would allow us to reduce the parameterized model checking problem to finite-state model checking (up to parameters of size 𝑘). This cutoff technique — as is the case with most cutoff methods (see [8, 38]) — needs to be specially tuned to different subclasses of parameterized systems. We are not aware of the existence of such cutoff values for the systems that we consider in this paper. Our regular model checking method is complementary to such cutoff methods. The method is fully automatic, but it might not terminate in general (albeit we also provide termination guarantees). To the best of our knowledge, our method provides the first automatic solution to the parameterized verification problem for the muddy children puzzle, the Russian cards puzzle [33], and the large number challenge, all of which have been studied in the finite-state case (e.g. see [21, 31, 32, 37]).

Future Work.
Natural extensions of PPAL∗ include the support of dynamic properties, enabling the specification and verification of richer communication protocols, where the communication pattern is non-deterministic [21]. The study of the disappearance relation revealed that the chosen encoding is crucial for termination. The counting abstraction sketched for the muddy children case would benefit from a systematic approach. Once the symmetries have been detected in the automatic structure, which can be implemented with transducer techniques [19], a lossless Parikh image [24] could be computed in terms of a Presburger formula [26]. As the PPAL semantics involves only boolean, synchronous product and morphism operations, the computation could be performed in this domain. We leave this for future work. We would also like to investigate the possibility of developing the cutoff methods of [17] for the examples that we consider in this paper.

ACKNOWLEDGMENTS
This work was supported by the ERC Starting Grant 759969 (AV-SMP) and Max-Planck Fellowship.
REFERENCES
[1] Parosh Aziz Abdulla. 2012. Regular model checking. Int. J. Softw. Tools Technol. Transf. 14, 2 (2012), 109–118. https://doi.org/10.1007/s10009-011-0216-8
[2] Parosh Aziz Abdulla, Bengt Jonsson, Marcus Nilsson, and Mayank Saksena. 2004. A Survey of Regular Model Checking. In CONCUR 2004 - Concurrency Theory, 15th International Conference, London, UK, August 31 - September 3, 2004, Proceedings (Lecture Notes in Computer Science), Philippa Gardner and Nobuko Yoshida (Eds.), Vol. 3170. Springer, 35–48. https://doi.org/10.1007/978-3-540-28644-8_3
[3] Michael H. Albert, Robert E. L. Aldred, Mike D. Atkinson, Hans P. van Ditmarsch, and Chris C. Handley. 2005. Safe communication for card players by combinatorial designs for two-step protocols. Australas. J Comb. 33 (2005), 33–46. http://ajc.maths.uq.edu.au/pdf/33/ajc_v33_p033.pdf
[4] Benjamin Aminof, Aniello Murano, Sasha Rubin, and Florian Zuleger. 2016. Automatic Verification of Multi-Agent Systems in Parameterised Grid-Environments. In Proceedings of the 2016 International Conference on Autonomous Agents & Multiagent Systems, Singapore, May 9-13, 2016, Catholijn M. Jonker, Stacy Marsella, John Thangarajah, and Karl Tuyls (Eds.). ACM, 1190–1199. http://dl.acm.org/citation.cfm?id=2937098
[5] Dana Angluin. 1987. Learning Regular Sets from Queries and Counterexamples. Inf. Comput. 75, 2 (Nov. 1987), 87–106. https://doi.org/10.1016/0890-5401(87)90052-6
[6] Krzysztof R. Apt and Dexter Kozen. 1986. Limits for Automatic Verification of Finite-State Concurrent Systems. Inf. Process. Lett. 22, 6 (1986), 307–309. https://doi.org/10.1016/0020-0190(86)90071-2
[7] Francesco Belardinelli and Alessio Lomuscio. 2009. Quantified epistemic logics for reasoning about knowledge in multi-agent systems. Artif. Intell.
[8] Decidability of Parameterized Verification. Morgan & Claypool Publishers. https://doi.org/10.2200/S00658ED1V01Y201508DCT013
[9] A. Blumensath. 1999. Automatic Structures. Master's thesis. RWTH Aachen.
[10] A. Blumensath and E. Grädel. 2004. Finite Presentations of Infinite Structures: Automata and Interpretations. Theory Comput. Syst. 37, 6 (2004), 641–674.
[11] Ronald Fagin, Joseph Y. Halpern, Yoram Moses, and Moshe Vardi. 1995. Reasoning about Knowledge. MIT Press.
[12] Peter Gammie and Ron van der Meyden. 2004. MCK: Model Checking the Logic of Knowledge. In Computer Aided Verification, 16th International Conference, CAV 2004, Boston, MA, USA, July 13-17, 2004, Proceedings. 479–483. https://doi.org/10.1007/978-3-540-27813-9_41
[13] Nina Gierasimczuk and Jakub Szymanik. 2011. A Note on a Generalization of the Muddy Children Puzzle. In Proceedings of the 13th Conference on Theoretical Aspects of Rationality and Knowledge (TARK XIII). Association for Computing Machinery, New York, NY, USA, 257–264. https://doi.org/10.1145/2000378.2000409
[14] Malte Isberner, Falk Howar, and Bernhard Steffen. 2015. The Open-Source LearnLib. In Computer Aided Verification, Daniel Kroening and Corina S. Păsăreanu (Eds.). Springer International Publishing, Cham, 487–495.
[15] Michael J. Kearns and Umesh V. Vazirani. 1994. An Introduction to Computational Learning Theory. MIT Press. https://mitpress.mit.edu/books/introduction-computational-learning-theory
[16] Panagiotis Kouvaros and Alessio Lomuscio. 2013. Automatic verification of parameterised multi-agent systems. In International conference on Autonomous Agents and Multi-Agent Systems, AAMAS '13, Saint Paul, MN, USA, May 6-10, 2013, Maria L. Gini, Onn Shehory, Takayuki Ito, and Catholijn M. Jonker (Eds.). IFAAMAS, 861–868. http://dl.acm.org/citation.cfm?id=2485057
[17] Panagiotis Kouvaros and Alessio Lomuscio. 2016. Parameterised verification for multi-agent systems. Artificial Intelligence 234 (2016), 152–189. https://doi.org/10.1016/j.artint.2016.01.008
[18] Daniel Kroening and Ofer Strichman. 2008. Decision Procedures. Springer.
[19] Anthony W. Lin, Truong Khanh Nguyen, Philipp Rümmer, and Jun Sun. 2016. Regular Symmetry Patterns. In Verification, Model Checking, and Abstract Interpretation, Barbara Jobstmann and K. Rustan M. Leino (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 455–475.
[20] Alessio Lomuscio and Edoardo Pirovano. 2020. Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems. In Proceedings of the 19th International Conference on Autonomous Agents and Multiagent Systems, AAMAS '20, Auckland, New Zealand, May 9-13, 2020, Amal El Fallah Seghrouchni, Gita Sukthankar, Bo An, and Neil Yorke-Smith (Eds.). International Foundation for Autonomous Agents and Multiagent Systems, 762–770. https://dl.acm.org/doi/abs/10.5555/3398761.3398852
[21] Alessio Lomuscio, Hongyang Qu, and Franco Raimondi. 2017. MCMAS: An Open-Source Model Checker for the Verification of Multi-Agent Systems. Int. J. Softw. Tools Technol. Transf. 19, 1 (Feb. 2017), 9–30. https://doi.org/10.1007/s10009-015-0378-x
[22] Joseph S. Miller and Lawrence S. Moss. 2005. The Undecidability of Iterated Modal Relativization. Stud Logica 79, 3 (2005), 373–407. https://doi.org/10.1007/s11225-005-3612-9
[23] Marvin Minsky. 1967. Computation: Finite and Infinite Machines. Prentice Hall International.
[24] Rohit J. Parikh. 1966. On Context-Free Languages. J. ACM 13, 4 (Oct. 1966), 570–581. https://doi.org/10.1145/321356.321364
[25] Jan Plaza. 2007. Logics of public communications. Synth.
[26] Automata, Languages and Programming, Josep Díaz, Juhani Karhumäki, Arto Lepistö, and Donald Sannella (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 1136–1149.
[27] Michael Sipser. 1997. Introduction to the Theory of Computation. PWS Publishing Company.
[28] Daniel Stan and Anthony W. Lin. 2021. MCPPAL: Regular Model Checking for Parametric Public Announcement Logic (Artifact). https://zenodo.org/record/4507467. (2021). https://doi.org/10.5281/zenodo.4507467 Source: https://arg-git.informatik.uni-kl.de/ds/mcppal.
[29] Anthony Widjaja To. 2009. Model Checking FO(R) over One-Counter Processes and beyond. In Computer Science Logic, Erich Grädel and Reinhard Kahle (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 485–499.
[30] Anthony Widjaja To and Leonid Libkin. 2010. Algorithmic Metatheorems for Decidable LTL Model Checking over Infinite Systems. In FoSSaCS. 221–236. https://doi.org/10.1007/978-3-642-12032-9_16
[31] Johan van Benthem, Jan van Eijck, Malvin Gattinger, and Kaile Su. 2018. Symbolic model checking for Dynamic Epistemic Logic - S5 and beyond. J. Log. Comput. 28, 2 (2018), 367–402. https://doi.org/10.1093/logcom/exx038
[32] Hans van Ditmarsch and Ji Ruan. 2007. Model Checking Logic Puzzles. (Nov. 2007). https://hal.archives-ouvertes.fr/hal-00188953 Working paper or preprint.
[33] Hans P. van Ditmarsch. 2003. The Russian Cards Problem. Stud Logica 75, 1 (2003), 31–62. https://doi.org/10.1023/A:1026168632319
[34] Hans P. van Ditmarsch, Ji Ruan, and L. C. Verbrugge. 2005. Model Checking Sum and Product. In AI 2005: Advances in Artificial Intelligence, 18th Australian Joint Conference on Artificial Intelligence, Sydney, Australia, December 5-9, 2005, Proceedings (Lecture Notes in Computer Science), Shichao Zhang and Ray Jarvis (Eds.), Vol. 3809. Springer, 790–795. https://doi.org/10.1007/11589990_82
[35] Hans P. van Ditmarsch, Wiebe van der Hoek, and Barteld Kooi. 2008. Dynamic Epistemic Logic. Springer.
[36] Hans P. van Ditmarsch, Wiebe van der Hoek, Ron van der Meyden, and Ji Ruan. 2006. Model Checking Russian Cards. Electron. Notes Theor. Comput. Sci.