Towards a Coalgebraic Interpretation of Propositional Dynamic Logic
arXiv [cs.LO]
Ernst-Erich Doberkat
Technische Universität Dortmund
[email protected]
November 28, 2017
Abstract
The interpretation of propositional dynamic logic (PDL) through Kripke models requires the relations constituting the interpreting Kripke model to closely observe the syntax of the modal operators. This poses a significant challenge for an interpretation of PDL through stochastic Kripke models, because the programs' operations do not always have a natural counterpart in the set of stochastic relations. We use rewrite rules for building up an interpretation of PDL. It is shown that each program corresponds to an essentially unique irreducible tree, which in turn is assigned a predicate lifting, serving as the program's interpretation. The paper establishes and studies this interpretation. It discusses the expressivity of probabilistic models for PDL and relates properties like logical and behavioral equivalence or bisimilarity to the corresponding properties of a Kripke model for a closely related non-dynamic logic of the Hennessy-Milner type.
The interpretation of propositional dynamic logic (PDL) through Kripke models requires, as is customary in modal logics, the relations in the interpreting Kripke model to closely observe the syntactic properties of the modal operators [1, Section 2.4]. For example, the nondeterministic choice π ∪ π′ of programs π and π′ is usually interpreted through the relation R_{π ∪ π′} which satisfies R_{π ∪ π′} = R_π ∪ R_{π′}, and the relation for the indefinite iteration π∗ should satisfy R_{π∗} = R_π∗. This poses a significant challenge for an interpretation of PDL through stochastic Kripke models, because the programs' operations do not always have a natural counterpart in the set of stochastic relations. Clearly, operations like K_π ∪ K_{π′} or K_π∗ hardly make sense for transition probabilities K_π and K_{π′}. In addition, an interpretation of PDL usually observes some tacit assumptions on the "static" semantics like π ; (π ∪ π) = π ; π ∪ π ; π. We convert these implicit assumptions into rewrite rules. This permits building up an interpretation of PDL through terms in an algebra. Because we have to cater for the indefinite iteration of a program, the algebra admits an operator of infinite arity. It is shown that each program corresponds to an essentially unique irreducible tree, which in turn is assigned a

∗ Research funded in part by Deutsche Forschungsgemeinschaft, grant DO 263/12-1, Koalgebraische Eigenschaften stochastischer Relationen.

while-loop — requires a base space which is closed under the well-known Souslin operation from set theory. This is in particular inconvenient when the state space is assumed to be Polish: these spaces are closed under this operation only if they are finite. Hence previous results on the stochastic coalgebraic interpretation of modal logics are difficult to apply. The paper discusses the expressivity of these models and relates properties like logical and behavioral equivalence or bisimilarity to the corresponding properties of a Kripke model for a closely related non-dynamic logic of the Hennessy-Milner type.

We will in Section 2 have a look at term rewriting for programs, producing an irreducible tree from a program. This tree is well-founded, hence has no infinitely long paths, but it may have nodes with an infinite fan-out; these are exactly the nodes which correspond to the while-loop. We are able to produce an interpretation from an irreducible tree, provided we can interpret primitive programs, and we know how to handle the choice and the iteration operator. These operators are given through natural transformations for the Borel functor. We study these transformations in Section 3 together with some properties of the underlying measurable spaces; this becomes necessary because the presence of the iteration operator complicates the measurable structure of the validity sets, as shown in [9]. Sections 4 and 5 deal with models and interpretations: we first define the usual Kripke models and extend them to incorporate natural transformations. They will then help to define the semantics of PDL formulas. On the other hand, a simple modal logic of the Hennessy-Milner type is defined, the modal operators being given through the primitive programs. These logics are compared and help to give some insight into the question of expressivity; again, we have to be a bit careful because the case bisimilarity vs. behavioral equivalence makes some topological assumptions mandatory for a successful discussion. This requires extending the notion of a model in Section 6 for capturing fully the development discussed so far. A satisfactory answer on the equivalence of all three variants of expressivity can be given under the assumption that the respective sets of atomic expressions and of primitive programs both are countable. Finally, Section 7 wraps it all up and suggests further work.
The modalities for PDL are given through a simple grammar which is intended to model programs. When interpreting the logic through a Kripke model, the problem arises that not each modal operator has a relation associated with it. Associating a relation with each primitive program and working in a monad permits interpreting the composition of primitive programs through Kleisli composition, but there is no provision for interpreting operators like the nondeterministic choice or the indefinite iteration. These interpretations have to be constructed explicitly. In order to be able to do this, we study the set of all programs first, introducing rewrite rules and equations for reducing programs to a simpler, more manageable form.

The grammar for programs over the set U of primitive programs is given by

π ::= ̺ | π ∪ π | π ; π | π∗

with ̺ ∈ U. We assume that the empty program ǫ is a member of U. The set P(U) of programs over U is perceived as the term algebra over the constants U with the unary operation ·∗ and the binary operations {;, ∪}. Program π ∪ π is the nondeterministic choice of programs π and π, π ; π is sequential composition, and π∗ is indefinite iteration: executing π∗ entails executing π k times with k ≥

⋁ of infinite arity. Denote the term algebra for the operators {;, ∪, ∗, ⋁} over U by E(U). The free semigroup over U with respect to sequential program composition (the basic blocks of compiler construction) is denoted by Ω(U).

Each program π is given an ordinal number w(π) as its weight. It is defined recursively through

w(π) :=
  , if π = ǫ,
  , if π ∈ U \ {ǫ},
  w(π) · w(π), if π = π ; π,
  w(π) + w(π) + 1, if π = π ∪ π,
  sup_{k∈N} w(π^k), if π = π∗.

Here π^k is defined as the k-fold iteration of π, thus π^k := ǫ if k = 0, and π^k := π^{k−1} ; π otherwise.
From the definition it is clear that w(π) < ∞ iff π does not contain any iteration, i.e., a subexpression of the form π∗.

The static semantics of program composition is usually given through informal rules: executing π ; (π ∪ π), i.e., executing first π and then choosing between π and π, should be the same as choosing between π ; π and π ; π, or executing π ; π∗ ; π should give the choice of executing π ; π (i.e., not executing π at all), and π ; π ; π∗ ; π (i.e., executing π at least once in the context of π and π). It helps for a coalgebraic interpretation to have a formal specification of these rules. We propose to use rewrite rules for this, augmented by equations which state properties like associativity.

We introduce these rewrite rules (in order to avoid parentheses, we assume that operator ; binds tighter than the operator ∪):

(d_l)  x ; (y ∪ z) → x ; y ∪ x ; z
(d_r)  (x ∪ y) ; z → x ; z ∪ y ; z
(d_ǫ)  x∗ → ǫ ; x∗ ; ǫ
(d_∗)  x ; y∗ ; z → x ; y ∪ x ; y ; y∗ ; z

These are the equations:

(id_l)   ǫ ; x ≈ x
(id_r)   x ; ǫ ≈ x
(ass_s)  x ; (y ; z) ≈ (x ; y) ; z
(ass_u)  x ∪ (y ∪ z) ≈ (x ∪ y) ∪ z
(comm)   x ∪ y ≈ y ∪ x
(idm)    x ∪ x ≈ x
(dis_∞)  ⋁⟨x^k | k ≥ ⟩ ≈ x ∪ ⋁⟨x^{k+1} | k ≥ ⟩
(transp) ⋁⟨⋁⟨x^{k,ℓ} | k ≥ ⟩ | ℓ ≥ ⟩ ≈ ⋁⟨⋁⟨x^{k,ℓ} | ℓ ≥ ⟩ | k ≥ ⟩

The first group of equations states that ǫ plays the role of the program skip, and that choice as well as sequential composition are associative; choice is commutative as well. The last group deals with the operator ⋁, which is assumed to be the implementation of the indefinite iteration. Equation (dis_∞) is akin to an infinite associative law: considering an infinite choice of programs is the same as considering the choice between the first one and the rest.
Equation (transp) says that π∗ ; π∗ can be interpreted either as π terminating after a finite number of steps followed by π∗, or as π∗ followed by a finite number of executions of π.

The set X of variables is assumed to be a countable set. As usual, a substitution σ is a map from X to P(U) which is extended accordingly.

Following [3], a term α ∈ E(U) is perceived as an ordered tree, each node in which has an address a in the Dewey notation (the node with address a = . . is reached through taking the leftmost son of the root, then its second son and finally the fourth offspring); the subtree of α rooted at the node which has the address a is denoted by α|_a. Denote by α[γ]_a the tree in which the subtree of α which is rooted at a is replaced by the tree associated with term γ.

We say that α ⇒ β iff there exists a rule l → r, a position a and a substitution σ such that α|_a = σ(l) and α[σ(r)]_a = β. The reflexive-transitive closure of ⇒ is denoted as usual by ⇒∗. Call α ∈ E(U) irreducible iff there is no β ∈ E(U) with α ⇒∗ β and β ≠ α.

Denote by ≡ the congruence defined by ≈ ∪ ⇒ on E(U), thus ≡ is the smallest equivalence relation on E(U) which is compatible with the operations {;, ∪, ∗, ⋁} on E(U) and which contains the relation ≈ ∪ ⇒. The canonical projection which assigns α ∈ E(U) its class [α]_≡ is denoted by η_≡ : E(U) → E(U)/≡.

The following statement shows that rewriting a program with finite weight always terminates. It does not give, however, a unique result; the result is rather determined uniquely up to ≡ (which is not surprising given, e.g., associativity, commutativity and idempotence of the nondeterministic choice).

Lemma 2.1
Let π ∈ P(U) be a program with w(π) < ∞. Then there exists F ⊆ Ω(U) finite with π ≡ ⋃F. If π ≡ ⋃F′ for some finite F′ ⊆ Ω(U), then η_≡[F] = η_≡[F′].

Proof
Note that w(π ; (π ∪ π)) > w(π ; π ∪ π ; π) (see [3, p. 270]), similarly for rule (d_r). Because w(π) < ∞, any application of the rewrite rules (d_l) and (d_r) terminates. Thus π ≡ ⋃F for some F ⊆ Ω(U) finite. Uniqueness up to ≡ is established by induction on the structure of π. ⊣

These are some properties of irreducible elements of E(U).

Lemma 2.2
Denote by I(U) the set of irreducible elements in E(U).
a) I(U) is closed under the operators ∪ and ⋁.
b) If β, β ∈ I(U), there exists β′ ∈ I(U) such that β ; β ≡ β′.
c) If π ∈ P(U) with w(π) < ∞, then π is irreducible iff there exists F ⊆ Ω(U) with π =_(ass_s) ⋃F, where =_(ass_s) denotes equality modulo associativity of operator ;.

Proof
1. It is clear that I(U) is closed under ∪ because there is no rewrite rule which has ∪ as its main operator on its left hand side. It is also clear that I(U) is closed under the infinite operator ⋁, because each transformation of such a term is pushed into its components. Each element of Ω(U) is irreducible, so is their finite union. From this follows the claim for programs of finite rank.

2. Note that the syntax tree associated with an element of E(U) is well formed, since it does not have paths of infinite length. An easy induction on the tree for β ∈ I(U) shows that if ̺ ∈ Ω(U), then there exists β′ ∈ I(U) with ̺ ; β ≡ β′. In fact, if β = π ∈ P(U) with w(π) < ∞, or if β ≡ β ∪ β with irreducible β, β, the claim follows easily. If we can write β ≡ β ; β, then irreducibility of β implies irreducibility of ̺ ; β. Finally, assume that β ≡ ⋁⟨β_k | k ≥ ⟩, then all β_k are irreducible, and ̺ ; β ≡ ⋁⟨̺ ; β_k | k ≥ ⟩. For ̺ ; β_k we find β′_k with ̺ ; β_k ≡ β′_k by the induction hypothesis, so that β ≡ β′ := ⋁⟨β′_k | k ≥ ⟩ with β′ ∈ I(U).

3. We show now that β, β ∈ I(U) implies the existence of β′ ∈ I(U) with β ; β ≡ β′ by induction on the syntax tree for β. If this tree is finite, then parts 1. and 2. show that β ; β ≡ ⋃_{̺∈F} ̺ ; β ≡ ⋃_{̺∈F} β_̺ with β_̺ ∈ I(U) for some finite F ⊆ Ω(U). Assume β = ⋁⟨β_k | k ≥ ⟩. By the induction hypothesis we know that for each k there exists β′_k ∈ I(U) such that β_k ; β ≡ β′_k, so that β ; β ≡ ⋁⟨β′_k | k ≥ ⟩, the latter being irreducible. If the tree for β is infinite and has the operator ; as its root, say β = β_a ; β_b, then at least one of the trees for β_a or β_b is infinite. Assume without loss of generality that β_a = ⋁⟨β_{a,k} | k ≥ ⟩, then β ≡ ⋁⟨β_{a,k} ; β_b | k ≥ ⟩. Consequently, the induction hypothesis may be applied through the same argumentation as above.
⊣

This has as an immediate consequence that each program is equivalent to an irreducible one (which may have infinite branches).
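As an added worked example (not code from the paper), the following Python program implements the finite-weight part of Lemmas 2.1 and 2.2(c): the program grammar over U, the rewrite rules (d_l) and (d_r) applied at positions inside the term, and the reading of the irreducible result as a finite set F ⊆ Ω(U) of basic blocks modulo (ass_s), (id_l), (id_r), (ass_u), (comm) and (idm). The class and function names, the primitive names and the sample program are our own choices.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# Programs over primitive programs U:  π ::= ̺ | π ∪ π | π ; π | π*
EPS = "eps"  # the empty program ǫ, assumed to be a member of U


@dataclass(frozen=True)
class Prim:
    name: str  # ̺ ∈ U


@dataclass(frozen=True)
class Choice:
    left: "Prog"  # π ∪ π'
    right: "Prog"


@dataclass(frozen=True)
class Seq:
    left: "Prog"  # π ; π'
    right: "Prog"


@dataclass(frozen=True)
class Star:
    body: "Prog"  # π*


Prog = Union[Prim, Choice, Seq, Star]
Block = Tuple[str, ...]  # element of Ω(U): a basic block ̺ ; ... ; ̺_k, () stands for ǫ


def has_iteration(p: Prog) -> bool:
    """w(π) < ∞ iff π contains no subexpression of the form π*."""
    if isinstance(p, Star):
        return True
    if isinstance(p, Prim):
        return False
    return has_iteration(p.left) or has_iteration(p.right)


def step(p: Prog) -> Optional[Prog]:
    """One application of (d_l) or (d_r) at the outermost-leftmost redex; None if p is irreducible."""
    if isinstance(p, Seq):
        if isinstance(p.right, Choice):  # (d_l)  x ; (y ∪ z) → x ; y ∪ x ; z
            return Choice(Seq(p.left, p.right.left), Seq(p.left, p.right.right))
        if isinstance(p.left, Choice):  # (d_r)  (x ∪ y) ; z → x ; z ∪ y ; z
            return Choice(Seq(p.left.left, p.right), Seq(p.left.right, p.right))
    if isinstance(p, (Seq, Choice)):  # otherwise rewrite inside a subterm α|a
        sub = step(p.left)
        if sub is not None:
            return type(p)(sub, p.right)
        sub = step(p.right)
        if sub is not None:
            return type(p)(p.left, sub)
    return None


def rewrite_to_irreducible(p: Prog) -> Tuple[Prog, int]:
    """Iterate ⇒ until no rule applies; returns the irreducible term and the number of steps.
    Termination for finite weight is the content of Lemma 2.1 (each step lowers w)."""
    if has_iteration(p):
        raise ValueError("only iteration-free programs (finite weight) are handled here")
    steps = 0
    while (q := step(p)) is not None:
        p, steps = q, steps + 1
    return p, steps


def block_of(p: Prog) -> Block:
    """Read a ∪-free irreducible term as a basic block, modulo (ass_s), (id_l) and (id_r)."""
    if isinstance(p, Prim):
        return () if p.name == EPS else (p.name,)
    assert isinstance(p, Seq), "a ∪-free irreducible term consists of ; and primitives only"
    return block_of(p.left) + block_of(p.right)


def basic_blocks(p: Prog) -> FrozenSet[Block]:
    """The finite F ⊆ Ω(U) with π ≡ ∪F (Lemma 2.1). Collecting the blocks into a set accounts
    for (ass_u), (comm) and (idm), so uniqueness of F up to ≡ is plain set equality here."""
    irreducible, _ = rewrite_to_irreducible(p)

    def collect(t: Prog) -> FrozenSet[Block]:
        if isinstance(t, Choice):
            return collect(t.left) | collect(t.right)
        return frozenset({block_of(t)})

    return collect(irreducible)


# constructed sample program:  a ; (b ∪ c) ; (d ∪ ǫ)
a, b, c, d, eps = (Prim(n) for n in ("a", "b", "c", "d", EPS))
SAMPLE = Seq(Seq(a, Choice(b, c)), Choice(d, eps))

if __name__ == "__main__":
    term, n = rewrite_to_irreducible(SAMPLE)
    print(n, "rewrite steps")  # 5
    print(sorted(basic_blocks(SAMPLE)))  # [('a', 'b'), ('a', 'b', 'd'), ('a', 'c'), ('a', 'c', 'd')]
```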
Corollary 2.3
Given a program π ∈ P(U), there exists β ∈ I(U) such that π ≡ β.

Proof
The proof proceeds by induction on w(π). If w(π) < ∞, the assertion follows from Lemma 2.2, part c. Now let π with w(π) = ∞ be given, and assume that the assertion is established for all programs π′ with w(π′) < w(π). If π = π ∪ π or π = π∗, the assertion follows from the induction hypothesis together with part a in Lemma 2.2. If, however, π = π ; π, we apply the induction hypothesis to π and π; the assertion then follows from part b in Lemma 2.2. ⊣

Because ≡ is a congruence, these operations on E(U)/≡ are well defined:

[π]_≡ ⊔ [π]_≡ := [π ∪ π]_≡,   ⨆⟨[π_k]_≡ | k ≥ ⟩ := [⋁⟨π_k | k ≥ ⟩]_≡

Define the map Θ : P(U) → E(U)/≡ inductively on the weight of program π as follows.

a) If w(π) < ∞, put Θ(π) := ⨆{[̺]_≡ | ̺ ∈ F} with π ≡ ⋃F and F ⊆ Ω(U) according to Lemma 2.1.

b) Proceeding inductively, assume that Θ(π) and Θ(π) are defined, then put Θ(π ∪ π) := Θ(π) ⊔ Θ(π).

c) Continuing with an inductive definition, assume that π = π ; π with w(π) not finite. We distinguish three cases.

(i) w(π) is finite. Since w(π ; π) is not finite, we can represent w(π) through m + k, where m is a limit ordinal and k is finite. Thus π ≡ π_a ∪ π_b with w(π_a) = m and w(π_b) = k. Then π_a ≡ π̂ ; π̂_a with w(π̂) finite and π̂_a = π_c∗. This is so since ℓ · m = m for any finite ℓ and any limit ordinal m. Thus π ≡ π ; (π̂ ; π_c∗ ∪ π_b) ≡ (π ; π̂) ; π_c∗ ∪ π ; π_b. Because both w(π ; π̂) and w(π ; π_b) are finite, and since w(π_c^k) < w(π_c∗), Θ is defined for these arguments, and we put

Θ(π) := ⨆⟨Θ(π ; π̂ ; π_c^k) | k ≥ ⟩ ⊔ Θ(π ; π_b).

(ii) w(π) is finite. We find F ⊆ Ω(U) finite with π ≡ ⋃{π ; ̺ | ̺ ∈ F}. Similar to the case above we represent π ≡ π ; π_a∗ ∪ π_b with both w(π) and w(π_b) finite. Hence π ≡ ⋃{̺′ | ̺′ ∈ G} for some finite G ⊆ Ω(U).
Then define

Θ(π) := ⨆_{̺∈F} ⨆_{̺′∈G} ⟨Θ(̺′ ; π_a^k ; ̺) | k ≥ ⟩ ⊔ Θ(π_b ; π).

(iii) Both w(π) and w(π) are not finite. Represent π ≡ π_a ; π_b∗ ∪ π_c, π ≡ π_a ; π_b∗ ∪ π_c with w(π_a), w(π_c), w(π_a), w(π_c) finite. Apply the rules (d_l) and (d_r) to obtain

π ; π ≡ π_a ; π_b∗ ; π_a ; π_b∗ ∪ π_c ; π_a ; π_b∗ ∪ π_a ; π_b∗ ; π_c ∪ π_c ; π_c.

Because we may represent π_a = ⋃{̺ | ̺ ∈ F} and π_a = ⋃{̺′ | ̺′ ∈ F′} for some finite F, F′ ⊆ Ω(U), we may and do assume that π_a, π_a ∈ Ω(U). Put

Θ(π_a ; π_b∗ ; π_a ; π_b∗) := ⨆_{k≥} ⨆_{ℓ≥} Θ(π_a ; π_b^k ; π_a ; π_b^ℓ)  (= ⨆_{ℓ≥} ⨆_{k≥} Θ(π_a ; π_b^k ; π_a ; π_b^ℓ)).

Because max{w(π_c ; π_a ; π_b∗), w(π_a ; π_b∗ ; π_c), w(π_c ; π_c)} < w(π), we may now define

Θ(π) := Θ(π_a ; π_b∗ ; π_a ; π_b∗) ⊔ Θ(π_c ; π_a ; π_b∗) ⊔ Θ(π_a ; π_b∗ ; π_c) ⊔ Θ(π_c ; π_c).

The construction shows that π ≡ β for β ∈ I(U) entails β ∈ Θ(π), thus we obtain from Corollary 2.3

Proposition 2.4
Θ : P(U) → E(U)/≡ is well defined. ⊣

Summarizing, we construct for a program π ∈ P(U) an equivalence class which contains an irreducible element of E(U). Such an irreducible program is composed of the choice operator and the explicit form of the indefinite iteration. The primitive programs appear only in the form of basic blocks ̺ ; . . . ; ̺_k with ̺, . . . , ̺_k ∈ U.

Consequently, an interpretation of a logic carrying programs for modalities will have to cater for the respective interpretation of the choice operator, the explicit form of the indefinite iteration, and the basic blocks. The latter ones can be composed from the interpretation of the primitive programs, for example in those cases that are given by a monad, where composition of programs may be modelled through Kleisli composition [15]. Instead of providing, after the preparations above, a general coalgebraic interpretation through a monad over the category of sets now, we propose an interpretation through stochastic relations (which offers its own idiosyncrasies in turn).

We collect for the reader's convenience some techniques and tools from set theory and probability, in particular techniques for working with σ-algebras and their completion.

A measurable space S is a set, again denoted by S, together with a Boolean σ-algebra B(S), thus B(S) is an algebra of sets which is also closed under countable unions. Denote for a set A of subsets of a set S by σ(A) the smallest σ-algebra containing A. A map f : S → T is called B(S)-B(T)-measurable (or just measurable, if the context is clear) iff the inverse image of each Borel set in T is a Borel set in S, or, formally, iff

f^{-1}[B(T)] := {f^{-1}[C] | C ∈ B(T)} ⊆ B(S).

If B(T) = σ(A), then f : S → T is measurable iff f^{-1}[A] ∈ B(S) for all A ∈ A. The real numbers always carry the Borel sets B(R) as a σ-algebra, where

B(R) := σ({G ⊆ R | G open}) = σ({]a, b[ | a, b ∈ R, a < b}).
Let S(S) be the set of all subprobabilities on the measurable space S, then B(S(S)) will be the weak-*-σ-algebra, i.e., the smallest σ-algebra on S(S) which makes all the evaluations ev_A : µ ↦ µ(A) Borel-measurable. Then

B(S(S)) = σ({b_{q,A} | q ∈ Rat, A ∈ B(S)})

with b_{q,A} := ev_A^{-1}[ ]−∞, q[ ] = {µ ∈ S(S) | µ(A) < q}.

A stochastic relation K : S ⇝ T between the measurable spaces S and T is a Borel measurable map from S to S(T); sometimes stochastic relations are called transition subprobabilities. Thus K : S ⇝ T is a stochastic relation iff K(s) is a subprobability on the measurable space T for each s ∈ S such that s ↦ K(s)(B) is a B(S)-measurable function for each B ∈ B(T).

Denote by M the category of measurable spaces with measurable maps as morphisms, and by N the category of all σ-algebras with maps. The Borel functor B : M → N assigns to each measurable space its Borel sets, and to a morphism f : S → T its inverse image f^{-1} : B(T) → B(S). Thus B is a contravariant functor. This has been discussed extensively in [10, 7].

Given a morphism f : S → T in category M, we obtain a morphism S(f) : S(S) → S(T) in M upon defining

S(f)(µ)(B) := µ(f^{-1}[B])

for µ ∈ S(S) and B ∈ B(T). S(f) is B(S(S))-B(S(T))-measurable because S(f)^{-1}[b_{q,B}] = b_{q,f^{-1}[B]} holds for each real q and each measurable set B ∈ B(T). Functor S is the functorial part of a monad which is sometimes called the Giry monad [12, 5, 6].

Let K : S ⇝ S and L : T ⇝ T be stochastic relations for the measurable spaces S and T, then a measurable map f : S → T is called a morphism K → L iff L ∘ f = S(f) ∘ K holds, rendering the diagram

S   --f-->    T
K |           | L
S(S) --S(f)--> S(T)

commutative.
Expanded, this means that

L(f(s))(B) = K(s)(f^{-1}[B])

holds for each state s ∈ S and each measurable set B ∈ B(T). We will need this technical statement for transformations when considering runs of primitive programs below.
Lemma 3.1
Let S and T be measurable spaces, f : S → T be a measurable map. Assume that g : T → R is measurable and bounded.
a. For any µ ∈ S(S): ∫_T g(y) S(f)(µ)(dy) = ∫_S (g ∘ f)(x) µ(dx).
b. If f : K → L is a morphism for the stochastic relations K : S ⇝ S and L : T ⇝ T, then ∫_T g(y) L(f(s))(dy) = ∫_S (g ∘ f)(x) K(s)(dx).

Proof
The formula in part a. is the classical Change of Variables Formula, see [7, Lemma 1.6.20]. Part b. is an immediate consequence: because L(f(s)) = S(f)(K(s)), we may write

∫_T g(y) L(f(s))(dy) = ∫_T g(y) (S(f)(K(s)))(dy) = ∫_S g(f(x)) K(s)(dx),

the last equation being due to part a. ⊣
When interpreting the indefinite iteration π∗ of program π, we will be faced with the problem that validity sets for formulas formed using π∗ will be using uncountable unions. Thus these validity sets may not be measurable, because measurability always assumes countable operations. There is, however, a broad class of measurable spaces which permit uncountable operations in restricted form; by a completion operation, each measurable space can be embedded into such a space. This restricted form is described by the Souslin operation, which will be introduced now.

A measurable space S is closed under the Souslin operation iff, whenever {A_v | v ∈ Ω(N)} ⊆ B(S) is a family of measurable sets indexed by finite sequences of natural numbers, we have

⋃_{α∈N^N} ⋂_{n∈N} A_{α|n} ∈ B(S),

where α|n are the first n elements of sequence α. This is sometimes called operation A on the Souslin scheme {A_v | v ∈ Ω(N)} [13, XI.5].

Define for the measurable space S and a subprobability µ ∈ S(S) its µ-completion S_µ through

A ∈ B(S_µ) ⇔ ∃ A, A ∈ B(S) : A ⊆ A ⊆ A and µ(A \ A) = 0.

Thus all sets which differ from a Borel set by a set of µ-measure 0 are added to the Borel sets; the underlying set remains unchanged. Then B(S_µ) is a σ-algebra again. If M ⊆ S(S) is a non-empty set of subprobabilities on S, put

B(S_M) := ⋂_{µ∈M} B(S_µ).

Definition 3.2 S_M is called the M-completion of S; S_{S(S)} is called the universal completion of S and is denoted by S̄. The important property reads
Proposition 3.3
The measurable space S_M is closed under the Souslin operation for every ∅ ≠ M ⊆ S(S).

Proof [20, Theorem 3.5.22]. ⊣

Measurability of maps carries over to the completion.
Lemma 3.4
Let S and T be measurable spaces, and assume that f : S → T is B(S)-B(T)-measurable.
a. Let M ⊆ S(S), N ⊆ S(T) such that S(f)(µ) ∈ N for all µ ∈ M. Then f is B(S_M)-B(T_N)-measurable.
b. f is B(S̄)-B(T̄)-measurable.

Proof [9, Proposition 4.3]. ⊣

We note for later use that a stochastic relation can be extended to the completion of a measurable space as well, provided the measurable space is separable. This means that the Borel sets are countably generated, formally:
Definition 3.5 S is called separable iff there exists a countable family A of subsets of S such that B(S) = σ(A).

For example, R is separable, so is every measurable space that has as Borel sets the σ-algebra generated by the open sets of a topological space with a countable base. Polish spaces are an important special case: call a second countable topological space Polish iff the topology can be metrized with a complete metric. The Borel sets of a Polish space are countably generated, so that a measurable space generated from a Polish space is separable; the natural topology on the reals is Polish. A measurable space generated from a Polish space is called a Standard Borel space (hence, discussing a Standard Borel space, we are not interested in its topological but rather in its measurable structure).

The following proposition shows why separable measurable spaces are of interest to us. We will use it later for completing models (but maintaining expressivity).
Proposition 3.6
Let S be a separable measurable space, K : S ⇝ S be a stochastic relation on S. Then there exists a unique stochastic relation K̄ : B(S) ⇝ B(S) extending K. Let L be another stochastic relation defined over a separable measurable space. If f : K → L is a morphism, then f : K̄ → L̄ is a morphism.

Proof [9, Proposition 7.10, Corollary 7.6] ⊣

The category of all measurable spaces which are closed under the Souslin operation is denoted by V; the restriction of functor B to V is again denoted by B. Denote by S the category of stochastic relations; it has pairs ⟨S, R⟩ as objects and the morphisms defined above as morphisms. Define functor B† on S through functor B by defining B† := B ∘ U with U : S → M as the forgetful functor; hence B†(S, R) = B(S), and B† acts on morphisms accordingly. "Daggering" a functor will compose it with the forgetful functor U.

The constant functor assigning each measurable space the rationals between 0 and 1 is also denoted by Rat. Let N_R be the category which has all maps Rat → B(S) for a measurable space S as objects; a morphism F⃗ : (Rat → B(S)) → (Rat → B(T)) is induced by a map F : B(S) → B(T) so that F⃗(γ)(q) = F(γ(q)) holds for the object γ : Rat → B(S) and q ∈ Rat. Denote by B_R the functor M → N_R which maps the measurable space S to {γ | γ : Rat → B(S) is a map}, and f : S → T measurable is mapped to (f^{-1})⃗, thus B_R is contravariant.

Assume that τ : Rat × B •→ B is a natural transformation, thus τ_S(·, A) : q ↦ τ_S(q, A) ∈ B(S) is an object in N_R for each measurable space S and for each A ∈ B(S).

Lemma 3.7
Put τ⃗_S(A) := τ_S(·, A) for a natural transformation τ : Rat × B •→ B and A ∈ B(S); then τ⃗ : B •→ B_R is a natural transformation.
Proof
In fact, if f : S → T is a measurable map, then we have for the measurable set A ∈ B(S) and q ∈ Rat

τ⃗_S(B(f)(A))(q) = τ_S(q, f^{-1}[A]) = (τ_S ∘ (Rat × B)(f))(q, A) = B(f)(τ_T(q, A)) = B_R(f)(τ⃗_T(A))(q). ⊣

Corollary 3.8 τ⃗ : B† •→ B_R is a natural transformation, provided τ : Rat × B† •→ B is natural. ⊣

As an illustration, each stochastic relation induces a natural transformation
Rat × B† •→ B via the evaluation map.

Lemma 3.9
Let K : S ⇝ S be a stochastic relation. Then ϖ_K(q)(A) := {s ∈ S | K(s)(A) < q} defines a natural transformation ϖ : Rat† × B† •→ B†.

Proof
Because ϖ_K(q)(A) = K^{-1}[b_{q,A}], and since K is a measurable map, we infer ϖ_K(q)(A) ∈ B(S) whenever K : S ⇝ S. Now let f : K → L be a morphism, and take ⟨q, B⟩ ∈ Rat × B(T), then

(B(f) ∘ ϖ_L)(q, B) = f^{-1}[{t ∈ T | L(t)(B) < q}] = {s ∈ S | K(s)(f^{-1}[B]) < q} = (ϖ_K ∘ Rat × B†(f))(q, B). ⊣

Another consequence is interesting for us as well.
Corollary 3.10
Assume that Φ : (B_R)^I •→ B_R is a natural transformation with I = { , . . . , n} for n ∈ N or I = N, and that ψ_i : Rat × B •→ B for i ∈ I. Then Φ((ψ⃗_i)_{i∈I})⃗ defines a natural transformation Φ⃗ : Rat × B •→ B with

Φ⃗_S(q)(A) = Φ((ψ_{i,S}(·, A))_{i∈I})(q). ⊣

To illustrate, define for rational q >

Q^{(n)}(q) := {a ∈ Rat^n | a + · · · + a_n ≤ q}
Q^{(∞)}(q) := {(a_n)_{n∈N} ∈ Rat^N | a + a + · · · ≤ q}

Example 3.11
Let ⟨η, η⟩ ∈ B_R(S) × B_R(S) for a measurable space S, and define for q ∈ Rat

Φ_S(η, η)(q) := ⋃_{⟨a,a⟩∈Q^{(2)}(q)} (η_S(a) ∩ η_S(a)).

Then Φ : B_R × B_R •→ B_R is a natural transformation.

In fact, because η(a), η(a) ∈ B(S) for ⟨a, a⟩ ∈ Q^{(2)}(q), and because Q^{(2)}(q) is countable, we infer that Φ_S(η, η) ∈ B_R(S). Now let f : S → T be a measurable map, then this diagram commutes:

(B_R × B_R)(T)   --Φ_T-->   B_R(T)
(B_R × B_R)(f) |            | B_R(f)
(B_R × B_R)(S)   --Φ_S-->   B_R(S)

This is so since we have for ⟨η, η⟩ ∈ (B_R × B_R)(T)

Φ_S(B_R(f)(η), B_R(f)(η))(q) = ⋃_a (f^{-1}[η(a)] ∩ f^{-1}[η(a)]) = f^{-1}[⋃_a (η(a) ∩ η(a))] = B_R(f)(Φ_T(η, η)). ♦

The next example requires that the base spaces are closed under the Souslin operation.
Example 3.12
Let η := (η)_{n∈N} ∈ B_R(S)^N, and define

Ψ_S(η)(q) := ⋃{⋂_{n∈N} η_{n,S}(a_n) | a ∈ Q^{(∞)}(q)}

for q ∈ Rat. Then Ψ : (B_R)^N •→ B_R, when functor B is restricted to category V.

We show first that Ψ_S(η)(q) ∈ B(S) whenever S is closed under the Souslin operation. For this, we construct, for q > , a map ξ : N^N → Q^{(∞)}(q) such that ν|n = ν′|n implies ξ(ν)|n = ξ(ν′)|n for all ν, ν′ ∈ N^N and all n ∈ N, see [9, Lemma 4.6]. We infer in particular that ν|n = ν′|n implies ξ(ν)_n = ξ(ν′)_n for all n ∈ N. Now put

C_{ν|n} := η_n(ξ(ν)_n) ∈ B(S),

then

Ψ_S(η)(q) = ⋃_{ν∈N^N} ⋂_{n∈N} C_{ν|n}.

Since S is closed under the Souslin operation, the assertion on measurability follows. Naturalness is then shown exactly as in Example 3.11. ♦

We now turn to interpretations for PDL — although we did not define PDL yet, but never mind. A Kripke model will be employed for interpreting each simple program; similarly, an interpretation for primitive statements will be provided. We will build up from these data an interpretation for modal formulas in which the modalities are given through programs. This will be done through the Kleisli composition for the underlying monad, yielding an interpretation of basic blocks, i.e., of runs of simple programs, and through the natural transformations which will be associated with composing programs through nondeterministic choice and indefinite iteration. It will be convenient to separate these notions, so we will first define what a Kripke model is, and then define models by adding these transformations. Morphisms will be important as well. They are defined for Kripke models, and, since the transformations for the complex program operations are natural, they carry over in a most natural fashion to models.
A stochastic Kripke model K = (S, (K_̺)_{̺∈U}, V) is a measurable space S together with a family (K_̺)_{γ∈U} of stochastic relations K_γ : S ⇝ S such that
• K_ǫ = 1_S,
• V : P → B(S) is a map.
Here 1_S : S ⇝ S is the identity relation

1_S(s)(A) := , if s ∈ A, , otherwise.

The set V(p) gives for the atomic proposition p ∈ P the set of all states in which p is assumed to hold. Given a primitive program ̺ ∈ U, the stochastic relation K_̺ governs the transition upon executing ̺: the probability that after executing program γ in state s ∈ S we are in a state which is an element of A ∈ B(S) is given by K_γ(s)(A). Note that K_γ(s)(S) <

Definition 4.1
Given Kripke models K = (S, (K_̺)_{̺∈U}, V) and L = (T, (L_̺)_{̺∈U}, W), a measurable map f : S → T is a morphism K → L for the Kleisli models iff
1. f : K_̺ → L_̺ is a morphism of stochastic relations for each ̺ ∈ U,
2. f^{-1}[W(p)] = V(p) for each atomic proposition p ∈ P.

Thus for a morphism f : K → L an atomic proposition p holds in state s iff it holds in f(s), and the probability of hitting a state in B ∈ B(T) after executing program ̺ in state f(s) is the same as the probability of hitting a state in f^{-1}[B] after executing ̺ in state s.

We will need later that Kripke models are closed under coproducts, hence we state as an example the corresponding construction.

Example 4.2
Given Kripke models $\mathcal{K} = (S, (K_\varrho)_{\varrho\in U}, V)$ and $\mathcal{L} = (T, (L_\varrho)_{\varrho\in U}, W)$, define the sum $\mathcal{K} \oplus \mathcal{L}$ of $\mathcal{K}$ and $\mathcal{L}$ as the Kripke model
$$\mathcal{K} \oplus \mathcal{L} := \big(S + T, ((K+L)_\varrho)_{\varrho\in U}, V + W\big).$$
Here the measurable space $S + T$ carries the final $\sigma$-algebra with respect to the embeddings $i_S$ and $i_T$, and $(K+L)_\varrho : (S+T) \rightsquigarrow (S+T)$ is defined through
$$(K+L)_\varrho(z)(A) := \begin{cases} K_\varrho(s)(i_S^{-1}[A]) & \text{if } z = i_S(s),\\ L_\varrho(t)(i_T^{-1}[A]) & \text{if } z = i_T(t).\end{cases}$$
Then $\mathcal{K} \xrightarrow{i_S} \mathcal{K} \oplus \mathcal{L} \xleftarrow{i_T} \mathcal{L}$ are morphisms. It is easy to see that $\mathcal{K} \oplus \mathcal{L}$ together with the embeddings is the coproduct. ♦

Given a Kripke model $\mathcal{K} = (S, (K_\varrho)_{\varrho\in U}, V)$, extend the transition laws from primitive programs to basic blocks, i.e., sequences of primitive programs, upon setting
$$K_{\varrho_1;\dots;\varrho_n} := K_{\varrho_1} * \dots * K_{\varrho_n}, \qquad (1)$$
where for $K_i : S \rightsquigarrow S$ ($i = 1, 2$) the Kleisli composition $K_1 * K_2$ of $K_1$ and $K_2$ is defined through
$$(K_1 * K_2)(s)(A) := \int_S K_2(t)(A)\; K_1(s)(dt) \qquad (s \in S,\ A \in \mathcal{B}(S)),$$
see [12]; this operation is known as the convolution of two transition kernels in probability theory. Interpreting equation (1) for two programs $\varrho_1, \varrho_2 \in U$, we see that after executing $\varrho_1$ in state $s$ the system goes into some intermediate state $t \in S$ from which program $\varrho_2$ continues, giving the probability of ending up in a state in Borel set $A$ as $K_{\varrho_2}(t)(A)$. The intermediate states are averaged over through $K_{\varrho_1}(s)$, accounting for the probability
$$\int_S K_{\varrho_2}(t)(A)\; K_{\varrho_1}(s)(dt),$$
which is just $(K_{\varrho_1} * K_{\varrho_2})(s)(A)$. Notice that $K_\epsilon * K_\varrho = K_\varrho = K_\varrho * K_\epsilon$ for all $\varrho \in U$. Because stochastic relations are Kleisli morphisms for a monad, hence morphisms in a category, it follows that Kleisli composition is associative; thus we record for later use that
$$(K_1 * K_2) * K_3 = K_1 * (K_2 * K_3) \qquad (2)$$
holds (which we have already silently made use of in equation (1)). This extension from $U$ to $\Omega(U)$ through Kleisli composition is compatible with morphisms.
Lemma 4.3
Let $f : K_1 \to L_1$ and $f : K_2 \to L_2$ be morphisms of stochastic relations for $K_i : S \rightsquigarrow S$ and $L_i : T \rightsquigarrow T$ ($i = 1, 2$). Then $f : K_1 * K_2 \to L_1 * L_2$ is a morphism.
Proof
This follows from Lemma 3.1:
$$\begin{aligned}
(L_1 * L_2)(f(s))(B) &= \int_T L_2(y)(B)\; L_1(f(s))(dy)\\
&= \int_T L_2(y)(B)\; \big(\mathsf{S}(f)(K_1(s))\big)(dy)\\
&= \int_S L_2(f(x))(B)\; K_1(s)(dx)\\
&= \int_S K_2(x)(f^{-1}[B])\; K_1(s)(dx)\\
&= (K_1 * K_2)(s)(f^{-1}[B])\\
&= \big(\mathsf{S}(f) \circ (K_1 * K_2)\big)(s)(B).
\end{aligned}$$
⊣
Applying this to morphisms for stochastic Kripke models yields
Corollary 4.4
Let $\mathcal{K}$ and $\mathcal{L}$ be Kripke models, and assume that $f : \mathcal{K} \to \mathcal{L}$ is a morphism. Then $f : K_{\varrho_1;\dots;\varrho_n} \to L_{\varrho_1;\dots;\varrho_n}$ is a morphism for stochastic relations for all $\varrho_1;\dots;\varrho_n \in \Omega(U)$. ⊣

Let $\mathbf{K} = \mathbf{K}(U, P)$ be the category of Kripke models with universally measurable state spaces; it has the morphisms according to the definition above. Hence the state space of an object in $\mathbf{K}$ is a measurable space which is closed under universal completion according to Definition 3.2. We define the functor $\mathcal{R} : \mathbf{K} \to \mathbf{N}$ from Kripke models to Borel sets of measurable spaces by adapting the Borel functor to $\mathbf{K}$: each Kripke model $\mathcal{K} = (S, (K_\varrho)_{\varrho\in U}, V)$ is mapped to $\mathcal{B}(S)$. By the choice of the base category of universally measurable spaces we make sure that $\mathcal{R}(\mathcal{K})$ is always closed under the Souslin operation. A morphism $f : \mathcal{K} \to \mathcal{L}$ is mapped by $\mathcal{R}$ to $f^{-1} : \mathcal{B}(T) \to \mathcal{B}(S)$.

Assume furthermore that we are given natural transformations $\Phi : \mathcal{R}\mathcal{R} \times \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ and $\Psi : (\mathcal{R}\mathcal{R})^{\mathbb{N}} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$. We associate with each basic block $\varrho_1;\dots;\varrho_n$ a natural transformation $\Gamma(\varrho_1;\dots;\varrho_n) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$ upon setting
$$\Gamma(\varrho_1;\dots;\varrho_n) := \varpi_{K_{\varrho_1;\dots;\varrho_n}}. \qquad (3)$$
Assume that we have defined natural transformations $\Gamma(\beta_1), \Gamma(\beta_2)$ for the irreducible programs $\beta_1, \beta_2 \in I(U)$, then
$$\Gamma(\beta_1 \cup \beta_2) := \overrightarrow{\Phi\big(\overrightarrow{\Gamma(\beta_1)}, \overrightarrow{\Gamma(\beta_2)}\big)} \qquad (4)$$
defines a natural transformation $\Gamma(\beta_1 \cup \beta_2) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$. If $\Gamma(\beta_n) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$ is defined for $\beta_n \in I(U)$, define
$$\Gamma\big(\textstyle\bigvee\langle \beta_n \mid n \in \mathbb{N}\rangle\big) := \overrightarrow{\Psi\big((\overrightarrow{\Gamma(\beta_n)})_{n\in\mathbb{N}}\big)}. \qquad (5)$$
Then $\Gamma(\bigvee\langle \beta_n \mid n \in \mathbb{N}\rangle) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$. Summarizing, we note for the record
Proposition 4.5
Given the transformations $\Phi$ and $\Psi$ as above, $\Gamma(\beta) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$ is a natural transformation whenever $\beta$ is an irreducible program. ⊣

It is worth noting that
• composition of programs is modelled through the composition operator for stochastic relations, hence through Kleisli composition for the underlying monad; this is the basic mechanism which the other transformations start from,
• once a natural transformation for each basic block in $\Omega(U)$ is defined, the Kripke model proper is only needed to give the semantics for the atomic propositions in $P$. The transformations for irreducible programs $\beta_1 \cup \beta_2$ and $\bigvee\langle \beta_k \mid k \in \mathbb{N}\rangle$ now rest on the shoulders of the transformations $\Phi$ resp. $\Psi$.

Now that the basic ingredients for defining a model are in place, we have to have a closer look at these components. It does not make sense to define a model with arbitrary transformations, because it is clear that the transformations should satisfy some properties, monotonicity and compatibility among them. The latter property refers to the observation that nondeterministic choice and indefinite iteration are somewhat related (this is reflected in the rewrite rule $(d_*)$); consequently we require their interpretations to cooperate along these lines. Some properties are captured in the definition below.
Definition 4.6
Let $\Phi : \mathcal{R}\mathcal{R} \times \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ and $\Psi : (\mathcal{R}\mathcal{R})^{\mathbb{N}} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ be natural transformations.
1. $\Phi$ is called
• associative, iff $\Phi\big(\eta_1, \Phi(\eta_2, \eta_3)\big) = \Phi\big(\Phi(\eta_1, \eta_2), \eta_3\big)$,
• commutative, iff $\Phi(\eta_1, \eta_2) = \Phi(\eta_2, \eta_1)$,
• idempotent, iff $\Phi(\eta_1, \eta_1) = \eta_1$, provided $\eta_1$ is monotone (i.e., $q \mapsto \eta_{1,S}(q)(A)$ is a monotone map for each $A \in \mathcal{B}(S)$),
for any $\eta_1, \eta_2, \eta_3 : \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$.
2. $\Psi$ is called symmetric iff
$$\Psi\Big(\big(\Psi((\eta_{i,j})_{i\in\mathbb{N}})\big)_{j\in\mathbb{N}}\Big) = \Psi\Big(\big(\Psi((\eta_{i,j})_{j\in\mathbb{N}})\big)_{i\in\mathbb{N}}\Big)$$
holds for each double indexed sequence $(\eta_{i,j})_{\langle i,j\rangle \in \mathbb{N}\times\mathbb{N}}$ with $\eta_{i,j} : \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ for all $i, j \in \mathbb{N}$.
3. $\Phi$ and $\Psi$ are said to be compatible iff
$$\Psi((\eta_i)_{i\in\mathbb{N}}) = \Phi\big(\eta_0, \Psi((\eta_{i+1})_{i\in\mathbb{N}})\big)$$
holds for each sequence $(\eta_i)_{i\in\mathbb{N}}$ with $\eta_i : \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ for each $i \in \mathbb{N}$.

The properties of $\Phi$ described in Definition 4.6 under 1. make the set of all natural transformations $\mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ a commutative semigroup, if $\langle \eta_1, \eta_2\rangle$ is sent to $\Phi(\eta_1, \eta_2)$. They are modelled after union or intersection in the power set of a set. Property 2. deals with evaluating operator $\Psi$: an infinite matrix of natural transformations may be evaluated first along its rows, producing a sequence of natural transformations again; evaluating this is assumed to be identical to evaluating the matrix first along the columns and then evaluating the results. Finally, property 3. says that $\Psi$ may be evaluated stepwise through operator $\Phi$, akin to an infinite sum, an infinite union, or an indefinite iteration.
Lemma 4.7
The operators $\Phi$ and $\Psi$ defined in Example 3.11 resp. Example 3.12 have these properties:
a. $\Phi$ is associative, commutative and idempotent,
b. $\Psi$ is symmetric,
c. $\Phi$ and $\Psi$ are compatible.
Proof
1. Properties a and c are fairly obvious. Let $(\eta_{i,j})_{\langle i,j\rangle\in\mathbb{N}\times\mathbb{N}}$ with $\eta_{i,j} : \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$, and put $\rho_i := (\eta_{i,j})_{j\in\mathbb{N}}$ and $\sigma_j := (\eta_{i,j})_{i\in\mathbb{N}}$. We now show that
$$\Psi_{\mathcal{K}}\big((A_i)_i\big) = \Psi_{\mathcal{K}}\big((B_j)_j\big)$$
holds, where
$$A_i(q) = \Psi_{\mathcal{K}}(\rho_i)(q), \qquad B_j(q) = \Psi_{\mathcal{K}}(\sigma_j)(q).$$
This will establish that operator $\Psi$ is symmetric.
2. Now fix $q \in \mathsf{Rat}_{0,1}$ and put for $(a_n)_{n\in\mathbb{N}} \in \mathsf{Rat}^{(\infty)}_{0,1}$
$$Z(a) := \Big\{(a_{i,j}) \;\Big|\; \forall i \in \mathbb{N}: \sum_{j\in\mathbb{N}} a_{i,j} \le a_i\Big\}, \qquad R(a) := \Big\{(a_{i,j}) \;\Big|\; \forall j \in \mathbb{N}: \sum_{i\in\mathbb{N}} a_{i,j} \le a_j\Big\}.$$
Hence an infinite matrix of non-negative numbers is in $Z(a)$ iff for each row $i$ the column sums are dominated by $a_i$, similarly for $R(a)$ and the row sums. Note that
$$\sum_{i\in\mathbb{N}}\Big(\sum_{j\in\mathbb{N}} a_{i,j}\Big) = \sum_{j\in\mathbb{N}}\Big(\sum_{i\in\mathbb{N}} a_{i,j}\Big) \qquad (6)$$
by Pringsheim's Theorem [2, V.31], because all terms are non-negative.
3. Now
$$\begin{aligned}
s \in \Psi_{\mathcal{K}}\big((A_i)_i\big)(q) &\iff \exists a \in Q^{(\infty)}(q)\ \forall i \in \mathbb{N}\ \exists (a_{i,j})_j \in \mathsf{Rat}^{(\infty)}_{0,1}(a_i)\ \forall j \in \mathbb{N}: s \in \eta_{i,j,\mathcal{K}}(a_{i,j}) & (7)\\
&\iff \exists a \in Q^{(\infty)}(q)\ \exists b \in Z(a)\ \forall i, j \in \mathbb{N}: s \in \eta_{i,j,\mathcal{K}}(b_{i,j}) & (8)\\
&\iff \exists x \in Q^{(\infty)}(q)\ \exists y \in R(x)\ \forall i, j \in \mathbb{N}: s \in \eta_{i,j,\mathcal{K}}(y_{i,j}) & (9)\\
&\iff s \in \Psi_{\mathcal{K}}\big((B_j)_j\big)(q) & (10)
\end{aligned}$$
For, assume that $a$ and $b$ are given according to (8), then define $x_j := \sum_{i\in\mathbb{N}} b_{i,j}$ and $y := b$, hence
$$\sum_j x_j = \sum_j \sum_i b_{i,j} \overset{(6)}{=} \sum_i \sum_j b_{i,j} \le \sum_i a_i \le q.$$
This justifies the implication (8) ⇒ (9); similarly for the converse. ⊣

Call a natural transformation $\Lambda : (\mathcal{R}\mathcal{R})^I \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ monotone iff $\Lambda\big((\eta_i)_{i\in I}\big)$ is monotone, provided $\eta_i : \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ is monotone for all $i \in I \subseteq \mathbb{N}$, see Definition 4.6. We extend Kripke models now to models for PDL.

Definition 4.8
A model $\mathcal{M} = (\mathcal{K}, \Phi, \Psi)$ for PDL is composed of a Kripke model $\mathcal{K}$ and of two monotone transformations $\Phi : \mathcal{R}\mathcal{R} \times \mathcal{R}\mathcal{R} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ and $\Psi : (\mathcal{R}\mathcal{R})^{\mathbb{N}} \mathrel{\dot\to} \mathcal{R}\mathcal{R}$ so that $\Phi$ is associative, commutative and idempotent, $\Psi$ is symmetric, and $\Phi$ and $\Psi$ are compatible.
When talking about a model, we always refer to a model in the sense of Definition 4.8, unless otherwise specified. Hence we always have with a model a Kripke model and two transformations at our disposal. Define for model $\mathcal{M}$ the transformation $\Gamma_{\mathcal{M}}(\beta) : \mathsf{Rat}_{0,1} \times \mathcal{R} \mathrel{\dot\to} \mathcal{R}$ for irreducible programs $\beta$ as at the end of Section 4.1, equations (3) through (5), see Proposition 4.5.
Lemma 4.9
Given an irreducible program $\beta$ and the state space $S$ of a Kripke model $\mathcal{K}$, the map
$$q \mapsto \Gamma_{\mathcal{M},\mathcal{K}}(q, A) := \big(\Gamma_{\mathcal{M}}(\beta)\big)_{\mathcal{K}}(q, A)$$
is monotone for any fixed $A \in \mathcal{B}(S)$.
Proof
This is established by induction on $\beta$. Assume first that $\beta = \varrho_1;\dots;\varrho_n \in \Omega(U)$. Then
$$\Gamma_{\mathcal{M},\mathcal{K}}(\varrho_1;\dots;\varrho_n)(q, A) = \{s \in S \mid K_{\varrho_1;\dots;\varrho_n}(s)(A) < q\},$$
which is clearly a monotone function of $q$. If $\beta = \beta_1 \cup \beta_2$, and monotonicity is established already for $\beta_1$ and $\beta_2$, then $\overrightarrow{\Gamma_{\mathcal{M}}(\beta_1)}$ and $\overrightarrow{\Gamma_{\mathcal{M}}(\beta_2)}$ are monotone, thus $\Phi(\overrightarrow{\Gamma_{\mathcal{M}}(\beta_1)}, \overrightarrow{\Gamma_{\mathcal{M}}(\beta_2)})$ is monotone, from which the assertion for $\beta$ follows. One argues similarly for $\beta = \bigvee\langle \beta_n \mid n \ge 0\rangle$, provided the claim holds for all $\beta_n$. ⊣

We show now that $\Gamma_{\mathcal{M}}$ is invariant under the equivalence classes with respect to $\equiv$, as far as irreducible programs are concerned. This step is necessary for ensuring that the interpretation of formulas is well defined.
Proposition 4.10
Let $\beta_1, \beta_2$ be irreducible programs with $\beta_1 \equiv \beta_2$. Then $\Gamma_{\mathcal{M}}(\beta_1) = \Gamma_{\mathcal{M}}(\beta_2)$.
Proof
1. It is enough to show that $\beta_1 \approx \beta_2$ implies $\Gamma_{\mathcal{M}}(\beta_1) = \Gamma_{\mathcal{M}}(\beta_2)$. Because no rewrite rules apply due to irreducibility, we may then conclude that
$$\equiv \cap \big(I(U) \times I(U)\big) \subseteq \ker(\Gamma_{\mathcal{M}}),$$
from which the assertion follows. We will discuss the different cases in turn.
2. The cases $(id_l)$ and $(id_r)$ are covered by the observation that $K_\epsilon = 1_S$, which in turn is the neutral element for Kleisli composition; case $(ass_s)$ follows from associativity for Kleisli composition. Because $\Phi$ is associative and commutative, the cases $(ass_u)$ resp. $(comm)$ are covered as well. We infer from Lemma 4.9 and from idempotence of $\Phi$ that $\Gamma_{\mathcal{M}}(\beta \cup \beta) = \Gamma_{\mathcal{M}}(\beta)$. Finally, the cases $(dis_\infty)$ and $(transp)$ are covered through the compatibility of $\Phi$ and $\Psi$ resp. the symmetry of $\Psi$. ⊣

Now take a program $\pi \in P(U)$ and consider $\beta_1, \beta_2 \in \Theta(\pi) \cap I(U)$. Then $\Gamma_{\mathcal{M}}(\beta_1) = \Gamma_{\mathcal{M}}(\beta_2)$. Sending $\Theta(\pi) \cap I(U)$ to $\Gamma_{\mathcal{M}}(\beta)$, provided $\beta \in \Theta(\pi) \cap I(U)$, we obtain a well defined map (recall $\Theta(\pi) \cap I(U) \neq \emptyset$ by Corollary 2.3). Thus define
$$J_{\mathcal{M}}(\pi) := \Gamma_{\mathcal{M}}(\beta), \qquad (11)$$
with $\pi \in P(U)$, provided $\beta \in \Theta(\pi) \cap I(U)$. This defines a natural transformation, see Proposition 4.5.

We define the logic PDL as usual through modal operators which come from programs; because we investigate probabilistic aspects, we introduce a quantitative aspect by limiting certain probabilities from above. The logic is negation free and does not have disjunction. This looks at first sight a bit restricting, but since we work in a Boolean algebra of sets we can express negation through complementation, hence we do not need a separate operator for it. Omission of disjunction, however, cannot be compensated; it turns out that disjunction is not really necessary in the arguments to follow, so Occam's Razor could be applied. It should also be noted that we do not include the test operator. While this operator expands the usability of the logic, it does not contribute to the structural questions which we are concerned with; this has been discussed in [9, Section 6.5].

We will first define PDL and its semantics, then we will take only the simple programs and the atomic expressions and define a Hennessy-Milner logic from them, much in the spirit of [14, 4, 6]. This type of logic has been investigated extensively, and it will be helpful to use its semantic properties for the investigation of PDL. Syntactically, we have in the Hennessy-Milner logic only basic blocks at our disposal; these basic blocks are important for expressing the semantics of programs in PDL, so we will relate these constructs to each other. Finally we define expressivity (logical equivalence, bisimilarity, behavioral equivalence) for our models and relate these notions to each other. Bisimilarity will play a special role which partly will have to be delegated to the next section, due to Standard Borel spaces being closed under the Souslin operation only in the finite case. The constructions to be undertaken will require some leg work for constructing the proper measurable spaces etc.
Given a set $U$ of primitive programs and a set $P$ of atomic propositions, we define the formulas of logic $L(U, P)$ through this grammar
$$\varphi ::= \top \mid p \mid \varphi_1 \wedge \varphi_2 \mid \lfloor\pi\rceil_q\varphi$$
with $p \in P$ an atomic proposition, $\pi \in P(U)$ a program and $q \in \mathsf{Rat}_{0,1}$ a rational number. Hence a formula is $\top$, which always holds, an atomic proposition, the conjunction of two formulas, or a modal formula $\lfloor\pi\rceil_q\varphi$. The latter one is going to hold whenever formula $\varphi$ holds with probability less than $q \in \mathsf{Rat}_{0,1}$ after executing program $\pi$.

Define inductively for a given model $\mathcal{M} = (\mathcal{K}, \Phi, \Psi)$ with state space $S$ and valuation $V : P \to \mathcal{B}(S)$ the extension or validity set $[[\varphi]]_{\mathcal{M}}$ for formula $\varphi$ through
$$\begin{aligned}
[[\top]]_{\mathcal{M}} &:= S, & (12)\\
[[p]]_{\mathcal{M}} &:= V(p), & (13)\\
[[\varphi_1 \wedge \varphi_2]]_{\mathcal{M}} &:= [[\varphi_1]]_{\mathcal{M}} \cap [[\varphi_2]]_{\mathcal{M}}, & (14)\\
[[\lfloor\pi\rceil_q\varphi]]_{\mathcal{M}} &:= J_{\mathcal{M}}(\pi)(q)([[\varphi]]_{\mathcal{M}}), & (15)
\end{aligned}$$
where the natural transformation $J_{\mathcal{M}}$ is defined in Equation (11). The validity relation $\models$ is then defined through
$$\mathcal{M}, s \models \varphi \iff s \in [[\varphi]]_{\mathcal{M}};$$
consequently, $\mathcal{M}, s \models \top$ holds always by (12), and $\mathcal{M}, s \models p$ iff $s \in V(p)$ for the atomic proposition $p \in P$ by (13). If $\varrho_1, \dots, \varrho_n \in U$, we infer from (14) through the definition of $J$ in particular
$$\mathcal{M}, s \models \lfloor\varrho_1;\dots;\varrho_n\rceil_q\varphi \iff K_{\varrho_1;\dots;\varrho_n}(s)([[\varphi]]_{\mathcal{M}}) < q. \qquad (16)$$
Although the logic is negation free, we are still able to state that formula $\varphi$ does not hold in a state. Because we work in a $\sigma$-algebra, thus in particular in a Boolean algebra, we can state that formula $\varphi$ does not hold in state $s$ iff $s \notin [[\varphi]]_{\mathcal{M}}$, so that the set $\{s \in S \mid \varphi \text{ does not hold in } s\}$ is a measurable set, provided the extension of $\varphi$ is measurable. We note for later use that the validity sets are measurable. This is so since we deal with natural transformations involving the Borel functor.

Lemma 5.1
$[[\varphi]]_{\mathcal{M}} \in \mathcal{B}(S)$ for a model $\mathcal{M}$ over state space $S$ and a PDL formula $\varphi$. ⊣
Example 5.2
Consider the transformations $\Phi$ from Example 3.11 and $\Psi$ from Example 3.12. Expanding (15), we obtain
$$[[\lfloor\pi_1 \cup \pi_2\rceil_q\varphi]]_{\mathcal{M}} = \bigcup\big\{[[\lfloor\pi_1\rceil_{a_1}\varphi]]_{\mathcal{M}} \cap [[\lfloor\pi_2\rceil_{a_2}\varphi]]_{\mathcal{M}} \;\big|\; a_1, a_2 \in \mathsf{Rat}_{0,1},\ a_1 + a_2 \le q\big\}, \qquad (17)$$
$$[[\lfloor\pi^*\rceil_q\varphi]]_{\mathcal{M}} = \bigcup\Big\{\bigcap_{m\in\mathbb{N}} [[\lfloor\pi^m\rceil_{a_m}\varphi]]_{\mathcal{M}} \;\Big|\; a_n \in \mathsf{Rat}_{0,1} \text{ for all } n \in \mathbb{N},\ \sum_n a_n \le q\Big\}. \qquad (18)$$
Selecting nondeterministically one of the programs $\pi_1$ or $\pi_2$, $[[\lfloor\pi_1\rceil_{a_1}\varphi]]_{\mathcal{M}}$ accounts for all states which are led by executing $\pi_1$ to a state in which $\varphi$ holds with probability at most $a_1$; similarly $[[\lfloor\pi_2\rceil_{a_2}\varphi]]_{\mathcal{M}}$ for $\pi_2$. Since we want to bound the probability from above by $q$, we require $a_1 + a_2 \le q$. This leads to Equation (17). Suppose that executing program $\pi$ exactly $n$ times results in a state in which $\varphi$ holds with probability not exceeding $a_n$; then executing $\pi$ a finite number of times (including not executing it at all) results in a member of $[[\varphi]]_{\mathcal{M}}$ with probability at most $a_0 + a_1 + \dots$, which should be bounded above by $q$ for the resulting state to be a state in which $\varphi$ holds with probability at least $q$. This leads to Eq. (18). These specific interpretations were investigated more closely in [9]. ♦

Define for each state $s$ of a model $\mathcal{M}$ the $\mathcal{M}$-theory associated with $s$ as the set of formulas which hold in that state, formally
$$Th_{L(U,P)}(\mathcal{M}, s) := \{\varphi \mid \varphi \text{ is a formula in } L(U, P) \text{ and } \mathcal{M}, s \models \varphi\}.$$
We define the negation free Hennessy-Milner logic $M(U, P)$ through these formulas:
$$\varphi ::= \top \mid p \mid \varphi_1 \wedge \varphi_2 \mid \langle\varrho\rangle_q\varphi$$
with $\varrho \in U$ a primitive program, $q \in \mathsf{Rat}_{0,1}$ a threshold value, and $p \in P$ an atomic proposition. Thus each primitive program serves as a modal operator of arity 1 for the modal logic $M(U, P)$. Considering $\varrho$ as an action as in labelled Markov transition systems, the intended interpretation of formula $\langle\varrho\rangle_q\varphi$ holding in state $s$ is that upon action $\varrho$, i.e., upon executing program $\varrho \in U$, a state in which $\varphi$ holds is reached with probability at least $q$, see, e.g., [14, 4, 6].

Formally, we define for a Kripke model $\mathcal{K} = (S, (K_\varrho)_{\varrho\in U}, V)$ and each formula $\varphi$ of $M(U, P)$ the validity sets $[[\varphi]]_{\mathcal{K}}$ recursively through
$$\begin{aligned}
[[\top]]_{\mathcal{K}} &:= S, & (19)\\
[[p]]_{\mathcal{K}} &:= V(p), \text{ if } p \in P, & (20)\\
[[\varphi_1 \wedge \varphi_2]]_{\mathcal{K}} &:= [[\varphi_1]]_{\mathcal{K}} \cap [[\varphi_2]]_{\mathcal{K}}, & (21)\\
[[\langle\varrho\rangle_q\varphi]]_{\mathcal{K}} &:= \{s \in S \mid K_\varrho(s)([[\varphi]]_{\mathcal{K}}) \ge q\}. & (22)
\end{aligned}$$
Define for state $s$ and formula $\varphi$ the relation $\models$ through $\mathcal{K}, s \models \varphi \iff s \in [[\varphi]]_{\mathcal{K}}$. Equation (22) shows that $[[\varphi]]_{\mathcal{K}}$ is always a measurable set. A comparison with $[[\cdot]]_{\mathcal{M}}$ shows that the definitions for $\top$, for atomic propositions, and for the conjunction of formulas ((12) to (14) and (19) to (21)) are identical. Because of the identity (16), we see that for $\varrho \in U$ and a formula $\varphi$ which is both an $M(U, P)$ and an $L(U, P)$ formula the correspondence
$$[[\lfloor\varrho\rceil_q\varphi]]_{\mathcal{M}} = S \setminus [[\langle\varrho\rangle_q\varphi]]_{\mathcal{K}} \qquad (23)$$
holds. This observation can be refined. Define
$$\begin{aligned}
I_{\mathcal{K}}(A \mid \varrho, q) &:= \{s \in S \mid K_\varrho(s)(A) \ge q\},\\
I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{n+1}, q_{n+1}) &:= I_{\mathcal{K}}\big(I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_n, q_n) \mid \varrho_{n+1}, q_{n+1}\big),\\
J_{\mathcal{M}}(A \mid \varrho, q) &:= \{s \in S \mid K_\varrho(s)(A) < q\},\\
J_{\mathcal{M}}(A \mid \varrho_1, q_1, \dots, \varrho_{n+1}, q_{n+1}) &:= J_{\mathcal{M}}\big(J_{\mathcal{M}}(A \mid \varrho_1, q_1, \dots, \varrho_n, q_n) \mid \varrho_{n+1}, q_{n+1}\big)
\end{aligned}$$
for the measurable set $A \in \mathcal{B}(S)$, $\varrho, \varrho_1, \dots, \varrho_n, \varrho_{n+1} \in U$ and $q, q_1, \dots, q_n, q_{n+1} \in \mathsf{Rat}_{0,1}$. Thus, e.g.,
$$I_{\mathcal{K}}([[p]]_{\mathcal{K}} \mid \varrho_1, q_1, \varrho_2, q_2) = [[\langle\varrho_2\rangle_{q_2}\langle\varrho_1\rangle_{q_1} p]]_{\mathcal{K}}, \qquad J_{\mathcal{M}}([[p]]_{\mathcal{M}} \mid \varrho_1, q_1, \varrho_2, q_2) = [[\lfloor\varrho_2\rceil_{q_2}\lfloor\varrho_1\rceil_{q_1} p]]_{\mathcal{M}}$$
for the atomic proposition $p \in P$. Note that $q \mapsto J_{\mathcal{M}}(A \mid \varrho, q)$ is monotonically increasing, and that $I_{\mathcal{K}}(A \mid \varrho, q) = S \setminus J_{\mathcal{M}}(A \mid \varrho, q)$ by Equation (23). These quantities can be related for the probabilistic case.
Lemma 5.3
Assume that $K_\varrho(s)(S) = 1$ for all states $s \in S$. Then
$$I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2n}, q_{2n}) = \bigcap\big\{J_{\mathcal{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \dots, \varrho_{2n}, 1 - q_{2n} + 1/k_n) \;\big|\; k_1, \dots, k_n \in \mathbb{N}\big\} \qquad (24)$$
and
$$I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2n+1}, q_{2n+1}) = \bigcap\big\{S \setminus J_{\mathcal{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \dots, \varrho_{2n}, 1 - q_{2n} + 1/k_n, \varrho_{2n+1}, q_{2n+1}) \;\big|\; k_1, \dots, k_n \in \mathbb{N}\big\}. \qquad (25)$$
Proof
The proof proceeds by induction on $n$. If $n = 0$, then there is nothing to prove for Equation (24), and Equation (25) boils down to
$$I_{\mathcal{K}}(A \mid \varrho, q) = \{s \in S \mid K_\varrho(s)(A) \ge q\} = S \setminus \{s \in S \mid K_\varrho(s)(A) < q\} = S \setminus J_{\mathcal{M}}(A \mid \varrho, q).$$
Now assume that Equations (24) and (25) are established for $n$. Put $T_{k_1,\dots,k_n} := S \setminus R_{k_1,\dots,k_n}$ with
$$R_{k_1,\dots,k_n} := J_{\mathcal{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \dots, \varrho_{2n}, 1 - q_{2n} + 1/k_n, \varrho_{2n+1}, q_{2n+1}),$$
then
$$\begin{aligned}
& I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2n+1}, q_{2n+1}, \varrho, q)\\
&= I_{\mathcal{K}}\big(I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2n+1}, q_{2n+1}) \mid \varrho, q\big)\\
&\overset{(*)}{=} \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\dots,k_n\in\mathbb{N}} T_{k_1,\dots,k_n}) \ge q\}\\
&= S \setminus \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\dots,k_n\in\mathbb{N}} T_{k_1,\dots,k_n}) < q\}\\
&\overset{(\sigma)}{=} S \setminus \{s \mid \inf_{k_1,\dots,k_n\in\mathbb{N}} K_\varrho(s)(T_{k_1,\dots,k_n}) < q\}\\
&\overset{(p)}{=} S \setminus \{s \mid 1 - \sup_{k_1,\dots,k_n\in\mathbb{N}} K_\varrho(s)(R_{k_1,\dots,k_n}) < q\}\\
&= \{s \mid \sup_{k_1,\dots,k_n\in\mathbb{N}} K_\varrho(s)(R_{k_1,\dots,k_n}) \le 1 - q\}\\
&= \textstyle\bigcap_{k_1,\dots,k_n\in\mathbb{N}} \{s \mid K_\varrho(s)(R_{k_1,\dots,k_n}) \le 1 - q\}\\
&= \textstyle\bigcap_{k_1,\dots,k_n,k_{n+1}\in\mathbb{N}} \{s \mid K_\varrho(s)(R_{k_1,\dots,k_n}) < 1 - q + 1/k_{n+1}\}\\
&= \textstyle\bigcap_{k_1,\dots,k_n,k_{n+1}\in\mathbb{N}} J_{\mathcal{M}}(R_{k_1,\dots,k_n} \mid \varrho, 1 - q + 1/k_{n+1}).
\end{aligned}$$
This implies Equation (24) for $n + 1$. The induction hypothesis is used in equality $(*)$, and equality $(\sigma)$ uses $\sigma$-additivity of the measure $K_\varrho(s)$ for each $s$: this property is equivalent to
$$K_\varrho(s)\Big(\bigcap_{n\in\mathbb{N}} A_n\Big) = \inf_{n\in\mathbb{N}} K_\varrho(s)(A_n),$$
whenever $(A_n)_{n\in\mathbb{N}} \subseteq \mathcal{B}(S)$ is decreasing. Finally, equality $(p)$ uses the assumption that the full space has probability one.

To work on Equation (25) for $n + 1$, put
$$V_{k_1,\dots,k_{n+1}} := J_{\mathcal{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \dots, \varrho_{2(n+1)}, 1 - q_{2(n+1)} + 1/k_{n+1}),$$
then
$$\begin{aligned}
& I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2(n+1)}, q_{2(n+1)}, \varrho, q)\\
&= I_{\mathcal{K}}\big(I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2(n+1)}, q_{2(n+1)}) \mid \varrho, q\big)\\
&= \{s \mid K_\varrho(s)(I_{\mathcal{K}}(A \mid \varrho_1, q_1, \dots, \varrho_{2(n+1)}, q_{2(n+1)})) \ge q\}\\
&= \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\dots,k_{n+1}\in\mathbb{N}} V_{k_1,\dots,k_{n+1}}) \ge q\}\\
&= \{s \mid \inf_{k_1,\dots,k_{n+1}\in\mathbb{N}} K_\varrho(s)(V_{k_1,\dots,k_{n+1}}) \ge q\}\\
&= \textstyle\bigcap_{k_1,\dots,k_{n+1}\in\mathbb{N}} \{s \mid K_\varrho(s)(V_{k_1,\dots,k_{n+1}}) \ge q\}\\
&= \textstyle\bigcap_{k_1,\dots,k_{n+1}\in\mathbb{N}} S \setminus \{s \mid K_\varrho(s)(V_{k_1,\dots,k_{n+1}}) < q\}\\
&= \textstyle\bigcap_{k_1,\dots,k_{n+1}\in\mathbb{N}} S \setminus J_{\mathcal{M}}(V_{k_1,\dots,k_{n+1}} \mid \varrho, q).
\end{aligned}$$
Equation (25) for $n + 1$ follows now. ⊣

This has as a consequence that the semantics of a large class of formulas in $L(U, P)$ can be expressed through the semantics for $M(U, P)$-formulas.
Corollary 5.4
Assume that $K_\varrho(s)(S) = 1$ for all states $s \in S$, and let $p$ be an atomic formula. Then
$$[[\langle\varrho_{2n}\rangle_{q_{2n}} \dots \langle\varrho_1\rangle_{q_1} p]]_{\mathcal{K}} = \bigcap_{k_1,\dots,k_n\in\mathbb{N}} [[\lfloor\varrho_{2n}\rceil_{1 - q_{2n} + 1/k_n} \lfloor\varrho_{2n-1}\rceil_{q_{2n-1}} \dots \lfloor\varrho_2\rceil_{1 - q_2 + 1/k_1} \lfloor\varrho_1\rceil_{q_1} p]]_{\mathcal{M}}$$
and
$$[[\langle\varrho_{2n+1}\rangle_{q_{2n+1}} \dots \langle\varrho_1\rangle_{q_1} p]]_{\mathcal{K}} = \bigcap_{k_1,\dots,k_n\in\mathbb{N}} S \setminus [[\lfloor\varrho_{2n+1}\rceil_{q_{2n+1}} \lfloor\varrho_{2n}\rceil_{1 - q_{2n} + 1/k_n} \lfloor\varrho_{2n-1}\rceil_{q_{2n-1}} \dots \lfloor\varrho_2\rceil_{1 - q_2 + 1/k_1} \lfloor\varrho_1\rceil_{q_1} p]]_{\mathcal{M}}.$$
⊣

Note that logic $M(U, P)$ does not deal with the choice operator or with indefinite iteration; we do not even have disjunction in this logic after all. Hence we will not be able to interpret the semantics of these operators in $L(U, P)$ through operators in $M(U, P)$.

Returning to the general discussion, define as above
$$Th_{M(U,P)}(\mathcal{K}, s) := \{\varphi \mid \varphi \text{ is a formula in } M(U, P) \text{ and } \mathcal{K}, s \models \varphi\},$$
the $\mathcal{K}$-theory associated with state $s$. It is not difficult to establish that validity is preserved under morphisms.
Proposition 5.5
Let $\mathcal{K}_1$ and $\mathcal{K}_2$ be Kripke models, and $f : \mathcal{K}_1 \to \mathcal{K}_2$ a morphism, then
$$\mathcal{K}_1, s \models \varphi \iff \mathcal{K}_2, f(s) \models \varphi$$
for each state $s$ in $\mathcal{K}_1$ and each $M(U, P)$-formula $\varphi$.
Proof
See, e.g., [6, Lemma 6.17]. ⊣

Kripke models are traditionally related to each other in different ways, which are captured in the following definition.
Definition 5.6
Let $\mathcal{K}_1$ and $\mathcal{K}_2$ be Kripke models, then $\mathcal{K}_1$ and $\mathcal{K}_2$ are called
1. behaviorally equivalent iff there exists a Kripke model $\mathcal{K}_3$ and surjective morphisms $f_1, f_2$ with $\mathcal{K}_1 \xrightarrow{f_1} \mathcal{K}_3 \xleftarrow{f_2} \mathcal{K}_2$,
2. HM-equivalent iff
$$\{Th_{M(U,P)}(\mathcal{K}_1, s) \mid s \text{ is a state in } \mathcal{K}_1\} = \{Th_{M(U,P)}(\mathcal{K}_2, t) \mid t \text{ is a state in } \mathcal{K}_2\},$$
3. bisimilar iff there exists a Kripke model $\mathcal{K}_3$ and surjective morphisms $f_1, f_2$ with $\mathcal{K}_1 \xleftarrow{f_1} \mathcal{K}_3 \xrightarrow{f_2} \mathcal{K}_2$.

The name HM-equivalence alludes to the Hennessy-Milner logic which gives the context of this discussion. Usually the term "logical equivalence" is used. We will define logical equivalence below for models, and we do not want these very closely related concepts to get confused. Thus $\mathcal{K}_1$ and $\mathcal{K}_2$ are behaviorally equivalent iff we can find an intermediate Kripke model which permits comparing the validity of formulas through surjective morphisms; we need surjectivity here because we want to be able to trace back a state in the intermediate Kripke model to $\mathcal{K}_1$ and $\mathcal{K}_2$. Otherwise we could simply take the coproduct of the Kripke models, see Example 4.2. The models are bisimilar iff we can find a mediating model for them, and they are HM-equivalent iff we can find for each state in $\mathcal{K}_1$ another state in $\mathcal{K}_2$ which satisfies exactly the same formulas, and vice versa. The reader is referred to [14, 4, 6, 10] for an extensive discussion stressing different angles.

Kripke models have been defined over the category of measurable spaces; the discussion of bisimilarity, however, requires some differentiation with respect to the base category for the state space. The following result is well known.
Theorem 5.7
Let $\mathcal{K}_1$ and $\mathcal{K}_2$ be Kripke models, and consider these statements.
a. $\mathcal{K}_1$ and $\mathcal{K}_2$ are behaviorally equivalent.
b. $\mathcal{K}_1$ and $\mathcal{K}_2$ are HM-equivalent.
c. $\mathcal{K}_1$ and $\mathcal{K}_2$ are bisimilar.
Then the following holds:
i. a. ⇔ b. ⇐ c.
ii. If $\mathcal{K}_1$ and $\mathcal{K}_2$ both are models over analytic spaces, and if both $U$ and $P$ are countable, then all three statements are equivalent. Moreover, if $\mathcal{K}_1$ and $\mathcal{K}_2$ are Kripke models over Polish spaces, then in this case a mediating model over a Polish space may be constructed.
Proof
See [10, Theorem 6.17] for i. and for models over Polish spaces in ii. The case of Kripke models over analytic spaces has first been discussed in [11, 4]. ⊣

Sánchez Terraf shows in [21] that the existence of a bisimulation is tied to analytic and, by implication, to Polish spaces. Hence an attempt to generalize part ii. of Theorem 5.7 to general measurable spaces is futile.

Given a model $\mathcal{M} = (\mathcal{K}, \Phi, \Psi)$, call $\mathcal{K}$ the Kripke model underlying $\mathcal{M}$. Define for models $\mathcal{M}_1 = (\mathcal{K}_1, \Phi, \Psi)$ and $\mathcal{M}_2 = (\mathcal{K}_2, \Phi, \Psi)$ a model morphism $f : \mathcal{M}_1 \to \mathcal{M}_2$ as a morphism $f : \mathcal{K}_1 \to \mathcal{K}_2$ for the underlying Kripke models. Note that $\Phi$ and $\Psi$ do not enter explicitly into this definition because they are natural transformations, hence by their very nature compatible with morphisms for Kripke models. Behavioral equivalence and bisimilarity can be described in terms of these morphisms:
Definition 5.8
Models $\mathcal{M}_1$ and $\mathcal{M}_2$ are behaviorally equivalent iff there exists a model $\mathcal{M}_3$ and surjective morphisms $f_1, f_2$ with $\mathcal{M}_1 \xrightarrow{f_1} \mathcal{M}_3 \xleftarrow{f_2} \mathcal{M}_2$. If a mediating model $\mathcal{M}_3$ and surjective morphisms $g_1, g_2$ exist with $\mathcal{M}_1 \xleftarrow{g_1} \mathcal{M}_3 \xrightarrow{g_2} \mathcal{M}_2$, then $\mathcal{M}_1$ and $\mathcal{M}_2$ are called bisimilar. $\mathcal{M}_1$ and $\mathcal{M}_2$ are logically equivalent iff
$$\{Th_{L(U,P)}(\mathcal{M}_1, s) \mid s \text{ is a state in } \mathcal{M}_1\} = \{Th_{L(U,P)}(\mathcal{M}_2, t) \mid t \text{ is a state in } \mathcal{M}_2\}.$$

We obtain from Proposition 5.5
Proposition 5.9
Let $\mathcal{M}_1$ and $\mathcal{M}_2$ be models and $f : \mathcal{M}_1 \to \mathcal{M}_2$ be a model morphism. Then
$$\mathcal{M}_1, s \models \varphi \iff \mathcal{M}_2, f(s) \models \varphi \qquad (26)$$
for each state $s$ of $\mathcal{M}_1$ and each formula $\varphi$ in $L(U, P)$.
Proof
The statement may be reformulated as $[[\varphi]]_{\mathcal{M}_1} = f^{-1}[[[\varphi]]_{\mathcal{M}_2}]$. We argue by induction on $\varphi$. The equivalence in (26) is true for $\varphi = \top$ and for atomic propositions by the definition of a morphism. If it is true for $\varphi_1$ and for $\varphi_2$, then it is also true for $\varphi_1 \wedge \varphi_2$. We do an induction on program $\pi$ in formula $\lfloor\pi\rceil_q\varphi$, assuming that the equivalence (26) holds for $\varphi$. If $\pi = \varrho_1;\dots;\varrho_n \in \Omega(U)$, the assertion follows from Lemma 3.9; for $\pi = \pi_1 \cup \pi_2$ and for $\pi = \pi_1^*$ the assertion follows from the fact that $\Phi$ and $\Psi$ are natural transformations. ⊣

Because morphisms for models and for their underlying Kripke models are the same, we obtain immediately
Corollary 5.10
Let $\mathcal{M}_1$ and $\mathcal{M}_2$ be models with underlying Kripke models $\mathcal{K}_1$ resp. $\mathcal{K}_2$, then
a. $\mathcal{M}_1$ and $\mathcal{M}_2$ are behaviorally equivalent iff $\mathcal{K}_1$ and $\mathcal{K}_2$ are behaviorally equivalent,
b. $\mathcal{M}_1$ and $\mathcal{M}_2$ are bisimilar iff $\mathcal{K}_1$ and $\mathcal{K}_2$ are bisimilar. ⊣

The construction of a model onto which logically equivalent models can be mapped requires some technical preparations, which we now turn to.
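Before the factor construction, the constructions so far instantiated on a finite state space, as an added example that is not part of the paper: Kleisli composition (1) becomes a matrix product, the validity sets (12) to (15) are computed with the choice interpretation (17) unfolded into a sum of thresholds (the example's own derivation, which relies on the rationals being dense), the complement relation (23) to the Hennessy-Milner box (22) is exposed, and the morphism condition of Definition 4.1, whose validity preservation is Proposition 5.9, is checked. All kernels, valuations and the map f are constructed sample data, and indefinite iteration is left out.

```python
"""Finite-state instance of the paper's constructions (added example, not the paper's code).
States are 0..n-1; a stochastic relation K_rho : S ~> S is an n x n matrix of Fractions with
row sums <= 1, so K_rho(s)(A) is a finite sum and every subset A of S is measurable.
Programs: ("block", [rho, ...]) is a basic block (the empty list is epsilon) and
("choice", pi_1, pi_2) is pi_1 u pi_2.  Formulas: ("top",), ("atom", p), ("and", f, g) and
("box", pi, q, f) for |pi]_q f.  Iteration is left out: (18) needs the infinite sum over pi^m.
"""
from fractions import Fraction as Fr


class KripkeModel:
    """A stochastic Kripke model (S, (K_rho)_rho, V) on the finite state space {0,..,n-1}."""

    def __init__(self, n, kernels, valuation):
        self.n, self.K, self.V = n, kernels, valuation   # |S|, rho -> matrix, p -> set
        for K in kernels.values():
            assert all(sum(row) <= 1 for row in K), "kernels must be sub-stochastic"

    def states(self):
        return range(self.n)


def kleisli(K1, K2):
    """(K1 * K2)(s)(A) = int_S K2(t)(A) K1(s)(dt); on a finite S the convolution of the
    two transition kernels is their matrix product."""
    n = len(K1)
    return [[sum(K1[s][t] * K2[t][u] for t in range(n)) for u in range(n)] for s in range(n)]


def identity(n):
    """The identity relation 1_S, i.e. K_epsilon."""
    return [[Fr(int(s == u)) for u in range(n)] for s in range(n)]


def block_kernel(model, rhos):
    """K_{rho_1;...;rho_n} := K_{rho_1} * ... * K_{rho_n}, Equation (1)."""
    K = identity(model.n)
    for rho in rhos:
        K = kleisli(K, model.K[rho])
    return K


def mass(K, s, A):
    """K(s)(A): probability of moving from s into the set A under the kernel K."""
    return sum(K[s][u] for u in A)


def threshold(model, prog, A):
    """Per state s, the infimum of the q with s in [[ |pi]_q phi ]]_M, where A = [[phi]]_M.
    For a basic block this is K_pi(s)(A) by (16).  For a choice, (17) is the union over
    a_1 + a_2 <= q of [[ |pi_1]_{a_1} phi ]] /\ [[ |pi_2]_{a_2} phi ]]; as the rationals are
    dense, s lies in that union iff threshold(pi_1)(s) + threshold(pi_2)(s) < q, so the
    thresholds of a choice add up (this unfolding of (17) is the example's own reasoning)."""
    if prog[0] == "block":
        K = block_kernel(model, prog[1])
        return [mass(K, s, A) for s in model.states()]
    if prog[0] == "choice":
        t1, t2 = threshold(model, prog[1], A), threshold(model, prog[2], A)
        return [a + b for a, b in zip(t1, t2)]
    raise ValueError(f"unknown program constructor {prog[0]!r}")


def extension(model, phi):
    """Validity set [[phi]]_M following Equations (12) to (15)."""
    kind = phi[0]
    if kind == "top":
        return set(model.states())                                   # (12)
    if kind == "atom":
        return set(model.V[phi[1]])                                  # (13)
    if kind == "and":
        return extension(model, phi[1]) & extension(model, phi[2])   # (14)
    if kind == "box":
        _, prog, q, psi = phi
        thr = threshold(model, prog, extension(model, psi))
        return {s for s in model.states() if thr[s] < q}             # (15): bound from above
    raise ValueError(f"unknown formula constructor {kind!r}")


def hm_extension(model, rho, q, A):
    """[[<rho>_q phi]]_K of the Hennessy-Milner logic, Equation (22): probability at least q."""
    return {s for s in model.states() if mass(model.K[rho], s, A) >= q}


def is_morphism(m1, m2, f):
    """Definition 4.1 for f : S1 -> S2 given as a list: K2_rho(f(s))(B) = K1_rho(s)(f^{-1}[B])
    for all rho and B (it suffices to check singletons B = {u}), and V1(p) = f^{-1}[V2(p)]."""
    def preimage(B):
        return {s for s in m1.states() if f[s] in B}
    kernels_ok = all(mass(m2.K[rho], f[s], {u}) == mass(m1.K[rho], s, preimage({u}))
                     for rho in m1.K for s in m1.states() for u in m2.states())
    return kernels_ok and all(set(m1.V[p]) == preimage(m2.V[p]) for p in m1.V)


# Constructed sample data: M1 on three states is mapped onto M2 on two states by f = [0, 1, 1];
# the kernels were chosen by hand so that f is a morphism.
M1 = KripkeModel(3, {
    "rho":   [[Fr(0), Fr(1, 2), Fr(1, 4)], [Fr(1, 3), Fr(1, 6), Fr(1, 2)], [Fr(1, 3)] * 3],
    "sigma": [[Fr(1), Fr(0), Fr(0)], [Fr(0), Fr(1, 2), Fr(1, 2)], [Fr(0), Fr(0), Fr(1)]],
}, {"p": {0}, "r": {1, 2}})
M2 = KripkeModel(2, {"rho": [[Fr(0), Fr(3, 4)], [Fr(1, 3), Fr(2, 3)]],
                     "sigma": [[Fr(1), Fr(0)], [Fr(0), Fr(1)]]}, {"p": {0}, "r": {1}})
F12 = [0, 1, 1]

# |(rho;sigma) u rho]_{1/2} p: after choosing between the block rho;sigma and rho alone,
# the state reached satisfies p with probability strictly below 1/2.
PHI = ("box", ("choice", ("block", ["rho", "sigma"]), ("block", ["rho"])), Fr(1, 2), ("atom", "p"))
```

Running `extension(M1, PHI)` and `extension(M2, PHI)` gives the singleton {0} in both models, and the first is the preimage of the second under f, as Proposition 5.9 predicts.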
The factor construction for the investigation of logical equivalence follows basically [19] and [7, Section 2.6.2]; this construction cannot be used for the present purpose as it stands, because some small but not unimportant changes have to be made. Hence we construct factors fairly explicitly for the reader's convenience, pointing out differences as we go. Preparing for the construction, we recall the important $\pi$-$\lambda$-Theorem from the theory of Borel sets [7, Theorem 1.3.1].
Proposition 5.11
Let $\mathcal{A}$ be a family of subsets of a set $X$ that is closed under finite intersections. Then $\sigma(\mathcal{A})$ is the smallest family of subsets containing $\mathcal{A}$ which is closed under complementation and countable disjoint unions. In particular, if the measures $\mu_1, \mu_2 \in \mathsf{S}(\sigma(\mathcal{A}))$ coincide on $\mathcal{A}$, then they are equal on $\sigma(\mathcal{A})$. ⊣

This yields a proof strategy for the identification of $\sigma$-algebras in the construction to follow. It goes like this. In order to establish a property for all measurable sets, we will single out those sets for which the property holds and show that these sets form a generator which is closed under finite intersections. Then we will conclude through Proposition 5.11 that the property holds for each set in the $\sigma$-algebra. The following simple statement will be technically helpful as well.
Lemma 5.12
Let $f : M \to N$ be a map, and assume that $A \subseteq M$ is $f$-invariant (i.e., $a \in A$ and $f(a) = f(a')$ together imply $a' \in A$). Then $f^{-1}[f[A]] = A$. If $B$ is also $f$-invariant, then $f[A \cap B] = f[A] \cap f[B]$. ⊣

Fix a model $\mathcal{M} = (\mathcal{K}, \Phi, \Psi)$ for the moment. Define on the state space $S$ of $\mathcal{M}$ the equivalence relation
$$s \sim s' \iff Th_{L(U,P)}(\mathcal{M}, s) = Th_{L(U,P)}(\mathcal{M}, s').$$
Thus $s \sim s'$ iff the states $s$ and $s'$ satisfy exactly the same PDL formulas. Define on $S$ the set $\mathcal{E}_{PDL}$ of extensions of formulas through
$$\mathcal{E}_{PDL} := \{[[\varphi]]_{\mathcal{M}} \mid \varphi \text{ is a PDL formula}\}.$$
Note that $\mathcal{E}_{PDL} \subseteq \mathcal{B}(S)$ is closed under finite intersections, because the logic is closed under finite conjunctions. Make the factor space $S/\!\sim$ a measurable space by defining the $\sigma$-algebra
$$\mathcal{B}(S/\!\sim) := \sigma\big(\{A \subseteq S/\!\sim \;\mid\; \eta_\sim^{-1}[A] \in \mathcal{E}_{PDL}\}\big).$$
The $\sigma$-algebra is generated by the images of the formulas' extensions:
Lemma 5.13
The set $\mathcal{A} := \{\eta_\sim[[[\varphi]]_{\mathcal{M}}] \mid \varphi \text{ is a PDL formula}\}$ is a generator of $\mathcal{B}(S/\!\sim)$ which is closed under finite intersections. If there are countably many PDL formulas, then $\mathcal{B}(S/\!\sim)$ is countably generated.
Proof
Each extension is $\eta_\sim$-invariant by construction, and the logic is closed under conjunctions, thus $\mathcal{A}$ is closed under finite intersections by Lemma 5.12. It follows also that $[[\varphi]]_{\mathcal{M}} = \eta_\sim^{-1}[\eta_\sim[[[\varphi]]_{\mathcal{M}}]]$, thus $\mathcal{A} \subseteq \mathcal{B}(S/\!\sim)$. Now, if $\eta_\sim^{-1}[A] \in \mathcal{E}_{PDL}$, then we find some PDL formula $\varphi$ with $[[\varphi]]_{\mathcal{M}} = \eta_\sim^{-1}[A]$, so that $A = \eta_\sim[[[\varphi]]_{\mathcal{M}}]$, because $\eta_\sim$ is onto. This implies $\mathcal{B}(S/\!\sim) \subseteq \sigma(\mathcal{A})$. Plainly, if there are countably many PDL formulas, then $\mathcal{A}$ is countable. ⊣
Corollary 5.14
$\eta_\sim : S \to S/\!\sim$ is measurable.
Proof
Put $\mathcal{D} := \{A \in \mathcal{B}(S/\!\sim) \mid \eta_\sim^{-1}[A] \in \mathcal{B}(S)\}$, then $\mathcal{D}$ is plainly closed under complementation and countable disjoint unions. We obtain from Lemma 5.1 and from $[[\varphi]]_{\mathcal{M}} = \eta_\sim^{-1}[\eta_\sim[[[\varphi]]_{\mathcal{M}}]]$ that $\eta_\sim[[[\varphi]]_{\mathcal{M}}] \in \mathcal{D}$ for each formula $\varphi$, so it follows from Lemma 5.13 that $\mathcal{D} = \mathcal{B}(S/\!\sim)$, from which the assertion follows. ⊣

This observation permits the construction of a stochastic relation $k_\varrho : S/\!\sim\ \rightsquigarrow S/\!\sim$ for each $\varrho \in U$. One first notes that $s \sim s'$ implies $K_\varrho(s)([[\varphi]]_{\mathcal{M}}) = K_\varrho(s')([[\varphi]]_{\mathcal{M}})$ for each PDL formula $\varphi$. In fact, if, say, $K_\varrho(s)([[\varphi]]_{\mathcal{M}}) < K_\varrho(s')([[\varphi]]_{\mathcal{M}})$, then we can find $q$ rational with
$$K_\varrho(s)([[\varphi]]_{\mathcal{M}}) < q \le K_\varrho(s')([[\varphi]]_{\mathcal{M}}),$$
so that $\mathcal{M}, s \models \lfloor\varrho\rceil_q\varphi$, but $\mathcal{M}, s' \not\models \lfloor\varrho\rceil_q\varphi$, contradicting $s \sim s'$. Consequently, $s \mapsto K_\varrho(s)([[\varphi]]_{\mathcal{M}})$ is constant on each $\sim$-class, so that
$$k_\varrho([s]_\sim)(A) := K_\varrho(s)(\eta_\sim^{-1}[A])$$
is well defined on $S/\!\sim$ whenever $A \in \mathcal{B}(S/\!\sim)$. It is clear that $k_\varrho([s]_\sim) \in \mathsf{S}(S/\!\sim)$, so that measurability needs to be established.

Proposition 5.15
$k_\varrho : S/\!\sim\ \rightsquigarrow S/\!\sim$ is a stochastic relation for each $\varrho \in U$.
Proof
Put $\mathcal{D} := \{ A \in \mathcal{B}(S/\!\sim) \mid v \mapsto k_\varrho(v)(A) \text{ is } \mathcal{B}(S/\!\sim)\text{-measurable} \}$. Then evidently $\mathcal{D}$ is closed under complementation and under countable disjoint unions. Moreover, $\eta_\sim[[\![\varphi]\!]_M] \in \mathcal{D}$ for each formula $\varphi$, because
$$\{ v \mid k_\varrho(v)(\eta_\sim[[\![\varphi]\!]_M]) < q \} = \eta_\sim\big[[\![\lfloor\varrho\rceil_q\varphi]\!]_M\big] \in \mathcal{B}(S/\!\sim)$$
by Lemma 5.13. Applying Lemma 5.13 again, we see that $\mathcal{D} = \mathcal{B}(S/\!\sim)$. ⊣

Taking $\varphi = \top$, we obtain in particular from the argument above that $s \sim s'$ implies
$$\forall \varrho \in U : K_\varrho(s)(S) = K_\varrho(s')(S). \tag{27}$$
Now define the Kripke model
$$K/\!\sim\ := (S/\!\sim, (k_\varrho)_{\varrho \in U}, V_\sim)$$
with $V_\sim := \{ \eta_\sim[V(p)] \mid p \in P \}$ as the valuations for the atomic propositions. It may be noted that the equivalence relation has been defined through a model, but that we now define the Kripke model on its classes. The following observation is immediate.

Lemma 5.16
$\eta_\sim : K \to K/\!\sim$ is a morphism for Kripke models. ⊣

Define for the logically equivalent models $M_1$ and $M_2$ with underlying Kripke models $K_1$ and $K_2$ over state spaces $S_1$ resp. $S_2$ the map $\kappa$ as follows:
$$\kappa : \begin{cases} S_1/\!\sim\ \to S_2/\!\sim \\ [s_1]_\sim \mapsto [s_2]_\sim \quad \text{iff } Th_{L(U,P)}(M_1, s_1) = Th_{L(U,P)}(M_2, s_2). \end{cases}$$
On account of logical equivalence, $\kappa$ is a bijection, but we can say even more.

Proposition 5.17
$\kappa : K_1/\!\sim\ \to K_2/\!\sim$ is an isomorphism.
Proof
1. We show first that $\kappa : S_1/\!\sim\ \to S_2/\!\sim$ is measurable. In fact, let
$$\mathcal{D} := \{ A \in \mathcal{B}(S_2/\!\sim) \mid \kappa^{-1}[A] \in \mathcal{B}(S_1/\!\sim) \};$$
then it is enough, by Proposition 5.11 and Lemma 5.13, to show that $\eta_\sim[[\![\varphi]\!]_{M_2}] \in \mathcal{D}$ for each PDL formula $\varphi$. This follows from
$$\kappa^{-1}\big[\eta_\sim[[\![\varphi]\!]_{M_2}]\big] = \eta_\sim[[\![\varphi]\!]_{M_1}].$$
This implies measurability, and the equation
$$\kappa\big[\eta_\sim[[\![\varphi]\!]_{M_1}]\big] = \eta_\sim[[\![\varphi]\!]_{M_2}]$$
shows that $\kappa^{-1}$ is measurable as well.

2. Observe that we have
$$k_{1,\varrho}([s_1]_\sim)(\eta_\sim[[\![\varphi]\!]_{M_1}]) = K_{1,\varrho}(s_1)([\![\varphi]\!]_{M_1}) \overset{(*)}{=} K_{2,\varrho}(s_2)([\![\varphi]\!]_{M_2}) = k_{2,\varrho}([s_2]_\sim)(\eta_\sim[[\![\varphi]\!]_{M_2}])$$
for each $\varrho \in U$, for all $s_1, s_2$ with $\kappa([s_1]_\sim) = [s_2]_\sim$ and for each formula $\varphi$ (we argue in equation $(*)$ as in the proof of Corollary 5.14). Because
$$\mathcal{D} := \{ A \in \mathcal{B}(S_2/\!\sim) \mid k_{2,\varrho}(\kappa([s_1]_\sim))(A) = k_{1,\varrho}([s_1]_\sim)(\kappa^{-1}[A]) \}$$
is closed under complementation and countable disjoint unions by (27), and since it contains all sets $\eta_\sim[[\![\varphi]\!]_{M_2}]$ by the argument above, it equals $\mathcal{B}(S_2/\!\sim)$ by Lemma 5.12 and by Proposition 5.11. A very similar argument applies to $\kappa^{-1}$. ⊣

These constructions can be carried out in general measurable spaces and do not need the requirement of separability, which will enter the argument in a moment.
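The quotient construction above (the classes of $\sim$, the factor kernels $k_\varrho$, and the observation that $s \mapsto K_\varrho(s)(\cdot)$ is constant on each class) can be carried out by hand on a finite state space, where $\mathcal{B}(S)$ is the power set and measurability is automatic. The following Python script is an added example and not code from the paper: it builds a constructed five-state, strictly probabilistic Kripke model with one primitive program `a` and one atomic proposition `p`, computes $\sim$ from the nested formulas $\lfloor a\rceil_q \ldots \lfloor a\rceil_{q'} p$ (read, as in the argument before Proposition 5.15, as "$K_a(s)([\![\varphi]\!]) < q$"), and returns the classes together with the factor kernel $k_a$ on them. The tuple encoding of formulas, the depth bound and the grid of rationals $\{1/4, 1/2, 3/4, 1\}$ are assumptions of the example.

```python
from fractions import Fraction
from itertools import product


def mass(kernels, rho, s, target):
    """K_rho(s)(target): the sub-probability mass that program rho moves from s into target."""
    return sum((kernels[rho][s].get(t, Fraction(0)) for t in target), Fraction(0))


def extension(model, phi):
    """[[phi]]_M for a finite model (states, kernels, valuation).
    Formulas are nested tuples: ('top',), ('atom', p), ('not', phi), ('and', phi, psi)
    and ('box', rho, q, phi) for the modality floor-rho-ceil_q phi, which holds at s
    iff K_rho(s)([[phi]]) < q (the reading used in the argument before Proposition 5.15)."""
    states, kernels, valuation = model
    kind = phi[0]
    if kind == "top":
        return frozenset(states)
    if kind == "atom":
        return frozenset(valuation[phi[1]])
    if kind == "not":
        return frozenset(states) - extension(model, phi[1])
    if kind == "and":
        return extension(model, phi[1]) & extension(model, phi[2])
    if kind == "box":
        _, rho, q, sub = phi
        target = extension(model, sub)
        return frozenset(s for s in states if mass(kernels, rho, s, target) < q)
    raise ValueError(f"unknown formula {phi!r}")


def single_step_formulas(U, P, rationals, depth):
    """All formulas [rho_1]_{q_1} ... [rho_n]_{q_n} p with n <= depth over the given grid."""
    formulas = []
    for p in P:
        for n in range(depth + 1):
            for prefix in product(product(U, rationals), repeat=n):
                phi = ("atom", p)
                for rho, q in reversed(prefix):  # innermost modality wraps p first
                    phi = ("box", rho, q, phi)
                formulas.append(phi)
    return formulas


def kernel_is_constant(model, classes):
    """True iff s -> K_rho(s)(B) is constant on every class C, for every class B.
    On a finite space this is exactly what makes k_rho([s])(A) := K_rho(s)(eta^{-1}[A])
    well defined: every A is a union of classes and K_rho(s) is additive."""
    _, kernels, _ = model
    return all(
        len({mass(kernels, rho, s, B) for s in C}) == 1
        for rho in kernels for C in classes for B in classes
    )


def quotient(model, formulas):
    """Classes of s ~ s' (same theory over `formulas`) and the factor kernels
    k[rho][C][B] = k_rho(C)({B}) of the Kripke model K/~ on those classes."""
    states, kernels, _ = model
    exts = {phi: extension(model, phi) for phi in formulas}
    by_theory = {}
    for s in states:
        theory = frozenset(phi for phi in formulas if s in exts[phi])
        by_theory.setdefault(theory, []).append(s)
    classes = sorted((frozenset(c) for c in by_theory.values()), key=min)
    if not kernel_is_constant(model, classes):
        raise ValueError("the formula set does not separate enough: k_rho would be ill defined")
    # any representative of C will do, since the mass is constant on C
    k = {rho: {C: {B: mass(kernels, rho, min(C), B) for B in classes} for C in classes}
         for rho in kernels}
    return classes, k


# Constructed example (not from the paper): a strictly probabilistic model in the sense
# of Equation (29), five states, one primitive program 'a', one atomic proposition 'p'.
MODEL = (
    ["s0", "s1", "s2", "s3", "s4"],
    {"a": {
        "s0": {"s1": Fraction(1, 2), "s2": Fraction(1, 2)},
        "s1": {"s0": Fraction(1, 2), "s2": Fraction(1, 2)},
        "s2": {"s3": Fraction(1)},
        "s3": {"s2": Fraction(1)},
        "s4": {"s2": Fraction(1, 3), "s4": Fraction(2, 3)},
    }},
    {"p": {"s2", "s3"}},
)
GRID = [Fraction(n, 4) for n in range(1, 5)]  # the rationals 1/4, 1/2, 3/4, 1
X = single_step_formulas(["a"], ["p"], GRID, depth=2)

if __name__ == "__main__":
    classes, k = quotient(MODEL, X)
    for C in classes:
        print(sorted(C), {tuple(sorted(B)): str(k["a"][C][B]) for B in classes})
```

`quotient` accepts any list of formulas, so the same script can be run with Boolean combinations added to `X` to see that the classes do not change. `kernel_is_constant` is the finite form of the well-definedness argument: handing it the coarser partition that merges `s4` with `s0` and `s1` makes it fail, which is exactly the situation the formula $\lfloor a\rceil_{1/2} p$ rules out, since $K_a(s_4)([\![p]\!]) = 1/3 < 1/2 \le K_a(s_0)([\![p]\!])$.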
This, then, is a characterization of logical vs. behavioral equivalence.
Proposition 5.18
Let $M_1$ and $M_2$ be models, and consider these statements.
a. $M_1$ and $M_2$ are behaviorally equivalent.
b. $M_1$ and $M_2$ are logically equivalent.
Then
i. a. ⇒ b.
ii. If the set $U$ of primitive programs and the set $P$ of atomic propositions are countable, then b. ⇒ a.

Proof
1. Part i. follows immediately from Proposition 5.9, so part ii. remains to be established.

2. Let $K_1$ and $K_2$ be the Kripke models underlying $M_1$ resp. $M_2$. Construct the models $K_1/\!\sim$ and $K_2/\!\sim$ and the isomorphism $\kappa : K_1/\!\sim\ \to K_2/\!\sim$ as in Proposition 5.17; then the state spaces of these models are separable according to Lemma 5.13. Complete $K_1/\!\sim$ according to Proposition 3.6 (we write $\overline{X}$ for the completion of $X$); then we have the morphisms
$$K_1 \xrightarrow{\;\eta_\sim\;} \overline{K_1/\!\sim} \xleftarrow{\;\kappa^{-1}\circ\eta_\sim\;} K_2,$$
because both $K_1$ and $K_2$ are defined over complete spaces, again by Proposition 3.6. This is so because the factor map $\eta_\sim : S_1 \to S_1/\!\sim$ is also a measurable map $S_1 \to \overline{S_1/\!\sim}$. Hence $\eta_\sim : K_1 \to K_1/\!\sim$ extends to a morphism $\eta_\sim : K_1 \to \overline{K_1/\!\sim}$. A similar argument applies to $K_2$. Now define $M := (\overline{K_1/\!\sim}, \Phi, \Psi)$; then $\eta_\sim : M_1 \to M$ and $\kappa^{-1}\circ\eta_\sim : M_2 \to M$ are the desired morphisms. ⊣

The state space of a model is assumed to be a universally complete measurable space. We relax this a bit by introducing generalized models. This is necessary in order to get a firmer grip on state spaces that are Polish, as will be argued below.
Definition 6.1
$N = (K, \Phi, \Psi)$ is called a generalized model (g-model) iff $K$ is a Kripke model over a general measurable space; the natural transformations $\Phi : RR \times RR \overset{\bullet}{\to} RR$ and $\Psi : (RR)^{\mathbb{N}} \overset{\bullet}{\to} RR$ have the same properties as in Definition 4.8. A morphism $N_1 \to N_2$ is a morphism for the underlying Kripke models $K_1 \to K_2$.

Behavioral equivalence can be defined for g-models through morphisms exactly as in Definition 5.8. It is, however, difficult to discuss logical equivalence, because the validity of formulas cannot be described without information about the measurable structure of the validity sets. This is so since $K_\varrho : S \rightsquigarrow S$ might not be extendable to $\overline{K_\varrho} : \overline{S} \rightsquigarrow \overline{S}$ in general, i.e., without additional assumptions.

Call a Kripke model separable iff its state space is countably generated, and call accordingly a g-model separable iff the underlying Kripke model is separable. For $N$ separable we can construct a model $\overline{N} = (\overline{K}, \Phi, \Psi)$ by completion, where $\overline{K} = (\overline{S}, (\overline{K_\varrho})_{\varrho \in U}, \overline{V})$ is the completion of the Kripke model $K$ (we write $\overline{X}$ for the completion of $X$). Thus we may call separable g-models $N_1$ and $N_2$ logically equivalent iff their completions $\overline{N_1}$ and $\overline{N_2}$ are logically equivalent.

Assume that the Kripke model $K$ is separable. Then the inclusion $K \to \overline{K}$ is a morphism, hence
$$Th_{M(U,P)}(K, s) = Th_{M(U,P)}(\overline{K}, s) \tag{28}$$
for each state $s$ of $K$ by Proposition 5.5. This implies that two separable Kripke models are HM-equivalent iff their completions are HM-equivalent. We obtain

Proposition 6.2
Let $N_1$ and $N_2$ be separable g-models with underlying Kripke models $K_1$ and $K_2$. Consider
a. $N_1$ and $N_2$ are behaviorally equivalent.
b. $N_1$ and $N_2$ are logically equivalent.
c. $K_1$ and $K_2$ are behaviorally equivalent.
d. $K_1$ and $K_2$ are HM-equivalent.
e. $\overline{K_1}$ and $\overline{K_2}$ are HM-equivalent.
Then
i. a. ⇔ c. ⇔ d. ⇔ e.
ii. a. ⇒ b.

Proof
1. The equivalence c. ⇔ d. ⇔ e. is the first part of Theorem 5.7 together with observation (28); the equivalence a. ⇔ c. is trivial. This establishes part i.

2. If $f : N_1 \to N_2$ is a morphism for g-models, then $f : \overline{N_1} \to \overline{N_2}$ is a model morphism by virtue of Proposition 3.6. Thus part ii. follows from Proposition 5.9. ⊣

If we know that the separable g-models $N_1$ and $N_2$ are logically equivalent, and that both $U$ and $P$ are countable, then we may conclude from part ii. of Proposition 5.18 that we can find a model $M$ and surjective morphisms $\overline{N_1} \xleftarrow{\;g_1\;} M \xrightarrow{\;g_2\;} \overline{N_2}$. Tracing the construction, we even know that the model $M$ is the completion of a separable g-model. But there is no reason to assume that the inverse images of the morphisms $g_1$ and $g_2$ map Borel sets to Borel sets (rather than Borel sets to universal Borel sets). Thus for the time being the question remains open whether logically equivalent models are behaviorally equivalent as well.

The existence of a mediating model is dependent on topological assumptions, because — by the standard construction — a mediating model is constructed from a semi-pullback, the existence of which requires an analytic or a Standard Borel space. It is mandatory to discuss g-models in this case, because as a rule Standard Borel spaces are not complete, provided they are not countable. This can be seen as follows. Let $X$ be an uncountable Standard Borel space; then there exists an analytic set $A \subseteq X$ which is not a Borel set [20, Theorem 4.1.5]. $A$ can be obtained through the Souslin operation as
$$A = \bigcup_{\alpha \in \mathbb{N}^{\mathbb{N}}} \bigcap_{n \in \mathbb{N}} F_{\alpha|n}$$
with a family $\{ F_v \mid v \in \Omega(\mathbb{N}) \}$ of closed sets by [20, Theorem 4.1.13]. If the measurable space $X$ were complete, it would be closed under the Souslin operation by [20, Proposition 3.5.22], hence $A$ would be a Borel set, contrary to the assumption.

We need some preparations. Let $S$ be a Standard Borel space.
Call an equivalence relation $\simeq$ on $S$ countably generated (or smooth) iff there exists a sequence $(B_n)_{n \in \mathbb{N}} \subseteq \mathcal{B}(S)$ which defines the relation, i.e.,
$$s \simeq s' \iff \forall n \in \mathbb{N} : \big[\, s \in B_n \Leftrightarrow s' \in B_n \,\big].$$
A set $B \subseteq S$ is called $\simeq$-invariant iff $B$ is the union of $\simeq$-classes, equivalently, iff $b \in B$ and $b \simeq b'$ together imply $b' \in B$ (hence $B$ is $\eta_\simeq$-invariant, see Lemma 5.12). Relation $\simeq$ defines a $\sigma$-algebra $\mathcal{A}_\simeq \subseteq \mathcal{B}(S)$ through its invariant Borel sets, i.e.,
$$\mathcal{A}_\simeq := \sigma\big(\{ B \in \mathcal{B}(S) \mid B \text{ is } \simeq\text{-invariant} \}\big).$$
This construction has been studied quite extensively in the context of stochastic relations. Vice versa, this $\sigma$-algebra determines the equivalence relation uniquely [7]:

Lemma 6.3
Let $S$ be a Standard Borel space with smooth equivalence relations $\simeq_1$ and $\simeq_2$. If $\mathcal{A}_{\simeq_1} = \mathcal{A}_{\simeq_2}$, then $\simeq_1 = \simeq_2$. ⊣

Fix a model $M$ with underlying Kripke model $K$, and assume that both $U$ and $P$ are countable. Consider these sets of formulas:
$$\begin{aligned}
X &:= \{ \lfloor\varrho_1\rceil_{q_1} \ldots \lfloor\varrho_n\rceil_{q_n} p \mid p \in P,\ \varrho_1, \ldots, \varrho_n \in U,\ q_1, \ldots, q_n \in \mathrm{Rat}_{0,1},\ n \in \mathbb{N} \} \\
Y &:= \{ \langle\varrho_1\rangle_{q_1} \ldots \langle\varrho_n\rangle_{q_n} p \mid p \in P,\ \varrho_1, \ldots, \varrho_n \in U,\ q_1, \ldots, q_n \in \mathrm{Rat}_{0,1},\ n \in \mathbb{N} \} \\
Z &:= \{ \varphi \mid \varphi \text{ is an } L(U,P)\text{-formula} \}
\end{aligned}$$
The sets $X$ and $Y$ are countable, since $U$ and $P$ are. The formulas helping to define $X$ could be called the single-step formulas in $L(U,P)$: execute the simple program $\varrho_n$, check whether its result on the atomic sentence $p$ is below $q_n$, then execute the simple program $\varrho_{n-1}$ on the corresponding states, check whether the result is below $q_{n-1}$, etc. Let $\simeq_X$ be the equivalence relation generated by the validity sets $\{ [\![\varphi]\!]_M \mid \varphi \in X \}$ with $\sigma$-algebra $\mathcal{A}_X$ of invariant sets, similarly for $\simeq_Y$ with $\mathcal{A}_Y$ and for $\simeq_Z$ with $\mathcal{A}_Z$. The following observation is obvious, because all formulas from $Z$ are generated from the formulas from $Y$ by finitary operations.

Lemma 6.4
$\mathcal{A}_Y = \mathcal{A}_Z$. ⊣

Throughout the rest of the paper, we make in view of Lemma 5.3 the assumption that all Kripke models $(S, (K_\varrho)_{\varrho \in U}, V)$ are strictly probabilistic, i.e., that
$$\forall \varrho \in U\ \forall s \in S : K_\varrho(s)(S) = 1 \tag{29}$$
holds.

Lemma 6.5
$\mathcal{A}_X = \mathcal{A}_Y$.

Proof
We infer from Corollary 5.4 that $[\![\psi]\!]_K$ is expressible through sets from $\mathcal{A}_X$ for each $\psi \in Y$, thus $\mathcal{A}_Y \subseteq \mathcal{A}_X$. Starting from Equation (23), a similar representation of $[\![\varphi]\!]_M$ for $\varphi \in X$ through sets from $\mathcal{A}_Y$ yields the other inclusion. ⊣

This has as an immediate consequence
Corollary 6.6
These statements are equivalent for states $s, s'$ in a g-model $N$ with underlying Kripke model $K$.
a. $N, s \models \varphi \Leftrightarrow N, s' \models \varphi$ for all single-step formulas $\varphi$, i.e., all $M(U,P)$-formulas $\varphi$ of the shape $\lfloor\varrho_1\rceil_{q_1} \ldots \lfloor\varrho_n\rceil_{q_n} p$ with $\varrho_1, \ldots, \varrho_n \in U$, $q_1, \ldots, q_n \in \mathrm{Rat}_{0,1}$, $n \in \mathbb{N}$ and $p \in P$.
b. $K, s \models \psi \Leftrightarrow K, s' \models \psi$ for all $L(U,P)$-formulas $\psi$.

Proof
Lemma 6.5, Lemma 6.4 and Lemma 6.3. ⊣

Given g-models $N_1$ and $N_2$ with underlying Kripke models $K_1$ and $K_2$ over state spaces $S_1$ resp. $S_2$, construct the g-model $N_1 \oplus N_2 := (K_1 \oplus K_2, \Phi, \Psi)$, see Example 4.2, with embeddings $i_{S_1}$ and $i_{S_2}$. It is not difficult to see that $S_1 + S_2$ is a Standard Borel space provided $S_1$ and $S_2$ are, that $\overline{S_1 + S_2} = \overline{S_1} + \overline{S_2}$, and, because $N_1 \xrightarrow{\;i_{S_1}\;} N_1 \oplus N_2 \xleftarrow{\;i_{S_2}\;} N_2$ are morphisms,
$$\begin{aligned}
N_1, s \models \varphi &\Leftrightarrow N_1 \oplus N_2, i_{S_1}(s) \models \varphi \\
N_2, s \models \varphi &\Leftrightarrow N_1 \oplus N_2, i_{S_2}(s) \models \varphi
\end{aligned}$$
for all $M(U,P)$-formulas $\varphi$. We finally obtain for generalized models

Proposition 6.7
Let $N_1$ and $N_2$ be generalized models with Standard Borel state spaces, and assume that both $U$ and $P$ are countable. These statements are equivalent.
a. $N_1$ and $N_2$ are logically equivalent.
b. $N_1$ and $N_2$ are behaviorally equivalent.
c. $N_1$ and $N_2$ are bisimilar.

Proof
0. Because Standard Borel spaces are based on Polish spaces, which in turn have a countable base for their topology, the g-models under consideration are countably based.

1. a ⇒ c: Assume that $N_1$ and $N_2$ are logically equivalent. Let $K_1$ and $K_2$ be the underlying Kripke models with state spaces $S_1$ and $S_2$ and valuations $V_1$ resp. $V_2$. We claim that $K_1$ and $K_2$ are HM-equivalent. Given $s \in S_1$ there exists $s' \in S_2$ with $Th_{M(U,P)}(N_1, s) = Th_{M(U,P)}(N_2, s')$, so that $N_1, s \models \varphi \Leftrightarrow N_2, s' \models \varphi$ holds for all $M(U,P)$-formulas $\varphi$, thus
$$N_1 \oplus N_2, i_{S_1}(s) \models \varphi \Leftrightarrow N_1 \oplus N_2, i_{S_2}(s') \models \varphi.$$
This holds in particular for all formulas of the syntactic shape given in part a. of Corollary 6.6, from which we infer that
$$K_1 \oplus K_2, i_{S_1}(s) \models \psi \Leftrightarrow K_1 \oplus K_2, i_{S_2}(s') \models \psi$$
holds for all $L(U,P)$-formulas $\psi$; thus $K_1, s \models \psi \Leftrightarrow K_2, s' \models \psi$ is inferred for all $L(U,P)$-formulas $\psi$. Hence $K_1$ and $K_2$ are HM-equivalent by Proposition 6.2, so that $N_1$ and $N_2$ are bisimilar by Corollary 5.10. ⊣

We investigate propositional dynamic logic (PDL) with a view towards a coalgebraic interpretation. This logic is technically a bit more challenging than the usual modal logics because its modalities do not always correspond to the interpreting relations in a Kripke model. Hence these relations have to be provided, which is straightforward for non-deterministic Kripke models, but turns out to be somewhat involved in the case of their stochastic counterpart. This is so since there are no natural counterparts to the program constructs in the set of stochastic relations. We observe also that interpreting PDL makes some informal assumptions on the programs' semantics like associativity over the basic operations or some sort of distributivity of program composition and the nondeterministic choice.

In order to prepare the ground for a coalgebraic interpretation we have a closer look at the programs; they are perceived as elements of a term algebra, the primitive terms being taken from a set of primitive programs.
The informal semantics is translated into a set of rewrite rules and equations; it turns out that we have to adjust the term algebra a bit when looking at the indefinite iteration of a program. Each program is shown to correspond to an irreducible one, unique up to the congruence made up from the rewriting rules and the equations. This irreducible program can easily be interpreted in a coalgebra, because we have eliminated the crucial indefinite iteration and replaced it by an operation which is easier to handle (but there is no free lunch: we pay the price for this by an operation of infinite arity).

We specialize the coalgebraic discussion for most of the paper to coalgebras related to the subprobability functor. They are discussed and brought into the interpretation. This is followed by the investigation of the expressivity of the corresponding models. Due to some measure-theoretic observations we have to discuss these questions with a distinct look for the details, i.e., for the particulars of the underlying state spaces. It turns out to be helpful to complete a model and to study the interplay of completion and expressivity.

Further work will include applying the present approach to game logics as proposed by Parikh [16], see also [17]. A first step towards a coalgebraic interpretation can be found in [8], where in particular the notion of bisimilarity from [16, 17] has been related to the one studied in coalgebras [18].

While the present approach deals mainly with stochastic relations and the corresponding predicate liftings, the use of term rewriting can certainly be applied for defining the coalgebraic semantics of dynamic logics for other functors.
Acknowledgements.
The author wants to gratefully acknowledge discussions with Chunlai Zhou, Christoph Schubert, Shashi Srivastava and H. Sabadhikari.
References

[1] P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Number 53 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, UK, 2001.
[2] T. J. Bromwich. An Introduction to the Theory of Infinite Series. MacMillan and Co., 1908.
[3] N. Dershowitz and J.-P. Jouannaud. Rewrite systems. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics, chapter 6, pages 243–320. Elsevier, Amsterdam, 1990.
[4] J. Desharnais, A. Edalat, and P. Panangaden. Bisimulation of labelled Markov processes. Information and Computation, 179(2):163–193, 2002.
[5] E.-E. Doberkat. Kleisli morphisms and randomized congruences for the Giry monad. J. Pure Appl. Alg., 211:638–664, 2007.
[6] E.-E. Doberkat. Stochastic Relations. Foundations for Markov Transition Systems. Chapman & Hall/CRC Press, Boca Raton, New York, 2007.
[7] E.-E. Doberkat. Stochastic Coalgebraic Logic. EATCS Monographs in Theoretical Computer Science. Springer-Verlag, 2009.
[8] E.-E. Doberkat. A note on the coalgebraic interpretation of game logic. Rendiconti Ist. di Mat. Univ. di Trieste, 42:191–204, 2010.
[9] E.-E. Doberkat. A stochastic interpretation of propositional dynamic logic: Expressivity. J. Symb. Logic (in print), 2012.
[10] E.-E. Doberkat and Ch. Schubert. Coalgebraic logic over general measurable spaces - a survey. Math. Struct. Comp. Science, 21:175–234, 2011. Special issue on coalgebraic logic.
[11] A. Edalat. Semi-pullbacks and bisimulation in categories of Markov processes. Math. Struct. Comp. Science, 9(5):523–543, 1999.
[12] M. Giry. A categorical approach to probability theory. In Categorical Aspects of Topology and Analysis, number 915 in Lect. Notes Math., pages 68–85, Berlin, 1981. Springer-Verlag.
[13] K. Kuratowski and A. Mostowski. Set Theory, volume 86 of Studies in Logic and the Foundations of Mathematics. North-Holland and PWN, Polish Scientific Publishers, Amsterdam and Warszawa, 1976.
[14] K. G. Larsen and A. Skou. Bisimulation through probabilistic testing. Information and Computation, 94:1–28, 1991.
[15] E. Moggi. Notions of computation and monads. Information and Computation, 93:55–92, 1991.
[16] R. Parikh. The logic of games and its applications. In M. Karpinski and J. van Leeuwen, editors, Topics in the Theory of Computation, volume 24, pages 111–140. Elsevier, 1985.
[17] M. Pauly and R. Parikh. Game logic — an overview. Studia Logica, 75:165–182, 2003.
[18] J. J. M. M. Rutten. Universal coalgebra: a theory of systems. Theor. Comp. Sci., 249(1):3–80, 2000. Special issue on modern algebra and its applications.
[19] Ch. Schubert. Coalgebraic logic over measurable spaces: behavioral and logical equivalence. In Y. Chen, E.-E. Doberkat, and A. Jung, editors, Proc. 5th Int. Symp. Domain Theory, Shanghai, ENTCS, pages 57–69, Sept. 2009.
[20] S. M. Srivastava. A Course on Borel Sets. Graduate Texts in Mathematics. Springer-Verlag, Berlin, 1998.
[21] P. Sánchez Terraf. Unprovability of the logical characterization of bisimulation.