Knowledge, views and model checking

R. Ramanujam
The Institute of Mathematical Sciences, C.I.T. campus, Chennai 600 113, India.

Abstract

Any reasoning agent in a system has a model of the system which represents the partial view available to that agent. We suggest the following notion of knowledge: agent i knows that holds if and only if is true in the sub-model visible to i. This corresponds to considering knowledge as an agent's ability to answer questions about the subject, and to provide evidence on which the knowledge is based. Simply stated, on facing a query, the agent runs a model checking algorithm on MV and , where MV is the agent's view-based model of the system (or evidence available to that agent). We argue that this is one way of getting around the logical omniscience problem, at least when the reasoners are components of distributed computing systems. We also prove a completeness theorem for the logic.
1 Motivation

1.1 Basic logic of knowledge

The notion of knowledge has attracted philosophers for centuries. During the last decade, computation theorists have studied this notion extensively with a view to ascribing knowledge to reasoning agents, particularly in the context of distributed systems, artificial intelligence and mathematical economics. The book [FHMV95] provides an excellent summary of dominant themes in this line of research. Following Hintikka's logical treatment, knowledge is studied as a modality in (typically) a propositional modal logic, with the semantics of formulas given in Kripke frames where the accessibility relation is an equivalence. Formally, we have a countable set of propositions $P = \{p_0, p_1, \ldots\}$ and the syntax of formulas is given by:
::= p 2 P j : j _ j K
The frames are Kripke structures F = (W; ), where W is a set of possible worlds, and is an equivalence relation called the indistinguishability relation for the reasoning agent. Models are frames with valuations: M = (F; V ), where F = (W; ) and V : W ! 2P . The semantics of formulas is then given by:
M; w j= p i p 2 V (w). M; w j= : i M; w 6j= . M; w j= _ i (M; w j= or M; w j= ). M; w j= K i 8w0 w, M; w0 j= .
The properties of this knowledge modality are given by the modal system S5. For completeness, we present the axiom system below:
The Hintikka axiom system for knowledge

(H 0) All the substitutional instances of the tautologies of PC
(H 1) K( ) (K K )
(H 2) K
(H 3) K KK
(H 4) :K K:K

(MP ) ; (KG) K

These axioms are debatable, and have been debated at length. In a technical sense, these properties are consequences of defining knowledge in terms of indistinguishability relations. Is there any way of retaining the intuitive simplicity of this equivalence based notion of knowledge, and yet look for more reasonable properties?
1.2 Ascribed knowledge

An assertion K in this logic can be read as: `the reasoning agent knows that the formula holds'. What kind of knowledge is referred to here? There are (at least) two ways of interpreting this statement:

- The agent possesses this knowledge in some actual sense; for instance, the agent can provide evidence in support of the assertion , or can answer some queries `about' .
- This is knowledge ascribed to the agent by an observer outside the system. The observer considers all the information available to the agent at the world state w and concludes that is logically implied by such information, and therefore, can use the system as if the agent knew .
Clearly, the indistinguishability relation in the frames captures the notion of information in the latter sense (by describing the agent's information partitions of the set of states), and thus the latter interpretation is more immediate. Limited as it may seem, this reading is still immensely useful, as we can meaningfully ascribe knowledge to thermostats, computer programs and other such entities in this manner ("the thermostat knows that the room is too warm, so it switches on the air conditioner", "the program knows that the shared resource which is in use will be released within t units, so it decides to wait until then", and so on). Such knowledge assertions can be useful in system verification.
1.3 Limited visibility

This reading is not useful in situations where an agent in a system needs to compute its knowledge on the basis of evidence available to it. There is a way in which explicit knowledge differs from implicit knowledge, one which is especially important in the context of distributed computing. A reasoner operating in an environment has only a limited view of the world, and her explicit knowledge is determined by the visibility of world states to her, whereas ascribed implicit knowledge of the agent depends on her behaviour in all possible worlds. In terms of the indistinguishability relation above, computing in itself may necessitate some effort. We can conceive of a situation where s s s , but at state s only s and s are visible to the agent and not s . That is, an observer who has access to complete information about all the world states may declare that the agent would behave in the same way in all these three states, but the agent itself may require computation to realise this. If the agent makes the effort and computes the world state s , it may also realise that s is in the same equivalence class as s .

Visibility can also be seen as a manifestation of resource boundedness: a resource limited agent might need to reuse its resources, and thus computation rendering a state visible may entail losing information about other visible states, thus making some states invisible. In the example above, it may be the case that s is visible from s , but not s : as the agent computes the state s , it might `forget' the information about s . Thus, even among states within the same externally ascribed indistinguishability class, some may be `farther' and some `nearer' in terms of visibility to an agent.

In the context of distributed systems, this happens routinely. A component of a system behaves in the same manner in all global system states in which its local state is the same. Hence all these states would be in the same equivalence class for that agent. However, this component would typically communicate only with immediate neighbours in the network, and may not even be aware of the existence of many other `distant' components in the network. In this case, for the agent to compute its knowledge, the first task of computing these indistinguishable system states is well beyond its capabilities. Moreover, at different system states, the agent may have different views, and this is also dependent on the computational resources available to the agent. For instance, a computational agent with bounded memory would forget events in the distant past. Even in static situations, computation may result in learning thereby enlarging visibility. This aspect of the distinction between ascribed and computed knowledge of view-limited reasoners seems to have been relatively less studied in the literature.
1.4 Algorithmic knowledge

In this context, we should mention the way implicit and explicit knowledge has been distinguished extensively in the literature. In the logic defined above, a reasoner knows every logical consequence of any fact she knows; further she knows all the valid formulas. Human reasoners simply do not exhibit such logical omniscience, and hence the logic above does not reflect reasoning about human knowledge. On the other hand, if we consider the reasoner above to be a computing agent, we come up with the problem of resource boundedness. The agent has only limited computational resources at its disposal, and exploring all the logical consequences of an assumption is expensive business. In particular, the validity problem for the propositional calculus is already co-NP-complete, and for the reasoner to know all tautologies requires, at the least, a co-NP machine. See [FHMV 95] for a detailed treatment of this issue. Clearly explicit knowledge should be resource bounded.

The papers of Rohit Parikh ([Pa 87a], [Pa 87b], [Pa 90] and [Pa 94]) provide all manners of criticism which include the two observations above and much more. For instance, he discusses the distinction between knowledge and information; the distinction between knowledge of a proposition and knowledge of the sentence denoting the proposition, and so on. In some sense, all these can be seen as further refinements of the distinction between knowledge explicitly available to an agent and implicit knowledge ascribed to the agent.

An algorithm-based notion of knowledge has been proposed in [FHMV 95] (Chapter 10) and [Pa 87a] to capture explicit knowledge. This works as follows: at any state s, when asked whether a formula holds, the reasoner evokes an algorithm available at s. If the algorithm returns `Yes', we say that the reasoner explicitly (or algorithmically) knows . Depending on whether the algorithm gives only `Yes/No' outputs or whether it also has the possibility of a `?' output meaning `I cannot find out within the resources available to me', we get the notions studied in [FHMV 95] or [Pa 87a], respectively. [FHMV 95] restricts the algorithm to be local, in the sense that when s s', the algorithm invoked by the reasoner at s is the same as at s'.

The algorithm-based formulation of explicit knowledge is interesting particularly because it avoids many of the philosophical pitfalls which cause criticism. In particular, we can see the invoked algorithm as a model checking algorithm. The idea of model checking is this: every reasoner in a system has an imperfect understanding of the entire system, but has a model (or approximation) of it as MV . At any world w, when the reasoner is presented the query do you know whether holds ?, she checks whether MV ; w j= and says Yes if it does, and No otherwise. If the model checking problem is decidable, and the complexity of the decision procedure is within the resource bounds of the reasoner, there is never any occasion to say I do not know; otherwise, the logic is (at least) three-valued.

Notice that the algorithm is run on MV and not on M . This has several implications: firstly, this means that the notion we have is claimed knowledge, rather than ascribed knowledge. Secondly, the approximation MV may vary from state to state and hence formulas claimed as known also vary. Thirdly, this means that when is valid, the reasoner knows to be true but does not know that it is valid. This is because , being a valid formula, happens also to be true in all the states being checked by the algorithm, and thus is explicitly known, but then so are many other non-valid formulas which simply happen to be true in the checked model. The framework facilitates the study of knowledge based on probabilistic algorithms ([KNP 90]) and action based on knowledge ([HF 89], [R96a]).

The notion of algorithmic knowledge is very general, but unless we place restrictions on the class of algorithms available, the notion does not have interesting properties. For instance, if the system moves from a state s to state s', how should the algorithms available at the two states be related? Further, the invocation of an algorithm is an extra-logical notion and as it is, we have no way of studying algorithmic knowledge logically. The idea of using model checking algorithms as providing view limited knowledge offers a way for such a logical study.
1.5 This paper

In [R96b], we approach the problem by asking: if knowledge amounts to model checking, which model is to be checked? We hypothesize that due to limited visibility, the agent can see only a substructure of the given model, and hence checks for truth in that substructure. Thus an agent claims that holds at a state if holds in the substructure visible to the agent at that state. We can then say that the agent claims to know if holds at all the indistinguishable states in the visible substructure. This gives a framework in which a form of algorithmic knowledge is studied logically. Thus we have three basic notions: truth of a proposition, ascribed knowledge of propositions (determined by indistinguishability relations) and claimed knowledge (determined by views). The third notion corresponds to a knowledge base being maintained by the agent, so that when the agent's view changes, we can think of its knowledge base changing as well.

[R98] presents such a logical framework, and the satisfiability and model checking problems for the proposed logic are shown to be elementarily decidable. Here we study the problem of complete axiomatization for the valid formulas of the logic. The axiom system itself is simple, but the structure of models forced by formulas turns out to be interesting.
2 The logic

We now present the basic logic of view-based knowledge, and the presentation closely follows the one in [R98]. This is simply the usual logic of knowledge augmented with a new modality: X will denote that the formula holds explicitly (or visibly) for the reasoner. For explicit knowledge, we will use formulas of the form XK. (As [FHMV 95] observe in Chapter 10, this should be seen as a reasoner claiming to know rather than knowing .)
2.1 Syntax

Formally, we have a countable set of propositions $P = \{p_0, p_1, \ldots\}$ as before and the syntax of formulas is given by:

::= p 2 P j : j _ j K j X

The fixed formula $p \lor \lnot p$ is called True. , the set of formulas introduced earlier, is a subset of and formulas in are referred to as X-free formulas. The other logical connectives are defined as usual. The dual of K, namely $\lnot K \lnot$, is denoted L, and the dual of X, namely $\lnot X \lnot$, is denoted Y.
2.2 Semantics

The frames are Kripke equivalence structures augmented with view functions.

Definition 2.1 A view frame is a tuple F = (W; ; ), where W is a set of worlds, W W is an equivalence on W , and : W ! 2W is the view function. A model is a tuple M = (F; V ), where F = (W; ; ) is a frame, and V : W ! 2P is the valuation. We denote the equivalence class of w under by [w]. When w0 2 (w), we say that w0 is visible from w. Note that there is no assumption that every world state is visible to the reasoner at that state. (Indeed, we might well have (w) = ; for some w). The standard Kripke frames for knowledge can now be seen as view frames with constant universal view function: 8w; (w) = W . When we have w w0 and w0 62 (w), we may wish to interpret this as w and w0 being logically indistinguishable, but computationally distinguishable. (This happens in situations where discovering that w and w0 constitute the same evidence requires computation).
Definition 2.2 Given a view frame F = (W; ; ) and W 0 W , the restriction of F to W 0 is given by: F dW 0 = (W 0 ; 0 ; 0 ), where 0 = \(W 0 W 0 ) and for all w 2 W 0, 0(w) = (w) \ W 0. For a model M = (F; V ), we define M dW 0 = (F dW 0; V 0), where for w 2 W 0 , V 0 (w) = V (w).
The intended meaning of X at w should be clear now: it simply asserts that holds in the substructure induced by (w) at w. We assume that all other connectives have the same meanings as before.
M; w j= X i w 2 (w) and M d (w); w j=
As usual, we say is satisfiable if there exists a view model M = ((W; ; ); V ) such that for some w 2 W , we have M; w j= . In addition, we say is explicitly satisfiable if there exists a model M = ((W; ; ); V ) such that for some w 2 W , we have W = (w) and M; w j= . A formula is (explicitly) valid if and only if its negation is not (explicitly) satisfiable. Note that is explicitly satisfiable iff X is satisfiable, and is explicitly valid iff Y is valid.

The first thing to note is that the modality does not collapse, in the sense that there are formulas such that X is not valid. To see this, consider the view frame given by: W = fw ; w g, = W W and (wj ) = fwj g for j 2 f1; 2g. Let M be a model on this frame with the valuation: V (w ) = ; and V (w ) = fpg. Clearly, we see that M; w j= (Lp ^ :XLp), and that M; w j= (:Kp ^ XKp).

Secondly, consider the dual modality: Y is a weaker assertion: at w it only means that if w 2 (w) then M d (w); w j= , and hence can be true vacuously. However, we can check that the implication X Y is valid.

Thirdly, though X is not valid, X is explicitly valid, as we would expect. Further, the equivalences XX X XY and YX Y YY are valid. Thus we have a modality which is not like a traditional S5 modality and somewhat stronger than a usual belief modality. To see this, note that K and :K K:K are valid formulas, but X and :X X:X are not. But X:X X: is valid, but usually B:B B: is not held to be valid in any logic of belief, since an agent may not believe that holds and be aware of such a belief, but may yet not believe that the denial of holds either.

In any case, like the K and L modalities, the X and Y modalities also collapse at the second level. We get nontrivial second level modalities only by looking at alternations of the knowledge and explicitness modalities like XK, XL etc. Indeed, a formula like XLXLXKp may not in general be collapsible to any smaller formula. Therefore, we will be interested in the modal alternation depth of a formula, defined below.
Definition 2.3 The modal alternation depth of a formula , denoted () is defined as follows:

(p) = 0 for p 2 P .
(:) = ().
( _ ) = maxf(); ( )g.
(K) = ().
(X) is defined inductively:
- (Xp) = 0 for p 2 P .
- (X: ) = (X ).
- (X( _ )) = maxf(X ); (X )g.
- (XK ) = ( ) + 1.
- (XX ) = (X ).

Note that for any , () (X) () + 1.
2.3 Forcing distinct substructures

In modal logic, frames are defined as pairs (W; R) and the size of a finite frame is given by $|W| = m$. The size of R is at most $m^2$, hence this is reasonable. However, even when presented with a finite view frame of size m (in this sense), the view function may lead us to looking at $m^m$ substructures, so the size of the frame should really be this very large quantity. But this may not be a limitation in general: the more relevant question is: how many distinct substructures may be forced by a formula? This is of particular importance in determining the complexity of model checking, where we are given a view model M , an element w in M and a formula , and asked whether M; w j= .

Consider a structure W = fw ; w ; : : :g, where for all j , (wj ) = fwj ; wj g and some model M based on it. Then for any modal formula , the truth of at wj (j > 0) in the structure M d (wj ) is in general independent of the truth of the same formula at the same state in the structure M d (wj? ). Thus, for any formula and worlds w ; w such that w 2 (w ), we need to see whether M d (w ); w j= holds. But there is still worse to come: when this formula is of the form X , this requires us to look at the substructure obtained by restricting to ( (w ) \ (w )) which need not be of the form (w) for any w 2 W . Therefore, in the worst case, we should be prepared to look at M dS; w j= for arbitrary nonempty subsets S of W (such that w 2 S ).

Can we find formulas that force us to look at substructures in the manner described above? For instance, consider the frame F = (W; ; ), where W = fw ; w ; w ; w g, = W W , and is given by: (w ) = fw ; w ; w g, (w ) = fw ; w ; w g, (w ) = fw ; w ; w g and (w ) = fw g. Consider the valuation V (w ) = fpg, and for all w 6= w , V (w) = ;. Let = XLXLXKp. It can be checked that M; w j= , and for any proper suffix of , for all w 2 W , M; w 6j= . Evaluating this formula at w requires evaluation of suffixes LXLXKp at M = M d (w ), LXKp at M j = M d (wj ); j 2 f2; 3g and XKp at M = M d (w ), respectively.

Thus it seems clear that we may need to look at substructures to some `depth'. Just how far we need to look turns out to depend on the modal alternation depth of the formula in question. Motivated by such considerations, we define the following way of organizing the substructures of a given view frame.
Definition 2.4 Let F = (W; ; ) be a frame. A view tree on F is a labelled tree F = (; !; ), where is the set of tree nodes with the distinguished element as the root, ! ( W ) is the set of edges labelled by elements of W , and : ! 2W labels each node by a subset of W , satisfying the following conditions:
1. (0 ) = W . w 0 w 00 2. If there are tree edges ! and ! , then 0 = 00.
w 0 3. There is a tree edge ! i w 2 (0 ) = (() \ (w)) 6= ().
Note that a node is a leaf node exactly when we have, for all w 2 (), () \ (w) = (), or w 62 (w). When $|W| = n$, and F is of depth d, then it has at most $n^d$ elements.
Proposition 2.5 Let F = (W; ; ) be a frame and let F be a view tree on F , where F = (; !; ). Let M = (F; V ), 2 , S = (), w 2 (S \ (w)) and let X be a formula such that (X) = (). Then M dS; w j= X i M dS; w j= .

Proof: The proof is by induction on . When = p 2 P , the assertion follows from the fact that V dS = V d(S \ (w)). The boolean cases follow from the identities X: (XTrue ^ :X ) and X( _ ) (X _ X ). cannot be of the form K since (XK ) 6= ( ). If is of the form X , the assertion follows from the validity of the identity XX = X . □
View trees and modal alternation depth of formulas play a crucial role in decision procedures for the logic. The following theorems are from [R98].
Theorem 2.6 Given a finite model M = (F; V ) where F = (W; ; ), $|W| = n$, a world w 2 W , and a formula of length m, checking whether M; w j= holds can be done in time $O(m \cdot n^d)$, where d = ().

Theorem 2.7 The satisfiability of a formula can be decided in nondeterministic time $2^{O(m \cdot d^2)}$, where m is the length of and d = ().
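The two-world example of Section 2.2 and the nested restrictions of Section 2.3, as an added example that is not part of the original paper: a naive recursive model checker for the K and X modalities (not the procedure of [R98]). The world names, the assignment V(w1) = ∅ and V(w2) = {p} (the subscripts are lost in this copy of the text), and the three-world chain model are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Formulas are nested tuples; L and Y are the duals defined in Section 2.1.
def P(name): return ("p", name)
def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def And(f, g): return Not(Or(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def K(f): return ("K", f)
def X(f): return ("X", f)
def L(f): return Not(K(Not(f)))
def Y(f): return Not(X(Not(f)))


@dataclass
class ViewModel:
    worlds: frozenset  # W
    cls: dict          # world -> label of its indistinguishability class
    view: dict         # world -> frozenset of worlds visible from it
    val: dict          # world -> frozenset of propositions true there


def holds(m, S, w, f, visited):
    """Truth of f at w in the restriction of m to the world set S (w in S)."""
    visited.add(S)
    op = f[0]
    if op == "p":
        return f[1] in m.val[w]
    if op == "not":
        return not holds(m, S, w, f[1], visited)
    if op == "or":
        return holds(m, S, w, f[1], visited) or holds(m, S, w, f[2], visited)
    if op == "K":
        # Only indistinguishable worlds that survive the restriction count.
        return all(holds(m, S, u, f[1], visited)
                   for u in sorted(S) if m.cls[u] == m.cls[w])
    if op == "X":
        # w must see itself; then evaluate in the sub-model it sees within S.
        return w in m.view[w] and holds(m, S & m.view[w], w, f[1], visited)
    raise ValueError(f"unknown operator {op!r}")


def check(m, w, f):
    """Return (truth value, set of distinct substructures evaluated)."""
    visited = set()
    return holds(m, m.worlds, w, f, visited), visited


def valid_on(m, f):
    """True when f holds at every world of this one model."""
    return all(check(m, w, f)[0] for w in m.worlds)


def two_world_model():
    # Assumed reading of the Section 2.2 example: each world sees only itself.
    return ViewModel(
        worlds=frozenset({"w1", "w2"}),
        cls={"w1": 0, "w2": 0},
        view={"w1": frozenset({"w1"}), "w2": frozenset({"w2"})},
        val={"w1": frozenset(), "w2": frozenset({"p"})},
    )


def chain_model():
    # Constructed model: evaluating at "a" reaches view(a) & view(b) = {b},
    # a substructure that is not the view of any single world.
    return ViewModel(
        worlds=frozenset("abc"),
        cls={"a": 0, "b": 0, "c": 0},
        view={"a": frozenset("ab"), "b": frozenset("bc"), "c": frozenset("c")},
        val={"a": frozenset(), "b": frozenset({"q"}), "c": frozenset()},
    )


if __name__ == "__main__":
    m, p = two_world_model(), P("p")
    print(check(m, "w1", And(L(p), Not(X(L(p)))))[0])
    print(check(m, "w2", And(Not(K(p)), X(K(p))))[0])
    truth, visited = check(chain_model(), "a", X(L(X(K(P("q"))))))
    print(truth, sorted(sorted(s) for s in visited))
```

In the chain model the claim XKq is false at b in the full model yet true at b inside a's view, which is why the checker has to carry the current substructure S through every recursive call.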
3 Axiom system

We now present an axiomatization of the valid formulas of the logic. We present it in two layers, one for explicitly valid formulas, in which the agent is supposed to be reasoning, and one for generally valid ones, in which we ascribe knowledge to the agent. We use the notation $\vdash_X$ to denote formulas proved as theorems in the system for explicit validity and $\vdash$ for the theorems of the system for general validity. However, we will have rules for `transferring' theorems from one system to the other, so we are always, in effect, speaking of the combined system.
Ax, The axiom system for valid formulas

(A0) All the substitutional instances of the tautologies of PC
(A1) K( ) (K K )
(A2) Y( ) (Y Y )
(A3) K
(A4) K KK
(A5) :K K:K
(A6) Y ((Y) = ())
(A7) XL L ( boolean)
(A8) X Y

Inference rules

(MP ) ; (KG) (XG) $\vdash_X$ K Y

AxX , The axiom system for explicitly valid formulas

(B 0) X

Inference rules

(MPX ) ; (IE ) $\vdash$

A derivation of the combined system is a finite sequence of formulas where each line is of the form:

$\vdash$ where is an axiom of Ax or follows from formulas earlier in the sequence by an application of a rule of Ax, or
$\vdash_X$ where is an axiom of AxX or follows from formulas earlier in the sequence by an application of a rule of AxX .

A thesis or theorem of the combined system is a formula that occurs as the last line of a derivation. When it is of the form $\vdash$ ($\vdash_X$ ), we refer to it as a theorem of Ax (AxX ).

The axiom schemes carry no surprises: schemes (A1) and (A2) are deductive closure axioms for the two modalities. Schemes (A3) through (A5) are the usual properties of the K operator. (A6) asserts Proposition 2.5, whereas (A7) asserts that the visible structure is indeed a substructure. (A8) says that the visible substructure is unique. (B0) is the only crucial difference between the two systems, as it is not valid, but explicitly valid. Note that every theorem of Ax is also a theorem of AxX . This allows us, for instance, to derive tautologies as theorems of AxX due to rule (IE), and `X-versions' of tautologies thanks to rule (XG).

It can be checked that the following are theses and derived rules of the combined system. The derivations are easy and hence omitted.

(T 1) $\vdash$ K( ^ ) (K ^ K )
(T 2) $\vdash$ L( _ ) (L _ L )
(T 3) $\vdash$ (K ^ L ) L( ^ )
(T 4) $\vdash$ (Y ^ X ) X( ^ )
(T 5) $\vdash$ X XX
(T 6) $\vdash$ X XY
(T 7) $\vdash$ Y YX
(T 8) $\vdash$ Y YY
(T 9) $\vdash_X$ K
(T 10) $\vdash$ (X ^ X ) X( ^ )
(T 11) $\vdash$ (XL)k L ( boolean; k > 0)
(KGX ) $\vdash_X$ $\vdash_X$ K

As usual, we say a formula is consistent if its negation is not a thesis of the combined system. Specifically, if $\nvdash \lnot$ , we call Ax-consistent, and if $\nvdash_X \lnot$ , we call AxX -consistent. Clearly, every AxX -consistent formula is Ax-consistent due to rule (IE), and whenever X is Ax-consistent, is AxX -consistent, thanks to rule (XG). A finite set of formulas A is consistent iff the conjunction of all formulas in it (denoted $\hat{A}$) is consistent. We assume that $\hat{\emptyset}$ = False by convention. A set of formulas ? is consistent iff every finite subset of ? is consistent. We will be interested in sets of Ax-consistent formulas as well as sets of AxX -consistent formulas. Since every set of the latter type is also one of the former type, when we simply speak of consistent sets, we mean Ax-consistent sets.

A set A is said to be Maximal Consistent, if whenever there is a formula such that A [ fg is consistent, then 2 A. We will use A; B; : : : to refer to maximal Ax-consistent sets (abbreviated MCS's) and use M; N; : : : to refer to maximal AxX consistent sets (abbreviated X-MCS's).
Theorem 3.1 The combined system provides a sound and complete axiomatization of valid formulas.
Soundness is proved easily. To prove completeness of the system, we show that every Ax-consistent formula is satisfiable. The rest of the section is devoted to this proof. (Strictly, we should simultaneously show that every AxX -consistent formula is explicitly satisfiable as well; but such a proof is easy to carry out on the same lines, and writing it explicitly only makes the presentation tedious, so we omit it.)

Fix a consistent formula . Let A denote the set of all MCS's and let M denote the set of X-MCS's. Clearly, there exists A 2 A such that 2 A . We will take the following properties of MCSs for granted in the sequel: (note that every X-MCS will then have the same properties as well.) For any MCS A,

: 2 A iff 62 A.
_ 2 A iff 2 A or 2 A.
Let 2 A. If $\vdash$ , or if A is an X-MCS and $\vdash_X$ , then 2 A;

Definition 3.2 Let A; B be MCS's and M an X-MCS. The binary relations and are defined as follows:
A B iff for every formula , K 2 A iff K 2 B .
M A iff for every formula , if 2 M then X 2 A.

A consequence of the definition is that A B iff for every formula , L 2 A iff L 2 B . Because of axiom (A3), we have, in addition, that whenever 2 A and A B , L 2 B .
Proposition 3.3 is an equivalence relation on MCS's. is reflexive on X-MCSs.

This proposition is proved by appealing to axioms (A3) through (A5) and axiom (B1). The proposition below is also proved easily: the first statement follows from (T1) and (T3), while the second follows from (T10) and rule (XG). The third statement is a consequence of (T11).
Proposition 3.4 Let A be an MCS. 1. If L 2 A then there exists an MCS B A such that 2 B .
2. If X 2 A then there exists an X-MCS M A such that 2 M .
3. Let k 0, A1 ; : : : ; Ak+1 be MCS's, M1 ; : : : ; Mk be X-MCS's and a boolean formula. If 2 A1 M1 A2 : : : Ak Mk Ak+1 , then there exists an MCS B such that Ak+1 B and 2 B .
MCS's are used in modal logic as logical representations of possible worlds: a report of all the formulas satisfied by a world w. In this logic, the situation is more tricky: at each node of a view tree we have one set of possible worlds. As remarked earlier, the formulas satisfied by a world w in one substructure S may be very different from those satisfied by w in another substructure S 0, and these would correspond to distinct MCS's. Thus an MCS cannot in itself be thought as a world in the model constructed, and hence it is difficult to construct canonical models of this kind.

We follow a constructive approach below. For a consistent formula, we build a countable model. The construction proceeds in stages, each stage consisting of building a finite part of the view tree required eventually. We can think of it as a sort of depth-first construction: we pick a world w, decide the worlds visible from w, and first attempt to build the substructure (w). These requirements are suggested by the syntactic structure of , the consistent formula for which we are building a model. Formally, we need the following notion.
Definition 3.5 The subformula closure of a formula , denoted SF () is defined in the usual manner: SF 0 () is the least set containing and satisfying the following conditions: if Op 2 SF 0() then 2 SF 0 (), where Op 2 f:; K; Xg; if 1 _ 2 2 SF 0() then f 1 ; 2 g SF 0(); XTrue 2 SF 0(). We then define SF () = SF 0() [ f: j 2 SF 0()g.
From now on, when we say SF , we mean SF ( ), the set of subformulas of , the given consistent formula. Note that SF is finite, and its size is linear in the length of . When we consider models, we will restrict ourselves to valuations V : W ! 2P \SF .
Definition 3.6 Let M = (F; V ) be a model, where F = (W; ; ) is a frame, and let F = (; !; ) be a view tree on F . A partial report on M for 0 is a map T : ( W ) ! A, defined for all pairs (; w) such that w 2 (), satisfying the following conditions:
1. For every 2 and w 2 (), the following conditions hold:
(a) T (; w) \ (P \ SF ) = V (w).
(b) XTrue 2 T (; w) i w 2 (w).
(c) For every w0 2 () \ [w], T (; w) T (; w0 ).
w 0 (d) If ! , then T (0 ; w) T (; w).
2. There exists w0 2 W such that 0 2 T (0 ; w0 ).

T is said to have a level d requirement at w in F iff there exists 2 such that (() = W or () (w)), w0 2 () and L 2 T (; w0) \ SF such that (L) = d (0) ? depth() and for all w00 2 () \ [w0], 62 T (; w00). T is said to have a requirement at w 2 W if there exists d (0) such that T has a level d requirement w in F . T is said to be a full report on M iff it has no requirements.
The following property of full reports is crucial, and says that they force a `maximal' structure on view trees.
Proposition 3.7 Let T be a full report on model M = (W; ; ; V ) and let = (; !; ) be the associated view tree. Let 2 , w 2 () and 2 T (; w) \ SF , () (( ) ? depth()).
1. If is of the form L , then there exists w0 2 () \ [w] such that 2 T (; w0). 2. If is of the form X , then either () \ (w) = () and 2 T (; w), or w 0 there exists an edge ! in with 2 T (0; w).
We omit the detailed proof of this proposition: the first assertion is a consequence of the definition of requirements and the second is proved by an easy induction on (X), using (T11). The motivation for defining full reports should be clear. As the following lemma shows, building a model satisfying amounts to constructing a full report for . (In what follows, when w 2 () = S , we will often write T (S; w) for T (; w) by abuse of notation, when the context is clear.)
Lemma 3.8 Let M = (F; V ) be a model, where F = (W; ; ) is a frame, let F = (; !; ) be a view tree on F , and let T : ( W ) ! A be a full report on M . Then for every formula 2 SF and for every such that () (( ) ? depth()), and for all w 2 S = (),
2 T (; w) i M dS; w j=
Proof: The proof is by induction on the structure of . When = p 2 P , p 2 T (; w) i p 2 V (w) i M; w j= p i M dS; w j= p since V (w) = (V dS )(w), for w 2 S . The cases when is boolean are routine.

Now suppose that K 2 T (; w). To show that M dS; w j= K, consider w0 2 (S \ [w]); it suffices to show that M dS; w0 j= , which would follow by the induction hypothesis if 2 T (; w0). But T (; w) T (; w0); hence K 2 T (; w0) and by axiom (A3), 2 T (; w0), as required. Conversely, if M dS; w j= K and K 62 T (; w), we have L: 2 T (; w) \ SF . By Proposition 3.7, there exists w0 2 (() \ [w]) such that : 2 T (; w0). Hence 62 T (; w0). By induction hypothesis, M dS; w0 6j= , contradicting the fact that M dS; w j= K, and we are done.

When we consider formulas of the form X, we have two cases to consider: when (X) = (), axiom (A6) and induction hypothesis give us the result. Otherwise, (X) = () + 1. Now suppose that X 2 T (; w). Hence XTrue 2 T (; w) and hence w 2 (w), by condition (b) on reports.

w 0 We now have two cases: either there exists an edge ! in the tree, or there exists no such edge. In the former case, condition (d) on reports and the induction hypothesis give the result, since () = ( ) ? depth(0 ). In the latter case, we have both that () \ (w) = () = S by definition of a view tree, and that 2 T (; w) by Proposition 3.7. Hence, by induction hypothesis, M d(S \ (w)); w j= , and we are done.

On the other hand, if M dS; w j= X, then M d(S \ (w)); w j= , and we consider the cases when S \ (w) is the same as S or when it is a proper subset of S . In the latter case, we use condition (d), and in the former, Proposition 3.7, along with the induction hypothesis, give us the required assertion. This completes the induction and proves the lemma. □
We now begin the construction of a full report for the given consistent formula . The following property of partial reports follows easily from an inductive argument using (T11): 0
Proposition 3.9 Let T be a partial report on a model M = (W; ; ; V )w, andwlet F = (; !; ) \ be the view tree associated with M . Consider the path ! : : : !k so that () = (w), where Z = fw ; : : : ; wk g. If there exists a boolean formula w2Z such that L 2 T (; w), then for every \ (ww0)2, LZ, 2LT(20; wT )(. ; w), and for every w 2 Z 0 Z and 0 such that (0) = 0
1
1
0
w 2Z 0
0
We will be modifying frames in the sequel, and need to refer to reports on the modified structures, and relate them to the reports on the given structures. For ease of description in such situations, we introduce some notation now. Let T be a partial report on a model M = (F; V ), where F = (W; ; ) is a frame and F = (; !; ) is the view tree associated with it. For w 2 W such that w 2 (w), there is a node w in with (w ) = (w). We use the notation dw to denote the subtree of rooted at w , and similarly dw etc. Let T 0 be a partial report on model M 0 = (F 0; V 0), where F 0 = (W 0; 0 ; 0) and F = (0; !0; 0) is the view tree associated with F 0 such that W W 0 and V 0dW = V . Let w 2 W such that (w) = 0 (w). We say that T 0 extends T at w iff T (W; w) = T 0(W 0; w), and there is a bijection f : dw ! 0dw such that for all 2 dw, () = 0(f ()), and for all w0 2 (), T (; w0) = T 0(f (); w0). The following proposition asserts that we can always "relabel" elements in a frame and retain a partial report in such a way that a designated world w is not visible from any other world in the resulting frame, except possibly from itself. This is useful in the process of fulfilling requirements: once all requirements at a world are fulfilled, applying such a construction ensures that it never generates another requirement later on. 0
Proposition 3.10 Given a partial report T on a finite model M = ((W; ; ); V ), and w 2 W , there exists a partial report T 0 on a model M 0 = ((W 0 ; 0 ; 0 ); V 0 ) such that W W 0, (w) = 0 (w), for all w0 2 (W ? fwg), w 62 (w0 ), V 0 dW = V , and T 0 extends T at w.
Proof: Fix w and suppose there exists w0 such that w 2 (w0 ). Pick x 62 W and set W 0 = W [fxg. Define 0(x) = ; if (w) is empty, and otherwise let 0 (x) = ( (w)? fwg) [fxg. For w00 2 W ?fwg, if w 2 (w00) then define 0 (w00) = ( (w00) ?fwg) [fxg; otherwise set 0 (w00) = (w00). Define 0 = [f(x; x)g [ f(x; w00); (w00; x) j w w00g. We need to define T 0: let F = (0; !0; 0), and 0 2 0. Then there exists 2 such that S = () and either S 0 = 0(0) = S or S 0 = (S ?fwg) [fxg. In either case, for w00 2 W , define T 0(0; w00) = T (; w00), and when w 2 (), T 0(0; x) = T (; w). 0
It can be checked that T 0 is a partial report on M 0 as required.
2
Lemma 3.11 Given a partial report T on a finite model M = ((W; ; ); V ), and w 2 W such that T has some requirements at w, there exists a partial report T 0 on a model M 0 = ((W 0 ; 0 ; 0 ); V 0 ) such that W W 0 , 0 , for all w0 2 (W ? (w)), 0 (w0) = (w) and T 0 extends T at w0, and T 0 has no requirements at w. Proof: Consider w 2 W such that T has a level d requirement at w . If d > 0, fix a node such that depth() = d, w 2 (), L 2 T (; w ) \ SF , () (( ) ? d), and for all w 2 ()u\ [w ],u 62 T (; w). There exists an MCS B T (; w ). has a path from the root ! : : : !d d = , and () = (u ) \ : : : \ (ud ). Set Z = fu ; : : : ; udg. Then w 2 Z . If d = 0, then there is a similar formula L 2 T ( ; w ). Again, there exists an MCS B T ( ; w ). Set Z = ;, and w = w . Pick x 62 W . Define W 0 = W [fxg. Define 0 as follows: For w 2 (W ? Z ), define 0 (w) = (w); for ui 2 Z , 1 i k, define 0 (ui) = (ui) [ fxg; if XTrue 2 B then set 0 (x) = fxg, otherwise set 0 (x) = ;. Define 0= [f(x; x)g [ f(w; x); (x; w) j w w g. Define V 0 (w) = V (w) for w 2 W , and V 0(x) = B \ P \ SF . Let F = (0; !0; 0) be the view tree associated with F 0. Consider w 2 W 0 and a node 0 2 F such that w 2 0(0) = Z 0, say. If w 2 W , then there is a corresponding node in F such that () = Z 0 ? fxg. Define T 0 (0; w) = T (; w). Otherwise, w = x,\and by construction, we have three cases: Z 0 = W , Z 0 = 0 (w); w 2 Z 00 , or 0(w), where Z 00 = (Z [ fxg). Z0 = 1
1
2
0
2
1
0
1
2
2
1
2
0
0
1
2
1
1
2
0
0
w2Z
00
In each of the three cases, we first consider an MCS B 0. Firstly, consider the set ? = V (x) [ f:p j p 2 ((P \ SF ) ? B )g. ?b 2 B and since B A = T (; w ), L?b 2 A. By Proposition 3.9, for every j; uj 2\Z , L?b 2 T ( ; uj ). Moreover, for every in F (w0), Z 0 Z , L?b 2 T (0; w). and w 2 W such that w 2 () = 2
0
w 2Z 0
0
When Z 0 = W , by the argument above, L?b 2 B 0 = T (W; w ). When Z 0 = (w0) for w0 2 Z , again by the argument above, we have L?b 2 B 0 = T ( (w0); w0). In the third case, we have ui 2 Z such that L?b 2 T (Z; ui) = B 0 . Define = fK j K 2 B 0g [ fL j L 2 B 0 g [ f?b ; g, where = XTrue if x 2 0(x), and = True, otherwise. It can be easily checked that is consistent, and hence there exists an MCS D such that D B 0. Define T 0(Z 0 ; x) = D, in all three cases when Z 0 6= fxg. If XTrue 2 D, there exists E D; define T 0(Z 0 \ (x); x) = E , and this defines T 0( (x); x) as well. This completes the construction of T 0 on the model M 0 . This procedure is applied inductively to arrive at a partial report in which there is no requirement at w . 2 0
1
Lemma 3.12 If is a consistent formula, then there exists a model M and a full report T on M .
0
Proof: Fix a consistent formula . Let A be an MCS such that 2 A . Fix a countable set W = fw ; w ; : : :g, and an enumeration of W . We now define a sequence of finite frames F ; F ; : : :, with partial reports Ti on Mi = (Fi; Vi), i 0, with the following properties: let Mi = (Wi; i; i ; Vi) and Ui Wi such that Ti has no requirement at any w 2 Ui in Fi, i 0. Wi Wi , i i and Ui Ui . For all w 2 Ui , i (w) = i (w) and Ti extends Ti at w. The construction proceeds inductively as follows: define W = fw g, = f(w ; w )g, (w ) = fw g if XTrue 2 A , and (w ) = ; otherwise. Set T (W ; w ) = A and V = A \ P . Clearly, T is a partial report on the model M . 0
0
0
1
+1
+1
+1
+1
0
0
0
0
0
0
0
0
1
0
+1
0
0
0
0
0
0
0
0
0
0
0
0
0
Suppose that we are given Ti on Fi satisfying the inductive assumptions. If Wi = Ui, then set Mi = Mi and Ti = Ti; otherwise, among elements in Wi ? Ui , pick the least one in the enumeration, say w. By repeated applications of Proposition 3.10, we get T on the finite model M = (W; ; ; V ) where Wi W , and for all w0 2 Ui , we have (w0) = i (w0), for all w00 2 W , w0 62 (w00 ), V (w0) = Vi(w0), and T extends Ti at w0. In particular, for all w0 2 Ui, w0 62 (w). Note that T has a requirement at w in M as well. By Lemma 3.11, there exists a partial report T 0 on model M 0 which has no requirements at w, and in addition, for all w0 2 Ui, 0(w0) = (w) and T 0 extends T at w0, as required. Set Mi = M 0 and Ti = T 0. Such a construction ensures the following property: for all i 0, there exists ni such that for all k ni, wi 2 Wk , k (wi) = ni (wi) and Tk extends Tni at wi. [ Now define the model Mlim = (Wlim ; lim; lim ; Vlim), where Wlim = Wi and i [ lim = i . Consider w 2 Wlim; there exists i 0 such that w 2 Wi. Define +1
+1
+1
+1
def
i
lim (w) = ni (w). To define Tlim, consider any node in the view tree Flim such that w 2 lim(w); clearly there exists a node 0 in Fni such that ni (0) = lim(). Define Tlim (; w) = Tni (0 ; w). It can be easily checked that Tlim is a full report on the model Mlim , as required. 2 Lemmas 3.12 and 3.8 together show that every consistent formula is satisfiable, establishing Theorem 3.1.
4 Subclasses
The class of frames is extremely general: we have no conditions at all relating visibility at different worlds. It is only to be expected that modelling systems in this framework will impose several structural relationships between (w) and (w0 ), depending on the systems being modelled. Here, we briefly discuss some subclasses motivated more by abstract considerations than modelling compulsions.
4.1 Recognizable frames
Let F = (W; ; ) be a frame. Call a world w recognizable if w 2 (w). A frame F is said to be recognizable if every world in F is. The class of recognizable frames is easily characterized by the following axiom scheme: (R) Y X It can be easily checked that the combined system presented in the previous section, enriched with this scheme, provides a complete axiomatization of the class of formulas valid over recognizable models. While recognizability may be too strong an assumption to make about every world, it does seem unintuitive to have worlds w; w0 where w 2 (w0) but w 62 (w). Thus, even if every world is not recognizable, we might at least want every visible world to be recognizable: call a frame F weakly recognizable iff for every w, if there exists w0 such that w 2 (w0) then w 2 (w). Such frames are also easily characterized, and we again get a complete axiomatization with the addition of the following scheme: (WR) YKXTrue
4.2 Transitive frames
In Section 1.4, we discussed resource boundedness in the context of reasoning about knowledge. A way in which resource dependence is made explicit in this framework is by the depth of the view tree associated with a view frame, and this arises from the lack of transitivity in the view function. We consider (w), the worlds visible to the agent at w, as explicit knowledge of the agent, say by using a database locally accessible to the agent. When w0 2 (w) and w00 2 (w0), we could argue that the agent does have access to w00, but that such access requires some resources from the agent. In this sense, the following class of frames provides a framework for computationally unlimited but view-limited agents (in the sense in which agents in spatially distributed systems have limited visibility). Call a frame F = (W; ; ) transitive iff whenever w2 2 (w1 ), we also have (w2 ) (w1 ). It should be easy to see that when F is transitive and W 0 W , then F dW 0 is also transitive. The following axiom scheme characterizes transitive frames: (T ) XLX LX To see the soundness of this scheme, consider a transitive model M = (W; ; ; V ) and w 2 W such that M; w j= XLX. Hence w 2 (w) and there exists w0 2 (w) such that w0 w and M d (w); w0 j= X. Hence M d( (w) \ (w0)); w0 j= . But by transitivity of the frame, (w0) (w) and hence (w) \ (w0) = (w0). Therefore, M d (w0 ); w0 j= . That is, M; w0 j= X. Since w w0, M; w j= LX, proving validity of (T). The completeness argument is more involved. The relation can be shown to be transitive, in the sense that when M; N are X-MCSs and A is an MCS, (M N A) implies (M A). The crucial lemma showing that requirements can be fulfilled needs considerable reworking to maintain transitivity of frames. On the other hand, the complexity of the decision procedure for satisfiability can be considerably improved for transitive frames, leading to an O(md) algorithm for checking satisfiability of a formula whose length is m and modal alternation depth is d.
4.3 Monotone frames
In an example discussed in Section 2, we considered a situation where w0 w1 w2 where (w0 ) = fw0 ; w1 g and (w1 ) = fw1 ; w2 g. We might see this as the agent `forgetting' the information about w0 at w1 ; for instance, this may be a case of reusing memory to compute the state w2 . We now consider the subclass of frames where this cannot happen, and in which visibility preserves logical indistinguishability.
Definition 4.1 A view frame F = (W; ; ) is said to be monotone if and only if it is weakly recognizable, and 8w; w1 ; w2 2 W , if fw1 ; w2 g (w) and w1 w2 then (w) \ (w1 ) = (w) \ (w2 ).
In monotone frames, once a logically indistinguishable world (w ) becomes visible from another (w ), they both contain the same information, in the sense that at w, the agent considers the same worlds to be visible at w as at w . The following properties of view functions make this clearer. 1
2
1
Proposition 4.2 Let F = (W; ; ) be a monotone frame.
2
1. 8w1 ; w2 2 W , if w2 2 (w1 ) and w1 w2 then (w1 ) = (w2 ).
2. 8w; w1; w2 2 W , if fw1 ; w2 g (w) and w1 w2 then (w1 ) = (w2 ).
Proof: Assume that w 2 (w ) and w w . By weak recognizability, w 2 (w ). By definition of monotonicity, since fw ; w g (w ) and w w , we get (w ) = (w ) \ (w ), that is, (w ) (w ). But then w 2 (w ) as well, and again by weak recognizability, w 2 (w ). Now we have fw ; w g (w ) and as before we find that (w ) (w ). Thus, (w ) = (w ), establishing the first statement. The definition of monotonicity and the hypotheses of (2) together imply that w 2 (w ) and w 2 (w ), and the claim follows from (1). 2 2
1
1
1
1
2
1
1
2
1
2
2
2
2
1
2
1
1
1
1
2
1
2
2
2
2
1
2
1
2
1
The following axiom scheme characterizes monotone frames: (M ) XL LX To see the soundness of the scheme, suppose M; w j= XL in a monotone model M . Then, w 2 (w) and M d (w); w j= L. Let w0 2 (w) and w w0 such that M d (w); w0 j= . By the proposition above, (w) = (w0) and hence we have M d (w0 ); w0 j= . That is, M; w0 j= X. Since w w0, we get M; w j= LX, as required. The advantage of monotone frames is clearly seen by the implications of Proposition 4.2: consider a universal monotone frame F = (W; ), that is, one in which = W W , and note that partitions W into sets W1 ; W2 ; : : : such that a world in Wi is visible from a world in Wj iff i = j . Thus the frame is split into a set of universal full subframes. Further, observe that for every formula and w; w0 2 W such that w0 2 (w), since (w) = (w0),
M d (w); w0 j= iff M d (w0 ); w0 j= : Thus, given a frame with k worlds in it, there are at most k + 1 substructures which we need to work with when we wish to check truth and we can define the size of a monotone frame (W; ; ) to be simply j W j. The benefits bestowed by these observations are these: the satisfiability problem is in NP, and truth checking is in time linear in the number of worlds. The completeness argument becomes very simple as well. Note that transitivity and monotonicity are different conditions even on weakly recognizable frames. Consider the following frames:
F = (W ; ; ), where W = fw; w ; w g, = W W , (w) = W , (w ) = fw g and (w ) = fw g. F = (W ; ; ), where W = fw; w ; w ; w g, is the identity relation on W , (w) = W , (w ) = fw ; w g, (w ) = fw ; w g and (w ) = ;. 1
1
1
1
1
1
1
2
2
1
2
2
2
1
2
2
2
1
1
1
1
1
1
2
2
2
2
1
3
1
2
2
2
3
2
2
3
2
3
1
We can check that F1 is transitive but not monotone, and F2 is monotone but not transitive. Further, it is easy to see that the axiom scheme (M) implies the scheme (T) (simply substitute X for ), but not the other way around. Thus, when we construct a model for an M -consistent formula, we can construct a model that is not only monotone, but transitive as well.
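The frame conditions of Sections 4.1 to 4.3 can be checked mechanically on finite frames. The following Python sketch is an added example, not part of the paper: `view` stands in for the visibility function (whose symbol did not survive in this copy), `equiv` for the indistinguishability relation, and both frames are constructed here for illustration.

```python
from itertools import product

def is_transitive(view):
    # Section 4.2: whenever w2 is visible at w1, view(w2) is a subset of view(w1).
    return all(view[w2] <= view[w1] for w1 in view for w2 in view[w1])

def is_weakly_recognizable(view):
    # Section 4.1: every world visible from some world is visible from itself.
    visible = set().union(*view.values())
    return all(w in view[w] for w in visible)

def is_monotone(view, equiv):
    # Definition 4.1: weakly recognizable, and any two indistinguishable worlds
    # visible at w have the same view once intersected with view(w).
    if not is_weakly_recognizable(view):
        return False
    return all(
        view[w] & view[w1] == view[w] & view[w2]
        for w in view
        for w1, w2 in product(view[w], repeat=2)
        if equiv(w1, w2)
    )

def satisfies_prop_4_2_item_1(view, equiv):
    # Proposition 4.2(1): if w2 is visible at w1 and they are indistinguishable,
    # then view(w1) == view(w2).
    return all(view[w1] == view[w2]
               for w1 in view for w2 in view[w1] if equiv(w1, w2))

def universal(a, b):      # every pair of worlds is indistinguishable
    return True

def identity(a, b):       # each world is distinguishable from all others
    return a == b

# Constructed frame A: universal indistinguishability, w sees everything,
# w1 and w2 see only themselves.
FRAME_A = {"w": {"w", "w1", "w2"}, "w1": {"w1"}, "w2": {"w2"}}

# Constructed frame B: identity indistinguishability, a chain of views.
FRAME_B = {"a": {"a", "b"}, "b": {"b", "c"}, "c": {"c"}}

def classify(view, equiv):
    return {
        "weakly_recognizable": is_weakly_recognizable(view),
        "transitive": is_transitive(view),
        "monotone": is_monotone(view, equiv),
        "prop_4_2_item_1": satisfies_prop_4_2_item_1(view, equiv),
    }

if __name__ == "__main__":
    print("A:", classify(FRAME_A, universal))
    print("B:", classify(FRAME_B, identity))
```

Frame A is transitive but not monotone, and frame B is monotone but not transitive, so the two conditions are independent on weakly recognizable frames; the conclusion of Proposition 4.2(1) also fails on frame A, as expected once monotonicity is dropped.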
4.4 Bounded visibility frames
We need to study subclasses of frames in which bounds on visibility are placed structurally. The advantage of such a set-up is that resource limitations can be modelled in a natural way: for instance, we can consider systems where views are uniformly bounded to have at most k states; or insist that only the adjacent states (in the transition system or graph representation of the system) be visible at any state. We can then study interactions between agents one of whom does a one-step-look-ahead whereas the other always looks ahead two steps, and so on. This suggests that a dynamic or temporal logic of view-based knowledge may be well worth studying.
References
[FHMV95] Fagin, R., Halpern, J., Moses, Y. and Vardi, M., Reasoning about knowledge, M.I.T. Press, 1995.
[HF89] Halpern, J., and Fagin, R., "Modelling knowledge and action in distributed systems", Distributed Computing, vol 3, #4, 1989, 159-177.
[HMV94] Halpern, J., Moses, Y., and Vardi, M., "Algorithmic knowledge", TARK V, Theoretical Aspects of Reasoning about Knowledge, 1994, 255-266.
[KNP90] Krasucki, P., Ndjatou, G. and Parikh, R., "Probabilistic knowledge and probabilistic common knowledge", in ISMIS 90, International Symp. on Methodology for Intelligent Systems, 1990, 1-8.
[KR94] Krasucki, P., and Ramanujam, R., "Knowledge and the ordering of events in distributed systems", TARK V, Theoretical Aspects of Reasoning about Knowledge, 1994, 267-283.
[Pa87a] Parikh, R., "Knowledge and the problem of logical omniscience", ISMIS 87, International Symp. on Methodology for Intelligent Systems, 1987, 432-439.
[Pa87b] Parikh, R., "Some recent applications of knowledge" in FST and TCS 7, Foundations of Software Technology and Theoretical Computer Science, 1987, LNCS #287, 528-539.
[Pa90] Parikh, R., "Recent trends in reasoning about Knowledge" TARK III, Theoretical Aspects of Reasoning about Knowledge, 1990, 3-10.
[Pa94] Parikh, R., "Logical omniscience" in Logic and Computational Complexity LNCS # 960, 22-29.
[R96a] Ramanujam, R., "Local knowledge assertions in a changing world", TARK VI, Theoretical Aspects of Rationality and Knowledge, 1996, pp. 1-17.
[R96b] Ramanujam, R., "A discussion on explicit knowledge", in The Parikh Project: Seven papers in honour of Rohit, ed. K. Segerburg, Uppsala Prints and Reprints in Philosophy, No. 18, 1996.
[R98] Ramanujam, R., "View based explicit knowledge", to appear in Journal of Pure and Applied Logic, 1998.