A. Zanardo. Completeness of a. Branching-Time. Logic with Possible Choices. Abstract. In this paper we present BTC, which is a logic for branching-time whose.
R. Ciuni A. Zanardo
Completeness of a Branching-Time Logic with Possible Choices
Abstract. In this paper we present BTC, which is a logic for branching-time whose modal operator quantifies over histories and temporal operators involves a restricted quantification over histories in a given possible choice. This is a technical novelty, since the operators of the usual logics for branching-time such as CTL expresses an unrestricted quantification over histories and moments. The value of the apparatus we introduce is connected to those logics of agency that are interpreted on branching-time, as for instance Stit Logics. Keywords: Branching-Time, Agency, Choices, Completeness, BTC.
1.
Introduction
The most common logics for branching-time employ modal operators that are to be read as quantifiers over histories (also called paths). As is well known, given a tree-like structure including a set of points (called moments) and a backward-linear, irreflexive and transitive relation on them (the earlier/later relation), a history is a maximal and linearly ordered set of moments. The structure being tree-like represents the indeterministic idea that “the world might develop in a number of ways” or that “a program might result in alternative outputs”. Quantification over histories is widespread both in mathematical logic and computer science. In the first field, we have Peircean and Ockhamist logics. Their operators may be defined as quantifiers that range over the histories (and moments) that are in the structure.1 . In the second field, we have the logics CTL and CTL∗ . Their language and semantics are similar to the ones for Ockhamist and Peircean logics, with an important difference: a discrete time and a next operator are assumed by CTL and CTL∗ , while
Presented by Name of Editor; Received December 1, 2005 1 Ockhamist and Peircean logics were first introduced in [19] Their formal syntax and semantics are given in [5], [17] and [21]. Completeness and decidability of Peircean logics w.r.t. bundled trees are proved in [7] and [24]. Completeness of Ockhamist Logics is proved in [23] w.r.t. bundled trees.
Studia Logica (0) 0: 1–28
c Springer
0
2
R. Ciuni, A. Zanardo
Ockhamist and Peircean logics usually take time to be continuous.2 . Ockhamist and Peircean Logics provide indeterministic models for the physical world. CTL and CTL∗ provide prominent specification languages in the field of automatic verification. The importance of such logics in their respective fields prove quantification over histories to be fruitful and deserve attention. At the same time, important applications of the logic of agency to time have suggested that it would be worth defining modal operators which express a restricted quantification over histories, that is, a quantification that ranges over subsets of the histories of the structure. One example is given by Stit Logics, which are logics of agency first introduced by Belnap et alii in [15] and [2]. There, the primitive modal operators stit (“seeing to it that”) are evaluated at moment-history pairs in a tree-like structure. Each history passing through a moment t belongs to one of the possible choices of each agent at t. Possible choices are defined in turn as disjoint sets of histories satisfying precise requirements and represent the courses of events that an agent is empowered to undertake.3 At any pair ht, hi, “agent α sees to it that A” is read as “for every history h0 that is in the same possible choice as h, A is true at the pair ht, h0 i”.4 . The above clause clearly involves a restricted quantification over histories. Another example comes from Alternating-Time Temporal Logic (ATL), which is intended to frame the notion of strategic ability of one or more agents. The ability of an agent to bring about A is read as the fact that the agent can force A in all the histories in the outcome of a given strategy, where strategies are maps from sequences of moments to sets of next-moments and outcomes are sets of histories passing through the intended sequence of moments.5 ATL is endowed with a strategic-ability opCTL and CTL∗ were introduced in [8] and in [11] Their semantics are usually based on transition systems with a finite number of states, but it is easy to unravel such structures in a branching-time with a finite numbers of moments, along the lines of [12]. It is also easy to adapt their semantics to allow an infinite number of moments. Completeness results are given in [10] (CTL w.r.t. bundled trees) and [20] (CTL∗ w.r.t. bundled trees). The decidability of CTL is proved in [10]. 3 We shall see in section 2 which requirements a set of history must satisfy to be a possible choice. 4 As we shall see below, the above informally expresses the truth-clause of the socalled cstit, an operator introduced in [9] and [15] The deliberative stit operator (dstit) introduced in [15] and [2] is defined by means of cstit and additional conditions (see section 2.3 below). The achievement stit operator (astit) introduced in [2] is not definable by means of the other two. In any case, today this last operator is attracting less attention that its cognate. Decidability for multi-agent dstit w.r.t. to full bundled trees is proved in [2], pp. 445-450. 5 ATL is presented in [1] and proved to be decidable in [13]. 2
Completeness of a Branching-Time Logic . . .
3
erator that conceals a combined quantification over strategies and outcomes (the latter being a restricted quantification over histories). It is worth noticing that in ATL time is assumed to be discrete and the transition function that maps moment-agent pairs into sets of possible next moments partitions the set of next states. As a consequence, outcomes (which are in turn defined on such maps) fulfil the requirements to be possible choices.6 Thus, some of the most prominent logics of agency employ a restricted quantification over histories, namely those histories that are in a given possible choice. The facts above suggest the importance of a logic for branching-time whose modal operators are interpreted as restricted quantifiers over the histories in a possible choice. In this paper, we present such a logic, which we call BTC (Branching-Time with Choices), and we show that BTC is complete w.r.t. choice b-trees, a new class of structures we shall introduce below. The rationale of the proof of completeness is not just its technical value. Indeed, some Stit Logics have been proved to be complete and decidable. This has been an important point for the use of Stit Logics in theoretical computer science.7 Indeed, the above properties become interesting when it comes to the computational treatment of agency. In such a field, Stit Logics helps us to reason about agent systems and model the behaviour of one or many agents (or even groups). Thus, Stit Logic can be of help in understanding the connections between a variety of different agents, as for example programs in distributed systems.8 In addition, extensions of Stit Logics prove helpful with very specific problems, for example they can give rise to epistemic extensions where each single agent acts in a uniform way when confronted with courses of events which are indistinguishable to him, something that ATL cannot do (see [14]). Thus, while a logic with restricted quantification over histories is needed to represent a number of phenomena about agency and time, the completeness of such a logic is a precondition for computational applications, together with decidability. With the proof of completeness, we aim at making a first step in this direction. The paper proceeds as follows. In Section 2 we introduce BTC, its semantics, and a new class of structures, choice b-trees, needed to evaluate the formulas of BTC. We also show that BTC is more expressive than CTL (by this we mean that there is a truth-preserving translation from the former to 6 To be more precise, in [4], p. 568, Broersen et alii prove that any structure for ATL can be unraveled into discrete branching-time structures where the choices of agent at a moment- individuated as sets of next moments - partition the set of next moments. 7 Examples of such a use are [3] and [4]. 8 A distributed system is a set of different programs connected through a network. Clearly, programs executing instructions can be thought of as agents performing actions.
4
R. Ciuni, A. Zanardo
the latter, but not vice versa) and that the most prominent stit operators are defined in a version of BTC that includes one agent. In section 3 we give the axioms for BTC, and in section 4 we prove completeness. Section 5 contains some concluding remarks and presents future research perspectives.
2.
Structures, Syntax and Semantics of BTC
In this section we introduce the structures that are needed to evaluate the formulas of BTC. They are tree-like structures enriched with a function of choice. Such a function maps every moment to the set of its possible choices. The language of BTC is introduced together with its semantics, and possible choices play a chief role in it. Before closing the section, we briefly compare the language of BTC with that of CTL and we make some remarks on BTC and Stit Logics. 2.1.
Choice B-Trees
BTC is a logic for discrete branching-time structures endowed with a function of choice Ch. The structures for evaluating BTC’s formulas are choice b-trees, being bundled trees endowed with Ch. A tree T is a pair hT, t such that MCTL , t0 |= A CTL5) MCTL , t |= fA iff some h passing through t contains a moment t0 > t such that MCTL , t0 |= A 16
See for example [3] and [4].
10
R. Ciuni, A. Zanardo
CTL6) MCTL , t |= XA iff for every h passing through t, M, suc(t, h) |= A The embedding of CTL-models in BTC-models is straightforward, since a bundled tree can be viewed as a choice b-tree where Ch(t) = {Bt } (a limit choice b-tree). In other words, bundled trees are those choice b-trees which are endowed with the largest function of choice, and thus represent a limit-case of the structures of BTC. There is a translation τ from CTL into BTC that preserves truth. This means that for every CTL-formula A, CTL-model MCTL , and moment t in MCTL , MCTL , t |= A ⇔ M, ht, hi |= τ (A) (2.1) where M is obtained from MCTL by adding an arbitrary choice function and h is any history in Bt . The translation τ maps each propositional variable to itself and boolean combinations to the same combinations of the translated formulas. The translations of tempo-modal formulas are the following: τ (FA) = �F τ (A) τ (fA) = ♦f τ (A) τ (XA) = �Xτ (A) The function τ is truth-preserving because quantifications over Bt can be decomposed into quantifications over the set of choices Cht , and quantifications within each class [h]Ch t . In particular, the truth of τ (A) on the right side of (2.1) does not depend on the choice of the history h, that is, according to Peircean semantics the truth of τ (A) depends only on the moment t. It is also easy to see that, by contrast, there is no truth-preserving translation τ 0 from BTC to CTL. In other words, (2.1) does not hold with τ (A) replaced by A in the right side and A replaced by τ 0 (A) in the left side. The reason is twofold. First, the semantics of CTL is not able to single out arbitrary possible choices at a moment in a tree. Second, bundled trees can be defined as particular (limit) choice b-trees with just one possible choice (coinciding with Bt ) at each moment t. This prevents BTC from being translatable into CTL salva veritate. Consider for instance the BTC formula (*) ♦Xp ∧ ♦X¬p, where p is a propositional varible. For a given moment t, this formula states that “(i) for every history h in some possible choice at t, M, ht1 , hi |= p, where t1 is the successor of t on h, while (ii) M, ht01 , h0 i |= ¬p for any h0 in some other possible choice at t, where again t01 is the successor of t on h0 . The formula
Completeness of a Branching-Time Logic . . .
11
(*) is satisfiable in any BTC-tree containing some moment t at which two (or more) possible choices are available. Then, any translation τ 0 from BTC to CTL cannot preserve truth: τ 0 ((*)) will turn false in every CTL-model because in such models we have just one possible choice at every moment. Beside the comparison with CTL, there is another important point about BTC: it expresses particular mono-agent versions of two stit operators: the dstitα introduced by Belnap and Horty and the cstitα introduced by Chellas.17 Stit Logics are defined on structures that are exactly as our choice b-trees or full choice b-trees (see Footnote 9). As a consequence, the comparison here is even simpler than with CTL, and we can directly compare the formulas of some Stit Logics with those of BTC. The difference in the evaluation functions of BTC and Stit Logics will play no role here. Informally stated, the truth-clause for cstitα says that “cstitα A is true at ht, hi iff A is true at ht, h0 i for every history h0 in the same possible choice (of a at t) as h”. dstitα A may be defined in turn as “cstitα A and some h00 is such that A is false at ht, h00 i”. The formal truth-clauses are given in [2] and [15].18 Stit Logics do not usually comprise temporal operators. Indeed, a recurrent idea in the works of Belnap et alii is that, in dstitα A, the subformula A should be taken as a future tensed formula (in other words, it should read “α sees to it that it will be the case that A). If we take the assumption seriously - more seriously than Belnap et alii did from a formal point of view - we will have to modify the semantics of the two operators as follows: “cstit∗α A is true at ht, hi iff A is true at ht0 , h0 i for every history h0 in the same possible choice (of a at t) as h”, with t0 a moment in the future of t, and dstit∗α A is “cstit∗α A and some h00 is such that A is false at ht0 , h00 i, with t0 and t00 two incomparable moments later than t”. Under the assumption that that there is only one agent in the structure, it is evident that cstit∗α A has the same truth-clause as F A in BTC, and that dstit∗α A has the same truth-clause as F A ∧ ♦¬F A. We can equivalently come back to the Stit Logic with dstitα and cstitα , and endow them with the operator for simple future F ∗ . The operator is included in CTL∗ , and its informal truth-clause is “F ∗ A is true at ht, hi iff A is true at ht0 , hi, where t0 is some moment later than t”. It is easy to 17
In dstitα , the subscript α refers to the agent. Though here the comparison will be done under the assumption that only one agent is defined in the structures, we shall keep α. Indeed, reference to it seems indispensable to make sense of stit operators as expressing the notion of “seeing to it that”. 18 See [2], p. 37 and [15], p. 592 for dstitα . See [2], p. 298 and [15], p. 600 for cstitα .
12
R. Ciuni, A. Zanardo
see that cstitα F ∗ A has the same truth-conditions as F A in BTC, and that dstitα F ∗ A has the same truth-clause as F A ∧ ♦¬F A. We can also define a next operator X ∗ by “X ∗ A is true at ht, hi iff A is true at ht0 , hi, where t0 is the successor of t in h”. In that case, cstitα X ∗ A is the same as XA in BTC, and dstitα X ∗ A is the same as XA ∧ ♦¬XA. However, these temporal Stit Logics will include BTC, since they will be able to express those cases of instantaneous action - like cstitα B, where B is a non-tensed formula which BTC cannot express.
3.
Axioms
The logic BTC is determined by the following axioms A0 to A14, and Rules MP, N1, and N2 below. A0 Every instance of a tautology; A1 S5-axioms for the operators ♦ and �; A2 p ↔ �p for every propositional variable p; A3 G(A → B) → (GA → GB); A4 G(A → B) → (F A → F B); A5 X(A → B) → (XA → XB); A6-9 f f A → f A;
F F A → F A;
A10-11 f A ↔ x(A ∨ f A);
F A → f A;
xA → f A;
gA ↔ x(A ∧ gA);
A12 G(A → XA) → (XA → GA); A13,14 XA → xA;
XA ↔ X�A.
A→B A A N1 : N2 : B �A GA The BTC-validity of Axioms A0-13 is easily checked. Axiom A14 establishes the connection between tense and modality. In order to show that also this axiom is BTC-valid, we assume M, ht, hi |= XA for some pair ht, hi in 0 0 some model M = hT Ch , V i. Then, given any h0 ∈ [h]Ch t , M, ht , h i |= A, 0 0 where t is the successor of t in h . By Condition C2, every history h00 in [h0 ]t0 belongs also to [h]Ch and hence M, ht0 , h0 i |= �A. Since h0 is an arbitrary t Ch element of [h]t , we can conclude M, ht, hi |= X�A. A Axiom A9 can also be written as GA → XA and hence XA is a derived inferential rule. Then, the logic of the operator X is a normal modal logic. In particular, by A13, we have that ♦> is a theorem of BTC for every tautology >. Theoremhood in BTC will be denoted by `. MP :
A
13
Completeness of a Branching-Time Logic . . .
4.
Completeness: Preliminaries and Proof
The completeness proof for BTC is based on a Henkin-style construction: given any consistent formula D, it will be shown that there exists a choice b-tree hT Ch , Bi in which D is satisfiable. Some preliminaries: Consistency and maximal consistent sets (m.c.s.’s) are defined in the usual way and the latter will be denoted by Greek capital letters ∆, Γ, Σ, . . . . By the Lindenbaum Lemma every consistent set of formulas has a maximal consistent extension (m.c.e.). The definition of the modal and temporal relations between m.c.s.’s is standard as well: def
∆ ∼ Γ ≡ {A : �A ∈ ∆} ⊆ Γ
def
∆ C Γ ≡ {A : GA ∈ ∆} ⊆ Γ
(4.1)
We have already observed that truth in a BTC-model can be viewed as truth at some [h]Ch t . Thus, in the completeness construction, maximal consistent sets are meant to represent entities of this kind. According to the interpretation of the operator �, the semantical correspondent of ∼ relates 0 and [h0 ]Ch [h]Ch t t0 whenever t = t . Similarly, the tree relation < between Ch moments induces a relations between classes [h]Ch t : we can say that [h]t 0 Ch 0 is related to [h0 ]Ch t0 whenever h ∈ [h]t and t < t . This particular relation corresponds to the relation C between maximal consistent sets. It is routine to show that ∼ is an equivalence relation and that C is transitive. These relations could have also been defined by means of the dual operators ♦ and f . We have in fact ∆ ∼ Γ ≡ Γ ⊆ {A : ♦A ∈ ∆}
∆ C Γ ≡ Γ ⊆ {A : f A ∈ ∆}
(4.2)
The predecessor relation between m.c.s.’s is defined by means of the operators X or x: def
Pr(∆, Γ) ≡ {A : XA ∈ ∆} ⊆ Γ
(≡ Γ ⊆ {A : xA ∈ ∆})
(4.3)
By A8, we have that Pr(∆, Γ) ⇒ ∆ C Γ. It will be technically convenient to consider also the set of all successors of the m.c.s. ∆: def
Suc(∆) = {Γ : Pr(∆, Γ)}
(4.4)
Standard modal logic results (taking into account that X is a normal modal logic operator) yield to the following lemma. Lemma 4.1. If ♦A, or f A, or xA belongs to the m.c.s. ∆, then there exists a m.c.e. Γ of A such that, respectively, ∆ ∼ Γ, or ∆ C Γ, or Pr(∆, Γ).
14
R. Ciuni, A. Zanardo
Lemma 4.2. Let Γ0 , . . . , Γn a sequence of m.c.s.’s such that F A ∈ Γ0 , g¬A ∈ Γn , and, for i = 1 to n, Pr(Γi−1 , Γi ). Then, there exists a k such that A ∈ Γk . Proof. Let k be the smallest index such that g¬A ∈ Γk and F A ∈ Γk−1 . Observe now that, by the definition of g and x, A12 is equivalent to F A ↔ X(A ∨ F A). Then A ∨ F A ∈ Γk and hence A ∈ Γk . 4.1.
Atoms
Since histories in BTC models are isomorphic to the set of natural numbers, BTC satisfiability faces a well known non-compactness phenomenon. Consider for instance the set of formulas Ψ = {X n p : n ∈ N} ∪ {f ¬p}, where X 0 p = p and X n+1 p = XX n p. Every finite subset of Ψ is satisfiable, but the whole set (which is consistent) is not satisfiable because the truth of all formulas of the form X n p implies the truth of Gp. This is the reason why we prove that a single consistent formula D is satisfiable and why, differently from the usual Henkin constructions, maximal consistent sets cannot be used. In our proof, the role of these maximal sets will be played by suitable finite sets which will be called atoms (see below). Intuitively, an atom is a consistent set containing enough information for describing the truth of the formula D. As a support for the construction, we define the sets cl− (D) and cl(D) by means of the following clauses: i cl− (D) contains the set {D, G⊥, �⊥, F ⊥, X⊥}, and it is closed under subformulas and Boolean connectives. ii XA ∈ cl− (D) ⇒ X¬A ∈ cl− (D) iii F A ∈ cl− (D) ⇒ XA, XF A ∈ cl− (D) iv f A ∈ cl− (D) ⇒ xA, xf A ∈ cl− (D) v A ∈ cl− (D) ⇒ �A ∈ cl− (D) vi cl(D) = {B | all the propositional variables of B are in cl− (D) and there exists A ∈ cl− (D) such that ` A ↔ B} From (i), (ii), (v) and (vi) it follows that cl(D) is infinite. However, cl(D) can be represented by a finite subset D∗ of it: (∗)
for every A in cl(D), there exists a A∗ in D∗ such that ` A ↔ A∗
The existence of D∗ derives from the fact that (i), (ii) and (v) determine finitely many equivalent classes modulo provability. Indeed: (1) there are finitely many propositional functions on a finite set of propositional variables,
15
Completeness of a Branching-Time Logic . . .
(2) X¬¬A ↔ XA, (3) by S5 axioms, given any sequence ◦1 · · · ◦k , where each ◦ is either � or ♦, ◦1 · · · ◦k A is equivalent with ◦k A. From now on, D∗ is any fixed set fulfilling (∗) above. In the construction of our model, the role of m.c.s.’s will be played by suitable subsets of D∗ . These subsets will be called atoms and the set MD∗ of D∗ -atoms is defined by MD∗ = {a ⊆ D∗ : for some m.c.s. Γ , Γ ∩ D∗ = a}
(4.5)
¯ a to mean that there is a formula A0 such that ` A ↔ We will write A ∈ A0 and A0 ∈ a. It will not be confusing to say that A ‘belongs’ to a also in ¯ a. The following lemma characterizes the relation ∈ ¯ in terms of case A ∈ membership to m.c.s.’s. Lemma 4.3. For every atom a ∈ MD∗ and every formula A ∈ cl(D), the following statements are equivalent ¯ a (1) A ∈ (2) for all m.c.s. Γ, a = D∗ ∩ Γ implies A ∈ Γ (3) for some m.c.s. Γ, a = D∗ ∩ Γ and A ∈ Γ ¯ a, then A is provably equivalent to a formula A0 ∈ a and Proof. If A ∈ hence every m.c.s. containing a contains also A; thus (1) ⇒ (2). By the definition of atom, a m.c.e. of a exists, and hence (2) ⇒ (3). Assume a = D∗ ∩ Γ and A ∈ Γ. Since A ∈ cl(D), there is a A0 in D∗ such that ` A ↔ A0 . This implies A0 ∈ Γ and A0 ∈ a. Then (3) ⇒ (1). Atoms are finite sets of formulas and hence they can be represented by the conjunction of all formulas belonging to them. We shall use also this representation of atoms, in addition to their representation as sets. We extend our definitions of ∼,
