Quantifying over boolean announcements

arXiv:1712.05310v1 [cs.LO] 14 Dec 2017

Quantifying over boolean announcements Hans van Ditmarsch∗, Tim French† December 15, 2017

Abstract Various extensions of public announcement logic have been proposed with quantification over announcements. The best-known extension is called arbitrary public announcement logic, APAL. It contains a primitive language construct ✷ϕ intuitively expressing that “after every public announcement of a formula, formula ϕ is true.” The logic APAL is undecidable and it has an infinitary axiomatization. Now consider restricting the APAL quantification to public announcements of boolean formulas only, such that ✷ϕ intuitively expresses that “after every public announcement of a boolean formula, formula ϕ is true.” This logic can therefore called boolean arbitrary public announcement logic, BAPAL. The logic BAPAL is the subject of this work. It is decidable and it has a finitary axiomatization. These results may be considered of interest, as for various applications quantification over booleans is sufficient in formal specifications.

1

Introduction

Public announcement logic (PAL) [13, 17] extends epistemic logic with operators for reasoning about the effects of specific public announcements. The formula [ψ]ϕ means that “ϕ is true after the truthful announcement of ψ.” This means that, when interpreted in a Kripke model with designated state, after submodel restriction to the states where ϕ is true (this includes the designated state, ‘truthful’ here means true), ψ is true in that restriction. Arbitrary public announcement logic (APAL) [3] augments this with operators for quantifying over public announcements. The formula ✷ϕ means that “ϕ is true after the truthful announcement of any formula that does not contain ✷.” Quantifying over the communication of information as in APAL has applications to epistemic protocol synthesis, where we wish to achieve epistemic goals by communicating information to agents, but where we do not know of a specific protocol that will achieve the goal, and where we may not even know if such a protocol exists. In principle, synthesis problems can be solved by specifying them as formulas in the logic, and applying ∗ †

LORIA – CNRS / University of Lorraine, Nancy, France; [email protected] University of Western Australia, Perth, Australia; [email protected]

1

model-checking or satisfiability procedures. However in the case of APAL, while there is a PSPACE-complete model-checking procedure [1], the satisfiability problem is undecidable in the presence of multiple agents [11]. The quest for a decidable version of public announcement logic with quantification has been going on for a while. Group announcement logic and coalition announcement logic, that are logics with quantifiers over public information change that are similar to APAL, are also undecidable [2]. Whereas the ‘mental model’ arbitrary public announcement logic of [8] is decidable. Yet other dynamic epistemic logics have more generalized quantification, namely over non-public information change. Of those, arbitrary arrow update logic [21] is undecidable, whereas refinement modal logic [6] and arbitrary action model logic [14] are decidable. The above-mentioned [8], wherein a decidable arbitrary public announcement logic is presented, is an interesting case. Decidability is achieved by restricting epistemic modalities, while retaining arbitrary announcements (of formulas containing such modalities). These special modalities are not labelled with an (abstract set of) agents, but with programs using propositional variables. This severely constrains the relational (‘Kripke’) models (possibly) satisfying the formulas bound by the epistemic modalities, which is how decidability can then be obtained for this logic. Instead, in the logic that we will propose, we do not restrict the epistemic modalities, but restrict the quantification over the announcements, the dynamic modalities. We propose a multi-agent epistemic logic with public announcements and with quantification over public announcements of boolean formulas (so-called boolean announcements).1 We call this boolean arbitrary public announcement logic (BAPAL). It is therefore a version of APAL: as said, in APAL we allow quantification over any quantifier-free (✷-free) formulas, including formulas with announcement modalities and knowledge modalities. Unlike APAL, BAPAL is decidable. For APAL only an infinitary axiomatization is known [4], although it has not been proved that a finitary axiomatization cannot exist [15]. Unlike APAL, BAPAL has a (complete) finitary axiomatization. We also show that BAPAL is more expressive than public announcement logic. There seem to be many applications, in particular in planning, wherein it makes sense only to consider quantifications over booleans. Consider cards cryptography wherein two communicating agents (the principals) attempt to learn the card deal without other players (eavesdroppers) learning the card deal, or even something stronger, such as not learning the ownership of any single card other than their own [10, 18, 9]. When modelling initial uncertainty about a stack of cards being dealt over a finite set of players, single states in such models can be uniquely identified with a card deal. Therefore, public announcements restricting such models correspond to 1

It is more common to write Boolean with a capital letter B, after the mathematician Boole, than to write boolean with a lower case b. We prefer the latter: at some stage, names become kinds. Anyone for writing Platonic love instead of platonic love? Or Caesarean delivery instead of caesarean delivery?

2

booleans. For example, let there be three cards 0, 1, 2 and three players Alice, Bob, and Eve, and suppose that Alice announces (truthfully) that she holds card 0. This corresponds to the public announcement of (some elementary boolean representation of) two card deals, namely the one wherein, additionally, Bob holds 1 and Eve holds 2, and the one wherein Bob holds 2 and Eve holds 1. As another example, consider multi-agent planning for publicly observable sensing actions under uncertainty [16, 20, 5, 7]: given multiple agents that are uncertain about a number of system parameters (lights, switches, temperature settings) they may be informed, or they may be informing each other, about their observations of the state of the light. Or they may be planning to make such observations, and contingent on the outcome of such observations take further action. We close the introduction with an outline of the content of this work. In Section 2 we define the logical language and semantics of BAPAL and we give various semantic results that will be used in later sections. Section 3 is on the expressivity of BAPAL, and Section 4 presents the complete axiomatization. Finally, Section 5 proves the decidability of BAPAL.

2

Boolean arbitrary public announcement logic

Given are a countable (finite or countably infinite) set of agents A and a countably infinite set of propositional variables P (a.k.a. atoms, or variables).

2.1

Syntax

We start with defining the logical language and some crucial syntactic notions. Definition 1 (Language) The language of boolean arbitrary public announcement logic is defined as follows, where a ∈ A and p ∈ P . L(A, P ) ∋ ϕ ::= p | ¬ϕ | (ϕ ∧ ϕ) | Ka ϕ | [ϕ]ϕ | ✷ϕ

⊣

Other propositional connectives are defined by abbreviation. For Ka ϕ read ‘agent a knows ϕ’. For ✷ϕ, read ‘after any (boolean) announcement, ϕ (is true)’. For [ϕ]ψ, read ‘after ˆ a ϕ := public announcement of ϕ, ψ’. The dual modalities are defined by abbreviation: K ¬Ka ¬ϕ, hϕiψ := ¬[ϕ]¬ψ, and ✸ϕ := ¬✷¬ϕ. Unless confusion results we often omit one or both of the parameters A and P in L(A, P ), and write L(P ) or L. We also distinguish the language Lel of epistemic logic (without the constructs [ϕ]ϕ and ✷ϕ) and the language Lpl of propositional logic (without additionally the construct Ka ϕ). Formula variables for propositional logical formulas are ϕ0 , ψ0 , etc. The set of propositional variables that occur in a given formula ϕ is denoted var(ϕ), its modal depth d(ϕ) is the maximum nesting of Ka modalities, and its quantifier depth D(ϕ) is the maximum nesting of ✷ modalities. These all have obvious inductive definitions. If p∈ / var(ϕ) we say that p is a fresh atom.

3

Arbitrary announcement normal form is a syntactic restriction of Lbapal that pairs all public announcements with arbitrary boolean announcement operators. It plays a role in the decidability proof. We will show that any formula in Lbapal is equivalent to one in Laanf . Definition 2 (Arbitrary announcement normal form) The language fragment Laanf is defined by the following syntax, where a ∈ A and p ∈ P . ϕ ::= p | ¬ϕ | (ϕ ∧ ϕ) | Ka ϕ | [ϕ]✷ϕ We now define necessity forms and possibility forms. Necessity forms are used in derivation rules in the proof system. Definition 3 (Necessity form) Consider a new symbol ♯. The necessity forms are defined inductively as follows, where ϕ ∈ Lbapal and a ∈ A. ψ(♯) ::= ♯ | (ϕ → ψ(♯)) | Ka ψ(♯) | [ϕ]ψ(♯) A necessity form contains a unique occurrence of the symbol ♯. If ψ(♯) is a necessity form and ϕ ∈ Lbapal , then ψ(ϕ) is ψ(♯)[ϕ/♯] (the substitution of ♯ in ψ(♯) by ϕ), where we note that ψ(ϕ) ∈ Lbapal . A possibility form is the dual of a necessity form. They are therefore defined as: ˆ a ψ{♯} | hϕiψ{♯} ψ{♯} ::= ♯ | (ϕ ∧ ψ{♯}) | K

2.2

Structures

We consider the following structures and structural notions in this work. Definition 4 (Model) An (epistemic) model M = (S, ∼, V ) consists of a domain s of states (or ‘worlds’), an accessibility function ∼: A → P(S × S), where each ∼a is an equivalence relation, and a valuation V : P → P(s), where each V (p) represents the set of states where p is true. For s ∈ S, a pair (M, s) for which we write Ms is an epistemic state. ⊣ We will abuse the language and also call Ms a model. Definition 5 (Bisimulation) Let M = (S, ∼, V ) and M ′ = (S ′ , ∼′ , V ′ ) be epistemic models. A non-empty relation R ⊆ S × S ′ is a bisimulation if and only if for every (s, s′ ) ∈ R, p ∈ P , and a ∈ A the conditions atoms, forth and back hold. • atoms: s ∈ V (p) if and only if s′ ∈ V ′ (p). • forth: for every t ∼a s there exists t′ ∼′a s′ such that (t, t′ ) ∈ R. • back: for every t′ ∼′a s′ there exists t ∼a s such that (t, t′ ) ∈ R. If (s, s′ ) ∈ R, then Ms and Ms′ ′ are bisimilar, notation Ms ↔ Ms′ ′ (or R : Ms ↔ Ms′ ′ ). 4

⊣

Definition 6 (n-Bisimulation) Let n ∈ N. We define the notion of n-bisimulation R between (pointed) epistemic models Ms , Ms′ ′ , notation R : Ms ↔ n Ms′ ′ , by natural induction on n. A non-empty relation R ⊆ S × S ′ is a 0-bisimulation between Ms and Ms′ ′ , if and only if atoms holds for pair (s, s′ ). Then, R is a (n + 1)-bisimulation between Ms and Ms′ ′ , if and only if for all a ∈ A: • n-forth: For every t ∼a s there exists t′ ∼′a s′ such that R : Mt ↔ n Mt′′ ; • n-back: For every t′ ∼′a s′ there exists t ∼a s such that R : Mt ↔ n Mt′′ .

2.3

⊣

Semantics

We continue with the semantics of our logic. Definition 7 (Semantics) The interpretation of formulas in L on epistemic models is defined by induction on formulas. Assume an epistemic model M = (S, ∼, V ), and s ∈ S. Ms Ms Ms Ms Ms Ms

|= p |= ¬ϕ |= ϕ ∧ ψ |= Ka ϕ |= [ϕ]ψ |= ✷ψ

iff iff iff iff iff iff

s ∈ V (p) Ms 6|= ϕ Ms |= ϕ and Ms |= ψ for all t ∈ S : s ∼a t implies Mt |= ϕ Ms |= ϕ implies Msϕ |= ψ for all ϕ0 ∈ Lpl : Ms |= [ϕ0 ]ψ

where [[ϕ]]M := {s ∈ S | Ms |= ϕ}; and where epistemic model M ϕ = (S ′ , ∼′ , V ′ ) is such that: S ′ = [[ϕ]]M , ∼′a = ∼a ∩ ([[ϕ]]M × [[ϕ]]M ), and V ′ (p) := V (p) ∩ [[ϕ]]M . For (M ϕ )ψ we may write M ϕψ . ⊣ Formula ϕ is valid, notation |= ϕ, if for all Ms , Ms |= ϕ. The logic (set of validities) is called BAPAL. Given Ms and Ms′ ′ , if for all ϕ ∈ Lbapal , Ms |= ϕ iff Ms′ ′ |= ϕ, we write Ms ≡ Ms′ ′ . Similarly, if this holds for all ϕ with d(ϕ) ≤ n, we write Ms ≡n Ms′ ′ . Just as for the logical language, we may occasionally write M(P ), Ms (P ), BAPAL(P ), in order to be explicit about the parameter set of atoms P .

2.4

Semantic results

We continue with basic semantic results for the logic. They will be used in various of the later sections. Various well-known results for any dynamic epistemic logic with propositional quantification generalize straightforwardly to BAPAL and do not need proof. We start with the bisimulation invariance of BAPAL. Lemma 8 Let Ms , Ms′ ′ be epistemic models. Then Ms ↔ Ms′ ′ implies Ms ≡ Ms′ ′ . 5

⊣

The next lemma may look obvious but actually is rather special: it holds for BAPAL but not, for example, for APAL, where the quantifiers are over formulas of arbitrarily large modal depth. Lemma 9 plays a role in the expressivity Section 3. Lemma 9 Let two models Ms , Ns′ be given. If Ms ↔ n Ns′ , then Ms ≡n Ns′ .

⊣

Proof We prove the above by showing the following statement by induction (on n, and for a given n, induction on ϕ; n = 0 is obvious): For all n ∈ N, for all ϕ ∈ Lbapal with d(ϕ) ≤ n, for all models Ms , Ns′ : if Ms ↔ n Ns′ , then Ms |= ϕ iff Ns′ |= ϕ. We show two cases of the induction (the first is rather obvious, the second is crucial). Case ϕ = Ka ψ: Ms |= Ka ϕ ⇔ for all t ∼a s : Mt |= ϕ ⇔ for all t ∼a s : Nt′ |= ϕ ⇔ Ns′ |= Ka ϕ

d(ϕ) ≤ n − 1, and induction for n − 1

Case ϕ = ✷ψ: Ms |= ✷ψ ⇔ for all ϕ0 ∈ Lpl : Ms |= [ϕ0 ]ψ ⇔ for all ϕ0 ∈ Lpl : Ms |= ϕ0 implies Msϕ0 |= ψ ⇔ for all ϕ0 ∈ Lpl : Ns′ |= ϕ0 implies Nsϕ′ 0 |= ψ ⇔ Ns′ |= ✷ψ

(∗)

In step (*) we use that: (i) Ms |= ϕ0 iff Ns′ |= ϕ0 (as ϕ0 is boolean); (ii) if Ms ↔ n Ns′ , then for any ϕ0 ∈ Lpl , Msϕ0 ↔ n Nsϕ′ 0 ; (iii) Msϕ0 ↔ n Nsϕ′ 0 and induction on ψ entails that Msϕ0 |= ϕ iff Nsϕ′ 0 |= ϕ.  Lemma 10 Every formula of Lbapal is semantically equivalent to a formula in arbitrary announcement normal form. ⊣ Proof We give the proof by defining a truth preserving transformation δ from Lbapal to

6

Laanf . This is defined with the following recursion: δ(p) δ(ψ ∧ ψ ′ ) δ([α]p) δ([α](ψ ∧ ψ ′ )) δ([α][β]ψ) δ(✷ψ)

= = = = = =

p δ(ψ) ∧ δ(ψ ′ ) δ(α) → p δ([α]ψ ∧ [α]ψ ′ ) [δ(α ∧ [α]β)]δ(ψ) [⊤]✷δ(ψ)

δ(¬ψ) δ(Ka ψ) δ([α]¬ψ) δ([α]Ka ψ) δ([α]✷ψ)

= = = = =

¬δ(ψ) Ka δ(ψ) δ(α) → ¬δ([α](ψ)) δ(α) → Ka δ([α]ψ) [δ(α)]✷δ(ψ)

It is easy to see that every one of these equivalences is semantically valid, and that δ will always return a formula in Laanf .  A number of obvious BAPAL validities is as follows. Proposition 11 • |= ✷ϕ → ✷✷ϕ (4) • |= ✷✸ϕ → ✸✷ϕ (MK) • |= ✸✷ϕ → ✷✸ϕ (CR)

⊣

Proof • The dual validity ✸✸ϕ → ✸ϕ follows from the simple observation that for all ϕ0 , ψ0 ∈ Lpl and for all M: M ϕ0 ψ0 = M ϕ0 ∧ψ0 .2 • MK is shown in the usual way. Assume that Ms |= ✷✸ϕ. Given the set v(ϕ) of propositional variables occurring in ϕ, let δs (ϕ) be the characteristic function for the δ (ϕ) valuation of v(ϕ) in state s. We then have Ms |= [δs (ϕ)]✸ϕ, and Ms s |= ✸ϕ. δs (ϕ) As Ms is v(ϕ)-bisimilar to a singleton model, and because on singleton models ✸ϕ ↔ ϕ and ✷ϕ ↔ ϕ are valid (and because restricted bisimilarity to a singleton δ (ϕ) model implies modal equivalence in the restricted language), from Ms s |= ✸ϕ δs (ϕ) follows Ms |= ✷ϕ. Thus Ms |= hδs (ϕ)i✷ϕ, and Ms |= ✸✷ϕ. • In order to prove CR we have to show that: for all ϕ0 , ψ0 ∈ Lpl and for all M, ′ ′ there are ϕ′0 , ψ0′ ∈ Lpl such that M ϕ0 ϕ0 ↔ M ψ0 ψ0 . The obvious choice is ϕ′0 = ψ0 and ψ0′ = ϕ0 , as ′

′

M ϕ0 ϕ0 = M ϕ0 ψ0 = M ϕ0 ∧ψ0 = M ψ0 ∧ϕ0 = M ψ0 ϕ0 = M ψ0 ψ0 .3  2 So, this is a more direct proof than in [3], where it is used that M ϕψ is bisimilar to M ϕ∧[ϕ]ψ . For ϕ, ψ ∈ 6 Lpl , M ϕψ is typically not bisimilar to M ϕ∧ψ . 3 So, the proof of CR for BAPAL is easier than for other quantified epistemic logics, where we ‘close the diamond at the bottom’: we then declare the values of all atoms, i.e., ϕ′0 = ψ0′ = δs (ϕ).

7

We will now define novel notion of boolean closure, and prove some lemmas for it. These will play a role in proving the soundness of the axiomatization of the logic BAPAL, later. Definition 12 (Boolean closure) Given atoms P , consider P¨ = P ∪{pϕ0 | ϕ0 ∈ Lpl (P )}. ¨ = (S, ∼, V¨ ) The boolean closure of a model M = (S, ∼, V ) for atoms P is the model M that is as M, except that the boolean closed valuation V¨ is for atoms P¨ and such that V¨ (p) = V (p) for p ∈ P and V¨ (pϕ0 ) = V (ϕ0 ) for pϕ0 ∈ P¨ \ P . ⊣ As P is countably infinite, and as the booleans on P can be enumerated, P¨ is also countably infinite. Given an epistemic model, then for each atom and for each boolean there are also infinitely many atoms with the same value on the boolean closure of that model. E.g., p has the same value as pp∧p (i.e., the atom q corresponding to the boolean p ∧ p), and the same value as pp∧p∧p (the atom q ′ corresponding to boolean p ∧ p ∧ p), etc. ¨ for all booleans, including booleans of atoms in P¨ \ P , On a boolean closed model M, there is an atom with the same value, so that the semantics of ✷ becomes: ¨ s |= ✷ψ iff for all p ∈ P¨ : M ¨ s |= [p]ψ M ¨ = (S, ∼, V¨ ) be its Lemma 13 Let model M = (S, ∼, V ) for atoms P be given, let M ¨ boolean closure, and let ψ ∈ Lbapal (P ). Consider the translation tr : Lbapal (P¨ ) → Lbapal (P ) such that tr(pϕ0 ) = ϕ0 for pϕ0 ∈ P¨ \ P and all other clauses trivial. Then: ¨ s |= ψ iff Ms |= tr(ψ). M

⊣

Proof The proof is by induction on ψ. The interesting cases are: Case ψ = q: ¨ s |= q iff Ms |= q. If q ∈ P¨ \ P (and such that q = pϕ0 ), then M ¨ s |= q iff If q ∈ P , then M Ms |= ϕ0 . Case ψ = ✷ψ ′ : ¨ s |= ✷ψ ′ M ⇔ ¨ s |= [q]ψ ′ for all q ∈ P¨ , M ⇔ ¨ s |= [ϕ0 ]ψ ′ for all ϕ0 ∈ Lpl (P ), M ⇔ ¨ s |= ϕ0 implies M ¨ sϕ0 |= ψ ′ for all ϕ0 ∈ Lpl (P ), M ⇔ (∗) IH ϕ0 ′ for all ϕ0 ∈ Lpl (P ), Ms |= ϕ0 implies Ms |= tr(ψ ) ⇔ for all ϕ0 ∈ Lpl (P ), Ms |= [ϕ0 ]tr(ψ ′ ) ⇔ Ms |= tr(✷ψ ′ ). ¨ s |= ϕ0 iff Ms |= ϕ0 , where tr(ϕ0 ) = ϕ0 , and In step (*) we use that by induction, M ′ ′ ϕ ϕ ¨ s 0 |= ψ iff Ms 0 |= tr(ψ ).  M 8

¨ s |= ψ iff Ms |= ψ, because in that case tr(ψ) = ψ. Corollary 14 Let ψ ∈ L(P ). Then M The following result will be needed to show the soundness of a rule in the axiomatization of BAPAL. As a similar result from the literature ([3, Prop. 3.7]) was later shown false, we give the proof in full detail. An atom q is fresh in a formula ϕ containing it, if ϕ does not contain another occurrence of q. Lemma 15 Let ψ{♯} be a possibility form, and M = (S, ∼, V ) an epistemic model. If ¨ s |= ψ{hpiϕ} for a fresh p ∈ P¨ . Ms |= ψ{✸ϕ} then M ⊣ Proof The proof is by induction on the structure of possibility forms. Case ♯: Let Ms |= ✸ϕ. Then, there is a ϕ0 ∈ Lpl such that Ms |= hϕ0 iϕ. Therefore ¨ s |= hpϕ0 iϕ. As pϕ0 ∈ P¨ \ P , pϕ0 is fresh. Note that it could have been that ϕ0 = p ∈ P , M but even so the variable pp is then different from variable p with the same value. Case ψ ∧ ξ{♯}: Ms |= ψ ∧ ξ{✸ϕ} ⇔ Ms |= ψ and Ms |= ξ{✸ϕ} ⇔ induction & Lemma 13 ¨ s |= ψ and M ¨ s |= ξ{hpiϕ} M ⇔ ¨ s |= ψ ∧ ξ{hpiϕ} M Note that, as p is fresh in ξ{hpiϕ} and p ∈ P¨ \ P , p remains fresh in ψ ∧ ξ{hpiϕ}. ˆ a ξ{♯}: Case K ˆ a ξ{✸ϕ} Ms |= K ⇔ ∃t ∼a s such that Mt |= ξ{✸ϕ} ⇔ ¨ t |= ξ{hpiϕ} ∃t ∼a s such that M ⇔ ¨ s |= K ˆ a ξ{hpiϕ} M Ms ⇔ Ms ⇔ ¨s M ⇔ ¨s M

induction

Case hψiξ{♯}: |= hψiξ{✸ϕ} |= ψ and Msψ |= ξ{✸ϕ} induction & Lemma 13

¨ ψ |= ξ{hpiϕ} |= ψ and M s

|= hψiξ{hpiϕ} Again, as p is fresh in ξ{hpiϕ} and p ∈ P¨ \ P , p remains fresh in hψiξ{hpiϕ}.

9



Lemma 16 Let ϕ ∈ Lbapal (P ) and p ∈ var(ϕ), and let Ms be an epistemic model. If ϕ is ¨ s |= ϕ[q/p] for any q ∈ P¨ \ P . valid, then M ⊣ Proof Let ϕ be a validity in BAPAL(P ). We first show that, if P ⊆ Q, then ϕ is a validity in BAPAL(Q). It is more intuitive to show the contrapositive (where we replace ϕ by ¬ϕ): if ϕ is satisfiable for BAPAL(Q), then ϕ is satisfiable for BAPAL(P ). We now first prove by induction on ϕ ∈ Lbapal (P ) that for all Ms (Q), Ms (Q) |= ϕ implies Ms (P ) |= ϕ. The only non-trivial case is when ϕ = ✸ϕ′ . Case ϕ = ✸ϕ′ : Suppose Ms (Q) |= ✸ϕ′ . Then there is ψ0 ∈ Lpl (Q) such that Ms (Q) |= hψ0 iϕ′ , and therefore Ms (Q) |= ψ0 and Msψ0 (Q) |= ϕ′ . For any atom q ∈ var(ψ0 ) such that q ∈ Q \ P , choose a fresh atom p′ ∈ P (fresh with respect to ψ0 and ϕ′ , and with respect to prior choices of such atoms in var(ψ0 )), and transform M into N = (S, ∼, V ′ ) with V ′ (p′ ) = V (q) and V ′ (q) = V (p′ ). Let ψ0′ ∈ Lpl (P ) be the result of all such substitutions. It is clear that Ms (Q) |= ψ0 iff Ns (Q) |= ψ0′ and that [[ψ0 ]]M = [[ψ0′ ]]N . We also have ψ′ Msψ0 (Q) |= ϕ′ iff Ns 0 (Q) |= ϕ′ , as the value of ϕ′ does not depend on swapping variables not occurring in it. By induction, and as ψ0′ ∈ Lbapal (P ), Ns (Q) |= ψ0′ implies Ns (P ) |= ψ0′ . Also by ψ′ ψ′ ψ′ induction, Ns 0 (Q) |= ϕ′ implies Ns 0 (P ) |= ϕ′ . From Ns (P ) |= ψ0′ and Ns 0 (P ) |= ϕ′ follows Ns (P ) |= ✸ϕ′ . Now observe that Ns (P ) and Ms (P ) only differ in variables not occurring in ✸ϕ′ , so that Ns (P ) |= ✸ϕ′ iff Ms (P ) |= ✸ϕ′ . Therefore, Ms (P ) |= ✸ϕ′ . We can now quickly close the argument. Let ϕ be satisfiable for Q. Then there is Ms (Q) such that Ms (Q) |= ϕ. Using the above, Ms (P ) |= ϕ. Therefore ϕ is satisfiable for P. This proves that, if ϕ is valid for P , and P ⊆ Q, then ϕ is valid for Q. We continue. Clearly P ⊂ P¨ . So, if ϕ is a validity of BAPAL(P ), then ϕ is a validity of BAPAL(P¨ ). We now use that, for any validity ϕ′′ in a logic BAPAL(P ′′ ), p′′ ∈ P ′′ , and fresh q ′′ ∈ P ′′ , ϕ[q ′′ /p′′ ] is also a BAPAL(P ′′ ) validity. Therefore, given that ϕ is a validity of BAPAL(P¨ ) and a (obviously) fresh q ∈ P¨ \ P , also ϕ[q/p] is a validity of BAPAL(P¨ ). Here is it important to observe that this is a validity for the epistemic model class for variables P¨ , it is not relative to boolean closed models. In other words, the value of q, if q = pχ0 , need not be related to the boolean χ0 . But, fortunately, a boolean closed model for P , is after ¨ s |= ϕ[q/p]. all a model for P¨ . Therefore, also M 

3

Expressivity

Given two logics X and Y , with languages respectively LX and LY : • X is at least as expressive as Y iff for all ϕ ∈ LY there is a semantically equivalent ψ ∈ LX ; • X and Y are equally expressive iff X is at least as expressive as Y , and Y is at least as expressive as X; 10

• X is (strictly) more expressive than Y iff X is at least as expressive as Y and Y is not at least as expressive as X. We show that BAPAL is more expressive than EL and that BAPAL is not as least as expressive as other known logics with quantification over announcements: APAL, GAL. It is not known if APAL and GAL are at least as expressive as BAPAL.4 Proposition 17 BAPAL is more expressive than EL.

⊣

Proof To prove that BAPAL is more expressive than EL we first observe that Lel ⊆ Lbapal , so that BAPAL is at least as expressive as EL, and we then observe that the (standard) proof that EL is not at least as expressive as APAL [3] can also be used to show that EL is not at least as expressive as BAPAL. We recall that in that proof, the formula ✸(Ka p∧¬Kb Ka p) is shown not to be equivalent to an epistemic logical formula ψ, because, given a propositional variable q not occurring in ψ, two models that are bisimilar except for q will either make ψ true in both or false in both, whereas ✸(Ka p ∧ ¬Kb Ka p) may be true in one and false in the other, as it implicitly quantifies over variable q as well: we can easily make hqi(Kap ∧ ¬Kb Ka p) true in one and false in the other, as shown below. As the announcement witnessing the diamond is a boolean, this also proves the case for BAPAL. Ms :

{p}

a

Ms′ ′ :

{}

{p, q}

a

{} b

b {p, q}

{p, q}

{q}

a

{q}



Proposition 18 BAPAL is not at least as expressive as APAL.

⊣

Proof Consider (again, but to other usage) Lapal formula ✸(Ka p ∧ ¬Ka Kb p). Let us suppose that there exists an equivalent Lbapal formula ψ. Given the modal depth d(ψ) of ψ, consider the following two models Nt , Ot′ , with a difference between them further away from the root than d(ψ), ensuring that Nt ↔ d(ψ) Ot′ . Note that the model Nt is the unwinding of the model Ms also used in the previous proposition. Ms{} :

{}

Nt :{}

{}

: Ot′ {}

{}

{p}

{p} a a

{p} {p}

b b

{p} {p}

a a a

{} {} {}

b b

{}

{p}

{p}

{}

{p}

{p}

{}

> d(ψ)

{p}

b

{p}

4 To prove that, one would somehow have to show that the BAPAL ✷ in a given formula ✷ϕ can be ‘simulated’ by a APAL ✷ that is properly entrenched in preconditions and postconditions relative to ϕ, thus providing an embedding of Lbapal into Lapal . This seems quite hard.

11

: Otξ′ {}

{}

a

{p}

b

{p}

{}

{}

{p}

{p}

We use Lemma 9 that n-bisimilarity implies n-logical equivalence: from Nt ↔ d(ψ) Ot′ it follows that Nt ≡d(ψ) Ot′ and thus, as the formula ψ itself has depth d(ψ), that Nt |= ψ iff Ot′ |= ψ (i). On the other hand, Nt 6|= ✸(Ka p ∧ ¬Ka Kb p) (obviously, consider the bisimilar Ms ) whereas Ot′ |= ✸(Ka p ∧ ¬Ka Kb p). Concerning the latter, the rightmost world in O is the unique world satisfying Ka p. Using that, we can distinguish every finite subset in O. Therefore, there is some ξ such that O ξ is as depicted, so that Ot′ |= hξi(Ka p ∧ ¬Ka Kb p), and thus Ot′ |= ✸(Ka p ∧ ¬Ka Kb p). This is a contradiction with (i). Therefore, no such ψ ∈ Lbapal exists.  As a corollary of Proposition 18 we can very similarly show that BAPAL is not at least as expressive as GAL, as in GAL we also quantify over announcements of arbitrarily large modal depth.

4

Axiomatization

We now provide a sound and complete finitary axiomatisation for boolean arbitrary announcement logic. Definition 19 (Axiomatization bapal bapal) This is the axiomatization bapal of BAPAL. P T 5 AN AK A✷ NecK

propositional tautologies Ka ϕ → ϕ ¬Ka ϕ → Ka ¬Ka ϕ [ϕ]¬ψ ↔ (ϕ → ¬[ϕ]ψ) [ϕ]Ka ψ ↔ (ϕ → Ka [ϕ]ψ) ✷ϕ → [ψ0 ]ϕ where ψ0 ∈ Lpl ϕ implies Ka ϕ

K 4 AP AC AA MP NecA R✷

Ka (ϕ → ψ) → (Ka ϕ → Ka ψ) K a ϕ → Ka K a ϕ [ϕ]p ↔ (ϕ → p) [ϕ](ψ ∧ χ) ↔ ([ϕ]ψ ∧ [ϕ]χ) [ϕ][ψ]χ ↔ [ϕ ∧ [ϕ]ψ]χ ϕ and ϕ → ψ imply ψ ϕ implies [ψ]ϕ ψ → [η][p]ϕ implies ψ → [η]✷ϕ where p fresh ⊣

The rules and axioms in bapal are as in the axiomatization of APAL, except for the axiom A✷ and the derivation rule R✷. A formula ϕ is a theorem (notation ⊢ ϕ) if it belongs to the least set of formulas containing all axioms and closed under the derivation rules. The main interest of bapal is that it is finitary, unlike other known axiomatizations for logics with quantification over announcements [3, 1, 12]. Essential towards proving that result is Lemma 15, stating that every diamond ✸ in a possibility form is witnessed by the announcement hpi of a fresh variable.5 5

A similar lemma and finitary axiomatization reported for APAL [3] are in fact incorrect, see http://personal.us.es/hvd/errors.html, although for APAL the infinitary axiomatization stands [3, 4].

12

To demonstrate soundness and completeness of the axiomatization bapal we can (still) use the line of reasoning in [3]. We will only sketch the argument found in there, and point out the crucial differences and important details for the comprehension. We start with soundness. The soundness of axiom A✷ directly follows from the semantics of ✷. To establish the soundness of rule R✷, consider three versions of this derivation rule. • R✷ω : ( ξ([ϕ0 ]ϕ) for all ϕ0 ∈ Lpl ) implies ξ(✷ϕ). • R✷1 : ( ξ([p]ϕ) for a fresh p ∈ P ) implies ξ(✷ϕ). • R✷: ( ψ → [η][p]ϕ for a fresh p ∈ P ) implies ψ → [η]✷ϕ. We can analogously consider three axiomatizations: • bapal ω = bapal − R✷ + R✷ω • bapal 1 = bapal − R✷ + R✷1 • bapal We show that all three of R✷ω , R✷1 , and R✷ are sound, and that all three axiomatizations are sound and complete. It is thus a matter of taste which one is preferred. Note that bapal ω is infinitary whereas bapal 1 and bapal are finitary. Finitary axiomatizations are considered preferable over infinitary axiomatizations. Both bapal 1 and bapal have (an instantiation of) a necessity form as premisse; the difference is that ψ → [η][p]ϕ is a particular necessity form whereas ξ([p]ϕ) can be any necessity form. As R✷ is more restrictive in logical structure it may be considered preferable, but admittedly this is really more a matter of taste. The soundness of rule R✷ω directly follows from the semantics of ✷. We now show that the derivation rule R✷1 is sound. This is the main technical result of this section, wherein we use results for the boolean completions of models introduced in Section 2. Proposition 20 Derivation rule R✷1 is sound.

⊣

Proof Let, for any ψ(η) ∈ Lbapal (where ψ(♯) is a necessity form), ψ ′ {¬η} (where ψ ′ {♯} is a possibility form) be equivalent to ¬ψ(η). Suppose that ξ([p]ϕ) ∈ Lbapal (P ) is valid where p is fresh. Let M be any epistemic ¨ s |= ξ([q]ϕ) for any fresh atom q ∈ p¨ \ P . model. Then from Lemma 16 follows that M ¨ s |= ξ ′ {hqi¬ϕ} where Therefore it is not the case that: there is a q ∈ P¨ \ P such that M q is fresh. By applying the contrapositive of Lemma 15, we obtain Ms 6|= ξ ′{✸¬ϕ}, i.e., Ms |= ξ(✷ϕ).  Corollary 21 Derivation rule R✷ is sound.

⊣

Theorem 22 bapal is sound.

⊣ 13

We proceed to show that the three axiomatizations are complete, by way of showing that they all define the same set of theorems. Proposition 23 ([4]) bapal ω is complete.

⊣

Proof (Rough sketch.) The infinitary axiomatization can be shown to be complete along exactly the same lines as the completeness proof in [4].6 The soundness was already mentioned above. The completeness part involves a canonical model construction and a fairly involved complexity measure and truth lemma with induction and subinduction using that complexity.  Lemma 24 ([3]) A derivation in bapal 1 can be transformed into a derivation in bapal bapal.⊣ Proof (We sketch the proof found in [3].) A rule application of R✷1 in a derivation can be transformed into a rule application of R✷ plus additional derivation steps. Consider the following equivalences: [η](χ → ψ) ↔ [η]χ → [η]ψ [η]Ka ψ ↔ η → Ka [η]ψ [η][χ]ψ ↔ [η ∧ [η]χ]ψ All three push the announcement deeper into the formula. Starting with a formula of shape ξ([p]ϕ) (and where the subformula [p]ϕ takes the role of ψ in the equivalences above), then by iterating these (provable) equivalences we can obtain a formula of shape . . . [η][p]ϕ, i.e., where a single announcement η binds the formula [p]ϕ. However, it may not have shape . . . → [η][p]ϕ but shape . . . Ka [η][p]ϕ. The latter can be transformed into the former by iterated application of the (S5) equivalence x → Ka y ˆ a x → y. iff K The now resulting formula may still not have shape ψ → [η][p]ϕ but shape (. . . → (. . . → [η][p]ϕ)). The latter can be transformed into the former by lumping all antecedents of implications into a conjunction.  With these results we can now easily demonstrate that not only bapal ω but also the other two axiomatizations are complete and define the same set of theorems. Below, let the name of the axiomatization stand for the set of derivable theorems. • bapal ω ⊆ bapal 1 : A derivation with R✷ω rule applications (with, for each such application, an infinite number of premisses, one for each boolean) can be transformed into one with R✷1 rule applications by removing all but one premise (namely, keep one for a fresh boolean p) in each such R✷ω rule application. • bapal 1 = bapal bapal: A derivation with R✷1 rule applications can be transformed into one with R✷ rule applications by employing the (derivable) equivalences in the transformation spelled out above (Lemma 24). The other direction (of the mutual inclusion) is trivial, as a R✷ rule application is also a R✷1 rule application. 6

The proof in [4] is an improvement on the version found in [3]

14

• bapal ⊆ bapal ω : Here we use completeness of bapal ω . Let a bapal theorem be given. Using soundness of bapal bapal, we obtain that it is valid. The completeness proof ω of bapal involves showing that every bapal ω consistent formula is satisfiable. In other words, all BAPAL validities are bapalω theorems. So, our bapal theorem, that is a BAPAL validity, is a bapal ω theorem. Theorem 25 bapal is complete.

5

⊣

Decidability of the satisfiability problem

To show that BAPAL is decidable we give a procedure to find a finite model of any satisfiable formula. The correctness of this procedure is shown by induction over the depth of the nesting of the ✷ operator. In this section, let ϕ ∈ Lbapal be the given formula for which we are to determine satisfiability, let Ag(ϕ) be the set of agents appearing in ϕ, and let D(ϕ) be the maximum nesting of ✷ operators in ϕ. We recall that var(ϕ) is the set of propositional variables that appear in ϕ. Lemma 10 demonstrated that we may assume without loss of generality that ϕ is in Laanf , and consequently that all ✷ operators are necessarily coupled with a single public announcement operator, and vice versa. To model arbitrary boolean announcements we introduce a set of fresh atoms to represent all the announcements that can be made within a model. Let ψ ⊆ ϕ denote that ψ is a subformula of ϕ, and let |ϕ| denote the number of symbols in ϕ. Definition 26 (Closure) 1. We define cl(ϕ), the closure of ϕ, inductively so that: • cl(ϕ) = {ψ, ¬ψ | ψ ⊆ ϕ} if d(ϕ) = 0, and • cl(ϕ) = {ψ, ¬ψ | ψ ⊆ ϕ} ∪ {Ka ψ ′ , ¬Ka ψ ′ | Ka ψ ⊆ ϕ and ψ ′ ∈ cl(ψ)}. Note that in the second clause d(ψ) < d(ϕ), so the definition is well-founded. 2. For all x ≥ 0 let the x-closure set of ϕ be clx (ϕ) = {ψ ∈ cl(ϕ)| D(ψ) ≤ x} ∪ {⊤}. |ϕ|2

3. Let the extended closure of ϕ be cl∗ (ϕ) = clD(ϕ) ∪ {pk | k ≤ 22 |ϕ|2

k ≤ 22

}, where for all

, pk does not appear in ϕ. 2

As the size of cl(ϕ) is less than 2|ϕ| , the number of subsets of cl(ϕ) must be less than |ϕ|2 22 . ⊣ The fresh atoms k are intended to label the boolean announcements that may be made. |ϕ|2

Let B(ϕ) = ℘(℘(var(ϕ) ∪ {pk | k < 22 })). The set B(ϕ) is sufficient to represent all boolean formulas that may be built from atoms in ϕ along with the introduced atoms. 15

That is, every boolean formula may be represented by the set of precisely the sets of atoms that validate that formula. We define the propositionally consistent sets as below. Definition 27 Given ϕ, the set of maximal ϕ-sets is the set Σ ⊂ ℘(cl∗ (ϕ)) such that: 1. ∀σ ∈ Σ, ∀¬ψ ∈ cl(ϕ), either ψ ∈ σ or ¬ψ ∈ σ. 2. ∀σ ∈ Σ, ∀ψ ∧ ψ ′ ∈ cl(ϕ), ψ ∧ ψ ′ ∈ σ if and only if ψ ∈ σ and ψ ′ ∈ σ. 3. ∀σ ∈ Σ, Ka ψ ∈ σ implies ψ ∈ σ.

⊣ ϕ |2

Given s ∈ Σ and β ∈ B(ϕ) we say s |= β if s ∩ (var(ϕ) ∪ {pk | k ≤ 22 }) = β. We now take the propositionally consistent subsets as the worlds to define a set of models. The set of models are defined with the intention that every satisfiable formula in cl(ϕ) should be satisfied by some model in this set. Definition 28 Given ϕ, let the set of canonical-ϕ-models, C, be the largest set of models such that M = (S M , ∼M , V M ) ∈ C if and only if: 1. S M ⊆ Σ; 2. for s, t ∈ S M , s ∼a t if and only for all Ka ψ ∈ cl(ϕ), Ka ψ ∈ s if and only if Ka ψ ∈ t; 3. for all p ∈ cl∗ (ϕ), for all s ∈ S M , s ∈ V M (p) if and only if p ∈ s; 4. for all s ∈ S M , for all ¬Ka ψ ∈ s, there is some t ∈ S M where t ∼a s and ¬ψ ∈ t; 5. for all [α]✷ψ ∈ cl(ϕ), for all s ∈ S M , [α]✷ψ ∈ s if and only if for all β ∈ B(ϕ) such that s |= β, for all N ∈ C, for all t ∈ S N such that Nt ↔ Msαβ , we have ψ ∈ t; where M αβ = (X, ∼′ , V ′ ) for X = {s ∈ S M | α ∈ s, s |= β}, such that for each a ∈ A, ∼′a = ∼a ∩ (X × X), and for each p ∈ P , V ′ (p) = V (p) ∩ X. ⊣ For this definition to be well-founded, it is required that for any two sets of models satisfying clauses 1–5, their union also satisfies these clauses. Fortunately, this is the case. Lemma 29 Given any two sets of models A and B satisfying conditions 1–5 of Definition 28, the set of models A ∪ B also satisfies the five clauses. ⊣ Proof The first four clauses are immediate, since they only depend on the individual model. Suppose for contradiction, that for some M ∈ A, for some s ∈ S M , [α]✷ψ ∈ s, and for some β ∈ B(ϕ) where s |= β, for some N ∈ B, there is t ∈ S N where Nt ↔ Msαβ and ψ ∈ / t. Furthermore suppose that ψ is the smallest such formula where this holds. As A satisfies clauses 1-5, there must be some model O, with u ∈ S O , where Ou ↔ Msαβ and ψ ∈ u. Therefore, Ou ↔ Nt . From the facts that A and B satisfy the five clauses and Ou ↔ Nt , n and t will agree on the propositional and modal interpretation of every formula. 16

So if ψ ∈ t − u (i.e., ψ ∈ t but ψ ∈ / u), this means that there must be some subformula [α′ ]✷ψ ′ ⊆ ψ with [α′ ]✷ψ ′ ∈ (t − u) ∪ (u − t). Suppose, without loss of generality, that [α′ ]✷ψ ′ ∈ t, Then because [α′ ]✷ψ ′ ∈ / u, for some β ∈ B(ϕ) where t |= β, there is some ′ ′ N′ ′ ↔ α′ β / t′ . However, ψ ′ ⊂ ψ contradicts the fact N ∈ B and t ∈ S where Nt′ Ou and ψ ′ ∈ that ψ was the smallest such formula for which this could happen.  Therefore, we are entitled to define C as the largest set of models satisfying the five clauses. We project models into the set C with the following transformation. Definition 30 Given some model M = (S M , ∼M , VTM ), then for all u ∈ S M , let uϕ = {ψ ′ ∈ cl(ϕ) | Mu |= ψ ′ }, and for all T ⊆ S M , T ϕ = {sϕ | s ∈ T }. Suppose also that the subsets of ℘(cl(ϕ)) are enumerated as θ0 , . . . , θ2|cl(ϕ)| . For each s ∈ S M , let s ∈ Σ be such that o n p | ∃p ∈ P, s ∈ V M (p) and V M (p)ϕ = θ k k . s = sϕ ∪ ¬pk | ∀p ∈ P, s ∈ V M (p) implies V M (p)ϕ 6= θk Then, the ϕ-projection of M is the model M where: 1. S M = {s | s ∈ S M }; M M 2. for all σ, τ ∈ S M , for all a ∈ A, σ ∼M a τ if and only if for some s, t ∈ S , s ∼a t, s = σ and t = τ ;

3. for all p ∈ P , for all σ ∈ S N , σ ∈ V M (p) if and only if p ∈ σ.

⊣

Our approach now is to show that: 1. The ϕ-projection preserves the interpretation of formulas from cl(ϕ). 2. The ϕ-projection is idempotent. That is, for all s ∈ S M , we have M s ↔ M s . 3. For every model M, M ∈ C. We first show that the ϕ-projection preserves the interpretation of formulas. Lemma 31 For all ψ ∈ cl(ϕ) for all models M, for all s ∈ S M , Ms |= ψ if and only if M s |= ψ. Proof We can proceed by induction over the complexity of ψ. • For ψ ∈ P , Ms |= ψ if and only if ψ ∈ s, if and only if s ∈ V M (ψ), if and only if M s |= ψ. • For ψ = ψ ′ ∧ ψ ′′ , Ms |= ψ if and only if Ms |= ψ ′ and Ms |= ψ ′′ . By the induction hypothesis, Ms |= ψ ′ if and only if M s |= ψ ′ , and likewise for ψ ′′ . Therefore, Ms |= ψ ′ ∧ ψ ′′ if and only if M s |= ψ ′ ∧ ψ ′′ . 17

• For ψ = ¬ψ ′ , Ms |= ¬ψ ′ if and only if Ms 6|= ψ ′ , if and only if M s 6|= ψ ′ (by the induction hypothesis), if and only if M s |= ¬ψ ′ . • For ψ = Ka ψ ′ , suppose Ms |= ψ. For each τ ∈ S M , where s ∼a τ , there is some pair s′ , t′ ∈ S M such that s′ ∼a t′ , s′ = s and t′ = τ . Therefore ψ ∈ s′ , so Ms′ |= Ka ψ ′ , and for all such t′ we have Mt′ |= ψ ′ . By the induction hypothesis we have M t′ |= ψ ′ , ′ ′ and hence for all τ ∈ S M , if s ∼M a τ then M τ |= ψ . Hence M s |= Ka ψ . Conversely, suppose that M s |= Ka ψ ′ . Then for every t ∈ S M where t ∼M a s we have ′ ′ M t ∼ s. As M s |= Ka ψ , it follows that M t |= ψ , and by the induction hypothesis, ′ Mt |= ψ ′ . As this holds for all t where s ∼M a t, we have Ms |= Ka ψ . • For ψ = [α]✷ψ ′ , if Ms 6|= α then the results follows immediately from the induction hypothesis. Where Ms |= α we observe the following equivalences: Ms |= [α]✷ψ ′

⇐⇒ ⇐⇒ ⇐⇒ ⇐⇒

Msα |= ✷ψ ′ ∀ϕ0 ∈ Lpl , Msα |= [ϕ0 ]ψ ′ ∀ϕ0 ∈ Lpl , Msα |= ϕ0 implies Msαϕ0 |= ψ ′ ∀ϕ0 ∈ Lpl , M α s |= ϕ0 implies M αϕ0 s |= ψ ′

Here we can see that for all ϕ0 ∈ Lpl , for every atom p appearing in ϕ0 , there is some θk = {uϕ | u ∈ S M , Muα |= p}. Therefore there is some β ∈ B(ϕ) such that β α M αϕ0 = M α . By the induction hypothesis, we have M α = M , since M and M agree on the interpretation of α. So it follows that for all ϕ0 ∈ Lpl , there is some αβ β = pk ∈ B(ϕ) where M αϕ0 = M . Likewise for every β ∈ B(ϕ), there is some αβ ϕ0 ∈ Lpl where M αϕ0 = M , and so αβ

∀ϕ0 ∈ Lpl , M αϕ0 s |= ψ ′ ⇐⇒ ∀β ∈ B(ϕ), M s |= ψ ′ . Continuing: αβ

⇐⇒ ⇐⇒

∀β ∈ B(ϕ), M s |= ψ ′ α M s |= ✷ψ ′ M s |= [α]✷ψ ′ 

We note that by Definition 30 we have the simple corollary that for all ψ ∈ cl(ϕ), M s |= ψ if and only if ψ ∈ s. Next we show that ϕ-projection is idempotent. Lemma 32 For all s ∈ S M , we have M s ↔ M s .

18

⊣

Proof This proof is relatively straightforwardly following from Lemma 31. We show that the relation {(s, s) | s ∈ S M } meets the criteria for a bisimulation. • atoms: By Lemma 31, for all ψ ∈ cl(ϕ), we have M s |= ψ if and only if M s |= ψ, so the relation preserves the interpretation of atoms. M • forth: By Definition 30, for all s, t ∈ S M , where s ∼M a t, we have s ∼a t, so the forth clause holds. M • back: For all s ∈ S M , for all τ ∼M where u = s, v = τ , and a s, there are u, v ∈ S M u ∼a v. By Lemma 31 for all ψ ∈ cl(ϕ) we have ψ ∈ u if and only if ψ ∈ u if and only if ψ ∈ s if and only if ψ ∈ s, it follows that s = u. Therefore s ∼M a v and v = τ , so the back clause holds. 

Finally we show that the image of the ϕ-projection must be in the set of ϕ-canonical models. Lemma 33 For every model M, M ∈ C.

⊣

Proof Let M = (S M , ∼M , V M ). We consider the clauses of Definition 28 in turn: 1. For s ∈ S M , s ⊆ cl∗ (ϕ), so S M ⊆ Σ. 2. From Definition 30 for all σ, τ ∈ S M where σ ∼a τ we have some s, t ∈ S M where s ∼M a t, s = σ and t = τ . Then Ka ψ ∈ σ ∩ cl(ϕ) if and only Ms |= Ka ψ if and only if Mt |= Ka ψ if and only if Ka ψ ∈ τ . 3. For all p ∈ cl∗ (ϕ), for all σ ∈ S M , σ ∈ V M if and only p ∈ σ. This is guaranteed by clause 3 of Definition 30. 4. Suppose ¬Ka ψ ∈ σ ∈ S M . Therefore there is some s ∈ S M where s = σ, so Ms |= ¬Ka ψ. It follows that there is some t ∈ S M where t ∼a s and Mt |= ¬ψ. From Definition 30, there is τ ∈ S M where σ ∼a τ and t = τ , so ¬ψ ∈ τ . 5. Here we apply an inductive argument. We must show for all σ ∈ S M , for all [α]✷ψ ∈ clx (ϕ), [α]✷ψ ∈ σ if and only if for every β ∈ B(ϕ) where σ |= β, for all N ∈ C, for all αβ τ ∈ S N where Nτ ↔ M σ , we have ψ ∈ τ . Additionally, we include in our induction hypothesis, that for all ψ ∈ clx (ϕ), ψ ∈ σ if and only if M σ |= ψ. The base case of this induction, x = 0, is straightforward, as there are no formulas [α]✷ψ ∈ cl0 (ϕ), and the correspondence ψ ∈ σ if and only if M σ |= ψ is guaranteed by the previous four clauses. Now suppose that [α]✷ψ ∈ σ ∩ clx (ϕ). Again, the previous four clauses will provide the correspondence between ψ ∈ σ and M σ |= ψ for the modal and propositional cases, leaving us to consider the announcement operator. Then there is some s ∈ S M 19

where s = σ and Ms |= [α]✷ψ. If Ms 6|= α, then the clause is vacuously true, αβ since by Lemma 31, M σ 6|= α, so there is no pointed model M s . Now suppose for contradiction, there is some β ∈ B(ϕ) such that for some N ∈ C, for some τ ∈ S N , αβ / τ . By the induction hypothesis, we have Nτ |= ¬ψ. As Lbapal Nτ ↔ M σ and ψ ∈ αβ is bisimulation invariant we have, M σ |= ¬ψ. From the argument presented in Lemma 31, there is some ϕ0 ∈ Lpl such that M αϕ0 σ |= ¬ψ. Therefore, there is some s ∈ S M where Ms |= hαi⋄¬ψ and s = σ. It follows from the propositional consistency αβ of σ that [α]✷ψ ∈ / σ, giving the required contradiction. Hence for every Nτ ↔ M σ αβ

it must be that ψ ∈ τ . From Lemma 32, for any β ∈ B(ϕ) we have N = M ∈ C αβ and hence Ns ↔ M σ implies Ns |= [α]✷ψ. By the bisimulation invariance of Lbapal (Lemma 8) we have M σ |= [α]✷ψ as required. Conversely, suppose for every β ∈ B(ϕ) where σ |= β, for all N ∈ C, for all τ ∈ S N αβ where Nτ ↔ M σ , we have ψ ∈ τ . By the induction hypothesis we have Nτ |= ψ and αβ

hence for every β ∈ B(ϕ), M σ |= ψ. Therefore M σ |= [α]✷ψ, and [α]✷ψ ∈ σ from Lemmas 31 and 32.  We can now put everything together. Corollary 34 For all ψ ∈ cl(ϕ), ψ is satisfiable if and only if there is some M ∈ C such ⊣ that for some σ ∈ S M , ψ ∈ σ. Proof In the forward direction, if ψ is satisfiable then for some model N, for some t ∈ S N , we have Nt |= ψ. Therefore, by Lemma 31 we have N t |= ψ, by Definition 30 we have ψ ∈ t, and by Lemma 33 we have N ∈ C. Let M = N and s = t. By Lemma 33, we have M ∈ C, and by Lemma 31 we have ψ ∈ s, as required. Conversely, if ψ ∈ σ, then by Definition 30, for some s ∈ S M , we have Ms |= ψ.  The satisfiability procedure now runs as follows: 1. We build C, by applying a top-down tableaux approach. This is of size four-exponential in the size of ϕ. All clauses may be verified by applying a model-checking procedure. 2. For each model M ∈ C compute M , by applying a model-checking procedure. 3. Report that ϕ is satisfiable if and only if ϕ appears in s for some s ∈ M ∈ C. The size of CD (ϕ) dominates the decision procedure so the time required is 4EXP in the size of ϕ. We therefore can conclude that: Theorem 35 The logic BAPAL is decidable. 20

⊣

6

Conclusions and further research

We proposed the logic BAPAL. It is an extension of public announcement logic. It contains a modality ✷ϕ intuitively corresponding to: “after every public announcement of a boolean formula, ϕ is true.” We have shown that the logic BAPAL is more expressive than multiagent epistemic logic, that it has a finitary axiomatization, and — our main result — that its satisfiability problem is decidable. For further research we reserve the investigation of yet another logic with quantification over announcements, called positive arbitrary public announcement logic, APAL+. It has a primitive modality “after every public announcement of a positive formula, ϕ is true.” The positive formulas correspond to the universal fragment in first-order logic. These are the formulas where negations do not bind modalities. We conjecture that this logic is also decidable, like BAPAL. It has been tentatively reported in [19].

References [1] T. ˚ Agotnes, P. Balbiani, H. van Ditmarsch, and P. Seban. Group announcement logic. Journal of Applied Logic, 8:62–81, 2010. [2] T. ˚ Agotnes, H. van Ditmarsch, and T. French. The undecidability of quantified announcements. Studia Logica, 104(4):597–640, 2016. [3] P. Balbiani, A. Baltag, H. van Ditmarsch, A. Herzig, T. Hoshi, and T. De Lima. ‘Knowable’ as ‘known after an announcement’. Review of Symbolic Logic, 1(3):305– 334, 2008. [4] P. Balbiani and H. van Ditmarsch. A simple proof of the completeness of APAL. Studies in Logic, 8(1):65–78, 2015. [5] T. Bolander and M.B. Andersen. Epistemic planning for single and multi-agent systems. Journal of Applied Non-classical Logics, 21(1):9–34, 2011. [6] L. Bozzelli, H. van Ditmarsch, T. French, J. Hales, and S. Pinchinat. Refinement modal logic. Information and Computation, 239:303–339, 2014. [7] T. Charrier, A. Herzig, E. Lorini, F. Maffre, and F. Schwarzentruber. Building epistemic logic from observations and public announcements. In Proc. of 15th KR, pages 268–277. AAAI Press, 2016. [8] T. Charrier and F. Schwarzentruber. Arbitrary public announcement logic with mental programs. In G. Weiss, P. Yolum, R. Bordini, and E. Elkind, editors, Proc. of AAMAS, pages 1471–1479. ACM, 2015. [9] A. Cord´on-Franco, H. van Ditmarsch, D. Fern´andez-Duque, and F. Soler-Toscano. A colouring protocol for the generalized russian cards problem. Theor. Comput. Sci., 495:81–95, 2013. 21

[10] M.J. Fischer and R.N. Wright. Bounds on secret key exchange using a random deal of cards. Journal of Cryptology, 9(2):71–99, 1996. [11] T. French and H. van Ditmarsch. Undecidability for arbitrary public announcement logic. In C. Areces and R. Goldblatt, editors, Advances in Modal Logic 7, pages 23–42, London, 2008. College Publications. [12] R. Galimullin and N. Alechina. Coalition and group announcement logic. In Proc. of 16th TARK, pages 207–220, 2017. [13] J.D. Gerbrandy and W. Groeneveld. Reasoning about information change. Journal of Logic, Language, and Information, 6:147–169, 1997. [14] J. Hales. Arbitrary action model logic and action model synthesis. In Proc. of 28th LICS, pages 253–262. IEEE, 2013. [15] L.B. Kuijer. Arbitrary arrow update logic with common knowledge is neither RE nor co-RE. In Proc. of 16th TARK, volume 251 of EPTCS, pages 373–381, 2017. [16] H. Levesque. What is planning in the presence of sensing? In W. Clancey and D. Weld, editors, Proc. of 13th AAAI, pages 1139–1146. AAAI Press / The MIT Press, 1996. [17] J.A. Plaza. Logics of public communications. In Proc. of the 4th ISMIS, pages 201–216. Oak Ridge National Laboratory, 1989. [18] H. van Ditmarsch. The Russian cards problem. Studia Logica, 75:31–62, 2003. [19] H. van Ditmarsch, T. French, and J. Hales. Positive announcements. Presented at Software Engineering Research Conference, UWA, Perth: http://jameshales.org/manuscripts/csse2014.pdf, 2014. [20] H. van Ditmarsch, A. Herzig, and T. De Lima. From situation calculus to dynamic epistemic logic. Journal of Logic and Computation, 21(2):179–204, 2011. [21] H. van Ditmarsch, W. van der Hoek, and L.B. Kuijer. The undecidability of arbitrary arrow update logic. Theor. Comput. Sci., 693:1–12, 2017.

22