
The Modal Logic of Stepwise Removal

2020, Review of Symbolic Logic

We investigate the modal logic of stepwise removal of objects, both for its intrinsic interest as a logic of quantification without replacement, and as a pilot study to better understand the complexity jumps between dynamic epistemic logics of model transformations and logics of freely chosen graph changes that get registered in a growing memory. After introducing this logic (MLSR) and its corresponding removal modality, we analyze its expressive power and prove a bisimulation characterization theorem. We then provide a complete Hilbert-style axiomatization for the logic of stepwise removal in a hybrid language enriched with nominals and public announcement operators. Next, we show that model-checking for MLSR is PSPACE-complete, while its satisfiability problem is undecidable. Lastly, we consider an issue of fine-structure: the expressive power gained by adding the stepwise removal modality to fragments of first-order logic.

Forthcoming in The Review of Symbolic Logic (Cambridge University Press), doi:10.1017/S1755020320000258. ©Association for Symbolic Logic 2020.

arXiv:2103.05117v1 [cs.LO] 8 Mar 2021

Johan van Benthem (1, 2, 3), Krzysztof Mierzewski (4) and Francesca Zaffora Blando (4)

1 Stanford University and Logical Dynamics Lab, CSLI
2 ILLC, University of Amsterdam
3 Tsinghua University
4 Carnegie Mellon University

2010 Mathematics Subject Classification: 03B45, 03B42

Key words and phrases: dynamic logics, hybrid logic, logics for graph games, complexity and decidability

1 Model change and quantification

Logical systems describing model change come up when reasoning about forms of semantic interpretation that affect a current model, varieties of information update, or more general actions changing a local environment. A typical feature of such systems is the use of dynamic modalities that, when evaluated in a current model M, look at what is true in other models N, related to M via some relevant cross-model relation.
These dynamic logics come in a wide range of expressive power and computational complexity [Aucher et al., 2018]. Our aim in this small pilot study is to explore a significant border line, where the complexity of the satisfiability problem jumps from decidable to undecidable. In the process, we highlight some further issues, as well as some new proof techniques, as will be explained below.

Dynamic epistemic logics of information update. Here is one recent genre of dynamic logics that can describe model change. When modeling the effects of new information, a natural format changes a current epistemic model to a new one, suitably modified. For instance, an event !ϕ of reliable public information that ϕ is the case changes a current pointed model (M, s) to the definable sub-model (M|ϕ, s), whose domain is the set of all points in M that satisfy ϕ. Likewise, an event where all agents publicly lose all uncertainty about ϕ takes (M, s) to a model (M\ϕ, s), where the domain stays the same, but the epistemic accessibility relation ∼ of M gets replaced by the refinement s ∼_ϕ t: i.e., s ∼ t and, also, M, t ⊨ ϕ if and only if M, s ⊨ ϕ. These and many other model transformations F have matching modalities [F]ψ in dynamic epistemic logics, whose key axioms for [F]ψ give a recursive analysis of when the postconditions ψ hold in terms of what was true before the F-update (see the survey by van Benthem [2011]). Dynamic epistemic logics are usually decidable if their underlying static logics are: the recursion axioms reduce out the dynamic modalities, at least on full standard universes of epistemic models.

Sabotage-style graph logics. Here is a second natural genre of modal logics for describing model change.
In the sabotage game of van Benthem [2005], arbitrary links in a graph are cut, one by one, by a Demon opposing a Traveler, who, in turn, moves across the graph along still available links. The winning positions of the Demon and the Traveler can be analyzed using standard modalities, together with additional modalities describing what holds in a pointed model after one link has been removed from the current accessibility relation. However, validity in modal logics for various graph games of this sort can be undecidable, and the resulting model theory is quite complex (see [Aucher et al., 2018] and [van Benthem and Liu, 2020]).

This difference in complexity calls for an explanation. The present paper locates its source in the contrast between, on the one hand, the simultaneous removal of points or links in dynamic epistemic logics and, on the other, the stepwise modifications captured by logics for sabotage and related graph games. In doing so, we explore the border between two system designs: dynamic epistemic logics of graph change that reduce effectively to a decidable static base language—and, hence, to what is true in the initial model, which already ‘pre-encodes’ the effects of changes—and, on the other hand, undecidable sabotage-type logics of graph change operations, whose effects are not pre-encoded in the original model, but rather depend on a growing ‘memory’ of previous changes.

To make this concrete, here is a simplest dynamic epistemic logic turned ‘stepwise’. For simplicity, we focus on point deletion, rather than link deletion.

A stepwise update modality. Consider the standard language of basic modal logic, augmented with a dynamic modality ⟨−ϕ⟩ψ that has the following semantics.

Definition 1.1.
Given a relational model M = (W, R, V), with R ⊆ W × W and V a valuation, the satisfaction clause for ⟨−ϕ⟩ψ reads

M, s ⊨ ⟨−ϕ⟩ψ iff there is a point t ≠ s in M with M, t ⊨ ϕ and M − {t}, s ⊨ ψ,

where M − {t} is the submodel of M having just the point t removed from its domain. More generally, given D ⊆ W, M − D denotes the submodel of M with domain W \ D.

This system of what may be called stepwise point removal (MLSR) will be studied here as an intermediate case between the simplest dynamic epistemic logic of public announcements, where all points satisfying ϕ are removed simultaneously during an update, and a simple sabotage modal logic for stepwise graph change.

Quantification without replacement. The language introduced here has various further interpretations. For instance, it can be seen as a medium for describing ‘interventions’ that minimally change some given model to make some specified new properties true [Renardel de Lavalette, 2001]. But the system has an even more general logical motivation, which is not tied to information updates or any other specific application. Consider the evaluation of restricted existential quantifiers ∃x ϕ(x) · ψ(x) in first-order logic (FOL). One searches for an object d satisfying ϕ and then checks whether d also satisfies ψ. In this second stage, the model has not changed: the witness d is still in the domain and it influences the evaluation of ψ. Call this process “quantification with replacement”. Now, it has been claimed [Hintikka and Sandu, 1997] that quantifiers in natural language can also behave differently: witness, for instance, the natural sense in which the distrust in “John distrusted everyone” does not apply to John himself.
Even though this may be an idiosyncrasy of natural language, it clearly makes sense to explore quantification without replacement as a model for evaluation procedures that change domains [Gabbay, 2013]: ∃x(ϕ|ψ) says that there is an object (or, in a natural polyadic version ∃x(ϕ|ψ), a tuple of objects) that satisfies ϕ in the current model M, while ψ holds in the sub-model M − {s} where that object (or all those objects) has been removed. This quantifier form is clearly definable in FOL with identity, but, taken by itself, it suggests its own model theory and proof theory. Moreover, as we shall see, adding quantification without replacement to weaker fragments of the first-order language, such as monadic predicate logic or basic modal logic, produces much less simple effects.

The system MLSR. The system MLSR of stepwise object removal studied in this paper provides a simple modal setting for bringing all of this out. Its syntax is that of the basic modal language with proposition letters, ¬, ∨, ◇, plus the additional modality ⟨−ϕ⟩ψ, whose semantics was given above (Definition 1.1). Occasionally, we will also use this language extended with a “public announcement”, or relativization, modality ⟨!ϕ⟩ψ describing what is true in restrictions to definable subdomains:

M, s ⊨ ⟨!ϕ⟩ψ iff M, s ⊨ ϕ and M|ϕ, s ⊨ ψ,

with M|ϕ the submodel of M consisting of all and only the points in M where ϕ is true.

Outline of the paper. In this paper, we study the essential features of this modal system. In §2, we analyze the expressive power of MLSR by providing a first-order translation and a semantic characterization in terms of bisimulation invariance. This mainly requires straightforward adaptations of known techniques.
§3 and §4 present a complete axiomatization for MLSR, based on a new idea of mixing standard relativization with stepwise removal, which may very well be applicable to many other logics of graph change, for which Hilbert-style axiomatizations have long been an open problem. In §5, we first analyze the computational complexity of model checking for MLSR, which turns out to be PSPACE-complete. This analysis uses a reduction technique from Löding and Rohde [2003] which deserves to be better known in modal logic. Next, we prove that the satisfiability problem for MLSR is undecidable using a tiling argument familiar from the modal logic literature [Marx, 2006; Areces et al., 2015]. In §6, we then raise a more general definability issue: namely, what the addition of quantification without replacement does to various fragments of first-order logic. In particular, we show that, when added to monadic first-order logic, the modality ⟨−ϕ⟩ψ essentially allows us to count, boosting the expressive power of monadic first-order logic to that of monadic first-order logic with identity.

In summary, we locate the threshold of complexity in the stepwise character of the modality for point removal, leading to the need for a computational device for maintaining a memory of deleted points, whose complexity equals that of arbitrary tiling problems and computations of Turing machines. In the process, we also raise new types of questions about modal logics of graph change, and we advertise and introduce some techniques that deserve to be better known among modal logicians.

2 Basics of expressive power

We start with the formal language to be used in most of this paper.¹

Definition 2.1. The syntax of MLSR is given by

ϕ := p | ¬ϕ | (ϕ ∨ ϕ) | ◇ϕ | ⟨−ϕ⟩ϕ,

with p ∈ PROP. Dual modal operators □, [−ϕ] are defined as usual.

Some definable notions. The language of MLSR can define various modal operators from hybrid logic [Areces and ten Cate, 2006] that go beyond the basic modal language.
For instance, the difference modality Dϕ (‘ϕ is true at some different point’) can be defined as ⟨−ϕ⟩⊤, and this, in turn, allows us to define the existential modality Eϕ as ϕ ∨ Dϕ. MLSR can also count all finite cardinalities, using suitably iterated formulas

⟨−⊤⟩…⟨−⊤⟩⊤ (with ⟨−⊤⟩ occurring k times),

which express that a model has at least k objects different from the current point of evaluation. In addition, MLSR can define quite a few finite relational graphs up to isomorphism. For instance, let ρ₂ be the formula defining domain size 2, and let U be the universal modality (i.e., Uϕ = ϕ ∧ [−¬ϕ]⊥). The following observation requires an easy exercise in understanding what our language can express.

Fact 2.2. The MLSR-formula ρ₂ ∧ U⟨−⊤⟩□⊥ ∧ ◇◇⊤ defines a two-point irreflexive loop.

However, not every finite graph is definable, as we shall soon see.

SR-bisimulation. The semantic invariance matching this language is as follows.

¹ This language will be extended slightly with nominals in §3 and §4, which deal with proof systems.

Definition 2.3. A relation Z between a set of pointed relational models is an SR-bisimulation if it is a modal bisimulation in the ordinary sense, where the back and forth clauses stay inside the same models M, N, while, in addition,

(a) if (M, s)Z(N, t) and u ∈ M with u ≠ s, then there is a v ∈ N such that v ≠ t, (M, u)Z(N, v), and (M − {u}, s)Z(N − {v}, t),
(b) the analogous clause in the converse direction.

Note that this definition imposes some minimal closure conditions on the set of models involved in the above clauses that are easy to spell out. The following property is proved by a standard induction on formulas.

Fact 2.4. MLSR-formulas are invariant for SR-bisimulations.

Now we can give an example of two finite graphs that are not definable up to isomorphism and, in line with this, a first-order formula that is not in MLSR.

Fact 2.5. ∀y(Rxy ∨ Ryx) is not MLSR-definable.

Proof.
Consider the model M consisting of two isolated reflexive points and the model N consisting of two points with the universal relation, plus all their submodels. By checking all clauses, one sees that the universal relation Z between all pairs (M, x) and (N, y) plus all links between the 1-point pointed sub-models of M and N is an SR-bisimulation. But, clearly, connectedness holds in N, but not in M.

This new logical system still lies inside standard first-order logic.

Fact 2.6. There is an effective meaning-preserving translation from MLSR into FOL.

Proof. We define the following compositional translation τ(ϕ, y, X) from MLSR-formulas ϕ to first-order formulas, where y is a free variable and X a finite set of variables:

τ(p, y, X) = Py,
τ(¬ϕ, y, X) = ¬τ(ϕ, y, X),
τ(ϕ ∨ ψ, y, X) = τ(ϕ, y, X) ∨ τ(ψ, y, X),
τ(◇ϕ, y, X) = ∃z (Ryz ∧ ⋀_{x∈X} ¬(z = x) ∧ τ(ϕ, z, X)),
τ(⟨−ϕ⟩ψ, y, X) = ∃z (¬(z = y) ∧ ⋀_{x∈X} ¬(z = x) ∧ τ(ϕ, z, X) ∧ τ(ψ, y, X ∪ {z})).

Let (M, s) be any pointed model and D = {d₁, ..., d_k} a finite set of points in M of size k. The following equivalence is shown by a straightforward induction on MLSR-formulas ϕ and sets of variables X = {x₁, ..., x_k} of size k:

M − D, s ⊨ ϕ iff M, a[y/s, X/D] ⊨ τ(ϕ, y, X),

where a[y/s, X/D] is the variant of the variable assignment a such that a[y/s, X/D](y) = s and a[y/s, X/D](x_i) = d_i for 1 ≤ i ≤ k. As a special case, there is an equivalence for MLSR-formulas in ordinary relational models M with D = ∅.

Remark 2.7. The set X in this translation serves as a finite memory storing the points that have already been deleted. This is an essential difference with first-order translations for standard modal languages, which usually lie inside fixed finite-variable fragments.

A simple adaptation of a well-known model-theoretic argument for standard modal logic (cf. [Blackburn et al., 2011]) yields the following result.

Theorem 2.8.
The following assertions are equivalent for all first-order formulas ϕ(x) in the signature of our models, with one free variable:

(a) ϕ(x) is invariant for SR-bisimulation;
(b) ϕ(x) is equivalent to the translation of some MLSR-formula.

Proof. We merely outline the points that need attention in the non-trivial direction from (a) to (b). Let SR denote the MLSR-fragment of first-order logic (that is, all first-order formulas equivalent to translations of MLSR formulas via the translation τ from Fact 2.6). As usual, one shows that ϕ(x) is a semantic consequence of the set C_x(ϕ) of its SR-consequences and then applies Compactness to get an SR-equivalent. We thus need to show that C_x(ϕ) ⊨ ϕ(x).

Suppose M, s ⊨ C_x(ϕ). A standard compactness argument shows that there is a model N and t ∈ N such that (M, s) and (N, t) are SR-equivalent, while N, t ⊨ ϕ(x). These models are then extended to ω-saturated elementary extensions (M⁺, s) and (N⁺, t). We use first-order saturation allowing finite sets of parameters consisting of designated objects in the models; in turn, the finitely satisfiable sets of first-order formulas to be saturated can have a finite set of free variables (not just one, as in the argument for basic modal logic). This is needed for the saturation argument to follow.

Now we define a relation Z between pointed models (M⁺ − D, u) and (N⁺ − E, v), with E, D of the same finite size, which holds if (M⁺ − D, u) and (N⁺ − E, v) satisfy the same SR-formulas. Using saturation, it can be shown that Z is an SR-bisimulation, where the argument for the modality ◇ϕ is standard, while the one for ⟨−ϕ⟩ψ in terms of removing single objects goes as follows. Take (M⁺ − D, u) and w ≠ u. Now, let

Γ(y) := {γ(y) ∈ SR | M⁺ − D, w ⊨ γ}
Δ(x) := {δ(x) ∈ SR | M⁺ − (D ∪ {w}), u ⊨ δ}

and consider the set of first-order formulas

p(x, y) := {¬(y = x)} ∪ Γ(y) ∪ Δ(x)

This set is finitely satisfiable in (M⁺ − D, u, w) (interpreting x as u and y as w).
For each of its finite subsets {¬(y = x)} ∪ Γ′(y) ∪ Δ′(x), we have

M⁺ − D, u, w ⊨ ¬(y = x) ∧ ⋀Γ′(y) ∧ ⋀Δ′(x),

which means that

M⁺ − D, u ⊨ ∃y (¬(y = x) ∧ ⋀Γ′(y) ∧ ⋀Δ′(x)),

and this formula is in SR (it is equivalent to the translation of a ⟨−ϕ⟩ψ formula). This means that the formula also holds in (N⁺ − E, v). Thus, every finite subset of p(x, y) is satisfiable in (N⁺ − E, v) (interpreting x as v). In other words, expanding the language with a new constant symbol c, the 1-type p(c, y) is finitely satisfiable in (N⁺ − E, v) (fixing the interpretation of c as v). Then, by saturation, the type is realized in (N⁺ − E, v): we can thus find an object in N⁺ − E matching the given w, as required for an SR-bisimulation.

Remark 2.9. The first-order translation for MLSR can also be phrased in terms of the hybrid language H(E, ↓) [Areces and ten Cate, 2006]. The key translation clause here reads, for each formula of the form ⟨−ϕ⟩ψ and sequence of nominals n = (n₁, ..., n_ℓ):

σ_n(⟨−ϕ⟩ψ) = ↓m.E↓k.(¬m ∧ ⋀_{i=1}^{ℓ} ¬n_i ∧ σ_n(ϕ) ∧ @_m σ_{n,k}(ψ))

Further connections of MLSR with hybrid logics will be discussed in §7 below.

3 Axiomatization

Thanks to the first-order translation, the valid formulas of MLSR are effectively axiomatizable. But more immediate information comes from explicit modal laws. For instance, the removal modality ⟨−ϕ⟩ψ distributes over disjunction in both of its arguments:

Fact 3.1. The following formulas are both valid:

⟨−ψ⟩(ϕ₁ ∨ ϕ₂) ↔ (⟨−ψ⟩ϕ₁ ∨ ⟨−ψ⟩ϕ₂)
⟨−(ϕ₁ ∨ ϕ₂)⟩ψ ↔ (⟨−ϕ₁⟩ψ ∨ ⟨−ϕ₂⟩ψ)

To obtain an explicit modal axiomatization, we extend the language of MLSR with a countable set NOM of nominals, each standing for either a unique point in the model, or not denoting at all (this small technical deviation from hybrid logic will be helpful later on). We also add standard public announcement modalities ⟨!ϕ⟩ψ from dynamic epistemic logic, whose interpretation was given in §1.
This will turn out to be useful, even though the axiom system to follow features no recursion axioms in the usual dynamic epistemic style for the removal modality. For simplicity, we retain the name MLSR for this logic.

Remark 3.2. There seem to be no modal recursion axioms inverting the operator order for combinations ⟨−ϕ⟩⟨!α⟩ψ or ⟨!α⟩⟨−ϕ⟩ψ. For example, ⟨!α⟩⟨−ϕ⟩ψ is not equivalent to α ∧ ⟨−⟨!α⟩ϕ⟩⟨!α⟩ψ (consider, for instance, the case where α = ◇p, ϕ = □⊥ and ψ = ⊤). This feature of the modal language may be contrasted with how first-order logic augmented with an explicit syntactic operator of relativization would write this recursion:

(∃x(ϕ|ψ))^{α(·)}(x) ↔ α(x) ∧ ∃y(α(y) ∧ y ≠ x ∧ ϕ^{α(·)}(y) ∧ (ψ)^{α(·) ∧ · ≠ y}(x))

We now extend the language of Definition 2.1 with nominals, public announcement operators, as well as the existential modality.

Definition 3.3. MLSR with nominals (for short still to be called MLSR) has the syntax

ϕ := p | n | ⊤ | ¬ϕ | (ϕ ∨ ϕ) | ◇ϕ | ⟨!ϕ⟩ϕ | ⟨−ϕ⟩ϕ | Eϕ,

with p ∈ PROP, n ∈ NOM. Dual modal operators □, [!ϕ], [−ϕ] and U are defined as usual.

Note that it is not necessary to add the @_n operator from hybrid logic as a primitive symbol, for it can be defined using the universal modality: in our setting with (possibly non-referring) nominals, @_n ϕ is simply a shorthand for U(n → ϕ).²

The following proof system may look somewhat complex, but its components just follow the formal syntax just introduced.

Definition 3.4.
The logic MLSR (see Figure 1) consists of:

• the rule of Replacement of Provable Equivalents;³
• the axioms and rules of classical propositional logic;
• the axioms and rules of the minimal normal modal logic for all the universal box modalities of the language (static or dynamic), plus the standard axioms and rules for the global universal modality [Blackburn et al., 2011];
• the Name Rule and the Paste Rule from hybrid logic [Areces and ten Cate, 2006], with the latter slightly adapted to our setting;
• the axiom E(n ∧ ϕ) → U(n → ϕ), which we denote by (H);
• the usual reduction axioms of public announcement logic PAL for atoms (including nominals), the existential base modality, the global existential modality, and the announcement modality [van Benthem, 2011],⁴ as well as the Truth Axiom ⟨!⊤⟩ϕ ↔ ϕ;
• the following two principles connecting the stepwise removal modality with the public announcement modality:
  (Mix Axiom) (E(n ∧ α) ∧ ⟨!¬n⟩ϕ) → ⟨−α⟩ϕ;
  (Mix Rule) If ⊢ E(n ∧ ⟨!ϕ⟩E(k ∧ α) ∧ ⟨!ϕ⟩⟨!¬k⟩ψ) → σ, then ⊢ E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) → σ, where k ∉ σ, ϕ, α, ψ.

² For a further study of combining dynamic epistemic proof systems with hybrid logic, see [Hansen, 2011].

³ This rule is the basis for any ordinary logical system. In particular, in MLSR, it applies to formulas following modalities as well as formulas occurring inside announcement and deletion modalities.

Fact 3.5. The Mix Axiom is valid, and the Mix Rule is semantically sound.

Remark 3.6. The system MLSR does not include all the usual axioms for the basic hybrid language because nominals can fail to denote in our models after an update. In particular, after the deletion of a state named by n, the formula ¬En holds. Connected to this, the equivalence E(n ∧ ¬ϕ) ↔ ¬E(n ∧ ϕ) underpinning the common hybrid notation @_n is no longer valid. However, the proof principles of MLSR guarantee all the properties of nominals that we need in what follows. In particular, the following useful facts are provable:
• E(n ∧ ¬ϕ) ↔ (En ∧ ¬E(n ∧ ϕ))
• n → (E(n ∧ ϕ) ↔ ϕ)

⁴ A reduction axiom for disjunction is supplied by the minimal modal logic for announcement modalities.

The System MLSR

• The rule of Replacement of Equivalents:
  (RE) from ϕ ↔ ψ, infer α(ϕ) ↔ α[ψ/ϕ]
• All tautologies of classical propositional logic, plus the Modus Ponens rule
• Modal K axioms and rules for all universal modalities □, U, [!ϕ] and [−ϕ]
• S5-axioms for the universal modality U, plus the axiom Uϕ → □ϕ
• Axioms for PAL:
  ⟨!ϕ⟩p ↔ ϕ ∧ p (p ∈ PROP)
  ⟨!ϕ⟩n ↔ ϕ ∧ n (n ∈ NOM)
  ⟨!ϕ⟩⊤ ↔ ϕ
  ⟨!ϕ⟩¬ψ ↔ (ϕ ∧ ¬⟨!ϕ⟩ψ)
  ⟨!ϕ⟩(ψ ∨ α) ↔ (⟨!ϕ⟩ψ ∨ ⟨!ϕ⟩α)
  ⟨!ϕ⟩◇ψ ↔ (ϕ ∧ ◇⟨!ϕ⟩ψ)
  ⟨!ϕ⟩⟨!ψ⟩α ↔ ⟨!(ϕ ∧ [!ϕ]ψ)⟩α
  ⟨!ϕ⟩Eψ ↔ (ϕ ∧ E⟨!ϕ⟩ψ)
• The Truth Axiom: ⟨!⊤⟩ϕ ↔ ϕ
• Hybrid axiom:
  (H) E(n ∧ ϕ) → U(n → ϕ)
  Hybrid inference rules:
  (Name) from m → ϕ, infer ϕ (m ∉ ϕ)
  (Paste) from (E(n ∧ ∇m) ∧ E(m ∧ ϕ)) → σ, infer E(n ∧ ∇ϕ) → σ (m ∉ ϕ, σ and ∇ ∈ {◇, E})
• Axiom for the removal modality:
  (Mix) (E(n ∧ α) ∧ ⟨!¬n⟩ϕ) → ⟨−α⟩ϕ
  Inference rule for the removal modality:
  (Mix Rule) from E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) → σ, infer E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) → σ (k ∉ ϕ, α, ψ, σ)

Figure 1: The Hilbert-style proof system for MLSR.

The language of MLSR captures various global properties of our semantics, such as the fact that nominals hold at one state at most. Deriving this shows the Mix Rule at work.

Observation 3.7. The formula n → ¬⟨−n⟩⊤ is an MLSR theorem for any n ∈ NOM.

Proof. Take ϕ, ψ = ⊤, σ = ⊥, α = n. Then the antecedent formula in the Mix Rule reads

E(n ∧ ⟨!⊤⟩E(k ∧ n) ∧ ⟨!⊤⟩⟨!¬k⟩⊤) → ⊥

This is derivable in MLSR. Using Replacement of Equivalents,⁵ and appealing to (i) a simple analysis of ⟨!⊤⟩E(k ∧ n) using the PAL reduction axioms for E and nominals, and (ii) the implication from ⟨!¬k⟩⊤ to ¬k which is one half of the PAL reduction axiom for ⊤, the antecedent of the above formula derives E(k ∧ ¬k). It then suffices to note that the S5 axioms for quantifiers allow us to derive E(k ∧ ¬k) → ⊥.
Therefore, the consequent formula is provable using the Mix Rule:

E(n ∧ ⟨!⊤⟩⟨−n⟩⊤) → ⊥

Using the Truth Axiom and the S5 axioms for quantifiers, this is equivalent in MLSR to U(n → ¬⟨−n⟩⊤), which implies the desired n → ¬⟨−n⟩⊤.

⁵ This basic rule of our proof system will be appealed to tacitly at many places in what follows.

To increase familiarity with the proof system, we explore MLSR a bit further.

Remark 3.8. (a) Here is a more elaborate derivation showing the interplay of the two dynamic modalities. The premise of the above Mix Rule uses antecedents prefixed by an existential modality. However, we can also derive the following ‘bare’ variant:

(Stripped Mix Rule) from ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ) → σ, infer ⟨!ϕ⟩⟨−α⟩ψ → σ (k ∉ ϕ, α, ψ, σ)

To see this, assume the premise. Take a fresh nominal n, and using propositional logic, derive (n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) → σ. Given the facts derived in Remark 3.6, this is equivalent to (n ∧ E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ))) → σ. Again by propositional logic, this yields E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) → (n → σ). Here, since n was fresh, the nominal k still satisfies the conditions of the Mix Rule. Therefore, we can conclude E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) → (n → σ). From this, using propositional logic, (n ∧ E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ)) → σ. Then using Remark 3.6 once more, we get (n ∧ ⟨!ϕ⟩⟨−α⟩ψ) → σ, and with propositional logic, n → (⟨!ϕ⟩⟨−α⟩ψ → σ). Finally, using the Name Rule of the hybrid logic component of MLSR, the conclusion ⟨!ϕ⟩⟨−α⟩ψ → σ follows.

Taking the special case of ϕ = ⊤, and using the Truth Axiom of MLSR (which was not used in the preceding derivations), the Stripped Mix Rule reduces to:

(Basic Mix Rule) from (E(k ∧ α) ∧ ⟨!¬k⟩ψ) → σ, infer ⟨−α⟩ψ → σ (k ∉ α, ψ, σ)
(b) MLSR also admits the following simple variant of the Paste Rule:

(Basic Paste Rule) from E(k ∧ ϕ) → σ, infer Eϕ → σ (k ∉ ϕ, σ)

The Basic Paste Rule is derivable by the preceding method, starting with the premise:

⊢ E(k ∧ ϕ) → σ
⊢ E(k ∧ ϕ) → (n → σ) (by propositional logic; where n is a fresh nominal)
⊢ (E(n ∧ Ek) ∧ E(k ∧ ϕ)) → (n → σ) (by propositional logic)
⊢ E(n ∧ Eϕ) → (n → σ) (by the Paste Rule)
⊢ (n ∧ E(n ∧ Eϕ)) → σ (by propositional logic)
⊢ (n ∧ Eϕ) → σ (by Remark 3.6 and Replacement of Equivalents)
⊢ n → (Eϕ → σ) (by propositional logic)
⊢ Eϕ → σ (by the Name Rule, since n ∉ ϕ, σ)

We now use our observations to derive some simple but useful validities.

Proposition 3.9. The following are MLSR-provable validities:

(i) ⟨!ϕ⟩α → ϕ (announced formulas are always true);
(ii) ⟨−(ϕ₁ ∨ ϕ₂)⟩ψ ↔ (⟨−ϕ₁⟩ψ ∨ ⟨−ϕ₂⟩ψ) (distributivity over disjunction, cf. Fact 3.1);
(iii) Eα ↔ (α ∨ ⟨−α⟩⊤) (the removal modality captures quantifiers).

Proof. (i) This follows since ⟨!ϕ⟩α → ⟨!ϕ⟩⊤ is provable by principles of the minimal logic K for the modality ⟨!ϕ⟩, while the PAL reduction axiom for the atom ⊤ gives ⟨!ϕ⟩⊤ ↔ ϕ.

(ii) With the Basic Mix Rule in hand, it is straightforward to derive this non-trivial distribution law. We sketch the left-to-right direction, appealing to the Basic Mix Rule with α = ϕ₁ ∨ ϕ₂ and σ = ⟨−ϕ₁⟩ψ ∨ ⟨−ϕ₂⟩ψ. For k a fresh nominal, E(k ∧ (ϕ₁ ∨ ϕ₂)) ∧ ⟨!¬k⟩ψ provably implies ⟨−ϕ₁⟩ψ ∨ ⟨−ϕ₂⟩ψ: this can be shown using the standard distribution of the E modality over disjunctions, after which the Mix Axiom gives the required result.

(iii) For the left-to-right direction, let k be a fresh nominal not appearing in α. Note that, by the (H) Axiom, E(k ∧ α) → U(¬α → ¬k) is derivable. Then, since ⊢ (E(k ∧ α) ∧ ¬α) → (E(k ∧ α) ∧ ¬k), ⊢ (E(k ∧ α) ∧ ¬k) → (E(k ∧ α) ∧ ⟨!¬k⟩⊤), and ⊢ (E(k ∧ α) ∧ ⟨!¬k⟩⊤) → ⟨−α⟩⊤ (by the Mix Axiom), we have that ⊢ (E(k ∧ α) ∧ ¬α) → ⟨−α⟩⊤.
The following instance of the Basic Paste Rule then gives us the desired conclusion:

from E(k ∧ α) → (α ∨ ⟨−α⟩⊤), infer Eα → (α ∨ ⟨−α⟩⊤) (k ∉ α)

For the right-to-left direction, we have to show that ⟨−α⟩⊤ → Eα. Let k be a fresh nominal not appearing in α. Since (E(k ∧ α) ∧ ⟨!¬k⟩⊤) → Eα is clearly derivable, this follows from the instance of the Basic Mix Rule displayed here:

from (E(k ∧ α) ∧ ⟨!¬k⟩⊤) → Eα, infer ⟨−α⟩⊤ → Eα (k ∉ α)

Many of the formal proof routines illustrated in this section will be assumed without further explanation in the completeness proof of our next section.

The above axiom system, though matching our later completeness proof, may have some redundancies in its formulation. There is more power to the PAL reduction axioms than meets the eye, and the same is true of the Mix Rule.

Remark 3.10. Consider the Truth Axiom, a modest, but useful principle:

⟨!⊤⟩ϕ ↔ ϕ

In public announcement logic PAL with nominals and global modalities, the Truth Axiom is redundant, as all its instances are derivable. This can be shown by a straightforward induction on the formula ϕ. The base cases for atoms (proposition letters, nominals and ⊤), as well as the inductive steps for negations, disjunctions, and the two existential modalities are immediate from the corresponding reduction axioms in PAL.

However, in the setting of MLSR, we must also consider the inductive step for the removal modality. As it happens, one direction presents no difficulties. By the Stripped Mix Rule, to prove ⟨!⊤⟩⟨−α⟩ψ → ⟨−α⟩ψ, it suffices to derive, for some fresh nominal k, the implication ⟨!⊤⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ) → ⟨−α⟩ψ. And here, distributing the modality ⟨!⊤⟩ inside by appealing to the PAL axioms of MLSR, and using the inductive hypothesis that ⟨!⊤⟩α ↔ α is derivable already, the antecedent is provably equivalent to E(k ∧ α) ∧ ⟨!¬k⟩ψ, which implies ⟨−α⟩ψ by the Mix Axiom.

A similar analysis in the opposite direction would derive ⟨−α⟩ψ → ⟨!⊤⟩⟨−α⟩ψ using the earlier Basic Mix Rule.
However, showing the validity of that rule involved an appeal to the Truth Axiom, and it is not clear whether we can do without. We leave finding a more minimal and provably non-redundant presentation of MLSR as an open problem (see also the final point in §4 about the need for the PAL component).

Even so, as shown in this section, MLSR is quite a workable proof system, whose fine-structure deserves further exploration.

4 Completeness

We now proceed to prove (strong) completeness of our deductive calculus.

Theorem 4.1. The system MLSR is complete for validity in the given semantics.

Soundness of the given axioms and rules follows from a straightforward inspection. The Henkin-style completeness proof follows standard modal and hybrid lines [Blackburn et al., 2011], but there are some interesting new features that will be highlighted in what follows. We begin with a preliminary definition toward a Lindenbaum Lemma.

Definition 4.2 (Named, Pasted, Mixed). A set of MLSR-formulas Γ is

• named if it contains a nominal;
• ◇-pasted if E(n ∧ ◇ϕ) ∈ Γ implies that there is some nominal m such that the formula E(n ∧ ◇m) ∧ E(m ∧ ϕ) ∈ Γ;
• E-pasted if E(n ∧ Eϕ) ∈ Γ implies that there is some nominal m such that the formula E(n ∧ Em) ∧ E(m ∧ ϕ) ∈ Γ;
• mixed if ⟨!ϕ⟩⟨−α⟩ψ ∈ Γ implies that there is some nominal n such that the formula ⟨!ϕ⟩E(n ∧ α) ∧ ⟨!ϕ⟩⟨!¬n⟩ψ ∈ Γ;
• E-mixed if, whenever E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) ∈ Γ, then there is some nominal k such that E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) ∈ Γ.

A set Γ of MLSR-formulas will be said to be pasted if it is both ◇-pasted and E-pasted.

The technical reason for having two mixing principles instead of one will become clear later on. But it may be noted here already that if a deductively closed set Γ contains some nominal n naming it, then E-mixing implies plain mixing. For, in that case, as was shown in Remark 3.6, modulo Γ, any formula ψ will be provably equivalent to E(n ∧ ψ).

Remark 4.3.
As will be seen below, the Mix Rule of MLSR supports the preceding ‘mixing’: i.e., witnessing the removal modality by introducing a new nominal for the point to be removed. As stated, the rule does this only under one-step update modalities ⟨!ϕ⟩. But this implies the Mix Rule for arbitrary finite sequences of updates. First, the special case of ⟨!⊤⟩ψ gives the case of single formulas ψ, as the two are equivalent in MLSR. But also, longer sequences of updates are covered, as is easy to see using the PAL axiom ⟨!ϕ⟩⟨!ψ⟩α ↔ ⟨!(ϕ ∧ [!ϕ]ψ)⟩α compressing two nested update modalities to a single one. It follows that if a deductively closed set Γ is mixed, then it also witnesses sequences of announcement modalities ⟨!ϕ⟩, where ⟨!ϕ⟩ := ⟨!ϕ_1⟩…⟨!ϕ_k⟩ for a sequence of formulas ϕ = (ϕ_1, …, ϕ_k). For instance, with simple mixing: if ⟨!ϕ⟩⟨−α⟩ψ ∈ Γ, then there is a nominal n such that ⟨!ϕ⟩E(n ∧ α) ∧ ⟨!ϕ⟩⟨!¬n⟩ψ ∈ Γ.⁶

⁶ For a concrete case of how this works, suppose that ⟨!ϕ_1⟩⟨!ϕ_2⟩⟨−α⟩ψ ∈ Γ. Using the PAL iteration axiom ⟨!ϕ_1⟩⟨!ϕ_2⟩ϑ ↔ ⟨!(ϕ_1 ∧ [!ϕ_1]ϕ_2)⟩ϑ, we get ⟨!(ϕ_1 ∧ [!ϕ_1]ϕ_2)⟩⟨−α⟩ψ ∈ Γ. Since Γ is mixed, there is then a nominal n such that ⟨!(ϕ_1 ∧ [!ϕ_1]ϕ_2)⟩E(n ∧ α) ∧ ⟨!(ϕ_1 ∧ [!ϕ_1]ϕ_2)⟩⟨!¬n⟩ψ ∈ Γ. But then, using the PAL iteration axiom once more, it follows that ⟨!ϕ_1⟩⟨!ϕ_2⟩E(n ∧ α) ∧ ⟨!ϕ_1⟩⟨!ϕ_2⟩⟨!¬n⟩ψ ∈ Γ.

Lemma 4.4 (Lindenbaum Lemma). Every MLSR-consistent set of formulas can be extended to an MLSR maximal consistent set that is named, pasted, as well as mixed in both senses.

Proof. Naming and pasting work in exactly the same way as in the completeness proof for the basic hybrid logic. As for mixing, given the above observation, we only consider the case of E-mixing. We have to ensure that, throughout the inductive construction, whenever we consistently add a formula of the form E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) to a consistent, named set of formulas Σ, the formula E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) is also added to Σ, where k is the first nominal in the enumeration of nominals used in our construction that occurs in neither Σ nor ⟨!ϕ⟩⟨−α⟩ψ. Crucially, for such a k, the set Σ ∪ {E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ))} is consistent, given that Σ is consistent. For if not, then for some conjunction σ of formulas from Σ, the implication E(n ∧ ⟨!ϕ⟩(E(k ∧ α) ∧ ⟨!¬k⟩ψ)) → ¬σ would be provable. But then, by the Mix Rule, the implication E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ) → ¬σ is provable from Σ, contradicting our initial assumption that Σ ∪ {E(n ∧ ⟨!ϕ⟩⟨−α⟩ψ)} is consistent. ∎

For the remainder of this proof, fix a maximal consistent set Γ of MLSR-formulas (an MLSR-MCS, for short) that is named, pasted, and mixed in all the senses of Definition 4.2. Next, for all nominals n with En ∈ Γ, define the set ∆_n := {ϕ ∈ MLSR | E(n ∧ ϕ) ∈ Γ}. Let W = {Γ} ∪ {∆_n | n ∈ NOM, En ∈ Γ}. Over this universe, accessibility relations are defined as follows:

    R_◇(∆_n, ∆_m) iff E(n ∧ ◇m) ∈ Γ
    R_E(∆_n, ∆_m) iff E(n ∧ Em) ∈ Γ.

In this definition, the set Γ is thought of as containing all information about the whole universe W. This includes information about Γ itself, since, by an earlier observation, Γ = ∆_n for any nominal n ∈ Γ, and such nominals exist since Γ is named by our Lindenbaum construction. One could continue the completeness argument in this style, but in what follows we consider all sets introduced here on a par, as ‘worlds’ or ‘states’ in a modal model, for which we will use the standard notation w, v, ...⁷ We now define an initial structure toward finding a model for our consistent set.

Definition 4.5 (Upper Henkin Model). The upper Henkin model M generated by Γ is defined as the structure (W, R_◇, R_E, V), where
• W := [Γ]_{R_E}, the equivalence class of Γ in W under R_E;
• the relations R_◇ and R_E are, respectively, R_◇ and R_E restricted to W;
• the valuation V is given by V(p) = {w ∈ W | p ∈ w} for all proposition letters p and, for all nominals n, V(n) = {∆_n} if En ∈ Γ, and V(n) = ∅ otherwise.
Setting the domain to be the equivalence class of Γ under R_E ensures that R_E is the universal relation in the model. It is also easy to show that the valuation is well-defined for nominals. This construction has some important properties, listed in the next result.

Lemma 4.6 (Existence Lemma). Let Γ be a named, pasted and E-mixed MLSR-MCS and M = (W, R_◇, R_E, V) the upper Henkin model yielded by Γ.
• All sets ∆_n are MLSR-MCSs;
• If u ∈ W and ◇ϕ ∈ u, then there is an object v ∈ W such that R_◇ uv and ϕ ∈ v.
• If u ∈ W and Eϕ ∈ u, then there is some v ∈ W such that R_E uv and ϕ ∈ v.
• All sets ∆_n are mixed in the first sense listed in Definition 4.2.

⁷ The above accessibility relations could also be defined equivalently in a standard modal manner: for any w, v ∈ W, we have R_◇(w, v) if and only if for all ϕ, if ϕ ∈ v then ◇ϕ ∈ w, and similarly for R_E.

The proof of all these assertions is by reference to the Pasting and E-Mixing properties of the original set Γ, using principles available in MLSR that were identified earlier.

Next, we define a family of derived structures which capture the effects of finite sequences of updates on the upper Henkin model M. Recall that, given a sequence ϕ = (ϕ_1, …, ϕ_k), the notation ⟨!ϕ⟩ stands for ⟨!ϕ_1⟩…⟨!ϕ_k⟩.

Definition 4.7 (Derived Henkin Model). For each finite sequence of MLSR-formulas ϕ = (ϕ_1, …, ϕ_k), the derived Henkin model M : ϕ is the structure (W^ϕ, R_◇^ϕ, R_E^ϕ, V^ϕ), where
• W^ϕ := {(w, ϕ) | w ∈ W and ⟨!ϕ_1⟩…⟨!ϕ_k⟩⊤ ∈ w};
• for (w, ϕ), (v, ϕ) ∈ W^ϕ, R_◇^ϕ((w, ϕ), (v, ϕ)) (resp., R_E^ϕ((w, ϕ), (v, ϕ))) if and only if R_◇ wv (resp., R_E wv) in the upper Henkin model M;
• V^ϕ(p) := {(w, ϕ) | p ∈ w} for p ∈ PROP and V^ϕ(n) := {(w, ϕ) | n ∈ w} for n ∈ NOM.

Points in the derived Henkin model M : ϕ are sequences (w, ϕ_1, …, ϕ_k), where w is a MCS in the upper Henkin model that contains the pre-condition formula⁸

    pre(ϕ) = ⟨!ϕ⟩⊤ = ⟨!ϕ_1⟩…⟨!ϕ_k⟩⊤

⁸ From another perspective, worlds in derived Henkin models are like the finite update histories in temporal ‘protocol models’ for PAL [van Benthem et al., 2009].

The accessibility relations stay as they were for the initial points of the sequences in the upper Henkin model. Likewise, the valuation for proposition letters at each sequence stays the same as that for its initial point in the upper Henkin model. In derived Henkin models, all points are still named by nominals, but some nominals may fail to denote. This explains the modified hybrid base logic for MLSR (Remark 3.6).

Now, to each point (w, ϕ_1, …, ϕ_k) in the derived Henkin model M : ϕ, we associate the following set of formulas

    Φ(M, ϕ, w) := {α | ⟨!ϕ_1⟩…⟨!ϕ_k⟩α ∈ w}.

These sets record what the upper Henkin model ‘claims’ is true after the update with ϕ. Our task is to analyze how this matches up with truth in the updated models. To do so, we first note some useful theorems of MLSR concerning the effects of finite sequences of successive updates. The first of these computes preconditions explicitly:

    ⊢_MLSR ⟨!ϕ_1⟩…⟨!ϕ_k⟩⊤ ↔ ϕ_1 ∧ ⟨!ϕ_1⟩ϕ_2 ∧ ⟨!ϕ_1⟩⟨!ϕ_2⟩ϕ_3 ∧ … ∧ ⟨!ϕ_1⟩…⟨!ϕ_{k−1}⟩ϕ_k ↔ ⋀_{i=1}^{k} ⟨!ϕ_1⟩…⟨!ϕ_{i−1}⟩ϕ_i    (R1)

The derivation of (R1) and the following principles of MLSR are obtained by straightforward iteration of the principles of public announcement logic PAL [van Benthem, 2011]. Our second observation analyses when atomic formulas are true after iterated updates:

    ⊢_MLSR ⟨!ϕ⟩p ↔ (pre(ϕ) ∧ p)    (R2)

The preceding theorem also applies to nominals. A similar pattern occurs with negations:⁹

    ⊢_MLSR ⟨!ϕ⟩¬α ↔ (pre(ϕ) ∧ ¬⟨!ϕ⟩α)    (R3)

For conjunctions, it is easy to see that

    ⊢_MLSR ⟨!ϕ⟩(α ∧ β) ↔ (⟨!ϕ⟩α ∧ ⟨!ϕ⟩β)    (R4)

Finally, consider the diamond modality.
Here we have:

    ⊢_MLSR ⟨!ϕ⟩◇α ↔ (pre(ϕ) ∧ ◇⟨!ϕ⟩α)    (R5)

A similar principle holds for global existential modalities of the form Eα.¹⁰

Intuitively, the models M : ϕ are meant to be isomorphic to submodels of M after the sequence of consecutive semantic updates ϕ, but the precise sense in which this is true will become clear in the following key property of the construction of initial and derived Henkin models.¹¹ Now comes the main point of our construction so far.

Lemma 4.8 (Truth Lemma). For all formulas ψ, finite sequences ϕ and points w,

    M : ϕ, (w, ϕ) ⊨ ψ if and only if ψ ∈ Φ(M, ϕ, w)

Proof. The proof is by induction on the formulas ψ. For convenience, when the context is clear, we write w instead of (w, ϕ), reflecting the fact that derived Henkin models represent submodels arising from iterated PAL updates. Also note that, by the earlier definitions, the existence of the state (w, ϕ) in M : ϕ assumes that the precondition pre(ϕ) of the relevant update sequence belongs to w. This fact will be used repeatedly in what follows.

(a) For the equivalence of truth and membership for atoms p, it suffices to observe that p ∈ Φ(M, ϕ, w) iff ⟨!ϕ⟩p ∈ w iff (by the above-noted fact (R2)) pre(ϕ) ∧ p ∈ w. But then, by the definition of the valuation in derived Henkin models, this means that p is true at the initial w and all its descendants under update. The same argument applies to nominals.

(b) For negations, we have ¬ψ ∈ Φ(M, ϕ, w) iff ⟨!ϕ⟩¬ψ ∈ w, which, by (R3), is provably equivalent to pre(ϕ) ∈ w and ¬⟨!ϕ⟩ψ ∈ w. Given that pre(ϕ) ∈ w, we have that ⟨!ϕ⟩¬ψ ∈ w iff ⟨!ϕ⟩ψ ∉ w. The latter statement is equivalent to ψ ∉ Φ(M, ϕ, w), which, by the inductive hypothesis for ψ, holds if and only if M : ϕ, w ⊨ ¬ψ.

⁹ For a concrete illustration, the following chain of equivalences is provable: ⟨!ϕ_1⟩⟨!ϕ_2⟩¬ψ ↔ ⟨!ϕ_1⟩(ϕ_2 ∧ ¬⟨!ϕ_2⟩ψ) ↔ (⟨!ϕ_1⟩ϕ_2 ∧ ⟨!ϕ_1⟩¬⟨!ϕ_2⟩ψ) ↔ (⟨!ϕ_1⟩ϕ_2 ∧ ¬⟨!ϕ_1⟩⟨!ϕ_2⟩ψ).

¹⁰ All these facts unpack finite sequences of PAL-update modalities.
But they can also be understood in terms of one-step modalities using the PAL axiom for compressing two iterated updates into one.

¹¹ While not essential for what follows, the following fact further clarifies the structure of derived Henkin models. Given (w, ϕ) and (v, ϕ) in W^ϕ, the following assertions are equivalent: (a) R_◇^ϕ((w : ϕ), (v : ϕ)) as defined earlier, (b) for all formulas α, if α ∈ Φ(M, ϕ, v), then ◇α ∈ Φ(M, ϕ, w). We omit the proof here.

(c) The inductive step for conjunctions ψ_1 ∧ ψ_2 is straightforward, using the above distribution principle (R4) of ⟨!ϕ⟩ modalities over conjunctions, as well as the fact that maximally consistent sets decompose conjunctions into components.

(d) Next, we consider the basic modality ◇ψ, relying on the above principle (R5).
• If M : ϕ, w ⊨ ◇ψ, then, for some v with R_◇^ϕ wv, M : ϕ, v ⊨ ψ. So, by the inductive hypothesis, ψ ∈ Φ(M, ϕ, v). Hence, in the upper Henkin model M, we have that ⟨!ϕ⟩ψ ∈ v and also R_◇ wv. This entails that, in M, ◇⟨!ϕ⟩ψ ∈ w. Now, using (R5) and the fact that pre(ϕ) ∈ w, ⟨!ϕ⟩◇ψ ∈ w. By the definition of Φ, then ◇ψ ∈ Φ(M, ϕ, w).
• Conversely: ◇ψ ∈ Φ(M, ϕ, w) entails that ⟨!ϕ⟩◇ψ ∈ w in the upper Henkin model M. From (R5) we obtain ◇⟨!ϕ⟩ψ ∈ w. Therefore, by the Existence Lemma 4.6, there is some v ∈ M with R_◇ wv and ⟨!ϕ⟩ψ ∈ v. Now obviously ⊢_MLSR ⟨!ϕ⟩ψ → ⟨!ϕ⟩⊤ = pre(ϕ), and so it follows that pre(ϕ) ∈ v. Hence, v is in the derived Henkin model under consideration here. So, we have that ψ ∈ Φ(M, ϕ, v) and, by the inductive hypothesis, we get M : ϕ, v ⊨ ψ. Since R_◇ wv, we have R_◇^ϕ wv, and so M : ϕ, w ⊨ ◇ψ.

(e) The reasoning for the existential modality Eψ is just like the preceding argument.

(f) The analysis for PAL modalities ⟨!α⟩ψ proceeds as follows. First note that, by the inductive hypothesis, the truth of α at any point (v, ϕ) is equivalent to α belonging to Φ(M, ϕ, v).
Hence, restricting the model M : ϕ to (M : ϕ)|α in the usual semantic sense yields exactly the derived Henkin model M : (ϕ⌢α).¹² We then have the following equivalences:

    M : ϕ, w ⊨ ⟨!α⟩ψ
    iff M : ϕ, w ⊨ α and (M : ϕ)|α, w ⊨ ψ
    iff M : (ϕ⌢α), w ⊨ ψ
    iff ψ ∈ Φ(M, ϕ⌢α, w) (by the inductive hypothesis)
    iff ⟨!α⟩ψ ∈ Φ(M, ϕ, w) (since ⟨!ϕ⌢α⟩ψ = ⟨!ϕ⟩⟨!α⟩ψ)

(g) Finally, the MLSR deletion modality ⟨−α⟩ψ is analyzed as follows.
• If M : ϕ, w ⊨ ⟨−α⟩ψ, then, by the truth definition, for some v ≠ w, (i) M : ϕ, v ⊨ α and (ii) (M : ϕ) − {v}, w ⊨ ψ. Next, since all states in the upper Henkin model are named (see Definition 4.2), there exists a nominal n denoting v, and this nominal is still available for denoting v’s descendant in the derived Henkin model M : ϕ. First consider conjunct (i). By the inductive hypothesis, α ∈ Φ(M, ϕ, v), while also, for our nominal n, we have n ∈ Φ(M, ϕ, v). Therefore, in the upper Henkin model M, ⟨!ϕ⟩(n ∧ α) ∈ v. Now, the relation R_E is universal in the upper Henkin model, and so, in particular, R_E wv, which entails that E⟨!ϕ⟩(n ∧ α) ∈ w. Next, by our earlier observations about provable generalized reduction axioms in MLSR:

    ⊢_MLSR ⟨!ϕ⟩E(n ∧ α) ↔ (pre(ϕ) ∧ E⟨!ϕ⟩(n ∧ α))    (†)

¹² Thanks to the inductive hypothesis, the model (M : ϕ)|α contains exactly the states w for which ⟨!ϕ⟩α ∈ w. But by its definition, the derived Henkin model M : (ϕ⌢α) is restricted to exactly the states w such that pre(ϕ⌢α) ∈ w, which is equivalent to ⟨!ϕ⟩α ∈ w.

Together with the fact that pre(ϕ) ∈ w, it follows that ⟨!ϕ⟩E(n ∧ α) ∈ w. Next, consider conjunct (ii) in our initial assumption. It is easy to see that the model (M : ϕ) − {v} equals the updated model (M : ϕ)|¬n, using the fact that each nominal belongs to at most one world in M. Thus (ii) implies that (M : ϕ)|¬n, w ⊨ ψ. Moreover, it can be seen that the latter model in turn equals M : (ϕ⌢¬n).¹³ Therefore, we also have M : (ϕ⌢¬n), w ⊨ ψ.
But then, by the inductive hypothesis, we have that ψ ∈ Φ(M, ϕ⌢¬n, w), i.e., ⟨!ϕ⟩⟨!¬n⟩ψ ∈ w. It now remains to apply the Mix Axiom. As stated in the definition of the system MLSR, this says that the conjunction E(n ∧ α) ∧ ⟨!¬n⟩ψ implies ⟨−α⟩ψ. Now in the upper Henkin model, we only have the antecedent for this in the set w under the prefix ⟨!ϕ⟩. But then the modalized conclusion ⟨!ϕ⟩⟨−α⟩ψ is derivable using the K axioms for the ⟨!ϕ⟩ modalities, and hence it, too, is in w. In other words, ⟨−α⟩ψ ∈ Φ(M, ϕ, w).
• Next suppose that ⟨−α⟩ψ ∈ Φ(M, ϕ, w): i.e., ⟨!ϕ⟩⟨−α⟩ψ ∈ w. Since w is mixed by the Existence Lemma 4.6, there exists some nominal n such that (i) ⟨!ϕ⟩E(n ∧ α) ∈ w, and (ii) ⟨!ϕ⟩⟨!¬n⟩ψ ∈ w. Using the earlier equivalence (†) once more, from (i), we get E⟨!ϕ⟩(n ∧ α) ∈ w. By the Existence Lemma 4.6 once more, this means that there is some v ∈ M with ⟨!ϕ⟩(n ∧ α) ∈ v. So, n ∧ α ∈ Φ(M, ϕ, v). By the inductive hypothesis, this entails that M : ϕ, v ⊨ α. Next, turning to (ii), using the straightforward observation that ⊢_MLSR ⟨!ϕ⟩¬n → ¬n, we get n ∉ w, while ⟨!ϕ⟩(n ∧ α) ∈ v entails n ∈ v, so w ≠ v. Lastly, ⟨!ϕ⟩⟨!¬n⟩ψ ∈ w means ⟨!¬n⟩ψ ∈ Φ(M, ϕ, w). This is equivalent to ψ ∈ Φ(M, ϕ⌢¬n, w), which, by the inductive hypothesis, yields that M : ϕ⌢¬n, w ⊨ ψ. Next, as already noted in the argument for the converse direction, M : (ϕ⌢¬n) = (M : ϕ)|¬n, and hence we get (M : ϕ)|¬n, w ⊨ ψ. Moreover, we had (M : ϕ)|¬n = (M : ϕ) − {v}, and so we also have (M : ϕ) − {v}, w ⊨ ψ. Taking these three facts together, it can be concluded that M : ϕ, w ⊨ ⟨−α⟩ψ.

This concludes the proof of the Truth Lemma, and thus, the consistent set Γ at the start of the construction has a model. This establishes the completeness of the system MLSR. ∎

Remark 4.9.
One way of understanding the mechanics of this modal completeness proof is doing a parallel standard Henkin-style completeness proof for a first-order language with explicit operations of quantification without replacement and definable relativization. Finally, a natural question is if our expanded language with nominals and PAL modalities is really needed. We leave the existence of a ‘pure’ axiomatization of MLSR open here.¹⁴

¹³ Observe that w ∈ M : (ϕ⌢¬n) iff pre(ϕ⌢¬n) ∈ w iff ⟨!ϕ⟩¬n ∈ w. Now, as observed earlier, ⊢_MLSR ⟨!ϕ⟩¬n ↔ pre(ϕ) ∧ ¬⟨!ϕ⟩n, so the last statement is equivalent to pre(ϕ) ∈ w and ⟨!ϕ⟩n ∉ w, which holds exactly when n ∉ w ∈ M : ϕ, which means that w ∈ (M : ϕ)|¬n by the truth definition.

¹⁴ In ongoing follow-up work, Johan van Benthem, Li Lei, Chenwei Shi, and Haoxuan Yin at Tsinghua University have used the techniques presented here to axiomatize hybrid sabotage modal logic in several semantics, and to derive further results such as interpolation theorems. One feature of their approach suggests an alternative perspective on our completeness proof. The crucial use of public announcements in the above is in the special form ⟨!¬n⟩ϕ. This is equivalent to the hybrid MLSR formula (¬En ∧ ϕ) ∨ ⟨−n⟩ϕ. This suggests a pure axiomatization where the minimal PAL modalities become convenient suggestive notation. The full system MLSR merges definable uniform and arbitrary stepwise removal, thus describing quantification with and without replacement combined with unrestricted relativization.

5 Complexity and undecidability

Having analyzed expressive power and axiomatization, we now turn to matters of computational complexity for the core notions of our system MLSR as defined in §2.

5.1 Model checking

We begin by showing that model checking for MLSR is PSPACE-complete. We do so by providing a reduction from the quantified Boolean formula problem (QBF) [Stockmeyer and Meyer, 1973], in the style of Rohde [2005] and Löding and Rohde [2003].

Theorem 5.1. Model checking for MLSR is PSPACE-complete.

Proof. An upper bound is established as follows. The translation into first-order logic given earlier (Fact 2.6) only has a polynomial size increase, and it is known that model checking for first-order logic is in PSPACE. The lower bound is demonstrated by a reduction from QBF into model checking for MLSR. Take any QBF formula ϕ: that is, a formula of the form

    Q_1 x_1 … Q_n x_n ⋀_{1≤i≤k} C_i,

where Q_j ∈ {∃, ∀}, and each C_i is a disjunction of literals ±x_j (here, without loss of generality, we can assume that the quantifiers alternate between ∃ and ∀). Given such a formula ϕ, we construct a finite pointed model (M_ϕ, s) and an MLSR formula γ_ϕ such that ϕ is true if and only if (M_ϕ, s) ⊨ γ_ϕ. The construction will ensure that the model M_ϕ and the formula γ_ϕ both have a size that grows linearly in the number of quantifiers and clauses of ϕ, which gives the desired reduction from QBF.

To increase intuitive understanding, in what follows the model (M_ϕ, s) is constructed so that the truth of ϕ can be captured by a traveling game on the model between two players: Traveler and Demon. The formula ϕ is true if and only if Traveler has a winning strategy in the traveling game on (M_ϕ, s), while the MLSR formula γ_ϕ states the existence of a winning strategy for Traveler.

(M_ϕ, s) consists of n + 1 vertically concatenated ‘modules’: one initial module for the first quantifier in ϕ, one module for each of the remaining n − 1 quantifiers, plus one final verification module. Each of these modules is depicted in Figure 2. More in detail, the construction of M_ϕ is as follows: starting with the initial module, we concatenate successive ∀x_i- and ∃x_j-modules corresponding to the order of quantifiers in ϕ (we treat the top nodes labeled by x_j and ¬x_j as the end nodes of the previous module). The goal points are those to which the valuation assigns the proposition letter g (as depicted in Figure 2). Once all n quantifier modules have been added, we append the final verification module. For each clause C_i, we use a distinct proposition letter c_i, which holds at exactly one node in the verification module, called a clause vertex. Each clause vertex c_i has an outgoing edge to all and only the duals of literals that make C_i true.

[Figure 2, panels: (a) Initial module. (b) ∃x_j-module. (c) ∀x_j-module. (d) Final verification module.]
Figure 2: The shape of the initial module (a) does not depend on which quantifier ϕ begins with. In (b), (c) and (d), the top nodes labeled by x_j and ¬x_j are the end nodes of the previous module. In (d), each clause vertex c_i has an outgoing edge to a vertex labeled by a literal ±x_j exactly if the dual literal ∓x_j makes clause C_i true.

Now, the traveling game proceeds in the following manner. At the beginning, Traveler is positioned at the starting vertex s. When Demon plays, she deletes a node in the graph. When Traveler plays, she can travel along one of the remaining edges to an adjacent vertex. Traveler wins if she manages to reach a goal point, marked with the proposition letter g. Demon wins otherwise. More in detail, if ϕ starts with ∃, Traveler goes first. If ϕ starts with ∀, Demon goes first: in the first move, she can only delete a vertex marked by p_1, that is, she can only delete a point adjacent to the starting vertex. From then on, Traveler and Demon alternate their turns, with turns being either traveling one edge further or deleting one node, respectively, where the Demon’s second move at each ∀x_j-module is restricted to nodes marked with p_j (see Figure 2). This continues in this manner until Traveler reaches a node that sees a clause node. At this point, Demon has k − 1 moves, which she must use to delete all but one clause node.
Then, we allow Traveler two successive moves (once Demon has restricted her choices to one clause node). Then, Demon and Traveler once again alternate single moves until the game is resolved. See Figure 3 for an example. The game adequately captures the truth of ϕ:

Observation 5.2. Traveler has a winning strategy for the game on (M_ϕ, s) if and only if the initial QBF formula ϕ is true.

Proof. Each travel path to the verification module yields a valuation. Say that a truth value is selected for x_i if Traveler’s path passes through the node labeled x_i. At ∀x_i modules, Demon selects a truth value for x_i. At ∃x_j modules, Traveler selects a truth value for x_j. Once Traveler reaches a clause node, an assignment has thus been chosen for all variables. Here, the design of the above modules guarantees the following two key facts at that stage: (i) the deleted goal points are all and only those seen by the visited vertices, and also, (ii) all unvisited ±x_i vertices still have two adjacent goal points.

If ϕ is true, then the assignment chosen in this manner (with Demon controlling ∀ and Traveler controlling ∃) makes all (disjunctive) clauses true. So, for every clause C_i, there is some visited ±x_j node, for some ±x_j that entails C_i. By design of the final clause module, no matter which clause Traveler is at, there is some unvisited vertex labeled ∓x_j accessible from this clause vertex. Traveler can then travel to this vertex, where she sees two goal points. Demon can remove at most one of them at her next move, and Traveler therefore wins.

Conversely, if ϕ is false, the final assignment makes at least one clause false. Demon forces Traveler to the corresponding clause vertex: because the current assignment makes the disjunctive clause false, all the accessible ±x_j vertices have already been visited and, thus, do not see any goal points. Demon therefore wins. ∎
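The removal clause used throughout (⟨−α⟩ψ holds at w when some v ≠ w satisfies α and ψ holds at w once v is deleted) can be evaluated by direct recursion over submodels, which is the shape of a polynomial-space model checker. The following Python sketch is an added example, not code from the paper: the tuple encoding of formulas and all function names are assumptions made here. It checks the Mix Axiom and the equivalence of ⟨!¬n⟩ϕ with (¬En ∧ ϕ) ∨ ⟨−n⟩ϕ from footnote 14 on every pointed model with at most three points, and shows iterated removal counting without replacement.

```python
from itertools import product

# Formulas are nested tuples (an encoding chosen for this example).
TOP = ("top",)
def P(x): return ("prop", x)
def Nom(x): return ("nom", x)
def Not(a): return ("not", a)
def And(a, b): return ("and", a, b)
def Or(a, b): return Not(And(Not(a), Not(b)))
def Imp(a, b): return Not(And(a, Not(b)))
def Iff(a, b): return And(Imp(a, b), Imp(b, a))
def Dia(a): return ("dia", a)          # basic diamond
def E(a): return ("E", a)              # global existential modality
def Ann(a, b): return ("ann", a, b)    # <!a>b : announce a, then b
def Rem(a, b): return ("rem", a, b)    # <-a>b : remove an a-point, then b


def holds(model, dom, w, f):
    """Truth of f at w in the submodel of `model` induced by the set dom.

    model = (rel, val, noms): rel is a set of pairs, val maps proposition
    letters to sets of points, noms maps each nominal to at most one point.
    Recursion depth is bounded by the size of f and each frame keeps one
    subset of the domain, so the procedure runs in polynomial space.
    """
    rel, val, noms = model
    op = f[0]
    if op == "top":
        return True
    if op == "prop":
        return w in val.get(f[1], ())
    if op == "nom":                      # fails to denote once its point is gone
        return noms.get(f[1]) == w
    if op == "not":
        return not holds(model, dom, w, f[1])
    if op == "and":
        return holds(model, dom, w, f[1]) and holds(model, dom, w, f[2])
    if op == "dia":
        return any((w, v) in rel and holds(model, dom, v, f[1]) for v in dom)
    if op == "E":
        return any(holds(model, dom, v, f[1]) for v in dom)
    if op == "ann":                      # relativize to the points satisfying f[1]
        if not holds(model, dom, w, f[1]):
            return False
        kept = frozenset(v for v in dom if holds(model, dom, v, f[1]))
        return holds(model, kept, w, f[2])
    if op == "rem":                      # some v != w with f[1]; delete v, stay at w
        return any(v != w and holds(model, dom, v, f[1])
                   and holds(model, dom - {v}, w, f[2]) for v in dom)
    raise ValueError(f"unknown operator {op!r}")


def small_pointed_models(max_size=3):
    """All pointed models with <= max_size points, one letter p, one nominal n."""
    for size in range(1, max_size + 1):
        worlds = range(size)
        pairs = list(product(worlds, repeat=2))
        for rbits, pbits in product(range(2 ** len(pairs)), range(2 ** size)):
            rel = {pr for i, pr in enumerate(pairs) if (rbits >> i) & 1}
            val = {"p": {v for v in worlds if (pbits >> v) & 1}}
            for named in (None, *worlds):    # None: the nominal does not denote
                noms = {} if named is None else {"n": named}
                for w in worlds:
                    yield (rel, val, noms), frozenset(worlds), w


def holds_on_small_models(f, max_size=3):
    """Bounded check only: f is true at every pointed model enumerated above."""
    return all(holds(m, d, w, f) for m, d, w in small_pointed_models(max_size))


def mix_axiom(alpha, psi):
    """(E(n & alpha) & <!~n>psi) -> <-alpha>psi."""
    n = Nom("n")
    return Imp(And(E(And(n, alpha)), Ann(Not(n), psi)), Rem(alpha, psi))


def footnote_equivalence(phi):
    """<!~n>phi <-> ((~En & phi) | <-n>phi)."""
    n = Nom("n")
    return Iff(Ann(Not(n), phi), Or(And(Not(E(n)), phi), Rem(n, phi)))


def at_least_others(k, atom):
    """<-atom>...<-atom>T, k times: k distinct atom-points besides the current one."""
    f = TOP
    for _ in range(k):
        f = Rem(atom, f)
    return f


if __name__ == "__main__":
    p = P("p")
    print("Mix Axiom:", holds_on_small_models(mix_axiom(p, Dia(p))))
    print("Footnote 14:", holds_on_small_models(footnote_equivalence(Dia(p))))
```

The bounded check is evidence on small models, not a validity proof; the converse of the Mix Axiom for a fixed nominal already fails on a two-point model where n does not denote.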
Lastly, to conclude the proof of Theorem 5.1, we make sure that MLSR can express the existence of a winning strategy for Traveler. When ϕ starts with ∀ and has n quantifiers and k clauses, the general form of the corresponding MLSR formula γ_ϕ is

    ([−α_j]◇)^{f(n)} [δ]^{k−1} ◇^2 [−⊤]◇g

Here, f(n) is a function counting the total number of rounds played in the game up to the final module: f is linear in n (it is in fact easy to see that f(n) ≤ 3n). The symbol α_j denotes p_j whenever Traveler sees a p_j-point in the corresponding ∀x_j-module; it stands for ⊤ otherwise. The formula δ, on the other hand, is a Boolean combination of c_i’s expressing that exactly one of the clauses is true. The repeated modalities capture exactly the structure of the game and the restrictions on the players’ moves. The game goes on for f(n) rounds until the penultimate stage is reached. The [−p_j] modalities force Demon to remove only p_j-points during the middle round played on a ∀x_j-module. Then, [δ]^{k−1} quantifies over all ways in which Demon can remove k − 1 clauses (all but one). The formula γ_ϕ expresses that Traveler can ensure that such a sequence of moves results in reaching a goal point, and thus holds exactly if Traveler has a winning strategy: equivalently, it holds if and only if the initial QBF formula ϕ is true.¹⁵ ∎

¹⁵ The results in this section extend to the expanded modal language of §3. The PSPACE lower bound obviously remains valid, but so is the upper bound. The reason is that extending the first-order translation of Fact 2.6 to nominals and PAL-modalities incurs only a polynomial blow-up in size.

[Figure 3: the model for ϕ = ∀x_1 ∃x_2 ∀x_3 (C_1 ∧ C_2 ∧ C_3), where C_1 = ¬x_1 ∨ x_2, C_2 = ¬x_1 ∨ x_2 ∨ ¬x_3, and C_3 = x_1 ∨ x_2 ∨ x_3.]
Figure 3: An example. The proposition letter g marks the goal points. Each ∀-module forces Traveler to the literal ±x_j point chosen by Demon, while each ∃-module leaves the choice to Traveler. The letters p_1, ..., p_k are level markers that restrict Demon’s moves. In the final module, Demon forces Traveler into some clause. For each literal ±x_j that makes such clause true, Traveler can then go to the node labeled by dual literal ∓x_j above.

Note on game perspectives. While not strictly necessary for the proof of Theorem 4.1, the above traveling game with point removal over the initial structure is independently appealing, and it suggests links with the graph games that motivate sabotage logics and related logics for graph change mentioned in §1 [van Benthem and Liu, 2020]. As a further perspective, the above traveling game is virtually identical to the standard logical evaluation game for the crucial quantified Boolean formula in the above proof. Making these game perspectives precise is left as an open problem here.

5.2 Satisfiability

Next, we show that, despite the recursive axiomatizability shown in §3, stepwise removal has a complex theory. The satisfiability problem for the logic MLSR is undecidable, which we establish by a reduction from the tiling problem, a standard technique in modal logic (cf. [Blackburn et al., 2011; Marx, 2006], to which we refer for details).

Theorem 5.3. The satisfiability problem for MLSR with two binary accessibility relations R_u and R_r is undecidable.

Proof. Let T = {T_1, ..., T_n} be a finite set of tile types. Given a tile type T_i, u(T_i), r(T_i), d(T_i) and l(T_i) will represent the colors of the upper, right, lower and left edges of T_i, respectively. For each tile type T_i, we fix a proposition letter t_i that is going to encode T_i. We will now define an MLSR formula ϕ_T such that the following holds: ϕ_T is satisfiable if and only if T tiles the discrete quadrant N × N. The formula ϕ_T is the conjunction of the following MLSR formulas.
The first three describe the relational structure of a grid, the last three encode the behavior of a tiling of the grid:

    (Func)    U⟨−⊤⟩(□_u ⊥ ∧ ◇_r ⊤)
              U⟨−⊤⟩(□_r ⊥ ∧ ◇_u ⊤)
    (Conf)    U⟨−⊤⟩(◇_r □_u ⊥ ∧ ◇_u □_r ⊥)
    (Unique)  U( ⋁_{1≤i≤n} t_i ∧ ⋀_{1≤i<j≤n} (t_i → ¬t_j) )
    (Vert)    U ⋀_{1≤i≤n} ( t_i → ◇_u ⋁_{1≤j≤n, u(T_i)=d(T_j)} t_j )
    (Horiz)   U ⋀_{1≤i≤n} ( t_i → ◇_r ⋁_{1≤j≤n, r(T_i)=l(T_j)} t_j )

(⇐) It is easy to see that any tiling of N × N induces a model for ϕ_T.

(⇒) For the other direction, suppose that M, w ⊨ ϕ_T, for some LSR-model M = (W, R_u, R_r, V) and w ∈ W. The formula (Func) ensures that the relations R_u and R_r are functions, and that, for every point x, R_u[x] ≠ R_r[x] (the R_u- and R_r-images of x are different). The formula (Conf) then guarantees that the functions commute: R_u ◦ R_r = R_r ◦ R_u. This ensures the existence of an embedding f : N^2 → W that preserves the structure of vertical and horizontal successors: that is, for all (n, m) ∈ N^2, we have R_u(f(n, m), f(n, m + 1)) and R_r(f(n, m), f(n + 1, m)). Now, tile the point (n, m) in N^2 with tile T_i exactly if M, f(n, m) ⊨ t_i. This gives a tiling of the discrete quadrant of the plane. ∎

The two standard modalities used in this proof can be reduced to one using standard techniques [Kracht and Wolter, 1999], but we forego details here because of the syntactic cost involved in writing the formulas.

The above undecidability argument applies a fortiori to the richer language of §3 with nominals and PAL modalities. But it will also work with languages that are less expressive than MLSR. In particular, one can replace the universal modality by an extra standard modality that can survey the domain by employing the well-known ‘spypoint technique’ from hybrid logic. A detailed syntactic construction of this sort for modal logics of graph games can be found in [Zaffora Blando et al., 2020].

Having determined the complexity of model checking and satisfiability, one task would remain, concerning definability and expressive power.
However, we leave this open here.

Open problem. What is the complexity of testing for SR-bisimulation?

Given any two finite models M, N, it is easy to find an EXPSPACE upper bound. One considers the space of all models arising from M, N by deleting finite sequences of different points, and then tests for ordinary modal bisimulation over this space with respect to MLSR, now viewed as a standard bimodal language. But, just as with standard modal bisimulation [Kanellakis and Smolka, 1983], one can probably do better.

6 Stepwise removal over first-order fragments

Having established the complexity of adding quantification without replacement to the basic modal language, we can also consider other fragments of first-order logic. Perhaps the simplest case is adding the removal modality ⟨−ϕ⟩ψ to monadic first-order logic MFOL. As it turns out, this yields exactly the formulas in MFOL_=^x: that is, all formulas with one free variable x in monadic first-order logic with identity.

Theorem 6.1. MLSR(MFOL) = MFOL_=^x.

Proof. Fix finitely many unary predicates P_1, …, P_k. We define standard normal forms for the whole language MFOL_=. Local state descriptions sd are conjunctions of ±P_i with 1 ≤ i ≤ k. There are 2^k of these, and they can be applied to arbitrary variables. Global state descriptions SD of depth N are then conjunctions ⋀_j SD_j where, for each local state description sd_j, SD_j is either the statement that exactly m_j objects satisfy sd_j, where we have m_j < N, or the statement that at least N objects satisfy sd_j.

Definition 6.2. An enumerative normal form is a disjunction of conjunctions NF, each consisting of (a) local state descriptions for each of the variables x_i plus a complete set of equalities and inequalities for all pairs of variables from x_1, ..., x_m, plus (b) a global state description that is consistent with (a) in an obvious syntactic sense.

Claim.
Each formula in MFOL_= of quantifier depth N and m free variables x_1, ..., x_m is equivalent to an enumerative normal form.

This can be proved by induction on formulas via a syntactic argument.¹⁶

Claim. MFOL_= is closed under the modality ⟨−ϕ⟩ψ.

Proof of Claim. Using the disjunction axioms for existential modalities and ⟨−ϕ⟩ψ stated in §3, in proving closure, one can restrict attention to conjunctive forms NF and special removal modalities ⟨−sd ∧ SD⟩NF. Closure can be shown here by a simple argument, driven by the following two key facts:
• the equivalence ⟨−sd ∧ SD⟩NF ↔ (SD ∧ ⟨−sd⟩NF) is valid,¹⁷
• the formula ⟨−sd_i⟩(sd′ ∧ SD) is equivalent to sd′ ∧ SD[i := i + 1], where SD[i := i + 1] replaces the quantification in the i-th conjunct of SD by a quantifier stating the existence of one more point satisfying the relevant local state description. ∎

Arguments like this are available for other languages that admit of simple normal forms of modal depth 1. Here is one obvious question.

Open problem. What fragment of first-order logic results from adding the dynamic operators of MLSR to the language of modal S5?

We have some initial results, but the combinatorics get considerably more complex, since the logic can now also distinguish between different equivalence classes in S5 models. The general question suggested by the specific case analyzed in Theorem 6.1 is the following: what is the boost in expressive power when we close fragments of first-order logic under various model-changing modalities?
7 Conclusion and further directions

The logic of stepwise removal of objects lies in between modal logics of definable model change and logics for graph games with arbitrary moves, and it may well be the most intuitive example of a modal system that crosses the line from decidable to undecidable.¹⁸ We have established its main properties, proving a bisimulation characterization theorem and other results on expressive power, a completeness theorem, and two basic complexity results. Most of the techniques that we used are well-known, others less so, and we also introduced a new technique for proving completeness. The resulting style of thinking can be applied to a wide range of modal systems of this sort.

¹⁶ Alternatively, $NF$ describes a model M in such a way that, for any model N that satisfies $NF$, Duplicator has a winning strategy in the Ehrenfeucht game over $N$ rounds between M and N starting with the partial isomorphism between the objects on both sides satisfying the atomic diagram (a).

¹⁷ Here is a general useful principle that is easy to state in first-order syntax. When we take out a point satisfying $\varphi(x) \wedge \psi$, where $x$ does not occur free in $\psi$, then we can just put $\psi$ outside in a conjunction.

¹⁸ Another contender is the ‘modal fact change logic’ of Thompson [2020].

Among the issues still to be addressed is the complexity problem for SR-bisimulation (§5), as well as the expressive closure problem for S5. Moreover, all of our questions return for some obvious extensions and variations.

Simultaneous versions of MLSR. It is natural to add a modality for removing a fixed finite number of points, either in a conjunctive unary version $\langle -(\varphi_1, \ldots, \varphi_k) \rangle \psi$ or with truly polyadic operators $\langle -\varphi \rangle \psi$, where the formulas $\varphi$ can be evaluated in a tuple of indices. These modalities seem undefinable as iterations of our unary $\langle -\varphi \rangle \psi$. Even so, we conjecture that all of our results go through.

Another immediate question concerns other extended modal logics.
Connections with hybrid logic. MLSR seems closely related to hybrid modal formalisms such as ‘memory logics’ that have been used to detect jumps to undecidability for fragments of FOL in an illuminating manner [Areces et al., 2008]. Given that MLSR translates into a fragment of the first-order language, cf. Fact 2.5, it may be of interest to compare the fragments that arise by adding the removal modality $\langle -\varphi \rangle \psi$ to various first-order fragments with the natural hierarchy offered by the memory-logic perspective.¹⁹

Then, there is the question of the scope of our methods.

Axiomatizing logics of graph games. It is a long-standing open problem how to axiomatize the validities of sabotage-style modal logics and related ones [Aucher et al., 2018]. Does our axiomatization technique for MLSR employing added dynamic epistemic modalities work for these logics, as well?²⁰

Next, returning to the issue of undecidability, a few questions arise naturally.

Other sources of undecidability. In addition to the undecidability induced by stepwise removal, there is the undecidability induced by local link-cutting or local definable point removal, taking place only at the current point of evaluation [Li, 2020]. Both modifications of dynamic-epistemic logics block the usual recursion axioms, both allow for tiling encodings, but the connection remains to be clarified.

But there are also other perspectives on complexity that we have found.

Lowering the complexity of MLSR. Can MLSR be shifted back into the decidable modal fold? For many logical systems, one can lower the complexity by a Henkin-style change in the semantics [Andréka et al., 2016]. In particular, one could restrict the removal of points to those that are accessible from the current point in some global relation $Axy$ and, if this does not suffice for decidability, one might use further guarding, so that the earlier first-order translations of MLSR formulas (from §2) end up inside guarded, or loosely guarded, fragments of FOL.
Yet, moves like this make most sense when connected to a principled view of computation. We believe that modal logics like MLSR, but also hybrid memory logics or related systems, offer an interesting alternative take on the sources of computational complexity.

¹⁹ The referee has suggested looking also at a variant of MLSR, where $\langle -\varphi \rangle \psi$ only describes taking away a point satisfying $\psi$ that is R-accessible from the current point. This modified logic of ‘accessible’ object removal translates into H(@, ↓), i.e., the bounded fragment of first-order logic.

²⁰ Modifications may be needed: e.g., for sabotage logics, one wants to name arrows rather than points.

In the usual automata hierarchy, Turing machine power arises when we have an active memory that can be rewritten. In our logics, however, a simple device that merely stores the set of deleted or visited points suffices. The reason must be the interplay of memory and expressiveness of the language for constructing models around that memory, suggesting a sort of descriptive complexity theory complementary to that of Immerman [1999].

Acknowledgments

We thank audiences in Amsterdam, Beijing, Gothenburg and Stanford for their comments on versions of this work, while Dazhu Li and the referee provided further useful corrections. We thank, especially, Alexandru Baltag for giving us the crucial hint toward our completeness theorem. But most of all, we are indebted to Carlos Areces for a very inspiring and pleasant collaboration during his 2018 spring stay at Stanford. Johan van Benthem was supported by the Tsinghua University Initiative Scientific Research Program, No. 2017THZWYX08.

References

H. Andréka, N. Bezhanishvili, J. van Benthem, and I. Németi. Changing a Semantics: Opportunism or Courage? In E. Alonso, M. Manzano, and I. Sain, editors, The Life and Work of Leon Henkin, pages 307–337. Birkhäuser Verlag, 2016.

C. Areces and B. ten Cate. Hybrid Logics. In P. Blackburn, J. van Benthem, and F.
Wolter, editors, Handbook of Modal Logic, pages 821–868. Elsevier Science, Amsterdam, 2006.

C. Areces, D. Figueira, S. Figueira, and S. Mera. Expressive Power and Decidability for Memory Logics. In W. Hodges and R. de Queiroz, editors, Logic, Language, Information and Computation, WoLLIC 2008. Lecture Notes in Computer Science, volume 5110, pages 56–68. Springer, Berlin, Heidelberg, 2008.

C. Areces, R. Fervari, and G. Hoffmann. Relation-Changing Modal Operators. Logic Journal of the IGPL, 23(4):601–627, 2015.

G. Aucher, J. van Benthem, and D. Grossi. Modal logics of sabotage revisited. Journal of Logic and Computation, 28(2):269–303, 2018.

J. van Benthem. An essay on sabotage and obstruction. In D. Hutter and W. Stephan, editors, Mechanizing Mathematical Reasoning: Essays in Honor of Jörg H. Siekmann on the Occasion of His 60th Birthday, Lecture Notes in Artificial Intelligence, 2605:268–276, 2005.

J. van Benthem. Logical Dynamics of Information and Interaction. Cambridge University Press, Cambridge UK, 2011.

J. van Benthem and F. Liu. Graph Games and Logic Design. In F. Liu, H. Ono, and J. Yu, editors, Knowledge, Proof and Dynamics, pages 125–146. Logic in Asia: Studia Logica Library, Springer: Singapore, 2020.

J. van Benthem, J. Gerbrandy, T. Hoshi, and E. Pacuit. Merging frameworks for interaction. Journal of Philosophical Logic, 38(5):491–526, 2009.

P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge University Press, Cambridge UK, 2011.

D. Gabbay. Introducing Reactive Kripke Semantics and Arc Accessibility. In D. Gabbay, editor, Reactive Kripke Semantics, pages 29–76. Springer Science, Dordrecht, 2013.

J. U. Hansen. A hybrid public announcement logic with distributed knowledge. Electronic Notes in Theoretical Computer Science, Elsevier Amsterdam, 273:33–50, 2011.

J. Hintikka and G. Sandu. Game-Theoretic Semantics. In A. ter Meulen and J. van Benthem, editors, Handbook of Logic and Language, pages 361–410. Elsevier Science, Amsterdam, 1997.

N.
Immerman. Descriptive Complexity. Springer Science Publishers, Dordrecht, 1999.

P. Kanellakis and S. Smolka. CCS expressions, finite state processes, and three problems of equivalence. In Proceedings of the 2nd ACM Symposium on Principles of Distributed Computing, pages 228–240. Springer Science, Dordrecht, 1983.

M. Kracht and F. Wolter. Normal Monomodal Logics can Simulate All Others. Journal of Symbolic Logic, 64(1):99–138, 1999.

D. Li. Losing Connection: The Modal Logic of Definable Link Deletion. Journal of Logic and Computation, 30(3):715–743, 2020.

C. Löding and P. Rohde. Solving the Sabotage Game is PSPACE-Hard. In B. Rovan and P. Vojtás, editors, Mathematical Foundations of Computer Science 2003. MFCS 2003. Lecture Notes in Computer Science, 2747, 2003.

M. Marx. Complexity of Modal Logic. In P. Blackburn, J. van Benthem, and F. Wolter, editors, Handbook of Modal Logic, pages 139–179. Elsevier Science, Amsterdam, 2006.

G. Renardel de Lavalette. A Logic of Modification and Creation. In C. Condoravdi and G. Renardel de Lavalette, editors, Logical Perspectives on Language and Information, pages 197–219. CSLI Publications, Stanford, 2001.

P. Rohde. On games and logics over dynamically changing structures. Ph.D. dissertation, RWTH Aachen University, Germany, pages 1–216, 2005.

L. J. Stockmeyer and A. R. Meyer. Word problems requiring exponential time. Proceedings of the 5th ACM Symposium on Theory of Computing, STOC ’73, pages 1–9, 1973.

D. Thompson. Local Fact Change Logic. In F. Liu, H. Ono, and J. Yu, editors, Knowledge, Proof and Dynamics, pages 73–96. Logic in Asia: Studia Logica Library, Springer: Singapore, 2020.

F. Zaffora Blando, K. Mierzewski, and C. Areces. The Modal Logics of the Poison Game. In F. Liu, H. Ono, and J. Yu, editors, Knowledge, Proof and Dynamics, pages 3–23. Logic in Asia: Studia Logica Library, Springer: Singapore, 2020.