Dynamic Logics of Knowledge and Access
Tomohiro Hoshi
Department of Philosophy
Stanford University
Eric Pacuit∗
Tilburg Center for Logic and Philosophy of Science
Tilburg University
July 22, 2010
Abstract. A recurring issue in any formal model representing agents’ (changing)
informational attitudes is how to account for the fact that the agents are limited
in their access to the available inference steps, possible observations and available
messages. This may be because the agents are not logically omniscient and so do not
have unlimited reasoning ability. But it can also be because the agents are following a
predefined protocol that explicitly limits statements available for observation and/or
communication. Within the broad literature on epistemic logic, there are a variety
of accounts that make precise a notion of an agent’s “limited access” (for example,
Awareness Logics, Justification Logics, and Inference Logics). This paper interprets
the agents’ access set of formulas as a constraint on the agents’ information gathering
process limiting which formulas can be observed.
Keywords: Dynamic Epistemic Logic, Logics of Awareness, Epistemic Temporal
Logic
1. Introduction and Motivation
Reasoning about rational agents interacting over time is a central topic
in many areas of philosophy, computer science and economics. An important challenge for the logician is to account for the many dynamic
processes that govern the agents’ interaction over time. Inference, observation and communication are all examples of such processes that
are the focus of current logics of informational update and belief revision (see, for example, van Benthem, 1996; van Ditmarsch et al.,
2007; Parikh and Ramanujam, 2003)¹. A recurring issue in any formal
model representing agents’ (changing) informational attitudes is how
to account for the fact that the agents are limited in their access to the
available inference steps, possible observations and available messages.
This may be because the agents are not logically omniscient and so
do not have unlimited reasoning ability. But it can also be because
the agents are following a predefined protocol that explicitly limits
statements available for observation and/or communication.
∗ Eric Pacuit is supported by the NWO Vidi grant 016.094.345.
¹ Of course, one may argue that (logical) inference is the central topic of any
logic. What we have in mind here is reasoning about agents that make inferences.
© 2010 Kluwer Academic Publishers. Printed in the Netherlands.
logobs-final.tex; 22/07/2010; 21:23; p.1
Within the broad literature on epistemic logic, there are a variety of
accounts that make precise a notion of an agent’s “limited access”.
An early approach of Fagin and Halpern (1988)² extends standard
epistemic logic with an awareness operator Aϕ intended to mean “the
agent is aware of the sentence ϕ”. More recently, work building on
Artemov’s Logic of Proofs (Artemov, 2001) labels epistemic modal
operators with proof terms that explicitly keep track of the agent’s
“justification” for (the truth of) a formula (see Fitting, 2005; Artemov
and Nogina, 2005; Renne, 2008, and references therein). Other logics
focus on explicitly modeling inferential steps that individual agents can
make while interacting with other agents and the environment (see,
for example, Eberle, 1974; Ågotnes and Alechina, 2007; van Benthem,
2008; Velazquez-Quesada, 2009). Finally, van Benthem et al. (2009)
develop logics for reasoning about situations where the facts that agents
can observe are limited by a predefined protocol (cf. Parikh and Ramanujam, 2003). Although the logical frameworks referenced above do
differ in both “implementation details” and some underlying intuitions,
there is a common thought that represents “what an agent currently
has access to” as a set of formulas. We call this set of formulas the
agent’s access set.
There are two interpretations of this access set that can be found in
the literature. The first views the access set as the (current) outcome
of some information gathering process. That is, agents only have direct
access to formulas that they have explicitly added to the access set
(typically as a result of a logical inference step or observation, but
other – trusted – agents may contribute to the access set through
communication). This is the interpretation of the access sets found
in the awareness logics (Halpern and Rego, 2005), justification logics
(Artemov and Nogina, 2005; Fitting, 2005), inference logics (Ågotnes
and Alechina, 2007; van Benthem, 2008; Velazquez-Quesada, 2009) and
other epistemic logics with “explicit” knowledge operators. The second
interpretation, found in (van Benthem et al., 2009), uses the access set
to constrain the current information gathering process. That is, the
access set consists of the sentences that an agent can³ observe or infer.
² See also (Halpern and Rego, 2005; Halpern, 2001) for a recent discussion and
references to relevant literature on the notion of awareness in game theory.
³ We may also say “is permitted to” or “has the ability to” (cf. Balbiani et al.,
forthcoming).
Formally, the access set is a new parameter that is added to standard
epistemic models⁴. This suggests a number of technical and conceptual
questions (especially in social situations involving many agents):
1. How should we extend the basic modal language to reason about
epistemic models with access sets? Of course, the answer here depends on the intended interpretation of the access sets and the type
of properties that need to be expressed. To give just two examples: Halpern and Rego (2009) use a propositional modal language
with quantifiers over propositions and Artemov and others use a
modal language with labeled modalities where each label refers to
a different access set (cf. Artemov and Nogina, 2005; Fitting, 2005).
2. What do the agents “know” about the other agents’ access sets?
Again concrete answers to this question depend on the intended
interpretation of the access sets. For example, if the access set represents the set of formulas an agent is “aware of”, then certainly an
agent cannot know that another agent is aware of a specific formula
ϕ without that agent being aware of ϕ. On the other hand, when
access sets are “generated” by some underlying protocol or social
convention it is natural to study situations where that underlying
protocol may or may not be commonly known among the agents.
3. What dynamic operations change the access sets over time? A common assumption in the literature is that formulas are added to the
access sets as a result of some logical inference (cf. Ågotnes and
Alechina, 2007). However, access sets may also change as a result
of observation and/or communication. There is now an extensive
literature on so-called dynamic epistemic logics describing different “epistemic actions” changing the agents’ (implicit) information
(both (van Ditmarsch et al., 2007), and (van Benthem, 2010), are
recent textbook presentations of this literature). Building on this
literature, van Benthem (2008) studies logics with epistemic actions such as “becoming informed that...” or “seeing that...” which
change the access sets (Velazquez-Quesada, 2009; van Ditmarsch
and French, 2010; Hill, 2010).
Much of the epistemic logic literature incorporating some version of
an access set has focused on the first interpretation where access sets
represent the agents’ current stock of “available formulas”. And so, each
of the above questions has been addressed with this interpretation in
mind. In this paper, we focus on the second interpretation where the
access sets constrain the agents’ social interactions and information
gathering processes due to some underlying protocol or social convention. This continues a line of research initiated in (van Benthem et al.,
2009, Section 4). There a constrained public announcement logic, where
the formulas that can be observed (or announced) are restricted by
some predefined protocol, is axiomatized.
⁴ Typically, a set of formulas is assigned to each agent at each state in an epistemic
model. There is often additional structure placed on these sets (cf. Halpern, 2001
and Fitting, 2005). Such technical details are not important for the discussion in
this section, though they will play a role in Section 3.5.
We have two main goals in this paper. The first is to investigate the
above questions (especially questions 1 and 2) in contexts where the
agents’ access sets are given by some underlying protocol. As mentioned
above, this leads to interesting new technical results building on the
work in (van Benthem et al., 2009). Our main technical contribution is
an axiomatization where semi-private announcements are constrained
by a predefined protocol (Section 3.3). Our second goal is to formally
relate the logical framework that we investigate in this paper with
similar frameworks found in the literature. In some cases, this leads to
technical results showing our models are specific cases of more general
“temporal dynamic epistemic models” as discussed in (van Benthem
et al., 2009; Hoshi, 2009). We discuss this in Section 3.2. Comparisons
with frameworks where the access sets are interpreted as outcomes
of some information gathering processes (e.g., Awareness Logics and
Justification Logics) are not as direct. Nonetheless, Section 4 points
to a number of conceptual issues suggested by our logical framework.
2. Background
Many logical systems today describe some form of “information dynamics”. However, two main approaches can be singled out. The first
is exemplified by epistemic temporal logic (ETL, Fagin et al., 1995;
Parikh and Ramanujam, 2003) which uses linear or branching time
models with added epistemic structure induced by the agents’ different
capabilities for observing events. These models provide a “grand stage”
where histories (i.e., sequences of events) of some social situation are
constrained by a protocol. Here a protocol is intended to represent
the rules or conventions that govern many of our social interactions.
Imposing such rules restricts the legitimate sequences of possible events
(e.g., messages or observations). The other approach is exemplified by
dynamic epistemic logic (DEL, Gerbrandy, 1999; Baltag et al., 1998;
van Ditmarsch et al., 2007) which describes social interactions in terms
of epistemic event models (which may occur inside modalities of the
language). Similar to the way epistemic models are used to capture
the (hard) information the agents have about a fixed social situation,
an event model describes the agents’ information about which actual
event is currently taking place. The temporal evolution of the situation is then computed from some initial epistemic model through a
process of successive “product updates”. Consult (van Benthem et al.,
2009; Kooi and Pacuit, 2010) for an extensive discussion of these two
perspectives on rational interaction.
We assume the reader is familiar with standard epistemic logic and
the various dynamic versions mentioned above. Indeed, there are now
a number of textbooks and survey papers that have thorough introductions to these topics (see, for example, Fagin et al., 1995; van Ditmarsch
et al., 2007; van Benthem, 2010; Pacuit, forthcoming; and references
therein). In this section, we discuss some key definitions used in this
paper. We start with the familiar definition of an epistemic model:
DEFINITION 1. Let At be a set of atomic propositions. An epistemic
model is a tuple ⟨W, {R_i}_{i∈A}, V⟩ where W is a nonempty set (whose
elements are called worlds or states), for each i ∈ A, R_i ⊆ W × W
is a relation⁵ and V is a valuation function (V : At → 2^W).
An ETL model is a special case of an epistemic model where the
states are sequences of primitive events. That is, given a finite nonempty
set Σ (whose elements are called events), an ETL model (based on
Σ) is a tuple ⟨H, {R_i}_{i∈A}, V⟩ where {R_i}_{i∈A} and V are as in the above
definition and H ⊆ Σ∗ is closed under non-empty prefixes. Elements of
H are called histories and are intended to represent a possible way that
a social situation may unfold. So, ETL models are forests (in general,
there need not be a unique initial state) with relations for each agent
on the set of histories (for this reason we often refer to ETL models as
ETL forests). Different modal languages describe ETL models (see,
for example, Hodkinson and Reynolds, 2006; Fagin et al., 1995), with
‘branching’ or ‘linear’ variants. As an example, the language L_ETL
contains both knowledge and “event” modalities:
p | ¬ϕ | ϕ ∧ ψ | K_i ϕ | ⟨e⟩ϕ
where i ∈ A, e ∈ Σ and p ∈ At (the set of atomic propositions). The
boolean connectives (∨, →, ↔) and the dual modal operators (L_i, [e])
are defined as usual. The intended interpretation of ‘⟨e⟩ϕ’ is “after event
e (does) take place, ϕ is true”. Formulas are interpreted at histories: let
H = ⟨H, {R_i}_{i∈A}, V⟩ be an ETL model, ϕ ∈ L_ETL and h ∈ H, define
H, h |= ϕ inductively as follows (we only give the modal definitions as
the boolean connectives and atomic propositions are as usual),
1. H, h |= K_i ϕ iff for each h′ ∈ H, if h R_i h′ then H, h′ |= ϕ
2. H, h |= ⟨e⟩ϕ iff he ∈ H and H, he |= ϕ
⁵ Typically, it is assumed that these relations are equivalence relations, but this
is not necessary.
The epistemic language, denoted L_EL, is the sublanguage of L_ETL
without the event modalities. Natural extensions of L_ETL include group
operators (e.g., common or distributed knowledge) and more expressive
temporal operators (e.g., arbitrary future or past modalities).
A key observation from (van Benthem et al., 2009) is that we can
generate ETL models from an initial epistemic model using the machinery of DEL. This opens the door to rigorously comparing and merging
the two main logical accounts of the dynamics of information in social
interactive situations. Formally, a DEL protocol is a tree of event
models (representing the complex informative events that are available
at each moment). Given an epistemic model M = ⟨W, {R_i}_{i∈A}, V⟩ and
a DEL protocol P, Forest(M, P) is the ETL model representing all possible evolutions of the system obtained by updating M with sequences
from P. We do not include the details of this general construction here
(see van Benthem et al., 2009, Definitions 8 & 10). Instead we briefly
discuss constrained public announcement logic which reexamines public
announcement logic (PAL, Gerbrandy, 1999; Plaza, 1989) in situations
where the availability of formulas for observation is constrained by a
predefined protocol.
A public announcement is an event where some (epistemic) formula
ϕ is made publicly available. That is, it is completely open and all
agents not only observe the event but also observe everyone else observing the event, and so on ad infinitum. Furthermore, all agents treat
the source as infallible. Thus the effect of such an event on an epistemic
model should be clear: remove all states that do not satisfy ϕ. Formally,
DEFINITION 2. Suppose M = ⟨W, {R_i}_{i∈A}, V⟩ is an epistemic model
and ϕ is a (epistemic) formula. The model updated by the public announcement of ϕ is the structure M^ϕ = ⟨W^ϕ, {R_i^ϕ}_{i∈A}, V^ϕ⟩ where
W^ϕ = {w ∈ W | M, w |= ϕ}, for each i ∈ A, R_i^ϕ = R_i ∩ (W^ϕ × W^ϕ),
and for all atomic propositions p, V^ϕ(p) = V(p) ∩ W^ϕ.
The language of PAL extends L_EL with dynamic modal operators,
⟨ϕ⟩ψ, meaning “after ϕ is publicly announced, ψ is true”. These modal
operators are interpreted on epistemic models as follows:
M, w |= ⟨ϕ⟩ψ iff M, w |= ϕ and M^ϕ, w |= ψ.
A PAL protocol is a tree of (epistemic) formulas. Given an epistemic model M and PAL protocol P, an ETL model Forest(M, P)
can be generated by performing public announcements of formulas
permitted by P.⁶ More concretely, a sequence of epistemic formulas
σ = ϕ_1 · · · ϕ_n with an initial epistemic model generates a sequence of
epistemic models
M, M^{ϕ_1}, (M^{ϕ_1})^{ϕ_2}, . . . , (((M^{ϕ_1})^{ϕ_2})^{···})^{ϕ_n}
This can be turned into an ETL model with histories of the form
wϕ_1ϕ_2 · · · ϕ_j where w is a state in M and M, w |= ⋀_{1≤i≤j} ϕ_i. Then
Forest(M, P) consists of all such histories consistent with P.
In this new setting the PAL formula ⟨ϕ⟩⊤ not only expresses that
the current model is updated by the public announcement of ϕ but also
that ϕ is permitted according to the predefined PAL protocol. Taking
into account this new interpretation of the PAL language, van Benthem
et al. (2009) give a sound and complete axiomatization of the class of
all ETL models generated by some epistemic model and PAL protocol⁷.
However, a public announcement is one specific type of event model;
what about classes of ETL models generated by other types of event
models? That is, given a set of DEL protocols X, can we axiomatize
the class F(X) = {Forest(M, P) | M an epistemic model and P ∈ X}?
Three parameters are crucial for such a logical analysis:
1. The type of epistemic events in the protocol(s). Examples range
from public announcements (Definition 2) where everyone witnesses
the same event to private communications between a group of
agents with the other agents not even being aware of the event.
2. Structural properties of the protocol(s). Examples range from restricting trees to a fixed length to “fairness properties” such as if
the agent can observe ϕ, then the agent can observe ¬ϕ.
3. Expressivity of the formal language used to describe these DEL
generated ETL models.
There is a growing literature providing logical analyses along these
lines although the general situation is not yet fully understood. It is
beyond the scope of this paper to provide a complete survey of this
literature: see (van Benthem et al., 2009) for a discussion. This paper
contributes to this literature in two ways. First, we axiomatize F(X)
where X is the class of semi-private announcements satisfying various
structural properties. Second, we suggest that the formal language used
to describe ETL models of the form Forest(M, P) should contain three
different types of operators: (1) operators describing the agents’ informational attitudes (knowledge, beliefs, group notions), (2) temporal and/or
dynamic operators and (3) operators that can describe the protocol.
⁶ Actually the most general situation is where there are different PAL protocols
at each state. We return to this issue in Section 3.3.
⁷ Note that the usual method for proving completeness via reduction axioms will
not work here. In particular, ϕ being true does not necessarily imply that ϕ can
be announced, and so the PAL validity ϕ ↔ ⟨ϕ⟩⊤ is not valid (of course, ⟨ϕ⟩⊤ → ϕ
is valid since we are working with true announcements).
3. Protocols of Semi-Private Announcements
We assume that at each moment different pieces of information are
made publicly available. However, as opposed to public announcements
where all agents have access to this information, we assume that different agents have access to different pieces of information. Thus we
are interested in ETL models generated by protocols consisting of the
following type of event model:
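[Figure: event model with two events, e with precondition ϕ and f with precondition ϕ̄; each event carries a loop labelled A, and the two events are linked by an edge labelled G.]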
where A is the (finite) set of agents, ϕ is a formula (in the language
defined below) and ϕ̄ is the “negation” of ϕ (i.e., ϕ̄ = ψ if ϕ = ¬ψ
and ϕ̄ = ¬ϕ otherwise). This event model represents situations where
(the truth of) ϕ is made available only to the agents A − G. Of course,
the event itself is public so which agents actually have access to which
pieces of information is commonly known (i.e., the agents in G know
that the agents in A − G know whether ϕ is true).
The logical framework discussed in the previous section based on
(van Benthem et al., 2009) is very general, focusing on ETL models
generated by arbitrary event models. Note that when working with a
specific type of event model (e.g., public announcement or semi-private
announcement), many of the definitions can be simplified (cf. the constrained public announcement logic from Section 4 of van Benthem
et al., 2009). These simplified versions also facilitate a more direct
comparison with various awareness logics discussed in Section 1. The
precise relationship with the more general framework of (van Benthem
et al., 2009) is given in Section 3.2.
3.1. A Dynamic Logic of Knowledge and Access
The Language. The language of the Dynamic Logic of Knowledge
and Access (DKA) includes standard epistemic and dynamic modalities
plus operators intended to describe each agent’s access set, or protocol
(i.e., which formulas the agent has access to). Fix a finite set A of
agents and a (countable) set of atomic propositions At. The language
L_DKA is defined inductively:
ϕ ::= ⊤ | p | ¬ϕ | ϕ ∧ ϕ | K_i ϕ | ⟨ϕ⟩ϕ | A_i ϕ
where p ∈ At and i ∈ A. The dual operators, L_i and [ϕ], and other
boolean operators are defined as usual. The epistemic fragment of
L_DKA without the ‘⟨ϕ⟩’ and ‘A_i’ operators is denoted L_EL. The intended meaning of the modal operators is summarized below:
− Ki ϕ is intended to mean “according to i’s current information ϕ is
true” (following the standard convention we may also say “agent
i knows that ϕ”).
− ⟨ϕ⟩ψ is intended to mean “after ϕ is made publicly available, ψ
is true” (we may also say “after ϕ is announced ψ is true”, but
this should not be confused with the public announcement of ϕ
discussed in the previous section).
− Ai ϕ is “agent i has access to ϕ” (alternatively we may say “agent
i can observe ϕ” or “agent i has the ability to observe ϕ”).
For later use, we define the complexity c(ϕ) of a formula ϕ:
DEFINITION 3. The complexity of ϕ, denoted c(ϕ), is defined as
follows: c(p) = 0 where p ∈ At, c(α ∧ β) = c(α) + c(β) + 1, c(¬α) = 1 +
c(α), c(K_i α) = 1 + c(α), c(A_i α) = 1 + c(α) and c(⟨α⟩β) = c(α) + c(β) + 1.
The Semantics. Our models extend epistemic models with a description of what the agents can observe. Note that “being able to observe ϕ”
is an event type which we take to mean that in situations where ϕ is true,
the agent observes that ϕ and when ϕ is false the agent observes that
¬ϕ. This explains the closure condition in the following definition:
DEFINITION 4. A protocol is a function p : A × N → ℘(L_DKA) such
that, for every n ∈ N, i ∈ A, and ϕ ∈ L_DKA, ϕ ∈ p(i, n) iff ϕ̄ ∈ p(i, n).
We denote the set of protocols by Ptcl. For brevity, we write p_i^n for
p(i, n) where p ∈ Ptcl, i ∈ A, and n ∈ N.
Using the terminology from Section 1, a protocol describes for each
agent and each moment which formulas that agent can access. So, in
this setting, the agents’ access sets consist of sequences of formulas
representing which observations are available now and in the future
(and in what order). The closure condition states that agents have
access to a formula iff they have access to its “negation”. Of course,
this is only one of many different properties that may be assumed about
the protocol. For example, it may be natural to assume that if an agent
has access to both ϕ and ψ then the agent must also have access to
ϕ ∧ ψ. Using the access modality Ai such properties will be expressible
in our language. This will be discussed in more detail in Section 3.5.
DEFINITION 5. An epistemic model with a protocol is a quadruple ⟨W, {R_i}_{i∈A}, V, p⟩, where ⟨W, {R_i}_{i∈A}, V⟩ is an epistemic model
(Definition 1) and p is a protocol (Definition 4).
We are restricting attention to one type of dynamic epistemic action:
“making ϕ publicly available where only some of the agents have access
to (the observation of) ϕ”. Here “having access to ϕ” means that the
agent can incorporate the observation of ϕ into the agent’s current
information. Formally, “making ϕ publicly available” amounts to performing a product update (Baltag et al., 1998) with the semi-private
announcement of ϕ using the event model given above (where G is the
set of agents who do not have ϕ in their protocol). In this simplified
setting, we can define this update as a restriction on the agents’ current
accessibility relations. Intuitively, if an agent incorporates the observation of ϕ, she should consider possible only states where ϕ is true. But
in order to do this, the agent must have access to both ϕ and ϕ̄ (this
also explains the closure condition placed on protocols in Definition 4).
So, the accessibility relation does not change for agents without access
to ϕ. For agents with access to ϕ, all connections between ϕ and ¬ϕ
worlds are dropped.
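DEFINITION 6. Let P = ⟨W, {R_i}_{i∈A}, V, p⟩ be an epistemic model
with a protocol. The truth of a formula ϕ in L_DKA is defined as follows:
$$
\begin{array}{lll}
P, w \models p & \text{iff} & w \in V(p) \quad (\text{with } p \in P) \\
P, w \models \neg\varphi & \text{iff} & P, w \not\models \varphi \\
P, w \models \varphi \wedge \psi & \text{iff} & P, w \models \varphi \text{ and } P, w \models \psi \\
P, w \models K_i \varphi & \text{iff} & \forall v \in W: \text{ if } w R_i v \text{ then } P, v \models \varphi \\
P, w \models \langle\varphi\rangle\psi & \text{iff} & P, w \models \varphi \text{ and } P \otimes \varphi, w \models \psi \\
P, w \models A_i \varphi & \text{iff} & \varphi \in p(i, 0)
\end{array}
$$
where P ⊗ ϕ = ⟨W′, {R′_i}_{i∈A}, V′, p′⟩ is defined by:
$$
\begin{aligned}
W' &:= W \\
R_i' &:= \begin{cases} R_i & \text{if } \varphi \notin p(i, 0) \\ \{(w, v) \in R_i \mid P, w \models \varphi \text{ iff } P, v \models \varphi\} & \text{if } \varphi \in p(i, 0) \end{cases} \\
V'(p) &:= V(p) \\
p'(i, n) &:= p(i, n + 1)
\end{aligned}
$$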
3.2. Comparison with Other Systems
We stress that there is nothing new in the definition of the above
epistemic action. Indeed, it is a simple exercise to check that for any
epistemic model M and formula ϕ, M ⊗ ϕ is isomorphic to the model
resulting from the product update of M and the event model:
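[Figure: event model with two events, e with precondition ϕ and f with precondition ϕ̄; each event carries a loop labelled A, and the two events are linked by an edge labelled G.]
where G = {i | ϕ ∉ p_i^0}. In this section, we are more precise about the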
relationship between our framework and the logical systems discussed
in Section 2.
It is easy to see that our framework generalizes public announcement
logic (PAL). Let L_PAL be the set of PAL-formulas. Also let P_PAL =
⟨W, {R_i}_{i∈A}, V, p⟩ be a model where for each i ∈ A and n ∈ N, p(i, n) =
L_PAL. It is a simple exercise to check that for each ϕ ∈ L_PAL:
P_PAL, w |= ϕ in DKA iff ⟨W, {R_i}_{i∈A}, V⟩, w |= ϕ in PAL.
So, in a PAL model, agents always have access to all formulas. Given
this it should not be surprising that there are PAL validities that are
falsifiable over the class of epistemic models with protocols:
OBSERVATION 1. The following are falsifiable:
1. ⟨α⟩⟨β⟩ϕ → ⟨⟨α⟩β⟩ϕ
2. [p]K_i p where p ∈ At
3. ⟨θ⟩K_i ϕ ↔ ⟨θ⟩⊤ ∧ K_i(θ → ⟨θ⟩ϕ)
Proof. The first two formulas illustrate the role that the protocols
play in our framework.
1. Formula 1 can be falsified by putting α = β := p and ϕ := K_i p.
Let P = ⟨W, {R_i}_{i∈A}, V, p⟩ be a model where P, w |= p ∧ ¬K_i p for
some w. If p ∈ p(i, 1) and p ∈ p(i, 2), but ⟨p⟩p ∉ p(i, 1), we have
P, w |= ⟨p⟩⟨p⟩K_i p ∧ ¬⟨⟨p⟩p⟩K_i p.
2. Formula 2 can be falsified at any state w in P = ⟨W, {R_i}_{i∈A}, V, p⟩
where P, w |= p ∧ ¬K_i p and p ∉ p(i, 0).
3. Formula 3 is a critical formula for the reduction analysis in PAL,
which can be falsified by putting θ = ϕ := p. Consider a model
P = ⟨W, {R_i}_{i∈A}, V, p⟩ and state w where P, w |= p ∧ ¬K_i p but
p ∉ p(i, 0). Then the left-hand-side of the bi-conditional is false
while the right-hand-side is true.
However, there is an embedding from the language of PAL to L_DKA
that preserves validity: let sub(ϕ) be the set of subformulas of ϕ,
PROPOSITION 1. For every formula ϕ of PAL,
$$
\varphi \text{ is valid in PAL} \quad \text{iff} \quad \bigwedge_{i \in A} \bigwedge_{\psi \in \mathrm{sub}(\varphi)} A_i \psi \rightarrow \varphi \text{ is valid in DKA}
$$
The simple but instructive proof is left to the reader (but the intuition is
clear: the dynamic operation “make ϕ public” from Definition 6 behaves
like a public announcement of ϕ provided all agents have access to all
subformulas of ϕ).
We conclude this section with a precise comparison with temporal
dynamic epistemic logic as discussed in Section 2 (cf. also Hoshi, 2009;
Hoshi and Yap, 2009). In DKA, when ϕ is made publicly available,
the agents may or may not obtain the information that ϕ, depending
on whether they have access to ϕ. As discussed above, this situation
can be modeled by an event model that consists of two events, whose
preconditions are ϕ and ¬ϕ respectively. Only agents who have access
to ϕ (and ¬ϕ) can distinguish these two events. We give a formal
translation below.
Let p be a protocol and ϕ a formula in L_DKA. Define an event
model⁸ E(ϕ, p, n) = ⟨E, {→_i}_{i∈A}, pre⟩ as follows:
1. E = {1, 2}
2. The relation →_i is given by
$$
\rightarrow_i \; = \begin{cases} \{(1, 1), (1, 2), (2, 1), (2, 2)\} & \text{if } \varphi \in p(i, n) \\ \{(1, 1), (2, 2)\} & \text{if } \varphi \notin p(i, n) \end{cases}
$$
3. pre(1) = ϕ, pre(2) = ¬ϕ
⁸ An event model is a tuple ⟨E, {→_i}_{i∈A}, pre⟩ where E is a set of primitive
events, for each i ∈ A, →_i is a relation on E and pre : E → L_EL. We assume the
reader is familiar with this notion, the definition of product update and the language
of DEL (Baltag et al., 1998; van Ditmarsch et al., 2007; van Benthem, 2010).
Given a protocol model P = ⟨W, {R_i}_{i∈A}, V, p⟩, we define a DEL
generated ETL model tr(P) = Forest(M_P, p_P) as follows:
1. M_P = ⟨W, {R_i}_{i∈A}, V⟩ and
2. p_P is a state-dependent protocol⁹ on M_P such that, for every w ∈
W, p_P(w) consists of all sequences of the form σ = σ_0 · · · σ_n where
σ_k (0 ≤ k ≤ n) is of the form ⟨E(ϕ, p, k), e⟩ with e in E(ϕ, p, k).
Let L⁻_DKA be the fragment of L_DKA without the operator A_i. We
are now ready to give a formal translation from our language to the
language of temporal dynamic epistemic logic. For each k ∈ N define
tr_k as follows: tr_k(p) = p, tr_k commutes with the boolean connectives
and the K_i operators and
tr_k(⟨ϕ⟩ψ) = ⟨E(tr_k(ϕ), p, k), 1⟩ tr_{k+1}(ψ)
Unpacking the above definitions gives us the following result: let |=_ETL
denote the truth relation for ETL models (see Section 2),
PROPOSITION 2. For any epistemic model with a protocol and formula ϕ ∈ L_DKA,
P, w |= ϕ iff tr(P), w |=_ETL tr_0(ϕ).
3.3. Axiomatization
There are two main categories of axiom schemes. The first contains
reduction axioms describing the effect of “making a formula publicly
available” on an epistemic model:
R1 ⟨θ⟩p ↔ θ ∧ p where p ∈ At
R2 ⟨θ⟩¬ϕ ↔ θ ∧ ¬⟨θ⟩ϕ
R3 ⟨θ⟩(ϕ ∧ ψ) ↔ ⟨θ⟩ϕ ∧ ⟨θ⟩ψ
R4 ⟨θ⟩K_i ϕ ↔ θ ∧ (A_i θ → K_i[θ]ϕ) ∧ (¬A_i θ → K_i([θ]ϕ ∧ [θ̄]ϕ))
⁹ A state-dependent protocol on an epistemic model M assigns a possibly
different protocol to each state in the model.
Two key observations about these axiom schemes are in order. First
of all, note that ⟨θ⟩⊤ ↔ θ is a consequence of R1. This means that
any true formula can always be made publicly available. Of course,
whether agents have access to this formula depends on their protocols.
This distinguishes our framework from the one found in Section 4 of
(van Benthem et al., 2009) where ⟨θ⟩⊤ means both that θ is publicly
announced and θ can be observed according to the protocol. Here ⟨θ⟩⊤
simply means that θ is made publicly available. We use the A_i operator
to express when agents have access to a specific formula (i.e., A_i ϕ means
that ϕ is in agent i’s current protocol).
Second, strictly speaking, R4 may not be properly called a reduction axiom since the right-hand side of the biconditional increases the
complexity (according to Definition 3) of the formula inside the announcement modality. Nonetheless, following the usual reduction axiom
methodology, the right-hand side does describe what agents know after
θ is made publicly available in terms of the agent’s current information.
When θ is made publicly available, there are two cases to consider. The
first is when agent i does have access to θ, so Ai θ is true. This case is
covered by the second conjunct. When an agent has access to θ, the links
between θ-worlds and ¬θ-worlds are removed after the announcement
of θ. Thus, hθiKi ϕ is the same as Ki [θ]ϕ following typical reduction
axiom reasoning. The third conjunct describes the situation in which
the agent does not have access to θ (so ¬Ai θ is true). In this case, the
agent’s accessibility relation will not change, so any links between θworlds and ¬θ-worlds will not be removed. Thus, agents will know the
formulas that survive both an announcement of θ and an announcement
of θ̄. This situation is described by the formula Ki ([θ]ϕ ∧ [θ̄]ϕ).
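The two cases of R4 can be checked mechanically on a small model. The following Python model checker is an added example, not code from the paper. It assumes the update of Definition 6 acts as the paragraph above describes (an agent with access to θ loses the links between θ-worlds and ¬θ-worlds, an agent without access keeps its relation, and the protocol advances one step) and that the overline strips one leading negation or adds one; the tuple encoding, function names and two-world model are constructed for illustration.

```python
from dataclasses import dataclass

# Formulas are nested tuples (an encoding constructed for this example):
# ("atom", p), ("not", f), ("and", f, g), ("K", i, f), ("A", i, f),
# and ("dia", theta, f) for <theta>f.
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Imp(f, g): return Not(And(f, Not(g)))
def K(i, f): return ("K", i, f)
def A(i, f): return ("A", i, f)
def Dia(theta, f): return ("dia", theta, f)
def Box(theta, f): return Not(Dia(theta, Not(f)))   # [theta]f

def comp(f):
    """Complement of f (assumed reading of the overline)."""
    return f[1] if f[0] == "not" else Not(f)

@dataclass
class Model:
    worlds: tuple
    rel: dict     # agent -> frozenset of (w, v) accessibility pairs
    val: dict     # atom name -> frozenset of worlds where it is true
    proto: dict   # agent -> tuple of access sets; index n is "n steps ahead"

    def access(self, i, n=0):
        steps = self.proto[i]
        return steps[n] if n < len(steps) else frozenset()

def update(m, theta):
    """Make theta publicly available (assumed semantics, see lead-in)."""
    truth = {w: holds(m, w, theta) for w in m.worlds}
    rel = {}
    for i, pairs in m.rel.items():
        if theta in m.access(i):
            # i can observe theta: drop links between theta- and non-theta-worlds
            pairs = frozenset((w, v) for (w, v) in pairs if truth[w] == truth[v])
        rel[i] = pairs          # without access, i's relation is unchanged
    proto = {i: steps[1:] for i, steps in m.proto.items()}   # time moves on
    return Model(m.worlds, rel, m.val, proto)

def holds(m, w, f):
    tag = f[0]
    if tag == "atom":
        return w in m.val[f[1]]
    if tag == "not":
        return not holds(m, w, f[1])
    if tag == "and":
        return holds(m, w, f[1]) and holds(m, w, f[2])
    if tag == "K":
        return all(holds(m, v, f[2]) for (u, v) in m.rel[f[1]] if u == w)
    if tag == "A":
        return f[2] in m.access(f[1])
    if tag == "dia":   # theta must be true now, f true after the update
        return holds(m, w, f[1]) and holds(update(m, f[1]), w, f[2])
    raise ValueError(f"unknown formula {f!r}")

def r4_sides(i, theta, phi):
    """Left- and right-hand side of R4 for agent i."""
    lhs = Dia(theta, K(i, phi))
    rhs = And(theta, And(
        Imp(A(i, theta), K(i, Box(theta, phi))),
        Imp(Not(A(i, theta)),
            K(i, And(Box(theta, phi), Box(comp(theta), phi))))))
    return lhs, rhs

def r4_valid(m, i, theta, phi):
    lhs, rhs = r4_sides(i, theta, phi)
    return all(holds(m, w, lhs) == holds(m, w, rhs) for w in m.worlds)

def sample_model():
    """Constructed model: p true only at w1, neither agent can tell w1 from w2.
    Agent a may observe p now; agent b only from the next step on."""
    p = ("atom", "p")
    both = frozenset({p, comp(p)})          # closed under complement (P-neg)
    full = frozenset((w, v) for w in ("w1", "w2") for v in ("w1", "w2"))
    return Model(
        worlds=("w1", "w2"),
        rel={"a": full, "b": full},
        val={"p": frozenset({"w1"})},
        proto={"a": (both, both), "b": (frozenset(), both)},
    )
```

In the sample model, making p available once informs agent a but not agent b; a second announcement informs b, because b's access set at the next step contains p.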
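To introduce the second category of axiom schemes, we need some
notation. Let $\sigma$ be a (possibly empty) finite sequence of $\mathcal{L}_{DKA}$-formulas
(we write this as $\sigma \in \mathcal{L}^*_{DKA}$). We denote the length of $\sigma$ by $len(\sigma)$. Also,
we denote by $\sigma_n$ and $\sigma_{(n)}$ the $n$-th element of $\sigma$ and the initial segment
of $\sigma$ of the length $n$ respectively. When $n$ is greater than the length of $\sigma$,
the former denotes the empty sequence $\lambda$. Finally, we write $\sigma$, $\langle\sigma\rangle$ and
$[\sigma]$ for $\sigma_1 \ldots \sigma_{len(\sigma)}$, $\langle\sigma_1\rangle \ldots \langle\sigma_{len(\sigma)}\rangle$ and $[\sigma_1] \ldots [\sigma_{len(\sigma)}]$ respectively. The
following axiom schemes describe our assumptions about the protocols:
P-neg   $A_i\varphi \leftrightarrow A_i\overline{\varphi}$
Ptcl1   $A_i\varphi \leftrightarrow K_j A_i\varphi$
Ptcl2   $\neg A_i\varphi \leftrightarrow K_j\neg A_i\varphi$
Uni     $\langle\sigma\rangle A_i\varphi \rightarrow [\tau]A_i\varphi$, where $\sigma, \tau \in \mathcal{L}^*_{DKA}$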
The first axiom scheme encodes the closure condition on protocols that
agents have access to $\varphi$ iff they have access to $\overline{\varphi}$. The last three axiom
schemes encode the fact that protocols are “common knowledge” [10] and
uniform. Ptcl1 & Ptcl2 guarantee that every agent knows the access
sets, and by standard modal reasoning, all agents know all agents know
it, ..., up to an arbitrary depth. [11] Uni adds the additional constraint
that the formulas an agent has access to do not depend on earlier
observations. That is, each agent's access set is determined only by the
temporal point and not the history of previous observations. This assumption
is built into our definition of a protocol as a function assigning
sets of formulas to agent-moment pairs. [12]
3.4. Completeness
Our main technical contribution is a sound and complete axiomatization
of the class of all epistemic models with protocols (cf. Definition
5) in the language $\mathcal{L}_{DKA}$. We first gather the axioms from the previous
section in one definition:
DEFINITION 7 (Axiomatization). The logic DKA is the smallest set
containing all instances of the following axiom schemes [13]:
K1      $K_i(\varphi \rightarrow \psi) \rightarrow (K_i\varphi \rightarrow K_i\psi)$
K2      $[\theta](\varphi \rightarrow \psi) \rightarrow ([\theta]\varphi \rightarrow [\theta]\psi)$
R1      $\langle\theta\rangle p \leftrightarrow \theta \wedge p$, where $p \in \mathsf{At}$
R2      $\langle\theta\rangle\neg\varphi \leftrightarrow \theta \wedge \neg\langle\theta\rangle\varphi$
R3      $\langle\theta\rangle(\varphi \wedge \psi) \leftrightarrow \langle\theta\rangle\varphi \wedge \langle\theta\rangle\psi$
R4      $\langle\theta\rangle K_i\varphi \leftrightarrow \theta \wedge (A_i\theta \rightarrow K_i[\theta]\varphi) \wedge (\neg A_i\theta \rightarrow K_i([\theta]\varphi \wedge [\overline{\theta}]\varphi))$
P-neg   $A_i\varphi \leftrightarrow A_i\overline{\varphi}$
Ptcl1   $A_i\varphi \leftrightarrow K_j A_i\varphi$
Ptcl2   $\neg A_i\varphi \leftrightarrow K_j\neg A_i\varphi$
Uni     $\langle\sigma\rangle A_i\varphi \rightarrow [\tau]A_i\varphi$, where $\sigma, \tau \in \mathcal{L}^*_{DKA}$
and is closed under necessitation for $K_i$ and $[\theta]$. We write $\vdash_{DKA} \varphi$ if
$\varphi \in$ DKA.
[10] Of course, since we do not have a common knowledge operator in our language
it is only an informal statement that the protocol is common knowledge.
[11] This is also guaranteed for the future access sets as well as the current access
set, as will be shown in the proof of Lemma 2.
[12] We also note that in (van Benthem et al., 2009) the existential modality is
needed to express this uniformity property. We do not need it here given our
definition of a model (Definition 5) and the more expressive language.
[13] For concreteness, we only include the axiom schema $K_i(\varphi \rightarrow \psi) \rightarrow (K_i\varphi \rightarrow K_i\psi)$,
but other modal logics will work as well such as S5.
Our goal in this section is to prove the following result:
THEOREM 1. DKA is sound and strongly complete with respect to the
class of epistemic models with protocols.
Soundness is a simple (and instructive) exercise. The proof of completeness is a variant of the one found in Section 4 of (van Benthem
et al., 2009) which itself is a variant of the standard Henkin construction
(cf. Section 4.2, Blackburn et al., 2002). We construct a canonical model
from the set of DKA maximal consistent sets (MCS). A key observation
is that each MCS contains a description of a protocol:
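DEFINITION 8. Given a maximally consistent set $\Gamma$, we define the
$\Gamma$-protocol $p^\Gamma$ as follows:
$$p^\Gamma(i, n) = \begin{cases} \{\varphi \mid A_i\varphi \in \Gamma\} & \text{if } n = 0 \\ \{\varphi \mid \exists \psi_1 \ldots \psi_n : \langle\psi_1\rangle \ldots \langle\psi_n\rangle A_i\varphi \in \Gamma\} & \text{if } n \geq 1 \end{cases}$$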
That $p^\Gamma$ is in fact a protocol according to Definition 4 is an immediate
consequence of axiom P-neg and standard modal reasoning. Next
we define the base canonical model that will serve as the initial
epistemic model.
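DEFINITION 9. Let $\Gamma$ be a maximally consistent set. The $\Gamma$-generated
canonical model $\mathcal{P}^\Gamma = \langle W^\Gamma, \{R_i^\Gamma\}_{i \in A}, V^\Gamma, p^\Gamma \rangle$ is defined as follows:
1. $W^\Gamma = \{\Delta \mid p^\Delta = p^\Gamma \text{ and } \Delta \text{ is an MCS}\}$
2. For all $\Delta, \Delta' \in W^\Gamma$, $\Delta R_i^\Gamma \Delta'$ iff $\{\varphi \mid K_i\varphi \in \Delta\} \subseteq \Delta'$
3. $V^\Gamma(p) = \{\Delta \in W^\Gamma \mid p \in \Delta\}$
(and $p^\Gamma$ is defined according to Definition 8).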
So, $\mathcal{P}^\Gamma$ is the canonical model constructed from the set of MCSs that
agree with the protocol information in $\Gamma$. When there is no confusion,
we omit the superscript $\Gamma$ in the definition of a canonical model. Now,
given a maximally consistent set $\Gamma$ and a $\mathcal{L}_{DKA}$-formula $\varphi$, if $\langle\varphi\rangle\top \in \Gamma$,
we define $\Gamma\varphi$ to be the set $\{\theta \mid \langle\varphi\rangle\theta \in \Gamma\}$. This can be lifted to sequences
of formulas $\sigma$ as follows: $\Gamma\sigma = (\ldots((\Gamma\sigma_1)\sigma_2)\ldots)$. We then have:
LEMMA 1. For every maximally consistent set $\Gamma$ and sequence $\sigma$ of
$\mathcal{L}_{DKA}$-formulas, $\Gamma\sigma$ (if defined) is a maximally consistent set.
Proof. The proof is a simple induction on the length of $\sigma$. The key
step uses standard modal reasoning to show from R2 and R3 that for
any formula $\varphi$, (if defined) $\Delta\varphi$ is a maximally consistent set.
As usual, the key step is to prove a Truth Lemma. Much of the
reasoning here is typical for modal completeness proofs. [14] Nonetheless,
our framework does raise some interesting issues which we focus on in
this section (leaving more standard arguments to the reader). The first
stems from the fact that we restrict attention to maximally consistent
sets that agree on the protocol information. Prima facie, this poses a
problem for the “existence step” showing that if $K_i\varphi \notin \Gamma$ then there is
an accessible state in the canonical model where $\varphi$ is false (i.e., $\varphi$ is not
in the MCS). As usual, this state is constructed by showing that the
set $\Delta' = \{\psi \mid K_i\psi \in \Gamma\} \cup \{\neg\varphi\}$ is consistent and using Lindenbaum's
Lemma to extend to a maximally consistent set $\Delta$. But how can we
guarantee that $\Delta$ is in $W^\Gamma$ (i.e., $p^\Gamma = p^\Delta$)? This is a direct consequence
of Ptcl1 ($A_i\varphi \leftrightarrow K_j A_i\varphi$) and Ptcl2 ($\neg A_i\varphi \leftrightarrow K_j\neg A_i\varphi$), as shown in
the following lemma.
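LEMMA 2. Let $\Gamma$ be a maximally consistent set. Suppose $\Delta$ is a MCS
such that $\{\psi \mid K_i\psi \in \Gamma\} \subseteq \Delta$. Then $p^\Gamma = p^\Delta$.
Proof. Given Definition 8, it suffices to show that, for any sequence $\sigma$
of formulas in $\mathcal{L}_{DKA}$, $\langle\sigma\rangle A_i\varphi \in \Gamma$ implies $\langle\tau\rangle A_i\varphi \in \Delta$, and $\langle\sigma\rangle\neg A_i\varphi \in \Gamma$
implies $\langle\tau\rangle\neg A_i\varphi \in \Gamma$, where $\tau$ is a sequence in $\mathcal{L}^*_{DKA}$ such that
$len(\tau) = n$ and $\tau_i = \top$ for all $i$ ($1 \leq i \leq n$). The proof of the first
implication appeals to Ptcl1, and the proof of the second appeals to
Ptcl2. We only prove the first, since the proof of the second is similar.
First, let $len(\sigma) = n$. By Uni, $\langle\sigma\rangle A_i\varphi \rightarrow [\tau]A_i\varphi$. Note here that, by
standard DEL reasoning, $[\alpha]\beta \leftrightarrow (\alpha \rightarrow \langle\alpha\rangle\beta)$ for any $\alpha, \beta \in \mathcal{L}_{DKA}$.
Since $\top$ is a tautology, it follows that $[\tau]A_i\varphi \leftrightarrow \langle\tau\rangle A_i\varphi$. Therefore,
$\langle\sigma\rangle A_i\varphi \in \Gamma$ implies $\langle\tau\rangle A_i\varphi \in \Gamma$. Next, by standard modal reasoning,
Ptcl1 implies $\langle\tau\rangle A_i\varphi \leftrightarrow \langle\tau\rangle K_j A_i\varphi$ and R4 implies that $\langle\tau\rangle K_j A_i\varphi \rightarrow K_j[\tau]A_i\varphi$.
Therefore, $\langle\sigma\rangle A_i\varphi \in \Gamma$ implies $K_j[\tau]A_i\varphi \in \Gamma$. Given that $\top$
is a tautology again, this also yields $K_j\langle\tau\rangle A_i\varphi \in \Gamma$. Given the current
assumption, we have $\langle\tau\rangle A_i\varphi \in \Delta$ as desired.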
The second issue concerns the dynamic modalities ‘$\langle\varphi\rangle$’ and how
to build an appropriate canonical model. This requires more thought
since we must move from a single canonical model to the universe of
all models generated from the initial canonical model by sequences
of “making $\psi$ publicly available” events. In other words, we need to
make use of models of the form $(\cdots((\mathcal{P}^\Gamma \otimes \psi_1) \otimes \psi_2) \cdots \otimes \psi_n)$. To
ease exposition, denote these models by $\mathcal{P}^\Gamma\sigma$ where $\sigma = \psi_1 \cdots \psi_n$. The
key idea is that since all necessary information is already available in
the initial canonical model (as suggested by Lemma 1), we can simply
use the update operation (Definition 6) to construct the additional
models. To that end, we define the canonical models after a sequence
of announcements:
[14] We assume the reader is familiar with modal completeness proofs. For an
excellent textbook presentation, see Section 4.2 of (Blackburn et al., 2002).
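DEFINITION 10 (Canonical Model after $\sigma$). Given a (possibly empty)
sequence $\sigma$ of $\mathcal{L}_{DKA}$-formulas and a $\Gamma$-generated canonical model $\mathcal{P}^\Gamma$,
we define $\mathcal{P}^\sigma = \langle W^\sigma, \{R_i^\sigma\}_{i \in A}, V^\sigma, p^\sigma \rangle$ inductively as follows:
1. $\mathcal{P}^\lambda = \mathcal{P}^\Gamma$ ($\lambda$ is the empty string)
2. $W^{\sigma_{(n)}} = \{\Delta\sigma_n \mid \mathcal{P}^{\sigma_{(n-1)}}, \Delta \models \sigma_n\} \cup \{\Delta\overline{\sigma_n} \mid \mathcal{P}^{\sigma_{(n-1)}}, \Delta \models \overline{\sigma_n}\}$
3. For all $\Delta\chi, \Delta'\chi' \in W^{\sigma_{(n)}}$, $\Delta\chi R_i^{\sigma_{(n)}} \Delta'\chi'$ iff
   a) $\Delta R_i^{\sigma_{(n-1)}} \Delta'$ and
   b) either of the following cases holds:
      − $\chi = \chi'$, or
      − $\chi = \overline{\chi'}$ and $\chi, \chi' \notin p^{\sigma_{(n-1)}}(i, 0)$
4. For all $p \in \mathsf{At}$ and $\Delta\chi \in W^{\sigma_{(n)}}$, $\Delta\chi \in V^{\sigma_{(n)}}(p)$ iff $\Delta \in V^{\sigma_{(n-1)}}(p)$
5. $p^{\sigma_{(n)}}(i, n) := p^{\sigma_{(n-1)}}(i, n + 1)$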
A few comments are in order about the above definition. First of all,
note that for any $\sigma$ and canonical model $\mathcal{P}$, $\mathcal{P}^\sigma$ is an epistemic model
with a protocol according to Definition 5. Therefore, for any formula
$\varphi$, we can use Definition 6 to interpret $\mathcal{P}^\sigma, \Delta\sigma \models \varphi$. Second, note also
that $\mathcal{P}^\sigma = \mathcal{P}^{\overline{\sigma}}$ by the condition 2 above. Finally, recall that $\Delta\sigma$ is only
defined provided $\langle\sigma\rangle\top \in \Delta$. Now, if $\langle\sigma\rangle\varphi \in \Delta$ then (by standard modal
reasoning using R1 & R3) $\langle\sigma\rangle\top \in \Delta$ and so $\Delta\sigma$ is defined. However, for
an arbitrary sequence of DKA formulas $\sigma$, if $\mathcal{P}^\sigma, \Delta\sigma \models \chi$, we cannot
conclude that $\Delta\sigma\chi$ is defined (this would require a Truth Lemma which
we have not yet proved!). Thus in item 2 in the above Definition, there
is an implicit assumption that each element of $W^{\sigma_{(n)}}$ is actually defined.
It is important to keep this in mind in the remainder of this section.
Let us take stock of where we stand in the proof of completeness
(Theorem 1). We need to show that any consistent set $\Gamma_0$ of DKA
formulas has a model. Now, given a consistent set $\Gamma_0$ of DKA formulas,
Lindenbaum's Lemma can be used to construct a maximally consistent
set $\Gamma$ extending $\Gamma_0$. This MCS gives us a canonical model
$\mathcal{P}^\Gamma = \langle W^\Gamma, \{R_i^\Gamma\}_{i \in A}, V^\Gamma, p^\Gamma \rangle$ (Definition 9). Following the usual method for
proving completeness, we must prove a Truth Lemma:
for all $\varphi \in \mathcal{L}_{DKA}$, for each $\Delta \in W^\Gamma$, $\varphi \in \Delta$ iff $\mathcal{P}^\Gamma, \Delta \models \varphi$.
Much of the proof is a simple adaptation of the usual argument (some
details are provided below). The difficulty comes when considering
formulas of the form $\langle\sigma\rangle\psi$ where $\sigma$ is a sequence of DKA formulas.
We prove this by a (sub)induction on the structure of $\psi$. The strategy
is to use the canonical model after $\sigma$ (Definition 10). The following
proposition contains the key steps needed to complete the proof of the
Truth Lemma:
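PROPOSITION 3. Let $\Gamma$ be a MCS and $\mathcal{P}^\Gamma = \langle W^\Gamma, \{R_i\}_{i \in A}, V^\Gamma, p^\Gamma \rangle$
be a $\Gamma$-generated canonical model. For any sequence $\sigma \in \mathcal{L}^*_{DKA}$:
1. For all $\Delta \in W^\Gamma$ (such that $\Delta\sigma$ is defined) and all $\varphi \in \mathcal{L}_{DKA}$,
$\mathcal{P}^\sigma, \Delta\sigma \models \varphi$ iff $\mathcal{P}^\Gamma \otimes \sigma, \Delta \models \varphi$.
2. For all $\Delta \in W^\Gamma$ (such that $\Delta\sigma$ is defined) and all $\varphi \in \mathcal{L}_{DKA}$,
$\langle\sigma\rangle\varphi \in \Delta$ iff $\mathcal{P}^\sigma, \Delta\sigma \models \varphi$.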
We prove this proposition in a series of Lemmas. The first item follows
from the following Lemma:
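LEMMA 3. Suppose $\mathcal{P}^\Gamma$ is a $\Gamma$-generated canonical model and $\sigma$ is a
sequence of DKA formulas. For any $\Delta$ in $\mathcal{P}^\sigma$ and formula $\chi \in \mathcal{L}_{DKA}$
where $\Delta\chi$ is defined and $\mathcal{P}^\sigma, \Delta \models \chi$,
for all $\varphi \in \mathcal{L}_{DKA}$,
$\mathcal{P}^{\sigma\chi}, \Delta\chi \models \varphi$ iff $\mathcal{P}^\sigma \otimes \chi, \Delta \models \varphi$.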
Proof. It suffices to show that, for all sequences $\sigma \in \mathcal{L}^*_{DKA}$, the two
models, $\mathcal{P}^\sigma$ and $(\ldots(\mathcal{P} \otimes \sigma_1) \cdots \otimes \sigma_{len(\sigma)})$, are isomorphic, i.e. there is
a one-to-one map between the domains of the two models that preserves
the accessibility relations $\{R_i\}_{i \in A}$ and valuation $V$. (The protocols in
the two models are clearly identical, given the condition 5 in Definition 10
and the definition of the $\otimes$ operation in Definition 6.) We prove
this by induction on $len(\sigma)$. The base case follows from Definition 10
(and the assumption that $\Delta\chi$ is defined). Suppose that the claim holds
for an arbitrary $\sigma$. Then consider the models $\mathcal{P}^\sigma \otimes \chi$ and $\mathcal{P}^{\sigma\chi}$. For
the inductive step, it suffices to show that there is an isomorphic map
between $\mathcal{P}^\sigma \otimes \chi$ and $\mathcal{P}^{\sigma\chi}$. (By IH, $\mathcal{P}^\sigma$ and $\mathcal{P} \otimes \sigma$ are isomorphic.) Here,
take a map $f$ from $\mathcal{P}^\sigma \otimes \chi$ to $\mathcal{P}^{\sigma\chi}$ so that $f(\Delta) = \Delta\chi$, if $\mathcal{P}^\sigma \otimes \chi, \Delta \models \chi$;
$f(\Delta) = \Delta\overline{\chi}$ if $\mathcal{P}^\sigma \otimes \chi, \Delta \models \overline{\chi}$. Clearly $\Delta \in V(p)$ iff $\Delta\chi \in V(p)$ by the
condition 5 in Definition 10 and the definition of the $\otimes$ operation in
Definition 6. For the accessibility relation, suppose $\Delta R_i \Delta'$ in $\mathcal{P}^\sigma \otimes \chi$.
This implies that $\Delta R_i \Delta'$ in $\mathcal{P}^\sigma$. There are two cases to consider.
Case 1: The truth values of $\chi$ at $\Delta$ and $\Delta'$ are the same in $\mathcal{P}^\sigma$. In
this case, we have $f(\Delta) = f(\Delta')$. This implies $\Delta\chi R_i \Delta\chi$ in $\mathcal{P}^{\sigma\chi}$ by the
condition 2 and the first condition of 3b in Definition 10.
Case 2: The truth values of $\chi$ at $\Delta$ and $\Delta'$ are different in $\mathcal{P}^\sigma$. In
this case, by Definition 6, we have to have $\chi \notin p(i, 0)$. This implies
$f(\Delta) R_i f(\Delta')$ in $\mathcal{P}^{\sigma\chi}$ by the condition 2 and the second condition of 3b
in Definition 10.
Therefore, $\Delta R_i \Delta'$ in $\mathcal{P}^\sigma \otimes \chi$ implies $\Delta R_i \Delta'$ in $\mathcal{P}^{\sigma\chi}$. The other
direction of the implication is similar.
We need two more lemmas. These lemmas confirm that the canonical models
after a sequence of updates (Definition 10) “keep” enough
structure to prove a truth lemma.
LEMMA 4. For any $\sigma \in \mathcal{L}^*_{DKA}$, if $\Delta\sigma R_i \Delta'\sigma'$ in $\mathcal{P}^\sigma$ then
$\{\varphi \mid K_i\varphi \in \Delta\sigma\} \subseteq \Delta'\sigma'$.
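Proof. We prove the claim by induction on $len(\sigma)$. The base case is
clear by Definition 9. Suppose that the claim holds of an arbitrary $\sigma$.
Suppose $\Delta\sigma\chi R_i \Delta'\sigma'\chi'$. For any $K_i\varphi \in \Delta\sigma\chi$, we have $\langle\chi\rangle K_i\varphi \in \Delta\sigma$ by
definition. By R4, we have $A_i\chi \rightarrow K_i[\chi]\varphi$, $\neg A_i\chi \rightarrow K_i([\chi]\varphi \wedge [\overline{\chi}]\varphi) \in \Delta\sigma$.
We go by cases.
Suppose $A_i\chi \in \Delta\sigma$. By Definition 10 (the condition 3b), we have
$\chi = \chi'$. This implies that $\chi \in \Delta'\sigma'$ (the presence of $\Delta'\sigma'\chi'$ in the model
implies $\chi' \in \Delta'\sigma'$ by Definition 10). Also we have $K_i[\chi]\varphi \in \Delta\sigma$. By IH,
we have $[\chi]\varphi \in \Delta'\sigma'$. Given $\chi, [\chi]\varphi \in \Delta'\sigma'$, we have $\langle\chi\rangle\varphi \in \Delta'\sigma'$, which
implies $\varphi \in \Delta'\sigma'\chi'$.
Suppose $\neg A_i\chi \in \Delta\sigma$. This implies that $K_i([\chi]\varphi \wedge [\overline{\chi}]\varphi) \in \Delta\sigma\chi$,
which yields $K_i([\chi]\varphi), K_i[\overline{\chi}]\varphi \in \Delta\sigma\chi$ by standard modal reasoning.
Here, if $\chi = \chi'$, the argument goes similarly to the above argument.
Thus suppose $\chi \neq \chi'$, that is, $\chi = \overline{\chi'}$. In this case, $\overline{\chi}, [\overline{\chi}]\varphi \in \Delta'\sigma'$ (by
the same reasoning as above). This will give us $\varphi \in \Delta'\sigma'\chi'$.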
LEMMA 5. For any $\sigma \in \mathcal{L}^*_{DKA}$, if $\{\varphi \mid K_i\varphi \in \Delta\sigma\} \cup \{\psi\}$ is consistent,
there is a maximally consistent set $\Delta'\sigma'$ such that $\{\varphi \mid K_i\varphi \in \Delta\sigma\} \cup \{\psi\} \subseteq \Delta'\sigma'$
and $\Delta\sigma R_i \Delta'\sigma'$ in $\mathcal{P}^\sigma$.
Proof. The proof is by induction on $len(\sigma)$. The base case is clear
by the standard completeness argument and Lemma 2. The inductive
step is given by applications of R4 that are similar to those given in
the proof of Lemma 4.
We are now ready to prove Proposition 3.
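Proof (of Proposition 3). Let $\mathcal{P}^\Gamma = \langle W^\Gamma, \{R_i\}_{i \in A}, V^\Gamma, p^\Gamma \rangle$ be a
$\Gamma$-generated canonical model (where $\Gamma$ is a MCS). For part 1, we must
show that for all sequences $\sigma \in \mathcal{L}^*_{DKA}$ and $\Delta \in W^\Gamma$ (such that $\Delta\sigma$ is
defined) and all $\varphi \in \mathcal{L}_{DKA}$, $\mathcal{P}^\sigma, \Delta\sigma \models \varphi$ iff $\mathcal{P}^\Gamma \otimes \sigma, \Delta \models \varphi$. The proof
is by induction on the length of the sequence $\sigma$ with the key inductive
step following from Lemma 3.
For part 2, we must show that for all sequences $\sigma \in \mathcal{L}^*_{DKA}$ and
$\Delta \in W^\Gamma$ (such that $\Delta\sigma$ is defined) and all $\varphi \in \mathcal{L}_{DKA}$, $\langle\sigma\rangle\varphi \in \Delta$ iff
$\mathcal{P}^\sigma, \Delta\sigma \models \varphi$. The proof is by induction on the complexity of $\varphi$. The
base case is a direct consequence of Definitions 9 and 10 and axiom R1:
$\langle\sigma\rangle p \in \Delta$ iff $\sigma_1, \sigma_2, \ldots, \sigma_{len(\sigma)}, p \in \Delta$ iff $\Delta \in V(p)$, $\Delta\sigma_1 \in V^{\sigma_1}(p)$, ...,
$\Delta\sigma \in V^\sigma(p)$ iff $\mathcal{P}^\sigma, \Delta\sigma \models p$. The boolean cases are as usual. The
knowledge modality case follows by a standard argument using Lemmas
4 and 5 (cf. van Benthem et al., 2009; Hoshi, 2009). Thus, we deal only
with the cases for $\langle\chi\rangle$ and $A_i$.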
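Suppose $\varphi$ is of the form $\langle\chi\rangle\psi$. Assume $\mathcal{P}^\sigma, \Delta\sigma \models \langle\chi\rangle\psi$. Then
$\mathcal{P}^\sigma, \Delta\sigma \models \chi$ and $\mathcal{P}^\sigma \otimes \chi, \Delta\sigma \models \psi$. By Lemma 3, $\mathcal{P}^{\sigma\chi}, \Delta\sigma\chi \models \psi$. By the
induction hypothesis, $\langle\sigma\chi\rangle\psi \in \Delta$. I.e., $\langle\sigma\rangle\langle\chi\rangle\psi \in \Delta$. For the left-to-right
direction, assume $\langle\sigma\rangle\langle\chi\rangle\psi \in \Delta$. That is, $\langle\sigma\chi\rangle\psi \in \Delta$. Then, by the
induction hypothesis, we have $\mathcal{P}^{\sigma\chi}, \Delta\sigma\chi \models \psi$. Also, since $\langle\sigma\rangle\langle\chi\rangle\psi \in \Delta$,
using standard modal reasoning, we have $\langle\sigma\rangle\langle\chi\rangle\top \in \Delta$. Hence, by R1,
$\langle\sigma\rangle\chi \in \Delta$. This implies that $\mathcal{P}^\sigma, \Delta\sigma \models \chi$. Applying Lemma 3, we have
$\mathcal{P}^\sigma \otimes \chi, \Delta\sigma \models \psi$. Therefore, $\mathcal{P}^\sigma, \Delta\sigma \models \langle\chi\rangle\psi$, as desired.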
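Suppose $\varphi$ is of the form $A_i\psi$. First, assume $A_i\psi \in \Delta\sigma$. By definition,
this means that $\langle\sigma_n\rangle \cdots \langle\sigma_1\rangle A_i\psi \in \Delta$. By Definition 4, $\psi \in p^\Delta(i, n)$.
Recall that $\Gamma$ is the initial MCS used to construct the initial
canonical model and that $p^\Gamma = p^\Delta$. By Definition 10 part 5,
$\psi \in p^\sigma(i, 0)$. Hence, $\mathcal{P}^\sigma, \Delta\sigma \models A_i\psi$. Now assume $\mathcal{P}^\sigma, \Delta\sigma \models A_i\psi$. Then
$\psi \in p^\sigma(i, 0)$. By Definition 10 part 5, this implies $\psi \in p^\Delta(i, n)$ where $n$
is the length of $\sigma$. Also, by Definition 8, there are $\alpha_1, \ldots, \alpha_n$ such that
$\langle\alpha_1\rangle \cdots \langle\alpha_n\rangle A_i\psi \in \Delta$. Then repeated applications of Uni and R2 give
us $\langle\sigma\rangle A_i\psi \in \Delta$.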
Putting everything together, we now prove the main Truth Lemma:
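TRUTH LEMMA 6. For each formula $\varphi \in \mathcal{L}_{DKA}$, for each $\Delta \in W^\Gamma$,
$\varphi \in \Delta$ iff $\mathcal{P}^\Gamma, \Delta \models \varphi$.
Proof. The proof is by strong induction on the complexity of $\varphi$,
$c(\varphi)$. If $c(\varphi) = 0$ then $\varphi$ is an atomic proposition and we have $p \in \Delta$
iff $\Delta \in V^\Gamma(p)$ iff $\mathcal{P}^\Gamma \models p$. Suppose the statement holds for all $\psi$ such
that $c(\psi) < c(\varphi)$. There are four cases:
1. $\varphi$ is of the form $\psi_1 \wedge \psi_2$. The argument is completely standard.
2. $\varphi$ is of the form $\neg\psi$. The argument is completely standard.
3. $\varphi$ is of the form $K_i\psi$. The standard proof works given Lemma 2.
4. $\varphi$ is of the form $A_i\varphi$. We have $A_i\varphi \in \Delta$ iff $\varphi \in p^\Gamma(i, 0)$ iff
   $\mathcal{P}^\Gamma, \Delta \models A_i\varphi$.
5. $\varphi$ is of the form $\langle\sigma\rangle\psi$ where $\sigma$ is a sequence of DKA formulas. There
   are two cases:
   A. $\langle\sigma\rangle\top \in \Delta$. Then $\Delta\sigma$ is defined and the result follows from
      Proposition 3.
   B. $\langle\sigma\rangle\top \notin \Delta$. Then $\langle\sigma\rangle\psi \notin \Delta$. Hence the left-to-right direction
      is trivially true. Thus we need only show $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma\rangle\psi$. We
      show that for any sequence of formulas $\sigma$ with $\langle\sigma\rangle\top \notin \Delta$, there
      is some $i \leq len(\sigma)$ such that $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma_{(i)}\rangle\sigma_{i+1}$. If $\sigma = \chi$,
      we have $\langle\chi\rangle\top \notin \Delta$. This means $\chi \notin \Delta$. Since $c(\chi) < c(\varphi)$
      we have $\mathcal{P}^\Gamma, \Delta \not\models \chi$. Suppose $\sigma = \sigma'\chi$. If there is some
      $i \leq len(\sigma')$ with $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma'_{(i)}\rangle\sigma'_{i+1}$ then we are done. Suppose
      no such $i$ exists. Then, since $\langle\sigma'\chi\rangle\top \notin \Delta$, we have $\langle\sigma'\rangle\chi \notin \Delta$.
      Since $c(\langle\sigma'\rangle\chi) < c(\varphi)$, we have $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma'\rangle\chi$, as desired. Since
      $\langle\sigma\rangle\top \notin \Delta$, $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma_{(i)}\rangle\sigma_{i+1}$ but this means that for any $\psi$,
      $\mathcal{P}^\Gamma \otimes \sigma_{(i)}, \Delta \not\models \langle\sigma_{i+1} \cdots \sigma_{len(\sigma)}\rangle\psi$ and so $\mathcal{P}^\Gamma, \Delta \not\models \langle\sigma\rangle\psi$.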
As discussed above, the usual argument shows that every DKA-consistent
set is satisfiable. This completes the proof of Theorem 1.
3.5. Describing Protocols
According to Definition 4, the notion of protocols is quite general. Indeed
the only constraint on a protocol $p$ is that $\varphi \in p(i, n)$ iff $\overline{\varphi} \in p(i, n)$
for each $i$ and $n$. Of course, other properties may be relevant. Many of
these additional properties can be expressed using our language. For
example, consider the following properties:
ptcl-A   $A_i\varphi \wedge A_i\psi \rightarrow A_i(\varphi \wedge \psi)$
ptcl-K   $A_i(\varphi \rightarrow \psi) \rightarrow (A_i\varphi \rightarrow A_i\psi)$
Ref      $A_i\varphi \rightarrow A_i A_i\varphi$
F-Mon    $A_i\varphi \rightarrow [\alpha]A_i\varphi$
P-Mon    $[\alpha]A_i\varphi \rightarrow A_i\varphi$
Exp      $K_i\varphi \rightarrow A_i\varphi$
The first three properties are examples of structural properties of
protocols. The first two (ptcl-A and ptcl-K) say that the protocol
is closed under conjunction and consequence respectively. The third
property (Ref) says that if an agent has access to a formula $\varphi$, then
the agent has access to that fact (i.e., $A_i\varphi$). Of course, these are only
three examples of closure principles that may be of interest and many
properties will be expressible using the $A_i$ modality. The next two
properties (F-Mon and P-Mon) express monotonicity conditions of protocols
toward future and past respectively. That is, the axiom scheme F-Mon
says that if a formula $\varphi$ is currently accessible, then it will be accessible
after a future step. The converse (P-Mon) expresses a similar property
looking into the past. Finally, the last axiom scheme (Exp) connects
the agent's current information and access set. This can be understood
as restricting to a type of explicit knowledge where agents must have
access to what they (implicitly) know.
It is straightforward to show that the above sentences correspond to
the mentioned properties. Given such correspondence results, adding
these axiom schemes to the axiomatization DKA yields completeness
proofs for classes of models based on protocols with the corresponding
properties. Details are left to the reader.
4. Discussion
This paper has focused primarily on access sets interpreted as constraints on the agents’ information gathering processes. That is, it
is assumed there is some underlying protocol, or social convention,
limiting the observations of the agents. We have discussed a logical
framework for reasoning about such social interactive situations. Our
main technical result is a sound and complete axiomatization, but we
have also noted parallels between our frameworks and similar work
found in the literature. Concrete translations from our logic to similar
dynamic epistemic logics can be found in Section 3.2.
Perhaps more interesting are the broader themes discussed in Section
1. There we discussed a number of logical systems where access sets
represent the set of formulas that are currently available to the agent.
That is, access sets are the current outcome of some information gathering process rather than constraining the process. Despite similarities
between the different formal frameworks, these two perspectives on the
access sets are conceptually quite different. Nonetheless, merging the
two perspectives may lead to new insights. We end by briefly discussing
one such issue: dynamics.
Much of the work on so-called inference logics (for example, see
Ågotnes and Alechina, 2007; van Benthem, 2008; Velazquez-Quesada,
2009, and references therein) is centered around the dynamic processes
that change an agent’s access set. The focus in much of the literature
is on the modeling of agents that use logical inference rules to extend
their access sets. However, the recent work of van Benthem (2008) and
Velazquez-Quesada (2009) also makes use of DEL-style epistemic events to
model change in the agents’ access sets. But these dynamic operations
also make sense in our context where the access sets are generated
by some underlying protocol. While our protocols (Definition 4) do
explicitly represent temporal shifts in the agents’ access sets, we do
not explicitly represent the dynamic events that cause these changes.
There are two levels where epistemic events can enter. The first is to
think of the protocols as being generated by specific types of epistemic
and/or “awareness” events. For example, use the “become informed”
events of (van Benthem, 2008) to construct protocols where successive
access sets are formed by execution of these events. This amounts to
restricting attention to protocols satisfying specific structural properties (such as forwards monotonicity of access sets). Indeed, it would be
interesting to analyze various structural properties on protocols (such
as the ones discussed in Section 3.5) in terms of the type of events that
generate protocols with those properties. But the protocols themselves
may change as well. This is the second level where dynamic epistemic
events can enter our analysis. Such dynamic operations are not as
well-studied (though see (Renne et al., 2009; Icard et al., 2010) for some
first steps in this direction) and we leave this for future work.
Acknowledgements
The authors would like to thank the anonymous referees whose careful
comments greatly improved the content and the readability of this text.
The second author would also like to thank the participants at the
workshop Formal Theories of Communication at the Lorentz Center in
Leiden for their comments on an early version of this paper.
References
Ågotnes, T. and N. Alechina: 2007, ‘The dynamics of syntactic knowledge’. Journal
of Logic and Computation 17(1), 83–116.
Artemov, S.: 2001, ‘Explicit Provability and Constructive Semantics’. Bulletin for
Symbolic Logic 7(1), 1–36.
Artemov, S. and E. Nogina: 2005, ‘Introducing justification into epistemic logic’.
Journal of Logic and Computation 15(6), 1059–1073.
Balbiani, P., H. van Ditmarsch, and P. Seban: forthcoming, ‘Reasoning about
permitted announcements’. Journal of Philosophical Logic.
Baltag, A., L. Moss, and S. Solecki: 1998, ‘The Logic of Common Knowledge, Public
Announcements and Private Suspicions’. In: I. Gilboa (ed.): Proceedings of the
7th Conference on Theoretical Aspects of Rationality and Knowledge (TARK 98).
pp. 43 – 56.
van Benthem, J.: 1996, Exploring Logical Dynamics. CSLI Publications.
van Benthem, J.: 2008, ‘Merging observation and access in dynamic logic’. Studies
in Logic 1, 1 – 17.
van Benthem, J.: 2010, Logical Dynamics of Information Flow. Cambridge
University Press.
van Benthem, J., J. Gerbrandy, T. Hoshi, and E. Pacuit: 2009, ‘Merging Frameworks
for Interaction’. Journal of Philosophical Logic 38(5), 491 – 526.
Blackburn, P., M. de Rijke, and Y. Venema: 2002, Modal Logic. Cambridge:
Cambridge University Press.
van Ditmarsch, H. and T. French: 2010, ‘Becoming Aware’. Manuscript.
van Ditmarsch, H., W. van der Hoek, and B. Kooi: 2007, Dynamic Epistemic Logic,
Synthese Library. Springer.
Eberle, R.: 1974, ‘A Logic of Believing, Knowing and Inferring’. Synthese 26, 356 –
382.
Fagin, R. and J. Halpern: 1988, ‘Belief, Awareness and Limited Reasoning’. Artificial
Intelligence 34, 39 – 76.
Fagin, R., J. Halpern, Y. Moses, and M. Vardi: 1995, Reasoning about Knowledge.
Boston: The MIT Press.
Fitting, M.: 2005, ‘The logic of proofs, semantically’. Annals of Pure and Applied
Logic 132, 1 – 25.
Gerbrandy, J.: 1999, ‘Bisimulations on Planet Kripke’. Ph.D. thesis, Institute for
Logic, Language and Computation (DS-1999-01).
Halpern, J.: 2001, ‘Alternative Semantics for Unawareness’. Games and Economic
Behavior 37, 321 – 339.
Halpern, J. and L. Rego: 2005, ‘Interactive Unawareness Revisited’. In: Proceedings
of Theoretical Aspects of Rationality and Knowledge (TARK’05).
Halpern, J. and L. Rego: 2009, ‘Reasoning about Knowledge of Unawareness Revisited’. In: A. Heifetz (ed.): Proceedings of Theoretical Aspects of Rationality and
Knowledge (TARK’09).
Hill, B.: 2010, ‘Awareness Dynamics’. Journal of Philosophical Logic 39(2), 113 –
137.
Hodkinson, I. and M. Reynolds: 2006, ‘Temporal Logic’. In: P. Blackburn, J. van
Benthem, and F. Wolter (eds.): Handbook of Modal Logic, Vol. 3 of Studies in
Logic. Elsevier, pp. 655 – 270.
Hoshi, T.: 2009, ‘Epistemic Dynamics and Protocol Information’. Ph.D. thesis,
Stanford University.
Hoshi, T. and A. Yap: 2009, ‘Dynamic Epistemic Logic with Branching Temporal
Structures’. Synthese: Knowledge, Rationality, and Action 169(2), 259 – 281.
Icard, T., E. Pacuit and Y. Shoham: 2010, ‘Joint Revision of Beliefs and Intentions’.
In: F. Lin, U. Sattler and M. Truszczynski (eds.): Principles of Knowledge Representation and Reasoning: Proceedings of the Twelfth International Conference,
KR 2010.
Kooi, B. and E. Pacuit: 2010, ‘Logics for Rational Interaction’. In: O. Roy, P. Girard,
and M. Marion (eds.): Dynamic Formal Epistemology.
Pacuit, E.: Forthcoming, ‘Logics of Informational Attitudes and Informative Actions’. Journal of the Indian Council of Philosophy. Available at
http://ai.stanford.edu/~epacuit/papers/india-logknowbel.pdf
Parikh, R. and R. Ramanujam: 2003, ‘A Knowledge based Semantics of Messages’.
Journal of Logic, Language and Information 12, 453 – 467.
Plaza, J.: 1989, ‘Logics of public communications’. In: M. L. Emrich, M. S. Pfeifer,
M. Hadzikadic, and Z. Ras (eds.): Proceedings, 4th International Symposium on
Methodologies for Intelligent Systems. pp. 201–216 (republished as Plaza, 2007).
Plaza, J.: 2007, ‘Logics of Public Communications’. Synthese: Knowledge, Rationality, and Action 158(2), 165 – 179.
Renne, B.: 2008, ‘Dynamic Epistemic Logic with Justification’. Ph.D. thesis, The
City University of New York.
Renne, B., J. Sack, and A. Yap: 2009, ‘Dynamic Epistemic Temporal Logic’. In: X.
He, J. Horty, and E. Pacuit (eds.): Logic, Rationality and Interaction: Proceedings
of LORI 2009, Vol. LNAI 5834. pp. 263 – 277.
Velazquez-Quesada, F. R.: 2009, ‘Inference and update’. Synthese (Knowledge,
Rationality & Action) 169(2), 283 – 300.