The Logic of Distributed Protocols

1 Introduction Motivation and Background Ever since the seminal work of Floyd [6], Naur [14], and Hoare [9] there has been an increasing interest in the development and analysis of formal tools to reason about program behavior. This interest has led to the creation of a large number of logical systems for handling various types of program behavior. Such logical systems are called logics of programs. Notable examples of logics of programs are dynamic logic originally defined by Pratt [19] and temporal logic of programs introduced by Pnueli [18]. The large body of literature in logics of programs has deepened our understanding about reasoning about program behavior, not only about how to reason, but also about what inherent limitations there are in our reasoning. Important results include the discovery of complete proof systems for some of the logics, computational upper and lower bounds for some of the logics, and the establishment of the relative expressive power of different logics. More recently it has been recognized that the logics of programs developed so far are inadequate for reasoning about the behavior of distributed algorithms or, what we call protocols. Generally speaking, a protocol is an algorithm whose execution is shared by a number of independent participants or what we call players. Each player may be unaware of what the other players are exactly doing. Therefore, a key ingredient found in the behavior of many protocols (and not found in sequential or parallel algorithms) is the lack of knowledge about the complete state of the protocol by each of its players. A good example of this is found in the work on distributed agreement by Pease, Shostok, and Lamport [21]. They show that it is impossible for there to be a protocol such that the non-faulty players agree on a common value when there is a total of three players and at most one is faulty. The proof relies on the fact that, in the presence of inconsistent information coming from the other two players, it is possible for a non-faulty player to remain ignorant of which of the other two players is “lying”. They also show that there is a protocol which allows the non-faulty players to agree on a common value when there are four players and at most one is faulty. The proof relies on the fact that in two rounds of exchanging information the non-faulty players can know enough to come to agreement. In one round they cannot know enough. Any logic of protocols must include as part of it a logic of knowledge. A number of researchers have begun the development of logics of distributed protocols which include the notion of knowledge [7] [8] [10] [12] [13] [16]. In this paper we present two new logics of distributed protocols and prove some basic theorems about them. The logics are basically logics of knowledge which incorporate a notion of global time. The logics are capable of implicitly modeling asynchronous time by allowing the players to be ignorant of global time. In addition, the logics are capable of implicitly modeling game-like behavior of distributed computation. Any logic of protocols should also include a logic for time, or temporal logic. In particular, a key feature of time in a distributed computing setting is that it is asynchronous, that is, there is no global time that the independent computing agents know about. Asynchrony of time does not rule out the possibility of global time, only that if there is a global time then the individual computing participants have only limited knowledge of it. Temporal logics have been extensively studied in the context of both sequential and concurrent programs [1], [2], [3], [18], [25]. In addition, the behavior of distributed protocols exhibit game-like qualities which should be modeled in the logic of protocols. For example, the distributed agreement problems described above are “competitions” of a sort. Some of the players must come to agreement despite the 2 potential maliciousness of lying opponents. Another example of game-like property in distributed computing is the definition of the guaranteed lockout problem [11], [17]. Several formal treatments of game-theoretic aspects of computing have been introduced [17], [22], [23]. An early attempt to include game-like properties into a logic of programs is found in the work of Reif and Peterson [24]. Games and game-like behavior can be mathematically formalized in what is called game theory. It is not surprising that game theory should play an important role in distributed computing, because it already plays a significant role in Economics and Ecology, where multiple independent, yet interacting, players co-exist, compete, and cooperate [15]. We propose a (Church/Turing-like) Thesis for distributed computing. • Distributed protocols are equivalent to (i.e., can be formally modeled as) games. The fact that a logic is capable of modeling game-like behavior is critical if it is claimed to accurately model properties of distributed protocols. The work done so far on the logic of protocols which includes knowledge also includes, to varying degrees, time and to varying degrees is capable of implicitly modeling games [7] [8] [10] [12] [13] [16]. We feel, however, that the logics developed so far do not adequately model phenomena in protocols like asynchrony. In addition, they seem (with the possible exception of Parikh and Ramanujam’s work [16]) to be capable of modeling only restricted classes of games. We feel that the logics of distributed protocols that we present go further than those of previous researchers in two ways: • Our logics of protocols better model asynchronous time. • Our logics better model the game-like behavior of protocols. Indeed, the proof of our main theorem on the undecidability of one of the two logics relies heavily the fact that the logic is capable of modeling a certain three-player incomplete information game, where the players move asynchronously. The Logic of Protocols Informally, the logics we define are propositional logics with modal operators ✷, ✷ ∗ , and Ki for 1 ≤ i ≤ t for some t. The number t refers to the number of players and K i p means that player i knows that p holds. The expression ✷p means that in the next moment p must hold and ✷ ∗ p means that now and forever in the future p must hold. We can imagine that there is a global time which each of the players may or may not be knowledgeable of. This is akin to the common way of thinking about time in a distributed system where we imagine that the events taking place in the system are actually totally ordered but that each process in the system is unaware of the ordering except for those events that take place in its own process. We will define two logics of protocols, the linear logic of protocols (LLP) and the tree logic of protocols (TLP). The semantics of LLP and TLP are related to but not the same as, respectively, the linear and branching time semantics for the temporal logic of programs [18] [1]. In the semantics of both LLP and TLP global time is allowed to branch, but in LLP from each player’s point of view time is linear. This models the fact that in distributed systems, from one process’ point of view there is only one visible history of events, but many system histories may be consistent with that one visible history. In TLP global time can branch and players can be aware of it. The distinction between LLP and TLP can best be understood game theoretically. In a certain sense a model in 3 a semantics for the logic of protocols will define a game, what players do and do not know about the game, and a strategy for each of the players in the game. In LLP each player receives no direct knowledge of the states of the other players. Hence, whatever knowledge about the other players states can be, at best, inferred. In LLP each player’s strategy must be a blindfold strategy, that is, what each player does in a play of the game is preordained and cannot be changed as the game progresses. In TLP there is no preordained strategy for each player. A player can react differently in different plays of the game. In a practical sense, LLP models a distributed computing situation where the actions of each computing participant are determined as locally as possible. In TLP the actions of each participant are dependent on the interaction between the participants. Asynchrony of time is modeled in LLP and TLP by the fact that, although there is a global time, the individual players may not have full knowledge about it. So the combination of global time and lack of knowledge about it by the players models asynchronous time. Time can be passing, but an individual player may have no idea if time has progressed at all. Game-like behavior is modeled in LLP and TLP in a combination of ways. First, time can branch which models a choice of possible moves in a game. Second, players have lack of knowledge which models incomplete information in a game. Third, there may be a number of players which models multi-person games. To understand the semantics of LLP and TLP it is sometimes helpful to imagine an omniscient player, player 0, different from the players who may have lack of knowledge, players 1 to t. Player 0 knows all. It knows about the global time and every thing the other players know. In a distributed computing system, player 0 corresponds to the system taken as a whole, while players 1 to t model the individual computing agents in the system. The Results The main results of this paper are: • The introduction of a logic of protocols that adequately models knowledge and time, including asynchrony and game-like behavior. • Theorems that reveal the mathematical structure of the models for the logic of protocols. • A proof that the set of valid formulas in LLP is undecidable. The third result is surprising for a number of reasons. First, LLP is a propositional logic. Second, taken separately, each of the logic of knowledge and the logic of time are decidable. In particular, the propositional temporal logic is decidable, in fact decidable in deterministic exponential time. (The temporal logic with just ✷ and ✷ ∗ is a special case of dynamic logic which has deterministic exponential time upper and lower bound complexity [5], [20].) Further, the propositional logic of knowledge without time is also decidable. (The logic of knowledge is PSPACE complete and the logic of knowledge limited to one player is Co-NP complete [7].) But combining the two logics together in the way we suggest in this paper leads to an undecidable logic. This result adds more strong evidence to the thesis that reasoning about distributed systems is much more difficult than reasoning about sequential programs. Finally, the proof of the undecidability of LLP is interesting in its own right. The proof genuinely uses the asynchrony, lack of knowledge, and game-like behavior that are expressible in the logic of protocols. There is still a lot that we do not know about the logics of protocols. For example, it is still an open question whether or not the set of valid formulas in TLP is decidable. It would seem that 4 LLP is just a special case of TLP, but all we know at present is that every formula that is valid in TLP is also valid in LLP. There is no reason prima facie that the undecidability of LLP would imply the undecidability of TLP. Moreover, our proof of the undecidability of LLP relies heavily on the fact that we are using the linear semantics for the logic. Our proof of the undeciability of LLP also relies on there being more than one player. In the case there is just one player we have strong evidence that the logic of protocols with either the linear or tree semantics is decidable. The fact that LLP is undecidable does not rule out the possibility of a complete natural proof system. In fact, there is strong evidence in favor of a complete proof system because the set of valid formulas in LLP is recursively enumerable. This can be seen because formulas in LLP can be interpreted as formulas in first-order predicate logic and the set of valid formulas in first-order predicate logic is recursively enumerable. The paper is organized as follows: In Section 2 we give the formal definitions for the logics of protocols along with an example. In Section 3 we present some fundamental theorems which reveal the structure of models for the logics. In Section 4 we present the main result that the set of valid formulas in LLP is undecidable. 2 The Formal Syntax and Semantics In this section we give the formal syntax and sematics for the logics of protocols with t players. We assume we have a set of propositional variables Φ, Boolean logical connectives, ¬, ∧, Boolean constants 0 and 1, and modal operators ✷, ✷ ∗ , and Ki for 1 ≤ i ≤ t. The set of logic of protocols formulas are defined inductively: 1. If P ∈ Φ then P is a formula and 0 and 1 are formulas. 2. If p and q are formulas then so are ¬p, p ∧ q, ✷p, ✷ ∗ p, and Ki p for 1 ≤ i ≤ t. The set of formulas is the smallest set satisfying 1. and 2. above. The additional boolean operators ∨, ⊃, and ≡ can be defined in the usual way from ¬, ∧, 0, and 1. (p ∨ q = ¬(¬p ∧ ¬q), p ⊃ q = ¬p ∨ q, p ≡ q = (p ⊃ q) ∧ (q ⊃ p)). In addition, we can define the dual modal operators for ✷, ✷∗ , and Ki . Define ✸p = ¬✷¬p, ✸∗ p = ¬✷∗ ¬p. In the semantics we are about to define formally we imagine some underlying distributed system with global time and t players. The system can move from one state of the system to another and as the system moves sequences of states of the system form histories, the last state in the history being the current state. One history extends a second if the sequence of states that forms the first history has as a prefix the second history. A successor of a history is an extension by just one move of the system. In general the system is nondeterministic in that there may be more than one successor. The propositional variables represent primitive statements that hold or not in given states. In general a formula will hold for a given history or not. Let w be a history of the system. Informally, ✷p holds at w if p holds at every successor v of w, and ✷ ∗ p holds at w if p holds at w and at every history v that extends w. Thus, ✸p holds at w if p holds in some successor history v, and ✸∗ p holds at w if p holds at w or at some history v that extends w. The formula K i p holds at w if p holds at every history v indistinguishable from w from player i’s point of view. Shortly, we will make precise the notion of “indistinguishable from player i’s point of view.” Definition of Models 5 Let Φ be a set of propositional variables. A model or tree model for the logic of protocols with t players is a (t + 4)-tuple M = (W, W0 , π, ρ, 1 , ..., t ) where W is a set of states, W0 ⊆ W is a set of initial states, π : W → 2Φ is a mapping indicating which propositional variables hold at which states, ρ ⊆ W × W is a relation indicating the next move relation, and for each i, i ⊆ W ∗ × W ∗ indicating what player i does and does not know, where W ∗ is the set of all finite sequences (strings) of members of W . In addition M must satisfy properties listed A1 − A3 below. Given a nonempty sequence w ∈ W ∗ define last(w) to be the last member of the sequence. We define the set of histories of M , W ρ , inductively as follows. If w ∈ W0 then w ∈ W ρ and if w ∈ W ρ , (last(w), a) ∈ ρ then wa ∈ W ρ , and there are no other members of W ρ . If u and v are two histories then define u ⊆ρ v if u is a prefix of v and u ⊂ρ v if u is a proper prefix of v, that is u ⊂ ρ v if u ⊆ρ v and u 6= v. In what follows we let i be arbitrary where 1 ≤ i ≤ t. In general, u, v, w, x, y will range over W ρ unless otherwise specified. The first additional property of M is: A1 : i is a reflexive and transitive relation on W ρ . This first property begins to express the meaning of the relation  i . Intuitively, u i v means that from player i’s point of view the history v is an extension of the history u. Property A 1 expresses that player i’s view of history is reflexive and transitive. We can now express the idea that two histories are indistinguishable from player i’s point of view by defining the equivalence relation, ≈i , on W ρ : u ≈i v if and only if u i v and v i u. The relation ≈i is an equivalence relation because  i is reflexive and transitive. Precisely, u ≈ i v means that histories the u and v are indistinguishable from player i’s point of view. Further define: u ≺i v if and only if u i v and u 6≈i v. The remaining properties are: A2 : If u ⊆ρ v then u i v. A3 : If u i v then v ′ ≈i u, for some v ′ ⊆ρ v,. Properties A2 and A3 express more clearly how player i can come to view two histories to be indistinguishable. First, if one history extends another then player i’s view is consistent with that extension. Second, if one history extends another from player i’s point of view then there must be an earlier time in the first history when player i’s view was the same as his view of the second history. A linear model is a model which satisfies the following additional property: A4 : u i v or v i u. 6 Some fundamental properties of models and linear models will be given in the next section. Definition of Truth Let M = (W, W0 , π, ρ, 1 , ..., t ) be a model and w ∈ W ρ . If p is a formula then we define the relation M, w |= p inductively on the structure of p. 1. M, w |= 1 and M, w 6|= 0, 2. M, w |= P if and only if P ∈ π(last(w)), if P ∈ Φ, 3. M, w |= ¬p if and only if M, w 6|= p, 4. M, w |= p ∧ q if and only if M, w |= p and M, w |= q, 5. M, w |= ✷p if and only if for all a ∈ W such that wa ∈ W ρ , M, wa |= p, 6. M, w |= ✷∗ p if and only if for all v ∈ W ∗ such that wv ∈ W ρ , M, wv |= p, 7. M, w |= Ki p if and only if for all v ∈ W ρ such that v ≈i w, M, v |= p. Define TLP t and LLP t to be the logic of protocols with t players where the interpretation of formulas is made in, repectively, tree and linear models for the logic of protocols with t players. Define TLP and LLP to be the logic of protocols corresponding to TLP t and LLP t where the number of players t is unbounded. We say that a formula p is satisfiable in TLP t if there is a tree model M = (W, W0 , π, ρ, 1 , ..., t ) and a w ∈ W0 such that M, w |= p. Further, p is valid in TLP t if for every tree model M = (W, W0 , π, ρ, 1 , ..., t ) and every w ∈ W0 , M, w |= p. A formula is satisfiable in LLP t if it is satisfiable in some linear model and valid in LLP t if it is valid in all linear models. We say that a formula p is valid (satisfiable) in TLP (LLP) if it is valid (satisfiable) in TLP t (LLP t ) for some t where the knowledge operators, Ki in p are such that i ≤ t. Example For example, consider a model M = ({a, b, c}, {a}, π, ρ,  1 ) where 1. π(a) = π(b) = {P }, π(c) = ∅, 2. ρ = {(a, b), (b, c), (c, c)}, 3. 1 = {(a, a), (a, abci ), (abci , abcj ) : i, j ≥ 0}. Figure 1. graphically illustrates what this model looks like. In the model M , player 1 can distinguish the history a from the history ab, but cannot distinguish the histories ab, abc, abcc, .... Now consider the formula p = K1 ✷P ∧ ¬✷K1 P . 7 Figure 1: Illustration of the model M . Indistinguishable histories are enclosed. We have M, a |= p. This formula is interesting because it is an instance of the negation of one of Lehman’s axioms for his logic of knowledge and time [12]. This points out a fundamental difference between previous models and ours. Our models allow for asynchrony. Player 1 is aware of going from the history a to the history ab, but is totally unaware of going from history ab to abc. In history a he knows that in one step P will be true, but in one step he does not know that P will be true because in one step his knowledge of time suddenly becomes limited. On the other hand the slightly modified formula K1 ✷∗ P ∧ ¬✷∗ K1 P is not satisfiable which naturally implies that the formula K1 ✷∗ P ⊃ ✷∗ K1 P is valid. 3 Structure of Models The properties A1 − A4 by themselves do not give a clear picture of what tree and linear models look like. The goal of this section is to present by way of two theorems a concrete picture of tree and linear models. The following describes in word what models look like. In any model the histories, W ρ , form a family of trees, where each non-initial history has a unique immediate predecessor history and every history has zero or more immediate successor histories. Consider each player i individually. The histories are partitioned into equivalence classes by the relation ≈ i . In the tree model case the equivalence classes themselves form a family of trees, where the predecessor and successors of an equivalence class are implicitly induced by the relation  i . In the linear model case the equivalence classes form a sequence where the linear order of the sequence is implicitly induced by the relation i . Figure 3 describes the models graphically. To lead to our two theorems we are required to pass through a sequence of lemmas. In what follows we let M = (W, W0 , π, ρ, 1 , ..., t ) be a model and let 1 ≤ i ≤ t. Define w ∈ W ρ to be i-minimal if v i w implies v ≈i w. Lemma 3.1 A member w of W ρ is i-minimal if and only if w ≈i w0 for some w0 ∈ W0 . 8 Figure 2: Graphical depiction of a tree model and a linear model. 9 Proof Let w be i-minimal and choose w0 ∈ W0 such that w = w0 v for some v ∈ W ∗ . By property A2 , w0 i w and since w is i-minimal w0 ≈i w. Now, suppose w ≈i w0 where w0 ∈ W0 . Let v i w. Hence, v i w0 . By property A3 there is u ⊆ρ W0 such that u ≈i v. Since w0 is already a member of W0 , u = w0 . Thus, v ≈i u = w0 ≈i w. ✷ If w ∈ W ρ is not i-minimal define predi (w) to be the unique w ′ such that for some a ∈ W , w′ ⊆ρ w′ a ⊆ρ w, and w′ ≺i w′ a ≈i w. Such a string exits by Lemma 3.1 and by property A 2 . Lemma 3.2 If u, v ∈ W ρ are such that predi (u) i v i u then either v ≈i predi (u) or v ≈i u. Proof Let predi (u) i v i u. By property A3 there is u′ ⊆ρ u such that u′ ≈i v. If ρ predi (u) ⊆ u′ . In that case, by property A2 , u′ ≈i u. Hence, v ≈i u. If u′ ⊆ρ predi (u), then again by property A2 , u′ i predi (u), Hence, v ≈i u′ i predi (u) i v. Thus, v ≈i predi (u). ✷ The final lemma in this series shows that the pred i function is invariant under ≈i . Lemma 3.3 If u, v ∈ W ρ are such that u ≈i v and u is not i-minimal then predi (u) ≈i predi (v). Proof Let u ≈i v where u is not i-minimal. We will show that pred i (u) i predi (v). The proof of the reverse ordering is symmetric. Since pred i (u) i v there is v ′ ⊆ρ v such that v ′ ≈i predi (u). If predi (v) ⊆ρ v ′ then, by Lemma 3.2 and the definition of predi, v ′ ≈i v. Because v ≈i u and v ′ ≈i predi (u), we have u ≈i predi (u) which is impossible. Hence, v ′ ⊆ρ predi (v). Thus, predi (u) ≈i v ′ i predi (v). ✷ If w ∈ W ρ then define succi (w) to be the set of all wva ∈ W ρ such that v ∈ W ∗ , a ∈ W , and w ≈i wv ≺i wva. Lemma 3.4 If u, v ∈ W ρ are such that v ∈ succi (u) then predi (v) ≈i u. Proof Let v ∈ succi (u). By the definition of succi , v = uxa where u ≈i ux ≺i uxa for some x and a. By the definition of predi , ux = predi (v). Since ux ≈i u, u ≈i predi (v). ✷ Lemma 3.5 If u, v, x ∈ W ρ are such that u ∈ succi (v) and v i x i u then x ≈i v or x ≈i u. Proof Let u ∈ succi (v) and v i x i u. By Lemma 3.4 v ≈i predi (u) so we have predi (u) i x i u. By Lemma 3.2 x ≈i predi (u) or x ≈i u. Hence, x ≈i v or x ≈i u. ✷ We also get a corresponding result to Lemma 3.3 if the model M is linear. Lemma 3.6 Let M be a linear model. If u, v, x, y ∈ W ρ are such that x ∈ succi (u), y ∈ succi (v), and u ≈i v then x ≈i y. Proof Let x ∈ succi (u), y ∈ succi (v), and u ≈i v By linearity, we need only consider one of the two symmetric cases, either x  i y or y i x. Let x i y. Thus, v ≈i u i x i y. By Lemma 3.5, x ≈i v or x ≈i y. The former cannot hold because v ≈ i u ≺i x. Hence, x ≈i y. ✷ If M is a linear model then all the members of succ i (w) are ≈i -equivalent. Thus if succi (w) is nonempty then any member of it can represent the equivalence class containing it. The properties listed in Lemmas 3.1 - 3.6 essentially give us the structure of the equivalence classes of W ρ under the equivalence relation ≈i . Let [w]i be the equivalence class of w under ≈ i . Define [W ρ ]i = {[w]i : w ∈ W ρ }. The reflexive, transitive relation  i induces a partial order ≤i on [W ρ ]i in a natural way. We say that [u]i ≤i [v]i if u i v. The relation ≤i is reflexive, transitive, and antisymmetric on its domain [W ρ ]i . We can further, define [u]i <i [v]i if [u]i ≤i [v]i and [u]i 6= [v]i . 10 Theorem 3.7 Let M = (W, W0 , π, ρ, 1 , ..., t ) be a tree model. The set [W ρ ]i ordered by ≤i is a family of trees. Specifically: 1. The roots of [W ρ ]i are {[w0 ]i : w0 ∈ W0 }, 2. If [w]i is not a root then its parent is [predi (w)]i , 3. The children or [w]i are {[v]i : v ∈ succi (w)}. The proof follows immediately from Lemmas 3.1 - 3.6. Theorem 3.8 Let M = (W, W0 , π, ρ, 1 , ..., t ) be a linear model. The set [W ρ ]i is linearly ordered by ≤i . Specifically: 1. The least member of [W ρ ]i is [w0 ]i for any w0 ∈ W0 , 2. If [w]i is not the least member of [W ρ ]i then its immediate predecessor is [predi (w)]i , 3. If [w]i is not the greatest member of [W ρ ]i then its immediate successor is [v]i for any v ∈ succi (w). The proof follows from Lemmas 3.1 - 3.6. The result of Theorem 3.8 will be used in the proof of the undecidability of the set of valid formulas in LLP. 4 The Undecidability Result In this section we prove that the set of valid formulas in LLP is undecidable. More specifically we show that the set of satisfiable formulas in LLP 2 is not recursively enumerable. Since a formula p in the logic of protocol with two players is valid in LLP if and only if the formula ¬p is not satisfiable in LLP 2 , it follows that validity in LLP is undecidable if satisfiabilty in LLP 2 is undecidable. Theorem 4.1 The set of satisfiable formulas in LLP 2 is not recursively enumerable. Proof Some of the ideas behind this proof come from a proof of the undecidability of a certain three-player game which is an instance of the guaranteed lockout problem defined by Peterson and Reif [17]. The motivation behind this proof is implicitly game theoretic. The general plan is to show that given a Turing machine T a formula f T can be constructed with the property that T runs without halting with a blank input if and only if the formula f T is satisfiable in some linear model. Since the set of Turing machines that do not halt on a blank tape is not a recursively enumerable set then the set of satisfiable formulas in LLP is not recursively enumerable. Let M be a one tape Turing machine with states Q, tape symbols Γ, Q ∩ Γ = ∅, blank symbol B ∈ Γ, start state q0 ∈ Q, and transition partial funtion δ : Q × Γ → Q × Γ × {R, L}. Let ∆ = Q ∪ Γ ∪ {#, c/}, where # and c/ are new symbols. Define an ID to be a string of the form c/a1 c/a2 c/.../ cam c/ where a1 a2 ...am ∈ Γ∗ QΓ∗ . Define the initial ID to be c/q0 c/B/ c. Finally, define an infinite computation to be an infinite string of the form #m0 C0 #m1 C1 #m2 C2 #m3 ... 11 where 1. Ci is an ID for all i, 2. C0 is the initial ID, 3. Ci+1 follows from Ci in one move of T for all i, 4. |Ci | = 2i + 5 for all i, 5. mi > 0 for all i, The reason why infinite computations have this unusual form will be clarified later. Let q = ⌈log2 |∆|⌉. With each symbol σ ∈ ∆ we assign a specific Boolean vector (σ 1 , ..., σq ) of length q. When we talk about σ in the context of a formula we are referring to its representation as a Boolean vector. The formula we will construct will have propositional variables X, and S ij for i = 1, 2 and 1 ≤ j ≤ q. Let S1 and S2 be the vectors (S11 , S12 , ..., S1q ) and (S21 , S22 , ..., S2q ). In general, we will think of S1 and S2 as variables that take on values in ∆. If U and V are two Boolean vectors of the same length m. We use the abbreviation “U = V ” to stand for (U 1 ≡ V1 ) ∧ ... ∧ (Um ≡ Vm ). We define a function collapse : ∆ω ∪ ∆∗ → ∆ω ∪ ∆∗ by collapse(s) is the string obtained from s by collapsing multiple contiguous occurrences of the same symbol to one occurrence. That is, if ai is a member of ∆ for all i, ai 6= ai+1 for all i, and mi > 0 for all i then 0 m1 collapse(am 0 a1 ...) = a0 a1 a2 .... Further, if ai is a member of ∆ for 0 ≤ i ≤ r, ai 6= ai+1 for 0 ≤ i < r and mi > 0 for 0 ≤ i < r then ω 0 m1 collapse(am 0 a1 ...ar ) = a0 a1 ...ar Similarly, if ai is a member of ∆ for 0 ≤ i ≤ r, ai 6= ai+1 for 0 ≤ i ≤ r and mi > 0 for 0 ≤ i ≤ r then mr 0 m1 collapse(am 0 a1 ...ar ) = a0 a1 ...ar Two members s1 and s2 of ∆ω are identical collapsed if collapse(s 1 ) = collapse(s2 ). Informally, the formula fT describes a situation involving two players, player 1 and player 2. For all time player 1 knows the value of S 1 and player 2 knows the value of S2 . Neither player ever knows the value of X. As time passes the successive values of S 1 form an infinite string s1 ∈ ∆ω . Even though player 1 knows S1 he is unaware of time passing if the value of S 1 does not change form one moment to the next. Intuitively, as time passes player 1 sees collapse(s 1 ), not s1 itself. Similarly, s2 is the successive values of S2 and player 2 only sees collapse(s 2 ). Because neither player knows X it will turn out that if the formula f T is satisfied in a linear model it will be satisfied in a linear model with two infinite histories, one corresponding to each of the possibilities X = 0 and X = 1. Consider the case X = 0. As time progresses the successive values of S 1 form an infinite string e1 ∈ ∆ω . Similarly, successive values of S 2 form the infinite string e2 . The formula will force e1 = e2 , collapse(e1 ) = e1 , and collapse(e2 ) = e2 . If X = 1 then infinite strings m1 and m2 are formed from successive values of S 1 and S2 respectively. The formula fT forces the two strings to match in a way such that, when m 1 and m2 are interpreted as infinite computations, the first ID of m 1 “matches” the second ID of m2 , the 12 second ID of m1 “matches” the third ID of m2 , and so on. This “matching” guarantees that if m1 and m2 are identical collapsed then each of m 1 and m2 are infinite computations. In the linear model satisfying the formula it will be guaranteed that e 1 and m1 are identical collapsed and that e2 and m2 are identical collapsed. Thus, in the linear model satisfying f T all four strings e1 , m1 , e2 , and m2 are identical collapsed and each is an infinite computation. The formula f T guarantees that embedded in any linear model satisfying it is a “proof” that an infinite computation exists. The “proof” can be found by examining the two infinite histories arising from the lack of the players knowledge about the variable X. Thus T does not halt on the blank input if and only if f T is satisfied in a linear model. We now describe the “matching” that is forced by the formula f T Consider the two infinite computations: s = #5 #3 C0 #3 C1 #3 C2 #3 C3 #3 ... t = #C0 #C1 #C2 #C3 #C4 #... Because |C0 | = 5 and |Ci+1 | = |Ci | + 2 then the i-th ID of s “lines up” with the (i + 1)-st ID of t. The initial padding in s matches the initial ID of t the rest of the padding in s aligns the middle # of each #3 with a corresponding # in t. There is a function F : ∆ 7 → ∆ ∪ {ε} which can be used to verify the matching after the 5-th character of s and the 6-th character of t. Let si and ti be the (i + 1)-st characters of s and t respectively, so that s = s 0 s1 s2 ... and t = t0 t1 t2 .... The symbol ε, which is needed to make F a totally defined function, is a new symbol with its own representation as a Boolean vector. The function F can be defined in such a way that for all i ≥ 5, F (si , si+1 , ..., si+6 ) = ti+1 . We can define F as follows: F (σ0 , σ1 , ..., σ6 ) =                      # B c/ σ2 σ 1    τ          p         ε if if if if σ0 = σ1 = σ2 = #, σ2 = σ3 = σ4 = #, σ0 = c/ or σ2 = c/, σ1 = c/ and ({σ0 , σ2 , σ4 } ∩ Q = ∅ and σ2 6= # or σ4 ∈ Q and δ(σ4 , σ6 ) = (p, τ, R)), if σ1 = c/ and σ2 ∈ Q and δ(σ2 , σ4 ) = (p, τ, L), if σ1 = c/ and (σ0 ∈ Q and δ(σ0 , σ2 ) = (p, τ, L) or σ2 ∈ Q and δ(σ2 , σ4 ) = (p, τ, R)), if σ1 = c/ and (σ0 ∈ Q and δ(σ0 , σ2 ) = (p, τ, R) or σ2 ∈ Q and δ(σ4 , σ6 ) = (p, τ, L)), otherwise. The following Propostion describes completely the properties that F must possess. Proposition 1. Let s = s0 s1 s2 ... and t = t0 t1 t2 .... be infinite strings in ∆ω with the properties: 1. s ∈ #8 c/q0 c/B/ c((¬/ cc/)∗ #3 c/)ω , 2. t ∈ #(/ c¬/ c)ω , 3. For all i ≥ 5, F (si , si+1 , ..., si+6 ) = ti+1 , 4. collapse(s) = collapse(t). 13 Then, s and t are infinite computations. The proof of the Proposition is straightforward but tedious. We are now ready to define fT . We will specify eight formulas f 1 − f8 in such a way that fT = ^ Km [ m=1,2 8 ^ fn ]. n=1 To simplify the formulas we make some abbreviations. We already mentioned the abbreviation “S = T ” when S and T are Boolean vectors. We use the notation “✷ k p” to stand for ✷✷...✷p where the number of ✷’s is k. So ✷0 p = p. If σ ∈ ∆ then we use “¬σ” to abbreviate ∆ − {σ}. After each conjunct fi we will provide some intuition about what the conjunct means. Intuitively we can imagine time as a sequence of moments, so that each conjunct must hold in the initial moment (moment 0). Conjuncts of the form ✷ ∗ p force p to hold for all moments. A subformula of a conjunct of the form ✷k p forces p to hold in the k-th moment from the time the whole subformula holds. f 1 : ✷∗ ^ _ Ki (Si = σ) i=1,2 σ∈∆ The formula f1 states that at all time each player i knows the value of its variable S i which is one of the symbols in ∆. f 2 : ✷∗ ^ ^ ¬Ki (X = j) i=1,2 j=0,1 The formula f2 states that for all time neither player knows the value of X. f 3 : ✷∗ ^ (X = j ⊃ (✸(X = j) ∧ ✷(X = j))) j=0,1 The formula f3 states that for all time, if X has a certain value then there is a next moment when it has the same value and in every next moment it has the same value. This formula guarantees that there is always a next moment. That is, time does not stop. This formula also guarantees that if initially X has a certain value then it has that value forever. This formula also guarantees that, as time passes, the successive values of S i form an infinite string in the language ∆ ω . f4 : S2 = c/ ∧ ✷∗ ((S2 = c/ ⊃ ✷(S2 6= c/)) ∧ (S2 6= c/ ⊃ ✷(S2 = c/))) The formula f4 states that initially S2 has the value c/ and for all time if the value of S 2 is c/ then in the next moment the value is not c/ and vice versa. Thus, as time passes the successive values of S2 form an infinite string in the language (/ c¬/ c) ω . f5 : X = 0 ⊃ ✷∗ (S1 = S2 ) The formula f5 states that if at the beginning the value of X is 0 then for all time the value of S 1 equals the value of S2 . Thus, if the value of X is 1 then the infinite string formed by successive values of S1 is identical to the infinite string formed by successive values of S 2 . 14 f6 : X = 1 ⊃ S1 = c/ ∧ ^ ✷k (S1 = #) ∧ ✷9 (S1 = c/)∧ 1≤k≤8 ✷10 (S1 = q0 ) ∧ ✷11 (S1 = c/) ∧ ✷12 (S1 = B) ∧ ✷13 (S1 = c/) f7 : X = 1 ⊃ ✷13 ✷∗ ((S1 = c/ ⊃ ✷(S1 6= c/)) ∧ ((S1 6= c/ ∧ S1 6= #) ⊃ ✷(S1 = c/)) ∧ ((S1 = c/ ∧ ✷(S1 = #)) ⊃ (✷2 (S1 = #) ∧ ✷3 (S1 = #) ∧ ✷4 (S1 = c/)))) The formulas f6 and f7 combined together state that if at the beginning the value of X is 1 then then as time passes the first value of S 1 is c/, the next 8 are # and the next 5 are the initial ID. Furthermore, from the 13-th moment on (i) if S 1 has the value c/ in the next moment the value is not c/, (ii) if S1 does not have the value c/ and in the next moment does not have the value # then in that next moment it has the value c/, and (iii) if S 1 has the value c/ and in the next moment has the value # then in the next three successive moments after that S 1 must have the values ##/ c, respectively. Summarizing f6 and f7 , if X = 1 then the successive values of S 1 form an infinite string in the language c/#8 c/q0 c/B/ c((¬/ cc/)∗ #3 c/)ω . The final formula in fT is: f 8 : X = 1 ⊃ ✷ 6 ✷∗ _ ( ^ ✷k (S1 = σk ) ∧ ✷(S2 = τ ) ∧ F (σ0 , ..., σ6 ) = τ ) σ0 ,...,σ6 ,τ ∈∆ 0≤k≤6 The formula f8 states that if the value of X is 1 then the infinite strings formed by successive values of S1 and S2 must match in a nice way. For i ≥ 6, i-th, (i + 1)-st, ... , (i + 6)-th characters of the infinite string formed by successive values of S 1 and the (i + 1)-st character of the infinite string formed by successive values of S2 must match according to the function F . Claim I. If T does not halt on a blank input tape then f T is satisfiable. Let s = #8 C0 #3 C1 #3 C2 #3 ... and t = #C0 #C1 #C2 #... be infinite computations. Let c/s = s0 s1 s2 ... where si is the (i + 1)-st character of c/s and let c/t = t 0 t1 t2 .... where ti is the (i + 1)-st character of c/t. We construct a linear model M = (W, W0 , π, ρ, 1 , 2 ) which satisfies fT . Let W = {ui , vi : i ≥ 0}, W0 = {u0 , v0 }, and ρ = {(ui , ui+1 ), (vi , vi+1 ) : i ≥ 0}. For each i let u[i] be the history u0 u1 ...ui and let v[i] be the history v0 v1 ...vi . Define π so that for all i: M, u[i] |= X = 0 ∧ S1 = ti ∧ S2 = ti , M, v[i] |= X = 1 ∧ S1 = si ∧ S2 = ti . What remains to be described is 1 and 2 . Define s[i] = s0 s1 ...si and t[i] = t0 t1 ...ti . For each player 1 define 1 : If x is a finite string and y is a finite or infinite string let the notation x ⊑ y mean that x is a prefix of y. u[i] 1 u[j] ⇔ collapse(t[i]) ⊑ collapse(t[j]), v[i] 1 v[j] ⇔ collapse(s[i]) ⊑ collapse(t[j]), u[i] 1 v[j] ⇔ collapse(t[i]) ⊑ collapse(s[j]), v[i] 1 u[j] ⇔ collapse(s[i]) ⊑ collapse(t[j]), 15 For player 2 define 2 : u[i] 2 u[j] ⇔ collapse(t[i]) ⊑ collapse(t[j]), v[i] 2 v[j] ⇔ collapse(t[i]) ⊑ collapse(t[j]), u[i] 2 v[j] ⇔ collapse(t[i]) ⊑ collapse(t[j]), v[i] 2 u[j] ⇔ collapse(t[i]) ⊑ collapse(t[j]), Because collapse(t[i]) = t[i] for all i some of these definitions can be simplified. For example, for k = 1, 2 u[i] k u[j] if and only if i ≤ j. Figure 2 illustrates what the model M looks like. It is straightforward but tedious to check that M, u[0] |= f T . M, u[0] |= fT only if for 1 ≤ n ≤ 8, M, u[0] |= fn and M, v[0] |= fn . For example, consider the conjunct f 1 . For i = 1, 2 and for all k, k ′ and k ′′ , if u[k] ≈i u[k ′ ] and u[k] ≈i v[k ′′ ] then there is a σ ∈ ∆ such that M, u[k] |= S i = σ, M, u[k ′ ] |= Si = σ, and M, v[k ′′ ] |= Si = σ. Hence, for i = 1, 2 and for all k, M, u[k] |= K i (Si = σ). Thus, M, u[0] |= f1 . Similarly, it can be shown that M, v[0] |= f 1 . As another example, consider the conjunct f2 . For i = 1, 2 and for all k there exists k ′ such that u[k] ≈i v[k ′ ]. Since M, u[k] |= X = 0 and M, v[k ′ ] |= X = 1, for j = 0, 1 M, u[k] |= ¬Ki (X = j). Hence M, u[0] |= f2 . Similarly, M, v[0] |= f2 . The remaining conjuncts can be verified in a similar manner. Claim II. If fT is satisfiable then T does not halt on a blank input tape. Let M = (W, W0 , π, ρ, 1 , 2 ) be a linear model and let w0 be a member of W0 such that M, w0 |= fT . By Theorem 3.8 for each i = 1, 2 and for each x 0 ∈ W0 , x0 ≈i w0 . Hence, for all x0 ∈ W0 and for 1 ≤ n ≤ 9, M, x0 |= fn . Choose u0 , v0 ∈ W0 such that M, u0 |= X = 0 and M, v0 |= X = 1. Such u0 and v0 exist because M, w0 |= f2 . Because M, u0 |= f4 and M, v0 |= f3 there must exist two infinite sequences u 0 u1 u2 ... and v0 v1 v2 ... in W ω , each of which is an infinite history. Let u[k] = u0 u1 ...uk and v[k] = v0 v1 ...vk . Again, by f4 we have M, u[k] |= X = 0 and M, v[k] |= X = 1 for all k ≥ 0. Because M, u[k] |= f1 and M, v[k] |= f1 , there exist infinite sequences e1 = e10 e11 e12 ..., e2 = e20 e21 e22 ..., m1 = m10 m11 m12 ..., and m2 = m20 m21 m22 ...∈ ∆ω such that M, u[k] |= S1 = e1k M, u[k] |= S2 = e2k M, v[k] |= S1 = m1k M, v[k] |= S2 = m2k The formulas f4 − f8 guarantee the following: • e2 , m2 ∈ (/ c¬/ c)ω (f4 ), • e1 = e2 (f5 ) • m1 ∈ c/#8 c/q0 c/B/ c((¬/ cc/)∗ #3 c/)ω (f6 , f7 ), • F (m1i , m1(i+1) , ..., m1(i+6) ) = m2(1+1) for all i ≥ 5 (f8 ). If we let s = m11 m12 m13 ... and t = m21 m22 m23 ... then s and t satisfy parts 1-3 of Proposition 1. If we can show, in addition, that s and t satisfy part 4 then s and t are infinite computations. Thus, T does not halt on a blank tape. Because M is a linear model there must be sequences σ 10 < σ11 < σ12 < ..., σ20 < σ21 < σ22 < ..., τ10 < τ11 < τ12 < ..., and τ20 < τ21 < τ22 < ... with the properties: 16 X S1 S2 u0 0 c/ c/ v0 u1 0 # # v1 u2 0 c/ c/ v2 u3 0 q0 q0 v3 u4 0 c/ c/ v4 u5 0 B B v5 u6 0 c/ c/ v6 u7 0 # # v7 u8 0 c/ c/ v8 u9 0 c11 c11 v9 u10 0 c/ c/ v10 X S1 S2 1 c/ c/ 1 # # 1 # c/ 1 # q0 1 # c/ 1 # B 1 # c/ 1 # # 1 # c/ 1 1 c/ q0 c11 c/ u11 0 c12 c12 v11 u12 0 c/ c/ v12 u13 0 c13 c13 v13 u14 0 c/ c/ v14 u15 0 # # v15 u16 0 c/ c/ v16 ... ... ... ... ... 1 c/ c12 1 B c/ 1 c/ c13 1 # c/ 1 # # 1 # c/ ... ... ... u11 0 c12 c12 v11 u12 0 c/ c/ v12 u13 0 c13 c13 v13 u14 0 c/ c/ v14 u15 0 # # v15 u16 0 c/ c/ v16 ... ... ... ... ... 1 c/ c12 1 B c/ 1 c/ c13 1 # c/ 1 # # 1 # c/ ... ... ... (a) X S1 S2 u0 0 c/ c/ v0 u1 0 # # v1 u2 0 c/ c/ v2 u3 0 q0 q0 v3 u4 0 c/ c/ v4 u5 0 B B v5 u6 0 c/ c/ v6 u7 0 # # v7 u8 0 c/ c/ v8 u9 0 c11 c11 v9 u10 0 c/ c/ v10 X S1 S2 1 c/ c/ 1 # # 1 # c/ 1 # q0 1 # c/ 1 # B 1 # c/ 1 # # 1 # c/ 1 1 c/ q0 c11 c/ (b) Figure 3: The model M is illustrated in both (a) and (b). Player 1’s knowledge relation,  1 , is illustrated in (a) and player 2’s relation,  2 is illustrated in (b). Equivalence classes are circled. The j-th symbol of the i-th configuration C i is denoted by cij . 17 • u[k] ≈i u[l] ⇔ σij ≤ k, l < σi(j+1) , • v[k] ≈i v[l] ⇔ τij ≤ k, l < τi(j+1) , • u[k] ≈i v[l] ⇔ σij ≤ k < σi(j+1) and τij ≤ l < τi(j+1) , By f1 , (i) if u[k] ≈i u[l] then eik = eil , (ii) if v[k] ≈i v[l] then mik = mil , and (iii) if u[k] ≈i v[l] then eik = mil . Since e1 = e2 and e2 , m2 ∈ (/ c¬/ c)ω then we must have for all j ≥ 0, σij = j for i = 1, 2 and τ2j = j. Thus, e2 = m2 . Furthermore, for all j, e1j = m1k for all k such that τ1j ≤ k < τ1(j+1) . Since we already have e1 = e2 then we can summarize all of this with the equation: collapse(m2 ) = m2 = e2 = e1 = collapse(m1 ). Thus, s and t satisfy part 4 of Proposition 1. 5 Conclusion Although we have introduced two logics of protocols, TLP and LLP, we have only been able to show undecidability for LLP which is arguably the less interesting of the two logics. TLP can model general games of incomplete information while LLP only can model blindfold games. It is our belief that TLP is also undecidable, but direct application of the techniques in this paper does not seem sufficient to prove it. Fischer and Immerman have recently developed a logic which seem to model Markov games, games where strategies do not depend on complete histories but only on the current position of the game [4]. The Fischer-Immerman logic is decidable. It is not yet clear which logics which include knowledge and time will turn out to be the most useful. What is clear already is that the study of logics for distributed computation is enriching our understanding of what the foundations of distributed computation are. References [1] Ben-Ari, M., Manna, Z., and Pnueli, A. The Temporal Logic of Branching Time. Eighth ACM Symposium on Principles of Programming Languages, 1981, pp. 164-176. [2] Emerson, E.A. and Halpern J.Y. Decision Procedures and Expressiveness in the Temporal Logic of Branching Time. Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, 1982, pp. 169-180. [3] Emerson, E.A. and Sistla, A.P. Deciding Branching Time Logic. Proceedings of the Sixteenth Annual ACM Symposium on Theory of Computing, 1984, 14-24. [4] Fischer, M.J. and Immerman, N. Foundations of Knowledge in Distributed Systems. Conference on Theoretical Aspects of Reasoning About Knowledge, Asilomar, March 19-22, 1986. [5] Fischer, M.J. and Ladner, R.E. Propositional Dynamic Logic of Regular Progams. Journal of Computer and System Sciences, Vol. 18, No. 2, 1979, pp. 194-211. [6] Floyd, R.W. Assigning Meaning to Programs. In J.T. Schwartz (ed.) Mathematical Aspects of Computer Science, Proc. Symp. in Applied Math. 19. Providence, R.I. American Math. Soc., 1967, pp 19-32. 18 [7] Fagin, R., Halpern,J.Y., and Vardi, M.Y. A Model-Theoretic Analysis of Knowledge: Preliminary Report. 25th Annual Symposium on Foundations of Computer Science, 1984, pp. 268-287. [8] Halpern, J.Y. and Fagin, R. A Formal Model of Knowledge, Action, and Communication in Distributed Systems. Proceedings of the Fourth Annual ACM Symposium on Principles of Distributed Computing, 1985, pp 224-236. [9] Hoare, C.A.R. An Axiomatic Basis for Computer Programming. Communications of the ACM, Vol. 12, 1969, pp. 576-580. [10] Halpern, J.Y. and Moses, Y. Knowledge and Common Knowledge in a Distributed Environment. Proceedings of the Third Annual ACM Conference on Principles of Distributed Computing, 1984. [11] Ladner, Richard E. The Complexity of Problems in Systems of Communicating Processes. Journal of Computer and System Sciences, Vol. 21, No. 2, 1980, pp. 179-194. [12] Lehman, Daniel. Knowledge, Common Knowledge and Related Puzzles. Proceedings of the Third Annual ACM Conference on Principles of Distributed Computing, 1984, pp. 62-67. [13] Moses, Y., Dolev D., and Halpern, J.Y. Cheating Husbands and Other Stories: A Case Study of Knowledge, Action, and Communication. Proceedings of the Fourth Annual ACM Symposium on Principles of Distributed Computing, 1985, pp 215-223. [14] Naur, P. Proof of Algorithms by General Snapshots. BIT, Vol. 6, 1966, pp 310-316. [15] Owen, G., Game Theory, Academic Press, 1982. [16] Parikh, Rohit and Ramanujam, R. Distributed Processes and the Logic of Knowledge. Logic of Programs, Lecture Notes in Computer Science, No. 193, Ed. by Rohit Parikh, Springer-Verlag, N.Y., 1985, pp 256-268. [17] Peterson, Gary L. and Reif, John H. Multiple-Person Alternation. 20th Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 1979, pp. 348-363. [18] Pnueli, A, The Temporal Logic of Programs. 18th Annual Symposium on Foundations of Computer Science, 1977, pp 46-57. [19] Pratt, V.R. Semantical Considerations on Floyd-Hoare Logic. 17th Annual Symposium on Foundations of Computer Science, 1976, pp.109-121. [20] Pratt, V.R. A Near Optimal Method for Reasoning about Action. MIT Technical Report, LCS/TM-138, 1979. [21] Pease, M., Shostak, R., and Lamport, L. Reaching Agreement in the Presence of Faults. Journal of the ACM, Vol. 27, No. 2, 1980. pp 228-234. [22] Reif, John H. Universal Games of Incomplete Information. Proceedings of the Eleventh Annual ACM Symposium on Theory of Computing. ACM, 1979, pp. 288-308. 19 [23] Reif, John H. The Complexity of Two-Player Games of Incomplete Information. Journal of Computer and System Sciences, Vol. 29, No. 2, 1984, pp. 274-301. [24] Reif. John H. and Peterson, Gary L. A Dynamic Logic of Multiprocessing with Incomplete Information. Seventh Annual ACM Symposium on Principles of Programming Languages, 1980, pp. 193-202. [25] Sistla, A.P. and Clarke, E.M. The Complexity of Propositional Linear Temporal Logics. Ninth Annual ACM Symposium on Principles of Programming Languages, 1982, 159-168. 20