Playing to Learn, or to Keep Secret: Alternating-Time Logic Meets Information Theory
Masoud Tabatabaei, Wojciech Jamroga

TL;DR
This paper introduces ATLH, an extension of ATL with quantitative uncertainty measures, allowing for nuanced specifications of agents' knowledge and secrecy, while maintaining similar complexity and increased succinctness.
Contribution
The paper presents ATLH, a new logic that incorporates uncertainty quantification into ATL, enhancing expressiveness and succinctness without increasing complexity.
Findings
ATLH has the same expressivity as ATLK.
Model checking complexity remains unchanged.
ATLH is exponentially more succinct than ATLK.
Abstract
Many important properties of multi-agent systems refer to the participants' ability to achieve a given goal, or to prevent the system from an undesirable event. Among intelligent agents, the goals are often of epistemic nature, i.e., concern the ability to obtain knowledge about an important fact \phi. Such properties can be e.g. expressed in ATLK, that is, alternating-time temporal logic ATL extended with epistemic operators. In many realistic scenarios, however, players do not need to fully learn the truth value of \phi. They may be almost as well off by gaining some knowledge; in other words, by reducing their uncertainty about \phi. Similarly, in order to keep \phi secret, it is often insufficient that the intruder never fully learns its truth value. Instead, one needs to require that his uncertainty about \phi never drops below a reasonable threshold. With this motivation in…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsLogic, Reasoning, and Knowledge · Formal Methods in Verification · Logic, programming, and type systems
\setcopyright
ifaamas \acmConference[AAMAS ’23]Proc. of the 22nd International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2023)May 29 – June 2, 2023 London, United KingdomA. Ricci, W. Yeoh, N. Agmon, B. An (eds.) \copyrightyear2023 \acmYear2023 \acmDOI \acmPrice \acmISBN \acmSubmissionID877
\affiliation \institutionInterdisciplinary Centre for Security and Trust, SnT,
University of Luxembourg \city \country
\affiliation \institutionInstitute of Computer Science, Polish Academy of Sciences \cityand SnT, University of Luxembourg \country
Playing to Learn, or to Keep Secret:
Alternating-Time Logic Meets Information Theory
Masoud Tabatabaei
and
Wojciech Jamroga
Abstract.
Many important properties of multi-agent systems refer to the participants’ ability to achieve a given goal, or to prevent the system from an undesirable event. Among intelligent agents, the goals are often of epistemic nature, i.e., concern the ability to obtain knowledge about an important fact . Such properties can be e.g. expressed in \ATLK, that is, alternating-time temporal logic ATL extended with epistemic operators. In many realistic scenarios, however, players do not need to fully learn the truth value of . They may be almost as well off by gaining some knowledge; in other words, by reducing their uncertainty about . Similarly, in order to keep secret, it is often insufficient that the intruder never fully learns its truth value. Instead, one needs to require that his uncertainty about never drops below a reasonable threshold.
With this motivation in mind, we introduce the logic \ATLH, extending ATL with quantitative modalities based on the Hartley measure of uncertainty. The new logic enables to specify agents’ abilities w.r.t. the uncertainty of a given player about a given set of statements. It turns out that \ATLHhas the same expressivity and model checking complexity as \ATLK. However, the new logic is exponentially more succinct than \ATLK, which is the main technical result of this paper.
Key words and phrases:
Multiagent Systems, Knowledge Representation, Uncertainty
1. Introduction
Many important properties of multi-agent systems refer to strategic abilities of agents and their groups Bulling et al. (2015); Ågotnes et al. (2015). They can be formalized in logics of strategic ability, such as alternating-time temporal logic ATL Alur et al. (2002); Schobbens (2004) or strategy logic SL Chatterjee et al. (2007); Mogavero et al. (2010). For example, the ATL formula , built upon the strategic operator for “there is a strategy for such that holds” and the temporal modality (“eventually”), can be used to express that the autonomous cab can deliver the passenger to his/her destination. Similarly, says that the passenger has the ability to survive the ride alive. Such statements allow to express important functionality and safety requirements in a simple and intuitive way. Moreover, they provide input to algorithms and tools for verification, that have been in constant development for over 20 years Alur et al. (1998, 2001); Kacprzak and Penczek (2004); Lomuscio and Raimondi (2006); Chen et al. (2013); Busard et al. (2014); Pilecki et al. (2014); Huang and van der Meyden (2014); Cermak et al. (2014); Lomuscio et al. (2017); Cermák et al. (2015); Belardinelli et al. (2017, 2017); Jamroga et al. (2019a); Kurpiewski et al. (2019); Kurpiewski et al. (2021).
Knowledge and information has always been an important aspect of interaction, but it has become even more important with the emergence of Internet and, more recently, social networks. Information is an important resource on which strategies are built, e.g., it is widely acknowledged that executable strategies must comply with so called uniformity constraints Schobbens (2004); Jamroga and van der Hoek (2004). More and more often, information becomes also the goal of the interaction. Agents may play to learn about a particular subject. People strive to know what the state of the economy is, what is the latest clothing fashion, and whether the coffee machine at their workplace serves good espresso or not. Using strategic-epistemic specifications that involve the knowledge operator , the latter kind of ability can be expressed by . Dually, the user of a social network may want to post a message for their friends only, in which case no outsider should learn the content of the message. This kind of ability can be captured by .
In many cases, however, strategic-epistemic specifications are too coarse. It is great if the worker can obtain full knowledge about the quality of workplace espresso, but being almost sure is almost as good. Dually, leaking some information about the social network post can be damaging, even if the intruder does not learn its exact content. With this motivation in mind, we propose to extend alternating-time temporal logic with new, information-theoretic modalities , based on the Hartley measure of uncertainty Hartley (1928). We also demonstrate the usefulness of the framework on a real-life voting scenario.
In terms of technical results, we prove that the resulting logic has the same expressive power and model checking complexity as strategic-epistemic specifications; however, it is exponentially more succinct. This is an important result, as it shows that the verification of a given property with uncertainty operators can take exponentially less time than when one uses knowledge modalities.
Related work. Strategic-epistemic reasoning has been intensively studied in the early 2000s, especially within the framework of ATEL van der Hoek and Wooldridge (2002, 2003a, 2003b); Ågotnes (2006); Jamroga and Ågotnes (2007) and Dynamic Epistemic Logic van Ditmarsch et al. (2007); Ågotnes and van Ditmarsch (2008). Dynamic epistemic planning Bolander and Birkegaard Andersen (2011) is a particularly relevant example. Still, we are not aware of any works combining logical formalizations of strategic reasoning with information-theoretic properties. The paper Jamroga and Tabatabaei (2013) comes closest, as it discusses the relation between a variant of resource-bounded temporal-epistemic logic and Hartley measure. Moreover, our proposal is directly inspired by information-theoretic notions of security, cf. Katz and Lindell (2020) for an introduction.
Another strand of related works concerns quantitative specification and verification of MAS due to stochastic interaction Chen and Lu (2007); Huang et al. (2012), graded Aminof et al. (2018); Ferrante et al. (2008) and fuzzy strategic modalities Bouyer et al. (2019); Belardinelli et al. (2022), or probabilistic beliefs about the opponents’ response Bulling and Jamroga (2009). Those papers considered neither knowledge nor information-theoretic properties, though Ferrante et al. (2008) leaned in that direction by including a count over the accessible imperfect worlds.
Succinctness of logical representations has been studied since early 1970s Stockmeyer (1972). In particular, the relative succinctness of branching-time logics was investigated in Wilke (1999); Adler and Immerman (2001); Markey (2003), and Bozzelli et al. (2020) studied the succinctness of the strategic logic ATL* with past-time operators. The methodology of proving succinctness by means of formula size games was proposed in Adler and Immerman (2001), and later generalized in French et al. (2013). We adapt the latter approach to obtain our main technical result here.
2. Logics of Strategic Ability
We first recapitulate the logical foundations that we chose for our approach.
2.1. Alternating-Time Logic ATL
Alternating-time temporal logic ATL Alur et al. (1997, 2002); Schobbens (2004) generalizes the branching-time temporal logic CTL Emerson (1990) by replacing the path quantifiers with strategic modalities . Informally, says that a group of agents has a collective strategy to enforce temporal property . ATL formulas can include temporal operators: “” (“in the next state”), “” (“always from now on”), “” (“now or sometime in the future”), and (strong “until”).
Syntax. Formally, let be a finite set of agents, and a countable set of atomic propositions. The language of ATL is defined as follows:
.
where and . Derived boolean connectives and constants () are defined as usual. “Sometime” is defined as .
2.2. Semantics of ATL
Models. The semantics of ATL is defined over a variant of synchronous multi-agent transition systems. Let be a concurrent game structure (CGS) such that: is a set of agents (or players), is the set of states of the system, is a set of actions, shows what actions are available for each player in each state, and is the transition function which, given a state and one action from each player in that state, returns the resulting sate. A CGS together with a set of atomic propositions and a valuation function is called a concurrent game model (CGM). A pointed CGM is a pair consisting of a concurrent game model and an initial state in .
Strategies and their outcomes. Given a CGS, we define the strategies and their outcomes as follows. A strategy for is a function such that .111 This corresponds to the notion of memoryless or positional strategies. In other words, we assume that the memory of agents is explicitly defined by the states of the model. The set of such strategies is sometimes denoted by , with the capital “I” referring to perfect Information, and the lowercase “r” for possibly imperfect recall. A collective strategy for a group of agents is a tuple of individual strategies . The set of such strategies is denoted by .
A path in a CGS is an infinite sequence of states such that there is a transition between each and . denotes the th position on (starting from ) and the suffix of starting with . The “outcome” function returns the set of all paths that can occur when agents execute strategy from state onward, defined as follows:
**: **
and for each there exists such that for every , and for every , and .
Semantic clauses. The semantics of ATL is defined by the following clauses:
**: **
iff , for ;
**: **
iff ;
**: **
iff and ;
**: **
iff there is a strategy such that, for each path , we have .
**: **
iff there is a strategy such that, for each path , we have for all .
**: **
iff there is a strategy such that, for each path , we have for some and for all .
2.3. Imperfect Information and Knowledge
Realistic multi-agent interaction always includes some degree of limited observability. Here, we use the classical variant of “ATL with imperfect information”, defined as follows:
We extend concurrent game structures with indistinguishability relations , for each . The resulting structure is called a concurrent epistemic game structure (CEGS). A CEGS together with a set of atomic propositions and a valuation function is called a concurrent epistemic game model CEGM.
Strategies of agents must specify identical choices in indistinguishable situations. That is, strategies with imperfect information (ir strategies, for short) are functions such that (1) , and (2) if then . 222Again, we consider only positional strategies here. As before, collective strategies for are tuples of individual strategies for . We denote the set of ’s imperfect information strategies by (with the lowercase “i” for imperfect information).
The semantics of “ATL with imperfect information” () differs from the one presented in Section 2.1 only in that the strategies are taken from instead of . In other words, the agents in should have an executable strategy which enforces from all the states that at least one member of the coalition considers possible.
Alternating-time temporal epistemic logic ATLK adds the knowledge modality of the multi-agent epistemic logic to ATL with imperfect information. In multi-agent epistemic logic, expressing the knowledge of the agents is formalised by epistemic formulae of type , stating that agent knows that holds, with the following semantics:
**: **
iff, for every state such that , we have that .
The formula stating mutual knowledge (read ”everybody in knows that ”) is defined as:
iff , for all .
3. Motivating Example
In this section we show, using an example, how our proposed logic can express more refined epistemic goals of agents using considerably more concise formulas. As we will see, not only the new formulation of these epistemic properties will be significantly shorter; the interpretation of the formulas will also be easier to understand in comparison to their analogous formulas in \ATLK.
3.1. Coercion in Referendums
We consider a very simple scenario of an election with a single voter and a single coercer. The election is a referendum, in the sense that each voter has to either vote for an issue in question or to vote against it. We consider two variants. In the first one there is only one issue put for referendum (we call it proposal A). The model consists of two agents, the voter and the coercer . The set of possible actions for the coercer in the model is and for the voter is , where represents a null action (meaning the action of doing nothing). and respectively represent voting for and against the proposal . The atomic proposition states that the vote is cast in favor of proposal , while the atomic proposition shows that the vote is already cast. The game model is depicted in Figure 1.
The valuations of atomic propositions are depicted in blue, and the red dashed line between and shows that the these two states are indistinguishable for player . In this simple model, we might express the property of coercion resistance in \ATLKas follows:
[TABLE]
The formula states that the voter has a strategy to vote for the proposal or against it, in a way that in either case the coercer does not know the value of the vote.
3.2. Referendum with Multiple Proposals
Consider a more sophisticated variant in which the voter participates in a double referendum, i.e., votes on two proposals and on a single ballot. The set of atomic propositions in this scenario is and the set of actions for the voter is. For expressing the property of coercion resistance in this scenario, a seemingly reasonable way is to extend the above formulas as below:
[TABLE]
The formula states that the voter can vote in any combination, for or against or , without the coercer knowing the value of any single vote. At the first glance these security properties seem to be strong enough for capturing the desirable property of coercion resistance. However, if we look at the two models in Figure 2, both of them satisfy the property above. On the other hand, we would consider model less secure than . There are 4 possible combinations of the valuations of and . In , the coercer considers all 4 of them as plausible, but in he could narrow that down to only two possible combinations. In other words, the uncertainty of the coercer about propositions and is higher in than in . In fact, as we shall see later, it is possible to write a formula in the language of that keeps the above property and yet distinguishes and . But if we want to write a security property in \ATLKthat rejects all the models where the coercer has more distinguishing power over states to than the model , then the length of that formula would be very large – in the worst case, even exponential in the number of distinguishing properties.
3.3. Reasoning about Uncertainty
One way of looking at the above situation is that, when reaching any of the states to , we want the coercer to have the least amount of information, or in other words the maximum uncertainty about the possible values of and . To express this concept, we can use one of the well known quantitative measures of uncertainty. Two measures that come to mind are Shannon entropy and Hartley measure. Choosing Shannon entropy would be meaningful only if we knew the intrinsic probabilities of each state. However, in the models that we are using, and in the scenarios similar to the one above, what we are interested is the uncertainty of the agents about different possible outcomes of a set of properties (here and ). We recall the definition of Hartley measure below:
Definition \thetheorem (Hartley measure of uncertainty Hartley (1928)).
If is a set of possible outcomes, then its Hartley measure is defined by .
The Hartley function coincides with Shannon entropy when ignorance can be modeled by the uniform probability distribution. Using this measure, what we want to specify as a security property in the example above is that the uncertainty of the coercer about the values of and should be maximal. The set of properties of interest could have different combinations of values. Therefore if we want that the coercer considers all of these combinations as possible, the Hartley measure of uncertainty of the coercer would be bits. To express this, we add a new operator , and write the formula:
The formula states that the voter has a strategic ability to eventually cast her vote, while keeping the uncertainty of the coercer about the valuations of and at the level of at least 2 bits. Intuitively, the formula holds in state of model , but not .
In the next section, we use this idea to formalize the syntax and semantics of the logic .
4. ATL with Uncertainty
In this section we define the syntax and semantics of the logic of strategic abilities with uncertainty operator . The logic is based on the idea of using the Hartley measure to quantify the uncertainty of agents about the possible valuations of a set of formulas. Similarly to , the semantics of \ATLHis also defined with respect to concurrent epistemic game models (CEGM).
4.1. Syntax
The syntax of is given as follows:
.
where is a set of players, is a set of formulas, is a player, and is a comparison operator. For instance, the formula states that the the uncertainty of agent about the set of formulas is higher than .
4.2. Semantics
Let denote the abstraction class of state with respect to relation , i.e., the epistemic neighbourhood of from the perspective of agent . For a given formula , we define relation that connects states with the same valuation of :
.
If is a set of formulas and , then we define
I.e., iff look the same to and cannot be discerned by any formula in . Note that is an equivalence. We define
for the set of equivalence classes of contained in the epistemic neighbourhood of state . Then, the truth value of the statement “agent ’s uncertainty about the set of formulas is in relation to value ” can be defined as follows:
Some straightforward validities of \ATLHare:
- (1)
$\mathcal{H}_{a}^{\begin{subarray}{c}=m\ \geqslant m\
m\end{subarray}}\beta\rightarrow\mathcal{H}_{a}^{\begin{subarray}{c}\geqslant m\ \geqslant m\ m\end{subarray}}\beta^{\prime}\beta\subseteq\beta^{\prime}$;
- (2)
, for all .
Also, if is the number of states in the model, then it holds that .
4.3. Model Checking
In this section, we discuss model checking for \ATLH. The following results have long been known in the literature:
- •
Model checking of epistemic logic is in P with respect to the size of the model and the length of the formula Halpern and Vardi (1991).
- •
Model checking of \ATLKfor agents with ir strategies is -complete with respect to size of the model and the length of the formula Bulling et al. (2010). This is a direct consequence of the fact that model checking of is -complete Schobbens (2004); Jamroga and Dix (2006).
In the following, we show that model checking of \ATLHis also -complete. To this end, it suffices to show that model checking of the uncertainty part of the language is in P.
**Proposition **\thetheorem
If is an \ATLHformula without strategic and temporal operators and is a CEGM, then checking if is satisfied in a state of can be done in polynomial time with respect to and , where is the total number of states, transitions, and epistemic relation pairs in .
Proof.
Let be the subformulas of (which incrementally generate ) listed in order of length. We can see that , as there are at most subformulas of . We start labeling each state in in increasing order of , with labels or , depending on whether is true in that state or not. It is easy to see that we can do this in at most labeling step. If the formula is a propositional formula with respect to it’s subformulas, then it can be labeled in in each state in constant time. In cases where is of the form where and , we have that each is a subformula of . Therefore for labeling we construct the set of equivalence classes by checking the labels of formulas in in all the states where . Then we calculate and compare it with in order to label . This procedure can be done in at most steps. Therefore the whole process of checking whether is satisfied in a state or not can be done in at most . ∎
**Proposition **\thetheorem
Model checking of \ATLHfor agents with ir strategies is -complete with respect to size of the model and the length of the formula.
Proof.
The lower bound follows from the fact that \ATLHsubsumes , and model checking is -hard. The upper bound is straightforward from Proposition 4.3 and the fact that model checking is in . ∎
5. Expressive Power of \ATLH
In this section we show that and ATLK have the same expressive power. We start by recalling the semantic definition of comparative expressivity Wang and Dechesne (2009).
Definition \thetheorem (Expressivity).
Let and represents two logics, such that and are the set of formulas defined in these logics, is a nonempty class of models (or pointed models) over which the logics are defined, and and are the truth relations of these logics, such that and . We say that is at least as expressive as on the class of models , iff for every formula , there exists a formula such that for every we have iff . We will write it as .
If both and , then we say that and are equally expressive on , and write .
In the following, we use and to denote the semantic relation of ATLK and , respectively, whenever it might not be clear from the context.
5.1. Knowledge as Uncertainty
{theorem}
is at least as expressive as ATLK.
Proof.
Because the set of formulas defined in includes all the formulas defined in ATLK except the formulas including operator, and the semantics of the common formulas are similar in both logics, it suffices to prove that for any formula of type in ATLK there is a formula in such that for every ,
We claim that we can construct such from to be . Therefore we need to prove that:
We have that if and only if holds in all the indistinguishable states from for , which includes state itself. This means that holds in and , which in \ATLHwould be expressed as . ∎
5.2. Uncertainty as Knowledge
{theorem}
ATLK is at least as expressive as \ATLH.
The proof proceeds by translating every occurrence of to a Boolean combination of epistemic formulas that express the knowledge of agent with respect to the indistinguishability classes of the formulas in , defined as follows:
Definition \thetheorem (Indistinguishability class of a formula).
For a given model , if , and is a formula, then we define the indistinguishability class of with respect to and as follows:
,
where denotes the set of states that are indistinguishable from for , and is the set of states were .
The full proof is technical and rather tedious; it can be found in the appendix. Here, we present how the translation works on an example. Let and be two formulas that do not contain any operators. We would like to find an ATLK formula , such that:
First we define new formulas , , and as follows: , , and . It is clear that the sets of states , , and are mutually exclusive, and moreover they partition . Because the truth value of each one of , , , corresponds to the truth value of exactly one of four possible different valuation combinations of and , so they are distinct.
If , then exactly one of , , or has to be empty. Because these sets are mutually disjoint, if all are non-empty then we should have at least four different states in with the four different valuation combinations for the formulas and . This would mean that which contradicts . Similarly if more than one of , , or are empty, then it means that only two or less possible valuation combinations of and exist in . This entails that , which is again a contradiction. The converse is also true: if exactly three of the sets , , or are non-empty, then there are exactly three valuation combinations of and in , which follows that . So the formula holds if and only if exactly one of , , or is empty. This can happen in four different ways (one corresponding to each of , , or being empty).
First consider the case where is empty. Then:
[TABLE]
In a similar way we can show that is non-empty iff . The same goes for , and . Therefore among , , and , only is empty iff:
We got this result by assuming that only is empty. Given that iff exactly one of , , or is empty, and knowing that we have four possible choices for which one is to be empty, we get that:
where is defined as:
[TABLE]
6. Uncertainty Is Exponentially More Succinct than Knowledge
The notion of succinctness Stockmeyer (1972); Wilke (1999); Adler and Immerman (2001) is a refinement of the notion of expressivity. Assume that one particular property can be expressed in both languages and , with formulas and respectively. When comparing the representational succinctness of these two languages, we are interested in whether there is a significant difference in the lengths of and . Similar to analysis of complexity, what we consider significant is at least exponential growth of the size of a formula in one of the languages comparing to the equivalent formula in the other language. In this section, we prove that the language of is exponentially more succinct than ATLK. We use the so called formula size games (FSG) from French et al. (2013) to construct the proof. In brief, we will show that for any , there is a formula of size linear to in ATLH, such that for any formula in ATLK with the same set of satisfying models as , the parse tree of will have at least distinct nodes, and therefore the size of is at least exponential in .
6.1. Succinctness and Formula Size Games
Before showing that ATL with uncertainty is exponentially more succinct than ATL with knowledge, we summarize the basic terminology.
Definition \thetheorem (Length of formulas in \ATLH).
The length of formula is denoted by , recursively defined as follows:
,
,
,
.
Definition \thetheorem (Succinctness).
Let and be two logics such that and let be a strictly increasing function. If for every there are two formulas and where:
- •
- •
- •
is the shortest formula on that is equivalent to on ,
then we say that is exponentially more succinct than on and write it as: .
In the following, for a set of pointed models , we use the term to mean that .
Definition \thetheorem (FSG).
One-person formula size game (FSG) on two sets of pointed models and is played as follows: during the course of the game, a game tree is constructed such that each node is labeled with pair of sets of pointed models. The possible moves for the player (called the spoiler) on each node of the tree are , where . A node can be open or closed. Once a node is closed, no further move can be played there. The condition and consequences of each of possible moves are as below:
**: **
(Atomic move): the spoiler chooses such that and . Then the node is declared closed.
**: **
(Not move): A new node is added to the tree.
**: **
(Or move): two nodes and are added to the tree such that .
**: **
(Knows move), where : For each the spoiler chooses a pointed model such that . If for some such does not exist, then the spoiler cannot play this move. All such chosen pointed models are collected in . Moreover, for each , all possible pointed models such that are added to . Then a new node is added to the tree.
We say that the spoiler wins FSG starting at in moves iff there is a game tree with root and precisely n nodes such that every leaf of is closed.
{theorem}
[French et al. (2013)] The spoiler can win the FSG starting at in less than moves iff there is some and a formula such that , and , where is the set of formulas defined in Multiagent epistemic logic and shows truth relation in it.
The game tree through which the spoiler wins the FSG is the parse three of formula in the language of Multiagent epistemic logic. For any , the set of all closed game trees with root is denoted by . Consequently, the set of closed trees represents also the set of all formulas that could distinguish the set of pointed models from the set of pointed models via the truth relation .
6.2. \ATLHIs More Succinct than \ATLK
Theorem 6.1 allows us to use FSG for proving the succinctness of our new logic \ATLHwith respect to ATLK.
{theorem}
The logic ATLH is exponentially more succinct than the logic ATLK.
The full proof is rather technical; it can be found in the appendix. Here we explain the sketch of the proof:
Proof sketch.
Let and represent the languages of the logics ATLK and ATLH respectively. For every , we define a formula where . Then, we define two sets of pointed models and , such that and . Because ATLK is as expressive as ATLH, there exists a formula which is the shortest formula in equivalent to . Therefore too can distinguish sets and , which means the spoiler can win the FSG game starting at by playing the formula . We then prove that the spoiler cannot win the FSG game starting at in less than moves, which means the size of is at least . ∎
7. Case Study: Three Ballot
We demonstrate the usefulness of our proposal on a real-life voting scenario.
7.1. Voting with ThreeBallot
ThreeBallot Rivest (2006); Rivest and Smith (2007) has been proposed by Rivest as a paper-based end-to-end verifiable voting protocol. Here, we use a simplified version of the protocol, which can be used for multiple-issue referendums. Following the example in Section 3, we consider a two-issue referendum, in which each voter votes to accept or reject two proposals and .
In ThreeBallot, the ballots are prepared such that for each issue, there are three empty fields that the voter can fill. For voting to accept the issue, the voter has to fill exactly two of the empty fields, and to vote to reject the issue, the voter has to fill exactly one empty field. However, the exact positions of the filled spaces are up to the voter. After filling the ballots, the voter separates three columns of fields, and in this way creates three separate ballots. The voter can make (and keep) a copy of one of those ballots as the receipt. Finally, she puts all the original ballots in the ballot box. The tally of the votes is done by counting the filled spaces for each issue. The difference between the number of filled spaces for each issue and the number of voters shows the number of votes in favor of that issue. After the tallying, all the ballots are published on a public bulletin board, so that everyone can check the correctness of the result.
One of the main goals of ThreeBallot is coercion resistance Juels et al. (2005), i.e., the protocol should make it impossible for a third party to successfully coerce or bribe voters into voting in a particular way. Informally, coercion resistance is usually understood as the inability of the coercer to learn how the voter has voted, even if the voter cooperates with the coercer. Interestingly, ThreeBallot was both claimed secure Rivest and Smith (2007) and insecure Appel (2006). It might seem that one of the claims must be wrong, but a closer look reveals that they are based on different concepts of vote privacy. In Rivest and Smith (2007), it is argued that the coercer cannot get to know how the voter has voted, which is a strategic-epistemic property. In contrast, Appel (2006) argues that the coercer can gain information about the value of the vote. We demonstrate the difference in the remainder of this section.
7.2. Model of the Scenario
In our example, the two propositions that determine the vote of the voter are and . We encode a vote against an issue by using overline. So, indicates a vote for issue and against issue ; in other words, it states that is false and is true. This way, the set of possible votes from the voter is . Similarly, we encode a filled space by and a blank (not filled) space by . For instance, a ballot is denoted by . Figure 3 depicts an example ThreeBallot card and the resulting ballots.
We consider a scenario with two voters and a two issue referendum with issues and . Let us call the first voter the voter, as she will be the one that we are focusing on in this example. We call the second voter the other voter. During the election, the voter has several choices. The first is what vote she is going to cast. Then for each possible vote, there are various ways that the ballots can be filled, which will result in different ballot sets. After that, the voter has the choice of which of the ballots to keep a copy as the receipt. In our scenario, there exist a coercer who after the election will force the voter to reveal her receipt. The coercer then tries to infer the actual value of the voter’s vote, based on the receipt and the published bulletin board.
Table 1 shows the different ways how the choices of the voter affect the possible indistinguishability set of the coercer about the value of the vote, after the receipt has been revealed. The different indistinguishability sets in each row result from various ways in which the other voter might fill his ballot.
7.3. Analysis: Epistemic Security
The coercion resistance security property is usually framed following the idea that the coercer cannot get to know how the voter has voted, even if the voter cooperates with the coercer. In Tabatabaei et al. (2016), various nuances of coercion resistance are formulated in the logic \ATLK. In a similar way, we can use \ATLKto express coercion resistance in our ThreeBallot example as follows:
The formula states that for any vote choice, there exists no common strategy for the voter and the coercer, such that the voter selects that vote and given that the choice of the two voters are different (the reason for this condition is explained below), the coercer would know the value of the vote.333 Note that we use in the role of an atomic proposition which evaluates to true whenever is indeed equal to . Condition is treated analogously.
It is obvious that in the cases where both voters have voted identically, even without revealing the receipt, the coercer will know the value of the vote just by looking at the bulletin board. This is similar to the case when in an election all the voters vote similarly, in which case the privacy of their votes will be broken after publishing the tally (unless some sort of obfuscation is used Jamroga et al. (2019b)). We added the condition to the above formula to account for this. Also in the following we only focus on the cases where the two voters has voted differently.
By looking at Table 1 we can see that the model satisfies the coercion resistance property as formulated in the above \ATLKexpression. This is because there is no row in the table that consists of only one indistinguishability set for the coercer which has only one member (the actual value of the vote). However the voter votes and selects the receipt, there is at least one possible indistinguishability set with more than one member, meaning that the coercer might not get to know the actual vote of the voter.
7.4. Information-Theoretic Security in \ATLH
We can alternatively define the coercion resistance property in the information-theoretic sense, namely that the coercer cannot gain information on how the voter has voted, even if the voter cooperates with the coercer. Phrasing this differently, we want that no matter the course of actions of the voter and coercer, the coercer has always maximum uncertainty about the actual value of the vote. We can express this property in \ATLHas follows:
The above formula states that, for any joint strategy of the coercer and the voter, the uncertainty of the coercer will always be at the maximum. Looking at Table 1, we can see that the ThreeBallot protocol does not satisfy this property. This is because in each row there exists a possible indistinguishability set whose size is less than the number of possible votes.
This example shows that, although ThreeBallot could be considered secure with respect to the epistemic notion of coercion resistance expressed in \ATLK, it is not secure when we define the security requirement as an information-theoretic property, and formalize it in \ATLH.
8. Conclusion
In this work, we introduce the logic \ATLHwhich extends alternating-time temporal logic ATL with quantitative modalities based on the Hartley measure of uncertainty. As the main technical result, we show that \ATLHhas the same expressive power and the same model checking complexity as \ATLK(i.e., ATL with epistemic modalities), but it is exponentially more succinct.
The succinctness result, together with the model checking complexity, is of major significance. As we have seen in Section 4.3, both \ATLKand \ATLHhave the same verification complexity with respect to the size of the model and the length of the formula. Theorem 6.2 promises that, for some properties, their verification in \ATLHwill be exponentially faster than in \ATLK. Also, a more succinct language often results in better readability, which in turn helps the designers of a system to make less mistakes in the specification of desired properties. Last but not least, many properties can be expressed in \ATLHin a much more intuitive way than in \ATLK. Understanding the information-theoretic intuition of a corresponding \ATLKformula can be a real challenge.
We suggest the specification of security requirements as an important application area for our proposal. In particular, the framework can be used to expose the logical structure of security claims, for example, the difference between the epistemic and information-theoretic notions of privacy. We demonstrate this on a real-life voting scenario involving the ThreeBallot protocol, which has been both claimed secure and insecure in the past. Indeed, the protocol is secure with respect to an epistemic notion of privacy, but it may fail to obtain the information-theoretic one.
In the future, we plan to implement model checking for \ATLHas an extension of the STV Kurpiewski et al. (2021) or MCMAS Lomuscio et al. (2017) model checkers.
{acks}
The work has been supported by NCBR Poland and FNR Luxembourg under the PolLux/FNR-CORE projects STV (POLLUX-VII/1/2019 & C18/IS/12685695/IS/STV/Ryan) and SpaceVote (POLLUX-XI/14/SpaceVote/2023).
Appendix A Detailed Proofs
Proof of Theorem 5.2
Theorem**.**
ATLK is at least as expressive as \ATLH.
Because the set of formulas defined in ATLK includes all the formulas defined in , except the formulas including operator, and the semantics of the common formulas are similar in both logics, we formulate the proof by giving a translation from an ATLH formula of type to an equivalent ATLK formula. Before giving the translation, we introduce some helper definitions: For a given formula , let and .
Definition \thetheorem.
If is a set of formulas, we define the set of formulas as
Each member of is formula which is constructed by the conjunction of terms, each term being either a member of or its negation. Because has members, the size of is . It can be seen that for any and , the indistinguishablity classes of members of with respect to and (Definition.5.2) are mutually exclusive and they partition (with the same reasoning as explained in Section 5.2).
Definition \thetheorem.
For , and , we define the set as follows:
is the set of possible orderings of [math]s and s, such that the number of s is and the number of [math]s is . If , then we refer to th element of by (which of course could be either [math] or ).
**Proposition **\thetheorem
If is a set of formulas then for a model , and we have
**
where and is defined as below:
,
and is any ordering on the members of .
Proof.
The idea of the proof is similar to the example in Section 5.2. By the way we constructed , we have that the members of the set are mutually exclusive, and they partition . Therefore if and only if exactly members of the set are non-empty. For any , we have that is empty if and only if , and similarly is non-empty if and only if . Therefore if and only if for some subsets such that , we have that and . This statement could be exactly represented by the formula defined as above. ∎
For formulas of type and the construction could be written as below:
* *
where is defined as in Proposition A.
Proof of Theorem 6.2
For introducing the proof of Theorem 6.2 we need some prerequisites which will follow.
**Lemma **\thetheorem
In any concurrent game model , if the outcome function contains only reflexive transitions, then for any and any state :
- •
* iff .*
- •
* iff .*
- •
* iff .*
Proof.
The proof follows directly from the semantics of the temporal operators and the fact that for any strategy and any , we have that for any . So in a sense the agents can never ”escape” from the state . As the indistinguishability relation of the agents are also reflexive, it follows that the strategic abilities of agents to bring about in any future state is equivalent to having mutual knowledge about in the current state. ∎
Observation 1**.**
In any concurrent game model , if the outcome function contains only reflexive transitions and is a singleton (for example ), then any formula in the language of ATLK has an equivalent formula in Multiagent epistemic logic which does not have a higher length. This follows from the lemma A and that in this model is equivalent to .
Definition \thetheorem.
For , we define to be a concurrent epistemic game model, such that , , and . We allow , to be defined arbitrarily, and the transition function is reflexive. The valuation function is defined as follows: If is the binary representation of the number , then in state , we let be true iff . In other words, we let the set of atomic propositions have a distinct valuation out of possible combinations in each of states.
Definition \thetheorem.
For a given , we define to be constructed by removing state from . We also modify , , , and as needed to be compatible be the removing of the state.
We denote the set of states of by . We define to be the set of all pointed models , where . Therefore contains pointed models, corresponding to each of states of . For any , we define to be any set of pointed models that contains . Similarly could be any set of pointed models that contain (therefore, these terms are not referring to specific sets, but rather they show a property of a set of pointed models).
Observation 2**.**
If , then , there exists such that and have same valuation for . This is true, because for , has at least 4 states, and each holds in at least 2 of them, and does not hold in at least 2 other states.
Observation 3**.**
If and , then the spoiler cannot play an atomic move in a node which is labeled by or . Because state prevents any to hold on all models on the left side and to not hold on all models on the right side.
We will use the models and to construct our proof. Throughout the proof, we will create a formula size game tree. As we saw before, every node in a formula size game tree is labeled with a pair of sets of pointed models. Below we define six types of nodes, parameterized by a given state , based on properties of their labels.
- •
: The label could be represented by
- •
: The label could be represented by
- •
: The label could be represented by
- •
: The label could be represented by
- •
: The label could be represented by
- •
: The label could be represented by
Next, we investigate that if in a FSG, a node has one of the above types, what will be the result of each of the spoiler’s possible moves. In particular, we are interested to see a) whether the spoiler can close a node of a certain type be playing one of her moves, and b) if it is not closed then, what type of child nodes will be generated.
, defined by
-
Atomic move is not possible (by observation 3).
-
Or move will generate at least one child node of type . Because it splits the set of pointed models on the left side, therefore will end up on the left side of one of the child nodes.
-
Knows move will generate a child node of type . Because it expands the pointed models on the left side to . Therefore, no matter how we generate the right side, we can always select one of the pointed models on the right side which are of form (for some ) and because , therefore will be included on the left side. Hence the child node is of type .
-
Not move will generate a child node of type . Because it just reverses the pointed models on right side and left side.
, defined by
-
Atomic move is not possible (by observation 3).
-
Or move will generate at least one child node of type . Because it splits the set of pointed models on the left side, therefore will end up on the left side of one of the child nodes.
-
Knows move will generate a child node of either type or . By playing the knows move (which could be only move), the left side of the label in the generated node will be expanded to . On the right side, we either select pointed models such that at least for one among them, exists on the left side, in which case the resulting node will be of type . Or we select the pointed models on the right side such that for no on the left side there exist a on the right side. This can happen only if the new generated node is labeled with , which means it is of type .
-
Not move will generate a child node of type . Because it just reverses the pointed models on right side and left side.
, defined by
-
Atomic move is not possible. Because by observation 3, for any which is not true in , there is where where does not hold in too, therefore no atomic proposition could close this node.
-
Or move will generate at least one child node of either type or . If we select the all the pointed models on the left side, to be the left side of a child node, then the label of that child node is the same as this node and therefore it is also of type . Otherwise we can select any of the child nodes generated by or move and one of the pointed models on its left side. Because , this node’s label will be of type .
-
Knows move will generate a child node of either type or . By playing the knows move (which could be only move), the left side of the label in the generated node will remain to be . On the right side, we either select , in which case exists on the left side, and therefore the resulting node will be of type . Or we select the pointed model , in which case the label of the child node stays intact and hence is of type .
-
Not move will generate a child node of type . Because it just reverses the pointed models on right side and left side.
, defined by
-
Atomic move is not possible. Because by observation 3, for every , there is such that does hold in both and , therefore no atomic proposition could close this node.
-
Or move will generate a node of type . This is because the set of pointed models on the left side of this node has only one member, so at least one of the child nodes will have a similar label as of this one, which is of type .
-
Knows move will generate a child node of . Because after a knows move (which could be only move), the left side of the label in the generated node will be . Therefore no matter how we generate the pairs on the right side, for any chosen pair on the right side exists on the left side, and therefore the resulting node would be of type .
-
Not move will generate a child node of type . Because it just reverses the pointed models on right side and left side.
, defined by
-
Atomic move is possible. If it is played, then the node will be closed and there won’t be any further child. Notice that we are not saying the for every node of type the atomic move is possible. What we state is that by the definition of this type alone, we cannot discard the possibility of an atomic move, and this will be enough for our purpose.
-
Or move will generate a child node of type . Because for all on the left side of this node’s label, we have that . Therefore any subset of it also retains this property and hence an or move will generate at least one child node of type .
-
Knows move will generate at least one node of either type or . The reasoning is similar to the knows move for the node type .
-
Not move will generate a child node of type . It follows directly from the definitions of node types and .
, defined by
-
Atomic move is possible. Again, this only means that only by the definition of type , we cannot reject the possibility of an atomic move, which will be enough for our proof.
-
Or move will generate a child node of type . The reasoning is similar to the or move of node type .
-
Knows move will generate a child node of type . The reasoning is similar to the knows move of node type .
-
Not move will generate a child node of type . It follows directly from the definitions of node types and .
Any node which is tagged with a type to defined as above is called a typed node.
Observation 4**.**
If the spoiler wins a FSG starting from a root of type , then the game tree has at least one leaf of either type or (with a singleton set containing on one side of the label of that leaf).
To see why, notice that every move that the spoiler plays at each step will generate at least one typed node parameterized by as a child. So if we create a path from the root downwards the tree, containing only typed nodes parameterized by , this path can end only by the node being closed at some point. As we assumed that the spoiler wins the FSG, then all paths from the root has to end in a leaf. Among the node types, the spoiler can close the node only when the type is or . Therefore, any path that contains only of typed nodes parameterized by has to end in a node of types either or .
Now we have enough prerequisite materials to construct our proof:
Proof.
*(Proof of Theorem 6.2)
For every , we define the formula as:
where . The size of is , which is strictly increasing (and linear) in . Also for every , we define two set of pointed models and as below:
,
where and are defined as in Definitions A and A. So contains a single pointed model , and is constructed by summing all possible ways that we can remove one of the states of , other than state 0. Therefore consists of pointed models.
It holds that , because has states and the set has a distinct combination of values in each of those states, which are all in the same indistinguishability class for agent from state [math]. Therefore , and so . It is also true that , because for all , has states, and so regardless of the valuations of atomic propositions in those states, . Hence . It follows that , which means .
So we have and . Now to prove the succinctness theorem, by definition 6.1 we need to show that the shortest formula which is equivalent to , has the size of at least . Assume is the shortest formula in which is equivalent to . By Observation 1, there exist a formula in which is not longer than . By theorem 6.1, the spoiler can win the FSG game starting at . If is the lowest number of moves that the spoiler can win the FSG game starting at , then by theorem 6.1, is a lower bound for the size of . Now consider that the spoiler actually plays and wins this FSG game and constructs this winning tree. We will tag each node of this tree by its type, based on the types to that we defined before. We start from the root. For each , we can tag the root of this tree as type by replacing in the definition of type . Therefore, by observation 4, this tree has at least one leaf of either type or for each . Because we have choice for , and because no node can be of types or , and at the same time of types or for , therefore this tree has at least distinct leaves. Moreover, because the root is of type and cannot be closed with the first move, the tree has at least one no-root/no-leaf node. So to win this game the spoiler has to play at least moves, and because this is a lower bound on the size of , we have that . As can only be longer than , it follows that .
So we showed that for any , we can define a with length , such that the shortest which is equivalent to has at least the length of . By definition 6.1 this proves that ATLH is exponentially more succinct than ATLK. ∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1)
- 2Adler and Immerman (2001) Micah Adler and Neil Immerman. 2001. An n! Lower Bound on Formula Size. In Proceedings of IEEE Symposium on Logic in Computer Science . 197–206.
- 3Ågotnes (2006) T. Ågotnes. 2006. Action and Knowledge in Alternating-time Temporal Logic. Synthese 149, 2 (2006), 377–409.
- 4Ågotnes et al . (2015) T. Ågotnes, V. Goranko, W. Jamroga, and M. Wooldridge. 2015. Knowledge and Ability. In Handbook of Epistemic Logic . 543–589.
- 5Ågotnes and van Ditmarsch (2008) T. Ågotnes and H. van Ditmarsch. 2008. Coalitions and Announcements. In Proceedings of International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS) . 673–680.
- 6Alur et al . (2001) R. Alur, L. de Alfaro, R. Grossu, T.A. Henzinger, M. Kang, C.M. Kirsch, R. Majumdar, F.Y.C. Mang, and B.-Y. Wang. 2001. j Mocha: A Model-Checking Tool that Exploits Design Structure. In Proceedings of International Conference on Software Engineering (ICSE) . 835–836.
- 7Alur et al . (1998) R. Alur, T. Henzinger, F. Mang, S. Qadeer, S. Rajamani, and S. Tasiran. 1998. MOCHA: Modularity in Model Checking. In Proceedings of Computer Aided Verification (CAV) (Lecture Notes in Computer Science, Vol. 1427) . 521–525.
- 8Alur et al . (1997) R. Alur, T. A. Henzinger, and O. Kupferman. 1997. Alternating-Time Temporal Logic. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS) . 100–109.
