Model Checking Temporal Logics of Knowledge in Distributed Systems

Model checking is a promising approach to automatic verification, which has concentrated on specification expressed in temporal logic. Comparatively little attention has been given to temporal logics of knowledge, although such logics have been proven to be very useful in the specifications of protocols for distributed systems. In this paper, we address ourselves to the model checking problem for a temporal logic of knowledge (Halpern and Vardi’s logic of CKLn). Based on the semantics of interpreted systems with local propositions, we develop an approach to symbolic CKLn model checking via OBDDs. In our approach to model checking specifications involving agents’ knowledge, the knowledge modalities are eliminated via quantifiers over agents’ non-observable variables. Introduction Model checking is most widely understood as a technique for automatically verifying that finite state systems satisfy formal specifications. The success of model checking in mainstream computer science has led to a recent growth of interest in the use of the technology in fields of AI such as planning and multiagent systems. However, the formal specifications for finite state systems are most commonly expressed as formulae of temporal logics such as LTL (linear temporal logic) in the case of SPIN (Holzmann 1997) and FORSPEC (Vardi 2001) and CTL in the case of SMV (McMillan 1993), while the specifications for multiagent systems involve agents’ knowledge, belief and other notions of agents’ mental states. In this paper, we address ourselves to the model checking problem for a temporal logic of knowledge (Halpern and Vardi’s logic of CKLn). The application of model checking within the context of the logic of knowledge was first mooted by (Halpern & Vardi 1991). A number of algorithms for model checking epistemic specifications and the computational complexity of the related problems were studied in (van der Meyden 1998). However, they did not investigate “practical” model checking for knowledge and time. (Rao & Georgeff 1993) investigated the model checking problem for situated reasoning systems, but they did not consider S5 logics of knowledge and they did not implement any Copyright c © 2004, American Association for Artificial Intelligence (www.aaai.org). All rights reserved. of the techniques they developed. (Benerecetti, Giunchiglia, & Serafini 1999; Benerecetti & Giunchiglia 2000) developed techniques for some temporal modal logics, but these logics have an unusual (non-Kripke) semantics. (van der Meyden & Su 2004) took a promising first step towards model checking of anonymity properties in formulas involving knowledge. Nevertheless, they took the assumptions that agents are of perfect recall and considered only a small class of epistemic formulas without any nest of epistemic modalities. (Hoek & Wooldridge 2002) developed an approach to reduceCKLn model checking to linear temporal logic (LTL) (Pnueli 1977) model checking. However, the verification process of their approach still requires an input from a human verifier (to obtain the so-called local propositions when reducing the CKLn specification to LTL). A “direct” implementation of CKLn model checking would thus be desirable. Our approach presents a methodology for symbolic CKLn model checking, based on the semantics of interpreted systems with local propositions (Engelhardt, van der Meyden, & Moses 1998), which leads to a “direct” implementation of CKLn model checking. Moreover, by the results presented, we can provide via OBDD (Bryant 1986) an approach to symbolic verifying CTL, the combination of LTL and CTL (branching temporal logic). This is interesting because LTL and CTL have been well studied and implemented efficiently into a number of tools (Clark, Grumberg, & Peled 2000; Holzmann 1997) and the community of model checking expects such a tool that can verify specifications in full CTL efficiently. The present paper follows similar lines to (Hoek & Wooldridge 2002), which is based on the idea of local propositions as described in (Engelhardt, van der Meyden, & Moses 1998; Engelhardt, van der Meyden, & Su 2002). The main advantages of the present paper over (Hoek & Wooldridge 2002) are: 1. We explicitly introduce the notion of finite-state program with n-agents (which is a symbolic representation of the well-known interpreted systems) and present some interesting results on the theoretical foundations of (Hoek & Wooldridge 2002). 2. In order to determine whether Kiφ holds at some point of an interpreted system, Hoek and Wooldridge (Hoek & Wooldridge 2002) attempt to find an i-local proposition ψ which is equivalent to Kiφ at that point; whereas, we try to get an i-local proposition ψ which is equivalent to Kiφ at any point (see Remark 11). The structure of the paper is as follows. In the next section, we shortly introduce the well-known interpreted system (Fagin et al. 1995) and a temporal logic of knowledge, Halpern and Vardi’s CKLn (Halpern & Vardi 1989). Then, we define a class of interpreted systems that are generated by finite-state programs with n-agents. The most exciting result is to show how to use OBDDs to implement symbolic CKLn model checking, based on those interpreted systems generated by finite-state programs with n-agents. Knowledge in an Interpreted System with Local Variables In this section, we define the semantic framework within which we study the model checking of specifications in the logic of knowledge. First, we introduce interpreted systems (Fagin et al. 1995) and a temporal logic of knowledge CKLn (Halpern and Vardi’s CKLn (Halpern & Vardi 1989)). Then, we present the notion of a finite-state program with n-agents, a finite-state transition representation for those interpreted systems with local variables