Hidden Protocols: Modifying our expectations in an evolving world Hans van Ditmarscha, Sujata Ghoshb, Rineke Verbruggec, Yanjing Wangd,∗ aLORIA, CNRS – Université de Lorraine, France bIndian Statistical Institute, Chennai, India cInstitute of Artificial Intelligence, University of Groningen, The Netherlands dDepartment of Philosophy, Peking University, China Abstract When agents know a protocol, this leads them to have expectations about future observations. Agents can update their knowledge by matching their actual observations with the expected ones. They eliminate states where they do not match. In this paper, we study how agents perceive protocols that are not commonly known, and propose a semantics-driven logical framework to reason about knowledge in such scenarios. In particular, we introduce the notion of epistemic expectation models and a propositional dynamic logic-style epistemic logic for reasoning about knowledge via matching agents' expectations to their observations. It is shown how epistemic expectation models can be obtained from epistemic protocols. Furthermore, a characterization is presented of the effective equivalence of epistemic protocols. We introduce a new logic that incorporates updates of protocols and that can model reasoning about knowledge and observations. Finally, the framework is extended to incorporate fact-changing actions, and a worked-out example is given. Keywords: protocols, dynamic epistemic logic, guarded automata ∗Corresponding author Email addresses: hans.van-ditmarsch@loria.fr (Hans van Ditmarsch), sujata@isichennai.res.in (Sujata Ghosh), rineke@ai.rug.nl (Rineke Verbrugge), y.wang@pku.edu.cn (Yanjing Wang) Preprint submitted to Artificial Intelligence December 23, 2013 1. Introduction Talking about knowledge and protocols, some questions come to our minds: What do we mean by knowing a protocol? How does this protocol knowledge affect our knowledge of facts about the world? The literature abounds with various formal models answering these questions from different angles [1, 2, 3, 4, 5], and the proper representation and formalization of knowledge and knowledge dynamics is a core interest in the area of artificial intelligence [6, 7, 8, 9]. In some situations, agents have partial knowledge of the underlying protocols that guide the behaviors of other agents. Based on their incomplete knowledge of protocols and their observations, the agents try to reason about other agents' epistemic attitudes as well as about hard facts. Protocols play a role, for example, when agents communicate using full-blown secret codes (see [10] for many intriguing historical examples). Our daily communications provide more mundane protocols that may help to hide information from part of the participants. Example 1 (The voice of Kathleen Ferrier). Consider a café in the 1950s, with three persons, Kate, Jane and Ann sitting across a table. Suppose Kate is gay and wants to know whether either of the other two is gay. She wants to convey the right information to the right person, without the other getting any idea of the information that is being communicated. She states, 'I am musical, I like Kathleen Ferrier's voice'. Jane, who is gay herself, immediately realizes that Kate is gay, whereas, for Ann, the statement just conveys a particular taste in music.1 Example 2 (Valentine's Day). Coming back to the present day, consider a similar café scenario with Carl, Ben and Alice. Carl and Ben are childhood friends and know each other like the back of their hands. Carl says to Ben: 'On Valentine's day I went to the pub with Mike and Sara. It was a crazy night!' This immediately catches the attention of Alice, who is in love with Mike. She asks: 'What happened?' Carl winks to Ben and says: 'Nothing'. Knowing Carl very well, Ben immediately realizes that indeed nothing has 1This example has been inspired by the interviews in [11], from which it appears that in 1950s Amsterdam, 'musical' was indeed a code term for 'gay', known almost exclusively by gay people. The additional mention of singer Kathleen Ferrier strengthened this 'gay' hint. Among gay women, Ferrier's low contralto voice, for example in her performance as Orfeo in Gluck's Orfeo ed Euridice, was widely popular. 2 happened, whereas Alice becomes unsure of that, as she saw the wink that Carl has given to Ben. This paper presents a dynamic epistemic logic (DEL, [12, 13]) that can suitably describe such scenarios. Knowing a protocol can mean 'knowing what to do according to the protocol' [1]. It can also correspond to 'understanding the underlying meaning of the actions induced by the protocol' [2]. Here, we follow the latter interpretation, which appears to capture the notion of a protocol in the types of situations we want to model. Kate's making a statement like 'I am musical, I like Kathleen Ferrier's voice' corresponds to the fact that 'Kate is gay'. In the second situation, 'Nothing' (even if accompanied by a wink) corresponds to the fact that 'Nothing has happened'. Our work is inspired by two lines of research: the work relating dynamic epistemic logic (DEL) and epistemic temporal logic (ETL) [3, 5, 14] and the work on protocol changes [4, 15]. In [14], Pacuit and Simon model protocols as tree compositions, basically equating protocols with plans. Hoshi et al. [3, 5] propose the notion of 'state-dependent' DEL-protocols (sets of sequences of event models [13]) in order to handle protocols that are not common knowledge. Consider an epistemic scenario wherein the agents are not only uncertain about the factual state of the world but also about the protocol that can be executed given some factual state, depicted as the model: s t {a} {b} p ¬p 1, 2 In this model, s, t are possible worlds, p is a proposition, and a, b are expected actions. The uncertainty of the agents about the protocol is denoted by a state-dependent protocol assigning singleton action sets {a} to s and {b} to t. Note that we have omitted the reflexive arrows for agents 1 and 2 for the sake of compact representation, and we will follow this convention throughout this paper. A system wherein the protocol can be different in any state is clearly more complex than a system wherein the protocol is a background parameter, and thus can be assumed common knowledge to all 3 agents. But in the example model above, we can still reclaim some form of common knowledge of the protocol, namely by describing it intuitively as follows: if p then a and if ¬p then b. In order to discuss the knowledge of protocols formally, we need to first fix a protocol specification language, which will then enable us to represent such protocol models in a more informative way. Given a protocol language, how do we obtain such epistemic models with protocol information from specifications of conditional protocols, and vice versa? Similar questions are addressed in [4, 15], in which Wang presents a logical framework that incorporates protocol specifications in epistemic models and introduces the idea of matching observations to expectations. However, there, protocols are assumed to be common knowledge. We do not assume that here. Our work is based on the logic developed in [4] but in the current article we use epistemic models with procedural information as in [3, 5] to deal with uncertainties about protocols, an agent's knowledge of underlying protocols, and her current observations affecting factual uncertainty. In our framework, the protocols can be viewed as 'given by nature', so the framework does not cover interesting aspects such as how and by whom the protocols have been designed and how agents have come to agree to use them. The ingredients of our work are: 1. epistemic models encoding state-dependent expected observations; 2. an update mechanism for eliminating impossible worlds according to the observation of agents and their expectations; 3. a formal language for specifying observations and protocols; 4. protocol models that represent agents' incomplete information about the 'real' protocols; 5. an update mechanism for incorporating protocol information (as protocol models) in epistemic (observation) models; 6. a notion of equivalence between protocol models; 7. a logic for reasoning about knowledge based on protocols; 8. fact-changing actions and factual change systems, in order to investigate how we modify our expectations in an evolving world. The paper is organized as follows. Section 2 introduces epistemic expectation models and a simple propositional dynamic logic (PDL)-style epis4 temic logic for reasoning about knowledge via matching agents' expectations to their observations. Section 3 discusses how we obtain epistemic expectation models from protocol models (i.e., epistemic protocols). We characterize three classes of epistemic expectation models that can be generated from various epistemic models. Furthermore we give a characterization of the effective equivalence of epistemic protocols. A logic is then given to incorporate the updates of protocols and to model reasoning about knowledge and observations. In Section 4 we address incorporation of factchanging actions. Section 5 discusses the application of the full framework, including factual changes, to a well-known logic puzzle. Finally, we point out relations to other research and future work in Sections 6 and 7. This article is the extended version of [16]. The main differences are: the introduction of the concept of observational saturation and a theorem about its relation to protocol models (Theorem 29); results about systems with fact-changing actions (Section 4); an extended application, namely about a protocol in the 'One hundred prisoners and a lightbulb' puzzle (Section 5); and a more extensive discussion of related work and ideas for future research (Sections 6 and 7). 2. Reasoning via Expectation and Observation In this section, we introduce epistemic expectation models, which are Kripke models with expected observations. We propose a dynamic logic style epistemic logic that is interpreted on such models for reasoning about knowledge via matching observations with expectations. 2.1. Epistemic Expectation Models Let I be a finite set of agents, and let P be a finite set of propositions describing the facts about the world. Let Bool(P) denote the set of all Boolean formulas over P. To set up the semantics, we first define a Kripke model in the usual sense, which models agents' epistemic uncertainties regarding the actual state of the world. Definition 3 (Epistemic model). An epistemic modelMe is a triple 〈S,∼ , V 〉, where S is a non-empty domain of states, ∼ stands for a set of accessibility (equivalence) relations {∼i| i ∈ I}, and V : S → P(P) is a valuation assigning to each state a set of propositional variables (those that are 'true in that state'). 5 We will introduce the concept of epistemic expectation models based on Kripke models, which captures the expected observations of agents. Agents observe what is happening around them and reason based on these observations. Examples of such observations are 'making an announcement', 'going to the right', and 'nodding your head'. One can distinguish such observations of actions from observations of facts, such as 'the chair is red'. Factual observations are not ruled out in our framework but we typically have observations of actions in mind. To this end, we introduce a finite set of actions, named Σ. An observation is a finite string of actions, for example, abcd. Note that an agent may expect different (even infinitely many) potential observations to happen at a given state, for example, she may expect a . . . ab to happen for any finite sequence of as preceding the terminating action b. As human beings and computers are essentially finite, we need to denote such expectations in a finitary way. To this end, we introduce the observation expressions (as regular expressions over Σ): Definition 4 (Observation expressions). Given a finite set of action symbols Σ, the language Lobs of observation expressions is defined by the following BNF: π ::= δ | ε | a | π * π | π + π | π∗ where δ stands for the empty set ∅ of observations, the constant ε represents the empty string, and a ∈ Σ. The semantics for the observation expressions are given by sets of observations (strings over Σ), similar to those for regular expressions. Definition 5 (Observations). Given an observation expression π, the corresponding set of observations, denoted by L(π), is the set of finite strings over Σ defined as follows: L(δ) = ∅ L(ε) = {ε} L(a) = {a} L(π * π′) = {wv | w ∈ L(π) and v ∈ L(π′)} L(π + π′) = L(π) ∪ L(π′) L(π∗) = {ε} ∪⋃n>0(L(π * * * π} {{ } n )) 6 Now we are ready to define epistemic observation models, which can be seen as epistemic models together with, for each world, a set of potential or expected observations. Definition 6 (Epistemic expectation model). An epistemic expectation model Mexp is a quadruple 〈S,∼, V, Exp〉, where 〈S,∼, V 〉 is an epistemic model (the epistemic skeleton ofMexp) and Exp : S → Lobs is an expected observation function assigning to each state an observation expression π such that L(π) 6= ∅ (non-empty set of finite sequences of observations). An epistemic expectation state is a pointed epistemic expectation model 〈S,∼, V, Exp, s〉. Intuitively, Exp assigns to each state a set of potential or expected observations. Given an epistemic expectation modelMexp = 〈S,∼, V, Exp〉, note that 〈S,∼, V 〉 is an epistemic model in the usual sense. Hence, sometimes, we also denote an epistemic expectation model as (Me, Exp), whereMe is the corresponding epistemic model. An epistemic modelMe can be considered as an epistemic expectation modelMexp where for all s ∈ S, Exp(s) = Σ∗ (where Σ∗ is shorthand for (a0+a1+* * *+ak)∗, given that Σ = {a0, . . . , ak}). Thus, in an epistemic model, the observations possible at each state are not specified; one can expect to observe anything. In this sense, Me lacks in providing procedural information about the world, andMexp fills that gap. In what follows we often leave out the subscripts, whenever the respective models are clear from the context. Example 7 (Dutch or not Dutch). In the Netherlands, people often greet each other by kissing three times on the cheek (left-right-left) while in the rest of Europe, people usually kiss each other only twice. We can reason whether a person is 'Dutch-related' by observing his behavior. Let pD be the proposition meaning 'Simon is Dutch-related'; a and b are two actions denoting kissing the left cheek and kissing the right cheek, respectively. The following model is what we expect (reflexive arrows are omitted again): s t 1 pD ¬pD a * b * a a * b 7 The indistinguishability relation above depicts that agent 1 does not know whether pD. The associated observations are those that the agents might expect in each state. Intuitively, if agent 1 observes Simon kissing three times (observation aba), then he or she can infer that Simon is Dutchrelated. In the next subsection, a simple logic is defined to handle such reasoning based on actual observations. 2.2. Public Observation Logic In this subsection we define a simple dynamic logic with knowledge operators to reason about knowledge via the matching of observations and expectations. The idea is similar to the one behind public announcement logic, where people update their information by deleting impossible scenarios according to what is publicly announced. Here we relax the link between meaning and public actions (like an announcement). We assume that when observing an action, people delete some impossible scenarios where they wouldn't expect that observation to happen. To make such reasoning formal, we first define the update of epistemic expectation models according to some observation w ∈ Σ∗. The idea behind an updated expectation model is that we delete the states where the observation w could not have been happened. Definition 8 (Update by observation). Let w be an observation over Σ and letM = (S,∼, V, Exp) be an epistemic expectation model. The updated model M|w = (S ′,∼′, V ′, Exp′). Here, S ′ = {s | L(Exp(s)\w) 6= ∅}, ∼′i = ∼i|S′×I×S′ , V ′ = V |S′ , and Exp′(s) = Exp(s)\w, where π\w is defined as the regular expression denoting the set {v | wv ∈ L(π)} (π\w corresponds to right residuation with respect to the monoid (Σ∗, *, ε)). A regular expression π\w is defined with an auxiliary output function o from the set of regular expressions over Σ to {δ, ε}. If ε ∈ L(π), the output function o maps a regular expression π to ε; otherwise, it maps π to δ [17, 18]: π = o(π) + ∑ a∈Σ(a * π\a) o(ε) = ε o(δ) = o(a) = δ o(π + π′) = o(π) + o(π′) o(π * π) = o(π) * o(π′) o(π∗) = ε ε\a = δ\a = b\a = δ (a 6= b) a\a = ε (π + π′)\a = π\a+ π′\a (π * π′)\a = (π\a) * π′ + o(π) * (π′\a) π∗\a = π\a * π∗ π\a0 * * * an = π\a0\a1 . . . \an 8 The above construction of the output function helps to compute the residual of compositions. Reading from left to right the above equations can be viewed as rewriting rules which push the \a operation to the 'inner' part of the expression and finally eliminate them. Thus by using these equations we can compute residuals of observations syntactically. We design the Public observation logic (POL) to reason about observations: Definition 9 (Public observation logic). The formulas φ of POL are given by: φ ::= > | p | ¬φ | φ ∧ φ | Kiφ | [π]φ where p ∈ P, i ∈ I, and π ∈ Lobs . The other propositional connectives are defined in the usual manner. Intuitively, [π]φ says that 'after any observation in π, φ holds'. Definition 10 (Truth definition for POL). Given an epistemic expectation model M = (S,∼, V, Exp), a state s ∈ S, and a POL-formula φ, the truth of φ at s, denoted byM, s  φ, is defined as follows: M, s  p ⇔ p ∈ V (s) M, s  ¬φ ⇔ M, s 2 φ M, s  φ ∧ ψ ⇔ M, s  φ andM, s  ψ M, s  Kiφ ⇔ for all t : (s ∼i t impliesM, t  φ) M, s  [π]φ ⇔ for each w ∈ L(π) : (w ∈ init(Exp(s)) impliesM|w, s  φ) where w ∈ init(π) iff ∃v ∈ Σ∗ such that wv ∈ L(π) (namely L(π\w) 6= ∅). Consider the modelM in Example 7. If we observe one or two kisses, first on the left and then on the right cheek (a * b), agent 1 still cannot tell that Simon is Dutch-related (¬K1pD), but if there is one more kiss on the left cheek to follow (a), then agent 1 knows. Formally, it can be verified that M, s  [a * b](¬K1pD ∧ [a]K1pD) (cf. Example 7). More complicated observation expressions π can be used to express (infinite) sets of observations, for example, [Σ∗ * a * Σ∗]Kiφ says 'as long as a is observed at some point, i knows φ' (recall that Σ∗ denotes the expression corresponding to the set all observations). 9 Clearly, the standard bisimulation between epistemic models is not an invariance of the above logic: POL can reason about what may happen at each state. We now define bisimulation between epistemic expectation models, which facilitates characterization results in later sections. Definition 11 (Observation bisimulation). A binary relationR between the domains of two epistemic expectation models M = (S,∼, V, Exp) and N = (S ′,∼′, V ′, Exp′) is called a bisimulation if for any s ∈ S, s′ ∈ S ′, we have that if (s, s′) ∈ R, then the following conditions hold: Propositional invariance V (s) = V ′(s′); Observational invariance L(Exp(s)) = L(Exp′(s′)); Zig if s ∼i t inM then there exists a t′ in N such that s′ ∼′i t′ and tRt′; Zag if s′ ∼′i t′ in N then there exists a t inM such that s ∼i t and tRt′. A bisimulation R is total if every state in one model is linked by R to some state in the other model. M andN are said to be (total) bisimilar (M↔o N ) if there is a (total) bisimulation R betweenM and N . (M, s) and (N , s′) are said to be bisimilar (M, s↔o N , s′) if there is a bisimulation R between them such that (s, s′) ∈ R. Note that the standard bisimilarity (notation ↔) is defined as ↔o without the condition for the invariance for observations. It is not hard to show that ↔o and logical equivalence ≡POL coincide on finite models: Proposition 12 (Bisimulation invariance). For any two finite epistemic expectation statesM, s and N , s′, the following statements are equivalent: • M, s↔o N , s′ • For any formula φ ∈ POL :M, s  φ ⇐⇒ N , s′  φ Proof. [↔o =⇒ ≡POL]: We prove this by induction on φ. The Boolean and Kiψ cases are trivial. Now consider φ = [π]ψ; so suppose that M, s ↔o N , s′ butM, s  [π]ψ and N , s′ 2 [π]ψ. Then there exists a w ∈ L(π) such that w ∈ init(Exp(s′)) and N|w, s′  ¬ψ. By the definition of↔o, we have L(Exp(s)) = L(Exp(s′)), therefore w ∈ init(Exp(s)). Thus M|w, s exists. We now show that M|w, s ↔o N|w, s′. 10 Let R be {(t, t′) ∈ SM|w × SN|w | M, t ↔o N , t′}. Clearly (s, s′) ∈ R. Note that if L(Exp(t)) = L(Exp(t′)) then L(Exp(t)\w) = L(Exp(t′)\w); this proves the invariance for observations. Based on this invariance, it is not hard to verify that R is indeed an observation bisimulation betweenM|w and N|w. SinceM|w, s↔o N|w, s′, by induction hypothesis we conclude that M|w, s  ¬ψ. Clearly, this contradicts the assumption thatM, s  [π]ψ. [≡POL =⇒ ↔o]: Let R = {(t, t′) ∈ SM × SN | M, t ≡POL N , t′}. We can show that R is an observation bisimulation. All the conditions are standard and thus can be handled by standard techniques except the new clause about the invariance for observations: we need to show that tRt′ implies L(Exp(t)) = L(Exp(t′)). However, this is trivial, since in the language of POL we can express 〈w〉>, so that M, t  〈w〉> ⇐⇒ w ∈ L(Exp(t)).  Intuitively, these epistemic expectation models can be seen as compact representations of certain epistemic temporal models [2, 3]. An epistemic temporal model is a Kripke model with both epistemic and temporal binary relations between possible worlds. To make the link more precise, we can relate POL on epistemic expectation models to the same language on epistemic temporal models with the usual PDL-style interpretation of [π]φ formulas, as we now proceed to show. First let us define the epistemic temporal models that are generated from epistemic expectation models. Definition 13. LetM be an epistemic expectation model 〈S,∼i, V, Exp〉. The M-generated epistemic temporal model (notation: ET(M)) is defined as 〈H, a→ ,∼′i, V ′〉 where: • H = {(s, w) | s ∈ S,w = ε or w ∈ L(Exp(s))}; • (s, w) a→ (t, v) ⇐⇒ s = t and v = wa, a ∈ Σ; • (s, w) ∼i (t, v) ⇐⇒ s ∼i t and w = v; • p ∈ V ′(s, w) ⇐⇒ p ∈ V (s). From this definition, it is not hard to see that all the agents can observe all the actions. We can define the semantics of POL formulas on generated 11 epistemic temporal models N (we only show the non-trivial part): N , h EPDL Kiφ ⇔ for all h′ : (h ∼i h′ implies N , h′ EPDL φ) N , h EPDL [π]φ ⇔ for each w ∈ L(π), h w→ h′ implies N , h′ EPDL φ We call the above semantically defined logic Epistemic-PDL (EPDL): the language of POL interpreted on epistemic temporal models with respect to EPDL. To establish the precise link between epistemic expectation models and epistemic temporal models, we can prove the following. Proposition 14. Given a pointed POL modelM, s, and a POL formula φ, it can be shown that: M, s  φ ⇐⇒ ET(M), (s, ε) EPDL φ. Proof. We need to show for any epistemic expectation modelM, s and any POL formula φ: M, s  φ ⇐⇒ ET(M), (s, ε) EPDL φ We prove this by induction on φ. The Boolean case and the Kiψ case are trivial. Now consider the case [π]ψ. Suppose without loss of generality that there is an epistemic expectation modelM, s  [π]ψ and ET(M), (s, ε) 2EPDL [π]ψ. Then there exists a w ∈ L(π) such that ET(M), (s, w) 2 ψ. By the definition of ET(M), we conclude that w ∈ Exp(s), thus M|w exists. Based on the definition of ET(M), it is not hard to show that ET(M|w), (s, ε) is bisimilar (with respect to both ∼ and →) to ET(M), (s, w). Since EPDL is clearly invariant under bisimulation, we have: ET(M|w), (s, ε) EPDL ¬ψ. By induction hypothesis, M|w, s  ¬ψ, which contradicts the assumption thatM, s  [π]ψ.  Note that the generated epistemic temporal models can be infinite, and thus the above result does not give a straightforward model checking procedure for POL. According to the semantics of [π]φwe need to check infinitely many w ∈ L(π). Fortunately, this can be handled by partitioning L(π) into a finite number of regular expressions π0 . . . πk such that for any 0 ≤ i ≤ k and any w, v ∈ L(πi), we haveM|w =M|v, providing decidability of model checking after all (see [15] for details in a similar setting). 12 3. Expectation Comes from Protocols Epistemic expectation models describe the agents' expected observations, which in turn influence their reasoning. We investigate how agents acquire and change their expectations, by looking at protocols and protocol models as sources for the expected observations. 3.1. Protocol expressions Informally, a protocol is a rule telling us what we should do under what conditions. Protocols are ubiquitous in our daily life. A formal way of expressing such protocols or rules is to use a specification language. We specify protocols in the following language of protocol expressions Lprot: Definition 15 (Protocol expression). The language Lprot of protocols is defined by the following BNF: η ::= δ | ε | a | ?φ | η * η | η + η | η∗ where δ stands for the empty language ∅, the constant ε represents the empty string, and φ ∈ Bool(P). The above language of protocol expressions is obtained by adding Boolean tests to observation expressions. For example, (?love * stay)∗ * (?¬love * separate) expresses 'we should stay together as long as we are in love'. For a discussion on more complicated test scenarios (for example, considering agents' knowledge), see Section 7. We use test conditions in protocol expressions to describe the conditions under which certain observations can happen. A protocol without tests corresponds to observations without any conditions. This is the difference between protocols and the observations that arise out of such protocols, and we maintain this difference by adding tests to the observation expressions in order to express protocols. In the latter part of this section we will talk about public and private protocols. To this end, we will use dynamic epistemic logic (DEL)-like models to discuss knowledge and ignorance about protocols. In the story of Example 7, there seems to be an underlying protocol: if you are Dutch-related, then you kiss three times and if you are non-Dutchrelated, then you kiss two times. This is the reason for the agent to have the corresponding expectations of the observations. This protocol (call it πK) can be expressed as ?pD * a * b * a+?¬pD * a * b. We would like to generate the epistemic expectation model in Example 7 (see page 7) from the protocol πK and the following epistemic model: 13 s t 1 pD ¬pD Intuitively, the information of the protocol πK can be incorporated by adding to each state the possible observations allowed by the protocol. We now move on to the technical details. To compute the expected observations corresponding to a given protocol, we first define the semantics of protocol expressions. Intuitively, we associate to each protocol η a set Lg(η) of guarded observations in the form of ρ0a0ρ1a1 . . . ρkak, where each ρi ⊆ P denotes a state of affairs (the atomic propositions p ∈ ρ are true while the others are false), encoding the conditions for the later observations to happen. For Boolean formulas φ, we write ρ  φ if φ is true under ρ (viewed as a valuation: p is true iff p ∈ ρ). Definition 16. The set of guarded observations corresponding to a protocol expression is defined by induction, as follows: Lg(δ) = ∅ Lg(ε) = {ρ | ρ ⊆ P} Lg(a) = {ρaρ | ρ ⊆ P} Lg(?ψ) = {ρ | ρ  ψ, ρ ⊆ P} Lg(η1 * η2) = {w  v | w ∈ Lg(η1), v ∈ Lg(η2)} Lg(η1 + η2) = Lg(η1) ∪ Lg(η2) Lg(η∗) = {ρ | ρ ⊆ P} ∪ ⋃ n>0(Lg(ηn)), where  is the fusion product: w  v = w′ρv′ when w = w′ρ and v = ρv′, and not defined otherwise. Note that the ρi's in a guarded observation remain unchanged since no factual change is introduced by the execution of the actions (see Section 6 for a detailed discussion of fact-changing actions, such as toggling a light switch). We derive the set of observations to be expected under the same condition ρ according to η by a conversion function fρ : Lprot → Lobs: 14 fρ(δ) = δ fρ(ε) = ε fρ(a) = a fρ(?φ) = { ε if ρ |= φ δ else (i.e., if ρ 6|= φ) fρ(η * η′) = fρ(η) * fρ(η′) fρ(η + η ′) = fρ(η) + fρ(η ′) fρ(η ∗) = (fρ(η)) ∗ Definition 17 (Characteristic formula). Let ρ ⊆ P. Then we denote by φρ the characteristic formula for ρ: ∧ p∈ρ p∧ ∧ p 6∈ρ ¬p. For example, suppose that P = {p, q}, then φ{p} = p ∧ ¬q. Proposition 18. (a) For any η ∈ Lprot , it holds that L(fρ(η)) = {w | w = a0 . . . ak, where ai ∈ Σ∪{ε} and ρa0ρa1 . . . akρ ∈ Lg(η)}. Therefore: (b) Every η has a normal form η◦ as follows: η◦ = ∑ ρ⊆P (?φρ * fρ(η)) such that Lg(η) = Lg(η◦). Here φρ is the characteristic formula for ρ as defined in Definition 17. Proof. We first show (a) by induction on η ∈ Lprot . The atomic cases are straightforward. Now we check the complex cases: η = η1 + η2: L(fρ(η)) = L(fρ(η1 + η2)) = L(fρ(η1) + fρ(η2)) = L(fρ(η1)) ∪ L(fρ(η2)) = {w | w = a0 . . . ak, and ρa0ρ . . . ρakρ ∈ Lg(η1)}∪ {w | w = a0 . . . ak, and ρa0 . . . akρ ∈ Lg(η2)}(by IH) = {w | w = a0 . . . ak, and ρa0 . . . akρ ∈ Lg(η1 + η2)} η = η1 * η2: L(fρ(η)) = L(fρ(η1 * η2)) = L(fρ(η1) * fρ(η2)) = {wv | w ∈ L(fρ(η1)) and v ∈ L(fρ(η2))} = {wv | w = c0 . . . cm such that ρc0 . . . cmρ ∈ Lg(η1) and v = b0 . . . bn such that ρb0 . . . bnρ ∈ Lg(η2)}(by IH) = {u | u = a0 . . . ak, and ρa0 . . . akρ ∈ Lg(η1 * η2)}(by fusion product) 15 η = η∗1: L(fρ(η)) = L(fρ(η∗1)) = L((fρ(η1))∗) = {ε} ∪⋃n>0 L((fρ(η1))n) = {u | u = a0 . . . ak, and ρa0 . . . akρ ∈ {ρ | ρ ⊆ P} ∪ ⋃ n>0 Lg(ηn1 )}(by IH) = {u | u = a0 . . . ak, and ρa0 . . . akρ ∈ Lg(η∗1)} This completes the proof for (a). From (a) and the definition of Lg, it follows that: Lg(fρ(η)) = {ρ′a0 . . . akρ′ | ρ′ ⊆ P and ρa0 . . . akρ ∈ Lg(η)}. Let Gηρ = {ρa0ρa1 . . . akρ | ρa0ρa1 . . . akρ ∈ Lg(η)}, the set of all ρ-guarded expressions in Lg(η). Then, by fusion product, it follows that Lg(?φρ * fρ(η)) = G η ρ. Thus, Lg(η◦) = Lg( ∑ ρ⊆P (?φρ * fρ(η))) = ⋃ ρ⊆P Lg(?φρ * fρ(η)) = ⋃ ρ⊆P Gηρ = Lg(η). This proves (b).  From Proposition 18, according to the protocol η, the expected observations on a state s in an epistemic modelM can be computed by fVM(s)(η). For example, f{p}(?p * a+?¬p * b) = a. However, not every epistemic expectation model can be generated by a single protocol. We will investigate this issue in the next subsection. 3.2. Protocol models We introduce epistemic protocol models to represent uncertainty about protocols: Definition 19 (Epistemic protocol model). An epistemic protocol model A is a triple 〈T,∼, Prot〉, where T is a domain of abstract objects, ∼ stands for a set of accessibility (equivalence) relations {∼i| i ∈ I}, and Prot : T → Lprot assigns to each domain object a protocol. We call a pointed epistemic protocol model an epistemic protocol and a singleton epistemic protocol model (T is singleton) a public protocol. Note that public protocols are (implicitly) commonly known by all the agents. 16 Example 20. Consider the epistemic expectation model: s t p 1, 2 p a b We cannot associate a protocol η to the epistemic skeleton of the above model in such a way that fVM (s)(η) = a and fVM(t)(η) = b, since VM(s) = VM(t). Note that taking ?p(a + b) for η does not work. This model represents the uncertainty of the agents about the protocol: s t 1, 2 ?p * a ?p * b We will now proceed towards our main result in this section, namely that an epistemic observation state uniquely determines an epistemic protocol, and that an epistemic protocol and an epistemic state together uniquely determine an epistemic observation state. To show the correspondence, we need one more semantic operation, that is a modal product operation of an epistemic expectation model and a protocol model. It formalizes the change in possible observations induced by a protocol. We should see this definition as installing a new protocol, by means of novel observations, into the epistemic expectation model, and thus completely obliterating the current expected observations. Definition 21 (Protocol update). Given an epistemic expectation model Mexp = 〈S,∼, V, Exp〉 and an epistemic protocol model A = 〈T,∼, Prot〉, we define the product (Mexp ⊗A) = (S ′,∼′, V ′, Exp′) as follows: • S ′ = {(s, t) ∈ S × T : L(fVM(s)(Prot(t))) 6= ∅}; • (s, t) ∼′i (s′, t′) iff s ∼i s′ inMexp and t ∼i t′ in A; • V ′(s, t) = V (s); • Exp′((s, t)) = fVM(s)(Prot(t)). 17 We mentioned that epistemic models can be seen as special cases of epistemic expectation models, namely with the 'anything goes' protocol. Therefore, also in that case the product operation between an epistemic model and a protocol model corresponds to the installation of a protocol. We now illustrate the definition of protocol update by the scenarios presented in Example 1 and Example 2 of the introduction. In the pictures below, we assume reflexivity, symmetry, and transitivity of the accessibility relations. Example 22. In the scenario of Example 1, at the beginning neither Jane nor Ann knows the basic proposition g (Kate is gay). However, one of them, Jane, is aware of the protocol that: if Kate is gay then she will make the statement 'I am musical, I like Kathleen Ferrier's voice' (action a); and if she is not gay, then she will talk about something else (action b). However, Ann has no idea whether a and b can carry such information. The scenario is modeled as follows, where the last model is the epistemic expectation model resulting from the update of the protocol on the first epistemic model: ⌃⇤ ⌃⇤ =Jane, Ann Ann Ann Ann Jane, Ann Jane, Ann s t u v (s, u) (t, v)(s, v) (t, u)g ¬g a + b g g ¬g ¬g a + b a + b a b?g * a+?¬g * b Here, g denotes the fact that 'Kate is gay', a denotes the observation of Kate making the 'musical statement' and b stands for Kate saying something else. Example 23. We now consider the scenario of Example 2. After Carl's first description of the night of Valentine's day, Ben and Alice still do not know what has happened. Now, the wink from Carl 'installs' the epistemic protocol which creates uncertainty in Alice about the meaning of Ben's later statements. In contrast, because Ben knows Carl so well, he immediately gets the protocol Carl is using. The modeling is as follows: 18 ⌃⇤ ⌃⇤ ?p * Y +?¬p * N ?¬p * Y +?p * N p p ¬p ¬p Y Y N N p ¬p =Ben, Alice Alice Alice Alice Ben, Alice Ben, Alice s t u v (s, u) (s, v)(t, v) (t, u) Here, p denotes the fact that 'Something has happened involving Mike and Sara on Valentine's night', while 'Y ' corresponds to Carl answering affirmatively to Alice's question, and 'N ' to Carl answering negatively. We assume that Alice's confusion would lead her to consider the possibility of a protocol where Carl would say "Yes" if indeed nothing has actually happened. Because of Carl's wink, however, Alice becomes very distrustful towards him. According to our definition, an epistemic protocol model acts on an epistemic model, thereby determining a unique epistemic expectation model. In the rest of this section we will investigate the converse question: Can an arbitrary epistemic expectation model be generated by updating an epistemic model by an epistemic protocol model? This is indeed the case, as we will now show. Proposition 24. Given an epistemic expectation modelM = (N , Exp), there is an epistemic model N ′ and an epistemic protocol model A such thatM↔o N ′ ⊗A. Proof. Let N ′ = (S ′,∼′, V ′) be the universal ignorance model, i.e., S ′ = P(P), for each i,∼′i= S ′×S ′, and V ′(ρ) = ρ ⊆ P. GivenM = (S,∼, V, Exp), letA = (S,∼, Prot) such that Prot(s) =?φV (s) *Exp(s). (Remember that φV (s) is the characteristic formula of V (s) ⊆ P, see Definition 17.) Now we show that M ↔o N ′ ⊗ A by proving that R = {(s, (ρ, s)) | V (s) = ρ} is a bisimulation relation. The invariance conditions are immediate. Now suppose s ∼i t in M, then (ρ, s) ∼i (V (t), t) inN ′⊗A by the definition of the product. Obviously, tR(ρ′, t), where ρ′ = V (t). 19 Suppose (ρ, s) ∼i (ρ′, t). Then V (t) = ρ′. Therefore s ∼i t and tR(ρ′, t).  This result shows that every epistemic expectation model is reasonable in the sense that it can be generated from an epistemic model by some epistemic protocol model. However, it is more intuitive to consider the particular epistemic model N inM = (N , Exp), and ask if there is a protocol model A such that N ⊗A ↔oM. For singleton protocol models, we have a characterization result. First we need a definition. Definition 25. An epistemic expectation modelM is said to be Boolean normal if for any two worlds s, t in it, VM(s) = VM(t) =⇒ L(Exp(s)) = L(Exp(t)). Theorem 26. Given an epistemic expectation model M = (N , Exp), M is Boolean normal iff there exists a singleton protocol model A such that N ⊗ A ↔oM, where↔o is total. Proof. ⇒: Let φs be the Boolean characterization formula corresponding to VN (s). Let ηM = ∑ s in N ?φs * Exp(s). Because of the finiteness of P and Boolean normality, ηM has a finite representation. Let AηM be the singleton pointed protocol model with Prot assigning ηM to the single point. We can verify that N ⊗AηM ↔oM. ⇐: Suppose M is not Boolean normal, then there are s, t in M such that V (s) = V (t) and Exp(s) 6= Exp(t). Due to the normal form of protocols, updating with a public protocol on s, t will result in the same observations. So there cannot be any single pointed protocol model to do the job.  Not every epistemic expectation model is Boolean normal, therefore, by Theorem 26, not every epistemic expectation model can be generated by a public protocol on its epistemic skeleton. In fact, as demonstrated by the following example, there are epistemic expectation models which cannot be generated by any protocol model on its epistemic skeleton. Example 27. Consider the following epistemic expectation modelM; we will show thatM cannot be generated by any epistemic protocol on its epistemic skeleton: 20 s s' p 1 p ab s'' 2 b ¬p Suppose towards contradiction that there is a protocol model A such that the execution of A on the epistemic skeleton ofM gives an epistemic expectation model that is bisimilar toM. To compose s′ in the epistemic expectation model, we need a state t in the protocol model such that Prot(t) allows a to happen if p is true. Then t can be composed with the leftmost p-world above as well, since the left world and middle world are Boolean indistinguishable. Therefore there will be a p(a)-world in the resulting model which cannot reach any ¬p-world in one step, due to the definition of ⊗ (the leftmost state above cannot reach any ¬p-world in one step). This leads us to consider a subclass of the epistemic expectation models given as follows. Definition 28 (Observational saturation). An epistemic expectation model M is said to be observationally saturated iff the following holds: For all states v, s, t inM, for all i ∈ I: If v ∼i s and V (s) = V (t), then there exists u inM such that v ∼i u, s↔ u and ExpM(t) = ExpM(u). Note that every Boolean normal epistemic expectation modelM is observationally saturated: suppose w ∼i s and V (s) = V (t) then clearly s↔ s and ExpM(s) = ExpM(t) sinceM is Boolean normal. Note that the model in Example 27 is not observationally saturated: the leftmost world and the middle world share the same valuation but different observations, however, there is no 1-successor of the leftmost world that is (standard) bisimilar to the leftmost world and has the same expectation as the middle world. In the following, we show that observational saturation is a sufficient condition for an epistemic expectation model to be generatable from its epistemic skeleton. Theorem 29. Given an epistemic expectation model M = (N , Exp), if N is observationally saturated then there is a protocol model A such that N ⊗ A↔oM. 21 Proof. Suppose N = (S,∼, V ). For any s ∈ S, let φNs be the Boolean characteristic formula of s. Let A = (S,∼′, Prot) where Prot(s) =?φNs * ExpM(s) and ∼′i= S × S for each i ∈ I. Let R ⊆ S × SN⊗A be the binary relation {(w, (v, t)) | w ↔ v and ExpM(w) = ExpM(t)} It is easy to see that (w, (w,w)) ∈ R for all w ∈ S. We need to show that R is indeed a total observation bisimulation (see Definition 11). To this end, suppose wR(v, t). Since Prot(t) =?φNt * ExpM(t) and (v, t) is in N ⊗ A, we have N , v  φNt . From the definition of R, we have ExpM(w) = ExpM(t) and w ↔ v thus w and (v, t) should have the same valuation according to the definition of ⊗. Moreover, it holds that ExpM(w) = ExpN⊗A((v, t)) since ExpM(w) = ExpM(t) and Prot(t) =?φ N t * ExpM(t). Now we only need to check the Zig-Zag conditions. So, suppose w ∼i w′ in M. Since w ↔ v there is a v′ in M such that v ∼i v′ and w′ ↔ v′ inM. Therefore VM(w′) = VM(v′), thus (v′, w′) exists in N ⊗ A. Now due to the fact that the relations in A are universal, we have (v, t) ∼i (v′, w′). It is clear that (w′, (v′, w′)) ∈ R. Suppose (v, t) ∼i (v′, t′) in N ⊗ A; then v ∼i v′ in M and VM(v′) = VM(t ′). Since w ↔ v, there is a w′ inM such that w ∼i w′ and w′ ↔ v′ in M. Therefore VM(w′) = VM(v′) = VM(t′). Now consider w′ and t′: sinceM is observationally saturated, there is a w′′ inM such that w ∼i w′′, w′ ↔ w′′ and ExpM(w ′′) = ExpM(t ′). Since w′′ ↔ w′, we have w′′ ↔ v′. Therefore (w′′, (v′, t′)) ∈ R. To complete the proof, we need to show that the bisimulation is total. It is clear that for each w: (w, (w,w)) ∈ R. Now for any (v, t) in N ⊗A, we need to show that (v, t) is linked to some world inM by R. Suppose (v, t) exists inM then VM(v) = VM(t). Note that v ∼i v for any i ∈ I since ∼i is reflexive. By observational saturation, there is a w inM such that v ∼i w, v ↔ w and ExpM(w) = ExpM(t). Therefore (w, (v, t)) ∈ R.  3.3. Equivalence of protocols In the introduction, we stated that one epistemic expectation model might be generated in different ways, even based on the same epistemic model. For example, consider the following expectation model: 22 s t p 1, 2 ab ¬p It can be generated from its epistemic skeleton by updating with the public protocol ?p * b+?¬p * a or with the epistemic protocol model: s t 1, 2 ?p * b ?¬p * a Actually, on arbitrary epistemic models, the announcement of ?p*b+?¬p* a will always yield the same result as the above epistemic protocol model. On the other hand, the announcement ?p * (a + b) gives a different update result on the same epistemic model compared to the update with the following epistemic protocol: s t 1, 2 ?p * a ?p * b Such examples suggest a notion of equivalence between protocol models. Definition 30 (Effective equivalence). Two protocol models A and B are said to be effectively equivalent (notation: A ≡ef B) if for any epistemic expectation modelM :M⊗A ↔oM⊗B. Inspired by the idea of action emulation introduced by Van Eijck, Ruan and Sadzik in [19] and further explored in [20], we characterize the notion of effective equivalence by the following structural equivalence. To simplify the notation, let Lρ(η) be L(fρ(η)) (cf. Proposition 18). Definition 31 (Protocol emulation). Two protocol models A = (S, Prot) and B = (T, Prot) are said to be emulated (notation: A ≈ B) if there is a binary relation E ⊆ S × T such that for every s ∈ A, there exists a t ∈ B with sEt, and for every t ∈ B, there exists an s ∈ A with sEt, and whenever sEt we have that: 23 • there exists ρ ⊆ P such that Lρ(Prot(t)) = Lρ(Prot(s)). • if s ∼i s′ in A then there is a set T ′ ⊆ T such that: 1. for any t′ ∈ T ′: t ∼i t′; 2. for any t′ ∈ T ′: s′Et′; 3. for any ρ ⊆ P such that Lρ(Prot(s′)) 6= ∅ there exists t′ ∈ T ′ such that Lρ(Prot(s′)) = Lρ(Prot(t′)) • if t ∼i t′ in B then there is a set S ′ ⊆ S such that: 1. for any s′ ∈ S ′: s ∼i s′; 2. for any s′ ∈ S ′: s′Et′; 3. for any ρ ⊆ P such that Lρ(Prot(t′)) 6= ∅ there exists s′ ∈ S ′ such that Lρ(Prot(s′)) = Lρ(Prot(t′)) When restricted to public protocols, it is not hard to see that η ≈ η′ ⇐⇒ Lg(η) = Lg(η′). In general, we have the following result. Theorem 32. For all finite protocol models A and B: A ≡ef B ⇐⇒ A ≈ B. Proof. ⇐: Suppose A ≈ B. We need to show for any epistemic expectation model M that: M⊗A ↔o M⊗ B. We define a binary relation between M⊗ A and M⊗ B as (w, s)R(v, t) ⇐⇒ w = v, sEt and Exp((w, s)) = Exp((v, t)). Whenever (w, s) ∈M⊗A, (w, t) ∈M⊗B for some t ∈ B. This happens due to the fact that A ≈ B, and the epistemic relations in each model are reflexive. Thus we have that the definition of R is both sound and total. Now we verify the condition Zig of Definition 11 (the invariance condition is trivial by definition of R). Suppose (w, s) ∼i (w′, s′), then w ∼i w′ inM and s ∼i s′ in A. Since sEt, there is a t′ in B such that t ∼i t′, s′Et′, and Lρ0(Prot(s′)) = Lρ0(Prot(t′)), where ρ0 = V (w′). Clearly (w′, t′) is inM⊗B and Exp((w′, t′)) = Exp((w, s′)). Thus we have that (w, t) ∼i (w′, t′) and (w′, s′)R(w′, t′). The condition Zag can be proved in a similar way. ⇒: Suppose A ≡ef B. It is clear that for a universal ignorance modelM (cf. the proof of Proposition 24), we haveM⊗A ↔oM⊗B. We define a relation E between the state spaces of A and B as: sEt iff (w, s) ↔o (w, t) for some w. We can verify that E is a protocol emulation relation. The first (consistency) condition of protocol emulation is immediate according to the invariance condition of observation bisimulation. Now we show the 24 second one. Suppose s ∼i s′ and sEt. Now consider an arbitrary ρ ⊆ P such that Lρ(Prot(s′)) 6= ∅. SinceM is a universal ignorance model, there is a state w′ in M such that V (w′) = ρ and (w, s) ∼i (w′, s′). Since sEt then by definition of E, (w, s) ↔o (w, t). Thus there is a (v′, t′) in M⊗ B such that (w, t) ∼i (v′, t′) and (w′, s′) ↔o (v′, t′); clearly w′ and v′ share the same valuation, thus w′ = v′ since M is a universal ignorance model. It follows that t ∼i t′ and Lρ(Prot(s′)) = Lρ(Prot(t′)). Thus for all ρ ⊆ P such that Lρ(Prot(s′)) 6= ∅ there is a state t′ with t ∼i t′ in B, such that s′Et′ and Lρ(Prot(s′)) = Lρ(Prot(t′)). The third condition can be shown similarly. The emulation relation is total, as we are considering total bisimulation here.  We now extend the framework of POL to provide a DEL-style logical language that can describe the 'installation' or 'change' of protocols, together with the effect of the observations of agents, based on the current protocol. Note that installing a protocol is different from executing a protocol: Installing a protocol gives the knowledge of the protocol before its execution. 3.4. Epistemic Protocol Logic In the language of epistemic protocol logic (EPL), we consider protocol models as primitives in the language, giving a DEL-like language. Definition 33 (Language of EPL). The formulas φ of EPL are given by: φ ::= > | p | ¬φ | φ ∧ φ | Kiφ | [π]φ | [!Ae]φ where p ∈ P, i ∈ I, π ∈ Lobs , and Ae is an epistemic protocol with the designated state e. In defining the language we restrict ourselves to finite protocol models. The models for the logic EPL are taken to be the epistemic expectation models M = 〈S,∼, V, Exp〉. The truth definition is given as follows: Definition 34 (Truth definition for EPL). Given an epistemic expectation model M = 〈S,∼, V, Exp〉, a state s ∈ S, and an EPL-formula φ, the truth conditions of φ at s coincide with POL for the formulas that they have in common. The truth condition for the new formula in EPL is defined as follows: 25 M, s  [!Ae]φ ⇔ If L(fV (s)(Prot(e))) 6= ∅ thenM⊗A, (s, e)  φ Recalling the meaning of the modal product operation, the expression '[!Ae]φ' therefore stands for 'after installing the new epistemic protocol Ae, the formula φ is true'. As an example, let us give the model of Example 1 from the introduction, the epistemic expectation model induced by the epistemic protocol (modelled on page 18, call it Ae), and the updated model according to observation a (in the picture, visualized by |a): Ann Ann Jane, Ann Jane, Ann (s, u) (t, v)(s, v) (t, u)g g ¬g ¬g a + b a + b a b Ann Jane, Ann (s, u) (t, v)(s, v) g g ¬g |a ✏ ✏ ✏ Recall the original modelM: ⌃⇤ Jane, Ann t ¬g ⌃⇤ s g Now we can verify for the actual state s: M, s  [!Ae][a](KJaneg ∧ ¬KAnng), and M, s  [!Ae][a]¬KAnn(KJaneg ∨KJane¬g). The picture corresponding to Example 2 from the introduction is as follows. Here, A′e′ is the corresponding epistemic protocol modelled on page 18: 26 p p ¬p ¬p Y Y N N Alice Alice Ben, Alice Ben, Alice (s, u) (s, v)(t, v) (t, u) |N p ¬p Alice (s, v) (t, u) ✏ ✏ Recall the initial model N : ⌃⇤Ben, Alice t ⌃⇤ s p ¬p Now we can verify for the actual state t: N , t  [!A′e′ ][N ](KBen¬p ∧ ¬KAlice¬p), but N , t  [!A′e′ ][N ]KAlice(KBenp ∨KBen¬p). 4. Incorporating factual changes So far, we have only presented information changing actions, not factchanging actions: recall that Lg(η) consists of guarded strings with uniform guards only. This may not be so realistic in practice, since many actions used in protocols also change the facts, for example, 'turn on the light if you see that the light is off'. Factual change can be modelled by assigning to each action a function that changes the valuation of basic propositions (as in [21, 22]). Let us now show how protocols based on fact-changing actions can be incorporated in our setting. Following [21], we first introduce factchanging actions. Definition 35 (Fact-changing actions). A set of fact-changing actions (fcactions) is a tuple (Σ, ι) such that ι : Σ×P→ Bool(P). Intuitively, ι captures the post-condition of actions: after executing action a ∈ Σ, the propositional atom p is assigned the truth value of the proposition ι(a, p). Thus, the new truth value of p is the truth value of ι(a, p) 27 evaluated before executing a. Note that in this paper we restrict ι(a, p) to be Boolean. For example, let p be the proposition denoting 'the door is closed' and let a be the action 'slam the door'. Then slamming the door (a) has a post-condition given by ι(a, p) = >. On the other hand, toggling the switch (b) has the post-condition modelled by ι(b, q) = ¬q if q expresses that 'the switch is on'. Clearly, non-fact-changing actions can be seen as (Σ, ι0), where for any a ∈ Σ, ι0(a) is the identity function. For the ease of reading in proofs, we introduce factual change systems as an alternative way of representing fact-changing actions. In the following, ρ  φ means that the valuation represented by ρ, a subset of P, makes the Boolean formula φ true. Definition 36 (Factual change system). A Σ-factual change system (fc-system) F is a tuple (Q, r) where Q = P(P) and r : Q×Σ→ Q is a function. Because r is a deterministic transition function, it can be extended to the domain of Q×Σ∗ in such a way that r(ρ, a0 * * * ak) is the unique state ρ′ ⊆ P of the fc-system that is reachable from ρ ⊆ P via transitions sequentially labelled by actions a0, . . . , ak. Intuitively, a factual change system explicitly represents the post-conditions of actions that can change the facts on states. We say that a set of fact-changing actions (Σ, ι) is equivalent to a Σ-factual change system (Q, r) if for any a ∈ Σ and any ρ, ρ′ ⊆ P the following holds: ρ  ∧ p∈ρ′ ι(a, p) ∧ ∧ p 6∈ρ′ ¬ι(a, p) ⇐⇒ r(ρ, a) = ρ′ As a reminder, for each ρ ⊆ P, we write φρ as the abbreviation of the characteristic formula (see Definition 17). Now we show that sets of factchanging actions can be seen as factual change systems and vice versa. Proposition 37. (a) For each set of fc-actions (Σ, ι) there is an equivalent Σ-fc-system. (b) For each Σ-fc-system there is an equivalent set of fc-actions (Σ, ι). Proof. (a) To define the corresponding transition function r in the factual change system, we do the following. For every ρ ⊆ P and a ∈ Σ, we define r(ρ, a) = ρ′ if and only if ρ  ∧ p∈ρ′ ι(a, p) ∧ ∧ p 6∈ρ′ ¬ι(a, p). (b) For the second part, we can define a set of fact-changing actions (Σ, ι) 28 by letting ι(a, p) = ∨ ρ⊆P{φρ | p ∈ r(ρ, a)}. We need to verify the equivalence condition. Suppose r(ρ1, a) = ρ2, then by the definition of ι, it is clear that ρ1  ∧ p∈ρ2 ι(a, p). Since fc-systems are deterministic, for each p 6∈ ρ2: ρ1 6∈ {ρ | p ∈ r(ρ, a)}. Therefore for each p 6∈ ρ2: ρ1  ¬ ∨ ρ⊆P{φρ | p ∈ r(ρ, a)}. Thus ρ1  ∧ p 6∈ρ2 ¬ι(a, p). On the other hand, if r(ρ1, a) = ρ3 6= ρ2 then there is a proposition p ∈ P on which ρ2 and ρ3 do not agree. Suppose that p ∈ ρ3 but p 6∈ ρ2. Since ι(a, p) = ∨ ρ⊆P{φρ | p ∈ r(ρ, a)} then ρ1 2 ι(a, p). Thus ρ1 2 ∧ p∈ρ2 ι(a, p). Similarly, we can show that if p ∈ ρ2 but p 6∈ ρ3 then ρ1 2 ∧ p 6∈ρ2 ¬ι(a, p). Therefore ρ1 2 ∧ p∈ρ2 ι(a, p) ∧ ∧ p 6∈ρ2 ¬ι(a, p).  In the sequel, we only work with fc-systems in the proofs. To interpret observation expressions with respect to an fc-system F , we only need to revise Definition 16 of Lg as follows: LFg (a) = {ρaρ′ | ρ a→ ρ′ in F} To install protocols with factual change on an epistemic model, we need to compute the state-dependent expectations according to those protocols. However, it is not immediately clear how we can rewrite a protocol into a normal form as in Proposition 18, where the tests only happen at the beginning. To model the updates of protocols with factual change, we first need to prove an analogue of Proposition 18. This will be Proposition 41. To prove this proposition we need techniques for guarded automata developed in [23]. Given P, let T be the set 22P. Intuitively, X ∈ T represents a Boolean formula over P. Definition 38 (Automata on guarded strings [23]). A finite automaton on guarded strings (or a guarded automaton) over a finite set of actions Σ and a finite set of atomic propositions P is a tuple A = (Q,Σ,P, q0, 7→, F ), where Q is a set of states with the designated start state q0; 7→ is a set of transitions labelled by actions in Σ (action transitions) and sets X ∈ T (test transitions); F is the set of final states. A accepts a finite string w over Σ ∪ T (notation: w ∈ LΣ∪T(A)), if it accepts w as a standard finite automaton over label set Σ ∪T. The acceptance for guarded strings is defined based on the acceptance of normal strings and the following transformation function G which takes a string over Σ ∪T and outputs a set of guarded strings, as follows: 29 G(a) = {ρaρ′ | ρ, ρ′ ⊆ P} G(X) = {ρ | ρ ∈ X} G(ww′) = {vρv′ | vρ ∈ G(w) and ρv′ ∈ G(w′)} We say that A accepts a finite guarded string v : ρ0a0ρ1 . . . ak−1ρk over Σ and P, if v ∈ G(w) for some string w ∈ LΣ∪T(A). Let Lg(A) be the language of guarded strings accepted by A. A guarded automaton is said to be deterministic if it satisfies the following properties (cf. [23]): • Each state is either a state that only has outgoing action transitions (action state) or a state that only has outgoing test transitions (test state). • The outgoing action transitions are deterministic: for each action state q and each a ∈ Σ, state q has one and only one a-successor. • The outgoing test transitions are deterministic: they are labelled by {{ρ} | ρ ⊆ P} and for each test state q and each ρ, state q has one and only one {ρ}-successor. Clearly these tests ρ at a test state are logically pairwise exclusive and altogether exhaustive (viewing ρ as the characteristic Boolean formula φρ, see Definition 17). • The start state q0 is a test state and all accept states are action states. • Each cycle contains at least one action transition. A Kleene-like theorem about the relation between guarded automata and guarded regular expressions has been proved in [23]. Here follows a reminder. Theorem 39 ([23]). For each guarded regular expression η over P and Σ there is a deterministic guarded automaton A over P and Σ such that Lg(η) = Lg(A), and vice versa. Given an fc-system F , we define a translation tF : Lprot → Lprot by replacing each a with ∑ ρ⊆P{?φρ *a*?φρ′ | ρ a→ ρ′ in F}. It is not hard to see that for each guarded expression η: LFg (η) = Lg(tF(η)). From Theorem 39, we have the following corollary. 30 Corollary 40. Given an fc-system F , for each guarded expression η, there is a deterministic guarded automaton A and a deterministic finite automaton A′ over the alphabet Σ ∪ 2P such that: LFg (η) = Lg(A) = L(A′). Proof. Consider tF(η). The existence of the deterministic guarded automaton A follows from Theorem 39 directly. By the definition of determinism, L(A) is a set of guarded strings in the shape of {ρ0}a0{ρ1} * * * {ρn−1}an−1{ρn}. Clearly G({ρ0}a0{ρ1} * * * {ρn−1}an−1{ρn}) = ρ0a0ρ1 * * * ρn−1an−1ρn Now we can build the desired deterministic finite automaton A′ over the symbol set Σ∪ 2P by simply replacing the transition labels {ρ} in A by ρ.  Finally, we are ready to prove an analogue of Proposition 18: there is a normal form of guarded regular expressions with respect to an fc-system F in which tests only appear at the beginning. This is stated formally in the following proposition. Proposition 41 (Normal form with respect to F). Given an fc-system F , every η has a normal form ηF = ∑ ρ⊆P (?φρ * πρ) for some πρ ∈ Lobs such that LFg (η) = LFg (ηF). Proof. From Corollary 40, for a given fc-systemF and a guarded expression η we have a deterministic automaton A over Σ∪2P such that L(A) = LFg (η). Due to the construction of A, the start state has only outgoing ρ transitions for each ρ ⊆ P, thus we can separate the automaton that corresponds to the guarded regular expression into |2P| zones. Let qρ be the state that is the ρ-successor of the start state in A; by determinism there is only one such state. Let Aρ be the ε-non-deterministic automaton over Σ just like A, but setting qρ as the start state and replacing any label ρ ⊆ P by ε. By Kleene's theorem, there is a regular expression πρ over Σ such that L(πρ) = L(Aρ). We claim the following: 31 Claim LFg (ρ * πρ) = {ρv | ρv ∈ LFg (η)}. Proof. First suppose that ρa0ρ1 * * * ρn−1an−1ρn ∈ LFg (ρ*πρ), then a0 . . . an−1 ∈ L(Aρ). Therefore ρa0ρ′1 * * * ρ′n−1an−1ρ′n ∈ LFg (η) for some ρ′1 . . . ρ′n. Since the fc-system is deterministic, ρ′i = ρi for 1 ≤ i ≤ n. Thus ρa0ρ1 * * * ρn−1an−1ρn ∈ LFg (η). For the other direction, suppose that ρa0ρ1 * * * ρn−1an−1ρn ∈ LFg (η), then a0 . . . an−1 ∈ L(Aρ) = L(πρ). By determinism of F it is clear that ρa0ρ1 * * * ρn−1an−1ρn ∈ LFg (ρ * πρ). From the claim, we can generate the desired normal form for η with respect to a given fc-system F .  Based on Proposition 41, we can define the 'installation' of protocols with fact-changing actions on epistemic expectation models, similar to Definition 21. Before we proceed to the definition, note that given ηF =∑ ρ⊆P(?φρ * πρ), we have that fρ(ηF) = πρ for any ρ ⊆ P (cf. the definition of fρ before Definition 17). Let us now see how the fact-changing actions affect our knowledge state in this evolving world. To this end we first introduce fact-changing epistemic expectation models and protocol models, MFexp and AF , given by 〈Mexp ,F〉 and 〈A,F〉, whereMexp is an epistemic expectation model, A is a protocol model and F is a factual change system. Definition 42 (Protocol update with factual changes). Given a fact-changing epistemic expectation model MFexp = 〈S,∼, V, Exp,F〉, and a fact-changing epistemic protocol model AG = 〈T,∼, Prot,G〉, we define the product (MFexp⊗ AG) = (S ′,∼′, V ′, Exp′,F ′) as follows: • S ′ = {(s, t) ∈ S × T : L(fVM(s)(ProtG(t))) 6= ∅}; • (s, t) ∼′i (s′, t′) iff s ∼i s′ inMexp and t ∼i t′ in A; • V ′(s, t) = V (s); • Exp′((s, t)) = fVM(s)(ProtG(t)); • F ′ = G. where ProtG(t) is the normal form of Prot(t) with respect to G. 32 Accordingly, the truth condition of the new formulas of EPL with respect to these models is changed to the following: MFexp , s  [!AGe ]φ ⇔ If L(fV (s)(ProtG(e))) 6= ∅ thenMFexp ⊗AG, (s, e)  φ MFexp , s  [π]φ ⇔ for each w ∈ L(π) : (w ∈ init(Exp(s)) impliesMFexp|w, s  φ) where MFexp|w = (S ′,∼′, V ′, Exp′,F) with S ′,∼′, Exp′ defined as before in M|w (cf. Definition 8) and V ′(s) = r(V (s), w) where r is the (extended) transition function in F (cf. Definition 36). Example 43. Consider a room where a child is playing with a small plastic seat, and Dora standing outside the room. Before Dora enters, she does not have any idea whether the seat is in an upright position. This is modelled by considering the epistemic modelM: s t p Dora ¬p Here, p stands for 'the seat is in an upright position'. Suppose a denotes the action 'pulling the seat down' and b denotes the action 'pulling the seat up'. Then what the child is doing can be described by the protocol model AF : s t Dora ?p * a ?¬p * b Here, both a and b are fact-changing actions: ι(a, p) = ¬p, and ι(b, p) = ¬p. We note that any epistemic model is an epistemic expectation model which in turn can be considered as a fact-changing epistemic expectation model where ι is the identity mapping in the second argument. The updated product model will be of the form: 33 s t p Doraa b ¬p At the actual state s of the epistemic modelM, we have: M, s  [!AFe ][a]KDora¬p That is, after entering the room, upon observing action a, Dora will come to know that the seat is not in an upright position. In the following section, we describe a more detailed application of factual change systems. 5. Application: One Hundred Prisoners and a Lightbulb In this section we model within our framework the '100 prisoners and a lightbulb' puzzle [24, 25] from the novel perspective of the guard in the puzzle. The following description is based on [24]. A group of 100 prisoners, all together in the prison dining area, are told that they will be all put in isolation cells and then will be interrogated one by one in a room containing a light with an on/off switch. The prisoners may communicate with one another by toggling the light-switch (and that is the only way in which they can communicate). All the prisoners know that the light is initially switched off. There is no fixed order of interrogation, or fixed interval between interrogations, and at any stage every prisoner will be interrogated again sometime in the future. When interrogated, a prisoner can either do nothing, or toggle the light-switch, or announce that all prisoners have been interrogated. If that announcement is true, the prisoners will (all) be set free, but if it is false, they will all be executed. While still in the dining room, and before the prisoners go to their isolation cells, can the prisoners agree on a protocol that will set them free? 34 Two protocols to solve the puzzle are as follows [24]. We move to the perspective of n + 1 prisoners, where n ≥ 2. (The case n = 1 is a tricky boundary case which requires special treatment. For simplicity we leave it out in this paper.) Protocol 1 The n+1 prisoners appoint one amongst them as the leader. The remaining n prisoners are the followers. All n followers turn the light on (i.e., toggle the switch) the first time they enter the room when the light is off; on other occasions, they do not toggle the switch. The leader turns off the light (toggles the switch) the first n times that the light is on when he enters the interrogation room; on other occasions, he does not toggle the switch. After turning the light off for the nth time, the leader announces that all prisoners have been interrogated. Protocol 2 The leader does exactly as in Protocol 1. The followers do all they do in Protocol 1, but also do more. Each follower counts the number of times the state of the light has changed from off to on according to his own observation (see the explanation below). If a follower has observed n such changes, he announces that all prisoners have been interrogated. We say that a follower observes a change of the state of light from off to on, if the light was off in his last interrogation but the light is on in his current interrogation. Moreover, there are also two special cases in the counting of such changes: 1. Since initially the light is switched off, when a follower enters the room for the first time and observes that the light is on, it counts as an off-on change; 2. When a follower is about to toggle the light from off to on according to the protocol, it also counts as an off-on change. The above explanation will be made more precise in the formalization of Protocol 2 below. Note that the interest of Protocol 2 is that followers may indeed announce that all prisoners have been interrogated before the leader does. However, for more than a few prisoners the likelihood of this is very low (see [24]). 35 5.1. A formalization of the puzzle We first formalize the protocols in our framework. The leader is a prisoner that we name 0, and the followers are prisoners named 1, . . . , n (with n ≥ 2). The set ΣLB of possible actions for the n + 1 agents/prisoners i = 0, . . . , n is as follows: name description ti i toggles ai i announces ei i enters xi i exits The set PLB of relevant atomic propositions is as follows: name description l light is on fin protocol terminates qi i has toggled the switch mi the light was on, last time when i left the room (where i 6= 0) pj0 0 has toggled the light for at least j times (where 0 ≤ j ≤ n) pji i has counted off-on changes for at least j times (where i 6= 0) The post-conditions are given by the following table (where the remaining post-conditions are the identity). (1) ι(ai, fin) = > i ≥ 0 (2) ι(xi,mi) = l i ≥ 0 (3) ι(ti, qi) = > i ≥ 0 (4) ι(ti, l) = ¬l i ≥ 0 (5) ι(t0, p j 0) = p j 0 ∨ (pj−10 ∧ l) j > 0 (6) ι(ei, p j i ) = p j i ∨ (pj−1i ∧ ((¬mi ∧ l) ∨ (¬qi ∧ ¬l))) i > 0 Post-condition (2) expresses that when i leaves the room he memorizes the situation of the light; post-condition (5) allows leader 0 to count the number of times that he toggled the switch; post-condition (6) lets i count the number of off-on changes. By Proposition 37, the above fact-changing actions (ΣLB, ι) can be turned into an equivalent factual change system FLB. We are now ready to express the protocols in our protocol language. 36 Protocol 1 η1 = (?¬fin * Σni=0(ei * θi * xi))∗, where: • θ0 :=?l * t0 * (?pn0 * a0+?¬pn0 )+?¬l • θi := ?(¬l ∧ ¬qi) * ti+?¬(¬l ∧ ¬qi) i > 0 Protocol 2 η2 = (?¬fin * Σni=0(ei * θ′i * xi))∗, where: • θ′0 := θ0 • θ′i := ?pni * ai+?¬pni * θi i > 0 It is not hard to see that the formulas θi are almost the literal translations of the specifications of Protocol 1. For i > 0, θ′i only adds the extra announcement action based on θi. Note that θi, θ′i are deterministic in the sense that there is always a unique way to proceed, due to the mutually exclusive preconditions of the actions. 5.2. Some example runs of the protocols The initial situation can be represented as a singleton expectation model M, s with the universal protocol Σ∗LB and the valuation assigning > only to p0i for all i ≥ 0. Example 44. Assume that there is a set of three prisoners {0, 1, 2} and that the sequence of interrogations is 1020. We show an execution of Protocol 1 (formalized as η1) on M. Note that the followers do not need to count in Protocol 1, thus we omit all the pji , mi for i > 0: l fin q0 q1 q2 p 0 0 p 1 0 p 2 0 M ⊥ ⊥ ⊥ ⊥ ⊥ > ⊥ ⊥ e1 ⊥ ⊥ ⊥ ⊥ ⊥ > ⊥ ⊥ t1 * x1 * e0 > ⊥ ⊥ > ⊥ > ⊥ ⊥ t0 * x0 * e2 ⊥ ⊥ > > ⊥ > > ⊥ t2 * x2 * e0 > ⊥ > > > > > ⊥ t0 ⊥ ⊥ > > > > > > a0 ⊥ > > > > > > > In the above table, we combine several actions into a sequence if after the first action, the valuation of the relevant propositions stays the same throughout the whole sequence; for example, after t1, the valuation of the propositions in 37 concern is not changed by x1 and e0. As the above table shows, 1 first turns the light on, 0 turns the light off, 2 turns the light on again, and finally 0 turns the light off and announces that everybody has been interrogated. Let ηFLB1 be the singleton protocol model with respect to η1 and FLB. Now we can verify the following: M, s  [!ηFLB1 ]〈e1 * t1 * x1 * e0 * t0〉(¬〈a0〉> ∧ 〈x0 * e2 * t2 * x2 * e0 * t0〉〈a0〉>) Formally, one needs first to convert η1 with respect to FLB into the corresponding normal form using the guarded automata construction of Proposition 41, and then construct the epistemic expectation model M⊗ ηFLB1 according to Definition 42, and finally check the truth value of the remaining [!ηFLB1 ]-free formula on this model. For details of similar, rather involved, computations in the setting of other examples, see [4, p.47]. Example 45. Still assuming that there are three prisoners, we now look at the interrogation sequence 1202 under Protocol 2. In the following table, the irrelevant propositions are omitted: l fin q0 q1 q2 p 0 0 p 1 0 p 2 0 m2 p 0 2 p 1 2 p 2 2 M ⊥ ⊥ ⊥ ⊥ ⊥ > ⊥ ⊥ ⊥ > ⊥ ⊥ e1 ⊥ ⊥ ⊥ ⊥ ⊥ > ⊥ ⊥ ⊥ > ⊥ ⊥ t1 * x1 > ⊥ ⊥ > ⊥ > ⊥ ⊥ ⊥ > ⊥ ⊥ e2 > ⊥ ⊥ > ⊥ > ⊥ ⊥ ⊥ > > ⊥ x2 * e0 > ⊥ ⊥ > ⊥ > ⊥ ⊥ > > > ⊥ t0 * x0 ⊥ ⊥ > > ⊥ > > ⊥ > > > ⊥ e2 ⊥ ⊥ > > ⊥ > > ⊥ > > > > a2 ⊥ > > > ⊥ > > ⊥ > > > > Follower 1 turns the light on; then follower 2 finds the light on and does not toggle the switch but counts 1; subsequently, leader 0 turns the light off; and finally follower 2 finds the light off, counts to 2 since he is ready to toggle the light, and then announces that everybody has been interrogated. Note that in the above table, m2 plays an important role. We can verify: M, s  [!ηFLB2 ]〈e1 * t1 * x1 * e2 * x2 * e0 * t0〉(¬〈a0〉> ∧ 〈x0 * e2〉〈a2〉>) 5.3. Correctness of the two protocols To check the correctness of the protocols, we need to show that if someone makes an announcement then each of the prisoners has been interrogated in the room at least once. Instead of this condition, we will actually 38 check a stronger one, namely: If someone, say agent i, makes an announcement (ai), then all the other prisoners j 6= i have toggled the switch (qj). Note that an agent can only make an announcement if he is in the room (ei always precedes ai in η1 and η2), thus it suffices to check qj for all j 6= i. The correctness of Protocol 2 relies on the assumption that n ≥ 2 ensures that the leader has toggled the light at least once before any follower can make the announcement. Formally, we can verify the following: M, s  [!ηFLB1 ][Σ∗LB](〈a0〉> → ∧ j 6=0 qi) ∧ [!ηFLB2 ][Σ∗LB] ∧ i≥0 (〈ai〉> → ∧ j 6=i qj) 5.4. What does the guard know? We can verify that the guard will always know when the prisoners will make the announcements, given that the protocol is public (recall that g is the guard). Let φi = (〈ai〉> → Kg〈ai〉>) ∧ (¬〈ai〉> → Kg¬〈ai〉>). Now the following is straightforward, since there is only one world in the model throughout the evaluation: M, s  [!ηFLB1 ][Σ∗LB]φ0 ∧ [!ηFLB2 ][Σ∗LB] ∧ i≥0 φi To confuse the guard, the prisoners may truthfully declare that they have agreed to use one of the two protocols, without telling the guard which one. Here we only model the uncertainty of the guard, not of the prisoners, by the following protocol model AFLB : u v g ⌘1 ⌘2 After updating AFLB onM, the new modelM′ =M⊗AFLB will have two g-indistinguishable states (s, u) and (s, v) with different expectations but the same valuation. For any w ∈ Σ∗LB, it is clear that the states inM′|w, if such states exist, have the same valuation, since the effect of executing w is deterministic. Therefore, the guard does not have any uncertainty about atomic propositions in PLB: M, s  [!AFLBv ][Σ∗LB] ∧ p∈PLB ((p→ Kgp) ∧ (¬p→ Kg¬p)). 39 On the other hand, an observation may be consistent with one state but not with the other. In particular, a sequence of actions ending by an announcement ai may be possible on (s, v) but not possible on (s, u) since Protocol 2 (formalized as η2) allows more prisoners to make the announcement, as was seen, for example, in the interrogation sequence 1202 in Example 45: M, s 2 [!AFLBv ][Σ∗LB] ∧ 0≤i≤n φi. The above shows that the guard cannot always predict the announcements. On the other hand, he might find out which protocol the prisoners are running through his observations. The following formula says: If a follower does not announce that all prisoners have been interrogated in a situation in which he could do so according to Protocol 2, then the guard can eliminate the possibility that the prisoners are using Protocol 2 and make correct predictions of the future announcement:∧ 0<j≤n [!AFLBu ][Σ∗LB * ej](pnj → [(tj + xj) *Σ∗LB] ∧ 0≤i≤n φi). Our language is very handy in verifying such complicated properties. 6. Related work There are important differences between our work and the standard DEL approach with action models [13]. This summarizes those differences: • In our setting the meaning of an action is not fixed. It is given by the expectations that come from protocols. For example, the way you interpret a fire depends on the protocol. It can be a warning or a welcome. There is no fixed precondition attached to the actions as in DEL. • The π in the [π] modalities in the language of POL are regular sets of action sequences. In DEL, in contrast, arbitrary finite action sequences (the Kleene * operator) are not commonly considered. • Our protocol models look like action models in DEL but instead of preconditions we have protocols on each state, and the update with 40 such a model on an expectation model computes the expectations according to the protocols on each possible world of the expectation model, in contrast to the precondition matching in the standard DEL updates. Moreover, we introduce a notion of equivalence between protocol models based on the ideas of action emulation [20]. • Protocols in our setting are syntactic objects that are part of the logical language. In DEL, protocols are typically sets of sequences of DELactions. We now continue with a more detailed comparison between our approach and DEL. In [4, 15], Wang introduces a logical framework for the dynamics of protocols and knowledge. In his framework, public protocols can be installed and changed, and the knowledge of agents is updated by matching expectations from protocols with observations. A similar update mechanism in the context of message passing can be found in the recent work [26] inspired by [2]. We also follow this type of 'matching updates' in this work, but deviate from [4, 15] by using epistemic models with explicit expectations, which we call epistemic expectation models, instead of standard epistemic models. Moreover, we use 'hidden protocols' on top of public ones. Our epistemic expectation models may look similar to the models used in the work by Hoshi and colleagues [5, 3], where each epistemic state is equipped with an extensional DEL-protocol, namely a set of sequences of pointed action models. However, in the current article, a protocol is simply a syntactic expression based on tests and atomic actions that have neither inner structures nor fixed meanings. By using the protocol specification language, we can separate the protocols from epistemic models, and discuss the 'installation' of possibly uncertain protocol information on the epistemic models. In particular, we can formally discuss which kinds of expectations come from which kinds of protocols. Such a formal account of protocols also facilitates the study of the equivalence between protocols. We incorporate potentially iterative program-like observations, which also distinguishes us from the single-step updates in DEL-based protocol logics [26, 5, 3], where the iteration of updates often introduces undecidability, as observed in [27]. In [14], Pacuit and Simon present a PDL-style logic for reasoning about protocols under imperfect information. Their focus is on the executability 41 and achievable outcomes of branching protocols under the uncertainties of the game states. In contrast, uncertainties may have two sources in the current paper: uncertainties about the real world and uncertainties about the protocols. The latter kind of uncertainty creates novel issues not covered by [14]. Executability of protocols also plays a role in our work but in a simpler way because of the linear interpretation of protocols, compared to the much more refined tree interpretation of protocols in [14]. Instead of executability, we focus more on the update effects of observations based on protocol information. In fact, the executors and the observers of the protocol can well be different. The protocol may be executed by external agents which are not modeled in the framework. 7. Conclusion and future work The information that actions carry may depend on agents' knowledge of protocols. In this paper we studied cases where protocols are not commonly known and proposed a semantics-driven logical framework for updating knowledge by observations based on epistemic protocols. We have left a complexity analysis, for example, in line of [4], for the future. Although our semantics-driven logics POL and EPL are 'dynamic epistemic' in spirit, the usual reduction-based completeness proof for DEL-like logics does not apply, since the dynamic operators [π] in POL cannot be eliminated. Complete axiomatizations of POL and EPL demand new techniques, pioneered in [28, 29]. We have partial results but we leave a systematic study to a future occasion. Let us consider various other extensions of our work. We only used Boolean tests in the language Lprot . A more expressive protocol language includes epistemic tests. An example of such a protocol would be (?¬Kp * (a + b))∗ * (?Kp * c): as long as you do not know p, keep choosing an a or b action, until you get to know p, and then do c. As observed in [30], knowledge-based protocols are much more involved than fact-based protocols. Defining the interpretation and executability of such protocols is a challenge, because checking epistemic formulas is nonlocal. Also, the introduction of knowledge tests may make the satisfiability problem of the logic undecidable. For example, the observations may easily encode iterated public announcement, which is known as a source of undecidability in such logics [27]. On the positive side, by including more 42 expressive tests we expect better matching between epistemic expectation models and epistemic protocols (cf. Theorem 29). Another extension is to consider less radical update mechanisms for installing new protocols. In our current approach, when installing a new protocol, we simply ignore and overwrite the old expected observations completely. Consider a singleton observation epistemic model with observation a+ c. Now, when updating with the protocol a+ b we simply replace a + c by a + b. Instead, we could integrate a + c with a + b, somehow. For example, such a 'non-radical' protocol update with a + b could result in b (intersected refinement), or in (b + c) * (a + b) (concatenation), or in (b + c) + (a + b) (choice), and so on. See [15] for a discussion. Finally, we could relax the assumption of public observation, for example, some actions might not be observable to certain agents. It would also be interesting to relax the underlying logic and to use KD45, modeling belief, instead of S5, modeling knowledge. For example, in the models of protocol updates for the story of Example 1 of the introduction (see page 18), it would fit more naturally with the story if the link for Ann between the alternatives in the epistemic protocol model were unidirectional only, namely from ?g * a+?¬g * b to a+ b, plus a Jane-loop from ?g *a+?¬g *b to itself and Janeand Ann-loops from a+b to itself, as follows. s t Ann a + b?g * a+?¬g * b Jane Jane, Ann This would model installing the protocol wherein Anne is unaware of the gay interpretation. Currently, the model on page 18 installs the possibly later observed information that Ann is uncertain whether the statement is to be interpreted as 'Kate is gay' or not, but she considers the option. By contrast, in the actual story, Jane will only interpret a as a sure sign of 'Kate is gay' and b as a sign of 'Kate is not gay'. We would rather be able to model that Jane considers both the 'Kate is gay' and the 'no double meaning' interpretation of a and b, corresponding to Ann's stance in the current model, whereas Ann only considers the 'no double meaning' interpretation and believes that Jane does so too. 43 The subject of hidden protocols is also interesting from the point of view of language pragmatics. Speakers who intend to convey information to only some of their listeners in such a way that others will not understand what is going on, are deliberately acting against some of Grice's maxims of cooperative conversation [31]. Forms of indirect or uncooperative communication, such as veiled bribes and threats, have already been investigated from the perspective of pragmatics and cognitive science, relating them also to aspects like lack of common knowledge [32, 33, 34, 35]. Our analysis of hidden protocols in this paper, by distinguishing between expected observations and actions, is more fine-grained than the changes in 'standard' dynamic epistemic logic, but could benefit from taking such Gricean aspects into account. Thus, in addition to observational powers of the agents, also their assertive powers may be modeled. Finally, it would be interesting to investigate the role of the interlocutors' goals and intentions when they utter a veiled speech act that is part of a hidden protocol (cf. [36, 37, 38, 39]). Acknowledgments Hans van Ditmarsch is also affiliated to IMSc (Institute of Mathematical Sciences, Chennai, India), as associated researcher. Part of this research was carried out by Hans van Ditmarsch and Yanjing Wang during their joint stays at the IMSc. Hans van Ditmarsch thanks the Netherlands Organization for Scientific Research (NWO) for a visiting grant 040.11.177 to Rineke Verbrugge, University of Groningen, of which the conference precursor [16] of this publication can be seen as an outcome. Hans van Ditmarsch also acknowledges support from ERC starting grant EPS 313360; this work has also been partially supported by the European Union Seventh Framework Programme under grant agreement no. 295261 (MEALS). Sujata Ghosh acknowledges NWO research grant 600.065.120.08N-201 and Rineke Verbrugge acknowledges NWO research grants 600.065.120.08N201 and Vici grant NWO 227-80-001, both for her own research and for being able to invite Hans van Ditmarsch, Sujata Ghosh and Yanjing Wang as visitors to Groningen to cooperate on this extended article. Yanjing Wang thanks the National Social Science Foundation of China for the research grant 11CZX054 which also supports this work. He also acknowledges INSA-JRD TATA Fellowship which enabled him to visit Indian Statistical Institute (ISI), Chennai and helped in preparing the final version. The authors would like to thank the anonymous reviewers and the editors of this 44 journal for their very helpful comments. [1] R. Fagin, J. Y. Halpern, M. Y. Vardi, Y. Moses, Reasoning about Knowledge, MIT Press, Cambridge, MA, 1995. [2] R. Parikh, R. Ramanujam, A knowledge based semantics of messages, Journal of Logic, Language and Information 12 (2003) 453–467. [3] J. van Benthem, J. Gerbrandy, T. Hoshi, E. Pacuit, Merging frameworks for interaction, Journal of Philosophical Logic 38 (2009) 491– 526. [4] Y. Wang, Epistemic Modelling and Protocol Dynamics, Ph.D. thesis, University of Amsterdam, 2010. [5] T. Hoshi, Epistemic Dynamics and Protocol Information., Ph.D. thesis, Stanford University, 2009. [6] Y. Zhang, Y. Zhou, Knowledge forgetting: Properties and applications, Artificial Intelligence 173 (2009) 1525–1537. [7] F. Belardinelli, A. Lomuscio, Quantified epistemic logics for reasoning about knowledge in multi-agent systems, Artificial Intelligence 173 (2009) 982–1013. [8] J. Halpern, Y. Moses, A guide to completeness and complexity for modal logics of knowledge and belief, Artificial Intelligence 54 (1992) 319–379. [9] E. Davis, Knowledge and communication: A first-order theory, Artificial Intelligence 166 (2005) 81–139. [10] S. Singh, The Code Book: The Evolution of Secrecy from Mary, Queen of Scots, to Quantum Cryptography, Doubleday, New York, NY, USA, 1999. [11] A. van Kooten Niekerk, S. Wijmer, Verkeerde Vriendschap: Lesbisch Leven in de Jaren 1920-1960, Sara, Amsterdam, 1985. [12] A. Baltag, A logic for suspicious players: Epistemic actions and beliefupdates in games, Bulletin of Economic Research 54 (2002) 1–45. 45 [13] H. van Ditmarsch, W. van der Hoek, B. Kooi, Dynamic Epistemic Logic, volume 337 of Synthese Library, Springer, Berlin, 2007. [14] E. Pacuit, S. Simon, Reasoning with protocols under imperfect information, The Review of Symbolic Logic 4 (2011) 412–444. [15] Y. Wang, Reasoning about protocol change and knowledge, in: Proceedings of the 4th Indian Conference on Logic and its Applications (ICLA 2011), LNAI 6521, Springer, Berlin, 2010, pp. 189–203. [16] H. van Ditmarsch, S. Ghosh, R. Verbrugge, Y. Wang, Hidden protocols, in: K. R. Apt (Ed.), Proceedings of the 13th Conference on Theoretical Aspects of Rationality and Knowledge (TARK-2011), ACM, 2011, pp. 65–74. [17] J. A. Brzozowski, Derivatives of regular expressions, Journal of the ACM 11 (1964) 481–494. [18] J. H. Conway, Regular Algebra and Finite Machines, Chapman and Hall, London, 1971. [19] J. van Eijck, J. Ruan, T. Sadzik, Action emulation, Synthese 185 (2012) 131–151. [20] D. van Eijck, F. Sietsma, Action emulation between canonical models, in: Proceedings of Conference on Logic and the Foundations of Game and Decision Theory 2012. [21] J. van Benthem, J. van Eijck, B. Kooi, Logics of communication and change, Information and Computation 204 (2006) 1620–1662. [22] J. van Eijck, Perception and change in update logic, in: J. van Eijck, R. Verbrugge (Eds.), Games, Actions and Social Software, volume 7010 of Texts in Logic and Games (FOLLI subseries of LNCS), Springer Verlag, Berlin, 2011, pp. 119–140. [23] D. Kozen, Automata on Guarded Strings and Applications, Technical Report, Cornell University, Ithaca, NY, USA, 2001. [24] H. van Ditmarsch, J. van Eijck, W. Wu, Verifying one hundred prisoners and a lightbulb, Journal of Applied Non-Classical Logics 20 (2010) 173–191. 46 [25] H. van Ditmarsch, J. van Eijck, W. Wu, One hundred prisoners and a lightbulb logic and computation, in: F. Lin, U. Sattler, M. Truszczynski (Eds.), KR, AAAI Press, 2010, pp. 90–100. [26] B. Rodenhäuser, A logic for extensional protocols, Journal of Applied Non-Classical Logics 21 (2011) 477–502. [27] J. S. Miller, L. S. Moss, The undecidability of iterated modal relativization, Studia Logica 79 (2005) 373–407. [28] Y. Wang, Q. Cao, On axiomatizations of public announcement logic, Synthese (2013). Online first: http://dx.doi.org/10.1007/s11229012-0233-5. [29] Y. Wang, G. Aucher, An alternative axiomatization of DEL and its applications, in: Proceedings of IJCAI2013, pp. 1147–1154. [30] R. Fagin, J. Y. Halpern, Y. Moses, M. Y. Vardi, Knowledge-based programs, Distributed Computing 10 (1997) 199–225. [31] H. P. Grice, Logic and conversation, in: P. Cole, J. L. Morgan (Eds.), Syntax and Semantics, volume 3, New York: Academic Press, 1975, pp. 41–59. [32] H. Clark, Using Language, Cambridge University Press, Cambridge, 1996. [33] R. Verbrugge, L. Mol, Learning to apply theory of mind, Journal of Logic, Language and Information 17 (2008) 489–511. Special issue on formal models for real people, edited by M. Counihan. [34] S. Pinker, M. Nowak, J. Lee, The logic of indirect speech, Bulletin of Economic Research 54 (2002) 1–45. [35] H. van Ditmarsch, J. van Eijck, R. Verbrugge, Common knowledge and common belief, in: J. van Eijck, R. Verbrugge (Eds.), Discourses on Social Software, volume 5 of Texts in Games and Logic, Amsterdam University Press, Amsterdam, 2009, pp. 99–122. [36] M. Bratman, Intention, Plans, and Practical Reason, Harvard University Press, Cambridge, MA, 1987. 47 [37] A. Rao, M. Georgeff, Modeling rational agents within a BDI-architecture, in: R. Fikes, E. Sandewall (Eds.), Proceedings of the Second Conference on Knowledge Representation and Reasoning, Morgan Kaufman, 1991, pp. 473–484. [38] B. Grosz, C. Sidner, Plans for discourse, in: P. Cohen, J. Morgan, M. Pollack (Eds.), Intentions in Communication, MIT Press, Cambridge, MA, 1990, pp. 417–444. [39] F. Dignum, B. Dunin-Kȩplicz, R. Verbrugge, Creating collective intention through dialogue, Logic Journal of the IGPL 9 (2001) 145–158.