FOUNDATIONS KNOWLEDGE DISTRIBUTED SYSTEMS on2 …Foundations of Knowledge for Distributed Systems 1 Introduction Knowledge and common knowledge are intuitive concepts that help us

AD-RI63 545 FOUNDATIONS OF KNOWLEDGE FOR DISTRIBUTED SYSTEMS i/iREVISION(U) YALE UNIV NEW HAVEN CT DEPT OF#CONPUTERSCIENCE M J FISHER ET AL DEC 35 YALEU/DCS/TR-450

UNLSSIFIED N88814-8 -K-0154 F/G 9/2 REhEE on2 shEEomo

Mooso

.42.8

'1p.

.4', 6 4.

IIIII U- 1111132.2

-1.

11.25 11114 1111.

MICROCOPY RESOLUTION TEST CHARTNATIONAL BUREAU OF STANDARDS - 1963-

.4-

%

InIn

to

DTIC

E VERIT~

9 6 0

C4, J,~

YALE UNIVERSITYDEPARTMENT OF COMPUTER SCIENCE

86 2r310;I

% ~~. ~~~--

FEBO04 19B69

FOUNDATIONS OF KNOWLEDGE FOR DISTRIBUTED SYSTEMS

Michael J. Fischer and Neil Immerman

YALEU/DCS/TR 450Revision of TR 426December, 1985

FOUNDATIONS OF KNOWLEDGE FOR DISTRIBUTED SYSTEMS

Michael J. Fischer' and Neil Immerman t

Computer Science DepartmentYale University

New Haven, CT 06520

Abstract

We give a simple, yet very general definition for distributed protocols. We thendefine notions of knowledge and common knowledge appropriate for these protocols.We study how changes in the states of knowledge relate to more standard notions ofcomputation. We find that by restricting our formulas to certain sets of global stateswe can realize different, appropriate definitions of knowledge with fundamentallydifferent properties.

Accesion For

NTIS CRA&IDTIC TAB ElUnannounced El

Justificatioi ... .............

By ...................Di.t ib.ti /.

D AvJJ. cj(Qr

'Research supported in part by the National Science Foundation under Grant Number DCR-8405478 and bythe Office of Naval Research under Contract Number N00014-82-K-0154.

t Research supported by an NSF postdoctoral fellowship and the Mathematical Sciences Research Insitute,Berkeley.

1...' "*.,- *. ,.q .- '- , . , . -" ," -. ,. ,.-'.-,..'. ,, .. -. ', " ,.'': . " .'. '. .. '.,',.'..'. " '". ...- ". "-.',-"-"," ." , V r e V' F,.6

SECURITY CLASSIFICATION OF TIS PAGE (VWhn DofsEntered)l

* REPORT DOCUMENTATION PAGE BEFORE COMPLETIGFORMI. REPORT NUMBER 2. GOVT ACCESSiON NO. 3. RECIPIENT'$ CATALOG NUMBER

YALEU/DCS/TR 450 - Revision of TR42 "

4. TITLE (anI SubhtIOe S. TYPE Of REPORT & PERIOD COVERED

FOUNDATIONS OF KNOWLEDGE FOR DISTRIBUTED SYSTEMS Technical ReportS. PERFORMING OG. REPORT NUMBER

7. AUTNOR(#) S. CONTRACT OR GRANT NUMB E(B)

NSF- DCR-8405478Michael J. Fischer and Neil Immerman DNR- N00014-82-K-0154

I. PERFORMING ORGANIZATION NAME AN ADDRESS 10. PROGRAM ELEMENT. PROJECT. 7TASK

Department of Computer Science/ Yale University AREA & WORK UNIT NUMBERS

10 Hillhouse Avenue

New Haven, CT 06520II. CONTROLLING OFFICE NAME AND ADDRESS 12. REPORT DATE

NSF, Washington, DC, 20550/ Office of Naval Research December, 1985800 North Quincy, Arlington, VA 22217 13. NUMBEROF PAGES

1814, MONITORING AGENCY ' AME & ADDRESS(l djllenf Iroan Controllng Office) IS. SECURITY CLASS. (f ilti report)

Office of Naval esearch U c a s f eUnclassified800 North QuincyArlington, VA 22217 IS&. DECLASSIFICATION:DOWNGRAON.G

SCHEDULE

16. DISTRIBUTION STATEMENT (of this Report)

Approved for public release; distributed unlimited

17. DISTRIBUTION STATEMENT (of the abstracat ntered In Block 20, if dllleron hon Report)

IS. SUPPLEMENTARY NOTES

19. KEY WORDS (Continue on reverse side it nece ary and identify by block niuber)

0 Distributed systemLogic of knowledge

20. ABSTRACT (Continue o ,everse aide if necesary id identify by block nubr)

0 We give a simple, yet very general definition for distributed protocols.* r- We then define notions of knowledge and common knowledge appropriate for

these protocols. We study how changes in the states of knowledge relate tomore standard notions of computation. We find that by restricting our for-mulas to certain sets of global states we can realize different, appropriatedefinitions of knowledge with fundamentally different properties.

0

DD ,OM 1473 EDITION Of NOV 6, IS OBSOLETE.,.%~D I J- A N 78

SECURITY CLASSIFICATION Of THIS PAGE (When Dole SnmimEt)

J. . r,

Foundations of Knowledge for Distributed Systems

1 Introduction

Knowledge and common knowledge are intuitive concepts that help us reason about ordinaryeveryday situations in which we have only partial information. They become more complicatedwhen other agents in the situation are intelligent and have reasoning power, for then our stateof knowledge contains not only facts about the world but also facts about the state of knowledgeof others, and how these states change over time depends on the agents' reasoning ability aswell as on the occurrence of external events. (Cf. the "muddy children's -roblem" in [HM84].)It is appealing to use these concepts to reason about distributed pr' .cols, for processors ofa distributed system can be thought of as independent agents wit' )nly partial informationabout the global state of the system. To be sure our reasoning i "rect, it is necessary tohave rigorous and precise definitions of the intuitive concepts undt g such terms as "globalstate", "time", "knowledge", "message", etc. Only then can we be - to avoid the circularitiesand inconsistencies that are all too common in informal reasoning.

Halpern and Moses informally define various notions of "knowle ge" and "common knowl-edge" in the context of a particular model of distributed systems in which every processor hasa clock and stores in its state the entire history of messages sent to it [HM841 . They argue

* that while common knowledge is desirable, it is unattainable in many realistic settings. Theysuggest a hierarchy of weakened versions of common knowledge and discuss conditions underwhich these can be achieved.

We find the assertion that "common knowledge is not attainable in real world systems"I tobe at variance with our intuition, for it seems clear that "common knowledge" in the intuitivesense is attained in the real world. To understand this disparity between the formal model andour intuition, we examine, simplify, and make more precise the informal definitions given in[HM84].

We first give quite general and simple definitions of distributed protocol, knowledge andcommon knowledge. Under these simplified definitions, the arguments of [HM84], suitablyformalized, still apply to show the impossibility of attaining common knowledge in systemswithout globally simultaneous transitions. We then show that it is not necessary to discard thenotions of knowledge and common knowledge in favor of weaker ones in order to obtain realisticand useful definitions; rather, one can discard the assumption that formulas be interpretable atevery global state and instead interpret them only at a subset of "safe" states. This is analogousto notions of database consistency in which the database is only required to be consistent at

* times when no transaction is in the middle of execution. Using the same definitions as beforebut restricted to safe states, we get a new and different notion of common knowledge which canbe attained in situations where Halpern-Moses common knowledge cannot.

We conclude that formalizing these concepts is subtle, and seemingly innocuous assumptionscan lead to unexpected results. Our desire is to formalize concepts of knowledge so that they

0 may aid the design of distributed algorithms and clear proofs of their properties. We believewe have provided a solid base for future work in this area.

[I[H84], Conclusions.

024 - 2

0Ae


2 Distibuted Protocols

2.1 A General Model

Definition 2.1 A distributed protocol,

P = (n,Q,I,r),

consists of a number n of participants, a act Q of local states, a set I g Q0 of initial globalstates, and a nezt move relation 7 _ Q" x Q" on global states.

For any protocol P, let Rp be the r-reachable global states of P, that is, the set of all globalstates we can reach by starting in I and taking any number of -r steps. By definition, onlythe reachable global states can occur in a run of P. In general it may be a complex task totell if a given element of Q" is in Rp; however, in this paper we will only be concerned withthe reachable global states. For p E Q" a global state and i a participant, we write (p)1 to

denote the ith component of p. We will also use the notation p 2 q to mean that p, q E Rpand (p)i = (q)i, i.e. they are indistinguishable from i's point of view. Obviously each i is an

0 •equivalence relation.2

Our definition of protocol is certainly simple and precise. Let us argue that it is alsosuffciently general. Anything we would be willing to call a distributed system can be brokenup into a finite number of logical entities which we call "participants". A participant may beany component of a system: a processor, a buffer, a clock, etc.3 Each participant has some totalconfiguration that we are calling its (local) state. Furthermore, the states of all the participantscombined should determine the entire state of the system and thus which global states can nextbe entered.

It is easy to see for example that our model of distributed system is a generalization of theshared variable model of Lynch and Fischer rLF811. In that model, the participants consistof shared variables and processors. Each action involves exactly one processor and one sharedvariable.

Similarly our model includes synchronous protocols in which every processor sends a messageto every other during each round. One way to model this is to specify that the set of possiblestates is of the form Q = M", i.e. each processor's total configuration consists of an n-tuple.

* We can specify that the ith entry of j's state is the value of the message sent from i to j duringthe previous round. This can be done as follows: for all processors i, j, and for all global states

'Our definition of knowledge given in Section 3 will be that of inherent knowledge-those facts that a par-ticipant could deduce given arbitrary computational power. Thus, in a global state p E Rp, a participant i willknow that we are in some q 6 Rp with q - p, and its knowledge will consist exactly of those facts true in allsuch q. The problem of determining membership in Ris not relevant to the notions considered in this paper.

. It certainly is relevant, however, when considering knowledge in cryptographic protocols when an explicit boundis given on the computational resources of the participants.

-This approach is different from most of the other formal specifications of protocols of which we are aware,e.g. [CM831, (HM851, (HF851, IPR851. The more usual approach is to say that after a message is sent it may

. sometime later be received by the addressee, but a message in transit is not explicitly modeled.

4' 3

.......... ... ............... ..... ...........-

L-


p, q, r, s, if (p, q) and (r, s) are in r and if processor i has the same state in p as in r, then theSth component of processor i's state is the same in q as in s.

The sense in which our model could be too general is that we allow any transition relation r.Of course, for certain applications we can make appropriate restrictions. We have already seenthat we can restrict our attention to processors which communicate with shared variables, or tosynchronous message passing protocols. Similarly, instead of letting each processor's transitionsbe perfectly general, we can restrict our attention to processors with specified computing power,e.g. finite automata, polynomial time Turing machines, etc.

One interesting kind of restriction to place on the transition relation r is locality.

Definition 2.2 Let T = {i... , ik) be a set of participants, and let ET(p, q) hold if (p)i = (q)ifor all i r T.

e We say that (p,q) affects only participants in T if E,(p, q) holds, where T is the set ofparticipants not in T.

. We say that (p,q) E r is enabled by T if for all p' such that ET(p',p), then (p',q') E r forthe (unique) q' such that ET (q', q) and Ev(q', p').

* We say (p, q) C r is local to T if it affects only participants in T and is enabled by T.

9 We say that a protocol is pairwise local if every transition in r is local to some set T ofsize two.

Thus, a transition is local to T if only coordinates belonging to T are changed during thetransition and if the local states of the participants not in T have no effect on whether or notthis transition can occur. Note that a transition local to T does not necessarily affect all of themembers of T. Note also that the same transition can be local to two sets T, and T2 but notbe local to their intersection. Consider for example the transition a = ((0, 1, 1, 1), (1, 1, 1, 1)),and suppose r contains every transition of the form ((, X2 , X3 , X4 ), (X 2, X3, X4 )) except for((O,O,O,0), (1,O,0,O)). Let T -{1,i}, i - 2,3,4. Then a affects only T (since only the firstcomponent changes), and a is enabled by Ti (since no matter how the components outside ofTi are changed, participant 1 can still make the transition from state 0 to 1). Thus, a is localto Ti for each i, but clearly a is not local to nf ="- {1}.

2.2 Comparison with Other Models

The shared variable model [LF81] is pairwise local: each transition is local to one processor'. *~and one shared variable. On the other hand the synchronous protocol described above is not

pairwise local: each transition in general affects all n participants. We believe that if one models* a distributed system at a sufficiently fine level then it will be pairwise local simply because it isS." difficult to insure that distant events occur simultaneously. However it is sometimes convenient

to discuss synchronous protocols when the finer analysis would only obscure what is going on.

The models described in [CM85, 1HM85], [HF851, [PR85] are all asynchronous messagepassing systems and thus are pairwise local when translated to our protocols. For readers more

4

0--


familiar with these other models, we will now consider one of them in more detail. Chandyand Misra [CM85] consider systems of n processors in which there are three disjoint sets oftransitions: sends, receives, and local events. The relation between sends and receives is thateach receive must correspond to a unique earlier send. The Chandy and Misra model forcesthe processors to remember their entire local history. Furthermore, the ability to perform atransition depends only on the local history of the affected processor except in the case of areceive, which also requires that the message to be received has already been sent. We cancharacterize the Chandy and Misra model in terms of our protocol model as follows:

Proposition 2.3 The Chandy and Misra model [CM85] is isomorphic to the protocol modelP = (n + 1,Q,I, r):

S1. Participants 1 to n are the processors and participant n + 1 is the message buffer.

. There are sets E of local events and M of messages. A message triple (i,j,m) is a sendfrom i and a receive by j of message m. The local state of processor i is a list of localevents and message triples, each of which is a send from i or a receive by i. The localstates of the buffer consist of any multiset of message triples.

0 8 S. The set of initial global states is the singleton I = (A,..., A, 0) in which all processors

have the empty list A as their local history and the buffer is empty.

4. Each transition is of one of the following three forms. Transition (a) only involves par-

ticipant i, and transitions (b) and (c) only involve participants i and n + 1.

(a) Local event e - E at processor i: e is appended to i's local state.(b) Send of m E M from processor i to processor j: the message triple (i,j, m) is ap-

pended to i's local state and added to n + 1 's local state.

(c) Receive by processor i of the message m E M sent by processor k: a message triple(k,i, m) is deleted from n + 1 's local state and appended to i's local state.

2.3 Two Examples

We conclude this section with two nontrivial examples of protocols, one asynchronous and the

-'. other synchronous. These protocols will be frequently referred to in the remainder of the paper.

* Both protocols model the situation of a completely connected network of n processors whichoperate in rounds. On each round, every processor i sends a message mi to each other processorj. After receiving all of the messages sent to it on the given round, processor i changes stateand chooses a new set of messages to send out on the next round. The new state and messageset depend on the old state and on the messages received during the round.

0 In protocol A, the messages are sent asynchronously, one at a time, via message buffers. Abuffer either contains a message or is empty. A message can only be sent to an empty bufferand only received from a non-empty buffer. Sending a message makes the buffer non-empty,and receiving a message makes the buffer empty again. Thus, the execution of each round takesmany steps.

0

5

* . . .. . .


In protocol B, all messages are sent and received in one big synchronous step, that is, onestep of B corresponds to an entire round of A.

2.3.1 Protocol A

Let A = (n2,QA,IA,,A) be an asynchronous message passing protocol defined as follows: Thefirst n participants of A are the processors ai,... ,a.; the remaining (n - 1)n participants arebuffers. For a global state p, we abuse our previous notation slightly and write (P)a, to denotethe component corresponding to a and (p)bi. to denote the component corresponding to bufferbid.

The set of possible local states of a buffer bid, i 0 j, is QA = M U {A}, where M is a setof possible messages and A is a special symbol denoting the null message. (p)b6,, = m E Mindicates that the single message m was sent by i but not yet delivered to j in global state p,and (p)bjj = A indicates that no message is waiting.

The set of possible local states of a processor ai is Q. = (D x (M U {A})I x N). State(d,. mi... , mi , .. , iM,, r) indicates that the processor is in internal state d at roundlr/2J with pending messages mi,..., mi-1, m.+i,..., m,,. If r is even, then the processor is ina 'send' state, waiting to place each m. # A into buffer bij. If r is odd, then the processor is ina 'receive' state waiting to fetch a message from bij for each j such that m. = A.

Thus, the complete set of local states QA is QA U Qb.

.- The transitions making up rA are of four kinds:

1. (p, q) 1 Sendi,, if

* p. q for allc c {aj, bij};

l (p)b~ = A;

*(p). = (d,.. , 2k);* (q)j =(d,..., m,._.,A,m,+i,...,2k).

2. (p, q) E End..-sendi if

o p C qforallc ai;

M-a (d,,...,A,2k);- (q),= (d,,A,..., A, 2k + 1).

3. (p, q) e Receiveid if

" * p. q for all c i {ai,bii};,',.,'. = ms # A;

0 (qb., = A;

* (p)o, = (d,...,m._.,A, m.+,...,2k + 1);

6

0A.0J

'S7

. Foundations of Knowledge for Distributed Systems

m .(q)o, = (d,.. ., m.- mm,+i,.. .,2k + 1).

4. (p, q) E Endreceivei if

. * p qfor all c96ai;

* (p)°,= (d, ml,...,m.,2k+ 1), where mi 0 A for all j i;

* =) (d',m.,.. m' ,2k + 2), where m, #, A for all a' i, and d' and m'. are-,-,*- functions of (P)°.

Now we let rA consist of all the above transitions:

r= U Sendij U End.sendi U Receiveij U End.receivei.ij

Finally let 1A be some nonempty set of global states in which the state of every processora, has the form (d, mi,...,m,,,O) with my #6 A for all j 9 i, and all the buffers are empty.

2.3.2 Protocol B

Our second example of a protocol is a synchronous version of A. Let 3 = (n2, QB, 'B, re), where

= DxM - x{2rIr EN},'S=

QB Q*BU Q'.

Let U = (Q,)n x (Q )n(n-I). Let the transitions rB consist of all pairs (p, q) E r; n (i$ xsuch that no rA path in A from p to q goes through intermediate global states in iB. Finallylet Is = IA.

We see that the reachable global states of B all belong to QE. Thus, all buffers are alwaysempty and the local states of the ai's are the corresponding states from A at the beginning ofa round. It is not hard to see that B is a synchronous version of A such that in each round allprocessors send n - 1 messages and then receive n - 1 messages.

p,;.

* 3 Definitions of Knowledge and Common Knowledge

It is convenient to picture a protocol P as a graph with nodes consisting of all the elements ofRp. There is a directed edge labelled r from p to q just if (p,q) E r. Furthermore there is anundirected edge labelled 'i' between p and q just if p L q.4

'The reader familiar with Kripke models will observe that an alternate description of a protocol P is as aKrlpke model K = (Rp,,r, where the -'s are equivalence relations; and furthermore for all worldsW.', Wv, e R, if w W' wu for all i then w = w'. See [FIS5] where this characterization of protocols is used to obtain

. a simple proof that propositional logic of knowledge and branching time is EXPTIME complete.

7

5,. .o

/9. .,, ''.- ' ' - ' . - - - -. / -- " .- - ' ", - - , -" ' -" " '"." " : " ''''''''''' --..--.-. ' -.-, :''') - -. '


Let E be an equivalence relation on the reachable global states Rp with equivalence classes[PIE, p r Rp. Corresponding to E is a modal operator o(E). For any sentence ce, it is naturalto make the following definition of I0(E) c, which we read as "box E c&':

(P,p) [3(E) e Vq C[p] E( q) ce).

Thus, 03(E) a holds just if a is true in all the worlds E-equivalent to the current world.

Several equivalence relations will be of interest. i the indistinguishability relation forparticipant i, has already been defined. We denote i(L) by Ki, which we read "i knows."Thus, i knows a just if a is true in all worlds which are indistinguishable by i from the currentworld.

We generalize to a group of participants G C {I, ,n}. Let

that is, the transitive closure of the union of the L relations for i E G. Thus, we have0G.- : . p -j q 4* (3r > 0) (3i1,..., ir E G) (3pI,..., pr-1)[p pi pl 2. .. pr-- I q]

We denote M by Cc, which we read "it is common knowledge among the members of G".

Note that f so also Ci) - Ki. We write ; for r and C for Cc in the special case that Gincludes all participants.

The next result shows that Cak coincides with the definition current in the literature. (Seefor example [HM84].)

Theorem 3.1 The following two statements are equivalent:

1. V ) cc ..?.,2 - (Vr > )(Vil,.. - ,ir E G)((P,p) K;, K;,:... Ki, oe).

* ProofG(1 =o, 2): For any ~,we have C0/3- since p % p. Thus, it suffices to show that for any p3,

if (PP) ) CGO, then for all i E G, (P,p) CgKif. This is clear because if q ; p and q' / q

then q' f p; hence (P,q) k Kip. Since Kip holds for all q E [p]l, it is common knowledge in G0 +at p, as desired.

'We have intentionally left the logical language unspecified from which the sentence a is drawn, for all that werequire is that it be possible to interpret a at the pair (P, p) (and we weaken even that requirement in Section 8).Of course the strongest such language would have a way to express each possible subset of Rp. The languageswe consider may be taken to be some unspecified subset of this strongest language.

V+% -~

8

-..7 t- I

0:::

"-'-.- - - .-...,-.-, -.-.....,-..........-.-..-....--.-..."...-..-"".-.,'".....-"....'.-,-.'-..."..---.--"..-..--


(2 =* 1): Suppose that (P,p) K Cca. It follows that there is a q E [p]o such that (P,q)

-,a. Let i,.. .,ir E G be such that there exists Pl,...,Pr-1 with p P1 2 P2.. .Pr-1 q. Itfollows that (P, p) =-K, Ki,.K 1 ,ct.

As an example of the above concepts, the next proposition shows that for the synchronousprotocol B described at the end of the last section, whenever a processor is in round r, it iscommon knowledge among all the processors that they are in round r. We will see in the nextsection that this assertion is false for the asynchronous protocol A.

Proposition 3.2 Let P = {l,...,n} be the set of processors in protocol B (omitting thebuffers). Let i,j E P, let ca(i, r) be a formula meaning that processor i is in round r, andlet q e RB be any reachable global state. Then

,., (B, q) - oe(i, r) - Cpa (j, r).

Proof It is trivial to show by induction that for all p e Rq, all the processors are in the sameround. Therefore suppose that (B, q) = &(i, r). It follows that for all p E [q] p, (B,p) p

4 Common Knowledge in Asynchronous Systems

Informally, an "asynchronous system" has two kinds of participants, "active" and "passive".Typically, the active elements are processors and the passive elements are memory cells ormessage ports. Every step of such a system consists of an interaction between an active and apassive element, and whether or not a step can occur depends only on the states of the elementpair involved.

-. In our more general model, we have only one kind of participant, so we define a protocol tobe asynchronous if it is pairwise local as defined in Section 2. Thus, every interaction "involves"

--at most two participants, and two steps involving disjoint sets of participants can occur in eitherorder with the same effect.

The theorem that follows depends on much less than full asynchrony. Thus, we define avery weak notion of an asynchronous protocol that we call "nonsimultaneous".

Definition 4.1 Let G _ (1,. . . , n} be a specified se of participants in a protocol P = (n, Q, I, r).We will call P nonsimultaneous with respect to G if for all (p, q) E r, there is a participant i E Gnot affected by the transition (p, q). We say that P is nonsimultaneous if it is nonsimultaneouswith respect to the set of all participants.

':. . As an example, note that a message passing protocol such as in [CM85] is nonsimultaneous*. with respect to its set of processors provided it has at least two processors. Note also that any

asynchronous protocol with at least three participants is nonsimultaneous.

St i' ... . . . . .. . .- - " - " " - ' ' ' , - "V" "* "<' " . " """ ., "'." "" " "." L ",". ' % "- ' . - - ' ' , ". -'- , " - '.


The following theorem shows that in a nonsimultaneous protocol, no new common knowledgecan be acheived. (Cf. [HM84], Theorem 3.)

Theorem 4.2 Let P be a protocol and G a set of participants. Let p be any global state in Rpand let po be an intial state from which p is reachable by a sequence of T steps, all of which arenonsimultaneous with respect to G. Let a be any sentence in a logic for P. Then (P,p) Cca

iff (Ppo) Coct.

GProof It suffices to show that q v r for any step (q, r) e r that is nonsimultaneous with respect

Gto G, for then po s p follows by considering the path of steps from Po to p, and the theoremthen follows from the definition of common knowledge in G. But if (q, r) E r is nonsimultaneouswith respect to G, then there must exist a participant j r G unaffected by the transition, i.e.

j Gsuch that q r. It follows that q s r.

Corollary 4.3 Let G be a set of participants in a protocol P that is nonsimultaneous withrespect to G. Then it is impossible to gain new common knowledge among the members of G.

As an example, consider the protocol A discussed at the end of the last section. It is easyto check that A is nonsimultaneous with respect to any set of G participants including at leasttwo processors or at least two buffers. Thus, no new common knowledge among the membersof any such G can arise in A. This is in sharp contrast to the situation for A's cousin B (cf.Proposition 3.2).

It would seem at first glance that the difficulty in achieving common knowledge has to dowith the problem of reaching an arbitrary depth of K's with only finitely many messages. Weconclude this section with a look at finite state protocols where common knowledge is equivalentto a bounded stack of K's.

Theorem 4.4 Let P = (n,Q,I,r) be a finite state protocol, i.e. IQI < o. For each i, let

Thus, each processor is a IQI-state automaton. Let r = min{jQiI 1 1 < i < n}. Let p be any, global state and let a be any formula. Then the following are equivalent:

I. (P,p> I=Ca.

0 2. For all il,.i2 , 2,-, ((P,p) K8, .K... or).

Proof

(1 = 2): By definition of C.

10

N..

" . .. . . .. ., . . . . . . . . . - . . . . . . , x , " .. . ", ' " - ..- , ... . ..--' " ' - - ,


(2 =* 1): Suppose that (P,p) & Ca. Then there must exist q E [p]. such that (P,q) a.Consider a minimum length - chain from p to q:

iP = PO 0 P i '%P2 ... P,-1 -P s = -q

No nonconsecutive pair pj, pk of global states agree on any component because if they did thechain could be shortened. It follows that in any given component, each state appears at mosttwice. Therefore a _5 2r - 1. It follows that

(P,p) = Ki K,. K,',._.

Example 4.5 Consider the protocol P, " (2, {1,... ,r + 1}, {(1, 1)},r,) where,

This protocol has the unique computation chain:

(1, 1), (2, ), (2, 2), (3, 2),. , (r, - ), (r, r), (r +I , r).

Furthermore, for all reachable global states p and q, we have p ;, q. Thus, for any a,

(Pr,p) = Cce for all q E Rp,, (Pr, q) t ck.

Let a say that processor I is not in state 1. Then (Pr, (1, 1)) a , so (Pr, (r + 1, r)) Cak.On the other hand, it is easily seen that

(Pr, (r +1,r)) = KIK 2 KI K2KI... K2 KIa.2r-2

It follows that for all ii2,. -, i2,-2 E {1,2},

(Pr, (r + 1, r)) I= K,, ... a_

showing that the bound in Theorem 4.4 cannot be improved.

5 Alternate Definitions of Knowledge

Halpern and Moses argue that, "If Cp is to be attained, all processors must start supporting it• simi'ltaneously.' 6 Their conclusion is that in the absence of perfect global clocks and guaranteed

-exact message delivery times, one must settle for weaker notions than common knowledge. Theysuggest alternative notions and discuss when these can be acheived.

*[HMS41, Lemma 2.

S11

V.


We draw a differenct conclusion from the same problem, namely we believe that there is nota best or most desirable common knowledge which one would acheive if one could; but rather

4that different notions of knowledge and common knowledge may be appropriate for differentprotocols.

It is useful to consider our example protocols A and B. We hope the reader will agree thatthey are realistic instances of an asynchronous and a synchronous message passing protocol,respectively. Recall that new common knowledge among the n processors is attainable in B butnot in A. This is confusing because in a very strong sense A and B are isomorphic protocols

(d. [CM85]). 7

The difference between protocols A and B concerns the granularity at which processors inthe two protocols may introspect. In B, processors are only allowed to think about what theyknow at the start of each round. The fact that two structures whose observable behaviors areequivalent should differ so dramatically in terms of their knowledge gives us cause to reexamineour definitions of knowledge and common knowledge.

- Let P be any protocol and let S C Rp be any subset of reachable global states. For eachi, let 0%s be the restriction of - to S X S. As before, let G (1,...,n} be a group of theparticipants in a protocol. Let

' S "- iS)

that is, the transitive closure of the union of the 's relations for i E G. Thus, we have

p wsq * p,qCES and::. (3r >_ )(3i,,q..,i, 6 G)(Bp,,... ,p,_ E S)[P is -S P2 P... P,-1 s

We generalize our previous definitions of knowledge by letting K denote the modal operator

o3( $) and by letting CS denote the modal operator E3 k$ As before, we omit mention of

G when G includes all participants.

The intuitive meaning of "K" is, "Participant i knows that a holds, assuming we are inS," and the intuitive meaning of "Csc " is, "It is common knowledge among the members of Gthat a holds, assuming we are in S." The following theorem makes this intuition precise.

Theorem 5.1 Let S Rp, let p C S, and let a, mean, 'We are in S.' Let G C {1,...,n}.Then

I. (P,p) o (P, p) Ki(ac-.cr)

2. (PpI =Csct * (VT 0 )(Vi>,..,ir EG)((P,p) If= K K... <

'We will call a pair of protocols such as A and 8, all of whose interactions are accomplished by a series ofmessages, isomorphic if the set of messages sequences they generate is identical up to permutations which do notswitch the order of a send and a receive by the same participant, nor the order of a send and its correspondingreceive.

12

d •d..?


Proof (1) is immediate from the definition of K-F. The proof of (2) is similar to the proof ofTheorem 3.1. U

For any protocol P and any nonempty S g Rp, the operators KS and CS seem to satisfy all

requirements stated in [HM84] for such knowledge operators. In particular we note that they

satisfy Kripke's S5 axioms (cf. [La77]).

Proposition 5.2 For any protocol P, any nonempty S 5 Rp, and G g {1,...,n}, the opera-tore Kf and C' satisfy the S5 axioms for modal operators.

Proof This is immediate from the fact that each "s and f$ is an equivalence relation. I

Let us now consider the protocol A with S = RD. The following proposition relates knowl-edge in B to knowledge with respect to S in A.

Proposition 5.3 Let S = RD and p E S. Let a be any knowledge formula all of whose K'sand C's have the superscript S. Let o& be the formula resulting from a when we remove all ofthe superscripts S. 8 Then

Proof This is an easy induction on the length of a. The most interesting case is whena = Kfis. In this case

(Ap) J= ,O* (for all q E [p] j)(A,q) J po

'-SV 4* (for all q E 1p]) )(B, q) = 50

4* (B,p} 1= Kigp'

It follows from Propositions 5.2 and 5.3 that if we consider the protocol A with S = RD,then we get a quite reasonable definition of knowledge and common knowledge. Furthermore,with these definitions new common knowledge is attained in an asynchronous protocol.

Joe Halpern [HaSS] points out that we are in a sense cheating because when we considerKS , we evaluate formulas only at the global states in S. This form of 'cheating' may howeverbe useful and appropriate. An example of a useful restriction of attention to a set of safestates occurs in databases. A database must maintain some integrity constraints which can beviolated in the middle of certain transactions. It is useful to assert that the constraints arealways satisfied and to evaluate such assertions only at the safe states in which no transactionsare incomplete. Note that during a typical run of the database system, no such safe states needoccur.

'Recall that we haven't specified the syntax of the knowledge-free formulas. Any -uch knowledge-free subfor-mula -y of a specifies a certain subset T , R4. We assume that -1 is changed to -y' in o' where 1' specifies thesame subset restricted to R,, i.e. T' = T nRo.

13

A'


6 Conclusions

We have given precise formulations of distributed protocols. For any subset S of the reachablestates, we have given a precise definition of knowledge and common knowledge with respectto S. We have presented theorems outlining some cases where new common knowledge canbe attained and some cases where it cannot. Most strikingly, we have shown that in certainsituations two plausible choices for S can give completely different results.

One can now ask the question, "For which sets of protocols is there a 'best' choice for $?"and thus a 'best' definition for knowledge and common knowledge. We suspect that in at leastcertain situations there may be such a best S, and that in this case knowledge and commonknowledge with respect to S may be valuable tools.

Many arguments in distributed systems are first formulated at the intuitive level of whatcertain processors 'know' at certain points in the computation. With precise definitions for theseconcepts, it may be easier to formulate clear and correct proofs. We believe that considerablework is needed in order to develop logical tools and demonstrate their usefulness on problemsof interest in distributed systems.

Acknowledgements

We are grateful to Dick Stearns for helpful comments on an earlier draft of this paper and toJoe Halpern, Yoram Moses, Albert Meyer, and Nancy Lynch for probing questions, constructivecriticism, and valuable suggestions on this work.

References

[CM85] K. Mani Chandy and Jayadev Misra, "How Processes Learn," Fourth ACM Syrp. onPrinciples of Distributed Computing (1985), 204-214.

[DM86] Cynthia Dwork and Yoram Moses, "Knowledge and Common Knowledge in a Byzan-tine Environment I: Crash Failures," this volume.

[FI85 Michael J. Fischer and Neil Immerman, "Propositional Logic of Knowledge and Timeis Exponential Time Complete," manuscript (1985).

r [Ha85] J. Y. Halpern, personal communication.

[HF85] J. Y. Halpern and Ron Fagin, "A Formal Model of Knowledge, Action, and Communi-cation," Fourth A CM Symp. on Principles of Distributed Computing (1985), 224-236.

[HM84] J. Y. Halpern and Y. Moses, "Knowledge and Common Knowledge in a DistributedEnvironment," Third ACM Symp. on Principles of Distributed Computing (1984),50-61.

[HM85] J. Y. Halpern and Y. Moses, "Knowledge and Common Knowledge in a Distributed

Environment," revised manuscript (October, 1985).

14


[La77] Richard Ladner, "The Computational Complexity of Provability in Systems of Modal

Propositional Logic," SIAM J. Comput. 6, 3 (1977), 467-480.

[LF81] Nancy A. Lynch and Michael J. Fischer, "On Describing the Behavior and Implemen-tation of Distributed Systems," Theoretical Comp. Sci. 18 (1981), 17-43.

[PR85] Rohit Parikh and R. Ramanujam, "Distributed Processes and the Logic of Knowledge(preliminary report)," Proc. of Workshop on Logics of Programs, Brooklyn (1985),256-268.

iI

6

6

I15

6°

..' %,* DISTRIBIJTION LIST

Office of Naval Research Contract NQ0014-82-K-0154

IMichael J. Fischer, Principal Investigator

.,,. Defense Technical Information Center Naval Ocean Systems CenterBuilding 5, Cameron Station Advanced Software Technology DivisionAlexandria, VA 22314 Code 5200(12 copies) San Diego, CA 92152

(1 copy)

Office of Naval Research Mr. E.R. Gleisser800 North Quincy Street Naval Ship Research and Development CenterArlington, VA 22217 Computation and Mathematics Department

" ;-'=-7Bethesda, MD 20084Dr. R.B. Grafton, Scientific (1 copy)

Officer (I copy)

Information Systems Program (437) Captain Grace M. Hopper(2 copies) Naval Data Automation Command

*@ Washington Navy YardCode 200 (1 copy) Building 166Code 455 (1 copy) Washington, D.C. 20374

* Code 458 (1 copy) (I copy)

Office of Naval Research Defense Advance Research Projects AgencyBranch Office, Pasadena ATTN- Program Management/MIS1030 East Green Street 1400 Wilson BoulevardPasadena, CA 91106 Arlington, VA 22209(1 copy) (3 copies)

Naval Research LaboratoryTechnical Information DivisionCode 2627Washington, D.C. 20375(1 copy)

Dr. A.L. SlafkoskyScientific AdvisorCommandant of the Marine CorpsCode RD-1Washington, D.C. 20380

-. (1 copy)

0

4" 3

-

."j,

"°Sd '

!.

-.

4 -0.2

I-i

Documents

FOUNDATIONS KNOWLEDGE DISTRIBUTED SYSTEMS on2 …Foundations of Knowledge for Distributed Systems 1 Introduction Knowledge and common knowledge are intuitive concepts that help us