Common knowledge: application to distributed systems Caesar Ogole, Jan Gerard Gerrits, Harrie de...

Post on 20-Dec-2015


Common knowledge: application to distributed systems

Caesar Ogole, Jan Gerard Gerrits, Harrie de Groot, Julius Kidubuka & Stijn Colen

Common Knowledge in Distributed Systems

Looking back to the definition:

The Kripke model M associated with a distributed system is

M = <S, π, R1, …, Rm>

where:

S = {(s1, …, sm) | si is a local state of processor i}

π : S → P → {t, f}

Ri = {(s, t) | si = ti} for i = 1, …, m

Some limiting properties of M

M does not contain any information about the actual state transformations (that the system executes or is subject to).

The actual process is determined by:
the structure of the processes
the way they are programmed
the protocols by which they communicate

Introducing the notion of a run of a system

Epistemic logic is limited in the sense that it cannot express anything about the way in which a process comes about.

However, it is possible to describe processor knowledge using the concept of a run

A run in M is defined as:

s(1) → s(2) → …

(→ is not to be confused with ↠)

Our main interest in a run: the behaviour of common knowledge during a run (given M)

Some prior knowledge

Consider the figure below:

Proposition 1

If we let s be a state in the Kripke model M, and Ks the ‘upward cone’ of s, then:

(i) (M, s) ⊨ Cφ if (M, t) ⊨ φ for all t ∊ Ks

(ii) if Cφ holds in s (i.e. (M, s) ⊨ Cφ) then Cφ holds in every world of Ks

Proof

(i) (M, s) ⊨ Cφ ↔ (M, t) ⊨ φ for all t with s ↠ t ↔ (M, t) ⊨ φ for all t ∊ Ks

(ii) … (proof (or hint) to be given)

Next: some more concepts

Definition (2.2.3) Strongly Connected

Let M = <S, π, R1, …, Rm> and ↠ be defined as before. Then:

M is called strongly connected if for all s, t ∊ S it holds that s ↠ t.

Meaning: every state is reachable from every other state in 0 or more steps.

[Figure: three diagrams of a model with states s0, s1 and si, ti ∊ S linked by R1 and Ri: “Model”, “Connected” (s → t), and “Strongly connected” (s ↠ t)]

Proposition (2.2.3.1) Connected Distributed Systems

The Kripke model associated with a distributed system is strongly connected if m > 1.

[Figure: the four global states (0,0), (1,0), (0,1), (1,1) of a two-processor system, linked by R1 and R2 edges]

All states are reachable within 2 steps, because of the strongly connected relations.

Proof: s ↠ t

Prove for any s, t ∊ S in the Kripke model of the distributed system that s ↠ t holds.

Let s = (s1, s2, …, sm) and t = (t1, t2, …, tm). Then:

s = (s1, s2, …, sm) → (s1, t2, …, tm) → (t1, t2, …, tm) = t

where the first step is an R1-step (first component unchanged) and the second an Ri-step for some i ≠ 1 (components 2, …, m unchanged).

Thus: s ↠ t

Example: Model with multiple dimensions

si = <0,1,1,0,0,1,1,0>

si+1 = <1,1,1,0,0,1,1,0>

ti = <1,1,1,0,0,0,1,0>

Every state is reachable within 2 steps

Theorem (2.2.4) General Result

Let M be a strongly connected Kripke model. Suppose that for some state s and a formula φ it holds that (M, s) ⊨ Cφ.

Then: M ⊨ Cφ

Proof

If (M, s) ⊨ Cφ then M ⊨ Cφ, because:

φ is true for all states in Ks

In a strongly connected system every state of S is in Ks

Corollary

Let M be a Kripke model associated with a distributed system with processors 1, …, m (m > 1).

If (M, s) ⊨ Cp for some s ∊ S, then

M ⊨ Cp

Common knowledge is constant through every run of M (Julius)

because a Kripke model of a distributed system is strongly connected

Example 1

Given the following distributed system: processors A, B, C; local states 0, 1 (let P = {p, q}).

Describe the Kripke model M for this system, along with a truth assignment such that:

(i) M ⊨ Cp

(ii) There is a global state s such that (M, s) ⊨ Eq, but not M ⊨ Eq

Possible worlds (the cube): (0,0,0), (1,0,0), (0,0,1), (1,0,1), (0,1,1), (1,1,1), (1,1,0), (0,1,0)

Description of the model

M = <S, π, RA, RB, RC>

S = {(x, y, z) | x, y, z ∈ {0,1}}

where s = (x1, y1, z1) and t = (x2, y2, z2):

RA: (s, t) ∈ RA ↔ x1 = x2
RB: (s, t) ∈ RB ↔ y1 = y2
RC: (s, t) ∈ RC ↔ z1 = z2

π: ∀s ∈ S: π(s)(p) = t

π(s)(q) = f ↔ s = (1,1,1)

Questions

1. M ⊨ Cp

p is true in every state, so we have M ⊨ Cp.

2. There is a global state s such that (M, s) ⊨ Eq, but not M ⊨ Eq

If we choose s = (0,0,0), we have (M, s) ⊨ Eq.

Since q is false in (1,1,1), we have M ⊭ Eq.

Example 2

Show that for any Kripke model M it holds that: M ⊨ φ ⇒ M ⊨ Cφ

Answer: Suppose M ⊨ φ. Then in all s ∊ S, (M, s) ⊨ φ. But then φ is true in all Rc-successors of each world: let s, t ∊ S such that (s, t) ∊ Rc. Since φ is true in all states of S, we have (M, t) ⊨ φ, and thus (M, s) ⊨ Cφ.

Counter example

Counter example of: M ⊨ φ → Cφ

In the first example (cube): (M, (0,0,0)) ⊨ q ∧ ¬Cq

and thus: M ⊭ q → Cq.

[Figure: the cube of states (0,0,0), (1,0,0), (0,0,1), (1,0,1), (0,1,1), (1,1,1), (1,1,0), (0,1,0) from Example 1]
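The claims of Example 1, the counterexample M ⊭ q → Cq and Proposition 2.2.3.1 can all be checked mechanically. The following model checker is an added example, not part of the slides; it builds the product model for m processors with local states {0, 1}, computes E and C via the upward cone Ks, and tests strong connectivity.

```python
from itertools import product
from collections import deque

# Added example (not from the slides): model checker for the Kripke model of a
# distributed system, where (s, t) ∈ R_i iff the local states s_i and t_i agree.

def build_model(m, local_states=(0, 1)):
    """Global states are m-tuples; succ[i][s] = states processor i cannot tell from s."""
    S = list(product(local_states, repeat=m))
    succ = [{s: {t for t in S if t[i] == s[i]} for s in S} for i in range(m)]
    return S, succ

def E(S, succ, truth):
    """Eφ holds at s iff every processor considers only φ-states possible at s."""
    return {s for s in S if all(succ_i[s] <= truth for succ_i in succ)}

def cone(succ, s):
    """Ks, the 'upward cone': all t with s ↠ t, with the number of steps to reach each."""
    dist, queue = {s: 0}, deque([s])
    while queue:
        u = queue.popleft()
        for succ_i in succ:
            for t in succ_i[u]:
                if t not in dist:
                    dist[t] = dist[u] + 1
                    queue.append(t)
    return dist

def C(S, succ, truth):
    """Proposition 1 (i): Cφ holds at s iff φ holds at every t ∈ Ks."""
    return {s for s in S if set(cone(succ, s)) <= truth}

def strongly_connected(S, succ):
    """Definition 2.2.3: s ↠ t for all s, t. Returns (holds?, most steps ever needed)."""
    cones = [cone(succ, s) for s in S]
    return all(len(c) == len(S) for c in cones), max(max(c.values()) for c in cones)

def example_1():
    """The 3-processor cube: p true everywhere, q false only at (1,1,1)."""
    S, succ = build_model(3)
    p = set(S)
    q = set(S) - {(1, 1, 1)}
    origin = (0, 0, 0)
    return {
        "M |= Cp": C(S, succ, p) == set(S),
        "(M,(0,0,0)) |= Eq": origin in E(S, succ, q),
        "M |= Eq": E(S, succ, q) == set(S),
        "(M,(0,0,0)) |= q and not Cq": origin in q and origin not in C(S, succ, q),
        "strongly connected, max steps": strongly_connected(S, succ),
    }
```

`build_model(1)` is not strongly connected, matching the m > 1 condition, while every m ≥ 2 reaches any state within 2 steps.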

Example: Increasing common knowledge

Model: M = <S, π, R1, R2, RE, RC> obtained as:

S = {a, b}; π(x)(p) = t iff x = a; and R1 = R2 = {(a, a), (b, b)}. In the run a ➙ b it is the case that the common knowledge about ¬p increases:

We have (M, a) ⊨ ¬C¬p while (M, b) ⊨ C¬p

[Figure: two states, a (where p holds) and b (where ¬p holds), each with reflexive R1 and R2 loops]

Some comments

We would expect common knowledge in distributed systems to increase by communication

Why not?

Hence the Kripke model loses the property of being strongly connected

Plausible solution

Consider Kripke models M = <S, π, R1, …, Rm> where S is a subset of S1 × S2 × … × Sm rather than the full product (S = S1 × … × Sm).

The task at hand is to prove that C-knowledge is constant, hence…

Definition 2.2.11

A run s(1) → s(2) → … is called non-simultaneous if for every transition s(k) → s(k+1) there exists a processor 1 ≤ i ≤ m with si(k) = si(k+1).

Theorem 2.2.12

“In non-simultaneous runs common knowledge is constant”

Proof of Theorem 2.2.12

Suppose s → s' for s = (s1, s2, …, sm) and s' = (s1', s2', …, sm') with si = si', and consequently (s, s') ∈ Ri, and suppose (M, s') ⊨ Cφ.

Now it holds that:

(M, s') ⊨ Cφ → (M, s') ⊨ ECφ → (M, s') ⊨ KiCφ

….

Since Ri is an equivalence relation, it holds that:

(s, s') ∈ Ri → (s', s) ∈ Ri

Using the definition of the semantics of the Ki-operator, we have:

(M, s) ⊨ Cφ

….

From above, any C-knowledge present in s' is also present in s and vice versa as well

Hence, C-knowledge is constant at the non-simultaneous transition s → s'

Then by induction, C-knowledge is also constant in a non-simultaneous run.

Co-ordinated Attack Problem

Two separated generals co-ordinating an attack

Cφ (φ = “attack at time x!”) is necessary. Messengers may be captured by the enemy.

[Figure: General A and General B on either side of the hostile army, communicating by messenger]

Attaining Cφ: φ; messenger carries φ: KBφ; messenger carries KBφ: KAKBφ; messenger carries KAKBφ: …

Ad infinitum… Cφ is never attained (in finite time)

Even without actual deletion or delay (common knowledge about deletion or delay is enough)

Each message adds only one level of knowledge

Proof by induction: no finite number of messages is enough.

0 messages: ¬KBφ

Inductive step, k messages insufficient: ¬Cφ

If k+1 suffice: the sender of message k+1 attacks without confirmation, so message k+1 was apparently irrelevant and k messages should have sufficed, which contradicts the inductive hypothesis.

Non-guaranteed communication

NG1: for all r and t, there exists r' extending (r, t) such that r' has the same history and internal clock as r, and r' receives no messages on or after t.

NG2: if in r, pi does not receive messages in (t', t), there exists r' extending (r, t') with h(pi, r, t'') = h(pi, r', t'') for all t'' ≤ t, and no other processor pj receives a message in r' in [t', t).

Consequence of NG1 & NG2

If Cφ can be attained by communication, Cφ can be attained without communication. Since no k messages are enough, either is impossible in the current problem.

Proof by induction follows

C without guaranteed communication (1)

Theorem:

r: run in R; d(r): number of messages in r up to time t; r*: the same run in R with no messages up to time t.

(I, r, t) ⊨ Cφ ↔ (I, r*, t) ⊨ Cφ

Base case d(r) = 0: h(p1, r, t) = h(p1, r*, t), hence

(I, r, t) ⊨ Cφ ↔ (I, r*, t) ⊨ Cφ

C without guaranteed communication (2)

Assume the hypothesis holds for all runs r' with d(r') = k. Assume d(r) = k + 1:

t' < t is the latest time of message reception in r before t

pj receives a message at t' in r. There is a run r' for which h(pi, r, t'') = h(pi, r', t'') for all t'' ≤ t, and every other processor pk receives no messages in [t', t).

C without guaranteed communication (3)

d(r') ≤ k

Inductive hypothesis, when d(r') = k: (I, r*, t) ⊨ Cφ ↔ (I, r', t) ⊨ Cφ

Since h(pi, r, t) = h(pi, r', t):

(I, r, t) ⊨ Cφ ↔ (I, r', t) ⊨ Cφ

Therefore: (I, r, t) ⊨ Cφ ↔ (I, r*, t) ⊨ Cφ

Possible solution

Problem: t > n > b > a OR t > n > a > b

“Attack, I will attack once I am sure we both will.”

Solution: t > b > n > a OR t > a > n > b

“Attack, please ack, I will not re-ack.”

Discussion

Does the TCP protocol solve the problem?

Are there real-life equivalents of this problem? With less strict requirements?