Common knowledge: application to distributed systems - PowerPoint PPT Presentation

Caesar Ogole, Jan Gerard Gerrits, Harrie de Groot, Julius Kidubuka & Stijn Colen ... The Kripke Model M associated with a distributed system is. M= S, R1 .Rm where: ... – PowerPoint PPT presentation

1
Common knowledge: application to distributed systems
  • Caesar Ogole, Jan Gerard Gerrits, Harrie de Groot, Julius Kidubuka & Stijn Colen

2
Common Knowledge in Distributed Systems
  • Looking back to the definition
  • The Kripke model $M$ associated with a distributed system is
  • $M = \langle S, R_1, \ldots, R_m \rangle$
  • where
  • $S = S_1 \times \cdots \times S_m$ ($S_i$: local states of processor $i$)
  • $\pi : S \to P \to \{t, f\}$,
  • $R_i = \{(s, t) \mid s_i = t_i\}$ for $i = 1, \ldots, m$

3
Some limiting properties of M
  • M does not contain any information about the
    actual state transformations (that the system
    executes or is subject to).
  • The actual process is determined by
  • The structure of the process
  • The way they are programmed
  • The protocols by which they communicate

4
Introducing the notion of a run of a system
  • Epistemic logic is limited in the sense that it
    cannot express anything about the way in which a
    process comes about.
  • However, it is possible to describe processor
    knowledge using the concept of a run
  • A run in M is defined as
  • s(1), s(2) ?
  • (? is not to be confused with
    )
  • Our main interest in a run
  • Behaviour of some common knowledge during a run
    (given M)

5
Some prior knowledge
  • Consider the figure below
  • 1 Proposition
  • If we let $s$ be a state in the Kripke model $M$, and $K_s$ the upward cone of $s$, then
  • (i) $(M, s) \models C\varphi$ if $(M, t) \models \varphi$ for all $t \in K_s$
  • (ii) if $C\varphi$ holds in $s$ (i.e. $(M, s) \models C\varphi$) then $C\varphi$ holds in the worlds of $K_s$

6
Proof
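  • (i) $(M, s) \models C\varphi \Leftrightarrow (M, t) \models \varphi$ for all $t$ with $s \twoheadrightarrow t$ $\Leftrightarrow (M, t) \models \varphi$ for all $t \in K_s$
  • (ii) (proof (or hint) to be given)
  • Next: some more concepts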

7
Definition (2.2.3): Strongly Connected
Let $M = \langle S, \pi, R_1, \ldots, R_m \rangle$ and $\twoheadrightarrow$ be defined as before.
Then $M$ is called strongly connected if for all $s, t \in S$ it holds that $s \twoheadrightarrow t$.
Meaning: every state is reachable from every other state in 0 or more steps.
8
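Model
[Figure: states $s_0$, $s_1$; relation $R_1$; $s_i \in S$]
9
Model
[Figure: states $s_0$, $s_1$, $t_i$; relations $R_1$, $R_i$; $s_i \in S$, $t_i \in S$]
10
Connected
[Figure: states $s_0$, $s_1$, $t_i$; relations $R_1$, $R_i$; $s_i \in S$, $t_i \in S$; $s \twoheadrightarrow t$]
11
Strongly connected
[Figure: states $s_0$, $s_1$, $t_i$; relations $R_1$, $R_i$; $s_i \in S$, $t_i \in S$; $s \twoheadrightarrow t$]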
12
Proposition (2.2.3.1): Connected Distributed Systems
The Kripke model associated with a distributed system is strongly connected if $m > 1$.
[Figure: states (0,0), (0,1), (1,0), (1,1) with relations $R_1$ and $R_2$]
All states are reachable within 2 steps, because of the strongly connected relations.
13
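Proof: $s \twoheadrightarrow t$
Prove for any $s, t \in S$ in the Kripke model of the distributed system that $s \twoheadrightarrow t$ holds.
$s = (s_1, s_2, \ldots, s_m)$, $t = (t_1, t_2, \ldots, t_m)$
$s = (s_1, s_2, \ldots, s_m) \xrightarrow{R_1} (s_1, t_2, \ldots, t_m) \xrightarrow{R_i,\ i \neq 1} (t_1, t_2, \ldots, t_m) = t$
Thus $s \twoheadrightarrow t$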
14
Example: Model with multiple dimensions
$s_i = \langle 0,1,1,0,0,1,1,0 \rangle$
$s_{i+1} = \langle 1,1,1,0,0,1,1,0 \rangle$
$t_i = \langle 1,1,1,0,0,0,1,0 \rangle$
Every state is reachable within 2 steps
15
Theorem (2.2.4): General Result
Let $M$ be a strongly connected Kripke model.
Suppose that for some state $s$ and a formula $\varphi$ it holds that $(M, s) \models C\varphi$. Then $M \models C\varphi$.
16
Proof
  • IF $(M, s) \models C\varphi$ THEN $M \models C\varphi$
  • because
  • $\varphi$ is true for all states in $K_s$
  • In a strongly connected system all states are in $K_s$

17
Corollary
  • Let $M$ be a Kripke model associated with a distributed system with processors $1, \ldots, m$ ($m > 1$)
  • $(M, s) \models Cp$, $s \in S$
  • $M \models Cp$
  • Common knowledge is constant through every run of $M$ (Julius)

because a Kripke model of a distributed system is strongly connected
18
Example 1
Given the following distributed system:
Processors: A, B, C
Local states: 0, 1
(let $P = \{p, q\}$)
Describe the Kripke model $M$ for this system, along with a truth assignment such that
  1. $M \models Cp$
  2. There is a global state such that $(M, s) \models Eq$, but not $M \models Eq$

19
Possible Worlds
(0,1,1)
(1,1,1)
(1,0,1)
(0,0,1)
(0,1,0)
(1,1,0)
(0,0,0)
(1,0,0)
20
Description of the model
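$M = \langle S, \pi, R_A, R_B, R_C \rangle$
$S = \{(x, y, z) \mid x, y, z \in \{0, 1\}\}$
where $s = (x_1, y_1, z_1)$ and $t = (x_2, y_2, z_2)$:
$R_A$: $(s, t) \in R_A \Leftrightarrow x_1 = x_2$
$R_B$: $(s, t) \in R_B \Leftrightarrow y_1 = y_2$
$R_C$: $(s, t) \in R_C \Leftrightarrow z_1 = z_2$
$\pi$: $\forall s \in S$, $\pi(s)(p) = t$; $\pi(s)(q) = f \Leftrightarrow s = (1,1,1)$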
21
Questions
1. $M \models Cp$: $p$ is defined true everywhere, so we have $M \models Cp$.
2. There is a global state such that $(M, s) \models Eq$, but not $M \models Eq$: if we choose $s = (0,0,0)$, we have $(M, s) \models Eq$. Since $q$ is false in $(1,1,1)$, we have $M \not\models Eq$.
22
Example 2
  • Show that for any Kripke model $M$ it holds that $M \models \varphi \Rightarrow M \models C\varphi$
  • Answer: Suppose $M \models \varphi$. Then in all $s \in S$, $(M, s) \models \varphi$. But then $\varphi$ is true in all $R_C$-successors of each world: let $s$ and $t \in S$ such that $(s, t) \in R_C$. Since $\varphi$ is true in all states of $S$, we have $(M, t) \models \varphi$, and thus $(M, s) \models C\varphi$.

23
Counter example
  • Counter example of $M \models \varphi \to C\varphi$
  • In the first example (cube), $(M, (0,0,0)) \not\models q \to Cq$ and thus $M \not\models q \to Cq$.
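
The cube model of Example 1 and the counter example above can be checked mechanically. The following is an added example, not part of the original slides; the function names (`R`, `cone`, `valid`, `strongly_connected`) and the encoding of formulas as Python predicates are assumptions made for illustration.

```python
from itertools import product

AGENTS = {"A": 0, "B": 1, "C": 2}        # processor -> index of its local state
S = list(product((0, 1), repeat=3))       # global states (x, y, z)

# Truth assignment from the slides: p holds everywhere, q fails only in (1,1,1).
VAL = {"p": lambda s: True, "q": lambda s: s != (1, 1, 1)}

def R(agent, s):
    """States the processor cannot tell apart from s (same local state)."""
    i = AGENTS[agent]
    return [t for t in S if t[i] == s[i]]

def K(agent, phi):
    """K_i phi: phi holds in every state processor i considers possible."""
    return lambda s: all(phi(t) for t in R(agent, s))

def E(phi):
    """E phi: every processor knows phi."""
    return lambda s: all(K(a, phi)(s) for a in AGENTS)

def cone(s):
    """Upward cone K_s: states reachable from s in 0 or more R_i steps."""
    seen, todo = {s}, [s]
    while todo:
        u = todo.pop()
        for a in AGENTS:
            for t in R(a, u):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen

def C(phi):
    """C phi: phi holds throughout the upward cone (each R_i is reflexive)."""
    return lambda s: all(phi(t) for t in cone(s))

def valid(phi):
    """M |= phi: phi holds in every global state."""
    return all(phi(s) for s in S)

def strongly_connected():
    return all(cone(s) == set(S) for s in S)

if __name__ == "__main__":
    p, q = VAL["p"], VAL["q"]
    print("M |= Cp:", valid(C(p)))
    print("(M,(0,0,0)) |= Eq:", E(q)((0, 0, 0)), "  M |= Eq:", valid(E(q)))
    print("q -> Cq at (0,0,0):", (not q((0, 0, 0))) or C(q)((0, 0, 0)))
```

Because the model is strongly connected, `C(q)` is false in every state even though `q` itself fails in only one of the eight.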

24
Example: Increasing common knowledge
  • Model $M = \langle S, \pi, R_1, R_2, R_E, R_C \rangle$ obtained as $S = \{a, b\}$, $\pi(x)(p) = t$ iff $x = a$, and $R_1 = R_2 = \{(a, a), (b, b)\}$. In run $a \to b$ it is the case that the common knowledge about $p$ increases
  • We have $(M, a) \models Cp$ while $(M, b) \not\models Cp$

[Figure: states $a$ and $b$, each labelled $R_1 R_2$ and $p$]
25
Some comments
  • We would expect common knowledge in distributed
    systems to increase by communication
  • Why not?
  • Hence the Kripke model loses the property of
    being strongly connected

26
Plausible solution
  • Consider Kripke models $M = \langle S, \pi, R_1, \ldots, R_m \rangle$ where $S$ is a subset of $S_1 \times S_2 \times \cdots \times S_m$ rather than ($S = S_1 \times \cdots \times S_m$)
  • The task at hand is to prove that C-knowledge is constant, hence

27
Definition 2.2.11
  • A run $s^{(1)} \to s^{(2)} \to \cdots$
  • is called non-simultaneous if for every
  • transition $s^{(k)} \to s^{(k+1)}$ there exists
  • a processor $1 \le i \le m$ with $s_i^{(k)} = s_i^{(k+1)}$

28
Theorem 2.2.12
  • In non-simultaneous runs common knowledge is
    constant

29
Proof of Theorem 2.2.12
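  • Suppose $s \to s'$ for $s = (s_1, s_2, \ldots, s_m)$ and $s' = (s_1', s_2', \ldots, s_m')$ with $s_i = s_i'$, and consequently $(s, s') \in R_i$, and suppose $(M, s') \models C\varphi$.
  • Now it holds that
  • $(M, s') \models C\varphi \Rightarrow (M, s') \models EC\varphi \Rightarrow (M, s') \models K_i C\varphi$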

30
.
  • Since $R_i$ is an equivalence relation, it holds that
  • $(s, s') \in R_i \Rightarrow (s', s) \in R_i$
  • Using the definition of the semantics of the $K_i$-operator, we have
  • $(M, s) \models C\varphi$

31
.
  • From above, any C-knowledge present in s' is also
    present in s and vice versa as well
  • Hence, C-knowledge is constant at the non-simultaneous transition $s \to s'$
  • Then by induction, C-knowledge is also constant
    in a non-simultaneous run.

32
Co-ordinated Attack Problem
  • Two separated generals co-ordinating an attack
  • $C\varphi$ ($\varphi$ = "attack at time x!") necessary
  • Messengers may be captured by enemy

[Figure: General A, General B, communication, hostile army]
33
Attaining $C\varphi$
  • $\varphi$, messenger $\varphi$
  • $K_B\varphi$, messenger $K_B\varphi$
  • $K_A K_B\varphi$, messenger $K_A K_B\varphi$
  • Ad infinitum
  • $C\varphi$ is never attained (in finite time)
  • Even without actual deletion or delay (common knowledge about deletion or delay is enough)
  • Each message adds only one level of knowledge

34
Proof by induction: no finite amount of messages is enough
  • 0 messages $K_B\varphi$
  • Inductive step, $k$ messages insufficient $C\varphi$
  • If $k+1$ suffice
  • $k+1$'s sender attacks without confirmation
  • $k+1$ was apparently irrelevant
  • $k$ should have sufficed
  • which contradicts the inductive hypothesis
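
The claim that each delivered message adds only one level of knowledge, and that $C\varphi$ is never reached, can be seen in a small finite model. This is an added example, not part of the original slides; the state encoding (number of messages delivered, with -1 for "no order given"), the cap `N` and all function names are assumptions made for illustration.

```python
N = 6                                # constructed cap on delivered messages
STATES = list(range(-1, N + 1))      # -1: A never decided; k >= 0: k messages delivered

def phi(s):
    """phi = 'A has decided to attack'."""
    return s >= 0

def indist(agent, s):
    """States the given general ('A' or 'B') cannot tell apart from s."""
    out = {s}
    for lo in STATES[:-1]:
        hi = lo + 1
        # Message number hi is sent by A when hi is odd and by B when hi is
        # even; its sender cannot tell whether it arrived. B also cannot tell
        # "no order" (-1) from "order sent but lost" (0).
        unsure = "B" if lo == -1 else ("A" if hi % 2 == 1 else "B")
        if agent == unsure and s in (lo, hi):
            out |= {lo, hi}
    return out

def E(prop):
    """E prop: both generals know prop."""
    return lambda s: all(prop(t) for a in "AB" for t in indist(a, s))

def depth(s):
    """Largest d such that E^d phi holds at s; inf would mean C phi."""
    if not phi(s):
        return None
    prop, d = phi, 0
    while d <= len(STATES):          # more iterations than states is a fixpoint
        prop = E(prop)
        if not prop(s):
            return d
        d += 1
    return float("inf")

def common_knowledge(s):
    return depth(s) == float("inf")

if __name__ == "__main__":
    for k in range(N + 1):
        print(f"{k} messages delivered: E^{depth(k)} phi holds, "
              f"C phi: {common_knowledge(k)}")
```

Raising `N` only lengthens the chain: after k deliveries exactly k levels of "everyone knows" hold, so no finite k yields common knowledge.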

35
Non-guaranteed communication
  • NG1 for all r and t, r exists extending (r,t)
  • r has same history and internal clock as r
  • r receives no messages on or after t
  • NG2 if in r, pi does not receive messages in
    (t, t)
  • r exists extending (r, t), with h(pi, r, t)
    h(pi, r, t) for all t lt t
  • no other processor pj receives message in r in
    t, t)

36
Consequence of NG1 and NG2
  • If $C\varphi$ can be attained by communication, $C\varphi$ can be attained without communication
  • Since no $k$ messages are enough, either is impossible in the current problem
  • Proof by induction follows

37
C without guaranteed communication (1)
  • Theorem
  • r run in R
  • d(r) amount of messages in r up to time t
  • r same run in R, no messages up to time t
  • (I, r, t) Cf ? (I, r, t) Cf
  • d(r) 0
  • h(p1, r, t) h(p1, r, t)
  • (I, r, t) Cf ? (I, r, t) Cf

38
C without guaranteed communication (2)
  • Assume hypothesis holds for all runs r with
    d(r) k
  • Assume d(r) k 1
  • t lt t is latest time of message reception in r
    before t
  • pj receives message at t in r
  • There is a run r for which h(pi, r, t)h(pi,
    r, t) for all t t
  • Other processor pk receives no messages in t,
    t)

39
C without guaranteed communication (3)
  • d(r) lt k
  • Inductive hypothesis, when d(r) k (I, r, t)
    Cf ? (I, r, t) Cf
  • Since h(pi, r, t) h(pi, r, t)
  • (I, r, t) Cf ? (I, r, t) Cf
  • Therefore (I, r, t) Cf ? (I, r, t) Cf

40
Possible solution
  • Problem
  • $t > n > b > a$ OR $t > n > a > b$
  • Attack, I will attack once I am sure we both will.
  • Solution
  • $t > b > n > a$ OR $t > a > n > b$
  • Attack, please ack, I will not re-ack.

41
Discussion
  • Does TCP protocol solve the problem?
  • Are there real-life equivalents of this problem?
  • With less strict requirements?