Verifying Epistemic Protocols under Common Knowledge
Yanjing Wang
Centrum Wiskunde en Informatica
PO Box 94079
1090 GB Amsterdam, NL
y.wang@cwi.nl
Lakshmanan Kuppusamy
Centrum Wiskunde en Informatica
PO Box 94079
1090 GB Amsterdam, NL
klachu@gmail.com
Jan van Eijck
Centrum Wiskunde en Informatica
PO Box 94079
1090 GB Amsterdam, NL
jve@cwi.nl
Abstract
Epistemic protocols are communication pro-
tocols aiming at transfer of knowledge in a
controlled way. Typically, the preconditions
or goals for protocol actions depend on the
knowledge of agents, often in nested form.
Informal epistemic protocol descriptions for
muddy children, coordinated attack, dining
cryptographers, Russian cards, secret key ex-
change are well known. The contribution of
this paper is a formal study of a natural re-
quirement on epistemic protocols, that the
contents of the protocol can be assumed to be
common knowledge. By formalizing this re-
quirement we can prove that there can be no
unbiased deterministic protocol for the Rus-
sian cards problem. For purposes of our for-
mal analysis we introduce an epistemic pro-
tocol language, and we show that its model
checking problem is decidable.
1 Introduction
Epistemic protocols have figured in puzzle books for
quite some time; an early reference for the muddy chil-
dren protocol is [9]; they also figure as standard exam-
ples in textbooks on epistemic logic [5, 18]. A formal
study of epistemic protocols should investigate a num-
ber of natural properties of a protocol. More precisely,
the protocol should prescribe what happens no mat-
ter what the initial situation is, and it should remain
correct if the protocol itself is commonly known, in-
cluding its goal and the precise preconditions for each
action in the protocol.
Starting points for our investigation are the perspec-
tive on knowledge in perfect cryptography from [12],
the analysis of Russian cards problems in [15, 2, 18, 16]
and the analysis of multiparty secret key exchange in
[7, 8, 4].
Compared to the flourishing field of formal verification
of communication protocols that started from [3], one
thing still lacking from the above accounts is a well-
defined language for specifying epistemic protocols. As
a consequence of this, formal verification of epistemic
protocols is not easy.
Consider the case of Russian cards problems [15]. A
Russian cards problem is a specification of a random
card distribution among a set of three participants, to-
gether with a goal of communicating the hand of one
participant to another participant by public announce-
ments, in such a way that the third participant does
not learn any card in the actual hands of the other two
participants. Solutions to this should take the form of
exhaustive lists of concrete distribution of cards with
matching announcements, such that the protocol can
be executed under an arbitrary initial distribution of
cards, not just for specific ones. In this paper we
will give formal specifications of such protocols. We
then can make formal distinctions that have not been
made before with informal descriptions of epistemic
protocols, like that between deterministic and non-
deterministic protocols, and analyze their properties.
For example, the 7-hand direct exchange solutions to
the Russian cards problem provided in [15] suggest un-
biased (non-deterministic) protocols that may work on
every initial distribution. However, we show that a
deterministic protocol that is executable on arbitrary
initial distributions exists for this, but that it is nec-
essarily biased.
A notable feature of epistemic protocols, compared to
more usual communication protocols, is that the cor-
rectness of the epistemic protocols heavily relies on
the assumptions of the agents’ meta knowledge about
the protocol itself. It is reasonable to assume that
the protocol and its goals are commonly known by all
the agents including possible adversaries, if we want
to apply the protocol repeatedly in real life cases. The
following example of a tentative four hand solution
for Russian cards problem RCP
2.2.1
1
illustrates how
such meta knowledge matters in the verification of the
protocol. To check the correctness of protocols under
the assumption that the protocol in commonly known,
formalization of protocols is clearly imperative.
Example 1 (Guess My Cards) There are 5 cards
(0-4) and three agents {A, B, E}; agent A has two
cards, B has two cards, and E has only one card. A
wants to inform B of his hand by public announce-
ment, without revealing his cards to E. A ‘promising
protocol’ for this is that A announces the disjunction
of his actual hand (say 01) with all the different combi-
nations of the remaining cards, so he would announce
“I have 01 or 23 or 24 or 34.” Since B has one more
card than E he can eliminate all of 23, 24 and 34, while
E can only eliminate two of 23, 24 and 34. However,
it does not work like this anymore if E knows that the
protocol is meant to reveal A’s hand to B. Assume
that E has 3. Then E will know that A has either
01 or 24. Now suppose that A has 24 and B has 01.
Then B could not have learnt A’s hand from A’s an-
nouncement. So E can infer that A has 01. Another
way to see that the would-be protocol is wrong is as
follows. The procedure to generate the announcement
should also be commonly known. In the above case this
procedure is a function from card hands to announce-
ments f (xy) =“ I have xy or z
1
z
2
or z
2
z
3
or z
1
z
3
.”,
where z
1
, z
2
, z
3
are the remaining 3 cards other than
x, y. This function is injective, so the announcement
reveals the hand immediately.
1.1 Contributions
The main contributions of this paper are:
• An expressive protocol specification and verifica-
tion language whose model checking is decidable.
• Formal specifications and checks of epistemic pro-
tocols under common knowledge, from which it
follows that:
– the sequential muddy children protocol can
be formally proved correct;
– there is a correct, deterministic biased proto-
col for RCP
3.3.1
;
– there is no correct, deterministic and unbi-
ased 2-step protocol for RCP
3.3.1
;
– the non-deterministic 1-bit secret key genera-
tion protocol can be formally proved correct.
1
The parameters n.n.k express that first agent and sec-
ond agent each have n cards, and the third has k cards.
Structure of the paper We define the protocol
specification language in Section 2. Section 3 talks
about epistemic protocols in normal forms and their
verification problem under common knowledge. De-
terministic protocols for Russian cards problems are
studied in Section 4. We also demonstrate non-
deterministic protocol verification in Section 5 by look-
ing at a simplified secret-key generation protocol.
2 Preliminaries
Informally, epistemic protocols are the communication
patterns which make use of agents’ epistemic reason-
ing power in executions, in order to guarantee the ex-
change of certain information without leaking unde-
sired information to the possible adversaries. In this
paper we focus on the ones which implement public
announcements as the only communication methods,
since public announcements are the simplest and best
studied communication method in logic [18].
2.1 Language and Semantics
We define an Epistemic Protocol Language L
EP
for
specifying epistemic protocols and for reasoning about
them. The language is kept as simple as possible.
More realistic versions may have agent variable assign-
ment, to express things like “for agent := 1 to n do
. . . ”. The protocols are meant to be general; there is
no intrinsic link between agents and announcements.
Such links can be established by restricting announce-
ments to the form “agent a knows that . . . ”.
Assume p ranges over Φ and a over an agent set Ag.
The protocol language is a variation on dynamic epis-
temic languages as defined in [14, 13], with public an-
nouncement [!φ] as the basic communicative operation.
The new twist in this paper is that public announce-
ments are among the epistemic programs π as defined
below. Further on, when we discuss the specification
and analysis of unbiased protocols, we will extend the
language with a graded modality.
φ ::= > | p | ¬φ | φ
1
∧ φ
2
| [π]φ
π ::= a |?φ |!φ | π
1
; π
2
| π
1
∪ π
2
| π
∗
Below, we will be more specific about basic propo-
sitions p, and may take them to be of the certain
forms, e.g. has
a
x for a ∈ Ag, for certain applica-
tions. We employ the usual abbreviations: φ ∨ ψ,
φ → ψ and hπiφ are shorthand for ¬(¬φ ∧ ¬ψ), ¬φ ∨ ψ
and ¬[π]¬φ, respectively. The truth value of a L
EP
formula φ in a state s of a multi-S5 Kripke model
M = (S, {∼
i
|i ∈ Ag}, V ), is defined by:
M, s p ⇔ p ∈ V (s)
M, s ¬φ ⇔ M, s 2 φ
M, s φ ∧ ψ ⇔ M, s φ and M, s ψ
M, s [π]φ ⇔ for all M
0
, s
0
: (M, s)JπK(M
0
, s
0
)
implies M
0
, s
0
φ
where π are epistemic programs functioning as model
changers:
(M, s)JaK(M
0
, s
0
) ⇔ M
0
= M and s ∼
a
s
0
(M, s)J?ψK(M
0
, s
0
) ⇔ (M
0
, s
0
) = (M, s)
and M, s ψ
(M, s)J!ψK(M
0
, s
0
) ⇔ (M
0
, s
0
) = (M|
ψ
, s)
and M, s ψ
(M, s)Jπ
1
; π
2
K(M
0
, s
0
) ⇔ (M, s)Jπ
1
K ◦ Jπ
2
K(M
0
, s
0
)
(M, s)Jπ
1
∪ π
2
K(M
0
, s
0
) ⇔ (M, s)Jπ
1
K ∪ Jπ
2
K(M
0
, s
0
)
(M, s)J(π
1
)
∗
K(M
0
, s
0
) ⇔ (M, s)Jπ
1
K
∗
(M
0
, s
0
)
where M|
ψ
is the restriction of M to the states where
ψ holds; ◦, ∪ and
∗
at right-hand side express the usual
composition, union and reflexive transitive closure on
relations respectively.
As usual, in order to emphasise the intuitive epistemic
meanings of some of our operators, we write K
a
φ for
[a]φ and we use Cφ for [(
S
i∈Ag
i)
∗
]φ (the common
knowledge operator).
A notable difference between our language and the
PDL-style dynamic epistemic languages as in [14, 13]
is that we treat atomic programs and announcements
in an uniform way. Thus, we not only allow compli-
cated program constructions on announcements like
(!φ∪!ψ)
∗
but also the interaction between atomic pro-
grams and announcements. For example, [(!ψ; (a ∪
b))
∗
]φ expresses conditional common knowledge of φ
among a, b w.r.t. announcements. When we interpret
basic programs as arbitrary basic actions as in PDL,
then (?ψ; (!ψ∪a))
∗
can express a protocol which makes
choices repeatedly between an announcement and a
basic action while ψ holds.
To understand the expressivity better, we identify a
fragment of L
EP
which can be translated into PDL.
Call a formula echo-free if it has no public announce-
ments in the scope of a star. Any echo-free L
EP
for-
mula can be translated into a formula without an-
nouncements, by proceeding in two steps. The first
translation t is as follows:
t(>) = >
t(p) = p
t(¬φ) = ¬t(φ)
t(φ
1
∧ φ
2
) = t(φ
1
) ∧ t(φ
2
)
t([a]φ) = [a]t(φ)
t([?ψ]φ) = t(ψ) → t(φ)
t([!ψ]φ) = [!t(ψ)]t(φ)
t([π
1
∪ π
2
]φ) = t([π
1
]φ) ∧ t([π
2
]φ)
t([π
1
; π
2
]φ) = t([π
1
][π
2
]φ)
t([π
∗
]φ) = [π
∗
]t(φ)
This yields an equivalent formula where each program
π either has the form !φ or is announcement-free. Thus
the transformed formulas of t can be regarded as LCC
formulas in [13], if we consider the public announce-
ments as the corresponding single-pointed action mod-
els. Next, apply the translation procedure T in [13] to
transform the LCC formulas into P DL.
The translation T ◦ t thus yields an equivalent PDL
formula, for all echo-free L
EP
formulas. Note that this
translation cannot be extended to the full L
EP
lan-
guage, due to the result of [11] which states that the
satisfiability problem of a language containing at least
iterated relativization ((!φ)
∗
) and common knowledge
operators is undecidable, even on finite models. How-
ever, for model checking problem we have:
Proposition 1 Model checking L
EP
on finite Kripke
models is decidable.
Proof : The idea of the proof is based on the obser-
vation that the epistemic programs are eliminative in
nature. We want to turn L
EP
model checking M, s φ
into PDL-style model checking on a larger finite model
N such that instead of interpreting π in φ as model
changers on M, we can see π as a label for a relation
in N . Intuitively, we build N by making all the pos-
sible pointed sub-models (M
0
, s
0
) of M as the states
in N . In N , the a-relations ∼
N
a
are defined as follows:
(M
0
, s
0
) ∼
N
a
(M
00
, s
00
) ⇐⇒ M
0
= M
00
and s
0
∼
a
s
00
in M
0
. Valuations V
N
((M
0
, s
0
)) = V
M
0
(s
0
). Now we
are ready to compute all the corresponding relations
of π in N by usual treatments in PDL model checking
algorithms for PDL-operators ; , ∪ and
∗
and the fol-
lowing operation to deal with !φ
0
: M
0
, s
0
→
!φ
0
M
00
, s
00
iff M
00
= M
0
|
φ
0
and s
0
= s
00
. To compute M
0
|
φ
0
we
need to call the model checking algorithm again but
since φ
0
is strictly simpler than φ, we will finally arrive
at a situation that can be handled by the PDL model
checking algorithm. 2
3 Epistemic protocols
In this section, we address the epistemic protocols and
their verification problem formally. We first restrict
ourselves to a sub-language L
SP
of L
EP
with propo-
sition set P and agent set Ag, in order to specify the
epistemic protocols in a simpler but adequate form:
φ ::= > | p | ¬φ | φ
1
∧ φ
2
| [π]φ
π ::= π
act
| π; π
0
| π
∗
π
act
::= ?φ; !ψ | π
act
∪ π
0
act
Intuitively we want to specify a sequence of conditional
announcements which may involve non-deterministic
choices. Actions ?φ; !ψ are guarded announcements,
with φ as the precondition and ψ as the message.
Note that a protocol often comes with assumptions
about the initial situation where the protocol can be
applied and implicitly a set of “axioms” about the
facts which should remain true while the protocol is
running. These define the “physical setting” of the
protocol. For example, in RCP we may assume that
at the beginning each player has a certain number
of different cards and for each card c it holds that
has
i
c →
V
j6=i
¬has
j
c, where has
j
c is a basic propo-
sition with the obvious meaning: j has card c. In
this paper we will not focus on the specification of the
initial states, but assume that given a protocol Prot,
there is an initial model M
Prot
, with a set of axioms
T
Prot
which are valid on M
Prot
and remain valid while
executing the protocol
2
. T
Prot
is used in the following
to define deterministic protocols which intuitively can
execute only one action at any time starting from the
initial situation.
Definition 1 (Epistemic Protocol) An epistemic
protocol Prot is a pair hπ
Prot
, Φ
Prot
i where π
Prot
is
an epistemic program in the language L
SP
and Φ
Prot
is a set of (announcement-free) formulas serving as
the goal of the protocol. A step of Prot is a guarded
action or a choice among guarded actions. A step
?φ
1
; !ψ
1
∪· · · ∪?φ
n
; !ψ
n
is called deterministic if it holds
that ∀i 6= j < n :
If {φ
i
∧ φ
j
} ∪ T
Prot
is satisfiable then ψ
i
= ψ
j
.
A protocol is called deterministic if each of its steps
is, and non-deterministic if it is not deterministic. A
protocol Prot is of definite length if π
Prot
is echo-free,
otherwise it is of indefinite length. The length of a
protocol of definite length is the number of its steps.
Note that the goals in the above definition are intended
to be met at the end of the protocol, but our formalism
can also express checks of protocol steps, by sequen-
tially composing the step π with a guarded command
?φ; !> (effectively a check of φ).
An epistemic protocol is expected to be implemented
in an environment where every announcement is pub-
licly broadcasted in the possible presence of some pas-
sive eavesdropper. A run of the protocol is a sequence
of guarded announcements ?φ; !ψ, which is executable
on the initial model according to the protocol specifi-
cation. We will assume that no different instantiations
of a protocol run in parallel.
Definition 2 (Verification of Epistemic Protocol)
Verification of an epistemic protocol Prot is checking
whether all the goals hold after any run or some
2
Formally T
Prot
can be considered as a subset of the
formulas that are not only valid at M
Prot
but also preserved
under any π operations.
run of the protocol against the initial model M
Prot
under any initial state. The usual distinction between
safety and liveness properties applies. Checks of
safety properties have the form M
Prot
[π]φ, those
of liveness properties are of the form M
Prot
hπiφ,
where M
Prot
ϕ iff for all s ∈ M
Prot
, s ϕ.
Note that if a deterministic protocol is of definite
length then checking [π]φ coincides with hπiφ, if the
protocol is always executable on M
Prot
. For proto-
cols of indefinite length, we may want to check hπiφ
to make sure the protocol achieves its goal φ at some
finite run.
We call a model connected if every state is connected
to all other states by a path of epistemic relations.
Note that in most applications, the initial models are
connected, assuming that the agents are perfect rea-
soners who can imagine the possibilities others may
think given the facts they can observe. Now we can
use common knowledge to reformulate the verification
problem:
Proposition 2 Suppose M is a connected model then
for any s ∈ M,
M φ ⇐⇒ M, s Cφ
This means to verify that a protocol is correct under
any possible initial information distribution is to check
the common knowledge of the correctness of the pro-
tocol at some arbitrary initial situation.
As we motivated in the introduction, we assume the
protocol is commonly known in the following sense:
1. The guards of the actions are commonly known;
2. The truthfulness of the announcements is com-
monly known;
3. The goals of the protocol are commonly known.
Such requirements call for a bit of further streamlin-
ing on the form of protocols in our framework. To
motivate this, consider the following choice:
(?q; !¬p) ∪ (?¬q; !p).
According to requirement (1) above, the agent should
be able to learn q from the announcement of ¬p. In
general, for each guarded action ?φ; !ψ, we can make
the precondition commonly known by announcing it
too. Thus we may assume: ψ → φ is valid. Accord-
ing to the above requirement (2), for each ?φ; !ψ that
occurs in a protocol we may assume that φ → ψ is
valid. Some reflection shows that the above require-
ments together boil down to the requirement that in
each guarded action the guard and the announcement
are the same. Thus, we can restrict our attention to
choices of the following normal form:
S
i
?!φ
i
, where ?!φ
i
is an abbreviation for ?φ
i
; !φ
i
3
.
Given an epistemic protocol Prot, we can transform
every step ?φ
1
; !ψ
1
∪ · · · ∪?φ
n
; !ψ
n
of it into the right
shape under the assumptions of (1) and (2) by the
following procedure:
• Lump the same actions in each step of the pro-
tocol together: if ψ
1
= · · · = ψ
m
then we can
replace ?φ
1
; !ψ
1
∪ · · · ∪?φ
m
; !ψ
m
by an equivalent
single guarded action ?(φ
1
∨ · · · ∨ φ
m
); !ψ
1
.
• Transform every appearance of ?φ
1
; !ψ
1
into ?(φ
1
∧
ψ
1
); !(φ
1
∧ ψ
1
).
To implement requirement (3), the straightforward
idea would be simply checking the common knowledge
of the correctness of the protocol (C[π]φ or Chπiφ).
We will show this is indeed enough to guarantee the
protocol is correct under the assumption that the
agents know the goals that the protocol should fulfil.
Let us start from the observation made in [15] that
just checking M, w [!ψ]φ
goal
is sometimes not suffi-
cient, for a one step protocol !ψ aiming at establishing
φ
goal
. Indeed, if the agents know the intended goal of
the protocol then they will assume that others do not
perform actions which do not lead to the goal. Such
an assumption gives agents the power to reason more,
as we also saw in Section 1, which sometimes destroys
the correctness of the protocol. Now we can try to
make agents know the goal of protocol by announcing
it.
In [15] the author proposed that the verification should
be undertaken while an announcement !ψ is inter-
preted more than just announcing ψ
4
:
M, w [!(ψ ∧ [!ψ]φ
goal
)]φ
goal
The idea behind this is that we announce the goal of
the announcement to make sure that under the as-
sumption that agents know the goal, the protocol is
still correct. However, if [!(ψ ∧ [!ψ]φ
goal
)]φ
goal
is now
assumed and known by agents, we still need to make
sure that knowing this again does not affect the cor-
rectness of the protocol. We can iterate such reasoning
ad libitum. Formally we define:
3
Although equivalent to !φ, ?!φ is still used in the fol-
lowing for its clearer reading in protocol specification ac-
cording to L
SP
.
4
In the original setting of [15], it is suggested that the
announcement of !ψ by agent a aiming at establishing ψ is
actually !(ψ ∧ [!ψ]K
a
φ), we omit the details in [15] that are
relevant to the context of Russian cards problem.
• η
0
= [!ψ]φ
• η
i+1
= [!(ψ ∧ η
0
∧ · · · ∧ η
i
)]φ
We can simplify η
i+1
, by making use of the valid for-
mula [!(ψ ∧ [!ψ]φ)]χ ↔ [!ψ][!φ]χ:
Proposition 3 η
i+1
= [!ψ; !φ; . . . ; !φ
| {z }
i
]φ
We actually need to check all η
i
, since there are cases
where all the η
i
are logically different
5
.
Notice that if φ
goal
is in the shape of Cφ then
η
i+1
= [!ψ] [!Cφ] . . . [!Cφ]
| {z }
i
Cφ ⇔ [!ψ]Cφ = η
0
.
due to the fact that [!Cφ]Cφ is a valid formula [18],
thus making the infinite process of checking η
i
man-
ageable. In [15], the author suggests that instead of
checking property φ, we should check property Cφ.
Note that the simplification in Proposition 3 works
on the one-announcement-protocols, but it is not very
clear how to deal with the more complicated forms
of the epistemic protocols as we defined in this paper.
Thus checking common knowledge after the run of the
protocol may not be grounded.
Now we take another perspective, instead of reinter-
preting each announcements, we address the formula
to be checked as a whole. Intuitively, we strengthen
[π]φ
goal
by some ψ such that:
• ψ should imply [π]φ
goal
.
• if [π]ψ
goal
is true then truthfully announcing φ
in advance should not change the truth value of
[π]φ
goal
.
Thus formally we require:
ψ ↔ [π]φ
goal
∧ h!ψi[π]φ
goal
Unfortunately, f(X) = [π]φ
goal
∧ h!Xi[π]φ
goal
is not
a monotonic function, given no restriction on [π]φ
goal
.
However, it is not hard to see that the common knowl-
edge of the correctness of the protocol itself is indeed
a fixed point for f (X):
Proposition 4 C[π]φ
goal
is a fixed point of f (X), but
[π]Cφ
goal
is not always a fixed point of f (X).
5
Consider the dynamic epistemic analysis of the tra-
ditional Muddy Children puzzle [18]. There is always a
model M, s such that M, s [!ψ; !φ; . . . ; !φ
| {z }
i
]φ, but M, s 2
[!ψ; !φ; . . . ; !φ
| {z }
i+1
]φ where φ is the formula that expresses “We
do not know whether we are dirty or not”.