In this appendix we proof some of the propositions and theorems used throughout the thesis. Proofs of LTL-reductions of chapter 4

Transcription

1 AppendixA Selected Proofs In this appendix we proof some of the propositions and theorems used throughout the thesis. Proofs of LTL-reductions of chapter 4 In chapter we introduced a linear-time temporal logic for the expression of norms. There we have given semantical definitions of various normatives that are expressable in the logic mentioned. We claimed that these normatives could be reduced to expressions containing only temporal operators already in the formalism, and we will prove some of these reductions here. Reduction of Deadlines In definition 4.5 we defined deadlines as the following: M, s OBLIGED(a, P BEFORE D) def t s : M, t D and ( s u < t : M, u NOTviol(a, P, D)) and (( s v < t : M, v P and M, v ALWAYS NOTviol(a, P, D)) or ( s w < t : M, w P and M, t viol(a, P, D))) We now show that this can be reduced to the LTL formula as presented in proposition 4.6. Assuming that M at state s satisfies OBLIGED(a, P BEFORE D), i.e. the LTL model complies with the semantical definition given above, we will show that these models satisfy the proposition 4.6 as well. The first condition of definition 4.5, t s : M, t D, tells us that D will hold in some world in the future (with s the current world), i.e. M, s SOMETIMED. Although D may hold many times more in the future, we are mainly interested 185

2 186 APPENDIX A in its first occurrence: (NOT D UNTIL D) From the second condition, s u < t : M, u NOT viol(a, P, D), we know that no violations will occur before the deadline occurs (in time moment t), i.e. ((NOT D AND NOTviol(a, P, D)) UNTIL D). The last condition then specifies how the deadline handles the compliance and violation, respectively. This condition defines two different cases: 1. Conditions 1 and 2 hold until the (first) appearance of P (strictly before the appearance of D), after which no violation of the deadline can occur; or 2. Conditions 1 and 2 hold until the deadline holds and a violation occurs. Let us first look at the case defining the violation first. s w < t : M, w P and M, t viol(a, P, D) tells us that, before t has happened (the time-moment of the deadline), P will never occur, and, in that case, t satisfies viol(a, P, D). Combined with our currently derived formula (for conditions 1 and 2) we get: (D AND viol(a, P, D) ] However, if the deadline is adhered to, which is expressed in the first part of the last condition, there is a state v before t (but after s) where P holds, and after that viol(a, P, D) never holds (note that, because v happens strictly before t, v also satisfies NOT D, as expressed in the second condition of definition 4.5). This leads to the following when combined with the formula for conditions 1 and 2 (assuming that the occurrence of P is the first occurrence 1 ): (NOTD AND P AND ALWAYS NOTviol(a, P, D) ] Combining both cases, we get a formula expressing the deadline: ((NOTD AND P AND ALWAYS NOTviol(a, P, D)) OR (D AND viol(a, P, D))) ] Which is exactly the LTL-reduction mentioned in proposition 4.6. The formal reduction, which we explained (informally) above, shows that models expressed by the reduction are also the same as those defined by the semantic definition (thus proving that the reduction is equivalent to the semantic definition): 1 This assumption is warranted because if P would occur more then once before D, the same restrictions hold on the model.

3 SELECTED PROOFS 187 t s : M, t D and ( s u < t : M, u NOTviol(a, P, D)) and (( s v < t : M, v P and M, v ALWAYS NOTviol(a, P, D)) or ( s w < t : M, w P and M, t viol(a, P, D))) M, s SOMETIMED and M, s (NOTD AND NOT viol(a, P, D))UNTILD and ( s v < t : M, v NOT D AND P AND ALWAYS NOT viol(a, P, D)) or ( s w < t : M, w NOTP and M, t viol(a, P, D) M, s SOMETIMED and M, s (NOT D NOTP AND NOTviol(a, P, D))UNTIL(D AND viol(a, P, D)) or (M, s (NOT D AND NOTP NOT viol(a, P, D))UNTIL (NOTD AND P AND ALWAYS NOTviol(a, P, D))) ] ((NOTD AND P AND ALWAYS NOTviol(a, P, D)) OR (D AND viol(a, P, D))) ] Reduction of Temporal Prohibitions We can show that the reduction from the Temporal prohibitions of definition 4.7 to the LTL reduction in proposition 4.9 can be done in a similar manner. In definition 4.7 temporal prohibitions are defined as follows: M, s FORBIDDEN(a, P BEFORE D) def If t s : M, t D then ((( s u < t : M, u P and M, u NEXT viol(a, P, D)) and ( s w < u : M, w P and M, w NOT viol(a, P, D))) or ( s v < t : M, v P and M, v NOT viol(a, P, D) and M, t ALWAYS NOT viol(a, P, D))) and if t s : M, t D then u s : if M, u P then M, u NEXT viol(a, P, D) This temporal prohibition works, in essence, similar to the deadline specified above. We show (formally) that the semantical definition is equivalent to a formula in LTL, as given by proposition 4.9.

4 188 APPENDIX A If t s : M, t D then (( s u < t : M, u P and M, u NEXT viol(a, P, D)) and ( s w < u : M, w P and M, w NOT viol(a, P, D))) or ( s v < t : M, v P and M, v NOT viol(a, P, D) and M, t ALWAYS NOT viol(a, P, D)) ] and if t s : M, t D then u s : if M, u P then M, u NEXT viol(a, P, D) If M, s SOMETIMED then (( s u < t : M, u P AND NEXT viol(a, P, D)) and ( s w < u : M, w NOTP AND NOT viol(a, P, D))) or (M, s (NOT D AND NOTP AND NOT viol(a, P, D))UNTIL (D AND ALWAYS NOTviol(a, P, D))) ] and if M, s ALWAYS NOTD then u s : M, u P IMPLIESNEXT viol(a, P, D) If M, s SOMETIMED then (M, s (NOTAND NOT NOTP AND NOT viol(a, P, D))UNTIL (NOTD AND P AND NEXT viol(a, P, D))) or (M, s (NOT D AND NOTP AND NOT viol(a, P, D))UNTIL (D AND ALWAYS NOTviol(a, P, D))) ] and if M, s ALWAYS NOTD then u s : M, u P IMPLIESNEXT viol(a, P, D) M, s ( SOMETIME D IMPLIES (NOT D AND NOT P AND NOT viol(a, P, D)) UNTIL ((D AND NOT P AND NEXTALWAYS ]) NOT viol(a, P, D)) OR (P AND NEXT viol(a, P, D))) AND ( ]) ALWAYS NOT D IMPLIES ALWAYS P IMPLIES NEXT viol(a, P, D) Which is exactly expressed in proposition 4.9. ProofsofTheoremsusedinChapter6 In sections 6.4 and 6.5 several theorems were used to derive the safety and liveness properties of the protocol. Some of these theorems, like theorem 6.13, theorem 6.17 and 6.18 were derived from Kröger, 1987], and proofs of these theorems can be found there. The other theorems are proven in this section.

5 SELECTED PROOFS 189 Derivation Rule The following theorem was mentioned in section 6.4 to derive the invariance of a violation predicate: Theorem A.1(Derivation Rule) The following rule is valid: M O x (α < δ) M atπ i α M atπ i δ M atπ i viol(x, α, δ) Proof. We show semantically that theorem A.1 holds. First, remember that O(α < δ) stated in means the following (see definition 4.5): M, s O x (α < δ) t s : M, t δ and ( s u < t : M, u V ) and (( s v < t : M, v α and M, v V ) or ( s w < t : M, w α and M, t V )) Now, knowing that M, s O(α < δ), for s being the state where start Π holds (remember, we are only interested in those situations where the norms hold and the protocol is started), we also know that there will be a state t such that δ holds. Moreover, all states from s up to t will satisfy V, and either there exists a state between s and t (s included) where α holds, in which case V will holds as well, or α does not hold in any state between s and t (again, s included), in which case V holds in t. Suppose we have that, for some state i s : M, i atπ i. Now we have to prove that M, i V. Since we know that atπ i δ is true in all states of the computation we know that M, i δ, meaning that the moment that atπ i holds the deadline has not yet occurred, so we can conclude that s i < t. Moreover, since atπ i α holds, i.e. atπ i counts as α, we know that α happens before the deadline. This means that s i < t : M, i α holds, and according to the semantical definition given above we can conclude that M, i V holds as well. Therefore, we can conclude that atπ i V and, in particular, atπ i V hold. Liveness Rule The following theorem was mentioned in section 6.5 to derive the liveness property of a protocol: Theorem A.2(Liveness Rule) The following rule is valid when γ and γ are invari-

6 190 APPENDIX A ants of Π: start Π γ (atπ e ϕ 1 ) start Π γ (atπ e ϕ 2 ) start Π (atπ e (γ ϕ 1 ) ( γ ϕ 2 )) (A.1) (A.2) (A.3) Proof. We will only consider the cases where start Π actually holds, since those are the only cases we are interested in and the rule is trivially true those cases where start Π does not hold. Let us assume we can derive (1) and (2), and let us assume that γ actually holds. In this case start Π γ holds as well and we know, because of (1), that (atπ e ϕ 1 ) holds. Since γ is an invariant of Π, γ holds at all steps of the protocol, and thus at the moment that atπ e holds. Therefore, (atπ e γ ϕ 1 )) holds, and we can thus derive that (atπ e (γ ϕ 1 )). Since γ holds (and is an invariant of Π), we know that all states satisfy γ χ, for arbitrary χ. If we choose χ = ϕ we thus obtain the desired π e (γ ϕ 1 ) ( γ ϕ 2 )). Reasoning similarly for γ and using (2) instead, we again obtain π e (γ ϕ 1 ) ( γ ϕ 2 )). We can therefore conclude that, whenever start Π holds, π e (γ ϕ 1 ) ( γ ϕ 2 )) holds, and thus start Π (at α e (γ ϕ 1 ) ( γ ϕ 2 )).