
Exogenous Logics for Reasoning about Probabilistic Systems

PEDRO BALTAZAR and PAULO MATEUS

SQIG, Instituto de Telecomunicações, IST, TU Lisbon, Portugal

and

RAJAGOPAL NAGARAJAN

Department of Computer Science, University of Warwick, UK

Abstract. We define exogenous logics for reasoning about probabilistic systems: a probabilistic state logic EPPL, and its fixpoint extension MEPL, which is enriched with operators from the modal µ-calculus. System states correspond to probability distributions over classical states and the system evolution is modeled by parametrized Kripke structures that capture both stochastic and non-deterministic transitions. We introduce two approaches to the verification of properties expressed in these logics, one syntactic (a weakly complete Hilbert calculus) and the other semantic (a model-checking algorithm). The completeness proof of MEPL builds on the decidability of the existential theory of the real numbers and on a polynomial-space SAT algorithm for EPPL. The model checking problem for MEPL is also analysed and the logic is related to previous work. The semantics of EPPL and MEPL are defined in terms of probability distributions over sets of propositional symbols, whereas the usual approaches are designed for reasoning about distributions over paths of possible behaviour. The intended application of our logics is as a specification formalism for properties of probabilistic systems. We illustrate the use of the logics for specifying system properties with some simple examples.

1. BACKGROUND AND MOTIVATION

There are numerous applications in science where reasoning about probabilistic behaviour is necessary. In computing, applications include probabilistic algorithms, computer modelling and verification of probabilistic systems, including communication protocols with and without security guarantees. The properties of probabilistic programs in particular have been studied before using many different approaches, and it is widely accepted that the development of formal logics for reasoning about such programs is highly beneficial, allowing designers and users of systems to formulate properties which the programs may or may not satisfy.

In this paper we describe a probabilistic state logic EPPL and its fixpoint extension MEPL. Our approach is characterised by the use of an exogenous semantics, which means that the models of state formulae are essentially probability distributions of models of a propositional logic. The term exogenous was coined by Kozen [Kozen and Parikh 1984] to express the fact that the probabilities had an explicit syntax and were not hidden in the propositional symbols or connectives (as in PCTL [Hansson and Jonsson 1994]). We build on earlier work on the probabilistic state logic EPPL [Mateus et al. 2005], by extending it with operators of the modal µ-calculus; the result is a fixpoint logic for reasoning about probabilistic programs. The state logic is an extension of the probabilistic logic proposed in [Fagin et al. 1990], in which we make classical restrictions over probabilistic spaces. EPPL was initially introduced in [Mateus and Sernadas 2004; 2006] to reason about quantum states and further developed in the context of a Hoare-like logic [Chadha et al. 2007]. Our intention is to provide a powerful framework for specifying properties of communication protocols, especially security protocols. The proposed logic has sufficient expressive power to allow specification of security properties, and enables high-level reasoning due to the use of an exogenous semantics.

The exogenous semantics approach [Mateus et al. 2005] involves taking the semantic structures of a base logic (e.g. propositional logic) and combining them together, possibly adding new structure, to provide the semantics for a higher-level logic. The exogenous approach can be considered a variant of the possible-worlds semantics of Kripke. A model of EPPL is a set of possible valuations over propositional symbols (which, for instance, may denote memory cells of a probabilistic program) along with a probability space that gives the probability of each possible valuation. Indeed, as discussed in this paper, EPPL models can be reformulated more precisely as Bernoulli stochastic processes where the index space is the set of propositional symbols.

The logics described here are not directly related to the probabilistic temporal logic PCTL [Hansson and Jonsson 1994] which is used e.g. in the symbolic model-checker PRISM [Kwiatkowska et al. 2002; 2005]. There is a fundamental difference between the semantics of our logics and PCTL; whereas PCTL enables reasoning about distributions over paths in a probabilistic transition system, MEPL is designed for reasoning about how a probability distribution over a finite set of propositional symbols changes over time. The latter approach is particularly advantageous for reasoning about certain types of systems, such as distributed randomised algorithms; we will demonstrate this in the paper.

This paper is structured as follows. First, we present the syntax, semantics, model-checking problem and axiomatisation of the state logic EPPL and then turn to the fixpoint extension MEPL, discussing these same aspects in turn. We also provide intuition for the various constructs. Then, we address completeness and model checking for MEPL and, finally, we show practical applications of the proposed logics.

The central contribution of this paper is the introduction of a brand new logic MEPL for verification of probabilistic systems; the associated complexity results, algorithms, and the examples are also completely new. The paper also develops EPPL in significantly more detail than in earlier publications [Mateus and Sernadas 2004; 2006], including all the required proofs and presenting case studies.

2. A PROBABILISTIC STATE LOGIC

2.1 Syntax

The language of EPPL consists of formulae at two levels. The formulae at the first level, basic formulae, allow us to reason about program variables and locations, which we abstract as a finite set of propositional symbols Λ. The formulae at the second level, global formulae, allow us to perform probabilistic reasoning. We also consider algebraic real terms, built over a set of real logic variables R. These terms denote real numbers used for quantitative reasoning at the level of global formulae.


The syntax of the language, expressed using BNF notation, is presented in Table I.

    β := α | (¬β) | (β ⇒ β)                           basic formulae

    t := x | 0 | 1 | ∫β | (t + t) | (t × t)             algebraic real terms

    δ := (Aβ) | (β ⊥ β) | (t ≤ t) | (∼δ) | (δ ⊐ δ)     global formulae

(where α ∈ Λ and x ∈ R).

Table I. Syntax of EPPL

The basic formulae, ranging over β, β1, . . ., are built from the propositional symbols Λ and the classical connectives ¬ (negation) and ⇒ (implication). As usual, other classical connectives (f, t, ∨, ∧, ⇔) are introduced as abbreviations.

The algebraic real terms, ranging over t, t1, . . ., denote the algebraic real numbers. We assume a countable set of real variables, Var, ranging over algebraic real numbers. The algebraic real terms also contain real constants 0 and 1, which, together with addition, multiplication and the set of logical variables, allow us to express all algebraic real numbers [Basu et al. 2003]. The term ∫β denotes the probability of the event described by β, i.e. the set of valuations that satisfy β. Terms of this kind shall henceforth be called measure terms.

The global formulae, ranging over δ, δ1, . . ., are built from universal formulae (Aβ), independence formulae (β1 ⊥ β2), comparison formulae (t1 ≤ t2) and the connectives for global negation (∼) and global implication (⊐). The universal formula (Aβ) allows us to impose restrictions on the probability space, namely to impose that all elements of the sample space satisfy β. We shall also use (Eβ) as an abbreviation for (∼(A(¬β))). Intuitively, (Eβ) is satisfied if there is at least one valuation in the probability space which satisfies β. The independence formula (β1 ⊥ β2) states that the event described by β1 is independent from the event described by β2.

Other connectives for global formulae (F, T, ⊔, ⊓, ≡) and comparison predicates for real terms =, ≠, ≥, <, > are introduced as standard abbreviations. For instance, the global falsum F stands for ((Aα) ⊓ (∼Aα)) or (1 < 0), and (t1 = t2) stands for ((t1 ≤ t2) ⊓ (t2 ≤ t1)).

The notion of occurrence of a term t, and a global formula δ1, in the global formula δ is defined as usual. The same holds for the notion of replacing zero or more occurrences of probability terms and global formulae. For the sake of clarity, we shall often drop parentheses in formulae and terms, if it does not lead to ambiguity.

We shall also identify here a useful sublanguage of global formulae which do not contain any occurrence of measure terms:

    κ := (ξ ≤ ξ) | (∼κ) | (κ ⊐ κ);

    ξ := x | 0 | 1 | (ξ + ξ) | (ξ × ξ).


The algebraic real terms of this sublanguage will be called analytical real terms, and the formulae will be called analytical formulae. This sublanguage is relevant, because it is possible to apply the SAT algorithm for the existential theory of the real numbers to any analytical formula.

Example 2.1. Consider an experiment where a fair coin is tossed until the outcome is heads (represented by true). Consider an infinite, countable set of propositional symbols Λ = {α1, . . . , αn, . . .}, where αn represents getting a head at time n ∈ N. Since we stop after getting the first head, the coin will remain in that state from that point on. This property can be specified using the EPPL formulae (A(αi ⇒ αi+1)), for all i ∈ N.

2.2 Semantics

Let (Ω, F, P) be a probability space, and X = (Xα : Ω → 2)α∈Λ a stochastic process over (Ω, F, P) where each Xα is a Bernoulli random variable, i.e. Xα ranges over 2 = {0, 1}. The models of EPPL are tuples m = (Ω, F, P, X). Observe that each basic EPPL formula β induces a Bernoulli random variable Xβ : Ω → 2, defined as follows:

    X(¬β)(ω) = 1 − Xβ(ω);  and  X(β1⇒β2)(ω) = max{1 − Xβ1(ω), Xβ2(ω)}.

So, each basic formula β represents the measurable subset {ω ∈ Ω : Xβ(ω) = 1}. Moreover, each ω ∈ Ω induces a valuation vω over Λ, such that vω(α) = Xα(ω), for all α ∈ Λ. Given an EPPL model m = (Ω, F, P, X), and an attribution ρ : R → R for the real logical variables, the denotation of algebraic real terms is as follows:

—[[r]]m,ρ = ρ(r);

—[[0]]m,ρ = 0;

—[[1]]m,ρ = 1;

—[[t1 + t2]]m,ρ = [[t1]]m,ρ + [[t2]]m,ρ;

—[[t1 × t2]]m,ρ = [[t1]]m,ρ × [[t2]]m,ρ; and

—[[∫β]]m,ρ = ∫ Xβ dP = P(Xβ = 1).

Note that the term [[∫β]]m,ρ gives the expected value of Xβ. Since Xβ is a Bernoulli random variable, the expected value is the same as the probability of observing an outcome ω such that vω satisfies β.

Moreover, the satisfaction of global formulae is given by:

—m, ρ ⊩ (Aβ) iff Xβ(ω) = 1 for all ω ∈ Ω;

—m, ρ ⊩ (β1 ⊥ β2) iff [[∫(β1 ∧ β2)]]m,ρ = [[∫β1]]m,ρ × [[∫β2]]m,ρ;

—m, ρ ⊩ (t1 ≤ t2) iff [[t1]]m,ρ ≤ [[t2]]m,ρ;

—m, ρ ⊩ (∼δ) iff m, ρ ⊮ δ;

—m, ρ ⊩ (δ1 ⊐ δ2) iff m, ρ ⊩ δ2 or m, ρ ⊮ δ1.


Algebraic real terms without occurrences of real logical variables are called closed terms. A global formula involving only closed terms is called a closed global formula. Clearly, the denotation of closed terms is independent of the attribution. Consequently, the satisfaction of closed global formulae is also independent of the attribution. So, in these cases, we drop the attribution from the notation.

Example 2.2. The process in Example 2.1 can be described by the EPPL model m = (Ω, F, P, X), over the set of propositional symbols Λ, where:

—Ω = {0^k 111 . . . : k ≥ 0}, the sequences of k zeros followed by ones only;

—F = 2^Ω is the powerset of Ω;

—Xi : Ω → 2 is the state of the coin at time i ∈ N, for all αi ∈ Λ; and

—P(0^k 111 . . .) = 1/2^(k+1), for k ≥ 0.

Note that, in contrast to the usual approach in probability theory, we exclude from Ω all impossible events. In this case, we exclude all the sequences where a 1 is followed by a 0. This is important in order to ensure non-probabilistic semantics for universal formulae such as (A(αn ⇒ αn+1)) for some n ∈ N.

We have the following:

—m ⊩ (A(αi ⇒ αi+1)), for all i ∈ N; that is, when the outcome is heads the process is stopped, and the coin stays in that state henceforth;

—the configuration 001111 . . . can be represented by the basic formula ((¬α1) ∧ (¬α2) ∧ α3);

—the configuration “never heads”, 0000 . . ., cannot be represented by any basic formula. The limitation comes from the fact that the EPPL model is an infinite stochastic process, but we do not allow infinite conjunctions of EPPL propositional symbols. So, each formula will mention a finite number of random variables.

We can group the random variables into a finite set, in order to overcome the above limitation. Consider the finite stochastic process m′ = (Ω, F, P, X′), over Λ′ = {α1, . . . , αn−1, α∞}, such that (Ω, F, P) is as above. Let X′ = {X1, . . . , Xn−1} ∪ {X∞}, where each random variable X1, . . . , Xn−1 is as above, and X∞ is 1 if we eventually get “heads”, from time n, and 0 otherwise.

In this case:

—the basic formula β0 := ((¬α1) ∧ . . . ∧ (¬αn−1) ∧ (¬α∞)) represents the configuration 0000 . . . and m′ ⊩ (∫β0 ≤ 0);

—so, m′ ⊩ (∫(¬β0) ≥ 1), but m′ ⊮ (A(¬β0)).

Obviously, there are many other events that are impossible to represent within this stochastic process. However, the above example shows us that we can perform PCTL-like reasoning by encapsulating path-formulae in propositional symbols.


Remark 2.3. To design a SAT algorithm for EPPL it is important to make some observations on EPPL models. Let Vm = {vω : ω ∈ Ω} be the set of all valuations over Λ induced by m. The basic cylinders, also called rectangles, of an EPPL model m are the subsets B(b1 . . . bk) = {v ∈ Vm : v(α1) = b1, . . . , v(αk) = bk}, for k ≥ 0, α1, . . . , αk ∈ Λ, and b1, . . . , bk ∈ 2. Let Bm be the set of all basic cylinders of m. Observe that an EPPL model m = (Ω, F, P, X) induces a probability space Pm = (Vm, Fm, Pm) over valuations, where

—Fm ⊆ 2^Vm is the Borel field generated by the basic cylinders Bm; and

—Pm is defined over basic cylinders by Pm(B) = P({ω ∈ Ω : vω ∈ B}), for all B ∈ Bm.

Moreover, given a probability space over valuations P = (V, F, P), we can construct an EPPL model mP = (V, F, P, X), where, for each α ∈ Λ, we define Xα(v) = v(α), for all v ∈ V. It is easy to see that m and mPm satisfy precisely the same formulae. This means that it is enough for a SAT algorithm to search for probability spaces over valuations.

Observe that an EPPL model is a stochastic process of Bernoulli random variables, indexed by a fixed set of propositional symbols. The set of propositional symbols could denote different spatial locations, time moments, or both. We will focus on the spatial perspective, since we will explicitly temporalize EPPL models in forthcoming sections.

Given that we are working towards a complete Hilbert calculus for EPPL through a SAT algorithm, it is important to investigate whether EPPL fulfills a small model theorem. If this is the case, then an upper bound on the size of the satisfying models would imply the decidability of the logic, since it would be enough to search for models up to this bound.

Remark 2.4. The semantics of the independence formulae (β1 ⊥ β2) allows us to substitute all of its occurrences, in global formulae, by the conjunction

    (∫(β1 ∧ β2) ≤ ∫β1 × ∫β2) ⊓ (∫β1 × ∫β2 ≤ ∫(β1 ∧ β2)).

For this reason, independence formulae can be seen as syntactic sugar.

2.3 Small Model Theorem

Small model theorems are essential to derive decidability of SAT algorithms. To obtain a small model theorem for EPPL, we start by defining a quotient construction. Let δ be an EPPL formula. We denote the sets of inequalities and basic subformulae occurring in δ by iq(δ) and bsf(δ), respectively. In addition, we denote the (finite) set of propositional symbols that appear in δ by prop(δ). Given a formula δ and an EPPL model m = (Ω, F, P, X), we define the following relation on the sample space Ω:

    ω1 ∼δ ω2 iff Xα(ω1) = Xα(ω2) for all α ∈ prop(δ).

Let propω(δ) be the subset of propositional symbols of δ such that Xα(ω) = 1. We denote by [ω]δ the ∼δ-class of ω. Given an EPPL model m = (Ω, F, P, X) and an EPPL formula δ, we define the quotient model m/∼δ = (Ω′, F′, P′, X′) where:


—Ω′ = Ω/∼δ is the finite set of ∼δ-classes;

—F′ = 2^Ω′ is the powerset Borel field;

—P′(B) = P(∪B) for all B ∈ F ′;

—X ′α([ω]δ) = Xα(ω) for all α ∈ Λ.

Lemma 2.5. The relation ∼δ is a finite index equivalence relation on Ω. Moreover, if ω1 ∼δ ω2 then Xβ(ω1) = Xβ(ω2), for all β ∈ bsf(δ).

Proof. Clearly ∼δ is an equivalence relation. The set prop(δ) is finite, therefore it allows only a finite number of different ∼δ-classes. The second part of the lemma is straightforward by structural induction on β ∈ bsf(δ). Let ω1, ω2 ∈ Ω such that ω1 ∼δ ω2.

Base case: true by definition.

Induction step: When the formula is of the form (¬β), we have

    X(¬β)(ω1) = 1 − Xβ(ω1) = 1 − Xβ(ω2) = X(¬β)(ω2).

For the case (β1 ⇒ β2), we have

    X(β1⇒β2)(ω1) = max{1 − Xβ1(ω1), Xβ2(ω1)} = max{1 − Xβ1(ω2), Xβ2(ω2)} = X(β1⇒β2)(ω2).

Lemma 2.6. Let ω ∈ Ω, then

    [ω]δ = ⋂_{α ∈ propω(δ)} {ω′ : Xα(ω′) = 1} ∩ ⋂_{α ∉ propω(δ)} {ω′ : Xα(ω′) = 0}.

Moreover, [ω]δ ∈ F.

Proof. For the first claim, observe that if ω1 ∼δ ω2 then propω1(δ) = propω2(δ). We prove the second using the fact that (Xα)α∈Λ are random variables, and also that F is a Borel field.

Next, we prove that the quotient model is well defined.

Proposition 2.7. Let m = (Ω, F, P, X) be an EPPL model, and δ an EPPL formula. Then m/∼δ = (Ω′, F′, P′, X′) is a finite EPPL model.

Proof. By Lemma 2.5, Ω′ is a finite set. If B ∈ F′, then ∪B = ∪{[s]δ : [s]δ ∈ B} is in F by Lemma 2.6. By definition we get that P′([s]δ) = P([s]δ), and P′(Ω′) = P(∪Ω′) = P(Ω) = 1. So, P′ is a finite probability measure over Ω′.
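The following Python is an added illustration, not code from the paper: it evaluates EPPL terms and global formulae over a finite model given directly as a probability space over valuations (the denotations of Section 2.2 and the reduction of Remark 2.3), and implements the quotient construction of this section. It rebuilds Example 2.2's finite model m′ inline; keeping the never-heads valuation 0000… in the sample space with probability 0 is an assumption made here, so that m′ ⊮ A(¬β0) as the example states.

```python
"""EPPL over finite valuation spaces: term denotation, satisfaction, quotient (added illustration)."""
from fractions import Fraction
from functools import reduce

# basic formulae: a symbol name, ('not', b) or ('imp', b1, b2)
def Not(b):
    return ('not', b)

def Imp(b1, b2):
    return ('imp', b1, b2)

def And(*bs):
    # classical conjunction as the usual abbreviation: b1 ∧ b2 := ¬(b1 ⇒ ¬b2)
    return reduce(lambda x, y: Not(Imp(x, Not(y))), bs)

def X(beta, v):
    """Bernoulli random variable X_beta at valuation v (dict: symbol -> 0/1)."""
    if isinstance(beta, str):
        return v[beta]
    if beta[0] == 'not':
        return 1 - X(beta[1], v)
    if beta[0] == 'imp':
        return max(1 - X(beta[1], v), X(beta[2], v))
    raise ValueError(f"unknown basic connective {beta[0]!r}")

# algebraic real terms and global formulae (Table I), as tagged tuples
def Int(beta):      return ('int', beta)          # measure term ∫beta
def Const(c):       return ('const', Fraction(c))
def Var(x):         return ('var', x)
def Add(t1, t2):    return ('+', t1, t2)
def Mul(t1, t2):    return ('*', t1, t2)
def A(beta):        return ('A', beta)            # universal formula
def Indep(b1, b2):  return ('indep', b1, b2)      # independence formula
def Le(t1, t2):     return ('<=', t1, t2)
def GNot(d):        return ('gnot', d)            # global negation ∼
def GImp(d1, d2):   return ('gimp', d1, d2)       # global implication ⊐
def E(beta):        return GNot(A(Not(beta)))     # (Eβ) := ∼(A(¬β))

class Model:
    """Finite EPPL model as a probability space over valuations (Remark 2.3)."""
    def __init__(self, outcomes):
        self.outcomes = [(dict(v), Fraction(p)) for v, p in outcomes]
        assert sum(p for _, p in self.outcomes) == 1, "probabilities must sum to 1"

    def measure(self, beta):
        """[[∫beta]] = P(X_beta = 1): probability of the outcomes satisfying beta."""
        return sum(p for v, p in self.outcomes if X(beta, v) == 1)

    def term(self, t, rho):
        """Denotation of an algebraic real term under attribution rho (dict var -> value)."""
        kind = t[0]
        if kind == 'const':
            return t[1]
        if kind == 'var':
            return Fraction(rho[t[1]])
        if kind == 'int':
            return self.measure(t[1])
        a, b = self.term(t[1], rho), self.term(t[2], rho)
        return a + b if kind == '+' else a * b

    def sat(self, delta, rho=None):
        """m, rho |= delta, clause by clause as in the satisfaction definition."""
        rho = rho or {}
        kind = delta[0]
        if kind == 'A':
            return all(X(delta[1], v) == 1 for v, _ in self.outcomes)
        if kind == 'indep':
            b1, b2 = delta[1], delta[2]
            return self.measure(And(b1, b2)) == self.measure(b1) * self.measure(b2)
        if kind == '<=':
            return self.term(delta[1], rho) <= self.term(delta[2], rho)
        if kind == 'gnot':
            return not self.sat(delta[1], rho)
        if kind == 'gimp':
            return self.sat(delta[2], rho) or not self.sat(delta[1], rho)
        raise ValueError(f"unknown global connective {kind!r}")

    def quotient(self, props):
        """m/~delta for a delta with prop(delta) = props: outcomes agreeing on props
        collapse into one class whose probability is the sum, P'(B) = P(∪B)."""
        classes = {}
        for v, p in self.outcomes:
            key = tuple(sorted((a, v[a]) for a in props))
            classes[key] = classes.get(key, 0) + p
        return Model([(dict(k), p) for k, p in classes.items()])

def coin_model(n):
    """Constructed sample model: Example 2.2's finite process m' over
    {a1, ..., a(n-1), ainf}; ak = heads at time k, ainf = heads eventually from
    time n.  The never-heads outcome is kept with probability 0 (assumption)."""
    syms = [f"a{i}" for i in range(1, n)] + ["ainf"]
    outcomes = []
    for k in range(n - 1):                    # first head at time k+1: P = 1/2^(k+1)
        v = {s: (0 if i < k else 1) for i, s in enumerate(syms)}
        outcomes.append((v, Fraction(1, 2 ** (k + 1))))
    tail = dict({s: 0 for s in syms[:-1]}, ainf=1)   # no head before time n: P = 1/2^(n-1)
    outcomes.append((tail, Fraction(1, 2 ** (n - 1))))
    outcomes.append(({s: 0 for s in syms}, Fraction(0)))
    return Model(outcomes)
```

With n = 4, `coin_model(4).quotient(["a1", "a2"])` collapses the five outcomes into the three valuations over {a1, a2} and preserves the measure of every formula mentioning only those symbols, which is the first step of the proof of Theorem 2.8.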

Now, we prove that satisfaction is preserved by the quotient construction. Consequently, any satisfiable formula has a finite discrete EPPL model of size bounded by the length of the formula. We take the length of a basic formula, algebraic real term, or global formula, to be the number of symbols required to write the formula or term. The length of a formula or term ξ is denoted by |ξ|.

We are now able to establish a small model theorem for EPPL. Observe that at first sight, to construct a model for a formula δ, it seems that we need O(2^|δ|) algebraic real numbers to describe the probability measure of the Borel field over the propositional symbols occurring in δ. However, adapting a technique for eliminating spurious variables in linear programming ([Fagin et al. 1990]), we are able to set this bound to be just linear.

Theorem 2.8 (Small Model Theorem). If δ is a satisfiable EPPL formula then it has a finite model using at most 2|δ| + 1 algebraic real numbers.

Proof. Let m = (Ω, F, P, X) be an EPPL model of δ for attribution ρ. We start by computing the quotient model m′ = m/∼δ which is a finite discrete EPPL model of size 2^|prop(δ)| ∈ O(2^|δ|). We will then reduce the model to one which uses only 2|δ| + 1 algebraic real numbers.

Observe that, in the quotient model m′, we need an algebraic real number for each valuation over prop(δ). Therefore, we need at most 2^|δ| algebraic real numbers. We start by proving that m′ satisfies δ. Note that m and m′ agree in the denotation of probabilistic terms. The only non-trivial case involves terms such as (∫β). Using Lemma 2.6, for β ∈ bsf(δ), we get

    [[∫β]]m′,ρ = P′(X′β = 1) = P(∪{X′β = 1}) = P(Xβ = 1) = [[∫β]]m,ρ.

By structural induction on terms of δ, we can see that m and m′ agree on inequations, and on independence formulae.

For any subformula Aβ of δ, we have that m, ρ ⊩ Aβ iff Ω = Xβ^(−1)(1) iff Ω′ = (X′β)^(−1)(1) iff m′, ρ ⊩ Aβ. Now, since m and m′ agree on universal formulae Aβ, inequations (t1 ≤ t2), and independence formulae (β1 ⊥ β2), m′ is a model for δ by structural induction.

Finally, we will simplify m′, to obtain a model m′′ = (Ω′′, 2^Ω′′, P′′, X′′) of δ, such that |Ω′′| ≤ 2|δ| + 1.

Let {β1, . . . , βk} be the set of basic formulae β such that ∫β appears in δ, and define Ω′βi = X′βi^(−1)(1) ⊆ Ω′. Observe that k ≤ |δ|. Therefore, we can build a system of k + 1 equations

    ∑_{ω ∈ Ω′β1} xω = P′(Xβ1 = 1)
    . . .
    ∑_{ω ∈ Ω′βk} xω = P′(Xβk = 1)
    ∑_{ω ∈ Ω′} xω = 1.

For the set of equations above, there is a non-negative solution xω = P′(ω), for all ω ∈ Ω′. From Linear Programming, it is well known that, if a system of k + 1 linear equations has a non-negative solution, then there is a solution η for the system with at most k + 1 variables taking positive values (see, for instance, Theorem 9.3 in [Chvatal 1983]). Therefore, we can construct a model m′′′, such that Ω′′′ = {ω ∈ Ω′ : η(xω) > 0}, and P′′′(ω) = η(xω). Observe that m′′′ ⊩ (t1 ≤ t2) iff m′ ⊩ (t1 ≤ t2), for each inequation (t1 ≤ t2) occurring in δ. The same is true of independence formulae, since by construction m′ and m′′ agree on the denotations of terms. However, since Ω′′′ ⊆ Ω′, it may be the case that m′′′ ⊩ Aβ and m′ ⊮ Aβ, for some subformula Aβ of δ. Therefore, for each subformula Aβ of δ such that m′ ⊮ Aβ and m′′′ ⊩ Aβ, there exists ωβ ∈ Ω′ \ Ω′′′, where vωβ ⊮ β. We can now construct the model m′′, with

    Ω′′ = Ω′′′ ∪ {ωβ ∈ Ω′ \ Ω′′′ : m′ ⊮ Aβ and m′′′ ⊩ Aβ},

    P′′(ω) = P′′′(ω) if ω ∈ Ω′′′, and 0 otherwise, and

    X′′p(ω) = X′p(ω) for all ω ∈ Ω.

Clearly, |Ω′′| ≤ 2|δ| + 1 and m′′, ρ ⊩ δ. Finally, from the first order theory of real ordered fields, if there is a model for a real closed formula using real numbers, then there is a model using only algebraic real numbers [Basu et al. 2003].

The small model theorem does not impose a bound on the size of the representation of the algebraic real numbers. Indeed, an algebraic real number can be represented by the root of a polynomial of integers and an interval, and this polynomial can increase without any bound. Fortunately, due to the fact that the existential theory of real numbers can be decided in PSPACE [Canny 1988], we are able to place a bound on the size of the representation of the algebraic real numbers, as a function of the size of the formula. This will lead to a SAT algorithm for EPPL.

2.4 Decision Algorithm for Satisfaction

The decision algorithm for EPPL satisfaction uses the decidability of the existential theory of real numbers and the small model theorem. Before presenting the algorithm, we introduce some notation. Given an EPPL formula δ, we will denote by

—iq(δ), the set of all inequations (t1 ≤ t2) in δ;

—bfA(δ), the set of all universal subformulae Aβ in δ;

—ip(δ), the set of all independence subformulae β1⊥β2 in δ;

—at(δ) = bfA(δ) ∪ iq(δ) ∪ ip(δ), the set of all global atoms of δ.

From now on, by an exhaustive conjunction ε of literals of at(δ), we mean a formula ε of the form δ1 ⊓ . . . ⊓ δk, where each δi is either a global atom, or its negation. Moreover, all global atoms or their negations occur in ε, therefore k = |at(δ)|. We also consider that in formula ε all its global atoms β1 ⊥ β2 can be substituted by the global conjunction as in Remark 2.4.

Given a global formula δ, we denote by δb the propositional formula obtained by replacing in δ, each global atom δi with a fresh propositional symbol αi, for i = 1, . . . , k. We also replace in δ, the global connectives ∼ and ⊐, by the propositional connectives ¬ and ⇒, respectively. We denote by vε, the valuation over propositional symbols α1, . . . , αk, such that vε(αi) = 1 iff δi occurs positively in ε.

Given an exhaustive conjunction ε of literals of at(δ), we denote by lbfA(ε) the set of basic formulae such that β ∈ lbfA(ε) if Aβ occurs positively in ε (that is, not negated). Similarly, the set of basic formulae that occur nested by a ∼A in ε is denoted by lbfE¬(ε). Finally, we denote all the inequalities occurring in ε by liq(ε). This last set contains the new inequations introduced by the substitution of the independence formulae.

Given a global formula δ in liq(ε), we denote by δa the analytical formula where all terms of the form ∫β are replaced in δ by ∑_{v ∈ V, v ⊩ β} xv. We assume that xv is a fresh variable from Var. We can use the PSPACE SAT algorithm of the existential theory of the real numbers [Canny 1988], that we denote SatReal. We assume that this algorithm either returns no model, if there is no solution for the input system of inequations, or a solution array η, where η(x) is the solution for variable x. We denote by var(δ) the set of real logical variables that occur in δ. Given a solution η for a system with X variables and a subset Y ⊆ X, we denote by η|Y the function that maps each element y of Y to η(y).

Algorithm 1: SatEPPL(δ)

Input: EPPL formula δ

Output: (V, P) (denoting the EPPL model m = (V, 2^V, P, X)) and attribution ρ, or no model

     1:  compute bfA(δ), ip(δ), iq(δ) and at(δ);
     2:  foreach exhaustive conjunction ε of literals of at(δ) such that vε ⊩ δb do
     3:      compute lbfA(ε), lbfE¬(ε) and liq(ε);
     4:      foreach V ⊆ 2^prop(δ) such that 0 < |V| ≤ 2|δ| + 1, V ⊩ ∧lbfA(ε) and V ⊮ β for all β ∈ lbfE¬(ε) do
     5:          κ ← (∑_{v ∈ V} xv = 1) ⊓ (⊓_{v ∈ V} 0 ≤ xv);
     6:          foreach δ ∈ liq(ε) do
     7:              κ ← κ ⊓ δa;
     8:          end
     9:          η ← SatReal(κ);
    10:          if η ≠ no model then
    11:              Pη ← η|{xv : v ∈ V};
    12:              ρη ← η|var(δ);
    13:              return (V, Pη) and attribution ρη;
    14:          end
    15:      end
    16:  end
    17:  return no model;

Theorem 2.9. Algorithm 1 decides the satisfiability of an EPPL formula in PSPACE.

Proof. We now explain the algorithm and show its soundness. Given an EPPL formula δ, we start by computing (line 1) its global atoms bfA(δ), ip(δ), iq(δ) and at(δ). Observe that computing these sets can be done in PSPACE. Next, we see δ as the propositional formula δb (which is obtained by replacing each global atom with a new propositional symbol) and loop over all exhaustive conjunctions ε such that vε ⊩ δb (line 2). Note that if δ has a model m, γ then this model will either satisfy or not satisfy all global atoms at(δ). Therefore, there is an exhaustive conjunction ε such that m, γ is a model of ε and, moreover, in this case, vε ⊩ δb. On the other hand, if δ has no model, then all ε such that vε ⊩ δb have no model. Hence, to find a model for δ, it is enough to find a model for an ε such that vε ⊩ δb. Observe that at each step of the loop of line 2 we only need to store one such ε, which requires only polynomial space. In the body of the loop we check whether, given such ε, there is an EPPL model that satisfies all literals occurring in ε.

Using Remark 2.4 we rewrite ε yielding an equivalent EPPL formula without independence formulae. To check if there is an EPPL model for ε we start by computing lbfA(ε), lbfE¬(ε) and liq(ε) (line 3), which can also be stored in polynomial space. Due to Remark 2.3, it is sufficient to check for models where the outcome space Ω is given as a set of valuations of the basic propositional symbols. Moreover, due to the small model theorem (Theorem 2.8), it is sufficient to search for sets of valuations V such that |V| ≤ 2|δ| + 1. Observe that V has to satisfy the universal literals Aβ and ∼Aβ occurring in ε, that is: (i) for all β ∈ lbfA(ε) and v ∈ V we have that v ⊨ β; (ii) for all β ∈ lbfE¬(ε) there exists v ∈ V such that v ⊭ β. We can rewrite (i) as V ⊨ ∧lbfA(ε) and (ii) as V ⊭ β for all β ∈ lbfE¬(ε). Hence, it is sufficient to construct a model with a set of valuations that fulfills the guard of the loop of line 4. In the body of this loop, we shall check if there is a model of ε taking such V as the set of outcomes, that is, if there is a solution for the inequations in liq(ε). Since we only need to store a set of valuations V with |V| ≤ 2|δ| + 1 at each step of the loop, once again we need only polynomial space.

Next, we search for a model of the inequations in liq(ε) having a set of outcomes V (line 5). To this end we consider a fresh real logical variable x_v for each v ∈ V representing its probability. The idea behind this step is to build an analytical formula κ that specifies the two probability constraints expressed in line 5 and the inequations in liq(ε). This formula, κ, is constructed in line 7, by replacing the terms ∫β in liq(ε) by $\sum_{v \in V : v \models \beta} x_v$, that is, we rewrite the measure terms by the measure of their outcomes. In line 9 we call the SatReal algorithm for a solution (model) to κ. Since |κ| is polynomial in |δ| and the set of variables in κ is polynomially bounded by |δ|, SatReal will compute the solution in PSPACE. If such a solution η exists, we have succeeded in finding a model for δ. Hence, we return (V, P_η) and ρ_η, where P_η(v) is η(x_v) (line 11) and ρ_η is the restriction of η to var(δ) (line 12). As stated in Remark 2.3 this is enough to construct an EPPL model. If there is no solution η then we could not find a solution for the set V of valuations, and have to try with another V. Finally, if for all ε and V we are not able to find a solution, then there is no model for δ.

2.5 Completeness

In [Mateus et al. 2005] it is shown that a superset of the axioms and inference rules in Table II is a sound and (weakly) complete axiomatization of EPPL. Due to the EPPL SAT algorithm, we are able to show here that the calculus presented in Table II is weakly complete.

It is impossible to obtain a strongly complete axiomatization for EPPL (that is, if ∆ ⊨ δ then ∆ ⊢ δ, for an arbitrarily large, possibly infinite, set ∆) because the logic is not compact [Mateus et al. 2005]. Nevertheless, weak completeness is enough


Axioms

[CTaut] ⊢EPPL (Aβ) for each valid propositional formula β;

[GTaut] ⊢EPPL δ for each instantiation of a propositional tautology δ;

[Lift⇒] ⊢EPPL (A(β1 ⇒ β2) ⊐ (Aβ1 ⊐ Aβ2));

[EqvF] ⊢EPPL (Af ≡ F);

[Indep] ⊢EPPL ((β1 ⊥ β2) ≡ (∫(β1 ∧ β2) = ∫β1 × ∫β2));

[ROF] ⊢EPPL (t1 ≤ t2) for each instantiation of a valid analytical inequality;

[Prob] ⊢EPPL (∫t = 1);

[FAdd] ⊢EPPL ((∫(β1 ∧ β2) = 0) ⊐ (∫(β1 ∨ β2) = ∫β1 + ∫β2));

[Mon] ⊢EPPL (A(β1 ⇒ β2) ⊐ (∫β1 ≤ ∫β2));

Inference rules

[MP] δ1, (δ1 ⊐ δ2) ⊢EPPL δ2.

Table II. HCEPPL: complete calculus for EPPL

for system verification, since a program specification generates a finite number of hypotheses.

For the axiomatization of Table II, we consider a Hilbert system with a recursive set of axioms and finitary rules. Recall that the axiom schema ROF is decidable due to Tarski's result on the decidability of real ordered fields. Thus, the axioms in Table II constitute a recursive set. Note that the ROF axioms allow us to separate the reasoning about probabilities from the reasoning about real numbers.

We can simplify the proof in [Mateus et al. 2005] using the SAT algorithm presented before. The soundness of the calculus of Table II is straightforward, and so we focus on the completeness result.

Theorem 2.10. The set of rules and axioms of Table II is a weakly complete axiomatization of EPPL.

Proof. To show the completeness of the system, we use a contrapositive argument: if ⊬ δ then ⊭ δ. By definition, a formula δ is consistent if ⊬ ∼δ. So, if we prove that every consistent formula δ has a model we get the completeness result. To check this fact, observe that if ⊬ δ then ⊬ ∼∼δ, that is, ∼δ is consistent. If ∼δ is consistent it has a model and therefore ⊭ δ.

We will prove that every consistent formula δ has a model. Assume by contradiction that δ is consistent and the SAT algorithm returns no model. Let A = {ε exhaustive conjunction of literals : v_ε ⊨ δ^b}. By the completeness of propositional


logic it follows that $\vdash (\bigvee_{\varepsilon \in A} \varepsilon^b) \Leftrightarrow \delta^b$, and by GTaut we have that $\vdash \bigsqcup A \equiv \delta$. If δ is consistent then there is an ε which is consistent, and if δ has no model, then the consistent ε has no model as well. If the SAT algorithm returns no model for ε it has to be for one of the following two reasons: (i) it cannot find a V at line 4; (ii) for all viable V the SatReal algorithm returns no model at line 9. We will now show that for both cases we can contradict the consistency of ε.

In case (i) – no V can be found at line 4 – it cannot be because |V| > 2|δ| + 1, due to the small model theorem. This means that if we remove the bound 0 < |V| ≤ 2|δ| + 1 in line 4, and consider all possible sets of valuations, the algorithm would also fail. In particular, taking V = 2^prop(δ), it must happen that

(a) V ⊭ ∧lbfA(ε), or

(b) V ⊨ β for some β ∈ lbfE¬(ε).

For case (a) we have that ⊭ ∧lbfA(ε) and so ⊭ β for some β ∈ lbfA(ε), or equivalently ⊨ β ⇒ f. But by completeness of the propositional calculus we have that ⊢ β ⇒ f; by CTaut we have that ⊢ A(β ⇒ f), and by Lift⇒ and EqvF we have that ⊢ ∼(Aβ), from which follows ⊢ ∼ε, which contradicts the consistency of ε. In case (b) there is β ∈ lbfE¬(ε) such that β is a tautology. Then, by CTaut, ⊢ Aβ. From the last derivation we get ⊢ ∼ε, which contradicts the consistency of ε.

In case (ii), the algorithm fails at line 9 for all viable V computed in line 4. From the small model theorem it can be seen that the algorithm would also fail at line 9 for all V such that

$V \models \bigwedge \mathrm{lbf}_A(\varepsilon)$ and $V \not\models \beta$ for all $\beta \in \mathrm{lbf}_{E\neg}(\varepsilon)$, (1)

independently of the bound on the size of V. It is easy to see that the sets of valuations satisfying (1) are closed under unions, and therefore there is a largest V fulfilling (1), say V_max, and for this set the algorithm would fail at line 9. Let V^c = 2^prop(δ) \ V_max. Since ε is consistent it is easy to see that ε′ = ε ⊓ (⊓_{v∈V^c} A¬β_v) is consistent, where β_v is a propositional formula that is satisfied only by the valuation v. Indeed, ⊢ ∧lbfA(ε) ⇒ ¬β_v for all v ∈ V^c, from which we derive that

$\vdash (\bigsqcap_{\beta \in \mathrm{lbf}_A(\varepsilon)} A\beta) \sqsupset (\bigsqcap_{v \in V^c} A\neg\beta_v)$

and so ⊢ ε′ ≡ ε. Thus, if ε is consistent then ε′ is also consistent, and if there is no model for ε then there is no model for ε′ as well, and the algorithm will fail precisely in line 9.

By RCF we have $\vdash \sim\kappa^{x_v}_{\int\beta_v}$, where $\kappa^{x_v}_{\int\beta_v}$ is the formula κ in which we replace each variable x_v by the term ∫β_v, with β_v a propositional formula that is satisfied only by v. By Prob, FAdd and Mon we have ⊢ (A¬β_v) ⊐ (∫β_v = 0), thus we can derive

$\vdash \varepsilon' \sqsupset (\bigsqcap_{v \in V^c} (\textstyle\int\beta_v = 0))$. (2)

From $\vdash \sim\kappa^{x_v}_{\int\beta_v}$, FAdd and RCF we obtain that

$\vdash \bigsqcap_{v \in V^c} (\textstyle\int\beta_v = 0) \sqsupset \sim\bigsqcap_{\alpha \in \mathrm{liq}(\delta)} \alpha$. (3)


Finally, by CTaut we have

$\vdash \sim\bigsqcap_{\alpha \in \mathrm{liq}(\delta)} \alpha \sqsupset \sim\varepsilon'$. (4)

So, from (2), (3) and (4) we obtain with tautological reasoning ⊢ ε′ ⊐ ∼ε′, from which we conclude ⊢ ∼ε′. This contradicts the consistency of ε′ and thus the consistency of δ. For this reason there must be a model for ε′ and consequently a model for δ.

2.6 Model Checking

Given a finite set of propositional symbols Λ, using the small model theorem we can assume that all EPPL models are defined over a discrete and finite probability space.

For the model checking procedure we have to deal with computer representation and, in practice, probabilities are represented by floating point numbers and not symbolically by algebraic real numbers. Therefore we consider only EPPL models m = (Ω, F, P, X) specified with floating point arrays. Observe that, since floating point numbers are rational numbers, they are also algebraic real numbers. Therefore the semantics given in Section 2.2 does not require any modification. We represent an EPPL model as a |Λ| × |Ω| matrix X of boolean values for the random variables and an |Ω|-array P of real numbers for the probabilities. The size of Ω is at most 2^|Λ|. Therefore an EPPL model can be stored in memory by the record (P, X).

Let δ be an EPPL global formula. We consider that in δ we have already replaced all occurrences of independence formulae (β1 ⊥ β2) by inequalities as described in Remark 2.4.

We define the arrays

bsf(δ) = (β1, ..., βk), ast(δ) = (t1, ..., ts) and gsf(δ) = (δ1, ..., δm, δ)

as the ordered tuples of basic subformulae, algebraic real subterms and global subformulae of δ, respectively, ordered by increasing length. An attribution ρ for real logical variables is also represented by a finite array whose dimension is determined by the number of real logical variables in the formula δ, which is bounded by s (the length of ast(δ)). As usual for floating point numbers, we assume that the basic arithmetical operations take O(1) time.

Given an EPPL model m = (Ω, F, P, X), an attribution ρ and a global formula δ, the model checking problem consists of determining whether m, ρ ⊨ δ. Model checking of EPPL is detailed in Algorithm 2.

Theorem 2.11. Assuming that all basic arithmetical operations and accessing array/matrix values take O(1) time, Algorithm 2 takes O(|δ| · |Ω|) time to decide if an EPPL model m = (Ω, F, P, X) and attribution ρ satisfy δ.

Proof. The first part of the model checking algorithm (lines 1–7) consists of writing a Boolean |bsf(δ)| × |Ω| matrix B where the entry B(i, j) is X_{β_i}(ω_j), for all 1 ≤ i ≤ |bsf(δ)| and 1 ≤ j ≤ |Ω|. In the second part of the algorithm (lines 8–16), we evaluate all the subterms to a real |ast(δ)|-array T, where T(i) = [[t_i]]_{m,γ}, for all


Algorithm 2: CheckEPPL(m, ρ, δ)

Input: EPPL model m = (P, X), attribution ρ and a formula δ

Output: Boolean value G(|gsf(δ)|)

1   for i = 1 to |bsf(δ)| do                            /* this loop iterates O(|δ|) times */
2       switch β_i do                                    /* each case takes O(|Ω|) time */
3           case α : B(i) = X_α;
4           case (¬β_j) : B(i) = 1 − B(j);
5           case (β_j ⇒ β_l) : B(i) = max(1 − B(j), B(l));
6       end
7   end
8   for i = 1 to |ast(δ)| do                            /* this loop iterates O(|δ|) times */
9       switch t_i do                                    /* each case takes O(|Ω|) */
10          case z : T(i) = ρ(z);
11          case 0 or 1 : T(i) = t_i;
12          case ∫β_j : T(i) = B(j).P;                   /* this case takes O(2|Ω|) */
13          case (t_j + t_l) : T(i) = T(j) + T(l);
14          case (t_j . t_l) : T(i) = T(j).T(l);
15      end
16  end
17  for i = 1 to |gsf(δ)| do                            /* this loop iterates O(|δ|) times */
18      switch δ_i do                                    /* each case takes O(|Ω|) */
19          case (Aβ_j) : G(i) = Π_{l=1}^{|Ω|} B(j, l);  /* this case takes O(|Ω| − 1) */
20          case (t_j ≤ t_l) : G(i) = (T(j) ≤ T(l));
21          case (∼δ_j) : G(i) = 1 − G(j);
22          case (δ_j ⊐ δ_l) : G(i) = max(1 − G(j), G(l));
23      end
24  end

1 ≤ i ≤ |ast(δ)|. In this part, the denotation of the term ∫β_i is calculated in line 12 by the matrix product of the two arrays, [[∫β_i]]_{m,γ} = B(i).P, for all 1 ≤ i ≤ |bsf(δ)|. Finally, in the third part of the algorithm (lines 17–24), we evaluate all global subformulae to a Boolean |gsf(δ)|-array G, where G(i) = 1 iff m, γ ⊨ δ_i, for all 1 ≤ i ≤ |gsf(δ)|, and return as output G(|gsf(δ)|).
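To make the three passes of Algorithm 2 concrete, here is an added Python implementation (not the paper's own code) of CheckEPPL over the (P, X) record representation; the tuple encoding of formulae, the sample model and the helper names (conj, gand, equal, independent, check_eppl) are assumptions of this example. The arrays B, T and G become recursive functions over subformulae, and an independence formula is rewritten as in [Indep] before checking, as Remark 2.4 requires.

```python
"""CheckEPPL over an EPPL model stored as the record (P, X) of Algorithm 2.

Added example, not the paper's code.  Encoding (an assumption of this example):
  basic formulae   ("sym", a) | ("not", b) | ("imp", b1, b2)
  real terms       ("var", z) | ("const", c) | ("int", b) | ("add", t1, t2) | ("mul", t1, t2)
  global formulae  ("A", b) | ("le", t1, t2) | ("gnot", g) | ("gimp", g1, g2)
P is the |Omega|-array of outcome probabilities, X maps each symbol of Lambda to
its 0/1 row over Omega (the |Lambda| x |Omega| matrix), rho attributes real variables.
"""

# ---- abbreviations of EPPL, defined as in the paper -----------------------------
def conj(b1, b2):
    """b1 ∧ b2 as ¬(b1 ⇒ ¬b2)."""
    return ("not", ("imp", b1, ("not", b2)))

def gand(g1, g2):
    """ϕ1 ⊓ ϕ2 as ∼(ϕ1 ⊐ ∼ϕ2)."""
    return ("gnot", ("gimp", g1, ("gnot", g2)))

def equal(t1, t2):
    """t1 = t2 as (t1 ≤ t2) ⊓ (t2 ≤ t1)."""
    return gand(("le", t1, t2), ("le", t2, t1))

def independent(b1, b2):
    """(b1 ⊥ b2) rewritten as in [Indep] / Remark 2.4: ∫(b1 ∧ b2) = ∫b1 × ∫b2."""
    return equal(("int", conj(b1, b2)), ("mul", ("int", b1), ("int", b2)))

# ---- the three passes of Algorithm 2 ---------------------------------------------
def eval_basic(beta, X):
    """Row B(i): the 0/1 vector of beta over Omega (lines 3-5)."""
    kind = beta[0]
    if kind == "sym":                      # case α : B(i) = X_α
        return list(X[beta[1]])
    if kind == "not":                      # case (¬β_j) : 1 − B(j)
        return [1 - v for v in eval_basic(beta[1], X)]
    if kind == "imp":                      # case (β_j ⇒ β_l) : max(1 − B(j), B(l))
        bj, bl = eval_basic(beta[1], X), eval_basic(beta[2], X)
        return [max(1 - u, v) for u, v in zip(bj, bl)]
    raise ValueError("unknown basic formula: %r" % (beta,))

def eval_term(t, model, rho):
    """Entry T(i): real denotation of a term (lines 10-14)."""
    P, X = model
    kind = t[0]
    if kind == "var":                      # case z : ρ(z)
        return float(rho[t[1]])
    if kind == "const":                    # case 0 or 1
        return float(t[1])
    if kind == "int":                      # case ∫β_j : the inner product B(j).P (line 12)
        return sum(b * p for b, p in zip(eval_basic(t[1], X), P))
    if kind == "add":
        return eval_term(t[1], model, rho) + eval_term(t[2], model, rho)
    if kind == "mul":
        return eval_term(t[1], model, rho) * eval_term(t[2], model, rho)
    raise ValueError("unknown term: %r" % (t,))

def check_eppl(model, rho, delta):
    """Entry G(i): True iff m, rho ⊨ delta (lines 19-22)."""
    P, X = model
    kind = delta[0]
    if kind == "A":                        # case (Aβ_j) : Π_l B(j, l)
        return all(v == 1 for v in eval_basic(delta[1], X))
    if kind == "le":                       # case (t_j ≤ t_l)
        return eval_term(delta[1], model, rho) <= eval_term(delta[2], model, rho)
    if kind == "gnot":                     # case (∼δ_j)
        return not check_eppl(model, rho, delta[1])
    if kind == "gimp":                     # case (δ_j ⊐ δ_l) : max(1 − G(j), G(l))
        return (not check_eppl(model, rho, delta[1])) or check_eppl(model, rho, delta[2])
    raise ValueError("unknown global formula: %r" % (delta,))

# ---- constructed sample model: Λ = {a, b}, Ω = the valuations ab, a¬b, ¬ab, ¬a¬b ----
SAMPLE_P = [0.5, 0.25, 0.125, 0.125]        # dyadic, so every float below is exact
SAMPLE_X = {"a": [1, 1, 0, 0], "b": [1, 0, 1, 0]}
SAMPLE_MODEL = (SAMPLE_P, SAMPLE_X)
SAMPLE_RHO = {"z": 0.6}
A, B = ("sym", "a"), ("sym", "b")

def demo(model=SAMPLE_MODEL, rho=SAMPLE_RHO):
    """Evaluate a few global formulae; returns a name -> result dict."""
    return {
        "A(a ⇒ b)": check_eppl(model, rho, ("A", ("imp", A, B))),          # False: a¬b has mass 0.25
        "∫a": eval_term(("int", A), model, rho),                            # 0.75
        "∫a ≤ z": check_eppl(model, rho, ("le", ("int", A), ("var", "z"))), # False: 0.75 > 0.6
        "∫b ≤ ∫a": check_eppl(model, rho, ("le", ("int", B), ("int", A))),  # True: 0.625 ≤ 0.75
        "a ⊥ b": check_eppl(model, rho, independent(A, B)),                 # False: 0.5 ≠ 0.46875
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Equality atoms are decided by two float comparisons, so outside dyadic examples like this one rounding can flip an = atom; the paper avoids the issue by treating the stored floats as the exact rationals they denote.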

3. µ-CALCULUS EXTENSION OF EXOGENOUS PROBABILISTIC LOGIC

We now introduce a µ-calculus extension of EPPL by adopting the fixpoint constructors [Kozen 1983]. We also provide a sound and (weakly) complete proof system by enriching the µ-calculus proof system with the axioms of EPPL. We start by briefly recalling the syntax, semantics and proof system of the µ-calculus.

3.1 Propositional µ-calculus

Syntax. We shall assume that there is a countable set of propositional constants Γ, and a countable set of propositional variables Ξ. The µ-calculus formulae are given in BNF notation as


$\varphi := \tau \mid \xi \mid (\neg\varphi) \mid (\varphi \Rightarrow \varphi) \mid (\Diamond\varphi) \mid (\mu\xi.\varphi)$

where τ ∈ Γ, and ξ ∈ Ξ is a propositional variable. In (µξ.ϕ) the formula ϕ is positive in ξ, i.e., every occurrence of ξ in ϕ occurs in the scope of an even number of negations. As usual, the other propositional connectives ∨, ∧, f, t are defined as abbreviations. Also as abbreviations we define (□ϕ) = (¬(◇(¬ϕ))) and (νξ.ϕ) = (¬(µξ.(¬ϕ(¬ξ)))).

Semantics. The semantics of the µ-calculus is given using a Kripke structure and a valuation of propositional variables V : Ξ → 2^S.

Definition 3.1 Kripke Structure. A Kripke structure over a set of propositions Γ is a tuple K = (S, R, L) where:

—S is a set, elements of which are called states.

—R ⊆ S × S is the accessibility relation, and it is assumed that for every s ∈ S there exists s′ ∈ S such that (s, s′) ∈ R.

—L : S → 2^Γ is said to be a labeling function.

The meaning $[\varphi]^K_V$ of a formula ϕ in a model K, given valuation V, is defined inductively by

—$[\tau]^K_V = \{s \in S : \tau \in L(s)\}$;

—$[\xi]^K_V = V(\xi)$;

—$[(\neg\varphi)]^K_V = S - [\varphi]^K_V$;

—$[(\varphi_1 \Rightarrow \varphi_2)]^K_V = [\neg\varphi_1]^K_V \cup [\varphi_2]^K_V$;

—$[(\Diamond\varphi)]^K_V = \{s : \exists s' \in S,\ (s, s') \in R,\ s' \in [\varphi]^K_V\}$;

—$[\mu\xi.\varphi]^K_V = \bigcap \{S' \subseteq S : [\varphi]^K_{V[\xi \leftarrow S']} \subseteq S'\}$

where V[ξ ← S′] denotes the valuation V′ that may just differ from V by having V′(ξ) = S′.

If ϕ is a closed formula, then $[\varphi]^M_V = [\varphi]^M_{V'}$ for all valuations V, V′ : Ξ → 2^S. In this case we omit the valuation from the notation, and we say that M, s ⊨_MU ϕ if s ∈ [ϕ]^M_V, for some valuation V.

Axiomatization. The µ-calculus enjoys a sound and weakly complete axiomatization [Walukiewicz 1995], and the proof system HCMU is given in Table III. We use the notation ϕ[ξ ← ψ] to denote the formula that can be obtained by replacing the propositional variable ξ by the formula ψ.


Axioms

[a1] all propositional tautologies

[a2] (((◇ϕ1) ∨ (◇ϕ2)) ⇔ (◇(ϕ1 ∨ ϕ2)))

[a3] (((◇ϕ1) ∧ (□ϕ2)) ⇒ (◇(ϕ1 ∧ ϕ2)))

[a4] ((◇f) ⇔ f)

[a5] ((ϕ[ξ ← µξ.ϕ]) ⇒ (µξ.ϕ))

Inference rules

[r1] ϕ1, (ϕ1⇒ ϕ2) ⊢MU ϕ2

[r2] (ϕ1[ξ ← ϕ2]⇒ ϕ2) ⊢MU (µξ.(ϕ1⇒ ϕ2))

Table III. HCMU : complete calculus for µ-calculus

3.2 Syntax

The syntax of MEPL is formed by enriching the µ-calculus by taking as propositional symbols the global atoms of EPPL. The syntax is detailed in Table IV.

$\beta := \alpha \mid (\neg\beta) \mid (\beta \Rightarrow \beta)$   basic formulae

$t := z \mid 0 \mid 1 \mid \textstyle\int\beta \mid (t + t) \mid (t.t)$   algebraic real terms

$\varphi := (A\beta) \mid (t \le t) \mid \xi \mid (\sim\varphi) \mid (\varphi \sqsupset \varphi) \mid (\Diamond\varphi) \mid (\mu\xi.\varphi)$   global µ-formulae

(where α ∈ Λ, z ∈ Z, and ξ ∈ Ξ).

Table IV. Syntax of MEPL

The basic formulae and probabilistic terms have the same intuitive meaning as in EPPL. Similarly, the global formulae with fixpoint operators have the same meaning as in the µ-calculus. From this point on, we assume the reader is conversant with the µ-calculus.

3.3 Semantics

In order to provide semantics for the logic, we introduce a very simple notion of Kripke structure over EPPL models. An MEPL structure, or an EPPL-Kripke structure, consists of a tuple M = (S, R, L) where S is a non-empty set of states, R ⊆ S × S is a total relation, and L is a map that assigns an EPPL model (including a variable assignment γ : Z → R) to each state in S. Our models are closely related to the models of probability and knowledge in [Fagin and Halpern 1994].


The MEPL semantics mimics the semantics of the µ-calculus. In a Kripke structure, L maps each state to a set of propositional symbols (or equivalently to a valuation), that is, a propositional model. For our EPPL-Kripke structures, L maps each state to an EPPL model. As we shall see in Section 5, EPPL-Kripke structures allow us to model probabilistic programs and protocols.

We now present the formal semantics of MEPL. For this purpose, we denote by $[\delta]^M_V$ the set of states of M that satisfy δ given valuation V : Ξ → 2^S. The set $[\delta]^M_V$ is defined inductively on the structure of δ as follows:

—$[(A\beta)]^M_V = \{s \in S : L(s) \models_{EPPL} (A\beta)\}$;

—$[t_1 \le t_2]^M_V = \{s \in S : L(s) \models_{EPPL} (t_1 \le t_2)\}$;

—$[\xi]^M_V = V(\xi)$;

—$[(\sim\varphi)]^M_V = S \setminus [\varphi]^M_V$;

—$[(\varphi_1 \sqsupset \varphi_2)]^M_V = [\sim\varphi_1]^M_V \cup [\varphi_2]^M_V$;

—$[(\Diamond\varphi)]^M_V = \{s \in S : \text{there exists } s' \in S \text{ such that } (s, s') \in R \text{ and } s' \in [\varphi]^M_V\}$;

—$[\mu\xi.\varphi]^M_V = \bigcap\{S' \subseteq S : [\varphi]^M_{V[\xi \leftarrow S']} \subseteq S'\}$;

where V[ξ ← S′], as before, denotes the valuation V′ that may just differ from V by V′(ξ) = S′.

Given a closed formula ϕ, if s ∈ [ϕ]^M_V for some valuation V then we write M, s ⊨_MEPL ϕ.

3.4 Completeness

In this section we provide a complete calculus for MEPL. Completeness is obtained by using the completeness of the µ-calculus and EPPL. We give the complete axiomatization HCMEPL of MEPL in Table V and in the rest of the section we focus on the proof of completeness.

In order to obtain completeness, we need to translate a MEPL formula into a formula of the µ-calculus. Consider a bijective function ( )^b that translates the EPPL atomic formulae (t1 ≤ t2) and (Aβ) to propositional constants in Γ. Using the function ( )^b we can translate MEPL formulae to µ-calculus formulae by preserving connectives.

As an example, consider the formula ϕ := ((Aβ) ⊐ (□(∫β ≤ 0))). We have

$\varphi^b := (\tau_1 \Rightarrow (\Box\tau_2))$.

Observe that with the bijection ( )^b we can also translate an EPPL-Kripke structure to a Kripke structure. Indeed, an EPPL-Kripke structure M = (S, R, L) can be transformed into the Kripke structure M^b = (S, R, L^b), such that

$L^b(s) = \{\delta^b \in \Gamma : \delta \text{ is an atomic EPPL formula and } L(s) \models_{EPPL} \delta\}$.


Axioms

[A1] all EPPL tautologies

[A2] all instantiations of HCMU tautologies with MEPL formulae

Inference rules

[R1] ϕ1, (ϕ1 ⊐ ϕ2) ⊢MEPL ϕ2

[R2] (ϕ1[ξ ← ϕ2] ⊐ ϕ2) ⊢MEPL (µξ.(ϕ1 ⊐ ϕ2))

Table V. HCMEPL : complete calculus for MEPL

The next lemma shows that the translation ( )^b preserves the meaning of formulae.

Lemma 3.2. Let M be an EPPL-Kripke structure. Then, $[\varphi^b]^{M^b}_V = [\varphi]^M_V$.

Proof. We carry out the proof by structural induction.

Base Case: Let ϕ be an atomic EPPL formula. By definition

$[\varphi^b]^{M^b}_V = \{s \in S : \varphi^b \in L^b(s)\} = \{s \in S : L(s) \models_{EPPL} \varphi\} = [\varphi]^M_V$.

Induction Step:

(1) For negation and implication it is straightforward.

(2) ϕ is (◇φ). Then, we have ϕ^b = (◇φ^b), and using the induction hypothesis $[\phi^b]^{M^b}_V = [\phi]^M_V$ we get

$[\varphi^b]^{M^b}_V = \{s \in S : \text{there exists } s' \in S,\ (s, s') \in R,\ \text{and } s' \in [\phi^b]^{M^b}_V\} = [\varphi]^M_V$.

(3) ϕ is µξ.φ. Then, ϕ^b = µξ.φ^b, and by hypothesis $[\phi^b]^{M^b}_V = [\phi]^M_V$. Hence,

$[\mu\xi.\phi^b]^{M^b}_V = \bigcap\{S' \subseteq S : [\phi^b]^{M^b}_{V[\xi \leftarrow S']} \subseteq S'\} = [\varphi]^M_V$.

Using this lemma we are able to prove the conservativeness of MEPL semantics relative to the µ-calculus.

Corollary 3.3. M, s ⊨_MEPL ϕ iff M^b, s ⊨_MU ϕ^b.

Corollary 3.4. If ⊨_MU ϕ then ⊨_MEPL ϕ.

Regarding the EPPL conservativeness we establish the following result.

Lemma 3.5. For any EPPL formula δ, we have

$\models_{EPPL} \delta$ iff $\models_{MEPL} \delta$.


Proof. (→) Suppose ⊨_EPPL δ. Given an MEPL model M = (S, R, L) and any state s ∈ S, M, s ⊨_MEPL δ iff L(s) ⊨_EPPL δ. Since δ is a valid EPPL formula, it is also a valid MEPL formula.

(←) Given an EPPL model m and attribution γ, we can consider the MEPL model M = ({s}, {(s, s)}, L(s) = (m, γ)). By the hypothesis M, s ⊨_MEPL δ, and so L(s) ⊨_EPPL δ. Hence δ is a valid EPPL formula.

We are now able to prove the soundness of the axiomatic system HCMEPL.

Proposition 3.6. The axiomatization HCMEPL is sound.

Proof. As usual, we proceed by proving that all axioms and rules are valid. From Lemma 3.5 and completeness of EPPL we get that Axiom [A1] is valid. The validity of Axiom [A2] is obtained by using Corollary 3.4 and the completeness of the µ-calculus. Validity of rules [R1] and [R2] can be proved using Lemma 3.2.

The axiomatic system HCMEPL extends the theoremhood of both the HCEPPL and HCMU systems.

Lemma 3.7. Let ϕ be a MEPL formula and δ an EPPL formula.

(i) If ⊢MU ϕb then ⊢MEPL ϕ.

(ii) Moreover, ⊢EPPL δ iff ⊢MEPL δ.

Proof. (i) The proof proceeds by induction on the length of the derivation of ϕ, using the fact that all axioms and rules of HCMU are also in HCMEPL.

(ii) (→) As in the proof of (i), since HCEPPL and HCMEPL have the same EPPL tautologies and EPPL inference rules.

(←) Let ⊢_MEPL δ. By soundness we have ⊨_MEPL δ. Given an EPPL model m and attribution γ, consider the EPPL-Kripke structure M = ({s}, {(s, s)}, L(s) = (m, γ)). Then M ⊨_MEPL δ iff m, γ ⊨_EPPL δ. Hence, by EPPL completeness we get ⊢_EPPL δ.

Given a MEPL formula ϕ, let at(ϕ) = {δ1, ..., δk} be the set of its EPPL atomic formulae. For each k-vector u ∈ {0, 1}^k, consider the EPPL formula

$\delta_u = \delta'_1 \sqcap \ldots \sqcap \delta'_k$, where $\delta'_i = \begin{cases} \delta_i & \text{if } u(i) = 1 \\ (\sim\delta_i) & \text{otherwise.} \end{cases}$

Let C ⊆ {0, 1}^k be the set of k-vectors u such that δ_u has a model, i.e. is consistent, and consider the EPPL formula $\delta_\varphi = \bigsqcup_{u \in C} \delta_u$. We use the abbreviation AGϕ := (νξ.(ϕ ⊓ (□ξ))).

Lemma 3.8. If ⊢MEPL ϕ then ⊢MEPL AGϕ.

Proof. We have the derivation:


1) ⊢_MEPL ϕ   hypothesis

2) ⊢_MEPL ((ϕ ⊐ F) ⊐ F)   tautology

3) ⊢_MEPL ((ϕ ⊐ ◇F) ⊐ F)   Axiom a4

4) ⊢_MEPL ((µξ.(ϕ ⊐ ◇ξ)) ⊐ F)   applying rule R2 to 3)

5) ⊢_MEPL T ⊐ ∼(µξ.(ϕ ⊐ ◇ξ))   propositional tautology

6) ⊢_MEPL ∼(µξ.(∼ϕ ⊔ (∼□∼ξ)))   by modus ponens, and tautologies for ⊔ and ◇

7) ⊢_MEPL ∼(µξ.∼(ϕ ⊓ (□∼ξ))) = AGϕ   tautology for ⊓

Lemma 3.9. Let ϕ be a MEPL formula and K = (S, R, L) a Kripke structure.

(i) $[AG\varphi^b]^K_V = [\varphi^b]^K_V \cap [\Box AG\varphi^b]^K_V$, for all valuations V;

(ii) if s ∈ [AGϕ^b]^K_V and (s, s′) ∈ R then s′ ∈ [AGϕ^b]^K_V.

Proof. We get (i) from the equivalence

$(\nu\xi.(\varphi \sqcap (\Box\xi))) = (\varphi \sqcap (\Box(\nu\xi.(\varphi \sqcap (\Box\xi)))))$.

Claim (ii) is obtained by using (i), i.e. the fact that [AGϕ^b]^K_V ⊆ [□AGϕ^b]^K_V.

Lemma 3.10. Let K = (S, R, L) be a Kripke structure and s ∈ S. If K′ = (S′, R′, L′) is a Kripke structure such that S′ ⊆ S contains all successors of s (where R′ and L′ are the restrictions to S′ of their counterparts in K), then for every formula ϕ we have

$s \in [\varphi^b]^{K'}_V$ iff $s \in [\varphi^b]^K_V$.

Proof. The proof is by structural induction on ϕ. Let V be a valuation.

Base Case: If ϕ is an EPPL formula then L(s) = L′(s), so $s \in [\varphi^b]^{K'}_V$ iff $s \in [\varphi^b]^K_V$.

Induction Step: The cases of negation and implication are straightforward.

– if ϕ is (◇φ) then $s \in [\Diamond\phi]^{K'}_V$ iff there is s′ ∈ S′ with (s, s′) ∈ R and $s' \in [\phi]^{K'}_V$ iff $s \in [\Diamond\phi]^K_V$, using the fact that S′ contains all the successors of s.

– if ϕ is (µξ.φ) the case is straightforward, using the induction hypothesis that $s \in [\phi^b]^{K'}_V$ iff $s \in [\phi^b]^K_V$.

Proposition 3.11. Let ϕ be a valid MEPL formula. Then there is an EPPL formula δ_ϕ such that ⊢_MEPL δ_ϕ, and ⊢_MU (AGδ^b_ϕ ⇒ ϕ^b).


Proof. Let ϕ be a valid MEPL formula, and δ_ϕ be as defined before. Suppose that

$\nvdash_{MU} (AG\delta^b_\varphi \Rightarrow \varphi^b)$.

By completeness of the HCMU calculus we get that $\not\models_{MU} (AG\delta^b_\varphi \Rightarrow \varphi^b)$. So, there is a Kripke structure K = (S, R, L) and s ∈ S, such that

$K, s \not\models (AG\delta^b_\varphi \Rightarrow \varphi^b)$, and hence $K, s \models AG\delta^b_\varphi$ and $K, s \not\models \varphi^b$.

For all s′ ∈ [AGδ^b_ϕ]^K, we have that s′ ∈ [δ^b_ϕ]^K, and hence there is a u_{s′} ∈ C such that s′ ∈ [δ_{u_{s′}}]^K. Therefore, there is an EPPL model $m_{u_{s'}}$ and attribution $\gamma_{u_{s'}}$ such that $m_{u_{s'}}, \gamma_{u_{s'}} \models \delta_{u_{s'}}$. Consider the EPPL-Kripke structure M_K = (S′, R′, L′) such that S′ = [AGδ^b_ϕ]^K, R′ ⊆ R is the restriction of R to S′, and $L'(s') = (m_{u_{s'}}, \gamma_{u_{s'}})$ for all s′ ∈ S′. From Lemma 3.10, (M_K)^b, s ⊭_MU ϕ^b, and using Corollary 3.3 we get M_K, s ⊭_MEPL ϕ. This contradicts the hypothesis ⊨_MEPL ϕ. Hence, ⊢_MU (AGδ^b_ϕ ⇒ ϕ^b).

Theorem 3.12. The axiomatization HCMEPL is weakly complete.

Proof. Let ϕ be a valid MEPL formula. From Proposition 3.11 we have that ⊢_MEPL (AGδ_ϕ ⊐ ϕ). Using Lemma 3.8 we get ⊢_MEPL AGδ_ϕ. By modus ponens we get ⊢_MEPL ϕ.

3.5 Satisfaction

Given an MEPL formula ϕ consider the EPPL formula δ_ϕ as constructed above. We have that δ_ϕ is a valid EPPL formula, ⊨_EPPL δ_ϕ. Let K = (S, R, L) be a Kripke structure such that $K \models_{MU} (\delta^b_\varphi \wedge \varphi^b)$. Therefore, for each s ∈ S there is a u_s ∈ C_ϕ such that s ∈ [δ_{u_s}]^K. Since each formula δ_{u_s} is satisfiable, there is an EPPL model m_{u_s} and attribution γ_{u_s} such that m_{u_s}, γ_{u_s} ⊨ δ_{u_s}. Consider the EPPL-Kripke structure M_K = (S, R, L_K) with L_K(s) = (m_{u_s}, γ_{u_s}), for all s ∈ S. Clearly, (M_K)^b and K satisfy the same formulae over the propositional symbols {δ^b : δ ∈ at(ϕ)}.

Theorem 3.13. Let ϕ be an MEPL formula. The formula ϕ is satisfiable iff $(\delta^b_\varphi \wedge \varphi^b)$ is satisfiable.

Proof. (→) Let ϕ be a satisfiable MEPL formula. Therefore, there is an EPPL-Kripke structure M = (S, R, L) such that M ⊨ ϕ. From Corollary 3.3, M^b ⊨_MU ϕ^b. By construction, and as stated before, ⊨_MEPL δ_ϕ. Therefore, $M^b \models_{MU} (\delta^b_\varphi \wedge \varphi^b)$.

(←) Suppose that $(\delta^b_\varphi \wedge \varphi^b)$ is a satisfiable formula. Therefore, there is a Kripke structure K = (S, R, L) such that $K \models_{MU} (\delta^b_\varphi \wedge \varphi^b)$. Hence, (M_K)^b ⊨_MU ϕ^b iff M_K ⊨_MEPL ϕ.

The satisfaction problem for the µ-calculus is EXPTIME-complete [Kozen and Parikh 1984]. Furthermore, since the formula $\delta^b_\varphi \wedge \varphi^b$ is exponentially larger than ϕ, one could imagine that the complexity of deciding satisfiability of MEPL formulae is exponentially worse than that for the µ-calculus. However, as we shall see in Section 4.1, for some cases we need not apply the SAT algorithm directly to the entire formula δ^b_ϕ.


Exogenous Probabilistic Linear Temporal Logic. An important sub-logic of MEPL is the one obtained by taking just the path connectives next X and until U, such that Xϕ :=_ab (◇ϕ), and ϕ1 U ϕ2 :=_ab (µξ.(ϕ2 ⊔ (◇(ϕ1 ⊓ ξ)))). We call this logic exogenous probabilistic linear temporal logic (EPLTL).

Due to the correspondence of LTL formulae with Büchi automata [Vardi and Wolper 1986; Gerth et al. 1996], the problem of finding a model is equivalent to the emptiness problem of the associated Büchi automaton. The size of the Büchi automaton is exponential relative to the formula size. Although the emptiness problem is NLOGSPACE-complete [Vardi and Wolper 1994], we have the PSPACE bound for satisfaction relative to the formula size.

The algorithms introduced in [Sistla and Clarke 1985; Gerth et al. 1996] to solve satisfiability can be extended to EPLTL.

Theorem 3.14. The satisfiability problem for EPLTL is in PSPACE.

Proof. (Proof sketch) In both cases, [Sistla and Clarke 1985] and [Gerth et al. 1996], the algorithms presented solve the problem by constructing a witness path, where states are defined by a set of subformulae: in the first case by guessing the next state, and in the second by expanding a graph with tableau techniques. In each step, consistency tests are performed, and the syntactic states are discarded if they fail such tests. To extend these algorithms to EPLTL formulae we just need to add the EPPL consistency test, via EPPL SAT. Since EPPL SAT is in PSPACE (Theorem 2.9), we get that the satisfiability problem for EPLTL is also in PSPACE.

4. MODEL CHECKING

Model checking is the problem of verifying if a formula holds against a model. The problem for MEPL can be stated as follows. Given an EPPL-Kripke structure M = (S, R, L), state s ∈ S and formula ϕ, is it true that M, s ⊨_MEPL ϕ?

4.1 Finite State

Consider the case where M = (S, R, L) is a finite EPPL-Kripke structure, i.e. S is a finite set and L assigns finite EPPL models. As proved for Corollary 3.3, the combination of the model checking algorithm for the µ-calculus, over the finite Kripke structure M^b, and the EPPL algorithm applied to {L(s) : s ∈ S} yields a decision procedure for the model checking problem over finite MEPL models. Therefore, the complexity of model checking is bounded by the complexity of one run of the µ-calculus model checking algorithm to solve M^b, s ⊨ ϕ^b, plus at most |S| × |ϕ| runs of the EPPL model checking algorithm to solve all instances L(s) ⊨ δ, for all EPPL atoms δ of ϕ. The logics CTL and LTL are sub-logics of the µ-calculus and are obtained by making the usual restriction on the fixed-point formulae allowed. The same restrictions applied to MEPL yield corresponding sub-logics EPCTL and EPLTL. In Table VI we present the complexity of model checking for all three logics.


Combinations | CTL   | LTL    | µ-calculus
EPPL         | EPCTL | EPLTL  | MEPL
Complexity   | P     | PSPACE | EXPTIME

Table VI. Complexity of model checking

4.2 Infinite State

Consider now the case of a finitary EPPL-Kripke structure, i.e. where the set of states S is infinite, but L assigns finite EPPL models. This class includes systems such as Probabilistic Finite Automata and Markov Decision Processes.

A probabilistic finite automaton (PFA) over an alphabet Σ is a tupleA = (Q, Paa∈Σ, u, F )where

—Q is a finite set of states;

—Paa∈Σ is a family of stochastic matrices of dimension |S| × |S|, i.e. for eachletter a ∈ Σ, Pa is a non-negative matrix such that each row sums up to one;

—u is the initial probability distribution over S;

—F ⊆ Q is the set of accepting states.

Given a word w ∈ Σ∗, the probability of accepting w = a1 . . . ak is

pA(w) := uTPa1Pa2

. . . PakuF = uTPwuF = uT

wuF ;

where uF is the vector representing F .

Let 0 ≤ λ < 1 be a real number. The set of words accepted by A with cut-point λis

L>λ(A) = w ∈ Σ∗ : pA(w) > λ.

If there is an ǫ > 0 such that |pA(w) − λ| > ǫ for all w ∈ Σ∗ then we say that thelanguage L>λ(A) is recognized with an isolated cut-point.

With the PFA A = (Q, {P_a}_{a∈Σ}, u, F) we associate the EPPL-Kripke structure M_A = (S, R, L) such that

—S = Σ∗;

—(w1, w2) ∈ R iff w1a = w2 for some a ∈ Σ;

—L(w) = uᵀ P_w = u_w.
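The following Python program is an added illustration, not code from the paper: it implements a constructed two-state PFA, its acceptance probability p_A(w) and the induced structure M_A, and unfolds M_A to a bounded depth to evaluate EF(∫βF > λ) and AG(∫βF > λ) over words up to that length (the bounded check is decidable; Theorem 4.1 concerns the unbounded structure).

```python
# Added example (not from the paper): a PFA as in Section 4.2, its acceptance
# probability p_A(w) = u^T P_a1 ... P_ak u_F, and the induced EPPL-Kripke
# structure M_A whose state for the word w is the distribution u_w = u^T P_w.
# The automaton is constructed for illustration; exact arithmetic keeps the
# cut-point comparisons sharp.
from fractions import Fraction
from itertools import product

def row_times_matrix(v, P):
    """Row vector v times the matrix P (both indexed by the states Q)."""
    n = len(P)
    return [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]

class PFA:
    def __init__(self, P, u, F):
        self.P, self.u, self.F = P, u, F     # P: letter -> |Q|x|Q| matrix
        for a, M in P.items():               # every P_a must be stochastic
            for row in M:
                assert min(row) >= 0 and sum(row) == 1, (a, row)

    def distribution(self, w):
        """L(w) = u_w: the state distribution after reading w, a state of M_A."""
        v = list(self.u)
        for a in w:
            v = row_times_matrix(v, self.P[a])
        return v

    def accept_prob(self, w):
        """p_A(w) = u_w^T u_F: the mass on accepting states after reading w."""
        v = self.distribution(w)
        return sum(v[q] for q in self.F)

    def successors(self, w):
        """The relation R of M_A: (w, wa) for every letter a."""
        return [w + a for a in sorted(self.P)]

def cutpoint_atom(A, lam):
    """The EPPL atom (∫β_F > λ), evaluated on a state L(w) of M_A."""
    return lambda dist: sum(dist[q] for q in A.F) > lam

def bounded_EF(A, atom, depth):
    """EF(atom) on M_A restricted to words of length <= depth, breadth first.
    Returns a witness word, or None when no such word satisfies the atom."""
    frontier = ['']
    for _ in range(depth + 1):
        nxt = []
        for w in frontier:
            if atom(A.distribution(w)):
                return w
            nxt.extend(A.successors(w))
        frontier = nxt
    return None

def bounded_AG(A, atom, depth):
    """AG(atom) on words of length <= depth. Returns a counterexample or None."""
    for k in range(depth + 1):
        for letters in product(sorted(A.P), repeat=k):
            w = ''.join(letters)
            if not atom(A.distribution(w)):
                return w
    return None

# Constructed PFA over {a, b} with Q = {0, 1}, u = (1, 0) and F = {1}: on 'a'
# state 0 moves to 1 by a fair coin and 1 stays; on 'b' state 0 stays and
# state 1 returns to 0 by a fair coin.  p_A(a^k) = 1 - 2^-k approaches 1, so
# whether some word passes a cut-point depends on how far M_A is unfolded.
half = Fraction(1, 2)
A = PFA(P={'a': [[half, half], [0, 1]], 'b': [[1, 0], [half, half]]},
        u=[Fraction(1), Fraction(0)], F={1})
```

For example, bounded_EF(A, cutpoint_atom(A, 0.9), 3) finds no witness, while unfolding one level deeper reaches the word aaaa with p_A = 15/16.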

Theorem 4.1. Let M = (S, R, L) be a finitary EPPL-Kripke structure, and s ∈ S. If 0 < λ < 1 then the following problems are undecidable:

(i) M, s ⊨MEPL (AG(∫β > λ));

(ii) M, s ⊨MEPL (EF(∫β > λ)).

Proof. Let A = (Q, {P_a}_{a∈Σ}, u, F) be a PFA over an alphabet Σ, and 0 < λ < 1 a non-zero cut-point. Consider the EPPL-Kripke structure M_A over Q, and the basic formula βF that represents the set F ⊆ Q. Hence, M_A, sε ⊨MEPL AG(∫βF > λ) if and only if L>λ(A) = Σ∗. Since the universality problem for PFAs with non-zero cut-point is undecidable [Nasu and Honda 1969], (i) is undecidable as well. For (ii), we have that M_A, sε ⊨MEPL EF(∫βF > λ) if and only if L>λ(A) ≠ ∅. Therefore, from the undecidability of the emptiness problem for PFAs with non-zero cut-point we conclude that (ii) is also undecidable.

We can show decidability for a certain class of problems, capitalizing on the decidability results for PFAs [Rabin 1963].

Theorem 4.2. Let A = (Q, {P_a}_{a∈Σ}, u, F) be a PFA over an alphabet Σ. The following problems are decidable:

(i) M_A, sε ⊨MEPL AG(∫βF > 0);

(ii) M_A, sε ⊨MEPL EF(∫βF > 0);

(iii) M_A, sε ⊨MEPL AG(∫βF = 1);

(iv) M_A, sε ⊨MEPL EF(∫βF = 1).

Proof. In all the cases the PFA is equivalent to a deterministic automaton. Hence, from the decidability of the emptiness and universality problems for deterministic automata, we get the decidability of the corresponding model checking problems.

Clearly, one needs to understand for which PFAs decidability can be attained. In most cases we are interested in PFAs where P_a is very particular (where only tosses of fair coins are allowed, for instance).

5. APPLICATIONS

In this section we present some simple applications of the logics described in this paper.

Propositional logic is widely used in industry for the verification of circuitry. The techniques used exploit the increasing power of propositional SAT solvers. The use of satisfaction algorithms in formal verification has been gaining importance due to the lack of scalability of binary decision diagrams [Biere et al. 1999]. The MTBDDs used in probabilistic verification suffer from the same problem. With EPPL we are able to model defective gates. Therefore we can extend verification to quantitative properties and analyse defect-tolerant systems, i.e. circuits in the presence of noise.

5.1 Hardware

Consider the combinational circuit shown in Figure 1. In the usual verification of hardware we write a formula describing the implementation of the circuit and a formula for the specification, both in propositional logic. In this case the formulae are the following:

Implementation:

(α4 ⇔ α1 ∧ α2) ∧ (α5 ⇔ α3 ∨ α4) ∧ (α6 ⇔ ¬α5);


[Figure 1: the AOI21 gate network with inputs α1, α2, α3, internal signals α4, α5 and output α6.]

Fig. 1. AND-OR-INVERTER (AOI21)

Specification:

(α6 ⇔ ¬(α3 ∨ (α1 ∧ α2))).

The aim of the verification process is to prove that from the implementation we can derive the specification. Deploying the complete Hilbert calculus for the propositional logic, we are able to prove that the circuit is correct for all inputs.

With EPPL we are able to extend the verification to quantitative properties. Suppose that we know from experimental results that the real implementation of the AND gate yields a correct value at least 99% of the time, the OR gate delivers correct output at least 97% of the time and that, in the case of the NOT gate, no faults are detected. In this situation, the formula that describes the implementation is

(∫(α4 ⇔ α1 ∨ α2) > 0.97) ⊓ (∫(α5 ⇔ α3 ∧ α4) > 0.99) ⊓ (A(α6 ⇔ ¬α5)).

Using the complete EPPL Hilbert calculus we can derive that the implementation implies the specification, which is described by the formula

(∫(α6 ⇔ ¬(α3 ∧ (α1 ∨ α2))) ≥ 0.98)

that states the quantified correctness of the circuit, that is, that the circuit has the correct behaviour at least 98% of the time. As in the framework of classical hardware verification, where SAT tools are used to validate the implementation, we can do the same with EPPL SAT. Let δimp and δspec be the implementation and specification formulae, respectively. We apply the EPPL SAT algorithm to the conjunction δimp ⊓ (∼δspec). If the algorithm returns “No Model” it means that the circuit satisfies the specification; otherwise it returns a model that witnesses a situation where the specification fails. Finally, we note that for EPPL formulae without multiplication of terms, the SAT algorithm can be simplified so that it is in NP, by adapting the results in [Fagin et al. 1990]. This is no worse than the case of classical propositional logic.

5.2 Software

Another potential application of EPPL is in bounded verification of programs with random calls. Bounded model checking [Clarke et al. 2001; Biere et al. 2003] has been a successful technique for catching bugs in software and hardware. The system under verification is unfolded n times and sent together with a correctness property to a SAT solver. In this way, bugs up to executions of length n can be eliminated. This technique can typically be used to ensure the reliability of many critical systems.


Given a Boolean probabilistic program P, we are able to translate it into an EPPL formula δP representing its behaviour. As in the previous example, the formula δP describes the implementation. Consider the execution of the lines of code in Figure 2 (a) and its translation in Figure 2 (b) to an EPPL formula.

    x = rand();
    y = rand();
    y = x ∨ y;
    if (x) x = ¬x;
    else
        x = x ∨ y;

    (a)

    (∫αx1 = 0.5) ⊓ (∫αy1 = 0.5) ⊓
    (A(αy2 ⇔ αx1 ∨ αy1)) ⊓ (A(αx3 ⇔ ¬αx2)) ⊓
    (A(αx4 ⇔ αx2 ∨ αy2)) ⊓ (A(αx5 ⇔ (αx2 ? αx3 : αx4)))

    (b)

Fig. 2. Translation of a program to an EPPL formula

Now, if we wish to verify a probabilistic safety property, for instance,

    δsaf = ⊓_{i=1}^{5} (∫αxi ≤ 0.5),

we can send the conjunction formula (δP ⊓ δsaf) to a SAT solver.
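As an added example (not part of the paper), the Python program below executes the code of Figure 2 (a) over all outcomes of its coin tosses, builds the resulting EPPL model, and evaluates the atoms of δP and of δsaf on it; it assumes, as the figure does not state, that αx2 is the value of x carried unchanged from line 1.

```python
# Added example (not from the paper): the program of Figure 2 (a) executed over
# all outcomes of its two rand() calls, which yields the EPPL model (a
# distribution over valuations of the versioned symbols) that Figure 2 (b)
# describes; the atoms of δP and of the safety property δsaf are then
# evaluated on it. Assumption not written in the figure: αx2 is x carried
# unchanged from line 1, i.e. αx2 ⇔ αx1.
from fractions import Fraction
from itertools import product

SYMBOLS = ('x1', 'y1', 'y2', 'x2', 'x3', 'x4', 'x5')

def run_program(x1, y1):
    """One run of Figure 2 (a); every assignment gets a fresh version."""
    y2 = x1 or y1              # y = x ∨ y
    x2 = x1                    # x before the if (assumed equal to x1)
    x3 = not x2                # then-branch:  x = ¬x
    x4 = x2 or y2              # else-branch:  x = x ∨ y
    x5 = x3 if x2 else x4      # join of the branches: αx5 ⇔ (αx2 ? αx3 : αx4)
    return {'x1': x1, 'y1': y1, 'y2': y2, 'x2': x2, 'x3': x3, 'x4': x4, 'x5': x5}

def program_model():
    """The EPPL model of the program: each rand() is a fair coin, so every
    pair of outcomes carries probability 1/4 (the program has no loops, so a
    single unfolding is the whole behaviour)."""
    model = {}
    for x1, y1 in product((False, True), repeat=2):
        val = tuple(run_program(x1, y1)[s] for s in SYMBOLS)
        model[val] = model.get(val, Fraction(0)) + Fraction(1, 4)
    return model

def prob(model, symbol):
    """The EPPL term ∫α_symbol: the mass of the valuations that satisfy it."""
    i = SYMBOLS.index(symbol)
    return sum(p for val, p in model.items() if val[i])

def always(model, pred):
    """The EPPL formula A(pred): pred holds in every valuation with mass."""
    return all(pred(dict(zip(SYMBOLS, val))) for val in model)

def satisfies_delta_P(model):
    """δP of Figure 2 (b): two ∫ atoms and four A(...) atoms."""
    return (prob(model, 'x1') == Fraction(1, 2)
            and prob(model, 'y1') == Fraction(1, 2)
            and always(model, lambda v: v['y2'] == (v['x1'] or v['y1']))
            and always(model, lambda v: v['x3'] == (not v['x2']))
            and always(model, lambda v: v['x4'] == (v['x2'] or v['y2']))
            and always(model, lambda v: v['x5'] == (v['x3'] if v['x2'] else v['x4'])))

def safety_violations(model, bound=Fraction(1, 2)):
    """The conjuncts of δsaf = ⊓_i (∫αxi <= bound) that fail, with their values."""
    return {s: prob(model, s) for s in ('x1', 'x2', 'x3', 'x4', 'x5')
            if prob(model, s) > bound}

if __name__ == '__main__':
    m = program_model()
    print(satisfies_delta_P(m), safety_violations(m))
```

Because the translation constrains αx4 in every valuation, including runs that take the then-branch, ∫αx4 = 3/4 on this model and that conjunct of δsaf fails; a model of this kind is what a SAT call on the formulae reports as a witness.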

5.3 Further Examples

5.3.1 The Dining Cryptographers Protocol. Our next example is the “Dining Cryptographers protocol” [Chaum 1988]. Consider the following scenario. Three cryptographers working for a covert organization are sitting at a round table, dining in a fine restaurant. After the meal, when it is time to pay, the waitress informs them that the bill has already been settled. It seems that either one of the cryptographers has paid, or the secret agency has. The cryptographers would like to know which is the case, without revealing the identity of the cryptographer if one of them has paid.

A probabilistic solution to this problem is as follows. Three (fair) coins are placed on the table, one between each pair of cryptographers. Each cryptographer tosses the coin to his right, and records its outcome. In addition, each cryptographer is also able to see the outcome of the coin toss immediately to his left. At the end of the tossing, each cryptographer announces whether the outcomes of the coin tosses on their left and right agree. However, the cryptographer who has paid, if there is one, lies, i.e. inverts the answer. Now, if the total number of “agrees” is odd, then one of the cryptographers has paid, otherwise it is their organization that has footed the bill.


The anonymity in this protocol can be expressed by the fact that the two cryptographers who have not paid are unable to identify the one who has paid, if there is one. The anonymity with respect to the first cryptographer corresponds to the assertion that the programs in which the second and the third cryptographers pay, respectively, are equivalent. In [Legay et al. 2008] the authors solve the problem of program equivalence by translating the programs to probabilistic automata, and solving the corresponding equivalence problem for probabilistic automata. A similar process is possible by checking equivalence of EPPL formulae.

Let c1, c2, and c3 denote the outcome of the coin toss of the first, second and third cryptographer respectively. For each i, 1 ≤ i ≤ 3, we let ai be 0 if ci = c(i+1), and 1 otherwise. In the case where the second cryptographer has paid, the knowledge of the first cryptographer about the state of the variables c1, c2, a1, a2, and a3 is described by the formula

    (∫αc1 = 1/2) ⊓ (∫αc2 = 1/2) ⊓ (A(αa1 ⇔ (αc1 ⇔ αc2))) ⊓ (∫αa2 = 1/2) ⊓ (A(αa3) ⊔ A(¬αa3)).

Moreover, the case where the second cryptographer has paid yields exactly the same EPPL formula as the case where the third cryptographer has paid. Hence, these different situations are indistinguishable by cryptographer one, which proves the anonymity.
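The following Python program is an added example, not part of the paper: it enumerates the three fair coins, checks the parity rule, and checks the anonymity claim above as equality of the two EPPL models (the distributions over c1, c2, a1, a2, a3 seen by cryptographer one) for the cases in which the second and the third cryptographer pay; it takes ai = 1 iff ci ≠ c(i+1) with indices modulo 3, which the text leaves implicit.

```python
# Added example (not from the paper): the Dining Cryptographers protocol of
# Section 5.3.1 enumerated over the three fair coins. It checks the parity
# rule and the anonymity claim, the latter as equality of the EPPL models
# (distributions over c1, c2, a1, a2, a3 as seen by cryptographer one) for
# "cryptographer two paid" and "cryptographer three paid". Announcements use
# a_i = 1 iff c_i != c_{i+1} (indices mod 3); the payer inverts his own.
from fractions import Fraction
from itertools import product

VIEW = ('c1', 'c2', 'a1', 'a2', 'a3')   # what cryptographer one observes

def announcements(coins, payer):
    """a_i = 1 iff the coins on either side of cryptographer i differ; the
    payer (index 0, 1 or 2, or None for the organisation) inverts his answer."""
    a = [coins[i] != coins[(i + 1) % 3] for i in range(3)]
    if payer is not None:
        a[payer] = not a[payer]
    return a

def someone_paid(a):
    """Decision rule: an odd number of 1s among the three announcements."""
    return sum(a) % 2 == 1

def parity_rule_is_sound():
    """The rule recovers 'a cryptographer paid' for every outcome and payer."""
    return all(someone_paid(announcements(coins, payer)) == (payer is not None)
               for coins in product((False, True), repeat=3)
               for payer in (None, 0, 1, 2))

def view_model(payer):
    """EPPL model of cryptographer one's knowledge: the distribution over
    (c1, c2, a1, a2, a3) induced by three independent fair coins."""
    model = {}
    for coins in product((False, True), repeat=3):
        a = announcements(coins, payer)
        view = (coins[0], coins[1], a[0], a[1], a[2])
        model[view] = model.get(view, Fraction(0)) + Fraction(1, 8)
    return model

def prob(model, symbol):
    """The EPPL term ∫α_symbol on a view model."""
    i = VIEW.index(symbol)
    return sum(p for view, p in model.items() if view[i])

def anonymous_wrt_first():
    """Anonymity: 'two paid' and 'three paid' induce the same model, so
    cryptographer one cannot tell the two cases apart."""
    return view_model(1) == view_model(2)

def payment_is_visible():
    """Sanity check: the model does reveal whether anyone paid at all."""
    return view_model(None) != view_model(1)

if __name__ == '__main__':
    print(parity_rule_is_sound(), anonymous_wrt_first(), payment_is_visible())
```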

We remark that using EPPL we can perform reasoning on finite integer data types. Given a variable x ranging over the integers modulo n, we can use a basic formula, with at most log(n) + 1 propositional symbols, to specify all the possible values of that variable. For example, for an integer variable x modulo 5, we use the abbreviation

(x = 4) := (¬αx1) ∧ (¬αx2) ∧ (αx3).

Therefore, we can write the EPPL formula ((∫(x = 4) ≤ 1/2) ⊐ A(y = 0)).

5.3.2 A Flip-flop. Consider the MEPL model given by the Markov chain shown in Figure 3. The Markov chain models a flip-flop that can either be ON or OFF. Sometimes, the flip-flop stops working and fails, getting into state F.

The system M starts in the state s where ON and OFF are possible with equal probability. We can prove that a formula Gϕ is true, M, s ⊨ Gϕ, by showing that the initial state satisfies ϕ and that (ϕ ⊐ (Xϕ)) is satisfied by all states.

Now, consider the formula G(∫αon ≤ ∫αoff) stating that the probability of being ON is always less than or equal to the probability of being OFF. Clearly, if the formula

    (∫αon = x1) ⊓ (∫αoff = x2)

holds in some state, in the next state we have ((∫αon = 0.98x1) ⊓ (∫αoff = 0.99x2)). Therefore, since 0.98x1 ≤ 0.99x2 if x1 ≤ x2, we get that the formula

    ((∫αon ≤ ∫αoff) ⊐ X(∫αon ≤ ∫αoff))

is true in all states of M. Using the fact that the initial state satisfies (∫αon ≤ ∫αoff) we get that M fulfils the invariant property G(∫αon ≤ ∫αoff).


[Figure 3: states ON, OFF and F; ON stays ON with probability 0.98 and moves to F with probability 0.02, OFF stays OFF with probability 0.99 and moves to F with probability 0.01, and F loops with probability 1.]

Fig. 3. Markov chain modeling a flip-flop

6. CONCLUSIONS AND FUTURE WORK

We have defined Exogenous Probabilistic Propositional Logic EPPL and its fixpoint extension MEPL, which includes operators from the modal µ-calculus. We have introduced syntactic and semantic approaches to the verification of properties expressed in both logics. The completeness proof for MEPL builds on the decidability of the existential theory of the real numbers and on a polynomial-space SAT algorithm for EPPL. The model checking problems for EPPL and MEPL are also analysed. We claim that our logics are a suitable specification formalism for expressing properties of probabilistic systems and we demonstrate this fact through some simple examples.

Our work can be thought of as complementary to previous work on probabilistic verification [Baier and Kwiatkowska 1998; Kwiatkowska et al. 2004; 2005]. The semantics of EPPL and MEPL are defined in terms of probability distributions over sets of propositional symbols, whereas the usual approaches are designed for reasoning about distributions over paths of possible behaviour. Furthermore, existing logics such as PCTL are designed mainly for model checking, and use transition systems as the underlying model. In addition to model checking, we are also able to verify probabilistic systems using a syntactic approach, based on a (weakly complete) Hilbert calculus. The approach presented here is very well suited for handling non-determinism and probability. In contrast to PCTL, which requires the use of a min–max semantics in order to assign just a single value to probability assertions in the presence of non-determinism, EPPL and MEPL do not need such additional constructions.

There are properties that our logics can express that PCTL cannot, and vice versa, and this is to be expected. The semantics of our logics is closer to that of probabilistic programs [den Hartog and de Vink 2002; Chadha et al. 2007]. Many interesting model checking scenarios involve infinite states, and this subject will be the focus of our future research. Although the general model checking case for infinite state systems is undecidable, it would be interesting to understand which classes of probabilistic automata and Markov chains induce a Kripke structure with decidable model checking. Clearly, we are close to the limit of expressivity, as we know that monadic second-order probabilistic logic is undecidable [Beauquier et al. 2002].

We would also like to stress that our logic could be easily adapted to enable reasoning about quantum systems. Another possible direction of work could be aimed at using the logic for reasoning about security protocols, following the lines of [den Hartog and de Vink 2002].

We believe that the work presented here will serve as a solid theoretical foundation for understanding and modelling various systems and computing applications in which probability plays a role, and we have already designed a detailed research programme to extend and apply EPPL and MEPL to interesting and diverse problems.

Acknowledgements

We would like to thank Nick Papanikolaou for suggesting improvements to this paper. Some of this work was carried out when the third author was on sabbatical at IST, Lisbon. This work was partially supported by Instituto de Telecomunicações, FCT and EU FEDER through PTDC, namely via the QSec project (PTDC/EIA/67661/2006), IT project QuanTel and the European Network of Excellence EURO-NF. The first author was also funded by FCT and an EU FEDER PhD fellowship SFRH/BD/22698/2005.

REFERENCES

Baier, C. and Kwiatkowska, M. Z. 1998. Model checking for a probabilistic branching time logic with fairness. Distributed Computing 11, 3, 125–155.

Basu, S., Pollack, R., and Roy, M.-F. 2003. Algorithms in Real Algebraic Geometry. Springer.

Beauquier, D., Rabinovich, A. M., and Slissenko, A. 2002. A logic of probability with decidable model-checking. In CSL ’02: Proceedings of the 16th International Workshop and 11th Annual Conference of the EACSL on Computer Science Logic. Springer-Verlag, London, UK, 306–321.

Biere, A., Cimatti, A., Clarke, E. M., Fujita, M., and Zhu, Y. 1999. Symbolic model checking using SAT procedures instead of BDDs. In DAC. 317–320.

Biere, A., Cimatti, A., Clarke, E. M., Strichman, O., and Zhu, Y. 2003. Bounded model checking. Advances in Computers 58, 118–149.

Canny, J. 1988. Some algebraic and geometric computations in PSPACE. In STOC ’88: Proceedings of the twentieth annual ACM symposium on Theory of computing. ACM, New York, NY, USA, 460–469.

Chadha, R., Cruz-Filipe, L., Mateus, P., and Sernadas, A. 2007. Reasoning about probabilistic sequential programs. Theoretical Computer Science 379, 1-2, 142–165.

Chaum, D. 1988. The dining cryptographers problem: Unconditional sender and recipient untraceability. J. Cryptology 1, 1, 65–75.

Chvatal, V. 1983. Linear Programming. Freeman.

Clarke, E. M., Biere, A., Raimi, R., and Zhu, Y. 2001. Bounded model checking using satisfiability solving. Formal Methods in System Design 19, 1, 7–34.

den Hartog, J. and de Vink, E. 2002. Verifying probabilistic programs using a Hoare-like logic. International Journal of Foundations of Computer Science 13, 3, 315–340.

Fagin, R. and Halpern, J. Y. 1994. Reasoning about knowledge and probability. J. ACM 41, 2, 340–367.

Fagin, R., Halpern, J. Y., and Megiddo, N. 1990. A logic for reasoning about probabilities. Information and Computation 87, 1/2, 78–128.

Gerth, R., Peled, D., Vardi, M. Y., and Wolper, P. 1996. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of the Fifteenth IFIP WG6.1 International Symposium on Protocol Specification, Testing and Verification XV. Chapman & Hall, Ltd., London, UK, 3–18.

Hansson, H. and Jonsson, B. 1994. A logic for reasoning about time and reliability. Formal Aspects of Computing 6, 5, 512–535.

Kozen, D. 1983. Results on the propositional mu-calculus. Theor. Comput. Sci. 27, 333–354.

Kozen, D. and Parikh, R. 1984. A decision procedure for the propositional mu-calculus. In Proceedings of the Carnegie Mellon Workshop on Logic of Programs. Springer-Verlag, London, UK, 313–325.

Kwiatkowska, M., Norman, G., and Parker, D. 2002. PRISM: Probabilistic symbolic model checker. In TOOLS ’02: Proceedings of the 12th International Conference on Computer Performance Evaluation, Modelling Techniques and Tools. Springer-Verlag, London, UK, 200–204.

Kwiatkowska, M., Norman, G., and Parker, D. 2004. Modelling and verification of probabilistic systems. In Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, P. Panangaden and F. V. Breugel, Eds. CRM Monograph Series, vol. 23. American Mathematical Society.

Kwiatkowska, M., Norman, G., and Parker, D. 2005. Probabilistic model checking in practice: Case studies with PRISM. SIGMETRICS Perform. Eval. Rev. 32, 4, 16–21.

Legay, A., Murawski, A. S., Ouaknine, J., and Worrell, J. 2008. On automated verification of probabilistic programs. In TACAS. 173–187.

Mateus, P. and Sernadas, A. 2004. Reasoning about quantum systems. In Logics in Artificial Intelligence, Ninth European Conference, JELIA’04, J. Alferes and J. Leite, Eds. Lecture Notes in Artificial Intelligence, vol. 3229. Springer-Verlag, 239–251.

Mateus, P. and Sernadas, A. 2006. Weakly complete axiomatization of exogenous quantum propositional logic. Information and Computation 204, 5, 771–794. ArXiv math.LO/0503453.

Mateus, P., Sernadas, A., and Sernadas, C. 2005. Exogenous semantics approach to enriching logics. In Essays on the Foundations of Mathematics and Logic, G. Sica, Ed. Vol. 1. Polimetrica, 165–194.

Nasu, M. and Honda, N. 1969. Mappings induced by pgsm-mappings and some recursively unsolvable problems of finite probabilistic automata. Information and Control 15, 3, 250–273.

Rabin, M. O. 1963. Probabilistic automata. Information and Control 6, 3, 230–245.

Sistla, A. P. and Clarke, E. M. 1985. The complexity of propositional linear temporal logics. J. ACM 32, 3, 733–749.

Vardi, M. Y. and Wolper, P. 1986. An automata-theoretic approach to automatic program verification. In Proc. 1st Symp. on Logic in Computer Science. Cambridge, 332–344.

Vardi, M. Y. and Wolper, P. 1994. Reasoning about infinite computations. Information and Computation 115, 1–37.

Walukiewicz, I. 1995. Completeness of Kozen’s axiomatisation of the propositional mu-calculus. In LICS ’95: Proceedings of the 10th Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society, Washington, DC, USA, 14.