Circular causality in event structures Tiziana Cimoli Dip. - PowerPoint PPT Presentation

Circular causality in event structures Tiziana Cimoli Dip. Matematica e Informatica, Universit` a degli Studi di Cagliari t.cimoli@unica.it (joint work with M. Bartoletti, G.M. Pinna, R. Zunino) 1 / 38

A typical transaction 1. B pays. 2. A ships. 2 / 38

A distrusted transation 1. B pays. 2. A takes the money and runs away. 3 / 38

Contract based computing (1) 4 / 38

Contract based computing (2) 5 / 38

Contract based computing (3) 6 / 38

Contract based computing (4) 7 / 38

A model for contracts The model must be able to : ◮ decide if γ has an agreement ◮ make γ evolve under actions ◮ assign duties to principals ◮ detect violations Example: “A will ship after B does pay” ◮ contract-as-process: pay . ship ◮ contract-as-formula: pay → ship 8 / 38

Winskel’s Event structures Event structures E = ( E , # , ⊢ ) are made of: ◮ a set of events E , ◮ a conflict relation # ( e 1 # e 2) ◮ an enabling relation ⊢ ( X ⊢ e 2) ES Contract { payCC } ⊢ ship I will ship after you payCC { payCash } ⊢ ship ⇐ ⇒ I will ship after you payCash payCash # payCC I will either payCC or payCash 9 / 38

ES: Configurations A set C of events is a configuration if, 1. C is conflict free and 2. for all e ∈ C , there exists a sequence � e 0 , . . . , e n � of events of C such that e n = e and: ∀ i ≤ n : { e 0 , . . . , e i − 1 } ⊢ e i The set of configurations of E is denoted by F E . 10 / 38

Example ∅ ⊢ a c { a } ⊢ b { a } ⊢ c a b b#c F = { ∅ , { a } , { a , b } , { a , c }} 11 / 38

Buyer-Seller (1) 1. A says: I ship, after you pay. 2. B says: I pay, after you ship. Modelled as an event structure: ◮ E A : { pay } ⊢ ship ◮ E B : { ship } ⊢ pay The event structure E A ∪ E b does not have any configuration besides the empty one: ◮ no agreement and no move ! 12 / 38

Buyer-Seller (2) 1. A says: I ship, after you pay. 2. B says: I pay. Modelled as an event structure: ◮ E A : { pay } ⊢ ship ◮ E B : ∅ ⊢ pay Configurations of E A ∪ E b are : ∅ , { pay } and { pay , ship } . On { pay , ship } there is an agreement. 13 / 38

Buyer-seller: the attack (3) Now, an attack is possible: 1. M(A) says: 1 sheep, after you pay 2. B says: I pay. Modelled as an event structure: ◮ E M : { pay } ⊢ sheep ◮ E B : ∅ ⊢ pay The problem: a contract of the form ∅ ⊢ a offers no protection. 14 / 38

The idea. 1. M(A) says: 1 sheep, after you pay 2. B says: I will pay if you promise to ship. Modelled as an event structure: ◮ E A : { pay } ⊢ sheep. ◮ E B : { ship } � pay. Now, B is protected. 15 / 38

Event structures with circular causality CES E = ( E , # , ⊢ , � ) are made of: ◮ a set of events E , ◮ a conflict relation #, ◮ an enabling relation ⊢ , ◮ a circular enabling relation � . CES: Contract: { pay } ⊢ ship I will ship after you pay. ⇐ ⇒ { ship } � pay I will pay if you promise to ship. 16 / 38

Event structures with circular causality CES E = ( E , # , ⊢ , � ) are made of: ◮ a set of events E , ◮ a conflict relation #, ◮ an enabling relation ⊢ , ◮ a circular enabling relation � . CES: Contract: { pay } � � ship � I will ship if you promise to pay. ⇐ ⇒ { ship } � pay I will pay if you promise to ship. 17 / 38

CES: configurations Winskel’s configurations: ∀ i ≤ n : { e 0 , . . . , e i − 1 } ⊢ e i CES configurations: ∀ i ≤ n : { e 0 , . . . , e i − 1 } ⊢ e i ∨ { e 0 , . . . , e n } � e i 18 / 38

CES: example pay ⊢ ship pay ship ship � pay Configurations: ◮ ∅ ◮ { ship , pay } has only the trace � pay , ship � 19 / 38

ES: families of configurations The set F of configurations of an ES satisfies: ◮ coherence : ⇒ � A ∈ F for all A ⊆ F pairwise compatible 1 = 1 A ⊆ F pairwise compatible iff ∀ e , e ′ ∈ � A . ∃ C ∈ F . e , e ′ ∈ C 20 / 38

ES: families of configurations The set F of configurations of an ES satisfies: ◮ coherence : ⇒ � A ∈ F for all A ⊆ F pairwise compatible 1 = ◮ finiteness : ∀ C ∈ F . ∀ e ∈ C . ∃ C 0 ∈ F . e ∈ C 0 ⊆ fin C 1 A ⊆ F pairwise compatible iff ∀ e , e ′ ∈ � A . ∃ C ∈ F . e , e ′ ∈ C 20 / 38

ES: families of configurations The set F of configurations of an ES satisfies: ◮ coherence : ⇒ � A ∈ F for all A ⊆ F pairwise compatible 1 = ◮ finiteness : ∀ C ∈ F . ∀ e ∈ C . ∃ C 0 ∈ F . e ∈ C 0 ⊆ fin C ◮ coincidence-freeness : for all C ∈ F , and for all e � = e ′ ∈ C : ∃ C ′ ∈ F . C ′ ⊆ C ∧ ( e ∈ C ′ ⇐ ⇒ e ′ �∈ C ′ ) 1 A ⊆ F pairwise compatible iff ∀ e , e ′ ∈ � A . ∃ C ∈ F . e , e ′ ∈ C 20 / 38

CES: quasi-families of configurations The set F of configurations of a CES form a quasi-family of subsets of events because it satisfies ◮ coherence and ◮ finiteness ... but in general it does not satisfy coincidence-freeness! Example pay ⊢ ship pay ship � pay ship F = {∅ , { pay , ship }} 21 / 38

From Quasi-families to CES Theorem. For all quasi-families of configurations F , there exists a CES ˆ E (with circular enablings only) such that E = F F ˆ 22 / 38

ES: LTS Winksel’s LTS: C ⊢ e CF ( C ∪ { e } ) e − → E C ∪ { e } C a b Ex: ⊢ a , { a } ⊢ b ∅ − → { a } − → { a , b } What happens in CES? a b Ex: { b } � a , { a } ⊢ b ∅ − → ? − → { a , b } 23 / 38

CES: X -configurations CES Configurations: { e 0 , . . . , e i − 1 } ⊢ e i ∨ { e 0 , . . . , e n } � e i CES X-configurations: { e 0 , . . . , e i − 1 } ⊢ e i ∨ { e 0 , . . . , e n } � e i ∨ e i ∈ X The set of all X -configurations is denoted by F ( X ). X is a superset of all the pending credits. 24 / 38

Example pay ⊢ ship pay ship ship � pay a b ( ∅ , ∅ ) − − → {{ a } , { a }} − − → {{ a , b } , ∅} 25 / 38

Example pay ⊢ ship pay ship ship � pay a b ( ∅ , ∅ ) − − → {{ a } , { a }} − − → {{ a , b } , ∅} | | | F ( ∅ ) F ( { a } ) F ( ∅ ) 25 / 38

LTS for event structures Winksel’s LTS: C ⊢ e CF ( C ∪ { e } ) e C − → E C ∪ { e } CES’ LTS: CF ( C ∪ { e } ) e ( C , X ) − → E ( C ∪ { e } , X ′ ) where X ′ = least credit of C ∪ { e } 26 / 38

Properties of X-configurations (1) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ C ) C ∈ F ( X ) C ∪ C ′ ∈ F ( X ) 27 / 38

Properties of X-configurations (1) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ C ) C ∈ F ( X ) C ∪ C ′ ∈ F ( X ) In Intuitionistic Propositional Logic: Γ ⊢ p Γ , p ⊢ q (Cut) Γ ⊢ q 27 / 38

Properties of X-configurations (2) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ Y ) C ∈ F ( X ) C ⊢ Y C ∪ C ′ ∈ F ( X ) 28 / 38

Properties of X-configurations (2) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ Y ) C ∈ F ( X ) C ⊢ Y C ∪ C ′ ∈ F ( X ) In Intuitionistic Propositional Logic: Γ ⊢ p Γ , q ⊢ r p → q ∈ Γ ( → L) Γ ⊢ r 28 / 38

Other properties of X-configurations (3) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ Y ) C ∈ F ( X ∪ C ′ ) C � Y C ∪ C ′ ∈ F ( X ) 29 / 38

Other properties of X-configurations (3) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ Y ) C ∈ F ( X ∪ C ′ ) C � Y C ∪ C ′ ∈ F ( X ) Γ , r ⊢ p Γ , q ⊢ r p ։ q ∈ Γ (Fix) Γ ⊢ r 29 / 38

Other properties of X-configurations (3) Th. If CF ( C ∪ C ′ ): C ′ ∈ F ( X ∪ Y ) C ∈ F ( X ∪ C ′ ) C � Y C ∪ C ′ ∈ F ( X ) Γ , r ⊢ p Γ , q ⊢ r p ։ q ∈ Γ (Fix) Γ ⊢ r Propositional Contract Logic (PCL) - M. Bartoletti & R. Zunino, LICS’10 29 / 38

Propositional Contract Logic (M. Bartoletti & R. Zunino, LICS’10) Syntax: p ::= IPC formulae | p ։ p Axioms: IPC axioms + some for the contractual implications: ⊤ ։ ⊤ ( p ։ p ) → p ( p ′ → p ) → ( p ։ q ) → ( q → q ′ ) → ( p ′ ։ q ′ ) a ։ b ∧ b ։ a ⊢ PCL a ∧ b Note: 30 / 38

Structural properties of PCL Gentzen-style proof system ⊢ PCL : ◮ consistency ◮ subformula property ◮ cut elimination ◮ decidability PCL not homomorphically encodable into IPC. 31 / 38

CES configuration via PCL [] F : finite CES − → PCL formulae a ⊢ b a b b � a Encoding of E : ◮ [a ⊢ b] F = (! b ∧ ! a ∧ a ) → b ◮ [b � a] F = (! a ∧ ! b ∧ b ) ։ a { a , b } ∈ F ⇐ ⇒ [ E ] F , ! a , ! b ⊢ PCL a ∧ b { a } �∈ F ⇐ ⇒ [ E ] F , ! a �⊢ PCL a 32 / 38

CES configuration via PCL Def. [( X i ◦ e i ) i ∈ I ] F = { [ X i ◦ e i ] F | i ∈ I } � → if ◦ = ⊢ � � [ X ◦ e ] F = ! e ∧ X ∧ ! X [ ◦ ] e [ ◦ ] = if ◦ = � ։ [ a # b ] F = (! a ∧ ! b ) → ⊥ Th. Let E be a finite CES. For all C ⊆ E and for all X ⊆ E : C ∈ F E ( X ) ⇐ ⇒ [ E ] F , ! C , X ⊢ PCL C and [ E ] F , ! C , X �⊢ PCL ⊥ 33 / 38

Conclusions ◮ A model for contracts that ◮ is a conservative extension of event structures ◮ offers both agreements and protection 34 / 38

Conclusions ◮ A model for contracts that ◮ is a conservative extension of event structures ◮ offers both agreements and protection ◮ Strong relations between CES and contract logic ◮ configurations, ◮ reachable events ◮ urgent events 34 / 38