Simplicial models for the epistemic logic of faulty agents

Goubault, Éric; Kniazev, Roman; Ledent, Jérémy; Rajsbaum, Sergio

doi:10.1007/s40590-024-00656-x

Simplicial models for the epistemic logic of faulty agents

Original Article
Open access
Published: 09 September 2024

Volume 30, article number 90, (2024)
Cite this article

Download PDF

You have full access to this open access article

Boletín de la Sociedad Matemática Mexicana Aims and scope Submit manuscript

Simplicial models for the epistemic logic of faulty agents

Download PDF

376 Accesses
Explore all metrics

Abstract

In recent years, several authors have been investigating simplicial models, a model of epistemic logic based on higher dimensional structures called simplicial complexes. In the original formulation of Goubault et al. (Inf Comput 278:104597, 2021. https://doi.org/10.1016/j.ic.2020.104597), simplicial models are always assumed to be pure, meaning that all worlds have the same dimension. This is equivalent to the standard $\mathbf {S5_n}$ semantics of epistemic logic, based on Kripke models. By removing the assumption that models must be pure, we can go beyond the usual Kripke semantics and study epistemic logics where the number of agents participating in a world can vary. This approach has been developed in a number of papers (van Ditmarsch, WoLLIC 2021, pp 31–46, 2021. https://doi.org/10.1007/978-3-030-88853-4_3; Goubault et al. STACS 2022, pp 33:1–33:20, 2022. https://doi.org/10.4230/LIPIcs.STACS.2022.33; Goubault et al. LICS, pp 1–13, 2023. https://doi.org/10.1109/LICS56636.2023.10175737), with applications in fault-tolerant distributed computing where processes may crash during the execution of a system. A difficulty that arises is that subtle design choices in the definition of impure simplicial models can result in different axioms of the resulting logic. In this paper, we classify those design choices systematically, and axiomatize the corresponding logics. We illustrate them via distributed computing examples of synchronous systems where processes may crash.

Wanted Dead or Alive: Epistemic Logic for Impure Simplicial Complexes

Knowledge and Simplicial Complexes

Communication Pattern Logic: Epistemic and Topological Views

Article 28 July 2023

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

Logics for reasoning about multi-agent systems have been thoroughly studied, and are of interest to various research areas, including logic, artificial intelligence, economics, and game theory [41]. They are of particular interest to distributed systems since the early 1980s, showing the fundamental role of notions such as common knowledge [13, 36]. Modal epistemic logics are used, with a language extending propositional logic by adding modalities $K_a$ representing the knowledge of each agent a.

The success of modal logics for reasoning about multi-agent systems is based on Kripke semantics, built around the notion of “possible world” representing the state of the system. States and their relations are formally represented in Kripke models, where a binary relation for each agent a is taken to mean that a cannot tell two states apart. This classic possible worlds relational structure was developed by Rudolf Carnap, Stig Kanger, Jakko Hintikka and Saul Kripke in the late 1950s and early 1960s.

From global states to local states. However, the intimate relationship between distributed computing and algebraic topology discovered in 1993 [26] showed the importance of moving from using worlds as the primary object, to perspectives about the worlds. After all, what exists in a distributed system is only the local states of the agents and events observable within the system. The world, namely the global state of the system, consists of the set of local states of the agents, and in some cases the state of the environment, such as messages in transit or the state of the shared memory. Thus, a world is an abstraction that may be useful to reason about the system, but not directly observable by the agents.

This point of view led to topological models of distributed systems, via a simplicial complex constructed using the local states as vertices and the global states as simplexes. Remarkably, it was shown that there are topological invariants that are preserved while the agents communicate with each other, that in turn determine which distributed tasks can be solved, or how fast they can be solved. A fruitful theory has been developed since then (see [26] for an overview), for a variety of message passing and shared memory systems, where synchronous or asynchronous processes may fail.

The topological theory of distributed computability shows that the power of a distributed system to solve input/output tasks is determined by multi-dimensional indistinguishability relations by sets of local states, rather than in the binary indistinguishability relations between pairs of global states defined in a Kripke structure. The solvability of some tasks such as consensus depends only on the one-dimensional (graph) connectivity of the Kripke structure of global states, and hence is intimately related to common knowledge. However, other tasks are known whose solvability depends on the higher dimensional connectivity properties of the simplicial complex of local states. An example of such a task is $\varepsilon $-approximate agreement, where processes start with inputs in a Euclidean space of some dimension d, and communicate to decide on values at distance $\varepsilon $ away from each other, in the convex hull of their inputs [33]. Another notable example is k-set agreement, where agents agree on at most k different input values among a discrete set of possible inputs [27].

From Kripke models to simplicial models. The realization that distributed computability is of a topological nature motivated the development of a formal semantics of epistemic logic formulas in terms of simplicial models [21]. A new class of models was introduced, based on simplicial complexes, which is equivalent to the usual Kripke model semantics for $\mathbf {S5_n}$. Tools were provided to reason about solvability of distributed tasks such as consensus, approximate agreement and equality negation [21, 44], as well as k-set agreement [47]. Bisimilarity of simplicial models was studied in [43], and connections with covering spaces in [44].

Interestingly, the use of simplicial complexes exposes the importance of the well-known notion of distributed knowledge [24], to be a higher dimensional version of knowledge. With respect to a group of k agents, distributed knowledge operates by moving from simplex to simplex along shared faces of k vertices corresponding to those agents. The use of distributed knowledge was crucial for the recent logical obstruction to the solvability of set agreement by Yagi and Nishimura [47].

The categorical equivalence of [21] between $\mathbf {S5_n}$ Kripke models and simplicial models associates each world of the Kripke model with a facet of the corresponding simplicial model. A core assumption of these models is that the same set of n agents always participate in every possible world. Because of this, every facet of the simplicial model is of the same dimension. Such models are called pure simplicial models. They can be used to analyze asynchronous models where crash failures are undetectable, such as the basic wait-free shared-memory model of computation [28], where all interleavings of the individual operations of the agents are possible, to show that a task is not wait-free solvable.

When agents may die. In this paper we wish to extend this equivalence to include simplicial models that are not pure. The goal is to be able to reason about situations where not necessarily all agents are present in every world. A variety of such situations have been frequently studied in distributed computing, motivated by, to name just a few, peer-to-peer systems with a permanently evolving set of nodes [37], in robot systems [16], in concurrent computing where the set of processes can evolve [1], in natural systems [39], and in blockchains [29].

Another way the set of agents can vary is in fault-tolerant distributed computing, when the agent represents a hardware or software component that has failed by crashing. Synchronous distributed systems where processes may fail by crashing have been thoroughly studied since early on in distributed computability, and have served to develop the theory of knowledge since e.g. the seminal work of Dwork and Moses [12], where a complete characterization of the number of rounds required to reach simultaneous consensus was given, in terms of common knowledge. For more recent additional references on algorithmic work see e.g. [4, 6] and on knowledge based work see e.g [5, 18, 25]. Lower bounds on the number of rounds needed to solve set agreement are proved using the topological structure of the induced simplicial complexes e.g. [9, 30]. We will discuss later on the corresponding impure complexes, depicted in Fig. 1.

Contributions. We introduce in this paper an epistemic logic whose semantics is naturally given by impure simplicial models. When some agents are missing from a simplex, in epistemic logic terms, we will say that agents may die. Semantics based on Kripke models has been very successful to study synchronous crash-failure models, but mainly for consensus [13]. By moving from Kripke models to impure simplicial models, we open the door to study tasks beyond consensus when not all agents are always present, whose solvability depends on a higher dimensional structure; such as k-set agreement, renaming [7], multi-dimensional agreement [33].

We start by discussing the distributed knowledge operator. Then, we introduce a generalized notion of simplicial models, where any simplex can be marked as a world, not necessarily a facet. As we have seen in our previous work [21], simplicial models correspond to Kripke models that are proper. While this was not restrictive when we considered only the knowledge operator $K_a\,\varphi $, it becomes important when we include distributed knowledge, $D_B\,\varphi $. Indeed, even in the standard setting of the logic $\mathbf {S5_n}$, proper Kripke models obey the axiom $\varphi \Rightarrow D_A\,\varphi $, where A is the set of all agents, while this property might fail in non-proper models. In our setting where some agents may die, we introduce a similar axiom called P (see Sect. 3.3) for that purpose.

This new model comes with a full proof of completeness with respect to our epistemic logic. Compared to the other proofs of completeness for $D_B$ found in the literature [3, 14], we have two differences: our Kripke models are transitive and symmetric but not necessarily reflexive; and we have extra axioms that are specific to simplicial models. The general structure of the proof is however similar.

Finally we present a brief discussion about applications to fault-tolerant distributed computing. To study the dynamics of how processes can communicate and crash during the execution of a distributed protocol, we use a slightly modified version of communication patterns [8]. Communication patterns are an alternative to the action models of Dynamic Epistemic Logic (DEL), which is better suited to study distributed computing dynamics. In the original formulation of communication patterns [8], the communication graphs are always assumed to be reflexive; by relaxing this assumption, we can accommodate the possibility of crashing agents. Finally, in Sect. 7.3, to exemplify how our logical framework can be leveraged to prove impossibility results in distributed computing, we study a classic example of a non-pure protocol complex in distributed computing: the synchronous crash failures model of computation [12]. This model has been exploited in [9, 30] to establish a lower bound on the number of rounds required to solve set agreement. Notice in Fig. 1 that the protocol complex is no longer a subdivision of the input complex, as in the asynchronous wait-free case. Due to the possibility of crashes, holes and lower-dimensional simplexes appear after the first round.

Relationship with previous papers. This article is an extended version of our conference paper [22], and also includes some ideas from a sequel conference paper [20]. The definition of generalized simplicial models as formulated in Definition 6 is new; it subsumes the impure simplicial models studied in [22], but it is strictly included in the so-called epistemic covering models studied in [20]. Contrary to the two conference papers, we include all proofs, including a fully detailed proof of completeness in Sect. 5. Moreover, in Sects. 6 and 7, we go beyond the static setting studied until now, and introduce a new framework to study the dynamics of distributed communication with crashes.

Compared to [22], we extended both the logic (adding the distributed knowledge operator), and the class of models that we consider (allowing worlds that are not facets of the simplicial complex). Using distributed knowledge is crucial to study higher-dimensional geometric properties of models. It also makes explicit the role of proper models: the peculiar “single-agent” axiom SA of [22] is now subsumed by our axiom of properness P. This shows that there is nothing specific about the worlds with only one agent; we just lacked the distributed knowledge operator to express this in higher dimensions. Allowing models where some worlds are not facets is important from the point of view of distributed computing, as it allows to model situations with undetectable crashes (see Sect. 6).
Compared to [20], the class of models that we study here is less general: we do not allow non-proper behaviour, and we do not allow models with a semi-simplicial set geometric structure (a.k.a. pseudo-models, using the Kripke model terminology). Both of those features are somewhat cumbersome to work with, and are rarely needed for distributed computing applications. In particular, properly defining semi-simplicial sets involves some fairly advanced categorical lingo. Here, we prefer to stay within the framework of simplicial complexes, and keep the paper easily accessible to readers unfamiliar with category theory.

Related work. A line of work started by Dwork and Moses [12] studied in great detail the synchronous crash failures model from an epistemic logic perspective. However, in their approach, the crashed processes are treated the same as the active ones, with a distinguished local state “fail”. In that sense, all agents are present in every state, hence they still model the usual epistemic logic $\mathbf {S5_n}$. Instead of changing the underlying model as we do here, they introduce new knowledge and common knowledge operators that take into account the non-rigid set of agents (see, e.g. [35], Chapter 6.4).

There are two other works that we are aware of, that considered the problem of defining a semantics of knowledge for possibly impure simplicial complexes. Velázquez-Cervantes [46] studies projections from impure complexes to pure sub-complexes, and algorithmic transformations between Kripke models and simplicial complexes. More relevant to our purpose is the paper of van Ditmarsch [42], who describes a two-staged semantics with a definability relation prescribing which formulas can be interpreted, on top of which the usual satisfaction relation is defined. This results in a three-valued logic, where formulas can be true, false or undefined. A complete axiomatization of this logic was later established in [40], and it ends up being quite peculiar: for instance, it does not obey Axiom K, which is the common ground of all Kripke-style modal logics. In contrast, we take a more systematic approach: we first establish a tight categorical correspondence between simplicial models and Kripke models. Via this correspondence, we translate the standard Kripke-style semantics to simplicial models. This leads us to a more standard two-valued logic, based on the well-understood modal logic $\mathbf {KB4_n}$.

In another related paper [19], we proposed a third approach to study the epistemic logic of faulty agents. In that work, we study a refinement of epistemic logic where formulas are separated into several sorts: “agent formulas” and “world formulas”. This avoids entirely the question of how to define the knowledge of a dead agent, since such a formula would be ill-typed. This approach might constitute a bridge between the three-valued semantics of van Ditmarsch et al., and the two-valued semantics presented here. The results of [19] are formulated using so-called hypergraph models rather than simplicial models. As we will see in Remark 14, this is not a fundamental difference, but simply a shift in perspective.

The example of synchronous crash failures that we study in Sect. 7 has also been considered in [38], concurrently with our paper. However, some slight differences can be noted. To formalize the dynamics, they introduce a variant of the DEL action models in which processes can crash; whereas we rely on a variant of communication pattern models (Sect. 6). As expected, the resulting simplicial model for synchronous crash failures is the same. Moreover, the obstruction formula used to prove impossibility is different: in [38], the formula is specifically tailored to prove impossibility in one round, using three nested knowledge operators. In contrast, we use a more general formula relying on the common knowledge operator. Lastly, we discuss some other variants of consensus task specification in the presence of crashes. Our main focus though, is to showcase how the epistemic logic machinery developed in this paper can be used to study concrete distributed computing problems.

Plan of the paper. In Sect. 2, we briefly recall the equivalence between pure simplicial complexes and epistemic Kripke models, as originally studied in [21]. In Sect. 3, we introduce generalized simplicial models as a semantics for distributed knowledge. We then define in Sect. 4 an equivalent class of Kripke models, called partial epistemic models, and describe the formal relationship with simplicial models. The main technical result of the paper is the completeness result, proved in full detail in Sect. 5. Then, in Sect. 6, we define an update operator to study the dynamics of simplicial models, based on communication patterns. And finally in Sect. 7, as a proof of concept, we study the solvability of consensus in the synchronous message-passing model.

2 Background on simplicial complexes and Kripke structures

Chromatic simplicial complexes. Simplicial complexes with vertices labelled with agent names have been used extensively in the field of fault-tolerant distributed protocols [26]. They are defined as follows:

Definition 1

A simplicial complex is a pair ${\mathcal {C}}= \langle V,S \rangle $ where V is a set, and $S \subseteq \mathscr {P}(V)$ is a family of non-empty subsets of V such that:

for all $v \in V$, $\{v\} \in S$, and
S is downward-closed: for all $X \in S$, $Y \subseteq X$ implies $Y \in S$.

Given a finite set A of colours, a chromatic simplicial complex coloured by A is a triple $\langle V,S,\chi \rangle $ where $\langle V,S \rangle $ is a simplicial complex, and $\chi : V \rightarrow A$ is required to assign distinct colours to the elements of every $X \in S$.

Elements of V (identified with singletons) are called vertices. Elements of S are simplexes, and the ones that are maximal w.r.t. inclusion are facets. The set of facets of ${\mathcal {C}}$ is denoted $\textsf{Facets}({\mathcal {C}})$. The dimension of a simplex $X \in S$ is $\dim (X) = |X|-1$. A face of a simplex X is a subset $X'\subseteq X$. A simplicial complex C is pure if all facets are of the same dimension.

The condition of having distinct colours for vertices of a simplex X implies that given a set of colours U of $\chi (X)$, there is a unique face of X coloured with U.

Chromatic simplicial complexes can be arranged into a category, whose morphisms preserve simplex dimension:

Definition 2

A chromatic simplicial map from ${\mathcal {C}}= \langle V,S,\chi \rangle $ to ${\mathcal {D}}= \langle V',S',\chi ' \rangle $ is a function $f: V \rightarrow V'$ such that:

f maps simplexes to simplexes, i.e., for every $X \in S$, $f(X) \in S'$, and
f respects colours, i.e., for every $v\in V$, $\chi '(f(v)) = \chi (v)$.

We denote by $\mathsf {SimCpx_{A}}$ the category of chromatic simplicial complexes coloured by A, and $\mathsf {SimCpx^\textrm{pure}_{A}}$ the full sub-category of pure chromatic simplicial complexes on A.

Equivalence with epistemic frames. The traditional possible worlds semantics of (multi-agent) modal logics relies on the notion of Kripke frame. In the following definition, we fix a finite set A of agents.

Definition 3

A Kripke frame $M = \langle W, R \rangle $ is given by a set of worlds W, together with an A-indexed family of relations on W, $R: A \rightarrow \mathscr {P}(W \times W)$. We write $R_a$ rather than R(a), and $u\,R_a\,v$ instead of $(u,v) \in R_a$. The relation $R_a$ is called the a-accessibility relation. Given two Kripke frames $M=\langle W, R \rangle $ and $N=\langle W',R' \rangle $, a morphism from M to N is a function $f: W \rightarrow W'$ such that for all $u, v \in W$, for all $a \in A$, $u\,{R_a}\,v$ implies $f(u)\,{R'_a}\,f(v)$.

To model multi-agent epistemic logic $\mathbf {S5_n}$, we additionally require each relation $R_a$ to be an equivalence relation. When this is the case, we usually denote the relation by $\sim _a$, and call it the indistinguishability relation. For the equivalence class of w with respect to $\sim _a$, we write $[w]_{a} \subseteq W$. Kripke frames satisfying this condition are called epistemic frames. An epistemic frame is proper when two distinct worlds can always be distinguished by at least one agent: for all $w,w' \in W$, if $w \ne w'$ then $w \not \sim _a w'$ for some $a \in A$. In [21], we exploited an equivalence of categories between pure chromatic simplicial complexes and proper Kripke frames, to give an interpretation of $\mathbf {S5_n}$ on simplicial models. This allowed us to apply epistemic logics to study distributed tasks.

Theorem 4

(see [21]) The category of pure chromatic simplicial complexes $\mathsf {SimCpx^\textrm{pure}_{A}}$ is equivalent to the category of proper epistemic frames $\mathsf {EFrame^\textrm{proper}_{A}}$.

Example 5

The picture below shows an epistemic frame (left) and its associated chromatic simplicial complex (right). The three agents a, b, c, are represented as colours blue, magenta and green (respectively) on the vertices of the simplicial complex. The three worlds $\{w_1, w_2, w_3\}$ of the epistemic frame correspond to the three facets (triangles) of the simplicial complex. The c-labelled edge between the two worlds $w_2$ and $w_3$ indicates that $w_2 \sim _c w_3$. Correspondingly, the two facets $w_2$ and $w_3$ of the simplicial complex share a common vertex, coloured in green (agent c). Similarly, the two facets $w_1$ and $w_2$ share their ab-coloured edge.

3 Simplicial semantics of epistemic logic with distributed knowledge

Let $\textsf{At}$ be a countable set of atomic propositions and A a finite set of agents. We consider the language $\mathcal {L}_D$ of epistemic logic with the distributed knowledge operator [13, 24], generated by the following BNF grammar:

$$\begin{aligned} \varphi {:}{:}= p \mid \lnot \varphi \mid \varphi \wedge \varphi \mid D_B\,\varphi \qquad p \in \textsf{At},\ B \subseteq A,\ B \ne \varnothing \end{aligned}$$

Other standard operators can be derived from the basic ones as follows:

$$\begin{aligned} & \varphi \vee \psi := \lnot (\lnot \varphi \wedge \lnot \psi ) \quad \varphi \Rightarrow \psi := \lnot \varphi \vee \psi \quad \textsf{true}:= p \vee \lnot p \quad \textsf{false}:= \lnot \textsf{true}\\ & K_a\,\varphi := D_{\{a\}}\,\varphi \quad E_B\,\varphi := \bigwedge _{a \in B} K_a\,\varphi \end{aligned}$$

The distributed knowledge operator $D_B\,\varphi $ models, intuitively, what a group B of agents would know if they were able to combine their individual knowledge (for example, via perfectly reliable communication). Another way to explain it is that we view the group B of agents as a single entity, which is able to distinguish to possible worlds whenever at least one agent $a \in B$ can distinguish them. Thus, in the usual Kripke-style semantics for epistemic logic, the indistinguishability relation $\sim _B$ of the group B is obtained as the intersection of the relations of all the agents in B: $\sim _B \;=\; \bigcap _{a \in B} \sim _a$.

Distributed knowledge should not be confused with another group knowledge operator, the everybody knows operator $E_B\,\varphi $, which asserts that every agent in the group B knows the formula $\varphi $. Technically, this amounts to taking the union of the indistinguishability relations of the agents $a \in B$, rather than the intersection. Another distinction between the two operators is that, given some agent $a \in B$, we have $E_B\,\varphi \Rightarrow K_a\,\varphi $ but $K_a\,\varphi \Rightarrow D_B\,\varphi $.

In the next section, we define the semantics of distributed knowledge for simplicial models. As we will see, this operator is crucial for our topological approach since it makes use of the higher-dimensional connectivity between adjacent simplexes. Indeed, while the operator $K_a\,\varphi $ only looks at whether two simplexes share a common vertex, the operator $D_B\,\varphi $ is concerned with whether two simplexes share a common face of higher dimension (edge, triangle, etc.). The distributed knowledge operator is also crucial for applications to distributed computing such as the k-set agreement tasks [31, 47].

3.1 Generalized simplicial models

Since the introduction of simplicial models in [21], several variants of this notion have been studied. Indeed, there is a number of design choices that can be made:

The underlying topological structure of the model. In the original paper [21], the model is assumed to be a pure simplicial complex. This yields a notion of model which is equivalent to standard Kripke models, but is quite restrictive from a topological point of view. Subsequent works have lifted this condition: both [42] and [22] (the conference version of this paper) consider possibly impure simplicial complexes. An even the larger class of models considered in a sequel of this work [20], obtained by considering semi-simplicial sets, a strict generalization of simplicial complexes.
Atomic propositions on the worlds vs. vertices. In the epistemic logic literature, the notion of Kripke model usually contains a valuation function, which equips each world with a set of atomic propositions. This contrasts with the usual practice in distributed computing, which labels the vertices of a model with atomic propositions instead. Previous papers on simplicial models have taken the distributed computing approach. In [21], we showed that this choice results in an extra axiom, dubbed the “Axiom of locality”, which asserts that every atomic proposition belongs to a particular agent, who must always know whether this proposition is true or false. Here, as we did in [22], we label directly the worlds of a model, in order to avoid dealing with this locality condition. This is strictly more general: local models as defined in [21] are a strict subclass of the models presented here. In Sect. 6, we will restrict to local models for distributed computing applications.
Worlds are facets versus simplexes. In the original paper on simplicial models [21], epistemic formulas could only be interpreted in a facet of a simplicial model; hence, we used the words “world” and “facet” interchangeably. The idea that any simplex (not necessarily a maximal one) might be a world was initially raised in [43], and further explored in [42]. In this approach, any simplex, without restriction, is considered to be a world, and we can interpret epistemic formulas on it. Here, we take an even more general stance, and require the model to specify a set of worlds, which may contain only the facets, or all simplexes, or any set of simplexes in-between the two. As we will see, there are distributed computing applications where the set of worlds is indeed something “in-between”.

We now introduce a notion of model based on (possibly not pure) simplicial complexes. They are equipped with a subset of simplexes called the worlds, which contains all the facets, and a valuation function that assigns to each world the set of all atomic propositions that are true in this world.

Definition 6

A (generalized) simplicial model ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ over the set of agents A consists of a chromatic simplicial complex $\langle V,S,\chi \rangle $ together with a distinguished set of worlds W such that $\textsf{Facets}({\mathcal {C}}) \subseteq W \subseteq S$, and a labelling $\ell : W \rightarrow \mathscr {P}(\textsf{At})$ that associates with each world $w \in W$ a set of atomic propositions.

Remark 7

Let us explain how the class of simplicial models of Definition 6 relates to those of previous papers. In the conference version of this work [22], the models that we studied were exactly those such that $W = \textsf{Facets}({\mathcal {C}})$ (here, we call them the “minimal” models). In the original paper on simplicial models [21], the class of models considered was even smaller: on top of being minimal, we further impose that ${\mathcal {C}}$ must be pure, and that the labelling $\ell $ of a facet must be given by the union of the local labellings on its vertices (we will properly define the class of “local” simplicial models in Sect. 6). The models studied by van Ditmarsch in [42] implicitly use the set of worlds $W = S$ instead (here, we call them the “maximal” models); however, we do not claim to cover this work since the satisfaction relation that we define on our models is very different from the one of [42]. Finally, the class of models considered in [20] is even larger than the one that we defined. It allows the underlying geometric structure to be a semi-simplicial set, rather than a simplicial complex. Moreover, it allows to have several copies of the same world (which we call being “non-proper” here). Using the terminology of [20], the simplicial models of Definition 6 are exactly the epistemic covering models that are proper, have no empty worlds, and have standard group knowledge.

A pointed simplicial model $({\mathcal {C}},w)$ consists of a simplicial model ${\mathcal {C}}$ together with a distinguished world $w \in W$. Given a pointed simplicial model $({\mathcal {C}},w)$, we define the satisfaction relation ${\mathcal {C}},w \models \varphi $ by induction on the formula $\varphi $, as follows.

$$\begin{aligned} \begin{array}{lcl} {\mathcal {C}},w \models p & \text {iff} & p \in \ell (w) \\ {\mathcal {C}},w \models \lnot \varphi & \text {iff} & {\mathcal {C}},w \not \models \varphi \\ {\mathcal {C}},w \models \varphi \wedge \psi & \text {iff} & {\mathcal {C}},w \models \varphi \text { and } {\mathcal {C}},w \models \psi \\ {\mathcal {C}},w \models D_B\,\varphi & \text {iff} & {\mathcal {C}},w' \models \varphi \text { for all } w' \in W \text { such that } B \subseteq \chi (w \cap w') \end{array} \end{aligned}$$

When the relation ${\mathcal {C}},w \models \varphi $ holds, we say that the formula $\varphi $ is true in the world w. The first three clauses are the standard interpretation of propositional logic. The one for distributed knowledge says the following: $D_B\,\varphi $ is true in world w when $\varphi $ is true in every world $w'$ that shares a B-coloured face with w.

We will study the following two important subclasses of simplicial models.

Definition 8

A simplicial model ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ is called:

minimal, when the set of worlds is the set of facets, i.e., $W = \textsf{Facets}({\mathcal {C}})$.
maximal, when the set of worlds is the set of all simplexes, i.e., $W = S$.

Example 9

Three toy examples are depicted below to illustrate some specific features of our models. The three models (called ${\mathcal {C}}_1$, ${\mathcal {C}}_2$ and ${\mathcal {C}}_3$ from left to right) use the same set of agents, $A = \{a,b,c\}$. The agents a,b and c are depicted using colours blue, magenta and green, respectively. In all three models, there are four worlds $W = \{w_1, w_2, w_3, w_4\}$. We consider a unique atomic proposition called p which is true exactly in the worlds $w_1$ and $w_2$. Thus, we have $\textsf{At}= \{p\}$, and the valuation function is given by $\ell (w_1) = \ell (w_2) = \{p\}$ and $\ell (w_3) = \ell (w_4) = \varnothing $. Note that the models ${\mathcal {C}}_1$ and ${\mathcal {C}}_2$ are both minimal, since all the worlds are facets. On the other hand, model ${\mathcal {C}}_3$ is neither maximal nor minimal.

Let us comment some of the example formulas given above.

Model ${\mathcal {C}}_1$ illustrates the topological meaning of distributed knowledge. In the world $w_1$, agent b does not know p, because the world $w_4$ is indistinguishable (i.e., $w_4$ shares a b-coloured vertex with $w_1$). Similarly, agent c does not know p, because of world $w_3$. However, the group $\{b,c\}$ has distributed knowledge of p. Indeed, to check that $D_{\{b,c\}}\,p$ holds in world $w_1$, we have to check all the worlds that share a bc-coloured edge with $w_1$. The only worlds which qualify are $w_1$ and $w_2$, and in both cases, p is true.
Model ${\mathcal {C}}_2$ is an example of a model where the simplicial complex is not pure: it has a facet of dimension 2 ($w_1$) and three facets of dimension 1 ($w_2, w_3, w_4$). In the worlds $w_2$, $w_3$ and $w_4$, only the agents b and c are alive: the agent a is not participating. However, b and c may or may not be aware of whether a is alive or dead. Interestingly, we can still evaluate formulas talking about dead agents: in world $w_4$, we have ${\mathcal {C}}_2,w_4 \models K_a\,p$. Indeed, there is no world that shares an a-coloured vertex with $w_4$ (since $w_4$ has no a-coloured vertex to begin with!), so the condition is vacuously true. In fact, we could even write: ${\mathcal {C}}_2,w_4 \models K_a\,\textsf{false}$.
Model ${\mathcal {C}}_3$ is an example of a model which has sub-worlds. This situation arises when some agents may die, and when none of the remaining agents is aware of it. In the picture, all three agents are alive in world $w_1$; a is dead in $w_2$; c is dead in $w_3$; and both a and c are dead in $w_4$. One can check, for example, that in world $w_1$ the formula $D_{\{a,b\}}\,p$ is not satisfied, because $w_1$ shares and ab-coloured edge with the world $w_3$ where p does not hold. As in the model ${\mathcal {C}}_2$, some formulas can be vacuously true when they involve the knowledge of dead agents: for example, $D_{\{a,b\}}\,\textsf{false}$ holds in world $w_2$.

In Example 9, we introduced some informal vocabulary such as “alive” agents or “sub-worlds”. We now define these notions formally.

Definition 10

(alive, dead) Let ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ be a simplicial model, $w \in W$ a world of ${\mathcal {C}}$, and $a \in A$ an agent. We say that a is alive in w when $a \in \chi (w)$. Similarly, agent a is dead in w when $a \not \in \chi (w)$.

Definition 11

(sub-world) Given a simplicial complex $\langle V, S \rangle $, and two simplexes $X, Y \in S$, we say that X is a sub-simplex^{Footnote 1}of Y when $X \subseteq Y$. Similarly in a simplicial model $\langle V, S, \chi , W, \ell \rangle $, we say that a world $w_1 \in W$ is a sub-world of $w_2 \in W$ when $w_1 \subseteq w_2$.

Example 12

(Synchronous broadcast with one crash) The picture below shows a simplicial model after one round of the synchronous broadcast protocol with one crash failure, for three processes a, b and c. This distributed computing model will be studied in full detail in Sect. 7.3. This model is comprised of 10 facets $w_0, \ldots , w_9$ of various dimension. World $w_0$ (of dimension 2) corresponds to an execution where no crash occurred, so all three agents are alive. On the other hand, in worlds $w_1$, $w_2$ and $w_3$ (of dimension 1), agent c has crashed so only the agents a and b are alive. If we consider the minimal model where the set of worlds is exactly the facets $W = \{w_0, \ldots , w_9\}$, then we are modelling a protocol with detectable crashes. That is, we would be assuming implicitly that whenever a process crashes, one of the remaining processes has to be aware of it. If, instead, we want to consider a model where crashes might not always be detectable, we should also include some sub-worlds of this model. Note that we do not attach atomic propositions to the worlds here since this will be done in Sect. 7.3 where we describe this distributed computing example in more detail.

Example 13

(Immediate snapshot model with initial crashes) An example of a distributed computing model which is neither minimal nor maximal is the immediate snapshot model with initial crashes (see, e.g. [26, Chapter 8]). This means that a process can only crash before the start of the computation. In other words, the set of participating processes is not known in advance. Thus, in the picture below, there are 3 vertices $w_0, w_1, w_2$ corresponding to solo executions where only one process is alive; 9 edges $w_3, \ldots , w_{11}$ corresponding to executions where only two processes are participating; and 13 two-dimensional worlds $w_{12}, \ldots , w_{24}$ where all three processes are participating.

Remark 14

(Hypergraph models) Readers familiar with the notion of hypergraph might have noticed that our definition of generalized simplicial model (Definition 6) can be reformulated using hypergraphs. A hypergraph is a pair $\langle V,E \rangle $ where V is a set of vertices, and $E \subseteq \mathscr {P}(V)$ is a set of hyperedges. Thus, essentially, it is the same data as a simplicial complex, except that the set E of hyperedges is not required to be downward-closed. Indeed, simplicial complexes are a special case of hypergraphs. In a general hypergraph, we lose the geometric intuition of having higher dimensional cells (n-simplexes) that can share a common sub-simplex; instead, we think of a hyperedge simply as a relation linking n vertices together.

With that in mind, we can reformulate Definition 6 as follows. A hypergraph model is a tuple $\mathcal {H}= \langle V, E, \chi , \ell \rangle $, where $\langle V,E \rangle $ is a hypergraph, $\chi : V \rightarrow A$ is a colouring of the vertices such that every hyperedge has distinct colours, and $\ell : E \rightarrow \mathscr {P}(\textsf{At})$ labels each hyperedge with a set of atomic proposition. Notice that compared to generalized simplicial models, we got rid of one piece of data, the set of distinguished worlds W.

It is immediate to see that any generalized simplicial model ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ can be turned into a hypergraph model $\langle V, W, \chi , \ell \rangle $ where the set of hyperedges is W. Conversely, any hypergraph model $\mathcal {H}= \langle V, E, \chi , \ell \rangle $ can be turned into a generalized simplicial model $\langle V, {E}\!\downarrow , \chi , E, \ell \rangle $, where the set of simplexes is the downward-closure of E, and the distinguished set of worlds is E itself. This correspondence is bijective due to the fact that we always require the set W to contain all the facets of ${\mathcal {C}}$. Thus, both notions are equivalent, and simply the result of a slight change of vocabulary. In this paper, we prefer to keep the geometric intuition of simplicial complexes, at the price of keeping track of the extra set W.

Hypergraph models are discussed more thoroughly in [19], to study a different epistemic logic where formulas are separated into several sorts: “agent formulas’ and “world formulas”.

3.2 Reasoning about alive and dead agents

Until now, we discussed agents being “alive” or “dead” as a meta-level property of the model. It is a natural idea to try to internalize this notion in the logic, i.e., to have formulas expressing whether an agent is alive or dead, such as “agent a knows that agent b is dead”. Fortunately, such formulas can already be expressed in our logic without any extra syntax, as derived operators:

$$\begin{aligned} \textsf{dead}(a) :=\, K_a\, \textsf{false}\qquad \qquad \textsf{alive}(a) :=\, \lnot \textsf{dead}(a). \end{aligned}$$

It is easy to check that the semantics of these formulas is, as expected (cf. Definition 10):

$$\begin{aligned} {\mathcal {C}},w \models \textsf{alive}(a) \quad \text {iff} \quad a \in \chi (w). \end{aligned}$$

Example 15

Interestingly, that means we can investigate some structural properties of the models, without referring to the atomic propositions. We illustrate this with the two distributed computing models of Examples 12 and 13.

The simplicial model depicted in Example 12, where the set of worlds $W = \{w_0, \ldots , w_9\}$ contains only the facets, is an example of a model with detectable crashes. That is, in every world where some agent is dead, one of the alive agents is aware of that fact. Let ${\mathcal {C}}_{12}$ denote the simplicial model of Example 12. Then for instance, in world $w_1$, only the agents a and b are alive, i.e., ${\mathcal {C}}_{12}, w_1 \models \textsf{alive}(a) \wedge \textsf{alive}(b) \wedge \textsf{dead}(c)$. Moreover, a does not know that c is dead, but b knows it: ${\mathcal {C}}_{12}, w_1 \models \lnot K_a\, \textsf{dead}(c) \wedge K_b\,\textsf{dead}(c)$.
The simplicial model ${\mathcal {C}}_{13}$ of Example 13 is neither minimal nor maximal. Thus, the agents might be aware or not of which other agents are alive, depending on where we are in the model. In world $w_{17}$ in the centre of the picture, all three agents are alive, and they know that everyone is alive. For instance, ${\mathcal {C}}_{13}, w_{17} \models K_a\,\textsf{alive}(b) \wedge K_a\,\textsf{alive}(c)$. Closer to the border, in world $w_{15}$, agent a still knows that b is alive, but considers possible that c might be dead: ${\mathcal {C}}_{13}, w_{15} \models K_a\,\textsf{alive}(b) \wedge \lnot K_a\,\textsf{alive}(c)$. In the worlds that contain the top vertex $w_0$, agent a considers possible that everyone might be dead: ${\mathcal {C}}_{13}, w_{12} \models \lnot K_a\,\textsf{alive}(b) \wedge \lnot K_a\,\textsf{alive}(c)$.

For groups of agents, we also use the following abbreviations:

$$\begin{aligned} \textsf{dead}(B) :=\, \bigwedge _{a \in B} \textsf{dead}(a) \qquad \qquad \textsf{alive}(B) :=\, \lnot D_B \textsf{false}\end{aligned}$$

meaning that all the agents in B are dead (resp., alive). Note that $\textsf{dead}(B)$ is not equivalent to $D_B\, \textsf{false}$: the formula $D_B\, \textsf{false}$ is true when at least one agent $a \in B$ is dead.

3.3 Axiomatization: $\mathbf {KB4_n}$ and beyond

Simplicial models satisfy all the usual axioms of multi-agent epistemic logic, except for the axiom of truth. The logic we get is called $\mathbf {KB4_n}$, and comprises the following axioms:

$$\begin{aligned}&{{\textbf {K:}}}\quad D_B (\varphi \Rightarrow \psi ) \Rightarrow (D_B\,\varphi \Rightarrow D_B\,\psi )\\&{{\textbf {B:}}}\quad \varphi \Rightarrow D_B \lnot D_B \lnot \varphi \\&{{\textbf {4:}}}\quad D_B\,\varphi \Rightarrow D_B D_B\,\varphi . \end{aligned}$$

It is well known that Axiom $\textbf{5}$ is provable in $\mathbf {KB4_n}$ (see, e.g. [17]), so we also have:

$$\begin{aligned} {{\textbf {5:}}} \lnot D_B\,\varphi \Rightarrow D_B \lnot D_B\,\varphi . \end{aligned}$$

The difference between $\mathbf {KB4_n}$ and the more standard multi-agent epistemic logics $\mathbf {S5_n}$ is that we do not necessarily have axiom $\textbf{T}$: $K_a\,\varphi \Rightarrow \varphi $. Indeed, in any world of a simplicial model where the agent a is dead, axiom $\textbf{T}$ will be violated, since $K_a\,\textsf{false}$ is satisfied. Here are a few examples of valid formulas in $\mathbf {KB4_n}$, related to the life and death of agents.

– Dead agents know everything:	$\mathbf {KB4_n}\vdash \textsf{dead}(a) \Rightarrow K_a\,\varphi $.
More generally, for any $a \in B$:	$\mathbf {KB4_n}\vdash \textsf{dead}(a) \Rightarrow D_B\,\varphi $.
– Alive agents satisfy Axiom T:	$\mathbf {KB4_n}\vdash \textsf{alive}(a) \Rightarrow (K_a\,\varphi \Rightarrow \varphi )$.
More generally:	$\mathbf {KB4_n}\vdash \textsf{alive}(B) \Rightarrow (D_B\,\varphi \Rightarrow \varphi )$.
– Alive agents know they are alive:	$\mathbf {KB4_n}\vdash \textsf{alive}(a) \Rightarrow K_a\,\textsf{alive}(a)$.
More generally:	$\mathbf {KB4_n}\vdash \textsf{alive}(B) \Rightarrow D_B\,\textsf{alive}(B)$.

We also consider six additional axioms that are not provable in $\mathbf {KB4_n}$. The first one called monotonicity is standard when dealing with distributed knowledge. The second axiom, called union, arises from the interplay between distributed knowledge and the possibility of having dead agents. It ensures that each world has a unique maximal set of alive agents, making the dead/alive status of individual agents, rather than groups, the primary concern. The third axiom, non-emptiness, says that every world has at least one agent that is alive. The fourth one, the axiom of properness, says that if two worlds have the same set of alive agents and no alive agent can distinguish them, then they must satisfy the same formulas. It is best understood when taking $B = A$, in which case it says that in the worlds where everyone is alive, $\varphi \Rightarrow D_A\,\varphi $ holds. The last two axioms, minimality and maximality, capture the sub-classes of minimal and maximal simplicial models, respectively. They are explained in more detail in Example 16 below. In the following, we denote by $B^{\textsf{c}}$ the complement of the set of agents B, i.e., $B^{\textsf{c}} = A \setminus B$.

$$\begin{aligned} \begin{array}{lll} {{\textbf {Mono:}}}& {D_B\, \varphi \Rightarrow D_{B'}\,\varphi }& \text {for all } B \subseteq B' \subseteq A\\ {{\textbf {Union:}}}& {\textsf{alive}(B) \wedge \textsf{alive}(B') \Rightarrow \textsf{alive}(B\cup B') }& \text {for all } B, B' \subseteq A \\ {{\textbf {NE:}}}& \textstyle \bigvee _{a \in A} \textsf{alive}(a)& \\ {{\textbf {P:}}}& {\textsf{alive}(B) \wedge \textsf{dead}(B^{\textsf{c}}) \wedge \varphi \Rightarrow D_B(\textsf{dead}(B^{\textsf{c}}) \Rightarrow \varphi )}& \text {for all } B \subseteq A\\ {{\textbf {Min:}}}& {\textsf{alive}(B) \wedge \textsf{dead}(B^{\textsf{c}}) \Rightarrow D_B\,\textsf{dead}(B^{\textsf{c}}) }& \text {for all } B \subsetneq A\\ {{\textbf {Max:}}}& {\textsf{alive}(B) \Rightarrow \lnot D_B \lnot \textsf{dead}(B^{\textsf{c}}) }& \text {for all } B \subsetneq A \end{array} \end{aligned}$$

Example 16

We illustrate the axioms Min and Max with the three models below, denoted by ${\mathcal {C}}_4, {\mathcal {C}}_5, {\mathcal {C}}_6$ from left to right. Notice that ${\mathcal {C}}_4$ is minimal, ${\mathcal {C}}_6$ is maximal, and ${\mathcal {C}}_5$ is neither minimal nor maximal.

Axiom Min can be understood intuitively as saying that crashes must be detectable (cf. Example 12). Indeed, it says that whenever some set of agents $B^{\textsf{c}}$ have crashed, there is distributed knowledge among the remaining agents that they have crashed. This can be seen in world $w_2$ of model ${\mathcal {C}}_4$, where the set of alive agents is $B = \{a,b\}$. Neither a not b, individually, know that agent c is dead. However, there is distributed knowledge among $\{a,b\}$ that c is dead. Thus, Axiom Min is valid in model ${\mathcal {C}}_4$. The way to invalidate Axiom Min is to have a world which is a sub-world of another, such as world $w_2$ in model ${\mathcal {C}}_5$. There, we do not have $D_{\{a,b\}}\,\textsf{dead}(c)$, because of the possibility of world $w_1$ where c is alive.
Axiom Max says, intuitively, that all crash patterns are possible and undetectable. Thus, all the sub-worlds always exist. For example, in world $w_1$ of model ${\mathcal {C}}_6$, all agents are alive. Any subset B of the alive agents considers possible that everyone else might be dead. Particular instances of Axiom Max for $B = \{b,c\}$ and $B = \{a\}$ are written below the picture. The first one is satisfied because of the existence of world $w_3$; the second one, because of world $w_5$. Thus, Axiom Max is valid in model ${\mathcal {C}}_6$. The way to invalidate Axiom Max is to have a missing sub-world, such as in model ${\mathcal {C}}_5$. Since the bc-coloured edge is not a world of ${\mathcal {C}}_5$, Axiom Max fails for $B = \{b,c\}$.

Remark 17

In the conference version of this paper [22], we had a different set of axioms. This is due to two facts: (i) we only considered standard knowledge $K_a\,\varphi $ instead of distributed knowledge, and (ii) we worked with the sub-class of minimal models only, rather that the full generality presented here (see Remark 7). Moreover, the original version [22] was missing Axiom P. This was fixed later on arXiv [23]. Thus, because of (i), only the case of a single agent $B = \{a\}$ is required; and because of (ii), the two axioms P and Min are merged into a single axiom called SA. With those two assumptions in mind, we can check that our axioms are indeed consistent with the one of [23], ${\textbf {SA}}_\textbf{a}\!\!: \textsf{alive}(a) \wedge \textsf{dead}(\{a\}^{\textsf{c}}) \wedge \varphi \Rightarrow K_a\,\varphi $.

Remark 18

The Axioms ${\textbf {Min}}$ and ${\textbf {Max}}$ for $B = A$ are vacuously true. For Axiom ${\textbf {P}}$, we only really need the instances where $\varphi = p \in \textsf{At}$ is an atomic proposition.

One can check that Mono, Union, NE and P are valid in all simplicial models. The axiom Min is valid (exactly) in all minimal simplicial models; and the axiom Max is valid (exactly) in all maximal simplicial models. Hence, let us write $\textbf{SC}$ (“the logic of simplicial complexes”) for the proof system given by the axioms $\mathbf {KB4_n}+ {\textbf {Mono}} + {\textbf {Union}} + {\textbf {NE}} + {\textbf {P}}$, as well as all propositional tautologies, closure by modus ponens, and the necessitation rule: if $\varphi $ is a tautology, then $D_B\,\varphi $ is a tautology. We also write $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$ for the proof system $\textbf{SC}$ augmented, respectively, with the axioms Min and Max.

Proposition 19

The proof system $\textbf{SC}$ (resp., $\textbf{SC}_{\textbf{min}}$, $\textbf{SC}_{\textbf{max}}$) is sound with respect to the class of generalized (resp. minimal, maximal) simplicial models.

Proof

The proof of soundness is straightforward as usual by induction on the proof of a formula $\varphi $. We only check that the axioms of $\textbf{SC}$ are valid in all simplicial models.

Let ${\mathcal {C}}= \langle V,S,\chi ,W,\ell \rangle $ be a simplicial model. The axioms ${\textbf {K}}$, ${\textbf {B}}$ and ${\textbf {4}}$ hold because the satisfaction relation on simplicial models is a Kripke-style semantics in disguise (see Sect. 4, in particular Theorem 32). For now, let us give a direct proof for Axiom ${\textbf {4}}$. Let $w \in W$ be a world of ${\mathcal {C}}$ and assume that ${\mathcal {C}},w \models D_B\,\varphi $. In order to show that ${\mathcal {C}},w \models D_B D_B\,\varphi $, let $w' \in W$ such that $B \subseteq \chi (w \cap w')$ and let $w'' \in W$ such that $B \subseteq \chi (w' \cap w'')$. Since ${\mathcal {C}}$ is a chromatic simplicial complex, each colour appears at most once in a simplex. So, in fact, we have $B \subseteq \chi (w \cap w' \cap w'')$, and in particular $B \subseteq \chi (w \cap w'')$. Since we assumed that ${\mathcal {C}},w \models D_B\,\varphi $, we obtain ${\mathcal {C}},w'' \models \varphi $ as required.

The proof is similar for Axiom ${\textbf {Mono}}$: assume that ${\mathcal {C}},w \models D_B\,\varphi $ and that $B \subseteq B'$. To show ${\mathcal {C}},w \models D_{B'}\,\varphi $, let $w' \in W$ such that $B' \subseteq \chi (w \cap w')$. Then $B \subseteq \chi (w \cap w')$, so by assumption ${\mathcal {C}},w' \models \varphi $. In the same vein, ${\textbf {Union}}$ follows from the fact that if the vertices of a simplex are coloured by colours B and $B'$, then they are coloured by $B\cup B'$. That is, if ${\mathcal {C}}, w\models \textsf{alive}(B)$ and ${\mathcal {C}}, w\models \textsf{alive}(B')$, then ${\mathcal {C}}, w\models \textsf{alive}(B\cup B')$. The validity of ${\textbf {NE}}$ comes from the fact that a simplex is always non-empty (see Definition 1). So for any $w \in W$, there is at least one vertex $v \in w$. Then for $a:= \chi (v)$, we have ${\mathcal {C}},w \models \textsf{alive}(a)$. Validity of Axiom ${\textbf {P}}$ is a bit more involved. Assume that ${\mathcal {C}},w \models \textsf{alive}(B) \wedge \textsf{dead}(B^{\textsf{c}}) \wedge \varphi $, i.e., ${\mathcal {C}},w \models \varphi $ and, moreover, the set of colours of the vertices of w is exactly B. To prove that ${\mathcal {C}},w \models D_B(\textsf{dead}(B^{\textsf{c}}) \Rightarrow \varphi )$, let $w' \in W$ such that $B \subseteq \chi (w \cap w')$. So $w'$ contains all the vertices of w. If we assume moreover that ${\mathcal {C}},w' \models \textsf{dead}(B^{\textsf{c}})$, then $w'$ cannot contain any extra vertex, i.e. $w = w'$. Thus we must have ${\mathcal {C}},w' \models \varphi $, which concludes the proof.

To show that Axiom ${\textbf {Min}}$ is valid in every minimal simplicial model is very similar to the one of Axiom ${\textbf {P}}$ above. Indeed, assume that the set of colours in $w \in W$ is exactly B. Since w is a facet, the only possible $w' \in W$ such that $B \subseteq \chi (w \cap w')$ is $w' = w$ itself. In particular, we do have ${\mathcal {C}},w' \models \textsf{dead}(B^{\textsf{c}})$.

Finally, for Axiom ${\textbf {Max}}$, assume that $w \in W$ contains at least the colours in B. Let $w' \subseteq w$ be the sub-simplex of w whose colours are exactly those of B (potentially, $w' = w$). Since ${\mathcal {C}}$ is a maximal model, we must have $w' \in W$; and moreover ${\mathcal {C}},w' \models \textsf{dead}(B^{\textsf{c}})$. So we have ${\mathcal {C}},w \models \lnot D_B \lnot \textsf{dead}(B^{\textsf{c}})$ as required. $\square $

Completeness also holds for $\textbf{SC}$, $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$, but the proof is more intricate. Indeed, we will use a detour via an equivalence with Kripke models, that we develop in Sect. 4. We then prove the three completeness results in Sect. 5.

4 Equivalent classes of Kripke models

In normal modal logics, whose semantics is based on Kripke models, there is a well-known correspondence between axioms of the logic and properties of the corresponding Kripke frames [17]. Namely, Axiom K holds in all Kripke models; while Axioms B and 4 are valid exactly on the class of Kripke models whose accessibility relation is symmetric and transitive, respectively. So the logic $\mathbf {KB4_n}$ is sound and complete with respect to the class of symmetric and transitive Kripke models. This will be our starting point to define the class of Kripke models that is equivalent to simplicial models. However, as we saw in Sect. 3.3, simplicial models have some additional built-in assumptions, that we need to impose on Kripke models too. Crucially, since non-pure simplicial models do not obey Axiom T, we consider Kripke models whose accessibility relation is not necessarily reflexive.

4.1 Partial epistemic models

Relations that are symmetric and transitive are called Partial Equivalence Relations in the context of PER semantic models of programming languages. They also appear, e.g. in [34], where they are called “Kripke logical partial equivalence relations”.

Definition 20

A Partial Equivalence Relation (PER) on a set X is a relation ${R \subseteq X \times X}$ that is symmetric and transitive (but not necessarily reflexive).

The domain of a PER R is the set $\textsf{dom}(R) = \{ x \in X \mid R(x,x)\} \subseteq X$, and it is easy to see that R is an equivalence relation on its domain, and empty outside of it. Thus, PERs are equivalent to the “local equivalence relations” defined in [42]. We now fix a set of agents A.

Definition 21

A partial epistemic frame $M = \langle W,\sim \rangle $ is a Kripke frame such that each relation $(\sim _a)_{a \in A}$ is a PER. We say that agent a is alive in a world w when $w \in \textsf{dom}(\sim _a)$, i.e., when $w \sim _a w$. We write $\overline{w}$ for the set of agents that are alive in world w. Finally, we say that a world w is a sub-world of $w'$ when $\overline{w} \subsetneq \overline{w'}$ and $w \sim _a w'$ for all $a \in \overline{w}$.

We now define four properties of partial epistemic frames, echoing the four Axioms NE, P, Min and Max defined in Sect. 3.3.

Definition 22

Let $M = \langle W,\sim \rangle $ be a partial epistemic frame. We say that:

M has no empty world when $\overline{w} \ne \varnothing $ for all $w \in W$.
M is proper when two distinct worlds with the same set of alive agents can always be distinguished by at least one alive agent. More formally, M is proper when for every $w \ne w' \in W$ such that $\overline{w} = \overline{w'}$, there exists $a \in \overline{w}$ such that $w \not \sim _a w'$.
M is minimal if it has no sub-world, i.e., for all $w,w' \in W$, if $\overline{w} \subsetneq \overline{w'}$, then there exists $a \in \overline{w}$ such that $w \not \sim _a w'$.
M is maximal if it has all sub-worlds, i.e., for all $w' \in W$ and for all non-empty $B \subsetneq \overline{w'}$, there exists $w \in W$ such that $\overline{w} = B$ and $w \sim _a w'$ for all $a \in B$.

Remark 23

We have slightly changed our terminology compared to the conference version of this work. Indeed, the property that we used to called “proper” in [22] is actually equivalent to the conjunction “non-empty and proper and minimal” in the sense of Definition 22. Since we are now interested in studying generalized simplicial models, and not just the subclass of minimal ones, we have refined this into three separate properties. We believe that our new usage of the word “proper”, which is now less specific than the one of [22], better captures what is usually understood as proper in the context of S5 epistemic frames.

Example 24

Four partial epistemic frames over the set of agents $A = \{a,b,c\}$ are represented below. The frame at the top left is not proper, while the three other frames are proper. The frame at top right is neither minimal nor maximal: the world $w_3$ is a sub-world of $w_2$, but not all possible sub-worlds of $w_2$ exist. The frame at the bottom left is minimal: neither $w_4$ nor $w_5$ is a sub-world of the other. The frame at the bottom right is maximal: both $w_6$ and $w_8$ are sub-worlds of $w_7$, and there can be no other sub-world without breaking properness.

Definition 25

A partial epistemic model $M= \langle W,\sim ,L \rangle $ over the set of agents A consists of a partial epistemic frame $\langle W, \sim \rangle $ together with function $L: W \rightarrow \mathscr {P}(\textsf{At})$.

Intuitively, L(w) is the set of atomic propositions that are true in the world w. Note that partial epistemic models are simply Kripke models (in the usual sense of normal modal logics), such that all the accessibility relations $(\sim _a)_{a \in A}$ are PERs. Thus, we can straightforwardly define the semantics of an epistemic formula $\varphi \in {\mathcal {L}}_D$ in such a model. Formally, given a pointed partial epistemic model $(M,w)$, we define by induction on $\varphi $ the satisfaction relation $M,w \models \varphi $ as follows:

$$\begin{aligned} \begin{array}{lcl} M,w \models p & \text {iff} & p \in L(w) \\ M,w \models \lnot \varphi & \text {iff} & M,w \not \models \varphi \\ M,w \models \varphi \wedge \psi & \text {iff} & M,w \models \varphi \text { and } M,w \models \psi \\ M,w \models D_B\,\varphi & \text {iff} & M,w' \models \varphi \text { for all } w' \text { such that } w \sim _B w' \end{array} \end{aligned}$$

where $\sim _B$ is the intersection of the relations $(\sim _a)_{a \in B}$, i.e., $w \sim _B w'$ iff $w \sim _a w'$ for all $a \in B$.

4.2 Relating simplicial models and partial epistemic models

In this section, we show how to canonically associate a proper partial epistemic frame with any chromatic simplicial complex, and vice versa. More precisely, for any generalized simplicial model ${\mathcal {C}}$, we construct an associated partial epistemic model $\kappa ({\mathcal {C}})$ which is proper and has no empty world. Conversely, for any proper partial epistemic model M that has no empty world, we associate a generalized simplicial model $\sigma (M)$. We also show that in both cases, the notions of “minimal” and “maximal” models are preserved. In Theorem 32, we state the key property of this section: the two maps $\kappa $ and $\sigma $ preserve the satisfaction relation. Similar correspondences appears in [21, 22, 42], with some differences:

Here, we work in a more general framework of generalized simplicial models, rather than just the minimal ones where worlds are facets. As a consequence, the corresponding class of Kripke models is larger (because we changed the meaning of “proper”, cf. Remark 23).
On the other hand, here we are not concerned with the morphisms between models. Thus, we do not prove that $\sigma $ and $\kappa $ form a categorical equivalence between simplicial models and Kripke models. For instance, while [21] and [22] show that $\kappa \circ \sigma (M)$ is isomorphic to M; and [42] shows that $\kappa \circ \sigma (M)$ is bisimilar to M; here we only prove that the satisfaction relation is preserved, which is the weakest of those three properties. Nonetheless, it will be sufficient for our purpose, the completeness results of Sect. 5.

Definition 26

Let ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ be a generalized simplicial model on the set of agents A and atomic propositions $\textsf{At}$. Its associated partial epistemic model is $\kappa ({\mathcal {C}})=\langle W, \sim , L \rangle $, whose set of worlds W is the same as the one of ${\mathcal {C}}$, and whose relation $\sim _a$, for each agent $a \in A$, is given by $w \sim _a w'$ iff $a \in \chi (w \cap w')$. The labelling is simply defined as $L(w) = \ell (w)$.

Proposition 27

$\kappa ({\mathcal {C}})$ is a proper partial epistemic frame that has no empty world.

Proof

The relation $\sim _a$ is easily seen to be a symmetric and transitive, because since the simplicial complex ${\mathcal {C}}$ is chromatic, there can be at most one vertex $v \in w \cap w'$ with $\chi (v) = a$. Moreover, since the worlds of $\kappa ({\mathcal {C}})$ are simplexes of ${\mathcal {C}}$, and simplexes are always non-empty by definition, we immediately see that $\kappa ({\mathcal {C}})$ has no empty world. Finally, to show that $\kappa ({\mathcal {C}})$ is proper, consider two distinct worlds w and $w'$ in $\kappa ({\mathcal {C}})$, i.e., two simplexes of ${\mathcal {C}}$, and assume they have the same set of alive agents, i.e., $\chi (w) = \chi (w')$. Since a simplex is uniquely determined by its set of vertices, there is at least one vertex of w, say v, that does not belong to $w'$ (otherwise we would have $w = w'$). Let $a = \chi (v)$ be the colour of v. Then a is alive in w because $a \in \chi (w \cap w)$; and $w \not \sim _a w'$ because $v \not \in w \cap w'$ and there can be only one vertex with colour a in w. $\square $

Proposition 28

If ${\mathcal {C}}$ is minimal (resp., maximal), then $\kappa ({\mathcal {C}})$ is minimal (resp., maximal).

Proof

Assume the simplicial model ${\mathcal {C}}$ is minimal, i.e., that all worlds are facets: ${W = \textsf{Facets}({\mathcal {C}})}$. Let $w,w'$ be two worlds of $\kappa ({\mathcal {C}})$ with $\overline{w} \subsetneq \overline{w'}$. Then there must be at least one vertex of w, say v, that does not belong to $w'$: otherwise we would have $w \subsetneq w'$, which contradicts the fact that w is a facet. Let $a = \chi (v)$ be the colour of v; then a is alive in w and $w \not \sim _a w'$. Thus $\kappa ({\mathcal {C}})$ is minimal.

Assume now that ${\mathcal {C}}$ is maximal, i.e., all simplexes are worlds: $W = S$. Let $w'$ be a world of $\kappa ({\mathcal {C}})$, whose set of alive agents is $\overline{w'} = \chi (w')$. Let $B \subsetneq \chi (w')$ be a non-empty subset of alive agents, and let $w \subsetneq w'$ be the face of $w'$ that consists of all vertices whose colour is in B. Then we have $w \in W$ (because all simplexes are worlds), and it is easy to check that w is a sub-world of $w'$ in $\kappa ({\mathcal {C}})$. So $\kappa ({\mathcal {C}})$ is maximal. $\square $

Conversely, we now consider a partial epistemic model $M=\langle W,\sim ,L \rangle $, and we define the associated simplicial model $\sigma (M)$. Intuitively, each world $w \in W$ where k agents are alive will be represented by a simplex of dimension $k-1$, whose vertices are coloured by $\overline{w}$. These simplexes must then be “glued” together according to the indistinguishability relations. Formally, this is done by a quotient construction, described in Definition 29 below. When a is alive in a world w, we write $[w]_a$ for the equivalence class of w w.r.t. $\sim _a$, within $\textsf{dom}(\sim _a)$.

Definition 29

Let $M = \langle W, \sim ,L \rangle $ be a proper partial epistemic model with no empty world. Its associated chromatic simplicial complex is $\sigma (M) = \langle V, S, \chi , \widehat{W}, \ell \rangle $, where:

The set of vertices is $V = \{(a,[w]_a) \mid w \in W, a \in \overline{w} \}$. We denote such a vertex $(a,[w]_a)$ by $v^w_{a}$ for succinctness; but note that $v^w_{a} = v^{w'}_{a}$ whenever $w \sim _a w'$.
The set S of simplexes is generated by sets of the form $X_w = \{ v^w_{a} \mid a \in \overline{w}\}$ for each $w \in W$; as well as all their sub-simplexes.
The colouring is given by $\chi (v^w_a) = a$.
The set of worlds is $\widehat{W} = \{ X_w \mid w \in W \}$.
The labelling is $\ell (X_w) = L(w)$.

Proposition 30

$\sigma (M)$ is well defined, and is a generalized simplicial model.

Proof

The set S of simplexes is downward-closed by construction, and every singleton $\{v^w_a\}$ belongs to S since it is a sub-simplex of $X_w$. The fact that M has no empty world ensures that every simplex $X_w$ is non-empty, as required. All vertices of $X_w$ have distinct colours by construction, so $\langle V, S, \chi \rangle $ is indeed a chromatic simplicial complex. We still need to show that $\widehat{W}$ contains all facets. That is also true by construction, since every simplex is a sub-simplex of some $X_w$, and a facet can only be a sub-simplex of itself. Lastly, for the labelling to be well-defined, we need to make sure that $X_w \ne X_{w'}$ whenever $w \ne w'$, i.e., that there is a bijection between W and $\widehat{W}$. Assume by contradiction that this is not the case: then $X_w = X_{w'}$ implies that $\overline{w} = \overline{w'}$, and that $v^w_a = v^{w'}_a$ for all $a \in \overline{w}$. This is not possible because we assumed that M is proper. $\square $

Proposition 31

If M is minimal (resp., maximal) then $\sigma (M)$ is minimal (resp., maximal).

Proof

Assume that M is minimal. We want to show that every $X_w \in \widehat{W}$ is a facet of $\sigma (M)$. It suffices to show that for all $w \ne w'$, $X_w \not \subseteq X_{w'}$. Assume by contradiction that $X_w \subseteq X_{w'}$. We already proved that equality is impossible, so we must have $\overline{w} \subsetneq \overline{w'}$, and for every $a \in \overline{w}$, $v^w_a = v^{w'}_a$. This contradicts the minimality of M.

Finally, assume instead that M is maximal, and let us show that every simplex of $\sigma (M)$ belongs to $\widehat{W}$. Let X be a simplex of $\sigma (M)$, that is, $X \subseteq X_w$ for some w. We want to show that there exists $w' \in W$ such that $X = X_{w'}$. Let $B = \chi (X)$ be the set of colours of the vertices of X. Since $B \subseteq \overline{w}$, by maximality of M, there exists a world $w' \in W$ such that $\overline{w'} = B$ and $w' \sim _a w$ for all $a \in B$. Then for every $a \in B$ we have $v^{w'}_a = v^w_a$, so $X = X_{w'}$. $\square $

We now check that the associated models given by $\kappa $ and $\sigma $ preserve the semantics of epistemic logic formulas in ${\mathcal {L}}_D$.

Theorem 32

Given a pointed simplicial model $({\mathcal {C}},w)$, we have ${\mathcal {C}},w \models \varphi $ iff $\kappa ({\mathcal {C}}),w \models \varphi $. Conversely, given a pointed partial epistemic model (M, w) which is proper and has no empty world, we have $M,w \models \varphi $ iff $\sigma (M),X_w \models \varphi $.

Proof

The first equivalence is straightforward by induction on the structure of the formula $\varphi $. Indeed, the base case of atomic propositions comes from the fact that we keep the same labelling $L(w) = \ell (w)$ in Definition 26. The cases of the operators $\wedge $ and $\lnot $ are obvious using the induction hypothesis. And for a formula of the form $D_B\,\varphi $, notice that since we defined $w \sim _a w'$ iff $a \in \chi (w \cap w')$ in Definition 26, we also get $w \sim _B w'$ iff $B \subseteq \chi (w \cap w')$.

The other half of the theorem is also proved by induction on the formula $\varphi $. Atomic propositions, conjunction and negation are straightforward. For a formula of the form $D_B\,\varphi $, all we have to show is that $w \sim _B w'$ in the model M iff $B \subseteq \chi (X_w \cap X_{w'})$ in $\sigma (M)$. This follows from the fact that $w \sim _a w'$ iff $v^w_a = v^{w'}_a$ iff $a \in \chi (X_w \cap X_{w'})$. $\square $

Example 33

The toy model below depicts a simplicial model (left) with set of worlds $W = \{w_1, \ldots , w_7\}$. On the right is the equivalent partial epistemic model obtained by applying $\kappa $. Alternatively, one can also apply $\sigma $ to the model on the right in order to produce the simplicial model depicted on the left. Some edges that can be deduced by transitivity have been omitted on the picture of the epistemic model on the right. Notice that the set of alive agents in a world can be read directly from the reflexive loops. In both models, the worlds $w_5$ and $w_6$ are sub-worlds of $w_1$; and world $w_7$ is a sub-world of $w_4$.

Example 34

Recall the synchronous broadcast model with detectable crashes of Example 12. Its associated partial epistemic model is depicted below. Note that both models are minimal in the appropriate sense.

5 Completeness results

In this section, we show the completeness results that we mentioned after Proposition 19. Namely, we will see that the axiom system $\textbf{SC}$ (resp., $\textbf{SC}_{\textbf{min}}$, $\textbf{SC}_{\textbf{max}}$) is complete with respect to the class of generalized (resp., minimal, maximal) simplicial models. In the presence of the distributed knowledge operator, completeness proofs usually proceed in two steps (see, e.g. [3, 14]). First, we define a canonical pseudo-model whose worlds are maximal consistent sets of formulas. Then, this pseudo-model needs to be unravelled in order to obtain an actual model.

We follow these two routine steps in Sects. 5.1 and 5.2, where we recall the definitions and main properties of the canonical pseudo-model and the unravelling construction. Even though our setting is slightly non-standard (with partial epistemic frames and extra axioms), everything works as usual in these two sections. Section 5.3 deals with the fact that our models are proper. Finally in Sect. 5.4, we put all the pieces together to show that $\textbf{SC}$ is complete with respect to the class of proper partial epistemic models with no empty world. Completeness for generalized simplicial models then follows directly from Theorem 32. The proofs of completeness for $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$ work the same, with a couple of extra conditions to be checked at the end. Hence we focus on $\textbf{SC}$ for the time being.

5.1 The canonical pseudo-model

A pseudo-model is similar to a Kripke model, except that we have an indistinguishability relation $\sim _B$ for each group of agents $B \subseteq A$. In the context of this paper, we will consider pseudo-models where those relations $\sim _B$ are partial equivalence relations (PER). Any partial epistemic model (as in Definition 25) yields a pseudo-model by setting $\sim _B\, = \bigcap _{a \in B} \sim _a$. However, in general, this equality may not hold in a pseudo-model.

Definition 35

A pseudo-model $M = \langle W, \sim , L \rangle $ over the set of agents A consists of:

a set of worlds W;
a PER $\sim _B\,\subseteq W \times W$ for each $B \subseteq A$, such that (i) $\sim _{B'}\, \subseteq \, \sim _{B}$ whenever $B \subseteq B' \subseteq A$, and (ii) for every $w \in W$ and $B,B'\subseteq A$, if $w \sim _B w$ and $w \sim _{B'} w$, then $w \sim _{B\cup B'} w$;
a valuation function $L: W \rightarrow \mathscr {P}(\textsf{At})$.

Note that condition (ii) implies that for every world w, there is a maximal set $U \subseteq A$ such that $w \sim _U w$. We call this set U the set of alive agents in w, and denote it by $\overline{w} = U$. The satisfaction relation $M,w \models \varphi $ on pseudo-models is defined inductively on the structure of the formula $\varphi \in \mathcal {L}_D$, as we did in Sect. 4.1, except that to define the semantics of the distributed knowledge operator $D_B\,\varphi $ we rely on the relation $\sim _B$ of the pseudo-model, rather than the intersection of the single-agent relations.

Let $\Gamma \subseteq \mathcal {L}_D$ be a set of formulas. We write $\Gamma \vdash _{\textbf{SC}} \varphi $ when the formula $\varphi $ is provable from the hypothesis $\Gamma $ in the proof system $\textbf{SC}$. We say that $\Gamma $ is consistent when $\Gamma \not \vdash _{\textbf{SC}} \textsf{false}$, and that $\Gamma $ is maximal consistent when moreover, for every $\varphi \not \in \Gamma $, we have $\Gamma \cup \{\varphi \} \vdash _{\textbf{SC}} \textsf{false}$.

Definition 36

The canonical pseudo-model $M^\textrm{c}= \langle W^\textrm{c}, \sim ^\textrm{c}, L^\textrm{c}\rangle $ is defined as follows:

$W^\textrm{c}= \{ \Gamma \mid \Gamma \text {is a maximal consistent set of formulas} \}$.
$\Gamma \sim ^\textrm{c}_B \Delta $ iff $D_B\,\varphi \in \Gamma $ implies $\varphi \in \Delta $.
$L^\textrm{c}(\Gamma ) = \Gamma \cap \textsf{At}$.

First, let us check that $M^\textrm{c}$ is indeed a pseudo-model. Symmetry and transitivity of $\sim ^\textrm{c}_B$ are proved as usual using Axioms $\textbf{B}$ and $\textbf{4}$, respectively. To see that $\sim ^\textrm{c}_{B'}\,\subseteq \,\sim ^\textrm{c}_{B}$ for $B \subseteq B'$, assume that $\Gamma \sim ^\textrm{c}_{B'} \Delta $ and that $D_B\,\varphi \in \Gamma $. Using the axiom Mono and the fact that $\Gamma $ is maximal consistent, we must have $D_{B'}\,\varphi \in \Gamma $. Then $\varphi \in \Delta $ because we assumed $\Gamma \sim ^\textrm{c}_{B'} \Delta $, so $\Gamma \sim ^\textrm{c}_{B} \Delta $ as required. Finally, assuming that $\Gamma \sim ^\textrm{c}_{B} \Gamma $ and $\Gamma \sim ^\textrm{c}_{B'} \Gamma $, we want to show that $\Gamma \sim ^\textrm{c}_{B\cup B'} \Gamma $. First, notice that $\textsf{alive}(B) \in \Gamma $: otherwise, we would have $D_B\,\textsf{false}\in \Gamma $, i.e. $\textsf{false}\in \Gamma $, and so $\Gamma $ would be inconsistent. Similarly, $\textsf{alive}(B') \in \Gamma $, so $\textsf{alive}(B \cup B') \in \Gamma $ by axiom Union. Let $\Delta ^- = \{ \varphi \mid D_{B\cup B'}\,\varphi \in \Gamma \}$. Then $\Delta ^-$ is consistent, otherwise we would have $D_{B \cup B'}\, \textsf{false}\in \Gamma $, which we ruled out. We can thus extend $\Delta ^-$ to a maximal and consistent set $\Delta \supseteq \Delta ^-$, which satisfies $\Gamma \sim ^\textrm{c}_{B \cup B'} \Delta $. By symmetry and transitivity of $\sim ^\textrm{c}_{B \cup B'}$, we get $\Gamma \sim ^\textrm{c}_{B \cup B'} \Gamma $ as required.

Lemma 37

(Truth Lemma) For any formula $\varphi \in \mathcal {L}_D$ and any maximal consistent set of formulas $\Gamma \in W^\textrm{c}$, we have $\varphi \in \Gamma $ iff $M^\textrm{c},\Gamma \models \varphi $.

Proof

Proceed by induction on the structure of $\varphi $. The base case of atomic propositions holds by definition of $L^\textrm{c}$. For the Boolean connectives, the proof is trivial.

Let us do the case of $D_B\,\varphi $. Assume that $D_B\,\varphi \in \Gamma $ and let $\Delta \in W^\textrm{c}$ such that $\Gamma \sim ^\textrm{c}_{B} \Delta $. By definition of $\sim ^\textrm{c}$, we have $\varphi \in \Delta $, so by induction hypothesis, $M^\textrm{c},\Delta \models \varphi $. Thus $M^\textrm{c},\Gamma \models D_B\,\varphi $. Conversely, assume that $M^\textrm{c},\Gamma \models D_B\,\varphi $, and suppose by contradiction that $D_B\,\varphi \not \in \Gamma $. Then the set $\Delta ^- = \{ \lnot \varphi \} \cup \{ \psi \mid D_B\,\psi \in \Gamma \}$ is consistent. Indeed, if $\Delta ^-$ was inconsistent, we would have a proof of $\vdash _{\textbf{SC}} \psi _1 \wedge \ldots \wedge \psi _k \Rightarrow \varphi $ where $D_B\,\psi _i \in \Gamma $ for every i. Then, using Axiom K, we could prove $\vdash _{\textbf{SC}} D_B\,\psi _1 \wedge \ldots \wedge D_B\,\psi _k \Rightarrow D_B\,\varphi $. Because $\Gamma $ is maximal consistent, this implies that $D_B\,\varphi \in \Gamma $, which contradicts our assumption. So $\Delta ^-$ is consistent, and by Lindenbaum’s Lemma, we can extend it to a maximal consistent set $\Delta \supseteq \Delta ^-$. By construction, $\Gamma \sim ^\textrm{c}_{B} \Delta $, and by induction hypothesis, $M^\textrm{c}, \Delta \not \models \varphi $. This contradicts the initial assumption that $M^\textrm{c},\Gamma \models D_B\,\varphi $. Therefore $D_B\,\varphi \in \Gamma $, which concludes the proof. $\square $

Remark 38

In this article, pseudo-models serve only as a means to show the completeness of $\textbf{SC}$. It is possible, however, to take pseudo-models as a primitive notion, and to define a semantics for $\mathcal {L}_D$ based on them. This yields a non-standard notion of distributed knowledge. This approach has been studied in a companion paper [20]. Remarkably, pseudo-models also have a geometric counterpart: they amount to replacing simplicial complexes by semi-simplicial sets. Another paper that used such pseudo-models as the main object of study is [2], in order to model observability in quantum systems.

5.2 Unravelling a pseudo-model

As we mentioned at the beginning of Sect. 5.1, partial epistemic models can be viewed as a special case of pseudo-models. However, the canonical model $M^\textrm{c}$ is not among this subclass of pseudo-models, because $\sim ^\textrm{c}_B \,\ne \bigcap _{a \in B} \sim ^\textrm{c}_{\{a\}}$.

We now describe a general construction called unravelling, which can turn any pseudo-model into a (bisimilar) partial epistemic model. Later, we will use this construction to unravel the canonical model.

Let $M = \langle W, \sim , L \rangle $ be a pseudo-model. A history of M is a finite sequence of the form $h = (w_0, B_1, w_1, \ldots , B_k, w_k)$ for some $k \ge 0$, such that $w_{i-1} \sim _{B_{i}} w_{i}$ for all $1 \le i \le k$. We write $\textsf{last}(h) = w_k$ for the last element of a history, and we write $h \rightarrow _a h'$ if $h' = (h, B_{k+1}, w_{k+1})$ with $a \in B_{k+1}$

Definition 39

The unravelling of M is a partial epistemic model $U(M)= \langle H, \sim ^\textrm{u}, L^\textrm{u}\rangle $ defined as follows:

$H$ is the set of histories of M,
$\sim ^\textrm{u}_a$ is the transitive and symmetric closure of $\rightarrow _a$, i.e., $\sim ^\textrm{u}_a\, = \left( \rightarrow _a \cup \leftarrow _a \right) ^+$,
$L^\textrm{u}(h) = L(\textsf{last}(h))$.

It is immediate to see that U(M) is a partial epistemic model, since $\sim ^\textrm{u}_a$ is symmetric and transitive by definition. Before we can prove that unravelling a pseudo-model preserves the satisfaction relation (Lemma 41), we first show a useful lemma relating the relation $\sim _B$ of a pseudo-model with the one of its unravelling.

Lemma 40

Let M be a pseudo-model and U(M) its unravelling. Let $h, h' \in H$ be histories, and $B \subseteq A$ a set of agents. If $h \sim ^\textrm{u}_a h'$ for all $a \in B$, then $\textsf{last}(h) \sim _B \textsf{last}(h')$.

Proof

Let us first assume that $h \ne h'$; we will treat the other case separately. Let $h''$ be the common prefix of h and $h'$, and let us write $h = (h'', B_1, w_1, \ldots , B_k, w_k)$ and $h' = (h'', B'_1, w'_1, \ldots , B'_\ell , w'_\ell )$. For each agent $a \in B$, notice that there is a unique non-redundant path from h to $h'$ for the relation $(\rightarrow _a \cup \leftarrow _a)$, which first goes backwards from h to $h''$, then forwards from $h''$ to $h'$, as follows: $h \leftarrow _a \ldots \leftarrow _a h'' \rightarrow _a \ldots \rightarrow _a h'$. Since any proof that $h \sim ^\textrm{u}_a h'$ must go through this path, we must have $a \in B_i$ for all $1 \le i \le k$, and $a \in B'_j$ for all $1 \le j \le \ell $. The same fact holds for each $a \in B$, so in fact $B \subseteq B_i$ and $B \subseteq B'_j$ for all i, j, and since M is a pseudo-model, $\sim _{B_i} \,\subseteq \, \sim _B$ and $\sim _{B'_j} \,\subseteq \, \sim _B$. Thus, all the worlds of M along this path are related by $\sim _B$:

$$\begin{aligned} \textsf{last}(h) = w_k \sim _B \ldots \sim _B w_1 \sim _B \textsf{last}(h'') \sim _B w'_1 \sim _B \ldots \sim _B w'_\ell = \textsf{last}(h'). \end{aligned}$$

Finally, by transitivity of $\sim _B$, we get $\textsf{last}(h) \sim _B \textsf{last}(h')$ as required.

We still need to prove the lemma for $h = h'$. The difficulty is that to have $h \sim ^\textrm{u}_a h$, we must take a detour via another history $h \rightarrow _a h'' \leftarrow _a h$. However, unlike in the first half of the proof, the choice of $h''$ might differ for each $a \in B$. This is where condition (ii) in the definition of a pseudo-model comes into play. Clearly, for each $a \in B$, $h \sim ^\textrm{u}_a h$ implies that $\textsf{last}(h) \sim _{\{a\}} \textsf{last}(h)$. Using condition (ii) of the pseudo-model M repeatedly, we get $\textsf{last}(h) \sim _{B} \textsf{last}(h)$, which concludes the proof. $\square $

Lemma 41

For every history $h \in H$ and formula $\varphi \in \mathcal {L}_D$, $M,\textsf{last}(h) \models \varphi $ iff $U(M),h \models \varphi $.

Proof

This is proved by induction on the structure of the formula $\varphi $. The cases of atomic propositions and Boolean connectives are straightforward, so we focus on the case of $D_B\,\varphi $.

For the left-to-right implication, assume that $M,\textsf{last}(h) \models D_B\,\varphi $, and let $h' \in H$ be a history such that $h \sim ^\textrm{u}_B h'$, i.e., $h \sim ^\textrm{u}_a h'$ for all $a \in B$. By Lemma 40 we get $\textsf{last}(h) \sim _B \textsf{last}(h')$, which implies that $M,\textsf{last}(h') \models \varphi $, and by induction hypothesis $U(M),h' \models \varphi $.

For the right-to-left implication, assume that $U(M),h \models D_B\,\varphi $ and let $w' \in W$ such that $\textsf{last}(h) \sim _B w'$ in M. Consider the history $h' = (h, B, w')$. Then $h \rightarrow _a h'$ for each $a \in B$, therefore, $h \sim ^\textrm{u}_B h'$. Thus, $U(M),h' \models \varphi $ because we assumed that $U(M),h \models D_B\,\varphi $, and by induction hypothesis, $M,\textsf{last}(h') \models \varphi $ i.e. $M,w' \models \varphi $ as required. $\square $

Remark 42

In fact, the map $\textsf{last}: H \rightarrow W$ can be shown to be a bisimulation between M and U(M).

5.3 Making the model proper

Even though the canonical model $M^\textrm{c}$ can be shown to be proper thanks to Axiom P, the unravelling construction introduces some redundancy and as a consequence, $U(M^\textrm{c})$ is not proper. To illustrate why this happens, let us consider the proper model M depicted below, with two worlds $w_0$ and $w_1$, such that $w_0$ is a sub-world of $w_1$.

In the unraveled model U(M), there are infinitely many worlds (histories). Among them, consider $h_0 = (w_0)$ and $h_0' = (w_0, \{a\}, w_0)$. Then we have $\overline{h_0} = \overline{h_0'} = \{a\}$, but $h_0 \sim _a h_0'$, so the model U(M) is not proper. Even if we were to disallow such “trivial” steps in the definition of history, the problem persists: consider $h_1 = (w_0, \{a\}, w_1)$ and $h_2 = (w_0, \{a\}, w_1, \{a\}, w_0)$. Then by transitivity, $h_0 \sim _a h_1 \sim _a h_2$, so once again U(M) is not proper.

As we will see in the next section (Proposition 46), $U(M^\textrm{c})$ has a good enough property: two “equivalent” worlds always satisfy the same set of formulas. This allows us to construct a bisimilar proper model, by merging the redundant worlds, as we describe below.

Let $M = \langle W, \sim , L \rangle $ be a partial epistemic model, and recall that $\overline{w} = \{ a \in A \mid w \sim _a w \}$ is the set of alive agents in w. We say that two worlds $w,w'$ are equivalent, written $w \equiv w'$, if $\overline{w} = \overline{w'}$ and for all $a \in \overline{w}$, $w \sim _a w'$. Thus, M is proper if and only if $w \equiv w'$ implies $w = w'$. Here, we assume a weaker property: that if $w \equiv w'$, then $L(w) = L(w')$. From this, one can deduce by an easy induction that for all $\varphi \in \mathcal {L}_D$, $M,w \models \varphi $ iff $M,w' \models \varphi $.

Definition 43

The model ${M}_proper = \langle W/\!\equiv , \sim ', L'\rangle $ is defined as follows:

$W/\!\equiv $ is the set of equivalence classes of the relation $\equiv $. We write $[w] \in W/\!\equiv $ for the equivalence class of $w \in W$.
$[w_1] \sim '_a [w_2]$ iff $w_1 \sim _a w_2$.
$L'([w]) = L(w)$.

It is straightforward to check that the definitions of $\sim '$ and $L'$ do not depend on the choice of representative of the equivalence class, and that ${M}_proper $ is a partial epistemic model.

Lemma 44

The model ${M}_proper $ is proper, and moreover $M,w \models \varphi $ iff ${M}_proper ,[w] \models \varphi $.

Proof

To show that ${M}_proper $ is proper, consider two worlds [w] and $[w']$ of ${M}_proper $, such that $\overline{[w]} = \overline{[w']}$, and for all $a \in \overline{[w]}$, $[w] \sim '_a [w']$. We want to show that $[w] = [w']$. By definition of $\sim '$, the same conditions hold of w and $w'$ in M: $\overline{w} = \overline{w'}$, and for all $a \in \overline{w}$, $w \sim _a w'$. But that means precisely that $w \equiv w'$, i.e., w and $w'$ belong to the same equivalence class. Thus, we do have $[w] = [w']$ and the model is proper.

To prove the second part of the lemma, proceed by induction on the formula $\varphi $. The cases of atomic propositions and Boolean connectives are trivial. So assume that $M,w \models D_B\,\varphi $, and let $[w'] \in W/\!\equiv $ be such that $[w] \sim '_a [w']$ for all $a \in B$. Then $w \sim _a w'$ for all $a \in B$, thus $M,w' \models \varphi $. By induction hypothesis, ${M}_proper ,[w'] \models \varphi $. The converse is identical. $\square $

5.4 Proofs of completeness

We are almost ready to prove completeness for the axiom system $\textbf{SC}$. What remains to be checked is that the unravelled canonical model $U(M^\textrm{c})$ can be made proper using the construction in Sect. 5.3, and that the resulting model ${U(M^\textrm{c})}_proper $ has no empty world.

Lemma 45

Let h be a history of $M^\textrm{c}$, and write $\Gamma = \textsf{last}(h)$. Then $a \in \overline{h}$ iff $\textsf{alive}(a) \in \Gamma $.

Proof

Consider $a \in \overline{h}$, and recall that $\overline{h}$ denotes the set of alive agents in the world h of the model $U(M^\textrm{c})$. By unfolding the definitions, there must be some history $h_0$ such that either $h \rightarrow _a h_0$ or $h \leftarrow _a h_0$. Writing $\Gamma ' = \textsf{last}(h_0)$, this means that $\Gamma \sim ^\textrm{c}_a \Gamma '$. So we cannot have $K_a\,\textsf{false}\in \Gamma $, otherwise $\textsf{false}\in \Gamma '$ and $\Gamma '$ would be inconsistent. Thus $\lnot K_a\,\textsf{false}\in \Gamma $ (because $\Gamma $ is maximal), i.e. $\textsf{alive}(a) \in \Gamma $.

Conversely, assume that $\textsf{alive}(a) \in \Gamma $. We have seen in Sect. 3.3 that the formula $\textsf{alive}(a) \Rightarrow (K_a\,\varphi \Rightarrow \varphi )$ is valid in $\mathbf {KB4_n}$ (a fortiori in $\textbf{SC}$). Thus, for every formula $\varphi $, $K_a\,\varphi \in \Gamma $ implies $\varphi \in \Gamma $, i.e. $\Gamma \sim ^\textrm{c}_a \Gamma $. Writing $h' = (h, \{a\}, \Gamma )$, we have shown that $h \rightarrow _a h'$. By symmetry and transitivity, this yields $h \sim ^\textrm{u}_a h$, which concludes the proof. $\square $

The following condition is required to apply the construction of Sect. 5.3.

Proposition 46

In the model $U(M^\textrm{c})$, if $h \equiv h'$ then $L^\textrm{u}(h) = L^\textrm{u}(h')$.

Proof

Consider two histories $h, h'$ of $M^\textrm{c}$, and assume that $h \equiv h'$, i.e. $\overline{h} = \overline{h'}$ and for all $a \in \overline{h}$, $h \sim ^\textrm{u}_a h'$. Let $\Gamma = \textsf{last}(h)$ and $\Delta = \textsf{last}(h')$. By Lemma 45, $\textsf{alive}(a) \in \Gamma \iff \textsf{alive}(a) \in \Delta $.

Let $p \in L^\textrm{u}(h) = L^\textrm{c}(\Gamma )$ be an atomic proposition. We have $p \in \Gamma $ by definition of $L^\textrm{c}$. Let $B = \overline{h} = \{ a \mid \textsf{alive}(a) \in \Gamma \}$. Since $\Gamma $ is maximal and consistent, it contains the formula $\textsf{alive}(B) \wedge \textsf{dead}(B^{\textsf{c}}) \wedge p$. By Axiom P, $\Gamma $ must also contain $D_B\,(\textsf{dead}(B^{\textsf{c}}) \Rightarrow p)$. By Lemma 40, $h \sim ^\textrm{u}_a h'$ for all $a \in B$ implies that $\Gamma \sim ^\textrm{c}_B \Delta $. By definition of $\sim ^\textrm{c}$, the set $\Delta $ then contains the formula $\textsf{dead}(B^{\textsf{c}}) \Rightarrow p$. And since $\Delta $ is maximal consistent, and contains the formula $\textsf{dead}(B^{\textsf{c}})$, we finally have $p \in \Delta $, i.e. $p \in L^\textrm{u}(h')$.

The converse inclusion $L^\textrm{u}(h') \subseteq L^\textrm{u}(h)$ is proved symmetrically. $\square $

Proposition 47

The model ${U(M^\textrm{c})}_proper $ has no empty world.

Proof

It is sufficient to show that $U(M^\textrm{c})$ has no empty world, since any agent a which is alive in h is also alive in [h], because $h \sim ^\textrm{u}_a h$ implies $[h] \sim '_a [h]$.

So let h be a history of $M^\textrm{c}$, and write $\Gamma = \textsf{last}(h)$. We want to find some agent $a \in A$ such that $a \in \overline{h}$. Since $\Gamma $ is maximal and consistent, and obeys the Axiom NE, there must be some agent $a \in A$ such that $\textsf{alive}(a) \in \Gamma $. By Lemma 45, this entails $a \in \overline{h}$. $\square $

Theorem 48

The system $\textbf{SC}$ is complete with respect to the class of proper partial epistemic models with no empty world.

Proof

We prove the converse of completeness: if a formula $\varphi \in \mathcal {L}_D$ is not provable, then it is not valid in all models. So assume that $\not \vdash _{\textbf{SC}} \varphi $, i.e. $\{\lnot \varphi \}$ is a consistent set of formulas. By Lindenbaum’s Lemma, there is a maximal consistent set $\Gamma $ such that $\lnot \varphi \in \Gamma $. By the Truth Lemma (Lemma 37), $M^\textrm{c},\Gamma \models \lnot \varphi $, and by Lemmas 41 and 44, ${U(M^\textrm{c})}_proper , [(\Gamma )] \models \lnot \varphi $. Since ${U(M^\textrm{c})}_proper $ is a proper partial epistemic model with no empty world, this concludes the proof. $\square $

While Theorem 48 might seem somewhat arbitrary, our real goal was to prove completeness with respect to the class of generalized simplicial models:

Corollary 49

The system $\textbf{SC}$ is complete with respect to the class of simplicial models.

Proof

Assume a formula $\varphi \in \mathcal {L}_D$ is valid in all simplicial models. By Theorem 32, $\varphi $ is also valid in all proper partial epistemic models with no empty worlds. So by Theorem 48, $\varphi $ is provable in the system $\textbf{SC}$. $\square $

Completeness for $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$. We now prove completeness of $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$ with respect to the class of minimal (resp. maximal) simplicial models. The proof is almost the same as the one for $\textbf{SC}$: we write $M^\textrm{c}_min $ and $M^\textrm{c}_max $ for the canonical pseudo-models whose worlds are sets of formulas that are maximal and consistent with respect to the logic $\textbf{SC}_{\textbf{min}}$ (resp. $\textbf{SC}_{\textbf{max}}$). All the machinery of Sects. 5.1–5.3 works the same. The only extra properties that we need to show are the following:

Proposition 50

The partial epistemic model ${U(M^\textrm{c}_min )}_proper $ is minimal, and the partial epistemic model ${U(M^\textrm{c}_max )}_proper $ is maximal.

Proof

To prove that ${U(M^\textrm{c}_min )}_proper $ is minimal, it is sufficient to show that $U(M^\textrm{c}_min )$ is minimal. Let $h,h'$ be histories of $M^\textrm{c}_min $ such that $\overline{h} \subsetneq \overline{h'}$, and let us write $B = \overline{h}$, $\Gamma = \textsf{last}(h)$ and $\Delta = \textsf{last}(h')$. Assume for contradiction that for all $a \in B$, $h \sim ^\textrm{u}_a h'$. By Lemma 40, this entails ${\Gamma \sim ^\textrm{c}_B \Delta }$. Since $\Gamma $ is maximal and consistent, and using Lemma 45, the formula $\textsf{alive}(B) \wedge \textsf{dead}(B^{\textsf{c}})$ belongs to $\Gamma $. Using Axiom Min, $\Gamma $ must also contain the formula $D_B\,\textsf{dead}(B^{\textsf{c}})$, and since $\Gamma \sim ^\textrm{c}_B \Delta $, we obtain that $\textsf{dead}(B^{\textsf{c}}) \in \Delta $. But this is a contradiction: since we assumed that $\overline{h} \subsetneq \overline{h'}$, there exists an agent $a \not \in B$ such that $a \in \overline{h'}$, i.e. $\textsf{alive}(a) \in \Delta $ by Lemma 45.

For the second part of the statement, again it suffices to prove that $U(M^\textrm{c}_max )$ is maximal. Let $h'$ be a history of $M^\textrm{c}_max $, with $\Delta = \textsf{last}(h')$, and let $B \subsetneq \overline{h'}$. We want to exhibit a sub-world h of $h'$ whose set of alive agents is B. For every $a \in B$, we have $\textsf{alive}(a) \in \Delta $ by Lemma 45, so using Axiom Max and the fact that $\Delta $ is maximal and consistent, we get $\lnot D_B \lnot \textsf{dead}(B^{\textsf{c}}) \in \Delta $. Then the set $\Gamma ^- = \{ \textsf{dead}(B^{\textsf{c}}) \} \cup \{ \psi \mid D_B\,\psi \in \Delta \}$ is consistent, using the same reasoning as in the proof of Lemma 37. By Lindenbaum’s Lemma, there is a maximal consistent set $\Gamma \supseteq \Gamma ^-$. Moreover, $\Gamma \sim ^\textrm{c}_B \Delta $ by construction (and symmetry of $\sim ^\textrm{c}$). Let $h = (h', B, \Gamma )$. Then we have $h \sim ^\textrm{u}_a h'$ for every $a \in B$, so in particular $B \subseteq \overline{h}$. The converse inclusion stems from the fact that $\textsf{dead}(B^{\textsf{c}}) \in \Gamma $ and Lemma 45. Hence h is a sub-world of $h'$ such that $\overline{h} = B$. $\square $

With the above proposition, and using the same reasoning as before, we get a proof of completeness of $\textbf{SC}_{\textbf{min}}$ and $\textbf{SC}_{\textbf{max}}$ with respect to the classes of minimal/maximal proper partial epistemic models with no empty world. More interestingly, we can lift this to simplicial models, once again using Theorem 32, and the fact that the notions of minimal/maximal models are preserved by the equivalence (see Propositions 31 and 28). Finally:

Theorem 51

The proof system $\textbf{SC}_{\textbf{min}}$ (resp. $\textbf{SC}_{\textbf{max}}$) is complete with respect to the class of minimal (resp. maximal) simplicial models.

6 Dynamics: communication pattern models

In this section, we describe how a generalized simplicial model evolves when the agents share information by communicating. We use the framework of communication patterns [3, 45], which we slightly modify in two ways: (i) we define it entirely on (generalized) simplicial models, rather than Kripke models, and (ii) we allow the processes to crash during a communication event. The first modification was also performed in [8] (Definition 24), in a setting without crashes. Their proposed definition is very similar to our Definition 53; in fact, it is a special case of it. The second point, adding the possibility of crashes, has not been done previously with communication patterns to our knowledge. Conceptually this is quite straightforward, but some care is required in order to avoid some technical issues (see Remark 54 and Example 55). Similar issues arise when we add the possibility of crashes to the action model formalism, as noticed in [38].

Local simplicial models In this section, in contrast to the rest of the paper, we will adopt the distributed computing practice of labelling the vertices (rather than the worlds) of a simplicial model with atomic propositions. Thus, as in previous papers (e.g. [21, 42, 43]), we assume that the set $\textsf{At}$ of atomic proposition is partitioned into sets $\textsf{At}= \bigcup _{a \in A} \textsf{At}_a$, so that each atomic proposition “belongs” to a particular agent. Then a local simplicial model ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ is given by a chromatic simplicial complex $\langle V, S, \chi \rangle $ and a distinguished set of worlds W, as in Definition 6, except that the labelling $\ell $ assigns to each vertex $v \in V$ of colour $\chi (v) = a$, a set of atomic propositions concerning agent a, $\ell (v) \subseteq \textsf{At}_a$.

Note that every local simplicial model gives rise to a (generalized) simplicial model in the sense of Definition 6: the labelling of a given world $w \in W$ is then obtained by taking the union of the labellings of its vertices: $\ell (w) = \bigcup _{v \in w} \ell (v)$. Local simplicial models are strictly less general than the simplicial models of Definition 6. Indeed, local simplicial models obey the so-called Locality axiom (see [21]), which says that every agent a knows the status (true or false) of all the atomic propositions in $\textsf{At}_a$. The locality assumption will be crucial when we define the product update model (see Remark 54).

Communication patterns Communication patterns rely on communication graphs, which indicate how information flows between the agents: an arrow from a to b in a communication graph indicates that agent a successfully sends a message to agent b, containing all the information currently known to a. In distributed computing, this is known as a full-information protocol. In [8], communication graphs are always assumed to be reflexive, so that each agent remembers the information that they had at the previous round. Here, we relax this assumption, and inspired by Sect. 4.1 we will interpret lack of reflexivity as representing the death (a.k.a. crash, in distributed computing) of an agent.

Definition 52

(Communication pattern) A communication graph $G \subseteq A \times A$ is a binary relation on the set of agents. When G is clear from context, we write $a \rightarrow b$ instead of $(a,b) \in G$. The in-neighbourhood of a in G is denoted $\textsf{N}^-_{G}(a) = \{ b \in A \mid b \rightarrow a \}$, and the out-neighbourhood is $\textsf{N}^+_{G}(a) = \{ b \in A \mid a \rightarrow b \}$. We say that agent a is alive in G when $a \rightarrow a$, and that a is dead otherwise. A communication pattern P is a set of communication graphs, i.e. $P \subseteq \mathscr {P}(A \times A)$.

Communication patterns describe a round-based communicative event where every agent tries to broadcast its current local state to all other agents; but some of those messages might be lost. At each round, a communication graph $G \in P$ is chosen arbitrarily, and describes which messages failed to arrive during this round: an edge $a \rightarrow b$ in G indicates that a successfully delivered its message to b. Moreover, some agents might crash during the round, possibly after sending messages to other agents. A crash is indicated by the lack of a reflexive edge $a \rightarrow a$ in G. Communication patterns are closely related to dynamic networks [32], a very general distributed computing model which subsumes not only message-passing models but also round-based shared memory models such as immediate snapshot.

Given a (local) simplicial model ${\mathcal {C}}= \langle V, S, \chi , W, \ell \rangle $ and a communication pattern P, we denote by ${\mathcal {C}}\odot P$ the updated simplicial model which represents the knowledge of the agents after some communicative event $G \in P$ occurred. Informally, its worlds should be pairs (w, G) where $w \in W$ is a world of ${\mathcal {C}}$ and $G \in P$ is a communication graph allowed by P. Moreover, we require that G is compatible with w, in the sense that agents that are dead in w cannot send messages in G: $a \not \in \chi (w)$ implies $\textsf{N}^+_{G}(a) = \varnothing $. Two worlds (w, G) $(w', G')$ should be indistinguishable by some agent a when in both communication graphs G and $G'$, a has received messages from the same set of agents, and the worlds w and $w'$ are indistinguishable for all of these agents, i.e. $(w,G) \sim _a (w', G')$ iff $\textsf{N}^-_{G}(a) = \textsf{N}^-_{G'}(a)$ and $\textsf{N}^-_{G}(a) \subseteq \chi (w \cap w')$ and $a \in \textsf{N}^-_{G}(a)$. Note that the last condition ensures that a is alive in $w, w', G$ and $G'$. These conditions also imply that $w \sim _a w'$. One could check that this yields a partial epistemic model^{Footnote 2}; but in the definition below, we directly construct the corresponding simplicial model.

Let us first introduce some notations. Given a vertex v of a simplicial model and a set B of agents, we write $\textsf{star}_{B}(v)$ for the set of simplexes coloured by B containing v.

$$\begin{aligned} \textsf{star}_{B}(v) = \{ X \in S \mid \chi (X) = B \text { and } v \in X \} \end{aligned}$$

Given a world w of a simplicial model and a set $B \subseteq \chi (w)$, we write ${w}\!\restriction _{B}$ for the sub-simplex of w containing exactly the vertices whose colour is in B. Note that ${w}\!\restriction _{B}$ need not be a world in general. We will use the simplex ${w}\!\restriction _{B}$ to represent the new local state of an agent a after it receives (full-information) messages from the set B of agents. Finally, to increase readability, we annotate vertices with their colour, e.g. we write $v_a \in V$ as shorthand for $v \in V$ such that $\chi (v) = a$. For instance, ${w}\!\restriction _{B} = \{ v_a \in w \mid a \in B \}$.

Definition 53

The updated simplicial model is given by ${\mathcal {C}}\odot P = \langle V', S', \chi ', W', \ell ' \rangle $, where:

$V' = \{ (v_a, X) \mid v_a \in V \text { and } X \in \textsf{star}_{B}(v_a) \text { where } B = \textsf{N}^-_{G}(a) \text { for some } G \in P \}$.
$S' = {W'}\!\downarrow $, that is, the set of all sub-simplexes of the simplexes in $W'$ (defined below).
$\chi '(v_a,X) = a$.
$W' = \{ w \odot G \mid w \in W \text {, } G \in P \text { and } G \text { is compatible with } w \}$,

where $w \odot G = \{ (v_a, {w}\!\restriction _{\textsf{N}^-_{G}(a)}) \mid v_a \in w \text { and a{ isalivein}G} \}$.
$\ell '(v_a, X) = \ell (v_a)$.

Remark 54

Note that it is possible to have $w \odot G = w' \odot G'$ for two distinct worlds $w,w'$ and communication graphs $G, G'$. This is due to the possibility of crashing agents, as illustrated in Example 55 below. This is where the requirement that the initial simplicial model ${\mathcal {C}}$ must be local becomes crucial. Indeed, in a non-local model, we put atomic propositions on the worlds, not vertices, so the last item of the definition should become $\ell '(w \odot G) = \ell (w)$. However, this is not well-defined when $w \odot G = w' \odot G'$ and $\ell (w) \ne \ell (w')$. Intuitively, two worlds w and $w'$ of the original model have been “merged” and we do not know which one to take the labelling from. Locality ensures that whenever two worlds are merged, they already had the same labelling in the initial model.

Example 55

(Synchronous broadcast with crash failures) We now define the communication pattern that produces the simplicial model of Example 12. Consider the set of agents $A = \{a, b, c\}$ and the following communication graphs on A:

We name these graphs $G_1, \ldots , G_4$, from left to right. Note that we omitted some graphs that can be obtained from those by permuting the names of the agents (i.e., graphs where agent b or c crashed instead of a). Intuitively,

$G_1$ is an execution where no crash occurred, all messages were successfully delivered;
$G_2$, $G_3$, $G_4$ are executions where only process a crashed, after sending 0, 1 or 2 messages.

Among those communication graphs, only $G_1$, $G_2$ and $G_3$ have “detectable crashes”, in the sense that whenever a process is dead, at least one of the remaining agents knows about it (because no message was received from the dead agent). So let us define two communication patterns: $P_{\text {detectable}}$ contains $G_1,G_2,G_3$ as well as graphs obtained from them by permuting the names of the agents (totalling 10 graphs); and $P_{\text {undetectable}}$ contains $G_1,G_2,G_3,G_4$ as well as permutations of them (totalling 13 graphs).

Let ${\mathcal {C}}$ be the simplicial model which consists of only one triangle world w with agents a, b, c. One can check that computing ${\mathcal {C}}\odot P_{\text {detectable}}$ yields the (minimal) simplicial model of Example 12. Indeed, world $w \odot G_1$ corresponds to the facet $w_0$; world $w \odot G_2$ corresponds to $w_5$; and world $w \odot G_3$ corresponds to $w_4$. Similarly, one can check that ${\mathcal {C}}\odot P_{\text {undetectable}}$ yields three extra worlds, corresponding to the three edges of world $w_0$ in Example 12, where one agent has crashed but none of the others know about it.

A more interesting example is to consider what happens when the initial model ${\mathcal {C}}$ has more than one facet. In the picture below, we start from the model ${\mathcal {C}}'$ which comprises two triangle worlds w and $w'$ that are glued along their bc-coloured edge. Computing ${\mathcal {C}}' \odot P_{\text {detectable}}$ gives rise to the simplicial complex depicted on the right, with 19 worlds named $w_0, \ldots , w_9$ and $w'_0, \ldots , w'_9$ (notice that $w'_5$ is missing). Similarly, starting with the binary input sphere would yield the same picture as in Fig. 1.

For instance, one can check that the worlds $w_0$ and $w'_0$ correspond to $w \odot G_1$ and $w' \odot G_1$, respectively. Similarly, $w_4$ and $w'_4$ correspond to $w \odot G_3$ and $w' \odot G_3$ (it is a good exercise to verify that these worlds share the same c-coloured vertex). Most interestingly, the world labelled $w_5$ corresponds to both $w \odot G_2$ and $w' \odot G_2$ at the same time (cf. Remark 54). Indeed, when the communication graph $G_2$ occurs, a has crashed and the two agents b and c exchange information. But neither b nor c is able to distinguish between the initial worlds w and $w'$. So no matter whether we started in w or $w'$, the two remaining agents end up with the same local state, i.e., $w \odot G_2 = w' \odot G_2$. This illustrates the fact that working with simplicial complexes automatically makes the model “proper”. This is because in simplicial models, worlds are not a first-class entity, they are merely a collection of compatible local states, that is, a simplex.

Example 56

(Immediate snapshot with initial crash failures) Similarly, the simplicial model of Example 13 can be obtained by computing ${\mathcal {C}}\odot P_{\text {immediate}}$, where ${\mathcal {C}}$ is the simplicial model with a single triangle world for three agents a, b, c, and $P_{\text {immediate}}$ contains the following communication graphs and their permutations (totalling 25 graphs):

The four types of graphs on top, where all processes are alive but some messages might be lost, correspond to the 13 facets of the model in Example 13. The three bottom graphs are those where some initial crash failure(s) occurred: some agents do not participate in the computation. They correspond to the 9 edges and 3 vertices on the boundary.

7 Application to fault-tolerant distributed computing

The goal of this section is to showcase how the epistemic logic machinery developed in this paper can be used to study concrete distributed computing problems. More precisely, we study in details the following distributed computing problem: how to prove that consensus cannot be solved in the synchronous broadcast model with one round and one crash failure. The impossibility result itself is well known, and has been studied extensively in the distributed computing literature, with a very precise analysis of the number of rounds required to solve consensus with various crash assumptions, see e.g. [4, 5, 12]. Our focus here is merely to see how to extend the proof technique of [21], in a setting where processes can crash.

Concurrently with our paper, the same example has been considered in [38]. There are some slight differences between the two proofs however. First, they describe the dynamics using the notion of action models, extended to take into account crashing processes; while we relied on communication pattern models in Sect. 6. Second, the obstruction formula used in the impossibility proof is different: we use a common knowledge operator, while the proof of [38] uses three nested knowledge operators. This is sufficient for the specific one-round toy example being considered, but does not generalize well to multi-round protocols. Lastly, the task to be solved itself is slightly different, since we discuss some other variants of the binary task specification.

7.1 Background on task solvability for fault-tolerant distributed systems

In this section, we will assume the reader is familiar with topological methods to study task solvability in distributed computing. Namely, the initial state of the processes can be described by an input complex $\mathcal {I}$. After communicating, the final states of the processes can be described by a protocol complex $\mathcal {P}_\mathcal {I}$, whose topological structure depends on the communication primitives being used by the processes. The task to be solved can also be described by a simplicial complex, called the task complex $\mathcal {T}$. The central result of distributed computing is the Asynchronous Computability Theorem of Herlihy and Shavit:

Theorem 57

([27]) A task is solvable by a given protocol if and only if there exists a simplicial map $\delta : \mathcal {P}_\mathcal {I}\rightarrow \mathcal {T}$ (satisfying some extra conditions).

Thus, a computational question (solvability of a task) is reduced to a topological question (existence of a simplicial map). A detailed account of topological methods in distributed computing can be found in [26]. As we have seen, simplicial complexes can also be viewed as models for epistemic logic. A full reformulation of task solvability in terms of epistemic logic was developed in [21]. We briefly recap below the definitions that we will be using here.

As in Sect. 6, we will rely here on local simplicial models. This is because in distributed computing, the atomic propositions represent local states of a particular agent. Hence, it is more natural to attach atomic propositions to the vertices of the model, rather than the worlds. Formally, the set of atomic propositions will be of the form $\textsf{At}= \{ \textsf{input}_{a}^{i} \mid a \in A, i \in \mathcal {V}\}$, where $\mathcal {V}$ is a set of input values. Such an atomic proposition is read “agent a has input value i”. Thus, we can partition this set as $\textsf{At}= \bigcup _{a \in A} \textsf{At}_a$, where for a fixed agent a, $\textsf{At}_a = \{ \textsf{input}_{a}^{i} \mid i \in \mathcal {V}\}$ is the set of atomic propositions concerning agent a. Recall that a local simplicial model is a special case of generalized simplicial model, where the labelling $\ell $ assigns each vertex v (rather than world) of colour a, with a set of atoms $\ell (v) \subseteq \textsf{At}_a$.

Consider a local simplicial model $\mathcal {I}= \langle V_{\mathcal {I}}, S_{\mathcal {I}}, \chi _{\mathcal {I}}, W_{\mathcal {I}}, \ell _{\mathcal {I}} \rangle $ called the initial simplicial model. Each world of $\mathcal {I}$, with its labelling $\ell $, represents a possible initial configuration. Similarly, we will have $\mathcal {O}=\langle V_{\mathcal {O}}, S_{\mathcal {O}}, \chi _{\mathcal {O}}, W_{\mathcal {O}}, \ell _{\mathcal {O}} \rangle $ a simplicial model for all possible output values. In [21], we defined a task for $\mathcal {I}$ using a simplicial action model, since we were interpreting DEL. Here we take a more ad hoc approach and simply encode the relation between inputs and outputs that the task should satisfy. Hence, $\mathcal {T}=\langle V_{\mathcal {T}}, S_{\mathcal {T}}, \chi _{\mathcal {T}}, W_{\mathcal {T}}, \ell _{\mathcal {T}} \rangle $ is going to be a sub-complex of $\mathcal {I}\times \mathcal {O}$, encoding all the allowed combinations of input vectors and output vectors.

Since the definition of task solvability relies on the existence of a morphism between simplicial models, we need to define what a morphism is in our setting:

Definition 58

Let ${\mathcal {A}}=\langle V_{{\mathcal {A}}}, S_{{\mathcal {A}}}, \chi _{{\mathcal {A}}}, W_{{\mathcal {A}}}, \ell _{{\mathcal {A}}} \rangle $ and ${\mathcal {B}}=\langle V_{{\mathcal {B}}}, S_{{\mathcal {B}}}, \chi _{{\mathcal {B}}}, W_{{\mathcal {B}}}, \ell _{{\mathcal {B}}} \rangle $ be two local simplicial models. A morphism $f: {\mathcal {A}}\rightarrow {\mathcal {B}}$ of simplicial models consists of a simplicial map from $\langle V_{\mathcal {A}},S_{\mathcal {A}}\rangle $ to $\langle V_{\mathcal {B}},S_{\mathcal {B}}\rangle $, such that $f(W_{\mathcal {A}})\subseteq W_{\mathcal {B}}$, and for all $v \in V_{\mathcal {A}}$, $\chi _{\mathcal {B}}(f(v))=\chi _{\mathcal {A}}(v)$, and $\ell _{\mathcal {B}}(f(v))=\ell _{\mathcal {A}}(v)$.

The protocol that we use to solve a task will be specified by a communication pattern model P, as defined in Sect. 6. Then, the protocol simplicial model will be defined as the updated model $\mathcal {P}= \mathcal {I}\odot P$. Since both the protocol model $\mathcal {P}$ and the task complex $\mathcal {T}$ are defined as products, they come with first projection morphisms $\pi _\mathcal {I}: \mathcal {P}\rightarrow \mathcal {I}$ and $\pi _\mathcal {I}: \mathcal {T}\rightarrow \mathcal {I}$. The role of these morphisms is to recall, for a given final state or output value, from which input state it originally came from. With this data, we can reformulate the solvability of a task as follows:

Definition 59

A task ${\mathcal {T}}$ is solvable using the protocol P if there exists a morphism $\delta : \mathcal {P}\rightarrow \mathcal {T}$ such that $\pi _{\mathcal {I}}\, \circ \, \delta =\pi _\mathcal {I}$, i.e., the diagram of simplicial complexes below commutes.

The intuition behind this definition is the following. A world w in $\mathcal {P}$ corresponds to a global state that is reachable from input $\pi _\mathcal {I}(w)$ in $\mathcal {I}$. The morphism $\delta $ takes w to a world $\delta (w)=(w_{\mathcal {I}},w_{\mathcal {O}})$ of $\mathcal {T}$. The commutativity of the diagram expresses the fact that both w and $\delta (w)$ correspond to the same input assignment. Now consider a single vertex $v \in w$ with $\chi (v) = a \in A$. Then, agent a decides its value solely according to its knowledge in $\mathcal {P}$: if another world $w'$ contains v, then $\delta (v) \in \delta (w) \cap \delta (w')$, meaning that a has to decide the same value in both situations.

7.2 Knowledge gain as a logical tool for task solvability

In [21], to prove that the map $\delta $ of Definition 59 does not exist, we rely on a key property of our logic called “knowledge gain”. This principle says that agents cannot acquire new knowledge along morphisms of simplicial models. Namely, what is known in the image of a morphism was already known in the domain. Thus, to prove that the simplicial map $\delta : \mathcal {P}\rightarrow \mathcal {T}$ cannot exist, we have to find a formula $\varphi $ such that:

1.
that $\varphi $ is true in every world of $\mathcal {T}$,
2.
and that $\varphi $ is false in at least one world of $\mathcal {P}$.

Then by the knowledge gain property, the map $\delta $ does not exist. Such a formula $\varphi $ is called a logical obstruction. Intuitively, the formula $\varphi $ describes some amount of knowledge which is a necessary condition to be able to solve the task $\mathcal {T}$ (Item 1), and is not achieved using protocol $\mathcal {P}$ (Item 2).

Knowledge gain for guarded formulas

In [21], the formulas $\varphi $ that could be used as obstruction formulas were all positive formulas. Here, in the presence of process crashes, we need an additional restriction: $\varphi $ must be a guarded formula, which we define now. Formally, the fragment of guarded positive epistemic formulas $\varphi \in {{\mathcal {L}}}^+_{K,\text {alive}}$ is defined by the grammar:

$$\begin{aligned} \varphi {:}{:}=&\textsf{alive}(B) \Rightarrow \psi _B \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid D_U\varphi \mid C_U \varphi & U, B \subseteq A,\; \psi _B \in {{\mathcal {L}}}\!\restriction _{B}\\ \psi _B {:}{:}=&p \mid \lnot \psi _B \mid \psi _B \wedge \psi _B & p \in \textsf{At}_B \end{aligned}$$

where:

$C_U$ is the common knowledge operator [14], which is the least solution of the equation $C_U \varphi = \varphi \vee \bigvee _{u \in U} K_u(C_U\varphi )$, and whose semantics on a simplicial model $M=\langle V_{M}, S_{M}, \chi _{M}, W_{M}, \ell _{M} \rangle $ is given as follows: for every world $w'$ in $W_M$ reachable from w in $W_M$ following a sequence of simplexes sharing a U-coloured simplex, $M,w' \models \varphi $;
the formula $\textsf{alive}(B)$ stands for $\bigwedge _{a \in B} \textsf{alive}(a)$;
the set $\textsf{At}_B$ denotes the set of atoms concerning the agents in B, i.e., $\textsf{At}_B = \bigcup _{a \in B} \textsf{At}_a$;
and the formula $\psi _B \in {{\mathcal {L}}}\!\restriction _{B}$ is a propositional formula restricted to the agents in B. It can only contain atomic propositions concerning the agents in B, and no modal operator.

Theorem 60

(knowledge gain, revisited) Consider simplicial models ${\mathcal {C}}=\langle V_{{\mathcal {C}}}, S_{{\mathcal {C}}}, \chi _{{\mathcal {C}}}, W_{{\mathcal {C}}}, \ell _{{\mathcal {C}}} \rangle $ and ${\mathcal {D}}=\langle V_{{\mathcal {D}}}, S_{{\mathcal {D}}}, \chi _{{\mathcal {D}}}, W_{{\mathcal {D}}}, \ell _{{\mathcal {D}}} \rangle $, and a morphism $f: {\mathcal {C}}\rightarrow {\mathcal {D}}$. Let $\varphi \in {{\mathcal {L}}}^+_{K,alive }$ be a guarded positive epistemic formula. Then ${\mathcal {D}},f(w) \models \varphi $ implies ${\mathcal {C}},w \models \varphi $.

Proof

We proceed by induction on the structure of the guarded positive formulas $\varphi $. The inductive cases are obvious to prove for $\wedge $ and $\vee $.

The case of the operator $D_B \varphi $ is proved as follows. Suppose that ${\mathcal {D}},f(w) \models D_B \varphi $, where $\varphi $ is a guarded positive formula. In order to show that ${\mathcal {C}}, w \models D_B \varphi $, let us consider a world $w' \in W_{\mathcal {C}}$ such that $B \subseteq \chi (w'\cap w)$. Since f is a morphism of simplicial models, $w'$ being in $W_{\mathcal {C}}$ implies that $f(w')\in W_{\mathcal {D}}$. Moreover, we have $B \subseteq \chi (f(w')\cap f(w))$: indeed, we have $\chi (w'\cap w) = \chi (f(w'\cap w))$ because morphisms preserve colours; and $f(w'\cap w) \subseteq f(w')\cap f(w)$ because simplicial maps operate on vertices. Thus, $B \subseteq \chi (w'\cap w) = \chi (f(w'\cap w)) \subseteq \chi (f(w')\cap f(w))$. Finally, since the world f(w) satisfies $D_B \varphi $, we must have ${\mathcal {D}}, f(w') \models \varphi $, and therefore by induction hypothesis, ${\mathcal {C}}, w' \models \varphi $ as required.

The case of $C_U \varphi $ is very similar. Suppose that ${\mathcal {D}},f(w) \models C_U \varphi $. Then, consider a world $w'$ in $W_{\mathcal {C}}$ reachable from w following a sequence of worlds of ${\mathcal {C}}$ sharing a U-coloured simplex. When we apply f to that sequence, since it is a morphism of simplicial model, $f(w')$ is reachable from f(w) following a sequence of worlds sharing a U-coloured simplex. Then ${\mathcal {D}},f(w') \models \varphi $, and by induction hypothesis, ${\mathcal {C}}, w' \models \varphi $. This proves that ${\mathcal {C}}, w\models C_U \varphi $.

For the base case, assume that $\varphi = \textsf{alive}(B) \Rightarrow \psi _B$ for some set of agents $B \subseteq A$ and some propositional formula $\psi _B \in {{\mathcal {L}}}\!\restriction _{B}$. We distinguish two cases. Either some agent $a \in B$ is dead in the world w, in which case ${\mathcal {C}},w \models \varphi $ is vacuously true, and we are done. Or all agents in B are alive in w, and since f is a morphism of pointed simplicial models, all agents in B are also alive in f(w). Thus, we have ${\mathcal {D}},f(w) \models \psi _B$. Moreover, since f is a morphism, we know that $\ell _{{\mathcal {D}}}(f(v)) = \ell _{\mathcal {C}}(v)$ for all v in w. So all atomic propositions in $\textsf{At}_{B}$ have the same truth value in the worlds w and f(w). As a consequence ${\mathcal {D}},f(w) \models \psi _B$ implies that ${\mathcal {C}},w \models \psi _B$, and thus ${\mathcal {C}},w \models \varphi $ as required. $\square $

Note that this theorem is slightly different from the one considered in the conference version of this paper [22]. First, we consider epistemic formulas with common knowledge, that was not considered as an operator in [22]. Second, since we are working with a more general definition of simplicial models, the notion of morphism is also slightly different and the proof is adapted in consequence.

7.3 Extended example: consensus in synchronous broadcast protocols

We are now equipped to study the following distributed computing problem: how to prove that the consensus task cannot be solved in the synchronous broadcast model with one crash failure. Rather than the impossibility result itself, which is well known, our main focus here is to showcase how the epistemic logic machinery developed in this paper can be used to establish an impossibility proof in distributed computing.

Input model. We will be working with three agents (a.k.a. processes) a, b and c. For the binary consensus task, each of them starts the computation with an input value, either 0 or 1. The initial simplicial model $\mathcal {I}= \langle V_{\mathcal {I}}, S_{\mathcal {I}}, \chi _{\mathcal {I}}, W_{\mathcal {I}}, \ell _{\mathcal {I}} \rangle $ modelling the initial states of the processes is depicted below. Each of the 8 facets of $\mathcal {I}$ represents a possible initial configuration for the agents a, b and c, with possible input values 0 or 1. We denote by $\textsf{input}_{a}^{v}$ the atomic proposition meaning that “agent a has input value v”. On the figure below, the labelling of a vertex is indicated by a subscript: $\ell _{\mathcal {I}}(a_i)=\{\textsf{input}_{a}^{i}\}$, $\ell _{\mathcal {I}}(b_i)=\{\textsf{input}_{b}^{i}\}$ and $\ell _{\mathcal {I}}(c_i)=\{\textsf{input}_{c}^{i}\}$, for $i=0, 1$. The set of worlds W associated to the simplicial model $\mathcal {I}$ is composed of the 8 facets modelling the initial states when all processes are alive, plus the 12 edges in thick black below, modelling the possible states of any pair of processes, the third one being dead:

The synchronous broadcast model with crash failures Let us first explain informally the synchronous broadcast model with one crash failure. To keep the pictures small and 2-dimensional, we assume here that there is a single input simplex, where agents a, b, c always start the computation with input values $v_1,v_2,v_3$, respectively; but we keep in mind that in general, an agent does not know in advance the inputs of the others. (In the introduction section of the paper, Fig. 1 depicts a less degenerate situation where we start with the full binary input complex.) At the beginning of the computation, the local state of each process is its input value. Then, communication occurs via synchronized rounds. At each round:

Each process sends its own local state to all other processes, in an unspecified order.
At most one process may crash per round. When a process crashes, it simply stops sending messages. Under the detectable crashes assumption, a process may not crash after successfully sending all of its messages. This ensures that at least one of the other processes is able to witness the crash.
The round ends when all the non-faulty processes have finished sending their messages. Each non-faulty process then updates its local state by appending all the messages that it received during the round; we then proceed to the next round.

Due to the synchronous nature of this model, whenever a round ends and some process P has not received a message from process Q, process P immediately knows that Q has crashed.

In the following, we focus on modelling a single round of computation. The resulting simplicial model is the one depicted in Example 12. It can be computed using the communication pattern $P_{\text {detectable}}$ of Example 55. Now we can make explicit the labelling of vertices. Thus, here all a-labelled vertices $u_a$ (in blue in Example 12) have labelling $\ell (u_a)=\{\textsf{input}_{a}^{v_1}\}$, all b-labelled vertices $u_b$ (in red) have $\ell (u_b)=\{\textsf{input}_{b}^{v_2}\}$ and all c-labelled vertices $u_c$ (in green) have $\ell (u_c)=\{\textsf{input}_{c}^{v_3}\}$.

Output model The output model $\mathcal {O}= \langle V_{\mathcal {O}}, S_{\mathcal {O}}, \chi _{\mathcal {O}}, W_{\mathcal {O}}, \ell _{\mathcal {O}} \rangle $ is depicted below:

In this model, there are 8 worlds: there are the two facets, modeling the fact that the three agents are still alive, and they either all decide 0, or all decide 1. There are also the 6 edges in thick black modeling the fact that two among three agents are still alive when the protocol completes, deciding either 0 or 1. The decision values are indicated as a superscript on agent’s names. As a simplicial model, we declare the labelling on vertices empty.

Binary consensus task specification The task specification simplicial model is given as a relation between input and output, hence, its underlying simplicial complex is a subcomplex of the product complex $\mathcal {I}\times \mathcal {O}$. Let us first describe the full product $\mathcal {I}\times \mathcal {O}$, depicted below. Its worlds are a given by the set-theoretic product $W_{\mathcal {I}}\times W_{\mathcal {O}}$, and, intuitively, the corresponding indistinguishability relation (seen as a Kripke epistemic model) is given by $(w,u) \sim _a (w',u')$ iff $w \sim _a w'$ and $u \sim _a u'$. As a simplicial model, we get the picture below, which consists of two copies of the input model $\mathcal {I}$. The worlds of $\mathcal {I}\times \mathcal {O}$ are all the edges, depicted as thick lines, and all triangles, in grey. (However, since we consider only one crash failure, the isolated vertices are not worlds of the model.)

Formally, the complex $\mathcal {I}\times \mathcal {O}$ is defined as follows: its set of vertices is given by pairs of vertices of $\mathcal {I}$ and $\mathcal {O}$ of the same colour: $V_{\mathcal {I}\times \mathcal {O}} = \{ (a, v, v') \in A \times V_\mathcal {I}\times V_\mathcal {O}\mid \chi (v) = \chi (v') = a \}$. Such a vertex is coloured by a, and inherits the atomic propositions of the input model $\mathcal {I}$. Then, a simplex of $\mathcal {I}\times \mathcal {O}$ is a set of vertices such that the projections on the second and third components yield simplexes of $\mathcal {I}$ and $\mathcal {O}$, respectively. In other words, every pair of simplexes $X = \{v_1, \ldots , v_k\} \in S_\mathcal {I}$ and $Y = \{v'_1, \ldots , v'_k\} \in S_\mathcal {O}$ such that $\chi (v_i) = \chi (v'_i) = a_i$ yields a simplex $X \times Y = \{(a_1, v_1, v'_1), \ldots , (a_k, v_k, v'_k)\} \in S_{\mathcal {I}\times \mathcal {O}}$.

In the picture above, the left binary sphere represents the possible output situations where the processes decide 0. The binary sphere on the right represents situations where processes decide 1. In a vertex, the subscript represents the input value of a process, and the superscript represents the output. The labelling is taken from the input value, e.g., $\ell _{\mathcal {I}}(a^j_i)=\{\textsf{input}_{a}^{i}\}$.

In the presence of crashes, there are various ways to specify the consensus task [10]. The first one is called the validity axiom (SV1) in [10]:

“The decision of any correct process is equal to the input of some correct process.”

In that case, we should take out among the simplices of the corresponding task specification $\mathcal {T}\subseteq W_I\times W_O$ the triangle with all inputs at 1, for the left copy of the binary sphere (which corresponds to deciding 0), the triangle with all inputs 0 for the right copy of the binary sphere (which corresponds to deciding 1), and also take out the 3 edges with all 1 s on the left sphere, and the 3 edges with all 0s on the right sphere, as worlds, leading to the following picture, simplicial model $\mathcal {T}_1$:

Another, weaker specification of the consensus task is the validity axiom (RV1) of [10]:

“The decision of any correct process is equal to the input of some process.”

In that case, we should take out among the simplices of the corresponding task specification $\mathcal {T}\subseteq W_I\times W_O$ the triangle with all inputs at 1, for the left copy of the binary sphere (which corresponds to deciding 0), the triangle with all inputs 0 for the right copy of the binary sphere (which corresponds to deciding 1), but this time keep the 3 edges with all 1s on the left sphere, and the 3 edges with all 0s on the right sphere, as worlds, leading to the following picture, simplicial model $\mathcal {T}_2$:

Impossibility of (SV1) consensus in one round As well known [11], consensus cannot be reached in a synchronous architecture with at most f failures in less than $f+1$ rounds. Here we exemplify this result, in logical terms, in the case $f=1$, showing that consensus needs at least 2 rounds to be solvable.

For the asynchronous wait-free architecture, it is well known that consensus is not solvable (in any number of rounds) see e.g. [15], and it is well known that on the epistemic logic side, this comes from the impossibility of reaching common knowledge among agents [21, 36]. In this paper, we propose a new logical obstruction, also based on common knowledge, that works for the case of synchronous architectures. The main idea is that in synchronous architectures, there is a way to tell whether agents have died or are still alive. This is reflected by the knowledge gain theorem, Theorem 60.

We are now ready to consider the following formulas, for $i=0,1$:

$$\begin{aligned} \varphi _i=C_A\left( \mathop {\bigwedge }\limits _{B \subseteq A} \left( \textsf{alive}(B)\Rightarrow \mathop {\bigvee }\limits _{b \in B} \textsf{input}_{b}^{i}\right) \right) \end{aligned}$$

where $C_A$ is the common knowledge operator for the set of agents A. The formula $\varphi _0\vee \varphi _1$ is actually specifying axiom (SV1): indeed in the corresponding task specification model $\mathcal {T}_1$, $\varphi _0$ holds in the left component, whereas $\varphi _1$ holds in the right component.

Now, we check that neither $\mathcal {I}\odot P_{\text {detectable}},w \models \varphi _0$ nor $\mathcal {I}\odot P_{\text {detectable}},w \models \varphi _1$. In $\mathcal {T}_1$, all simplexes which are worlds are connected to one another. In particular, the triangle which is labelled by $\{\textsf{input}_{a}^{0}, \textsf{input}_{b}^{0}, \textsf{input}_{c}^{0}\}$ is connected to the triangle which is labelled by $\{\textsf{input}_{a}^{1}, \textsf{input}_{b}^{1}, \textsf{input}_{c}^{1}\}$. Hence, by the semantics of Sect. 3.1, agents in A cannot have common knowledge of either $\mathop {\bigwedge }\limits _{B \subseteq A} \left( \textsf{alive}(B)\Rightarrow \mathop {\bigvee }\limits _{b \in B} \textsf{input}_{b}^{0}\right) $ nor $\mathop {\bigwedge }\limits _{B \subseteq A} \left( \textsf{alive}(B)\Rightarrow \mathop {\bigvee }\limits _{b \in B} \textsf{input}_{b}^{1}\right) $.

Let us now consider the following formulas, for $j=0,1$:

$$\begin{aligned} \psi _j=C_A\left( \mathop {\bigwedge }\limits _{B \subseteq A} \left( \textsf{alive}(B)\Rightarrow \mathop {\bigvee }\limits _{a \in A} \textsf{input}_{a}^{j}\right) \right) \end{aligned}$$

Now, the formula $\psi _0\vee \psi _1$ is specifying axiom (RV1): indeed, similarly to the previous case, in the corresponding task specification model $\mathcal {T}_2$, $\varphi _0$ holds in the left component, whereas $\varphi _1$ holds in the right component.

The conclusion holds in a similar manner, binary consensus even with the weak requirement (RV1) cannot be solved in one round in the synchronous broadcast protocol model.

8 Conclusion

In this work, we have extended the simplicial model approach to epistemic logic, so that to account for the case in which some agents may die, and others may know, or not know, they are dead.

On the model-theoretic side, this implied to decorate simplicial models with subsets of simplexes that are the observable worlds, in the corresponding Kripke model approach. On the logical side, this made us move from $\mathbf {S5_n}$ to $\mathbf {KB4_n}$ and other axioms, according to the choices we can make about the knowledge of agents’ deaths.

This paper has further ramifications. First, another generalization can be made using (semi-)simplicial sets instead of simplicial complexes, see [20], which deepens the discussion of this paper about distributed knowledge. Second, it is natural to view our simplicial complex models decorated with observable worlds as hypergraphs. This is developed in another sequel [19] where we further discuss the ways predicates should be attached to worlds, or to agents (as point of views in [19]) or both.

There are still numerous extensions to this work, to be considered. Indeed, more applications to distributed computing should be developed; in particular, extending the logical obstruction to the solvability of set agreement by Yagi and Nishimura [47] to the synchronous setting where f processes may crash to obtain the lower bound of [9, 30] showing that $\lfloor f/k\rfloor +1$ rounds are needed to solve k-set agreement. This calls for a more in-depth discussion of temporal extensions of our epistemic logics, to account for the evolution of knowledge in distributed computed, through communication, extending the DEL approach which we originally presented in [21].

Notes

In topology, X is often called a face of Y, but we prefer to avoid the confusion with the word “facet”.
This partial epistemic model might not be proper in general. One can make it proper as in Sect. 5.3, but this requires an extra assumption. Remark 54 discusses the same issue in the simplicial setting.

References

Aguilera, M.K.: A pleasant stroll through the land of infinitely many creatures. SIGACT News 35(2), 36–59 (2004). https://doi.org/10.1145/992287.992298
Article Google Scholar
Baltag, A., Smets, S.: Correlated knowledge: an epistemic-logic view on quantum entanglement. Int. J. Theor. Phys. 49(12), 3005–3021 (2010). https://doi.org/10.1007/s10773-010-0411-5
Article MathSciNet Google Scholar
Baltag, A., Smets, S.: Learning what others know. In: Albert, E., Kovács, L., (eds.) LPAR 2020: 23rd International Conference on Logic for Programming, Artificial Intelligence and Reasoning, Alicante, Spain, May 22–27, 2020, Volume 73 of EPiC Series in Computing, pp. 90–119. EasyChair (2020). https://doi.org/10.29007/plm4
Castañeda, A., Fraigniaud, P., Paz, A., Rajsbaum, S., Roy, M., Travers, C.: Synchronous t-resilient consensus in arbitrary graphs. Inf. Comput. 292, 105035 (2023). https://doi.org/10.1016/j.ic.2023.105035
Article MathSciNet Google Scholar
Castañeda, A., Gonczarowski, Y.A., Moses, Y.: Unbeatable consensus. In: Kuhn, F. (ed.) Distributed Computing, pp. 91–106. Springer, Berlin Heidelberg (2014)
Chapter Google Scholar
Castañeda, A., Moses, Y., Raynal, M., Roy, M.: Early decision and stopping in synchronous consensus: a predicate-based guided tour. In: El Abbadi, A., Garbinato, B. (eds.) Networked Systems, pp. 206–221. Springer, Cham (2017)
Chapter Google Scholar
Castañeda, A., Rajsbaum, S., Raynal, M.: The renaming problem in shared memory systems: an introduction. Comput. Sci. Rev. 5(3), 229–251 (2011). https://doi.org/10.1016/j.cosrev.2011.04.001
Article Google Scholar
Castañeda, A., van Ditmarsch, H., Rosenblueth, D.A., Velázquez, D.A.: Communication pattern logic: epistemic and topological views. J. Philos. Log. (2023). https://doi.org/10.1007/s10992-023-09713-8
Article MathSciNet Google Scholar
Chaudhuri, S., Herlihy, M., Lynch, N.A., Tuttle, M.R.: Tight bounds for k-set agreement. J. ACM 47(5), 912–943 (2000). https://doi.org/10.1145/355483.355489
Article MathSciNet Google Scholar
De Prisco, R., Malkhi, D., Reiter, M.K.: On k-set consensus problems in asynchronous systems. IEEE Trans. Parallel Distrib. Syst. 12(1), 7–21 (2001)
Article Google Scholar
Dolev, D., Reischuk, R., Strong, H.R.: Early stopping in byzantine agreement. J. ACM 37(4), 720–741 (1990). https://doi.org/10.1145/96559.96565
Article MathSciNet Google Scholar
Dwork, C., Moses, Y.: Knowledge and common knowledge in a byzantine environment: crash failures. Inf. Comput. 88(2), 156–186 (1990). https://doi.org/10.1016/0890-5401(90)90014-9
Article MathSciNet Google Scholar
Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press, Cambridge (2003)
Google Scholar
Fagin, R., Halpern, J.Y., Vardi, M.Y.: What can machines know? on the properties of knowledge in distributed systems. J. ACM 39(2), 328–376 (1992). https://doi.org/10.1145/128749.150945
Article MathSciNet Google Scholar
Fischer, M.J., Lynch, N.A.: A lower bound for the time to assure interactive consistency. Inf. Process. Lett. 14(4), 183–186 (1982). https://doi.org/10.1016/0020-0190(82)90033-3
Article MathSciNet Google Scholar
Flocchini, P., Prencipe, G., Santoro, N. (eds.): Distributed Computing by Mobile Entities, Current Research in Moving and Computing, Volume 11340 of Lecture Notes in Computer Science. Springer, Berlin (2019). https://doi.org/10.1007/978-3-030-11072-7
Book Google Scholar
Garson, J.: Modal logic. In: Zalta, E.N. (ed.) The Stanford Encyclopedia of Philosophy, Summer 2021 edn. Metaphysics Research Lab, Stanford University (2021)
Goren, G., Moses, Y.: Silence. J. ACM 67(1), 1–26 (2020). https://doi.org/10.1145/3377883
Article MathSciNet Google Scholar
Goubault, E., Kniazev, R., Ledent, J.: A many-sorted epistemic logic for chromatic hypergraphs. Accepted for presentation at CSL’24 (2023). arXiv:2308.00477
Goubault, É., Kniazev, R., Ledent, J., Rajsbaum, S.: Semi-simplicial set models for distributed knowledge. In: LICS, pp. 1–13 (2023). https://doi.org/10.1109/LICS56636.2023.10175737
Goubault, É., Ledent, J., Rajsbaum, S.: A simplicial complex model for dynamic epistemic logic to study distributed task computability. Inf. Comput. 278, 104597 (2021). https://doi.org/10.1016/j.ic.2020.104597
Article MathSciNet Google Scholar
Goubault, É., Ledent, J., Rajsbaum, S.: A simplicial model for KB4n: epistemic logic with agents that may die. In: 39th International Symposium on Theoretical Aspects of Computer Science, STACS 2022, pp. 33:1–33:20 (2022). https://doi.org/10.4230/LIPIcs.STACS.2022.33
Goubault, E., Ledent, J., Rajsbaum, S.: A simplicial model for KB4n: epistemic logic with agents that may die (2022). arXiv:2108.10293
Halpern, J.Y., Moses, Y.: Knowledge and common knowledge in a distributed environment. J. ACM 37(3), 549–587 (1990). https://doi.org/10.1145/79147.79161
Article MathSciNet Google Scholar
Halpern, J.Y., Pass, R.: A knowledge-based analysis of the blockchain protocol. In: Lang, J. (ed.) Proceedings Sixteenth Conference on Theoretical Aspects of Rationality and Knowledge, TARK 2017, Liverpool, UK, 24–26 July 2017, Volume 251 of EPTCS, pp. 324–335 (2017). https://doi.org/10.4204/EPTCS.251.22
Herlihy, M., Kozlov, D., Rajsbaum, S.: Distributed Computing Through Combinatorial Topology. Morgan Kaufmann, San Francisco (2013)
Google Scholar
Herlihy, M., Shavit, N.: The topological structure of asynchronous computability. J. ACM 46(6), 858–923 (1999). https://doi.org/10.1145/331524.331529
Article MathSciNet Google Scholar
Herlihy, M.: Wait-free synchronization. ACM Trans. Program. Lang. Syst. 13(1), 124–149 (1991). https://doi.org/10.1145/114005.102808
Article Google Scholar
Herlihy, M.: Blockchains from a distributed computing perspective. Commun. ACM 62(2), 78–85 (2019). https://doi.org/10.1145/3209623
Article Google Scholar
Herlihy, M., Rajsbaum, S., Tuttle, M.R.: An overview of synchronous message-passing and topology. Electron. Notes Theor. Comput. Sci. 39(2), 1–17 (2000). https://doi.org/10.1016/S1571-0661(05)01148-5
Article Google Scholar
Hoshino, S.: Determining existence of logical obstructions to the distributed task solvability (2022). arxiv:2203.05153
Kuhn, F., Oshman, R.: Dynamic networks: models and algorithms. SIGACT News 42(1), 82–96 (2011). https://doi.org/10.1145/1959045.1959064
Article Google Scholar
Mendes, H., Herlihy, M., Vaidya, N., Garg, V.K.: Multidimensional agreement in byzantine systems. Distrib. Comput. 28(6), 423–441 (2015). https://doi.org/10.1007/s00446-014-0240-5
Article MathSciNet Google Scholar
Mitchell, J.C., Moggi, E.: Kripke-style models for typed lambda calculus. Ann. Pure Appl. Log. 51, 99–124 (1996)
Article MathSciNet Google Scholar
Moses, Y., Fagin, R., Halpern, J., Vardi, M.: Reasoning About Knowledge. MIT Press, Cambridge (1995)
Google Scholar
Moses, Y.: Knowledge in Distributed Systems, pp. 1051–1055. Springer New York, New York (2016). https://doi.org/10.1007/978-1-4939-2864-4_606
Book Google Scholar
Mostefaoui, A., Raynal, M., Travers, C., Patterson, S., Agrawal, D., Abbadi, A.E.: From static distributed systems to dynamic systems. In: 24th IEEE Symposium on Reliable Distributed Systems (SRDS’05), pp. 109–118 (2005).https://doi.org/10.1109/RELDIS.2005.19
Nakai, D., Muramatsu, M., Nishimura, S.: Partial product updates for agents of detectable failure and logical obstruction to task solvability (2023). arXiv:2303.16437
Oh, S., Randall, D., Richa, A.W.: Adaptive collective responses to local stimuli in anonymous dynamic networks. In: Doty, D., Spirakis, P.G. (eds.) 2nd Symposium on Algorithmic Foundations of Dynamic Networks, SAND 2023, June 19–21, 2023, Pisa, Italy, Volume 257 of LIPIcs, pp. 6:1–6:23. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2023). https://doi.org/10.4230/LIPIcs.SAND.2023.6
Randrianomentsoa, R., van Ditmarsch, H., Kuznets, R.: Impure simplicial complexes: complete axiomatization. Log. Methods Comput. Sci. 19(4), 3:1-3:35 (2023). https://doi.org/10.46298/lmcs-19(4:3)2023
Article MathSciNet Google Scholar
van der Hoek, W., Wooldridge, M.: Logics for multiagent systems. AI Mag. 33(3), 92 (2012). https://doi.org/10.1609/aimag.v33i3.2427
Article Google Scholar
van Ditmarsch, H.: Wanted dead or alive: epistemic logic for impure simplicial complexes. In: Silva, A., Wassermann, R., de Queiroz, R.J.G.B. (eds.) Logic, Language, Information, and Computation—27th International Workshop, WoLLIC 2021, Proceedings, Volume 13038 of Lecture Notes in Computer Science, pp. 31–46. Springer (2021). https://doi.org/10.1007/978-3-030-88853-4_3
van Ditmarsch, H., Goubault, É., Ledent, J., Rajsbaum, S.: Knowledge and simplicial complexes. In: Lundgren, B., Hernández, N.A.N. (eds.) Philosophy of Computing, vol. 143, pp. 1–50. Springer, Berlin (2022). https://doi.org/10.1007/978-3-030-75267-5_1
Chapter Google Scholar
van Ditmarsch, H., Goubault, É., Lazic, M., Ledent, J., Rajsbaum, S.: A dynamic epistemic logic analysis of equality negation and other epistemic covering tasks. J. Log. Algebraic Methods Program. 121, 100662 (2021). https://doi.org/10.1016/j.jlamp.2021.100662
Article MathSciNet Google Scholar
Velázquez, D.A., Castañeda, A., Rosenblueth, D.A.: Communication pattern models: an extension of action models for dynamic-network distributed systems. In: Halpern, J.Y., Perea, A. (eds.) Proceedings Eighteenth Conference on Theoretical Aspects of Rationality and Knowledge, TARK 2021, Volume 335 of EPTCS, pp. 307–321 (2021). https://doi.org/10.4204/EPTCS.335.29
Velázquez-Cervantes, D.: Una relación entre las lógicas modales y el enfoque topológico del cómputo distribuido. Master’s thesis, UNAM, Mexico (2019)
Yagi, K., Nishimura, S.: Logical obstruction to set agreement tasks for superset-closed adversaries (2020). CoRR, arxiv:2011.13630

Download references

Funding

Éric Goubault was partially funded by Agence de l’Innovation de Défense - AID - via Centre Interdisciplinaire d’Etudes pour la Défense et la Sécurité - CIEDS - (project 2021 - FARO) and the academic chair Complex Systems Architecture via the CIEDS. Sergio Rajsbaum received additional support from ANR project DUCAT (ANR-20-CE48-0006), and Fondation Sciences Mathématiques de Paris (FSMP).

Author information

Authors and Affiliations

LIX, École Polytechnique, CNRS and IP-Paris, 91128, Palaiseau Cedex, France
Éric Goubault & Roman Kniazev
ENS Paris-Saclay, CNRS, LSV, Université Paris-Saclay, 91190, Gif-sur-Yvette, France
Roman Kniazev
CNRS, IRIF, Université Paris Cité, F-75013, Paris, France
Roman Kniazev & Jérémy Ledent
Instituto de Matemáticas, UNAM, 04510, Mexico City, Mexico
Sergio Rajsbaum

Authors

Éric Goubault
View author publications
You can also search for this author in PubMed Google Scholar
Roman Kniazev
View author publications
You can also search for this author in PubMed Google Scholar
Jérémy Ledent
View author publications
You can also search for this author in PubMed Google Scholar
Sergio Rajsbaum
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jérémy Ledent.

Ethics declarations

Conflict of interest

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Sergio Rajsbaum: Part of this work was done while Sergio Rajsbaum was visiting LIX, École Polytechnique and IRIF, Université Paris Cité.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Goubault, É., Kniazev, R., Ledent, J. et al. Simplicial models for the epistemic logic of faulty agents. Bol. Soc. Mat. Mex. 30, 90 (2024). https://doi.org/10.1007/s40590-024-00656-x

Download citation

Received: 15 November 2023
Accepted: 17 July 2024
Published: 09 September 2024
DOI: https://doi.org/10.1007/s40590-024-00656-x

– Dead agents know everything:	\(\mathbf {KB4_n}\vdash \textsf{dead}(a) \Rightarrow K_a\,\varphi \).
More generally, for any \(a \in B\):	\(\mathbf {KB4_n}\vdash \textsf{dead}(a) \Rightarrow D_B\,\varphi \).
– Alive agents satisfy Axiom T:	\(\mathbf {KB4_n}\vdash \textsf{alive}(a) \Rightarrow (K_a\,\varphi \Rightarrow \varphi )\).
More generally:	\(\mathbf {KB4_n}\vdash \textsf{alive}(B) \Rightarrow (D_B\,\varphi \Rightarrow \varphi )\).
– Alive agents know they are alive:	\(\mathbf {KB4_n}\vdash \textsf{alive}(a) \Rightarrow K_a\,\textsf{alive}(a)\).
More generally:	\(\mathbf {KB4_n}\vdash \textsf{alive}(B) \Rightarrow D_B\,\textsf{alive}(B)\).

Simplicial models for the epistemic logic of faulty agents

Abstract

Similar content being viewed by others

Wanted Dead or Alive: Epistemic Logic for Impure Simplicial Complexes

Knowledge and Simplicial Complexes

Communication Pattern Logic: Epistemic and Topological Views

1 Introduction

2 Background on simplicial complexes and Kripke structures

Definition 1

Definition 2

Definition 3

Theorem 4

Example 5

3 Simplicial semantics of epistemic logic with distributed knowledge

3.1 Generalized simplicial models

Definition 6

Remark 7

Definition 8

Example 9

Definition 10

Definition 11

Example 12

Example 13

Remark 14

3.2 Reasoning about alive and dead agents

Example 15

3.3 Axiomatization: \(\mathbf {KB4_n}\) and beyond

Example 16

Remark 17

Remark 18

Proposition 19

Proof

4 Equivalent classes of Kripke models

4.1 Partial epistemic models

Definition 20

Definition 21

Definition 22

Remark 23

Example 24

Definition 25

4.2 Relating simplicial models and partial epistemic models

Definition 26

Proposition 27

Proof

Proposition 28

Proof

Definition 29

Proposition 30

Proof

Proposition 31

Proof

Theorem 32

Proof

Example 33

Example 34

5 Completeness results

5.1 The canonical pseudo-model

Definition 35

Definition 36

Lemma 37

Proof

Remark 38

5.2 Unravelling a pseudo-model

Definition 39

Lemma 40

Proof

Lemma 41

Proof

Remark 42

5.3 Making the model proper

Definition 43

Lemma 44

Proof

5.4 Proofs of completeness

Lemma 45

Proof

Proposition 46

Proof

Proposition 47

Proof