Epistemic Reasoning with Byzantine-Faulty Agents

Abstract

We introduce a novel comprehensive framework for epistemic reasoning in multi-agent systems where agents may behave asynchronously and may be byzantine faulty. Extending Fagin et al.’s classic runs-and-systems framework to agents who may arbitrarily deviate from their protocols, it combines epistemic and temporal logic and incorporates fine-grained mechanisms for specifying distributed protocols and their behaviors. Besides our framework’s ability to express any type of faulty behavior, from fully byzantine to fully benign, it allows to specify arbitrary timing and synchronization properties. As a consequence, it can be adapted to any message-passing distributed computing model we are aware of, including synchronous processes and communication, (un-)reliable uni-/multi-/broadcast communication, and even coordinated action. The utility of our framework is demonstrated by formalizing the brain-in-a-vat scenario, which exposes the substantial limitations of what can be known by asynchronous agents in fault-tolerant distributed systems. Given the knowledge of preconditions principle, this restricts preconditions that error-prone agents can use in their protocols. In particular, it is usually necessary to relativize preconditions with respect to the correctness of the acting agent.

...By our remembrances of days foregone

Such were our faults, or then we thought them none.

W. Shakespeare,

All’s Well That Ends Well

R. Kuznets—Supported by the Austrian Science Fund (FWF) project RiSE/SHiNE (S11405) and ADynNet (P28182).

K. Fruzsa—PhD student in the FWF doctoral program LogiCS (W1255).

A Appendix

This section is dedicated to proving the Brain-in-a-Vat Lemma. Before engaging with the proof, we flesh out necessary details of how our framework operates.

For a function \(f :\varSigma \rightarrow \varTheta \) and a set \(X \subseteq \varSigma \) we use the following notation: . For functions with multiple arguments, we allow ourselves to mix and match elements with sets of elements, e.g., . As stated in Sect. 2, the function must be total and satisfy the following properties: for arbitrary \(i,j\in \mathcal {A}\), and , and \(a \in Actions _{i}\), and \(b \in Actions _{j}\),

1. 1.

   ;

2. 2.

   .

Thus, it is possible to define an inverse function on :

Definition 14

We use a function \( local :\overline{{ GHaps }_{}}\longrightarrow Haps _{}\) converting correct haps from the global format into the local ones for the respective agents in such a way that, for any \(i \in \mathcal {A}\), , and \(a \in Actions _{i}\), (1) \( local \left( \overline{ GActions }_{i}\right) = Actions _{i}\); (2) \( local \left( \overline{ GEvents }_{i}\right) = Events _{i}\); (3)  .

Recall that \( \overline{ GEvents }_{i}\cap \overline{ GEvents }_{j}=\varnothing \) for \(i\ne j\),

and . While for correct haps, \( local \) provides a translation to local format on a hap-by-hap basis, the same cannot be extended to all haps because system events from \( SysEvents _{i}\) and byzantine actions do not correspond to any local hap, to be recorded in i’s history. Thus, the localization function \(\sigma \) is defined on sets of global haps:

Definition 15

We define a localization function :

Thus, as intended, for any \(E \in \overline{ GEvents }_{i}\), the local record left by \({\mathop { fake }\left( i,E\right) }\) for agent i is the same as the record of E, whereas for any \(A'\in \overline{ GActions }_{i}\) and any , the local record of \({\mathop { fake }\left( i,A\mapsto A'\right) }\) for i is the same as that of \(A'\), whichever action A was taken in reality.

Definition 16

We abbreviate and for a tuple of performed events \(X_\epsilon \subseteq GEvents _{}\) and actions \(X_i \subseteq \overline{ GActions }_{i}\) for each \(i \in \mathcal {A}\). Given a global state \( r_{}\left( t\right) = \bigl (r_{\epsilon }\left( t\right) , r_{1}\left( t\right) , \dots , r_{n}\left( t\right) \bigr ) \in \mathscr {G}\), we define agent i’s update function that outputs a new local state from \( {\mathscr {L}^{}_{i}} \) based on i’s actions \(X_i\) and events \(X_{\epsilon }\):

(note that, in transitional runs, is always used after the action ; thus, in the absence of go(i), it is always the case that \(X_i = \varnothing \)). Similarly, the environment’s state update function

outputs a new state of the environment based on events \(X_{\epsilon }\) and all actions \(X_i\): Summarizing,

The following properties directly follow from Definition 7 of the i-intervention :

Lemma 17

Let and r be an arbitrary run. Then

1. 1.

   , i.e., removes all actions.

2. 2.

   , i.e., never lets agent i act.

3. 3.

   .

4. 4.

   \(r_i(t+1) \ne r_i(t)\)   iff   .

The last two properties mean that from i’s local perspective, the intervention is imperceptible (also when agent i was unaware of the passing round in the given run).

Proof

(of Brain-in-a-Vat Lemma 8). Let . Prop. 6 follows from the definitions of and . Prop. 7 follows from (1). Prop. 8 follows from Lemma 17.1 for i and from the definitions of and for \(j\ne i\). Prop. 5 follows from (1) for i and from the definition of for \(j\in Byz\). Prop. 2–4 depend solely on rounds to of \(r'\), whereas the transitionality of \(r'\) for Prop. 1 from round onward directly follows from Definition 6. We now show Prop. 1–4 for \(m\le t\) by induction on m.

Base: \(m=0\). Prop. 3–4 and transitionality for Prop. 1 are trivial. Prop. 2 follows from Definition 6.

Step from m to \(m+1\) . We prove Prop. 1 based on the gullibility of i and delayability (and fallibility) of all other \(j\ne i\). In order to show that , we need to demonstrate that the \(\beta \)-sets prescribed by \( adj \) can be obtained in a regular round. Since the adversary’s choice of actions  for all \(j\in \mathcal {A}\) is immaterial due to the absence of go(j) (by Prop. 7 for i and Prop. 6 for other \(j\ne i\)), we concentrate on ensuring the adversary can choose suitable \(\alpha \)-sets of events. Consider from the original run r. The set is coherent because r is transitional. By the delayability of all \(j \ne i\), Note that for any \(Z \subseteq FEvents _{i}\), because . Thus, by the gullibility of i,

(note that this set is coherent because it contains no correct events and neither go(i) nor \({\mathop { hibernate }\left( i\right) }\)). Finally, by the fallibility of all agents \(j\in Byz\), This is coherent and unaffected by filtering (there are no correct receives in to be filtered out, and only at most f agents from \(\{i\}\sqcup Byz\) become byzantine).

It remains to show that filtering turns these sets , into the exact \(\beta \)-sets prescribed by the adjustment \( adj \). Let us abbreviate:

Our goal is to show that and for each \(j \in \mathcal {A}\). After the filtering phase, for our i and \(j\ne i\), we have the following:

the latter being exactly . Since \(go(j) \notin \varUpsilon \) for any \(j \in \mathcal {A}\), we also have that for all \(j \in \mathcal {A}\). This completes the induction step for Prop. 1.

For Prop. 2, the induction step follows from Lemma 17.3–4. We have:

• if , then by IH. It remains to use Lemma 17.3 to see that the last expression is the same as

• if but \(r_{i}\left( m+1\right) \ne r_{i}\left( m\right) \), then \( r_{i}\left( m+1\right) =\) by IH. By Lemma 17.4, we also have . Thus, this case can be concluded by using Lemma 17.3 as it was done in the previous case.

• if and \(r_{i}\left( m+1\right) = r_{i}\left( m\right) \), then by Lemma 17.3–4 (note that , meaning that ). Using IH, we now immediately get,

This completes the proof of the induction step for Prop. 2.

For Prop. 3–4, the induction step is even simpler. Since, for any \(j \ne i,\) by Prop. 6, it follows that by IH. Similarly, by Prop. 6 for \(j \notin \{i\}\sqcup Byz\). Thus, being correct at m by IH, such agents j remain correct after round .   \(\square \)