Epistemic Model Checking for Knowledge-Based Program Implementation: an Application to Anonymous Broadcast

Epistemic Mo del Chec king for Kno wledge-Based Program Implemen tation: an App lication to Anon ymous Broadcast ⋆ Omar I. Al-Bataineh and Ron v an der Meyden { omara ,meyden } @cse.unsw .e du.au School of Computer Science and Engineering, Universit y of New South W a les Abstract. Knowl ed ge-based programs provide an abstract level of de- scription of proto cols in whic h agent actions are related to their states of k now ledge. The pap er describ es how ep istemic mo del chec king tech- nology may b e applied to d isco ver and verify concrete implementati ons based on this abstract lev el of description. The details of the imple- mentatio ns dep end on the sp ecific context of use of the protocol. The knowl edge-based approac h enables th e implementatio n s to be optimized relativ e to these conditions of use. The approach is illustrated using ex- tensions of the Dining Cryptographers p rotocol, a security proto col for anonymous broadcast. 1 In tr o duction In distributed systems, we generally would like agent’s actions to dep end up on the information that they hav e. How ever, the wa y that info r mation flows in such systems ca n b e q uite complex. It has bee n prop osed to addre ss this co mplexity by the use o f formal logics of knowledge [5 ]. In particular, know le dge b ase d pr o gr ams hav e b een pr op osed as a level of abstraction that directly captures the relationship betw een an age nt ’s knowledge and its actions, by allo wing branching statemen ts to contain form ula s of the mo dal logic of knowledge, express ing what the agent kno ws ab out the globa l sta te of the sys tem. This has several adv antages. By fo cusing on what infor mation is required, r ather than how it is enco ded, knowledge-based progr a ms can be more int uitive a nd more easily verified to b e corr ect. They ca n also provide a common description that is indep endent o f a ssumptions such a s the failure mo des of communication channels in the sy s tem. Finally , knowledge-bas ed pr ogra ms lead ⋆ V ersio n of A pril 20, 2010. This material is based on research sp onsored by the Air F orc e Research Lab oratory , u nder agreement num b er F A2386-09-1-4156. The U.S. Go vernment is authorized to repro du ce and distribute reprints for Go vernmen tal purp oses notwithstanding an y copyright notation thereon. The views and conclusions conta ined h erein are those of the aut hors and should not b e interpreted as necessarily representing th e official p olicies or en dorsements, either ex pressed or implied, of the Air F orce Research Lab oratory or the U.S. Gov ernment. us to implementations that are optimal in their use of informatio n, in the sense that ag ents do not ov er lo ok opp o rtunities to us e r elev ant informa tion that is av ailable in their lo cal states. A cos t of the abstra ction that knowledge-based progra ms provide, is that they are more like sp ecifica tions than c o ncrete progr ams, so cannot b e directly executed. T o obtain an executable pr o gram, is necessa ry to r eplace the tests for knowledge in the knowledge based progr am by equiv ale nt concre te pre dica tes of the a gent’s lo c a l s tate. B ecause o f the co mplexity o f information flow in dis- tributed systems, such concre te predicates can be difficult to find. T o date, this task has ge ne r ally b een carried out by p encil and pap er reas oning. Perhaps for this rea son, there rema in only a handful o f work ed out examples o f the develop- men t of concr ete implemen tations of knowledge-based progr ams (e.g., [1, 3, 4, 8, 9]). The difficulty can b e addr essed through the use of mo del checking technology for the lo gic of knowledge. Model check ers are systems that take a s input a for mal mo del of a sys tem, together with a s pe c ific a tion, and determine whether that sp ecification is satisfied by the mo del [12]. The spec ific a tion lang uage used in mo del c heckers is generally a for m of tempora l log ic, but in re c e nt years work has b eg un on the developmen t of mo del chec kers bas ed on logics of kno wledg e [6, 13, 18]. W e describ e a methodo logy for the use of this latter class of mo del chec kers to the dev elo pment of implementations of knowledge bas ed progr ams. The metho dolog y is partially automa ted. It assis ts users in finding a co ncrete predicates tha t ar e equiv alent to the k nowledge conditions in a k nowledge-bas ed progra m by means of an iterative pro cess , in which automatically computed counterexamples to a user’s gues s for the concrete predic a te a re used by the us e r to construct a n impr oved concrete pr edicate, until one is found that is equiv alent to the knowledge condition. W e illus trate the metho do logy by means of a n example in which we use the epistemic mo del chec ker MCK [6 ], to develop concr ete implementations o f a knowledge-based prog ram for anonymous br oadcas t, based on m ultiple ro unds of Chaum’s Dining Cr yptographer s Pr o to col [2]. The Dining C r yptogra phers Pro to col ena bles a mes s age to b e broadca st anonymously , under the assumption that only one a g ent is attempting to send broadcas t a message. The o b jective of the extension that w e consider is to remov e this assumption, so that any num b er of agents may broa dcast their mess ages anonymously . One of the main difficulties in this is that, since ag ents o p e r ate independently , it is p ossible for s imultaneous bro adcasts to in terfer e with each other, causing a fa ilur e in the tra nsmission. Thus, a key issue is to enable the agents to detect conflicts in the transmiss ion, and to resp ond appropria tely when a conflict is detected. In our a nalysis, we ex press the exp ected b ehaviour using a knowledge bas e d progra m that conditions the a g ent’s actions on whether it knows that there is a conflict. W e then use our model ch ecking supp or ted metho dology to iden tify exactly the concr e te conditions under which an agent knows whether there is a conflict. These conditions turn out to hav e a s urprising le vel of c o mplexity . In particular, w e find that these conditions can differ , dep ending on the as sumptions that we make abo ut the num b e r of agents wishing to broa dcast. Our approach lea ds to the discov ery (assisted by a uto mation) of a num b er of subtleties concerning the proto co l that, to our knowledge, have not b een previously noticed. In pa rticular, we find that it is p oss ible for ag ent s to detect conflicts (or lack o f conflict) in some quite unexp ected s ituations. Mor eov er , we discov er situa tions where, even though the pro to col ter minates, an a gent canno t be sur e that its mess a ge ha s b een successfully tra nsmitted (althoug h it may hav e a high sub jective pro ba bility that this is the case ). Our r esults bo th show that there are previously unnoticed opp or tunities to optimize the proto col, and help to clar ify what should be the sp ecification of the proto co l (the prev ious literature generally descr ib es the proto co l without providing a formal s p ec ific a tion b eyond the statement tha t it is intended fo r anonymous broa dcast.) The structure of the pap er is as follows. W e give a br ief introduction to the logic of knowledge a nd epistemic mo del checking in Section 2. In Section 3 w e discuss knowledge-based pro grams and describ e our metho dolo gy for the devel- opment of their implemen ta tions using epistemic mo del chec k ing. The Dining Cryptogra phers pro blem and its extens io ns are introduced in Section 4 . In Sec- tion 5, we describ e the a pplication of our metho dolog y to this pr oto col. Fina lly , some conclusions a r e dr awn in Sectio n 6. 2 Mo del Check ing Epistemic Logic Epistemic logics are a clas s o f mo dal logics that include op er ators whose mean- ing concer ns the information av ailable to agents in a distributed or multi-agent system. W e descr ib e here briefly a version o f suc h a log ic co mbining o p erator s for knowledge and linear time, a nd its semantics in a class of structures known in the literature as interpr ete d systems [5]. W e then discuss the model chec ker MCK [6], which is based on this sema nt ics. Suppo se that we are in ter ested in systems comprised of n a gents and a set Pr op of atomic pr op ositions. The syn tax of the fragment of the log ic o f knowledge and time rele v ant for this pap er is g iven b y the following g rammar: φ ::= ⊤ | p | ¬ φ | φ ∧ φ | K i φ | X φ where p ∈ Pr op is an atomic prop osition and i ∈ { 1 . . . n } is an agent. (W e freely use standard b o olean op era tors that can b e defined using the tw o given.) Int uitiv ely , the meaning of K i φ is that ag ent i knows that φ is true, and X φ means that φ will b e true at the next moment of time. The semantics we use is the interpr ete d systems mo del for the logic o f knowl- edge [5]. F o r ea ch i = 0 . . . n , le t S i be a s et o f states. F or i = 0, we interpret S i as the set of p ossible states of the e nvironmen t within which the ag ents op erate; for i = 1 . . . n we interpret S i as the set of lo c al states o f agent i . Intuitiv ely , a lo cal state captures all the concrete pieces of infor mation o n the bas is of which an agent determines what it knows. W e define the set of glob al state base d o n such collection of environment a nd lo ca l sta tes , to b e the set S = S 0 × S 1 × . . . × S n . W e write s i for the i -th comp onent (counting from 0) o f a globa l state s . A run ov er S is a function r : N → S . An interpr ete d system for n agents is a tuple I = ( R , π ), where R is a set of runs over S , and π : S → P ( Pr op ) is an int e rpretation function. A p oint of I is a pair ( r , m ) whe r e r ∈ R and m ∈ N . W e say tha t tw o p oints ( r , m ) , ( r ′ , m ′ ) are indistinguishable to agent i , and write ( r, m ) ∼ i ( r ′ , m ′ ), if r ( m ) i = r ′ ( m ′ ) i , i.e., if agent i has the same lo cal state at these tw o po ints. W e define the sema ntics of the logic b y means of a r elation I , ( r, m ) | = φ , where I is a n intepreted sy stem, ( r, m ) is a p o int of I a nd φ is a formula. This relation is defined inductively as follows: – I , ( r , m ) | = p if p ∈ π ( r ( m )), – I , ( r , m ) | = ¬ φ if not I , ( r, m ) | = φ – I , ( r , m ) | = φ 1 ∨ φ 2 if I , ( r, m ) | = φ 1 or I , ( r , m ) | = φ 2 – I , ( r , m ) | = X φ if I , ( r , m + 1) | = φ – I , ( r , m ) | = K i φ if for all points ( r ′ , m ′ ) of I such that r ( m ) ∼ i r ′ ( m ′ ) w e hav e I , ( r ′ , m ′ ) | = φ W e note that the seman tics of the knowledge o p er ator dep ends not just on the run a t which the formula is b eing ev aluated, but a lso the set of all p ossible runs. Changing the set of runs (e.g., by making changes to the pr oto col), can ch ange what an a gent knows. Since knowledge-based prog rams change age nt b ehaviours based on what the agent knows, this makes the semantics o f knowledge-based progra ms somewhat subtle. MCK is a mo del chec ker ba sed on this semantics for the logic of knowledge. F or a g iven interpreted system I , and a sp ecificatio n φ in the logic of knowledge and time, MCK co mputes whether I , ( r, 0) | = φ holds fo r all runs r of I . Since interpreted systems a re infinite structures, MCK allows an in ter preted system to b e given a finite descr iptio n in the form of a program from which the int e rpreted system can be generated. This descr iption is given using: 1. A list of global v ar ia bles making up sta tes of the environmen t, and their t yp e s . 2. A listing of the ag ents in the system, tog ether with the globa l v ariables that they are able to access . F or each a gent, w e may also introduce lo ca l v ariables. If v is a lo cal v ar iable of a gent A , then we may r efer to this v aria ble in sp ecifica tion formulas as A.v . Lo cal v aria bles may b e aliased to globa l v ariables. A subset of the lo cal v ariables is sp ecified as b eing observable to the ag e nt. This mea ns that it will be taken into account in the definition of the indis- tinguishability relation for the agent. 3. A statement init cond φ , where φ is a b o o lean formula. All as signments satisfying this for m ula represent an initial sta te of the system. 4. A progr am that describ es the pr oto col executed by ea ch age nt . The pro to col describ es how the agent choo s es its actions dep ending on its history . Executing the a gent proto cols starting at an initia l state generates a set of r uns, that we take to b e the set o f runs of the in terpreted sy s tem genera ted b y input script. (The a gents op erate in lo ck-step, each a g ent executing a single action in each step. W rite-conflicts a re syntactically preven ted.) If V is the set o f all lo ca l and g lobal v ariables in the system, then the comp onent s 0 = r ( n ) 0 of the global state at each p oint ( r, n ) o f a run r is a well-t yp ed ass ignment of v alues to the v ariables V . The lo cal state s i of agent i in these runs are defined using the v ariables declare d to b e loc a l. MCK a llows this to be do ne in a nu m be r of wa ys , each giving a different semantics for the knowledge op er ators. The co nstruction of lo ca l sta tes r elev ant to the presen t pap er is the p erfe ct r e c al l interpr etation . W riting s 0 ↾ V i for the restriction of the a ssignment s 0 to the v ariables V i that are obser v able to agent i = 1 . . . n , the lo c a l states are defined to b e the sequence r ( n ) i = ( r (0) 0 ↾ V i ) ( r (1) 0 ↾ V i ) . . . ( r ( n ) 0 ↾ V i ) , i.e., the lo cal state is the history of a ll v alues of the v ariables observ able to the agent. This p er fect recall intepretation of knowledge is particula rly relev ant for anal- yses in which security or the optimal use of informatio n are of concern. In b oth cases, we are interested in deter mining the maximal infor mation that a n a gent is able to extract from what it obse r ves. Both iss ues are sig nificant in the example that w e s tudy in this pa p er . MCK is the only mo del chec ker curr ently av ailable that s uppo rts symbolic mo de l checking for the p erfect recall interpretation of knowledge. 3 Implemen tation of Knowled ge-based P rograms Knowledge-based pro grams [5] ar e lik e standard pr ogra ms, except that ex pres- sions may r efer to agent’s knowledge. Tha t is, in a knowledge-based progr am for agent i , we may find statements of the forms if φ then P 1 else P 2 and v := φ , where φ is a formula o f the logic o f knowledge that is a b o olea n com- bination of atomic formulas concerning the agent’s lo cal v aria bles and formulas of the form K i ψ , and P 1 , P 2 are knowledge-based pr o grams for agent i . Unlik e standard programs, knowledge-based prog rams cannot in general b e directly executed, since, a s no ted ab ov e, the sa tisfaction of the knowledge sub- formulas dep ends on the set of a ll r uns of the progr am, which dep ends on the actions ta ken, which in turn dep ends on the s atisfaction of these knowledge subformulas. This appare nt circularity is handled by treating kno wledge-based progr ams as specificatio ns , and defining when a c o ncrete standard pr ogram satisfies this sp ecification. Supp o se that we have a standard pr ogra m P of the same syntactic structure as the knowledge-based progr am P , in w hich each knowledge-based expression φ is repla ced by a concrete predicate p φ of the lo cal v aria bles of the agent. In or de r to handle the p erfect rec a ll semant ics, w e also allow P to add lo cal history variables a nd co de fra gments of the form v := e , where e is an expression, that up date these history v ar iables, s o as to ma ke informa tion ab out past states av ailable at the current time. The predicate p φ may dep end on the history v ariable s . The co ncrete pro gram P genera tes a set of runs that we can take to be the basis of an interpreted system I ( P ). W e now say tha t P is an implementation of the knowledge-based progr am P if for each formula φ in a conditiona l, we hav e that in the int erpreted system I ( P ). the for mula p φ ⇔ φ is v alid (at times when the co ndition is used). That is , the c o ncrete conditio n is equiv alent to the knowledge conditio n in the implementation. In gener a l, knowledge-based pro- grams may hav e no implementations, a b ehaviourally unique implementation, or many implement ations. Some co nditions ar e known under which a b ehaviourally unique implementation is guara nt eed to exist. One of these co nditions is that agents ha ve p erfect recall and all knowledge formulas in the progr a m refer to the pres ent time (rather than to the past or future). This case will apply to the knowledge-based progr ams we consider in this pa p er, so we a re guara nteed behavioura lly unique implementations. W e now des crib e a pa rtially a utomated pro cess , using epistemic mo del chec k- ing, that can b e follow ed to find implementations of knowledge-based progr ams P (provide these terminate in a finitely b ounded time: this applies to our ex- amples) The user b egins by in tro ducing a lo cal b o olea n v ar iable v φ for each knowledge formula φ = K i ψ in the knowledge-based progra m, and replacing φ by v φ . T r eating v φ as a histor y v a r iable, the user may also add to the prog r am statements of the form v φ := e , relying on their int uitions concer ning situations under which the epistemic formula φ will b e true . This pro duces a standard progra m P that is a candidate to b e an implemen tatio n of the knowledge-based progra m P . (It has, at least, the c o rrect syntactic structur e.) T o verify the correctness of P as a n implementation of P , the user must now chec k that the v ariables v φ are being main tained so as to b e equiv alent to the knowledge fo rmulas that they ar e intended to express. This can b e done using epistemic mo del checking, where we verify formulas of the for m X n ( pc i = l ⇒ ( v φ ⇔ K i ψ )) where n is a time at which the test containing φ may b e e xecuted, pc i is the progra m counter of agent i a nd l is a lab el for the lo catio n of the expression containing φ . (This conditioning o n the prog ram co un ter can b e disp ensed with when the expr ession is known to alwa y s o ccur a t particula r times n , as it al- wa ys is in our examples . Mor e g enerally , we would write a for mula tha t c hecks equiv alence at al l times for nonterminating pro grams, but the r esulting model chec king problem is undecidable with resp ect to the p erfect reca ll sema ntics.) In ge neral, the user’s guess concer ning the concrete condition that is equiv- alent to the knowledge formula may b e inco rrect, and the mo del chec ker will rep ort the error . In this ca se, the mo del check er ca n b e used to gener ate an err or tr ac e , a partial run leading to a situation that falsifies the formula b eing chec ked. The next step of our pr o cess requir es the user to analyse this er r or tra c e (b y insp ection and h uman r easoning ) in order to unders tand the so urce o f the er- ror in their guess fo r the concr ete condition repr e senting the k nowledge for mula. As a result of this ana lysis, a corr ection of the a ssignment(s) to the v ariable v φ is made by the user (this step may require some ingenuit y on the part of the user .) The mo del chec ker is then inv oked again to check the new guess. This pr o cess is iterated unt il a guess is pr o duced for which a ll the formulas of interest are found to b e tr ue, at whic h p oint an implementation of the k nowledge-based prog ram has b een found. In ma ny ca ses, this pro cess can pro ceed monotonica lly . Starting fro m an initial ass ignment v φ := e , where e is a condition tha t the user ca n easily see to be su fficient for K i ψ , the error trace leads to the identification o f a situatio n where i may know ψ , which is not cov ered by the condition e . (That is, where K i ψ ⇒ e do es no t hold.) An analys is of this co ndition may lead to the discovery of a nother sufficient condition e ′ . In this ca se, the user can take as the next guess the as signment v φ := e ∨ e ′ . Co nt in uing in this wa y , we obtaining an increasing sequence of concrete lower a pproximations to the knowledge for mula, even tually conv erg ing to the cor rect implementation. (W e no te that such a condition e ′ can alwa ys b e found, since we may always take it to b e a complete descr iptio n o f the run pro ducing the c ounter-example. Finding a go o d genera lization that remains a sufficient co nditio n for the knowledge formula may b e more difficult.) In general, monotonicity is not guara nteed, but it obtains in our example in this pap er. W e leave the question of character izing the situatio ns wher e mono- tonicity a pplies to future work, and turn to a demonstration of the pro cess on a particular example, intro duced in the next s ection. 4 Chaum’s dining cryptographers prot o col Chaum’s dining cryptographers pro to col [2, p. 6 5] is an example of a pro to col for secure mu ltiparty computation: it enables the v alue of a function of a g roup of ag ents to b e computed while r e vealing nothing more than that v alue. Chaum int r o duces the pro to col with the following s tory: Three cryptogra phers are s itting down to dinner at their fav o ur ite restau- rant. Their waiter infor ms them that arrang ements hav e b een made with the maitre d’hotel for the bill to be paid ano nymously . One of the cryp- tographer s might b e pa ying for the dinner, o r it might have b een NSA (U.S National Security Agenc y ). The three cryptogr aphers resp ect each other’s right to make an anonymous paymen t, but they w onder if NSA is paying. They r esolve their uncer taint y fairly b y carrying out the fol- lowing pro to col: Each cr yptographer flips an unbiased coin b ehind his menu, be t ween him and the cryptog rapher on his r ight, so that only the tw o of them ca n see the outcome. Ea ch cr yptogra pher then states alo ud whether the tw o coins he can see – the o ne he flipped and the o ne his left-hand neighbor flipped– fell on the same side or on different sides. If one of the differences uttered at the ta ble indicates that a cryptog rapher is paying; an even nu m ber indicates that NSA is paying (as suming that the dinner was paid for only once). Y et if a cr yptogra pher is paying, neither of the other t wo learns anything from the utterances ab out which cryptogra pher it is. This v er sion of the dining cryptog raphers pro to col has fr equently b een the fo cus of s tudies of verification o f security pro to cols, but it is just one of many v ariants discussed in C ha um’s pap er. One of Chaum’s co ns iderations is the use of the pro to col for more genera l anonymous br oadcas t applica tio ns, and he writes: The cryptog r aphers b ecome in tr ig ued with the abilit y to make messa ges public unt raceably . They dev ise a way to do this at the table for a state- men t of arbitrar y lenght: the basic pr oto col is rep eated ov er and ov er; when one c ryptogra pher wishes to make a messag e public, he merely beg ins in verting his sta tements in those rounds corre s p o nding to 1’s in a binary co ded version of his mes s age. If he notices that his mess age would collide with some o ther message , he may for example wait for a num- ber of ro unds chosen a t ra ndom from some s uitable distribution b efor e trying to tra nsmit again. He notes that “undetected collision results o nly from an o dd num b er of syn- chronized identical messag e seg ments”. As a particular re a lization of this idea, he discusses grouping co mm unication into blo cks a nd the use of the following 2-phase br o adc ast pro to col using slot-r eservation : In a net work with ma ny messag es per blo ck, a first blo ck may b e used by v arious anonymous sender s to request a “slot re s erv ation” in a second blo ck. A simple scheme would b e for each anonymous sender to inv ert one ra ndomly selected bit in the fir st blo ck for ea ch slot they wis h to reserve in the seco nd blo ck. After the result of the first blo ck bec o mes known, the participant who caused the ith bit in the fir st blo ck sends in the ith slot o f the second blo ck. This idea has bee n implement ed as part of the Herbivore system[7]. (Herbivore also a dds mechanisms for dividing the g roup o f par ticipants into cliq ue s of suf- ficient size to provide r easona ble anonymit y gua rantees, as well as pro to cols for joining a leaving the gr oup of particpants - we will not disc us s these extensio n here.) The Herbivore a uthors note that If a n even num b er of nodes a ttempt to reser ve a given slo t, the collisio n will be evident in the r eserv ation pha se, a nd they will simply w ait un- til the next r ound to transmit. If an o dd num b er o f no des co llide, the collission will o ccur during the tra ns mission phase. The r e marks ab ove do not constitute a concr e te definition of the proto co l, and leav e a num b er of questions co ncerning the implementation op en. F or ex a mple, what exact test is applied to deter mine whether there is a collision? Whic h a g ents are able to detect a co llision? Are there situations where so me agent exp ects to receive a messag e, but a collision o ccurs that it do es not detect (althoug h some other agent may do so?) Note that each ro und of the DC proto co l has b een prov ed corr e ct, but what ab out the wa y in which the r o unds are combined? It is not immediately cle a r that there are not subtle flows of infor mation! Prior knowledge o f the par ticipants may also affect the flo w of information. F or exa mple, supp ose that the proto col is being used for the participants in a referendum to a nonymously announce their votes. In this case it is known that all particpa nts will attempt to reseve a slot - does this information c hang e the flow of information in any wa y? If so, do es it affect the secur ity of the proto c o l? One of the b enefits of verification by epistemic mo del chec king is that it pe r mits such q ue s tions ab out v ariants of a proto col, and its application in a par ticular setting to b e investigated efficiently without requir ing re c o nstruction of p ossibly complex pro ofs. 5 The 2-phase Broadcast Proto col as a Kno wledge-based Program It is interesting to note that the descr iptions of the 2-phase proto c o l ab ov e are, in their level of abstr a ction, more like knowledge-based progr ams tha n like concrete implemen tations. In this section, we explicitly study the pr o to col fro m this p ersp ective, and a pply our pa rtially automated metho dolog y to derive the concrete implementations. W e consider a setting with 3 agents who use 3 slots for their bro adcast. Each slot p ermits the tr ansmission of a single -bit message. 5.1 The Kno wledge - Based Program Figure 1 represents the 2-phase pro to col as a knowledge-based pr ogra m. The parameters of the proto col in the first line alias certain lo cal v ariable s to globa l v ariables in the en v ironment. V ar iable i is a num b er in the ra nge 1..3 used to index the present instance of the pr oto col, and v ariables ke yleft a nd ke yrigh t represent keybits (r eferred to a s “coins ”, a b ov e), which a re shar ed b etw ee n b y agents in the a ppropria te pattern. Note that since a fresh set of keybits needs to be used for ea ch instance of the bas ic Dining Cr y ptographer s proto col (which we run 6 times here), w e assume tha t an e x ternal pro cess gener ates fresh v alues for these keybit v ar iables at each step; we omit the details. The final v ariable sai d in the par ameters repr esent the ar ray o f public anno uncement s b y the agents at each step. All arrays are a ssumed to be indexed starting from 1. The lo cal v ariable slot-r eques t records the slot num b e r (in the r a nge 1..3 ) that this ag e nt will attempt to r eserve. If s lot-r eques t =0, then the a gent w ill no t attempt to reserve any slo t. The v ariable messag e records the single bit mes sage tha t the agent wishes to ano nymously br oadcast (if any). V a r iables for which an initial v alue is not explic itly sp ecified can take any initia l v alue. W e write ‘ ⊕ ’ for the exclusive or op er a tion. protocol dc agent(i:[1,3 ], keyleft , keyri ght , said [3]:Bool) { local v ariables: slot-request :[ 0,3], message :B ool, rcvd 0[3] , rcvd 1[3], dlvrd : Bool (initially false); //reserv ation ph ase for ( s = 1; s ≤ 3; s ++) { said [i] := ( keyleft ⊕ keyright ⊕ ( slot-request = s )); } //transmissio n phase for ( s = 1; s ≤ 3; s ++) { if ( slot - request = s ∧ ¬ K i ( conflict ( s )) then said [i] := ( keyleft ⊕ keyright ⊕ message ) else said [i] := ( keyleft ⊕ keyright ⊕ false); rcvd 0[s] := K i ( sender ( i, 0 , s )) ; rcvd 1[s] := K i ( sender ( i, 1 , s )) } ; dlvrd := V x ∈ B ool,t = 1 .. 3 (( message = x ∧ slot - request = t ) ⇒ K i ( V j 6 = i K j sender ( j, x, t ))) } Figure 1: The kno wledg e-based program C D C The term con flict ( s ) in the knowledge-bas ed progra m represents tha t ther e is a conflict on slot s . This is a g lobal condition that is defined as confli ct ( s ) = _ i 6 = j ( i .slot -requ est = s = j .slot-r eques t ) . i.e., there exist tw o distinct agents i and j bo th requesting slot s . The ter m s ender ( i, x, s ) repr esents that a n a gent other than i is sending message x in slot s ; this is defined as sender ( i, x, s ) = _ j 6 = i ( j. messag e = x ∧ j. slo t - reque st = s ) . Thu s the v ariable rcvd0[ s] is assigned to b e true if in round s , the agent lear ns that so meo ne e lse is trying to send the bit 0 , and similar ly for rcv d1[s] . This addresses an iss ue that is not explicitly mentioned in the dis c ussion of the tw o- phase proto col above, viz., how do es an agent know whether it ha s received a transmission from another ? Note that this is p ertinent b eca use the knowledge- based pro gram allows that, although an agent has declar ed that it wishes to reserve a slot, it may still back off from the transmission if it discovers that there is a conflict. But will the receiver a lwa ys know that it has done so? W e note that this represe ntation of the 2-phase pr oto col as a knowledge- based progr am is sp e culative : an agent transmits in a slot so long as it do es not know that there is a conflict. This a llows that a collision w ill occur during the transmission phase. One of the benefits of the knowledge-based appro ach is that it makes explicit the difference b etw een this and another in ter pretation of the proto col, where in place o f the condition ¬ K i ( confli ct ( s )) we use the co ndition K i ( ¬ conflic t ( s )). In this c onservative version, an a gent would broa dcast only if it is certain that there is not a conflict on its desir e d slot. B oth versions may b e appropria te dep ending on the circumstances, but w e focus our discussion here on the sp eculative version. Since a n agent may attempt to r eserve a slot, a nd then back off, or ma y send in a reserved slot without s uc c e ss, the pr oto col do es not guar antee that the message will b e delivered. In this cas e , the agent is re q uired to retry the transmission in the next run of the pr o to col. So that it c an de ter mine whether a retry is necess ary , the final assignment to the v ariable d lvrd captures whether the agent knows that its (a no nymous) transmiss ion has be en successful. This is the case if a ll other age nts kno w that some agent se nt the bit i. mess age in slot j. s lot - reques t . (Subtleties ab out the sema ntics of the lo gic of knowledge preven t simplifica tion of this for mula by substitution of these e xpressions for x and t .) In order to se t up the appr opriate configuratio n of the 3 a g ents and to a lias their pa rameters to v ariables in the environment , we use the following declaratio n blo ck: agent C2 : dc_agent(1,k 31,k12,sa id) agent C3 : dc_agent(2,k 12,k23,sa id) agent C3 : dc_agent(3,k 23,k31,sa id) where the k ij are b o olean v ariables that r epresent the k eybit shar ed b etw een agent i and ag ent j . In Figure 2, we give the generic structure of a p os sible implementation of the knowledge-based pr ogra m, as we s e ek using our par tially-automa ted pro cess. The lines marked with (+) indicate places of difference with CDC. Here we hav e introduced so me histo r y v aria bles rr[ s] that r ecord the r ound r esults said[0 ] ⊕ said[1 ] ⊕ sai d[2] obtained fro m ea ch round s o f the basic Dining Cryptogr aphers proto col. Note that, b eca use of the pa tter n of shar ing of the keybits b etw een the ag ents, this express ion contains each keybit v alue twice, so that the keybits cancel out, leaving just the ex clusive-or o f the a ctual conten t being transmitted by ea ch of the age nts (in each assignment to said [i] , this is the final term in the exclusive-or). In par ticula r, under the assumption that just one agent has a genuine message x to tr a nsmit in round j , and the other s transmit f al se , we o bta in that rr[j] = x . The v ar ia ble kc[s ] is used to represent the epistemic co ndition co ncerning conflict in the knowledge-based progra m ( ¬ K i ( confli ct ( s )) or K i ( ¬ conflic t ( s )), depe nding on whether w e are dealing with the spe c ulative o r the conserv ative version). Thus, in verifying that we have an implement ation, the key condition to be ch eck ed is whether k c[s] ⇔ ¬ K i ( confli ct ( s )) (resp ectively , k c[s] ⇔ K i ( ¬ conflic t ( s ))) is v alid a t the times the if s tatement is exec uted. The main difficult y in finding a n implementation is to find the appr opriate concrete as- signment for this v ar iable that will make this condition v alid. Similarly we seek assignments to the v ariables rc vd0[s ], recv d1[s] that give these the intended meaning. protocol dc agent(i:[0,2 ], keyleft , keyri ght , said [3]:Bool) { local v ariables: slot-request :[ 0,3], message :B ool, rcvd 0[3] , rcvd 1[3]: Bool (initially false), rr [6]:Bool, (+) kc [3]:Bool (initially false); (+) //reserv ation ph ase for ( s = 1; s ≤ 3; s ++) { said [i] := ( keyleft ⊕ keyright ⊕ ( slot-request == s )); rr [s] := said [0] ⊕ said [1] ⊕ said [2]; (+) } //transmissio n phase for ( s = 1; s ≤ 3; s ++) { kc [s] :=???; (+) if ( slot-request == s ∧ kc [s]) then said [i] := ( keyleft ⊕ keyright ⊕ message ) else said [i] := ( keyleft ⊕ keyright ⊕ false); rr[s+3] := said [0] ⊕ said [1] ⊕ said [2]; (+) rcvd 0[s] := ???; (+) rcvd 1[s] := ???; (+) } dlvrd := ??? (+) } Figure 2: A generic implementation of C D C 5.2 V erification Conditions In order to apply our metho do logy , it is necessar y for the user to s ubstitute a guess for parts of the implementation marked ‘???’, and then to us e mode l chec king to chec k the cor rectness of the guess . W e now discuss the for mulas that a r e used to verify the implementation. In g eneral, the conditions nee d to b e verified only at sp e cific times n , str a ightforw a rdly determined from the s tr ucture of the pro gram. W e generally omit discussio n of this. The fir s t for m ula of int erest concerns the corr ectness of the g uess for the knowledge condition ¬ K i ( confli ct ( s )) (in case of the sp ecula tive implementa- tion, o r K i ( ¬ conflic t ( s )) (in the case of the co nserv ative implementation). In the implementation, this condition is repr esented b y the v ariable kc [s] . Sp e cific ation 1: kc[s ] c orr e ctly r epr esents know le dge of the existenc e of a c onflict in slot s = 1 .. 3 . In case of the sp eculative in ter pretation, we use the formula X n ( i. kc[s] ⇔ ¬ K i ( confli ct ( s ))) (1 s ) and in case of the conserv ative implementation, we use the formula X n ( i. kc[s] ⇔ K i ( ¬ conflic t ( s ))) (1 c ) (In b oth cases, the appropriate v alues of n a re 7, 12 a nd 17, w he r e we treat the for lo ops as macro s a nd the if co nditions as taking zero time.) As remarked ab ov e, it has been claimed that the 2-phas e proto col is guar- anteed to detect a conflict either in the slot-r eserv ation phase or else in the transmission phase. T o v e rify this, we can use the fo llowing sp ecifica tion: Sp e cific ation 2: A c onflict is always dete cte d. X n ( confli ct ( s ) ⇒ K i ( confli ct ( s ))) where we may ta ke time n to cor resp ond to the final time in the pr oto col. W e remark that the conv ers e implication is trivial from the s emantics of knowledge. As will discuss b elow, Sp ecifica tion 2 is arg ua bly to o strong, since agents may not be able to le arn ab out conflicts on slots they do not reserve. Thus, the following weaker sp ecific a tion is also of interest. Sp e cific ation 3: If ther e is a slot c onflict involving agent i , then agent i dete cts it. X n (( conflic t ( s ) ∧ i. slot - reque st = s ) ⇒ K i ( confli ct ( s ))) where again we ta ke n to co rresp ond to the end of the pr o to col. Next, the proto co l has so me p o sitive goals, viz., to a llow ag ent s to broadcas t some information, and to do so anonymously . Succes sful reception of a bit by the time n immediately after the transmission in slot s is intended to b e repr esented by the v aria bles rcv d0[s] and rcvd1[ s] . T o ensure that the assig nmen ts to these v ariables cor rectly implement their in tended meaning in the k nowledge- based progr am, we use spe c ific a tions of the following form. Sp e cific ation 4: r e c eption variables c orr e ctly r epr esent t r ansmissions by others X n ( i. rcvd 0[ s ] ⇔ K i ( sender ( i, 0 , s ))) (4 a ) and X n ( rcvd 1[ s ] ⇔ K i ( sender ( i, 1 , s ))) (4 b ) Similarly , we need to verify corr ect implementation of the agent’s knowledge ab out whether its tr ansmission is succes s ful. Sp e cific ation 5: delivery variables c orr e ctly r epr esent know le dge ab out delivery X n ( i. dlvrd ⇔ V x ∈ B ool, t =1 .. 3 ( i. messa ge = x ∧ i. slo t - request = t ⇒ K i ( V j 6 = i K j sender ( j, x, t )))) Finally , the aim o f the proto c ol is to ensure that when infor mation is trans - mitted, this is done anonymously . An ag ent may know that o ne o f the other tw o agents has a particular mes s age v alue , but it ma y not k now what tha t v alue is for a spec ific agent. W e may write the fact that agent i knows the v alue of a bo olean v ariable x by the notation ˆ K i ( x ), defined by ˆ K i ( x ) = K i ( x ) ∨ K i ( ¬ x ) . Using this, we migh t first a ttempt to s pe c ify anonymit y a s V j 6 = i ( ¬ ˆ K i ( j. messag e ), i.e., a gent i knows no o ther’s messag e . Unfor tunately , the proto co l ca nnot b e ex- pec ted to sa tisfy this: supp os e that a ll a gents manage to broa dcast their message and all mes s ages hav e the same v a lue x : then each knows that the other’s v alue is x . W e ther e fore write the following weaker sp ecification of anonymit y: Sp e cific ation 6: The pr oto c ol pr eserves anonymity X n ( _ x =0 , 1 K i ( ^ j 6 = i ( j. messag e = x )) ∨ ^ j 6 = i ( ¬ ˆ K i ( j. messag e ))) to b e ev alua ted with n se t to the final time of the pro to col. 5.3 Finding an im plemention of the knowledge-based prog ram W e no w illustr a te how we find an implementation of the k nowledge-bas ed pro- gram using o ur metho dolo gy . W e fo cus here on the sp eculative version, and consider a scenario wher e the nu m be r of a gents that are seeking to br o adcast − is initially unknown, a nd could b e any v alue from the set { 0 .. 3 } . Our first task in implementing the knowledge-based progr a m is to find an appropria te assignment for the v ariables kc [ s ], and to verify that this ass ignment correctly repr esents knowledge ab out slot conflicts and v alidates S p e cific ation 1 . It is plain from the discussion ab ov e that if an agent attempts to reser ve slo t s , but sees that the round r esult for that reserv atio n attempt is not tr ue , then this m ust b e b eca us e some o ther agent also a ttempted to r e s erve the slot. T hus, in this case the age nt detects a co nflict. A reaso nable guess for the ass ignment to kc [ s ] to repres e nt ¬ K i ( confli ct ( s )) is therefor e kc [ s ] := ¬ ( slo t - reque st = s ∧ ¬ rr [ s ] = f al se ) . Indeed, this prov es to b e the correc t c ho ice: if we now mo del chec k S p e cific ation 1s then we find that this sp ecification is true. 1 The next question of interest is then whether S p e cific ation 2 holds , as claimed. The answer obtained b y mo del chec king is tha t it do es not, a nd the counter-example discovered is the following: Example 1: (None o f the agents discov er conflict) Suppo se that all agents (C1, C2, C3) would like to reserve slot 2 and each has messag e 1. The round results r r [ s ] a re shown in on the left in Figure 3, wher e we show for each agent the co nt ribution other than keybits (whic h ca ncel out). 1 Strictly , in order to mo del chec k this claim, w e first need t o fill in the other ‘???’ assignmen ts. W e remark that b ecause of indep endencies, the outcome of mod el chec k- ing Sp e cific ation 1s is the same whatever we choose for t h e other ‘???’ assignments. W e omit a detailed argumen t for this here. s 1 2 3 4 5 6 Agent C1 0 1 0 0 1 0 Agent C2 0 1 0 0 1 0 Agent C3 0 1 0 0 1 0 rr [ s ] 0 1 0 0 1 0 s 1 2 3 4 5 6 Agent C1 0 1 0 0 1 0 Agent C2 0 0 0 0 0 0 Agent C3 0 0 0 0 0 0 rr [ s ] 0 1 0 0 1 0 slot - request = [2 , 2 , 2], slot - request = [2 , 0 , 0] message = [1 , 1 , 1] message = [1 , 1 , 1] Figure 3: Runs indistinguishable to C1 Now from agent C 1’s p ersp ective, this run of the proto c ol is indistinguisha ble from ano ther run where only C 1 a ttempts to reser ve slo t 2, a nd it still has message 1, shown on the r ig ht in Figur e 3. Hence we hav e a situation wher e although there is a conflict agen t C 1 cannot know that there is a conflict, and Sp e cific ation 2 fa ils. 2 Indeed, we see that the more lib eral Sp e cific ation 3 also fails in this exa mple. In the discussion ab ov e, we hav e fo c us sed on the agent’s knowledge that there is a conflict. F r om the p oint of v ie w of determining the a ppropriate a s- signments to the v aria bles r cvd 0 and rcvd 1, it w ould b e helpful to deter mine under w ha t cir cumstances a n a gent knows that ther e will b e a transmission on a slot but there is not a conflict o n that slot. Th us, it would b e helpful to have a predic a te i. c onflic t - fr ee ( s ) that is equiv alent to K i ( W j j. slot - req uest = s ∧ ¬ co nflict ( s )). W e now inv estiga te this ques tion, a nd use it to illus trate the iterative pr o cedure to obtain lo cal predicates that a re equiv alent to knowledge formulas. Plainly , a ro und-result of 1 during the res e rv ation phase implies that someo ne wishes to send in that slot. How ever, Example 1 also s hows that K i ¬ confli ct ( s ) cannot hold in ca se ag e nt i o bta ins round result 1 in a slot it intends to tra nsmit in, and 0 in all o ther slots, since it is p os s ible that all agents ar e attempting to transmit in the sa me slo t. Hence a re asonable guess is confli ct - f ree 1( s ) = rr [ s ] = 1 ∧ ¬ ( ∧ t ∈{ 1 , 2 , 3 }\{ s } rr [ t ] = 0 ) . When we mo del check X n ( i. confl ict - free 1( s ) ⇔ K i ( _ j j. slot - reques t = s ∧ ¬ confl ict ( s )) at time n after the tra ns mission phase, we find that this for mula is false. A counter-example pro duced by the mo del check er shows that this ha pp e ns when 2 In fairness to the auth ors of [7], th ey state that messages are sent with an MD5 chec ksum, so most conflicts of messages somewhat longer than a single bit would in fact b e detected with high probability through corruption of this chec ksum . How ever, even with this device, colli sions of 3 identical messages w ould still go undetected , as noted by Chaum. O ur example shows that the appropriate formalization of t his claim should be probabilistic, something that we do n ot take up here. C 1 and C 3 r equest slo t 3, and C 2 requests slot 1. Note that in this c ase the reserv ation r o und r esults ar e (1 , 0 , 0). Here C 1 and C 3 detect a conflict in slot 3. Since there a r e o nly thre e agents, they a re able to rea son that the conflict must hav e b een 2-way (else we hav e the scena rio of E xample 1). This means tha t they are able to deduce that there is not a conflict in slot 1. This example motiv ates a seco nd guess for the predicate c onflic t - fr ee ( s ), viz., (when all v ar iables are lo cal to agent i ) confli ct - f ree 2( s ) = co nflict - f ree 1( s ) ∨ ( rr [ s ] = 1 ∧ slot - reques t ∈ { 1 , 2 , 3 } \ { s } ∧ rr [ i. slot - request ] = 0) . Mo del chec k ing this pre dic a te for equiv alence to K i ( W j j. slot - reques t = s ∧ ¬ confli ct ( s )) , we still find that the eq uiv alence do es not hold. The counter- example pro duced this time is the situation where ag ents C 1 and C 2 do not request a slot, but agent C 3 requests slot s so that the r o und result o f slot s is 1. Note tha t here, agents C 1 and C 2 know that any slo t collision must b e 2-wa y , sinc e they cannot b e a participant. Since the r eserv ation req uest o n slot s gav e r ound result 1 , there must b e exactly one a gent requesting slot s . With some refle c tion, we note that agent C 1 would hav e b een able to draw the sa me conclusion ab out slots 2 and 3 in ca s e the round result pattern were (0 , 1 , 1 ). Thu s, we ar e led to the following improv ed guess: confli ct - f ree 3( s ) = co nflict - f ree 2( s ) ∨ ( rr [ s ] = 1 ∧ slot - reque st 6 = s ) A t this p oint, model chec king shows that we have found the predicate we seek. Returning now to the ques tion of when ag ents lea r n the bit tha t another agent is trans mitting, we guess the a ssignment rcvd 1[ s ] := rr [ s ] = 1 ∧ confli ct - f ree 3( s ) ∧ slot - request 6 = s . That is, the agent sees tha t there will be a conflict free transmiss ion on s lo t s , but it is not itself using that slo t. W e now mo del check Sp ecification 4b. Some- what s urprisingly , this sp ecifica tion turns o ut to b e false! The counter example returned is one in which the a gent is C 1, all agents rese r ve slot 1 , and the age nts hav e messag es (1 , 1 , 0). Note that here, the r ound res ult obtained for the tra ns- mission is 0 , so agent C 1 detects the co llision, which it knows must hav e b een 3-wa y . It ca n also reaso n that the o ther agents cannot b oth have had messa ges 0, since this would have pro duced ro und result 0, th us , at le a st one must hav e had message 1! This obse r v ation leads to the rev ised guess rcvd 1[ s ] := ( r r [ s ] = 1 ∧ con flict - free 3( s ) ∧ slo t - request 6 = s ) ∨ ( slot - requ est = 1 ∧ rr [ s + 3] 6 = m essag e ∧ V t ∈{ 1 , 2 , 3 }\{ s } rr [ t ] = 0) . W e now find that Sp ecification 4b holds, so we have c o rrectly implemen ted this part o f the knowledge-based progr am. A similar assignment works for the as- signment to r cvd 0 a nd Sp e cific ation 4a . This pro cess can als o be carried out also for the final sp ecification S p e cifi- c ation 5 , whic h concerns the circumsta nce s under which a sender knows that their message has b een rec e ived by the others. One obvious situa tion when this is the ca se is when the sender i kno w s that the slot on which they are sending is co nflict-free. Recall that this o ccurs only when t wo or more of the reserv ation round res ults equal 1, and note that this implies that all other a gents also know that the slot on whic h i is sending is conflict-free. Thus the others will receive that messa ge that i is sending (a nonymously) on this slot. This sugge sts the assignment dlvrd := s lot - reques t = 0 ∨ _ s ∈{ 1 , 2 , 3 } slot - reques t = s ∧ conf lict - free 3( s ) . When we mo del c he ck this with re sp ect to Sp e cific ation 5 , we find that that the sp ecification holds, a nd w e hav e a complete implement ation of the knowledge- based progr a m. Finally , we may als o mo del check Sp e cific ation 6 and verify that the pro to col preser ves anonymit y in the appropria te sense. This proves to b e the case. 6 Conclusion W e hav e demonstrated the application of our par tially automated metho dol- ogy for knowledge-based program implementation on a pro to col for anonymous broadcas t. While, like related studies [10, 11, 17, 1 6 , 14 , 15], we verify that an anonymit y pr op erty holds, the fo c us of our effor t lies in other a sp ects of the proto col. One of the main outcomes of the ana lysis is that the flows of infor mation in the proto co l a r e considerably more subtle than o ne might hav e exp ected. In particular, we find that there are circumstanc e s, that go b eyond those that hav e bee n ident ified in the liter ature, where agents are able to obtain kno w le dg e o f each other’s bits. Significantly , we make this disco very not manually , but using automated supp or t. W e also address in our work a n um b er o f questions that hav e not b een considered in the prior liter ature, viz., under what c ir cumstances can a r e c eiver be co nfident that they ar e rec eiving a tr ansmission, and under what circumstanc e s a sender can know that its tr ansmission has b een success ful, and find complete ans wers to these questio ns in a particular scenar io. On the o ther hand, being based on mo del chec king of a concr ete mo del under very particular a ssumptions, our appr oach la cks gener ality: it do es not yield an immediate answer to how our conclusions a re affected by changing the n um- ber o f a g ents, their top o lo gy , o r the initial ass umptions co ncerning the num b er of agents wishing to tra nsmit. Ho wever, the metho dology provides an e fficie nt means to exp eriment with such ques tio ns. W e are pre s ently inv estigating further v ariants using our metho do logy , in or der to obta in a n empir ical bas is from which theoretical r esults may be generalized. Our present mo dels are also star ting to press the limits of the mo del chec king technology (run times of the order o f hours for some quer ies, for pro to cols o f ar ound 20 steps), so we a re also investigating optimizations that will incr ease the scale and co mplexity of the pro blems we can address. W e plan to rep or t on this in future work. References 1. Kai Baukus and Ron va n d er Meyden. A knowl ed ge based analysis of cache co- herence. In 6th Int. Conf. on F ormal Engine ering Metho ds , volume 3308 of LNCS , pages 99–114. S pringer, 2004. 2. Chaum. The dinin g cryptographers problem: Un conditional sender and recipient untraceabil ity . Journal of cryptolo gy , pages 65–75, 1988. 3. C. Dwork and Y. Moses. Knowle dge and common knowledge in a Byzantine en- vironment : crash failures. In Pr o c e e dings of the 1986 Confer enc e on The or etic al asp e cts of r e asoning ab out know le dge , pages 149–169, San F rancisco , CA, USA , 1986. Morgan Kaufmann Publishers Inc. 4. C. Dwork and Y. Moses. Knowledge and common kn owledge in a Byzantine envi- ronment: crash failures. Information and C omputation , 88(2):156–186, 1990. 5. R. F agin, J. Y. Halp ern, Y. Moses, and M. Y . V ardi. R e asoning ab out Know l e dge . MIT Press, Cam bridge, Mass., 1995. 6. P . Gammie and R . v an der Meyden. MCK: Model chec king the logic of knowl- edge. In Pr o c e e ding of the 16th I nt. Conf. on c omputer Sci enc e Aide d V erific ation (CA V’04) , volume 3114 of LNCS, pages 479–483. Springer-V erlag, 2004. 7. S. Go el, M. Robson, M. Pol t e, and E. Sirer. Herbivore: A S calable and Efficient Protocol for Anonymous Communication. T echnical rep ort, Cornell Universit y , Ithaca, NY , F ebruary 2003. 8. V. Hadzilacos. A knowledge-theoretic analysis of atomic commitment protocols. In PODS ’ 87: Pr o c e e dings of the sixth ACM SIGACT-SIGMOD-SIGAR T symp osium on Principles of datab ase systems , pages 129–13 4, New Y ork, NY, USA, 1987. ACM . 9. J. Y. Halp ern and L. D. Zuck. A little knowledge go es a long wa y: knowledge-based deriv ations and correctness pro ofs for a family of proto cols. Journal of the ACM , 39(3):449– 478, 1992. 10. Joseph Y . Halp ern and Kev in R. O’Neill. Anonymit y and information hiding in multia gent systems. In Pr o c. of the 16th I EEE C omputer Se curity F oundat ions Workshop , pages 75–88, 2003. 11. D ominic H ughes and Vitaly Shm atiko v. Information hiding, anonymity and pri- v acy: a m o du lar approach. Journal of Computer Se curity , 12 (1):3–36, 2004. 12. E. M. Clark e Jr., O. Grumb erg, and D. A . Pele d. Mo del Che cking . The MIT Press, 1999. 13. A . Lomuscio, H. Qu, and F. Raimondi. MCMAS: A mo del chec ker for the verifica- tion of multi-agen t systems. I n CA V , volume 5643 of L e ctur e Note s in Computer Scienc e , p ages 682–68 8. Springer, 2009. 14. P . Ryan and S. Schneider. The mo del li ng and analysis of se curity pr oto c ols: the CSP appr o ach . Addison-W esley Professional, 2000. 15. S teve Sc hneider and Abraham Sidirop oulos. CSP and anonymit y. In Pr o c. of the Eur op e an Symp osium on R ese ar ch i n Computer Se curity (ESORICS) , pages 198–218 . Springer-V erlag, 1996. 16. Paul Syverson and Stuart Stubblebine. Group principals and th e formalization of anonymit y . In FM ’99: Pr o c e e dings of the Wold Congr ess on F o rmal Metho ds in the Development of Com puting Systems-V olume I , pages 814–833, Lond on, UK, 1999. Springer-V erlag. 17. R on va n der Meyden and Kaile Su. Symbolic model chec kin g the kno wledge of the dining cryptographers. I n Pr o c e e dings of the 17th IEEE Computer Se curity F ound ation Workshop , pages 280–291 . IEEE Computer So ciety , 2004. 18. J. v an Eijck. Dynamic epistemic mo delling. T ec hn ical rep ort, Centrum voor Wiskunde en Informatica, Amsterdam, 2004. CWI Rep ort SEN-E0424.