A Theory of Agreements and Protection Massimo Bartoletti University of Cagliari — BETTY COST Action

Contracts Many theories of contract for reactive systems: I (Bravetti, Zavattaro)+ I Carpineti & Laneve, I (Castagna, Gesbert, Padovani)+ I van der Aalst et al. ...each with different notions of: I compliance / agreement I subcontract / refinement Goal: find a commom semantic model: concurrent multi-party games

A theory of agreements and protection

Contracts = Obligations + Objectives I

Obligations = Event Structures I I I

I

a set of events E , a conflict relation # an enabling relation `

Objectives = functions Φ over sequences of events

Example: I A’s obligations: ∅ ` a I B’s obligations: {a} ` b

, if b ∈ σ , if a ∈ σ

/ if a ∈ σ, b 6∈ σ / if b ∈ σ, a 6∈ σ

Contracts as games

Plays C `e

e 6∈ C

C ∪ {e} conflict-free e

C −−→ C ∪ {e}

Strategies ΣA : finite plays → sets of events of A such that:

e ∈ ΣA (σ)

=⇒

σe is a play

Winning strategies A is innocent in σ iff: ∀i ≥ 0. ∀e of A.

e

e

σi −→ =⇒ ∃j ≥ i. σj − 6 −→




A wins in σ iff WAσ = ,, where   ΦAσ WAσ = /   ,

if all participants are innocent in σ if A is culpable in σ otherwise

Σ is a winning strategy for A in C iff A wins in every fair play of C which conforms to Σ.

Contracts as games — an example A : ` a, ` a0 , a # a0

B : a ` b, a ` c, b # c

ΦA : , if gets b or c / o.w., and did a or a0 o.w.

ΦB : , if gets a / o.w., and did b or c o.w.

( {a} if σ = ε ΣA (σ) = ∅ if σ 6= ε

( {b} ΣB (σ) = ∅

a

{a, b}

c

{a, c}

{a}

∅ a’

b

0

{a }

A hi hai ha bi

if a ∈ σ if a ∈ 6 σ B

/ ,

, ,

Agreement

A agrees on C iff A has a winning strategy in C.

A hi hai ha bi

B / ,

, ,

Session types as games Def. Let P and Q be binary session types. P is compliant with Q iff P | Q →∗ P 0 | Q 0 6→ implies P 0 = 0.

Theorem. P is compliant with Q iff the “eager” strategy is winning for A in CA (P) | CB (Q). P = (!a.!c)+!b

Q =?a&?b

Protection

C protects A iff ∀C0 .

A has a non-losing strategy in C | C0 .

Protection is relevant when service brokers are untrusted!

A : ` a, ` a0 , a # a0

B : a ` b, a ` c, b # c

ΦA : , if gets b or c / o.w., and did a or a0 o.w.

ΦB : , if gets a / o.w., and did b or c o.w.

Agreement vs. Protection Theorem. Let C1 , . . . , Cn be contracts with circular payoffs. Then:

EITHER all the participants agree on C1 | · · · | Cn

OR all the participants are protected

Extends a result in: Even and Yacobi. Relations among public key signature system, 1980.

Vicious circles

In event structures: A: a`b

B: b`a

Vicious circle: neither a nor b are reachable

In logic (IPC): a→b ∧ b→a Vicious circle: neither a nor b are provable

From vicious circles to virtuous circles Elimination of → in Intuitionistic Propositional Logic: ∆`p→q ∆`p ∆`q

(→E)

Example: ∆ = a → b, b → a

∆`a→b ∆`b→a

∆`b ∆`a

.. . ∆ ` a (→E) (→E)

Propositional Contract Logic [LICS’10]

PCL = IPC + contractual implication p  q ∆`pq ∆, q ` p ∆`q

(E)

Example: ∆ = b  a, a → b

∆`ba

∆, a ` a → b ∆, a ` a (→E) ∆, a ` b (E) ∆`a

Event structures with circular causality CES = ES + circular enabling relation Plays σ = e0 e1 e2 · · · are traces of the LTS e

(C , Γ(C )) −−−−→ (C ∪ {e}, Γ(C ∪ {e})) where Γ(σ) is the set of credits of σ: Γ(σ) = {ei ∈ σ | σi 6` ei ∧ σ 6 ei }

A: b a B: a`b

a

b

b

a

{∅, ∅} → − {{a}, {a}} → − {{b, a}, ∅} {∅, ∅} → − {{b}, {b}} → − {{b, a}, {b}}

Prudent events (enjoy mutual coinduction!) A is innocent in σ = e0 e1 · · · iff: ∀e of A. ∀i ≥ 0. ∃j ≥ i. e not prudent in σj

e is prudent in σ if ∃ Σ prudent strategy such that e ∈ Σ(σ)

Σ is a prudent strategy for A iff, for all fair plays σ 0 extending σ, conforming to Σ, and where all B 6= A are innocent: ∃k > |σ|. Γ(σk0 ) ∩ {events of A} ⊆ Γ(σ)

Agreement AND Protection

Theorem. For circular payoffs for participants A1 . . . An , there always exist CES-contracts C1 . . . Cn such that: C1 | · · · | Cn admits an agreement

AND ∀i ∈ 1..n : Ci protects Ai

This justifies extending ES with .

CES are a model of Horn PCL Conflict-free CES are isomorphic to Horn PCL theories: V X ` e ∼ (V X ) → e X e ∼ ( X)  e Example. I

CES: b ` a, a b

Reachable events: a, b

I

PCL: b → a, a  b

Provable atoms: a, b

Th. If E ∼ ∆, then reachable events in E = provable atoms in ∆

Publications

I

I

I

M. Bartoletti and R. Zunino. A calculus of contracting processes. LICS 2010. M. Bartoletti, T. Cimoli and R. Zunino. A theory of agreements and protection. POST 2013. M. Bartoletti, T. Cimoli and G.M. Pinna. A note on two notions of compliance. ICE 2014.