Chapter 1

An Introduction to Logics of
arXiv:1503.00806v1 [cs.AI] 3 Mar 2015

Knowledge and Belief

Hans van Ditmarsch

Joseph Y. Halpern
Wiebe van der Hoek
Barteld Kooi

Contents
1.1 Introduction to the Book . . . . . . . . . . . . . . 1
1.2 Basic Concepts and Tools . . . . . . . . . . . . . 2
1.3 Overview of the Book . . . . . . . . . . . . . . . . 42
1.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 45
References . . . . . . . . . . . . . . . . . . . . . . . 49

Abstract This chapter provides an introduction to some basic

concepts of epistemic logic, basic formal languages, their se-
mantics, and proof systems. It also contains an overview of the
handbook, and a brief history of epistemic logic and pointers to
the literature.

1.1 Introduction to the Book

This introductory chapter has four goals:
1. an informal introduction to some basic concepts of epistemic logic;

2. basic formal languages, their semantics, and proof systems;

Chapter 1 of the Handbook of Epistemic Logic, H. van Ditmarsch, J.Y. Halpern, W. van
der Hoek and B. Kooi (eds), College Publications, 2015, pp. 1–51.
2 CHAPTER 1. INTRODUCTION

3. an overview of the handbook; and

4. a brief history of epistemic logic and pointers to the literature.

In Section 1.2, we deal with the first two items. We provide examples
that should help to connect the informal concepts with the formal defi-
nitions. Although the informal meaning of the concepts that we discuss
may vary from author to author in this book (and, indeed, from reader to
reader), the formal definitions and notation provide a framework for the
discussion in the remainder of the book.
In Section 1.3, we outline how the basic concepts from this chapter are
further developed in subsequent chapters, and how those chapters relate to
each other. This chapter, like all others, concludes with a section of notes,
which gives all the relevant references and some historical background, and
a bibliography.

1.2 Basic Concepts and Tools

As the title suggests, this book uses a formal tool, logic, to study the notion
of knowledge (“episteme” in Greek, hence epistemic logic) and belief, and,
in a wider sense, the notion of information.
Logic is the study of reasoning, formalising the way in which certain
conclusions can be reached, given certain premises. This can be done by
showing that the conclusion can be derived using some deductive system
(like the axiom systems we present in Section 1.2.5), or by arguing that the
truth of the conclusion must follow from the truth of the premises (truth
is the concern of the semantical approach of Section 1.2.2). However, first
of all, the premises and conclusions need to be presented in some formal
language, which is the topic of Section 1.2.1. Such a language allows us to
specify and verify properties of complex systems of interest.
Reasoning about knowledge and belief, which is the focus of this book,
has subtleties beyond those that arise in propositional or predicate logic.
Take, for instance, the law of excluded middle in classical logic, which says
that for any proposition p, either p or ¬p (the negation of p) must hold;
formally, p ∨ ¬p is valid. In the language of epistemic logic, we write Ka p
for ‘agent a knows that p is the case’. Even this simple addition to the
language allows us to ask many more questions. For example, which of the
following formulas should be valid, and how are they related? What kind
of ‘situations’ do the formulas describe?

• Ka p ∨ ¬Ka p

• Ka p ∨ Ka ¬p
1.2. BASIC CONCEPTS AND TOOLS 3

• Ka (p ∨ ¬p)
• Ka p ∨ ¬Ka ¬p
It turns out that, given the semantics of interest to us, only the first and
third formulas above are valid. Moreover as we will see below, Ka p logically
implies ¬Ka ¬p, so the last formula is equivalent to ¬Ka ¬p, and says ‘agent
a considers p possible’. This is incomparable to the second formula, which
says agent a knows whether p is true’.
One of the appealing features of epistemic logic is that it goes beyond
the ‘factual knowledge’ that the agents have. Knowledge can be about
knowledge, so we can write expressions like Ka (Ka p → Ka q) (a knows
that if he knows that p, he also knows that q). More interestingly, we can
model knowledge about other’s knowledge, which is important when we
reason about communication protocols. Suppose Ann knows some fact m
(‘we meet for dinner the first Sunday of August’). So we have Ka m. Now
suppose Ann e-mails this message to Bob at Monday 31st of July, and Bob
reads it that evening. We then have Kb m ∧ Kb Ka m. Do we have Ka Kb m?
Unless Ann has information that Bob has actually read the message, she
cannot assume that he did, so we have (Ka m ∧ ¬Ka Kb m ∧ ¬Ka ¬Kb m).
We also have Ka Kb ¬Ka Kb m. To see this, we already noted that ¬Ka Kb
m, since Bob might not have read the message yet. But if we can deduce
that, then Bob can as well (we implicitly assume that all agents can do
perfect reasoning), and, moreover, Ann can deduce that. Being a gentleman,
Bob should resolve the situation in which ¬Ka Kb m holds, which he could
try to do by replying to Ann’s message. Suppose that Bob indeed replies on
Tuesday morning, and Ann reads this on Tuesday evening. Then, on that
evening, we indeed have Ka Kb Ka m. But of course, Bob cannot assume
Ann read the acknowledgement, so we have ¬Kb Ka Kb Ka m. It is obvious
that if Ann and Bob do not want any ignorance about knowledge of m,
they better pick up the phone and verify m. Using the phone is a good
protocol that guarantees Ka m∧Kb m∧Ka Kb m∧Kb Ka m∧Ka Kb Ka m∧. . . ,
a notion that we call common knowledge; see Section 1.2.2.
The point here is that our formal language helps clarify the effect of a
(communication) protocol on the information of the participating agents.
This is the focus of Chapter 12. It is important to note that requirements of
protocols can involve both knowledge and ignorance: in the above example
for instance, where Charlie is a roommate of Bob, a goal (of Bob) for the
protocol might be that he knows that Charlie does not know the message
(Kb ¬Kc m), while a goal of Charlie might even be Kc Kb ¬m. Actually,
in the latter case, it may be more reasonable to write Kc Bb ¬m: Charlie
knows that Bob believes that there is no dinner on Sunday. A temporal
progression from Kb m ∧ ¬Ka Kb m to Kb Ka m can be viewed as learning.
4 CHAPTER 1. INTRODUCTION

This raises interesting questions in the study of epistemic protocols: given

an initial and final specification of information, can we find a sequence of
messages that take us from the former to the latter? Are there optimal
such sequences? These questions are addressed in Chapter 5, specifically
Sections 5.7 and 5.9.
Here is an example of a scenario where the question is to derive a
sequence of messages from an initial and final specification of information.
It is taken from Chapter 12, and it demonstrates that security protocols
that aim to ensure that certain agents stay ignorant cannot (and do not)
always rely on the fact that some messages are kept secret or hidden.

Alice and Betty each draw three cards from a pack of seven
cards, and Eve (the eavesdropper) gets the remaining card. Can
players Alice and Betty learn each other’s cards without reveal-
ing that information to Eve? The restriction is that Alice and
Betty can make only public announcements that Eve can hear.

We assume that (it is common knowledge that) initially, all three agents
know the composition of the pack of cards, and each agent knows which
cards she holds. At the end of the protocol, we want Alice and Betty to
know which cards each of them holds, while Eve should know only which
cards she (Eve) holds. Moreover, messages can only be public announce-
ments (these are formally described in Chapter 6), which in this setting
just means that Alice and Betty can talk to each other, but it is com-
mon knowledge that Eve hears them. Perhaps surprisingly, such a protocol
exists, and, hopefully less surprisingly by now, epistemic logic allows us
to formulate precise epistemic conditions, and the kind of announcements
that should be allowed. For instance, no agent is allowed to lie, and agents
can announce only what they know. Dropping the second condition would
allow Alice to immediately announce Eve’s card, for instance. Note there
is an important distinction here: although Alice knows that there is an
announcement that she can make that would bring about the desired state
of knowledge (namely, announcing Eve’s card), there is not something that
Alice knows that she can announce that would bring about the desired state
of knowledge (since does not in fact know Eve’s card). This distinction has
be called the de dicto/de re distinction in the literature. The connections
between knowledge and strategic ability are the topic of Chapter 11.
Epistemic reasoning is also important in distributed computing. As
argued in Chapter 5, processes or programs in a distributed environment
often have only a limited view of the global system initially; they gradually
come to know more about the system. Ensuring that each process has
the appropriate knowledge needed in order to act is the main issue here.
1.2. BASIC CONCEPTS AND TOOLS 5

The chapter mentions a number of problems in distributed systems where

epistemic tools are helpful, like agreement problems (the dinner example of
Ann and Bob above would be a simple example) and the problem of mutual
exclusion, where processes sharing a resource must ensure that only one
process uses the resource at a time. An instance of the latter is provided in
Chapter 8, where epistemic logic is used to specify a correctness property of
the Railroad Crossing System. Here, the agents Train, Gate and Controller
must ensure, based on the type of signals that they send, that the train is
never at the crossing while the gate is ‘up’. Chapter 8 is on model checking;
it provides techniques to automatically verify that such properties (specified
in an epistemic temporal language; cf. Chapter 5) hold. Epistemic tools
to deal with the problem of mutual exclusion are also discussed in Chapter
11, in the context of dealing with shared file updates.
Reasoning about knowing what others know (about your knowledge)
is also typical in strategic situations, where one needs to make a decision
based on how others will act (where the others, in turn, are basing their
decision on their reasoning about you). This kind of scenario is the focus
of game theory. Epistemic game theory studies game theory using notions
from epistemic logic. (Epistemic game theory is the subject of Chapter 9
in this book.) Here, we give a simplified example of one of the main ideas.
Consider the game in Figure 1.1.

a
A
l r

b
B C
✓ ◆
1 L R
4
a
D E
✓ ◆
2 l r
2
F G
✓ ◆ ✓ ◆
4 3
1 3

Figure 1.1: A simple extensive form game.

6 CHAPTER 1. INTRODUCTION

This model represents a situation where two players, a and b, take turns,
with a starting at the top node A. If a plays l (‘left’) in this node, the game
ends in node B and the payoff for a is 1 and that for b is 4. If a, however,
plays r in A, the game proceeds to node C, where it is b’s turn. Player
b has a choice between playing L and R (note that we use upper case to
distinguish b’s moves from a’s moves). The game continues until a terminal
node is reached. We assume that both players are rational; that is, each
prefers a higher outcome for themselves over a lower one. What will a play
in the start node A?
One way to determine what will happen in this game is to use backward.
Consider node E. If that node is reached, given that a is rational (denoted
r ata ), a will play l here, since she prefers the outcome 4 over 3 (which she
would get by playing r). Now consider node C. Since b knows that a is
rational, he knows that his payoff when playing R at C is 1. Since b is
rational, and playing L in C gives him 2, he will play L. The only thing
needed to conclude this is (r atb ∧Kb r ata ). Finally, consider node A. Player
a can reason as we just did, so a knows that she has a choice between the
payoff of 2 she would obtain by playing r and the payoff of 1 she would
obtain by playing l. Since a is rational, she plays r at A. Summarising, the
condition that justifies a playing r at A and b playing L at B is

r ata ∧ Ka r atb ∧ Ka Kb r ata ∧ r atb ∧ Kb r ata

This analysis predicts that the game will end in node D. Although
this analysis used only ‘depth-two’ knowledge (a knows that b knows), to
perform a similar analysis for longer variants of this game requires deeper
and deeper knowledge of rationality. In fact, in many epistemic analyses
in game theory, common knowledge of rationality is assumed. The con-
tribution of epistemic logic to game theory is discussed in more detail in
Chapter 9.

1.2.1 Language
Most if not all systems presented in this book extend propositional logic.
The language of propositional logic assumes a set At of primitive (or atomic)
propositions, typically denoted p, q, . . . , possibly with subscripts. They
typically refer to statements that are considered basic; that is, they lack
logical structure, like ‘it is raining’, or ‘the window is closed’. Classical
logic then uses Boolean operators, such as ¬ (‘not’), ∧ (‘and’), ∨, (‘or’), →
(‘implies’), and ↔ (‘if and only if’), to build more complex formulas. Since
all those operators can be defined in terms of ∧ and ¬ (see Definition 1.2),
the formal definition of the language often uses only these two connectives.
Formulas are denoted with Greek letters: ϕ, ψ, α, . . . . So, for instance,
1.2. BASIC CONCEPTS AND TOOLS 7

while (p ∧ q) is the conjunction of two primitive propositions, the formula

(ϕ ∧ ψ) is a conjunction of two arbitrary formulas, each of which may have
further structure.
When reasoning about knowledge and belief, we need to be able to refer
to the subject, that is, the agent whose knowledge or belief we are talking
about. To do this, we assume a finite set Ag of agents. Agents are typically
denoted a, b, . . . , i, j, . . . , or, in specific examples, Alice, Bob, . . . . To reason
about knowledge, we add operators Ka to the language of classical logic,
where Ka ϕ denotes ‘agent a knows (or believes) ϕ’. We typically let the
context determine whether Ka represents knowledge or belief. If it is nec-
essary to reason knowledge and belief simultaneously, we use operators Ka
for knowledge and Ba for belief. Logics for reasoning about knowledge are
sometimes called epistemic logics, while logics for reasoning about belief
are called doxastic logics, from the Greek words for knowledge and belief.
The operators Ka and Ba are examples of modal operators. We sometimes
use 2 or 2a to denote a generic modal operator, when we want to discuss
general properties of modal operators.
Definition 1.1 (An Assemblage of Modal Languages)
Let At be a set of primitive propositions, Op a set of modal operators, and
Ag a set of agent symbols. Then we define the language L(At, Op, Ag) by
the following BNF:
ϕ := p | ¬ϕ | (ϕ ∧ ϕ) | 2ϕ,
where p ∈ At and 2 ∈ Op. a

Typically, the set Op depends on Ag. For instance, the language for
multi-agent epistemic logic is L(At, Op, Ag), with Op = {Ka | a ∈ Ag}, that
is, we have a knowledge operator for every agent. To study interactions
between knowledge and belief, we would have Op = {Ka , Ba | a ∈ Ag}. The
language of propositional logic, which does not involve modal operators, is
denoted L(At); propositional formulas are, by definition, formulas in L(At).
Definition 1.2 (Abbreviations in the Language)
As usual, parentheses are omitted if that does not lead to ambiguity. The
following abbreviations are also standard (in the last one, A ⊆ Ag).
description/name definiendum definiens
false ⊥ p ∧ ¬p
true > ¬⊥
disjunction ϕ∨ψ ¬(¬ϕ ∧ ¬ψ)
implication ϕ→ψ ¬ϕ ∨ ψ
dual of K Ma ϕ or K̂a ϕ ¬K
V a ¬ϕ
everyone in A knows EA ϕ a∈A Ka ϕ
8 CHAPTER 1. INTRODUCTION

Note that Ma ϕ, which say ‘agent a does not know ¬ϕ’, can also be read
‘agent a considers ϕ possible’. a

Let 2 be a modal operator, either one in Op or one defined as an

abbreviation. We define the nth iterated application of 2, written 2n , as
follows:
20 ϕ = ϕ and 2n+1 ϕ = 22n ϕ.
We are typically interested in iterating the EA operator, so that we can
talk about ‘everyone in A knows’, ‘everyone in A knows that everyone in A
knows’, and so on.
Finally, we define two measures on formulas.
Definition 1.3 (Length and modal depth)
The length | ϕ | and the modal depth d(ϕ) of a formula ϕ are both defined
inductively as follows:

|p| = 1 and d(p) = 0

| ¬ϕ | = | ϕ | +1 and d(¬ϕ) = d(ϕ)
| (ϕ ∧ ψ) | = | ϕ | + | ψ | +1 and d(ϕ ∧ ψ) = max{d(ϕ), d(ψ)}
| 2a ϕ | = | ϕ | +1 and d(2ϕ) = 1 + d(ϕ).

In the last clause, 2a is a modal operator corresponding to a single agent.

Sometimes, if A ⊆ Ag is a group of agents and 2A is a group operator (like
EA , DA or CA ), | 2A ϕ | depends not only on ϕ, but also on the cardinality
of A. a

So, | 2a (q ∧ 2b p) |= 5 and d(2a (q ∧ 2b p)) = 2. Likewise, | 2a q ∧ 2b p |= 5

while d(2a q ∧ 2b p) = 1.

1.2.2 Semantics
We now define a way to systematically determine the truth value of a for-
mula. In propositional logic, whether p is true or not ‘depends on the
situation’. The relevant situations are formalised using valuations, where a
valuation
V : At → {true, false}
determines the truth of primitive propositions. A valuation can be ex-
tended so as to determine the truth of all formulas, using a straightforward
inductive definition: ϕ ∧ ψ is true given V iff each of ϕ and ψ is true given
V , and ¬ϕ is true given V iff ϕ is false given V . The truth conditions
of disjunctions, implications, and bi-implications follow directly from these
two clauses and Definition 1.2. To model knowledge and belief, we use ideas
that go back to Hintikka. We think of an agent a as considering possible
1.2. BASIC CONCEPTS AND TOOLS 9

a number of different situations that are consistent with the information

that the agent has. Agent a is said to know (or believe) ϕ, if ϕ is true in all
the situations that a considers possible. Thus, rather than using a single
situation to give meaning to modal formulas, we use a set of such situations;
moreover, in each situation, we consider, for each agent, what other situ-
ations he or she considers possible. The following example demonstrates
how this is done.
Example 1.1
Bob is invited for a job interview with Alice. They have agreed that it
will take place in a coffeehouse downtown at noon, but the traffic is quite
unpredictable, so it is not guaranteed that either Alice or Bob will arrive
on time. However, the coffeehouse is only a 15-minute walk from the bus
stop where Alice plans to go, and a 10-minute walk from the metro station
where Bob plans to go. So, 10 minutes before the interview, both Alice and
Bob will know whether they themselves will arrive on time. Alice and Bob
have never met before. A Kripke model describing this situation is given
in Figure 1.2.

a, b a, b

a
w v
ta , tb ta , ¬tb

b b

¬ta , tb ¬ta , ¬tb

s u
a

a, b a, b

Figure 1.2: The Kripke model for Example 1.1.

Suppose that at 11:50, both Alice and Bob have just arrived at their
respective stations. Taking ta and tb to represent that Alice (resp., Bob)
arrive on time, this is a situation (denoted w in Figure 1.2) where both ta
and tb are true. Alice knows that ta is true (so in w we have Ka ta ), but she
does not know whether tb is true; in particular, Alice considers possible the
situation denoted v in Figure 1.2, where ta ∧ ¬tb holds. Similarly, in w, Bob
considers it possible that the actual situation is s, where Alice is running
late but Bob will make it on time, so that ¬ta ∧ tb holds. Of course, in s,
Alice knows that she is late; that is, Ka ¬ta holds. Since the only situations
10 CHAPTER 1. INTRODUCTION

that Bob considers possible at world w are w and s, he knows that he

will be on time (Kb tb ), and knows that Alice knows whether or not she is
on time (Kb (Ka ta ∨ Ka ¬ta )). Note that the latter fact follows since Ka ta
holds in world w and Ka ¬ta holds in world s, so Ka ta ∨ Ka ¬ta holds in
both worlds that Bob considers possible. a

This, in a nutshell, explains what the models for epistemic and doxastic
look like: they contain a number of situations, typically called states or
(possible) worlds, and binary relations on states for each agent, typically
called accessibility relations. A pair (v, w) is in the relation for agent a if,
in world v, agent a considers state w possible. Finally, in every state, we
need to specify which primitive propositions are true.
Definition 1.4 (Kripke frame, Kripke model)
Given a set At of primitive propositions and a set Ag of agents, a Kripke
model is a structure M = hS, RAg , V At ), where
• S 6= ∅ is a set of states, sometimes called the domain of M , and
denoted D(M );
• RAg is a function, yielding an accessibility relation Ra ⊆ S × S for
each agent a ∈ Ag;
• V At : S → (At → {true, false}) is a function that, for all p ∈ At and
s ∈ S, determines what the truth value V At (s)(p) of p is in state s
(so V At (s) is a propositional valuation for each s ∈ S).
We often suppress explicit reference to the sets At and Ag, and write M =
hS, R, V i, without upper indices. Further, we sometimes write sRa t or
Ra st rather than (s, t) ∈ Ra , and use Ra (s) or Ra s to denote the set
{t ∈ S | Ra st}. Finally, we sometimes abuse terminology and refer to V as
a valuation as well.
The class of all Kripke models is denoted K. We use Km to denote the
class of Kripke models where | Ag |= m. A Kripke frame F = hS, Ri focuses
on the graph underlying a model, without regard for the valuation. a

More generally, given a modal logic with a set Op of modal operators,

the corresponding Kripke model has the form M = hS, ROp , V At i, where
there is a binary relation R2 for every operator 2 ∈ Op. Op may, for
example, consist of a knowledge operator for each agent in some set Ag and
a belief operator for each agent in Ag.
Given Example 1.1 and Definition 1.4, it should now be clear how the
truth of a formula is determined given a model M and a state s. A pair
(M, s) is called a pointed model; we sometimes drop the parentheses and
write M, s.
1.2. BASIC CONCEPTS AND TOOLS 11

Definition 1.5 (Truth in a Kripke Model)

Given a model M = hS, RAg , V At i, we define what it means for a formula
ϕ to be true in (M, s), written M, s |= ϕ, inductively as follows:

M, s |= p iff V (s)(p) = true for p ∈ At

M, s |= ϕ ∧ ψ iff M, s |= ϕ and M, s |= ψ
M, s |= ¬ϕ iff not M, s |= ϕ (often written M, s 6|= ϕ)
M, s |= Ka ϕ iff M, t |= ϕ for all t such that Ra st.

More generally, if M = hS, ROp , V At i, then for all 2 ∈ Op:

M, s |= 2ϕ iff (M, t) |= ϕ for all t such that R2 st.

Recall that Ma is the dual of Ka ; it easily follows from the definitions that

M, s |= Ma ϕ iff there exists some t such that Ra st and M, t |= ϕ.

We write M |= ϕ if M, s |= ϕ for all s ∈ S. a

Example 1.2
Consider the model of Figure 1.2. Note that Ka p∨Ka ¬p represents the fact
that agent a knows whether p is true. Likewise, Ma p ∧ Ma ¬p is equivalent
to ¬Ka ¬p ∧ ¬Ka p: agent a is ignorant about p. We have the following (in
the final items we write Eab instead of E{a,b} ):

1. (M, s) |= tb : truth of a primitive proposition in s.

2. M, s |= (¬ta ∧ Ka ¬ta ∧ ¬Kb ¬ta ) ∧ (tb ∧ ¬Ka tb ∧ Kb tb ): at s, a knows

that ta is false, but b does not; similarly, b knows that tb is true, but
a does not.

3. M |= Ka (Kb tb ∨ Kb ¬tb ) ∧ Kb (Ka ta ∨ Ka ¬ta ): in all states of M , agent

a knows that b knows whether tb is true, and b knows that a knows
whether ta is true.

4. M |= Ka (Mb tb ∧ Mb ¬tb ) ∧ Kb (Ma ta ∧ Ma ¬ta ) in all states of M , agent

a knows that b does not know whether ta is true, and b knows that a
does not know whether tb is true.

5. M |= Eab ((Ka ta ∨ Ka ¬ta ) ∧ (Ma tb ∧ Ma ¬tb )): in all states, everyone

knows that a knows whether ta is true, but a does not know whether
tb is true.

6. M |= Eab Eab ((Ka ta ∨Ka ¬ta )∧(Ma tb ∧Ma ¬tb )): in all states, everyone
knows what we stated in the previous item.
12 CHAPTER 1. INTRODUCTION

This shows that the model M of Figure 1.2 is not just a model for a situation
where a knows ta but not tb and agent b knows tb but not ta ; it represents
much more information. a
As the following example shows, in order to model certain situations,
it may be necessary that some propositional valuations occur in more than
one state in the model.
Example 1.3
Recall the scenario of the interview between Alice and Bob, as presented in
Example 1.1. Suppose that we now add the information that in fact Alice
will arrive on time, but Bob is not going to be on time. Although Bob does
not know Alice, he knows that his friend Carol is an old friend of Alice. Bob
calls Carol, leaving a message on her machine to ask her to inform Alice
about Bob’s late arrival as soon as she is able to do so. Unfortunately
for Bob, Carol does not get his message on time. This situation can be
represented in state M, v of the model of Figure 1.3.

a, b a, b a, b

a b
w v v�
ta , tb ta , ¬tb ta , ¬tb

b b
b b b

¬ta , tb ¬ta , ¬tb ¬ta , ¬tb

s u u�
a b

a, b a, b a, b

Figure 1.3: The Kripke model for Example 1.3.

Note that in (M, v), we have ¬Ka ¬tb (Alice does not know that Bob
is late), but also Mb (Ka ¬tb ) (Bob considers it possible that Alice knows
that Bob is late). So, although the propositional valuations in v and v 0 are
the same, those two states represent different situations: in v agent a is
uncertain whether ¬tb holds, while in v 0 she knows ¬tb . Also, in M, v, Bob
considers it possible that both of them will be late, and that Alice knows
this: this is because Rb vu0 holds in the model, and M, u0 |= Ka (¬ta ∧ ¬tb ).a
We often impose restrictions on the accessibility relation. For example,
we may want to require that if, in world v, agent a considers world w possi-
1.2. BASIC CONCEPTS AND TOOLS 13

ble, then in w, agent a should consider v possible. This requirement would

make Ra symmetric. Similarly, we might require that, in each world w, a
considers w itself possible. This would make Ra reflexive. More generally,
we are interested in certain subclasses of models (typically characterized by
properties of the accessibility relations).

Definition 1.6 (Classes of models, validity, satisfiability)

Let X be a class of models, that is, X ⊆ K. If M |= ϕ for all models M in
X , we say that ϕ is valid in X , and write X |= ϕ. For example, for validity
in the class of all Kripke models K, we write K |= ϕ. We write X 6|= ϕ when
it is not the case that X |= ϕ. So X 6|= ϕ holds if, for some model M ∈ X
and some s ∈ D(M ), we have M, s |= ¬ϕ. If there exists a model M ∈ X
and a state s ∈ D(M ) such that M, s |= ϕ, we say that ϕ is satisfiable in
X. a

We now define a number of classes of models in terms of properties of the

relations Ra in those models. Since they depend only on the accessibility
relation, we could have defined them for the underlying frames; indeed, the
properties are sometimes called frame properties.
Definition 1.7 (Frame properties)
Let R be an accessibility relation on a domain of states S.

1. R is serial if for all s there is a t such that Rst. The class of se-
rial Kripke models, that is, {M = hS, R, V i | every Ra is serial} is
denoted KD.

2. R is reflexive if for all s, Rss. The class of reflexive Kripke models is

denoted KT .

3. R is transitive if for all s, t, u, if Rst and Rtu then Rsu. The class of
transitive Kripke models is denoted K4.

4. R is Euclidean if for all s, t, and u, if Rst and Rsu then Rtu. The
class of Euclidean Kripke models is denoted K5

5. R is symmetric if for all s, t, if Rst then Rts. The class of symmetric

Kripke models is denoted KB

6. We can combine properties of relations:

(a) The class of reflexive transitive models is denoted S4.

(b) The class of transitive Euclidean models is denoted K45.
(c) The class of serial transitive Euclidean models is denoted KD45.
14 CHAPTER 1. INTRODUCTION

(d) R is an equivalence relation if R is reflexive, symmetric, and

transitive. It not hard to show that R is an equivalence relation
if R is reflexive and Euclidean. The class of models where the
relations are equivalence relations is denoted S5.

As we did for Km , we sometimes use the subscript m to denote the number

of agents, so S5m , for instance, is the class of Kripke models with | Ag |=
m. a

Of special interest in this book is the class S5. In this case, the accessi-
bility relations are equivalence classes. This makes sense if we think of Ra st
holding if s and t are indistinguishable by agent a based on the information
that a has received. S5 has typically been used to model knowledge. In
an S5 model, write s ∼a t rather than Ra st, to emphasize the fact that Ra
is an equivalence relation. When it is clear that M ∈ S5, when drawing
the model, we omit reflexive arrows, and since the relations are symmetric,
we connect states by a line, rather than using two-way arrows. Finally,
we leave out lines that can be deduced to exist using transitivity. We call
this the S5 representation of a Kripke model. Figure 1.4 shows the S5
representation of the Kripke model of Figure 1.3.

a b
w v v�
ta , tb ta , ¬tb ta , ¬tb

b b b

¬ta , tb ¬ta , ¬tb ¬ta , ¬tb

s u u�
a b

Figure 1.4: The S5 representation of the Kripke model in Figure 1.3.

When we restrict the classes of models considered, we get some inter-

esting additional valid formulas.
Theorem 1.1 (Valid Formulas)
Parts (c)–(i) below are valid formulas, where α is a substitution instance
of a propositional tautology (see below), ϕ and ψ are arbitrary formulas,
and X is one of the classes of models defined in Definition 1.7; parts (a),
(b), and (j) show that we can infer some valid formulas from others.
(a) If X |= ϕ → ψ and X |= ϕ, then X |= ψ.

(b) If X |= ϕ then X |= Kϕ.

1.2. BASIC CONCEPTS AND TOOLS 15

(c) X |= α.

(d) X |= K(ϕ → ψ) → (Kϕ → ψ).

(e) KD |= Kϕ → M ϕ.

(f) T |= Kϕ → ϕ.

(g) K4 |= Kϕ → KKϕ.

(h) K5 |= ¬Kϕ → K¬Kϕ.

(i) KB |= ϕ → KM ϕ.

(j) If X ⊆ Y then Y |= ϕ implies that X |= ϕ. a

Since S5 is the smallest of the classes of models considered in Definition 1.7,

it easily follows that all the formulas and inference rules above are valid
in S5. To the extent that we view S5 as the class of models appropriate
for reasoning about knowledge, Theorem 1.1 can be viewed as describing
properties of knowledge. As we shall see, many of these properties apply
to the standard interpretation of belief as well.
Parts (a) and (c) emphasise that we represent knowledge in a logi-
cal framework: modus ponens is valid as a reasoning rule, and we take
all propositional tautologies for granted. In part (c), α is a substitution
instance of a propositional tautology. For example, since p ∨ ¬p and
p → (q → p) are propositional tautologies, α could be Kp ∨ ¬Kp or
K(p ∨ q) → (Kr → K(p ∨ q)). That is, we can substitute an arbitrary
formula (uniformly) for a primitive proposition in a propositional tautol-
ogy. Part (b) says that agents know all valid formulas, and part (d) says
that an agent is able to apply modus ponens to his own knowledge. Part
(e) is equivalent to Kϕ → ¬K¬ϕ; an agent cannot at the same time know a
proposition and its negation. Part (f) is even stronger: it says that what an
agent knows must be true. Parts (g) and (h) represent what has been called
positive and negative introspection, respectively: an agent knows what he
knows and what he does not know. Part (i) can be shown to follow from
the other valid formulas; it says that if something is true, the agent knows
that he considers it possible.

Notions of Group Knowledge

So far, all properties that we have encountered are properties of an indi-
vidual agent’s knowledge. such as EA , defined above. In this section we
introduce two other notions of group knowledge, common knowledge CA
and distributed knowledge DA , and investigate their properties.
16 CHAPTER 1. INTRODUCTION

Example 1.4 (Everyone knows and distributed knowledge)

Alice and Betty each has a daughter; their children can each either be at
the playground (denoted pa and pb , respectively) or at the library (¬pa ,
and ¬pb , respectively). Each child has been carefully instructed that, if she
ends up being on the playground without the other child, she should call
her mother to inform her. Consider the situation described by the model
M in Figure 1.5.

¬pa , pb
w
a a
pa , pb ¬pa , ¬pb
a, b
s t

b b
u pa , ¬pb

Figure 1.5: The (S5 representation of the) model for Example 1.4.

We have

M |= ((¬pa ∧ pb ) ↔ Ka (¬pa ∧ pb )) ∧ ((pa ∧ ¬pb ) ↔ Kb (pa ∧ ¬pb )).

This models the agreement each mother made with her daughter. Now
consider the situation at state s. We have M, s |= Ka ¬(pa ∧ ¬pb ), that
is, Alice knows that it is not the case that her daughter is alone at the
playground (otherwise her daughter would have informed her). What does
each agent know at s? If we consider only propositional facts, it is easy
to see that Alice knows pa → pb and Betty knows pb → pa . What does
everyone know at s? The following sequence of equivalences is immediate
from the definitions:
M, s |= E{a,b} ϕ
iff M, s |= Ka ϕ ∧ Kb ϕ
iff ∀x(Ra sx ⇒ M, x |= ϕ) and ∀y(Rb sy ⇒ M, y |= ϕ)
iff ∀x ∈ {s, w, t} (M, x |= ϕ) and ∀y ∈ {s, u, t} (M, y |= ϕ)
iff M |= ϕ.

Thus, in this model, what is known by everyone are just the formulas valid
in the model. Of course, this is not true in general.
Now suppose that Alice and Betty an opportunity to talk to each other.
Would they gain any new knowledge? They would indeed. Since M, s |=
1.2. BASIC CONCEPTS AND TOOLS 17

Ka (pa → pb ) ∧ Kb (pb → pa ), they would come to know that pa ↔ pb holds;

that is, they would learn that their children are at least together, which
is certainly not valid in the model. The knowledge that would emerge if
the agents in a group A were allowed to communicate is called distributed
knowledge in A, and denoted by the operator DA . In our example, we
have M, s |= D{a,b} (pa ↔ pb ), although M, s |= ¬Ka (pa ↔ pb ) ∧ ¬Kb (pa ↔
pb ). In other words, distributed knowledge is generally strongerWthan any
individual’s knowledge, and we therefore cannot define DA ϕ as i∈A Ki ϕ,
the dual of general knowledge that we may have expected; that would be
weaker than any individual agent’s knowledge. In terms of the model,
what would happen if Alice and Betty could communicate is that Alice
could tell Betty that he should not consider state u possible, while Betty
could tell Alice that she should not consider state w possible. So, after
communication, the only states considered possible by both agents at state
s are s and t. This argument suggests that we should interpret T DA as
the necessity operator (2-type modal operator) of the relation a∈A Ra .
By way of contrast, it follows easily from the definitions
S that EA can be
interpreted as the necessity operator of the relation a∈A Ra . a

The following example illustrates common knowledge.

Example 1.5 (Common knowledge)
This time we have two agents: a sender (s) and a receiver (r). If a message
is sent, it is delivered either immediately or with a one-second delay. The
sender sends a message at time t0 . The receiver does not know that the
sender was planning to send the message. What is each agent’s state of
knowledge regarding the message?
To reason about this, let sz (for z ∈ Z) denote that the message was sent
at time t0 +z, and, likewise, let dz denote that the message was delivered at
time t = z. Note that we allow z to be negative. To see why, consider the
world w0,0 where the message arrives immediately (at time t0 ). (In general,
in the subscript (i, j) of a world wi,j , i denotes the time that the message
was sent, and j denotes the time it was received.) In world w0,0 , the receiver
considers it possible that the message was sent at time t0 − 1. That is, the
receiver considers possible the world w−1,0 where the message was sent at
t0 − 1 and took one second to arrive. In world w−1,0 , the sender considers
possible the world w−1,−1 where the message was sent at time t0 − 1 and
arrived immediately. And in world w−1,−1 , the receiver considers possible
a world w−2,−1 where the message as sent at time t0 − 2. (In general, in
world wn,m , the message is sent at time t0 + n and received at time t0 + m.)
In addition, in world w0,0 , the sender considers possible world w0,1 , where
the message is received at time t0 + 1. The situation is described in the
following model M .
18 CHAPTER 1. INTRODUCTION

r s r s
(s0 , d0 ) (s−1 , d0 ) (s−1 , d−1 ) (s−2 , d−1 ) (s−2 , d−2 )

(s0 , d1 ) (s1 , d1 ) (s1 , d2 ) (s2 , d2 ) (s2 , d3 )

r s r s

Figure 1.6: The (S5 representation of the) model for Example 1.5.

Writing E for ‘the sender and receiver both know’, it easily follows that

M, w0,0 |= s0 ∧ d0 ∧ ¬E¬s−1 ∧ ¬E¬d1 ∧ ¬E 3 ¬s−2 .

The notion of ϕ being common knowledge among group A, denoted

CA ϕ, is meant to capture the idea that, for all n, E n ϕ is true. Thus, ϕ is
not common among A if someone in A considers it possible that someone in
A considers it possible that . . . someone in A considers it possible that ϕ is
false. This is formalised below, but the reader should already be convinced
that in our scenario, even if it is common knowledge among the agents that
messages will have either no delay or a one-second delay, it is not common
knowledge that the message was sent at or after time t0 − m for any value
of m! a
Definition 1.8 (Semantics of three notions of group knowledge)
Let A ⊆ Ag be a group of agents. Let REA = ∪a∈A Ra . As we observed
above,

(M, s) |= EA ϕ iff for all t such that REA st, we have (M, t) |= ϕ.

Similarly, taking RDA = ∩a∈A Ra , we have

(M, s) |= DA ϕ iff for all t such that RDA st, we have (M, t) |= ϕ.

Finally, recall that the transitive closure of a relation R is the smallest

relation R+ such that R ⊆ R+ , and such that, for S all x, y, and z, if R+ xy
+
and R yz then R xz. We define RCA as REA = ( a∈A Ra )+ . Note that,
+ +
+
in Figure 1.6, every pair of states is in the relation RC {r,s}
. In general, we
have RCA st iff there is some path s = s0 , s1 , . . . , sn = t from s to t such
that n ≥ 1 and, for all i < n, there is some agent a ∈ A for which Ra si si+1 .
Define

(M, s) |= CA ϕ iff for all t such that RCA st, (M, t) |= ϕ.

It is almost immediate from the definitions that, for a ∈ A, we have

K |= (CA ϕ → EA ϕ) ∧ (EA ϕ → Ka ϕ) ∧ (Ka ϕ → DA ϕ). (1.1)

1.2. BASIC CONCEPTS AND TOOLS 19

Moreover, for T (and hence also for S4 and S5), we have

T |= Da ϕ → ϕ.

The relative strengths shown in (1.1) are strict in the sense that none
of the converse implications are valid (assuming that A 6= {a}).
We conclude this section by defining some languages that are used
later in this chapter. Fixing At and Ag, we write LX for the language
L(At, Op, Ag), where

X =K if Op = {Ka | a ∈ Ag}
X = CK if Op = {Ka , CA | a ∈ Ag, A ⊆ Ag}
X = DK if Op = {Ka , DA | a ∈ Ag, A ⊆ Ag}
X = CDK if Op = {Ka , CA , DA | a ∈ Ag, A ⊆ Ag}
X = EK if Op = {Ka , EA | a ∈ Ag, A ⊆ Ag}.

Bisimulation
It may well be that two models (M, s) and (M 0 , s0 ) ‘appear different’, but
still satisfy the same formulas. For example, consider the models (M, s),
(M 0 , s0 ), and (N, s1 ) in Figure 1.7. As we now show, they satisfy the same
formulas. We actually prove something even stronger. We show that all
of (M, s), (M, t), (M 0 , s0 ), (N, s1 ), (M, s2 ), and (N, s3 ) satisfy the same
formulas, as do all of (M, u), (M, w), (M 0 , w0 ), (N, w1 ), and (N, w2 ). For
the purposes of the proof, call the models in the first group green, and
the models in the second group red. We now show, by induction on the
structure of formulas, that all green models satisfy the same formulas, as
do all red models. For primitive propositions, this is immediate. And if two
models of the same colour agree on two formulas, they also agree on their
negations and their conjunctions. The other formulas we need to consider
are knowledge formulas. Informally, the argument is this. Every agent
considers, in every pointed model, both green and red models possible. So
his knowledge in each pointed model is the same. We now formalise this
reasoning.
Definition 1.9 (Bisimulation)
Given models M = (S, R, V ) and M 0 = (S 0 , R0 , V 0 ), a non-empty relation
R ⊆ S × S 0 is a bisimulation between M and M 0 iff for all s ∈ S and s0 ∈ S 0
with (s, s0 ) ∈ R:

• V (s)(p) = V 0 (s0 )(p) for all p ∈ At;

• for all a ∈ Ag and all t ∈ S, if Ra st, then there is a t0 ∈ S 0 such that

Ra0 s0 t0 and (t, t0 ) ∈ R;
20 CHAPTER 1. INTRODUCTION

• for all a ∈ Ag and all t0 ∈ S 0 , if Ra0 s0 t0 , then there is a t ∈ S such that

Ra st and (t, t0 ) ∈ R.

We write (M, s) ↔ (M 0 , s0 ) iff there is a bisimulation between M and M 0

linking s and s0 . If so, we call (M, s) and (M 0 , s0 ) bisimilar. a

Figure 1.7 illustrates some bisimilar models. In terms of the models

p, ¬q
p, ¬q
M0
M w w0
a, b a, b
p, q p, q
s t a, b

a, b a, b
u s0
p, q
p, ¬q

N
p, q p, ¬q p, q p, ¬q p, q
s1 w1 s2 w2 s3
a, b a, b a, b a, b

Figure 1.7: Bisimilar models.

of Figure 1.7, we have M, s ↔ M 0 , s0 , M, s ↔ N, s1 , etc. We are interested

in bisimilarity because, as the following theorem shows, bisimilar models
satisfy the same formulas involving the operators Ka and CA .
Theorem 1.2 (Preservation under bisimulation)
Suppose that (M, s) ↔ (M 0 , s0 ). Then, for all formulas ϕ ∈ LCK , we have

M, s |= ϕ ⇔ M 0 , s0 |= ϕ. a

The proof of the theorem proceeds by induction on the structure of formu-

las, much as in our example. We leave the details to the reader.
Note that Theorem 1.2 does not claim that distributed knowledge is
preserved under bisimulation, and indeed, it is not, i.e., Theorem 1.2 does
not hold for a language with DA as an operator. Figure 1.8 provides
a witness for this. We leave it to the reader to check that although
(M, s) ↔ (N, s1 ) for the two pointed models of Figure 1.8, we nevertheless
have (M, s) |= ¬D{a,b} p and (N, s1 ) |= D{a,b} p.
We can, however, generalise the notion of bisimulation to that of a group
bisimulation and ‘recover’ the preservation theorem, as follows. If A ⊆ Ag,
1.2. BASIC CONCEPTS AND TOOLS 21

¬p
t1
M N a b
p ¬p p p
a, b
s t s1 s2

b a
¬p
t2

Figure 1.8: Two bisimilar models that do not preserve distributed know-
ledge.

s and t are states, then we write RA st if A = {a | Ra st}. That is, RA st

holds if the set of agents a for which s and t are a-connected is exactly A.
(M, s) and (M 0 , s0 ) are group bisimilar, written (M, s) ↔ group (M 0 , s0 ), if the
conditions of Definition 1.9 are met when every occurrence of an individual
agent a is replaced by the group A. Obviously, being group bisimilar implies
being bisimilar. Note that the models (M, s) and (N, s1 ) of Figure 1.8 are
bisimilar, but not group bisimilar. The proof of Theorem 1.3 is analogous
to that of Theorem 1.2.
Theorem 1.3 (Preservation under bisimulation)
Suppose that (M, s) ↔ group (M 0 , s0 ). Then, for all formulas ϕ ∈ LCDK , we
have
M, s |= ϕ ⇔ M 0 , s0 |= ϕ. a

1.2.3 Expressivity and Succinctness

If a number of formal languages can be used to model similar phenomena,
a natural question to ask is which language is ‘best’. Of course, the answer
depends on how ‘best’ is measured. In the next section, we compare vari-
ous languages in terms of the computational complexity of some reasoning
problems. Here, we consider the notions of expressivity (what can be ex-
pressed in the language?) and succinctness (how economically can one say
it?).

Expressivity
To give an example of expressivity and the tools that are used to study it, we
start by showing that finiteness of models cannot be expressed in epistemic
logic, even if the language includes operators for common knowledge and
distributed knowledge.
22 CHAPTER 1. INTRODUCTION

Theorem 1.4
There is no formula ϕ ∈ LCDK such that, for all S5-models M = hS, R, V i,

M |= ϕ iff S is finite a

Proof Consider the two models M and M 0 of Figure 1.9. Obviously,

a, b
M
p
s

M0 p p p p
s1 s2 s3 s4
a, b a, b a, b a, b

Figure 1.9: A finite and an infinite model where the same formulas are
valid.

M is finite and M 0 is not. Nevertheless, the two models are easily seen to
be group bisimilar, so they cannot be distinguished by epistemic formulas.
More precisely, for all formulas ϕ ∈ LCDK , we have M, s |= ϕ iff M 0 , s1 |= ϕ
iff M 0 , s2 |= ϕ iff M 0 , sn |= ϕ for some n ∈ N, and hence M |= ϕ iff M 0 |= ϕ.
a

It follows immediately from Theorem 1.4 that finiteness cannot be ex-

pressed in the language LCDK in a class X of models containing S5.
We next prove some results that let us compare the expressivity of two
different languages. We first need some definitions.
Definition 1.10
Given a class X of models, formulas ϕ1 and ϕ2 are equivalent on X , written
ϕ1 ≡X ϕ2 , if, for all (M, s) ∈ X , we have that M, s |= ϕ1 iff M, s |= ϕ2 .
Language L2 is at least as expressive as L1 on X , written L1 vX L2 if, for
every formula ϕ1 ∈ L1 , there is a formula ϕ2 ∈ L2 such that ϕ1 ≡X ϕ2 . L1
and L2 are equally expressive on X if L1 vX L2 and L2 vX L1 . If L1 vX L2
but L2 6vX L1 , then L2 is more expressive than L1 on X , written L1 <X L2 .a

Note that if Y ⊆ X , then L1 vX L2 implies L1 vY L2 , while L1 6vY L2

implies L1 6vX L2 . Thus, the strongest results that we can show for the
classes of models of interest to us are L1 vK L2 and L1 6vS5 L2
With these definitions in hand, we can now make precise that common
knowledge ‘really adds’ something to epistemic logic.
1.2. BASIC CONCEPTS AND TOOLS 23

Theorem 1.5
LK vK LCK and LK 6vS5 LCK . a

Proof Since LK ⊆ LCK , it is obvious that LK vK LCK . To show that

LCK 6vS5 LK , consider the sets of pointed models M = {(Mn , s1 ) | n ∈ N}
and N = {(Nn , t1 ) | n ∈ N} shown in Figure 1.10. The two models Mn and
Nn differ only in (Mn , sn+1 ) (where p is false) and (Nn , tn+1 ) (where p is
true). In particular, the first n − 1 states of (Mn , s1 ) and (Nn , t1 ) are the
same. As a consequence, it is easy to show that,

for all n ∈ N and ϕ ∈ LK with d(ϕ) < n, (Mn , s1 ) |= ϕ iff (Nn , t1 ) |= ϕ.

(1.2)
Clearly M |= C{a,b} ¬p while N |= ¬C{a,b} ¬p. If there were a formula
ϕ ∈ LK equivalent to C{a,b} ¬p, then we would have M |= ϕ while N |= ¬ϕ.
Let d = d(ϕ), and consider the pointed models (Md+1 , s1 ) and (Nd+1 , t1 ).
Since the first is a member of M and the second of N , the pointed models
disagree on C{a,b} ¬p; however, by (1.2), they agree on ϕ. This is obviously
a contradiction, therefore a formula ϕ ∈ L that is equivalent to C{a,b} ¬p
does not exist.
p
M1 s 1 s2 N1 t1 t2
a a

p
M2 s1 s2 s3 N 2 t1 t2 t3
a b a b

p
M3 s 1 s2 s3 s4 N 3 t1 t2 t3 t4
a b a a b a

Figure 1.10: Models Mn and Nn . The atom p is only true in the pointed
models (Nn , sn+1 ).

The next result shows, roughly speaking, that distributed knowledge is

not expressible using knowledge and common knowledge, and that common
knowledge is not expressible using knowledge and distributed knowledge.
Theorem 1.6
(a) LK vK LDK and LK 6vS5 LDK ;
(b) LCK 6vS5 LDK ;
24 CHAPTER 1. INTRODUCTION

(c) LDK 6vS5 LCK ;

(d) LCK vK LCDK and LCDK 6vS5 LCK ;

(e) LDK vK LCDK and LCDK 6vS5 LDK . a

Proof For part (a), vK holds trivially. We use the models in Figure 1.8 to
show that LDK 6vS5 LK . Since (M, s) ↔ (N, s1 ), the models verify the same
L-formulas. However, LDK discriminates them: we have (M, s) |= ¬D{a,b} p,
while (N, s1 ) |= D{a,b} p. Since (M, s) and (N, s1 ) also verify the same LCK -
formulas, part (3) also follows.
For part (b), observe that (1.2) is also true for all formulas ϕ ∈ LDK ,
so the formula C{a,b} ¬p ∈ LCK is not equivalent to a formula in LDK .
Part (c) is proved using exactly the same models and argument as part
(a).
For part (d), v is obvious. To show that LCDK 6vS5 LDK , we can use
the models and argument of part (b). Similarly, for part (e), v is obvious.
To show that LCDK 6vS5 LDK , we can use the models and argument of part
(a). a

We conclude this discussion with a remark about distributed knowledge.

We informally described distributed knowledge in a group as the knowledge
that would obtain were the agents in that group able to communicate.
However, Figure 1.8 shows that this intuition is not quite right. First,
observe that both a and b know the same formulas in (M, s) and (N, s1 );
they even know the same formulas in (M, s) and (N, s1 ). That is, for all
ϕ ∈ LK , we have

(M, s) |= Ka ϕ iff (M, s) |= Kb ϕ iff (N, s1 ) |= Ka ϕ iff (N, s1 ) |= Kb ϕ

But if both agents possess the same knowledge in (N, s1 ), how can
communication help them in any way, that is, how can it be that there
is distributed knowledge (of p) that no individual agent has? Similarly, if
a has the same knowledge in (M, s) in (N, s1 ), and so does b, why would
communication in one model (N ) lead them to know p, while in the other,
it does not? Semantically, one could argue that in s1 agent a could ‘tell’
agent b that t2 ‘is not possible’, and b could ‘tell’ a that t1 ‘is not possible’.
But how would verify the same formulas? This observation has led some
researchers to require that distributed knowledge be interpreted in what
are called bisimulation contracted models (see the notes at the end of the
chapter for references). Roughly, a model is bisimulation contracted if it
does not contain two points that are bisimilar. Model M of Figure 1.8 is
bisimulation contracted, model N is not.
1.2. BASIC CONCEPTS AND TOOLS 25

Succinctness

Now suppose that two languages L1 and L2 are equally expressive on X ,

and also that their computational complexity of the reasoning problems for
them is equally good, or equally bad. Could we still prefer one language
over the other? Representational succinctness may provide an answer here:
it may be the case that the description of some properties is much shorter
in one language than in the other.
But what does ‘much shorter’ mean? The fact that there is a formula
L1 whose length is 100 characters less than the shortest equivalent formula
in L2 (with respect to some class X of models) does not by itself make L1
much more succinct that L2 .
We want to capture the idea that L1 is exponentially more succinct than
L2 . We cannot do this by looking at just one formula. Rather, we need a
sequence of formulas α1 , α2 , α3 , . . . in L1 , where the gap in size between αn
and the shortest formula equivalent to αn in L2 grows exponentially in n.
This is formalised in the next definition.
Definition 1.11 (Exponentially more succinct)
Given a class X of models, L1 is exponentially more succinct than L2 on X
if the following conditions hold:

(a) for every formula β ∈ L2 , there is a formula α ∈ L1 such that α ≡X β

and | α |≤| β |.

(b) there exist k1 , k2 > 0, a sequence α1 , α2 , . . . of formulas in L1 , and a

sequence β1 , β2 , . . . of formulas in L2 such that, for all n, we have:

(i) | αn |≤ k1 n;
(ii) | βn | ≥ 2k2 n ;
(iii) βn is the shortest formula in L2 that is equivalent to αn on X .a

In words, L1 is exponentially more succinct than L2 if, for every formula

β ∈ L2 , there is a formula in L1 that is equivalent and no longer than β,
but there is a sequence α1 , α2 , . . . of formulas in L1 whose length increases
at most linearly, but there is no sequence β1 , β2 , . . . of formulas in L2 such
that βn is the equivalent to αn and the length of the formulas in the latter
sequence is increasing better than exponentially.
We give one example of succinctness results here. Consider the language
LEK . Of course, EA can be defined using the modal operators Ki for i ∈ A.
But, as we now show, having the modal operators EA in the language makes
the language exponentially more succinct.
26 CHAPTER 1. INTRODUCTION

Theorem 1.7
The language LEK is exponentially more succinct than LK on X , for all X
between K and S5. a

Proof Clearly, for every formula α in (L)K , there is an equivalent

formula in LEK that is no longer than α, namely, α itself. Now consider
the following two sequences of formulas:
n
αn = ¬E{a,b} ¬p

and

β1 = ¬(Ka ¬p ∧ Kb ¬p), and βn = ¬(Ka ¬βn−1 ∧ Kb ¬βn−1 ).

If we take | EA ϕ |=| A | + | ϕ |, then it is easy to see that | αn |= 2n + 3, so

| αn | is increasing linearly in n. On the other hand, since | βn |> 2 | βn−1 |,
we have | β |≥ 2n . It is also immediate from the definition of E{a,b} that βn
is equivalent to αn for all classes X between K and S5. To complete the
proof, we must show that there is no formula shorter than βn in LK that is
equivalent to αn . This argument is beyond the scope of this book; see the
notes for references. a

1.2.4 Reasoning problems

Given the machinery developed so far, we can state some basic reasoning
problems in semantic terms. They concern satisfiability and model checking.
Most of those problems are typically considered with a specific class of
models and a specific language in mind. So let X be some class of models,
and let L be a language.

Decidability Problems
A decidability problem checks some input for some property, and returns
‘yes’ or ‘no’.
Definition 1.12 (Satisfiability)
The satisfiability problem for X is the following reasoning problem.
Problem: satisfiability in X , denoted satX .
Input: a formula ϕ ∈ L.
Question: does there exist a model M ∈ X and a state s ∈
D(M ) such that M, s |= ϕ?
Output: ‘yes’ or ‘no’.
1.2. BASIC CONCEPTS AND TOOLS 27

Obviously, there may well be formulas that are satisfiable in some

Kripke model (or generally, in a class Y), but not in S5 models. Satis-
fiability in X is closely related to the problem of validity in X , due to the
following equivalence: ϕ is valid in X iff ¬ϕ is not satisfiable in X .

Problem: validity in X , denoted valX .

Input: a formula ϕ ∈ L.
Question: is it the case that X |= ϕ?
Output: ‘yes’ or ‘no’.

The next decision problem is computationally and conceptually simpler

than the previous two, since rather than quantifying over a set of models,
a specific model is given as input (together with a formula).
Definition 1.13 (Model checking)
The model checking problem for X is the following reasoning problem:

Problem: Model checking in X , denoted modcheckX .

Input: a formula ϕ ∈ L and a pointed model (M, s) with
M ∈ X and s ∈ D(M ).
Question: is it the case that M, s |= ϕ?
Output:: ‘yes’ or ‘no’.

The field of computational complexity is concerned with the question

of how much of a resource is needed to solve a specific problem. The
resources of most interest are computation time and space. Computational
complexity then asks questions of the following form: if my input were to
increase in size, how much more space and/or time would be needed to
compute the answer? Phrasing the question this way already assumes that
the problem at hand can be solved in finite time using an algorithm, that is,
that the problem is decidable. Fortunately, this is the case for the problems
of interest to us.
Proposition 1.1 (Decidability of sat and modcheck)
If X is one of the model classes defined in Definition 1.7, (M, s) ∈ X , and
ϕ is a formula in one of the languages defined in Definition 1.1, then both
satX (ϕ) and modcheckX ((M, s), ϕ) are decidable. a

In order to say anything sensible about the additional resources that an

algorithm needs to compute the answer when the input increases in size,
we need to define a notion of size for inputs, which in our case are formulas
and models. Formulas are by definition finite objects, but models can in
principle be infinite (see, for instance, Figure 1.6). The following fact is the
28 CHAPTER 1. INTRODUCTION

key to proving Fact 1.1. For a class of models X , let Fin(X ) ⊆ X be the
set of models in X that are finite.
Proposition 1.2 (Finite model property)
For all classes of models in Definition 1.7 and languages L in Definition 1.1,
we have, for all ϕ ∈ L,

X |= ϕ iff Fin(X ) |= ϕ. a

Fact 1.2 does not say that the models in X and the finite models in X
are the same in any meaningful sense; rather, it says that we do not gain
valid formulas if we restrict ourselves to finite models. It implies that a
formula is satisfiable in a model in X iff it is satisfiable in a finite model
in X . It follows that in the languages we have considered so far, ‘having
a finite domain’ is not expressible (for if there were a formula ϕ that were
true only of models with finite domains, then ϕ would be a counterexample
to Fact 1.2).
Definition 1.14 (Size of Models)
For a finite model M = hS,Ag , V At i, the size of M , denoted kM k, is the
sum of the number of states (| S |, for which we also write | M |) and the
number of pairs in the accessibility relation (| Ra |) for each agent a ∈ Ag.a

We can now strengthen Fact 1.2 as follows.

Proposition 1.3
For all classes of models in Definition 1.7 and languages L in Definition 1.1,
we have, for all ϕ ∈ L, ϕ is satisfiable in X iff there is a model M ∈ X such
that | D(M ) |≤ 2|ϕ| and ϕ is satisfiable in M . a

The idea behind the proof of Proposition 1.3 is that states that ‘agree’ on
all subformulas of ϕ can be ‘identified’. Since there are only | ϕ | subformulas
of ϕ, and 2|ϕ| truth assignments to these formulas, the result follows. Of
course, work needs to done to verify this intuition, and to show that an
appropriate model can be constructed in the right class X .
To reason about the complexity of a computation performed by an
algorithm, we distinguish various complexity classes. If a deterministic al-
gorithm can solve a problem in time polynomial in the size of the input, the
problem is said to be in P. An example of a problem in P is to decide, given
two finite Kripke models M1 and M2 , whether there exists a bisimulation
between them. Model checking for the basic multi-modal language is also
in P; see Proposition 1.4.
In a nondeterministic computation, an algorithm is allowed to ‘guess’
which of a finite number of steps to take next. A nondeterministic algorithm
1.2. BASIC CONCEPTS AND TOOLS 29

for a decision problem says ‘yes’ or accepts the input if the algorithm says
‘yes’ to an appropriate sequence of guesses. So a nondeterministic algorithm
can be seen as generating different branches at each computation step, and
the answer of the nondeterministic algorithm is ‘yes’ iff one of the branches
results in a ‘yes’ answer.
The class NP is the class of problems that are solvable by a nondeter-
ministic algorithm in polynomial time. Satisfiability of propositional logic is
an example of a problem in NP: an algorithm for satisfiability first guesses
an appropriate truth assignment to the primitive propositions, and then
verifies that the formula is in fact true under this truth assignment.
A problem that is at least as hard as any problem in NP is called NP-
hard. An NP-hard problem has the property that any problem in NP can be
reduced to it using a polynomial-time reduction. A problem is NP-complete
if it is both in NP and NP-hard; satisfiability for propositional logic is well
known to be NP-complete. For an arbitrary complexity class C, notions of
C-hardness and C-completeness can be similarly defined.
Many other complexity classes have been defined. We mention a few
of them here. An algorithm that runs in space polynomial in the size of
the input it is in PSPACE. Clearly if an algorithm needs only polynomial
time then it is in polynomial space; that is P ⊆ PSPACE. In fact, we also
have NP ⊆ PSPACE. If an algorithm is in NP, we can run it in polynomial
space by systematically trying all the possible guesses, erasing the space
used after each guess, until we eventually find one that is the ‘right’ guess.
EXPTIME consists of all algorithms that run in time exponential in the
size of the input; NEXPTIME is its nondeterministic analogue. We have P
⊆ NP ⊆ PSPACE ⊆ EXPTIME ⊆ NEXPTIME. One of the most important
open problems in computer science is the question whether P = NP. The
conjecture is that the two classes are different, but this has not yet been
proved; it is possible that a polynomial-time algorithm will be found for
an NP-hard problem. What is known is that P 6= EXPTIME and NP 6=
NEXPTIME.
The complement P̄ of a problem P is the problem in which all the
‘yes’ and ‘no’ answers are reversed. Given a complexity class C, the class
co-C is the set of problems for which the complement is in C. For every
deterministic class C, we have co-C = C. For nondeterministic classes, a class
and its complement are, in general, believed to be incomparable. Consider,
for example, the satisfiability problem for propositional logic, which, as we
noted above, is NP-complete. Since a formula ϕ is valid if and only if ¬ϕ is
not satisfiable, it easily follows that the validity problem for propositional
logic is co-NP-complete. The class of NP-complete and co-NP-complete
problems are believed to be distinct.
30 CHAPTER 1. INTRODUCTION

We start our summary of complexity results for decision problems in

modal logic with model checking.
Proposition 1.4
Model checking formulas in L(At, Op, Ag), with Op = {Ka | a ∈ Ag}, in
finite models is in P. a

Proof We now describe an algorithm that, given a model M = hS, RAg ,

At
V i and a formula ϕ ∈ L, determines in time polynomial in | ϕ | and kM k
whether M, s |= ϕ. Given ϕ, order the subformulas ϕ1 , . . . ϕm of ϕ in such
a way that, if ϕi is a subformula of ϕj , then i < j. Note that m ≤ | ϕ |. We
claim that

(*) for every k ≤ m, we can label each state s in M with either

ϕj (if ϕj if true at s) or ¬ϕj (otherwise), for every j ≤ k, in
kkM k steps.

We prove (*) by induction on m. If k = 1, ϕm must be a primitive propo-

sition, and obviously we need only | M | ≤ kM k steps to label all states as
required. Now suppose (*) holds for some k < m, and consider the case
k + 1. If ϕk+1 is a primitive proposition, we reason as before. If ϕk+1 is
a negation, then it must be ¬ϕj for some j ≤ k. Using our assumption,
we know that the collection of formulas ϕ1 , . . . , ϕk can be labeled in M in
kkM k steps. Obviously, if we include ϕk+1 = ¬ϕj in the collection of for-
mulas, we can do the labelling in k more steps: just use the opposite label
for ϕk+1 as used for ϕi . So the collection ϕ1 , . . . , ϕk+1 can be labelled in
M in at (k + 1)kM k steps, are required. Similarly, if ϕk+1 = ϕi ∧ ϕj , with
i, j ≤ k, a labelling for the collection ϕ1 , . . . , ϕk+1 needs only (k + 1)kM k
steps: for the last formula, in each state s of M , the labelling can be com-
pleted using the labellings for ϕi and ϕj . Finally, suppose ϕk+1 is of the
form Ka ϕj with j ≤ k. In this case, we label a state s with Ka ϕj iff each
state t with Ra st is labelled ϕj . Assuming the labels ϕj and ¬ϕj are al-
ready in place, this can be done in | Ra (s) |≤ kM k steps. a

Proposition 1.4 should be interpreted with care. While having a poly-

nomial-time procedure seems attractive, we are talking about computation
time polynomial in the size of the input. To model an interesting scenario
or system often requires ‘big models’. Even for one agent and n primitive
propositions, a model might consist of 2n states. Moreover, the procedure
does not check properties of the model either, for instance whether it be-
longs to a given class X .
We now formulate results for satisfiability checking. The results de-
pend on two parameters: the class of models considered (we focus on
1.2. BASIC CONCEPTS AND TOOLS 31

K, T , S4, KD45 and S5) and the language. Let Ag=1 consist of only one
agent, let Ag≥1 6= ∅ be an arbitrary set of agents, and let Ag≥2 be a set of
at least two agents. Finally, let Op = {Ka | a ∈ Ag}.
Theorem 1.8 (Satisfiability)
The complexity of the satisfiability problem is

1. NP-complete if X ∈ {KD45, S5} and L = L(At, Op, Ag=1 );

2. PSPACE-complete if

(a) X ∈ {K, T , S4} and L = L(At, Op, Ag≥1 ), or

(b) X ∈ {KD45, S5} and L = L(At, Op, Ag≥2 );

3. EXPTIME-complete if

(a) X ∈ {K, T and L = L(At, Op ∪ {C}, Ag≥1 ), or

(b) X ∈ {S4, KD45, S5} and L = L(At, Op ∪ {C}, Ag≥2 ). a

From the results in Theorem 1.8, it follows that the satisfiability prob-
lem for logics of knowledge and belief for one agent, S5 and KD45, is
exactly as hard as the satisfiability problem for propositional logic. If we
do not allow for common knowledge, satisfiability for the general case is
PSPACE-complete, and with common knowledge it is EXPTIME-complete.
(Of course, common knowledge does not add anything for the case of one
agent.)
For validity, the consequences of Theorem 1.8 are as follows. We re-
marked earlier that if satisfiability (in X ) is in some class C, then validity
is in co-C. Hence, checking validity for the cases in item 1 is co-NP-complete.
Since co-PSPACE = PSPACE, the validity problem for the cases in item 2 is
PSPACE-complete, and, finally, since co-EXPTIME = EXPTIME, the valid-
ity problem for the cases in item 3 is EXPTIME-complete. What these re-
sults on satisfiability and validity mean in practice? Historically, problems
that were not in P were viewed as too hard to deal with in practice. How-
ever, recently, major advances have been made in finding algorithms that
deal well with many NP-complete problems, although no generic approaches
have been found for dealing with problems that are co-NP-complete, to say
nothing of problems that are PSPACE-complete and beyond. Nevertheless,
even for problems in these complexity classes, algorithms with humans in
the loop seem to provide useful insights. So, while these complexity results
suggest that it is unlikely that we will be able to find tools that do auto-
mated satisfiability or validity checking and are guaranteed to always give
correct results for the logics that we focus on in this book, this should not
be taken to say that we cannot write algorithms for satisfiability, validity,
32 CHAPTER 1. INTRODUCTION

or model checking that are useful for the problems of practical interest.
Indeed, there is much work focused on just that.

1.2.5 Axiomatisation
In the previous section, the formalisation of reasoning was defined around
the notion of truth: X |= ϕ meant that ϕ is true in all models in X . In
this section, we discuss a form of reasoning where a conclusion is inferred
purely based on its syntactic form. Although there are several ways to do
this, in epistemic logic, the most popular way to define deductive inference
is by defining a Hilbert-style axiom system. Such systems provide a very
simple notion of formal proofs. Some formulas are valid merely because
they have a certain syntactic form. These are the axioms of the system.
The rules of the system say that one can conclude that some formula is
valid due to other formulas being valid. A formal proof or derivation is a
list of formulas, where each formula is either an axiom of the system or can
be obtained by applying an inference rule of the system to formulas that
occur earlier in the list. A proof or derivation of ϕ is a derivation whose
last formula is ϕ.

Basic system
Our first definition of such a system will make the notion more concrete.
We give our definitions for a language where the modal operators are Ka
for the agents in some set Ag, although many of the ideas generalise to a
setting with arbitrary modal operators.
Definition 1.15 (System K)
Let L = L(At, Op, Ag), with Op = {Ka | a ∈ Ag}. The axiom system K
consists of the following axioms and rules of inference:

1 All substitution instances of propositional tautologies.

K Ka (ϕ → ψ) → (Ka ϕ → Ka ψ) for all a ∈ Ag.
MP From ϕ and ϕ → ψ infer ψ.
Nec From ϕ infer Ka ϕ. a

Here, formulas in the axioms 1 and K have to be interpreted as ax-

iom schemes: axiom K for instance denotes all formulas {Ka (ϕ → ψ) →
(Ka ϕ → Ka ψ) | ϕ, ψ ∈ L}. The rule MP is also called modus ponens; Nec
is called necessitation. Note that the notation for axiom K and the axiom
system K are the same: the context should make clear which is intended.
To see how an axiom system is actually used, we need to define the
notion of derivation.
1.2. BASIC CONCEPTS AND TOOLS 33

Definition 1.16 (Derivation)

Given a logical language L, let X be an axiom system with axioms Ax1 , . . . ,
Axn and rules Ru1 , . . . Ruk . A derivation of ϕ in X is a finite sequence
ϕ1 , . . . , ϕm of formulas such that: (a) ϕm = ϕ, and (b) every ϕi in the
sequence is either an instance of an axiom or else the result of applying a
rule to formulas in the sequence prior to ϕi . For the rules MP and Nec,
this means the following:

MP ϕh = ϕj → ϕi , for some h, j < i.

That is, both ϕj and ϕj → ϕi occur in th sequence before ϕi .

Nec ϕi = Ka ϕj , for some j < i;

If there is a derivation for ϕ in X we write X ` ϕ, or `X ϕ, or, if the system

X is clear from the context, we just write ` ϕ. We then also say that ϕ is
a theorem of X, or that X proves ϕ. The sequence ϕ1 , . . . , ϕm is then also
called a proof of ϕ in X. a

Example 1.6 (Derivation in K)

We first show that

K ` Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ). (1.3)

We present the proof as a sequence of numbered steps (so that the formula
ϕi in the derivation is given number i). This allows us to justify each step
in the proof by describing which axioms, rules of inference, and previous
steps in the proof it follows from.
1. (ϕ ∧ ψ) → ϕ 1
2. Ka ((ϕ ∧ ψ) → ϕ) Nec, 1
3. Ka ((ϕ ∧ ψ) → ϕ) → (Ka (ϕ ∧ ψ) → Ka ϕ) K
4. Ka (ϕ ∧ ψ) → Ka ϕ MP, 2, 3
5. (ϕ ∧ ψ) → ψ 1
6. Ka ((ϕ ∧ ψ) → ψ) Nec, 5
7. Ka ((ϕ ∧ ψ) → ψ) → (Ka (ϕ ∧ ψ) → Ka ψ) K
8. Ka (ϕ ∧ ψ) → Ka ψ MP, 6, 7
9. (Ka (ϕ ∧ ψ) → Ka ϕ) →
((Ka (ϕ ∧ ψ) → Ka ψ) → (Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ))) 1
10. (Ka (ϕ ∧ ψ) → Ka ψ) → (Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ)) MP, 4, 9
11. Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ) MP, 8, 10
Lines 1, 5, and 9 are instances of propositional tautologies (this can be
checked using a truth table). Note that the tautology on line 9 is of the
form (α → β) → ((α → γ) → (α → (β ∧ γ))). A proof like that above
may look cumbersome, but it does show what can be done using only the
34 CHAPTER 1. INTRODUCTION

axioms and rules of K. It is convenient to give names to properties that

are derived, and so build a library of theorems. We have, for instance that
K ` KCD, where KCD (‘K-over-conjunction-distribution’) is

KCD Ka (α ∧ β) → Ka α and Ka (α ∧ β) → Ka β.

The proof of this follows steps 1 - 4 and steps 5 - 8, respectively, of the

proof above. We can also derive new rules; for example, the following rule:
CC (‘combine conclusions’) is derivable in K:

CC from α → β and α → γ infer α → (β ∧ γ).

The proof is immediate from the tautology on line 9 above, to which we

can, given the assumptions, apply modus ponens twice. We can give a more
compact proof of Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ) using this library:

1. Ka (ϕ ∧ ψ) → Ka ϕ KCD
2. Ka (ϕ ∧ ψ) → Ka ψ KCD
3. Ka (ϕ ∧ ψ) → (Ka ϕ ∧ Ka ψ) CC, 1, 2 a

For every class X of models introduced in the previous section, we want

to have an inference system X such that derivability in X and validity in
X coincide:
Definition 1.17 (Soundness and Completeness)
Let L be a language, let X be a class of models, and let X be an axiom
system. The axiom system is said to be

1. sound for X and the language L if, for all formulas ϕ ∈ L, X ` ϕ

implies X |= ϕ; and

2. complete for X and the language L if, for all formulas ϕ ∈ L, X |= ϕ

implies X ` ϕ.

We now provide axioms that characterize some of the subclasses of models

that were introduced in Definition 1.7.
Definition 1.18 (More axiom systems)
Consider the following axioms, which apply for all agents a ∈ Ag:

T. Ka ϕ → ϕ
D. Ma >
B. ϕ → Ka Ma ϕ
4. Ka ϕ → Ka Ka ϕ
5. ¬Ka ϕ → Ka ¬Ka ϕ
1.2. BASIC CONCEPTS AND TOOLS 35

A simple way to denote axiom systems is just to add the axioms that are
included together with the name K. Thus, KD is the axiom system that
has all the axioms and rules of the system K (1, K, and rules MP and
Nec) together with D. Similarly, KD45 extends K by adding the axioms
D, 4 and 5. System S4 is the more common way of denoting KT4, while
S5 is the more common way of denoting KT45. If it is necessary to make
explicit that there are m agents in Ag, we write Km , KDm , and so on. a

Using S5 to model knowledge

The system S5 is an extension of K with the so-called ‘properties of know-
ledge’. Likewise, KD45 has been viewed as characterizing the ‘properties
of belief’. The axiom T expresses that knowledge is veridical: whatever
one knows, must be true. (It is sometimes called the truth axiom.) The
other two axioms specify so-called introspective agents: 4 says that an agent
knows what he knows (positive introspection), while 5 says that he knows
what he does not know (negative introspection). As a side remark, we men-
tion that axiom 4 is superfluous in S5; it can be deduced from the other
axioms.
All of these axioms are idealisations, and indeed, logicians do not claim
that they hold for all possible interpretations of knowledge. It is only
human to claim one day that you know a certain fact, only to find yourself
admitting the next day that you were wrong, which undercuts the axiom
T. Philosophers use such examples to challenge the notion of knowledge
in the first place (see the notes at the end of the chapter for references to
the literature on logical properties of knowledge). Positive introspection
has also been viewed as problematic. For example, consider a pupil who is
asked a question ϕ to which he does not know the answer. It may well be
that, by asking more questions, the pupil becomes able to answer that ϕ
is true. Apparently, the pupil knew ϕ, but was not aware he knew, so did
not know that he knew ϕ.
The most debatable among the axioms is that of negative introspection.
Quite possibly, a reader of this chapter does not know (yet) what Moore’s
paradox is (see Chapter 6), but did she know before picking up this book
that she did not know that?
Such examples suggest that a reason for ignorance can be lack of aware-
ness. Awareness is the subject of Chapter 3 in this book. Chapter 2 also
has an interesting link to negative introspection: this chapter tries to cap-
ture what it means to claim ‘All I know is ϕ’; in other words, it tries to give
an account of ‘minimal knowledge states’. This is a tricky concept in the
presence of axiom 5, since all ignorance immediately leads to knowledge!
One might argue that ‘problematic’ axioms for knowledge should just
36 CHAPTER 1. INTRODUCTION

be omitted, or perhaps weakened, to obtain an appropriate system for

knowledge, but what about the basic principles of modal logic: the axiom
K and the rule of inference Nec. How acceptable are they for knowledge?
As one might expect, we should not take anything for granted. K assumes
perfect reasoners, who can infer logical consequences of their knowledge.
It implies, for instance, that under some mild assumptions, an agent will
know what day of the week July 26, 5018 will be. All that it takes to
answer this question is that (1) the agent knows today’s date and what
day of the week it is today, (2) she knows the rules for assigning dates,
computing leap years, and so on (all of which can be encoded as axioms in
an epistemic logic with the appropriate set of primitive propositions). By
applying K to this collection of facts, it follows that the agent must know
what day of the week it will be on July 26, 5018. Necessitation assumes
agents can infer all S5 theorems: agent a, for instance, would know that
Kb (Kb q ∧ ¬Kb (p → ¬Kb q)) is equivalent to (Kb q ∧ Mb p). Since even telling
whether a formula is propositionally valid is co-NP-complete, this does not
seem so plausible.
The idealisations mentioned in this paragraph are often summarised as
logical omniscience: our S5 agent would know everything that is logically
deducible. Other manifestations of logical omniscience are the equivalence
of K(ϕ ∧ ψ) and Kϕ ∧ Kψ, and the derivable rule in K that allows one
to infer Kϕ → Kψ from ϕ → ψ (this says that agents knows all logical
consequences of their knowledge).
The fact that, in reality, agents are not ideal reasoners, and not logically
omniscient, is sometimes a feature exploited by computational systems.
Cryptography for instance is useful because artificial or human intruders
are, due to their limited capacities, not able to compute the prime factors
of a large number in a reasonable amount of time. Knowledge, security,
and cryptographic protocols are discussed in Chapter 12
Despite these problems, the S5 properties are a useful idealisation of
knowledge for many applications in distributed computing and economics,
and have been shown to give insight into a number of problems. The S5
properties are reasonable for many of the examples that we have already
given; here is one more. Suppose that we have two processors, a and b, and
that they are involved in computations of three variables, x, y, and z. For
simplicity, assume that the variables are Boolean, so that they are either 0
or 1. Processor a can read the value of x and of y, and b can read y and z.
To model this, we use, for instance, 010 as the state where x = 0 = z, and
y = 1. Given our assumptions regarding what agents can see, we then have
x1 y1 z1 ∼a x2 y2 z2 iff x1 = x2 and y1 = y2 . This is a simple manifestation of
an interpreted system, where the accessibility relation is based on what an
agent can see in a state. Such a relation is an equivalence relation. Thus, an
1.2. BASIC CONCEPTS AND TOOLS 37

interpreted system satisfies all the knowledge axioms. (This is formalised

in Theorem 1.9(1) below.)
While T has traditionally been considered an appropriate axiom for
knowledge, it has not been considered appropriate for belief. To reason
about belief, T is typically replaced by the weaker axiom D: ¬Ba ⊥, which
says that the agent does not believe a contradiction; that is, the agent’s
beliefs are consistent. This gives us the axiom system KD45. We can
replace D by the following axiom D0 to get an equivalent axiomatisation
of belief:
D0 : Ka ϕ → ¬Ka ¬ϕ.
This axioms says that the agent cannot know (or believe) both a fact and
its negation. Logical systems that have operators for both knowledge and
belief often include the axiom Ka ϕ → Ba ϕ, saying that knowledge entails
belief.

Axiom systems for group knowledge

If we are interested in formalising the knowledge of just one agent a, the
language L(At, {Ka }, Ag) is arguably too rich. In the logic S51 it can be
shown that every formula is equivalent to a depth-one formula, which has
no nested occurrences of Ka . This follows from the following equivalences,
all of which are valid in S5 as well as being theorems of S5: KKϕ ↔ Kϕ;
K¬Kϕ ↔ ¬Kϕ; K(Kϕ∨ψ) ↔ (Kϕ∨Kψ); and K(¬Kϕ∨ψ) ↔ ¬Kϕ∨Kψ.
From a logical perspective things become more interesting in the multi-
agent setting.
We now consider axiom systems for the notions of group knowledge that
were defined earlier. Not surprisingly, we need some additional axioms.
Definition 1.19 (Logic of common knowledge)
The following axiom and rule capture common knowledge.

Fix. CA ϕ → EA (ϕ ∧ CA ϕ).
Ind. From ϕ → EA (ψ ∧ ϕ) infer ϕ → CA ψ.

For each axiom system X considered earlier, let XC be the result of adding
Fix and Ind to X. a

The fixed point axiom Fix says that common knowledge can be viewed
as the fixed point of an equation: common knowledge of ϕ holds if everyone
knows both that ϕ holds and that ϕ is common knowledge. Ind is called the
induction rule; it can be used to derive common knowledge ‘inductively’.
If it is the case that ϕ is ‘self-evident’, in the sense that if it is true, then
38 CHAPTER 1. INTRODUCTION

everyone knows it, and, in addition, if ϕ is true, then everyone knows ψ, we

can show by induction that if ϕ is true, then so is EA k (ψ ∧ ϕ) for all k. It

follows that CA ϕ is true as well. Although common knowledge was defined

as an ‘infinitary’ operator, somewhat surprisingly, these axioms completely
characterize it.
For distributed knowledge, we consider the following axioms for all A ⊆
Ag:

W. Ka ϕ → DA ϕ if a ∈ A.
KD . DA (ϕ → ψ) → (DA ϕ → DA ψ).
TD . DA ϕ → ϕ.
DD . ¬DA ¬>.
BD . ϕ → DA ¬DA ¬ϕ.
4D . DA ϕ → DA DA ϕ.
5D . ¬DA ϕ → DA ¬DA ϕ.

These axioms have to be understood as follows. It may help to think about

distributed knowledge in a group A as the knowledge of a wise man, who
has been told, by every member of A, what each of them knows. This is
captured by axiom W. The other axioms indicate that the wise man has
at least the same reasoning abilities as distributed knowledge to the system
S5m , we add the axioms W, KD , TD , 4D , and 5D to the axiom system.
For Km , we add only W and KD .

Proving Completeness
We want to prove that the axiom systems that we have defined are sound
and complete for the corresponding semantics; that is, that K is sound and
complete with respect to K, S5 is sound and complete with respect to S5,
and so on. Proving soundness is straightforward: we prove by induction on
k that any formula proved using a derivation of length k is valid. Proving
completeness is somewhat harder. There are different approaches, but the
common one involves to show that if a formula is not derivable, then there
is a model in which it is false. There is a special model called the canonical
model that simultaneously shows this for all formulas. We now sketch the
construction of the canonical model.
The states in the canonical model correspond to maximal consistent sets
of formulas, a notion that we define next. These sets provide the bridge
between the syntactic and semantic approach to validity.
Definition 1.20 (Maximal consistent set)
A formula ϕ is consistent with axiom system X if we cannot derive ¬ϕ in X.
A finite set {ϕ1 , . . . , ϕn } of formulas is consistent with X if the conjunction
1.2. BASIC CONCEPTS AND TOOLS 39

ϕ1 ∧ . . . ∧ ϕn is consistent with X. An infinite set Γ of formulas is consistent

with X if each finite subset of Γ is consistent with X. Given a language L
and an axiom system X, a maximal consistent set for X and L is a set Γ of
formulas in L that is consistent and maximal, in the sense that every strict
superset Γ0 of Γ is inconsistent. a

We can show that a maximal consistent set Γ has the property that,
for every formula ϕ ∈ L, exactly one of ϕ and ¬ϕ is in Γ. If both were
in Γ, then Γ would be inconsistent; if neither were in Γ, then Γ would not
be maximal. A maximal consistent set is much like a state in a Kripke
model, in that every formula is either true or false (but not both) at a
state. In fact, as we suggested above, the states in the canonical model can
be identified with maximal consistent sets.
Definition 1.21 (Canonical model)
The canonical model for L and X is the Kripke model M = hS, R, V i defined
as follows:

• S is the set of all maximal consistent sets for X and L;

• ΓRa ∆ iff Γ|Ka ⊆ ∆, where Γ|Ka = {ϕ | Ka ϕ ∈ Γ};

• V (Γ)(p) = true iff p ∈ Γ. a

The intuition for the definition of Ra and V is easy to explain. Our

goal is to show that the canonical model satisfies what is called the Truth
Lemma: a formula ϕ is true at a state Γ in the canonical model iff ϕ ∈ Γ.
(Here we use the fact that the states in the canonical model are actually sets
of formulas—indeed, maximal consistent sets.) We would hope to prove this
by induction. The definition of V ensures that the Truth Lemma holds for
primitive propositions. The definition of Ra provides a necessary condition
for the Truth Lemma to hold for formulas of the form Ka ϕ. If Ka ϕ holds at
a state (maximal consistent set) Γ in the canonical model, then ϕ must hold
at all states ∆ that are accessible from Γ. This will be the case if Γ|Ka ⊆ ∆
for all states ∆ that are accessible from Γ (and the Truth Lemma applies
to ϕ and ∆).
The Truth Lemma can be shown to hold for the canonical model, as
long as we consider a language that does not involve common knowledge
or distributed knowledge. (The hard part comes in showing that if ¬Ka ϕ
holds at a state Γ, then there is an accessible state ∆ such that ¬ϕ ∈ ∆.
That is, we must show that the Ra relation has ‘enough’ pairs.) In addition
to the Truth Lemma, we can also show that the canonical model for axiom
system X is a model in the corresponding class of models; for example, the
canonical model for S5 is in S5.
40 CHAPTER 1. INTRODUCTION

Completeness follows relatively easily once these two facts are estab-
lished. If a formula ϕ ∈ L cannot be derived in X then ¬ϕ must be
consistent with X, and thus can be shown to be an element of a maximal
consistent set, say Γ. Γ is a state in the canonical model for X and L. By
the Truth Lemma, ¬ϕ is true at Γ, so there is a model where ϕ is false,
proving the completeness of X.
This argument fails if the language includes the common knowledge
operator. The problem is that with the common knowledge operator in the
language, the logic is not compact: there is a set of formulas such that all its
finite subsets are satisfiable, yet the whole set is not satisfiable. Consider
the set {EAn p | n ∈ N} ∪ {¬C p}, where A ⊆ Ag is a group with at least
A
two agents. Each finite subset of this set is easily seen to be satisfiable in
a model in S5 (and hence in a model in any of the other classes we have
considered), but the whole set of formulas is not satisfiable in any Kripke
model. Similarly, each finite subset of this set can be shown to be consistent
with S5C. Hence, by definition, the whole set is consistent with S5C (and
hence all other axiom systems we have considered). This means that this
set must be a subset of a maximal consistent set. But, as we have observed,
there is no Kripke model where this set of formulas is satisfied.
This means that a different proof technique is necessary to prove com-
pleteness. Rather than constructing one large canonical model for all for-
mulas, for each formula ϕ, we construct a finite canonical model tailored
to ϕ. And rather than considering maximal consistent subsets to the set
of all formulas in the language, we consider maximal consistent sets of the
set of subformulas of ϕ.
The canonical model Mϕ = hSϕ , R, V i for ϕ and KC is defined as
follows:

• Sϕ is the set of all maximal consistent sets of subformulas of ϕ for

KC;

• ΓRa ∆ iff (Γ|Ka ) ∪ {CA ψ | CA ψ ∈ Γ and a ∈ A} ⊆ ∆.

• V (Γ)(p) = true iff p ∈ Γ.

The intuition for the modification to the definition of Ra is the following:

Again, for the Truth Lemma to hold, we must have Γ|Ka ⊆ ∆, since if
Ka ψ ∈ Γ, we want ψ to hold in all states accessible from Γ. By the fixed
point axiom, if CA ψ is true at a state s, so is EA CA ψ; moreover, if a ∈ A,
then Ka CA ψ is also true at s. Thus, if CA ψ is true at Γ, CA ψ must also
be true at all states accessible from Γ, so we must have {CA ψ | CA ψ ∈ Γ
and a ∈ A} ⊆ ∆. Again, we can show that the Truth Lemma holds for
the canonical model for ϕ and KC for subformulas of ϕ; that is, if ψ is a
1.2. BASIC CONCEPTS AND TOOLS 41

subformula of ϕ, then ψ is true at a state Γ in the canonical model for ϕ

and KC iff ϕ ∈ Γ.
We must modify this construction somewhat for axiom systems that
contain the axiom 4 and/or 5. For axiom systems that contain 4, we
redefine Ra so that ΓRa ∆ iff (Γ | Ka )∪{CA ψ | CA ψ ∈ Γ and a ∈ A}∪{Ka ψ |
Ka ψ ∈ Γ} ⊆ ∆. The reason that we want {Ka ϕ | Ka ϕ ∈ Γ} ⊆ ∆ is that if
Ka ψ is true at the state Γ, so is Ka Ka ψ, so Ka ψ must be true at all worlds
accessible from Γ. An obvious question to ask is why we did not make this
requirement in our original canonical model construction. If both Ka ψ and
Ka Ka ψ are subformulas of ϕ, then the requirement is in fact not necessary.
For if Ka ψ ∈ Γ, then consistency will guarantee that Ka Ka ψ is as well,
so the requirement that Γ|Ka ⊆ ∆ guarantees that Ka ψ ∈ ∆. However, if
Ka ψ is a subformula of ϕ but Ka Ka ψ is not, this argument fails.
For systems that contain 5, there are further subtleties. We illustrate
this for the case of S5. In this case, we require that ΓRa ∆ iff {Ka ψ | Ka ψ ∈
Γ} = {Ka ψ | Ka ψ ∈ ∆} and {CA ψ | CA ψ ∈ Γ and a ∈ A} = {CA ψ | CA ψ ∈
∆ and a ∈ A}. Notice that the fact that {Ka ψ | Ka ψ ∈ Γ} = {Ka ψ | Ka ψ ∈
∆} implies that Γ|Ka = ∆|Ka . We have already argued that having 4 in the
system means that we should have {Ka ψ | Ka ψ ∈ Γ} ⊆ {Ka ψ | Ka ψ ∈ ∆}.
For the opposite inclusion, note that if Ka ψ ∈ / Γ, then ¬Ka ψ should be
true at the state Γ in the canonical model, so (by 5) Ka ¬Ka ψ is true at Γ,
and ¬Ka ψ is true at ∆ if ΓRa ∆. But this means that Ka ψ ∈ / ∆ (assuming
that the Truth Lemma applies). Similar considerations show that we must
have {CA ψ | CA ψ ∈ Γ and a ∈ A} = {CA ψ | CA ψ ∈ ∆ and a ∈ A}, using
the fact that ¬CA ψ → EA ¬CA ψ is provable in S5C.
Getting a complete axiomatisation for languages involving distributed
knowledge requires yet more work; we omit details here.
We summarise the main results regarding completeness of epistemic lo-
gics in the following theorem. Recall that, for an axiom system X, the
axiom system XC is the result of adding the axioms Fix and Ind to X.
Similarly, XD is the result of adding the ‘appropriate’ distributed know-
ledge axioms to X; specifically, it includes the axiom W, together with
every axiom YD for which Y is an axiom of X. So, for example, S5D has
the axioms of S5 together with W, KD , TD , 4D , and 5D .
Theorem 1.9
If (At, Op, Ag), X is an axiom systems that includes all the axioms and
rules of K and some (possibly empty) subset of {T, 4, 5, D}, and X is the
corresponding class of Kripke models, then the following hold:
1. if Op = {Ka | a ∈ Ag}, then X is sound and complete for X and L;
2. if Op = {Ka | a ∈ Ag} ∪ {CA | A ⊆ Ag}, then XC is sound and
complete for X and L;
42 CHAPTER 1. INTRODUCTION

3. if Op = {Ka | a ∈ Ag} ∪ {DA | A ⊆ Ag}, then XD is sound and

complete for X and L;

4. if Op = {Ka | a ∈ Ag} ∪ {CA | A ⊆ Ag} ∪ {DA | A ⊆ Ag}, then XCD

is sound and complete for X and L. a

1.3 Overview of the Book

The book is divided into three parts: informational attitudes, dynamics,
and applications. Part I, informational attitudes, considers ways that basic
epistemic logic can be extended with other modalities related to knowledge
and belief, such as “only knowing”, “awareness”, and probability. There
are three chapters in Part I:

Only Knowing Chapter 2, on only knowing, is authored by Gerhard

Lakemeyer and Hector J. Levesque. What do we mean by ‘only knowing’ ?
When we say that an agent knows p, we usually mean that the agent knows
at least p, but possibly more. In particular, knowing p does not allow us
to conclude that q is not known. Contrast this with the situation of a
knowledge-based agent, whose knowledge base consists of p, and nothing
else. Here we would very much like to conclude that this agent does not
know q, but to do so requires us to assume that p is all that the agent knows
or, as one can say, the agent only knows p. In this chapter, the logic of only
knowing for both single and multiple agents is considered, from both the
semantic and proof-theoretic perspective. It is shown that only knowing
can be used to capture a certain form of honesty, and that it relates to a
form of non-monotonic reasoning.

Awareness Chapter 3, on logics where knowledge and awareness inter-

act, is authored by Burkhard Schipper. Roughly speaking, an agent is
unaware of a formula ϕ if ϕ is not on his radar screen (as opposed to
just having no information about ϕ, or being uncertain as to the truth of
ϕ). The chapter discusses various approaches to modelling (un)awareness.
While the focus is on axiomatisations of structures capable of modelling
knowledge and awareness, structures for modelling probabilistic beliefs and
awareness, are also discussed, as well as structures for awareness of un-
awareness.

Epistemic Probabilistic Logic Chapter 4, authored by Lorenz Demey

and Joshua Sack, provides an overview of systems that combine probabil-
ity theory, which describes quantitative uncertainty, with epistemic logic,
1.3. OVERVIEW OF THE BOOK 43

which describes qualitative uncertainty. By combining knowledge and prob-

ability, one obtains a very powerful account of information and information
flow. Three types of systems are investigated: systems that describe uncer-
tainty of agents at a single moment in time, systems where the uncertainty
changes over time, and systems that describe the actions that cause these
changes.

Part II on dynamics of informational attitudes considers aspects of how

knowledge and belief change over time. It consists of three chapters:

Knowledge and Time Chapter 5, on knowledge and time, is authored

by Clare Dixon, Cláudia Nalon, and Ram Ramanujam. It discusses the
dynamic aspects of knowledge, which can be characterized by a combina-
tion of temporal and epistemic logics. The chapter presents the language
and axiomatisation for such a combination, and discusses complexity and
expressivity issues. It presents two different proof methods (which apply
quite broadly): resolution and tableaux. Levels of knowledge and the re-
lation between knowledge and communication in distributed protocols are
also discussed, and an automata-theoretic characterisation of the know-
ledge of finite-state agents is provided. The chapter concludes with a brief
survey on applications.

Dynamic Epistemic Logic Chapter 6, on dynamic epistemic logic, is

authored by Lawrence Moss. Dynamic Epistemic Logic (DEL) extends
epistemic logic with operators corresponding to epistemic actions. The
most basic epistemic action is a public announcement of a given sentence
to all agents. In the first part of the chapter, a logic called PAL (public an-
nouncement logic), which includes announcement operators, is introduced.
Four different axiomatisations for PAL are given and compared. It turns
out that PAL without common knowledge is reducible to standard epis-
temic logic: the announcement operators may be translated away. However,
this changes once we include common knowledge operators in the language.
The second part of Chapter 6 is devoted to more general epistemic actions,
such as private announcements.

Dynamic Logics of Belief Change Chapter 7, on belief change, is

authored by Johan van Benthem and Sonja Smets. The chapter gives an
overview of current dynamic logics that describe belief update and revision.
This involves a combination of ideas from belief revision theory and dyna-
mic epistemic logic. The chapter describes various types of belief change,
depending on whether the information received is ‘hard’ or ‘soft’. The
chapter continues with three topics that naturally complement the setting
44 CHAPTER 1. INTRODUCTION

of single steps of belief change: connections with probabilistic approaches

to belief change, long-term temporal process structure including links with
formal learning theory, and multi-agent scenarios of information flow and
belief revision in games and social networks. It ends with a discussion
of alternative approaches, further directions, and windows to the broader
literature.

Part III considers applications of epistemic logic in various areas. It consists

of five chapters:

Model Checking Temporal Epistemic Logic Chapter 8, authored

by Alessio Lomuscio and Wojciech Penczek, surveys work on model check-
ing systems against temporal-epistemic specifications. The focus is on two
approaches to verification: approaches based on ordered binary decision
diagrams (OBDDs) and approaches based on translating specifications to
propositional logic, and then applying propositional satisfiability checkers
(these are called SAT-based approaches). OBDDs provide a compact repre-
sentation for propositional formulas; they provide powerful techniques for
efficient mode checking; SAT-based model checking is the basis for many
recent symbolic approach to verification. The chapter also discusses some
more advanced techniques for model checking.

Epistemic Foundations of Game Theory Chapter 9, authored by Gi-

acomo Bonanno, provides an overview of the epistemic approach to game
theory. Traditionally, game theory focuses on interaction among intelligent,
sophisticated and rational individuals. The epistemic approach attempts
to characterize, using epistemic notions, the behavior of rational and intel-
ligent players who know the structure of the game and the preferences of
their opponents and who recognize each other’s rationality and reasoning
abilities. The focus of the analysis is on the implications of common belief
of rationality in strategic-form games and on dynamic games with perfect
information.

BDI Logics Chapter 10, on logics of beliefs, desires, and intentions

(BDI), is authored by John-Jules Ch. Meyer, Jan Broersen and Andreas
Herzig. Various formalisations of BDI in logic are considered, such as
the approach of Cohen and Levesque (recast in dynamic logic), Rao and
Georgeff’s influential BDI logic based on the branching-time temporal logic
CTL∗ , the KARO framework, in which action together with knowledge (or
belief) is the primary concept on which other agent notions are built, and
BDI logics based on STIT (seeing to it that) logics, such as XSTIT.
1.4. NOTES 45

Knowledge and Ability Chapter 11, authored by Thomas Ågotnes,

Valentin Goranko, Wojciech Jamroga and Michael Wooldridge, relates epis-
temic logics to various logics for strategic abilities. It starts by discussing
approaches from philosophy and artificial intelligence to modelling the in-
teraction of agents knowledge and abilities, and then focuses on concurrent
game models and the alternating-time temporal logic AT L. The authors
discuss how AT L enables reasoning about agents’ coalitional abilities to
achieve qualitative objectives in concurrent game models, first assuming
complete information and then under incomplete information and uncer-
tainty about the structure of the game model. Finally, extensions of AT L
that allow explicit reasoning about the interaction of knowledge and strate-
gic abilities are considered; this leads to the notion of constructive know-
ledge.

Knowledge and Security Chapter 12, on knowledge and security, is au-

thored by Riccardo Pucella. A persistent intuition in the field of computer
security says that epistemic logic, and more generally epistemic concepts,
are relevant to the formalisation of security properties. What grounds this
intuition is that much work in the field is based on epistemic concepts.
Confidentiality, integrity, authentication, anonymity, non-repudiation, all
can be expressed as epistemic properties. This survey illustrates the use
of epistemic concepts and epistemic logic to formalise a specific security
property, confidentiality. Confidentiality is a prime example of the use of
knowledge to make a security property precise. It is explored in two large
domains of application: cryptographic protocol analysis and multi-level se-
curity systems.

1.4 Notes
The seminal work of the philosopher Jaakko Hintikka (1962) is typically
taken as the starting point of modern epistemic logic. Two texts on epis-
temic logic by computer scientists were published in 1995: one by Fagin,
Halpern, Moses, and Vardi (1995) and the other by Meyer and van der Hoek
(1995). Another influential text on epistemic logic, which focuses more on
philosophical aspects, is by Rescher (2005). Formal treatments of the no-
tion of knowledge in artificial intelligence, in particular for reasoning about
action, go back to the work of Moore (1977). In the mid-1980s, the con-
ference on Theoretical Aspects of Reasoning About Knowledge (TARK),
later renamed to “Theoretical Aspects of Rationality and Knowledge, was
started (1986); in the mid-1990s, the Conference on Logic and Foundations
of Game and Decision Theory (LOFT) (1996) began. These two conferences
46 CHAPTER 1. INTRODUCTION

continue to this day, bringing together computer scientists, economists, and

philosophers.
Our chapter is far from the first introduction to epistemic logic. The
textbooks by Fagin et al. (1995) and by Meyer and van der Hoek (1995) each
come with an introductory chapter; more recent surveys and introductions
can be found in the book by van Ditmarsch, van der Hoek, and Kooi (2007,
Chapter 2), in a paper on epistemic logic and epistemology by Holliday
(2014), in the chapter by Bezhanishvili and van der Hoek (2014), which
provides a survey of semantics for epistemic notions, and in online resources
(Hendricks and Symons 2014, Wikipedia).
Halpern (1987) provides an introduction to applications of knowledge
in distributed computing; the early chapters of the book by Perea (2012)
give an introduction to the use of epistemic logic in game theory. As we
already said, more discussion of the examples in Section 1.1 can be found in
the relevant chapters. Public announcements are considered in Chapter 6;
protocols are studied in Chapter 12 and, to some extent, in Chapter 5;
strategic ability is the main topic of Chapter 11; epistemic foundations of
game theory are considered in Chapter 9; distributed computing is touched
on in Chapter 5, while examples of model checking distributed protocols
are given in Chapter 8.
The use of Kripke models puts our approach to epistemic logic firmly
in the tradition of modal logic, of which Kripke is one of the founders
(see Kripke (1963)). Modal logic has become the framework to reason not
only about notions as knowledge and belief, but also about agent attitudes
such as desires and intentions (Rao and Georgeff, 1991), and about notions
like time (Emerson, 1990), action (Harel, 1984), programs (Fischer and
Ladner, 1979), reasoning about obligation and permission (von Wright,
1951), and combinations of them. Modern references to modal logic include
the textbook by Blackburn, de Rijke, and Venema (2001) and the handbook
edited by Blackburn, van Benthem, and Wolter (2006).
Using modal logic to formalise knowledge and belief suggests that one
has an idealised version of these notions in mind. The discussion in Sec-
tion 1.2.5 is only the tip of the iceberg. Further discussion of logical omni-
science can be found in (Stalnaker, 1991; Sim, 1997) and in (Fagin et al.,
1995, Chapter 9). There is a wealth of discussion in the philosophy and
psychology literature of the axioms and their reasonableness (Koriat, 1993;
Larsson, 2004; Zangwill, 2013). Perhaps the most controversial axiom of
knowledge is 5; which was dismissed in the famous claim by Donald Rums-
feld that there are ‘unknown unknowns’ (see http://en.wikipedia.org/
wiki/There_are_known_knowns). Some approaches for dealing with lack
of knowledge using awareness avoid this axiom (and, indeed, all the others);
see Chapter 3.
1.4. NOTES 47

Broadly speaking, philosophers usually distinguish between the truth

of a claim, our belief in it, and the justification for the claim. These are
often considered the three key elements of knowledge. Indeed, there are
papers that define knowledge as justified true belief. There has been much
debate of this definition, going back to Gettier’s (1963) Is justified true belief
knowledge?. Halpern, Samet, and Segev (2009) provide a recent perspective
on these issues.
The notion of common knowledge is often traced back to the philosopher
David Lewis’s (1969) independently developed by the sociologist Morris
Friedell (1969). Work on common knowledge in economics was initiated by
Robert Aumann (1976); John McCarthy’s (1990) work involving common
knowledge had a significant impact in the field of artificial intelligence.
Good starting points for further reading on the topic of common knowledge
are by Vanderschraaf and Sillari (2014) and by Fagin et al. (1995, Chapter
6). Section 9.5 compares the notions of common knowledge with that of
common belief.
Distributed knowledge was discussed first, in an informal way, by Hayek
(1945), and then, in a more formal way, by Hilpinen (1977). It was rediscov-
ered and popularized by Halpern and Moses (1990), who originally called
it implicit knowledge.
The notion of bisimulation is a central notion in modal logic, providing
an answer to the question when two models are ‘the same’ and is discussed
in standard modal logic texts (Blackburn et al., 2001, 2006). Bisimulation
arises quite often in this book, including in Chapters 5, 6, and 7.
We mentioned below Theorem 1.8, when discussing complexity of va-
lidity, that some recent advances make NP-complete problems seem more
tractable: for this we refer to work by Gomes, Kautz, Sabharwal, and
Selman (2008).
We end this brief discussion of the background literature by provid-
ing the pointers to the technical results mentioned in our chapter. The-
orem 1.1 gives some standard valid formulas for several classes of models
(see Fagin et al. (1995, Chapter 2.4) for a textbook treatment). Theo-
rem 1.2 is a folk theorem in modal logic: for a proof and discussion, see
Blackburn et al. (2006, Chapter 2.3). Proposition 1.3 is proved by Fagin
et al. (1995) as Theorem 3.2.2 (for the case X = K) and Theorem 3.2.4 (for
X = T , S4, KD45, and S5). Proposition 1.4 is Proposition 3.2.1 by Fagin
et al. (1995). Theorem 1.8 is proved by Halpern and Moses (1992).
Although the first proofs of completeness for multi-agent versions of ax-
iom systems of the form Xm and XCm are by Halpern and Moses (1992),
the ideas go back much earlier. In particular, the basic canonical model
construction goes back to Makinson (1966) (see Blackburn et al. (2001,
Chapter 4) for a discussion), while the idea for completeness of axiom sys-
48 CHAPTER 1. INTRODUCTION

tems of the form XC is already in the proof of Kozen and Parikh (1981) for
proving completeness of dynamic logic. Completeness for axiom systems
of the form XD was proved by Fagin, Halpern, and Vardi (1992) and by
van der Hoek and Meyer (1992). A novel proof is provided by Wang (2013,
Chapter 3). Theorem 1.6 is part of logical folklore. A proof of Theorem 1.7
was given by French, van der Hoek, Iliev, and Kooi (2013).

Acknowledgements The authors are indebted to Cláudia Nalon for a

careful reading. Hans van Ditmarsch is also affiliated to IMSc, Chennai,
as associated researcher, and he acknowledges support from European Re-
search Council grant EPS 313360. Joseph Y. Halpern was supported in part
by NSF grants IIS-0911036 and CCF-1214844, by AFOSR grant FA9550-
09-1-0266, by ARO grants W911NF-09-1-0281 and W911NF-14-1-0017, and
by the Multidisciplinary University Research Initiative (MURI) program
administered by the AFOSR under grant FA9550-12-1-0040.
 49

References
Aumann, R. J. (1976). Agreeing to disagree. Annals of Statistics 4 (6), 1236–1239.

Bezhanishvili, N. and W. van der Hoek (2014). Structures for epistemic logic. In
A. Baltag and S. Smets (Eds.), Logical and Informational Dynamics, a volume
in honour of Johan van Benthem, pp. 339–381. Springer.

Blackburn, P., M. de Rijke, and Y. Venema (2001). Modal Logic. Cambridge

University Press: Cambridge, England.

Blackburn, P., J. van Benthem, and F. Wolter (Eds.) (2006). Handbook of Modal
Logic. Elsevier Science Publishers B.V.: Amsterdam, The Netherlands.

van Ditmarsch, H., W. van der Hoek, and B. Kooi (2007). Dynamic Epistemic
Logic. Berlin: Springer.

Emerson, E. A. (1990). Temporal and modal logic. In J. van Leeuwen (Ed.), Hand-
book of Theoretical Computer Science Volume B: Formal Models and Semantics,
pp. 996–1072. Elsevier Science Publishers B.V.: Amsterdam, The Netherlands.

Fagin, R., J. Y. Halpern, Y. Moses, and M. Y. Vardi (1995). Reasoning About

Knowledge. The MIT Press: Cambridge, MA.

Fagin, R., J. Y. Halpern, and M. Y. Vardi (1992). What can machines know? on
the properties of knowledge in distributed systems. Journal of the ACM 39 (2),
328–376.

Fischer, M. and R. Ladner (1979). Propositional dynamic logic of regular pro-

grams. Journal of Computer and System Sciences 18, 194–211.

French, T., W. van der Hoek, P. Iliev, and B. Kooi (2013). On the succinctness of
some modal logics. Artificial Intelligence 197, 56–85.

Friedell, M. (1969). On the structure of shared awareness. Behavioral Sci-

ence 14 (1), 28–39. A working paper with the same title was published in 1967
by the Center for Research on Social Organization, University of Michigan.

Gettier, E. (1963). Is justified true belief knowledge? Analysis 23, 121–123.

Gomes, C. P., H. Kautz, A. Sabharwal, and B. Selman (2008). Satisfiability solvers.

In Handbook of Knowledge Representation, pp. 89–133.

Halpern, J. Y. (1987). Using reasoning about knowledge to analyze distributed

systems. In J. F. Traub, B. J. Grosz, B. W. Lampson, and N. J. Nilsson (Eds.),
Annual Review of Computer Science, Volume 2, pp. 37–68. Palo Alto, Calif.:
Annual Reviews Inc.

Halpern, J. Y. and Y. Moses (1990). Knowledge and common knowledge in a

distributed environment. Journal of the ACM 37 (3), 549–587. A preliminary
version appeared in Proc. 3rd ACM Symposium on Principles of Distributed
Computing, 1984.
50 CHAPTER 1. INTRODUCTION

Halpern, J. Y. and Y. Moses (1992). A guide to completeness and complexity for

modal logics of knowledge and belief. Artificial Intelligence 54, 319–379.

Halpern, J. Y., D. Samet, and E. Segev (2009). Defining knowledge in terms

of belief: The modal logic perspective. The Review of Symbolic Logic 2 (3),
469–487.

Harel, D. (1984). Dynamic logic. In D. Gabbay and F. Guenther (Eds.), Handbook

of Philosophical Logic Volume II — Extensions of Classical Logic, pp. 497–604.
D. Reidel Publishing Company: Dordrecht, The Netherlands. (Synthese library
Volume 164).

Hayek, F. (1945). The use of knowledge in society. American Economic Review 35,
519–530.

Hendricks, V. and J. Symons (retrieved 2014). Epistemic logic. In E. N. Zalta

(Ed.), The Stanford Encyclopedia of Philosophy. http://plato.stanford.
edu/archives/spr2014/entries/logic-epistemic/.

Hilpinen, R. (1977). Remarks on personal and impersonal knowledge. Canadian

Journal of Philosophy 7, 1–9.

Hintikka, J. (1962). Knowledge and Belief. Cornell University Press: Ithaca, NY.
Reprint: ‘Knowledge and Belief’, in: Texts in Philosophy, Vol. 1, Kings College
Publications, 2005.

van der Hoek, W. and J.-J. Meyer (1992). Making some issues of implicit knowledge
explicit. International Journal of Foundations of Computer Science 3 (2), 193–
224.

Holliday, W. (2014). Epistemic logic and epistemology. to appear, preliminary

version at http://philosophy.berkeley.edu/file/814/el_episteme.pdf.

Koriat, A. (1993). How do we know that we know? the accessibility model of the
feeling of knowing. Psychological review 100, 609–639.

Kozen, D. and R. Parikh (1981). An elementary proof of the completeness of PDL.

Theoretical Computer Science 14 (1), 113–118.

Kripke, S. (1963). Semantical analysis of modal logic. Zeitschrift für Mathematis-

che Logik und Grundlagen der Mathematik 9, 67–96.

Larsson, S. (2004). The magic of negative introspection.

Lewis, D. (1969). Convention — A Philosophical Study. Harvard University Press:

Cambridge, MA.

LOFT (since 1996). Logic and the foundations of game and decision theory. http:
//www.econ.ucdavis.edu/faculty/bonanno/loft.html.

Makinson, D. (1966). On some completeness theorems in modal logic. Zeitschrift

für Mathematische Logik und Grundlagen der Mathematik 12, 379–384.
REFERENCES 51

McCarthy, J. (1990). Formalization of two puzzles involving knowledge. In V. Lif-

schitz (Ed.), Formalizing Common Sense : Papers by John McCarthy, Ablex
Series in Artificial Intelligence. Norwood, N.J.: Ablex Publishing Corporation.
original manuscript dated 1978–1981.

Meyer, J.-J. C. and W. van der Hoek (1995). Epistemic Logic for AI and Computer
Science. Cambridge University Press: Cambridge, England.

Moore, R. C. (1977). Reasoning about knowledge and action. In Proceedings of

the Fifth International Joint Conference on Artificial Intelligence (IJCAI-77),
Cambridge, MA.

Perea, A. (2012). Epistemic Game Theory. Cambridge, U.K.: Cambridge Univer-

sity Press.

Rao, A. S. and M. P. Georgeff (1991, April). Modeling rational agents within a

BDI-architecture. In R. Fikes and E. Sandewall (Eds.), Proceedings of Know-
ledge Representation and Reasoning (KR&R-91), pp. 473–484. Morgan Kauf-
mann Publishers: San Mateo, CA.

Rescher, N. (2005). Epistemic Logic: A Survey of the Logic of Knowledge. Uni-

versity of Pittsburgh Press.

Sim, K. M. (1997). Epistemic logic and logical omniscience: A survey. Interna-

tional Journal of Intelligent Systems 12 (1), 57–81.

Stalnaker, R. (1991). The problem of logical omniscience, I. Synthese 89 (3),

425–440.

TARK (since 1986). Theoretical aspects of rationality and knowledge. http:

//www.tark.org.

Vanderschraaf, P. and G. Sillari (retrieved 2014). Common knowledge. In

E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy. http://plato.
stanford.edu/archives/spr2014/entries/common-knowledge/.

Wang, Y. (2013). Logical Dynamics of Group Knowledge and Subset Spaces. Ph.
D. thesis, University of Bergen.

Wikipedia. Epistemic modal logic. http://en.wikipedia.org/wiki/Epistemic_

modal_logic.

von Wright, G. H. (1951). Deontic logic. Mind 60 (237), 1–15.

Zangwill, N. (2013). Does knowledge depend on truth? Acta Analytica 28 (2),

139–144.