Reduction Model Checking for Multi-Agent Systems of Group Social Commitments

Abstract

Innumerable industries now use multi-agent systems (MASs) in various contexts, including healthcare, security, and commercial deployments. It is challenging to select reliable business protocols for critically important safety-related systems (e.g., in healthcare). The verification and validation of business applications is increasingly explored concerning multi-agent systems’ group social commitments. This study explains a novel extended reduction verification method to model-check business applications’ critical specification rules using action restricted computation tree logic (ARCTL). In particular, we aim to conduct the verification process for the CTL^GC logic using a reduction algorithm and show its effectiveness to handle MASs with huge models, thus, showing its importance and applicability in large real-world applications. To do so, we need to transform the CTL^GC model to an ARCTL model and the CTL^GC formulas into ARCTL formulas. Thus, the developed method was verified with the model-checker new symbolic model verifier (NuSMV), and it demonstrated effectiveness in the safety-critical specification rule support provision. The proposed method can verify up to 2.43462 × 10¹⁴ states MASs, which shows its effectiveness when applied to real-world applications.

1. Introduction

Innumerable industries now use multi-agent systems (MASs) in various contexts, including healthcare, security, and commercial deployments [1,2,3]. Researchers have extensively undertaken highly structured modeling approaches for MASs to determine required specifications, considering the multifarious dimensions that must be technically accommodated within complex systems for synchronicity in modeling [4]. Model-checking verifies whether MASs perform as required in relation to their specifications [5]. This highly challenging context is inevitable for such modeling, and it presents a formidable challenge when modeling and verifying MASs [6,7]. This paper presents a model-checking tool to automatically investigate group commitment-related features. Investigating the problem of verifying MASs in the presence of single and group social commitments and their fulfillment is rarely addressed, specifically, the cases of specifying and verifying group-to-one and one-to-group social commitments. In our work in [8], we addressed group social commitments in MASs from semantics perspectives. In this work, we plan to enrich the literature of MASs by investigating group social commitment from a verification perspective (i.e., model-checking perspective). To do so, we extend our work in [8] by proposing a model-checking algorithm using the reduction approach, thus, providing an effective and consistent framework that can handle MASs with huge models. In particular, in this study, we investigate an MAS model that reaches 2.43462 × 10¹⁴ states before reaching a state explosion problem.

The following examples illustrate the rationale for undertaking specifying MASs using group social commitments.

Example 1.

Consider an employer who promises his employees a 5% salary raise if they complete a task over one month. This is a “one-to-group” commitment, whereby the single employer must remunerate each employee within the group if the group carried out the task.

Example 2.

Employees promise the employer that they will complete their task in two weeks; this relationship is a “group-to-one” commitment.

The analysis and determination of group and single commitments require commensurate tools and solutions. The expressive power of the logic developed by a previous study [9] was restricted to the reasoning and representation of single social commitments within MASs. More recent work has explored novel temporal logic for single and group social commitment reasoning in MASs in terms of verification and formal semantics [8]. In [8], computation tree logic group commitments (CTL^GC) logic extended CTL [10,11] to fulfil single and group commitments with appropriate modalities, with a comprehensive logic able to process both commitment types simultaneously within the same architecture. The study also revised and developed the previous system of [12], with a formal CTL^GC model for formula interpretation. The developed extension enables the modeling of interactions between groups and single agents.

The current study seeks to present a significant model-checking algorithm for the CTL^GC logic [8] that can effectively verify large MASs with huge state space by introducing a reduction-based model-checker algorithm. The proposed algorithm transforms the CTL^GC logic into the ARCTL logic [13], in order to use its model-checker [14] the NuSMV. The problem of model-checking the CTL^GC logic has not been addressed before, which gives a novelty to our work.

Figure 1 is given as an overview of the developed approach, which comprises three phases. In phase 1, the CTL^GC logic [8], which has modalities to reason about group and single commitments, was recalled. In phase 2, reduction/transformation was used for a formal verification algorithm, converting the model-checking CTL^GC logic problem into an ARCTL-model checking problem [13]. In phase 3, the effectiveness of this approach was tested by application with the extended NuSMV model-checker [14], reporting the verification results.

1.1. Paper Contributions

In this paper, we aim to enrich the literature of group social commitments in MASs from verification perspectives. In particular, we aim to address the following:

We aim to develop a reduction-based model-checking algorithm for the CTL^GC group commitments logic, by transforming the CTL^GC model-checking problem into an ARCTL model-checking problem using transformation rules. By doing so, we can use the extended NuSMV model-checker.

We aim to prove the soundness of the proposed reduction model-checking algorithm.

We aim to investigate the effectiveness and applicability of the proposed algorithm by implementing a real case study from the business domain (i.e., the NetBill protocol [15]).

1.2. Paper Organization

The remainder of this study is arranged as follows. Section 2 explores modeling development in terms of reasoning and verifying with regard to group and single MAS commitments. Subsequently, the formalism and effectiveness of interpreted systems (ISs) are explained for MAS modeling. Finally, the paradigm of symbolic model-checking is presented. Section 3 contains the semantics and syntax of the CTL^GC logic, whose problem model-checking is analyzed in Section 4. Section 5 describes the implementation of the novel technique and the verification outcomes. Section 6 concludes the study.

2. Preliminaries

2.1. Commitments in Multi-Agent Systems (MASs)

A major aspect of multi-agent systems (MASs) is communication. Through communication, the agents do plan their behaviors and actions so as to achieve their predetermined goals [16]. In addition, autonomous, heterogeneous agents use agent communication languages (ACLs) in order to interact with each other and interchange messages [17,18,19,20]. Accordingly, there is significant need for the development of formal and coherent semantics for these ACLs [21,22].

A review of the published literature spotlights that numerous frameworks have been developed in the effort to find effective standards for the agent communications [22,23,24,25,26,27,28]. Within this context, Searle’s speech acts theory [29] represents the first endeavor to formulate standard semantic for the ACLs, namely, the mental approach. This semantic tries to analyze the tradeoffs among certain aspects of agent communications such as the belief-desire-intention (BDI) aspects, and provide a rational tradeoff between them [30]. This approach handles the communications as actions that ought to be performed by agents so as to achieve their goals. However, the mental methods focus on the minds of the interacting agents. Actually, they presume that the agents can guess how the others think [25]. As a consequence, these methods fail to determine if a certain agent does, or does not, behave on the basis of distinct semantics. Accordingly, these methods suffer from the well-known problem of semantics verification [31]. Besides this problem, these methods suffer from the lack of interoperability among the heterogeneous systems [25].

To fix these two problems of the ACL semantics, the MAS community made a substantial switch to social approaches [15,25]. Indeed, novel formal semantics for the ACLs were developed by adopting social approaches [15,32,33,34,35]. These approaches used the social commitments in order to produce robust frameworks which model the interactions among the agents in the MASs [2,21,26,36,37,38]. Manipulation and negotiation of commitments impart to the commitment-based techniques high flexibility and the capability to reason about the interactions among the agents in the MASs [39,40].

The social commitments have so far been successfully employed in numerous real applications, such as verification of the security protocols [41]; specification, modeling, and verification of multi-agent interaction protocols [42,43,44]; identification and verification of contracts of service composition [45]; development of Web-based applications [46,47]; modeling of the business processes [48]; introduction of artificial institutions [49]; and development of programming languages [50,51] and blockchain applications [52].

Varying frameworks were developed in order to formalize group commitments [53,54,55,56,57]. However, not one of those frameworks has the ability to classify the groups of agents. Additionally, not one of them can address the group-to-one social commitments and their fulfillment. Castelfranchi [58] categorized the commitments into three types: social, internal, and collective commitments. He has defined the internal commitment as a relation between a certain agent and its action. Moreover, he considered the social commitment as a relation between two agents. Furthermore, he stated that in the group (or collective) commitments “a set of agents is internally committed to a certain intention and (usually) there is mutual knowledge about that.” This conception of group commitment is very close to the conception of the previously-explained mental approaches. The rest of the frameworks followed a similar method to that of Castelfranchi [58] in formalizing the collective commitments.

Additionally, Wozna-Szczesniak and Szczesniak [31] expanded the work presented in [59] and presented new, real-time, unconditional, and conditional social commitment logic, referred to as RTCTLC. These researchers [31] defined their semantics over the duration communication interpreted system (DCIS), which is actually a system in which transitions have integer duration. These transitions enabled them to model numerous levels of deadlines and reduce further verification works because of using unit measure steps. The RTCTLC has the capability to figure out the unconditional, conditional, and group commitments and their associated fulfillments and real-time restraints, and to express them. For figuring out group commitments, these researchers examined only the one-to-group unconditional and conditional commitments and their fulfillment. Furthermore, they did not touch upon completeness and soundness of the RTCTLC. Moreover, they did not address the RTCTLC model-checking problem.

Sultan [60] examined MASs in which the agents have knowledge and communicate by manipulation of uncertain social commitments, particularly when the scope of the commitment steps is beyond the popular agent-to-agent plan or route. He proposed a method for model-checking that aims at verifying these systems and capitalizing not only on interactions between individuals, but also on one-to-group communicative commitments and knowledge under the condition of the presence of uncertainty. The effectiveness of this approach was assessed by implementing it atop of the PRISM model-checker. However, Sultan [60] did not address group-to-one commitments.

Lastly, we presented the CTL^GC logic in [8]. It is a temporal logic of group commitments for the agent communications that extends the computation tree logic (CTL) in such a way as to simultaneously reason about and specify the group social commitments and their fulfillment. For this purpose, we categorized the groups of the communicating agents into indivisible and divisible communicating groups. Then, we classified the group commitments into two categories: group-to-one commitments and one-to-group commitments. Afterwards, we identified the social accessibility relationships that are necessary for capturing the semantics of every type of commitment group. Then, we adopted Benthem’s correspondence theory for the modal logics, so as to prove soundness and completeness of the CTL^GC logic. However, we did not investigate the model-checking problem of CTL^GC. Thus, in this study, we aim to address the model-checking problem of the CTL^GC logic using reduction / transformation.

Revising the related research in the literature, we can summarize the gaps in the following:

-

Mental approaches in [22,23,24,25,27,52] suffer from a semantics verification problem [31]. Moreover, these methods suffer from the lack of interoperability among the heterogeneous systems [25].

-

Social approaches in [2,21,36,37,39,40,52] addressed only single commitment. None of them investigated group commitment.

-

Social approaches in [54,55,56,57,58] addressed group commitment using mental approaches. Therefore, none of them classified the groups of agents. Additionally, none of them addressed group-to-one social commitments and their fulfillment.

-

Wozna-Szczesniak and Szczesniak [27] did not address the RTCTLC model-checking problem.

-

Sultan [60] did not address group-to-one commitments and only investigated one-to-group commitments in the presence of uncertainty.

-

Our work in [8] classified a group of agents into divisible and indivisible, addressed one-to-group and group-to-one commitments, and proved the soundness and completeness of the CTL^GC logic. However, model-checking CTL^GC was not investigated.

Consequently, to close the gaps in the literature and extend our work in [8], we aim to address the verification problem of CTL^GC by proposing a reduction-based model-checking algorithm and building more effective and consistent MASs.

2.2. Modeling MASs by Using Interpreted Systems

Formalism of the interpreted systems (ISs) was first developed by Fagin et al. [12], in an effort to model the temporal evolution of a MASs so as to infer the knowledge and associated temporal properties. Formalism of the ISs does model differing classes of the MASs such as the asynchronous and the synchronous systems. In addition, it is broadly employed for local modeling of the heterogeneous and autonomous agents interacting within a global system via message sending and receiving [21].

ISs formalism consists of:

• “Set of n agents; A = {1, …, n}, such that every single agent i is defined by:

  —

  Non-empty set of local states, L_i. Local state of the agent i is described by l_i ∈ L_i. Every local state of the agent holds complete information about the system which this agent has at a specified moment.

  —

  Set of local actions (Act_i) in order to demonstrate the evolution of the system with time, i.e., the temporal evolution.

  —

  Function for local protocol (Pi: Li → 2^Act_i) in order to define the set of enabled actions which can be implemented in a certain local state.

  —

  Function for local evolution, τi, that specifies transitions for agent i between its local states. This function is defined as τi: Li × Act_i → Li.

• Set of the entire global states in the system G ⊆ L1 ×⋯× Ln is a sub-set of the Cartesian product of the whole local states of the n agents such that:

  —

  Global state g ∈ G is tuple; g = (l1, …, ln), that corresponds to a snapshot of the system.

  —

  Local state of the agent i in global state g is denoted as li (g).

• I ⊆ G is the set of the initial global states for the system.
• Global transition function. This function can be defined as τ: G × ACT → G, where ACT = Act₁ ×⋯× Act_n and every constituent, a ∈ ACT, is a joint action; that is, a tuple of actions, one only for every single agent.
• Set of atomic presumptions, Φp, and valuation function, V, for these presumptions, V: G → 2^Φp”.

For the provision of intuitive semantics for the social commitments which are established via communications among the interacting agents, Bentahar et al. [61] and El-Menshawy et al. [21] outspread formalism of the interpreted systems using shared and unshared variables.

In this paper, much like the case in telecommunications, we base our work on the assumption of asynchronous communication; that is, the creditor and debtor, both, function independent of one the other. Stated otherwise, the sender (i.e., the debtor) does not need to wait for acknowledgment of the sent message by the recipient (i.e., the creditor). Therefore, the debtor can send other messages or more to the creditor without knowing when those messages are received and processed by her/him. The idea of the herein designed model is similar to the communication architecture in the distributed systems, in that for any two agents, i and j, to communicate, they must have a shared channel for communication, which is exemplified by variables shared between these two agents: i and j [61].

2.3. Symbolic Model-Checking

Model-checking is an automatic, formal method that is employed for verification of finite state concurrent systems [11]. The process of model-checking is intended to answer the question: given certain model M and specific property φ that corresponds to specification in certain temporal logic, does this model fulfill this property? If the model does not fulfill this property, that is, M ⊭ φ, then the process returns a counterexample message that shows the steps wherein the error state was reached. However, if the model satisfies this property, namely, M ⊨ φ, then the process returns a true message.

Approaches to symbolic model-checking proved to be efficient in automatically verifying the soundness of MASs [62,63] as they, in general, utilize less memory than the automata-based methods because algorithms of the former methods are actually applied on Boolean functions (Bfs) rather than on explicit Kripke structures as is the case in the latter methods. In practice, the space requirements of the Bfs that can be expressed by employing ordered binary decision diagrams (OBDDs) [58] are exponentially smaller than the corresponding space requirements of an explicit representation. Accordingly, the symbolic model-checking techniques reduce the state explosion problem. In this study, we develop a model-checking method that belongs to the symbolic class of methods and apply our method on top of the expanded symbolic model-checker NuSMV [14].

3. The CTL^GC Logic

This section recalls the syntax and semantics of the CTL^GC logic which we earlier presented in [8]. The syntax of the CTL^GC is an extension of the CTL [11], with modalities for both group and single commitments and associated fulfillments. It is defined as follows [8]:

Definition 1.

Syntax of the CTL^GC.

“φ ::= p |¬φ | φ∨φ | EXφ | E(φUφ) | EG |C| Fu

C ::= C_i→jφ | C_i→Ωφ| C_Ω→jφ

Fu ::= Fu(C_i→jφ) | Fu(C_i→Ωφ) | Fu(C_Ω→jφ)”

Such that

• p, ¬,∨, E, X, U andG are similar CTL modalities [11].
• The formulae of social commitmentC are formulae for special state in the CTL^GC that grab social characteristics by employing theC_i→jφ,C_i→Ω, andC_Ω→j modal connectives, which stand for ‘commitment’, ‘commitment to divisible group’, and ‘commitment from divisible group’, respectively.

The expression C_i→jφ means ”agent i commits to agent j that is φ” [61]. The term C_i→Ωφ implies that agent i commits to everyone in Ω that is φ. Meanwhile, the expression C_Ω→jφ indicates that everyone in Ω commits to j that is φ.

In this study, we only recall semantics of the group and the single commitments and their associated fulfillments because the chief part of the CTL^GC logic is the CTL logic [11].

Definition 2.

Satisfaction of the CTL^GC [8].

By using modelM, satisfaction of the formula of CTL^GC,, that is, φ, in some global statew described by (M,w) |= φ is defined repeatedly as follows:

• (M,w) |= C_i→jφ iff the condition of(M,w^′) |= φ is satisfied for all the global statesw^′∈W such thatw∼_i→jw^′;
• (M,w) |= C_i→Ωφ iff the condition of(M,w^′) |= φ is satisfied for all the global statesw^′∈W such thatw∼_i→Ω w^′;
• (M,w) |= C_Ω→jφ iff the condition of(M,w^′) |= φ is satisfied for all the global statesw^′∈W such thatw∼_Ω→jw^′;
• (M,w) |= Fu(C_i→jφ) iff there isw^′∈W such thatw^′∼_i→jw and(M,w^′) |= C_i→jφ;
• (M,w) |= Fu(C_i→Ωφ) iff there isw^′∈W such thatw^′∼_i→Ω w and(M,w^′) |= C_i→Ωφ;
• (M,w) |= Fu(C_Ω→jφ) iff there isw^′∈W such thatw^′∼_Ω→jw and(M,w^′) |= C_Ω→jφ.

The semantics of the formulae of the CTL^GC state are defined in model M such as the semantics of standard CTL [11] with modalities for specifying single social commitments, group social commitments, fulfillment, and group fulfillment. More details about the semantic of CTL^GC can be found in [8].

4. Symbolic Model-Checking Algorithm for CTL^GC

This section introduces a new method for model-checking of the CTL^GC. The technical formulation of the problem of model-checking the CTL^GC can be summarized as follows:

Given an MAS that is represented as an interpreted system model M and formula φ in the CTL^GC that describes certain property, the model-checking problem can be described as determining whether or not ‘M ⊨ φ, i.e., ∀ s ∈ I M,s) ⊨ φ [8].

Checking the logic of the CTL^GC can be conducted in either of the two methods, direct method or formal transformation (reduction) method, as follows:

• The direct method can be performed by either developing an appropriate model-checker from scratch or extending an already existent model-checker by using new algorithms for the due modalities as was made in [61,64,65,66].
• Formal transformation entails transforming a method into an existent model-checker as was made in [14,21,46,67]. In this study, we adopt this approach and, accordingly, transform the CTL^GC model-checking problem into a problem of ARCTL model- checking [13].

4.1. Transforming the CTL^GC into ARCTL

This section briefly reviews the ARCTL logic [13], and then illustrates how the CTL^GC model-checking problem can be transformed, that is, reduced, to an ARCTL model-checking problem. The major advantage of employing this reduction (transformation) is benefiting from the procedure of efficient model-checking that is already incorporated into the extended NuSMV model-checker [68]. Figure 2 presents the workflow of such a transformation method that comprises three subsequent processes. Firstly, we reduce the CTL^GC model M into the ARCTL model. Secondly, we reduce the CTL^GC formulae into the ARCTL formulae. Then, both the ARCTL model and ARCTL formulae are inputted to the extended NuSMV model-checker so as to obtain the model verification outcomes.

Syntax of the ARCTL is defined by BNF grammar [13] as follows:

• “φ ::= p |¬φ | φ∨φ | E_αXφ | E_α(φ U φ) | E_αGφ
• α ::= b |¬α | α∨α”

where φ expresses state formula, α represents action formula, p ∈ Φ_p denotes atomic proposition, and b ∈ Φ_a stands for proposition of atomic action. The ARCTL logic integrates the action formulae and state formulae by means of confining the path formulae to the particular paths whose actions fulfill certain action formula.

Definition 3.

ARCTL Model.

A modelM_AR = (S_AR, I_AR, AC_AR, T_AR, VS_AR, VA_AR) is tuple, whereS_AR is non-empty set of states;I_AR⊆S_AR is set of initial states;AC_AR is set of actions;T_AR⊆S_AR × AC_AR × S_AR is labeled transition relationship;VS_AR : S_AR → 2^Φp is interpretation for the atomic propositions; andVA_AR : AC_AR → 2^Φa is interpretation for atomic action propositions.

The semantics of this logic [13] are obtained by defining α-restriction of M_AR as follows:

M^α_AR =(S_AR, I_AR, AC_AR, T^α_AR, VS _AR, VA_AR), where T^α_AR is the transition relationship such that (s, a, s’) ∈ T^α_AR iff (s, a, s^′) ∈ T_AR and a |= α, in which |= is defined according to the subsequent equations:

• a |= b iff b ∈ VA_AR(a);
• a |= ¬α iff not (a |= α) and;
• a |= α ∨ α^′ iff a |= α or a |= α^′.

The α-restriction stimulates us to always focus on distinctive transitions whose labels fulfill a certain action formula. Subsequently, when some formula needs to be checked, the relevant transitions only should be taken into consideration. For defining the semantics of the ARCTL, we just take into account the general case of the infinite paths.

Π^α(s) is a set of the paths (referred to as the α-paths) whose actions fulfill a certain action formula α and start at s. The relationship of satisfaction (M^α_AR,s) |= φ is defined according to [13], with the omission of semantics of the propositional atoms and Boolean connectives:

• (M^α_AR,s) |= E_αXφ iff there is path π ∈ Π^α(s) and π(1) |= φ;
• (M^α_AR,s) |= E_α(φ U ψ) iff there is path π ∈ Π^α(s) such that for certain k ≥ 0,π(k) |= ψ and π(j) |= φ for all 0 ≤ j < k;
• (M^α_AR,s) |= E_αGφ iff there is path π ∈ Π^α(s) such that π(k) |= φ for all k ≥ 0.

The transformation process is defined in this study as follows:

Considering a CTL^GC model M, where M = (S, I, R_t,{∼_i→j |(i, j) ∈A²},V) and CTL^GC formula φ, we need to define α-restricted ARCTL model M^α_AR, where M^α_AR = T(M), and ARCTL formula φ, where φ = T(φ) by use of transformation function T such that M |= φ iff T(M) |= T(φ). The T(M) model is defined as ARCTL model M^α_AR = (S_AR, I_AR, AC_AR, T_A^α, VS_AR, VA_AR) according to the following notions:

• S_AR = S;
• I_AR = I;
• VS_AR = V.
• The set of propositions of the atomic action Φ_a is then defined as follows:

Every relationship in M is transformed into a labeled transition in T(M), that is, M^α_AR. Doing so allows us three sorts of actions: an action for the relationship of transition which is already present in the model; an action for the relationship of social accessibility ∼_i→j to obtain the semantics of group and the single commitments; and an action from symmetric closure of the ∼_i→j t in order to gain the fulfillment semantics. Hence,

Φ_a = {ϵ, α_1→1, α_1→2, ..., α_n→n, α_i→Ω, α_Ω→j,} ∪ {β_1→1, β_1→2, ..., β_n→n, β_i→Ω, β_Ω→j}

In consequence, we define the AC_AR set of actions as follows:

AC_AR = {αo, α11, α12, ..., αnn, αiΩ, αΩj}∪{β11, β12, ..., βnn, βiΩ, βΩj}

where α^o, α^ij, α^iΩ, and α^Ωj are the actions that label the transitions which are defined, respectively, from the transition relationship R_t; and the relationships of the social accessibility ∼_i→j, ∼_i→Ω, and ∼_Ω→j. In the meantime, the β^ij, β^iΩ, and β^Ωj are the actions that denote the symmetric transitions which are added when there are transitions labeled with α^ij, α^iΩ, and α^Ωj, which are actually needed for defining the transformation of the three formulae Fu(C_i→jφ), Fu(C_i→Ωφ), and Fu(C_Ω→jφ).

• The VA_AR function is defined according to the following equations:
  • If α^o∈AC_AR, thenVA_AR(α^o) = {ϵ};
  • VA_AR(α^ij) = {α_i→j} for1 ≤ i ≤ n and1 ≤ j ≤ n;
  • VA_AR(α^iΩ) = {α_i→Ω} for1 ≤ i ≤ n andΩ = {1...n};
  • VA_AR(α^Ωj) = {α_Ω→j} forΩ = {1...n} and1 ≤ j ≤ n;
  • VA_AR(β^ij) = {β_i→j} for1 ≤ i ≤ n and1 ≤ j ≤ n;
  • VA_AR(β^iΩ) = {β_i→Ω} for1 ≤ i ≤ n andΩ = {1...n};
  • VA_AR(β^Ωj) = {β_Ω→j} forΩ = {1...n} and1 ≤ j ≤ n.
• The labeled relationship of transition $T_{AR}^{\alpha }$ joins the temporal labeled transition R_t, accessibility relationships ∼_i→j and ∼_i→Ω, ∼_Ω→i, and the symmetric closure of the relationships of social accessibility ∼_i→j, ∼_i→Ω, and ∼_Ω→i under the sequent conditions for the states s and s^′ ∈ S
  • (s, α^o, s^′) ∈ T_AR^ϵ if (s, s^′) ∈ R_t;
  • (s, α^ij, s^′) ∈ T _AR ^αi→j if s ∼_i→j s’;
  • (s, αⁱ_Ω, s^′) ∈ T _AR ^{Ω i→ Ω} if s ∼_{i→ Ω} s’;
  • (s, α^Ωj, s^′) ∈ T _AR ^αΩ→j if s ∼ _{Ω → j} s’;
  • (s, β^ij, s′) ∈ T_AR^βi→j if (s′, α^ij, s) ∈ T_AR^αi→j;
  • (s, β^iΩ, s′) ∈ T_AR^βi→Ω if (s′, α^iΩ, s) ∈ T_AR^αi→Ω;
  • (s, β^Ωj, s′) ∈ T_AR^{β Ω →j} if (s′, α^Ωj, s) ∈ T_AR^{α Ω →j}.
  Henceforth, we define T (φ) by an induction on the form of formula φ of the CTL^GC:
  • T (p) = p, if p is atomic proposition;
  • T (¬φ) = ¬T (φ);
  • T (φ ∨ ψ) = T (φ) ∨ T (ψ);
  • T (EXφ) = E_ϵ(XT (φ));
  • T (E(φ U ψ)) = E_ϵ(T (φ) U T (ψ));
  • T (EGφ) = E_ϵ(GT (φ));
  • T (C_i→jφ) = A_αi→jXT (φ);
  • T (C_i→Ωφ) = A_αi→ΩXT (φ);
  • T (C_Ω→jφ) = A_αΩ→jXT (φ);
  • T (Fu(C_i→jφ)) = E_βi→j(XT (C_i→jφ));
  • T (Fu(C_i→Ωφ)) = E_βi→Ω(XT (C_i→Ωφ));
  • T (Fu(C_Ω→jφ)) = E_βΩ→j(XT (C_Ω→jφ)).

Thus, this transformation enables us to check the formulae of the CTL^GC model via reducing them into ARCTL by employing the extended NuSMV tool [14]. Figure 3 gives an example that explains the transformation function T.

The CTL^GC model M, which is located on the left side of Figure 3, will be transformed into ARCTL model M^α_AR, which is shown on the right of this figure. Model M comprises two global states: s₀ and s₁. The s₁ state is accessible socially from the s₀ state (that is, s₀ ∼_i→j s₁). Moreover, φ holds on the s₁ state, namely, (M, s₁) |= φ. On this account, and based on semantics, we obtain (M, s₀) |= C_i→jφ. Since the commitment modality applies to s₀, i.e., (M, s₀) |= C_i→jφ, and s₁ is accessible socially from s₀, that is, s₀ ∼_i→j s₁, then, based on semantics, the fulfillment modality will apply to s₁, namely, (M, s₁) |= Fu(C_i→jφ). By using the aforementioned transformation method, model M will be reduced to M^α_AR according to the following steps. The transition relationship (that is, (s₀, s₁) ∈ R_t) is transformed into a labeled transition (s₀, α^o, s₁). Additionally, the relationship of social accessibility (∼_i→j) between s₀ and s₁ is transformed into a labeled transition (s₀, α^ij, s₁). The symmetric closure of the relationship of social accessibility (∼_i→j) between these two states is also transformed into a labeled transition (s₁, β^ij, s₀). Lastly, every formula of state in the CTL^GC will be transformed into the corresponding ARCTL formula through the use of the transformation function T. Indeed, the three formulae φ, C_i→jφ, and Fu(C_i→jφ) are due to be transformed, respectively, into T (φ), T (C_i→jφ), and T (Fu(C_i→jφ)).

The next theorem confirms the soundness of the herein conducted transformation algorithm the CTL^GC to the ARCTL.

Theorem 1.

Soundness ofT.

Assume thatφ and M are a CTL^GC formula and model, respectively, and assume thatT (φ) and T (M) are the corresponding formula and model in the ARCTL. We, then, haveM |= φ iffT (M) |= T (φ).

Proof. 

This theorem is proven here by an induction on structure of the φ formula. The entire cases are direct cases, except the subsequent six cases:

• φ = C_i→jψ. We have (M, s) |= C_i→jψ iff (M, s^′) |= ψ for each s^′∈ S such that s∼_i→j s^′. Accordingly, (M, s) |= C_i→jψ iff (T (M), s^′) |= T (ψ) for each s^′∈ S_AR such that (s, α^ij, s^′)∈.T_AR^αi→j. By using semantics of A and X, we get (T (M), s) |= A_αi→j(XT (ψ).
• φ = C_i→Ωψ. We have (M, s) |= C_i→Ωψ iff (M, s^′) |= ψ for each s^′∈ S such that s∼_i→Ω s^′. Thereupon, (M, s) |= C_i→Ωψ iff (T (M), s^′) |= T (ψ) for each s^′∈ S_AR such that (s, α^iΩ, s^′)∈ T_AR^αi→Ω. By using semantics of A and X, we end up with (T (M), s) |= A_αi→Ω(XT (ψ).
• φ = C_Ω→jψ. We have (M, s) |= C_Ω→jψ iff (M, s^′) |= ψ for each s^′∈ S such that s∼_Ω→j s^′. Thus, (M, s) |= C_Ω→jψ iff (T (M), s^′) |= T (ψ) for each s^′∈ S_AR such that(s, α^Ωj, s’)∈T_AR^{α Ω →j}. By use of semantics of A and X, we get (T (M), s) |= A_αΩ→j(XT (ψ).
• φ = Fu(C_i→jψ). We have (M, s) |= Fu(C_i→jψ) iff (M, s₁) |= C_i→jψ for the state s₁∈ S such that s₁∼_i→j s. Hence, (M, s) |= Fu(C_i→jψ) iff (T (M), s₁) |= T (C_i→jψ) for s₁∈ S_AR such that (s, β^ij, s₁)∈ T_AR^αi→j. By using semantics of E and X, we end up with (T (M), s) |= E_βi→j(XT (C_i→jψ)).
• φ = Fu(C_i→Ωψ). We have (M, s) |= Fu(C_i→Ωψ) iff (M, s₁) |= C_i→Ωψ for the state s₁∈ S such that s₁∼_i→Ω s. So, (M, s) |= Fu(C_i→Ωψ) iff (T (M), s₁) |= T (C_i→Ωψ) for s₁∈ S_AR such that(s, β^iΩ, s′)∈T_AR^βi→Ω. By use of the semantics of E and X, we get (M), s) |= E_βi→Ω(XT (C_i→Ωψ)).
• φ = Fu(C_Ω→jψ). We have (M, s) |= Fu(C_Ω→jψ) iff (M, s₁) |= C_Ω→jψ for the state s₁∈ S such that s₁∼_Ω→j s. In consequence, (M, s) |= Fu(C_Ω→jψ) iff (T (M), s₁) |= T (C_Ω→jψ) for s₁∈ S_AR such that(s, β^Ωj, s′)∈T_AR^{βΩ →j}. Through use of the semantics of E and X, we get (M), s) |= E_βΩ→j(XT (C_Ω→jψ)).

Therefore, the theorem is confirmed. □

5. Case Study

One of the key motivations of this study is the need for checking the effectiveness of the herein proposed transformation algorithm. We applied the reduction method that was discussed in Section 4.1 atop of the extended NuSMV [14], in order to reason about, and verify, the single commitments, the group commitments, and their fulfillment in the MASs (phase 3 in Figure 1). The case study on which we were capable of responding to this motivation is the NetBill protocol [69], which is a protocol that was developed for the buying and selling of encrypted software on the Internet [69,70]. It consists of two interacting agents: the merchant and the customer [71,72]. A description of this protocol has been provided by [69].

In brief, the NetBill payment protocol consists of eight steps. In the first step, the first message demands a quote on the basis of identity of the customer (e.g., support for the subscriptions or volume discounts) so as to allow for a customized per user pricing. If the quote (step two) has been accepted (step three), then the merchant passes the relating digital information to the customer (step four) but encrypts it and keeps the key. The software of the customer creates an electronic payment order (EPO) that describes the transaction and includes a cryptographic checksum of the received goods. The order is then signed with the private key of the customer and passed to the merchant who verifies its contents, appends the key to it for decryption of the related goods, and approves the EPO with digital signature and passes it to the NetBill server. After that, the NetBill server verifies the funds in the NetBill account of the customer, debits the customer, and credits the merchant. Thereafter, the digitally-signed receipt, including the key for decryption of the goods, is first sent to the merchant, and then, to the customer. The software of the customer can, by that time, decrypt the bought information and present it to her/him. Figure 4 depicts the NetBill payment protocol.

Encoding the NetBill Protocol

The new symbolic model verifier (NuSMV) [68] is a symbolic model-checker for the branching temporal logics (CTLs) and the linear temporal logics (LTLs). Thus far, it has been used in an effective way in checking models of business, web service composition, and multi-agent interaction protocols [54]. However, the original NuSMV version does not support the action of model-checking and the cognitive characteristics in the system of agents. For overcoming this shortcoming, the extended version of the NuSMV is usually used to first support checking the ARCTL model, and then, transform the cognitive formulae to the ARCTL formulae [14]. The extended NuSMV employs symbolic methods that are based on ordered binary decision diagrams (OBDDs). In these methods, the formulae and states of the model to be tested are represented by Boolean functions (Bfs), which can be represented easily by using OBDDs. Likewise, the set of model states that fulfill the ARCTL formula is presented as Bfs. By holding comparisons between the set of states that fulfill the ARCTL formula with the set of the initial states, it becomes possible to find out whether or not a specific formula applies to the model under consideration. Therefore, the problem of checking the ARCTL model is reduced to a comparison of Bfs. In the extended NuSMV, the models are described using modular language that is known as the extended symbolic model verifier, i.e., extended SMV [13].

For the purpose of modeling the actions of the ARCTL, Lomuscio et al. [14] and Pecheur et al. [13] proposed the use of the existent input variables of the NuSMV. In addition, they made extensions to the NuSMV code in an attempt to enable the verification of these operators. Further details on ARCTL action modeling can be found in [13]. For the verification of the NetBill protocol by using the extended NuSMV, we carried out 15 experiments and had up to 22 agents.

6. Conclusions and Future Work

In this study, verification was conducted by using a DELL computer with Intel^® Core^TM i3 CPU, a clock speed of 2.59 GHz, and RAM of 4GB RAM that operates on the Windows 10 64-bit operating system. We used the extended NuSMV (NuSVM-ARCTL-TLACE http://lvl.info.ucl.ac.be/Tools/NuSMV-ARCTL-TLACE (accessed on 1 January 2022)), which is based on the modified version of NuSMV 2.2.2 that can check the formulae of the ARCTL model. Figure 5 shows the verification workflow. The verification process starts by inserting the CTLGC model and specifications into the reduction algorithm. The reduction algorithm transforms the CTLGC model into the ARCTL model, and CTLGC specification into ARCTL specification. The ARCTL model and specification are inserted into the extended NuSMV model-checker and verification results are then obtained.

The results of 15 experiments are shown in

Table 1. Results of verification of the NetBill protocol using the extended NuSMV.

Agents	States	Time (s)	Memory (MB)
2	12	< 0.001	4.87
3	221	< 0.01	5.32
4	542	0.1	5.66
5	1154	0.5	5.92
6	3234	1	6.22
7	17544	1.4	6.68
8	45337	3.2	6.97
9	125743	5.6	7.12
10	1.41321 × 106	22.1	8.84
12	3.21301 × 106	76.3	10.64
14	2.17233 × 107	97.2	12.65
16	3.32414 × 108	321.4	15.43
18	4.28516 × 109	769.6	18.82
20	4.32614 × 1010	1240	24.41
22	2.43462 × 1014	4328	44.64

. We began the experiments with two agents only: the merchant and the customer, who interact in an MAS so as to simultaneously determine their single commitments, group commitments, and fulfillment. In the second experiment, we added another customer. In the remainder of the experiments, we added up to 22 agents.

Table 1 lists the numbers of agents (Agents), numbers of achievable states (States), execution times (Time (s)), and the memory use for constructing the data structure of the OBDD (Memory (MB)). We observed that the state space grows exponentially with the number of the agents. However, the memory use grows polynomially with the same number of agents. This supports the efficiency of our approach to model-checking under the condition of scaling up of the system (nearly 2.43462 × 10¹⁴ states).

Another noteworthy motivation of this study was the use of the CTL^GC to verify the characteristics of the protocols that encompass single social commitments, group social commitments, and associated fulfillment. Usually, these characteristics express certain protocol requirements that need to be satisfied. In effect, varying properties are proposed in the related literature [36,43,64,67,73,74,75].

In this section, we examine the Liveness, Reachability, and Safety properties of the NetBill protocol because they are examples of common protocol characteristics.

• Safety

The safety property means that something that is not good will never take place. Generally, safety can be connoted in the CTL by AG¬φ, where φ points to a bad (i.e., non-desirable) situation. Bad situations encircle, for example, the case when the customer (cust) sends payment (Pay) to the merchant (mer); that is, the customer satisfies her/his commitment, but the merchant does not deliver the goods (Deliver). It is possible to avoid such a situation by using the CTL^GC as follows:

φ1 = AG ¬(Fu(Ccust→merPay)∧ AG ¬(Cmer→custDeliver)).

It is possible to generalize this situation if a group of customers fulfill their commitments to a specific merchant via making their due payments, but the merchant does not deliver the due goods:

φ2 = AG ¬(Fu(CΩcust→merPay)∧ AG ¬(Cmer→ΩcustDeliver)).

• Liveness

This property refers to the case when eventually something good will occur, e.g., if the merchant commits to deliver goods to the customer, then it will eventually fulfill this commitment. This situation can be expressed as follows:

φ3 = AG(Cmer→custDeliver → EF Fu(Cmer→custDeliver)).

This property can be generalized in such a way as to express the commitment of a merchant to delivering the due goods to all her/his customers and the merchant eventually fulfilling her/his commitment. This situation can be expressed as follows:

φ4 = AG(Cmer→ΩcustDeliver → EF Fu(Cmer→ΩcustDeliver)).

• Reachability

The reachability property indicates that a specific situation can be reached. It is expressed as EFφ, where φ is the situation to be reached, e.g., the commitment of the merchant to deliver the due goods to all her/his customers, which is a situation that ought to be reached from the early state. This situation is expressed as follows:

φ5 = EF Cmer→ΩcustDeliver

One more example of reachability is the case when a group of customers commit to send the due payments for the required goods to a certain merchant. This situation can be expressed as:

φ6 = EF CΩcust→merDeliver

We note that the different formulae are true in the model as illustrated in

Table 2. Outcomes of verification of the NetBill protocol properties.

Property	Verification Result	Verification Time (s)
φ1	Satisfied	0.01
φ2	Satisfied	0.15
φ3	Satisfied	0.03
φ4	Satisfied	0.12
φ5	Satisfied	0.19
φ6	Satisfied	0.21

.

This means that our proposed method is successful in expressing the properties of the protocol by using CTL^GC, and that our transformation-based method of model-checking works effectively.

In this paper, we presented a new method for model-checking the logic of single and group commitments, CTL^GC. In this method, we developed a set of transformation rules so as to formally reduce the CTL^GC model-checking problem to a problem of ARCTL model-checking. We experimentally proved the soundness of this proposed reduction method.

The effectiveness of this proposed method was assessed empirically by applying it on a real case study drawn from the e-business domain, which is the NetBill protocol, and then running the transformation algorithm atop of the extended NuSMV model-checker. We could successfully check some desirable properties of this protocol expressed in the CTL^GC. In addition, we confirmed that this model is scalable since we could test 2.43462 × 10¹⁴ states. These appealing results support the capability of the CTL^GC to capture interactions among the concepts of the single and the group commitments, not only in small and medium systems but also in large systems.

As future directions of this work, we plan to devise dedicated algorithms for checking the CTL^GC model logic and apply them atop of the model checker for multi-agent systems (MCMAS) symbolic model-checker [61]. By doing so, we will become able to compare the outcomes of verification of the two algorithms, namely, the reduction/transformation algorithms and the model-checking algorithms. As well, we plan to investigate the single and the group social commitments under the condition of the presence of uncertainty. Moreover, we plan to investigate group conditional commitments (i.e., developing group conditional social commitments that handle one-to-group and group-to-one conditional commitment and their fulfillment), and address the verification problem of the proposed logic.