Niveles de seguridad

3.3.1.1 Syntax Alphabet

The alphabet of pTLA* consists of the alphabet of propositional logic _Lp

Properties and Temporal Logic 25

Formulas and preformulas

Definition 3.6 Formulas and preformulas of pTLA* are inductively defined as follows.

1. false is a formula, as is every atomic proposition v _{∈ V}. 2. If F,G are formulas then F _→G and ₂F are formulas. 3. If A is a preformula and v _{∈ V} then ₂[A]v is a formula.

4. If F is formula then F and _◦F are preformulas. 5. If A,B are preformulas then A_→B is a preformula.

For a (pre-)formula A, we denote by At(A) the set of atomic propositions that occur in A.

For writing formulas, we will use symbols such as F,G for formulas and A,B for preformulas. Notice that₂[...]v is considered to be a separate oper-

ator for all v _{∈ V}. Abbreviations

We use the abbreviation of propositional logic _Lp for both formulas and

preformulas. We sometimes write v0 instead of _◦v when v _{∈ V} is an atomic proposition. For (possibly primed) atomic propositions we sometimes use the equality symbol to denote equivalence, and write, for examplew0 =v instead of w0 _↔ v. If V = _{v1, . . . ,vn} ⊆ V is a finite set of atomic propositions,

we write V0 = V for the preformula v₁0 = v1 ∧. . .∧vn0 = vn and 2[A]V or 2[A]v1,...,vn to denote the formula 2[A]v1 ∧. . .∧2[A]vn.

In particular,₂[A]_∅ is equal totrue. We write₃F for the formula_¬2¬F and _3hA_iv for ¬2[¬A]v. Consequently, 3hAiv1,...,vn denotes 3hAiv1 ∨. . .∨

3hAivn.

3.3.1.2 Semantics

A stateis a boolean valuation as in propositional logic, i.e. s : _{V → {}tt, ff_}

of the atomic propositions. Abehavior σ =s0s1. . .is an infinite sequence of

states. Notice that since a behavior is a sequence, the conventional notations for a sequence (described in Section 2.3) also hold for it.

We now define what it means for a preformula or a formula to hold of a behavior σ, written σ_|≈ A or σ _|=F, respectively. Because every formula is also preformula, this also defines the semantics of formulas.

Definition 3.7 (semantics of (pre-)formulas) The semantics of preformulas is given by the relation _|≈, which is inductively defined as follows:

σ6|≈ false.

σ_|≈v iff s0(v) = tt (for v ∈ V).

σ_|≈A_→B iff σ_|≈A implies σ_|≈B .

σ_|≈2F iff σ[i..]_|≈F holds for all i _∈N.

σ_|≈2[A]v iff for all i ∈N,s_i(v) = s_i+1(v) or σ[i..]|≈A.

σ_{|≈ ◦}F iff σ[1..]_|≈F .

For a formula F , we usually write σ_|=F instead of σ_|≈F .

A behavior σ such that σ _|≈A holds is called a model of A. We say that a formula F is valid over a behavior σ iff σ[n..] _|= F holds for all n _∈ N.

Finally, F isvalid (written _|=F) iff it is valid over all behaviors. 3.3.1.3 Stuttering invariance

pTLA* is invariant under stuttering. In this section we describe what it means for a logic to be invariant under stuttering.

Definition 3.8 Let V _{⊆ V}.

1. Two states s,t are called V-similar, written s=V t, iff s(v) =t(v) for

all v _∈ V . Two behaviors σ, τ are called V -similar iff si =V ti holds

for all i .

2. V-stuttering equivalence, written _'V, is the smallest equivalence rela-

tion on behaviors that identifies ρ_{◦ h}s_{i ◦}σ and ρ_{◦ h}tu_{i ◦} σ, for any finite sequence of states ρ, infinite sequence of states σ, and pairwise V -similar states s,t,u.

3. Stuttering equivalence (written _') is _V-stuttering equivalence.

It follows that σ _'Vτ implies σ 'Wτ whenever W ⊆ V. In particular,

stuttering equivalence is the finest relation among all_'V. Note also that two

states s,t are _V-similar iff they are equal.

A logic is invariant under stuttering when none of its formulas can dis- tinguish between two stuttering-equivalent behaviors.

Given two behaviors σ =s0s1. . .and τ =t0t1. . . such that σ'Vτ holds

then

Properties and Temporal Logic 27

2. For every n _∈ N there is some m ∈ N such that both σ[n..] '_Vτ[m..]

and σ[n+ 1..]_'Vτ[m + 1..].

Replacing maximal finite repetitions of V-similar states by a single oc- currence of, say, the first of these states, it follows that for any behavior σ there exists a V-stuttering equivalent behavior \Vσ=s0s1. . .that contains

successive V-similar states only if it ends in V-stuttering, that is, for all i _∈ N, s_i =_V s_i+1 holds only if s_i =_V s_j for all j ≥ i. We call any such

behavior \Vσ a V-stuttering free variant of σ. Two behaviors σ, τ are V-

stuttering equivalent if and only if \Vσ =V \Vτ holds, where \Vσ and \Vτ

denote arbitrary V-stuttering free variants of σ and τ.

The following theorem can be used to prove that every pTLA* formula is invariant under stuttering.

Theorem 3.9 (stuttering invariance) Assume that A is a preformula, F is a formula and that σ, τ are behaviors.

1. If σ_'At(A) τ and σ[1..]'At(A) τ[1..] then σ|≈A iff τ|≈A.

2. If σ_'At(F) τ then σ|=F iff τ |=F .

The proof of Theorem 3.9 can be found in [83].