A Formal Study of Boolean Games with Random Formulas as Payoff Functions

LIPICS - Leibniz International Proceedings in Informatics, Oct 2018

In this paper, we present a probabilistic analysis of Boolean games. We consider the class of Boolean games whose payoff functions are given by random Boolean formulas. This makes it possible to study certain properties of this class in its totality, such as the probability of existence of a winning strategy, including its asymptotic behaviour. With the help of the Coq proof assistant, we develop a Coq library of Boolean games, providing a formal proof of our results and a basis for further developments.


Érik Martin-Dorel
Lab. IRIT, Univ. of Toulouse, CNRS, Université Paul Sabatier, 118 route de Narbonne, 31062 Toulouse Cedex 9, France
https://orcid.org/0000-0001-9716-9491

Sergei Soloviev
Lab. IRIT, Univ. of Toulouse, CNRS, Université Paul Sabatier, 118 route de Narbonne, 31062 Toulouse Cedex 9, France

2012 ACM Subject Classification Theory of computation → Higher order logic; Theory of computation → Algorithmic game theory; Mathematics of computing → Stochastic processes

Keywords and phrases Boolean games; Random process; Coq formal proofs

Funding This work was partly supported by the FAGames project of LabEx CIMI.

Acknowledgements The authors would like to thank Evgeny Dantsin and Jan-Georg Smaus for fruitful discussions on algorithmic games and other topics, as well as the anonymous referees for their remarks and feedback on our article. The first author also wishes to thank Cyril Cohen and Enrico Tassi for advice and enhancement suggestions for our under tactic.

1 Introduction

One of the main motivations for considering classes of games with random parameters is that it is a good method to explore these classes in their totality and to understand the relative importance of various properties of games (such as simultaneous or alternating moves, different assumptions concerning the access to information, etc.).
The situation where, for a given game, only its type can be known in advance but its parameters cannot, is common when the game-theoretic approach is used to study the behaviour of embedded systems, i.e., when at least some of the players are programs and the parameters are not fully controlled.¹ The frequency of interaction, which usually surpasses any conceivable capacity of human players, and the rapid evolution of the parameters of interaction make the use of probabilistic methods quite natural. In this paper we present the first results obtained via this approach applied to Boolean Games [11, 10, 7, 3]. More precisely, we limit our study to Boolean Games with random formulas that represent payoff functions. This model is naturally related to the situation where games between automated systems (e.g., embedded systems in computer networks) are considered. Indeed, assuming that the players are finite non-deterministic machines, they can be simulated by a family of Boolean formulas.

¹ S. Soloviev was partly supported by the Government of Russian Federation Grant 08-08 at ITMO University, Saint-Petersburg, Russia (associated researcher).

Before the exploration may start, several choices have to be made concerning the probabilistic model. Regarding elementary events: we have chosen Boolean functions as elementary events. Another possible choice would be to consider formulas as syntactic objects, but the former choice makes it easier to define probability distributions that are naturally related to the properties of the associated Boolean games (while the latter choice would require coping with the complex behaviour of the logical equivalence of formulas). It also seems natural to consider a probability space for each n, where n is the number of variables.
Indeed, n is one of the key parameters involved when considering the complexity of Boolean functions, and if we need to consider different values of n, it is possible to combine in some way the spaces built for each n.

Let us recall some basic properties of Boolean functions.
(i) The domain of these functions is 2^n = {false, true}^n, the set of all Boolean vectors of length n (which contains 2^n elements).
(ii) Each Boolean function can be identified with the characteristic function of a subset of 2^n, and thus with the subset itself, so the set of all elementary events is Ω = 2^{2^n}.
(iii) A subset of 2^n may be identified with a formula of n variables in full disjunctive normal form² that is satisfied by exactly these vectors (to each vector corresponds the conjunction of the variables and their negations: to true at the i-th place corresponds v_i, and to false corresponds ¬v_i).
(iv) The set Ω is a complete Boolean algebra, and logical operators on elements of Ω correspond to the set-theoretic operators on 2^n. The top element of this algebra is the set 2^n ∈ Ω (it represents the Boolean function true) and the bottom element is the set ∅ ∈ Ω (it represents the Boolean function false). How these logical operators "interact" with the probability on Ω is a separate question; for example, P(true) need not, of course, be equal to 1.
(v) There is a natural partial order on the elements of Ω, defined by the inclusion of subsets of 2^n and at the same time by Boolean implication (see Definition 1 below).

Since the elements of Ω may be seen at the same time as Boolean functions and as sets of Boolean vectors, we pose the following definition:

▶ Definition 1. Let ω1, ω2 be two Boolean functions (ω1, ω2 ∈ Ω := 2^{2^n}). We shall write ω1 ⇒0 ω2 and say that "ω2 is true on ω1" if for each vector v ∈ 2^n, ω1(v) = true implies ω2(v) = true. This is equivalent to the inclusion of ω1 in ω2, seen as subsets of 2^n:

∀ω1, ω2 ∈ 2^{2^n}. (ω1 ⇒0 ω2) ⟺ (ω1 ⊆ ω2).
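The identification of Boolean functions with subsets of 2^n, and of the relation ⇒0 with set inclusion, can be illustrated in a few lines of Python (an informal sketch of ours, independent of the paper's Coq development; all names are our own):

```python
from itertools import product

def all_vectors(n):
    """The set 2^n of all Boolean vectors of length n."""
    return [tuple(bits) for bits in product([False, True], repeat=n)]

def implies0(omega1, omega2):
    """omega1 =>0 omega2 iff omega1, seen as a truth-set, is included in
    omega2 (Definition 1)."""
    return omega1 <= omega2        # frozenset inclusion

n = 2
# A Boolean function of n variables is identified with its truth-set.
conj = frozenset({(True, True)})                    # the function v1 /\ v2
var1 = frozenset({(True, False), (True, True)})     # the function v1
assert implies0(conj, var1)        # v1 /\ v2 implies v1
assert not implies0(var1, conj)
assert len(all_vectors(n)) == 2 ** n    # Card(2^n) = 2^n
```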
² In particular, the empty subset may be identified with the empty DNF, that is, the constant false (the neutral element of disjunction).

▶ Remark. We may see random Boolean functions as (not necessarily independent) vectors of 2^n random variables with values in 2 = {false, true}.

Regarding the sigma-algebra of events: as usual for finite probability spaces, we consider the sigma-algebra S of all subsets of Ω: S = 2^{2^{2^n}}.

Regarding the probability distributions on the spaces of Boolean formulas: as noticed in [8], it is often assumed that all Boolean functions on a given number of variables have the same probability (see also [16]). In this paper, where we start our study, we decided to consider a slightly more general class of probability distributions, where Boolean functions are generated by a Bernoulli scheme on Boolean vectors, with an arbitrary probability p as parameter. Some more sophisticated ways to define probability distributions on Boolean expressions are discussed in [8] and we plan to explore them in the near future.

In Section 2, we prove several general results on the probability of winning strategies assuming an arbitrary probability distribution. Then in Section 3, we study the case of Boolean functions constructed through a finite Bernoulli process, specialise our results in this simpler setting, then discuss the relevance of these results. In Section 4, we further study the probability that a winning strategy exists for player A, with the new assumption that player A knows s bits of the opponent player. Then in Section 5, we study the growth rate of the aforementioned probability with respect to the knowledge of the second player's choices. Section 6 is devoted to technical remarks about the formalisation of our results within the Coq [5] formal proof assistant. Finally, a discussion on the notion of "non-guaranteed win" and its relationship with the order of moves is presented in Appendix A.
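The Bernoulli scheme on Boolean vectors mentioned above can be illustrated by a short Python sketch (ours, not part of the paper's Coq development): each vector of 2^n belongs to the truth-set of a random function independently with probability p, so the elementary event {F} has probability p^m q^(2^n − m), where m is the size of the truth-set of F.

```python
from fractions import Fraction
from itertools import product, combinations

n = 2
vectors = list(product([False, True], repeat=n))   # the set 2^n
p = Fraction(1, 3)                                 # Bernoulli parameter
q = 1 - p

def pr_elementary(truth_set):
    """Probability of {F}: each vector belongs to the truth-set of F
    independently with probability p, so P({F}) = p^m * q^(2^n - m),
    where m is the cardinality of the truth-set."""
    m = len(truth_set)
    return p ** m * q ** (len(vectors) - m)

# Enumerate all 2^(2^n) Boolean functions via their truth-sets.
all_functions = [frozenset(c)
                 for r in range(len(vectors) + 1)
                 for c in combinations(vectors, r)]
assert len(all_functions) == 2 ** (2 ** n)         # 16 functions for n = 2
# Sanity check: the elementary probabilities sum to 1.
assert sum(pr_elementary(F) for F in all_functions) == 1
```

Using exact rationals (Fraction) makes the sanity check an identity, (p + q)^(2^n) = 1, rather than a floating-point approximation.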
All the results of the paper have been formally verified within Coq. The Coq code is available online at https://github.com/erikmd/coq-bool-games and it has also been archived, see [14]. Beyond the fact that formal certification is interesting in itself to the types community, it is nowadays common in the development and characterisation of the behaviour of autonomous programs, which is one of the subjects of this study.

2 Probability of Winning Strategies

Building upon the material of the previous section, we can consider any probability P defined on the sigma-algebra S = 2^{2^{2^n}}, and thus obtain a probability space (Ω, S, P). We shall show in this section that several results can be derived in this setting, however general it may sound.

▶ Example 2 (using Definition 1). The probability of the event "ω is true on ω0", with fixed ω0 ∈ Ω, is P(ω0 ⇒0 ω) = Σ_{ω : ω0 ⇒0 ω} P({ω}).

Below we shall consider the Boolean games of two players A and B with a random Boolean function F of n variables as the payoff function of A, and its negation as the payoff function for B.³ We shall assume that A controls the first k variables, and B the remaining n − k variables. The strategy of A is any vector that belongs to 2^k (a valuation of the first k variables) and the strategy of B is any valuation of the remaining n − k variables (a vector of 2^{n−k}). The outcome of the game is given by player A's payoff function F : 2^n → 2, which can thereby be viewed as a function F : 2^k × 2^{n−k} → 2 (mapping a strategy profile to a Boolean outcome). In the sequel of the paper, we shall identify these two possible types for the function F, while in the formal development they are encoded respectively as (bool_fun n) and (bool_game n k).

³ In the sequel of the paper, all definitions and theorems will be stated in mathematical syntax, and the corresponding Coq identifier will be given between brackets.

▶ Definition 3 (winA). For any game F : 2^k × 2^{n−k} → 2, a strategy a = (a1, …, ak) of player A is winning if it wins against any strategy b ∈ 2^{n−k} of B:

winA[F](a) := ∀b ∈ 2^{n−k}. F(a, b) = true.

If there is no ambiguity, we shall omit the name of the game and simply write winA(a). In other words, a is winning if the payoff function is equal to true on all vectors of length n that "extend" a. This led us to introduce the following

▶ Definition 4 (w_, W_). For any a ∈ 2^k, let ωa be the set of vectors in 2^n that extend a:

ωa := {v ∈ 2^n | v1 = a1 ∧ · · · ∧ vk = ak} ∈ Ω

and Wa be the set of all Boolean functions that are true on ωa:

Wa := {ω ∈ Ω | ωa ⇒0 ω} ∈ S.

These definitions straightforwardly imply the following lemma:

▶ Lemma 5 (winA_eq). For any Boolean function F : 2^n → 2 and any strategy a ∈ 2^k of player A in the associated Boolean game, we have: winA(a) ⟺ F ∈ Wa.

Lemma 5 implies that the probability that a winning strategy exists satisfies:

P(∃a : 2^k. winA(a)) = P(⋃_{a∈2^k} Wa).   (1)

Then we shall rely on the inclusion-exclusion formula, which we proved in full generality as follows:

▶ Theorem 6 (Pr_bigcup_incl_excl). For any finite probability space (Ω, S, P) and any sequence of events (S_i)_{0≤i<n}, we have:

P(⋃_{0≤i<n} S_i) = Σ_{m=1}^{n} (−1)^{m−1} Σ_{J⊆N∩[0,n), Card J=m} P(⋂_{j∈J} S_j).   (2)

Proof. For proving this theorem in Coq we formalise a small theory of indicator functions Ind_S : Ω → {0, 1} for any finite set S ⊆ Ω, including the fact that the expectation satisfies E(Ind_S) = P(S), then formalise an algebraic proof of the inclusion-exclusion formula.⁴ These proofs strongly rely on the bigop theory of the MathComp library, as well as on the tactic "under" that we developed in Ltac to easily "rewrite under lambdas" (e.g., under the Σ symbol). These tactic facilities will be further detailed in Section 6. ◀

Hence the following result:

▶ Theorem 7 (Pr_ex_winA). For any finite probability space (Ω, S, P), the probability that there exists some strategy a = (a1, …, ak) of A that is winning satisfies: P(∃a : 2^k.
winA(a)) = Σ_{a∈2^k} P(Wa) − Σ_{{a,a′}⊆2^k} P(Wa ∩ Wa′) + · · · = Σ_{m=1}^{2^k} (−1)^{m−1} Σ_{J⊆2^k, Card J=m} P(⋂_{a∈J} Wa).

▶ Definition 8 (winB). For any game F : 2^k × 2^{n−k} → 2, a strategy b = (b1, …, b_{n−k}) of player B is winning if it wins against any strategy a ∈ 2^k of A:

winB[F](b) := ∀a ∈ 2^k. F(a, b) = false.

If there is no ambiguity, we shall omit the name of the game and simply write winB(b). A first result consists in showing that player B wins in a given game if and only if player A wins in the "dual game".

▶ Lemma 9 (winB_eq). Any Boolean game F : 2^k × 2^{n−k} → 2 (with n variables, k of which are controlled by player A) can be associated with a dual Boolean game F′ : 2^{n−k} × 2^k → 2 such that winB[F](b) ⟺ winA[F′](b).

Proof. First, we define the dual game F′ := bool_game_sym(F) associated with F as:

F′ := (b, a) ↦ ¬F(a, b).

Then, we define bool_game_sym' (the inverse of function bool_game_sym) and show that both functions are bijections. In the formal development, the related lemmas are named bool_game_sym_bij and bool_game_sym'_bij. ◀

We then deduce the following result, which relates the probability of existence of a winning strategy for player B to that of player A.

▶ Theorem 10 (Pr_ex_winB). For any finite probability space (Ω, S, P), the probability that there exists some strategy b = (b1, …, b_{n−k}) of B that is winning satisfies:

P(∃b : 2^{n−k}. winB[F](b)) = P(∃a : 2^{n−k}. winA[F′](a)),

where F′ := bool_game_sym(F).

Proof. The proof straightforwardly derives from Lemma 9. ◀

Finally, we prove the intuitive fact that the events "∃a. winA(a)" and "∃b. winB(b)" are disjoint, and thereby their probabilities add up:

▶ Lemma 11 (Pr_ex_winA_winB_disj). For any finite probability space (Ω, S, P), we have:

P(∃a. winA(a) ∨ ∃b. winB(b)) = P(∃a. winA(a)) + P(∃b. winB(b)).

Proof. Given the definitions of winA and winB, for a given game F and any strategies a and b, the events "winA(a)" and "winB(b)" are disjoint. So the proof just amounts to lifting this fact (considering existence) and using the additivity of P. ◀

⁴ Taking inspiration from the proof path presented at https://en.wikipedia.org/wiki/Inclusion-exclusion_principle#Algebraic_proof

3 Bernoulli Process and Winning Strategies

In this section we still consider the space Ω = 2^{2^n} of random Boolean formulas of n variables, endowed with the sigma-algebra S = 2^{2^{2^n}}, and the associated Boolean games with parameter 0 ≤ k ≤ n. But now, we assume that the Boolean formulas (in DNF) are determined by a random choice of the Boolean vectors that satisfy the formulas. To be more precise, we assume that the probability that each vector v ∈ 2^n belongs to the truth-set of the formula F is equal to p (0 ≤ p ≤ 1). As usual, we write q = 1 − p.

In the sequel, we shall often identify Boolean functions F : 2^n → 2 with their truth-set F^{−1}({true}) ∈ 2^{2^n}. In the Coq formalisation, the distinction between the two is always made explicit: the function that gives the truth-set of a Boolean function is implemented by a function finset_of_bool_fun : ∀ n : nat, bool_fun n -> {set bool_vec n} and the inverse of this function is formalised as a function DNF_of (disjunctive normal form).

Our setup amounts to constructing a Bernoulli process, that is, a series of independent Bernoulli trials, to decide whether each vector v ∈ 2^n belongs to the truth-set of F or not. We obtain the following result:

▶ Lemma 12 (dist_BernoulliE). For any F ∈ Ω, the probability of an elementary event {F} with respect to the considered probability P_{n;p} (modelling a series of 2^n independent Bernoulli trials of parameter p) is:

P_{n;p}({F}) = p^m (1 − p)^{2^n − m}

where m denotes the number of vectors in the truth-set of F, and 2^n − m denotes the number of vectors in the truth-set of the negation of F.

Proof. The proof (and its formal counterpart in Coq) straightforwardly derives from the definitions. ◀

For now, we assume that the choices of players A and B are made simultaneously.
A wins if the value of F is true, otherwise B wins. What is the probability that A has a winning strategy? First, suppose that the strategy a of A is fixed, and let us compute the probability that it is winning. We first prove the following

▶ Lemma 13 (Pr_implies0_Bern). Let S ⊆ 2^n, and let us write m := Card S. Then the probability that F is true on S satisfies: P_{n;p}(S ⇒0 F) = p^m.

Proof. We follow the following proof path:

P_{n;p}(S ⇒0 F) = Σ_{F : S⊆F} P_{n;p}({F})
= Σ_{S′⊆2^n∖S, F=S∪S′} P_{n;p}({F})
= Σ_{S′⊆2^n∖S} p^{Card(S∪S′)} q^{2^n − Card(S∪S′)}   (by Lemma 12)
= Σ_{m′=0}^{2^n−m} C(2^n−m, m′) p^{m+m′} q^{2^n−m−m′}
= p^m Σ_{m′=0}^{2^n−m} C(2^n−m, m′) p^{m′} q^{2^n−m−m′}
= p^m (p + q)^{2^n−m} = p^m. ◀

▶ Lemma 14 (card_w_a_Bern). For any strategy a of player A, we have Card ωa = 2^{n−k}.

Proof. This lemma easily follows from the fact that ωa is the image of the strategy space 2^{n−k} of B by an injective function. ◀

Hence the following theorem, which gives the probability that a fixed strategy of A is winning:

▶ Theorem 15 (Pr_winA_Bern). For any strategy a of player A, we have P_{n;p}(winA(a)) = p^{2^{n−k}}.

Proof. This result is an immediate consequence of Lemmas 13 and 14. ◀

Now, let us determine the probability that A has at least one winning strategy. One may first notice the following

▶ Lemma 16 (w_trivIset). The truth-sets ωa (for a ∈ J ⊆ 2^k) are pairwise disjoint.

Proof. By contradiction: if we had a, a′ ∈ 2^k such that ωa ≠ ωa′ and ωa ∩ ωa′ ≠ ∅, then let us pick x ∈ ωa ∩ ωa′. By unfolding Definition 4, this means that the first k bits of x coincide with all bits of a, and likewise for a′. This implies that a = a′ and thereby ωa = ωa′, which contradicts the initial hypothesis. ◀

Lemma 16 implies that the cardinality of any union of sets ωa is the sum of their cardinalities. We can now prove the following

▶ Theorem 17 (Pr_ex_winA_Bern). For any n and k, if P_{n;p} follows the Bernoulli scheme that we previously constructed, the probability that player A has a winning strategy is:

P_{n;p}(∃a. winA(a)) = 1 − (1 − p^{2^{n−k}})^{2^k}.

Proof. Thanks to Theorem 7, we can write:

P_{n;p}(∃a : 2^k. winA(a)) = Σ_{m=1}^{2^k} (−1)^{m−1} Σ_{J⊆2^k, Card J=m} P_{n;p}(⋂_{a∈J} Wa).   (3)

By Lemmas 13, 14 and 16, for any J ⊆ 2^k with Card J = m we have P_{n;p}(⋂_{a∈J} Wa) = p^{m·2^{n−k}}, so the sum above equals Σ_{m=1}^{2^k} (−1)^{m−1} C(2^k, m) (p^{2^{n−k}})^m = 1 − (1 − p^{2^{n−k}})^{2^k} by the binomial formula. ◀

By duality, one can derive the probability of existence of a winning strategy for player B:

▶ Corollary 18 (Pr_ex_winB_Bern). For any p, n, k, if P_{n;p} denotes the considered Bernoulli scheme (with parameters 0 ≤ p ≤ 1 and n ∈ N) and if k denotes the number of variables controlled by player A, then the probability that player B has a winning strategy is:

P_{n;p}(∃b : 2^{n−k}. winB(b)) = 1 − (1 − (1 − p)^{2^k})^{2^{n−k}}.

Proof. The result follows from Theorems 10 and 17. Also, the proof makes use of our under tactic for rewriting under lambdas (it will be presented in Section 6). ◀

▶ Corollary 19 (Pr_nex_winA_winB_Bern). For any p, n, k, if P_{n;p} denotes the considered Bernoulli scheme (with parameters 0 ≤ p ≤ 1 and n ∈ N) and if k denotes the number of variables controlled by player A, then the probability that no player has a winning strategy is:

P_{n;p}(¬((∃a. winA(a)) ∨ (∃b. winB(b)))) = (1 − p^{2^{n−k}})^{2^k} + (1 − (1 − p)^{2^k})^{2^{n−k}} − 1.   (4)

Proof. The result follows from Lemma 11, Theorem 17 and Corollary 18. ◀

3.1 Discussion

The computations above may seem elementary, but they lead to some observations that are less trivial. As we may see, there is a considerable probability that there is no winning strategy at all. For example, if p ∈ {1/4, 1/2, 3/4}, n ∈ {10, 20}, 0 < k < n, the probability that a winning strategy exists neither for A nor for B (cf. Equation (4)) is given in Tables 1 and 2 (the values were computed using Sollya⁵ with 3-digit decimal output). In both tables, it should be noted that 1 actually means a value extremely close to 1, not 1 exactly. Also, one may notice that when p ∈ (0, 1) is fixed, k = c · n for a given constant 0 < c < 1, and n tends towards +∞, the probability that a winning strategy exists neither for player A nor for player B tends to 1.
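The closed forms of Theorem 17, Corollary 18 and Equation (4) can be cross-checked by exhaustive enumeration for tiny parameters (an illustrative Python sketch of ours, independent of the Coq development):

```python
from fractions import Fraction
from itertools import product, combinations

n, k = 3, 1
p = Fraction(1, 2)
q = 1 - p
vectors = list(product([False, True], repeat=n))

def pr(F):
    """P_{n;p}({F}) = p^m q^(2^n - m), m = Card(truth-set of F) (Lemma 12)."""
    return p ** len(F) * q ** (len(vectors) - len(F))

def win_a(F, a):
    """winA(a): F is true on every vector extending the strategy a of A."""
    return all(a + b in F for b in product([False, True], repeat=n - k))

def win_b(F, b):
    """winB(b): F is false whatever strategy a of A is played against b."""
    return all(a + b not in F for a in product([False, True], repeat=k))

all_functions = [frozenset(c)
                 for r in range(len(vectors) + 1)
                 for c in combinations(vectors, r)]

pA = sum(pr(F) for F in all_functions
         if any(win_a(F, a) for a in product([False, True], repeat=k)))
pB = sum(pr(F) for F in all_functions
         if any(win_b(F, b) for b in product([False, True], repeat=n - k)))

assert pA == 1 - (1 - p ** 2 ** (n - k)) ** 2 ** k            # Theorem 17
assert pB == 1 - (1 - (1 - p) ** 2 ** k) ** 2 ** (n - k)      # Corollary 18
assert 1 - pA - pB == (1 - p ** 2 ** (n - k)) ** 2 ** k \
    + (1 - (1 - p) ** 2 ** k) ** 2 ** (n - k) - 1             # Equation (4)
```

With n = 3, k = 1 and p = 1/2 this gives pA = 31/256, pB = 175/256, and a probability 50/256 that neither player has a winning strategy.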
If (for some game F ) a winning strategy exists neither for A nor for B, then the order of moves becomes important. Indeed, let a be an arbitrary strategy of A. Since it is not winning, there exists at least one b of B such that F (a, b) = false. If B makes his choice after A, he may always win. Similarly, if A makes his choice after B, he may always win. We shall elaborate on this observation and give a motivating example in Appendix A. Bradfield, Gutierrez and Wooldridge notice [4] (as do some other authors): “As they are conventionally formulated, Boolean games assume that players make their choices in ignorance of the choices being made by other players – they are games of simultaneous moves. 5 http://sollya.gforge.inria.fr/ For many settings, this is clearly unrealistic.” Our simple probabilistic analysis provides a direct quantitative argument to support this general observation. 4 Partial Information on the Opponent’s Choices Now, let us consider the case when A may have partial information about the choices of B before making his own choice. Without loss of generality, we may assume that he knows the values of the first s variables among the variables vk+1, ..., vn controlled by B. We shall consider the probability of existence of strategies of A such that for every vector b1:s = (b1, ..., bs) ∈ 2s there exists a strategy a ∈ 2k that wins against any strategy b ∈ 2n−k where first s values coincide with b1:s. In other words, we are interested in the probability of guaranteed win by A when s choices by B among n − k are known (assuming 0 ≤ s ≤ n − k). We thus introduce the following predicate: I Definition 20 (winA_knowing). For any game F : 2k × 2n−k → 2 and any b1:s ∈ 2s, we say that a strategy a ∈ 2k is winning under the knowledge of b1:s if it is winning against all strategy profile (a, b) ∈ 2k × 2n−k that is compatible with b1:s: winA(a | b1:s) := ∀b ∈ 2n−k. compat_knowing(b1:s, b) =⇒ F (a, b) = 1, where compat_knowing(b1:s, b) := ∀i ∈ 2s. (b1:s)i = bi. 
For relating this predicate with that of Definition 3, the proof of the following lemma is immediate:

▶ Lemma 21 (winA_knowingE). For any game F : 2^k × 2^{n−k} → 2 and any bit-vectors b_{1:s} ∈ 2^s and a ∈ 2^k, we have:

winA[F](a | b_{1:s}) = winA[bgk(F, b_{1:s})](a),

where bgk(F, b_{1:s}) : 2^k × 2^{n−s−k} → 2 is the Boolean game defined by:

bgk(F, b_{1:s})(a, b′) = F(a, (b_{1:s}, b′)).

Now, to compute the probability P_{n;p}(∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA(a | b_{1:s})) in the space (Ω, S, P_{n;p}) introduced in Section 3, we shall first construct a probability space (Ω′, S′, P′) that is provably isomorphic to (Ω, S, P_{n;p}), but which is simpler to handle.

First, we note that there are 2^s possible Boolean vectors b_{1:s} = (b1, …, bs), and for each b_{1:s} we pose

B_{b_{1:s}} = {v ∈ 2^n | v_{k+1} = b1 ∧ · · · ∧ v_{k+s} = bs}.

The family (B_{b_{1:s}})_{b_{1:s}∈2^s} constitutes a partition of 2^n (we have 2^n = ⋃_{b_{1:s}∈2^s} B_{b_{1:s}}, the intersections of B_{b_{1:s}} for different b_{1:s} are empty, and no set B_{b_{1:s}} is empty).

Second, we define Ω_{b_{1:s}} := 2^{B_{b_{1:s}}} as the powerset of B_{b_{1:s}} and show that there is a one-to-one correspondence between Ω_{b_{1:s}} and 2^{2^{n−s}}. We shall denote the corresponding bijections by g : Ω_{b_{1:s}} → 2^{2^{n−s}} and h : 2^{2^{n−s}} → Ω_{b_{1:s}}. In the formal development, the related lemmas are named bool_fun_of_OmegaB_bij and OmegaB_of_bool_fun_bij.

Next, we consider the probability P_{b_{1:s}} := P_{n−s;p} ∘ h^{−1} defined as the pushforward distribution (with respect to function h) of the Bernoulli process P_{n−s;p} with parameters n − s and p. We then consider the product space (Ω′, S′, P′) defined by Ω′ = ∏_{b_{1:s}∈2^s} Ω_{b_{1:s}}, S′ = 2^{Ω′}, and P′ = ⊗_{b_{1:s}∈2^s} P_{b_{1:s}}.

Relying on functions g and h, we finally show that there is a one-to-one correspondence between Ω′ and Ω = 2^{2^n}. We shall denote the corresponding bijections by g′ : Ω′ → Ω and h′ : Ω → Ω′. In the formal development, the related lemmas are named bool_fun_of_Omega'_bij and Omega'_of_bool_fun_bij.

We now prove that the spaces (Ω, S, P_{n;p}) and (Ω′, S′, P′) are isomorphic:

▶ Lemma 22 (isom_dist_Omega').
The probability distribution P_{n;p} (defined in Section 3 as the Bernoulli process with parameters n and p) is extensionally equal to the pushforward distribution of P′ with respect to function g′.

Proof. In the Coq formal proof, this lemma amounts to splitting a big-operator expression with respect to the partition of 2^n, reindexing big-operator expressions half a dozen times, and rewriting "cancellation lemmas" to simplify the composition of a bijection and its inverse function. Also, the use of our under tactic (see Section 6) contributed to simplifying the mechanisation of this proof. ◀

A key ingredient for the sequel will be the following

▶ Lemma 23 (ProductDist.indep). Given a finite type I and a family of finite probability spaces (Ω_i, S_i = 2^{Ω_i}, P_i)_{i∈I}, the product space defined by

Ω_Π = ∏_{i∈I} Ω_i,   S_Π = 2^{Ω_Π},   P_Π = ⊗_{i∈I} P_i

is such that the projections (π_i : Ω_Π → Ω_i)_{i∈I} are independent random variables. In other words, for any family of events (Q_i)_{i∈I} ∈ ∏_{i∈I} S_i, we have:

P_Π(⋂_{i∈I} π_i^{−1}(Q_i)) = ∏_{i∈I} P_i(Q_i).

We can now prove the following

▶ Theorem 24 (Pr_ex_winA_knowing_Bern). For all p ∈ [0, 1] and for all integers n, k, s satisfying 0 ≤ s ≤ n − k ≤ n, if P_{n;p} is the Bernoulli process with parameters n and p defined in Section 3, the probability of a guaranteed win for player A knowing s choices of player B among his n − k variables is:

P_{n;p}(∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA(a | b_{1:s})) = (1 − (1 − p^{2^{n−k−s}})^{2^k})^{2^s}.   (5)

Proof. We follow the following proof path:

P_{n;p}(∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA(a | b_{1:s}))
= P_{n;p}{F ∈ Ω | ∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA[F](a | b_{1:s})}
= P_{n;p}{F ∈ Ω | ∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA[bgk(F, b_{1:s})](a)}   (by Lemma 21)
= (P′ ∘ g′^{−1}){F ∈ Ω | ∀b_{1:s} ∈ 2^s. ∃a ∈ 2^k. winA[bgk(F, b_{1:s})](a)}   (by Lemma 22)
= P′{f ∈ Ω′ | ∀b_{1:s} ∈ 2^s. f(b_{1:s}) ∈ {S ∈ Ω_{b_{1:s}} | ∃a ∈ 2^k. winA[g(S)](a)}}   (by elementary facts on g, g′ and the bgk function defined in Lemma 21)
= ∏_{b_{1:s}∈2^s} P_{b_{1:s}}{S ∈ Ω_{b_{1:s}} | ∃a ∈ 2^k. winA[g(S)](a)}   (by Lemma 23)
= ∏_{b_{1:s}∈2^s} (P_{n−s;p} ∘ h^{−1}){S ∈ Ω_{b_{1:s}} | ∃a ∈ 2^k. winA[g(S)](a)}   (by definition of P_{b_{1:s}})
= ∏_{b_{1:s}∈2^s} P_{n−s;p}{F ∈ 2^{2^{n−s}} | ∃a ∈ 2^k. winA[F](a)}   (by definition of g and h)
= ∏_{b_{1:s}∈2^s} (1 − (1 − p^{2^{n−s−k}})^{2^k})   (by Theorem 17, applied to random Boolean functions with n − s variables)
= (1 − (1 − p^{2^{n−k−s}})^{2^k})^{2^s}. ◀

We may compare this probability with the probability of existence of an unconditionally winning strategy studied in Section 3 (Theorem 17). The upcoming section will focus on this question.

▶ Remark. In Theorems 17 and 24, we formally studied the probability of a guaranteed win (knowing partial information on the opponent), that is, the probability that for every value taken by the first s variables of B,⁶ there exists a strategy for A that wins against all strategies of B given this fixed value of the first s variables of B. This problem is purely combinatorial and does not depend on the "preferences" of B (regarding the variables that he controls). So this probability will typically be different from the probability of a non-guaranteed win for player A, as this latter probability could be influenced by the preferences of B for some choices, the dependency of these choices on F, and so on.

⁶ Theorem 17 being a particular case of Theorem 24 (s = 0).

5 Probability of Guaranteed Win: Growth Rate

Using the result given by Theorem 24, we would like to study how the probability of a guaranteed win grows with each bit of information concerning the choices of B. For fixed values of p ∈ (0, 1), n, k ∈ N such that 0 < k < n, and for 0 ≤ s ≤ n − k, let us write g(s) for the quantity given in Equation (5). First, we note that when s tends to n − k, the probability of a guaranteed win for A tends to

g(n − k) = (1 − (1 − p)^{2^k})^{2^{n−k}},

that is, to 1 minus the probability of a guaranteed win for B (cf. Corollary 18). Then, an interesting question may be: what is the order of growth of the difference

φ(s) := g(s) − g(0) (∈ [0, 1])

with respect to s?
The following result is a first answer to this question:

▶ Theorem 25 (phi_ineq). For any p ∈ (0, 1) and n, k ∈ N∗ such that 0 ≤ s ≤ n − k, if the following condition holds:

2^k p^{2^{n−k−s}} < 1,   (6)

then we have

φ(s) > 2^{(k−1)2^s} p^{2^{n−k}} − 2^k p^{2^{n−k}}.   (7)

In particular, condition (6) is satisfied as soon as the following, stronger condition is satisfied:

s ≤ (n − k) − log2(k + 1) + log2(|log2 p|).   (8)

Proof. Let us write t = p^{2^{n−k−s}}. By the binomial formula, we have:

1 − (1 − t)^{2^k} = 2^k t − (2^k t)^2 Σ_{i=2}^{2^k} (−1)^i 2^{−2k} C(2^k, i) t^{i−2}.   (9)

We notice that if (6) holds, that is, if 2^k t < 1, then the absolute value of the (i + 1)-th member of the sum Σ in (9) is less than that of the i-th member, because it is obtained by multiplication by ((2^k − i)/(i + 1)) t < 2^k t. So, if (6) holds, then the sum (which is positive) is less than or equal to its first term. Moreover, the first term of the sum Σ in (9) is 2^{−2k} · 2^k(2^k − 1)/2 < 1/2. So, if (6) is satisfied for some n, k, s, then from (9) we obtain

1 − (1 − t)^{2^k} ≥ 2^k t − (1/2)(2^k t)^2 = 2^k t (1 − (1/2) 2^k t) > 2^{k−1} t.   (10)

Thus, under these conditions,

g(s) = (1 − (1 − p^{2^{n−k−s}})^{2^k})^{2^s} > (2^{k−1} t)^{2^s} = 2^{(k−1)2^s} p^{2^{n−k}}.   (11)

Next, a similar analysis applied to g(0) = 1 − (1 − p^{2^{n−k}})^{2^k} yields the upper bound g(0) ≤ 2^k p^{2^{n−k}}, whence (7).

Finally, the following condition is obviously stronger than (6):

2^{n−k−s} |log2 p| ≥ k + 1.   (12)

Applying the log a second time, we obtain

s ≤ (n − k) − log2(k + 1) + log2(|log2 p|),   (13)

which is exactly (8), and thereby a sufficient condition for (6). ◀

For example, if p = 1/2, condition (8) becomes

s ≤ (n − k) − log2(k + 1).   (14)

And if 0 < p < 1/2, then log2(|log2 p|) > 0, so − log2(k + 1) < − log2(k + 1) + log2(|log2 p|), and thereby we can also rely on condition (14).

It can be noted that inequality (7) essentially gives an order of growth of 2^{(k−1)2^s} with respect to the quantity of information s (the number of extra bits known by player A), which is much faster than the usual orders of growth such as s or 2^s.
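The bounds above can be checked numerically for the parameters used in Figure 1 (p = 1/2, n = 10, k = 6); this is an illustrative sketch of ours, with floating-point arithmetic rather than the exact reasoning of the Coq development:

```python
from math import log2

# Figure-1-like parameters: p = 1/2, n = 10, k = 6.
p, n, k = 0.5, 10, 6

def g(s):
    """g(s) = (1 - (1 - p^(2^(n-k-s)))^(2^k))^(2^s), Equation (5)."""
    return (1 - (1 - p ** 2 ** (n - k - s)) ** 2 ** k) ** 2 ** s

# Condition (8): s <= (n - k) - log2(k + 1) + log2(|log2 p|), ~1.19 here.
s_max = (n - k) - log2(k + 1) + log2(abs(log2(p)))

for s in range(n - k + 1):
    if s <= s_max:
        # Condition (8) implies condition (6) ...
        assert 2 ** k * p ** 2 ** (n - k - s) < 1
        # ... which gives the lower bound (11): g(s) > 2^((k-1)2^s) p^(2^(n-k)).
        assert g(s) > 2 ** ((k - 1) * 2 ** s) * p ** 2 ** (n - k)

# For these parameters, g is increasing in s: each known bit of B helps A.
assert all(g(s) < g(s + 1) for s in range(n - k))
```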
Still, a more refined study of the behaviour of the function that describes the growth of g(s) (the probability of a guaranteed win depending on s) requires much more effort and space than we could give it in this exploratory paper. For example, it is intuitively clear that the graph of this function is a typical "S-shaped" curve (see Figure 1), but it is not easy to determine where the critical points are placed; and for small values of the parameter s, the inequality we obtain in (7) may be too crude to place them with sufficient precision. However, the behaviour of this function g may be of interest for strategic planning by both players. This remains a subject of future work.

6 Remarks on the Formal Setup in the Coq Proof Assistant

6.1 Related Works on Formal Libraries of Probability

There have been several works focusing on the formalisation of measure theory or probability using interactive theorem proving. Some of these works only deal with discrete probability, or focus on the analysis of randomised algorithms; others formalise large fragments of measure theory up to Lebesgue's integration theory.

Figure 1 Graph of g(s), for the parameters p = 1/2, n = 10, and k = 6. The vertical line at s ≈ 1.19 indicates the largest s ∈ R that satisfies (8).

Using the HOL proof assistant, Hurd [13] developed a framework for proving properties of randomised programs, relying on a formalisation of measure theory, and following a "monadic transformation" approach that provides the user with an infinite sequence of independent, identically distributed Bernoulli(1/2) random variables. Still using the HOL proof assistant and building upon Hurd's work, Mhamdi, Hasan and Tahar [12, 15] developed a comprehensive formalisation of measure theory, including Lebesgue's integration theory. Using the Coq proof assistant, Audebaud and Paulin-Mohring [2] developed the ALEA library⁷ that provides a framework to reason about randomised functional programs.
Unlike Hurd's approach, it does not require a complete formalisation of measure theory: it is built upon a Coq axiomatisation of the interval [0, 1] and it interprets randomised programs as (discrete) probability distributions. Still using the Coq formal proof assistant, Affeldt, Hagiwara and Sénizergues [1] developed the Infotheo library⁸ that provides a formalisation of information theory. This library comes with a formalisation of finite probability theory and strongly relies on the theories of the MathComp library⁹.

For developing our library on random Boolean games, we have chosen to rely on the Infotheo library. Even though it only deals with finite probability, this setting was sufficient for formalising our results and, further, it allowed us to benefit from the facilities of the SSReflect/MathComp library. In the rest of this section, we shall summarise the main notions that we used from the MathComp library and present our related contributions (Section 6.2), then describe the overall setup of the Infotheo probability theory and present our related contributions (Section 6.3).

⁷ https://www.lri.fr/~paulin/ALEA/
⁸ https://staff.aist.go.jp/reynald.affeldt/shannon
⁹ https://math-comp.github.io/math-comp/

6.2 MathComp and Our Related Contributions

The MathComp library was born in the Mathematical Components project, which aimed at formalising the Odd Order Theorem in the Coq proof assistant [9], while organising formal proofs into components to obtain a reusable library of mathematical facts. It is built upon SSReflect, an extension of Coq's proof language that has native support for so-called small-scale reflection (and in particular Boolean reflection) and often leads to concise proof scripts.
For our library of random Boolean games, we have especially used the following libraries: (i) fintype for finite types with decidable equality, (ii) finfun for functions over finite domains, (iii) finset for finite sets, (iv) bigop for properties of "big operators".

Big-operators and rewriting under lambdas

Big operators such as Σ, Π, ⋂ or ⋃ are formalised in MathComp as a higher-order function bigop that takes several arguments, including a function that specifies the "domain predicate" and the "general term". For example, the sum ∑_{1 ≤ i < 5, i odd} i² can be formally written as \sum_(1 <= i < 5 | odd i) i^2, which amounts to the following term if we get rid of the \sum notation:

bigop 0 (index_iota 1 5) (fun i : nat => BigBody i addn (odd i) (i ^ 2))

If we want to transform such a big-operator expression by rewriting its domain predicate or its general term, the following two MathComp lemmas on big operators can be used:

eq_bigr : forall (R : Type) (idx : R) (op : R -> R -> R) (I : Type)
  (r : seq I) (P : pred I) (F1 F2 : I -> R),
  (forall i : I, P i -> F1 i = F2 i) ->
  \big[op/idx]_(i <- r | P i) F1 i = \big[op/idx]_(i <- r | P i) F2 i

eq_bigl : forall (R : Type) (idx : R) (op : R -> R -> R) (I : Type)
  (r : seq I) (P1 P2 : pred I) (F : I -> R),
  P1 =1 P2 ->
  \big[op/idx]_(i <- r | P1 i) F i = \big[op/idx]_(i <- r | P2 i) F i

Still, applying them directly would require providing the entire term corresponding to the function we want to obtain. We thus developed a Coq tactic "under" for rewriting under the lambdas of big operators. A generalised version of our tactic, also applicable to MathComp notions such as matrices, polynomials, and so on, is available online at https://github.com/erikmd/ssr-under-tac and we plan to submit it for possible inclusion in MathComp. Below is a typical example of use of that generalised implementation of the under tactic.
For a goal that looks like

A : finType
n : nat
F : A -> nat
========================================================
0 <= \sum_(0 <= k < n)
       \sum_(J in {set A} | #|J :&: [set: A]| == k)
         \sum_(j in J) F j

the proof script

under eq_bigr [k Hk] under eq_bigl [J] rewrite setIT.

will yield the following goal:

A : finType
n : nat
F : A -> nat
========================================================
0 <= \sum_(0 <= k < n)
       \sum_(J in {set A} | #|J| == k)
         \sum_(j in J) F j

Dependent product of finTypes

MathComp has built-in support for finite functions: for any (A : finType) and (T : Type), the notation {ffun A -> T} stands for the type of finite functions from A to T. If n denotes the cardinality of A, these functions are represented by an n-tuple of elements of T, which allows one to obtain convenient properties such as the extensionality of finite functions, which would not hold otherwise in the constructive, intensional logic of Coq. If T is also a finite type, then the MathComp library allows one to automatically retrieve (thanks to type inference and so-called canonical structures) a finite-type structure for the type {ffun A -> T} itself. Thus, this construct amounts to the non-dependent product of finTypes. However, for formalising our results, and in particular to construct the type Ω0 that appears in Section 4, we have been led to formalise the dependent product of a finite family of finite types.
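Before turning to the Coq interface, the idea of this dependent product can be conveyed in executable form. The following Python sketch (an illustrative analogue, not part of our Coq development) enumerates the dependent product of a finite family of finite types, whose cardinality is the product of the cardinalities of the components:

```python
from itertools import product

def fprod(family):
    """Enumerate the dependent product of a finite family of finite types.

    `family` maps each index i to the list of inhabitants of T_i; each
    element of the product is a function from indices to inhabitants,
    represented here as a dict mapping i to an element of T_i.
    """
    indices = list(family)
    for values in product(*(family[i] for i in indices)):
        yield dict(zip(indices, values))

# A family over the index set {0, 1, 2} with components of sizes 2, 3, 1:
family = {0: [False, True], 1: ["x", "y", "z"], 2: [42]}
elems = list(fprod(family))

# The cardinality of the dependent product is the product of the cardinalities.
assert len(elems) == 2 * 3 * 1
# Each element behaves like a dependent function i |-> g(i) with g(i) in T_i.
assert all(e[2] == 42 for e in elems)
```

Two such elements are equal exactly when they agree on every index, mirroring the extensionality property (fprodP below).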
This material is gathered in a file fprod.v, which provides a type fprod, some notations in MathComp style, and several support results such as the lemmas fprodP and fprodE, whose signatures are as follows:

fprod : forall I : finType, (I -> finType) -> finType

fprodP : forall (I : finType) (T_ : I -> finType) (f1 f2 : fprod I T_),
  (forall x : I, f1 x = f2 x) <-> f1 = f2

fprodE : forall (I : finType) (T_ : I -> finType)
  (g : forall i : I, T_ i) (x : I),
  [fprod i => g i] x = g x

This theory involves proofs with dependent types, and to facilitate the formalisation process we tried to follow the MathComp formalisation style as much as possible, by using finite functions, records with Boolean conditions, and so on. This enabled us to rely on extensionality of functions, the Altenkirch–Streicher K axiom and proof irrelevance, which can be used "axiom-free" in the decidable fragment of MathComp finTypes.

6.3 Infotheo and Our Related Contributions

The Infotheo library relies on MathComp as well as on the Reals theory from Coq's standard library. Among the Infotheo theories, the proba theory was the starting point of our formalisation. It first defines distributions as a dependent record dist, gathering a function pmf that gives the probability of each elementary event, and a proof that the sum of these probabilities is equal to 1:

Record dist (A : finType) := mkDist {
  pmf :> A -> R+ ;
  pmf1 : \rsum_(a in A) pmf a = 1 }.

Then, it defines the probability of a subset E of A as the sum of the probabilities of all elementary events in E:

Definition Pr (A : finType) (P : dist A) (E : {set A}) :=
  \rsum_(a in E) P a.

Finally, basic properties of probability and expectation are provided in this setting.
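The content of these two definitions can be restated in a small executable sketch (a Python illustration of the same idea, not the Infotheo code): a finite distribution is a probability mass function whose values sum to 1, and the probability of an event is the sum of the pmf over its elements:

```python
from fractions import Fraction

class Dist:
    """Finite probability distribution: a pmf over a finite type A,
    together with a check that the probabilities sum to 1 (cf. pmf1)."""
    def __init__(self, pmf):
        assert sum(pmf.values()) == 1, "pmf must sum to 1"
        self.pmf = pmf

    def Pr(self, event):
        """Probability of a subset E of A: sum of the pmf over E (cf. Pr)."""
        return sum(self.pmf[a] for a in event)

# A biased Bernoulli distribution over the two-element type {0, 1}.
d = Dist({0: Fraction(1, 4), 1: Fraction(3, 4)})
assert d.Pr({1}) == Fraction(3, 4)
assert d.Pr({0, 1}) == 1  # the full event has probability 1
```

Carrying the proof obligation pmf1 inside the record, as Infotheo does, corresponds here to the check performed at construction time.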
On top of the Infotheo theories, we have developed the following contributions: (i) a formalisation of the pushforward distribution dist_img with the associated lemma

Lemma Pr_dist_img : forall {A B : finType} (X : A -> B) (PA : dist A) (E : {set B}),
  Pr (dist_img X PA) E = Pr PA (X @^-1: E).

(ii) a formal proof of a general version of the inclusion–exclusion theorem that we presented above as Theorem 6; (iii) the product distribution of a family of distributions, whose signature is as follows:

ProductDist.d : forall (I : finType) (T_ : I -> finType),
  (forall i : I, dist (T_ i)) -> dist (fprod I T_)

The associated independence result was presented above as Lemma 23.

7 Conclusion

In this work, we used the basics of the theory of Boolean games, so our work is obviously related to this area. But to the best of our knowledge, the idea of applying probability theory to a certain class of Boolean games as a whole (as opposed to merely using random strategies) is new. The analysis of the whole class of games makes it possible to discover quantitative properties of these games that would be difficult to discover by studying an individual game. Furthermore, we used type theory and interactive theorem proving to formalise our results, in order to give strong guarantees on their correctness as well as to extend existing formal libraries with new material. In particular, we have proved a closed formula for the probability of existence of winning strategies in those random Boolean games. We specialised this result with a probability distribution on Boolean functions that are generated by a Bernoulli scheme on Boolean vectors with an arbitrary probability p as parameter (it can be noted that this setting subsumes the simpler case where all Boolean functions have the same probability: this latter case corresponds to choosing p = 1/2 in our setting).
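Under our reading of this Bernoulli scheme, each of the 2^n truth-table entries of a Boolean function of n variables is set to true independently with probability p, so a function whose truth table has t true entries receives probability p^t (1 − p)^(2^n − t), and p = 1/2 yields the uniform distribution. A Python sketch (illustrative only) of the induced distribution:

```python
from fractions import Fraction
from itertools import product

def bool_fun_dist(n, p):
    """Distribution on Boolean functions of n variables induced by a
    Bernoulli(p) scheme: each truth-table entry is true with probability p,
    independently.  Returns a dict mapping truth tables to probabilities."""
    dist = {}
    for table in product([False, True], repeat=2 ** n):
        t = sum(table)  # number of `true` entries in the truth table
        dist[table] = p ** t * (1 - p) ** (2 ** n - t)
    return dist

d = bool_fun_dist(3, Fraction(1, 2))
assert sum(d.values()) == 1        # the weights form a probability distribution
assert len(d) == 256               # 2^(2^3) Boolean functions of 3 variables
assert all(pr == Fraction(1, 256) for pr in d.values())  # uniform for p = 1/2
```

For p ≠ 1/2 the distribution is no longer uniform, but the weights still sum to 1 by the binomial theorem.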
In this paper our methods remained elementary, but they allowed us to estimate the relative importance of the cases where the players use simultaneous and alternating moves. Another phenomenon that seems interesting to us is the growth of the probability of a win as a function of the information about the choices of the opponent. Essentially, it is much faster than the usual 2^s, where s is the quantity of information (number of extra bits) known by the player. This phenomenon emphasises the difference between the information that is required for winning and the "measure of knowledge" of the opponent and its strategies. We already mentioned the interest of machine-checked verification for games between autonomous programs (embedded systems). As future work, we plan to consider more general classes of probability distributions and to explore the "weight" of information with respect to winning in this more general setting. We also plan to consider more closely the connection with algorithmic games [6].

A Non-Guaranteed Win: When the Order of Choices Matters

Let us consider an example with three variables a, b, c and two players: Alice, who controls a, and Bob, who controls b, c. Let us consider all possible Boolean functions as payoff functions. There are 256 of them, and they may be identified with the subsets of the nodes of the cube below. Each subset is interpreted as the disjunction of the conjunctions in the nodes.

(Cube: the eight nodes are labelled by the conjunctions abc, ab¬c, a¬bc, a¬b¬c, ¬abc, ¬ab¬c, ¬a¬bc, ¬a¬b¬c.)

It makes sense to analyse this situation in a purely combinatorial way before we consider randomly generated payoff functions. We notice the following facts: Alice has an unconditionally winning strategy in 31 cases (these cases correspond to all subsets that contain all nodes of either the face where a holds or the face where ¬a holds; the number of subsets is easily counted by the inclusion–exclusion formula).
Bob has an unconditionally winning strategy in 175 cases (these cases correspond to the subsets that do not intersect one of the four edges defined by the choice of two literals among b, ¬b, c, ¬c; the number is counted as above). There are 50 cases when neither Alice nor Bob has an unconditionally winning strategy. In these cases the order of choice matters: if Alice chooses the value of a first, then Bob has a winning strategy (he may win in all these cases). Similarly, if Bob chooses the values of b, c first, then Alice may win in all these cases.

Now let us consider in more detail the case where the order of choices is B − A − B. In fact, here we need to distinguish three subcases:
1. Bob may give a value to any of b, c at his first step.
2. At his first step, Bob gives a value to b, and at his second to c.
3. At his first step, Bob gives a value to c, and at his second to b.

It can be noted that these three variants may correspond to preferences or to obligations (extra constraints) concerning Bob, in line with the remark at the end of Section 4 (page 12). We elaborate on these three subcases below.

1. The first choice of Bob may be interpreted as the selection of one of the four faces of the cube that correspond to b, ¬b, c, ¬c respectively. There are four cases when Alice may win if she knows the first choice of Bob. One such subset is shown below in bold; the others are obtained by rotation. (We exclude the cases of unconditional win that were counted before.)

(Cube: the same eight nodes, with one winning subset highlighted in bold in the original figure.)

In the case displayed above, if Bob has chosen b = true then Alice has to choose a = true, and she wins because the remaining formula will be c ∨ ¬c.

2. If at the first step Bob must choose the value of b, then it may be seen as the choice of one of the two faces of the cube that correspond to b or ¬b. This gives Alice more possibilities to win. Indeed, she may win if the subset of nodes includes either abc, ab¬c, ¬a¬bc, ¬a¬b¬c or ¬abc, ¬ab¬c, a¬bc, a¬b¬c (i.e., Alice may answer b with a = true and ¬b with a = false, or vice versa).
We may add one or more nodes to each subset of four, but if we exclude the previously considered cases, we obtain 12 more cases when Alice may win.

3. A similar analysis shows that there are 12 cases (not considered previously) where Alice may win if Bob must choose the value of c first.

It is important to notice that the choices of Alice and Bob need not be interpreted as the choices of logical values of a, b, c. This model may be used to model any binary choice. Indeed, let a = true mean the choice of some value v_a, and a = false the choice of v_a′, by Alice. Similarly, Bob may choose one of v_b, v_b′ and one of v_c, v_c′. Instead of a conjunction of literals (e.g., a¬b¬c), let us take for each such conjunction a predicate¹⁰ P_{a¬b¬c}(x, y, z) which is true if and only if x = v_a, y = v_b′, z = v_c′. Instead of considering the disjunction of these conjunctions, let us take the disjunction of the corresponding predicates. The logical value of the result will be exactly the logical value of the payoff function represented by the DNF (or Boolean function). The roles of Alice and Bob may be seen as the roles of "coaches" who choose the players for a series of matches; Alice wins if her "champion" wins at least one match. Also, to come back to the situation with random payoff functions, it makes perfect sense that in a real tournament the coach cannot know in advance which matches will have to be played.

10 defined for (x, y, z) ∈ {v_a, v_a′} × {v_b, v_b′} × {v_c, v_c′}

The same idea may be used to model markets (the choice a = true may mean that Alice orders to buy a certain product a, and a = false that she orders to sell; the presence of a¬b¬c means that she makes a profit when she buys at the same time as Bob sells his two products). This analysis also clearly shows what the role of a random choice of payoff functions may be: it takes into account a certain amount of unpredictability in a real situation.
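As a sanity check, the counts 31, 175 and 50 used above can be verified by a brute-force enumeration over all 256 payoff functions (an informal Python sketch, independent of the Coq development):

```python
from itertools import product

# A payoff function is a subset S of the 8 cube nodes (a, b, c).
nodes = list(product([False, True], repeat=3))
subsets = [{nodes[i] for i in range(8) if mask >> i & 1} for mask in range(256)]

def alice_uncond(S):
    # Alice wins unconditionally iff some value of a wins for all b, c,
    # i.e. S contains a full face of the cube (the face a or the face ¬a).
    return any(all((a, b, c) in S for b in (False, True) for c in (False, True))
               for a in (False, True))

def bob_uncond(S):
    # Bob wins unconditionally iff some values of b, c lose for all a,
    # i.e. S misses a full edge of the cube in the a-direction.
    return any(all((a, b, c) not in S for a in (False, True))
               for b in (False, True) for c in (False, True))

alice = sum(alice_uncond(S) for S in subsets)
bob = sum(bob_uncond(S) for S in subsets)
neither = sum(not alice_uncond(S) and not bob_uncond(S) for S in subsets)
print(alice, bob, neither)  # → 31 175 50
```

Note that no subset satisfies both predicates (a full face meets every edge in the a-direction), so the three counts partition the 256 payoff functions.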
Notice that this randomness does not eliminate the "geometric flavour" displayed in the above example. However, as we emphasised before, we intend to use probability mostly for the analysis of the totality of games with all possible Boolean functions as payoffs, rather than for considering one game with a randomly chosen payoff function (though this may sometimes make sense). The choice of the probability distribution will influence the relative "weight" of the cases that we considered above in a purely combinatorial way, and it has to be taken into account when additional conditions are considered, such as the order of moves or access to information. For example, if the probability parameter p takes the value 1/2 (i.e., if we focus on the instance P_{3,1/2} of the Bernoulli process presented in Section 3), this gives the uniform distribution on the 256 cases considered in the appendix.

References

1 Reynald Affeldt, Manabu Hagiwara, and Jonas Sénizergues. Formalization of Shannon's theorems. J. Autom. Reasoning, 53(1):63-103, 2014. doi:10.1007/s10817-013-9298-1.
2 Philippe Audebaud and Christine Paulin-Mohring. Proofs of randomized algorithms in Coq. Sci. Comput. Program., 74(8):568-589, 2009. doi:10.1016/j.scico.2007.09.002.
3 Élise Bonzon. Modélisation des interactions entre agents rationnels : les jeux booléens. PhD thesis, Université Toulouse III - Paul Sabatier, Toulouse, France, 2007.
4 Julian C. Bradfield, Julian Gutierrez, and Michael Wooldridge. Partial-order Boolean games: informational independence in a logic-based model of strategic interaction. Synthese, 193(3):781-811, 2016. doi:10.1007/s11229-015-0991-y.
5 The Coq Development Team. The Coq Proof Assistant: Reference Manual, version 8.8, 2018. URL: https://coq.inria.fr/distrib/V8.8.0/refman/.
6 Evgeny Dantsin, Jan-Georg Smaus, and Sergei Soloviev. Algorithms in Games Evolving in Time: Winning Strategies Based on Testing. In Isabelle Users Workshop - ITP 2012, 2012. 18 pages.
7 In José Júlio Alferes and João Alexandre Leite, editors, Logics in Artificial Intelligence, 9th European Conference, JELIA 2004, Lisbon, Portugal, September 27-30, 2004, Proceedings, volume 3229 of Lecture Notes in Computer Science, pages 347-359. Springer, 2004. doi:10.1007/978-3-540-30227-8_30.
8 Danièle Gardy. Random Boolean expressions. In René David, Danièle Gardy, Pierre Lescanne, and Marek Zaionc, editors, Computational Logic and Applications, CLA '05, volume AF of DMTCS Proceedings, pages 1-36, Chambéry, France, 2006. Discrete Mathematics and Theoretical Computer Science.
9 Georges Gonthier, Andrea Asperti, Jeremy Avigad, Yves Bertot, Cyril Cohen, François Garillot, Stéphane Le Roux, Assia Mahboubi, Russell O'Connor, Sidi Ould Biha, Ioana Pasca, Laurence Rideau, Alexey Solovyev, Enrico Tassi, and Laurent Théry. A Machine-Checked Proof of the Odd Order Theorem. In Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie, editors, Interactive Theorem Proving - 4th International Conference, ITP 2013, Rennes, France, July 22-26, 2013, Proceedings, volume 7998 of Lecture Notes in Computer Science, pages 163-179. Springer, 2013. doi:10.1007/978-3-642-39634-2_14.
10 Paul Harrenstein. Logic in Conflict. Logical Explorations in Strategic Equilibrium. PhD thesis, Utrecht University, 2004.
11 Paul Harrenstein, Wiebe van der Hoek, John-Jules Meyer, and Cees Witteveen. Boolean Games. In J. van Benthem, editor, Proceedings of the 8th International Conference on Theoretical Aspects of Rationality and Knowledge (TARK'01), pages 287-298, San Francisco, 2001. Morgan Kaufmann.
12 Osman Hasan and Sofiène Tahar. Using theorem proving to verify expectation and variance for discrete random variables. J. Autom. Reasoning, 41(3-4):295-323, 2008. doi:10.1007/s10817-008-9113-6.
13 Joe Hurd. Formal verification of probabilistic algorithms. PhD thesis, University of Cambridge, 2002.
14 Érik Martin-Dorel and Sergei Soloviev.
erikmd/coq-bool-games: BoolGames, 2018. doi:10.5281/zenodo.1317609.
15 Tarek Mhamdi, Osman Hasan, and Sofiène Tahar. On the formalization of the Lebesgue integration theory in HOL. In Matt Kaufmann and Lawrence C. Paulson, editors, Interactive Theorem Proving, First International Conference, ITP 2010, Edinburgh, UK, July 11-14, 2010, Proceedings, volume 6172 of Lecture Notes in Computer Science, pages 387-402. Springer, 2010. doi:10.1007/978-3-642-14052-5_27.
16 Journal of Mathematics and Physics, 21:83-93, 1942.



Érik Martin-Dorel, Sergei Soloviev. A Formal Study of Boolean Games with Random Formulas as Payoff Functions. LIPIcs - Leibniz International Proceedings in Informatics, 2018, 14:1-14:22. doi:10.4230/LIPIcs.TYPES.2016.14