Building Proofs in Context

Giuseppe Attardi and Maria Simi
Dipartimento di Informatica, Università di Pisa
Corso Italia 40, I-56125 Pisa, Italy

Abstract

When reasoning with implicitly defined contexts or theories, a general notion of proof in context is more appropriate than classical uses of reflection rules. Proofs in a multicontext framework can still be carried out by switching to a context, reasoning within it, and exporting the result. Context switching however does not correspond to reflection or reification but involves changing the level of nesting of theory within another theory. We introduce a generalised rule for proof in context and a convenient notation to express nesting of contexts, which allows us to carry out reasoning in and across contexts in a safe and natural way.

1 Introduction

A general notion of relativised truth can be useful for reasoning in and about different theories in a formal setting. For example to reason about the reasoning of different agents, to model temporal evolution of knowledge, to split a large knowledge base into manageable chunks or microtheories that can be related to each other by means of transfer rules or lifting axioms. There are several approaches to the formalization of a notion of relativised truth: by means of a predicate expressing "provability" like for example $PR(T, P)$ in [Weyhrauch 80] and $demo(T, P)$ in [Bowen 82], or with a notion of truth in context like for example $ist(c, p)$ in [Guha 91, McCarthy 87, McCarthy 93, Buvac 93] and pc in [Shoham 91], or with a notion of entailment from a set of assumptions like $in(P, vp)$ [Attardi 84, Simi 91, Attardi 93].

Most of these are syntactic approaches where theories are modeled as collections of reified statements or statement names in First Order Predicate Calculus. The object theory is extended with a metatheory consisting of statements about statements. The relation between general validity and truth relativised to a subtheory is usually expressed by means of a pair of reflection/reification rules. For example, [Kowalski 91] use the following rules:

$$\frac{T \vdash P}{pr \vdash demo(T, P)} \qquad \text{(Reification1)}$$

$$\frac{pr \vdash demo(T, P)}{T \vdash P} \qquad \text{(Reflection1)}$$

which say that if formula $P$ is derivable from the set of statements $T$, then $demo(T, P)$ is derivable in the meta-theory from theory $pr$ and vice versa, where $pr$ is a theory containing a suitable axiomatisation of the $demo$ predicate.

Unfortunately carrying out proofs dealing with multiple theories is not simple. When reasoning about reasoning, one often needs to carry out some proof steps within a different theory from the current one and then to lift the conclusions back into the original theory. The deductive rules required to carry out these steps involve either reflection principles or some other notion of proof in context. Standard formulations of the reflection rules assume explicit knowledge of the theory one reasons about. In many interesting applications however it is not possible to explicitly state once for all the assumptions of a theory; this is often the case for theories representing agents and is always the case for infinite theories, for theories which refer to each other or reflective theories, as those required for expressing common knowledge. Moreover dynamic extension of theories, provided by lifting axioms, requires the ability to define theories implicitly.

In this paper we discuss different approaches to contextual reasoning according to whether implicit and mutually referential theories are allowed. We will argue that implicit contexts are necessary for most significant applications. When reasoning with implicit contexts however, reflection rules are not the right way to transfer facts from one context to another. Context switching in a natural deduction proof is better seen as nesting or unnesting of contexts justified by suitable rules for proof in context. A notation is introduced to write more readable proofs where context switching is interpreted according to this semantics.

The three approaches discussed in the paper use three slightly different notations for relativised truth, whose correspondence is shown below:

    $demo(T, P)$    Kowalski
    $ist(T, P)$     McCarthy
    $in(P, T)$      Attardi and Simi

* This work has been done while the authors were visiting the International Computer Science Institute, Berkeley, CA.

2 Approaches to proofs in context

2.1 Explicit vs. implicit theories

When reasoning with contexts or theories, an important distinction is whether we are dealing with explicit theories or with theories which are only implicitly defined. In the first case we assume that a theory can be explicitly and completely characterised by a finite set of statements representing the relevant assumptions of the theory. If names are used for theories they should be considered as linguistic shortcuts for the set of statements. This is an adequate model in many practical situations; for example one can reason about a subset of an agent's beliefs as if it was complete, without having to know all of them.

In many interesting applications theories cannot be defined explicitly as a finite set of statements and the ability to characterize theories implicitly is required. The language must then allow for constants, or more in general terms, denoting theories or contexts. For example, one may want to characterize theories by means of assertions, like McCarthy's lifting rules [McCarthy 93], stating that whenever a formula satisfying some condition holds in a theory $vp_1$ then a related formula holds in another theory $vp_2$. As a special case, subsumption between theories can be expressed as follows in our notation:

$$\forall x\,.\; in(x, vp_1) \Rightarrow in(x, vp_2)$$

Incidentally, the possibility of quantification over statements inside the $in$ predicate, not provided by modal logics, appears essential here; hence our preference for a syntactic treatment of $in$, our notion of relativised truth. Another example could be the evolution of state of affairs, as in:

$$in(\text{`}Clear(A) \land Clear(B)\text{'}, sit_1) \Rightarrow in(\text{`}On(A, B)\text{'}, sit(puton(A, B), sit_1))$$

This allows for compact statements of problems and leaves to the logic machinery the burden of incrementally specifying theories when the rules for their construction are known. Implicit theories are also required for expressing self referential statements. Here are a few examples, where we use $in$ to express belief:

John believes that he has a false belief

$$in(\text{`}\exists x\,.\; in(x, vp(John)) \land False(x)\text{'}, vp(John))$$

Agent $a$ believes that whatever he and agent $b$ believe is true, while $b$ does not believe so

$$in(\text{`}\forall x\,.\; in(x, vp(a)) \lor in(x, vp(b)) \Rightarrow True(x)\text{'}, vp(a))$$

$$in(\text{`}\neg\forall x\,.\; in(x, vp(a)) \lor in(x, vp(b)) \Rightarrow True(x)\text{'}, vp(b))$$

Agent $a$ and agent $b$ have common knowledge (or belief) that $A$

$$in(\text{`}A\text{'}, CK) \qquad \text{(CK-1)}$$

$$\forall x\,.\; in(x, CK) \Rightarrow in(x, vp(a)) \land in(x, vp(b)) \qquad \text{(CK-2)}$$

$$\forall x\,.\; in(x, CK) \Rightarrow in(in(x, vp(a)) \land in(x, vp(b)), CK) \qquad \text{(CK-3)}$$

Note that for common knowledge it is not enough that both agents know $A$ but it is also required that they know that they know $A$, that they know that they know that they know $A$, ... and so on. Such infinite nesting calls for a recursive definition like CK-3.

The approach of implicit contexts is carried to its extreme consequences in the proposal of McCarthy, where contexts are primitive objects denoted by symbols in the language, and are never explicitly characterised.

2.2 Reflective vs. layered theories

Syntactic approaches to relativised truth differ in the degree of connection between object-theory and meta-theory, ranging from a semantic connection of completely separate theories as in [Konolige 82], to the reflection principles of FOL [Weyhrauch 80], bridging two still distinct theories, to the proposal of a single amalgamated theory encompassing object and meta-level [Bowen 82] or, more in general, reflective theories. Nevertheless, a satisfactory first order theory of relativised truth is not easy to develop since one must face delicate issues of semantics and must avoid the pitfalls of paradoxes arising from self referential statements, which trickle in by diagonalization [Montague 63].

A simple way out of paradoxes is to keep the object language separate from the metalanguage [Moore 77, Weyhrauch 80] and when nested beliefs are involved, to build a hierarchy of languages, each one being a meta-language for the previous [Konolige 82]. Self reference is not allowed and the construction of paradoxical statements is blocked. However this forbids also non paradoxical self referential statements like those mentioned in the previous section. This lack of expressiveness may be considered a major drawback [Perlis 85] since self referential statements about truth, beliefs or knowledge arise naturally in common sense reasoning. The complex machinery required by the layered approach also does not seem convenient for implementation within reasoning programs nor natural as a formalisation of common sense.

When self or mutually referential theories are allowed, they must be accounted for in the semantics of the logic. One way to do so is to use non well founded sets [Aczel 88] as denotation for theories and rely on Barwise solution lemma to ensure that solutions to the recursive equations exist.

A different approach is the one pursued in the theory of viewpoints [Attardi 93], where viewpoints denote recursive set of statements and the interpretation of $in$ statements is done in a layer by layer fashion so as to properly account for paradoxical self referential statements. Moreover reflection rules are to be carefully formulated to avoid falling into an inconsistent theory because of the results of [Montague 63]. A possibility is to be conservative and use reflection rules, such as the ones in [Bowen 82], which do not add any new theorem with respect to the amalgamated theory without reflection rules. But useful non conservative formulations, still preserving consistency, are possible, as the one we propose for the theory of viewpoints.

2.3 Reflection rules vs. nesting/unnesting

When reasoning with multiple theories one needs rules for context switching, i.e. for moving from one theory to another, performing some deduction there and then transferring elsewhere some of the derived consequences. For theories which are specially related by being one the meta-theory for the other, reflection and reification may be used for this purpose. All standard formulations of the reflection rules however require the theory from which one reflects to be completely specified and expressed by means of a term in the meta-language. For instance the conclusion $T \vdash P$ from Reflection1 would not be meaningful unless $T$ was known.

While there are many useful finite theories that one can handle with such rules, most interesting theories turn out to be infinite or only partially and implicitly specified as discussed above. In the case of implicit theories, one could assert:

$$demo(T, P) \qquad demo(T, Q)$$

However, if one wanted to conclude, given $P, Q \vdash R$, that

$$demo(T, R)$$

reflection rules would not be applicable, since theory $T$ is not known. What we believe to be an improper use of reification appears in the solution to the three wise men puzzle presented in [Kowalski 91] in the framework of the amalgamated logic of Bowen and Kowalski [Bowen 82] as discussed in [Attardi 94].

These considerations suggest that another kind of context switching is more appropriate when reasoning with contexts which are dynamically nested during deduction: this kind of contextual reasoning can be made explicit, by representing somehow the structure of nesting. For example, in their formalization of contexts [Buvac 93] Buvac and Mason propose rules for context switching which correspond to this idea, and introduce indexes made of sequences of context names to represent nested contexts. The rule they present is bidirectional and reads as follows:

 `k ist(k1; ) `kk1

(CS)

The index k represents a sequence of contexts and the rule expresses that a statement about the truth of  in a series of nested contexts k can be turned into the fact  holding in the series of contexts k  k1. Keeping track of the level of nesting is crucial for the correctness of the rule. Following this idea we will introduce our notion and notation for nesting/unnesting of contexts and present a solution to the three wise men which does not make use of reflection rules.

3 Proof theory

In order to discuss the problems and subtle issues hinted in the previous sections, we introduce a formal deductive system for proofs in contexts developed in connection with the theory of viewpoints [Attardi 93]. The theory of viewpoints is a reflective first order theory with explicit or implicit viewpoints (viewpoint constants and functions). A complete semantic account of viewpoints is presented in [Attardi 93].

Viewpoints are sets of reified statements and the expression $in(\text{`}P\text{'}, vp)$ means that a statement $P$ is contextually entailed by the set of assumptions represented by $vp$. More precisely, given a term $t_1$ denoting a statement and a viewpoint expression $t_2$ denoting a set of statements, $in(t_1, t_2)$ is true at a model $M$ iff the statement denoted by $t_1$ is true in any model of the statement denoted by $t_2$ which is "coherent" with $M$ in the interpretation of viewpoint constants and functions. The proof theory for viewpoints can be conveniently presented in the style of natural deduction.

3.1 Inference rules for classical natural deduction

As customary, the notation $\Gamma \vdash P$ indicates the pending assumptions in rules where some of the assumptions are discharged, like in the cases of implication introduction and negation introduction. When the pending assumptions are the same in the antecedent and consequent of a rule they are omitted. The rules for natural deduction are quite standard. For example:

$$\frac{P, \; Q}{P \land Q} \; (\land I) \qquad\qquad \frac{P \land Q}{P, \; Q} \; (\land E)$$

are the rules for conjunction introduction and elimination, respectively, and

$$\frac{\Gamma \cup \{P\} \vdash Q}{\Gamma \vdash (P \Rightarrow Q)} \; (\Rightarrow I) \qquad\qquad \frac{P, \; P \Rightarrow Q}{Q} \; (\Rightarrow E)$$

are the rules for implication introduction and elimination. The full set of classical rules used is presented in the appendix.

3.2 Metalevel axioms and inference rules

The behaviour of $in$ is characterised by the following axioms and inference rules, which allow classical reasoning to be performed inside any viewpoint. The first axiom asserts that all the statements which constitute a viewpoint hold in the viewpoint itself, while the second establishes a principle which could be called positive introspection, if we chose an epistemic interpretation for $in$. The third axiom states monotonicity of viewpoints.

$$in(\text{`}P\text{'}, \{\ldots, \text{`}P\text{'}, \ldots\}) \qquad \text{(Axiom1)}$$

$$in(\text{`}P\text{'}, vp) \Rightarrow in(\text{`}in(\text{`}P\text{'}, vp)\text{'}, vp) \qquad \text{(Axiom2)}$$

$$in(\text{`}P\text{'}, vp) \Rightarrow in(\text{`}P\text{'}, vp \cup \{\text{`}Q\text{'}\}) \qquad \text{(Axiom3)}$$

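Moreover we have a meta-inference rule for each classical natural deduction inference rule. For example:

$$\frac{in(\text{`}P\text{'}, vp), \; in(\text{`}Q\text{'}, vp)}{in(\text{`}P \land Q\text{'}, vp)} \qquad (\text{Meta} \land I)$$

$$\frac{in(\text{`}P \land Q\text{'}, vp)}{in(\text{`}P\text{'}, vp), \; in(\text{`}Q\text{'}, vp)} \qquad (\text{Meta} \land E)$$

$$\frac{in(\text{`}Q\text{'}, vp \cup \{\text{`}P\text{'}\})}{in(\text{`}P \Rightarrow Q\text{'}, vp)} \qquad (\text{Meta} \Rightarrow I)$$

$$\frac{in(\text{`}P\text{'}, vp), \; in(\text{`}P \Rightarrow Q\text{'}, vp)}{in(\text{`}Q\text{'}, vp)} \qquad (\text{Meta} \Rightarrow E)$$

The full set of meta-inference rules is presented in the appendix.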

3.3 Reflection rules

The following are the reflection and reification rules for the theory of viewpoints: they are more powerful than those of [Bowen 82], but still safe from paradoxes as discussed in [Attardi 91].

$$\frac{vp_1 \vdash in(\text{`}P\text{'}, vp_2)}{vp_1 \cup vp_2 \vdash P} \qquad \text{(Reflection)}$$

$$\frac{vp \vdash_C P}{\vdash in(\text{`}P\text{'}, vp)} \qquad \text{(Reification)}$$

The notation $\vdash_C$ stands for "classically derivable" or "derivable without using the reflection rules". We have argued elsewhere for the usefulness of the strong version of reflection [Attardi 91], [Attardi 93]. As a consequence we have:

Theorem 1

$$in(\text{`}P\text{'}, \{\text{`}Q\text{'}\}) \Rightarrow (Q \Rightarrow P)$$

Reification is a derived inference rule; in fact any proof at the object level can be completely mirrored at the metalevel using the meta-level inference rules. In fact also the stronger

$$vp \vdash_C P \quad \text{iff} \quad \vdash_C in(\text{`}P\text{'}, vp)$$

holds. This can be proved by induction on the length of the proof, with the base case being provided by Axiom1, or derived as a consequence of theorem 3 below.

3.4 Proof in context

Proof in context is a powerful mechanism for reasoning across multiple contexts. In this section we present the results which provide the formal justification for this technique. First we note that logical theorems can be used in proofs within any context, and then that classical deductions can be carried out within any viewpoint. The first result is a consequence of reification and Axiom1:

Theorem 2 $in(\text{`}P\text{'}, vp)$, for any logical theorem $P$ and viewpoint $vp$.

Theorem 3 (Proof in context)

$$\frac{\Gamma \vdash_C P}{in(\text{`}\Gamma\text{'}, vp) \vdash_C in(\text{`}P\text{'}, vp)}$$

where the $\Gamma$ in the consequent should be read as the conjunction of the formulae in $\Gamma$.

Proof. The proof is by induction on the length of the derivation and by showing that each step can be mirrored at the metalevel using the corresponding meta-inference rule. The only interesting case is the one for implication introduction. Suppose that this rule was used in the last step of the derivation to prove $Q \Rightarrow R$. We have by induction hypothesis:

$$\frac{\Gamma \cup \{Q\} \vdash_C R}{in(\text{`}\Gamma \land Q\text{'}, vp) \vdash_C in(\text{`}R\text{'}, vp)}$$

Therefore:

$$\begin{array}{ll}
in(\text{`}\Gamma\text{'}, vp) & \text{(premise)} \\
in(\text{`}Q\text{'}, vp \cup \{\text{`}Q\text{'}\}) & \text{(Axiom1)} \\
in(\text{`}\Gamma \land Q\text{'}, vp \cup \{\text{`}Q\text{'}\}) & (\text{Meta} \land I) \\
in(\text{`}R\text{'}, vp \cup \{\text{`}Q\text{'}\}) & \text{(induction)} \\
in(\text{`}Q \Rightarrow R\text{'}, vp) & (\text{Meta} \Rightarrow I)
\end{array}$$

$\Box$

The following inference rules can be established from theorem 3:

$$\frac{in(\text{`}P\text{'}, vp), \; P \vdash_C Q}{in(\text{`}Q\text{'}, vp)} \qquad \text{(Proof in context)}$$

which generalises to:

$$\frac{\{x \mid in(x, vp)\} \vdash_C P}{in(\text{`}P\text{'}, vp)} \qquad \text{(Generalised proof in context)}$$

The antecedent of the rule corresponds to the condition that in order to exploit a proof carried out in another context one must know at least that the premises of the proof are in that context. Notice that the consequent of theorem 3 is again a classical derivation, therefore the theorem can be applied repeatedly, to carry out a proof at any level of nesting within viewpoints. For instance, if $P \vdash_C Q$ then:

$$in(\text{`}P\text{'}, vp_1) \vdash_C in(\text{`}Q\text{'}, vp_1)$$

$$in(\text{`}in(\text{`}P\text{'}, vp_1)\text{'}, vp_2) \vdash_C in(\text{`}in(\text{`}Q\text{'}, vp_1)\text{'}, vp_2)$$

$$\ldots$$

Similarly the rules of proof in context can be extended to deal with arbitrary level of nesting.

3.5 Entering and leaving contexts

Another useful mechanism to build proofs in context is the ability to switch contexts and perform natural deduction proofs within viewpoints. The safest way to interpret context switching in the framework of natural deduction proofs with implicit contexts is simply to go one level deeper or shallower in nesting, or in other words unnesting and nesting. This means for instance that in order to prove a statement of the form

$$in(\text{`}P\text{'}, vp_1)$$

one may pretend to move inside $vp_1$, and perform a proof using those facts which are present in $vp_1$, i.e. are of the form $in(\text{`}Q\text{'}, vp_1)$. If the formula $P$ is itself of the form $in(\text{`}R\text{'}, vp_2)$ one will have to go one level deeper to prove $R$ by using this time just facts of the form $in(\text{`}in(\text{`}S\text{'}, vp_2)\text{'}, vp_1)$. Later we will provide safe rules for importing and exporting facts in a context.

4 A proof method and notation

Our proofs will become more readable and intuitive with the aid of a graphical notation, which emphasises the boundaries and nesting of contexts. The notation we introduce is an extension of the box notation introduced by Kalish and Montague [Kalish 64].

4.1 Rules for classical natural deduction

We show here some examples of proof schemas for classical natural deduction. The following schema corresponds to the rule of $\Rightarrow I$ and should be read as: "if assuming $P$ you succeed in proving $Q$, then you have proved $P \Rightarrow Q$".

    ┌────────────────────
    │ P        (assum.)
    │ ...
    │ Q
    └────────────────────
    P ⇒ Q

Similarly, the schema corresponding to the inference rule of $\neg I$ is the following:

    ┌────────────────────
    │ P        (assum.)
    │ ...
    │ Q
    │ ...
    │ ¬Q
    └────────────────────
    ¬P

The box notation is useful to visualise the scope of the assumptions made during a natural deduction proof. In performing a proof within a box one can use facts proved or assumed in the same box or in enclosing boxes. Facts cannot be exported from within a box to an enclosing or unrelated box.

4.2 Rules for proofs in context

For proofs in context we introduce a different kind of box, with a double border, to suggest boundaries which are more difficult to traverse. The double box represents a viewpoint, i.e. a theory, whose assumptions, if known, are listed in the heading of the box. If the assumptions are not known the name of the viewpoint is shown. The only two rules for bringing facts in and out of a double box are the rules corresponding to unnesting and nesting.

Importing a fact in a viewpoint (unnesting):

    in('P', vp)
    ╔═ vp ═══════════════
    ║ P
    ║ ...
    ╚════════════════════

Exporting a fact from a viewpoint (nesting):

    ╔═ vp ═══════════════
    ║ ...
    ║ P
    ╚════════════════════
    in('P', vp)

The only way to import a fact $P$ in a double box $vp$ is to have a statement $in(\text{`}P\text{'}, vp)$ in the environment immediately outside the box. Symmetrically you can obtain $in(\text{`}P\text{'}, vp)$ in the environment immediately outside a double box $vp$ if $P$ appears in a line immediately inside the double box (not inside a further single or double box within the double box). Note that to import a fact in nested double boxes an appropriate number of crossing double lines must be justified.

According to Axiom1, the assumptions of a viewpoint, if known, can also be used inside the viewpoint:

    ╔═ {'P1', ..., 'Pn'} ═
    ║ P1, ..., Pn
    ║ ...
    ╚════════════════════

and, in the case of explicit viewpoints, $in$ can be introduced as follows:

    ╔═ {'P1', ..., 'Pn'} ═
    ║ ...
    ║ P
    ╚════════════════════
    in('P', {'P1', ..., 'Pn'})

Theorem 3 justifies the possibility of carrying on regular natural deduction proofs within a double box. For example the following deduction schema is valid:

    ╔═ vp ═══════════════
    ║ ┌──────────────────
    ║ │ P        (assum.)
    ║ │ ...
    ║ │ Q
    ║ │ ...
    ║ │ ¬Q
    ║ └──────────────────
    ║ ¬P
    ╚════════════════════
    in('¬P', vp)

This is just a combination of the schemas introduced above for classical negation introduction and nesting. Notice that opening a single box within a double box to make an assumption corresponds to adding the assumption to those of the viewpoint in the box. In practice, it should be considered as an alternative notation for:

    ╔═ vp ∪ {'P'} ═══════
    ║ ...
    ║ Q
    ║ ...
    ║ ¬Q
    ╚════════════════════
    in('¬P', vp)

This schema provides us with a means to carry out proofs by contradiction, which naturally occur in the solution of the three wise men puzzle.
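The import and export discipline of this section can be checked mechanically. The following Python checker is an added example, not part of the original paper: it accepts an unnesting step only when in(p, vp) sits immediately outside the current double box, and it replays the situation of section 2.3, where a conclusion is obtained inside a theory T that is never enumerated. The tuple encoding of formulas, the class Proof with its method names, and the sample premises (including the implication assumed to hold in T) are constructed for illustration.

```python
# Added example, not from the paper. Formulas are nested tuples; viewpoint
# names are opaque strings, so a viewpoint is never enumerated (implicit theory).

def In(p, vp):
    return ("in", p, vp)          # in('p', vp)

def And(p, q):
    return ("and", p, q)

def Imp(p, q):
    return ("imp", p, q)


class ProofError(Exception):
    """A step that none of the rules licenses."""


class Proof:
    def __init__(self, premises):
        # boxes[0] is the outermost environment; later entries are open double boxes.
        self.boxes = [(None, set(premises))]

    def _facts(self):
        return self.boxes[-1][1]

    def _need(self, *formulas):
        # Only lines of the current box count: nothing leaks across a double border.
        for f in formulas:
            if f not in self._facts():
                raise ProofError(f"{f!r} is not available in the current box")

    def enter(self, vp):
        """Open a double box for viewpoint vp. It starts with no facts."""
        self.boxes.append((vp, set()))

    def unnest(self, p):
        """Import p into the current box; needs in(p, vp) immediately outside it."""
        if len(self.boxes) < 2:
            raise ProofError("unnesting requires an open double box")
        vp, inner = self.boxes[-1]
        if In(p, vp) not in self.boxes[-2][1]:
            raise ProofError(f"in({p!r}, {vp!r}) is not immediately outside the box")
        inner.add(p)
        return p

    def and_intro(self, p, q):
        self._need(p, q)
        self._facts().add(And(p, q))
        return And(p, q)

    def imp_elim(self, p, q):
        self._need(p, Imp(p, q))
        self._facts().add(q)
        return q

    def nest(self, p):
        """Close the current double box, exporting p as in(p, vp)."""
        if len(self.boxes) < 2:
            raise ProofError("nesting requires an open double box")
        self._need(p)
        vp, _ = self.boxes.pop()
        exported = In(p, vp)
        self._facts().add(exported)
        return exported


def conclude_in_unknown_theory():
    # Section 2.3 setting: in(P, T) and in(Q, T) are known, T itself is not.
    # Constructed assumption: T also holds (P and Q) => R.
    rule = Imp(And("P", "Q"), "R")
    proof = Proof([In("P", "T"), In("Q", "T"), In(rule, "T")])
    proof.enter("T")
    for fact in ("P", "Q", rule):
        proof.unnest(fact)
    proof.and_intro("P", "Q")
    proof.imp_elim(And("P", "Q"), "R")
    return proof.nest("R")


def import_white1(skip_level):
    # Constructed premise: wise2 holds that wise1 holds white1.
    proof = Proof([In(In("white1", "wise1"), "wise2")])
    try:
        if not skip_level:
            proof.enter("wise2")
            proof.unnest(In("white1", "wise1"))
        proof.enter("wise1")      # with skip_level, one double line is unjustified
        return proof.unnest("white1")
    except ProofError as err:
        return f"rejected: {err}"
```

Calling import_white1(True) shows the failure mode the text warns about: crossing into wise1 directly from the outer environment is rejected because only one of the two double lines is justified.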

5 Examples

To illustrate the method just described we will use two examples taken from the recent literature where proofs are composed of subproofs in different contexts. The first example was used by John McCarthy [McCarthy 93] to illustrate the power of "lifting axioms", which allow extrapolating facts from one theory to another and transforming them at the same time into a different format. Even though no formal proof theory was provided, the example was meant to suggest the kind of proofs one would like to be able to perform. In this case, things are complicated by the fact that the proof is carried out in a natural deduction setting, so there are pending assumptions when switching from one context to another.

The second one is a solution to the classical three wise men puzzle, which has been tackled in so many different ways in the knowledge representation literature. In [Attardi 94] we discussed for example the approach taken by Kowalski and Kim [Kowalski 91] where a rule of reification is used, we believe improperly, to lift a conclusion reached in a common knowledge theory $wise_0$ to the theory of the third wise man. Our solution is meant to show that a natural representation of the kind of knowledge and reasoning involved in the puzzle requires the ability to express common knowledge through recursive definition (hence implicit contexts) and a mechanism for nesting and unnesting.

5.1 Lifting rules and natural deduction

In performing proofs involving multiple theories, one would like to be able to move easily from one theory to another, reason within a theory with traditional means, for instance by natural deduction, and then to carry outside some of the consequences obtained. One must be careful however, not to leave behind in an innermost context essential assumptions and not to extrapolate to an unrelated context. The example presented in [McCarthy 93] is useful to illustrate these issues.

A fixed theory, called $AboveTheory$, is used to represent the basic facts about the blocks world which do not depend on situations. One would like to make these facts and their consequences available, in the appropriate form, in another theory $c$ where situations are accounted for. The correspondence between these theories is established by axioms written in viewpoint $c$. An outer context, $c_0$, is also needed for lifting facts deduced in $AboveTheory$ to $c$. Using our notation, the statement of the problem can be expressed as in Figure 1. To simplify the notation, we have dropped the quotation marks used to represent meta-level statements.

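    ╔═ c0 ═══════════════════════════════════════════════════════════
    ║ (1) ∀p in(p, AboveTheory) ⇒ in(in(p, AboveTheory), c)
    ║
    ║ ╔═ AboveTheory ════════════════════════════════════════════════
    ║ ║ (2) ∀x,y on(x, y) ⇒ above(x, y)
    ║ ║ (3) ∀x,y,z above(x, y) ∧ above(y, z) ⇒ above(x, z)
    ║ ╚══════════════════════════════════════════════════════════════
    ║
    ║ ╔═ c ══════════════════════════════════════════════════════════
    ║ ║ (4) ∀x,y,s on(x, y, s) ⇔ in(on(x, y), c(s))
    ║ ║ (5) ∀x,y,s above(x, y, s) ⇔ in(above(x, y), c(s))
    ║ ║ (6) ∀p,s in(p, AboveTheory) ⇒ in(p, c(s))
    ║ ╚══════════════════════════════════════════════════════════════
    ╚════════════════════════════════════════════════════════════════

Figure 1. Statement of the lifting problem

The lifting axiom (1) was missing in the sketch of proof presented by McCarthy [McCarthy 93] but it is necessary in order to lift

$$in(\forall x, y \;\, on(x, y) \Rightarrow above(x, y), AboveTheory)$$

from $c_0$ to $c$ where it can be exploited by axiom (6). Without this additional assumption step (10) below could not be accounted for by any sound rule, producing a case of improper lifting. The full proof appears in Figure 2.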

5.2 The three wise men

The statement of this well known puzzle is the following [Kowalski 91].

A king, wishing to determine which of his three wise men is the wisest, puts a white spot on each of their foreheads, and tells them that at least one of the spots is white. The king arranges the wise men in a circle so that they can see and hear each other (but cannot see their own spots) and asks each wise man in turn what is the colour of his spot. The first two say that they don't know, and the third says that his spot is white.

Several solutions to the three wise men puzzle have appeared in the literature, some of which quite reasonable; so our focus here is in the search for an adequate proof system enabling us to carry out proofs with multiple theories in both a sound and intuitive way. In our solution common knowledge is grouped in a single theory and lifting rules are provided for each agent to access it. The advantages are a more compact statement of the problem which does not rely on "ad hoc" initialization or on the fly construction of theories by extra logical machinery and a proof which is more carefully accounted for.

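    ╔═ c0 ═══════════════════════════════════════════════════════════════════════════
    ║ (7) in(on(A, B, S0), c)                              (assumption)
    ║
    ║ ╔═ c ══════════════════════════════════════════════════════════════════════════
    ║ ║ (8) on(A, B, S0)                                   (unnesting, 7)
    ║ ║ (9) in(on(A, B), c(S0))                            (8 and 4)
    ║ ║ (10) in(∀x,y on(x, y) ⇒ above(x, y), AboveTheory)  (2, nesting, 1, unnesting)
    ║ ║ (11) in(∀x,y on(x, y) ⇒ above(x, y), c(S0))        (proof in context, 6 and 10)
    ║ ║
    ║ ║ ╔═ c(S0) ════════════════════════════════════════════════════════════════════
    ║ ║ ║ (12) on(A, B)                                    (unnesting, 9)
    ║ ║ ║ (13) ∀x,y on(x, y) ⇒ above(x, y)                 (unnesting, 11)
    ║ ║ ║ (14) above(A, B)                                 (proof in context, 12 and 13)
    ║ ║ ╚════════════════════════════════════════════════════════════════════════════
    ║ ║
    ║ ║ (15) in(above(A, B), c(S0))                        (nesting, 14)
    ║ ║ (16) in(above(A, B), c(S0)) ⇒ above(A, B, S0)      (instance of 5)
    ║ ║ (17) above(A, B, S0)                               (proof in context, 15 and 16)
    ║ ╚══════════════════════════════════════════════════════════════════════════════
    ║
    ║ (18) in(above(A, B, S0), c)
    ╚════════════════════════════════════════════════════════════════════════════════

Figure 2. Proof of the lifting problem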

The three wise men puzzle is also tackled in [Nakashima 91] where a model for the representation of common knowledge is presented in the framework of situation theory. Oddly, the authors claim that, in their model, adopting a static (declarative) formalization of problems involving common knowledge, it is impossible to build proofs by contradiction, which is the most natural style of reasoning to solve this puzzle. They argue that no private knowledge is possible with their static representation, therefore they are led to develop a procedural model for the representation of common knowledge. Our formulation of common knowledge does not negatively interfere with proofs by contradiction and does not prevent private knowledge.

A common approach to the representation of nested beliefs is to introduce explicitly a number of different theories according to the different views that an agent has of other agents. In the three wise men puzzle we would have the theory that $wise_3$ has about $wise_2$, the theory that $wise_3$ has about the theory that $wise_2$ has about $wise_1$, ... and so on. The construction of tower of theories, one being "meta" for the one below, is what justifies the use of reflection and reification principles to transfer information between them. It seems to us very unnatural to be forced to conceive from the beginning an appropriate number of theories according to the number of agents and the nesting level of the reasoning which is required: in this simple puzzle, which requires a nesting level of three, one should theoretically conceive of 27 different theories (even without considering the evolution of time).

Our solution is not radically different but, we believe, more natural. The nesting of viewpoints implicitly takes care of the different perspectives. Finally, our solution does not make use of axioms like confidence or wiseness which are used in other solutions to make a wise man believe the conclusions of another wise man that he is aware of.
The following viewpoints are used.

    wise1: viewpoint of the first wise man
    wise2: viewpoint of the second wise man
    wise3: viewpoint of the third wise man
    CK: viewpoint including the common knowledge.

The predicate $white_i$ means the color of the spot of wise man $i$ is white. The common knowledge viewpoint is shown in Figure 3. Two axioms, external to the CK and wise men viewpoints, are needed for the wise men to obtain the common knowledge.

    (1) ∀x in(x, CK) ⇒ in(x, wise1) ∧ in(x, wise2) ∧ in(x, wise3)
    (2) ∀x in(x, CK) ⇒ in(in(x, wise1) ∧ in(x, wise2) ∧ in(x, wise3), CK)

    ╔═ CK ═══════════════════════════════════════════════════════════════════════════════
    ║ (3) white1 ∨ white2 ∨ white3                        (at least one spot is white)
    ║ (4) white1 ⇒ in(white1, wise2) ∧ in(white1, wise3)  (wise2 and wise3 see wise1's spot)
    ║ (4') ¬white1 ⇒ in(¬white1, wise2) ∧ in(¬white1, wise3)
    ║ (5) white2 ⇒ in(white2, wise1) ∧ in(white2, wise3)  (wise1 and wise3 see wise2's spot)
    ║ (5') ¬white2 ⇒ in(¬white2, wise1) ∧ in(¬white2, wise3)
    ║ (6) white3 ⇒ in(white3, wise1) ∧ in(white3, wise2)  (wise1 and wise2 see wise3's spot)
    ║ (6') ¬white3 ⇒ in(¬white3, wise1) ∧ in(¬white3, wise2)
    ║ (7) ¬in(white1, wise1)                              (asserted by first man)
    ║ (8) ¬in(white2, wise2)                              (asserted by second man)
    ╚════════════════════════════════════════════════════════════════════════════════════

Figure 3. Statement of the problem in the three wise men puzzle

Axioms (1) and (2) provide a proper account of common knowledge, allowing the commonly known facts to be derived in any viewpoint, no matter how nested. In particular axiom (2) is used to achieve the appropriate level of nesting in CK, axiom (1) to lift from the CK viewpoint to any other viewpoint. The details of the derivation of common knowledge are omitted from the proof. We can formally account, as shown in Figure 4, for the reasoning of the third wise man after the first and second one have spoken. The third wise man is in fact able to prove that his spot is white.

6 Conclusions We have discussed several approaches to the realization of formal systems for contextual reasoning. Important issues in this respect are whether explicit or implicit theories are allowed and whether theories are strati ed or one unique re exive theory is allowed. We described a set of inference rules for proof in context based on the theory of viewpoints and a notation for their application which expands on the box notation introduced by Kalish and Montague for natural deduction. We suggested that when dealing with partially speci ed theories or contexts a generalised notion of proof in context is more appropriate than re ection rules and gave an account of what \entering" and \leaving" a context should be in the setting of natural deduction proofs.


wise3
(9) $\neg white3$ (assumption)
(10) $\neg white3 \Rightarrow in(\neg white3, wise2)$ (6, 1)
(11) $in(\neg white3, wise2)$ (9, 10)

wise2
(12) $\neg white3$ (unnesting, 11)
(13) $\neg white2$ (assumption)
(14) $\neg white2 \wedge \neg white3$ (12, 13)
(15) $\neg white2 \Rightarrow in(\neg white2, wise1)$ (5, 2, 1)
(16) $\neg white3 \Rightarrow in(\neg white3, wise1)$ (6, 2, 1)
(17) $in(\neg white2 \wedge \neg white3, wise1)$ (14, 15, 16)
(18) $in(white1 \vee white2 \vee white3, wise1)$ (3, 2, 1)

wise1
(19) $\neg white2 \wedge \neg white3$ (unnesting, 17)
(20) $white1 \vee white2 \vee white3$ (unnesting, 18)
(21) $white1$ (19, 20)

(22) $in(white1, wise1)$ (nesting 21)
(23) $\neg in(white1, wise1)$ (7, 2, 1)

(24) $white2$ ($\neg$ I, 22, 23)

(25) $in(white2, wise2)$ (nesting)
(26) $\neg in(white2, wise2)$ (8, 1)

(27) $white3$ ($\neg$ I, 25, 26)

(28) $in(white3, wise3)$ (nesting, 27)

Figure 4. Proof of the three wise men puzzle
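The conclusion of Figure 4 can be cross-checked semantically. The following is an added example, not part of the paper: it uses possible-worlds enumeration rather than the viewpoint inference rules, and treats statements (7) and (8) as public announcements that discard worlds. The function names and the encoding of a world as a triple of booleans are assumptions of the example.

```python
from itertools import product

AGENTS = (0, 1, 2)  # indices standing for wise1, wise2, wise3


def initial_worlds():
    """All spot assignments (True = white) that satisfy axiom (3)."""
    return {w for w in product((True, False), repeat=3) if any(w)}


def alternatives(world, agent, worlds):
    """Worlds the agent cannot tell apart from `world`: it sees the
    other two spots (axioms 4-6'), so only its own spot may differ."""
    return {v for v in worlds
            if all(v[j] == world[j] for j in AGENTS if j != agent)}


def knows_white(world, agent, worlds):
    """Semantic counterpart of in(white_i, wise_i): the agent's spot is
    white in every world it considers possible."""
    return all(v[agent] for v in alternatives(world, agent, worlds))


def announce_not_known(agent, worlds):
    """Public statement of the form (7)/(8): keep only the worlds in
    which the agent does not know that its own spot is white."""
    return {w for w in worlds if not knows_white(w, agent, worlds)}


def solve():
    """Apply statements (7) and (8) in order and return what is left."""
    worlds = initial_worlds()
    worlds = announce_not_known(0, worlds)  # (7) asserted by first man
    worlds = announce_not_known(1, worlds)  # (8) asserted by second man
    return worlds


if __name__ == "__main__":
    remaining = solve()
    for w in sorted(remaining, reverse=True):
        print(w, "wise3 knows white3:", knows_white(w, 2, remaining))
```

Every world that survives both announcements has a white third spot, which is the semantic reading of step (28).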


Acknowledgments

We wish to thank the International Computer Science Institute in Berkeley, for providing the support and the right atmosphere to get this work done and Sasa Buvac for interesting and useful discussions which helped us to better understand McCarthy's notion of context.

References

[Aczel 88] P. Aczel (1988). Non-well-founded sets, CSLI lecture notes, 12, Center for the Study of Language and Information, Stanford, California.
[Attardi 84] G. Attardi and M. Simi (1984). Metalanguage and reasoning across viewpoints, in ECAI84: Advances in Artificial Intelligence, T. O'Shea (ed.), Elsevier Science Publishers, Amsterdam.
[Attardi 91] G. Attardi and M. Simi (1991). Reflections about reflection, in Allen, J. A., Fikes, R., and Sandewall, E. (eds.) Principles of Knowledge Representation and Reasoning: Proceedings of the Second International Conference. Morgan Kaufmann, San Mateo, California.
[Attardi 93] G. Attardi and M. Simi (1993). A formalisation of viewpoints, TR-93-062, International Computer Science Institute, Berkeley.
[Attardi 94] G. Attardi and M. Simi (1994). Proofs in context, in Doyle, J. and Torasso, P. (eds.) Principles of Knowledge Representation and Reasoning: Proceedings of the Fourth International Conference. Morgan Kaufmann, San Mateo, California.
[Bowen 82] K.A. Bowen and R.A. Kowalski (1982). Amalgamating language and metalanguage in logic programming, in Logic Programming, K. Clark and S. Tarnlund (eds.), Academic Press, 153-172.
[Buvac 93] S. Buvac and I.A. Mason (1993). Propositional Logic in Context, Proc. of the Eleventh AAAI Conference, Washington DC, 412-419.
[Guha 91] R.V. Guha (1991). Contexts: a formalization and some applications, MCC Tech. Rep. ACT-CYC-42391.
[Konolige 82] K. Konolige (1982). A first order formalization of knowledge and action for a multiagent planning system, Machine Intelligence 10.
[Kowalski 91] R. Kowalski and Kim J.S. (1991). A metalogic programming approach to multiagent knowledge and belief, in Vladimir Lifschitz (ed.), Artificial Intelligence and the Mathematical Theory of Computation: Papers in Honor of John McCarthy, Academic Press, 231-246.
[McCarthy 87] J. McCarthy (1987). Generality in Artificial Intelligence, Communications of the ACM, 30(12), 1030-1035.
[McCarthy 93] J. McCarthy (1993). Notes on Formalizing Context, Proceedings of the Thirteenth International Joint Conference on Artificial Intelligence, Chambery.
[Kalish 64] D. Kalish and R. Montague (1964). Logic: techniques of formal reasoning, New York, Harcourt, Brace & World.
[Nakashima 91] H. Nakashima, S. Peters, H. Schutze (1991). Communication and Inference through situations, Proc. of 12th International Joint Conference on Artificial Intelligence, Sydney, Australia.
[Montague 63] R. Montague (1963). Syntactical treatment of modalities, with corollaries on reflexion principles and finite axiomatizability, Acta Philosoph. Fennica, 16, 153-167.
[Moore 77] R. C. Moore (1977). Reasoning about knowledge and action, Proc. of IJCAI77, Cambridge, MA, 223-227.
[Perlis 85] D. Perlis (1985). Languages with self-reference I: foundations, Artificial Intelligence, 25:301-322.
[Shoham 91] Y. Shoham (1991). Varieties of contexts, in Vladimir Lifschitz (ed.), Artificial Intelligence and the Mathematical Theory of Computation: Papers in Honor of John McCarthy, Academic Press, 393-407.
[Simi 91] M. Simi (1991). Viewpoints subsume belief, truth and situations, in Trends in Artificial Intelligence, Proc. of 2nd Congress of the Italian Association for Artificial Intelligence, Ardizzone, Gaglio, Sorbello (Eds), Lecture Notes in Artificial Intelligence 549, Springer Verlag, 38-47.
[Weyhrauch 80] R.W. Weyhrauch (1980). Prolegomena to a theory of mechanized formal reasoning, Artificial Intelligence, 13(1,2):133-170.

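A APPENDIX

A.1 Inference rules for classical natural deduction

$$\frac{P, \; Q}{P \wedge Q} \quad (\wedge I)$$

$$\frac{P \wedge Q}{P, \; Q} \quad (\wedge E)$$

$$\frac{\Gamma \cup \{P\} \vdash Q}{\Gamma \vdash (P \Rightarrow Q)} \quad (\Rightarrow I)$$

$$\frac{P, \; P \Rightarrow Q}{Q} \quad (\Rightarrow E)$$

$$\frac{P}{P \vee Q, \; Q \vee P} \quad (\vee I)$$

$$\frac{P \vee Q, \; P \Rightarrow R, \; Q \Rightarrow R}{R} \quad (\vee E)$$

$$\frac{P \Rightarrow Q, \; P \Rightarrow \neg Q}{\neg P} \quad (\neg I)$$

$$\frac{\neg\neg P}{P} \quad (\neg E)$$

$$\frac{P[y/x]}{\forall y . P} \quad (\forall I)$$

where $y$ is a new variable, and where the notation $P[t/x]$ stands for $P$ with all the free occurrences of variable $x$ substituted by $t$.

$$\frac{\forall x . P}{P[t/x]} \quad (\forall E)$$

where $t$ does not contain variables occurring in $P$

$$\frac{P[t/x]}{\exists x . P} \quad (\exists I)$$

$$\frac{\exists x . P}{P[y/x]} \quad (\exists E)$$

where $y$ is a new variable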

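A.2 Metalevel axioms and inference rules

$$in('P', \{\ldots, 'P', \ldots\}) \quad (Axiom1)$$

$$in('P', vp) \Rightarrow in('in('P', vp)', vp) \quad (Ax2)$$

$$\frac{in('P', vp), \; in('Q', vp)}{in('P \wedge Q', vp)} \quad (Meta \; \wedge I)$$

$$\frac{in('P \wedge Q', vp)}{in('P', vp), \; in('Q', vp)} \quad (Meta \; \wedge E)$$

$$\frac{in('Q', vp \cup \{'P'\})}{in('P \Rightarrow Q', vp)} \quad (Meta \; \Rightarrow I)$$

$$\frac{in('P', vp), \; in('P \Rightarrow Q', vp)}{in('Q', vp)} \quad (Meta \; \Rightarrow E)$$

$$\frac{in('P', vp)}{in('P \vee Q', vp), \; in('Q \vee P', vp)} \quad (Meta \; \vee I)$$

$$\frac{in('P \vee Q', vp), \; in('P \Rightarrow R', vp), \; in('Q \Rightarrow R', vp)}{in('R', vp)} \quad (Meta \; \vee E)$$

$$\frac{in('P', vp), \; in('P \Rightarrow Q \wedge \neg Q', vp)}{in('\neg P', vp)} \quad (Meta \; \neg I)$$

$$\frac{in('\neg\neg P', vp)}{in('P', vp)} \quad (Meta \; \neg E)$$

$$\frac{in('P[y/x]', vp)}{in('\forall x . P', vp)} \quad (Meta \; \forall I)$$

$$\frac{in('\forall x . P', vp)}{in('P[t/x]', vp)} \quad (Meta \; \forall E)$$

$$\frac{in('P[t/x]', vp)}{in('\exists x . P', vp)} \quad (Meta \; \exists I)$$

$$\frac{in('\exists x . P', vp)}{in('P[y/x]', vp)} \quad (Meta \; \exists E)$$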