## About

125

Publications

11,643

Reads

1,130

Citations

## Publications

Publications (125)

In the study of symbolic verification of cryptographic protocols, a central result due to Rusinowitch and Turuani [2003] is that the insecurity problem (deciding whether a protocol admits an execution which leaks a designated secret to the intruder) for security protocols with finitely many sessions is NP-complete. Central to their proof strategy i...

We study procedures for the derivability problem of fragments of intuitionistic logic. Intuitionistic logic is known to be PSPACE-complete, with implication being one of the main contributors to this complexity. In fact, with just implication alone, we still have a PSPACE-complete logic. We study fragments of intuitionistic logic with restricted im...

When we consider systems with process creation and exit, we have potentially infinite state systems where the number of processes alive at any state is unbounded. Properties of such systems are naturally specified using modal logics with quantification, but they are hard to verify even over finite state systems. In [11] we proposed , an implicitly...

Whether it be in normal form games, or in fair allocations, or in voter preferences in voting systems, a certain pattern of reasoning is common. From a particular profile, an agent or a group of agents may have an incentive to shift to a new one. This induces a natural graph structure that we call the improvement graph on the strategy space of thes...

In the context of modeling cryptographic tools like blind signatures and homomorphic encryption, the Dolev-Yao model is typically extended with an operator over which encryption is distributive. The intruder deduction problem has a non-elementary upper bound when the extended operator is an Abelian group operator. Here we show that the intruder ded...

Term modal logics (TML) are modal logics with unboundedly many modalities, with quantification over modal indices, so that we can have formulas of the form $\exists y. \forall x. (\Box_x P(x,y) \supset\Diamond_y P(y,x))$. Like First order modal logic, TML is also "notoriously" undecidable, in the sense that even very simple fragments are undecidabl...

Propositional term modal logic is interpreted over Kripke structures with unboundedly many accessibility relations and hence the syntax admits variables indexing modalities and quantification over them. This logic is undecidable, and we consider a variable-free propositional bi-modal logic with implicit quantification. Thus $[\forall] \alpha$ asser...

We present an experiential account of an adult mathematics classroom and try to make a case that themes like optimization and processes like multiple representations, formal communication, argumentation etc. deserve a place in the curriculum for adults learning mathematics. This requires a re-orientation of what we expect the learner to achieve but...

Quantified modal logic provides a natural logical language for reasoning about modal attitudes even while retaining the richness of quantification for referring to predicates over domains. But then most fragments of the logic are undecidable, over many model classes. Over the years, only a few fragments (such as the monodic) have been shown to be d...

We study term modal logics, where modalities can be indexed by variables that can be quantified over. We suggest that these logics are appropriate for reasoning about systems of unboundedly many reasoners and define a notion of bisimulation which preserves propositional fragment of term modal logics. Also we show that the propositional fragment is...

Grim-trigger strategies are a fundamental mechanism for sustaining equilibria in iterated games: the players cooperate along an agreed path, and as soon as one player deviates, the others form a coalition to play him down to his minmax level. A precondition to triggering such a strategy is that the identity of the deviating player becomes common kn...

In [21], we extended the Dolev-Yao model with assertions. We build on that work and add existential abstraction to the language, which allows us to translate common constructs used in voting protocols into proof properties. We also give an equivalence-based definition of anonymity in this model, and prove anonymity for the FOO protocol.

Methods for Modalities is a series aimed at bringing together researchers interested in developing proof methods, verification methods, algorithms and tools based on modal logic. Here the term "modal logics" is conceived broadly, including description logic, guarded fragments, conditional logic, temporal and hybrid logic, dynamic logic, etc. The fi...

In earlier work, we extend the Dolev-Yao model with assertions. We build on that work and add existential abstraction to the language, which allows us to translate common constructs used in voting protocols into proof properties. We also give an equivalence-based definition of anonymity in this model, and prove anonymity for the FOO voting protocol...

This book discusses major milestones in Rohit Jivanlal Parikh’s scholarly work. Highlighting the transition in Parikh’s interest from formal languages to natural languages, and how he approached Wittgenstein’s philosophy of language, it traces the academic trajectory of a brilliant scholar whose work opened up various new avenues in research.
Thi...

Web service choreographies specify conditions on observable interactions among the services. An important question in this regard is realizability: given a choreography C, does there exist a set of service implementations I that conform to C? Further, if C is realizable, is there an algorithm to construct implementations in I?
We propose two local...

We present a general theorem for distributed synthesis problems in coordination games with $\omega$-regular objectives of the form: If there exists a winning strategy for the coalition, then there exists an "essential" winning strategy, that is obtained by a retraction of the given one. In general, this does not lead to finite-state winning strateg...

In the formal study of security protocols and access control systems, fragments of intuitionistic logic play a vital role. These are required to be efficient, and are typically disjunction-free. In this paper, we study the complexity of adding disjunction to these subsystems. Our lower bound results show that very little needs to be added to disjun...

We study definability in the first order theory of graph order: that is, the set of all simple finite graphs ordered by either the minor, subgraph or induced subgraph relation. We show that natural graph families like cycles and trees are definable, as also notions like connectivity, maximum degree etc. This naturally comes with a price: bi-interpr...

The study of epistemic dynamics has largely concentrated on how knowledge of an agent changes due to communication and other ‘global’ actions that involve engagement of several agents. Local actions under the control of agents are treated as a special case. We point out that there are some specific issues of both technical and philosophical interes...

We study automata as memory structure for “online” strategizing in extensive form games. By online strategizing we mean a model in which players start with potential (partial) strategies that are generic plans for (local) subgames and dynamically compose and switch between them. We consider such strategizing to be relevant for a theory of play. We...

Cryptographic protocols often require principals to send certifications asserting partial knowledge of terms (for instance, that an encrypted secret is 0 or 1). Such certificates are themselves modelled by cryptographic primitives or sequences of communications. For logical analysis of such protocols based on the Dolev-Yao model [12], we suggest th...

Web service choreographies specify conditions on observable interactions
among the services. An important question in this regard is realizability:
given a choreography C, does there exist a set of service implementations I
that conform to C ? Further, if C is realizable, is there an algorithm to
construct implementations in I ? We propose a local...

In theory of play, a player needs to reason about other players’ types that could conceivably explain how play has reached a particular node of the extensive form game tree. Notions of rationalizability are relevant for such reasoning. We present a logical description of such player types and show that the associated type space is constructible (by...

We study repeated normal form games where the number of players is large. We argue that it is interesting to look at such games as being divided into subgames, each of which we call a neighbourhood. The structure of such a game is given by a graph G whose nodes are players and edges denote visibility. The neighbourhoods are maximal cliques in G. Th...

We study games in which the number of players is large, and hence outcomes are independent of the identities of the players. Game models typically study how choices made by individual rational players determine game outcomes. We extend this model to include an implicit player — the society, who makes actions available to players and incurs certain...

In this paper we propose actor-networks as a formal model of computation in heterogenous networks of computers, humans and their devices, where these new procedures run; and we introduce Procedure Derivation Logic (PDL) as a framework for reasoning about security in actor-networks, as an extension of our previous Protocol Derivation Logic. Both for...

In the theory of automata over infinite alphabets, a central difficulty is that of finding a suitable compromise between expressiveness and algorithmic complexity. We propose an automaton model where we count the multiplicity of data values on an input word. This is particularly useful when such languages represent behaviour of systems with unbound...

We study a game model to highlight the mutual recursiveness of individual rationality and societal rationality. These are games that change intrinsically based on the actions / strategies played by the players. There is an implicit player - the society, who makes actions available to players and incurs certain costs in doing so. If and when it feel...

A central question in knowledge theory relates to how knowers update their knowledge on receipt of a communication. This is
important, since the very purpose of communications is (typically) to create such an update of knowledge in the recipient.
However, there is often a lack of concordance between the intended update and that which occurs, leadin...

We study repeated normal form games where the number of players is large and suggest that it is useful to consider a neighbourhood structure on the players. The structure is given by a graph G whose nodes are players and edges denote visibility. The neighbourhoods are maximal cliques in G. The game proceeds in rounds where in each round the players...

We suggest that developing automata theoretic foundations is relevant for knowledge theory, so that we study not only what is known by agents, but also the mechanisms by which such knowledge is arrived at. We define a class of epistemic automata, in which agents’ local states are annotated with abstract knowledge assertions about others. These are...

The standard way of modelling imperfect information in games is in terms of information partitions for players. In this view,
each player is associated with an equivalence relation over the set of game positions. For multiplayer games of imperfect
information defined in this manner it turns out that most of the algorithmic questions like determinin...

In the context of modelling cryptographic tools like blind signatures and homomorphic encryption, the Dolev-Yao model is typically
extended with an operator over which encryption is distributive. We consider one such theory which lacks any obvious locality
property and show that its derivability problem is hard: in fact, it is dexptime-complete. Th...

Consider a player playing against different opponents in two extensive form games simultaneously. Can she then have a strategy
in one game using information from the other? The famous example of playing chess against two grandmasters simultaneously
illustrates such reasoning. We consider a simple dynamic logic of extensive form games with sequentia...

Overview. There is now a growing body of research on formal algorithmic models of social procedures and interactions between rational agents. These models attempt to identify logical elements in our day-to-day social activities. When interactions are modeled as games, reasoning involves analysis of agents' long-term powers for influencing outcomes....

In games with a large number of players where players may have overlapping objectives, the analysis of stable outcomes typically depends on player types. A special case is when a large part of the player population consists of imitation types: that of players who imitate choice of other (optimizing) types. Game theorists typically study the evoluti...

There are several ways in which mathematics in school classrooms misses elements that are vital to mathematicians’ practice. Here, we wish to emphasize processes such as selecting between or devising new representations, looking for invariances, observing extreme cases and typical ones to come up with conjectures, looking actively for counterexampl...

We propose an extension of the standard Dolev-Yao model of cryptographic protocols to facilitate symbolic reasoning about
zero-knowledge proofs. This is accomplished by communicating typed terms, and providing a proof amounts to certifying that
a term is of a particular type. We present a proof system for term derivability, which is employed to yie...

We suggest that in the context of planning in uncertain environments, an agent’s performance of an action may be tentative
and not definitive. In this view, an agent plans to merely try performing an action, and further planning is dependent on the success or failure of such a trial. Epistemic logics seem
well suited to formalize the reasoning in s...

In the theory of automata over infinite alphabets, a central difficulty is that of finding a suitable compromise between expressiveness
and algorithmic complexity. We propose an automaton model where we count the multiplicity of data values on an input word.
This is particularly useful when such languages represent behaviour of systems with unbound...

We suggest that a process-like notion of strategy is relevant in the context of interactions in systems of self-interested agents. In this view, strategies
are not plans formulated by rational agents considering all possible futures and (mutually recursively) taking into account
strategies employed by other players. Instead, they are partial; playe...

We study games in which the choices available to players are not fixed, and may change during the course of play. Specifically, we consider a model in which players may switch strategies, and a global (social) decision may remove some choices, based on the strategies being adopted by players. We propose a logical formalism in which such choices ar...

We study two-player non-zero sum games of perfect information in infinite games on graphs. We suggest that in such games, it is useful to study structurally specified strategies, so that we can reason about how a player’s strategy may depend on assumptions about the opponent’s strategy. In such a setting, we show that best response computation can...

We consider a propositional dynamic logic whose programs are regular expressions over game-strategy pairs. At the atomic level, these are finite extensive form game trees with structured strategy specifications, whereby a player's strategy may depend on properties of the opponent's strategy. The advantage of imposing structure not merely on games...

We consider a logic for reasoning about composite strategies in games, where players' strategies are like programs, composed structurally. These depend not only on conditions that hold at game positions but also on properties of other players' strategies. We present an axiomatization for the logic and prove its completeness. 1 Summary Extensive...

We contend that reasoning about knowledge is both natural and pragmatic for verification of electronic voting protocols. We present a model in which desirable properties of elections are naturally expressed using standard knowledge operators, and show that the associated logic is decidable (under reasonable assumptions of bounded agents and nonce...

In the vision of the Group, school mathematics takes place in a situation where: (1) Children learn to enjoy mathematics, (2) Children learn important mathematics, (3) Mathematics is a part of children’s life experience which they talk about, (4) Children pose and solve meaningful problems, (5) Children use abstractions to perceive relationships...

While reasoning about security protocols, most of the difficulty of reasoning relates to the complicated semantics (with freshness of nonces, multisessions, etc.). While logics for security protocols need to be abstract (without explicitly dealing with nonces, encryption, etc.), ignoring details may result in rendering any verification of abstract...

We present a logical characterization of a particular aspect of concurrency called the concurrent step notion. We do so by providing a sound and complete axiomatization of models called distributed transition systems. In a distributed transition system an old state is transformed into a new state through a set of actions occurring concurrently. Our...

We consider a logic for reasoning about composite strategies in games, where players' strategies are like programs, composed structurally. These depend not only on conditions that hold at game positions but also on properties of other players' strategies. We present an axiomatization for the logic and prove its completeness. 1 Summary Extensive f...

An important problem in the analysis of security protocols is that of checking whether a protocol preserves secrecy, i.e., no secret owned by the honest agents is unintentionally revealed to the intruder. This problem has been proved to be undecidable in several settings. In particular, [11] prove the undecidability of the secrecy problem in the pr...

Logics for specifying properties of security protocols and reasoning about them have received increasing attention over the past few years. In this paper, we propose a propositional logic of knowledge, augmented with tense modalities, in which many important properties of security protocols can be naturally expressed. We also describe in some detai...

Tagging schemes have been used in security protocols to ensure that the analysis of such protocols can work with messages of bounded length. When the set of nonces is bounded, this leads to decidability of secrecy. In this paper, we show that tagging schemes can be used to obtain decidability of secrecy even in the presence of unboundedly many...

Lamport diagrams are partial orders which depict computations of message passing systems. It is natural to consider generalizations
of linear time temporal logics over such diagrams. In [MR00], we presented a decidable temporal logic with local temporal
modalities and a global ‘previous’ modality to talk of message receipts. It seems reasonable to...

this paper, we propose a simple syntactic restriction on protocols and show that it achieves this purpose. The condition essentially states that between any two terms that occur in distinct communications, no encrypted subterm of one can be unified with a subterm of the other. In the absence of such a restriction, the intruder may use such a binding...

We investigate the semantics of messages, and argue that the meaning of a message is naturally and usefully given in terms of how it affects the knowledge of the agents involved in the communication. We note that this semantics depends on the protocol used by the agents, and thus not only the message itself, but also the protocol appears as a param...

We propose a notion of information based abstraction for the logical study of security protocols and study how protocol actions update agents' information. We show that interesting security properties of Needham-Schroeder like protocols can be verified automatically.

Lamport diagrams are partial orders which depict computations of message passing systems. It is natural to consider generalizations of linear time temporal logics over such diagrams. In [MR00], we presented a decidable temporal logic with local temporal modalities and a global 'previous' modality to talk of message receipts. It seems reasonable to...

We propose a class of finite state systems of synchronizing distributed processes, where processes make assumptions at local
states about the state of other processes in the system. This constrains the global states of the system to those where assumptions
made by a process about another are compatible with the commitments offered by the other at t...

We present a simple theoretical model of web navigation, in which each WWW user creates style specifications which constrain web browsing, search and navigation using the user’s own judgement of the quality of visited sites. A finite
state automaton is associated with each specification, which is presented in a two-level modal logic making up the a...

We present a simple theoretical model of web navigation, in which each WWW user creates style specifications which constrain web browsing, search and navigation using the user's own judgement of the quality of visited sites. A finite state automaton is associated with each specification, which is presented in a two-level modal logic making up the a...

Formulas of temporal logic which cannot distinguish between different interleavings of the same run are said to be trace consistent. So called partial-order methods can be applied for verification of such formulas, since checking such a property over an equivalence class of runs reduces to checking it for one representative. In this paper, we prese...

Two runs of a distributed system can be considered equivalent if they represent different interleavings of the same run. Formulas of the propositional temporal logic of linear time (PTL) are said to be trace consistent when they cannot distinguish between equivalent runs. Determining whether a formula is trace consistent is decidable. In this pap...

Introduction to Modal Logic 2. Basic Modal Logic: Correspondence Theory 3. Basic Modal Logic: Completeness and Decidability 4. Propositional Dynamic Logic 5. Hintikka's Logic of Knowledge 6. The problem of logical omniscience 7. Knowledge and time 8. Common Knowledge 9. Probabilistic Knowledge 10. Nonmonotonic reasoning 1 1 Introduction to Modal Lo...

In the information-based definition of knowledge, an agent is said to know α at a state s if α is true in all states that look the same as s to that agent. However, in systems where an agent's view of the system is partial, even if a state s′ may be logically indistinguishable from a state s, s′ may not be visible from s. For instance, in a distrib...

We argue the need for a logic of knowledge revision, in which one can explicitly reason about how agents' actions change their states of knowledge. However, we also show a strong negative result for a `natural' modal logic defined on these systems, suggesting that more subtlety is called for. 1 Motivation The problem of modelling knowledge revision...

We extend labelled transition systems to distributed transition systems by labelling the transition relation with a finite set of actions, representing the fact that the actions occur as a concurrent step. We design an action-based temporal logic in which one can explicitly talk about steps. The logic is studied to establish a variety of positive a...

Introduction to Modal Logic 2. Basic Modal Logic: Correspondence Theory 3. Basic Modal Logic: Completeness and Decidability 4. Hintikka's Logic of Knowledge 5. The problem of logical omniscience 6. Knowledge and time 7. Common Knowledge 8. Probabilistic Knowledge 9. Nonmonotonic reasoning 1 1 Introduction to Modal Logic In this lecture, we first reca...

We consider the problem of reasoning about message based systems in finite state environments. Two notions of finite state
environments are discussed: bounded buffers and implicit buffers. The former notion is standard, whereby the sender gets blocked
when the buffer is full. In the latter, the sender proceeds as if the buffer were unbounded, but t...

When the state of the world changes due to an action performed by an agent in a multiagent system, the views of other agents, and hence their knowledge, remain unaffected. We describe such situations using a simple modal logic. Traditionally, modal logics of knowledge are interpreted over global states of the multi-agent system. When actions are in...

Any reasoning agent in a system has a model of the system which represents the partial view available to that agent. We suggest the following notion of knowledge: agent i knows that α holds if and only if α is true in the sub-model visible to i. This corresponds to considering knowledge as an agent's ability to answer questions about the subject,...

In the study of distributed systems, the assumption - commitment framework is crucial for compositional specification of processes. The idea is that we reason about each process separately, making suitable assumptions about other processes in the system. Symmetrically, each process commits to certain actions which the other processes can rely on. W...

A distributed presentation of a regular language L is a system of communicating automata accepting L, where the constraint on distribution is given in the form of a distributed alphabet. We study such presentations in the assumption-commitment framework, where each process makes assumptions about other processes in the system. Symmetrically, each p...

A distributed presentation of a regular language L is a system of communicating automata accepting L, where the constraint on distribution is given in the form of a distributed alphabet. We study such presentations in the assumption - commitment framework, where each process makes assumptions about other processes in the system. Symmetrically, each...

Formulas of temporal logic which cannot distinguish between different interleavings of the same run are said to be trace consistent. So called partial-order methods can be applied for verification of such formulas, since checking such a property over an equivalence class of runs reduces to checking it for one representative.
In this paper, we prese...

We study linear time temporal logics of multiple agents, where the temporal modalities are local. These modalities not only refer to local next-instants and local eventuality, but also global views of agents at any local instant, which are updated due to communication from other agents. Thus agents also reason about the future, present and past of...

## Projects

Project (1)

Despite First-order Modal Logic being perceived to be notoriously undecidable, some researchers have taken steps in recent times to identify decidable fragments such as the monodic fragments. Inspired by non-standard epistemic logics of knowing how/why/what, we discovered some very expressive new decidable fragments of FOML by bundling quantifiers and modalities together. This project systematically explores this line of research.