A Substructural Modal Logic of Utility

We introduce a substructural modal logic of utility that can be used to reason about optimality with respect to properties of states. Our notion of state is quite general, and is able to represent resource allocation problems in distributed systems. The underlying logic is a variant of the modal logic of bunched implications, and based on resource semantics, which is closely related to concurrent separation logic. We consider a labelled transition semantics and establish conditions under which Hennessy–Milner soundness and completeness hold. By considering notions of cost, strategy and utility, we are able to formulate characterizations of Pareto optimality, best responses, and Nash equilibrium within resource semantics. We also show that our logic is able to serve as a logic for a fully featured process algebra and explain the interaction between utility and the structure of processes.


Introduction
Mathematical modelling and simulation modelling are fundamental tools of engineering, science, and social sciences such as economics, and provide decision-support tools in management. The components of distributed systems (as described, e.g., in [13]) are typically modelled using various algebraic structures for the structural components (location, resource, and process) and probability distributions to represent stochastic interactions with the environment [12,10,11,2]. Applications of this approach to systems security modelling have been explored extensively in, for example, [11,4,7,6,5]. A key aspect of modelling distributed systems is resource allocation. For example, when many processes execute concurrently, they compete for resources. A common desire of system designers, managers, and users is to determine, if possible, the optimal allocation of resources required in order to solve a specific problem or deliver a specific service.
We develop a substructural modal predicate logic, MBIU, that can be used to reason about optimality with respect to properties of states. Our notion of state is quite general, and is able to represent resource allocation problems in distributed systems; in particular, it encompasses models of distributed systems in which there is a notion of agent [13,30,11]. The preferences of agents among the various outcomes of system evolutions are modelled using numerical payoffs, as formulated in game theory. We use arithmetic predicates to relate states to payoffs, and so are able to give a logical representation of agents' degrees of satisfaction. The payoff of a state is defined via the actions that the state can perform: the logic's modal formulae can then be used to reason about the payoffs of states that are related by the transition system. The logic also includes substructural connectives (as in BI [26,27,16], MBI [12,10,2], and Separation Logic [17,29]), which can be used, among other things, to support reasoning about decision-making by concurrent combinations of agents. The notion of optimality of resource allocation is a central topic in economics, where game theory plays a significant role.
In Section 2, we develop MBIU. To do so, we must introduce actions, and define a notion of transition systems with concurrent structure on their states. We introduce a slight variant on the standard notion of bisimulation for such a transition system, and describe various properties that we require for our results to hold; in particular, that the concurrent composition operator is a congruence with respect to the bisimulation relation. In Section 2.2, we specify our logic, and define its semantics in terms of concurrent transition relations. We obtain the technical result that, provided that bisimulation in the underlying transition system is a congruence with respect to the concurrent composition and any state can only evolve in finitely many ways, full Hennessy-Milner completeness holds for MBIU: that is, bisimulation equivalence of states corresponds exactly to logical equivalence in MBIU.
An agent or process, in a given starting state, makes a choice between possible actions and so evolves, along with its environment, to achieve a new state. Associated with such an action is its value, or utility, which is determined by a payoff function. When agents evolve, or multiple agents co-evolve (such as when competing as players in a game for resources), they make sequences of moves, called strategies, that determine the outcome of the game and the payoffs for each of the agents. For all elementary notions from economics required for this paper, including ideas from utility theory and game theory, a suitable source is [30].
In order to define MBIU, we must introduce actions on states, their transition systems and the associated notion of bisimulation, payoffs, and strategies. We give some basic examples of how the logic is used to express properties of states, and establish the conditions on the operational semantics of actions that are required in order to obtain a Hennessy-Milner soundness and completeness theorem.
In Section 3, we illustrate how the logical set-up that we have introduced can be used to capture the classical notions of optimality and equilibrium as established in utility theory and game theory. We begin with a classic example from distributed systems modelling: mutual producer-consumer. We then explain how our set-up can be used to express Pareto optimality. This example leads naturally into a discussion of game-theoretic examples and concepts. We consider here the prisoner's dilemma, the best-response property, and Nash equilibria.
In Sections 4 and 5, we show that the framework for modelling distributed systems, as introduced in [12,11] and improved theoretically in [2], is encompassed by our framework, with the consequence that the treatment of utility in MBIU extends to the modelling framework given in [2]. We revisit the mutual producer-consumer example from Section 3, explaining the interaction between the process-theoretic structure and utility.
Finally, in Section 6, we discuss a range of challenges for future research, in both logical and utility-theoretic directions.
A short version of this paper is [1].

A substructural modal logic of utility
In this section, we define a substructural modal predicate logic, MBIU, that can be used to reason about optimality with respect to properties of states. Our notion of state is quite general; in particular, it encompasses models of distributed systems in which there is a notion of agent [13,30,11]. The preferences of agents among the various outcomes of system evolutions are modelled using numerical payoffs, as formulated in game theory. We use arithmetic predicates to relate states to payoffs, and so are able to give a logical representation of agents' degrees of satisfaction. The payoff of a state is defined via the actions that the state can perform: the logic's modal formulae can then be used to reason about the payoffs of states that are related by the transition system. The logic also includes substructural connectives (as in BI, MBI, and Separation Logic [17,29]), which can be used, among other things, to support reasoning about decision-making by concurrent combinations of agents.
In Section 2.1, we introduce actions, and define a notion of transition systems with concurrent structure on their states. We introduce a slight variant of the standard notion of bisimulation for such a transition system, and describe various properties that we require for our results to hold; in particular, that the concurrent composition operator is a congruence with respect to the bisimulation relation. In Section 2.2, we specify our logic, and define its semantics in terms of concurrent transition relations. We obtain the technical result that, provided that bisimulation in the underlying transition system is a congruence with respect to the concurrent composition and any state can only evolve in finitely many ways, full Hennessy-Milner completeness holds for MBIU. That is, bisimulation equivalence of states corresponds exactly to logical equivalence in MBIU.
2.1. Transition systems. First, we introduce our notion of action. We assume a set, Act, of actions, which correspond to the events of the system.
Definition 1 (Actions). An action structure Act is a structure (Act, •, 1) such that (Act, •) is a total magma, and 1 ∈ Act is a distinguished action.
Note that we do not require that the distinguished action 1 be a unit for •, nor do we require • to be commutative, and hence Act is not necessarily a (commutative) monoid. We use = to denote syntactic equality of actions. Let ab denote a • b.
We take an additional equivalence relation on actions, ≡, for a given action structure Act. Note that the syntactic equivalence relation = and the action-composition equivalence relation ≡ are not necessarily the same. Herein, we only consider actions to be interchangeable if they are syntactically equal.
Then, we can define transition systems. Let Act be an action structure.
Definition 3 (Transition system). A transition system is a structure (S, Act, →) with carrier set S, action structure Act, and transition relation → ⊆ S × Act × S.
Let r, s, etc., range over elements of the carrier set of a transition system. We refer to these elements as states.
In this paper, we shall often work with partial functions. We use the standard notations R ↓ and R ↑ to mean that an expression R is, respectively, defined or undefined.
Next, we add the concurrent structure of the states of a transition system. Concurrent transition systems (with some well-formedness conditions, defined below) are the core mathematical structure representing system dynamics in this paper.
Definition 4 (Concurrent transition system). A concurrent transition system is a structure (S, Act, →, ≡, •, e) such that (S, Act, →) is a transition system, ≡ is an action-composition equivalence relation, e ∈ S is a distinguished element of the state space, and • : S × S S is a partial operator such that, for all states r, s, r , s , r ∈ S and actions a, b ∈ Act:
The operation • is referred to as the concurrent composition operation. In the sequel, we work with a fixed concurrent transition system at every point. We sometimes refer to the distinguished state as the unit state. We write r → s if there exists some a such that $r \xrightarrow{a} s$, →* for the reflexive, transitive closure of →, and →⁺ for the transitive closure of →.
We can use the partiality of the concurrent composition, along with a transition system, to model straightforwardly key examples in systems modelling [12,11], such as the following.
Example 5 (Semaphores). Let Act be the free monoid generated by the atomic actions a and 1, where 1 is the distinguished action. Suppose a concurrent transition system ({s, e}, Act, →, •, e), where $s \xrightarrow{a} s$, s • e = s, and s • s is undefined. Note that → is undefined for any values that are neither specified explicitly nor required by properties of Definitions 3 and 4. We then have that no state can perform the action aa, that is, $e \stackrel{aa}{\nrightarrow}$ and $s \stackrel{aa}{\nrightarrow}$. The concurrent transition system acts like a semaphore, in that only one access action a can be performed at any given time.
The standard notion of bisimulation is that two states in a system are bisimilar if they can perform the same actions, and, after those reductions, remain bisimilar. We weaken that approach slightly, and consider two states in a system to be bisimilar if they can perform actions that are equivalent under ≡, and, following those reductions, remain bisimilar. We define the notion of a (action-composition-equivalence-relation) bisimulation relation between states in a concurrent transition system.
Definition 6 (Bisimulation). A (action-composition-equivalence-relation) bisimulation is a relation R such that, for all states r R s, then, for all actions a ∈ Act,
Let ∼ ⊆ State × State be the union of all bisimulations for a given concurrent transition system. The union of any two bisimulations is also a bisimulation. Hence ∼ is well defined, and a bisimulation. Note that the usual definition of bisimulation for process calculi is a special case of the above, that where Act is an action monoid with commutative operation • and unit 1, and action-composition equivalence is just syntactic equality.
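The weakened transfer condition described above can be checked mechanically on a finite system. The following Python code is an added example, not part of the paper: it computes the largest bisimulation by starting from S × S and deleting pairs that violate the condition, once with syntactic equality of actions and once with a coarser ≡. The three-state system and the choice of ≡ (words that differ only by occurrences of the distinguished action 1, in the spirit of the a₁1 ≡ a₁ step used in the proof of Lemma 9) are constructed assumptions.

```python
from itertools import product

def strip_units(action):
    """Normal form for the assumed ≡: drop every occurrence of the action 1."""
    return tuple(x for x in action if x != "1")

def syntactic(a, b):
    """Action equivalence taken to be syntactic equality of action words."""
    return a == b

def up_to_units(a, b):
    """Assumed ≡: two action words are equivalent if they differ only by 1s."""
    return strip_units(a) == strip_units(b)

def greatest_bisimulation(states, trans, equiv):
    """Largest relation closed under the transfer condition, where a move
    labelled a may be answered by any move labelled b with equiv(a, b).
    trans is a set of (source, action word, target) triples."""
    succ = {s: [(a, t) for (r, a, t) in trans if r == s] for s in states}
    rel = set(product(states, repeat=2))

    def closed(r, s):
        # every move of r is answered by an equivalent move of s ...
        fwd = all(any(equiv(a, b) and (r2, s2) in rel for (b, s2) in succ[s])
                  for (a, r2) in succ[r])
        # ... and every move of s is answered by an equivalent move of r
        bwd = all(any(equiv(a, b) and (r2, s2) in rel for (a, r2) in succ[r])
                  for (b, s2) in succ[s])
        return fwd and bwd

    while True:
        keep = {(r, s) for (r, s) in rel if closed(r, s)}
        if keep == rel:
            return rel
        rel = keep

# Constructed system: s loops on a, t loops on the word a·1, d is deadlocked.
STATES = ["s", "t", "d"]
TRANS = {("s", ("a",), "s"), ("t", ("a", "1"), "t")}

if __name__ == "__main__":
    print(sorted(greatest_bisimulation(STATES, TRANS, syntactic)))
    print(sorted(greatest_bisimulation(STATES, TRANS, up_to_units)))
```

Under syntactic equality only the identity pairs survive; under the coarser ≡ the states s and t become bisimilar, while the deadlocked state d stays distinguishable from both.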
There are various technical properties of bisimulation that we require for the remainder of this paper. First, the bisimulation relation ∼ is an equivalence relation.
Lemma 7. For all states s, s′, s″ ∈ S: s ∼ s; s ∼ s′ implies s′ ∼ s; and s ∼ s′ and s′ ∼ s″ imply s ∼ s″.
Proof. The above are straightforward to observe.
Second, in the state space quotiented by the bisimulation relation, the concurrent composition • is commutative.
Proof. The bisimulation relation ∼ is the largest bisimulation relation, and contains all other bisimulation relations. In order to show that the above properties hold it is sufficient, therefore, to define a relation R, for which the required properties hold, and show that the relation R is a bisimulation.
−→ r₂, and s = r₁ • r₂. Also by Definition 4, we have that r₂ • r₁ is defined and
The other case is similar. Hence R is closed and a bisimulation.
Third, the distinguished state of a concurrent transition system, e, is a unit with respect to bisimulation.
Lemma 9. For all states s ∈ S, s • e ∼ s.
By Definition 4, s • e is defined. Suppose that $s \bullet e \xrightarrow{c} r$ . By Definition 4, we have that there exist
Also by Definition 4, we have that a₂ = 1 and r₂ = e. By Definition 2, a₁1 ≡ a₁. We straightforwardly have that (r₁ • e, r₁) ∈ R.
The other case is similar. Hence R is closed and a bisimulation.
The transition systems can be non-deterministic. Consider the following example, which is non-deterministic in the sense that transitions with different actions are defined on individual states.
Example 10. Let Act be the free monoid generated from the atomic actions p, c, and 1, where 1 is the distinguished action. Suppose a concurrent transition system ({0, …, 10} × {0, …, 10}, Act, →, =, •, (0, 0)), or m₂ is 0, and n₁ or n₂ is 0. Then, for the resource (2, 0), actions p and c are both defined on the resource and, hence, in the transition system, there is non-determinism between the distinct actions, p and c.
When evolving non-deterministic transition systems, it is necessary to have a method to decide between possible options. A strategy can be used to determine, for a given state, which possible transition is preferred. If there are no possible transitions, then the strategy returns the non-state symbol •.

Definition 11 (Strategies). A strategy is a total function σ : S → ((Act × S) ∪ {•}) such that, for all states r ∼ s ∈ S, • If there exist a ∈ Act, r ∈ S such that σ(r) = (a, r ), then there exist
Example 12. We can define a strategy to resolve the non-determinism we see in Example 10. Let σ be a function such that otherwise.
This strategy chooses the c action whenever possible, then the p action whenever possible, and the 1 action otherwise.
One property that we immediately obtain is that all strategies map the distinguished state to the pair of the distinguished action and the distinguished state.
The transition system approach to distributed systems modelling abstracts away from the entities that make decisions, and their mechanisms for doing so. A mechanism for resolving choices can be re-introduced into the models through strategies: it does not, however, represent the goals and interests of the entities making the choices. We can model the decision-making-entities' preferences concerning the events (or outcomes) of the system through the use of a map from actions to the rationals. These numbers are interpreted as measures of an agent's level of happiness with a given action. Let Act be an action structure, with distinguished action 1.

Definition 14 (Action payoff function). An action payoff function is a partial function
Note that it is possible to have that v(ab) is defined, but that v(a) and v(b) are not defined (cf. Example 35).
We use different action payoff functions to represent the preferences of different decision-making entities (or, agents). In order to extend payoff functions to states, we must consider what value to give those states that can perform no actions. The structure in which we value states is the tropical semiring.
Definition 15 (Tropical semiring). The tropical semiring comprises the carrier set of the rationals together with negative infinity, supremum as the additive function, addition as the multiplicative function, and negative infinity and zero as the additive and multiplicative units, respectively. Let the elements of the tropical semiring be denoted q, q , etc. We sometimes refer to such elements as utility values or payoffs.
Fix an action payoff function v, a strategy σ, and let δ be some rational number in the open interval (0, 1). We can then extend the notion of preference over actions to preferences over states. These numbers are interpreted as measures of an agent's level of happiness in the given states [30].

Definition 16 (State payoff function). A state payoff function is a partial function $u_{v,\sigma,\delta}$ : S (Q ∪ −∞) such that:
The value that can be accumulated from actions performed at states reachable in the future is worth less than value that can be accumulated immediately. The discount factor δ is used to discount future accumulated values.
We can now determine payoffs for various resources in Example 12 (which relies on Example 10).

State payoff functions (Definition 16) specify the value of states in terms of a series of simultaneous equations. In order to solve these straightforwardly, we only consider strategies that generate a finite set of simultaneous equations. We make some auxiliary definitions that we use to reason about the actions and states chosen by repeatedly applying a strategy to a state (and its resulting chosen states).
We particularly make use of these definitions in the proof of various equational properties of payoffs of resource-process pairs (Section 5).
Definition 18. If σ(r) = (a, s), then $\sigma^{0}_{\mathrm{state}}(r) = s$ and $\sigma^{0}_{\mathrm{act}}(r) = a$, and, for all n ∈ ℕ, if σ(r) = (a, s), $\sigma^{n}_{\mathrm{state}}(s)\downarrow$, and $\sigma^{n}_{\mathrm{act}}(s)\downarrow$, then $\sigma^{n+1}_{\mathrm{state}}(r) = \sigma^{n}_{\mathrm{state}}(s)$ and $\sigma^{n+1}_{\mathrm{act}}(r) = \sigma^{n}_{\mathrm{act}}(s)$. Let $\sigma_{\mathrm{last}}(s, \sigma) = n$ if and only if $\sigma^{n}_{\mathrm{state}}(s)\downarrow$ and, for all n′ > n, $\sigma^{n'}_{\mathrm{state}}(s)\uparrow$.
Definition 19 (Strategy transition closure). Let $C_\sigma(r)$ be the set of states that can be reached from state r by following the transitions specified by a strategy σ, that is,
In the case that $C_\sigma(r)$ is finite, then $u_{v,\sigma,\delta}(r)$ is specified in terms of a finite set of simultaneous linear equations (by Definition 16), which can be solved using the methods described in [20]. Henceforth, we consider only strategies σ such that, for all states s ∈ S, $C_\sigma(s)$ is finite.
With these assumptions, we can show a key property: bisimilar states are mapped to the same payoffs. This is used to demonstrate the fulfilment of required properties concerning the interpretation of logical predicates (Definition 25).
Proof. By our assumptions, r and s both have a finite number of successor states. These states, and their relevant transition systems, can be uniquely mapped into the final coalgebra of finite and infinite sequences of actions. In particular, since r ∼ s we know that both are uniquely mapped to the same element of the final coalgebra (see Definition 11). By [23], as r and s both have a finite number of successor states, the sequence to which they are mapped is either finite or eventually periodic. Hence, the utility function can be defined over these elements of the final coalgebra in a similar fashion to how it is defined over states. To be precise, both utility functions are defined as a unique coalgebra-to-algebra homomorphism (for details see [20]) and they correspond to computing the solution of a linear system of equations. As there is a unique mapping from the states to the final coalgebra, and a unique mapping from the final coalgebra to the payoff, there is a unique mapping from each of the states to the payoff, which is identical for r and s.
We conclude this section with an additional property of our framework, namely, that the unit state always has a payoff of 0.
We assume a two-sorted first order language Σ, building standard terms t, u, etc., from standard variables x, y, z, etc., and action terms, denoted w, w , etc., built from action variables α, β, etc. The predicate symbols of the language, however, may be applied to standard terms only.
Definition 22. The action terms of MBIU, denoted d, d , etc., building on actions a, b, c, etc., are formed according to the following grammar:
Let q be a term constant denoting the rational number q, and v(d) be a constant denoting the rational-valued payoff of an action term d according to action payoff function v.
Definition 23 (Terms). Let the numerical terms, denoted t, t , etc., be formed according to the following grammar:
We assume a set Pred of predicate symbols, each with a given arity n, with elements denoted p, q, etc. Then, formulae can be defined as follows.
Definition 24 (Predicate formulae). The predicate formulae of MBIU, denoted p, p , etc., are given by the following grammar:
where t, s, x, and α range over terms, action terms, term variables, and action variables, respectively.
The (additive) modalities are the standard necessarily and possibly connectives familiar from modal logics, in particular Hennessy-Milner-style logics for process algebras [18,25]. As such, they implicitly use meta-theoretic quantification to make statements about reachable resources. Multiplicative modalities can also be defined [12,11]. The connectives ∗ and −∗ are the multiplicative conjunction (with unit I) and implication (right-adjoint to ∗), respectively, familiar from bunched logics [16] and in particular Boolean BI [22].
Now we give a Kripke-style frame semantics for MBIU. A valuation is a function mapping standard variables to rational numbers and action variables to actions. Valuations can be extended to arbitrary terms and action terms in the standard way: action constants are mapped to their obvious action, is mapped to action composition •, term constants are mapped to their obvious denotations, and arithmetical functions are mapped to their standard definitions. Let ρ( ) denote valuations of terms and action terms. Valuations extend to tuples of terms in the straightforward way. We relate the value of states to terms, for each payoff function v ∈ V, via a distinguished predicate $u_v(t)$. An interpretation then comprises a model and a valuation.

Definition 25 (MBIU-model). A model, M, of MBIU, together with a valuation ρ of variables, interprets standard terms in the carrier set of the tropical semiring, D, and action terms in a set Act of actions, denoted a, b, etc., in the manner familiar from first-order logic. We write t M for the interpretation of term t in model M (extended point-wise to tuples of terms). Models must also contain the following elements:
• a concurrent transition system (S, Act, →, ≡, •, e);
• a set of payoff functions V, a discount factor δ, and a strategy σ;
We can then define the semantics of formulas φ via the satisfaction relation s M,ρ φ, where M is a model, s is a state in the concurrent transition system of the model, and ρ is a valuation. Satisfaction in a given model is then denoted s M,ρ ϕ, read as 'for the given model M, with valuation ρ, the state s has property ϕ'. The definition of our satisfaction relation is given by Figure 1. In the sequel, we drop the model M or the valuation ρ, writing s ρ φ or s φ, when their definitions are obvious. An alternative formulation of MBIU with intuitionistic additives (cf. [26,12]) can be taken if desired. Its use in modelling applications remains to be explored in future work.
We can now formally describe payoff properties of states.
Example 26. Recall Examples 10, 12, and 17. The formula
denotes that it is possible to perform actions p and c, and that the payoff obtained by performing p (and the actions that follow from the resulting state) is less than that obtained by performing c (and the actions that follow from the resulting state).
To obtain some key theoretical results concerning our modelling framework, we require some additional properties.
When we perform a composition of states, it is necessary to take account of the partiality of the composition operator.As a result, we shall also require the following •-∼-closed property of concurrent transition systems.
Henceforth, all concurrent transition systems are assumed to be •-∼-closed. An immediate result is that concurrent compositions of bisimilar states are bisimilar. This is a key result, which is used in the proof of the soundness direction of the Hennessy-Milner correspondence (Theorem 31, Case ϕ = ϕ₁ −∗ ϕ₂).
The other case is similar. Hence R is closed and a bisimulation.
When we describe states logically, it is necessary to take account of the number of successor states that can be reached.As a result, we shall also require the following image-finiteness property of concurrent transition systems.

Definition 29 (Image-finite).
A state s is image-finite if it has finitely many derivatives.
From this point onwards, all states are assumed to be image-finite. With this set-up, we can prove the Hennessy-Milner soundness and completeness theorem. We define the notion of logical equivalence as follows.
Definition 30 (Logical equivalence). Fix some model M. Then, r ≡ MBIU s if and only if, for all valuations ρ and formulae φ, r M,ρ φ if and only if s M,ρ φ.
With this set-up, we can prove the soundness direction of the Hennessy-Milner completeness theorem: operational equivalence implies logical equivalence. This proof requires the congruence property (Lemma 28).
Proof. Fix some model M. We show that, for all states r and s, valuations ρ, and formulae φ, if r M,ρ φ and r ∼ s, then s M,ρ φ. This property is sufficient to prove logical equivalence. We proceed by induction over the structure of the satisfaction relation, r M,ρ ϕ.
Case ϕ = ⊥. As the premisses assume r M,ρ ⊥, we have a contradiction and can disregard this case.
Case ϕ = ϕ₁ → ϕ₂. By the induction hypothesis, we have that s M,ρ ϕ₁ whenever r M,ρ ϕ₁, and s M,ρ ϕ₂ whenever r M,ρ ϕ₂. Hence, we have that
Case ϕ = I. By Lemma 7, as r ∼ e and r ∼ s, we have that s ∼ e. Hence, we have that s M,ρ I.
Case ϕ = ϕ₁ ∗ ϕ₂. By the hypotheses, we have that r
Suppose some r such that r M,ρ ϕ₁ and s • r is defined. By Definition 27, we have that r • r is defined. By Lemma 28, we have that r • r ∼ s • r . By the hypotheses, we have that r • r M,ρ ϕ₂. By the induction hypothesis, we have that s • r M,ρ ϕ₂. Hence, we have that s M,ρ ϕ₁ −∗ ϕ₂.
Case ϕ = d ψ. By the hypothesis, there exist a, r such that r
Case ϕ = ∃α.ψ. By the hypotheses, there exists a ∈ Act such that r M,ρ[α:=a] ψ. By the induction hypothesis, we have that s M,ρ[α:=a] ψ. Hence, we have that s M,ρ ∃α.ψ.

The reverse direction of the Hennessy-Milner completeness theorem relies on image-finiteness (Definition 29).
Theorem 32. If r ≡ MBIU s, then r ∼ s.
Proof. Fix some model M. Supposing that r ≡ MBIU s, we require to show that r ∼ s. As ∼ is the largest relation closed under the conditions in Definition 6, it suffices to show that ≡ MBIU is a bisimulation.
Suppose some a ∈ Act and r ∈ State such that r for some finite n. By our supposition, for all 1 ≤ i ≤ n, (r , sᵢ) ∈ R, hence r ≡ MBIU sᵢ. Thus there exist formulae φ₁, …, φₙ such that r φᵢ but sᵢ φᵢ, for all i. Hence r a (φ₁ ∧ … ∧ φₙ) and s a (φ₁ ∧ … ∧ φₙ), again contradicting r ≡ MBIU s. Hence our supposition must be false, and there must exist b ∈ Act and
The other case is similar. Hence R is closed and a bisimulation.
The notion of attaching payoffs or weights to actions exists in the literature. Markov chains support reasoning about complex notions such as average utility with a given time discount, but do not provide compositionality results over model structures [19]. Process calculi for Markov decision processes, which include both stochastic and cost-based decision-making, provide such compositionality results for the class of systems that do not permit negative utility, and then only for a notion of simulation [15]. That calculus has an associated modal logic, where the action modalities are also modalities on the weights of the actions. The notion of payoff of a process state is not directly represented, and cannot be reasoned over in the logic.

Examples and optimality
To illustrate the logical set-up we have introduced, we begin with a classic example from distributed systems modelling: mutual producer-consumer. We then explain how our set-up can be used to express Pareto optimality. This example leads naturally into a discussion of game-theoretic examples and concepts. We consider here the prisoner's dilemma, the best-response property, and Nash equilibrium.
Example 33 (Mutual producer-consumer). A classic example of distributed systems modelling is distributed coordination without mutual exclusion, the most common form of which is that of the producer-consumer system [11, Section 2.3.5]. In such a scenario, one entity generates work that another entity can handle at a later point. We modify this slightly to the scenario with two entities, where each entity can generate work for, and consume work from, the other.
We extend Example 10. Suppose a concurrent transition system ({0, …, 10} × {0, …, 10}, Act, →, =, •, (0, 0)), and
The states of the concurrent transition system are pairs of natural numbers, where the first element of the pair denotes the number of work packages that the first entity can consume, and the second element of the pair denotes the number of work packages that the second entity can consume.
Suppose actions p₁, p₂, c₁, and c₂, where
The p₁ action denotes production of a work package by the first entity for the second entity, and the c₁ action denotes the consumption of a work package by the first entity. The p₂ and c₂ actions have the obvious converse denotations.
Consider the situation where the entities 'profit' from the consumption of work packages, and must 'pay' to create work packages. A pair of possible payoff functions v₁ and v₂, for the two entities, which represents this situation is
Note that each entity has no direct preferences over the actions of the other entity. Let the discount factor δ be 0.8, and the strategy σ be a function such that each entity consumes, if possible, does nothing if the other is consuming, and both produce together when there are no resources for either to consume.
Consider the unit resource, (10, 0). As there are only work packages available for the first entity, the actions defined on the resource are the consume action c₁, the produce action p₁, and the distinguished action 1. Each entity incurs a negative payoff when performing a produce action, which only benefits the other entity. The payoffs that can be obtained by performing the p₁ and c₁ actions, in the state (10, 0), are as follows.
In state (10, 0), the action c₁ gains the most for the first entity and p₁ gains the most for the second.
For either action, it is not possible to swap to an alternative action that makes one of the entities better off, without making the other entity worse off. This notion is called Pareto optimality.
Definition 34 (Pareto optimality). A state s is Pareto optimal if there exists an action a such that, for all other actions b, if some entity strongly prefers that action b be performed, then there is some other agent that strongly prefers that action a be performed. Formally, the state s is Pareto optimal if, for entities with payoff functions
We abbreviate the above formula as PO(v₁, …, vₙ). In Example 33, the resource (10, 0) is Pareto optimal, witnessed by both the actions p₁ and c₁, and (10, 0) PO(v₁, v₂) holds. Note that optimality is defined in terms of actions; this is because, here, we take seriously the representation of actions that perform allocations. A transition is then an (actively performed) state allocation.
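The following Python code is an added example, not code from the paper: it follows the strategy of Example 33 to its finite transition closure, solves the discounted state-payoff equations by fixed-point iteration (swapped in here for the linear-equation methods of [20]), and then tests the prose condition of Definition 34 at state (10, 0). Assumptions, because the page does not reproduce them: the recurrence u(r) = v(a) + δ·u(s) when σ(r) = (a, s), the transition rules, the payoff magnitudes (+3 for consuming, −1 for producing), and that the action 1 leaves the state unchanged.

```python
DELTA = 0.8                      # discount factor given in Example 33
CONSUME, PRODUCE = 3.0, -1.0     # constructed payoff magnitudes (assumption)
CAP = 10                         # states are pairs in {0..10} x {0..10}

def step(state, action):
    """Assumed transition rules; returns None where the action is undefined."""
    m, n = state
    for atom in action:
        if atom == "c1":
            m -= 1
        elif atom == "c2":
            n -= 1
        elif atom == "p1":       # entity 1 produces a package for entity 2
            n += 1
        elif atom == "p2":
            m += 1
        if not (0 <= m <= CAP and 0 <= n <= CAP):
            return None
    return (m, n)

def v(i, action):
    """Action payoff of entity i: gain on own consume, cost on own produce,
    and no direct preference over the other entity's atoms."""
    return sum(CONSUME if atom == f"c{i}" else PRODUCE if atom == f"p{i}" else 0.0
               for atom in action)

def strategy(state):
    """Consume if possible, idle while the other consumes, else produce together."""
    m, n = state
    if m > 0 and n > 0:
        action = ("c1", "c2")
    elif m > 0:
        action = ("c1",)
    elif n > 0:
        action = ("c2",)
    else:
        action = ("p1", "p2")
    return action, step(state, action)

def closure(start):
    """States visited by following the strategy from start (start included)."""
    seen, state = [], start
    while state not in seen:
        seen.append(state)
        state = strategy(state)[1]
    return seen

def state_payoffs(i, start, rounds=500):
    """Solve u(r) = v(a) + DELTA * u(s) on the closure by fixed-point iteration;
    the map is a contraction because DELTA < 1."""
    states = closure(start)
    u = dict.fromkeys(states, 0.0)
    for _ in range(rounds):
        u = {r: v(i, strategy(r)[0]) + DELTA * u[strategy(r)[1]] for r in states}
    return u

def action_value(i, state, action):
    """Payoff to entity i of doing `action` now and following the strategy after."""
    nxt = step(state, action)
    return v(i, action) + DELTA * state_payoffs(i, nxt)[nxt]

def pareto_witnesses(state, actions, entities=(1, 2)):
    """Actions a such that, whenever some entity strictly prefers another
    action b, a different entity strictly prefers a."""
    val = {a: {i: action_value(i, state, a) for i in entities}
           for a in actions if step(state, a) is not None}

    def answered(a, b):
        return all(val[b][i] <= val[a][i]
                   or any(val[a][j] > val[b][j] for j in entities if j != i)
                   for i in entities)

    return {a for a in val if all(answered(a, b) for b in val if b != a)}

ACTIONS = [("c1",), ("p1",), ("1",)]   # actions the page lists at state (10, 0)

if __name__ == "__main__":
    for a in ACTIONS:
        print(a, [round(action_value(i, (10, 0), a), 3) for i in (1, 2)])
    print(pareto_witnesses((10, 0), ACTIONS))
```

With these constructed numbers the witnesses at (10, 0) are c₁ and p₁, matching the statement above, while the idle action 1 is not a witness because both entities do better under c₁.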
One field in which notions of optimality have been studied significantly is that of games and decision theory. We can model games in our resource semantics. A classic decision-making example from game theory is the prisoner's dilemma.
Example 35 (Prisoner's dilemma). Two prisoners are kept separately, so that they cannot collude in their decision-making. Each is offered the choice of attempting to 'defect', and give evidence against their partner, or to 'collaborate', and say nothing. If one prisoner collaborates and the other defects, then the collaborating partner goes to jail for a long time, and the defecting partner goes free. If both prisoners defect, then they both go to jail for a moderate time. If both prisoners collaborate, then they both go to jail for a short time.
Let Act be the free monoid generated by the actions c 1 , d 1 , c 2 , d 2 , and 1, where 1 is the distinguished action. Let S = {r 1 , r 2 , r 1,2 , e} be the state space. The state r 1 denotes a resource where the first person can make a choice, the r 2 resource denotes a resource where the second person can make a choice, and the r 1,2 resource denotes a resource where both people can make a choice at the same time. Let r 1 • r 2 = r 1,2 be defined, and − → e.
The c 1 action denotes collaboration by the first person, and the d 1 action denotes defection by the first person. The c 2 and d 2 actions have the obvious denotations for the second person. Then, (S, Act, →, =, •, e) is a concurrent transition system. We make use of the trivial strategy, for all states s ∈ S, σ(s) = (1, s). The action payoff functions v 1 and v 2 for the two people are: Hence, if the first person collaborates and the second defects, then the first person receives six years in prison (cost v 1 (c 1 d 2 ) = −6), while the second receives no time in prison (cost
We can define notions of best response and Nash equilibrium.
Definition 36 (Best response). An action a is a best response for a given entity to a particular choice of action b by another entity, at a given resource, if the (former) entity has no other action c available to it such that the action cb is defined on the resource and the entity (strongly) prefers cb to ab. Formally, a is the best response to action b at resource s if We abbreviate the above formula, denoting that a is the best response to action b for the agent whose payoff function is v, as BR(a, b, v). In the prisoner's dilemma example, the best response for the first agent to the action c 2 is d 1 , and We generalize this notation slightly, so that we write BR(a, b 1 , . . ., b n , v) to denote that a is the best response to the composite action b 1 . . .b n , for the payoff function v. Formally,

Now we can express Nash equilibrium.
Definition 37 (Nash equilibrium). A state s is a Nash equilibrium for a set of entities I = {1, . . ., n} if there is a collection of actions a 1 , . . ., a n such that, for each entity i ∈ I with payoff function v i , the action a i is the best response to the composition of actions a j , where j ∈ I \ {i}. Formally, the state s is a Nash equilibrium if We abbreviate the above formula as NE(v 1 , . . ., v n ). In the prisoner's dilemma example, the Nash equilibrium is the state r 1,2 , witnessed by the actions d 1 and d 2 , for payoff functions v 1 and v 2 , and r 1,2 NE(v 1 , v 2 ) holds.
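Definitions 36 and 37 applied to the prisoner's dilemma at r 1,2 , as an added Python example that is not part of the paper. Only v 1 (c 1 d 2 ) = −6 and the defector's zero sentence come from the text; the other payoff entries are constructed to match 'short' and 'moderate' sentences, and the sketch assumes that preferences compare action payoffs directly, as under the trivial strategy of the example.

```python
from itertools import product

# Years in prison as negative payoffs (v1, v2). The -6 / 0 split for one
# collaborator and one defector is from the text; -1 (short) and -3
# (moderate) are constructed values.
PAYOFF = {
    ("c1", "c2"): (-1, -1),
    ("c1", "d2"): (-6, 0),
    ("d1", "c2"): (0, -6),
    ("d1", "d2"): (-3, -3),
}
# Atomic actions available to each entity at the resource r_{1,2}.
CHOICES = [("c1", "d1"), ("c2", "d2")]


def defined(profile):
    """A composite action is defined on r_{1,2} iff it has a payoff entry."""
    return tuple(profile) in PAYOFF


def v(i, profile):
    """Action payoff of entity i (0 or 1) for a composite action."""
    return PAYOFF[tuple(profile)][i]


def profitable_deviations(profile):
    """All (entity, alternative action, gain) triples where swapping only
    that entity's action gives a defined composite it strictly prefers."""
    found = []
    for i, options in enumerate(CHOICES):
        for c in options:
            alt = list(profile)
            alt[i] = c
            if c != profile[i] and defined(alt) and v(i, alt) > v(i, profile):
                found.append((i, c, v(i, alt) - v(i, profile)))
    return found


def best_response(i, profile):
    """BR (Definition 36): entity i has no other action whose composite with
    the others' actions is defined and strictly preferred."""
    return not any(entity == i for entity, _, _ in profitable_deviations(profile))


def nash_equilibria():
    """NE (Definition 37): composite actions in which every entity's action
    is a best response to the composition of the other entities' actions."""
    return [p for p in product(*CHOICES)
            if defined(p) and all(best_response(i, p) for i in range(len(CHOICES)))]


if __name__ == "__main__":
    for p in product(*CHOICES):
        print(p, "deviations:", profitable_deviations(p))
    print("Nash equilibria:", nash_equilibria())
```

Mutual collaboration has a profitable deviation for each prisoner, which is why it is not an equilibrium even though both prefer it to mutual defection.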

Resource semantics and modelling
In this section, we take the first step towards using MBIU as a logic of state for a fully featured process algebra. To this end, we recall our theory of distributed systems modelling, as presented in, for example [12,11,2]. Building on the classical distributed systems theory [13], the structural components of this modelling framework are location, resource, and process, together with a stochastically modelled environment. In this paper, we make no further use of stochastically modelled environments.
Mathematically, we capture the structural components as follows:
• Location. In general, locations can be conveniently modelled using a range of graph-theoretic and topological structures [9,11], with directed graphs being the key example for most practical modelling work. For simplicity, we make no further use of locations in this paper. The reader might think of them either as implicitly present, or consider them to be rolled up into the definition of resources (see [11] for relevant technical support);
• Resource. In general, resources are assumed to form a preordered partial commutative resource monoid, in which resource elements can be combined, using the monoid operation, and compared, using the preorder. The partiality ensures that not all combinations need be considered (for example, such as those beyond a certain size in a resource monoid based on the natural numbers). The structure of the monoid is subject to some coherence conditions [26,16,11]. A key example of a monoid of resources is given by the natural numbers (with 0), with addition as the monoid operation and less-than-or-equals as the order: (N, ≤, +, 0). For this paper, we work in the simpler setting in which we omit the preorder (see Definition 38, below);
• Process. In general, our treatment of process is based on Milner's synchronous calculus of communicating systems (SCCS) [24], as developed as a basis for systems modelling in [12,11]. Note that asynchronous calculi can be encoded within such synchronous calculi [24]. The key idea is that resources and processes co-evolve, according to a judgement of the following form: R, E a → R′, E′, which is read as 'the process E, using resources R, performs action a and so becomes the process E′ that is able to evolve using resources R′'. The operational semantics that defines such a transition system relies on a (partial) modification function (see Definition 39, below) that specifies how a given action modifies a given resource. This approach is known as resource semantics.
A simple way to describe distributed systems -neglecting for now the process-theoretic structure -is using resource semantics for the state space and concurrent composition, and using a modification function as the dynamics of the transition system. This family of systems are concurrent transition systems, and have all the properties that we described in Section 2. Later, in Section 5, we develop the theory in the process of a fully featured process algebra.
For now, we begin with the notion of resource from Boolean BI [17].
Definition 38 (Resource monoid). A resource monoid is a structure R = (R, •, e) with carrier set R, commutative partial binary operation • : R × R R, and unit e ∈ R.
Let Act be a commutative monoid of actions, freely generated from a set of atomic actions, with operation • and unit 1. The actions correspond to the events of the system. Let ab denote a • b. The dynamics of the system is then given by the modification function, which describes how actions transform resources. If µ(R, a) is defined, then we say that action a is defined on resource R. We refer to a structure (R, Act, µ, =, •, e) as a resource monoid model.
A key systems modelling example, seen previously in Example 5, is that of semaphores. Note that Example 40 is essentially the same as Example 5, excepting that here we use the modification function as the transition relation.
Example 40 (Semaphores). Let Act be the free monoid generated by the atomic actions a and 1, where 1 is the distinguished action. Let R be the resource monoid (R, •, e) such that s a − → s, s • e = s, and s • s is undefined. We use a modification function such that µ(a, s) = s. We then have that no resource can perform the action aa, that is, µ(aa, e) ↑ and µ(aa, s) ↑. The resource monoid model acts like a semaphore, in that only one access action a can be performed at any given time.
The mutual-producer-consumer model (Example 33) and the prisoner's dilemma model (Example 35) are also resource semantics models. In fact, all resource models (as specified in this section) are concurrent transition systems (as specified in Definition 4). If the modification function is defined for an action a on a resource R, and µ(a, R) = S, then we say that there exists a transition R a − → S, and that S is a successor of R. The notion of bisimulation in Definition 6 is immediately applicable to resource models.
In order to use resource models as a semantics for MBIU, we restrict ourselves to those resource models that conform to Definitions 27 and 29. With those restrictions in place, we can then use resource monoid models as a semantics for MBIU. Hence, we can make use of logical characterisations of notions of optimality, such as were described in Section 3, over distributed systems modelled using resource monoid models.
We conclude this section with a property of payoff functions for resource monoid models which is not true of payoff functions for generic concurrent transition systems, namely, that if a strategy chooses the unit action in some state, then the payoff of that state is always 0.
Proof. By Definition 14, we have that v(1) = 0. By Definitions 11 and 39, we have that s 1 − → s and s = s. By Definition 16, we have that u v,σ,δ (s) = 0 + δ × u v,σ,δ (s). As (1 − δ) ≠ 0, we have that u v,σ,δ (s) = 0.

Resource-process systems modelling
One modelling approach, which might be expected to form the basis of an example of our methodology in Section 2, is that based on the resource-process calculi, as given in [12,11] and introduced in Section 4. These calculi consist of two components: resources, which describe objects that can be created, moved, and consumed; and processes, which describe the dynamics of systems, and have a more complex, algebraic structure, including sequencing, non-deterministic choice, and fixed points. Each component has a notion of composition, and so resource-process pairs have the obvious composition pairwise on the components. An action-indexed transition system can be defined in terms of a structural operational semantics over the structure of processes, so that resources and processes (i.e., the state) co-evolve: R, E a − → R′, E′. Unfortunately, in such calculi (for example, in [12,11]), bisimulation fails to be a congruence for concurrent composition. As a result, the soundness direction of the Hennessy-Milner property holds only for fragments of the logic that exclude multiplicative implication (−∗). Bisimulation fails to be a congruence for concurrent composition because of the way in which the resource semantics interacts with the resource-process operational semantics. Resources can be viewed as being 'capabilities', which enable behaviour in the process components of the pairs. When performing concurrent composition, these 'capabilities' can be exchanged between the process components of the pairs, enabling different behaviour in different compositions. This clearly violates the required congruence property.
This problem has been solved, in [2], by changing the resource semantics to ensure that 'capabilities' cannot be exchanged between process components in the operational semantics. Additional structure is added to the resource model, beyond that in [12,11] and Section 4. The key structural modification is the introduction of additional combinatorial structure to the resource semantics -resources are bunched, being combined using either ⊗, corresponding to the monoidal composition •, or ⊕, which builds in choice -with the key property being injectivity of concurrent composition.
In this section, we review the resource-process calculi as set up in [2] and show that they are indeed examples of our methodology. In particular, we show that our analysis of utility extends to these resource-process calculi, and provide an extended example (Example 63, below) based on the 'mutual producer-consumer' introduced in Example 33, comprising distributed coordination without mutual exclusion: a mutual producer-consumer system, where each 'agent' can generate work for, and consume work from, the other. In Example 33, the 'agents' performing the production and consumption are represented indirectly. For example, it is not possible to consider one agent's behaviour on its own; as the dynamics are directly encoded via the resource semantics, both agents are always 'present' in any given resource. Using the richer resource-process framework that we introduce in this section, we can represent the dynamics of the different agents more directly. Specifically, we represent these agents as processes. We can then demonstrate how, for example, the first entity cannot make progress when it only possesses resources that the second process can consume available to it.
The set-up of the required process calculi -henceforth known as Calculi of Bunched Resources and Processes, or CBRP -assumes the provision of certain additional data pertaining to some semantic structure (Act, R, µ, Γ, H) -of actions, resources, modification function, a set of redistribution functions, and a set of hiding functions, respectively -over which we work and which we define in the development below. The actions, resources (excepting the injective bunching structure), and modification function are defined as they are in Section 4, the redistribution functions are used to specify how combinations of resources defined using ⊗ and ⊕ can be rearranged, and the hiding functions are used to bind resources to processes locally (see Definition 49, below). The modification function, the redistribution functions, and the hiding functions are all essential parts of the operational semantics (see Figure 2). Thus we should properly refer to the calculus as (Act, R, µ, Γ, H)-CBRP. In this section, however, we suppress the prefix as, at every stage, we work with a fixed such structure.
We begin with a notion of resource which can be seen as restricting the combinatorial structure taken in Section 4 in that it considers choices between resources, and it requires the notions of composition to be injective. Let R be a set of resources, equipped with an 'empty' element e ∈ R. We write R, S, etc. to denote resources. We consider unique (partial) concurrent composition of, and nondeterministic choice between, resources. In [28,26,12,11], and other works in the relevant logic tradition, bunches are trees with leaves labelled by atomic resources, and internal nodes labelled by either ⊕ or ⊗. We implement bunching through the use of two injective functions; a resource is a node of a particular type if there exists some (unique) pair of resources that are mapped to the initial resource by the relevant function.
Definition 43 (Resource models). A resource model (R, e, ⊗, ⊕) is a structure consisting of a set of resources R with a distinguished 'empty' resource e ∈ R, and two injective, partial functions ⊗, ⊕ : R × R R, such that, for all R, S, T ∈ R and ∈ {⊕, ⊗} (1) R S is defined if and only if S R is defined; (2) R (S T ) is defined if and only if (R S) T is defined; Note that properties 1−4 are only required to obtain the algebraic results (Proposition 55), and are not necessary to obtain the Hennessy-Milner correspondence.
In the sequel, when we write an expression of the form R ⊗ S or R ⊕ S, we assume that the result of the application of the partial function to its arguments is defined. Actions correspond to the events of a system. In resource-process algebra as set up in [12,11], actions are used to determine how resources evolve. This necessitates a relationship between the concurrent structure of actions and the concurrent structure of resources. To obtain an analogous relationship in our setting (formally stated in Definition 46), we also require action composition to be injective.
Definition 44 (Actions). An action model (Act, •, 1) is a structure consisting of a set of actions with a distinguished 'unit' action 1 ∈ Act, and an injective, total function •.
Let ab denote a • b. In many process algebras, such as SCCS and SCRP, the commutative monoid structure of actions is used to prove various algebraic properties of states. In this section, unlike resource monoid models (Section 4), as we do not require that 1 be a unit for •, the actions do not form a (commutative) monoid. We establish that the CBRP notion of actions (Definition 44) is an action structure (as in Definition 1), a property that we will use when we demonstrate that CBRP are instances of concurrent transition systems (Proposition 53).
Proof. As Act is closed under pairing, the total function • is a total magma.
The semantics of resources is then given by a functional relationship from action-resource pairs to resources. Note that the action 1 is a unit for µ's action on resources. Note also that a modification function is one of the parameters to the calculus.
Modification functions are homomorphisms with respect to the concurrent product structure of resource bunches. As a result, we cannot use the modification function to 'move' resources from one side of a concurrent product to another (such a move corresponds to changing the process to which the resources are allocated, for example, passing an object from producer to consumer). Using a modification function, we can only add or remove resources to each side of a product independently of what is on the other side of the concurrent product.
As we cannot use a modification function for redistribution of resources, instead, we make use of redistribution functions. In Figure 2, the rules for the operational semantics of sequential composition are The resource-process pair R, E : γ F consists of a resource bunch and a sequential composition. The sequential composition consists of two processes, E and F , and a redistribution function γ. If the prefix E can evolve with the resources R to a nonblocked state, then the sequential composition evolves similarly (the PrefixOne rule). If the prefix E can evolve with the resources R to a blocked state, then the redistribution function is applied to the resulting resources R′, and the pair that consists of the redistributed resources and the suffix, γ(R′), F , is the result of the transition (the PrefixTwo rule). The redistribution function is applied to the resources so that the structure of the resulting resources will match the structure of the suffix process. Redistribution functions are total so that the evolution of a sequential composition can only be blocked by the behaviour of the prefixing process, not the redistribution of resources.
Definition 47 (Redistribution functions). A redistribution function is a total function γ : R → R. Let there be a set of redistribution functions Γ whose elements are written γ, γ′, etc. Let Γ, which is one of the parameters to the calculus, include the identity function. From a modelling perspective, we argue that the use of redistribution functions encourages good discipline with respect to making decisions about how resources are allocated to processes within a system. In [12,9,11], following a transition, all possible allocations are possible, and a system can non-deterministically choose between them. In the resource-process modelling methodology used in this section, whenever resources are to be re-allocated (i.e., following each reduction step, within a sequential composition), a conscious modelling decision is required as to where the resources should be allocated.
In classical process calculi, restriction is used to ensure that certain behaviour is only visible, or accessible, in certain parts of a system. A similar feature can be incorporated into resource-process modelling [12]. The hiding operator on processes associates additional resources with the process to which it is applied. If a resource-process pair is allocated additional resources, it may be able to perform additional actions. This behaviour must then be restricted, however; only actions that could be performed without the additional resources must be visible beyond the process where the hidden resources are available. First, we define a notion of action containment, so that we can formalize the notion of 'additional behaviour'.
Definition 48 (Action-containment order). We define ≤ to be the least reflexive-transitive relation on actions such that 1 ≤ α, for any atomic action α, and if a ≤ a′ and b ≤ b′ then a • b ≤ a′ • b′.
Then, we define hiding functions on actions and resources. In Figure 2, the rule for the operational semantics of hiding functions is A resource-process pair R, ν h.E evolves by stripping the hiding operator ν h. from the process component and applying the hiding function h to the resource component, resulting in the resource-process pair h(R), E. Following the evolution of the transformed state, the resulting pair h(R′), E′ is modified by applying the inverse of the hiding function to the resource component and adding the hiding operator to the process component, resulting in the resource-process pair R′, ν h.E′. To ensure that a hiding function and its inverse can be uniquely applied, hiding functions on resources are bijections.
Definition 49 (Hiding functions). Let (R, e, ⊗, ⊕) be a resource model and µ be a modification function. A function h : R → R on a resource model is a hiding function if it is a bijection. Let there be a set of hiding functions H whose elements are written h, h′, etc. Define A : (R → R) → Act → P(Act)
Next, we define processes formally.
Definition 50 (Processes). Processes are formed according to the following grammar: Here, 0 is the zero process, X is a process variable, a is an action, γ ∈ Γ is a redistribution function, and h ∈ H is a hiding function. Let Proc be the set of all processes, and E, F etc. denote processes. The process 1, which performs the action 1 infinitely, is denoted as µX.1 : id X.
Closed processes are those processes that contain no free variables. A state is a pair consisting of a resource and a closed process. Let State be the set of all states, and CState be the set of all closed states.
The operational behaviour of a closed state is defined by a labelled family of transition relations The family is defined recursively using the derivation rules in Figure 2.
An action process reduces according to the modification function µ. Nondeterminism is introduced solely through the presence of sums. There, a choice must be made both in the process component and the resource component. Product processes distribute the resources according to the multiplicative structure in the resources.
Sequential composition behaves slightly counter-intuitively. If the prefix is reduced to a non-blocking state, then the sequential composition follows similarly. If the prefix process is reduced to a blocking state, then the sequential composition reduces to the resource that results from applying the redistribution function to the residual resources from evolving the prefix, and the suffix. The redistribution function is used to redistribute the resources between the process components, following a reduction that moves to the second part of a sequential composition. It should be noted that the use of process prefixing, rather than action prefixing, is a deliberate design decision, made so that models can more intuitively reflect the structure of the system they abstract.
We can then show that all CBRP, equipped with a suitable notion of equivalence of actions and composition of states, are concurrent transition systems (as specified in Definition 4).
Definition 51 (Resource-process action equivalence). The ≡ is the action equivalence relation such that, for all actions a, b, c, a
Definition 52 (Concurrent composition of resource-process states). The concurrent composition of resource-process states Act, →, ≡, •, (e, 1)) is a concurrent transition system.
Proof. By Lemma 45, Act is an action structure. Then, we straightforwardly have that (CState, Act, →) is a transition system, and ≡ is an action-composition equivalence relation.
Suppose some states (R, E), (S, F ), (R , E ), (S , F ), (T, G) ∈ CState and actions a, b ∈ Act. By Definition 43, we have that, if R ⊗ S is defined, then S ⊗ R is defined, and hence if (R, E)
In order to use CBRP transition systems as a semantics for MBIU, we must restrict ourselves to those calculi that conform to Definitions 27 and 29. In order to obtain the property specified in Definition 27, it is sufficient to restrict ourselves to those calculi that have the following property.
Henceforth, we consider only CBRP that are ∼-resource-closed.An immediate result is that concurrent compositions of bisimilar resource-process pairs are bisimilar (Lemma 28).
In order to reason equationally about resource-process states, it is also useful to establish various algebraic properties concerning concurrent composition and choice. Notable standard algebraic properties of process calculi are commutativity and associativity of concurrent composition. We obtain such properties for CBRP.
Proposition 55 (Algebraic properties). For all bunched resources R, S, T ∈ R and closed processes E, F, G, Proof. Commutativity of choice. Let The other case is similar. Hence R is closed and a bisimulation.
The other case is similar. Hence R is closed and a bisimulation.
By the Prod rule, there exist a, b, R , S , E , and The other case is similar. Hence R is closed and a bisimulation.
Hence R is closed and a bisimulation. Zero property of product. Let Suppose that R ⊗ e, E × 0 →. By the Prod rule, R, E → and e, 0 →. This is a contradiction as, by Figure 2, e, 0 →.
The other case is similar. Hence R is closed and a bisimulation.
The other case is similar. Hence R is closed and a bisimulation.
The other case is similar. Hence R is closed and a bisimulation.
Corollary 56. For all bunched resources R, S, T ∈ R and closed processes E, F, G,
Furthermore, it is possible to reason equationally about the payoffs of resource-process pairs. We define a class of strategies that generate payoff functions whose output will follow the structure of the resource-process pairs (Proposition 61). These strategies are known as elementary strategies.
Definition 57. An elementary CBRP strategy is a strategy σ such that, for all actions a, b, c, resources R, S, R , S , T and closed processes E, F , E , F , G, and σ(S, F ) = (b, (S , F )) if and only if
In order to obtain the equational result for concurrent composition (Proposition 61 [8]), we establish two auxiliary lemmas. First, we show that if a strategy can be applied to a state at least n times, then we can unroll the definition of state payoff functions (Definition 16) n times, and the payoff of the state is the sum of the discounted payoffs of the action chosen at each step and the discounted payoff of the state reached after n steps.
Lemma 58. For all states (R, E) and natural numbers n ∈ N, if u v,σ,δ (R, E) and
Proof. By induction over n.
Suppose n = 0. We immediately have that Suppose 0 < n. Let σ(R, E) = (a, (R , E )). By Definition 18, σ n−1 state (R , E ) = S, F . By Definition 16, v(a) and u v,σ,δ (R , E ) are defined. By the induction hypothesis, By Definition 16,
Second, we show that if a strategy can be applied to a concurrent composition of states at least n times, for all number of applications of the strategy up to n, the action and state chosen by the strategy is the concurrent composition of the actions and states chosen by the strategy on the states of the concurrent composition. This provides a way to compositionally reason about actions and states that are chosen by a strategy for a sequence of transitions of a concurrent composition of states.
Lemma 59.For all elementary strategies σ, natural numbers n, resources R, S, T , and closed processes E, F, G, if σ n state (R ⊗ S, E × F ) = T, G, then, there exist resources R , S and closed processes E , F such that T = R ⊗ S and G = E × F , and for all 0 ≤ i ≤ n,

Proof. By induction over n.
Suppose n = 0. By Definition 18, there exists an action c such that As the Prod rule is the only operational semantics rule to evolve concurrent compositions, we have that there exist resources R , S and closed processes E , F such that T = R ⊗ S and G = E × F . By Definition 57 [4], there exist a, b, a, (R , E )), and σ(S, F ) = (b, (S , F )). As 0 ≤ i ≤ n, the only possible value of i is 0. By Definitions 18 and 52, As the Prod rule is the only operational semantics rule to evolve concurrent compositions, we have that there exist resources R , S and closed processes E , F such that U = R ⊗S and H = E × F . By the induction hypothesis, there exist resources R , S and closed processes E , F such that T = R ⊗ S and G = E × F , and, for all 0 ≤ i ≤ (n − 1), ). By Definition 57 [4], there exist a, b, such that c = ab, σ(R, E) = (a, (R , E )), and σ(S, F ) = (b, (S , F )), and hence
We define the payoff of an n-length prefix of a trace, for use when considering sequencing.
Then we can show that payoffs of states, determined using elementary strategies, have intuitive equational properties over the structure of states, notably, that the payoff of a nondeterministic choice is the payoff of one of the possible choices and that the payoff of a concurrent composition is the sum of the payoffs of the concurrent components.
We can also show similar results for bounded utility calculations.
Example 63 (Mutual producer-consumer). In Example 33, we introduce an example of distributed coordination without mutual exclusion: a mutual producer-consumer system, where each 'agent' can generate work for, and consume work from, the other. There, the agents performing the production and consumption are represented indirectly. Using a resource-process framework, we can represent the dynamics of the different agents more directly. Specifically, we represent these agents as processes. We can then demonstrate how, for example, the first entity cannot make progress when it only possesses resources that the second process can consume available to it.
Suppose a resource model (R, e, ⊗, ⊕) such that, for all resources r, s, t ∈ R and for all natural numbers n 1 , n 2 ∈ N, and only if r = s = t, and • e = (0, 0).
Intuitively, a pair of natural numbers denotes the resources, or work packages, that could be consumed by the two agents in the system (should they have access to them): the first number denotes the resources that could be consumed by the first entity, and the second number denotes the resources that could be consumed by the second entity.The p 1 action denotes production of a work package by the first entity for the second entity, and the c 1 action denotes the consumption of a work package by the first entity.Note that a process cannot perform a consume action if there are zero resources that it can consume available to it.The p 2 and c 2 actions have the obvious converse denotations.This is represented formally in the modification function.Let µ be a modification function such that, for all natural numbers 0 ≤ m, n ≤ 10, We represent the first agent with a process, E 1 : The process is a fixed point which consists of three possibilities.The process may either: produce a resource (for the second process), using p 1 , and recurse; consume a resource from the other process (if available), using c 1 , and recurse; or, perform the tick action and terminate.When combined with the resource (1, 0), it can perform any of its three possible actions, as demonstrated by the following derivations: When combined with the resource (0, 0), it can only produce (and recurse) or terminate; it cannot perform the c 1 action.When combined with the resource (0, 10), it can only perform the tick action and terminate: it cannot perform either the c 1 or the p 1 action.The process E 2 = fix Y 2 .((p 2 : Y 2 )+(c 2 : Y 2 )+1), which represents the second agent, behaves similarly.
In order to transfer the produced resources from one process to another, we make use of a redistribution function γ such that: This redistribution function takes all of the work packages for the first process, including those that were previously allocated to the second process, and gives them all to the first process, and takes all of the work packages for the second process, including those that were previously allocated to the first process, and gives them all to the second process.The dynamics of the full system can then be defined by the process E: Suppose that the agents 'profit' from the consumption of work packages, and must 'pay' to create work packages.We can represent this situation via a pair of total payoff functions v 1 and v 2 for the two entities such that We make use of a strategy where each entity consumes, if able; if not, and there are no resources for the other entity, it produces; otherwise, it terminates.This is represented via an elementary strategy σ such that As σ is an elementary strategy, we can the derive the payoff of the resourceprocess pairs over their structure, via Propositions 61 and 62, rather than via Definition 16.Suppose that u v1,δ,σ ((e, e), E) is defined.Let us consider the payoff of the state (0, 0), E, from the perspective of the first agent.
The payoff of the whole system is then the payoff of the original prefix and the discounted payoff of the original suffix:
Recall the notion of Pareto optimality from Definition 34, that is, that a state $s$ is Pareto optimal if there exists an action $a$ such that, for all other actions $b$, if some entity (weakly) prefers that action $b$ be performed, then there is some other agent that strongly prefers that action $a$ be performed. Here we have that the state $(e, e), E$ is Pareto optimal, witnessed by the action $p_1 \bullet p_2$. The only other action that can be performed by $(e, e), E$ is $1 \bullet 1$. Note that $(e, e), E$
Hence, for the first agent, switching from the action $p_1 \bullet p_2$ to $1 \bullet 1$ results in a loss of payoff, so the state is Pareto optimal.

Discussion
In this paper, we motivate our development from a richly expressive modal logic for resource semantics and distributed systems modelling, MBIU. This logic includes both additive and multiplicative propositional connectives and also additive action modalities, as well as certain first-order quantifiers. We employ an abstract formulation of MBIU that is based on a semantics that employs a labelled transition system, a notion of concurrent composition of states, and an equivalence relation on actions. Following the approach in [2], we establish Hennessy-Milner soundness and completeness for our abstract formulation. This framework and logic is sufficient to model classic examples from distributed systems modelling and game theory, and to express game-theoretic concepts, including Pareto optimality, the best-response property, and Nash equilibrium. The key role of the multiplicative conjunction, $*$, in the formulae representing best response should be noted. Used with the additives, it allows the separation of the states performing different actions (the $a$s and $b$s) to be enforced when required, whilst allowing payoff properties of the overall system to be expressed relative to the overall resources, as required. We then describe two instantiations of our abstract formulation. First, monoidal resource semantics: this can be utilised to provide a simple way to model distributed systems. Many of our early examples in the abstract formulation turned out to be of this class. Second, resource-process modelling: this can be utilised to model scenarios in more structural detail. Using this approach, we should be able to incorporate the analysis of utility and optimality presented here into the widely deployed systems and security modelling tools established in, for example, [12,10,11], with deployments described in, for example, [21,3,7,5,6]. Some conceptual and technical issues, beyond our present scope, remain to be addressed.
Multiplicative modalities, logical formulae that are often included in multiplicative logics such as MBI, can be used to reason about transitions in the situations where additional components are concurrently composed with the state at which a formula is evaluated for satisfiability. With these modalities, it is possible to provide a natural description of various agent-based scenarios, including the notion that achieving some goal is within an agent's capabilities, were it to be given additional resources, and the notion that achieving some goal is never within an agent's capabilities, no matter how much additional resource it is given [14]. This can be further extended to represent security examples where attacks can occur through introduction of racy concurrent behaviour.
There are various possible choices of how to interpret the multiplicative components of a logic in the case where the states have a multi-dimensional structure [12,11,14]. We present and contrast different possible interpretations (defined informally) of multiplicative implication and multiplicative modalities.
We can add multiplicative modalities into our system straightforwardly. For example, the multiplicative modality $\langle d \rangle_\nu$ can be specified as: $R, E \vDash_\rho \langle d \rangle_\nu \phi$ iff there exist $a, S, F, R', E'$ such that $R \otimes S, E \times F \xrightarrow{a} R', E'$, $|d| \equiv a$, and $R', E' \vDash_\rho \phi$.
Note that this formulation adds both a process and a resource component, following the interpretation of multiplicative implication: $R, E \vDash_\rho \phi_1 \mathrel{-\!\!*} \phi_2$ iff for all $S, F$, $S, F \vDash_\rho \phi_1$ implies $R \otimes S, E \times F \vDash_\rho \phi_2$.
As a result, this multiplicative modality can be defined in terms of the multiplicative implication and the additive fragment of the logic [2].
By contrast, in [12,11], multiplicative implication composes both a resource and a process component, while multiplicative modalities compose solely a resource component. An interpretation of multiplicative implication, following [12,11], in our resource-process calculus, would be as above, but an interpretation of the multiplicative modality $\langle a \rangle_\nu \phi$, following [12,11], in our resource-process calculus, would be: $R, E \vDash_\rho \langle d \rangle_\nu \phi$ iff there exist $a, S, R', E'$ such that $R \otimes S, E \xrightarrow{a} R', E'$, $|d| \equiv a$, and $R', E' \vDash_\rho \phi$.
By further contrast, in [14], one of us has considered a generalization of resource semantics to admit multi-dimensional satisfaction relations of the form, for example, $w, r \vDash \phi$, in which $w \in W$ are taken to be Kripke worlds (ordered by , say) in the sense of classical modal logic and $r \in R$ are interpreted as resources, where $R$ carries monoidal structure (with composition $\bullet$, say). In this set-up, we can define a multiplicative modality $\Diamond_s$ as $w, r \vDash \Diamond_s \phi$ iff there is a world w v such that $v, r \bullet s \vDash \phi$. Such a modality is highly expressive and, among other things, generalizes the usual S4 modality [8,14]. This multiplicative modality can be defined in terms of the multiplicative implication and the additive fragment of the logic.
Thus, there are various approaches taken in terms of which components are augmented by multiplicative implication and multiplicative modalities. We believe that an investigation into the comparative properties of these approaches would be valuable. Furthermore, we conjecture that all of the above are examples of a more general treatment of multiplicative connectives within a generalised multidimensional handling of concurrent transition systems, and that such a handling would have natural resource interpretations.
Another possible multiplicative extension to the logic is multiplicative quantifiers [12,11]. Multiplicative quantifiers reason about actions in the presence of hiding; their inclusion in our system is a complex prospect. A rendering of multiplicative existential quantification, $\exists_\nu \alpha.\phi$, for our resource-process calculus, following [12,11], would be $R, E \vDash_\rho \exists_\nu \alpha.\phi$ iff there exist $S, F$, $a \in \mathrm{Act}$, $h \in H$ such that $R, E \sim S, \nu h.F$ and $h(S), F \vDash_{\rho[\alpha := a]} \phi$.
Thus, multiplicative quantification is closely related to the notion of hiding and to the multi-dimensional world structure in resource-process calculi.There is no immediately apparent generalisation of such an approach to arbitrary concurrent transition systems that do not have a multi-dimensional world structure.
It does not appear possible, within the current framework, to handle the payoff of the hiding operator equationally. It is relatively straightforward to determine the payoff of a resource-process pair with hiding in terms of the derivation of the payoff of the relevant resource-process pair without hiding. This can be done as follows. Extend the notion of elementary strategy (Definition 57), for all hiding functions $h$, with: if $\sigma(h(R), E) = (a, (h(R'), E'))$, then $\sigma(R, \nu h.E) = (\nu h.a, (R', \nu h.E'))$. The payoff of the state $h(R), E$ is specified by a finite set of linear simultaneous equations,
$$\begin{aligned}
u_{v,\sigma,\delta}(h(R), E) &= v(\sigma^0_{act}(h(R), E)) + \delta \times u_{v,\sigma,\delta}(\sigma^0_{state}(h(R), E)) \\
&\;\;\vdots \\
u_{v,\sigma,\delta}(\sigma^{n-1}_{state}(h(R), E)) &= v(\sigma^n_{act}(h(R), E)) + \delta \times u_{v,\sigma,\delta}(\sigma^n_{state}(h(R), E)).
\end{aligned}$$
The payoff of the state $R, \nu h.E$, with respect to an elementary strategy $\sigma$, can then be specified by the modified finite set of linear simultaneous equations,
$$\begin{aligned}
u_{v,\sigma,\delta}(R, \nu h.E) &= v(\nu h.(\sigma^0_{act}(h(R), E))) + \delta \times u_{v,\sigma,\delta}(\sigma^0_{state}(R, \nu h.E)) \\
&\;\;\vdots \\
u_{v,\sigma,\delta}(\sigma^{n-1}_{state}(R, \nu h.E)) &= v(\nu h.(\sigma^n_{act}(h(R), E))) + \delta \times u_{v,\sigma,\delta}(\sigma^n_{state}(R, \nu h.E)).
\end{aligned}$$
It does not appear possible to render this result so that the payoff $u_{v,\sigma,\delta}(R, \nu h.E)$ is determined equationally in terms of the value of the payoff $u_{v,\sigma,\delta}(h(R), E)$. One possibility is to modify our definition of state payoff functions to include action transformations of the form seen above. Let an action transformation function be a total function $f : \mathrm{Act} \to \mathrm{Act}$ such that, for all action payoff functions $v \in V$ and actions $a \in \mathrm{Act}$, if $v(a)\downarrow$, then $v(f(a))\downarrow$. We define a transformative payoff function as
Let us restrict the set of hiding functions $H$ so that, for all $h \in H$ and $v \in V$, $v(a)\downarrow$ implies $v(\nu h.a)\downarrow$. Then, the payoff of $(R, \nu h.E)$, $u_{v,\sigma,\delta}(R, \nu h.E)$, is simply the (action transformed) payoff of $(h(R), E)$ with respect to the hiding function $\nu h$, $u_{v,\sigma,\delta,(\nu h)}(h(R), E)$. Further research is required to determine how hiding can be used in practice in modelling scenarios that consider payoff, the extent to which the lack of equational theory is a concern, and our alternative derivation of payoff in such circumstances.
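When the strategy's orbit from a state is finite, the simultaneous equations above can be solved mechanically, and the action-transformed payoff uses the same solver with each action passed through $f$ first. The following Python sketch is an added example, not code from the paper; the state names, payoff values, discount factor and the `hide` renaming that stands in for $\nu h$ are constructed assumptions built around a produce/consume cycle.

```python
from fractions import Fraction

def orbit(sigma, s0):
    """Follow the strategy from s0 until a state repeats.
    Returns (states, k): states[k:] is the cycle, states[:k] the tail."""
    index, states, s = {}, [], s0
    while s not in index:
        index[s] = len(states)
        states.append(s)
        s = sigma[s][1]          # sigma[s] = (action, next state)
    return states, index[s]

def payoff(sigma, v, delta, s0, f=lambda a: a):
    """Solve u(s) = v(f(act(s))) + delta * u(next(s)) along the orbit of s0.
    f is an action transformation; the identity gives the plain payoff.
    Requires 0 <= delta < 1 and v defined on every (transformed) action."""
    states, k = orbit(sigma, s0)
    step = [Fraction(v[f(sigma[s][0])]) for s in states]
    cycle = step[k:]
    # Value at the cycle entry: one lap, summed as a geometric series.
    lap = sum(delta ** i * p for i, p in enumerate(cycle))
    u_next = lap / (1 - delta ** len(cycle))
    # Back-substitute from the last orbit state down to s0.
    u = {}
    for s, p in zip(reversed(states), reversed(step)):
        u_next = p + delta * u_next
        u[s] = u_next
    return u[s0]

# Constructed sample data (assumptions, not the paper's definitions).
SIGMA = {
    "(2,2)": ("c1.c2", "(1,1)"),   # tail: both agents consume
    "(1,1)": ("c1.c2", "(0,0)"),   # both agents consume
    "(0,0)": ("p1.p2", "(1,1)"),   # both produce, then the cycle repeats
    "e": ("1", "e"),               # Lemma 13: sigma(e) = (1, e)
}
V1 = {"c1.c2": 3, "p1.p2": -1, "1": 0,           # first agent's payoffs
      "nu.c1.c2": 3, "nu.p1.p2": 0, "nu.1": 0}   # payoffs of hidden actions
DELTA = Fraction(1, 2)

def hide(a):
    """Stand-in for the action transformation a -> (nu h).a."""
    return "nu." + a

if __name__ == "__main__":
    for s in SIGMA:
        print(s, payoff(SIGMA, V1, DELTA, s), payoff(SIGMA, V1, DELTA, s, hide))
```

Exact rationals make it possible to check that every computed value satisfies its defining equation, which floating-point arithmetic would only approximate.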
Finally, while it is possible to define an operational semantics for open states, an appropriate notion of substitution and an appropriate notion of bisimulation for open states in arbitrary concurrent transition systems are open problems.

Definition 2 (Action-composition equivalence relation). An action-composition equivalence relation is an equivalence relation $\equiv\ \subseteq \mathrm{Act} \times \mathrm{Act}$ such that, for all $a, b, a', b' \in \mathrm{Act}$, $a \bullet 1 \equiv a$, $a \bullet b \equiv b \bullet a$, and $a \equiv a'$ and $b \equiv b'$ implies $a \bullet b \equiv a' \bullet b'$.
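and $s \xrightarrow{b} s'$, then $r' \bullet s'$ is defined and $r \bullet s \xrightarrow{ab} r' \bullet s'$;
• If $r \bullet s$ is defined and $r \bullet s \xrightarrow{c} r''$, then there exist $a, b \in \mathrm{Act}$, $r', s' \in S$ such that $c = ab$, $r \xrightarrow{a} r'$, $s \xrightarrow{b} s'$, and $r'' = r' \bullet s'$;
• The transition $e \xrightarrow{1} e$ is the only transition defined on the distinguished state $e$;
• $r \bullet e$ is defined.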
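then there exist $b \in \mathrm{Act}$, $s' \in S$ such that $s \xrightarrow{b} s'$, $a \equiv b$, and $r' \mathrel{R} s'$, and
• if $s \xrightarrow{a} s'$, then there exist $b \in \mathrm{Act}$, $r' \in S$ such that $r \xrightarrow{b} r'$, $a \equiv b$, and $r' \mathrel{R} s'$.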

Lemma 13. For all strategies $\sigma$, $\sigma(e) = (1, e)$. Proof. By Definition 4, the transition $e \xrightarrow{1} e$ is the only transition defined on the distinguished state $e$. By Definition 11, there exists some $a$ and $s'$ such that $\sigma(e) = (a, s')$ and $e \xrightarrow{a} s'$. As the transition $e \xrightarrow{1} e$ is the only transition defined on the distinguished state $e$, $a = 1$ and $s' = e$.

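$\xrightarrow{a} r'$, $\rho(d) \equiv a$, and $r' \vDash_{M,\rho} \psi$. By the definition of bisimulation, we have that there exist $b \in \mathrm{Act}$, $s' \in S$ such that $s \xrightarrow{b} s'$, $a \equiv b$, and $r' \sim s'$. By Definition 2, $\rho(d) \equiv b$. By the induction hypothesis, we have that $s' \vDash_{M,\rho} \psi$. Hence, we have that $s \vDash_{M,\rho} \langle d \rangle \psi$.
Case $\varphi = [d]\psi$. Suppose that $s \xrightarrow{b} s'$ and $\rho(d) \equiv b$. By the definition of bisimulation, we have that there exist $a \in \mathrm{Act}$, $r' \in S$ such that $r \xrightarrow{a} r'$, $a \equiv b$, and $r' \sim s'$. By Definition 2, $a \equiv \rho(d)$. By the hypotheses, we have that $r' \vDash_{M,\rho} \psi$. By the induction hypothesis, we have that $s' \vDash_{M,\rho} \psi$. Hence, we have that $s \vDash_{M,\rho} [d]\psi$.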

$\xrightarrow{a} r'$. Suppose, for a contradiction, that there exist no $b \in \mathrm{Act}$ and $s' \in \mathrm{State}$ such that $s \xrightarrow{b} s'$, $a \equiv b$, and $r' \mathrel{R} s'$. Let $F = \{s' \mid s \xrightarrow{b} s' \text{ and } a \equiv b\}$. If $F$ is empty, then r a and s a , contradicting $r \equiv_{MBIU} s$. Hence $F$ is non-empty. By Definition 29,

Proposition 41. A resource monoid model $(R, \mathrm{Act}, \mu, =, \bullet, e)$ is a concurrent transition system. Proof. By Definition 39, we have that $(R, \mathrm{Act}, \mu)$ is a transition system. Suppose some $a, b, c \in \mathrm{Act}$. By the definition of a commutative monoid, we have that $a1 = a$, $ab = ba$, and, if $a = a'$ and $b = b'$, $ab = a'b'$. Hence $=$ is an action-composition equivalence relation. Suppose some states $r, s, r', s', r'' \in S$ and actions $a, b \in \mathrm{Act}$. As $\bullet$ is commutative, if $r \bullet s$ is defined, then $s \bullet r$ is defined. The other required properties of $\bullet$ follow straightforwardly from Definition 39.

Figure 2. Operational Semantics
and $S, F \xrightarrow{b} S', F'$. By the Prod rule, we have that $R \otimes S, E \times F \xrightarrow{ab} R' \otimes S', E' \times F'$. Suppose that $R \otimes S, E \times F \xrightarrow{c} T, G$. By the Prod rule, we have that there exist $a, b, R', S', E', F'$ such that $c = ab$, $T = R' \otimes S'$, $G = E' \times F'$, $R, E \xrightarrow{a} R', E'$, and $S, F \xrightarrow{b} S', F'$. Suppose that $e, \mu X.1 : id\ X \xrightarrow{a} S', F'$. By the Fix, PrefixTwo, and Act rules, and Definition 46, we have that $S' = e$, $F' = \mu X.1 : id\ X$ and $a = 1$. By Definition 43, we have that $R \otimes e$ is defined, and hence $(R, E) \bullet (e, 1)$ is defined.
G. By the Sum rule, either $R, E \xrightarrow{a} T, G$ or $R, 0 \xrightarrow{a} T, G$. By Figure 2, $R, 0 \nrightarrow$, and hence $R, E \xrightarrow{a} T, G$. By Definition 51, $a \equiv a$. As simulation is an equivalence relation, $T, G \sim T, G$, and hence $(T, G) \mathrel{R} (T, G)$. Suppose that $R, E \xrightarrow{a} T, G$. By Definition 43[3], $R \oplus R$ is defined. By the Sum rule, $R \oplus R, E \oplus 0 \xrightarrow{a} T, G$. By Lemma 7, $T, G \sim T, G$, and hence $(T, G) \mathrel{R} (T, G)$. Hence $R$ is closed and a bisimulation.
Associativity of choice. Let F .
By Definition 43[2], $S \otimes R$ and $S' \otimes R'$ are defined. By the Prod rule, $S \otimes R, F \times E \xrightarrow{ba} S' \otimes R', F' \times E'$. By Definition 51, $ab \equiv ba$. We immediately have that
$\phi_2$ iff there exist $s_1, s_2$, with $s \sim s_1 \bullet s_2$, such that $s_1 \vDash_\rho \phi_1$ and $s_2 \vDash_\rho \phi_2$
As bisimilar states have the same payoff, for fixed action payoff function, strategy, and discount factor (Lemma 20), interpretations of the distinguished predicates are $\sim$-closed.
By Definition 19, there exists some natural number $m$ such that $\sigma^m_{state}$