Keeping Secrets in Modalized DL Knowledge Bases
Gopalakrishnan Krishnasamy Sivaprakasam
1
and Giora Slutzki
2
1
Department of Mathematics & Computer Science, Central State University, Wilberforce, Ohio, U.S.A
2
Department of Computer Science, Iowa State University, Ames, Iowa, U.S.A
Keywords:
Secrecy Preserving Reasoning, Knowledge Bases, Modalized Description Logic, Query Answering.
Abstract:
In this paper we study Secrecy-Preserving Query Answering problem under the Open World Assumption
(OWA) for ELH
^
−>
Knowledge Bases. Here E LH
^
−>
is a top-free description logic E LH augmented with a
modal operator ^. We employ a tableau procedure designed to compute a rooted labeled tree T which contains
information about some assertional consequences of the given knowledge base. Given a secrecy set S, which
is a finite set of assertions, we compute a function E, called an envelope of S, which assigns a set of assertions
to each node of T. E provides logical protection to the secrecy set S against the reasoning of a querying
agent. Once the tree T and an envelope E are computed, we define the secrecy-preserving tree T
E
. Based on
the information available in T
E
, assertional queries with modal operator ^ can be answered efficiently while
preserving secrecy. To the best of our knowledge, this work is first one studying secrecy-preserving reasoning
in description logic augmented with modal operator ^. When the querying agent asks a query q, the reasoner
answers “Yes” if information about q is available in T
E
; otherwise, the reasoner answers “Unknown”. Being
able to answer “Unknown” plays a key role in protecting secrecy under OWA. Since we are not computing
all the consequences of the knowledge base, answers to the queries based on just secrecy-preserving tree T
E
could be erroneous. To fix this problem, we further augment our algorithms by providing recursive query
decomposition algorithm to make the query answering procedure foolproof.
1 INTRODUCTION
Recently, Tao et al., in (Tao et al., 2014) have de-
veloped a conceptual framework to study secrecy-
preserving reasoning and query answering in De-
scription Logic (DL) Knowledge Bases (KBs) under
Open World Assumptions (OWA). The approach uses
the notion of an envelope to hide secret information
against logical inference and it was first defined and
used in (Tao et al., 2010). The idea behind the en-
velope concept is that no expression in the envelope
can be logically deduced from information outside
the envelope. This approach is based on the assump-
tion that the information contained in a KB is incom-
plete (by OWA) and (so far) it has been restricted to
very simple DLs and simple query languages. Specif-
ically, in (Tao et al., 2010; Tao et al., 2014; Krish-
nasamy Sivaprakasam and Slutzki, 2016) the main
idea was to utilize the secret information within the
reasoning process, but then answering “Unknown”
whenever the answer is truly unknown or in case the
true answer could compromise confidentiality. In this
paper, we extend this approach to a DL that incorpo-
rates a modal operator.
Generally, modalized DLs are DLs with modal
operators. Lutz et al., in (Lutz et al., 2001) pre-
sented an exponential time tableau decision algorithm
for modalized ALC. In (Tao et al., 2012), the au-
thors presented a PSPACE algorithm for satisfiability
reasoning problem in acyclic modalized ALC KBs.
Modal logic was used to study privacy related rea-
soning tasks, see (Barth and Mitchell, 2005; Halpern
and O’Neill, 2005; Jafari et al., 2011). Specifi-
cally in (Halpern and O’Neill, 2005), the authors
showed that the modal logic of knowledge for mul-
tiagent systems provides a framework for reasoning
about anonymity. This framework was extended in
(Tsukada et al., 2009) to reasoning about privacy.
In an attempt to reduce the complexity of reason-
ing in modal logic to polynomial time, Hemaspaan-
dra in (Hemaspaandra, 2000) had considered several
propositional modal logic languages with one modal
operator. Motivated by these works, in this paper
we study secrecy-preserving query answering prob-
lem for ELH
^
−>
KBs where ELH
^
−>
is the top-free
description logic ELH augmented with the modal op-
erator ^. The reason for excluding > from the syn-
Krishnasamy Sivaprakasam G. and Slutzki G.
Keeping Secrets in Modalized DL Knowledge Bases.
DOI: 10.5220/0006202505910598
In Proceedings of the 9th International Conference on Agents and Artificial Intelligence (ICAART 2017), pages 591-598
ISBN: 978-989-758-220-2
Copyright
c
2017 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
591
tax of ELH logic is to avoid computing tautological
statements that are not relevant to secrecy preserva-
tion. In the literature there are several top-free DL
languages. For instance, DL-Lite
R
is a top-free DL,
see (Calvanese et al., 2007). The syntax and seman-
tics of the ELH
^
−>
DL are presented in Section 2.
Given an ELH
^
−>
KB Σ =
h
A, T , R
i
, as a first
step in constructing secrecy-preserving reasoning sys-
tem, we use a tableau algorithm to compute a finite
rooted labeled tree T. The labeling set of the root node
of the T is A
∗
which contains a set of consequences
of the KB Σ, restricted to concepts that actually occur
in Σ and an extra “auxiliary” set of concepts defined
over the signature of Σ. Since the computed tree does
not contain all the consequences of the KB, in order
to answer user queries we have designed a recursive
algorithm which breaks the queries into smaller as-
sertions all the way until the information in T can be
used.
To protect the secret information in the secrecy set
S, we extend the idea of envelope (as a set of asser-
tions) to a function E that assigns a set of assertions
to each node in T. This envelope is computed by an-
other tableau algorithm based on the idea of inverting
the local and global expansion rules given in the first
tableau algorithm. Once such envelope is computed,
the answers to the queries are censored dependent
upon the labeling set assigned by E to the nodes of
T. Since, generally, an envelope is not unique, the de-
veloper has some freedom to output a envelope (from
the available choices) satisfying the needs of appli-
cation domain, company policy, social obligations or
user preferences.
Next, we discuss a query answering procedure
which allows us to answer queries without revealing
secrets. The queries are answered based on the in-
formation available in the secrecy-preserving tree ob-
tained from the tree T and the envelope E, see Section
4. This tree, once computed, remains fixed. Usu-
ally in secrecy-preserving query answering frame-
work queries are answered by checking their mem-
bership in a previously computed set, see (Tao et al.,
2010; Tao et al., 2014; Krishnasamy Sivaprakasam
and Slutzki, 2016). Since the secrecy-preserving tree
does not contain all the statements entailed by Σ, we
need to extend the query answering procedure from
just membership checking. Towards that end we have
designed a recursive algorithm to answer more com-
plicated queries. To answer a query q, the algorithm
first checks if q is a member of the labeling set of
the root node of the secrecy-preserving tree, in which
case the answer is “Yes”; otherwise, the given query
is broken into subqueries based on the logical con-
structors, and the algorithm is applied recursively on
the subqueries, see Section 5.
2 SYNTAX AND SEMANTICS
A vocabulary of ELH
^
−>
is a triple < N
O
, N
C
, N
R
>
of countably infinite, pairwise disjoint sets. The ele-
ments of N
O
are called object (or individual) names,
the elements of N
C
are called concept names and the
elements of N
R
are called role names. The set of
ELH
^
−>
concepts is denoted by C and is defined by
the following rules
C ::= A | C u D | ∃r.C | ^C
where A ∈ N
C
, r ∈ N
R
, C, D ∈ C and ^C denotes the
modal constructor, read as “diamond C”. Assertions
are expressions of the form C(a) or r(a, b), general
concept inclusions (GCIs) are expressions of the form
C v D and role inclusions are expressions of the form
r v s where C, D ∈ C, r, s ∈ N
R
and a, b ∈ N
O
.
The semantics of ELH
^
−>
concepts is defined by
using Kripke structures (Kripke, 1963). A Kripke
structure is a tuple M = hS, π, Ei where S is a set of
states, E ⊆ S × S is the accessibility relation, and π
interprets the syntax of ELH
^
−>
at each state s ∈ S.
Further, we denote by E(s) the set {t | (s, t) ∈ E} of
the successors of the state s. All the concepts and role
names will be interpreted in a common non-empty do-
main which we denote by ∆, see (Lutz et al., 2001;
Tao et al., 2012). The interpretation of concepts and
role names is defined inductively as follows: for all
a ∈ N
O
, A ∈ N
C
, r ∈ N
R
, C, D ∈ C and for all s ∈ S,
a
π(s)
∈ ∆; A
π(s)
⊆ ∆; r
π(s)
⊆ ∆ × ∆;
(C uD)
π(s)
= C
π(s)
∩ D
π(s)
; (^C)
π(s)
=
S
t∈E (s)
C
π(t)
;
(∃r.C)
π(s)
= {d ∈ ∆ | ∃e ∈ C
π(s)
: (d, e) ∈ r
π(s)
}.
An ABox A is a finite, non-empty set of assertions,
a TBox T is a finite set of GCIs and an RBox R is a
finite set of role inclusions. An ELH
^
−>
KB is a triple
Σ =
h
A, T , R
i
where A is an ABox, T is a TBox and
R is an RBox.
Let M = hS, π, Ei be a Kripke structure, s ∈ S,
C, D ∈ C, r, t ∈ N
R
and a, b ∈ N
O
. We say that
(M, s) satisfies C(a), r(a, b), C v D or r v t, nota-
tion (M, s) |= C(a), (M, s) |= r(a, b), (M, s) |= C v
D or (M, s) |= r v t if, respectively, a
π(s)
∈ C
π(s)
,
(a
π(s)
, b
π(s)
) ∈ r
π(s)
, C
π(s)
⊆ D
π(s)
or r
π(s)
⊆ t
π(s)
.
(M, s) satisfies Σ, notation (M, s) |= Σ, if (M, s) sat-
isfies all the assertions in A, all the GCIs in T and all
the role inclusions in R. M satisfies Σ, or M is a model
of Σ, if there exists a s ∈ S such that (M, s) |= Σ and
for all t ∈ S, (M, t) |= T ∪ R. Let α be an assertion, a
ICAART 2017 - 9th International Conference on Agents and Artificial Intelligence
592
GCI or a role inclusion. We say that Σ entails α, no-
tation Σ |= α, if for all Kripke structures M satisfying
Σ and for all states s of M, (M, s) |= Σ ⇒ (M, s) |= α.
3 COMPUTATION OF A MODEL
FOR ELH
^
−>
KB Σ AND A
∗
Denote by N
Σ
the set of all concept names and role
names occurring in Σ and let S be a finite set of con-
cepts over N
Σ
1
. Let C
Σ,S
be the set of all subconcepts
of concepts that occur in S or Σ and define
A
∗
={C(a) | C ∈ C
Σ,S
and Σ |= C(a)}∪
{r(a, b) | Σ |= r(a, b)}.
We use O
Σ
to denote the set of individual names that
occur in Σ, and define the witness set W = {w
r
C
|
r ∈ N
R
∩ N
Σ
and C ∈ C
Σ,S
}. Define O
∗
= O
Σ
∪ W.
Given Σ and C
Σ,S
, we outline a procedure that com-
putes a tree called a constraint tree over Σ: a rooted
tree T = hV, k
0
, E, Li where V is a set of nodes, k
0
∈ V
is the root of T, E is a set of directed edges and L is
a function that labels each node with a set of asser-
tions obtained by applying the expansion rules speci-
fied below. The procedure builds T starting from the
root node k
0
whose labeling set L(k
0
) is initialized as
the ABox A. Further, T is grown by recursively ap-
plying the expansion rules in Figures 1 and 2. T is said
to be completed if no expansion rule in Figures 1 or 2
is applicable to it. The procedure is designed to out-
put a completed constraint tree T = hV, k
0
, E, Li with
L(k
0
) = A
∗
. For the purpose of query answering, T is
used as a “good approximation” of a (Kripke) model
of the given KB, for details see Section 5.
In more detail, there are two kinds of expansion
rules: (a) local expansion rules and (b) global expan-
sion rules. Local expansion rules are given in Figure
1 and generate new assertions within a single label-
ing set. The u
−
-rule decomposes conjunctions, and
∃
−
-rule decomposes existential restriction assertions
of the form ∃r.C(a) by introducing a corresponding
witness w
r
C
from the set W. The v-rule derives new
assertions based on the GCIs present in T . To con-
struct concept assertions whose associated concept
expressions already belong to C
Σ,S
, we use the u
+
and
∃
+
-rules. Finally, the H-rule derives role assertions
based on role inclusions in R. The global expansion
rules are given in Figure 2. The ^
−
-rule generates
new nodes that are directly accessible from the cur-
rent node. The ^
+
-rule adds a new ^ assertion to the
parent node of the current node.
1
A technicality; S will be used in Section 4 in the con-
text of secrecy-preserving reasoning.
u
+
− rule : if C(a), D(a) ∈ L(i), C u D ∈ C
Σ,S
,
and C u D(a) < L(i),
then L(i) := L(i) ∪ {C uD(a)};
u
−
− rule : if C u D(a) ∈ L(i),
and C(a) < L(i) or D(a) < L(i),
then L(i) := L(i) ∪ {C(a), D(a)};
∃
+
− rule : if r(a, b), C(b) ∈ L(i), ∃r.C ∈ C
Σ,S
and ∃r.C(a) < L(i),
then L(i) := L(i) ∪ {∃r.C(a)};
∃
−
− rule : if ∃r.C(a) ∈ L(i), and
∀b ∈ O
∗
, {r(a, b),C(b)} * L(i),
then L(i) := L(i) ∪ {r(a, w
r
C
),C(w
r
C
)},
where w
r
C
∈ W;
v −rule : if C(a) ∈ L(i), C v D ∈ T ,
and D(a) < L(i),
then L(i) := L(i) ∪ {D(a)};
H − rule : if r(a, b) ∈ L(i), r v s ∈ R,
and s(a, b) < L(i),
then L(i) := L(i) ∪ {s(a, b)};
Figure 1: Local expansion rules.
^
−
− rule : if there is a node i with ^C(a) ∈ L(i)
and i has no successor j
with C(a) ∈ L( j),
then add a new successor k of i
with L(k) := {C(a)};
^
+
− rule : if there is a node i with C(a) ∈ L(i),
^C ∈ C
Σ,S
and i has a parent j
with ^C(a) < L( j),
then L( j) := L( j) ∪ {^C(a)}.
Figure 2: Global expansion rules.
Example 1. Let Σ =
h
A, T , R
i
be a ELH
^
−>
KB,
where A = {^A(a),C(d), u(a, d)}, T = {^A v
B,C v ^^(D u E), E v ∃u.F, ^D v ^G}, R = {u v
v} and S = {∃u.C, ^^D}. Then, applying the rules in
Figures 1 and 2 we compute the completed constraint
tree T = hV, k
0
, E, Li whose labeling sets are given in
Figure 3. In this example, O
∗
= {a, d, w
u
C
, w
u
F
} and
- L(k
0
) = {^A(a), B(a),C(d), u(a, d), ∃u.C(a),
v(a, d), ^^(D u E)(d), ^^D(d)},
- L(k
1
) = {A(a)},
- L(k
2
) = {^(D u E)(d), ^D(d), ^G(d)},
- L(k
3
) = {D u E(d), D(d), E(d), ∃u.F(d),
u(d, w
u
F
), F(w
u
F
), v(d, w
u
F
)} and
- L(k
4
) = {G(d)}.
Keeping Secrets in Modalized DL Knowledge Bases
593
k
0
k
1
k
2
k
3
k
4
L(k
0
) = A
∗
L(k
1
)
L(k
2
)
L(k
3
)
L(k
4
)
Figure 3: Completed constraint tree T = hV, k
0
, E, Li.
We will use the following notion of TBox acyclic-
ity, called here ^-acyclicity.
Definition 1. A sequence S
0
, S
1
...., S
n
, ... of concept
assertions over Σ, is called a ^-sequence, if it satisfies
the following conditions:
• S
0
= C
0
(a
0
), C
0
∈ C
Σ,S
, a
0
∈ O
∗
.
• Given, S
n
= C
n
(a
n
), with C
n
∈ C
Σ,S
, a
n
∈ O
∗
, the
next element in the sequence can be obtained as
follows: Let B
n
be the set of all assertions ob-
tained by applying the local rules starting from
S
n
. Put D
n
= B
n
∪ {S
n
}.
- If D
n
does not contain any ^-assertions, then
S
n
is the last assertion of the sequence.
- If D
n
contains some ^-assertions, then
pick one, say ^P(b), and define S
n+1
=
C
n+1
(a
n+1
) = P(b).
The resulting ^-sequence is said to be non-repetitive,
if for distinct i, j, C
i
, C
j
.
Definition 2. A TBox T is said to be ^-acyclic (with
respect to the rules given in Figures 1 and 2), if every
^-sequence is non-repetitive.
In this paper, we assume that all TBoxes are ^-
acyclic as per Definition 2 (we shall omit the phrase
“with respect to the rules”). We denote by Λ the algo-
rithm which, given Σ and C
Σ,S
, nondeterministically
applies the expansion rules in Figures 1 and 2 until no
further applications are possible. It is easy to see that
for each node k in the constraint tree T = hV, k
0
, E, Li,
the size of L(k) is polynomial in | Σ | + | C
Σ,S
|. An up-
per bound for the depth of T is given in the following
claim which follows immediately from Definitions 1
and 2.
Claim 1. The depth of T is O(| C
Σ,S
|).
All executions of Λ terminate and by Claim 1,
Λ builds a tree T whose depth is linear in | C
Σ,S
|.
Since the ^-rule can in some cases be applied expo-
nentially many times in | Σ | + | C
Σ,S
|, T may have
exponentially many nodes. For instance, consider
a ELH
^
−>
KB Σ =
h
A, T , R
i
, where A = {A
1
(a)},
T = {A
i
v ^∃r.A
i+1
, A
i
v ^∃s.A
i+1
, 1 ≤ i ≤ n − 1}
and R =
/
0. Clearly, TBox T is ^-acyclic. To com-
pute the constraint tree T for Σ, the global rules must
be applied exponentially many times, implying that,
the worst case the running time of Λ is exponential in
| Σ | + | C
Σ,S
|.
Before proving the correctness of Λ, we define the
notion of interpretation of a constraint tree, see (Lutz
et al., 2001; Tao et al., 2012).
Definition 3. Let T = hV, k
0
, E, Li be a constraint tree
over Σ, M = hS, π, Ei a Kripke structure, and σ a map-
ping from V to S. We say that M satisfies T via σ if
for all k, k
0
∈ V,
- (k, k
0
) ∈ E ⇒ (σ(k), σ(k
0
)) ∈ E, and
- (M, σ(k)) |= L(k), i.e., (M, σ(k)) |= α for every
α ∈ L(k)
We say that M satisfies T, denoted as M ||= T, if there
is a mapping σ such that M satisfies T via σ.
In the next lemma, we formulate the local sound-
ness property of Λ. We say that f
0
is an extension of
a function f if f
0
agrees with f on the domain of f .
The proof of the following lemma is omitted.
Lemma 1. Let Σ =
h
A, T , R
i
be ELH
^
−>
KB with an
^-acyclic TBox T and let M = hS, π, Ei be a Kripke
structure satisfying Σ. Also let T be a constraint tree
over Σ, α a local or global expansion rule and T
α
a constraint tree obtained by applying α to T. If M
satisfies T via σ, then there exists a Kripke structure
M
0
= hS, π
0
, Ei such that
- M
0
satisfies Σ and π
0
is an extension of π,
- M
0
satisfies T
α
via σ
0
, an extension of σ.
Lemma 1 makes sure that each application of local
and global rules preserves the model existence prop-
erty. Next we define the canonical Kripke structure
of a constraint tree.
Definition 4. Let T = hV, k
0
, E, Li be a completed
constraint tree over Σ. The canonical Kripke struc-
ture M
T
= hS, π, Ei for T is defined as follows:
- S = V, E = E , ∆ = O
∗
= O
Σ
∪ W,
- a
π(k)
= a for all a ∈ O
∗
and each k ∈ V,
- A
π(k)
= {a ∈ O
∗
| A(a) ∈ L(k)}, A ∈ N
C
∩ N
Σ
,
- r
π(k)
= {(a, b) ∈ O
∗
×O
∗
| r(a, b) ∈ L(k)}, for all
r ∈ N
R
∩ N
Σ
,
π(k) is extended to compound concepts in the usual
way (see Section 2).
The following lemma shows that M
T
satisfies the
completed constraint tree T. The proof is omitted.
Lemma 2. Let Σ =
h
A, T , R
i
be ELH
^
−>
KB with a
^-acyclic TBox T . Also let T be a completed con-
straint tree over Σ. Then M
T
||= T.
ICAART 2017 - 9th International Conference on Agents and Artificial Intelligence
594
Next we prove that (M
T
, k) |= T ∪ R, for each
k ∈ S. We need the following auxiliary lemma whose
proof is an easy induction on the structure of C.
Lemma 3. For each C ∈ C
Σ,S
, each a ∈ O
∗
and each
k ∈ V, if (M
T
, k) |= C(a) then C(a) ∈ L(k).
The proof of the following lemma follows imme-
diately from Lemmas 2 and 3 and it is omitted.
Lemma 4. For each k ∈ S, (M
T
, k) |= T ∪ R.
The following corollary is an immediate conse-
quence of Lemmas 2 and 4.
Corollary 1. M
T
satisfies Σ.
Proof. By Definitions 3 and 4 and Lemmas 2 and 4,
we have that (1) (M
T
, k
0
) |= Σ and (2) for each k ∈ V,
(M
T
, k) |= T ∪ R. Hence M
T
satisfies Σ.
The proof of the next theorem follows from Defi-
nition 4 and Lemma 3. In a sense, this theorem cap-
tures the completeness property of the algorithm Λ.
Theorem 1. Let T = hV, k
0
, E, Li be a completed con-
straint tree over Σ and M
T
= hS, π, Ei a canonical
Kripke structure for T. Then, for all k ∈ V, C ∈ C
Σ,S
,
r ∈ N
Σ
∩ N
R
, and all a, b ∈ O
∗
- (M
T
, k) |= r(a, b) ⇒ r(a, b) ∈ L(k) and
- (M
T
, k) |= C(a) ⇒ C(a) ∈ L(k).
Finally, the following is a consequence of Theo-
rem 1 and Corollary 1.
Corollary 2. L(k
0
) = A
∗
.
4 SECRECY-PRESERVING
REASONING IN ELH
^
−>
KB’S
Let Σ =
h
A, T , R
i
be a ELH
^
−>
KB and T = hV, k
0
, E,
Li a completed constraint tree over Σ. Let S ⊆ A
∗
be
the “secrecy set”. Given Σ, S and T, the objective is
to answer assertion queries while preserving secrecy,
i.e., answering queries so that assertions in S remain
protected. Our approach is to compute a function E
that assigns a finite set of assertions to each node in T.
E is called the secrecy Envelope for S, so that protect-
ing E(i) for all i ∈ V, the querying agent cannot log-
ically infer any assertion in S. The sets E(i) for each
i ∈ V are obtained by applying the inverted expan-
sion rules given in Figures 4 and 5. The role of OWA
in answering the queries is the following: When an-
swering a query with “Unknown”, the querying agent
should not be able to distinguish between the case that
the answer to the query is truly unknown to the KB
reasoner and the case that the answer is being pro-
tected for reasons of secrecy. We envision a situation
in which once the T is computed, a reasoner R is as-
sociated with it, i.e., R has unfettered access to T. R
is designed to answer queries as follows: If a query
cannot be inferred from Σ, the answer is “Unknown”.
If it can be inferred and it is not in E(k
0
), the answer
is “Yes”; otherwise, the answer is “Unknown”. We
make the following assumptions about the capabili-
ties of the querying agent:
(a) does not have direct access to ABox A, but is
aware of the underlying vocabulary of Σ,
(b) has full access to TBox T and RBox R,
(c) can ask queries in the form of assertions, and
(d) is not aware of the witness set W, by hidden
name assumptions (HNA), for more details see
(Tao et al., 2010).
We formally define the notion of an envelope
Definition 5. Let Σ =
h
A, T , R
i
be a ELH
^
−>
KB, S
a finite secrecy set and T = hV, k
0
, E, Li a completed
constraint tree. The secrecy envelope of S is a func-
tion E with domain V satisfying the following proper-
ties:
- S ⊆ E(k
0
); for each i ∈ V, E(i) ⊆ L(i), and
- for each i ∈ V, each α ∈ E(i), L(i) \ E(i) 6|= α.
The intuition for the above definition is that for
each i ∈ V, no information in E(i) can be inferred
from the set L(i) \ E(i). To compute an envelope, we
use the idea of inverting the rules of Figures 1 and 2
(see (Tao et al., 2010), where this approach was first
utilized for membership assertions). Induced by the
Local and Global expansion rules in Figures 1 and
2, we define the corresponding “inverted” Local and
Global expansion rules in Figures 4 and 5, respec-
tively. Note that the ∃
−
-rule does not have its cor-
responding inverted rule. The reason for the omission
is that an application of this rule results in adding as-
sertions with individual names from the witness set.
By HNA, the querying agent is barred from asking
any queries that involve individual names from the
witness set. Inverted expansion rules are denoted by
prefixing Inv- to the name of the corresponding ex-
pansion rules.
From now on, we assume that T has been com-
puted and is readily available for computing the en-
velope. The computation begins with the initializa-
tion step: The set E(k
0
) is initialized as S, and E(i)
is initialized as
/
0 for all i ∈ V \ {k
0
}. Next, the sets
E(k
0
) and E(i) for all i ∈ V \{k
0
} are expanded using
the inverted expansion rules listed in Figures 4 and 5
until no further applications are possible. The result-
ing function E is said to be completed. We denote by
Λ
S
the algorithm which computes the sets E(i) for all
i ∈ V. Due to non-determinism in applying the rules
Inv-u
+
and Inv-∃
+
, different executions of Λ
S
may
result different outputs. Since for each i ∈ V, L(i)
Keeping Secrets in Modalized DL Knowledge Bases
595
Inv- u
−
−rule : if {C(a), D(a)} ∩ E(i) ,
/
0
and C u D(a) ∈ L(i) \ E(i),
then E(i) := E(i) ∪ {C u D(a)};
Inv- u
+
−rule : if C u D(a) ∈ E(i),
{C(a), D(a)} ⊆ L(i) \ E(i)
and C u D ∈ C
Σ,S
,
then E(i) := E(i) ∪ {C(a)}
or E(i) := E(i) ∪ {D(a)};
Inv-∃
+
− rule : if ∃r.C(a) ∈ E(i),
{r(a, b),C(b)} ⊆ L(i) \ E(i) with
b ∈ O
∗
and ∃r.C ∈ C
Σ,S
,
then E(i) := E(i) ∪ {r(a, b)}
or E(i) := E(i) ∪ {C(b)};
Inv- v −rule : if D(a) ∈ E(i), C v D ∈ T ,
and C(a) ∈ L(i) \ E(i),
then E(i) := E(i) ∪ {C(a)};
Inv-H − rule : if s(a, b) ∈ E(i), r v s ∈ R,
and r(a, b) ∈ L(i) \ E(i),
then E(i) := E(i) ∪ {r(a, b)}.
Figure 4: Inverted local expansion rules.
is finite, the computation of Λ
S
terminates. Let the
sets E(i) for i ∈ V be an output of Λ
S
. Since the size
of each L(i) is polynomial in |Σ| + |C
Σ,S
|, and each
application of inverted expansion rule moves an as-
sertion from L(i) into E(i), the size of E(i) is at most
the size of L(i). Since the size of V can be exponen-
tial, Λ
S
may take exponential time to compute the sets
E(i). Define the secrecy-preserving tree (constraint)
for the secrecy set S to be T
E
= hV, k
0
, E, L
E
i, where
L
E
(i) = L(i) \ E(i) for all i ∈ V.
Example 2. (Example 1 cont.) Recall that T =
hV, k
0
, E, Li is the completed constraint tree. Let
S = {B(a), ^^D(d)} be the secrecy set. Then, by
using rules in Figures 4 and 5 we compute the en-
velope for S, and one of the corresponding secrecy-
preserving trees is given below:
- E(k
0
) = S ∪ {^A(a),C(d), ^^(D u E)(d)},
- E(k
1
) = {A(a)},
- E(k
2
) = {^(D u E)(d), ^D(d)},
- E(k
3
) = {D u E(d), D(d)} and
- E(k
4
) =
/
0.
Before proving the main result on envelopes, we
present several auxiliary lemmas. First shows that for
each i ∈ V, no assertion in E(i) is “logically reach-
able” from L
E
(i). The proof is omitted.
Inv-^
−
− rule : if there is a node j with
C(a) ∈ E( j) and
^C(a) ∈ L(i) \ E(i)
where i is the parent of j,
then E(i) := E(i) ∪ {^C(a)};
Inv-^
+
− rule : if there is a node i with
^C(a) ∈ E(i) and
C(a) ∈ L( j) \ E( j)
where j is a successor of i
and ^C ∈ C
Σ,S
,
then E( j) := E( j) ∪ {C(a)}.
Figure 5: Inverted global expansion rule.
k
0
k
1
k
2
k
3
k
4
L
E
(k
0
)
L
E
(k
1
)
L
E
(k
2
)
L
E
(k
3
)
L
E
(k
4
)
- L
E
(k
0
) = {u(a, d), ∃u.C(a), v(a, d)},
- L
E
(k
1
) =
/
0,
- L
E
(k
2
) = {^G(d)},
- L
E
(k
3
) = {E(d), ∃u.F(d), u(d, w
u
F
), F(w
u
F
),
v(d, w
u
F
)} and
- L
E
(k
4
) = {G(d)}.
Figure 6: Secrecy-preserving tree T
E
= hV, k
0
, E, L
E
i.
Lemma 5. Let E be a completed function resulting
from the algorithm Λ
S
. Also, let T
E
= hV, k
0
, E, L
E
i
be a secrecy-preserving tree. Then, for each i ∈ V,
L
E
(i) is completed.
Next we claim that the secrecy-preserving tree has
properties similar to those of its completed constraint
tree. The proof is similar to the proofs of Lemmas 2,
3 and 4.
Lemma 6. Let T
E
= hV, k
0
, E, L
E
i be a secrecy-
preserving tree obtained from the completed con-
straint tree T = hV, k
0
, E, Li over Σ and the completed
function E. Define the canonical Kripke structure
M
E
T
= hS, π, Ei for T
E
as
- S = V, E = E , ∆ = O
∗
= O
Σ
∪ W,
- a
π(k)
= a for all a ∈ O
∗
and each k ∈ V,
- A
π(k)
= {a ∈ O
∗
| A(a) ∈ L
E
(k)}, for all A ∈ N
C
,
ICAART 2017 - 9th International Conference on Agents and Artificial Intelligence
596
- r
π(k)
= {(a, b) ∈ O
∗
× O
∗
| r(a, b) ∈ L
E
(k)}, for
all r ∈ N
R
,
π(k) is extended to compound concepts in the usual
way (see Section 2). Then,
- M
E
T
||= T
E
,
- For each C ∈ C
Σ,S
, each a ∈ O
∗
and each k ∈ V,
if (M
E
T
, k) |= C(a), then C(a) ∈ L
E
(k) and
- For each k ∈ S, (M
E
T
, k) |= T ∪ R.
Finally, we show that a completed function E is in
fact an envelope for the secrecy set S.
Theorem 2. Let T = hV, k
0
, E, Li be a completed con-
straint tree over Σ. Also, let T
E
= hV, k
0
, E, L
E
i be a
secrecy-preserving tree for the secrecy set S. Then,
the completed function E is an envelope for S.
Proof. We have to show that the completed function
E satisfies all three properties of Definition 5. Proper-
ties 1 and 2 are obvious. To prove property 3, suppose
that for some i ∈ V, some α ∈ E(i), L
E
(i) |= α.
Let M
E
T
= hS, π, Ei be the canonical Kripke struc-
ture for T
E
. By Lemma 6, for each i ∈ V, (M
E
T
, i) |=
L
E
(i). Again, by Lemma 6, α ∈ L
E
(i). This is a con-
tradiction.
5 QUERY ANSWERING
Let Σ =
h
A, T , R
i
be a ELH
^
−>
KB. We assume
that the secrecy-preserving tree T
E
= hV, k
0
, E, L
E
i
has been precomputed and use E(k) to denote the set
{k
0
∈ V | (k, k
0
) ∈ E} of the successors of the node
k ∈ V. The reasoner R answers queries based on
the information in T
E
and replies to a query q with
“Yes” if Σ |= q and q < E(k
0
); otherwise, the answer
is “Unknown”. Recall that, because of the syntactic
restrictions of the language ELH
^
−>
, R does not an-
swer “No” to any query.
Since the completed constraint tree T over Σ does
not contain all the consequences of Σ, the completed
secrecy-preserving tree T
E
obtained from T does not
contain all the information needed to answer queries.
To address this problems we provide a procedure
Eval(k, q) which works by recursively decomposing
the compound queries all the way to the information
available in T
E
, see Figure 7. Initial call of this pro-
cedure is at the root node k
0
of T
E
. In lines 1 and 2,
the reasoner checks the membership of q in L
E
(k) and
answers “Yes” if q ∈ L
E
(k). From line 3 onwards we
consider cases in which query q is broken into sub-
queries based on the constructors defined in ELH
^
−>
and apply the procedure recursively. The following
theorem states the correctness claim of the algorithm.
Eval(k, q)
1: case q ∈ L
E
(k) = L(k) \ E(k)
2: return “Yes”
3: case q = C u D(a)
4: if Eval(k,C(a)) =“Yes” and
Eval(k, D(a)) =“Yes” then
5: return “Yes”
6: else
7: return “Unknown”
8: case q = ∃r.C(a)
9: if for some d ∈ O
∗
[ r(a, d) ∈ L
E
(k)
and Eval(k,C(d)) =“Yes”] then
10: return “Yes”
11: else
12: return “Unknown”
13: case q = ^C(a)
14: if for some l ∈ E(k)
[Eval(l,C(a)) = “Yes” ] then
15: return “Yes”
16: else
17: return “Unknown”
Figure 7: Query answering algorithm.
Theorem 3. Let Σ =
h
A, T , R
i
be an ELH
^
−>
KB,
T
E
= hV, k
0
, E, L
E
i a completed secrecy-preserving
tree and q a query. Then, for every k ∈ V,
- Soundness: Eval(k, q) outputs “Yes” ⇒ L
E
(k) |=
q;
- Completeness: Eval(k, q) outputs “Unknown”
⇒ L
E
(k) 6|= q.
Proof. We omit the proof of soundness. To prove
the completeness part assume that L
E
(k) |= q. We
have to show that Eval(k, q) = “Yes”. Let M
E
T
be the
canonical Kripke structure for T
E
as defined in Sec-
tion 4. By Lamma 6, M
E
T
||= T
E
and for all k ∈ V,
(M
E
T
, k) |= T ∪ R. Therefore (M
E
T
, k) |= L
E
(k) and
hence, by the assumption, for every k, (M
E
T
, k) |= q.
We prove the claim by induction on the structure of q.
The inductive hypothesis is, for each k ∈ V and each
assertion α if (M
E
T
, k) |= α, then Eval(k, α) = “Yes”.
The base case: Let q =C(a) where C ∈ C
Σ,S
. Then, by
Lemma 6, C(a) ∈ L
E
(k). By Lines 1 and 2 in Figure
7, the claim follows immediately. Next, let q = C(a)
where C < C
Σ,S
.
- q = C u D(a). To answer this query the algo-
rithm computes Eval(k,C(a)) and Eval(k, D(a)).
Now, the assumption (M
E
T
, k) |= C u D(a) implies
(M
E
T
, k) |= C(a) and (M
E
T
, k) |= D(a) which, by
inductive hypothesis, implies that Eval(k,C(a)) =
Eval(k, D(a)) = “Yes”. Hence, by Lines 4 and 5
in Figure 7, Eval(k,C u D(a)) = “Yes”.
- q = ∃r.C(a). By the assumption, (M
E
T
, k) |=
∃r.C(a). This implies that, for some d ∈
Keeping Secrets in Modalized DL Knowledge Bases
597
O
∗
, (M
E
T
, k) |= r(a, d) and (M
E
T
, k) |= C(d). By
Theorem 1, r(a, d) ∈ L
E
(k) and by the induc-
tive hypothesis Eval(k,C(d))=“Yes”. Hence, by
the Lines 9 and 10 in Figure 7, Eval(k, ∃r.C(a))=
“Yes”.
- q = ^C(a). Then, (M
E
T
, k) |= ^C(a). This implies
that, for some l ∈ E(k), (M
E
T
, l) |= C(a). By Def-
inition 4, (k, l) ∈ E and therefore l ∈ E(k). By
the inductive hypothesis Eval(l,C(a)) = “Yes”.
Hence, by the Lines 14 and 15 in Figure 7,
Eval(k, ^C(a))= “Yes”.
Given an assertional query q, the algorithm given
in Figure 7 checks for some assertions related to query
q in the labeling sets of nodes along a particular path
in T
E
. Since the size of each labeling set is bounded
by | Σ | + | C
Σ,S
|, by the Claim 1, this algorithm runs
in time polynomial in | Σ | + | C
Σ,S
|. Hence the as-
sertional query answering can be done in polynomial
time in the size of | Σ | + | C
Σ,S
|.
Example 3. (example 2 cont.) Recall that T
E
is
a secrecy-preserving tree. Suppose that the query-
ing agent asks the assertional queries ∃u.C(a),
^^∃v.F(d) and ^A(a) . Using the algorithm in Fig-
ure 7, we get the following answers:
q Eval(k, q) Remarks
∃u.C(a) Yes by Lines 1 and 2
^^∃v.F(d) Yes by 14, 15, 9 and 1
^A(a) Unknown by 14 and 17
6 CONCLUSIONS
In this paper we have studied the problem of secrecy-
preserving query answering over ELH
^
−>
KBs. We
have used the conceptual logic-based framework for
secrecy-preserving reasoning which was introduced
in Tao et al. 2014, to a top-free description logic
ELH augmented with a modal operator ^. The
main contribution is in the way that we compute the
consequences and preserve secrecy while answering
queries. We break the process into two parts, the first
one using the ^-assertions in the KB, precomputes
the rooted labeled tree T and the envelope E for the
given secrecy set S. For this we use two separate (but
related) tableau procedures. In query answering step,
given T and E, we define the secrecy-preserving tree
T
E
. Once T
E
has been computed, the query answer-
ing procedure is efficient and can be implemented in
polynomial time.
REFERENCES
Barth, A. and Mitchell, J. C. (2005). Enterprise privacy
promises and enforcement. In Proceedings of the 2005
workshop on Issues in the theory of security, pages
58–66. ACM.
Calvanese, D., De Giacomo, G., Lembo, D., Lenzerini, M.,
and Rosati, R. (2007). Tractable reasoning and effi-
cient query answering in description logics: The dl-
lite family. J. of Automated Reasoning, 39(3):385–
429.
Halpern, J. Y. and O’Neill, K. R. (2005). Anonymity and
information hiding in multiagent systems. Journal of
Computer Security, 13(3):483–514.
Hemaspaandra, E. (2000). The complexity of poor mans
logic. In STACS 2000, pages 230–241. Springer.
Jafari, M., Fong, P. W., Safavi-Naini, R., Barker, K., and
Sheppard, N. P. (2011). Towards defining semantic
foundations for purpose-based privacy policies. In
Proceedings of the first ACM conference on Data
and application security and privacy, pages 213–224.
ACM.
Kripke, S. A. (1963). Semantical analysis of modal logic
1 normal modal propositional calculi. Mathematical
Logic Quarterly, 9(5-6):67–96.
Krishnasamy Sivaprakasam, G. and Slutzki, G. (2016).
Secrecy-preserving query answering in E LH knowl-
edge bases. In ICAART.
Lutz, C., Sturm, H., Wolter, F., and Zakharyaschev, M.
(2001). Tableaux for temporal description logic with
constant domains. In Automated Reasoning, pages
121–136. Springer.
Tao, J., Slutzki, G., and Honavar, V. (2010). Secrecy-
preserving query answering for instance checking in
EL. In Proceedings of Web Reasoning and Rule Sys-
tems, 195–203.
Tao, J., Slutzki, G., and Honavar, V. (2012). Pspace tableau
algorithms for acyclic modalized ALC. Journal of
Automated Reasoning, 49(4):551–582.
Tao, J., Slutzki, G., and Honavar, V. (2014). A conceptual
framework for secrecy-preserving reasoning in knowl-
edge bases. TOCL, 16(1):3:1–3:32.
Tsukada, Y., Mano, K., Sakurada, H., and Kawabe, Y.
(2009). Anonymity, privacy, onymity, and identity: A
modal logic approach. In Computational Science and
Engineering, 2009. CSE’09. International Conference
on, volume 3, pages 42–51. IEEE.
ICAART 2017 - 9th International Conference on Agents and Artificial Intelligence
598
