Secrecy-Preserving Query Answering in ELH Knowledge Bases
Gopalakrishnan Krishnasamy Sivaprakasam and Giora Slutzki
Department of Computer Science, Iowa State University, Ames, U.S.A.
Keywords:
Knowledge Representation and Reasoning, Ontologies, Privacy and security, Semantic Web.
Abstract:
In this paper we study Secrecy-Preserving Query Answering problem under Open World Assumption (OWA) for $\mathcal{ELH}$ Knowledge Bases (KBs). We employ two tableau procedures designed to compute some consequences of ABox ($\mathcal{A}$) and TBox ($\mathcal{T}$) denoted by $\mathcal{A}^*$ and $\mathcal{T}^*$ respectively. A secrecy set of a querying agent is subset $\mathbb{S}$ of $\mathcal{A}^* \cup \mathcal{T}^*$ which the agent is not allowed to access. An envelope is a superset of the secrecy set which provides logical protection to the secrecy set against the reasoning of the querying agent. Once envelopes are computed, they are used to efficiently answer assertional and GCI queries without compromising the secret information in $\mathbb{S}$. Answering GCI queries while preserving secrecy has not been studied in the current literature. When the querying agent asks a query $q$, the reasoner answers “Yes” if KB $\models q$ and $q$ does not belong to the envelopes; otherwise, the reasoner answers “Unknown”. Being able to answer “Unknown” plays a key role in protecting secrecy under OWA. Since we are not computing all the consequences of the KB, answers to the queries based on just $\mathcal{A}^*$ and $\mathcal{T}^*$ could be erroneous. To fix this problem, we further augment our algorithms to make the query answering procedure foolproof.
1 INTRODUCTION
The explosive growth in online banking activities, social networks, web based travel services and other internet based business and homeland security applications contain massive amounts of private details of users, administrators, service providers and governmental agencies. This contributes, on one hand, to unprecedented levels of information sharing and, on the other hand, to grave concerns about privacy and confidentiality of communication between WWW users. It will be an indispensable aspect of future web based service industry that private information while being shared must remain inviolate. In literature, most of the approaches dealing with “information protection” are based on access control mechanisms. For semantic web applications, the authors of (Kagal et al., 2003) have proposed policy languages to represent obligation and delegation policies based on access control approach. Biskup et al. in (Biskup and Weibert, 2008; Biskup and Tadros, 2012) studied secrecy in incomplete databases using controlled query evaluation (CQE). Since description logics (DLs) underlie web ontology languages (OWLs), recently researchers have shown an interest in studying secrecy-preserving reasoning in DL knowledge bases (KBs). In (Bao et al., 2007; Tao et al., 2010; Tao et al., 2014), the authors have developed a secrecy framework that attempts to satisfy the following competing goals: (a) it protects secret information and (b) queries are answered as informatively as possible (subject to satisfying property (a)). The notion of an envelope to hide secret information against logical inference was first defined and used in (Tao et al., 2010). Further, in (Tao et al., 2014), Tao et al. introduced a more elaborate conceptual framework for secrecy-preserving query answering (SPQA) under Open World Assumption (OWA) with multiple querying agents. This approach is based on OWA and (so far) it has been restricted to instance-checking queries. Specifically, in (Bao et al., 2007; Tao et al., 2010; Tao et al., 2014) the main idea was to utilize the secret information within the reasoning process, but then answering “Unknown” whenever the answer is truly unknown or in case the true answer could compromise confidentiality.
The motivation for this work is that popular ontologies like GALEN, GO and SNOMED can be viewed as KBs defined in languages belonging to the $\mathcal{EL}$ family. In addition, a number of studies were reported in conjunctive query answering, reasoning and classifications in $\mathcal{ELH}$ and its extensions, see (Bienvenu et al., 2013; Delaitre and Kazakov, 2009).
Sivaprakasam, G. and Slutzki, G.
Secrecy-Preserving Query Answering in ELH Knowledge Bases.
DOI: 10.5220/0005709701490159
In Proceedings of the 8th International Conference on Agents and Artificial Intelligence (ICAART 2016) - Volume 2, pages 149-159
ISBN: 978-989-758-172-4
Copyright © 2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
In this paper we extend the work of Tao et al., reported in (Tao et al., 2010), to the $\mathcal{ELH}$ language. In addition to the extension, we make several new contributions. First, we study secrecy in the context of assertions as well as general concept inclusions (GCIs). To the best of our knowledge, secrecy-preserving reasoning for GCIs has not been studied before. As a first step in constructing SPQA system, we design two tableau algorithms to compute finite sets $\mathcal{T}^*$ and then $\mathcal{A}^*$, of consequences of the TBox $\mathcal{T} \cup \mathcal{R}^*$ and the KB $\langle \mathcal{A}, \mathcal{T}^*, \mathcal{R}^* \rangle$ respectively, restricted to individuals and concepts that actually occur in the given KB $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ and an extra “auxiliary” set of concepts defined over the signature of $\Sigma$. The approach to constructing SPQA system presented in this paper is quite different from (Tao et al., 2010). In (Tao et al., 2010), the KB and envelope are expanded with new queries. This makes the subsequent query answering step more and more complicated. In general, the sets of all assertional consequences and GCI consequences of a given $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ may be infinite. By forcing the tableau algorithms to compute the consequences (both assertions and GCIs) of KB restricted to individuals and subconcepts that occur in a given prescribed set, we obtain finite $\mathcal{A}^*$ and $\mathcal{T}^*$ that in fact can be computed efficiently in polynomial time. These sets, once computed, remain fixed and are not modified. The two tableau algorithms are sound and complete under the restrictions stated above, see sections 3.1 and 3.2. Since the sets $\mathcal{A}^*$ and $\mathcal{T}^*$ do not contain all the consequences of the KB, in order to answer user queries we have designed recursive algorithms which break the queries into smaller assertions or GCIs all the way until the information in the sets $\mathcal{A}^*$ and $\mathcal{T}^*$ can be used. In effect, we have split the task of query answering into two parts: in the first part we compute all the consequences of $\Sigma$ restricted to concepts and individuals that occur in $\Sigma$, in the second part we use a recursive algorithm to evaluate more complex queries with the base case that has been computed in the first part.
In more detail, starting from the secrecy sets $\mathbb{S}_{\mathcal{A}}$ (of assertions) and $\mathbb{S}_{\mathcal{T}}$ (of GCIs), we compute finite sets of assertions and GCIs, viz., the envelopes $\mathbb{E}_{\mathcal{A}} \subseteq \mathcal{A}^*$ of $\mathbb{S}_{\mathcal{A}}$ and $\mathbb{E}_{\mathcal{T}} \subseteq \mathcal{T}^*$ of $\mathbb{S}_{\mathcal{T}}$ respectively. These envelopes are computed by two tableau algorithms based on the idea of inverting the expansion rules of two tableau algorithms listed in Figures 1 and 2. The idea behind the envelope concept is that no expression in the envelope can be logically deduced from information outside the envelope. Once such envelopes are computed, the answers to the queries are censored whenever the queries belong to the envelopes. Since, generally, an envelope for a given secrecy set is not unique, the developer can force the algorithm to output a specific envelope from the available choices satisfying the needs of application domain, company policy, social obligations and user preferences.
Next, we discuss query answering procedures which allow us to answer queries without revealing secrets. Usually in SPQA framework queries are answered by checking their membership (a) in $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ if the query is an assertion; and (b) in $\mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$ if the query is a GCI. Since $\mathcal{A}^*$ and $\mathcal{T}^*$ do not contain all the statements entailed by $\Sigma$, we need to extend the query answering procedure from just membership checking. Towards that end we designed two recursive algorithms to answer more complicated assertion and GCI queries. To answer an assertion query $q$, the algorithm first checks if $q \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ in which case the answer is “Yes”; otherwise, the given query is broken into subqueries based on the constructors, and the algorithm is applied recursively on the subqueries, see section 5. This query answering procedure runs in polynomial time in the size of the KB and the query $q$. A similar approach is used to answer GCI queries.
2 SYNTAX AND SEMANTICS
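A vocabulary of $\mathcal{ELH}$ is a triple $\langle N_O, N_C, N_R \rangle$ of countably infinite, pairwise disjoint sets. The elements of $N_O$ are called object (or individual) names, the elements of $N_C$ are called concept names and the elements of $N_R$ are called role names. The set of $\mathcal{ELH}$ concepts is denoted by $\mathcal{C}$ and is defined by the following rules
$$C ::= A \mid \top \mid C \sqcap D \mid \exists r.C$$
where $A \in N_C$, $r \in N_R$, $\top$ denotes the “top concept”, and $C, D \in \mathcal{C}$. Assertions are expressions of the form $C(a)$ or $r(a, b)$, general concept inclusions (GCIs) are expressions of the form $C \sqsubseteq D$ and role inclusions are expressions of the form $r \sqsubseteq s$ where $C, D \in \mathcal{C}$, $r, s \in N_R$ and $a, b \in N_O$. The semantics of $\mathcal{ELH}$ concepts is specified, as usual, by an interpretation $\mathcal{I} = \langle \Delta, \cdot^{\mathcal{I}} \rangle$ where $\Delta$ is the domain of the interpretation, and $\cdot^{\mathcal{I}}$ is an interpretation function mapping each $a \in N_O$ to an element $a^{\mathcal{I}} \in \Delta$, each $A \in N_C$ to a subset $A^{\mathcal{I}} \subseteq \Delta$, and each $r \in N_R$ to a binary relation $r^{\mathcal{I}} \subseteq \Delta \times \Delta$. The interpretation function $\cdot^{\mathcal{I}}$ is extended inductively to all $\mathcal{ELH}$ concepts in the usual manner:
$$\top^{\mathcal{I}} = \Delta; \quad (C \sqcap D)^{\mathcal{I}} = C^{\mathcal{I}} \cap D^{\mathcal{I}}; \quad (\exists r.C)^{\mathcal{I}} = \{d \in \Delta \mid \exists e \in C^{\mathcal{I}} : (d, e) \in r^{\mathcal{I}}\}.$$
An ABox $\mathcal{A}$ is a finite, non-empty set of assertions. A TBox $\mathcal{T}$ is a finite set of GCIs and an RBox $\mathcal{R}$ is a finite set of role inclusions. An $\mathcal{ELH}$ KB is a triple $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ where $\mathcal{A}$ is an ABox, $\mathcal{T}$ is a TBox and $\mathcal{R}$ is an RBox. Let $\mathcal{I} = \langle \Delta, \cdot^{\mathcal{I}} \rangle$ be an interpretation, $C, D \in \mathcal{C}$, $r, s \in N_R$ and $a, b \in N_O$. We say that $\mathcal{I}$ satisfies $C(a)$, $r(a, b)$, $C \sqsubseteq D$ or $r \sqsubseteq s$, notation $\mathcal{I} \models C(a)$, $\mathcal{I} \models r(a, b)$, $\mathcal{I} \models C \sqsubseteq D$ or $\mathcal{I} \models r \sqsubseteq s$ if, respectively, $a^{\mathcal{I}} \in C^{\mathcal{I}}$, $(a^{\mathcal{I}}, b^{\mathcal{I}}) \in r^{\mathcal{I}}$, $C^{\mathcal{I}} \subseteq D^{\mathcal{I}}$ or $r^{\mathcal{I}} \subseteq s^{\mathcal{I}}$. $\mathcal{I}$ is a model of $\Sigma$, notation $\mathcal{I} \models \Sigma$, if $\mathcal{I}$ satisfies all the assertions in $\mathcal{A}$, all the GCIs in $\mathcal{T}$ and all the role inclusions in $\mathcal{R}$. Let $\alpha$ be an assertion, a GCI or a role inclusion. We say that $\Sigma$ entails $\alpha$, notation $\Sigma \models \alpha$, if all models of $\Sigma$ satisfy $\alpha$.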
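3 COMPUTATION OF $\mathcal{A}^*$ AND $\mathcal{T}^*$
Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an $\mathcal{ELH}$ KB. In this section, we give two tableau algorithms that compute $\mathcal{A}^*$, a set of assertional consequence of $\Sigma$, and $\mathcal{T}^*$ a set of GCI consequences of $\Sigma$, both restricted to concepts that occur in $\Sigma$. We assume that all RBoxes are acyclic. Before computing $\mathcal{T}^*$ and $\mathcal{A}^*$, we compute $\mathcal{R}^*$, the union of $\mathcal{R}^+$, the transitive closure of $\mathcal{R}$ with respect to role inclusion, and the set $\{r \sqsubseteq r \mid r \text{ occurs in } \Sigma\}$. As an example, consider a KB $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ where ABox $\mathcal{A} = \{A(a), \exists m.B(c)\}$, TBox $\mathcal{T} = \{A \sqsubseteq \exists n.D\}$ and RBox $\mathcal{R} = \{r \sqsubseteq s, p \sqsubseteq q, u \sqsubseteq v, s \sqsubseteq u\}$. Then, $\mathcal{R}^* = \mathcal{R} \cup \{s \sqsubseteq v, r \sqsubseteq u, r \sqsubseteq v\} \cup \{m \sqsubseteq m, n \sqsubseteq n, r \sqsubseteq r, s \sqsubseteq s, p \sqsubseteq p, q \sqsubseteq q, u \sqsubseteq u, v \sqsubseteq v\}$. $\mathcal{R}^*$ is easily computed in polynomial time and we omit the details.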
3.1 Computation of $\mathcal{T}^*$
Denote by $N_\Sigma$ the set of all concept names and role names occurring in $\Sigma$ and let $\mathcal{S}$ be a finite set of concepts over the symbol set $N_\Sigma$. Let $\mathcal{C}_{\Sigma,\mathcal{S}}$ be the set of all subconcepts of concepts that occur in either $\mathcal{S}$ or $\Sigma$. Given $\Sigma$ and $\mathcal{C}_{\Sigma,\mathcal{S}}$, we describe a procedure that computes $\mathcal{T}^*$, a set of GCI consequences of the given KB $\Sigma$ (restricted to concepts in $\mathcal{C}_{\Sigma,\mathcal{S}}$). That is, $\mathcal{T}^* = \{C \sqsubseteq D \mid C, D \in \mathcal{C}_{\Sigma,\mathcal{S}} \text{ and } \Sigma \models C \sqsubseteq D\}$. This procedure is similar to the calculus presented in (Kazakov et al., 2014) (designed for $\mathcal{EL}^+$).
Let $AX_{\mathcal{T}} = \{C \sqsubseteq C, C \sqsubseteq \top, \top \sqsubseteq \top \mid C \in \mathcal{C}_{\Sigma,\mathcal{S}}\}$. $\mathcal{T}^*$ is initialized as $AX_{\mathcal{T}}$ and then expanded by exhaustively applying expansion rules listed in Figure 1. The $\mathcal{T}_{\sqsubseteq}$-rule derives a GCI based on transitivity of subsumption. The $\mathcal{T}_{\sqcap}$-rule derives new GCIs by decomposing conjunction concepts into its two conjuncts. The $\mathcal{T}^{+}_{\sqcap}$-rule is just the “opposite” of the $\mathcal{T}_{\sqcap}$-rule. Finally, the $\mathcal{T}^{+}_{H}$-rule derives GCIs based on concept and role inclusions.
A TBox is completed if no expansion rule in Figure 1 is applicable to it. We denote by $\Lambda_{\mathcal{T}}$ the algorithm which, given $\Sigma$, $\mathcal{C}_{\Sigma,\mathcal{S}}$ and $\mathcal{R}^*$, non-deterministically applies expansion rules in Figure 1 until no further applications are possible. Since $\Lambda_{\mathcal{T}}$ has been restricted to derive GCIs whose left and right hand side concept expressions occur in $\mathcal{C}_{\Sigma,\mathcal{S}}$, the size of the $\mathcal{T}^*$ is at most a polynomial in the size of its input. Hence, the running time of $\Lambda_{\mathcal{T}}$ is polynomial in $|\Sigma| + |\mathcal{C}_{\Sigma,\mathcal{S}}|$. The correctness of $\Lambda_{\mathcal{T}}$ can be shown by proving soundness and completeness of $\Lambda_{\mathcal{T}}$. The soundness proof is obvious.
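- $\mathcal{T}_{\sqsubseteq}$-rule: if $C \sqsubseteq D \in \mathcal{T}^*$, $D \sqsubseteq E \in \mathcal{T}^*$ and $C \sqsubseteq E \notin \mathcal{T}^*$, then $\mathcal{T}^* := \mathcal{T}^* \cup \{C \sqsubseteq E\}$;
- $\mathcal{T}_{\sqcap}$-rule: if $C \sqsubseteq D \sqcap E \in \mathcal{T}^*$, and $C \sqsubseteq D \notin \mathcal{T}^*$ or $C \sqsubseteq E \notin \mathcal{T}^*$, then $\mathcal{T}^* := \mathcal{T}^* \cup \{C \sqsubseteq D, C \sqsubseteq E\}$;
- $\mathcal{T}^{+}_{\sqcap}$-rule: if $C \sqsubseteq D, C \sqsubseteq E \in \mathcal{T}^*$, $D \sqcap E \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $C \sqsubseteq D \sqcap E \notin \mathcal{T}^*$, then $\mathcal{T}^* := \mathcal{T}^* \cup \{C \sqsubseteq D \sqcap E\}$;
- $\mathcal{T}^{+}_{H}$-rule: if $C \sqsubseteq \exists r.D, D \sqsubseteq E \in \mathcal{T}^*$, $r \sqsubseteq s \in \mathcal{R}^*$, $\exists s.E \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $C \sqsubseteq \exists s.E \notin \mathcal{T}^*$, then $\mathcal{T}^* := \mathcal{T}^* \cup \{C \sqsubseteq \exists s.E\}$.
Figure 1: TBox Tableau expansion rules.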
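Example 1. Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an $\mathcal{ELH}$ KB, where $\mathcal{A} = \{C(a), r(b, a), \exists u.A(d)\}$, $\mathcal{T} = \{A \sqsubseteq B, C \sqsubseteq D \sqcap E, F \sqsubseteq \exists u.B\}$ and $\mathcal{R} = \{u \sqsubseteq v\}$. Then, $\mathcal{R}^* = \{r \sqsubseteq r, u \sqsubseteq u, v \sqsubseteq v, u \sqsubseteq v\}$. Thus, applying rules in Figure 1 to $\mathcal{T}$, we get $\{\top \sqsubseteq \top, A \sqsubseteq \top, C \sqsubseteq C, \exists u.A \sqsubseteq \exists u.A, \exists u.A \sqsubseteq \exists u.B, C \sqsubseteq D, C \sqsubseteq D \sqcap E\} \subseteq \mathcal{T}^*$.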
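To prove the completeness of $\Lambda_{\mathcal{T}}$, we define the canonical interpretation $\mathcal{J} = \langle \Delta, \cdot^{\mathcal{J}} \rangle$ for a completed TBox $\mathcal{T}^*$ and an RBox $\mathcal{R}^*$ as follows:
$\Delta = \{w_C \mid C \in \mathcal{C}_{\Sigma,\mathcal{S}}\}$;
$\top^{\mathcal{J}} = \Delta$;
for $A \in N_C$, $A^{\mathcal{J}} = \{w_C \mid C \sqsubseteq A \in \mathcal{T}^*\}$;
for $r \in N_R$, $r^{\mathcal{J}} = \{(w_C, w_D) \mid C \sqsubseteq \exists r.D \in \mathcal{T}^*\} \cup \bigcup_{u \sqsubseteq r \in \mathcal{R}^*} u^{\mathcal{J}}$.
The interpretation function $\cdot^{\mathcal{J}}$ is extended to concept expressions as usual. To prove that $\mathcal{J}$ is a model of $\mathcal{T}^*$, we need the following definition and technical lemma.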
Definition 1. Let $\mathcal{J}$ be the canonical interpretation and $u$ a role name that occurs in $\Sigma$. $u$ is said to be minimal with respect to $(w_G, w_H) \in \Delta \times \Delta$ if
1) $(w_G, w_H) \in u^{\mathcal{J}}$ and
2) there is no $v$ that occurs in $\mathcal{R}$ such that $v \neq u$, $(w_G, w_H) \in v^{\mathcal{J}}$ and $v \sqsubseteq u \in \mathcal{R}^*$.
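Lemma 1. Let $B, C \in \mathcal{C}_{\Sigma,\mathcal{S}}$. Then,
(a) $w_C \in C^{\mathcal{J}}$.
(b) $w_C \in B^{\mathcal{J}}$ if and only if $C \sqsubseteq B \in \mathcal{T}^*$.
Proof. (a) By induction on the structure of $C$.
- $C = A \in N_C$ or $C = \top$, the claim follows from the definition of $\mathcal{J}$.
- $C = D \sqcap E$. Then, $D \sqcap E \sqsubseteq D \sqcap E \in \mathcal{T}^*$ and by the $\mathcal{T}_{\sqcap}$-rule, we have $D \sqcap E \sqsubseteq D, D \sqcap E \sqsubseteq E \in \mathcal{T}^*$, whence $w_{D \sqcap E} \in D^{\mathcal{J}}$ and $w_{D \sqcap E} \in E^{\mathcal{J}}$, by inductive hypothesis. By the semantics of $\sqcap$, $w_{D \sqcap E} \in D^{\mathcal{J}} \cap E^{\mathcal{J}} = (D \sqcap E)^{\mathcal{J}}$.
- $C = \exists r.D$. Then, $\exists r.D \sqsubseteq \exists r.D \in \mathcal{T}^*$ and by the definition of $\mathcal{J}$, $(w_{\exists r.D}, w_D) \in r^{\mathcal{J}}$; also, by the inductive hypothesis, $w_D \in D^{\mathcal{J}}$. By the semantics of $\exists$, $w_{\exists r.D} \in (\exists r.D)^{\mathcal{J}}$.
(b) ($\Leftarrow$) By induction on the structure of $B$.
- $B \in N_C$. Then, $C \sqsubseteq B \in \mathcal{T}^*$ whence $w_C \in B^{\mathcal{J}}$, by the definition of $\mathcal{J}$.
- $B = \top$, the claim follows from the definition of $\mathcal{J}$.
- $B = D \sqcap E$. Then, $C \sqsubseteq D \sqcap E \in \mathcal{T}^*$. By the $\mathcal{T}_{\sqcap}$-rule, $C \sqsubseteq D, C \sqsubseteq E \in \mathcal{T}^*$, which implies $w_C \in D^{\mathcal{J}}$ and $w_C \in E^{\mathcal{J}}$ by the inductive hypothesis, whence $w_C \in (D \sqcap E)^{\mathcal{J}} = B^{\mathcal{J}}$, by the semantics of $\sqcap$.
- $B = \exists r.D$. We assume $C \sqsubseteq \exists r.D \in \mathcal{T}^*$. Since $C, D \in \mathcal{C}_{\Sigma,\mathcal{S}}$, we have $w_C, w_D \in \Delta$. By the definition of $\mathcal{J}$, $(w_C, w_D) \in r^{\mathcal{J}}$. By part (a), $w_D \in D^{\mathcal{J}}$, hence $w_C \in (\exists r.D)^{\mathcal{J}} = B^{\mathcal{J}}$, by the semantics of $\exists$.
($\Rightarrow$) By induction on the structure of $B$.
- When $B \in N_C$, the claim follows from the definition of $\mathcal{J}$.
- $B = \top$, the claim follows from the definition of $AX_{\mathcal{T}}$.
- $B = D \sqcap E$. Then, $w_C \in (D \sqcap E)^{\mathcal{J}} \Rightarrow w_C \in D^{\mathcal{J}}$ and $w_C \in E^{\mathcal{J}} \Rightarrow C \sqsubseteq D, C \sqsubseteq E \in \mathcal{T}^*$, by inductive hypothesis. Since $D \sqcap E$ occurs in $\mathcal{C}_{\Sigma,\mathcal{S}}$, by the $\mathcal{T}^{+}_{\sqcap}$-rule, we have $C \sqsubseteq D \sqcap E \in \mathcal{T}^*$, that is, $C \sqsubseteq B \in \mathcal{T}^*$.
- $B = \exists r.D$. Then, $w_C \in (\exists r.D)^{\mathcal{J}} \Rightarrow$ there is an element $w_E \in \Delta$ such that $(w_C, w_E) \in r^{\mathcal{J}}$, $w_E \in D^{\mathcal{J}}$. By inductive hypothesis, $E \sqsubseteq D \in \mathcal{T}^*$. Now, we have two subcases depending on a “manner” in which $(w_C, w_E)$ entered $r^{\mathcal{J}}$.
  - If $r$ is minimal with respect to $(w_C, w_E)$, then, by the definition of $\mathcal{J}$ and Definition 1, $C \sqsubseteq \exists r.E \in \mathcal{T}^*$. Since $r \sqsubseteq r \in \mathcal{R}^*$, by the $\mathcal{T}^{+}_{H}$-rule, we have $C \sqsubseteq \exists r.D \in \mathcal{T}^*$. Hence, $C \sqsubseteq B \in \mathcal{T}^*$.
  - If $r$ is not minimal, then $(w_C, w_E) \in u^{\mathcal{J}}$, $u \neq r$ and $u \sqsubseteq r \in \mathcal{R}^*$ for some $u$ that occurs in $\mathcal{R}$. If $u$ is minimal with respect to $(w_C, w_E)$, then by previous case $C \sqsubseteq \exists u.E \in \mathcal{T}^*$ and by the $\mathcal{T}^{+}_{H}$-rule, we have $C \sqsubseteq \exists r.D \in \mathcal{T}^*$. Hence, $C \sqsubseteq B \in \mathcal{T}^*$. If $u$ is not minimal with respect to $(w_C, w_E)$, since RBox $\mathcal{R}$ is acyclic, there exists a chain $v \sqsubseteq v_1 \sqsubseteq v_2 \sqsubseteq \dots \sqsubseteq v_k \sqsubseteq u$ in $\mathcal{R}$ such that $v$ is minimal with respect to $(w_C, w_E)$. Since $\mathcal{R}^*$ is the transitive closure of $\mathcal{R}$, $v \sqsubseteq r \in \mathcal{R}^*$. Again by the previous case, $C \sqsubseteq \exists v.E \in \mathcal{T}^*$. By the $\mathcal{T}^{+}_{H}$-rule, we have $C \sqsubseteq \exists r.D \in \mathcal{T}^*$. Hence, $C \sqsubseteq B \in \mathcal{T}^*$.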
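The following lemma claims that $\mathcal{J}$ satisfies $\mathcal{T}^*$ and $\mathcal{R}^*$. The proof is a consequence of Lemma 1.
Lemma 2. $\mathcal{J} \models \mathcal{T}^* \cup \mathcal{R}^*$.
The completeness of $\Lambda_{\mathcal{T}}$ now follows by an easy argument.
Theorem 1. Let $\Sigma$ be an $\mathcal{ELH}$ KB and let $\mathcal{T}^*$ be the completed TBox. For any $C, D \in \mathcal{C}_{\Sigma,\mathcal{S}}$, if $\Sigma \models C \sqsubseteq D$ then $C \sqsubseteq D \in \mathcal{T}^*$.
Proof. Suppose $C \sqsubseteq D \notin \mathcal{T}^*$, i.e., by part (b) of Lemma 1, $w_C \notin D^{\mathcal{J}}$. On the other hand by part (a) of Lemma 1, $w_C \in C^{\mathcal{J}}$ and this implies that $\mathcal{J} \not\models C \sqsubseteq D$. Since by Lemma 2, $\mathcal{J} \models \mathcal{T}^*$, and since $\mathcal{T} \subseteq \mathcal{T}^*$, we obtain $\Sigma \not\models C \sqsubseteq D$.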
3.2 Computation of $\mathcal{A}^*$
Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an $\mathcal{ELH}$ KB, $\mathcal{R}^*$ be defined as at the beginning of this section and $\mathcal{T}^*$ be the completed TBox as computed in Section 3.1. Also, let $O_\Sigma$ be the set of individual names that occur in $\Sigma$ and define $AX_{\mathcal{A}} = \{\top(a) \mid a \in O_\Sigma\}$.
We outline the procedure that computes $\mathcal{A}^*$, the set of assertional consequences of $\Sigma^*$ where $\Sigma^* = \langle \mathcal{A}, \mathcal{T}^*, \mathcal{R}^* \rangle$, restricted to the concepts and role names that occur in $\mathcal{C}_{\Sigma,\mathcal{S}}$ and $\Sigma$ respectively. That is
$$\mathcal{A}^* = \{C(a) \mid C \in \mathcal{C}_{\Sigma,\mathcal{S}} \text{ and } \Sigma^* \models C(a)\} \cup \{r(a, b) \mid r \text{ occurs in } \Sigma \text{ and } \Sigma^* \models r(a, b)\}.$$
$\mathcal{A}^*$ is initialized as $\mathcal{A} \cup AX_{\mathcal{A}}$ and is expanded by exhaustively applying rules listed in Figure 2. The $\mathcal{A}_{\sqcap}$-rule decomposes conjunctions, and the $\mathcal{A}_{\sqsubseteq}$-rule derives assertions based on the GCIs present in $\mathcal{T}^*$. To build new concept assertions whose concept expressions already occur in $\mathcal{C}_{\Sigma,\mathcal{S}}$, we use the $\mathcal{A}^{+}_{\sqcap}$ and $\mathcal{A}^{+}_{\exists}$-rules. Similarly, the $\mathcal{A}^{+}_{H}$-rule derives concept assertions based on role inclusions. It is important to note that this procedure does not introduce any fresh individual names into $\mathcal{A}^*$. Thus some assertions of the form $\exists r.C(a)$ may not have “syntactic witnesses”. Finally, the $\mathcal{A}_{H}$-rule derives role assertions based on role inclusions.
An ABox is completed if no expansion rule in Figure 2 is applicable to it. We denote by $\Lambda_{\mathcal{A}}$ the algorithm which, given $\mathcal{A}$, $\mathcal{R}^*$, $\mathcal{T}^*$ and $\mathcal{C}_{\Sigma,\mathcal{S}}$, non-deterministically applies expansion rules in Figure 2 until no further applications are possible. Since $\Lambda_{\mathcal{A}}$ derives only assertions involving concept expressions that occur in $\mathcal{C}_{\Sigma,\mathcal{S}}$, it is easy to see that the running time of $\Lambda_{\mathcal{A}}$ is polynomial in $|\Sigma| + |\mathcal{C}_{\Sigma,\mathcal{S}}|$.
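- $\mathcal{A}_{\sqcap}$-rule: if $C \sqcap D(a) \in \mathcal{A}^*$, and $C(a) \notin \mathcal{A}^*$ or $D(a) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{C(a), D(a)\}$;
- $\mathcal{A}^{+}_{\sqcap}$-rule: if $C(a), D(a) \in \mathcal{A}^*$, $C \sqcap D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $C \sqcap D(a) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{C \sqcap D(a)\}$;
- $\mathcal{A}^{+}_{\exists}$-rule: if $r(a, b), C(b) \in \mathcal{A}^*$, $\exists r.C \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\exists r.C(a) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{\exists r.C(a)\}$;
- $\mathcal{A}_{\sqsubseteq}$-rule: if $C(a) \in \mathcal{A}^*$, $C \sqsubseteq D \in \mathcal{T}^*$, and $D(a) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{D(a)\}$;
- $\mathcal{A}^{+}_{H}$-rule: if $\exists r.C(a) \in \mathcal{A}^*$, $r \sqsubseteq s \in \mathcal{R}^*$, $C \sqsubseteq D \in \mathcal{T}^*$, $\exists s.D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\exists s.D(a) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{\exists s.D(a)\}$;
- $\mathcal{A}_{H}$-rule: if $r(a, b) \in \mathcal{A}^*$, $r \sqsubseteq s \in \mathcal{R}^*$, and $s(a, b) \notin \mathcal{A}^*$, then $\mathcal{A}^* := \mathcal{A}^* \cup \{s(a, b)\}$.
Figure 2: ABox Tableau expansion rules.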
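Example 2. (Example 1 cont.) Recall that $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ is the given $\mathcal{ELH}$ KB, $\mathcal{R}^*$ the computed RBox and $\mathcal{T}^*$ the completed TBox. Then, by applying rules in Figure 2 to $\mathcal{A}$ and using $\mathcal{T}^*$ and $\mathcal{R}^*$ we get,
$$\mathcal{A}^* = \{\top(a), \top(b), \top(d), \exists u.A(d), \exists u.B(d), C(a), r(b, a), D(a), E(a), D \sqcap E(a)\}.$$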
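The correctness of $\Lambda_{\mathcal{A}}$ can be shown by proving its soundness and completeness. The soundness is obvious. To prove the completeness of $\Lambda_{\mathcal{A}}$, we first define the canonical interpretation $\mathcal{K} = \langle \Delta, \cdot^{\mathcal{K}} \rangle$ for a completed ABox $\mathcal{A}^*$. The definition of $\mathcal{K}$ is similar to the definition of canonical model $\mathcal{I}_{\mathcal{K}}$ presented in (Lutz et al., 2008). Define the witness set, $W = \{w_C \mid C \in \mathcal{C}_{\Sigma,\mathcal{S}}\}$.
$\Delta = O_\Sigma \cup W$;
$a^{\mathcal{K}} = a$, where $a \in O_\Sigma$;
$\top^{\mathcal{K}} = \Delta$;
for each $A \in N_C$, $A^{\mathcal{K}} = \{a \in O_\Sigma \mid A(a) \in \mathcal{A}^*\} \cup \{w_C \in W \mid C \sqsubseteq A \in \mathcal{T}^*\}$;
for each $r \in N_R$, $r^{\mathcal{K}} = \{(a, b) \in O_\Sigma \times O_\Sigma \mid r(a, b) \in \mathcal{A}^*\} \cup \{(a, w_C) \in O_\Sigma \times W \mid \exists r.C(a) \in \mathcal{A}^*\} \cup \{(w_C, w_D) \in W \times W \mid C \sqsubseteq \exists r.D \in \mathcal{T}^*\} \cup \bigcup \{u^{\mathcal{K}} \mid u \sqsubseteq r \in \mathcal{R}^*\}$.
$\mathcal{K}$ is extended to compound concepts in the usual way. We argue that $\mathcal{K}$ is a model of $\mathcal{A}^*$, $\mathcal{T}^*$ and $\mathcal{R}^*$.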
Lemma 3. Let $a, b \in O_\Sigma$ and suppose that the role name $r$ occurs in $\Sigma$. If $(a, b) \in r^{\mathcal{K}}$, then $r(a, b) \in \mathcal{A}^*$.
Proof. Assume the hypotheses. We prove the claim by induction on how $r(a, b)$ has been generated by $\Lambda_{\mathcal{A}}$. The base case, when $r(a, b) \in \mathcal{A}$, is trivial. Let $(a, b) \in u^{\mathcal{K}}$ with $u \sqsubseteq r \in \mathcal{R}^*$. Then by induction hypothesis, $u(a, b) \in \mathcal{A}^*$ and by applying the $\mathcal{A}_{H}$-rule, we have $r(a, b) \in \mathcal{A}^*$.
We state the following lemma whose proof is similar to the proof of Lemma 1.
Lemma 4. Let $B, C \in \mathcal{C}_{\Sigma,\mathcal{S}}$. Then,
(a) $w_C \in C^{\mathcal{K}}$.
(b) $w_C \in B^{\mathcal{K}}$ if and only if $C \sqsubseteq B \in \mathcal{T}^*$.
The following definition is similar to Definition 1, but is based on the canonical interpretation of the ABox $\mathcal{A}^*$.
Definition 2. Let $\mathcal{K}$ be the canonical interpretation, and $u$ a role name that occurs in $\Sigma$. $u$ is said to be minimal with respect to $(a, b)$ if
1) $(a, b) \in u^{\mathcal{K}}$ and
2) there is no role name $v$ that occurs in $\mathcal{R}$ such that $v \neq u$, $(a, b) \in v^{\mathcal{K}}$ and $v \sqsubseteq u \in \mathcal{R}^*$.
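Lemma 5. Let $a \in O_\Sigma$ and $B \in \mathcal{C}_{\Sigma,\mathcal{S}}$. If $a \in B^{\mathcal{K}}$, then $B(a) \in \mathcal{A}^*$.
Proof. By induction on the structure of $B$.
- When $B \in N_C$, the claim follows directly from the definition of $\mathcal{K}$.
- When $B = \top$, the claim follows from the definition of $AX_{\mathcal{A}}$.
- $B = C \sqcap D$. Then, $a \in (C \sqcap D)^{\mathcal{K}} \Rightarrow a \in C^{\mathcal{K}}$ and $a \in D^{\mathcal{K}} \Rightarrow C(a), D(a) \in \mathcal{A}^*$, by inductive hypothesis. Since $C \sqcap D$ occurs in $\mathcal{C}_{\Sigma,\mathcal{S}}$, by the $\mathcal{A}^{+}_{\sqcap}$-rule, we have $C \sqcap D(a) = B(a) \in \mathcal{A}^*$.
- $B = \exists r.C$. Then, $a \in (\exists r.C)^{\mathcal{K}}$ implies that there is an element $b \in \Delta$ such that $(a, b) \in r^{\mathcal{K}}$ and $b \in C^{\mathcal{K}}$. There are two cases.
  - $b \in O_\Sigma$. Since $r$ occurs in $\Sigma$ and $C$ occurs in $\mathcal{C}_{\Sigma,\mathcal{S}}$, by Lemma 3, we have $r(a, b) \in \mathcal{A}^*$ and by the inductive hypothesis, $C(b) \in \mathcal{A}^*$. Since $\exists r.C$ occurs in $\mathcal{C}_{\Sigma,\mathcal{S}}$, by the $\mathcal{A}^{+}_{\exists}$-rule, we have $\exists r.C(a) = B(a) \in \mathcal{A}^*$.
  - $b = w_D \in W$ for some $D \in \mathcal{C}_{\Sigma,\mathcal{S}}$. Then, we have $(a, w_D) \in r^{\mathcal{K}}$ and $w_D \in C^{\mathcal{K}}$. By part (b) of Lemma 1, $D \sqsubseteq C \in \mathcal{T}^*$. Now, we have two subcases depending on a manner in which $(a, w_D)$ entered $r^{\mathcal{K}}$.
    - If $r$ is minimal with respect to $(a, w_D)$, then, by the definition of $\mathcal{K}$ and Definition 2, $\exists r.D(a) \in \mathcal{A}^*$. Since $r \sqsubseteq r \in \mathcal{R}^*$, by the $\mathcal{A}^{+}_{H}$-rule, we have $\exists r.C(a) \in \mathcal{A}^*$, i.e., $B(a) \in \mathcal{A}^*$.
    - If $r$ is not minimal, then $(a, w_D) \in u^{\mathcal{K}}$, $u \neq r$ and $u \sqsubseteq r \in \mathcal{R}^*$ for some $u$ that occurs in $\mathcal{R}$. If $u$ is minimal with respect to $(a, w_D)$, then by previous case $\exists u.D(a) \in \mathcal{A}^*$. By the $\mathcal{A}^{+}_{H}$-rule, we have $\exists r.C(a) \in \mathcal{A}^*$. Hence, $B(a) \in \mathcal{A}^*$. If $u$ is not minimal with respect to $(a, w_D)$, since RBox $\mathcal{R}$ is acyclic, there exists a chain $v \sqsubseteq v_1 \sqsubseteq v_2 \sqsubseteq \dots \sqsubseteq v_k \sqsubseteq u$ in $\mathcal{R}$ such that $v$ is minimal with respect to $(a, w_E)$. Since $\mathcal{R}^*$ is the transitive closure of $\mathcal{R}$, $v \sqsubseteq r \in \mathcal{R}^*$. Again by the previous case, $\exists v.D(a) \in \mathcal{A}^*$. By the $\mathcal{A}^{+}_{H}$-rule, we have $\exists r.C(a) \in \mathcal{A}^*$, i.e., $B(a) \in \mathcal{A}^*$.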
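The next lemma is, roughly, the inverse of Lemma 5 and its proof is omitted.
Lemma 6. If $B(a) \in \mathcal{A}^*$, then $a \in B^{\mathcal{K}}$.
In the following we prove that $\mathcal{K}$ satisfies $\mathcal{A}^*$, $\mathcal{T}^*$ and $\mathcal{R}^*$.
Lemma 7. $\mathcal{K} \models \mathcal{A}^* \cup \mathcal{T}^* \cup \mathcal{R}^*$.
Proof. It follows immediately from the definition of $\mathcal{K}$ that $\mathcal{K} \models \mathcal{R}^*$. Next, we show that $\mathcal{K}$ satisfies $\mathcal{A}^*$. Let $C(a) \in \mathcal{A}^*$; then, by Lemma 6, $a \in C^{\mathcal{K}}$, i.e., $\mathcal{K} \models C(a)$. For $r(a, b) \in \mathcal{A}^*$, $\mathcal{K} \models r(a, b)$, by the definition of $\mathcal{K}$. Hence $\mathcal{K} \models \mathcal{A}^*$.
Now, we show that $\mathcal{K}$ satisfies $\mathcal{T}^*$. Let $F \sqsubseteq G \in \mathcal{T}^*$ and $a \in F^{\mathcal{K}}$. We have two cases.
- $a \in O_\Sigma$. Then, by Lemma 5, $F(a) \in \mathcal{A}^*$. Since $\mathcal{A}^*$ is completed, by the $\mathcal{A}_{\sqsubseteq}$-rule, we get $G(a) \in \mathcal{A}^*$. By Lemma 6, $a \in G^{\mathcal{K}}$. Hence, $\mathcal{K} \models F \sqsubseteq G$.
- $a = w_C \in W$ for some $C \in \mathcal{C}_{\Sigma,\mathcal{S}}$. This implies, by the definition of $\mathcal{K}$, that $C \sqsubseteq F \in \mathcal{T}^*$. Since $\mathcal{T}^*$ is completed, we have $C \sqsubseteq G \in \mathcal{T}^*$. Again by the definition of $\mathcal{K}$, $a \in G^{\mathcal{K}}$ which implies $\mathcal{K} \models F \sqsubseteq G$.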
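We are ready to prove the completeness of $\Lambda_{\mathcal{A}}$.
Theorem 2. Let $\Sigma^* = \langle \mathcal{A}, \mathcal{T}^*, \mathcal{R}^* \rangle$ be an $\mathcal{ELH}$ KB as defined in section 3.2 and $\mathcal{A}^*$ the completed ABox. Suppose that $B \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $r$ occurs in $\Sigma$. Then, for any $a, b \in O_\Sigma$,
- $\Sigma^* \models B(a) \Rightarrow B(a) \in \mathcal{A}^*$.
- $\Sigma^* \models r(a, b) \Rightarrow r(a, b) \in \mathcal{A}^*$.
Proof. Since $\mathcal{A} \subseteq \mathcal{A}^*$, by Lemma 7, we have $\mathcal{K} \models \Sigma^*$. We show that $\mathcal{K} \not\models B(a)$ and $\mathcal{K} \not\models r(a, b)$. Assume that $B(a) \notin \mathcal{A}^*$. Then, $a \notin B^{\mathcal{K}}$ by Lemma 5 and hence $\mathcal{K} \not\models B(a)$. Now, assume that $r(a, b) \notin \mathcal{A}^*$. Then, $(a, b) \notin r^{\mathcal{K}}$ by Lemma 3 and hence $\mathcal{K} \not\models r(a, b)$.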
4 SECRECY-PRESERVING REASONING
Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an $\mathcal{ELH}$ KB. Also let $\mathbb{S}_{\mathcal{A}} \subseteq \mathcal{A}^* \setminus AX_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}} \subseteq \mathcal{T}^* \setminus AX_{\mathcal{T}}$ be the “secrecy sets”. Given $\Sigma$, $\mathbb{S}_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}}$, the objective is to answer assertion or GCI queries while preserving secrecy. Our approach is to compute two sets $\mathbb{E}_{\mathcal{A}}$ and $\mathbb{E}_{\mathcal{T}}$, where $\mathbb{S}_{\mathcal{A}} \subseteq \mathbb{E}_{\mathcal{A}} \subseteq \mathcal{A}^* \setminus AX_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}} \subseteq \mathbb{E}_{\mathcal{T}} \subseteq \mathcal{T}^* \setminus AX_{\mathcal{T}}$, called the secrecy envelopes for $\mathbb{S}_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}}$ respectively, so that protecting $\mathbb{E}_{\mathcal{A}}$ and $\mathbb{E}_{\mathcal{T}}$, the querying agent cannot logically infer any assertion in $\mathbb{S}_{\mathcal{A}}$ and any GCI in $\mathbb{S}_{\mathcal{T}}$, see (Tao et al., 2010) where the DL language is just $\mathcal{EL}$ and secrecy is restricted to membership assertions. Similarly, (Tao et al., 2014) presents a general framework for secrecy preserving reasoning. The role of OWA in answering the queries is the following: When answering a query with “Unknown”, the querying agent should not be able to distinguish between the case that the answer to the query is truly unknown to the KB reasoner and the case that the answer is being protected for reasons of secrecy. We envision a situation in which once the ABox $\mathcal{A}^*$ and TBox $\mathcal{T}^*$ are computed, a reasoner $R$ is associated with it. $R$ is designed to answer queries as follows: If a query cannot be inferred from $\Sigma$, the answer is “Unknown”. If it can be inferred and it is not in $\mathbb{E}_{\mathcal{A}} \cup \mathbb{E}_{\mathcal{T}}$, the answer is “Yes”; otherwise, the answer is “Unknown”. Note that since the syntax of $\mathcal{ELH}$ does not include negation, an $\mathcal{ELH}$ KB cannot entail a negative query.
We make the following assumptions about the capabilities of the querying agent:
(a) does not have direct access to the KB $\Sigma$, but is aware of the underlying vocabulary,
(b) can ask queries in the form of assertions or GCIs, and
(c) cannot ask queries in the form of role inclusions.
We formally define the notion of an envelope in the following.
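Definition 3. Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an $\mathcal{ELH}$ KB, and let $\mathbb{S}_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}}$ be two finite secrecy sets. The secrecy envelopes $\mathbb{E}_{\mathcal{A}}$ and $\mathbb{E}_{\mathcal{T}}$ of $\mathbb{S}_{\mathcal{A}}$ and $\mathbb{S}_{\mathcal{T}}$ respectively, have the following properties:
- $\mathbb{S}_{\mathcal{A}} \subseteq \mathbb{E}_{\mathcal{A}} \subseteq \mathcal{A}^* \setminus AX_{\mathcal{A}}$,
- $\mathbb{S}_{\mathcal{T}} \subseteq \mathbb{E}_{\mathcal{T}} \subseteq \mathcal{T}^* \setminus AX_{\mathcal{T}}$,
- for every $\alpha \in \mathbb{E}_{\mathcal{T}}$, $\mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}} \not\models \alpha$, and
- for every $\alpha \in \mathbb{E}_{\mathcal{A}}$, $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}} \not\models \alpha$.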
The intuition for the above definition is that no information in $\mathbb{E}_{\mathcal{A}}$ and $\mathbb{E}_{\mathcal{T}}$ can be inferred from the corresponding sets $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ and $\mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$. To compute envelopes, we use the idea of inverting the rules of Figures 1 and 2 (see (Tao et al., 2010), where this approach was first utilized for membership assertions). Induced by the TBox and ABox expansion rules in Figures 1 and 2, we define the corresponding “inverted” ABox and TBox expansion rules in Figures 3 and 4, respectively. These inverted expansion rules are denoted by prefixing Inv- to the name of the corresponding expansion rules.
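- Inv-$\mathcal{A}_{\sqcap}$-rule: if $\{C(a), D(a)\} \cap \mathbb{E}_{\mathcal{A}} \neq \emptyset$ and $C \sqcap D(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{C \sqcap D(a)\}$;
- Inv-$\mathcal{A}^{+}_{\sqcap}$-rule: if $C \sqcap D(a) \in \mathbb{E}_{\mathcal{A}}$, $C \sqcap D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\{C(a), D(a)\} \subseteq \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{C(a)\}$ or $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{D(a)\}$;
- Inv-$\mathcal{A}^{+}_{\exists}$-rule: if $\exists r.C(a) \in \mathbb{E}_{\mathcal{A}}$, $\{r(a, b), C(b)\} \subseteq \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ and $\exists r.C \in \mathcal{C}_{\Sigma,\mathcal{S}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{r(a, b)\}$ or $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{C(b)\}$;
- Inv-$\mathcal{A}_{\sqsubseteq}$-rule: if $D(a) \in \mathbb{E}_{\mathcal{A}}$, $C \sqsubseteq D \in \mathcal{T}^*$, and $C(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{C(a)\}$;
- Inv-$\mathcal{A}^{+}_{H}$-rule: if $\exists s.D(a) \in \mathbb{E}_{\mathcal{A}}$, $C \sqsubseteq D \in \mathcal{T}^*$, $r \sqsubseteq s \in \mathcal{R}^*$, $\exists s.D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\exists r.C(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{\exists r.C(a)\}$;
- Inv-$\mathcal{A}_{H}$-rule: if $s(a, b) \in \mathbb{E}_{\mathcal{A}}$, $r \sqsubseteq s \in \mathcal{R}^*$, and $r(a, b) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, then $\mathbb{E}_{\mathcal{A}} := \mathbb{E}_{\mathcal{A}} \cup \{r(a, b)\}$.
Figure 3: Inverted ABox Tableau expansion rules.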
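From now on, we assume that $\mathcal{A}^*$, $\mathcal{T}^*$ and $\mathcal{R}^*$ have been computed and readily available for computing the envelopes. The computation of envelopes proceeds in two steps. In the first step, we compute $\mathbb{E}_{\mathcal{A}}$ by initializing it to $\mathbb{S}_{\mathcal{A}}$ and then expanding it using the inverted expansion rules listed in Figure 3 until no further applications are possible. We denote by $\Lambda^{\mathbb{S}}_{\mathcal{A}}$ the algorithm which computes the set $\mathbb{E}_{\mathcal{A}}$. Due to non-determinism in applying the rules Inv-$\mathcal{A}^{+}_{\sqcap}$ and Inv-$\mathcal{A}^{+}_{\exists}$, different executions of $\Lambda^{\mathbb{S}}_{\mathcal{A}}$ may result in different outputs. Since $\mathcal{A}^*$ is finite, the computation of $\Lambda^{\mathbb{S}}_{\mathcal{A}}$ terminates. Let $\mathbb{E}_{\mathcal{A}}$ be an output of $\Lambda^{\mathbb{S}}_{\mathcal{A}}$. Since the size of $\mathcal{A}^*$ is polynomial in $|\Sigma| + |\mathcal{C}_{\Sigma,\mathcal{S}}|$, and each application of inverted expansion rule moves some assertions from $\mathcal{A}^*$ into $\mathbb{E}_{\mathcal{A}}$, the size of $\mathbb{E}_{\mathcal{A}}$ is at most the size of $\mathcal{A}^*$. Therefore $\Lambda^{\mathbb{S}}_{\mathcal{A}}$ takes polynomial time in $|\Sigma| + |\mathcal{C}_{\Sigma,\mathcal{S}}|$ to compute the envelope $\mathbb{E}_{\mathcal{A}}$.
In step two, we compute $\mathbb{E}_{\mathcal{T}}$ independent of $\mathbb{E}_{\mathcal{A}}$ by initializing it to $\mathbb{S}_{\mathcal{T}}$ and then expanding it using the inverted TBox expansion rules listed in Figure 4 until no further applications of rules are possible. We denote by $\Lambda^{\mathbb{S}}_{\mathcal{T}}$ the algorithm which computes the set $\mathbb{E}_{\mathcal{T}}$. Similarly to $\Lambda^{\mathbb{S}}_{\mathcal{A}}$, due to non-determinism in applying Inv-$\mathcal{T}^{+}_{\sqcap}$ and Inv-$\mathcal{T}^{+}_{H}$-rules, different executions of $\Lambda^{\mathbb{S}}_{\mathcal{T}}$ may result in different outputs. Since $\mathcal{T}^*$ is finite, the computation of $\Lambda^{\mathbb{S}}_{\mathcal{T}}$ terminates. Let $\mathbb{E}_{\mathcal{T}}$ be an output of $\Lambda^{\mathbb{S}}_{\mathcal{T}}$. Since the size of $\mathcal{T}^*$ is polynomial in the size of $\Sigma$ and $\mathcal{C}_{\Sigma,\mathcal{S}}$, and each application of inverted TBox expansion rule moves some GCIs from $\mathcal{T}^*$ into $\mathbb{E}_{\mathcal{T}}$, the size of $\mathbb{E}_{\mathcal{T}}$ is at most the size of $\mathcal{T}^*$. Therefore $\Lambda^{\mathbb{S}}_{\mathcal{T}}$ takes polynomial time in $|\Sigma| + |\mathcal{C}_{\Sigma,\mathcal{S}}|$ to compute the envelope $\mathbb{E}_{\mathcal{T}}$.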
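- Inv-$\mathcal{T}_{\sqsubseteq}$-rule: if $C \sqsubseteq E \in \mathbb{E}_{\mathcal{T}}$, $D \sqsubseteq E \in \mathcal{T}^*$ and $C \sqsubseteq D \in \mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$, then $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{C \sqsubseteq D\}$;
- Inv-$\mathcal{T}_{\sqcap}$-rule: if $\{C \sqsubseteq D, C \sqsubseteq E\} \cap \mathbb{E}_{\mathcal{T}} \neq \emptyset$ and $C \sqsubseteq D \sqcap E \in \mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$, then $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{C \sqsubseteq D \sqcap E\}$;
- Inv-$\mathcal{T}^{+}_{\sqcap}$-rule: if $C \sqsubseteq D \sqcap E \in \mathbb{E}_{\mathcal{T}}$, $D \sqcap E \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\{C \sqsubseteq D, C \sqsubseteq E\} \subseteq \mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$, then $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{C \sqsubseteq D\}$ or $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{C \sqsubseteq E\}$;
- Inv-$\mathcal{T}^{+}_{H}$-rule: if $C \sqsubseteq \exists s.E \in \mathbb{E}_{\mathcal{T}}$, $r \sqsubseteq s \in \mathcal{R}^*$, $\exists s.E \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\{C \sqsubseteq \exists r.D, D \sqsubseteq E\} \subseteq \mathcal{T}^* \setminus \mathbb{E}_{\mathcal{T}}$, then $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{C \sqsubseteq \exists r.D\}$ or $\mathbb{E}_{\mathcal{T}} := \mathbb{E}_{\mathcal{T}} \cup \{D \sqsubseteq E\}$.
Figure 4: Inverted TBox Tableau expansion rules.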
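Example 3. (Example 2 cont.) Recall that $\mathcal{A}^*$ and $\mathcal{T}^*$ are the completed ABox and TBox respectively. Let $\mathbb{S}_{\mathcal{A}} = \{D \sqcap E(a)\}$ and $\mathbb{S}_{\mathcal{T}} = \{C \sqsubseteq D \sqcap E\}$ be the secrecy sets. Then, by using rules in Figure 3, we get the envelope for $\mathbb{S}_{\mathcal{A}}$,
$$\mathbb{E}_{\mathcal{A}} = \mathbb{S}_{\mathcal{A}} \cup \{D(a)\}.$$
Similarly, using the rules in Figure 4, we get the envelope for $\mathbb{S}_{\mathcal{T}}$,
$$\mathbb{E}_{\mathcal{T}} = \mathbb{S}_{\mathcal{T}} \cup \{C \sqsubseteq D\}.$$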
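The TBox half of the procedure, run on the KB of Example 1 and the GCI secret of Example 3, as an added Python example (not code from the paper): it completes the TBox with the Figure 1 rules, grows an envelope around the secret, and answers GCI queries by membership outside the envelope. Assumptions: the tuple encoding and all function names are illustrative; the completed TBox (written T* in the comments) is seeded with the TBox axioms together with AX_T; and the envelope step is a generic inversion of Figure 1 (for any rule instance with a protected conclusion and only visible premises, one non-axiom premise is hidden, `pick` selecting which) rather than a literal transcription of Figure 4.

```python
TOP = "TOP"  # the top concept ⊤

def conj(c, d):
    return ("and", c, d)      # C ⊓ D

def some(r, c):
    return ("some", r, c)     # ∃r.C

def subconcepts(c):
    """All subconcepts of c; atomic concept names are plain strings."""
    out = {c}
    if isinstance(c, tuple):
        for part in (c[1:] if c[0] == "and" else c[2:]):
            out |= subconcepts(part)
    return out

def axioms(concepts):
    """AX_T = {C ⊑ C, C ⊑ ⊤, ⊤ ⊑ ⊤}; a GCI C ⊑ D is the pair (C, D)."""
    return {(c, c) for c in concepts} | {(c, TOP) for c in concepts}

def role_closure(rbox, roles):
    """R*: transitive closure of R plus r ⊑ r for every role in the KB."""
    closed = set(rbox) | {(r, r) for r in roles}
    while True:
        new = {(r, t) for (r, s) in closed for (s2, t) in closed if s == s2}
        if new <= closed:
            return closed
        closed |= new

def instances(gcis, concepts, rstar):
    """Yield (premises, conclusion) for every Figure 1 rule instance over gcis."""
    for (c, d) in gcis:
        if isinstance(d, tuple) and d[0] == "and":               # T_⊓-rule
            yield ((c, d),), (c, d[1])
            yield ((c, d),), (c, d[2])
        for (x, e) in gcis:
            if x == d:                                           # T_⊑-rule
                yield ((c, d), (d, e)), (c, e)
            if x == c and conj(d, e) in concepts:                # T⁺_⊓-rule
                yield ((c, d), (c, e)), (c, conj(d, e))
            if isinstance(d, tuple) and d[0] == "some" and x == d[2]:
                for (r, s) in rstar:                             # T⁺_H-rule
                    if r == d[1] and some(s, e) in concepts:
                        yield ((c, d), (x, e)), (c, some(s, e))

def complete(gcis, concepts, rstar):
    """Apply the Figure 1 rules until nothing new is derived."""
    gcis = set(gcis)
    while True:
        new = {concl for _, concl in instances(gcis, concepts, rstar)} - gcis
        if not new:
            return gcis
        gcis |= new

def envelope(tstar, secrets, concepts, rstar, pick=0):
    """Grow the envelope from the secrets: whenever a rule instance has a
    protected conclusion and only visible premises, hide one non-axiom premise."""
    ax, env = axioms(concepts), set(secrets)
    assert env <= tstar - ax, "secrets must be non-axiom members of T*"
    insts = sorted(instances(tstar, concepts, rstar), key=repr)
    changed = True
    while changed:
        changed = False
        for premises, concl in insts:
            if concl in env and not any(p in env for p in premises):
                hideable = [p for p in premises if p not in ax]
                if not hideable:
                    raise ValueError(f"{concl!r} follows from axioms alone")
                env.add(hideable[min(pick, len(hideable) - 1)])
                changed = True
    return env

def answer(query, tstar, env):
    """'Yes' only for GCIs in T* outside the envelope; otherwise 'Unknown'."""
    return "Yes" if query in tstar and query not in env else "Unknown"

def example():
    """KB of Example 1 and the GCI secret of Example 3."""
    tbox = {("A", "B"), ("C", conj("D", "E")), ("F", some("u", "B"))}
    abox_concepts = ["C", some("u", "A")]          # from C(a) and ∃u.A(d)
    rstar = role_closure({("u", "v")}, {"r", "u", "v"})
    concepts = {TOP}
    for c in abox_concepts + [side for gci in tbox for side in gci]:
        concepts |= subconcepts(c)
    # Assumption: T* is seeded with T ∪ AX_T (Theorem 1's proof uses T ⊆ T*).
    tstar = complete(tbox | axioms(concepts), concepts, rstar)
    env = envelope(tstar, {("C", conj("D", "E"))}, concepts, rstar)
    return concepts, rstar, tstar, env

if __name__ == "__main__":
    concepts, rstar, tstar, env = example()
    for q in [("C", "E"), ("C", "D"), ("C", conj("D", "E")), ("B", "A")]:
        print(q, "->", answer(q, tstar, env))
```

Calling `envelope` with `pick=1` returns the other possible envelope, which hides C ⊑ E instead of C ⊑ D; a non-entailed query such as B ⊑ A gets the same “Unknown” as a protected one.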
Before proving the main results on envelopes, we prove the following auxiliary lemmas. First, we show that no assertion in $\mathbb{E}_{\mathcal{A}}$ is “logically reachable” from any assertion in $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$.
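Lemma 8. Let $\mathcal{A}^*$ be a completed ABox obtained from $\mathcal{A}$ by applying the tableau expansion rules in Figure 2. Also, let $\mathbb{E}_{\mathcal{A}}$ be a set of assertions which is completed by applying the tableau expansion rules in Figure 3 starting with the secrecy set $\mathbb{S}_{\mathcal{A}}$. Then, the ABox $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ is completed.
Proof. We have to show that no rule in Figure 2 is applicable to $\mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. The proof is by contradiction according to cases: assuming that a rule in Figure 2 is applicable and showing that some inverse rule is applicable.
- If the $\mathcal{A}_{\sqcap}$-rule is applicable, then there is an assertion $C \sqcap D(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ such that $C(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ or $D(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $\{C(a), D(a)\} \subseteq \mathcal{A}^*$. Hence, $\{C(a), D(a)\} \cap \mathbb{E}_{\mathcal{A}} \neq \emptyset$. This makes the Inv-$\mathcal{A}_{\sqcap}$-rule applicable.
- If the $\mathcal{A}^{+}_{\sqcap}$-rule is applicable, then there are assertions $C(a), D(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ such that $C \sqcap D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $C \sqcap D(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $C \sqcap D(a) \in \mathcal{A}^*$. Hence, $C \sqcap D(a) \in \mathbb{E}_{\mathcal{A}}$. This makes the Inv-$\mathcal{A}^{+}_{\sqcap}$-rule applicable.
- If the $\mathcal{A}^{+}_{\exists}$-rule is applicable, then there are assertions $r(a, b), C(b) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ such that $\exists r.C \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\exists r.C(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $\exists r.C(a) \in \mathcal{A}^*$. Hence, $\exists r.C(a) \in \mathbb{E}_{\mathcal{A}}$. This makes the Inv-$\mathcal{A}^{+}_{\exists}$-rule applicable.
- If the $\mathcal{A}_{\sqsubseteq}$-rule is applicable, then there is an assertion $C(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ and a GCI $C \sqsubseteq D \in \mathcal{T}^*$ such that $D(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $D(a) \in \mathcal{A}^*$. Hence, $D(a) \in \mathbb{E}_{\mathcal{A}}$. This makes the Inv-$\mathcal{A}_{\sqsubseteq}$-rule applicable.
- If the $\mathcal{A}^{+}_{H}$-rule is applicable, then there is an assertion $\exists r.C(a) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$, a GCI $C \sqsubseteq D \in \mathcal{T}^*$, a role inclusion $r \sqsubseteq s \in \mathcal{R}^*$ such that $\exists s.D \in \mathcal{C}_{\Sigma,\mathcal{S}}$ and $\exists s.D(a) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $\exists s.D(a) \in \mathcal{A}^*$. Hence, $\exists s.D(a) \in \mathbb{E}_{\mathcal{A}}$. This makes the Inv-$\mathcal{A}^{+}_{H}$-rule applicable.
- If the $\mathcal{A}_{H}$-rule is applicable, then there is an assertion $r(a, b) \in \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$ and a role inclusion $r \sqsubseteq s \in \mathcal{R}^*$ such that $s(a, b) \notin \mathcal{A}^* \setminus \mathbb{E}_{\mathcal{A}}$. Since $\mathcal{A}^*$ is completed, $s(a, b) \in \mathcal{A}^*$. Hence, $s(a, b) \in \mathbb{E}_{\mathcal{A}}$. This makes the Inv-$\mathcal{A}_{H}$-rule applicable.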
The next lemma is an analog of Lemma 8 for $\mathcal{T}^*$. Its proof is similar.
Lemma 9. Let $\mathcal{T}^*$ be a completed TBox obtained from $\Sigma$ and $C_{\Sigma,S}$ by applying the tableau expansion rules in Figure 1. Also, let $E_T$ be a set of GCIs which is completed by using tableau expansion rules in Figure 4 starting with the secrecy set $S_T$. Then, the TBox $\mathcal{T}^* \setminus E_T$ is completed.
We now show that the completed sets $E_A$ and $E_T$ are in fact envelopes.
Theorem 3. $E_A$ and $E_T$ are envelopes for $S_A$ and $S_T$ respectively.
Proof. We must show that the sets $E_A$ and $E_T$ satisfy the four properties of Definition 3. Properties 1 and 2 are obvious. To prove property 3, suppose $\mathcal{A}^* \setminus E_A \models \alpha$, for some $\alpha \in E_A$. This means, by Theorem 2, that $\alpha \in (\mathcal{A}^* \setminus E_A)^*$ and since, by Lemma 8, $\mathcal{A}^* \setminus E_A$ is completed, $(\mathcal{A}^* \setminus E_A)^* = \mathcal{A}^* \setminus E_A$, whence $\alpha \in \mathcal{A}^* \setminus E_A$. This is a contradiction. Proof of property 4 is similar, using Theorem 1 and Lemma 9 instead of Theorem 2 and Lemma 8, respectively.
To answer queries as informatively as possible without revealing the secret information, we should aim to make the size of the envelope $E$ as small as possible. From now on, we focus on computing an envelope $E$ with the property that removing any member in $E$ could reveal some of the secrets. We call such an envelope tight.
Definition 4. An envelope $E$ is said to be tight if for every $\alpha \in E$, $E \setminus \{\alpha\}$ is not an envelope.
We now show by an example that the envelopes computed by using the rules in Figures 3 and 4 are not necessarily tight.
Example 4. Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an ELH KB, where $\mathcal{A} = \{C(a), r(b, a)\}$, $\mathcal{T} = \{A \sqsubseteq B, C \sqsubseteq D \sqcap E, C \sqsubseteq D \sqcap F\}$ and $\mathcal{R} = \emptyset$. Also let $S_A = \{D \sqcap E(a), D \sqcap F(a)\}$ and $S_T = \{C \sqsubseteq D \sqcap E, C \sqsubseteq D \sqcap F\}$ be the secrecy sets.
Since $\Lambda^{S}_{A}$ is non-deterministic, we may get different envelopes as an output. Some of the envelopes are
1 $E_A = S_A \cup \{D(a), F(a)\}$ – not tight,
2 $E_A = S_A \cup \{E(a), F(a)\}$ – tight and
3 $E_A = S_A \cup \{D(a)\}$ – minimum and tight.
Since $\Lambda^{S}_{T}$ is non-deterministic, we may get different envelopes as an output depending on the choice made in the application of the Inv-$T^{+}_{\sqcap}$-rule when computing the envelopes. The envelopes are
1 $E_T = S_T \cup \{C \sqsubseteq D, C \sqsubseteq F\}$ – not tight,
2 $E_T = S_T \cup \{C \sqsubseteq E, C \sqsubseteq F\}$ – tight and
3 $E_T = S_T \cup \{C \sqsubseteq D\}$ – minimum and tight.
We briefly describe a naive procedure to compute a tight envelope. Given a precomputed $\mathcal{A}^*$ and a secrecy set $S_A$, we can compute an envelope $E_A$
of $S_A$ in polynomial time as explained in the beginning of this section. An assertion $\alpha \in E_A \setminus S_A$ is said to be redundant if $E_A \setminus \{\alpha\}$ is an envelope, i.e., $((\mathcal{A}^* \setminus E_A) \cup \{\alpha\})^* \cap (E_A \setminus \{\alpha\}) = \emptyset$. To compute a tight envelope, for each $\beta \in E_A \setminus S_A$ check whether $\beta$ is redundant, in which case it is moved from $E_A$ to $\mathcal{A}^* \setminus E_A$. Otherwise, $\beta$ remains in $E_A$. It is easy to see that checking whether an element in the set $E_A \setminus S_A$ is redundant or not can be done in polynomial time. This redundancy check should be done for each $\beta \in E_A \setminus S_A$. Hence given $\mathcal{A}^*$, $S_A$ and $E_A$, a tight envelope can be computed in polynomial time. The same procedure may be used to compute a tight envelope for the secrecy set $S_T$.
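The naive tightening procedure, run on the three ABox envelopes of Example 4, as an added Python example that is not code from the paper. Assumptions: the completed ABox is written out by hand for individual a, and the closure applies only the two conjunction rules (decomposition and composition), which suffice to reproduce the tight / not tight labels of Example 4; all function and constant names are hypothetical.

```python
# Concepts: "D" (atomic) or ("and", "D", "E"); an assertion is (concept, individual).
# Example 4 data. A_STAR is written out by hand (assumed completion, individual a only;
# the role assertion r(b, a) plays no part in these checks and is left out).
S_A = {(("and", "D", "E"), "a"), (("and", "D", "F"), "a")}
A_STAR = S_A | {("C", "a"), ("D", "a"), ("E", "a"), ("F", "a")}
COMPOUND = {c for c, _ in A_STAR if isinstance(c, tuple)}   # conjunctions in C_{Σ,S}
ENV1 = S_A | {("D", "a"), ("F", "a")}
ENV2 = S_A | {("E", "a"), ("F", "a")}
ENV3 = S_A | {("D", "a")}


def closure(assertions):
    """Saturate under the two conjunction rules only (a narrowed completion)."""
    done = set(assertions)
    while True:
        new = set()
        for c, a in done:
            if isinstance(c, tuple):             # decomposition: C ⊓ D(a) gives C(a), D(a)
                new |= {(c[1], a), (c[2], a)}
        for _, a in done:                        # composition: C(a), D(a) give C ⊓ D(a)
            new |= {(c, a) for c in COMPOUND
                    if (c[1], a) in done and (c[2], a) in done}
        if new <= done:
            return done
        done |= new


def is_envelope(env):
    """env covers the secrets and nothing in env follows from A* minus env."""
    return S_A <= env <= A_STAR and not (closure(A_STAR - env) & env)


def is_tight(env):
    """Definition 4: an envelope from which no single member can be dropped."""
    return is_envelope(env) and not any(is_envelope(env - {x}) for x in env)


def tighten(env):
    """Naive procedure: move every redundant β of E_A minus S_A back to A* minus E_A."""
    env = set(env)
    for beta in sorted(env - S_A, key=repr):
        if not (closure((A_STAR - env) | {beta}) & (env - {beta})):
            env.discard(beta)
    return env
```

Tightening the first envelope drops F(a) and yields the third one, while the second and third are returned unchanged.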
5 QUERY ANSWERING
The recursive procedures given in Figures 5 and 6
take an input q (as a query) and output “Yes” or
“Unknown”.
EvalA(q)
1: case $q \in \mathcal{A}^* \setminus E_A$
2:   return “Yes”
3: case $q = C \sqcap D(a)$
4:   if EvalA($C(a)$) = “Yes” and EvalA($D(a)$) = “Yes” then
5:     return “Yes”
6:   else
7:     return “Unknown”
8: case $q = \exists r.C(a)$
9:   if for some $d \in O_{\Sigma}$ [$r(a, d) \in \mathcal{A}^* \setminus E_A$ and EvalA($C(d)$) = “Yes”] then
10:    return “Yes”
11:  else
12:    if for some $E \in C_{\Sigma,S}$ [$E \sqsubseteq C \in \mathcal{T}^*$ and EvalA($\exists r.E(a)$) = “Yes”] then
13:      return “Yes”
14:    else
15:      if for some $s \in R_{\mathcal{R}}$ [$s \sqsubseteq r \in \mathcal{R}^*$ and EvalA($\exists s.C(a)$) = “Yes”] then
16:        return “Yes”
17:      else
18:        return “Unknown”
Figure 5: Query answering algorithm for assertional queries.
In Section 4, we have described briefly how the reasoner R responds to queries. In this section we provide a few more details. Here we assume that $\mathcal{A}^*$, $E_A$, $\mathcal{T}^*$, $E_T$ and $\mathcal{R}^*$ have all been precomputed and are considered to be globally accessible. Define the set $R_{\mathcal{R}} = \{r \mid r \text{ is a role name that occurs in } \mathcal{R}\}$. The recursive procedures for answering the assertional queries and the GCI queries are given in Figure 5 and Figure 6 respectively. In Lines 1 and 2 of Figure 5, we check the membership of $q$ in $\mathcal{A}^* \setminus E_A$ and answer “Yes” if $q \in \mathcal{A}^* \setminus E_A$. From line 3 onwards we consider several cases in which we break the query $q$ into subqueries based on the constructors defined in the language ELH and apply the procedure recursively. The following theorem proves the correctness of the algorithm.
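Theorem 4. Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an ELH KB. Let $\mathcal{A}^*$ be a completed ABox, $E_A$ an envelope of the secrecy set $S_A$ and $q$ an assertional query. Then,
- Soundness: EvalA($q$) outputs “Yes” $\Rightarrow$ $\mathcal{A}^* \setminus E_A \models q$
- Completeness: EvalA($q$) outputs “Unknown” $\Rightarrow$ $\mathcal{A}^* \setminus E_A \not\models q$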
Proof. We omit the proof of soundness.
We prove the completeness part using a contrapositive argument. Assume that $\mathcal{A}^* \setminus E_A \models q$. We have to show that EvalA($q$) = “Yes”. Let $K$ be the canonical interpretation as defined in section 3.2. By Lemma 7, $K$ satisfies $\mathcal{A}^*$, $\mathcal{T}^*$ and $\mathcal{R}^*$ and hence $K$ satisfies $\mathcal{A}^* \setminus E_A$ and $q$. We argue that: if $K \models q$ then EvalA($q$) = “Yes”, by induction on the structure of $q$. There are two cases. If $q \in \mathcal{A}^* \setminus E_A$, then the claim follows immediately. Next, consider the case $q \notin \mathcal{A}^* \setminus E_A$. There are several cases:
- $q = C \sqcap D(a)$. To answer this query the algorithm computes EvalA($C(a)$) and EvalA($D(a)$). Now, the assumption $K \models C \sqcap D(a)$ implies $K \models C(a)$ and $K \models D(a)$ which, by inductive hypothesis, implies that EvalA($C(a)$) = EvalA($D(a)$) = “Yes”. Hence, by Lines 4 and 5 in Figure 5, EvalA($C \sqcap D(a)$) = “Yes”.
- $q = \exists r.C(a)$. By the assumption, $K \models \exists r.C(a)$. This implies, for some $b$ [$(a, b) \in r^{K}$ and $b \in C^{K}$]. There are two subcases:
  - $r$ is minimal with respect to $(a, b)$. Again there are two subcases:
    - $b \in O_{\Sigma}$. Then, $K \models r(a, b)$ and $K \models C(b)$. By the first case $r(a, b) \in \mathcal{A}^* \setminus E_A$ and by inductive hypothesis EvalA($C(b)$) = “Yes”. Hence, by Lines 9 and 10 in Figure 5, EvalA($\exists r.C(a)$) = “Yes”.
    - $b = w_D \in W$ for some $D \in C_{\Sigma,S}$. Then, $K \models \exists r.D(a)$ and by part (b) of Lemma 4, $D \sqsubseteq C \in \mathcal{T}^*$. By inductive hypothesis EvalA($\exists r.D(a)$) = “Yes”. Hence, by Lines 12 and 13 in Figure 5, EvalA($\exists r.C(a)$) = “Yes”.
  - $r$ is not minimal with respect to $(a, b)$. Since RBox $\mathcal{R}$ is acyclic, there exists a chain $s \sqsubseteq v_1 \sqsubseteq v_2 \ldots \sqsubseteq v_k \sqsubseteq u$ in $\mathcal{R}$ such that $s$ is minimal with respect to $(a, b)$. Since $\mathcal{R}^*$ is the transitive closure of $\mathcal{R}$, $s \sqsubseteq r \in \mathcal{R}^*$. Again there are two cases:
    - $b \in O_{\Sigma}$. Then, by Definition 2 and the definition of $K$, $K \models s(a, b)$. Also, $K \models s \sqsubseteq r$ and $K \models C(b)$. By the first subcase of the previous case EvalA($\exists s.C(a)$) = “Yes”. Hence, by Lines 15 and 16 in Figure 5, EvalA($\exists r.C(a)$) = “Yes”.
    - $b = w_D \in W$ for some $D \in C_{\Sigma,S}$. Then, by Definition 2 and the definition of $K$, $K \models \exists s.D(a)$. Also, $K \models s \sqsubseteq r$ and by part (b) of Lemma 4, $D \sqsubseteq C \in \mathcal{T}^*$. By the second subcase of the previous case EvalA($\exists s.C(a)$) = “Yes”. Hence, by Lines 15 and 16 in Figure 5, EvalA($\exists r.C(a)$) = “Yes”.
Since the algorithm given in Figure 5 runs in polynomial time in the size of $\mathcal{A}^* \setminus E_A$ and $q$, the assertional query answering can be done in polynomial time as a function of $|\mathcal{A}^*| + |q|$.
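The recursion of Figure 5 as an added Python example, not code from the paper. The sets below are small constructed samples loosely modelled on Example 4 (one role inclusion r ⊑ s and an unnamed-successor assertion are added), not the output of the tableau procedures; the `active` guard against re-entering a query is an addition needed because the sample GCI and role-inclusion sets contain reflexive entries.

```python
# Concepts: "C" (atomic), ("and", C, D), ("some", r, C).
# Assertions: (concept, a) or ("role", r, a, b).  All data below is constructed.
YES, UNKNOWN = "Yes", "Unknown"

VISIBLE = {  # stands in for A* \ E_A: D ⊓ E(a), D ⊓ F(a) and D(a) are withheld
    ("C", "a"), ("E", "a"), ("F", "a"), ("role", "r", "b", "a"),
    (("some", "r", "C"), "c"),           # c has an r-successor that is not a named individual
}
T_STAR = {("C", "E"), ("C", "C"), ("E", "E")}    # pairs (X, Y) meaning X ⊑ Y
R_STAR = {("r", "s"), ("r", "r"), ("s", "s")}    # pairs (s, r) meaning s ⊑ r
INDIVIDUALS = {"a", "b", "c"}                    # O_Σ


def eval_a(q, active=frozenset()):
    """EvalA of Figure 5; `active` holds the queries already on the call stack."""
    if q in VISIBLE:                                        # Lines 1-2
        return YES
    if q in active or q[0] == "role":                       # added guard; roles are not decomposed
        return UNKNOWN
    active = active | {q}
    concept, a = q
    if isinstance(concept, tuple) and concept[0] == "and":  # Lines 3-7
        _, c, d = concept
        both = eval_a((c, a), active) == YES and eval_a((d, a), active) == YES
        return YES if both else UNKNOWN
    if isinstance(concept, tuple) and concept[0] == "some": # Lines 8-18
        _, r, c = concept
        for d in INDIVIDUALS:                               # Line 9: named r-successor
            if ("role", r, a, d) in VISIBLE and eval_a((c, d), active) == YES:
                return YES
        for e, sup in T_STAR:                               # Line 12: E ⊑ C in T*
            if sup == c and eval_a((("some", r, e), a), active) == YES:
                return YES
        for s, sup in R_STAR:                               # Line 15: s ⊑ r in R*
            if sup == r and eval_a((("some", s, c), a), active) == YES:
                return YES
    return UNKNOWN
```

Every withheld assertion, such as D(a) or D ⊓ E(a), comes back as “Unknown”, the same answer given for an assertion that does not follow from the KB at all.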
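EvalT(q)
1: case $q \in \mathcal{T}^* \setminus E_T$
2:   return “Yes”
3: case $q = C \sqsubseteq D \sqcap E$
4:   if EvalT($C \sqsubseteq D$) = “Yes” and EvalT($C \sqsubseteq E$) = “Yes” then
5:     return “Yes”
6:   else
7:     return “Unknown”
8: case $q = C \sqsubseteq \exists r.D$
9:   if for some $E \in C_{\Sigma,S}$ [$E \sqsubseteq D \in \mathcal{T}^*$ and EvalT($C \sqsubseteq \exists r.E$) = “Yes”] then
10:    return “Yes”
11:  else
12:    if for some $s \in R_{\mathcal{R}}$ [$s \sqsubseteq r \in \mathcal{R}^*$ and EvalT($C \sqsubseteq \exists s.D$) = “Yes”] then
13:      return “Yes”
14:    else
15:      return “Unknown”
Figure 6: Query answering algorithm for GCI queries.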
Next, suppose that the querying agent poses a GCI query $q$. In response, the reasoner R invokes the query answering algorithm EvalT($q$) given in Figure 6 and returns the answer as output. We prove in the following the correctness of the recursive algorithm given in Figure 6.
Example 5. (Example 3 cont.) Recall that $\mathcal{A}^*$ and $\mathcal{T}^*$ are the completed ABox and TBox respectively. Also, recall that $E_A = S_A \cup \{D(a)\}$ and $E_T = S_T \cup \{C \sqsubseteq D\}$ are the envelopes for $S_A$ and $S_T$ respectively.
Suppose that the querying agent asks the assertional queries $C \sqcap E(a)$, $\exists r.C(b)$, $\exists r.E(b)$ and $D(a)$. Using the algorithm in Figure 5, we get the following answers:
q | EvalA(q) | Remarks
$C \sqcap E(a)$ | Yes | by Lines 4, 5
$\exists r.E(b)$ | Yes | by Lines 12, 13
$D(a)$ | Unknown | by Line 18
Next, suppose that the querying agent asks the GCI queries $C \sqsubseteq C \sqcap E$, $\exists r.C \sqsubseteq \exists r.E$ and $C \sqsubseteq D$. Using the algorithm in Figure 6, we get the following answers:
q | EvalT(q) | Remarks
$C \sqsubseteq C \sqcap E$ | Yes | by Lines 4, 5
$\exists r.C \sqsubseteq \exists r.E$ | Yes | by Lines 9, 10
$C \sqsubseteq D$ | Unknown | by Line 15
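Theorem 5. Let $\Sigma = \langle \mathcal{A}, \mathcal{T}, \mathcal{R} \rangle$ be an ELH KB. Let $\mathcal{T}^*$ be a completed TBox, $E_T$ an envelope of the secrecy set $S_T$ and $q$ a GCI query. Then,
- Soundness: EvalT($q$) outputs “Yes” $\Rightarrow$ $\mathcal{T}^* \setminus E_T \models q$
- Completeness: EvalT($q$) outputs “Unknown” $\Rightarrow$ $\mathcal{T}^* \setminus E_T \not\models q$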
Proof. We prove the completeness part using a contrapositive argument. Assume that $\mathcal{T}^* \setminus E_T \models q$. We have to show that EvalT($q$) = “Yes”. Let $J$ be the canonical interpretation as defined in section 3.1. By Lemma 2, $J$ satisfies $\mathcal{T}^*$ and $\mathcal{R}^*$. Hence $J$ satisfies $\mathcal{T}^* \setminus E_T$ and $q$. We argue by induction on the structure of $q$ that, if $J \models q$ then EvalT($q$) = “Yes”. The basic case is $q \in \mathcal{T}^* \setminus E_T$. Then, by Lines 1 and 2 in Figure 6, the claim is obvious. Next, consider the case $q \notin \mathcal{T}^* \setminus E_T$. There are several cases:
- $q = C \sqsubseteq D \sqcap E$. The algorithm in Figure 6 computes EvalT($C \sqsubseteq D$) and EvalT($C \sqsubseteq E$). Now, the assumption $J \models C \sqsubseteq D \sqcap E$ implies $J \models C \sqsubseteq D$ and $J \models C \sqsubseteq E$ which, by inductive hypothesis, implies that EvalT($C \sqsubseteq D$) = EvalT($C \sqsubseteq E$) = “Yes”. Hence, by Lines 4 and 5 in Figure 6, EvalT($C \sqsubseteq D \sqcap E$) = “Yes”.
- $q = C \sqsubseteq \exists r.D$. By the assumption, $J \models C \sqsubseteq \exists r.D$. This implies, $C, D \in C_{\Sigma,S}$ and $\exists r.D \notin C_{\Sigma,S}$.
  - $J \models C \sqsubseteq \exists r.E_1, E_1 \sqsubseteq E_2, \ldots, E_{k-1} \sqsubseteq E_k, E_k \sqsubseteq D$ where $\exists r.E_1, E_2, \ldots, E_k \in C_{\Sigma,S}$ and $C \sqsubseteq \exists r.E_1, E_1 \sqsubseteq E_2, \ldots, E_{k-1} \sqsubseteq E_k, E_k \sqsubseteq D \in \mathcal{T}^* \setminus E_T$. Since, by Lemma 9, $\mathcal{T}^* \setminus E_T$ is completed, $E_1 \sqsubseteq D \in \mathcal{T}^* \setminus E_T$. Also, by the basic step, EvalT($C \sqsubseteq \exists r.E_1$) = “Yes”. Hence, by Lines 9 and 10, EvalT($C \sqsubseteq \exists r.D$) = “Yes”.
  - $J \models C \sqsubseteq \exists s.D, s \sqsubseteq v_1, v_1 \sqsubseteq v_2, \ldots, v_k \sqsubseteq r$ where $\exists s.D \in C_{\Sigma,S}$, $s, v_1, v_2, \ldots, v_k \in R_{\mathcal{R}}$, $C \sqsubseteq \exists s.D \in \mathcal{T}^*$ and $s \sqsubseteq v_1, v_1 \sqsubseteq v_2, \ldots, v_k \sqsubseteq r \in \mathcal{R}^*$. Then, $s \sqsubseteq r \in \mathcal{R}^*$ and by the basic step, EvalT($C \sqsubseteq \exists s.D$) = “Yes”. Hence, by Lines 15 and 16, EvalT($C \sqsubseteq \exists r.D$) = “Yes”.
Since the algorithm runs in polynomial time in the size of $\mathcal{T}^* \setminus E_T$ and $q$, the GCI query answering can be done in polynomial time as a function of $|\mathcal{T}^*| + |q|$.
6 SUMMARY
The main contribution of this paper is that we allow secrets as well as queries to be of two types: (a) local type, assertions about specific individuals (e.g., $C(a)$ or $r(a, b)$), as well as (b) global type, GCIs (e.g., $C \sqsubseteq D$) which specify hierarchical inclusion relationships between concepts. Another contribution is in the way that we compute the consequences and preserve secrecy while answering queries. We break the process into two parts: the first one precomputes all the consequences for concepts and individuals that occur in the given KB. For this we use four separate (but related) tableau procedures. As for the actual query answering, we parse the query all the way to constituents that occur in the previously precomputed set of consequences. Then, the queries are answered based on the membership of the constituents of the query in $\mathcal{A}^* \setminus E_A$ and $\mathcal{T}^* \setminus E_T$. All the algorithms are efficient and can be implemented in polynomial time. As for future work, we would like to study secrecy-preserving reasoning framework in modalized ELH description logic and possibly in probabilistic description logic Prob-ELH$^{>0,=1}$.
REFERENCES
Bao, J., Slutzki, G., and Honavar, V. (2007). Privacy-
preserving reasoning on the semanticweb. In Web In-
telligence, IEEE/WIC/ACM Conference,791–797.
Bienvenu, M., Ortiz, M.,
ˇ
Simkus, M., and Xiao, G. (2013).
Tractable queries for lightweight description logics. In
Proceedings of the Twenty-Third UJCAI,768–774.
Biskup, J. and Tadros, C. (2012). Revising belief without
revealing secrets. In Foundations of Information and
Knowledge Systems, pages 51–70. Springer.
Biskup, J. and Weibert, T. (2008). Keeping secrets in in-
complete databases. International Journal of Infor-
mation Security, 7(3):199–217.
Delaitre, V. and Kazakov, Y. (2009). Classifying E LH on-
tologies in sql databases. In OWLED.
Kagal, L., Finin, T., and Joshi, A. (2003). A policy based
approach to security for the semantic web. In Interna-
tional Semantic Web Conference, volume 2870, pages
402–418. Springer.
Kazakov, Y., Kr
¨
otzsch, M., and Siman
ˇ
c
´
ık, F. (2014). The
incredible elk. JAR, 53(1):1–61.
Lutz, C., Toman, D., and Wolter, F. (2008). Conjunctive
query answering in EL using a database system.
Tao, J., Slutzki, G., and Honavar, V. (2010). Secrecy-
preserving query answering for instance checking in
EL. In Web Reasoning and Rule Systems, 195–203.
Tao, J., Slutzki, G., and Honavar, V. (2014). A conceptual
framework for secrecy-preserving reasoning in knowl-
edge bases. TOCL, 16(1):3.
Secrecy-Preserving Query Answering in EL H Knowledge Bases
159