1. Each hotel guest has a set of keys and no two guests have the same key
Roger L. Costello
April 3, 2018

2. We want each room to have its own unique set of keys
Keys for Room1 K3 K4 K5 K0 K1 K2 K6
Keys for Room0
Keys for Room2 K7 K8

3. sig Room {keys: set Key}
This declaration:
sig Room {keys: set Key}
allows undesirable instances such as the one shown on the right. Notice that K0 is used by rooms 0, 1, and 2.
Room0 K1
Room0 K2
Room1 K0
Same key used in three rooms – ouch!
Room1 K4
Room1 K5
Room2 K0
Room2 K7
Room2 K8 … …

4. sig Room {keys: set Key}
We need to specify a constraint on the set of Key values.

5. Here’s one approach to constraining keys
pred DisjointKeySet {
keys in Room lone -> Key }
constrain
sig Room {keys: set Key}
Each Key value is associated to at most one Room.

6. Here’s another approach
sig Room {keys: disj set Key}
Each room has a set of key and each set is disjoint.

7. Are the two approaches equivalent?
I believe they are.
To be certain, however, let’s get the Alloy Analyzer to compare the two approaches and search for counterexamples.
How to do this? How to write the proper assert?

8. The book Software Abstractions says (p. 274)
equivalent
sig S {f: disj e}
sig S {f: e}
pred Every_S_has_a_different_value_for_f {
all a,b: S | a != b => no a.f & b.f }

9. sig Room {keys: disj set Key}
Therefore,
equivalent
sig S {f: disj e}
sig S {f: e}
pred Every_S_has_a_different_value_for_f {
all a,b: S | a != b => no a.f & b.f }
equivalent
sig Room {keys: disj set Key}
sig Room {keys: set Key}
pred Every_Room_has_a_different_set_of_keys{
all r, r': Room | r != r' => no r.keys & r'.keys }

10. sig Key {}
sig Room {
keys: set Key }
pred DisjointKeySet_v1 {
keys in Room lone -> Key
pred DisjointKeySet_v2 {
all r, r': Room | r != r' => no r.keys & r'.keys
assert Equivalent {
DisjointKeySet_v1 iff DisjointKeySet_v2
check Equivalent