Verifying Cake-Cutting, Faster

Abstract

Envy-free cake-cutting protocols procedurally divide an infinitely divisible good among a set of agents so that no agent prefers another’s allocation to their own. These protocols are highly complex and difficult to prove correct. Recently, Bertram, Levinson, and Hsu introduced a language called Slice for describing and verifying cake-cutting protocols. Slice programs can be translated to formulas encoding envy-freeness, which are solved by SMT. While Slice works well on smaller protocols, it has difficulty scaling to more complex cake-cutting protocols.

We improve Slice in two ways. First, we show any protocol execution in Slice can be replicated using piecewise uniform valuations. We then reduce Slice’s constraint formulas to formulas within the theory of linear real arithmetic, showing that verifying envy-freeness is efficiently decidable. Second, we design and implement a linear type system which enforces that no two agents receive the same part of the good. We implement our methods and verify a range of challenging examples, including the first nontrivial four-agent protocol.

1 Introduction

How would you divide a piece of cake between two children? Classic wisdom would say to have one child cut the piece into two, and have the other take their preferred slice. Procedures that divide an infinitely divisible good amongst a set of agents are called cake-cutting protocols. If the protocol ensures no agent prefers what another received, it is called envy-free. While classic wisdom gives an envy-free protocol for two agents, a three-agent envy-free protocol was not discovered until 1960, and a four-agent envy-free protocol that does not dispose any cake was only proposed in 2015 by Aziz and Mackenzie [2]. Modern cake-cutting protocols are highly complex, and proving envy-freeness requires checking an enourmous number of cases.

Verifying Envy-Freeness. To make cake-cutting protocols easier to verify, Bertram et al. [4] introduced a language called Slice that can describe cake-cutting protocols, and encode envy-freeness as a logical formula that can be dispatched to an SMT solver. While Slice can verify envy-freeness fully automatically, it has some drawbacks. First, it is not able to verify that agents receive non-overlapping pieces. This basic property, known as disjointness, is crucial for correctness.

Another drawback of Slice is the SMT instances encoding envy-freeness for complicated protocols are difficult to solve, and only scale to some three-agent protocols—non-trivial algorithms, but relatively simple compared to modern cake-cutting protocols. One reason the instances are difficult is they are higher order: they quantify over valuations, which are functions that describe the agents’ preferences.

Our Work: Verifying Disjointness and Envy-Freeness, Faster. We address these weaknesses in Slice. To verify disjointness, we develop an affine type system for Slice which restricts usage of the cake and then prove that well-typed programs are disjoint. Typechecking is straightforward and syntax-directed, requiring no use of SMT.

To verify envy-freeness more efficiently, we reduce Slice constraints into linear real arithmetic formulas, removing the need to quantify over valuations. This reduction leverages a key observation: the behavior of a protocol on any valuation can be replicated by a piecewise uniform valuation, which enables envy-freeness to be encoded as a first-order formula in linear real arithmetic. As a side benefit, our work shows that verifying envy-freeness of Slice protocols is decidable.

Finally, we implement both our affine type system and formula reduction procedure on top of the Slice implementation and transcribe two significantly more complicated protocols into Slice, including the first nontrivial four agent cake-cutting protocol [16]. For all Slice protocols, our type system establishes disjointness and our constraints encoding envy-freeness can be verified in substantially less time than in the previous version of Slice.

Outline. After describing the cake-cutting model (Sect. 2), we present the Slice language and our new linear type system for verifying disjointness (Sect. 3). We then review Slice’s constraints (Sect. 4) and describe our new constraint translation (Sect. 5). We discuss our implementation and evaluation (Sect. 6), and then conclude with related work and future directions (Sect. 7).

2 Cake-Cutting Preliminaries

In this section, we introduce the basics of cake-cutting protocols; the reader can consult a standard text for more background [14].

We begin by fixing a finite set of agents \(\mathbb {A}\). The cake or good is modeled by the unit interval [0, 1]. A piece P is a finite union of intervals from the cake: \(P = [r_1, r'_1]\cup \cdots \cup [r_{n},r'_{n}]\) where \(r_{1} \le r'_{1} < r_2 \le r'_{2} < \cdots < r_{n} \le r'_{n}\); the points \(r_i\) and \(r_i'\) are boundary points of P, and we write \(\partial P\) for the set of all boundary points. Two pieces \(P_1\) and \(P_2\) are disjoint if \((P_1\setminus \partial P_1) \cap (P_2 \setminus \partial P_2) = \emptyset \), that is, \(P_1\) and \(P_2\) only share possibly their boundary points.

Cake-cutting protocols produce an allocation of pieces to agents, i.e., an \(\mathbb {A}\)-tuple of pieces \((P_{a}\mid P_{a} \in \mathbb {P},a\in \mathbb {A})\). Protocols produce allocations based on agent preferences, which are typically modelled by functions \(V : \mathbb {P}\rightarrow [0,1]\) called valuations. We assume that valuations satisfy five standard assumptions: (1) Additivity: \(V(P\cup P') = V(P) + V(P')\) provided P and \(P'\) are disjoint; (2) Non-negativity: \(V(P) \ge 0\); (3) Continuity: \(V([r,r'])\) is continuous in both r and \(r'\); (4) Monotonicity: \(V(P)\ge V(P')\) if \(P' \subseteq P\); and (5) Normalization: \(V([0,1]) = 1\). We will often write \(V[r,r']\) for \(V([r,r'])\). A valuation set \(\overline{V}\) is an \(\mathbb {A}\)-tuple of valuations \((V_{a} \mid a \in \mathbb {A})\). We write \(\overline{V}_{a}\) for agent a’s valuation.

Cake-cutting protocols aim to produce fair allocations where no agent prefers another agent’s piece. More precisely, if A is an allocation and \(\overline{V}\) is a valuation set, we say A is envy-free (with respect to \(\overline{V}\)) if \(\overline{V}_{a}(A_{a}) \ge \overline{V}_{a}(A_{a'})\) for all \(a, a'\in \mathbb {A}\).

Protocols are assumed to have indirect access to agent valuations through specific kinds of agent queries. Slice implements the Robertson-Webb (RW) query model [15], which is the typical query model in the cake-cutting literature and captures most protocols. In the RW model, there are two kinds of queries. An eval query takes as input an agent and a piece and reports the agent’s value of that piece:

$$ \textsf{eval}_{a}(P)\ \text {reports}\ \overline{V}_{a}(P). $$

A mark query, when supplied an interval and a value, reports how much of the interval is needed to attain that value:

$$\textsf{mark}_{a}([\ell ,r],v)\ \text {reports}\ r'\ \text {where}\ \overline{V}_{a}[\ell ,r'] = v,\ \text {provided that}\ v \le \overline{V}_{a}[\ell ,r].$$

This query enables us to find intervals within the cake which have a specified value for a certain agent. For example, \(\textsf{mark}_{{a}}({[0,1]}, {1/2})\) will output a point \(r'\) such that \(\overline{V}_{a}[0,r'] = 1/2 = \overline{V}_{a}[r', 1]\). The assumption \(v \le \overline{V}_{a}[\ell ,r]\) is required since \(\overline{V}_{a}\) is monotone: if \(v > \overline{V}_{a}[\ell ,r]\), no such point exists. Note that if multiple points \(r'\) are a valid answer to a mark query, then mark can report any of them.

3 Language and Type System

We review the language [4] before describing our novel affine type system. Full details for this section can be found in the full paper [3].

3.1 Syntax of Base Slice

The set of all basic Slice expressions \(\mathcal {E}\) is given by the grammar shown in Fig. 1. The expression \(v\) is a value and \(\mathcal {X}\) is an infinite set of variables. We can form tuples and, through the \(\textsf{split}\) expression, extract their components. We have standard if-then-else expression, and a set \(\mathcal {O}\) consisting of primitive operations like \(+\), \(\ge \), etc.

The remaining expressions are cake-cutting specific. The expression \(\textsf{cake}\) represents the whole cake, \(\textsf{divide}\) takes an interval and a point, splitting the interval into two at the point, and \(\textsf{piece}\) takes in a list of intervals and forms a piece out of them. The expression \(\textsf{eval}_{a}\) implements the eval query by taking in an interval or piece, and producing its value according to agent a. The expression \(\textsf{mark}_{a}\) implements the mark query by taking in an interval and the target value, returning any point satisfying the query.

Fig. 1.

The grammar for Slice expressions (top) and values (bottom).

The set of all values is denoted by \(\mathcal {V}\). We have boolean constants, points \(r\#\textsf{Pt}\), and intervals \([r, r']\). Points represent positions within the cake. Intervals describe contiguous pieces of the cake. Tuple values enable us to describe allocations.

Values of the form \(P [r_1, r'_{1}] ,\ldots ,[r_{n}, r'_{n}]\) and \(r_{1} \cdot V_{a_{1}}(P_{1}) + \cdots + r_{n} \cdot V_{a_{n}}(P_{n})\) are referred to as pieces and valuations, respectively. Note that for piece values, we do not assume that \([r_{i},r'_{i}]\) is disjoint from \([r_{j}, r'_{j}]\) if \(i \ne j\). We sometimes write piece values as \(P_{i = 1}^{n} [r_{i},r'_{i}]\), or \(P_{i}[r_{i}, r'_{i}]\), where i ranges over a finite set. Within the valuation value, \(P_1,\ldots ,P_{n}\) are interval or piece values, \(a_1,\ldots ,a_{n}\) are agents, and \(r_1,\ldots ,r_{n}\) are real numbers. We sometimes write \(\sum _{i = 1}^{n}r_{i} \cdot V_{a_{i}}(P_{i})\), or \(\sum _{i}r_{i} \cdot V_{a_{i}}(P_{i})\) for short.

Figure 2 shows the two agent protocol described in Sect. 1 implemented in Slice; for now, we can ignore the bars over variables. This protocol uses the eval and mark queries to divide the cake into two pieces equally preferred by agent 1, and then uses eval queries for agent 2’s comparison.

Fig. 2.

Cut-choose in Slice.

3.2 A Linear Type System for Slice

In this section, we develop a new, affine type system for Slice. At a high level, our type system ensures that no two agents receive overlapping pieces in the allocation. In order to accomplish this, it suffices to ensure that any duplicated variable bound to an interval or piece cannot be used either make further cuts or form more pieces. After all, you can’t have your cake and eat it too!

Types. Slice types include affine types \(\tau \) and non-affine types \(\hat{\tau }\):

Any non-linear type can be viewed as a linear type (i.e., as a unary product).

We treat \(\textsf{Intvl}\) and \(\textsf{Piece}\) as affine types to prevent their values from being duplicated. However, restricting interval and piece types poses a problem: protocols often query an agent before using the same interval or piece for division or allocation. For example, in the second line in Fig. 2, p needs to be used to mark itself appropriately before being divided. To address this issue, we include two new base non-affine types, \(\overline{\textsf{Intvl}}\) and \(\overline{\textsf{Piece}}\), called “read only” types. Since these types are non-affine, variables of these types can be freely used in queries. However, dividing or forming pieces from read-only types is not allowed. This restriction ensures we can only create disjoint pieces.

Values and Expressions. We extend Slice with values of read-only type:

The overline syntax is also extended to notation on other values and types, e.g. \(\overline{r} = r\), \(\overline{(v_1,v_2)} = (\overline{v_1},\overline{v_2})\), \(\overline{\textsf{Vltn}} = \textsf{Vltn}\), and \(\overline{\tau _1\times \tau _2} = \overline{\tau _1} \times \overline{\tau _2}\). Next, we extend Slice expressions with two new classes of variables. Affine variables are drawn from \(\mathcal {W}\), while read-only variables are drawn from \(\overline{\mathcal {W}}\). Finally, we extend the syntax of the split expression to bind these variables:

$$ \textsf{let}\ x_1,\ldots ,x_{n}, w_1,\ldots ,w_{n'} = \textsf{split}\ e_1\ \textsf{in}\ e_2 $$

This expression implicitly binds read-only variables \(\overline{w_1} ,\ldots ,\overline{w_{n'}}\) corresponding to the affine variables \(w_1 ,\ldots ,w_{n}\). For example, in Fig. 2, \(\overline{p}\) is bound in the first line and both \(\overline{p_1}\) and \(\overline{p_2}\) are bound in the second line.

Fig. 3.

Select typing rules for Slice expressions.

Affine Typing Rules. Our typing judgements are of the form \(\varGamma ; \varDelta \vdash e : \tau \), for \(\varGamma \) a partial map from \(\mathcal {X}\cup \overline{\mathcal {W}}\) to non-affine types, and \(\varDelta \) a partial map from \(\mathcal {W}\) to linear types. We present a selection of rules in Fig. 3. For affine type contexts \(\varDelta _1\) through \(\varDelta _{n}\), the concatenation \(\varDelta _1,\ldots ,\varDelta _{n}\) denotes the union of disjoint contexts: \({{\,\mathrm{\text {dom}}\,}}(\varDelta _{i})\cap {{\,\mathrm{\text {dom}}\,}}(\varDelta _{j}) = \emptyset \) if \(i \ne j\).

The variable rules [T-Var] and [T-AffVar] type the given variable based on its context. The rule [T-Piece] shows the role of affine variables. The premise has expressions \(e_{i}\) under linear type contexts \(\varDelta _{i}\), while the conclusion has the combined affine type context \(\varDelta _1,\ldots ,\varDelta _{n}\). Since the \(\varDelta _i\) must have disjoint domain, the expressions \(e_i\) cannot share affine variables. In particular, it is not possible for the same interval variable to appear more than once in a piece.

The rules [T-Piece], [T-Div], [T-Mark], and [T-EvalPc] highlight the difference between affine types and their read-only variants. [T-Piece] requires its subexpressions have type \(\textsf{Intvl}\) as it is forming a piece. [T-Div] requires the first argument have type \(\textsf{Intvl}\) since it is forming new pieces. In contrast, [T-Mark] requires the first argument to have type \(\overline{\textsf{Intvl}}\) as it is querying a valuation, not forming a piece, and similarly for [T-EvalPc].

The most complicated rule is [T-Split], which binds multiple variables at once by pattern matching on tuples.

3.3 Semantics

We present a big-step style semantics, defined by a relation \({\Downarrow }_{\overline{V}} \subseteq \mathcal {E}\times \mathcal {V}\) indexed by a valuation set \(\overline{V}\), so our judgments are of the form \(e \Downarrow _{\overline{V}} v\). We omit \(\overline{V}\) when clear from context. Our big-step rules are straightforward. We present a few rules in Fig. 4 and discuss them here.

Fig. 4.

Select evaluation rules for Slice expressions.

The rule [E-Tup] forms a tuple out of a collection of values. [E-Mark] implements the mark query; since the equation \(\overline{V}_{a}[r_1,r] = \sum _{i}r_{i}\overline{V}_{a_{i}}(P_{i})\) can be satisfied by more than one r, the big-step semantics is non-deterministic. [E-EvalPc] implements the eval query. [E-Div] splits an interval into two, requiring the interval to contain the split point. Both this condition and the condition for [E-Mark] mean that some well-typed protocols may become stuck: they may not evaluate to values. Lastly, [E-Split] binds the variables \(x_1,\ldots ,x_{n}, w_{1},\ldots ,w_{n'}\) to the values \(v_1,\ldots ,v_{n},\ldots ,v_{n + n'}\), and binds \(\overline{w_1},\ldots ,\overline{w_{n}}\) to read-only versions \(\overline{v_{n + 1}},\ldots ,\overline{v_{n + n'}}\) of the affine values. It is straightforward to show that evaluation preserves types:

Proposition 1

(Type soundness). If \(\cdot \vdash e : \tau \) and \(e \Downarrow v\), then \(\cdot \vdash v: \tau \).

3.4 Disjointness

Our affine type system is designed to ensure that well-typed programs produce only disjoint allocations, i.e., tuples of pieces that do not overlap. To prove this claim, we generalize and define disjointness for values and general expressions, and then show that a well-typed disjoint program can only evaluate to a disjoint value.

Informally, an expression is disjoint if all interval values within it, excluding read-only versions, are disjoint from each other. Disjointness ignores read-only values since well-typed programs are allowed to duplicate them; this does not affect disjointness verification since we are only concerned with programs that return allocations, i.e., values of type \(\textsf{Piece}^{\mathbb {A}}\).

Since our type system prevents multiple uses of variables with type \(\textsf{Intvl}\) and \(\textsf{Piece}\), they cannot be duplicated so programs cannot construct pieces and intervals with overlapping components. This invariant enables us to show that disjoint expressions only evaluate to disjoint values.

Proposition 2

If \(\cdot \vdash e : \tau \) and e is disjoint, then \(e \Downarrow v\) implies \(v\) is disjoint.

Checking that a well-typed protocol is disjoint is easily done syntactically, and in the protocols we are concerned with, amounts to ensuring \(\textsf{cake}\) is only used once.

Example 1

We illustrate our type system with the two-agent Surplus protocol. In brief, both agents are asked to mark the cake at half the value of the whole cake. The agent that marked furthest to the left is given all the cake to the left of their own mark. Symmetrically, the other agent is given everything to the right of their own mark, leaving the cake lying between the marks un-allocated. The Slice programs shown in Fig. 5 both correctly implement the Surplus protocol, however, the left program is not well-typed, while the right one is. The left program does not type check because it divides the whole cake twice (highlighted in ), leaving either \(p_1\) and \(p_4\) or \(p_2\) and \(p_3\) to overlap. Disjointness cannot be verified in this instance since there are intermediate expressions that will not be in its evaluation. The right program avoids this issue by only dividing the cake once it is known where the marks lie in relation to each other.    \(\square \)

Fig. 5.

The Surplus protocol written in two ways. (Color figure online)

4 Constraints

Now that we’ve seen the Slice language, we review the original Slice constraint translation. For full details see the full paper [3]. Paths. As is standard, we consider each path through a program separately. Paths b are Slice expressions (Sect. 3) with an assert expression \(\textsf{assert}\ b_1\ \textsf{in}\ b_2\) in place of if-then-else.

Logical syntax Protocol paths are translated into a multi-sorted first order logic. The logic is standard, so most details are omitted, though we make note of select function symbols:

• \([\_, \_]\), \(\cup \) for forming intervals and pieces respectively

• \(\texttt{l}\), \(\texttt{r}\) for obtaining the left and right endpoints of an interval respectively

• \(\texttt{V}_{a}\) for each \(a \in \mathbb {A}\) for representing agent valuations

• \(\pi _{i}\) for the ith component of a tuple

• \(\texttt{O}\) which contains logical counterparts to the primitive operations O (e.g. \(+\), \(\ge \))

Through the function symbols and constants, any program value \(v\) can be encoded as a logical term \(\texttt{v}\). Throughout, the typewriter font designates logical counterparts to program objects. We also include a special set of variables \(\mathcal {Y}\), disjoint from \(\mathcal {X}\), which will only be used to represent points in our formulas.

With our logic, we can express envy-freeness, where x represents allocation:

$$\begin{aligned} E(x) \triangleq \bigwedge _{a,a' \in \mathbb {A}} \texttt{V}_{a}(\pi _{a} x) \ge \texttt{V}_{a}(\pi _{a'}x). \end{aligned}$$

(1)

Logical Semantics. Formula semantics are given by an interpretation \({{\,\mathrm{\mathcal {A}}\,}}\) and variable assignment \({{\,\mathrm{\mu }\,}}\). An interpretation associates sorts with sets and function symbols with functions on these sets. A variable assignment is a map from variables to elements of these sets. For our purposes, we fix a base interpretation that interprets everything but the symbols \(\texttt{V}_{a}\) for all a, and all full interpretations agree with the base. The base interprets objects as one would expect, e.g. \(\llbracket {\texttt{l}} \rrbracket ([r,r']) = r\). For full interpretations, the symbols \(\texttt{V}_{a}\) are interpreted over all possible valuations. Thus, full interpretations are uniquely determined by the choice of valuation set, and we write \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}\) for the interpretation such that \(\llbracket {\texttt{V}_{a}} \rrbracket _{{{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}} = \overline{V}_{a}\).

For a logical term t, we let \(\llbracket {t} \rrbracket _{{{\,\mathrm{\mathcal {A}}\,}}}^{{{\,\mathrm{\mu }\,}}}\) denote the interpretation of t according to \({{\,\mathrm{\mathcal {A}}\,}}\), with variable values determined by \({{\,\mathrm{\mu }\,}}\), defined in the usual way (e.g., \(\llbracket {\texttt{V}_{a}([y,y'])} \rrbracket _{{{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}}^{{{\,\mathrm{\mu }\,}}} =\overline{V}_{a}[{{\,\mathrm{\mu }\,}}(y),{{\,\mathrm{\mu }\,}}(y')]\)). Likewise, for a formula \(\varphi \), we write \({{\,\mathrm{\mathcal {A}}\,}},{{\,\mathrm{\mu }\,}}\vDash \varphi \) if \(\varphi \) is true when interpreted through \({{\,\mathrm{\mathcal {A}}\,}}\) with variable values determined by \({{\,\mathrm{\mu }\,}}\), also defined in the usual way. We write \({{\,\mathrm{\mathcal {A}}\,}}\vDash \varphi \) if for all assignments \({{\,\mathrm{\mu }\,}}\) we have \({{\,\mathrm{\mathcal {A}}\,}}, {{\,\mathrm{\mu }\,}}\vDash \varphi \). If t is a term containing no \(\texttt{V}_{a}\) symbols, then for a fixed assignment \({{\,\mathrm{\mu }\,}}\), the term t is always interpreted the same way and we write just \(\llbracket {t} \rrbracket ^{{{\,\mathrm{\mu }\,}}}\).

If \(\texttt{v}\) is an allocation, \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}, {{\,\mathrm{\mu }\,}}\vDash E(\texttt{v})\) states that \(\llbracket {\texttt{v}} \rrbracket _{{{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}}^{{{\,\mathrm{\mu }\,}}}\) is an envy-free allocation. If e is a expression, we say that e satisfies E(x) and write \(e \vDash E(x)\) if for all valuation sets \(\overline{V}\), \(e \Downarrow _{\overline{V}} v\) implies \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}\vDash E(\texttt{v})\). Thus \(e\vDash E(x)\) means e is envy-free.

In order to verify envy-freeness, Slice translates programs e to logical formulas ensuring \(e \vDash E(x)\). We review this constraint translation next, before describing our improved translation.

Constraints. To translate protocols to formulas, we translate each path in a protocol to a formula consisting of a logical term \(\rho (b)\) and a formula \(c(b)\). Intuitively, \(\rho (b)\) is the logical term representation of the value that b evaluates to assuming that the formula \(c(b)\) holds. We give some cases of the definition in Fig. 6.

Fig. 6.

\(\rho (b)\) and \(c(b)\) for select path expressions b.

It is informative to compare these definitions to the big-step semantics shown in Sect. 3. For instance, \(\rho (\textsf{divide}({b_1}, {b_2}))\) is a logical encoding of the original interval being split into two, \(\rho (\textsf{mark}_{{a}}({b_1}, {b_2}))\) is a variable that represents the mark, \(\rho (\textsf{eval}_{{a}}({b}))\) is the value of the interval or piece provided.

The formula \(c(b)\) is referred to as the constraint of b. Roughly, the formula corresponds to the side conditions shown in the big-step semantics. The most interesting cases of the definition are in Fig. 6. All constraints conjoin the conditions from their subexpressions. The constraint for \(\textsf{divide}\) encodes that the point dividing the interval must be within. The constraint of \(\textsf{eval}\) has no additional conditions to satisfy, so it is just the constraint of its subexpression. The constraint of \(\textsf{mark}\) ensures that the new point has the required property and the constraint of \(\textsf{assert}\) asserts that the guard must hold.

Example 2

Consider the following path, denoted b, from Cut-Choose (Fig. 2):

$$ \begin{array}{l} \textsf{let}\ p = \textsf{split}\ \textsf{cake}\ \textsf{in}\\ \textsf{let}\ p_1, p_2 = \textsf{split}\ \textsf{divide}({p}, {\textsf{mark}_{{1}}({\overline{p}}, {1/2\cdot \textsf{eval}_{{1}}({\overline{p}})})})\ \textsf{in}\\ \textsf{assert}\ {\textsf{eval}_{{2}}({\overline{p_1}}) \ge \textsf{eval}_{{2}}({\overline{p_2}})}\ \textsf{in}\ {(\textsf{piece}(p_2), \textsf{piece}(p_1))} \end{array} $$

The path b gives the following (simplified) constraint:

$$\begin{aligned} \begin{array}{rl} c(b) &{}= (\texttt{V}_{1}([0,y]) = 1/2 \cdot \texttt{V}_1([0,1])) \wedge ( \texttt{V}_{2}([0,y]) \ge \texttt{V}_{2}([y,1])) \\ \rho (b) &{}= (\cup [y,1], \cup [0,y]) \end{array} \end{aligned}$$

The first conjunct in \(c(b)\) is from the expression \(\textsf{mark}_{{1}}({\overline{p}}, {1/2\cdot \textsf{eval}_{{1}}({\overline{p}})})\), while the second is from \(\textsf{eval}_{{2}}({\overline{p_1}})\ge \textsf{eval}_{{2}}({\overline{p_2}})\). The term \(\rho (b)\) is a logical encoding of b’s evaluation.    \(\square \)

The following result, akin to Corollary 4.8 for Slice [4], characterizes paths in terms of their constraints.

Theorem 1

Suppose \(\cdot \vdash b : \tau \). Then \(b \Downarrow _{\overline{V}} v\) if and only if there is a variable assignment \({{\,\mathrm{\mu }\,}}\) such that \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}},{{\,\mathrm{\mu }\,}}\vDash c(b)\) and \(\llbracket {\rho (b)} \rrbracket _{{{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}}}^{{{\,\mathrm{\mu }\,}}} = |v |\).

With our constraint translation being sound and complete, we look to use constraints to verify envy-freeness only by checking the validity of certain formulas involving the constraint. For the following, let \(\mathcal {Y}_{b}\) be the set of free variables contained in \(c(b)\), and let B(e) be the set of paths within e. The following theorem forms the basis for automated verification in Slice.

Theorem 2

Suppose that e is a well-formed expression and \(\cdot \vdash e : \textsf{Piece}^{\mathbb {A}} \). Then

$$\begin{aligned} {{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}} \vDash \bigwedge _{b \in B(e)} \forall \mathcal {Y}_{b}.(c(b)\Rightarrow E(\rho (b))) \end{aligned}$$

(2)

for all \(\overline{V}\) if and only if \(e \vDash E(x)\).

The formal definition for a well-formed expression can be found within the full paper [3], though the imposed conditions are mild; any typical cake-cutting protocol is well-formed. This theorem can be generalized from E(x) to general formulas F(x) satisfying mild conditions.

We stress that in order to apply this theorem to conclude \(e \vDash E(x)\), Formula (2) needs to be valid for all valuation sets. Our logic is not rich enough to quantify over valuations and their axioms, so for verification, these formulas must be embedded in a richer theory (e.g., from a modern SMT solver).

5 Piecewise Uniform Reduction

Now that we have seen how the existing constraint translation works in Slice, we show how to produce a result similar to Theorem 2, but instead with a formula in the theory of linear real arithmetic. Formula (2) contains terms like \(\texttt{l}([t_1,t_2])\), \(\pi _{k}(t_1,\ldots ,t_{n})\), and \(\texttt{V}_{a}(t)\), which all need to be reduced to linear sums of real variables. Most terms can be reduced via syntactic simplifications, but reducing valuation terms \(\texttt{V}_{a}(t)\) is much more challenging.

The broad approach is to show a protocol execution on any valuation set can be replicated with a piecewise uniform valuation set, then replace terms \(\texttt{V}_{a}(t)\) with sums of differences of real variables that represent \(\texttt{V}_{a}(t)\). We discuss conditions under which protocol executions can be replicated, then show there are always piecewise uniform valuations meeting these conditions. Then, we describe how to construct the formula reduction, prove that it preserves validity, and then apply it to obtain an analog to Theorem 2. Our approach is inspired by Theorem 1 from Kurokawa, Lai, and Procaccia [9].

For this section only, we will assume that the operations \(\mathcal {O}\) consist only of boolean operators, comparisons, constant multiplication and addition. These operations are sufficient for describing cake-cutting protocols. A more detailed description of \(\mathcal {O}\) is shown in the full paper [3].

5.1 Replicating Protocol Executions

In this subsection, we give a condition when the same evaluation judgement holds for two possibly different valuation sets. For this, we define the following relationship between valuation sets.

Definition 1

Let \(M\supseteq \{0,1\}\) a finite set of points. We say that valuation sets \(\overline{U}\) and \(\overline{V}\) agree on M if for any piece P with boundary points in M, \(V_{a}(P) = U_{a}(P)\) for all \(a \in \mathbb {A}\).

The following theorem says that we can identically derive an evaluation judgement with a different valuation set, as long as the valuation set agrees with the original on all pieces formed from points in the derivation.

Theorem 3

Let \(\overline{U}\) and \(\overline{V}\) be valuation sets, and suppose \(e\Downarrow _{\overline{V}} v\). If \(\overline{U}\) and \(\overline{V}\) agree on all points considered in the derivation of \(e \Downarrow _{\overline{V}}v\), then \(e \Downarrow _{\overline{U}} v\).

There is an analog for formulas.

Theorem 4

If valuation sets \(\overline{U}\) and \(\overline{V}\) agree on the set of points considered in a formula \(\varphi \) under variable assignment \({{\,\mathrm{\mu }\,}}\), then \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{V}},{{\,\mathrm{\mu }\,}}\vDash \varphi \iff {{\,\mathrm{\mathcal {A}}\,}}_{\overline{U}},{{\,\mathrm{\mu }\,}}\vDash \varphi \).

5.2 Piecewise Uniform Valuations

Now that we have seen what is required for replication, we show that there is always a special piecewise uniform valuation set that meets the requirements.

We first formally define piecewise uniform valuations. It is easiest to define these valuations in terms of their density. For our purposes, a density is a function \(w : [0,1] \rightarrow \mathbb {R}_{\ge 0}\), and a valuation W has density w if \(W({P}) = \int _{P}w\quad \) for all \(P\in \mathbb {P}\).

Definition 2

We say that a valuation U is piecewise uniform if U has density u for which there exists a piece \(P \in \mathbb {P}\) and a constant c such that

$$u(x) = {\left\{ \begin{array}{ll} c &{}\text {if}\ x\in P \\ 0 &{}\text {if}\ x\not \in P. \end{array}\right. }$$

We let P(U) denote P and c(U) denote c.

Because valuations are normalized, the constant associated with a piecewise uniform valuation U is the reciprocal length of P(U). Therefore, any piece P uniquely determines a piecewise uniform valuation \(U_{P}\), where \(P(U_{P}) = P\).

Much of the advantage of these valuations lies in how we can represent their values on specific pieces. For intervals built from right endpoints of P(U), the valuation reduces to a simple sum of differences between real numbers. If we write out \(P(U)= [l_1, r_1]\cup \cdots \cup [l_{n}, r_{n}]\) where \(l_1 \le r_1 < \cdots < l_{n} \le r_{n}\), then

$$\begin{aligned} U[r_{i}, r_{i'}] = c(U)\cdot \sum _{i' \ge j > i} (r_{j} - l_{j}). \end{aligned}$$

(3)

This formula is key for our reduction, as it enables us to convert valuations applied to intervals (left) to sums of differences of real numbers (right).

We call a valuation set a piecewise uniform valuation set if all valuations within it are piecewise uniform. Our formula reduction will benefit from the following key conditions on piecewise uniform valuation sets.

Definition 3

Let \(\overline{U}\) be a piecewise uniform valuation set and let \(M\supseteq \{0,1\}\) be a finite set of points. We say that \(\overline{U}\) is easily replaceable on M if

1. 1.

   For each \(a \in \mathbb {A}\), and for each \(m \in {M}^{\setminus 0}\triangleq M \setminus \{0\}\), there exists \(l_{a}(m)\) such that if \(l_{a}(m) < m'\) for \(m' \in {M}^{\setminus 0}\), then \(m \le m'\) and

   $$ P(\overline{U}_{a}) = \bigcup _{m \in {M}^{\setminus 0}}[l_{a}(m), m]. $$
2. 2.

   For each \(a,a'\in \mathbb {A}\), \(c(\overline{U}_{a}) = c(\overline{U}_{a'})\).

The first part is valuable for the reduction as it removes the need to keep track of distinct right endpoints for each agent. The second part means that the coefficient in Eq. (3) can be ignored when comparing these valuations with each other, which will be important later for the formulas to be in real linear arithmetic.

Theorem 5

For any valuation set \(\overline{V}\) and any finite set of points \(M\supseteq \{0,1\}\), there exists a piecewise uniform valuation set that both agrees with \(\overline{V}\) on M and is easily replaceable on M.

The proof constructs a specific piecewise uniform valuation set that satisfies these properties. The construction is a slightly more general version of the construction shown in Theorem 1 by Kurokawa, Lai, and Procaccia [9].

A consequence of the theorem is that any protocol execution can be replicated by the specific piecewise uniform valuation set, and any formulas that hold for the original valuation set that only consider points from the execution will also hold for this specific valuation set.

Example 3

We illustrate the construction for \(\mathbb {A}= \{1,2\}\) with valuation \(\overline{V}_{1}\) being the uniform valuation over the cake, and \(\overline{V}_2\) having density \(x \mapsto 2x\), and the set of points \(M = \{0, 1/2, 1\}\). Set \(\overline{U}_1 = U_{P_1(d)}\) and \(\overline{U}_2 = U_{P_2(d)}\) for pieces

$$ \begin{array}{l} P_1(d) = [1/2 - 1/2\cdot 1/d , 1/2]\cup [1- 1/2\cdot 1/d, 1]\\ P_2(d) = [1/2 - 1/4\cdot 1/d , 1/2]\cup [1- 3/4\cdot 1/d, 1] \end{array} $$

for \(d \ge 3/2\). Clearly both pieces have interval right endpoints of \(\{1/2,1\} = {M}^{\setminus 0}\). Also, it is easily to calculate that \(c(U_{P_1}) = c(U_{P_2}) = d\). Thus, \(\overline{U}\) is easily replaceable on M. We additionally have

$$ \begin{array}{l l l} \overline{U}_1[0,1/2] = &{} d\cdot (1/2 - (1/2 - 1/2\cdot 1/d)) &{}= 1/2 = \overline{V}_1[0,1/2],\\ \overline{U}_1[1/2,1] = &{} d\cdot (1 - (1 - 1/2\cdot 1/d)) &{}= 1/2 = \overline{V}_1[1/2,1],\\ \overline{U}_2[0,1/2] = &{} d\cdot (1/2 - (1/2 - 1/4\cdot 1/d)) &{}= 1/4 = \overline{V}_2[0,1/2],\\ \overline{U}_2[1/2,1] = &{} d\cdot (1 - (1 - 3/4\cdot 1/d)) &{}= 3/4 = \overline{V}_2[1/2,1], \end{array} $$

so \(\overline{U}\) replicates \(\overline{V}\) on M.    \(\square \)

5.3 Piecewise Uniform Replacement

We leverage the above results to produce a reduction on protocol constraints. At a high level, for any formula having only variables for points, we can simplify it to be a disjunction of inequalities in terms of the form \(\sum _{i}r_{i}\cdot \texttt{V}_{a_{i}}(P_{i})\) for real \(r_{i}\) and logical pieces and intervals \(P_{i}\). We then replace terms of the form \(\texttt{V}_{a}(P)\) with sums of differences of real variables. Using Theorem 4 and Theorem 5 we can show that the original formula holds if and only if the replaced formula holds for a piecewise uniform valuation set.

Simplified terms are the terms within the following sets, indexed by sort:

$$\begin{aligned} R_{\texttt{Point}} &\triangleq \mathcal {Y} \cup \{r\#\textsf{Pt}\mid r \in \mathbb {R}\} & R_{\texttt{Piece}} &\triangleq \{\cup (t_1,\ldots ,t_{i})\mid t_{i} \in R_{\texttt{Intvl}}\} \\ R_{\texttt{Intvl}} &\triangleq \{[t,t']\mid t,t' \in R_{\texttt{Point}}\} & R_{\texttt{Vltn}} &\triangleq \{ {\textstyle \sum _{i}}r_{i}\cdot \texttt{V}_{a_{i}}(P_{i})\mid P_{i} \in R_{\texttt{Intvl}}\cup R_{\texttt{Piece}}\} \end{aligned}$$

For any well-sorted term t containing only variables in \(\mathcal {Y}\), we can produce an equivalent simplified version of it, which we denote by \(\texttt{R}(t)\). The notion of simplified and the simplification operation \(\texttt{R}\) easily extends to whole formulas as well. For further details of this step, see the full paper [3]. For further use, if t is a simplified term or formula, we let \(\#\textsf{Pt}(t)\) denote the subset of \(R_{\texttt{Point}}\) contained as subterms of t.

Proceeding with the reduction, we introduce a new set of logical variables, \(\mathcal {Z}\) and we assume for each \(y\in \mathcal {Y}\cup \{1\}\), and \(a\in \mathbb {A}\), there is a unique \(z_{a,y} \in \mathcal {Z}\). To understand the purpose of \(\mathcal {Z}\), consider a piecewise uniform valuation set \(\overline{U}\) that is easily replaceable on M. Then \(P(\overline{U}_{a})\), the piece corresponding to agent a’s valuation, is the union of intervals of the form \([l_{a}(m),m]\) for \(m \in {M}^{\setminus 0}\). If the variable y represents the variable m, then the variable \(z_{a,y}\) then represents the left endpoint \(l_{a}(m)\).

Definition 4

A piecewise uniform replacement is a finite totally ordered subset \((S, >_{S})\) of \(\mathcal {Y}\cup \{0,1\}\) such that \(\{0,1\}\subseteq S\) and \(0 \le _{S} y \le _{S}1 \) for all \(y\in S\). For \(y,y'\in S\), we define \({S}|_{y}^{y'} \triangleq \{y '' \in S \mid y' \ge _{S} y'' >_{S} y\}\). We let \(S|_{t}\triangleq {S}|_{y}^{y'}\) if \(t = [y, y']\) and \(S|_{t} \triangleq {S}|_{y_1}^{y'_{1}}\cup \cdots \cup {S}|_{y_n}^{y'_{n}}\) if \(t = \cup [y_1 ,y'_1],\ldots ,[y_{n}, y'_{n}]\).

The piecewise uniform replacement packages neatly all the data needed to replace valuation symbols in formulas. The order on S represents the ordering of real numbers, since variables from \(\mathcal {Y}\) represent points. A replacement is applied to terms:

Definition 5

The application of a piecewise uniform substitution S on a term \(t\in R_{\texttt{S}}\) for which \(\#\textsf{Pt}(t)\subseteq S\) is as follows:

$$\begin{aligned} S(\texttt{V}_{a}(t)) &\triangleq {\sum _{y \in S|_{t}}} (y - z_{a,y}) & S({ \sum _{i}}r_{i}\cdot t_{i}) &\triangleq {\sum _{i}}r_{i}\cdot S(t_{i}) & S(t) &\triangleq t\ \text {otherwise.} \end{aligned}$$

S can be applied to formulas by passing itself down to its terms. When \(S|_{t}\) is empty, we replace the term with 0.

The piecewise uniform replacement syntactically applies Eq. (3) (ignoring the constant) to valuation terms for valuations of the form shown in Definition 3. The following example illustrates this concretely.

Example 4

Returning to the path b shown in Example 2, consider the piecewise uniform replacement \(S = \{0, y ,1\}\) where \(0 <_{S} y <_{S} < 1\). Then \(\texttt{V}_{a}([0,y])\) and \(\texttt{V}_{a}([y,1])\) are replaced with \(y - z_{a,y}\) and \(1 - z_{a,1}\) respectively. The formula \(c(b)\) simplifies to

$$\begin{aligned} \begin{array}{l} S(c(b)) = (y - z_{1,y} = 1/2 \cdot (y - z_{1,y} + 1 - z_{1,1})) \wedge (y - z_{2,y} \ge 1 - z_{2,1}), \\ \end{array} \end{aligned}$$

and the encoding of envy-freeness becomes

$$\begin{aligned} \begin{array}{l} S(E(\rho (b))) = (y - z_{2,y} \ge 1 - z_{2,1}) \wedge (y - z_{1,y} \ge 1 - z_{1,1}). \end{array} \end{aligned}$$

Both are clearly linear inequalities in real variables.    \(\square \)

Piecewise uniform replacements are used to reduce simplified formulas to linear real inequalities:

Proposition 3

Let f be a simplified formula. Let S be a piecewise uniform replacement such that \(\#\textsf{Pt}(f)\subseteq S\). Then S(f) consists only of conjunctions and disjunctions of linear inequalities of real variables.

To apply piecewise uniform replacements in a sound way, the variable assignment must properly line it up with the valuation set; the precise conditions for this are given in the following definition.

Definition 6

Let \(\overline{U}\) be a piecewise uniform valuation set. Let S is a piecewise uniform replacement and \({{\,\mathrm{\mu }\,}}\) a variable assignment. We write \(S \xrightarrow {{{\,\mathrm{\mu }\,}}} \overline{U}\) if

1. 1.

   \(\overline{U}\) is easily replaceable on \({{\,\mathrm{\mu }\,}}(S)\) (by convention \({{\,\mathrm{\mu }\,}}(0) = 0\) and \({{\,\mathrm{\mu }\,}}(1) = 1\))

2. 2.

   \({{\,\mathrm{\mu }\,}}(z_{a,y}) = l_{a}({{\,\mathrm{\mu }\,}}(y))\) if \(y = \min \{ y'\in S \mid {{\,\mathrm{\mu }\,}}(y') = {{\,\mathrm{\mu }\,}}(y) \}\)

3. 3.

   \({{\,\mathrm{\mu }\,}}(z_{a,y}) = {{\,\mathrm{\mu }\,}}(y)\) if \(y \ne \min \{ y'\in S \mid {{\,\mathrm{\mu }\,}}(y') = {{\,\mathrm{\mu }\,}}(y) \}\)

4. 4.

   If \({{\,\mathrm{\mu }\,}}(y) < {{\,\mathrm{\mu }\,}}(y')\) then \(y <_{S} y'\).

This definition formalizes how we think of variables in a piecewise uniform replacement. Condition (1) says that \({{\,\mathrm{\mu }\,}}(S)\) captures the right endpoints of \(P(\overline{U}_{a})\) correctly, (2) and (3) together ensure that we don’t repeat values in our sums, and (4) ensures that the variable ordering is compatible with the real ordering given by \({{\,\mathrm{\mu }\,}}\).

Example 5

Let \(S = \{0, y, 1\}\), and let \(\overline{U}\) be the piecewise uniform valuation set described in Example 3. Set \({{\,\mathrm{\mu }\,}}(y) =1/2\), and

$$\begin{aligned} \begin{array}{l l} {{\,\mathrm{\mu }\,}}(z_{1,y}) = {1/2 - 1/2\cdot 1/d} \quad &{} \quad {{\,\mathrm{\mu }\,}}(z_{1,1}) = {1 - 1/2\cdot 1/d} \\ {{\,\mathrm{\mu }\,}}(z_{2,y}) = {1/2 - 1/4\cdot 1/d} \quad &{} \quad {{\,\mathrm{\mu }\,}}(z_{2,1}) = {1 - 3/4\cdot 1/d}. \end{array} \end{aligned}$$

Then \({{\,\mathrm{\mu }\,}}(S) = \{0, 1/2, 1\}\) and Example 3 illustrates that \(\overline{U}\) is easily replaceable on \({{\,\mathrm{\mu }\,}}(S)\). Also, \(z_{a,y}\) is the left endpoint, \(l_{a}(1/2)\), of the left interval for \(P_{a}(d)\), and \(z_{a,1}\) is the left endpoint, \(l_{a}(1)\), of the right interval for \(P_{a}(d)\), hence condition (2) is satisfied. Condition (3) is vacuous here. Clearly, \(0 < 1/2 < 1\) and \(0 <_{S} y <_{S} 1\) so condition (4) is satisfied. Thus we have that \(S \xrightarrow {{{\,\mathrm{\mu }\,}}} \overline{U}\).    \(\square \)

Piecewise uniform replacements preserve validity when the conditions in Definition 6 are met.

Theorem 6

Let f be a simplified formula and let S be a piecewise uniform replacement such that \(\#\textsf{Pt}(f) \subseteq S\). Let \({{\,\mathrm{\mu }\,}}\) be an assignment and \(\overline{U}\) a piecewise uniform valuation set. If \(S \xrightarrow {{{\,\mathrm{\mu }\,}}} \overline{U}\) then \({{\,\mathrm{\mathcal {A}}\,}}_{\overline{U}},{{\,\mathrm{\mu }\,}}\vDash f \iff {{\,\mathrm{\mathcal {A}}\,}}_{\overline{U}},{{\,\mathrm{\mu }\,}}\vDash S(f)\).

Example 6

We illustrate the theorem by applying it with \(S = \{0, y, 1\}\) for the formula \(c(b)\) Example 2 reproduced here:

$$\begin{aligned} \begin{array}{rl} c(b) &= (\texttt{V}_{1}([0,y]) = 1/2 \cdot \texttt{V}_1([0,1])) \wedge ( \texttt{V}_{2}([0,y]) \ge \texttt{V}_{2}([y,1])). \end{array} \end{aligned}$$

Supposing \(S \xrightarrow {{{\,\mathrm{\mu }\,}}} \overline{U}\), this formula is equivalent to its reduced version from Example 4:

$$\begin{aligned} \begin{array}{l} S(c(b)) = (y - z_{1,y} = 1/2 \cdot (y - z_{1,y} + 1 - z_{1,1})) \wedge (y - z_{2,y} \ge 1 - z_{2,1}). \end{array} \end{aligned}$$

One can verify this equivalence for the example \(\overline{U}\) and \({{\,\mathrm{\mu }\,}}\) shown in Example .

Associated with each piecewise uniform replacement S, is a formula \(\psi (S)\).

Definition 7

Let S be a piecewise uniform replacement, written \(S = \{y_1 ,\ldots ,y_{n}\}\) so that \(y_1 <_{S} \cdots < _{S} y_{n}\). We let \(\psi (S)\) denote the conjunction of the following formulas for all agents \(a,a'\in \mathbb {A}\):

$$\begin{aligned} &0 \le z_{a, y_{1}} \le y_{1} \le \cdots \le z_{a,y_{n}} \le y_{n} \le 1,& \sum _{y \in S} y - z_{a, y} &= \sum _{y \in S\setminus \{0\}} y - z_{a', y}. \end{aligned}$$

Whenever the above formula holds for some variable assignment \({{\,\mathrm{\mu }\,}}\), a piecewise uniform valuation set \(\overline{U}\) that is easily replaceable on \({{\,\mathrm{\mu }\,}}(S)\) can be constructed:

$$ P(\overline{U}_{a}) = \bigcup _{y \in S\setminus \{0\}}[{{\,\mathrm{\mu }\,}}(z_{a,y}), {{\,\mathrm{\mu }\,}}(y)], \quad \quad c (\overline{U}_{a}) = \sum _{y \in S\setminus \{0\}} {{\,\mathrm{\mu }\,}}(y) - {{\,\mathrm{\mu }\,}}(z_{a,y}). $$

This assists us in showing that our constraint reduction procedure is complete.

We now state our main theorem. For a path b, let \(S_{b}\) be the set of piecewise uniform replacements on \(\mathcal {Y}_{b}\cup \{0,1\}\)—note that this set is finite.

Theorem 7

Suppose e is well-formed and \(\cdot \vdash e : \textsf{Piece}^{\mathbb {A}}\). Then \(e \vDash E(x)\) if and only if

$$\begin{aligned} \vDash \bigwedge _{b \in B(e)} \bigwedge _{S \in S_{b}} \forall \mathcal {Y}_{b}.S(\texttt{R}(c(b)\wedge \psi (S) \Rightarrow E(\rho (b)))). \end{aligned}$$

(4)

In contrast to Theorem 2, we no longer need to quantify over valuations—a valuation set is baked into the formula through \(\psi (S)\). This also gives a valuation set witness whenever Formula (4) does not hold.

Similar to Theorem 2, this theorem can be extended to more general formulas F(x).

Proof

(sketch). For the forward direction, we assume that \(e \Downarrow _{\overline{V}} v\) and apply Theorems 5 to 3 to obtain a piecewise uniform valuation set \(\overline{U}\) for which \(e \Downarrow _{\overline{U}} v\). Then it is a matter of applying Theorem 6 and Theorem 4 to obtain that \(E(\texttt{v})\) is satisfied. For the backward direction, we suppose that Formula (4) doesn’t hold for some b and \(S_{b}\), and use \(\psi (S)\) to construct a piecewise uniform valuation set that evaluates to \(v\) yet \(E(\texttt{v})\) is not satisfied.

According to Proposition 3, Formula (4) consists entirely of linear inequalities of real variables. Thus, we have the following corollary.

Corollary 1

Let e be a well-formed and well-typed Slice protocol. Checking if e is envy-free is decidable.

6 Implementation and Evaluation

We implemented our type system and formula reduction on top of the Slice implementation. Protocols are first type-checked following our linear typing rules, and then compiled to linear real arithmetic constraints encoding envy-freeness, which are dispatched to Z3 [12].

Benchmark Protocols. In our benchmarks, we include all original protocols implemented in Slice [4]; we briefly describe them here. Cut-choose is the classic 2 agent protocol where one agent cuts and the other picks. Surplus is a two agent protocol which leaves a “surplus” piece of the cake in the center. Selfridge-Conway-Full is the classic three agent protocol [6]. Selfridge-Conway-Surplus is a variant of Selfridge-Conway-Full that disposes the trimming, and Waste-Makes-Haste-3 [16] effectively is a minor variant on Selfridge-Conway-Surplus.

We also implement two new, more complicated protocols. The first, Aziz-Mackenzie-3, is the three-agent variant of the first bounded envy-free four agent protocol with no free disposal [2]. Briefly, this protocol obtains an envy-free allocation by first obtaining a partial allocation where one agent does not care how the rest is allocated amongst the others. Cut-Choose is then applied. The second, Waste-Makes-Haste-4, is the four-agent connected variant of the Waste-Makes-Haste free disposal protocol [16, Section 6]. This protocol relies on equalize queries: \(\text {Equalize}_{a}(n)\) has agent a divide the cake to produce n equally most preferred (according to a) pieces of the cake. It can be shown using Hall’s marriage theorem that an envy-free allocation can be made from a set of pieces following some sequence of equalize queries among the agents (for 4 agents, \(n \le 5\)), although the allocation must be found through exhaustive search. This protocol exhaustively tries certain sequences of equalize queries until an envy-free allocation is obtained. Notably, this is the first four agent envy-free cake-cutting protocol to be implemented and verified.

Evaluation. Table 1 presents some statistics from verifying envy-freeness for each of our benchmark protocols. Our experiments were conducted on an M1 MacBook Pro with 16 GB of RAM. We measured the time both to compile protocols to constraints, and the actual time Z3 took to solve. We also record here the number of paths in each protocol, as well as the number of lines for the protocol implementation and the constraint formula. Each path corresponds to a distinct disjunct in the constraint. We measure this against the solving time for the original Slice constraints (Old), which uses non linear real arithmetic formulas. Our results demonstrate a reduction in solving time compared with the old constraints. The four-agent protocol is significantly more complex than the others, though Z3 can still solve the constraints efficiently.

Table 1. Verifying envy-freeness (averaged over 5 runs).

7 Related and Future Work

Cake Cutting Verification. In recent work, Lester [11] proposes a system called Crumbs to verify and disprove envy-freeness, using C bounded model checker (CBMC) instead of SMT. While performance on correct (envy-free) protocols is similar to the prior version of Slice, Lester [11] shows that Crumbs is much more effective at finding counterexamples for incorrect protocols. By using our new constraint reduction, our current work significantly outperforms Slice and Crumbs for correct protocols, and we can efficiently construct counterexamples for incorrect protocols (details in the full paper [3]). In terms of expressivity, Crumbs supports a more restrictive, higher-level query model, enabling constraint solving over bounded integer arithmetic. In contrast, our work supports all protocols written in the standard Robertson-Webb model. Our system also establishes disjointness, which Crumbs does not consider.

Substructural Type Systems. Our type system is an example of a substructural type system, which originate from substructural logics. In brief, substructural logics restrict the application of assumptions in proofs. Likewise, substructural type systems restrict the usage of variables, enabling computational resource usage to be restricted. A classic example is linear logic, due to Girard [8], which led to linear type systems [1, 10, 17, 18]. Walker [19] provides a resource for learning about substructural type systems. Our type system is designed to ensures physical disjointness of parts of the cake; we are not aware of prior work that uses substructural types for a single divisible good, though there are similar ideas in separation logic (e.g., [5]).

Formal Methods and Social Choice. Cake-cutting protocols belong to a broader literature on social choice theory, which has had many fruitful interactions with formal methods. In one direction, formal methods researchers have used interactive theorem provers to verify classical protocols and impossibility theorems in social choice theory (e.g., [13]). In the other direction, social choice researchers have used computer-aided solvers to prove novel theorems in social choice theory (e.g., [7]).

Conclusions and Future Work. Our work makes progress in cake-cutting protocol verification, through an affine type system for disjointness and a formula reduction that enables much more efficient envy-freeness checking. However, there are envy-free cake-cutting protocols even more complex than what we can verify here. The complexity of these protocols makes it difficult to even write them down in Slice, let alone the constraint compiling and solving time involved. New Slice language features may be needed to address transcription effort, while improvements to the Slice implementation and early pruning of unreachable paths could significantly decrease both compile and solving time. The most notable of these protocols is the four agent version of Aziz-Mackenzie-3 [2], which does not discard any cake, unlike Waste-Makes-Haste-4. By making our affine type system instead linear, it could be used to verify no cake is discarded for that protocol, and others already implemented.