## No full-text available

To read the full-text of this research,

you can request a copy directly from the authors.

While it was defined long ago, the extension of CTL with quantification over
atomic propositions has never been studied extensively. Considering two
different semantics (depending whether propositional quantification refers to
the Kripke structure or to its unwinding tree), we study its expressiveness
(showing in particular that QCTL coincides with Monadic Second-Order Logic for
both semantics) and characterise the complexity of its model-checking and
satisfiability problems, depending on the number of nested propositional
quantifiers (showing that the structure semantics populates the polynomial
hierarchy while the tree semantics populates the exponential hierarchy).

To read the full-text of this research,

you can request a copy directly from the authors.

... On trees (i.e. QCTL t ), the problem is Tower-complete [29]. Consequently, it is natural to ask ourselves why the additional features made the problem harder. ...

... Second-order features often lead to logics with Tower-hard satisfiability problems, as illustrated above for first-order SL( * ) and QCTL t . A good amount of research has been done independently on these logics [5,10,19,29], culminating with the Tower-hardness of SL( * ) with two quantified variables [19] and the Tower-hardness of QCTL t with just one temporal operator between existsfinally EF and exists-next EX [5] (see Section 5 for the definitions). Connections between these two formalisms have not been explicitly developed so far, perhaps because of the quite different logics: QCTL is built on top of propositional calculus and it is interpreted on infinite trees, whereas SL( * ) does not feature propositional symbols and it is essentially interpreted on finite structures. ...

... Strong of Theorem 27, we now display the usefulness of ALT as a tool for proving the Towerhardness of logics interpreted on tree-like structures. In particular, we provide semantically faithful reductions from SAT(ALT) to the satisfiability problem of four logics that were independently found to be Tower-complete: the two-variables fragment of the first-order separation logic SL(∃, * ) and its extension featuring the bounded separating implication −[1] [10,9,19], quantified CTL on trees [29], modal logic of heaps [19] and modal separation logic [20]. Thanks to the simplicity of ALT, our reductions only use strict fragments of these formalisms, allowing us to refine their non-elementary (s, h) |= emp iff dom(h) = ∅ (i.e. the heap is empty), boundaries. ...

We describe a set of simple features that are sufficient in order to make the satisfiability problem of logics interpreted on trees Tower -hard. We exhibit these features through an Auxiliary Logic on Trees (ALT ), a modal logic that essentially deals with reachability of a fixed node inside a forest and features modalities from sabotage modal logic to reason on submodels. After showing that ALT admits a Tower -complete satisfiability problem, we prove that this logic is captured by four other logics that were independently found to be Tower -complete: two-variables separation logic, quantified computation tree logic, modal logic of heaps and modal separation logic. As a by-product of establishing these connections, we discover strict fragments of these logics that are still non-elementary.

... Below, we provide a satisfaction relation |= defined on total Kripke structures, providing the so-called structure semantics for QCTL (and leading to the logic QCTL s ). However, the version of QCTL with formulae interpreted on computation trees obtained from the unfoldings of finite total Kripke structures (i.e. in that case the satisfaction relation operates on tree-like structures), is known as QCTL under the tree semantics (written QCTL t ) and is extensively studied in [36]. To define formally the semantics for propositional quantifiers, we introduce the notion of X-equivalence between two Kripke structures, with X being a set of propositional variables. ...

... So, QLTL satisfiability problem is decidable but with high complexity. By contrast, CTL with propositional quantification (written QCTL) already admits an undecidable satisfiability problem by [25] (as CTL captures the modal logic K) but its variant under the tree semantics (written QCTL t ) admits a non-elementary Tower-complete satisfiability problem [36,19] (Tower is introduced in [49]). Having a tree semantics means that the formulae of QCTL t are interpreted on computation trees obtained from the unfolding of finite (total) Kripke structures, which allows us to regain decidability (see a similar approach in [62] with a quantified version of the modal logic S4). ...

... Having a tree semantics means that the formulae of QCTL t are interpreted on computation trees obtained from the unfolding of finite (total) Kripke structures, which allows us to regain decidability (see a similar approach in [62] with a quantified version of the modal logic S4). This is a major observation from [36], partly motivated by the design of decision procedures for ATL with strategy contexts [37]. The tree semantics, as far as satisfiability is concerned, amounts to consider Kripke structures that are finite-branching trees in which all the maximal branches are infinite. ...

Adding propositional quantification to the modal logics K, T or S4 is known to lead to undecidability but CTL with propositional quantification under the tree semantics (tQCTL) admits a non-elementary Tower-complete satisfiability problem. We investigate the complexity of strict fragments of tQCTL as well as of the modal logic K with propositional quantification under the tree semantics. More specifically, we show that tQCTL restricted to the temporal operator EX is already Tower-hard, which is unexpected as EX can only enforce local properties. When tQCTL restricted to EX is interpreted on N-bounded trees for some N >= 2, we prove that the satisfiability problem is AExpPol-complete; AExpPol-hardness is established by reduction from a recently introduced tiling problem, instrumental for studying the model-checking problem for interval temporal logics. As consequences of our proof method, we prove Tower-hardness of tQCTL restricted to EF or to EXEF and of the well-known modal logics such as K, KD, GL, K4 and S4 with propositional quantification under a semantics based on classes of trees.

... Different semantics for QCTL have been studied in the literature depending on the definition of the labelling: either it refers to the finite-state model -it is the structure semantics -or it refers to the execution tree -it is the tree semantics. Both semantics are interesting and have been extensively studied [16,13,23,14,9,17]. While the tree semantics allow us to use the tree automata techniques to get decision procedures (model-checking and satisfiability are TOWER-complete [17]), the situation is quite different for the structure semantics: in this framework, model-checking is PSPACE-complete and satisfiability is undecidable [13]. ...

... Both semantics are interesting and have been extensively studied [16,13,23,14,9,17]. While the tree semantics allow us to use the tree automata techniques to get decision procedures (model-checking and satisfiability are TOWER-complete [17]), the situation is quite different for the structure semantics: in this framework, model-checking is PSPACE-complete and satisfiability is undecidable [13]. ...

... Complexity First note that these two semantics do not have the same algorithmic properties: if QCTL model-checking and satisfiability are TOWERcomplete for the tree semantics (the algorithms are based on tree automata techniques), QCTL model-checking is PSPACE-complete for the structure semantics but satisfiability is undecidable (see [17] for a survey). ...

Quantified CTL (QCTL) extends the temporal logic CTL with quantifications over atomic propositions. This extension is known to be very expressive: QCTL allows us to express complex properties over Kripke structures (it is as expressive as MSO). Several semantics exist for the quantifications: here, we work with the structure semantics, where the extra propositions label the Kripke structure (and not its execution tree), and the model-checking problem is known to be PSPACE-complete in this framework. We propose a new model-checking algorithm for QCTL based on a reduction to QBF. We consider several reduction strategies and we compare them with a prototype (based on several QBF solvers) on different examples.

... This quantification will be used to simulate quantification over strategies. Model-checking regular trees against QCTL * specifications is decidable (and, in fact, is solved by tree automata) [80]. In fact, QCTL * has been used as an intermediate logic between the low-level machinery of tree-automata and strategic logics such as ATL * with strategic contexts [81] and hierarchical SLi [37]. ...

... We begin by recalling the syntax and semantics of the logic QCTL * from [80]. ...

... Note that the alternative semantics of QCTL * , so called "structure-based semantics" is not suitable for our purposes. Both semantics are studied in [80]. ...

Model checking multi-agent systems, in which agents are distributed and thus may have different observations of the world, against strategic behaviours is known to be a complex problem in a number of settings. There are traditionally two ways of ameliorating this complexity: imposing a hierarchy on the observations of the agents, or restricting agent actions so that they are observable by all agents. We study systems of the latter kind, since they are more suitable for modelling rational agents. In particular, we define multi-agent systems in which all actions are public and study the model checking problem of such systems against Strategy Logic with equality, a very rich strategic logic that can express relevant concepts such as Nash equilibria, Pareto optimality, and due to the novel addition of equality, also evolutionary stable strategies. The main result is that the corresponding model checking problem is decidable.

... On trees (i.e. T ), the problem is TOWER-complete [28]. Consequently, it is natural to ask ourselves why the additional features made the problem harder. ...

... Second-order features often lead to logics with TOWER-hard satisfiability problems, as illustrated above for first-order ( * ) and T . A good amount of research has been done independently on these logics [5,9,17,28], culminating with the TOWER-hardness of ( * ) with two quantified variables [17] and the TOWER-hardness of T with just one temporal operator between exists-finally and exists-next [5] (see Section 4 for the definitions). Connections between these two formalisms have not been explicitly developed so far, perhaps because of the quite different logics: T is built on top of propositional calculus and it is interpreted on infinite trees, whereas ( * ) does not feature propositional symbols and it is essentially interpreted on finite structures. ...

... We now display the usefulness of ALT as a tool for proving the TOWER-hardness of logics interpreted on tree-like structures. In particular, we provide semantically faithful reductions from SAT(ALT) to the satisfiability problem of four logics that were independently found to be TOWER-complete: first-order separation logic [9], quantified CTL on trees [28], modal logic of heaps [17] and modal separation logic [18]. Our reduction only use strict fragments of these formalisms, allowing us to draw some new results on these logics. ...

We describe a set of simple features that are sufficient in order to make the satisfiability problem of logics interpreted on trees Tower-hard. We exhibit these features through an Auxiliary Logic on Trees (ALT), a modal logic that essentially deals with reachability of a fixed node inside a forest and features modalities from sabotage modal logic to reason on submodels. After showing that ALT admits a Tower-complete satisfiability problem, we prove that this logic is captured by four other logics that were independently found to be Tower-complete: two-variables separation logic, quantified computation tree logic, modal logic of heaps and modal separation logic. As a by-product of establishing these connections, we discover strict fragments of these logics that are still non-elementary.

... Approach. In order to solve the model-checking problem for SL ii we introduce an intermediate logic QCTL * ii , an extension to the imperfect-information setting of QCTL * [53], itself an extension of CTL * by second-order quantifiers over atoms. This is a low-level logic that does not mention strategies and into which one can effectively compile instances of SL ii . ...

... In this section we introduce an imperfect-information extension of QCTL * [34,46,47,53,77], which is an extension of CTL * with second-order quantification on atomic propositions. In order to introduce imperfect information, instead of considering equivalence relations between states as in concurrent game structures, we will enrich Kripke structures by giving internal structure to their states, i.e., we see states as n-tuples of local states. ...

... ii semantics Several semantics have been considered for QCTL * , the two most studied being the structure semantics and the tree semantics (see [53] for more details). For the semantics of QCTL * ii we adapt the tree semantics, and we explain the reasons for doing so in Section 3.3. ...

We introduce an extension of Strategy Logic for the imperfect-information setting, called SLii, and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, this problem is undecidable; but we introduce a syntactical class of "hierarchical instances" for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model, and we prove that model-checking SLii restricted to hierarchical instances is decidable. To establish this result we go through QCTL, an intermediary, "low-level" logic much more adapted to automata techniques. QCTL is an extension of CTL with second-order quantification over atomic propositions. We extend it to the imperfect information setting by parameterising second-order quantifiers with observations. While the model-checking problem of QCTLii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable. We apply our result to solve complex strategic problems in the imperfect-information setting. We first show that the existence of Nash equilibria for deterministic strategies is decidable in games with hierarchical information. We also introduce distributed rational synthesis, a generalisation of rational synthesis to the imperfect-information setting. Because it can easily be expressed in our logic, our main result provides solution to this problem in the case of hierarchical information.

... Different semantics for QCTL have been studied in literature depending on the definition of the labelling : either it refers to the finite-state model -it is the structure semantics -or it refers to the execution tree -it is the tree semantics. Both semantics are interesting and have been extensively studied [9,7,13,8,4,10]. While the tree semantics allow us to use the tree automata techniques to get decision procedures (model-checking and satisfiability are TOWER-complete [10]), the situation is quite different for the structure semantics : in this framework, model-checking is PSPACE-complete and satisfiability is undecidable [7]. ...

... Both semantics are interesting and have been extensively studied [9,7,13,8,4,10]. While the tree semantics allow us to use the tree automata techniques to get decision procedures (model-checking and satisfiability are TOWER-complete [10]), the situation is quite different for the structure semantics : in this framework, model-checking is PSPACE-complete and satisfiability is undecidable [7]. ...

... Moreover, these two semantics do not have the same algorithmic properties : if QCTL model-checking and satisfiability are TOWER-complete for the tree semantics (the algorithms are based on tree automata techniques), QCTL model-checking is PSPACE-complete for the structure semantics but satisfiability is undecidable. (see [10] for a survey). Nevertheless, in both semantics, QCTL and QCTL * (the extension of CTL * with quantifications) are equally expressive, and are as expressive 1 as the Monadic Second-Order Logic over the finite structure or the infinite trees (depending on the semantics). ...

QCTL extends the temporal logic CTL with quantifications over atomic propositions. This extension is known to be very expressive: QCTL allows us to express complex properties over Kripke structures (it is as expressive as MSO). Several semantics exist for the quantifications: here, we work with the structure semantics, where the extra propositions label the Kripke structure (and not its execution tree), and the model-checking problem is known to be PSPACE-complete in this framework. We propose a model-checking algorithm for QCTL based on a reduction to QBF. We consider several reduction strategies, and we compare them with a prototype (based on the SMT-solver Z3) on several examples.

... ◮ Remark 10. As with SL[F ], we will see that the suprema in the above definition can be replaced with maxima (see Lemma 13 below [52]. Note also that the quantifier on propositions does not range over arbitrary values in [0, 1]. ...

... Note that this semantics is an extension of the tree semantics of QCTL ⋆ , in which the valuation of quantified atomic propositions is chosen on the unfolding of the Kripke structure instead of the states. This allows us to capture the semantics of Strategy Logic based on strategies with perfect recall, where moves can depend on the history, as apposed to the memoryless semantics, where strategies can only depend on the current state (see [52] for more detail). ...

... Clearly, EQ k CTL ⋆ can be translated in BQCTL ⋆ [F ] with formulas of linear size and nesting depth at most k (alternation is simply coded by placing function ¬ between quantifiers). It is proved in [52] that model checking EQ k CTL ⋆ is (k + 1)-Exptime-hard. ...

Temporal logics are extensively used for the specification of on-going behaviours of reactive systems. Two significant developments in this area are the extension of traditional temporal logics with modalities that enable the specification of on-going strategic behaviours in multi-agent systems, and the transition of temporal logics to a quantitative setting, where different satisfaction values enable the specifier to formalise concepts such as certainty or quality. We introduce and study FSL---a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an FSL formula is a real value in [0,1], reflecting `how much' or `how well' the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of FSL in quantitative reasoning about multi-agent systems, by showing how it can express concepts of stability in multi-agent systems, and how it generalises some fuzzy temporal logics. We also provide a model-checking algorithm for our logic, based on a quantitative extension of Quantified CTL*.

... In particular, the model-checking problem for the k-alternation 145 fragment was proved to be k-EXPSPACE-complete. More recently, [41] discusses qctl, a quantified version of the braching-time temporal logic ctl. The authors prove several complexity and expressivity results for a logic that has more modal operators than sopml. ...

... One such question is the relative expressivity of sopml and qctl. As mentioned in Section 1.1, the variant of sopml with full domain of quantification is similar to one of the variants of qctl presented in [41], with the main difference being that qctl is based on ctl, while sopml is based on basic modal logic. The temporal logic ctl has more operators than modal logic, and it is strictly more expressive. ...

... (2) Detailed comments page 5, sentence that summarises relevant content of reference [41] as an "independence result" seems misleading to me. It should also be stressed 2305 that [41] deals with (the SO-extension of ) mono-modal S5, which can hardly be considered an (interesting) "class of epistemic frames", since these are essentially just naked sets. ...

In this paper we advance the state-of-the-art on the application of second-order propositional modal logic (SOPML) in the representation of individual and group knowledge, as well as temporal and spatial reasoning. The main theoretical contributions of the paper can be summarised as follows. Firstly, we introduce the language of (multi-modal) SOPML and interpret it on a variety of different classes of Kripke frames according to the features of the accessibility relations and of the algebraic structure of the quantification domain of propositions. We provide axiomatisations for some of these classes, and show that SOPML is unaxiomatisable on the remaining classes. Secondly, we introduce novel notions of (bi)simulations and prove that they indeed preserve the interpretation of formulas in (the universal fragment of) SOPML. Then, we apply this formal machinery to study the expressiveness of Second-order Propositional Epistemic Logic (SOPEL) in representing higher-order knowledge, i.e., the knowledge agents have about other agents’ knowledge, as well as graph-theoretic notions (e.g., 3-colorability, Hamiltonian paths, etc.). The final outcome is a rich formalism to represent and reason about relevant concepts in artificial intelligence, while still having a model checking problem that is no more computationally expensive than that of the less expressive quantified boolean logic.

... Instead we build upon the proof presented in [24] that establishes the decidability of model checking ATL * sc by reduction to the model-checking problem for Quantified CTL * (QCTL * ). The latter extends CTL * with second-order quantification on atomic propositions, and it has been well studied [36,20,21,14,23]. QCTL * i , an imperfect-information extension of QCTL * , has recently been introduced, and its modelchecking problem was proven decidable for the class of hierarchical formulas [3]. ...

... Quantified CTL * , or QCTL * for short, is an extension of CTL * with second-order quantifiers on atomic propositions that has been well studied [36,20,21,23]. It has recently been further extended to take into account imperfect information, resulting in the logic called QCTL * with imperfect information, or QCTL * i [3]. ...

... The intuition is that a quantifier with observation o must choose the valuation of atomic propositions uniformly with respect to o. Note that in [3], two semantics are considered for QCTL * i , just like in [23] for QCTL * : the structure semantics and the tree semantics. In the former, formulas are evaluated directly on the structure, while in the latter the structure is first unfolded into an infinite tree. ...

Alternating-time Temporal Logic (ATL*) is a central logic for multiagent systems. Its extension to the imperfect information setting (ATL*i ) is well known to have an undecidable model-checking problem when agents have perfect recall. Studies have thus mostly focused either on agents without memory, or on alternative semantics to retrieve decidability. In this work we establish new decidability results for agents with perfect recall: We first prove a meta-theorem that allows the transfer of decidability results for classes of multiplayer games with imperfect information, such as games with hierarchical observation, to the model-checking problem for ATL*i . We then establish that model checking ATL* with strategy context and imperfect information is decidable when restricted to hierarchical instances.

... As a tool to study SL ii we introduce QCTL * ii , an extension to the imperfect-information setting of QCTL * [16], itself an extension of CTL * by second-order quantifiers over atoms. This is a low-level logic that does not mention strategies and into which one can effectively compile instances of SL ii . ...

... In this section we introduce an imperfect-information extension of QCTL * [16], [25]- [29]. In order to introduce imperfect information, instead of considering equivalence relations between states as in concurrent game structures, we will enrich Kripke structures by giving internal structure to their states, i.e., we see states as n-tuples of local states. ...

... Formulas of MSO eq are interpreted on trees, and the semantics of eq(x, y) is that x and y have the same depth in the tree. There is a translation of MSO-formulas to QCTL * -formulas that preserves satisfaction [16]. This translation can be extended to map MSO eqformulas to QCTL * ii -formulas using the formula level(·) from Example 2 to help capture the equal-length predicate. ...

We introduce an extension of Strategy logic for the imperfect-information setting, called SL ii , and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, the problem turns out to be undecidable. We introduce a syntactical class of " hierarchical instances " for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model. We prove that model-checking SL ii restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises previous ones, such as decidability of multi-player games with imperfect information and hierarchical observations, and decidability of distributed synthesis for hierarchical systems. To establish the decidability result, we introduce and study QCTL * ii , an extension of QCTL (itself an extension of CTL with second-order quantification over atomic propositions) by parameterising its quantifiers with observations. The simple syntax of QCTL * ii allows us to provide a conceptually neat reduction of SL ii to QCTL * ii that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of QCTL * ii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable. The decidability result for SL ii follows since the reduction maps hierarchical instances of SL ii to hierarchical formulas of QCTL * ii .

... As a tool to study SL ii we introduce QCTL * ii , an extension to the imperfect-information setting of QCTL * [16], itself an extension of CTL * by second-order quantifiers over atoms. This is a low-level logic that does not mention strategies and into which one can effectively compile instances of SL ii . ...

... In this section we introduce an imperfect-information extension of QCTL * [16], [25]- [29]. In order to introduce imperfect information, instead of considering equivalence relations between states as in concurrent game structures, we will enrich Kripke structures by giving internal structure to their states, i.e., we see states as n-tuples of local states. ...

... Formulas of MSO eq are interpreted on trees, and the semantics of eq(x, y) is that x and y have the same depth in the tree. There is a translation of MSO-formulas to QCTL * -formulas that preserves satisfaction [16]. This translation can be extended to map MSO eqformulas to QCTL * ii -formulas using the formula level(·) from Example 2 to help capture the equal-length predicate. ...

We introduce an extension of Strategy logic for the imperfect-information setting, called SL ii , and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, the problem turns out to be undecidable. We introduce a syntactical class of " hierarchical instances " for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model. We prove that model-checking SL ii restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises previous ones, such as decidability of multi-player games with imperfect information and hierarchical observations, and decidability of distributed synthesis for hierarchical systems. To establish the decidability result, we introduce and study QCTL * ii , an extension of QCTL (itself an extension of CTL with second-order quantification over atomic propositions) by parameterising its quantifiers with observations. The simple syntax of QCTL * ii allows us to provide a conceptually neat reduction of SL ii to QCTL * ii that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of QCTL * ii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable. The decidability result for SL ii follows since the reduction maps hierarchical instances of SL ii to hierarchical formulas of QCTL * ii .

... Instead we build upon the proof presented in [24] that establishes the decidability of model checking ATL * sc by reduction to the model-checking problem for Quantified CTL * (QCTL * ). The latter extends CTL * with second-order quantification on atomic propositions, and it has been well studied [33,20,21,14,23]. QCTL * i , an imperfect-information extension of QCTL * , has recently been introduced, and its model-checking problem was proven decidable for the class of hierarchical formulas [3]. ...

... Quantified CTL * , or QCTL * for short, is an extension of CTL * with second-order quantifiers on atomic propositions that has been well studied [33,20,21,23]. It has recently been further extended to take into account imperfect information, resulting in the logic called QCTL * with imperfect information, or QCTL * i [3]. ...

... The intuition is that a quantifier with observation o must choose the valuation of atomic propositions uniformly with respect to o. Note that in [3], two semantics are considered for QCTL * i , just like in [23] for QCTL * : the structure semantics and the tree semantics. In the former, formulas are evaluated directly on the structure, while in the latter the structure is first unfolded into an infinite tree. ...

... In the landscape of temporal logics, another breakthrough contribution comes from Quantified CTL * (QCTL * ), which extends CTL * with the possibility to quantify over atomic propositions [45,22,23,29]. QCTL * turns out to be very expressive (indeed, it is equivalent to Monadic Second-Ordel Logic, MSO for short) and was usefully applied in a number of scenarios. ...

... QCTL * turns out to be very expressive (indeed, it is equivalent to Monadic Second-Ordel Logic, MSO for short) and was usefully applied in a number of scenarios. Recently it has come to the fore as a convenient and uniform intermediary logic to easily obtain algorithms for ATL * sc , SL, as well as related formalisms [29,32,33]. Indeed, strategies can be represented by atomic propositions labelling the execution tree of the game structure under study, and strategy quantification can thus be expressed by means of propositional quantifications. ...

... The semantics is adapted to capture the idea of quantifications on atomic propositions being made with partial observation. Like in [29], we consider both structure and tree semantics. ...

Quantified CTL (QCTL) is a well-studied temporal logic that extends CTL with quantification over atomic propositions. It has recently come to the fore as a powerful intermediary framework to study logics for strategic reasoning. We extend it to include imperfect information by parameterizing quantifiers with an observation that defines how well they observe the model, thus constraining their behaviour. We consider two different semantics, one related to the notion of no memory, the other to perfect recall. We study the expressiveness of our logic, and show that it coincides with MSO for the first semantics and with MSO with equal level for the second one. We establish that the model-checking problem is Pspace-complete for the first semantics. While it is undecidable for the second one, we identify a syntactic fragment, defined by a notion of hierarchical formula, which we prove to be decidable thanks to an automata-theoretic approach.

... where P ranges over AP. We briefly review QCTL * here, and refer to [LM14] for more details and examples. ...

... We will reuse it later in our construction. Theorem 8 ( [LM14]). ...

... Below we show how to translate a formula ϕ s of ATL * sc,0 into a formula of " ϕ s of QCTL * such that we will have C , q 0 |= ϕ s for a state q 0 of C iff K C , q 0 |= st " ϕ s . Note that at the opposite of the previous section, we consider here the structure semantics [LM14] when performing the model-checking of K C : this means that instead of ranging over labelings of the execution tree, propositional quantification ranges over labelings of the Kripke structure. This is due to the fact that the compatible memoryless strategies we take here into account are functions mapping equivalent states (and not anymore path of equivalent states) to the same move. ...

Alternating-time temporal logic with strategy contexts (ATLsc) is a powerful
formalism for expressing properties of multi-agent systems: it extends CTL with
strategy quantifiers, offering a convenient way of expressing both
collaboration and antagonism between several agents. Incomplete observation of
the state space is a desirable feature in such a framework, but it quickly
leads to undecidable verification problems. In this paper, we prove that
uniform incomplete observation (where all players have the same observation)
preserves decidability of the model-checking problem, even for very expressive
logics such as ATLsc.

... To do so we extend the classic approach, which is to reduce to QCTL * , the extension of CTL * with quantification on atomic propositions. This logic is equivalent to MSO on infinite trees (Laroussinie and Markey 2014), and it is easy to express that a strategy (or the atomic propositions that code for it) refines another one. Definition 6. ...

... The simulation depth for QCTL * is defined exactly as for SL ≺ , with the case for ∃p ϕ corresponding to ∃x ϕ. The following is proved in (Laroussinie and Markey 2014): ...

Nondeterministic strategies are strategies (or protocols, or plans) that, given a history in a game, assign a set of possible actions, all of which are winning. An important problem is that of refining such strategies. For instance, given a nondeterministic strategy that allows only safe executions, refine it to, additionally, eventually reach a desired state of affairs. We show that strategic problems involving strategy refinement can be solved elegantly in the framework of Strategy Logic (SL), a very expressive logic to reason about strategic abilities. Specifically, we introduce an extension of SL with nondeterministic strategies and an operator expressing strategy refinement. We show that model checking this logic can be done at no additional computational cost with respect to standard SL, and can be used to solve a variety of problems such as synthesis of maximally permissive strategies or refinement of Nash equilibria.

... Our approach to solve the model-checking problem for our logic extends that followed in (Laroussinie and Markey 2015;Berthon et al. 2017), which consists in "compiling" the strategic logic under study into an opportune variant of Quantified CTL * , or QCTL * for short (Laroussinie and Markey 2014). This is an extension of CTL * with secondorder quantification on propositions which serves as an intermediary, low-level logic between strategic logics and tree automata. ...

... We prove this result by reducing it to the model-checking problem for the hierarchical fragment of an extension of QCTL * with imperfect information, knowledge and observation change, which we now introduce and study in order to use it as an intermediate, "low-level" logic between tree automata and ESL. QCTL * ii with knowledge and observation change QCTL * extends CTL * with second order quantification on atomic propositions (Emerson and Sistla 1984;Kupferman 1995;Kupferman et al. 2000;French 2001;Laroussinie and Markey 2014). It was recently extended to model imperfect-information aspects, resulting in the logic called QCTL * ii (Berthon et al. 2017). ...

Two distinct semantics have been considered for knowledge in the context of strategic reasoning, depending on whether players know each other's strategy or not. In the former case, that we call the informed semantics, distributed synthesis for epistemic temporal specifications is undecidable, already on systems with hierarchical information. However, for the other, uninformed semantics, the problem is decid-able on such systems. In this work we generalise this result by introducing an epistemic extension of Strategy Logic with imperfect information. The semantics of knowledge operators is uninformed, and captures agents that can change observation power when they change strategies. We solve the model-checking problem on a class of "hierarchical in-stances", which provides a solution to a vast class of strategic problems with epistemic temporal specifications, such as distributed or rational synthesis, on hierarchical systems.

... Our approach to solve the model-checking problem for our logic extends that followed in (Laroussinie and Markey 2015;Berthon et al. 2017), which consists in "compiling" the strategic logic under study into an opportune variant of Quantified CTL * , or QCTL * for short (Laroussinie and Markey 2014). This is an extension of CTL * with secondorder quantification on propositions which serves as an intermediary, low-level logic between strategic logics and tree automata. ...

... We prove this result by reducing it to the model-checking problem for the hierarchical fragment of an extension of QCTL * with imperfect information, knowledge and observation change, which we now introduce and study in order to use it as an intermediate, "low-level" logic between tree automata and ESL. QCTL * ii with knowledge and observation change QCTL * extends CTL * with second order quantification on atomic propositions (Emerson and Sistla 1984;Kupferman 1995;Kupferman et al. 2000;French 2001;Laroussinie and Markey 2014). It was recently extended to model imperfect-information aspects, resulting in the logic called QCTL * ii (Berthon et al. 2017). ...

Two distinct semantics have been considered for knowledge in the context of strategic reasoning, depending on whether players know each other’s strategy or not. The problem of distributed synthesis for epistemic temporal specifications is known to be undecidable for the latter semantics, already on systems with hierarchical information. However, for the other, uninformed semantics, the problem is decidable on such systems. In this work we generalise this result by introducing an epistemic extension of Strategy Logic with imperfect information. The semantics of knowledge operators is uninformed, and captures agents that can change observation power when they change strategies. We solve the model-checking problem on a class of "hierarchical instances", which provides a solution to a vast class of strategic problems with epistemic temporal specifications on hierarchical systems, such as distributed synthesis or rational synthesis.

... As for the upper bound of MCP for LDL-SL, we conjecture that we could reduce the MCP for LDL-SL into that for QCTL * under the tree semantics [40], inspired by the approach proposed in [41]. ...

Specification and verification of coalitional strategic abilities have been an active research area in multi-agent systems, artificial intelligence, and game theory. Recently, many strategic logics, e.g., Strategy Logic (SL) and alternating-time temporal logic (ATL*), have been proposed based on classical temporal logics, e.g., linear-time temporal logic (LTL) and computational tree logic (CTL*), respectively. However, these logics cannot express general ω-regular properties, the need for which are considered compelling from practical applications, especially in industry. To remedy this problem, in this paper, based on linear dynamic logic (LDL), proposed by Moshe Y. Vardi, we propose LDL-based Strategy Logic (LDL-SL). Interpreted on concurrent game structures, LDL-SL extends SL, which contains existential/universal quantification operators about regular expressions. Here we adopt a branching-time version. This logic can express general ω-regular properties and describe more programmed constraints about individual/group strategies. Then we study three types of fragments (i.e., one-goal, ATL-like, star-free) of LDL-SL. Furthermore, we show that prevalent strategic logics based on LTL/CTL*, such as SL/ATL*, are exactly equivalent with those corresponding star-free strategic logics, where only star-free regular expressions are considered. Moreover, results show that reasoning complexity about the model-checking problems for these new logics, including one-goal and ATL-like fragments, is not harder than those of corresponding SL or ATL*.

... To the best of our knowledge, this is the first attempt to provide a compositional account of behavioral constraints. We believe the generality and flexibility of the semantic settings opens up the possibility of a systematic investigation of the impact of this type of constraints in quantified temporal logics, such as QCTL [15], [42], HyperLTL/CTL* [6], [7], [11], [12], [14], Coordination Logic [13], and Strategy Logic [5], [48]. APPENDIX A. Proofs for Section II Proposition 1. X ⊆ X and X ≡ X, for all X ∈ HAsg. ...

An extension of QPTL is considered where functional dependencies among the quantified variables can be restricted in such a way that their current values are independent of the future values of the other variables. This restriction is tightly connected to the notion of behavioral strategies in game-theory and allows the resulting logic to naturally express game-theoretic concepts. The fragment where only restricted quantifications are considered, called behavioral quantifications, can be decided, for both model checking and satisfiability, in 2ExpTime and is expressively equivalent to QPTL, though significantly less succinct.

... We first consider the simpler case of pushdown systems. We extend the approach followed in [BMM + 17], which consists in reducing the model-checking problem for SL iR to that of QCTL * iR , an intermediary, low-level logic introduced in [BMM + 17] as an imperfectinformation extension of QCTL * [LM14], which itself extends CTL * with second-order quantification on atomic propositions. In [BMM + 17], QCTL * iR is evaluated on finite compound Kripke structures, which are Kripke structures whose states are tuples of local states, and the second-order quantifiers are parameterised by an indication of which components of states they can observe. ...

Strategy Logic with imperfect information (SLiR) is a very expressive logic designed to express complex properties of strategic abilities in distributed systems. Previous work on SLiR focused on finite systems, and showed that the model-checking problem is decidable when information on the control states of the system is hierarchical among the players or components of the system, meaning that the players or components can be totally ordered according to their respective knowledge of the state. We show that moving from finite to infinite systems generated by collapsible (higher-order) pushdown systems preserves decidability, under the natural restriction that the stack content is visible. The proof follows the same lines as in the case of finite systems, but requires to use (collapsible) alternating pushdown tree automata. Such automata are undecidable, but semi-alternating pushdown tree automata were introduced and proved decidable, to study a strategic problem on pushdown systems with two players. In order to tackle multiple players with hierarchical information, we refine further these automata: we define direction-guided (collapsible) pushdown tree automata, and show that they are stable under projection, nondeterminisation and narrowing. For the latter operation, used to deal with imperfect information, stability holds under some assumption that is satisfied when used for systems with visible stack. We then use these automata to prove our main result.

... While ICPDL allows intersection, loop and converse, we also look at EQ-ICPDL where we allow existential quantification over new propositional variables in a similar spirit as in [22]. Thus, formulae of EQ-ICPDL(Σ, Γ) have the form Ψ = ∃p 1 , . . . ...

In this paper, we analyze timed systems with data structures, using a rich interplay of logic and properties of graphs. We start by describing behaviors of timed systems using graphs with timing constraints. Such a graph is called realizable if we can assign time-stamps to nodes or events so that they are consistent with the timing constraints. The logical definability of several graph properties has been a challenging problem, and we show, using a highly non-trivial argument, that the realizability property for collections of graphs with strict timing constraints is logically definable in a class of propositional dynamic logic (EQ-ICPDL), which is strictly contained in MSO. Using this result, we propose a novel, algorithmically efficient and uniform proof technique for the analysis of timed systems enriched with auxiliary data structures, like stacks and queues. Our technique unravels new results (for emptiness checking as well as model checking) for timed systems with richer features than considered so far, while also recovering existing results.

... This is a severe limitation in ATL/ATL * and has been studied under the name of irrevocability of strategies in [1]. Remarkably, this feature can be handled with more sophisticated logics such as Strategy Logics [9,24], ATL with strategy contexts [22], and quantified CTL [21]. However, for such logics, the relative model checking question turns out to be non-elementary. ...

Module checking has been introduced in late 1990s to verify open systems, i.e., systems whose behavior depends on the continuous interaction with the environment. Classically, module checking has been investigated with respect to specifications given as CTL and CTL* formulas. Recently, it has been shown that CTL (resp., CTL*) module checking offers a distinctly different perspective from the better-known problem of ATL (resp., ATL*) model checking. In particular, ATL (resp., ATL*) module checking strictly enhances the expressiveness of both CTL (resp., CTL*) module checking and ATL (resp. ATL*) model checking. In this paper, we provide asymptotically optimal bounds on the computational cost of module checking against ATL and ATL*, whose upper bounds are based on an automata-theoretic approach. We show that module-checking for ATL is EXPTIME-complete, which is the same complexity of module checking against CTL. On the other hand, ATL* module checking turns out to be 3EXPTIME-complete, hence exponentially harder than CTL* module checking.

An extension of QPTL is considered where functional dependencies among the quantified variables can be restricted in such a way that their current values are independent of the future values of the other variables. This restriction is tightly connected to the notion of behavioral strategies in game-theory and allows the resulting logic to naturally express game-theoretic concepts. Inspired by the work on logics of dependence and independence, we provide a new compositional semantics for QPTL that allows for expressing such functional dependencies among variables. The fragment where only restricted quantifications are considered, called behavioral quantifications , allows for linear-time properties that are satisfiable if and only if they are realisable in the Pnueli-Rosner sense. This fragment can be decided, for both model checking and satisfiability , in 2E xp T ime and is expressively equivalent to QPTL , though significantly less succinct .

We introduce an extension of Strategy Logic for the imperfect-information setting, called SL ii and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, this problem is undecidable; but we introduce a syntactical class of “hierarchical instances” for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model, and we prove that model-checking SL ii restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises the decidability of distributed synthesis for systems with hierarchical information. It allows us to easily derive new decidability results concerning strategic problems under imperfect information such as the existence of Nash equilibria or rational synthesis.
To establish this result, we go through an intermediary, “low-level” logic much more adapted to automata techniques. QCTL * is an extension of CTL * with second-order quantification over atomic propositions that has been used to study strategic logics with perfect information. We extend it to the imperfect information setting by parameterising second-order quantifiers with observations. The simple syntax of the resulting logic, QCTL * ii , allows us to provide a conceptually neat reduction of SL ii to QCTL * ii that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of QCTL * ii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable.

Quantified CTL (QCTL) extends the temporal logic CTL with quantifications over atomic propositions. This extension is known to be very expressive: QCTL allows us to express complex properties over Kripke structures (it is as expressive as MSO). Several semantics exist for the quantifications: here, we work with the structure semantics, where the extra propositions label the Kripke structure (and not its execution tree), and the model-checking problem is known to be PSPACE-complete in this framework. We propose a new model-checking algorithm for QCTL based on a reduction to QBF. We consider several reduction strategies and we compare them with a prototype (based on several QBF solvers) on different examples.

We study the expressivity and complexity of two modal logics interpreted on finite forests and equipped with standard modalities to reason on submodels. The logic ML(C) extends the modal logic K with the composition operator C from ambient logic, whereas ML(∗) features the separating conjunction ∗ from separation logic. Both operators are second-order in nature.
We show that ML(C) is as expressive as the graded modal logic GML (on trees) whereas ML(∗) is strictly less expressive than GML. Moreover, we establish that the satisfiability problem is Tower-complete for ML(∗), whereas it is (only) AExpPol-complete for ML(C), a result which is surprising given their relative expressivity. As by-products, we solve open problems related to sister logics such as static ambient logic and modal separation logic.

The study of graph structure has advanced in recent years with great strides: finite graphs can be described algebraically, enabling them to be constructed out of more basic elements. Separately the properties of graphs can be studied in a logical language called monadic second-order logic. In this book, these two features of graph structure are brought together for the first time in a presentation that unifies and synthesizes research over the last 25 years. The authors not only provide a thorough description of the theory, but also detail its applications, on the one hand to the construction of graph algorithms, and, on the other to the extension of formal language theory to finite graphs. Consequently the book will be of interest to graduate students and researchers in graph theory, finite model theory, formal language theory, and complexity theory.

The differences between and appropriateness of branching versus linear time temporal logic for reasoning about concurrent programs are studied. These issues have been previously considered by Lamport. To facilitate a careful examination of these issues, a language, CTL*, in which a universal or existential path quantifier can prefix an arbitrary linear time assertion, is defined. The expressive power of a number of sublanguages is then compared. CTL* is also related to the logics MPL of Abrahamson and PL of Harel, Kozen, and Parikh. The paper concludes with a comparison of the utility of branching and linear time temporal logics.

We give an efficient procedure for verifying that a finite-state concurrent system meets a specification expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global state graph for the concurrent system. We also show how this approach can be adapted to handle fairness. We argue that our technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems. Experimental results show that state machines with several hundred states can be checked in a matter of seconds.

The complexity of satisfiability and determination of truth in a particular finite structure are considered for different propositional linear temporal logics. It is shown that these problems are NP-complete for the logic with F and are PSPACE-complete for the logics with F, X, with U, with U, S, X operators and for the extended logic with regular operators given by Wolper.

A specification formalism for reactive systems defines a class of Ω-languages. We call a specification formalism fully decidable if it is constructively closed under boolean operations and has a decidable satisfiability (nonemptiness) problem. There are two important, robust classes of Ω-languages that are definable by fully decidable formalisms. The Ω -reqular languages are definable by finite automata, or equivalcntly, by the Sequential Calculus. The counter-free Ω-regular languages are definable by temporal logic, or equivalcntly, by the first-order fragment of the Sequential Calculus. The gap between both classes can be closed by finite counting (using automata connectives), or equivalently, by projection (existential second-order quantification over letters).
A specification formalism for real-time systems defines a class of timed Ω-langnages, whose letters have real-numbered time stamps. Two popular ways of specifying timing constraints rely on the use of clocks, and on the use of time bounds for temporal operators. However, temporal logics with clocks or time bounds have undecidable satisfiability problems, and finite automata with clocks (so-called timed automata) are not closed under complement. Therefore, two fully decidable restrictions of these formalisms have been proposed. In the first case, clocks are restricted to event clocks, which measure distances to immediately preceding or succeeding events only. In the second case, time bounds are restricted to nonsingular intervals, which cannot specify the exact punctuality of events. We show that the resulting classes of timed Ω-languages are robust, and we explain their relationship.
First, we show that temporal logic with event clocks defines the same class of timed Ω-languages as temporal logic with nonsingular time bounds, and we identify a first-order monadic theory that also defines this class. Second, we show that if the ability of finite counting is added to these formalisms, we obtain the class of timed Ω-languages that are definable by finite automata with event clocks, or equivalently, by a restricted second-order extension of the monadic theory. Third, we show that if projection is added, we obtain the class of timed Ω-languages that are definable by timed automata, or equivalently, by a richer second-order extension of the monadic theory. These results identify three robust classes of timed Ω-languages, of which the third, while popular, is not definable by a, fully decidable formalism. By contrast, the first two classes are definable by fully decidable formalisms from temporal logic, from automata theory, and from monadic logic. Since the gap between these two classes can be closed by finite counting, we dub them the timed Ω-regular languages and the timed counter-free Ω-rcgular languages, respectively.

The paper focuses on extending to the first order case the semantical program for modalities first introduced by Dana Scott and Richard Montague. We focus on the study of neighborhood frames with constant domains and we offer in the first part of the paper a series of new completeness results for salient classical systems of first order modal logic. Among other results we show that it is possible to prove strong completeness results for normal systems without the Barcan Formula (like FOL + K)in terms of neighborhood frames with constant domains. The first order models we present permit the study of many epistemic modalities recently proposed in computer science as well as the development of adequate models for monadic operators of high probability. Models of this type are either difficult of impossible to build in terms of relational Kripkean semantics [40].
We conclude by introducing general first order neighborhood frames with constant domains and we offer a general completeness result for the entire family of classical first order modal systems in terms of them, circumventing some well-known problems of propositional and first order neighborhood semantics (mainly the fact that many classical modal logics are incomplete with respect to an unmodified version of either neighborhood or relational frames). We argue that the semantical program that thus arises offers the first complete semantic unification of the family of classical first order modal logics.

Two complexity measures for query languages are proposed. Data complexity is the complexity of evaluating a query in the language as a function of the size of the database, and expression complexity is the complexity of evaluating a query in the language as a function of the size of the expression defining the query. We study the data and expression complexity of logical languages - relational calculus and its extensions by transitive closure, fixpoint and second order existential quantification - and algebraic languages - relational algebra and its extensions by bounded and unbounded looping. The pattern which will be shown is that the expression complexity of the investigated languages is one exponential higher then their data complexity, and for both types of complexity we show completeness in some complexity class.

In open systems verification, to formally check for reliability, one needs an appropriate formalism to model the interaction between agents and express the correctness of the system no matter how the environment behaves. An important contribution in this context is given by modal logics for strategic ability, in the setting of multiagent games, such as Atl, Atl*, and the like. Recently, Chatterjee, Henzinger, and Piterman introduced Strategy Logic, which we denote here by CHP-Sl, with the aim of getting a powerful framework for reasoning explicitly about strategies. CHP-Sl is obtained by using first-order quantifications over strategies and has been investigated in the very specific setting of two-agents turned-based games, where a nonelementary model-checking algorithm has been provided. While CHP-Sl is a very expressive logic, we claim that it does not fully capture the strategic aspects of multiagent systems.
In this article, we introduce and study a more general strategy logic, denoted Sl, for reasoning about strategies in multiagent concurrent games. As a key aspect, strategies in Sl are not intrinsically glued to a specific agent, but an explicit binding operator allows an agent to bind to a strategy variable. This allows agents to share strategies or reuse one previously adopted. We prove that Sl strictly includes CHP-Sl, while maintaining a decidable model-checking problem. In particular, the algorithm we propose is computationally not harder than the best one known for CHP-Sl. Moreover, we prove that such a problem for Sl is NonElementary. This negative result has spurred us to investigate syntactic fragments of Sl, strictly subsuming Atl*, with the hope of obtaining an elementary model-checking problem. Among others, we introduce and study the sublogics Sl[ng], Sl[bg], and Sl[1g]. They encompass formulas in a special prenex normal form having, respectively, nested temporal goals, Boolean combinations of goals, and, a single goal at a time. Intuitively, for a goal, we mean a sequence of bindings, one for each agent, followed by an Ltl formula. We prove that the model-checking problem for Sl[1g] is 2ExpTime-complete, thus not harder than the one for Atl*. In contrast, Sl[ng] turns out to be NonElementary-hard, strengthening the corresponding result for Sl. Regarding Sl[bg], we show that it includes CHP-Sl and its model-checking is decidable with a 2ExpTimelower-bound.
It is worth enlightening that to achieve the positive results about Sl[1g], we introduce a fundamental property of the semantics of this logic, called behavioral, which allows to strongly simplify the reasoning about strategies. Indeed, in a nonbehavioral logic such as Sl[bg] and the subsuming ones, to satisfy a formula, one has to take into account that a move of an agent, at a given moment of a play, may depend on the moves taken by any agent in another counterfactual play.

The emerging technology of interacting systems calls for new for- malisms to ensure their reliability. Concurrent games are paradigmatic abstract models for which several logics have been studied. However, the existing for- malisms show certain limitations in face of the range of strategy properties re- quired to address intuitive situations. We propose a generi c solution to specify expressive constraints on strategies in concurrent games. Our formalism natu- rally extends alternating-time logics while being highly fl exible to combine con- straints. Our approach is constructive and can synthesize many types of complex strategies, via automata-theoretic techniques.

We consider an extension of the mu-calculus as a general framework to describe and synthesize controllers. This extension
is obtained by quantifying atomic propositions, we call the resulting logic quantified mu-calculus. We study its main theoretical properties and show its adequacy to control applications. The proposed framework is expressive
: it offers a uniform way to describe as varied parameters as the kind of systems (closed or open), the control objective,
the type of interaction between the controller and the system, the optimality criteria (fairness, maximally permissive), etc.
To our knowledge, none of the former approaches can capture such a wide range of concepts.

There has been a growing interest in detecting whether a logic specifi- cation holds in the system vacuously. For example, a specification "every request is eventually followed by an acknowledgment" holds vacuously on those sys- tems that never generate requests. In a recent paper, Armoni et al. have argued against previous definitions of vacuity, defined as sensitivity with respect to syn- tactic perturbation. They suggested that vacuity should be robust, i.e., insensitive to trivial changes in the logic and in the model, and is better described as sensitiv- ity with respect to semantic perturbation, represented by universal propositional quantification. In this paper, we extend the above suggestion by giving a formal definition of robust vacuity that allows us to define and detect vacuous satisfaction and vacuous failure for arbitrary CTL* properties, even with respect to multiple occurrences of subformulas. We discuss complexity of our approaches and study the relationship between vacuity and abstraction.

Translating linear temporal logic formulas to automata has proven to be an effective approach for implementing linear-time model-checking, and for obtaining many extensions and improvements to this verification method. On the other hand, for branching temporal logic, automata-theoretic techniques have long been thought to introduce an exponential penalty, making them essentially useless for model-checking. Recently, Bernholtz and Grumberg [1993] have shown that this exponential penalty can be avoided, though they did not match the linear complexity of non-automata-theoretic algorithms. In this paper, we show that alternating tree automata are the key to a comprehensive automata-theoretic framework for branching temporal logics. Not only can they be used to obtain optimal decision procedures, as was shown by Muller et al., but, as we show here, they also make it possible to derive optimal model-checking algorithms. Moreover, the simple combinatorial structure that emerges from the automata-theoretic approach opens up new possibilities for the implementation of branching-time model checking and has enabled us to derive improved space complexity bounds for this long-standing problem.

We consider the complexity of satisfiability and determination of truth in a particular finite structure for different propositional linear temporal logics. We show that both the above problems are NP-complete for the logic with F operator and are PSPACE-complete for the logics with F,X, with U, with U,S,X, and Wolper's extended logic with regular operators [Wo81].

The problem of complementing Büchi automata arises when developing decision procedures for temporal logics of programs. Unfortunately, previously known constructions for complementing Büchi automata involve a doubly exponential blow-up in the size of the automaton. We present a construction that involves only an exponential blow-up. We use this construction to prove a polynomial space upper bound for the propositional temporal logic of regular events and to prove a complexity hierarchy result for quantified propositional temporal logic.

Fitting and Mendelsohn present a thorough treatment of first-order modal logic, together with some propositional background. They adopt throughout a threefold approach. Semantically, they use possible world models; the formal proof machinery is tableaus; and full philosophical discussions are provided of the way that technical developments bear on well-known philosophical problems.
The book covers quantification itself, including the difference between actualist and possibilist quantifiers; equality, leading to a treatment of Frege's morning star/evening star puzzle; the notion of existence and the logical problems surrounding it; non-rigid constants and function symbols; predicate abstraction, which abstracts a predicate from a formula, in effect providing a scoping function for constants and function symbols, leading to a clarification of ambiguous readings at the heart of several philosophical problems; the distinction between nonexistence and nondesignation; and definite descriptions, borrowing from both Fregean and Russellian paradigms.

We study the extension of the alternating-time temporal logic (ATL) with strategy contexts: contrary to the original semantics, in this semantics the strategy quantifiers do not reset the previously selected strategies.We show that our extension ATLsc is very expressive, but that its decision problems are quite hard: model checking is k-EXPTIME-complete when the formula has k nested strategy quantifiers; satisfiability is undecidable, but we prove that it is decidable when restricting to turn-based games. Our algorithms are obtained through a very convenient translation to QCTL (the computation-tree logic CTL extended with atomic quantification), which we show also applies to Strategy Logic, as well as when strategy quantification ranges over memoryless strategies.

While it was defined long ago, the extension of CTL with quantification over atomic propositions has never been studied extensively. Considering two different semantics (depending whether propositional quantification refers to the Kripke structure or to its unwinding tree), we study its expressiveness (showing in particular that QCTL coincides with Monadic Second-Order Logic for both semantics) and characterize the complexity of its model-checking problem, depending on the number of nested propositional quantifiers (showing that the structure semantics populates the polynomial hierarchy while the tree semantics populates the exponential hierarchy). We also show how these results apply to model checking ATL-like temporal logics for games.

We propose a logic for the definition of the collaborative power of groups of agents to enforce different temporal objectives. The resulting temporal cooperation logic (TCL) extends ATL by allowing for successive definition of strategies for agents and agencies. Different to previous logics with similar aims, our extension cuts a fine line between extending the power and maintaining a low complexity: model-checking TCL sentences is EXPTIME complete in the logic, and fixed parameter tractable for specifications of bounded size. This advancement over non-elementary logics is bought by disallowing a too close entanglement between cooperation and competition. We show how allowing such an entanglement immediately leads to a non-elementary complexity. We have implemented a model-checker for the logic and shown the feasibility of model-checking on a few benchmarks.

We introduce a hierarchy of fast-growing complexity classes and show its
suitability for completeness statements of many non elementary problems. This
hierarchy allows the classification of many decision problems with a
non-elementary complexity, which occur naturally in logic, combinatorics,
formal languages, verification, etc., with complexities ranging from simple
towers of exponentials to Ackermannian and beyond.

In this paper we define and study a propositional μ-calculus Lμ, which consists essentially of propositional modal logic with a least fixpoint operator. Lμ is syntactically simpler yet strictly more expressive than Propositional Dynamic Logic (PDL). For a restricted version we give an exponential-time decision procedure, small model property, and complete deductive system, theory subsuming the corresponding results for PDL.

I investigate the properties of various systems of propositional modal logic with propositional quantifiers.

We consider second-order propositional modal logic (SOPML), an extension of the basic modal language with propositional quantifiers
introduced by Kit Fine in 1970. We determine the precise expressive power of SOPML by giving analogues of the Van Benthem–Rosen
theorem and the Goldblatt Thomason theorem. Furthermore, we show that the basic modal language is the bisimulation invariant
fragment of SOPML, and we characterize the bounded fragment of first-order logic as being the intersection of first-order
logic and SOPML.

The aim of this paper is to illustrate by an example, the alternating bit protocol, the use of CESAR, an interactive system for aiding the design of distributed applications.
CESAR allows the progressive validation of the algorithmic description of a system of communicating sequential processes with respect to a given set of specifications. The algorithmic description is done in a high level language inspired from CSP and specifications are a set of formulas of a branching time logic, the temporal operators of which can be computed iteratively as fixed points of monotonic predicate transformers. The verification of a system consists in obtaining by automatic translation of its description program an Interpreted Petri Net representing it and evaluating each formula of the specifications.

Temporal logic and ω-automata are two ofthe common frameworks for specifying properties of reactive systems in modern verification tools. In this
paper we unify these two frameworks in the linear time setting for the specification of stutter-invariant properties, which
are used in the context ofpartial-order verification. We will observe a simple variant oflinear time propositional temporal
logic (LTL) for expressing exactly the stutter-invariant ω-regular languages. The complexity of, and algorithms for, all the relevant decision procedures for this logic remain essentially
the same as with ordinary LTL. In particular, satisfiability remains PSPACE-complete and temporal formulas can be converted
to at most exponential sized ω-automata. More importantly, we show that the improved practical algorithms for conversion ofL TL formulas to automata, used
in model-checking tools such as SPIN, which typically produce much smaller than worst-case output, can be modified to incorporate
this extension to LTL with the same benefits. In this way, the specification mechanism in temporal logic-based tools that
employ partial-order reduction can be extended to incorporate all stutter-invariant ω-regular properties.

We introduce strategy logic, a logic that treats strategies in two-player games as explicit first-order objects. The explicit treatment of strategies allows us to specify properties of nonzero-sum games in a simple and natural way. We show that the one-alternation fragment of strategy logic is strong enough to express the existence of Nash equilibria and secure equilibria, and subsumes other logics that were introduced to reason about games, such as ATL, ATL∗, and game logic. We show that strategy logic is decidable, by constructing tree automata that recognize sets of strategies. While for the general logic, our decision procedure is nonelementary, for the simple fragment that is used above we show that the complexity is polynomial in the size of the game graph and optimal in the size of the formula (ranging from polynomial to 2EXPTIME depending on the form of the formula).

Computation Tree Logic (CTL) is one of the most syntactically elegant and computationally attractive temporal logics for branching time model checking. In this paper, we observe that while CTL can be verified in time polynomial in the size of the state space times the length of the formula, there is a large set of reachability properties which cannot be expressed in CTL, but can still be verified in polynomial time. We present a powerful extension of CTL with first-order quantification over sets of reachable states. The extended logic, QCTL, preserves the syntactic elegance of CTL while enhancing its expressive power significantly. We show that QCTL model checking is PSPACE-complete in general, but has a rich fragment (containing CTL) which can be checked in polynomial time. We show that this fragment is significantly more expressive than CTL while preserving the syntactic beauty of CTL.

The polynomial-time hierarchy is that subrecursive analog of the Kleene arithmetical hierarchy in which deterministic (nondeterministic) polynomial time plays the role of recursive (recursively enumerable) time. Known properties of the polynomial-time hierarchy are summarized. A word problem which is complete in the second stage of the hierarchy is exhibited. In the analogy between the polynomial-time hierarchy and the arithmetical hierarchy, the first order theory of equality plays the role of elementary arithmetic (as the ω-jump of the hierarchy). The problem of deciding validity in the theory of equality is shown to be complete in polynomial-space, and close upper and lower bounds on the space complexity of this problem are established.

Direct embeddings of the full branching-time CTL∗ and its extension ECTL∗ into the modal μ-calculus are presented. The embeddings use tableaux as intermediate representations of formulas, and use extremal fixed points to characterise those paths through tableaux that satisfy an admissibility criterion, guaranteeing eventualities to be eventually satisfied. The version of ECTL∗ considered replaces the entire linear-time fragment of CTL∗ by Büchi automata on infinite strings. As a consequence the embedding of ECTL∗ turns out to be computable in linear time, while the embedding of CTL∗ is doubly exponential in the worst case.

In this paper the full branching time logic (CTL*) is studied. It has basic modalities consisting of a path quantifier, either A (“for all paths”) of E (“for some path”), followed by an arbitrary linear time assertion composed of unrestricted combinations of the usual linear temporal operators F (“sometime”), G (“always”), X (“nexttime”), and U (“until”). It is shown that the problem of determining if a CTL* formula is satisfiable in a structure generated by a binary relation is decidable in triple exponential time. The decision procedure exploits the special structure of the finite state ω-automata for linear temporal formulae which allows them to be determinized with only a single exponential blowup in size. Also the expressive power of tree automata is compared with that of CTL* augmented by quantified auxillary propositions.

Monadic second-order logic (MSOL) provides a general framework for expressing properties of reactive systems as modelled by trees. Monadic path logic (MPL) is obtained by restricting second-order quantification to paths reflecting computation sequences. In this paper we show that the expressive power of MPL over trees coincides with the usual branching time logic CTL* embellished with a simple form of counting. As a corollary, we derive an earlier result that CTL* coincides with the bisimulation-invariant properties of MPL. In order to prove the main result, we first prove a new Composition Theorem for trees.

We show that a 0–1 law holds for propositional modal logic, both for structure validity and frame validity. In the case of structure validity, the result follows easily from the well-known 0–1 law for first-order logic. However, our proof gives considerably more information. It leads to an elegant axiomatization for almost-sure structure validity and to sharper complexity bounds. Since frame validity can be reduced to a Π11 formula, the 0–1 law for frame validity helps delineate when 0–1 laws exist for second-order logics.

We study the alternating-time temporal logics ATL and ATL ? extended with strategy contexts: these make agents commit to their strategies during the evaluation of formulas, contrary to plain ATL and ATL ? where strategy quantifiers reset previously selected strategies. We illustrate the important expressive power of strategy contexts by proving that they make the extended logics, namely ATLsc and ATL ? sc, equally expressive: any formula in ATL ? sc can be translated into an equivalent, linear-size ATLsc formula. Despite the high expressiveness of these logics, we prove that their model-checking problems remain decidable by designing a tree- automata-based algorithm for model-checking ATL ? sc on the full class ofn-player concurrent game structures.

It has long been known that past-time operators add no expressive power to linear temporal logics. In this paper, we consider the extension of branching temporal logics with past-time operators. Two possible views regarding the nature of past in a branching-time model induce two different such extensions. In the first view, past is branching and each moment in time may have several possible futures and several possible pasts. In the second view, past is linear and each moment in time may have several possible futures and a unique past. Both views assume that past is finite. We discuss the practice of these extensions as specification languages, characterize their expressive power, and examine the complexity of their model-checking and satisfiability problems.

It is shown that a 0-1 law holds for propositional modal logic,
both for structure validity and for frame validity. In the case of
structure validity, the result follows easily from the well-known 0-1
law for first-order logic. However, the proof gives considerably more
information. It leads to an elegant axiomatization for almost-sure
structure validity, and sharper complexity bounds. Since frame validity
can be reduced to a II<sub>1</sub><sup>1</sup> formula, the 0-1 law for
frame validity helps delineate when 0-1 laws exist for second-order
logics

In temporal-logic model checking, we verify the correctness of a program with respect to a desired behaviour by checking whether a structure that models the program satisfies a temporal logic formula that specifies this behaviour. One of the ways to overcome the expressiveness limitation of temporal logics is to augment them with quantification over atomic propositions. In this paper we consider the extension of branching temporal logics with existential quantification over atomic propositions. Once we add existential quantification to a branching temporal logic, it becomes sensitive to unwinding. That is, unwinding a structure into an infinite tree does not preserve the set of formulas it satisfies. Accordingly, we distinguish between two semantics, two practices as specification languages, and two versions of the model-checking problem for such a logic. One semantics refers to the structure that models the program, and the second semantics refers to the infinite computation tree that the program induces. We examine the complexity of the model-checking problem in the two semantics for the logics CTL and CTL* augmented with existential quantification over atomic propositions. Following the cheerless results that we get, we examine also the program complexity of model checking; i.e. the complexity of this problem in terms of the program, assuming the formula is fixed. We show that while fixing the formula dramatically reduces model-checking complexity in the tree semantics, its influence on the structure semantics is poor.

We Propose a method of constructing concurrent programs in which the synchronization skeleton of the program is automatically synthesized from a high-level (branching time) Temporal Logic specification. The synchronization skeleton is an abstraction of the actual program where detail irrelevant to synchronization is suppressed. For example, in the synchronization skeleton for a solution to the critical section problem each process's critical section may be viewed as a single node since the internal structure of the critical section is unimportant. Most solutions to synchronization problems in the literature are in fact given as synchronization skeletons. Because synchronization skeletons are in general finite state, the propositional version of Temporal Logic can be used to specify their properties.

We extend the branching temporal logics CTL and CTL* with quantified propositions and consider various semantic interpretations
for the quantification. The use of quantificiation greatly increases the expressive power of the logics allowing us to represent,
for example, tree-automata. We also show that some interpretations of quantification allow us to represent non-propositional
properties of Kripke frames, such as the branching degree of trees. However this expressive power may also make the satisfiability
problem for the logic undecidable. We give a proof of one such case, and also examine decidability in the less expressive
semantics.

We define a propositional version of the -calculus, and give an exponential-time decision procedure, small model property, and complete deductive system. We also show that it is strictly more expressive than PDL. Finally, we give an algebraic semantics and prove a representation theorem.

We propose an extension to ATL (alternating-time logic), called BSIL (basic strategy-interaction logic), for the specification of interaction among the strategies of agents in a multi-agent system. BSIL allows for the specifications
of one system strategy that can cooperate with several strategies of the environment for different requirements. We argue
that such properties are important in practice and rigorously show that such properties are not expressible in ATL
*, GL (game logic), and AMC (alternating μ-calculus). Specifically, we show that BSIL is more expressive than ATL but incomparable with ATL*, GL, and AMC in expressiveness. We show that a memoryful strategy is necessary for fulfilling a specification in BSIL. We
also show that the model-checking problem of BSIL is PSPACE-complete and is of lower complexity than those of ATL*, GL, AMC, and the general strategy logics. This may imply that BSIL can be useful in closing the gap between real-world projects
and the game-theoretical results. We then show the plausibility and feasibility of our techniques by reporting our implementation
and experiment with our PSPACE model-checking algorithm for BSIL. Finally, we discuss an extension of BSIL.

Polynomial time machines having restricted access to an NP oracle are investigated. Restricted access means that the number of queries to the oracle is restricted or the way in which the queries are made is restricted (e.g., queries made during truth-table reductions). Very different kinds of such restrictions result in the same or comparable complexity classes. In particular, the class P NP [O(logn)] can be characterized in very different ways. Furthermore the Boolean hierarchy is generalized in such a way that it is possible to characterize P NP and P NP [O(logn)] in terms of the generalization.

In this paper we consider problems and complexity classes definable by interdependent queries to an oracle in NP. How the queries depend on each other is specified by a directed graph G. We first study the class of problems where G is a general dag and show that this class coincides with Δ p 2 .
We then consider the class where G is a tree. Our main result states that this class is identical to P NP [O(log n)], the class of problems solvable in polynomial time with a logarithmic number of queries to an oracle in NP. This result has interesting applications in the fields of modal logic and artificial intelligence. In particular, we show that the following problems are all P NP [O(log n)] complete: validity-checking of formulas in Carnap's modal logic, checking whether a formula is almost surely valid over finite structures in modal logics K, T, and S4 (a problem recently considered by Halpern and Kapron [1992]), and checking whether a formula belongs to the stable set of beliefs generated by a propositional theory.
We generalize the case of dags to the case where G is a general (possibly cyclic) directed graph of NP-oracle queries and show that this class corresponds to Π p 2 . We show that such graphs are easily expressible in autoepistemic logic. Finally, we generalize our complexity results to higher classes of the polynomial-time hierarchy.

In temporal-logic model checking, we verify the correctness of a program with respect to a desired behaviour by checking whether a structure that models the program satisfies a temporal logic formula that specifies this behaviour, One of the ways to overcome the expressiveness limitation of temporal logics is to augment them with quantification over atomic propositions. In this paper we consider the extension of branching temporal logics with existential quantification over atomic propositions. Once we add existential quantification to a branching temporal logic, it becomes sensitive to unwinding. That is, unwinding a structure into an infinite tree does not preserve the set of formulas it satisfies. Accordingly, we distinguish between two semantics, two practices as specification languages, and two versions of the model-checking problem for such a logic. One semantics refers to the structure that models the program, and the second semantics refers to the infinite computation free that the program induces. Vie examine the complexity of the model-checking problem in the two semantics for the logics CTL and CTL* augmented with existential quantification over atomic propositions. Following the cheerless results that we get, we examine also the program complexity of model checking; i.e. the complexity of this problem in terms of the program, assuming the formula is fixed. We show that while fixing the formula dramatically reduces model-checking complexity in the tree semantics, its influence on the structure semantics is poor.

We give a proof that alternating tree automata can be simulated by nondeterministic tree automata which yields new complexity results and a unified proof of the theorems of Rabin, McNaughton and Safra. We also give a simple axiomatic framework for uniformizing strategies.

In this paper, we investigate the power of extending first-order quantification over states to branching and linear time temporal logics. We show that an unrestricted extension significantly enriches the expressive power of μ-calculus, but also leads to a significant jump in model checking complexity. However, by restricting the scope of the extension, we are able to present a powerful extension of μ-calculus that is richer than μ-calculus, but is in the same complexity class as μ-calculus in terms of model checking complexity. In the case of linear time temporal logic, we find that first-order quantification over states is more computationally expensive. We show that even under the most restricted scope of quantification, the program complexity of model checking linear temporal logic (LTL) is NP-hard and coNP-hard. However, we also show that model checking LTL with this generic extension remains PSPACE-complete. ó 2004 Elsevier B. V. All rights reserved.