Content uploaded by Bastien Maubert
Author content
All content in this area was uploaded by Bastien Maubert on Nov 18, 2016
Content may be subject to copyright.
Available via license: CC BY 4.0
Content may be subject to copyright.
Quantiﬁed CTL with imperfect information∗
Raphaël Berthon1, Bastien Maubert2, and Aniello Murano3
1 École Normale Supérieure de Rennes, France
raphael.berthon@ensrennes.fr
2 Università degli Studi di Napoli Federico II, Italy
bastien.maubert@gmail.com
3 Università degli Studi di Napoli Federico II, Italy
murano@na.infn.it
Abstract
Quantiﬁed CTL (QCTL) is a wellstudied temporal logic that extends CTL with quantiﬁcation
over atomic propositions. It has recently come to the fore as a powerful intermediary framework
to study logics for strategic reasoning. We extend it to include imperfect information by para
meterising quantiﬁers with an observation that deﬁnes how well they observe the model, thus
constraining their behaviour. We consider two diﬀerent semantics, one related to the notion of
no memory, the other to perfect recall. We study the expressiveness of our logic, and show that
it coincides with MSO for the ﬁrst semantics and with MSO with equal level for the second one.
We establish that the modelchecking problem is Pspacecomplete for the ﬁrst semantics. While
it is undecidable for the second one, we identify a syntactic fragment, deﬁned by a notion of
hierarchical formula, which we prove to be decidable thanks to an automatatheoretic approach.
1 Introduction
Temporal logic is a powerful framework widely used in formal systemdesign and veriﬁca
tion [
9
,
41
]. It allows reasoning over the temporal evolution of a system, without referring
explicitly to the elapsing of time. One of the most signiﬁcant contributions of the ﬁeld is model
checking, which allows to verify system correctness by checking whether a mathematical model
of the system satisﬁes a temporal logic formula expressing its desired behaviour [
8
,
9
,
25
,
26
].
Depending on the view of the nature of time, two types of temporal logics are mainly
considered. In lineartime temporal logics such as LTL [
41
] time is treated as if each moment
in time had a unique possible future. Conversely, in branchingtime temporal logics such
as CTL [
8
] and
CTL∗
[
15
], each moment in time may split into various possible futures;
existential and universal quantiﬁers then allow expressing properties of either one or all the
possible futures. While LTL is suitable to express path properties, CTL is more appropriate for
statebased ones, and
CTL∗
for both. These logics are “easytouse”, can express important
system properties such as liveness or safety, enjoy good fundamental theoretical properties
such as invariance under treeunwinding of models, and come with reasonable complexities
for the main related decision problems. For instance, the modelchecking and satisﬁability
problems for CTL∗are PspaceComplete [1] and 2ExptimeComplete [48], respectively.
Along the years,
CTL∗
has been extended in a number of ways in order to verify the beha
vior of a broad variety of systems. In multiagent opensystem veriﬁcation, AlternatingTime
Temporal Logic (
ATL∗
), introduced by Alur, Henzinger, and Kupferman [
3
], is particularly
successful. This generalization of
CTL∗
replaces path quantiﬁers with strategic modalities,
that is modalities over teams of agents that describe the ability to cooperate in order to
∗
This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under the Marie SklodowskaCurie grant agreement No 709188.
2 Quantiﬁed CTL with imperfect information
achieve a goal against adversaries.
ATL∗
model checking is a very active area of research and
it has been studied in several domains, including communication protocols [
47
], fair exchange
protocols [
20
,
18
], and agentoriented programs [
11
]. The complexity of the problem has
been extensively studied in a multitude of papers, and algorithms have been implemented in
tools [
31
]. Remarkably,
ATL∗
has inspired fresh and more powerful logics such as Strategy
Logic (SL) [
7
,
34
,
33
],
ATL∗
with strategy context (
ATL∗
sc
) [
5
,
10
],
ATL∗
with Irrevocable
strategies (I
ATL∗
) [
2
] and Memoryful
ATL∗
(m
ATL∗
) [
35
]. These logics are progressively
overtaking
ATL∗
; in particular this is the case for SL as it can can express fundamental
gametheoretic concepts such as Nash Equilibrium and Subgame Perfect Equilibrium [33].
In the landscape of temporal logics, another breakthrough contribution comes from
Quantiﬁed
CTL∗
(
QCTL∗
), which extends
CTL∗
with the possibility to quantify over atomic
propositions [
45
,
22
,
23
,
16
,
29
].
QCTL∗
turns out to be very expressive (indeed, it is equi
valent to Monadic SecondOrder Logic, MSO for short) and was usefully applied in a number
of scenarios. Recently it has come to the fore as a convenient and uniform intermediary logic
to easily obtain algorithms for
ATL∗
sc
,SL, as well as related formalisms [
29
,
32
,
33
]. Indeed,
strategies can be represented by atomic propositions labelling the execution tree of the
game structure under study, and strategy quantiﬁcation can thus be expressed by means of
propositional quantiﬁcations. As a remark, quantiﬁcation in
QCTL∗
can be interpreted either
on Kripke structures (structure semantics) or their execution tree (tree semantics), allowing
for the encoding of memoryless or perfectrecall strategies, respectively. This diﬀerence
impacts also the complexity of the related decision problems: for instance, moving from
structure to tree semantics, model checking jumps from Pspace to nonelementary.
In game theory and opensystem veriﬁcation an important body of work has been devoted
to imperfect information, which refers to settings in which players have partial information
about the moves taken by the others [
6
,
13
,
19
,
24
,
42
]. This is a common situation in
reallife scenarios where players have to act without having all the relevant information at
hand. In computer science this situation occurs for example when some system’s variables
are internal/private [
44
]. Imperfect information is usually modelled by indistinguishability
relations over the states of the game. During a play, some players may not know precisely
in which state they are, and therefore they cannot base their actions on the exact current
situation: they must choose their actions uniformly over indistinguishable states [24].
This uniformity constraint deeply impacts the complexity of decision problems. It is well
known that multiplayer games with imperfect information are computationally hard, in
general undecidable [
38
], and to retain positive complexity results one needs to restrict players’
capabilities, by bounding their memory of past moves [
12
] or putting some hierarchical order
over their observational power [
42
]. Unfortunately, most of the approaches exploited under
full observation are not appropriate for imperfect information. In particular this is the case of
QCTL∗
, unless opportunely adapted. In this paper we work in this direction by incorporating
in
QCTL∗
the essence of imperfect information, that is the uniformity constraint on choices.
We believe it may provide a uniform framework to obtain new results on logics for strategic
reasoning under imperfect information, as does QCTL∗in the perfect information setting.
Our contribution.
We introduce
QCTL∗
i
, an opportune extension of
QCTL∗
that in
tegrates the central feature of imperfect information, i.e., uniformity constraint on choices.
We add internal structure to the states of the models, much like in Reif’s multiplayer game
structures [
38
] or distributed systems [
17
], and we parameterise propositional quantiﬁers
with observations that deﬁne what portions of the states a quantiﬁer can “observe”. The
semantics is adapted to capture the idea of quantiﬁcations on atomic propositions being
made with partial observation. Like in [29], we consider both structure and tree semantics.
R. Berthon, B. Maubert and A. Murano 3
We study the expressive power of
QCTL∗
i
. By using the same argument as for
QCTL∗
[
29
],
we ﬁrst show that
QCTL∗
i
and
QCTLi
are equally expressive for both semantics. Then we
prove that for the structure semantics, these logics are no more expressive than QCTL, and
thus coincide with MSO. Finally we show that under tree semantics
QCTLi
is expressively
equivalent to MSO extended with the equal level predicate (MSOeq, see [14, 30, 46]).
Concerning the modelchecking problem we ﬁrst prove that under structure semantics it
is Pspacecomplete for both
QCTL∗
i
and
QCTLi
, like QCTL. Under tree semantics, undecid
ability follows from the equivalence with
MSOeq
. However we identify a decidable syntactic
fragment, consisting of those formulas in which nested quantiﬁers have hierarchically ordered
observations, innermost ones observing more than outermost ones. We call such formulas
hierarchical formulas. Interestingly, a decidability result for Quantiﬁed
µ
Calculus with
partial observation [
40
] uses a similar syntactic restriction. This logic is very close to ours,
but orthogonal: while our tree semantics relies on a synchronous perfectrecall notion of
imperfect information, theirs is asynchronous. This hierarchical restriction is also related to
decidability results for games with imperfect information [
39
,
4
] and distributed synthesis [
21
].
Our decision procedure relies on automata constructions involving the narrowing operation
introduced by Kupferman and Vardi in [
27
] for distributed synthesis. We believe that our
choice of modelling imperfect information by means of local states eases greatly the use
of automata techniques to tackle imperfect information. Finally, our result provides new
decidability results for
ATL∗
sc
with imperfect information (not presented here), and we trust
it will ﬁnd applications in other logics, such as SL with imperfect information.
Plan.
In Section 2 we recall Kripke structures and trees, and the syntax and semantics
of
QCTL∗
. We then present
QCTL∗
i
in Section 3, we study its expressiveness in Section 4 and
its modelchecking problem in Section 5. We conclude and discuss future work in Section 6.
2 Preliminaries
Let Σbe an alphabet. A ﬁnite (resp. inﬁnite)word over Σis an element of Σ
∗
(resp. Σ
ω
).
The empty word is classically noted
, and Σ
+
= Σ
∗\ {}
. The length of a word is
w
:= 0
if
w
is the empty word
, if
w
=
w0w1. . . wn
is a ﬁnite nonempty word then
w
:=
n
+ 1,
and for an inﬁnite word
w
we let
w
:=
ω
. Given a word
w
and 0
≤i, j ≤ w −
1, we let
wi
be the letter at position
i
in
w
and
w
[
i, j
]be the subword of
w
that starts at position
i
and
ends at position
j
. If
w
is inﬁnite, we let
wi
:=
w
[
i, ω
]. We write
w4w0
if
w
is a preﬁx of
w0
, and
w4
is the set of ﬁnite preﬁxes of word
w
. Finally, for
n∈N
we let [
n
] :=
{
1
, . . . , n}
.
2.1 Kripke structures and trees
Let
AP
be a countably inﬁnite set of atomic propositions and let
AP ⊂ AP
be a ﬁnite subset.
IDeﬁnition 1.
AKripke structure over
AP
is a tuple
S
= (
S, R, `
)where
S
is a set of states,
R⊆S×Sis a lefttotal1transition relation and `:S→2AP is a labelling function.
Apointed Kripke structure is a pair (
S, s
)where
s∈ S
, and the size
S
of a Kripke
structure
S
is its number of states. A path in a structure
S
= (
S, R, `
)is an inﬁnite word
λ∈Sω
such that for all
i∈N
,(
λi, λi+1
)
∈R
. For
s∈S
, we let
Paths
(
s
)be the set of all
paths that start in s. A ﬁnite path is a ﬁnite nonempty preﬁx of a path.
1i.e., for all s∈S, there exists s0such that (s, s0)∈R.
4 Quantiﬁed CTL with imperfect information
We now deﬁne (inﬁnite) trees. In many works, trees are deﬁned as preﬁxedclosed sets of
words with the empty word
as root. Here trees represent unfoldings of Kripke structures,
and we ﬁnd it more convenient to see a node as a sequence of states and the root as the
initial state, hence the following deﬁnition, where Xis a ﬁnite set:
IDeﬁnition 2. An Xtree τis a nonempty set of words τ⊆X+such that:
there exists r∈X, called the root of τ, such that each u∈τstarts with r;
if u·x∈τand u6=, then u∈τ, and
if u∈τthen there exists x∈Xsuch that u·x∈τ.
The elements of a tree
τ
are called nodes. If
u·x∈τ
, we say that
u·x
is a child of
u
. An
X
tree is full if every node
u
has a child
u·x
for each
x∈X
. The depth of a node
u
is
u
.
Similarly to Kripke structures, a path is an inﬁnite sequence of nodes
λ
=
u0u1. . .
such that
for all
i∈N
,
ui+1
is a child of
ui
, and
P aths
(
u
)is the set of paths that start in node
u
. An
AP
labelled
X
tree, or (
AP, X
)tree for short, is a pair
t
= (
τ, `
), where
τ
is an
X
tree called
the domain of
t
and
`
:
τ→
2
AP
is a labelling. For a labelled tree
t
= (
τ, `
)and an atomic
proposition
p∈ AP
, we deﬁne the
p
projection of
t
as the labelled tree
t⇓p
:= (
τ, ` ⇓p
), where
for each u∈τ,`⇓p(u) := `(u)\ {p}. For a set of trees L, we let L⇓p:= {t⇓pt∈ L}.
IDeﬁnition 3
(Tree unfoldings)
.
Let
S
= (
S, R, `
)be a Kripke structure over
AP
, and let
s∈S
. The treeunfolding of
S
from
s
is the (
AP, S
)tree
tS,s
= (
τ, `0
), where
τ
is the set of
all ﬁnite paths that start in s, and for every u∈τ,`0(u) = `(last(u)).
2.2 QCTL∗, syntax and semantics
We recall the syntax of QCTL∗, as well as both the structure and tree semantics.
IDeﬁnition 4. The syntax of QCTL∗is deﬁned by the following grammar:
ϕ:= p ¬ϕϕ∨ϕEψ ∃p. ϕ
ψ:= ϕ ¬ψψ∨ψXψψUψ
where
p∈ AP
. Formulas of type
ϕ
are called state formulas, those of type
ψ
are called path
formulas, and QCTL∗consists of state formulas.
Like in [
29
] we consider two diﬀerent semantics, the structure semantics and the tree
semantics: in the former formulas are evaluated directly on the structure, while in the latter
the structure is ﬁrst unfolded into an inﬁnite tree. In the ﬁrst case, quantifying over
p
means
choosing a truth value for
p
in each state of the structure, while in the second case it is
possible to choose a diﬀerent truth value for pin each ﬁnite path of the structure.
2.2.1 Structure semantics
A
QCTL∗
state (resp. path) formula is evaluated in a state (resp. path) of a Kripke structure.
To deﬁne the semantics of quantiﬁcations over propositions, the following deﬁnition is handy.
IDeﬁnition 5.
For
p∈ AP
, two structures
S
= (
S, R, `
)and
S0
= (
S0, R0, `0
)are equivalent
modulo
p
, written
S ≡pS0
, if
S
=
S0
,
R
=
R0
and for each state
s∈S
,
`
(
s
)
\ {p}
=
`0
(
s
)
\ {p}
.
This deﬁnition also applies to labelled trees seen as inﬁnite Kripke structures.
R. Berthon, B. Maubert and A. Murano 5
The satisfaction relation

=
s
for the structure semantics is deﬁned inductively as follows,
where S= (S, R, `)is a Kripke structure, sis a state and λis a path in S:
S, s =spif p∈`(s)S, s =s¬ϕif S, s 6=sϕ
S, s =sϕ∨ϕ0if S, s =sϕor S, s =sϕ0
S, s =sEψif there exists λ∈Paths(s)such that S, λ =sψ
S, s =s∃p. ϕ if there exists S0≡pSsuch that S0, s =ϕ
S, λ =sϕif S, λ0=sϕS, λ =s¬ψif S, λ 6=sψ
S, λ =sψ∨ψ0if S, λ =sψor S, λ =sψ0S, λ =sXψif S, λ1=sψ
S, λ =sψUψ0if there exists i≥0such that S, λi=sψ0and for 0≤j < i, S, λj=sψ
2.2.2 Tree semantics
In the tree semantics, a formula holds in a state
s
of a structure
S
if it holds in the tree
unfolding of
S
from
s
. The semantics of
QCTL∗
on trees could be derived from the structure
semantics, seeing 2
AP
labelled trees as inﬁnitestate Kripke structures. We deﬁne it explicitly
on trees though, as it will make the presentation of the semantics for QCTLiclearer.
The satisfaction relation

=
t
for the tree semantics is thus deﬁned inductively as follows,
where t= (τ, `)is a 2AP labelled Xtree, uis a node and λis a path in τ:
t, u =tpif p∈`(u)t, u =t¬ϕif t, u 6=tϕ
t, u =tϕ∨ϕ0if t, u =tϕor t, u =tϕ0
t, u =tEψif there exists λ∈P aths(u)such that t, λ =tψ
t, u =t∃p. ϕ if there exists t0≡ptsuch that t0, u =ϕ
t, λ =tϕif t, λ0=tϕ t, λ =t¬ψif t, λ 6=tψ
t, λ =tψ∨ψ0if t, λ =tψor t, λ =tψ0t, λ =tXψif t, λ1=tψ
t, λ =tψUψ0if there exists i≥0such that t, λi=tψ0and for 0≤j < i, t, λj=tψ
We may write
t
=
tϕ
for
t, r 
=
tϕ
, where
r
is the root of
t
, and given a Kripke structure
S, a state sand a QCTL∗formula ϕ, we write S, s =tϕif tS,s =tϕ.
3QCTL∗with imperfect information
We now enrich the models, syntax and semantics to capture the idea of quantiﬁcations on
atomic propositions being made with a partial observation of the system.
3.1 Compound Kripke structures
First, we enrich Kripke structures by adding internal structure to states: we set them as
tuples of local states. To ease presentation and obtain ﬁnite alphabets for our tree automata
in Section 5.2.2, we ﬁx a collection {Li}i∈[n]of ndisjoint ﬁnite sets of local states.
For
I⊆
[
n
], we let
XI
:=
Śi∈ILi
. Let
J⊆I⊆
[
n
]. For
x
= (
li
)
i∈I∈XI
, we deﬁne
the
XJ
projection of
x
as
x↓XJ
:= (
li
)
i∈J
. If
J
=
∅
, we let
x↓∅
:=
0
, where
0
is a special
symbol, and we let
X∅
:=
{0}
. This deﬁnition extends naturally to words and trees over
XI
.
Observe that when projecting a tree, nodes with same projection are merged. In particular,
for every
XI
tree
τ
,
τ↓∅
is the only
X∅
tree,
0ω
. We also deﬁne a lift operator
↑I
y
that, given
an XJtree rooted in xand a tuple y∈XI\J, produces the XItree rooted in (x, y)deﬁned
as
τ↑XI
y
:=
{u∈
(
x, y
)
·X∗
Iu↓XJ∈τ}
. Observe that because the sets
{Li}i∈[n]
are disjoint,
the ordering of elements in tuples of
XI
does not matter. For an (
AP, XJ
)tree
t
= (
τ, `
), we
deﬁne
t↑XI
y
:= (
τ↑XI
y, `0
)where
`0
(
u
) :=
`
(
u↓XJ
). In the following we may write
↑I
y
for
↑XI
y
,
and ↓Jinstead of ↓XJ.
6 Quantiﬁed CTL with imperfect information
IDeﬁnition 6.
Acompound Kripke structure, or CKS, is a Kripke structure
S
= (
S, R, `
)
such that S⊆X[n]. We call nthe dimension of CKSs.
I
Remark. Note that by ﬁxing ﬁnite sets of local states, we also ﬁx a ﬁnite set of possible
states. If it were not so, our translation from
QCTLi
to QCTL in Theorem 13, as well as
the one from
QCTLi
to
MSOeq
in Theorem 15 would no longer be valid, making us also lose
Corollary 14. We would no longer have equivalence in expressivity, but we would still have
that
QCTLi
is at least as expressive as MSO (resp.
MSOeq
) for structure semantics (resp.
tree semantics). Also our results on model checking in Section 5, and in particular our main
result, Theorem 23, would still be valid.
To model the fact that quantiﬁers may not observe some local states, we deﬁne a notion
of observation and the associated notion of observational indistinguishability.
IDeﬁnition 7.
An observation is a ﬁnite set of indices
o⊂N
. For an observation
o
and
I⊆[n], two tuples x, x0∈XIare oindistinguishable, written x∼ox0, if x↓I∩o=x0↓I∩o.
Intuitively, a quantiﬁer with observation
o
must choose the valuation of atomic propositions
uniformly with respect to
o
, and this notion of uniformity will vary between the structure
semantics and the tree semantics. But ﬁrst, let us introduce the syntax of QCTL∗
i.
3.2 QCTL∗
i, syntax and semantics
The syntax of
QCTL∗
i
is that of
QCTL∗
, except that quantiﬁers over atomic propositions are
parameterised by a set of indices that deﬁnes what local states the quantiﬁer can “observe”.
IDeﬁnition 8. The syntax of QCTL∗
iis deﬁned by the following grammar:
ϕ:= p ¬ϕϕ∨ϕEψ ∃op. ϕ
ψ:= ϕ ¬ψψ∨ψXψψUψ
where p∈ AP and o⊂Nis an observation.
We use standard abbreviations:
>
:=
p∨ ¬p
,
⊥
:=
¬>
,
Fψ
:=
>Uψ
,
Gψ
:=
¬F¬ψ
and
Aψ
:=
¬E¬ψ
. The size
ϕ
of a formula
ϕ
is deﬁned inductively as usual, but the following
case: ∃op. ϕ:= 1 + o+ϕ. We also classically deﬁne the syntactic fragment QCTLi:
IDeﬁnition 9. The syntax of QCTLiis deﬁned by the following grammar:
ϕ:= p ¬ϕϕ∨ϕ ∃op. ψ EXϕAXϕEϕUϕAϕUϕ
where p∈ AP and o⊂Nis an observation.
3.2.1 Structure semantics
In the case of structure semantics, uniformity is deﬁned as follows:
IDeﬁnition 10.
Let
S
= (
S, R, `
)be a CKS,
p∈ AP
and
o⊂N
.
S
is
o
uniform in
p
if for
every pair of states s, s0∈Ssuch that s∼os0, it holds that p∈`(s)if and only if p∈`(s0).
We enrich the satisfaction relation

=
s
with the following inductive case, where (
S, s
)is a
pointed CKS:
S, s =s∃op. ϕ if there exists S0≡pSsuch that S0is ouniform in pand S0, s =sϕ
Observe that ∃{1,...,n}p. ϕ is equivalent to the QCTL∗formula ∃p. ϕ.
R. Berthon, B. Maubert and A. Murano 7
3.2.2 Tree semantics
As observed in the introduction, propositional quantiﬁers can be seen as having perfect recall
in the tree semantics and no memory in the structure semantics. The following deﬁnition for
indistinguishability on trees, which diﬀers from that for CKS, reﬂects this diﬀerence.
IDeﬁnition 11.
Let
t
= (
τ, `
)be a labelled
XI
tree,
p∈ AP
an atomic proposition and
o⊂N
an observation. Two nodes
u
=
u0. . . ui
and
u0
=
u0
0. . . u0
j
of
τ
are
o
indistinguishable,
written
u≈ou0
, if
i
=
j
and for all
k∈ {
0
, . . . , i}
we have
uk∼ou0
k
. Tree
t
is
o
uniform in
p
if for every pair of nodes u, u0∈τsuch that u≈ou0, we have p∈`(u)iﬀ p∈`(u0).
The tree semantics for
QCTL∗
i
is deﬁned on labelled
Xn
trees, and it is obtained by
enriching =tas follows:
t, u =t∃op. ϕ if there exists t0≡ptsuch that t0is ouniform in pand t0, u =tϕ.
Consider the following CTL formula: border(p) := AFp∧AG(p→AXAG¬p).
This formula holds in a labelled tree if and only if each path contains exactly one
node labelled with
p
. Therefore, evaluating the
QCTLi
formula
∃∅p. border
(
p
)amounts to
choosing a level of the tree where to place one horizontal line of p’s.
4 Expressiveness
In this section we study the expressive power of our logics. We ﬁrst observe that for both
semantics,
QCTL∗
i
and
QCTLi
are equally expressive. We then prove that with structure
semantics
QCTLi
is expressively equivalent to QCTL, and thus also to MSO. Finally we show
that under tree semantics
QCTL∗
i
is expressively equivalent to MSO with equal level predicate.
Note that Theorem 13, Corollary 14 and Theorem 15 below only hold if the logics can talk
about the local states. For this reason, in this section we assume a set of dedicated atomic
propositions
APl
=
Si∈[n]Sl∈Li{pl} ⊂ AP
such that for every CKS
S
= (
S, R, `
), for each
i∈[n]and l∈Li, for each state s= (l1, . . . , ln)∈S, we have pl∈`(s)iﬀ li=l.
4.1 QCTL∗
i,QCTLiand QCTL
We ﬁrst remark that for the same reason why
QCTL∗
is no more expressive than QCTL, also
QCTL∗
i
and
QCTLi
are equally expressive (the proof of [
29
, Proposition 3.8] readily applies):
ITheorem 12. Under both semantics, QCTL∗
iand QCTLiare expressively equivalent.
We now prove that for the structure semantics,
QCTLi
is no more expressive than QCTL,
and thus has the same expressivity as MSO.
ITheorem 13. Under structure semantics, QCTLiand QCTL are expressively equivalent.
Proof.
It is quite clear that
QCTLi
subsumes QCTL. Observe however that the quantiﬁer on
propositions from QCTL can be translated using the quantiﬁer
∃[n]
only because we have
ﬁxed the dimension of our models. If we allowed for models with arbitrary dimension we
would have to add the classic quantiﬁer ∃in the syntax of QCTLifor it to capture QCTL.
For the other direction, we deﬁne a translation
e
from
QCTLi
to QCTL. We only provide
the inductive case for the quantiﬁcation on propositions, the others being trivial.
^
∃op. ϕ := ∃p.
^
(l1,...,lk)∈Xo∩[n]
AG(
k
^
i=1
pli→p)∨AG(
k
^
i=1
pli→ ¬p)
∧eϕ.
8 Quantiﬁed CTL with imperfect information
Observe that checking uniformity of
p
in the reachable part of the model is suﬃcient, as the
labelling of unreachable states is indiﬀerent. It can be proven easily that for every CKS
S
,
state s∈ S and formula ϕ∈QCTLi, it holds that S, s =sϕiﬀ S, s =seϕ.J
IRemark. One can check that eϕ=O(nmnϕ), where m= maxi∈[n]Li.
4.2 QCTLiand MSO with equal level
We brieﬂy recall the deﬁnition
MSOeq
(see, e.g., [
14
,
46
] for more detail). In the following,
Var1
=
{x, y, . . .}
(resp.
Var2
=
{X, Y, . . .}
) is a countablyinﬁnite set of ﬁrstorder (resp.
secondorder) variables. We also use a predicate Ppfor each atomic proposition p∈ AP.
The syntax of MSO with equal level relation, or
MSOeq
, is given by the following grammar:
ϕ::= Pp(x)x=yS(x, y)x∈Xeq(x, y) ¬ϕϕ∨ϕ ∃x.ϕ  ∃X.ϕ
where p∈ AP,x, y ∈Var1and X∈Var2.
The syntax of MSO is obtained by removing the
eq
(
x, y
)production rule. We write
ϕ
(
x1, . . . , xi, X1, . . . , Xj
)to indicate that variables
x1, . . . , xi
and
X1, . . . , Xj
may appear
free in
ϕ
. Without loss of generality we assume that a variable cannot appear both free
and quantiﬁed in a formula. We use the standard semantics of MSO, the successor relation
symbol
S
being interpreted by the transition relation on Kripke structures, and by the
child relation on trees. The semantics for
MSOeq
is only deﬁned on trees, and
eq
(
x, y
)
holds if the nodes denoted by
x
and
y
are at the same depth in the tree. We write
M, s1, . . . , si, S1, . . . , Sj
=
ϕ
(
x1, . . . , xi, X1, . . . , Xj
)when
ϕ
holds in model
M
when
xk
(resp. Xk) is interpreted as sk(resp. Sk) for k∈[i](resp. k∈[j]).
Since we aim at comparing the expressivity of MSO (with equal level predicate in the
case of tree semantics) with that of the modal logic QCTLi, we will consider MSO formulas
of the form
ϕ
(
x
), where
x
is a free variable representing the point of evaluation in the model.
First, we have seen that under the structure semantics
QCTLi
has the same expressivity
as QCTL. Since QCTL has the same expressivity as MSO (evaluated on reachable parts of
the structures) [29], we obtain the following corollary of Theorem 13:
ICorollary 14. Under structure semantics, MSO and QCTLiare equally expressive.
We now turn to the case of the tree semantics. The constraint put on the tree semantics
for the proposition quantiﬁer involves testing length equality for arbitrarily long paths or, in
terms of trees, comparing the depths of arbitrarily deep nodes. It is thus not a surprise that
QCTLi
with tree semantics is more expressive than MSO on trees. It also seems natural that
extending MSO with the equal level predicate allows to capture this constraint on proposition
quantiﬁcation, and thus that
MSOeq
is as expressive as
QCTLi
with tree semantics. We
establish with the following theorem that in fact the other direction also holds.
ITheorem 15. Under tree semantics, MSOeq and QCTLiare equally expressive.
Proof.
We ﬁrst show how to express in
MSOeq
that two nodes in the unfolding of a CKS
are
o
indistinguishable (see Deﬁnition 11). Let
o
be an observation. We deﬁne the
MSOeq
formula ϕo(x, y)as follows:
ϕo(x, y) := eq(x, y)∧∀x0.∀y0.
x04x∧y04y∧eq(x0, y0)→^
i∈o∩[n]^
l∈Li
Ppl(x0)↔Ppl(y0)
where x04xis an MSO formula expressing that there is a path from x0to x.
R. Berthon, B. Maubert and A. Murano 9
Clearly, for every CKS Sand nodes u, u0in its unfolding tS,s from some state s,
tS,s, u, u0=ϕo(x, y)iﬀ u≈ou0.
It is then easy to see that
QCTLi
with tree semantics can be translated into
MSOeq
: the trans
lation for CTL is standard, and propositional quantiﬁcation with imperfect information can be
expressed using second order quantiﬁcation and the above formula for
o
indistinguishability.
For the other direction, we build upon the following translation from MSO to QCTL,
presented in [29]. For ϕ(x, x1, . . . , xi, X1, . . . , Xj)∈MSO, we inductively deﬁne bϕas:
\
Pp(x) = p\
Pp(xk) = EF(pxk∧p)
\x=xk=pxk\xk=xl=EF(pxk∧pxl)
\
x∈Xk=pXk
\
xk∈Xk=EF(pxk∧pXk)
d
¬ϕ0=¬b
ϕ0\
ϕ1∨ϕ2=cϕ1∨cϕ2
\
∃xk.ϕ0=∃pxk.uniq(pxk)∧b
ϕ0\
∃Xk.ϕ0=∃pXk.b
ϕ0
\
S(x, xk) = EXpxk
\
S(xk, x) = ⊥
\
S(xk, xl) = EF(pxk∧EXpxl)
where
uniq
(
p
) :=
EFp∧ ∀q. (EF(p∧q)→AG(p→q))
holds in a tree iﬀ it has exactly
one node labelled with
p
. Observe that
x
being interpreted as the root of a tree it has no
incoming edge, hence the translation of S(xk, x).
We extend this translation into one from
MSOeq
to
QCTLi
by adding the following rules:
\
eq(x, xk) = pxk
\
eq(xk, xl) = ∃∅p. border(p)∧AG(pxk→p∧pxl→p)
Observe that
x
being interpreted as the root,
xk
is on the same level as
x
if and only if it is
also assigned the root. Concerning the second case, recall from Section 3.2.2 that the
QCTLi
formula
∃∅p. border
(
p
)places in the tree one unique horizontal line of
p
’s. Requiring that
xk
and
xl
be both on this line thus ensures that they are on the same level. It is then easy
to prove by induction the following lemma:
ILemma 16.
For every
ϕ
(
x, x1, . . . , xi, X1, . . . , Xj
)
∈MSOeq
and every pointed CKS (
S, s
),
tS,s, s, u1, . . . , ui, U1, . . . , Uj=ϕ(x, x1, . . . , xi, X1, . . . , Xj)iﬀ t0
S(s), s =tbϕ
where
t0
S,s
is obtained from
tS,s
by changing the labelling for variables
pxk
and
pXk
as follows:
pxk∈`0(u)if u=ukand pXk∈`0(u)if u∈Uk.
In particular, it follows that tS,s, s =ϕ(x)iﬀ tS,s, s =bϕ.J
I
Remark. The twoway translation between
QCTLi
and
MSOeq
shows that when local states
are identiﬁed by atomic propositions, there is a normal form for
QCTLi
formulas involving
only blind and perfectinformation quantiﬁers.
5 Model checking QCTLi
We now study the modelchecking problem for
QCTL∗
i
, both for structure and tree semantics.
In other terms, we study the problem of deciding, given a ﬁnite CKS
S
, a state
s∈ S
and a
QCTL∗
iformula ϕ, whether it holds that S, s =sϕ(or S, s =tϕfor the tree semantics).
10 Quantiﬁed CTL with imperfect information
5.1 Structure semantics
We ﬁrst prove that under structure semantics, similarly to
QCTL∗
and QCTL, the model
checking problem is Pspacecomplete for both
QCTLi
and
QCTL∗
i
. Observe that if
n
is ﬁxed
the translation from
QCTLi
to QCTL from Theorem 13 suﬃces to obtain the upper bound.
But this translation, being exponential in
n
(see Remark 4.1), is not enough if
n
is not ﬁxed;
we provide an algorithm to show that the result holds even if nis part of the input.
ITheorem 17. Under structure semantics, model checking QCTL∗
iis Pspacecomplete.
Proof.
Hardness follows from the Pspacehardness of model checking QCTL [
29
]. For the
upper bound, we modify the algorithm described in [
29
, Theorem 4.2]. The main diﬀerence
is that when we guess a labelling for
p
on a CKS
S
, we need to check that this labelling
is uniform. With structure semantics this can be done in deterministic time
O
(
S2·n
):
look at every pair of states, and check that if they are observationally equivalent (tested by
comparing at most npairs of local states) then they agree on p.
We prove that the modelchecking problem for
QCTL∗
i
is in Pspace by induction on the
nesting depth
k
of propositional quantiﬁcation in input formulas. If
k
= 0,i.e., the input
formula is a
CTL∗
formula, call a
CTL∗
modelchecking algorithm running in polynomial
space. For nesting depth
k
+ 1, the input formula
ϕ
is of the form
ϕ
= Φ[
qi7→ ∃oipi. ϕi
],
where Φis a
CTL∗
formula and for each
i
,
qi
is a fresh atomic proposition,
oi
is an observation
and
ϕi
a
QCTL∗
i
formula of nesting depth at most
k
. For each
i
, guess in linear time a
labelling for
pi
, check in quadratic time that it is uniform, evaluate formula
ϕi
in each
state with this labelling, and mark states where it holds with
qi
. By induction hypothesis,
evaluating
ϕi
can be done in polynomial space. It just remains to evaluate the
CTL∗
formula
Φin polynomial space. The overall procedure thus runs in nondeterministic polynomial
space, and because NPspace =Pspace, the problem is in Pspace.J
5.2 Tree semantics
We turn to the case of tree semantics. The ﬁrst undecidability result comes at no surprise
since
QCTLi
can express the existence of winning strategies in imperfectinformation games.
ITheorem 18.
Under tree semantics, the modelchecking problem for
QCTLi
is undecidable.
Proof.
The
MSOeq
theory of the binary tree is undecidable [
30
], and with Lemma 16 we
obtain a reduction to the modelchecking problem for QCTLi.J
5.2.1 Alternating tree automata
We brieﬂy recall the notion of alternating (parity) tree automata. For a set
Z
,
B+
(
Z
)is
the set of formulas built with elements of
Z
as atomic propositions, using only connectives
∨
and
∧
, and with
>,⊥∈ B+
(
Z
). An alternating tree automaton (ATA) on (
AP, X
)trees
is a structure
A
= (
Q, δ, qι, C
)where
Q
is a ﬁnite set of states,
qι∈Q
is an initial state,
δ
:
Q×
2
AP →B+
(
X×Q
)is a transition function, and
C
:
Q→N
is a colouring function.
To ease reading we shall write atoms in transition formulas between brackets, such as [
x, q
].
Anondeterministic tree automaton (NTA) on (
AP, X
)trees is an ATA
A
= (
Q, δ, qι, C
)such
that for every
q∈Q
and
a∈
2
AP
, if
δ
(
q, a
)is written in disjunctive normal form, then for
every direction
x∈X
, each disjunct contains exactly one element of
{x} × Q
. The size of an
ATA is its number of states and its index is its number of diﬀerent colours.
Because we work with trees that are not necessarily complete as they represent unfoldings
of Kripke structures, we ﬁnd it convenient to assume that the state set is partitioned between
R. Berthon, B. Maubert and A. Murano 11
Q>
and
Q⊥
: when sent in a direction where there is no node in the input tree, states in
Q>
accept immediately while states in Q⊥reject immediately2.
We also recall the deﬁnition of acceptance by ATA via games between Eve and Adam.
Let
A
= (
Q, δ, qι, C
)be an ATA over (
AP, X
)trees, let
t
= (
τ, `
)be such a tree and
let
uι∈τ
. We deﬁne the parity game
G
(
A, t, uι
)=(
V, E , vι, C0
): the set of positions is
V
=
τ×Q×B+
(
X×Q
), the initial position is
vι
= (
uι, qι, δ
(
qι, uι
)), and a position (
u, q, α
)
belongs to Eve if
α
is of the form
α1∨α2
or [
x, q0
]; otherwise it belongs to Adam. Moves in
G(A, t, uι)are deﬁned by the following rules:
(u, q, α1†α2)→(u, q, αi)where † ∈ {∨,∧} and i∈ {1,2},
(u, q, [x, q0]) →
(u·x, q0, δ(q0, `(u·x))) if u·x∈t
(u, q, >)if u·x /∈tand q∈Q>
(u, q, ⊥)if u·x /∈tand q∈Q⊥
Positions of the form (
u, q, >
)and (
u, q, ⊥
)are deadlocks, winning for Eve and Adam
respectively. The colouring is inherited from the one of the automaton: C0(u, q, α) = C(q).
A tree
t
is accepted from node
u
by
A
if Eve has a winning strategy in
G
(
A, t, u
), and we
let L(A)be the set of trees accepted by Afrom their root.
We recall three classic results on tree automata. The ﬁrst one is that nondeterministic tree
automata are closed under projection, and was established by Rabin to deal with secondorder
monadic quantiﬁcation:
ITheorem 19
(Projection [
43
])
.
Given an NTA
N
and an atomic proposition
p∈ AP
, one
can build an NTA N ⇓pof same size and index such that L(N ⇓p) = L(N)⇓p.
Because it will be important to understand the automata construction for our decision
procedure in Section 5.2.2, we brieﬂy recall that the projected automaton
N ⇓p
is simply
automaton
N
with the only diﬀerence that when it reads the label of a node, it can
choose whether
p
is there or not: if
δ
is the transition function of
N
, that of
N ⇓p
is
δ0
(
q, a
) =
δ
(
q, a ∪ {p}
)
∨δ
(
q, a \ {p}
), for any state
q
and label
a∈
2
AP
. Another way of
seeing it is that
N ⇓p
ﬁrst guesses a
p
labelling for the input tree, and then simulates
N
on this modiﬁed input. To prevent
N ⇓p
from guessing diﬀerent labels for a same node in
diﬀerent executions, it is crucial that
N
be nondeterministic, reason why we need the next
classic result: the crucial simulation theorem, due to Muller and Schupp.
ITheorem 20
(Simulation [
37
])
.
Given an ATA
A
, one can build an NTA
N
of exponential
size and linear index such that L(N) = L(A).
The last one was established by Kupferman and Vardi to deal with imperfect information
aspects in distributed synthesis. The rough idea is that, if one just observes
X
, uniform
p
labellings on
X×Y
trees can be obtained by choosing the labellings directly on
X
trees,
and then lifting them to X×Y.
ITheorem 21
(Narrowing [
27
])
.
Given an ATA
A
on
X×Y
trees, one can build an ATA
A↓Xon Xtrees of same size such that for al l y∈Y,t∈ L(A ↓X)iﬀ t↑X×Y
y∈ L(A).
In fact the result in [
27
] is stated for
t
(and thus also
t↑X×Y
) a complete tree, but the
proof transfers straightforwadly to this slightly more general result.
2
Note that we could also work only with complete trees, with a special symbol labelling missing nodes.
12 Quantiﬁed CTL with imperfect information
5.2.2 A decidable fragment: hierarchy on observations
We turn to our main result, which is the identiﬁcation of an important decidable fragment.
IDeﬁnition 22.
A
QCTL∗
i
formula
ϕ
is hierarchical if for all subformulas
ϕ1, ϕ2
of the form
ϕ1=∃o1p1. ϕ0
1and ϕ2=∃o2p2. ϕ0
2where ϕ2is a subformula of ϕ0
1, we have o1⊆o2.
In other words, a formula is hierarchical if innermost propositional quantiﬁers observe at
least as much as outermost ones. We let
QCTL∗
i,⊂
be the set of hierarchical
QCTL∗
i
formulas.
ITheorem 23.
Under tree semantics, model checking
QCTL∗
i,⊂
is nonelementary decidable.
In order to prove this we establish Lemma 25 below, but we ﬁrst introduce a few more
notations. For every
ϕ∈QCTL∗
i
, we let
Iϕ
:=
To∈Oo
, where
O
is the set of observations that
occur in
ϕ
, with the intersection over the empty set deﬁned as [
n
]. We also let
Xϕ
:=
XIϕ
(recall that for I⊆[n],XI=Śi∈ILi). We will need a ﬁnal important deﬁnition.
IDeﬁnition 24
(Merge)
.
Let
t
= (
τ, `
)be an (
AP, X
)tree and
t0
= (
τ0, `0
)an (
AP 0, X
)tree.
We deﬁne the merge of
t
and
t0
as the (
AP ∪AP 0
)labelled
X
tree
t!t0
:= (
τ∩τ0, `00
), where
`00(u) = `(u)∪`0(u).
We explain the idea behind this deﬁnition. In our decision procedure, quantiﬁcation on
atomic propositions is performed by means of automata projection (see Theorem 19). But in
order to obtain uniform labellings for these propositions, we need to ﬁrst narrow down our
automata and our trees (see Theorem 21), and in this process we lose information on the
labelling of atomic propositions in the CKS
S
on which we evaluate the formula. To address
this problem, ﬁrst we assume without loss of generality that propositions that are quantiﬁed
upon in Φdo not appear free in Φ. We can then partition propositions in Φbetween those
that are quantiﬁed upon,
AP ∃
, and those that appear free,
APf
. We use the input tree
of the automaton we build to carry the labelling for
AP ∃
, and in the end the input tree is
merged with the unfolding of Sthat carries the labelling to evaluate propositions in APf.
ILemma 25.
Let Φ
∈QCTL∗
i,⊂
with
AP ∃
and
APf
deﬁned as above, and let
S
be a ﬁnite
CKS over
APf
. For every subformula
ϕ
of Φand state
s
of
S
, one can build an ATA
Aϕ
s
on
(AP ∃, Xϕ)trees such that for every (AP ∃, Xϕ)tree trooted in s↓Xϕ,
t∈ L(Aϕ
s)iﬀ t↑[n]
y!tS,s =tϕ, where y=s↓[n]\Iϕ.
For an XItree t, from now on t↑[n]!tS,s stands for t↑[n]
y!tS,s, where y=s↓[n]\I.
Proof.
Let Φ
∈QCTL∗
i,⊂
, and let
AP ∃
(resp.
APf
) be the set of atomic propositions that
are quantiﬁed upon (resp. that appear free) in Φ. Modulo renaming of atomic propositions,
we can assume without loss of generality that
AP ∃
and
APf
are disjoint. Let
S
= (
S, R, `S
)
be a ﬁnite CKS over
APf
. For each state
s∈S
and each subformula
ϕ
of Φ(note that
all subformulas of Φare also hierarchical), we deﬁne by induction on
ϕ
the ATA
Aϕ
s
. The
deﬁnition builds upon the classic construction for CTL∗from [28].
ϕ=p:
We let
Ap
s
be the ATA over
X[n]
trees with one unique state
qι
, with transition
function deﬁned as follows:
δ(qι, a) = (>if (p∈APfand p∈`S(s)) or (p∈AP ∃and p∈a)
⊥if (p∈APfand p /∈`S(s)) or (p∈AP ∃and p /∈a)
R. Berthon, B. Maubert and A. Murano 13
The idea is that since we know the state
s∈S
in which we want to evaluate the formula,
we can read the labelling for atomic propositions in
APf
(those that are not quantiﬁed
upon) directly from
s
. However, for propositions in
AP ∃
, we need to read them from
the input tree. Indeed, if
p∈AP ∃
it means that
p
is quantiﬁed upon in Φ: there is a
subformula
∃op. ϕ
of Φsuch that
p
is a subformula of
ϕ
. The automaton
A∃op. ϕ
s
will be
built by narrowing, nondeterminising and projecting
Aϕ
s
on
p
. On a given input tree
t
,
A∃op. ϕ
s
will thus guess a labelling for
p
in each node of
t
and simulate (the nondeterminised
narrowing of)
Aϕ
s
on this modiﬁed input.
Aϕ
s
must therefore read the labelling for
p
from
its input tree.
ϕ=¬ϕ0:We obtain Aϕ
sby dualising Aϕ0
s, which is a classic operation on ATAs.
ϕ=ϕ1∨ϕ2:
Because
Iϕ
=
Iϕ1∩Iϕ2
, and each
Aϕi
s
works on
Xϕi
trees, we need to narrow
them so that they work on Xϕtrees: for i∈ {1,2}, we let Ai:= Aϕi
s↓Iϕ.
We then build
Aϕ
s
by taking the disjoint union of
A1
and
A2
and adding a new initial
state that nondeterministically chooses which of
A1
or
A2
to execute on the input tree,
so that L(Aϕ
s) = L(A1)∪ L(A2).
ϕ= Eψ:
The aim is to build an automaton
Aϕ
s
that works on
Xϕ
trees and that on input
t
, checks for the existence of a path in
t↑[n]!tS,s
that satisﬁes
ψ
. To do so,
Aϕ
s
guesses
a path λin (S, s). It remembers the current state in S, which provides the labelling for
atomic propositions in APf, and while it guesses λit follows its projection on Xϕin its
input tree t, reading the labels to evaluate propositions in AP ∃.
Let
max
(
ψ
) =
{ϕ1, . . . , ϕn}
be the set of maximal state subformulas of
ψ
. In a ﬁrst step
we see these maximal state subformulas as atomic propositions. Formula
ψ
can thus be
seen as an LTL formula, and we can build a nondeterministic parity word automaton
Wψ
= (
Qψ,
∆
ψ, qψ
ι, Cψ
)over alphabet 2
max(ψ)
that accepts exactly the models of
ψ
. We
deﬁne the ATA
A
that, given as input a (
max
(
ψ
)
, Xϕ
)tree
t
, nondeterministically guesses
a path
λ
in
t↑[n]!tS,s
and simulates
Wψ
on it, assuming that the labels it reads while
following
λ↓Xϕ
in its input correctly represent the truth value of formulas in
max
(
ψ
)
along λ. Recall that S= (S, R, `S); we deﬁne A:= (Q, δ, qι, C), where
Q=Qψ×S,
qι= (qψ
ι, s),
C(qψ, s0) = Cψ(qψ), and
for each (qψ, s0)∈Qand a∈2max(ψ),
δ((qψ, s0), a) = _
q0∈∆ψ(qψ,a)_
s00∈R(s0)
[s00 ↓Xϕ,(q0, s00)].
The intuition is that
A
reads the current label, chooses nondeterministically which
transition to take in
Wψ
, chooses a next state in
S
and proceeds in the corresponding
direction in Xϕ. To ensure3that the path it guesses is not only in tS,s but also in t↑[n],
it is enough to make sure that it always tries to stay inside its input tree
t
, which is
achieved by letting
Q>
=
∅
and
Q⊥
=
Q
. Thus,
A
accepts exactly the
max
(
ϕ
)labelled
Xϕ
trees
t
in which there exists a path that corresponds to some path in
t↑[n]!tS,s
that satisﬁes ψ, where maximal state formulas are considered as atomic propositions.
Now from
A
we build the automaton
Aϕ
s
over
Xϕ
trees labelled with real atomic proposi
tions in
AP ∃
. In each node it visits, this automaton guesses what should be its labelling
over
max
(
ψ
), it simulates
A
accordingly, and checks that the guesses it makes are correct.
3
Actually this is not very important since the tree
t
on which our automata will work will always be
such that the domain of t↑[n]contains the domain of tS,s.
14 Quantiﬁed CTL with imperfect information
If the path being guessed in
t↑[n]!tS,s
is currently in node
u
ending with state
s0
, and
Aϕ
s
guesses that
ϕi
holds in
u
, it checks this guess by starting a simulation of automaton
Aϕi
s0from node v=u↓Xϕin its input t.
For each
s0∈ S
and each
ϕi∈max
(
ψ
)we ﬁrst build
Aϕi
s0
, and we let
Ai
s0
=
Aϕi
s0
=
(
Qi
s0, δi
s0, qi
s0, Ci
s0
). We also let
Ai
s0
= (
Qi
s0, δi
s0, qi
s0, Ci
s0
)be its dualisation, and we assume
w.l.o.g. that all the state sets are pairwise disjoint. Observe that because each
ϕi
is a
maximal state subformula, we have
Iϕi
=
Iϕ
, so that we do not need to narrow down
automata
Ai
s0
and
Ai
s0
. We deﬁne the ATA
Aϕ
s
= (
Q∪Si,s0Qi
s0∪Qi
s0, δ0, qι, C 0
), where
the colours of states are left as they were in their original automaton, and
δ
is deﬁned as
follows. For states in
Qi
s0
(resp.
Qi
s0
),
δ
agrees with
δi
s0
(resp.
δi
s0
), and for (
qψ, s0
)
∈Q
and a∈2AP ∃we let
δ0((qψ, s0), a) = _
a0∈2max(ψ)
δ(qψ, s0), a0∧^
ϕi∈a0
δi
s0(qi
s0, a)∧^
ϕi/∈a0
δi
s0(qi
s0, a)
.
ϕ=∃op. ϕ0:
We build automaton
Aϕ0
s
that works on
Xϕ0
trees; because
ϕ
is hierarchical,
we have that
o⊆Iϕ0
and we can narrow down
Aϕ0
s
to work on
Xo
trees and obtain
A1
:=
Aϕ0
s↓Xo
. By Theorem 20 we can nondeterminise it to get
A2
, which by Theorem 19
we can project with respect to p, ﬁnally obtaining Aϕ
s:= A2⇓p.
We now prove by induction on
ϕ
that the construction is correct. In each case, we let
t= (τ, `)be an (AP ∃, Xϕ)tree rooted in s↓Xϕ.
ϕ=p:
First, note that
Ip
= [
n
], so that
t
is rooted in
s↓Xp
=
s
. Let us consider ﬁrst the
case where
p∈APf
. By deﬁnition of
Ap
s
, we have that
t∈ L
(
Ap
s
)iﬀ
p∈`S
(
s
). On the
other hand, by deﬁnition of the merge operation, of the unfolding, and because
AP ∃
and
APf
are disjoint, we have
t↑[n]!tS,s 
=
p
iﬀ
p∈`S
(
s
), and we are done. Now if
p∈AP ∃
: by deﬁnition of
Ap
s
, we have
t∈ L
(
Ap
s
)iﬀ
p∈`
(
s
); also, by deﬁnition of the
merge, we have that t↑[n]!tS,s =piﬀ p∈`(s), which concludes.
ϕ=¬ϕ0:trivial.
ϕ=ϕ1∨ϕ2:
We have
Ai
=
Aϕi
s↓Xϕ
, so by Theorem 21 we get that
t∈ L
(
Ai
)iﬀ
t↑Xϕi∈ L
(
Aϕi
s
), which by induction hypothesis holds iﬀ (
t↑Xϕi
)
↑[n]!tS,s 
=
tϕi
,i.e., iﬀ
t↑[n]!tS,s =tϕi. We conclude by reminding that L(Aϕ
s) = L(A1)∪ L(A2).
ϕ= Eψ:Suppose that t0=t↑[n]!tS,s =tEψ. There exists a path λstarting at the root
s
of
t0
such that
t0, λ 
=
ψ
. Again, let
max
(
ψ
)be the set of maximal state subformulas of
ϕ
, and let
w
be the inﬁnite word over 2
max(ψ)
that agrees with n
λ
on the state formulas
in
max
(
ψ
). By deﬁnition,
Wψ
has an accepting execution on
w
. Now in the acceptance
game of
Aϕ
s
on
t
, Eve can guess the path
λ
, following
λ↓Xϕ
in its input
t
, and she can
also guess the corresponding word
w
on 2
max(ψ)
and an accepting execution of
Wψ
on
w
.
Let
u0∈t0
be a node of
λ
,
s0
its last direction and let
u
=
u0↓Xϕ∈t
. Assume that in node
u
of the input tree, in a state (
qψ, s0
)
∈Q
, Adam challenges Eve on some
ϕi∈max
(
ψ
)
that she assumes to be true in
u0
,i.e., Adam chooses the conjunct
δi
s0
(
qi
s0, a
), where
a
is
the label of
u
. Note that in the evaluation game this means that Adam moves to position
(u, (qψ, s0), δi
s0(qi
s0, a)). We want to show that Eve wins from this position.
Let
tu
(resp.
t0
u0
) be the subtree of
t
(resp.
t0
) starting in
u
(resp.
u0
)
4
. It is enough to
show that
tu
is accepted by
Ai
s0
=
Aϕi
s0
. Observe that
tu
is rooted in the last direction
4
If
u
=
w·x
, a subtree
tu
of
t
= (
τ, `
)is deﬁned as
tu
:= (
τu, `u
)with
τu
=
{x·w0w·x·w0∈τ}
, and
`u(x·w0) = `(w·x·w0): we remove from each node all directions before last(u).
R. Berthon, B. Maubert and A. Murano 15
of
u
=
u0↓Xϕ
, and since the last direction of
u0
is
s0
we have that
tu
is rooted in
s0↓Xϕ
.
Since
Iϕ
=
Iϕi
we have that
tu
is rooted in
s0↓Xϕi
. We can thus apply the induction
hypothesis on tuwith ϕi, and we get that
tu∈ L(Aϕi
s0)iﬀ tu↑[n]!tS,s0=tϕi.(1)
Now, because u0ends in s0we also have that
t0
u0=tu↑[n]!tS,s0.(2)
Putting
(1)
and
(2)
together, we obtain that
tu∈ L
(
Ai
s0
)iﬀ
t0
u0
=
tϕi
. And because we
have assumed that Eve guesses
w
correctly, we have that
t0, u0
=
tϕi
,i.e.,
t0
u0
=
tϕi
, and
we get that tuis accepted by Ai
s0.
Eve thus has a winning strategy from the initial position of the acceptance game of
Ai
s0
on
tu
. This initial position is (
u, qi
s0, δi
s0
(
qi
s0, a
)). Since (
u, qi
s0, δi
s0
(
qi
s0, a
)) and (
u, q, δi
s0
(
qi
s0, a
))
contain the same node
u
and transition formula
δi
s0
(
qi
s0, a
), a winning strategy in one of
these positions
5
is also a winning strategy in the other, and therefore Eve wins Adam’s
challenge. With a similar argument, we get that also when Adam challenges Eve on
some
ϕi
assumed not to be true in node
v
, Eve wins the challenge. Finally, Eve wins the
acceptance game of Aϕ
son t, and thus t∈ L(Aϕ
s).
For the other direction, assume that
t∈ L
(
Aϕ
s
),i.e., Eve wins the evaluation game of
Aϕ
s
on
t
. Again, let
t0
=
t↑[n]!tS,s
. A winning strategy for Eve describes a path
λ
that is
both in
tS,s
and in
t↑[n]
(recall that we have forbidden Eve to leave the input tree by
letting
Q>
=
∅
and
Q⊥
=
Q
), so that
λ
is a path in
t0
. This winning strategy also deﬁnes
an inﬁnite word
w
over 2
max(ψ)
such that
w
agrees with
λ
on the formulas in
max
(
ψ
),
and it also describes an accepting run of Wψon w. Hence t0, λ =tψ, and t0=tϕ.
ϕ=∃op. ϕ0:
First, observe that because
ϕ
is hierarchical, we have that
Iϕ
=
o
. Next, by
Theorem 19 we have that
t∈ L(Aϕ
s)iﬀ there exists tp≡ptsuch that tp∈ L(A2).(3)
By Theorem 20,
L
(
A2
) =
L
(
A1
), and since
A1
=
Aϕ0
s↓Xo
=
Aϕ0
s↓Xϕ
we get by Theorem 21
that
tp∈ L(A2)iﬀ tp↑Xϕ0
y∈ L(Aϕ0
s),where y=s↓(Iϕ0\Iϕ). (4)
Now
tp
and
t
have the same root,
s↓Xϕ
. The root of
tp↑Xϕ0
y
is thus (
s↓Xϕ, y
) =
s↓Xϕ0
,
and we can apply the induction hypothesis on tp↑Xϕ0
ywith ϕ0:
tp↑Xϕ0
y∈ L(Aϕ0
s)iﬀ tp↑Xϕ0
y↑[n]!tS,s =tϕ0.(5)
Now, with (3), (4) and (5) together with the fact that tp↑Xϕ0
y↑[n]=tp↑[n], we get that
t∈ L(Aϕ
s)iﬀ there exists tp≡ptsuch that tp↑[n]!tS,s =tϕ0.(6)
Let us prove that the righthand side of
(6)
holds if and only if
t↑[n]!tS,s 
=
t∃op. ϕ0
.
For the ﬁrst direction, assume that there exists
tp≡ptsuch that tp↑[n]!tS,s 
=
tϕ0
.
First, by deﬁnition of the merge, because
p∈AP ∃
and
AP ∃
and
APf
are disjoint, the
5Recall that positional strategies are suﬃcient in parity games [49].
16 Quantiﬁed CTL with imperfect information
p
labelling of
tp↑[n]!tS,s
is determined by the
p
labelling of
tp↑[n]
, which by deﬁnition
of the lift is
o
uniform. In addition it is clear that
tp↑[n]!tS,s ≡pt↑[n]!tS,s
, which
concludes this direction.
For the other direction, assume that
t↑[n]!tS,s 
=
t∃op. ϕ0
: there exists
t0
p≡pt↑[n]!tS,s
such that
t0
p
is
o
uniform in
p
and
t0
p
=
tϕ0
. Let us write
t0
p
= (
τ0, `0
p
)and
t
= (
τ, `
). We
deﬁne
tp
:= (
τ, `p
)where for each
u∈τ
, if there exists
u0∈τ0
such that
u0↓o
=
u
, we let
`p(u) = (`(u)∪ {p}if p∈`0
p(u0)
`(u)\ {p}otherwise.
This is well deﬁned because
t0
p
is
o
uniform in
p
: if two nodes
u0, v0
project on
u
, we
have
u0≈ov0
and thus they agree on
p
. In case there is no
u0∈τ0
such that
u0↓Xϕ
=
u
,
we can let
`p
(
u
) =
`
(
u
)as this node disappears in
t↑[n]!tS,s
. Clearly,
tp≡pt
. Now
we write
t00
p
=
tp↑[n]!tS,s
and we prove that
t00
p
=
t0
p
hence
t00
p
=
tϕ0
, which concludes.
It is clear that
t00
p
and
t0
p
have the same domain. Also, because
t0
p≡pt↑[n]!tS,s
and
t00
p
=
tp↑[n]!tS,s
, by deﬁnition of the merge both agree with
tS,s
for all atomic
propositions in
APf
. Because
tp≡pt
, and again by deﬁnition of the merge,
t00
p
and
t0
p
also
agree on all atomic propositions in
AP ∃\ {p}
. Finally, by deﬁnition of
tp
and because
t0
p
is ouniform in p, we get that t00
pand t0
palso agree on p, and therefore t00
p=t0
p.J
We can now prove Theorem 23. Let (
S, s
)be a pointed CKS, and let
ϕ∈QCTL∗
i,⊂
. By
Lemma 25 one can build an ATA
Aϕ
s
such that for every labelled
Xϕ
tree
t
rooted in
s↓Xϕ
,
it holds that
t∈ L
(
Aϕ
s
)
iﬀ t↑[n]!tS,s 
=
tϕ
. Let
τ
be the full
Xϕ
tree rooted in
s↓Xϕ
, and
let
t
= (
τ, `∅
), where
`∅
is the empty labelling. Clearly,
t↑[n]!tS,s
=
tS,s
, and because
t
is rooted in
s↓Xϕ
, we have
t∈ L
(
Aϕ
s
)
iﬀ tS,s 
=
tϕ
. It only remains to build a simple
deterministic tree automaton
A
over
Xϕ
trees such that
L
(
A
) =
{t}
, and check for emptiness
of the alternating tree automaton
L
(
A∩Aϕ
s
). Because nondeterminisation makes the size of
the automaton gain one exponential for each nested quantiﬁer on propositions, the procedure
is nonelementary, and hardness is inherited from the modelchecking problem for QCTL [
29
].
6 Conclusion and future work
We have introduced the essence of imperfect information in
QCTL∗
, by adding internal struc
ture to states of the models and parameterising propositional quantiﬁers with observational
power over this internal structure. We considered both the structure and tree semantics,
intimately related to the notions of no memory and perfect recall in game strategies, respect
ively. For the structure semantics we showed that our logic coincides with QCTL in expressive
power, and thus also with MSO, and that the modelchecking problem is Pspacecomplete, as
for QCTL. For the tree semantics however we showed that our logic is expressively equivalent
to MSO with equal level, and that its modelchecking problem is thus undecidable. But we
established, thanks to automata techniques made possible by our modelling choices, that
model checking hierarchical formulas is decidable.
Several future work directions await us. First it would be interesting to study
QCTLi
under the amorphous semantics, studied by French for QCTL in [
16
]. We would also like to
investigate fragments with better complexity, as well as the satisﬁability problem for
QCTLi
.
Then we believe that there may be interesting connections with Chain Logic with equal level,
a restriction of
MSOeq
that is decidable on trees. Does it correspond to another interesting
decidable fragment of
QCTL∗
i
? Finally, we aim at exploiting our last result in various logics
for strategic reasoning with imperfect information, such as ATL∗
sc and SL.
R. Berthon, B. Maubert and A. Murano 17
References
1E. A.Emerson and C.L. Lei. Modalities for model checking: Branching time strikes back.
In PL’85, pages 84–96. ACM Press, 1985.
2T. Ågotnes, V. Goranko, and W. Jamroga. AlternatingTime Temporal Logics with Irre
vocable Strategies. In TARK’07, pages 15–24, 2007.
3R. Alur, T.A. Henzinger, and O. Kupferman. AlternatingTime Temporal Logic. JACM,
49(5):672–713, 2002.
4Dietmar Berwanger, Anup Basil Mathew, and Marie van den Bogaard. Hierarchical inform
ation patterns and distributed strategy synthesis. In Automated Technology for Veriﬁcation
and Analysis  13th International Symposium, ATVA 2015, Shanghai, China, October 12
15, 2015, Proceedings, pages 378–393, 2015. doi:10.1007/9783319249537\_28.
5T. Brihaye, A. Da Costa Lopes, F. Laroussinie, and N. Markey. ATL with Strategy Contexts
and Bounded Memory. In LFCS’09, LNCS 5407, pages 92–106. Springer, 2009.
6P. Čermák, A. Lomuscio, F. Mogavero, and A. Murano. MCMASSLK: A Model Checker
for the Veriﬁcation of Strategy Logic Speciﬁcations. In CAV’14, LNCS 8559, pages 524–531.
Springer, 2014.
7K. Chatterjee, T.A. Henzinger, and N. Piterman. Strategy Logic. Information and Com
putation, 208(6):677–693, 2010.
8E.M. Clarke and E.A. Emerson. Design and Synthesis of Synchronization Skeletons Using
BranchingTime Temporal Logic. In LP’81, LNCS 131, pages 52–71. Springer, 1981.
9E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 2002.
10 A. Da Costa, F. Laroussinie, and N. Markey. ATL with Strategy Contexts: Expressiveness
and Model Checking. In FSTTCS’10, LIPIcs 8, pages 120–132, 2010.
11 M. Dastani and W. Jamroga. Reasoning about strategies of multiagent programs. In
AAMAS’10, pages 997–1004. IFAAMAS, 2010.
12 C. Dima and F. L. Tiplea. Modelchecking ATL under imperfect information and perfect
recall semantics is undecidable. CoRR, abs/1102.4225, 2011.
13 C. Dima and F.L. Tiplea. Modelchecking ATL under Imperfect Information and Perfect
Recall Semantics is Undecidable. Technical report, arXiv, 2011.
14 C. C. Elgot and M. O. Rabin. Decidability and undecidability of extensions of second
(ﬁrst) order theory of (generalized) successor. J. Symb. Log., 31(2):169–181, 1966. URL:
http://dx.doi.org/10.2307/2269808,doi:10.2307/2269808.
15 E.A. Emerson and J.Y. Halpern. “Sometimes” and “Not Never” Revisited: On Branching
Versus Linear Time. JACM, 33(1):151–178, 1986.
16 Tim French. Decidability of quantifed propositional branching time logics. In Australian
Joint Conference on Artiﬁcial Intelligence, pages 165–176. Springer, 2001.
17 Joseph Y Halpern and Moshe Y Vardi. The complexity of reasoning about knowledge and
time. i. lower bounds. Journal of Computer and System Sciences, 38(1):195–237, 1989.
18 W. Jamroga, S. Mauw, and M. Melissen. Fairness in nonrepudiation protocols. In Pro
ceedings of STM’11, volume 7170 of LNCS, pages 122–139, 2012.
19 W. Jamroga and A. Murano. On Module Checking and Strategies. In AAMAS’14, pages
701–708. IFAAMAS, 2014.
20 S. Kremer and J.F. Raskin. A gamebased veriﬁcation of nonrepudiation and fair exchange
protocols. Journal of Computer Security, 11(3), 2003.
21 O. Kupermann and M.Y. Vardi. Synthesizing distributed systems. In Logic in Computer
Science, 2001. Proceedings. 16th Annual IEEE Symposium on, pages 389–398. IEEE, 2001.
22 O. Kupferman. Augmenting branching temporal logics with existential quantiﬁcation over
atomic propositions. In CAV’95, LNCS 939, pages 325–338. Springer, 1995.
18 Quantiﬁed CTL with imperfect information
23 O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in
reactive environments: Control and synthesis. In CONCUR’00, LNCS 1877, pages 92–107.
Springer, 2000.
24 O. Kupferman and M. Y. Vardi. Module checking revisited. In CAV’97, volume 1254 of
LNCS, pages 36–47. Springer, 1997.
25 O. Kupferman, M.Y. Vardi, and P. Wolper. An Automata Theoretic Approach to
BranchingTime Model Checking. JACM, 47(2):312–360, 2000.
26 O. Kupferman, M.Y. Vardi, and P. Wolper. Module Checking. IC, 164(2):322–344, 2001.
27 Orna Kupferman and Moshe Y Vardi. Church’s problem revisited. Bul letin of Symbolic
Logic, pages 245–263, 1999.
28 Orna Kupferman, Moshe Y. Vardi, and Pierre Wolper. An automatatheoretic approach
to branchingtime model checking. J. ACM, 47(2):312–360, 2000.
29 François Laroussinie and Nicolas Markey. Quantiﬁed CTL: expressiveness and complexity.
Logical Methods in Computer Science, 10(4), 2014. URL: http://dx.doi.org/10.2168/
LMCS10(4:17)2014,doi:10.2168/LMCS10(4:17)2014.
30 Hans Läuchli and Christian Savioz. Monadic second order deﬁnable relations on the binary
tree. The Journal of Symbolic Logic, 52(01):219–226, 1987.
31 A. Lomuscio and F. Raimondi. MCMAS : A model checker for multiagent systems. In
TACAS’06, LNCS 4314, pages 450–454, 2006.
32 A.D.C. Lopes, F. Laroussinie, and N. Markey. ATL with Strategy Contexts: Expressive
ness and Model Checking. In FSTTCS’10, LIPIcs 8, pages 120–132. LeibnizZentrum fuer
Informatik, 2010.
33 F. Mogavero, A. Murano, G. Perelli, and M.Y. Vardi. Reasoning About Strategies: On the
ModelChecking Problem. TOCL, 15(4):34:1–42, 2014.
34 F. Mogavero, A. Murano, and M.Y. Vardi. Reasoning About Strategies. In FSTTCS’10,
LIPIcs 8, pages 133–144. LeibnizZentrum fuer Informatik, 2010.
35 F. Mogavero, A. Murano, and M.Y. Vardi. Relentful Strategic Reasoning in Alternating
Time Temporal Logic. In LPAR’10, LNAI 6355, pages 371–387. Springer, 2010.
36 David E. Muller and Paul E. Schupp. Alternating automata on inﬁnite trees. Theor. Com
put. Sci., 54:267–276, 1987. URL: http://dx.doi.org/10.1016/03043975(87)901332,
doi:10.1016/03043975(87)901332.
37 David E. Muller and Paul E. Schupp. Simulating alternating tree automata by nondetermin
istic automata: New results and new proofs of the theorems of rabin, mcnaughton and safra.
Theor. Comput. Sci., 141(1&2):69–107, 1995.
38 Gary Peterson, John Reif, and Salman Azhar. Lower bounds for multiplayer noncooperative
games of incomplete information. Computers & Mathematics with Applications, 41(7):957–
992, 2001.
39 Gary Peterson, John Reif, and Salman Azhar. Decision algorithms for multiplayer nonco
operative games of incomplete information. Computers & Mathematics with Applications,
43(1):179–206, 2002.
40 Sophie Pinchinat and Stéphane Riedweg. A decidable class of problems for control under
partial observation. Information Processing Letters, 95(4):454–460, 2005.
41 A. Pnueli. The Temporal Logic of Programs. In FOCS’77, pages 46–57. IEEE Computer
Society, 1977.
42 A. Pnueli and R. Rosner. On the Synthesis of a Reactive Module. In POPL’89, pages
179–190. Association for Computing Machinery, 1989.
43 Michael O Rabin. Decidability of secondorder theories and automata on inﬁnite trees.
Transactions of the american Mathematical Society, 141:1–35, 1969.
44 John H. Reif. The complexity of twoplayer games of incomplete information. J. Comput.
Syst. Sci., 29(2):274–301, 1984.
R. Berthon, B. Maubert and A. Murano 19
45 A.P. Sistla. Theoretical Issues in the Design and Ceriﬁcation of Distributed Systems. PhD
thesis, Harvard University, Cambridge, MA, USA, 1983.
46 W. Thomas. Inﬁnite trees and automatondeﬁnable relations over omegawords. Theor.
Comput. Sci., 103(1):143–159, 1992.
47 W. van der Hoek and M. Wooldridge. Cooperation, knowledge and time: Alternatingtime
Temporal Epistemic Logic and its applications. Studia Logica, 75(1):125–157, 2003.
48 M.Y. Vardi and L.J. Stockmeyer. Improved upper and lower bounds for modal logics of
programs: Preliminary report. In STOC’85, pages 240–251, 1985.
49 Wieslaw Zielonka. Inﬁnite games on ﬁnitely coloured graphs with applications to automata
on inﬁnite trees. Theor. Comput. Sci., 200(12):135–183, 1998.