ArticlePDF Available

Quantified CTL with imperfect information

Abstract

Quantified CTL (QCTL) is a well-studied temporal logic that extends CTL with quantification over atomic propositions. It has recently come to the fore as a powerful intermediary framework to study logics for strategic reasoning. We extend it to include imperfect information by parameterizing quantifiers with an observation that defines how well they observe the model, thus constraining their behaviour. We consider two different semantics, one related to the notion of no memory, the other to perfect recall. We study the expressiveness of our logic, and show that it coincides with MSO for the first semantics and with MSO with equal level for the second one. We establish that the model-checking problem is Pspace-complete for the first semantics. While it is undecidable for the second one, we identify a syntactic fragment, defined by a notion of hierarchical formula, which we prove to be decidable thanks to an automata-theoretic approach.
Quantified CTL with imperfect information
Raphaël Berthon1, Bastien Maubert2, and Aniello Murano3
1 École Normale Supérieure de Rennes, France
raphael.berthon@ens-rennes.fr
2 Università degli Studi di Napoli Federico II, Italy
bastien.maubert@gmail.com
3 Università degli Studi di Napoli Federico II, Italy
murano@na.infn.it
Abstract
Quantified CTL (QCTL) is a well-studied temporal logic that extends CTL with quantification
over atomic propositions. It has recently come to the fore as a powerful intermediary framework
to study logics for strategic reasoning. We extend it to include imperfect information by para-
meterising quantifiers with an observation that defines how well they observe the model, thus
constraining their behaviour. We consider two different semantics, one related to the notion of
no memory, the other to perfect recall. We study the expressiveness of our logic, and show that
it coincides with MSO for the first semantics and with MSO with equal level for the second one.
We establish that the model-checking problem is Pspace-complete for the first semantics. While
it is undecidable for the second one, we identify a syntactic fragment, defined by a notion of
hierarchical formula, which we prove to be decidable thanks to an automata-theoretic approach.
1 Introduction
Temporal logic is a powerful framework widely used in formal system-design and verifica-
tion [
9
,
41
]. It allows reasoning over the temporal evolution of a system, without referring
explicitly to the elapsing of time. One of the most significant contributions of the field is model
checking, which allows to verify system correctness by checking whether a mathematical model
of the system satisfies a temporal logic formula expressing its desired behaviour [
8
,
9
,
25
,
26
].
Depending on the view of the nature of time, two types of temporal logics are mainly
considered. In linear-time temporal logics such as LTL [
41
] time is treated as if each moment
in time had a unique possible future. Conversely, in branching-time temporal logics such
as CTL [
8
] and
CTL
[
15
], each moment in time may split into various possible futures;
existential and universal quantifiers then allow expressing properties of either one or all the
possible futures. While LTL is suitable to express path properties, CTL is more appropriate for
state-based ones, and
CTL
for both. These logics are “easy-to-use”, can express important
system properties such as liveness or safety, enjoy good fundamental theoretical properties
such as invariance under tree-unwinding of models, and come with reasonable complexities
for the main related decision problems. For instance, the model-checking and satisfiability
problems for CTLare Pspace-Complete [1] and 2-Exptime-Complete [48], respectively.
Along the years,
CTL
has been extended in a number of ways in order to verify the beha-
vior of a broad variety of systems. In multi-agent open-system verification, Alternating-Time
Temporal Logic (
ATL
), introduced by Alur, Henzinger, and Kupferman [
3
], is particularly
successful. This generalization of
CTL
replaces path quantifiers with strategic modalities,
that is modalities over teams of agents that describe the ability to cooperate in order to
This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under the Marie Sklodowska-Curie grant agreement No 709188.
2 Quantified CTL with imperfect information
achieve a goal against adversaries.
ATL
model checking is a very active area of research and
it has been studied in several domains, including communication protocols [
47
], fair exchange
protocols [
20
,
18
], and agent-oriented programs [
11
]. The complexity of the problem has
been extensively studied in a multitude of papers, and algorithms have been implemented in
tools [
31
]. Remarkably,
ATL
has inspired fresh and more powerful logics such as Strategy
Logic (SL) [
7
,
34
,
33
],
ATL
with strategy context (
ATL
sc
) [
5
,
10
],
ATL
with Irrevocable
strategies (I
ATL
) [
2
] and Memoryful
ATL
(m
ATL
) [
35
]. These logics are progressively
overtaking
ATL
; in particular this is the case for SL as it can can express fundamental
game-theoretic concepts such as Nash Equilibrium and Subgame Perfect Equilibrium [33].
In the landscape of temporal logics, another breakthrough contribution comes from
Quantified
CTL
(
QCTL
), which extends
CTL
with the possibility to quantify over atomic
propositions [
45
,
22
,
23
,
16
,
29
].
QCTL
turns out to be very expressive (indeed, it is equi-
valent to Monadic Second-Order Logic, MSO for short) and was usefully applied in a number
of scenarios. Recently it has come to the fore as a convenient and uniform intermediary logic
to easily obtain algorithms for
ATL
sc
,SL, as well as related formalisms [
29
,
32
,
33
]. Indeed,
strategies can be represented by atomic propositions labelling the execution tree of the
game structure under study, and strategy quantification can thus be expressed by means of
propositional quantifications. As a remark, quantification in
QCTL
can be interpreted either
on Kripke structures (structure semantics) or their execution tree (tree semantics), allowing
for the encoding of memoryless or perfect-recall strategies, respectively. This difference
impacts also the complexity of the related decision problems: for instance, moving from
structure to tree semantics, model checking jumps from Pspace to non-elementary.
In game theory and open-system verification an important body of work has been devoted
to imperfect information, which refers to settings in which players have partial information
about the moves taken by the others [
6
,
13
,
19
,
24
,
42
]. This is a common situation in
real-life scenarios where players have to act without having all the relevant information at
hand. In computer science this situation occurs for example when some system’s variables
are internal/private [
44
]. Imperfect information is usually modelled by indistinguishability
relations over the states of the game. During a play, some players may not know precisely
in which state they are, and therefore they cannot base their actions on the exact current
situation: they must choose their actions uniformly over indistinguishable states [24].
This uniformity constraint deeply impacts the complexity of decision problems. It is well
known that multi-player games with imperfect information are computationally hard, in
general undecidable [
38
], and to retain positive complexity results one needs to restrict players’
capabilities, by bounding their memory of past moves [
12
] or putting some hierarchical order
over their observational power [
42
]. Unfortunately, most of the approaches exploited under
full observation are not appropriate for imperfect information. In particular this is the case of
QCTL
, unless opportunely adapted. In this paper we work in this direction by incorporating
in
QCTL
the essence of imperfect information, that is the uniformity constraint on choices.
We believe it may provide a uniform framework to obtain new results on logics for strategic
reasoning under imperfect information, as does QCTLin the perfect information setting.
Our contribution.
We introduce
QCTL
i
, an opportune extension of
QCTL
that in-
tegrates the central feature of imperfect information, i.e., uniformity constraint on choices.
We add internal structure to the states of the models, much like in Reif’s multiplayer game
structures [
38
] or distributed systems [
17
], and we parameterise propositional quantifiers
with observations that define what portions of the states a quantifier can “observe”. The
semantics is adapted to capture the idea of quantifications on atomic propositions being
made with partial observation. Like in [29], we consider both structure and tree semantics.
R. Berthon, B. Maubert and A. Murano 3
We study the expressive power of
QCTL
i
. By using the same argument as for
QCTL
[
29
],
we first show that
QCTL
i
and
QCTLi
are equally expressive for both semantics. Then we
prove that for the structure semantics, these logics are no more expressive than QCTL, and
thus coincide with MSO. Finally we show that under tree semantics
QCTLi
is expressively
equivalent to MSO extended with the equal level predicate (MSOeq, see [14, 30, 46]).
Concerning the model-checking problem we first prove that under structure semantics it
is Pspace-complete for both
QCTL
i
and
QCTLi
, like QCTL. Under tree semantics, undecid-
ability follows from the equivalence with
MSOeq
. However we identify a decidable syntactic
fragment, consisting of those formulas in which nested quantifiers have hierarchically ordered
observations, innermost ones observing more than outermost ones. We call such formulas
hierarchical formulas. Interestingly, a decidability result for Quantified
µ
-Calculus with
partial observation [
40
] uses a similar syntactic restriction. This logic is very close to ours,
but orthogonal: while our tree semantics relies on a synchronous perfect-recall notion of
imperfect information, theirs is asynchronous. This hierarchical restriction is also related to
decidability results for games with imperfect information [
39
,
4
] and distributed synthesis [
21
].
Our decision procedure relies on automata constructions involving the narrowing operation
introduced by Kupferman and Vardi in [
27
] for distributed synthesis. We believe that our
choice of modelling imperfect information by means of local states eases greatly the use
of automata techniques to tackle imperfect information. Finally, our result provides new
decidability results for
ATL
sc
with imperfect information (not presented here), and we trust
it will find applications in other logics, such as SL with imperfect information.
Plan.
In Section 2 we recall Kripke structures and trees, and the syntax and semantics
of
QCTL
. We then present
QCTL
i
in Section 3, we study its expressiveness in Section 4 and
its model-checking problem in Section 5. We conclude and discuss future work in Section 6.
2 Preliminaries
Let Σbe an alphabet. A finite (resp. infinite)word over Σis an element of Σ
(resp. Σ
ω
).
The empty word is classically noted
, and Σ
+
= Σ
\ {}
. The length of a word is
|w|
:= 0
if
w
is the empty word
, if
w
=
w0w1. . . wn
is a finite non-empty word then
|w|
:=
n
+ 1,
and for an infinite word
w
we let
|w|
:=
ω
. Given a word
w
and 0
i, j ≤ |w| −
1, we let
wi
be the letter at position
i
in
w
and
w
[
i, j
]be the subword of
w
that starts at position
i
and
ends at position
j
. If
w
is infinite, we let
wi
:=
w
[
i, ω
]. We write
w4w0
if
w
is a prefix of
w0
, and
w4
is the set of finite prefixes of word
w
. Finally, for
nN
we let [
n
] :=
{
1
, . . . , n}
.
2.1 Kripke structures and trees
Let
AP
be a countably infinite set of atomic propositions and let
AP ⊂ AP
be a finite subset.
IDefinition 1.
AKripke structure over
AP
is a tuple
S
= (
S, R, `
)where
S
is a set of states,
RS×Sis a left-total1transition relation and `:S2AP is a labelling function.
Apointed Kripke structure is a pair (
S, s
)where
s∈ S
, and the size
|S|
of a Kripke
structure
S
is its number of states. A path in a structure
S
= (
S, R, `
)is an infinite word
λSω
such that for all
iN
,(
λi, λi+1
)
R
. For
sS
, we let
Paths
(
s
)be the set of all
paths that start in s. A finite path is a finite non-empty prefix of a path.
1i.e., for all sS, there exists s0such that (s, s0)R.
4 Quantified CTL with imperfect information
We now define (infinite) trees. In many works, trees are defined as prefixed-closed sets of
words with the empty word
as root. Here trees represent unfoldings of Kripke structures,
and we find it more convenient to see a node as a sequence of states and the root as the
initial state, hence the following definition, where Xis a finite set:
IDefinition 2. An X-tree τis a nonempty set of words τX+such that:
there exists rX, called the root of τ, such that each uτstarts with r;
if u·xτand u6=, then uτ, and
if uτthen there exists xXsuch that u·xτ.
The elements of a tree
τ
are called nodes. If
u·xτ
, we say that
u·x
is a child of
u
. An
X
-tree is full if every node
u
has a child
u·x
for each
xX
. The depth of a node
u
is
|u|
.
Similarly to Kripke structures, a path is an infinite sequence of nodes
λ
=
u0u1. . .
such that
for all
iN
,
ui+1
is a child of
ui
, and
P aths
(
u
)is the set of paths that start in node
u
. An
AP
-labelled
X
-tree, or (
AP, X
)-tree for short, is a pair
t
= (
τ, `
), where
τ
is an
X
-tree called
the domain of
t
and
`
:
τ
2
AP
is a labelling. For a labelled tree
t
= (
τ, `
)and an atomic
proposition
p∈ AP
, we define the
p
-projection of
t
as the labelled tree
tp
:= (
τ, ` p
), where
for each uτ,`p(u) := `(u)\ {p}. For a set of trees L, we let Lp:= {tp|t∈ L}.
IDefinition 3
(Tree unfoldings)
.
Let
S
= (
S, R, `
)be a Kripke structure over
AP
, and let
sS
. The tree-unfolding of
S
from
s
is the (
AP, S
)-tree
tS,s
= (
τ, `0
), where
τ
is the set of
all finite paths that start in s, and for every uτ,`0(u) = `(last(u)).
2.2 QCTL, syntax and semantics
We recall the syntax of QCTL, as well as both the structure and tree semantics.
IDefinition 4. The syntax of QCTLis defined by the following grammar:
ϕ:= p| ¬ϕ|ϕϕ|Eψ| ∃p. ϕ
ψ:= ϕ| ¬ψ|ψψ|Xψ|ψUψ
where
p∈ AP
. Formulas of type
ϕ
are called state formulas, those of type
ψ
are called path
formulas, and QCTLconsists of state formulas.
Like in [
29
] we consider two different semantics, the structure semantics and the tree
semantics: in the former formulas are evaluated directly on the structure, while in the latter
the structure is first unfolded into an infinite tree. In the first case, quantifying over
p
means
choosing a truth value for
p
in each state of the structure, while in the second case it is
possible to choose a different truth value for pin each finite path of the structure.
2.2.1 Structure semantics
A
QCTL
state (resp. path) formula is evaluated in a state (resp. path) of a Kripke structure.
To define the semantics of quantifications over propositions, the following definition is handy.
IDefinition 5.
For
p∈ AP
, two structures
S
= (
S, R, `
)and
S0
= (
S0, R0, `0
)are equivalent
modulo
p
, written
S ≡pS0
, if
S
=
S0
,
R
=
R0
and for each state
sS
,
`
(
s
)
\ {p}
=
`0
(
s
)
\ {p}
.
This definition also applies to labelled trees seen as infinite Kripke structures.
R. Berthon, B. Maubert and A. Murano 5
The satisfaction relation
|
=
s
for the structure semantics is defined inductively as follows,
where S= (S, R, `)is a Kripke structure, sis a state and λis a path in S:
S, s |=spif p`(s)S, s |=s¬ϕif S, s 6|=sϕ
S, s |=sϕϕ0if S, s |=sϕor S, s |=sϕ0
S, s |=sEψif there exists λPaths(s)such that S, λ |=sψ
S, s |=sp. ϕ if there exists S0pSsuch that S0, s |=ϕ
S, λ |=sϕif S, λ0|=sϕS, λ |=s¬ψif S, λ 6|=sψ
S, λ |=sψψ0if S, λ |=sψor S, λ |=sψ0S, λ |=sXψif S, λ1|=sψ
S, λ |=sψUψ0if there exists i0such that S, λi|=sψ0and for 0j < i, S, λj|=sψ
2.2.2 Tree semantics
In the tree semantics, a formula holds in a state
s
of a structure
S
if it holds in the tree-
unfolding of
S
from
s
. The semantics of
QCTL
on trees could be derived from the structure
semantics, seeing 2
AP
-labelled trees as infinite-state Kripke structures. We define it explicitly
on trees though, as it will make the presentation of the semantics for QCTLiclearer.
The satisfaction relation
|
=
t
for the tree semantics is thus defined inductively as follows,
where t= (τ, `)is a 2AP -labelled X-tree, uis a node and λis a path in τ:
t, u |=tpif p`(u)t, u |=t¬ϕif t, u 6|=tϕ
t, u |=tϕϕ0if t, u |=tϕor t, u |=tϕ0
t, u |=tEψif there exists λP aths(u)such that t, λ |=tψ
t, u |=tp. ϕ if there exists t0ptsuch that t0, u |=ϕ
t, λ |=tϕif t, λ0|=tϕ t, λ |=t¬ψif t, λ 6|=tψ
t, λ |=tψψ0if t, λ |=tψor t, λ |=tψ0t, λ |=tXψif t, λ1|=tψ
t, λ |=tψUψ0if there exists i0such that t, λi|=tψ0and for 0j < i, t, λj|=tψ
We may write
t|
=
tϕ
for
t, r |
=
tϕ
, where
r
is the root of
t
, and given a Kripke structure
S, a state sand a QCTLformula ϕ, we write S, s |=tϕif tS,s |=tϕ.
3QCTLwith imperfect information
We now enrich the models, syntax and semantics to capture the idea of quantifications on
atomic propositions being made with a partial observation of the system.
3.1 Compound Kripke structures
First, we enrich Kripke structures by adding internal structure to states: we set them as
tuples of local states. To ease presentation and obtain finite alphabets for our tree automata
in Section 5.2.2, we fix a collection {Li}i[n]of ndisjoint finite sets of local states.
For
I
[
n
], we let
XI
:=
ŚiILi
. Let
JI
[
n
]. For
x
= (
li
)
iIXI
, we define
the
XJ
-projection of
x
as
xXJ
:= (
li
)
iJ
. If
J
=
, we let
x
:=
0
, where
0
is a special
symbol, and we let
X
:=
{0}
. This definition extends naturally to words and trees over
XI
.
Observe that when projecting a tree, nodes with same projection are merged. In particular,
for every
XI
-tree
τ
,
τ
is the only
X
-tree,
0ω
. We also define a lift operator
I
y
that, given
an XJ-tree rooted in xand a tuple yXI\J, produces the XI-tree rooted in (x, y)defined
as
τXI
y
:=
{u
(
x, y
)
·X
I|uXJτ}
. Observe that because the sets
{Li}i[n]
are disjoint,
the ordering of elements in tuples of
XI
does not matter. For an (
AP, XJ
)-tree
t
= (
τ, `
), we
define
tXI
y
:= (
τXI
y, `0
)where
`0
(
u
) :=
`
(
uXJ
). In the following we may write
I
y
for
XI
y
,
and Jinstead of XJ.
6 Quantified CTL with imperfect information
IDefinition 6.
Acompound Kripke structure, or CKS, is a Kripke structure
S
= (
S, R, `
)
such that SX[n]. We call nthe dimension of CKSs.
I
Remark. Note that by fixing finite sets of local states, we also fix a finite set of possible
states. If it were not so, our translation from
QCTLi
to QCTL in Theorem 13, as well as
the one from
QCTLi
to
MSOeq
in Theorem 15 would no longer be valid, making us also lose
Corollary 14. We would no longer have equivalence in expressivity, but we would still have
that
QCTLi
is at least as expressive as MSO (resp.
MSOeq
) for structure semantics (resp.
tree semantics). Also our results on model checking in Section 5, and in particular our main
result, Theorem 23, would still be valid.
To model the fact that quantifiers may not observe some local states, we define a notion
of observation and the associated notion of observational indistinguishability.
IDefinition 7.
An observation is a finite set of indices
oN
. For an observation
o
and
I[n], two tuples x, x0XIare o-indistinguishable, written xox0, if xIo=x0Io.
Intuitively, a quantifier with observation
o
must choose the valuation of atomic propositions
uniformly with respect to
o
, and this notion of uniformity will vary between the structure
semantics and the tree semantics. But first, let us introduce the syntax of QCTL
i.
3.2 QCTL
i, syntax and semantics
The syntax of
QCTL
i
is that of
QCTL
, except that quantifiers over atomic propositions are
parameterised by a set of indices that defines what local states the quantifier can “observe”.
IDefinition 8. The syntax of QCTL
iis defined by the following grammar:
ϕ:= p| ¬ϕ|ϕϕ|Eψ| ∃op. ϕ
ψ:= ϕ| ¬ψ|ψψ|Xψ|ψUψ
where p∈ AP and oNis an observation.
We use standard abbreviations:
>
:=
p∨ ¬p
,
:=
¬>
,
Fψ
:=
>Uψ
,
Gψ
:=
¬F¬ψ
and
Aψ
:=
¬E¬ψ
. The size
|ϕ|
of a formula
ϕ
is defined inductively as usual, but the following
case: |∃op. ϕ|:= 1 + |o|+|ϕ|. We also classically define the syntactic fragment QCTLi:
IDefinition 9. The syntax of QCTLiis defined by the following grammar:
ϕ:= p| ¬ϕ|ϕϕ| ∃op. ψ |EXϕ|AXϕ|EϕUϕ|AϕUϕ
where p∈ AP and oNis an observation.
3.2.1 Structure semantics
In the case of structure semantics, uniformity is defined as follows:
IDefinition 10.
Let
S
= (
S, R, `
)be a CKS,
p∈ AP
and
oN
.
S
is
o
-uniform in
p
if for
every pair of states s, s0Ssuch that sos0, it holds that p`(s)if and only if p`(s0).
We enrich the satisfaction relation
|
=
s
with the following inductive case, where (
S, s
)is a
pointed CKS:
S, s |=sop. ϕ if there exists S0pSsuch that S0is o-uniform in pand S0, s |=sϕ
Observe that {1,...,n}p. ϕ is equivalent to the QCTLformula p. ϕ.
R. Berthon, B. Maubert and A. Murano 7
3.2.2 Tree semantics
As observed in the introduction, propositional quantifiers can be seen as having perfect recall
in the tree semantics and no memory in the structure semantics. The following definition for
indistinguishability on trees, which differs from that for CKS, reflects this difference.
IDefinition 11.
Let
t
= (
τ, `
)be a labelled
XI
-tree,
p∈ AP
an atomic proposition and
oN
an observation. Two nodes
u
=
u0. . . ui
and
u0
=
u0
0. . . u0
j
of
τ
are
o
-indistinguishable,
written
uou0
, if
i
=
j
and for all
k∈ {
0
, . . . , i}
we have
ukou0
k
. Tree
t
is
o
-uniform in
p
if for every pair of nodes u, u0τsuch that uou0, we have p`(u)iff p`(u0).
The tree semantics for
QCTL
i
is defined on labelled
Xn
-trees, and it is obtained by
enriching |=tas follows:
t, u |=top. ϕ if there exists t0ptsuch that t0is o-uniform in pand t0, u |=tϕ.
Consider the following CTL formula: border(p) := AFpAG(pAXAG¬p).
This formula holds in a labelled tree if and only if each path contains exactly one
node labelled with
p
. Therefore, evaluating the
QCTLi
formula
p. border
(
p
)amounts to
choosing a level of the tree where to place one horizontal line of p’s.
4 Expressiveness
In this section we study the expressive power of our logics. We first observe that for both
semantics,
QCTL
i
and
QCTLi
are equally expressive. We then prove that with structure
semantics
QCTLi
is expressively equivalent to QCTL, and thus also to MSO. Finally we show
that under tree semantics
QCTL
i
is expressively equivalent to MSO with equal level predicate.
Note that Theorem 13, Corollary 14 and Theorem 15 below only hold if the logics can talk
about the local states. For this reason, in this section we assume a set of dedicated atomic
propositions
APl
=
Si[n]SlLi{pl} ⊂ AP
such that for every CKS
S
= (
S, R, `
), for each
i[n]and lLi, for each state s= (l1, . . . , ln)S, we have pl`(s)iff li=l.
4.1 QCTL
i,QCTLiand QCTL
We first remark that for the same reason why
QCTL
is no more expressive than QCTL, also
QCTL
i
and
QCTLi
are equally expressive (the proof of [
29
, Proposition 3.8] readily applies):
ITheorem 12. Under both semantics, QCTL
iand QCTLiare expressively equivalent.
We now prove that for the structure semantics,
QCTLi
is no more expressive than QCTL,
and thus has the same expressivity as MSO.
ITheorem 13. Under structure semantics, QCTLiand QCTL are expressively equivalent.
Proof.
It is quite clear that
QCTLi
subsumes QCTL. Observe however that the quantifier on
propositions from QCTL can be translated using the quantifier
[n]
only because we have
fixed the dimension of our models. If we allowed for models with arbitrary dimension we
would have to add the classic quantifier in the syntax of QCTLifor it to capture QCTL.
For the other direction, we define a translation
e
from
QCTLi
to QCTL. We only provide
the inductive case for the quantification on propositions, the others being trivial.
^
op. ϕ := p.
^
(l1,...,lk)Xo[n]
AG(
k
^
i=1
plip)AG(
k
^
i=1
pli→ ¬p)
eϕ.
8 Quantified CTL with imperfect information
Observe that checking uniformity of
p
in the reachable part of the model is sufficient, as the
labelling of unreachable states is indifferent. It can be proven easily that for every CKS
S
,
state s∈ S and formula ϕQCTLi, it holds that S, s |=sϕiff S, s |=seϕ.J
IRemark. One can check that |eϕ|=O(nmn|ϕ|), where m= maxi[n]|Li|.
4.2 QCTLiand MSO with equal level
We briefly recall the definition
MSOeq
(see, e.g., [
14
,
46
] for more detail). In the following,
Var1
=
{x, y, . . .}
(resp.
Var2
=
{X, Y, . . .}
) is a countably-infinite set of first-order (resp.
second-order) variables. We also use a predicate Ppfor each atomic proposition p∈ AP.
The syntax of MSO with equal level relation, or
MSOeq
, is given by the following grammar:
ϕ::= Pp(x)|x=y|S(x, y)|xX|eq(x, y)| ¬ϕ|ϕϕ| ∃x.ϕ | ∃X
where p∈ AP,x, y Var1and XVar2.
The syntax of MSO is obtained by removing the
eq
(
x, y
)production rule. We write
ϕ
(
x1, . . . , xi, X1, . . . , Xj
)to indicate that variables
x1, . . . , xi
and
X1, . . . , Xj
may appear
free in
ϕ
. Without loss of generality we assume that a variable cannot appear both free
and quantified in a formula. We use the standard semantics of MSO, the successor relation
symbol
S
being interpreted by the transition relation on Kripke structures, and by the
child relation on trees. The semantics for
MSOeq
is only defined on trees, and
eq
(
x, y
)
holds if the nodes denoted by
x
and
y
are at the same depth in the tree. We write
M, s1, . . . , si, S1, . . . , Sj|
=
ϕ
(
x1, . . . , xi, X1, . . . , Xj
)when
ϕ
holds in model
M
when
xk
(resp. Xk) is interpreted as sk(resp. Sk) for k[i](resp. k[j]).
Since we aim at comparing the expressivity of MSO (with equal level predicate in the
case of tree semantics) with that of the modal logic QCTLi, we will consider MSO formulas
of the form
ϕ
(
x
), where
x
is a free variable representing the point of evaluation in the model.
First, we have seen that under the structure semantics
QCTLi
has the same expressivity
as QCTL. Since QCTL has the same expressivity as MSO (evaluated on reachable parts of
the structures) [29], we obtain the following corollary of Theorem 13:
ICorollary 14. Under structure semantics, MSO and QCTLiare equally expressive.
We now turn to the case of the tree semantics. The constraint put on the tree semantics
for the proposition quantifier involves testing length equality for arbitrarily long paths or, in
terms of trees, comparing the depths of arbitrarily deep nodes. It is thus not a surprise that
QCTLi
with tree semantics is more expressive than MSO on trees. It also seems natural that
extending MSO with the equal level predicate allows to capture this constraint on proposition
quantification, and thus that
MSOeq
is as expressive as
QCTLi
with tree semantics. We
establish with the following theorem that in fact the other direction also holds.
ITheorem 15. Under tree semantics, MSOeq and QCTLiare equally expressive.
Proof.
We first show how to express in
MSOeq
that two nodes in the unfolding of a CKS
are
o
-indistinguishable (see Definition 11). Let
o
be an observation. We define the
MSOeq
formula ϕo(x, y)as follows:
ϕo(x, y) := eq(x, y)x0.y0.
x04xy04yeq(x0, y0)^
io[n]^
lLi
Ppl(x0)Ppl(y0)
where x04xis an MSO formula expressing that there is a path from x0to x.
R. Berthon, B. Maubert and A. Murano 9
Clearly, for every CKS Sand nodes u, u0in its unfolding tS,s from some state s,
tS,s, u, u0|=ϕo(x, y)iff uou0.
It is then easy to see that
QCTLi
with tree semantics can be translated into
MSOeq
: the trans-
lation for CTL is standard, and propositional quantification with imperfect information can be
expressed using second order quantification and the above formula for
o
-indistinguishability.
For the other direction, we build upon the following translation from MSO to QCTL,
presented in [29]. For ϕ(x, x1, . . . , xi, X1, . . . , Xj)MSO, we inductively define bϕas:
\
Pp(x) = p\
Pp(xk) = EF(pxkp)
\x=xk=pxk\xk=xl=EF(pxkpxl)
\
xXk=pXk
\
xkXk=EF(pxkpXk)
d
¬ϕ0=¬b
ϕ0\
ϕ1ϕ2=cϕ1cϕ2
\
xk0=pxk.uniq(pxk)b
ϕ0\
Xk0=pXk.b
ϕ0
\
S(x, xk) = EXpxk
\
S(xk, x) =
\
S(xk, xl) = EF(pxkEXpxl)
where
uniq
(
p
) :=
EFp∧ ∀q. (EF(pq)AG(pq))
holds in a tree iff it has exactly
one node labelled with
p
. Observe that
x
being interpreted as the root of a tree it has no
incoming edge, hence the translation of S(xk, x).
We extend this translation into one from
MSOeq
to
QCTLi
by adding the following rules:
\
eq(x, xk) = pxk
\
eq(xk, xl) = p. border(p)AG(pxkppxlp)
Observe that
x
being interpreted as the root,
xk
is on the same level as
x
if and only if it is
also assigned the root. Concerning the second case, recall from Section 3.2.2 that the
QCTLi
formula
p. border
(
p
)places in the tree one unique horizontal line of
p
’s. Requiring that
xk
and
xl
be both on this line thus ensures that they are on the same level. It is then easy
to prove by induction the following lemma:
ILemma 16.
For every
ϕ
(
x, x1, . . . , xi, X1, . . . , Xj
)
MSOeq
and every pointed CKS (
S, s
),
tS,s, s, u1, . . . , ui, U1, . . . , Uj|=ϕ(x, x1, . . . , xi, X1, . . . , Xj)iff t0
S(s), s |=tbϕ
where
t0
S,s
is obtained from
tS,s
by changing the labelling for variables
pxk
and
pXk
as follows:
pxk`0(u)if u=ukand pXk`0(u)if uUk.
In particular, it follows that tS,s, s |=ϕ(x)iff tS,s, s |=bϕ.J
I
Remark. The two-way translation between
QCTLi
and
MSOeq
shows that when local states
are identified by atomic propositions, there is a normal form for
QCTLi
formulas involving
only blind and perfect-information quantifiers.
5 Model checking QCTLi
We now study the model-checking problem for
QCTL
i
, both for structure and tree semantics.
In other terms, we study the problem of deciding, given a finite CKS
S
, a state
s∈ S
and a
QCTL
iformula ϕ, whether it holds that S, s |=sϕ(or S, s |=tϕfor the tree semantics).
10 Quantified CTL with imperfect information
5.1 Structure semantics
We first prove that under structure semantics, similarly to
QCTL
and QCTL, the model-
checking problem is Pspace-complete for both
QCTLi
and
QCTL
i
. Observe that if
n
is fixed
the translation from
QCTLi
to QCTL from Theorem 13 suffices to obtain the upper bound.
But this translation, being exponential in
n
(see Remark 4.1), is not enough if
n
is not fixed;
we provide an algorithm to show that the result holds even if nis part of the input.
ITheorem 17. Under structure semantics, model checking QCTL
iis Pspace-complete.
Proof.
Hardness follows from the Pspace-hardness of model checking QCTL [
29
]. For the
upper bound, we modify the algorithm described in [
29
, Theorem 4.2]. The main difference
is that when we guess a labelling for
p
on a CKS
S
, we need to check that this labelling
is uniform. With structure semantics this can be done in deterministic time
O
(
|S|2·n
):
look at every pair of states, and check that if they are observationally equivalent (tested by
comparing at most npairs of local states) then they agree on p.
We prove that the model-checking problem for
QCTL
i
is in Pspace by induction on the
nesting depth
k
of propositional quantification in input formulas. If
k
= 0,i.e., the input
formula is a
CTL
formula, call a
CTL
model-checking algorithm running in polynomial
space. For nesting depth
k
+ 1, the input formula
ϕ
is of the form
ϕ
= Φ[
qi7→ ∃oipi. ϕi
],
where Φis a
CTL
formula and for each
i
,
qi
is a fresh atomic proposition,
oi
is an observation
and
ϕi
a
QCTL
i
formula of nesting depth at most
k
. For each
i
, guess in linear time a
labelling for
pi
, check in quadratic time that it is uniform, evaluate formula
ϕi
in each
state with this labelling, and mark states where it holds with
qi
. By induction hypothesis,
evaluating
ϕi
can be done in polynomial space. It just remains to evaluate the
CTL
formula
Φin polynomial space. The overall procedure thus runs in nondeterministic polynomial
space, and because NPspace =Pspace, the problem is in Pspace.J
5.2 Tree semantics
We turn to the case of tree semantics. The first undecidability result comes at no surprise
since
QCTLi
can express the existence of winning strategies in imperfect-information games.
ITheorem 18.
Under tree semantics, the model-checking problem for
QCTLi
is undecidable.
Proof.
The
MSOeq
theory of the binary tree is undecidable [
30
], and with Lemma 16 we
obtain a reduction to the model-checking problem for QCTLi.J
5.2.1 Alternating tree automata
We briefly recall the notion of alternating (parity) tree automata. For a set
Z
,
B+
(
Z
)is
the set of formulas built with elements of
Z
as atomic propositions, using only connectives
and
, and with
>,⊥∈ B+
(
Z
). An alternating tree automaton (ATA) on (
AP, X
)-trees
is a structure
A
= (
Q, δ, qι, C
)where
Q
is a finite set of states,
qιQ
is an initial state,
δ
:
Q×
2
AP B+
(
X×Q
)is a transition function, and
C
:
QN
is a colouring function.
To ease reading we shall write atoms in transition formulas between brackets, such as [
x, q
].
Anondeterministic tree automaton (NTA) on (
AP, X
)-trees is an ATA
A
= (
Q, δ, qι, C
)such
that for every
qQ
and
a
2
AP
, if
δ
(
q, a
)is written in disjunctive normal form, then for
every direction
xX
, each disjunct contains exactly one element of
{x} × Q
. The size of an
ATA is its number of states and its index is its number of different colours.
Because we work with trees that are not necessarily complete as they represent unfoldings
of Kripke structures, we find it convenient to assume that the state set is partitioned between
R. Berthon, B. Maubert and A. Murano 11
Q>
and
Q
: when sent in a direction where there is no node in the input tree, states in
Q>
accept immediately while states in Qreject immediately2.
We also recall the definition of acceptance by ATA via games between Eve and Adam.
Let
A
= (
Q, δ, qι, C
)be an ATA over (
AP, X
)-trees, let
t
= (
τ, `
)be such a tree and
let
uιτ
. We define the parity game
G
(
A, t, uι
)=(
V, E , vι, C0
): the set of positions is
V
=
τ×Q×B+
(
X×Q
), the initial position is
vι
= (
uι, qι, δ
(
qι, uι
)), and a position (
u, q, α
)
belongs to Eve if
α
is of the form
α1α2
or [
x, q0
]; otherwise it belongs to Adam. Moves in
G(A, t, uι)are defined by the following rules:
(u, q, α1α2)(u, q, αi)where † ∈ {∨,∧} and i∈ {1,2},
(u, q, [x, q0])
(u·x, q0, δ(q0, `(u·x))) if u·xt
(u, q, >)if u·x /tand qQ>
(u, q, )if u·x /tand qQ
Positions of the form (
u, q, >
)and (
u, q,
)are deadlocks, winning for Eve and Adam
respectively. The colouring is inherited from the one of the automaton: C0(u, q, α) = C(q).
A tree
t
is accepted from node
u
by
A
if Eve has a winning strategy in
G
(
A, t, u
), and we
let L(A)be the set of trees accepted by Afrom their root.
We recall three classic results on tree automata. The first one is that nondeterministic tree
automata are closed under projection, and was established by Rabin to deal with second-order
monadic quantification:
ITheorem 19
(Projection [
43
])
.
Given an NTA
N
and an atomic proposition
p∈ AP
, one
can build an NTA N ⇓pof same size and index such that L(N ⇓p) = L(N)p.
Because it will be important to understand the automata construction for our decision
procedure in Section 5.2.2, we briefly recall that the projected automaton
N ⇓p
is simply
automaton
N
with the only difference that when it reads the label of a node, it can
choose whether
p
is there or not: if
δ
is the transition function of
N
, that of
N ⇓p
is
δ0
(
q, a
) =
δ
(
q, a ∪ {p}
)
δ
(
q, a \ {p}
), for any state
q
and label
a
2
AP
. Another way of
seeing it is that
N ⇓p
first guesses a
p
-labelling for the input tree, and then simulates
N
on this modified input. To prevent
N ⇓p
from guessing different labels for a same node in
different executions, it is crucial that
N
be nondeterministic, reason why we need the next
classic result: the crucial simulation theorem, due to Muller and Schupp.
ITheorem 20
(Simulation [
37
])
.
Given an ATA
A
, one can build an NTA
N
of exponential
size and linear index such that L(N) = L(A).
The last one was established by Kupferman and Vardi to deal with imperfect information
aspects in distributed synthesis. The rough idea is that, if one just observes
X
, uniform
p
-labellings on
X×Y
-trees can be obtained by choosing the labellings directly on
X
-trees,
and then lifting them to X×Y.
ITheorem 21
(Narrowing [
27
])
.
Given an ATA
A
on
X×Y
-trees, one can build an ATA
AXon X-trees of same size such that for al l yY,t∈ L(A X)iff tX×Y
y∈ L(A).
In fact the result in [
27
] is stated for
t
(and thus also
tX×Y
) a complete tree, but the
proof transfers straightforwadly to this slightly more general result.
2
Note that we could also work only with complete trees, with a special symbol labelling missing nodes.
12 Quantified CTL with imperfect information
5.2.2 A decidable fragment: hierarchy on observations
We turn to our main result, which is the identification of an important decidable fragment.
IDefinition 22.
A
QCTL
i
formula
ϕ
is hierarchical if for all subformulas
ϕ1, ϕ2
of the form
ϕ1=o1p1. ϕ0
1and ϕ2=o2p2. ϕ0
2where ϕ2is a subformula of ϕ0
1, we have o1o2.
In other words, a formula is hierarchical if innermost propositional quantifiers observe at
least as much as outermost ones. We let
QCTL
i,
be the set of hierarchical
QCTL
i
formulas.
ITheorem 23.
Under tree semantics, model checking
QCTL
i,
is non-elementary decidable.
In order to prove this we establish Lemma 25 below, but we first introduce a few more
notations. For every
ϕQCTL
i
, we let
Iϕ
:=
ToOo
, where
O
is the set of observations that
occur in
ϕ
, with the intersection over the empty set defined as [
n
]. We also let
Xϕ
:=
XIϕ
(recall that for I[n],XI=ŚiILi). We will need a final important definition.
IDefinition 24
(Merge)
.
Let
t
= (
τ, `
)be an (
AP, X
)-tree and
t0
= (
τ0, `0
)an (
AP 0, X
)-tree.
We define the merge of
t
and
t0
as the (
AP AP 0
)-labelled
X
-tree
t!t0
:= (
ττ0, `00
), where
`00(u) = `(u)`0(u).
We explain the idea behind this definition. In our decision procedure, quantification on
atomic propositions is performed by means of automata projection (see Theorem 19). But in
order to obtain uniform labellings for these propositions, we need to first narrow down our
automata and our trees (see Theorem 21), and in this process we lose information on the
labelling of atomic propositions in the CKS
S
on which we evaluate the formula. To address
this problem, first we assume without loss of generality that propositions that are quantified
upon in Φdo not appear free in Φ. We can then partition propositions in Φbetween those
that are quantified upon,
AP
, and those that appear free,
APf
. We use the input tree
of the automaton we build to carry the labelling for
AP
, and in the end the input tree is
merged with the unfolding of Sthat carries the labelling to evaluate propositions in APf.
ILemma 25.
Let Φ
QCTL
i,
with
AP
and
APf
defined as above, and let
S
be a finite
CKS over
APf
. For every subformula
ϕ
of Φand state
s
of
S
, one can build an ATA
Aϕ
s
on
(AP , Xϕ)-trees such that for every (AP , Xϕ)-tree trooted in sXϕ,
t∈ L(Aϕ
s)iff t[n]
y!tS,s |=tϕ, where y=s[n]\Iϕ.
For an XI-tree t, from now on t[n]!tS,s stands for t[n]
y!tS,s, where y=s[n]\I.
Proof.
Let Φ
QCTL
i,
, and let
AP
(resp.
APf
) be the set of atomic propositions that
are quantified upon (resp. that appear free) in Φ. Modulo renaming of atomic propositions,
we can assume without loss of generality that
AP
and
APf
are disjoint. Let
S
= (
S, R, `S
)
be a finite CKS over
APf
. For each state
sS
and each subformula
ϕ
of Φ(note that
all subformulas of Φare also hierarchical), we define by induction on
ϕ
the ATA
Aϕ
s
. The
definition builds upon the classic construction for CTLfrom [28].
ϕ=p:
We let
Ap
s
be the ATA over
X[n]
-trees with one unique state
qι
, with transition
function defined as follows:
δ(qι, a) = (>if (pAPfand p`S(s)) or (pAP and pa)
if (pAPfand p /`S(s)) or (pAP and p /a)
R. Berthon, B. Maubert and A. Murano 13
The idea is that since we know the state
sS
in which we want to evaluate the formula,
we can read the labelling for atomic propositions in
APf
(those that are not quantified
upon) directly from
s
. However, for propositions in
AP
, we need to read them from
the input tree. Indeed, if
pAP
it means that
p
is quantified upon in Φ: there is a
subformula
op. ϕ
of Φsuch that
p
is a subformula of
ϕ
. The automaton
Aop. ϕ
s
will be
built by narrowing, nondeterminising and projecting
Aϕ
s
on
p
. On a given input tree
t
,
Aop. ϕ
s
will thus guess a labelling for
p
in each node of
t
and simulate (the nondeterminised
narrowing of)
Aϕ
s
on this modified input.
Aϕ
s
must therefore read the labelling for
p
from
its input tree.
ϕ=¬ϕ0:We obtain Aϕ
sby dualising Aϕ0
s, which is a classic operation on ATAs.
ϕ=ϕ1ϕ2:
Because
Iϕ
=
Iϕ1Iϕ2
, and each
Aϕi
s
works on
Xϕi
-trees, we need to narrow
them so that they work on Xϕ-trees: for i∈ {1,2}, we let Ai:= Aϕi
sIϕ.
We then build
Aϕ
s
by taking the disjoint union of
A1
and
A2
and adding a new initial
state that nondeterministically chooses which of
A1
or
A2
to execute on the input tree,
so that L(Aϕ
s) = L(A1)∪ L(A2).
ϕ= Eψ:
The aim is to build an automaton
Aϕ
s
that works on
Xϕ
-trees and that on input
t
, checks for the existence of a path in
t[n]!tS,s
that satisfies
ψ
. To do so,
Aϕ
s
guesses
a path λin (S, s). It remembers the current state in S, which provides the labelling for
atomic propositions in APf, and while it guesses λit follows its projection on Xϕin its
input tree t, reading the labels to evaluate propositions in AP .
Let
max
(
ψ
) =
{ϕ1, . . . , ϕn}
be the set of maximal state sub-formulas of
ψ
. In a first step
we see these maximal state sub-formulas as atomic propositions. Formula
ψ
can thus be
seen as an LTL formula, and we can build a nondeterministic parity word automaton
Wψ
= (
Qψ,
ψ, qψ
ι, Cψ
)over alphabet 2
max(ψ)
that accepts exactly the models of
ψ
. We
define the ATA
A
that, given as input a (
max
(
ψ
)
, Xϕ
)-tree
t
, nondeterministically guesses
a path
λ
in
t[n]!tS,s
and simulates
Wψ
on it, assuming that the labels it reads while
following
λXϕ
in its input correctly represent the truth value of formulas in
max
(
ψ
)
along λ. Recall that S= (S, R, `S); we define A:= (Q, δ, qι, C), where
Q=Qψ×S,
qι= (qψ
ι, s),
C(qψ, s0) = Cψ(qψ), and
for each (qψ, s0)Qand a2max(ψ),
δ((qψ, s0), a) = _
q0ψ(qψ,a)_
s00R(s0)
[s00 Xϕ,(q0, s00)].
The intuition is that
A
reads the current label, chooses nondeterministically which
transition to take in
Wψ
, chooses a next state in
S
and proceeds in the corresponding
direction in Xϕ. To ensure3that the path it guesses is not only in tS,s but also in t[n],
it is enough to make sure that it always tries to stay inside its input tree
t
, which is
achieved by letting
Q>
=
and
Q
=
Q
. Thus,
A
accepts exactly the
max
(
ϕ
)-labelled
Xϕ
-trees
t
in which there exists a path that corresponds to some path in
t[n]!tS,s
that satisfies ψ, where maximal state formulas are considered as atomic propositions.
Now from
A
we build the automaton
Aϕ
s
over
Xϕ
-trees labelled with real atomic proposi-
tions in
AP
. In each node it visits, this automaton guesses what should be its labelling
over
max
(
ψ
), it simulates
A
accordingly, and checks that the guesses it makes are correct.
3
Actually this is not very important since the tree
t
on which our automata will work will always be
such that the domain of t[n]contains the domain of tS,s.
14 Quantified CTL with imperfect information
If the path being guessed in
t[n]!tS,s
is currently in node
u
ending with state
s0
, and
Aϕ
s
guesses that
ϕi
holds in
u
, it checks this guess by starting a simulation of automaton
Aϕi
s0from node v=uXϕin its input t.
For each
s0∈ S
and each
ϕimax
(
ψ
)we first build
Aϕi
s0
, and we let
Ai
s0
=
Aϕi
s0
=
(
Qi
s0, δi
s0, qi
s0, Ci
s0
). We also let
Ai
s0
= (
Qi
s0, δi
s0, qi
s0, Ci
s0
)be its dualisation, and we assume
w.l.o.g. that all the state sets are pairwise disjoint. Observe that because each
ϕi
is a
maximal state sub-formula, we have
Iϕi
=
Iϕ
, so that we do not need to narrow down
automata
Ai
s0
and
Ai
s0
. We define the ATA
Aϕ
s
= (
QSi,s0Qi
s0Qi
s0, δ0, qι, C 0
), where
the colours of states are left as they were in their original automaton, and
δ
is defined as
follows. For states in
Qi
s0
(resp.
Qi
s0
),
δ
agrees with
δi
s0
(resp.
δi
s0
), and for (
qψ, s0
)
Q
and a2AP we let
δ0((qψ, s0), a) = _
a02max(ψ)
δ(qψ, s0), a0^
ϕia0
δi
s0(qi
s0, a)^
ϕi/a0
δi
s0(qi
s0, a)
.
ϕ=op. ϕ0:
We build automaton
Aϕ0
s
that works on
Xϕ0
-trees; because
ϕ
is hierarchical,
we have that
oIϕ0
and we can narrow down
Aϕ0
s
to work on
Xo
-trees and obtain
A1
:=
Aϕ0
sXo
. By Theorem 20 we can nondeterminise it to get
A2
, which by Theorem 19
we can project with respect to p, finally obtaining Aϕ
s:= A2p.
We now prove by induction on
ϕ
that the construction is correct. In each case, we let
t= (τ, `)be an (AP , Xϕ)-tree rooted in sXϕ.
ϕ=p:
First, note that
Ip
= [
n
], so that
t
is rooted in
sXp
=
s
. Let us consider first the
case where
pAPf
. By definition of
Ap
s
, we have that
t∈ L
(
Ap
s
)iff
p`S
(
s
). On the
other hand, by definition of the merge operation, of the unfolding, and because
AP
and
APf
are disjoint, we have
t[n]!tS,s |
=
p
iff
p`S
(
s
), and we are done. Now if
pAP
: by definition of
Ap
s
, we have
t∈ L
(
Ap
s
)iff
p`
(
s
); also, by definition of the
merge, we have that t[n]!tS,s |=piff p`(s), which concludes.
ϕ=¬ϕ0:trivial.
ϕ=ϕ1ϕ2:
We have
Ai
=
Aϕi
sXϕ
, so by Theorem 21 we get that
t∈ L
(
Ai
)iff
tXϕi∈ L
(
Aϕi
s
), which by induction hypothesis holds iff (
tXϕi
)
[n]!tS,s |
=
tϕi
,i.e., iff
t[n]!tS,s |=tϕi. We conclude by reminding that L(Aϕ
s) = L(A1)∪ L(A2).
ϕ= Eψ:Suppose that t0=t[n]!tS,s |=tEψ. There exists a path λstarting at the root
s
of
t0
such that
t0, λ |
=
ψ
. Again, let
max
(
ψ
)be the set of maximal state subformulas of
ϕ
, and let
w
be the infinite word over 2
max(ψ)
that agrees with n
λ
on the state formulas
in
max
(
ψ
). By definition,
Wψ
has an accepting execution on
w
. Now in the acceptance
game of
Aϕ
s
on
t
, Eve can guess the path
λ
, following
λXϕ
in its input
t
, and she can
also guess the corresponding word
w
on 2
max(ψ)
and an accepting execution of
Wψ
on
w
.
Let
u0t0
be a node of
λ
,
s0
its last direction and let
u
=
u0Xϕt
. Assume that in node
u
of the input tree, in a state (
qψ, s0
)
Q
, Adam challenges Eve on some
ϕimax
(
ψ
)
that she assumes to be true in
u0
,i.e., Adam chooses the conjunct
δi
s0
(
qi
s0, a
), where
a
is
the label of
u
. Note that in the evaluation game this means that Adam moves to position
(u, (qψ, s0), δi
s0(qi
s0, a)). We want to show that Eve wins from this position.
Let
tu
(resp.
t0
u0
) be the subtree of
t
(resp.
t0
) starting in
u
(resp.
u0
)
4
. It is enough to
show that
tu
is accepted by
Ai
s0
=
Aϕi
s0
. Observe that
tu
is rooted in the last direction
4
If
u
=
w·x
, a subtree
tu
of
t
= (
τ, `
)is defined as
tu
:= (
τu, `u
)with
τu
=
{x·w0|w·x·w0τ}
, and
`u(x·w0) = `(w·x·w0): we remove from each node all directions before last(u).
R. Berthon, B. Maubert and A. Murano 15
of
u
=
u0Xϕ
, and since the last direction of
u0
is
s0
we have that
tu
is rooted in
s0Xϕ
.
Since
Iϕ
=
Iϕi
we have that
tu
is rooted in
s0Xϕi
. We can thus apply the induction
hypothesis on tuwith ϕi, and we get that
tu∈ L(Aϕi
s0)iff tu[n]!tS,s0|=tϕi.(1)
Now, because u0ends in s0we also have that
t0
u0=tu[n]!tS,s0.(2)
Putting
(1)
and
(2)
together, we obtain that
tu∈ L
(
Ai
s0
)iff
t0
u0|
=
tϕi
. And because we
have assumed that Eve guesses
w
correctly, we have that
t0, u0|
=
tϕi
,i.e.,
t0
u0|
=
tϕi
, and
we get that tuis accepted by Ai
s0.
Eve thus has a winning strategy from the initial position of the acceptance game of
Ai
s0
on
tu
. This initial position is (
u, qi
s0, δi
s0
(
qi
s0, a
)). Since (
u, qi
s0, δi
s0
(
qi
s0, a
)) and (
u, q, δi
s0
(
qi
s0, a
))
contain the same node
u
and transition formula
δi
s0
(
qi
s0, a
), a winning strategy in one of
these positions
5
is also a winning strategy in the other, and therefore Eve wins Adam’s
challenge. With a similar argument, we get that also when Adam challenges Eve on
some
ϕi
assumed not to be true in node
v
, Eve wins the challenge. Finally, Eve wins the
acceptance game of Aϕ
son t, and thus t∈ L(Aϕ
s).
For the other direction, assume that
t∈ L
(
Aϕ
s
),i.e., Eve wins the evaluation game of
Aϕ
s
on
t
. Again, let
t0
=
t[n]!tS,s
. A winning strategy for Eve describes a path
λ
that is
both in
tS,s
and in
t[n]
(recall that we have forbidden Eve to leave the input tree by
letting
Q>
=
and
Q
=
Q
), so that
λ
is a path in
t0
. This winning strategy also defines
an infinite word
w
over 2
max(ψ)
such that
w
agrees with
λ
on the formulas in
max
(
ψ
),
and it also describes an accepting run of Wψon w. Hence t0, λ |=tψ, and t0|=tϕ.
ϕ=op. ϕ0:
First, observe that because
ϕ
is hierarchical, we have that
Iϕ
=
o
. Next, by
Theorem 19 we have that
t∈ L(Aϕ
s)iff there exists tpptsuch that tp∈ L(A2).(3)
By Theorem 20,
L
(
A2
) =
L
(
A1
), and since
A1
=
Aϕ0
sXo
=
Aϕ0
sXϕ
we get by Theorem 21
that
tp∈ L(A2)iff tpXϕ0
y∈ L(Aϕ0
s),where y=s(Iϕ0\Iϕ). (4)
Now
tp
and
t
have the same root,
sXϕ
. The root of
tpXϕ0
y
is thus (
sXϕ, y
) =
sXϕ0
,
and we can apply the induction hypothesis on tpXϕ0
ywith ϕ0:
tpXϕ0
y∈ L(Aϕ0
s)iff tpXϕ0
y[n]!tS,s |=tϕ0.(5)
Now, with (3), (4) and (5) together with the fact that tpXϕ0
y[n]=tp[n], we get that
t∈ L(Aϕ
s)iff there exists tpptsuch that tp[n]!tS,s |=tϕ0.(6)
Let us prove that the right-hand side of
(6)
holds if and only if
t[n]!tS,s |
=
top. ϕ0
.
For the first direction, assume that there exists
tpptsuch that tp[n]!tS,s |
=
tϕ0
.
First, by definition of the merge, because
pAP
and
AP
and
APf
are disjoint, the
5Recall that positional strategies are sufficient in parity games [49].
16 Quantified CTL with imperfect information
p
-labelling of
tp[n]!tS,s
is determined by the
p
-labelling of
tp[n]
, which by definition
of the lift is
o
-uniform. In addition it is clear that
tp[n]!tS,s pt[n]!tS,s
, which
concludes this direction.
For the other direction, assume that
t[n]!tS,s |
=
top. ϕ0
: there exists
t0
ppt[n]!tS,s
such that
t0
p
is
o
-uniform in
p
and
t0
p|
=
tϕ0
. Let us write
t0
p
= (
τ0, `0
p
)and
t
= (
τ, `
). We
define
tp
:= (
τ, `p
)where for each
uτ
, if there exists
u0τ0
such that
u0o
=
u
, we let
`p(u) = (`(u)∪ {p}if p`0
p(u0)
`(u)\ {p}otherwise.
This is well defined because
t0
p
is
o
-uniform in
p
: if two nodes
u0, v0
project on
u
, we
have
u0ov0
and thus they agree on
p
. In case there is no
u0τ0
such that
u0Xϕ
=
u
,
we can let
`p
(
u
) =
`
(
u
)as this node disappears in
t[n]!tS,s
. Clearly,
tppt
. Now
we write
t00
p
=
tp[n]!tS,s
and we prove that
t00
p
=
t0
p
hence
t00
p|
=
tϕ0
, which concludes.
It is clear that
t00
p
and
t0
p
have the same domain. Also, because
t0
ppt[n]!tS,s
and
t00
p
=
tp[n]!tS,s
, by definition of the merge both agree with
tS,s
for all atomic
propositions in
APf
. Because
tppt
, and again by definition of the merge,
t00
p
and
t0
p
also
agree on all atomic propositions in
AP \ {p}
. Finally, by definition of
tp
and because
t0
p
is o-uniform in p, we get that t00
pand t0
palso agree on p, and therefore t00
p=t0
p.J
We can now prove Theorem 23. Let (
S, s
)be a pointed CKS, and let
ϕQCTL
i,
. By
Lemma 25 one can build an ATA
Aϕ
s
such that for every labelled
Xϕ
-tree
t
rooted in
sXϕ
,
it holds that
t∈ L
(
Aϕ
s
)
iff t[n]!tS,s |
=
tϕ
. Let
τ
be the full
Xϕ
-tree rooted in
sXϕ
, and
let
t
= (
τ, `
), where
`
is the empty labelling. Clearly,
t[n]!tS,s
=
tS,s
, and because
t
is rooted in
sXϕ
, we have
t∈ L
(
Aϕ
s
)
iff tS,s |
=
tϕ
. It only remains to build a simple
deterministic tree automaton
A
over
Xϕ
-trees such that
L
(
A
) =
{t}
, and check for emptiness
of the alternating tree automaton
L
(
A∩Aϕ
s
). Because nondeterminisation makes the size of
the automaton gain one exponential for each nested quantifier on propositions, the procedure
is nonelementary, and hardness is inherited from the model-checking problem for QCTL [
29
].
6 Conclusion and future work
We have introduced the essence of imperfect information in
QCTL
, by adding internal struc-
ture to states of the models and parameterising propositional quantifiers with observational
power over this internal structure. We considered both the structure and tree semantics,
intimately related to the notions of no memory and perfect recall in game strategies, respect-
ively. For the structure semantics we showed that our logic coincides with QCTL in expressive
power, and thus also with MSO, and that the model-checking problem is Pspace-complete, as
for QCTL. For the tree semantics however we showed that our logic is expressively equivalent
to MSO with equal level, and that its model-checking problem is thus undecidable. But we
established, thanks to automata techniques made possible by our modelling choices, that
model checking hierarchical formulas is decidable.
Several future work directions await us. First it would be interesting to study
QCTLi
under the amorphous semantics, studied by French for QCTL in [
16
]. We would also like to
investigate fragments with better complexity, as well as the satisfiability problem for
QCTLi
.
Then we believe that there may be interesting connections with Chain Logic with equal level,
a restriction of
MSOeq
that is decidable on trees. Does it correspond to another interesting
decidable fragment of
QCTL
i
? Finally, we aim at exploiting our last result in various logics
for strategic reasoning with imperfect information, such as ATL
sc and SL.
R. Berthon, B. Maubert and A. Murano 17
References
1E. A.Emerson and C.-L. Lei. Modalities for model checking: Branching time strikes back.
In PL’85, pages 84–96. ACM Press, 1985.
2T. Ågotnes, V. Goranko, and W. Jamroga. Alternating-Time Temporal Logics with Irre-
vocable Strategies. In TARK’07, pages 15–24, 2007.
3R. Alur, T.A. Henzinger, and O. Kupferman. Alternating-Time Temporal Logic. JACM,
49(5):672–713, 2002.
4Dietmar Berwanger, Anup Basil Mathew, and Marie van den Bogaard. Hierarchical inform-
ation patterns and distributed strategy synthesis. In Automated Technology for Verification
and Analysis - 13th International Symposium, ATVA 2015, Shanghai, China, October 12-
15, 2015, Proceedings, pages 378–393, 2015. doi:10.1007/978-3-319-24953-7\_28.
5T. Brihaye, A. Da Costa Lopes, F. Laroussinie, and N. Markey. ATL with Strategy Contexts
and Bounded Memory. In LFCS’09, LNCS 5407, pages 92–106. Springer, 2009.
6P. Čermák, A. Lomuscio, F. Mogavero, and A. Murano. MCMAS-SLK: A Model Checker
for the Verification of Strategy Logic Specifications. In CAV’14, LNCS 8559, pages 524–531.
Springer, 2014.
7K. Chatterjee, T.A. Henzinger, and N. Piterman. Strategy Logic. Information and Com-
putation, 208(6):677–693, 2010.
8E.M. Clarke and E.A. Emerson. Design and Synthesis of Synchronization Skeletons Using
Branching-Time Temporal Logic. In LP’81, LNCS 131, pages 52–71. Springer, 1981.
9E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 2002.
10 A. Da Costa, F. Laroussinie, and N. Markey. ATL with Strategy Contexts: Expressiveness
and Model Checking. In FSTTCS’10, LIPIcs 8, pages 120–132, 2010.
11 M. Dastani and W. Jamroga. Reasoning about strategies of multi-agent programs. In
AAMAS’10, pages 997–1004. IFAAMAS, 2010.
12 C. Dima and F. L. Tiplea. Model-checking ATL under imperfect information and perfect
recall semantics is undecidable. CoRR, abs/1102.4225, 2011.
13 C. Dima and F.L. Tiplea. Model-checking ATL under Imperfect Information and Perfect
Recall Semantics is Undecidable. Technical report, arXiv, 2011.
14 C. C. Elgot and M. O. Rabin. Decidability and undecidability of extensions of second
(first) order theory of (generalized) successor. J. Symb. Log., 31(2):169–181, 1966. URL:
http://dx.doi.org/10.2307/2269808,doi:10.2307/2269808.
15 E.A. Emerson and J.Y. Halpern. “Sometimes” and “Not Never” Revisited: On Branching
Versus Linear Time. JACM, 33(1):151–178, 1986.
16 Tim French. Decidability of quantifed propositional branching time logics. In Australian
Joint Conference on Artificial Intelligence, pages 165–176. Springer, 2001.
17 Joseph Y Halpern and Moshe Y Vardi. The complexity of reasoning about knowledge and
time. i. lower bounds. Journal of Computer and System Sciences, 38(1):195–237, 1989.
18 W. Jamroga, S. Mauw, and M. Melissen. Fairness in non-repudiation protocols. In Pro-
ceedings of STM’11, volume 7170 of LNCS, pages 122–139, 2012.
19 W. Jamroga and A. Murano. On Module Checking and Strategies. In AAMAS’14, pages
701–708. IFAAMAS, 2014.
20 S. Kremer and J.-F. Raskin. A game-based verification of non-repudiation and fair exchange
protocols. Journal of Computer Security, 11(3), 2003.
21 O. Kupermann and M.Y. Vardi. Synthesizing distributed systems. In Logic in Computer
Science, 2001. Proceedings. 16th Annual IEEE Symposium on, pages 389–398. IEEE, 2001.
22 O. Kupferman. Augmenting branching temporal logics with existential quantification over
atomic propositions. In CAV’95, LNCS 939, pages 325–338. Springer, 1995.
18 Quantified CTL with imperfect information
23 O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in
reactive environments: Control and synthesis. In CONCUR’00, LNCS 1877, pages 92–107.
Springer, 2000.
24 O. Kupferman and M. Y. Vardi. Module checking revisited. In CAV’97, volume 1254 of
LNCS, pages 36–47. Springer, 1997.
25 O. Kupferman, M.Y. Vardi, and P. Wolper. An Automata Theoretic Approach to
Branching-Time Model Checking. JACM, 47(2):312–360, 2000.
26 O. Kupferman, M.Y. Vardi, and P. Wolper. Module Checking. IC, 164(2):322–344, 2001.
27 Orna Kupferman and Moshe Y Vardi. Church’s problem revisited. Bul letin of Symbolic
Logic, pages 245–263, 1999.
28 Orna Kupferman, Moshe Y. Vardi, and Pierre Wolper. An automata-theoretic approach
to branching-time model checking. J. ACM, 47(2):312–360, 2000.
29 François Laroussinie and Nicolas Markey. Quantified CTL: expressiveness and complexity.
Logical Methods in Computer Science, 10(4), 2014. URL: http://dx.doi.org/10.2168/
LMCS-10(4:17)2014,doi:10.2168/LMCS-10(4:17)2014.
30 Hans Läuchli and Christian Savioz. Monadic second order definable relations on the binary
tree. The Journal of Symbolic Logic, 52(01):219–226, 1987.
31 A. Lomuscio and F. Raimondi. MCMAS : A model checker for multi-agent systems. In
TACAS’06, LNCS 4314, pages 450–454, 2006.
32 A.D.C. Lopes, F. Laroussinie, and N. Markey. ATL with Strategy Contexts: Expressive-
ness and Model Checking. In FSTTCS’10, LIPIcs 8, pages 120–132. Leibniz-Zentrum fuer
Informatik, 2010.
33 F. Mogavero, A. Murano, G. Perelli, and M.Y. Vardi. Reasoning About Strategies: On the
Model-Checking Problem. TOCL, 15(4):34:1–42, 2014.
34 F. Mogavero, A. Murano, and M.Y. Vardi. Reasoning About Strategies. In FSTTCS’10,
LIPIcs 8, pages 133–144. Leibniz-Zentrum fuer Informatik, 2010.
35 F. Mogavero, A. Murano, and M.Y. Vardi. Relentful Strategic Reasoning in Alternating-
Time Temporal Logic. In LPAR’10, LNAI 6355, pages 371–387. Springer, 2010.
36 David E. Muller and Paul E. Schupp. Alternating automata on infinite trees. Theor. Com-
put. Sci., 54:267–276, 1987. URL: http://dx.doi.org/10.1016/0304-3975(87)90133-2,
doi:10.1016/0304-3975(87)90133-2.
37 David E. Muller and Paul E. Schupp. Simulating alternating tree automata by nondetermin-
istic automata: New results and new proofs of the theorems of rabin, mcnaughton and safra.
Theor. Comput. Sci., 141(1&2):69–107, 1995.
38 Gary Peterson, John Reif, and Salman Azhar. Lower bounds for multiplayer noncooperative
games of incomplete information. Computers & Mathematics with Applications, 41(7):957–
992, 2001.
39 Gary Peterson, John Reif, and Salman Azhar. Decision algorithms for multiplayer nonco-
operative games of incomplete information. Computers & Mathematics with Applications,
43(1):179–206, 2002.
40 Sophie Pinchinat and Stéphane Riedweg. A decidable class of problems for control under
partial observation. Information Processing Letters, 95(4):454–460, 2005.
41 A. Pnueli. The Temporal Logic of Programs. In FOCS’77, pages 46–57. IEEE Computer
Society, 1977.
42 A. Pnueli and R. Rosner. On the Synthesis of a Reactive Module. In POPL’89, pages
179–190. Association for Computing Machinery, 1989.
43 Michael O Rabin. Decidability of second-order theories and automata on infinite trees.
Transactions of the american Mathematical Society, 141:1–35, 1969.
44 John H. Reif. The complexity of two-player games of incomplete information. J. Comput.
Syst. Sci., 29(2):274–301, 1984.
R. Berthon, B. Maubert and A. Murano 19
45 A.P. Sistla. Theoretical Issues in the Design and Cerification of Distributed Systems. PhD
thesis, Harvard University, Cambridge, MA, USA, 1983.
46 W. Thomas. Infinite trees and automaton-definable relations over omega-words. Theor.
Comput. Sci., 103(1):143–159, 1992.
47 W. van der Hoek and M. Wooldridge. Cooperation, knowledge and time: Alternating-time
Temporal Epistemic Logic and its applications. Studia Logica, 75(1):125–157, 2003.
48 M.Y. Vardi and L.J. Stockmeyer. Improved upper and lower bounds for modal logics of
programs: Preliminary report. In STOC’85, pages 240–251, 1985.
49 Wieslaw Zielonka. Infinite games on finitely coloured graphs with applications to automata
on infinite trees. Theor. Comput. Sci., 200(1-2):135–183, 1998.
... The latter extends CTL * with second-order quantification on atomic propositions, and it has been well studied [36,20,21,14,23]. QCTL * i , an imperfect-information extension of QCTL * , has recently been introduced, and its modelchecking problem was proven decidable for the class of hierarchical formulas [3]. In this paper we define a notion of hierarchical instances for the ATL * sc,i model-checking problem: an ATL * sc,i formula ϕ together with a concurrent game structure G is a hierarchical instance if the observations of agents appearing in strategy quantifiers get more refined as one goes down ϕ's syntactic tree. ...
... Theorem 2. Model checking ATL * i is decidable on the class of CGSi with hierarchical observation. 3 Observe that if A = Ag then G ↑ Ag\A = G, and Nature thus does not do anything. This is coherent with the fact that for agents with perfect recall Ag ϕ ≡ Eϕ, where E is the CTL path quantifier, even for imperfect information. ...
... Quantified CTL * , or QCTL * for short, is an extension of CTL * with second-order quantifiers on atomic propositions that has been well studied [36,20,21,23]. It has recently been further extended to take into account imperfect information, resulting in the logic called QCTL * with imperfect information, or QCTL * i [3]. We briefly present this logic, as well as a decidability result on its model-checking problem proved in [3] and that we rely on to establish our result on the model checking of ATL * sc,i . ...
Preprint
Full-text available
Alternating-time Temporal Logic (ATL*) is a central logic for multiagent systems. Its extension to the imperfect information setting (ATL*i ) is well known to have an undecidable model-checking problem when agents have perfect recall. Studies have thus mostly focused either on agents without memory, or on alternative semantics to retrieve decidability. In this work we establish new decidability results for agents with perfect recall: We first prove a meta-theorem that allows the transfer of decidability results for classes of multiplayer games with imperfect information, such as games with hierarchical observation, to the model-checking problem for ATL*i . We then establish that model checking ATL* with strategy context and imperfect information is decidable when restricted to hierarchical instances.
... The latter extends CTL * with second-order quantification on atomic propositions, and it has been well studied [33,20,21,14,23]. QCTL * i , an imperfect-information extension of QCTL * , has recently been introduced, and its model-checking problem was proven decidable for the class of hierarchical formulas [3]. In this paper we define a notion of hierarchical instances for the ATL * sc,i model-checking problem: informally, an ATL * sc,i formula ϕ together with a concurrent game structure G is a hierarchical instance if outermost strategic modalities in ϕ concern agents who observe less in G. ...
... If a finite play v · ρ · v · ρ yields hierarchical information in (G, v), so does v · ρ in (G, v ), with the same preorder among agents. 3 Observe that if A = Ag then G ↑ Ag\A = G, and Nature thus does not do anything. This is coherent with the fact that for agents with perfect recall Ag ϕ ≡ Eϕ, where E is the CTL path quantifier, even for imperfect information. ...
... Quantified CTL * , or QCTL * for short, is an extension of CTL * with second-order quantifiers on atomic propositions that has been well studied [33,20,21,23]. It has recently been further extended to take into account imperfect information, resulting in the logic called QCTL * with imperfect information, or QCTL * i [3]. We briefly present this logic, as well as a decidability result on its model-checking problem proved in [3] and that we rely on to establish our result on the model checking of ATL * sc,i . ...
Article
Full-text available
Temporal logics are a well-investigated formalism for the specification, verification and synthesis of reactive systems.Within this family, Alternating-Time Temporal Logic (ATL) has been introduced as a useful generalization of classical linear and branching-Time temporal logics, by allowing temporal operators to be indexed by coalitions of agents. Classically, temporal logics are memoryless: once a path in the computation tree is quantified at a given node, the computation that has led to that node is forgotten. Recently, mCTL∗ has been defined as a memoryful variant of CTL∗, where path quantification is memoryful. In the context of multi-Agent planning, memoryful quantification enables agents to 'relent'and change their goals and strategies depending on the histories of evolutions. In this article, we introduce Relentful ATL∗RAtl∗), a kind of temporally memoryful extension of ATL∗, in which a formula is satisfied at a certain node of a play by taking into account both its future and past.We study the expressive power of RAtl, its succinctness, as well as related decision problems.We investigate the relationship between memoryful quantifications and past modalities and prove their equivalence. We also show that both the relentful and the past extensions come without any computational price; indeed, we prove that both the satisfiability and the model-checking problems are 2ExpTime-complete, as for ATL∗.
Conference Paper
Full-text available
We indicate two problems with the specifications of fairness that are currently used for the verification of non-repudiation and other fair-exchange protocols. The first of these problems is the implicit as-sumption of perfect information. The second problem is the possible lack of effectiveness. We solve both problems in isolation by giving new definitions of fairness, but leave the combined solution for further work. Moreover, we establish a hierarchy of various definitions of fairness, and indicate the consequences for existing work.
Conference Paper
Full-text available
Two decision problems are very close in spirit: module check-ing of CTL/CTL* and model checking of ATL/ATL*. The latter appears to be a natural multi-agent extension of the former, and it is commonly believed that model checking of ATL(*) subsumes module checking of CTL(*) in a straight-forward way. Perhaps because of that, the exact relationship between the two has never been formally established. A more careful look at the known complexity results, however, makes one realize that the relationship is some-what suspicious. In particular, module checking of CTL is EXPTIME-complete, while model checking of ATL is only P-complete. Thus, the (seemingly) less expressive frame-work yields significantly higher computational complexity than the (seemingly) more expressive one. This suggests that the relationship may not be as simple as believed. In this paper, we show that the difference is indeed fundamen-tal. The way in which behavior of the environment is un-derstood in module checking cannot be equivalently char-acterized in ATL(*). Conversely, if one wants to embed module checking in ATL(*) then its semantics must be ex-tended with two essential features, namely nondeterministic strategies and long-term commitment to strategies.
Conference Paper
Full-text available
We introduce MCMAS-SLK, a BDD-based model checker for the verification of systems against specifications expressed in a novel, epistemic variant of strategy logic. We give syntax and semantics of the specification language and a introduce a labelling algorithm for epistemic and strategy logic modalities. We provide details of the checker which can also be used for synthesizing agents strategies so that a specification is satisfied by the system. We evaluate the efficiency of the implementation by discussing the results obtained for a scheduling system and the dining cryptographers protocol.
Conference Paper
Infinite games with imperfect information are deemed to be undecidable unless the information flow is severely restricted. One fundamental decidable case occurs when there is a total ordering among players, such that each player has access to all the information that the following ones receive. In this paper we consider variations of this hierarchy principle for synchronous games with perfect recall, and identify new decidable classes for which the distributed synthesis problem is solvable with finite-state strategies. In particular, we show that decidability is maintained when the information hierarchy may change along the play, or when transient phases without hierarchical information are allowed.
Article
In this paper, we report on a recent work for the verification of non-repudiation protocols. We propose a verification method based on the idea that non-repudiation protocols are best modeled as games. To formalize this idea, we use alternating transition systems, a game based model, to model protocols and alternating temporal logic, a game based logic, to express requirements that the protocols must ensure. This method is automated by using the model-checker MOCHA, a model-checker that supports the alternating transition systems and the alternating temporal logic. Several optimistic protocols are analyzed using MOCHA.
Article
Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternative-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also, the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas. Depending on whether we admit arbitrary nesting of selective path quantifiers and temporal operators, we obtain the two alternating-time temporal logics ATL and ATL*. We interpret the formulas of ATL and ATL* over alternating transition systems. While in ordinary transitory systems, each transition corresponds to a possible step of the system, in alternating transition systems, each transition corresponds to a possible move in the game between the system and the environment. Fair alternating transition systems can capture both synchronous and asynchronous compositions f open systems. For synchronous systems, the expressive power of ATL beyond CTL comes at no cost: the model-checking complexity of synchronous ATL is linear in the size of the system and the length of the formula. The symbolic model-checking algorithm for CTL extends with few modifications to synchronous ATL, and with some work, also to asynchronous to ATL, whose model-checking complexity is quadratic. This makes ATL an obvious candidate for the automatic verification of open systems. In the case of ATL*, the model-checking problem is closely related to the synthesis problem for linear-time formulas, and requires doubly exponential time for both synchronous and asynchronous systems.
Article
While it was defined long ago, the extension of CTL with quantification over atomic propositions has never been studied extensively. Considering two different semantics (depending whether propositional quantification refers to the Kripke structure or to its unwinding tree), we study its expressiveness (showing in particular that QCTL coincides with Monadic Second-Order Logic for both semantics) and characterise the complexity of its model-checking and satisfiability problems, depending on the number of nested propositional quantifiers (showing that the structure semantics populates the polynomial hierarchy while the tree semantics populates the exponential hierarchy).
Conference Paper
Model checking is an automatic technique for verifying finite-state reactive systems, such as sequential circuit designs and communication protocols. Specifications are expressed in temporal logic, and the reactive system is modeled as a state-transition graph. An efficient search procedure is used to determine whether or not the state-transition graph satisfies the specifications. This paper describes the basic model checking algorithm and shows how it can be used with binary decision diagrams to verify properties of large state-transition graphs. Abstraction and compositional reasoning techniques are also discussed that significantly extend the power of model checking techniques by exploiting the hierarchical structure of complex circuit designs and protocols.