Content uploaded by Aniello Murano

Author content

All content in this area was uploaded by Aniello Murano on Nov 08, 2018

Content may be subject to copyright.

Reasoning about Knowledge and Strategies under Hierarchical Information

Bastien Maubert and Aniello Murano

Universit`

a degli Studi di Napoli “Federico II”

Abstract

Two distinct semantics have been considered for knowledge

in the context of strategic reasoning, depending on whether

players know each other’s strategy or not. In the former

case, that we call the informed semantics, distributed syn-

thesis for epistemic temporal speciﬁcations is undecidable,

already on systems with hierarchical information. However,

for the other, uninformed semantics, the problem is decid-

able on such systems. In this work we generalise this re-

sult by introducing an epistemic extension of Strategy Logic

with imperfect information. The semantics of knowledge op-

erators is uninformed, and captures agents that can change

observation power when they change strategies. We solve

the model-checking problem on a class of “hierarchical in-

stances”, which provides a solution to a vast class of strategic

problems with epistemic temporal speciﬁcations, such as dis-

tributed or rational synthesis, on hierarchical systems.

Introduction

Logics of programs, many of which are based on classic

temporal logics such as LTL or CTL, are meant to specify

desirable properties of algorithms. When considering dis-

tributed systems, an important aspect is that each processor

has a partial, local view of the whole system, and can only

base its actions on the available information. Many authors

have argued that this imperfect information calls for logical

formalisms that would allow the modelling and reasoning

about what different processes know of the system, and of

other processes’ state of knowledge. For instance, Halpern

and Moses wrote in (Halpern and Moses 1990):

“[. . . ] explicitly reasoning about the states of knowledge

of the components of a distributed system provides a more

general and uniform setting that offers insight into the basic

structure and limitations of protocols in a given system.”

To reason about knowledge and time, temporal logics

have been extended with the knowledge operator Kafrom

epistemic logic, giving rise to a family of temporal epistemic

logics (Fagin et al. 1995), which have been applied to, e.g.,

information ﬂow and cryptographic protocols (van der Mey-

den and Su 2004; Halpern and O’Neill 2005), coordination

problems in distributed systems (Neiger and Bazzi 1992)

and motion planning in robotics (Brafman et al. 1997).

Copyright c

2018, Association for the Advancement of Artiﬁcial

Intelligence (www.aaai.org). All rights reserved.

Distributed systems are often open systems, i.e., they in-

teract with an environment and must react appropriately to

actions taken by this environment. As a result, if we take

the analogy where processors are players of a game, and

processes are strategies for the processors, the task of syn-

thesising distributed protocols can be seen as synthesising

winning strategies in multi-player games with imperfect in-

formation. This analogy between the two settings is well

known, and Ladner and Reif already wrote in (Ladner and

Reif 1986) that “Distributed protocols are equivalent to (i.e.,

can be formally modelled as) games”.

To reason about a certain type of game-related proper-

ties in distributed systems, Alternating-time Temporal Logic

(ATL) was introduced (Alur, Henzinger, and Kupferman

2002). It can express the existence of strategies for coalitions

of players in multi-player games, but cannot express some

important game-theoretic concepts, such as the existence of

Nash equilibria. To remedy this, Strategy Logic (SL) (Chat-

terjee, Henzinger, and Piterman 2010; Mogavero et al. 2014)

was deﬁned. Treating strategies as explicit ﬁrst-order objects

makes it very expressive, and it can for instance talk about

Nash equilibria in a very natural way. These logics have been

studied both for perfect and imperfect information, and in

the latter case either with the assumption that agents have

no memory, or that they remember everything they observe.

This last assumption, called perfect recall, is the one usually

considered in distributed synthesis (Pnueli and Rosner 1990)

and games with imperfect information (Reif 1984), and it is

also central in logics of knowledge and time (Fagin et al.

1995). It is the one we consider in this work.

In order to reason about knowledge and strategic abilities

in distributed systems, epistemic temporal logics and strate-

gic logics have been combined. In particular, both ATL and

SL have been extended with knowledge operators (van der

Hoek and Wooldridge 2003; Jamroga and van der Hoek

2004; Belardinelli 2015; Dima, Enea, and Guelev 2010;

Belardinelli et al. 2017a; Belardinelli et al. 2017b). How-

ever, few decidable cases are known for the model check-

ing of these logics with imperfect information and perfect

recall. This is not surprising since strategic logics typically

can express the existence of distributed strategies, a prob-

lem known to be undecidable for perfect recall, already

for purely temporal speciﬁcations (Peterson and Reif 1979;

Pnueli and Rosner 1990).

arXiv:1806.00028v2 [cs.LO] 3 Sep 2018

Semantics of knowledge with strategies. Mixing knowl-

edge and strategies raises intricate questions of semantics.

As a matter of fact, we ﬁnd in the litterature two distinct

semantics for epistemic operators in strategic contexts, one

in works on distributed synthesis from epistemic temporal

speciﬁcations, and another one in epistemic strategic logics.

To explain in what they differ, let us ﬁrst recall the seman-

tics of the knowledge operator in epistemic temporal logics:

a formula Kaϕholds in a history h(ﬁnite sequence of states)

of a system if ϕholds in all histories h0that agent acannot

distinguish from h. In other words, agent aknows that ϕ

holds if it holds in all histories that may be the current one

according to what she observed. Now consider that the sys-

tem is a multi-player game, and ﬁx a strategy σbfor some

player b. Two semantics are possible for Ka: one could say

that Kaϕholds if ϕholds in all possible histories that are in-

distinguishable to the current one, as in epistemic temporal

logics, or one could restrict attention to those in which player

bfollows σb, discarding indistinguishable histories that are

not consistent with σb. In the latter case, one may say that

player a’s knowledge is reﬁned by the knowledge of σb, i.e.,

she knows that player bis using strategy σb, and she has the

ability to reﬁne her knowledge with this information, elim-

inating inconsistent possible histories. In the following this

is what we will be referring to when saying that an agent

knows some other agent’s strategy. We shall also refer to the

semantics where aknows σbas the informed semantics, and

that in which she ignores it as the uninformed semantics.

The two semantics are relevant as they model different

reasonable scenarios. For instance if players collaborate and

have the ability to communicate, they may share their strate-

gies with each other. But in many cases, components of a

distributed system each receive only their own strategy, and

thus are ignorant of other components’ strategies.

All epistemic extensions of ATL and SL we know of

consider the uninformed semantics. In contrast, works on

distributed synthesis from epistemic temporal speciﬁcations

use the informed semantics (van der Meyden and Vardi

1998; van der Meyden and Wilke 2005), even though it is not

so obvious that they do. Indeed these works consider speci-

ﬁcations in classic epistemic temporal logic, without strate-

gic operators. But they ask for the existence of distributed

strategies so that such speciﬁcations hold in the system re-

stricted to the outcomes of these strategies. This corresponds

to what we call the informed semantics, as the semantics of

knowledge operators is, in effect, restricted to outcomes of

the strategies that are being synthesised.

We only know of two works that discuss these two se-

mantics. In (Bozzelli, Maubert, and Pinchinat 2015) two

knowledge-like operators are studied, one for each seman-

tics, but distributed synthesis is not considered. More inter-

estingly, Puchala already observes in (Puchala 2010) that the

distributed synthesis problem studied in (van der Meyden

and Vardi 1998; van der Meyden and Wilke 2005) consid-

ers the informed semantics. While the problem is undecid-

able for this semantics even on hierarchical systems (van der

Meyden and Wilke 2005), Puchala sketches a proof that the

problem becomes decidable on the class of hierarchical sys-

tems when the uninformed semantics is used.

Contributions. We introduce a logic for reasoning about

knowledge and strategies. Our Epistemic Strategy Logic

(ESL) is based on Strategy Logic, and besides boolean and

temporal operators, it contains the imperfect-information

strategy quantiﬁer hhxiiofrom SLii (Berthon et al. 2017),

which reads as “there exists a strategy xwith observation

o”, and epistemic operators Kafor each agent a. Our logic

allows reasoning about agents whose means of observing

the system changes over time, as agents may successively

use strategies associated with different observations. This

can model, for instance, an agent that is granted higher se-

curity clearance, giving her access to previously hidden in-

formation. The semantics of our epistemic operators takes

into account agents’ changes of observational power. ESL

also contains the outcome quantiﬁer Afrom Branching-time

Strategy Logic (BSL) (Knight and Maubert 2015), which

quantiﬁes on outcomes of strategies currently used by the

agents, and the unbinding operator (a, ?), which frees an

agent from her current strategy. The latter was introduced

in (Laroussinie and Markey 2015) for ATL with strategy

context and is also present in BSL. The outcome quanti-

ﬁer together with the unbinding operator allow us to express

branching-time temporal properties without resorting to ar-

tiﬁcial strategy quantiﬁcations which may either affect the

semantics of agents’ knowledge or break hierarchicality.

We solve the model-checking problem for hierarchical in-

stances of ESL. As in SLii, hierarchical instances are for-

mula/model pairs such that, as one goes down the syntactic

tree of the formula, observations annotating strategy quan-

tiﬁers hhxiiocan only become ﬁner. In addition, in ESL we

require that knowledge operators do not refer to (outcomes

of) strategies quantiﬁed higher in the formula.

Any problem which can be expressed as hierarchical in-

stances of our logic is thus decidable, and since ESL is very

expressive such problems are many. A ﬁrst corollary is an

alternative proof that distributed synthesis from epistemic

temporal speciﬁcations with uninformed semantics is decid-

able on hierarchical systems. Puchala announced this result

in (Puchala 2010), but we provide a stronger result by going

from linear-time to branching-time epistemic speciﬁcations.

We also allow for nesting of strategic operators in epistemic

ones, as long as hierarchicality is preserved and epistemic

formulas do not refer to previously quantiﬁed strategies. An-

other corollary is that rational synthesis (Kupferman, Perelli,

and Vardi 2016; Condurache et al. 2016) with imperfect in-

formation is decidable on hierarchical systems for epistemic

temporal objectives with uninformed semantics.

Our approach to solve the model-checking problem for

our logic extends that followed in (Laroussinie and Markey

2015; Berthon et al. 2017), which consists in “compiling”

the strategic logic under study into an opportune variant

of Quantiﬁed CTL∗, or QCTL∗for short (Laroussinie and

Markey 2014). This is an extension of CTL∗with second-

order quantiﬁcation on propositions which serves as an in-

termediary, low-level logic between strategic logics and tree

automata. In (Laroussinie and Markey 2015), model check-

ing ATL∗with strategy context is proved decidable by reduc-

tion to QCTL∗. In (Berthon et al. 2017), model checking

SLii is proved decidable for a class of hierarchical instances

by reduction to the hierarchical fragment of an imperfect in-

formation extension of QCTL∗, called QCTL∗

ii. In this work

we deﬁne EQCTL∗

ii, which extends further QCTL∗

ii with

epistemic operators and an operator of observation change

introduced recently in (Barri`

ere et al. 2018) in the context of

epistemic temporal logics. We deﬁne the hierarchical frag-

ment of EQCTL∗

ii, which strictly contains that of QCTL∗

ii,

and solve its model-checking problem for this fragment.

Related work. We know of ﬁve other logics called Epis-

temic Strategy Logic. In (Huang and Van Der Meyden

2014), epistemic temporal logic is extended with a ﬁrst-

order quantiﬁcation ∃xon points in runs of the system and

an operator ei(x)that compares local state iat xand at the

current point. When interpreted on systems where strategies

are encoded in local states, this logic can express existence

of strategies and what agents know about it. However it only

concerns memoryless strategies. Strategy Logic is extended

with epistemic operators in (Cerm´

ak et al. 2014), but they

also consider memoryless agents. (Belardinelli 2015) ex-

tends a fragment of SL with epistemic operators, and consid-

ers perfect-recall strategies, but model checking is not stud-

ied. The latter logic is extended in (Belardinelli et al. 2017a),

in which its model-checking problem is solved on the class

of broadcast systems. In (Knight and Maubert 2015) SL is

also extended with epistemic operators and perfect-recall

agents. Their logic does not require strategies to be uniform,

but this requirement can be expressed in the language. How-

ever no decidability result is provided. The result we present

here is the ﬁrst for an epistemic strategic logic with perfect

recall on hierarchical systems. In addition, ours is the ﬁrst

epistemic strategic logic to allow for changes of observa-

tional power.

Plan. We ﬁrst deﬁne ESL and hierarchical instances, and

announce our main result. Next we introduce EQCTL∗

ii and

solve the model-checking problem for its hierarchical frag-

ment. We then establish our main result by reducing model

checking hierarchical instances of ESL to model checking

hierarchical EQCTL∗

ii. We ﬁnally present two corollaries,

exemplifying what our logic can express, and we ﬁnish with

a discussion on the semantics of knowledge and strategies.

Notations

Let Σbe an alphabet. A ﬁnite (resp. inﬁnite)word over Σ

is an element of Σ∗(resp. Σω). The length of a ﬁnite word

w=w0w1. . . wnis |w|:= n+ 1, last(w) := wnis its

last letter, and we note for the empty word. Given a ﬁnite

(resp. inﬁnite) word wand 0≤i≤ |w|(resp. i∈N), we

let wibe the letter at position iin w,w≤iis the preﬁx of w

that ends at position iand w≥iis the sufﬁx of wthat starts

at position i. We write w4w0if wis a preﬁx of w0, and w4

is the set of ﬁnite preﬁxes of word w. Finally, the domain

of a mapping fis written dom(f), and for n∈Nwe let

[n] := {i∈N: 1 ≤i≤n}.

We ﬁx for the rest of the paper a number of parameters for

our logics and models: AP is a ﬁnite set of atomic proposi-

tions, Ag is a ﬁnite set of agents or players, Var is a ﬁnite set

of variables and Obs is a ﬁnite set of observation symbols.

These data are implicitly part of the input for the model-

checking problems we consider.

Epistemic Strategy Logic

In this section we introduce our epistemic extension of Strat-

egy Logic with imperfect information.

Models

The models of ESL are essentially the same as those of

SLii, i.e., concurrent game structures extended by an obser-

vation interpretation O, that maps each observation symbol

o∈Obs to an equivalence relation O(o)over positions of

the game structure. However models in ESL contain, in ad-

dition, an initial observation for each player. This initial ob-

servation may change if the player receives a strategy corre-

sponding to a different observation.

Deﬁnition 1 (CGSii).Aconcurrent game structure with

imperfect information (or CGSii for short) is a structure

G= (Ac, V, E , `, O, vι,oι)where

•Ac is a ﬁnite non-empty set of actions,

•Vis a ﬁnite non-empty set of positions,

•E:V×AcAg →Vis a transition function,

•`:V→2AP is a labelling function,

• O :Obs →V×Vis an observation interpretation, and

for each o∈Obs,O(o)is an equivalence relation,

•vι∈Vis an initial position, and

•oι∈ObsAg is a tuple of initial observations.

Two positions being equivalent for relation O(o)means

that a player using a strategy with observation ocannot dis-

tinguish them. In the following we may write ∼ofor O(o)

and v∈ G for v∈V.

Joint actions. When in a position v∈V, each player a

chooses an action ca∈Ac and the game proceeds to po-

sition E(v, c), where c∈AcAg stands for the joint action

(ca)a∈Ag. If c= (ca)a∈Ag , we let cadenote cafor a∈Ag.

Plays and strategies. Aﬁnite (resp. inﬁnite)play is a ﬁnite

(resp. inﬁnite) word ρ=v0. . . vn(resp. π=v0v1. . .) such

that v0=vιand for all iwith 0≤i < |ρ| − 1(resp. i≥0),

there exists a joint action csuch that E(vi,c) = vi+1. We

let Plays be the set of ﬁnite plays. A strategy is a function

σ:Plays →Ac, and we let Str be the set of all strategies.

Assignments. An assignment χ:Ag∪Var *Str is a partial

function assigning to each player and variable in its domain

a strategy. For an assignment χ, a player aand a strategy

σ,χ[a7→ σ]is the assignment of domain dom(χ)∪ {a}

that maps ato σand is equal to χon the rest of its domain,

and χ[x7→ σ]is deﬁned similarly, where xis a variable;

also, χ[a7→?] is the assignment of domain dom(χ)\{a}, on

which it is equal to χ.

Outcomes. For an assignment χand a ﬁnite play ρ, we let

out(χ, ρ)be the set of inﬁnite plays that start with ρand

are then extended by letting players follow the strategies as-

signed by χ. Formally, out(χ, ρ)is the set of inﬁnite plays

of the form ρ·v1v2. . . such that for all i≥0, there exists c

such that for all a∈dom(χ)∩Ag, ca∈χ(a)(ρ·v1. . . vi)

and vi+1 =E(vi,c), with v0=last(ρ).

Synchronous perfect recall. Players with perfect recall re-

member the whole history of a play. Each observation rela-

tion is thus extended to ﬁnite plays as follows: ρ≈oρ0if

|ρ|=|ρ0|and ρi∼oρ0

ifor every i∈ {0,...,|ρ| − 1}.

Uniform strategies. For o∈Obs, an o-strategy is a strategy

σ:V+→Ac such that σ(ρ) = σ(ρ0)whenever ρ≈oρ0.

For o∈Obs we let Strobe the set of all o-strategies.

Syntax

ESL extends SLii with knowledge operators Kafor each

agent a∈Ag, and the outcome quantiﬁer from Branching-

time Strategy Logic, introduced in (Knight and Maubert

2015), which quantiﬁes on outcomes of the currently ﬁxed

strategies. While in SL temporal operators could only be

evaluated in contexts where all agents were assigned to a

strategy, this outcome quantiﬁer allows for evaluation of

(branching-time) temporal properties on partial assignments

of strategies to agents. This outcome quantiﬁer can be sim-

ulated in usual, linear-time variants of Strategy Logic, by

quantifying on strategies for agents who do not currently

have one. But in the context of imperfect information, where

strategy quantiﬁers are parameterised by an observation, this

may cause to either break the hierarchy or artiﬁcially modify

an agent’s observation, which affects his knowledge.

Deﬁnition 2 (ESL Syntax).The syntax of ESL is deﬁned by

the following grammar:

ϕ:p| ¬ϕ|ϕ∨ϕ| hhxiioϕ|(a, x)ϕ|(a, ?)ϕ|Kaϕ|Aψ

ψ:ϕ| ¬ψ|ψ∨ψ|Xψ|ψUψ,

where p∈AP,x∈Var,o∈Obs and a∈Ag.

Formulas of type ϕare called history formulas, those of

type ψare path formulas. We may use usual abbreviations

>:= p∨ ¬p,⊥:= ¬>,ϕ→ϕ0:= ¬ϕ∨ϕ0,Fϕ:= >Uϕ,

Gϕ:= ¬F¬ϕ,[[x]]oϕ:= ¬hhxiio¬ϕand Eψ:= ¬A¬ψ.

A variable xappears free in a formula ϕif it appears out

of the scope of a strategy quantiﬁer. We let free(ϕ)be the

set of variables that appear free in ϕ. An assignment χis

variable-complete for a formula ϕif its domain contains all

free variables in ϕ. Finally, a sentence is a history formula ϕ

such that free(ϕ) = ∅.

Remark 1. Without loss of generality we can assume that

each strategy variable xis quantiﬁed at most once in an ESL

formula. Thus, each variable xthat appears in a sentence is

uniquely associated to a strategy quantiﬁcation hhxiio, and

we let ox=o.

Discussion on the syntax. In SLii as well as in ESL, the ob-

servation used by a strategy is speciﬁed at the level of strat-

egy quantiﬁcation: hhxiioϕreads as “there exists a strategy

xwith observation osuch that ϕholds”. When a strategy

with observation ois assigned to some agent avia a bind-

ing (a, x), it seems natural to consider that agent astarts

observing the system with observation o. As a result agents

can change observation when they change strategy, and thus

they can observe the game with different observation powers

along a same play. This contrasts with most of the literature

on epistemic temporal logics, where each agent’s observa-

tion power is usually ﬁxed in the model.

Epistemic relations with changing observations

Dynamic observation change has been studied recently in

the context of epistemic temporal logics in (Barri`

ere et al.

2018), from which come the following deﬁnitions.

First, dealing with the possibility to dynamically change

observation requires to remember which observation each

agent had at each point in time.

Observation records. An observation record rafor agent

a∈Ag is a ﬁnite word over N×Obs, i.e., ra∈(N×Obs)∗.

If at time n, an agent awith current observation record ra

receives a strategy with observation o, her new observation

record is ra·(o, n). The observation record ra[n]is the pro-

jection of raon {n} × Obs, and represents the sequence of

observation changes that occurred at time n.

Given an observation record for each agent r= (ra)a∈Ag,

we note rafor ra. We say that an observation record rstops

at time nif ra[m]is empty for all m > n, and rstops at

a ﬁnite play ρif it stops at time |ρ| − 1. If rstops at time

n, we let r·(n, o)abe the observation record rwhere rais

replaced with ra·(n, o).

At each step of a play, each agent observes the new po-

sition with her current observation power. Then, if an agent

changes strategy, she observes the same position with the ob-

servation of the new strategy, which may be different from

the previous one. Also, due to the syntax of ESL, an agent

may change observation several times before the next step.

Therefore, the observation sequence osa(r, n)with which

agent aobserves the game at time nconsists of the observa-

tion she had when the n-th move is taken, plus those corre-

sponding to strategy changes that occur before the next step.

It is deﬁned by induction on n:

osa(r,0) = o1·. . . ·ok,

if ra[0] = (0, o1)·. . . ·(0, ok),and

osa(r, n + 1) = last(osa(r, n)) ·o1·. . . ·ok,

if ra[n+ 1] = (n+ 1, o1)·. . . ·(n+ 1, ok).

If at time nagent adoes not receive a new strategy,

osa(r, n)contains only one observation, which will be ei-

ther that of the last strategy taken by the agent or the agent’s

initial observation, given by the CGSii.

The indistinguishability relation for synchronous perfect-

recall with observation change is deﬁned as follows.

Deﬁnition 3. For ρand ρ0two ﬁnite plays and ran ob-

servation record, ρand ρ0are observationally equivalent

to agent a, written ρ≈r

aρ0, if |ρ|=|ρ0|and, for every

i∈ {0,...,|ρ| − 1}, for every o∈osa(r, i),ρi∼oρ0

i.

Remark 2. Observe that, at a given point in time, the order

in which an agent observes the game with different observa-

tion does not matter. Intuitively, all that matters is the total

information gathered before the next step. Also, in the case

of an empty observation record, the above deﬁnition corre-

sponds to blind agents, for which all ﬁnite plays of same

length are indistinguishable. However in the following ob-

servation records will never be empty, but will always be

initialised with the initial observations given by the model.

Semantics

We now deﬁne the semantics of ESL.

Deﬁnition 4 (ESL Semantics).The semantics of a history

formula is deﬁned on a game G(omitted below), an assign-

ment χvariable-complete for ϕ, and a ﬁnite play ρ. For a

path formula ψ, the ﬁnite play is replaced with an inﬁnite

play πand an index i∈N. The deﬁnition is as follows:

χ, r, ρ |=pif p∈`(last(ρ))

χ, r, ρ |=¬ϕif χ, r, ρ 6|=ϕ

χ, r, ρ |=ϕ∨ϕ0if χ, r, ρ |=ϕor χ, r, ρ |=ϕ0

χ, r, ρ |=hhxiioϕif ∃σ∈Stro. χ[x7→ σ],r, ρ |=ϕ

χ, r, ρ |= (a, x)ϕif χ[a7→ χ(x)],r, ρ |=ϕ

χ, r, ρ |= (a, ?)ϕif χ[a7→?],r, ρ |=ϕ

χ, r, ρ |=Kaϕif ∀ρ0∈Plays s.t. ρ0≈r

aρ,

χ, r, ρ0|=ϕ

χ, r, ρ |=Aψif ∀π∈out(χ, ρ),

χ, r, π, |ρ| − 1|=ψ

χ, r, π, i |=ϕif χ, r, π≤i|=ϕ

χ, r, π, i |=¬ψif χ, r, π, i 6|=ψ

χ, r, π, i |=ψ∨ψ0if χ, r, π, i |=ψor χ, r, π, i |=ψ0

χ, r, π, i |=Xψif χ, r, π, i + 1 |=ψ

χ, r, π, i |=ψUψ0if ∃j≥is.t. χ, r, π, j |=ψ0and

∀k∈[i, j[, χ, r, π, k |=ψ

The satisfaction of a sentence is independent of the as-

signment; for an ESL sentence ϕwe thus let G,r, ρ |=ϕif

G, χ, r, ρ |=ϕfor some assignment χ. We also write G |=ϕ

if G,rι, vι|=ϕ, where rι= (0,oι

a)a∈Ag.

Discussion on the semantics. First, the semantics of the

knowledge operator corresponds, as announced, to what we

called uninformed semantics in the introduction. Indeed it is

not restricted to outcomes of strategies followed by the play-

ers: Kaϕholds in a ﬁnite play ρif ϕholds in all ﬁnite plays

in the game that are indistinguishable to ρfor agent a.

Also, note that the relation for perfect recall with obser-

vation change, and thus also observation records, are only

used in the semantics of the knowledge operators. As usual,

a strategy with observation ohas to be uniform with regards

to the classic perfect-recall relation ∼ofor static observa-

tions, even if it is assigned to an agent who previously had a

different observation. The reasons to do so are twofold.

First, we do not see any other natural deﬁnition. One may

think of parameterising strategy quantiﬁers with observation

records instead of mere observations, but this would require

to know at the level of quantiﬁcation at which points in time

the strategy will be given to an agent, and what previous ob-

servations this agent would have had, which is not realistic.

More importantly, when one asks for the existence of a

uniform strategy after some ﬁnite play ρ, it only matters how

the strategy is deﬁned on sufﬁxes of ρ, and thus the unifor-

mity constraint also is relevant only on such plays. But for

such plays, the “ﬁxed observation” indistinguishability re-

lation is the same as the “dynamic observation” one. More

precisely, if agent areceives observation oat the end of ρ,

i.e., last(ra) = (|ρ|− 1, o), then for all ﬁnite plays ρ0, ρ00 that

are sufﬁxes of ρ, we have ρ0≈oρ00 if, and only if, ρ0≈r

aρ00.

Indeed, since we use the S5 semantics of knowledge, i.e.,

indistinguishability relations are equivalence relations, the

preﬁx ρis always related to itself, be it for ≈r

aor ≈o, and

after ρboth relations only consider observation o.

Model checking and hierarchical instances

We now introduce the decision problem studied in this paper,

i.e., the model-checking problem for ESL.

Model checking. An instance is a pair (Φ,G)where Φis

a sentence of ESL and Gis a CGSii. The model-checking

problem for ESL is the decision problem that, given an in-

stance (Φ,G), returns ‘yes’ if G |= Φ, and ‘no’ otherwise.

SLii can be translated into ESL, by adding outcome quan-

tiﬁers before temporal operators. Since model checking SLii

is undecidable (Berthon et al. 2017), we get the following

result:

Theorem 1. Model checking ESL is undecidable.

Hierarchical instances. We now isolate a sub-problem ob-

tained by restricting attention to hierarchical instances. In-

tuitively, an ESL-instance (Φ,G)is hierarchical if, as one

goes down a path in the syntactic tree of Φ, the observa-

tions parameterising strategy quantiﬁers become ﬁner. In ad-

dition, epistemic formulas must not talk about currently de-

ﬁned strategies.

Given an ESL sentence Φand a syntactic subformula ϕ

of Φ, by parsing Φ’s syntactic tree one can deﬁne the set

Ag(ϕ)of agents who are bound to a strategy at the level of

ϕ, as well as where in Φthese strategies are quantiﬁed upon.

Deﬁnition 5. Let Φbe an ESL sentence. A subformula Kaϕ

is free if for every subformula Aψof ϕ, the current strategy

of each agent in Ag(Aψ)is quantiﬁed within ϕ.

In other words, an epistemic subformula Kaϕis free if it

does not talk about strategies that are quantiﬁed before it.

Example 1. If Φ = hhxiio(a, x)KaAXp, then KaAXpis

not free in Φ, because at the level of Aagent ais bound to

strategy xwhich is quantiﬁed “outside” of KaAXp. But if

Φ = hhxiio(a, x)Ka(a, ?)AXp, then Ka(a, ?)AXpis free

in Φ, because at the level of Ano agent is bound to a

strategy. Also if Φ = hhxiio(a, x)Kahhyiio0(a, y)AXp, then

Kahhyiio0(a, y)AXpis free in Φ, because at the level of A

the only agent bound to a strategy is a, and her strategy is

quantiﬁed upon after the knowledge operator.

We can now deﬁne the hierarchical fragment for which

we establish decidability of the model-checking problem.

Deﬁnition 6 (Hierarchical instances).An ESL-instance

(Φ,G)is hierarchical if all epistemic subformulas of Φare

free in Φand, for all subformulas of the form ϕ1=hhxiio1ϕ0

1

and ϕ2=hhxiio2ϕ0

2where ϕ2is a subformula of ϕ0

1, it holds

that O(o2)⊆ O(o1).

In other words, an instance is hierarchical if innermost

strategy quantiﬁers observe at least as much as outermost

ones, and epistemic formulas do not talk about current

strategies. Here is the main contribution of this work:

Theorem 2. The model-checking problem for ESL re-

stricted to the class of hierarchical instances is decidable.

We prove this result by reducing it to the model-checking

problem for the hierarchical fragment of an extension of

QCTL∗with imperfect information, knowledge and obser-

vation change, which we now introduce and study in order

to use it as an intermediate, “low-level” logic between tree

automata and ESL.

QCTL∗

ii with knowledge and observation

change

QCTL∗extends CTL∗with second order quantiﬁcation on

atomic propositions (Emerson and Sistla 1984; Kupferman

1995; Kupferman et al. 2000; French 2001; Laroussinie

and Markey 2014). It was recently extended to model

imperfect-information aspects, resulting in the logic called

QCTL∗

ii (Berthon et al. 2017). In this section we ﬁrst de-

ﬁne an epistemic extension of QCTL∗

ii with operators for

knowledge and dynamic observation change, that we call

EQCTL∗

ii. Then we deﬁne the syntactic class of hierarchical

formulas and prove that model checking this class of formu-

las is decidable.

Models

The models of EQCTL∗

ii, as those of QCTL∗

ii, are structures

in which states are tuples of local states. Fix n∈N.

Local states. Let {Li}i∈[n]denote ndisjoint ﬁnite sets of

local states. For I⊆[n], we let LI:= Qi∈ILiif I6=∅,

and L∅:= {0}where 0is a special symbol.

Concrete observations. A set o ⊆[n]is a concrete obser-

vation (to distinguish from observation symbols oof ESL).

Fix o ⊆[n]and I⊆[n]. Two tuples x, x0∈LIare o-

indistinguishable, written x∼ox0, if for each i∈I∩o,

xi=x0

i. Two words u=u0. . . uiand u0=u0

0. . . u0

jover

alphabet LIare o-indistinguishable, written u≈ou0, if i=

jand for all k∈ {0, . . . , i}we have uk∼ou0

k.

Compound Kripke structures. These are like Kripke struc-

tures except that the states are elements of L[n]. A com-

pound Kripke structure, or CKS, over AP, is a tuple S=

(S, R, `, sι,oι)where S⊆L[n]is a set of states,R⊆S×S

is a left-total1transition relation,`:S→2AP is a labelling

function,sι∈Sis an initial state, and oι= (oι

a)a∈Ag is an

initial concrete observation for each agent.

Apath in Sis an inﬁnite sequence of states π=s0s1. . .

such that for all i∈N,(si, si+1)∈R, and a ﬁnite path

ρ=s0s1. . . snis a ﬁnite preﬁx of a path. For s∈S, we let

Pathsω(s)be the set of all paths that start in s, and Paths∗(s)

is the set of ﬁnite paths that start in s.

Syntax of EQCTL∗

ii

The syntax of EQCTL∗

ii extends that of QCTL∗

ii with epis-

temic operators Kaand observation-change operators ∆o

a,

which were recently introduced and studied in (Barri`

ere et

al. 2018) in an epistemic temporal logic without second-

order quantiﬁcation.

1i.e., for all s∈S, there exists s0such that (s, s0)∈R.

Deﬁnition 7 (EQCTL∗

ii Syntax).The syntax of EQCTL∗

ii is

deﬁned by the following grammar:

ϕ:= p| ¬ϕ|ϕ∨ϕ|Aψ| ∃op. ϕ |Kaϕ|∆o

aϕ

ψ:= ϕ| ¬ψ|ψ∨ψ|Xψ|ψUψ

where p∈AP,a∈Ag and o⊆[n].

Formulas of type ϕare called state formulas, those of

type ψare called path formulas, and EQCTL∗

ii consists

of all the state formulas. Ais the classic path quantiﬁer

from branching-time temporal logics. ∃ois the second-order

quantiﬁer with imperfect information from QCTL∗

ii (Berthon

et al. 2017). ∃op. ϕ holds in a tree if there is way to choose

a labelling for psuch that ϕholds, with the constraint that

o-equivalent nodes of the tree must be labelled identically.

Kaϕmeans “agent aknows that ϕholds”, where the knowl-

edge depends on the sequence of observations agent ahas

had; ﬁnally, ∆o

aϕmeans that after agent aswitches to obser-

vation o, ϕholds.

Given an EQCTL∗

ii formula ϕ, we deﬁne the set of quan-

tiﬁed propositions AP∃(ϕ)⊆AP as the set of atomic propo-

sitions psuch that ϕhas a subformula of the form ∃op. ϕ.

We also deﬁne the set of free propositions APf(ϕ)⊆AP as

the set of atomic propositions pthat appear out of the scope

of any quantiﬁer of the form ∃op.

Semantics of EQCTL∗

ii

Before deﬁning the semantics of the logic we ﬁrst recall

some deﬁnitions for trees.

Trees. Let Xbe a ﬁnite set (typically a set of states). An

X-tree τis a nonempty set of words τ⊆X+such that:

•there exists xι∈X, called the root of τ, such that each

u∈τstarts with xι(i.e., xι4u);

•if u·x∈τand u6=, then u∈τ, and

•if u∈τthen there exists x∈Xsuch that u·x∈τ.

The elements of a tree τare called nodes. If u·x∈τ,

we say that u·xis a child of u. A path in τis an inﬁnite

sequence of nodes λ=u0u1. . . such that for all i∈N,

ui+1 is a child of ui, and Pathsω(u)is the set of paths that

start in node u. An AP-labelled X-tree, or (AP, X)-tree for

short, is a pair t= (τ, `), where τis an X-tree called the

domain of tand `:τ→2AP is a labelling. For a labelled

tree t= (τ, `)and an atomic proposition p∈AP, we deﬁne

the p-projection of tas the labelled tree t⇓p:= (τ, ` ⇓p),

where for each u∈τ,`⇓p(u) := `(u)\ {p}. Two labelled

trees t= (τ, `)and t0= (τ0, `0)are equivalent modulo p,

written t≡pt0, if t⇓p=t0⇓p(in particular, τ=τ0).

Quantiﬁcation and uniformity. In EQCTL∗

ii, as in QCTL∗

ii,

∃op. ϕ holds in a tree tif there is some o-uniform p-labelling

of tsuch that twith this p-labelling satisﬁes ϕ. A p-labelling

of a tree is o-uniform if every two nodes that are indistin-

guishable for observation o agree on their p-labelling.

Deﬁnition 8 (o-uniformity).A labelled tree t= (τ, `)is o-

uniform in pif for every pair of nodes u, u0∈τsuch that

u≈ou0, we have p∈`(u)iff p∈`(u0).

Changing observations. To capture how the observation-

change operator affects the semantics of the knowledge op-

erator, we use again observation records rand the asso-

ciated notion of observation sequence osa(r, n). They are

deﬁned as for ESL except that observation symbols oare

replaced with concrete observations o. For u=u0. . . ui

and u0=u0

0. . . u0

jover alphabet LI, and an observation

record r, we say that uand u0are observationally equiva-

lent to agent a, written u≈r

au0, if i=jand, for every

k∈ {0, . . . , i}and every o ∈osa(r, k),uk∼ou0

k.

Finally, we inductively deﬁne the satisfaction relation |=.

Let t= (τ, `)be a 2AP -labelled LI-tree, ua node and ran

observation record that stops at u:

t, r, u |=pif p∈`(u)

t, r, u |=¬ϕif t, r, u 6|=ϕ

t, r, u |=ϕ∨ϕ0if t, r, u |=ϕor t, r, u |=ϕ0

t, r, u |=Eψif ∃λ∈Pathsω(u)s.t. t, r, λ |=ψ

t, r, u |=∃op. ϕ if ∃t0≡pts.t. t0is o-uniform in p

and t0,r, u |=ϕ

t, r, u |=Kaϕif ∀u0∈ts.t. u≈r

au0,

t, r, u0|=ϕ

And if λis a path in τand rstops at λ0:

t, r, λ |=ϕif t, r, λ0|=ϕ

t, r, λ |=¬ψif t, r, λ 6|=ψ

t, r, λ |=ψ∨ψ0if t, r, λ |=ψor t, r, λ |=ψ0

t, r, λ |=Xψif t, r, λ≥1|=ψ

t, r, λ |=ψUψ0if ∃i≥0s.t. t, r, λ≥i|=ψ0and

∀js.t. 0≤j < i, t, r, λ≥j|=ψ

We let t, r|=ϕdenote t, r, xι|=ϕ, where xιis t’s root.

Tree unfoldings tS.Let S= (S, R, `, sι,oι)be a com-

pound Kripke structure over AP. The tree-unfolding of S

is the (AP, S)-tree tS:= (τ , `0), where τis the set of all

ﬁnite paths that start in sι, and for every u∈τ,`0(u) :=

`(last(u)). Given a CKS Sand an EQCTL∗

ii formula ϕ, we

write S |=ϕif tS,rι|=ϕ, where rι= (0,oι

a)a∈Ag.

Model-checking problem for EQCTL∗

ii.The model-

checking problem for EQCTL∗

ii is the following: given an

instance (S, ϕ)where Sis a CKS and ϕis an EQCTL∗

ii for-

mula, return ‘Yes’ if S |=ϕand ‘No’ otherwise.

Clearly, EQCTL∗

ii subsumes QCTL∗

ii. Since the latter has

an undecidable model-checking problem (Berthon et al.

2017), the following is immediate:

Theorem 3. Model checking EQCTL∗

ii is undecidable.

We now present the syntactic fragment for which we

prove that model checking is decidable. First we adapt the

notion of free epistemic formula to the context of EQCTL∗

ii.

Intuitively, an epistemic subformula ϕof a formula Φis free

if it does not contain a free occurrence of a proposition quan-

tiﬁed in Φ. To see the connection with the corresponding

notion for ESL, consider that quantiﬁcation on propositions

will be used to capture quantiﬁcation on strategies.

Deﬁnition 9. Let Φ∈EQCTL∗

ii, and recall that we assume

AP∃(Φ)∩APf(Φ) = ∅. An epistemic subformula ϕ=Kaϕ0

of Φis free in Φif AP∃(Φ) ∩APf(ϕ) = ∅.

For instance, if Φ = ∃op. (Kap)∧Kaq, then subformula

Kaqis free in Φ, but subformula Kapis not because pis

quantiﬁed in Φand appears free in Kap.

Deﬁnition 10 (Hierarchical formulas).An EQCTL∗

ii for-

mula Φis hierarchical if all its epistemic subformulas are

free in Φ, and for all subformulas ϕ1, ϕ2of the form ϕ1=

∃o1p1. ϕ0

1and ϕ2=∃o2p2. ϕ0

2where ϕ2is a subformula of

ϕ0

1, we have o1⊆o2.

In other words, a formula is hierarchical if epistemic

subformulas are free, and innermost propositional quanti-

ﬁers observe at least as much as outermost ones. Note that

this is very close to hierarchical formulas of ESL. We let

EQCTL∗

ii,⊆be the set of hierarchical EQCTL∗

ii formulas.

Theorem 4. The model-checking problem for EQCTL∗

ii,⊆is

non-elementary decidable.

Proof sketch. We build upon the tree automata construction

for QCTL∗

ii presented in (Berthon et al. 2017), which we

extend to take into account knowledge operators and obser-

vation change. To do so we resort to the k-trees machinery

developed in (van der Meyden 1998; van der Meyden and

Shilov 1999), and extended in (Barri`

ere et al. 2018) to the

case of dynamic observation change. One also needs to ob-

serve that free epistemic subformulas can be evaluated in-

differently in any node of the input tree.

Model-checking hierarchical ESL

In this section we prove that model checking hierarchical

instances of ESL is decidable (Theorem 2), by reduction to

the model-checking problem for QCTL∗

i,⊆.

Let (Φ,G)be a hierarchical instance of the ESL model-

checking problem. The construction of the CKS is the same

as in (Berthon et al. 2017), except that in addition we have

to deal with initial observations.

Constructing the CKS SG.Let G= (Ac, V, E , `, O, vι,oι)

and Obs ={o1, . . . , on}. For i∈[n], deﬁne the local states

Li:= {[v]oi|v∈V}where [v]ois the equivalence class

of vfor relation ∼o. We also let Ln+1 := V. Finally, let

APv:= {pv|v∈V}be a set of fresh atomic propositions,

disjoint from AP.

Deﬁne the CKS SG:= (S, R, `0, sι,oι)where

•S:= {sv|v∈V},

where sv:= ([v]o1,...,[v]on, v)∈Qi∈[n+1] Li.

•R:= {(sv, sv0)| ∃c∈AcAg s.t. E(v, c) = v0} ⊆ S2,

•`0(sv) := `(v)∪ {pv} ⊆ AP ∪APv,

•sι:= svι,

•oιis such that oι

a={i}if oι

a=oi.

For every ρ=v0. . . vk, we let uρ:= sv0. . . svk. The

mapping ρ7→ uρis a bijection between ﬁnite plays in G

and nodes in tSG. For i∈[n]we let oi={i}, and for an

observation record rin Gwe let r0be the observation record

in SGwhere each oiis replaced with oi.

Constructing the EQCTL∗

ii,⊆formulas (ϕ)f.Suppose that

Ac ={c1, . . . , cl}; let APc:= {px

c|c∈Ac and x∈Var}

be a set of propositions disjoint from AP ∪APv. For every

partial function f:Ag *Var we deﬁne (ϕ)fby induction

on ϕ. All cases for boolean, temporal and knowledge opera-

tors are obtained by simply distributing over the operators of

the logic; for instance, (p)f=pand (Kaϕ)f=Ka(ϕ)f.

We now describe the translation for the remaining cases.

(hhxiioϕ)f:= ∃

eopx

c1. . . ∃

eopx

cl. ϕstr(x)∧(ϕ)f

where eoi={j| O(oi)⊆ O(oj)}, and

ϕstr(x) = AG _

c∈Ac

(px

c∧^

c06=c

¬px

c0).

Note that oi={i} ⊆ eoi. The deﬁnition of eoiis tailored to

obtain a hierarchical EQCTL∗

ii formula. It is correct because

for each additional component in eoi(i.e., each j6=i), we

have O(oi)⊆ O(oj), meaning that each such component

jbrings less information than component i. A strategy thus

has no more information with eoithan it would with oi.

For the binding operator, agent a’s observation becomes

the one associated with strategy variable x(see Remark 1):

((a, x)ϕ)f:= ∆oi

a(ϕ)f[a7→x]if ox=oi.

For the outcome quantiﬁer, we let

(Aψ)f:= A(ψout(f)→(ψ)f),where

ψout(f) = G^

v∈V

pv→_

c∈AcAg

(^

a∈dom(f)

pf(a)

ca∧XpE(v,c))

The formula ψout(f)selects paths in which agents who

are assigned to a strategy follow it.

Proposition 5. Suppose that free(ϕ)∩Ag ⊆dom(f), that

for all a∈dom(f),f(a) = xiff χ(a) = χ(x), and that r

stops at ρ. Then

G, χ, r, ρ |=ϕif and only if tSG,r0, uρ|= (ϕ)f.

Applying this to sentence Φ, any assignment χ,f=∅,

ρ=vιand initial observation records, we get that

G |= Φ if and only if tSG|= (Φ) ∅.

Preserving hierarchy. To complete the proof of Theorem 2

we show that (Φ) ∅is a hierarchical EQCTL∗

ii formula.

First, observe that if Kaϕis a free epistemic formula in Φ,

then its translation is also a free epistemic formula in (Φ) ∅.

Indeed, the only atomic propositions that are quantiﬁed in

(Φ) ∅are of the form px

c. They code for strategies, and ap-

pear only in translations of strategy quantiﬁers, where they

are quantiﬁed upon, and outcome quantiﬁers. Thus they can

only appear free in the translation of an epistemic formula

Kaϕif ϕcontains an outcome quantiﬁer where some agent

uses a strategy that is not quantiﬁed within ϕ. Concerning

the hierarchy on observations of quantiﬁers, simply observe

that Φis hierarchical in G, and for every two observations oi

and ojin Obs such that O(oi)⊆ O(oj), by deﬁnition of eok

we have that eoi⊆eoj.

Applications

ESL being very expressive, many strategic problems with

epistemic temporal speciﬁcations can be cast as model-

checking problems for ESL. Our main result thus provides

a decision procedure for such problems on systems with hi-

erarchical information. We present two such applications.

Distributed synthesis

We consider the problem of distributed synthesis from epis-

temic temporal speciﬁcations studied in (van der Meyden

and Vardi 1998; van der Meyden and Wilke 2005) and we

give a precise deﬁnition to its variant with uninformed se-

mantics of knowledge, discussed in (Puchala 2010).

Assume that Ag ={a1, . . . , an, e}, where eis a spe-

cial player called the environment. Assume also that to each

player aiis assigned an observation symbol oi. The above-

mentioned works consider speciﬁcations from linear-time

epistemic temporal logic LTLK, which extends LTL with

knowledge operators. The semantics of knowledge opera-

tors contains an implicit universal quantiﬁcation on contin-

uations of indistinguishable ﬁnite plays. In (van der Meyden

and Vardi 1998; van der Meyden and Wilke 2005), which

considers the informed semantics of knowledge, i.e., where

all players know each other’s strategy, this quantiﬁcation

is restricted to continuations that follow these strategies;

in (Puchala 2010), which considers the uninformed seman-

tics, it quantiﬁes over all possible continuations in the game.

We now prove a stronger result than the one announced

in (Puchala 2010), by allowing the use of either existential

or universal quantiﬁcation on possible continuations after a

knowledge operator. For an ESL path formula ψ, we deﬁne

Φsyn(ψ) := hhx1iio1. . . hhxniion(a1, x1). . . (an, xn)Aψ.

Note that the outcome quantiﬁer Aquantiﬁes on all pos-

sible behaviours of the environment.

Deﬁnition 11. The epistemic distributed synthesis problem

with uninformed semantics is the following: given a CGSii G

and an ESL path formula ψ, decide whether G |= Φsyn(ψ).

Let LTLK (CTL∗K) the set of path formulas obtained

by allowing in LTL subformulas of the form Kaϕ, with

ϕ∈CTL∗K. The path quantiﬁer from CTL∗Kquantiﬁes

on all possible futures, and is simulated in ESL by an un-

binding for all players followed by an outcome quantiﬁer.

Therefore with speciﬁcations ψin LTLK (CTL∗K), all epis-

temic subformulas are free. It follows that if the system Gis

hierarchical, and we assume without loss of generality that

O(oi)⊇ O(oi+1), then (G,Φsyn(ψ)) is a hierarchical in-

stance of ESL.

Theorem 6. The epistemic distributed synthesis problem

from speciﬁcations in LTLK (CTL∗K) with uninformed se-

mantics is decidable on hierarchical systems.

In fact we can deal with even richer speciﬁcations: as long

as hierarchy is not broken and epistemic subformulas remain

free, it is possible to re-quantify on agents’ strategies inside

an epistemic formula. Take for instance formula

ψ=FKan(a1,?) . . . (an,?)hhxiion(an, x)AGKanp

It says that eventually, agent anknows that she can change

strategy so that in all outcomes of this strategy, she will al-

ways know that pholds. If Gis hierarchical, then Φsyn(ψ)

forms a hierarchical instance with G. Consider now formula

ψ=FKai(a1,?) . . . (an,?)[[x]]o(aj, x)EG¬Kajp

which means that eventually agent aiknows that for any

strategy with observation othat agent ajmay take, there is

an outcome in which ajnever knows that pholds. If ois

ﬁner than on(and thus all other oi), for instance if orep-

resents perfect information, then hierarchy is preserved and

we can solve distributed synthesis for this speciﬁcation. In

addition, the semantics of our knowledge operator takes into

account the fact that agent ajchanges observation power.

Rational synthesis

Consider Ag ={a1, . . . , an}, each player aihaving obser-

vation symbol oi. Given a global objective ψgand individual

objectives ψifor each player ai, deﬁne

Φrat := hhx1iio1. . . hhxniion(a1, x1). . . (an, xn)Aψg

∧^

i∈{1,...,n}

[[xi]]oi((ai, xi)Aψi)→Aψi.

It is easy to see that Φrat expresses the existence of a solu-

tion to the cooperative rational synthesis problem (Kupfer-

man, Perelli, and Vardi 2016; Condurache et al. 2016).

However this formula does not form hierarchical instances,

even with hierarchical systems. But the same argument used

in (Berthon et al. 2017) for Nash equilibria shows that Φrat

is equivalent to Φ0

rat, obtained from Φrat by replacing each

[[xi]]oiwith [[xi]]op, where oprepresents perfect observation.

Theorem 7. Rational synthesis from LTL (CTL∗K) speciﬁ-

cations is decidable on hierarchical systems.

As in the case of distributed synthesis discussed before,

we can in fact handle more complex speciﬁcations, nesting

knowledge and strategy quantiﬁcation.

Discussion

In the uninformed semantics, players ignore each other’s

strategy, but they also ignore their own, in the sense that

they consider possible ﬁnite plays in which they act dif-

ferently from what their strategy prescribes. This is the

usual semantics in epistemic strategic logics (van der Hoek

and Wooldridge 2003; Jamroga and van der Hoek 2004;

Belardinelli 2015; Dima, Enea, and Guelev 2010; Belar-

dinelli et al. 2017a; Belardinelli et al. 2017b), and in some

situations it may be what one wants to model. For instance,

an agent may execute her strategy step by step without hav-

ing access to what her strategy would have prescribed in al-

ternative plays. In this case, where the agent cannot know

whether a possible play follows her strategy or not, the un-

informed semantics of knowledge is the right one.

On the other hand it seems natural, especially formu-

lated in these terms, to assume that an agent knows her own

strategy. We describe how, in the case where agents do not

change strategies or observation along time, this semantics

can be retrieved within the uninformed semantics.

Assume that player ais assigned some observation sym-

bol oa. As pointed out in (Puchala 2010, p.16), in the set-

ting of synchronous perfect recall, letting a player know

her strategy is equivalent to letting her remember her own

actions. To see this, assume that ﬁnite plays also contain

each joint action between two positions, and let ∼0

oabe

such that vιc1v1. . . cnvn∼0

oavιc1v1. . . cnvnif for all

i∈ {1, . . . , n},ca=c0

aand vi∼oav0

i. Then, for a strategy

σof player aand two ﬁnite plays ρ, ρ0such that ρ∼0

oaρ0, it

holds that ρis consistent with aplaying σiff ρ0is consistent

with aplaying σ. This is because for every i<nwe have

ρ≤i∼0

oaρ0

≤i(perfect recall), the next action taken by player

ais the same after ρ0

≤iand ρ0

≤i(deﬁnition of ∼0

oa), and σ

being an oa-strategy it is deﬁned similarly on both preﬁxes.

In our setting, moves are not part of ﬁnite plays. To sim-

ulate the relation ∼0

oain which agent aremembers her own

actions, one can put inside the positions of game structures

the information of the last joint move played, possibly du-

plicating some positions. One then reﬁnes each observation

oato only consider two positions equivalent if they contain

the same move for player a. We then get a semantics where

each agent remembers her own actions which, if agents do

not change strategy or observation through time, is equiva-

lent to knowing her own strategy. Note that doing so, a sys-

tem can only be hierarchical if more informed players also

observe all actions of less informed ones.

In the general case, where players can change strategies

and observations, we do not know to what extent we can deal

with the variant of the uninformed semantics where players

know there own strategies. We leave this for future work.

Conclusion

In this paper we have discussed two possible semantics of

knowledge when combined with strategies, the informed

and uninformed one. Focusing on the latter, we introduced

ESL, a very expressive logic to reason about knowledge and

strategies in distributed systems which can handle sophisti-

cated epistemic variants of game-theoretic notions such as

Nash equilibria. In addition, it is the ﬁrst logic of knowledge

and strategies that permits reasoning about agents whose

observation power may change. This is a very natural phe-

nomenon: one may think of a program that receives access

to previously hidden variables, or a robot that loses a sensor.

We solved the model-checking problem of our logic for

hierarchical instances. To do so, we introduced an extension

of QCTL∗with epistemic operators and operators of obser-

vation change, and we developed an automata construction

based on tree automata and k-trees. This is the ﬁrst decid-

ability result for a logic of strategies, knowledge and time

with perfect recall on systems with hierarchical information.

Besides, it is also the ﬁrst result for epistemic strategic logics

that takes into account dynamic changes of observation.

Our result implies that distributed synthesis and rational

synthesis for epistemic temporal speciﬁcations and the un-

informed semantics of knowledge are decidable on hierar-

chical systems. Similar results for other solution concepts,

such as subgame-perfect equilibria or admissible strate-

gies (Brenguier et al. 2017), could be obtained similarly.

Acknowledgements

This project has received funding from the European

Union’s Horizon 2020 research and innovation programme

under the Marie Sklodowska-Curie grant agreement No

709188.

References

[Alur, Henzinger, and Kupferman 2002] Alur, R.; Hen-

zinger, T. A.; and Kupferman, O. 2002. Alternating-time

temporal logic. JACM 49(5):672–713.

[Barri`

ere et al. 2018] Barri`

ere, A.; Maubert, B.; Murano, A.;

and Rubin, S. 2018. Changing observations in epistemic

temporal logic. arXiv.

[Belardinelli et al. 2017a] Belardinelli, F.; Lomuscio, A.;

Murano, A.; and Rubin, S. 2017a. Veriﬁcation of broadcast-

ing multi-agent systems against an epistemic strategy logic.

In IJCAI’17, 91–97.

[Belardinelli et al. 2017b] Belardinelli, F.; Lomuscio, A.;

Murano, A.; and Rubin, S. 2017b. Veriﬁcation of multi-

agent systems with imperfect information and public ac-

tions. In AAMAS’17, 1268–1276.

[Belardinelli 2015] Belardinelli, F. 2015. A logic of

knowledge and strategies with imperfect information. In

LAMAS’15, 1–15.

[Berthon et al. 2017] Berthon, R.; Maubert, B.; Murano, A.;

Rubin, S.; and Vardi, M. Y. 2017. Strategy Logic with im-

perfect information. In LICS’17.

[Bozzelli, Maubert, and Pinchinat 2015] Bozzelli, L.;

Maubert, B.; and Pinchinat, S. 2015. Uniform strategies,

rational relations and jumping automata. Inf. Comput.

242:80–107.

[Brafman et al. 1997] Brafman, R. I.; Latombe, J.-C.; Moses,

Y.; and Shoham, Y. 1997. Applications of a logic of knowl-

edge to motion planning under uncertainty. Journal of the

ACM (JACM) 44(5):633–668.

[Brenguier et al. 2017] Brenguier, R.; Pauly, A.; Raskin, J.;

and Sankur, O. 2017. Admissibility in games with imperfect

information (invited talk). In CONCUR’17, 2:1–2:23.

[Cerm´

ak et al. 2014] Cerm´

ak, P.; Lomuscio, A.; Mogavero,

F.; and Murano, A. 2014. MCMAS-SLK: A model checker

for the veriﬁcation of strategy logic speciﬁcations. In

CAV’14, 525–532.

[Chatterjee, Henzinger, and Piterman 2010] Chatterjee, K.;

Henzinger, T. A.; and Piterman, N. 2010. Strategy Logic.

Inf. Comput. 208(6):677–693.

[Condurache et al. 2016] Condurache, R.; Filiot, E.; Gen-

tilini, R.; and Raskin, J. 2016. The complexity of rational

synthesis. In ICALP’16, 121:1–121:15.

[Dima, Enea, and Guelev 2010] Dima, C.; Enea, C.; and

Guelev, D. P. 2010. Model-checking an Alternating-time

Temporal Logic with knowledge, imperfect information,

perfect recall and communicating coalitions. EPTCS 25.

[Emerson and Sistla 1984] Emerson, E. A., and Sistla, A. P.

1984. Deciding branching time logic. In STOC’84, 14–24.

[Fagin et al. 1995] Fagin, R.; Halpern, J. Y.; Moses, Y.; and

Vardi, M. Y. 1995. Reasoning about knowledge. MIT press

Cambridge.

[French 2001] French, T. 2001. Decidability of quantifed

propositional branching time logics. In AJCAI’01, 165–176.

[Halpern and Moses 1990] Halpern, J. Y., and Moses, Y.

1990. Knowledge and common knowledge in a distributed

environment. Journal of the ACM (JACM) 37(3):549–587.

[Halpern and O’Neill 2005] Halpern, J. Y., and O’Neill,

K. R. 2005. Anonymity and information hiding in multia-

gent systems. Journal of Computer Security 13(3):483–512.

[Huang and Van Der Meyden 2014] Huang, X., and Van

Der Meyden, R. 2014. A temporal logic of strategic knowl-

edge. In KR.

[Jamroga and van der Hoek 2004] Jamroga, W., and van der

Hoek, W. 2004. Agents that know how to play. Fundam.

Inform. 63(2-3):185–219.

[Knight and Maubert 2015] Knight, S., and Maubert, B.

2015. Dealing with imperfect information in strategy logic.

In SR.

[Kupferman et al. 2000] Kupferman, O.; Madhusudan, P.;

Thiagarajan, P. S.; and Vardi, M. Y. 2000. Open systems

in reactive environments: Control and synthesis. In CON-

CUR’00, 92–107.

[Kupferman, Perelli, and Vardi 2016] Kupferman, O.;

Perelli, G.; and Vardi, M. Y. 2016. Synthesis with rational

environments. Ann. Math. Artif. Intell. 78(1):3–20.

[Kupferman 1995] Kupferman, O. 1995. Augmenting

branching temporal logics with existential quantiﬁcation

over atomic propositions. In CAV’95, 325–338.

[Ladner and Reif 1986] Ladner, R. E., and Reif, J. H. 1986.

The Logic of Distributed Protocols. In TARK’86, 207–222.

[Laroussinie and Markey 2014] Laroussinie, F., and Markey,

N. 2014. Quantiﬁed CTL: expressiveness and complexity.

LMCS 10(4).

[Laroussinie and Markey 2015] Laroussinie, F., and Markey,

N. 2015. Augmenting ATL with strategy contexts. IC

245:98–123.

[Mogavero et al. 2014] Mogavero, F.; Murano, A.; Perelli,

G.; and Vardi, M. Y. 2014. Reasoning about strategies: On

the model-checking problem. TOCL 15(4):34:1–34:47.

[Neiger and Bazzi 1992] Neiger, G., and Bazzi, R. 1992.

Using knowledge to optimally achieve coordination in dis-

tributed systems. In TARK’92, 43–59.

[Peterson and Reif 1979] Peterson, G. L., and Reif, J. H.

1979. Multiple-person alternation. In SFCS’79, 348–363.

[Pnueli and Rosner 1990] Pnueli, A., and Rosner, R. 1990.

Distributed reactive systems are hard to synthesize. In

FOCS’90, 746–757.

[Puchala 2010] Puchala, B. 2010. Asynchronous omega-

regular games with partial information. In MFCS’10, 592–

603.

[Reif 1984] Reif, J. H. 1984. The complexity of two-player

games of incomplete information. JCSS 29(2):274–301.

[van der Hoek and Wooldridge 2003] van der Hoek, W., and

Wooldridge, M. 2003. Cooperation, knowledge and time:

Alternating-time Temporal Epistemic Logic and its applica-

tions. Studia Logica 75(1):125–157.

[van der Meyden and Shilov 1999] van der Meyden, R., and

Shilov, N. V. 1999. Model checking knowledge and time in

systems with perfect recall (extended abstract). In FSTTCS,

432–445.

[van der Meyden and Su 2004] van der Meyden, R., and Su,

K. 2004. Symbolic model checking the knowledge of the

dining cryptographers. In CSFW’17, 280–291.

[van der Meyden and Vardi 1998] van der Meyden, R., and

Vardi, M. Y. 1998. Synthesis from knowledge-based speci-

ﬁcations. In CONCUR’98. 34–49.

[van der Meyden and Wilke 2005] van der Meyden, R., and

Wilke, T. 2005. Synthesis of distributed systems from

knowledge-based speciﬁcations. In CONCUR’05, 562–576.

[van der Meyden 1998] van der Meyden, R. 1998. Common

knowledge and update in ﬁnite environments. Inf. Comput.

140(2):115–157.