
Strategy Logic with Imperfect Information

RAPHAËL BERTHON, École Normale Supérieure de Rennes, France

BASTIEN MAUBERT, Università degli Studi di Napoli “Federico II”, Italy

ANIELLO MURANO, Università degli Studi di Napoli “Federico II”, Italy

SASHA RUBIN, Università degli Studi di Napoli “Federico II”, Italy

MOSHE Y. VARDI, Rice University, USA

We introduce an extension of Strategy Logic for the imperfect-information setting, called SL_ii, and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, this problem is undecidable; but we introduce a syntactical class of “hierarchical instances” for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model, and we prove that model-checking SL_ii restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises the decidability of distributed synthesis for systems with hierarchical information. It allows us to easily derive new decidability results concerning strategic problems under imperfect information such as the existence of Nash equilibria, or rational synthesis.

To establish this result we go through an intermediary, “low-level” logic much more adapted to automata techniques. QCTL* is an extension of CTL* with second-order quantification over atomic propositions that has been used to study strategic logics with perfect information. We extend it to the imperfect information setting by parameterising second-order quantifiers with observations. The simple syntax of the resulting logic, QCTL*_ii, allows us to provide a conceptually neat reduction of SL_ii to QCTL*_ii that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of QCTL*_ii is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable.

CCS Concepts: • Theory of computation → Logic and verification; Modal and temporal logics; Automata over infinite objects;

Additional Key Words and Phrases: strategic reasoning, imperfect information, perfect recall, distributed synthesis, hierarchical information, Nash equilibria, rational synthesis

ACM Reference Format:
Raphaël Berthon, Bastien Maubert, Aniello Murano, Sasha Rubin, and Moshe Y. Vardi. 2020. Strategy Logic with Imperfect Information. ACM Trans. Comput. Logic 1, 1 (March 2020), 50 pages. https://doi.org/0000001.0000001

1 INTRODUCTION

Temporal logics such as LTL [67] or CTL* [28] are extremely successful logics that have been studied in great detail and extended in many directions along the past decades, notably in relation with the development of the model-checking approach to program verification [22]. When considering systems with multiple components such as multi-agent systems or distributed programs, popular extensions of temporal logics are the family of so-called logics for strategic reasoning, or strategic logics, which introduce operators that can express the existence of strategies for components to ensure that the system’s executions satisfy certain temporal properties.

Authors’ addresses: Raphaël Berthon, École Normale Supérieure de Rennes, Computer Science and Telecommunication, Rennes, France, raphael.berthon@ens-rennes.fr; Bastien Maubert, Università degli Studi di Napoli “Federico II”, DIETI, Naples, Italy, bastien.maubert@gmail.com; Aniello Murano, Università degli Studi di Napoli “Federico II”, DIETI, Naples, Italy, murano@na.infn.it; Sasha Rubin, Università degli Studi di Napoli “Federico II”, DIETI, Naples, Italy, sasha.rubin@unina.it; Moshe Y. Vardi, Rice University, Houston, Texas, USA, vardi@cs.rice.edu.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

©2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.
1529-3785/2020/3-ART $15.00
https://doi.org/0000001.0000001

ACM Trans. Comput. Logic, Vol. 1, No. 1, Article . Publication date: March 2020.

A foundational logic in this family is Alternating-time Temporal Logic (ATL) [1]. It extends CTL* with a coalition operator ⟨A⟩φ, where A is a subset of components/agents of the system, which reads as “coalition A has a strategy to enforce property φ no matter what the other components/agents do”. This logic is thus quite expressive, as it allows for instance to express the existence of winning strategies in games played on graphs. However it is not well suited to reason about other important solution concepts in game theory, such as Nash equilibria. To address this problem Strategy Logic (SL) was introduced [20, 60]. In SL strategies are treated as first-order objects, thanks to strategy variables x that can be quantified upon and bound to players: ⟨⟨x⟩⟩ reads as “there exists a strategy x”, and (a,x) reads as “strategy x is assigned to player a”. This leads to a very expressive logic that can express many solution concepts from game theory such as best response, existence of Nash equilibria or subgame-perfect equilibria.

Imperfect information. An essential property of realistic multi-player games is that players often have a limited view of the system. Such imperfect information, or partial observation, is usually captured by equipping the models with equivalence relations o (called observations) over the state space, that specify indistinguishable states. Strategies are then required to be uniform, i.e., they cannot assign different moves to indistinguishable situations. Imperfect information is known to make games computationally harder to solve. For two-player reachability games, Reif showed in [73] that deciding the existence of winning strategies is Exptime-complete for imperfect information, while it is in Ptime for perfect information. This result has later been generalised to omega-regular objectives [7, 26], and adapted to the setting of program synthesis from temporal specifications [49, 68]. In the case of multiple players/components/agents, which interests us here, the situation is even worse: the existence of distributed winning strategies is undecidable already for two players with incomparable observation trying to enforce some reachability objective in the presence of an adversarial third player [65], and a similar result was also proved in the framework of distributed synthesis [69]. Since then, the formal-methods community has spent much effort finding restrictions and variations that ensure decidability [8, 31, 35, 50, 64, 66, 69, 74]. The common thread in these approaches is hierarchical information: players can be totally ordered according to how well they observe the game. Another line of works establishes that decidability can be retained by forbidding private communication, i.e., by considering variants around the idea that all new information should be public [4, 5, 11, 72, 79, 80].

Strategy Logic with imperfect information. We propose an extension of Strategy Logic to the imperfect-information setting, which we call SL_ii. The first step is to choose how to introduce imperfect information in the logic. In the formal-methods literature it is typical to associate observations to players. In SL_ii, instead, we associate observations to strategies: the strategy quantifier ⟨⟨x⟩⟩ from SL is now parameterised by observation o, written ⟨⟨x⟩⟩^o. This novelty allows one to express, in the logic, that a player’s observation changes over time, to capture for instance the loss of a sensor resulting in a diminished observation power. We also add to our logic SL_ii the outcome quantifier A from Branching-time Strategy Logic (BSL) [45], which quantifies on outcomes of strategies currently used by the agents, and the unbinding operator (a,?), which frees an agent from her current strategy. This does not increase the expressivity of the logic but presents advantages that we discuss in Section 2.2. For instance it allows us to naturally consider nondeterministic strategies (Strategy Logic only considers deterministic ones), which in turn allows us to capture module checking, the extension of model checking to open systems [42, 43, 52].

The logic SL_ii is very powerful: it is an extension of SL (which considers perfect information), and of the imperfect-information strategic logics ATL*_{i,R} [15] and ATL*_{sc,i} [55]. As already mentioned, SL_ii can express the distributed synthesis problem [69]. This problem asks whether there are strategies for components a1, …, an of a distributed system to enforce some property given as an LTL formula ψ against all behaviours of the environment. This can be expressed by the SL_ii formula

  Φ_Synth := ⟨⟨x1⟩⟩^{o1} … ⟨⟨xn⟩⟩^{on} (a1,x1) … (an,xn) Aψ,

where o_i represents the local view of component a_i. Also, SL_ii can express more complicated specifications by alternating quantifiers, binding the same strategy to different agents and rebinding (these are inherited from SL), as well as changing observations. For instance, it can express the existence of Nash equilibria.

Main result. Of course, the high expressivity of SL_ii comes at a cost from a computational complexity point of view. Its satisfiability problem is undecidable (this is already true of SL), and so is its model-checking problem (this is already true of ATL*_{i,R} even for the single formula ⟨{a,b}⟩Fp [25], which means that agents a and b have a strategy profile to reach a situation where p holds). We mentioned that the two main settings in which decidability is retrieved for distributed synthesis are hierarchical information and public actions. We extend the first approach to the setting of strategic logics by introducing a syntactic class of “hierarchical instances” of SL_ii, i.e., formula/model pairs, and proving that the model-checking problem on this class of instances is decidable. Intuitively, an instance of SL_ii is hierarchical if, as one goes down the syntactic tree of the formula, the observations annotating strategy quantifications can only become finer. Although the class of hierarchical instances refers not only to the syntax of the logic but also to the model, the class is syntactical in the sense that it depends only on the structure of the formula and the observations in the model. Moreover, it is straightforward to check (in linear time) whether an instance is hierarchical or not.

Applications. Because the syntax of SL_ii allows for arbitrary alternations of quantifiers in the formulas, our decidability result for hierarchical instances allows one to decide strategic problems more involved than module checking and distributed synthesis. For instance, we show in Section 7 how one can apply our result to establish that the existence of Nash equilibria is decidable in games with imperfect information, in the case of hierarchical observations and deterministic strategies. This problem is relevant as Nash equilibria do not always exist in games with imperfect information [30]. We then consider the problem of rational synthesis [23, 30, 33, 48], both in its cooperative and non-cooperative variants. We introduce the generalisations of these problems to the case of imperfect information, and call them cooperative and non-cooperative rational distributed synthesis. We then apply again our main result to establish that they are decidable in hierarchical systems for deterministic strategies. For the non-cooperative variant, we need the additional assumption that the environment is at least as informed as the system. This is the case for example when one ignores the actual observation power of the environment, and considers that it plays with perfect information. Doing so yields systems that are robust to any observation power the environment may have. As Reif puts it, this amounts to synthesising strategies that are winning even if the opponent “cheats” and uses information it is not supposed to have access to [73].

Approach. In order to solve the model-checking problem for SL_ii we introduce an intermediate logic QCTL*_ii, an extension to the imperfect-information setting of QCTL* [53], itself an extension of CTL* by second-order quantifiers over atoms. This is a low-level logic that does not mention strategies and into which one can effectively compile instances of SL_ii. States of the models of the logic QCTL*_ii have internal structure, much like the multi-player game structures from [63] and distributed systems [39]. Model-checking QCTL*_ii is also undecidable (indeed, we show how to reduce from the MSO-theory of the binary tree extended with the equal-length predicate, known to be undecidable [56]). We introduce the syntactical class QCTL*_{i,⊆} of hierarchical formulas as those in which innermost quantifiers observe more than outermost quantifiers, and prove that model-checking is decidable using an extension of the automata-theoretic approach for branching-time logics. We provide a reduction from model checking SL_ii to model checking QCTL*_ii that preserves being hierarchical, thus establishing our main contribution, i.e., that model checking the hierarchical instances of SL_ii is decidable.

Complexity. To establish the precise complexity of the problems we solve, we introduce a new measure on formulas called simulation depth. This measure resembles the notion of alternation depth (see, e.g., [60]), which counts alternations between existential and universal strategy (or second-order) quantifications. But instead of merely counting alternations between such operators, simulation depth reflects the underlying automata operations required to treat formulas, while remaining a purely syntactical notion. We prove that the model-checking problems for the hierarchical fragments of QCTL*_ii and SL_ii are both (k+1)-Exptime-complete for formulas of simulation depth at most k. Already for the perfect-information fragment, this result is more precise than what was previously known. Indeed, precise upper bounds based on alternation depth were known for syntactic fragments of SL but not for the full logic [60].

Related work. The literature on imperfect information in formal methods and artificial intelligence is very vast. Imperfect information has been considered in two-player games [7, 26, 73], module checking [43, 52], distributed synthesis of reactive systems [31, 50, 69] and strategies in multiplayer games [8, 64, 65], Nash equilibria [11, 13, 72], rational synthesis [30, 38], doomsday equilibria [19], admissible strategies [14], quantitative objectives [24, 62], and more, some of which we detail below.

Limited alternation of strategy quantification was studied in [17], in which several decidability results are proved for two and three alternations of existential and universal quantifiers. Except for one where the first player has perfect information, all the problems solved in this work are hierarchical instances, and are thus particular cases of our main result.

Quantified µ-Calculus with partial observation is studied in [66], where the model-checking problem is solved by considering a syntactic constraint based on hierarchical information, as we do for QCTL*_ii. However they consider asynchronous perfect recall, and the automata techniques they use to deal with imperfect information cannot be used in the synchronous perfect-recall setting that we consider in this work. Similarly the narrowing operation on tree automata (see Section 4.1), which is crucial in our model-checking procedure, considers synchronous perfect recall and does not seem easy to adapt to the asynchronous setting.

A number of works have considered strategic logics with imperfect information. Various semantics for ATL with imperfect information have been studied in, e.g., [41, 44]. The model-checking problem for these logics, which is undecidable for agents with perfect recall [25], has been studied for agents with bounded memory, for which decidability is recovered [58, 75]. An epistemic strategic logic with original operators different from those of ATL and SL is proposed in [40]. It considers imperfect information strategies, but only for agents without memory. Concerning perfect recall, which interests us in this work, decidability results have also been obtained for ATL [37] and ATL with strategy context [55] when agents have the same information.

In [45], a branching-time variant of SL is extended with epistemic operators and agents with perfect recall. Strategies are not required to be uniform in the semantics, but this requirement can be expressed in the language. However no decidability result is provided. Another variant of SL extended with epistemic operators and imperfect-information, perfect-recall strategies is presented in [3], but model checking is not studied. The latter logic is extended in [4], in which its model-checking problem is solved on the class of systems where all agents’ actions are public, which is an assumption orthogonal to hierarchical information.

The work closest to ours is [32] which introduces a logic CL in which one can encode many distributed synthesis problems. In this logic, hierarchical information is a necessary consequence of the syntax and semantics, and as a result its model-checking problem is decidable. However, CL is close in spirit to our QCTL*_{i,⊆}, and its semantics is less intuitive than that of SL_ii. Furthermore, by means of a natural translation we derive that CL is strictly included in the hierarchical instances of SL_ii (Section 6.2). In particular, hierarchical instances of SL_ii can express non-observable goals, while CL cannot. When considering players that choose their own goals it may be natural to assume that they can observe the facts that define whether their objectives are satisfied or not. But when synthesising programs for instance, it may be enough that their behaviours enforce the desired properties, without them having the knowledge that it is enforced. Such non-observable winning conditions have been studied in, e.g., [8, 16, 24].

Outline. In Section 2 we define SL_ii and hierarchical instances, and present some examples. In Section 3 we define QCTL*_ii and its hierarchical fragment QCTL*_{i,⊆}. The proof that model checking QCTL*_{i,⊆} is decidable, including the required automata preliminaries, is in Section 4. The hierarchy-preserving translation of SL_ii into QCTL*_ii is in Section 5. In Section 6 we compare SL_ii with related logics, and in Section 7 we apply our main result to obtain decidability results for various strategic problems under imperfect information. Finally we conclude and discuss future work in Section 8.

2 SL WITH IMPERFECT INFORMATION

In this section we introduce SL_ii, an extension of SL to the imperfect-information setting with synchronous perfect recall. Our logic presents several original features compared to SL, which we discuss in detail in Section 2.3: we introduce an outcome quantifier akin to the path quantifier in branching-time temporal logics, we allow for nondeterministic strategies and unbinding agents from their strategies, and we annotate strategy quantifiers with observation symbols which denote the information available to strategies. We first fix some basic notations.

2.1 Notations

Let Σ be an alphabet. A finite (resp. infinite) word over Σ is an element of Σ* (resp. Σ^ω). Words are written w = w0 w1 w2 …, i.e., indexing begins with 0. The length of a finite word w = w0 w1 … wn is |w| := n+1, and last(w) := wn is its last letter. Given a finite (resp. infinite) word w and 0 ≤ i < |w| (resp. i ∈ N), we let w_i be the letter at position i in w, w_{≤i} is the prefix of w that ends at position i and w_{≥i} is the suffix of w that starts at position i. We write w ≼ w′ if w is a prefix of w′, and pref(w) is the set of finite prefixes of word w. Finally, the domain of a mapping f is written dom(f), its codomain codom(f), and for n ∈ N we let [n] := {i ∈ N : 1 ≤ i ≤ n}.

2.2 Syntax

For the rest of the paper, for convenience we fix a number of parameters for our logics and models: AP is a finite non-empty set of atomic propositions, Ag is a finite non-empty set of agents or players, and Var is a finite non-empty set of variables. The main novelty of our logic is that we specify which information is available to a strategy, by annotating strategy quantifiers ⟨⟨x⟩⟩ with observation symbols o from a finite set Obs, that we also fix for the rest of the paper. When we consider model-checking problems, these data are implicitly part of the input.

Definition 2.1 (SL_ii Syntax). The syntax of SL_ii is defined by the following grammar:

  φ := p | ¬φ | φ ∨ φ | ⟨⟨x⟩⟩^o φ | (a,x) φ | (a,?) φ | Eψ
  ψ := φ | ¬ψ | ψ ∨ ψ | Xψ | ψ U ψ

where p ∈ AP, x ∈ Var, o ∈ Obs and a ∈ Ag.

Formulas of type φ are called state formulas, those of type ψ are called path formulas, and SL_ii consists of all the state formulas defined by the grammar.

Boolean operators and temporal operators, X (read “next”) and U (read “until”), have the usual meaning. The strategy quantifier ⟨⟨x⟩⟩^o is a first-order-like quantification on strategies: ⟨⟨x⟩⟩^o φ reads as “there exists a strategy x that takes decisions based on observation o such that φ holds”, where x is a strategy variable. The binding operator (a,x) assigns a strategy to an agent, and (a,x)φ reads as “when agent a plays strategy x, φ holds”. The unbinding operator (a,?) instead releases agent a from her current strategy, if she has one, and (a,?)φ reads as “when agent a is not assigned any strategy, φ holds”. Finally, the outcome quantifier E quantifies on outcomes of strategies currently in use: Eψ reads as “ψ holds in some outcome of the strategies currently used by the players”.

We use abbreviations ⊤ := p ∨ ¬p, ⊥ := ¬⊤, φ → φ′ := ¬φ ∨ φ′, φ ↔ φ′ := (φ → φ′) ∧ (φ′ → φ) for boolean connectives, Fφ := ⊤Uφ (read “eventually φ”), Gφ := ¬F¬φ (read “globally φ”) for temporal operators, [[x]]^o φ := ¬⟨⟨x⟩⟩^o ¬φ (read “for all strategies x based on observation o, φ holds”) and Aψ := ¬E¬ψ (read “all outcomes of the current strategies satisfy ψ”).

For every formula φ ∈ SL_ii, we let free(φ) be the set of variables that appear free in φ, i.e., that appear out of the scope of a strategy quantifier. A formula φ is a sentence if free(φ) is empty. Finally, we let the size |φ| of a formula φ be the number of symbols in φ.
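As an added example (not code from the paper), the following Python encodes the grammar of Definition 2.1 as a small syntax tree, computes free(φ) as just defined, and implements the linear-time hierarchy check sketched in the introduction: walking down the tree, the observation of each strategy quantifier must refine the observation of the nearest enclosing quantifier, and transitivity of ⊆ then covers all outer quantifiers. The class names, the representation of O(o) as a partition of positions into ∼o-classes, and the sample observations are assumptions of this example; the sample formula is Φ_Synth from the introduction with two components.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Added example: an AST for the SL_ii grammar of Definition 2.1 (class names are assumptions).
@dataclass(frozen=True)
class Atom:      # p
    p: str
@dataclass(frozen=True)
class Not:       # ¬φ or ¬ψ
    f: "Formula"
@dataclass(frozen=True)
class Or:        # φ ∨ φ or ψ ∨ ψ
    left: "Formula"
    right: "Formula"
@dataclass(frozen=True)
class StratQ:    # ⟨⟨x⟩⟩^o φ : strategy quantifier annotated with observation symbol o
    x: str
    o: str
    f: "Formula"
@dataclass(frozen=True)
class Bind:      # (a, x) φ
    a: str
    x: str
    f: "Formula"
@dataclass(frozen=True)
class Unbind:    # (a, ?) φ
    a: str
    f: "Formula"
@dataclass(frozen=True)
class E:         # E ψ : outcome quantifier
    f: "Formula"
@dataclass(frozen=True)
class X:         # X ψ
    f: "Formula"
@dataclass(frozen=True)
class U:         # ψ U ψ
    left: "Formula"
    right: "Formula"

Formula = Union[Atom, Not, Or, StratQ, Bind, Unbind, E, X, U]

def A(psi: Formula) -> Formula:   # A ψ := ¬E¬ψ
    return Not(E(Not(psi)))

def F(phi: Formula) -> Formula:   # F φ := ⊤ U φ, with ⊤ := p ∨ ¬p
    return U(Or(Atom("p"), Not(Atom("p"))), phi)

def children(f: Formula) -> Tuple[Formula, ...]:
    if isinstance(f, Atom):
        return ()
    if isinstance(f, (Or, U)):
        return (f.left, f.right)
    return (f.f,)

def free(f: Formula) -> FrozenSet[str]:
    """free(φ): variables used in a binding outside the scope of a strategy quantifier for them."""
    if isinstance(f, Bind):
        return frozenset({f.x}) | free(f.f)
    if isinstance(f, StratQ):
        return free(f.f) - {f.x}
    return frozenset().union(*(free(c) for c in children(f)))

# O(o) is represented as the partition of positions into ∼o-classes (assumption of this example).
Partition = FrozenSet[FrozenSet[str]]

def refines(fine: Partition, coarse: Partition) -> bool:
    """O(fine) ⊆ O(coarse): every class of the finer relation lies inside a class of the coarser one."""
    return all(any(block <= big for big in coarse) for block in fine)

def is_hierarchical(f: Formula, obs: Dict[str, Partition], enclosing: Optional[str] = None) -> bool:
    """Single walk down the syntax tree (linear time): each quantifier's observation must refine
    the nearest enclosing quantifier's observation; transitivity of ⊆ covers all outer ones."""
    if isinstance(f, StratQ):
        if enclosing is not None and not refines(obs[f.o], obs[enclosing]):
            return False
        return is_hierarchical(f.f, obs, f.o)
    return all(is_hierarchical(c, obs, enclosing) for c in children(f))

def part(*blocks) -> Partition:
    return frozenset(frozenset(b) for b in blocks)

# Constructed observation interpretation over positions v0..v3 (sample data, not from the paper).
OBS: Dict[str, Partition] = {
    "o1": part({"v0", "v1"}, {"v2", "v3"}),     # coarse view
    "o2": part({"v0"}, {"v1"}, {"v2", "v3"}),   # refines o1
    "o3": part({"v0", "v2"}, {"v1", "v3"}),     # incomparable with o1
}

# Φ_Synth for two components: ⟨⟨x1⟩⟩^{o1} ⟨⟨x2⟩⟩^{o2} (a1,x1)(a2,x2) A F p
GOAL = Bind("a1", "x1", Bind("a2", "x2", A(F(Atom("p")))))
PHI_SYNTH = StratQ("x1", "o1", StratQ("x2", "o2", GOAL))
PHI_SWAPPED = StratQ("x2", "o2", StratQ("x1", "o1", GOAL))       # inner quantifier sees less
PHI_INCOMPARABLE = StratQ("x1", "o1", StratQ("x2", "o3", GOAL))  # views not ordered by ⊆

if __name__ == "__main__":
    print(not free(PHI_SYNTH), is_hierarchical(PHI_SYNTH, OBS), is_hierarchical(PHI_SWAPPED, OBS))
```

Only the nearest enclosing quantifier is compared at each node; since the hierarchy condition is an inclusion of equivalence relations, a failure at any nesting level is caught at that level and a pass at every level implies the inclusion for all pairs of nested quantifiers. GOAL alone has free variables x1 and x2, so it is not a sentence, while PHI_SYNTH is.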

2.3 Discussion on the syntax

We discuss the syntactic differences between our logic and usual Strategy Logic.

Outcome quantifier. This quantifier was introduced in Branching-time Strategy Logic (BSL) [45], which corresponds to the perfect-information fragment of the logic we define here. It removes a quirk of previous definitions, in which temporal operators could only be evaluated in contexts where all agents were assigned a strategy. The outcome quantifier, instead, allows for evaluation of temporal properties on partial assignments. As a result, the notions of free agents and agent-complete assignments from previous definitions of Strategy Logic are no longer needed (see, e.g., [60]). In addition, the outcome quantifier highlights the inherent branching-time nature of Strategy Logic: indeed, in SL, branching-time properties can be expressed by resorting to artificial strategy quantifications for all agents. It will also make the correspondence with QCTL*_ii tighter, which will allow us to establish the precise complexity of the problem we solve, while the exact complexity of model checking classic SL with perfect information is still not known. Finally, since the usual definition of SL requires that the current strategies define a unique outcome on which linear-time temporal operators are evaluated, only deterministic strategies were considered. The introduction of the outcome quantifier allows us to consider nondeterministic strategies.

Unbinding. With the possibility to evaluate temporal operators even when some agents are not bound to any strategy, it becomes interesting to include the unbinding operator (a,?), introduced in [54] for ATL with strategy context and also present in BSL. Note that the outcome quantifier and unbinding operator do not increase the expressivity of SL, at the level of sentences [45].

Observations. In games with imperfect information and ATL-like logics with imperfect information, a strategy is always bound to some player, and thus it is clear with regards to what observations it should be defined. In SL on the other hand, strategy quantification and binding are separate. This adds expressive power with regards to ATL by allowing, for instance, to assign the same strategy to two different players, but it also entails that when a quantification is made on a strategy, one does not know with regards to which observation this strategy should be defined. We know of three ways to solve this. One is the approach followed here, which consists in associating with strategy quantifiers an observation power. The second solution is to abandon the separation between quantification and binding and to use instead quantifiers of the form ∃a, meaning “there exists a strategy for player a”, like in [2, 21]: with this operator, the strategy is immediately bound to player a, which indicates with regards to which observation the strategy should be compatible. The third one, adopted in [4], consists in requiring that a strategy be uniform for all agents to whom it will be bound in the formula. We chose to adopt the first solution for its simplicity and expressiveness. Indeed the second solution limits expressiveness by disallowing, for instance, binding the same strategy to different agents. The third solution leads to a logic that is more expressive than the second one, but less than the first one. Indeed, the logic that we study here can capture the logic from [4] (assuming that models contain observations corresponding to unions of individual observations), and in addition SL_ii can express changes of agents’ observation power.

2.4 Semantics

The models of SL_ii are classic concurrent game structures extended by an interpretation for observation symbols in Obs.

Definition 2.2 (CGS_ii). A concurrent game structure with imperfect information (or CGS_ii for short) is a tuple G = (Ac, V, E, ℓ, v_ι, O) where

• Ac is a finite non-empty set of actions,
• V is a finite non-empty set of positions,
• E : V × Ac^Ag → V is a transition function,
• ℓ : V → 2^AP is a labelling function,
• v_ι ∈ V is an initial position, and
• O : Obs → 2^{V×V} is an observation interpretation.

For o ∈ Obs, O(o) is an equivalence relation on positions, that we may write ∼_o. It represents what a strategy with observation o can see: O(o)-equivalent positions are indistinguishable to such a strategy. Also, ℓ(v) is the set of atomic propositions that hold in position v.

We define the size |G| of a CGS_ii G = (Ac, V, E, ℓ, v_ι, O) as the size of an explicit encoding of the transition function: |G| := |V| × |Ac|^{|Ag|} × ⌈log(|V|)⌉. We may write v ∈ G for v ∈ V.

We now introduce a number of notions involved in the semantics of SL_ii. Consider a CGS_ii G = (Ac, V, E, ℓ, v_ι, O).

Joint actions. In a position v ∈ V, each player a chooses an action c_a ∈ Ac, and the game proceeds to position E(v, c), where c ∈ Ac^Ag stands for the joint action (c_a)_{a∈Ag}. Given a joint action c = (c_a)_{a∈Ag} and a ∈ Ag, we let c_a denote the a-component of c.

Plays. A finite (resp. infinite) play is a finite (resp. infinite) word ρ = v0 … vn (resp. π = v0 v1 …) such that v0 = v_ι and for every i such that 0 ≤ i < |ρ| − 1 (resp. i ≥ 0), there exists a joint action c such that E(v_i, c) = v_{i+1}.

Strategies. A (nondeterministic) strategy is a function σ : V+ → 2^Ac \ {∅} that maps each finite play to a nonempty finite set of actions that the player may play. A strategy σ is deterministic if for all ρ, σ(ρ) is a singleton. We let Str denote the set of all strategies.

Assignments. An assignment is a partial function χ : Ag ∪ Var ⇀ Str, assigning to each player and variable in its domain a strategy. For an assignment χ, a player a and a strategy σ, χ[a ↦ σ] is the assignment of domain dom(χ) ∪ {a} that maps a to σ and is equal to χ on the rest of its domain, and χ[x ↦ σ] is defined similarly, where x is a variable; also, χ[a ↦ ?] is the restriction of χ to domain dom(χ) \ {a}. In addition, given a formula φ ∈ SL_ii, an assignment is variable-complete for φ if its domain contains all free variables of φ.

Outcomes. For an assignment χ and a finite play ρ, we let Out(χ, ρ) be the set of infinite plays that start with ρ and are then extended by letting players follow the strategies assigned by χ. Formally, Out(χ, ρ) is the set of plays of the form ρ · v1 v2 … such that for all i ≥ 0, there exists c such that for all a ∈ dom(χ) ∩ Ag, c_a ∈ χ(a)(ρ · v1 … v_i) and v_{i+1} = E(v_i, c), with v0 = last(ρ).

Synchronous perfect recall. In this work we consider players with synchronous perfect recall, meaning that each player remembers the whole history of a play, a classic assumption in games with imperfect information and logics of knowledge and time. Each observation relation is thus extended to finite plays as follows: ρ ∼_o ρ′ if |ρ| = |ρ′| and ρ_i ∼_o ρ′_i for every i ∈ {0, …, |ρ| − 1}.

Imperfect-information strategies. For o ∈ Obs, a strategy σ is an o-strategy if σ(ρ) = σ(ρ′) whenever ρ ∼_o ρ′. The latter constraint captures the essence of imperfect information, which is that players can base their strategic choices only on the information available to them. For o ∈ Obs we let Str_o be the set of all o-strategies.
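As an added example (not the paper's code), the following Python builds a small constructed CGS_ii with two players and exercises the notions just defined on it: finite plays generated through E, the synchronous perfect-recall extension of ∼_o to plays, the uniformity condition that makes a strategy an o-strategy (checked over all plays up to a bounded length, since V+ is infinite), and Out(χ, ρ) truncated to a finite horizon, with agents outside dom(χ) free to play any action. The model, its observation interpretation and the three strategies are sample data constructed for this example.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Play = Tuple[str, ...]                        # a finite play: non-empty sequence of positions
JointAction = Dict[str, str]                  # c = (c_a)_{a in Ag}
Strategy = Callable[[Play], FrozenSet[str]]   # sigma : V+ -> 2^Ac \ {emptyset}

# Constructed CGS_ii with players a and b (sample model, not from the paper).
AGENTS = ("a", "b")
ACTIONS = ("0", "1")
LABELS = {"v0": frozenset(), "v1": frozenset(), "v2": frozenset(), "v3": frozenset({"p"})}
V_INIT = "v0"

def E(v: str, c: JointAction) -> str:
    """Transition function: a's first move selects v1 or v2; from there b reaches v3 (where p holds)
    only by playing the action matching the position, and v3 is a sink."""
    if v == "v0":
        return "v1" if c["a"] == "0" else "v2"
    if v == "v1":
        return "v3" if c["b"] == "1" else "v1"
    if v == "v2":
        return "v3" if c["b"] == "0" else "v2"
    return "v3"

# Observation interpretation O: each symbol maps positions to an equivalence-class id.
OBS: Dict[str, Dict[str, int]] = {
    "o_a": {"v0": 0, "v1": 1, "v2": 2, "v3": 3},   # perfect information
    "o_b": {"v0": 0, "v1": 1, "v2": 1, "v3": 2},   # b cannot tell v1 from v2
}

def joint_actions() -> List[JointAction]:
    return [dict(zip(AGENTS, combo)) for combo in product(ACTIONS, repeat=len(AGENTS))]

def finite_plays(max_len: int) -> Set[Play]:
    """All finite plays of length <= max_len: v0 = v_init and consecutive positions linked by E."""
    plays: Set[Play] = {(V_INIT,)}
    frontier = [(V_INIT,)]
    while frontier:
        rho = frontier.pop()
        if len(rho) >= max_len:
            continue
        for c in joint_actions():
            ext = rho + (E(rho[-1], c),)
            if ext not in plays:
                plays.add(ext)
                frontier.append(ext)
    return plays

def indist(o: str, rho: Play, rho2: Play) -> bool:
    """Synchronous perfect recall: rho ~o rho' iff same length and position-wise ~o."""
    return len(rho) == len(rho2) and all(OBS[o][u] == OBS[o][w] for u, w in zip(rho, rho2))

def is_o_strategy(sigma: Strategy, o: str, max_len: int) -> bool:
    """Uniformity: sigma(rho) = sigma(rho') whenever rho ~o rho', checked on plays up to max_len."""
    plays = finite_plays(max_len)
    return all(sigma(r1) == sigma(r2) for r1 in plays for r2 in plays if indist(o, r1, r2))

def outcomes(chi: Dict[str, Strategy], rho: Play, horizon: int) -> Set[Play]:
    """Out(chi, rho) truncated after `horizon` further positions; agents not in dom(chi) play anything."""
    result = {rho}
    for _ in range(horizon):
        step: Set[Play] = set()
        for play in result:
            for c in joint_actions():
                if all(c[a] in chi[a](play) for a in AGENTS if a in chi):
                    step.add(play + (E(play[-1], c),))
        result = step
    return result

# Constructed strategies for the sample model.
def sigma_cheat(rho: Play) -> FrozenSet[str]:      # reacts to v1 vs v2, which b cannot observe
    return frozenset({"1"}) if rho[-1] == "v1" else frozenset({"0"})

def sigma_uniform(rho: Play) -> FrozenSet[str]:    # same choice on all plays: trivially uniform
    return frozenset({"1"})

def sigma_a0(rho: Play) -> FrozenSet[str]:         # deterministic strategy for a
    return frozenset({"0"})

if __name__ == "__main__":
    print(is_o_strategy(sigma_cheat, "o_b", 3), is_o_strategy(sigma_uniform, "o_b", 3))
    print(sorted(outcomes({"b": sigma_uniform}, (V_INIT,), 2)))
```

In the sample, the plays v0·v1 and v0·v2 are ∼_{o_b}-equivalent, so sigma_cheat, which answers differently on them, is rejected as an o_b-strategy although it is an o_a-strategy. A False answer from is_o_strategy is conclusive (a violating pair has been found); a True answer is only evidence up to the chosen length, since uniformity is a condition on the infinite set V+. Binding only b leaves a free to choose, which is why Out(χ, v0) branches at the first step.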

Definition 2.3 (SL_ii semantics). The semantics of a state formula is defined on a CGS_ii G, an assignment χ that is variable-complete for φ, and a finite play ρ. For a path formula ψ, the finite play is replaced with an infinite play π and an index i ∈ N. The definition by mutual induction is as follows:

  G, χ, ρ ⊨ p             if p ∈ ℓ(last(ρ))
  G, χ, ρ ⊨ ¬φ            if G, χ, ρ ⊭ φ
  G, χ, ρ ⊨ φ ∨ φ′        if G, χ, ρ ⊨ φ or G, χ, ρ ⊨ φ′
  G, χ, ρ ⊨ ⟨⟨x⟩⟩^o φ     if ∃σ ∈ Str_o s.t. G, χ[x ↦ σ], ρ ⊨ φ
  G, χ, ρ ⊨ (a,x) φ       if G, χ[a ↦ χ(x)], ρ ⊨ φ
  G, χ, ρ ⊨ (a,?) φ       if G, χ[a ↦ ?], ρ ⊨ φ
  G, χ, ρ ⊨ Eψ            if there exists π ∈ Out(χ, ρ) such that G, χ, π, |ρ| − 1 ⊨ ψ
  G, χ, π, i ⊨ φ          if G, χ, π_{≤i} ⊨ φ
  G, χ, π, i ⊨ ¬ψ         if G, χ, π, i ⊭ ψ
  G, χ, π, i ⊨ ψ ∨ ψ′     if G, χ, π, i ⊨ ψ or G, χ, π, i ⊨ ψ′
  G, χ, π, i ⊨ Xψ         if G, χ, π, i+1 ⊨ ψ
  G, χ, π, i ⊨ ψ U ψ′     if ∃j ≥ i s.t. G, χ, π, j ⊨ ψ′ and ∀k s.t. i ≤ k < j, G, χ, π, k ⊨ ψ

Remark 1. Observe that because of the semantics of the outcome quantifier, and unlike usual definitions of SL, the meaning of an $SL_{ii}$ sentence depends on the assignment in which it is evaluated. For instance the $SL_{ii}$ formula $\mathbf{AF}\, p$ is clearly a sentence, but whether $\mathcal{G}, \chi, \rho \models \mathbf{AF}\, p$ holds or not depends on which agents are bound to a strategy in $\chi$ and what these strategies are. However, as usual, a sentence does not require an assignment to be evaluated, and for an $SL_{ii}$ sentence $\varphi$ we let $\mathcal{G}, \rho \models \varphi$ if $\mathcal{G}, \emptyset, \rho \models \varphi$ for the empty assignment $\emptyset$, and we write $\mathcal{G} \models \varphi$ if $\mathcal{G}, v_\iota \models \varphi$.

SL is the fragment of $SL_{ii}$ obtained by interpreting all observation symbols as the identity relation (which models perfect information), restricting to deterministic strategies, and considering only assignments in which each agent has a strategy (in this case the outcome of an assignment consists of a single play; one can thus get rid of the outcome quantifier and evaluate temporal operators in
the unique outcome of the current assignment, as usually done in SL). Also, $CTL^*$ is the fragment of $SL_{ii}$ which uses no binding, unbinding or strategy quantification.

2.5 Discussion on the semantics

We now discuss some aspects of the semantics.

Evaluation on finite plays. Unlike previous definitions of Strategy Logic, we evaluate formulas on finite plays (instead of positions), where the finite play represents the whole history starting from the initial position of the $CGS_{ii}$ in which the formula is evaluated. There are several reasons to do so. First, it allows us to define the semantics more simply without having to resort to the notion of assignment translations. Second, it makes it easier to see the correctness of the reduction to $QCTL^*_{ii}$ that we present in Section 5. In SL, a strategy only has access to the history of the game starting from the point where the strategy quantifier from which it arises has been evaluated. In contrast, in $SL_{ii}$ strategies have access to the whole history, starting from the initial position. However this does not affect the semantics, in the sense that the perfect-information fragment of $SL_{ii}$ with deterministic strategies corresponds to SL. Indeed, when agents have perfect information, having access to the past or not does not affect the existence of strategies to enforce temporal properties that only concern the future.

Players not remembering their actions. Our definition of synchronous perfect recall only considers the sequence of positions in finite plays, and forgets about actions taken by players. In particular, it is possible in this definition that a player cannot distinguish between two finite plays in which she plays different actions. This definition is standard in games with imperfect information [7, 8, 26, 80], since remembering one's actions or not is indifferent for the existence of distributed winning strategies or Nash equilibria. However it makes a difference for some more involved solution concepts that are expressible in strategic logics such as $SL_{ii}$. For instance it is observed in [10, Appendix A] that some games admit subgame-perfect equilibria only if agents remember their own past actions. Nonetheless we consider the setting where agents do not remember their actions, as it is the most general. Indeed, as noted in [18, Remark 2.1, p.8], one can simulate agents that remember their own actions by storing in positions of the game the information of the last joint move played (this may create $|Ac|^{|Ag|}$ copies of each position, but the branching degree is unchanged). One can then adapt indistinguishability relations to take actions into account. For instance, for an observation symbol $o$ and an agent $a$, one could consider a new observation symbol $o_a$ that would be interpreted in the enriched game structure as the refinement of $\sim_o$ that considers two positions indistinguishable if they are indistinguishable for $\sim_o$ and contain the same last action for agent $a$. Binding agent $a$ only to strategies that use observation of the form $o_a$ for some $o$ captures the fact that agent $a$ remembers her actions.

Agents changing observation. In $SL_{ii}$ observations are not bound to agents but to strategies. And because agents can change their strategy thanks to the binding operator, it follows that they can change observation, or more precisely they can successively play with strategies that have different observations. For instance consider a controller that observes a system through a set of $n$ sensors $S = \{s_1, \ldots, s_n\}$ as in, e.g., [9]. Let $o_i$ be the observation power provided by the set of sensors $S \setminus \{s_i\}$ (one can think of a system where states are tuples of local states, each sensor observing one component). Also let $o$ be the observation power provided by the full set $S$ of sensors, and let atom $fault_i$ represent the fact that a fault occurs on sensor $s_i$. The formula

$\varphi := \langle\langle x \rangle\rangle^{o} (a, x) \Big( \mathbf{AG}\, safe \wedge \bigwedge_{i=1}^{n} \big( fault_i \to \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AG}\, safe_i \big) \Big)$
expresses that the controller $a$ has a strategy (which uses all sensors in $S$) to maintain the system safe, and if a sensor is lost, it can respond by switching to a strategy using the remaining sensors to maintain some alternative, possibly weaker, security requirement $safe_i$.

2.6 Model checking and hierarchical instances

We now introduce the main decision problem of this paper, which is the model-checking problem for $SL_{ii}$. An $SL_{ii}$-instance is a model together with a formula, i.e., it is a pair $(\mathcal{G}, \Phi)$ where $\mathcal{G}$ is a $CGS_{ii}$ and $\Phi \in SL_{ii}$.

Definition 2.4 (Model checking $SL_{ii}$). The model-checking problem for $SL_{ii}$ is the decision problem that, given an $SL_{ii}$-instance $(\mathcal{G}, \Phi)$, returns 'Yes' if $\mathcal{G} \models \Phi$, and 'No' otherwise.

It is well known that deciding the existence of winning strategies in multi-player games with imperfect information is undecidable for reachability objectives [63]. Since this problem is easily reduced to the model-checking problem for $SL_{ii}$, we get the following result.

Theorem 2.5. The model-checking problem for $SL_{ii}$ is undecidable.

Hierarchical instances. We now isolate a sub-problem obtained by restricting attention to hierarchical instances. Intuitively, an $SL_{ii}$-instance $(\mathcal{G}, \Phi)$ is hierarchical if, as one goes down a path in the syntactic tree of $\Phi$, the observations tied to quantifications become finer.

Definition 2.6 (Hierarchical instances). An $SL_{ii}$-instance $(\mathcal{G}, \Phi)$ is hierarchical if for every subformula $\varphi_1 = \langle\langle y \rangle\rangle^{o_1} \varphi'_1$ of $\Phi$ and subformula $\varphi_2 = \langle\langle x \rangle\rangle^{o_2} \varphi'_2$ of $\varphi'_1$, it holds that $\mathcal{O}(o_2) \subseteq \mathcal{O}(o_1)$.

If $\mathcal{O}(o_2) \subseteq \mathcal{O}(o_1)$ we say that $o_2$ is finer than $o_1$ in $\mathcal{G}$, and that $o_1$ is coarser than $o_2$ in $\mathcal{G}$. Intuitively, this means that a player with observation $o_2$ observes game $\mathcal{G}$ no worse than, i.e., knows at least as much as a player with observation $o_1$.

Remark 2. If one uses the trick described in Section 2.5 to model agents that remember their own actions, then for an agent $a$ to know at least as much as another agent $b$ it needs to be the case that, in particular, agent $a$ observes all actions played by agent $b$.

Example 2.7 (Fault-tolerant diagnosability). Consider the following formula from Section 2.5:

$\varphi := \langle\langle x \rangle\rangle^{o} (a, x) \Big( \mathbf{AG}\, safe \wedge \bigwedge_{i=1}^{n} \big( fault_i \to \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AG}\, safe_i \big) \Big)$

As already discussed, it expresses that the controller can react to the loss of a sensor to keep ensuring some property of the system. Clearly, the controller's observation $o_i$ after the loss of sensor $i$ is coarser than its original observation $o$, and thus formula $\varphi$ in such a system does not form a hierarchical instance.

We now give an example of a scenario where hierarchical instances occur naturally.

Example 2.8 (Security levels). Consider a system with different "security levels", where higher levels have access to more data (i.e., can observe more). Assume that the $CGS_{ii}$ $\mathcal{G}$ is such that $\mathcal{O}(o_n) \subseteq \mathcal{O}(o_{n-1}) \subseteq \ldots \subseteq \mathcal{O}(o_1)$: in other words, level $n$ has the highest security clearance, while level 1 has the lowest. Consider that agent $a$ wants to reach some objective marked by atom "goal", that it starts with the lowest observation clearance $o_1$, and that atomic formula "$promote_i$" means that the agent is granted access to level $i$ (observe that whenever we have $promote_i$, we should also have $promote_j$ for all $j < i$). For every $i$ we let

$\varphi_i(\varphi') := goal \vee \big( promote_i \wedge \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AF}\, \varphi' \big)$

Now the formula

$\varphi := \varphi_1(\varphi_2(\ldots \varphi_{n-1}(\varphi_n(goal)) \ldots))$

means that agent $a$ can enforce her goal, possibly by first getting access to higher security levels and using this additional observation power to reach the goal. Because the strategy quantifications that are deeper in the formula have access to more information, this formula forms a hierarchical instance in $\mathcal{G}$.

Here is the main contribution of this work:

Theorem 2.9. The model-checking problem for $SL_{ii}$ restricted to the class of hierarchical instances is decidable.

We prove this result in Section 5 by reducing it to the model-checking problem for the hierarchical fragment of a logic called $QCTL^*$ with imperfect information, which we now introduce and study in order to use it as an intermediate, "low-level" logic between tree automata and $SL_{ii}$. We then discuss some applications of this theorem in Section 7.

3 QCTL* WITH IMPERFECT INFORMATION

In this section we introduce an imperfect-information extension of $QCTL^*$ [34, 46, 47, 53, 77], which is an extension of $CTL^*$ with second-order quantification on atomic propositions. In order to introduce imperfect information, instead of considering equivalence relations between states as in concurrent game structures, we will enrich Kripke structures by giving internal structure to their states, i.e., we see states as $n$-tuples of local states. This way of modelling imperfect information is inspired from Reif's multi-player game structures [63] and distributed systems [39], and we find it very suitable to application of automata techniques, as discussed in Section 3.3.

The syntax of $QCTL^*_{ii}$ is similar to that of $QCTL^*$, except that we annotate second-order quantifiers by subsets $o \subseteq [n]$. The idea is that quantifiers annotated by $o$ can only "observe" the local states indexed by $i \in o$. We define the tree-semantics of $QCTL^*_{ii}$: this means that we interpret formulas on trees that are the unfoldings of Kripke structures (this will capture the fact that players in $SL_{ii}$ have synchronous perfect recall). We then define the syntactic class of hierarchical formulas and prove, using an automata-theoretic approach, that model checking this class of formulas is decidable.

For the rest of the section we fix some natural number $n \in \mathbb{N}$ which parameterises the logic $QCTL^*_{ii}$, and which is the number of components in states of the models.

3.1 QCTL*ii Syntax

The syntax of $QCTL^*_{ii}$ is very similar to that of $QCTL^*$: the only difference is that we annotate quantifiers by a set of indices that defines the "observation" of that quantifier.

Concrete observations. A set $o \subseteq [n]$ is called a concrete observation (to distinguish it from observations $o$ in the definitions of $SL_{ii}$).

Definition 3.1 ($QCTL^*_{ii}$ Syntax). The syntax of $QCTL^*_{ii}$ is defined by the following grammar:

$\varphi := p \mid \neg\varphi \mid \varphi \vee \varphi \mid \mathbf{E}\psi \mid \exists^{o} p.\, \varphi$
$\psi := \varphi \mid \neg\psi \mid \psi \vee \psi \mid \mathbf{X}\psi \mid \psi \mathbf{U} \psi$

where $p \in AP$ and $o \subseteq [n]$.

Formulas of type $\varphi$ are called state formulas, those of type $\psi$ are called path formulas, and $QCTL^*_{ii}$ consists of all the state formulas defined by the grammar. We use the standard abbreviation $\mathbf{A}\psi := \neg\mathbf{E}\neg\psi$. We also use $\exists p.\, \varphi$ as a shorthand for $\exists^{[n]} p.\, \varphi$, and we let $\forall p.\, \varphi := \neg\exists p.\, \neg\varphi$.

Given a $QCTL^*_{ii}$ formula $\varphi$, we define the set of quantified propositions $AP_\exists(\varphi) \subseteq AP$ as the set of atomic propositions $p$ such that $\varphi$ has a subformula of the form $\exists^{o} p.\, \varphi$. We also define the set of free propositions $AP_f(\varphi) \subseteq AP$ as the set of atomic propositions that have an occurrence which is not under the scope of any quantifier of the form $\exists^{o} p$. Observe that $AP_\exists(\varphi) \cap AP_f(\varphi)$ may not be empty, i.e., a proposition may appear both free and quantified in (different places of) a formula.

3.2 QCTL*ii semantics

Several semantics have been considered for $QCTL^*$, the two most studied being the structure semantics and the tree semantics (see [53] for more details). For the semantics of $QCTL^*_{ii}$ we adapt the tree semantics, and we explain the reasons for doing so in Section 3.3.

As already mentioned, for $QCTL^*_{ii}$ we consider structures whose states are tuples of local states. We now define these structures and related notions.

Definition 3.2 (Compound Kripke structures). A compound Kripke structure, or CKS, over $AP$ is a tuple $\mathcal{S} = (S, R, \ell, s_\iota)$ where

• $S \subseteq \prod_{i \in [n]} L_i$ is a set of states, with $\{L_i\}_{i \in [n]}$ a family of $n$ disjoint finite sets of local states,
• $R \subseteq S \times S$ is a left-total¹ transition relation,
• $\ell : S \to 2^{AP}$ is a labelling function and
• $s_\iota \in S$ is an initial state.

A path in $\mathcal{S}$ is an infinite sequence of states $\lambda = s_0 s_1 \ldots$ such that for all $i \in \mathbb{N}$, $(s_i, s_{i+1}) \in R$. A finite path is a finite non-empty prefix of a path. We may write $s \in \mathcal{S}$ for $s \in S$, and we define the size $|\mathcal{S}|$ of a CKS $\mathcal{S} = (S, R, \ell, s_\iota)$ as its number of states: $|\mathcal{S}| := |S|$.

Since we will interpret $QCTL^*_{ii}$ on unfoldings of CKS, we now define infinite trees.

Trees. In many works, trees are defined as prefix-closed sets of words with the empty word $\epsilon$ as root. Here trees represent unfoldings of Kripke structures, and we find it more convenient to see a node $u$ as a sequence of states and the root as the initial state. Let $X$ be a finite set of directions (typically a set of states). An $X$-tree $\tau$ is a nonempty set of words $\tau \subseteq X^+$ such that:

• there exists $r \in X$, called the root of $\tau$, such that each $u \in \tau$ starts with $r$ ($r \preccurlyeq u$);
• if $u \cdot x \in \tau$ and $u \cdot x \neq r$, then $u \in \tau$;
• if $u \in \tau$ then there exists $x \in X$ such that $u \cdot x \in \tau$.

The elements of a tree $\tau$ are called nodes. If $u \cdot x \in \tau$, we say that $u \cdot x$ is a child of $u$. The depth of a node $u$ is $|u|$. An $X$-tree $\tau$ is complete if for every $u \in \tau$ and $x \in X$, $u \cdot x \in \tau$. A path in $\tau$ is an infinite sequence of nodes $\lambda = u_0 u_1 \ldots$ such that for all $i \in \mathbb{N}$, $u_{i+1}$ is a child of $u_i$, and $Paths(u)$ is the set of paths that start in node $u$.

Labellings. An $AP$-labelled $X$-tree, or $(AP, X)$-tree for short, is a pair $t = (\tau, \ell)$, where $\tau$ is an $X$-tree called the domain of $t$ and $\ell : \tau \to 2^{AP}$ is a labelling, which maps each node to the set of propositions that hold there. For $p \in AP$, a $p$-labelling for a tree is a mapping $\ell_p : \tau \to \{0, 1\}$ that indicates in which nodes $p$ holds, and for a labelled tree $t = (\tau, \ell)$, the $p$-labelling of $t$ is the $p$-labelling $u \mapsto 1$ if $p \in \ell(u)$, $0$ otherwise. The composition of a labelled tree $t = (\tau, \ell)$ with a $p$-labelling $\ell_p$ for $\tau$ is defined as $t \otimes \ell_p := (\tau, \ell')$, where $\ell'(u) = \ell(u) \cup \{p\}$ if $\ell_p(u) = 1$, and $\ell(u) \setminus \{p\}$ otherwise. A $p$-labelling for a labelled tree $t = (\tau, \ell)$ is a $p$-labelling for its domain $\tau$. A pointed labelled tree is a pair $(t, u)$ where $u$ is a node of $t$.

If $u = w \cdot x$, the subtree $t_u$ of $t = (\tau, \ell)$ is defined as $t_u := (\tau_u, \ell_u)$ with $\tau_u = \{x \cdot w' \mid w \cdot x \cdot w' \in \tau\}$, and $\ell_u(x \cdot w') = \ell(w \cdot x \cdot w')$. A labelled tree is regular if it has finitely many distinct subtrees.

¹ i.e., for all $s \in S$, there exists $s'$ such that $(s, s') \in R$.

In the tree semantics of $QCTL^*_{ii}$ that we consider here, formulas are evaluated on tree unfoldings of CKS, which we now define.

Tree unfoldings. Let $\mathcal{S} = (S, R, \ell, s_\iota)$ be a compound Kripke structure over $AP$. The tree-unfolding of $\mathcal{S}$ is the $(AP, S)$-tree $t_\mathcal{S} := (\tau, \ell')$, where $\tau$ is the set of all finite paths that start in $s_\iota$, and for every $u \in \tau$, $\ell'(u) := \ell(last(u))$.

Note that a labelled tree is regular if and only if it is the unfolding of some finite Kripke structure.

Narrowing. Let $X$ and $Y$ be two finite sets, and let $(x, y) \in X \times Y$. The $X$-narrowing of $(x, y)$ is $(x, y)\downarrow_X := x$. This definition extends naturally to words and trees over $X \times Y$ (point-wise).

Given a family of (disjoint) sets of local states $\{L_i\}_{i \in [n]}$ and a subset $I \subseteq [n]$, we let $L_I := \prod_{i \in I} L_i$ if $I \neq \emptyset$ and $L_\emptyset := \{0\}$, where $0$ is a special symbol. For $I, J \subseteq [n]$ and $z \in L_I$, we also define $z\downarrow_J := z\downarrow_{L_{I \cap J}}$, where $z$ is seen as a pair $z = (x, y) \in L_{I \cap J} \times L_{I \setminus J}$, i.e., we apply the above definition with $X = L_{I \cap J}$ and $Y = L_{I \setminus J}$. This is well defined because, having taken sets $L_i$ to be disjoint, the ordering of local states in $z$ is indifferent. We also extend this definition to words and trees. In particular, for every $L_I$-tree $\tau$, $\tau\downarrow_\emptyset$ is the only $L_\emptyset$-tree, $0^\omega$.

Quantification and uniformity. In $QCTL^*_{ii}$, $\exists^{o} p.\, \varphi$ holds in a tree $t$ if there is some $o$-uniform $p$-labelling of $t$ such that $t$ with this $p$-labelling satisfies $\varphi$. Intuitively, a $p$-labelling of a tree is $o$-uniform if every two nodes that are indistinguishable for observation $o$ agree on $p$.

Definition 3.3 ($o$-indistinguishability and $o$-uniformity in $p$). Fix $o \subseteq [n]$ and $I \subseteq [n]$.

• Two tuples $x, x' \in L_I$ are $o$-indistinguishable, written $x \approx_o x'$, if $x\downarrow_o = x'\downarrow_o$.
• Two words $u = u_0 \ldots u_i$ and $u' = u'_0 \ldots u'_j$ over alphabet $L_I$ are $o$-indistinguishable, written $u \approx_o u'$, if $i = j$ and for all $k \in \{0, \ldots, i\}$ we have $u_k \approx_o u'_k$.
• A $p$-labelling for a tree $\tau$ is $o$-uniform if for all $u, u' \in \tau$, $u \approx_o u'$ implies $\ell_p(u) = \ell_p(u')$.

Definition 3.4 ($QCTL^*_{ii}$ semantics). We define by induction the satisfaction relation $\models$ of $QCTL^*_{ii}$. Let $t = (\tau, \ell)$ be an $AP$-labelled $L_I$-tree, $u$ a node and $\lambda$ a path in $\tau$:

$t, u \models p$ if $p \in \ell(u)$
$t, u \models \neg\varphi$ if $t, u \not\models \varphi$
$t, u \models \varphi \vee \varphi'$ if $t, u \models \varphi$ or $t, u \models \varphi'$
$t, u \models \mathbf{E}\psi$ if $\exists \lambda \in Paths(u)$ s.t. $t, \lambda \models \psi$
$t, u \models \exists^{o} p.\, \varphi$ if $\exists \ell_p$ an $o$-uniform $p$-labelling for $t$ such that $t \otimes \ell_p, u \models \varphi$
$t, \lambda \models \varphi$ if $t, \lambda_0 \models \varphi$
$t, \lambda \models \neg\psi$ if $t, \lambda \not\models \psi$
$t, \lambda \models \psi \vee \psi'$ if $t, \lambda \models \psi$ or $t, \lambda \models \psi'$
$t, \lambda \models \mathbf{X}\psi$ if $t, \lambda_{\ge 1} \models \psi$
$t, \lambda \models \psi \mathbf{U} \psi'$ if $\exists i \ge 0$ s.t. $t, \lambda_{\ge i} \models \psi'$ and $\forall j$ s.t. $0 \le j < i$, $t, \lambda_{\ge j} \models \psi$

We write $t \models \varphi$ for $t, r \models \varphi$, where $r$ is the root of $t$. Given a CKS $\mathcal{S}$ and a $QCTL^*_{ii}$ formula $\varphi$, we also write $\mathcal{S} \models \varphi$ if $\mathcal{S}, s_\iota \models \varphi$.

Example 3.5. Consider the following CTL formula:

$border(p) := \mathbf{AF}\, p \wedge \mathbf{AG}(p \to \mathbf{AX}\, \mathbf{AG}\, \neg p).$

This formula holds in a labelled tree if and only if each path contains exactly one node labelled with $p$. Now, consider the following $QCTL^*_{ii}$ formula:

$level(p) := \exists^{\emptyset} p.\, border(p).$

For a blind quantifier, two nodes of a tree are indistinguishable if and only if they have the same depth. Therefore, this formula holds on a tree iff the $p$'s label all and only the nodes at some fixed depth. This formula can thus be used to capture the equal level predicate on trees. Actually, just as $QCTL^*$ captures MSO, one can prove that $QCTL^*_{ii}$ with tree semantics subsumes MSO with equal level [27, 56, 78]. In Theorem 3.7 we make use of a similar observation to prove that model-checking $QCTL^*_{ii}$ is undecidable.
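As an added example (not from the paper), the following Python code implements narrowing $z\downarrow_o$, $o$-indistinguishability on words and $o$-uniformity of a $p$-labelling from Definition 3.3 on a constructed CKS with $n = 2$ components, and uses them to check the observation of Example 3.5 that a blind quantifier ($o = \emptyset$) can only distinguish nodes by their depth. The structure, the candidate labellings and the helper names are assumptions of the example.

```python
# Constructed CKS with n = 2 components (an assumption of this example, not the paper's):
# L_1 = {"x", "y"}, L_2 = {0, 1}; a state is a pair (l1, l2) and s_iota = ("x", 0).
L = {1: ("x", "y"), 2: (0, 1)}
S_INIT = ("x", 0)


def successors(s):
    """Left-total transition relation R: the first component is free, the second flips."""
    return [(l1, 1 - s[1]) for l1 in L[1]]


def narrow(z, o):
    """z|o : keep the local states whose (1-based) index lies in o.
    For o = {} the result is (), which plays the role of the special symbol 0."""
    return tuple(z[i - 1] for i in sorted(o))


def indist(u, v, o):
    """u ~_o v on words over L_[n]: same length and component-wise o-indistinguishable."""
    return len(u) == len(v) and all(narrow(a, o) == narrow(b, o) for a, b in zip(u, v))


def unfold(depth):
    """Nodes of the tree unfolding t_S up to `depth`, i.e. the finite paths from s_iota."""
    frontier = [(S_INIT,)]
    nodes = list(frontier)
    for _ in range(depth):
        frontier = [u + (s,) for u in frontier for s in successors(u[-1])]
        nodes.extend(frontier)
    return nodes


def is_o_uniform(lp, nodes, o):
    """A p-labelling lp (node -> 0/1) is o-uniform if o-indistinguishable nodes agree on p."""
    return all(lp(u) == lp(v) for u in nodes for v in nodes if indist(u, v, o))


def classes(nodes, o):
    """Number of ~_o equivalence classes among `nodes` (a blind quantifier sees one per depth)."""
    reps = []
    for u in nodes:
        if not any(indist(u, r, o) for r in reps):
            reps.append(u)
    return len(reps)


# Candidate p-labellings (constructed for the example):
def by_depth(u):      # p holds exactly at depth 2: the shape level(p) enforces
    return int(len(u) == 3)


def by_first(u):      # p holds when the first component of the last state is "x"
    return int(u[-1][0] == "x")


def by_second(u):     # p holds when the second component of the last state is 1
    return u[-1][1]


if __name__ == "__main__":
    nodes = unfold(2)
    print(is_o_uniform(by_depth, nodes, set()))   # True
    print(is_o_uniform(by_first, nodes, set()))   # False
    print(is_o_uniform(by_first, nodes, {1}))     # True
    print(is_o_uniform(by_second, nodes, set()))  # True: component 2 is a function of depth
```

Note the last check: in this particular structure the second component flips at every step, so a labelling that reads it is $\emptyset$-uniform even though it looks at a local state. What a blind quantifier can choose is exactly what is a function of depth in the unfolding, not what is syntactically hidden from it.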

3.3 Discussion on the definition of QCTL*ii

We now motivate in detail some aspects of $QCTL^*_{ii}$.

Modelling of imperfect information. We model imperfect information by means of local states (rather than equivalence relations) because this greatly facilitates the use of automata techniques. More precisely, in our decision procedure of Section 4 we use an operation on tree automata called narrowing, which was introduced in [49] to deal with imperfect information in the context of distributed synthesis for temporal specifications. Given an automaton $\mathcal{A}$ that works on $X \times Y$-trees, where $X$ and $Y$ are two finite sets, and assuming that we want to model an operation performed on trees while observing only the $X$ component of each node, this narrowing operation allows one to build from $\mathcal{A}$ an automaton $\mathcal{A}'$ that works on $X$-trees, such that $\mathcal{A}'$ accepts an $X$-tree if and only if $\mathcal{A}$ accepts its widening to $X \times Y$ (intuitively, this widening is the $X \times Y$-tree in which each node is labelled as its projection on the original $X$-tree; see Section 4 for details).

With our definition of compound Kripke structures, their unfoldings are trees over the Cartesian product $L_{[n]}$. To model a quantification $\exists^{o} p$ with observation $o \subseteq [n]$, we can thus use the narrowing operation to forget about components $L_i$, for $i \in [n] \setminus o$. We then use the classic projection of nondeterministic tree automata to perform existential quantification on atomic proposition $p$. Since the choice of the $p$-labelling is made directly on $L_o$-trees, it is necessarily $o$-uniform.

Choice of the tree semantics. The two most studied semantics for $QCTL^*$ are the structure semantics, in which formulas are evaluated directly on Kripke structures, and the tree semantics, in which Kripke structures are first unfolded into infinite trees. Tree semantics thus allows quantifiers to choose the value of a quantified atomic proposition in each finite path of the model, while in structure semantics the choice is only made in each state. When $QCTL^*$ is used to express existence of strategies, existential quantification on atomic propositions labels the structure with strategic choices; in this kind of application, structure semantics reflects so-called positional or memoryless strategies, while tree semantics captures perfect-recall or memoryful strategies. Since in this work we are interested in perfect-recall strategies, we only consider the tree semantics.

3.4 Model checking QCTL*ii

We now define the model-checking problem studied in the rest of this section.

Definition 3.6 (Model checking $QCTL^*_{ii}$). The model-checking problem for $QCTL^*_{ii}$ is the following decision problem: given an instance $(\mathcal{S}, \Phi)$ where $\mathcal{S}$ is a CKS, and $\Phi$ is a $QCTL^*_{ii}$ formula, return 'Yes' if $\mathcal{S} \models \Phi$ and 'No' otherwise.

We now prove that the model-checking problem for $QCTL^*_{ii}$ is undecidable. This comes as no surprise since, as we will show in Section 5, $QCTL^*_{ii}$ can express the existence of distributed winning strategies in imperfect-information games. However we propose a proof that shows the connection between $QCTL^*_{ii}$ and MSO with equal-level predicate [27, 56, 78]. This proof also has the benefit of showing that $QCTL^*_{ii}$ is undecidable already for formulas that involve only propositional quantifiers that observe either everything or nothing.

Theorem 3.7. The model-checking problem for $QCTL^*_{ii}$ is undecidable.

Proof. Let $MSO_{eq}$ denote the extension of the logic MSO (without unary predicates) by a binary predicate symbol $eq$. $MSO_{eq}$ is interpreted on the full binary tree, and the semantics of $eq(x, y)$ is that $x$ and $y$ have the same depth in the tree. We show how to effectively translate $MSO_{eq}$ into $QCTL^*_{ii}$, and our result follows since the $MSO_{eq}$-theory of the binary tree is undecidable [56]. The translation from $MSO_{eq}$ to $QCTL^*_{ii}$ is obtained by extending that from MSO to QCTL [53], using the formula $level(\cdot)$ from Example 3.5 to help capture the equal-length predicate.

We define a translation $\widehat{\cdot}$ from $MSO_{eq}$ to $QCTL^*_{ii}$ such that for every tree $t$ with root $r$, nodes $u_1, \ldots, u_i \in t$ and sets of nodes $U_1, \ldots, U_j \subseteq t$, and every $MSO_{eq}$ formula $\varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j)$, we have that

$t, r, u_1, \ldots, u_i, U_1, \ldots, U_j \models \varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j)$ if and only if $\widehat{t}, r \models \widehat{\varphi}$   (1)

where $\widehat{t}$ is obtained from $t$ by defining the labelling for fresh atomic propositions $p_{x_k}$ and $p_{X_k}$, with $k \in [i]$, as follows: $p_{x_k} \in \widehat{\ell}(u)$ if $u = u_k$ and $p_{X_k} \in \widehat{\ell}(u)$ if $u \in U_k$.

The translation of MSO to $QCTL^*$ from [53] can be extended to one from $MSO_{eq}$ to $QCTL^*_{ii}$ by adding rules for the equal level predicate. Indeed, for $\varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j) \in MSO_{eq}$, we inductively define the $QCTL^*_{ii}$ formula $\widehat{\varphi}$ as follows, where $k \in [i]$:

$\widehat{x = x_k} := p_{x_k}$
$\widehat{x_k = x_l} := \mathbf{EF}(p_{x_k} \wedge p_{x_l})$
$\widehat{x \in X_k} := p_{X_k}$
$\widehat{x_k \in X_l} := \mathbf{EF}(p_{x_k} \wedge p_{X_l})$
$\widehat{\neg\varphi'} := \neg\widehat{\varphi'}$
$\widehat{\varphi_1 \vee \varphi_2} := \widehat{\varphi_1} \vee \widehat{\varphi_2}$
$\widehat{\exists x_k.\, \varphi'} := \exists p_{x_k}.\, uniq(p_{x_k}) \wedge \widehat{\varphi'}$
$\widehat{\exists X_k.\, \varphi'} := \exists p_{X_k}.\, \widehat{\varphi'}$
$\widehat{S(x, x_k)} := \mathbf{EX}\, p_{x_k}$
$\widehat{S(x_k, x)} := \bot$
$\widehat{S(x_k, x_l)} := \mathbf{EF}(p_{x_k} \wedge \mathbf{EX}\, p_{x_l})$

where $uniq(p) := \mathbf{EF}\, p \wedge \forall q.\, (\mathbf{EF}(p \wedge q) \to \mathbf{AG}(p \to q))$ holds in a tree iff it has exactly one node labelled with $p$. To understand the $x = x_k$ and $x \in X_k$ cases, consider that $x$ will be interpreted as the root. For the $S(x_k, x)$ case, observe that $x$ has no incoming edge since it is interpreted as the root. Second-order quantification $\exists X_k$ is translated into quantification on atomic proposition $p_{X_k}$, and first-order quantification $\exists x_k$ is treated similarly, with the additional constraint that quantification is limited to $p_{x_k}$-labellings that set $p_{x_k}$ to true in one and only one node of the tree.

The rules for $eq$ are as follows:

$\widehat{eq(x, x_k)} := p_{x_k}$
$\widehat{eq(x_k, x_l)} := \exists^{\emptyset} p.\, border(p) \wedge \mathbf{AG}(p_{x_k} \to p \wedge p_{x_l} \to p)$

To understand the first case, observe that since $x$ is interpreted as the root, $x_k$ is on the same level as $x$ if and only if it is also assigned the root. For the second case, recall from Example 3.5 that the $QCTL^*_{ii}$ formula $\exists^{\emptyset} p.\, border(p)$ places one unique horizontal line of $p$'s in the tree, and thus requiring that $x_k$ and $x_l$ be both on this line ensures that they are on the same level. The correctness of the translation follows from (1), which is proven by induction.

Now take an instance $(t, \varphi(x))$ of the model-checking problem for $MSO_{eq}$ on the full binary tree $t$. Let $\mathcal{S}$ be a CKS with two states $s_0$ and $s_1$ (local states are irrelevant here), whose transition relation is the complete relation, and with empty labelling function. Clearly, $t_\mathcal{S} = t$, and applying (1) we get:

$t, s_0 \models \varphi(x)$ iff $\widehat{t}, s_0 \models \widehat{\varphi}$.

Observe that in the previous line, because there are no free variables besides $x$, which stands for the root, we have that $\widehat{t} = t = t_\mathcal{S}$, hence we have indeed produced an instance of the model-checking problem for $QCTL^*_{ii}$. □

4 A DECIDABLE FRAGMENT OF QCTL*ii: HIERARCHY ON OBSERVATIONS

The main result of this section is the identification of an important decidable fragment of $QCTL^*_{ii}$.

Definition 4.1 (Hierarchical formulas). A $QCTL^*_{ii}$ formula $\varphi$ is hierarchical if for all subformulas $\varphi_1 = \exists^{o_1} p_1.\, \varphi'_1$ and $\varphi_2 = \exists^{o_2} p_2.\, \varphi'_2$ of $\varphi$ where $\varphi_2$ is a subformula of $\varphi'_1$, we have $o_1 \subseteq o_2$.

In other words, a formula is hierarchical if innermore propositional quantifiers observe at least as much as outermore ones.

Example 4.2. Formula $\exists^{\{1,2\}} p.\, \exists^{\{1,2,4\}} q.\, \mathbf{AG}(p \vee q)$ is hierarchical because $\{1, 2\} \subseteq \{1, 2, 4\}$. On the other hand, formula $\exists^{\{1,2\}} p.\, \exists^{\{1,2,4\}} q.\, \mathbf{AG}(p \vee q) \wedge \exists^{\{3\}} q'.\, \mathbf{EF}(p \wedge q')$ is not, because $\{1, 2\} \not\subseteq \{3\}$. Note that neither is it the case that $\{3\} \subseteq \{1, 2\}$: the observation powers of quantifiers $\exists^{\{1,2\}} p.$ and $\exists^{\{3\}} q'.$ are incomparable. Finally, formula $\forall^{\{1,2,3\}} p.\, \exists^{\{1,2\}} q.\, \mathbf{AG}(p \vee q)$ is not hierarchical even though $\{1, 2\} \subseteq \{1, 2, 3\}$, as the quantifier that observes best is higher in the syntactic tree.
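Definition 2.6 and Definition 4.1 share one shape: walk the syntactic tree and require that every quantifier be finer than all quantifiers above it, with "finer" meaning $\mathcal{O}(o_2) \subseteq \mathcal{O}(o_1)$ for $SL_{ii}$ and $o_1 \subseteq o_2$ for $QCTL^*_{ii}$. The following Python code is an added example, not the paper's: it implements that check once, parameterised by the finer-than relation, and runs it on the three formulas of Example 4.2, on the promotion chain of Example 2.8 and on the fault-tolerance formula of Example 2.7. The tuple encoding of formulas, the position set $\{0, 1, 2, 3\}$ and the partitions interpreting the observation symbols are assumptions of the example.

```python
# Formula syntax trees (constructed representation, not the paper's):
#   ("Q", o, body)   a quantifier node (exists^o p., forall^o p., or <<x>>^o) with observation o
#   ("atom", name)   an atomic proposition
#   (op, *children)  any other connective, binding or temporal operator
# Bindings, negations and temporal operators never affect hierarchy; only quantifier nesting does.


def is_hierarchical(formula, finer):
    """True iff for every quantifier nested (at any depth) inside another quantifier,
    the inner observation is finer than the outer one: finer(inner, outer) holds."""
    def walk(node, enclosing):
        if node[0] == "Q":
            o = node[1]
            if not all(finer(o, outer) for outer in enclosing):
                return False
            return walk(node[2], enclosing + (o,))
        return all(walk(child, enclosing)
                   for child in node[1:] if isinstance(child, tuple))
    return walk(formula, ())


# --- QCTL*_ii (Definition 4.1): observations are index sets; o2 is finer than o1 iff o1 <= o2.
def finer_qctl(inner, outer):
    return outer <= inner


P, Q, Q2 = ("atom", "p"), ("atom", "q"), ("atom", "q'")
f1 = ("Q", {1, 2}, ("Q", {1, 2, 4}, ("AG", ("or", P, Q))))
f2 = ("Q", {1, 2}, ("and", ("Q", {1, 2, 4}, ("AG", ("or", P, Q))),
                           ("Q", {3}, ("EF", ("and", P, Q2)))))
f3 = ("Q", {1, 2, 3}, ("Q", {1, 2}, ("AG", ("or", P, Q))))   # forall^{1,2,3} p. exists^{1,2} q.


# --- SL_ii (Definition 2.6): an observation symbol o is interpreted as an equivalence relation
# O(o) on positions; o2 is finer than o1 iff O(o2) <= O(o1).  O is built here from partitions
# of a constructed set of positions {0, 1, 2, 3}.
def relation(partition):
    return frozenset((v, w) for block in partition for v in block for w in block)


O = {
    "o1": relation([{0, 1, 2, 3}]),             # lowest clearance: sees nothing
    "o2": relation([{0, 1}, {2, 3}]),
    "o3": relation([{0}, {1}, {2}, {3}]),       # highest clearance: sees everything
    "o_minus_1": relation([{0, 1}, {2}, {3}]),  # sensor 1 lost: positions 0 and 1 merge
}


def finer_sl(inner, outer):
    return O[inner] <= O[outer]


def promote_chain(levels, goal=("atom", "goal")):
    """phi_1(phi_2(... phi_n(goal))) from Example 2.8, with levels = ["o1", ..., "on"]."""
    if not levels:
        return goal
    o, rest = levels[0], levels[1:]
    return ("or", goal, ("and", ("atom", "promote_" + o),
                        ("Q", o, ("bind", "a", ("AF", promote_chain(rest, goal))))))


# Example 2.7 with a single sensor: the outer strategy observes with o3 (all sensors),
# the fallback after fault_1 uses the coarser o_minus_1.
fault_formula = ("Q", "o3", ("bind", "a", ("and",
                 ("AG", ("atom", "safe")),
                 ("implies", ("atom", "fault_1"),
                  ("Q", "o_minus_1", ("bind", "a", ("AG", ("atom", "safe_1"))))))))


if __name__ == "__main__":
    print(is_hierarchical(f1, finer_qctl), is_hierarchical(f2, finer_qctl),
          is_hierarchical(f3, finer_qctl))                              # True False False
    print(is_hierarchical(promote_chain(["o1", "o2", "o3"]), finer_sl))  # True
    print(is_hierarchical(fault_formula, finer_sl))                      # False
```

Because the check compares each quantifier with every enclosing one rather than only with its nearest ancestor, it also rejects a formula whose observations go finer, then coarser, then finer again; the definitions quantify over all pairs of nested quantifiers, and so does the walk.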

We let $QCTL^*_{i,\subseteq}$ be the set of hierarchical $QCTL^*_{ii}$ formulas.

Theorem 4.3. Model checking $QCTL^*_{i,\subseteq}$ is non-elementary decidable.

Since our decision procedure for the hierarchical fragment of $QCTL^*_{ii}$ is based on an automata-theoretic approach, we recall some definitions and results for alternating tree automata.

4.1 Alternating parity tree automata

We recall alternating parity tree automata. Because their semantics is defined via acceptance games, we start with basic definitions for two-player turn-based parity games, or simply parity games.

Parity games. A parity game is a structure $\mathcal{G} = (V, E, v_\iota, C)$, where $V = V_E \uplus V_A$ is a set of positions partitioned between positions of Eve ($V_E$) and those of Adam ($V_A$), $E \subseteq V \times V$ is a set of moves, $v_\iota$ is an initial position and $C : V \to \mathbb{N}$ is a colouring function of finite codomain. In positions $V_E$, Eve chooses the next position, while Adam chooses in positions $V_A$. A play is an infinite sequence of positions $v_0 v_1 v_2 \ldots$ such that $v_0 = v_\iota$ and for all $i \ge 0$, $(v_i, v_{i+1}) \in E$ (written $v_i \to v_{i+1}$). We assume that for every $v \in V$ there exists $v' \in V$ such that $v \to v'$. A strategy for Eve is a partial function $V^* \rightharpoonup V$ that maps each finite prefix of a play ending in a position $v \in V_E$ to a next position $v'$ such that $v \to v'$. A play $v_0 v_1 v_2 \ldots$ follows a strategy $\sigma$ of Eve if for every $i \ge 0$ such that $v_i \in V_E$, $v_{i+1} = \sigma(v_0 \ldots v_i)$. A strategy $\sigma$ is winning if every play that follows it satisfies the parity condition, i.e., the least colour seen infinitely often along the play is even.
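Parity games as defined above are solved by Zielonka's recursive attractor algorithm. The following Python code is an added example (not from the paper) that computes Eve's and Adam's winning regions under the convention used here, namely that the least colour seen infinitely often must be even for Eve to win. The four-position game is constructed for the example.

```python
# Constructed parity game (an assumption of this example, not one from the paper).
# Positions v0..v3; owner "E" (Eve) or "A" (Adam); Eve wins a play iff the least colour
# seen infinitely often is even.
V = {"v0", "v1", "v2", "v3"}
E = {"v0": {"v1", "v2"}, "v1": {"v0", "v3"}, "v2": {"v2"}, "v3": {"v3", "v1"}}
OWNER = {"v0": "E", "v1": "A", "v2": "E", "v3": "A"}
COLOUR = {"v0": 1, "v1": 0, "v2": 2, "v3": 1}


def attractor(positions, target, player, edges=E, owner=OWNER):
    """Positions of the subgame `positions` from which `player` can force a visit to `target`:
    the player needs one successor in the set, the opponent must have all successors in it."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in positions - attr:
            succ = edges[v] & positions           # moves leaving the subgame do not exist
            mine = owner[v] == player
            if (mine and succ & attr) or (not mine and succ <= attr):
                attr.add(v)
                changed = True
    return attr


def zielonka(positions, colour=COLOUR):
    """Zielonka's recursive algorithm; returns (W_E, W_A), the positions from which Eve,
    respectively Adam, has a winning strategy for the parity condition."""
    if not positions:
        return set(), set()
    d = min(colour[v] for v in positions)          # the most significant (least) colour ...
    player = "E" if d % 2 == 0 else "A"            # ... is good for this player
    opponent = "A" if player == "E" else "E"
    attr = attractor(positions, {v for v in positions if colour[v] == d}, player)
    win = dict(zip(("E", "A"), zielonka(positions - attr, colour)))
    if not win[opponent]:                          # opponent wins nowhere in the rest
        return (positions, set()) if player == "E" else (set(), positions)
    block = attractor(positions, win[opponent], opponent)
    win = dict(zip(("E", "A"), zielonka(positions - block, colour)))
    win[opponent] |= block
    return win["E"], win["A"]


def eve_wins_from(v_init):
    """Whether Eve has a winning strategy in the game with initial position v_init."""
    return v_init in zielonka(V)[0]


if __name__ == "__main__":
    print(zielonka(V))          # ({'v0', 'v2'}, {'v1', 'v3'})
    print(eve_wins_from("v0"))  # True
```

In the constructed game Eve wins from $v_0$ by moving to the self-loop on $v_2$ (colour 2), while Adam wins from $v_1$ by moving to $v_3$ and looping there on colour 1. Removing an attractor keeps the remaining subgame left-total, which is why the recursion never meets a position without successors.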

Parity tree automata. Because it is sufficient for our needs and simplifies definitions, we assume that all input trees are complete trees. For a set $Z$, $\mathcal{B}^+(Z)$ is the set of formulas built from the elements of $Z$ as atomic propositions using the connectives $\vee$ and $\wedge$, and with $\top, \bot \in \mathcal{B}^+(Z)$. An alternating tree automaton (ATA) on $(AP, X)$-trees is a structure $\mathcal{A} = (Q, \delta, q_\iota, C)$ where $Q$ is a finite set of states, $q_\iota \in Q$ is an initial state, $\delta : Q \times 2^{AP} \to \mathcal{B}^+(X \times Q)$ is a transition function, and $C : Q \to \mathbb{N}$ is a colouring function. To ease reading we shall write atoms in $\mathcal{B}^+(X \times Q)$ between brackets, such as $[x, q]$. A nondeterministic tree automaton (NTA) on $(AP, X)$-trees is an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$ such that for every $q \in Q$ and $a \in 2^{AP}$, $\delta(q, a)$ is written in disjunctive normal form and for every direction $x \in X$ each disjunct contains exactly one element of $\{x\} \times Q$. An NTA is deterministic if for each $q \in Q$ and $a \in 2^{AP}$, $\delta(q, a)$ consists of a single disjunct.

Acceptance of a pointed labelled tree $(t, u_\iota)$, where $t = (\tau, \ell)$, by an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$ is defined via the parity game $\mathcal{G}(\mathcal{A}, t, u_\iota) = (V, E, v_\iota, C')$ where $V = \tau \times Q \times \mathcal{B}^+(X \times Q)$, position $(u, q, \alpha)$ belongs to Eve if $\alpha$ is of the form $\alpha_1 \vee \alpha_2$ or $[x, q']$, and to Adam otherwise, $v_\iota = (u_\iota, q_\iota, \delta(q_\iota, \ell(u_\iota)))$, and $C'(u, q, \alpha) = C(q)$. Moves in $\mathcal{G}(\mathcal{A}, t, u_\iota)$ are defined by the following rules:

$(u, q, \alpha_1 \dagger \alpha_2) \to (u, q, \alpha_i)$ where $\dagger \in \{\vee, \wedge\}$ and $i \in \{1, 2\}$,
$(u, q, [x, q']) \to (u \cdot x, q', \delta(q', \ell(u \cdot x)))$

Positions of the form $(u, q, \top)$ and $(u, q, \bot)$ are sinks, winning for Eve and Adam respectively.

A pointed labelled tree $(t, u)$ is accepted by $\mathcal{A}$ if Eve has a winning strategy in $\mathcal{G}(\mathcal{A}, t, u)$, and the language of $\mathcal{A}$ is the set of pointed labelled trees accepted by $\mathcal{A}$, written $\mathcal{L}(\mathcal{A})$. We write $t \in \mathcal{L}(\mathcal{A})$ if $(t, r) \in \mathcal{L}(\mathcal{A})$, where $r$ is the root of $t$. Finally, the size $|\mathcal{A}|$ of an ATA $\mathcal{A}$ is its number of states plus the sum of the sizes of all formulas appearing in the transition function.

Word automata. When the set of directions $X$ is a singleton, directions can be forgotten and infinite trees can be identified with infinite words. We thus call parity word automaton a parity tree automaton on $(AP, X)$-trees where $X$ is a singleton. In the case of a nondeterministic parity word automaton, transitions can be represented as usual as a mapping $\Delta : Q \times 2^{AP} \to 2^{Q}$ which, in a state $q \in Q$, reading the label $a \in 2^{AP}$ of the current position in the word, indicates a set of states $\Delta(q, a)$ from which Eve can choose to send in the next position of the word.

We recall four classic operations on tree automata.

Complementation. Given an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$, we define its dual $\overline{\mathcal{A}} = (Q, \overline{\delta}, q_\iota, \overline{C})$ where, for each $q \in Q$ and $a \in 2^{AP}$, $\overline{\delta}(q, a)$ is the dual of $\delta(q, a)$, i.e., conjunctions become disjunctions and vice versa, and $\overline{C}(q) := C(q) + 1$.

Theorem 4.4 (Complementation [61]). For every labelled tree $t$ and node $u$ in $t$,
$$(t, u) \in \mathcal{L}(\overline{\mathcal{A}}) \text{ if, and only if, } (t, u) \notin \mathcal{L}(\mathcal{A}).$$

Projection. The second construction is a projection operation, used by Rabin to deal with second-order monadic quantification:

Theorem 4.5 (Projection [71]). Given an NTA $\mathcal{N}$ on $(AP, X)$-trees and an atomic proposition $p \in AP$, one can build in linear time an NTA $\mathcal{N}{\Downarrow}p$ on $(AP \setminus \{p\}, X)$-trees such that
$$(t, u) \in \mathcal{L}(\mathcal{N}{\Downarrow}p) \text{ iff there exists a } p\text{-labelling } \ell_p \text{ for } t \text{ s.t. } (t \otimes \ell_p, u) \in \mathcal{L}(\mathcal{N}).$$

Intuitively, $\mathcal{N}{\Downarrow}p$ is automaton $\mathcal{N}$ with the only difference that when it reads the label of a node, it can choose to run as if $p$ was either true or false: if $\delta$ is the transition function of $\mathcal{N}$, that of $\mathcal{N}{\Downarrow}p$ is $\delta'(q, a) = \delta(q, a \cup \{p\}) \vee \delta(q, a \setminus \{p\})$, for any state $q$ and label $a \in 2^{AP}$. Another way of seeing it is that $\mathcal{N}{\Downarrow}p$ guesses a $p$-labelling for the input tree, and simulates $\mathcal{N}$ on this modified input.
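As an added illustration (our own code, not the paper's), the following Python encodes $\mathcal{B}^+(X \times Q)$ formulas as nested tuples and implements the notions defined above: the dual used for complementation, the DNF shape that makes an ATA an NTA (and a deterministic one), and the projected transition function $\delta'(q,a) = \delta(q, a \cup \{p\}) \vee \delta(q, a \setminus \{p\})$. The one-state automaton on binary trees at the end is constructed for the example.

```python
# Added example (our own code, not the paper's): B+(X x Q) formulas as nested tuples.
TRUE, FALSE = ("true",), ("false",)

def atom(x, q):  # the atom written [x,q]: send a copy in state q along direction x
    return ("atom", x, q)

def Or(*fs): return ("or",) + fs
def And(*fs): return ("and",) + fs

def dual(f):
    """Dual formula for the complement automaton: swap ∨ with ∧ and ⊤ with ⊥."""
    tag = f[0]
    if tag in ("true", "false"):
        return FALSE if tag == "true" else TRUE
    if tag == "atom":
        return f
    return ("and" if tag == "or" else "or",) + tuple(dual(g) for g in f[1:])

def disjuncts(f):
    """Top-level disjuncts of f, reading ⊥ as the empty disjunction."""
    if f[0] == "false":
        return []
    return [d for g in f[1:] for d in disjuncts(g)] if f[0] == "or" else [f]

def conjuncts(f):
    return [c for g in f[1:] for c in conjuncts(g)] if f[0] == "and" else [f]

def is_nta_formula(f, X):
    """NTA condition: DNF whose every disjunct has exactly one atom [x,.] per x in X."""
    for d in disjuncts(f):
        atoms = conjuncts(d)
        if any(a[0] != "atom" for a in atoms):
            return False
        if any(sum(a[1] == x for a in atoms) != 1 for x in X):
            return False
    return True

def is_deterministic_formula(f, X):
    return is_nta_formula(f, X) and len(disjuncts(f)) == 1

def project(delta, p):
    """Transition function of N⇓p: δ'(q,a) = δ(q, a ∪ {p}) ∨ δ(q, a \\ {p})."""
    return lambda q, a: Or(delta(q, frozenset(a) | {p}), delta(q, frozenset(a) - {p}))

# Constructed deterministic NTA on binary (AP,X)-trees, X = {0,1}, AP = {p}: its
# single state "q" accepts exactly the tree labelled p at every node.
X = (0, 1)
def delta(q, a):
    return And(atom(0, "q"), atom(1, "q")) if "p" in a else FALSE
```

Projecting away $p$ here leaves a formula that is still in NTA shape, since the $\bot$ branch contributes no disjunct; for a genuinely alternating $\delta$ this is not guaranteed, which is why Theorem 4.6 is needed before projecting.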

Simulation. To prevent $\mathcal{N}{\Downarrow}p$ from guessing different labels for the same node in different executions, it is crucial that $\mathcal{N}$ be nondeterministic, which is the reason why we need the following result:

Theorem 4.6 (Simulation [61]). Given an ATA $\mathcal{A}$, one can build in exponential time an NTA $\mathcal{N}$ such that $\mathcal{L}(\mathcal{N}) = \mathcal{L}(\mathcal{A})$.

The last construction was introduced by Kupferman and Vardi to deal with imperfect information aspects in distributed synthesis. To describe it we need to define a widening operation on trees which expands the directions in a tree.

Tree widening. We generalise the widening operation defined in [49]. In the following definitions we fix a CKS $\mathcal{S} = (S, R, s_\iota, \ell)$, and for $I \subseteq [n]$ we let $S_I := \{s{\downarrow}_I \mid s \in S\} \subseteq L_I$ (recall that $L_I = \prod_{i \in I} L_i$).


Let $J \subseteq I \subseteq [n]$. For every $S_J$-tree $\tau$ rooted in $s_J$ and $s_I \in S_I$ such that $s_I{\downarrow}_J = s_J$, we define the $I$-widening of $\tau$ as the $S_I$-tree
$$\tau{\uparrow}^I_{s_I} := \{u \in s_I \cdot S_I^* \mid u{\downarrow}_J \in \tau\}.$$

For an $(AP, S_J)$-tree $t = (\tau, \ell)$ rooted in $s_J$ and $s_I \in S_I$ such that $s_I{\downarrow}_J = s_J$, we let
$$t{\uparrow}^I_{s_I} := (\tau{\uparrow}^I_{s_I}, \ell'), \quad \text{where } \ell'(u) := \ell(u{\downarrow}_J).$$

When clear from the context we may omit the subscript $s_I$. It is the case in particular when referring to pointed widenings of trees: $(t{\uparrow}^I, u)$ stands for $(t{\uparrow}^I_{u_0}, u)$.

Narrowing. We now state a result from [49] in our slightly more general setting (the proof can be adapted straightforwardly). The rough idea of this narrowing operation on ATA is that, if one just observes $S_J$, uniform $p$-labellings on $S_I$-trees can be obtained by choosing the labellings directly on $S_J$-trees, and then lifting them to $S_I$.

Theorem 4.7 (Narrowing [49]). Given an ATA $\mathcal{A}$ on $S_I$-trees one can build in linear time an ATA $\mathcal{A}{\downarrow}J$ on $S_J$-trees such that for every pointed $(AP, S_J)$-tree $(t, u)$ and every $u' \in S_I^+$ such that $u'{\downarrow}_J = u$,
$$(t, u) \in \mathcal{L}(\mathcal{A}{\downarrow}J) \text{ iff } (t{\uparrow}^I, u') \in \mathcal{L}(\mathcal{A}).$$
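As an added worked instance of the widening defined above and of the uniform labellings that narrowing relies on (our own code, not from the paper or from [49]), the following Python computes a finite prefix of $t{\uparrow}^I_{s_I}$ for a constructed two-component CKS and checks that the lifted labelling $\ell'(u) = \ell(u{\downarrow}_J)$ is uniform with respect to what is observable in $S_J$. The local state sets, the tree $\tau$ and the labelling $\ell$ are our own choices for the example.

```python
from itertools import product

# Added example (our own code, not the paper's). Constructed instance: n = 2 components
# with local state sets L_1 = {"a","b"} and L_2 = {0,1}; a state of L_I is a tuple of
# (i, local state) pairs and a tree node is a non-empty tuple of such states.
L = {1: ("a", "b"), 2: (0, 1)}

def states(I):
    """All states of L_I = Π_{i∈I} L_i."""
    I = sorted(I)
    return [tuple(zip(I, vals)) for vals in product(*(L[i] for i in I))]

def proj(s, J):
    """s↓J: keep the components of s that lie in J."""
    return tuple((i, v) for i, v in s if i in J)

def proj_node(u, J):
    """u↓J, the projection applied to every state of the node u."""
    return tuple(proj(s, J) for s in u)

def widen(in_tau, ell, I, J, sI, depth):
    """Prefix up to `depth` of the I-widening (τ↑I_{sI}, ℓ') of the S_J-tree (τ, ℓ):
    τ↑I_{sI} = {u ∈ sI·S_I* | u↓J ∈ τ} and ℓ'(u) = ℓ(u↓J). τ is given as a membership test."""
    assert in_tau((proj(sI, J),)), "s_I must project onto the root of τ"
    nodes, frontier = {(sI,)}, [(sI,)]
    for _ in range(depth):
        frontier = [u + (s,) for u in frontier for s in states(I)
                    if in_tau(proj_node(u + (s,), J))]
        nodes.update(frontier)
    return nodes, {u: ell(proj_node(u, J)) for u in nodes}

def is_uniform(labels, J):
    """Uniformity w.r.t. observing S_J: nodes with equal J-projections carry equal labels."""
    seen = {}
    return all(seen.setdefault(proj_node(u, J), lab) == lab for u, lab in labels.items())

# Constructed S_J-tree for J = {1}, rooted in SA: nodes never contain two consecutive SB.
SA, SB = ((1, "a"),), ((1, "b"),)
def in_tau(u):
    return u[0] == SA and all((u[k], u[k + 1]) != (SB, SB) for k in range(len(u) - 1))

def ell(u):  # p holds exactly at nodes ending in SB
    return frozenset({"p"}) if u[-1] == SB else frozenset()

def example(depth=2):
    """Widen (τ, ℓ) from S_{1} to S_{1,2} from root (a,0); returns node count and uniformity."""
    nodes, labels = widen(in_tau, ell, {1, 2}, {1}, ((1, "a"), (2, 0)), depth)
    return len(nodes), is_uniform(labels, {1})
```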

4.2 Translating $\mathrm{QCTL}^*_{i,\subseteq}$ to ATA

In order to prove Theorem 4.3 we need some more notations and a technical lemma that contains the automata construction.

Definition 4.8. For every $\varphi \in \mathrm{QCTL}^*_{ii}$, we let
$$I_\varphi := \bigcap_{o \in Obs(\varphi)} o \subseteq [n],$$
where $Obs(\varphi)$ is the set of concrete observations that occur in $\varphi$, with the intersection over the empty set defined as $[n]$. For a CKS $\mathcal{S}$ with state set $S \subseteq \prod_{i \in [n]} L_i$ we also let $S_\varphi := \{s{\downarrow}_{I_\varphi} \mid s \in S\}$.

Elements of $S_\varphi$ will be the possible directions used by the automaton we build for $\varphi$. In other words, the automaton for $\varphi$ will work on $S_\varphi$-trees. The intuition is that the observations in $\varphi$ determine which components of the model's states can be observed by the automaton.

Our construction, which transforms a $\mathrm{QCTL}^*_{i,\subseteq}$ formula $\varphi$ and a CKS $\mathcal{S}$ into an ATA, builds upon the classic construction from [51], which builds ATA for $\mathrm{CTL}^*$ formulas. In addition, we use projection of automata to treat second-order quantification, and to deal with imperfect information we resort to automata narrowing.

Moreover, we use tree automata in an original way that allows us to deal with non-observable atomic propositions, which in turn makes it possible to consider non-observable winning conditions in our decidable fragment of $\mathrm{SL}_{ii}$. The classical approach to model checking via tree automata is to build an automaton that accepts all tree models of the input formula, and check whether it accepts the unfolding of the model [51]. We instead encode the model in the automata, using the input tree only to guess labellings for quantified propositions.

Encoding the model in the automaton. Quantification on atomic propositions is classically performed by means of automata projection (see Theorem 4.5). But in order to obtain a labelling that is uniform with regards to the observation of the quantifier, we need to make use of the narrowing operation (see Theorem 4.7). Intuitively, to check that a formula $\exists^o p.\,\varphi$ holds in a tree $t$, we would like to work on its narrowing $t' := t{\downarrow}_o$, guess a labelling for $p$ on this tree thanks to automata projection, thus obtaining a tree $t'_p$, take its widening $t''_p := t'_p{\uparrow}^{[n]}$, obtaining a tree with an
