Abstract

We introduce an extension of Strategy Logic for the imperfect-information setting, called $\mathrm{SL}_{ii}$, and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, this problem is undecidable; but we introduce a syntactical class of "hierarchical instances" for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model, and we prove that model-checking $\mathrm{SL}_{ii}$ restricted to hierarchical instances is decidable. To establish this result we go through $\mathrm{QCTL}$, an intermediary, "low-level" logic much more adapted to automata techniques. $\mathrm{QCTL}$ is an extension of $\mathrm{CTL}$ with second-order quantification over atomic propositions. We extend it to the imperfect information setting by parameterising second-order quantifiers with observations. While the model-checking problem of $\mathrm{QCTL}_{ii}$ is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable. We apply our result to solve complex strategic problems in the imperfect-information setting. We first show that the existence of Nash equilibria for deterministic strategies is decidable in games with hierarchical information. We also introduce distributed rational synthesis, a generalisation of rational synthesis to the imperfect-information setting. Because it can easily be expressed in our logic, our main result provides a solution to this problem in the case of hierarchical information.
Strategy Logic with Imperfect Information
RAPHAËL BERTHON, École Normale Supérieure de Rennes, France
BASTIEN MAUBERT, Università degli Studi di Napoli “Federico II”, Italy
ANIELLO MURANO, Università degli Studi di Napoli “Federico II”, Italy
SASHA RUBIN, Università degli Studi di Napoli “Federico II”, Italy
MOSHE Y. VARDI, Rice University, USA
We introduce an extension of Strategy Logic for the imperfect-information setting, called $\mathrm{SL}_{ii}$, and study its model-checking problem. As this logic naturally captures multi-player games with imperfect information, this problem is undecidable; but we introduce a syntactical class of “hierarchical instances” for which, intuitively, as one goes down the syntactic tree of the formula, strategy quantifications are concerned with finer observations of the model, and we prove that model-checking $\mathrm{SL}_{ii}$ restricted to hierarchical instances is decidable. This result, because it allows for complex patterns of existential and universal quantification on strategies, greatly generalises the decidability of distributed synthesis for systems with hierarchical information. It allows us to easily derive new decidability results concerning strategic problems under imperfect information such as the existence of Nash equilibria, or rational synthesis.

To establish this result we go through an intermediary, “low-level” logic much more adapted to automata techniques. $\mathrm{QCTL}$ is an extension of $\mathrm{CTL}$ with second-order quantification over atomic propositions that has been used to study strategic logics with perfect information. We extend it to the imperfect information setting by parameterising second-order quantifiers with observations. The simple syntax of the resulting logic, $\mathrm{QCTL}_{ii}$, allows us to provide a conceptually neat reduction of $\mathrm{SL}_{ii}$ to $\mathrm{QCTL}_{ii}$ that separates concerns, allowing one to forget about strategies and players and focus solely on second-order quantification. While the model-checking problem of $\mathrm{QCTL}_{ii}$ is, in general, undecidable, we identify a syntactic fragment of hierarchical formulas and prove, using an automata-theoretic approach, that it is decidable.
CCS Concepts: • Theory of computation → Logic and verification; Modal and temporal logics; Automata over infinite objects;
Additional Key Words and Phrases: strategic reasoning, imperfect information, perfect recall, distributed
synthesis, hierarchical information, Nash equilibria, rational synthesis
ACM Reference Format:
Raphaël Berthon, Bastien Maubert, Aniello Murano, Sasha Rubin, and Moshe Y. Vardi. 2020. Strategy Logic with
Imperfect Information. ACM Trans. Comput. Logic 1, 1 (March 2020), 50 pages. https://doi.org/0000001.0000001
1 INTRODUCTION
Temporal logics such as LTL [67] or CTL [28] are extremely successful logics that have been studied in great detail and extended in many directions along the past decades, notably in relation with
Authors’ addresses: Raphaël Berthon, École Normale Supérieure de Rennes, Computer Science and Telecommunication,
Rennes, France, raphael.berthon@ens-rennes.fr; Bastien Maubert, Università degli Studi di Napoli “Federico II”, DIETI,
Naples, Italy, bastien.maubert@gmail.com; Aniello Murano, Università degli Studi di Napoli “Federico II”, DIETI, Naples, Italy,
murano@na.infn.it; Sasha Rubin, Università degli Studi di Napoli “Federico II”, DIETI, Naples, Italy, sasha.rubin@unina.it;
Moshe Y. Vardi, Rice University, Houston, Texas, USA, vardi@cs.rice.edu.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
©2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.
1529-3785/2020/3-ART $15.00
https://doi.org/0000001.0000001
ACM Trans. Comput. Logic, Vol. 1, No. 1, Article . Publication date: March 2020.
2 R. Berthon, B. Maubert, A. Murano, S. Rubin and M. Y. Vardi
the development of the model-checking approach to program verification [22]. When considering
systems with multiple components such as multi-agent systems or distributed programs, popular
extensions of temporal logics are the family of so-called logics for strategic reasoning, or strategic
logics, which introduce operators that can express the existence of strategies for components to
ensure that the system’s executions satisfy certain temporal properties.
A foundational logic in this family is Alternating-time Temporal Logic (ATL) [1]. It extends CTL with a coalition operator $\langle\!\langle A\rangle\!\rangle\varphi$, where $A$ is a subset of components/agents of the system, which reads as “coalition $A$ has a strategy to enforce property $\varphi$ no matter what the other components/agents do”. This logic is thus quite expressive, as it allows for instance to express the existence of winning strategies in games played on graphs. However it is not well suited to reason about other important solution concepts in game theory, such as Nash equilibria. To address this problem Strategy Logic (SL) was introduced [20, 60]. In SL strategies are treated as first-order objects, thanks to strategy variables $x$ that can be quantified upon and bound to players: $\langle\!\langle x\rangle\!\rangle$ reads as “there exists a strategy $x$”, and $(a,x)$ reads as “strategy $x$ is assigned to player $a$”. This leads to a very expressive logic that can express many solution concepts from game theory such as best response, existence of Nash equilibria or subgame-perfect equilibria.
Imperfect information. An essential property of realistic multi-player games is that players often have a limited view of the system. Such imperfect information, or partial observation, is usually captured by equipping the models with equivalence relations $\sim_o$ (called observations) over the state space, that specify indistinguishable states. Strategies are then required to be uniform, i.e., they cannot assign different moves to indistinguishable situations. Imperfect information is known to make games computationally harder to solve. For two-player reachability games, Reif showed in [73] that deciding the existence of winning strategies is Exptime-complete for imperfect information, while it is in Ptime for perfect information. This result has later been generalised to omega-regular objectives [7, 26], and adapted to the setting of program synthesis from temporal specifications [49, 68]. In the case of multiple players/components/agents, which interests us here, the situation is even worse: the existence of distributed winning strategies is undecidable already for two players with incomparable observation trying to enforce some reachability objective in the presence of an adversarial third player [65], and a similar result was also proved in the framework of distributed synthesis [69]. Since then, the formal-methods community has spent much effort finding restrictions and variations that ensure decidability [8, 31, 35, 50, 64, 66, 69, 74]. The common thread in these approaches is hierarchical information: players can be totally ordered according to how well they observe the game. Another line of works establishes that decidability can be retained by forbidding private communication, i.e., by considering variants around the idea that all new information should be public [4, 5, 11, 72, 79, 80].
Strategy Logic with imperfect information. We propose an extension of Strategy Logic to the imperfect-information setting, which we call $\mathrm{SL}_{ii}$. The first step is to choose how to introduce imperfect information in the logic. In the formal-methods literature it is typical to associate observations to players. In $\mathrm{SL}_{ii}$, instead, we associate observations to strategies: the strategy quantifier $\langle\!\langle x\rangle\!\rangle$ from SL is now parameterised by observation $o$, written $\langle\!\langle x\rangle\!\rangle^{o}$. This novelty allows one to express, in the logic, that a player's observation changes over time, to capture for instance the loss of a sensor resulting in a diminished observation power. We also add to our logic $\mathrm{SL}_{ii}$ the outcome quantifier $\mathbf{A}$ from Branching-time Strategy Logic (BSL) [45], which quantifies on outcomes of strategies currently used by the agents, and the unbinding operator $(a,?)$, which frees an agent from her current strategy. This does not increase the expressivity of the logic but presents advantages that we discuss in Section 2.3. For instance it allows us to naturally consider nondeterministic strategies (Strategy Logic only considers deterministic ones), which in turn allows us to capture module checking, the extension of model checking to open systems [42, 43, 52].

The logic $\mathrm{SL}_{ii}$ is very powerful: it is an extension of SL (which considers perfect information), and of the imperfect-information strategic logics $\mathrm{ATL}_{i,R}$ [15] and $\mathrm{ATL}_{sc,i}$ [55]. As already mentioned, $\mathrm{SL}_{ii}$ can express the distributed synthesis problem [69]. This problem asks whether there are strategies for components $a_1, \ldots, a_n$ of a distributed system to enforce some property given as an LTL formula $\psi$ against all behaviours of the environment. This can be expressed by the $\mathrm{SL}_{ii}$ formula $\Phi_{\mathrm{Synth}} := \langle\!\langle x_1\rangle\!\rangle^{o_1} \ldots \langle\!\langle x_n\rangle\!\rangle^{o_n} (a_1,x_1) \ldots (a_n,x_n)\,\mathbf{A}\psi$, where $o_i$ represents the local view of component $a_i$. Also, $\mathrm{SL}_{ii}$ can express more complicated specifications by alternating quantifiers, binding the same strategy to different agents and rebinding (these are inherited from SL), as well as changing observations. For instance, it can express the existence of Nash equilibria.
Main result. Of course, the high expressivity of $\mathrm{SL}_{ii}$ comes at a cost from a computational complexity point of view. Its satisfiability problem is undecidable (this is already true of SL), and so is its model-checking problem (this is already true of $\mathrm{ATL}_{i,R}$ even for the single formula $\langle\!\langle\{a,b\}\rangle\!\rangle\mathbf{F}p$ [25], which means that agents $a$ and $b$ have a strategy profile to reach a situation where $p$ holds). We mentioned that the two main settings in which decidability is retrieved for distributed synthesis are hierarchical information and public actions. We extend the first approach to the setting of strategic logics by introducing a syntactic class of “hierarchical instances” of $\mathrm{SL}_{ii}$, i.e., formula/model pairs, and proving that the model-checking problem on this class of instances is decidable. Intuitively, an instance of $\mathrm{SL}_{ii}$ is hierarchical if, as one goes down the syntactic tree of the formula, the observations annotating strategy quantifications can only become finer. Although the class of hierarchical instances refers not only to the syntax of the logic but also to the model, the class is syntactical in the sense that it depends only on the structure of the formula and the observations in the model. Moreover, it is straightforward to check (in linear time) whether an instance is hierarchical or not.
Applications. Because the syntax of $\mathrm{SL}_{ii}$ allows for arbitrary alternations of quantifiers in the formulas, our decidability result for hierarchical instances allows one to decide strategic problems more involved than module checking and distributed synthesis. For instance, we show in Section 7 how one can apply our result to establish that the existence of Nash equilibria is decidable in games with imperfect information, in the case of hierarchical observations and deterministic strategies. This problem is relevant as Nash equilibria do not always exist in games with imperfect information [30]. We then consider the problem of rational synthesis [23, 30, 33, 48], both in its cooperative and non-cooperative variants. We introduce the generalisations of these problems to the case of imperfect information, and call them cooperative and non-cooperative rational distributed synthesis. We then apply again our main result to establish that they are decidable in hierarchical systems for deterministic strategies. For the non-cooperative variant, we need the additional assumption that the environment is at least as informed as the system. This is the case for example when one ignores the actual observation power of the environment, and considers that it plays with perfect information. Doing so yields systems that are robust to any observation power the environment may have. As Reif puts it, this amounts to synthesising strategies that are winning even if the opponent “cheats” and uses information it is not supposed to have access to [73].
Approach. In order to solve the model-checking problem for $\mathrm{SL}_{ii}$ we introduce an intermediate logic $\mathrm{QCTL}_{ii}$, an extension to the imperfect-information setting of $\mathrm{QCTL}$ [53], itself an extension of $\mathrm{CTL}$ by second-order quantifiers over atoms. This is a low-level logic that does not mention strategies and into which one can effectively compile instances of $\mathrm{SL}_{ii}$. States of the models of the logic $\mathrm{QCTL}_{ii}$ have internal structure, much like the multi-player game structures from [63] and distributed systems [39]. Model-checking $\mathrm{QCTL}_{ii}$ is also undecidable (indeed, we show how to reduce from the MSO-theory of the binary tree extended with the equal-length predicate, known to be undecidable [56]). We introduce the syntactical class $\mathrm{QCTL}_{i,\subseteq}$ of hierarchical formulas as those in which innermost quantifiers observe more than outermost quantifiers, and prove that model-checking is decidable using an extension of the automata-theoretic approach for branching-time logics. We provide a reduction from model checking $\mathrm{SL}_{ii}$ to model checking $\mathrm{QCTL}_{ii}$ that preserves being hierarchical, thus establishing our main contribution, i.e., that model checking the hierarchical instances of $\mathrm{SL}_{ii}$ is decidable.
Complexity. To establish the precise complexity of the problems we solve, we introduce a new measure on formulas called simulation depth. This measure resembles the notion of alternation depth (see, e.g., [60]), which counts alternations between existential and universal strategy (or second-order) quantifications. But instead of merely counting alternations between such operators, simulation depth reflects the underlying automata operations required to treat formulas, while remaining a purely syntactical notion. We prove that the model-checking problems for the hierarchical fragments of $\mathrm{QCTL}_{ii}$ and $\mathrm{SL}_{ii}$ are both $(k+1)$-Exptime-complete for formulas of simulation depth at most $k$. Already for the perfect-information fragment, this result is more precise than what was previously known. Indeed, precise upper bounds based on alternation depth were known for syntactic fragments of SL but not for the full logic [60].
Related work. The literature on imperfect information in formal methods and artificial intelligence is very vast. Imperfect information has been considered in two-player games [7, 26, 73], module checking [43, 52], distributed synthesis of reactive systems [31, 50, 69] and strategies in multiplayer games [8, 64, 65], Nash equilibria [11, 13, 72], rational synthesis [30, 38], doomsday equilibria [19], admissible strategies [14], quantitative objectives [24, 62], and more, some of which we detail below.
Limited alternation of strategy quantification was studied in [17], in which several decidability results are proved for two and three alternations of existential and universal quantifiers. Except for one where the first player has perfect information, all the problems solved in this work are hierarchical instances, and are thus particular cases of our main result.

Quantified $\mu$-calculus with partial observation is studied in [66], where the model-checking problem is solved by considering a syntactic constraint based on hierarchical information, as we do for $\mathrm{QCTL}_{ii}$. However they consider asynchronous perfect recall, and the automata techniques they use to deal with imperfect information cannot be used in the synchronous perfect-recall setting that we consider in this work. Similarly the narrowing operation on tree automata (see Section 4.1), which is crucial in our model-checking procedure, considers synchronous perfect recall and does not seem easy to adapt to the asynchronous setting.
A number of works have considered strategic logics with imperfect information. Various semantics for ATL with imperfect information have been studied in, e.g., [41, 44]. The model-checking problem for these logics, which is undecidable for agents with perfect recall [25], has been studied for agents with bounded memory, for which decidability is recovered [58, 75]. An epistemic strategic logic with original operators different from those of ATL and SL is proposed in [40]. It considers imperfect information strategies, but only for agents without memory. Concerning perfect recall, which interests us in this work, decidability results have also been obtained for ATL [37] and ATL with strategy context [55] when agents have the same information.

In [45], a branching-time variant of SL is extended with epistemic operators and agents with perfect recall. Strategies are not required to be uniform in the semantics, but this requirement can be expressed in the language. However no decidability result is provided. Another variant of SL extended with epistemic operators and imperfect-information, perfect-recall strategies is presented in [3], but model checking is not studied. The latter logic is extended in [4], in which its model-checking problem is solved on the class of systems where all agents' actions are public, which is an assumption orthogonal to hierarchical information.

The work closest to ours is [32] which introduces a logic CL in which one can encode many distributed synthesis problems. In this logic, hierarchical information is a necessary consequence of the syntax and semantics, and as a result its model-checking problem is decidable. However, CL is close in spirit to our $\mathrm{QCTL}_{i,\subseteq}$, and its semantics is less intuitive than that of $\mathrm{SL}_{ii}$. Furthermore, by means of a natural translation we derive that CL is strictly included in the hierarchical instances of $\mathrm{SL}_{ii}$ (Section 6.2). In particular, hierarchical instances of $\mathrm{SL}_{ii}$ can express non-observable goals, while CL cannot. When considering players that choose their own goals it may be natural to assume that they can observe the facts that define whether their objectives are satisfied or not. But when synthesising programs for instance, it may be enough that their behaviours enforce the desired properties, without them having the knowledge that it is enforced. Such non-observable winning conditions have been studied in, e.g., [8, 16, 24].
Outline. In Section 2 we define $\mathrm{SL}_{ii}$ and hierarchical instances, and present some examples. In Section 3 we define $\mathrm{QCTL}_{ii}$ and its hierarchical fragment $\mathrm{QCTL}_{i,\subseteq}$. The proof that model checking $\mathrm{QCTL}_{i,\subseteq}$ is decidable, including the required automata preliminaries, is in Section 4. The hierarchy-preserving translation of $\mathrm{SL}_{ii}$ into $\mathrm{QCTL}_{ii}$ is in Section 5. In Section 6 we compare $\mathrm{SL}_{ii}$ with related logics, and in Section 7 we apply our main result to obtain decidability results for various strategic problems under imperfect information. Finally we conclude and discuss future work in Section 8.
2 SL WITH IMPERFECT INFORMATION
In this section we introduce $\mathrm{SL}_{ii}$, an extension of SL to the imperfect-information setting with synchronous perfect recall. Our logic presents several original features compared to SL, which we discuss in detail in Section 2.3: we introduce an outcome quantifier akin to the path quantifier in branching-time temporal logics, we allow for nondeterministic strategies and unbinding agents from their strategies, and we annotate strategy quantifiers with observation symbols which denote the information available to strategies. We first fix some basic notations.
2.1 Notations
Let $\Sigma$ be an alphabet. A finite (resp. infinite) word over $\Sigma$ is an element of $\Sigma^{*}$ (resp. $\Sigma^{\omega}$). Words are written $w = w_0 w_1 w_2 \ldots$, i.e., indexing begins with 0. The length of a finite word $w = w_0 w_1 \ldots w_n$ is $|w| := n+1$, and $\mathrm{last}(w) := w_n$ is its last letter. Given a finite (resp. infinite) word $w$ and $0 \le i < |w|$ (resp. $i \in \mathbb{N}$), we let $w_i$ be the letter at position $i$ in $w$, $w_{\le i}$ is the prefix of $w$ that ends at position $i$ and $w_{\ge i}$ is the suffix of $w$ that starts at position $i$. We write $w \preceq w'$ if $w$ is a prefix of $w'$, and $\mathrm{pref}(w)$ is the set of finite prefixes of word $w$. Finally, the domain of a mapping $f$ is written $\mathrm{dom}(f)$, its codomain $\mathrm{codom}(f)$, and for $n \in \mathbb{N}$ we let $[n] := \{i \in \mathbb{N} : 1 \le i \le n\}$.
2.2 Syntax
For the rest of the paper, for convenience we fix a number of parameters for our logics and models: $\mathrm{AP}$ is a finite non-empty set of atomic propositions, $\mathrm{Ag}$ is a finite non-empty set of agents or players, and $\mathrm{Var}$ is a finite non-empty set of variables. The main novelty of our logic is that we specify which information is available to a strategy, by annotating strategy quantifiers $\langle\!\langle x\rangle\!\rangle$ with observation symbols $o$ from a finite set $\mathrm{Obs}$, that we also fix for the rest of the paper. When we consider model-checking problems, these data are implicitly part of the input.
Denition 2.1 (SLii Syntax). The syntax of SLii is dened by the following grammar:
φ:=p| ¬φ|φφ| ⟨xoφ| (a,x)φ| (a,?)φ|Eψ
ψ:=φ| ¬ψ|ψψ|Xψ|ψUψ
where pAP, xVar, oObs and aAg.
Formulas of type $\varphi$ are called state formulas, those of type $\psi$ are called path formulas, and $\mathrm{SL}_{ii}$ consists of all the state formulas defined by the grammar.
Boolean operators and temporal operators, $\mathbf{X}$ (read “next”) and $\mathbf{U}$ (read “until”), have the usual meaning. The strategy quantifier $\langle\!\langle x\rangle\!\rangle^{o}$ is a first-order-like quantification on strategies: $\langle\!\langle x\rangle\!\rangle^{o}\varphi$ reads as “there exists a strategy $x$ that takes decisions based on observation $o$ such that $\varphi$ holds”, where $x$ is a strategy variable. The binding operator $(a,x)$ assigns a strategy to an agent, and $(a,x)\varphi$ reads as “when agent $a$ plays strategy $x$, $\varphi$ holds”. The unbinding operator $(a,?)$ instead releases agent $a$ from her current strategy, if she has one, and $(a,?)\varphi$ reads as “when agent $a$ is not assigned any strategy, $\varphi$ holds”. Finally, the outcome quantifier $\mathbf{E}$ quantifies on outcomes of strategies currently in use: $\mathbf{E}\psi$ reads as “$\psi$ holds in some outcome of the strategies currently used by the players”.
We use abbreviations $\top := p \vee \neg p$, $\bot := \neg\top$, $\varphi \to \varphi' := \neg\varphi \vee \varphi'$, $\varphi \leftrightarrow \varphi' := (\varphi \to \varphi') \wedge (\varphi' \to \varphi)$ for boolean connectives, $\mathbf{F}\varphi := \top\,\mathbf{U}\,\varphi$ (read “eventually $\varphi$”), $\mathbf{G}\varphi := \neg\mathbf{F}\neg\varphi$ (read “globally $\varphi$”) for temporal operators, $[\![x]\!]^{o}\varphi := \neg\langle\!\langle x\rangle\!\rangle^{o}\neg\varphi$ (read “for all strategies $x$ based on observation $o$, $\varphi$ holds”) and $\mathbf{A}\psi := \neg\mathbf{E}\neg\psi$ (read “all outcomes of the current strategies satisfy $\psi$”).
For every formula $\varphi \in \mathrm{SL}_{ii}$, we let $\mathrm{free}(\varphi)$ be the set of variables that appear free in $\varphi$, i.e., that appear out of the scope of a strategy quantifier. A formula $\varphi$ is a sentence if $\mathrm{free}(\varphi)$ is empty. Finally, we let the size $|\varphi|$ of a formula $\varphi$ be the number of symbols in $\varphi$.
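As an added worked example (not code from the paper), the grammar and $\mathrm{free}(\varphi)$ above, together with the hierarchy condition sketched in the introduction (observations annotating nested strategy quantifiers can only become finer), are implemented in Python on small syntax trees. The node tags, the encoding of each $\mathcal{O}(o)$ as a partition of the positions, the reading of “finer” as inclusion of the equivalence relations ($\sim_{o_2} \subseteq \sim_{o_1}$ for a quantifier on $o_2$ nested under one on $o_1$), and the sample positions, observation symbols and $\Phi_{\mathrm{Synth}}$-shaped sentences are all our own constructions.

```python
"""Added example, not from the paper: SL_ii formulas as small syntax trees, free(phi),
and a linear-time test of the hierarchy condition sketched in the introduction.
Node tags, the partition encoding of O, and the reading of "finer" as inclusion of
the equivalence relations (~_o2 subseteq ~_o1) are our own conventions."""
from typing import Dict, FrozenSet, Set

Partition = Set[FrozenSet[str]]   # O(o), given by its equivalence classes over V

# Node shapes (tags are ours):
#   ("p", atom)                  ("not", f)        ("or", f, g)
#   ("E", psi)                   ("X", psi)        ("U", psi1, psi2)
#   ("quant", x, o, f)   for  <<x>>^o f
#   ("bind", a, x, f)    for  (a, x) f
#   ("unbind", a, f)     for  (a, ?) f


def refines(O: Dict[str, Partition], fine: str, coarse: str) -> bool:
    """~_fine is included in ~_coarse: each class of O(fine) sits inside a class of O(coarse)."""
    return all(any(cls <= big for big in O[coarse]) for cls in O[fine])


def free_vars(f) -> Set[str]:
    """free(phi): variables bound to an agent outside the scope of a quantifier on them."""
    tag = f[0]
    if tag == "p":
        return set()
    if tag == "quant":
        return free_vars(f[3]) - {f[1]}
    if tag == "bind":
        return free_vars(f[3]) | {f[2]}
    if tag == "unbind":
        return free_vars(f[2])
    return set().union(*(free_vars(g) for g in f[1:]))


def is_hierarchical(f, O: Dict[str, Partition]) -> bool:
    """(G, f) is hierarchical if for every <<y>>^o2 in the scope of some <<x>>^o1,
    ~_o2 subseteq ~_o1.  The refinement table has |Obs|^2 entries, so the walk does
    at most |Obs| lookups per quantifier: linear in |f| once Obs is fixed."""
    rel = {(o2, o1): refines(O, o2, o1) for o1 in O for o2 in O}

    def walk(g, enclosing: FrozenSet[str]) -> bool:
        tag = g[0]
        if tag == "p":
            return True
        if tag == "quant":
            _, _, o, body = g
            return all(rel[(o, o1)] for o1 in enclosing) and walk(body, enclosing | {o})
        if tag == "bind":
            return walk(g[3], enclosing)
        if tag == "unbind":
            return walk(g[2], enclosing)
        return all(walk(h, enclosing) for h in g[1:])

    return walk(f, frozenset())


# Abbreviations of Section 2.2 as constructors.
TOP = ("or", ("p", "goal"), ("not", ("p", "goal")))          # p or not p
def F(psi): return ("U", TOP, psi)                           # eventually
def A(psi): return ("not", ("E", ("not", psi)))              # all outcomes
def forall(x, o, f): return ("not", ("quant", x, o, ("not", f)))   # [[x]]^o f

# Constructed model side: four positions and three observation symbols.
V = ("s0", "s1", "s2", "s3")
OBS: Dict[str, Partition] = {
    "full": {frozenset({s}) for s in V},                                      # identity
    "sys": {frozenset({"s0"}), frozenset({"s1", "s2"}), frozenset({"s3"})},    # cannot tell s1 from s2
    "other": {frozenset({"s0", "s1"}), frozenset({"s2"}), frozenset({"s3"})},  # incomparable with sys
}

GOAL = A(F(("p", "goal")))
# Phi_Synth-shaped sentences: the outer quantifier is the less informed one ...
PHI_HIER = ("quant", "x", "sys", ("bind", "a", "x", ("quant", "y", "full", ("bind", "b", "y", GOAL))))
# ... or the better informed one (not hierarchical) ...
PHI_REV = ("quant", "x", "full", ("bind", "a", "x", ("quant", "y", "sys", ("bind", "b", "y", GOAL))))
# ... or the two views are incomparable (the pattern the introduction cites as undecidable).
PHI_INCOMP = forall("x", "sys", ("bind", "a", "x", ("quant", "y", "other", ("bind", "b", "y", GOAL))))
# Sibling quantifiers are not nested, so their observations need not be comparable.
PHI_SIBLINGS = ("or", ("quant", "x", "sys", ("bind", "a", "x", GOAL)),
                ("quant", "y", "other", ("bind", "a", "y", GOAL)))
```

Run stand-alone, `is_hierarchical(PHI_HIER, OBS)` and `is_hierarchical(PHI_SIBLINGS, OBS)` hold while the reversed and incomparable nestings do not; `free_vars` confirms that all four are sentences, whereas a bare binding such as `("bind", "a", "x", GOAL)` has the free variable `x`.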
2.3 Discussion on the syntax
We discuss the syntactic differences between our logic and usual Strategy Logic.
Outcome quantifier. This quantifier was introduced in Branching-time Strategy Logic (BSL) [45], which corresponds to the perfect-information fragment of the logic we define here. It removes a quirk of previous definitions, in which temporal operators could only be evaluated in contexts where all agents were assigned a strategy. The outcome quantifier, instead, allows for evaluation of temporal properties on partial assignments. As a result, the notions of free agents and agent-complete assignments from previous definitions of Strategy Logic are no longer needed (see, e.g., [60]). In addition, the outcome quantifier highlights the inherent branching-time nature of Strategy Logic: indeed, in SL, branching-time properties can be expressed by resorting to artificial strategy quantifications for all agents. It will also make the correspondence with $\mathrm{QCTL}_{ii}$ tighter, which will allow us to establish the precise complexity of the problem we solve, while the exact complexity of model checking classic SL with perfect information is still not known. Finally, since the usual definition of SL requires that the current strategies define a unique outcome on which linear-time temporal operators are evaluated, only deterministic strategies were considered. The introduction of the outcome quantifier allows us to consider nondeterministic strategies.
Unbinding. With the possibility to evaluate temporal operators even when some agents are not bound to any strategy, it becomes interesting to include the unbinding operator $(a,?)$, introduced in [54] for ATL with strategy context and also present in BSL. Note that the outcome quantifier and unbinding operator do not increase the expressivity of SL, at the level of sentences [45].
Observations. In games with imperfect information and ATL-like logics with imperfect information, a strategy is always bound to some player, and thus it is clear with regards to what observations it should be defined. In SL on the other hand, strategy quantification and binding are separate. This adds expressive power with regards to ATL by allowing, for instance, to assign the same strategy to two different players, but it also entails that when a quantification is made on a strategy, one does not know with regards to which observation this strategy should be defined. We know of three ways to solve this. One is the approach followed here, which consists in associating with strategy quantifiers an observation power. The second solution is to abandon the separation between quantification and binding and to use instead quantifiers of the form $\langle\!\langle a\rangle\!\rangle$, meaning “there exists a strategy for player $a$”, like in [2, 21]: with this operator, the strategy is immediately bound to player $a$, which indicates with regards to which observation the strategy should be compatible. The third one, adopted in [4], consists in requiring that a strategy be uniform for all agents to whom it will be bound in the formula. We chose to adopt the first solution for its simplicity and expressiveness. Indeed the second solution limits expressiveness by disallowing, for instance, binding the same strategy to different agents. The third solution leads to a logic that is more expressive than the second one, but less than the first one. Indeed, the logic that we study here can capture the logic from [4] (assuming that models contain observations corresponding to unions of individual observations), and in addition $\mathrm{SL}_{ii}$ can express changes of agents' observation power.
2.4 Semantics
The models of $\mathrm{SL}_{ii}$ are classic concurrent game structures extended by an interpretation for observation symbols in $\mathrm{Obs}$.
Definition 2.2 ($\mathrm{CGS}_{ii}$). A concurrent game structure with imperfect information (or $\mathrm{CGS}_{ii}$ for short) is a tuple $\mathcal{G} = (\mathrm{Ac}, V, E, \ell, v_\iota, \mathcal{O})$ where
$\mathrm{Ac}$ is a finite non-empty set of actions,
$V$ is a finite non-empty set of positions,
$E : V \times \mathrm{Ac}^{\mathrm{Ag}} \to V$ is a transition function,
$\ell : V \to 2^{\mathrm{AP}}$ is a labelling function,
$v_\iota \in V$ is an initial position, and
$\mathcal{O} : \mathrm{Obs} \to 2^{V \times V}$ is an observation interpretation.
For $o \in \mathrm{Obs}$, $\mathcal{O}(o)$ is an equivalence relation on positions, that we may write $\sim_o$. It represents what a strategy with observation $o$ can see: $\mathcal{O}(o)$-equivalent positions are indistinguishable to such a strategy. Also, $\ell(v)$ is the set of atomic propositions that hold in position $v$.
We define the size $|\mathcal{G}|$ of a $\mathrm{CGS}_{ii}$ $\mathcal{G} = (\mathrm{Ac}, V, E, \ell, v_\iota, \mathcal{O})$ as the size of an explicit encoding of the transition function: $|\mathcal{G}| := |V| \times |\mathrm{Ac}|^{|\mathrm{Ag}|} \times \lceil \log(|V|) \rceil$. We may write $v \in \mathcal{G}$ for $v \in V$.
We now introduce a number of notions involved in the semantics of
SLii
. Consider a
CGSii
G=(Ac,V,E, ℓ, vι,O).
Joint actions.
In a position
vV
, each player
a
chooses an action
caAc
, and the game
proceeds to position
E(v,c)
, where
cAcAg
stands for the joint action
(ca)aAg
. Given a joint
action c=(ca)aAg and aAg, we let cadenote ca.
Plays.
Anite (resp. innite)play is a nite (resp. innite) word
ρ=v0. . . vn
(resp.
π=v0v1. . .
)
such that
v0=vι
and for every
i
such that 0
i<|ρ| −
1(resp.
i
0), there exists a joint action
c
such that E(vi,c)=vi+1.
Strategies.
A (nondeterministic) strategy is a function
σ
:
V+
2
Ac \ ∅
that maps each nite play
to a nonempty nite set of actions that the player may play. A strategy
σ
is deterministic if for all
ρ
,
σ(ρ)is a singleton. We let Str denote the set of all strategies.
Assignments.
An assignment is a partial function
χ
:
Ag Var Str
, assigning to each player
and variable in its domain a strategy. For an assignment
χ
, a player
a
and a strategy
σ
,
χ[a7→ σ]
is
ACM Trans. Comput. Logic, Vol. 1, No. 1, Article . Publication date: March 2020.
8 R. Berthon, B. Maubert, A. Murano, S. Rubin and M. Y. Vardi
the assignment of domain
dom(χ) ∪ {a}
that maps
a
to
σ
and is equal to
χ
on the rest of its domain,
and
χ[x7→ σ]
is dened similarly, where
x
is a variable; also,
χ[a7→ ?]
is the restriction of
χ
to
domain
dom(χ) \ {a}
. In addition, given a formula
φSLii
, an assignment is variable-complete for
φif its domain contains all free variables of φ.
Outcomes.
For an assignment
χ
and a nite play
ρ
, we let
Out(χ,ρ)
be the set of innite plays that
start with
ρ
and are then extended by letting players follow the strategies assigned by
χ
. Formally,
Out(χ,ρ)
is the set of plays of the form
ρ·v1v2. . .
such that for all
i
0, there exists
c
such that
for all adom(χ) ∩ Ag, caχ(a)(ρ·v1. . . vi)and vi+1=E(vi,c), with v0=last(ρ).
Synchronous perfect recall. In this work we consider players with synchronous perfect recall, meaning that each player remembers the whole history of a play, a classic assumption in games with imperfect information and logics of knowledge and time. Each observation relation is thus extended to finite plays as follows: $\rho \sim_o \rho'$ if $|\rho| = |\rho'|$ and $\rho_i \sim_o \rho'_i$ for every $i \in \{0, \ldots, |\rho| - 1\}$.
Imperfect-information strategies. For $o \in Obs$, a strategy $\sigma$ is an $o$-strategy if $\sigma(\rho) = \sigma(\rho')$ whenever $\rho \sim_o \rho'$. The latter constraint captures the essence of imperfect information, which is that players can base their strategic choices only on the information available to them. For $o \in Obs$ we let $Str_o$ be the set of all $o$-strategies.
Denition 2.3 (
SLii
semantics). The semantics of a state formula is dened on a
CGSii G
, an
assignment
χ
that is variable-complete for
φ
, and a nite play
ρ
. For a path formula
ψ
, the nite
play is replaced with an innite play
π
and an index
iN
. The denition by mutual induction is
as follows:
G,χ,ρ|=pif p(last(ρ))
G,χ,ρ|=¬φif G,χ,ρ̸|=φ
G,χ,ρ|=φφif G,χ,ρ|=φor G,χ,ρ|=φ
G,χ,ρ|=⟨⟨xoφif σStr os.t. G,χ[x7→ σ],ρ|=φ
G,χ,ρ|=(a,x)φif G,χ[a7→ χ(x)],ρ|=φ
G,χ,ρ|=(a,?)φif G,χ[a7→ ?],ρ|=φ
G,χ,ρ|=Eψif there exists πOut(χ,ρ)such that G,χ,π,|ρ| − 1|=ψ
G,χ,π,i|=φif G,χ,πi|=φ
G,χ,π,i|=¬ψif G,χ,π,i̸|=ψ
G,χ,π,i|=ψψif G,χ,π,i|=ψor G,χ,π,i|=ψ
G,χ,π,i|=Xψif G,χ,π,i+1|=ψ
G,χ,π,i|=ψUψif jis.t. G,χ,π,j|=ψ
and ks.t. ik<j,G,χ,π,k|=ψ
Remark 1. Observe that because of the semantics of the outcome quantifier, and unlike usual definitions of SL, the meaning of an $\mathrm{SL}_{ii}$ sentence depends on the assignment in which it is evaluated. For instance the $\mathrm{SL}_{ii}$ formula $\mathbf{AF}\, p$ is clearly a sentence, but whether $\mathcal{G}, \chi, \rho \models \mathbf{AF}\, p$ holds or not depends on which agents are bound to a strategy in $\chi$ and what these strategies are. However, as usual, a sentence does not require an assignment to be evaluated, and for an $\mathrm{SL}_{ii}$ sentence $\varphi$ we let $\mathcal{G}, \rho \models \varphi$ if $\mathcal{G}, \emptyset, \rho \models \varphi$ for the empty assignment $\emptyset$, and we write $\mathcal{G} \models \varphi$ if $\mathcal{G}, v_\iota \models \varphi$.
SL is the fragment of $\mathrm{SL}_{ii}$ obtained by interpreting all observation symbols as the identity relation (which models perfect information), restricting to deterministic strategies, and considering only assignments in which each agent has a strategy (in this case the outcome of an assignment consists of a single play; one can thus get rid of the outcome quantifier and evaluate temporal operators in the unique outcome of the current assignment, as usually done in SL). Also, CTL is the fragment of $\mathrm{SL}_{ii}$ which uses no binding, unbinding or strategy quantification.
2.5 Discussion on the semantics
We now discuss some aspects of the semantics.
Evaluation on finite plays. Unlike previous definitions of Strategy Logic, we evaluate formulas on finite plays (instead of positions), where the finite play represents the whole history starting from the initial position of the $\mathrm{CGS}_{ii}$ in which the formula is evaluated. There are several reasons to do so. First, it allows us to define the semantics more simply without having to resort to the notion of assignment translations. Second, it makes it easier to see the correctness of the reduction to $\mathrm{QCTL}_{ii}$, that we present in Section 5. In SL, a strategy only has access to the history of the game starting from the point where the strategy quantifier from which it arises has been evaluated. In contrast, in $\mathrm{SL}_{ii}$ strategies have access to the whole history, starting from the initial position. However this does not affect the semantics, in the sense that the perfect-information fragment of $\mathrm{SL}_{ii}$ with deterministic strategies corresponds to SL. Indeed, when agents have perfect information, having access to the past or not does not affect the existence of strategies to enforce temporal properties that only concern the future.
Players not remembering their actions. Our definition of synchronous perfect recall only considers the sequence of positions in finite plays, and forgets about actions taken by players. In particular, it is possible in this definition that a player cannot distinguish between two finite plays in which she plays different actions. This definition is standard in games with imperfect information [7, 8, 26, 80], since remembering one's actions or not is indifferent for the existence of distributed winning strategies or Nash equilibria. However it makes a difference for some more involved solution concepts that are expressible in strategic logics such as $\mathrm{SL}_{ii}$. For instance it is observed in [10, Appendix A] that some games admit subgame-perfect equilibria only if agents remember their own past actions. Nonetheless we consider the setting where agents do not remember their actions, as it is the most general. Indeed, as noted in [18, Remark 2.1, p.8], one can simulate agents that remember their own actions by storing in positions of the game the information of the last joint move played (this may create $|Ac|^{|Ag|}$ copies of each position, but the branching degree is unchanged). One can then adapt indistinguishability relations to take actions into account. For instance, for an observation symbol $o$ and an agent $a$, one could consider a new observation symbol $o_a$ that would be interpreted in the enriched game structure as the refinement of $o$ that considers two positions indistinguishable if they are indistinguishable for $o$ and contain the same last action for agent $a$. Binding agent $a$ only to strategies that use observation of the form $o_a$ for some $o$ captures the fact that agent $a$ remembers her actions.
Agents changing observation. In $\mathrm{SL}_{ii}$ observations are not bound to agents but to strategies. And because agents can change their strategy thanks to the binding operator, it follows that they can change observation, or more precisely they can successively play with strategies that have different observations. For instance consider a controller that observes a system through a set of $n$ sensors $S = \{s_1, \ldots, s_n\}$ as in, e.g., [9]. Let $o_i$ be the observation power provided by the set of sensors $S \setminus \{s_i\}$ (one can think of a system where states are tuples of local states, each sensor observing one component). Also let $o$ be the observation power provided by the full set $S$ of sensors, and let atom $\mathit{fault}_i$ represent the fact that a fault occurs on sensor $s_i$. The formula
$$\varphi := \langle\langle x \rangle\rangle^{o} (a, x)\, \mathbf{AG}\Big( \mathit{safe} \wedge \bigwedge_{i=1}^{n} \big( \mathit{fault}_i \to \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AG}\, \mathit{safe}_i \big) \Big)$$
expresses that the controller $a$ has a strategy (which uses all sensors in $S$) to maintain the system safe, and if a sensor is lost, it can respond by switching to a strategy using the remaining sensors to maintain some alternative, possibly weaker, security requirement $\mathit{safe}_i$.
2.6 Model checking and hierarchical instances
We now introduce the main decision problem of this paper, which is the model-checking problem for $\mathrm{SL}_{ii}$. An $\mathrm{SL}_{ii}$-instance is a model together with a formula, i.e., it is a pair $(\mathcal{G}, \Phi)$ where $\mathcal{G}$ is a $\mathrm{CGS}_{ii}$ and $\Phi \in \mathrm{SL}_{ii}$.
Definition 2.4 (Model checking $\mathrm{SL}_{ii}$). The model-checking problem for $\mathrm{SL}_{ii}$ is the decision problem that, given an $\mathrm{SL}_{ii}$-instance $(\mathcal{G}, \Phi)$, returns 'Yes' if $\mathcal{G} \models \Phi$, and 'No' otherwise.
It is well known that deciding the existence of winning strategies in multi-player games with imperfect information is undecidable for reachability objectives [63]. Since this problem is easily reduced to the model-checking problem for $\mathrm{SL}_{ii}$, we get the following result.
Theorem 2.5. The model-checking problem for $\mathrm{SL}_{ii}$ is undecidable.
Hierarchical instances. We now isolate a sub-problem obtained by restricting attention to hierarchical instances. Intuitively, an $\mathrm{SL}_{ii}$-instance $(\mathcal{G}, \Phi)$ is hierarchical if, as one goes down a path in the syntactic tree of $\Phi$, the observations tied to quantifications become finer.
Definition 2.6 (Hierarchical instances). An $\mathrm{SL}_{ii}$-instance $(\mathcal{G}, \Phi)$ is hierarchical if for every subformula $\varphi_1 = \langle\langle y \rangle\rangle^{o_1} \varphi'_1$ of $\Phi$ and subformula $\varphi_2 = \langle\langle x \rangle\rangle^{o_2} \varphi'_2$ of $\varphi'_1$, it holds that $\mathcal{O}(o_2) \subseteq \mathcal{O}(o_1)$.
If $\mathcal{O}(o_2) \subseteq \mathcal{O}(o_1)$ we say that $o_2$ is finer than $o_1$ in $\mathcal{G}$, and that $o_1$ is coarser than $o_2$ in $\mathcal{G}$. Intuitively, this means that a player with observation $o_2$ observes game $\mathcal{G}$ no worse than, i.e., knows at least as much as a player with observation $o_1$.
Remark 2. If one uses the trick described in Section 2.5 to model agents that remember their own actions, then for an agent $a$ to know at least as much as another agent $b$ it needs to be the case that, in particular, agent $a$ observes all actions played by agent $b$.
Example 2.7 (Fault-tolerant diagnosibility). Consider the following formula from Section 2.5:
$$\varphi := \langle\langle x \rangle\rangle^{o} (a, x)\, \mathbf{AG}\Big( \mathit{safe} \wedge \bigwedge_{i=1}^{n} \big( \mathit{fault}_i \to \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AG}\, \mathit{safe}_i \big) \Big)$$
As already discussed, it expresses that the controller can react to the loss of a sensor to keep ensuring some property of the system. Clearly, the controller's observation $o_i$ after the loss of sensor $i$ is coarser than its original observation $o$, and thus formula $\varphi$ in such a system does not form a hierarchical instance.
We now give an example of a scenario where hierarchical instances occur naturally.
Example 2.8 (Security levels). Consider a system with different "security levels", where higher levels have access to more data (i.e., can observe more). Assume that the $\mathrm{CGS}_{ii}$ $\mathcal{G}$ is such that $\mathcal{O}(o_n) \subseteq \mathcal{O}(o_{n-1}) \subseteq \ldots \subseteq \mathcal{O}(o_1)$: in other words, level $n$ has the highest security clearance, while level 1 has the lowest. Consider that agent $a$ wants to reach some objective marked by atom "goal", that it starts with the lowest observation clearance $o_1$, and that atomic formula "$\mathit{promote}_i$" means that the agent is granted access to level $i$ (observe that whenever we have $\mathit{promote}_i$, we should also have $\mathit{promote}_j$ for all $j < i$). For every $i$ we let
$$\varphi_i(\varphi) := \mathit{goal} \vee \big( \mathit{promote}_i \wedge \langle\langle x \rangle\rangle^{o_i} (a, x)\, \mathbf{AF}\, \varphi \big)$$
Now the formula
$$\varphi := \varphi_1(\varphi_2(\ldots \varphi_{n-1}(\varphi_n(\mathit{goal})) \ldots))$$
means that agent $a$ can enforce her goal, possibly by first getting access to higher security levels and using this additional observation power to reach the goal. Because the strategy quantifications that are deeper in the formula have access to more information, this formula forms a hierarchical instance in $\mathcal{G}$.
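Definition 2.6 and Examples 2.7 and 2.8 checked mechanically, as an added example that is not part of the paper: observation symbols are interpreted by partitions of a constructed set of positions, $\mathcal{O}(o)$ is the relation a partition induces, and the syntactic tree of the formula is walked so that each strategy quantification is compared with every quantification enclosing it. The position names, the partitions and the tuple encoding of the two formulas are assumptions of the example.

```python
"""Hierarchical SL_ii instances (Definition 2.6): added example, not the paper's code.

An observation symbol o is interpreted on the CGS_ii by a partition of the
positions; O(o) is the induced equivalence relation, and o2 is finer than o1
iff O(o2) is included in O(o1).  Formulas are nested tuples:
  ('atom', p)                       atomic proposition
  ('quant', x, o, phi)              <<x>>^o phi
  ('bind', a, x, phi)               (a, x) phi
  ('or'|'and'|'imp', phi, psi), ('not'|'AF'|'AG', phi)
The position names, partitions and formulas below are constructed for the example.
"""


def relation(partition):
    """O(o): all pairs of positions lying in the same block of the partition."""
    return frozenset((v, w) for block in partition for v in block for w in block)


def finer(obs, o2, o1):
    """o2 is finer than o1 in G iff O(o2) is a subset of O(o1)."""
    return relation(obs[o2]) <= relation(obs[o1])


def _walk(formula, enclosing, obs, violations):
    """Depth-first walk; `enclosing` lists the observations of the strategy
    quantifiers above this node, outermost first.  Definition 2.6 requires every
    quantification to be finer than every quantification it sits under."""
    if formula[0] == 'quant':
        _, _x, o2, sub = formula
        for o1 in enclosing:
            if not finer(obs, o2, o1):
                violations.append((o1, o2))
        _walk(sub, enclosing + [o2], obs, violations)
    else:
        for child in formula[1:]:
            if isinstance(child, tuple):      # skip agent, variable and proposition names
                _walk(child, enclosing, obs, violations)


def is_hierarchical(formula, obs):
    """Return (verdict, list of offending (outer, inner) observation pairs)."""
    violations = []
    _walk(formula, [], obs, violations)
    return not violations, violations


# Example 2.8: four constructed positions and three security levels, with
# O(o3) subset of O(o2) subset of O(o1): level 1 sees nothing, level 3 everything.
LEVEL_OBS = {
    'o1': [{'v0', 'v1', 'v2', 'v3'}],
    'o2': [{'v0', 'v1'}, {'v2', 'v3'}],
    'o3': [{'v0'}, {'v1'}, {'v2'}, {'v3'}],
}


def level_formula(i, inner):
    """phi_i(inner) := goal or (promote_i and <<x>>^{o_i} (a, x) AF inner)."""
    return ('or', ('atom', 'goal'),
            ('and', ('atom', f'promote{i}'),
             ('quant', 'x', f'o{i}', ('bind', 'a', 'x', ('AF', inner)))))


SECURITY_LEVELS = level_formula(1, level_formula(2, level_formula(3, ('atom', 'goal'))))

# Example 2.7: o uses both sensors (identity relation); o_i loses sensor i and is coarser.
SENSOR_OBS = {
    'o': [{'v0'}, {'v1'}, {'v2'}, {'v3'}],
    'o_1': [{'v0', 'v1'}, {'v2', 'v3'}],
    'o_2': [{'v0', 'v2'}, {'v1', 'v3'}],
}


def fallback(i):
    """fault_i -> <<x>>^{o_i} (a, x) AG safe_i, one conjunct of the big conjunction."""
    return ('imp', ('atom', f'fault_{i}'),
            ('quant', 'x', f'o_{i}', ('bind', 'a', 'x', ('AG', ('atom', f'safe_{i}')))))


FAULT_TOLERANT = ('quant', 'x', 'o', ('bind', 'a', 'x',
                  ('AG', ('and', ('atom', 'safe'), ('and', fallback(1), fallback(2))))))

if __name__ == '__main__':
    print('security levels:', is_hierarchical(SECURITY_LEVELS, LEVEL_OBS))
    print('fault tolerant: ', is_hierarchical(FAULT_TOLERANT, SENSOR_OBS))
```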
Here is the main contribution of this work:
Theorem 2.9. The model-checking problem for $\mathrm{SL}_{ii}$ restricted to the class of hierarchical instances is decidable.
We prove this result in Section 5 by reducing it to the model-checking problem for the hierarchical fragment of a logic called QCTL with imperfect information, which we now introduce and study in order to use it as an intermediate, "low-level" logic between tree automata and $\mathrm{SL}_{ii}$. We then discuss some applications of this theorem in Section 7.
3 QCTL WITH IMPERFECT INFORMATION
In this section we introduce an imperfect-information extension of QCTL [34, 46, 47, 53, 77], which is an extension of CTL with second-order quantification on atomic propositions. In order to introduce imperfect information, instead of considering equivalence relations between states as in concurrent game structures, we will enrich Kripke structures by giving internal structure to their states, i.e., we see states as $n$-tuples of local states. This way of modelling imperfect information is inspired from Reif's multi-player game structures [63] and distributed systems [39], and we find it very suitable to application of automata techniques, as discussed in Section 3.3.
The syntax of $\mathrm{QCTL}_{ii}$ is similar to that of QCTL, except that we annotate second-order quantifiers by subsets $o \subseteq [n]$. The idea is that quantifiers annotated by $o$ can only "observe" the local states indexed by $i \in o$. We define the tree-semantics of $\mathrm{QCTL}_{ii}$: this means that we interpret formulas on trees that are the unfoldings of Kripke structures (this will capture the fact that players in $\mathrm{SL}_{ii}$ have synchronous perfect recall). We then define the syntactic class of hierarchical formulas and prove, using an automata-theoretic approach, that model checking this class of formulas is decidable.
For the rest of the section we fix some natural number $n \in \mathbb{N}$ which parameterises the logic $\mathrm{QCTL}_{ii}$, and which is the number of components in states of the models.
3.1 $\mathrm{QCTL}_{ii}$ Syntax
The syntax of $\mathrm{QCTL}_{ii}$ is very similar to that of QCTL: the only difference is that we annotate quantifiers by a set of indices that defines the "observation" of that quantifier.
Concrete observations. A set $o \subseteq [n]$ is called a concrete observation (to distinguish it from observations $o \in Obs$ in the definitions of $\mathrm{SL}_{ii}$).
Definition 3.1 ($\mathrm{QCTL}_{ii}$ Syntax). The syntax of $\mathrm{QCTL}_{ii}$ is defined by the following grammar:
$\varphi := p \mid \neg\varphi \mid \varphi \vee \varphi \mid \mathbf{E}\psi \mid \exists^{o} p.\, \varphi$
$\psi := \varphi \mid \neg\psi \mid \psi \vee \psi \mid \mathbf{X}\psi \mid \psi\, \mathbf{U}\, \psi$
where $p \in AP$ and $o \subseteq [n]$.
Formulas of type $\varphi$ are called state formulas, those of type $\psi$ are called path formulas, and $\mathrm{QCTL}_{ii}$ consists of all the state formulas defined by the grammar. We use the standard abbreviation $\mathbf{A}\psi := \neg\mathbf{E}\neg\psi$. We also use $\exists p.\, \varphi$ as a shorthand for $\exists^{[n]} p.\, \varphi$, and we let $\forall^{o} p.\, \varphi := \neg\exists^{o} p.\, \neg\varphi$.
Given a $\mathrm{QCTL}_{ii}$ formula $\varphi$, we define the set of quantified propositions $AP_\exists(\varphi) \subseteq AP$ as the set of atomic propositions $p$ such that $\varphi$ has a subformula of the form $\exists^{o} p.\, \varphi'$. We also define the set of free propositions $AP_f(\varphi) \subseteq AP$ as the set of atomic propositions that have an occurrence which is not under the scope of any quantifier of the form $\exists^{o} p$. Observe that $AP_\exists(\varphi) \cap AP_f(\varphi)$ may not be empty, i.e., a proposition may appear both free and quantified in (different places of) a formula.
3.2 $\mathrm{QCTL}_{ii}$ semantics
Several semantics have been considered for QCTL, the two most studied being the structure semantics and the tree semantics (see [53] for more details). For the semantics of $\mathrm{QCTL}_{ii}$ we adapt the tree semantics, and we explain the reasons for doing so in Section 3.3.
As already mentioned, for $\mathrm{QCTL}_{ii}$ we consider structures whose states are tuples of local states. We now define these structures and related notions.
Definition 3.2 (Compound Kripke structures). A compound Kripke structure, or CKS, over $AP$ is a tuple $\mathcal{S} = (S, R, \ell, s_\iota)$ where
$S \subseteq \prod_{i \in [n]} L_i$ is a set of states, with $\{L_i\}_{i \in [n]}$ a family of $n$ disjoint finite sets of local states,
$R \subseteq S \times S$ is a left-total¹ transition relation,
$\ell : S \to 2^{AP}$ is a labelling function and
$s_\iota \in S$ is an initial state.
A path in $\mathcal{S}$ is an infinite sequence of states $\lambda = s_0 s_1 \ldots$ such that for all $i \in \mathbb{N}$, $(s_i, s_{i+1}) \in R$. A finite path is a finite non-empty prefix of a path. We may write $s \in \mathcal{S}$ for $s \in S$, and we define the size $|\mathcal{S}|$ of a CKS $\mathcal{S} = (S, R, s_\iota, \ell)$ as its number of states: $|\mathcal{S}| := |S|$.
Since we will interpret $\mathrm{QCTL}_{ii}$ on unfoldings of CKS, we now define infinite trees.
Trees. In many works, trees are defined as prefix-closed sets of words with the empty word $\epsilon$ as root. Here trees represent unfoldings of Kripke structures, and we find it more convenient to see a node $u$ as a sequence of states and the root as the initial state. Let $X$ be a finite set of directions (typically a set of states). An $X$-tree $\tau$ is a nonempty set of words $\tau \subseteq X^+$ such that:
there exists $r \in X$, called the root of $\tau$, such that each $u \in \tau$ starts with $r$ ($r \preceq u$);
if $u \cdot x \in \tau$ and $u \cdot x \ne r$, then $u \in \tau$;
if $u \in \tau$ then there exists $x \in X$ such that $u \cdot x \in \tau$.
The elements of a tree $\tau$ are called nodes. If $u \cdot x \in \tau$, we say that $u \cdot x$ is a child of $u$. The depth of a node $u$ is $|u|$. An $X$-tree $\tau$ is complete if for every $u \in \tau$ and $x \in X$, $u \cdot x \in \tau$. A path in $\tau$ is an infinite sequence of nodes $\lambda = u_0 u_1 \ldots$ such that for all $i \in \mathbb{N}$, $u_{i+1}$ is a child of $u_i$, and $Paths(u)$ is the set of paths that start in node $u$.
Labellings. An $AP$-labelled $X$-tree, or $(AP, X)$-tree for short, is a pair $t = (\tau, \ell)$, where $\tau$ is an $X$-tree called the domain of $t$ and $\ell : \tau \to 2^{AP}$ is a labelling, which maps each node to the set of propositions that hold there. For $p \in AP$, a $p$-labelling for a tree is a mapping $\ell_p : \tau \to \{0, 1\}$ that indicates in which nodes $p$ holds, and for a labelled tree $t = (\tau, \ell)$, the $p$-labelling of $t$ is the $p$-labelling $u \mapsto 1$ if $p \in \ell(u)$, $0$ otherwise. The composition of a labelled tree $t = (\tau, \ell)$ with a $p$-labelling $\ell_p$ for $\tau$ is defined as $t \otimes \ell_p := (\tau, \ell')$, where $\ell'(u) = \ell(u) \cup \{p\}$ if $\ell_p(u) = 1$, and $\ell(u) \setminus \{p\}$ otherwise. A $p$-labelling for a labelled tree $t = (\tau, \ell)$ is a $p$-labelling for its domain $\tau$. A pointed labelled tree is a pair $(t, u)$ where $u$ is a node of $t$.
If $u = w \cdot x$, the subtree $t_u$ of $t = (\tau, \ell)$ is defined as $t_u := (\tau_u, \ell_u)$ with $\tau_u = \{x \cdot w' \mid w \cdot x \cdot w' \in \tau\}$, and $\ell_u(x \cdot w') = \ell(w \cdot x \cdot w')$. A labelled tree is regular if it has finitely many distinct subtrees.
¹ i.e., for all $s \in S$, there exists $s'$ such that $(s, s') \in R$.
In the tree semantics of $\mathrm{QCTL}_{ii}$ that we consider here, formulas are evaluated on tree unfoldings of CKS, which we now define.
Tree unfoldings. Let $\mathcal{S} = (S, R, \ell, s_\iota)$ be a compound Kripke structure over $AP$. The tree-unfolding of $\mathcal{S}$ is the $(AP, S)$-tree $t_{\mathcal{S}} := (\tau, \ell')$, where $\tau$ is the set of all finite paths that start in $s_\iota$, and for every $u \in \tau$, $\ell'(u) := \ell(last(u))$.
Note that a labelled tree is regular if and only if it is the unfolding of some finite Kripke structure.
Narrowing. Let $X$ and $Y$ be two finite sets, and let $(x, y) \in X \times Y$. The $X$-narrowing of $(x, y)$ is $(x, y)\!\downarrow_X := x$. This definition extends naturally to words and trees over $X \times Y$ (point-wise).
Given a family of (disjoint) sets of local states $\{L_i\}_{i \in [n]}$ and a subset $I \subseteq [n]$, we let $L_I := \prod_{i \in I} L_i$ if $I \ne \emptyset$, and $L_\emptyset := \{0\}$, where $0$ is a special symbol. For $I, J \subseteq [n]$ and $z \in L_I$, we also define $z\!\downarrow_J := z\!\downarrow_{L_{I \cap J}}$, where $z$ is seen as a pair $z = (x, y) \in L_{I \cap J} \times L_{I \setminus J}$, i.e., we apply the above definition with $X = L_{I \cap J}$ and $Y = L_{I \setminus J}$. This is well defined because having taken sets $L_i$ to be disjoint, the ordering of local states in $z$ is indifferent. We also extend this definition to words and trees. In particular, for every $L_I$-tree $\tau$, $\tau\!\downarrow_\emptyset$ is the only $L_\emptyset$-tree, $0^\omega$.
Quantication and uniformity.
In
QCTL
ii op.φ
holds in a tree
t
if there is some
o
-uniform
p
-labelling of
t
such that
t
with this
p
-labelling satises
φ
. Intuitively, a
p
-labelling of a tree is
o-uniform if every two nodes that are indistinguishable for observation oagree on p.
Denition 3.3 (o-indistinguishability and o-uniformity in p). Fix o⊆ [n]and I⊆ [n].
Two tuples x,xLIare o-indistinguishable, written xox, if xo=xo.
Two words
u=u0. . . ui
and
u=u
0. . . u
j
over alphabet
LI
are
o
-indistinguishable, written
uou, if i=jand for all k∈ {0, . . . , i}we have ukou
k.
Ap-labelling for a tree τis o-uniform if for all u,uτ,uouimplies p(u)=p(u).
Denition 3.4 (
QCTL
ii
semantics). We dene by induction the satisfaction relation
|=
of
QCTL
ii
.
Let t=(τ, ℓ)be an AP-labelled LI-tree, ua node and λa path in τ:
t,u|=pif p(u)
t,u|=¬φif t,u̸|=φ
t,u|=φφif t,u|=φor t,u|=φ
t,u|=Eψif λPaths(u)s.t. t,λ|=ψ
t,u|=op.φif pao-uniform p-labelling for tsuch that tp,u|=φ
t,λ|=φif t,λ0|=φ
t,λ|=¬ψif t,λ̸|=ψ
t,λ|=ψψif t,λ|=ψor t,λ|=ψ
t,λ|=Xψif t,λ1|=ψ
t,λ|=ψUψif i0s.t. t,λi|=ψand js.t. 0j<i,t,λj|=ψ
We write
t|=φ
for
t,r|=φ
, where
r
is the root of
t
. Given a CKS
S
and a
QCTL
ii
formula
φ
, we
also write S |=φif S,sι|=φ.
Example 3.5. Consider the following CTL formula:
$$\mathit{border}(p) := \mathbf{AF}\, p \wedge \mathbf{AG}(p \to \mathbf{AX}\, \mathbf{AG}\, \neg p).$$
This formula holds in a labelled tree if and only if each path contains exactly one node labelled with $p$. Now, consider the following $\mathrm{QCTL}_{ii}$ formula:
$$\mathit{level}(p) := \exists^{\emptyset} p.\, \mathit{border}(p).$$
For a blind quantifier, two nodes of a tree are indistinguishable if and only if they have the same depth. Therefore, this formula holds on a tree iff the $p$'s label all and only the nodes at some fixed depth. This formula can thus be used to capture the equal level predicate on trees. Actually, just as QCTL captures MSO, one can prove that $\mathrm{QCTL}_{ii}$ with tree semantics subsumes MSO with equal level [27, 56, 78]. In Theorem 3.7 we make use of a similar observation to prove that model-checking $\mathrm{QCTL}_{ii}$ is undecidable.
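Definitions 3.2 to 3.4 and Example 3.5 on a constructed structure, as an added example that is not code from the paper: a finite prefix of the tree unfolding of a compound Kripke structure, the narrowing $u\!\downarrow_o$ of nodes, the relation $\approx_o$, and the check that a $p$-labelling is $o$-uniform; with $o = \emptyset$ the classes are exactly the depth levels, which is why $\mathit{level}(p)$ pins a single horizontal line. The CKS, the depth bound and the labellings are assumptions of the example.

```python
"""Added example (not the paper's code): Definitions 3.2-3.4 and Example 3.5
on a constructed compound Kripke structure with n = 2 components.

States are pairs (l1, l2) with l1 in L_1 = {'a', 'b'} and l2 in L_2 = {'x', 'y'};
a node of the unfolding is a tuple of states (a word over S); a concrete
observation o is a set of 1-based component indices, o = set() being blind.
"""
from collections import defaultdict

INITIAL = ('a', 'x')
# Left-total transition relation R, constructed so that two children of the
# root agree on component 2 but differ on component 1.
R = {
    ('a', 'x'): [('a', 'x'), ('b', 'x'), ('a', 'y')],
    ('b', 'x'): [('a', 'x'), ('b', 'x')],
    ('a', 'y'): [('a', 'y')],
}


def unfold(initial, transitions, depth):
    """All finite paths from s_iota with at most `depth` states: the nodes of
    the tree unfolding t_S (Section 3.2) truncated at that depth."""
    nodes, frontier = [(initial,)], [(initial,)]
    for _ in range(depth - 1):
        frontier = [u + (s,) for u in frontier for s in transitions[u[-1]]]
        nodes.extend(frontier)
    return nodes


def narrow_state(s, o):
    """s narrowed to o: keep the local states indexed by o; L_empty = {0}."""
    return tuple(s[i - 1] for i in sorted(o)) if o else 0


def narrow_node(u, o):
    """Point-wise narrowing of a word over S to a word over L_o."""
    return tuple(narrow_state(s, o) for s in u)


def indistinguishable(u, v, o):
    """u ~_o v: same length and component-wise o-indistinguishable (Def. 3.3)."""
    return len(u) == len(v) and narrow_node(u, o) == narrow_node(v, o)


def classes(nodes, o):
    """The ~_o classes of the given nodes, keyed by their narrowing."""
    groups = defaultdict(list)
    for u in nodes:
        groups[narrow_node(u, o)].append(u)
    return [frozenset(g) for g in groups.values()]


def is_uniform(labelling, nodes, o):
    """A p-labelling is o-uniform iff ~_o related nodes agree on p (Def. 3.3)."""
    return all(len({labelling(u) for u in c}) == 1 for c in classes(nodes, o))


def depth_labelling(d):
    """p holds exactly at depth d: the shape of labelling level(p) asks for."""
    return lambda u: 1 if len(u) == d else 0


def first_component_labelling(u):
    """p holds iff the first component of the last state is 'a': this depends
    only on component 1, so it is o-uniform exactly when 1 is in o."""
    return 1 if u[-1][0] == 'a' else 0


NODES = unfold(INITIAL, R, 3)

if __name__ == '__main__':
    for o in (set(), {1}, {2}, {1, 2}):
        print(sorted(o), 'classes:', len(classes(NODES, o)),
              'first_component uniform:', is_uniform(first_component_labelling, NODES, o))
```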
3.3 Discussion on the definition of $\mathrm{QCTL}_{ii}$
We now motivate in detail some aspects of $\mathrm{QCTL}_{ii}$.
Modelling of imperfect information. We model imperfect information by means of local states (rather than equivalence relations) because this greatly facilitates the use of automata techniques. More precisely, in our decision procedure of Section 4 we use an operation on tree automata called narrowing, which was introduced in [49] to deal with imperfect-information in the context of distributed synthesis for temporal specifications. Given an automaton $\mathcal{A}$ that works on $X \times Y$-trees, where $X$ and $Y$ are two finite sets, and assuming that we want to model an operation performed on trees while observing only the $X$ component of each node, this narrowing operation allows one to build from $\mathcal{A}$ an automaton $\mathcal{A}'$ that works on $X$-trees, such that $\mathcal{A}'$ accepts an $X$-tree if and only if $\mathcal{A}$ accepts its widening to $X \times Y$ (intuitively, this widening is the $X \times Y$-tree in which each node is labelled as its projection on the original $X$-tree; see Section 4 for details).
With our definition of compound Kripke structures, their unfoldings are trees over the Cartesian product $L_{[n]}$. To model a quantification $\exists^{o} p$ with observation $o \subseteq [n]$, we can thus use the narrowing operation to forget about components $L_i$, for $i \in [n] \setminus o$. We then use the classic projection of nondeterministic tree automata to perform existential quantification on atomic proposition $p$. Since the choice of the $p$-labelling is made directly on $L_o$-trees, it is necessarily $o$-uniform.
Choice of the tree semantics. The two most studied semantics for QCTL are the structure semantics, in which formulas are evaluated directly on Kripke structures, and the tree semantics, in which Kripke structures are first unfolded into infinite trees. Tree semantics thus allows quantifiers to choose the value of a quantified atomic proposition in each finite path of the model, while in structure semantics the choice is only made in each state. When QCTL is used to express existence of strategies, existential quantification on atomic propositions labels the structure with strategic choices; in this kind of application, structure semantics reflects so-called positional or memoryless strategies, while tree semantics captures perfect-recall or memoryful strategies. Since in this work we are interested in perfect-recall strategies, we only consider the tree semantics.
3.4 Model checking $\mathrm{QCTL}_{ii}$
We now define the model-checking problem studied in the rest of this section.
Definition 3.6 (Model checking $\mathrm{QCTL}_{ii}$). The model-checking problem for $\mathrm{QCTL}_{ii}$ is the following decision problem: given an instance $(\mathcal{S}, \Phi)$ where $\mathcal{S}$ is a CKS, and $\Phi$ is a $\mathrm{QCTL}_{ii}$ formula, return 'Yes' if $\mathcal{S} \models \Phi$ and 'No' otherwise.
We now prove that the model-checking problem for $\mathrm{QCTL}_{ii}$ is undecidable. This comes as no surprise since, as we will show in Section 5, $\mathrm{QCTL}_{ii}$ can express the existence of distributed winning strategies in imperfect-information games. However we propose a proof that shows the connection between $\mathrm{QCTL}_{ii}$ and MSO with equal-level predicate [27, 56, 78]. This proof also has the benefit of showing that $\mathrm{QCTL}_{ii}$ is undecidable already for formulas that involve only propositional quantifiers that observe either everything or nothing.
Theorem 3.7. The model-checking problem for $\mathrm{QCTL}_{ii}$ is undecidable.
Proof. Let $\mathrm{MSO}_{eq}$ denote the extension of the logic MSO (without unary predicates) by a binary predicate symbol $eq$. $\mathrm{MSO}_{eq}$ is interpreted on the full binary tree, and the semantics of $eq(x, y)$ is that $x$ and $y$ have the same depth in the tree. We show how to effectively translate $\mathrm{MSO}_{eq}$ into $\mathrm{QCTL}_{ii}$, and our result follows since the $\mathrm{MSO}_{eq}$-theory of the binary tree is undecidable [56]. The translation from $\mathrm{MSO}_{eq}$ to $\mathrm{QCTL}_{ii}$ is obtained by extending that from MSO to QCTL [53], using the formula $\mathit{level}(\cdot)$ from Example 3.5 to help capture the equal-level predicate.
We define a translation $\widehat{\cdot}$ from $\mathrm{MSO}_{eq}$ to $\mathrm{QCTL}_{ii}$ such that for every tree $t$ with root $r$, nodes $u_1, \ldots, u_i \in t$ and sets of nodes $U_1, \ldots, U_j \subseteq t$, and every $\mathrm{MSO}_{eq}$ formula $\varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j)$, we have that
$$t, r, u_1, \ldots, u_i, U_1, \ldots, U_j \models \varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j) \quad \text{if and only if} \quad \widehat{t}, r \models \widehat{\varphi} \qquad (1)$$
where $\widehat{t}$ is obtained from $t$ by defining the labelling for fresh atomic propositions $p_{x_k}$ and $p_{X_k}$, with $k \in [i]$, as follows: $p_{x_k} \in \widehat{\ell}(u)$ if $u = u_k$ and $p_{X_k} \in \widehat{\ell}(u)$ if $u \in U_k$.
The translation of MSO to QCTL from [53] can be extended to one from $\mathrm{MSO}_{eq}$ to $\mathrm{QCTL}_{ii}$ by adding rules for the equal level predicate. Indeed, for $\varphi(x, x_1, \ldots, x_i, X_1, \ldots, X_j) \in \mathrm{MSO}_{eq}$, we inductively define the $\mathrm{QCTL}_{ii}$ formula $\widehat{\varphi}$ as follows, where $k \in [i]$:
$\widehat{x = x_k} := p_{x_k}$
$\widehat{x_k = x_l} := \mathbf{EF}(p_{x_k} \wedge p_{x_l})$
$\widehat{x \in X_k} := p_{X_k}$
$\widehat{x_k \in X_l} := \mathbf{EF}(p_{x_k} \wedge p_{X_l})$
$\widehat{\neg\varphi} := \neg\widehat{\varphi}$
$\widehat{\varphi_1 \vee \varphi_2} := \widehat{\varphi_1} \vee \widehat{\varphi_2}$
$\widehat{\exists x_k.\, \varphi} := \exists p_{x_k}.\, \mathit{uniq}(p_{x_k}) \wedge \widehat{\varphi}$
$\widehat{\exists X_k.\, \varphi} := \exists p_{X_k}.\, \widehat{\varphi}$
$\widehat{S(x, x_k)} := \mathbf{EX}\, p_{x_k}$
$\widehat{S(x_k, x)} := \bot$
$\widehat{S(x_k, x_l)} := \mathbf{EF}(p_{x_k} \wedge \mathbf{EX}\, p_{x_l})$
where $\mathit{uniq}(p) := \mathbf{EF}\, p \wedge \forall q.\, (\mathbf{EF}(p \wedge q) \to \mathbf{AG}(p \to q))$ holds in a tree iff it has exactly one node labelled with $p$. To understand the $x = x_k$ and $x \in X_k$ cases, consider that $x$ will be interpreted as the root. For the $S(x_k, x)$ case, observe that $x$ has no incoming edge since it is interpreted as the root. Second-order quantification $\exists X_k$ is translated into quantification on atomic proposition $p_{X_k}$, and first-order quantification $\exists x_k$ is treated similarly, with the additional constraint that quantification is limited to $p_{x_k}$-labellings that set $p_{x_k}$ to true in one and only one node of the tree.
The rules for $eq$ are as follows:
$\widehat{eq(x, x_k)} := p_{x_k}$
$\widehat{eq(x_k, x_l)} := \exists^{\emptyset} p.\, \mathit{border}(p) \wedge \mathbf{AG}\big( (p_{x_k} \to p) \wedge (p_{x_l} \to p) \big)$
To understand the first case, observe that since $x$ is interpreted as the root, $x_k$ is on the same level as $x$ if and only if it is also assigned the root. For the second case, recall from Example 3.5 that the $\mathrm{QCTL}_{ii}$ formula $\exists^{\emptyset} p.\, \mathit{border}(p)$ places one unique horizontal line of $p$'s in the tree, and thus requiring that $x_k$ and $x_l$ be both on this line ensures that they are on the same level. The correctness of the translation follows from (1), which is proven by induction.
Now take an instance $(t, \varphi(x))$ of the model-checking problem for $\mathrm{MSO}_{eq}$ on the full binary tree $t$. Let $\mathcal{S}$ be a CKS with two states $s_0$ and $s_1$ (local states are irrelevant here), whose transition relation is the complete relation, and with empty labelling function. Clearly, $t_{\mathcal{S}} = t$, and applying (1) we get:
$$t, s_0 \models \varphi(x) \quad \text{iff} \quad \widehat{t}, s_0 \models \widehat{\varphi}.$$
Observe that in the previous line, because there are no free variables besides $x$, which stands for the root, we have that $\widehat{t} = t = t_{\mathcal{S}}$, hence we have indeed produced an instance of the model-checking problem for $\mathrm{QCTL}_{ii}$.
4 A DECIDABLE FRAGMENT OF $\mathrm{QCTL}_{ii}$: HIERARCHY ON OBSERVATIONS
The main result of this section is the identification of an important decidable fragment of $\mathrm{QCTL}_{ii}$.
Definition 4.1 (Hierarchical formulas). A $\mathrm{QCTL}_{ii}$ formula $\varphi$ is hierarchical if for all subformulas $\varphi_1 = \exists^{o_1} p_1.\, \varphi'_1$ and $\varphi_2 = \exists^{o_2} p_2.\, \varphi'_2$ of $\varphi$ where $\varphi_2$ is a subformula of $\varphi'_1$, we have $o_1 \subseteq o_2$.
In other words, a formula is hierarchical if innermore propositional quantifiers observe at least as much as outermore ones.
Example 4.2. Formula $\exists^{\{1,2\}} p.\, \exists^{\{1,2,4\}} q.\, \mathbf{AG}(p \to q)$ is hierarchical because $\{1, 2\} \subseteq \{1, 2, 4\}$. On the other hand, formula $\exists^{\{1,2\}} p.\, \exists^{\{1,2,4\}} q.\, \mathbf{AG}(p \to q) \wedge \exists^{\{3\}} q.\, \mathbf{EF}(p \wedge q)$ is not, because $\{1, 2\} \not\subseteq \{3\}$. Note that neither is it the case that $\{3\} \subseteq \{1, 2\}$: the observation powers of quantifiers $\exists^{\{1,2\}} p.$ and $\exists^{\{3\}} q.$ are incomparable. Finally, formula $\exists^{\{1,2,3\}} p.\, \exists^{\{1,2\}} q.\, \mathbf{AG}(p \to q)$ is not hierarchical even though $\{1, 2\} \subseteq \{1, 2, 3\}$, as the quantifier that observes best is higher in the syntactic tree.
We let $\mathrm{QCTL}_{i,\subseteq}$ be the set of hierarchical $\mathrm{QCTL}_{ii}$ formulas.
Theorem 4.3. Model checking $\mathrm{QCTL}_{i,\subseteq}$ is non-elementary decidable.
Since our decision procedure for the hierarchical fragment of $\mathrm{QCTL}_{ii}$ is based on an automata-theoretic approach, we recall some definitions and results for alternating tree automata.
4.1 Alternating parity tree automata
We recall alternating parity tree automata. Because their semantics is defined via acceptance games, we start with basic definitions for two-player turn-based parity games, or simply parity games.
Parity games. A parity game is a structure $\mathcal{G} = (V, E, v_\iota, C)$, where $V = V_E \uplus V_A$ is a set of positions partitioned between positions of Eve ($V_E$) and those of Adam ($V_A$), $E \subseteq V \times V$ is a set of moves, $v_\iota$ is an initial position and $C : V \to \mathbb{N}$ is a colouring function of finite codomain. In positions $V_E$, Eve chooses the next position, while Adam chooses in positions $V_A$. A play is an infinite sequence of positions $v_0 v_1 v_2 \ldots$ such that $v_0 = v_\iota$ and for all $i \ge 0$, $(v_i, v_{i+1}) \in E$ (written $v_i \to v_{i+1}$). We assume that for every $v \in V$ there exists $v' \in V$ such that $v \to v'$. A strategy for Eve is a partial function $V^* \rightharpoonup V$ that maps each finite prefix of a play ending in a position $v \in V_E$ to a next position $v'$ such that $v \to v'$. A play $v_0 v_1 v_2 \ldots$ follows a strategy $\sigma$ of Eve if for every $i \ge 0$ such that $v_i \in V_E$, $v_{i+1} = \sigma(v_0 \ldots v_i)$. A strategy $\sigma$ is winning if every play that follows it satisfies the parity condition, i.e., the least colour seen infinitely often along the play is even.
Parity tree automata. Because it is sufficient for our needs and simplifies definitions, we assume that all input trees are complete trees. For a set $Z$, $\mathcal{B}^+(Z)$ is the set of formulas built from the elements of $Z$ as atomic propositions using the connectives $\vee$ and $\wedge$, and with $\top, \bot \in \mathcal{B}^+(Z)$. An alternating tree automaton (ATA) on $(AP, X)$-trees is a structure $\mathcal{A} = (Q, \delta, q_\iota, C)$ where $Q$ is a finite set of states, $q_\iota \in Q$ is an initial state, $\delta : Q \times 2^{AP} \to \mathcal{B}^+(X \times Q)$ is a transition function, and $C : Q \to \mathbb{N}$ is a colouring function. To ease reading we shall write atoms in $\mathcal{B}^+(X \times Q)$ between brackets, such as $[x, q]$. A nondeterministic tree automaton (NTA) on $(AP, X)$-trees is an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$ such that for every $q \in Q$ and $a \in 2^{AP}$, $\delta(q, a)$ is written in disjunctive normal form and for every direction $x \in X$ each disjunct contains exactly one element of $\{x\} \times Q$. An NTA is deterministic if for each $q \in Q$ and $a \in 2^{AP}$, $\delta(q, a)$ consists of a single disjunct.
Acceptance of a pointed labelled tree $(t, u_\iota)$, where $t = (\tau, \ell)$, by an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$ is defined via the parity game $\mathcal{G}(\mathcal{A}, t, u_\iota) = (V, E, v_\iota, C')$ where $V = \tau \times Q \times \mathcal{B}^+(X \times Q)$, position $(u, q, \alpha)$ belongs to Eve if $\alpha$ is of the form $\alpha_1 \vee \alpha_2$ or $[x, q']$, and to Adam otherwise, $v_\iota = (u_\iota, q_\iota, \delta(q_\iota, \ell(u_\iota)))$, and $C'(u, q, \alpha) = C(q)$. Moves in $\mathcal{G}(\mathcal{A}, t, u_\iota)$ are defined by the following rules:
$(u, q, \alpha_1 \dagger \alpha_2) \to (u, q, \alpha_i)$ where $\dagger \in \{\vee, \wedge\}$ and $i \in \{1, 2\}$,
$(u, q, [x, q']) \to (u \cdot x, q', \delta(q', \ell(u \cdot x)))$
Positions of the form $(u, q, \top)$ and $(u, q, \bot)$ are sinks, winning for Eve and Adam respectively.
A pointed labelled tree $(t, u)$ is accepted by $\mathcal{A}$ if Eve has a winning strategy in $\mathcal{G}(\mathcal{A}, t, u)$, and the language of $\mathcal{A}$ is the set of pointed labelled trees accepted by $\mathcal{A}$, written $\mathcal{L}(\mathcal{A})$. We write $t \in \mathcal{L}(\mathcal{A})$ if $(t, r) \in \mathcal{L}(\mathcal{A})$, where $r$ is the root of $t$. Finally, the size $|\mathcal{A}|$ of an ATA $\mathcal{A}$ is its number of states plus the sum of the sizes of all formulas appearing in the transition function.
Word automata. When the set of directions $X$ is a singleton, directions can be forgotten and infinite trees can be identified with infinite words. We thus call parity word automaton a parity tree automaton on $(AP, X)$-trees where $X$ is a singleton. In the case of a nondeterministic parity word automaton, transitions can be represented as usual as a mapping $\Delta : Q \times 2^{AP} \to 2^{Q}$ which, in a state $q \in Q$, reading the label $a \in 2^{AP}$ of the current position in the word, indicates a set of states $\Delta(q, a)$ from which Eve can choose to send in the next position of the word.
We recall four classic operations on tree automata.
Complementation. Given an ATA $\mathcal{A} = (Q, \delta, q_\iota, C)$, we define its dual $\overline{\mathcal{A}} = (Q, \overline{\delta}, q_\iota, \overline{C})$ where, for each $q \in Q$ and $a \in 2^{AP}$, $\overline{\delta}(q, a)$ is the dual of $\delta(q, a)$, i.e., conjunctions become disjunctions and vice versa, and $\overline{C}(q) := C(q) + 1$.
Theorem 4.4 (Complementation [61]). For every labelled tree $t$ and node $u$ in $t$, $(t, u) \in \mathcal{L}(\mathcal{A})$ if, and only if, $(t, u) \notin \mathcal{L}(\overline{\mathcal{A}})$.
Projection.
The second construction is a projection operation, used by Rabin to deal with second-order monadic quantification:
Theorem 4.5 (Projection [71]). Given an NTA $\mathcal{N}$ on $(\mathrm{AP},X)$-trees and an atomic proposition $p \in \mathrm{AP}$, one can build in linear time an NTA $\mathcal{N}\!\Downarrow_p$ on $(\mathrm{AP} \setminus \{p\},X)$-trees such that $(t,u) \in \mathcal{L}(\mathcal{N}\!\Downarrow_p)$ iff there exists a $p$-labelling $\ell_p$ for $t$ s.t. $(t \otimes \ell_p, u) \in \mathcal{L}(\mathcal{N})$.
Intuitively, $\mathcal{N}\!\Downarrow_p$ is automaton $\mathcal{N}$ with the only difference that when it reads the label of a node, it can choose to run as if $p$ was either true or false: if $\delta$ is the transition function of $\mathcal{N}$, that of $\mathcal{N}\!\Downarrow_p$ is $\delta'(q,a) = \delta(q, a \cup \{p\}) \vee \delta(q, a \setminus \{p\})$, for any state $q$ and label $a \in 2^{\mathrm{AP}}$. Another way of seeing it is that $\mathcal{N}\!\Downarrow_p$ guesses a $p$-labelling for the input tree, and simulates $\mathcal{N}$ on this modified input.
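The complementation and projection constructions above, as an added Python example that is not part of the paper: transition formulas are nested tuples, `complement` dualises them and shifts colours as in Theorem 4.4 (the standard dualisation also swaps ⊤ and ⊥), `project` applies the δ′ of Theorem 4.5, and `duality_holds` checks the defining property of the dual on a small constructed automaton; the encoding, the names and the sample automaton are assumptions.

```python
from itertools import combinations

# Transition formulas of an ATA as nested tuples (constructed encoding):
#   ("true",)  ("false",)  ("move", x, q)  ("or", f, g)  ("and", f, g)
# An ATA is (states, delta, init, colour); delta[(q, a)] is a formula and
# a label a is a frozenset of atomic propositions.

def dual(f):
    """Dual formula: swap or/and and swap true/false (standard dualisation)."""
    if f[0] in ("true", "false"):
        return ("false",) if f[0] == "true" else ("true",)
    if f[0] == "move":
        return f
    return ("and" if f[0] == "or" else "or", dual(f[1]), dual(f[2]))

def complement(ata):
    """Dual automaton of Theorem 4.4: dual transitions, every colour + 1."""
    states, delta, init, colour = ata
    return (states, {k: dual(f) for k, f in delta.items()}, init,
            {q: colour[q] + 1 for q in states})

def project(ata, p):
    """N⇓p of Theorem 4.5: on a label b over AP\\{p}, run as if p were true
    or as if p were false, i.e. delta(q, b ∪ {p}) ∨ delta(q, b \\ {p})."""
    states, delta, init, colour = ata
    new_delta = {(q, a - {p}): ("or", delta[(q, a | {p})], delta[(q, a - {p})])
                 for (q, a) in delta}
    return (states, new_delta, init, colour)

def holds(f, chosen):
    """Truth value of f when exactly the moves in `chosen` are selected."""
    if f[0] in ("true", "false"):
        return f[0] == "true"
    if f[0] == "move":
        return f in chosen
    return (any if f[0] == "or" else all)(holds(g, chosen) for g in f[1:])

def duality_holds(f, ms):
    """dual(f) holds under a move choice iff f fails under the complementary
    choice; ms is the set of all moves considered (constructed parameter)."""
    return all(holds(dual(f), ms - set(c)) == (not holds(f, set(c)))
               for k in range(len(ms) + 1) for c in combinations(sorted(ms), k))

# Constructed sample: one state q0 over AP = {p, r}, directions {0, 1},
# accepting exactly the binary trees where p holds at every node.
ALL = ("and", ("move", "0", "q0"), ("move", "1", "q0"))
SAMPLE = ({"q0"},
          {("q0", frozenset(a)): ALL if "p" in a else ("false",)
           for a in [(), ("p",), ("r",), ("p", "r")]},
          "q0", {"q0": 0})
```

Projecting `SAMPLE` on `p` yields `("or", ALL, ("false",))` on every remaining label, i.e. an automaton that accepts every tree, since a `p`-labelling making `p` true everywhere always exists.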
Simulation.
To prevent $\mathcal{N}\!\Downarrow_p$ from guessing different labels for a same node in different executions, it is crucial that $\mathcal{N}$ be nondeterministic, which is the reason why we need the following result:
Theorem 4.6 (Simulation [61]). Given an ATA $\mathcal{A}$, one can build in exponential time an NTA $\mathcal{N}$ such that $\mathcal{L}(\mathcal{N}) = \mathcal{L}(\mathcal{A})$.
The last construction was introduced by Kupferman and Vardi to deal with imperfect information aspects in distributed synthesis. To describe it we need to define a widening operation on trees which expands the directions in a tree.
Tree widening.
We generalise the widening operation defined in [49]. In the following definitions we fix a CKS $\mathcal{S} = (S,R,s_\iota,\ell)$, and for $I \subseteq [n]$ we let $S_I := \{s\!\downarrow_I \mid s \in S\} \subseteq L_I$ (recall that $L_I = \prod_{i \in I} L_i$).
ACM Trans. Comput. Logic, Vol. 1, No. 1, Article . Publication date: March 2020.
18 R. Berthon, B. Maubert, A. Murano, S. Rubin and M. Y. Vardi
Let $J \subseteq I \subseteq [n]$. For every $S_J$-tree $\tau$ rooted in $s_J$ and $s_I \in S_I$ such that $s_I\!\downarrow_J = s_J$, we define the $I$-widening of $\tau$ as the $S_I$-tree
$\tau\!\uparrow^I_{s_I} := \{u \in s_I \cdot S_I^{*} \mid u\!\downarrow_J \in \tau\}$.
For an $(\mathrm{AP},S_J)$-tree $t = (\tau,\ell)$ rooted in $s_J$ and $s_I \in S_I$ such that $s_I\!\downarrow_J = s_J$, we let
$t\!\uparrow^I_{s_I} := (\tau\!\uparrow^I_{s_I}, \ell')$, where $\ell'(u) := \ell(u\!\downarrow_J)$.
When clear from the context we may omit the subscript $s_I$. It is the case in particular when referring to pointed widenings of trees: $(t\!\uparrow^I, u)$ stands for $(t\!\uparrow^I_{u_0}, u)$.
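The widening of trees and of their labellings above, as an added Python example that is not taken from the paper: a constructed two-component CKS, a finite $S_J$-tree $\tau$, its $I$-widening truncated to a fixed depth, and a check that the lifted labelling $\ell'$ is uniform for an observer who only sees $S_J$, which is the intuition behind narrowing; the state spaces, the sample tree, the depth bound and all names are assumptions.

```python
from itertools import product

# Constructed setting (not the paper's example): a CKS with n = 2 local state
# spaces L_1 = {a, b} and L_2 = {0, 1}; states are pairs (l1, l2) and s↓I
# keeps the components whose index (counted from 1) lies in I.

def proj(s, I):
    """s↓I for a state s."""
    return tuple(s[i - 1] for i in sorted(I))

def word_proj(u, I):
    """u↓I: project every letter of the node word u."""
    return tuple(proj(s, I) for s in u)

def widen(tau, S, I, J, s_I, depth):
    """τ↑^I_{s_I}: the words u ∈ s_I · S_I^* with u↓J ∈ τ, here truncated to
    length `depth`; τ is a prefix-closed set of S_J-words rooted in s_I↓J."""
    assert (proj(s_I, J),) in tau, "root mismatch: s_I↓J must be the root of τ"
    S_I = sorted({proj(s, I) for s in S})
    return {(s_I,) + rest
            for k in range(depth)
            for rest in product(S_I, repeat=k)
            if word_proj((s_I,) + rest, J) in tau}

def widen_labelled(tree, S, I, J, s_I, depth):
    """t↑^I_{s_I} = (τ↑^I_{s_I}, ℓ') with ℓ'(u) := ℓ(u↓J)."""
    tau, label = tree
    wide = widen(tau, S, I, J, s_I, depth)
    return wide, {u: label[word_proj(u, J)] for u in wide}

def is_uniform(labelled, J):
    """True iff nodes with the same J-projection carry the same label: the
    lifted labelling is uniform for an observer who only sees S_J."""
    nodes, label = labelled
    seen = {}
    return all(seen.setdefault(word_proj(u, J), label[u]) == label[u]
               for u in nodes)

# Sample S_J-tree (J = {1}): words over {a, b} from root a, no two b in a row,
# labelled with p exactly at nodes whose last letter is b.
S = [(l1, l2) for l1 in "ab" for l2 in (0, 1)]
TAU = {u for k in range(1, 4) for u in product([("a",), ("b",)], repeat=k)
       if u[0] == ("a",) and not any(x == y == ("b",) for x, y in zip(u, u[1:]))}
T = (TAU, {u: frozenset("p") if u[-1] == ("b",) else frozenset() for u in TAU})
WIDE = widen_labelled(T, S, {1, 2}, {1}, ("a", 0), 3)
```

A labelling of the widened tree that depends on the second component (which the $S_J$ observer cannot see) fails `is_uniform`, which is exactly the kind of labelling narrowing rules out.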
Narrowing.
We now state a result from [49] in our slightly more general setting (the proof can be adapted straightforwardly). The rough idea of this narrowing operation on ATA is that, if one just observes $S_J$, uniform $p$-labellings on $S_I$-trees can be obtained by choosing the labellings directly on $S_J$-trees, and then lifting them to $S_I$.
Theorem 4.7 (Narrowing [49]). Given an ATA $\mathcal{A}$ on $S_I$-trees one can build in linear time an ATA $\mathcal{A}\!\downarrow_J$ on $S_J$-trees such that for every pointed $(\mathrm{AP},S_J)$-tree $(t,u)$ and every $u' \in S_I^{+}$ such that $u'\!\downarrow_J = u$,
$(t,u) \in \mathcal{L}(\mathcal{A}\!\downarrow_J)$ iff $(t\!\uparrow^I, u') \in \mathcal{L}(\mathcal{A})$.
4.2 Translating $\mathrm{QCTL}_{i,\subseteq}$ to ATA
In order to prove Theorem 4.3 we need some more notations and a technical lemma that contains
the automata construction.
Denition 4.8. For every φQCTL
ii, we let
Iφ:=Ù
oObs(φ)
o⊆ [n],
where
Obs(φ)
is the set of concrete observations that occur in
φ
, with the intersection over the
empty set dened as [n]. For a CKS Swith state set SÎi∈[n]Liwe also let Sφ:={sIφ|sS}.
Elements of
Sφ
will be the possible directions used by the automaton we build for
φ
. In other
words, the automaton for
φ
will work on
Sφ
-trees. The intuition is that the observations in
φ
determine which components of the model’s states can be observed by the automaton.
Our construction, that transforms a $\mathrm{QCTL}_{i,\subseteq}$ formula $\varphi$ and a CKS $\mathcal{S}$ into an ATA, builds upon the classic construction from [51], which builds ATA for CTL formulas. In addition, we use projection of automata to treat second-order quantification, and to deal with imperfect information we resort to automata narrowing.
Moreover, we use tree automata in an original way that allows us to deal with non-observable atomic propositions, which in turn makes it possible to consider non-observable winning conditions in our decidable fragment of $\mathrm{SL}_{ii}$. The classical approach to model checking via tree automata is to build an automaton that accepts all tree models of the input formula, and check whether it accepts the unfolding of the model [51]. We instead encode the model in the automata, using the input tree only to guess labellings for quantified propositions.
Encoding the model in the automaton.
Quantification on atomic propositions is classically performed by means of automata projection (see Theorem 4.5). But in order to obtain a labelling that is uniform with regards to the observation of the quantifier, we need to make use of the narrowing operation (see Theorem 4.7). Intuitively, to check that a formula $\exists^{o} p.\,\varphi$ holds in a tree $t$, we would like to work on its narrowing $t' := t\!\downarrow_o$, guess a labelling for $p$ on this tree thanks to automata projection, thus obtaining a tree $t'_p$, take its widening $t''_p := t'_p\!\uparrow^{[n]}$, obtaining a tree with an