
Verification of Multi-Agent Systems with Public Actions against Strategy Logic

Francesco Belardinelli

Department of Computing, Imperial College London, UK and Laboratoire IBISC, UEVE, France

Alessio Lomuscio

Department of Computing, Imperial College London, UK

Aniello Murano

DIETI, Università degli Studi di Napoli, Italy

Sasha Rubin

University of Sydney, Australia

Abstract

Model checking multi-agent systems, in which agents are distributed and thus may have different observations of the world, against strategic behaviours is known to be a complex problem in a number of settings. There are traditionally two ways of ameliorating this complexity: imposing a hierarchy on the observations of the agents, or restricting agent actions so that they are observable by all agents. We study systems of the latter kind, since they are more suitable for modelling rational agents. In particular, we define multi-agent systems in which all actions are public and study the model checking problem of such systems against Strategy Logic with equality, a very rich strategic logic that can express relevant concepts such as Nash equilibria, Pareto optimality, and, due to the novel addition of equality, also evolutionary stable strategies. The main result is that the corresponding model checking problem is decidable.

Keywords: Strategy Logic, Multi-agent systems, Imperfect Information, Verification, Formal Methods

1. Introduction

Logics expressing individual and joint strategic abilities offer powerful formalisms for reasoning about the behaviour of rational agents in multi-agent systems (MAS), a subject of growing interest in the area of formal methods for Artificial Intelligence. Coalition

Email addresses: belardinelli@ibisc.fr (Francesco Belardinelli), a.lomuscio@imperial.ac.uk

(Alessio Lomuscio), murano@na.infn.it (Aniello Murano), sasha.rubin@sydney.edu.au (Sasha Rubin)

Preprint submitted to Artificial Intelligence, January 13, 2020

Logic [1] and Alternating-time Temporal Logic (ATL) [2] were among the first and most influential logics introduced for this purpose. These logics can be used to express formally what states of affairs coalitions of agents may bring about in a MAS, irrespective of what the other agents in the system may do. For example, in a scenario where several autonomous robots are competing for resources, a coalition of two robots may be able to ensure that a particular resource is brought under their control, irrespective of the actions of the other robots in the system.

Over the years ATL has been enriched in a number of directions, including by incorporating epistemic operators to reason about both the knowledge and the strategic power of the agents in the system [3, 4, 5, 6], and by accounting explicitly for the resources agents have available [7]. More recently, formalisms more expressive than ATL have been introduced. In the framework of Strategy Logic (SL), strategies are first-class objects that can be named and associated with agents [8, 9, 10, 11]. This enables the representation of game-theoretic concepts, such as Nash equilibria, that cannot be rendered in formalisms such as ATL, but are of high importance in MAS. Like ATL, SL has also been combined with epistemic concepts [12, 13, 14, 15].

A key focus of attention in these lines of work concerns formal verification, notably the model checking problem [16], of MAS against strategy-based specifications expressed in these languages. Various methods and accompanying implementations have been developed supporting ATL and its variations [7, 17, 14, 18, 19, 20, 21]. These range from explicit to symbolic model checkers, as well as SAT-based engines. By using these tools, practical scenarios ranging from strategic games [7] to autonomous vehicles [22, 23] have been analysed and debugged.

A crucial consideration in assessing the practical feasibility of verification via model checking is the computational complexity of its decision problem. In this light, an attractive feature of ATL lies in the fact that its model checking problem is PTIME-complete [2]. This is, however, limited to the case of perfect information, i.e., under the assumption that the agents in the system have full visibility of its global state. In MAS this assumption is of limited relevance, as agents can normally access only a fraction of the information available. Much more important in applications is the case of imperfect information, particularly in the context of perfect recall, where agents in the system have full memory of their local histories. While this is a compelling set-up from a modelling point of view, it is challenging from a verification standpoint, as the corresponding model checking problem is undecidable [24]. It follows that the model checking problem for all extensions of ATL, including Strategy Logic, is also undecidable under the assumptions of perfect recall and imperfect information.

Given this limitation, it is of interest to identify cases for which the model checking problem for strategic reasoning is decidable even under perfect recall and imperfect information. This paper provides one concrete setting, relevant for applications, where we show this to be the case.

More specifically, there appear to be three possible directions to tame undecidability in this context. One option involves restricting the syntax of the specification languages. This option generally results in a loss of expressiveness; however, useful specification patterns might be identified within the fragment [25]. A second possibility concerns modifying the standard semantics of the specification language in question. This might involve amending the standard notion of strategy or considering minor modifications of the underlying complete information and perfect recall setting [26]. A third line of attack consists in identifying semantical subclasses of MAS, still analysed under perfect recall and incomplete information, for which model checking is decidable. In the following we pursue this latter option.

Contribution. In this work we introduce and study a variant of SL under incomplete information (henceforth SLi), and exemplify its applicability in the context of MAS. In particular, we describe a number of formulas of SLi that capture important concepts, such as winning strategies, Nash equilibria, and evolutionary stable strategies. We observe that the corresponding model checking problem is undecidable in general, but identify a subclass of MAS for which the same question is decidable. The subclass that we isolate and investigate consists of systems of agents that can communicate only via public actions. Examples of such systems include games with fully observable (public) moves, open-cry auction protocols where all bidding is public, and, more generally, systems evolving via broadcasting actions. Clearly, this is a broad class of systems of interest in applications. We analyse the related complexity and show that the model checking problem for this subclass is in (k+2)-EXPTIME, where k is the quantifier-block depth of the formula to be checked. We also provide a lower bound of (k−1)-EXPSPACE. Thus, this subclass provides a middle ground between the full observability case (which is well understood, more tractable, but has limited expressiveness and applicability) and the partial observability case (which is undecidable, but extremely expressive).

Related Work. The work presented here builds upon and extends the framework of Strategy Logic [9, 11]. In those papers, SL is interpreted on concurrent game structures and, barring the exceptions below, is typically employed and analysed under complete information and perfect recall. In contrast, here we use a variant of interpreted systems as the underlying semantics and study the verification problem under the assumption of imperfect information and perfect recall.

Variants of the semantics of Strategy Logic have been previously explored. In [27] an alternative setting is studied in which strategies that are not bound to agents are not propagated when temporal operators are evaluated. Under this semantics, the model checking problem becomes undecidable. The notion of dependency between strategies in SL is analysed in [28]. In this work, when a strategy x is quantified in an SL formula, it depends on all other strategies quantified before it. In particular, the value of x on a given history depends on the value of other strategies on all histories. The same paper introduces, motivates, and studies weaker dependencies (e.g., when a strategy x is quantified, its value on a history h depends only on the values of earlier quantified strategies on prefixes of h). Further, [29] introduces an extension of SL in which strategies can be nondeterministic and there is an unbinding operator that allows agents to revoke their strategies. These extensions allow one to express the notion of sustainable control for an agent, while retaining a decidable model checking problem.

In addition to the above, the verification of MAS against various strategy-based specifications, enriched with epistemic specifications, has been investigated in [7, 17, 30, 18, 19, 14]. However, this has typically been limited to observational or positional semantics, where an agent's strategy depends only on her current state. In contrast, we here analyse the case of perfect recall, which is undecidable. These works also focus mainly on the interplay between strategic and epistemic modalities. While we show that epistemic modalities are also supported in our setting, they are shown to be derivable and do not need to be introduced as first-class citizens. [31] also introduced an epistemic strategy logic and studied the corresponding model checking problem. In this setup, however, the strategies the agents use are directly encoded in their local states, resulting in a rather different framework. As in [14], the focus is on observational semantics, while here we deal with the arguably more complex case of perfect recall.

Reasoning about strategic abilities in MAS under imperfect information is known to be computationally difficult even for logics less expressive than SL. For example, model checking MAS against ATL specifications goes from PTIME-complete to ∆^p_2-complete under incomplete information and memoryless strategies [32], and it is undecidable under perfect recall [24]. The results of this paper confirm these findings and extend them to Strategy Logic.

Other approaches have been introduced to retain decidability when reasoning about strategies in MAS. A notable direction involves imposing a hierarchy on the information, or the observations, of the agents [33, 34, 35, 36, 37]. This constrains, in a well-structured way, the information that agents possess. Hierarchies have also been studied in the context of variants of SL, thereby achieving similar results [37]. While we share the motivation and the results of these approaches, these restrictions are considerably different from ours. In particular, we impose no a priori hierarchy on the information and the observations of the agents. In other words, hierarchies can be represented in the framework presented here, but they are not a constitutive feature.

Differently from the contributions above, we here introduce the use of public actions as a way to retain decidability for the verification problem. There are strong correspondences between our notion of public action and communication by broadcasting, which has previously been studied in the context of MAS in [38, 39, 40]. While the semantics is similar, previous approaches focused on the modelling and axiomatisations of epistemic and temporal-epistemic logics on these structures. Instead, we here study variants of SL and focus on the model checking problem.

Also related to the above are recent proposals to approximate the verification problem. For instance, [41] studies an approximation of the model checking problem for ATL under imperfect information, specifically one in which the ATL operators admit fixpoint characterisations. By doing so, while the original undecidable problem cannot be solved, a solution is offered to a closely related verification question. Differently from [41], we solve the same verification problem, but under the restricted communication assumption. Also, we here work on SL, which is strictly more expressive than ATL.

Moreover, we note that there are points of contact between the present work and developments in Dynamic Epistemic Logic (DEL). DEL [42, 43] is a framework whereby an epistemic logic is augmented with dynamic modal operators to model information updates. A noteworthy model update operator in DEL is truthful public announcement. In DEL, as well as in related earlier frameworks [38, 44], this is modelled via an epistemic model update incorporating the postconditions of the action. While the framework presented here and DEL for public announcements address related classes of MAS, the technical approaches are rather different. While in DEL the models are instantaneous representations of the agents' epistemic alternatives and time is modelled via the update operations, our models, in line with interpreted systems semantics, ATL, and SL models, incorporate primitively the concept of time in the notions of run and history. Moreover, the syntax of DEL does not normally include operators for strategic abilities.

Related to our contribution is also some of the work in epistemic planning [45, 46], whereby one asks whether there is a sequence of event-models such that the resulting model satisfies a given epistemic formula. Similarly to our findings, the problem is undecidable in general, but becomes decidable when public actions are assumed [45]. Moreover, [47, 48] study a reduction of epistemic planning with public announcements to classical planning. The encoding allowing this reduction uses an idea similar to the one we use here, in that both reductions record the current state for each possible initial state.

An important application of the formalism presented in this paper concerns reasoning about rich solution concepts such as Nash equilibria in which agents have LTL goals, as well as generalisations thereof known as strong rational synthesis. In [49] the strong rational synthesis problem with LTL objectives and aggregation of finitely many objectives is shown to be 2EXPTIME-complete. In [50], Equilibrium Logic is introduced to reason about Nash equilibria in games with LTL and CTL objectives. However, both cases assume that agents have perfect information. In case agents have imperfect information, the existence of Nash equilibria is undecidable for three agents, but decidable for two (cf. [51]). In the case of multiple agents, [37] shows that decidability for a language similar to the one presented here, which can also express the existence of Nash equilibria, can be retained by imposing a hierarchy on the agent observations. In contrast, in Section 3 we show that one can regain decidability, and thus decide the existence of Nash equilibria, by assuming that agents use public actions only, while making no restriction on the agent observations.

On the purely technical side of our contribution, we remark that the proof of our decidability result uses ideas similar to those employed in Littman's PhD thesis [52, Lemma 6.1] and in [53], in that one can convert a deterministic partially observable Markov decision process (POMDP) into an MDP with exponentially many states. The states of the derived MDP are functions D : S → S, where D(t) = s says that, after a fixed sequence of actions and observations, if t were the initial state then s would be the current state. The main differences with our work are that i) we consider a set of initial states (rather than a probability distribution over the initial states), and ii) we model check a very expressive logic, rather than simply solving the synthesis problem.

Previous Work. Preliminary versions of this work were published in non-archival conference papers by the same authors [54, 55, 56]. There are a number of notable differences introduced here to make the paper uniform, mature, and self-contained. First, differently from [54, 55], this paper uses interpreted systems, rather than concurrent game structures, as the underlying semantical model. This enables us, as we did in [56] (and this is the only overlap with that paper), to give a more intuitive and precise definition of what it means for an action of an agent to be public. Indeed, in [54, 55] we only referred to joint actions being public, not individual ones. Second, our logic no longer includes explicit epistemic operators, but does allow equality between strategies. Third, we include extensive examples of the expressiveness of the logic. Fourth, we provide a different, conceptually simpler, and fully detailed proof of the main decidability result, including a complexity analysis. Indeed, instead of giving a reduction to monadic second-order logic [55], or using automata-theoretic techniques [54], we here give a reduction to an intermediate logic (quantified CTL∗) that serves as a useful and natural bridge between strategic logics and monadic second-order logic.

Outline. The rest of the paper is organised as follows.

− In Section 2 we define the syntax and semantics of SLi, provide a number of formulas of SLi, and discuss their importance and relevance for expressing the strategic abilities of agents in MAS.

− In Section 3 we introduce the subclass of systems in which agents operate only through public actions, prove that the corresponding model checking problem is decidable, and provide upper and lower bounds on its complexity.

− In Section 4 we summarise the main findings of the paper and point to future directions of research.

2. Strategy Logic under Imperfect Information

In this section we introduce Strategy Logic under imperfect information (SLi), a logic for strategic reasoning in multi-agent systems. The logic is inspired by Strategy Logic (SL) [10], in which strategies are treated syntactically in the language. This is accomplished by having quantification on first-order variables ranging over strategies. In SL the strategy quantifier ∃x is read as "there exists a strategy x", and the binding operator bind(i, x) is read as "agent i uses strategy x". Moreover, SL includes the linear-temporal operators X and U [57] for reasoning about the temporal evolution of the system in which the agents are bound to particular strategies. The logic we introduce, SLi, inherits these features, and allows us to express game-theoretic concepts such as the existence of winning strategies, Nash equilibria, etc. [58].

The main difference between SL and SLi is that the semantics of SLi permits one to reason about agents with imperfect information (other similar extensions of SL, such as [37, 14], are discussed in the related-work section). Thus, if an agent is associated with a strategy x, then x prescribes actions that are enabled by the protocol of that agent, and that depend only on the local state of the agent; cf. [10, 14]. SLi is equipped with two types of strategy quantifiers (∃o and ∃s); these are inspired by the distinction between the objective and subjective semantics of alternating-time temporal logic (ATL) [59]. Intuitively, they correspond to whether or not the quantified strategy is known to succeed by the agents that use it. Finally, SLi has the ability to express whether two strategies are equal; this is inspired by SL with Graded Modalities [60] and first-order logic with equality.

2.1. Syntax of SLi

In what follows we fix AP to be a finite, non-empty set of atoms, and Ag to be a finite, non-empty set of agents. Further, let Var be a finite, non-empty set of strategy variables, denoted by x, y, . . . and xi, yi, . . .

Definition 1 (SLi). The following grammar defines the SLi formulas ϕ:

ϕ ::= p | x = y | ¬ϕ | ϕ ∨ ϕ | Xϕ | ϕ U ϕ | ∃ox ϕ | ∃sx ϕ | bind(i, x)ϕ

where p ∈ AP, x, y ∈ Var, and i ∈ Ag.

Without loss of generality, we assume that every variable x is quantified at most once in ϕ (this can be done, without changing the size of the formula, by renaming variables). We use the standard abbreviations, e.g., ϕ1 ∧ ϕ2 abbreviates ¬(¬ϕ1 ∨ ¬ϕ2), true abbreviates p ∨ ¬p, Fϕ and Gϕ are shorthands for true U ϕ and ¬F¬ϕ respectively, and ∀x ϕ abbreviates ¬∃x ¬ϕ.

Discussion. The formal semantics of SLi is presented in Section 2.2. Here, we give

intuitions about how to interpret formulas of SLi.


− Inspired by the distinction between the objective and subjective semantics of strategy modalities in alternating-time temporal logic under imperfect information [59], we use ∃o to refer to the objective interpretation and ∃s to refer to the subjective interpretation.

− Quantified strategies are intended to be coherent and uniform, i.e., if an agent uses a strategy then the actions it prescribes should be available to that agent (coherency), and these actions should depend only on the local state of the agent (uniformity). Thus, a formula ∃ox ϕ (or ∃sx ϕ) is read as "there exists a strategy x, coherent and uniform for all agents that use it (in the subformula ϕ), such that ϕ holds". Note that normally, both in SL and in ATL, the formula is simply read as "there exists a strategy x such that ϕ".

− The formula x = y tests whether the strategies denoted by x and y are equal. This is inspired by the distinction between first-order logic with and without equality. Moreover, it allows us to express complex properties such as the uniqueness of solution concepts (see Example 5), and the existence of an evolutionary stable strategy (see Example 6). Previous versions of SL (e.g., [10]) do not include equality on strategies, although some versions allow strategy counting [60].

To define the semantics we need some further notation.

Free Variables and Agents. We introduce the set free(ϕ) to denote the set of free variables and agents appearing in a formula ϕ (cf. [10]). Intuitively, a variable x is free in ϕ if one needs to associate x with a strategy in order to evaluate ϕ, and an agent a is free in ϕ if one needs to bind a strategy to a in order to evaluate ϕ.

Definition 2 (Free variables and agents). The set free(ϕ) ⊆ Ag ∪ Var representing free agents and variables is defined inductively as follows:

free(p) = ∅
free(x = y) = {x, y}
free(¬ϕ) = free(ϕ)
free(Xϕ) = Ag ∪ free(ϕ)
free(ϕ1 U ϕ2) = Ag ∪ free(ϕ1) ∪ free(ϕ2)
free(ϕ1 ∨ ϕ2) = free(ϕ1) ∪ free(ϕ2)
free(∃ox ϕ) = free(∃sx ϕ) = free(ϕ) \ {x}
free(bind(i, x)ϕ) = (free(ϕ) \ {i}) ∪ {x} if i ∈ free(ϕ), and free(ϕ) otherwise.

A formula ϕ without free agents (resp., variables), i.e., with free(ϕ) ∩ Ag = ∅ (resp., free(ϕ) ∩ Var = ∅), is agent-closed (resp., variable-closed). If ϕ is both agent- and variable-closed, it is called a sentence.

Agents using strategies in a subformula. We introduce the set use(x, ϕ) to denote the agents using strategy x in evaluating formula ϕ. Formally, let use(x, ϕ) consist of all agents i ∈ Ag such that ϕ has a subformula of the form bind(i, x)ϕ′ with i ∈ free(ϕ′). This set will be used to provide an imperfect information semantics for SLi.
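The two inductive definitions above can be prototyped directly. The following is a minimal Python sketch; the AST classes, the fixed agent set AG, and all function names are illustrative choices, not notation from the paper:

```python
# Minimal AST for SLi formulas; each class mirrors one grammar production.
AG = {"1", "2"}  # a fixed finite set of agents Ag (illustrative)

class Atom:
    def __init__(self, p): self.p = p
class Eq:
    def __init__(self, x, y): self.x, self.y = x, y
class Not:
    def __init__(self, sub): self.sub = sub
class Or:
    def __init__(self, l, r): self.l, self.r = l, r
class Next:
    def __init__(self, sub): self.sub = sub
class Until:
    def __init__(self, l, r): self.l, self.r = l, r
class Exists:  # covers both the objective and the subjective quantifier
    def __init__(self, x, sub): self.x, self.sub = x, sub
class Bind:
    def __init__(self, i, x, sub): self.i, self.x, self.sub = i, x, sub

def free(phi):
    """The set free(phi) of free agents and variables (Definition 2)."""
    if isinstance(phi, Atom):   return set()
    if isinstance(phi, Eq):     return {phi.x, phi.y}
    if isinstance(phi, Not):    return free(phi.sub)
    if isinstance(phi, Next):   return AG | free(phi.sub)
    if isinstance(phi, Until):  return AG | free(phi.l) | free(phi.r)
    if isinstance(phi, Or):     return free(phi.l) | free(phi.r)
    if isinstance(phi, Exists): return free(phi.sub) - {phi.x}
    if isinstance(phi, Bind):
        f = free(phi.sub)
        return (f - {phi.i}) | {phi.x} if phi.i in f else f

def use(x, phi):
    """Agents i such that phi has a subformula bind(i, x)phi' with i in free(phi')."""
    if isinstance(phi, (Atom, Eq)):
        return set()
    if isinstance(phi, (Not, Next, Exists)):
        return use(x, phi.sub)
    if isinstance(phi, (Or, Until)):
        return use(x, phi.l) | use(x, phi.r)
    if isinstance(phi, Bind):
        inner = use(x, phi.sub)
        if phi.x == x and phi.i in free(phi.sub):
            inner = inner | {phi.i}
        return inner
```

For instance, for ϕ = bind(1, x) Xp one gets free(ϕ) = {2, x} (agent 1 is bound, agent 2 and variable x remain free) and use(x, ϕ) = {1}.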


2.2. Interpreted Systems

We interpret formulas of SLi on interpreted systems. Interpreted systems are a formal model for multi-agent systems where each agent is defined by its local states, actions, and transition function [38]. In this section we recall this semantics, whereas in Section 3 we introduce a novel variant in which we distinguish specific actions that we call public.

Notation. We write [n] for the set {i ∈ N : 1 ≤ i ≤ n}. The length of a finite sequence u ∈ X∗ is denoted by |u| ∈ N. For i ≥ 1, we write ui for the i-th element of u, and u≤i for the prefix of u of length i. We denote the first element u1 of u by first(u), and its last element u|u| by last(u). To ease notation, we sometimes write u(i) instead of ui. The empty sequence is denoted by ε. The length of an infinite sequence is the cardinal ω. For a vector v ∈ ∏j Xj we denote the i-th co-ordinate of v by vi. The powerset of X is denoted P(X). We use the following convention: let f, f′ : X → Y be partial functions and ∼ a binary relation on Y; then whenever we write f(x) ∼ f′(x′) we mean, in particular, that both f(x) and f′(x′) are defined.

Definition 3 (Interpreted Systems). An interpreted system (IS) is a tuple

S = (Ag, {Li, Acti, Pi, τi}i∈Ag, S0, AP, λ)

where

1. Ag = [n], for some n ∈ N, is a finite non-empty set of agents.
2. For each agent i ∈ Ag:
(a) Li is a finite non-empty set of local states.
(b) Acti is a finite non-empty set of local actions.
(c) Pi : Li → P(Acti) \ {∅} is the local protocol.
(d) τi : Li × ∏j∈Ag Actj → Li is a partial function, called the local transition function, such that for every l ∈ Li and a ∈ ∏j∈Ag Actj, τi(l, a) is defined iff ai ∈ Pi(l).
3. S0 ⊆ ∏i∈Ag Li is the set of initial global states.
4. AP is the finite set of atomic propositions (also called atoms).
5. λ : AP → P(∏i∈Ag Li) is a labelling function.

Note that we do not assume that the sets Acti of local actions are disjoint. Intuitively, an interpreted system describes the synchronous evolution of a group Ag of agents: at any point in time, each agent i is in some local state l ∈ Li, which encodes the (possibly partial) information she has about the state of the system. The local protocol Pi specifies which actions from Acti agent i can execute in each local state. The execution of a joint action a ∈ ∏j∈Ag Actj gives rise to the transition from the present state l to the successor state τi(l, a). The actions in Pi(l) are said to be available to agent i in local state l ∈ Li. Thus, the local transition function τi(l, a) is defined iff action ai is available to agent i in local state l.

We now recall some standard terminology about interpreted systems (IS) that allows

us to reason about temporal, epistemic and strategic properties in an IS.


Global States, Joint Actions, and Transitions. We introduce the following notions:

− the set S := ∏i∈Ag Li is called the set of global states;

− the set Act := ∏i∈Ag Acti is called the set of joint actions;

− the partial function τ : S × Act → S is called the global transition function; it is defined so that τ(s, a) = s′ iff for every i ∈ Ag, τi(si, a) = s′i;

− the set of all actions ∪a∈Ag Acta is denoted act.

Notice that transitions are synchronous executions of individual actions, one for each agent in the system. Atomic facts about the system at every point in time are given by the labelling function λ.
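To make Definition 3 and the derived global transition function concrete, here is a minimal Python sketch of a toy two-agent interpreted system. The toy dynamics, all names, and the 0-based tuple encoding of global states are illustrative assumptions, not part of the paper's formalism:

```python
from itertools import product

# Two agents; local states and local actions per agent (toy system).
L = {1: {"a0", "a1"}, 2: {"b0", "b1"}}
Act = {1: {"go", "wait"}, 2: {"go", "wait"}}

# Local protocols P_i : L_i -> non-empty sets of actions.
P = {1: lambda l: {"go", "wait"}, 2: lambda l: {"go", "wait"}}

def tau_i(i, l, a):
    """Local transition tau_i(l, a), defined iff a_i is in P_i(l)."""
    if a[i - 1] not in P[i](l):
        return None  # partiality: a_i is not enabled at l
    # toy dynamics: an agent flips its local state when it plays "go"
    flip = {"a0": "a1", "a1": "a0", "b0": "b1", "b1": "b0"}
    return flip[l] if a[i - 1] == "go" else l

def tau(s, a):
    """Global transition: tau(s, a) = s' iff tau_i(s_i, a) = s'_i for all i."""
    succ = tuple(tau_i(i, s[i - 1], a) for i in (1, 2))
    return None if None in succ else succ

# Global states S and joint actions Act are cartesian products.
S = set(product(L[1], L[2]))
joint = set(product(Act[1], Act[2]))
```

For example, from the global state ("a0", "b0"), the joint action ("go", "wait") leads to ("a1", "b0"): each local transition is applied synchronously to its agent's component.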

Runs and Histories. A run (resp. history) is an infinite (resp. finite non-empty) sequence r = r(1)r(2)··· of global states starting in an initial state and respecting the global transition function, i.e., r(1) ∈ S0 and for every t < |r| there exists a joint action a ∈ Act such that τ(r(t), a) = r(t + 1). The set of all histories is denoted by Hist. Notice that S0 ⊆ Hist. For a run (or history) r, agent i ∈ Ag, and index t < |r|, let r(t)i be the local state of agent i in the global state r(t) (we use this notation as it is easier to read than r(t)(i)).

Perfect recall of observations. We assume that agents have perfect recall. Intuitively, this means that they remember the full history of their observations. Formally, we define the indistinguishability relation of agent i as the equivalence relation ∼i over global states S defined as follows: s ∼i s′ iff si = s′i, that is, two global states are indistinguishable for agent i iff agent i's local state is the same in both [38]. In order to capture agents with perfect recall of their observations, this relation is lifted to histories in a synchronous, pointwise fashion: h ∼i h′ iff (1) |h| = |h′| and (2) h(t) ∼i h′(t) for 1 ≤ t ≤ |h|.
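The synchronous, pointwise lifting of ∼i to histories can be sketched as follows. This is illustrative Python: global states are tuples of local states, histories are sequences of such tuples, and agents are indexed from 0 here, unlike the paper's 1-based Ag = [n]:

```python
def indist_states(i, s, t):
    """s ~_i t iff agent i's local state coincides in both global states."""
    return s[i] == t[i]

def indist_histories(i, h, hp):
    """h ~_i h' iff (1) |h| = |h'| and (2) h(t) ~_i h'(t) for 1 <= t <= |h|."""
    return len(h) == len(hp) and all(
        indist_states(i, s, t) for s, t in zip(h, hp))
```

The length condition makes the relation synchronous: an agent always knows how many steps have elapsed, but may be unsure which global states were traversed.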

Strategies. We define a strategy to be a function σ : Hist → ∪j∈Ag Actj from histories to actions. Let Str denote the set of all strategies. A strategy σ is coherent for agent i if action σ(h) is available to agent i in local state last(h)i, that is, σ(h) ∈ Pi(last(h)i); it is uniform for agent i if h ∼i h′ implies σ(h) = σ(h′), that is, on indistinguishable histories agent i is required to execute the same action [59, 61].
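Coherence and uniformity can be checked as sketched below, over a finite set of candidate histories. This is illustrative Python under the same assumptions as above (0-based agent indices, histories as tuples of global states); `protocol` stands in for the local protocol Pi. Uniformity is checked via equality of the agent's observed local-state sequences, which coincides with the synchronous pointwise ∼i:

```python
def coherent(sigma, i, histories, protocol):
    """sigma(h) must be available to agent i at last(h)_i,
    i.e. sigma(h) in P_i(last(h)_i) for every history h."""
    return all(sigma(h) in protocol(h[-1][i]) for h in histories)

def uniform(sigma, i, histories):
    """h ~_i h' implies sigma(h) = sigma(h'): the prescribed action may
    depend only on agent i's sequence of observed local states."""
    def obs(h):  # agent i's local-state sequence along h
        return tuple(s[i] for s in h)
    seen = {}
    for h in histories:
        o = obs(h)
        if o in seen and seen[o] != sigma(h):
            return False  # two ~_i-equivalent histories, different actions
        seen.setdefault(o, sigma(h))
    return True
```

A strategy that conditions on another agent's local state can thus be uniform for that agent while failing uniformity for the agent who cannot observe it.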

Assignments. A valuation is a function ν : Var → Str that maps variables to strategies. A valuation ν is ϕ-compatible if for every variable x ∈ Var, the strategy ν(x) is coherent and uniform for every agent in use(x, ϕ). A binding is a function β : Ag → Var that maps agents to variables. Note that the composition ν(β(·)) maps agents to strategies (in the game-theory literature, such a function is called a strategy profile). An assignment χ is a pair (ν, β) such that for all i ∈ Ag, the strategy ν(β(i)) is coherent and uniform for i. An assignment (ν, β) and a history h determine a unique infinite run π(h, ν, β) in which the agents play according to the assigned strategies, i.e., agent i plays from h onwards according to ν(β(i)). Formally, π(h, ν, β) is defined as the run π such that (1) π≤|h| = h; and (2) for t > |h|, πt = τ(πt−1, a) where ai = ν(β(i))(π≤t−1) for every i ∈ Ag.
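Clauses (1) and (2) above give a direct recipe for computing any finite prefix of the outcome run π(h, ν, β). The following Python sketch does exactly that; `tau`, `nu`, `beta`, and the integer-vector toy system in the usage note are illustrative stand-ins, not the paper's constructions:

```python
def play(h, nu, beta, tau, agents, steps):
    """Return the prefix of pi(h, nu, beta) of length len(h) + steps."""
    pi = list(h)                   # clause (1): pi_{<=|h|} = h
    for _ in range(steps):         # clause (2): pi_t = tau(pi_{t-1}, a)
        # each agent i contributes a_i = nu(beta(i)) applied to the
        # history built so far
        a = tuple(nu[beta[i]](tuple(pi)) for i in agents)
        pi.append(tau(pi[-1], a))
    return tuple(pi)
```

For instance, with a toy tau that adds the joint action componentwise to an integer global state, and every agent bound to a strategy that always plays 1, the run from ((0, 0),) unfolds as (0, 0), (1, 1), (2, 2), . . .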


We define variants of valuations and bindings. For x ∈ Var and σ ∈ Str, the variant ν[x ↦ σ] is the valuation ν′ that agrees with ν except that ν′ maps x to σ. Similarly, for i ∈ Ag and x ∈ Var, the variant β[i ↦ x] is the binding β′ that agrees with β except that β′(i) = x.

We now give the semantics of the satisfaction relation for the logic.

Definition 4 (Semantics). For a given IS S and an SLi formula ϕ, we define the satisfaction relation (S, h, ν, β) |= ϕ inductively on the structure of ϕ, where h is a history, ν is a ϕ-compatible valuation, and β is a binding such that (ν, β) is an assignment:

(S, h, ν, β) |= p if last(h) ∈ λ(p)
(S, h, ν, β) |= x = y if for every history h′ extending h, ν(x)(h′) = ν(y)(h′)
(S, h, ν, β) |= ¬ϕ if (S, h, ν, β) ⊭ ϕ
(S, h, ν, β) |= ϕ ∨ ϕ′ if (S, h, ν, β) |= ϕ or (S, h, ν, β) |= ϕ′
(S, h, ν, β) |= Xϕ if (S, π≤|h|+1(h, ν, β), ν, β) |= ϕ
(S, h, ν, β) |= ϕ U ϕ′ if there exists j ≥ |h| such that (S, π≤j(h, ν, β), ν, β) |= ϕ′ and, for all |h| ≤ k < j, (S, π≤k(h, ν, β), ν, β) |= ϕ
(S, h, ν, β) |= ∃ox ϕ if for some σ ∈ Str that is coherent and uniform for every agent in use(x, ϕ), we have that (S, h, ν[x ↦ σ], β) |= ϕ
(S, h, ν, β) |= ∃sx ϕ if for some σ ∈ Str that is coherent and uniform for every agent in use(x, ϕ), we have that (S, h′, ν[x ↦ σ], β) |= ϕ for every history h′ ∼i h and every i ∈ use(x, ϕ)
(S, h, ν, β) |= bind(i, x)ϕ if (S, h, ν, β[i ↦ x]) |= ϕ

Note that the satisfaction relation is well defined in the sense that the valuation-binding pairs introduced at every step of the inductive definition are indeed assignments and that the valuations are compatible. We prove this in Appendix A.

It is routine to show (by structural induction) that if ϕ is a sentence, i.e., free(ϕ) = ∅, then (S, h, ν, β) |= ϕ does not depend on the assignment (ν, β). Thus, for a sentence ϕ we write (S, h) |= ϕ to mean that (S, h, ν, β) |= ϕ for some (equivalently, every) assignment (ν, β). Further, we say that ϕ is true in S, and write S |= ϕ, iff for every initial state s ∈ S0, (S, s) |= ϕ.

Remark 1. We provide the derived semantics of the universal strategy quantifiers ∀o and ∀s:

(S, h, ν, β) |= ∀ox ϕ if for every σ ∈ Str that is coherent and uniform for every agent in use(x, ϕ), we have that (S, h, ν[x ↦ σ], β) |= ϕ
(S, h, ν, β) |= ∀sx ϕ if for every σ ∈ Str that is coherent and uniform for every agent in use(x, ϕ), we have that (S, h′, ν[x ↦ σ], β) |= ϕ for some h′ ∼i h where i ∈ use(x, ϕ)

Note that in the subjective semantics (i.e., ∃s and ∀s), we only consider reachable epistemic alternatives h′, as histories are defined to start in initial states and to be consistent with the transition function τ.


We also observe that the formal meaning of the ∀s quantifier may seem misaligned with the usual intuition about universal quantification (since it includes an existential quantification over histories). However, this reading is consistent with the subjective interpretation of the operator [[A]] in ATL: no matter what strategy we consider, ϕ is epistemically consistent.

Remark 2. The subjective existential quantifier ∃s allows us to introduce an epistemic operator Ki (for certain formulas) that represents the individual knowledge of agent i as "truth in indistinguishable histories" [38]. Indeed, define Kiϕ ≜ ∃sz.bind(i, z)ϕ, where z is a fresh variable not appearing in ϕ and i ∉ free(ϕ). Since i does not appear free in ϕ, the truth of Kiϕ does not depend on the particular strategy assigned to z, and therefore we have that:

(S, h, ν, β) |= Kiϕ if for every history h′ ∼i h we have that (S, h′, ν, β) |= ϕ
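This derived clause is easy to prototype over any finite set of histories: Ki holds at h exactly when the formula holds throughout the indistinguishability class of h. The sketch below is our own toy illustration, not from the paper; the histories, relation, and valuation are invented.

```python
def knows(i, h, truth, indist):
    """K_i phi holds at history h iff phi is true at every history
    that agent i cannot distinguish from h."""
    return all(truth(g) for g in indist(i, h))

# Toy model: histories are strings; agent 0 observes only their length,
# so two histories of equal length are indistinguishable to agent 0.
histories = ["aa", "ab", "ba", "abc"]
indist = lambda i, h: [g for g in histories if len(g) == len(h)]
truth = lambda h: h[0] == "a"            # phi: "the first letter is a"

print(knows(0, "aa", truth, indist))     # False: "ba" is indistinguishable
print(knows(0, "abc", truth, indist))    # True: "abc" is alone in its class
```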

We remark that the operator Ki defines a notion of knowledge based on truth in indistinguishable histories, a mainstream notion in knowledge representation and multi-agent systems [38]. On the other hand, the epistemic and strategic dimensions of multi-agent systems can be combined in many different ways (see [59, 15] for some examples). Such an analysis is beyond the scope of the current contribution.

Remark 3. We discuss the definition of equality =. Informally, we consider two strategies to be equal if they agree on all histories. However, since formulas of SLi cannot talk about the past, we may restrict this definition to histories extending the current one. That is, (S, h) |= σ = σ′ iff σ and σ′ coincide on all histories extending h (which includes h itself). This ensures that = does not talk about the past either, which is technically helpful (in the proof of Proposition 2).

Note that the behaviour of σ and σ′ cannot be distinguished in SLi without the subjective quantifiers ∀s and ∃s. Indeed, well-known principles characterising equality, such as the substitution of identicals ∀ox∀oy(x = y → (ϕ ↔ ϕ[x/y])), are valid whenever neither ∀s nor ∃s appears in ϕ.

Furthermore, we might want to consider a notion of equality that also accounts for extensions of epistemic alternatives of the current history h. It turns out that such "subjective" equality =s can be defined by using = and the epistemic operator Ki introduced in Remark 2. More formally, define x =s y ::= ⋀i∈Ag Ki(x = y). Then, the meaning of =s is as follows:

(S, h, ν, β) |= x =s y if for every agent i, every history h′ ∼i h, and every history h″ extending h′, we have that ν(x)(h″) = ν(y)(h″)

Since =s is definable in terms of = and Ki, we take the latter as primitive. Note, however, that the formula ∀ox∀oy(x =s y → (ϕ ↔ ϕ[x/y])) is still not valid unrestrictedly.

Remark 4 (Syntactic Fragments of SLi). It is well known that, in the perfect information setting, SL subsumes the alternating-time temporal logic ATL∗ [2], and therefore also ATL and the temporal logics LTL, CTL, CTL∗.

Similarly, in the imperfect information setting of this work, ATL∗ can be seen as a syntactic fragment of SLi. To show this, we present the syntax of ATL∗, where we


explicitly distinguish between strategy operators ⟨⟨A⟩⟩o (resp. ⟨⟨A⟩⟩s) interpreted according to the objective (resp. subjective) semantics for ATL∗:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ⟨⟨A⟩⟩oψ | ⟨⟨A⟩⟩sψ

ψ ::= ϕ | ¬ψ | ψ ∨ ψ | Xψ | ψUψ

where p ∈ AP and A ⊆ Ag.

Here we do not provide the semantics of ATL∗ but refer to [59] for full details.

We can define a translation t from ATL∗ to SLi that is the identity on atoms (i.e., t(p) = p), that commutes with the Boolean and temporal operators (e.g., t(¬ϕ) = ¬t(ϕ) and t(Xψ) = X t(ψ)), and whose translation of strategy formulas is given as follows, for Ag = [n] and A = [m]:

t(⟨⟨A⟩⟩oψ) = (∃oxi)1≤i≤m (∀oxi)m<i≤n (bind(i, xi))1≤i≤n t(ψ)

t(⟨⟨A⟩⟩sψ) = (∃oxi)1≤i≤m ⋀i≤m Ki (∀oxi)m<i≤n (bind(i, xi))1≤i≤n t(ψ)

Specifically, the translation of the operator ⟨⟨A⟩⟩o closely corresponds to its informal reading: there exist (uniform) strategies for the agents in coalition A such that, no matter what the agents in Ag \ A do, ψ holds. As regards ⟨⟨A⟩⟩s, its translation states that "there exist (uniform) strategies for the agents in coalition A such that, in all histories indistinguishable for some agent in A, no matter what the agents in Ag \ A do, ψ holds".

In particular, the truth-preserving implication from ⟨⟨A⟩⟩oψ to t(⟨⟨A⟩⟩oψ) holds independently of the assumptions on knowledge and memory, as the choice of any strategy for the adversary coalition Ag \ A generates some path in the iCGS. As for the converse implication, we claim that if ⟨⟨A⟩⟩oψ is false, then t(⟨⟨A⟩⟩oψ) is false as well. Indeed, suppose that for every strategy available to coalition A, there exists some path λ such that ψ is false on λ. Given such a path λ, we can define a joint strategy for the adversary coalition Ag \ A that simply returns the actions played by Ag \ A along λ. The fact that agents have perfect recall allows them to play possibly different actions whenever they end up in an indistinguishable state along the path, and therefore the strategy for Ag \ A is well defined. Moreover, the strategy can be assumed to be uniform w.l.o.g. by simply associating the same action with indistinguishable histories. As a result, the translation t(⟨⟨A⟩⟩oψ) is false as well.

Further, note that a naive translation of ⟨⟨A⟩⟩s that makes use of a suite (∃sxi)1≤i≤m of subjective quantifiers will not achieve the same effect, as for each quantifier ∃sxi a possibly different set of histories (i.e., those indistinguishable for agent i) may be selected.

Following the intuitions above, by suitably adapting the semantics in [59] to interpreted systems, it can be shown that a formula ϕ of ATL∗ is true in an IS S iff its translation t(ϕ) is. Hence, our logic SLi is a (conservative) extension of ATL∗ under imperfect information, in both its objective and subjective interpretations.

2.3. MAS Speciﬁcations in SLi

In this section we illustrate the use of SLi for the speciﬁcation of strategic interplay in

MAS. As we show below, SLi is a very expressive speciﬁcation language to reason about

MAS under incomplete information.


Example 1. [Winning strategies] We begin by observing that, since ATL∗ formulas can be expressed in SLi (Remark 4), SLi can express specifications often used in voting ("a coercer can ensure that the voter will eventually either have voted for a given candidate or be punished" [41]), bridge endplay ("a given player can ensure that her team takes more than half of the remaining tricks" [41]), scheduler systems (mutual exclusion and lack of starvation [14]), and anonymity protocols (such as the dining cryptographers [14]). The corresponding SLi specifications used in these contexts are variations of the property expressing that a player in a game has a winning strategy.

Suppose S represents a card game between multiple players in which the atom points^p_j represents that player j has scored p points (see Example 7 for more details). The SLi formula

winning1 ≜ ⋀p ( points^p_1 → ⋁q:q<p points^q_2 )

expresses that player 1 has scored more points than player 2. This can be generalised to player 1 having scored more points than any of the other players. Let end be an atom denoting that the game has ended, and define the SLi formula

ψ ≜ bind(1, x) bind(2, y) F(end ∧ winning1)

which expresses that if player 1 uses strategy x and player 2 uses strategy y, then eventually the game ends with player 1 having more points than player 2.

Consider the formula schema ϕ ≜ ∃x∀yψ, which expresses, intuitively, that player 1 has a strategy that dominates all of player 2's strategies. We will consider all four variations of this schema in which the quantifiers are subjective or objective. Since these are sentences, we consider, for a given history h, whether (S, h) |= ϕ. Note that in all cases the strategy quantified by x must be coherent and uniform for agent 1, since only agent 1 uses strategy x (formally, use(x, ∀y bind(1, x)bind(2, y)F(end ∧ winning1)) = {1}); similarly, throughout we will assume that the strategy quantified by y must be coherent and uniform for agent 2. For simplicity, we will assume that h is a history of length 1, i.e., player i (for i = 1, 2) has been dealt a set Hi of cards that the other player cannot see, and the game is about to commence.

1. The sentence ∃ox∀oyψ represents that there is a strategy σ1 for player 1 such that, for every strategy σ2 for player 2, if each player uses their strategy starting from h, player 1 will win. In words, player 1, with hand H1, can defeat player 2 if his hand is H2.

2. The sentence ∃sx∀oyψ means that there is a strategy σ1 for player 1 such that, for every h′ ∼1 h and every strategy σ2 for player 2, if each player uses their strategy starting from h′, player 1 will win. In words, player 1, with hand H1, can defeat player 2 no matter what his hand is.

3. The sentence ∃ox∀syψ means that there exists a strategy σ1 for player 1 such that, for all strategies σ2 for player 2, there exists h″ ∼2 h such that, if each player uses their strategy, then starting at h″ player 1 will win. In words, player 1, with hand H1, can ensure that player 2 (not knowing player 1's hand) will consider it possible that he will be defeated.

4. The sentence ∃sx∀syψ means that there exists a strategy σ1 for player 1 such that, for every h′ ∼1 h and every strategy σ2 for player 2, there exists h″ ∼2 h′ such that, if each player uses their strategy, then starting at h″ player 1 will win. In words, player 1 has a strategy that she knows player 2 will think may defeat him (player 2).

Observe that ∃sxψ logically implies ∃oxψ, whereas the converse does not hold. Thus, e.g., ∃sx∀syψ implies ∃ox∀syψ. Moreover, the formulas ∃ox∀oyψ and ∃sx∀oyψ have the same interpretation as the formulas ⟨⟨1⟩⟩oψ and ⟨⟨1⟩⟩sψ in ATL∗, respectively. However, there are no simple translations of the formulas ∃ox∀syψ and ∃sx∀syψ into ATL∗, since the latter cannot express both the subjective and the objective interpretation of quantifiers.

In what follows, let x̄ denote a tuple (x1, x2, . . . , xn) of strategy variables, and let bind(i, xi)i∈[n] stand for the binding prefix

bind(1, x1) bind(2, x2) · · · bind(n, xn).

Example 2. [Dependencies of coalitions] By alternating quantifiers, SLi can express various dependencies of coalitions in games. For instance, the formula

∃ox1 ∃ox3 ∀ox2 bind(i, xi)i∈[3] ψ    (1)

represents that players 1 and 3 can collude to ensure that ψ holds no matter what player 2 does. Compare this with the formula

∃ox1 ∀ox2 ∃ox3 bind(i, xi)i∈[3] ψ    (2)

which is similar, except that player 3's strategy may depend on player 2's strategy. Note that (1) can be expressed by the ATL∗ formula ⟨⟨{1, 3}⟩⟩o t(ψ); in contrast, formula (2) cannot be expressed in ATL∗.

Example 3. [Game-theoretic solution concepts] SLi can express classic notions of strategic behaviour in multiplayer games, e.g., best response and Nash equilibrium. Consider a game where the objective of player i is encoded by the formula ψi (objectives may be arbitrary SLi formulas; typically, they are just LTL formulas). The SLi formula

BRi(x̄) ≜ (∃oy bind(j, xj)j≠i bind(i, y)ψi) → bind(j, xj)j≠i bind(i, xi)ψi

expresses that xi is a best response to (xj)j≠i, that is, if agent i can achieve goal ψi by playing some strategy y, then she can already achieve it by playing strategy xi. Building on this, the SLi formula

NE(x1, . . . , xn) ≜ ⋀i∈[n] BRi(x̄)

expresses that each strategy xi is a best response to the strategies of the other players.

Nash equilibria (NE), as expressed by the formula above, describe optimal play in two-player zero-sum games of imperfect information [58]. SLi can express properties that build on NE, such as correctness of fair division protocols [62]. Related notions such as (strong) rational synthesis [49] and the simple one-alternation strategy formulas for two-player zero-sum games [8] can also be expressed in SL and thus in SLi. Also, NE are used as a basis for other solution concepts. For instance, subgame-perfect equilibria of certain infinite-duration games can be expressed in SLi [60]. Subgame-perfect equilibria are arguably better suited to graph games because they eliminate some implausible NE [63]. Finally, SLi can express solution concepts such as k-resilience and t-immunity that are also used in rational distributed computing [64, 65].
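To ground the definitions, the best-response condition that BRi formalises can be checked by exhaustive search in a finite normal-form game. The sketch below is our own illustration, not from the paper; the game (matching pennies) and all function names are invented for the example.

```python
from itertools import product

def best_responses(payoff, strategies, i, profile):
    """Strategies of player i maximising her payoff, the others being fixed."""
    def util(s_i):
        full = tuple(s_i if j == i else profile[j] for j in range(len(profile)))
        return payoff[full][i]
    best = max(util(s) for s in strategies[i])
    return {s for s in strategies[i] if util(s) == best}

def is_nash(payoff, strategies, profile):
    """A profile is a NE iff each component is a best response to the rest,
    mirroring NE(x1, ..., xn) as a conjunction of best-response tests."""
    return all(profile[i] in best_responses(payoff, strategies, i, profile)
               for i in range(len(profile)))

# Matching pennies: no pure-strategy Nash equilibrium exists.
S = [("H", "T"), ("H", "T")]
pay = {(a, b): (1, -1) if a == b else (-1, 1) for a, b in product(*S)}
print(any(is_nash(pay, S, p) for p in product(*S)))  # False
```

A coordination game (both players rewarded for matching) would, by contrast, make the check succeed on the matching profiles.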

We now discuss in more detail a subjective interpretation of the formulas expressing best response and NE. Recall that Kiϕ is expressible as long as i is not free in ϕ. So, the SLi formula KLRi(y, x̄) defined by

bind(j, xj)j≠i bind(i, y)ψi → Ki bind(j, xj)j≠i bind(i, xi)ψi

expresses that, for every strategy y to achieve goal ψi, strategy xi is known by agent i to be at least as good a response to (xj)j≠i as y.

Then, the formula KBRi(x̄), defined by

(∃sy bind(j, xj)j≠i bind(i, y)ψi) → Ki bind(j, xj)j≠i bind(i, xi)ψi

expresses that, for every strategy profile (xj)j≠i, if some strategy y for agent i achieves goal ψi, then strategy xi is known to be a best response to (xj)j≠i.

Finally, the SLi formula KNE(x1, · · · , xn), defined by ⋀i∈[n] KBRi(x̄), expresses an epistemic variant of NE, according to which the strategy each agent currently plays is not just a best response, but is known to be so by each agent.

[Figure 1 shows two turn-based trees, rooted at the indistinguishable initial states s0 and s′0, with moves L and R for agent 1 followed by L and R for agent 2; the leaves sLL, sLR, s′LL, s′LR are labelled q, the leaf sRL is labelled p, while s′RL carries no atom; dotted lines marked 1, 2 connect states indistinguishable to both agents.]

Figure 1: Illustration of epistemic variant of NE

To illustrate these formulas, consider the turn-based game of imperfect information in Fig. 1, in which agent 1 plays first (atoms true in a state are drawn to the left of that state). Observe that such a game can be represented as an IS in which both agents 1 and 2 are uncertain about the initial state. Agent 1 has goal XXp, while agent 2 has goal XXq. Notice that a uniform strategy for agent 1 consists of a single move, either L (left) or R (right); whereas agent 2's strategies must be uniform on {sL, s′L} and {sR, s′R}, even though she might choose different actions for the two knowledge sets. Now consider the strategy profile where agent 1 plays L and agent 2 plays L in all states. We can check that playing L is a best response for agent 1, that is, the formula KBR1(x̄) is true in s0 for the relevant strategy profile x̄. Indeed, even though playing L does not guarantee that agent 1 achieves his goal, the antecedent of KBR1 is false as well: since p is false in s′RL, there is no strategy that guarantees that agent 1 also achieves his goal from the indistinguishable state s′0, and therefore agent 1 does not know the alternative to be a best response. However, is always playing L a known best response for agent 2? Although playing R would guarantee that agent 2 knows he achieves his goal, this knowledge can already be obtained by playing L. As a result, playing L is a best response for agent 2 as well. Since the chosen strategy profile is known to be a best response by both agents, it satisfies the epistemic variant KNE of the existence of a Nash equilibrium.

Example 4. [Kingmaker] Consider the SLi formula

(∃ox1∃ox2∃ox3 NEϕ1(x1, x2, x3)) ∧ (∃ox1∃ox2∃ox3 NEϕ2(x1, x2, x3))

where

− ϕ1 = ⋁p<q (points^p_1 ∧ points^q_2) says that player 2 gets more points than player 1,

− ϕ2 = ⋁p<q (points^p_2 ∧ points^q_1) says that player 1 gets more points than player 2,

− and NEϕ(x̄) = NE(x̄) ∧ bind(i, xi)i∈[3] ϕ expresses that x̄ is a Nash equilibrium in which ϕ holds.

The whole formula says that there are two Nash equilibria in which player 3 can decide which of the other players gets more points. This expresses a form of kingmaker property that occurs in certain forms of poker with mixed strategies, such as Kuhn's three-player, four-card poker [66], in which there are four cards, with values 1, 2, 3, 4, each of the three players gets a single card (visible only to them), and after some rounds of betting the player with the highest card who has not folded wins the pot.

Since SLi includes equality of variables, we can express concepts that involve comparisons between strategies.

Example 5. [Unique Equilibria] The formula

∃x̄ ∀ȳ. NE(ȳ) → ⋀i∈Ag yi = xi

expresses that there is a unique Nash equilibrium. Deciding whether a game has a unique Nash equilibrium is relevant to the predictive power of the Nash equilibrium as a solution concept. Indeed, in case there are multiple equilibria, the outcome of the game cannot be uniquely pinned down.¹

¹We remark that a different extension of SL was introduced in [67] to capture, amongst other things, uniqueness of Nash equilibria.

Example 6. Consider a symmetric two-player game where p(x, y) is the payoff to player 1 if she uses strategy x and the opponent uses strategy y. Recall that a strategy x is evolutionary stable if, intuitively, no mutant strategy can replace x when all players are playing x [68]. Formally, x is an evolutionary stable strategy if for every y ≠ x, either (i) p(x, x) > p(y, x), or (ii) p(x, x) = p(y, x) and p(x, y) > p(y, y). In case p(x, y) can only take on a finite number of values, we can express the concept of evolutionary stable strategies in SLi. Let pi(x, y) be an atom denoting that p(x, y) = i. Then the following SLi formula defines that x is an evolutionary stable strategy:

∀y. (y ≠ x) → C1 ∨ (C2 ∧ C3)

where C1 is ⋁i>j (pi(x, x) ∧ pj(y, x)), C2 is ⋁i (pi(x, x) ∧ pi(y, x)), and C3 is ⋁i>j (pi(x, y) ∧ pj(y, y)).
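The two clauses can be checked mechanically on a finite payoff table. The sketch below is our own illustration with invented payoff values (a symmetric Prisoner's Dilemma): defection satisfies clause (i) against the cooperative mutant, while cooperation is invadable.

```python
def is_ess(p, strategies, x):
    """x is evolutionary stable iff every mutant y != x satisfies
    (i) p(x,x) > p(y,x), or (ii) p(x,x) == p(y,x) and p(x,y) > p(y,y)."""
    for y in strategies:
        if y == x:
            continue
        if p[x, x] > p[y, x]:
            continue                                  # clause (i)
        if p[x, x] == p[y, x] and p[x, y] > p[y, y]:
            continue                                  # clause (ii)
        return False
    return True

# Row player's payoffs in a symmetric Prisoner's Dilemma (illustrative values).
p = {("C", "C"): 3, ("C", "D"): 0, ("D", "C"): 5, ("D", "D"): 1}
print(is_ess(p, ["C", "D"], "D"), is_ess(p, ["C", "D"], "C"))  # True False
```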

Remark 5. Although winning strategies (Example 1) can be expressed in ATL∗, richer solution concepts, such as Nash equilibria in which agents have LTL goals, are not expressible in ATL∗, already for three players with reachability/safety goals and perfect information [69, Theorems 3 and 5]. We remark that winning strategies have been used to characterise the existence of Nash equilibria in some special cases [70, 71]; this holds, in particular, for two-player turn-based games of perfect information in which agents have LTL objectives that do not depend on finite prefixes of the play [8, Proof of Lemma 1]. A detailed study of the preservation of the existence of Nash equilibria under bisimulation is given in [72].

In case agents have imperfect information, the existence of Nash equilibria is undecidable for three agents [51], and decidable for two agents, cf. [51]. For multiple agents, [37] show that one can regain decidability (for a strategy logic similar to ours that can express the existence of Nash equilibria) by imposing a hierarchy on the agents' observations. In contrast, in Section 3 we will show that one can regain decidability, and thus decide the existence of Nash equilibria, by assuming that agents use public actions (and we make no restriction on the agents' observations).

2.4. The Model-checking Problem

In the rest of the paper we consider the following decision problem.

Definition 5 (Model Checking). The model-checking problem is defined as follows: given an interpreted system S and an SLi sentence ϕ, decide whether S |= ϕ.

As expected, this problem is undecidable in general.

Theorem 6. Model checking IS against SLi speciﬁcations is undecidable.

To see this, we observe that the model-checking problem for concurrent game structures under perfect recall and imperfect information (iCGS) against specifications expressed in alternating-time temporal logic (ATLiR) is undecidable. In fact, the latter problem is undecidable already for formulas of the form ⟨⟨A⟩⟩Gp with |A| = 2 and |Ag| = 3 [24]. Since this is an adaptation of existing results, we only sketch the reduction. Specifically, in Appendix B we define the semantics of SLi over iCGS and prove that the model-checking problem for a subclass of iCGS, namely the square iCGS, against SLi is inter-reducible in polynomial time with the model-checking problem for IS against SLi (this result is novel and may be of independent interest). A key property of square iCGS is that if agent i finds two states indistinguishable, then after applying the same joint action, the resulting states are still indistinguishable to agent i (this captures the fact that, in an IS, an agent updates its local states using its local transition function τi). Then, in Appendix C, we show that the undecidability proof in [24] can be adapted to hold for square iCGS.

As discussed in the introduction, a number of restrictions on the general setting have been explored to obtain decidability. In the next section we will define and study a class of IS for which the model-checking problem is decidable. Moreover, in order to make statements about the computational complexity of the problem, we need to specify how the inputs S and ϕ are represented. We use an explicit representation. In particular, the size of the SLi formula, denoted |ϕ|, is the number of its symbols, and the size of the IS, denoted |S|, is the number of transitions in its global transition function restricted to the reachable global states. Here, a state s is reachable if it occurs in some history of S (recall that histories start in initial states and are consistent with the global transition function). In particular, we do not measure the size of the labelling function, i.e., we assume that the number of atoms is fixed.
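As an aside, this size measure is straightforward to compute by a breadth-first exploration that counts the transitions leaving reachable states. The sketch below is our own illustration with an invented toy system, not part of the paper's formal development.

```python
from collections import deque

def reachable_transitions(initial, actions, tau):
    """Count the transitions of the global transition function restricted
    to reachable states, i.e., the measure |S| used for complexity."""
    seen, frontier, edges = set(initial), deque(initial), 0
    while frontier:
        s = frontier.popleft()
        for a in actions:
            t = tau(s, a)
            edges += 1                 # one transition from a reachable state
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return edges, seen

# Toy system: states are integers mod 4, two joint actions +1 and +2.
edges, states = reachable_transitions([0], [1, 2], lambda s, a: (s + a) % 4)
print(edges, sorted(states))  # 8 [0, 1, 2, 3]
```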

3. Public Action Interpreted Systems and SLi

In this section we introduce a class of interpreted systems and prove that their model-checking problem against SLi specifications is decidable. This result should be contrasted with the undecidability in the general case (Theorem 6).

3.1. Interpreted Systems with Public Actions

We introduce a class of interpreted systems (Definition 3) in which we explicitly distinguish public actions, that is, actions that are observable to all agents.

Definition 7 (IS with Public Actions). An interpreted system with public actions is a tuple

S = (Ag, {L^pr_i, Acti, PbActi, Pi, τi}i∈Ag, S0, AP, λ)

such that

(Ag, {Li, Acti, Pi, τi}i∈Ag, S0, AP, λ)

is an interpreted system where, for every agent i ∈ Ag:

1. PbActi ⊆ Acti is the set of public actions of agent i;

2. Li = L^pr_i × ∏j∈Ag (PbActj ∪ {∆}) is the set of local states, where ∆ is a fresh symbol;

3. the local transition function τi satisfies the property that τi(l, a) = (p′, a′) implies that, for all j ∈ Ag, if aj ∈ PbActj then a′j = aj, and otherwise a′j = ∆.

The set L^pr_i consists of the private (local) states of agent i. By the condition on the local transition functions, the public actions performed last are copied into the successor local states of all agents; in case the last action is not public, ∆ is copied instead. As a result, such actions are observable to every agent.


Remark 6. Even if an action is not in PbActa, it may still be observed by all agents, i.e., it is recorded in the private local state of everybody. Thus, PbActa should really be considered as the set of all explicitly public actions of agent a.

Clearly, any system following Definition 7 is an interpreted system. Also notice that any interpreted system is isomorphic to some system adhering to Definition 7 for which PbActi = ∅ for all i ∈ Ag. To prove the latter fact, consider the mapping θ : l ↦ (l, ∆̄); this can be lifted to a bijection θ between global states, which has the property that τ(s, a) = s′ iff τ(θ(s), a) = θ(s′). Given this, for convenience we will call systems conforming to Definition 7 simply interpreted systems (IS).

The next deﬁnition singles out interpreted systems in which all actions are public.

Definition 8. Let PAIS (Public-Action Interpreted Systems) denote the set of interpreted systems with public actions such that Acti = PbActi for all i ∈ Ag.

We now discuss the expressive power of PAIS for modelling AI scenarios. Although all actions in PAIS are public, they can still model private updates of an agent's private state. For instance, if an agent's private local state contains a Boolean variable x, then we can model a private update of the value of x as follows. First, for every global initial state with x = 0 we ensure there is an identical global initial state except that x = 1, and vice versa. Second, the agent can update its variable with the public action "toggle the value of x", which has the effect of replacing the value of x by 1 − x. In particular, then, although the other agents know that the variable was toggled, if they could not distinguish between x = 0 and x = 1 before the action, then they cannot do so afterwards either.
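The toggle trick can be simulated directly: an observer who tracks only the recorded public actions cannot separate the two initial states before or after any number of toggles. The sketch below is our own toy illustration, not from the paper; the state encoding and action names are invented.

```python
def step(state, action):
    """Deterministic transition: 'toggle' flips the private bit x;
    every agent records the public action just performed."""
    x, _last = state
    if action == "toggle":
        x = 1 - x
    return (x, action)

def observe(state):
    """Another agent sees only the recorded public action, never x."""
    return state[1]

# Two initial global states differing only in the private bit x.
s, t = (0, None), (1, None)
for a in ["toggle", "noop", "toggle"]:
    s, t = step(s, a), step(t, a)
    assert observe(s) == observe(t)  # still indistinguishable after each step
print(s[0], t[0])  # the private bits remain complementary: 0 1
```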

Also, PAIS can model that an agent allows the other agents to see part of its local state. For instance, this can be done with the public action "the value of x is 0", which we assume can only be performed by the agent who owns the variable x, and only if indeed x = 0.

Moreover, PAIS can be used to represent several AI scenarios of interest:

1. In community-card games such as Texas hold'em, each player is privately dealt some cards, which are combined with "community cards" that are dealt face up on the table. Moreover, all bidding is public. Single rounds, or a bounded number of rounds, of such games can be modelled as PAIS. Such single rounds appear, for instance, as endgames and other simplified forms of poker [73, 74, 75, 66] and bridge [41].

2. In epistemic puzzles such as the muddy children puzzle, the Russian cards puzzle, the consecutive numbers puzzle, and the sum-and-product puzzle (see [76]), all communication is public, and therefore they can be modelled as PAIS.

3. In distributed systems, one of the basic communication primitives is broadcasting a message to all other components [77]. The exchange of such messages can be modelled via public actions.

We now give an example of a PAIS that represents a simple trick-taking card game.

Example 7. [Card Game] Consider an r-player card game parameterised by integers k, l with 1 ≤ l ≤ k. The game is played with r decks of k cards numbered 1 through k. Each player starts with a subset of size l of their deck of cards that only they can see (the remaining cards are not used in the game). At each round the players simultaneously reveal one card, and the player with the highest revealed card scores a point. The revealed cards are discarded. This is repeated until all the cards have been revealed, and the winner (if any) is the player with the most points. This game can be formalised as a PAIS with the following components:

− Ag = [r];

− L^pr_i consists of all pairs of the form (H, p), where H ⊆ [k] represents the cards player i currently holds, and p ∈ [k] ∪ {0} represents the number of points player i currently has;

− Acti = {reveal_m : m ∈ [k]}, i.e., reveal_m is the action of revealing the card with value m. The set of local states Li consists of elements of the form (H, p, a), where (H, p) ∈ L^pr_i and a ∈ ∏j∈Ag (Actj ∪ {∆});

− Pi(H, p, a) = {reveal_m : m ∈ H}, i.e., one can only reveal a card one is holding;

− the local transition function τi maps the local state (H, p, a) and joint action a′ = (reveal_m1, . . . , reveal_mr) to the local state (H′, p′, a′), where H′ = H \ {mi}, and p′ = p if mi ≤ mj for some j ≠ i, and p′ = p + 1 otherwise;

− AP = {points^j_i : i ∈ Ag, j ∈ [k]} ∪ {end};

− λ is defined as follows:

  - it maps end to the global states ((Hi, wi, ai))i∈Ag such that Hi = ∅ for all i, i.e., end holds if all the cards have been revealed;

  - it maps points^j_i to the global states ((Hi, wi, ai))i∈Ag such that wi = j, i.e., player i has scored j points.

Note that we do not put the entire history of the play into the local state, as we assume perfect-recall semantics.
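A round of this game is easy to simulate. The following sketch is our own illustration of the transition rule above (function and variable names are invented): it applies τi to every player's local state at once, scoring a point for the unique highest card.

```python
def play_round(locals_, reveals):
    """Apply the joint action 'reveals' (one card per player) to the tuple
    of local states (H, p, last_joint_action): revealed cards are discarded
    and the strictly highest card scores a point (ties score nothing)."""
    new = []
    for i, (hand, points, _) in enumerate(locals_):
        m = reveals[i]
        assert m in hand, "players may only reveal a card they hold"
        wins = all(m > reveals[j] for j in range(len(reveals)) if j != i)
        new.append((hand - {m}, points + (1 if wins else 0), tuple(reveals)))
    return new

# Two players, k = 3, l = 2: player 1 holds {3, 1}, player 2 holds {2, 1}.
state = [({3, 1}, 0, None), ({2, 1}, 0, None)]
state = play_round(state, [3, 2])   # player 1's 3 beats player 2's 2
state = play_round(state, [1, 1])   # tie: nobody scores
print([(sorted(h), p) for h, p, _ in state])  # [([], 1), ([], 0)]
```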

PAIS can be used similarly to model repeated games in normal form with unknown initial types, more complicated scoring mechanisms (for instance, ones that take ties into account), infinitely many rounds (for instance, by giving each player a "pass" action that does not play a card in that round, or by allowing players to reuse played cards), and turn-based games, including endplay scenarios in bridge (as in [41]).

Finally, we compare PAIS to similar formalisms in the literature.

A broadcasting environment [40] is defined as an IS with a distinguished agent called the environment, in which each agent's local state Li consists of two pieces of information: 1) a private part Pi that only depends on its local actions, and 2) a shared part that is the value of some fixed function obs : Le → O (the same function for all agents) of the local state of the environment agent. Similarly, as discussed above, a PAIS can model that an agent updates its private variable, as well as allows other agents to observe just part of its local state.

A deterministic partially observable Markov decision process (POMDP) [52, 53] is a POMDP in which the transition and observation functions are deterministic. In particular, the only stochasticity is in the initial distribution. A PAIS is also a deterministic transition system, except that instead of an initial distribution, it has an initial set of states.


3.2. Model Checking PAIS against SLi speciﬁcations

In this section we prove that model checking PAIS against SLi specifications is decidable. Then, in Section 3.5, we provide an analysis of the computational complexity of the problem.

Theorem 9. Model checking PAIS against SLi speciﬁcations is decidable.

Before proving Theorem 9, we outline a standard approach to evaluating the complexity of model checking strategic logics, and discuss how to adapt it to the setting at hand. The basic idea involves encoding strategies σ as trees T. Typically, the domain of T is the set of histories of the system, and a node h is labelled by the action σ(h). A mapping is then made from formulas into a formalism (such as tree automata or a branching-time logic) that can process trees. For instance, one approach used by algorithms for model checking SL [10] and ATL∗ [2] is to effectively convert ϕ into a tree automaton that accepts exactly the trees T encoding the strategies σ that make the formula ϕ true (in the given game structure, or model). This encoding cannot be used in the presence of imperfect information, since the set of uniform strategies (for a given agent, in a given structure) is not the language of any tree automaton. Intuitively, the reason is that uniformity is a non-local restriction on the labels of nodes of the tree that are "distant cousins", and a tree automaton cannot tell whether a distant cousin has the same label.

One way to overcome this problem is to encode a strategy for an agent as a tree whose nodes are the sequences of observations of that agent. In this way, uniformity becomes a local condition. This approach can be used in the case of a single agent in an environment, or of agents whose observations are hierarchical, in the sense that their indistinguishability relations are totally ordered by the refinement relation [78, 36, 37]. However, this encoding cannot be used in the multi-player case in which agents' observations are not hierarchical. The reason, intuitively, is that neither tree of observations is a refinement of the other, and thus the automaton cannot encode the strategies that arise from incomparable observations.

Given the above, we require a novel encoding of strategies, which we now describe. The proposed encoding is based on the following insight: every history h in a PAIS is uniquely determined by a pair (s, α), where s is a state and α is a sequence of joint actions. Given this, strategies in a PAIS can be encoded as labellings of the tree T whose domain consists of all sequences of joint actions. The labelling of a node α ∈ Act∗ is a function that encodes, for every state s, the action of the strategy given that the starting state is s and the sequence of joint actions was α. Under this encoding, uniformity becomes a local condition on the tree. Also, the fact that all strategies are labellings of the same tree T means that the infinite run determined by an assignment corresponds to an infinite path in T. This allows formalisms like tree automata or branching-time logics to check properties of the path.
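The key insight can be made concrete: in a deterministic system, replaying a joint-action sequence from a given initial state reconstructs the entire history, so the pair (s, α) is a faithful code for h. The sketch below is our own toy illustration (the transition function is invented), not part of the paper's construction.

```python
def unfold(s, alpha, tau):
    """Replay the joint-action sequence alpha from state s under the
    deterministic global transition function tau; the result is the
    unique history coded by the pair (s, alpha)."""
    history = [s]
    for joint_action in alpha:
        s = tau(s, joint_action)
        history.append(s)
    return history

# Toy deterministic transition function: states are integers,
# a joint action is a tuple of per-agent increments.
tau = lambda s, a: s + sum(a)

h = unfold(0, [(1, 0), (0, 2), (1, 1)], tau)
print(h)  # [0, 1, 3, 5]
```

Replaying the same α from a different initial state yields a different history, which is why the node labelling must record an action for every possible starting state.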

In what follows, we apply this encoding and translate SLi formulas and PAIS into formulas of a branching-time logic, rather than into tree automata. That is, we show how to reduce the model-checking problem of PAIS against SLi specifications to model checking regular trees against Quantified Computation Tree Logic (QCTL∗). The logic QCTL∗ is a generalisation of CTL∗ that enables quantification over atomic propositions [79]. This quantification will be used to simulate quantification over strategies. Model checking regular trees against QCTL∗ specifications is decidable (and, in fact, is solved by tree automata) [80]. Indeed, QCTL∗ has been used as an intermediate logic between the low-level machinery of tree automata and strategic logics such as ATL∗ with strategy contexts [81] and hierarchical SLi [37].

We begin by recalling the syntax and semantics of the logic QCTL∗ from [80].

We begin by recalling the syntax and semantics of the logic QCTL∗ from [80].

3.3. Quantiﬁed Computation Tree Logic

The language of QCTL∗ adds quantification over atomic propositions to the syntax of CTL∗.

Definition 10 (QCTL∗ Syntax). QCTL∗ state formulas φ and path formulas ψ are defined by the following grammar, where p ∈ AP:

φ ::= p | φ ∨ φ | ¬φ | Eψ | ∃p.φ

ψ ::= φ | ψ ∨ ψ | ¬ψ | Xψ | ψUψ

Formulas in QCTL∗ are all and only the state formulas in Def. 10. The intuitive reading of the linear-time operators X and U is the same as in SLi, whereas E is the existential path quantifier from CTL∗. Finally, a quantified formula ∃p.φ is read as "there exists an assignment to atom p such that φ is true". Clearly, universal quantification can be expressed as ∀p.φ ≜ ¬∃p.¬φ.

In order to introduce the semantics of QCTL∗, we need the notion of a tree. Let D be a finite set of directions, and let Σ be a finite set of labels. A D-ary domain dom ⊆ D∗ is a non-empty prefix-closed set of strings over D. A Σ-labelling of dom is a function lab : dom → Σ. A D-ary Σ-labelled tree (or simply tree) is a pair T = (dom(T), lab(T)). A node of T is an element t ∈ dom, and a path of T from a node t is an infinite sequence π = t1t2 . . . such that t1 = t and for every i ≥ 1 there is a d ∈ D such that ti+1 = ti·d and ti+1 ∈ dom. The set of all paths from t is denoted Paths(t). For i ≥ 1, define π≥i = πiπi+1 . . ., i.e., the path starting at the ith position of path π. For p ∈ AP and domain dom, two P(AP)-labellings lab, lab′ of dom are p-equivalent w.r.t. tree T, written lab =p lab′, if for all t ∈ dom we have that lab(t) \ {p} = lab′(t) \ {p}, i.e., lab and lab′ may differ only on the labelling of nodes in T by the atom p. We often omit tree T when it is clear from the context.

We now introduce the "tree-based" semantics of QCTL∗. Note that the alternative semantics of QCTL∗, the so-called "structure-based" semantics, is not suitable for our purposes. Both semantics are studied in [80].

Definition 11 (QCTL∗ Semantics). Define the satisfaction relation (T, t) |= φ for QCTL∗ state formulas φ and (T, π) |= ψ for QCTL∗ path formulas ψ by induction on the formulas, as follows:

(T, t) |= p if p ∈ lab(t)
(T, t) |= φ1 ∨ φ2 if (T, t) |= φi for some i ∈ {1, 2}
(T, t) |= ¬φ if (T, t) ⊭ φ
(T, t) |= ∃p.φ if for some lab′ =p lab, ((dom(T), lab′), t) |= φ
(T, t) |= Eψ if for some π ∈ Paths(t), (T, π) |= ψ
(T, π) |= φ if (T, π1) |= φ
(T, π) |= ψ1 ∨ ψ2 if (T, π) |= ψi for some i ∈ {1, 2}
(T, π) |= ¬ψ if (T, π) ⊭ ψ
(T, π) |= Xψ if (T, π≥2) |= ψ
(T, π) |= ψ1Uψ2 if for some j ≥ 1, (T, π≥j) |= ψ2 and for all k ∈ [1, j), (T, π≥k) |= ψ1.

A formula φ is true in a tree T, written T |= φ, iff φ is true in the initial node ε, i.e., (T, ε) |= φ. The tree-unwinding of a finite-state system is called a regular tree, and its size is the number of states of the finite-state system. In [80] it is proved that model checking QCTL∗, that is, deciding whether a QCTL∗ formula φ is true in a regular tree T, is decidable. We report this result as the following theorem.

Theorem 12 ([80]). Model-checking regular trees against QCTL∗ specifications is decidable.

Later (Theorem 16), we will cite a theorem that gives the complexity of this decision

procedure. Hereafter, our model checking procedure for SLi proceeds by translating the

given SLi formula and PAIS into a QCTL∗ formula and regular tree, and then applying

Theorem 12. We now present this reduction.

3.4. Reducing SLi to QCTL∗

We first show that one can interchange histories of a PAIS with pairs consisting of a state and a sequence of joint actions. Define the function µ that maps a state s and a sequence of actions α to the history it determines, i.e., the history that starts in state s and applies the sequence of joint actions α.

Definition 13. Let S be an IS. Define the function µ : S × Act∗ → Hist(S) such that, for all s ∈ S:

1. µ(s, ε) ≜ s;

2. µ(s, α·ā) ≜ µ(s, α)·τ(last(µ(s, α)), ā), for α ∈ Act∗ and ā ∈ Act.
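To make Definition 13 concrete, µ can be computed by folding the transition function over the action sequence. The sketch below is illustrative only: the two-state system, its transition function tau, and the action names are hypothetical stand-ins for the components of an IS.

```python
# Illustrative sketch of the function mu from Definition 13 over a hypothetical
# toy IS. States are strings; a joint action is a tuple of agent actions; tau is
# the (deterministic) global transition function.

def make_mu(tau):
    """Return mu(s, alpha): the history obtained by starting in state s
    and applying the sequence of joint actions alpha."""
    def mu(s, alpha):
        history = [s]
        for joint_action in alpha:
            history.append(tau(history[-1], joint_action))
        return tuple(history)
    return mu

# A toy two-state system: the joint action ('a', 'a') toggles the state,
# every other joint action is a self-loop.
def tau(state, joint_action):
    if joint_action == ('a', 'a'):
        return 't' if state == 's' else 's'
    return state

mu = make_mu(tau)
assert mu('s', ()) == ('s',)                              # item 1: mu(s, eps) = s
assert mu('s', (('a', 'a'),)) == ('s', 't')               # item 2: one step
assert mu('s', (('a', 'a'), ('a', 'a'))) == ('s', 't', 's')
```

On this toy system one can also observe Proposition 1 below: distinct pairs (s, α) yield distinct histories.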

The function µ is clearly onto. On the other hand, if S is a PAIS, then µ is also one-to-one. To see this we will use the following central fact about PAIS.

Fact 1. For all states s′, t′ and joint actions ā, b̄: if τ(s′, ā) = τ(t′, b̄), then ā = b̄.

To see this, simply note that the definition of PAIS implies that after a transition is taken, the last joint action is written into the local state of every agent.

Proposition 1. In a PAIS S, the function µ : S × Act∗ → Hist(S) is one-to-one.


Proof. To show that µ is one-to-one, suppose that µ(s, α) = µ(t, β); we show that s = t and α = β. By definition of µ we have that |α| = |β|; call this length l ≥ 0. If l = 0 then α = β = ε and so s = µ(s, ε) = µ(t, ε) = t, as required. So, suppose l > 0. Then s = t, since s = µ(s, ε) = first(µ(s, α)) = first(µ(t, β)) = µ(t, ε) = t. Finally, to check that α = β, repeatedly apply Fact 1.

The relevance of µ being both onto and one-to-one, i.e., a bijection, is that we can treat histories in Hist(S) and sequences in S × Act∗ interchangeably. In particular, the following notation is well defined.

Definition 14. In a PAIS S, for every history h ∈ Hist(S) let state(h) ∈ S and actions(h) ∈ Act∗ denote the unique elements such that µ(state(h), actions(h)) = h.

The following lemma characterises ≡i:

Lemma 1. For all agents i and histories h, h′, we have that h ≡i h′ iff actions(h) = actions(h′) and state(h) ∼i state(h′).

Proof. Recall that in an IS two histories are indistinguishable to agent i, i.e., h ≡i h′, if agent i has the same sequence of local states in both h and h′. Moreover, in a PAIS, the local state consists of the private state and the tuple of last actions of each agent (with a dummy action in the first state). Thus, if h ≡i h′ then actions(h) = actions(h′) (since, in particular, the joint actions are visible) and state(h) ∼i state(h′) (since, in particular, the initial states of the histories are indistinguishable to agent i). For the direction from right to left, use the fact that agent i's local state at a given point in time is determined by the local transition function τi, and thus only depends on its local state at the previous point in time and on the last joint action.

In what follows, all trees will have the same domain, i.e., dom ≜ Act∗ (recall that Act = ∏i Acti). We now define labellings over this domain. These labellings will encode the transition function of the PAIS and agent strategies.

Encoding PAIS

We now describe the labelling labS that encodes the PAIS S; later we will consider labellings labν that encode valuations ν. The labelling labS captures relevant information about the system, e.g., it records the current state, given that the history started in state s.

New atoms. To define labS, we introduce the following new sets of atoms:

− {cur(s, s′) : s, s′ ∈ S}; intuitively, cur(s, s′) holds in a node α if s′ is the result of applying the sequence of actions α to the state s.

− {lastact(i, a) : i ∈ Ag, a ∈ Acti ∪ {∆}}; intuitively, lastact(i, a) holds in a node α if the last action done by agent i is a (here ∆ represents the case that no action has yet been done).

− {atom(s, p) : s ∈ S, p ∈ AP}; intuitively, atom(s, p) holds in a node α if the atom p ∈ AP holds after applying the sequence of actions α to the state s.

− {rel(i, s, t) : i ∈ Ag, s, t ∈ S}; intuitively, rel(i, s, t) holds in a node α if the histories resulting from applying the sequence of actions α starting with s and t are indistinguishable to agent i.


Labelling labS. We now define labS by induction on the length of the elements in dom ≜ Act∗. For the base case, define labS(ε) to be the union of the following sets of atoms:

− {cur(s, s) : s ∈ S}; intuitively, the empty sequence of actions does not advance the state.

− {lastact(i, ∆) : i ∈ Ag}; intuitively, the first action of each agent is the dummy action ∆.

− {atom(s, p) : s ∈ λ(p) and p ∈ AP}; intuitively, the atoms of AP that hold are those that hold in s.

− {rel(i, s, t) : s, t ∈ S, i ∈ Ag, and s ∼i t}; intuitively, the initial indistinguishability relations are the given observability relations.

For the inductive case, let α ∈ Act∗ and ā ∈ Act, and define labS(α·ā) to consist of the union of the following sets of atoms:

− {cur(s, t) : for some s′, t = τ(s′, ā) and cur(s, s′) ∈ labS(α)}; intuitively, given that s was the starting state, the current state is τ(s′, ā) if in the previous step the state was s′ and the joint action was ā.

− {lastact(i, ai) : i ∈ Ag}; intuitively, if the last direction in the tree was ā, then ai was the last action of agent i.

− {atom(s, p) : for some t ∈ S, t ∈ λ(p) and cur(s, t) ∈ labS(α·ā)}; intuitively, p holds now assuming the initial state was s.

− {rel(i, s, t) : for some s′, t′ ∈ S, rel(i, s, t) ∈ labS(α), s′ ∼i t′, and cur(s, s′), cur(t, t′) ∈ labS(α·ā)}; intuitively, the histories starting in s and t are indistinguishable to agent i if they were so one step prior and the current states are indistinguishable to agent i.
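The inductive definition above can be read directly as a recursive computation. The following sketch (over a hypothetical toy PAIS, with the states, the transition function tau, and the valuation given as plain Python data) computes the cur(−,−) and atom(−,−) atoms of labS(α); the lastact(−,−) and rel(−,−,−) atoms follow the same recursion pattern.

```python
# Illustrative sketch: computing the cur(-,-) and atom(-,-) atoms of lab_S(alpha)
# by recursion on alpha, following the inductive definition in the text.
# The states, tau, and the valuation are hypothetical stand-ins for a PAIS.

def lab_cur(states, tau, alpha):
    """Return {(s, t) : cur(s, t) holds at node alpha}."""
    if not alpha:
        # Base case: the empty sequence of actions does not advance the state.
        return {(s, s) for s in states}
    prev, last = lab_cur(states, tau, alpha[:-1]), alpha[-1]
    # Inductive case: advance every current state by the last joint action.
    return {(s, tau(s_prime, last)) for (s, s_prime) in prev}

def lab_atom(states, tau, holds_in, alpha):
    """Return {(s, p) : atom(s, p) holds at node alpha}.
    holds_in maps each state to the set of atoms true in it."""
    return {(s, p)
            for (s, t) in lab_cur(states, tau, alpha)
            for p in holds_in.get(t, set())}

# Toy PAIS fragment: two states toggled by the joint action ('a', 'a').
states = {'s', 't'}
def tau(state, joint_action):
    if joint_action == ('a', 'a'):
        return 't' if state == 's' else 's'
    return state
holds_in = {'t': {'p'}}  # atom p holds exactly in state t

assert lab_cur(states, tau, ()) == {('s', 's'), ('t', 't')}
assert lab_cur(states, tau, (('a', 'a'),)) == {('s', 't'), ('t', 's')}
assert lab_atom(states, tau, holds_in, (('a', 'a'),)) == {('s', 'p')}
```

The asserts mirror Lemma 2: cur(s, t) ∈ labS(α) exactly when t is the last state of µ(s, α).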

The following properties of the labelling labS follow from the definitions:

Lemma 2. For all α ∈ dom, s, t ∈ S, i ∈ Ag, p ∈ AP:

1. cur(s, t) ∈ labS(α) iff t = last(µ(s, α)).

2. atom(s, p) ∈ labS(α) iff last(µ(s, α)) ∈ λ(p).

3. rel(i, s, t) ∈ labS(α) iff µ(s, α) ≡i µ(t, α).

Proof. We prove the first item by induction on α (the proofs of the other items are similar). Suppose α = ε. Then cur(s, t) ∈ labS(α) iff s = t (by definition of labS) iff t = last(µ(s, α)), since µ(s, ε) = s by definition of µ. Now consider a non-empty sequence of the form α·ā. Then cur(s, t) ∈ labS(α·ā) iff there exists s′ such that t = τ(s′, ā) and cur(s, s′) ∈ labS(α) (by definition of labS) iff there exists s′ such that t = τ(s′, ā) and s′ = last(µ(s, α)) (by the induction hypothesis) iff t = τ(last(µ(s, α)), ā) = last(µ(s, α·ā)), since µ(s, α·ā) ≜ µ(s, α)·τ(last(µ(s, α)), ā) by definition of µ.


Encoding strategies

Intuitively, a strategy is encoded by a labelling that maps a node α ∈ Act∗ to the function that maps each state s to the action suggested by the strategy on history µ(s, α). To capture this we introduce below new atoms str(x, s, a) and a labelling labν of the domain dom (Def. 15).

New atoms. We introduce the following new set of atoms:

− {str(x, s, a) : x ∈ Var, s ∈ S, a ∈ Act}; intuitively, str(x, s, a) holds at a node α ∈ Act∗ if the strategy for variable x suggests action a in history µ(s, α).

Recall that act denotes ∪iActi, the set of all possible actions.

QCTL∗ formulas defining strategies, coherence, uniformity. For every x ∈ Var and Z ⊆ Ag, define the following QCTL∗ formulas:

Uniq_x ≜ AG ⋀_{s∈S} ⋁_{a∈act} (str(x, s, a) ∧ ⋀_{b:b≠a} ¬str(x, s, b))

Cohe^x_Z ≜ AG ⋀_{i∈Z} ⋀_{s∈S} ⋁_{a∈Pi(si)} str(x, s, a)

Unif^x_Z ≜ AG ⋀_{i∈Z} ⋀_{t,t′∈S} ⋀_{a∈Acti} [rel(i, t, t′) ∧ str(x, t, a) → str(x, t′, a)]

Intuitively, Uniq_x expresses that the atoms str(x, −, −) encode a strategy, i.e., a unique action is associated with every history, and Cohe^x_Z (resp., Unif^x_Z) expresses that the strategy is coherent (resp., uniform) for the agents in Z. These facts are captured by the following lemma, whose proof follows from the definitions of the formulas and Definition 14.

In what follows, a tree T with domain Act∗ will be labelled by P(AP), where AP is the set of atoms introduced above. In particular, the labelling of T can be decomposed into two parts: labS, which labels nodes of the tree by the atoms cur(−, −), lastact(−, −), atom(−, −), and rel(−, −, −); and lab, which labels nodes of the tree by atoms of the form str(−, −, −).

Lemma 3. Fix a tree T = (Act∗, labS ∪ lab), a variable x ∈ Var, and a set Z ⊆ Ag of agents. Consider the relation Rx ⊆ Hist × Act defined by Rx(h, a) iff str(x, state(h), a) ∈ lab(actions(h)).

1. T |= Uniq_x iff Rx represents a strategy, i.e., for every h ∈ Hist there exists a unique a ∈ Act such that Rx(h, a).

2. If Rx represents a strategy (as in item 1), then T |= Cohe^x_Z iff the strategy is coherent for the agents in Z.

3. If Rx represents a strategy (as in item 1), then T |= Unif^x_Z iff the strategy is uniform for the agents in Z.


Proof. For the first item, suppose that T |= Uniq_x and let h be a history. Let α = actions(h) and s = state(h). Since T |= Uniq_x, there is a unique action a such that str(x, s, a) ∈ lab(α), as required. Conversely, suppose that Rx represents a strategy and let α ∈ Act∗. For every s ∈ S let a be the unique action such that Rx(µ(s, α), a). By definition of Rx, for every s there is a unique action a such that str(x, s, a) ∈ lab(α), as required.

For the second item, we are given that Rx represents a strategy (as in item 1). Suppose T |= Cohe^x_Z, let h be a history, and let i ∈ Z. Let α = actions(h) and s = state(h). Since T |= Cohe^x_Z we have that str(x, s, b) ∈ lab(α) for some b ∈ Pi(si) ⊆ Acti. Since Rx represents a strategy, this strategy maps h to the unique action a such that str(x, s, a) ∈ lab(α), and so a = b. Since h was arbitrary, the strategy is coherent. Conversely, suppose the strategy represented by Rx is coherent, and let α ∈ Act∗, i ∈ Z, s ∈ S, and h = µ(s, α). Since Rx represents a strategy, this strategy maps h to the unique action a such that str(x, s, a) ∈ lab(α). By coherency, a ∈ Pi(si), as required.

For the third item, we are given that Rx represents a strategy (as in item 1). Suppose T |= Unif^x_Z, let i ∈ Z, and let h, h′ be two histories such that h ≡i h′. By Lemma 1, we have that α ≜ actions(h) = actions(h′) and t ≜ state(h) ∼i t′ ≜ state(h′). By Lemma 2, we have that rel(i, t, t′) ∈ labS(α). Say the strategy maps history h to action a. Then str(x, t, a) ∈ lab(α). Thus also str(x, t′, a) ∈ lab(α), i.e., the strategy maps history h′ = µ(t′, α) to a. Since h, h′ and i were arbitrary, conclude that the strategy is uniform for the agents in Z. Conversely, suppose the strategy is uniform for the agents in Z, and let α ∈ Act∗, i ∈ Z, t, t′ ∈ S and a ∈ Acti. Further, suppose that rel(i, t, t′) ∈ labS(α) and str(x, t, a) ∈ lab(α). By Lemma 2 we have that h ≜ µ(t, α) ≡i h′ ≜ µ(t′, α). By uniformity, the strategy maps h and h′ to the same action. However, str(x, t, a) ∈ lab(α) implies that the strategy maps h to a. Thus the strategy also maps h′ to a, and so str(x, t′, a) ∈ lab(α), as required.

Definition 15 (labelling labν). To every valuation ν : Var → Str we associate the labelling labν over the atoms str(−, −, −), defined as follows:

− str(x, s, a) ∈ labν(α) iff ν(x)(µ(s, α)) = a.
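Read as code, Definition 15 determines the str atoms at each node pointwise from the valuation. The sketch below is a toy illustration: the valuation, the encoding of histories, and µ are all hypothetical stand-ins rather than the actual constructions.

```python
# Illustrative sketch of lab_nu from Definition 15: str(x, s, a) holds at node
# alpha iff the strategy nu(x) suggests action a on the history mu(s, alpha).

def lab_nu(nu, mu, states, alpha):
    """Return {(x, s, a) : str(x, s, a) holds at node alpha}."""
    return {(x, s, strategy(mu(s, alpha)))
            for x, strategy in nu.items()
            for s in states}

# Toy example: histories are encoded as (state, length-of-alpha) pairs, and
# the strategy bound to 'x' plays 'a' after an even number of joint actions
# and 'b' otherwise.
mu = lambda s, alpha: (s, len(alpha))
nu = {'x': lambda h: 'a' if h[1] % 2 == 0 else 'b'}

assert lab_nu(nu, mu, {'s'}, ()) == {('x', 's', 'a')}
assert lab_nu(nu, mu, {'s'}, (('a',),)) == {('x', 's', 'b')}
```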

In the introduction to this section we suggested that we would encode strategies in such a way that uniformity becomes a local condition. The next remark explains this.

Remark 7. Uniformity is a property of labν that can be checked at each node independently. More precisely, the strategy ν(x) is uniform for agent i iff for every node α ∈ Act∗, states s ∼i s′, and action a ∈ act, we have that str(x, s, a) ∈ labν(α) iff str(x, s′, a) ∈ labν(α).
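The locality claimed in Remark 7 can be checked mechanically: at a single node, uniformity for agent i reduces to a pointwise comparison of suggested actions across ∼i-related states. A minimal sketch, with hypothetical state and action names:

```python
# Illustrative sketch of the local uniformity test from Remark 7.
# str_at_node maps each state s to the action suggested on mu(s, alpha) at one
# fixed node alpha; obs is the set of pairs (s, s') with s ~_i s'.

def uniform_at_node(str_at_node, obs):
    """True iff indistinguishable states get the same suggested action."""
    return all(str_at_node[s] == str_at_node[s2] for (s, s2) in obs)

# Agent i cannot distinguish s1 from s2; s3 is distinguishable from both.
obs = {('s1', 's2'), ('s2', 's1')}
assert uniform_at_node({'s1': 'a', 's2': 'a', 's3': 'b'}, obs)
assert not uniform_at_node({'s1': 'a', 's2': 'b', 's3': 'b'}, obs)
```

A strategy labelling is then uniform for agent i iff this test succeeds at every node, which is exactly what the formula Unif^x_Z enforces under AG.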

Reduction of SLi to QCTL∗

The following proposition shows how to reduce the model checking problem for SLi to the same problem for QCTL∗. Intuitively, we reduce checking whether S satisfies ϕ under assignment (ν, β) to verifying whether the tree (dom, labS ∪ labν) satisfies the translation ϕβ,state(h) in QCTL∗. The domain dom of the tree is Act∗, and its labelling is labS ∪ labν, where labS and labν were defined earlier.


Proposition 2. For every PAIS S, assignment (ν, β), history h ∈ Hist(S), and SLi formula ϕ, there is a QCTL∗ formula ϕβ,state(h), depending on ϕ, S, β and state(h), such that

(S, h, ν, β) |= ϕ if and only if ((dom, labS ∪ labν), actions(h)) |= ϕβ,state(h)   (3)

Moreover, ϕβ,state(h) is computable in time polynomial in the size of ϕ.

Before we prove this proposition, we show how to use it to conclude that model-checking PAIS against SLi specifications is decidable (Theorem 9).

Proof of Theorem 9. Recall that a tree is regular if it is the tree-unwinding of a finite-state system. Given a PAIS S, history h, and SLi sentence ϕ, apply the following steps:

1. Pick an assignment (ν, β) so that (dom, labS ∪ labν) is a regular tree;²

2. Form the QCTL∗ formula ϕβ,state(h) from Proposition 2;

3. Decide whether (dom, labS ∪ labν) |= ϕβ,state(h) using Theorem 12.

Note that since ϕ is a sentence, its truth does not depend on the particular assignment (ν, β) chosen. Thus, the answer in the last step is "Yes" iff (S, h) |= ϕ.

Proof of Proposition 2. To prove this proposition we first describe how to construct the QCTL∗ formula ϕβ,state(h), and then prove that it is correct, i.e., that equivalence (3) holds.

Constructing ϕβ,state(h). Recall that act = ∪iActi is the set of all actions. We define the QCTL∗ formula ϕβ,s (for β : Ag → Var and s ∈ S) inductively:

− if ϕ is p ∈ AP, define ϕβ,s ≜ atom(s, p).

− if ϕ is x = y, define

ϕβ,s ≜ ⋀_{t∈S} ⋀_{a∈Act} AG (str(x, t, a) ↔ str(y, t, a))

− if ϕ is ϕ′ ∨ ϕ′′, define ϕβ,s ≜ (ϕ′)β,s ∨ (ϕ′′)β,s.

− if ϕ is ¬ϕ′, define ϕβ,s ≜ ¬(ϕ′)β,s.

− if ϕ is bind(i, x)ϕ′, define ϕβ,s ≜ (ϕ′)β[i↦x],s.

− if ϕ is ∃oxϕ′, define

ϕβ,s ≜ (∃str(x, t, a))_{t∈S, a∈Act} [Uniq_x ∧ Cohe^x_{use(x,ϕ)} ∧ Unif^x_{use(x,ϕ)} ∧ (ϕ′)β,s]

where the atoms str(x, t, a) and the formulas Uniq_x, Cohe^x_Z, Unif^x_Z are defined above (for arbitrary x and Z).

²This is not hard to do: e.g., let β assign each agent a different variable, and for each local state si fix an action ai ∈ Pi(si) and define ν(x)(h) = ai in case β(i) = x and last(h)i = si.


− if ϕ is ∃sxϕ′, define ϕβ,s in a similar way to the ∃o-case, except that the last conjunct (i.e., (ϕ′)β,s) is replaced by

⋀_{i∈use(x,ϕ)} ⋀_{t∈S} (rel(i, s, t) → (ϕ′)β,t).

− if ϕ is Xϕ′, then ϕβ,s ≜ E(IsPathβ,s ∧ X(ϕ′)β,s).

− if ϕ is ϕ′Uϕ′′, then ϕβ,s ≜ E(IsPathβ,s ∧ (ϕ′)β,s U (ϕ′′)β,s).

In the last two items we use a QCTL∗ path formula that depends on the binding β : Ag → Var and state s ∈ S, defined as follows:

IsPathβ,s ≜ G ⋀_{i∈Ag} ⋀_{a∈Acti} (X lastact(i, a) → str(β(i), s, a))

where the lastact(i, a) are the new atoms introduced above. Intuitively, IsPathβ,s holds of a path π starting at node α ∈ dom iff π corresponds to an infinite extension of µ(s, α) in which each agent i follows the strategy associated with variable β(i) ∈ Var.

This completes the construction of ϕβ,s.

Proof that the construction is correct. To prove that equivalence (3) in Proposition 2 holds, we proceed by induction on ϕ.

− If ϕ is p ∈ AP, then we have (S, h, ν, β) |= p

⇐⇒ last(h) ∈ λ(p)  (dfn of |= in SLi)
⇐⇒ last(µ(state(h), actions(h))) ∈ λ(p)  (Dfn 14)
⇐⇒ atom(state(h), p) ∈ labS(actions(h))  (Lemma 2)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= atom(state(h), p)  (dfn of |= in QCTL∗)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (p)β,state(h)  (construction)

− If ϕ is x = y, then we have (S, h, ν, β) |= x = y

⇐⇒ for all h′, h pref h′ implies ν(x)(h′) = ν(y)(h′)  (dfn of |= in SLi)
⇐⇒ (T, actions(h)) |= ⋀_{t∈S} ⋀_{a∈act} AG (str(x, t, a) ↔ str(y, t, a))  (Lemma 3)
⇐⇒ (T, actions(h)) |= (x = y)β,state(h)  (construction)

where T = (dom, labS ∪ labν).

− The case where ϕ is a Boolean combination is immediate from the induction hypothesis. For instance, if ϕ is ¬ϕ′ then (S, h, ν, β) |= ϕ

⇐⇒ (S, h, ν, β) ⊭ ϕ′  (dfn of |= in SLi)
⇐⇒ ((dom, labS ∪ labν), actions(h)) ⊭ (ϕ′)β,state(h)  (induction)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= ¬(ϕ′)β,state(h)  (dfn of |= in QCTL∗)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= ϕβ,state(h)  (construction)


− If ϕ is bind(i, x)ϕ′, we have (S, h, ν, β) |= bind(i, x)ϕ′

⇐⇒ (S, h, ν, β[i ↦ x]) |= ϕ′  (dfn of |= in SLi)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (ϕ′)β[i↦x],state(h)  (induction)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (bind(i, x)ϕ′)β,state(h)  (construction)

− If ϕ = ∃oxϕ′, we have (S, h, ν, β) |= ∃oxϕ′

⇐⇒ for some σ uniform and coherent for use(x, ϕ′), (S, h, ν[x ↦ σ], β) |= ϕ′  (dfn of |= in SLi)
⇐⇒ for some σ uniform and coherent for use(x, ϕ′), ((dom, labS ∪ labν[x↦σ]), actions(h)) |= (ϕ′)β,state(h)  (induction)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (∃str(x, t, a))_{t∈S, a∈Act} [Uniq_x ∧ Cohe^x_{use(x,ϕ′)} ∧ Unif^x_{use(x,ϕ′)} ∧ (ϕ′)β,state(h)]  (Lemma 3)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (∃oxϕ′)β,state(h)  (construction)

− The case for ϕ = ∃sxϕ′ is similar to the previous one.

− If ϕ is Xϕ′, we have (S, h, ν, β) |= Xϕ′

⇐⇒ (S, π≤|h|+1(h, ν, β), ν, β) |= ϕ′  (dfn of |= in SLi)
i.e., the path π extending h, in which each agent i follows strategy ν(β(i)), satisfies that ϕ′ holds in the next step
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= E(IsPathβ,state(h) ∧ X(ϕ′)β,state(h))  (induction)
⇐⇒ ((dom, labS ∪ labν), actions(h)) |= (Xϕ′)β,state(h)  (construction)

− The case for ϕ = ϕ′Uϕ′′ is similar to the previous one.

This completes the proof of Proposition 2.

Remark 8. We mention that we can provide a slight but useful optimisation in the translation from SLi to QCTL∗. Instead of dealing with consecutive temporal operators separately, we treat them as a single LTL formula. That is, we can view the syntax of SLi so that, besides including the terms Xϕ | ϕUϕ, we also include arbitrary LTL formulas whose atoms are SLi formulas; e.g., we include (ϕ ∨ ϕ)U(XXϕ). Then, in the reduction we add the corresponding items; e.g., if ϕ is (ϕ′ ∨ ϕ′′)U(XXϕ′′′) then ϕβ,s ≜ E(IsPathβ,s ∧ ((ϕ′)β,s ∨ (ϕ′′)β,s)U(XX(ϕ′′′)β,s)). The consequence of this is that ϕβ,s has the form E(LTL(·)) rather than the more general form CTL∗(·), where · stands for the translation of SLi formulas.

Similarly, we can treat sequences of quantifiers of the same type in a single step of the translation. That is, there are two types of quantifiers in SLi, i.e., ∃o and ∃s. So, for instance, instead of treating a sequence of quantifiers ∃ox1∃ox2 . . . ∃oxk in k separate steps of the translation, we can treat them in one step and thus get a translated formula of the form

(∃str(x1, t, a) ∃str(x2, t, a) . . . ∃str(xk, t, a))_{t∈S, a∈act} . . .

These optimisations have consequences for the complexity of model-checking SLi, as we see next.

3.5. Computational Complexity of model-checking PAIS

In this section we provide upper and lower bounds on the computational complexity of model checking PAIS against SLi (recall that we use an explicit representation of the inputs S and ϕ to the model-checking problem; see Section 2.4).

We start with upper bounds.

Upper Bound

The complexity of the algorithm in the previous section depends on (a) the complexity of model-checking QCTL∗ formulas, and (b) the complexity of the translation of SLi formulas into QCTL∗ formulas. We analyse these components in turn.

The finest published upper bound for model checking QCTL∗ is based on the quantifier-block depth of a formula, i.e., the maximum, over all paths in the parse tree of the formula, of the number of blocks of consecutive quantifiers. Formally, for a QCTL∗ formula φ define the quantifier-block depth, denoted depth(φ), inductively as follows:

− depth(p) = 0

− depth(φ1 ∨ φ2) = maxi(depth(φi))

− depth(¬φ) = depth(φ)

− depth(∃p.φ) = depth(φ) + m, where m = 0 if φ starts with ∃, and m = 1 otherwise.

− depth(Eψ) = maxi(depth(φi)), where the φi vary over the maximal state subformulas of ψ.
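The quantifier-block depth is a direct recursion on the parse tree. The sketch below uses a hypothetical tuple encoding of QCTL∗ formulas (an atom is a string; ('or', ·, ·), ('not', ·), ('exists', p, ·), ('E', ·)); for simplicity it treats the formula under E as a state formula, so that it is its own maximal state subformula.

```python
# Illustrative sketch: quantifier-block depth of a QCTL* formula, following the
# inductive definition in the text, over a hypothetical tuple encoding.

def depth(f):
    if isinstance(f, str):                       # atom p
        return 0
    op = f[0]
    if op == 'or':
        return max(depth(f[1]), depth(f[2]))
    if op == 'not':
        return depth(f[1])
    if op == 'exists':
        body = f[2]
        # Consecutive quantifiers belong to the same block (m = 0);
        # otherwise a new block starts (m = 1).
        m = 0 if (not isinstance(body, str) and body[0] == 'exists') else 1
        return depth(body) + m
    if op == 'E':
        return depth(f[1])                       # simplification, see lead-in
    raise ValueError(op)

# Two consecutive quantifiers form a single block: depth 1, not 2.
assert depth(('exists', 'p', ('exists', 'q', 'r'))) == 1
# A quantifier separated from another by a negation yields two blocks.
assert depth(('exists', 'p', ('not', ('exists', 'q', 'r')))) == 2
```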

Recall that the complexity class k-exptime consists of the decision problems that can be solved by a deterministic Turing machine running in time O(exp_k(P(n))), where P is a polynomial and exp_k is defined inductively as follows: exp_0(n) ≜ n and exp_{k+1}(n) ≜ 2^{exp_k(n)}.

Theorem 16 ([80]). The complexity of model-checking QCTL∗ formulas of quantifier-block depth k ≥ 1 is (k + 1)-exptime-complete.³

To apply this result, we similarly define the quantifier-block depth of an SLi formula. Here, however, we have two types of quantifiers, ∃o and ∃s, which are treated separately. Formally, for ϕ ∈ SLi, define depth(ϕ) inductively:

− depth(p) = depth(x = y) = 0

³The definition of quantifier-block depth given above coincides with that given in [80]. To see this, note that depth(φ) = 0 iff φ ∈ CTL∗, and that depth(φ) ≤ k + 1 iff φ is of the form CTL∗(∃p1 . . . ∃pnφ′) where n varies ov