T4 Introduction to the modelling and verification of, and reasoning about multi-agent systems

Modelling, Verification andReasoning in Multi-Agent Systems

Nils Bulling and Jürgen Dix

EASSS 2012Valencia, Spain

28. May – 1. June 2012

N. Bulling, J. Dix ·Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012 1

TimeDuration: Three times 105 minutesDates: Thursday, 9:30-11:15, 15-16:45 and Friday 15-16:45,

Course type

Level: advancedPrerequisites: knowledge of propositional/predicate logic, basicsof automata and complexity theory, some universal algebra.

Course websitehttp://www.in.tu-clausthal.de/index.php?id=easss2012


Course OverviewThe course is divided into 6 lectures à 50 minutes:

Lec. 1: Linear and Branching Time (D, 60 min)SL, FOL, temporal logics: LTL, CTL∗, CTL,

Lec. 2: Cooperative Agents (D, 40 min)Strategic logics: ATL, ATL∗, effect of memory

Lec. 3: Comparing Semantics of ATL (B, 50 min)Semantic variants of ATL, tree unfolding

Lec. 4: Reasoning and Examples (D, 50 min)Basic Modal Logic, axiomatizations of LTL, CTL, ATLviewed as modal logics

Lec. 5: Complexity of Verification: Model Checking (B, 60min)Model checking problem and complexity

Lec. 6: Complexity of Reasoning: Satisfiablity (B, 40 min)Satisfiability checking problem and complexity


Reading Material I

Alur, R., Henzinger, T. A., and Kupferman, O. (2002).Alternating-time Temporal Logic.Journal of the ACM, 49:672–713.

Baier, C. and Katoen, J.-P. (2008).Principles of Model Checking.The MIT Press.

Blackburn, P., de Rijke, M., and Venema, Y. (2001).Modal Logic.Number 53 in Cambridge Tracts in Theoretical Computer Science.Cambridge University Press, Cambridge, UK.


Reading Material II

Bulling, N., Dix, J., and Jamroga, W. (2010).Model checking logics of strategic ability: Complexity.In Dastani, M., Hindriks, K. V., and Meyer, J.-J. C., editors,Specification and Verification of Multi-Agent Systems. Springer.

Clarke, E., Grumberg, O., and Peled, D. (1999).Model Checking.MIT Press.

Jürgen Dix and Michael Fisher (2012).Chapter 14: Specification and Verification of Multi-agent Systems.In G. Weiss (Ed.), Multiagent Systems, MIT Press.


Reading Material III

Jamroga, W. and Bulling, N. (2011).Comparing variants of strategic ability.In Proceedings of the 22nd International Joint Conference on ArtificialIntelligence (IJCAI), pages 252–257, Barcelona, Spain.


Outline

1 Linear and Branching Time

2 Cooperative Agents

3 Comparing Semantics of ATL

4 Reasoning and Examples

5 Complexity of Verification: Model Checking

6 Complexity of Reasoning: Satisfiability

7 Appendix: Automata Theory

8 References



1. Linear and Branching Time

1 Linear and Branching TimeSentential LogicFirst-Order LogicLinear Time LogicBranching Time Logic



Outline

We recapitulate very briefly sentential (also calledpropositional) logic (SL) and first-order logic (FOL),As an example of FOL, we consider FO(≤) monadic FOLof linear order.Then we present LTL, a logic to deal with linear time (nobranching). This logic is equivalent to FO(≤).CTL∗ is an extension of LTL to branching time.CTL is an interesting fragment of CTL∗, incomparablewith LTL, but with interesting computational properties.While LTL is defined over path formulae, CTL is definedover state formulae.CTL∗ is defined over both sorts of formulae.


1 Linear and Branching Time1.1 Sentential Logic

1.1 Sentential Logic



Syntax of SL

The propositional language is built uponPropositional symbols: p, q, r, . . . , p1, p2, p3, . . .Logical connectives: ¬ and ∨Grouping symbols: (, )

Often we consider only a finite, nonempty set ofpropositional symbols and refer to it as Prop.Propositional language LPL(Prop):

ϕ ::= p | ¬ϕ | ϕ ∨ ϕMacros:

> := p ∨ ¬p)⊥ := ¬>

ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)

ϕ→ ψ := ¬ϕ ∨ ψϕ↔ ψ := (ϕ→ ψ) ∧ (ψ → ϕ)



Semantics (SL)

A valuation (or truth assignment) v : Prop → t, f for alanguage LPL(Prop) is a mapping from the set ofpropositional constants defined by Prop into the sett, f.Inductively, we define the notion of a formula ϕ beingtrue or satisfied by v (denoted by v |= ϕ):v |= p iff v(p) = t and p ∈ Prop,v |= ¬ϕ iff not v |= ϕ,v |= ϕ ∨ ψ iff v |= ϕ or v |= ψ

For a set Σ ⊆ LPL we write v |= Σ iff v |= ϕ for all ϕ ∈ Σ.We use v 6|= ϕ instead of not v |= ϕ.



Truth Tables

Truth tables are a conceptually simple way of workingwith PL (invented by Wittgenstein in 1918).

p q ¬p p ∨ q p ∧ q p→ q p↔ qt t f t t t tf t t t f t ft f f t f f ff f t f f t t



Fundamental Semantical Concepts

If it is possible to find some valuation v that makes ϕtrue, then we say ϕ is satisfiable.If v |= ϕ for all valuations v then we say that ϕ is validand write |= ϕ . ϕ is also called tautology.A theory is a set of formulae: Φ ⊆ LPL.A theory Φ is called consistent if there is a valuation vwith v |= Φ.A theory Φ is called complete if for each formula ϕ in thelanguage, ϕ ∈ Φ or ¬ϕ ∈ Φ .

Two simple examples

Consider the two formulae p ∧ ¬b and a ∨ ¬a.Are they satisfiable or valid?Are they both consistent? What if we add b?



Consequences

Given a theory Φ we are interested in thefollowing question: Which facts can be derivedfrom Φ? We can distinguish two approaches:

1 semantical consequences, and2 syntactical inference.

Let Φ be a theory and ϕ be a formula. We saythat ϕ is a semantical consequence of Φ if forall valuations v:

v |= Φ implies v |= ϕ.


1 Linear and Branching Time1.2 First-Order Logic

1.2 First-Order Logic



Predicate logicIn addition to the propositional language (on which themodal language is built as well), the first-order language(FOL) contains variables, function-, and predicatesymbols.

Definition 1.1 (Variable)

A variable is a symbol of the set Var . Typically, we denotevariables by x0, x1, . . ..

Example 1.2

ϕ := ∃x0∀x1(P 20 (f 1

0 (x0), x1) ∧ P 12 (f 0

1 ))



Functions

Definition 1.3 (Function Symbols)

Let k ∈ N0. The set of k-ary function symbols is denoted byFunck. Elements of Funck are given by fk1 , f

k2 . . . . Such a

symbol takes k arguments. The set of all function symbols isdefined as

Func :=⋃k

Funck

A 0-ary function symbol is called constant.



Predicates

Definition 1.4 (Predicate Symbols)

Let k ∈ N0. The set of k-ary predicate symbols (or relationsymbols) is given by Predk. Elements of Predk are denotedby P k

1 , Pk2 . . . . Such a symbol takes k arguments. The set of

predicate symbols is defined as

Pred :=⋃k

Predk

A 0-ary predicate symbol is called (atomic) proposition.



SyntaxThe first-order language with equality LFOL is built fromterms and formulae.

In the following we fix a set of variables, function-, andpredicate symbols.

Definition 1.5 (Term)

A term over Func and Var is inductively defined as follows:

1 Each variable from Var is a term.2 If t1, . . . tk are terms then fk(t1, . . . , tk) is a term as well,

where fk is an k-ary function symbol from Funck.



Definition 1.6 (Language)

The first-order language with equalityLFOL(Var ,Func,Pred) is defined by the following grammar:

ϕ ::= P k(t1, . . . , tk) | ¬ϕ | ϕ ∨ ϕ | ∃x(ϕ) | t .= r

where P k ∈ Predk is a k-ary predicate symbol and t1, . . . , tkand t, r are terms over Var and Func.



Definition 1.7 (Macros)

We define the following syntactic constructs as macros(P ∈ Pred0):

⊥ := P ∧ ¬P> := ¬⊥

ϕ ∧ ψ := ¬(¬ϕ ∨ ¬ψ)

ϕ→ ψ := ¬ϕ ∨ ψϕ↔ ψ := (ϕ→ ψ) ∧ (ψ → ϕ)

∀x(ϕ) := ¬∃x(¬ϕ)



NotationWe will often leave out the index k in fki and P k

i

indicating the arity and just write fi and Pi.Variables are also denoted by u, v, w, . . .Function symbols are also denoted by f, g, h, . . .Constants are also denoted by a, b, c, . . . , c0, c1, . . .Predicate symbols are also denoted by P,Q,R, . . .We will use our standard notation p for 0-ary predicatesymbols and also call them (atomic) propositions.

Attention

In this course, we only need unary predicates (monadiclogic) and we do not need any function symbols at all. Soour terms are exactly the variables.



SemanticsDefinition 1.8 (Model, Structure)

A model or structure for FOL over Var ,Func and Pred isgiven by M = (U, I) where

1 U is a non-empty set of elements, called universe ordomain and

2 I is called interpretation. It assigns to each functionsymbol fk ∈ Funck a function I(fk) : Uk → U , to eachpredicate symbol P k ∈ Predk a relation I(P k) ⊆ Uk; andto each variable x ∈ Var an element I(x) ∈ U .

We write:1 M(P k) for I(P k),2 M(fk) for I(fk), and3 M(x) for I(x).



Note that a structure comes with an interpretation I, whichis based on functions and predicate symbols andassignments of the variables. But these are also defined inthe notion of a language. Thus we assume from now onthat the structures are compatible with the underlyinglanguage: The arities of the functions and predicates mustcorrespond to the associated symbols.

Example 1.9

ϕ := Q(x) ∨ ∀z(P (x, g(z))) ∨ ∃x(∀y(P (f(x), y) ∧Q(a)))

U = RI(a) : ∅ → R, ∅ 7→ π constant functions,I(f) : I(f) = sin : R→ R and I(g) = cos : R→ R,I(P ) = (r, s) ∈ R2 : r ≤ s and I(Q) = [3,∞) ⊆ R,I(x) = π

2, I(y) = 1 and I(z) = 3.



Definition 1.10 (Value of a Term)

Let t be a term and M = (U, I) be a model. We defineinductively the value of t wrt M, written as M(t), as follows:

M(x) := I(x) for a variable t = x,M(t) := I(fk)(M(t1), . . . ,M(tk)) if t = fk(t1, . . . , tk).



Definition 1.11 (Semantics)

Let M = (U, I) be a model and ϕ ∈ LFOL. ϕ is said to betrue in M, written as M |= ϕ, if the following holds:M |= P k(t1, . . . tk) iff (M(t1), . . . ,M(tk)) ∈M(P k)

M |= ¬ϕ iff not M |= ϕ

M |= ϕ ∨ ψ iff M |= ϕ or M |= ψ

M |= ∃x(ϕ) iff M[x/a]|= ϕ for some a ∈ U where M[x/a]

denotes the model equal to M but M[x/a](x) = a.M |= t

.= r iff M(t) = M(r)

Given a set Σ ⊆ LFOL we write M |= Σ iff M |= ϕ for allϕ ∈ Σ.



Example: FO(≤)Monadic first-order logic of order, denoted by FO(≤), isfirst-order logic with the only binary symbol ≤ (exceptequality, which is also allowed) and, additionally, anynumber of unary predicates. The theory assumes that ≤ isa linear order, but nothing else.

A typical model is given byN = 〈N,≤N, PN1 , PN2 , . . . PNn 〉

where ≤N is the usual ordering on the natural numbers andPNi ⊆ N.

The sets PNi determine the timepoints where the propertyPi holds.



What can we express in FO(≤)?

Can we find formulae that express thata property r is true infinitely often?

r is true at all even timepoints and ¬r at allodd timepoints?

whenever r is true, then s is true in the nexttimepoint?


1 Linear and Branching Time1.3 Linear Time Logic

1.3 Linear Time Logic



Reasoning about Time

The accessibility relation represents time.Time: linear vs. branching.Reasoning about a particular computation of a system.Models: paths (e.g. obtained from Kripke structures)

start

start



Temporal logic was originally developed in order torepresent tense in natural language.

Within Computer Science, it has achieved a significant rolein the formal specification and verification of concurrentand distributed systems.

Much of this popularity has been achieved because anumber of useful concepts can be formally, and concisely,specified using temporal logics, e.g.

safety propertiesliveness propertiesfairness properties



Typical temporal operators

Xϕ ϕ is true in the neXt moment in timeGϕ ϕ is true Globally: in all future momentsFϕ ϕ is true in Finally: eventually (in the future)ϕUUU ψ ϕ is true Until at least the moment when ψ

becomes true (and this eventually happens)

G((¬passport ∨ ¬ticket) → X¬board_flight)

send(msg, rcvr) → Freceive(msg, rcvr)



Safety Properties

“something bad will not happen”“something good will always hold”

Typical examples:

G¬bankruptGfuelOKand so on . . .

Usually: G¬....



Liveness Properties

“something good will happen”

Typical examples:

Frichpower_on→ Fonlineand so on . . .

Usually: F....



Fairness PropertiesCombinations of safety and liveness possible:

FG¬deadG(request_taxi→ Farrive_taxi) fairness

Strong fairness

“If something is requested then it will be allocated”:

G(attempt → Fsuccess),GFattempt → GFsuccess.

Scheduling processes, responding to messages, etc.No process is blocked forever, etc.



Definition 1.12 (Language LLTL [Pnueli, 1977])The language LLTL(Prop) is given by all formulae generatedby the following grammar, where p ∈ Prop is a proposition:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕUUU ϕ | Xϕ.

The additional operatorsF (eventually in the future) andG (always from now on)

can be defined as macros :

Gϕ ≡ >UUU ϕ and Fϕ ≡ ¬G¬ϕ

The standard Boolean connectives >,⊥,∧,→, and↔ aredefined in their usual way as macros.



Models of LTLThe semantics is given over paths, which are infinitesequences of states from Q, and a standard labellingfunction π : Q→ P(Prop) that determines whichpropositions are true at which states.

Definition 1.13 (Path λ = q1q2q3 . . .)

A path λ over a set of states Q is an infinite sequencefrom Qω. We also identify it with a mapping N0 → Q.

λ[i] denotes the ith position on path λ (starting fromi = 0) andλ[i,∞] denotes the subpath of λ starting from i(λ[i,∞] = λ[i]λ[i+ 1] . . . ).



λ = q1q2q3 . . . ∈ Qω

Definition 1.14 (Semantics of LTL)

Let λ be a path and π be a labelling function over Q. Thesemantics of LTL, |=LTL, is defined as follows:

λ, π |=LTL p iff p ∈ π(λ[0]) and p ∈ Prop;λ, π |=LTL ¬ϕ iff not λ, π |=LTL ϕ (we will also writeλ, π 6|=LTL ϕ);λ, π |=LTL ϕ ∨ ψ iff λ, π |=LTL ϕ or λ, π |=LTL ψ;

λ, π |=LTL Xϕ iff λ[1,∞], π |=LTL ϕ; andλ, π |=LTL ϕUUU ψ iff there is an i ∈ N0 such thatλ[i,∞], π |= ψ and λ[j,∞], π |=LTL ϕ for all 0 ≤ j < i.



Other temporal operators

λ, π |= Fϕ iff λ[i,∞], π |= ϕ for some i ∈ N0 ;λ, π |= Gϕ iff λ[i,∞], π |= ϕ for all i ∈ N0 ;

Exercise

Prove that the semantics does indeed match thedefinitions Fϕ ≡ >UUU ϕ and Gϕ ≡ ¬F¬ϕ.



q2q1q0 q2q1q0

pos1 pos1pos0 pos0pos2 pos2

λ, π |= Fpos1

λ′ = λ[1,∞], π |= pos1

pos1 ∈ π(λ′[0])



q2q1q0 q2q1q0

pos1 pos1pos0 pos0pos2 pos2

λ, π |= GFpos1 iff

λ[0,∞], π |= Fpos1 andλ[1,∞], π |= Fpos1 andλ[2,∞], π |= Fpos1 and

. . .



Representation of paths

Paths are infinite entities.

They are theoretical constructs.

We need a finite representation!

Such a finite representation is given by atransition system or a pointed Kripkestructure.



Computational vs. bbehavioral structure

System Computational str.

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1pos2



Computational str. Behavioral str.

q0

q2 q1

pos0

pos1pos2

q0

q0

q0

q1

q1 q1 q2

Important!

The behavioral structure is usually infinite! Here, it is aninfinite tree. We say it is the q0-unfolding of the model.



Some Exercises

Example 1.15

Formalise the following as LTL formulae:

1 r should never occur.2 r should occur exactly once.3 At least once r should directly be followed bys.

4 r is true at exactly all even states.5 r is true at each even state (the odd states do

not matter). Does r ∧G(r ∧ XXr) work?



Relation to first-order logic (1)

1 The monadic first-order theory of (linear)order, FO(≤) (see Slide 29) is equivalent toLTL.

2 There is a translation from sentences of LTL tosentences of FO(≤) and vice versa, such thatthe LTL sentence is true in λ, π iff its translationis true in the associated first-order structure.



Relation to first-order logic (2)

1 More precisely: an infinite path λ is described as afirst-order structure with domain N and predicates Ppfor p ∈ Prop. The predicates stand for the set oftimepoints where p is true. So each path λ can berepresented as a structure Nλ = 〈N,≤N, PN1 , PN2 , . . . PNn 〉.Then each LTL formula φ translates to a first-orderformula αφ(x) with one free variable s.t.

φ is true in λ[n,∞] iff αφ(n) is true in Nλ.

And conversely: for each first-order formula with a freevariable there is a corresponding LTL formula s.t. thesame condition holds.



The formulae GFp, FGp

1 What are their counterparts in FO(≤)?2 We will see later that FGp does not belong to

CTL, but to CTL∗. It is not even equivalent to aCTL formula.

3 However, GFp is equivalent to a CTL formula:AGAFp



Some Remarks

1 A particular logic LTL is determined by thenumber n of propositional variables. Strictlyspeaking, this number should be a parameterof the logic. This also applies to the logics CTLand ATL.

2 While both F and G can be expressed using UUU ,the converse is not true: UUU can not beexpressed by F and G.



Satisfiability of LTL formulae

A formula is satisfiable, if there is a path where it is true. Canwe restrict the structure of such paths? I.e. can we restrictto simple paths, for example paths that are periodic?

If this is the case, then we might be able to constructcounterexamples more easily, as we need only checkvery specific paths.It would be also useful to know how large the period isand within which initial segment of the path it starts,depending on the length of the formula ϕ.



Satisfiability of LTL formulae (cont.)

Theorem 1.16 (Periodic model theorem[Sistla and Clarke, 1985])

A formula ϕ ∈ LLTL is satisfiable iff there is a path λ which isultimately periodic, and the period starts within 21+|ϕ| stepsand has a length which is ≤ 41+|ϕ|.

2O(n) 4O(n)


1 Linear and Branching Time1.4 Branching Time Logic

1.4 Branching Time Logic



Branching Time

CTL, CTL∗: Computation Tree Logics.

Reasoning about possible computations of asystem.

Time is branching: We want all possiblecomputations included!

Models: states (time points, situations),transitions (changes). ( Kripke models).

Paths: courses of action, computations. ( LTL)



Path quantifiers: A (for all paths), E (there is apath);

Temporal operators: X (nexttime), F (finally),G (globally) and UUU (until);

CTL: each temporal operator must beimmediately preceded by exactly one pathquantifier;

CTL∗: no syntactic restrictions.



Example 1.17 (Branching Time)

q0

q1 q2

q4

p

q3q

q

p

In this structure, whenever p holds at some timepoint, thenthere is a path where q holds in the next step and there is(another) path where ¬q holds in the next step. And thisholds along all paths (there are three infinite paths).



Definition 1.18 (LCTL∗ [Emerson and Halpern, 1986])

The language LCTL∗(Prop) is given by all formulae generatedby the following grammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | Eγwhere

γ ::= ϕ | ¬γ | γ ∨ γ | γUUU γ | Xγand p ∈ Prop. Formulae ϕ (resp. γ) are called state (resp.path) formulae.

We use the same abbreviations as for LLTL:

λ, π |= Fϕ iff λ[i,∞], π |= ϕ for some i ∈ N0 ;λ, π |= Gϕ iff λ[i,∞], π |= ϕ for all i ∈ N0 ;



The LCTL∗-formula EFϕ, for instance, ensures that thereis at least one path on which ϕ holds at some (future)time moment.

The formula AFGϕ states that ϕ holds almosteverywhere . More precisely, on all paths it alwaysholds from some future time moment.

LCTL∗-formulae do not only talk about temporal patternson a given path, they also quantify (existentially oruniversally) over such paths.

The logic is complex! For practical purposes, a fragmentwith better computational properties is oftensufficient.



Definition 1.19 (LCTL [Clarke and Emerson, 1981])

The language LCTL(Prop) is given by all formulae generatedby the following grammar, where p ∈ Prop is a proposition:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | E(ϕUUU ϕ) | EXϕ | EGϕ.

We introduce the following macros:

Fϕ ≡ >UUU ϕ,AXϕ ≡ ¬EX¬ϕ,AGϕ ≡ ¬EF¬ϕ, andAϕUUU ψ ≡ . . . Exercise!



For example, AGEXp is a LCTL-formula whereas AGFp is not.

Example 1.20 (CTL∗ or CTL?)

Are the following CTL∗ or CTL formulae? What do theyexpress?

1 EFAXshutdown2 EFXshutdown3 AGFrain4 AGAFrain (Is it different from (3)?)5 EFGbroken6 AG(p→ (EXq ∧ EX¬q))



The precise definition of Kripke structures is given inSection 4. To understand the following definitions it sufficesto note that:

Given a set of states Q (each is a propositional model), aKripke model M is simply a tuple (Q,R) whereR ⊆ Q×Q is a binary relation.q1Rq2 (also written (q1, q2) ∈ R or R(q1, q2)) means thatstate q2 is reachable from state q1 (by executingcertain actions).The relation R is serial: for all q there is a q′ such thatqRq′. This ensures that our paths are infinite.Given a state q in a Kripke model, by Λ(q) we mean theset of all paths determined by the relation R starting inq: q, q1, q2, . . . , qi, . . . where qRq1 , . . . qiRqi+1, . . .



Definition 1.21 (Semantics |=CTL∗)

Let M be a Kripke model, q ∈ Q and λ ∈ Λ. The semanticsof LCTL∗- and LCTL-formulae is given by the satisfactionrelation |=CTL∗ for state formulae by

M, q |=CTL∗ p iff λ[0] ∈ π(p) and p ∈ Prop;M, q |=CTL∗ ¬ϕ iff M, q 6|=CTL∗ ϕ;M, q |=CTL∗ ϕ ∨ ψ iff M, q |=CTL∗ ϕ or M, q |=CTL∗ ψ;M, q |=CTL∗ Eϕ iff there is a path λ ∈ Λ(q) such thatM, λ |=CTL∗ ϕ;



and for path formulae by:M, λ |=CTL∗ ϕ iff M, λ[0] |=CTL∗ ϕ;M, λ |=CTL∗ ¬γ iff M, λ 6|=CTL∗ γ;M, λ |=CTL∗ γ ∨ δ iff M, λ |=CTL∗ γ or M, λ |=CTL∗ δ;M, λ |=CTL∗ Xγ iff λ[1,∞], π |=CTL∗ γ; andM, λ |=CTL∗ γUUU δ iff there is an i ∈ N0 such thatM, λ[i,∞] |=CTL∗ δ and M, λ[j,∞] |=CTL∗ γ for all0 ≤ j < i.

Is this complicated semantics over paths necessary for CTL?



State-based semantics for CTL

M, q |=CTL p iff q ∈ π(p);M, q |=CTL ¬ϕ iff M, q 6|=CTL ϕ;M, q |=CTL ϕ ∨ ψ iff M, q |=CTL ϕ or M, q |=CTL ψ;M, q |=CTL EXϕ iff there is a path λ ∈ Λ(q) such thatM, λ[1] |=CTL ϕ;M, q |=CTL EGϕ iff there is a path λ ∈ Λ(q) such thatM, λ[i] |=CTL ϕ for every i ≥ 0;M, q |=CTL EϕUUU ψ iff there is a path λ ∈ Λ(q) such thatM, λ[i] |=CTL ψ for some i ≥ 0, and M, λ[j] |=CTL ϕ for all0 ≤ j < i.



LTL as subset of CTL∗

LTL is interpreted over infinite chains (infinite words), butnot over (serial) Kripke structures (which are branching).

To consider LTL as a subset of CTL∗, one can just addthe quantifier A in front of a LTL formula and use thesemantics of CTL∗. For infinite chains, this semanticscoincides with the LTL semantics.The theorem of Clarke und Draghiescu gives a nicecharacterization of those CTL∗ formulae that areequivalent to LTL formulae. Given a CTL∗ formula ϕ,we construct ϕ′ by just forgetting all path operators.Then

ϕ is equivalent to a LTL formulaiff

ϕ and Aϕ′ are equivalent under the semantics of CTL∗.



Application of Clarke and DraghiescuWe consider the LTL formula GFp. Viewed as a CTL∗ formulait becomes AGFp. But this is equivalent (in CTL∗) to AGAFp,a CTL formula.Now we consider the CTL formula EGEFp. It is notequivalent to any LTL formula. This is because

EGEFp and AGFpare not equivalent in CTL∗:

q0 q1 q2

p

The first formula holds, the second does not.



LTL as subset of CTL∗ (2)

How do LTL and CTL compare?The CTL formula AG(p→ (EXq ∧ EX¬q)) describesKripke structures of the form in Example 1.17. No LTLformula can describe this class of Kripke structures.The LTL formula AF(p ∧ Xp) can not be expressed by aCTL formula. Check why neither AF(p ∧ AXp) norAF(p ∧ EXp) are equivalent. Similarly, the LTL formulaAFGp can not be expressed by a CTL formula.There is a syntactic characterisation of formulaeexpressible in both CTL and LTL. Model checking in thisclass can be done more efficiently. We refer to[Maidl, 2000].



Example 1.22 (Robots and Carriage)

1 2

1

2

1

2

pos0

pos1pos2

Figure 1 : Tworobots and a carriage.

Two robots push a carriage fromopposite sides.Carriage can move clockwise oranticlockwise, or it can remain in thesame place.3 positions of the carriage.We label the states with propositionspos0, pos1, pos2, respectively, to allowfor referring to the current positionof the carriage in the objectlanguage.



1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1pos2

Figure 2 : Two robots and a carriage: A schematic view (left) and atransition system M0 that models the scenario (right).



q0

q2 q1

pos0

pos1pos2

M0, q0 |=CTL EFpos1: In state q0,there is a path such that thecarriage will reach position 1sometime in the future.The same is not true for all paths,so we also have:M0, q0 6|=CTL AFpos1.

It becomes more interesting if abilities of agents areconsidered ATL.



Example: Rocket and Cargo

A rocket and a cargo.The rocket can be moved between London (propositionroL) and Paris (proposition roP ).The cargo can be in London (caL), Paris (caP ), or insidethe rocket (caR).The rocket can be moved only if it has its fuel tank full(fuelOK).When it moves, it consumes fuel, and nofuel holds aftereach flight.




nofuelroL

caR

fuelOK nofuel fuelOK

nofuel fuelOK nofuel fuelOK


1

5 6

2

3 4

87

9 10 1211

roL roP

roL roL

roLroL

roP

roP roP

roP

roP

caL caL caLcaL

caR caR caR

caP caP caP caP

roL→ E♦roP

AG(roL ∨ roP )

roL→ AX(roP → nofuel)




nofuelroL

caR

fuelOK nofuel fuelOK



1

5 6

2

4

87

9 10 1211

roL roP

roL roL

roLroL

roP

roP roP

roP

roP

caL caL caLcaL

caR caR caR

caP caP caP caP

3

E♦caP



In our logics, we assumed a serial accessibility relation:no deadlocks are possible.One can also allow states with no outgoing transitions.In that case, in the semantical definition of E on Slide 65one has to replace “there is a path” by “there is aninfinite path or one which can not be extended”.Similar modifications are needed in the definition ofCTL.One can also add to each state with no outgoingtransitions a special transition leading to a new statethat loops into itself.

How to express that there is no possibility of a deadlock?

AGX> ( CTL∗) AGEX> ( CTL)



A Venn diagram showing typical formulae in the respectiveareas.



2. Cooperative Agents

2 Cooperative AgentsAlternating-Time Temporal LogicsImperfect Information



Outline

We introduce ATL, Alternating Time Temporal Logic: ablend of temporal logic and game theory.Like CTL, ATL comes in two variants: ATL and ATL∗.Appropriate models for ATL are concurrent gamestructures.We introduce four variants of ATL along two differentaxis:

perfect vs imperfect information, andperfect vs imperfect recall.


2 Cooperative Agents2.1 Alternating-Time Temporal Logics

2.1 Alternating-Time TemporalLogics



The picture so far.What kind of logics did we introduce so far?

Linear-time temporal logic (LTL)Branching-time logics (CTL and CTL∗)

In the temporal case each transition modelled a time step.We considered only one single “actor”.Now: Modelling abilities of multiple agents: CTL can beviewed as the single actor restriction of ATL.

Agents can execute actions and cooperate. Action profilesdetermine the behaviour of the system.



Alternating-time Temporal Logics

ATL, ATL∗ [Alur et al. 1997]Temporal logic meets game theoryModeling abilities of multiple agentsMain idea: cooperation modalities

〈〈A〉〉ϕ: coalition A has a collective strategy to enforce ϕ

Enforcement is understood in the game-theoretical sense:There is a winning strategy.



The syntax is given as for the computation-tree logics.

Definition 2.1 (Language LATL∗[Alur et al., 1997])

The language LATL∗ is given by all formulae generated by thefollowing grammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | 〈〈A〉〉γ whereγ ::= ϕ | ¬γ | γ ∨ γ | γUUU γ | ©γ,

A ⊆ Agt, and p ∈ Prop. Formulae ϕ (resp. γ) are called state(resp. path) formulae.

Note that we are using now the symbol “©” instead of “X”as it is more custom when dealing with ATL.



The language LATLrestricts LATL∗ in the same way as LCTLrestricts LCTL∗: Each temporal operator must be directlypreceded by a cooperation modality.

Definition 2.2 (Language LATL[Alur et al., 1997])

The language LATL is given by all formulae generated by thefollowing grammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | 〈〈A〉〉 © ϕ | 〈〈A〉〉ϕ | 〈〈A〉〉ϕUUU ϕwhere A ⊆ Agt and p ∈ Prop.

Note that we are using now the symbol “” instead of “G”as it is more custom when dealing with ATL.



The language LATL+restricts LATL∗ but extends LATL. It allowsfor Boolean combinations of path formulae.

Definition 2.3 (Language LATL+)

The language LATL+ is given by all formulae generated bythe following grammar:

ϕ ::= p | ¬ϕ | ϕ∨ϕ | 〈〈A〉〉γ, γ ::= ¬γ | γ ∨ γ | ©ϕ | ϕUUU ϕ.

where A ⊆ Agt and p ∈ Prop.



ATL Models: Concurrent Game StructuresAgents, actions, transitions, atomic propositionsAtomic propositions + interpretationActions are abstract

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

push,wait

wait,push

pos2

wait,pushw

ait,p

ush



Definition 2.4 (Concurrent Game Structure)

A concurrent game structure is a tupleM = 〈Agt, Q, π, Act, d, o〉, where:

Agt: a finite set of all agents;Q: a set of states;π : Q→ P(Prop): a valuation of propositions;Act: a finite set of (atomic) actions;d : Agt×Q→ P(Act) defines actions available to anagent in a state;o: a deterministic transition function that assignsoutcome states q′ = o(q, α1, . . . , αk) to states and tuplesof actions.



Recall and informationA strategy of agent a is a conditional plan that specifies what a isgoing to do in each situation.

Two types of “situations”: Decisions are based on

the current state only ( memoryless strategies)

sa : Q→ Act.

on the whole history of events that have happened( perfect recall strategies)

sa : Q+ → Act.

We also distinguish between agents with

perfect information (all states are distinguishable).

imperfect information (some state are indistinguishable).N. Bulling, J. Dix ·Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012 86


Perfect Information Strategies

Definition 2.5 (IR- and Ir-strategies)

A perfect information perfect recall strategy foragent a (IR-strategy for short) is a function

sa : Q+ → Act such that sa(q0q1 . . . qn) ∈ da(qn).The set of such strategies is denoted by ΣIR

a .

A perfect information memoryless strategy for agenta (Ir-strategy for short) is given by a function

sa : Q→ Act where sa(q) ∈ da(q).The set of such strategies is denoted by ΣIr

a .

i (resp. I) stands for imperfect (resp. perfect) information and r (resp. R)for imperfect (resp. perfect) recall. [Schobbens, 2004]



Some NotationThe following holds for all kind of strategies:

A collective strategy for a group of agentsA = a1, . . . , ar ⊆ Agt is a set

sA = sa | a ∈ Aof strategies, one per agent from A.sA|a, we denote agent a’s part of the collectivestrategy sA, sA|a = sA ∩ Σa.s∅ = ∅ denotes the strategy of the empty coalition.ΣA denotes the set of all collective strategies of A.Σ = ΣAgt



Outcome of a strategyout(q, sA)= set of all paths that may occurwhen agents A execute sA from state q onward.

Definition 2.6 (Outcome)

λ = q0q1 . . . ∈ Q ∈ out(q, sA) ⊆ Qω iff

1 q0 = q

2 for each i = 1, . . . there is a tuple (αi−11 , . . . , αi−1

k ) ∈ Actksuch that

αi−1a ∈ da(qi−1) for each a ∈ Agt,αi−1a = sA|a(q0q1 . . . qi−1) for each a ∈ A, ando(qi−1, α

i−11 , . . . , αi−1k ) = qi.

For an Ir-strategy replace “sA|a(q0q1 . . . qi−1)” by“sA|a(qi−1)”.



Definition 2.7 (Perfect information semantics)M, q |=Ix p iff p is in π(q);M, q |=Ix ϕ ∨ ψ iff M, q |=Ix ϕ or M, q |=Ix ψ;

M, q |=Ix 〈〈A〉〉Φ iff there is a collective Ix-strategy sAsuch that, for each path λ ∈ out(q, sA),we have M, λ |=Ix Φ.

M, λ |=Ix ©ϕ iff M, λ[1,∞] |=Ix ϕ;M, λ |=Ix ♦ϕ iff M, λ[i,∞] |=Ix ϕ for some i ≥ 0;M, λ |=Ix ϕ iff M, λ[i,∞] |=Ix ϕ for all i ≥ 0;M, λ |=Ix ϕUUU ψ iff M, λ[i,∞] |=Ix ψ for some i ≥ 0, and

M, λ[j,∞] |=Ix ϕ forall 0 ≤ j ≤ i.

Note that temporal formulae and the Boolean connectivesare handled as before.



Example: Robots and Carriage

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

pos0 → 〈〈1〉〉¬pos1



Definition 2.8 (ATLIx, ATL+Ix, ATL∗Ix, ATL, ATL∗)

def:atl-R-defs We define ATLIx, ATL+Ix, and ATL∗Ix as

the logics (LATL, |=Ix), (LATL+, |=Ix) and(LATL∗, |=Ix) where x ∈ r, R, respectively.Moreover, we use ATL (resp. ATL∗) as anabbreviation for ATLIR (resp. ATL∗IR).

Intuitively, a logic is given by the set of all validformulae.



Theorem 2.9For LATL, the perfect recall semantics is equivalent to thememoryless semantics under perfect information , i.e.,M, q |=IR ϕ iff M, q |=Ir ϕ. Both semantics are different forLATL∗. That is

ATL = ATLIr = ATLIR.

Proof idea.

The first “non-looping part” of each path has to satisfy aformula. Exercise

The property has been first observed in [Schobbens, 2004]but it follows from [Alur et al., 2002] in a straightforwardway.



Example: Robots and Carriage (2)

1 2

1

2

1

2

pos0

pos1pos2

1 2

halt q0

q2 q1

pos0

pos1

wait,wait

wait,wait

halt,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2

halt,push qh

halt

What about 〈〈1, 2〉〉(♦pos1 ∧ ♦halt)?M, q0 |= IR〈〈1, 2〉〉(♦pos1 ∧ ♦halt)M, q0 6|= Ir〈〈1, 2〉〉(♦pos1 ∧ ♦halt)


2 Cooperative Agents2.2 Imperfect Information

2.2 Imperfect Information



Imperfect information

How can we reason about agents/extensivegames with imperfect information?

We combine ATL∗ and epistemic logic.We extend CGSS with indistinguishabilityrelations ∼a⊆ Q×Q, one per agent. Therelations are assumed to be equivalencerelations.

We interpret 〈〈A〉〉 epistemically( |=iR and |=ir)



Definition 2.10 (CEGS)

A concurrent epistemic game structure (CEGS)is a tuple

M = (Agt, Q,Π, π, Act, d, o, ∼a| a ∈ Agt)with

(Agt, Q,Π, π, Act, d, o) a CGS and∼a⊆ Q×Q equivalence relations(indistinguishability relations).



Example: Robots and Carriage

1 2

1

2

1

2

pos0

pos1pos2

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push,wait

push,wait

wait,pushpush,w

ait

wait,push

wait,push

pos2

1 2

What about 〈〈Agt〉〉 © pos1 in q0?M, q0 |= Ir〈〈Agt〉〉 © pos1

M, q0 6|= ir〈〈Agt〉〉 © pos1



Problem:

Strategic and epistemic abilities are not independent!

〈〈A〉〉Φ = A can enforce Φ

It should at least mean that A are able to identify andexecute the right strategy!

Executable strategies = uniform strategies



Definition 2.11 (Uniform strategy)

Strategy sa is uniform iff it specifies the same choices forindistinguishable situations :

Memoryless strategies:if q ∼a q′ then sa(q) = sa(q

′).Perfect recall:

if λ ≈a λ′ then⇒ sa(λ) = sa(λ′),

where λ ≈a λ′ iff λ[i] ∼a λ′[i] for every i.

A collective strategy is uniform iff it consists only of uniformindividual strategies.



Imperfect Information Strategies

Definition 2.12 (IR- and Ir-strategies)

A imperfect information perfect recall strategy foragent a (iR-strategy for short) is a uniform IR-strategy.A imperfect information memoryless strategy foragent a (ir-strategy for short) is a uniform Ir-strategy.

The outcome is defined as before.



Imperfect Information SemanticsThe imperfect information semantics is defined as before,only the clause for

M, q |=Ix 〈〈A〉〉ϕ iff there is a collective Ix-strategy sA suchthat, for each path λ ∈ out(q, sA), we have M, λ |=Ix ϕ.

is replaced by

M, q |=ix 〈〈A〉〉ϕ iff there is a uniform ix-strategysA such that, for each path λ ∈ ⋃

q′:q∼Aq′ out(q′, sA), we have

M, λ |=ix ϕ

where x ∈ r, R and ∼A:= ∪a∈A ∼a.Remark 2.13This definition models that “everybody in A knows that ϕ”.



The fixed-point characterisation does not hold anymore!

Theorem 2.14The following formulae are not valid for ATLir:〈〈A〉〉ϕ ↔ ϕ ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ〈〈A〉〉ϕ1UUU ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ1UUU ϕ2).

Proof.

: Exercise.



3. Comparing Semantics of ATL

3 Comparing Semantics of ATLSemantics SettingsPerfect vs. Imperfect InformationPerfect Recall and Tree UnfoldingsPerfect vs. Imperfect RecallBetween Subjective and Objective AbilityConclusions



Outline

We consider the relationship between standard variants ofthe alternating-time temporal logics.

perfect recall / no memoryperfect / imperfect informationobjective / subjective ability

Focus is on the logics; i.e., on the level of valid sentences.

Validities capture general properties of games.

Same logics induce same kind of ability in games.

The following section is based on [Jamroga and Bulling, 2011].


3 Comparing Semantics of ATL3.1 Semantics Settings

3.1 Semantics Settings



We have considered various semantics for ATL and its variants:memoryless strategies;perfect recall strategies;perfect information; andimperfect information.

In this section we systematically analyze how these setting giverise to different logics.For the perfect information case we define the following sets ofvalidities:

Cf. Definition 2.8We define the following logics:

ATLIx is the set of valid sentences over (LATL, |=Ix)

ATL∗Ix is the set of valid sentences over (LATL∗ , |=Ix)

where x ∈ r,R, respectively.



Does memory matter? In Theorem 2.9 we have already seen thefollowing:

Cf. Theorem 2.9For LATL, the perfect recall semantics is equivalent to thememoryless semantics under perfect information , i.e.,

M, q |=IR ϕ iff M, q |=Ir ϕ.

That is

ATL = ATLIr = ATLIR.

Both semantics are different for LATL∗ ; that is, ATL∗Ir 6= ATL∗IR.



Example 3.1 (ATL∗IR 6= ATL∗Ir)

q1 q2

p

1

2

1

ϕ = 〈〈a〉〉(©p ∧©©¬p)



Objective vs. subjective ability

There are two more characteristics of ability under imperfectinformation:

Subjective ability (is): All paths from all indistinguishablestates are taken into account.

Objective ability (io): Only paths from the (real) currentstate are considered.

q1 q2

objective

subjective



Definition 3.2 (Subjective epistemic outcome,xy-outcome)

(a) The (subjective) epistemic outcome outs(q, sA) is defined as

outs(q, sA) =⋃

q∼Aq′out(q′, sA).

(b) Let x ∈ is, io, I and y ∈ r,R The xy-outcome outxy(q, sA)is defined as follows:

outxy(q, sA) =

outs(q, sA) if x = is;

out(q, sA) else.



Remark 3.3 (Strategies and semantics)

In order to ensure a uniform notation, we introduce xy-strategiesfor x ∈ is, io, I and y ∈ r,R as follows:

IR: sa : Q+ → Act such that sa(q0 . . . qn) ∈ d(a, qn) for allq0, . . . , qn;

Ir: as IR with the additional constraint s(hq) = s(h′q) forall histories h (or, alternatively, sa : Q+ → Act suchthat sa(q) ∈ d(a, q) for all q);

ior, isr: like Ir, with the additional constraint that q ∼a q′implies sa(hq) = sa(hq

′) for all histories h;

ioR, isR: like IR, with the additional constraint that h ≈a h′implies sa(h) = sa(h

′).



Definition 3.4 (Imperfect information semantics)

M, q |=xy 〈〈A〉〉ϕ iffthere is a collective xy-strategy sAsuch that, for each path λ ∈ outxy(q′, sA),we have M, λ |=xy ϕ

where x ∈ io, is, y ∈ r,R and ∼A:= ∪a∈A ∼a.

Analogously to Definition 3.5, we define the following sets:

Definition 3.5 (ATLisx, ATL∗isx, ATLiox, ATL∗iox)

We define the following logics:

ATLyx is the set of valid sentences over (LATL, |=yx)

ATL∗yx is the set of valid sentences over (LATL∗ , |=yx)

where y ∈ is, io and x ∈ r,R, respectively.



How does the picture look?

?ATLIR = ATLIr

ATLior ATLisr

ATLisRATLioR

ATLioR

ATLior

ATLisr

ATLisR

ATLIr 6= ATL

IR

subjectiveobjective

memoryless

perfect recalllanguage



Comparing ValiditiesRecall our motivation:

Relationship between standard variants of ATL∗ on the levelof valid sentences

Logic = set of validitiesValidities capture general properties of games underconsideration

If two logics over LATL∗ generate the same valid sentencesthen the underlying notions of ability induce the same kindof gamesFirst step towards devising algorithms for satisfiabilitychecking



Remark 3.6 (Important Validities and Invalidities)

〈〈a〉〉♦p↔ p ∨ 〈〈a〉〉 © 〈〈a〉〉♦pInvalid in all variants with imperfect information.Valid for perfect information.

〈〈a〉〉(♦p1 ∧ ♦p2)↔ 〈〈a〉〉♦((p1 ∧ 〈〈a〉〉♦p2) ∨ (p2 ∧ 〈〈a〉〉♦p1))

Invalid for imperfect informationValid for perfect information and perfect recall

¬〈〈∅〉〉♦¬p↔ 〈〈Agt〉〉pInvalid for subjective ability under imperfect infotmationValid for perfect information.


3 Comparing Semantics of ATL3.2 Perfect vs. Imperfect Information

3.2 Perfect vs. ImperfectInformation



Comparing ATLir vs. ATLIrSubjective incomplete information vs. perfect information.

Proposition 3.7

ATLisr ( ATLIr

Inclusion: Every CGS can be seen as a special CEGS

M, q0 6|=isr (shot ∨ 〈〈a〉〉 © 〈〈a〉〉♦shot)→ 〈〈a〉〉♦shot

q0 q1

q4 q5

q2

shot

q3

a

shootL

shootR shootR

shootL

look look



Objective incomplete information vs. perfect information.

Proposition 3.8

ATLior ( ATLIr

M, q′0 6|=ior (shot ∨ 〈〈a〉〉 © 〈〈a〉〉♦shot)→ 〈〈a〉〉♦shot

q′0

q0 q1

q2shot

q3

a

〈−, putL〉

〈−, putR〉

〈shootL,−〉

〈shootR ,−〉

〈shootR,−〉

〈shoot L,−〉



Comparing ATLiR vs. ATLIR

Objective incomplete information vs. perfect information underperfect recall.

By the same reasoning as above:

Corollary 3.9

ATLioR ( ATLIR



Subjective ability and incomplete information vs. perfectinformation.

Proposition 3.10

ATLisR ( ATLIR

M, q4 6|=isR 〈〈a〉〉♦shot→ (shot ∨ 〈〈a〉〉 © 〈〈a〉〉♦shot)

q0 q1

q4 q5

q2

shot

q3

a

shootL

shootR shootR

shootL

look look


3 Comparing Semantics of ATL3.3 Perfect Recall and Tree Unfoldings

3.3 Perfect Recall and TreeUnfoldings



IR-Tree Unfolding

Interesting is the comparison between memory and nomemory.Can Agents really achieve more (in terms of validities) if theyhave memory available?Suppose we want to show that ATL∗Ir ⊆ ATL∗IR; i.e., moreproperties of games are valid if perfect recall strategies areconsidered.For this purpose, we show that every IR-satisfiable formula isalso Ir-satisfiable.Then, the claim follows: Suppose ϕ ∈ ATLIr and ϕ 6∈ ATLIR. Bythe latter, ¬ϕ is IR-satisfiable hence also Ir-satisfiable.Contradiction!

How can we show that IR-satisfiability implies Ir-satisfiability?



Suppose (M, q) IR-satisfies ϕ. Then, we show that there is apointed model (M′, q) which satisfies the same formulae andin which memoryless and perfect-recall strategies coincide.Which properties must M′ have such that both kind ofstrategies have the same expressive power?

Definition 3.11 (Tree-like CGS)

Let M be a CGS. M is called tree-like iff there is a state q0 (theroot) such that for every q there is a unique history leading from q0

to q.

Proposition 3.12 (Recall invariance for tree-like CGS)

For every tree-like CGS M, state q in M, and ATL∗-formula ϕ, wehave: M, q |= Ir ϕ iff M, q |= IR ϕ.

Can we always obtain such a tree-like “version” of a model?



For each model, we can construct an equivalent tree-like model:Fix a state and unfold the model to an infinite tree.

q1 q2

q1

q1 q2

q2q1 q1 q2

(α,α) (β,α) (α,α)

(α,β)

Tree unravelling

Note: states correspond to finite histories.



Definition 3.13 (Perfect information tree unfolding)

Let M = (Agt, Q,Π, π, Act, d, o) be a CGS and q be a state in it.The (perfect information) tree unfolding of the pointed model(M, q) denoted T (M, q) is defined as (Agt, Q′,Prop, π′, Act, d′, o′)where

Q′ := ΛfinM (q),

d′(a, h) := d(a, last(h)),

o′(h, ~α) := h o(last(h), ~α), and

π′(h) := π(last(h)).

The node q in the unfolding is called root of T (M, q).

Theorem 3.14For every CGS M, state q in M, and ATL∗-formula ϕ we have:

M, q |= IR ϕ iff T (M, q), q |= IR ϕ iff T (M, q), q |= Ir ϕ.



ioR-Tree Unfolding

The case of incomplete information we only have to take intoaccount epistemic relations in the tree:

h ∼TioR(M,q)a h′ iff h ≈M

a h′

Theorem 3.15For every CEGS M, state q in M, and ATL∗-formula ϕ we have:

M, q |=ioRϕ iff To(M, q), q |=

ioRϕ iff To(M, q), q |= ior

ϕ.



isR-Tree UnfoldingThe tree unfolding for the is-semantics is more sophisticated.Consider the following model and the formula〈〈a〉〉 © 〈〈a〉〉 © 〈〈a〉〉shot. How can a isR-tree unfolding look like.

q0 q1

q4 q5

q2

shot

q3

a

shootL

shootR shootR

shootL

look look



A first naive approach could be a set of ioR-tree unfoldingsinterconnected with epistemic links.

1

15

151

1512 1513 1515

12 13

......

......

...

0

02 03 04

040

0402 0403 0404

......

......

...

To(M1, q0) To(M1, q1)a

Figure 3 : Two ioR-tree unfoldings connected by an epistemic link. Weuse number i1i2 . . . to refer to the history qi1qi2 . . . .

What about the formula 〈〈a〉〉 © 〈〈a〉〉 © 〈〈a〉〉shot?The isR-tree unfoldings is shown on the next slide.



1

15

151

1512 1513 1515

12 13

......

......

...

0

02 03 04

040

0402 0403 0404

......

......

...

040a0

040a02 040a03 040a04

040a040

040a0402 040a0403 040a0404

......

......

...

151a0

151a02 151a03 151a04

151a040

151a0402 151a0403 151a0404

......

......

...

040a1

040a15

040a151

040a1512 040a1513 040a1515

040a12 040a13

......

......

...

151a1

151a15

151a151

151a1512 151a1513 151a1515

151a12 151a13

......

......

...

To(M1, q0) To(M1, q1)a

a

To(M1, q0)

To(M1, q0)

To(M1, q1)

To(M1, q1)

To(M1, q1)



Now we can state our main result for isR-tree unfoldings.

Theorem 3.16For every CEGS M, state q in M, and ATL∗-formula ϕ, it holds that

M, q |=isRϕ iff Ts(M, q), q |=

isRϕ iff Ts(M, q), q |= isr

ϕ.

Summary

If a formula is IR-, ioR- or isR-satisfiable then it also is Ir-, ior- orisr-satisfiable, respectively.


3 Comparing Semantics of ATL3.4 Perfect vs. Imperfect Recall

3.4 Perfect vs. Imperfect Recall



We now compare perfect vs. imperfect memory.

Proposition 3.17

ATL∗Ir ( ATL∗IR (Even: ATL+Ir ( ATL+IR)

Membership: If |=Ir ϕ then Treemodels |=Ir ϕ thenTreemodels |=IR ϕ then |=IR ϕStrict inclusion:

M, q0 6|=Ir 〈〈a〉〉(♦p1∧♦p2)↔ 〈〈a〉〉♦((p1∧〈〈a〉〉♦p2)∨ (p2∧〈〈a〉〉♦p1)).

p1 = cleanp2 = delivered

q0

q1

clean

q2

delivered

clean deliver



Objective ability: no memory vs. perfect recall.

Proposition 3.18

ATLior ( ATLioR.

Recall: ¬〈〈∅〉〉♦¬p↔ 〈〈Agt〉〉p for perfect recall.M, q0 6|=ior ¬〈〈∅〉〉♦¬(¬suspicious ∨ ¬angry)→〈〈a〉〉(¬suspicious ∨ ¬angry)

q0 q1

q2

angry

q3

suspicious

a

not-kiss

kiss

kiss not-kiss



Proposition 3.19

ATLisr ( ATLisR

Inclusion: |=isr ϕ then Treemodels |=isr ϕ then Treemodels |=isR ϕthen |=isR ϕStrict inclusion:

M, q0 6|=isr 〈〈a〉〉 © 〈〈a〉〉♦p→ 〈〈a〉〉♦p.

q0 q1

q4 q5

q2

shot

q3

a

shootL

shootR shootR

shootL

look look


3 Comparing Semantics of ATL3.5 Between Subjective and Objective Ability

3.5 Between Subjective andObjective Ability



Proposition 3.20

ATLiox 6⊆ ATLisy for x, y ∈ r,R.

Formula Φ2 ≡ 〈〈a〉〉♦p→ p ∨ 〈〈a〉〉 © 〈〈a〉〉♦p is valid in ATLiox butinvalid in ATLisy.

M, q4 6|=isR 〈〈a〉〉♦shot→ shot ∨ 〈〈a〉〉 © 〈〈a〉〉♦shot

q0 q1

q4 q5

q2

shot

q3

a

shootL

shootR shootR

shootL



Proposition 3.21

ATLisx 6⊆ ATLioy for x, y ∈ r,R.

Φ6 ≡ 〈〈a〉〉N〈〈c〉〉 © 〈〈a〉〉 © p→ 〈〈a, c〉〉♦p is valid in ATLisx butInvalid in ATLioy where N (“now”) as Nϕ ≡ ϕUUU ϕ.

M, q′0 6|=ioR 〈〈a〉〉N〈〈c〉〉 © 〈〈a〉〉 © p→ 〈〈a, c〉〉♦p

q′0

q0 q1

q2shot

q3

a

〈−, putL〉

〈−, putR〉

〈shootL,−〉

〈shootR ,−〉

〈shootR,−〉

〈shoot L,−〉

(Plus an agent c with no choices.)

So: ATLisy and ATLioz are incomparable for every y, z ∈ R, r.


3 Comparing Semantics of ATL3.6 Conclusions

3.6 Conclusions


3 Comparing Semantics of ATL3.6 Conclusions

Overview of the Results

“All” semantic variants aredifferent on the level ofgeneral properties; beforeour study, it was by nomeans obvious.

Strong pattern ofsubsumption (memory andinformation)

Very natural when you seeit (not obvious before).

In particular: non-validitiesare interesting.

ATLIR = ATLIr

ATLiorATLisr

ATLisR ATLioR

ATLIR

((

(

( (

ATLIr

(

incomparable



4. Reasoning and Examples

4 Reasoning and ExamplesBasic Modal LogicAxiomatic SystemsCorrespondence TheoryEpistemic LogicAxioms for LTLAxioms for CTLAxioms for ATL



Outline

We present basic modal logic based on the operatoras a suitable framework for temporal and other logics.We introduce Kripke models, based on a generalaccessibility relation, as underlying structures. Specialinstances are models of LTL, CTL, and ATL consideredearlier.We consider semantic consequences in modal logic andthe basics of correspondence theory: axioms involving correspond exactly to properties of the accessibilityrelation.We very briefly look at epistemic interpretations of :belief as opposed to knowledge.We end by giving sound and complete axiomaticsystems for LTL, CTL, and ATL.


4 Reasoning and Examples4.1 Basic Modal Logic

4.1 Basic Modal Logic



What is a Logic?

We present a framework for thinking about logics as:languages for describing a problem,ways of talking about relational structures andmodels.

Two key components in the way we will approach logic:1 Language:

fairly simple, precisely defined, formal languages.2 Model (or relational structure):

simple “world” that the logic talks about.



Relational StructuresA relational structure is given by (W, R1, . . . ,Rn) andconsists of:

A non-empty set W , the elements of which are ourobjects of interest. They are called points, states,nodes, worlds, times, instants or situations.A non-empty set R1, . . . ,Rn of relations,Ri ⊆ W ×W .

An important special case is when the Ri are equivalencerelations. They could represent which of the worlds areconsidered indistinguishable for agent i.

So we can model the situation where different agents havedifferent views about the world.



The Basic Modal Language

Propositional logic can be seen as a one-point relationalstructure.But relational structures can describe much more. Wecan talk about points, lines etc.Therefore, we introduce the basic modal language ontop of the propositional language by extendingLPL(Prop) with two new operators:

Possibility and necessity

♦ϕ: ϕ is possible(We see one or more states where ϕ holds.)

ϕ: ϕ is necessary(In all reachable states ϕ holds.)



A Language for Relational Structures

Definition 4.1 (Basic modal language LBML)

Let Prop be a set of propositions. The basic modal languageLBML(Prop) consists of all formulae defined by the followinggrammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ϕwhere p ∈ Prop.

Boolean macros are defined in the standard way.Additionally, we have the dual ♦ (called “diamond”) of :

♦ϕ := ¬¬ϕ



We can talk about attributes by adding labels to nodes(e.g. painting them in a particular color).

Example 4.2 (Colored graph I)

Imagine standing in a node of a colored graph. What canwe see?

♦ blue

♦ blue



Example 4.3 (Colored graph II)

We imagine standing in a node of a colored graph. Whatcan we see?

♦(black ∧ red) ∧ ♦♦green



Colored graph II

Example 4.4

blue→ blackgreen→ black

yellow → ♦yellow



Definition 4.5 (Kripke frame)

A Kripke frame is given by F = (W,R) whereW is a non-empty set, called set of domains or worlds,R ⊆ W ×W is a binary relation.

Frames are mainly used to talk about validities: They standfor a whole set of models.

Definition 4.6 (Kripke model)

A Kripke model is given by M = (W,R, V ) where(W,R) is a Kripke frame,V : Prop → P(W ) is called labelling function orvaluation. We also use V : W → P(Prop).

Kripke frames (resp. models) are simply relationalstructures (resp. with labels)!



Example 4.7

Consider the frame F = (w1, w2, w3, w4, w5,R) whereRwiwj iff j = i+ 1 and V (p) = w2, w3,V (q) = w1, w2, w3, w4, w5, V (r) = ∅.

w1

qw2

q, pw3

q, pw4

qw5

q



Frames vs. Models?Frames

Mathematical pictures of ontologies that we findinteresting. That is, frames define the fundamentalstructure of the domain of interest.

For example, we model time as a collection of pointsordered by a strict partial order.

Models

Frames are extended by contingent information. That is,models extend the mathematical structure provided byframes by additional information.

Can Kripke models be used to interpret the propositionallanguage?



Formal semantics of LML.

Definition 4.8 (Semantics M, w |= ϕ)

Let M be a Kripke model, w ∈ WM , and ϕ ∈ LML. ϕ is said tobe locally true or satisfied in M and world w (calledpointed Kripke model, written as M, w |= ϕ , if the followingholds:M, w |= p iff w ∈ VM(p) and p ∈ Prop,M, w |= ¬ϕ iff not M, w |= ϕ

M, w |= ϕ ∨ ψ iff M, w |= ϕ or M, w |= ψ

M, w |= ϕ iff for all worlds w′ ∈ W such that wRw′ wehave M, w′ |= ϕ

For Σ ⊆ LML we write M, w |= Σ iff M, w |= ϕ for all ϕ ∈ Σ .

What about ♦ϕ?



Internal and Local

Satisfaction of formulae is internal and local!

Internal: Formulae are evaluated inside models at somegiven world.

Local: Given a world it is only possible to refer to directsucessors of this world.

How does first-order logic compare to that?



Some Examples

Example 4.9

F = (w1, w2, w3, w4, w5,R) where Rwiwj iff j = i+ 1 andV (p) = w2, w3, V (q) = w1, w2, w3, w4, w5, V (r) = ∅.

w1

qw2

q, pw3

q, pw4

qw5

q

1 M, w1 |= ♦p2 M, w1 6|= ♦p→ p

3 M, w2 |= ♦(p ∧ ¬r)4 M, w1 |= q ∧ ♦(q ∧ ♦(q ∧ ♦(q ∧ ♦q))))5 M |= q



Kripke models as LTL and CTL structuresKripke models can be seen as labelled directed graphs. Suchmodels were used for LTL, CTL, CTL∗ and ATL, but with severalmodal operators (multi-modal).

LTL: Here we consider Kripke models where theaccessibility relation is a discrete, linear order with asmallest element. We also require that theaccessibility relation is serial: for each state there is asuccessor state (not necessarily a new one).We call these Kripke models LTL Kripke models.

CTL: Here we consider Kripke models that are trees (i.e.acyclic, and each node has at most one predecessor,and there is one unique root node) and each path isinfinite (serial accessibility relation).We call these Kripke models CTL Kripke models.

CTL∗: Here we consider arbitrary graphs.



Kripke models as ATL structures

In contrast to LTL and CTL, the logic ATL uses additionalmodal operators, namely indexed by coalitions. So wehave again a multi-modal version where CTL can beseen as a one player fragment of it.The semantics of ATL is based on concurrent gamestructures, as described in the last chapter. These arelabelled transition systems and can be seen as aninstance of Kripke models.An axiomatization of ATL is thus a system that allows toderive all formulae that are true in all possibleconcurrent game structures.

We call these models ATL models.


4 Reasoning and Examples4.2 Axiomatic Systems

4.2 Axiomatic Systems



Sound and complete axiom system forpropositional logicThere is a finitistic notion of proof, that allows to derive newformulae from given ones:

Φ ` φ: there is a proof of φ from Φ.

It is based on a finite system of axioms and (MP) as the onlyinference rule: From ϕ and ϕ→ ψ infer ψ.The axiom system has the following property for arbitrarysets Φ (infinite or not):

Φ ` φ iff Φ |= φ

The direction from left to right is called soundness, the otherdirection is called completeness.



Definition 4.10 (Sound-, Completeness for a calculus)

Given an arbitrary calculus (which defines a notion `) and asemantics based on certain models (which defines arelation |=), we say that

Soundness: The calculus is sound (also called correct) withrespect to the semantics, if the following holds:

Φ ` φ implies Φ |= φ.

Completeness: The calculus is complete with respect tothe semantics, if the following holds:

Φ |= φ implies Φ ` φ.



A general notion of a certain sort of calculi.

Definition 4.11 (Hilbert-Type Calculi)

A Hilbert-Type calculus over a language L is a pair〈Ax, Inf〉 where

Ax: is a subset of FmlL, the set of well-formedformulae in L: they are called axioms,

Inf: is a set of pairs written in the formφ1, φ2, . . . , φn

ψ

where φ1, φ2, . . . , φn, ψ are L-formulae: they arecalled inference rules.

Intuitively, one can assume all axioms as “true formulae”(tautologies) and then use the inference rules to deriveeven more new formulae.



Definition 4.12 (Calculus for Sentential Logic SL)

We define HilbertSLL = 〈AxSLL , MP〉, the Hilbert-Typecalculus: L ⊆ LSL with the wellformed formulae FmlL.Axioms in SL (AxSLL ) are the following formulae:

1 φ→ >, ⊥ → φ, ¬> → ⊥, ⊥ → ¬>,2 (φ→ ψ)→ ((φ→ (ψ → χ))→ (φ→ χ)),3 (φ ∧ ψ)→ φ, (φ ∧ ψ)→ ψ,4 φ→ (φ ∨ ψ), ψ → (φ ∨ ψ),5 ¬¬φ→ φ, (φ→ ψ)→ ((φ→ ¬ψ)→ ¬φ),6 φ→ (ψ → φ), φ→ (ψ → (φ ∧ ψ)).7 (φ→ χ)→ ((ψ → χ)→ (φ ∨ ψ → χ)).

φ, ψ, χ stand for arbitrarily complex formulae (not just constants).They represent schemata, rather than formulae in the language.



Definition (continued)

The only inference rule in SL is modus ponens:

MP : Fml × Fml→ Fml : (ϕ,ϕ→ ψ) 7→ ψ.

or short

(MP)ϕ, ϕ→ ψ

ψ.

(ϕ,ψ are arbitrarily complex formulae).



Theorem 4.13 (Correct-, Completeness for HilbertSLL )

A formula follows semantically from a theory Φ if and only ifit can be derived:

Φ |= ϕ if and only if Φ ` ϕ

A similar result holds for first-order logic: there is also aHilbert-Type calculus that is sound and complete.However, first-order logic is in general undecidable: theset of valid formulae is recursively enumerable, but it isnot recursive.The same is true for many (propositional) modal logics.



Validity in Modal LogicWe take on a global point of view.

Given a specification like ϕ := ¬crash. In which states should itbe true?

Definition 4.14 (Validity)

A formula ϕ is called valid or globally true in a model M iffM, w |= ϕ for all w ∈WM. We write M |= ϕ.

ϕ is satisfiable in M if M, w |= ϕ for some w ∈WM.

Analogously, we say that a set Σ of formulae is valid (resp.satisfiable) in M iff all formulae in Σ are valid (resp. satisfiable) inM.

Validity and satisfiability are dual concepts!



Example 4.15

In which models is the following formula true?

(p→ q)→ (p→ q)

M, w |= (p→ q)

iff ∀w′(wRw′ ⇒M, w′ |= p→ q)

iff ∀w′(wRw′ ⇒ (M, w′ |= p⇒M, w′ |= q))

implies ∀w′(wRw′ ⇒M, w′ |= p)⇒∀w′(wRw′ ⇒M, w′ |= q)

iff M, w |= p⇒M, w |= qiff M, w |= p→ q

The formula is true in any frame and hence in any model. Itcorresponds to a tautology in propositional logic.



Modal Consequence RelationUp to now we verified formulae in a given model and state.Often, it is interesting to know whether a property follows from agiven set of formulae.

Definition 4.16 (Local Consequence Relation)

LetM be a class of models, Σ be a set of formulae and ϕ be aformula.

ϕ is a (local) semantic consequence of Σ over M, writtenΣ |=M ϕ , if for all M ∈M and all w ∈WM it holds thatM, w |= Σ implies M, w |= ϕ .

IfM is the class of all models we just say that ϕ is a (local)consequence of Σ and write Σ |= ϕ .



Frames and ValidityIn Example 4.15 we have seen that a formula can be true/false forall valuations. We can speak about structural propertiesignoring contingent information.

Definition 4.17 (Frame Validity: F |= ϕ)

Let F be a frame and ϕ ∈ LBML.

1 ϕ is valid in F and w ∈WF, written F, w |= ϕ , if M, w |= ϕ forall models M = (F, π) based on F.

2 ϕ is valid in F , written F |= ϕ, if F, w |= ϕ for all w ∈WF.

3 Let F be class of frames. ϕ is said to be valid in F , if ϕ is validin each frame F ∈ F .



Lemma 4.18 (Distribution Axioms)

The two formulae

♦(p ∨ q)→ (♦p ∨ ♦q)(p→ q)→ (p→ q)

are both valid in all Kripke frames F. The last formula is also calledaxiom K.

Proof. Exercise and Example 4.15.



Example 4.19

Is ♦> valid in all frames? In which class is the formula valid?

w1 w2 w1 w2

What about >?

Example 4.20

Is ♦♦p→ ♦p true in w1?

w1 w2

p

w3

p

w1 w2 w3

p

Is there a class of frames in which formula is valid?



Example 4.21

LetM be the class of transitive models. Then:

1 ♦♦p |=M ♦p,

2 p |=M p, but

3 p |=M p does not hold.

In fact, there is a class of modelsM for which ♦♦p |=M ♦p holds,but no model inM is transitive.


4 Reasoning and Examples4.3 Correspondence Theory

4.3 Correspondence Theory



Correspondence TheoryWe have learnt that some formulae are valid in particular frames.E.g. ♦♦ϕ→ ♦ϕ is valid in all transitive frames. Here, we considersuch correspondences systematically.

Definition 4.22 (KDT45)

We define the following formulae, that will play an important rolefor defining various modal logics.

K (p→ q)→ (p→ q)D ¬(p ∧ ¬p)T p→ p4 p→ p5 ¬p→ ¬p

In epistemic logic, e.g., these formulae will have intuitiveepistemic properties.



Properties of Frame (1)We consider properties of the accessibility relations R of frames:

Serial: For all w there is a w′ with wRw′.Reflexive: For all w: wRw.

Transitive: For all w,w′, w′′: wRw′ and w′Rw′′ implies wRw′′.Euclidean: For all w,w′, w′′: wRw′ and wRw′′ implies w′Rw′′.

Symmetric: For all w,w′: wRw′ implies w′Rw.

Definition 4.23 (Frame property)

We say a frame F = (W,R) has property X if its relation R hasproperty X.

Remember Slide 173 where we discussed transitive frames .



Example 4.24

We have

F |= p→ p iff F is reflexive.

Let F be a frame satisfying p→ p. That is,

for all w ∈W , F, w |= p→ p.

This is the case, if for all models M over F and

for all w ∈W , M, w |= p→ p.

Which properties must R satisfy? Suppose R is not reflexive.Then, there is a state w′ with not w′Rw′. Make p true at all statesof W\w′. Then, M, w′ 6|= p→ p and hence F 6|= p→ p.Contradiction!



Now suppose we are given a reflexive frame F and supposeF 6|= p→ p.

Then, there is a model M = (F, π) and a state w,M, w 6|= p→ p.

That is, M, w |= p and M, w 6|= p.

By reflexivity we have wRw.

But then, from M, w |= p it follows that M, w |= p.Contradiction!

We must have F |= p→ p.

In other words, axiom T characterises reflexive frames.



Validity in Several Frames (3)

Lemma 4.25 (Appropriate Frames)

Let (W,R) be a Kripke frame. Then the following holds:

K: (W,R) |= (p→ q)→ (p→ q).D: (W,R) |= ¬(p ∧ ¬p) iff R is serial.T: (W,R) |= p→ p iff R is reflexive.

4: (W,R) |= p→ p iff R is transitive.

5: (W,R) |= ¬p→ ¬p iff R is Euclidean.

B: (W,R) |= p→ ♦p iff R is symmetric.

Proof. : Exercise.



Axiomatic SystemsAs in classical logic, one can ask about a complete axiom system.Is there a calculus that allows to derive all sentences true in allKripke models?

Definition 4.26 (System K)

The system K is an extension of the propositional calculus by theaxiom

K (ϕ ∧(ϕ→ ψ))→ ψ

and the inference rule ϕϕ (Necessitation).

Note, ϕ and ψ can be substituted by any formula.



Proposition 4.27

Axiom K is equivalent to (ϕ→ ψ)→ (ϕ→ ψ).

Theorem 4.28 (Sound-/completeness of K)

System K is sound and complete with respect to arbitrary Kripkemodels.

Note that we have not assumed any properties of theaccessibility relation R: It is just any binary relation.

Assuming that R is an equivalence relation, what additionalstatements (axioms) are true in all such Kripke models?



Theorem 4.29 (Sound/complete subsystems)

Let X be any subset of D,T,4,5 and let X be the subset ofserial, reflexive, transitive, euclidean corresponding to X.Then system K extended with axioms X is sound and complete withrespect to Kripke frames which satisfy properties X .

For example, we have the following important instance:

Corollary 4.30 (KT45)

System KT45 is sound and complete with respect to Kripke frameswith an accessibility relation which is an equivalence relation.


4 Reasoning and Examples4.4 Epistemic Logic

4.4 Epistemic Logic



Interpreting i as knowledge

Let us now assume we have several agents i and we interpret iϕas agent i knows that ϕ. In that case one often writes

Kiϕ instead of iϕ.

Accessibility relation

What does the equivalence relation encode? Incompleteinformation:

wRw′ The agent cannot distinguish w and w′. Both statesprovide the same information.

Knowledge = Truth in all indistinguishable states



What other properties should hold when interpreting asknowledge?

K K(p→ q)→ (Kp→ Kq)D ¬K⊥ consistencyT Kp→ p truth4 Kp→ KKp positive introspection5 ¬Kp→ K¬Kp negative introspection



Interpreting as belief

Up to now we were thinking of i as agent i knows that ϕ. Whatif we interpret the operator as belief?

Under such an interpretation axiom T is usually not assumed tohold. But all other axioms make sense.

Definition 4.31 (System KD45)

Axiom system KD45 is called the standard logic of beliefs.Axiom K is called logical omniscience, axiom D is calledconsistency, axiom 4 (resp. axiom 5) is called positive(resp. negative) introspection.


4 Reasoning and Examples4.5 Axioms for LTL

4.5 Axioms for LTL



Weakly Completeness

Like many modal logics, LTL is only weakly complete, i.e.

Φ |= ψ implies Φ ` ψ

is only true for finite sets Φ, not for infinite sets.The set

r → s, r → Xs, r → XXs, . . .serves as a counterexample. It certainly implies r → Gs, butthis can not be inferred using any sound axiom system(the reason is that no finite subset of the above set impliesthis formula).



Note thatwe have “¬”, “∨”, as basic propositionaloperators (all the others are macros), and“·UUU ·”, and “©·” as basic LTL operators,All other operators are defined as usual.



Theorem 4.32 (Axiomatization of LTL)

The system consisting of HilbertSLL and the following

(A1) G(ϕ→ Xϕ)→ (ϕ→ Gϕ)(A2) (ϕUUU ψ) ↔ (ψ ∨ (ϕ ∧ X(ϕUUU ψ)))(A3) (ϕUUU ψ) → Fψ(Fun) ¬Xϕ↔ X¬ϕ(KX) X(ϕ→ ϕ′)→ (Xϕ→ Xϕ′)) (NX)

ϕXϕ

(KG) G (ϕ→ ϕ′) → G (Gϕ→ Gϕ′) (NG) ϕGϕ

is sound and weakly complete with respect to LTL Kripkemodels.


4 Reasoning and Examples4.6 Axioms for CTL

4.6 Axioms for CTL



Note thatwe have “¬”, “∨”, as basic propositionaloperators (all the others are macros), and“E · UUU ·”, “E© ·”, and “EG·”, as basic CTLoperators,All other operators are defined as usual.



Theorem 4.33 (Axiomatization of CTL)

The system consisting of HilbertSLL and the following

(A1) EFϕ↔ E(>UUU ϕ) (A′1) AFϕ↔ A(>UUU ϕ)(A2) AGϕ↔ ¬EF¬ϕ (A′2) EGϕ↔ ¬AF¬ϕ(A3) EX(ϕ ∨ ψ) ↔ (EXϕ ∨ EXψ) (A4) AXϕ↔ ¬EX¬ϕ(A5) EX> ∧ AX> (R) ϕ

AGϕ(A6) E(ϕUUU ψ) ↔ (ψ ∨ (ϕ ∧ EXE(ϕUUU ψ)))(A′6) A(ϕUUU ψ) ↔ (ψ ∨ (ϕ ∧ AXA(ϕUUU ψ)))(A7) AG(ρ→ (¬ψ ∧ EXρ)) → (ρ→ ¬A(ϕUUU ψ))(A8) AG(ρ→ (¬ψ ∧ EXρ))) → (ρ→ ¬AFψ)(A9) AG(ρ→ (¬ψ ∧ (ϕ→ AXρ))) → (ρ→ ¬E(ϕUUU ψ))(A10) AG(ρ→ (¬ψ ∧ AXρ))) → (ρ→ ¬EFψ)(A11) AG(ϕ→ ψ) → (EXϕ→ EXψ)

is sound and weakly complete with respect to CTL Kripkemodels.



A (very complicated) sound and complete (withrespect to the appropriate Kripke models)axiomatization of CTL∗ has been defined in[Reynolds, 2001].


4 Reasoning and Examples4.7 Axioms for ATL

4.7 Axioms for ATL



Note thatwe have “¬”, “∨”, as basic propositionaloperators (all the others are macros), and“〈〈A〉〉 © ·”, “〈〈A〉〉·”, “〈〈A〉〉 · UUU ·”, as basic CTLoperators,all other operators are defined as usual, andwe only consider the version of ATL based onperfect information and perfect recall: ATLIR(=ATLIr).



Theorem 4.34 (Axiomatization of ATL)

The system consisting of HilbertSLL and the following (where A,A1, A2 aresubsets of Agt are A1, A2 are disjoint):

(⊥) ¬〈〈A〉〉 © ⊥ (Mon) ϕ1→ϕ1

〈〈A〉〉©ϕ2→〈〈A〉〉©ϕ1

(>) 〈〈A〉〉 © > (Nec) ϕ〈〈∅〉〉ϕ

(Agt) ¬〈〈∅〉〉 © ¬ϕ → 〈〈Agt〉〉 © ϕ(S) (〈〈A1〉〉 © ϕ1 ∧ 〈〈A2〉〉 © ϕ2) → (〈〈A1 ∪A2〉〉 © (ϕ1 ∧ ϕ2))(FP) 〈〈A〉〉ϕ ↔ (ϕ ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ)(GFP) 〈〈∅〉〉(θ → (ϕ ∧ 〈〈A〉〉 © θ)) → 〈〈∅〉〉(θ → 〈〈A〉〉ϕ)(FPUUU ) 〈〈A〉〉ϕ1UUU ϕ2 ↔ (ϕ2 ∨ (ϕ1 ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ1UUU ϕ2))(LFPUUU ) 〈〈∅〉〉((ϕ2 ∨ (ϕ1 ∧ 〈〈A〉〉 © θ))→ θ) → (〈〈∅〉〉ϕ1UUU ϕ2 → θ)

is sound and weakly complete with respect to ATL models (concurrentgame structures).

This axiomatization is from [Goranko and van Drimmelen, 2006a].Nothing is known for ATL∗, ATL+, ATL+

ir or ATL+iR.



5. Complexity of Verification: Model Checking

5 Complexity of Verification: Model CheckingWhat is Model Checking?Model Checking Temporal LogicLTL: Automaton Aϕ and Proof of Theorem (skipped)Model Checking MAS with Perfect Information and RecallModel Checking MAS with Imperfect Information or NoRecallSummary of Complexity Results



Outline

We introduce the model checking method which can be usedfor the verification of systems.

We show how automata on infinite words can be used tosolve the model checking problem for LTL.

We present polynomial time algorithms for CTL and ATL.

We determine the model checking complexities of CTL∗ usingthe results for LTL.

We identify the complexities of the remaining strategic logics.


5 Complexity of Verification: Model Checking5.1 What is Model Checking?

5.1 What is Model Checking?



Why do we need verification methods?

AT&T Telephone Network Outage (1990)

Problem in New York City: 9 hour outage of large parts of UStelephone network.

Costs: several 100 million $.

Source: wrong interpretation of a break statement in C.

“. . . Virtually the entire AT&T network of 4ESS toll tandemsswitches went in and out of service over and over again onJan. 15, 1990 . . . . A software bug was found.” [Wikipedia]

Acknowledgment: The following presentation is partly based on thebook “Principles of Model Checking” by Christel Baier and Joost-PieterKatoen.



Pentium FDIV BUG (1994)

(FDIV: Floating point division unit)

Incorrect results.

Costs: 500 million $ and image loss.

Source:

“. . . Certain floating point division operations performedwith these processors would produce incorrect results.”[Wikipedia]



Ariane 5 Desaster (1996)

Crash of Ariane 5-missle.

Costs: > 500 million $.

Source:

“. . . a data conversion from a 64-bit floating point to 16-bitsigned integer value caused a hardware exception. . . ”[Wikipedia]

What are the lessons learned?

Verification may pay off!

In such cases the extra costs and efforts put into properverification techniques may be cheaper as the results of anerror.



Software becomes larger.

Use in safety-critical systems, important domains.

Increasing need for reliable software.

Errors can be costly and fatal (Ariane-5 launch, stock marketsystems,...).

Mass production of products (errors are expensive, computerchips,...).



Testing and reviewing ( non-formal methods)

Deductive methods (Hoare Calculus), code integration ( undecidable, expertise during programming necessary)

Model checking ( how is the correct model obtained?)



Model Checking TechniqueErrors are expensive: Ariane 5 missile crash,. . .

Model checking provides means to detect such erros!

Formal model

Logical (formal) specification

Let's model ckeck...

M |= hh1, 2ii g>' = hh1, 2ii g> Computational

Complexity?

?Problem (e.g. mobile phone)

+(Safety) Property

(e.g. deadlock free)

q0

q2 q1

pos0

pos1

wait,wait

wait,wait wait,wait

push,push

push,push push,push

push

,wai

t

push,wait

wait,push

push,wait

wait,push

wai

t,pus

h

pos2



system requirement

formal model formal specification

model checkingalgorithm

true

false

counterexample

flaw in system

model checker

formalization

informal problem



Model checking refers to the problem to determine whethera given formula ϕ is satisfied in a state q of model M .

Local model checking is the decision problem thatdetermines membership in the set

MC(L,Struc, |=) := (M, q, ϕ) ∈ Struc× L | M, q |= ϕ ,where

L is a logical language,Struc is a class of (pointed) models for L (i.e. a tupleconsisting of a model and a state), and|= is a semantic satisfaction relation compatible with L andStruc.



Global model checking: Determine all states in which ϕ istrue.

Here: The complexities of local and global model checkingcoincide.

We are interested in the decidability and the computationalcomplexity of determining whether an input instance(M, q, ϕ) belongs to MC(. . . ).



Input size

Important

The complexity is always relative to the size of the input!

That is, the size of the representation of the model and therepresentation of the formula that we use.

In order to establish the complexity, it is necessary to fix howwe represent the input and how we measure its size.

Remark 5.1Sometimes it makes sense to only consider the size of the model or ofthe formula.

In this course, we always consider the size of the model and ofthe formula .



Input size

Size of the model (|M|): number of (states and) transitionsin the M

Size of the formula (|ϕ|): given by its length (i.e., the numberof elements it is composed of, apart from parentheses).

For example, the formula A© (pos0 ∨ pos1) has length 5.

Be careful......if numbers are involved!


5 Complexity of Verification: Model Checking5.2 Model Checking Temporal Logic

5.2 Model Checking TemporalLogic



Representation of PathsLet M be a Kripke model and q be a state in the model.

Model checking a LCTL/LCTL∗-formula ϕ in M, q means todetermine whether M, q |= ϕ, i.e., whether ϕ holds in M, q.

Consider the path λ = qi1qi2 . . . with i1.i2i3i4 · · · = 3.14159265 . . . .How can we represent such a path? We need a finiterepresentation.

For LTL, checking M, q |= ϕ means that we check whether ϕholds on all the paths in M which start from q.

That is, it is equivalent to CTL∗ model checking of a formulaAϕ in M, q.



Remark 5.2 (Representation of paths)

Paths are infinite entities.

They are theoretical constructs.

We need a finite representation!

We consider paths in a Kripke structure.

We use a (pointed) Kripke model M, q and consider the problemwhether an LLTL-formula holds on all paths of M starting in q.



Model Checking CTLWe determine all states in which ϕ holds:

ϕ = p: Return all states in in which p holdsϕ = ¬ψ: Suppose ψ holds in Q1. Return Q\Q1.ϕ = ψ1 ∧ ψ2: Suppose ψi holds in Qi. Return Q1 ∩Q2

ϕ = E© ψ: Suppose ψ holds in Q1. Return all states Q′ whichlead to some state in Q1. Q′ is the preimage of Q1.

Preimage

Formally: Given a set of statesQ′ ⊆ Q the preimage of Q′,pre(Q′), consists of all states q′′

such that there is a state q′ ∈ Q′

with (q′′, q′) ∈ R.

Q1

pre(Q1)



ϕ = Eψ: Suppose ψ holds in Q1 and that Q′ is returned.Then, we make the following observations:

Q′ ⊆ Q1

For all states q ∈ Q′ there is a state q′ with qRq′ andq′ ∈ Q′ ⊆ Q1.

Hence, we are looking for the greatest set Q′ with theseproperties. Actually, this observation corresponds to thefollowing fixed-point formula:

Eϕ↔ ϕ ∧ E© Eϕ,The formula allows to compute a satisfying pathstep-by-step by computing the greatest fixed-point:

νX.[ϕ]M ∩ pre(X)

where [ϕ]M denotes the set of states in which ϕ holds.



ϕ = Eψ: Similarly, we have

E♦ϕ↔ ϕ ∨ E© E♦ϕ,hence we return the smallest fixed-point:

µX.[ϕ]M ∪ pre(X)

Eϕ1UUU ϕ2: Similarly, we have

Eϕ1UUU ϕ2 ↔ ϕ2 ∨ (ϕ1 ∧ E© Eϕ1UUU ϕ2)

hence we return the smallest fixed-point:

µX.[ϕ2]M ∪ ([ϕ1]M ∩ pre(X))

Note, that the three (associated) functions are monotonicallydecreasing and increasing hence by Knaster/Tarski the greatestand smallest fixed-points exist.



Theorem 5.3 (CTL [Clarke et al., 1986, Schnoebelen, 2003])

Model checking CTL is P-complete, and can be done in timeO(|M| · |ϕ|), where |M| is given by the number of transitions.

ProofThe algorithm determining the states in a model at which a givenformula holds is presented in Figure 4 on Slide 221.

The lower bound (P-hardness) can be for instance proven by areduction of the Circuit-Value-Problem [Schnoebelen, 2003].



Model checking Eψ

¬ Q = Q1

Q2 = Q3

Q3

Q2 := Q3 \ pre(Q1)

¬ Q = Q1



function mcheck(M, ϕ).case ϕ ≡ p : return q ∈ Q | p ∈ π(q)case ϕ ≡ ¬ψ : return Q \mcheck(M, ψ)case ϕ ≡ ψ1 ∧ ψ2 : return mcheck(M, ψ1) ∩mcheck(M, ψ2)case ϕ ≡ E© ψ : return pre(mcheck(M, ψ))case ϕ ≡ Eψ :Q1 := Q; Q2 := Q3 := mcheck(M, ψ);while Q1 6⊆ Q2 do Q1 := Q1 ∩Q2; Q2 := pre(Q1) ∩Q3 od;return Q1

case ϕ ≡ Eψ1UUU ψ2 :Q1 := ∅; Q2 := mcheck(M, ψ2); Q3 := mcheck(M, ψ1);while Q2 6⊆ Q1 do Q1 := Q1 ∪Q2; Q2 := pre(Q1) ∩Q3 od;return Q1

end case

Figure 4 : CTL-model checking algorithm



Büchi automataWe are mainly interested in the complexity class (and anabstract algorithm) of the model checking problem.

Is there a more convenient way to determine the complexitywithout working out the algorithm?

Automata-theory to build algorithms.

Unified approach.

Automata are well studied.

Simplifies complexity analysis.

Usually, one is only interested in a complexity class. It is verytime-demanding to come up with a good algorithm.



Automata and Model Checking

How can we use ω-automata for the model checking problem?

The basic idea is the following:

1 We build an automaton AM,q0 accepting the paths of modelM, q0.

2 We build an automaton Aϕ accepting all paths satisfying ϕ.

3 Then, we have:

M |= ϕ iff L(AM,q0) ⊆ L(Aϕ).

Remark 5.4A more detailed presentation of Büchi automata can be found inSection 9 (cf. pages 353).



Definition 5.5 (Büchi-automaton)

An ω-automaton is a tuple

A = (Q,Σ,∆, qI , F )

where

1 Q is a finite set of states;

2 Σ is a finite alphabet;

3 ∆ ⊆ Q× Σ×Q a transition relation ;

4 qI is the initial state; and

5 F ⊆ Q is the acceptance component (which is specialised inthe following).



Definition 5.6 (Run)

A run ρ = ρ(0)ρ(1) · · · ∈ Qω of A on a word w = w1w2 · · · ∈ Σω isan infinite sequence of states of A such that:

1 ρ(0) =qI

2 ρ(i) ∈ ∆(ρ(i− 1), wi) for i ≥ 1.

How could we accept the following language?

L = w ∈ a, bω | w contains infinitely many a and only finitelymany b .Is it sufficient to reach a final state once?



We define Inf (ρ) as the set of all states that occur infinitelyoften on ρ; that is,

Inf (ρ) = q ∈ Q | ∀i∃j(j > i ∧ ρ(j) = q)

Definition 5.7 (Acceptance)

A Büchi automaton A accepts w ∈ Σω if, and only if, there is a runρ of A such that

Inf (ρ) ∩ F 6= ∅.

The language accepted by A, L(A), consists of all words acceptedby A. That is, L(A) = w ∈ Σω | A accepts w.

Thus, such an automaton accepts all words such that some statefrom F is visited infinitely often on a corresponding run. Otheracceptance conditions yield different automata types: Rabinautomata, Muller automata.



Example 5.8

Is there a Büchi Automaton that accepts the following language Lover Σ = a, b, c?

L = w ∈ Σω | w contains infinitely many a or b and only finitelymany c

blackboard



Example 5.9

Is there a Büchi Automaton that accepts the following language Lover Σ = a, b?

L = w ∈ Σω | w ends with aω or (ab)ω



Model Checking LTL

Büchi Automata and Kripke Models

We can relate a Kripke model M = (Q,R, π) and a state q0 ∈ Q toa Büchi automaton AM,q0 = (Σ, Q, q0,∆, Q) where

Σ = P(Prop): Each input symbol is a set of propositions,

q′ ∈ ∆(q, w) iff ((q, q′) ∈ R and w = π(q)),all states being accepting states (i.e. each infinite run ofthe automaton is accepting).

q0 q1

pr, s

r, s

r, s p

q1q0

Note: The automaton accepts words over P(Prop) but paths aresequences of states! What now?



LTL Semantics RevisitedThe truth of λ, π |= ϕ does only depend on the propositions trueat states.

Clearly, for path λ, λ′ we have the following: If for all i ∈ N0

π(λ[i]) = π(λ′[i]) then λ, π |= ϕ iff λ′, π |= ϕ.

Hence, we can also use the infinite word

λπ := π(λ[0])π(λ[1])π(λ[2]) · · · ∈ P(Prop)ω

to give truth to LTL-formulae.Now, we can simply replace “λ, π” by “λπ” everywhere andmodify the clause for propositions as follows:

λπ |=LTL p iff p ∈ λπ[0].



We can state the relation between ΛM, M, q and AM,q precisely.

Proposition 5.10

Let M = (Q,R, π) and q0 ∈ Q. The automaton AM,q0 accepts thelanguage

λπ | λ ∈ ΛM(q0).

Proof.Exercise!



The Automaton Aϕ

In the following we define the automaton Aϕ accepting exactlythose infinite words w over P(Prop) such that w |= ϕ. Then, wehave:

M, q |= ϕ iff L(AM,q) ⊆ L(Aϕ) iff L(AM,q) ∩ L(Aϕ) = ∅.

How can we avoid the complementation of the Büchi automaton(this operation is expensive)? We have:

L(AM,q) ∩ L(Aϕ) = ∅ iff L(AM,q) ∩ L(A¬ϕ) = ∅.

So: model checking is reduced to emptiness checking Büchiautomata.



Example 5.11 (Automaton for ♦green)

Construct a Büchi automaton which accepts all path satisfying♦green over Prop = green. Thus, the autmaton can read ∅ orgreen.

green

green

q0 q1

∅

∅

The automaton accepts e.g.

∅∅∅(green)ω = q0q0q0(q1)ω

(∅green)ω = (q0q1)ω



Example 5.12 (Automaton for ♦green)

Construct a Büchi automaton which accepts all path satisfying♦green over Prop = green.

green

green

q0 q1 q2

∅

∅

∅ greengreen

Note, that this automaton is non-deterministic.



In the following we describe how the automaton Aϕ can beconstructed systematically.

Theorem 5.13 ([Sistla and Clarke, 1985,Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])

For a given LLTL-formula ϕ a Büchi Automaton Aϕ = (S,Σ,∆, S0, F )accepting exactly the words satisfying ϕ can be constructed whereΣ = P(Prop) and |S| ≤ 2(O(|ϕ|)).

The proof of this Theorem is given in Section 3.



Main ideas underlying automaton construction

States are built from subformulae of ϕ.

Each state is labelled with propositionally consistent sets.

The transition relation reflects the semantics of LTL; e.g. if astate contains©p then, all related states contain p.

Initial states are states which contain ϕ.

Runs of the automaton correspond to ω-paths.

It needs to be ensured that all eventualities are fulfilled.



Definition 5.14 (Aϕ)

The generalized Büchi automaton for ϕ over Prop is defined asAϕ = (Σ, S,∆, S0, F ) where

1 Σ = P(Prop)

2 S = EL(ϕ) (cf. Def. 5.23)

3 S0 = s ∈ S | ϕ ∈ s4 F see below5 (s, a, t) ∈ ∆ iff

1 s ∩ Prop = a2 ∀© ψ ∈ cl(ϕ) :©ψ ∈ s iff ψ ∈ t3 ∀ϕ1UUU ϕ2 ∈ cl(ϕ) :

ϕ1UUU ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1UUU ϕ2 ∈ t))



Let ϕ1UUU ψ1, . . . , ϕnUUU ψn be all eventualities occurring in cl(ϕ).Then, we define F = F1, . . . , Fn with

Fi = s ∈ S | ϕiUUU ψi, ψi ⊆ s or ϕiUUU ψi 6∈ s.

That is,

F = s ∈ Q | ϕ1UUU ϕ2 6∈ s or ϕ2 ∈ s | ϕ1UUU ϕ2 ∈ cl(ϕ).



r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r

r

r

r

rA reads r

A reads s

(s, a, t) ∈ ∆ then ∀rUUU s ∈ cl(ϕ) :rUUU s ∈ s iff (s ∈ s or (r ∈ s and rUUU s ∈ t))



r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

s

ss

s

s

A reads s

A reads r, s




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r, s

r, s r, s

r, s

r, s

A reads r, s

A reads ∅




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

∅

∅

∅

∅

∅

A reads ∅




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r, s

r

r

r

r

s

ss

s

s

r, s r, s

r, s

r, s

r

∅

∅

∅

∅

∅

The completeautomaton




Theorem 5.15 (LTL [Sistla and Clarke, 1985,Lichtenstein and Pnueli, 1985, Vardi and Wolper, 1986])

Model checking LTL is PSPACE-complete, and can be done intime 2O(|ϕ|)O(|M|), where |M| is given by the number of transitions.



Proof: Upper Bound

Given an LLTL-formula ϕ.

1 Construct Büchi automaton A¬ϕ of size 2O(|ϕ|) acceptingexactly the words satisfying ¬ϕ.

2 Kripke model M, q can directly be interpreted as a Büchiautomaton AM,q of size O(|M|) accepting all possible wordsin the Kripke model starting in q.

3 The model checking problem reduces to the emptinesscheck of L(AM,q)∩L(A¬ϕ) which can be done in polynomialtime wrt the size of the automaton (cf.pp. 377). That is, intime O(|M|) · 2O(|ϕ|) by constructing the product automaton.



Proof: In PSPACE .We consider the automaton A := AM,q ×Aϕ where Aϕ is a GBAaccepting paths satisfying ϕ (cf. Def. 7.11). We guess an acceptingrun as follows:

Non-deterministically guess a run u0 . . . un−1(un . . . un+m−1)ω

where each ui = (qi, Bi).

Check whether it is a valid run (this can be done “locally”.).In particular, all eventualities between un and un+m−1 mustbe satisfied.

Implementation: Guess state un and only the next state in thesequence. Keep a counter that counts the number of steps.At most O(|M| · exp(|ϕ|)) steps are necessary (binaryencoding).



Proof: Lower BoundSimulate nk-space bounded deterministic Turing machineA = (S,Σ, δ, s0, Sf ).

Tape Cell 1 Tape Cell 2 Tape Cell n^k

Content of one cell

A configuration (Instant Description)ID-Start

ID-End

Prop = (S × Σ) ∪ Σ ∪ ID − Start, ID − End



Proof: Lower BoundA path will be related to a sequence of instantaneousdescriptions.

1 Use nk ©-operators to describe an ID.

2 ψw: Encodes the input w.

3 ψvalid: Checks whether an ID is valid.

4 ψnext: Ensures that each successive ID follows from thecurrent one.

5 ψaccept: Describes the halting configurations.

Let ψ := ψw ∧ ψvalid ∧ ψnext ∧ ψaccept. Then, we have

M, q0 6|= ¬ψ iff ∃λ ∈ Λ(q0) : λ, π |= ψ iff A accepts w.



Model Checking CTL∗

Theorem 5.16(CTL∗ [Clarke et al., 1986, Emerson and Lei, 1987])

Model checking CTL∗ is PSPACE-complete.

Example 5.17 (LTL mchecking for CTL∗ mchecking)

In which states does ϕ = E♦A♦¬r hold? How to use LTLmodel checking?

q1

q2

q3

q4

r



Proof.Upper bound: Combine CTL and LTL model checking.

Consider LCTL∗-formula ϕ containing Eψ where ψ is a pureLLTL-formula.

Determine all states which satisfy Eψ (these are all states qwith M, q 6|=LTL ¬ψ), Complexity: PSPACE.

Label them by a fresh proposition, say p, and replace Eψ in ϕ

by p: E© (

p2︷︸︸︷r ∧ E♦s︸︷︷︸

p1

) E© (p2 ∧ p1)

Applying this procedure recursively yields a pure LCTL-formulawhich can be verified in polynomial time. Complexity:PPSPACE = PSPACE

Hardness: immediate from Theorem 5.15 as LLTL “can be seen” asa fragment of LCTL∗ .

This is a standard approach often used!N. Bulling, J. Dix ·Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012 248


Summary

Model checking CTL is P-complete.

Model checking LTL is PSPACE-complete. The algorithmhas been constructed from Büchi automata.

Model checking CTL∗ is also PSPACE-complete. Thealgorithm is obtained by combining the one for CTL and LTL.


5 Complexity of Verification: Model Checking5.3 LTL: AutomatonAϕ and Proof of Theorem (skipped)

5.3 LTL: Automaton Aϕ and Proofof Theorem (skipped)



How does the automaton look like?States will consist of subformulae of ϕ (or their negations).A run ρ = S1S2 . . . of the automaton is an infinite sequence ofsuch sets ofsubformulae.

Given a word λπ = w1w2 . . . with λπ |= ϕ we would like to enricheach (propositional) wi with subformulae to Si such that

λπ[i,∞] |= ψ iff ψ ∈ Sifor all subformulae ψ of ϕ.

Intuitively, each Si encodes the formulae which should be true atthis moment.

The basic idea is that a run of the automaton simulates the LTLsemantics.



Definition 5.18 (Closure cl(ϕ))

The closure cl(ϕ) is defined as follows:

1 ϕ ∈ cl(ϕ),

2 φ ∧ ψ ∈ cl(ϕ) implies φ, ψ ∈ cl(ϕ),

3 ¬ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),

4 ψ ∈ cl(ϕ) and ψ 6= ¬φ implies ¬ψ ∈ cl(ϕ),

5 ©ψ ∈ cl(ϕ) implies ψ ∈ cl(ϕ),

6 ψUUU φ ∈ cl(ϕ) implies ψ, φ ∈ cl(ϕ).

Note, that it holds that |cl(ϕ)| ≤ 2|ϕ|.



Example 5.19 (Closure)

How does the closure for ϕ = rUUU (s ∨ t) look like?The closure cl(ϕ) consists of the following formulae:

1 ϕ

2 s ∨ t3 r

4 s

5 t

and their negations!

What other properties should such sets fulfill? Note, that we areinterested in a correspondence to runs.



Definition 5.20 (Logically consistent)

We call B ⊆ cl(ϕ) propositionally consistent iff for allϕ1 ∧ ϕ2, ψ ∈ cl(ϕ):

1 ϕ1 ∧ ϕ2 ∈ B iff ϕ1 ∈ B and ϕ2 ∈ B,

2 ψ ∈ B implies ¬ψ 6∈ B,

3 > ∈ cl(ϕ) implies > ∈ B.

We identify ¬¬ϕ with ϕ.

Definition 5.21 (Locally consistent)

We call B ⊆ cl(ϕ) locally consistent iff for all ϕ1UUU ϕ2 ∈ cl(ϕ):

1 ϕ2 ∈ B implies ϕ1UUU ϕ2 ∈ B.

2 ϕ1UUU ϕ2 ∈ B and ϕ2 6∈ B implies ϕ1 ∈ B.



Definition 5.22 (Maximal consistent)

We call B ⊆ cl(ϕ) maximal iff for all ψ ∈ cl(ϕ)

ψ 6∈ B implies ¬ψ ∈ B.

We identify ¬¬ϕ with ϕ.

Definition 5.23 (Elementary, EL(ϕ))

We call B ⊆ cl(ϕ) elementary iff B is propositionally and locallyconsistent and maximal.We define EL(ϕ) as the set of all elementary subsets of cl(ϕ).

In the following we construct infinite words over EL(ϕ) thatcorresponds to accepting paths.



The closure of ϕ = rUUU s is given by ϕ,¬ϕ, r, s,¬r,¬s.Which of the following sets are elementary?

1 ∅2 rUUU s, r, s3 rUUU s, r4 rUUU s,¬r,¬s5 rUUU s,¬r, s6 rUUU s, r,¬s7 rUUU s, r,¬r,¬s8 ¬(rUUU s), r,¬s9 ¬(rUUU s),¬r,¬s



Example 5.24 (Elementary sets)

The closure of ϕ = rUUU s is given by

cl(ϕ) = ϕ,¬ϕ, r, s,¬r,¬s

The following list contains all elementary sets of ϕ:

1 E1 = rUUU s, r, s2 E2 = rUUU s,¬r, s3 E3 = rUUU s, r,¬s4 E4 = ¬rUUU s, r,¬s5 E5 = ¬rUUU s,¬r,¬s

In the following, we construct the Büchi automaton Aϕ forϕ = rUUU s.



Constructing the Automaton for rUUU s

r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

Initial states?s ∈ S | ϕ ∈ s

Accepting states?If ϕ1UUU ϕ2 ∈ cl(ϕ) thenϕ1UUU ϕ2 6∈ s orϕ2 ∈ s



r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

Initial states?s ∈ S | ϕ ∈ sAccepting states?If ϕ1UUU ϕ2 ∈ cl(ϕ) thenϕ1UUU ϕ2 6∈ s orϕ2 ∈ s

A reads r




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r

r

r

r

rA reads r

A reads s




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

s

ss

s

s

A reads s

A reads r, s




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r, s

r, s r, s

r, s

r, s

A reads r, s

A reads ∅




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

∅

∅

∅

∅

∅

A reads ∅




r U sr, s

r U s¬r, s

r U sr,¬s

¬(r U s)r,¬s

¬(r U s)¬r,¬s

r, s

r

r

r

r

s

ss

s

s

r, s r, s

r, s

r, s

r

∅

∅

∅

∅

∅

The completeautomaton




Encoding as Generalised Büchi Automaton

The basic idea of the encoding is the following:

Semantics of propositional logic? states©-operator? transition relationUUU -operator? states plus transition relation plusacceptance condition

ϕ1UUU ϕ2 = ϕ2 ∨ (ϕ1 ∧©ϕ1UUU ϕ2)



Remark 5.25 (Acceptance states)

We need to ensure that eventualities become actually fulfilled.

So, once a state containing an eventuality ϕ1UUU ϕ2 is visitedsometime in the future a state containing ϕ2 must be visited.

We require that states containing

(ϕ2 and ϕ1UUU ϕ2) or ¬ϕ1UUU ϕ2

occur infinitely often.

But what if there is more than one eventuality in cl(ϕ)? Weneed to fulfill all of them.



We use generalized Büchi automata (cf. pp. 365). Theyallow sets of sets of final states. We associate each eventualityformula with one of these sets: the Büchi acceptance setF ⊆ Q is replaced by F ⊆ P(Q):

A accepts w ∈ Σω if, and only if, there is a run ρ of A suchthat for each Fi ∈ F

Inf (ρ) ∩ Fi 6= ∅.For each generalised Büchi automaton one can construct anequivalent Büchi automaton (cf. Theorem 7.12).



Definition 5.26 (Aϕ)

The generalized Büchi automaton for ϕ over Prop is defined asAϕ = (Σ, S,∆, S0, F ) where

1 Σ = P(Prop)

2 S = EL(ϕ)

3 S0 = s ∈ S | ϕ ∈ s4 F see below5 (s, a, t) ∈ ∆ iff

1 s ∩ Prop = a2 ∀© ψ ∈ cl(ϕ) :©ψ ∈ s iff ψ ∈ t3 ∀ϕ1UUU ϕ2 ∈ cl(ϕ) :

ϕ1UUU ϕ2 ∈ s iff (ϕ2 ∈ s or (ϕ1 ∈ s and ϕ1UUU ϕ2 ∈ t))



Let ϕ1UUU ψ1, . . . , ϕnUUU ψn be all eventualities occurring in cl(ϕ).Then, we define F = F1, . . . , Fn with

Fi = s ∈ S | ϕiUUU ψi, ψi ⊆ s or ϕiUUU ψi 6∈ s.

That is,

F = s ∈ Q | ϕ1UUU ϕ2 6∈ s or ϕ2 ∈ s | ϕ1UUU ϕ2 ∈ cl(ϕ).



Proof of the Theorem

In the following we introduce notation necessary for the proof.

It is easily seen that we have the following fixed-point equivalence

ϕ1UUU ϕ2 = ϕ2 ∨ (ϕ1 ∧©ϕ1UUU ϕ2).

We construct a path over EL(ϕ) which “respect” the semantics ofLTL. Recall that we would like to have:

λπ[i,∞] |= ψ iff ψ ∈ Si



Definition 5.27 (ϕ-closure-labelling)

A ϕ-closure-labelling is a function

τ : N0 → EL(ϕ)

such that:

(C1) ©ϕ ∈ τ(i) iff ϕ ∈ τ(i+ 1),

(C2) ϕ1UUU ϕ2 ∈ τ(i) iffϕ2 ∈ τ(i) or (ϕ1 ∈ τ(i) and ϕ1UUU ϕ2 ∈ τ(i+ 1)),

(C3) ϕ1UUU ϕ2 ∈ τ(i) implies ∃j(j ≥ i and ϕ2 ∈ τ(j)).



Given a word λπ a closure labelling corresponding to λπ shouldagree with the propositional symbols.

Definition 5.28 (λπ-valid)

A ϕ-closure-labelling τ is said to be λπ-valid iff for all p ∈ Prop itholds that

1 p ∈ τ(i) implies p ∈ λπ[i], and

2 ¬p ∈ τ(i) implies p 6∈ λπ[i].



Lemma 5.29 (Soundness Lemma)

Let ϕ ∈ LLTL(Prop) and τ be a λπ-valid closure labelling. Then, forall ϕ′ ∈ cl(ϕ) and all i ≥ 0 it holds that

ϕ′ ∈ τ(i) iff λπ[i,∞] |= ϕ′.

The proof is done by structural induction on ϕ′. Exercise!

Lemma 5.30 (Existence Lemma)

Let ϕ ∈ LLTL(Prop). If λπ |= ϕ. Then, there is a λπ-valid ϕ-closurelabelling τ such that ϕ ∈ τ(0).

Prof: The labelling is constructed from subformulae true at eachpoint of λπ. Exercise!



From these lemmata we obtain the following theorem.

Theorem 5.31Let ϕ ∈ LLTL(Prop). Then, λπ |= ϕ iff there is a λπ-valid ϕ-closurelabelling τ such that ϕ ∈ τ(0).

Now we proceed with the proof of Theorem 5.13.

For a given LLTL-formula ϕ a Büchi AutomatonAϕ = (S,Σ,∆, S0, F ) accepting exactly the words satisfying ϕ canbe constructed where Σ = P(Prop) and |S| ≤ 2(O(|ϕ|)).



Using Theorem 5.31 we build a generalised Büchi automatonaccepting all the infinite words λπ that correspond to a λπ-validϕ-closure-labelling.

Idea:

1 The automaton reads λπ.

2 Each set of propositions causes a state change, states areelementary sets.

3 Runs ρ of the automaton correspond to ϕ-closure labellings.

4 ρ is accepting iff it is λπ-valid and satisfies ϕ.



Proof of Theorem 5.13.

λ = q0q1q2 . . .

τ = B0B1B2 . . .

λπ = π(q0)π(q1)π(q2) . . .

τ is λπ-valid ϕ-closure labelling iff

run of the automaton given λπ

λπ |= ϕ iff

λ,π |= ϕ iff λπ |= ϕ

τ accepted by the automaton



Correctness: In line with Theorem 5.31 we have to show that Aaccepts λπ iff there is an accepting run ρ with ϕ ∈ ρ(0) andwhich is an λπ-valid ϕ-closure labelling. This is immediate byconstruction.

Finally, we convert the generalised Büchi automaton to a Büchiautomaton (cf. Proposition 7.12).

The number of states of the automaton is exponential in thelength of the formula.


5 Complexity of Verification: Model Checking5.4 Model Checking MAS with Perfect Information and Recall

5.4 Model Checking MAS withPerfect Information and Recall



Example 5.32

Which formulae are true in the model?

1 M, q1 |= 〈〈1〉〉r2 M, q1 |= 〈〈1〉〉s3 M, q1 |= 〈〈1〉〉 © 〈〈1〉〉r

q1

q2

q3

q4

r

s

q5

r

r

s(1, 2)

(2, 1)

(1, 1)

(1, 1)

(2, 1)

(1, 1)



The ATL model checking algorithm employs the well-knownfixpoint characterisations :

〈〈A〉〉ϕ ↔ ϕ ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ,〈〈A〉〉ϕ1UUU ϕ2 ↔ ϕ2 ∨ ϕ1 ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ1UUU ϕ2.

Do these characterisations also hold for incomplete information?

No! A choice of an action at a state q has non-local consequences:It automatically fixes choices at all states q′ indistinguishable fromq for the coalition A.

Again, crucial for model checking is the notion of preimage.



Example 5.33 (Preimage operator for ATL)

1 What is the preimage of q2, q3?2 What is the preimage of q2?

These questions are not well defined. The preimage depends on agroup of agents which try to reach a given region.

1 What is the preimage of q2, q3 wrt. any group A?

2 What is the preimage of q2 wrt. 1 and 2?

q1

q2

q3

q4

r

s

q5

r

r

s(1, 2)

(2, 1)

(1, 1)

(1, 1)

(2, 1)

(1, 1)



function pre(M,A,Q).Auxiliary function; returns the exact set of states Q′ such that,when the system is in a state q ∈ Q′, agents A can cooperate andenforce the next state to be in Q.return q | ∃αA∀αAgt\A o(q, αA, αAgt\A) ∈ Q

The function follows the same idea as the pre-image function ofCTL model checking.

Q1

pre(A, Q1)



Note that: ATL = ATLIr = ATLIR (cf. Theorem 2.9)

Theorem 5.34 (ATLIr and ATLIR [Alur et al., 2002])

Model checking ATLIr and ATLIR is P-complete, and can be done intime O(|M| · |ϕ|), where |M| is given by the number of transitions inM.

Note, that the size of M is exponential in the number of statesand agents!



Besides the new definition of the preimage function the algorithmis the same as for CTL:

function mcheck(M,ϕ).Returns states q with M, q |= ϕ.case ϕ ∈ Π : return π(p)case ϕ = ¬ψ : return Q \mcheck(M,ψ)case ϕ = ψ1 ∨ ψ2 : return mcheck(M,ψ1) ∪mcheck(M,ψ2)case ϕ = 〈〈A〉〉 © ψ : return pre(M,A,mcheck(M,ψ))case ϕ = 〈〈A〉〉ψ :Q1 := Q; Q2 := mcheck(M,ψ); Q3 := Q2;while Q1 6⊆ Q2

do Q1 := Q2; Q2 := pre(M,A,Q1) ∩Q3 od;return Q1

case ϕ = 〈〈A〉〉ψ1UUU ψ2 :Q1 := ∅; Q2 := mcheck(M,ψ1);Q3 := mcheck(M,ψ2);while Q3 6⊆ Q1

do Q1 := Q1 ∪Q3; Q3 := pre(M,A,Q1) ∩Q2 od;return Q1

end case

Multi-agent extension of CTL model checking.N. Bulling, J. Dix ·Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012 284


And-Or-Graph Reachability

For the lower bound, we reduce reachability in and-or-graphs.

An and-or graph [Immerman, 1981]

is a tuple (E, V, l) such that G = (E, V ) is a directed acyclicgraph and l : V → ∧,∨ a labeling function.

Let x1, . . . , xn denote all successor nodes of u. v is said to bereachable from u iff

1 u = v; or

2 l(u) = ∧, n ≥ 1, and v is reachable from all xi’s; or,

3 l(u) = ∨, n ≥ 1, and v is reachable from some xi.

Theorem 5.35 ([Immerman, 1981])

The and-or-graph reachability problem is P-complete.



Proof: Lower BoundHardness is shown by a reduction of reachability inAnd-Or-Graphs:

Transform and-or-graph to a CGS;

Player 1 owns or-states;

Player 2 owns and-states;

v reachable from a iff M, a |= 〈〈1〉〉♦lv.



ATL∗ with perfect recallFor perfect recall, we cannot simply guess a strategy Q+ → Act.

For model checking an automata theoretic approach is used.Consider the formula 〈〈A〉〉ψ where ψ ∈ LLTL and CGS M and astate q.

1 A tree automaton AM,q,A is used to accept all possibleexecutions in M which can be enforced by A followingsome strategy.

(Note: 〈〈A〉〉ψ says that there is some “tree” such that ψ holdsalong all branches).

2 A tree automaton Aψ is constructed to accept all (tree-like)models satisfying the LCTL∗-formula Aψ.

3 We have: M, q |= 〈〈A〉〉ψ iff L(AM,q,A) ∩ L(Aψ) 6= ∅.



Execution trees

q1 q2

q1

q1 q2

q2q1 q1 q2

q1

q2

q1 q2

(α,α) (β,α) (α,α)

(α,β)

Tree unravelling (q1, 1)-execution tree



An (q,A)-execution tree is induced by out(q, sA) for somestrategy sA of A.Intuitively, the transition relation of AM,q,A in a state q0 isconstructed from the different choices which A can enforceat q0.

q1

q2

q3

q4

q5

q0

(2, 3)

(1, 1)

(1, 2)

(2, 1)

(2, 2)

q0

q1 q2 q3 q4 q5

q0

Theorem 5.36 (ATL∗IR [Alur et al., 2002])

Model checking ATL∗IR is 2EXPTIME-complete in the number oftransitions in the model and the length of the formula.

Complexity: Size of the automata and checking emptiness.N. Bulling, J. Dix ·Modelling, Verification and Reasoning in Multi-Agent Systems EASSS, 2012 289

5 Complexity of Verification: Model Checking5.5 Model Checking MAS with Imperfect Information or No Recall

5.5 Model Checking MAS withImperfect Information or No Recall



Complexity ClassesDeterministic Turing machine (DTM)

infinite (readable and writable) tape

finitely many states

deterministic moves

Non-deterministic Turing machine (NTM)

Like a DTM but non-deterministic moves are allowed.

Orcale Machine (OTM)

Let A be a language . An A-oracle machine is a DTM or NTMwith a subroutine which allows to decide in one step whetherw ∈ A for some word w.

For a complexity class C a C-oracle machine is a A-oraclemachine for any A ∈ C.



Complexity Classes ΣP2 , ∆P

2 , ∆P3

ΣPi : problems solvable in polynomial time by a

non-deterministic Turing machine making adaptive queries toa ΣP

i−1 oracle; i.e. by ΣPi−1-oracle polynomial time NTMs.

ΣP2 = NPNP: problems solvable in polynomial time by a

non-deterministic Turing machine making adaptive queries toan NP oracle.

∆P2 = PNP: A problem is in ∆P

2 = PNP if it can be solved indeterministic polynomial time with subcalls to an NP-oracle.We also have ∆P

3 := P[NPNP] and ∆P1 = P.

We have:

P = ∆P1 ⊆ ΣP

1 = NP ⊆∆P2 ⊆ ΣP

2 ⊆ · · · ⊆ PH ⊆ PSPACE.



Number of StrategiesWe have introduced four types of strategies:

1 ir-strategies;2 Ir-strategies;3 IR-strategies;4 iR-strategies.

How many strategies are there for each type?1 exponentially many;2 exponentially many;3 infinitely many;4 infinitely many.

Exponentially many wrt the size of the input! ≈ |Act||Agt|·|Q|



Assume we are looking for a “good” Ir-strategy wrt someproperty P . How complex is this task? (Upper bound)

It is in NP, provided P ∈ P!

1 Guess sA;

2 check whether sA satisfies P .

And the case for “good” ir-strategies?

It is also in NP, provided P ∈ P! Why? What about uniformity?

1 Guess Ir-strategy sA;

2 check whether it is an ir-strategy, i.e. for uniformity (Q isfinite!);

3 check whether sA satisfies P .



What if P is verifiable in C for an arbitrary complexity class C?

Finding ir- and Ir-strategies is in NPC.

What about perfect recall strategies?

There are infinitely many: So there is no general method!



Imperfect InformationAgent’s ability to identify a strategy as winning also variesthroughout the game in an arbitrary way (agents can learn as wellas forget). This suggests that winning strategies cannot besynthesized incrementally.Indeed the fixpointcharacterisations do not hold! :

〈〈A〉〉ϕ 6↔ ϕ ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ,〈〈A〉〉ϕ1UUU ϕ2 6↔ ϕ2 ∨ ϕ1 ∧ 〈〈A〉〉 © 〈〈A〉〉ϕ1UUU ϕ2.

How to model check a formula M, q |= 〈〈A〉〉γ where γ includes nonested cooperation modalities ?

Theorem 5.37 (ATLir)

Model checking ATLir is ∆P2 -complete.

The lower bound is proven by a reduction of SNSAT1.



Recall: ∆P2 = PNP

Proof: Upper Bound

Let 〈〈A〉〉γ be given where γ includes no nested cooperationmodalities.

1 Guess a strategy sA of A.

2 “ Prune” M to M|sA ; i.e. remove transitions that cannot occuraccording to sA.

3 Remove labels from M|sA and interpret it as Kripkestructure M′|sA

4 Then,

M, q |= 〈〈A〉〉γ iff M′|sA , q |=CTL Aγ

The basic idea is to guess a strategy and apply CTL modelchecking.



ATL and CTL: Pruning

(α,α)

(α,α)(α,α)

(α,α)

(α,α)

(α,α)

(α,α)

(β,α)

(β,α)

(α,β) (α,β)

(α,β) (α,α)(α,α)

(β,α)

Guess the strategy s1 in which 1 always plays α .

〈〈1〉〉♦γ guess s1 , check A♦γ in the pruned model



Model Checking ATL∗ with memorylessstrategies

To solve the model checking problem for ATL∗Ir we make use ofCTL∗ model checking.

The basic idea for model checking 〈〈A〉〉ψ is as follows:

1 Guess a strategy sA : Q→ Act|A| (in NP).

2 Prune the model; i.e. remove transitions which cannot occur.

3 CTL∗ model check Aψ in the resulting model.



Pruning the modelWe can reduce model checking to model checking CTL∗:

(α,α)

(α,α)(α,α)

(α,α)

(α,α)

(α,α)

(α,α)

(β,α)

(β,α)

(α,β) (α,β)

(α,β) (α,α)(α,α)

(β,α)

Guess the strategy s1 in which 1 always plays α .

〈〈1〉〉♦γ guess s1 , check A♦γ in the pruned model

s1: agent 1 plays α in all states.



Theorem 5.38 (ATL∗ir and ATL∗Ir [Schobbens, 2004])

Model checking ATL∗ir and ATL∗Ir is PSPACE-complete in thenumber of transitions in the model and the length of the formula.

Proof: Lower BoundLTL model checking is a special case of LATL∗ model checking:PSPACE-hard.



Proof: Upper Bound

Let 〈〈A〉〉ψ where ψ is an LLTL-formula.

1 Guess an Ir-strategy (resp. ir-strategy) sA of A.

2 “Prune” M to M|sA ; i.e. remove transitions that cannot occuraccording to sA.

3 Remove transition labels from M|sA and interpret it asKripke structure M′|sA

4 Then,

M, q |= 〈〈A〉〉γ iff M′|sA , q |=CTL∗ Aγ

This procedure can be performed in NPPSPACE, which rendersthe complexity of the whole language to be inPNPPSPACE

= PSPACE.



Imperfect Information and Perfect Recall

Conjecture 1 (ATLiR)

Model checking ATLiR is undecidable.

Recently, a proof has been proposed by Dima and Tiplea (June2010).

Conjecture 2 (ATL∗iR)

Model checking ATL∗iR is undecidable.

Conjecture 3 (ATL+iR)

Model checking ATL+iR is undecidable.


5 Complexity of Verification: Model Checking5.6 Summary of Complexity Results

5.6 Summary of ComplexityResults



Nice results: model checking CTL and ATL is tractable.But: the result is relative to the size of the model and theformulaWell known catch (CTL): size of models is exponential wrt ahigher-level description

Another problem: transitions are labelled

So: the number of transitions can be exponential in thenumber of agents.



Ir IR ir iRLATL P P ∆P

2 Undecidable†

LATL+ ∆P3 PSPACE ∆P

3 Undecidable†

LATL∗ PSPACE 2EXPTIME PSPACE Undecidable†

Figure 5 : † These problems are believed to be undecidable.



6. Complexity of Reasoning: Satisfiability

6 Complexity of Reasoning: SatisfiabilitySatisfiability Problem and TableauxA Tableau Algorithm for LTLA Tableau Algorithm for CTLCTL∗ is 2EXPTIME-completeATL and ATL*



Outline

We present tableau procedures forpropositional logic,LTL, andCTL.

We discuss the complexity of the satisfiability problems forLTL, CTL, CTL∗, ATL, and ATL∗.


6 Complexity of Reasoning: Satisfiability6.1 Satisfiability Problem and Tableaux

6.1 Satisfiability Problem andTableaux



Satisfiability Problem

The satisfiability problem is the following question:

Given a formula ϕ (of some logic L) is there a model M(from a class M of models associated with L) and a state qin M such that M, q |= ϕ?

More precisely, this is the L-satisfiabilty problem (over class M)of models.

In the following we consider the class of all Kripke structures forthe temporal logics.



To obtain a decision procedure one often proceeds as follows:

Establish a small model theorem for L: That is, if there is amodel for ϕ then there also is a “small model” (in particularfinite one).

Methods of choice: quotient constructions / filtrations(“equivalent states” are identified).

Well-known methods are tableaux procedure: They“encode” all models of a given formula.

Automata-theoretic constructions offer another alternative(cf. the LTL automata theoretic construction, CTL∗ and ATL∗

decision procedures).



Tableaux for Propositional Logic

Tableau

Encodes all models of a given formula

Rule-based definition allows an intuitive presentation

Semantic structures can often be extracted easily easyconstruction of satisfying models

Often, tight limits on their size which allows a goodcomplexity analysis.

A tableau is a graph/tree-like structure to visualize attemptsto create a model.For building a tableau there are rules to systematically splitthe input formula into subformulae.

Each branch of the tableau represents a way of trying to builda model.



Example 6.1 (Tableau for ϕ = (a ∧ c) ∧ (¬a ∨ b))ϕ

ϕ, a ∧ c

ϕ, a ∧ c,¬a ∨ b

ϕ, a ∧ c,¬a ∨ b,¬a ϕ, a ∧ c,¬a ∨ b, b

ϕ, a ∧ c,¬a ∨ b,¬a, a ϕ, a ∧ c,¬a ∨ b, b, a

ϕ, a ∧ c,¬a ∨ b, b, a, cContradiction!

All nodes are labelled with subformulae of ϕ or their negation.The last set in the right branch is maximally propositionallyconsistent (wrt. the closure of ϕ) and represents a model of ϕ.



We assume as basic connectives: ∧ and ¬ (one can also take∨ instead of ∧).We use Σ to represent a set of propositional formulae.

Definition 6.2 (Propositional logic tableau rules)

A tableau rule has the form ΣΣ′ or Σ

Σ′|Σ′′ . Both rules can be appliedto a node n with label Σ. The effect of the first rule is a new noden′ with label Σ′ connected to n, and of the second rule two nodesn′ and n′′ labeled Σ′ and Σ′′, respectively, both connected to n.The propositional logic tableau rules are given as follows:

Σ∪ψ,¬ψ⊥

Σ∪¬¬ψΣ∪ψ

Σ∪ψ∧χΣ∪ψ,χ

Σ∪ψ∨χΣ∪ψ|Σ∪χ

We call a branch of a tableau closed if it contains ⊥;otherwise, open.



Remark 6.3

Termination can be achieved by marking subformulae alreadytreated.

Movement along branches represents adding consequences.

Branching represents choices between alternatives.

The tableau can be interpreted as a graph/tree.

We call these tableau rules static (as the whole tableauxprocedure is about finding a propositional model).

Note also, that the tableau procedure does not require anynormal form (what is for instance the case for resolution).


6 Complexity of Reasoning: Satisfiability6.2 A Tableau Algorithm for LTL

6.2 A Tableau Algorithm for LTL



We extend the propositional tableaux algorithm such that we cancheck satisfiability of LTL formulae.

Basic connectives: ¬, ∧,©, UUU .Recall: ω-models are propositional worlds connected bytemporal transitions.We introduce two kinds of tableau rules:

static rules: affect the very (propositional) statetransition rules: temporal evolution

As before: nodes are labeled with subsets from cl(ϕ).

Definition 6.4 (Closure)

Let sub(ϕ) denote the set of subformulae of ϕ. The closure of ϕ isdefined as follows:

cl(ϕ) = sub(ϕ) ∪ ¬ψ | ψ ∈ sub(ϕ)

(Note, that cl(ϕ) is not closed under negation. We do identify¬¬ψ with ψ.)



Our first proposal to an LTL-tableau procedure is based on newtableau rules capturing the temporal evolution. Later, we willdiscuss an alternative approach.

Definition 6.5 (LTL-tableau rules)

The LTL-tableau rules extend the propositional ones fromDefinition 6.2 by the following static rules:

Σ∪ψ1UUU ψ2Σ∪ψ1|Σ∪ψ2

Σ∪¬(ψ1UUU ψ2)Σ∪¬ψ2

and the following transition rules: Σ∪¬ψ2,ψ1UUU ψ2©Σ∪ψ1UUU ψ2

Σ∪©ψ©Σ∪ψ

where

©Σ = ψ | ©ψ ∈ Σ ∪ ¬ψ | ©¬ψ ∈ Σ∪ ψ1UUU ψ2 | ¬ψ2, ψ1UUU ψ2 ∈ Σ∪ ¬(ψ1UUU ψ2) | ψ1,¬(ψ1UUU ψ2) ∈ Σ∪ t | t ∈ Σ



The tableau rules modelpropositional reasoning andtemporal reasoning.

How to apply these rules? Can we apply them in any order?

Example 6.6

Suppose we are given Σ = p ∧ ¬p,©q. Then, we can obtain alabel q. The corresponding branch of the tableau is open.However, Σ is not satisfiable!

Propositional consistency has to be ensured before applyingtransition rules!That is, we are only allowed to apply transition rules if nomore static rules can be applied and the branch is open!How to achieve this? Mark subformulae to which no staticrule can be applied or to which a static rules has beenapplied. Then, do only apply transition rules if allsubformulae have been marked and if the branch is open.



In the following we follow an alternative approach and “hide” theapplication of static rules completely and consider sets which aremaximally propositionally consistent.

Definition 6.7 (Maximally propositionally consistent)

A set Σ ⊆ cl(ϕ) is maximally propositionally consistent wrt. cl(ϕ)if the following conditions are satisfied:

for all ψ ∈ cl(ϕ): ψ ∈ Σ iff ¬ψ 6∈ Σ;

if ψ1 ∧ ψ2 ∈ cl(ϕ) then ψ1 ∈ Σ and ψ2 ∈ Σ; and

if ¬(ψ1 ∧ ψ2) ∈ cl(ϕ) then ¬ψ1 ∈ Σ or ¬ψ2 ∈ Σ.

The set of all such sets is called PC (ϕ).

We note that such sets are not necessarily consistent in general;consider e.g. ©p,©¬p. The tableau takes care about it by adeletion mechanism.



The nodes of the tableau procedure are labelled with sets fromPC (ϕ). How to connect these nodes?

We define a relation R ⊆ PC (ϕ) as follows:Σ1RΣ2 iff

1 for all©ψ ∈ cl(ϕ): ©ψ ∈ Σ1 iff ψ ∈ σ2; and2 for all ψ1UUU ψ2 ∈ cl(ϕ): ψ1UUU ψ2 ∈ Σ1 iff (ψ2 ∈ Σ1 or ( ψ1 ∈ Σ1

and ψ1UUU ψ2 ∈ Σ2)).Moreover, we add a “dummy” start node which we connect to allΣ with ϕ ∈ Σ. If such nodes do not exist, then ϕ is obviously notsatisfiable.

Remark 6.8 (Efficiency)

We note that from a practical point of view, this method is not veryefficient as all states from PC (ϕ) have to be constructed! Anincremental approach does usually perform better on average.



Example 6.9

Consider the set Σ = © p,©p, p where ψ is defined as¬♦¬ψ ≡ ¬(>UUU ¬ψ). This set results in a non-terminating, loopingbranch. Such branches are declared open.

Definition 6.10 (Initial tableau)

We call the graph (PC (ϕ), R) the initial LTL-tableau of ϕ.

Clearly, a node with label Σ in the tableau can be considered as apropositional sate; we simply take Σ ∩ Prop(ϕ) where Prop(ϕ) isthe set of propositional symbols occurring in ϕ. In the followingwe identify nodes and states in this way.

Now, the question is whether the initial tableau contains anLTL-model of ϕ. How to determine this?



There are two possible types of error:1 States may not have successors? (Consider e.g. ©p,©¬p.)2 There are non-fulfilled eventualities.

An eventuality ψ1UUU ψ2 is fulfilled in a node, if there is a nodereachable from the current one which contains ψ2.

LTL-Tableau algorithm

1 Construct (PC (ϕ), R).

2 Remove all nodes from (PC (ϕ), R) which do not have asuccessor.

3 Remove all nodes which contain a non-fulfilled eventuality.

4 If none of the above steps can be applied and a node whichcontains ϕ remains return “satisfiable”; otherwise,“unsatisfiable”.



Theorem 6.11The LTL-tableau algorithm terminates and is correct; i.e.“satisfiable” is returned on input ϕ iff ϕ is satisfiable. Moreover, thealgorithm runs in exponential time.

Sketch.

Termination: PC (ϕ) is a finite set of finite sets. The tableaualgorithm does only remove nodes. Checking fulfillment canbe done in a depth-first manner with marking.

Correctness: “⇐”: Suppose ϕ is satisfiable in λ. We definethe sets Σi = ψ ∈ cl(ϕ) | λ[i,∞] |= ψ for i ∈ N0. It is easy tosee that none of these sets is removed by the tableaualgorithm; hence, it returns “satisfiable”.



“⇒”: Suppose the algorithm returns “satisfiable”.Let G ⊆ PC (ϕ) be the set of remaining nodes and let ϕ ∈ Σ0.We recursively define sequences 0 = i0 < i1 < · · · < ω andΣ0,Σ1, . . . . Suppose we have constructed this sequence up toΣij .If Σij does not contain any unfulfilled eventuality setij+1 = ij + 1 and chose Σij+1 as some R-successor of Σij .Otherwise, find a path Σij ,Σij+1, . . . ,Σij+1

such that allunfulfilled eventualities in Σij are fulfilled in Σij+1

.Now it is easy to show that the constructed path satisfies alleventualities occurring in any state, and also those newlyintroduced in Σij+1, . . . ,Σij+1−1.



Complexity:Each Σ ∈ PC (ϕ) is of size linear in |ϕ| and there areexponentially many such subsets.The deletion steps can be done in deterministic timepolynomial in the size of PC (ϕ).

The LTL-tableau algorithm can also be implemented inpolynomial space by guessing the “right” branch of the tableau.However, since a branch can be of exponential length we can notstore it explicitly. We make use of the ultimately periodic modelproperty of LTL (cf. Theorem 1.16):

2O(n) 4O(n)



The idea is the same as for LTL model checking (cf. Theorem 5.15).

Theorem 6.12 (LTL isPSPACE-complete [Sistla and Clarke, 1985])

Satisfiability checking LTL is PSPACE-complete.

Proof.We use a polynomially space bounded Turing machine:

Given ϕ, guess a path through the tableaux-construction ofexponential length (in |ϕ|).Only the current state and the state at which the path loopsback, and a counter has to be kept in memory.

Hardness: Reduction from polynomial space-bounded Turingmachines.



Remark 6.13In Section 1.3 (cf. Theorem 5.13) we have constructed an automatonwhich accepts all models of an LLTL-formula. This directly yieldsanother decision procedure for LTL-satisfiability which essentiallyreduces to checking emptiness of the automaton.


6 Complexity of Reasoning: Satisfiability6.3 A Tableau Algorithm for CTL

6.3 A Tableau Algorithm for CTL



In this section we discuss a tableau algorithm for CTL. The idea isthe very same as for LTL.

Given PC (ϕ) we define a relation R as follows: Σ1RΣ2 iff

1 For all A© ψ ∈ cl(ϕ): if A© ψ ∈ Σ1 then α ∈ Σ2

2 For all ¬E© ψ ∈ cl(ϕ): if ¬E© ψ ∈ Σ1 then ¬ψ ∈ Σ2

3 For all Aψ1UUU ψ2 ∈ cl(ϕ): if Aψ1UUU ψ2 ∈ Σ1 then (ψ2 ∈ Σ1 or(ψ1 ∈ Σ1 and Aψ1UUU ψ2 ∈ Σ2))

4 For all ¬Eψ1UUU ψ2 ∈ cl(ϕ): if ¬Eψ1UUU ψ2 ∈ Σ1 then (¬ψ2 ∈ Σ1

and (either ¬ψ1 ∈ Σ1 or ¬Eψ1UUU ψ2 ∈ Σ2)).



Again, the deletion process consists of two steps:

1 Local pruning: Remove states which do not “agree with” thesemantics of the subformulae contained in the states.

2 Remove states which contain non-fulfillable eventualities.

In the case of CTL, eventualities are given by Eψ1UUU ψ2 andAψ1UUU ψ2.



CTL-tableau algorithm

1 Construct (PC (ϕ), R).2 Remove all nodes Σ from (PC (ϕ), R) which do not satisfy the

following conditions:1 if E© ψ ∈ Σ then there is Σ′ with ΣRΣ′ and ψ ∈ Σ′;2 if ¬A© ψ ∈ Σ then there is Σ′ with ΣRΣ′ and ¬ψ ∈ Σ′;3 if Eψ1UUU ψ2 ∈ Σ then ψ2 ∈ Σ or (ψ1 ∈ Σ and there is Σ′ with

ΣRΣ′ such that Eψ1UUU ψ2 ∈ Σ′); and4 if ¬Aψ1UUU ψ2 ∈ Σ then ¬ψ2 ∈ Σ and (either ¬ψ1 ∈ Σ or there is

Σ′ with ΣRΣ′ such that ¬Aψ1UUU ψ2 ∈ Σ′).

3 Remove all nodes which contain an eventuality which is notfulfilled.

4 If none of the above steps can be applied and a node whichcontains ϕ remains return “satisfiable”; otherwise,“unsatisfiable”.



Theorem 6.14The CTL-tableau algorithm terminates and is correct; i.e.“satisfiable” is returned on input ϕ iff ϕ is satisfiable. Moreover, thealgorithm runs in exponential time.

Theorem 6.15 (Satisfiability of CTL)

The satisfiability problem for CTL is EXPTIME-complete

Proof.Membership in EXPTIME is proven by the CTL-tableauxalgorithm (cf. Theorem 6.11).Hardness can be shown by a reduction alternating polynomialspace bounded Turing machines.



LTL-satisfiability revisited

Yet another approach to check LTL-satisfiability is a reductionto CTL-satisfiability.Given an LTL-formula, we define the translationtr : LLTL[pnf ]→ LCTL by replacing ♦, ,©, UUU , B by A♦, A,A©, AUUU , AB , respectively.

The following theorem shows that LTL-satisfiability can bechecked in EXPTIME as well:

Theorem 6.16 (LTL is in EXPTIME)

Let ϕ ∈ LLTL be in positive normal form. Then, tr(ϕ) ∈ LCTL and ϕ isLTL-satisfiable iff tr(ϕ) is CTL-satisfiable. Hence, LTL-satisfiabilityis in EXPTIME.


6 Complexity of Reasoning: Satisfiability6.4 CTL∗ is 2EXPTIME-complete

6.4 CTL∗ is 2EXPTIME-complete



Satisfiability of CTL∗ can be shown by a subtle automata-theoreticconstruction. The idea is sketched in the following:

A normal form for CTL∗ formulae is established. This normalform is essentially built from 3 types of subformulae: Aψ, Eψ,or AEψ where ψ ∈ LLTL

It is shown that CTL∗ is satisfiable iff there is a(n) (infinite)tree-like model with fixed branching.A tree automaton accepting these tree-like models isconstructed from ω-word automata (cf. LTL model checking),one for each subformula of the aforementioned type of thenormal form.In particular, the construction of the automaton for Aψ iscostly.Satisfiability of ϕ is reduced to checking emptiness of thistree automaton.



Theorem 6.17 (Normal form [Emerson and Sistla, 1984])

For each ϕ ∈ LCTL∗ it is possible to construct a formula ϕ′ ∈ LCTL∗

with the following properties:

1 ϕ′ is composed of conjunctions and disjunctions of subformulaeof the form Aψ, Eψ, or AEψ where ψ ∈ LLTL.

2 The length of ϕ′ is linear in the length of ϕ.

3 ϕ is satisfiable iff ϕ′ is satisfiable.

4 Any model of ϕ can be used to construct a model of ϕ′ and viceversa.

We say that ϕ′ is a normal form of ϕ.

Theorem 6.18 ([Emerson and Sistla, 1984])

Any satisfiable formula ϕ ∈ LCTL∗ in normal form has an infinitetree-like model in which each node has at most |ϕ| outgoingedges and each subformula Eψ of ϕ is satisfied along a designatedpath of the tree-like model.



Theorem 6.19 ([Vardi and Stockmeyer, 1985,Emerson and Sistla, 1984, Emerson and Jutla, 1999])Satisfiability checking CTL∗ is 2EXPTIME-complete.

Proof.Hardness is shown in [Vardi and Stockmeyer, 1985].Membership is shown by a subtle automata-theoreticconstruction. Let ϕ be a formula in normal form.

Theorem 6.18 allows to use tree automata (fixed branching).

For a pure LLTL formula let Aψ denote the Büchi wordautomaton accepting exactly the paths satisfying ψ (cf.Theorem 5.13).



For each subformula Aψ, Eψ, or AEψ of ϕ we construct atree automaton (build from the aforementioned wordautomata Aψ) accepting those trees satisfying the formula.We construct a complemented pairs tree automaton for eachof these subformulae as follows:

Eψ: Run Aψ at the root of any given tree on the designatedpath.AEψ: Run Aψ at any node and run it down the designatedpath for Eψ.Both automata have 2O(|ψ|) states and |ψ| pairs.Aψ: Running Aψ down all paths from the root does not work!Why?Firstly, we have to transform Aψ into a deterministic Rabinautomaton.



The resulting deterministic automaton A′ψ has 22O(|ψ|) statesand 2O(|ψ|) pairs (cf. Theorem ??).

The tree automaton for Aψ runs A′ψ along all path of theinput tree. It as the same size as A′ψ.

All these tree automata are combined to a product automatonwhich yields a complemented pairs automaton with 22O(|ϕ|)

states and 2O(|ϕ|) pairs.

By Theorem ?? non-emptiness can be checked indeterministic time (mn)O(n) where m is the number ofstates and n the number of pairs.

Hence, we have time complexity of(22O(|ϕ|) · 2O(|ϕ|))2O(|ϕ|)

= 22O(|ϕ|)steps.



Summary

We have shown (via a tableau algorithm) that the satisfiabilityproblem for LTL is PSPACE-complete.

Alternatively, we have presented an automata-theoreticapproach and a reduction to CTL-satisfiability checking.

We have shown (via a tableau algorithm) that the satisfiabilityproblem for CTL is EXPTIME-complete.

The algorithm for CTL∗ is based on a subtle constructionbased on tree automata. Non-trivial results from automatatheory (Safra’s construction and non-emptyness checks)were necessary.


6 Complexity of Reasoning: Satisfiability6.5 ATL and ATL*

6.5 ATL and ATL*



In this section we briefly discuss the satisfiability problems for ATLand ATL∗. A detailed presentation is out of scope of this tutorial.

Firstly, we state the satisfiability problem. There are at least foursensible settings:

1 Is ϕ satisfiable over a fixed and finite set Agt of agents?2 Is ϕ satisfiable over Agt where Agt(ϕ) ⊆ Agt?3 Is there a set Agt of agents with Agt(ϕ) ⊆ Agt such that ϕ

is satisfiable over Agt?4 Is ϕ satisfiable over Agt(ϕ)?

Agt(ϕ): Agent names occurring in ϕ.Do these settings affect the satisfiability of formulae?

Example 6.20

Is the following formula satisfiable?

¬〈〈1〉〉 © p ∧ ¬〈〈1〉〉 © q ∧ 〈〈1〉〉 © (p ∨ q)



Proposition 6.21

The satisfiability problems (2) and (4) are polynomially reducibleto each other. Problem (3) is polynomially reducible to (2).

Moreover, we have that ϕ is satisfiable over Agt (withAgt(ϕ) ⊆ Agt) iff ϕ is satisfiable over Agt(ϕ) ∪ |Agt(ϕ)|+ 1.



In [van Drimmelen, 2003] and[Goranko and van Drimmelen, 2006b] an automata theoreticapproach is used to show that the satisfiability problem isEXPTIME-complete for a fixed set of agents (setting 1).

In [Walther et al., 2006] it is shown that the general setting 4is EXPTIME-complete (over alternating transition sysmtes).The basic idea is similar to the one used in the CTL-tableauxalgorithm. Models are essentially built from〈〈A〉〉 © ψ-formulae occurring in ϕ

In [Goranko and Shkatov, 2009] a generic “incremental”tableaux decision procedure is proposed (over CGS). Theapproach can be used for the general setting (4).

Theorem 6.22 (Complexity: Membership)

The satisfiability problems for ATL are EXPTIME-complete, evenfor the general setting (4).



Proof of lower bound.Membership follows from the tableau procedure.

Hardness: Reduction of global consequence in logic K: Given ψ1

and ψ2. Does M |= ψ1 imply M |= ψ2 for all Kripke models M?

ATL can “encode” logic K: e.g. ♦p=¬〈〈∅〉〉 © ¬p.

Now we have: ψ2 follows globally from ψ1 iff 〈〈∅〉〉ψ′1 ∧¬ψ′2 isATL-unsatisfiable over an arbitrary set of agents.



Satisfiability of ATL∗

Membership is shown by an automata-theoreticconstruction.

The model is transformed into a special tree like modelwhich is enriched with additional information on witnessingstrategies.

Hardness is shown by a reduction of satisfiability checkingof CTL∗.

Theorem 6.23 ( [Schewe, 2008])

Satisfiability checking ATL∗ is 2EXPTIME-complete.


7 Appendix: Automata Theory

7. Appendix: Automata Theory

7 Appendix: Automata TheoryBüchi AutomataGeneralized Büchi AutomataTree automataEmptiness Checking


7 Appendix: Automata Theory7.1 Büchi Automata

7.1 Büchi Automata



Büchi Automata

We would like to use finite automata to solve the modelchecking problem.

Finite automata (on finite words) accept only finite words butpaths are infinite.

We need to extend the model to finite automata that acceptinfinite words.

How can we accept infinite words?



Definition 7.1 (ω-automaton)

An ω-automaton is a tuple

A = (Q,Σ,∆, qI , C)

where

1 Q is a finite set of states;

2 Σ is a finite alphabet;

3 ∆ ⊆ Q× Σ×Q a transition relation ;

4 qI is the initial state; and

5 C an acceptance component (which is specialised in thefollowing).

The crucial point is the acceptance component!



Definition 7.2 (Run)

A run ρ = ρ(0)ρ(1) · · · ∈ Qω of A on a word w = w1w2 · · · ∈ Σω isan infinite sequence of states of A such that:

1 ρ(0) =qI

2 ρ(i) ∈ ∆(ρ(i− 1), wi) for i ≥ 1.

How could we accept the following language?

L = w ∈ a, bω | w contains infinitely many a and only finitelymany b .Is it sufficient to reach a final state once?



We define Inf (ρ) as the set of all states that occur infinitelyoften on ρ; that is,

Inf (ρ) = q ∈ Q | ∀i∃j(j > i ∧ ρ(j) = q)

Definition 7.3 (Büchi automaton)

A Büchi automaton is an ω-automaton

A = (Q,Σ,∆, qI , F )

where F ⊆ Q with the following acceptance condition: Aaccepts w ∈ Σω if, and only if, there is a run ρ of A such that

Inf (ρ) ∩ F 6= ∅.

Thus, such an automaton accepts all words such that some statefrom F is visited infinitely often on a corresponding run.



Definition 7.4 (Acceptable language)

The language accepted by A, L(A), consists of all words acceptedby A. That is,

L(A) = w ∈ Σω | A accepts w.

A language is said to be (Büchi) acceptable if there is a Büchiautomaton that accepts it.

Remark 7.5 (Other automata types)

Other acceptance conditions yield different automata types: Rabinautomata, Muller automata.



Example 7.6

Is there a Büchi Automaton that accepts the following language Lover Σ = a, b, c?

L = w ∈ Σω | w contains infinitely many a or b and only finitelymany c

blackboard



Example 7.7

Is there a Büchi Automaton that accepts the following language Lover Σ = a, b?

L = w ∈ Σω | w ends with aω or (ab)ω

: Back to model checking LTL, pp. 225.



Proposition 7.8 (Closure propeties)

1 Büchi acceptable languages are closed under union,intersection, and negation.

2 If A is a regular language with ε 6∈ A, then, Aω is Büchiacceptable.

3 If A is a regular language and B is Büchi recognizable, then ABis Büchi acceptable.



Proof sketch

1 Union: Nondeterministically guess which automata should beexecuted. ExerciseIntersection: Product automaton yields a generalised Büchiautomaton. The acceptance set is given byF1 × S2, S1 × F2. ExerciseComplement: This part is non-trivial and cannot be done inthe scope of this lecture.

2 Aω: Connect transitions to final states also with the initialstate Exercise

3 AB: Connect transitions to final states of the finite automatonwith the initial state of the Büchi automaton. Exercise



Theorem 7.9 (Characterization Theorem)

A language L is Büchi acceptable if, and only if, there are finitelymany regular languages U1, . . . , Un and V1, . . . , Vn such that

L =⋃

i=1,...,n

Ui(Vi)ω

This shows that any language L 6= ∅ acceptable by a Büchiautomaton contains an ultimately periodic word.

Example 7.10

For the language L = w ∈ Σω | w ends with aω or (ab)ω fromExample 7.7 we have that L = Σ∗aω ∪ Σ∗abω.



Proof of Theorem 7.9“⇒”: Let W(q,q’) = w ∈ Σ∗ | q →w q′. Each language W (q, q′) isregular. Then,

L(A) =⋃q∈Qf

W (qI , q)(W (q, q))ω.

“⇐”: Let L =⋃i=1,...,n Ui(Vi)

ω where each Ui, Vi is regular. ByProposition 7.8 we have that (Vi)

ω and Ui(Vi)ω are Büchirecognizable. Thus also their finite union.


7 Appendix: Automata Theory7.2 Generalized Büchi Automata

7.2 Generalized Büchi Automata



Definition 7.11 (Generalised Büchi automaton)

A generalised Büchi automaton is an ω-automaton

A = (Q,Σ,∆, qI , F )

where F ⊆ P(Q) with the following acceptance condition: Aaccepts w ∈ Σω if, and only if, there is a run ρ of A such that foreach Fi ∈ F

Inf (ρ) ∩ Fi 6= ∅.

Thus, such an automaton accepts all words such that some statefrom each Fi is visited infinitely often on a corresponding run.



We will use generalised Büchi automata for model checking LTL.How is the relation between Büchi and generalised Büchiautomata?Proposition 7.12 (Generalised Büchi Büchi)

For each generalised Büchi automaton one can construct anequivalent Büchi automaton.

Proof.Idea: Consider state-tuples: S × 1, . . . , k. If the GBA moves tothe next acceptance set a counter is incremented (modulo k).Then, a run visits states from each Fi infinitely often iff statesfrom F1 × 1 appear infinitely often.

We first consider an example:



Example 7.13

q1

a

a

bb

q0

F1 F2

q0, 1 q1, 1

q1, 2q0, 2

aa

a

a

b

b

b

b

Back to LTL-model checking, pp. 269.



Proof ctd.Let A = (Σ, S,∆, S0, F1, . . . , Fn) be a generalised Büchiautomaton. We construct the Büchi AutomatonA′ = (Σ, S′,∆′, S′0, F

′):

S′ = S × 1, . . . , n;S′0 = S0 × 1;((s, j), a, (t, i)) ∈ ∆′ iff

(s, a, t) ∈ ∆ and

i = j , if s 6∈ Fj ;i = (j + 1) mod k , if s ∈ Fj ;

F ′ = F1 × 1.



Proof ctd.It remains to prove that both automata accept the samelanguages. We present the main ideas.“⇒“: Let A be a GBA that accepts the word w. Then, there is a runρ such that states from each Fi, i = 1, . . . , k, occur infinitely oftenon ρ. That is, there is an infinite subsequence (q1 . . . qk)

ω of ρ suchthat qi ∈ Fi. Hence, the state (q1, 1) is visited infinitely often in theautomaton A′.

“⇐“: Let A′ accept the word w. Then, some state (q1, 1) withq1 ∈ F1 is visited infinitely often. After it has been visited once theautomaton is in a state (q, 2) and can only return to (q′, 1) if somestate q ∈ F2 is visited, some from F3 and so on is visited.


7 Appendix: Automata Theory7.3 Tree automata

7.3 Tree automata



As before let Σ be a finite alphabet and k a natural number.A k-ary Σ-tree t = (domt, L) is a tree with maximal branching kand in which each node is labelled by an element from Σ. That is

L : domt → Σ

where domt ⊆ 0, . . . , k − 1∗ denotes the domain of the tree. It isrequired that domt is closed under prefixes, i.e.

wx ∈ domt → ∀y(0 ≤ y < x→ wy ∈ domt).

A k-ary ω-tree automaton over the alphabet Σ is an automatonthat accepts infinite k-ary Σ-trees.



Definition 7.14 (k-ary ω-tree automaton)

A k-ary ω-tree automaton over the alphabet Σ is given by a tuple

A = (Q, qI ,∆, C)

where

Q is a set of states,

qI ∈ Q the initial state,

∆ : Q× Σ× 1, . . . , k → P(∪i=1...kQi) with ∆(q, a, i) ⊆ Qi a

transition relation, and

C an acceptance component (which is specified in thefollowing).



Definition 7.15 (Run, path, successful, accepting)

A run of a k-ary ω-tree automaton A on an infinite k-ary Σ-treet = (domt, Lt) is an infinite k-ary Q-tree r = (domr, Lr) such that

1 domr = domt,

2 Lr(∅) = qI and

3 ∀w ∈ domt : (Lr(w0), . . . , Lr(wi)) ∈ ∆(Lr(w), Lt(w), i) wherei = maxj | wj ∈ domt.

A path of the run r is an infinite linearly ordered subset of domr

(i.e. it denotes a branch in the tree). We say that run r issuccessful if each path of r satisfies the accepting condition C.An input tree t is accepted by A if there is a successful run.



Definition 7.16 (Büchi tree automaton)

A Büchi tree automaton is given by an ω-tree automatonA = (Q, qI ,∆, F ) where F ⊆ Q is a set of final states. A runr = (domr, L) is successful if, and only if, for each path p on rthere is a state that occurs infinitely often on p; i.e. for all paths pof r we have that

Inf (L|p) ∩ F 6= ∅.

L|p denotes the set of states in L which do also appear on p.



Definition 7.17 (Rabin tree automaton)

A Rabin tree automaton (or pairs tree automaton) is given by anω-tree automaton A = (Q, qI ,∆,Ω) where

Ω = (L1, U1), . . . , (Ln, Un)

where each pair (Li, Ui) ⊆ Q×Q is a set of “accepting” pairs(these pairs are called Rabin pairs). A run r = (domr, L) issuccessful if, and only if, for each path p on r there is an indexi ∈ 1, . . . , n such that no state (resp. a state) from Li (resp. fromUi) occurs infinitely often on p; i.e.

Inf (L|p) ∩ Li = ∅ and Inf (L|p) ∩ Ui 6= ∅

Theorem 7.18 ([Rabin, 1970])There is a set of trees that is acceptable by a Rabin tree automatonbut not by any Büchi tree automaton.


7 Appendix: Automata Theory7.4 Emptiness Checking

7.4 Emptiness Checking



Checking EmptinessFor the model checking algorithms we need to check whether thelanguage of a Büchi automaton is empty.

Definition 7.19 (Graph reachability)

Let G = (V,E) be graph. Given two vertices u, v ∈ V thegraph-reachability problem is the question whether v isreachable from u.

Theorem 7.20 ([Jones, 1977, Jones, 1975])The graph-reachability problem is NLOGSPACE-completeunder logspace-reductions.



Theorem 7.21 ([Emerson and Lei, 1987])The emptiness problem for Büchi automata is solvable in lineartime and in nondeterministic logarithmic space .

ProofWe check whether there is some ultimately periodic word byfinding an accepting state reachable from the initial state andfrom itself. The following algorithm runs in non-deterministiclogarithmic space:

1 Guess an accepting state r, and

2 check whether reach(r, r).

: Back to LTL model checking, pp. 245.



How does reach(x , y) work?

1 Chose some x-successor x′ (non-determinism!).2 Return “yes”, if x′ = y else reach(x ′, y).

Hardness is shown by a reduction of theNLOGSPACE-complete problem of graph reachability fromDefinition 7.19. Given G, u, v, transform G to a Büchi automatonwith initial state u and final state v and add a loop to v. Then:

v reachable from u in G iff automaton non-empty.



Theorem 7.22 ([Rabin, 1970, Vardi and Wolper, 1984])The emptiness problem for Büchi tree automata is decidable andP-complete under logarithmic space reductions.

Theorem 7.23([Emerson and Jutla, 1988, Pnueli and Rosner, 1989])The non-emptiness problem for Rabin tree automata is decidableand complete for NP.

Theorem 7.24 ([Emerson and Jutla, 1999])The non-emptiness problem for pairs tree automata is decidable indeterministic time (mn)O(n) where m is the number of states and nthe number of pairs in the automaton.


7 Appendix: Automata Theory7.5 Determinization

7.5 Determinization


7 Appendix: Automata Theory7.5 Determinization

Determinization of Automata

Theorem 7.25 (Safra’s construction [Safra, 1988])

Let A be a nondeterministic Büchi automaton with n states. Then,there is an equivalent deterministic Rabin automaton with 2O(n logn)

states.


8 References

8. References

8 References


8 References

Alur, R., Henzinger, T. A., and Kupferman, O. (1997).Alternating-time Temporal Logic.In Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS), pages 100–109. IEEEComputer Society Press.

Alur, R., Henzinger, T. A., and Kupferman, O. (2002).Alternating-time Temporal Logic.Journal of the ACM, 49:672–713.

Clarke, E. and Emerson, E. (1981).Design and synthesis of synchronization skeletons using branching time temporal logic.In Proceedings of Logics of Programs Workshop, volume 131 of Lecture Notes in Computer Science, pages 52–71.

Clarke, E., Emerson, E., and Sistla, A. (1986).Automatic verification of finite-state concurrent systems using temporal logic specifications.ACM Transactions on Programming Languages and Systems, 8(2):244–263.

Emerson, E. and Halpern, J. (1986).Sometimes and not never revisited: On branching versus linear time temporal logic.Journal of the ACM, 33(1):151–178.

Emerson, E. A. and Jutla, C. S. (1988).The complexity of tree automata and logics of programs.In SFCS ’88: Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 328–337,Washington, DC, USA. IEEE Computer Society.


8 References

Emerson, E. A. and Jutla, C. S. (1999).The complexity of tree automata and logics of programs.SIAM J. Comput., 29:132–158.

Emerson, E. A. and Lei, C.-L. (1987).Modalities for model checking: Branching time logic strikes back.Science of Computer Programming, 8(3):275–306.

Emerson, E. A. and Sistla, A. P. (1984).Deciding branching time logic.In STOC ’84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 14–24, New York,NY, USA. ACM.

Goranko, V. and Shkatov, D. (2009).Tableau-based decision procedures for logics of strategic ability in multiagent systems.ACM Trans. Comput. Logic, 11(1):3:1–3:51.

Goranko, V. and van Drimmelen, G. (2006a).Complete axiomatization and decidability of alternating-time temporal logic.Theor. Comput. Sci., 353(1-3):93–117.

Goranko, V. and van Drimmelen, G. (2006b).Complete axiomatization and decidability of alternating-time temporal logic.Theor. Comput. Sci., 353:93–117.

Immerman, N. (1981).


8 References

Number of quantifiers is better than number of tape cells.Journal of Computer and System Sciences, 22(3):384 – 406.

Jamroga, W. and Bulling, N. (2011).Comparing variants of strategic ability.In Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI), pages 252–257, Barcelona,Spain.

Jones, N. D. (1975).Space-bounded reducibility among combinatorial problems.Journal of Computer and System Sciences, 11(1):68 – 85.

Jones, N. D. (1977).Corrigendum: Space-bounded reducibility among combinatorial problems.J. Comput. Syst. Sci., 15(2):241.

Lichtenstein, O. and Pnueli, A. (1985).Checking that finite state concurrent programs satisfy their linear specification.In POPL ’85: Proceedings of the 12th ACM SIGACT-SIGPLAN symposium on Principles of programming languages,pages 97–107, New York, NY, USA. ACM.

Maidl, M. (2000).The common fragment of ctl and ltl.In FOCS, pages 643–652. IEEE Computer Society.

Pnueli, A. (1977).


8 References

The temporal logic of programs.In Proceedings of FOCS, pages 46–57.

Pnueli, A. and Rosner, R. (1989).On the synthesis of a reactive module.In POPL ’89: Proceedings of the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming languages,pages 179–190, New York, NY, USA. ACM.

Rabin, M. (1970).Weakly definable relations and special automata.Mathematical Logic and Foundations of Set Theory, pages 1–23.

Reynolds, M. (2001).An axiomatization of full computation tree logic.J. Symb. Log., 66(3):1011–1057.

Safra, S. (1988).On the complexity of omega -automata.In Proceedings of the 29th Annual Symposium on Foundations of Computer Science, pages 319–327, Washington,DC, USA. IEEE Computer Society.

Schewe, S. (2008).ATL* satisfiability is 2ExpTime-complete.In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II (ICALP2008), 6–13 July, Reykjavik, Iceland, volume 5126 of Lecture Notes in Computer Science, pages 373–385.Springer-Verlag.


8 References

Schnoebelen, P. (2003).The complexity of temporal model checking.In Advances in Modal Logics, Proceedings of AiML 2002. World Scientific.

Schobbens, P. Y. (2004).Alternating-time logic with imperfect recall.Electronic Notes in Theoretical Computer Science, 85(2):82–93.

Sistla, A. P. and Clarke, E. M. (1985).The complexity of propositional linear temporal logics.J. ACM, 32(3):733–749.

van Drimmelen, G. (2003).Satisfiability in Alternating-time Temporal Logic.In Proceedings of LICS’2003, pages 208–217. IEEE Computer Society Press.

Vardi, M. Y. and Stockmeyer, L. (1985).Improved upper and lower bounds for modal logics of programs.In Proceedings of the seventeenth annual ACM symposium on Theory of computing, STOC ’85, pages 240–251, NewYork, NY, USA. ACM.

Vardi, M. Y. and Wolper, P. (1984).Automata theoretic techniques for modal logics of programs: (extended abstract).In STOC ’84: Proceedings of the sixteenth annual ACM symposium on Theory of computing, pages 446–456, NewYork, NY, USA. ACM.


8 References

Vardi, M. Y. and Wolper, P. (1986).An automata-theoretic approach to automatic program verification (preliminary report).In Proceedings of the First Annual IEEE Symposium on Logic in Computer Science (LICS 1986), pages 332–344. IEEEComputer Society Press.

Walther, D., Lutz, C., Wolter, F., and Wooldridge, M. (2006).ATL satisfiability is indeed EXPTIME-complete.Journal of Logic and Computation, 16(6):765–787.


Education

T4 Introduction to the modelling and verification of, and reasoning about multi-agent systems