3 Model checking uniform CGSOs

To appear in EPTCS.

c Franc¸ois Laroussinie, Nicolas Markey, Arnaud Sangnier This work is licensed under the

Creative Commons Attribution License.

Franc¸ois Laroussinie

LIAFA

Univ. Paris Diderot & CNRS, France

Nicolas Markey

LSV

ENS Cachan & CNRS, France

Arnaud Sangnier

LIAFA

Univ. Paris Diderot & CNRS, France

Alternating-time temporal logic with strategy contexts (ATL_sc) is a powerful formalism for expressing properties of multi-agent systems: it extendsCTLwithstrategy quantifiers, offering a convenient way of expressing both collaboration and antagonism between several agents. Incomplete observation of the state space is a desirable feature in such a framework, but it quickly leads to undecidable verification problems. In this paper, we prove thatuniformincomplete observation (where all players have the same observation) preserves decidability of the model checking problem, even for very expressive logics such asATL_sc.

1 Introduction

Model checking is a powerful technique for automatically checking properties of computerized sys- tems [Pnu77, CE82, QS82]. Model-checking algorithms classically take as input a model of the system under analysis (e.g. a finite-state automaton), and a formal property (expressed e.g. in some temporal logic, such asLTLorCTL) to be checked; they then automatically and exhaustively verify whether the set of behaviors of the model satisfies the property.

During the last 15 years, model checking has been extended to handle complex systems, whose behaviors are the result of the interactions of several components. Games played on graphs are a convenient model for representing such interactions, and temporal logics have been hence proposed in order to express relevant properties in such a setting. One of the specification language to navigate in the execution trees of multi-agents systems is the temporal logicATL[AHK02] (Alternating-Time Temporal Logic); it is an extension of the branching temporal logicCTLwhich allows to express properties such as the fact that a component can enforce a certain behavior independently of the actions performed by the other components.ATLhas then be enriched in different ways to obtain more expressive logics for multi-agent systems. In particular,ATLsc(ATLwith strategy contexts) [BDLM09, LM15] and Strategy Logic [CHP07, MMV10] are two powerful extensions with similar properties in terms of expressive power and algorithmic properties. It was furthermore proved that those two logics have decidable, but Tower-complete model-checking algorithms.

In the approaches cited above, it is always assumed that all the players in the games have perfect observation of the state of the game, and that they also have perfect recall of the sequence of states that have been visited. In other words, they can choose an action to perform based on the entire sequence of states visited before. However, in many applications, components only have bounded memory, and most often they do not have the ability to fully observe all the other components of the system. While considering imperfect recall—the hypothesis that each player can only store into a finite memory the history of the seen states seen—can greatly simplify verification algorithms (since the number of strategies in the systems becomes finite), partial observation is known to makeATLmodel checking undecidable [AHK02, DT¸ 11].

Such results obviously carry over to more expressive logics likeATLsc. Decidability can be regained by

∗This work was partly supported by ERC Starting grant EQualIS (FP7-308087) and by FET project Cassting (FP7-601148).

restricting to imperfect-recall strategies [Sch04], or by considering hierarchical information [BMV15] or special communication architectures in distributed synthesis [KV01, Sch08].

In this paper, we consider a restricted case of partial observation, where all the players have the same information about the state space. We call such a caseuniformpartial observation. We prove that under this hypothesis, model checking concurrent game structure is decidable, even for the powerful logicATLsc. In particular, it is decidable whether there exists a strategy, based only on a subset of atomic propositions (assuming that the precise states and the other propositions are not visible), to enforce a given property.

Note also that the restriction to uniform observation is not significant when one looks for a strategy of a single agentaagainst all other players, since the semantics we use requires that the strategy be winning for any outcome (hence the exact observation of the opponent players is irrelevant). The decidability proof for model-checking under uniform partial observation is obtained by adapting a previous approach developed in [DLM12, LM15], which consists in transforming the model-checking problem forATL^∗_scinto a model- checking problem forQCTL, an extension ofCTLwith propositional quantification. A similar technique also allows us to prove that when restricting the strategy quantifiers to range over memoryless strategies, then the model-checking problem forATL^∗_scwith partial observation is again decidable. We finally prove that satisfiability checking forATLscwith partial observation (i.e., deciding whether there exists a game structure with partial observation satisfying a given formula ofATL^∗_sc) is undecidable, even in the case of turn-based games (where satisfiability is decidable under full observation [LM13]).

2 Definitions

2.1 Game structures with partial observation

In this paper, we consider concurrent games with partial observation. They correspond to classical concurrent game structures [AHK02] where, for each agent, an equivalence relation over the states of the structure defines sets of states that are observationally equivalent for this player. Observation equivalence extends to sequences of states in the obvious way. The strategies of the agents then have to be compatible with their observation, in the sense that after two observationally equivalent plays, a strategy has to return the same action. In this preliminary section, we formalize this setting.

All along this paper, we consider a setAPof atomic propositions. We recall that aKripke structure overAPis a tuplehQ,R, `iwhereQis a countable set of states,R⊆Q×Qis the transition relation and

`:Q→2^APis a state-labeling function.

Definition 1. Aconcurrent game structure with partial observation(CGSO) is a tupleC =hQ,R, `,Agt, M,Mov,Edge,(∼<sub>a</sub>)a∈Agtiwhere:hQ,R, `iis a finite-state Kripke structure;Agt={a₁, . . . ,a_p}is a finite set of agents(or players); M ={m₁, . . . ,mr}is a finite set of moves (or actions); Mov: Q×Agt→ 2^Mr{∅}defines the set of available moves of each agent in each state; Edge:Q×M^Agt →Q is a transition table associating, with each state q and each set of moves of the agents, the resulting state q⁰, with the requirement that(q,q⁰)∈R; finally,(∼_a)a∈Agt assigns to each player an equivalence relation over Q.

In the following, we assume w.l.o.g. (w.r.t existence of specific strategies) thatMov(q,a) =M for every q∈Qand a∈Agt: all the actions are available to all the players at any time. A move vector is a vector m∈M^Agt; for such a vector and for an agenta∈Agt, we denote by m[a]the move of agentain m. Aturn-based game structure with partial observation(TBGSO) is a CGSO for which there exists a mappingOwn:Q→Agtsuch that for anyq∈Qand for any two move vectorsmandm⁰ ifm[Own(q)] =m⁰[Own(q)], thenEdge(q,m) =Edge(q,m⁰).

As we mentioned above, each relation∼_awitha∈Agtcharacterizes the observation of the agentain the game structure: ifq∼_aq⁰, then agentais not able to make a distinction between the statesqandq⁰; in such a case, we say thatqandq⁰area-equivalent. As an important special case, an observation relation (∼_a)a∈Agt is said to beuniformwhen∼_a=∼_a⁰ for alla,a⁰∈Agt. In that case we might substitute the set (∼_a)a∈Agt by a unique equivalence relation∼.

A finite path in the CGSO is a finite non-empty sequence of states ρ =q₀q₁q₂. . .qk such that (qi,q_i+1)∈Rfor alli∈ {0, . . . ,k−1}. Aninfinite path(or run) is an infinite sequence of states such that each finite prefix is a finite path. We denote byPath(resp.InfPath) the set of finite (resp. infinite) paths.

Let|ρ|the length of the pathρ(with|ρ|=∞ifρ is infinite). For 0≤i<|ρ|, we writeρ(i)to represent thei+1-th element of the pathρ. For a pathρ, we writefirst(ρ)for its first elementρ(0)and, when

|ρ|<∞, we writelast(ρ)for its last elementρ(|ρ|). For 0≤i<|ρ|, we denote byρ≤i the prefix ofρ until positioni, i.e. the finite pathρ(0)ρ(1). . .ρ(i). We extend the equivalence relation∼_afora∈Agt to paths as follows : two pathsρandρ⁰ area-equivalent (writtenρ∼aρ⁰) if, and only if,|ρ|=|ρ⁰|and ρ(i)∼_aρ⁰(i)for every 0≤i<|ρ|.

Given a CGSOC and one of its statesq₀, we writeT_C(q₀)for the execution treeofC from q₀: formally,T_C(q0)is the pairhT, `iwhereT is the set of all finite paths (callednodesin the context of trees) inC with first stateq<sub>0</sub>, and`labels each nodeρwith the labeling oflast(ρ)inC. It will be convenient in the sequel to see execution trees as infinite-state Kripke structures. To alleviate notations, we still write T_C(q0)for the Kripke structure hT,R, `iwherehT, `i is the tree defined above, andR⊆T×T is the transition relation such that(ρ,ρ⁰)∈Rwheneverρis the prefix ofρ⁰ of length|ρ⁰| −1.

Astrategyfor agenta∈Agtis a function fa:Path→M; it associates with any finite path a move to be played by agentaafter this path. A strategy f_afor agenta∈Agtis said to bememorylesswhenever for any two finite pathsρandρ⁰ such thatρ(|ρ| −1) =ρ⁰(|ρ⁰| −1), it holds f_a(ρ) = f_a(ρ⁰). Hence the decision of a memoryless strategy depends only on the current control state; for this reason, we may simply give such a strategy as a fonction fa:Q→M. A strategy fAfor a coalition of agentsA⊆Agt is a set of strategy{f_a}_a∈Aassigning a strategy f_ato each agenta∈A(note that a strategy for agenta is equivalent to a strategy for coalition{a}). Given a strategy fA={fa}_a∈A for coalitionA, we say that a pathρ respects fA from a finite path π if, and only if, for all 0≤i<|π|, we have ρ(i) =π(i)and for all|π| ≤i<|ρ| −1, we have thatρ(i+1) =Edge(ρ(i),m)wheremis a move vector satisfying m(a) = fa(ρ≤_i)for alla∈A. Given a finite pathπ, we denote byOut(π,fA)the set of infinite pathsρ⁰ such thatρrespects the strategy fAfromπ. Given a strategygA={ga}a∈Afor a coalitionAand a strategy f_B={f_b}_b∈Bfor a coalitionB, we denote byg_A◦f_B, the strategy{h_c}_c∈A∪Bfor coalitionA∪Bsuch that hc=gcfor allc∈Aandhc= fc for allc∈B\A. Finally given a fB={fb}_b∈Bfor a coalitionBand a set of agentsA⊆Agt, we denote by(fB)|A (resp.(fB)_rA) the strategy{f_b}_b∈B∩A (resp.{f_b}_b∈B\A) for coalitionB∩A(resp.B\A).

Partial observation comes into the play by restricting the space of allowed strategies: in our setting, we only consider strategies that arecompatiblewith the observation in the game, which means that after any twoa-equivalent finite pathsρ andρ⁰, the strategies for agenta have to take the same decisions (i.e. fa(ρ) = fa(ρ⁰)). We could equivalently define a compatible strategy foraas a function from the quotient setPath/∼_a toM, such that if[ρ]is the equivalence class ofρwith respect to∼a, then fa([ρ]) gives the move to play forafrom any history equivalent toρ. A strategy f_A={f_a}_a∈A for coalitionA iscompatibleif fais compatible for alla∈A. We writeStrat(A)to denote the unrestricted strategies for coalitionA, Strat^∼(A) for the set of compatible strategies, andStrat^∼₀(A) is the set of compatible memoryless strategies forA.

2.2 ATLwith strategy contexts

We will be interested in the logicATLsc, which extends the alternating-time temporal logic of [AHK02]

with strategy contexts. We assume a fixed set of atomic propositionsAPand a fixed set of agentsAgt.

Definition 2. The formulas ofATL^∗_scare defined by the following grammar:

ATL^∗_sc3ϕs,ψs::=P| ¬ϕs|ϕs∨ψs| h·A·iϕp| h·A·iϕp|LAMϕp|LAMϕp

ϕp,ψp::=ϕs| ¬ϕp|ϕp∨ψp|Xϕp|ϕpUψp

where P ranges overAPand A ranges over2^Agt.

We interpretATL^∗_scformulas over CGSOs, within a context (i.e., a preselected strategy for a coalition):

state formulasof the formϕsin the grammar above are evaluated over states, whilepath formulasof the formϕpare evaluated along infinite paths. In order to have a uniform definition, we evaluate all formulas at a given position along a path.

In ATL^∗_sc, contrary to the case of classical ATL[AHK02], when strategy quantifiers assign new strategies to some players, the other players keep on playing their previously-assigned strategies. This is what “strategy contexts” refer to. Informally, formula h·A·iϕp holds at positionn alongρ under the contextF if it is possible to extendF with astrategyfor the coalitionAsuch that the outcomes of the resulting strategy afterρ≤nall satisfyϕp. In Section 4, we also consider the strategy quantifiers h·A·i₀, which quantifies only onmemorylessstrategies. Finally strategies can be dropped from the context using the operatorL-M. Notice that in this paper, all strategy quantifiers are restricted to compatible strategies.

We now define the semantics formally. LetC be a CGSO with agent setAgt,ρ be an infinite path ofC, andn∈N. LetB⊆Agtbe a coalition, and f_B∈Strat^∼(B). That a (state or path) formulaϕholds at a positionnalongρinC under strategy context f_B, denotedC,ρ,n|=f_B ϕ, is defined inductively as follows (omitting atomic propositions and Boolean operators):

C,ρ,n|=f_B LAMϕs iff C,ρ,n|=_(fB)rA ϕs

C,ρ,n|=f_B LAMϕs iff C,ρ,n|=_(fB)|A ϕs

C,ρ,n|=f_B h·A·iϕp iff ∃g_A∈Strat^∼(A).∀ρ⁰∈Out(ρ≤n,gA◦fB).C,ρ⁰,n|=g_A◦f_B ϕp

C,ρ,n|=f_B h·A·iϕp iff C,ρ,n|=f_B h·Agt\A·iϕp

C,ρ,n|=f_BXϕp iff C,ρ,n+1|=f_B ϕp

C,ρ,n|=fBϕpUψp iff ∃l≥0.C,ρ,n+l|=fBψpand∀0≤m<l.C,ρ,n+m|=fBϕp

Finally, we write C,q₀ |=ϕs when C,ρ,0|=f_/0 ϕs (with empty context) for all path ρ such that ρ(0) =q₀. Notice that this does not depend on the choice ofρ. The usual shorthands such asFandG are defined as forCTL^∗. It will also be convenient to use the constructs J·A·Kϕpas a shorthand for¬ h·A·i ¬ϕp, and h·A·iϕsas a shorthand forh·A·i ⊥Uϕs. TheCTL^∗universal path quantifiersEand Acan be expressed inATL^∗_sc. For instance, Aϕpis equivalent to L/0Mh·/0·iϕp. Finally the fragmentATLscofATL^∗_scis defined as usual, by restricting the set of path formulas to

ϕp,ψp::=¬ϕp|Xϕs|ϕsUψs.

Remark 3. The strategy quantifiers for complement coalitions (namely h·A·i and LAM) are only useful in case the setAgtis not known in advance, as it is the case when dealing with satisfiability or with expressiveness questions.

Remark 4. As opposed to Strategy Logic [CHP07, MMV10], the (existential) strategy quantifiers in ATLscinclude an implicit (universal) quantification over the outcomes of the strategies of the unassigned players. This is indeed a quantification over all the outcomes, and not over the outcomes that would result only from compatible strategies.

Example 5. Consider the CGSOC in Figure 1. It is a turn-based CGS with two players (Player a₁plays in circle node, and Player a₂ plays in box node). The setM is{1,2,3}. The partial observation for Player a₁is then given by∼_a1 is≡_P (i.e. two states are equivalent if, and only if, the truth value of P is the same in both states). Now consider the formulaϕ=h·a₁·iFf . To see thatϕ holds for true in q₀ with the standard semantics (where the strategy quantifiers are not restricted to compatible strategies), it is sufficient to consider the (memoryless) strategy for a₁consisting in choosing the move m₁from q₂ and the move m₂(or m₃) from q₃. Note that this strategy is not compatible (after q₀q₂and q₀q₃, agent a₁ should choose the same move), thus we need to consider another one to show thatϕis satisfied with the partial-observation semantics; for example, the strategy consisting in choosing m₁after q₀q₂and q₀q₃, m₂after q₀q₁q₃and m₁after q₀q₃q₂. If furthermore we look for a memoryless compatible strategy for a₁, we can use the strategy assigning the move m₁to q₂and q₃, hence the formula h·a₁·i₀Ff also holds true in q₀. Therefore, formulaϕholds true at q₀. On the other hand, formula h·a₁·i₀X X Xf does not hold true in q₀, but formula h·a₁·iX X Xf , where we drop the memory constraint, does hold true.

q₀

q₁

P

q₂

P

q₃

q₄

f

q₅ m₁

m3

m2

m1;m2;m3

m₁

m2;m3

m1

m2;m3

C

Fig. 1: The turn-based CGSC

In the sequel we will consider themodel-checking problemofATL^∗_sc over CGSOs which takes as input a CGSOC, a control stateq₀and anATL^∗_scformulaϕ and which answers yes ifC,q0|=ϕand no otherwise. We will also consider thesatisfiability problemwhich given a formula ofATL^∗_scdetermines whether there exists a CGSOC and a control stateq₀such thatC,q₀|=ϕ. We recall that when considering concurrent game structures (with full observation),ATL^∗_scmodel-checking is decidable, but its satisfiability problem is undecidable (except when restricting to turn-based games) [LM15].

2.3 From concurrent games to turn-based games

Following our definitions, turn-based game structures can be seen as special cases of concurrent game strcutres, where in each location only one player may have several non-equivalent moves. In this section, we prove that any partial-observation CGSO can be turned into anequivalentpartial-observation TBGSO (whereequivalentwill be made precise later). While all players play at the same time in a CGSO, they play one after the other (in any predefined order) in the correspondig TBGSO, but the intermediary states are made undistinguishable to all players, so that no player can gain information from playing after another one. Figure 2 schematically represents this transformation in the case of two players. Obviously, since we add intermediary states, we also have to modify theATL^∗_sc formula to be checked, by making the intermediary states “invisible”; this is a classical construction in temporal logics. In the end, we prove the following result:

q₀

q₁ q₂ q₃

hm1,m1i hm2,m1i

hm1,m2i hm2,m2i

q₀

q₁ q₂ q₃

m₁ m₂

m1 m2 m1 m2

Fig. 2: Turning a CGSO into an equivalent TBGSO

Theorem 6. For any CGSOC=hQ,R, `,Agt,M,Mov,Edge,(∼<sub>a</sub>)a∈Agti, we can compute a TBGSOT = hQ<sup>0</sup>,R<sup>0</sup>, `⁰,Agt,M,Mov⁰,Edge⁰,(≈a)_a∈Agtiwith Q⊆Q⁰, for which there is a logspace translationϕ∈ ATL^∗_sc7→ϕ_e∈ATL^∗_scsuch that for anyϕ∈ATL^∗_scand any state q ofC, it holds:

C,q|=/0ϕ ⇔ T,q|=/0ϕ.e Furthermore, ifC is uniform, then so is T.

2.4 QCTL^∗in a nutshell

As we explain in the sequel, under some restrictions (uniformity or restriction of the considered strategies), the model-checking problem ofATL^∗_scover CGSOs can be reduced to the model-checking problem of the temporal logic QuantifiedCTL^∗over Kripke Structures.QCTL^∗extends the classical branching time temporal logicCTL^∗ withatomic propositions quantifiers∃P.ϕs(and its dual∀P.ϕs), wherePis an atomic proposition inAP:

QCTL^∗3ϕs,ψs::=P| ¬ϕs|ϕs∨ψs|Eϕp| ∃P.ϕs

ϕp,ψp::=ϕs| ¬ϕ_p|ϕp∨ψp|Xϕp|ϕpUψp

where Pranges over AP. We briefly reviewQCTL^∗ here, and refer to [LM14] for more details and examples.

QCTL^∗formulas are then interpreted over a (classical) Kripke structureS =hQ,R, `i. Informally

∃P.ϕsis used to specify the existence of a valuation forPoverS such thatϕsis satisfied. We consider two different semantics of∃P.ϕ: thestructure semanticswhere one looks for a valuation of the structureS, and thetree semanticswhere one considers the valuation of its execution tree.

ForX⊆AP, two Kripke structuresS =hQ,R, `iandS<sup>0</sup>=hQ<sup>0</sup>,R<sup>0</sup>, `⁰iareX -equivalent(denoted by S ≡X S⁰) wheneverQ=Q⁰,R=R⁰, and`≡X`⁰(i.e.,`(q)∩X =`⁰(q)∩Xfor anyq∈Q). Thestructure semanticsofQCTL^∗ (whose satisfaction relation is denoted by|=st) is derived from the semantics of CTL^∗by adding the following rule:

S,ρ,n|=st∃P.ϕs iff ∃S⁰.S⁰≡_APr{P}S andS⁰,ρ,n|=stϕs.

In other terms,∃P.ϕsmeans that it is possible to (re)label the Kripke structure withPin order to makeϕs

hold. As for CGSO, we writeS,q₀|=_stϕswheneverS,ρ,0|=_stϕsfor all pathρsuch thatρ(0) =q₀. Thetree semantics(whose satisfaction relation is denoted by|=_tr) is defined as:S,q₀|=_trϕsif, and only if,T_S(q0),q₀|=stϕs(whereT_S(q0)is the execution tree ofS fromq₀, seen as an infinite-state Kripke structure).

Example 7. Consider formula EXϕ∧ ∀P.EX(ϕ∧P)⇒AX(P⇒ϕ), which we write EX₁ϕ in the sequel. This formula states the existence of a unique immediate successor satisfyingϕ. We will reuse it later in our construction.

Theorem 8([LM14]). 1. For the structure semantics, the model-checking problem of QCTL^∗ is PSPACE-complete and the satisfiability problem is undecidable.

2. For the tree semantics, the model-checking and satisfiability problems ofQCTL^∗are decidable, and Tower-complete.

3 Model checking uniform CGSOs

As we have already mentioned, it is well known that the model-checking ofATLover CGSO is undecid- able [AHK02, DT¸ 11]. SinceATLis a fragment ofATL^∗_sc, this undecidability result holds also forATL^∗_sc. We prove in this section that decidability can be regained by restricting to uniform partial observation, i.e., by assuming that the observation is the same for all the agents. The idea consists in reducing the model-checking problem ofATL^∗_scover uniform CGSOs to the model-checking problem forQCTL^∗with tree semantics over a complete Kripke structure representing the possible observations.

In the sequel, we consider a uniform CGSOC =hQ,R, `,Agt,M,Mov,Edge,(∼_a)a∈Agtiwith the finite set of statesQ={q₀, . . . ,qs}, the finite set of movesM ={m₁, . . . ,mr}and∼_a=∼for alla∈Agt.

For eachq∈Q, we denote by[q]the equivalence class ofqwith respect to∼,i.e.[q]⊆2^Qis such that q⁰∈[q]if, and only if,q∼q⁰. We also consider anATL^∗_scformulaϕswhose h·-·i-depth (i.e. the maximal number of nested modalitiesh·-·i) isλ(we assume here that modalitiesh·-·i andL-M have been previously removed fromϕs, as the set of agents is known). The idea behind our proof is to consider a Kripke structureS_C as a complete graph whose set of nodes is the set of equivalence classes[q]. We then use the power ofQCTL^∗(with the tree semantics) to build paths and strategies in this Kripke Structure. The fact that, in the Kripke structure, the paths go through equivalent classes of states (and not through states), guarantees that the corresponding strategies are compatible with the partial observation.

Before we build the Kripke Structure, we need to introduce some sets of fresh atomic propositions (not appearing inC or inϕs) which we will use to encode paths and strategies in the Kripke structure. Let APQ={q^`_i |1≤i≤sand 0≤κ≤λ},AP^a_M={m^a₁, . . . ,m^a_r}for everya∈Agt, andAP_M=^Sa∈AgtAP^a_M andAP_S={s_i|1≤i≤s}be those sets of fresh atomic propositions. We assume thatAPQ,AP_M and AP_Sare subsets ofAP. Intuitively, propositions inAPQwill be used to fix a path ofC at each levelκ of quantification (a path at levelκbeing a sequence of statesq^κ_i ); propositions inAP^a_M will be used to label the choices corresponding to a strategy of agenta.

The Kripke structureS_C associated withC is then defined ashQ_C,R_C, `<sub>C</sub>iwhereQ<sub>C</sub> ={[q]|q∈Q}, R<sub>C</sub> =Q<sub>C</sub>×Q<sub>C</sub> and`_C([q]) ={s_i|q_i∈[q]}. Compatible strategies can then be encoded as functions labeling the execution trees of this Kripke structure (from the state where we evaluate the formula):

a strategy fafor some agent ais represented as a function ^‹fa:Q⁺_C →AP^a_M that labels the execution treesT_SC(q)ofS_C from the current stateqwith proposition inAP^a_M. However note thatS_C being a complete graph, paths in this structure might not correspond to paths in the associated CGSOC; we will use atomic propositionsqito identify concrete paths ofC.

Given a coalitionBinAgt, an integer 0≤κ≤λ, and a subformula ofϕsath·-·i-depthκ, we define a QCTL^∗formulaϕe^B,κinductively as follows:

Pe^B,κ= ^_

{i|P∈`(qi)}

q^κ_i ^‡LAMϕs

B,κ

=ϕ‹s

BrA,κ

‡ϕ∧ψ^B,κ=ϕe^B,κ∧ψ_‹^B,κ ¬gϕ^B,κ=¬ϕ_e^B,κ

ϕ·pUψp

B,κ=fϕp

B,κUψfp

B,κ

Xfiϕp

B,κ=Xfϕp

B,κ

For a formula of the shape¹ h·a·iϕ_p, the construction is as follows:

·h·a·iϕp

B,κ=∃m^a₁. . .m^a_κ.^hΦ_strat({a})∧ ∀q^κ+1₁ . . .q^κ+1_s .Φ_path(κ+1)∧ _

1≤i≤s

(q^κ_i ∧q^κ+1_i )∧Φout(κ+1,B∪ {a})⇒AG ^_

1≤i≤s

q^κ+1_i ⇒ _fϕp

B∪{a},κ+1i

with

Φ_strat(A) =^{^}

a∈A

AG ^_

1≤j≤r

(m^a_j∧^{^}

j⁰6=j

¬m^a_j⁰)

Φpath(κ+1) =EG ^_

1≤i≤s

Äq^κ+1_i ∧si∧^{^}

i⁰6=i

¬q^κ+1_i0

ä∧EX1( ^_

1≤i≤s

q^κ+1_i )

Φ_out(κ+1,B) =EG ^_

1≤i≤s

_

¶

(m,qj)

m∈M^Agt∧ q_j=Edge(qi,m)

©

q^κ+1_i ∧m_‹^B∧EXq^κ+1_j

wherem‹^Bis a shorthand for the formula^V{(b,m_k)|b∈B∧m[b]=m_k}m^b_k. We point out the fact thatΦ_out(κ+1,B) is based on the transition tableEdgeofC; consequently, its size is inO(|Q|²· |M|^|Agt|)(i.e., inO(|Q| ·

|Edge|)).

The intuition behind formula^·h·a·iϕp

B,κ

is as follows: the formula first “selects” a strategy for agenta under the form of a labeling of the execution tree ofSC withm^a_i; it then uses subformulaΦstrat({a})to ensure that this labeling correctly encodes a strategy fora; finally, it checks that all the outcomes of the selected strategy satisfyϕp. The latter task is achieved by considering all the labelings of the structure withq^κ+1₋ , and, for the labelings that correspond to one outcome of the selected strategy, by checking the formulaϕp. Ensuring that a labeling corresponds to an outcome is done as follows:

1. it corresponds to an infinite branch in the execution tree ofS_C, and each node labeled byq^κ+1_i should correspond to a node [qi](labeled by si) in S_C (both points are ensured by formula² Φpath(κ+1));

2. at the present position, one of the propositionsq^κ+1_i has to match with one of the stateq^κ_i of the previous level (this ensures that the path labeled byq^κ+1₋ starts from the “current state” considered in the game);

3. the branch obtained by this labeling effectively follows the choices dictated by the labels m^b₋ encoding the strategies forb∈B∪ {a}; this is checked by the formulaΦ_out(κ+1,B∪ {a}).

Finally, the formula checks that the corresponding path satisfies the formulafϕp

B∪{a},κ+1

. The correctness of the reduction is stated in the following theorem:

1For the sake of readability, we restrict to one-player coalitions here; the construction easily extends to the the general case with a coalition (including the empty coalition).

2See Example 7 for the definition ofEX₁

Theorem 9. Letϕsbe anATL^∗_scstate-formula,C be a uniform CGSO, and q_αbe a state ofC. Then:

C,q_α|=ϕs if, and only if, S_C,[q_α]|=_tr∃q⁰_α.ϕ‹s

/0,0∧q⁰_α

Proof.First we point out the fact that none of the formula used in the reduction checks that the considered strategies are compatible, but in fact this is guaranteed because we evaluate the formula over the Kripke structureS_C, and two equivalent paths inC with respect to∼are necessarily matched to a unique path in the execution tree ofS_C.

We now prove that our reduction is correct. LetT_SC([qα]) =hT_C,R⁰_C, `<sup>0</sup><sub>C</sub>ibe the execution tree of the Kripke structureS<sub>C</sub> from the state[q<sub>α</sub>]. Note that nodes inT<sub>SC</sub>([q<sub>α</sub>])are thus finite paths of the form [q<sub>0</sub>][q<sub>1</sub>]. . .[qk](withq<sub>0</sub>=q<sub>α</sub>). For a finite pathπ inC such thatπ(0) =q<sub>α</sub>, we denote by[π]the path inS<sub>C</sub> such that|π|=|[π]|and for all 0≤i<|π|, we have[π](i) = [π(i)]. We also denote bypath(π) the path inT<sub>SC</sub>([q<sub>α</sub>])such that|path(π)|=|π|and for all 0≤i<|π|, path(π)(i) = [π≤i]. We now consider the treeT<sup>0</sup>=hT<sub>C</sub>,R<sup>0</sup><sub>C</sub>, `⁰iwhere`<sup>0</sup> extends the function`⁰_S with propositions of typem^a_j andq^κ_i. This extension is used to encode a strategy context and to describe a path ofC. Given a compatible strategy f_B={f_b}_b∈B for the coalitionB={b₁, . . . ,b_h}, an infinite pathρinC suchρ(0) =q_α and a positionn≥0, we say that`⁰is:

• an f_B-labeling whenever, for every nodeγ∈T_C withγ= [π]for some finite pathπinC, for any b∈B, for any 1≤ j≤r, we havem^b_j∈`⁰(γ)if, and only if, fb(π) =mj;

• a(κ,ρ)-labeling if the following two conditions are verified:

1. for all j≥0, it holdsq^κ_i ∈`⁰([ρ≤j])if, and only if,ρ(j) =qi

2. ifq_i∈`⁰(π)for a nodeπ∈T_C, then there exists j≥0 such thatπ= [ρ≤j].

In other words, the propositionsq^κ₁, . . . ,q^κ_s label a unique branch in the tree, that can be matched with the pathρ.

We say that for 0≤κ ≤λ, a subformulaϕ ofϕsoccurs at h·-·i-depthκ, if the number of h·-·i- quantifier aboveϕ in tree representing formulaϕsisκ.

Proposition 10. Letϕbe some subformula ofϕswhich occurs at h·-·i-depthκwith0≤κ≤λ,ρbe a run ofC such thatρ(0) =q_α, n be a natural number, fBbe a compatible strategy for coalition B. Let T⁰=hT_C,R⁰_C, `<sup>0</sup>ibe the tree defined as above. If`⁰is an f_B-labeling and a(κ,ρ)-labeling, then we have:

C,ρ,n|=f_B ϕ if, and only if, T⁰,path(ρ),n|=stϕe^B,κ.

Proof.The proof is done by structural induction overϕ. In the following, we letq_α⁰=ρ(n).

• caseϕ=P: we haveρ(n)|=f_B Pif, and only if,P∈`(q<sub>α</sub><sup>0</sup>). As`⁰ is a(κ,ρ)-labeling, we know that T⁰,path(ρ),n|=q^κ_α. By definition ofP^eB,κ, the implication follows. Conversely assume T⁰,path(ρ),n|=Pe^B,κ, we know thatρ(n)has to be labeled byP, because`⁰is a(κ,B)-labeling.

• caseϕ=ϕpUψp: ifC,ρ,n|=fB ϕpUψp, then there existsi≥ns.t.C,ρ,i|=fBψpand for anyn≤ j<i, we haveC,ρ,j|=f_Bϕp. By i.h., we getT⁰,path(ρ),i|=ψfp

B,κand, for anyj,T⁰,path(ρ),j|= fϕp

B,κ; from this we obtainsT⁰,path(ρ),n|=ϕe^B,κ. The converse is similar.

• caseϕ=h·a·iϕp: AssumeC,ρ,n|=f_B h·a·iϕp. Then there exists a∼-compatible strategy fas.t. for anyρ⁰∈Out(ρ≤n,fa◦fC), we haveρ⁰|=f_a◦f_B ϕp. From this strategy fa, we deduce a valuation for propositions m^a₁, . . . ,m^a_r extending `<sup>0</sup> over T (because f<sub>a</sub> is ∼-compatible), and satisfying Φ<sub>strat</sub>({a}). Now extend`⁰with a valuation forq^κ+1₁ , . . . ,q^κ+1_s following the runρ⁰(i.e. for every stateρ⁰(i) =q_β, the corresponding node[ρ⁰](i)is labeled byq^κ+1_β , and only[ρ⁰]-nodes are labeled by these propositions). Let`⁰⁰be this new valuation forT⁰.Then clearly we have:

– T⁰,path(ρ),n|=Φ_path(κ+1), sinceqpropositions label a path;

– T⁰,path(ρ),n|=q^κ_α0∧q^κ+1_α0 , because the current position belongs to the runsρandρ⁰, and the new runρ⁰is issued from the current position;

– T⁰,path(ρ),n|=Φ_out(κ+1,C∪ {a}), meaning that the labeling ofq^κ+1₋ propositions follows the ”correct” pathρ⁰ fromOut(ρ≤n,fa◦fB);

– finally,T⁰,path(ρ⁰),n|=fϕp

B∪{a},κ+1

by i.h.

Therefore we have:T⁰,path(ρ),n|=ϕe^B,κ.

We now prove the converse implication. Assume T⁰,path(ρ),n|=ϕe^B,κ. From the existence of a labeling form^a₁, . . . ,m^a_r satisfyingΦstrat({a}), we deduce a ∼-compatible strategy fa inC for every finite runs issued fromρ(≤n)Now consider a valuation forq^κ+1₁ , . . . ,q^κ+1_s . Either it makes the left-hand side subformula of the implication to be false, and there is no consequence, or this subformula is true and in this case, the valuation describes a runρ⁰inC issued fromρ(n) and belonging in Out(ρ≤n,fa◦fB); this run has to satisfy fϕp

B∪{a},κ+1

, and by i.h. we get that C,ρ⁰,n|=f_a◦f_Bϕp.

Corollary 11. The model-checking problem of ATL^∗_scover uniform CGSOs is decidable (andTower- complete).

Remark 12. Our algorithm can be used to decide whether one player (with partial observation of the system) has a compatible strategy to win against all the other players, whatever is the observation of the other players (since the implicit quantification in strategy quantifiers ranges over all the outcomes).

As a consequence, when considering the fragment ofATLin which strategy quantifiers always involve at most one-player coalitions, the model-checking problem is decidable for possibly non-uniform partial observation. It can be checked that indeed the undecidability proof of [DT¸ 11] involves a strategy quantification over a coalition of two players with different observation.

4 Restriction to memoryless strategies

In this section, we show that another way to obtain decidability for the model-checking problem ofATL^∗_sc over game structure with (possibly non-uniform) partial observation is by restricting the set of considered strategies to memoryless strategies. We denote byATL^∗_sc,0, the temporal logic obtained fromATL^∗_scby replacing respectively the quantifiers over strategiesh·A·i by h·A·i₀ and h·A·i by h·A·i₀. Given a CGSOC a pathρ ofC, andn∈Nsuch thatn<|ρ|and fB∈Strat^∼₀(B), the semantics of these two operators is given by:

C,ρ,n|=f_B h·A·i₀ϕp iff ∃g_A∈Strat^∼₀(A).∀ρ⁰∈Out(ρ≤n,gA◦fB).C,ρ⁰,n|=g_A◦f_Bϕp

C,ρ,n|=f_B h·A·i₀ϕp iff ∃g_A∈Strat^∼₀(Agt\A).∀ρ⁰∈Out(ρ≤n,g_A◦f_B).C,ρ⁰,n|=g

A◦f_B ϕp

In [LM15], a reduction from model-checkingATLsc,0andATL^∗_sc,0toQCTL^∗model-checking problem over concurrent game structure with perfect observation is given, the main idea is to use the structure semantics instead of the tree semantics. In this framework the complexity is simpler, since both problems arePSPACE-complete: the number of memoryless strategies for one player being bounded (by|M|^|Q|), we can easily enumerate all of them, and store each strategy within polynomial space. When considering partial observation, we can use the same approach, we need to also ensure that the chosen strategies are compatible, but this can easily be achieved when considering memoryless strategies, since one only needs to check that a strategy f_aproposes for two equivalent states (w.r.t.∼_a) the same move.

LetC =hQ,R, `,Agt,M,Mov,Edge,(∼<sub>a</sub>)a∈Agtibe a CGSO with finite set of statesQ={q<sub>0</sub>, . . . ,qs}, finite set of movesM={m<sub>1</sub>, . . . ,m<sub>r</sub>}and the finite set of agentsAgt={a<sub>1</sub>, . . . ,a<sub>p</sub>}. For eacha∈Agt, we suppose that the number of equivalence classes for∼<sub>a</sub>isn<sub>a</sub>and we use the notationE<sub>i</sub><sup>a</sup>with 1≤i≤n<sub>a</sub>to represent thei-th equivalence class of∼<sub>a</sub>. We denote byK<sub>C</sub> the Kripke structurehQ,R, `_KiunderlyingC based on the same states and the same transitions, and where the labeling function extends`by adding labels from the sets{P_q|q∈Q} ∪ {P^∼_i ^a |a∈Agt∧1≤i≤n_a}in such a way that the following two conditions hold:

• Pq∈`_K(q⁰)if, and only if,q⁰=q,

• for alla∈Agt,P^∼_i ^a∈`_K(q)if, and only if,q∈E_i^a.

Below we show how to translate a formulaϕsofATL^∗_sc,0 into a formula ofϕ“sofQCTL^∗ such that we will haveC,q₀|=ϕsfor a stateq₀ofC iffK_C,q₀|=_stϕ“s. Note that at the opposite of the previous section, we consider here thestructure semantics[LM14] when performing the model-checking ofK_C: this means that instead of ranging over labelings of the execution tree, propositional quantification ranges over labelings of the Kripke structure. This is due to the fact that the compatible memoryless strategies we take here into account are functions mapping equivalent states (and not anymore path of equivalent states) to the same move. Given a coalitionBinAgtandϕ a subformula ofϕs, we define aQCTL^∗formulaϕb^B inductively as follows:

Pb^B=P ^÷LAMϕs

B

=ϕ“s

BrA

÷ϕ∧ψ^B=ϕb^B∧_“ψ^B ¬dϕ^B=¬ϕ_b^B ϕ◊pUψp

B=cϕp

BUψcp

B

Xϕ‘p

B=Xcϕp

B

For a formula of the shape h·a·i₀ϕp, we let³:

ÿh·a·i₀ϕp

B

=∃m^r₁. . .m^a_κ.Φ_strat0({a})∧A^h(Φ⁰_out({a} ∪B))⇒ _cϕp

B∪{a}i

where

Φstrat0(A) =^{^}

a∈A

ñ

AG ^_

1≤j≤r

(m^a_j∧^{^}

j⁰6=j

¬m^a_j⁰)∧ ^{^}

1≤c≤n_a

^

1≤j≤r

EF(P^∼_c^a∧m^a_j)⇒AG(P^∼_c^a⇒m^a_j) ô

and

Φ⁰_out(B) =G ^{^}

q∈Q

^

¶

(m,q⁰)

m∈M^Agt∧ q⁰=Edge(q,m)

©

î(Pq∧m_“^B)⇒XP_q^0ó.

wherem“^Bis a shorthand for the formula^V_{(b,mk)|b∈B∧m[b]=m_k}m^b_k. The last FormulaΦ⁰_out(B)characterizes the outcomes of the strategies in use for some coalitionB. We point out that theQCTL^∗formulaϕ“s

/0has sizeO(|Φ| · |Q| ·(|Agt| · |M|²+|Q| · |Edge|)).

A memoryless and compatible strategy fB can easily be encoded by labeling states ofK_C with the moves of the coalitionBthanks to the propositionsm^a₁, . . . ,m^a_r fora∈B. TheΦstrat₀(B)is here to ensure both that the labelsm^acorrespond to a strategy for coalitionBand to check that such a strategy is memoryless and compatible: for allreachablestates labeled with some move, the formula verifies that all

3As in the previous case, the extension toh·A·i₀ is straightforward.

the equivalent states are labeled by the same move. Note that this property ranges over reachable states:

we could have unreachable states that are labeled in an improper way but this is not a problem as such state will never be reached from the current position (and consequently they cannot impact on the truth value of the formula).

We will now consider the Kripke structureK_C⁰ =hQ,R, `<sup>0</sup>iwhere`⁰ extends the function`<sub>K</sub> with propositions of typem<sup>a</sup><sub>j</sub>. Given a compatible memoryless strategyf<sub>B</sub>={f<sub>b</sub>}<sub>b∈B</sub>for the coalitionB, we say that`⁰is an fB-labeling if for every nodeq∈Q, for anyb∈Band for any 1≤j≤r, we havem^b_j∈`⁰(q) iff f_b(q) =m_j(we recall that a memoryless strategy f_bcan be seen as a function fromQtoM).

Proposition 13. Letρ be a run ofC, n be a natural number, fB be a compatible strategy inStrat^∼₀(B) for coalition B. If`⁰is an fB-labeling, then we have:

C,ρ,n|=f_B ϕs iff K_C⁰,ρ,n|=ϕ“s

B

Proof.The proof is done by structural induction overΦ.

• Φ=ϕpUψp: AssumeC,ρ,n|=f_BϕpUψp. Therefore there existsi≥ns.t.C,ρ,i|=f_B ψpand for anyn≤ j<i, we haveC,ρ,j|=f_Bϕp. For every position betweennandi, the induction hypothesis can be applied and we deduceK_C⁰,ρ,n|=ϕcp

BUψcp

B. The converse is done similarly.

• Φ=h·a·iϕp:(1)⇒(2). AssumeC,ρ,n|=f_B h·a·iϕp. There exists a memoryless compatible strategy f_as.t. for anyρ⁰∈Out(ρ≤n,f_a◦f_B), we haveC,ρ⁰,n|=fa◦fB ϕp. Thus we can find a labeling of propositionsm^a₁, . . . ,m^a_r for K_C⁰ to represent f_a. This labeling completes the existing one for strategy contextFBand the formulaΦ_strat0({a} ∪B)is then satisfied onK_C⁰,ρ,n. And anyK_C⁰-run satisfyingΦ⁰_out({a} ∪B)belongs to the set of outcomes generated by the strategy context fa◦fB, and then satisfiescϕp

{a}∪B

by induction hypothesis.

(2)⇒(1). Now assumeK_C⁰,ρ,n|=ϕb^B. Therefore there exists a labeling form^a₁, . . . ,m^a_r such that Φ_strat0({a})holds true. Such a labeling defines a memoryless and compatible strategy for the reachable states (fromρ,n). And finally every run satisfyingΦ⁰_out({a} ∪B)has to satisfyϕcp

{a}∪B

. By induction hypothesis we get the stated result.

Thus we have:

Theorem 14. The model-checking problem ofATL^∗_sc,0isPSPACE-complete.

Proof. QCTL^∗ model checking can be solved in polynomial space for the structure semantics. This immediately gives aPSPACEalgorithm for our problem. Conversely,ATL_sc,0 model checking (with perfect observation) isPSPACE-hard [BDLM09]. This extends immediately to the partial-observation setting.

Remark 15. Quantification over memoryless strategies could also be achieved using the tree semantics, following the presentation of Section 3. To do so, it suffices to label each state with its name (hence adding a few extra atomic propositions) and to require that the labeling of the execution tree with strategies satisfies that whenever some state s is labeled with some move m_i, then all the occurrences of s must be labeled with the same mode mi.

While this has little interest for model checkingATL^∗_sc,0in terms of complexity, it shows that model checking remains decidable for the logic involving quantification over both memoryful, bounded-memory and memoryless strategies.

5 Satisfiability and partial observation

In this section, we consider satisfiability checking: given a formulaΦ, we look for a game structureC, an equivalence∼over states, and a control stateq₀, such thatC,q₀|=Φ. This problem is undecidable for ATLsc(andATL^∗_sc) in the classical setting of perfect-observation games.

First note that considering partial observation makes the problem different: there exists formulas that are satisfiable under partial observation, and not satisfiable for full observation. Consider formulaΦ= AX(h·a₁·iXf)∧ ¬ h·a₁·iX Xf. ClearlyΦis satisfiable when considering games with partial observation:

for example, one can consider the turn-based structure in Figure 3, wherea₁plays in circle nodes anda₂ plays in box nodes, and where∼is≡_P: fromq₀, there is no∼-strategy fora₁ensuring the propertyX Xf (because from the strategy should play the same move afterq₀q₁andq₀q₂), but the subformula h·a₁·iXf holds for true inq₁and inq₂.

q₀ P

q₁

P

q₂

q₃

f

q₄ 1

2

1

1 2 2

C

Fig. 3: The turn-based CGSC s.t.q₀|=Φ

But formulaΦis not satisfiable in the classical case: assume that AX(h·a₁·iXf)is satisfied in some stateq, then from everyq-successorq⁰, there is a strategy fq⁰ fora₁to ensureXf. Therefore the strategy for a₁ consisting, fromq, to choose an arbitrary move, and then to choose the strategy f_q⁰ for every possible successorq⁰ensures the propertyX Xf.

From a decidability point of view, considering partial observation does not make satisfiability problems to be simpler: in fact this problem remains undecidable forATLsc. Furthermore, it is even worse than in the classical setting: while the turn-based satisfiability is decidable when perfect information is assumed, it is undecidable when one considers the partial observation case.

Theorem 16. Satisfiability problems forATL^∗_sc. ATLsc,ATL^∗_sc,0andATL_sc,0(with partial observation) are undecidable even restricted to turn-based structures.

Proof.We can mostly reuse the proof of Troquard and Walther [TW12] (we have slighty modified in [LM15]). The key idea of their proof is to reduce S5ⁿ satisfiability to ATLsc satisfiability. Given an S5ⁿformulaΦ, one can build anATLscformula h·/0·iÙΦsuch thatΦis satisfiable iff h·/0·iÙΦis satisfiable.

Without considering the details of the proof, one can just note that^ÙΦuses Boolean operators and strategies quantifiers h·a_i·i (for 1≤i≤n) and formulas of the formXP: there is no U modality and there is no nesting ofX. Therefore with such a formula, every strategies quantifier is interpreted in a unique statew and we only consider the moves done in this statew: adding an equivalence∼over states or considering memoryless strategies do not change the semantics of^ÙΦ.

Assume thatΦis satisfiable. From the proof of [TW12], one can build a game structureC satisfying h·/0·iÙΦ. Moreover one can use the reduction of Theorem 6 to get a tun-based games with partial information.

Now assume thath·/0·iÙΦis satisfiable. Therefore there exists a game structureC with an equivalence∼ such thatC,q|= h·/0·iÙΦ. This structure is based on a set of agents{1, . . . ,k}withk≤n. And there is a strategyFforAgtsuch thatC,q|=FÙΦand^ÙΦmay only modify the choices for playersa₁, . . . ,a_n. Ifk>n,