Quantified CTL: expressiveness and model checking (Extended abstract)

Quantified CTL: expressiveness and model checking (Extended abstract)

Arnaud Da Costa¹, Fran¸cois Laroussinie², and Nicolas Markey¹

1 LSV – CNRS & ENS Cachan

2 LIAFA – Univ. Paris Diderot & CNRS

Abstract. While it was defined long ago, the extension of CTLwith quantification over atomic propositions has never been studied extensively.

Considering two different semantics (depending whether propositional quantification refers to the Kripke structure or to its unwinding tree), we study its expressiveness (showing in particular thatQCTLcoincides with Monadic Second-Order Logic for both semantics) and characterize the complexity of its model-checking problem, depending on the number of nested propositional quantifiers (showing that the structure semantics populates the polynomial hierarchy while the tree semantics populates the exponential hierarchy). We also show how these results apply to model checkingATL-like temporal logics for games.

1 Introduction

Temporal logics. Temporal logics extend propositional logics with modalities for specifying constraints on the order of events in time. Since [25,5,26], they have received much attention from the computer-aided-verification community, since they fit particularly well for expressing and automatically verifying (e.g.viamodel checking) properties of reactive systems. Two important families of temporal logics have been considered: linear-time temporal logics (e.g.LTL [25]) can be used to express properties of one single execution of the system under study, while branching-time temporal logics (e.g. CTL[5,26] andCTL^∗ [10]) consider the execution tree. Since the 90s, many extensions of these logics have been introduced, of which alternating-time temporal logics (such as ATL,ATL^∗ [1]) extendCTLtowards the study of open systems (involving several agents).

In this landscape of temporal logics, bothCTLandATLenjoy the nice property of having polynomial-time model-checking algorithms. In return for this, both logics have quite limited expressiveness. Several extensions have been defined in order to increase this limited expressive power.

Our contributions. We are interested in the present paper in the extension of CTL(andCTL^∗) withpropositional quantification [28,11]. In that setting, propo- sitional quantification can take different meaning, depending whether the extra propositions label the Kripke structure under study (structure semantics) or its execution tree (tree semantics). While these extensions ofCTLwith propositional

quantification have been in the air for thirty years, they have not been extensively studied yet: some complexity results have been published for existential quantifica- tion [15], for the two-alternation fragment [16] and for the full extension [12]; but expressiveness issues, as well as a complete study of model checking for the whole hierarchy, have been mostly overlooked. We answer these questions in the present paper: in terms of expressiveness, we prove thatQCTLandQCTL^∗ are equally expressive, and coincide with Monadic Second-Order Logic. Regarding model checking, we consider both prenex-normal-form formulas (EQCTL) and general formulas (QCTL), and our results are summarized in the table below (wherekin EQ^kCTLandQ^kCTLrefers to some measure of quantification height of formulas, see Section 2.4). Finally, we also characterize the model- and formula-complexities of our problems, when one of the inputs to the model-checking problem is fixed.

By lack of spaces, most proofs are omitted. They can be found in [8].

structure semantics tree semantics EQ^kCTL Σ^P_k-c.

k-EXPTIME-c.

Q^kCTL ∆^P_k+1[O(logn)]-c.

EQ^kCTL^∗,Q^kCTL^∗

PSPACE-c.

k+1-EXPTIME-c.

EQCTL,QCTL,

EQCTL^∗,QCTL^∗ non-elementary

Applications to alternating-time temporal logics. ATLalso has several flaws in terms of expressiveness: namely, it can only focus on (some) zero-sum properties, i.e., on purely antagonist games, in which two coalitions fight with opposite objectives. In many situations, games are not purely antagonist, but involve several independent systems, each having its own objective. Recently, several extensions ofATLhave been defined to express properties of such non-zero-sum games. Among those, our logic ATLsc [7] extends ATL with strategy contexts, which provides a way of expressing interactions between strategies. Other similar approaches include Strategy Logics [4,19] or(B)SIL[32].

Interestingly, the model-checking problem for these extensions ofATLsc(and also for Strategy Logics) can be seen as aQCTLmodel-checking problem³: strategy quantification in ATL is naturally encoded using propositional quantification of QCTL; since this labelling is persistent, it can encode interactions between strategies. We give the full encoding in Section 5. Notice that while the tree semantics ofQCTLencodes plain strategies, thestructure semantics also finds a meaning in that translation, as it may correspond to memoryless strategies.

Related works. Propositional quantification was also defined and studied on LTL[28,29,14], where the model-checking problem for thek-alternation fragment

3 Notice that the link between games and propositional quantification already emerges inQdµ[24], which extends thedecisionµ-calculus with some flavour of propositional quantification. Also, the main motivation of [16] for studying the two-alternation fragment ofQCTLis a hardness result for the control and synthesis of open systems.

was settled complete fork-EXPSPACE. In the branching-time setting, the results are more sparse:CTLandCTL^∗ with only existential quantification was studied in [15], where model checking is shown NP- and PSPACE-complete resp. (for the structure semantics) andEXPTIME- and 2-EXPTIME-complete resp. (for the tree semantics). The two-alternation fragment was then studied in [16] (only for the tree semantics): model checking is2-EXPTIME- and3-EXPTIME-complete, respectively forCTLorCTL^∗. Finally, satisfiability of the full extension (with arbitrary quantification) was studied in [12].

Several other semantics have also been defined in the literature: the amorphous semantics is somewhat intermediary between structure- and tree semantics, and considers bisimilar structures before labelling with extra atomic propositions [12].

Alternative semantics are proposed and studied in [27,23].

Besides the above-mentioned applications ofQCTLto open systems, let us mention that QCTL has also been used in the setting of three-valued model checking, wherepartial Kripke structures are considered (i.e., Kripke structures where the truth value of some atomic propositions may be unknown) [3].

2 Preliminaries

2.1 Kripke structures and trees

We fix once and for all a set APof atomic propositions.

Definition 1. AKripke structureSis a3-tuplehQ, R, `iwhereQis a countable set of states,R⊆Q<sup>2</sup> is a total<sup>4</sup> relation and`:Q→2^APis a labelling function.

An execution (or path) inSis an infinite sequenceρ= (qi)i∈Ns.t. (qi, qi+1)∈R for alli. We useExec(q) to denote the set of executions issued fromqandExec^f(q) for the set of all finite prefixes of executions ofExec(q). Givenρ∈Exec(q) and i∈N, we writeρⁱ for the path (q_i+k)_k∈N ofExec(q_i) (thei-th suffix of ρ),ρ_i for the finite prefix (q_k)_k≤i (thei-th prefix), andρ(i) for thei-th stateq_i.

Definition 2. LetΣ andS be two finite sets. AΣ-labelledS-tree is a pairT = hT, li, where T ⊆S^∗ is a non-empty set of finite words on S s.t. for any non- empty word n=m·sinT withm∈S^∗ ands∈S, the wordmis also inT; and l:T →Σ is a labelling function.

The unwinding of a finite-state Kripke structureS=hQ, R, `ifrom a state q∈Qis the (finitely-branching) 2<sup>AP</sup>-labelledQ-treeTS(q) =hExec<sup>f</sup>(q), `Tiwith

`T(q0· · ·qi) =`(qi). Note thatTS(q) =hExec^f(q), `Tican be seen as an (infinite- state) Kripke structure where the set of states isExec<sup>f</sup>(q), labelled according to`T, and with transitions (m, m·s) for allm∈Exec^f(q) ands∈Qs.t.m·s∈Exec^f(q).

Definition 3. ForP ⊆AP, two (possibly infinite-state) Kripke structures S= hQ, R, `iandS<sup>0</sup> =hQ<sup>0</sup>, R<sup>0</sup>, `⁰iare P-equivalent (denoted byS ≡P S⁰) whenever Q=Q⁰,R=R⁰, and`(q)∩P =`⁰(q)∩P for anyq∈Q.

In other terms, S ≡P S⁰ if S⁰ can be obtained from S by modifying the labelling function ofS for propositions inP.

4 I.e., for allq∈Q, there existsq⁰∈Qs.t. (q, q⁰)∈R.

2.2 CTL and quantified extensions

Definition 4. The syntax of QCTL^∗ is defined by the following grammar:

ϕ_state, ψ_state::=p| ¬ϕ_state|ϕ_state∨ψ_state| Eϕ_path| Aϕ_path| ∃p. ϕstate

ϕpath, ψpath::=ϕstate| ¬ϕpath|ϕpath∨ψpath|Xϕpath|ϕpathUψpath

wherepranges overAP. Formulas defined asϕ_stateare called state-formulas, while ϕ_path defines path-formulas. Only state formulas are QCTL^∗ formulas.

We use standard abbreviations as: > = p∨ ¬p, ⊥ = ¬ >, Fϕ = >Uϕ, Gϕ=¬F¬ϕ, and∀p·ϕ=¬ ∃p· ¬ϕ. The logic QCTLis a fragment ofQCTL^∗ where temporal modalities are under the immediate scope of path quantifiers:

Definition 5. The syntax of QCTLis defined by the following grammar:

ϕ_state, ψ_state::=p| ¬ϕ_state|ϕ_state∨ψ_state| ∃p. ϕ_state|

EϕstateUψstate| AϕstateUψstate| EXϕstate| AXϕstate. Standard definition ofCTL^∗ andCTLare obtained by removing the use of quantification over atomic proposition (∃p.ϕ) in the formulas. In the following,

∃and∀are called(proposition) quantifiers, while Eand Aarepath quantifiers.

Given QCTL^∗ (state) formulas ϕ and (ψi)i and atomic propositions (pi)i

appearing free in ϕ(i.e., not appearing as quantified propositions), we write ϕ[(pi→ψi)i] (orϕ[(ψi)i] when (pi)i are understood from the context) for the formula obtained fromϕby replacing each occurrence ofpi withψi. Given two sublogicsL1andL2ofQCTL^∗, we writeL1[L2] ={ϕ[(ψi)i]|ϕ∈L1, (ψi)i∈L2}.

2.3 Structure- and tree semantics

Formulas of the form∃p.ϕcan be interpreted in different manners (see [15,12,27]).

Here we consider two semantics: thestructure semantics and thetree semantics.

Structure semantics. Given a QCTL^∗ state formula ϕ, a (possibly infinite- state) Kripke structureS=hQ, R, `iand a stateq∈Q, we writeS, q|=_sϕto denote that ϕholds atqunder the structure semantics. This is defined as for CTL^∗, with the following addition:

S, q|=s∃p.ϕstate iff ∃S⁰≡_AP\{p}Ss.t.S⁰, q|=sϕstate

Intuitively,∃p.ϕholds true at state q of structureS if it is possible to modify thep-labelling of S in such a way thatϕholds atq.

Example 6. As an example, consider the formula selfloop = ∀z.(z⇒EXz).

If a state q in S satisfies this formula, then the particular labelling in which onlyqis labelled withzimplies that qhas to carry a self-loop. Conversely, any state that carries a self-loop satisfies this formula (for the structure semantics).

Letϕbe aQCTL^∗ formula, and consider now the formula uniq(ϕ) = EF(ϕ)∧ ∀z.

EF(ϕ∧z)⇒AG(ϕ⇒z) .

In order to satisfy such a formula, at least oneϕ-state must be reachable. Assume now that two different such statesqandq⁰ are reachable: then for the particular labelling where only qis labelled withz, the second part of the formula fails to hold. Henceuniq(ϕ) holds in a state (under the structure semantics) if, and only if, exactly one reachable state satisfies ϕ.

Tree semantics. The tree-semantics is obtained from the structure semantics by seeing the execution tree as an infinite-state Kripke structure. We write S, q|=_tϕto denote that formulaϕholds atqunder the tree semantics. Formally, seeingTS(q) as an infinite-state Kripke structure, we define:

S, q|=tϕ iff T_S(q), q|=sϕ

Clearly enough, selfloopis always false under the tree semantics, whileuniq(ϕ) holds if, and only if,ϕholds at only one node of the execution tree.

Example 7. Formulaacyclic= AG ∃z.(z∧uniq(z)∧AX AG¬z)

expresses that all infinite paths (starting from the current state) are acyclic, which for finite Kripke structures is always false under the structure semantics and always true under the tree semantics.

Equivalences between QCTL^∗ formulas. We consider two kinds of equiva- lences depending on the semantics we use. Two state formulas ϕandψare said s-equivalent (resp. t-equivalent), writtenϕ≡_sψ (resp. written ϕ≡_t ψ) if for any finite-state Kripke structureS and any stateqof S, it holdsS, q|=sϕiff S, q|=sψ(resp.S, q|=tϕiffS, q|=tψ). We writeϕ≡s,tψwhen the equivalence holds for both≡sand≡t.

Note that both equivalences≡s and≡t aresubstitutive,i.e., a subformula ψ can be replaced with any equivalent formulaψ⁰ without changing the truth value of the global formula. Formally, ifψ≡sψ⁰(resp.ψ≡tψ⁰), we haveΦ[ψ]≡sΦ[ψ⁰] (resp.Φ[ψ]≡tΦ[ψ⁰]) for anyQCTL^∗ formulaΦ.

2.4 Fragments of QCTL^∗.

In the sequel, besidesQCTLandQCTL^∗, we study several interesting fragments.

The first one is the fragment ofQCTL in prenex normal form, i.e., in which propositional quantification must be external to the CTL formula. We write EQCTLandEQCTL^∗ for the corresponding logics⁵

We also study the fragments of these logics with limited quantification. For prenex-normal-form formulas, the fragments are defined as follows:

5 Notice that the logics namedEQCTLandEQCTL^∗defined in [15] are restrictions of our prenex-normal-form logics where only existential quantification is allowed. They correspond to our fragmentsEQ¹CTLandEQ¹CTL^∗.

– for anyϕ∈CTLand any p∈AP, ∃p.ϕ is anEQ¹CTLformula, and∀p.ϕ is inAQ¹CTL;

– for any ϕ∈ EQ^kCTL and any p∈ AP, ∃p.ϕ is in EQ^kCTL and∀p.ϕ is in AQ^k+1CTL. Symmetrically, ifϕ∈AQ^kCTL, then∃p.ϕ is inEQ^k+1CTLwhile

∀p.ϕremains inAQ^kCTL.

Using similar ideas, we define fragments ofQCTLandQCTL^∗. Again, the definition is inductive:Q¹CTLis the logicCTL[EQ¹CTL], andQ^k+1CTL=Q¹CTL[Q^kCTL].

The corresponding extensions of CTL^∗, which we respectively denote with EQ^kCTL^∗,AQ^kCTL^∗ andQ^kCTL^∗, are defined in a similar way.

Remark 8. Notice that EQ^kCTL and AQ^kCTL are (syntactically) included in Q^kCTL, and EQ^kCTL^∗and AQ^kCTL^∗ are fragments ofQ^kCTL^∗.

3 Expressiveness

In this section we present several results about the expressiveness of our logics for both semantics. We show thatQCTL,QCTL^∗and Monadic Second-Order Logic are equally expressive. First we show that anyQCTLformula is equivalent to a formula in prenex normal form (which extends toQCTL^∗ thanks to Proposition 12).

3.1 Prenex normal form

By translating path quantification into propositional quantification, we can extract propositional quantification out of purely temporal formulas: for in- stance, EX(Q.ϕ) whereQis some propositional quantification is equivalent to

∃z.Q.

uniq(z)∧EX(z∧ϕ)

. This generalizes to fullQCTLfor both semantics:

Proposition 9. In both semantics,EQCTLandQCTLare equally expressive.

3.2 QCTL and Monadic Second-Order Logic

We briefly review Monadic Second-Order Logic (MSO) over trees and over finite Kripke structures (i.e., labeled finite graphs). In both case, we use constant monadic predicatesPa fora∈APand a relationEdgeeither for the immediate successor relation in anS-tree hT, lior for the relation Rin a finite KShQ, R, `i.

MSOis built with first-order (or individual) variables for nodes or vertices (denoted with lowercase lettersx, y, ...), monadic second-order variables for sets of nodes (denoted with uppercase lettersX, Y, ...). Atomic formulas are of the form x=y, Edge(x, y),x∈ X, P_a(x). Formulas are constructed from atomic formulas using the Boolean connectives and the first- and second-order quantifier∃.

We write ϕ(x₁, ..., x_n, X₁, ..., X_k) to state that x₁, ..., x_n and X₁, ..., X_k may appear free (i.e. not within the scope of a quantifier) in ϕ. A closed formula contains no free variable. We use the standard semantics for MSO, writing M, s1, ..., sn, S1, ..., Sk |=ϕ(x1, ..., xn, X1, ..., Xk) when ϕholds on Mwhen si

(resp.Sj) is assigned to the variablexi(resp.Xj) fori= 1, ..., n(resp.j= 1, ..., k).

In the following, we compare the expressiveness of our logics withMSOover the finite Kripke structures (the structure semantics) and the execution trees corresponding to a finite Kripke structure (tree semantics). First note that MSO formulas may express properties directly over trees or graphs, while our logics are interpreted overstates of these structures. Therefore we use MSOformulas with one free variablex, which represents the state where the formula is evaluated.

Moreover, we restrict the evaluation ofMSOformulas to thereachablepart of the model from the given state. This last requirement makes an important difference for the structure semantics, sinceMSO can express that a graph is connected.

Formally, for the tree semantics, we say thatϕ(x)∈MSOist-equivalent to someQCTL^∗formulaψ(writtenϕ(x)≡tψ) when for any finite Kripke structureS and any state q∈ T_S, it holdsT_S(q), q|=ϕ(x) iffT_S(q), q|=ψ. Similarly, for the structure semantics: ϕ(x) is s-equivalent toψ (written ϕ(x) ≡s ψ) iff for any finite Kripke structureS and any stateq∈ S, it holdsSq, q|=ϕ(x) iffSq, q|=ψ, whereSq is the reachable part of S fromq. For these definitions, we have:

Proposition 10. Under both semantics,MSO andQCTLare equally expressive.

Sketch of proof. One inclusion is straightforward:CTLis easily translated into MSO, and propositional quantification (for both semantics) can be encoded using second-order quantification. Conversely, every MSOformulaΦ(x) can be translated into an equivalentQCTLformulaΦ.b QCTLpropositional quantifications are used to encode both first-order and second-order quantification inΦ(but in the first-order case, we require that only one state is labeled by the dedicated proposition). Then anMSOsubformula of the formx_i∈X_jis rewritten inQCTL as EF(p_xi∧p_Xj) wherep_xi (resp. p_Xj) is the proposition associated with x_i (resp.X_j). A formula of the formEdge(x_i, x_j) is rewritten as EF(p_xi∧EXp_xj),

andx_i=x_j is replaced by EF(p_xi∧p_xj). Other cases use the same ideas. ut Remark 11. One can also notice that it is easy to express fixpoint operators with QCTL in both semantics, thus µ-calculus can be translated into QCTL.

This provides another proof of the previous result for the tree semantics, since theµ-calculus extended with counting capabilities has the same expressiveness asMSO on trees [20].

3.3 QCTL and QCTL^∗

Finally, we show thatQCTL^∗andQCTLare equally expressive for both semantics.

The main idea of the proof is an inductive replacement of quantified subformulas with extra atomic propositions.

Proposition 12. In the tree and structure semantics, everyQCTL^∗ formula is equivalent to some QCTLformula.

Proof.This was shown in [12] for the tree semantic. We give another translation, which is correct for both semantics. Consider aQCTL^∗ formulaΦ, and write k

for the number of subformulas ofΦthat are not inQCTL. Ifk= 0,Φ already belongs to QCTL. Otherwise let ψ be one of the inner-most Φ-subformulas in QCTL^∗\QCTL. Let (α_i)_1≤i≤mbe the largestψ-subformulas belonging toQCTL.

These are state formulas, so thatψis equivalent (for both semantics) to:

∃p1...∃pm.

ψ[(αi ←pi)i=1,...,m]∧ ^

i=1,...,m

AG(pi ⇔ αi)

Let Ω be ψ[(αi ← pi)i=1,...,m]. Then Ω is a CTL^∗ formula: every subformula of the form∃p.ξ inψappears in someQCTLformulaαi, sinceψ is one of the smallestQCTL^∗\QCTLsubformula. As everyCTL^∗formula is equivalent to some µ-calculus formula,Ω is equivalent to someQCTLformulaΩe (see Remark 11).

Hence

ψ≡s,t∃p1...∃pm.

Ωe∧ ^

i=1,...,m

AG(p_i ⇔ α_i)

Now, consider the formula obtained fromΦby replacingψwith the right-hand- side formula above. This formula is equivalent to Φ and has at most k−1 subformulas inQCTL^∗\QCTL, so that the induction hypothesis applies. ut

From Propositions 9, 10 and 12, we get:

Corollary 13. In both semantics, EQCTL, QCTL and QCTL^∗ and MSO are equally expressive.

Remark 14. In [12], French considers a variant ofQCTL^∗(which we callFQCTL^∗), with propositional quantification within path formulas:∃p. ϕ_pathis a valid path formula, meaning thatϕ_path holds alongρafter modifying the labelling with p:

S, ρ|=s∃p.ϕ_path iff ∃S⁰≡_AP\{p}S s.t.S⁰, ρ|=sϕ_path.

For the tree semantics,QCTLis as expressive asFQCTL^∗ [12]. For the structure semantics, we show thatFQCTL^∗is strictly more expressive than MSO. Formula

EG ∃z.∀z⁰.[uniq(z)∧uniq(z⁰)∧z∧ ¬z⁰]⇒X(¬zUz⁰) .

expresses the existence of an (infinite) path along which, between any two occurrences of the same state, all the other reachable states will be visited. This precisely characterizes the existence of a Hamilton cycle. This is known not to be expressible in MSO [9, Cor. 6.3.5], it can be expressed in Guarded Second Order Logic GSO (also calledMS2 in [6]), in which quantification over sets of edges is allowed (in addition to quantification over sets of states). Still,FQCTL^∗ is strictly more expressive thanGSO, as it is easy to modify the above formula to express the existence ofEuler cycles:

EG

∃x.∃y.∀x⁰.∀y⁰.h

tr(x, y)∧tr(x⁰, y⁰)∧next tr(x, y)∧ ¬next tr(x⁰, y⁰)i

⇒X(¬next tr(x, y)Unext tr(x⁰, y⁰)) wheretr(x, y) =uniq(x)∧uniq(y)∧EF(x∧Xy) states thatxandy mark the source and target of a reachable transition, and next tr(x, y) = x∧Xy states that the next transition along the current path jumps fromxtoy.

Proposition 15. Under the structure semantics, FQCTL^∗ is more expressive thanQCTL^∗ andMSO.

Still, FQCTL^∗ model checking (see next section) is decidable: for the tree semantics, it suffices to translate FQCTL^∗ to QCTL[12]. The problem in the structure semantics can then be encoded in the tree semantics: we first assume that each state of the input Kripke structureS is labelled with its name (so that any two different states can be distinguished). Then any quantification ∃p.ϕin the structure semantics is considered in the tree semantics, with the additional requirement that any two copies of the same state receive the samep-labelling.

4 QCTL model checking

We now consider the model-checking problem forQCTL^∗and its fragments under both semantics: given a finite Kripke structureS, a state qand a formula⁶ ϕ, is ϕsatisfied in stateq inS under the structure (resp. tree) semantics? Some results already exist,e.g.forEQ¹CTL andEQ¹CTL^∗ under both semantics [15].

Hardness results for EQ²CTL and EQ²CTL^∗ under the tree semantics can be found in [16]. Here we extend these results to all the fragments of QCTL^∗ we have defined. We also characterize the model- and formula-complexities [31] of model-checking for these fragments.

4.1 Model checking for the structure semantics

Formulas in prenex normal form. Prenex-normal-form formulas are (tech- nically) easy to handle: a formula in EQ^kCTL can be model-checked by non- determinisitically guessing a labelling and applying a model-checking procedure forAQ^k−1CTL. We easily derive the following results.

Theorem 16. Under the structure semantics, model checkingEQ^kCTL isΣ^P_k- complete, model checkingAQ^kCTLis Π^P_k-complete, and model checkingEQ^kCTL^∗, AQ^kCTL^∗,EQCTLandEQCTL^∗ isPSPACE-complete.

General case. If we drop the prenex-normal-form restriction, we get

Theorem 17. For the structure semantics, model checking is∆^P_k+1[O(logn)]- complete for Q^kCTL, andPSPACE-complete forQ^kCTL^∗,QCTL andQCTL^∗. Sketch of proof. The algorithm in∆^P_k+1[O(logn)] is obtained by first noticing that a formulaϕ∈Q^k+1CTLcan be written asΦ[(qi→ ∃Pi. ψi)i] with Φbeing a CTL formula involving fresh atomic propositions q_i, and ∃Pi. ψ_i (with ∃Pi

denoting a sequence of existential quantifications) are subformulas of ϕ with ψ_i∈Q^kCTL. The algorithm then consists in asking independant oracles for the sets of states satisfying ∃P_i. ψ_i, and applying a CTLmodel-checking algorithm.

Hardness is proved by encodingPARITY (Σ^P_k), which aims at deciding whether the number of positive instances ofΣ^P_k in a given set of instances is even [13]. ut

6 For standard notions of size forSandϕ, unless specified otherwise (see Theorem 18).

Formula- and program-complexity. Most of the proofs above can be adapted to use a fixed formula or a fixed model. One notable exception isQCTL: when model checking a fixed formula ofQCTL(hence with fixed alternation depth), there is no hope of being able to encode arbitrary alternation: the program complexity ofQCTLmodel checking thus lies in the small gap between PHand PSPACE(unless the polynomial-time hierarchy collapses).

Theorem 18. Under the structure semantics, the formula-complexity (i.e., when the model is fixed) of model checking isΣ^P_k-complete forEQ^kCTL,Π^P_k-complete for AQ^kCTL; it is ∆^P_k+1[O(logn)]-complete forQ^kCTLwhen considering the DAG- size of the formula. It is PSPACE-complete forEQ^kCTL^∗, AQ^kCTL^∗,Q^kCTL^∗, EQCTL,QCTL,EQCTL^∗, andQCTL^∗.

The program-complexity (i.e., when the formula is fixed) of model checking is Σ^P_k-complete forEQ^kCTLandEQ^kCTL^∗,Π^P_k-complete forAQ^kCTLandAQ^kCTL^∗, and∆^P_k+1[O(logn)]-complete for Q^kCTL andQ^kCTL^∗ (for positive k). It isPH- hard but not in PH (unless the polynomial-time hierarchy collapses), and in PSPACE but notPSPACE-hard forEQCTL,QCTL,EQCTL^∗ andQCTL^∗.

4.2 Model checking for the tree semantics

Theorem 19. Model checking EQ^kCTL, AQ^kCTL and Q^kCTL under the tree semantics isk-EXPTIME-complete (for positivek).

Sketch of proof. SinceEQ^kCTLandAQ^kCTLare dual and contained inQ^kCTL, it suffices to prove hardness forEQ^kCTLand membership for Q^kCTL. We briefly sketch the proof here.

IHardness ink-EXPTIME. The reduction uses the ideas of [16,29]: we encode an alternating Turing machineMwhose tape has sizek-exponential. An execution of Mon an input wordy of lengthnis then a tree. Our reduction consists in building a Kripke structureKand anEQ^kCTLformulaϕsuch thatϕholds true inK(for the tree semantics) iff Macceptsy. The encoding is depicted on Fig. 1.

The main tool in this proof is a set of (polynomial-size) formulas ofEQ^kCTL that are able to relate two states that are at distancek-exponential. This is used in our reduction to ensure that the content of one cell of the Turing machine is preserved from one configuration to the next one, unless the tape head is around.

Our set of formulas will ensure the following (see Fig. 2): given a tree labeled with propositionssandt(among others), bothsandtappear exactly once along each branch, and the distance between them isF(k, n), defined as

F(0, n) =n F(k+ 1, n) =F(k, n)·2^F(k,n).

The formulas fork= 0 are easy to write. Given a formula for levelk, we build the formula for levelk+ 1 as follows: we add a new propositionr, which is required to hold atsandt, and at distance F(k, n) from each other inbetween. We then use existential quantification over another proposition in order to implement a counter enforcing that there are exactly 2^F(k,n)occurrences of rbetweensandt.

1 10 0

F(k, n)

01 00

11 00

0 10 0

0 00 0

1 00 0

Fig. 1.A run ofM

s

t

F(k, n) s

t F(k, n)

Fig. 2.Chunks of heightF(k, n)

IMembership ink-EXPTIME. Our algorithm forQ^kCTLmodel checking uses alternating parity tree automata[21,30]. The construction is inductive: we be- gin with building automata for the innermostCTLformulas [18], and then use projection to encode existential quantification. This requires turning the alter- nating automata into non-deterministic ones, which comes with an exponential blowup [22]. We apply this procedure recursively, until the last propositional quantifier. We end up with a non-deterministic parity tree automaton with size k-exponential and index (k−1)-exponential; emptiness is then solved in time k-exponential [17]. We apply a CTL model-checking algorithm to handle the possible outermostCTLoperators. This whole algorithm runs ink-EXPTIME. ut Theorem 20. Model checkingEQ^kCTL^∗, AQ^kCTL^∗ and Q^kCTL^∗ under the tree semantics are (k+1)-EXPTIME-complete (for positive k).

Proof. The proof techniques are the same as in the previous proof. Member- ship requires that we build an automaton for a CTL^∗ formula, which entails an additional exponential blowup. Hardness is proven by using CTL^∗ to have yardstickⁿ₀(s, t) enforce that the distance betweensandtis 2ⁿ. ut

Formula- and program-complexity. The reductions above can be made to work with a fixed model. When fixing the formula, the problem becomes much easier (in terms of theoretical complexity):

Theorem 21. Under the tree semantics, the formula-complexity of model-checking isk-EXPTIME-complete forEQ^kCTL,Q^kCTL,EQ^kCTL^∗andQ^kCTL^∗withk≥1.

It is non-elementary forEQCTL,QCTL,EQCTL^∗ andQCTL^∗.

The program-complexity of model-checking isPTIME-complete for all those fragments ofQCTL^∗.

5 Using QCTL for specifying multi-agent systems

ExtendingCTLwith propositional quantification has already found several ap- plications for reasoning about complex systems. In this section, we show how a

model-checking problem involving a multi-agent system (typically a concurrent game) and a property written in ATL_sc (see below) is logspace-reducible to a QCTLmodel-checking problem.

5.1 Basic definitions

Definition 22 ([1]).AConcurrent Game Structure(CGS)Cis a7-tuplehQ, R,

`,Agt,M,Mov,Edgeiwhere: hQ, R, `iis a Kripke structure,Agt={A1, ..., Ap} is a finite set of agents, M is a non-empty set of moves, Mov:Q×Agt → P(M)r{∅}defines the set of available moves of each agent in each state, and Edge:Q× M^Agt→Ris a transition table associating, with each stateqand each set of moves of the agents, the resulting transition departing from q.

The size of a CGSCis|Q|+|Edge|. For a stateq∈Q, we writeNext(q) for the set of all transitions corresponding to possible moves fromq, andNext(q, A_j, m_j), withmj∈Mov(q, Aj), for the restriction ofNext(q) to possible transitions fromq when playerAj plays movemj. We extendMov andNextto coalitions (i.e., sets of agents) in the natural way. A path in C is a path in its underlying Kripke structure. For a finite prefixπof a path, we writelast(π) =πi for its last state.

Astrategy for some playerAi∈Agtis a functionfi that maps any history to a possible move for Ai,i.e., satisfying fi(π)∈Mov(last(π), Ai). A strategy for a coalition Ais a mapping assigning a strategy to each agent inA. The set of strategies forAis denotedStrat(A). Thedomaindom(FA) ofFA∈Strat(A) isA.

Given a coalitionB, the strategy (FA)_|B (resp. (FA)_rB) denotes the restriction of F_A to the coalitionA∩B (resp.ArB). Given two strategies F ∈Strat(A) andF⁰ ∈Strat(B), we defineF◦F⁰ ∈Strat(ASB) as (F◦F⁰)_|Aj(ρ) =F_|Aj(ρ) (resp.F_|A⁰

j(ρ)) ifA_j∈A(resp.A_j ∈BrA).

Letρbe a history. A strategyFA= (fj)A_j∈Afor some coalitionA induces a set of paths fromρ, called theoutcomes ofFAafter ρ, and denotedOut(ρ, FA):

an infinite path π = ρ·q1q2. . . is in Out(ρ, FA) iff, writing q0 = last(ρ), for all i ≥ 0 there is a set of moves (mⁱ_k)A_k∈Agt such that mⁱ_k ∈ Mov(qi, Ak) for allAk ∈Agt,mⁱ_k=fA_k(π_|ρ|+i) ifAk ∈A, andqi+1∈Next(qi,Agt,(mⁱ_k)A_k∈Agt).

We now introduce the extension ofATLwith strategy contexts [2,7]:

Definition 23. The syntax ofATLscis defined by the following grammar (where pranges over AP andA over2^Agt):

ϕstate, ψstate::=p| ¬ϕstate|ϕstate∨ψstate| ·iAh·ϕstate| h·A·iϕpath

ϕ_path, ψ_path::=Xϕ_state | ϕ_stateUψ_state | ϕ_stateWψ_state.

That a formulaϕinATL_scis satisfied by a stateqof a CGSCunder a strategy context F ∈Strat(B) (for some coalition B), denotedC, q|=_F ϕ, is defined as follows (omitting Boolean operators and path modalities):

C, q|=_F ·iAh·ϕ_state iffC, q|=_FrAϕ_state

C, q|=F h·A·iϕpathiff∃FA∈Strat(A).∀ρ⁰ ∈Out(q, FA◦F).C, ρ⁰ |=F_A◦F ϕpath

In the following we will use h·A·iϕstateas a shorthand for h·A·i ⊥Uϕstate.

5.2 From ATL_sc to QCTL^∗ and QCTL model checking

LetC=hQ, R, `,Agt,M,Mov,Edgeibe a CGS, andMbe{m₁, . . . , m_k}. We con- sider the following sets of fresh atomic propositions: P_Q = {p_q | q ∈ Q}, P^j_M={m^j₁, . . . ,m^j_k}for every Aj∈Agt, andP_M=S

Aj∈AgtP^j_M.

Let SC be the Kripke structure hQ, R, `+iwhere for any state q, we have:

`<sub>+</sub>(q) = `(q)∪ {p_q}. S_C is the Kripke structure underlying C, in which every state q is labelled with its own atomic propositionp_q. In the following, every labelling function we consider coincides with`₊onAP\P_M.

A strategy for an agentA_j can be seen as a function labelling the execution tree of S_C with P^j_M. More precisely, a strategy for A_j is a labelling function f_j: Exec^f(`) →P^j_M. A memoryless strategy for A_j corresponds to a labelling functionf_j:Q→P^j_M, i.e., a labelling of the Kripke structureS_C.

Let F ∈ Strat(C) be a strategy context and Φ ∈ ATL_sc. We reduce the question whetherC, q |=_F Φ to a model-checking instance forQCTL^∗ overS_C. For this, we define aQCTL^∗formula Φb^C inductively; for non-temporal formulas,

\·iAh·ϕ

C

=ϕb^CrA \ϕ∧ψ^C=bϕ^C∧ψb^C ¬dψ^C=¬ϕb^C Pb^C=P For a formula of the form h·A·iXϕwithA={A_j1, . . . , A_jl}, we let:

h·A·i\Xϕ^C =∃m^j₁¹...m^j_k¹...m^j₁^l...m^j_k^l. ^

A_j∈A

AG(Φ_strat(A_j))∧A

Φ^[A∪C]_out ⇒Xϕb^C∪A

where: Φstrat(Aj) =W

q∈Q

pq∧W

m_i∈Mov(q,Aj)(m^j_i∧V

l6=i¬m^j_l) Φ^[A]_out=G ^

q∈Q m∈Mov(q,A)

(pq∧Pm)⇒X _

q⁰∈Next(q,A,m)

pq⁰

where m is a move (m^j)A_j∈A ∈ Mov(q, A) for A and Pm is the propositional formulaV

Aj∈Am^jcharacterizingm. FormulaΦstrat(Aj) ensures that, the labelling of propositionsm^j_is describes a feasible strategy forAj. FormulaΦ^[A]_outcharacterizes the outcomes of the strategy forAthat is described by the atomic propositions in the model. Note thatΦ^[A]_out is based on the transition tableEdgeofC. Then:

Theorem 24. Let q be a state in C. Let Φ be an ATLsc formula and F be a strategy context for some coalition C. LetT⁰ be the execution tree TSC(q)with a labelling function `⁰ s.t. for every π∈ Exec^f(q) of length i and any Aj ∈ C,

`⁰(π)∩P^j_M=m^j_i iffF(π)_|Aj =mi. ThenC, q|=F ΦiffT⁰, q|=Φb^C.

We get a non-elementary model-checking algorithm for ATLsc, similar to [7].

Remark 25. The translation above assumes the tree semantics. However, it also makes sense in the structure semantics, where quantification then corresponds to the selection of amemoryless strategy. A variant of Theorem 24 can be stated for the structure semantics for QCTLand memoryless strategies forATLsc.

Remark 26. Our reduction above is intoQCTL^∗ but we can use Proposition 12 to get an equivalentQCTLformula. This may increase the quantifier height of the formula. For the tree semantics, a direct translation intoQCTLexists: instead of usingΦ^[A]_out, we can use an extra atomic propositionp_out for labelling outcomes.

This yields aQCTLformula with the same quantifier height.

Using a converse translation, fromQCTLto ATLsc, we can prove:

Theorem 27. Model-checking the fragment ofATL_sc with at most knon-trivial nested strategy quantifiers is k-EXPTIME-complete.

Strategy logic (SL) [4,19] is another temporal logic for non-zero-sum games, which has explicit first-order quantification over strategies. Our results above can be adapted toSL, correcting a wrong claim in [19, Theorem 4.2]:

Theorem 28. The model-checking problems forQCTL, ATLsc andSL are inter- reducible (in logarithmic space). They all are non-elementary.

6 Conclusions and future works

We have proposed a complete picture ofCTLextended with propositional quan- tifiers w.r.t. expressiveness and model-checking. On the expressiveness side, we proved how adding quantification on top of CTL fills in the gap between temporal logics and monadic second-order logic. As for model checking, we ex- haustively characterized the complexity ofQCTLand its variants, completing the earlier results from [15,12]. Finally, we provided an application (which was our original motivation) of QCTL for reasonning about multi-agent systems.

Satisfiability of fragments ofQCTL^∗ is part of our future work.

References

[1] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic.

J. ACM, 49(5):672–713, 2002.

[2] Th. Brihaye, A. Da Costa, F. Laroussinie, and N. Markey. ATL with strategy contexts and bounded memory. In LFCS’09, LNCS 5407, p. 92–106. Springer, 2009.

[3] G. Bruns and P. Godefroid. Model checking partial state spaces with 3-valued temporal logics. In CAV’99, LNCS 1633, p. 274–287. Springer, 1999.

[4] K. Chatterjee, T. A. Henzinger, and N. Piterman. Strategy logic. In CONCUR’07, LNCS 4703, p. 59–73. Springer, 2007.

[5] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In LOP’81, LNCS 131, p. 52–71. Springer, 1982.

[6] B. Courcelle and J. Engelfriet.Graph Structure and Monadic Second-Order Logic, a Language Theoretic Approach. Cambridge University Press, 2011.

[7] A. Da Costa, F. Laroussinie, and N. Markey. ATL with strategy contexts: Expres- siveness and model checking. In FSTTCS’10, LIPIcs 8, p. 120–132. LZI, 2010.

[8] A. Da Costa, F. Laroussinie, and N. Markey. Quantified CTL: expressiveness and model checking. Research Report LSV-12-02, Laboratoire Sp´ecification et V´erification, ENS Cachan, France, 2012.

[9] H.-D. Ebbinghaus and J. Flum. Finite Model Theory. Springer, 1995.

[10] E. A. Emerson and J. Y. Halpern. ”Sometimes” and ”not never” revisited:

On branching versus linear time temporal logic. J. ACM, 33(1):151–178, 1986.

[11] E. A. Emerson and A. P. Sistla. Deciding full branching time logic. Inf.&Cont., 61(3):175–201, 1984.

[12] T. French. Decidability of quantified propositional branching time logics. In AJCAI’01, LNCS 2256, p. 165–176. Springer, 2001.

[13] G. Gottlob. NP trees and Carnap’s modal logic. J. ACM, 42(2):421–457, 1995.

[14] Y. Kesten and A. Pnueli. A complete proof systems for QPTL. In LICS’95, p. 2–12.

IEEE Comp. Soc. Press, 1995.

[15] O. Kupferman. Augmenting branching temporal logics with existential quantifica- tion over atomic propositions. In CAV’95, LNCS 939, p. 325–338. Springer, 1995.

[16] O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in reactive environments: Control and synthesis. In CONCUR’00, LNCS 1877, p. 92–107. Springer, 2000.

[17] O. Kupferman and M. Y. Vardi. Weak alternating automata and tree automata emptiness. In STOC’98, p. 224–233. ACM Press, 1998.

[18] O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching-time model-checking. J. ACM, 47(2):312–360, 2000.

[19] F. Mogavero, A. Murano, and M. Y. Vardi. Reasoning about strategies. In FSTTCS’10, LIPIcs 8, p. 133–144. LZI, 2010.

[20] F. Moller and A. Rabinovich. Counting on CTL^*: on the expressive power of monadic path logic. Inf.&Comp., 184(1):147–159, 2003.

[21] D. E. Muller and P. E. Schupp. Alternating automata on infinite trees. TCS, 54(2-3):267–276, 1987.

[22] D. E. Muller and P. E. Schupp. Simulating alternating tree automata by non- deterministic automata: New results and new proofs of the theorems of Rabin, McNaughton and Safra. TCS, 141(1-2):69–107, 1995.

[23] A. C. Patthak, I. Bhattacharya, A. Dasgupta, P. Dasgupta, and P. P. Chakrabarti.

Quantified computation tree logic. IPL, 82(3):123–129, 2002.

[24] S. Pinchinat. A generic constructive solution for concurrent games with expressive constraints on strategies. In ATVA’07, LNCS 4762, p. 253–267. Springer, 2007.

[25] A. Pnueli. The temporal logic of programs. In FOCS’77, p. 46–57. IEEE Comp. Soc.

Press, 1977.

[26] J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In SOP’82, LNCS 137, p. 337–351. Springer, 1982.

[27] S. Riedweg and S. Pinchinat. Quantified µ-calculus for control synthesis. In MFCS’03, LNCS 2747, p. 642–651. Springer, 2003.

[28] A. P. Sistla.Theoretical Issues in the Design and Verification of Distributed Systems.

PhD thesis, Harvard University, Cambridge, Massachussets, USA, 1983.

[29] A. P. Sistla, M. Y. Vardi, and P. Wolper. The complementation problem for B¨uchi automata with applications to temporal logics. TCS, 49:217–237, 1987.

[30] W. Thomas. Languages, automata and logics. InHandbook of Formal Languages, p. 389–455. Springer, 1997.

[31] M. Y. Vardi. The complexity of relational query languages. In STOC’82, p. 137–146.

ACM Press, 1982.

[32] F. Wang, C.-H. Huang, and F. Yu. A temporal logic for the interaction of strategies.

In CONCUR’11, LNCS 6901, p. 466–481. Springer, 2011.