ATL with Strategy Contexts: Expressiveness and Model Checking

(1)

Expressiveness and Model Checking

Arnaud Da Costa

¹

, François Laroussinie

²

, and Nicolas Markey

¹

1 Lab. Spécification & Vérification, ENS Cachan & CNRS, France 2 LIAFA, Univ. Paris Diderot - Paris 7 & CNRS, France

Abstract

We study the alternating-time temporal logics ATLand ATL^? extended withstrategy contexts:

these make agentscommit to their strategiesduring the evaluation of formulas, contrary to plain ATLandATL^?where strategy quantifiersreset previously selected strategies.

We illustrate the important expressive power of strategy contexts by proving that they make the extended logics, namely ATLsc and ATL^?_sc, equally expressive: any formula in ATL^?_sc can be translated into an equivalent, linear-sizeATLsc formula. Despite the high expressiveness of these logics, we prove that their model-checking problems remain decidable by designing a tree- automata-based algorithm for model-checkingATL^?_scon the full class ofn-player concurrent game structures.

1 Introduction

Temporal logics and model checking. Thirty years ago, temporal logics (LTL,CTL) have been proposed for specifying properties of reactive systems, with the aim of automatically checking that those properties hold for these systems [18, 10, 19]. This model-checking approach to formal verification has been widely studied, with powerful algorithms and implementations, and successfully applied in many situations.

Alternating-time temporal logic (ATL). In the last ten years, temporal logics have been extended with the ability of specifying controllability properties of multi-agent systems:

the evolution of a multi-agent system depends on the concurrent actions of several agents, andATLextends CTLwithstrategy quantifiers[4]: it can express properties such asagentA has a strategy to keep the system in a set of safe states, whatever the other agents do.

qB

Figure 1Example of a two-player turn- based game

Nesting strategy quantifiers. Assume that, in the formula above, “safe states” are those from which agent B has a strategy to reach her goal state qB

infinitely often, and consider the system depicted on Fig. 1, where the circled states are controlled by player A (meaning that Player A selects the transition to be fired from those state) and the square state is controlled by playerB. It is easily seen that

this game contains no “safe state”: after each visit toqB, PlayerA can decide to take the system to the rightmost state, from whichqB is not reachable. It follows that Player Ahas no strategy to keep the system in safe states.

Now, assume that Player A commits to always select the transition to the left, when the system is in the initial (double-circled) state. Then under this strategy, it suffices for Player B to always go to qB when the system is in the square state in order to achieve her goal of visitingqB infinitely often. The difference with the previous case is that here, PlayerB takes advantage of Player A’s strategy in order to achieve her goal.

licensed under Creative Commons License NC-ND Leibniz International Proceedings in Informatics

Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany

(2)

Both interpretations of our original property can make sense, depending on the context.

However, the original semantics ofATLcannot capture the second interpretation: strategy quantifications inATL“reset” previous strategies. While this is very convenient algorithmic- ally (and makesATLmodel-checking polynomial-time for some game models), it prevents ATLfrom expressing many interesting properties of games (especially non-zero-sum games).

In [7], we introduced an alternative semantics forATL, where strategy quantifiersstore strategies in acontext. Those strategies then apply for evaluating the whole subformula, until they are explicitly removed from the context or replaced with a new strategy. We demonstrated the high expressiveness of this new semantics by showing that it can express important requirements,e.g.existence of equilibria or dominating strategies.

Our contribution. This work is a continuation of [7]. Our contribution in this paper is twofold: on the one hand, we prove thatATL^?_sc is not more expressive thanATLsc: this is a theoretical argument witnessing the expressive power of strategy contexts; it complements the more practical arguments presented in [7]. On the other hand, we develop an algorithm forATL^?_sc model-checking, based on alternating tree automata. Our algorithm uses a novel encoding of strategies into the execution tree of the underlying concurrent game structures.

This way, it is valid for the whole class of concurrent game structures and without restrictions on strategies, contrary to previously existing algorithms on related extensions ofATL.

Related work. In the last three years, several approaches have been proposed to increase the expressiveness ofATLandATL^?.

Strategy logic[8, 9] extendsLTLwith first-order quantification over strategies. This allows for very expressive constructs: for instance, the property above would be written as

∃σA. [G (∃σB. (G F qB) (σA, σB))] (σA).

This logic was only studied on two-player turn-based games in [8, 9], where a non- elementary algorithm is given. The algorithm we propose in this paper could be adapted to handle strategy logic in multi-player concurrent games.

QDµ[17] is a second-order extension of the propositional µ-calculus augmented with decision modalities. In terms of expressiveness, fixpoints allow for richer constructs than CTL- orLTL-based approaches. Again, model-checking has been proved to be decidable, but only over the class of alternating transition systems (as defined in [3]).

Stochastic game logic[6] is an extension ofATLsimilar to ours, but in the stochastic case.

It is proved undecidable in the general case, and decidable when strategy quantification is restricted to memoryless (randomized or deterministic) strategies.

several other semantics ofATL, related to ours, are discussed in [1, 2]. A ∆^P₂-algorithm is proposed there for a subclass of our logic (where strategies stored in the context are irrevocableand cannot be overwritten), but no proof of correctness is given. In [20], an NP algorithm is proposed for the same subclass, but where strategy quantification is restricted to memoryless strategies.

By lack of space, some proofs are omitted in this paper, but they are detailed in [11].

2 ATL with strategy contexts 2.1 Concurrent game structures.

Concurrent game structures [4] are a multi-player extension of classical Kripke structures.

Their definition is as follows:

(3)

IDefinition 1. AConcurrent Game Structure (CGS for short) Cis an 7-tuplehLoc,Lab, δ, Agt,M,Mov,Edgiwhere:

hLoc,Lab, δiis a finite Kripke structure, whereLocis the set oflocations,Lab:Loc→2^AP is a labelling function, and δ⊆Loc×Locis the set of transitions;

Agt={A1, ..., A_p} is a finite set ofagents(orplayers);

Mis a finite, non-empty set of moves;

Mov:Loc×Agt→ P(M)r{∅} defines the (finite) set of possible moves of each agent in each location.

Edg:Loc× M^Agt→δis a transition table; with each location`and each set of moves of the agents, it associates the resulting transition, which is required to depart from`.

The size|C|of a CGSC is|Loc|+|Edg|, where |Edg|is the size of the transition table¹. The intended behaviour of a CGS is as follows [4]: in a location`, each playerA_i in Agt chooses one among her possible movesmi inMov(`, Ai); the next transition to be fired is given byEdg(`,(m1, ..., mp)). We writeNext(`) for the set of all transitions corresponding to possible moves from`, andNext(`, A_j, m_j), withm_j ∈Mov(`, A_j), for the restriction of Next(`) to possible transitions from`when playerAj plays the movemj. We extendMov andNextto coalitions (i.e., sets of agents) in the natural way:

givenA⊆Agtand`∈Loc,Mov(`, A) denotes the set of possible moves for coalitionA from `. Those movesmare composed of one single move per agent of the coalition, i.e., m= (ma)_a∈A.

Given m= (ma)_a∈A∈Mov(`, A), we letNext(`, A, m) denote the restriction ofNext(`) to locations reachable from `when every playerAj ∈Amakes the movemAj.

A (finite or infinite)path ofC is a sequenceρ=`0`1. . .of locations such that for anyi,

`i+1∈Next(`i). Finite paths are also calledhistory. The length of a history ρ=`0`1. . . `n

is n. We writeρî→j for the part ofρbetween`_i and`_j (inclusive). In particular, ρî→j is empty iff j < i. We simply writeρⁱ forρî→i, denoting the i+ 1-st locationì ofρ. We also definefirst(ρ) =ρ⁰, and, ifρhas finite lengthn,last(ρ) =ρⁿ. Given a historyπof lengthn and a path ρs.t. last(π) =first(ρ), the concatenation ofπ andρis the pathτ =π·ρs.t.

τ^0→n =πandτ^n→∞=ρ(notice that the last location ofπand the first location ofρare

“merged”).

A strategy for a playerAi ∈ Agtis a function fi that maps any history to a possible move for A_i, i.e., satisfying f_i(`₀. . . `_m) ∈ Mov(`_m, A_i). A strategy for a coalition A of agents is a mapping assigning a strategy to each agent in the coalition. The set of strategies for Ais denoted Strat(A). The domain of F_A∈Strat(A) (denoteddom(F_A)) is A. Given a coalition B, the strategy (FA)_|B (resp. (FA)_rB) denotes the restriction of FA to the coalitionA∩B (resp.ArB).

Let ρbe a history of lengthn. A strategyFA= (fj)A_j∈A for some coalitionAinduces a set of paths from ρ, called the outcomesof FA after (or from) ρ, and denotedOut(ρ, FA):

a pathπ=ρ·`₁`₂. . . is in Out(ρ, F_A) iff, writing`₀ =last(ρ), for alli≥0 there exists a set of moves (mⁱ_k)A_k∈Agt such thatmⁱ_k ∈Mov(`i, Ak) for all Ak ∈Agt,mⁱ_k =fA_k(π^0→n+i) ifA_k∈A, and `_i+1∈Next(`_i,Agt,(mⁱ_k)_A_k_∈Agt). We writeOut^∞(ρ, F_A) for the set of infinite outcomes of FA afterρ. Note that Out(ρ, FA) ⊆Out(ρ,(FA)_|B) for any two coalitions A andB, and thatOut(ρ, F_∅) represents the set of all paths starting withρ.

1 Our results would still hold (with the same complexity) if we consider symbolic CGSs [13], where the transition table is encoded succinctly as boolean formulas.

(4)

It is also possible tocombinetwo strategiesF ∈Strat(A) andF⁰∈Strat(B), resulting in a strategyF◦F⁰ ∈Strat(A∪B) defined as follows: (F◦F⁰)_|A_j(ρ) isF_|A_j(ρ) (resp.F_|A⁰

j(ρ)) ifA_j ∈A(resp.A_j ∈BrA).

Finally, given a strategyF and a historyρ, we define the strategyF^ρ corresponding to the behaviour ofF after prefixρ: it is defined, for any historyπwithlast(ρ) =first(π), as F^ρ(π) =F(ρ·π).

2.2 Alternating-time temporal logics.

The logics ATL and ATL^? have been defined in [4] as extensions of CTL andCTL^? with strategy quantification. Following [7], we further extend them withstrategy contexts:

IDefinition 2. The syntax ofATL^?_sc is defined by the following grammar:

ATL^?_sc3ϕs, ψs ::= p | ¬ϕs | ϕs∨ψs | h·A·iϕp | ·iAh·ϕs

ϕp, ψp ::= ϕs | ¬ϕp | ϕp∨ψp | Xϕp | ϕpUψp

with p ∈ AP and A ⊆ Agt. Formulas defined as ϕ_s are called state-formulas, while ϕ_p defines path-formulas. The logic ATLsc is obtained by restricting the grammar ofATL^?_sc path-formulas as follows:

ϕp, ψp::=¬ϕp | Xϕs | ϕsUψs.

That a formulaϕinATL^?_sc (orATL_sc) holds (initially) along a computationρof a CGSC under a strategy context F (i.e., a preselected strategy for some of the players, hence belonging to someStrat(A) for a coalitionA), denoted C, ρ|=F ϕ, is defined as follows:

C, ρ|=F p iff p∈Lab(first(ρ)) C, ρ|=F ¬ϕ iff C, ρ6|=F ϕ

C, ρ|=_F ϕ∨ψ iff C, ρ|=_F ϕor C, ρ|=_F ψ

C, ρ|=_F h·A·iϕ_p iff ∃F_A∈Strat(A). ∀ρ⁰∈Out^∞(first(ρ), F_A◦F).C, ρ⁰|=_F_A_◦_F ϕ_p C, ρ|=_F ·iAh·ϕ_s iff C, ρ|=_F_rA ϕ_s

C, ρ|=_F Xϕ_p iff C, ρ^1→∞|=_Fρ0→1 ϕ_p

C, ρ|=F ϕpUψp iff ∃i≥0.C, ρ^i→∞|=_Fρ0→i ψp and∀0≤j < i.C, ρ^j→∞|=_Fρ0→j ϕp

We define the following shorthands, which will be useful in the sequel: >^def= p∨ ¬p,⊥^def=

¬>,Fϕ^def=>Uϕ,Gϕ^def= ¬F¬ϕ, h·A·iϕs

def= h·A·i(⊥Uϕs) and hhAiiϕ^def= ·iAgth· h·A·iϕ.

IExample 3 (see [7] for more examples). We illustrate the usefulness of strategy contexts with some examples. First, the last shorthand hhAii is the classical ATL^? strategy quantifier (where each quantification resets the context), so thatATLsc andATL^?_scencompassATLand ATL^?, respectively.

ATLsc can also express qualitative equilibria properties, for instance Nash equilibria.

Given the (non-zero-sum) objectives Φ1 and Φ2 of players 1 and 2, Nash equilibria are strategy profiles where none of the player can unilaterally improve her payoff. In other terms, if the Player-1 strategy in the context is not winning against the Player-2 strategy, then there is no Player-1 winning strategy against this particular strategy of Player 2 (and symmetrically). Thus, the existence of a Nash equilibrium can be expressed as

h·A₁, A₂·ih

h·A₁·iΦ₁→Φ₁

∧ h·A₂·iΦ₂→Φ₂i

(5)

As another example, we mention the interaction between a server S and different cli- ents (Ci)i, where we may want to express that the server can be programmed in such a way that each clientC_i has a strategy to have its request granted. This could be written as

h·S·iGh^

i

req_i→ h·Ai·iFgrant_ii

As stated in Lemma 4, the truth value of astate formulaϕ_sdepends only on the strategy context F and the first state of the computationρ where it is interpreted (thus we may simply writeC,first(ρ)|=F ϕs when it raises no ambiguity).

I Lemma 4. Let C be a CGS, and F ∈ Strat(A) be a strategy context. For any state formula ϕ_s, and for any two infinite pathsρandρ⁰ withfirst(ρ) =first(ρ⁰), it holds

C, ρ|=F ϕs ⇔ C, ρ⁰|=F ϕs.

Proof. The proof is by induction on the structure of ϕ_s: the result obviously holds for atomic propositions, and it is clearly preserved by boolean combinations and by the ·iAh·

operator. Finally, ifϕ_s= h·A·iψ_s, the result is immediate as the semantics only involves the first location of the path along which the formula is being evaluated. J

IRemark. It must be noted that contrary toATL, it is not possible to restrict to memoryless strategies (i.e., that only depend on the current state) for ATLsc formulas. For example, the formula h·A·iG(h·∅·iFP∧ h·∅·iFP⁰) is equivalent in a standard Kripke struture (seen as a CGS with one single playerA) to theCTL^? formula E(^∞FP∧^∞FP⁰) that may require strategies with memory. The next section provides more results on the extra expressiveness brought in by strategy contexts.

3 The expressive power of strategy contexts

As shown in [7], adding strategy contexts in formulas increases the expressive power of logics:

ATL_sc(resp.ATL^?_sc) is strictly more expressive thanATL(resp.ATL^?). Game Logic (see [4]) can also be translated intoATL^?_sc(while the converse is not true). In this section, we present some new results on the expressiveness ofATLsc.

3.1 Alternating bisimulation.

Contrary to ATL, ATL^?, GL or AMC, our logics are not alternating-bisimulation (see [5]) invariant, indeed we have: There exists two CGSsC andC⁰, with an alternating-bisimulation linking two states`0 of C and `⁰₀ in C⁰, and an ATLsc formula ϕsuch that C, `0 |=ϕ and C⁰, `⁰₀6|=ϕ.

3.2 Relative expressiveness of ATL

_sc

and ATL

^?_sc

.

Surprisingly, strategy contexts bringATLsc to the same expressiveness asATL^?_sc. This was already exemplified above, with the CTL^? formula E(^∞FP ∧^∞FP⁰). We can extend this approach to anyATL^?_sc formula: the idea is to

1. first usefull strategy contexts (by adding universally quantified strategies) in order to be able to insert the h·∅·i modality before every temporal modality, and

2. ensure that for every nested strategy quantifier h·A·i, CoalitionAcannot take advantage of the added strategies.

(6)

Given anATL^?_scformula Φ and a coalitionB, we defineΦb^[B] inductively as follows:

Pb^{[B] def}= P ¬ϕc^{[B] def}= ¬ϕb^[B] ϕ\∧ψ^[B^{] def}= ϕb^[B]∧ψb^[B]

Xdϕ^[B^{] def}= h·∅·iXϕb^[B] ϕ\Uψ^[B^{] def}= h·∅·i(bϕ^[B]Uψb^[B]) h·A·i\ϕ

[B] def

= h·A·i ¬ h·Agt\(A∪B)·i ¬ϕb^[A∪B] ·iAh·\ϕ

[B] def

= ϕb^[B^r^A]

Clearly,Φb^[B] is anATLscformula. The idea behind this translation is that a state-formulaϕb^A interpreted in a strategy contextF only depends onF_|A. We then have:

ILemma 5. LetC be a CGS,`be one of its locations, andF be a strategy context. Then for anyATL^?_sc formulaϕ, for any strategy contextGs.t. dom(G) =Agtrdom(F), and for any outcomeπ∈Out^∞(`, G◦F), it holds: C, π|=F ϕ ⇔ C, π|=G◦F ϕb^[dom(F)]. Moreover, ifϕis a state-formula, this result extends to any strategy contextGs.t. dom(G)∩dom(F) =∅.

Since our transformation does not depend on the underlying CGS, we get:

ITheorem 6. Given a set of agentsAgt, anyATL^?_sc formula ϕcan be translated into an equivalent (under the empty context)ATLsc formula ϕbfor any CGS based onAgt.

Another consequence of the previous result is that any ATL^? state-formula ϕ can be translated into the equivalentATLsc formulaϕb^∅ in polynomial time. Thus we have:

ICorollary 7. Model-checking ATLsc is 2EXPTIME-hard.

4 From ATL

_sc

to alternating tree automata

The main result of this section is the following:

ITheorem 8. Model-checking ATLsc formulas with at most k nested strategy quantifiers can be achieved in (k+ 1)EXPTIME. The program complexity (i.e., the complexity of model-checking a fixedATLsc formula) is inEXPTIME.

The proof mainly consists in building an alternating tree automaton from a formula and a CGS. Similar approaches have already been proposed for strategy logic [9] orqDµ[17], but they were only valid for subclasses of CGSs: strategy logic was only studied on turn-based games, while the algorithm forqDµwas restricted to ATSs [3]. In both cases, the important point is that strategies are directly encoded as trees, with as many successors of a node as the number of possible moves from the corresponding node. With this representation, it is required that two different successors of a node correspond to two different states (which is the case for ATSs, hence for turn-based games): if this is not the case, the tree automaton may accept strategies that do not only depend on the sequence of states visited in the history, but also on the sequence of moves proposed by the players. Our encoding is different: we work on the execution tree of the CGS under study, and label each node with possible moves of the players. We then have to focus on branches that correspond to outcomes of selected strategies, and check that they satisfy the requirement specified by the formula. Before presenting the detailed proof, we first introduce alternating tree automata and fix notations.

4.1 Trees and alternating tree automata

Let Σ andS be two finite sets. A Σ-labelled S-treeis a pairT =hT, li, where

(7)

T ⊆S^∗is a non-empty set of finite words onS satisfying the following constraints: for any non-empty wordn=m·sinT withm∈T ands∈S, the wordmis also inT;

l:T →Σ is a labeling function.

Given such a treeT =hT, liand a noden∈T, the set ofdirections fromninT is the set dirT(n) ={s∈S|n·s∈T}. The set ofsuccessors ofninTissuccT(n) ={n·s|s∈dirT(n)}.

We use Tn to denote the subtree rooted in n. An S-tree is complete if T = S^∗, i.e., if dir_T(n) =S for alln∈T. We may omit the subscriptT when it is clear from the context.

The set ofinfinite paths ofT is the setPath_T ={s0·s1· · · ∈S^ω| ∀i∈N. s0·s1· · ·si∈T}.

Given such an infinite pathπ= (s_i)_i∈_N, we writel(π) for the infinite sequence (l(s_i))_i∈_N∈Σ^ω, andInf(l(π)) for the set of letters in Σ that appear infintely often alongl(π).

Assume that Σ = Σ1×Σ2, and pick a Σ-labelledS-treeT =hT, li. For alln∈T, we write l(n) = (l₁(n), l₂(n)) withl_i(n)∈Σ_i fori∈ {1,2}. Then fori∈ {1,2}, theprojection ofT on Σi, denoted by proj_Σ_i(T), is the Σi-labelled S-treehT, lii. Two Σ-labelled S-trees are Σ_i-equivalent if their projections on Σ_i are equal. These notions naturally extend to more complex alphabets, of the formQ

i∈IΣi.

We now define alternating tree automata, which will be used in the proof. This requires the following definition: the set ofpositive boolean formulasover a finite setP of propositional variables is the set of formulas generated by: PBF(P)3ζ::=p|ζ∧ζ|ζ∨ζ| > | ⊥where p ranges overP. That a valuationv:P → {>,⊥}satisfies a formula inPBF(P) is defined in the natural way. We abusively say that a subset P⁰ of P satisfies a formulaϕ∈ PBF(P) iff the valuation 1P⁰ (mapping the elements ofP⁰ to> and te elements of PrP⁰ to ⊥) satisfiesϕ. Since negation is not allowed, ifP⁰|=ϕandP⁰⊆P⁰⁰, then alsoP⁰⁰|=ϕ.

IDefinition 9. LetS and Σ be two finite sets. Analternating S-tree automaton onΣ, or hS,Σi-ATA, is a 4-tupleA=hQ, q₀, τ,Acciwhere Qis a finite set of states,q₀ ∈Qis the initial state, Σ is a finite alphabet,τ: Q×Σ→PBF(S×Q) is the transition function, and Acc:Q^ω→ {>,⊥}is the acceptance function.

A non-deterministic S-tree automaton onΣ, or hS,Σi-NTA, is a hS,Σi-ATA in which conjunctions are not allowed for defining the transition function. The size of A, denoted by|A|, is the number of states inQ.

LetA=hQ, q₀, τ,Accibe anhS,Σi-ATA, andT =hT, libe a Σ-labelledS-tree. Anexecu- tion treeofAonT is aT×Q-labelledS×Q-treeE =hE, pisuch thatp(ε) = (ε, q0), and for each nodee∈E withp(e) = (t, q), the setdir_E(e) ={(s₀, q₀),(s₁, q₁), ...,(s_n, q_n)} ⊆S×Q satisfiesτ(q, l(t)), and for all 0≤i≤n, the nodee·(si, qi) is labelled with (t·si, qi). We write pS(e·(si, qi)) =t·siandpQ(e·(si, qi)) =qifor the two components of the labelling function.

An execution tree is accepting if Acc(p_Q(π)) = > for any infinite pathπ ∈ (S×Q)^ω inPath_E. A treeT is accepted byAiff there exists an accepting execution tree ofAonT. In the sequel, we useparity acceptance condition, given as a function Ω :Q→ {0, ..., k−1}, from which Acc is defined as follows: Acc(pQ(π)) = > iff min{Ω(q) | q ∈ Inf(pQ(π))} is even. hS,Σi-ATAs with such accepting conditions are called hS,Σi-APTs, and given an hS,Σi-APTA, the size of the image of Ω is called theindex ofA, and is denoted by idx(A).

Analogously,hS,Σi-NPTs arehS,Σi-NTAs with parity acceptance conditions.

4.2 Unwinding of a CGS

LetC=hLoc,Lab, δ,Agt,M,Mov,Edgibe ann-player CGS, where we assume w.l.o.g. that δ=Loc×Loc, andMov(`, Ai) =Mfor any state`and any playerAi. Let`0 be a state ofC.

(8)

For each location ` ∈Loc, we define Σ(`) = {`} × {Lab(`)} × {Edg(`)}, and Σ⁺(`) = Σ(`)×(M ∪ {⊥})^Agt×2^{p^o^,p^l^,p^r^}, where⊥is a special symbol not inMandpo,pland pr

are three fresh propositions not inAP. We let² Σ_C =S

`∈LocΣ(`), and Σ⁺_C =S

`∈LocΣ⁺(`).

Theunwinding ofC from`₀is the Σ_C-labelled completeLoc-treeU =hU, viwhereU = Loc^∗ and v(u) ∈ Σ(last(`0·u)) for all u∈ U. An extended unwinding of C from `0 is a Σ⁺_C-labelled completeLoc-treeU⁰ such thatproj_Σ_C(U⁰) =U. For each letterσof Σ⁺_C, we write σLoc,σAP,σEdg,σstr andσp for the five components, and extend this subscripting notation for the labelling functions of trees (writtenlLoc,lAP,lEdg,lstrandlp).

In the sequel, we identify a nodeuofU (which is a finite word overLoc) with the finite path`₀·uofC. Notice that this sequence of states ofC may correspond to norealpath ofC, in case it involves a transition that is not in the image ofEdg.

With C and `0, we associate ahLoc,Σ⁺_Ci-APT A_C,`₀ = hLoc, `0, τ,Ωi s.t. Loc = {` |

`∈ Loc}, `₀ is the initial state, Ω constantly equals 0 (hence any valid execution tree is accepting), and given a state`∈Locand a letterσ∈Σ⁺_C, the transition function is defined as follows: ifσ∈Σ⁺(`), we letτ(`, σ) =V

`⁰∈Loc(`⁰, `⁰), and otherwise, we let τ(`, σ) =⊥.

ILemma 10. Let C be a CGS and `₀ be a state of C. Let T = hT, li be a Σ⁺_C-labelled Loc-tree. ThenAC,`₀ accepts T iffproj_Σ_C(T)is the unwinding of C from`0.

In the sequel, we also use automatonAC, which accepts the union of allL(AC,`₀) when`0

ranges overLoc. It is easy to come up with such an automaton,e.g. with Lemma 13 below.

4.3 Strategy quantification

LetT =hT, libe a Σ⁺_C-labelled completeLoc-tree accepted byA_C,`₀. Such a tree defines partial strategies for each player: forA∈Agt, and for each noden∈T, we definestrat^T_A(`₀· n) =lstr(n)(A)∈ M ∪ {⊥}. ForD⊆Agt, we writestrat^T_D for (strat^T_A)A∈D.

As a first step, for eachD⊆Agt, we build ahLoc,Σ⁺_Ci-APTAstrat(D) which will ensure that for all A ∈ D, strat^T_A is really a strategy for player A, i.e., never returns ⊥. This automaton has only one stateq0, withτ(q0, σ) =V

`∈Loc(`, q0) provided thatσstr(A)6=⊥for allA∈D. Otherwise,τ(q0, σ) =⊥. Finally,Astrat accepts all trees having a valid execution tree (i.e., Ω constantly equals 0). The following result is straightforward:

ILemma 11. Let C be a CGS, `₀ be a location ofC, and D ⊆Agt. Let T =hT, li be a Σ⁺_C-labelled completeLoc-tree accepted byA_C,`₀. ThenT is accepted by Astrat(D)iff for each playerA∈D,strat^T_A never equals ⊥.

We now build an automaton for checking that proposition p_o labels outcomes of T. More precisely, letD⊆Agtbe a set of players. The automatonAout(D) will accept T iff po labels exactly the outcomes of strategies strat^T_A for playersA∈D. This is achieved by the following two-state automatonAout(D) =hQ, q∈, τ,Ωi: Q={q∈, q∈/}, q∈ is the initial state, Ω constantly equals 0, and the transition function is defined as follows: ifpo∈/σ, then τ(q_∈, σ) =⊥andτ(q_∈_/, σ) =V

`∈Loc(`, q_∈_/); otheriwse,τ(q_∈_/, σ) =⊥and τ(q_∈, σ) = ^

`∈Next(σ,D)

(`, q_∈)∧ ^

` /∈Next(σ,D)

(`, q_∈_/)

2 Notice that|ΣC|=|Loc|and|Σ⁺_C|is linear in the size of the input, as we assume an explicit representation of theEdgfunction [13].

(9)

whereNext(σ, D) is

{`∈Loc| ∃(mi)i∈ M^Agts.t. (σLoc, `) =σEdg(σLoc,(mi)i) and∀Ai∈D. σstr(Ai) =mi}.

In other terms, Next(σ, D) returns the set of successor states of stateσ_Loc if players inD follow the strategies given by σstr, and according to the transition tableσEdg. Notice that Next(σ, D) is non-empty iffσstr(Ai)6=⊥for allAi∈D. We then have:

ILemma 12. LetC be a CGS, and `₀ be one of its locations, andD⊆Agt. LetT =hT, li be a Σ⁺_C-labelled completeLoc-tree accepted by A_C,`₀ and Astrat(D). ThenT is accepted by A_out(D)iff for alln∈T,p_o∈l_p(n)iff the finite run `₀·nis an outcome ofstrat^T_D from`₀.

4.4 Boolean operations, projection, non-determinization, ...

In this section, we review some classical results about alternating tree automata, which we will use in our construction.

ILemma 13. [15, 16] LetAandBbe twohS,Σi-APTs that respectively accept the languages A and B. We can build twohS,Σi-APTs C and D that respectively accept the languages A∩B and A(the complement ofAin the set ofΣ-labelledS-trees). The size and index of C are at most (|A|+|B|)andmax(idx(A),idx(B)) + 1, while those ofDare |A|andidx(A).

ILemma 14. [16] LetAbe ahS,Σi-APT. We can build ahS,Σi-NPTN accepting the same language as A, and such that|N | ∈2O(|A|idx(A)·log(|A|idx(A))) andidx(N)∈O(|A|idx(A)).

ILemma 15. [14] LetAbe ahS,Σi-NPT, withΣ = Σ₁×Σ₂. For alli∈ {1,2}, we can build ahS,Σi-NPTBi such that, for any treeT, it holds: T ∈ L(Bi)iff∃T⁰∈ L(A). proj_Σ_i(T) = proj_Σ_i(T⁰). The size and index ofB_i are those of A.

ILemma 16. LetA be ahS,Σ×2^{p}i-APT s.t. for any two Σ×2^{p}-labelled S-treesT and T⁰ withproj_Σ(T) =proj_Σ(T⁰), we haveT ∈ L(A)iff T⁰∈ L(A). Then we can build a hS,Σ×2^{p}i-APTB s.t. for allΣ×2^{p}-labelled S-tree T =hT, li, it holds: T ∈ L(B)iff

∀n∈T.(p∈l(n)iffTn∈ L(A)). ThenB has sizeO(|A|)and index idx(A) + 1.

4.5 Transforming an ATL

sc

formula into an alternating tree automaton

I Lemma 17. Let C be a CGS with finite state space Loc. Let ψ be an ATLsc-formula, andD⊆Agtbe a coalition. We can build ahLoc,Σ⁺_Ci-APTAψ,D s.t.

for any Σ⁺_C-labelled completeLoc-tree T accepted byAC and byAstrat(D), it holds T ∈ L(Aψ,D) ⇔ C, lLoc(ε)|=_stratT

D ψ;

for any two Σ⁺_C-labelled complete Loc-tree T andT⁰ s.t. proj_Σ⁰

C(T) =proj_Σ⁰

C(T⁰), with Σ⁰_C = Σ_C×(M ∪ {⊥})^Agt, we have

T ∈ L(Aψ,D) ⇔ T⁰ ∈ L(Aψ,D).

The size of Aψ,D is at most d-exponential, where d is the number of (nested) strategy quantifiers inψ. Its index is d−1-exponential.

Sketch of proof. The proof proceeds by induction on the structure of formulaψ. The case of atomic propositions is straightforward. Applying Lemma 13, we immediately get the result for the case whenϕis a boolean combination of subformulas.

(10)

We now sketch the proof for the case whenψ= h·A·iXϕ. The case formulas h·A·iϕ1Uϕ2

and³ h·A·iϕ1Rϕ2 could be handled similarly. The idea of the construction is as follows:

we use automatonAout(D∪A) to label outcomes with p_o,Aϕ,D∪A to label nodes whereϕ holds, and build an intermediate automatonAf to check that all the outcomes satisfyXϕ.

We then project out the strategy of coalitionA, which yields the automaton for h·A·iXϕ.

Assume that we have already built the automaton A_ϕ,D∪A (inductively). Applying Lemma 16 toA_ϕ,D∪Awith the extra proposition pr, we get an automatonBp_r,ϕ,D∪A such that, given a treeT =hT, liaccepted by A_C andA_strat(D∪A), it holds

T ∈ L(Bp_r,ϕ,D∪A) ⇔ ∀n∈T.(pr∈l(n)⇔ C, lLoc(n)|=_strat^Tn

D∪Aϕ). (1)

In order to check that all the outcome satisfy Xϕ, we simply have to build an automaton Af for checking the CTL^? property A(Gpo→Xpr). We refer to [12] for this classical construction. This automatonAf has the following property: for any Σ⁺_C-labelled Loc-treeT =hT, li, we have

T ∈ L(Af) ⇔ T, ε|= A(Gpo→Xpr). (2)

Now, letHbe the product ofAstrat(A),Aout(D∪A),Af andBp_r,ϕ,D∪A, and letT be a tree accepted byA_C andAstrat(D). IfT is accepted byH, then then D∪A⊆dom(T) and all the outcomes of the strategystrat^T_D∪A froml_Loc(ε) satisfy Xϕ.

The converse does not hold in general, but we prove a weaker form: fromT =hT, li, accepted byAC andAstrat(D), and such thatD∪A⊆dom(T) and the outcomes ofstrat^T_D∪A fromlLoc(ε) satisfy Xϕ, we build T⁰ =hT, l⁰isuch that proj_Σ0

C(T) = proj_Σ0

C(T⁰), and T⁰ is accepted by H. To do this, it suffices to modify the labelling of T with p_o and p_r, in such a way that T⁰ is accepted by Aout(D ∪A) and Bp_r,ϕ,D∪A. This ensures that C, lLoc(ε)|=_stratT 0

D∪A

h·∅·iXϕ, and thatT⁰ is also accepted byAf. In the end, we have that for any treeT =hT, liaccepted by AC andAstrat(D),

D∪A⊆dom(T) and C, lLoc(ε)|=_strat^T

D∪A h·∅·iXϕ ⇔

∃T⁰ s.t. proj_Σ⁰

C(T⁰) =proj_Σ⁰

C(T) andT⁰ ∈ L(H). (3) Applying Lemma 14, we get ahΣ⁺_C,Loci-NPTN such thatL(N) =L(H). We can then apply Lemma 15 for Σ⁺_C = (Σ_C×(M ∪ {⊥})Âgt^rÂ)×((M ∪ {⊥})Â×2^pô^,p^l^,p^r) on the NPTN; the resultinghΣ⁺_C,Loci-NPTP accepts all treesT whose labelling on (M ∪ {⊥})Â×2^pô^,p^l^,p^r can be modified in order to have the tree accepted byN. ThenP satisfies both properties of the Lemma: the second property directly follows from the use Lemma 15. For the first one, pickT =hT, liaccepted byAC and byAstrat(D). IfT is accepted byP, then from Lemma 15, there exists a treeT⁰ = hT, l⁰i, with the same labelling as T on Σ_C ×(M ∪ {⊥})Âgt^rÂ), and accepted byN. SinceL(N) =L(H), and from (3), we get thatD∪A⊆dom(T⁰) and C, lLoc(ε) |=_stratT 0

D∪A h·∅·iXϕ. Thus strat^T_A⁰ is a strategy for coalition A, and it witnesses the fact that C, lLoc(ε) |=_stratT 0

D

h·A·iXϕ, and we get the desired result since strat^T_D = strat^T_D⁰. Conversely, if C, lLoc(ε) |=_stratT

D h·A·iXϕ, then we can modify the labelling of T with a witnessing strategy forA, obtaining a treeT⁰ such thatC, lLoc(ε)|=_stratT 0

D∪A h·∅·iXϕ.

From (3), T⁰ can in turn be modified into a tree T⁰⁰, with proj_Σ0

C(T⁰⁰) = proj_Σ0

C(T⁰), in

3 The “release” modality R is the dual of U, defined byϕ1Rϕ2≡ ¬[(¬ϕ1)U(¬ϕ2)]. Notice thatX is self-dual as we only evaluate formulas along infinite outcomes.

(11)

such a way that T⁰⁰ ∈ L(H). Finally, since the projections of T⁰⁰ and T coincide on (Σ_C ×(M ∪ {⊥})^Agt^r^A), it holds that T is accepted byP. This concludes the proof for

h·A·iXϕ.

The proofs for the “until” and “release” modalities follow the same lines, usingpl andpr

as extra atmomic propositions for the left- and right-hand subformulas, and modifying automatonAf so that it accepts trees satisfying A(Gpo→plUpr) and A(Gpo→plRpr), respectively. Finally, whenψ= ·iAh·ϕ, we letA_·iAh·_ϕ,D=Aϕ,DrA, which is easily proved to satisfy both requirements.

Unless A = ∅, the construction of the automaton for h·A·iXϕ (or h·A·iϕ₁Uϕ₂ or h·A·iϕ1Rϕ2) involves an exponential blowup in the size and index of the automata for the subformulas, and the index is bilinear in the size and index of these automata. In the end, for a formula involving d nested non-empty strategy quantifiers, the automaton has size

d-exponential and indexd−1-exponential. J

I Corollary 18. Given an ATLsc formula ϕ, a CGS C and a state `₀ of C, we can built an alternating parity tree automaton A s.t. L(A) 6= ∅iff C, `0 |=_∅ ϕ. Moreover, A has sized-exponential and indexd−1-exponential, wheredis the number of nested non-empty strategy quantifiers.

Proof. It suffices to take the product of the automaton Aϕ,∅ (from Lemma 17) withAC,`0. In case thishLoc,Σ⁺_Ci-APT accepts a treeT, Lemma 17 entails thatC, `0|=_∅ϕ. Conversely, ifC, `₀|=ϕ, then the extended unwinding treeT =hT, liofCfrom`₀ in whichl_str(n) =⊥ for alln∈T is accepted byAC,`₀ (and, trivially, byAstrat(∅)), and from Lemma 17, it is

also accepted byAϕ,∅. J

Proof of Theorem 8. The first statement directly follows from the previous corollary, since emptiness of alternating parity tree automataAcan be checked in time exp(O(|A| ×idx(A))).

For the second statement, notice that the size and index ofAϕ,∅in the proof of Corollary 18 do not depend on the CGSC. Hence the automatonAof Corollary 18 has size linear in|C|, and can be computed in time exponential in|C|(because Aout(D) requires the computation ofNext(σ, D)). Non-emptiness is then checked in time exponential in|C|. J IRemark. Our algorithm can easily be modified in order to handleATL^?_sc. One solution is to rely on Theorem 6, but our translation from ATL^?_scto ATLscmay double the number of nested non-empty strategy quantifiers. The algorithm would then be in (2k+ 1)-EXPTIME, wherekis the number of nested strategy quantifications. Another solution is to adapt our construction, by replacing each state-subformula with a fresh atomic proposition, and build the automaton Af for a more complexCTL^? formula. This results in a (k+ 1)-EXPTIME algorithm. In both cases, the program complexity is unchanged, inEXPTIME.

Similarly, our algorithm could be modified to handle strategy logic [9]. One important difference is that strategy logic may require to store several strategies per player in the tree, whileATLsc only stores one strategy per player. This would then be reflected in a modified version of theNextfunction we use when buildingAout(D), where we should also indicate which strategies we use for which player.

5 Conclusions

Strategy contexts provide a very expressive extension of the semantics ofATL, as we witnessed by the fact thatATLsc andATL^?_scare equally expressive. We also designed a tree-automata-

(12)

based algorithm for model-checking both logics on the whole class of CGSs, based on a novel encoding of strategies as a tree.

Our algorithms involve a non-elementary blowup in the size of the formula, which we currently don’t know if it can be avoided. Trying to establish lower-bounds on the complexity of the problems is part of our future works. Regarding expressiveness,ATL_sc can distinguish between alternating-bisimilar CGSs, and we are also looking for a behavioural equivalence that could characterize the distinguishing power ofATLsc.

References

1 T. Ågotnes, V. Goranko, and W. Jamroga. Alternating-time temporal logics with irrevocable strategies. InTARK’07, p. 15–24, 2007.

2 T. Ågotnes, V. Goranko, and W. Jamroga. Strategic commitment and release in logics for multi-agent systems. Tech. Rep. 08-01, Clausthal U. of Technology, Germany, 2008.

3 R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. InCOM- POS’97, LNCS 1536, p. 23–60. Springer, 1998.

4 R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. J. ACM, 49(5):672–713, 2002.

5 R. Alur, T. A. Henzinger, O. Kupferman, and M. Y. Vardi. Alternating refinement relations.

InCONCUR’98, LNCS 1466, p. 163–178. Springer, 1998.

6 Ch. Baier, T. Brázdil, M. Größer, and A. Kučera. Stochastic game logic. InQEST’07, p. 227–236. IEEE Comp. Soc., 2007.

7 Th. Brihaye, A. Da Costa, F. Laroussinie, and N. Markey. ATL with strategy contexts and bounded memory. InLFCS’09, LNCS 5407, p. 92–106. Springer, 2009.

8 K. Chatterjee, T. A. Henzinger, and N. Piterman. Strategy logic. InCONCUR’07, LNCS 4703, p. 59–73. Springer, 2007.

9 K. Chatterjee, T. A. Henzinger, and N. Piterman. Strategy logic.Inf. & Comp., 208(6):677–

693, 2010.

10 E. M. Clarke and E. A. Emerson. Design and synthesis of synchrization skeletons using branching-time temporal logic. InLOP’81, LNCS 131, p. 52–71. Springer, 1982.

11 A. Da Costa, F. Laroussinie, and N. Markey. Expressiveness and decidability of ATL with strategy contexts. Tech. Rep. LSV-10-14, Lab Spécification & Vérification, France, 2010.

12 O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching- time model-checking. J. ACM, 47(2):312–360, 2000.

13 F. Laroussinie, N. Markey, and G. Oreiby. On the expressiveness and complexity of ATL.

LMCS, 4(2), 2008.

14 D. E. Muller and P. E. Schupp. Alternating automata on infinite objects, determinacy and Rabin’s theorem. InEPIT’84, LNCS 192, p. 99–107. Springer, 1985.

15 D. E. Muller and P. E. Schupp. Alternating automata on infinite trees. TCS, 54(2-3):267–

276, 1987.

16 D. E. Muller and P. E. Schupp. Simulating alternating tree automata by nondeterministic automata: New results and new proofs of the theorems of Rabin, McNaughton and Safra.

TCS, 141(1-2):69–107, 1995.

17 S. Pinchinat. A generic constructive solution for concurrent games with expressive constraints on strategies. InATVA’07, LNCS 4762, p. 253–267. Springer, 2007.

18 A. Pnueli. The temporal logic of programs. InFOCS’77, p. 46–57. IEEE Comp. Soc., 1977.

19 J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR.

InSOP’82, LNCS 137, p. 337–351. Springer, 1982.

20 D. Walther, W. van der Hoek, and M. Wooldridge. Alternating-time temporal logic with explicit strategies. InTARK’07, p. 269–278, 2007.