We approach the model checking problem in three stages. First, given a finite environment $E$ and a view $v$, we construct an infinite environment $E^v$ that reduces the model checking problem with respect to $v$ in $E$ to one of model checking $E^v$ with respect to $obs$. Second, we introduce bisimulations between environments, which, together with the previous step, may enable the problem of model checking $E$ with respect to $v$ to be reduced to model checking with respect to $obs$ in a finite state environment $E'$ (which is of exponential size in our applications). Finally, we combine alternating Turing machine techniques with standard Büchi automata techniques to obtain the general model checking procedure (which runs in PSPACE in our applications).
Let $E = (S, I, \to, (O_i)_{i\in A}, \pi, \alpha)$ be a finite environment and let $v$ be a view. Define $E^v$, the $v$-environment for $E$, to be $(S^v, I^v, \to^v, (O^v_i)_{i\in A}, \pi^v, \alpha^v)$ where:
• $S^v = runs(E)\times\mathbb{N}$,
• $I^v = runs(E)\times\{0\}$,
• $(r,m)\to^v(r',m')$ if $r'=r$ and $m'=m+1$,
• $O^v_i(r,m) = \{(r,m)\}^v_i$,
• $\pi^v(r,m) = \pi(r(m))$, and
• $(r,m)\in\alpha^v$ iff $r(m)\in\alpha$.
The following lemma states that the observational view on this (infinite) environment coincides with the view $v$ on the original (finite) environment. Given a run $r$ of $E$, write $r^v$ for the run of $E^v$ defined by $r^v(n) = (r,n)$ for all $n\in\mathbb{N}$.
Lemma 7. Let $\varphi\in L_{\{\bigcirc,U,K_1,\ldots,K_n,C\}}$ and let $(r,m)$ be a point of $E$.
Since every run of $E^v$ has the form $r^v$ for some run $r$ of $E$, it follows that $E\models_v\varphi$ iff $E^v\models_{obs}\varphi$.
Let $fpaths(E)$ be the set of all fair paths of $E$. For $\rho\in fpaths(E)$ and $m\in\mathbb{N}$ let $\rho|_m$ be the fair path with $\rho|_m(j) = \rho(m+j)$ for $j\in\mathbb{N}$.
Observe that the semantics of $E,(r,n)\models_v\varphi$ refers only to the future of the points considered in unfolding the definition. To formalise this, consider the following alternate definition of a relation $E,\rho\models^*\varphi$, defined for all $\rho\in fpaths(E)$, not just the initialized ones:
• $E,\rho\models^* p$ if $p\in\pi(\rho(0))$, where $p\in Prop$,
• $E,\rho\models^*\varphi_1\wedge\varphi_2$ if $E,\rho\models^*\varphi_1$ and $E,\rho\models^*\varphi_2$,
• $E,\rho\models^*\neg\varphi$ if not $E,\rho\models^*\varphi$,
• $E,\rho\models^*\bigcirc\varphi$ if $E,\rho|_1\models^*\varphi$,
• $E,\rho\models^*\varphi_1 U\varphi_2$ if there exists $m''\ge 0$ such that $E,\rho|_{m''}\models^*\varphi_2$ and $E,\rho|_{m'}\models^*\varphi_1$ for all $m'$ with $0\le m'<m''$,
• $E,\rho\models^* K_i\varphi$ if $E,\rho'\models^*\varphi$ for all $\rho'\in fpaths(E)$ with $O_i(\rho'(0)) = O_i(\rho(0))$,
• $E,\rho\models^* C_G\varphi$ if for all sequences of states $s_0,s_1,\ldots,s_k$ such that (i) $s_0=\rho(0)$, (ii) for all $j<k$ there exists an $i\in G$ such that $O_i(s_j)=O_i(s_{j+1})$, and (iii) for all $\rho'\in fpaths(E)$ with $\rho'(0)=s_k$, we have $E,\rho'\models^*\varphi$.
We write $E\models^*\varphi$ if $E,r\models^*\varphi$ for all runs $r$ of $E$.
For an environment $E$, define a state to be reachable if it occurs in some run of $E$. Say that observations in $E$ preserve reachability if for all states $s,t$ of $E$ and all agents $i$, if $s$ is reachable and $O_i(s) = O_i(t)$ then $t$ is reachable.³
Lemma 8. $E,(r,m)\models_{obs}\varphi$ iff $E,r|_m\models^*\varphi$ when observations in $E$ preserve reachability.
Proof. By induction on the construction of $\varphi$. The only non-trivial cases are those for the knowledge operators. We describe the argument for $K_i\varphi$; that for $C_G\varphi$ is similar. Suppose $E,(r,m)\models_{obs} K_i\varphi$. Then for all points $(r',m')$ of $E$ with $O_i(r(m)) = O_i(r'(m'))$ we have $E,(r',m')\models_{obs}\varphi$. We show that $E,r|_m\models^* K_i\varphi$. For, let $O_i(r(m)) = O_i(\rho(0))$, where $\rho\in fpaths(E)$. Since observations preserve reachability, the state $\rho(0)$ is reachable, so there exists a sequence $s_0\to s_1\to\ldots\to s_{m'} = \rho(0)$ with $s_0\in I$. Let $r'$ be the sequence $s_0\ldots s_{m'-1}\cdot\rho$. Then $r'$ is a run of $E$ and $(r,m)\sim^{obs}_i(r',m')$. Hence $E,(r',m')\models_{obs}\varphi$. By the inductive hypothesis, $E,r'|_{m'}\models^*\varphi$, i.e. $E,\rho\models^*\varphi$. Hence $E,r|_m\models^* K_i\varphi$.
Conversely, suppose $E,r|_m\models^* K_i\varphi$. Let $(r',m')$ be a point with $O_i(r'(m')) = O_i(r(m))$. Then $r'|_{m'}$ is a fair path with $O_i(r'|_{m'}(0)) = O_i(r(m))$, so $E,r'|_{m'}\models^*\varphi$, hence $E,(r',m')\models_{obs}\varphi$. This shows that $E,(r,m)\models_{obs} K_i\varphi$.
³ We remark that it is always possible to ensure this by deleting the unreachable states from $E$, an operation that preserves satisfaction of formulas. However, this operation is undesirable in our applications since we will deal with exponential size structures, in which observations already preserve reachability.
Next, we introduce a notion of bisimulation on environments (cf. (Park 1981)) in order to reduce the infinite state space of $E^v$ to a finite one while preserving validity of formulas with respect to $obs$. For environments $E = (S, I, \to, (O_i)_{i\in A}, \pi, \alpha)$ and $E' = (S', I', \to', (O'_i)_{i\in A}, \pi', \alpha')$, a function $\sigma: S\longrightarrow S'$ is said to be a bisimulation from $E$ to $E'$ if the following hold:
1. $I' = \sigma(I)$,
2. if $s\to s'$ then $\sigma(s)\to'\sigma(s')$,
3. if $\sigma(s)\to' u$ then there exists $s'\in S$ such that $\sigma(s') = u$ and $s\to s'$,
4. if $O_i(s) = O_i(t)$ then $O'_i(\sigma(s)) = O'_i(\sigma(t))$,
5. if $O'_i(\sigma(s)) = O'_i(u)$ then there exists a state $t\in S$ such that $O_i(s) = O_i(t)$ and $\sigma(t) = u$,
6. $\pi'\circ\sigma = \pi$, and
7. $\sigma(s)\in\alpha'$ iff $s\in\alpha$.
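As an added illustration (not the paper's own code), the following Python checks these seven conditions by brute force on two small constructed environments; the tuple encoding of an environment, the observation tables, the function name and the map SIGMA are all assumptions of the example.

```python
# Added example (not from the paper): brute-force check of the seven
# bisimulation conditions on constructed finite environments.
# An environment is a tuple (S, I, T, O, pi, alpha): T is a set of (s, s')
# transition pairs, O maps each agent i to a dict state -> observation,
# pi maps states to sets of propositions, alpha is the set of fair states.
# sigma is a dict from states of E to states of E2 (the E' of the text).
from itertools import product

def bisimulation_violations(E, E2, sigma):
    """Sorted list of the condition numbers (1..7) that sigma violates;
    an empty list means sigma is a bisimulation from E to E2."""
    S, I, T, O, pi, alpha = E
    S2, I2, T2, O2, pi2, alpha2 = E2
    bad = set()
    if I2 != {sigma[s] for s in I}:
        bad.add(1)                                  # 1. I' = sigma(I)
    for s, s1 in T:
        if (sigma[s], sigma[s1]) not in T2:
            bad.add(2)                              # 2. transitions preserved
    for s, u in product(S, S2):                     # 3. transitions reflected
        if (sigma[s], u) in T2 and not any(sigma[s1] == u for s1 in S if (s, s1) in T):
            bad.add(3)
    for i in O:
        for s, t in product(S, S):                  # 4. same observation preserved
            if O[i][s] == O[i][t] and O2[i][sigma[s]] != O2[i][sigma[t]]:
                bad.add(4)
        for s, u in product(S, S2):                 # 5. same observation reflected
            if O2[i][sigma[s]] == O2[i][u] and not any(O[i][s] == O[i][t] for t in S if sigma[t] == u):
                bad.add(5)
    for s in S:
        if pi2[sigma[s]] != pi[s]:
            bad.add(6)                              # 6. pi' o sigma = pi
        if (sigma[s] in alpha2) != (s in alpha):
            bad.add(7)                              # 7. fairness agrees
    return sorted(bad)

# Constructed instance: in E the states b and c are copies of one another
# (same observation, valuation and transitions); E2 merges them into B.
E = ({'a', 'b', 'c'}, {'a'}, {('a', 'b'), ('a', 'c'), ('b', 'a'), ('c', 'a')},
     {1: {'a': 'x', 'b': 'y', 'c': 'y'}},
     {'a': {'p'}, 'b': set(), 'c': set()}, {'a', 'b', 'c'})
E2 = ({'A', 'B'}, {'A'}, {('A', 'B'), ('B', 'A')},
      {1: {'A': 'x', 'B': 'y'}}, {'A': {'p'}, 'B': set()}, {'A', 'B'})
SIGMA = {'a': 'A', 'b': 'B', 'c': 'B'}          # collapses b and c onto B

if __name__ == '__main__':
    print(bisimulation_violations(E, E2, SIGMA))                           # []
    print(bisimulation_violations(E, E2, {'a': 'A', 'b': 'B', 'c': 'A'}))  # [2, 3, 4, 6]
```

Mapping c onto A instead of B shows which conditions fail and why: the transition (a,c) is no longer matched in E2, the pair b, c with equal observations is separated, and the valuations disagree.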
Lemma 9. Suppose that $\sigma$ is a bisimulation from $E$ to $E'$. Then
1. for all (initialised) $\rho\in fpaths(E)$, $\sigma(\rho)$ is an (initialised) fair path of $E'$;
2. for all $\rho'\in fpaths(E')$ and (initial) states $s$ of $E$, if $\sigma(s) = \rho'(0)$, then there exists an (initialised) $\rho\in fpaths(E)$ with $\rho(0) = s$ such that $\sigma(\rho) = \rho'$;
3. for all $\rho\in fpaths(E)$ we have $E,\rho\models^*\varphi$ iff $E',\sigma(\rho)\models^*\varphi$.
Proof. Let $\sigma$ be a bisimulation from $E$ to $E'$. Part (1) follows from points 1, 2, and 7. Part (2) follows from points 3 and 7.
For part (3), let $\rho\in fpaths(E)$. We proceed by induction on the construction of $\varphi$. The propositional case is immediate from 6. The temporal cases are straightforward.
For the knowledge case, assume $E,\rho\models^* K_i\psi$ and that $O'_i(\sigma(\rho(0))) = O'_i(\rho''(0))$ for some $\rho''\in fpaths(E')$. By 5, there exists a state $t$ of $E$ such that $O_i(\rho(0)) = O_i(t)$ and $\sigma(t) = \rho''(0)$. By part (2), there exists a $\rho'\in fpaths(E)$ such that $\rho'(0) = t$ and $\sigma(\rho') = \rho''$. Thus $E,\rho'\models^*\psi$. By the induction hypothesis, $E',\rho''\models^*\psi$. This shows that $E',\sigma(\rho)\models^* K_i\psi$.
Conversely, suppose $E',\sigma(\rho)\models^* K_i\psi$. Suppose $O_i(\rho(0)) = O_i(\rho'(0))$ where $\rho'\in fpaths(E)$. By part (1), $\sigma(\rho')$ is a fair path of $E'$. By 4, $O'_i(\sigma(\rho(0))) = O'_i(\sigma(\rho')(0))$. Thus $E',\sigma(\rho')\models^*\psi$. By the induction hypothesis, $E,\rho'\models^*\psi$. This shows that $E,\rho\models^* K_i\psi$.
The case for common knowledge follows by similar arguments.
Noting that all states of $E^v$ are reachable, we obtain the following:
Corollary 10. For all environments $E$ and $E'$, if there exists a bisimulation from $E^v$ to $E'$, then $E\models_v\varphi$ iff $E'\models^*\varphi$.
This result provides the basic reduction that we use to obtain our complexity results. We now show that the relation $E'\models^*\varphi$ is decidable for finite environments $E'$. However, we will need to deal with the fact that the structure $E'$ will be of size exponential in the size of $E$ in our applications. For this reason, we express our decision procedure for $\models^*$ as an alternating computation (Chandra, Kozen, and Stockmeyer 1981), in which we guess and verify the components of $E'$.
We begin with a reduction to well-known techniques for LTL. Say that a formula is a pure knowledge formula if it is of one of the forms $K_i\psi$ or $C_G\psi$, or their negation. Note that for formulas $\varphi$ that are either atomic propositions or their negation, or pure knowledge formulas, we have that if $\rho(0) = \rho'(0)$, then $E,\rho\models^*\varphi$ iff $E,\rho'\models^*\varphi$. Thus, for such formulas $\varphi$, we may define $E,s\models^*\varphi$, where $s$ is a state of $E$, to hold if $E,\rho\models^*\varphi$ for some (equivalently, every) path $\rho$ with $\rho(0) = s$.
We may use this state-dependence property to transform the $L_{\{\bigcirc,U,K_1,\ldots,K_n,C\}}$ model checking problem with respect to $\models^*$ into a problem of model checking $L_{\{\bigcirc,U\}}$, by replacing the pure knowledge subformulas by atomic propositions. Introduce a new atomic proposition $q_{K_i\psi}$ for each formula $K_i\psi$ and $q_{C_G\psi}$ for each formula $C_G\psi$. Let $L^*_{\{\bigcirc,U\}}$ be the language of temporal logic over the set of atomic propositions $Prop$ together with these new atomic propositions. Given a formula $\varphi$ of $L_{\{\bigcirc,U,K_1,\ldots,K_n,C\}}$ and an occurrence of a pure knowledge formula as a subformula of $\varphi$, say this occurrence is maximal if it does not lie within the scope of a knowledge or common knowledge operator. For example, in $(K_2\bigcirc K_1 p)\vee K_1 p$, the maximal occurrences of knowledge subformulas are the occurrence of $K_2\bigcirc K_1 p$ and the second (but not the first) occurrence of $K_1 p$. Define $\varphi^*$ to be the formula of $L^*_{\{\bigcirc,U\}}$ obtained by replacing each maximal occurrence of a knowledge formula $K_i\psi$ by the proposition $q_{K_i\psi}$ and similarly for the maximal occurrences of $C_G\psi$. More precisely,

$$p^* = p,\quad (\varphi_1\wedge\varphi_2)^* = \varphi_1^*\wedge\varphi_2^*,\quad (\neg\varphi)^* = \neg(\varphi^*),\quad (\bigcirc\varphi)^* = \bigcirc(\varphi^*),$$
$$(\varphi_1 U\varphi_2)^* = \varphi_1^* U\varphi_2^*,\quad (K_i\psi)^* = q_{K_i\psi},\quad (C_G\psi)^* = q_{C_G\psi}.$$

Thus, $((K_2\bigcirc K_1 p)\vee K_1 p)^* = q_{K_2\bigcirc K_1 p}\vee q_{K_1 p}$. Write $Prop_{\varphi^*}$ for the set of atomic propositions occurring in $\varphi^*$ and $KProp_{\varphi^*}$ for the set of atomic propositions of the form $q_{K_i\psi}$ and $q_{C_G\psi}$ that occur in $\varphi^*$.
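An added example, not part of the paper: the translation $\varphi\mapsto\varphi^*$ together with $Prop_{\varphi^*}$ and $KProp_{\varphi^*}$, implemented over a constructed tuple encoding of formulas (the encoding, the rendering and the function names are assumptions), and run on the paper's own example formula.

```python
# Added example (not from the paper): the translation phi -> phi* of the text
# above, over a constructed tuple encoding of L_{O,U,K_1..K_n,C} formulas:
#   ('p', name) | ('not', f) | ('and', f, g) | ('or', f, g) | ('next', f)
#   | ('until', f, g) | ('K', i, f) | ('C', frozenset(G), f)

def show(f):
    """Render a formula as text; the rendering also names the proposition q_f."""
    op = f[0]
    if op == 'p':
        return f[1]
    if op == 'not':
        return '~' + show(f[1])
    if op == 'next':
        return 'O' + show(f[1])
    if op in ('and', 'or', 'until'):
        sym = {'and': '&', 'or': '|', 'until': 'U'}[op]
        return '(' + show(f[1]) + ' ' + sym + ' ' + show(f[2]) + ')'
    if op == 'K':
        return 'K' + str(f[1]) + ' ' + show(f[2])
    if op == 'C':
        return 'C{' + ','.join(map(str, sorted(f[1]))) + '} ' + show(f[2])
    raise ValueError(op)

def star(f):
    """phi*: keep the Boolean and temporal structure but stop at the first
    K_i or C_G met on each branch (a maximal occurrence) and replace that
    whole subformula by the fresh proposition q_<subformula>.  Knowledge
    operators nested inside it (e.g. the inner K_1 p) are not named separately."""
    op = f[0]
    if op in ('K', 'C'):
        return ('p', 'q_' + show(f))
    if op == 'p':
        return f
    return (op,) + tuple(star(g) for g in f[1:])

def props(f):
    """Atomic propositions occurring in f; props(star(phi)) is Prop_{phi*}."""
    if f[0] == 'p':
        return {f[1]}
    return set().union(*(props(g) for g in f[1:] if isinstance(g, tuple)))

def kprops(f):
    """KProp_{phi*}: the pure-knowledge propositions introduced by star(f)."""
    return {q for q in props(star(f)) if q.startswith('q_')}

if __name__ == '__main__':
    # the paper's example: ((K_2 O K_1 p) v K_1 p)* = q_{K_2 O K_1 p} v q_{K_1 p}
    phi = ('or', ('K', 2, ('next', ('K', 1, ('p', 'p')))), ('K', 1, ('p', 'p')))
    print(show(star(phi)))      # (q_K2 OK1 p | q_K1 p)
```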
Suppose we enrich the structure $E$ by extending the valuation $\pi$ so that $q_{K_i\psi}\in\pi(s)$ iff $E,s\models^* K_i\psi$ and $q_{C_G\psi}\in\pi(s)$ iff $E,s\models^* C_G\psi$. Call the resulting structure $E^*$. Then we have $E,\rho\models^*\varphi$ iff $E^*,\rho\models\varphi^*$. This turns the problem of model checking $L_{\{\bigcirc,U,K_1,\ldots,K_n,C\}}$ in $E$ into the problem of model checking $L^*_{\{\bigcirc,U\}}$ in $E^*$. Of course, to apply this technique, we need to have the appropriate extension $E^*$ of $E$. We may deal with this in an NPSPACE computation by guessing the extension $E^*$, iteratively verifying its correctness over larger and larger pure knowledge subformulas of $\varphi$ (using LTL model checking techniques), and then model checking the formula $\varphi^*$. Since NPSPACE = PSPACE, this already yields a proof of Theorem 1.⁴
⁴ The guess and verify technique discussed here is essentially that used in Vardi's results on verifying implementa-
However, in our applications, we will not be interested in a given structure $E$, but in a structure $E'$ of size exponential in the size of $E$. This means that the cost of guessing $(E')^*$ is exponential. We will handle this by guessing the extension not upfront, but on the fly, for each state of $E'$ as it arises during the verification, and using an APTIME computation that incorporates a Büchi automaton emptiness check for the LTL parts of the verification.
Let $M_{\varphi^*}$ be the nondeterministic Büchi automaton for the $L^*_{\{\bigcirc,U\}}$ formula $\varphi^*$ over propositions $Prop_{\varphi^*}$, with states $S_{\varphi^*}$, initial states $I_{\varphi^*}$, transitions $\Rightarrow_a$ (where $a\in\mathcal{P}(Prop_{\varphi^*})$) and acceptance condition $\alpha_{\varphi^*}$. We make use of the following properties of this automaton (Vardi and Wolper 1984): (1) The automaton is of size $O(2^{|\varphi^*|})$, where each state is of size $O(|\varphi|)$. (2) Deciding $S_{\varphi^*}$, $I_{\varphi^*}$, $\Rightarrow_a$, and $\alpha_{\varphi^*}$ can be done in ATIME$(\log^2|\varphi|)$.
For a finite environment $E = (S, I, \to, (O_i)_{i\in A}, \pi, \alpha)$, we define the product $E\times M_{\varphi^*}$ (a transition system with Büchi acceptance condition) as follows.
• The transition system has states $\langle b,s,v\rangle$, where $b\in\mathcal{P}(\{0,1\})$, $s\in S$ and $v\in S_{\varphi^*}$. Intuitively, $0\in b$ ($1\in b$) represents that $E$ (resp., $M_{\varphi^*}$) has passed through an accepting state since the most recent accepting state of the product.
• The set of initial states consists of all $\langle\emptyset,s,v\rangle$ where $s\in I$ and $v\in I_{\varphi^*}$.
• There is a transition $\langle b,s,v\rangle\Rightarrow_k\langle b',s',v'\rangle$ for a set $k\subseteq KProp_{\varphi^*}$ when:
  – $s\to s'$,
  – $v\Rightarrow_{\pi(s)\cup k} v'$, and
  – $b' = b_0\cup b_1\cup b_2$, where if $b = \{0,1\}$ then $b_0 = \emptyset$, else $b_0 = b$; if $s\in\alpha$ then $b_1 = \{0\}$, else $b_1 = \emptyset$; and if $v\in\alpha_{\varphi^*}$ then $b_2 = \{1\}$, else $b_2 = \emptyset$.
• The automaton has as accepting states the states $\langle b,s,v\rangle$ with $b = \{0,1\}$.
Intuitively, this transition system represents running $M_{\varphi^*}$ as a monitor on runs of $E$, with the values of the propositions $KProp_{\varphi^*}$ chosen arbitrarily. Thus, there exists a fair path $\rho = s_0 s_1\ldots$ of $E$ such that $E,\rho\models^*\varphi$ iff there exists an accepting run $\langle b_0,s_0,v_0\rangle\Rightarrow_{k_0}\langle b_1,s_1,v_1\rangle\Rightarrow_{k_1}\langle b_2,s_2,v_2\rangle\Rightarrow_{k_2}\ldots$ of $E\times M_{\varphi^*}$ such that for all $j\ge 0$, we have $E,s_j\models^* k_j$. Applying the usual emptiness check for Büchi automata, such a path exists iff we can find a finite such sequence with $\langle b_l,s_l,v_l\rangle$ an accepting state and final element $\langle b_{l'},s_{l'},v_{l'}\rangle = \langle b_l,s_l,v_l\rangle$ for some $l'>l$, where both $l$ and $l'-l$ are at most $|E\times M_{\varphi^*}|$. Our decision procedure searches for such paths using a Savitch-style reachability procedure (Savitch 1970) in order to deal with the exponential size of the search-space.
For the verification that $E,s\models^* k$, it suffices to check, for each maximal knowledge subformula $K_i\psi$ of $\varphi$, that $q_{K_i\psi}\in k$ iff $O_i(s) = O_i(t)$ implies that for all fair paths $\rho = t_0 t_1\ldots$ with $t_0 = t$, we have $E,\rho\models^*\psi$. For this, we recursively apply the above ideas on $E\times M_{\neg\psi^*}$. Since $\psi$ is a strict subformula of $\varphi$, the recursion is well founded. A similar check is applied for the common knowledge subformulas.
We are now ready to present our general algorithm scheme as an alternating computation (Chandra et al. 1981). Suppose that we are given a finite environment $E$, for which it is known that there exists a bisimulation from $E^v$ to a finite environment $E' = (S', I', \to', (O'_i)_{i\in A}, \pi', \alpha')$. We assume that there is a representation of $E'$ such that the states and other components of $E'$ can be represented and verified within known space and alternating time complexity bounds. (That is, given $E$, the states of $E'$ are representable as strings of length bounded by some known function of $|E|$, in such a way that we can decide whether such a string represents a state of $E'$, whether $s\to' s'$ etc. with some known complexity bounds.) We define the following alternating procedure that searches for such runs by operating over the states $\langle b,s,v\rangle$ of the automata $E'\times M_{\psi^*}$ for subformulas $\psi$ of $\varphi$ and their negations. For clarity, we write expressions referring to the components of $E'$ (such as "choose $s\in I'$ and do X") which need to be expanded to expressions ("choose $s$ and universally (1) verify $s\in I'$ and (2) do X") that use the verification routines assumed to exist.
VERIFY$(E,\varphi)$: Universally choose $s\in I'$ and call $\neg$FALSIFY$(E,s,\varphi)$.

FALSIFY$(E,s,\psi)$: Existentially choose $k\subseteq KProp_{\psi^*}$, an initial state $v$ of $M_{\neg\psi^*}$, an accepting state $\langle b_0,s_0,v_0\rangle$ and a state $\langle b_1,s_1,v_1\rangle$ of $E'\times M_{\neg\psi^*}$ where $\langle b_0,s_0,v_0\rangle\Rightarrow_k\langle b_1,s_1,v_1\rangle$. Let $N = \lceil\log_2|states(E'\times M_{\neg\psi^*})|\rceil$. Universally call:
• REACH$(E,\langle\emptyset,s,v\rangle,\langle b_0,s_0,v_0\rangle,N,\neg\psi)$,
• CHECK$(E,s_0,k,\psi)$, and
• REACH$(E,\langle b_1,s_1,v_1\rangle,\langle b_0,s_0,v_0\rangle,N,\neg\psi)$.

CHECK$(E,s,k,\psi)$: Universally,
• for each $q_{K_i\psi'}$ in $KProp_{\psi^*}$, if $q_{K_i\psi'}\in k$ then call KCHECK$(E,s,K_i\psi')$ else call $\neg$KCHECK$(E,s,K_i\psi')$;
• for each $q_{C_G\psi'}$ in $KProp_{\psi^*}$, if $q_{C_G\psi'}\in k$ then call CKCHECK$(E,s,C_G\psi')$ else call $\neg$CKCHECK$(E,s,C_G\psi')$.

KCHECK$(E,s,K_i\psi)$: Universally, for each $s'\in S'$ where $O'_i(s) = O'_i(s')$, call $\neg$FALSIFY$(E,s',\psi)$.

CKCHECK$(E,s,C_G\psi)$: Universally, for each $s'\in S'$: (1) verify⁵ there is a sequence $s = s_0,\ldots,s_k = s'$ with $k\le|S'|$ and for each $j<k$ there is an $i\in G$ such that $O'_i(s_j) = O'_i(s_{j+1})$; (2) call $\neg$FALSIFY$(E,s',\psi)$.

REACH$(E,\langle b_0,s_0,v_0\rangle,\langle b_1,s_1,v_1\rangle,N,\psi)$: Accept if $\langle b_0,s_0,v_0\rangle = \langle b_1,s_1,v_1\rangle$. Otherwise, if $N = 0$, existentially guess $k\subseteq KProp_{\psi^*}$, then universally verify that $\langle b_0,s_0,v_0\rangle\Rightarrow_k\langle b_1,s_1,v_1\rangle$ and call CHECK$(E,s_0,k,\psi)$. If $N>0$, existentially guess a state $\langle b_2,s_2,v_2\rangle$ of $E'\times M_{\psi^*}$, then universally call:
• REACH$(E,\langle b_0,s_0,v_0\rangle,\langle b_2,s_2,v_2\rangle,N-1,\psi)$ and
• REACH$(E,\langle b_2,s_2,v_2\rangle,\langle b_1,s_1,v_1\rangle,N-1,\psi)$.

⁵ In general, this may require another Savitch-style search. In fact, in our applications, $k\le|S|^2$, i.e., the square of
An analysis of the complexity of the algorithm scheme yields the following.
Theorem 11. Let $v$ be a view, and $\mathcal{C}$ be a class of environments such that for each environment $E\in\mathcal{C}$ there exists an environment $E'$ with states that can be represented in space $f(|E|)$ and components that can be verified in ATIME$(g(|E|))$, such that there is a bisimulation $\sigma$ from $E^v$ to $E'$. Then $\{(E,\varphi)\in\mathcal{C}\times L_{\{\bigcirc,U,K_1,\ldots,K_n,C\}}\mid E\models_v\varphi\}$ is in ATIME$(p(f(|E|),g(|E|),|\varphi|))$ for some polynomial $p$.
Proof. Correctness of the alternating procedure is a straightforward combination of the correctness arguments for Büchi automaton emptiness checking, Savitch-style search and the definition of $\models^*$.
For the complexity analysis, note that the number $N$ used in FALSIFY$(E,s,\psi)$ is $O(f(|E|)+|\psi|)$. The routine FALSIFY$(E,s,\psi)$ generates a computation tree in which the longest branch is $O(f(|E|)+|\psi|)$ (for the existential choice) plus the maximum of $O(g(|E|))$ (for the verification of the guessed components) and the longest branch for REACH$(E,w,w',N,\psi)$. Note REACH$(E,w,w',n,\psi)$ calls CHECK() only when $n = 0$, and each recursion before then adds time $O(f(|E|)+|\psi|)$ to construct the guess for the recursive call. Hence REACH$(E,w,w',N,\psi)$ runs in alternating time $O((f(|E|)+|\psi|)^2)$ plus the time required for the call to CHECK$(E,s,k,\psi)$ once $n = 0$. The largest cost in the latter is the calls to CKCHECK$(E,s,C_G\psi')$, which add another $O((f(|E|)+|\psi|)^2)$ alternating time steps before calling FALSIFY$(E,s,\psi')$, with $\psi'$ of lower knowledge depth than $\psi$. Thus, if $T(E,h)$ is the alternating time required by FALSIFY$(E,s,\psi)$ for formulas $\psi$ with $|\psi|\le h$, we have the recurrence $T(E,h) = O((f(|E|)+h)^2+g(|E|)) + T(E,h-1)$, hence $T(E,h) = O(h\cdot((f(|E|)+h)^2+g(|E|)))$. This yields the result.
We remark that since the procedure REACH has an alternation before the recursive call, the number of alternations is also polynomial in $|E|$. Theorem 5 can be understood as asserting that this is inherently so.
In the following sections, we apply Theorem 11 to obtain complexity bounds for model checking the logic of knowledge and linear time in a number of cases. In each case, we identify an appropriate environment $E'$ where the states can be represented and verified in polynomial space and time, respectively, hence the complexity of the alternating procedure is APTIME. By (Chandra et al. 1981), this is equivalent to PSPACE. The environments $E'$ and the bisimulations we use are extensions (by the addition of transition relations $\to'$) of similar structures that have been used elsewhere in the literature (van der Meyden 1996b) for another problem (existence of finite-state implementations of knowledge-based programs).