PCTL

PCTL (Probabilistic Computational Tree Logic) [HJ94] is a probabilistic extension of the

temporal logic CTL. It is essentially the same as the logic pCTL of [ASB+_{95]. The syntax}

of PCTL is as follows: φ ::= true  a  φ ∧ φ   ¬φ   P./ p[ψ] ψ ::= X φ  φ U≤k φ   φ U φ

where a is an atomic proposition, ./ ∈ {≤, <, ≥, >}, p ∈ [0, 1] and k ∈ IN. PCTL formulas are interpreted over a DTMC or an MDP. Note that each atomic proposition a must be taken from the set used to label the states of this DTMC or MDP.

In the syntax above we distinguish between state formulas φ and path formulas ψ,

which are evaluated over states and paths, respectively. A property of a model will

always be expressed as a state formula. Path formulas only occur as the parameter of the probabilistic path operator P./ p[ψ]. Intuitively, a state s satisfies P./ p[ψ] if the probability

of taking a path from s satisfying ψ is in the interval specified by ./ p.

As path formulas we allow the X (next ), U≤k (bounded until ) and U (until ) operators

which are standard in temporal logic. Intuitively, X φ is true if φ is satisfied in the next state; φ1 U≤k φ2 is true if φ2 is satisfied within k time-steps and φ1 is true up until that

point; and φ1 U φ2 is true if φ2 is satisfied at some point in the future and φ1 is true up

until then. In the following two sections, we formally define the semantics of PCTL over DTMCs and MDPs.

PCTL over DTMCs

For a DTMC (S, s, P, L), state s ∈ S and PCTL formula φ, we write s |= φ to indicate that φ is satisfied in s. Alternatively, we say that φ holds in s or is true in s. We denote by Sat (φ) the set {s ∈ S | s |= φ} of all states satisfying the formula φ. Similarly, for a path ω satisfying path formula ψ, we write ω |= ψ. We can now give the formal semantics of PCTL over DTMCs. For a path ω:

ω |= X φ ⇐⇒ ω(1) |= φ

ω |= φ1 U≤k φ2 ⇐⇒ ∃i ≤ k . (ω(i) |= φ2∧ ω(j) |= φ1 ∀j < i)

and for a state s ∈ S:

s |= true for all s ∈ S

s |= a ⇐⇒ a ∈ L(s)

s |= φ1∧ φ2 ⇐⇒ s |= φ1∧ s |= φ2

s |= ¬φ ⇐⇒ s 6|= φ

s |= P./ p[ψ] ⇐⇒ ps(ψ) ./ p

where ps(ψ) = Probs({ω ∈ Paths | ω |= ψ}). The probability Probs assigned to this set

of paths is as defined in Section 3.1.1 and is provably measurable for all possible PCTL path formulas (see e.g. [Var85]).

PCTL over MDPs

The semantics of path formulas remain the same for MDPs as for DTMCs. However, as we saw in Section 3.1.2, the probability of a set of paths in an MDP can only be computed

for a particular adversary. We denote by pA

s(ψ) the probability that a path from s satisfies

path formula ψ under adversary A, i.e. pA

s(ψ) = Prob

A

s({ω ∈ Path

A

s | ω |= ψ}). To give

the semantics of a PCTL formula P./ p[ψ], we choose a class of adversaries Adv (in this

thesis, either all possible adversaries or only the fair ones) and then quantify over this set. We say that a state s satisfies P./ p[ψ] if pAs(ψ) ./ p for all adversaries A ∈ Adv . Hence,

the satisfaction relation is now parameterised by a class of adversaries Adv :

s |=Advtrue for all s ∈ S

s |=Adva ⇐⇒ a ∈ L(s)

s |=Advφ1∧ φ2 ⇐⇒ s |=Advφ1∧ s |=Advφ2

s |=Adv¬φ ⇐⇒ s 6|=Advφ

s |=AdvP./ p[ψ] ⇐⇒ pAs(ψ) ./ p for all A ∈ Adv

Additional Operators

From the basic syntax of PCTL, given above, we can derive a number of additional useful operators. Among these are the well known logical equivalences:

false ≡ ¬true

φ1∨ φ2 ≡ ¬(¬φ1∧ ¬φ2)

φ1→ φ2 ≡ ¬φ1∨ φ2

We also allow path formulas to contain the ♦ (diamond) operator, which is common in temporal logic. Intuitively, ♦φ means that φ is eventually satisfied, and its bounded

variant ♦≤kφ means that φ is satisfied within k time units. These can be expressed in terms of the PCTL until and bounded until operators as follows:

♦φ ≡ true U φ

♦≤kφ ≡ true U≤k φ

When writing specifications for MDPs in PCTL, it may sometimes be useful to consider the existence of an adversary, rather than state that all adversaries satisfy some property. This can be done via translation to a dual property. For example, verifying that “there

exists an adversary A for which pA

s(φ1 U φ2) ≥ p” is equivalent to model checking the

PCTL formula ¬P<1−p[φ1 U φ2].

A perceived weakness of PCTL is that it is not possible to determine the actual prob- ability with which a certain path formula is satisfied, only whether or not the probability meets a particular bound. However, since the PCTL model checking algorithms proceed by computing the actual probability and then comparing it to the bound, this restriction

on the syntax can be relaxed. If the outermost operator of a PCTL formula is the P./ p

operator, we can omit the bound ./ p and simply compute the probability instead. Fur- thermore, it may be useful to extend this idea by, for example, computing the probability

that a path formula ♦≤kφ is satisfied for several values of k and then plotting a graph of

this information.

For completeness, we should also discuss the limitations of PCTL. There are some useful properties of DTMCs and MDPs which cannot be expressed in the logic. The types of path formula, for example, supported by PCTL are quite limited. This could be solved by using the logic LTL (linear time temporal logic) which allows more complex path formulas. For example, we could compute the probability of the set of paths satisfying the path formula ♦φ1∧ ♦φ2, i.e. those where both φ1 and φ2 are eventually satisfied (but not

necessarily at the same time). Note that this cannot be derived from the probabilities that

the individual path formulas ♦φ1and ♦φ2 are satisfied. We could add further expressivity

by using the logic PCTL* [ASB+95, BdA95] which subsumes both PCTL and LTL.

Unfortunately this expressivity comes at a cost of increased model checking complexity. The model checking algorithms for PCTL on both DTMCs [CY88, HJ94] and MDPs [CY90, BdA95] are polynomial in the size of the model and linear in the size of the

formula. Model checking for LTL and PCTL*, e.g. [Var85, CY88, ASB+_{95, BdA95, BK98],}

however, proceeds by translating the model to a larger one for a given property and is exponential in the size of the formula for DTMCs and at least doubly exponential in the size of the formula for MDPs.