Model-Checking Iterated Games
Chung-Hao Huang 1
Sven Schewe 2
Farn Wang 1,3
1: Graduate Institute of Electronic Engineering, National Taiwan University
2: Department of Computer Sciences, University of Liverpool
3: Department of Electrical Engineering, National Taiwan University
Abstract. We propose a logic for the definition of the collaborative power of groups of agents to enforce different temporal objectives. The resulting temporal cooperation logic (TCL) extends ATL by allowing for successive definition of strategies for agents and agencies. Different to previous logics with similar aims, our extension cuts a fine line between extending the power and maintaining a low complexity: model-checking TCL sentences is EXPTIME complete in the logic, and fixed parameter tractable for specifications of bounded size. This advancement over non-elementary logics is bought by disallowing a too close entanglement between cooperation and competition. We show how allowing such an entanglement immediately leads to a non-elementary complexity. We have implemented a model-checker for the logic and shown the feasibility of model-checking on a few benchmarks.
1 Introduction
While the verification of traditional linear and branching time logics like LTL, CTL, and CTL* [17,8] has been reduced to (repeated) reachability [11,13], the satisfiability checking and synthesis problem has been tightly linked with game theory ever since the seminal works of Büchi and Landweber [5,4]. With the introduction of alternating time logic (ATL) by Alur, Henzinger, and Kupferman [1] and in automata based μ-calculus model-checking (e.g., [22]), games have entered into the verification of the correctness of reactive systems. With game theoretic challenges moving into the focus of researchers who study the specification and design of reactive systems, traditional problems of multi-player games are replacing the former distinction between an adversarial environment and a supportive system. Instead, we have groups of players that cooperate on some objectives while competing on others.
For particular properties, the intuition that some players represent the system while other players represent the environment is, however, still useful. Following this intuition, the system wins the game in an execution (or a play in the jargon of game theory) if the system specification is fulfilled along it, and it wins the game if it can force a winning play. System design as a whole for specifications in game logics can rather be compared to designing a game board and to show that the respective group of players (or: agency) has the coalition power required by the system specification.
* The research was supported by the National Science Council grant 97-2221-E-002-129-MY3
ATL*, the alternating μ-calculus (AMC), and game logic (GL) [1], strategy logics [7,9,15,14], coordination logic [10], stochastic game logic [3], and basic strategy interaction logic (BSIL) [21] for the specification of the interplay in open systems. Each language also comes with a verification algorithm that determines whether a winning strategy for the system exists. However, there is a gap between the available techniques and the scalability required for industrial applications. Frankly speaking, none of the languages above represents, in our view, a proper combination of expressiveness for close interaction among agent strategies and efficiency for the verification or refutation of compliance with a specification. On one hand, logics like ATL, ATL*, AMC, and GL [1] allow us to specify the collaborative power of groups of players to enforce a common objective. This falls short from specifying even the simple properties in a typical game. For example, it was shown in [21] that ATL, ATL*, AMC, and GL [1] cannot express that the same strategy of a banking system must allow the clients both, to withdraw and to deposit money: a strategy quantifier in these logics always refers to the strategies of all agents, whereas this property requires to bind first the strategy of the bank, and then refer to different strategies of the clients. This is arguably a severe restriction when reasoning about real-world problems.
To solve the expressiveness problem in the above example, strategy logics (SL) were proposed in [3,7,15,14]. They allow for the flexible quantification over strategies in logic formulas. However, their verification complexity is prohibitively high and has inhibited practical application.
A previous attempt to tame the complexity of strategy interaction [21], on the other hand, results in a full temporalisation. This leads to severe restrictions in the entanglement between temporal operators and strategy binding and thus prevents, for example, reasoning about Nash equilibria.
We thus propose to adapt the logic introduced in [21] to a new temporal logic called temporal cooperation logic (TCL) for this purpose. Let us introduce TCL informally on a game among three prisoners.
Example: Iterated Prisoners' Dilemma. Inspired by the famous prisoners' dilemma, we consider a model where three suspects, who are initially in custody, are interrogated. In our simplified version, they play in turns (rather than concurrently), and have the choices to either admit or deny the charges made against them. If all deny, they will be released based on lack of evidence.
However, a suspect may decide to collaborate with the police and betray her peers. A sole collaborator will be acquitted as a crown witness, while her peers will be sentenced. But if two or more suspects collaborate with the police, all will be sentenced.
In an iterated prisoners' dilemma, the interplay can continue up to an unbounded number of times. Such a game is very useful in modelling collaboration and competition in networks. For example, a strategy in prisoners' dilemma is nice if it does not suggest betrayal initially and only suggests betrayal if, in the previous round, another prisoner betrayed [2]. The following TCL sentence states that Prisoner 1 has a nice strategy.
h1i((h+i:betray
1 )_
W
a6=1
betray
a
to achieve her temporal goal. ⟨+⟩ is a strategy interaction quantifier (SIQ) that inherits the strategy from its parent formula. Proposition betray_i is an atomic proposition for the betrayal of prisoner i at the present state. Similarly, we can reflect more involved strategies, such as `Prisoner 2 will always betray when she does not have the power to force Player 1 to always play nice.'
h2i((h+ibetray
2
)_h+i((h+i:betray
1 )_
W
a6=1
betray
a
)) (B)
Similar properties can be used to specify forgiving or other related strategies [2]. A forgiving strategy of Prisoner 1 is reflected by the following TCL property.
h1i((h+i:betray
1 )^
W
a6=1
betray
a
) (C)
We can also reason about the existence of Prisoner 2's strategy that avoids betrayal if Prisoner 1 can be unforgiving under this strategy.
h2i((h+i:betray
2
)_h+1i((h+i:betray
1 )^
W
a6=1
betray
a
)) (D)
As can be seen, properties like (B) and (D) are relevant in network environments where plays can be extended round by round without termination. Every agent may track each others' records to decide whether or not to cooperate. Such a property cannot be expressed in ATL*, GL, AMC, or BSIL. While it can be expressed with SL, the verification complexity of SL is prohibitive.
In [21], SIQs can neither override nor revoke strategies assigned by the SQ or SIQs in whose scope they are. Consequently, BSIL cannot express deterministic Nash equilibria. To overcome this restriction, we introduce a strategy reset operator that revokes previous strategy assignments.
Let jail_a be a proposition, which states that Prisoner a is in jail. In TCL,
h1;2;3i V
a2[1;3℄
(h+;i:jail
a
)_h aijail
a
(E)
requires that the three agents can cooperate such that every agent either eventually leaves prison, or stays forever in prison regardless of her own strategy under the current strategies of the remaining prisoners. The SIQ ⟨−a⟩ revokes the binding of agent a to her strategy.
In this work, we establish that TCL is incomparable with ATL*, GL, and AMC in expressiveness. Although the strategy logics proposed in [3,7,9,15] subsume TCL with their flexible quantification of strategies and binding to strategy variables, their model-checking complexities are all doubly exponential time hard. In contrast, TCL enjoys an EXPTIME-complete model-checking complexity and fixed parameter tractability when using the length of the formula as parameter, as well as 2EXPTIME completeness of the TCL satisfiability problem for turn-based game graphs. TCL thus provides a better balance between expressiveness and complexity/efficiency considerations than ATL*, GL [1], and SL [7,15,14]. Given the expressive power as exemplified by the specifications from above, TCL can be viewed as an expressive yet inexpensive subclass of SL [15,14].
Fig. 1. A turn-based game graph. [Figure not recovered; its legend assigns one node shape to Agent 1 and the other to Agent 2.]
Organisation of the Paper. Section 2 explains turn-based game graphs for the description of multi-agent systems and presents the syntax and semantics of TCL. Section 3 discusses the expressiveness of TCL, establishing that CTL, ATL, LTL, and CTL* can be viewed as syntactic fragments of TCL. We show that TCL is more expressive than any of these logics while incomparable with ATL*, AMC, and GL [1] in expressiveness, and discuss the effect of a mild extension of TCL. In the following sections, we develop an automata based model-checking algorithm and establish the EXPTIME-completeness and 2EXPTIME-completeness of the TCL model-checking and satisfiability problem, respectively. Finally, we have implemented a model-checker and validated the feasibility of using TCL on a set of benchmarks.
2 System Models and TCL
2.1 Turn-based game graphs
A turn-based game is played by a finite number m of agents, indexed 1 through m. A game is a tuple G = ⟨m, Q, r, ω, P, , E⟩, where
Parameter m is the number of agents in the game.
Q is the set of states and r ∈ Q is the initial state (or root) of G.
ω : Q ↦ [1,m] is a function that specifies the owner of each state. Only the owner of a state makes choices at the state.
P is a finite set of atomic propositions.
: Q ↦ 2^P is a proposition labelling function.
E ⊆ Q × Q is the set of transitions.
For ease of notation, we denote with Q_a = {q ∈ Q | ω(q) = a} the states owned by an agent a.
In Figure 1, we have the graphical representation of a turn-based game graph. The ovals and squares represent states while the arcs represent state transitions. We also put down the values inside the corresponding states.
For convenience, in the remaining part of the manuscript, we assume that we are always in the context of a given game graph G = ⟨m, Q, r, ω, P, , E⟩. Thus, when we write Q, r, ω, P, , and E, we respectively refer to the components Q, r, ω, P, , and E of this G.
Aplayisaninnitepathq
0 q
1
:::inGsuhthat,foreveryk2N,(q
k ;q
k +1 )2E.
isinitialifq
0
=r.Foreveryk0,welet(k)denoteq
k
.Also,givenhk,welet
aplayprex = q
0 q
1 :::q
n
,jj = n+1denotesthelengthoftheprex.Givena
k2 [0;jj 1℄,welet(k)=q
k
.Foronveniene,weuselast()todenotethelast
statein,i.e.,(jj 1).
Foranagenta2[1;m℄,astrategy foraisafuntionfromQ
Q
a
toQsuhthat
forevery2Q
Q
a
,()2Qwith last();()
2E.
An agency A of [1,m] is a subset of [1,m]. In a shorthand notation, we often drop the curly brackets in the set notation, in particular for singleton and empty sets. For example, 1,3,4 is a shorthand for {1,3,4}.
Aplayisompatiblewithastrategy
a
ofanagenta2[1;m℄iff,foreveryk2N,
!((k))=aimplies(k+1)=([0::k℄).
2.2 TCL Syntax
A TCL formula is constructed with the following three syntax rules.
::=pj:
1 j 1 _ 2 jhAi
::=jj
1 _ 2 j 1 ^ 2 jh+Ai 1 jh+Ai 1 jh+Ai 1 U 1 jh+Ai 1 R 1
j h Ai
1
jh Ai
1
jh Ai
1 U
1
jh Ai
1 R
1
::=j
1 _ 2 j 1 ^ 2 jh+i 1 jh+i 1 U 2 jh+i 1 R 2
j h Ai
1
jh Ai
1 U
2
jh Ai
1 R
2
Here, p is an atomic proposition in P and A ⊆ {1,…,m} is an agency. Property ⟨A⟩ 1 is an (existential) strategy quantification (SQ) specifying that there exist strategies of the agents in A that make all plays consistent with these strategies satisfy 1. Property ⟨+A⟩ 1 is an (existential) strategy interaction quantification (SIQ) and can only occur bound by an SQ. Intuitively, ⟨+A⟩ 1 means that there exist strategies of the agents in A that work with the strategies introduced by the ancestor formulas. Likewise, ⟨−A⟩ indicates a revocation of the strategy binding for the agents in A. ⟨+⟩ is an abbreviation for ⟨+∅⟩ or, equivalently, ⟨−∅⟩. Thus, it neither binds nor revokes the binding of the strategy of any agent. Yet, it provides a temporalisation in that it provides a tree formula that can be interpreted at a particular point.
`U' is the until operator. The property 1 U 2 specifies a play along which 1 is true until 2 becomes true. Moreover, along the play, 2 must eventually be fulfilled. `R' is the release operator. Property 1 R 2 specifies a play along which either 2 is always true or 2 U ( 1 ∧ 2 ) is satisfied. (Release is dual to until: ¬( 1 U 2 ) ⇔ ¬ 2 R ¬ 1.)
In the following we may use ⟨?A⟩ to conveniently denote an SQ or SIQ formula where `?' is empty, `+', or `-'. An SIQ ⟨A⟩ is called non-trivial if A is not empty, and trivial otherwise.
Formulas are called TCL formulas, sentences, or state formulas. Formulas and are called tree formulas. Note that we strictly require that non-trivial strategy interaction cannot cross path modal operators. This restriction is important because it offers a sufficient level of locality to efficiently model-check a system against a TCL property. To illustrate this and to provide a simple extension that offers more expressive power to the cost of a much higher complexity, we informally discuss a small extension, extended
used to encode ATL*, and the realisability problem of prenex QPTL can be reduced to ETCL model-checking.
For convenience, we also have the following shorthand notations.
truep_(:p) false:true
1 ^
2
:((:
1 )_(:
2
))
1
)
2
(:
1 )_
2
1
trueU
1
1
falseR
1
:
1
:
1
hAi
1
hAih+i
1
hAi
1 U
2
hAih+i
1 U
2
hAi
1 R
2
hAih+i
1 R
2
In general, it would also be nice to have the universal SQs and SIQs as duals of existential SQs and SIQs, respectively. Couldn't we add, or encode by pushing negations to state formulas, a property of the form [+A] 1, meaning that, for all strategies of agency A, 1 will be fulfilled? In principle, this is indeed no problem, and extending the semantics would be simple. This logic would be equivalent to allowing for negations in the production rule of . The problem with this logic is that it is too succinct. We will briefly discuss in the following section that model-checking becomes non-elementary if we allow for such negations.
From now on, we assume that we are always in the context of a given TCL sentence .
2.3 TCL Semantics
In order to prepare the definition of a semantics for TCL formulas, we start with the definition of a semantics for sentences of the form ⟨A⟩ , where does not contain any SQs. We call these formulas primitive TCL formulas.
Due to the design of TCL, strategy bindings can only effectively happen at non-trivial SQs ⟨A⟩ and when a non-trivial SIQ ⟨+B⟩ is interpreted. To ease referring to these strategies, we first define the bound agency of a subformulas of a TCL sentence , denoted bnd(), as follows.
Forstateformulas,bnd()=;.
ForstateformulashAi ,bnd( )=A(unless isastateformula).
Fortreeformulas
1
=h+Ai
2 ,bnd(
2
)=bnd(
1 )[A.
Fortreeformulas
1
=h Ai
2 ,bnd(
2
)=bnd(
1 )rA.
Forallothertreeformulas
1 or
2
with =
1 OP
2
,withOP2f^;_;U;Rg,
wehavebnd(
1
)=bnd( )orbnd(
2
)=bnd( ),respetively.
bnd shows which agents have strategies assigned to them by an SIQ or SQ. Note that this leaves the bnd undefined for all state formulas not in the scope of an SQ formula. For completeness, we could define bnd as empty in these cases, but a definition will not be required in the definition of the semantics.
As the introduction of additional strategies through non-trivial SIQ ⟨+B⟩ is governed by a positive Boolean combination, all strategy selections can be performed concurrently. Such a design leads us to the concept of strategy schemes.
A strategy scheme is the set of strategies introduced by any non-trivial SQ ⟨A⟩ or SIQ ⟨+A⟩. By abuse of notation, we use [ ,a] to identify such a strategy. Read in this way, can be viewed as a partial function from subformulas and their bound agencies
⟨2⟩q), the strategy used in by Agent 1 to enforce the whole formula can be referred to by [⟨1⟩((⟨+2⟩p) ∧ ⟨2⟩q); 1]; but also by [⟨+2⟩p; 1], while [⟨2⟩q; 1] is undefined.
We use a simple tree semantics for TCL formulas. A (computation) tree T_r is obtained by unravelling G from r and expanding the ownership and labelling functions from G to T_r in the natural way. Technically, we have the following definition.
Denition:ComputationTree. AomputationtreeforaturnbasedgameGfroma
stateq,denotedT
q
,isthesmallestsetofplayprexesthatontainsqand,forall2T
and(last();q 0
)2E,q 0
2T.
Thestrategy-prunedtreeforatreenode,astrategysheme,andasubformula
1
offromastateq,insymbolsT
q h;;
1
i,isthesmallestsubsetofT
q suhthat: 2T q h;; 1 i; forall 0 2 T q h;; 1
i with! (last( 0 ) = 2 bnd( 1
)and(last( 0
);q 0
) 2 E,
0 q 0 2T q h;; 1 i; forall 0 2 T q h;; 1
i, a = ! (last ( 0
)
,and q 0
= [
1 ;a℄(
0
)with a 2
bnd( 1 ), 0 q 0 2T q h;; 1 i.
Given aomputationtreeorastrategy-prunedtreeT anda node 2 T,forevery
q2T,wesaythatqisasuessorofinT.AplayisalimitofT (oraninnite
pathinT),insymbols 1
2T,ifthereareinnitelymanyprexesofinT.
WenowdenethesemantisofsubformulasofprimitiveTCLformulasindutively
as follows.Given theomputationtreeT
q
ofG,atree node 2 T
q
,andastrategy
sheme,wewriteT
q ;;j=
1
todenotethatT
q
satises
1
atnodewithstrategy
sheme.
While the notation might seem heavy on first glance, note that the truth for state formulas merely depends on the state last() in which they are interpreted, and the tree formulas are simply interpreted on a strategy pruned tree rooted in and defined by the strategy scheme.
ForstateformulasotherthanSQformulas,weusethestateformulasemantis:
T
q
;;j=iffG;last()j=,withtheusualdenition.
G;qj=pif,andonlyif,p2(q),
G;qj=:if,andonlyif,G;q6j=,
G;qj=
1 _
2
if,andonlyif,G;qj=
1
orG;qj=
2 ,and
G;qj=
1 ^
2
if,andonlyif,G;qj=
1
andG;qj=
2 .
(Notethatthisallowsforusingnegationforstateformulas.)
T
q
;;j=
1 _
2 iffT
q
;;j=
1 orT
q
;;j=
2 .(The
i
arenostateformulas.)
T
q
;;j=
1 ^
2 iffT
q
;;j=
1 andT
q
;;j=
2 hold.
T
q
;; j= hAi iff, forall suessorsq 0
of inT
q
h;;hAi
1 i, T q ;q 0
;j= holds.
T
q
;; j= hAi
1 U
2
iff, forall limits 1
2 T
q
h;;hAi
1 U
2
i,there is
ak jj 1suhthat T
q
;[0;k℄; j=
2
and,forall h 2 [jj 1;k 1℄,
T
q
;[0;h℄;j=
T
q
;; j= hAi
1 R
2
iff,foralllimits 2 T
q
h;;hAi
1 R
2
i,oneofthe
followingtworestritionsaresatised.
Forallkjj 1,T
q
;[0;k℄;j=
2 .
Thereisak jj 1suhthatT
q
;[0;k℄; j=
1 ^
2
,and,forallh 2
[jj 1;k℄,T
q
;[0;h℄;j=
2 .
T
q
;;j=hAi
1 iffT
q ;;j=
1 .
G;qj=hAi
1
iffthereisastrategyshemesuhthatT
q ;q;j=
1 .
If
1
isaTCLsentenethenwewriteGj=
1
forG;rj=
1 .
Note that, while asking for the existence of a strategy scheme refers to all strategies introduced by some SQ or SIQ in the TCL sentence, only the strategies introduced by the respective SQ and the SIQs in its scope are relevant.
The simplicity of the semantics is owed to the fact that it suffices to introduce new strategies at the points where eventualities become true for the first time. Thus, they do not really depend on the position in which they are invoked and we can guess them up-front. (Or, similarly, together with the points on the unravelling where they are invoked.) This is possible, simply because the validity of state formulas (and hence of TCL sentences) cannot depend on the validity of the left hand side of an until (or the right hand side of a release) after the first time it has been satisfied.
3 Expressiveness of TCL
Note that TCL is not a superclass of BSIL since BSIL allows for negation in front of SIQs while TCL does not. However, by examining the proofs in [21] for the inexpressibility of BSIL properties by ATL*, GL, and AMC, we find that the BSIL sentence used in the proofs is also a TCL sentence. This leads to the conclusion that there are properties expressible in TCL that cannot be expressed in ATL*, GL, and AMC.
Lemma 1. There are TCL sentences that cannot be expressed in any of ATL*, GL, or AMC.
TCL is, in fact, not only a powerful logic, but also contains important logics either as syntactical fragments or can embed them in a straightforward way. ATL and CTL can be viewed as syntactic fragments of TCL.
But it is also simple to embed LTL and even CTL*. We start with ∃LTL, the less used variant where one is content if one path satisfies the formula. We then translate an LTL formula , which we assume w.l.o.g. to be in negative normal form (negations only in front of atomic propositions). Then there is a path that satisfies is equivalent to ⟨1,…,m⟩ b, where b is derived from by replacing every occurrence of , U, and R by ⟨+⟩, ⟨+⟩U, and ⟨+⟩R, respectively. The simple translation is possible because the formula b is de-facto interpreted over a path, the path formed by the joint strategy of the agency [1,m]. The ⟨+⟩ operators we have added have no effect on the semantics in such a case, just as a CTL formula can be interpreted as the LTL formula obtained by deleting all path quantifiers when interpreted over a word.
Consequently, we have the expected semantics for ∀LTL: all paths satisfy is equivalent to ¬⟨A⟩ ¬, where ¬ is assumed to be re-written in negative normal form.
The encoding of ∃LTL and ∀LTL can easily be extended to the encoding of CTL
Fig. 2. The turn-based game graph from the non-elementary hardness proof of extended TCL. [Figure not recovered; surviving node labels: 2, 3, 4, 5, …, n.]
Lemma 2. TCL is more expressive than CTL* and LTL.
This encoding does not extend to ATL*. ⟨1⟩((p) ∨ q) is an ATL* property that cannot be expressed with TCL.
This is different from the ATL property (⟨1⟩p) ∨ ⟨1⟩q or the TCL property ⟨1⟩((⟨+⟩p) ∨ ⟨+⟩q). In fact, the proofs and examples in [21] can also be applied in this work to show that there are properties of ATL* (or GL, or AMC) that cannot be expressed with TCL. This leads to the following lemma.
Lemma 3. TCL is incomparable in expressiveness with ATL*, GL, and AMC.
Note, however, that allowing for a negation in the definition of would change the situation. Then an ATL* formula ⟨A⟩ (assuming for the sake of simplicity that is an LTL formula), would become ⟨A⟩¬⟨+[1,m] ∖ A⟩ ¬ in the extended version of TCL. The translation extends to full ATL*, but this example also demonstrates why negation is banned: even without nesting, we can, by encoding ATL*, encode a 2EXPTIME complete model-checking problem, losing the appealing tractability of our logic.
In fact, it is easy to reduce the realisability problem of prenex QPTL, and hence a non-elementary problem, to the model-checking problem of extended TCL. Using the game structure from Figure 2, we can encode the realisability of a prenex QPTL formula with n-1 variables, for simplicity of the form ∀p_2 ∃p_3 ∀p_4 … ∃p_n , where p_2,…,p_n are all propositions occurring in . We reduce this to model-checking the formula
0
=h1i:h+2i:h+3i:h+4i:::::h+ni(
^h+ip
1 );
where
anbeobtainedfrom b
byreplaing
everyliteralp
i
byh 1ih+1i(p
i
^h+ip
i ),and
everyliteral:p
i
byh 1ih+1i(p
i
^h+i:p
i ).
These formulas are technically not extended TCL formulas as ⟨+i⟩ 1 is not part of the production rule of , but ⟨+i⟩ 1 can be used as an abbreviation for ⟨+i⟩ false U 1.
Checking satisfiability of is equivalent to model-checking 0 on the game shown in Figure 2. The game has n+1 nodes, agents, and atomic propositions. The nodes in Figure 2 are labeled with the agent that owns the nodes, and the atomic proposition p_i is true exactly in node i. From his state, Agent 1 can move to any other state, while all other agents can either stay in their state or return to the state owned by Agent 1.
The game starts in the node owned by Agent 1, and in order to comply with the specification, the outermost strategy profile chosen by Agent 1 must be to stay in the initial state forever.
is chosen to align the truth of p_i at position j ∈ N with the decision that Agent i makes on the history 1^j i: true corresponds to staying in i and false with returning to 1.
Fig. 3. The turn-based game graph from the EXPTIME hardness proof. [Figure not recovered; surviving node labels: r, f_1, t_1, f_2, t_2, f_3, t_3, …, f_{h+k}, t_{h+k}.]
4 Complexity of TCL
In this section, we show that model-checking TCL formulas is EXPTIME-complete in the formula and P-complete in the model (and for fixed formulas), while the satisfiability problem is 2EXPTIME-complete. As the proof of inclusion of the satisfiability problem in 2EXPTIME builds on the proof of the inclusion of model-checking in EXPTIME, we start with an outline of the EXPTIME hardness argument for the TCL model-checking problem and then continue with describing EXPTIME and 2EXPTIME decision procedures for the TCL model and satisfiability checking problem, respectively. 2EXPTIME hardness for TCL satisfiability is implied by the inclusion of CTL* as a de-facto sub-language [20].
We show EXPTIME hardness by a reduction from the PEEK-G_6 [19] game. An instance of PEEK-G_6 consists of two disjoint sets of boolean variables, P_1 = {p_1,…,p_h} (owned by a safety agent) and P_2 = {p_{h+1},…,p_{h+k}} (owned by a reachability agent), a subset I ⊆ P_1 ∪ P_2 of them that are initially true, and a boolean formula in CNF over P_1 ∪ P_2 that the reachability agent wants to become true eventually. The game is played in turns between the safety and the reachability agent (say, with the safety agent moving first), and each player can change the truth value of one of his or her variables in his/her turn.
Lemma 4. TCL model-checking is EXPTIME hard for primitive TCL formulas.
Proof. To reduce determining the winner of an instance of a PEEK-G_6 game to TCL model-checking, we introduce a 2-agent game G = ⟨2, Q, r, ω, P, , E⟩ as shown in Figure 3, where Agent 1 (he, for convenience) represents the safety agent while Agent 2 (she, for convenience) represents the reachability agent. t_{h+k} and f_{h+k} are the only states owned by Agent 2.
The game is played in rounds, and a round starts each time the game is at state r. If the game goes through t_i this is identified with the variable p_i to be true. Likewise, going through f_i is identified with the variable being false.
It is simple to write a TCL specification that forces the safety player to toggle the value of exactly one of his variables in each round, and to toggle the value of the variable p_{h+i} of the reachability player defined by the state i she has previously moved to, while maintaining all other variable values. Requiring additionally that the safety agent can
game with only two agents suffices for the proof. Two agents are also sufficient to show P hardness for fixed formulas, as solving a reachability problem for AND-OR graphs [12] naturally reduces to showing ⟨1⟩p.
Lemma 5. TCL model-checking for fixed formulas is P hard for primitive TCL formulas.
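The game graph of Section 2.1 and the AND-OR reachability remark above can be made concrete on one round of the three-prisoner game from the introduction. The following is an added example, not code from the paper or its tool: it computes by the standard attractor fixpoint whether an agency can force a decided round with a given jail labelling, and re-checks the extracted strategy against all compatible plays. The state encoding, the `decided` label, the owner of decided states and all function names are assumptions of this example, and it covers only reachability objectives with memoryless strategies, not full TCL.

```python
from itertools import product

M = 3                                  # prisoners are agents 1..3
CHOICES = ("deny", "betray")

def verdict(q):
    """Jail labels for a decided round, following the rules in the introduction."""
    betrayers = [a for a, c in enumerate(q, start=1) if c == "betray"]
    if not betrayers:                  # all deny: released for lack of evidence
        return set()
    if len(betrayers) == 1:            # sole collaborator is acquitted
        return {f"jail_{a}" for a in range(1, M + 1) if a != betrayers[0]}
    return {f"jail_{a}" for a in range(1, M + 1)}   # two or more: all sentenced

def build_round():
    """Game graph (states, owner, label, succ); a state is the tuple of choices so far."""
    states = [q for k in range(M + 1) for q in product(CHOICES, repeat=k)]
    owner, label, succ = {}, {}, {}
    for q in states:
        if len(q) < M:                 # prisoner len(q)+1 moves next
            owner[q] = len(q) + 1
            label[q] = frozenset()
            succ[q] = [q + (c,) for c in CHOICES]
        else:                          # decided state: one move, back to the root
            owner[q] = 1               # assumption: owner is irrelevant here
            label[q] = frozenset(verdict(q) | {"decided"})
            succ[q] = [()]
    return states, owner, label, succ

def attractor(game, agency, target):
    """States from which `agency` can force a visit to `target`, plus a
    memoryless strategy (state -> chosen successor) for the agency's states."""
    states, owner, _, succ = game
    win, strategy = set(target), {}
    changed = True
    while changed:
        changed = False
        for q in states:
            if q in win:
                continue
            good = [s for s in succ[q] if s in win]
            if owner[q] in agency:
                ok = bool(good)                  # OR node: one good move suffices
            else:
                ok = len(good) == len(succ[q])   # AND node: every move must be good
            if ok:
                if owner[q] in agency:
                    strategy[q] = good[0]
                win.add(q)
                changed = True
    return win, strategy

def enforces(game, agency, strategy, target, start=()):
    """True iff every play from `start` compatible with `strategy` visits `target`."""
    _, owner, _, succ = game
    on_path, done = set(), set()

    def visit(q):
        if q in target or q in done:
            return True
        if q in on_path:               # a cycle that avoids the target
            return False
        on_path.add(q)
        if owner[q] in agency:
            ok = q in strategy and visit(strategy[q])
        else:
            ok = all(visit(s) for s in succ[q])
        on_path.discard(q)
        if ok:
            done.add(q)
        return ok

    return visit(start)

def can_force(game, agency, wanted):
    """Can `agency` force, from the root, a decided state whose label satisfies `wanted`?"""
    states, _, label, _ = game
    target = {q for q in states if "decided" in label[q] and wanted(label[q])}
    win, strategy = attractor(game, agency, target)
    return () in win and enforces(game, agency, strategy, target)

if __name__ == "__main__":
    g = build_round()
    print(can_force(g, {1}, lambda lab: {"jail_2", "jail_3"} <= lab))
    print(can_force(g, {1}, lambda lab: "jail_1" not in lab))
    print(can_force(g, {2, 3}, lambda lab: "jail_1" not in lab))
    print(can_force(g, {2, 3}, lambda lab: "jail_1" in lab))
```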
In order to establish inclusion in EXPTIME and P, respectively, we use an automata based argument.
Theorem 1. The model-checking problem of TCL formulas against turn-based game graphs is EXPTIME-complete, and P-complete for fixed formulas.
Proof. We first show the claim for primitive TCL formulas = ⟨A⟩ .
To keep the proof simple, we first consider a tree automaton U that checks the acceptance of for a given strategy scheme . That is, U checks if T q + , q, ⊨ under the assumption that both and the truth values for the subformulas starting with a ⟨B⟩ are encoded in the nodes of T q + .
Such an automaton would merely have to run simple consistency checks, and it is simple to construct a suitable universal weak tree automaton U, which is polynomial in the size of . From there it is simple to infer a deterministic Büchi tree automaton D, which is exponential in the weak universal tree automaton [16].
It is then a trivial step (projection) to guess and the truth annotation of the subformulas on the fly, turning the deterministic Büchi tree automaton D that requires a correct annotation into a nondeterministic Büchi automaton N of the same size that checks G, q ⊨ . Acceptance can be checked in time quadratic in the size of the product of N and G [6].
To take the step to full TCL, we can model-check the truth of primitive TCL formulas and then use the result of this model-checking instead of the respective subformula.
Hardness is inherited from Lemmata 4 and 5.
This argument shows more: the complexity of TCL model-checking for fixed formulas does not depend on the formula. It suffices to solve a number of Büchi games, where both the size of the game and the number of games to be played is linear in G.
Corollary 1. Viewing the size of a TCL sentence as a parameter, TCL model-checking is fixed parameter tractable.
The automata construction from the proof of Theorem 1 extends to a construction for satisfiability checking.
Theorem 2. The TCL satisfiability problem is 2EXPTIME-complete.
Proof. As usual, it is convenient to construct an enriched model that contains the truth of all subformulas for a TCL sentence that start with an SQ.
In a first step, we construct an alternating tree automaton A that recognises the
the truth assignment of each SQ is consistent. But this is simple, as we can use the tree automaton N 0 from the proof for Theorem 1 to validate the claim that a subformula 0 of that starts with an SQ is true, and its dual to validate that it is false. Hence, such an automaton has only two states more than the sum of the states of the individual N 0. In particular, it is exponential in .
For the resulting alternating automaton, we can again invoke the simulation theorem [16] to construct an equivalent nondeterministic parity automaton, which has doubly exponentially many states in (and whose transition table is doubly exponential in) and whose colours are exponential in . Solving the emptiness game of this automaton reduces to solving a parity game, which can be done in time doubly exponential in , e.g., using [18].
Hardness is inherited from CTL* satisfiability checking [20].
5 Implementation and Experiment
As a proof of concept, we have implemented a model-checker, tcl, in C++. tcl accepts models composed of extended automata that communicate with synchronisers and shared variables, with an explicit shared variable turn that specifies the turn of agents at a state. A turn-based game graph is then constructed as the product of the extended automata. Such an input format facilitates modular description of the interaction among the agents.
The implementation builds on a prototype for a PSPACE logic [21]. The extension is possible because we can reduce the complexity of TCL to PSPACE by simply restricting the number of operators in the production rules in the scope of any SQ to be logarithmic in the size of the TCL sentence. We show this for primitive TCL sentences.
Lemma 6. Model-checking can be done in space bilinear in the size of the turn based game structure and the state and tree formulas that are produced using the production rules and exponentially only in the number of produced tree formulas.
Proof. We have seen that, for a primitive TCL sentence, we can use a single strategy scheme and only have to refer to the first position that the right hand side of an until or the left hand side of a release operator is true. Moreover, it suffices to guess just a minimal set of positions where tree formulas are true. In particular, the left hand side of a release, the right hand side of an until, and a next formula are then marked true exactly once, and the respective release and until formulas never need to be marked as true after such an event.
We can therefore use an alternating algorithm that guesses such minimal truth claims. The algorithm alternates between a verifier who guesses a truth assignment and the current decisions of the strategy scheme, and a falsifier, who guesses the direction into which to expand the path.
It is now easy to see that they will produce an infinite path in this way, and on this path each obligation that refers to a tree subformula from a production rule can appear only on a continuous interval. The points where these obligations change is
by production rules, this also includes a marker that distinguishes a leading until, which is changed in a round robin fashion when the leading untility is fulfilled.)
The number of possible assignments is then exponential in the number of tree subformulas from production rules. Note that formulas can be exempt from this rule: they are monotonous and hence incur a small impact similar to the formulas introduced using the production rule.
Hence, if |G| denotes the size of the turn based game and k the number of temporal operators (different to ) introduced by production rules, we end up in a cycle if there is no change in the truth assignment temporal operators that are introduced by production rules or operators we reach a cycle within |G| k 2^k steps. Hence, we reach a cycle in a number of steps that is linear in |G| and the size of , and exponential only in the size of -produced temporal operators (different to ).
Upon reaching a cycle, it suffices to check if the cycle is accepting. (No standing obligation by an until.)
The model-checker uses a stack to explicitly enumerate all paths of all tree tops with depth prescribed by Lemma 6. The tool can be downloaded from Sourceforge at project REDLIB at: http://sourceforge.net/projects/redlib/.
We use the parametrised models of the iterated prisoners' dilemma as our benchmarks to check the performance of our implementation. A brief explanation of the models can be found in the introduction. The unique parameter to the models is the number of prisoners m. There is also a policeman in the models. We build a turn-based game graph for each value of m in the experiments. The parametrisation helps us to observe how our algorithm and implementation scale to model and formula sizes. To simplify the construction of the state-space representation, we assume that, in each iteration, the prisoners make their decisions in a fixed order. After all prisoners have made their decisions, the policeman makes his decision. Subsequently, the whole game moves to the next iteration. We use seven benchmark formulas on these models in our experiments. The first five benchmarks are taken from the examples (A) through (E) from the introduction. Benchmarks (F) and (G) are the following two properties, taken from [21].
Property (F) specifies that all prisoners except Prisoner 1 can collaborate to release Prisoner 1 and let Prisoner 1 decide their fate.
h2;:::;mi (h+i:jail
1 )^
V
i2f2;:::mg
(h+1i:jail
i
)^(h+1ijail
i
(F)
Property (G) specifies that Prisoner 1 has a strategy to put all other prisoners in jail while leaving her fate to them.
h1i ( V
i2f2;:::mg
h+ijail
i
)^(h2;:::;mi:jail
1
)^h2;:::;mijail
1
(G)
For these benchmarks, we have collected the performance data for various parameter values in Table 1. For small models, the memory usage is dominated by the normal overhead, such as the representation of variable tables, state-transition tables, formula structures, etc. The data shows that our prototype can handle the various benchmarks, and scales well on five of the seven benchmarks. Ignoring the overhead, it also shows the exponential growth. The models, however, are growing exponentially, too. We assume
properties      m = 2   3       4       5       6       7       8       9       10
(A) time        0.71s   0.94s   5.41s   66.3s   945s    >1000s
    memory      163M    165M    185M    350M    1307M
(B) time        0.50s   0.52s   0.61s   0.71s   1.11s   1.62s   5.77s   20.9s   68.1s
    memory      163M    163M    164M    165M    168M    176M    214M    270M    376M
(C) time        0.51s   0.51s   0.6s    0.82s   1.01s   1.81s   5.54s   18.2s   48.3s
    memory      163M    163M    164M    165M    168M    176M    200M    241M    318M
(D) time        0.5s    0.51s   0.57s   0.74s   1.01s   1.79s   7.41s   33.8s   141s
    memory      163M    163M    164M    165M    168M    175M    232M    312M    430M
(E) time        0.51s   0.66s   19.1s   >1000s
    memory      163M    164M    194M
(F) time        0.51s   0.53s   0.61s   0.71s   1.01s   1.70s   5.38s   15.2s   53.7s
    memory      163M    163M    163M    165M    168M    175M    202M    243M    295M
(G) time        0.52s   0.52s   0.65s   0.72s   1.03s   1.85s   4.86s   16.1s   93.5s
    memory      163M    163M    164M    165M    169M    177M    189M    208M    235M
s: seconds; M: megabytes.
The models are with 1 policeman and m prisoners. The experiment was carried out on an Intel i5 2.4G notebook with 2 cores and 4G memory, running ubuntu Linux version 11.10.
6 Conclusion
TCL is a promising logic for the specification of groups of agents who balance their strategies in order to cooperate with different partners to achieve different objectives. It is an inexpensive logic in many ways. First and foremost, it is fixed parameter tractable. Following folklore, specifications are tiny while models are huge. In this situation, fixed parameter tractability is a very important property, in particular as it is achieved by a natural and simple decision procedure, which is merely exponential in the formula.
This appealing property is not bought with inexpressiveness. In particular, the popular temporal logics LTL, CTL, ATL, and CTL* are contained as de-facto sublogics. Consequently, it can be excellently used to extend existing specifications in these languages, without the need to develop competitive models.
The applicability is underlined by compelling data from our benchmarks. This is in spite of the fact that our implementation is rather based on an ad hoc extension of an existing algorithm for a different logic, and neither fully exploits the low complexity, nor is a fully symbolic implementation. It will be interesting to see by which extent symbolic representation like BDDs will enhance the performance and how an automata based tool would fare.
References
1. R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. Journal of
24(1):3-25, 1980.
3. C. Baier, T. Brázdil, M. Größer, and A. Kučera. Stochastic game logic. In QEST, pages 227-236. IEEE Computer Society, 2007.
4. J. Büchi and L. Landweber. Definability in the monadic second-order theory of successor. Journal of Symbolic Logic, 34(2):166-170, 1969.
5. J. Büchi and L. Landweber. Solving sequential conditions by finite-state strategies. Trans. AMS, 138(4):295-311, 1969.
6. K. Chatterjee and M. Henzinger. An O(n^2) time algorithm for alternating Büchi games. In Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2012), Kyoto, Japan, January 17-19, 2012, pages 1386-1399. SIAM, 2012.
7. K. Chatterjee, T. A. Henzinger, and N. Piterman. Strategy logic. Information and Computation, 208:677-693, 2010.
8. E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Workshop on Logic of Programs, volume LNCS 131. Springer-Verlag, 1981.
9. A. D. Costa, F. Laroussinie, and N. Markey. Atl with strategy contexts: Expressiveness and model checking. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2010), volume 8 of Leibniz International Proceedings in Informatics (LIPIcs), pages 120-132. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2010.
10. B. Finkbeiner and S. Schewe. Coordination logic. In CSL, pages 305-319, 2010.
11. G. J. Holzmann. The model checker spin. IEEE Trans. Software Eng., 23(5), 1997.
12. N. Immerman. Number of quantifiers is better than number of tape cells. Journal of Computer and System Sciences, 22(3):65-72, 1981.
13. O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching-time model checking. Journal of ACM, 47(2):312-360, 2000.
14. F. Mogavero, A. Murano, G. Perelli, and M. Y. Vardi. What makes atl* decidable? a decidable fragment of strategy logic. In Concurrency theory (CONCUR 2012), volume LNCS 7454, pages 193-208. Springer-Verlag, 2012.
15. F. Mogavero, A. Murano, and M. Y. Vardi. Reasoning about strategies. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2010), LIPIcs 8, pages 133-144, 2010.
16. D. E. Muller and P. E. Schupp. Simulating alternating tree automata by nondeterministic automata: new results and new proofs of the theorems of Rabin, McNaughton and Safra. Theoretical Computer Science, 141(1-2):69-107, 1995.
17. A. Pnueli. The temporal logic of programs. In 18th annual IEEE-CS Symposium on Foundations of Computer Science, pages 45-57, 1977.
18. S. Schewe. Solving parity games in big steps. In Proceedings of the 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2007), 12-14 December, New Delhi, India, volume 4805 of Lecture Notes in Computer Science, pages 449-460. Springer-Verlag, 2007.
19. L. J. Stockmeyer and A. K. Chandra. Provably difficult combinatorial games. SIAM Journal on Computing (SICOMP), 8(2):151-174, 1979.
20. M. Vardi and L. Stockmeyer. Improved upper and lower bounds for modal logics of programs: Preliminary report. In Proceedings of the 17th Annual ACM Symposium on Theory of Computing (STOC'85), May 6-8, Providence, Rhode Island, USA, pages 240-251, 1985.
21. F. Wang, C.-H. Huang, and F. Yu. A temporal logic for the interaction of strategies. In 22nd Concurrency Theory (CONCUR), volume LNCS 6901. Springer-Verlag, Sept. 2011.
22. T. Wilke. Alternating tree automata, parity games, and modal μ-calculus. Bulletin of the