Alternating-time temporal logics with linear past

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.1 (1-19)

Theoretical Computer Science ••• (••••) •••–•••

Contents lists available at ScienceDirect

Theoretical Computer Science www.elsevier.com/locate/tcs

Alternating-time temporal logics with linear past Laura Bozzelli, Aniello Murano, Loredana Sorrentino University of Naples Federico II, Italy

a r t i c l e

i n f o

Article history: Received 19 February 2019 Received in revised form 12 September 2019 Accepted 25 November 2019 Available online xxxx Keywords: Alternating-time temporal logic Multi-agent systems Formal verification Strategic reasoning Logics with past modalities

a b s t r a c t We investigate the succinctness gap between two known equally-expressive and different linear-past extensions of standard ATL∗ . We establish by formal non-trivial arguments that the ‘memoryful’ linear-past extension (the history leading to the current state is taken into account) can be exponentially more succinct than the standard ‘local’ linear-past extension (the history leading to the current state is forgotten). As a second contribution, we consider the ATL-like fragment, denoted ATLlp , of the known ‘memoryful’ linear-past extension of ATL∗ . We show that ATLlp is strictly more expressive than ATL, and interestingly, it can be exponentially more succinct than the more expressive logic ATL∗ . Moreover, we prove that both satisfiability and model-checking for the logic ATLlp are Exptime-complete. © 2019 Elsevier B.V. All rights reserved.

1. Introduction Temporal logics provide a fundamental framework for the description of the dynamic behavior of reactive systems. Additionally, they support the successful model-checking approach [1] that allow complex (finite-state) systems, usually modeled by propositional Kripke structures, to be verified automatically. The model-checking methodology considers three types of temporal logics which differ in the underlying nature of time: linear, branching, and alternating. In linear-time temporal logics such as standard LTL [2], formulas are interpreted over linear sequences (corresponding to single paths of the Kripke structure), and temporal operators are provided for describing the ordering of events along a single computation path. Branching-time temporal logics such as CTL [3] and CTL∗ [4], on the other hand, allow to reason about several possible futures: formulas are interpreted over states of a Kripke structure, hence referring to all the possible system computations. Such logics are in general more expressive than linear-time temporal logics since they provide both temporal operators for describing properties of a single path, and path quantifiers for describing the branching structure in computation trees (resulting from unwinding a Kripke structure from the initial state). Finally, alternating-time temporal logic such as ATL∗ and ATL [5], generalize the branching-time paradigm (useful for the verification of closed systems) to a strategic-reasoning paradigm suitable for the verification of open and multi-agent systems [6,5,7–14]. In this setting, different processes or components (the agents) can interact in an adversarial or cooperative manner in order to achieve given temporal goals. The interaction among agents is usually modeled by concurrent game structures [5] (CGS, for short), a generalization of Kripke structures, where each transition results from a set of decisions, one for each agent. In particular, the logic ATL∗ , which is interpreted over CGS, is an extension of CTL∗ obtained by replacing path quantifiers with more general quantifiers  A  parameterized by a set A of agents which express selective quantification over those paths (from the current state) that are obtained as outcomes of the infinite game between the coalition A and the rest of the agents.

E-mail addresses: [email protected] (L. Bozzelli), [email protected] (A. Murano), [email protected] (L. Sorrentino). https://doi.org/10.1016/j.tcs.2019.11.028 0304-3975/© 2019 Elsevier B.V. All rights reserved.

JID:TCS AID:12283 /FLA

2

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.2 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

Linear past in temporal logics. Standard temporal logics such as LTL, CTL∗ , and ATL∗ do not have explicit mechanisms to refer to the past of the current time. On the other hand, it is well-known that temporal logics which combine both past and future temporal modalities make specifications easier to write and more natural. In particular, the past extension LTL p of standard LTL does not increase the complexity of model-checking and satisfiability-checking [15], and at the same time, turns out to be exponentially more succinct than LTL[16]. For branching-time temporal logics, the adding of past-time constructs has been investigated in many papers [17–25]. Usually, the past is assumed to be finite (since program computations have a definite starting time) and cumulative (i.e., the history of the current situation increases with time and is never forgotten). Moreover, one can adopt either a branching-past approach (past and future are handled uniformly) or a linear-past approach. Here, we focus on known linear-past extensions of CTL∗ and its alternating-time counterpart ATL∗ , which are syntactically obtained by adding the past versions of the standard LTL temporal modalities. The simplest linear-past extension of CTL∗ is the logic PCTL∗ [19], where the semantics of path quantification is the same as for CTL∗ : path quantification ranges over paths that start in the current node of the computation tree. Hence, the history (computation) from the rootnode (starting time) to the current node is forgotten (local linear-past view). A similar local linear-past extension, denoted PATL∗ , can be considered for the logic ATL∗ , where the linear-time temporal goals, arguments of the strategy quantifiers, are evaluated along the outcomes of the selected strategy starting from the current node. A more interesting and meaningful ∗ [20,21], where path quantification is ‘memoryful’, i.e., it ranges over paths linear-past extension of CTL∗ is the logic CTLlp ∗ , here that start at the root and visit the current node (memoryful linear-past view). The ATL∗ counterpart of the logic CTLlp ∗ , has been investigated in [14] (see also [26]), where the temporal goals are evaluated at the current time denoted by ATLlp of the paths obtained by prefixing the outcomes of the selected strategy with the history leading to the current node. The usefulness of memoryful linear-past has been illustrated in [21,14]: for example, one can require that a condition is satisfied only if a precondition holds along the whole past computation. In strategic reasoning, as argued in [14], memoryful linear-past enables relentful reasoning (agents can relent and change their goals depending on the history) which can be applied to relevant scenarios such as strong cyclic planning and bounded verification. Also, memoryful linear-past turns out to be useful in the context of causality and blame [27], which involve a sort of backward-looking for responsibility [28]. For example it may be useful in case one wants to blame a group of agents for some outcomes that result from their negligent behavior [29]. Satisfiability and model-checking of the mentioned linear-past extensions of CTL∗ (resp., ATL∗ ) have the same com∗ which is Expspace-complete [21], hence, plexity as CTL∗ (resp., ATL∗ ) with the exception of model-checking against CTLlp ∗ exponentially harder than CTL model-checking (the latter being Pspace-complete [4]). ∗ have the same expressiveness as CTL∗ [21] and there are translations Our contribution. It is known that PCTL∗ and CTLlp ∗ ∗ ∗ from PCTL and CTLlp into CTL of non-elementary complexity [21] based on the separation theorem for LTL p [30]. On ∗ exponentially more succinct than CTL∗ . the other hand, the ability to refer to the past makes both PCTL∗ and CTLlp ∗ ∗ Analogous results hold for the logics PATL and ATLlp when compared to ATL∗ [14]. On the other hand, no succinctness ∗ (resp., ATL∗ ) and the ‘local’ past view in PCTL∗ (resp., PATL∗ ). gap is known between the ‘memoryful’ past view in CTLlp lp ∗ (resp., ATL∗ ) can be Our first contribution addresses this issue: we establish by formal non-trivial arguments that CTLlp lp exponentially more succinct than PCTL∗ (PATL∗ ). The logics CTL [4] and ATL [5] are well-known syntactical fragments of CTL∗ and ATL∗ which have received a lot of attention due to the existence of polynomial-time algorithms which solve the associated model-checking problem. As a second ∗ which, to the best of our knowledge, has not been considcontribution, we investigate the ATL-like fragment ATLlp of ATLlp ered so far in the literature. In fact, a past perfect recall extension of ATL with a semantics equivalent to that of ATLlp has been studied in [31] under an incomplete information setting, and in particular, for such a setting, a model-checking algorithm of non-elementary complexity is provided [31]. We show that ATLlp is strictly more expressive than ATL, and interestingly, and perhaps surprisingly, it can be exponentially more succinct than the more expressive logic ATL∗ . Moreover, we establish that both satisfiability and model-checking for the logic ATLlp are Exptime-complete. Hence, while ATLlp satisfiability has the same complexity as ATL satisfiability, model-checking against ATLlp is exponentially harder than ATL model-checking. The upper bounds are obtained by using an automata-theoretic framework based on the use of a subclass of Büchi alternating automata for CGS (Büchi Automata for Concurrent Games, for short Büchi ACG) [32], which were introduced as ACG with satellites in [14].

2. Preliminaries Hereafter, AP denotes a finite non-empty set of atomic propositions, Ag denotes a finite non-empty set of agents, and Ac stands for some finite non-empty set of actions that can be taken by agents. Given a set A ⊆ Ag of agents, an A-decision d A is an element in Ac A assigning to each agent ag ∈ A an action d A (ag). For A , A  ⊆ Ag such that A ∩ A  = ∅, an A-decision d A and A  -decision d A  , d A ∪ d A  denotes the ( A ∪ A  )-decision defined in the obvious way. Let Dc = AcAg be the set of full decisions of all the agents in Ag. Let N be the set of natural numbers. For all i , j ∈ N , with i ≤ j, [i , j ] denotes the set of natural numbers h such that i ≤ h ≤ j. Let w be a finite or infinite word over some alphabet . By | w | we denote the length of w (we write | w | = ∞

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

[m3G; v1.261; Prn:30/12/2019; 14:52] P.3 (1-19)

3

if w is infinite). For all i , j ∈ N , with i ≤ j < | w |, w (i ) denotes the ith letter of w, and w [i , j ] the infix of w between positions i and j, i.e., the finite word w (i ) w (i + 1) . . . w ( j ). Given a set ϒ of directions, an (infinite) ϒ -tree T is a prefix closed subset of ϒ∗ such that for all x ∈ T , x · γ ∈ T for some γ ∈ ϒ. Elements of T are called nodes and ε is the root of T . For x ∈ T , the set of children of x in T is the set of nodes of the form x · γ for some γ ∈ ϒ . A path of T is a non-empty finite or infinite sequence π of nodes such that π (i ) is a child in T of π (i − 1) for all 0 < i < |π |. A path π of T is initial if it starts at the root, i.e. π (0) = ε . For an alphabet , a -labeled ϒ -tree is a pair  T , Lab consisting of a ϒ -tree and a labelling Lab : T →  assigning to each node in T a symbol in . We extend the labeling Lab to paths in the obvious way, i.e. Lab(π ) denotes the word over  of length |π | given by Lab(π (0))Lab(π (1)) . . .. W.l.o.g. we focus on labeled trees with a finite branching degree, i.e. such that each node has a finite number of children. 2.1. Concurrent game structures Concurrent game structures (CGS, for short) [5] generalize Kripke structures to a setting with multiple agents (or players). They can be viewed as multi-player arenas in which players perform concurrent actions, chosen strategically as a function of the history of the game. Definition 1 (CGS). A CGS (over AP, Ag, and Ac) is a tuple G = S, s0 , Lab, τ , where S is a set of states, s0 ∈ S is the initial state, Lab : S → 2AP maps each state to a set of atomic propositions, and τ : S × Dc → S is a transition function that maps a state and a full decision to a target state. The CGS G is finite if S is finite. A state s is controlled by an agent ag if for all {ag}-decisions d and counter-decisions d1 , d2 ∈ AcAg\{ag} , τ (s, d ∪ d1 ) = τ (s, d ∪ d2 ). We now recall the notion of strategy and counter strategy in a CGS G = S, s0 , Lab, τ . For a state s, the set of successors of s is the set of states s such that s = τ (s, d) for some full decision d. A play is an infinite sequence of states s1 s2 . . . such that si +1 is a successor of si for all i ≥ 1. An history (or track) ν is a non-empty prefix of some play. We denote by lst(ν ) the last state of ν . Let Trk be the set of tracks in G . Given a set A ⊆ Ag of agents, a strategy for A is a mapping f A : Trk → Ac A assigning to each track ν an A-decision. Intuitively, a strategy f A for agents in A is a combined plan that contains all choices of decisions as a function of the history of the current outcome. For a track ν , the set out(ν , f A ) of plays consistent with f A and ν (also called outcomes of f A from ν ) is the non-empty set of plays of the form π = ν  · s1 s2 . . . such that ν  · s1 = ν and for all i ≥ 1, there is a decision d ∈ AcAg\ A of agents in Ag \ A such that si +1 = τ (si , f A (ν  · s1 . . . si ) ∪ d). Thus, the outcome function out(ν , f A ) returns the set of all the plays having ν as prefix that can occur when agents A execute strategy f A from the history ν on. If ν consists of a single state s, we say that out(s, f A ) is the set of plays consistent with f A starting from state s. A counter strategy is a mapping f Ac : Trk × Ac A → AcAg\ A from tracks and decisions of the agents in A to decisions of the agents in Ag \ A. For a track ν , the set out(ν , f Ac ) of plays consistent with the counter strategy f Ac and ν is the non-empty set of plays of the form π = ν  · s1 s2 . . . such that ν  · s1 = ν and for all i ≥ 1, there is a decision d ∈ Ac A of agents in A so that si +1 = τ (si , f Ac (ν  · s1 . . . si , d) ∪ d). For a state s, an s-play is a play starting from state s. We are interested in the computation trees induced by CGS. Definition 2. For a set ϒ of directions, a Concurrent Game ϒ -Tree (ϒ -CGT) is a CGS  T , ε , Lab, τ , where  T , Lab is a 2AP -labeled ϒ -tree, and for each node x ∈ T , the set of successors of x corresponds to the set of children of x in T . Every CGS G = S, s0 , Lab, τ  induces a S-CGT, called computation tree of G and denoted by Unw(G ), obtained by unwinding G from the initial state in the usual way. Formally, Unw(G ) =  T , ε , Lab , τ  , where T is the set of elements ν in S ∗ such that s0 · ν is a track of G , and for all ν ∈ T and d ∈ Dc, Lab (ν ) = Lab(lst(ν )) and τ  (ν , d) = ν · τ (lst(ν ), d), where lst(ε ) = s0 . A Concurrent Game Tree (CGT, for short) is a ϒ -CGT for some set ϒ of directions. 2.2. Alternating-time temporal logic with linear past In this section, we recall the ‘memoryful’ linear-past extension of alternating-time temporal logic ATL∗ [5], introduced ∗ . ATL∗ [5] is a well-known extension of the standard branching-time temporal logic in [14] and, here, denoted by ATLlp ∗ CTL [4], where the path quantifiers are replaced by more general parameterized quantifiers which allow for reasoning ∗ extends both ATL∗ and linear-past branching-time temabout the strategic capability of groups of agents. The logic ATLlp ∗ poral logic CTLlp [21]. The latter is a known equally-expressive linear-past extension of CTL∗ , where path quantification is ‘memoryful’, i.e. it ranges over infinite paths that start at the root and visit the current node of the computation tree. ∗ path formulas ϕ are defined by the For the given sets AP and Ag of atomic propositions and agents, the set of ATLlp following grammar:

ϕ ::=  | p | ¬ϕ | ϕ ∨ ϕ | Xϕ | Yϕ | ϕ U ϕ | ϕ S ϕ |  A ϕ where p ∈ AP, A ⊆ Ag, X and U are the standard “next” and “until” linear temporal modalities, Y (“previous”) and S (“since”) are their past counterparts, respectively, and  A  is the “existential strategic quantifier” parameterized by a set of agents.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.4 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

4

Formula  A ϕ expresses that the group of agents A has a collective strategy to enforce the temporal property use some shorthands:

• • • •

the the the the

universal strategic quantifier [[ A ]]ϕ := ¬ A ¬ϕ , expressing that no strategy of A can prevent property eventually modality Fϕ :=  U ϕ and its past counterpart Pϕ :=  S ϕ , always modality Gϕ := ¬F¬ϕ and its past counterpart G− ϕ := ¬P¬ϕ , release modality ϕ1 Rϕ2 := ¬(¬ϕ1 U¬ϕ2 ) and its past counterpart ϕ1 R− ϕ2 := ¬(¬ϕ1 S¬ϕ2 ).

ϕ . We also

ϕ,

A state formula is a formula where each temporal modality is in the scope of a strategic quantifier. A basic formula is a ∗ is the set of state formulas. The size |ϕ | of a formula ϕ is the number state formula of the form  A ϕ . The language ATLlp of distinct subformulas of ϕ . ∗ is interpreted over concurrent game trees (CGT) T =  T , ε , Lab, τ . For a path formula ϕ , an initial The logic ATLlp infinite path π of T (i.e., an ε -play of T ) and a position i ≥ 0, the satisfaction relation (T , π , i ) |= ϕ , indicating that ϕ holds at position i along π , is inductively defined as follows (we omit the clauses for the Boolean connectives which are standard):

(T , π , i ) |= p (T , π , i ) |= Xϕ (T , π , i ) |= Yϕ (T , π , i ) |= ϕ1 U ϕ2 (T , π , i ) |= ϕ1 S ϕ2 (T , π , i ) |=  A ϕ

⇔ ⇔ ⇔ ⇔ ⇔ ⇔

p ∈ Lab(π (i )), (T , π , i + 1) |= ϕ i > 0 and (T , π , i − 1) |= ϕ there is j ≥ i : (T , π , j ) |= ϕ2 and (T , π , k) |= ϕ1 for all i ≤ k < j there is j ≤ i : (T , π , j ) |= ϕ2 and (T , π , k) |= ϕ1 for all j < k ≤ i for some A-strategy f A : (T , π  , i ) |= ϕ for all π  ∈ out(π [0, i ], f A )

Note that for each node x ∈ T and ε -play π visiting x, π visits x exactly at position |x| (the distance of node x from the root). For a node x of T , we write (T , x) |= ϕ to denote that there is an ε -play π visiting x such that (T , π , |x|) |= ϕ . Note that if ϕ is a state formula, then for all ε -plays π and π  which visit node x, it holds that (T , π , |x|) |= ϕ iff (T , π  , |x|) |= ϕ . A CGT T satisfies a formula ϕ (we also say that T is a model of ϕ ) if (T , ε ) |= ϕ . Two path formulas ϕ and ϕ  are equivalent if they admit the same models. Two path formulas ϕ and ϕ  are congruent if for every CGT T , ε -play π of T and position i ≥ 0, (T , π , i ) |= ϕ if and only if (T , π , i ) |= ϕ  . Note that congruence is a stronger requirement than equivalence. It is worth noting that in the valuation of a strategy quantifier  A , while in standard ATL∗ , play quantification ranges ∗ play quantifiover the plays consistent with the selected strategy which start at the current node (local semantics), in ATLlp cation ranges over the plays obtained by prefixing the outcomes of the selected strategy from the current node with the history that starts at the root and leads to the current node (memoryful semantics). Evidently, for formulas which do not contain past temporal modalities, the standard local ATL∗ -semantics is equivalent to the memoryful semantics.1 Moreover, ∗ [21] of CTL∗ corresponds to the fragment of ATL∗ where only the stratethe known memoryful linear-past extension CTLlp lp gic modalities Ag (equivalent to the existential path quantifier E) and ∅ (equivalent to the universal path quantifier ∗ is interpreted over 2AP -labeled trees which correspond to one-agent CGT. We denote by A) are exploited. Note that CTLlp ∗ (resp., CTL∗ ) but interpreted under the local ATL∗ -semantics ∗ ∗ PATL (resp., PCTL ) the logic having the same syntax as ATLlp lp ∗ ∗ (resp., the local CTL -semantics). Intuitively, in PATL and PCTL∗ the past cannot go beyond the present. In the following, we also consider the past extension LTL p of standard (future) LTL [2] which syntactically corresponds ∗ where strategy quantifiers are disallowed. LTL formulas ψ over AP are interpreted over infinite to the fragment of ATLlp p words over 2AP . For such words w and positions i, we write ( w , i ) |=LTL ψ to denote that ψ holds at position i along w according to the standard LTL (LTL p ) semantics. A pure past LTL p formula is an LTL p formula which does not contain occurrences of future temporal modalities. 2.3. The logic ATLlp The logics CTL [3] and ATL [5] are well-known syntactical fragments of CTL∗ and ATL∗ which have received a lot of attention due to the existence of polynomial-time algorithms which solve the associated (finite) model-checking problem. In particular, CTL (resp., ATL) is obtained from the more expressive logic CTL∗ (resp., ATL∗ ) by requiring that each temporal modality is immediately preceded by a path quantifier (resp., strategy quantifier). In this section, we introduce the ATL-like ∗ which corresponds to the alternating-time version of the linear-past extension CTL of CTL introduced fragment of ATLlp lp in [21]. Since past is linear, play quantification of past-time modalities is redundant. Thus, in ATLlp , we require the future temporal modalities X, U, and R to be preceded by a strategic quantifier, but we impose no equivalent restriction on the past ∗ defined by the following grammar: temporal modalities. Formally, the set of ATLlp formulas ψ is the fragment of ATLlp

1

ϕ.

ATL∗ formulas

ϕ are usually interpreted over CGS G . However, ATL∗ is insensitive to unwinding: G is a model of ϕ iff the CGT Unw(G ) is a model of

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.5 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

5

ψ ::=  | p | ¬ψ | ψ ∨ ψ | Yψ | ψ S ψ |  A Xψ |  A (ψ Uψ) |  A (ψ Rψ) Note that the past counterpart R− of the release modality can be expressed in ATLlp , and we have omitted formulas of the form  A Yψ (resp.,  A (ψ1 Sψ2 ), resp.,  A (ψ1 R− ψ2 )), since they have the same evaluation as Yψ (resp., ψ1 Sψ2 , resp., ψ1 R− ψ2 ). Note that for an ATLlp formula ψ and for all ε -plays π and π  which visit a node x of a CGT T , (T , π , |x|) |= ψ iff (T , π  , |x|) |= ψ . As an example, let us consider the formula ψ := [[ A ]]G B G[(grant → Preq) ∧ G− (grant → Preq)] which specifies that at each node x, no strategy of the agents of A can serve A to avoid that the agents in B can enforce that along a full computation (starting from the root) and visiting x, every grant is preceded by some request. ∗ is known to have the same expressiveness as ATL∗ [14], ATL turns out to be strictly more expressive than While ATLlp lp ATL. In particular, the following holds. Proposition 3 (Expressiveness of ATLlp ). ATLlp is strictly more expressive than ATL and strictly less expressive than ATL∗ . ∗ and Proof. In order to prove Proposition 3, we first make some observations concerning the comparison between ATLlp ∗ ∗ ∗ CTLlp . For this, we need additional definitions. Given an ATLlp formula ϕ and a CTLlp formula ψ , we say that ϕ and ψ are

∗ equivalent if for each CGT T it holds that T is a model of ϕ iff the 2AP -labeled tree induced by T is a model of ψ . An ATLlp formula ϕ is simple if for each strategy quantifier  A  occurring in ϕ , either A = Ag or A = ∅. Let ag be a designated agent ∗ formula ϕ , we in Ag. We say that a CGT T is controlled by agent ag if each state of T is controlled by agent ag. For an ATLlp ∗ formula obtained from ϕ by replacing each strategy quantifier  A  occurring in denote by simple (ag , ϕ ) the simple ATLlp ϕ with Ag if ag ∈ A, and with ∅ otherwise. The following claim is trivial. ∗ formula ϕ , it holds that for each CGT T controlled by agent ag, T is a model of ϕ iff T is a model of Claim 1. Given an ATLlp ∗ formula θ is equivalent to the CTL∗ formula, called CTL∗ variant of θ , obtained from θ by simple (ag , ϕ ). Moreover, a simple ATLlp lp lp replacing the strategy quantifier Ag with E and the strategy quantifier with A.

We now provide a proof of Proposition 3 by exploiting the previous claim and known expressiveness results about the logic CTLlp . In particular, in [21], it is shown that the CTLlp formula AXAF( p ∧ Y p ) has no equivalent CTL formula, and the ∗ , and ATL∗ and ATL∗ have the CTL∗ formula EGF p has no equivalent CTLlp formula. Thus, since ATLlp is a fragment of ATLlp lp same expressiveness, Proposition 3 directly follows from the following claim. Claim 2. The ATLlp formula ∅X∅F( p ∧ Y p ) cannot be expressed in ATL, and the ATL∗ formula AgGF p cannot be expressed in ATLlp . Proof of Claim 2. We focus on the ATLlp formula ∅X∅F( p ∧ Y p ) (the case for the ATL∗ formula AgGF p being similar). We assume that ∅X∅F( p ∧ Y p ) is expressible in ATL and derive a contradiction. Let ψ be an ATL formula equivalent to ∅X∅F( p ∧ Y p ). By Claim 1, simple (ag , ψ) and ∅X∅F( p ∧ Y p ) are equivalent over the CGTs controlled by agent ag. Since each 2AP -labeled tree can be associated to some CGT controlled by agent ag, applying again Claim 1, it follows ∗ variant of ∅X∅F( p ∧ Y p ), which is the CTL formula AXAF( p ∧ Y p ) is equivalent to the CTL∗ variant that the CTLlp lp lp of simple (ag , ψ), which is a CTL formula. This is a contradiction since the CTLlp formula AXAF( p ∧ Y p ) has no equivalent CTL formula [21]. Hence, the result follows. 2 In the rest of the paper, we will study in details the following two decision problems:

• Satisfiability: has a given ATLlp state formula a model? • (Finite) Model Checking: given a finite CGS G and an ATLlp state formula ψ , is Unw(G ) a model of ψ ? 2.4. Specifying responsibility in ATLlp In this section, we provide an application example of ATLlp in the context of responsibility [33]. This, besides illustrating the use of ATLlp , gives an evidence of its usefulness. A central concept in the specification and verification of multi-agent systems is the notion of responsibility. That is to determine which group of agents are accountable for some realized undesirable state of affairs. This can be performed by means of a backward-looking perspective, finalized at analyzing if a group of agents that was able to execute its strategic power to influence the occurrence of the state of affair. Backward-looking responsibility has been also formalized in dynamic logic [34]. The attribution of responsibility to agents or groups of agents is often characterized by means of specific fairness conditions [35,28]. For example, the conditions that characterize accountability and blameworthiness, which are considered as two instances of backward-looking responsibility, are formulated as follows. Agents can be held accountable for a state of affairs if they have intentionally, deliberately and actively been involved in realizing the state of affairs. On the other hand,

JID:TCS AID:12283 /FLA

6

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.6 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

Fig. 1. The CGS G Plant .

agents can be blamed for a state of affairs if they can be held accountable for it, and moreover, the involvement is based on free choice, and they know that the state of affairs has negative consequences [36]. Following the definition of responsibility given in [33], by means of ATLlp formulas, we can declare an agent group responsible for a realized situation if, given the history of performed actions, the group was able to avoid the situation (the outcome) using the available strategies. We illustrate this on a scenario adapted from [29] and reported below. A plant must be both watered and fertilized in order to prevent it from dying. Assume there are tree agents a0 , a1 , and a2 . Agents a0 and a1 are responsible for adding two different fertilizers (that are required to be injected in the same moment), and a2 is responsible for watering the plant. In order to keep the plant alive, we need first to water it and then to add both fertilizers. Each agent has two actions: pour and idle, with the obvious meaning. A portion of the CGS G Plant representing the interactions among the three agents and the consequent evolution of the plant system is depicted in Fig. 1. In particular, s0 is the starting state, s1 represents the state in which agent a2 moves first and pour water (while the other agents stay idle), and, conversely, s2 represents the state in which agent a0 and a1 move first while a2 stays idle. Notice that the system stays in s0 if a2 and one or both agents a0 and a1 use action pour. Also, we remain in state s0 if all agents choose to perform action idle. For the sake of readability, we omit some transitions from states s1 and s2 . Also, we assume that all the states sk , where k ≥ 3, are sink states. Now, assume that the plant dies after it has been watered (this is characterized by the system reaching states s4 , s5 , or s6 , all labeled by deadw ). One can check that neither a0 nor a1 (alone) is responsible for the death of the plant. This is expressed by the ATLlp formula ϕi below, for i = 0, 1, which indeed is not fulfilled by the CGS G Plant . The formula ϕi asserts that whenever we reach a state labeled deadw , in the past we have passed through a state labeled wet from which agent ai had the opportunity to single-handedly prevent the death of the plant. This formula is not fulfilled since ai cannot prevent a(1−i ) from performing the idle action in s1 .

ϕi = AgF(deadw ∧ Y(wet ∧ ai X alive)) Conversely, we can assert that the coalition of agents {a0 , a1 } is responsible if the plant dies after having been watered, as they have a collective strategy in s1 to deviate and reach state s3 , labeled alive. In fact, the ATLlp formula ϕ below is fulfilled.

ϕ = AgF(deadw ∧ Y(wet ∧ a0 , a1 X alive)) 3. Succinctness gap between memoryful past and local past ∗ have the same expressiveness as CTL∗ [21] and there are translations from PCTL∗ It is known that PCTL∗ and CTLlp ∗ ∗ and CTLlp into CTL of non-elementary complexity [21] based on the separation theorem for LTL p [30]. On the other hand, ∗ exponentially more succinct than CTL∗ . Analogous results hold the ability to refer to the past makes both PCTL∗ and CTLlp ∗ ∗ ∗ for the logics PATL and ATLlp when compared to ATL [14]. Note that as observed in [14], the succinctness gap between the past extensions of CTL∗ (resp., ATL∗ ) and CTL∗ (resp., ATL∗ ) are a consequence of the fact that LTL p is exponentially more succinct than LTL[16]. Interestingly, and perhaps surprisingly, we can establish a similar result for the logic CTLlp (resp., ATLlp ) when compared to the more expressive logic CTL∗ (resp., ATL∗ ).

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.7 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

7

Theorem 4. CTLlp (resp., ATLlp ) can be exponentially more succinct than CTL∗ (resp., ATL∗ ). Proof. We focus on ATLlp and ATL∗ (a similar result holds for the logics CTLlp and CTL∗ ). Let start an abbreviation for the LTL p formula ¬Y which holds only at the initial position of a word, and for an LTL p formula ϕ , let init(ϕ ) be the LTL p formula P(start ∧ ϕ ) requiring that ϕ holds at the initial position of a word. Now, for each n ≥ 1, let p 0 , p 1 , . . . , pn

i =n

be n + 1 distinct atomic propositions, and let us consider the LTL p formula ψn given by ψn := G i =1 ( p i ↔ init( p i )) −→  ( p 0 ↔ init( p 0 ) . Note that |ψn | = O (n). Intuitively, formula ψn asserts that at each position i of the given word, if i and the initial position agree on the truth value of propositions p 1 . . . , pn , then they also agree on the truth value of proposition p 0 . It is shown in [16] that every LTL formula which is equivalent to the LTL p formula ψn has size at least 2 (n) . Now, we observe that ∅ψn is an ATLlp formula. Let ϕn be an ATL∗ formula equivalent to ∅ψn , and ϕn,LTL be the LTL formula obtained from ϕn by removing the occurrences of strategy quantifiers  A . Let be the set of CGT over 2AP having exactly one ε -play. Evidently, we have that for each T ∈ , T is a model of ∅ψn (resp., ϕn ) iff Lab(πT ) is a model of the LTL p formula ψn (resp., LTL formula ϕn,LTL ), where πT is the unique ε -play of T . Thus, since ϕn and ∅ψn are equivalent, and there is a bijection between and the set of infinite words over 2AP , we obtain that ϕn,LTL is equivalent to ψn , hence, ϕn,LTL has size at least 2 (n) . This entails that |ϕn | is at least 2 (n) , and we are done. 2 ∗ (resp., ATL∗ ) To the best of our knowledge, no succinctness gap is known between the ‘memoryful’ past view in CTLlp lp ∗ ∗ and the ‘local’ past view in PCTL (resp., PATL ). In this section, we address this issue by establishing the following result. ∗ (resp., ATL∗ ) can be exponentially more succinct than PCTL∗ (resp., PATL∗ ). Theorem 5. CTLlp lp ∗ and PCTL∗ , we prove the following. For the part of Theorem 5 concerning CTLlp ∗ formula Theorem 6. For each n ≥ 1, there exists a CTLlp

ϕn of size O (n) such that every equivalent PCTL∗ formula has size at least

2 (n) . ∗ and PATL∗ . As a corollary of Theorem 6, we deduce the part of Theorem 5 for ATLlp ∗ formula ϕ  over Ag of size O (n) such that every equivalent Corollary 7. Let Ag be a set of agents. For each n ≥ 1, there exists an ATLlp n

PATL∗ formula has size at least 2 (n) .

ϕn be the CTLlp∗ formula of size O (n) satisfying the ∗ version over Ag of ϕ , statement of Theorem 6, and APn the set of propositions occurring in ϕn . We denote by ϕn the ATLlp n i.e., the formula obtained from ϕn , by replacing the path quantifier E (resp., A) with the strategy quantifier Ag (resp., ∅). Note that |ϕn | = |ϕn |. We can associate with each 2APn -labeled tree T =  T , Lab a CGT of the form f (T ) =  T , ε , Lab, τ 

Proof. Fix a set Ag of agents and an agent ag ∈ Ag. Let n ≥ 1 and

over Ag such that each node in f (T ) is controlled by agent ag. Now, let ψn be a PATL∗ formula over Ag and APn equivalent to ϕn . We show that the size of ψn is at least 2 (n) , hence, the result follows. We denote by ψn the PCTL∗ formula obtained from ψn by replacing each strategy quantifier  A  with E if ag ∈ A, and with A otherwise. By construction, for each 2APn -labeled tree T =  T , Lab, T is a model of ψn (resp., ϕn ) iff f (T ) is a model of ψn (resp., ϕn ). Thus, since ψn and ϕn are equivalent, we obtain that the PCTL∗ formula ψn is equivalent to ϕn . By Theorem 6, the size of ψn is at least 2 (n) , hence, being |ψn | ≥ |ψn |, the result follows. 2 In the rest of this section, we provide a proof of Theorem 6 by exploiting an infinite set of atomic propositions. By using standard encoding techniques (see e.g. [37]) one can show that the succinctness gap occurs even for formulas over a fixed set of atomic propositions. Fix n ≥ 1. Let APn := { p 0 , p 1 , . . . , pn } be a set consisting of n + 1 distinct atomic propositions, APn := APn \ { p 0 } be the set obtained from APn by removing proposition p 0 , and #, check ∈ / APn two additional atomic  propositions. Fix an ordering a1 , . . . , a2n of the 2n distinct symbols of the alphabet 2APn . An n-word is a word of the form w = b1 . . . b2n · {#} over 2APn ∪{#} of length 2n + 1 such that for each i ∈ [1, 2n ], either b i = ai or b i = ai ∪ { p 0 }. Intuitively an n-word is either the word ν = a1 , . . . , a2n · {#}, or is obtained from ν by augmenting some non-last symbols ai in ν with n proposition p 0 . Note that there are exactly 22 distinct n-words. Next, we define the notions of n-block and n-configuration. (See Fig. 2.) Definition 8 (n-blocks). An n-block is a 2APn ∪{check,#} -labeled tree  T , Lab such that there is a finite path π from the root so that Lab(π ) is an n-word and each node x of π has exactly one child c x which is not visited by π . Moreover, there is exactly one infinite path starting from c x , and this path has label {check}ω . Intuitively, an n-block is a labeled tree consisting of an n-word augmented with check-branches starting from the n-word nodes.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.8 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

8

Fig. 2. n-blocks and n-configurations.

Definition 9 (n-configurations). An n-configuration is a 2APn ∪{check,#} -labeled tree T =  T , Lab such that for some k ≥ 1, there exist k + 1 n-blocks T0 , . . . , Tk so that T is obtained by connecting the k + 1 n-blocks T0 , . . . , Tk as follows: the {#}-node of T0 has as children the roots of T1 . . . Tk . We say that T0 is the master n-block of T , and T1 . . . , Tk are the slave n-blocks of T . The n-configuration T is well-formed if the n-word associated with the master coincides with the n-word of some slave. ∗ formula We now show that one can construct a CTLlp are well-formed from the non-well-formed ones.

ϕn of size O (n) which distinguishes the n-configurations which

∗ formula ϕ over AP ∪ {check, #} having size O (n) such that for each n-configuration Lemma 10. For each n ≥ 1, there exists a CTLlp n n  T , Lab,  T , Lab is a model of ϕn if and only if  T , Lab is well-formed. ∗ formula Proof. Given n ≥ 1, we construct a CTLlp path π of T from the root such that:

ϕn which is satisfied by an n-configuration T iff there exists an infinite

(1) π visits the n-word w M of the master and the n-word w S of some slave, and (2) the two n-words w M and w S visited by π coincide (i.e., w M = w S ). Note that by definition of n-word, Requirement (2) is equivalent to the following one: (3) for each non-last position i of the n-word w S and for each non-last position k of the n-word w M , if w M (k) and w S (i ) agree on propositions p 1 , . . . , pn (i.e., w M (k) ∩ { p 1 , . . . , pn } = w S (i ) ∩ { p 1 , . . . , pn }), then w M (k) and w S (i ) agree on proposition p 0 too (i.e., w M (k) ∩ { p 0 } = w S (i ) ∩ { p 0 }). ∗ formula of size O (n) satisfying Requirement (3) is that for each The crucial property which allow us to define a CTLlp node x of π associated with some non-last position of the slave n-word w S , there is a child y of x whose subtree reduces to a path labelled by the word ({check})ω . Thus, the ‘memoryful’ semantics of the path quantifier E allow us to ‘select’ the prefix of π until node x, by using the check-node y as marker, and to require that such a prefix satisfies the following

(*) for each node z along the n-word of the master whose label is not {#}, if the labels of z and x agree on propositions p 1 , . . . , pn , then they also agree on proposition p 0 . ∗ formula Thus, the CTLlp







ϕn is EF # ∧ (XF#) ∧ G (¬# ∧ ¬check) → E(Xcheck ∧ ψn )

Requirement (*) for the selected 2APn -labeled node of the selected slave: i =n   ψn := P # ∧ YG−





i =1 qi ∈{ p i ,¬ p i }



q0 ∈{ p 0 ,¬ p 0 }



qi → F(¬check ∧ Xcheck ∧ qi ) −→

(q0 → F(¬check ∧ Xcheck ∧ q0 )



2

where ψn is an LTL p formula ensuring

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.9 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

9

Next, in order to complete the proof of Theorem 6, we show that for all n ≥ 1, every PCTL∗ formula equivalent to the ∗ formula ϕ of Lemma 10 has size at least 2 (n) . For this, we exploit the well-known result concerning the translation CTLlp n of CTL∗ (and PCTL∗ as well) formulas into equivalent parity symmetric alternating tree-automata (parity SATA). SATA [38] are a variation of classical (asymmetric) alternating automata in which it is not necessary to specify the direction (i.e., the choice of the children) of the tree on which a copy is sent. In fact, through existential and universal moves, it is possible to send a copy of the automaton, starting from a node of the input tree, to one or all its successors. We now recall syntax and semantics of parity SATA. For a set X , B+ ( X ) denotes the set of positive Boolean formulas over X , i.e. Boolean formulas built from elements in X using ∨ and ∧ (we also allow the formulas true and false). A subset Y of X satisfies θ ∈ B+ ( X ) iff the truth assignment that assigns true to the elements in Y and false to the elements of X \ Y satisfies θ . A parity SATA over a finite alphabet  is a tuple A = , q0 , Q , δ, , where Q is a finite set of states, q0 ∈ Q is the initial state, δ : Q ×  → B+ ( Q × {2, 3}) is the transition function, and : Q → N is a parity acceptance condition over Q assigning to each state an integer (color). Intuitively, a target of a move of A is encoded by an element in Q × {2, 3}. An atom (q, 3) means that from the current node x of the -labeled input tree, A moves to some child of x and the state is updated to q. On the other hand, an atom (q, 2) means that from the current node x, the automaton splits in multiple copies and, for each child x of x in the input tree, one of such copies moves to node x and the state is updated to q. Formally, for a -labeled tree T =  T , Lab, a run of A over T is a ( Q × T )-labeled N -tree r =  T r , Labr , where each node of T r labelled by (q, x) describes a copy of the automaton that is in state q and reads the node x of T . Moreover, we require that r (ε ) = (q0 , ε ) (initially, the automaton is in state q0 reading the root node), and for each y ∈ T r with r ( y ) = (q, x), there is a (possibly empty) minimal set H ⊆ Q × {2, 3} satisfying δ(q, Lab(x)) such that the set L ( y ) of labels of children of y in T is the smallest set satisfying the following conditions: for all atoms at ∈ H ,

• if at = (q , 3), then for some child x of x in T , (q , x ) ∈ L ( y ); • if at = (q , 2), then for each child x of x in T , (q , x ) ∈ L ( y ). The run r is accepting if for all infinite paths π starting from the root, the smallest color of the states in Q that occur infinitely often along Labr (π ) is even. A -labeled tree T =  T , Lab is accepted by A if there is an accepting run over T . The following is a well-known result [39]. Proposition 11 ([39]). Given a PCTL∗ formula ψ , one can construct a parity SATA with 2 O (|ψ|) states accepting the set of models of ψ. Theorem 6 directly follows from Lemma 10, Proposition 11, and the following result. ∗ formula ϕ in Lemma 10. Lemma 12. Let n ≥ 1 and An be a parity SATA over 2APn ∪{check,#} accepting the set of models of the CTLlp n n

Then, An has at least 22 states. Proof. Let n ≥ 1 and An = 2APn ∪{check,#} , q0 , Q , δ,  as in the statement of the lemma. For each state q ∈ Q , we denote by q q An the parity SATA 2APn ∪{check,#} , q, Q , δ, , i.e., An is obtained from An by considering q as initial state instead of q0 . We show the following. Claim. For each n-word w, there is a state q w of An such that: q

• there is an accepting run of An w over the n-block associated with w; q • for each n-word w  distinct from w, there is no accepting run of An w over the n-block related to w  . By the claim above, it follows that there is a bijection between the set of n-words and a subset of the set Q of An -states. n Thus, since the number of distinct n-words is 22 , the result follows. It remains to prove the claim. n An n-configuration T is complete if T has 22 slaves and for each n-word w, there is a slave of T associated with w. Fix an n-word w and let T w be a complete n-configuration whose master matches the n-word w. Since T w is well-formed, by hypothesis and Lemma 10, there is an accepting run r w of An over T w . Let x# be the {#}-labeled node of the T w -master, n and x1 , . . . , x22n be the 22 children of x# which correspond to the roots of the T w -slaves. Without loss of generality, assume \w

that x1 is the root of the slave associated with the n-word w. Moreover, let T w be the n-configuration obtained from T w 3 be the set of states associated with by removing the subtree rooted at node x1 (i.e., the slave associated with w), and Q w \w

the copies of the run r w reading node x1 and obtained by existential moves. Since T w is not well-formed, by hypothesis \w and Lemma 10, there is no accepting run of An over T w . 3 , there exists an accepting Since the parity acceptance condition is prefix independent, by construction, for each q ∈ Q w q run of An over the n-block associated with w (in particular, the subtree rooted at the node of the run r w associated with the copy of An reading node x1 in state q is such a run). Thus, since w is an arbitrary n-word, in order to prove the claim, 3 such that for each n-word w  distinct from w, there is no accepting it suffices to show that there exists a state q w ∈ Q w

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.10 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

10

3 = {q , . . . , q }. By run of An w over the n-block related to w  . We assume the contrary and derive a contradiction. Let Q w 1 k q hypothesis, for all i ∈ [1, k], there exists an n-word w i = w and an accepting run r i of Ani over the n-block related to w i . Let r  be the labeled tree obtained from the accepting run r w by replacing for all i ∈ [1, k] and node zi of r w associated with the copy of An reading node x1 in state q i , the subtree rooted at node zi with a copy of the run r i . Since for each i ∈ [1, k], \w the n-configuration T w has a slave associated with the n-word w i , by construction, we obtain that r  is an accepting run \w of An over T w , which is a contradiction, and the result follows. 2 q

4. Decision procedures for ATLlp In this section, we establish that both satisfiability and model-checking for the logic ATLlp are Exptime-complete. The upper bounds are obtained by an automata-theoretic framework based on the use of a subclass of Büchi alternating automata for CGS (Büchi ACG) [32], called ACG with satellites and introduced in [14]. By translating ATLlp formulas into equivalent Büchi ACG with satellites, we reduce model-checking (resp., satisfiability) of ATLlp to the membership (resp., non-emptiness) problem of such a class of automata. Notice that the symbolic algorithm, based on reachability analysis, used for solving ATL model-checking [5] cannot be applied to ATLlp . This is because unlike ATL, the satisfaction of an ATLlp formula ϕ at a node x of the unwinding Unw(G ) of a finite CGS does not depend only on the state of G associated with node x, but also depends on the history from the root to node x. The rest of the section is organized as follows. In Subsection 4.1, we establish a preliminary result concerning the dualization of basic ATLlp formulas which generalizes to linear past a similar result holding for ATL∗ . In Subsection 4.2, we recall the framework of ACG with satellites, and in Subsection 4.3, we solve satisfiability and model-checking of ATLlp by providing a translation of ATLlp formulas into equivalent Büchi ACG with satellites involving a single exponential blowup. Finally, in Subsection 4.4, we show that model-checking against ATLlp is Exptime-hard. 4.1. Dualization of basic ATLlp formulas In order to solve the considered decision problems for the logic ATLlp , we exploit the following preliminary result (which is known to hold for ATL∗ [40]). Proposition 13. Given a basic ATLlp formula  A ψ , a CGT T , and a node x, the following holds, where νx is the history from the root to node x: (T , x) |= ¬ A ψ if and only if there is a counter-strategy f Ac for A such that for all ε -plays π ∈ out(νx , f Ac ), (T , π , |x|) |= ¬ψ . The rest of this subsection is devoted to the proof of Proposition 13. For this, we need additional results based on the separation theorem for LTL p over infinite words [30] (which states that any LTL p formula can be effectively converted into an equivalent Boolean combination of LTL formulas and pure past LTL p formulas). ∗ (note that we consider the more expressive logic ATL∗ ) are congruent Recall that two path formulas ϕ and ϕ  of ATLlp lp

∗ path formula if for every CGT T , ε -play π of T and position i ≥ 0, (T , π , i ) |= ϕ if and only if (T , π , i ) |= ϕ  . For an ATLlp ϕ over AP, let BFL(ϕ ) be the set of first-level basic subformulas of ϕ , i.e. the basic subformulas of ϕ for which there is an occurrence in ϕ which is not in the scope of strategy quantifiers. Note that ϕ can be seen as an LTL p formula over the set of ∗ path formulas ϕ whose first-level basic subformulas propositions AP augmented with BFL(ϕ ). We first show that for ATLlp ∗ are in ATL , it is possible to separate past and future temporal modalities. ∗ formula such that BFL(ϕ ) consists of ATL∗ formulas. Then,  A ϕ and ϕ are congruent to Lemma 14. Let  A ϕ be a basic ATLlp ∗ path formulas that correspond to pure past LTL formulas over the set of ∗ Boolean combinations of ATL path formulas and ATLlp p propositions AP ∪ BFL(ϕ ).

Proof. Let AP = AP ∪ BFL(ϕ ). By hypothesis, BFL(ϕ ) is a set of ATL∗ formulas. Given a CGT T over AP with propositional labeling Lab and an ε -play π of T , we denote by

πAP the infinite word over

2AP defined as follows for every position i ≥ 0:

• πAP (i ) ∩ AP = Lab(π (i )); • πAP (i ) ∩ BFL(ϕ ) = {ψ ∈ BFL(ϕ ) | (T , π , i ) |= ψ}. Now, the path formula ϕ over AP can be seen as an LTL p formula over AP. By definitions of the infinite words πAP and the ∗ semantics, one can easily show by structural induction that for all CGT T over AP, ε -plays π of T , and LTL p and ATLlp positions i ≥ 0:

(T , π , i ) |= ϕ if and only if (πAP , i ) |=LTL ϕ By applying the separation theorem for LTL p [30], starting from the LTL p formula over AP of the form

(1)

ϕ , one can construct an LTL p formula θ

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.11 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

θ :=

11

 (θ p , ∧ θ f , )

(2)

∈ I

such that I = ∅, for all  ∈ I , θ p , is a pure past LTL p formula, θ f , is an LTL formula, and for all infinite words w over 2AP and i ≥ 0, it holds that ( w , i ) |=LTL ϕ iff ( w , i ) |=LTL θ . ∗ formula over AP, by replacing formula ϕ with θ in Point (1), we obtain that ϕ and θ Since θ corresponds to an ATLlp



∗ formula  A ϕ over AP is congruent to the basic ATL∗ formula  A  are congruent and the given basic ATLlp lp

(θ p , ∧ θ f , ).

∈ I

Thus, the statement of Lemma 14 directly follows from the following claim.



Claim. ψ :=  A 

(θ p , ∧ θ f , ) is congruent to ψ B :=

     ( θ p , ) ∧  A ( θ f , ) . J ⊆ I | J =∅

∈ I

∈ J

∈ J

Proof of the Claim. Fix a CGT T over AP, an ε -play π of T , and a position i ≥ 0. First, assume that (T , π , i ) |= ψ . Hence, there is a strategy f A for A such that the following holds, where is the non-empty set of ε -plays π  ∈ out(π [0, i ], f A ): for all π  ∈ , (T , π  , i ) |= ∈ I (θ p , ∧ θ f , ). Let J be the non-empty subset of I consisting of the elements  ∈ I such that (T , π  , i ) |= θ p , ∧ θ f , for some π  ∈ . Since θ p , corresponds to a pure past LTL p formula over AP and π  [0, i ] = π [0, i ] for all π  ∈ , it follows that for all  ∈ J , (T , π , i ) |= θ p , . Thus, we obtain that

(T , π , i ) |= (



θ p , ) ∧  A (

∈ J



θ f , ) which entails that (T , π , i ) |= ψ B .

∈ J

For the converse direction, assume that (T , π , i ) |= ψ B . Hence, there are a non-empty subset J ⊆ I and a strategy f A for A such that the following holds, where is the non-empty set of ε -plays π  ∈ out(π [0, i ], f A ):

• for all  ∈ J , (T , π , i ) |= θ p , ; • for all π  ∈ , there is  ∈ J such that (T , π  , i ) |= θ f , . Again since θ, p corresponds to a pure past LTL p formula over AP and π  [0, i ] = π [0, i ] for all π  ∈ , it follows that for all   ∈ J and π  ∈ , (T , π  , i ) |= θ p , . Hence, (T , π , i ) |=  A  (θ p , ∧ θ f , ) which entails that (T , π , i ) |= ψ . 2 ∈ J ∗ path formulas. We now extend Lemma 14 to arbitrary ATLlp ∗ path formula. Then, ϕ is congruent to a Boolean combination of ATL∗ path formulas and ATL∗ path Lemma 15. Let ϕ be an ATLlp lp formulas that correspond to pure past LTL p formulas over the set of propositions AP ∪ H, where H consists of basic ATL∗ formulas.

Proof. The proof is by induction on the nesting depth of the strategy quantifiers in ϕ . For the base case, BFL(ϕ ) = ∅, and the result directly follows from Lemma 14. For the inductive step, let  A  ψ ∈ BFL(ϕ ). By the inductive hypothesis, the thesis ∗ formula ψ  such that BFL(ψ  ) consists of basic ATL∗ formulas. holds for formula ψ . Hence, ψ is a congruent to an ATLlp ∗ formula, say ξ , such that BFL(ξ ) consists of basic ATL∗ formulas. By applying Lemma 14,  A  ψ is congruent to an ATLlp

By replacing each occurrence of  A  ψ in ϕ with ξ , and repeating the procedure for all the formulas in BFL(ϕ ), we obtain ∗ path formula θ which is congruent to ϕ (note that the congruence relation is closed under substitution) and such an ATLlp that BFL(θ) consists of basic ATL∗ formulas. At this point we can apply Lemma 14 to formula θ proving the assertion. 2 Proof. Proof of Proposition 13 by exploiting Lemma 15, we now provide a proof of Proposition 13. Let  A ψ , T , x, and νx be as in Proposition 13. First, assume that there is a counter strategy f Ac for A such that for all ε -plays π ∈ out(νx , f Ac ), (T , π , |x|) |= ¬ψ . Since for each strategy f A for A, out(νx , f Ac ) ∩ out(νx , f A ) = ∅, we deduce that (T , x) |= ¬ A ψ , and the result follows. ∗ For the converse direction, assume that (T , x) |= ¬ A ψ . By Lemma 15, the ATLlp formula ψ is congruent to an ATLlp path formula θ of the form

θ :=

 (θ p , ∧ θ f , )

(3)

∈ I

such that I = ∅, for all  ∈ I , θ f , is a path ATL∗ formula and θ p , corresponds to a pure past LTL p formula over the set of propositions AP ∪ H where H consists of basic ATL∗ formulas. Let J x be the set of elements  ∈ I such that (T , x) |= θ p , . If J x = ∅, then by Point (3), for each ε -play π visiting node x, we have that (T , π , |x|) |= ¬θ . Thus, since θis congruent to ψ , the result follows. Now, assume that J x = ∅. In the proof of Lemma 14, we exploit the fact that  A  (θ p , ∧ θ f , ) is congruent to

     ( θ p , ) ∧  A ( θ f , ) . J ⊆ I | J =∅

∈ J

∈ J

∈ I

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.12 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

12

By hypothesis, (T , x) |= ¬ A ψ . Hence, by definition of J x , it follows that

(T , x) |= ¬ A (



θ f , )

∈ J x



θ f , ) is a basic ATL∗ formula, by [40], there exists a counter strategy f Ac for agents in A such that for all ε -plays π ∈ out(νx , f Ac ) and  ∈ J x , (T , π , |x|) |= ¬θ f , .2 Moreover, since θ p , is a pure past LTL p formula over AP ∪ H, where H consists of basic ATL∗ formulas, by definition of J x , for all  ∈ I \ J x and ε -plays π visiting x, (T , π , |x|) |= ¬θ p , . Thus, by Point (3) and since θ is congruent to ψ , we obtain that for all ε -plays π ∈ out(νx , f Ac ), (T , π , |x|) |= ¬ψ , which concludes the proof of Proposition 13. 2 Since  A (

∈ J x

4.2. Automata for ATLlp In this section, we recall the class of ACG [32] and the subclass of ACG with satellites [14]. ACG generalize the class of symmetric alternating automata (recalled in Section 3) by branching universally or existentially over all successors that result from the agents’ decisions. Formally, a Büchi ACG over 2AP and Ag is a tuple A = 2AP , q0 , Q , δ, F , where Q is a finite set of states, q0 ∈ Q is the initial state, δ : Q × 2AP → B+ ( Q × {2, 3} × 2Ag ) is the transition function, and F ⊆ Q is a Büchi acceptance condition on Q . The transition function δ maps a state and an input letter to a positive Boolean combination of universal atoms (q, 2, A ) which refer to all successors states for some A-decision, and existential atoms (q, 3, A ) which refer to some successor state for all A-decisions. We interpret the Büchi ACG A over CGT T =  T , ε , Lab, τ  on AP and Ag. A run of A over T is a ( Q × T )-labeled N -tree r =  T r , Labr , where each node of T r labelled by (q, x) describes a copy of the automaton that is in the state q and reads the node x of T . Moreover, we require that Labr (ε ) = (q0 , ε ) (initially, the automaton is in state q0 reading the root node), and for each y ∈ T r with Labr ( y ) = (q, x), there is a set H ⊆ Q × {2, 3} × 2Ag such that H is model of δ(q, Lab(x)) and the set L of labels associated with the children of y in T r minimally satisfies the following conditions:

• for all universal atoms (q , 2, A ) ∈ H , there is some A-decision d A such that for all the children x of x in T which are consistent with d A , (q , x ) ∈ L; • for all existential atoms (q , 3, A ) ∈ H and for all A-decisions d A , there is some child x of x in T which is consistent with d A such that (q , x ) ∈ L. The run r is accepting if for all infinite paths π starting from the root, Labr (π ) visits infinitely often elements in F . The language L(A) accepted by A consists of the CGT T over AP and Ag such that there is an accepting run of A over T . In the following, we also consider standard nondeterministic and deterministic word automata (NWA and DWA) with no acceptance condition (safety NWA and safety DWA) running on words over a finite alphabet . Recall that a safety NWA is a tuple A = , q0 , Q , δ, where q0 and Q are as for ACG, and δ : Q ×  → 2 Q is the transition function. The automaton is deterministic if for each state q and input symbol σ , δ(q, σ ) is a singleton. A run π over an input w ∈ ω is an infinite sequence of states π = q0 , q1 , . . . (starting from the initial state) such that q i +1 ∈ δ(qi , w (i )) for all i ≥ 0. In the translation of ATLlp formulas into equivalent ACG, the main technical obstacle is the handling of (memoryful) linear past which enables a reference to histories since the root of a CGT. This requires an automaton to remember the past. A simple solution would consist of using a two-way extension of ACG, but for such a class of automata, the membership and the non-emptiness problem would appear to be harder than the ones for (one-way) ACG. Instead, we adopt the approach ∗ [21] and ATL∗ [14] based on the use of alternating automata augmented with satellites. Specifically, ACG with for CTLlp lp satellites [14] represent a subclass of ACG in which the state space can be partitioned into two components, one of which (the satellite) is independent of the other, has no influence on the acceptance, and runs on all the branches of the input CGT by maintaining information about the past. Formally, a Büchi ACG equipped with a satellite is a pair (A, U ), where U = 2AP , s0 , S , δ S , the satellite, is a safety NWA, while A (the main automaton) is a Büchi ACG A = 2AP , q0 , Q , δ, F  whose transition function is of the form δ : Q × 2AP × S → B+ ( Q × {2, 3} × 2Ag ). Intuitively, when a copy of A reads a node x of the input with label σ , a possible move is performed in two phases. In the first phase, the associated copy of U reads the letter σ and updates its state. In the second phase, A reads σ and the updated state of U , and updates its state. Formally, (A, U ) is equivalent to the ordinary Büchi ACG A = 2AP , (q0 , s0 ), Q × S , δ  , F × S , where for all (q, s) ∈ Q × S and σ ∈ 2AP , δ  ((q, s), σ ) = s ∈δ S (s,σ ) f (q, σ , s ) with f (q, σ , s ) being obtained from δ(q, σ , s ) by replacing each atom (q , 2, A ) (resp., (q , 3, A )) with ((q , s ), 2, A ) (resp., ((q , s ), 3, A )). The separation of the satellite U from the main automaton A allows a tighter analysis of the complexity of the nonemptiness problem. If U is deterministic, then the resulting exponential blow-up in the alternation removal (used for checking non-emptiness) only concerns the states of the main automaton. In particular, by [21,14], the following holds.

2

The result in [40] is based on the well-known determinacy of two-players turn-based games with LTL objectives.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.13 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

13

Proposition 16 ([21,14]). The non-emptiness problem of a Büchi ACG A with n states and a deterministic satellite with n S states can be solved in time 2 O (n log n S +n

2

log n)

.

In Subsection 4.3, we provide a translation of ATLlp formulas ϕ into equivalent Büchi ACG accepting the set of models of ϕ . In such a way, model-checking against ATLlp is reduced to checking for a finite CGS G and a Büchi ACG A, whether Unw(G ) is accepted by A. By standard arguments (see e.g. [39]), checking whether Unw(G ) is accepted by A can be reduced in polynomial-time to checking non-emptiness of a Büchi alternating word automaton over a 1-letter input alphabet with n · m states, where n (resp., m) is the number of states in G (resp., A). By [41], the latter problem can be solved in time O ((n · m)2 ). Proposition 17. Given a Büchi ACG A with m states and a finite CGS G with n states, checking whether Unw(G ) is accepted by A can be done in time O ((n · m)2 ). 4.3. From ATLlp to Büchi ACG with satellites In this section, in order to solve ATLlp satisfiability, we show how to translate a given ATLlp formula  into a Büchi ACG A with O (||) main states equipped with a deterministic satellite U having 2 O (||) states accepting extended versions of the models of  (extended basic models). For the model-checking problem, we convert the pair (A , U ) into a ACG A  having 2 O (||) states accepting the set of models of with O (||) main states equipped with a nondeterministic satellite U . We now proceed with the technical details. Fix an ATLlp state formula  over AP, and let B  be the set of basic subformulas of . Recall by Subsection 4.1 that BFL() denotes the set of first-level basic subformulas of , i.e. the basic subformulas of  which occur in  outside the scope of strategy quantifiers. Note that an ATLlp formula ψ can be seen as a pure past LTL p formula, denoted [ψ]LTL p , over the set AP augmented with the set BFL(ψ) ⊆ B ψ of first-level basic subformulas of ψ . In particular, if ψ is a state formula, then [ψ]LTL p is a propositional formula over AP ∪ BFL(ψ). For a finite set B disjoint from AP and a CGT T =  T , ε , Lab, τ  over AP, a B-labeling extension of T is a CGT over AP ∪ B of the form  T , ε , Lab , τ , where Lab (x) ∩ AP = Lab(x) for all x ∈ T . A CGT T over AP ∪ B  is called an extended basic model of  iff the following holds, where Lab is the labeling of T :

• for each  A ψ ∈ B  and node x of T , (T , x) |=  A ψ if and only if  A ψ ∈ Lab(x); • Lab(ε ) is a model of the propositional formula []LTL p . Evidently, by the semantics of ATLlp , the following holds. Remark 18. Let T be a CGT over AP and  be an ATLlp state formula over AP. Then:

• T is a model of  iff there exists a B  -labeling extension of T which is an extended basic model of ; • there is at most one B  -labeling extension of T which is an extended basic model of . Next, we provide a characterization of the set of extended basic models of the given state formula  based on a set of conditions which can be easily checked by Büchi ACG equipped with deterministic satellites. Let ψ be a pure past LTL p formula over the set of propositions AP ∪ B  . The closure cl(ψ) of ψ is the set of pure past LTL p formulas consisting of the subformulas of ψ and their negations (we identify ¬¬ψ with ψ ). Note that ψ, ¬ψ ∈ cl(ψ) and |cl(ψ)| = O (|ψ|). It is worth noting that in the previous definition, elements in B  are considered as atomic propositions. By an adaptation of the well-known translation of LTL formulas into equivalent generalized Büchi NWA[42], we obtain the following result. Proposition 19. Let ψ be a pure past LTL p formula over AP ∪ B  . Then, one can construct a safety DWA Dψ = 2AP∪ B  , q0 , Q ∪ {q0 }, δ such that Q ⊆ 2cl(ψ) , there is no transition leading to q0 , and the following holds for each infinite word w over 2AP∪ B  :

• let q0 C 0 C 1 . . . be the unique run of Dψ over w. Then, for all i ≥ 0 and θ ∈ cl(ψ), θ ∈ C i if and only if ( w , i ) |= θ . Proof. The safety DWA Dψ = 2AP∪ B  , q0 , Q ∪ {q0 }, δ such that Q ⊆ 2cl(ψ) is defined as follows. Q is the set of atoms of ψ consisting of the maximal propositionally consistent subsets C of cl(ψ). Formally, an atom C of ψ is a subset of cl(ψ) satisfying the following:

• for each θ ∈ cl(ψ), θ ∈ C iff ¬θ ∈ / C; • for each θ1 ∨ θ2 ∈ cl(ψ), θ1 ∨ θ2 ∈ C iff {θ1 , θ2 } ∩ C = ∅. An atom is initial if

JID:TCS AID:12283 /FLA

14

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.14 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

• for each Yθ ∈ cl(ψ), Yθ ∈ / C; • for each θ1 Sθ2 ∈ cl(ψ), θ1 Sθ2 ∈ C iff θ2 ∈ C . The transition relation δ captures the semantics of the previous modalities, and the local fixpoint characterization of the since modalities. Formally, for each σ ∈ 2AP∪ B  , δ(q0 , σ ) consists of the only initial atom C which is consistent with the input symbol σ , i.e., such that C ∩ (AP ∪ B  ) = σ ∩ (AP ∪ B  ). Moreover, for each atom C of ψ and σ ∈ 2AP∪ B  , δ(C , σ ) consists of the only atom C  of ψ which is consistent with the input symbol σ and such that:

• for each Yθ ∈ cl(ψ), Yθ ∈ C  iff θ ∈ C ; • for each θ1 Sθ2 ∈ cl(ψ), θ1 Sθ2 ∈ C  iff either θ2 ∈ C  , or θ1 ∈ C  and θ1 Sθ2 ∈ C . By standard arguments (see [42]), given an infinite word w over 2AP∪ B  , for the unique run π = q0 C 0 C 1 . . . C  of Dψ over w, the following holds: for all i ≥ 0 and θ ∈ cl(ψ), θ ∈ C i if and only if ( w , i ) |= θ . Hence, the result follows. 2 We are now ready to provide a characterization of the extended basic models of the ATLlp state formula . For each ATLlp subformula ψ of , let Dψ be the safety DWA over 2AP∪ B  of Proposition 19 for the pure past LTL p formula [ψ]LTL p . For each finite word w over 2AP∪ B  , we denote by Dψ ( w ) the state reached by Dψ on reading w.

Definition 20 (Well-formedness). Let T be a CGT over AP ∪ B  with labeling Lab and  A ψ ∈ B  be a basic subformula of . For each node x of T , let νx be the track of T from the root to node x.

• T is positively well-formed with respect to  A ψ if for all nodes x such that  A ψ ∈ Lab(x), there is a strategy f A for A such that for all the outcomes π ∈ out(νx , f A ): – Case ψ = Xψ1 : ψ1 ∈ Dψ1 (Lab(π [0, |x| + 1])). – Case ψ = ψ1 Uψ2 : there is j ≥ |x| such that ψ2 ∈ Dψ2 (Lab(π [0, j ])) and ψ1 ∈ Dψ1 (Lab(π [0, k])) for all k ∈ [|x|, j − 1]. – Case ψ = ψ1 Rψ2 : for all j ≥ |x| either ψ2 ∈ Dψ2 (Lab(π [0, j ])) or ψ1 ∈ Dψ1 (Lab(π [0, k])) for some k ∈ [|x|, j − 1]. • T is negatively well-formed with respect to  A ψ if for all nodes x such that  A ψ ∈ / Lab(x), there is a counter strategy f Ac for A such that for all the outcomes π ∈ out(νx , f Ac ): – Case ψ = Xψ1 : ¬ψ1 ∈ Dψ1 (Lab(π [0, |x| + 1])). – Case ψ = ψ1 Uψ2 : for all j ≥ |x|, either ¬ψ2 ∈ Dψ2 (Lab(π [0, j ])), or ¬ψ1 ∈ Dψ1 (Lab(π [0, k])) for some k ∈ [|x|, j − 1]. – Case ψ = ψ1 Rψ2 : there is j ≥ |x| such that ¬ψ2 ∈ Dψ2 (Lab(π [0, j ])) and ¬ψ1 ∈ Dψ1 (Lab(π [0, k])) for all k ∈ [|x|, j − 1]. By the dualization result (Proposition 13) and Proposition 19, we deduce the following characterization of extended basic models of . Lemma 21. [Characterization of extended basic models of ] Let T be a CGT with labeling Lab over AP ∪ B  such that Lab(ε ) is a model of the propositional formula []LTL p . Then, T is an extended basic model of  if and only if for each basic subformula  A ψ ∈ B  , T is both positively and negatively well-formed with respect to  A ψ . Proof. Let T as in the statement of the lemma, and for a node x of T , let νx be the track of T from the root to node x. First assume that for each basic subformula  A ψ ∈ B  , T is both positively and negatively well-formed with respect to  A ψ . Fix a node x of T and  A ψ ∈ B  . We need to show that  A ψ ∈ Lab(x) iff (T , x) |=  A ψ . The proof is by structural induction on the nesting depth of strategy quantifiers in ψ . We focus on the implication  A ψ ∈ / Lab(x) ⇒ (T , x) |= ¬ A ψ (the converse implication  A ψ ∈ Lab(x) ⇒ (T , x) |=  A ψ is similar) and assume that ψ = ψ1 Uψ2 (the other cases being similar). Thus, let  A ψ ∈ / Lab(x). Since T is negatively well-formed with respect to  A ψ ,  A ψ ∈ / Lab(x), and ψ = ψ1 Uψ2 , by Definition 20 there exists a counter strategy f Ac of T for A such that for all the outcomes π ∈ out(νx , f Ac ), the following holds, where Dψ1 and Dψ2 are the safety DWA of Proposition 19 associated with the pure past LTL p formulas [ψ1 ]LTL p and [ψ2 ]LTL p : (*) for all j ≥ |x| either ¬ψ2 ∈ Dψ2 (Lab(π [0, j ])) or ¬ψ1 ∈ Dψ1 (Lab(π [0, k])) for some k ∈ [|x|, j − 1]. By applying Proposition 19 to the unique run of the DWA Dψ1 (resp., Dψ2 ) over the infinite word Lab(π ), by Condition (*) we deduce that (**) for all j ≥ |x| either (Lab(π ), j ) |=LTL [¬ψ2 ]LTL p or (Lab(π ), k) |=LTL [¬ψ1 ]LTL p for some k ∈ [|x|, j − 1]. It follows that (Lab(π ), |x|) |=LTL [¬ψ]LTL p . By the induction hypothesis, for each  A  θ ∈ BFL(ψ) and position j ≥ 0, we have that  A  θ ∈ Lab(π ( j )) iff (T , π ( j )) |=  A  θ (note that in the base step, BFL(ψ) = ∅, hence ψ is a pure past LTL p

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.15 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

15

formula over AP). Thus, by the semantics of ATLlp , it follows that (T , π , |x|) |= ¬ψ . Since π in an arbitrary outcome of the counter strategy f Ac from the history νx , by Proposition 13, we conclude that (T , x) |= ¬ A ψ , and the result follows. For the converse implication, assume that for each node x of T and basic subformula  A ψ ∈ B  ,  A ψ ∈ Lab(x) iff (T , x) |=  A ψ . Fix  A ψ ∈ B  . We show that T is both positively and negatively well-formed with respect to  A ψ . We focus on the negative well-formedness condition and assume that ψ = ψ1 Uψ2 (the other cases being similar). Thus, let x be a node of T such that  A ψ ∈ / Lab(x). By hypothesis, (T , x) |= ¬ A ψ . By Proposition 13, there exists a counter strategy f Ac of T for A such that for all the outcomes π ∈ out(νx , f Ac ), it holds that (T , π , |x|) |= ¬ψ , hence, (Lab(π ), |x|) |=LTL [¬ψ]LTL p . Fix π ∈ out(νx , f Ac ). Let q10 C 01 C 11 . . . (resp., q20 C 02 C 12 . . .) be the unique run of the safety DWA Dψ1 (resp., Dψ2 ). Since (Lab(π ), |x|) |=LTL [¬ψ]LTL p and ψ = ψ1 Uψ2 , by Proposition 19, it follows that for all j ≥ |x| either ¬ψ2 ∈ C 2j or

¬ψ1 ∈ C k1 for some k ∈ [|x|, j − 1]. Since,

π and x are arbitrary, by Definition 20, we conclude that T is negatively well-formed with respect to  A ψ . 2

Based on the Characterization Lemma, we obtain the following result. Theorem 22. Given an ATLlp state formula , one can build in single exponential time a Büchi ACG A , equipped with a deterministic satellite U , that accepts the set of extended basic models of . Moreover, A has O (||) states and U has 2 O (||) states. Proof. Let F be the set of subformulas ψ of  such that there exists a basic subformula of  having one of the following forms:  A Xψ or  A (θ O ψ) or  A (ψ O θ) where O ∈ {U, R}. Then, the deterministic satellite U is the synchronous product of the safety DWA of Proposition 19 associated with the formulas [ψ]LTL p where ψ ∈ F . For a state s of U and ψ ∈ F , let s[ψ] be the component of the state s associated with the automaton Dψ . If s is not initial (hence, s[ψ] ⊆ cl([ψ]LTL p )), we write P + (s, ψ) to denote true if ψ ∈ s[ψ], and false otherwise. Dually, we write P − (s, ψ) to denote true if ¬ψ ∈ s[ψ], and false otherwise. Next, we define the Büchi ACG A . We first build for each basic subformula b of , two Büchi ACG Ab and A¬b such that Ab (resp., A¬b ), equipped with the satellite U , accepts the set of CGT over AP ∪ B  which are positively (resp., negatively) well-formed with respect to b. Then A is obtained by ‘composing’ the automata Ab and A¬b for all b ∈ B  . Fix b ∈ B  . Then, Ab = 2AP∪ B  , qb , {qb , b}, δb , F b  consists of two states b and qb . State qb is always accepting, i.e. qb ∈ F b , while state b is in F b iff b is of the form  A (ψ1 Rψ2 ). The transition function δb is defined as follows, where s is a state of U :

⎧ if b ∈ /σ ⎨ (qb , 2, ∅) δb (qb , σ , s) = (qb , 2, ∅) ∧ (b, 2, A ) if b ∈ σ and b is of the form  A Xψ1 ⎩ (qb , 2, ∅) ∧ δb (b, σ , s) otherwise ⎧ if b =  A Xψ1 ⎨ P + ( s , ψ1 ) δb (b, σ , s) = P + (s, ψ2 ) ∨ ( P + (s, ψ1 ) ∧ (b, 2, A )) if b =  A (ψ1 Uψ2 ) ⎩ P + (s, ψ2 ) ∧ ( P + (s, ψ1 ) ∨ (b, 2, A )) if b =  A (ψ1 Rψ2 )

Intuitively, the automaton Ab uses the part (qb , 2, ∅) of the transition function to traverse every node in an input CGT T . Additionally, whenever the basic subformula b =  A ψ is in the label of the current input node x and Ab is in its initial state qb , Ab guesses a strategy f A of T for coalition A and checks that for all the plays π ∈ out(νx , f A ), Lab(π ) satisfies the conditions of Definition 20 (which depend on the form of ψ ). This check is done by using the part (b, 2, A ) of the transition function which allows to send copies of Ab , all of them in state b, to all and only the children of the current node which are consistent with the guessed strategy f A , and by consulting the current state s of the satellite (i.e., the state reached by U on reading the labeling of the track from the root to the current node). The construction of the ACG A¬b = 2AP∪ B  , q¬b , {q¬b , ¬b}, δ¬b , F ¬b  is similar but we now use P − (s, ψi ) instead of P + (s, ψi ), and we use atoms of the form (q, 3, A ) for selecting plays of counter strategies for A in the input CGT. The ACG A is then defined as follows, where we assume that the various automata Ab and A¬b with b ∈ B  have no state in common: Aφ = 2AP∪ B  , q0 , Q ∪ q0 , δ, F , where Q (resp., F ) consists of the states (resp., accepting states) of Ab and A¬b for all b ∈ B  , q0 is a fresh initial state, and the transition function for the states q = q0 is inherited from the respective ACG. For the initial state q0 , δ(q0 , σ , s), where s is a satellite state, δ(q0 , σ , s) = false if σ is not a model of  is defined as follows:  the propositional formula []LTL , and δ(q0 , σ , s) =

δb (qb , σ , s) ∧

b∈ B  ∩σ

δ¬b (q¬b , σ , s) otherwise. By construction and

b∈ B  \σ

Lemma 21, for every CGT T over AP ∪ B  , A accepts T iff T is a basic extended model of . Moreover, by Proposition 19, A has O (||) states and U has 2 O (||) states, which concludes the proof of Theorem 22. 2 For solving satisfiability for , we can check the pair (A , U ) of Theorem 22 for non-emptiness. However, for solving the model-checking problem against ATLlp , we need automata running on CGT over 2AP . By slightly adapting the construction of Theorem 22, we obtain the following result.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.16 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

16

Theorem 23. Given an ATLlp state formula , one can build in single exponential time a Büchi ACG A over 2AP , equipped with a  , that accepts the set of models of . Moreover, A has O (||) states and U  has 2 O (||) states. nondeterministic satellite U   Proof. Let A and U be the Büchi ACG and the deterministic satellite of Theorem 22 running on CGT with labeling over 2AP∪ B  . Starting from A and U , we construct a new Büchi ACG A which is equipped with a nondeterministic satellite U over 2AP and accepts the set of models of . Intuitively, given an input CGT T , A and U guess a B  -labeling extension of the input T and check that such an extension is an extended basic model of . In particular, we let the  guess the B -labeling extension and let the ACG A check the guess. Thus, U  is obtained from U by adding satellite U     on top of the deterministic transition relation a guess of the subset of B  to be read in the current node of the input CGT. Note that since ACGs are alternating automata, it is not to possible, in general, for an ACG to guess a labelling of the input, since different copies of the automaton which read the same input node may take different guesses. However, here we exploit the crucial fact that for a CGT T over 2AP , there is at most one B  -labeling extension of T which is an extended basic model of  (Remark 18). Formally, let A = 2AP∪ B  , q0 , Q , δ, F  and U = 2AP∪ B  , s0 , S ∪ {s0 }, δ S . Then, A = 2AP , q0 , Q , δ  , F  and U = 2AP , s0 , S × 2 B  ∪ {s0 }, δ S , where δ  and δ S are defined as follows:

• δ S (s0 , σ ) =

σ  ∈2 B 

• δ S ((s, σ  ), σ ) =

δ S ( s 0 , σ ∪ σ  ) × {σ  } .

δ S (s, σ ∪ σ  ) × {σ  }.

σ  ∈2 B 

• δ  (q, σ , (s, σ  )) = δ(q, σ ∪ σ  , s). We now prove that the construction is correct. Evidently, by construction and Theorem 22, it suffices to show that for each input T , if T is accepted by A , then T is a model of . Let r be an accepting run of A over an input T . Note that for each subformula ψ of , since [ψ]LTL p is an LTL p formula over AP ∪ BFL(ψ), the transition function δψ (q, σ ) of the safety DWA Dψ of Proposition 19 is independent of the B  \ BFL(ψ)-part of σ . Thus, by a straightforward double induction on the nesting depth of strategy quantifiers in θ for a basic formula  A θ ∈ B φ and the distance |x| from the root of a node x of the input T , and by construction and the proof of Theorem 22, the following holds:  in states (s , σ  ) and (s , σ  ) in the run r resulting • for all input nodes x and copies of the nondeterministic satellite U on reading the input node x, it holds that: (s , σ  ) = (s , σ  ) and for all  A θ ∈ B φ ,  A θ ∈ σ  iff (T , x) |=  A θ .

Hence, the result follows.

2

We show in Subsection 4.4 that model-checking against ATLlp properties is Exptime-hard by a polynomial-time reduction from the acceptance problem for linearly-bounded alternating Turing Machines. Since ATLlp subsumes ATL and satisfiability of ATL is Exptime-complete [5], by Propositions 16 and 17 and Theorems 22 and 23, we obtain the main result of this section. Corollary 24. Satisfiability and model-checking against ATLlp are both Exptime-complete. 4.4. Exptime-hardness of ATLlp model-checking In this section, we establish the following result, where a two-player turn-based CGS is a CGS with two agents where each state is controlled by an agent. Theorem 25. Model checking against ATLlp is Exptime–hard even for finite two-player turn-based CGS of fixed size. Theorem 25 is proved by a polynomial-time reduction from the acceptance problem for linearly-bounded alternating Turing Machines (TM) of branching degree 2 and with a fixed size, which is Exptime-complete [43]. In the rest of this section, we fix such a TM M = , Q , Q ∀ , Q ∃ , q0 , δ, F , where  is the input alphabet, Q is the finite set of states which is partitioned into Q = Q ∀ ∪ Q ∃ , Q ∃ (resp., Q ∀ ) is the set of existential (resp., universal) states, q0 is the initial state, F ⊆ Q is the set of accepting states, and the transition function δ is a mapping δ : Q ×  → ( Q ×  × { L , R })2 . Moreover, we fix an input α ∈ ∗ such that |α | ≥ 1 and consider the parameter n = |α |. Since M is linearly bounded, we can assume that M uses exactly n tape cells when started on the input α . Hence, a TM configuration (of M over α ) is a word C = η · (q, σ ) · η ∈ ∗ · ( Q × ) · ∗ of length exactly n denoting that the tape content is η · σ · η , the current state is q, and the tape head is at position |η| + 1. From configuration C , the machine M nondeterministically chooses a triple (q , σ  , dir ) in δ(q, σ ) = (q1 , σ1 , dir1 ), (q2 , σ2 , dir2 ), and then moves to state q , writes σ  in the current tape cell, and its tape head moves one cell to the left or to the right, according to dir. We denote by succl (C ) and succr (C ) the successors of C obtained by choosing respectively the left and the right triple in

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.17 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

17

(q1 , σ1 , dir1 ), (q2 , σ2 , dir2 ). The configuration C is accepting (resp., universal, resp., existential ) if the associated state q is in F (resp., in Q ∀ , resp., in Q ∃ ). A (finite) computation tree of M over α is a finite tree in which each node is labeled by a configuration. The root of the tree corresponds to the initial configuration C α defined as C α := (q0 , α (0))α (1) . . . α (n − 1). An internal node that is labeled by a universal configuration C has two children, corresponding to succl (C ) and succr (C ), while an internal node labeled by an existential configuration C has a single child, corresponding to either succl (C ) or succr (C ). The tree is accepting iff each its leaf is labeled by an accepting configuration. The input α is accepted by M iff there is an accepting computation tree of M over α . We prove the following result from which Theorem 25 directly follows. Theorem 26. One can construct, in time polynomial in n and the size of M, a finite turn-based CGS G and an ATLlp state formula ϕ over the set of agents Ag = {ag∃ , ag∀ } such that M accepts α iff Unw(G ) |= ϕ . Moreover, the size of G depends only on the size of M. In order to prove Theorem 26, we first define a suitable encoding of the TM computations of M over α . Formally, we exploit the set AP of atomic propositions given by AP :=  ∪ Q ×  × {∀, ∃, l, r , acc}. A TM configuration C = u 1 u 2 . . . un is encoded by words w C over 2AP of the form w C = {tag1 }{u 1 } . . . {uk }{tag2 }, where tag1 ∈ {l, r }, tag2 = acc if C is an accepting configuration, tag2 = ∃ if C is a non-accepting existential configuration, and tag2 = ∀ otherwise. The symbols l and r are used to mark a left and a right TM successor, respectively. We also use the symbol l to mark the initial configuration C α . A sequence w C 1 · . . . · w C p of TM configuration codes is good if the following holds:

• C 1 is the initial configuration and w C 1 is marked by symbol l; • C p is accepting; • for each 1 ≤ i < p, either w C i+1 is marked by symbol l and C i +1 = succl (C i ), or w C i+1 is marked by symbol r and C i +1 = succr (C i ). Now, we prove Theorem 26. The finite turn-based CGS G over the set of agents Ag = {ag∃ , ag∀ } in Theorem 26 is defined as follows:

• • • •

the set of states of G is AP and the initial state is l; the label of each state p ∈ AP is { p }; state ∀ is controlled by agent ag∀ , and each other state is controlled by agent ag∃ ; state ∀ has as successors the states l and r, state acc has as successor itself, while each other state has as successors the whole set of states. Note that the CGS G is independent of n. By construction, the following hold.

Claim. M accepts α iff there exists a strategy f ∃ of agent ag∃ in Unw(G ) such that for all ε -plays π consistent with f ∃ , the label of π is an infinite word over 2AP of the form w · {acc}ω such that w is a good sequence of TM configuration codes. Proof of the Claim. By construction of the CGS G , there is a bijection between the set of strategies of agent ag∃ in Unw(G ) and the set of 2AP -labeled trees, called ∃-trees of G , satisfying the following conditions: (i) each node is labeled by a singleton { p } for some p ∈ AP and the root is labeled {l}, (ii) each node whose label is not {∀} has exactly one child, and (iii) each node whose label is {∀} has two children, one is labeled {l} and the other one is labeled {r }. Note that the initial infinite paths of an ∃-tree of G correspond to the ε -plays of the associated strategy. By the definitions of M-acceptance and good sequence of TM configuration codes, it easily follows that there is a bijection between the set of accepting computation trees of M over α and the set of ∃-trees whose initial infinite paths π have label of the form w · {acc}ω such that w is a good sequence of TM configuration codes. Hence, the result follows. 2 By the previous claim, the ATLlp formula ϕ satisfying the statement of Theorem 26 is given by ϕ := ag∃ F(acc ∧ ψgood ), where ψgood is a pure past LTL p formula of size polynomial in n capturing the good sequences of TM configuration codes. In order to define the LTL p formula ψgood , we need additional notation. Let C = u 1 . . . un be a TM configuration. For each 1 ≤ i ≤ n, the ith symbol u i of the left successor succl (C ) (resp., left successor succr (C )) of C is completely determined by the values u i −1 , u i and u i +1 (taking un+1 for i = n and u 0 for i = 1 to be some special symbol, say ). We denote by nextl (u i −1 , u i , u i +1 ) (resp., nextr (u i −1 , u i , u i +1 )) our expectation for u i (these functions can be trivially obtained from the transition function δ of M). The pure past LTL p formula ψgood is then defined as ψgood := ψcon ∧ ψfair where ψcon ensures that the prefix until the first occurrence of acc of the given ε -play is a sequence of configuration codes starting with the initial configuration C α , while the conjunct ψfair ensures that such a prefix is faithful to the evolution of the TM M. Formulas ψcon and ψfair are defined below.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.18 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

18

n −1    ψcon := P Yn+1 (l ∧ ¬Y) ∧ Yn (q0 , α (0)) ∧ Yi α (i ) ∧ G− (acc ∨ ∃ ∨ ∀) −→



n +1

Y

i =1

n     (l ∨ r ) ∧ (Y → Y(∃ ∨ ∀)) ∧ Yi u ∧







Yk v



k∈[1,n]\{i } v ∈

i =1 u ∈ Q ×

Formula ψfair is defined as follows where  := ( Q × ) ∪  and for each direction dir ∈ {l, r } and u  ∈ , we denote by ϒ(dir , u  ) the set of triples (u p , u , u s ) such that u ∈ , u p , u s ∈  ∪ {}, and u  = nextdir (u p , u , u s ).



ψfair :=





G− ( u  ∧

dir ∈{l,r } u  ∈

n 



Yi (dir ∧ Y)) −→

i =1

 θ(u p , u , u s )

(u p ,u ,u s )∈ϒ(dir ,u  )

where the subformula θ(u p , u , u s ) is defined as follows: w.l.o.g. we assume that n > 2

⎧ n +3 ⎨ Y u p ∧ Yn+2 u ∧ Yn+1 u s θ(u p , u , u s ) := Yn+3 (l ∨ r ) ∧ Yn+2 u ∧ Yn+1 u s ⎩ n +3 Y u p ∧ Yn+2 u ∧ Yn+1 (∃ ∨ ∀)

if u p = and u s = if u p = and u s = if u p = and u s =

5. Conclusions While it is well-known that linear past exponentially increases the succinctness of temporal logic formulas, little is known about the succinctness gap between different linear-past semantics. In this paper, we have addressed this issue. ∗ (resp., ATL∗ ) makes the logic exponentially more succinct Notably, we have proved that the memoryful past view in CTLlp lp ∗ ∗ than the logic PCTL (resp., PATL ) which has a local past view. Another important contribution of this paper has concerned the investigation of ATLlp , a memoryful linear-past extension of ATL∗ , but with the vanilla restriction of ATL. Concerning expressiveness, we have proved that ATLlp lies properly between ATL and ATL∗ . Regarding the satisfiability and the model-checking problems for ATLlp , we have proved that both are Exptime-complete, thus exponentially less expensive than the ones for ATL∗ . The positive results achieved for ATLlp open to several interesting directions for future work both on the theoretical and the practical side. One interesting direction would be to investigate richer logics for the strategic reasoning featuring memoryful linear-past. Among the others, it would be interesting to investigate Strategy Logic and its One-Goal fragment [9,13,44]. Strategy Logic has recently come to the fore thanks to the possibility to formalize reasoning about important solution concepts with a very simple formalism. In particular it allows to check in 2Exptime for the existence of Nash equilibrium in a multi-agent setting where the agents’ goals can be expressed as LTL formulas. Similarly to ATLlp , the hope is to come up with a variant of strategy logic that may provide exponentially more succinct formulas or a less expensive procedure while checking for Nash equilibria. Another interesting direction would be to formally bring ATLlp in the normative systems field in order to come up with a proper framework for expressing backward-looking responsibility [33]. The ambitious goal here is to use ATLlp as a bridge between strategic reasoning and normative fields, which seem to have talked very little each other in the last years. In [31] the model-checking problem for an extension of ATL with past and perfect recall having a semantics equivalent to that of ATLlp has been studied under an incomplete information setting and proved to be non-elementary. Recently, works in (classic future) strategic reasoning under incomplete information have considered some restricted form, but yet powerful, of memoryful strategies, such as, strategies with public actions [45], strategies under hierarchical agent visibility [46], natural strategies [47], to name a few. In particular these restrictions have allowed to recover decidability for the model checking problem and, generally, retain the same complexity of the complete information case. It would be worth investigating the ∗ , aiming for an elementary decidability of the corresponding model-checking problem. same restrictions on ATLlp and ATLlp On the practical side, an interesting direction would be to investigate an implementation of ATLlp and evaluate its performance on some real-case scenarios. Along this line, one can think of extending the open-source tool MCMAS [48], which is also equipped with modules to handle Strategy Logic and its fragments, both under complete and incomplete information [49,50]. As far as we know, no existing tools in strategic reasoning have been ever extended to accommodate backwards modalities of any kind. Declaration of competing interest The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. References [1] C. Baier, J. Katoen, Principles of Model Checking, The MIT Press, 2008.

JID:TCS AID:12283 /FLA

Doctopic: Logic, semantics and theory of programming

[m3G; v1.261; Prn:30/12/2019; 14:52] P.19 (1-19)

L. Bozzelli et al. / Theoretical Computer Science ••• (••••) •••–•••

19

[2] A. Pnueli, The temporal logic of programs, in: Proc. 18th FOCS, IEEE, 1977, pp. 46–57. [3] E. Clarke, E. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logic, in: Proc. of Workshop on Logic of Programs, in: LNCS, vol. 131, Springer-Verlag, 1981, pp. 52–71. [4] E. Emerson, J. Halpern, “Sometimes” and “Not Never” revisited: on branching versus linear time temporal logic, J. ACM 33 (1) (1986) 151–178, https:// doi.org/10.1145/4904.4999. [5] R. Alur, T.A. Henzinger, O. Kupferman, Alternating-time temporal logic, J. ACM 49 (5) (2002) 672–713, https://doi.org/10.1145/585265.585270. [6] T. Ågotnes, V. Goranko, W. Jamroga, Alternating-time temporal logics with irrevocable strategies, in: Proc. 11th TARK, 2007, pp. 15–24. [7] L. Bozzelli, A. Murano, On the complexity of ATL and ATL* module checking, in: Proc. 8th GandALF, in: EPTCS, vol. 256, 2017, pp. 268–282. [8] T. Brihaye, A.D.C. Lopes, F. Laroussinie, N. Markey, ATL with Strategy Contexts and Bounded Memory, Proc. LFCS, LNCS, vol. 5407, Springer, 2009, pp. 92–106. [9] K. Chatterjee, T.A. Henzinger, N. Piterman, Strategy logic, Inf. Comput. 208 (6) (2010) 677–693, https://doi.org/10.1016/j.ic.2009.07.004. [10] W. Jamroga, A. Murano, Module checking of strategic ability, in: Proc. AAMAS, ACM, 2015, pp. 227–235. [11] O. Kupferman, M. Vardi, Module checking, in: Proc. 8th CAV, in: LNCS, vol. 1102, Springer, 1996, pp. 75–86. [12] D.P. Guelev, Reducing validity in epistemic ATL to validity in epistemic CTL, in: Proc. 1st SR, in: EPTCS, vol. 112, 2013, pp. 81–89. [13] F. Mogavero, A. Murano, G. Perelli, M.Y. Vardi, Reasoning about strategies: on the model-checking problem, ACM Trans. Comput. Log. 15 (4) (2014) 34:1–34:47, https://doi.org/10.1145/2631917. [14] F. Mogavero, A. Murano, M. Vardi, Relentful strategic reasoning in alternating-time temporal logic, J. Log. Comput. 26 (5) (2016) 1663–1695, https:// doi.org/10.1093/logcom/exu052. [15] M. Vardi, A temporal fixpoint calculus, in: Proc. 15th POPL, ACM, 1988, pp. 250–259. [16] F. Laroussinie, N. Markey, P. Schnoebelen, Temporal logic with forgettable past, in: Proc. 17th LICS, IEEE Computer Society, 2002, pp. 383–392. [17] P. Bonatti, C. Lutz, A. Murano, M. Vardi, The complexity of enriched mu-calculi, Log. Methods Comput. Sci. 4 (3) (2008) 1–21, https://doi.org/10.2168/ LMCS-4(3:11)2008. [18] L. Bozzelli, The complexity of CTL* + linear past, in: Proc. 11th FOSSACS, in: LNCS, vol. 4962, Springer, 2008, pp. 186–200. [19] T. Hafer, W. Thomas, Computation tree logic CTL* and path quantifiers in the monadic theory of the binary tree, in: Proc. 14th ICALP, in: LNCS, vol. 267, Springer, 1987, pp. 269–279. [20] O. Kupferman, A. Pnueli, Once and for all, in: Proc. 10th LICS, IEEE Comp. Soc. Press, 1995, pp. 25–35. [21] O. Kupferman, A. Pnueli, M.Y. Vardi, Once and for all, J. Comput. Syst. Sci. 78 (3) (2012) 981–996, https://doi.org/10.1016/j.jcss.2011.08.006. [22] F. Laroussinie, P. Schnoebelen, A hierarchy of temporal logics with past, Theor. Comput. Sci. 148 (2) (1995) 303–324, https://doi.org/10.1016/03043975(95)00035-U. [23] F. Laroussinie, P. Schnoebelen, Specification in CTL+past for verification in CTL, Inf. Comput. 156 (1–2) (2000) 236–263, https://doi.org/10.1006/inco. 1999.2817. [24] R.S. Streett, Propositional dynamic logic of looping and converse, in: Proc. 13th STOC, ACM, 1981, pp. 375–383. [25] M. Vardi, Reasoning about the past with two-way automata, in: Proc. 25th ICALP, in: LNCS, vol. 1443, Springer, 1998, pp. 628–641. [26] N. Bulling, W. Jamroga, M. Popovici, Agents with truly perfect recall in alternating-time temporal logic, in: Proc. AAMAS’14, IFAAMAS/ACM, 2014, pp. 1561–1562. [27] K.G. Shaver, The Attribution of Blame: Causality, Responsibility, and Blameworthiness, Springer Science & Business Media, 2012. [28] I.V. de Poel, The relation between forward-looking and backward-looking responsibility, in: Moral Responsibility, Springer, 2011, pp. 37–52. [29] M. Dastani, J. Dix, H. Verhagen, S. Villata, Normative multi-agent systems (Dagstuhl Seminar 18171), Dagstuhl Rep. 8 (4) (2018) 72–103, https:// doi.org/10.4230/DagRep.8.4.72. [30] D.M. Gabbay, The declarative past and imperative future: executable temporal logic for interactive systems, in: Proc. Temporal Logic in Specification, in: LNCS, vol. 398, Springer, 1987, pp. 409–448. [31] D. Guelev, C. Dima, C. Enea, An alternating-time temporal logic with knowledge, perfect recall and past: axiomatisation and model-checking, J. Appl. Non-Class. Log. 21 (1) (2011) 93–131, https://doi.org/10.3166/jancl.21.93-131. [32] S. Schewe, B. Finkbeiner, Satisfiability and finite model property for the alternating-time mu-calculus, in: Proc. 20th CSL, in: LNCS, vol. 4207, Springer, 2006, pp. 591–605. [33] H. Chockler, J. Halpern, Responsibility and blame: a structural-model approach, J. Artif. Intell. Res. 22 (2004) 93–115, https://doi.org/10.1613/jair.1391. [34] T.D. Lima, L.M. Royakkers, F. Dignum, Modeling the problem of many hands in organisations, in: Proc. 19th ECAI, in: Frontiers in Artificial Intelligence and Applications, vol. 215, IOS Press, 2010, pp. 79–84. [35] R. Mastop, Characterising responsibility in organisational structures: the problem of many hands, in: Proc. 10th DEON, in: LNCS, vol. 6181, Springer, 2010, pp. 274–287. [36] N. Bulling, M. Dastani, Coalitional responsibility in strategic settings, in: Proc. 14th CLIMA, in: LNCS, vol. 8143, Springer, 2013, pp. 172–189. [37] S. Demri, P. Schnoebelen, The complexity of propositional linear temporal logics in simple cases, Inf. Comput. 174 (1) (2002) 84–103, https://doi.org/ 10.1006/inco.2001.3094. [38] D. Janin, I. Walukiewicz, Automata for the modal mu-calculus and related results, in: Proc. 20th MFCS, in: LNCS, vol. 969, Springer, 1995, pp. 552–562. [39] O. Kupferman, M. Vardi, P. Wolper, An automata-theoretic approach to branching-time model checking, J. ACM 47 (2) (2000) 312–360, https://doi.org/ 10.1145/333979.333987. [40] S. Schewe, ATL* satisfiability is 2EXPTIME-complete, in: Proc. 35th ICALP, in: LNCS, vol. 5126, Springer, 2008, pp. 373–385. [41] O. Kupferman, M.Y. Vardi, Weak alternating automata and tree automata emptiness, in: Proc. 30th STOC, ACM, 1998, pp. 224–233. [42] M.Y. Vardi, P. Wolper, Reasoning about infinite computations, Inf. Comput. 115 (1) (1994) 1–37, https://doi.org/10.1006/inco.1994.1092. [43] A. Chandra, D. Kozen, L. Stockmeyer, Alternation, J. ACM 28 (1) (1981) 114–133, https://doi.org/10.1145/322234.322243. [44] F. Mogavero, A. Murano, G. Perelli, M. Vardi, Reasoning about strategies: on the satisfiability problem, Log. Methods Comput. Sci. 13 (1) (2017), https:// doi.org/10.23638/LMCS-13(1:9)2017. [45] F. Belardinelli, A. Lomuscio, A. Murano, S. Rubin, Verification of multi-agent systems with imperfect information and public actions, in: Proc. AAMAS, ACM, 2017, pp. 1268–1276. [46] R. Berthon, B. Maubert, A. Murano, S. Rubin, M. Vardi, Strategy logic with imperfect information, in: Proc. 32nd LICS, IEEE Computer Society, 2017, pp. 1–12. [47] W. Jamroga, V. Malvone, A. Murano, Reasoning about natural strategic ability, in: Proc. AAMAS, ACM, 2017, pp. 714–722. [48] A. Lomuscio, H. Qu, F. Raimondi, MCMAS: a model checker for the verification of multi-agent systems, in: Proc. 21st CAV, in: LNCS, vol. 5643, Springer, 2009, pp. 682–688. [49] P. Cermák, A. Lomuscio, F. Mogavero, A. Murano, Practical verification of multi-agent systems against Slk specifications, Inf. Comput. 261 (Part) (2018) 588–614, https://doi.org/10.1016/j.ic.2017.09.011. [50] P. Cermák, A. Lomuscio, A. Murano, Verifying and synthesising multi-agent systems against one-goal strategy logic specifications, in: Proc. 29th AAAI, AAAI Press, 2015, pp. 2038–2044.