Reasoning about Quality and Fuzziness of Strategic Behaviours
Patricia Bouyer, Orna Kupferman, Nicolas Markey, Bastien Maubert,, Aniello Murano, and Giuseppe Perelli

TL;DR
This paper introduces FSL, a quantitative extension of Strategy Logic that assigns real-valued satisfaction levels to strategic behaviors in multi-agent systems, enabling nuanced reasoning about quality and fuzziness.
Contribution
It presents FSL, a novel logic combining strategic reasoning with quantitative satisfaction, and provides a model-checking algorithm for this expressive framework.
Findings
FSL can express stability concepts in multi-agent systems.
FSL generalizes fuzzy temporal logics.
A model-checking algorithm for FSL is developed.
Abstract
Temporal logics are extensively used for the specification of on-going behaviours of reactive systems. Two significant developments in this area are the extension of traditional temporal logics with modalities that enable the specification of on-going strategic behaviours in multi-agent systems, and the transition of temporal logics to a quantitative setting, where different satisfaction values enable the specifier to formalise concepts such as certainty or quality. We introduce and study FSL---a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an FSL formula is a real value in [0,1], reflecting `how much' or `how well' the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of FSL in quantitative reasoning about multi-agent systems, by…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsMulti-Agent Systems and Negotiation · Logic, Reasoning, and Knowledge · Semantic Web and Ontologies
LSV, CNRS & ENS Paris-Saclay, Univ. Paris-Saclay, France Hebrew University, Israel Irisa, CNRS & Inria & Univ. Rennes, France Universitá degli Studi di Napoli “Federico II”, Italy Universitá degli Studi di Napoli “Federico II”, Italy University of Leicester, UK \Copyright\supplement
Acknowledgements.
Perelli thanks the support of the project “dSynMA”, funded by the ERC under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 772459). Bouyer and Markey thank the support of the ERC Project EQualIS (308087). \hideLIPIcs\EventEditors \EventNoEds2 \EventLongTitle \EventShortTitle \EventAcronymCVIT \EventYear2016 \EventDateDecember 24–27, 2016 \EventLocationLittle Whinging, United Kingdom \EventLogo \SeriesVolume42 \ArticleNo23
Reasoning about Quality and Fuzziness of Strategic Behaviours
Patricia Bouyer
Orna Kupferman
Nicolas Markey
Bastien Maubert
Aniello Murano
Giuseppe Perelli
Abstract
Temporal logics are extensively used for the specification of on-going behaviours of reactive systems. Two significant developments in this area are the extension of traditional temporal logics with modalities that enable the specification of on-going strategic behaviours in multi-agent systems, and the transition of temporal logics to a quantitative setting, where different satisfaction values enable the specifier to formalise concepts such as certainty or quality. We introduce and study —a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an formula is a real value in , reflecting “how much” or “how well” the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of in quantitative reasoning about multi-agent systems, by showing how it can express concepts of stability in multi-agent systems, and how it generalises some fuzzy temporal logics. We also provide a model-checking algorithm for our logic, based on a quantitative extension of Quantified .
category:
\relatedversion
1 Introduction
One of the significant developments in formal reasoning has been the use of temporal logics for the specification of on-going behaviours of reactive systems [61, 31, 37]. Traditional temporal logics are interpreted over Kripke structures, modelling closed systems, and can quantify the computations of the systems in a universal and existential manner. The need to reason about multi-agents systems has led to the development of specification formalisms that enable the specification of on-going strategic behaviours in multi-agent systems [7, 28, 57]. Essentially, these formalisms, most notably ATL, , and Strategy Logic (SL), include quantification of strategies of the different agents and of the computations they may force the system into, making it possible to specify concepts that have been traditionally studied in game theory.
The duration of games in game theory is typically finite and the outcome of the game depends on its final position [58, 59]. In contrast, agents in multi-agent systems maintain an on-going interaction with each other [44], and reasoning about their behaviour refers not to their final state (in fact, we consider non-terminating systems, with no final state) but rather to the language of computations that they generate. While SL, which subsumes enables the specification of rich on-going strategic behaviours, its semantics is Boolean: a system may satisfy a specification or it may not. The Boolean nature of traditional temporal logic is a real obstacle in the context of strategic reasoning. Indeed, while many strategies may attain a desired objective, they may do so at different levels of quality or certainty. Consequently, designers would be willing to give up manual design only after being convinced that the automatic procedure that replaces it generates systems of comparable quality and certainty. For this to happen, one should first extend the specification formalism to one that supports quantitative aspects of the systems and the strategies.
The logic is a multi-valued logic that augments LTL with quality operators [3]. The satisfaction value of an formula is a real value in , where the higher the value, the higher the quality in which the computation satisfies the specification. The quality operators in can prioritise different scenarios or reduce the satisfaction value of computations in which delays occur. For example, the set may contain the , , and functions, which are the standard quantitative analogues of the , , and operators. The novelty of is the ability to manipulate values by arbitrary functions. For example, may contain the weighted-average function . The satisfaction value of the formula is the weighted (according to ) average between the satisfaction values of and . This enables the specification of the quality of the system to interpolate different aspects of it. As an example, consider the formula . The formula states that we want requests to be granted immediately and the grant to hold for two transactions. When this always holds, the satisfaction value is . We are quite okay with grants that are given immediately and last for only one transaction, in which case the satisfaction value is , and less content when grants arrive with a delay, in which case the satisfaction value is .
We introduce and study : an analogous multi-valued extension of SL. In addition to the quantitative semantics that arises from the functions in , another important element of is that its semantics is defined with respect to weighted multi-agent systems, namely ones where atomic propositions have truth values in , reflecting quality or certainty. Thus, a model-checking procedure for , which is our main contribution, enables formal reasoning about both quality and fuzziness of strategic behaviours.
As a motivating example, consider security drones that may patrol different height levels. Using , we can specify, for example (see specific formulas in Section 2.4), the quality of strategies for the drones whose objectives are to fly above and below all uncontrollable drones and perform certain actions when uncontrollable drones exhibit some disallowed behaviour. Indeed, the multi-valued atomic propositions are used to specify the different heights, temporal operators are used for specifying on-going behaviours, the functions in may be used to refer to these behaviours in a quantitative manner, for example to compare heights and to specify the satisfaction level that the designer gives to different possible scenarios. Note that the formula does not specify the ability of the drones to behave in some desired manner. Rather, it associates a satisfaction value in with each behaviour. This suggests that can be used not only for a quantitative specification of strategic behaviours but also for quantizing notions from game theory that are traditionally Boolean. For example (see specific formulas in Section 2.4), beyond specifying that the agents are in a Nash Equilibrium, we can specify how far they are from an equilibrium, namely how much an agent may gain by a deviation that witnesses the instability. As a result we can express concepts such as -Nash Equilibria [59].
The logic enables the quantification of strategies for the agents. We show that the quantification of strategies can be reduced to a Boolean quantification of atomic propositions, which enables us to reduce the model-checking problem of to that of \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} – an extension of \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}} [3] with quantified Boolean atomic propositions. A general technique for model-checking algorithms is to repeatedly evaluate the innermost state subformula by viewing it as an (existentially or universally quantified) LTL formula, and add a fresh atomic proposition that replaces this subformula [39]. This general technique is applied also to \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}}, with the fresh atomic propositions being weighted [3]. For \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formulas, however, one cannot apply it. Indeed, the externally quantified atomic propositions may appear in different subformulas, and we cannot evaluate them one by one without fixing the same assignment for the quantified atomic propositions. Instead, we extend the automaton-theoretic approach to model-checking [49] to handle quantified propositions: given a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formula and predicate , we construct an alternating parity tree automaton that accepts exactly all the weighted trees such that the satisfaction value of in is in . The translation, and hence the complexity of the model-checking problem, is non-elementary. More precisely we show that it is -Exptime -complete for formulas involving at most quantifications on atomic propositions, and we show a similar complexity result for , in terms of nesting of strategy quantifiers.
Related works.
There have been long lines of works about games with quantitative objectives (in a broad sense), e.g. stochastic games [63, 41], timed games [9], or weighted games with various kinds of objectives (parity [38], mean-payoff [36] or energy [25, 15]). This does not limit to zero-sum games, but also includes the study of various solution concepts (see for instance [64, 23, 21, 19, 5]). Similarly, extensions of the classical temporal logics LTL and CTL with quantitative semantics have been studied in different contexts, with discounting [33, 2], averaging [14, 17], or richer constructs [13, 3]. In contrast, the study of quantitative temporal logics for strategic reasoning has remained rather limited: works on include algorithms for synthesis and rational synthesis [3, 4, 5, 6], but no logic combines the quantitative aspect of with the strategic reasoning offered by SL. Thus, to the best of our knowledge, our model-checking algorithm for is the first decidability result for a quantitative extension of a strategic specification formalism (without restricting to bounded-memory strategies).
Baier and others have focused on a variant of SL in a stochastic setting [10]; model checking was proven decidable for memoryless strategies, and undecidable in the general case. A quantitative version of SL with Boolean goals over one-counter games has been considered in [16]; only a periodicity property was proven, and no model-checking algorithm is known in that setting as well. Finally, Graded SL [8] extends SL by quantifying on the number of strategies witnessing a given strategy quantifier, and is decidable.
The other quantitative extensions we know of concern ATL /ATL∗, and most of the results are actually adaptations of similar (decidability) results for the corresponding extensions of CTL and CTL∗; this includes probabilistic ATL [29], timed ATL [46, 22], multi-valued ATL [47], and weighted versions of ATL [54, 24, 65]. Finally, some works have considered non-quantitative ATL with quantitative constraints on the set of allowed strategies [1, 35], proving decidability of the model-checking problem.
2 Quantitative Strategy Logic
Let be an alphabet. A finite (resp. infinite) word over is an element of (resp. ). The length of a finite word is , and is its last letter. Given a finite (resp. infinite) word and (resp. ), we let be the letter at position in , is the (nonempty) prefix of that ends at position and is the suffix of that starts at position . As usual, for any partial function , we write for the domain of . Strategy logic with functions, denoted , generalises both SL [28, 57] and [3] by replacing the Boolean operators of SL with arbitrary functions over . The logic is actually a family of logics, each parameterised by a set of functions.
2.1 Syntax
We build on the branching-time variant of SL [40], which does not add expressiveness with respect to the classic semantics [57] but presents several benefits (see [40] for more details), one of them being that it makes the connection with Quantified CTL tighter.
Definition 2.1** (Syntax).**
Let be a set of functions over of possibly different arities. The syntax of is defined with respect to a finite set of atomic propositions , a finite set of agents and a set of strategy variables . The set of formulas is defined by the following grammar:
[TABLE]
where , , , and .
Formulas of type are called state formulas, those of type are called path formulas. Formulas are called strategy quantifications whereas formulas are called bindings. Modalities and are temporal modalities, which take a specific quantitative semantics as we see below. We may use , , and to denote functions , and , respectively. We can then define the following classic abbreviations: , , , , and . Intuitively, the value of formula is the maximal value of the two formulas and , takes the minimal value of the two formulas, and the value of is one minus that of . The implication thus takes the maximal value between that of and one minus that of . In a Boolean setting, we assume that the values of the atomic propositions are in ([math] represents false whereas represents true), and so are the output values of functions in . One can then check that , , and take their usual Boolean meaning. We will come back later to temporal modalities, strategy quantifications and bindings.
2.2 Semantics
While SL is evaluated on classic concurrent game structures with Boolean valuations for atomic propositions, formulas are interpreted on weighted concurrent game structures, in which atomic propositions have values in , and that we now present.
Definition 2.2**.**
A weighted concurrent game structure (WCGS) is a tuple where is a finite set of atomic propositions, is a finite set of agents, is a finite set of actions, V is a finite set of states, is an initial state, is the transition function, and is a weight function.
An element of is a joint action. For , we let be the set . For the sake of simplicity, we assume in the sequel that for all . A play in is an infinite sequence of states in V such that and for all . We write for the set of plays in , and for the set of plays in starting from . In this and all similar notations, we might omit to mention when it is clear from the context. A (strict) prefix of a play is a finite sequence , for some , which we denote . We write for the set of strict prefixes of play . Such finite prefixes are called histories, and we let and . We extend the notion of strict prefixes and the notation to histories in the natural way, requiring in particular that . A (finite) extension of a history is any history such that . A strategy is a mapping , and we write for the set of strategies in . An assignment is a partial function , that assigns strategies to variables and agents. The assignment maps to and is equal to otherwise. Let be an assignment and a history. We define the set of outcomes of from as the set of plays such that for every , there exists a joint action such that for each agent and , where .
Definition 2.3** (Semantics).**
Consider a WCGS , a set of variables , and a partial assignment of strategies for and . Given an state formula and a history , we use to denote the satisfaction value of in the last state of under the assignment . Given an path formula , a play , and a point in time , we use to denote the satisfaction value of in the suffix of that starts in position . The satisfaction value is defined inductively as follows:
[TABLE]
Strategy quantification computes the optimal value a choice of strategy for variable can give to formula . Dually, computes the minimal value a choice of strategy for variable can give to formula . Binding just assigns strategy given by to agent . Temporal modality takes the value of at the next step, while maximises, over all positions along the play, the minimum between the value of at that position and the minimal value of before this position. In a Boolean setting, we recover the standard semantics of SL. Also the fragment of with only temporal operators and functions and corresponds to Fuzzy Linear-time Temporal Logic [51, 43]. Note that by equipping with adequate functions, we can capture various classic fuzzy interpretations of boolean operators, such as the Zadeh, Gödel-Dummett or Łukasiewicz interpretations (see for instance [43]). However the interpretation of the temporal operators is fixed in our logic.
Remark 2.4**.**
As we shall see, once we fix a finite set of possible satisfaction values for the atomic propositions in a formula , as is the case when a model is chosen, the set of possible satisfaction values for subformulas of becomes finite. Therefore, the infima and suprema in the above definition are in fact minima and maxima.
For a state formula and a weighted game structure , we write for .
2.3 Model checking
The problem we are interested in is the following generalisation of the model checking problem, which is solved in [3] for LTL[] and \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}}.
Definition 2.5** (Model-checking problem).**
Given an state formula , a WCGS and a predicate , decide whether .
Note that should be finitely represented, typically as a threshold or an interval. The precise complexity of the model-checking problem will be stated in terms of nesting depth of formulas, which counts the maximal number of strategy quantifiers in a formula , and is written . We establish the following result in Section 5:
Theorem 2.6**.**
The model-checking problem for is decidable. It is -Exptime -complete for formulas of nesting depth at most .
2.4 What can express?
naturally embeds SL. Indeed, if the values of the atomic propositions are in and the only allowed functions in are , and , then the satisfaction value of the formula is in and coincides with the value of the corresponding SL formula. Below we illustrate how quantities enable the specification of rich strategic properties.
Drone battle
A “carrier” drone helped by a “guard” drone try to bring an artefact to a rescue point and keep it away from the “villain” adversarial drone . They evolve in a three dimensional cube of side length unit, in which coordinates are triples . We use the triples of atomic propositions and to denote the coordinates of and , respectively. Write for the (normalized) distance between two points in the cube. Let the atomic proposition safe denote that the artefact has reached the rescue point. In , we can express the level of safety for the artefact defined as the minimum distance between the carrier and the villain along a trajectory to reach the rescue point. Indeed, the formula
[TABLE]
states that the carrier and guard drones cooperate to keep the villain as far as possible from the artefact, until it is rescued. Note that the satisfaction value of the specification is [math] if there is a path in which the artefact is never rescued. The strategies of the carrier and the guard being quantified before that of the villain implies that they are unaware of the villain’s future moves. Now assume the guard is a double agent to whom the villain communicates his plan. Then his strategy can depend on the villain’s strategy, which is captured by the following formula:
[TABLE]
Note that the formula can be written in , whereas requires . In fact actually belongs to the fragment {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]}, which we study in Section 6.
Synthesis with quantitative objectives
The problem of synthesis for LTL specifications dates back to [62]. The setting is simple: two agents, a controller and an environment, operate on two disjoint sets of variables in the system. The controller wants a given LTL specification to be satisfied in the infinite execution, while the environment wants to prevent it. The problem consists into synthesising a strategy for the controller such that, no matter the behaviour of the environment, the resulting execution satisfies . Recently, this problem has been addressed in the context of , where the controller aims at maximising the value of an formula , while the environment acts as minimiser. Both problems can be easily represented in SL and respectively, with the formula
[TABLE]
where and are the controller and environment agent, respectively, and the temporal specification expressed in either LTL or . Assume now that controller and environment are both composed of more than one agent, namely and , and each controller component has the power to adjust its strategic choice based on the strategies selected by the environmental agents of lower rank. That is, the strategy selected by agent depends, on the strategies selected by agents , for every . We can write a formula to represent this generalised synthesis problem as follows:
[TABLE]
Notice that every controller agent is bound to an existentially quantified variable, that makes it to maximise the satisfaction value of the formula in its scope. On the other hand, the environmental agents are bound to a universally quantified variable, that makes them to minimise the satisfaction value. Notice that in general each alternation between existential and universal quantification yields an additional exponential in the complexity of the model-checking problem, as we show in the overall quantification alternates from existential to universal times, which would induce a . In section 6, we show that, for the special case of these formulas, such alternation does not affect the computational complexity of the model-checking problem.
NE in weighted games
An important feature of SL in terms of expressiveness is that it captures Nash equilibria (NE, for short) and other common solution concepts. This extends to , but in a much stronger sense: first, objectives in are quantitative, so that profitable deviation is not a simple Boolean statement; second, the semantics of the logic is quantitative, so that being a NE is a quantitative property, and we can actually express how far a strategy profile is from being a NE. Consider a strategy profile . Assuming all agents follow their strategies in that profile, a NE can be characterised by the fact that all agents play one of their best responses against their opponents’ strategies. We would then write
[TABLE]
where equals if and zero otherwise. Strategy profile is a NE if, and only if, evaluates to . Adopting a more quantitative point of view, we can measure how much agent can benefit from a selfish deviation using formula , where . The maximal benefit that some agent may get is then captured by the following formula:
[TABLE]
Formula can be used to characterise -NE, by requiring that has value less than or equal to ; of course it also characterises classical NE as a special case.
Secure equilibria in weighted games
Secure equilibria [27] are special kinds of NEs in two-player games, where besides improving their objectives, the agents also try to harm their opponent. Following the ideas above, we characterise secure equilibria in as follows:
[TABLE]
where is when , and [math] otherwise. Secure equilibria have also been studied in -weighted games [23]: in that setting, the objective of the agents is to optimise e.g. the (limit) infimum or supremum of the sequence of weights encountered along the play. We can characterise secure equilibria in such setting (after first applying an affine transformation to have all weights in ): indeed, assuming that weights are encoded as the value of atomic proposition , the value of formula is the infimum of the weights, while the value of is the limit infimum. We can then characterise secure equilibria with (limit) infimum and supremum objectives by using those formulas as the objectives for the agents in formula . Other classical properties of games can be expressed, such as doomsday equilibria (which generalise winning secure equilibria in -player games) [26], robust NE (considering profitable deviations of coalitions of agents) [18], or strategy dominance and admissibility [12, 20], to cite a few.
Rational synthesis
Weak rational synthesis [42, 48, 5] aims at synthesising a strategy profile for a controller and the components constituting the environment, in such a way that (1) the whole system satisfies some objective , and (2) under the strategy of the controller, the strategies of the components form an NE (or any given solution concept) for their own individual objectives . That a given strategy profile satisfies the two conditions above can be expressed as follows:
[TABLE]
The formula returns the minimum between the satisfaction value of and that of . Thus, the satisfaction value of is zero if the strategy profile is not a NE under strategy assigned to , and it returns the satisfaction value of under the whole strategy profile otherwise. Then the value of
[TABLE]
is the best value of that the system can collectively achieve under the condition that the components in the environment are in an NE. Obviously, we can go beyond NE and use any other solution concept that can be expressed in . The counterpart of weak rational synthesis is strong rational synthesis, that aims at synthesising a strategy only for controller in such a way that the objective is maximised over the worst NE that can be played by the environment component over the strategy of itself. This can be expressed as follows:
[TABLE]
The formula in the scope of the quantifications and bindings returns the maximum value between and . Given that the former is if there is no NE and [math] otherwise, the disjunction takes value over the path with no NEs and the value of , otherwise. Given that the environment components have universally quantified strategies, the formula amounts at minimising such disjunction. Thus, the components will select (if any) the NE that minimises the satisfaction value of . Then the value of
[TABLE]
is the best value of that the controller can achieve under the condition that the components in the environment are playing the Nash Equilibrium that worsens it.
Core equilibria
In cooperative game theory, core equilibrium is probably the best known solution concept and sometimes related to the one of Nash Equilibrium for noncooperative games. Differently from NEs (but similarly to Strong NEs) it accounts multilateral deviations (also called coalition deviations) that, in order to be beneficial, must improve the payoff of the deviating agents no matter what is the reaction of the opposite coalition. More formally, for a given strategy profile , a coalition has a beneficial deviation if, for all strategy profiles it holds that , for every . We say that a strategy profile is a core equilibrium if, for every coalition, there is no beneficial deviation. This can be written in as follows:
[TABLE]
The strategy profile is a core equilibrium if, and only if, the formula evaluates to . The existence of a core equilibrium could be than expressed with the formula , which takes value if and only if there exists a core equilibrium.
3 Booleanly Quantified \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}}
In this section we introduce Booleanly Quantified \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}} (\textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}}, for short) which extends both \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}} and [52]. On the one hand, it extends \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}} with second order quantification over Boolean atomic propositions, on the other hand it extends to the quantitative setting of \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}}. While \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formulas are interpreted over weighted Kripke structures, thus with atomic propositions having values in , the possible assignment for the quantified propositions are Boolean.
3.1 Syntax
Let be a set of functions over .
Definition 3.1**.**
*The syntax of \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} is defined with respect to a finite set \APof atomic propositions, using the following grammar: *
[TABLE]
where ranges over and over .
Formulas of type are called state formulas, those of type are called path formulas, and \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} consists of all the state formulas defined by the grammar. An atomic proposition which is not under the scope of a quantification is called free. If no atomic proposition is free in a formula , then we say that is closed. We again use , , and to denote functions , and , as well as classic abbreviations already introduced for , plus .
3.2 Semantics
\textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formulas are evaluated on unfoldings of weighted Kripke structures.Note that the terminology Boolean only concerns the quantification of atomic propositions (which is restricted to Boolean atomic propositions), and that formulas are interpreted over weighted Kripke structures.
Definition 3.2**.**
A weighted Kripke structure (WKS) is a tuple where is a finite set of atomic propositions, S is a finite set of states, is an initial state, is a left-total transition relation111i.e., for all , there exists such that ., and is a weight function.
A path in is an infinite word over such that and for all . By analogy with concurrent game structures we call finite prefixes of paths histories, and write for the set of all histories in . We also let be the finite set of values appearing in .
Trees
Given finite sets of directions, of atomic propositions, and of possible values, an -labelled -tree, (or tree for short when the parameters are understood or irrelevant), is a pair where is closed under non-empty prefixes, all nodes start with the same direction , called the root, and have at least one child , and is a weight function. A branch is an infinite sequence of nodes such that for all , we have that is a child of . We let be the set of branches that start in node . Given a tree and a node , we define the subtree of rooted in as the tree where ( denotes the non-strict prefix relation) and is w restricted to . We say that a tree is Boolean in , written , if for all we have . As with weighted Kripke structures, we let . Given two -labelled -trees and , we write if and differ only in assignments to , which must be Boolean in : formally, , , for the same domain , , and for all such that and all , we have .
Finally, we define the tree unfolding of a weighted Kripke structure over atomic propositions and states S as the -labelled S-tree , where for every .
Definition 3.3** (Semantics).**
*Consider finite sets of directions, of atomic propositions, and of possible values. We fix an -labelled -tree . Given a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} state formula and a node of , we use to denote the satisfaction value of in node . Given a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} path formula and a branch of , we use to denote the satisfaction value of along . The satisfaction value is defined inductively as follows: *
[TABLE]
Remark 3.4**.**
As with , we will see that the suprema in the above definition can be replaced with maxima (see Lemma 4.1 below).
First, we point out that if , then \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} evaluated on boolean Kripke structures corresponds to classic [52]. Note also that the quantifier on propositions does not range over arbitrary values in . Instead, as in , it quantifies only on Boolean valuations. It is still quantitative though, in the sense that instead of merely stating the existence of a valuation, maximises the value of over all possible (Boolean) valuations of . For a tree with root we write for , and for a weighted Kripke structure we write for . Note that this semantics is an extension of the tree semantics of , in which the valuation of quantified atomic propositions is chosen on the unfolding of the Kripke structure instead of the states. This allows us to capture the semantics of Strategy Logic based on strategies with perfect recall, where moves can depend on the history, as apposed to the memoryless semantics, where strategies can only depend on the current state (see [52] for more detail). As for , we are interested in the following model-checking problem:
Definition 3.5**.**
Given a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} state formula , a weighted Kripke structure , and a predicate , decide whether .
Similarly to , the precise complexity of the model-checking problem will be stated in terms of nesting depth of formulas, which counts the maximal number of nested propositional quantifiers in a formula , and is written . In the next section we establish our main technical contribution, which is the following:
Theorem 3.6**.**
*The quantitative model-checking problem for \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} is decidable. It is -Exptime -complete for formulas of nesting depth at most . *
This result, together with a reduction from to \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} that we present in Section 5, entails the decidability of model checking announced in Theorem 2.6.
4 Model checking \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}}
We start by proving that, as has been the case for LTL[], since the set of possible satisfaction values of an atomic proposition is finite, so is the set of satisfaction values of each \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formula. This property allows to use instead of in Definition 3.3.
Lemma 4.1**.**
Let be a finite set of values with , let be a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} state formula and a \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} path formula, with respect to . Define
[TABLE]
be the set of values taken by in nodes of -labelled trees. Similarly, define
[TABLE]
Then, and . Moreover, one can compute sets and such that and of size at most and , respectively.
Proof 4.2**.**
We prove the result by mutual induction on and . Clearly, . For , observe that if and , then for all trees such that it is also the case that (by assumption contains 0 and 1). It follows that is defined as the supremum of a subset of , which by induction hypothesis is of size at most , and thus the supremum is indeed a maximum. It follows that . Hence, , and thus . For , again is a supremum over a subset of , which by induction hypothesis is of size at most . The supremum is thus reached, hence and . For , we have , hence is at most . By induction hypothesis, we get . For , the result follows by hypothesis of mutual induction. For , we have that , and the result follows. For , the value of is defined via suprema and infima over possible values for and , which are finitely many by the induction hypothesis. The suprema and infima are thus maxima and minima, and . Hence, (since ). In all cases, the claim for over-approximations follows by the same reasoning as above.
The finite over-approximation of the set of possible satisfaction values induces a finite alphabet for the automata our model-checking procedure uses. In the following, we use alternating parity tree automata (APT in short), and their purely non-deterministic (resp. universal) variants, denoted NPT (resp. UPT). Given two APT and we denote (resp. ) the APT of size linear in and that accepts the intersection (resp. union) of the languages of and , and we call index of an automaton the number of priorities in its parity condition. We refer the reader to for a detailed exposition of alternating parity tree automata. We extend the automata-based model-checking procedure for from [49]. Note that since the quantified atomic propositions may appear in different subformulas, we cannot extend the algorithm for \textsf{{CTL}}^{\star}\textsf{{[\mathcal{F}]}} from [3], as the latter applies the technique of [39], where the evaluation of each subformula is independent.
Proposition 4.3**.**
Let be a finite set of values such that , and let be a finite set of directions. For every \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} state formula and predicate , one can construct an APT such that for every -labelled -tree , accepts if and only if . The APT has at most -exponentially many states, and its index is at most -exponential.
Proof 4.4**.**
The proof proceeds by an induction on the structure of the formula and strengthens the induction statement as follows: one can construct an APT such that for every -labelled -tree , for every node , we have that accepts from node if and only if . If , the automaton has one state and accepts a tree in node if , and rejects otherwise. In addition, . If , we want to check whether the maximal satisfaction value of for all possible Boolean valuations of is in . To do so we first compute a finite set of exponential size such that , which we can do as established by Lemma 4.1. For each possible value , we check whether this value is reached for some -valuation, and if the value of is less than or equal to for all -valuations. For each , inductively build the APTs and . Turn the first one into a NPT and the second one into a UPT . Project existentially on , and call the result . Project universally on , call the result . Finally, we can define the APT . It is then easy to see that this automaton accepts a tree if and only if there exists a value in that is the maximum of the possible values taken by for all -valuations. If : as in the classic automata construction for [50], we first let be the set of maximal state sub-formulas of (that we call atoms thereafter – which have to be distinguished from atomic propositions of the formula). In a first step we see elements of as atomic propositions, and as an LTL[] formula over . According to Lemma 4.1 we can compute over-approximations for each , and we thus let be a finite over-approximation of the set of possible values for atoms. It is proven in [3] that for every , one can build a nondeterministic parity automaton of size exponential in such that accepts a word if and only if . Now let us compute (again using Lemma 4.1), and for each , construct an NPT that guesses a branch in its input and simulates on it. To obtain a universal word automaton of single exponential size that checks whether , first build the nondeterministic automaton from [3], and dualize it in linear time. From the resulting universal automaton we build a UPT that executes on all branches of its input.222We take universal because it is not possible to simulate a nondeterministic word automaton on all branches of a tree, but it is possible for a universal one. Note that we could also determinise , but it would cost one more exponential. We now define the APT on -trees as
[TABLE]
Now to go from atoms to standard atomic propositions, we define an APT that simulates by, in each state and each node of its input, guessing a value in for each formula , simulating on the resulting label, and launching a copy of for each . Note that the automaton is alternating and thus may have to guess several times the satisfaction value of a formula in a same node, but launching the forces it to always guess the same, correct value. Finally, if , we list all combinations of the possible satisfaction values for the subformulas such that , and we build automaton as the disjunction over such of the conjunction of automata . The complexity of this procedure is non-elementary. More precisely, we claim that has size at most -exponential and index (i.e., number of priorities for the parity condition) at most -exponential. The case where is an atomic proposition is trivial. For , we transform an exponential number of APTs into NPTs or UPTs. This entails an exponential blowup in the size and index of each automaton. The resulting automaton has at most -exponentially many states and index at most -exponential. Since , the inductive property is preserved. If has the form , then the automaton for is a combination of the automata for all , and for the various values those subformulas may take. By Lemma 4.1 there are at most different combinations, so assuming (from the induction hypothesis) that the automata for have at most -exponentially many states and index at most -exponential, the automaton for has at most -exponentially many states and index at most -exponential (note that ). Finally for : following [3], the size of is exponential in , and at most Büchi acceptance conditions. One can turn this automaton into an equivalent Büchi automaton still exponential in , which can be seen as a parity automaton with index . Then and both also have sizes exponential in , and index . Finally, , which combines an exponential number of the automata above, has size exponential in and index . The final automaton is obtained from that automaton by plugging the automata for , whose sizes and indices are dominating the size and index of . It follows that, for , the size of also is -exponential, and its index is -exponential.
To see that Theorem 3.6 follows from Proposition 4.3, recall that by definition . Thus to check whether , where atoms in takes values in , it is enough to build as in Proposition 4.3, take its product with a deterministic tree automaton that accepts only , and check for emptiness of the product automaton. The formula complexity is -exponential, but the structure complexity is polynomial. For the lower bounds, consider the fragment of which consists in formulas in prenex normal form, i.e. with all quantifications on atomic propositions at the beginning, with at most alternations between existential and universal quantifiers, counting the first quantifier as one alternation (see [52, p.8] for a formal definition). Clearly, can be translated in \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} with formulas of linear size and nesting depth at most (alternation is simply coded by placing function between quantifiers). It is proved in [52] that model checking is -Exptime -hard.
5 Model checking quantitative strategic logics
In this section we show how to reduce the model-checking problem for to that of \textsf{{QCTL}}^{\star}\textsf{{[\mathcal{F}]}}. This reduction is a rather straightforward adaptation of the usual one for qualitative variants of SL (see e.g. [53, 11, 40]). We essentially observe that it can be lifted to the quantitative setting. We let be a finite set of agents, and be a finite set of atomic propositions.
Models transformation.
We first define for every WCGS over and a WKS over some set and a bijection between the set of histories starting in the initial state of and the set of nodes in . We consider propositions , that we assume to be disjoint from . We let . Define the Kripke structure where
- •
,
- •
,
- •
, and
- •
.
For every history , define the node in (which exists, by definition of and of tree unfoldings). Note that the mapping defines a bijection between the set of histories from and the set of nodes in .
Formulas translation.
Given a game and a formula , we define a \textsf{{QCTL}}^{\star}\textsf{{[\mathcal{F}]}} formula such that . More precisely, this translation is parameterised with a partial function which records bindings of agents to strategy variables. Suppose that . We define the translation by induction on state formulas and path formulas . Here is the definition of for state formulas:
[TABLE]
and for path formulas:
[TABLE]
This translation is identical to that from branching-time SL to in all cases, except for the case of functions which is straightforward. To see that it can be safely lifted to the quantitative setting, it suffices to observe the following: since quantification on atomic propositions is restricted in \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} to Boolean values, and atoms in also have Boolean values, and always have value 0 or 1 and thus they can play exactly the same role as in the qualitative setting: holds if and only if the atomic propositions indeed code a strategy from the current state, and holds on a branch of if and only if in this branch each agent follows the strategies coded by atoms . As a result \exists p_{c_{1}}^{x}\ldots\exists p_{c_{m}}^{x}.\Big{(}\varphi_{\text{str}}(x)\wedge(\varphi)^{\,g}\Big{)} maximises over those valuations for the that code for strategies, other valuations yielding value 0. Similarly, formula minimises over branches that represent outcomes of strategies in , as others yield value 1. One can now see that the following holds, where is an formula.
Lemma 5.1**.**
Let be an assignment and such that and for all , implies . Then
[TABLE]
As a result, the quantitative model-checking problem for an formula , a weighted CGS and a predicate can be solved by computing the \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} formula and the weighted Kripke structure , and deciding whether , which can be done by Theorem 3.6. This establishes the upper-bounds in Theorem 2.6. As in the case of \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}}, the lower-bounds are obtained by reduction from the model-checking problem for . This reduction is an adaptation of the one from to ATL with strategy context in [53], and that preserves nesting depth.
Remark 5.2**.**
Lemma 5.1 together with Lemma 4.1 imply that formulas also can take only exponentially many values when a finite domain is fixed for atomic propositions. This justifies the observation of Remark 2.4 that supremum and infimum in the semantics of can be replaced with maximum and minimum.
6 The case of {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]}
We now study the fragment {\textsf{SL{}{\textsf{1G}}}}{[\mathcal{F}]}, which is the extension to the quantitative setting of the one-goal fragment SL of SL [56]. In order to define the syntax, we need to introduce the notions of quantification prefix and binding prefix. A quantification prefix is a sequence \wp=\mbox{\langle!\langle}x_{1}\mbox{]>!!]}\ldots\mbox{\langle!\langle}x_{n}\mbox{]>!!]}, where \mbox{\langle!\langle}x_{i}\mbox{]>!!]}\in\{\langle\!\langle x_{i}\rangle\!\rangle,[\![x_{i}]\!]\} is either an existential or universal quantification. For a fixed set of agents a binding prefix is a sequence , where every agent in occurs exactly once. A combination is closed if every variable occurring in occurs in some quantifier of . We can now give the definition of {\textsf{SL{}{\textsf{1G}}}}{[\mathcal{F}]} syntax.
Definition 6.1** ({\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]} Syntax).**
Let be a set of Boolean atomic propositions, and let be a set of functions over . The set of {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]} formulas is defined by the following grammar:
[TABLE]
where , , and is a closed combination of a quantification prefix and of a binding prefix.
Note that all formulas are sentences, as all strategy variables are quantified immediately before being bound to some agent. The sentence nesting depth of an {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]} formula is defined as follows:
- •
for every ;
- •
;
- •
;
- •
.
- •
;
Intuitively, the sentence nesting depth measures the number of sentences, i.e., formulas with no free agent or variable, that are nested into each other in the formula. In order to solve the model-checking problem for {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]}, we need the technical notion of concurrent multi-player parity game introduced in [55].
Definition 6.2**.**
A concurrent multi-player parity game (CMPG) is a tuple , where is a set of agents indexed with natural numbers, S is a set of states, is a designated initial state, is a priority function, and is a transition function determining the evolution of the game according to the joint actions of the players.
A CMPG is a game played by players for an infinite number of rounds. In each round, the players concurrently and independently choose moves, and the current state and the action chosen for each player determine the successor state. In details we have that each player , with is part of the existential (even) team; the other players are instead part of the universal (odd) team. Informally, the goal in a CMPG is to check whether there exists a strategy for [math] such that, for each strategy for , there exists a strategy for , and so forth, such that the induced plays satisfy the parity condition. Then, we say that the existential team wins the game. Otherwise the universal team wins the game. As shown in [55, Theorem 4.1, Corollary 4.1], one can decide the winners of a CMPG in time polynomial w.r.t. and , and exponential w.r.t. and (the maximal priority).
Theorem 6.3**.**
*The model-checking problem for closed formulas of {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]} is decidable, and -EXPTIME-complete. *
Proof 6.4**.**
*We let be a WCGS and we consider a formula of the form . We also assume, for simplicity, that \wp=\langle\!\langle x_{0}\rangle\!\rangle[\![x_{1}]\!],\ldots,\mbox{\langle!\langle}x_{k}\mbox{]>!!]}, that is, quantifiers perfectly alternate between existential and universal.333To reduce to this case, one can either collapse the agents occurring in the same quantification block, or interleave them with dummy agents quantified with the other modality. Note that the formula is a sentence, therefore the choice of an assignment is useless. Moreover, recall that, by Lemma 5.1 and in particular Remark 5.2, the set of possible values is bounded by . We proceed by induction on the sentence nesting depth. As base case let , i.e., there is no occurrence of neither quantifiers nor bindings in . Then, can be regarded as an formula that can be interpreted over paths of the WKS where . Now, thanks to [3, Theorem 3.1], for every value , there exists a nondeterministic generalised Büchi word automaton , with that accepts all and only the infinite paths of such that .
Following [60], we can convert into a deterministic parity word automaton of size doubly-exponential in the size of and index bounded by . At this point, define the following CMPG such that*
- •
* is a set of agents, one for every variable occurring in , ordered in the same way as in itself;*
- •
* is the set of actions in ;*
- •
* is the product of the states of and the automaton ;*
- •
* is the pair given by the initial states of and , respectively;*
- •
* mimics the parity function of ;*
- •
if , mimics the execution of both and .
*The game emulates two things, one per each component of its state-space. In the first, it emulates a path generated in . In the second, it emulates the execution of the automaton when it reads the path generated in the first component. By construction, it results that every execution in satisfies the parity condition determined by if, and only if, . Moreover, observe that, since is deterministic, for every possible history in , there is a unique partial run that makes the partial execution possible in . This makes the sets of possible strategies and in perfect bijection. has a winning strategy if and only if . In order to compute the exact value of , we repeat the procedure described above for every and take the maximum of those for which . For the induction case, assume we can compute the satisfaction value of every {\textsf{SL{}_{\textsf{1G}}}}{[\mathcal{F}]} formula with sentence nesting depth at most , and let . Observe that, for every subsentence of , we have that and so, by induction hypothesis, we can compute for every . Now, introduce a fresh atomic proposition whose weight in is defined as and a set of fresh atomic propositions , one for every , whose weights in are defined as and if . Now, consider the Boolean formula *
[TABLE]
Observe that every disjunct is a conjunction of the form , whose satisfaction value on a state is the minimum among the weights of and . This can be either [math], if or , if . Now, the big disjunction takes the maximum among them. Therefore, we obtain that . This allows us to replace every occurrence of in with the Boolean combination , making the resulting formula to be of sentence nesting depth . Thus, we can apply the procedure described in the base case, to compute . Regarding the complexity, note that the size of is that is in turn linear with respect to the size of and doubly exponential in the size of . This is due to the fact that the automaton results from the construction of the NGBW , of size singly exponential in and the transformation to a DPW, that adds up another exponential to the construction. On the other hand, the number of priorities in is only singly exponential in , and it is due to the fact that the transformation from NGBW to DPW requires a singly exponential number of priorities. Therefore, the CMPG can be solved in time polynomial w.r.t. the size and double exponential in . Such -EXPTIME procedure is executed a number of time exponential in , which is still -EXPTIME. Hardness follows from that of SL [56].
7 Future work
We introduced and studied , a formalism for specifying quality and fuzziness of strategic on-going behaviour. Beyond the applications described in the paper, we highlight here some interesting directions for future research. In classical temporal-logic model checking, coverage and vacuity algorithms measure the sensitivity of the system and its specifications to mutations, revealing errors in the modelling of the system and lack of exhaustiveness of the specification [30]. When applied to , these algorithms can set the basis to a formal reasoning about classical notions in game theory, like the sensitivity of utilities to price changes, the effectiveness of burning money [45, 34] or tax increase [32], and more. Recall that our model-checking algorithm reduces the problem to \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}}, where the quantified atomic propositions take Boolean values. It is interesting to extend \textsf{{BQCTL}}^{\star}\textsf{{[\mathcal{F}]}} to a logic in which the quantified atomic propositions are associated with different agents, which would enable easy specification of controllable events. Also, while in our application the quantified atomic propositions encode the strategies, and hence the restriction of their values to is natural, it is interesting to study \textsf{{QCTL}}^{\star}\textsf{{[\mathcal{F}]}}, where quantified atomic propositions may take values in .
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Natasha Alechina, Brian Logan, Nguyen Hoang Nga, and Abdur Rakib. Resource-bounded alternating-time temporal logic. In Wiebe van der Hoek, Gal A. Kaminka, Yves Lespérance, Michael Luck, and Sandeep Sen, editors, Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10) , pages 481–488. International Foundation for Autonomous Agents and Multiagent Systems, May 2010.
- 2[2] Shaull Almagor, Udi Boker, and Orna Kupferman. Discounting in LTL. In Erikz Ábrahám and Klaus Havelund, editors, Proceedings of the 20th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS’14) , volume 8413 of Lecture Notes in Computer Science , pages 424–439. Springer-Verlag, April 2014. doi:10.1007/978-3-642-54862-8_37 . · doi ↗
- 3[3] Shaull Almagor, Udi Boker, and Orna Kupferman. Formally reasoning about quality. Journal of the ACM , 63(3):24:1–24:56, September 2016. doi:10.1145/2875421 . · doi ↗
- 4[4] Shaull Almagor and Orna Kupferman. High-quality synthesis against stochastic environments. In Jean-Marc Talbot and Laurent Regnier, editors, Proceedings of the 25th EACSL Annual Conference on Computer Science Logic (CSL’16) , volume 62 of Leibniz International Proceedings in Informatics , pages 28:1–28:17. Leibniz-Zentrum für Informatik, September 2016. doi:10.4230/LIP Ics.CSL.2016.28 . · doi ↗
- 5[5] Shaull Almagor, Orna Kupferman, and Giuseppe Perelli. Synthesis of controllable Nash equilibria in quantitative objective games. In Jérôme Lang, editor, Proceedings of the 27th International Joint Conference on Artificial Intelligence (IJCAI’18) , pages 35–41. IJCAI organization, July 2018. doi:10.24963/ijcai.2018/5 . · doi ↗
- 6[6] Shaull Almagor, Orna Kupferman, Jan Oliver Ringert, and Yaron Velner. High-quality synthesis against stochastic environments. In Rupak and Majumdar, editor, Proceedings of the 29th International Conference on Computer Aided Verification (CAV’17) , volume 10427 of Lecture Notes in Computer Science , pages 353–374. Springer-Verlag, July 2017. doi:10.1007/978-3-319-63390-9_19 . · doi ↗
- 7[7] Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman. Alternating-time temporal logic. Journal of the ACM , 49(5):672–713, September 2002. doi:10.1145/585265.585270 . · doi ↗
- 8[8] Benjamin Aminof, Vadim Malvone, Aniello Murano, and Sasha Rubin. Graded modalities in strategy logic. Information and Computation , 261(4):634–649, August 2018. doi:10.1016/j.ic.2018.02.021 . · doi ↗
