Optimal decision procedures for satisfiability in fragments of alternating-time temporal logics

Valentin Goranko^{a,b}, Steen Vester^{a,1}

^a Department of Applied Mathematics and Computer Science, Technical University of Denmark
^b Department of Mathematics, University of Johannesburg

^1 Emails: vfgo@dtu.dk, stve@dtu.dk

Abstract

We consider several natural fragments of the alternating-time temporal logics ATL∗ and ATL with restrictions on the nesting between temporal operators and strategic quantifiers. We develop optimal decision procedures for satisfiability in these fragments, showing that they have much lower complexities than the full languages. In particular, we prove that the satisfiability problem for state formulae in the full 'strategically flat' fragment of ATL∗ is PSPACE-complete, whereas the satisfiability problems in the flat fragments of ATL and ATL+ are Σ^P_3-complete. We note that the nesting hierarchies for fragments of ATL∗ collapse in terms of expressiveness above nesting depth 1, hence our results cover all such fragments with lower complexities.

Keywords: satisfiability, decision procedures, alternating-time temporal logics, flat fragments, complexity

1 Introduction

The Alternating-time temporal logic ATL∗ was introduced and studied in [2] as a multi-agent extension of the branching time temporal logic CTL∗, applied for specification and verification of properties of open systems. The most natural semantics for ATL∗ is defined in multi-agent transition systems, also known as concurrent game models, in which all agents take simultaneous actions at the current state and the resulting collective action effects the state transition. The language of ATL∗ involves expressions of the type 〈〈C〉〉Φ meaning that the coalition of agents C has a collective strategy to guarantee – no matter how the other agents choose to act – achieving the goal Φ on all plays (computations) enabled by that collective strategy.

The logic ATL∗ and its fragment ATL (analogous to CTL) have gradually become one of the most popular logical formalisms for reasoning about multi-agent systems, studied extensively during the past 10 years both from a logical and computational perspective. While found to be quite useful and natural, however, the logic ATL∗, and even its fragment ATL, turned out to have some problematic semantic features related to the nesting of strategic quantifiers 〈〈*〉〉, including:

• Conceptual difficulty in understanding the very meaning of nested expressions of the type 〈〈A〉〉 . . . 〈〈B〉〉Φ, especially when the coalitions A and B share common agents. For instance, what exactly should 〈〈A〉〉¬〈〈A〉〉Φ mean?
• This problem is related to a technical problem built into the semantics of ATL∗, where, e.g., in the truth evaluation of a formula of the type 〈〈A〉〉 . . . 〈〈B〉〉Φ the strategy for A adopted to guarantee the success of the goal . . . 〈〈B〉〉Φ does not have any effect when evaluating the truth of the subgoal 〈〈B〉〉Φ, which, arguably, goes against the intuitive understanding of what a strategy and its execution mean. Such problems have led to several proposals of alternative semantics for ATL∗, with irrevocable commitment to strategies [1] or with strategy contexts, explicitly controllable within the formulae [3]. The latter comes at a high price, resulting in an undecidable satisfiability problem [15].
• The meaning of ATL∗ formulae with nested strategic quantifiers is sensitive to the ability and capacity of the agents to use memory in their strategies, leading to essential variations of the semantics [4].
• The complexity of the full ATL∗ is very high: 2EXPTIME-complete for both the model checking [2] and the satisfiability testing [12] problems.
• These problems are amplified when incomplete information is assumed.
  Then the basic temporal operators can no longer be naturally (if at all) characterized as fixed points of suitable operators, the semantics becomes truly noncomputational and even model checking of ATL becomes undecidable [2].

So, there are several good reasons to consider flat fragments of ATL∗, where nesting of strategic quantifiers and temporal operators is restricted or completely disallowed, thus avoiding the problems listed above at the cost of reduced expressiveness.

There are two natural kinds of 'flatness' in the language of ATL∗: with respect to the temporal operators and with respect to strategic quantifiers. The former comes naturally from purely temporal logics and has been investigated before, see e.g., [9], [5], and [13] from a more general, coalgebraic perspective. Here we will mainly consider the latter type of flatness.

The objective of the present paper is to develop optimal algorithmic methods for solving the satisfiability problem for the variety of naturally definable flat fragments of ATL∗ and to analyze their computational complexity. Our main results and the contributions of this paper are as follows:

(i) The algorithmic problem of satisfiability testing in the full fragment of ATL∗ where nesting between strategic quantifiers is not allowed (but temporal operators can be nested in strategic quantifiers and between each other) is PSPACE-complete, in contrast to the 2EXPTIME-completeness of satisfiability in the full ATL∗.
(ii) The algorithmic problem of satisfiability testing in the flat fragments of ATL and ATL+, where only nesting of temporal operators in the scope of strategic quantifiers is allowed, is Σ^P_3-complete, in contrast to the 2EXPTIME-completeness of that problem in the full ATL+ (as subsuming CTL+, see [10]) and its EXPTIME-completeness in the full ATL [8].
The structure of the paper is as follows: In Section 2 we summarize basics of the logics LTL, CTL and CTL∗ as well as concurrent game models and the alternating-time temporal logics ATL, ATL+ and ATL∗. In Section 3 we introduce various flat fragments of ATL∗ and discuss their expressiveness. Section 4 contains the technical preparation for our algorithms, where we introduce some kinds of normal forms for ATL∗ formulae and obtain some key technical results. In Section 5 we provide sound and complete decision procedures as well as matching lower bounds for the flat fragments of ATL∗ considered in the paper. We end with brief concluding remarks in Section 6.

2 Preliminaries

2.1 Summary of LTL, CTL, CTL∗ and their flat fragments

We assume that the reader is familiar with the temporal logics LTL, CTL and CTL∗. A standard reference is e.g., [6]. Given a set of atomic propositions Prop, the set of literals over Prop is Prop ∪ {¬p | p ∈ Prop}. We assume that the primitive temporal operators in LTL and CTL∗ are X ("at the next state") and U ("Until"), whereas F ("sometime in the future"), R ("Release"), and G ("always in the future") are definable as follows:

Fφ := ⊤Uφ,   ψRφ := ¬((¬ψ)U(¬φ)),   Gφ := ⊥Rφ.

Respectively, the primitive temporal operators in CTL are AX, AU and AR, whereas the rest are definable as follows:

EXφ := ¬AX¬φ,   E(ψUφ) := ¬A((¬ψ)R(¬φ)),   E(ψRφ) := ¬A((¬ψ)U(¬φ)),
AFφ := A(⊤Uφ),   AGφ := A(⊥Rφ),   EFφ := E(⊤Uφ),   EGφ := E(⊥Rφ).

The following LTL-equivalences characterize U and R as fixed points, where the formulae on the right hand side are called the fixed point unfoldings respectively of θUη and θRη (see e.g., [14], [6]):

θUη ≡ η ∨ (θ ∧ X(θUη)),   θRη ≡ η ∧ (θ ∨ X(θRη)).

We define the flat fragments LTL1, CTL1 and CTL∗1 resp. as subsets of LTL, CTL and CTL∗. In LTL1 no nesting of temporal operators is allowed, in CTL∗1 no nesting of path quantifiers is allowed and in CTL1 neither is allowed.
They are generated as follows, where β is a Boolean formula and θ is an LTL formula:

LTL1: θ ::= p | ¬θ | θ ∧ θ | Xβ | βUβ
CTL∗1: φ ::= p | ¬φ | φ ∧ φ | Aθ
CTL1: φ ::= p | ¬φ | φ ∧ φ | AXβ | A(βUβ) | A(βRβ)

For instance:

• pUq ∧ X(r ∧ (q ∧ ¬p)) is in LTL1 but pU(Xq) is not.
• A(¬pU(p ∧ ¬q)) ∧ ¬(EF(q ∧ ¬p) ∧ ¬AF¬(p ∧ q)) is in CTL1 (and in CTL∗1).
• AGFp is in CTL∗1 but not in CTL1; AGEFp is neither in CTL1 nor in CTL∗1.

2.2 Concurrent game models. The logic ATL∗ and fragments

A concurrent game model [2] (CGM) is a tuple

M = (A, St, {Act_a}_{a∈A}, {act_a}_{a∈A}, out, Prop, L)

comprising:

• a finite, non-empty set of players (agents) A = {1, . . . , k},
• a set of actions Act_a ≠ ∅ for each a ∈ A. For any A ⊆ A we denote Act_A := ∏_{a∈A} Act_a and use α_A to denote a tuple from Act_A. In particular, Act_A is the set of all possible action profiles in M,
• a non-empty set of states St,
• for each a ∈ A, a map act_a : St → P(Act_a) \ {∅} setting for each state s the actions available to a at s,
• a transition function out : St × Act_A → St that assigns deterministically a successor (outcome) state out(s, α_A) to every state s and action profile α_A = 〈α_1, . . . , α_k〉, provided that α_a ∈ act_a(s) for every a ∈ A (i.e., every α_a that can be executed by player a in state s),
• a finite set of atomic propositions Prop and a labelling L : St → P(Prop).

Concurrent game models represent multi-agent transition systems that function as follows: at any moment the system is in a given state, where each player selects an action from those available to him at that state. All players execute their actions synchronously and the combination of these actions together with the current state determines a transition to a unique successor state in the model. A play in a CGM is an infinite sequence of such subsequent successor states. More formally, a play is an infinite sequence s0 s1 ... ∈ St^ω of states such that for each i ≥ 0 there exists an action profile α_A = 〈α_1, . . . , α_k〉 such that out(s_i, α_A) = s_{i+1}. A history is a finite initial segment s0 s1 ... s_ℓ of a play. We denote by Play_M and Hist_M respectively the set of plays and set of histories in M. For a state s ∈ St we define Play_M(s) and Hist_M(s) as the set of plays and set of histories with initial state s. For a sequence ρ of states, ρ_0 is the initial state, ρ_i is the (i+1)th state, ρ_{≤i} is the prefix ρ_0 ... ρ_i of ρ and ρ_{≥i} is the suffix ρ_i ρ_{i+1} ... of ρ. When ρ = ρ_0 ... ρ_ℓ is finite, we say that it has length ℓ and write |ρ| = ℓ. Further, we let last(ρ) = ρ_ℓ.

A strategy for a player a in M is a mapping σ_a : Hist_M → Act_a such that for all h ∈ Hist_M we have σ_a(h) ∈ act_a(last(h)). Intuitively, it assigns a legal action for player a after any history h of the game. If that action depends only on the current state, the strategy is called memoryless. We denote by Strat_M(a) the set of strategies of player a. A (collective) strategy of a coalition C ⊆ A is a tuple (α_a)_{a∈C} of strategies, one for each player in C. When C = A this is called a strategy profile. We denote by Strat_M(C) the set of collective strategies of coalition C. A play ρ ∈ Play_M is consistent with a strategy σ_C ∈ Strat_M(C) if for every i ≥ 0 there exists an action profile α_A = 〈α_1, . . . , α_k〉 such that out(ρ_i, α_A) = ρ_{i+1} and α_a = σ_a(ρ_{≤i}) for all a ∈ C. The set of plays with initial state s that are consistent with σ_C is denoted Play_M(s, σ_C). In particular, we define Play_M(s, σ_a) = Play_M(s, σ_{a}) for any player a.

The Alternating-time temporal logic ATL∗, introduced in [2], is a logic suitable for specifying and verifying qualitative objectives of players and coalitions in concurrent game models. The main syntactic construct of ATL∗ is a formula of type 〈〈C〉〉Φ, intuitively meaning: "The coalition C has a collective strategy to guarantee the satisfaction of the objective Φ on every play enabled by that strategy."
Formally, ATL∗ is a multi-agent extension of the branching time logic CTL∗ with strategic quantifiers 〈〈C〉〉 indexed with sets (coalitions) C of players. There are two types of formulae in ATL∗: state formulae, which are evaluated at states, and path formulae, which are evaluated on plays. These are defined by mutual recursion as follows, where C ⊆ A, p ∈ Prop:

State formulae of ATL∗: φ ::= p | ¬φ | φ ∧ φ | 〈〈C〉〉Φ
Path formulae of ATL∗: Φ ::= φ | ¬Φ | Φ ∧ Φ | XΦ | ΦUΦ | ΦRΦ

All other Boolean connectives are defined as usual, and the temporal operators F and G are defined as in CTL∗, which can be regarded as the fragment of ATL∗ only involving strategic quantifiers for the empty coalition 〈〈∅〉〉, identified with universal path quantifier A, and for the "grand coalition" of all players 〈〈A〉〉, identified with existential path quantifier E. Equivalently, by identifying all agents, CTL∗ can be regarded as the 1-agent fragment of ATL∗. To keep the notation lighter, we will list the members of C in 〈〈C〉〉 without using {}.

The fragment ATL+ of ATL∗ is obtained when the temporal operators may only be applied to state formulae, i.e. when path formulae are re-defined as

Path formulae of ATL+: Φ ::= φ | ¬Φ | Φ ∧ Φ | Xφ | φUφ | φRφ

Another, technically simpler and computationally better behaved fragment of ATL∗ is the logic ATL, which is the multi-agent analogue of CTL, only involving state formulae defined as follows, for any C ⊆ A, p ∈ Prop:

Formulae of ATL: φ ::= p | ¬φ | φ ∧ φ | 〈〈C〉〉Xφ | 〈〈C〉〉(φUφ) | 〈〈C〉〉(φRφ)

The combined operators 〈〈C〉〉Fφ and 〈〈C〉〉Gφ are defined respectively as 〈〈C〉〉⊤Uφ and 〈〈C〉〉⊥Rφ.

The semantics of ATL∗ is given with respect to a concurrent game model M = (A, St, {Act_a}_{a∈A}, {act_a}_{a∈A}, out, Prop, L).
The semantics of state formulae is given in terms of truth at a state s in M, as follows, where p ∈ Prop, φ1 and φ2 are state formulae, Φ is a path formula and C ⊆ A:

M, s ⊨ p if p ∈ L(s)
M, s ⊨ ¬φ1 if M, s ⊭ φ1
M, s ⊨ φ1 ∧ φ2 if M, s ⊨ φ1 and M, s ⊨ φ2
M, s ⊨ 〈〈C〉〉Φ if there exists a collective strategy σ_C ∈ Strat_M(C) such that M, ρ ⊨ Φ for all ρ ∈ Play_M(s, σ_C)

The semantics of path formulae is given just like in LTL, in terms of truth on a path ρ in a CGM M, as follows, where φ is a state formula, Φ1 and Φ2 are path formulae and C ⊆ A:

M, ρ ⊨ φ if M, ρ_0 ⊨ φ
M, ρ ⊨ ¬Φ1 if M, ρ ⊭ Φ1
M, ρ ⊨ Φ1 ∧ Φ2 if M, ρ ⊨ Φ1 and M, ρ ⊨ Φ2
M, ρ ⊨ XΦ1 if M, ρ_{≥1} ⊨ Φ1
M, ρ ⊨ Φ1UΦ2 if ∃k. M, ρ_{≥k} ⊨ Φ2 and ∀j < k. M, ρ_{≥j} ⊨ Φ1
M, ρ ⊨ Φ1RΦ2 if ∀k. M, ρ_{≥k} ⊨ Φ2, or ∃k. M, ρ_{≥k} ⊨ Φ1 and ∀j ≤ k. M, ρ_{≥j} ⊨ Φ2

We focus on the satisfiability problem for various fragments of ATL∗ in this paper. We will distinguish between the state satisfiability and path satisfiability problems, which are defined on a given fragment L of ATL∗ as follows:

• Given a state formula φ in L, does there exist a CGM M and a state s in M such that M, s ⊨ φ?
• Given a path formula Φ in L, does there exist a CGM M and a play ρ in M such that M, ρ ⊨ Φ?

Note that there are two variants of the satisfiability problem for formulae of ATL∗: tight, where it is assumed that all agents in the model are mentioned in the formula, and loose, where additional agents, not mentioned in the formula, are allowed in the model. It is easy to see that these variants are really different, but the latter one is immediately reducible to the former, by adding just one extra agent a to the language. Furthermore, this extra agent can be easily added superfluously to the formula, e.g., by adding a conjunct 〈〈a〉〉X⊤, so we hereafter only consider the tight satisfiability version.
For further details and discussion on this issue, see e.g., [7,17].

We recall some important complexity results for the satisfiability problem: satisfiability in ATL is EXPTIME-complete [16,8], while satisfiability in ATL∗ is 2EXPTIME-complete [12]. Since ATL+ subsumes CTL+, the satisfiability in which is also 2EXPTIME-complete [10], this is the optimal complexity for the satisfiability in ATL+, too. All these results equally hold for satisfiability in concurrent game models and in alternating transition systems [2], as both semantics are equivalent (see e.g., [8]).

3 Flat fragments of ATL and ATL∗

Here we define some flat fragments of ATL∗ and ATL. Flatness generally means no nesting of non-Boolean operators. There are two natural notions of flatness in the languages of ATL and ATL∗: with respect to temporal operators and with respect to strategic quantifiers. We will be mostly concerned with the latter, but the former applies in the case of ATL, too.

We adopt the following notational conventions: we will typically denote Boolean formulae by β, γ; LTL formulae by θ, η, ζ; ATL formulae by φ, ψ; and ATL∗ formulae – both state and path – by Θ, Φ, Ψ; all possibly with indices.

3.1 A hierarchy of flat fragments of ATL∗

We will consider the following fragments of ATL∗, where p is any atomic proposition, C ⊆ A, β is any Boolean formula and θ is any LTL formula:

(i) Separated ATL∗, denoted ATL∗Sep, consists of those formulae of ATL∗ in which there is no nesting of strategic quantifiers in the scope of temporal operators (but any nesting of temporal operators within strategic quantifiers or temporal operators is allowed), so the (external) strategic and the (internal) temporal layers are separated.
More precisely, the formulae of ATL∗Sep are generated as follows:

Φ ::= θ | ¬Φ | (Φ ∧ Φ) | 〈〈C〉〉Φ

(ii) Full (strategically) flat ATL∗, denoted ATL∗1, consists of those formulae of ATL∗ in which there is no nesting of strategic quantifiers within strategic quantifiers (but nesting of strategic quantifiers and temporal operators in temporal operators is allowed), formally generated as follows:

Φ ::= p | ¬Φ | (Φ ∧ Φ) | 〈〈C〉〉θ | XΦ | ΦUΦ | ΦRΦ

If the restriction C ≠ ∅ is imposed, we denote the resulting fragment ÂTL∗1.

(iii) State fragment of ATL∗1, denoted St(ATL∗1), consists of the state formulae of ATL∗1, i.e. those formulae of ATL∗ in which there is no nesting of strategic quantifiers in either temporal operators or strategic quantifiers (but nesting between temporal operators is allowed). The formulae of St(ATL∗1) are explicitly generated as follows:

Φ ::= p | ¬Φ | (Φ ∧ Φ) | 〈〈C〉〉θ

(iv) Flat ATL+ (or, double-flat ATL∗), denoted ATL+1, consists of those formulae of ATL+ which are also in St(ATL∗1), e.g., with no nesting of either strategic quantifiers or temporal operators within temporal operators. The formulae of ATL+1 are generated as follows, where θ ∈ LTL1:

Φ ::= p | ¬Φ | (Φ ∧ Φ) | 〈〈C〉〉θ

(v) Flat ATL, denoted ATL1, consists of those formulae of ATL+1 which are in ATL, i.e., in which strategic quantifiers are followed immediately by temporal operators. The formulae of ATL1 are generated as follows:

φ ::= p | ¬φ | (φ ∧ φ) | 〈〈C〉〉Xβ | 〈〈C〉〉(βUβ) | 〈〈C〉〉(βRβ)

Inclusions between the different flat fragments are illustrated in Figure 1. All inclusions shown in the figure are strict and there are no inclusions except the ones shown (where transitive closure is implicit).
For example:

• (〈〈1〉〉G¬p ∧ ¬〈〈2〉〉X(p ∨ ¬q)) ∨ 〈〈1, 2〉〉(pU¬q) is in ATL1;
• 〈〈1〉〉(G¬p ∧ Fq), ¬〈〈1, 2〉〉((pR¬q) ∨ (¬pUq)) are in ATL+1 but not in ATL1;
• 〈〈1〉〉(GF¬p ∨ X¬(pU¬q)) is in St(ATL∗1) but not ATL+1;
• G〈〈1, 2〉〉F(¬p ∨ q) is in ÂTL∗1 but not in St(ATL∗1);
• 〈〈∅〉〉Gp ∧ G〈〈1, 2〉〉GF¬p is in ATL∗1 but not in ÂTL∗1;
• 〈〈2〉〉〈〈1〉〉¬(pU¬q) is in ATL∗Sep but not in ATL∗1.

Fig. 1. Inclusions between flat fragments (nodes: CTL1, ATL1, CTL+1, LTL1, ATL+1, ÂTL∗1, CTL∗1, St(ATL∗1), ATL∗1, ATL∗Sep). An arrow from L1 to L2 means that every L1 formula is an L2 formula.

Even though ATL∗1 is included in ATL∗Sep they have the same expressive power and there is an efficient translation from ATL∗Sep to ATL∗1.

Proposition 3.1 Every formula of ATL∗Sep is logically equivalent to a formula of ATL∗Sep which is at most as long and has no nesting of strategic quantifiers. Such a formula is effectively computable in linear time.

Proof. Because 〈〈C〉〉Φ ≡ Φ for every state formula Φ and coalition C. □

Thus, deciding satisfiability in ATL∗Sep is reducible with no cost to satisfiability in St(ATL∗1), so we will not discuss ATL∗Sep hereafter. On the other hand, due to the equivalence above, the fragment ATL∗1 can be extended even further by allowing nesting of strategic quantifiers, as long as there are no occurrences of temporal operators in between them.

The equivalence of 〈〈C〉〉Φ and Φ for state formulae Φ is an example of why nesting of strategic quantifiers in ATL∗ can be considered unnatural. We note that this phenomenon is avoided in ATL∗ with strategy context [3].

Between the full logics and their flat fragments, it is natural to consider the hierarchies of fragments with a bounded nesting depth of strategic quantifiers. However, the next result shows that the fragments with nesting depth 2 are essentially as expressive and computationally hard as the full logics.
Proposition 3.2 For any logic L ∈ {LTL, CTL, CTL+, CTL∗, ATL, ATL+, ATL∗} and formula Φ of L there is an equi-satisfiable formula Φ′ in L with nesting depth 2 of strategic quantifiers (resp., temporal operators for LTL) and length |Φ′| = O(|Φ|) that can be computed in linear time.

Proof. In each of the cases, the flattening is done by repeated renaming of state subformulae with fresh atomic propositions. We illustrate the technique on ATL∗. Let Φ be an ATL∗ formula. For any innermost subformula Ψ of Φ beginning with a strategic quantifier we introduce a fresh atomic proposition p_Ψ. Then Φ and Φ′ = Φ[p_Ψ/Ψ] ∧ AG(p_Ψ ↔ Ψ) are equi-satisfiable. By repeated application of such renaming of strategically quantified subformulae we obtain an equi-satisfiable formula of nesting depth 2 that is linear in the size of Φ. Since AG(p_Ψ ↔ Ψ) is a CTL formula, this works for each logic L ∈ {CTL, CTL+, CTL∗, ATL, ATL+, ATL∗}, while for LTL we use G(p_Ψ ↔ Ψ). □

Thus, the only complexity gain in restricting syntactic fragments of these logics with respect to nesting can occur when flat fragments are considered.

3.2 Some remarks on the expressiveness of the flat ATL∗-fragments

The lower complexity of the satisfiability in the flat fragments of ATL∗ comes with a price, namely that various properties that require nesting of strategic quantifiers cannot be expressed anymore. However, many interesting and important properties of systems are still expressible. For instance:

• 〈〈ctrl〉〉G¬break in ATL1 specifies that a controller can make sure the system does not break no matter how the environment behaves,
• ⋀_{i=1}^{n} 〈〈proc_i〉〉GF db_access_i expresses that each process can ensure database access infinitely often,
• 〈〈A〉〉(θ_fair → θ) means that coalition A can make sure that the LTL property θ is satisfied on all fair paths (where fairness is defined by LTL formula θ_fair).
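The fragment grammars of Section 3.1 and the equivalence 〈〈C〉〉Φ ≡ Φ used in Proposition 3.1 can be checked mechanically. The following Python code is an added example, not code from the paper; the tuple encoding of formulae, the fragment labels and all function names are assumptions made for this illustration, and R, F and G are accepted as the derived operators defined in Section 2.1.

```python
# Formulae are nested tuples (an encoding assumed for this example):
#   ("p", name) | ("not", f) | ("and", f, g) | ("or", f, g)
#   ("X", f) | ("F", f) | ("G", f) | ("U", f, g) | ("R", f, g)
#   ("coal", agents, f)  stands for <<agents>> f, with agents a frozenset
TEMPORAL = {"X", "F", "G", "U", "R"}

def P(n): return ("p", n)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def X(f): return ("X", f)
def F(f): return ("F", f)
def G(f): return ("G", f)
def U(f, g): return ("U", f, g)
def R(f, g): return ("R", f, g)
def Coal(agents, f): return ("coal", frozenset(agents), f)

def subs(f):
    """Immediate subformulae of f."""
    if f[0] == "p":
        return ()
    return f[2:] if f[0] == "coal" else f[1:]

def is_boolean(f):
    return f[0] not in TEMPORAL and f[0] != "coal" and all(map(is_boolean, subs(f)))

def is_ltl(f):
    return f[0] != "coal" and all(map(is_ltl, subs(f)))

def is_ltl1(f):
    """LTL1: temporal operators are applied to Boolean formulae only."""
    if f[0] in TEMPORAL:
        return all(map(is_boolean, subs(f)))
    return f[0] != "coal" and all(map(is_ltl1, subs(f)))

def is_state(f):
    """No temporal operator occurs outside the scope of a strategic quantifier."""
    if f[0] == "coal":
        return True
    return f[0] not in TEMPORAL and all(map(is_state, subs(f)))

def quantified(f):
    """All subformulae of the form <<C>>Φ, at any depth."""
    here = [f] if f[0] == "coal" else []
    return here + [q for g in subs(f) for q in quantified(g)]

def fragments(f):
    """Labels of the flat fragments of Section 3.1 that contain f."""
    qs = quantified(f)
    flat = all(is_ltl(q[2]) for q in qs)   # no quantifier inside a quantifier
    member = {
        "ATL*1": flat,
        "hatATL*1": flat and all(q[1] for q in qs),   # every coalition non-empty
        "St(ATL*1)": flat and is_state(f),
        "ATL+1": is_state(f) and all(is_ltl1(q[2]) for q in qs),
        "ATL1": is_state(f) and all(q[2][0] in TEMPORAL and is_ltl1(q[2]) for q in qs),
    }
    return {name for name, ok in member.items() if ok}

def drop_redundant(f):
    """Proposition 3.1: replace <<C>>Φ by Φ whenever Φ is a state formula."""
    if f[0] == "p":
        return f
    if f[0] == "coal":
        body = drop_redundant(f[2])
        return body if is_state(body) else ("coal", f[1], body)
    return (f[0],) + tuple(drop_redundant(g) for g in f[1:])

p, q = P("p"), P("q")
# The example formulae listed in Section 3.1, in the order they appear there.
EX = [
    Or(And(Coal({1}, G(Not(p))), Not(Coal({2}, X(Or(p, Not(q)))))),
       Coal({1, 2}, U(p, Not(q)))),
    Coal({1}, And(G(Not(p)), F(q))),
    Not(Coal({1, 2}, Or(R(p, Not(q)), U(Not(p), q)))),
    Coal({1}, Or(G(F(Not(p))), X(Not(U(p, Not(q)))))),
    G(Coal({1, 2}, F(Or(Not(p), q)))),
    And(Coal(set(), G(p)), G(Coal({1, 2}, G(F(Not(p)))))),
    Coal({2}, Coal({1}, Not(U(p, Not(q))))),
]
# The controller property from Section 3.2.
CTRL = Coal({"ctrl"}, G(Not(P("break"))))

if __name__ == "__main__":
    for f in EX + [CTRL, drop_redundant(EX[6])]:
        print(sorted(fragments(f)))
```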
The semantics of ATL∗ is based on unbounded memory strategies, but it can be restricted and parameterized with the amount of memory that the proponent agents' strategies can use. The extreme case is the memoryless semantics, where the proponents may only use memoryless strategies. It turns out that satisfiability in ATL is unaffected by such restrictions, but differences occur in ATL∗ and even in ATL+. For discussion on these see e.g., [4]. In contrast, using our satisfiability decision procedures developed in Section 5, we will show that all semantics based on different memory restrictions yield the same satisfiable (resp., the same valid) formulae in the flat fragment ATL∗1.

4 Normal forms and satisfiability of special sets in ATL∗

4.1 Negation normal form of ATL∗ formulae

Definition 4.1 An ATL∗ formula Φ is in a negation normal form (NNF) if negations in Φ may only occur immediately in front of atomic propositions.

We now define the dual [[*]] to the strategic quantifier 〈〈*〉〉 as usual: [[C]] ::= ¬〈〈C〉〉¬. If we consider [[*]] as a primitive operator in ATL∗, then every ATL∗ formula can be transformed to an equivalent formula in NNF by driving all negations inwards, using the self-duality of X and the duality between U and R. However, using [[*]] formally breaks the syntax of the fragments ATL and ATL1 because of inserting a ¬ between 〈〈*〉〉 and the temporal operator. Yet, this can be easily fixed by equivalently re-defining the applications of [[*]], using the following equivalences:

[[C]]Xφ ≡ ¬〈〈C〉〉X¬φ,   [[C]](φUψ) ≡ ¬〈〈C〉〉((¬φ)R(¬ψ)),   [[C]](φRψ) ≡ ¬〈〈C〉〉((¬φ)U(¬ψ)).

Hereafter we assume that the language ATL∗ and each of its fragments introduced above are formally extended with the operator [[*]] applied just like 〈〈*〉〉 in the respective fragments. Due to the equivalences above, the resulting extensions preserve the expressiveness of these fragments.
Formally:

Lemma 4.2 Every formula of ATL∗ extended with the operator [[*]] can be transformed to an equivalent formula in NNF. Furthermore, each of the fragments ATL, ATL1, ATL+1, St(ATL∗1) and ATL∗1, extended with [[*]], is closed under this transformation, i.e. if a formula is in any of these fragments then its NNF-equivalent formula is in that fragment, too.

4.2 Successor normal forms

Definition 4.3 [Successor formulae] An ATL∗ formula is a successor formula (SF) if it is of the type 〈〈C〉〉XΦ or [[C]]XΦ.

Definition 4.4 [Components] With every set of ATL∗ successor formulae

Γ = {〈〈A0〉〉XΦ0, . . . , 〈〈A_{m−1}〉〉XΦ_{m−1}, [[B0]]XΨ0, . . . , [[B_{n−1}]]XΨ_{n−1}}

we associate the set of its

• 〈〈*〉〉X-components: 〈〈*〉〉X(Γ) = {Φ0, . . . , Φ_{m−1}},
• [[*]]X-components: [[*]]X(Γ) = {Ψ0, . . . , Ψ_{n−1}},
• successor components: SC(Γ) = 〈〈*〉〉X(Γ) ∪ [[*]]X(Γ).

Definition 4.5 [Successor normal form]

(i) An LTL formula is in an LTL successor normal form (LSNF) if it is in NNF and is a Boolean combination of literals and successor formulae, i.e., LTL formulae beginning with X.
(ii) An ATL∗ formula is in a successor normal form (SNF) if it is in NNF and is a Boolean combination of literals and ATL∗ successor formulae.

Lemma 4.6 Every LTL-formula ζ can be effectively transformed to an equivalent formula in LTL successor normal form LSNF(ζ), of length at most 6|ζ|.

Proof. We can assume that ζ is already transformed to NNF (of length less than twice the original length). Consider all maximal subformulae of ζ of the types (θUη) and (θRη). Replace each of them with its LTL-equivalent fixpoint unfolding, respectively η ∨ (θ ∧ X(θUη)) and η ∧ (θ ∨ X(θRη)). Then, the same procedure is applied recursively to all respective subformulae θ, η occurring above and not in the scope of X, until all occurrences of U and R get in the scope of X.
This procedure at most triples the length of the starting formula and the result is clearly a formula in LSNF. □

Definition 4.7 [Conjunctive formulae in SNF] An ATL∗ formula in SNF is conjunctive if it is of the form

Θ = Φ ∧ 〈〈A0〉〉XΦ0 ∧ . . . ∧ 〈〈A_{m−1}〉〉XΦ_{m−1} ∧ [[B0]]XΨ0 ∧ . . . ∧ [[B_{n−1}]]XΨ_{n−1}

With every such formula Θ we associate the set of its successor conjuncts:

C(Θ) = {〈〈A0〉〉XΦ0, . . . , 〈〈A_{m−1}〉〉XΦ_{m−1}, [[B0]]XΨ0, . . . , [[B_{n−1}]]XΨ_{n−1}}

4.3 Sets of distributed control of ATL∗ formulae

Definition 4.8 [Set of distributed control] A set of ATL∗ formulae ∆ is a set of distributed control if ∆ = {〈〈A0〉〉Φ0, . . . , 〈〈A_{l−1}〉〉Φ_{l−1}, [[B]]Ψ} where the coalitions A0, . . . , A_{l−1} are pairwise disjoint, and A0 ∪ . . . ∪ A_{l−1} ⊆ B.

Lemma 4.9 A set of ATL∗ successor formulae

Γ = {〈〈A0〉〉XΦ0, . . . , 〈〈A_{m−1}〉〉XΦ_{m−1}, [[B0]]XΨ0, . . . , [[B_{n−1}]]XΨ_{n−1}, [[A]]X⊤}

is satisfiable if and only if every subset of distributed control ∆ of Γ has a satisfiable set of successor components.

Proof. First, note that the formula [[A]]X⊤ is valid, so it plays no role in the satisfiability of Γ; it is only added there in order to enable sufficiently many subsets of distributed control.

Now, suppose Γ is true at a state s of a CGM M. Then for every subset of distributed control ∆ = {〈〈A0〉〉XΦ0, . . . , 〈〈A_{l−1}〉〉XΦ_{l−1}, [[B]]XΨ} consider collective actions for the coalitions A0, . . . , A_{l−1} at s that guarantee satisfaction of their respective nexttime objectives in ∆ in any of the resulting successor states. Add arbitrarily fixed actions of the remaining agents in B and a respective collective action for A \ B dependent on the so fixed actions of the agents in B, that brings about satisfaction of Ψ in the resulting successor state s′. Then all successor components of ∆ are true at s′.

Conversely, suppose that ∆_1, . . . , ∆_d are all subsets of Γ of distributed control and they are all satisfiable. For each ∆_i we fix a CGM M_i and a state s_i in it that satisfies SC(∆_i).
We can assume, w.l.o.g., that M_i is generated from s_i, i.e. consists only of states reachable by plays starting at s_i. We will construct a CGM satisfying Γ by using a construction from [8]. The idea is to first create a root state s and supply all agents with sufficiently many actions at s in order to ensure the existence of all collective actions and respective successor states necessary for satisfying the successor components of Γ. We will show that it suffices to take care of the sets of successor components of each subset of distributed control of Γ and then will use the CGMs satisfying these to complete the construction of the model satisfying Γ.

Now, the construction. Recall that |A| = k and let r = m + n (the numbers of 〈〈*〉〉- and [[*]]-components in Γ). Each agent will have r available actions {0, . . . , r − 1} at the root state s, hence {0, . . . , r − 1}^k is the set of all possible action profiles at s. The intuition is that every agent's action at s is a choice of that agent of a formula from Γ for the satisfaction of which the agent chooses to act. For every such action profile σ we denote by N(σ) the set of agents {i | σ_i ≥ m} and then we define the number neg(σ) to be the remainder of [∑_{i∈N(σ)} (σ_i − m)] modulo n. (The idea of this definition is that, once all agents in any given proper subset of N(σ) choose their actions, the remaining agents in N(σ) can act accordingly to yield any value of neg(σ) between 0 and n − 1 they wish, i.e., to set the "collective action" of all agents in neg(σ) on any [[*]]X-formula in Γ they choose.) Now, we consider the set

∆_σ = {〈〈A_j〉〉XΦ_j | j < m and σ_i = j for all i ∈ A_j} ∪ {[[B_l]]XΨ_l | neg(σ) = l and A \ B_l ⊆ N(σ)}

Note that ∆_σ is a subset of Γ of distributed control if it contains a formula [[B_j]]XΨ, or else can be made a set of distributed control by adding [[A]]X⊤ to it.
Indeed, all agents in A_j choose j, so all coalitions A_j must be pairwise disjoint. Besides, if [[B_l]]XΨ_l ∈ ∆_σ then it is clearly a unique [[*]]-formula in ∆_σ and no agents from any A_j ∈ ∆_σ are in N(σ), hence A_j ⊆ B_l for each 〈〈A_j〉〉XΦ_j ∈ ∆_σ. Thus, ∆_σ is one of ∆_1, . . . , ∆_d, say ∆_i. Then, we determine the successor state out(s, σ) to be s_i. To complete the definition of the CGM, at each successor state s_i of s we graft a copy of M_i.

We will show that the resulting CGM M satisfies Γ at s. Indeed, for every 〈〈A_j〉〉XΦ_j ∈ Γ a collective strategy for A_j that guarantees the satisfaction of that formula at s consists in all agents from A_j acting j at s, following their strategy that guarantees in M_i the satisfaction of the objective Φ_j if the play enters the copy of M_i, and acting in an arbitrarily fixed manner at all other states of M. (Note that, if the strategy for A_j in M_i is positional, then the above described strategy is positional, too.) Lastly, every [[B_l]]XΨ_l ∈ Γ is true at s, too, because if B_l ≠ A then for every collective action of all agents from [[B_l]]X there is a suitable complementary action of A \ B_l, where all agents choose actions greater than m and such that neg(σ) adds up to l modulo n. (In fact, this can be guaranteed by any agent in A \ B_l after all others have chosen their actions.) In the case when B_l = A, every subset {〈〈A_j〉〉XΦ_j, [[B_l]]XΨ_l} for j < m is of distributed control, hence Ψ_l is true at the root s_i of M_i for each i = 1, ..., d. Thus, M, s ⊨ Γ, which completes the proof. □

A consequence of the proof above is that memoryless and memory-based semantics yield the same satisfiable state formulae in the flat fragments.

Corollary 4.10 A St(ATL∗1) formula Φ is satisfiable in the memoryless semantics if and only if it is satisfiable in the memory-based semantics.

Proof. Lemma 4.9 can be proved for memoryless semantics in the same way, but only for St(ATL∗1) formulae.
This is because the successor components are LTL formulae which have the same semantics with and without memory. Further, for both semantics each subformula $\langle\langle A\rangle\rangle\theta$ or $[[A]]\theta$ of $\Phi$ with a strategic quantifier as main connective can be converted to SNF by converting $\theta$ to LSNF using Lemma 4.6. Then, we can use the memoryless and memory-based version of Lemma 4.9 and obtain that $\Phi$ is satisfiable in the memory-based semantics if and only if it is satisfiable in the memoryless semantics since the satisfiable sets of successor components are the same for the two types of semantics. □

5 Optimal decision procedures for satisfiability in fragments of $\mathrm{ATL}^*_1$

5.1 Centipede models. Satisfiability in $\mathrm{LTL}_1$, $\mathrm{CTL}_1$ and $\mathrm{CTL}^+_1$

Satisfiability of $\mathrm{LTL}_1$ is analyzed in [5]. In particular, it is shown that if an $\mathrm{LTL}_1$ formula $\theta$ is satisfiable then it is satisfiable in a model of the form $s_0 s_1 \ldots s_\ell^\omega$ where $\ell = |\theta|$. Consequently, it is shown that satisfiability of $\mathrm{LTL}_1$ is NP-complete. We provide similar results for $\mathrm{CTL}^+_1$ and $\mathrm{CTL}_1$ here.

Proposition 5.1 If a $\mathrm{CTL}^+_1$ formula $\varphi$ has a model, then it has a model with at most $O(|\varphi|^2)$ states.

Proof. Suppose $\mathcal{M}, s_0 \models \varphi$ for a $\mathrm{CTL}^+_1$ formula $\varphi$, a model $\mathcal{M}$ and a state $s_0$. Assume w.l.o.g. that $\varphi$ is in NNF. We generate another model $\mathcal{M}'$ with $O(|\varphi|^2)$ states and a state $s'_0$ such that $\mathcal{M}', s'_0 \models \varphi$.

Let $\Delta_Q$ be the set of subformulae of $\varphi$ that have $Q$ as main connective for $Q \in \{\mathsf{E}, \mathsf{A}\}$ and let $\Delta_B$ be the set of maximal Boolean subformulae of $\varphi$ that do not occur in the scope of a path quantifier. For each $Z \in \{\mathsf{E}, \mathsf{A}, B\}$ let $\Delta^\top_Z \subseteq \Delta_Z$ be the subsets satisfied in $\mathcal{M}, s_0$. Now, for each $\mathsf{E}\psi \in \Delta^\top_{\mathsf{E}}$ let $\rho^\psi = \rho^\psi_0 \rho^\psi_1 \ldots$ be a path in $\mathcal{M}$ starting in $s_0$ such that $\rho^\psi \models \psi$. Since $\mathcal{M}, s_0 \models \varphi$ we have for every $\mathsf{A}\psi' \in \Delta^\top_{\mathsf{A}}$ that $\rho^\psi \models \psi'$ because $\psi'$ is satisfied along all paths from $s_0$. Further, $\rho^\psi_0 = s_0$ implies that

$$\rho^\psi \models \psi \wedge \bigwedge_{\mathsf{A}\psi' \in \Delta^\top_{\mathsf{A}}} \psi' \wedge \bigwedge_{\beta \in \Delta^\top_B} \beta.$$

Since this is an $\mathrm{LTL}_1$ formula of size at most $|\varphi|$ it has a model $\pi^\psi$ of the form $\pi^\psi_0 \ldots (\pi^\psi_{|\varphi|})^\omega$ where $\pi^\psi_0$ is labelled as $s_0$.
Now, by gluing together each path $\pi^\psi$ (which is made finite by adding a self-loop to the state $\pi^\psi_{|\varphi|}$) in the initial state $s'_0$ we obtain a transition system $\mathcal{M}'$ such that $\mathcal{M}', s'_0 \models \varphi$. Since $|\Delta^\top_{\mathsf{E}}| \leq |\varphi|$ there are at most $O(|\varphi|^2)$ states in $\mathcal{M}'$. □

Further, we will see that for satisfiable formulae of $\mathrm{CTL}^*_1$, $\mathrm{ATL}_1$ and $\mathrm{St}(\mathrm{ATL}^*_1)$ there are models that can be obtained by gluing together ultimately periodic paths as in the proof of Proposition 5.1. We call such models centipede models, illustrated in Figure 2. Note that these models only branch in the initial state.

Fig. 2. A centipede model

However, for the flat fragments $\mathrm{CTL}^*_1$, $\mathrm{ATL}_1$, $\mathrm{St}(\mathrm{ATL}^*_1)$ models of polynomial size are not guaranteed to exist as for $\mathrm{CTL}^+_1$. First, the length of the period and the prefix of the ultimately periodic paths can be exponential due to LTL subformulae in the case of $\mathrm{CTL}^*_1$ and $\mathrm{St}(\mathrm{ATL}^*_1)$. Second, in the cases of $\mathrm{ATL}_1$ and $\mathrm{St}(\mathrm{ATL}^*_1)$ (but not for $\mathrm{CTL}^*_1$) an exponential branching factor in the initial state may be forced by a formula. Indeed, consider the following $\mathrm{ATL}_1$ formula

$$\varphi = \bigwedge_{i=1}^{n} \langle\langle i\rangle\rangle \mathsf{X}\, p_i \wedge \langle\langle i\rangle\rangle \mathsf{X}\, \neg p_i$$

over the propositions $\{p_1, \ldots, p_n\}$ and players $\{1, \ldots, n\}$. For a state $s_0$ to satisfy this formula there has to be a successor state for each possible truth assignment to the propositions $\{p_1, \ldots, p_n\}$, of which there are $2^n$. This phenomenon does not occur in the branching-time logic $\mathrm{CTL}^*_1$.

Proposition 5.2 Satisfiability in $\mathrm{CTL}^+_1$ is NP-complete.

Proof. NP-hardness follows directly from Boolean satisfiability. An NP-algorithm for $\mathrm{CTL}^+_1$ works as follows.
It takes as input a $\mathrm{CTL}^+_1$ formula $\varphi$ in NNF, hence a positive Boolean combination of flat $\mathrm{CTL}^+_1$ state formulae, and guesses non-deterministically a centipede model $\mathcal{M}, s_0$ of size $O(|\varphi|^2)$ for $\varphi$, as well as the disjuncts in $\varphi$ that evaluate to true at $s_0$. (According to Proposition 5.1, if $\varphi$ has a model then it has a model of this form and size.) After guessing, it checks whether the resulting formula of the form $\varphi' = \beta \wedge \bigwedge_{i=0}^{\ell} \varphi'_i$ is true in the guessed model where $\beta$ is a Boolean formula and each $\varphi'_i$ is of the form $\mathsf{A}\theta_i$ or $\mathsf{E}\theta_i$ for an $\mathrm{LTL}_1$ formula $\theta_i$. First, the model-checking of $\beta$ can be done in linear time. Next, for each of the $O(|\varphi|)$ formulae $\theta_i$ it can be checked whether it is true in each of the $O(|\varphi|)$ paths of the centipede model in polynomial time since LTL model-checking of an ultimately periodic path of length $O(|\varphi|)$ can be done in polynomial time in $|\varphi|$ [11]. Thus, the guess can be verified in polynomial time due to the small model property of Proposition 5.1 and the centipede shape of the model. □

Corollary 5.3 Satisfiability in $\mathrm{CTL}_1$ is NP-complete.

5.2 Lower bound for satisfiability in $\mathrm{ATL}_1$

Proposition 5.4 $\mathrm{ATL}_1$-SAT is $\Sigma^P_3$-hard.

Proof. The proof is by reduction from the $\Sigma^P_3$-SAT problem, which is $\Sigma^P_3$-complete. This problem takes as input a quantified Boolean sentence

$$\gamma = \exists x_1, \ldots, x_m\, \forall x_{m+1}, \ldots, x_k\, \exists x_{k+1}, \ldots, x_n.\ \gamma'$$

where $\gamma'$ is a Boolean formula over the Boolean variables $x_1, \ldots, x_n$. The output is true if and only if $\gamma$ is true.

Given $\gamma$, we construct an $\mathrm{ATL}_1$ formula $\psi(\gamma)$ over the set $\mathrm{Prop} = \{x_1, \ldots, x_n\}$ of proposition symbols as follows

$$\psi = \bigwedge_{j=1}^{m} (\mathsf{AX}\, x_j \vee \mathsf{AX}\, \neg x_j) \wedge \bigwedge_{i=m+1}^{n} (\langle\langle\{i\}\rangle\rangle \mathsf{X}\, x_i \wedge \langle\langle\{i\}\rangle\rangle \mathsf{X}\, \neg x_i) \wedge \neg\langle\langle\{m+1, \ldots, k\}\rangle\rangle \mathsf{X}\, \neg\gamma'$$

We now claim that $\gamma$ is true if and only if $\psi(\gamma)$ is satisfiable.

First, suppose that $\gamma$ is true. Then we construct a CGM $\mathcal{M} = (A, \mathrm{St}, \{\mathrm{Act}_a\}_{a \in A}, \{\mathrm{act}_a\}_{a \in A}, \mathrm{out}, \mathrm{Prop}, L)$ and a state $s_0 \in \mathrm{St}$, such that $\mathcal{M}, s_0 \models \psi(\gamma)$, as follows. Let $A = \{m+1, \ldots, n\}$, $\mathrm{St} = \{s_0\} \cup \{s_{v_{m+1}, \ldots, v_n} \mid v_i \in \{0, 1\} \text{ for } m+1 \leq i \leq n\}$, $\mathrm{Act}_a = \{0, 1\}$ for all $a \in A$.
Then, for every agent $a \in A$ define $\mathrm{act}_a(s_0) = \{0, 1\}$ and $\mathrm{act}_a(s) = \{0\}$ for all $s \neq s_0$. The transitions are defined by $\mathrm{out}(s_0, \langle v_{m+1}, \ldots, v_n\rangle) = s_{v_{m+1}, \ldots, v_n}$ and $\mathrm{out}(s, \alpha_A) = s$ for all $s \neq s_0$ and all action profiles $\alpha_A$. The set of proposition symbols is $\mathrm{Prop} = \{x_1, \ldots, x_n\}$. The labelling is given by $L(s_0) = \emptyset$ and for every $i \in \{m+1, \ldots, n\}$ we have $x_i \in L(s_{v_{m+1}, \ldots, v_n})$ if and only if $v_i = 1$ when $s_{v_{m+1}, \ldots, v_n} \in \mathrm{St} \setminus \{s_0\}$. Finally, let $x'_1, \ldots, x'_m$ be particular values such that

$$\forall x_{m+1}, \ldots, x_k\, \exists x_{k+1}, \ldots, x_n.\ \gamma'[x_1 \mapsto x'_1, \ldots, x_m \mapsto x'_m]$$

is true. Such values exist since $\gamma$ is true. For $1 \leq i \leq m$ and every $s_{v_{m+1}, \ldots, v_n} \in \mathrm{St} \setminus \{s_0\}$, let $x_i \in L(s_{v_{m+1}, \ldots, v_n})$ if and only if $x'_i = 1$.

Intuitively, for all $i$ such that $m+1 \leq i \leq n$ player $i$ chooses the value of $x_i$ in the successor state and then the play stays in that state forever. The value of $x_i$ for $1 \leq i \leq m$ in the successor state is defined by the values $x'_1, \ldots, x'_m$. The subformula $\bigwedge_{i=m+1}^{n} (\langle\langle\{i\}\rangle\rangle \mathsf{X}\, x_i \wedge \langle\langle\{i\}\rangle\rangle \mathsf{X}\, \neg x_i)$ is clearly true at $s_0$. The same is the case for $\bigwedge_{j=1}^{m} (\mathsf{AX}\, x_j \vee \mathsf{AX}\, \neg x_j)$. Next, since $\gamma$ is true when $x_i$ takes the values $x'_i$ for $1 \leq i \leq m$, then no matter which values of $x_i$ are chosen by players in $\{m+1, \ldots, k\}$ there exist values of $x_i$ for players in $\{k+1, \ldots, n\}$ such that $\gamma'$ is true in the successor state. Thus, coalition $\{m+1, \ldots, k\}$ does not have a strategy to ensure that $\gamma'$ is false in the successor state. Thus, $\mathcal{M}, s_0 \models \psi(\gamma)$.

For the converse direction, suppose that $\psi(\gamma)$ is satisfied by some model $\mathcal{M}, s_0$. For contradiction, suppose that $\gamma$ is false. Then for all $x_1, \ldots, x_m$ there exists $x_{m+1}, \ldots, x_k$ such that $\gamma'$ is false for all $x_{k+1}, \ldots, x_n$. In particular, this must be the case when $x_i$ take the unique values $x'_i$ for $1 \leq i \leq m$ that are true in all successors of $s_0$. These are unique since $s_0$ satisfies $\bigwedge_{j=1}^{m} (\mathsf{AX}\, x_j \vee \mathsf{AX}\, \neg x_j)$.
In this case there exist particular values $x'_i$ for $m+1 \leq i \leq k$ such that $\gamma'$ is false for all $x_{k+1}, \ldots, x_n$ when $x_i$ take the values $x'_i$ for $m+1 \leq i \leq k$. Consider the strategy for coalition $\{m+1, \ldots, k\}$ that chooses these values for $x_i$ in the successor state for $m+1 \leq i \leq k$. This strategy ensures that $\gamma'$ is false in the successor state. However, this contradicts the fact that $\mathcal{M}, s_0 \models \neg\langle\langle\{m+1, \ldots, k\}\rangle\rangle \mathsf{X}\, \neg\gamma'$. Thus, $\gamma$ must be true. This completes the proof. □

Note that the hardness result only requires the use of the temporal operator $\mathsf{X}$ and neither $\mathsf{U}$ nor $\mathsf{R}$. This is interesting since this lower bound will be shown to be an upper bound for the full $\mathrm{ATL}^+_1$ in the following section. Thus, the $\langle\langle\cdot\rangle\rangle\mathsf{X}$ fragment of $\mathrm{ATL}_1$ is as hard as the full $\mathrm{ATL}^+_1$.

5.3 Deciding satisfiability in $\mathrm{St}(\mathrm{ATL}^*_1)$ and $\mathrm{ATL}^+$

Lemma 5.5 Let $\Phi = \langle\langle C\rangle\rangle\Psi$ be an $\mathrm{ATL}^*$ formula and let $\mathrm{Prop}(\Phi) = \{p_1, \ldots, p_r\}$ be the set of atomic propositions occurring in $\Phi$. Consider any mapping $v : \mathrm{Prop}(\Phi) \to \{\top, \bot\}$ and let $v[\Phi]$ be the result of substitution of all occurrences of $p_i$ in $\Phi$ which are not in the scope of a temporal operator by $v(p_i)$, for each $p_1, \ldots, p_r$. Further, let

$$\delta(v) := \bigwedge_{v(p_i) = \top} p_i \wedge \bigwedge_{v(p_i) = \bot} \neg p_i$$

Then, $\delta(v) \wedge \Phi \equiv \delta(v) \wedge v[\Phi]$.

Proof. Consider any CGM $\mathcal{M}$ and a state $s$ in it. If $\delta(v)$ is false at $s$ then both sides are false. Suppose $\mathcal{M}, s \models \delta(v)$. Then $\mathcal{M}, s \models v(p_i) \leftrightarrow p_i$ for each $p_1, \ldots, p_r$. Then, $\Phi$ and $v[\Phi]$ are equally true or false at $s$, as they only differ in the occurrences of atomic propositions that are evaluated at $s$. □

Proposition 5.6
(i) The satisfiability testing for $\mathrm{St}(\mathrm{ATL}^*_1)$ is in PSPACE.
(ii) The satisfiability testing for $\mathrm{ATL}^+_1$ (and $\mathrm{ATL}_1$) is in $\Sigma^P_3$.

Proof. The decision procedures for both $\mathrm{St}(\mathrm{ATL}^*_1)$ and $\mathrm{ATL}^+_1$ will be essentially the same, but in their last phases they work in different computational complexities. First, consider an $\mathrm{St}(\mathrm{ATL}^*_1)$ formula $\Phi$ and let $\mathrm{Prop}(\Phi) = \{p_1, \ldots, p_r\}$. The formula $\Phi$ is a Boolean combination of atomic propositions and subformulae of the type $\langle\langle C\rangle\rangle\theta$ where $\theta \in \mathrm{LTL}$. By Lemma 4.6, we can assume that each such $\theta$ is in a LSNF of linearly increased length, i.e., is a Boolean combination of atomic propositions and $\mathsf{X}$-formulae (formulae beginning with $\mathsf{X}$) of LTL.

The algorithm now works as follows:

1. Guess a truth assignment $\tau$ for the atomic propositions in $\mathrm{Prop}(\Phi)$ at a state $s$ of a CGM satisfying $\Phi$, if any. Consider the unique map $v : \mathrm{Prop}(\Phi) \to \{\top, \bot\}$ for which $\delta(v)$ is true under $\tau$. By Lemma 5.5, each maximal subformula $\langle\langle C\rangle\rangle\theta$ in $\Phi$ can be equivalently replaced by $v[\langle\langle C\rangle\rangle\theta]$, which is $\langle\langle C\rangle\rangle v[\theta]$.

2. After elementary Boolean simplifications (of the type $\top \wedge A \equiv A$, $\bot \wedge A \equiv \bot$, etc.) each $v[\theta]$ is transformed to a Boolean combination of $\mathsf{X}$-formulae only. Using the LTL validities $\mathsf{X}\eta \wedge \mathsf{X}\zeta \equiv \mathsf{X}(\eta \wedge \zeta)$ and $\mathsf{X}\eta \vee \mathsf{X}\zeta \equiv \mathsf{X}(\eta \vee \zeta)$, it is further equivalently transformed into an $\mathsf{X}$-formula which is at most as long. The original formula is now (non-deterministically) transformed to an equisatisfiable Boolean combination of $\mathrm{ATL}^*$ formulae of type $\langle\langle C\rangle\rangle \mathsf{X}\theta$ and $[[C]]\mathsf{X}\theta$.

3. Now, assuming that the resulting formula is satisfiable, we further guess the true disjuncts in every $\vee$-subformula in a satisfying CGM and reduce the problem to checking satisfiability of a conjunctive formula of the type

$$\Theta = \langle\langle A_0\rangle\rangle \mathsf{X}\theta_0 \wedge \ldots \wedge \langle\langle A_{m-1}\rangle\rangle \mathsf{X}\theta_{m-1} \wedge [[B_0]]\mathsf{X}\eta_0 \wedge \ldots \wedge [[B_{n-1}]]\mathsf{X}\eta_{n-1}$$

Let $D(\Theta)$ be the union of the set $C(\Theta)$ of conjuncts of $\Theta$ and $\{[[A]]\mathsf{X}\top\}$, i.e.

$$D(\Theta) = \{\langle\langle A_0\rangle\rangle \mathsf{X}\theta_0, \ldots, \langle\langle A_{m-1}\rangle\rangle \mathsf{X}\theta_{m-1}, [[B_0]]\mathsf{X}\eta_0, \ldots, [[B_{n-1}]]\mathsf{X}\eta_{n-1}, [[A]]\mathsf{X}\top\}$$

4. By Lemma 4.9, the set $D(\Theta)$ is satisfiable iff every subset of distributed control of it has a satisfiable set of successor components. Since each of them is a set of LTL formulae, these checks can be done using standard techniques.

Each check in step 4 of the algorithm can be done in PSPACE when $\Phi$ is a $\mathrm{St}(\mathrm{ATL}^*_1)$ formula, since each successor component is an LTL formula.
In the case of $\mathrm{ATL}^+_1$ the checks can be done in NP according to [5], as in this case each successor component is an $\mathrm{LTL}_1$ formula. Hence, checking that each of the (possibly exponentially many) subsets of distributed control is satisfiable can be done in $\mathrm{coNP}^{\mathrm{PSPACE}} = \mathrm{PSPACE}$ for $\mathrm{St}(\mathrm{ATL}^*_1)$ and in $\mathrm{coNP}^{\mathrm{NP}}$ for $\mathrm{ATL}^+_1$. Thus, the whole procedure can be done respectively in $\mathrm{NP}^{\mathrm{PSPACE}} = \mathrm{PSPACE}$ for $\mathrm{St}(\mathrm{ATL}^*_1)$ and in $\mathrm{NP}^{\mathrm{coNP}^{\mathrm{NP}}}$ for $\mathrm{ATL}^+_1$, by guessing the true propositions in the initial state and the true disjuncts in $\Phi$, and then applying resp. a PSPACE-oracle and a $\mathrm{coNP}^{\mathrm{NP}}$-oracle. Since $\mathrm{NP}^{\mathrm{coNP}^{\mathrm{NP}}} = \Sigma^P_3$ the proof is completed. □

This result, combined with Proposition 5.4 and the PSPACE-hardness of LTL satisfiability, yields the following.

Theorem 5.7 The satisfiability problem of
(i) $\mathrm{St}(\mathrm{ATL}^*_1)$ is PSPACE-complete
(ii) $\mathrm{CTL}^*_1$ is PSPACE-complete
(iii) $\mathrm{ATL}^+_1$ is $\Sigma^P_3$-complete
(iv) $\mathrm{ATL}_1$ is $\Sigma^P_3$-complete

Here is another consequence of the proof of Proposition 5.6:

Corollary 5.8 Every satisfiable $\mathrm{St}(\mathrm{ATL}^*_1)$ formula $\Phi$ has a centipede model $\mathcal{M}$ with branching factor $O(2^{|\Phi|})$ in the root. Further, every ultimately periodic path in $\mathcal{M}$ has a prefix of length $O(2^{|\Phi|})$ and a period of length $O(|\Phi| \cdot 2^{|\Phi|})$.

5.4 PSPACE decision procedure for the satisfiability in $\mathrm{ATL}^*_1$

The decision procedure for $\mathrm{St}(\mathrm{ATL}^*_1)$ can be extended to a PSPACE-complete decision procedure for the whole $\mathrm{ATL}^*_1$, by combining it with a PSPACE decision procedure for LTL and showing that every path-satisfiable $\mathrm{ATL}^*_1$ formula can be satisfied in a special type of CGMs described below. The proof of the latter is rather lengthy (see brief discussion further), so we only state and prove here the easier case of the slightly smaller fragment $\widehat{\mathrm{ATL}}^*_1$, where no strategic quantifiers $\langle\langle\emptyset\rangle\rangle$ (i.e., fully universal path quantifiers) are allowed. We only note that the procedure for the full $\mathrm{ATL}^*_1$ is essentially the same.
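
Steps 3 and 4 of the procedure in the proof of Proposition 5.6 can be run directly on the formula ψ(γ) from the proof of Proposition 5.4, whose successor components are plain Boolean formulae, and the outcome compared with the truth of γ. The following Python code is an added example, not the authors' code: the function names, the encoding of formulae as (coalition, predicate) pairs and the sample γ′ are constructed for illustration, and satisfiability of successor components is checked by brute force rather than within the stated complexity bounds. It assumes that [[C]]Xθ abbreviates ¬〈〈C〉〉X¬θ, that AX is 〈〈∅〉〉X, and that a subset of distributed control is, as read off the proof of Lemma 4.9, one [[B]]X-formula together with 〈〈A_j〉〉X-formulae whose coalitions are pairwise disjoint and contained in B.

```python
from itertools import combinations, product

# A one-step formula is a pair (coalition, theta): coalition is a frozenset of
# agents, theta a predicate on a successor-state valuation {prop: bool}.
# <<C>>X theta entries go in `diamonds`, [[C]]X theta entries in `boxes`.

def satisfiable(preds, props):
    """Brute-force Boolean satisfiability of a set of successor components."""
    return any(all(p(dict(zip(props, bits))) for p in preds)
               for bits in product([False, True], repeat=len(props)))

def distributed_control_subsets(diamonds, boxes):
    """Yield every subset with exactly one [[B]]X formula and <<A_j>>X
    formulae whose coalitions are pairwise disjoint and contained in B
    (assumed definition, read off the proof of Lemma 4.9)."""
    for B, eta in boxes:
        inside = [d for d in diamonds if d[0] <= B]
        for size in range(len(inside) + 1):
            for pick in combinations(inside, size):
                if all(a.isdisjoint(b)
                       for (a, _), (b, _) in combinations(pick, 2)):
                    yield pick, eta

def conjunctive_sat(diamonds, boxes, agents, props):
    """Step 4: D(Theta) is satisfiable iff every subset of distributed
    control has a satisfiable set of successor components."""
    boxes = boxes + [(frozenset(agents), lambda v: True)]  # add [[A]]X true
    return all(satisfiable([theta for _, theta in pick] + [eta], props)
               for pick, eta in distributed_control_subsets(diamonds, boxes))

def literal(i, positive):
    """Predicate for x_i (positive=True) or not x_i (positive=False)."""
    return lambda v: v[i] == positive

def psi_satisfiable(gamma_prime, m, k, n):
    """Decide psi(gamma) from the proof of Proposition 5.4."""
    props = list(range(1, n + 1))
    agents = range(m + 1, n + 1)
    players = [(frozenset({i}), literal(i, sign))
               for i in agents for sign in (True, False)]
    # not <<{m+1..k}>> X not gamma'  is  [[{m+1..k}]] X gamma'
    box = [(frozenset(range(m + 1, k + 1)), gamma_prime)]
    # Step 3: guess the true disjunct of each (AX x_j or AX not x_j).
    for guess in product([False, True], repeat=m):
        universal = [(frozenset(), literal(j + 1, b))
                     for j, b in enumerate(guess)]
        if conjunctive_sat(universal + players, box, agents, props):
            return True
    return False

def qbf_true(gamma_prime, m, k, n):
    """Reference answer: evaluate the quantifier prefix by brute force."""
    bools = [False, True]
    val = lambda xs: gamma_prime(dict(zip(range(1, n + 1), xs)))
    return any(all(any(val(e1 + a + e2) for e2 in product(bools, repeat=n - k))
                   for a in product(bools, repeat=k - m))
               for e1 in product(bools, repeat=m))

# Constructed samples, prefix "exists x1 forall x2 exists x3" (m=1, k=2, n=3).
SAMPLES = {
    "x3 <-> (x1 and x2)": lambda v: v[3] == (v[1] and v[2]),
    "x1 and x2 and x3": lambda v: v[1] and v[2] and v[3],
    "(x1 or x2) and (x3 <-> x2)": lambda v: (v[1] or v[2]) and v[3] == v[2],
    "x1 <-> x2": lambda v: v[1] == v[2],
}

if __name__ == "__main__":
    for name, g in SAMPLES.items():
        print(name, psi_satisfiable(g, 1, 2, 3), qbf_true(g, 1, 2, 3))
```

The same `conjunctive_sat` check accepts the branching formula of Section 5.1, since 〈〈i〉〉X pᵢ and 〈〈i〉〉X¬pᵢ share a coalition and so never occur together in one subset of distributed control.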
First, recall that every satisfiable LTL formula has an ultimately periodic linear model with prefix and period that both have length exponential in the size of the formula [14]. Further, according to Corollary 5.8, every satisfiable $\mathrm{St}(\mathrm{ATL}^*_1)$ formula can be satisfied at the root state of a centipede model of exponentially bounded number and length of legs. Combining these results leads to a new type of CGMs which we call Lasso of Centipedes (LoC) models. Such models consist of an ultimately periodic path (the lasso) where each state is the root of a centipede model. An illustration of a model like this is shown in Figure 3.

Proposition 5.9 Every satisfiable $\widehat{\mathrm{ATL}}^*_1$ formula $\Phi$ is satisfied in a LoC model with size bounded exponentially in $|\Phi|$.

Proof. Given an $\widehat{\mathrm{ATL}}^*_1$ formula $\Phi$ we define its LTL skeleton $Sk_{LTL}(\Phi)$ as follows: Let the state subformulae of $\Phi$ of type $\langle\langle C\rangle\rangle\theta$ or $[[C]]\theta$ be $\Psi_1, \ldots, \Psi_n$. For each of them $\Psi$ we introduce a new (not in $\mathrm{Prop}$) atomic proposition $p_\Psi$. Then we produce the LTL formula $\Phi$ by replacing every occurrence of such a subformula $\Psi$ in $\Phi$ by $p_\Psi$. Now, define

$$Sk_{LTL}(\Phi) ::= \Phi \wedge \bigwedge_{i}^{n} \mathsf{G}\,(p_{\Psi_i} \to \Psi_i)$$

Fig. 3. A Lasso of Centipedes (LoC) model

We claim that any CGM $\mathcal{M}$ and a path $\pi$ in it on which $\Phi$ is true can be expanded to a CGM $\mathcal{M}$ and a path $\pi$ in it satisfying $Sk_{LTL}(\Phi)$, by evaluating each new atomic proposition $p_\Psi$ to be true at exactly those states of $\pi$ at which $\Psi$ is true in $\mathcal{M}$. Conversely, for any CGM $\mathcal{M}$ and a path $\pi$ in it on which $Sk_{LTL}(\Phi)$ is true, the formula $\Phi$ is true on $\pi$, too, because all atomic propositions $p_{\Psi_i}$ occur only positively in $\Phi$, so replacing them with the respective $\Psi_i$'s will preserve the truth.

Thus, it suffices to show that if $Sk_{LTL}(\Phi)$ is path-satisfiable then it can be satisfied on the lasso path in some LoC model of size bounded exponentially in $|\Phi|$.
Indeed, take any CGM $\mathcal{M}$ and a path $\pi$ in it on which $Sk_{LTL}(\Phi)$ is true. Then, in particular, the path $\pi$ alone is a linear model for $\Phi$. Now, take an ultimately periodic linear model $\pi$ of length bounded exponentially in $|\Phi|$, hence in $|\Phi|$. Such a model can be obtained from $\pi$ by cutting its tail off at a suitable position and looping back to a suitable previous state. Thus, every state in $\pi$ has the label of a prototype state in $\pi$. Now, for every state $\hat{s}$ on $\pi$, let $s$ be its prototype in $\pi$. We do the following.

• Consider the set $\Gamma(s)$ of state subformulae $\Psi$ of $\Phi$ such that $p_\Psi$ is in the label of $s$ in $\pi$. Since $Sk_{LTL}(\Phi)$ is true on $\pi$, every formula in $\Gamma(s)$ is true at $s$ in $\mathcal{M}$. Thus, $\Gamma(s)$ is satisfiable, hence by Corollary 5.8, it can be satisfied at the root state of a centipede model $\mathcal{M}(\Gamma(s))$ of exponentially bounded in $|\Phi|$ number and length of legs.

• Now, we graft a copy of $\mathcal{M}(\Gamma(s))$ at the state $\hat{s}$ in $\pi$ by identifying its root with $\hat{s}$ and keeping all other states disjoint from $\pi$.

• Next, we add a special new action for every agent at the state $\hat{s}$ and define the successor of the resulting action profile to be the successor of $\hat{s}$ on the path $\pi$, while every other action profile involving some (but not all) of these special new actions leads to a successor of $\hat{s}$ in the grafted copy of $\mathcal{M}(\Gamma(s))$, chosen so as not to affect the truth of any of the formulae from $\Gamma(s)$ at $\hat{s}$. We omit the easy but tedious details of this construction.

After completing this procedure for each state of $\pi$, the result is a LoC model $\mathcal{M}$ which, by construction, satisfies the formula $\Phi$ on $\pi$ and satisfies at each state $\hat{s}$ on $\pi$ the set $\Gamma(s)$.
Therefore, $\mathcal{M}, \pi \models Sk_{LTL}(\Phi)$, hence $\mathcal{M}, \pi \models \Phi$. □

For lack of space we only briefly indicate the additional complication in extending this result to $\mathrm{ATL}^*_1$: if a subformula $\Psi = \langle\langle\emptyset\rangle\rangle\theta$ is true at some state of the path $\pi$ in the CGM satisfying $\Phi$, its effect cannot be constrained only on the centipede model grafted at the respective state of $\mathcal{M}$, as done above, but it propagates through the path $\pi$ to all centipede models grafted at all further states on $\pi$. So, additional description in LTL is needed to describe and preserve this effect when converting $\pi$ into the lasso $\pi$. That is why we state the next result relativized to only what we have proved here.

Proposition 5.10 The path-satisfiability problem in LoC models of size bounded exponentially in the length of input $\mathrm{ATL}^*_1$ formulae is in PSPACE.

Proof. The algorithm begins like the PSPACE decision procedure for LTL satisfiability that guesses the lasso on the fly for an LTL input formula $\theta$ [14]. First, the length of the prefix and the length of the period are guessed. At each step around the lasso, the subformulae that are true from the current state are guessed non-deterministically and a local consistency check as well as a one-step consistency check are performed. Further, a set $\Delta$ (of at most polynomial size) of eventuality formulae is kept to make sure that all eventualities that are needed for $\theta$ to be true are actually true further on the lasso.

The algorithm for $\mathrm{ATL}^*_1$ works in the same way on an $\mathrm{ATL}^*_1$ formula $\Phi$, but treats strategically quantified subformulae of $\Phi$ as atomic propositions and, at each step of the procedure, the local consistency check includes verifying these subformulae that have to be true at the current state. This amounts to checking satisfiability of an $\mathrm{St}(\mathrm{ATL}^*_1)$ formula and can be done in PSPACE, by Theorem 5.7.
For the formulae of the form $\langle\langle A\rangle\rangle\theta$ where $A \neq \emptyset$ this can be done independently of the rest of the lasso, by ensuring that when agents in $A$ commit to satisfying $\theta$ then the play goes into the centipede (and stays there). But, when $A = \emptyset$ then $\theta$ has to be true on all paths from the current state. This includes both the path around the lasso and those that enter one of the centipedes at some point. Note that the original set $\Delta$ of formulae we are keeping only needs to be satisfied around the lasso. To keep track of this we keep, in addition to $\Delta$, an extra set of formulae $\Gamma$ which must be satisfied both around the lasso and on paths that exit to a centipede. Thus, the formulae in $\Gamma$ must be included in the $\mathrm{St}(\mathrm{ATL}^*_1)$ satisfiability check at each step. But since $\Gamma$ is polynomial in size at each step, this check can still be performed in PSPACE. This means that the entire procedure can be performed in PSPACE. □

Corollary 5.11 Satisfiability of $\widehat{\mathrm{ATL}}^*_1$ is PSPACE-complete.

6 Concluding remarks and summary of results

We have developed optimal decision procedures for the satisfiability problems in flat fragments of $\mathrm{ATL}^*$, and in particular $\mathrm{CTL}^*$, and have obtained exact complexity results for them. A summary of the main complexity results obtained in this paper is provided in the table in Fig. 4. It shows that these complexities are much lower than those for the full languages while, in view of Proposition 3.2, they are very tight with respect to syntactic extensions in terms of nesting depth of formulae.

| $L$ | SAT($L$) | SAT($L_1$) |
|---|---|---|
| $\mathrm{LTL}$ | PSPACE [14] | NP [5] |
| $\mathrm{CTL}$ | EXPTIME [6] | NP (Cor. 5.3) |
| $\mathrm{CTL}^+$ | 2EXPTIME [10] | NP (Prop. 5.2) |
| $\mathrm{CTL}^*$ | 2EXPTIME [6] | PSPACE (Theo. 5.7) |
| $\mathrm{ATL}$ | EXPTIME [16] | $\Sigma^P_3$ (Theo. 5.7) |
| $\mathrm{ATL}^+$ | 2EXPTIME [12][10] | $\Sigma^P_3$ (Theo. 5.7) |
| $\mathrm{ATL}^*$ | 2EXPTIME [12] | PSPACE (Theo. 5.7, Cor. 5.11) |

Fig. 4. Complexity of satisfiability. All results are completeness results.
In the case of $\mathrm{ATL}^*$ the results refer to $\mathrm{St}(\mathrm{ATL}^*_1)$ and $\widehat{\mathrm{ATL}}^*_1$.

References

[1] Ågotnes, T., V. Goranko and W. Jamroga, Alternating-time temporal logics with irrevocable strategies, in: D. Samet, editor, Proc. of TARK XI (2007), pp. 15–24.
[2] Alur, R., T. A. Henzinger and O. Kupferman, Alternating-time temporal logic, Journal of the ACM 49 (2002), pp. 672–713.
[3] Brihaye, T., A. Da Costa, F. Laroussinie and N. Markey, ATL with strategy contexts and bounded memory, in: Proc. of LFCS'2009, Springer LNCS 5407, 2009, pp. 92–106.
[4] Bulling, N. and W. Jamroga, Comparing variants of strategic ability: how uncertainty and memory influence general properties of games, J. of AAMAS (2013), pp. 1–45.
[5] Demri, S. and P. Schnoebelen, The complexity of propositional linear temporal logics in simple cases, Inf. Comput. 174 (2002), pp. 84–103.
[6] Emerson, E. A., Temporal and modal logic, in: Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics (B), 1990, pp. 995–1072.
[7] Goranko, V. and D. Shkatov, Tableau-based decision procedures for logics of strategic ability in multiagent systems, ACM Trans. Comput. Log. 11 (2009).
[8] Goranko, V. and G. van Drimmelen, Complete axiomatization and decidability of Alternating-time temporal logic, Theor. Comp. Sci. 353 (2006), pp. 93–117.
[9] Halpern, J. Y., The effect of bounding the number of primitive propositions and the depth of nesting on the complexity of modal logic, Artif. Intell. 75 (1995), pp. 361–372.
[10] Johannsen, J. and M. Lange, CTL+ is Complete for Double Exponential Time, in: Proc. ICALP'03 (2003), pp. 767–775.
[11] Markey, N. and P. Schnoebelen, Model checking a path, in: CONCUR, 2003, pp. 248–262.
[12] Schewe, S., ATL* satisfiability is 2EXPTIME-complete, in: Proc. of ICALP (2), 2008, pp. 373–385.
[13] Schröder, L. and Y. Venema, Flat coalgebraic fixed point logics, in: Proc. of CONCUR'2010 (2010), pp. 524–538.
[14] Sistla, A. P. and E. M. Clarke, The complexity of propositional linear temporal logics, J. ACM 32 (1985), pp. 733–749.
[15] Troquard, N. and D. Walther, On satisfiability of ATL with strategy contexts, in: Proc. of JELIA'12, LNAI 7519 (2012), pp. 398–410.
[16] van Drimmelen, G., Satisfiability in alternating-time temporal logic, in: Proc. of LICS'03, 2003, pp. 208–217.
[17] Walther, D., C. Lutz, F. Wolter and M. Wooldridge, ATL satisfiability is indeed ExpTime-complete, Journal of Logic and Computation 16 (2006), pp. 765–787.