Model-checking iterated games

Abstract

We propose a logic for the definition of the collaborative power of groups of agents to enforce different temporal objectives. The resulting temporal cooperation logic (TCL) extends ATL by allowing for successive definition of strategies for agents and agencies. Different to previous logics with similar aims, our extension cuts a fine line between extending the power and maintaining a low complexity: model checking TCL sentences is EXPTIME complete in the logic, and NL complete in the model. This advancement over nonelementary logics is bought by disallowing a too close entanglement between the cooperation and competition. We show how allowing such an entanglement immediately leads to a nonelementary complexity. We have implemented a model checker for the logic and shown the feasibility of model checking on a few benchmarks.

Appendix: Proof of Lemma 6

This section contains the details of the reduction to PEEK-\(G_6\) from the proof of Lemma 6. Note that, while PEEK-\(G_6\) allows the agents to pass, we disllow it for simplicity. This is, however, no restriction: to simulate passing, we could add a single boolean variable for each agent that does not occur in the formula. Passing can then be identified with toggling the value of this variable.

1.1 Full Proof

To reduce determining the winner of an instance of a PEEK-\(G_6\) game to TCL model-checking, we introduce a 2-agent game \(\mathcal{G}=\langle 2,\mathcal{Q},r,\omega ,\mathcal{P},\lambda ,\mathcal{E}\rangle \) as shown in Fig. 5 with the following restrictions. Agent 1 (he, for convenience) is the safety agent while Agent 2 (she, for convenience) is the reachability agent.

• \(\mathcal{Q}=\{r,t_1,\ldots ,t_{h+k},f_1,\ldots ,f_{h+k},1,\ldots ,k\}\). Specifically, there are two states \(t_i\) and \(f_i\) for each variable in \(P_1\cup P_2\).

• There are \(k+3\) atomic propositions in \(\mathcal{P}=\{s,p,c_1,\ldots ,c_k\}\).

• Initial state r is the only state where s is true (\(\lambda (q)=\{s\}\) iff \(q=r\)). For each \(i\in [1,h+k]\), \(\lambda (t_i)=\{p\}\) and \(\lambda (f_i)=\emptyset \). For the remaining states \(i\in [1,k]\), we have \(\lambda (i)=\{c_i\}\).

• The state r has two successors, \(t_1\) and \(f_1\) in \(\mathcal{E}\). For \(i<h+k\), both \(t_i\) and \(f_i\) have two successors, \(t_{i+1}\) and \(f_{i+1}\). \(t_{h+k}\) and \(f_{h+k}\) have \(k+1\) successors, \(1,\ldots ,k\), and they all have one successor, r.

• \(t_{h+k}\) and \(f_{h+k}\) belong to a reachability agent (rectangular nodes), while all other states belong to a safety agent (circular nodes).

Note that \(\lnot \gamma \) can be rewritten in DNF by dualizing the \(\gamma \) (which is in CNF), that is, by swapping conjunctions and disjunctions and negating the literals.

The game is played in rounds. Every time the game is at state r, it enters a new round. Formally, the safety agent makes his moves at states

$$\begin{aligned} t_1,\ldots ,t_{h+k-1},f_1,\ldots ,t_{h+k-1},1,\ldots ,k, \end{aligned}$$

and r, while the reachability agent makes her moves at states \(t_{h+k}\) and \(f_{h+k}\). The specification we provide, however, will require that the safety agent must change exactly the variable of the reachability agent identified by the state the reachability agent has previously moved to. It also forces the safety agent to make his choice for the following round each time at state r, and to make it in a way that the value of exactly one variable is toggled.

For ease of notation we use, for any \(i\in {\mathbb N}\), the formula template \(\langle +\rangle \bigcirc ^{(i)}\psi _1\) to denote a sequence of i successive \(\langle +\rangle \bigcirc \) followed by subformula \(\psi _1\). Such formulas are used to assert that \(\psi _1\) is true in i steps of the game.

For this game, we model-check the following formula

$$\begin{aligned} \phi \mathop {=}\limits ^{{\tiny def}}\langle 1\rangle (\theta _1\wedge \langle +\rangle \Box (\lnot s\vee (\theta _2\wedge \theta _3\wedge \theta _4))), \end{aligned}$$

where \(\theta _1\), \(\theta _2\), \(\theta _3\), and \(\theta _4\) reflect the following guarantees:

• \(\theta _1\) specifies the correctness of the initial condition. Specifically,

  

• At every occurrence of r, the game enters a round in which the safety agent may toggle at most one of \(p_1,\ldots ,p_h\). This is specified with \(\theta _2\).

  $$\begin{aligned}&\theta _2\mathop {=}\limits ^{{\tiny def}}\bigvee _{i\in [1,h]} \delta _i \bigwedge _{j\in [1,h],j\ne i} \epsilon _j, \hbox {with}\\&\delta _i \mathop {=}\limits ^{{\tiny def}}\big ((\langle +\rangle \bigcirc ^{(i)} (p \wedge \langle +\rangle \bigcirc ^{(h+k+2)} \lnot p)\big ) \vee \big ((\langle +\rangle \bigcirc ^{(i)} (\lnot p \wedge \langle +\rangle \bigcirc ^{(h+k+2)} p)\big ) \hbox {and}\\&\epsilon _i \mathop {=}\limits ^{{\tiny def}}\big ((\langle +\rangle \bigcirc ^{(i)} (p \wedge \langle +\rangle \bigcirc ^{(h+k+2)} p)\big ) \vee \big ((\langle +\rangle \bigcirc ^{(i)} (\lnot p \wedge \langle +\rangle \bigcirc ^{(h+k+2)} \lnot p)\big ). \end{aligned}$$

• The reachability agent declares her choice for a change by selecting a state \(i\in \{1,\ldots ,k\}\). Choosing \(i\in [1,k]\) means the toggling of \(p_{h+i}\). This is specified by \(\theta _3\).

  $$\begin{aligned}&\theta _3\mathop {=}\limits ^{{\tiny def}}\bigwedge _{i\in [1,k]} \eta _i^+ \vee \eta _i^- \hbox {with}\\&\eta _i^+ \mathop {=}\limits ^{{\tiny def}}(\langle +\rangle \bigcirc ^{(h+i)} p) \wedge \langle +\rangle \bigcirc ^{(h+k+1)} \big ((c_i \wedge \langle +\rangle \bigcirc ^{(h+i+1)} \lnot p)\\&\quad \vee (\lnot c_i \wedge \langle +\rangle \bigcirc ^{(h+i+1)} p)\big )~\hbox {and}\\&\eta _i^- \mathop {=}\limits ^{{\tiny def}}(\langle +\rangle \bigcirc ^{(h+i)} \lnot p) \wedge \langle +\rangle \bigcirc ^{(h+k+1)} \big ((c_i \wedge \langle +\rangle \bigcirc ^{(h+i+1)} p)\\&\quad \vee (\lnot c_i \wedge \langle +\rangle \bigcirc ^{(h+i+1)} \lnot p)\big ). \end{aligned}$$

• Globally, at r the formula \(\gamma \) is not satisfied (using the truth of p in i steps for \(p_i\)). This is reflected by replacing every literal \(p_i\) in \(\lnot \gamma \) (recall that \(\lnot \gamma \) is in DNF) by \(\langle +\rangle \bigcirc ^{(i)}p\) and every literal \(\lnot p_i\) by \(\langle +\rangle \bigcirc ^{(i)} \lnot p\).

The turn taking and the order of the moves are reflected as well as the competitive nature of the game. It is apparent that the safety agent wins the PEEK game if the safety agent has a strategy scheme \(\sigma \), and it is easy to translate one into the other.