On the Complexity of Model Checking Knowledge and Time

2.1 Syntax and Fragments

We first recall the logic \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\), the extension of CTL* with operators for knowledge and common knowledge.

Let us fix a countably infinite set of atomic propositions \(\mathcal {AP}\) and a finite set of agents \(\mathit {Ag}\). As for state and path formulas in CTL*, we distinguish between history formulas and path formulas. We say history formulas instead of state formulas because, considering agents with perfect recall of the past, the truth of epistemic formulas depends not only on the current state, but also on the history before reaching this state.

Operators \(\mathit {X}\) and \(\mathit {U}\) are the standard next and until temporal operators of LTL, \(\mathit {E}\) is the existential path quantifier of CTL*, \(\mathit {K}_{a}\) is the knowledge operator for agent \(a\) from epistemic logics, and \({C_G}\) is the operator of common knowledge for the nonempty group of agents \(G\). Formula \(\mathit {K}_{a}\varphi\) reads as “agent \(a\) knows that \(\varphi\) is true,” and \({C_G}\varphi\) reads as “there is common knowledge among agents in \(G\) that \(\varphi\) is true.” Intuitively, this means that everybody in \(G\) knows that \(\varphi\) is true, and everybody knows that everybody knows that it is true, and everybody knows that everybody knows that everybody knows that it is true, and so on (see, for instance, Reference [23] for more on common knowledge).

As usual, we define \(\top =p\vee \lnot p\), \(\varphi \wedge \varphi ^{\prime }=\lnot (\varphi \vee \lnot \varphi)\), \(\varphi \rightarrow \varphi ^{\prime } = \lnot \varphi \vee \varphi ^{\prime }\), the temporal operators finally (\(\mathit {F}\)) and always (\(\mathit {G}\)): \(\mathit {F}\varphi = \top \mathit {U}\varphi\), and \(\mathit {G}\varphi =\lnot \mathit {F}\lnot \varphi\), and the universal path quantifier \(\mathit {A}\psi := \lnot \mathit {E}\lnot \psi\).

The language of \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) consists of the history formulas. We let \(\mathrm{Sub}(\varphi)\) be the set of subformulas in \(\varphi\), and we define the size of a formula \(\varphi\) as \(|\varphi |=|\mathrm{Sub}(\varphi)|\).

We now define the alternation depth of a formula \(\varphi\), written \(\mathrm{ad}(\varphi)\). Intuitively, \(\mathrm{ad}(\varphi)\) is the maximum number of alternations between knowledge operators for different agents in the formula (note that we only take into account the modalities \(\mathit {K}_{a}\) and not the modalities \({C_G}\) for common knowledge).

For instance, \(\mathrm{ad}(p)=0\), \(\mathrm{ad}(\mathit {K}_{a}p)=1\), \(\mathrm{ad}(\mathit {K}_{a}\lnot \mathit {K}_{a}p)=1\) and \(\mathrm{ad}(\mathit {K}_{b} \mathit {K}_{a}q \vee \mathit {K}_{a}p)=2\).

Fragments of \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\). We consider the usual syntactic fragments \(\texttt { LTLK}_{\texttt { C}}\) and \(\texttt { CTLK}_{\texttt { C}}\) of \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\). \(\texttt { LTLK}_{\texttt { C}}\) consists of formulas of the form \(\mathit {E}\psi\) or \(\lnot \mathit {E}\psi\) where path quantifiers in \(\psi\) are immediately preceded by epistemic modalities, while \(\texttt { CTLK}_{\texttt { C}}\) is obtained by requiring that the temporal modalities \(\mathit {X}\) and \(\mathit {U}\) are immediately preceded by a path quantifier. Formally, the syntax of \(\texttt { LTLK}_{\texttt { C}}\) and \(\texttt { CTLK}_{\texttt { C}}\) are defined by the following grammars: \(\begin{equation*} \begin{array}{lccl} \text{$\texttt { LTLK}_{\texttt { C}}$}: & \varphi & ::= & \mathit {E}\psi \mid \lnot \mathit {E}\psi \\ & \psi & ::= & \lnot \psi \mid \psi \vee \psi \mid \mathit {X}\psi \mid \psi \mathit {U}\psi \mid \mathit {K}_{a}\varphi , \end{array} \end{equation*}\) \(\begin{equation*} \begin{array}{lccl} \text{$\texttt { CTLK}_{\texttt { C}}$}: & \varphi & ::= & p \mid \lnot \varphi \mid \varphi \vee \varphi \mid \mathit {E}\mathit {X}\varphi \mid \mathit {E}\varphi \mathit {U}\varphi \mid \mathit {A}\varphi \mathit {U}\varphi \mid \mathit {K}_{a}\varphi \mid {C_G}\varphi . \end{array} \end{equation*}\)

We also let LTLK, CTLK, and \(\texttt { CTL}^{*}\texttt {K}\) be the fragments of \(\texttt { LTLK}_{\texttt { C}}\), \(\texttt { CTLK}_{\texttt { C}}\), and \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\), respectively, obtained by forbidding the common knowledge operator \({C_G}\). Finally, for every \(k\in \mathbb {N}\), we define \(\texttt { LTLK}_{k}\), \(\texttt { CTLK}_{k}\), and \(\texttt { CTL}^{*}\texttt { K}_{k}\) the restrictions of LTLK, CTLK, and \(\texttt { CTL}^{*}\texttt {K}\), respectively, to formulas of alternation depth at most \(k\).

2.2 Models

\(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) formulas are interpreted over Kripke structures (KS) equipped with one indistinguishability relation\(\sim _{a}\) for each agent \(a\).

The size \(|M|\) of \(M\) is the number of states in \(M\). A path is an infinite sequence of states \(\pi =s_0 s_1\dots\) such that for all \(i\ge 0\), \(s_i Rs_{i+1}\), and a history\(\tau\) is a non-empty prefix of a path. We denote by \(\textrm {H}(s)\) (respectively, \(\Pi (s)\)) the set of histories (respectively, paths) that start in \(s\). Unless specified otherwise, all histories and paths are assumed to start in the initial state \({{s}^\iota }\). For \(I\subseteq S\), we write \(R(I)=\lbrace s^{\prime } \mid \exists s\in I\mbox{ s.t. }sRs^{\prime }\rbrace\) for the set of successors of states in \(I\). Since the relation \(R\) is left-total, i.e., for every \(s\in S\) there exists \(s^{\prime }\in S\) such that \(sRs^{\prime }\), \(R(I)\) is nonempty for every nonempty \(I\). Finally, for \(a\in \mathit {Ag}\) and \(s\in S\), we let \([s]_{a}\) be the equivalence class of \(s\) for relation \(\sim _{a}\), which is also called agent \(a\)’s observation relation. For a history \(\tau\), \(\mbox{lst}(\tau)\) is the last state of \(\tau\).

Example 2.4.

We represent in Figure 1

Fig. 1.

View Figure

a Kripke structure that we use in the following to illustrate different semantics. There are two atomic propositions: \(p\), which is satisfied in \(s_2\), \(s_3\) and \(s_4\), and \(q\), satisfied only in \(s_4\). There is only one agent, \(a\), and its observation relation \(\sim _{a}\) defines two equivalence classes, \(\lbrace s_0,s_2\rbrace\) and \(\lbrace s_1,s_3,s_4\rbrace\).

2.3 Synchronous and Asynchronous Memoryless Semantics

We first recall both the synchronous and asynchronous memoryless semantics of \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\). As usual, when not specified otherwise, memoryless semantics refers to the asynchronous variant, where agents do not remember anything, while we may use the term clock semantics for the synchronous variant in which agents only remember how many transitions were taken. We will write \(\models _m\) for the (asynchronous) memoryless semantics, and \(\models _{ck}\) for the clock semantics (synchronous memoryless).

2.4 Synchronous and Asynchronous Perfect Recall Semantics

We now define the perfect recall semantics of knowledge modalities, where agents remember all of the past. Two main notions of perfect recall have been considered for the semantics of epistemic temporal logics [27], as well as in games with imperfect information [50], depending on whether the system is assumed to be synchronous or not. While in synchronous systems agents always observe when a transition takes place, in asynchronous ones, agents cannot tell that a transition occurred if their observation of the state remains unchanged.

To define asynchronous perfect recall, we first define the sequence of observations that an agent has along a history, in which sequences of successive identical observations collapse to a single observation. Formally, for an agent \(a\), we let \(\text{Obs}_{a}(s)=[s]_{a}\), and \(\begin{equation*} \text{Obs}_{a}(\tau \cdot s)= {\left\lbrace \begin{array}{ll}\text{Obs}_{a}(\tau)\cdot [s]_{a} & \text{if }[s]_{a}\ne \mbox{lst}(\text{Obs}_{a}(\tau)),\\ \text{Obs}_{a}(\tau) & \text{otherwise.} \end{array}\right.} \end{equation*}\)

We also define, for every nonempty group of agents \(\emptyset \subsetneq G\subseteq \mathit {Ag}\), the relations for common knowledge \(\approx ^{\mbox{s}}_{G}\,=(\cup _{a\in G}\approx ^{\mbox{s}}_{a})^*\) and \(\approx ^{\mbox{as}}_{G}\,=(\cup _{a\in G}\approx ^{\mbox{as}}_{a})^*\).

We define the semantics of \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) formulas for either synchronous or asynchronous perfect recall as follows: The definition only differs in the relations on histories used, either \(\approx ^{\mbox{s}}_{a}\) and \(\approx ^{\mbox{s}}_{G}\) or \(\approx ^{\mbox{as}}_{a}\) and \(\approx ^{\mbox{as}}_{G}\). The relation on histories is also the only difference with the synchronous memoryless semantics (clock semantics) defined earlier.

A model \(M\) with initial state \({{s}^\iota }\) satisfies a \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) formula \(\varphi\) under the \(\text{SPR}\) semantics, written \(M\models _{\mbox{s}}\varphi\), if \({{s}^\iota }\models _{\mbox{s}}\varphi\), and similarly for the APR semantics: \(M\models _{\mbox{as}}\varphi\) if \({{s}^\iota }\models _{\mbox{as}}\varphi\).

2.5 Main Result

The model-checking problem for a semantics \(\models\) is the following: Given a finite model \(M\) and a formula \(\varphi\), decide whether \(M\models \varphi\). The main result in this work is the following:

In particular, for \(k=0\), we get that model checking formulas of alternation depth at most one is in Pspace , which generalizes a similar result from Reference [22] for LTLK with one agent, which is a strict subset of \(\texttt { LTLK}_{1}\). The upper bound was proved in Reference [1] for (a variant of) \(\texttt { CTLK}_{k}\), both for synchronous and asynchronous perfect recall. However, the best-known upper-bound for \(\texttt { CTL}^{*}\texttt { K}_{k+1}\) was \(k+1\)-Exptime , which we improve by extending the approach of Reference [1] to the case of the full branching time logic \(\texttt { CTL}^{*}\texttt {K}\), showing that it is not more expensive than CTLK. In addition, while it was only known that these problems are nonelementary, no precise lower bounds in terms of alternation depth were known, so it was not known whether the above-mentioned upper bounds were optimal or not. We settle this issue by providing matching lower-bounds in all cases.

In the next two sections (Sections 3 and 4), we establish Theorem 2.13, so we focus on the logics LTLK, CTLK, and \(\texttt { CTL}^{*}\texttt {K}\) (i.e., without common knowledge), and the perfect recall semantics (both synchronous and asynchronous). In Section 5, we focus on the no learning assumption, which we introduce there and for which we establish additional results on the complexity of model checking the various logics under the different memoryless and perfect recall semantics, with and without common knowledge.

3.1 Information Sets and Updates

An information set captures the set of states that an agent considers possible at a given moment. The following definition is common to synchronous and asynchronous perfect recall, and \(\approx _{a}\) stands for either \(\approx ^{\mbox{s}}_{a}\) or \(\approx ^{\mbox{as}}_{a}\):

We write \(I^{\mbox{s}}_{a}\) when referring to the synchronous semantics and \(I^{\mbox{as}}_{a}\) when referring to the asynchronous one.

We now define two different update functions, one for the synchronous and one for the asynchronous case. The role of these functions is to compute the new information set of an agent after a transition, given her former information set and the new state. We start with the synchronous case, which is easier and standard (see, for instance, Reference [50] or References [57, 59] for the more general case of \(k\)-trees).

This definition says that after taking a transition that arrives in state \(s\), the states that agent \(a\) considers possible are the successors of states she previously considered possible and that are compatible with what she observes of the new state \(s\).

For asynchronous perfect recall, the update is slightly more involved, as the agent may consider that arbitrarily many steps occurred without her noticing. We call invisible step (for some agent \(a\)) a transition between two states \(s\) and \(s^{\prime }\) such that \(s\sim _{a}s^{\prime }\), and given a set of states \(I\), we let \(\text{Reach}_i^a(I)\supseteq I\) be the set of states reachable from \(I\) via steps invisible for \(a\). We can now define the update as follows:

This definition is an adaptation to our setting of the one in Reference [50], which considers two-player games. The following result follows directly by applying the definitions:

3.2 Powerset Construction

Given a model \(M\), we define a powerset model \(\widehat{M}\) of exponential size in which formulas of alternation depth 1 can be evaluated positionally. States of \(\widehat{M}\) contain, in addition to the current state in \(M\), the current information set of each agent. This construction can be instantiated either for synchronous or asynchronous perfect recall by choosing the appropriate update function for information sets. In the following, we will often omit to specify which semantics is considered, because the construction and reasoning work for both.

Note that \(|\widehat{M}| = |M| 2^{|\mathit {Ag}||M|}\). Because the update of information sets with a new state is deterministic, every history \(\tau\) in \(M\) defines a unique history \(\widehat{\tau }\) of length \(|\tau |\) in \(\widehat{M}\), that starts in \(\widehat{s}^{\,\iota }\) and follows transitions in \(\tau\), and this naturally extends to (infinite) paths. The next lemma follows by definition of \(\widehat{M}\), \(\widehat{\tau }\) and application of Lemma 3.4.

In \(\widehat{M}\), the information contained in states is sufficient to evaluate epistemic formulas positionally. However, since states contain only one “level” of knowledge, we cannot evaluate nested knowledge operators for different agents. But, we can evaluate nested knowledge operators for the same agent, because \(\approx _{a}\) is an equivalence relation²: If \(\tau \approx _{a}\tau ^{\prime }\), then agent \(a\) knows the same things in \(\tau\) and in \(\tau ^{\prime }\). This is reflected in the definition of \(\widehat{\sim }_{a}\).

The following proposition establishes that for formulas of alternation depth at most one, the memoryless semantics on the powerset model is equivalent to the perfect-recall semantics on the original model (in the proposition below, \(\models\) can be either \(\models _{\mbox{s}}\) or \(\models _{\mbox{as}}\), and the right-hand part then refers to the corresponding powerset construction).

We now establish the upper bounds in Theorem 2.13. We start with the base case, showing that we can model check formulas of alternation depth at most one in polynomial space. We then use a marking algorithm on the powerset construction to show that model-checking formulas of alternation depth \(k+1\) reduces to model checking formulas of alternation depth \(k\) on an exponentially larger model. All the reasoning in this section is independent of the chosen semantics, synchronous or asynchronous perfect recall.

3.3 Alternation Depth One

For the base case, i.e., for formulas of alternation depth at most one, we combine three existing ideas to obtain a Pspace model-checking procedure. The first one is the original Pspace model-checking procedure for LTL by Sistla and Clarke [55], which can be seen as on-the-fly construction and resolution of Büchi automata for LTL formulas [63]. We extend this algorithm with an on-the-fly construction of the powerset model, which allows us to evaluate LTLK formulas of alternation depth one in polynomial space. It was already noted in Reference [1], for a variant of CTLK, that the powerset construction can be done on-the-fly. Finally, we use the meta-algorithm by Emerson and Lei [21] to extend this procedure from LTLK to the full branching-time setting of \(\texttt { CTL}^{*}\texttt {K}\).

In the main model-checking procedure, formulas of the form \(\mathit {E}\psi\) are dealt with by guessing a path in the powerset model, which is built on-the-fly, and evaluating \(\psi\) on it in polynomial space. However, for our algorithm to terminate, we need to bound the length of paths that need to be searched, and we need this bound to be at most exponential so we can count up to it in polynomial space. We now prove that it is indeed the case.

An infinite word \(w\) is ultimately periodic if there exist \(i,j\in \mathbb {N}\) such that \(w=w_{\le i-1}w_{[i,j]}^*\). Letting \(i\) and \(j\) be the smallest such values, we call \(i\) the start index of \(\pi\), and \(j-i+1\) is called its period.

We now adapt Emerson and Lei’s algorithm, which shows how to turn a polynomial-space model-checking procedure for LTL into one for CTL* that also runs in polynomial space [21]. The interesting case is for formulas of the form \(\mathit {E}\psi\). The proof of Lemma 3.8 provides a model-checking procedure for such formulas, but building the full automaton \(\mathcal {A}_\psi\) and powerset model \(\widehat{M}\) takes exponential space. We tackle this by building them both on-the-fly. The marking procedure of maximal history subformulas in states of \(\widehat{M}\) is replaced with recursive calls to the model-checking procedure for \(\texttt { CTL}^{*}\texttt { K}_{1}\), and by Lemma 3.8, we can implement in polynomial space a counter that indicates when the nondeterministic search of a satisfying path can be stopped.

3.4 Reducing Alternation

We now describe how we can use the powerset construction to eliminate one level of alternation of knowledge operators. This is done with a classic procedure that we recall for completeness.

The construction of \(M^{\prime }\) is as follows: First, build the powerset model \(\widehat{M}\) as in Definition 2.5. In this model, history formulas of alternation depth one can be evaluated positionally, as stated in Proposition 3.7. Let \(\mbox{Sub}_1(\Phi)\) be the set of maximal such formulas in \(\mbox{Sub}(\Phi)\). For each formula \(\varphi\) in \(\mbox{Sub}_1(\Phi)\) and each state \(\widehat{s}\) of \(\widehat{M}\), evaluate whether \(\widehat{s}\models _m\varphi\) (which can be done in space polynomial in \(\widehat{M}\) and \(\varphi\) [35], hence in exponential space, since \(\widehat{M}\) is of size exponential in the original model), and mark state \(\widehat{s}\) with the fresh atomic proposition \(p_\varphi\) if \(\widehat{s}\models _m\varphi\). We abuse notation and still call \(\widehat{M}\) the model obtained after this marking procedure (and similarly, \(\widehat{s}\), \(\widehat{\tau }\), and \(\widehat{\pi }\) refer to states, histories, and paths in the marked model). Also, for every subformula \(\varphi\) of \(\Phi\), define \(\widehat{\varphi }\) by replacing each \(\varphi ^{\prime }\) in \(\mbox{Sub}_1(\varphi)\) with atom \(p_{\varphi ^{\prime }}\) (note that if \(\varphi\) contains no knowledge operator, then \(\widehat{\varphi }=\varphi\)).

Unlike in Proposition 3.7, where we use the memoryless semantics to evaluate positionally formulas of alternation depth one, this time, we interpret \(\widehat{\varphi }\) on \(\widehat{M}\) with the perfect-recall semantics. One can prove the following lemma:

Using Proposition 3.10 for the inductive case and Proposition 3.9 for the base case, we easily prove the following by induction on \(k\).

4.1 Proof of Proposition 4.2 for the synchronous setting

Fix \(k\ge 0\). In the following, we assume that \(k\ge 1\) (the proof of Proposition 4.2 for the case \(k=0\) being simpler). First, we define a suitable encoding of the \(k\)-grids by infinite words over the set \(\text {AP}\) of atomic propositions given by \(\text {AP}= {{\it Main}}\cup {{\it Tags}}\), where

The propositions in \({{\it Main}}\) are used to encode the \(k\)-grids, while the propositions in \({{\it Tags}}\), whose meaning will be explained later, are used to mark in a suitable way the codes of \(k\)-grids. Essentially, the unmarked code of a \(k\)-grid \(f\) is obtained by concatenating the codes of the rows of \(f\) starting from the first row and adding the suffix \({\it acc}^{\omega }\) if \(f\) satisfies the acceptance requirement, and the suffix \(\bot ^{\omega }\) otherwise. The code of a row is in turn obtained by concatenating the codes of the row’s cells starting from the first cell.

In the encoding of a cell of a \(k\)-grid, we keep track of the content of the cell together with a suitable encoding of the cell number, which is a natural number in \([0,{\it Tower}(n,k)-1]\). Thus, for all \(1\le h\le k\), we define the notions of \(h\)-block and well-formed \(h\)-block. Essentially, for \(1\le h\lt k\), well-formed \(h\)-blocks are finite words over \((\lbrace \$_1,\ldots ,\$_{h}\rbrace \times \lbrace 0,1\rbrace)\cup \lbrace 0,1\rbrace\), which encode integers in \([0,{\it Tower}(n,h)-1]\), while well-formed \(k\)-blocks are finite words over \({{\it Main}}\setminus \lbrace \$,{\it acc},\bot \rbrace\), which encode the cells of \(k\)-grids. In particular, for \(h\gt 1\), a well-formed \(h\)-block encoding a natural number \(m\in [0,{\it Tower}(n,h)-1]\) is a sequence of \({\it Tower}(n,h-1)\) \((h-1)\)-blocks, where the \(i\)th \((h-1)\)-block encodes both the value and (recursively) the position of the \(i\)th-bit in the binary representation of \(m\). Formally, the set of (well-formed) \(h\)-blocks is defined by induction on \(h\) as follows:

Base Step: \(h=1\). The notions of 1-block and well-formed 1-block coincide, and a 1-block is a finite word \({\it bl}\) of length \(n+1\) having the form \({\it bl}=(\$_{1},\tau){\it bit}_1\ldots {\it bit}_n\) such that \({\it bit}_1,\ldots ,{\it bit}_n\in \lbrace 0,1\rbrace\) and \(\tau \in \lbrace 0,1\rbrace\) if \(1\lt k\), and \(\tau \in \Delta\) otherwise. For all \(1\le \ell \le n\), we say that \({\it bit}_\ell\) is the \(\ell\)th bit of \({\it bl}\). The content of \({\it bl}\) is \(\tau\), and the index of \({\it bl}\) is the natural number in \([0,{\it Tower}(n,1)-1]\) (recall that \({\it Tower}(n,1)=2^n\)) whose binary code is \({\it bit}_1\ldots {\it bit}_n\).³ The 1-block \({\it bl}\) is initial (respectively, final) if \({\it bit}_i=0\) (respectively, \({\it bit}_i=1\)) for all \(1\le i\le n\).

Induction Step: \(1\lt h\le k\). An \(h\)-block is a finite word \({\it bl}\) having the form \((\$_{h},\tau)\, {\it bl}_0 \ldots {\it bl}_j\) such that \(j\gt 0\), \({\it bl}_0,\ldots ,{\it bl}_j\) are \((h-1)\)-blocks, and \(\tau \in \lbrace 0,1\rbrace\) if \(h\lt k\), and \(\tau \in \Delta\) otherwise. Additionally, we require that \({\it bl}_0\) is initial, \({\it bl}_j\) is final, and for all \(0\lt i\lt j\), \({\it bl}_i\) is not final. The content of \({\it bl}\) is \(\tau\). The \(h\)-block \({\it bl}\) is initial (respectively, final) if the content of \({\it bl}_i\) is 0 (respectively, 1) for all \(0\le i\le j\). The \(h\)-block \({\it bl}\) is well-formed if additionally, the following holds: \(j={\it Tower}(n,h-1)-1\) and for all \(0\le i\le j\), \(bl_i\) is well-formed and has index \(i\). If \({\it bl}\) is well-formed, then its index is the natural number in \([0,{\it Tower}(n,h)-1]\) whose binary code is given by \({\it bit}_0,\ldots ,{\it bit}_j\), where \({\it bit}_i\) is the content of the sub-block \({\it bl}_i\) for all \(0\le i\le j\).

Encoding of \(k\)-grids A row-code is a finite word \(w_r=\${\it bl}_0\ldots {\it bl}_j\) satisfying the following:

The row-code \(w_r\) is well-formed if additionally, \(j={\it Tower}(n,k)-1\) and for all \(0\le i\le j\), \({\it bl}_i\) is well-formed and has index \(i\). A \(k\)-grid code (respectively, well-formed \(k\)-grid code) is an infinite word over \(\text {AP}\) of the form \(w\cdot \tau ^{\omega }\) such that (i) \(w\) is a finite sequence of row-codes (respectively, well-formed row-codes), and (ii) \(\tau ={\it acc}\) if the last row-code of \(w\) contains a \(k\)-block whose content is \(d_{\it acc}\) (acceptance), and \(\tau =\bot\) otherwise. A \(k\)-grid code is initialized if the first \(k\)-block of the first row-code has content \(d_{\it in}\). Note that while \(k\)-grid codes encode grids of \(\mathcal {I}\) having rows of arbitrary length, well-formed \(k\)-grid codes encode the \(k\)-grids of \(\mathcal {I}\). In particular, there is exactly one well-formed \(k\)-grid code associated with a given \(k\)-grid of \(\mathcal {I}\).

Construction of \(M_{\mathcal {I},k}\) in Proposition 4.2 for the synchronous case For a fixed \(k\ge 1\), we now illustrate the construction of the finite Kripke structure \(M_{\mathcal {I},k}\) over two agents, say, \(a_1\) and \(a_2\), in Proposition 4.2. Essentially, \(M_{\mathcal {I},k}\) nondeterministically generates all the initialized \(k\)-grid codes with the additional ability of nondeterministically marking some positions with the propositions in \({{\it Tags}}\). This marking is exploited for checking by a suitable fixed \(\texttt { LTLK}_{k+1} \bigcap \texttt { CTLK}_{k+1}\) formula that one of the initialized \(k\)-grid codes generated by \(M_{\mathcal {I},k}\) is well-formed and encodes a \(k\)-tiling of \(\mathcal {I}\). The main idea is to decompose the verification that a \(k\)-grid code \(\nu\) is well-formed and encodes a \(k\)-tiling in layers implementable with polynomially many states of \(M_{\mathcal {I},k}\), where each layer corresponds to a tagged version of some prefix of \(\nu\), and invoking other layers for \(\nu\) thanks to the knowledge modalities for the two agents \(a_1\) and \(a_2\). In particular, the propositions in \({{\it Main}}\) are observable by both agents, while the tag propositions in \({{\it Tags}}\setminus \lbrace \#_1,\#_2\rbrace\) are not observable by any agent. For the remaining two tag propositions \(\#_1\) and \(\#_2\), \(\#_1\) is observable by agent \(a_1\) but not by agent \(a_2\), and symmetrically for \(\#_2\).

We now define the marking performed by the Kripke structure \(M_{\mathcal {I},k}\). For a word \(w\) over \(2^{\text {AP}}\), the content of \(w\) is the word over \(2^{\text {AP}\setminus {{\it Tags}}}\) obtained by removing from each letter in \(w\) the propositions in \({{\it Tags}}\). Let \(1\le h\le k\). A tagged \(h\)-block is a word \({\it bl}\) over \(2^{\text {AP}}\) whose content is an \(h\)-block and:

A simple tagged \(h\)-block \({\it bl}\) is defined in a similar way but we require that only the first position of \({\it bl}\) is marked, with \(\#_1\) if \(h\) is odd, and \(\#_2\) otherwise. See Figure 2 for an illustration of a tagged \(h\)-block and Figure 3 for a simple tagged \(h\)-block.

Fig. 2.

View Figure

Fig. 3.

View Figure

The initialized \(k\)-grid codes are marked by the Kripke structure \(M_{\mathcal {I},k}\) as follows: A tagged \(k\)-grid code is an infinite word \(\nu\) over \(2^{\text {AP}}\) such that the content of \(\nu\) is an initialized \(k\)-grid code and one of the following holds:

\((h,=)\)-tagging with \(1\le h\le k\): there are two tagged \(h\)-blocks \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) along \(\nu\) such that \({\it bl}\hspace{1.00006pt}^{\prime }\) follows \({\it bl}\) and:

\((h,{\it inc})\)-tagging with \(1\le h\le k\): there are two tagged \(h\)-blocks \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) along \(\nu\) such that \({\it bl}\hspace{1.00006pt}^{\prime }\) follows \({\it bl}\) and:

—	if \(h=1\), then the marked bit of \({\it bl}\) has the same position as the marked bit of \({\it bl}\hspace{1.00006pt}^{\prime }\);
—	\({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) are adjacent within the same \((h+1)\)-block if \(h\lt k\), and within the same row-code otherwise;
—	each position in \(\nu\) following the last position of \({\it bl}\hspace{1.00006pt}^{\prime }\) is marked by the tags in \(O\) where \(\lbrace (h,{\it inc})\rbrace \subseteq O\subseteq \lbrace (h,{\it inc}),{\it good}\rbrace\), and: — case \(h=1\): let \(i_0\) be the position of the least significant (i.e., leftmost) bit of \({\it bl}\) whose value is 0 (note that, since \({\it bl}\hspace{1.00006pt}^{\prime }\) comes after \({\it bl}\), \({\it bl}\) is not final and thus such a bit exists). Then, we require that \({\it good}\in O\) if and only if the marked bits of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have the same value if the marked bit of \({\it bl}\) follows the \(i_0^{th}\) bit of \({\it bl}\), and the marked bits of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have distinct value otherwise. — case \(h\gt 1\): let \({\it sb}_0\) be the first \((h-1)\)-sub-block of \({\it bl}\) whose content is 0 (again, since \({\it bl}\hspace{1.00006pt}^{\prime }\) comes after \({\it bl}\), \({\it bl}\) is not final and thus such a sub-block \({\it sb}_0\) exists). Then, we require that \({\it good}\in O\) if and only if the marked sub-blocks of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have the same content if the marked sub-block of \({\it bl}\) follows \({\it sb}_0\), and the marked sub-blocks of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have distinct content otherwise.
—	no other position of \(\nu\) is marked (see Figure 4). Fig. 4. View Figure

row-tagging: there are two simple tagged \(k\)-blocks \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) along \(\nu\) such that \({\it bl}\hspace{1.00006pt}^{\prime }\) follows \({\it bl}\) and:

—	\({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) are adjacent within the same row-code;
—	each position in \(\nu\) following the last position of \({\it bl}\hspace{1.00006pt}^{\prime }\) is marked by the tags in \(O\) where \(\lbrace {\it row}\rbrace \subseteq O\subseteq \lbrace {\it row},{\it good}\rbrace\). Moreover, \({\it good}\in O\) iff \([d]_{{\it right}}=[{\it d}\hspace{1.00006pt}^{\prime }]_{{\it left}}\), where \(d\in \Delta\) is the content of \({\it bl}\) and \({\it d}\hspace{1.00006pt}^{\prime }\in \Delta\) is the content of \({\it bl}\hspace{1.00006pt}^{\prime }\);
—	no other position of \(\nu\) is marked. (see Figure 5). Fig. 5. View Figure

column-tagging: there are two simple tagged \(k\)-blocks \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) along \(\nu\) such that \({\it bl}\hspace{1.00006pt}^{\prime }\) follows \({\it bl}\) and:

A partial tagged \(k\)-grid code is the prefix of some tagged \(k\)-grid code whose last position is labeled by tags in \({{\it Tags}}\setminus \lbrace \#_1,\#_2\rbrace = \lbrace {\it row},{\it col},{\it good}\rbrace \cup \bigcup _{h=1}^{k}\lbrace (h,=),(h,{\it inc})\rbrace\). Thus, we have four different types of partial tagged \(k\)-grid codes \(\rho\), where a type is identifiable by the tag proposition in \({{\it Tags}}\setminus \lbrace \#_1,\#_2,{\it good}\rbrace\), which marks the last position of \(\rho\). The additional proposition \({\it good}\) is used to check whether some additional condition is fulfilled, depending on the specific type. Intuitively, partial \((h,=)\)-tagged \(k\)-grid codes are exploited as nested layers for checking that distinct well-formed \(h\)-blocks along the given initialized \(k\)-grid code have the same index, while partial \((h,{\it inc})\)-tagged \(k\)-grid codes are used as nested layers to check that the indices of adjacent well-formed \(h\)-blocks \({\it bl}_1\) and \({\it bl}_2\) are consecutive (i.e., \({\it bl}_1\) is not final and the index of \({\it bl}_2\) is the index of \({\it bl}_1\) plus one); this is used for testing well-formedness of blocks and \(k\)-grid codes. Finally, partial row-tagged \(k\)-grid codes and partial column-tagged \(k\)-grid codes are exploited as first-level layers for verifying the row adjacency and column adjacency requirements.

As an example, let us consider a partial \((h,{\it inc})\)-tagged \(k\)-grid code \(\rho\) corresponding to some arbitrary prefix of a given initialized \(k\)-grid code \(\nu\). Moreover, assume that \(h\) is odd and the \(h\)-blocks along \(\nu\) are well-formed (this well-formedness requirement will be checked by other marking layers). To check that the two tagged \(h\)-blocks \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) along \(\rho\) have consecutive indices, we consider the set \(\Pi\) of partial \((h,{\it inc})\)-tagged \(k\)-grid codes \(\rho ^{\prime }\) having the same content and the same marked \(h\)-blocks as \(\rho\). So, \(\rho\) and \(\rho ^{\prime }\) differ only in the choice of the marked bits of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) if \(h=1\), and the marked \(h-1\)-sub-blocks of \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) otherwise. By construction of \(M_{\mathcal {I},k}\) (see the following Lemma 4.4), the set \(\Pi\) corresponds to the set of finite traces \(\rho ^{\prime }\) of \(M_{\mathcal {I},k}\), which are SPR \(a_1\)-indistinguishable from \(\rho\) and whose last position is tagged by \((h,{\it inc})\).⁴ Thus, for selecting the set \(\Pi\), we use the knowledge modalities for agent \(a_1\). Moreover, by definition of the tagging schemas, if \(h=1\), then \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have consecutive indices iff for each of such traces \(\rho ^{\prime }\in \Pi\), the last position of \(\rho ^{\prime }\) is also marked by \({\it good}\). If instead \(h\gt 1\), then \({\it bl}\) and \({\it bl}\hspace{1.00006pt}^{\prime }\) have consecutive indices iff for all \(\rho ^{\prime }\in \Pi\) such that the marked \(h-1\)-sub-block \({\it sb}\) of \({\it bl}\) in \(\rho ^{\prime }\) and the marked \(h-1\)-sub-block \({\it sb}\hspace{1.00006pt}^{\prime }\) of \({\it bl}\hspace{1.00006pt}^{\prime }\) in \(\rho ^{\prime }\) have the same index, it holds that the last position of \(\rho ^{\prime }\) is also marked by \({\it good}\). In this case, for selecting the finite traces in \(\Pi\) satisfying the previous condition, starting from a selected trace \(\rho ^{\prime }\in \Pi\), we use the knowledge modality for agent \(a_2\) and the nested marked layer of type \((h-1,=)\) (for details, see Lemma 4.5).

We now prove the following result concerning the construction of the finite Kripke structure \(M_{\mathcal {I},k}\):

Construction of the fixed formula \(\varphi _k\) in Proposition 4.2 A \(\textsf {K}\)-propositional formula is a \(\texttt { CTL}^{*}\texttt {K}\) formula that only contains the knowledge modalities, Boolean connectives, and atomic propositions. For each \(h\in \mathbb {N}\), a \(\textsf {K}_h\)-propositional formula is a \(\textsf {K}\)-propositional formula with alternation depth \(h\). Let \(k\ge 1\) and \(M_{\mathcal {I},k}\) be the Kripke structure of Lemma 4.4. By Lemma 4.4, the indistinguishability relations \(\sim _{a_i}\) of \(M_{\mathcal {I},k}\) (for \(i=1,2\)) depend only on the valuation function. Hence, histories that have the same trace are indistinguishable by any agent and satisfy the same \(\textsf {K}\)-propositional formulas. Thus, for a finite trace \(\rho\) of \(M_{\mathcal {I},k}\) and a \(\textsf {K}\)-propositional formula, we write \(\rho \models \psi\) to mean that \(\tau \models \psi\) under the SPR semantics for any history whose trace is \(\rho\). The core result in the proposed reduction is represented by the following lemma, which, together with Lemma 4.4, concludes the proof of Proposition 4.2 for the SPR semantics.

4.2 Proof of Proposition 4.2 for the Asynchronous Setting

For the asynchronous case, we slightly modify the construction of model \(M_{\mathcal {I},k}\) in Lemma 4.4 by incorporating a bit represented by a fresh atomic proposition \(p_{b}\) that is flipped at every transition and is observed by all agents. This way, the resulting model \(M^{\prime }_{\mathcal {I},k}\) generates the same traces as \(M_{\mathcal {I},k}\) (modulo \(p_b\)), and for all histories \(\tau\) and \(\tau ^{\prime }\), \(\tau \approx ^{\mbox{as}}_{a}\tau ^{\prime }\) iff \(\tau \approx ^{\mbox{s}}_{a}\tau ^{\prime }\) (the asynchronous and synchronous semantics coincide). We point out that a similar trick was used in Reference [57] to turn asynchronous systems into synchronous ones.

Formally, let \(M_{\mathcal {I},k}=(\text {AP},S,R,V,\lbrace \sim _{a}\rbrace _{a\in \mathit {Ag}},{{s}^\iota })\). We define \(\begin{equation*} M^{\prime }_{\mathcal {I},k}=(\text {AP}\cup \lbrace p_b\rbrace ,S\times \lbrace 0,1\rbrace ,R^{\prime },V^{\prime },\lbrace \sim _{a}^{\prime }\rbrace _{a\in \mathit {Ag}},({{s}^\iota },0)), \end{equation*}\) where

It is clear that \(M^{\prime }_{\mathcal {I},k}\) generates the same traces as \(M^{\prime }_{\mathcal {I},k}\), modulo the valuations of \(p_b\). It is also clear that all agents observe every step, so the asynchronous and synchronous semantics coincide. Also, since the bit \(i\in \lbrace 0,1\rbrace\) is reflected by \(p_b\), it is also the case that histories that have the same trace are indistinguishable for both agents and satisfy the same \(\textsf {K}\)-propositional formulas, so all the reasoning in the proof of Lemma 4.5 still holds. Finally, since the formulas built for Lemma 4.5 do not mention \(p_b\), we obtain that \(M_{\mathcal {I},k}\models _{\mbox{s}}\varphi _k\) iff \(M^{\prime }_{\mathcal {I},k}\models _{\mbox{as}}\varphi _k\), which concludes the proof of Proposition 4.2 for the asynchronous case.

5.1 Definition of No Learning

An interpreted system for agents \(\mathit {Ag}\) is a tuple \(\text{IS}=(\Pi ,V)\) where \(\Pi\) is a set of infinite paths \(\pi =\pi _0\pi _1\pi _2\ldots \in (L^\mathit {Ag})^\omega\), where \(L\) is a set of local states, and \(V:\Pi \times \mathbb {N}\rightarrow 2^\mathcal {AP}\) is a valuation function indicating for each path \(\pi \in \Pi\) and timestep \(n\in \mathbb {N}\) the set of atomic propositions that hold at \(\pi _n\). A pair \((\pi ,n)\) is called a point, and two points \((\pi ,n)\) and \((\pi ^{\prime },n^{\prime })\) are indistinguishable for agent \(a\), written \((\pi ,n)\approx _{a}(\pi ^{\prime },n^{\prime })\), if the local states of agent \(a\) at \(\pi _n\) and \(\pi ^{\prime }_{n^{\prime }}\) are the same. Formally, letting \(\pi _n=(l_a)_{a\in \mathit {Ag}}\) and \(\pi _{n^{\prime }}=(l^{\prime }_a)_{a\in \mathit {Ag}}\), relation \(\approx _{a}\) is defined by letting \((\pi ,n)\approx _{a}(\pi ^{\prime },n^{\prime })\) if \(l_a=l^{\prime }_a\).

Intuitively, the local state of agent \(a\) in \(\pi _n\) represents all the information she has accumulated along \(\pi\) until time \(n\). In particular, it does not correspond to the “instantaneous” observation that agent \(a\) makes in our setting at time \(n\) of path \(\pi =s_0s_1\ldots\), where she observes \([s_n]_{a}\) and updates her memory with this new piece of information. It is closer to the notion of information set (see Definition 3.1), but it is finer, because two histories can have the same information set without being equivalent (think, for instance, of two histories of different length in the synchronous setting). Instead, a local state characterizes precisely a set of equivalent histories.

In this setting, perfect recall is therefore not a way of extending instantaneous equivalence relations to finite plays, as in Definitions 2.9 and 2.10. Instead, it is said that an agent in an interpreted system has perfect recall if the relation \(\approx _{a}\), defined by local states, satisfies a certain property. This property, intuitively, says that the local states of agent \(a\) encode all that this agent has observed from the beginning. From the various equivalent formal characterizations of perfect recall, we recall the one from Reference [27], which is more intuitive. Let \(\text{IS}=(\Pi ,V)\) be an interpreted system, and define agent \(a\)’s local state sequence at point \((\pi ,n)\) as the sequence of local states \(l_0,\ldots ,l_k\) that agent \(a\) sees along \(\pi\) until time \(n\), after removal of successive repetitions (note that in a synchronous system there can never be repetitions of local states along a run, as by definition of \(\approx _{a}\) there would then be equivalent histories of different length). Now, agent \(a\) has perfect recall in \(\text{IS}\) if for all points \((\pi ,n)\) and \((\pi ^{\prime },n^{\prime })\) in \(\text{IS}\) such that \((\pi ,n)\approx _{a}(\pi ^{\prime },n^{\prime })\), agent \(a\) has the same local state sequence at \((\pi ,n)\) and \((\pi ^{\prime },n^{\prime })\). So, agent \(a\)’s local state is the same in two points if and only if the local state sequences at these points are the same, which captures the intuition that an agent with perfect recall remembers her view of the past.

For no learning, the definition is dual. First, define agent \(a\)’s future local state sequence at \((\pi ,n)\) as the sequence of local states \(l_0,l_1,\ldots\) of agent \(a\) along \(\pi\) starting at time \(n\), with consecutive repetitions omitted. Agent \(a\) does not learn if for all \(\pi ,\pi ^{\prime },n,n^{\prime }\) such that \((\pi ,n)\approx _{a}(\pi ^{\prime },n^{\prime })\), agent \(a\)’s future local state sequence is the same at \((\pi ,n)\) and \((\pi ^{\prime },n^{\prime })\). So, if two runs are indistinguishable at some points, then they will remain indistinguishable.

Example 5.1.

In the interpreted system depicted on the left of Figure 6

Fig. 6.

View Figure

(left), both agents \(a\) and \(b\) do not learn. For agent \(a\) it is clear, as she is blindfold: She has the same local state \(l_a\) at all times in both paths \(\pi _1\) and \(\pi _2\), and thus at any point her future local state sequence is simply \(l_a\). Agent \(b\) first has local state \(l_b\) in both paths, and then has local state \(l^{\prime }_b\) forever, starting at time 1 in \(\pi _1\) and time 2 in run \(\pi _2\). Thus, at all points where she has local state \(l_b\), her future local state sequence is \(l_bl^{\prime }_b\), and at all points where her local state is \(l^{\prime }_b\), her future local state sequence is just \(l^{\prime }_b\). Since two points are equivalent if they contain the same local state, equivalent points indeed have the same future local state sequence. Note that this system is asynchronous.

Definition of No Learning for Finite Models

We now adapt the definition of no learning to our formal framework, where models are not given as explicit sets of infinite paths, but as finite Kripke structures that generate these paths.

First, when considering no learning, it becomes relevant to make the difference between models that have one unique initial state and those that have more. Indeed, the trick mentioned in Remark 1 to simulate the case of several possible initial states by adding an artificial unique initial state does not preserve no learning: By imposing that all start with the same state, which is necessary equivalent to itself, we impose that all paths have the same sequence of future local states for no learning to hold. So, from now on, we consider that models are of the form \(M=(\text {AP},S,R,V,\lbrace \sim _{a}\rbrace _{a\in \mathit {Ag}},S^\iota)\), where \(S^\iota \subseteq S\) is a set of initial states, and we write \(\textrm {H}(S^\iota)\) (respectively, \(\Pi (S^\iota)\)) the set of histories (respectively, paths) that start in some state \(s\in S^\iota\): Formally, \(\textrm {H}(S^\iota):=\cup _{s\in S^\iota }\textrm {H}(s)\) and \(\Pi (S^\iota):=\cup _{s\in S^\iota }\Pi (s)\). Finally, the notion of information set from Definition 3.1 is also generalized as follows:

Here, a crucial difference with the setting of interpreted systems is that equivalence of histories is not defined directly by the local states contained in the last state, but rather is inferred from how agents observe states of the system, their memory (memoryless or perfect recall), and whether they have access to a global clock (synchronous or asynchronous). Fix a model \(M\) with initial states \(S^\iota\), and assume that indistinguishability relations \(\approx _{a}\) on histories are defined. We call local state of an agent \(a\) at a history \(\tau \in \textrm {H}(S^\iota)\), noted \(ls_{a}(\tau)\), the set of all histories indistinguishable from \(\tau\) for \(a\): \(ls_{a}(\tau):=\lbrace \tau ^{\prime }\in \textrm {H}(S^\iota) \mid \tau ^{\prime } \approx _{a}\tau \rbrace\). To see that this corresponds to the notion of local state in interpreted systems, observe that two histories are equivalent if and only if they have the same local state. Given a path \(\pi \in \Pi (S^\iota)\) and a point in time \(n\in \mathbb {N}\), the future local-state sequence at \((\pi ,n)\) for agent \(a\) is the sequence of local states \(ls_{a}(\pi _{\le n}),ls_{a}(\pi _{\le n+1}),\ldots\) in which consecutive repetitions are omitted.

We can make the connection between the two notions more formal. First, for each Kripke structure \(M=(\text {AP},S,R,V,\lbrace \sim _{a}\rbrace _{a\in \mathit {Ag}},S^\iota)\), define its generated interpreted system \(\text{IS}_M=(\Pi _M,V_M)\) over agents \(\mathit {Ag}\cup \lbrace a_0\rbrace\), defined as follows: First \(\Pi _M=\lbrace \widehat{\pi }\mid \pi \in \Pi (S^\iota)\rbrace\), where for each \(i\in \mathbb {N}\), \(\widehat{\pi }_i=(\pi _i,(ls_{a}(\pi _{\le i}))_{a\in \mathit {Ag}})\): Each path \(\pi\) in \(M\) gives rise to a path \(\widehat{\pi }\) in \(\text{IS}_M\) by taking the sequence of local states for each agent along \(\pi\). We use the additional agent \(a_0\) to retain the actual sequence of states, so we can define the valuation as follows: \(V_M(\widehat{\pi },i))=V(\pi _i)\). For instance, in Figure 6, the interpreted system \(I\) is isomorphic to \(I_M\) (with respect to agents \(\mathit {Ag}\)). In particular, \(I\) does not contain the additional agent \(a_0\) and its local states, which are only useful when different paths share the same sequence of local states for all agents and would thus be merged in the same run without \(a_0\). By applying the definitions, we can prove that:

We now study the complexity of the model-checking problem for agents that do not learn.

5.2 No Learning with No Memory

First, considering the no learning assumption amounts to restricting attention to a subclass of models, and therefore it cannot make model checking harder. The complexity results in the general case thus provide upper bounds for the case of no learning. Also, because the no learning assumption only impacts epistemic aspects, we inherit the lower bounds for the underlying temporal languages of the different logics, i.e., the syntactic fragments obtained by removing knowledge operators. Whenever the upper bounds for an epistemic logic are the same as the lower bounds for its purely temporal fragment, model checking cannot get easier with no learning, and we thus get the following results (see Table 1 for the works where these upper bounds are established in the general case, i.e., without the no learning assumption).

Concerning memoryless agents, there only remains to treat the case of \(\texttt { CTLK}_{\texttt { C}}\) with synchronous semantics (the so-called “clock semantics” [22, 32]). We know from Reference [32] that in the general case the model-checking problem for \(\texttt { CTLK}_{\texttt { C}}\) with clock semantics is in Pspace and is PH -hard (hard for every level of the polynomial hierarchy PH).⁶ First, this gives us Pspace membership for the particular case of No Learning. We also observe that in the hardness proof in Reference [32] the models that are built, which have two agents and multiple initial states, satisfy the no learning assumption for both agents, so we obtain directly the lower bounds for the case of multiple initial states. We then show that we can adapt the proof to obtain models with unique initial state and a single blindfold agent (who thus satisfies no learning), thus obtaining the lower bound also for unique initial state and a single agent.

5.3 No Learning with Synchronous Perfect Recall

We now show that for synchronous perfect recall, the no-learning assumption makes the problem drastically easier: From undecidable (with operators for common knowledge) or nonelementary decidable (without common knowledge), it becomes Pspace even with common knowledge operators.

It is observed in Reference [27] that assuming no learning together with unique initial state and synchronous semantics implies that all agents always have the same knowledge, so this case boils down to the one agent case: Every formula is equivalent to the same formula with each knowledge operator replaced with \(\mathit {K}_{a}\) for a single agent \(a\). We prove a more general result that will be central to build a Pspace procedure for no learning agents with synchronous perfect recall.

So, the information set \(I_{a}(\tau)\) of agent \(a\) at history \(\tau\) is entirely determined by the first state of \(\tau\) and its length, and in particular all histories that start in the same state and have same length are equivalent for all agents. We strongly rely on this fact and define a variant of the notion of information sets, parameterized no longer by agents but by starting states.

In the following, let us fix a model \(M=(\text {AP},S,R,V,\lbrace \sim _{a}\rbrace _{a\in \mathit {Ag}},S^\iota)\) where all agents do not learn. For every starting state \(s\in S^\iota\) and every history \(\tau \in \textrm {H}(S^\iota)\), we let \(\begin{equation*} I_{s}(\tau)=\lbrace s^{\prime }\mid \exists \tau ^{\prime }\in \textrm {H}(s) \text{ s.t. }|\tau |= |\tau ^{\prime }| \text{ and }s^{\prime }=\mbox{lst}(\tau ^{\prime })\rbrace . \end{equation*}\)

\(I_{s}(\tau)\) is the set of possible states after histories of length \(\tau\) that start in \(s\). Note that it does not depend on the agent. The following lemma follows directly from the definitions of \(I_{a}(\tau)\) and \(I_{s}(\tau)\) and Lemma 5.8:

Based on this, we now adapt the powerset construction from Section 3.2 to obtain a structure of single exponential size that contains enough information to evaluate formulas with arbitrary nesting of knowledge operators.

This model is of size \(|\widehat{M}| = |M|^2\times 2^{|M|^2}\). Each set \(I_{s}\) is updated by simply taking the set of successors of states in the current \(I_{s}\). As in the construction of Section 3.2, this update is deterministic and thus every history \(\tau\) starting in state \(s\in S^\iota\) defines a unique history \(\widehat{\tau }\) of length \(|\tau |\) in \(\widehat{M}\), which starts in \((s,s,\langle \lbrace s^{\prime }\rbrace \rangle _{s^{\prime }\in S^\iota })\in \widehat{S}^{\,\iota }\) and follows transitions in \(\tau\). Similarly, every path \(\pi\) in \(M\) induces a unique path \(\widehat{\pi }\) in \(\widehat{M}\). We have the following:

Together with Lemma 5.9, this explains why, as in the general case, we can evaluate one level of knowledge operators positionally in model \(\widehat{M}\), using relations \(\widehat{\sim }_{a}\): After history \(\tau\) starting in \(s\), if we write \(\mbox{lst}(\widehat{\tau })=(s,\mbox{lst}(\tau),\langle I_{s^{\prime }}\rangle _{s^{\prime }\in S^\iota })\), then for each agent \(a\), we have \(I_{a}(\tau)=\bigcup _{s^{\prime }\sim _{a}s} I_{s^{\prime }}\). But, in fact, we can do more, and \(\widehat{M}\) contains enough information to evaluate positionally formulas with arbitrary nesting of knowledge operators, and even common knowledge.

In the general case, after history \(\tau\), \(\mbox{lst}(\widehat{\tau })\) contains the information set \(I_{a}(\tau)\) for each agent \(a\), and in particular for all \(\tau ^{\prime }\) such that \(\tau \approx _{a}\tau ^{\prime }\), \(I_{a}(\tau)\) contains \(\mbox{lst}(\tau ^{\prime })\), which is enough information to evaluate whether a purely temporal formula holds at \(\tau ^{\prime }\), but not to evaluate epistemic formulas. For this, we would need the information sets of all agents after \(\tau ^{\prime }\), and while \(I_{a}(\tau)=I_{a}(\tau ^{\prime })\) if \(\tau \approx _{a}\tau ^{\prime }\), in general, we may have \(I_{b}(\tau)\ne I_{b}(\tau ^{\prime })\) for \(b\ne a\). This is why we iterate the powerset construction as presented in Section 3.4.

With synchronous perfect recall and no learning, information sets \(I_{a}(\tau)\) can be deduced from sets \(I_{s}(\tau)\). Since for each \(s\in S^\iota\), \(I_{s}(\tau)\) is completely determined by the length of \(\tau\), then for all \(\tau \approx _{a}\tau ^{\prime }\), by synchronicity it holds that \(I_{s}(\tau)=I_{s}(\tau ^{\prime })\). This explains the last part of the definition of \(\widehat{\sim }_{a}\) in Definition 5.10, and it also explains why we can use the memoryless semantics on the powerset model to evaluate formulas of arbitrary alternation depth and with common knowledge. This is formalized by the following variant of Proposition 3.7:

Proposition 5.12 shows that to model check \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) with synchronous perfect recall and no-learning agents, we can equivalently model check the same formula with the (asynchronous) memoryless semantics \(\models _m\) on the powerset model. Model checking for the memoryless semantics is in Pspace [35], and by building on-the-fly the powerset model as in Section 3.3, we obtain a Pspace model-checking procedure.

5.4 No Learning with Asynchronous Perfect Recall

The last remaining case is that of no learning with asynchronous perfect recall. In this case, indistinguishable histories can be of different lengths, and in a given history the number of events observed may not be the same for different agents. As a consequence, the characterization in Lemma 5.9, on which relies the Pspace model-checking procedure for no learning with synchronous perfect recall, does not hold. We have instead the following characterization, where \(|\tau |_a:=|\text{Obs}_{a}(\tau)|\) denotes the number of visible events for agent \(a\) in history \(\tau\):

However, since the number of observations made along a history may be different for each agent, this characterization does not get us rid of the need to record nested information for different agents to evaluate nested knowledge operators. Intuitively, two histories that are indistinguishable to agent \(a\) may have different numbers of observations for agent \(b\).

Concerning upper bounds, we can infer from Theorem 3.12 that for \(\texttt { CTL}^{*}\texttt {K}\) (without common knowledge) the problem is in \(k-1\)-Expspace for alternation depth \(k\). For lower bounds, we know that the problem is Pspace -hard for LTLK and \(\texttt { CTL}^{*}\texttt {K}\), and PH -hard for CTLK. The latter result is obtained by a simple adaptation of the proof of Theorem 5.7. Using the same trick used in the proof of Theorem 4.1 to deal with the asynchronous case, the only agent is turned from one that observes nothing to one that observes only the clock by switching between two observations at every transition in the model. The exact complexity remains an open problem. In particular, we do not know if model checking \(\texttt { CTL}^{*}\texttt {K}_{\texttt {C}}\) with asynchronous perfect recall remains undecidable on systems with no learning or if it becomes decidable.