We may now define the model checking problem we consider in this paper and state our main results.
Say that a formula $\varphi$ is realized in the environment $E$ with respect to a view $v$, denoted $E \models^v \varphi$, if, for all runs $r$ of $E$, we have $E, (r, 0) \models^v \varphi$. Our interest is in the following problem, which we call the realization problem with respect to a view $v$: given an environment $E$ and a formula $\varphi$ of a language $\mathcal{L}$, determine if $\varphi$ is realized in $E$ with respect to $v$.
The realization problem for the logic of knowledge and linear time has been studied by van der Meyden and Shilov (1999), who show that for the perfect recall view, the problem is undecidable for the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n, C\}}$ when $n \ge 2$, and decidable for the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n\}}$, but with nonelementary complexity. More specifically, for $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n\}}$ their approach runs in space polynomial in $f(\mathrm{depth}(\varphi), O(|E|))$, where the function $f$ is defined by $f(0, m) = m$ and $f(k+1, m) = 2^{f(k,m)}$. It is also shown by van der Meyden and Shilov that there is a similar lower bound on the complexity when there is more than one agent.
Our main contribution in this paper is to develop a general algorithm scheme for model checking the logic of knowledge and time based on a notion of bisimulation of environments, and to show that this scheme yields improved complexity bounds in a number of special cases. The scheme itself is presented in Section A.4, and parameterizes a procedure for model checking with respect to the observational view. In particular, this procedure yields the following result for the observational view.[2]
Theorem 1. Determining if a given formula in the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n, C\}}$ is realized in a given environment $E$ with respect to the observational view is decidable in PSPACE.
By showing the existence of a bisimulation from an environment representing the perfect recall semantics for a single agent to a suitable finite environment, we obtain the following result:
Theorem 2. Determining if a given formula in $\mathcal{L}_{\{\bigcirc, U, K\}}$ is realized in a given environment $E$ with respect to the perfect recall view is in PSPACE.
This shows that the complexity of the realization problem for formulas with a single agent with perfect recall is strictly lower than the general case, and significantly improves upon the complexity bound of van der Meyden and Shilov in this case.
[2] This result does not appear to have been previously stated in the literature, but we note that results of Vardi (1996) on the problem of verifying that a concrete protocol implements a knowledge-based program are very closely related. Lomuscio and Raimondi have studied the complexity of model checking the combination of the logic of knowledge with the branching time logic CTL with respect to the observational semantics (Lomuscio and Raimondi 2006a).
By finding other suitable structures we may derive complexity bounds on several other cases of the realization problem, as stated in the following results. First, although with respect to the perfect recall view, the realization problem is non-elementary for $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n\}}$, there exist classes of environments with respect to which the problem has lower complexity, even if we add the common knowledge operators. In particular, this holds for broadcast environments (van der Meyden 1996b). Intuitively, these are environments in which the only communication mechanism available to agents is to broadcast to all agents in the system. The formal definition will be given in Section A.5.2. For broadcast environments we show the following.
Theorem 3. Determining if a given formula in the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n, C\}}$ is realized in a given broadcast environment $E$ with respect to the perfect recall view is decidable in PSPACE.
Realization for the clock view may also be handled using the bisimulation technique, and again the common knowledge operator may be included in the language.
Theorem 4. Determining if a given formula in the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n, C\}}$ is realized in a given environment $E$ with respect to the clock view is decidable in PSPACE.
Note that the complexity of model checking linear time temporal logic (i.e. realization for the language $\mathcal{L}_{\{\bigcirc, U\}}$) is PSPACE-complete (Sistla and Clarke 1985). Since $\mathcal{L}_{\{\bigcirc, U\}}$ is a sublanguage of the languages in the above results, these results show that the above bounds are tight, in the sense that the problems are in fact PSPACE-complete.
That some of our complexity bounds are no more than the PSPACE complexity of the linear time temporal logic LTL may at first suggest that model checking these cases of the logic of knowledge and time could be as effective in practice as model checking LTL. However, a closer inspection indicates that it is not obvious that this will be the case. The time complexity of LTL model checking a fixed formula is linear in the size of the model. The time complexity is exponential in the size of the formula. This exponential bound is not an impediment in practice since the formulas of interest tend to be small. The models, on the other hand, may be very large. We show that as a function of model size, the complexity of model checking fixed formulas of the logic of knowledge and time falling within our PSPACE cases can be as high as PSPACE-hard (for $\mathcal{L}_{\{\bigcirc, U, K\}}$ with respect to perfect recall) and at any level of the polynomial hierarchy for the clock view.
Theorem 5. There exists a formula $\varphi$ of $\mathcal{L}_{\{\bigcirc, U, K\}}$ such that the problem of deciding if $\varphi$ is realized in a given environment $E$ with respect to the perfect recall view is PSPACE-hard.
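Proof. By reduction from the problem of deciding if, for a given nondeterministic finite state automaton $A$ over an alphabet $\Sigma$, the language $L(A)$ is equal to the universal language $\Sigma^*$. Let $A = (Q, q_0, \delta, F)$ be an NFA with states $Q$, initial state $q_0$, transition function $\delta : Q \times \Sigma \to 2^Q$ and final states $F$. We define an environment $E_A$ that has two different types of runs: one corresponds to the generation of a sequence of inputs to $A$, the other corresponds to runs of $A$. We employ the special letter $\epsilon \notin \Sigma$ to handle the empty word in both types of runs. To ensure that $E_A$ has a fair path starting at every state, we add the sink state $\bot \notin \Sigma$. Formally, the environment $E_A = (S, I, \to, O_1, \pi, \alpha)$ consists of:
• states $S = \Sigma \cup \{\epsilon, (\epsilon, q_0), \bot\} \cup \Sigma \times \Sigma$,
• initial states $I = \{\epsilon, (\epsilon, q_0)\}$,
• transitions
  – $\epsilon \to l$ and $l \to l'$ for each $l, l' \in \Sigma$,
  – $(l, q) \to (l', q')$ for each $l \in \Sigma \cup \{\epsilon\}$, $q \in Q$, $l' \in \Sigma$ and $q' \in \delta(q, l')$,
  – $(l, q) \to \bot$ if $\delta(q, l) = \emptyset$,
  – $\bot \to \bot$,
• observation function $O_1(l) = l = O_1(l, q)$, for all $l \in \Sigma \cup \{\epsilon\}$ and $q \in Q$, and $O_1(\bot) = \bot$,
• interpretation $\pi$ given by
  – $\pi(\bot) = \emptyset$,
  – $\pi(l) = \{\mathit{in}\}$ for $l \in \Sigma \cup \{\epsilon\}$,
  – $\pi(l, q) = \{\mathit{final}\}$ if $l \in \Sigma \cup \{\epsilon\}$ and $q \in F$, else $\pi(l, q) = \emptyset$, and
• trivial acceptance condition $\alpha$.
Note that for $w \in \Sigma^*$ of length $m$, if $r[0 \cdots] = \epsilon.w$ then $Plpr(E_A, r, m) = \{l\} \cup \{(l, q) \mid q_0 \xrightarrow{w} q\}$, where $l = r(m)$. Since there is such a run $r$ for every word $w \in \Sigma^*$, it follows that $E_A \models^{pr} \Box(\mathit{in} \Rightarrow \neg K \neg \mathit{final})$ iff $L(A) = \Sigma^*$.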
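The reduction in this proof, as an added Python example (not code from the paper): it builds the environment from the transition and labelling rules above, explores the single agent's perfect-recall knowledge sets by grouping successor states by observation, and compares the result with a direct universality check on the automaton. The names `EPS`, `BOT`, `succ`, `label`, `reachable`, `realized` and `universal`, and the two sample NFAs, are assumptions of the example.

```python
EPS, BOT = "eps", "bot"   # assumed stand-ins for the empty-word letter and the sink

def succ(s, sigma, delta):
    """Transitions of E_A as listed in the proof."""
    if s == BOT:
        return {BOT}
    if isinstance(s, str):                    # input run: eps -> l and l -> l'
        return set(sigma)
    l, q = s                                  # automaton run: (l, q) -> (l', q')
    out = {(l2, q2) for l2 in sigma for q2 in delta.get((q, l2), ())}
    return out if delta.get((q, l)) else out | {BOT}

def label(s, final):
    """Interpretation pi: 'in' on letters, 'final' on (l, q) with q in F."""
    if isinstance(s, str):
        return set() if s == BOT else {"in"}
    return {"final"} if s[1] in final else set()

def reachable(start, step):
    """All sets reachable from start, where step maps a set to its successor sets."""
    seen, todo = {start}, [start]
    while todo:
        for nxt in step(todo.pop()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def realized(sigma, q0, delta, final):
    """Check always(in => not K not final) for the single perfect-recall agent."""
    def step(known):                          # split successors by observation O_1
        by_obs = {}
        for t in (t for s in known for t in succ(s, sigma, delta)):
            by_obs.setdefault(t if isinstance(t, str) else t[0], set()).add(t)
        return map(frozenset, by_obs.values())
    def ok(known):                            # some possible state is final if 'in' holds
        labels = set().union(*(label(s, final) for s in known))
        return "in" not in labels or "final" in labels
    return all(ok(k) for k in reachable(frozenset({EPS, (EPS, q0)}), step))

def universal(sigma, q0, delta, final):
    """Reference check of L(A) = Sigma* by the subset construction on A itself."""
    step = lambda cur: [frozenset(q2 for q in cur for q2 in delta.get((q, a), ()))
                        for a in sigma]
    return all(bool(s & final) for s in reachable(frozenset({q0}), step))

# Constructed sample NFAs over {a, b}, given as (sigma, q0, delta, F)
ENDS_IN_A = ("ab", "q0", {("q0", "a"): {"q0", "q1"}, ("q0", "b"): {"q0"}}, {"q1"})
ALL_WORDS = ("ab", "q0", {("q0", "a"): {"q0"}, ("q0", "b"): {"q0", "q1"}}, {"q0"})
```

The number of knowledge sets explored can be exponential in the number of automaton states, which is the model-size blow-up that the theorem's lower bound reflects.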
In the case of the clock semantics, we may obtain the following lower bound.
Theorem 6. For each level $\Pi^p_k$ of the polynomial hierarchy, there exists a formula $\varphi$ of the language $\mathcal{L}_{\{\bigcirc, U, K_1, \ldots, K_n\}}$ such that the problem of deciding, given an environment $E$, whether $E \models^{clk} \varphi$, is $\Pi^p_k$-hard.
Note that this implies PSPACE-hardness of the version of the problem in which the formula is given.
Proof. Fix $k$, and consider $\Pi^p_k$ quantified Boolean formulas $\Phi$ of the form
$$\forall q^k_1 \ldots q^k_n \, \exists q^{k-1}_1 \ldots q^{k-1}_n \ldots (\forall/\exists) q^1_1 \ldots q^1_n (\alpha),$$
where $\alpha$ is a 3-CNF formula of propositional logic in the variables $q^j_i$. (Formulas with differing numbers of propositional variables in the quantifications can always be put into this form at polynomial cost $O(nk)$ symbols by padding with unused variables.)
We construct environments $E$ corresponding to such formulas in which the transition relation is the disjoint union of cycles of the form $s_0 \to \cdots \to s_{N-1} \to s_0$. We call such a component of the transition relation a cycle of length $N$.
Such cycles are used to represent assignments to the truth values of the propositional variables $q^j_i$ as follows. Let $p^1_1 \ldots p^1_n, \ldots, p^k_1 \ldots p^k_n$
Then the largest number $p^k_n$ in this sequence is known to be $O(nk(\log nk + \log\log nk)) = O(n^2)$. Let $N^j_i = \prod_{1 \le j' \le j} p^{j'}_i$. Thus the largest of these numbers is $N^k_n = O(n^{2k})$.
We associate with each variable $q^j_i$ several cycles, each of length $N^j_i$, with one such cycle for each positive or negative occurrence of $q^j_i$ in $\alpha$. Let $\alpha = \bigwedge_{c \in C} c$, where each $c = \{l^c_1, l^c_2, l^c_3\}$ is a set representing a disjunction of 3 literals. If $q^j_i$ or $\neg q^j_i$ occurs in $c$, we include in $E$ a cycle $x^{c,i,j}_0 \to \ldots x^{c,i,j}_N \to x^{c,i,j}_0$ where $N = N^j_i - 1$. Note that occurrences of a variable in distinct clauses give rise to distinct cycles, i.e., if $c \ne c'$ then $x^{c,i,j}_l \ne x^{c',i,j}_m$, but these cycles have the same length.
Of these states, the states $x^{c,i,j}_0$ are made initial. Thus we have one initial state per cycle in the transition relation. The total number of states is $O(|\Phi| \cdot N^k_n) = O(|\Phi|^{2k+1})$.
We make all the states arising from the clause $c$ mutually indistinguishable to agent 1, i.e., we define $O_1(x^{c,i,j}_l) = c$. The observation function for agent 2 is defined so as to make all states indistinguishable, i.e., $O_2(x) = \bot$ for all states $x$.
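Let $X_j$ be the set of states $x^{c,i,j}_l$, and call these the level $l$ states. It follows that if $P_m = P(E, r, m)$ is the set of states possible at time $m$, then
$$P_m \cap X_j = \{x^{c,i,j}_l \mid c \in C,\ 1 \le i \le n,\ \{q^j_i, \neg q^j_i\} \cap c \ne \emptyset,\ l = m \bmod N^j_i\}.$$
Noting that the numbers $N^j_i$ for fixed $j$ are co-prime, we have that the sets $P_m \cap X_j$ cycle with period $\prod_{i=1}^{n} N^j_i$. More precisely, we have the following properties:
P1. For each function $f : A \to \mathbb{N}$ such that $0 \le f(i) < N^j_i$ for each $i \in A$, there exists $m$ such that $P_m \cap X_j = \{x^{c,i,j}_{f(i)} \mid c \in C,\ \{q^j_i, \neg q^j_i\} \cap c \ne \emptyset\}$.
P2. If $c$ and $c'$ are clauses with $\{q^j_i, \neg q^j_i\} \cap c \ne \emptyset$ and $\{q^j_i, \neg q^j_i\} \cap c' \ne \emptyset$, then for all $m \in \mathbb{N}$ and $0 \le l < N^j_i$, we have $x^{c,i,j}_l \in P_m$ iff $x^{c',i,j}_l \in P_m$.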
We now label the states with propositions as follows:
1. For each $j = 1 \ldots l$, there is a proposition $\mathit{level}_j$, which holds just at states of the form $x^{c,i,j}_l$ for some $c, i, l$.
2. For each level of quantification $j = 1 \ldots k$, there is a proposition $\mathit{passgt}_j$, which we assign to be true at all states $x^{c,i,j}_l$ if $j = 1$ and at states $x^{c,i,j}_l$ with $j > 1$ iff $l$ is divisible by $N^j_i / p^j_i = N^{j-1}_i$. Thus, there are $p^j_i$ such states on the cycle. Intuitively, $\mathit{passgt}_j$ holds at states that represent possible contributions to truth assignments to the level $j$ variables: we treat proposition $q^j_i$ as being possibly assigned a value of true at a state $x^{c,i,j}_l$ satisfying $\mathit{passgt}_j$ if $l$ is even. Note that if we consider different clauses $c, c'$, then, for states labelled $\mathit{passgt}_j$, property P2 implies that at a given time $m$, all the assignments of truth value to $q^j_i$ according to this rule are consistent.
However, in the formula we construct, we will be interested not directly in the truth value assigned to a variable, but in whether this assignment causes a clause in which the variable occurs to be true. For this, we further label the states $x^{c,i,j}_l$ where $\mathit{passgt}_j$ holds with the proposition $\mathit{sat}_j$, provided either $l$ is even (so $q^j_i$ is considered true) and $q^j_i$ occurs positively in the clause $c$, or $l$ is odd (so $q^j_i$ is considered false) and $q^j_i$ occurs negatively in the clause $c$. These are the only states in the cycle where $\mathit{sat}_j$ holds. Intuitively, this represents that the clause $c$ is satisfied because of the choice of truth value for $p^j_i$.
We have said that truth of $\mathit{passgt}_j$ at a state indicates that the state represents a possible contribution to an assignment of truth values to a proposition at level $j$. In fact, not all such occurrences will be treated as yielding assignments, but only those at times such that all states in $P_m \cap X_j$ satisfy $\mathit{passgt}_j$. It can be seen that this is the case just when $m$ is divisible by $N^{j-1}_i$ for all $i = 1 \ldots n$, or equivalently (since the $N^{j-1}_i$ are co-prime), when $m$ is divisible by $\prod_{i=1 \ldots n} N^{j-1}_i$.
Intuitively, this condition represents that $m$ is a time instant from which an assignment of truth value for all the level $j$ propositions $q^j_i$ can be read off. We may capture the satisfaction of this condition by the formula
$$\mathit{Assgt}_j = K_2(\mathit{level}_j \Rightarrow \mathit{passgt}_j)$$
which expresses that all level $j$ states at the given time instant satisfy $\mathit{passgt}$.
Suppose we are given an assignment $\pi : A \to \{0, 1\}$. Let $f : A \to \mathbb{N}$ be any function with $f(i) < N^j_i$ such that $f(i)$ is divisible by $N^{j-1}_i$ and $f(i)$ is even iff $\pi(i) = 1$. Then by property P1, there exists $m$ such that $P_m \cap X_j = \{x^{c,i,j}_{f(i)} \mid c \in C,\ \{p^j_i, \neg p^j_i\} \cap c \ne \emptyset\}$. Thus, the assignment to the level $j$ variables at this instant of time is exactly $\pi$.
Moreover, all these possible assignments occur within every interval of length $N^j_1 \ldots N^j_n$. In particular, between any two times $m(N^{j-1}_1 \ldots N^{j-1}_n)$ and $(m+1)(N^{j-1}_1 \ldots N^{j-1}_n)$, the combinations of level $j-1$ states cycle through all possibilities, so we have all possible assignments to the level $j-1$ variables represented between these successive level $j$ assignments.
Instead of reading the value of a level $j$ variable from the assignment at the current time, we read it from the next time that all the level $j$ variables are assigned a value. This can be captured by the following formulas. First, define the expression $\mathit{all}_j(\varphi)$ as $\bigcirc[(\mathit{Assgt}_j \Rightarrow \varphi)\, U\, (\mathit{Assgt}_{j+1})]$, which says that $\varphi$ holds at all points corresponding to a $j$ level assignment that precede the next level $j+1$ assignment. The dual of this is the expression $\mathit{some}_j(\varphi)$, defined as $\neg \mathit{all}_j(\neg \varphi)$, which says that $\varphi$ holds at some point before the next level $j+1$ assignment. Next, define $\mathit{Holds}$ as $\neg K_1 \neg \beta$, where
$$\beta = \bigvee_{j=1 \ldots n} \mathit{next}(\mathit{Assgt}_j, \mathit{sat}_j)$$
where $\mathit{next}(\varphi, \psi)$ is the formula $\bigcirc((\neg \varphi)\, U\, (\varphi \wedge \psi))$, which says that $\psi$ holds at the next point (after the current) where $\varphi$ holds. Note that, when $\mathit{Holds}$ is evaluated at a point where the state is $x^{c,i,j}_l$, the definition of observability for agent 1 implies that we check $\beta$ only at points where the state is of the form $x^{c',i',j'}_{l'}$ with $c' = c$. Thus, this formula corresponds to checking that some literal in $c$ causes $c$ to be satisfied, according to the "current assignment" to the variables, which is determined at each level by looking at the first time in the future that corresponds to a level $j$
We may then translate the given formula as
$$\Phi^* = \Box(\mathit{Assgt}_k \Rightarrow \mathit{some}_{k-1}\, \mathit{all}_{k-2} \ldots (K_2\, \mathit{Holds}))$$
Note that during the evaluation of this formula, because of the nesting structure for the occurrence of assignments down the levels, the successor assignment for each level $j$ is preserved whenever an operator $\mathit{all}_{j'}$ or $\mathit{some}_{j'}$ with $j' < j$ moves the point of evaluation. Thus the successor assignments used in the evaluation of $\mathit{Holds}$ are the same as those determined by the points of evaluation for these operators. The knowledge operator $K_2$ may move the point of evaluation from any point $(r, n)$ to another point $(r', n)$ at the same time. In particular, this operator captures quantification over all the clauses $c$ in the given QBF formula. It follows that $E \models^{clk} \Phi^*$ iff $\Phi$ is true.