No big deal: introducing roles to reduce the size of ATL modelsAccepted for presentation at LAMAS 2012 workshop on June 5, 2012 in Valencia, Spain.

# No big deal: introducing roles to reduce the size of ATL models††thanks: Accepted for presentation at LAMAS 2012 workshop on June 5, 2012 in Valencia, Spain.

Sjur Dyrkolbotn Department of Informatics, University of Bergen    Piotr Kaźmierczak Department of Computing, Mathematics and Physics, Bergen University College Department of Information Science and Media Studies, University of Bergen Piotr Kaźmierczak’s research was supported by the Research Council of Norway project 194521 (FORMGRID).    Erik Parmann Department of Informatics, University of Bergen    Truls Pedersen Department of Information Science and Media Studies, University of Bergen
###### Abstract

In the following paper we present a new semantics for the well-known strategic logic atl. It is based on adding roles to concurrent game structures, that is at every state, each agent belongs to exactly one role, and the role specifies what actions are available to him at that state. We show advantages of the new semantics, analyze model checking complexity and prove equivalence between standard atl semantics and our new approach.

## 1 Introduction

One of the most intensively studied [8, 9, 16] areas of research in the field of multi-agent systems are strategic or cooperation logics – formalisms that allow for reasoning about agents’ strategies and behavior in a multi-agent setting. Two of the most known logics are Marc Pauly’s Coalition Logic (cl) [10, 11] and Alur, Henzinger and Kupferman’s Alternating-time Temporal Logic (atl) [5], which can be considered a temporal extension of Coalition Logic. Both these logics gained much popularity and generated a ‘zoo’ of derivatives [15, 13, 1, 3, 2].

This popularity is in no small part due to relative high expressive power of both cl and atl, but also due to low complexity of model checking problems for these respective logics. Model checking of Coalition Logic can be solved in polynomial time in the size of the model and the length of the formula [10]. It remains polynomial for atl as well [5], which is considered a very good result. However, as investigated by Jamroga and Dix [7], in both cases the number of agents must be fixed. If it is not then model checking of atl models represented as alternating transition systems is -complete, and if the models are represented as concurrent game structures (cgs) it becomes -complete. Also, van der Hoek, Lomuscio and Wooldridge show [14] that complexity of model checking for atl is sensitive to model representation. It is polynomial only if an explicit enumeration of all components of the model is assumed. For models represented in a (simplified) reactive modules language (rml) [4] complexity of model checking for atl becomes as hard as the satisfiability problem for this logic, namely  [14].

We present an alternative semantics that interprets formulas of ordinary atl over concurrent game structures with roles. As we describe in Section 2.1, such structures introduce an extra element – a set of roles. Agents belonging to the same role are considered homogeneous in the sense that all consequences of their actions are captured by considering only the number of votes an action gets (one vote per agent). We give some examples that motivate our approach and prove equivalence with atl based on concurrent game structures. We then discuss model checking, showing it to be of polynomial complexity in the size of models. This seems significant, since as long as the number of roles remain fixed, the size of our models does not grow exponentially in the number of players.

The structure of our paper is as follows. We present a revised formalism for atl in Section 2, prove equivalence with the standard one in Section 3, discuss model checking results in Section 4 and conclude in Section 5.

## 2 Role-based semantics for ATL

The language of ordinary atl is the following, as presented in [5]:

 ϕ::=p∣¬ϕ∣ϕ∧ϕ∣⟨⟨A⟩⟩◯ϕ ∣ ⟨⟨A⟩⟩□ϕ ∣⟨⟨A⟩⟩ϕUϕ

where is propositional letter, and is a coalition of agents. We follow standard abbreviations (e.g.  for ) and skip connectives that are derivable.

### 2.1 Concurrent Game Structures with Roles

In this section we will introduce concurrent game structures with roles (rcgs) and consider some examples. We will be using the notation , and we will let denote the set of functions from to . We will often work with tuples and we will often view as a function with domain and write for . We will do addition and subtraction on tuples of the same arity component by component, e.g. for , . Given a function and , we will use to denote the function defined by for all .

###### Definition 1

An rcgs is a tuple where:

• is a non-empty set of players. In this text we assume for some , and we will reserve to mean the number of agents.

• is the non-empty set of states.

• is a non-empty set of roles. In this text we assume for some .

• , such that for every we have

• For all , if then

For a coalition we write for the agents in which belong to role at , i.e.

• is a set of propositional letters and maps states to the propositions true at that state.

• is the number of available actions in a given state for a given role.

• For , we say that the set of complete votes for a role in a state is , the set of functions from the available actions to the number of agents performing the action. The functions in this set account for the actions of all the agents. The set of complete profiles at is . For each we have a transition function at , defining a partial function such that for all , ,

To illustrate how rcgs differs from an ordinary concurrent game structure, we provide some examples.

###### Example 1

We construct an example similar to the well-known train-controller scenario [5], but in contrast to the original, in our scenario there are trains. Consider a turn-based synchronous game structure with roles where:

• . There are trains and one controller.

• . There are two roles: one for trains and one for the controller.

• .

• , and , for all .

• , ,
, .

• ,
.

• and finally

 δ(q0,⟨(0,nt),1⟩)=δ(q1,⟨nt,(1,0,0)⟩)=δ(q2,⟨(0,nt),1⟩) =δ(q3,⟨(a,nt−a),1⟩)=q0 where 1≤a≤nt δ(q0,⟨(a,nt−a),1⟩)=δ(q1,⟨nt,((0,1,0))⟩)=q1 where 1≤a≤nt δ(q1,⟨nt,(0,0,1)⟩)=δ(q2,⟨(a,nt−a),1⟩)=q2 where 2≤a≤nt δ(q2,⟨(1,nt−1),1⟩)=δ(q3,⟨(0,nt),1⟩)=q3

Figure 1 presents the example in a visual way. The model can be seen as a generalization of the classical train-controller example. In we stay in unless at least one train issues a request. In the controller behaves as before; it can postpone making a decision (staying in ), reject all requests (going to ), or accept the requests (going to ). In the trains can choose to enter the tunnel, but only one of them may do so; if nobody attempts to enter the grant is revoked (or relinquished), if more than one train attempts to enter we stay in , and finally if (the trains reach an agreement and) only one train enters we go to . In any train may decide that the train in the tunnel has to leave (returning to ), and the train in the tunnel must comply. This reflects the homogeneity among players in the trains role. The action of deciding to leave the tunnel is shared among all trains, and the train actually in the tunnel remains unidentified.

Notice that in the single-train case (), the train can not wait before entering the tunnel after being granted permission (and retain the permission). This could of course easily be avoided by adding another action. More importantly, in the case of several trains, the controller can not distinguish between the different trains, so permission must be granted to all or none. This is a consequence of the strict homogeneity in the model: not only are the agents homogeneous in terms of the actions available to them, we can not reasonably distinguish between them as long as they remain in the same role. Notice that this feature allow us to add any number of trains to the scenario without incurring more than a linear increase in the size of the model (total number of profiles). This would not be possible if we did not have roles. If the model above was to be rendered as a concurrent game structure, the number of possible ways in which trains could act would be exponential in all states where trains have to make a choice of what action to perform. This would be the case even if, as in the scenario above, almost all possible combinations of choices should be treated in the same way by the system.

Sometimes homogeneity is desirable. In our trains and controller example, for instance, homogeneity strongly encourages cooperation among trains; no one can enter the gate unless everyone agree, and everyone knows that whoever gets to enter must leave as soon as he is asked to. On the other hand, we notice that it is impossible for any train to enter the gate unless all trains cooperate. This might be overly restrictive. By adding more roles, however, we can amend this while still retaining many of the benefits of using roles.

###### Example 2

In the previous example all trains were equal before the controller; the controller could not distinguish between trains. We could grant the agents much more individual identity by simply adding one more role, and in this example we sketch the result of doing so. First we make “copies” of the previous model sharing the state . In Figure 2 we illustrate the resulting model for . In we let the trains vote for which train should be allowed to request permission to enter the tunnel. We assume majority voting, but we do not resolve ties. It means that if one train, , gets more votes then all others we go to ”his” state, . Otherwise we just loop on . If we get to a -state, the controller can grant or reject the request. Contrary to the previous example the controller now knows which train is being proposed. If the controller grants the request, the selected train is put in a privileged role and given the sole choice of what to do with the permission.

The model has grown, so the trains gain autonomy at a cost. Still, this cost is much less than the cost of modelling this scenario in a cgs. There, if each train is to have the option to “vote” for any train in , each train must have actions available. We would get edges leading out from ! In the rcgs model we get a substantially smaller degree, the following table summarizes the difference (formulas for counting the degree are explained and discussed further in section 4)

: 3 4 5 6 n
cgs: 27 256 3125 46656
rcgs: 10 35 127 462

Before we move on we introduce some more notation. Given a role , a state and a coalition , the set of -votes for at is , defined as follows:

 Vr(q,A)=⎧⎨⎩v∈[|Ar,q|][A(q,r)] ∣∣ ∣∣ ∑a∈[A(q,r)]v(a)=|Ar,q|⎫⎬⎭

The -votes for at gives the possible ways agents in that are in role at can vote. Given a state and a coalition , we define the set of -profiles at :

 P(q,A)={⟨v1,…,v|R|⟩∣1≤i≤|R|:vi∈Vr(q,A)}

When we say that a function is a complete vote (for at ), we mean that . For any and we write iff for all we have . If , we say that extends . If and with for every , we say that and that extends .

An profile is a complete profile iff the sum of its components equal , i.e.  iff iff . Given a (partial) profile at a state we write for the set of all complete profiles that extend .

Given two states , we say that is a successor of if there is some such that . A computation is an infinite sequence of states such that for all positions , is a successor of . We follow the standard abbreviations, hence -computation denotes a computation starting at , and , and denote the -th state, the finite prefix and the infinite suffix of for any computation and its position . An -strategy for is a function such that for all . That is, maps states to -profiles at that state. The set of all -strategies is denoted by . If is an -strategy and we apply to , we obtain a unique new state . Iterating, we get the induced computation such that and . Given two strategies and , we say that iff . Given an -strategy and a state we get an associated set of computations . This is the set of all computations that can result when at any state, the players in are voting in the way specified by :
It will also be useful to have access to the set of states that can result in the next step when follows strategy at state , . Clearly, iff there is some such that .

### 2.2 New Semantics for ATL

###### Definition 2

Given a rcgs and a state in , we define the satisfaction relation inductively:

 S,q⊨ p iff p∈π(q) S,q⊨ ¬ϕ iff  not S,q⊨ϕ S,q⊨ ϕ∧ϕ′ iff S,q⊨ϕ and S,q⊨ϕ′ S,q⊨ ⟨⟨A⟩⟩◯ϕ iff %thereissA∈strat(A) such that for all λ∈out(sA,q), we have S,λ[1]⊨ϕ S,q⊨ ⟨⟨A⟩⟩□ϕ iff  % there is sA∈strat(A) such that for all λ∈out(sA,q) we have S,λ[i]⊨ϕ for all i≥0 S,q⊨ ⟨⟨A⟩⟩ϕUϕ′ iff  there is sA∈strat(A) such that for all λ∈out(sA,q) we have S,λ[i]⊨ϕ′ and S,λ[j]⊨ϕ for some i≥0 and for all 0≤j

## 3 Equivalence between RCGS and CGS

In this section we show that definition 2 provides an equivalent semantics for atl. We do this by first giving a surjective function that takes an rcgs and returns a cgs. Then we show that and satisfy the same atl formulas.

Remember that a concurrent game structure is a tuple where every element is defined as for an rcgs except that maps agents and states to actions available at that state, and that is a partial function from states and action tuples to states defined by where is a transition function at based on tuples of actions rather than profiles. The satisfaction relation for atl based on cgss can be defined exactly as in definition 2, the difference concerning only what counts as a strategy.

We refer to elements of as complete action tuples at . A (memory-less) strategy for in a cgs is a function such that for all , while a strategy for is a list of strategies for all agents in , , for . We denote the set of strategies for by . When needed to distinguish between different structures we write to indicate that we are talking about the set of strategies for in .

We say that a complete action tuple at , extends a strategy if for all we have . We denote the set of all complete action tuples at extending by . For any state we have the set of all computations that comply with :

 out(q,sA)= {λ=q0q1q2… ∣q=q0 and for all i∈N:∃t∈ext(qi,sA), δ(q,t)=qi+1}

We define the set of -successors at :

 succ(q,sA)={q′∈Q∣∃t∈ext(q,sA), δ(q,t)=q′}

When we need to make clear which structure we are talking about, we write . Observe that iff for some .

The translation function from rcgs to cgs is defined as follows:

 f⟨A,R,R,Q,Π,π,A,δ⟩=⟨A,Q,Π,π,d,δ′⟩

where:

 da(q) =A(q,r) where a∈R(q,r) δ′(q,α1,…,αn) =δ(q,v1,…,v|R|) where for each role r
 vr=⟨|{i∈R(q,r) | αi=1}|,…,|{i∈R(q,r) | αi=A(q,r)}|⟩

We can see straight away that is surjective because for any cgs with agents we could define a rcgs with that many roles where each role contains exactly one agent. A vote for a role , , at would then simply be a -tuple consisting of a single 1 (representing the agents chosen action) and otherwise zeros. It is easy to verify that .

Given either a cgs or an rcgs , we define the set of sets of states that a coalition can enforce in the next state of the game:

 force(S,q,A)={succ(q,sA)∣sA is a strategy for A in S}.

The first thing we do towards showing equivalence is to describe a surjective function mapping action tuples and strategies of to profiles and strategies of respectively. For all and any action tuple for at , with for all , the -profile is defined in the following way:

 m(tq) =⟨v(tq,1),…,v(tq,|R|)⟩ where for % all 1≤r≤|R| we have v(tq,r) =⟨|{a∈Ar,q∣αa=1}|,…,|{a∈Ar,q∣αa=A(q,r)}|⟩

Thus the -th component of will be the number of agents from in role at that perform action .

Given a strategy in we define the strategy for by taking for all .

Surjectivity of is helpful since it means that for every possible strategy that exists in the rcgs , there is a corresponding one in . This in turn means that when we quantify over strategies in one of and we are implicitly also quantifying over strategies in the other. Showing equivalence, then, can be done by showing that these corresponding strategies have the same strength. Before we proceed, we give a proof of surjectivity of .

###### Lemma 1

For any rcgs and any , the function is surjective

###### Proof

Let be some strategy for in . We must show there is a strategy in such that . For all , we must define appropriately. Consider the profile and note that by definition of a profile, all for are -votes for and that by definition of an -vote, we have . Also, for all agents we know, by definition of , that .

From this it follows that there are functions such that for all , and for all , i.e.

 vr=⟨|{a∈Ar,q|α(a)=1}|,…,|{a∈Ar,q|α(a)=A(q,r)}|⟩

We choose some such and . Having defined in this way, it is clear that .

Using the surjective function we can prove the following lemma, showing that the ”next time” strength of any coalition is the same in as it is in .

###### Lemma 2

For any rcgs , any state and any coalition , we have

###### Proof

By definition of and lemma 1 it is sufficient to show that for all , we have . We show as follows: Assume that . Then there is some complete profile , extending , such that . Let and form defined by for all . Then each is an -vote for role , meaning that the sum of entries in the tuple is . This means that we can define a function such that for all , and for all , and for every and every , and every , . Having defined like this it follows by definition of that for all , . Then for all and all we have . By definition of it follows that so that . We conclude that . The direction follows easily from the definitions of and .

Given a structure (with or without roles), and a formula , we define . Equivalence of models and is now demonstrated by showing that the equivalence in next time strength established in lemma 2 suffices to conclude that for all .

###### Theorem 3.1

For any rcgs , any and any , we have iff

###### Proof

We prove the theorem by showing that for all , we have . We use induction on complexity of . The base case for atomic formulas and the inductive steps for Boolean connectives are trivial, while the case of is a straightforward application of lemma 2. For the cases of and we rely on the following fixed point characterizations, which are well-known to hold for atl, see for instance [6], and are also easily verified against definition 2:

 ⟨⟨A⟩⟩□ϕ↔ϕ∧⟨⟨A⟩⟩◯⟨⟨A⟩⟩□ϕ⟨⟨A⟩⟩ϕ1Uϕ2↔ϕ2∨(ϕ1∧⟨⟨A⟩⟩◯⟨⟨A⟩⟩ϕ1Uϕ2 (1)

We show the induction step for , taking as induction hypothesis . The first equivalence above identifies as the maximal subset of such that is true at every state in and such that can enforce a state in from every state in , i.e. such that . Notice that a unique such set always exists. This is clear since the union of two sets satisfying the two requirements will itself satisfy them (possibly the empty set). The first requirement, namely that is true at all states in , holds for iff if holds for by induction hypothesis. Lemma 2 states , and this implies that also the second requirement holds in iff it holds in . From this we conclude as desired. The case for is similar, using the second equivalence.∎

## 4 Model checking and the size of models

We have already seen that using roles can lead to a dramatic decrease in the size of atl-models. In this section we give a more formal account, first by investigating the size of models in terms of the number of roles, players and actions, then by an analysis of model checking atl over concurrent game structures with roles.

Given a set of numbers and a number , it is a well-known combinatorial fact that the number of ways in which to choose elements from , allowing repetitions, is . Furthermore, this number satisfies the following two inequalities:111If this is not clear, remember that and are the number of functions and respectively. It should not be hard to see that all ways in which to choose elements from induce non-intersecting sets of functions of both types

 (n+(a−1))!n!(a−1)!≤an,(n+(a−1))!n!(a−1)!≤na (2)

These two inequalities provide us with an upper bound on the size of rcgs models that makes it easy to compare their sizes to that of cgs models. Typically, the size of concurrent game structures is dominated by the size of the domain of the transition function. For an rcgs and a given state this is the number of complete profiles at . To measure it, remember that every complete profile is an -tuple of votes , one for each role . It follows that is the set of all possible combinations of votes for each role. Also remember that a vote for is an -tuple such that the sum of entries is . Equivalently, the vote can be seen as the number of ways in which we can make choices, allowing repetitions, from a set of alternatives. Looking at it this way, we obtain:

 |P(q)|=∏r∈R(|R(q,r)|+(A(q,r)−1))!|R(q,r)|!(A(q,r)−1))!

We sum over all to obtain what we consider to be the size of an rcgs . In light of equation 2, it follows that the size of is upper bounded by both of the following expressions.

 O(∑q∈Q∏r∈R|R(q,r)|A(q,r)),O(∑q∈Q∏r∈RA(q,r)|R(q,r)|) (3)

We observe that growth in the size of models is polynomial in if and is fixed, and polynomial in if and are fixed. This identifies a significant potential advantage arising from introducing roles to the semantics of atl. The size of a cgs , when measured in the same way, replacing complete profiles at by complete action tuples at , grows exponentially in the players whenever for each player . We stress that we are not just counting the number of transitions in our models differently. We do have an additional parameter, the roles, but this is a genuinely new semantic construct that gives rise to genuinely different semantic structures. We show that it is possible to use them to give the semantics of atl, but this does not mean that there is not more to be said about them. Particularly crucial is the question of model checking over rcgs models.

### 4.1 Model checking using roles

For strategic logics, checking satisfiability is usually non-tractable, and the question of model checking is often crucial in assessing the usefulness of different logics. For atl there is a well known “standard” algorithm, see e.g. [5]. It does model checking in time linear in the length of the formula and the size of the model. The algorithm is based on the fixed point equation 1 from the proof of Theorem 3.1, so it will work also when model checking rcgs models. It is not clear, however, how the high level description should be implemented and, crucially, what the complexity will be in terms of the new parameters that arise.

Given a structure with roles, , and a formula , the standard model checking algorithm returns the set , proceeding as detailed in algorithms 1 and 2.

Given a structure , a coalition , a state and a set of states , the method answers true or false depending on whether or not can enforce from . That is, it tells us if at there is such that . Given a fixed length formula and a fixed number of states, this step dominates the running time of (algorithm 1). It is also the only part of the standard algorithm that behaves in a different way after addition of roles to the structures. It involves the following steps:222In implementations one would seek to take advantage of information collected by repeating calls to and not just do a Boolean check for every new instance in the way we do it here. This aspect is not crucial for our analysis, so we do not address it further

For all profiles the algorithm runs through all complete profiles that extend . Over cgss, given a coalition and two action tuples for at , the sets of complete action tuples that extend and respectively do not intersect. It follows that running through all such extensions for all possible action tuples for at is at most linear in the total number of complete action tuples at . This is no longer the case for rcgs models. Given two profiles for at , there can be many shared extensions. In fact, and can share exponentially many in terms of the number of players and actions available.333 To see this, consider and . Each sums to . Then form a complete profile at such that for all and all we have . Then, if it exists, choose a coalition such that