Responsibility and verification: Importance value in temporal logics
Corto Mascle, Christel Baier, Florian Funke, Simon Jantsch, Stefan Kiefer
Corto Mascle ∗, Christel Baier †, Florian Funke †, Simon Jantsch †, Stefan Kiefer ‡
∗ ENS Paris-Saclay, France
† Technische Universität Dresden, Germany
‡ University of Oxford, UK
Abstract — We aim at measuring the influence of the nondeterministic choices of a part of a system on its ability to satisfy a specification. For this purpose, we apply the concept of Shapley values to verification as a means to evaluate how important a part of a system is. The importance of a component is measured by giving its control to an adversary, alone or along with other components, and testing whether the system can still fulfill the specification. We study this idea in the framework of model-checking with various classical types of linear-time specification, and propose several ways to transpose it to branching ones. We also provide tight complexity bounds in almost every case.
I. INTRODUCTION
Classical model-checking algorithms try to detect undesired behaviors in a formal system with reference to a given specification, and the system is deemed correct if they cannot find one. However, simply knowing that the system satisfies the specification is in practice often unsatisfactory: we also want to know why it does, or does not. Especially in the case that the specification is violated, knowing where in the system to look for a potential model repair can significantly reduce troubleshooting times for both engineers and users.

To this end, Chockler, Halpern and Kupferman defined a notion of causality aimed at explaining which parts of a system are relevant for the satisfaction of a specification ϕ [1]. More specifically, a state s is considered a cause for ϕ with respect to an atomic proposition p if the value of p can be swapped in a subset of the states T such that further swapping the value of p in s turns ϕ from being satisfied to being violated (we say that (s, T) is critical). Counterfactual reasoning in this spirit (i.e., had the cause not occurred, then the event would not have happened) has a rich history in the philosophy and moral responsibility literature, and had been formalized in the framework of structural equation models [2], [3], on which the work [1] is based. Causes are further assigned a degree of responsibility by taking the inverse of the size of the smallest set T ∪ {s} such that (s, T) is critical. This numerical value, adapted from [4], is designed to measure the impact of the state on the specification: Causes with high degree of responsibility point to small changes of the system that have the power to crucially alter its behavior.

This work was funded by DFG grant 389792660 as part of TRR 248 (see https://perspicuous-computing.science), the Cluster of Excellence EXC 2050/1 (CeTI, project ID 390696704, as part of Germany’s Excellence Strategy), DFG-projects BA-1679/11-1 and BA-1679/12-1, the Research Training Group QuantLA (GRK 1763). Kiefer is supported by a Royal Society University Research Fellowship.

In this paper we define a novel measure for the influence of a state on a specification, called the importance. While it is related to the degree of responsibility of [1], a significant difference appears in how the counterfactuality principle is invoked. The degree of responsibility relies on hypothetical modifications of the structure and answers the question “Is the system still working if the truth value of this atomic proposition in that subset of states is switched?” In contrast, we never modify the system, but look at how its nondeterministic choices are resolved, thus tackling the question “Does the system yield a satisfying run if the subset of states is under control (i.e., behaving in a manner conducive to the functioning) while the others are not (i.e., behaving antagonistically)?” Hence, our definition of importance relies on a new viewpoint of what constitutes a critical pair, based on capturing the specific nondeterministic choices available in the states.

The approach above determines the impact of a subset of states on the satisfaction of a specification. In order to turn this information into the individual importance of a state (or a component) we employ a solution concept from cooperative game theory, called the Shapley value [5]. In a context of collaborative multi-agent interaction, Shapley values aim at measuring how beneficial the participation of a specific agent is in reaching some objective. Translated to Kripke structures, the idea is to compute the probability that taking control over a particular state makes the system work as intended, where the control over states is taken in a (uniformly) random order. The importance distills those parts of the system whose choices are crucial for its functioning.

As an example, consider a system testing a server S by sending regular requests. If the server does not respond correctly, the system retries to send a request; if it does respond correctly, then the system may wait before testing again. We represent this system by a Kripke structure, displayed on the left in Figure 1. Consider the specification stating that the system should make infinitely many tests and receive only finitely many incorrect answers (modeled by the LTL formula ϕ = GF check ∧ FG ¬fail). The system fails this condition if S malfunctions and fails infinitely often or if ok waits indefinitely from some point on without rechecking the server. As the other states cannot enforce breaching ϕ without S and ok, the importance of these two states is / and that of the other states is .

[Fig. 1. Two simple systems, as used in the introductory example.]

Let us now add a backup server S′ with the same role as S (as displayed on the right in Figure 1). Then the system succeeds if it loops infinitely often between ok, check and the set {S, S′}, which is only possible if ok and at least two of check, S and S′ behave well. In this case we get an importance of / for ok and / for check, S and S′. This is a numerical interpretation of the fact that control over the behavior of ok is more critical to the functioning of the system: unfortunate choices made in ok (i.e., avoiding further tests forever) instantly make the system fail. The equal importance of check, S, and S′ reflects the fact that – although their actual roles in the system differ – they play interchangeable parts when only the functioning of the system is concerned: any two of them are needed to make the system work.

It is noteworthy that a variant of the degree of responsibility based on our notion of critical pair (and applied in reverse fashion, i.e., from violation of ϕ to satisfaction of ϕ) would not be able to distinguish check, ok, S, and S′ as it evaluates to / for each of these states. Roughly speaking, the degree of responsibility only takes a minimal critical pair into account, whereas the importance computes a weighted average over the size of all critical pairs that a state belongs to. The rationale for this is that belonging to many critical pairs makes the state less dependent on behavior outside of its control, and hence more powerful.

The construction of the importance value as outlined above gives rise to the following three complexity problems that we study in this paper for a wide range of specifications. The value problem consists in determining if a subset of states of a given Kripke structure can guarantee that the specification is respected when the other states act in an adversarial way. The importance problem is the problem of computing the actual importance value. Finally, the usefulness problem asks whether a state of a system has positive importance, i.e., whether its behavior has any influence at all on the satisfaction of the specification. In fact we define the importance value in the presence of a prescribed partition of the state space, and study the complexity problems in this generalized setting. This allows us to capture more realistic scenarios such as the importance of a system component in a composite architecture.

Table I summarizes the complexity results obtained throughout the paper. We write ∈ C when the problem is in class C and we do not have a matching lower bound, and just C when the problem is C-complete. Since our examinations spread over a wide range of specifications, our results crucially rely on a diverse game-theoretic toolkit.

The paper is split into three parts: In the first part we define the notions in the general setup of turn-based two-player games on finite graphs. Then we apply these notions in order to define the importance on Kripke structures with respect to LTL specifications, and finally we look at the case of CTL specifications on modal transition systems. The proofs missing in the main document due to space constraints can be found in the appendix.

A. Related work
The complexity of computing the aforementioned degree of responsibility was examined for the general class of structural equation models in [4] and for Boolean circuits in [1]. They are closely related to the complexity results about deciding causality [12], [13].

Our work ties into a ubiquitous quest for powerful explanations of model-checking results. If a system satisfies a specification, then coverage estimation has been used to analyze which parts of the system are essential for the successful verification result [14]–[17]. As in the definition of the degree of responsibility, the idea is to apply small changes to the system (mutants) and check the resulting effect on the specification. Vacuity detection, on the other hand, applies the principle of small changes to the specification [18]–[20]. This strand of research aims at checking whether the specification is satisfied in an undesired, trivial fashion (typically due to insufficient modeling of the system). Coverage and vacuity have been shown to exhibit a formal duality [21], and recent work on the subject is dedicated to analyzing network formation games [22].

In the case of an unsuccessful verification process, one of the powerful features of many model checking approaches is the ability to generate a counterexample [23]. In order to extract further diagnostic information, there has been extensive work on localizing errors in faulty traces [24]–[29]. Typically, one compares an erroneous trace with a successful one that lies nearby with respect to a suitable metric. Early detection of error traces has been investigated in [30], where a game-like description close to ours between a system module and its environment has been used. Work on explaining counterexamples using the notion of causality from [1] has been presented in [31].

Although the Shapley value is a classical solution concept in economics, it has recently received considerable attention in the computer science literature. Shapley-like values have been used as explanations for machine learning models, where they estimate the impact of the input parameters on the outcome [32]–[34]. They have also been employed as a means by which centrality in networks can be measured [35] or responsibilities can be assigned in game-like structures [36]. Computational approaches for the Shapley value are given in [37]–[40]. For a variety of recent results and applications of Shapley values we refer to [41].

TABLE I. A summary of the results on the complexity of the value, usefulness and importance problems for various types of specifications.

Specification: Büchi | Rabin | Streett | Parity | Explicit Muller
Value: P [6] | NP [7] | coNP [7] | ∈ NP ∩ coNP [8] | P [9] [6]
Usefulness: NP (Prop. IV.5) | Σ P (Prop. IV.8) | Σ P (Cor. IV.10) | NP (Prop. IV.5) | NP (Prop. IV.5)
Importance: NP (Thm. IV.9) | NP (Cor. IV.10)

Specification: Emerson-Lei | LTL | 2-turn CTL | Concurrent CTL
Value: PSPACE [10] | 2EXPTIME [11] | Σ P (Prop. V.2) | ∈ EXPTIME (Rmk. 8)
Usefulness: PSPACE (Thm. IV.7) | 2EXPTIME (Thm. IV.3) | Σ P (Prop. V.3) | ∈ EXPTIME (Rmk. 8)
Importance: PSPACE (Thm. IV.7) | 2EXPTIME (Thm. IV.3) | Σ P (Thm. V.4) | ∈ EXPTIME (Rmk. 8)

II. PRELIMINARIES
A. Words and structures

a) Words and trees: Let $A$ be an alphabet. We denote by $A^*$ (resp. $A^\omega$) the set of finite (resp. infinite) words over $A$. Given a word $w$, we write $|w|$ for its length and, for all $i < |w|$, we write $w_i$ for the $i$-th letter of $w$. An infinite tree $t$ over $A$ is a prefix-closed subset of $A^*$ such that for all $p \in t$, there exists $a \in A$ such that $pa \in t$. The set of sons of a node $p$ of the tree $t$ is denoted by $\mathrm{Sons}_t(p) = pA \cap t$.

b) Kripke structures: A Kripke structure $K$ is a 5-tuple $(S, AP, \Delta, init, \lambda)$ where $S$ is a finite set of states, $AP$ is a finite set of atomic propositions, $\Delta \subseteq S \times S$ is a set of transitions, $init$ is an initial state and $\lambda : S \to 2^{AP}$ is a labeling function. For every $s \in S$, we define its image by $\Delta$ as $\Delta(s) = \{t \in S \mid (s, t) \in \Delta\}$, and we always assume $\Delta(s)$ to be nonempty for all $s$. A run of a Kripke structure $K = (S, AP, \Delta, init, \lambda)$ is an infinite sequence $r \in S^\omega$ such that for all $i \in \mathbb{N}$, we have $(r_i, r_{i+1}) \in \Delta$. To every run $r$ we can associate a trace, which is the sequence of labelings $\lambda(r_0)\lambda(r_1)\cdots$. The set of runs of $K$ is denoted by $R(K)$ while the set of traces it generates is called $L(K)$.

c) Modal transition systems: A modal transition system (MTS) [42] $M$ is a 6-tuple $(S, AP, \Delta_{may}, \Delta_{must}, init, \lambda)$ where $S$ is a finite set of states, $AP$ is a set of atomic propositions, $\Delta_{must}, \Delta_{may} \subseteq S \times S$ are sets of transitions such that $\Delta_{must} \subseteq \Delta_{may}$, $init \in S$ is an initial state and $\lambda : S \to 2^{AP}$ is a labeling function. We assume $\Delta_{must}(s)$ to be nonempty for every state $s$. We call a Kripke structure $K = (S, AP, \Delta, init, \lambda)$ an implementation of $M$ if $\Delta_{must} \subseteq \Delta \subseteq \Delta_{may}$. This is in contrast to other works in the modal transition system literature, which usually consider more general notions of implementation based on refinement relations (see [43] for a recent overview).

B. Temporal logics

We now define the syntax of the two logics we will consider in this paper, LTL and CTL. For the semantics and basic properties of these logics we refer the reader to [44] or [45].

a) Linear temporal logic: The formulas of LTL are given by the grammar

$$\varphi ::= a \mid \varphi \lor \varphi \mid \lnot \varphi \mid X\varphi \mid \varphi\, U\, \varphi$$

with $a$ ranging over a finite set of atomic propositions $AP$. LTL formulas are evaluated on infinite words over $AP$. We extend the set of operators with $\top$, $\bot$, $\land$, $F$, $G$ and $R$ in the usual way.

b) Computation tree logic: The syntax of CTL is defined by the grammar

$$\varphi ::= a \mid \varphi \lor \varphi \mid \lnot \varphi \mid EX\varphi \mid E\,\varphi\, U\, \varphi \mid A\,\varphi\, U\, \varphi$$

with $a$ ranging over a finite set of atomic propositions $AP$. CTL formulas are evaluated on infinite trees over $AP$. We extend the set of operators with $\top$, $\bot$, $\land$, $EF$, $EG$, $ER$, $AX$, $AR$, $AF$ and $AG$ in the usual way.

C. Games on graphs

A directed graph $G$ is a pair $(V, E)$ with $V$ a set of vertices and $E \subseteq V \times V$ a set of edges. An arena is a tuple $(G, V_{Sat}, V_{Unsat})$ with $G$ a graph and $V_{Sat}, V_{Unsat}$ a partition of its vertices. We say that the vertices of $V_{Sat}$ belong to player Sat, or are controlled by player Sat (and similarly for Unsat).

A game $G$ is defined by an arena $((V, E), V_{Sat}, V_{Unsat})$, an initial vertex $init \in V$ and a winning condition (also called objective) $\Omega \subseteq V^\omega$. As we will often use Kripke structures and modal transition systems to construct games, we will often refer to vertices as states and edges as transitions.

For more information on infinite games played on finite graphs we refer to [46]. In particular, we will use several classical winning conditions on such games, whose definitions can be found in [46, Chapter 2].

D. Complexity classes

We consider mostly well-known and classical complexity classes, a description of which can be found, e.g., in [47]. We use logarithmic space reductions for the decision problems and Turing reductions for the counting complexity classes.

III. A GENERAL DEFINITION OF IMPORTANCE IN TWO-PLAYER GAMES
Let $G$ be a two-player game between Sat and Unsat on an arena $((V, E), V_{Sat}, V_{Unsat})$. Let $\Omega \subseteq V^\omega$ be Sat’s objective (i.e. the set of plays of $G$ she wins). In order for the game to be determined, we assume $\Omega$ to be a Borel set.

We start by defining a general notion of importance of a state (or a set of states, in a given partition), which is a measure of how much a state contributes towards Sat winning the game. In other words, if Sat is restricted to controlling only some of her states (for example, due to resource constraints) she should opt to control the ones with high importance in order to win the game.

Definition III.1. For all sets of states $V'_{Sat} \subseteq V_{Sat}$, we define $G_{V'_{Sat}}$ as the game between Sat and Unsat played on the arena $(G, V'_{Sat}, V \setminus V'_{Sat})$, with $G$ the graph of $G$ and the same objective $\Omega$ for Sat.

Definition III.2 (Value of state subset). For all sets of states $V'_{Sat} \subseteq V_{Sat}$, we define the value of the set $V'_{Sat}$ as

$$val(V'_{Sat}) = \begin{cases} 1 & \text{if Sat has a winning strategy for } G_{V'_{Sat}} \\ 0 & \text{if Unsat has a winning strategy for } G_{V'_{Sat}} \end{cases}$$

Note that the value is defined with respect to a game, but that game does not appear in the notation as we will always make it clear from context. The value is well-defined for all $V'_{Sat}$ as we assumed the objective to be a Borel set, thus the game is determined.

With the definition of value of a subset of states, we are in the position of defining the importance of a state. This definition corresponds to the classical formula for the Shapley value [5]. In our context it can be explained as follows: for a given state $v$, it counts the number of orderings of the states in $V_{Sat}$ such that if Sat gives up control of her states one by one in that order, then Sat loses the game for the first time after giving up $v$. The number obtained is then divided by the total number of such orderings. We can also look at this definition from a probabilistic point of view: The importance of a state $v$ is the probability that, if Sat gives up control of the states sequentially in an order drawn uniformly at random, the first time Sat is no longer able to win the game is when she gives up control of $v$. This is what we call switching in Definition III.3 below.

Definition III.3 (Importance). The importance for Sat of a state $v \in V_{Sat}$ with respect to a game $G$ on an arena $((V, E), V_{Sat}, V_{Unsat})$ is defined as

$$I(v) = \frac{1}{n!} \sum_{\pi \in \Pi_{V_{Sat}}} val(V_{\pi \geq v}) - val(V_{\pi \geq v} \setminus \{v\})$$

where $n = |V_{Sat}|$, $\Pi_{V_{Sat}}$ is the set of bijections from $V_{Sat}$ to $\{1, \dots, n\}$, and $V_{\pi \geq v} = \{v' \in V_{Sat} \mid \pi(v') \geq \pi(v)\}$.

Given a bijection $\pi : V_{Sat} \to \{1, \dots, n\}$ we say that $v$ is switching the value in $\pi$ if we have $val(V_{\pi \geq v}) = 1$ and $val(V_{\pi \geq v} \setminus \{v\}) = 0$.

An equivalent definition, obtained by deleting the null terms from the sum, is obtained through the notion of critical pair. A pair $(v, T) \in V_{Sat} \times 2^{V_{Sat}}$ is critical if $val(T \cup \{v\}) = 1$ and $val(T) = 0$. Then we set

$$I(v) = \frac{1}{n!} \sum_{(v,T)\ \text{critical}} (|T|)!\,(n - |T| - 1)!$$

as $(|T|)!\,(n - |T| - 1)!$ is the number of $\pi \in \Pi_{V_{Sat}}$ such that $V_{\pi \geq v} \setminus \{v\} = T$.

Remark 1. Let $v, v'$ be two states of $G$. If for all $T \subseteq V_{Sat}$ such that $v \in T$ and $v' \notin T$, we have $val(T) = 0$, then $I(v) \leq I(v')$.

We now assume that we are given a partition $V_1, \dots, V_n$ of $V_{Sat}$. We generalize the previous definitions in a straightforward manner. In all of our complexity proofs we will show the lower bounds for the previous case (in which states are partitioned in singletons) and the upper bounds for the general case. Thus all complexity results hold for both cases.
Definition III.4 (Importance for partitions). The importance for Sat of a set of states $V_i$ with $1 \leq i \leq n$ is defined as

$$I(V_i) = \frac{1}{n!} \sum_{\pi \in \Pi_n} val(V_{\pi \geq i}) - val(V_{\pi \geq i} \setminus V_i)$$

where $\Pi_n$ stands for the set of permutations of $\{1, \dots, n\}$, and

$$V_{\pi \geq i} = \bigcup_{\substack{1 \leq j \leq n \\ \pi(j) \geq \pi(i)}} V_j$$

We define a pair $(i, J) \in \{1, \dots, n\} \times 2^{\{1, \dots, n\}}$ to be critical if $val(\bigcup_{j \in J \cup \{i\}} V_j) = 1$ and $val(\bigcup_{j \in J} V_j) = 0$. Then we have:

$$I(V_i) = \frac{1}{n!} \sum_{(i,J)\ \text{critical}} |J|!\,(n - |J| - 1)!$$

Now let us show some basic results stating that parts with importance 0 can be ignored in the computation of the importance of the other parts.

Remark 2. Let $1 \leq i \leq n$. If $I(V_i) = 0$ then there is no $J \subseteq \{1, \dots, n\}$ such that $(i, J)$ is critical. As a consequence, for all $J \subseteq \{1, \dots, n\}$, $val(\bigcup_{j \in J} V_j) = val(\bigcup_{j \in J \cup \{i\}} V_j)$. This means that if $I(V_i) = 0$, then Sat can always give up control of states $V_i$ without any effect on whether she wins the game.

Lemma III.5 (Restriction to useful parts). Let $I \subseteq \{1, \dots, n\}$ be such that for all $j \notin I$, $I(V_j) = 0$. Then we have for all $i \in I$

$$I(V_i) = \frac{1}{|I|!} \sum_{\pi \in \Pi_I} val(V_{\pi \geq i}) - val(V_{\pi \geq i} \setminus V_i),$$

with $\Pi_I$ the set of bijections from $I$ to $\{1, \dots, |I|\}$.

Proof. For all $\pi \in \Pi_n$, let us denote by $\pi|_I : I \to \{1, \dots, |I|\}$ the bijection such that for all $i, j \in I$, $\pi(i) < \pi(j)$ if and only if $\pi|_I(i) < \pi|_I(j)$.

Note that for all $i \in I$ and $\pi \in \Pi$ we have

$$V_{\pi \geq i} \setminus V_{\pi|_I \geq i} \subseteq \bigcup_{j \in \{1, \dots, n\} \setminus I} V_j.$$

As a consequence, $val(V_{\pi \geq i}) = val(V_{\pi|_I \geq i})$, using Remark 2. Similarly we get $val(V_{\pi \geq i} \setminus V_i) = val(V_{\pi|_I \geq i} \setminus V_i)$. This allows us to rewrite the importance of $V_i$ as

$$\begin{aligned}
I(V_i) &= \frac{1}{n!} \sum_{\pi \in \Pi_n} val(V_{\pi \geq i}) - val(V_{\pi \geq i} \setminus V_i) \\
&= \frac{1}{n!} \sum_{\pi \in \Pi_n} val(V_{\pi|_I \geq i}) - val(V_{\pi|_I \geq i} \setminus V_i) \\
&= \frac{1}{n!} \sum_{\pi' \in \Pi_I} \frac{n!}{|I|!} \cdot \left( val(V_{\pi' \geq i}) - val(V_{\pi' \geq i} \setminus V_i) \right) \\
&= \frac{1}{|I|!} \sum_{\pi' \in \Pi_I} val(V_{\pi' \geq i}) - val(V_{\pi' \geq i} \setminus V_i)
\end{aligned}$$

as for all $\pi' \in \Pi_I$ there are $\frac{n!}{|I|!}$ permutations $\pi \in \Pi_n$ such that $\pi|_I = \pi'$. □

Corollary III.6. Just as in Definition III.4, by deleting the null terms from the sum we can rewrite the sum from Lemma III.5. Let $I \subseteq \{1, \dots, n\}$ be such that for all $j \notin I$, $I(V_j) = 0$. Then we have

$$I(V_i) = \frac{1}{|I|!} \sum_{\substack{(i,J)\ \text{critical} \\ J \subseteq I}} (|J|)!\,(n - |J| - 1)!$$

for all $i \in I$.

We will also need the following lemma, stating that the importance of a part of a system remains unchanged when the specification is replaced with its complement.

Lemma III.7 (Complement objective). Let $\overline{G}$ be the game with the same arena and transitions as $G$ but the complement objective $\overline{\Omega} = V^\omega \setminus \Omega$. Then for all $1 \leq i \leq n$, the importance of $V_i$ is the same for games $G$ and $\overline{G}$.

Proof. For all $S \subseteq V$ let $\overline{val}(S)$ be the value of $S$ in $\overline{G}$ and let $\overline{I}(V_i)$ be the importance of $V_i$ in $\overline{G}$. For all permutations $\pi \in \Pi_n$ let $\tilde{\pi}$ be the mirror permutation, such that for all $1 \leq i \leq n$, $\tilde{\pi}(i) = \pi(n + 1 - i)$. As the function associating its mirror to each permutation is a bijection from $\Pi_n$ to itself, we can rewrite $\overline{I}(V_i)$ as

$$\overline{I}(V_i) = \frac{1}{n!} \sum_{\pi \in \Pi_n} \overline{val}(V_{\tilde{\pi} \geq i}) - \overline{val}(V_{\tilde{\pi} \geq i} \setminus V_i)$$

As $V_{\tilde{\pi} \geq i} = V \setminus (V_{\pi \geq i} \setminus \{i\})$, we have

$$\overline{val}(V_{\tilde{\pi} \geq i}) = 1 - val(V_{\pi \geq i} \setminus V_i) \quad \text{and} \quad \overline{val}(V_{\tilde{\pi} \geq i} \setminus V_i) = 1 - val(V_{\pi \geq i})$$

As a result, for all $\pi \in \Pi_n$,

$$val(V_{\pi \geq i}) - val(V_{\pi \geq i} \setminus V_i) = \overline{val}(V_{\tilde{\pi} \geq i}) - \overline{val}(V_{\tilde{\pi} \geq i} \setminus V_i)$$

Finally, we obtain

$$\overline{I}(V_i) = \frac{1}{n!} \sum_{\pi \in \Pi_n} val(V_{\pi \geq i}) - val(V_{\pi \geq i} \setminus V_i) = I(V_i)$$

□

We now define the four computational problems which we will study throughout this paper. The three first are decision problems, the fourth is a counting one:
Value problem
Input: A game $G$, a subset $V'_{Sat} \subseteq V_{Sat}$
Output: Do we have $val(V'_{Sat}) = 1$?

Usefulness problem
Input: A game $G$, a partition $V_1, \dots, V_n$ of the states, an index $i$
Output: Do we have $I(V_i) > 0$?

Importance threshold problem
Input: A game $G$, a partition $V_1, \dots, V_n$ of the states, an index $i$, $\eta \in \mathbb{Q}$
Output: Do we have $I(V_i) > \eta$?

Importance computation problem
Input: A game $G$, a partition $V_1, \dots, V_n$ of the states, an index $i$
Output: $n! \cdot I(V_i)$

The way the game is encoded is left open at this point, as it will depend on the specific kind of game in question, especially when it comes to the encoding of the objective.

The two importance problems characterize the complexity of computing the importance of a state in a game. We will generally use the counting problem, except in cases where the complexity class obtained is more natural for the threshold version. For instance, if verifying some condition is already EXPTIME-complete, then we want to say that the problem of computing how many elements of a set of exponential size respect that condition is also EXPTIME-complete. However in order to do that we have to formulate the problem as a decision one. For the importance computation problem, the multiplication by $n!$ ensures that the output is always an integer, which is necessary in order for this to be a counting problem.

The usefulness problem is a restricted version of the importance threshold problem, only focusing on whether some part of the system may become necessary to the satisfaction of the specification when some other parts malfunction. A similar problem for voting games, called the pivot problem, has been studied in [48].

IV. IMPORTANCE VALUES IN LTL

We now apply the theory developed in the preceding section to linear time specifications in Kripke structures. It turns out that the three decision problems defined above are 2EXPTIME-complete for LTL specifications. As this renders practical applications essentially impossible, we then go on to investigate the problems when specifications are restricted to fragments of LTL, for which we obtain more tractable complexity classes.
A. The full logic
Let $K = (S, AP, \Delta, init, \lambda)$ be a Kripke structure and $\varphi$ an LTL formula over $AP$.

Definition IV.1. Given a subset of states $V_{Sat} \subseteq S$, let $G_{V_{Sat}}$ be the game between players Sat and Unsat over the arena $((S, \Delta), V_{Sat}, V_{Unsat})$ with $V_{Unsat} = S \setminus V_{Sat}$. The winning condition for player Sat is the set of runs of $K$ whose labeling satisfies $\varphi$, i.e. $\{r \in R(K) \mid \lambda(r) \models \varphi\}$. The value $val(V_{Sat})$ of $V_{Sat} \subseteq S$ is then defined as the value of $V_{Sat}$ in the game $G_{V_{Sat}}$ (see Definition III.2).

Note that if one of the players owns all the states, then the game comes down to that player selecting a run in the structure. As a consequence, $val(S) = 1$ if and only if $K$ has a run satisfying $\varphi$, and $val(\emptyset) = 1$ if and only if all runs in $K$ satisfy $\varphi$.

Definition IV.2. Given a partition $S_1, \dots, S_n$ of $S$, we define the importance of a set of states $S_i$ with respect to LTL formula $\varphi$ as the importance of $S_i$ in game $G_S$ under the same partition (see Definition III.4).

A straightforward telescope sum argument shows that $\sum_{i=1}^{n} I(S_i) = val(S) - val(\emptyset)$. Therefore we have $\sum_{i=1}^{n} I(S_i) = 1$ if and only if there exists a run in $K$ that satisfies $\varphi$, but not all runs satisfy $\varphi$. Otherwise the sum is 0.

The intuition behind these definitions is that the value of a subset of states is 1 if its elements can cooperate to guarantee the satisfaction of the specification no matter how the other states behave. The importance of a state is high if it is critical in small teams, or numerous teams. We now illustrate our importance notion with a number of examples.

Example 1. Let us first consider the examples given in the introduction and depicted in Figure 1, with states partitioned into singletons. Again we consider the specification ϕ = GF check ∧ FG ¬fail, and we begin with the left-hand system involving only a single server S. Then Sat wins the game $G_{V_{Sat}}$ if and only if $\{S, ok\} \subseteq V_{Sat}$: if Sat is not in control of S, then she can respond fail forever, and if Sat is not in control of ok, then she can avoid further checks forever. Thus (S, {ok}) and (ok, {S}) are the only critical pairs, and it is straightforward to compute I(ok) = I(S) = 1/ .

Next consider the right-hand example of Figure 1 involving two servers S and S′. In this case Sat wins the game $G_{V_{Sat}}$ if and only if $ok \in V_{Sat}$ and $|\{S, S', check\} \cap V_{Sat}| \geq 2$. Namely, in this case ok can initiate infinitely many checks; if both servers can be controlled to respond correctly, then this automatically results in infinitely many successful checks, and if one server and check can be controlled, then check can choose the functioning server infinitely often. From this it is obvious that I(fail) = 0, so fail can be ignored by Lemma III.5, and hence n = 4. Each v ∈ {S, S′, check} belongs to two critical sets (v, T), where |T| = 2, and so I(v) = 1/ . On the other hand, ok belongs to three such critical sets and one calculates I(ok) = 1/ .

Example 2. In the three following examples we consider ϕ = aUb, and the states are partitioned into singletons.

[Fig. 2. Kripke structure of Example 2 (1), where atomic propositions are displayed in blue, and importance values for ϕ = aUb. State labels: {a}, {a}, {a}, ∅, {b}. Importance values: I(0) = 0, I(1) = 1/ , I(2) = 1/ , I(3) = 0, I(4) = 0.]

(1) In the example of Figure 2 if and belong to Sat then as every game starts with the transition from to , she can then go from to and then to , satisfying the specification. However if belongs to Unsat, then Unsat can win by indefinitely going back to from . Similarly, if belongs to Unsat, then he can win by going from to if the game reaches , leaving no possibility for Sat to satisfy aUb. As a result, a set of states will allow Sat to win if and only if it contains and , thus will be the one switching the value from to whenever it appears before in a permutation. This happens in half of the permutations, thus state has importance / (see Definition III.3 for what we mean by switching the value). Similarly, also has importance / .

[Fig. 3. Kripke structure of Ex. 2 (2) and importance values for ϕ = aUb. State labels: {a}, {a}, {a}, ∅, {b}. Importance values: I(0) = 1/ , I(1) = 1/ , I(2) = 2/ , I(3) = 0, I(4) = 0.]

(2) In the example of Figure 3 one can check that a set of states is allowing Sat to win if and only if it contains and either or . Then will be the one switching the value in permutations where it appears before either or , i.e. in / of the permutations. In the other permutations the one switching the value is the second one to appear between and .

[Fig. 4. Kripke structure of Ex. 2 (3) and importance values for ϕ = aUb. State labels: {a}, {a}, {a}, ∅, {b}. Importance values: I(0) = 1/ , I(1) = 1/ , I(2) = 1/ , I(3) = 0, I(4) = 0.]

(3) In the example of Figure 4 one can check that a set of states allows Sat to win if and only if it contains at least two out of the three states , , . Then, the one switching the value will be the second one to appear in a permutation. As a result each one of the three will be the one switching the value in / of the permutations.

We start our complexity results with the general case of an LTL specification. The complexities of the problems we consider are inferred from the 2EXPTIME-completeness of solving LTL games [11], which is inherited by the value problem.
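The following added example (not code from the paper) computes importance values for ϕ = aUb both from Definition III.3 and from the critical-pair formula. The five-state Kripke structure, its transition relation and all function names are assumptions constructed for illustration; it is not one of the structures of Figures 2–4.

```python
from fractions import Fraction
from itertools import combinations, permutations
from math import factorial

# Constructed Kripke structure (an assumption of this example, not one of the
# paper's figures): state -> label set, state -> successor set, initial state 0.
LABELS = {0: {"a"}, 1: {"a"}, 2: {"a"}, 3: set(), 4: {"b"}}
DELTA = {0: {1, 2, 3}, 1: {3, 4}, 2: {3, 4}, 3: {3}, 4: {4}}
INIT = 0
STATES = sorted(DELTA)


def value(controlled):
    """val(T) for phi = a U b: 1 if Sat, controlling exactly the states in
    `controlled`, can force a U b from INIT against Unsat; 0 otherwise."""
    controlled = set(controlled)
    win = {s for s in STATES if "b" in LABELS[s]}  # b already holds here
    changed = True
    while changed:  # least fixpoint over a-states from which Sat forces `win`
        changed = False
        for s in STATES:
            if s in win or "a" not in LABELS[s]:
                continue
            hits = [t in win for t in DELTA[s]]
            # Sat needs one good successor, Unsat must have no escape.
            forced = any(hits) if s in controlled else all(hits)
            if forced:
                win.add(s)
                changed = True
    return 1 if INIT in win else 0


def importance_by_orders(v):
    """Definition III.3: average over all orders in which Sat gives up states."""
    total = 0
    for order in permutations(STATES):
        kept = set(order[order.index(v):])  # V_{pi >= v}: v and all later states
        total += value(kept) - value(kept - {v})
    return Fraction(total, factorial(len(STATES)))


def critical_pairs(v):
    """All sets T with val(T | {v}) = 1 and val(T) = 0."""
    others = [s for s in STATES if s != v]
    return [set(T) for k in range(len(others) + 1)
            for T in combinations(others, k)
            if value(set(T) | {v}) == 1 and value(T) == 0]


def importance_by_critical_pairs(v):
    """Same value from critical pairs: each pair (v, T) is weighted by the
    number of orders pi for which V_{pi >= v} without v equals T."""
    n = len(STATES)
    total = sum(factorial(len(T)) * factorial(n - len(T) - 1)
                for T in critical_pairs(v))
    return Fraction(total, factorial(n))


def useful(v):
    """Usefulness problem: does v have positive importance?"""
    return bool(critical_pairs(v))


if __name__ == "__main__":
    for s in STATES:
        print(s, importance_by_orders(s), importance_by_critical_pairs(s), useful(s))
```

In this constructed structure Sat wins exactly when she controls state 0 and at least one of states 1 and 2, so the enumeration over all 5! orders is feasible only because the state space is tiny.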
Theorem IV.3. The usefulness and importance threshold problems for LTL with respect to Kripke structures are 2EXPTIME-complete. Further, one can compute the importance of a set of states in doubly exponential time.

Proof sketch. The upper bound comes from the 2EXPTIME upper bound on solving LTL games and the fact that enumerating exponentially many permutations still stays within that class. The idea for the lower bound is to reduce the problem of solving an LTL game to the usefulness problem (with states partitioned into singletons). We consider an LTL game with states split between $V_{Sat}$ and $V_{Unsat}$. We add states $c_s$, $c_u$ and $t$ which are visited at the beginning of the game, and we add transitions from $c_s$ to states of $V_{Unsat}$ and $c_u$ to states of $V_{Sat}$. Finally, we add a sink state and a transition to it from every state. See Figure 5 for an illustration.

Let $T$ be a set of states of the game and assume that one of the states of $V_{Sat}$ is not in $T$. Then we encode in the specification that Unsat can win by jumping from $c_u$ to that state and then to sink, making Sat lose with both $T$ and $T \cup \{t\}$. Similarly we ensure that in order for $(t, T)$ to be critical, $T$ has to be disjoint from $V_{Unsat}$. The only case in which $(t, T)$ can be critical is then the case where states are correctly distributed between the players, and the usefulness of $t$ is then equivalent to Sat winning the original game. □

[Fig. 5. Illustration for the proof of Theorem IV.3. Every state has a transition to a sink state which is not shown here.]
B. Fragments of LTL
Considering the high complexity of the computation of the importance in the case of LTL, we now look at fragments of the logic in order to get more tractable problems. We therefore explore several classical winning conditions which can be expressed as LTL formulas. The value problem over Kripke structures with respect to some kind of specification is precisely the problem of deciding the winner of a game on a finite graph with such a specification as winning condition.

For the usefulness and importance problems, if the value problem has a complexity at least PSPACE, we can enumerate permutations of states while keeping the same complexity. However, if the value problem is for instance in P or NP, then the complexity of the usefulness and importance problems is more involved.

Below, we study various types of winning conditions. We start with the basic case of reachability conditions, which allows us to also prove tight complexity bounds for Büchi, Muller and parity conditions. We consider here explicit Muller conditions, i.e., the condition is encoded as a list of sets of states. Muller conditions are sometimes encoded in more concise forms, such as a coloring function. We will give the complexity of that version as a consequence of the Emerson-Lei case, studied later in the paper.
Proposition IV.4. The value problems for reachability, Büchi and explicit Muller conditions are P-complete.

Proof. Reachability, Büchi and explicit Muller conditions are all known to be in P [9]. Furthermore, solving reachability games is known to be P-hard [6]. As we can encode the reachability condition reaching f in all three winning conditions we consider here, we obtain P-hardness for those conditions.

Remark 3. Solving games with parity conditions is in NP ∩ coNP [8], but tight complexity bounds are not known, thus the same can be said about the value problem for parity conditions.
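The following Python code is an added example, not code from the paper: it solves the value problem for a reachability condition with the standard attractor computation, then obtains importance values and usefulness witnesses by brute-force enumeration of permutations and subsets. The five-state Kripke structure is constructed for illustration (every state gets a transition to a sink, the device used in the proofs of this section), and the coalition for a permutation is taken to be a block together with the blocks that come after it, which is an assumed reading of the importance formula.

```python
from fractions import Fraction
from itertools import combinations, permutations

# Constructed Kripke structure (an assumption, not one of the paper's figures).
# State 3 is the target f, state 4 is the sink, state 0 is initial.
SINK, TARGET, INIT = 4, 3, 0
EDGES = {0: {1, 2}, 1: {3}, 2: {3}, 3: {3}, 4: {4}}
# Every state also has a transition to the sink.
SUCC = {s: succ | {SINK} for s, succ in EDGES.items()}
# Partition of the states into singletons S_0, ..., S_4.
PARTITION = [frozenset({s}) for s in sorted(SUCC)]


def value(v_sat):
    """val(V_Sat) for the reachability condition 'reach TARGET'.

    Sat picks the successor in states of v_sat, Unsat elsewhere. The value
    is 1 iff INIT lies in Sat's attractor of TARGET, a least fixed point
    computed in polynomial time.
    """
    attractor = {TARGET}
    changed = True
    while changed:
        changed = False
        for state, succ in SUCC.items():
            if state in attractor:
                continue
            if state in v_sat:      # Sat needs one good successor
                pulled = any(t in attractor for t in succ)
            else:                   # Unsat must have no escape
                pulled = all(t in attractor for t in succ)
            if pulled:
                attractor.add(state)
                changed = True
    return 1 if INIT in attractor else 0


def union(blocks):
    return frozenset().union(*blocks)


def importance(i, partition=PARTITION):
    """Average over all orderings of the marginal contribution of block i.

    Assumed reading: the coalition is block i plus all blocks placed after
    it in the permutation; block i 'switches the value' when the coalition
    wins with it and loses without it.
    """
    total = count = 0
    for perm in permutations(range(len(partition))):
        pos = perm.index(i)
        later = union(partition[j] for j in perm[pos + 1:])
        total += value(later | partition[i]) - value(later)
        count += 1
    return Fraction(total, count)


def useful(i, partition=PARTITION):
    """Smallest witness J with val(J) = 0 and val(J + block i) = 1, else None."""
    others = [j for j in range(len(partition)) if j != i]
    for size in range(len(others) + 1):
        for J in combinations(others, size):
            team = union(partition[j] for j in J)
            if value(team) == 0 and value(team | partition[i]) == 1:
                return J
    return None


if __name__ == "__main__":
    for i in range(len(PARTITION)):
        print(i, importance(i), useful(i))
```

In this structure Sat wins exactly with the sets containing state 0 and one of the states 1 and 2, so the subset search in `useful` is the NP guess of a usefulness witness made explicit, and the permutation loop is the exponential enumeration the complexity results refer to.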
Proposition IV.5. The usefulness problems for reachability, Büchi, parity and explicit Muller conditions with respect to Kripke structures are NP-complete.

Proof. The problem is clearly in NP in the case of reachability, Büchi or Muller conditions as one can nondeterministically guess J ⊆ { , . . . , n} and check in polynomial time whether val(⋃_{j∈J} V_j) = 0 and val(⋃_{j∈J∪{i}} V_j) = 1 hold.

For parity conditions we also have to guess positional strategies for Sat and Unsat along with J and check in polynomial time that those strategies allow Sat to win when she owns ⋃_{j∈J∪{i}} V_j and Unsat to win when Sat owns ⋃_{j∈J} V_j.

We obtain NP-hardness through a reduction from 3SAT. Let ψ = C ∧ C ∧ · · · ∧ C_k be a 3SAT instance, with C_j = (ℓ_j ∨ ℓ_j ∨ ℓ_j) for all j, and let {x , . . . , x_n} be the set of variables appearing in ψ.

We consider the Kripke structure K = (S, AP, ∆, c , λ) with states partitioned into singletons, and
• S = {f, s, sink} ∪ {c_i | ≤ i ≤ k} ∪ {ℓ^p_i | ≤ i ≤ k, ≤ p ≤ } ∪ {x′_j, ¬x′_j | ≤ j ≤ n}
• AP = {f}
• λ(f) = {f} and λ(q) = ∅ for all q ≠ f
• ∆ = {(c_i, ℓ^p_i) | ≤ p ≤ , ≤ i ≤ k}
  ∪ {(ℓ^p_i, c_{i+1}) | ≤ p ≤ , ≤ i ≤ k − }
  ∪ {(ℓ^p_k, s) | ≤ p ≤ } ∪ {(s, x′ ), (s, ¬x′ )}
  ∪ {(x′_j, x′_{j+1}), (¬x′_j, x′_{j+1}) | ≤ j ≤ n − }
  ∪ {(x′_j, ¬x′_{j+1}), (¬x′_j, ¬x′_{j+1}) | ≤ j ≤ n − }
  ∪ {(x′_n, f), (¬x′_n, f)} ∪ {(q, sink) | q ∈ S}
  ∪ {(ℓ^p_j, x′_m) | ℓ^p_j ≡ ¬x_m}

Note that every literal in the clauses has a transition towards its negation in the variables. Player Sat wins if and only if f is reached, which can be expressed as a reachability, Büchi or Muller condition. The construction can be done in logarithmic space. See Figure 6 for an illustration of the construction.

We are now going to show that state s is useful if and only if the 3SAT formula is satisfiable, thus proving NP-hardness of the usefulness problem for all four types of winning conditions.

As every state has a transition to a sink state, if at some point a state belonging to Unsat is reached before reaching f, then Sat loses. As a consequence, Sat wins with a set of states if and only if there is a path in this set of states from c to f (possibly not including f).

Suppose there exists a valuation ν satisfying ψ. We extend ν to literals in the natural way, i.e. ν(¬x_i) = ⊥ if ν(x_i) = ⊤ and ν(¬x_i) = ⊤ otherwise. Then we set

T = {x′_m | ν(x_m) = ⊤} ∪ {¬x′_m | ν(x_m) = ⊥} ∪ {ℓ^p_j | ν(ℓ^p_j) = ⊤} ∪ {c_i | ≤ i ≤ k}

Clearly there is a path from c to f in T ∪ {s}, as for all ≤ i ≤ k there is at least one ℓ^p_i satisfied by ν (and thus in T), and for all ≤ i ≤ n one of x′_i, ¬x′_i is in T. However, for all (ℓ^p_i, x′_j) ∈ ∆ (resp. (ℓ^p_i, ¬x′_j)), if ℓ^p_i ∈ T then ν(ℓ^p_i) = ⊤ thus, as ℓ^p_i ≡ ¬x_j (resp. x_j), ν(x_j) = ⊥ (resp. ⊤) and x′_j ∉ T (resp. ¬x′_j). Therefore there is no path in T from c to f.

Now suppose there exists T such that there is a path from c to f in T ∪ {s} but not in T. Then there is a path in T ∪ {s} from c to f going through s. In particular for all ≤ i ≤ n at least one of x′_i, ¬x′_i is in T. Let ν be a valuation such that for all i, if ν(x_i) = ⊤ then x′_i ∈ T and ¬x′_i ∈ T otherwise. There is also a path from c to s in T, hence for all i there is a p_i such that ℓ^{p_i}_i ∈ T. Then for all ℓ^{p_i}_i of the form x_j for some j, the state ¬x′_j cannot be in T as otherwise there would be a path from c to ℓ^{p_i}_i then to ¬x′_j and finally to f in T, not going through s. As a result we have x′_j ∈ T and thus ν(ℓ^{p_i}_i) = ν(x_j) = ⊤. By a similar argument, if ℓ^{p_i}_i = ¬x_j then ν(x_j) = ⊥. Hence for every i there is a literal in the i-th clause satisfied by ν, thus the 3SAT instance is satisfiable.

Fig. 6. Construction for (x ∨ ¬x ∨ ¬x ). All states have a transition to a sink state, not shown here.

Theorem IV.6.
The importance computation problems for reachability, Büchi, parity and explicit Muller conditions with respect to Kripke structures are -complete.

Proof sketch. The idea is to reduce the problem of counting the valuations satisfying exactly one literal of every clause of a 3SAT formula ϕ, known to be ϕ into another one ψ that is satisfied by a valuation ν if and only if ν satisfies one literal per clause in ϕ. We then reuse the construction of the usefulness proof, and notice that the set of teams of states T making (s, T) critical in the structure can be split into parts of (up to some details) equal size, each one matching a valuation satisfying the formula. Further, all such teams are of (again, up to some details) the same size. This allows us to compute the number of valuations satisfying the formula from the importance of s. □

Remark 4. One can show with nearly identical proofs that those problems keep the same complexity with co-Büchi, safety or co-safety conditions.

Now we consider not only Büchi conditions, but Boolean combinations of them, called Emerson-Lei conditions. As expected, we get an intermediate complexity between those for Büchi and LTL conditions.
Theorem IV.7. The value, usefulness and importance threshold problems for Emerson-Lei conditions are PSPACE-complete. Further, one can compute the importance of a set of states in polynomial space.

Proof sketch. As Emerson-Lei games are known to be in PSPACE, the upper bound follows easily [10]. We prove the lower bound by reduction of QSAT. We construct a structure encoding a sequence of choices of the values of the variables. We ensure that for all T, (s, T) can only be critical if T contains the states choosing the values of the existential variables and not the other ones, by making one of the players win without using s for sets T not satisfying this condition. We also ensure that Unsat wins if he owns s, thus s is useful if and only if Sat wins with s. We make players choose valuations of the variables infinitely many times, and we encode in the specification that the player owning the first variable x_i such that x_i and ¬x_i are chosen infinitely often loses. If both players play consistently, the game is decided by the satisfaction of the QSAT formula. □

Remark 5. It was proven by Hunter and Dawar that Emerson-Lei conditions are more succinct than Muller conditions encoded with a coloring of the states and a list of sets of colors [10]. As a result, the PSPACE lower bounds we obtained for Emerson-Lei transfer to these succinct Muller conditions. Hunter and Dawar also show that solving games with those Muller conditions is PSPACE-complete, from which we can easily infer the PSPACE-completeness of the value, usefulness and importance threshold problem for this type of condition.

We continue our exploration with a more complicated case, the Rabin and Streett conditions. We treat both cases simultaneously as they are symmetric.
Remark 6. As solving Rabin (resp. Streett) games is NP-complete (resp. coNP-complete), so is the value problem for Rabin (resp. Streett) conditions [7].

Proposition IV.8. The usefulness problem for Rabin conditions is Σ P -complete.

Proof sketch. The complete proof is in the appendix. We reduce the dual of the ∀∃ T witnessing the usefulness of the state s will encode the valuation of the first set of variables, with a trick similar to the one used in the proof of Proposition IV.5 to ensure that the encoded valuation is correct.

As Sat plays for a Rabin objective, she has a positional strategy, with which she has to choose for each clause a satisfied literal. We use the Rabin condition to make sure that Sat does not pick a literal and its negation. We also ensure that Sat wins automatically with T ∪ {s} as soon as T encodes a correct valuation, and then s is useful if and only if there exists a set of states T (i.e. a valuation of the first variables) such that for every positional strategy of Sat over T (i.e. valuation of the second variables), Sat loses the game (i.e. the formula is not satisfied). □

The theorem below uses the complexity class NP , which is the class of counting problems P such that there exists a nondeterministic polynomial-time Turing machine with an NP oracle such that the answer of P on an input is the number of accepting runs of the machine on that input.

Theorem IV.9. The importance computation problem for Rabin conditions is NP -complete.

Proof sketch. The idea is simply to observe that in the construction for Proposition IV.8, the sets of states witnessing the usefulness of s are in bijection with the valuations of the universal variables witnessing the non-validity of the ∀∃ Sat formula (up to some technical details). In the appendix we show that counting such valuations is NP -complete, from which one can infer NP -completeness of the importance computation problem. □

Corollary IV.10.
As Streett conditions are exactly the complements of Rabin ones, by Lemma III.7 and Proposition IV.8, the usefulness problem for Streett conditions is Σ P -complete. By the same argument, by Lemma III.7 and Theorem IV.9, the importance computation problem for Streett conditions is NP -complete.

V. IMPORTANCE VALUES IN CTL

We now adapt the definitions to deal with CTL specifications. A notion of degree of responsibility of a state in a Kripke structure for the satisfaction of a CTL formula was already given by Chockler, Halpern, and Kupferman [1]. While in their approach the responsibility of a state was based on the set of atomic propositions it chooses to satisfy, in ours it is based on the set of outgoing transitions it chooses to allow.

In contrast to the previous sections, CTL has the additional challenge that the formulas are evaluated on trees and not on words. The first question that arises is the nature of the nondeterministic choices in this setting. Our definitions rely on the fact that the nondeterminism of a state may be resolved in different ways by the two players. However, due to the branching time nature of CTL, directly applying this methodology does not make sense, as CTL formulas already take the nondeterminism into account. This is why we consider modal transition systems (MTS), in which there is another layer of choice: namely determining the subset of may transitions that are present in any state. Modal transition systems have been widely studied as a formalism to capture the refinement of processes from abstract specifications to concrete implementations [42], [43]. They have been extended in various ways, and the corresponding synthesis and verification problems have been considered [49]–[51].

The second, and related, issue is that letting the players construct the tree turn-by-turn runs into the problem that the order in which different branches are considered will often make a difference. In Section V-A we explain the difficulties of defining a game which allows both players to construct a tree generated by an MTS in a turn-by-turn way.

In Section V-B we define a notion of importance for CTL on MTS, which we call two-turn CTL, where both players choose once in the beginning which may-transitions they allow in the states under their control. This choice induces a Kripke structure on which the CTL formula can be evaluated. However the order in which the choices are made affects the importance values. Therefore, in Section V-C we consider also the concurrent setting in which randomized strategies become important, which we call Concurrent CTL.

Fig. 7. A modal transition system with must-transitions depicted as solid lines, and may-transitions depicted as dashed lines. Even this simplistic example illustrates the problem that has to be faced when defining turn-based CTL values (cf. Example 3). Node labels in the figure: ∅, ∅, {a}.

Throughout, let M = (S, AP, ∆_must, ∆_may, init, λ) be a modal transition system and let ϕ be a CTL formula.

A. Importance in an MTS with respect to a CTL specification
It is appealing to define a notion of importance that relies on the ability of a set of states to guarantee the satisfaction of a specification. However, in the case of CTL the fact that formulas are evaluated on trees and not on runs forbids us to make the players construct the run turn by turn, as the winning player would heavily depend on the order in which branches are constructed. We could define a success value where some sets of states are seen as neutral, meaning that this group of states cannot guarantee that the specification is satisfied, nor can its complement guarantee that the specification is unsatisfied, similarly to what was done in [52]. However we wish to define the importance as a numerical value, thus it is more practical that the success value can only be or .

One could try to use formulations of CTL model-checking in terms of turn-based games, as described for instance by Lange [53]. However this faces a major issue, illustrated by the following example.

Example 3. Consider the tautological formula EF a ∨ AG ¬a and the MTS in Figure 7. Say state belongs to Unsat. In a model-checking game, Sat would be expected to choose one of the sides of the disjunction at some point in the game and prove it. But if we do not fix the structure and allow Unsat to choose transitions after Sat has chosen a subformula, then Unsat will be able to react to the choice of Sat by allowing or not the transition from to . As a result, Unsat wins the game even though the specification is a tautology.
B. Two-turn CTL importance
The idea of two-turn importance values is that a set of states has value one if it can choose sets of outgoing transitions such that the specification is satisfied no matter which sets of outgoing transitions are chosen by the other states. This definition puts more burden on the satisfier, but matches a vision of the MTS as a way to represent a set of Kripke structures (possible implementations of a system) rather than a language of trees.
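The two-turn value just described can be computed by brute force on small systems. The Python code below is an added example, not code from the paper: it enumerates the pure strategies of both players on a constructed three-state MTS, model-checks each induced Kripke structure with a small CTL labelling routine (only the operators needed here), and also evaluates the dual game of Remark 7, read as one minus the two-turn value of the complement for ¬ϕ. The MTS, the labels a and b, and the formula EXACTLY_ONE are assumptions made for illustration.

```python
from itertools import combinations, product

# Constructed modal transition system (an assumption for illustration, not
# one of the paper's figures): must-transitions are always present, the
# may-only transitions 0->2 and 1->2 are optional.
STATES = [0, 1, 2]
INIT = 0
LABEL = {0: set(), 1: {"b"}, 2: {"a"}}
MUST = {0: {1}, 1: {1}, 2: {2}}
MAY = {0: {1, 2}, 1: {1, 2}, 2: {2}}


def sat(f, succ):
    """States of the Kripke structure `succ` that satisfy the CTL formula f."""
    op = f[0]
    if op == "true":
        return set(STATES)
    if op == "ap":
        return {s for s in STATES if f[1] in LABEL[s]}
    if op == "not":
        return set(STATES) - sat(f[1], succ)
    if op == "or":
        return sat(f[1], succ) | sat(f[2], succ)
    if op == "and":
        return sat(f[1], succ) & sat(f[2], succ)
    if op == "EX":
        goal = sat(f[1], succ)
        return {s for s in STATES if succ[s] & goal}
    if op == "EU":  # least fixed point: goal, then predecessors inside hold
        hold, result = sat(f[1], succ), sat(f[2], succ)
        while True:
            new = {s for s in hold if succ[s] & result} - result
            if not new:
                return result
            result |= new
    raise ValueError(f"unsupported operator {op!r}")


def EF(f):
    return ("EU", ("true",), f)


def AG(f):
    return ("not", EF(("not", f)))


def choices(state):
    """All transition sets T with MUST[state] <= T <= MAY[state]."""
    optional = sorted(MAY[state] - MUST[state])
    return [MUST[state] | set(extra)
            for r in range(len(optional) + 1)
            for extra in combinations(optional, r)]


def strategies(owned):
    """Pure strategies of a player: one transition set per owned state."""
    owned = sorted(owned)
    for combo in product(*(choices(s) for s in owned)):
        yield dict(zip(owned, combo))


def val_turn(v_sat, formula):
    """1 iff some Sat strategy makes formula hold at INIT against every Unsat strategy."""
    v_unsat = set(STATES) - set(v_sat)
    for sigma_sat in strategies(v_sat):
        if all(INIT in sat(formula, {**sigma_sat, **sigma_unsat})
               for sigma_unsat in strategies(v_unsat)):
            return 1
    return 0


def val_dual(v_sat, formula):
    """Dual game (Unsat commits first), assumed reading of Remark 7."""
    return 1 - val_turn(set(STATES) - set(v_sat), ("not", formula))


A = ("ap", "a")
TAUTOLOGY = ("or", EF(A), AG(("not", A)))
DIRECT = ("EX", A)                               # holds iff 0->2 is allowed
VIA_B = ("EX", ("and", ("ap", "b"), ("EX", A)))  # holds iff 1->2 is allowed
EXACTLY_ONE = ("or", ("and", DIRECT, ("not", VIA_B)),
               ("and", ("not", DIRECT), VIA_B))

if __name__ == "__main__":
    print(val_turn(set(), TAUTOLOGY), val_turn({0}, EXACTLY_ONE),
          val_dual({0}, EXACTLY_ONE))
```

Because the structure is fixed before the formula is evaluated, the tautology EF a ∨ AG ¬a has value 1 even for the empty set of states, while EXACTLY_ONE shows the order dependence: the player who commits first loses.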
Definition V.1 (Two-turn importance values). Let M = (S, AP, ∆_must, ∆_may, init, λ) be a modal transition system, let V_Sat ⊆ S and let ϕ be a CTL specification. A pure strategy for Sat is a function σ_Sat : V_Sat → ∆_may such that for all v ∈ V_Sat, ∆_must(v) ⊆ σ_Sat(v) ⊆ ∆_may(v). We define pure strategies σ_Unsat for Unsat symmetrically.

Two pure strategies σ_Sat, σ_Unsat yield a Kripke structure, whose states are the ones of M and transitions from a state are given by the strategy of the player owning that state. We call that Kripke structure K(σ_Sat, σ_Unsat).

The value val_turn(V_Sat) of V_Sat is defined as if there exists a pure strategy σ_Sat of Sat such that for all pure strategies σ_Unsat of Unsat, K(σ_Sat, σ_Unsat) satisfies ϕ, and otherwise.

The importance is defined analogously to Definition III.4: Given a partition S , . . . , S_n of S, the importance of S_i is defined as

$$I_{turn}(S_i) = \frac{1}{n!} \sum_{\pi \in \Pi_n} \mathrm{val}_{turn}(S^{\pi}_{\geq i}) - \mathrm{val}_{turn}(S^{\pi}_{\geq i} \setminus S_i).$$

Example 4. (1) Consider the formula ϕ = A (EF a) U b and the modal transition system displayed in Figure 8. Observe that the two ways in which ϕ may be violated are
• Unsat owns , and and allows transitions from to , to but not to , so that there is a path labeled {a}∅{b} to and then a single possible path looping on .
• Unsat owns and and chooses transitions so that there is no transition from to or from to .
The importance is therefore distributed as follows:

Fig. 8. MTS of Ex. 4 (1) and 2-turn importance values for ϕ = A (EF a) U b. Node labels in the figure: {a}, ∅, {b}, {a}, ∅, ∅, {a, b}. Importance values: I_turn(0) = 1/ , I_turn(1) = 1/ , I_turn(2) = 7/ , I_turn(3) = 0, I_turn(4) = 0, I_turn(5) = 1/ , I_turn(6) = 0.

(2) In the example of Fig. 9 we want to illustrate a limitation of this notion with respect to what was discussed in Section V-A. Such a mechanism can be illustrated by trying to prove AG(a ⇒ EX(EF b)) on the following structure:

Fig. 9. MTS of Ex. 4 (2) and 2-turn importance values for ϕ = AG(a ⇒ EX(EF b)). Node labels in the figure: ∅, ∅, {b}, {a, b}, {a}. Importance values: I_turn(0) = 1/ , I_turn(1) = 0, I_turn(2) = 0, I_turn(3) = 1/ , I_turn(4) = 1/ .

In the 2-turn CTL framework, Unsat wins if and only if he owns , and , in order to create a path to but no transition from to . Thus in any ordering of the states the last one between , and will be the one switching the value.

However one might want to design a richer model in which we would also give the victory to Unsat when he owns either , and or , and . The reason is that after allowing the transition from to at the start, we would like to let Unsat delete it. Then Unsat can not allow the transition from to , and ensure that there is no path from to . Therefore there is no path from a successor of reaching a state labeled b. This version would yield an importance of / for and / for , and .

This observation motivates the study of turn-based definitions of CTL importance in MTS for restricted sets of formulas. We will not investigate it further in this paper, focusing instead on the two definitions of CTL importance we propose here.

In the appendix we prove the following results. The hardness proofs consist in encoding choices of valuations of variables in SAT formulas as the players’ choices of transitions.

Proposition V.2.
The value problem for two-turn CTL is Σ P -complete.

Proposition V.3. The usefulness problem for two-turn CTL is Σ P -complete.

Theorem V.4. The importance computation problem for two-turn CTL is Σ P -complete.

Remark 7. We can define a dual game, in which Unsat plays first, and then Sat. While in the former game Sat was at a disadvantage, in this version Unsat is, as he is the one who has to choose his strategy without knowing the adversary’s. Let M be an MTS with a set of states S, let V_Sat ⊆ S and let ϕ be a specification, the value of V_Sat with respect to ϕ in the game where Unsat starts is − val_turn(S \ V_Sat) with val_turn(V_Sat) the value of V_Sat with respect to ¬ϕ in the game where Sat starts. From this one infers easily that the value problem for the game where Unsat starts is Π P -complete and that, by an argument similar to the proof of III.7, the usefulness problem is Σ P -complete and the importance computation problem Σ P -complete.

C. Concurrent CTL importance
The previous version of the game breaks the symmetry between the two players: We have to pick either Sat or Unsat to play first (we chose Sat in the definition above). One may prefer a version of this game in which we do not give any such advantage to a player.

We now introduce a concurrent game, in which both players choose a mixed strategy, in the form of a distribution over all the possible choices of sets of transitions from their respective states. The value of a set of states is the highest probability such a mixed strategy can guarantee for Sat with this set of states. The Nash theorem guarantees the existence of a Nash equilibrium, which means that the highest probability a set of states can achieve for Sat is one minus the highest probability its complement can achieve for Unsat. For an introductory account on non-cooperative concurrent games, we refer to [54].
Definition V.5 (Concurrent game induced by CTL formula). Let M = (S, AP, ∆_must, ∆_may, init, λ) be a modal transition system, let V_Sat ⊆ S and let ϕ be a CTL specification. Let C_S(M, V_Sat) be the set of pure strategies for Sat. A mixed strategy for Sat is a probability distribution p_S : C_S(M, V_Sat) → [0, . We define C_U(M, V_Unsat) and p_U in a similar way. Let M_S and M_U denote respectively the set of mixed strategies of Sat and Unsat.

We consider the concurrent game with the payoff functions

ρ_Sat(σ_Sat, σ_Unsat) = if K(σ_Sat, σ_Unsat) satisfies ϕ, otherwise

and ρ_Unsat(σ_Sat, σ_Unsat) = 1 − ρ_Sat(σ_Sat, σ_Unsat), for all σ_Sat ∈ C_S(M, V_Sat), σ_Unsat ∈ C_U(M, V_Unsat). Given two mixed strategies p_S, p_U, the expected payoff of Sat is

$$E_{Sat}(M, \varphi, p_S, p_U) = \sum_{\substack{\sigma \in C_S(M, V_{Sat}) \\ \sigma' \in C_U(M, V_{Unsat})}} p_S(\sigma)\, p_U(\sigma')\, \rho_{Sat}(\sigma, \sigma')$$

The expected payoff of Unsat is E_Unsat(M, ϕ, p_S, p_U) = 1 − E_Sat(M, ϕ, p_S, p_U). Finally, we define the value of a set of states V_Sat as

$$\mathrm{val}_{concur}(V_{Sat}) = \sup_{p_S \in M_S} \inf_{p_U \in M_U} E_{Sat}(M, \varphi, p_S, p_U)$$

It is a direct consequence of Nash’s theorem [55] that val_concur(V_Sat) is the payoff of Sat obtained in any Nash equilibrium of the concurrent game defined above. In particular we have

$$\mathrm{val}_{concur}(V_{Sat}) = \inf_{p_U \in M_U} \sup_{p_S \in M_S} E_{Sat}(M, \varphi, p_S, p_U)$$

Definition V.6 (Concurrent importance values). Given a partition of the states S , . . . , S_n, we define the importance of a set of states S_i as usual:

$$I_{concur}(S_i) = \frac{1}{n!} \sum_{\pi \in \Pi_n} \mathrm{val}_{concur}(S^{\pi}_{\geq i}) - \mathrm{val}_{concur}(S^{\pi}_{\geq i} \setminus S_i)$$

Remark 8. Computing the value of a set of states in this framework amounts to solving a linear optimization problem with exponential input [56]. As the latter problem can be solved in polynomial time, the former is in EXPTIME [57].
Lemma V.7. For each set of states V_Sat, we have val_concur(V_Sat) = 1 if and only if val_turn(V_Sat) = 1. In particular, as val_turn(V_Sat) ∈ { , } for all V_Sat, the value val_turn(V_Sat) is entirely determined by val_concur(V_Sat) (it is its integer part).

Proof. Suppose val_turn(V_Sat) = 1, then Sat has a winning pure strategy, thus wins with probability if she applies it in the concurrent game. Hence val_concur(V_Sat) = 1.

Now suppose val_turn(V_Sat) = 0, then for every pure strategy σ of Sat, Unsat has a winning strategy against σ. As a result, by taking a uniform distribution over its strategies, Unsat can achieve a positive probability to win. As a result, val_concur(V_Sat) < .

Remark 9. We can make a similar statement about the dual of the two-turn CTL game, described in Remark 7. For all sets of states and specifications the value given by the dual game is if and only if the concurrent value is.

Proposition V.8 (Comparing 2-turn and concurrent importance values). Let S , . . . , S_n be a partition of the states of an MTS. If a set of states S_i is useful with respect to the 2-turn Definition V.1, then it is useful with respect to the concurrent Definition V.6.

Proof. Suppose I_concur(S_i) = 0. Then for all J ⊆ { , . . . , n} we have val_concur(⋃_{j∈J} S_j) = val_concur(⋃_{j∈J∪{i}} S_j). Then by Lemma V.7, for all J we have

val_turn(⋃_{j∈J} S_j) = val_turn(⋃_{j∈J∪{i}} S_j)

and thus I_turn(S_i) = 0.

The converse of Proposition V.8 does not hold as shown by the following example.

Example 5. We consider the MTS displayed in Figure 10 with states partitioned into singletons, and the formula ϕ ∨ ϕ ∨ ϕ with

ϕ = EX(b ∧ EXc) ∧ AX(¬c ∧ ¬(a ∧ EXc))
ϕ = AXa ∧ EXEXc
ϕ = EXc ∧ EX(b ∧ EXc) ∧ EX(a ∧ EXc)

In this system, ϕ expresses that the only path from to is through , ϕ that the only path is through and ϕ that all three paths exist.

Fig. 10. MTS of Ex. 5. Node labels in the figure: ∅, ∅, {b}, {a, b}. Importance values: I_concur(0) = 7/ , I_concur(1) = 1/ , I_concur(2) = 1/ , I_concur(3) = 0; I_turn(0) = 1/ , I_turn(1) = 1/ , I_turn(2) = 0, I_turn(3) = 0.
The computation of the concurrent game importance values is lengthy, but straightforward. We observe that Sat has a pure winning strategy whenever she has states and , and Unsat has a pure winning strategy whenever he has either or and . The remaining case is when Sat has and and Unsat has , so Sat can choose to allow or not the paths , and , , , and Unsat can choose to allow or not path , , .

Then one can observe that the case where Unsat allows path , , with probability / and Sat never allows , and allows , , with probability / is a Nash equilibrium, thus the set { , } has value / . This example shows that in some cases some sets of states may be useless from the 2-turn CTL point of view but not from the Concurrent CTL one.

VI. CONCLUSION

We have introduced a new measure of the influence that a part of a system has on its ability to satisfy a given specification. We have considered two model-checking frameworks, LTL formulas against Kripke structures and CTL formulas against modal transition systems. We have provided tight complexity bounds in most of those cases, except for the complexity of computing the importance in the concurrent case, which we leave open. A general conclusion is that the notion of importance value is natural, but still costly in terms of complexity, especially in the case of LTL. This problem can be mitigated by considering sets of states rather than single states, and formulas from weaker logics.

We expect that the principle of designing a game and computing the importance of a part of the system by shifting its control from one player to the other can be easily adapted to many model-checking problems. We have studied here classical and basic logics, but one could try to find or design logics more well-suited to the computation of the importance, yielding lower complexities.

Another continuation of this work would be a fairer definition of the importance in the case of CTL model-checking. Some subsets of CTL formulas may allow us to design a game in which the players can simultaneously choose transitions on the structure and prove the formula without disadvantaging one of the two. This could be related to the notion of good-for-games automata.

Finally we can extend the definition of value to probabilistic games, by defining the value as the maximal probability of success that
Sat can achieve. This gives us a natural notion of importance in probabilistic games that calls for study.

REFERENCES

[1] H. Chockler, J. Y. Halpern, and O. Kupferman, “What causes a system to satisfy a specification?” ACM Transactions on Computational Logic, vol. 9, no. 3, Jun. 2008. [Online]. Available: https://doi.org/10.1145/1352582.1352588
[2] J. Y. Halpern and J. Pearl, “Causes and Explanations: A Structural-Model Approach. Part I: Causes,” The British Journal for the Philosophy of Science, vol. 56, no. 4, pp. 843–887, 2005.
[3] ——, “Causes and Explanations: A Structural-Model Approach. Part II: Explanations,” The British Journal for the Philosophy of Science, vol. 56, no. 4, pp. 889–911, 2005.
[4] H. Chockler and J. Y. Halpern, “Responsibility and blame: A structural-model approach,” in Proceedings of the Eighteenth International Joint Conference on Artificial Intelligence (IJCAI), 2003. [Online]. Available: http://ijcai.org/Proceedings/03/Papers/021.pdf
[5] L. S. Shapley, “A value for n-person games,” in Kuhn, H., Tucker, A. (Eds.), Contributions to the Theory of Games. Vol. II. Princeton University Press, 1953, pp. 307–317.
[6] N. Immerman, “Number of quantifiers is better than number of tape cells,” Journal of Computer and System Sciences, vol. 22, no. 3, pp. 384–406, 1981.
[7] E. A. Emerson and C. S. Jutla, “The complexity of tree automata and logics of programs (extended abstract),” in , 1988, pp. 328–337. [Online]. Available: https://doi.org/10.1109/SFCS.1988.21949
[8] E. A. Emerson, C. S. Jutla, and A. P. Sistla, “On model-checking for fragments of µ-calculus,” in Computer Aided Verification, 5th International Conference, (CAV), 1993, pp. 385–396. [Online]. Available: https://doi.org/10.1007/3-540-56922-7_32
[9] F. Horn, “Explicit Muller Games are PTIME,” in IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS), 2008, pp. 235–243. [Online]. Available: https://doi.org/10.4230/LIPIcs.FSTTCS.2008.1756
[10] P. Hunter and A. Dawar, “Complexity bounds for regular games,” in Mathematical Foundations of Computer Science, 30th International Symposium (MFCS), 2005, pp. 495–506. [Online]. Available: https://doi.org/10.1007/11549345_43
[11] R. Rosner, “Modular synthesis of reactive systems,” Ph.D. dissertation, PhD thesis, Weizmann Institute of Science, 1992.
[12] T. Eiter and T. Lukasiewicz, “Causes and explanations in the structural-model approach: Tractable cases,” Artificial Intelligence, vol. 170, no. 6, pp. 542–580, 2006. [Online]. Available: https://doi.org/10.1016/j.artint.2005.12.003
[13] ——, “Complexity results for structure-based causality,” Artificial Intelligence, vol. 142, no. 1, pp. 53–89, 2002. [Online]. Available: https://doi.org/10.1016/S0004-3702(02)00271-0
[14] Y. Hoskote, T. Kam, P.-H. Ho, and X. Zhao, “Coverage estimation for symbolic model checking,” in Proceedings of the 36th Annual ACM/IEEE Design Automation Conference (DAC), 1999, p. 300–305. [Online]. Available: https://doi.org/10.1145/309847.309936
[15] H. Chockler, O. Kupferman, R. P. Kurshan, and M. Y. Vardi, “A practical approach to coverage in model checking,” in Computer Aided Verification, 2001, pp. 66–78. [Online]. Available: https://doi.org/10.1007/3-540-44585-4_7
[16] H. Chockler, O. Kupferman, and M. Y. Vardi, “Coverage metrics for temporal logic model checking,” in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2001, pp. 528–542. [Online]. Available: https://doi.org/10.1007/3-540-45319-9_36
[17] H. Chockler, O. Kupferman, and M. Vardi, “Coverage metrics for formal verification,” International Journal on Software Tools for Technology Transfer, vol. 8, no. 4–5, p. 373–386, Aug. 2006.
[18] I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh, “Efficient detection of vacuity in actl formulas,” in Proceedings of the 9th International Conference on Computer Aided Verification (CAV), 1997, p. 279–290. [Online]. Available: https://doi.org/10.1007/3-540-63166-6_28
[19] O. Kupferman and M. Y. Vardi, “Vacuity detection in temporal model checking,” in Proceedings of the 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME), 1999, p. 82–96.
[20] M. Purandare and F. Somenzi, “Vacuum cleaning CTL formulae,” in Computer Aided Verification, 2002, pp. 485–499. [Online]. Available: https://doi.org/10.1007/3-540-45657-0_39
[21] O. Kupferman, W. Li, and S. A. Seshia, “A theory of mutations with applications to vacuity, coverage, and fault tolerance,” in Formal Methods in Computer-Aided Design (FMCAD), 2008, pp. 1–9. [Online]. Available: https://doi.org/10.1109/FMCAD.2008.ECP.29
[22] G. Bielous and O. Kupferman, “Coverage and Vacuity in Network Formation Games,” in , 2020. doi: 10.4230/LIPIcs.CSL.2020.10 pp. 10:1–10:18. [Online]. Available: https://doi.org/10.4230/LIPIcs.CSL.2020.10
[23] E. M. Clarke, O. Grumberg, K. L. McMillan, and X. Zhao, “Efficient generation of counterexamples and witnesses in symbolic model checking,” in Proceedings of the 32nd Annual ACM/IEEE Design Automation Conference, ser. DAC ’95. New York, NY, USA: Association for Computing Machinery, 1995. doi: 10.1145/217474.217565. ISBN 0897917251 p. 427–432.
[24] T. Ball, M. Naik, and S. K. Rajamani, “From symptom to cause: Localizing errors in counterexample traces,” SIGPLAN Not., vol. 38, no. 1, p. 97–105, 2003. doi: 10.1145/640128.604140
[25] A. Zeller, “Isolating cause-effect chains from computer programs,” in Proceedings of the 10th ACM SIGSOFT Symposium on Foundations of Software Engineering, ser. SIGSOFT ’02/FSE-10. New York, NY, USA: Association for Computing Machinery, 2002. doi: 10.1145/587051.587053. ISBN 1581135149 p. 1–10.
[26] A. Groce and W. Visser, “What went wrong: Explaining counterexamples,” in Model Checking Software, T. Ball and S. K. Rajamani, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 121–136.
[27] M. Renieres and S. P. Reiss, “Fault localization with nearest neighbor queries,” in , 2003. doi: 10.1109/ASE.2003.1240292 pp. 30–39.
[28] A. Groce, “Error explanation with distance metrics,” in Tools and Algorithms for the Construction and Analysis of Systems, K. Jensen and A. Podelski, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 108–122.
[29] A. Groce, S. Chaki, D. Kroening, and O. Strichman, “Error explanation with distance metrics,” International Journal on Software Tools for Technology Transfer, vol. 8, no. 3, pp. 229–247, 2006. [Online]. Available: https://doi.org/10.1007/s10009-005-0202-0
[30] L. de Alfaro, T. A. Henzinger, and F. Y. C. Mang, “Detecting errors before reaching them,” in Computer Aided Verification, E. A. Emerson and A. P. Sistla, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2000, pp. 186–201.
[31] I. Beer, S. Ben-David, H. Chockler, A. Orni, and R. J. Trefler, “Explaining counterexamples using causality,” Formal Methods in System Design, vol. 40, no. 1, pp. 20–40, 2012.
[32] S. M. Lundberg and S.-I. Lee, “A unified approach to interpreting model predictions,” in
Proceedings of the 31st International Conference onNeural Information Processing Systems , ser. NeurIPS’17. Red Hook,NY, USA: Curran Associates Inc., 2017, p. 4768–4777.[33] S. M. Lundberg, G. G. Erion, and S.-I. Lee, “Consistent individualizedfeature attribution for tree ensembles,” Tech. Rep. arxiv:1802.03888,2018.[34] M. Sundararajan and A. Najmi, “The many shapley values for modelexplanation,” in
Proceedings of the 37th International Conference onMachine Learning , ser. Proceedings of Machine Learning Research,H. D. III and A. Singh, Eds., vol. 119. PMLR, 2020, pp. 9269–9278.[35] M. K. Tarkowski, T. P. Michalak, T. Rahwan, and M. Wooldridge,“Game-theoretic network centrality: A review,” 2017.[36] V. Yazdanpanah, M. Dastani, W. Jamroga, N. Alechina, and B. Logan,“Strategic responsibility under imperfect information,” in
Proceedingsof the 18th International Conference on Autonomous Agents and Mul-tiAgent Systems (AAMAS) . International Foundation for AutonomousAgents and Multiagent Systems, 2019, p. 592–600.[37] X. Deng and C. Papadimitriou, “On the complexity of cooperativesolution concepts,”
Mathematics of Operations Research , vol. 19, no. 2,pp. 257–266, 1994.[38] S. S. Fatima, M. J. Wooldridge, and N. R. Jennings, “A linearapproximation method for the Shapley value,”
Artificial Intelligence ,vol. 172, no. 14, pp. 1673–1699, 2008. [Online]. Available:https://doi.org/10.1016/j.artint.2008.05.003[39] O. Skibski, T. Rahwan, T. P. Michalak, and M. J. Wooldridge,“Enumerating connected subgraphs and computing the Myerson andhapley values in graph-restricted games,”
ACM Transactions onIntelligent Systems and Technololgy , vol. 10, no. 2, pp. 15:1–15:25,2019. [Online]. Available: https://doi.org/10.1145/3235026[40] O. Skibski, T. P. Michalak, Y. Sakurai, M. J. Wooldridge, and M. Yokoo,“Partition decision trees: representation for efficient computation ofthe Shapley value extended to games with externalities,”
AutonomousAgents and Multi-Agent Systems , vol. 34, no. 1, p. 11, 2020. [Online].Available: https://doi.org/10.1007/s10458-019-09429-7[41] E. Algaba, V. Fragnelli, and J. Sánchez-Soriano,
Handbook of theShapley value . CRC Press, 2019.[42] K. G. Larsen and B. Thomsen, “A modal process logic,” in [1988]Proceedings. Third Annual Symposium on Logic in Computer Science ,Jul. 1988. doi: 10.1109/LICS.1988.5119 pp. 203–210.[43] J. Kˇretínský, “30 Years of Modal Transition Systems: Survey ofExtensions and Analysis,” in
Models, Algorithms, Logics and Tools:Essays Dedicated to Kim Guldstrand Larsen on the Occasion ofHis 60th Birthday , L. Aceto, G. Bacci, G. Bacci, A. Ingólfsdóttir,A. Legay, and R. Mardare, Eds., 2017, pp. 36–74. [Online]. Available:https://doi.org/10.1007/978-3-319-63121-9_3[44] E. M. Clarke, O. Grumberg, and D. A. Peled,
Model checking .MIT Press, 2001. ISBN 978-0-262-03270-4. [Online]. Available:http://books.google.de/books?id=Nmc4wEaLXFEC[45] C. Baier and J. Katoen,
Principles of model checking . MIT Press, 2008.ISBN 978-0-262-02649-9[46] E. Grädel, W. Thomas, and T. Wilke, Eds.,
Automata, Logics, andInfinite Games: A Guide to Current Research , ser. Lecture Notes inComputer Science, vol. 2500. Springer, 2002. [Online]. Available:https://doi.org/10.1007/3-540-36387-4[47] C. H. Papadimitriou,
Computational complexity . Academic InternetPubl., 2007. ISBN 978-1-4288-1409-7[48] K. Prasad and J. S. Kelly, “NP-completeness of some problemsconcerning voting games,”
International Journal of Game Theory ,vol. 19, no. 1, p. 1–9, Apr. 1990. doi: 10.1007/BF01753703. [Online].Available: https://doi.org/10.1007/BF01753703[49] N. Beneš, I. ˇCerná, and J. Kˇretínský, “Modal TransitionSystems: Composition and LTL Model Checking,” in
AutomatedTechnology for Verification and Analysis (ATVA) , 2011.ISBN 978-3-642-24372-1 pp. 228–242. [Online]. Available:https://doi.org/10.1007/978-3-642-24372-1_17[50] S. S. Bauer, U. Fahrenberg, L. Juhl, K. G. Larsen,A. Legay, and C. Thrane, “Quantitative Refinement for WeightedModal Transition Systems,” in
Mathematical Foundations ofComputer Science (MFCS) , 2011, pp. 60–71. [Online]. Available:https://doi.org/10.1007/978-3-642-22993-0_9[51] A. Antonik, M. Huth, K. G. Larsen, U. Nyman, and A. W˛asowski,“Complexity of Decision Problems for Mixed and ModalSpecifications,” in
Foundations of Software Science and ComputationalStructures (FOSSACS) , 2008, pp. 112–126. [Online]. Available:https://doi.org/10.1007/978-3-540-78499-9_9[52] M. Huth, R. Jagadeesan, and D. A. Schmidt, “Modal transitionsystems: A foundation for three-valued program analysis,” in
Programming Languages and Systems, 10th European Symposiumon Programming (ESOP) , 2001, pp. 155–169. [Online]. Available:https://doi.org/10.1007/3-540-45309-1_11[53] M. Lange, “Games for modal and temporal logics,”
Ph.D. Thesis , 2003.[54] G. Owen,
Game theory . Emerald Group Publishing Limited, 2013.ISBN 978-1-781-90507-4[55] J. Nash, “Non-cooperative games,”
Annals of Mathematics . IEEE, 2006, pp. 261–272.[57] L. Khachiyan, “A polynomial algorithm in linear programming,”
Dok-lady Akademii Nauk SSSR , vol. 244, pp. 1093–1096, 1979.[58] M. Jurdzi´nski, “Deciding the winner in parity games is in UP ∩ co-UP,” Information Processing Letters , vol. 68, no. 3, pp. 119–124, 1998.[Online]. Available: https://doi.org/10.1016/S0020-0190(98)00150-1[59] N. Creignou and M. Hermann, “Complexity of generalizedsatisfiability counting problems,”
Information and Computation
TheoreticalComputer Science , vol. 3, no. 1, pp. 1 – 22, 1976. [Online]. Available:https://doi.org/10.1016/0304-3975(76)90061-X[61] C. Wrathall, “Complete sets and the polynomial-time hierarchy,”
Theoretical Computer Science , vol. 3, no. 1, pp. 23 – 33, 1976.[Online]. Available: https://doi.org/10.1016/0304-3975(76)90062-1[62] N. Klarlund, “Progress measures, immediate determinacy, and asubset construction for tree automata,”
Annals of Pure and AppliedLogic , vol. 69, no. 2, pp. 243 – 268, 1994. [Online]. Available:https://doi.org/10.1016/0168-0072(94)90086-8
APPENDIX
A. The full logic
Proof of Theorem IV.3
The usefulness and importance threshold problems for LTL with respect to Kripke structures are 2EXPTIME-complete.

Proof. First, as one can solve LTL games in doubly exponential time, one can compute the value of any subset of the states of $K$ in doubly exponential time as well. There are exponentially many such subsets, thus the computation of all those values takes again doubly exponential time. The computation of the importance then comes down to enumerating orderings of the states and computing the sum along the way. As a result, one can compute the importance and compare it with $\tau$ in doubly exponential time, thus the importance threshold problem (and thus also the usefulness one) is in 2EXPTIME.

For the hardness, we prove that the usefulness problem is 2EXPTIME-hard in the case where the states are partitioned in singletons. The hardness of the usefulness and importance threshold problems follows directly. We reduce the problem of solving LTL games. Let $K = (S, AP, \Delta, \mathit{init}, \lambda)$ be a Kripke structure, let $\varphi$ be an LTL formula, and let $V_{Sat} \sqcup V_{Unsat} = S$ be a partition of $S$ between states of Sat and Unsat. We consider the LTL game $G$ induced by those parameters.

Consider the Kripke structure $K' = (S', AP', \Delta', c_s, \lambda')$ with $S' = S \cup \{c_s, c_u, \mathit{sink}, t\}$, $AP' = AP \cup S'$, and

$\Delta' = \Delta \cup \{(s, \mathit{sink}) \mid s \in S'\} \cup \{(c_s, s) \mid s \in V_{Unsat}\} \cup \{(c_u, s) \mid s \in V_{Sat}\} \cup \{(c_s, c_u), (c_u, t), (t, \mathit{init})\}$

and for all $s \in S'$, $\lambda'(s) = \lambda(s) \cup \{s\}$ if $s \in S$ and $\lambda'(s) = \{s\}$ otherwise. In other words, every state is labeled with its own name. See Figure 5 for an illustration of the construction.

Let $\varphi' = \neg\varphi_{checkUnsat} \vee (\varphi_{checkSat} \wedge X\varphi)$ with

$\varphi_{checkSat} = \neg X\,\mathit{sink} \wedge X\neg c_u \Rightarrow X\,\mathit{sink} \wedge X\,t \Rightarrow X\,\mathit{init} \wedge X\,G\big(\bigvee_{s \in V_{Sat}} s \Rightarrow \neg X\,\mathit{sink}\big)$

$\varphi_{checkUnsat} = [X c_u \Rightarrow (\neg X\,\mathit{sink} \wedge (\neg X\,t \Rightarrow X\,\mathit{sink}))] \wedge X\,G\big(\bigvee_{s \in V_{Unsat}} s \Rightarrow \neg X\,\mathit{sink}\big)$

This construction can be done in logarithmic space. The intuition is that if some state in $V_{Unsat}$ belongs to Sat then she can win by going from $c_s$ to that state and then to $\mathit{sink}$. Similarly if some state of $V_{Sat}$ belongs to Unsat then he can win by going to that state from $c_u$ and then to $\mathit{sink}$. In both cases players win without using $t$. The remaining case is when Sat owns states of $V_{Sat}$ and Unsat of $V_{Unsat}$. Then if Unsat owns $t$ he can win by going from there to $\mathit{sink}$, otherwise the players have to play the original game $G$ from $\mathit{init}$. As a result $t$ is useful if and only if Sat wins $G$. We will now prove that the state $t$ is useful with respect to $\varphi'$ if and only if Sat wins the original LTL game.

First suppose that Sat wins $G$, then we consider $T = \{c_s\} \cup V_{Sat}$. Player Sat loses with $T$:
• If she goes from $c_s$ to $\mathit{sink}$ she loses.
• If she goes from $c_s$ to a state of $V_{Unsat}$, Unsat can then go to some state different from $\mathit{sink}$ and not satisfy $\varphi_{checkSat}$ while satisfying $\varphi_{checkUnsat}$ (recall that in our definition of Kripke structure we assume every state to have at least one outgoing transition).
• If she goes from $c_s$ to $c_u$ then Unsat can go to $t$ then $\mathit{sink}$ and not satisfy $\varphi_{checkSat}$ while satisfying $\varphi_{checkUnsat}$.

Moreover, player Sat wins with $T \cup \{t\}$, as she can start by going from $c_s$ to $c_u$ and:
• If Unsat goes to $\mathit{sink}$ from $c_u$ he loses.
• If Unsat goes from $c_u$ to a state of $V_{Sat}$, Sat can then go to some state different from $\mathit{sink}$ and not satisfy $\varphi_{checkUnsat}$.
• If Unsat goes from $c_u$ to $s$ then Sat can go to $\mathit{init}$ and then win by playing a winning strategy for $G$, thus satisfying $\varphi_{checkSat} \wedge X\varphi$.

Thus $t$ is useful.

Now suppose that $t$ is useful, let $T \subseteq S'$ be a set of states such that $(t, T)$ is critical. $T$ has to contain $c_s$ as otherwise Unsat can go from $c_s$ to $\mathit{sink}$ directly and make Sat lose with $T \cup \{t\}$. If Sat had a winning strategy with $T \cup \{t\}$ not going from $c_s$ to $c_u$, then she would also win with just $T$ by applying this strategy as $t$ is then never reached.

As a result, Sat with $T \cup \{t\}$ has to go from $c_s$ to $c_u$. As a consequence, $T$ has to be disjoint from $V_{Unsat}$, as otherwise Sat with $T$ could go from $c_s$ to a state in $T \cap V_{Unsat}$ and from there to $\mathit{sink}$, unsatisfying $\varphi_{checkUnsat}$. Further, $c_u$ cannot be in $T$ as otherwise Sat could win by going from $c_u$ to $\mathit{sink}$. Finally, Unsat cannot win when Sat has $T$ by going from $c_u$ to a state different from $t$ as otherwise he could win when Sat has $T \cup \{t\}$ with the same strategy. As a consequence, $T$ has to contain $V_{Sat}$, as if not Unsat could go from $c_u$ to a state in $V_{Sat} \setminus T$ and then $\mathit{sink}$, winning the game.

Whether $\mathit{sink}$ is in $T$ is irrelevant to the game as there is only one outgoing transition from $\mathit{sink}$. Thus we can assume that $T = \{c_s\} \cup V_{Sat}$. Suppose Unsat wins $G$, and consider the game where Sat has $T \cup \{t\}$. As Sat has to go from $c_s$ to $c_u$ to win, Unsat can then go from $c_u$ to $s$, and Sat has to go to $\mathit{init}$. Then Unsat can apply his winning strategy for $G$, as Sat loses if she goes to $\mathit{sink}$ and thus cannot go out of $S$. This makes Unsat win, contradicting the hypothesis that Sat wins with $T \cup \{t\}$. In conclusion, Sat wins $G$.

As a result, the usefulness and importance threshold problems are 2EXPTIME-complete for LTL.
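The upper-bound argument above (compute the value of every subset of blocks, then sum over orderings), as an added example that is not code from the paper. It swaps the LTL objective for a plain reachability objective, so each game is solved by an attractor fixpoint; the Kripke structure, state names and partition are constructed for illustration.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial

# Constructed Kripke structure (not taken from the paper): state -> successors.
# Every state has at least one outgoing transition, as the paper assumes.
SUCC = {
    "init": ["a", "b"],
    "a": ["goal", "sink"],
    "b": ["c", "sink"],
    "c": ["goal", "sink"],
    "goal": ["goal"],
    "sink": ["sink"],
}
INIT = "init"
TARGET = frozenset({"goal"})  # Sat's objective: reach a target state
PARTITION = [{"init"}, {"a"}, {"b"}, {"c"}, {"goal"}, {"sink"}]  # V_1..V_n


def sat_wins(succ, init, target, sat_states):
    """Reachability game: Sat moves in sat_states, Unsat everywhere else.

    Returns True iff init lies in Sat's attractor of the target set.
    """
    attractor = set(target)
    changed = True
    while changed:
        changed = False
        for state, nexts in succ.items():
            if state in attractor:
                continue
            hits = [n in attractor for n in nexts]
            # Sat needs one good successor; Unsat must have no escape.
            forced = any(hits) if state in sat_states else all(hits)
            if forced:
                attractor.add(state)
                changed = True
    return init in attractor


def importances(succ, init, target, partition):
    """Importance of every block V_i, by enumerating all orderings.

    Block i is counted for an ordering when (i, J) is critical, where J is
    the set of blocks placed after i: Sat wins when she controls the blocks
    in J together with V_i, and loses when she controls only those in J.
    """
    n = len(partition)
    cache = {}

    def value(indices):
        # Value of a coalition of blocks, memoised over the 2^n subsets.
        if indices not in cache:
            states = set().union(*(partition[j] for j in indices))
            cache[indices] = sat_wins(succ, init, target, states)
        return cache[indices]

    critical = [0] * n
    for order in permutations(range(n)):
        for pos, i in enumerate(order):
            after = frozenset(order[pos + 1:])
            if value(after | {i}) and not value(after):
                critical[i] += 1
    return [Fraction(c, factorial(n)) for c in critical]


def useful(succ, init, target, partition, i):
    """Block i is useful iff some J makes (i, J) critical, i.e. I(V_i) > 0."""
    return importances(succ, init, target, partition)[i] > 0


if __name__ == "__main__":
    result = importances(SUCC, INIT, TARGET, PARTITION)
    for block, imp in zip(PARTITION, result):
        print(sorted(block), imp)
```

The blocks `goal` and `sink` have a single outgoing transition, so giving them to either player changes nothing and their importance is zero.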
Proof of Theorem IV.6
The importance computation problem for reachability, Büchi, parity and explicit Muller conditions with respect to Kripke structures are

Proof. First the upper bound for reachability, Büchi and explicit Muller conditions is obtained by constructing a Turing machine guessing an ordering of $\{1, \ldots, n\}$, and accepting if the set $J$ of indices coming after $i$ in the ordering is such that $(i, J)$ is critical, which can be checked in polynomial time. The number of accepting runs is the number of permutations satisfying this condition, i.e., $n!\,I(V_i)$. The problem is therefore in $K$, a partition $V_1, \ldots, V_n$ of the states, an index $i$ and a coloring $c$ and guesses an ordering of $\{1, \ldots, n\}$. Let $J$ be the set of indices coming after $i$ in the permutation, our machine can simulate the unambiguous Turing machine in order to check that Sat wins with $\bigcup_{j \in J \cup \{i\}} V_j$ and Unsat wins with $\bigcup_{j \in J} V_j$. The number of accepting runs of this machine is precisely $n!\,I(V_i)$.

Our reduction to show $\varphi = C_1 \wedge C_2 \wedge \cdots \wedge C_k$ be a 3SAT formula, with $C_j = (\ell^1_j \vee \ell^2_j \vee \ell^3_j)$ for all $j$, and let $\{x_1, \ldots, x_n\}$ be the set of variables appearing in $\varphi$. We first construct the formula

$\psi = \bigwedge_{j=1}^{k} C_j \wedge \bigwedge_{j=1}^{n} (x_j \vee \neg x_j) \wedge \bigwedge_{j=1}^{k} C^{1,2}_j \wedge C^{1,3}_j \wedge C^{2,3}_j$

with $C^{i_1,i_2}_j = (\neg\ell^{i_1}_j \vee \neg\ell^{i_2}_j)$.

One can check that a valuation $\nu : \{x_1, \ldots, x_n\} \to \{\bot, \top\}$ satisfies $\psi$ if and only if it satisfies exactly one literal per clause in $\varphi$.

Furthermore if a valuation satisfies $\psi$ then it satisfies exactly one literal in every clause except for exactly one of $C^{1,2}_j, C^{1,3}_j, C^{2,3}_j$ for each $j$, in which it satisfies both literals.

We reuse the construction from the proof of Proposition IV.5, with $\psi$ as our 3SAT instance. Recall that this construction used a reachability condition, easily expressible as a Büchi, parity or Muller condition, making the reduction work for all those winning conditions. As $\mathit{sink}$ and $f$ only have one outgoing transition, they have no influence on the satisfaction of a specification by a set of states, thus their importance is $0$. As a consequence, by Corollary III.6 they can be ignored in the computation of the importance, thus we will only consider sets of states containing neither. Then a team of states $T$ makes $(s, T)$ critical if and only if it contains all the $c_i$ but not $s$ and there exists a valuation $\nu$ satisfying $\psi$ such that $T$ contains exactly the states associated literals satisfied by $\nu$, except in clauses $C^{i_1,i_2}_j$ in which $\nu$ satisfies both literals, in which $T$ contains either one of the two states or both.

As a result, for every valuation $\nu$ satisfying $\psi$, we have exactly $3^k$ sets of states $T$ making $s$ critical and matching that valuation. Indeed, $T$ is completely determined by $\nu$ except for one $C^{i_1,i_2}_j$ for each $1 \le j \le k$, in which it has three possibilities: contain the first literal, the second, or both.

Fig. 11. Kripke structure corresponding to formula ∀ x , ∃ x , x ∧ ¬ x

A brief analysis shows that for each such valuation $\nu$, there are, for each $1 \le i \le k$, $\binom{k}{i} 2^{k-i}$ corresponding teams of size $2i + k - i + 2k + 2n$ (those teams being the ones containing both literals in $i$ out of the $k$ clauses $C^{i_1,i_2}_j$ in which $\nu$ satisfies both literals), adding up to $3^k$ teams.

Let $N$ be the total number of states in the Kripke structure. By Corollary III.6, the number of valuations satisfying $\varphi$ with exactly one satisfied literal per clause is therefore ( N − N ! M N ! I ( s ) , with

$M = \sum_{i=1}^{k} \binom{k}{i} 2^{k-i}\,(i + 3k + 2n)!\,([N - 1] - i - 3k - 2n)!$

As $M$ can be computed in polynomial time, the problem is therefore

Proof of Theorem IV.7
The value, usefulness and importance threshold problems for Emerson-Lei conditions are PSPACE-complete.

Proof. The upper bounds arise from the complexity of solving Emerson-Lei games, which are PSPACE-complete [10]. As enumerating permutations of the states can be done in linear space, one can compute the importance of a set of states in PSPACE.

For the lower bounds, we adapt a classic proof that Emerson-Lei games are PSPACE-hard to our framework. We only need to prove that the usefulness problem is PSPACE-hard as the importance threshold problem reduces to it. Further, we only use the particular case when the set of states is partitioned in singletons.

We reduce the QSAT problem. Let $Q_1 x_1 \cdots Q_k x_k\, \psi$ be a QSAT instance, we consider the following Kripke structure:
• $\{c_i, x_i, \neg x_i \mid 1 \le i \le k\} \cup \{s, \mathit{win}_S, \mathit{win}_U\}$ is the set of states, $c_1$ is the only initial state.
• For all $1 \le i \le k$ there are transitions $(c_i, x_i)$, $(c_i, \neg x_i)$, $(x_i, c_{i+1})$, $(\neg x_i, c_{i+1})$, with $c_{k+1} = s$. There is also a transition $(c_i, \mathit{win}_U)$ if $Q_i = \exists$ and $(c_i, \mathit{win}_S)$ if $Q_i = \forall$. The remaining transitions are $(s, c_1)$, $(s, \mathit{win}_U)$, $(\mathit{win}_S, \mathit{win}_S)$, $(\mathit{win}_U, \mathit{win}_U)$.

The labeling is irrelevant here. Figure 11 illustrates the construction.

For all $1 \le i \le k$ let

$\varphi_i = \mathit{Inf}(x_i) \wedge \mathit{Inf}(\neg x_i) \wedge \bigwedge_{j=1}^{i} \neg(\mathit{Inf}(x_j) \wedge \mathit{Inf}(\neg x_j))$

expressing that $i$ is the minimal $i$ such that both $x_i$ and $\neg x_i$ are visited infinitely many times.

We take as winning condition for Sat the formula

$(\psi' \vee \mathit{Inf}(\mathit{win}_S) \vee \bigvee_{Q_i = \forall} \varphi_i) \wedge \neg \mathit{Inf}(\mathit{win}_U) \wedge \bigwedge_{Q_i = \exists} \neg\varphi_i$

where $\psi'$ is $\psi$ in which every $x_i$ has been replaced with $\mathit{Inf}(x_i)$.

This construction can be done in logarithmic space. We will now prove that the QSAT formula is valid if and only if state $s$ is useful.

Suppose the QSAT formula is valid, let $T = \{c_i \mid Q_i = \exists\}$. Clearly Sat loses with $T$ as by taking the transition to $\mathit{win}_U$ from $s$, Unsat can guarantee that every play reaches $\mathit{win}_U$ and thus wins.

As the QSAT formula is valid, there exist functions $(f_i)_{Q_i = \exists}$ such that for all $i$, $f_i : \{\top, \bot\}^{i-1} \to \{\top, \bot\}$ and for all $\nu : \{x_1, \ldots, x_k\} \to \{\top, \bot\}$ such that for all $f_i$ we have $\nu(x_i) = f_i(\nu(x_1), \ldots, \nu(x_{i-1}))$, $\nu$ satisfies $\psi$.

Further, Sat makes all the existential choices: suppose she chooses according to $f_i$ from every $c_i$ she owns, and takes the transition to $c_1$ from $s$. Suppose Sat takes the transitions to $x_i$ and $\neg x_i$ infinitely many times, then as Sat plays according to functions $f_i$, it means there exists a $j < i$ such that $x_j$ and $\neg x_j$ were visited infinitely many times.

As a consequence the minimal $i$, if it exists, such that $x_i$ and $\neg x_i$ are visited infinitely many times is such that $Q_i = \forall$.

If it exists then $\varphi_i$ is satisfied, while $\varphi_j$ is not satisfied for any other $j$, and as $\mathit{win}_U$ is never visited, Sat wins.

If it does not exist, then for all $j$ exactly one of $x_j, \neg x_j$ is visited infinitely many times, and as Sat plays according to the $f_i$, we have that $\psi'$ is satisfied. As no $\varphi_j$ is satisfied and $\mathit{win}_U$ is never visited, Sat wins.

Now suppose the QSAT formula is not satisfiable, and suppose there exists $T$ such that Sat wins with $T \cup \{s\}$ but not with $T$. If there exists $c_i \in T$ such that $Q_i = \forall$ or $c_i \notin T$ such that $Q_i = \exists$ then either Sat can reach $\mathit{win}_S$ and win with $T$, or Unsat can reach $\mathit{win}_U$ and win while Sat has $T \cup \{s\}$. Whether $\mathit{win}_S$, $\mathit{win}_U$ or the $x_i, \neg x_i$ belong to $T$ is irrelevant as they have only one outgoing transition.

Thus we can assume that $T = \{c_i \mid Q_i = \exists\}$. By similar arguments as above, there exist functions $(f_i)_{Q_i = \forall}$ such that $f_i$ associates to the $i-1$ values of the previous literals a valuation of $x_i$, and any valuation respecting those functions does not satisfy $\psi$. And again by similar arguments as above, playing according to those functions allows Unsat to win the game while Sat has $T \cup \{s\}$, contradicting the hypothesis that Sat wins with $T \cup \{s\}$. As a result, $s$ is not useful.

Proof of Proposition IV.8
The usefulness problem for Rabin conditions is $\Sigma_2^P$-complete.

Proof. For the upper bound we simply consider a nondeterministic Turing machine guessing a set of indices $J$ and calling an NP oracle twice to check that player Sat wins with $\bigcup_{j \in J \cup \{i\}} V_j$ as set of states and loses with just $\bigcup_{j \in J} V_j$.

For the lower bound, we reduce the dual of the $\forall\exists$ $\Pi_2^P$-complete [60] [61]. Given a formula $\varphi = \forall (x_i)_{1 \le i \le n}, \exists (y_i)_{1 \le i \le p}\, \psi$ with $\psi = \bigvee_{i=1}^{k} Cl_i$ a $\forall\exists$ $K$ (with states partitioned in singletons), a state $s$ and a Rabin condition $R$ such that $s$ is useful to $K$ with respect to $R$ if and only if this formula is not valid.

First of all note that we can assume that every clause contains an existential variable $y_i$. Indeed, any clause $(\ell_1 \vee \ell_2 \vee \ell_3)$ can be replaced by $(\ell_1 \vee \ell_2 \vee y) \wedge (\neg y \vee \ell_3) \wedge (\neg \ell_3 \vee y)$, with $y$ a fresh variable which we add to the set of existential ones. One can check that we obtain a formula equisatisfiable to the previous one.

Consider the structure $K$ whose states are elements of

$\{c_i, x_i, \neg x_i, c'_i, x'_i, \neg x'_i \mid 1 \le i \le n\} \cup \{sk_{x_i}, sk_{\neg x_i}, ret_{x_i}, ret_{\neg x_i} \mid 1 \le i \le n\} \cup \{y_j, \neg y_j \mid 1 \le j \le p\} \cup \{Cl_i \mid 1 \le i \le k\} \cup \{s, \mathit{sink}\}$

whose initial state is $c_1$ and whose transitions are as follows:
• There are transitions from $\mathit{init}$ to itself, to $c_1$ and to every $Cl_j$.
• For all $i$ there are transitions from $c_i$ to $x_i$ and $\neg x_i$ and from $x_i$ and $\neg x_i$ to $c_{i+1}$, with $c_{n+1} = c'_1$.
• For all $i$, for all $\ell \in \{x_i, \neg x_i\}$, there are transitions $(\ell, sk_\ell)$, $(sk_\ell, \neg\ell')$.
• We have transitions $(c'_i, x'_i)$, $(c'_i, \neg x'_i)$, $(x'_i, c'_{i+1})$, $(\neg x'_i, c'_{i+1})$ for all $1 \le i \le n$, with the convention $c'_{n+1} = s$.
• For all $\ell$ of the form $x_i$ or $\neg x_i$, for all clauses $Cl_j$ containing $\ell$ there are transitions $(Cl_j, ret_\ell)$ and $(ret_\ell, \ell)$.
• For all $\ell$ of the form $y_i$ or $\neg y_i$, for all $Cl_j$ containing $\ell$, there is a transition $(Cl_j, \ell)$ and a transition $(\ell, c_1)$.
• For all clauses $Cl_j$ there is a transition $(s, Cl_j)$.
• There are transitions from all $c_i, c'_i, x_i, \neg x_i, x'_i, \neg x'_i, Cl_j$ to $\mathit{sink}$.

Figure 12 illustrates the construction. There are transitions from the blue and white states to $\mathit{skip}$, which is omitted on the picture. The blue states are the ones hardcoded to belong to Sat, the grey ones are the ones that have only one outgoing transition, and the white ones are the ones encoding the valuation of the $x_i$.

As states $\mathit{sink}, ret_\ell, sk_\ell, y_i, \neg y_i$ have only one outgoing transition, whether they belong to Sat or Unsat has no consequence on the game. In the proof that follows we will ignore which player they belong to.

We take as Rabin condition

$R = \{(\{y_i\}, \{\neg y_i\}), (\{\neg y_i\}, \{y_i\}) \mid 1 \le i \le p\} \cup \{(\{sk_\ell\}, \emptyset), (\{ret_\ell\}, \emptyset) \mid 1 \le i \le n, \ell \in \{x_i, \neg x_i\}\} \cup \{(\emptyset, \{c', \mathit{sink}\}), (\{\mathit{init}\}, \emptyset)\}.$

The construction can be done in logarithmic space. We will now show that the formula $\varphi$ is not valid if and only if $s$ is useful in the Kripke structure with respect to this Rabin condition.

Fig. 12. Construction for the formula ∀ x ∃ x ( x ∨ ¬ x ) ∧ ( x ∨ ¬ x ) . The sink state is omitted. The Rabin condition is displayed at the top of the figure.

Suppose that $\varphi$ is not valid, let $\nu$ be a valuation of the $x_i$ not satisfying $\exists (y_i)\, \psi$. We take as set of states $T$ all the $c_i$, $c'_i$, all the $Cl_j$, and the $\ell$ and $\ell'$ such that $\nu(\ell) = \top$.

If Sat has states $T \cup \{s\}$, then she can pick any clause $Cl_j$, any literal $\ell$ in $Cl_j$ of the form $y_i$ or $\neg y_i$.

If Unsat loops on $\mathit{init}$ forever then Sat wins. If he chooses to go to $c_1$, then as there is a path $P$ in $T$ from $c_1$ to $s$, Sat can repeat indefinitely the cycle taking $P$ from $c_1$ to $s$, then going through $Cl_j$, then $\ell$, then back to $c_1$. This allows Sat to win as she goes through $\ell$ infinitely many times without going through $\neg\ell$.

If Unsat goes to some $Cl_j$ from $\mathit{init}$ then Sat can simply go to some $y_i$ or $\neg y_i$ (recall that we assumed every clause to contain a $y_i$ or $\neg y_i$), then to $c_1$ and from there play as in the previous case.

If Sat has states $T$, then we proceed by contradiction. Suppose Sat has a winning strategy, then as she is the player with a Rabin winning condition, she has a positional one [62]. In particular from every $Cl_j$ Sat picks either a successor $ret_\ell$ with $\ell$ in $Cl_j$ or a successor $y_i$ or $\neg y_i$ in $Cl_j$. In the first case, $\ell$ has to be satisfied by $\nu$, otherwise after $ret_\ell$ the game reaches $\ell$, from which Unsat goes to $\mathit{sink}$ and wins.

Further, from every $c_i$ Sat has to pick the successor $x_i$ or $\neg x_i$ satisfied by $\nu$, otherwise Unsat can then reach $\mathit{sink}$ and win.

From an $x_i$ belonging to Sat, she cannot go to $sk_{x_i}$ as then she ends up in $\neg x'_i$, from where Unsat can reach $\mathit{sink}$. The same argument stops her from going to $sk_{\neg x_i}$ from $\neg x_i$. As a result, from $c_1$ Sat has to follow a path to $s$.

As every $ret_\ell$ to which Sat goes from a $Cl_j$ is such that $\nu$ satisfies $\ell$, if there were a valuation of the $y_i$ satisfying every literal $y_i$ or $\neg y_i$ to which Sat goes from a clause, then we could infer from the strategy of Sat a valuation $\mu$ such that $\nu$ and $\mu$ combined satisfy $\psi$. This would contradict the fact that $\nu$ does not satisfy $\exists (y_i)\, \psi$, thus there is no such valuation $\mu$.

As a result, there exist $i, j_1, j_2$ such that Sat picks $y_i$ from $Cl_{j_1}$ and $\neg y_i$ from $Cl_{j_2}$. As Sat has to go to $s$ from $c_1$, Unsat can then alternately choose $Cl_{j_1}$ and $Cl_{j_2}$ as successors, thus making Sat go infinitely many times through $y_i$ and $\neg y_i$ (and never through other $y_i$ or $\neg y_i$). Then Unsat wins, contradicting the fact that Sat is playing a winning strategy.

In conclusion, if $\varphi$ is not valid, then $s$ is useful for $K$ with respect to $R$.

Now we have to prove that if $s$ is useful for $K$ with respect to $R$, then $\varphi$ is not valid. Suppose the former, let $T$ be a set of states such that Sat wins with $T \cup \{s\}$ but not with $T$.

As Sat loses with $T$, $\mathit{init}$ cannot be in $T$, otherwise Sat could win by looping forever on $\mathit{init}$.

Suppose there exists a $Cl_j \notin T$, then Unsat can win by going to $Cl_j$ from $\mathit{init}$ and then to $\mathit{sink}$, contradicting the fact that Sat wins with $T \cup \{s\}$. Thus $T$ contains all $Cl_j$.

If Unsat loops on $\mathit{init}$ forever then Sat wins. If Unsat goes from $\mathit{init}$ to some $Cl_j$ then Sat can go to some $y_i$ or $\neg y_i$ and from there to $c_1$. We can thus assume that the players always end up reaching $c_1$.

As Sat loses with $T$, there cannot be any path in $T$ from $c_1$ to $s$ going through a $sk_\ell$, otherwise Sat could go infinitely many times through that $sk_\ell$. However as Sat wins with $T \cup \{s\}$, there has to be a path from $c_1$ to $s$ in $T$ (otherwise Sat would have to reach a state of Unsat with a transition to $\mathit{sink}$ and lose). Thus for all $i$, $c_i, c'_i$ belong to $T$, as well as one of $x_i, \neg x_i$ and one of $x'_i, \neg x'_i$. Further, for all $i$, we cannot have both $x_i$ and $\neg x'_i$, or both $\neg x_i$ and $x'_i$ in $T$. As a result for all $i$ either $x_i, x'_i \in T$ and $\neg x_i, \neg x'_i \notin T$ or $\neg x_i, \neg x'_i \in T$ and $x_i, x'_i \notin T$. Let $\nu$ be the valuation of the $x_i$ such that $\nu(x_i) = \top$ if and only if $x_i \in T$.

Let $\mu$ be a valuation of the $y_i$, suppose for the sake of contradiction that the combination of $\nu, \mu$ satisfies $\psi$. Then for all $j$, $Cl_j$ has a transition either to a $ret_\ell$ with $\nu(\ell) = \top$ or to a $y_i$ with $\mu(y_i) = \top$ or to a $\neg y_i$ with $\mu(y_i) = \bot$.

Then by taking from each $Cl_j$ the successor as stated above, Sat wins as she will necessarily either go through a $ret_\ell$ infinitely many times, or through a $y_i$ or $\neg y_i$ infinitely many times while never visiting the opposite literal.

We obtain a contradiction as Unsat is supposed to win the game when Sat only owns $T$.

As a result, $\nu, \mu$ cannot satisfy $\psi$, thus $\varphi$ is not valid.

Proof of Theorem IV.9
The importance computation problem for Rabin conditions is NP -complete.

Proof. We reduce the problem of counting, given a formula $\psi$ in 3CNF over variables $x_1, \ldots, x_n, y_1, \ldots, y_p$, the number of valuations of the $x_i$ such that for all valuations of the $y_i$, the combination of those does not satisfy $\psi$.

First let us justify that this problem is NP -hard. Let $M$ be a non-deterministic Turing machine with an oracle solving an NP-complete problem (say SAT), let $w$ be an input.

We can assume without loss of generality that $M$ only makes one query to the oracle, and accepts if and only if the answer is negative.

Indeed, say $M$ has to make queries $\psi_1, \ldots, \psi_k$ to the oracle, all over existential variables $y_1, \ldots, y_p$. It can nondeterministically guess the answers of the oracle and delay the verification to the end of the run.

Now let us define the order $\le$ on valuations of the existential variables as the lexicographic order, a valuation $\nu$ being seen as the tuple $(\nu(y_1), \ldots, \nu(y_p))$ and with the convention $\bot \le \top$. Then for the positive answers $M$ can guess a minimal witness valuation for the $y_i$ with respect to $\le$, negate the formula. The problem, given a SAT instance and a valuation of the existential variables, of checking whether this is the minimal valuation witnessing the satisfiability of the formula, is clearly in coNP. As a result $M$ can guess the minimal valuation of the $y_i$ witnessing the satisfiability of the formula, and then turn it into a SAT formula unsatisfiable if and only if the guess is correct. As there is for every SAT formula a unique minimal valuation satisfying it, $M$ can only make one correct guess, thus its number of runs is unchanged.

Finally, in the end $M$ has to make the oracle check a disjunction of $\exists$ formulas, it can rename variables in order to merge them all into one equivalent SAT instance, and accept if and only if the oracle rejects that formula.

We now use the classical encoding of Turing machines in 3CNF formulas to construct a 3CNF formula $\psi$ over variables $x_1, \ldots, x_n, y_1, \ldots, y_p, r_1, \ldots, r_k$ such that for all valuations of the $x_i, y_i$ (encoding respectively the nondeterministic choices of $M$ and the ones of the oracle), there is a non-accepting run of $M$ on $w$ if and only if there exists a valuation of the $r_i$ (encoding the runs of $M$ and the oracle) satisfying the formula along with these valuations of $x_i, y_i$.

As a result, there is an accepting run of $M$ on $w$ if and only if the formula $\forall (x_i)\, \exists (y_i), (r_i)\, \varphi$ is not valid, and the valuations of the $x_i$ witnessing non-validity are in bijection with the runs of $M$.

Hence the problem is NP -hard.

Now in order to prove the hardness for the importance computation problem for Rabin conditions, we use the same construction as in the proof of Proposition IV.8. Let $\varphi$ be a 3CNF formula with $k$ clauses over variables $x_1, \ldots, x_n, y_1, \ldots, y_p$, we consider the Kripke structure from that proof.

Furthermore, a set of states $T$ makes $(s, T)$ critical if and only if it contains the $c_i$, $c'_i$, $Cl_i$, and the $x_i, \neg x_i, x'_i, \neg x'_i$ encoding a valuation of the $x_i$ such that for all valuations of the $y_i$, the combination of the two valuations does not satisfy $\varphi$.

Note that states $sk_\ell, ret_\ell, y_i, \neg y_i$ all have one outgoing transition and thus have importance $0$.

As those sets $T$ all have the same size $k + 4n$, the formula from Corollary III.6 gives us that the number of valuations of the $x_i$ such that for all valuations of the $y_i$, the combination of the two valuations does not satisfy $\varphi$ is P ! N !( k +4 n )!( P − k +4 n )! N ! I ( s ) where $N$ is the number of states in the Kripke structure and $P$ the number of states minus the $sk_\ell, ret_\ell, y_i, \neg y_i$.

As P ! N !( k +4 n )!( P − k +4 n )! can be computed in polynomial time, the importance computation problem for Rabin conditions is NP -complete.

Proof of Proposition V.2
The value problem for two-turn CTL is Σ P -complete.

Proof. One can reformulate the problem as the existence of a subset of outgoing transitions from V Sat such that for all subsets of outgoing transitions from V Unsat , the structure yielded by those subsets of transitions satisfies ϕ .

As those subsets of transitions are of polynomial size, and as the satisfaction of a CTL formula by a Kripke structure can be checked in polynomial time, the problem is in Σ P .

We now prove the lower bound, by reducing ∃∀ SAT. Let ∃ ( x i ) ≤ i ≤ n , ∀ ( y i ) ≤ i ≤ k ψ with ψ quantifier-free be a ∃∀ SAT instance. Without loss of generality, we assume that all the negations in ψ have been pushed to the atomic propositions.

We consider the following modal transition system M = ( S, AP, ∆ must , ∆ may , init, λ ) with:
• S = { sink } ∪ { c i , x i , ¬ x i | ≤ i ≤ n + k } . The initial state is c .
• AP = { x i | ≤ i ≤ n + k } and λ ( x i ) = { x i } for all ≤ i ≤ n + k and λ ( s ) = ∅ for all other s ∈ S .
• ∆ must = { ( x n + k , sink ) , ( ¬ x n + k , sink ) , ( sink, sink ) } ∪ { ( x i , c i +1 ) , ( ¬ x i , c i +1 ) | ≤ i ≤ n + k − } .
• ∆ may = { ( c i , x i ) , ( c i , ¬ x i ) | ≤ i ≤ n + k } .

We split S into V Sat = { sink } ∪ { x i , ¬ x i | ≤ i ≤ n + k } ∪ { c i | ≤ i ≤ n } and V Unsat = { c i | n + 1 ≤ i ≤ n + k } .

Informally, we are going to make players choose valuations of the variables through their choices of transitions. The CTL formula will then ensure that the choices of transitions yield well-defined valuations, and that these valuations satisfy the SAT formula.

With that goal in mind, we define the specification as follows:

ϕ = ( ϕ SAT ∧ ϕ checkSat ) ∨ ϕ checkUnsat
ϕ checkSat = ⋀_{i=1}^{n} EX i − ( AX ( x i ) ∨ AX ( ¬ x i )) ∧ EX ⊤
ϕ checkUnsat = EX n ⋁_{i=1}^{n} EX i − ( EX ( x i ) ∧ EX ( ¬ x i )) ∧ AX ⊥

and ϕ SAT is ψ where every x p has been replaced by EX p − x p and every ¬ x p replaced by EX p − ¬ x p . Recall that we assumed that ψ only has negations in front of atomic propositions. This construction can be done in logarithmic space.

The idea is that ϕ SAT mimics ψ in order to check that there exists a path in the structure obtained through the game matching a valuation satisfying ψ . Meanwhile, formulas ϕ checkSat and ϕ checkUnsat ensure that players never pick both x i or neither.

Now for the formal proof, suppose there exists a valuation ν : { x , . . . , x n } → {⊤ , ⊥} such that for every valuation ν : { x n +1 , . . . , x n + k } → {⊤ , ⊥} , the combination of ν and ν satisfies ψ .

Then let σ ( c i ) = x i if ν ( x i ) = ⊤ , and ¬ x i otherwise, for ≤ i ≤ n , and let σ be a pure strategy for Unsat . Clearly as | σ ( c i ) | = 1 for all i , the resulting structure satisfies ϕ checkSat .

If | σ ( c i ) | = 0 for some i , then ϕ checkUnsat is satisfied, thus so is ϕ . If Unsat gives every c i a successor, then there is a path from c to sink , representing a valuation whose projection to { x , · · · , x n } matches ν . As a result, ψ is satisfied by this valuation, thus ϕ SAT is satisfied by the structure yielded by σ and σ , hence so is ϕ .

Now suppose there exists a pure strategy σ for Sat such that for every pure strategy σ for Unsat , σ , σ yield a structure satisfying ϕ . For all ≤ i ≤ n , if we had | σ ( c i ) | = 0 then neither ϕ checkSat nor ϕ checkUnsat would be satisfied, and if we had | σ ( c i ) | > then ϕ checkSat would not be satisfied, and Unsat could win by choosing one outgoing transition for each c i he owns, thereby falsifying ϕ checkUnsat . As a result, σ selects exactly one of { x i , ¬ x i } for each i , thus we can define ν the valuation such that ν ( x i ) = ⊤ if σ ( c i ) = x i , and ⊥ otherwise, for ≤ i ≤ n .

Let ν : { x n +1 , . . . , x n + k } → {⊤ , ⊥} , we define a corresponding strategy for Unsat as σ ( c i ) = x i if ν ( c i ) = ⊤ , and ¬ x i otherwise, for n + 1 ≤ i ≤ n + k .

As σ , σ yield a structure satisfying ϕ , either ϕ SAT is satisfied or ϕ checkUnsat is. Further, as in that structure every state has exactly one successor, ϕ checkUnsat is not satisfied, thus ϕ SAT is. As a consequence, the combination of ν and ν satisfies ψ .

We have constructed in logarithmic space a CTL formula, a modal transition system and a subset V Sat of states such that Sat has a pure winning strategy on V Sat if and only if ψ with set of existential variables { x , · · · , x n } is in ∃∀ SAT.

As a result the value problem corresponding to definition V.1 is Σ P -complete.

Proof of Proposition V.3
The usefulness problem for two-turn CTL is Σ P -complete.

Proof. Let M = ( S, AP, ∆ must , ∆ may , init, λ ) be an MTS, let V , . . . , V n be a partition of S , let ≤ i ≤ n , let ϕ be a CTL formula.

In order to check the usefulness of s , we can guess a set of indices J and a pure strategy σ : ⋃_{j ∈ J ∪ { i }} V j → ∆ may , make an adversary choose pure strategies σ ′ : ⋃_{j ∈ J} V j → ∆ may and σ : S \ ( ⋃_{j ∈ J ∪ { i }} V j ) → ∆ may , and then guess a pure strategy σ ′ : S \ ⋃_{j ∈ J} V j → ∆ may such that the structure yielded by σ , σ satisfies ϕ but the one yielded by σ ′ , σ ′ does not.

This shows that the problem is in Σ P .

Now let us show hardness. We reduce the problem ∃∀∃ SAT. Let ∃ x , . . . , x n , ∀ y , . . . , y k , ∃ z , . . . , z p ψ with ψ quantifier-free be a ∃∀∃ SAT instance. We assume without loss of generality that all negations have been pushed to the atomic propositions.

We define the MTS M = ( S, AP, ∆ must , ∆ may , init, λ ) as follows:

S = { x i , ¬ x i , c xi | ≤ i ≤ n }
∪ { y i , ¬ y i , c yi | ≤ i ≤ k }
∪ { z i , ¬ z i , c zi | ≤ i ≤ p }
∪ { x ′ i , ¬ x ′ i | ≤ i ≤ n } ∪ { win S , win U , s }

AP = S

∆ must = { ( x i , c xi +1 ) , ( ¬ x i , c xi +1 ) | ≤ i ≤ n − }
∪ { ( y i , c yi +1 ) , ( ¬ y i , c yi +1 ) | ≤ i ≤ k − }
∪ { ( z i , c zi +1 ) , ( ¬ z i , c zi +1 ) | ≤ i ≤ p − }
∪ { ( x n , c y ) , ( ¬ x n , c y ) , ( y k , c z ) , ( ¬ y k , c z ) }
∪ { ( x ′ i , x ′ i +1 ) , ( x ′ i , ¬ x ′ i +1 ) | ≤ i ≤ n − }
∪ { ( ¬ x ′ i , x ′ i +1 ) , ( ¬ x ′ i , ¬ x ′ i +1 ) | ≤ i ≤ n − }
∪ { ( x i , ¬ x ′ i ) , ( ¬ x i , x ′ i ) | ≤ i ≤ n }
∪ { ( x ′ n , win S ) , ( ¬ x ′ n , win S ) }
∪ { ( win S , win S ) , ( win U , win U ) , ( z p , s ) , ( ¬ z p , s ) }
∪ { ( c yi , win U ) | ≤ i ≤ k }
∪ { ( c zi , win S ) | ≤ i ≤ p }

∆ may = { ( c xi , x i ) , ( c xi , ¬ x i ) | ≤ i ≤ n }
∪ { ( c yi , y i ) , ( c yi , ¬ y i ) | ≤ i ≤ k }
∪ { ( c zi , z i ) , ( c zi , ¬ z i ) | ≤ i ≤ p }
∪ { ( x i , win U ) , ( ¬ x i , win U ) | ≤ i ≤ n }
∪ { ( x ′ i , win U ) , ( ¬ x ′ i , win U ) | ≤ i ≤ n }
∪ { ( s, x ′ ) , ( s, ¬ x ′ ) }

λ ( t ) = { t } for every state t , and the initial state is init = c x .

We consider the formula

ϕ = ( ¬ ϕ SAT ∧ ϕ checkSat ∧ AG ¬ win U ) ∨ ( EF win S ∧ AG ¬ win U ) ∨ ϕ checkUnsat

with

ϕ checkSat = AG ( ⋀_{i=1}^{k} AX ( y i ) ∨ AX ( ¬ y i )) ∧ ( ⋀_{i=1}^{k} ( EX n +2 i − ) EX ⊤ )
ϕ checkUnsat = EF ( ⋁_{i=1}^{p} EX ( z i ) ∧ EX ( ¬ z i )) ∨ ⋁_{i=1}^{p} ( EX n +2 k +2 i − ) AX ⊥

and ϕ SAT is ψ where every x i , y i , z i has been replaced by respectively EF x i , EF y i and EF z i , and every ¬ x i , ¬ y i , ¬ z i by respectively AG ¬ x i , AG ¬ y i , AG ¬ z i . This construction can be done in logarithmic space. The formulas ϕ checkSat and ϕ checkUnsat ensure that the players never allow transitions to both or neither variables from a c xi , c yi or c zi state.

Suppose there exists T such that Sat wins with T ∪ { s } but loses with T . As all x i , ¬ x i , x ′ i , ¬ x ′ i have a may transition to win U , there has to be either a path from c x to c y in T , or a path in T from c x to some x i or ¬ x i , from there a transition to some x ′ i or ¬ x ′ i , and a path in T from there to win S , otherwise Unsat wins both games. In the second case, Sat wins without s , thus we have to be in the first case. In particular for every x i ∈ T , x ′ i ∉ T and for every ¬ x i ∈ T , ¬ x ′ i ∉ T .

As a result, there has to be a path in M (using may and must transitions) to all c xi , c yi , c zi from c x . In order for the games with T and T ∪ { s } to have different winners, every c yi has to be in T (as they have a may transition to win U ) and similarly every c zi has to not be in T . The formulas ϕ checkSat and ϕ checkUnsat force both players to pick exactly one outgoing transition from each c xi , c yi , c zi .

Now observe that the choice of transitions from s has no impact on the satisfaction of ¬ ϕ SAT , ϕ checkSat , AG ¬ win U or ϕ checkUnsat . As Unsat has a winning strategy when Sat only has T , this same strategy will ensure that Sat can only win by satisfying EF win S ∧ AG ¬ win U in the game with T ∪ { s } .

In order to satisfy EF win S ∧ AG ¬ win U , there has to be a path in T from s to win S . As a result, at least one of x ′ i , ¬ x ′ i has to be in T . As we have seen before, for every x i ∈ T , x ′ i ∉ T and for every ¬ x i ∈ T , ¬ x ′ i ∉ T , thus at most one of x i , ¬ x i can be in T for all ≤ i ≤ n . Further, we have seen that at least one of x i , ¬ x i has to be in T .

As a result, the set of x i in T with ≤ i ≤ n matches a valuation ν of x , · · · , x n . Let ν be a valuation of y , · · · , y k , suppose Sat picks transitions matching ν from the c yi . As Unsat wins the game in which Sat owns only T , and as the satisfaction of both ϕ checkSat and AG ¬ win U is guaranteed by the strategy of Sat , the only possibility is that ¬ ϕ SAT is not satisfied, which Unsat can only achieve by picking transitions matching a valuation ν of z , · · · , z p such that the combination of ν , ν and ν satisfies ϕ . As a result, the ∃∀∃ SAT instance is true.

Now for the converse, suppose there exists a valuation ν such that for all ν , there exists ν such that their combination satisfies ψ . Let T be such that T ∩ { x , . . . , x n , ¬ x , . . . , ¬ x n } and T ∩ { x ′ , . . . , x ′ n , ¬ x ′ , . . . , ¬ x n } both match ν , T contains every c xi and c yi but does not contain c zi for any ≤ i ≤ p .

Let us first look at the game in which Sat has states T ∪ { s } . As one of { x i , ¬ x i } belongs to T for all ≤ i ≤ n , Sat can choose transitions so that there is a path from c to c n + k +1 , and a transition from s to win S .

If Unsat gives no outgoing transition to one of the c i with n + k + 1 ≤ i ≤ n + k + p , then ϕ checkUnsat is satisfied, thus so is ϕ . As a result, there is a path from c n + k +1 to either win S or s , and thus also win S . Hence ϕ is satisfied in every case, Sat wins that game.

Now let us study the game in which Sat only owns T . No matter which strategy Sat chooses, Unsat can guarantee that EF win S ∧ AG ¬ win U is not satisfied by allowing the transition to win U from every x i , ¬ x i , x ′ i , ¬ x ′ i it owns, and not allowing any transition from s . This way, all paths to win S go through states with a transition towards win U . Unsat can also ensure that ϕ checkUnsat is not satisfied by picking transitions matching some valuation from the c i he owns.

Assume Sat has a winning strategy to ensure that ϕ checkSat ∧ ϕ checkSat ∧ AG ¬ win U is satisfied. As ϕ checkSat and AG ¬ win U are satisfied, the choices of transitions of Sat from the c i have to match ν and a valuation ν of { x n +1 , · · · , x n + k } . There exists a valuation ν of { x n + k +1 , . . . , x n + k + p } such that the combination of ν , ν and ν satisfies ψ . Then if Unsat chooses transitions from the c i he owns matching ν , ¬ ϕ SAT is not satisfied by the resulting structure, contradicting the existence of a winning strategy for Sat .

We have proven the proposition.
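The two-turn game behind Propositions V.2 and V.3 can be run by brute force on a small instance; the following is an added example, not code from the paper. It assumes a constructed five-state MTS, treats every state as its own partition component, fixes the specification to EF win_S ∧ AG ¬win_U (checked by reachability rather than a general CTL model checker), and computes importance as a Shapley value by counting orderings.

```python
from fractions import Fraction
from itertools import chain, combinations, permutations, product

# Constructed five-state MTS (not from the paper). Must-transitions are always
# present; each may-transition is kept or dropped by the owner of its source.
STATES = frozenset({"c", "a", "b", "win_S", "win_U"})
MUST = {("a", "win_S"), ("b", "win_S"), ("win_S", "win_S"), ("win_U", "win_U")}
MAY = {("c", "a"), ("c", "b"), ("a", "win_U"), ("b", "win_U")}
INIT = "c"

def subsets(items):
    items = sorted(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))

def strategies(owned):
    """Every pure strategy: one subset of outgoing may-transitions per owned state."""
    per_state = [list(subsets(t for t in MAY if t[0] == s)) for s in sorted(owned)]
    for choice in product(*per_state):
        yield {t for kept in choice for t in kept}

def spec_holds(edges):
    """EF win_S and AG not win_U at INIT, decided by plain reachability."""
    seen, todo = {INIT}, [INIT]
    while todo:
        u = todo.pop()
        for src, dst in edges:
            if src == u and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return "win_S" in seen and "win_U" not in seen

def sat_wins(team):
    """Value problem: some Sat strategy beats every Unsat strategy."""
    team = frozenset(team)
    return any(all(spec_holds(MUST | s | u) for u in strategies(STATES - team))
               for s in strategies(team))

def critical_teams(state):
    """Usefulness witnesses: teams T that lose alone but win as T + {state}."""
    return [set(t) for t in subsets(STATES - {state})
            if sat_wins(set(t) | {state}) and not sat_wins(t)]

def importance(state):
    """Share of orderings in which the states placed after `state` form a critical team."""
    orders = list(permutations(sorted(STATES)))
    hits = 0
    for order in orders:
        after = set(order[order.index(state) + 1:])
        hits += sat_wins(after | {state}) and not sat_wins(after)
    return Fraction(hits, len(orders))

if __name__ == "__main__":
    for s in sorted(STATES):
        print(s, len(critical_teams(s)), importance(s))
```

States without outgoing may-transitions (win_S and win_U here) get importance 0, and the importances of all states sum to 1 because Sat wins when it owns everything and loses when it owns nothing.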
Proof of Theorem V.4
The importance computation problem associated to definition V.1 is Σ P -complete.

Proof. The upper bound is easily obtained by considering the machine which guesses an ordering π of the elements of the partition V , . . . , V n , computes the set J of indices appearing after s in π , and then calls a Σ P oracle twice to determine the winner when Sat owns ⋃_{j ∈ J} V j and when Sat owns ⋃_{j ∈ J ∪ { i }} V j . The number of accepting runs of the machine is then precisely the number of permutations π matching the above condition.

Now for the lower bound, we proceed in two steps. First we show that the following problem is Σ P -complete.

Count ∃∀∃ SAT
Input: A SAT formula ψ over variables { x , . . . , x n , y , . . . , y m , z , . . . , z r } .
Output: The number of valuations of the x i such that for all valuations of the y i there exists a valuation of the z i such that the combination of those valuations satisfies ψ.

Then we show that the importance computation problem reduces to Count ∃∀∃ SAT.

For the first part, let M be a nondeterministic Turing machine with an oracle solving a Σ P -complete problem (say ∃∀ SAT). We can assume without loss of generality that M only makes one query to the oracle, and accepts if and only if the answer is negative.

Indeed, say M has to make queries ψ , . . . , ψ k to the oracle, all over existential variables y , . . . , y m and universal variables z , . . . , z r . It can nondeterministically guess the answers of the oracle and delay the verification to the end of the run.

Now let us define the order ≤ on valuations of the existential variables as the lexicographic order, a valuation ν being seen as the tuple ( ν ( y ) , . . . , ν ( y m )) and with the convention ⊥ ≤ ⊤ . Then for the positive answers M can guess a minimal witness valuation for the y i with respect to ≤ , negate the formula. The problem, given a ∃∀ SAT instance and a valuation of the existential variables, of checking whether this is the minimal valuation witnessing the satisfiability of the formula, is clearly in coNP, thus also in Π P . As a result M can guess the minimal valuation of the y i witnessing the satisfiability of the formula, and then turn it into a ∃∀ SAT formula unsatisfiable if and only if the guess is correct.

Finally, in the end M has to make the oracle check a disjunction of ∃∀ formulas, it can rename variables in order to merge them all into one equivalent ∃∀ formula, and accept if and only if the oracle rejects that formula.

In all the above transformations, the number of accepting runs of the machine stays the same as the non-deterministic transitions we added (in order to guess minimal valuations witnessing satisfiability of ∃∀ SAT formulas) yield at most one accepting run (as the existence of such a valuation is equivalent to the existence of a single minimal one).

An adaptation of the classical construction proving that ∃∀ SAT is Σ P -complete allows us to construct in polynomial time, given an input w for M , a formula ϕ (( x i ) , ( q i ) , ( s i )) such that the following conditions are equivalent for all valuations ν of the x i , q i and s i :
• ν satisfies ϕ (( x i ) , ( q i ) , ( s i ))
• the ν ( x i ) encode a sequence of non-deterministic choices of M , the ν ( s i ) encode a correct run of M following those choices, and the ν ( q i ) encode the query made to the oracle at the end of this run

We can also construct in polynomial time a formula ϕ (( y i ) ≤ i ≤ m , ( z i ) ≤ i ≤ r , ( q i ) ≤ i ≤ p , ( u i ) ≤ i ≤ k ) simulating the oracle such that a valuation of the q i satisfies ∃ ( y i ) , ∀ ( z i ) , ϕ (( y i ) , ( z i ) , ( q i ) , ( u i )) if and only if the q i encode a valid instance of ∃∀ SAT. As a result the formula

∀ ( y i ) , ∃ ( z i ) , ( x i ) , ( q i ) , ϕ (( x i ) , ( q i ) , ( s i ) ∧ ϕ (( y i ) , ( z i ) , ( q i ) , ( u i ))

is satisfied by a valuation of the x i if and only if M has a run accepting w following the choices encoded by this valuation. Thus the number of accepting runs of M is precisely the number of valuations of the s i witnessing the validity of

∃ ( x i ) , ∀ ( y i ) , ∃ ( z i ) , ( s i ) , ( q i ) , ϕ (( x i ) , ( q i ) , ( s i ) ∧ ϕ (( y i ) , ( z i ) , ( q i ) , ( u i )

The problem Count ∃∀∃ SAT is therefore Σ P -hard.

Finally, Count ∃∀∃ SAT can be reduced to the importance computation problem for 2-turn CTL using the same construction as in the proof of Proposition V.3. Note that the x i , ¬ x i for all n + 1 ≤ i ≤ n + k + p , as well as win S , win U , all have no outgoing may transitions, thus have importance and thus, by a similar argument as in Lemma III.5, can be ignored in the computation of the importance. We will now only consider sets of states containing none of those. Then one can observe that the teams T allowing player Sat to win with T ∪ { s } but not with T are exactly the teams T such that
• T contains all the c i for ≤ n + k and no other c i .
• T ∩ { x i , ¬ x i | ≤ i ≤ n } and T ∩ { x ′ i , ¬ x ′ i | ≤ i ≤ n } match the same valuation ν witnessing the validity of the ∃∀∃ SAT formula.

Then we have that all the teams T such that ( s, T ) is critical (and containing none of the aforementioned states with importance ) have the same size M .

We obtain that the number of valuations witnessing the validity of the ∃∀∃ SAT formula is P ! N ! M !( P − M − N ! I ( s ) , with N the number of states in the constructed MTS and P the number of states minus the x i , ¬ x i for n + 1 ≤ i ≤ n + k + p , s , win U and win S . Hence we have a reduction from Counting ∃∀∃ to the importance problem for 2-turn CTL. As P ! N ! M !( P − M − can be computed in polynomial time, the latter problem is Σ P2