On Computational Tractability for Rational Verification
Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence (IJCAI-19)

Julian Gutierrez¹, Muhammad Najib¹, Giuseppe Perelli², Michael Wooldridge¹
¹Department of Computer Science, University of Oxford, UK
²Department of Informatics, University of Leicester, UK
{julian.gutierrez, mnajib, michael.wooldridge}@cs.ox.ac.uk, giuseppe.perelli@leicester.ac.uk

Abstract

Rational verification involves checking which temporal logic properties hold of a concurrent/multiagent system, under the assumption that agents in the system choose strategies in game theoretic equilibrium. Rational verification can be understood as a counterpart of model checking for multiagent systems, but while model checking can be done in polynomial time for some temporal logic specification languages such as CTL, and polynomial space with LTL specifications, rational verification is much more intractable: 2EXPTIME-complete with LTL specifications, even when using explicit-state system representations. In this paper we show that the complexity of rational verification can be greatly reduced by restricting specifications to GR(1), a fragment of LTL that can represent most response properties of reactive systems. We also provide improved complexity results for rational verification when considering players’ goals given by mean-payoff utility functions—arguably the most widely used quantitative objective for agents in concurrent and multiagent systems. In particular, we show that for a number of relevant settings, rational verification can be done in polynomial space or even in polynomial time.

1 Introduction

The formal verification of systems using temporal logics such as LTL and CTL [Emerson, 1990] is a major research area, which has led to the development of an impressive number of industrial-strength verification tools and techniques. Arguably the most successful technique within formal verification is model checking, which can be done in polynomial space for LTL specifications and even in polynomial time for CTL specifications [Clarke et al., 2018]. In the context of multiagent systems, rational verification forms a natural counterpart of model checking [Gutierrez et al., 2015b; Wooldridge et al., 2016; Gutierrez et al., 2017a]. This is the problem of checking whether a given property $\varphi$, expressed as a temporal logic formula, is satisfied in a computation of a system that might be generated if agents within the system choose strategies for selecting actions that form a game-theoretic (e.g., Nash) equilibrium. Unlike model checking, rational verification is still in its infancy: the main ideas, formal models, and reasoning techniques underlying rational verification are under development, while current tool support is limited and cannot yet handle systems of industrial size [Toumi et al., 2015; Gutierrez et al., 2018a].

One key difficulty is that rational verification is computationally much harder than model checking, because checking equilibrium properties requires quantifying over the strategies available to players in the system. Rational verification is also different from model checking in the kinds of properties that each technique tries to check: while model checking is interested in correctness with respect to any possible behaviour of a system, rational verification is interested only in behaviours that can be sustained by a Nash equilibrium, when a multiagent system is modelled as a multi-player game. This, in particular, adds a new ingredient to the verification problem, as it is now necessary to take into account the preferences of players with respect to the possible runs of the system. Typically, in rational verification, such preferences are given by associating an LTL goal $\gamma_i$ with each player $i$ in the game. In this case, rational verification with respect to a specification $\varphi$ is 2EXPTIME-complete, regardless of whether the representation of the system is given succinctly [Gutierrez et al., 2017a; Gutierrez et al., 2015b] or explicitly simply as a finite-state labelled transition graph [Gutierrez et al., 2015a].

In this paper, we address this issue and provide complexity results that greatly improve on the 2EXPTIME-complete result of the general case. In particular, we consider games where the goals of players are represented as either GR(1) formulae (an important fragment of LTL that can express most response properties of a concurrent and reactive system [Bloem et al., 2012]), or mean-payoff utility functions (one of the most studied reward and quality measures used in games for automated formal verification). In each case, we study the rational verification problem for system specifications $\varphi$ given as GR(1) formulae and as LTL formulae, with respect to system models that are formally represented as concurrent game structures [Alur et al., 2002].

Our main results, summarised in Table 1, show that in the cases above mentioned, the 2EXPTIME result can be dramatically improved, to settings where rational verification can be solved in polynomial space, NP, or even in polynomial time if the number of players in the game is assumed to be fixed.
Players’ goals | Specification | E-NASH
LTL | LTL | 2EXPTIME-complete
GR(1) | LTL | PSPACE-complete (Corollary 1)
GR(1) | GR(1) | FPT (Theorem 3)
mp | LTL | PSPACE-complete (Corollary 2)
mp | GR(1) | NP-complete (Theorem 5)

Table 1: Summary of main complexity results.

Related Work: Rational verification has been studied for a number of settings, including iterated Boolean games, reactive modules games, and concurrent game structures [Gutierrez et al., 2015b; Gutierrez et al., 2017a; Gutierrez et al., 2015a; Gutierrez et al., 2017b]. In all cases, the problem is 2EXPTIME-complete. Rational verification is also closely related to rational synthesis, which is also 2EXPTIME-complete both in the Boolean case [Fisman et al., 2010] and with rational environments [Kupferman et al., 2016]. All of the above cases only consider perfect information. In settings with imperfect information, the problem has been shown to be undecidable both for games with succinct and explicit model representations [Gutierrez et al., 2018b; Filiot et al., 2018].

Our work also relates to LTL and mean-payoff (mp) games at large. While the former are already 2EXPTIME-complete even for two-player games (and in fact already 2EXPTIME-hard for many LTL fragments [Alur and La Torre, 2004]), the latter are NP-complete for multi-player games [Ummels and Wojtczak, 2011] and in NP $\cap$ coNP for two-player games [Zwick and Paterson, 1996], and in fact solvable in quasipolynomial time since they can be reduced to two-player perfect-information parity games [Calude et al., 2017].

2 Preliminaries

Linear Temporal Logic. LTL extends propositional logic with two operators, $\mathbf{X}$ (“next”) and $\mathbf{U}$ (“until”), for expressing properties of paths [Pnueli, 1977; Emerson, 1990]. The syntax of LTL is defined with respect to a set AP of atomic propositions as follows:

$$\varphi ::= \top \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid \mathbf{X}\varphi \mid \varphi \,\mathbf{U}\, \varphi$$

where $p \in \mathrm{AP}$. As usual, we define $\varphi_1 \wedge \varphi_2 \equiv \neg(\neg\varphi_1 \vee \neg\varphi_2)$, $\varphi_1 \to \varphi_2 \equiv \neg\varphi_1 \vee \varphi_2$, $\mathbf{F}\varphi \equiv \top \,\mathbf{U}\, \varphi$, and $\mathbf{G}\varphi \equiv \neg\mathbf{F}\neg\varphi$. We interpret LTL formulae with respect to pairs $(\alpha, t)$, where $\alpha \in (2^{\mathrm{AP}})^\omega$ is an infinite sequence of sets of atomic propositions that indicates which propositional variables are true in every time point and $t \in \mathbb{N}$ is a temporal index into $\alpha$. Formally, the semantics of LTL is given by the following rules:

$(\alpha, t) \models \top$
$(\alpha, t) \models p$ iff $p \in \alpha_t$
$(\alpha, t) \models \neg\varphi$ iff it is not the case that $(\alpha, t) \models \varphi$
$(\alpha, t) \models \varphi \vee \psi$ iff $(\alpha, t) \models \varphi$ or $(\alpha, t) \models \psi$

If $(\alpha, 0) \models \varphi$, we write $\alpha \models \varphi$ and say that $\alpha$ satisfies $\varphi$.

General Reactivity of rank 1. The language of General Reactivity of rank 1, denoted GR(1), is the fragment of LTL of formulae written in the following form [Bloem et al., 2012]:

$$(\mathbf{GF}\psi_1 \wedge \ldots \wedge \mathbf{GF}\psi_m) \to (\mathbf{GF}\varphi_1 \wedge \ldots \wedge \mathbf{GF}\varphi_n),$$

where each subformula $\psi_i$ and $\varphi_i$ is a Boolean combination of atomic propositions.

Mean-Payoff value. For an infinite sequence $\beta \in \mathbb{R}^\omega$ of real numbers, let $\mathrm{mp}(\beta)$ be the mean-payoff value of $\beta$, that is,

$$\mathrm{mp}(\beta) = \liminf_{n \to \infty} \mathrm{avg}_n(\beta)$$

where, for $n \in \mathbb{N}$, we define $\mathrm{avg}_n(\beta) = \frac{1}{n} \sum_{j=0}^{n-1} \beta_j$.

Arenas. An arena is a tuple

$$A = \langle \mathrm{N}, Ac, St, s_0, tr, \lambda \rangle$$

where $\mathrm{N}$, $Ac$, and $St$ are finite non-empty sets of players (write $N = |\mathrm{N}|$), actions, and states, respectively; $s_0 \in St$ is the initial state; $tr : St \times \vec{Ac} \to St$ is a transition function mapping each pair consisting of a state $s \in St$ and an action profile $\vec{a} \in \vec{Ac} = Ac^N$, one for each player, to a successor state; and $\lambda : St \to 2^{\mathrm{AP}}$ is a labelling function, mapping every state to a subset of atomic propositions.

We sometimes call an action profile $\vec{a} = (a_1, \ldots, a_n) \in \vec{Ac}$ a decision, and denote $a_i$ the action taken by player $i$. We also consider partial decisions. For a set of players $C \subseteq \mathrm{N}$ and action profile $\vec{a}$, we let $\vec{a}_C$ and $\vec{a}_{-C}$ be two tuples of actions, respectively, one for all players in $C$ and one for all players in $\mathrm{N} \setminus C$. We also write $\vec{a}_i$ for $\vec{a}_{\{i\}}$ and $\vec{a}_{-i}$ for $\vec{a}_{\mathrm{N} \setminus \{i\}}$. For two decisions $\vec{a}$ and $\vec{a}'$, we write $(\vec{a}_C, \vec{a}'_{-C})$ to denote the decision where the actions for players in $C$ are taken from $\vec{a}$ and the actions for players in $\mathrm{N} \setminus C$ are taken from $\vec{a}'$.

A path $\pi = (s_0, \vec{a}^0), (s_1, \vec{a}^1) \cdots$ is an infinite sequence in $(St \times \vec{Ac})^\omega$ such that $tr(s_k, \vec{a}^k) = s_{k+1}$ for all $k$. Paths are generated in the arena by each player $i$ selecting a strategy $\sigma_i$ that will define how to make choices over time. We model strategies as finite state machines with output. Formally, for arena $A$, a strategy $\sigma_i = (Q_i, q_i^0, \delta_i, \tau_i)$ for player $i$ is a finite state machine with output (a transducer), where $Q_i$ is a finite and non-empty set of internal states, $q_i^0$ is the initial state, $\delta_i : Q_i \times \vec{Ac} \to Q_i$ is a deterministic internal transition function, and $\tau_i : Q_i \to Ac_i$ an action function, $Ac_i \subseteq Ac$ for all $i \in \mathrm{N}$.
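
The definitions of arenas, transducer strategies and GR(1) can be exercised together. As an added example (not code from the paper), the Python code below runs a strategy profile in a small constructed two-player arena, extracts the ultimately periodic path it generates, and evaluates a GR(1) formula on that path. The arena, labels, strategies and helper names are all assumptions made for illustration, and no equilibrium check is performed.

```python
# Added illustration; arena, labels and strategies are constructed sample data.
LABEL = {"idle": set(), "g1": {"grant1"}, "g2": {"grant2"}}  # lambda: St -> 2^AP

def tr(s, a):
    """Transition function tr: St x Ac^N -> St; a sole requester gets the grant."""
    if a == ("req", "wait"):
        return "g1"
    if a == ("wait", "req"):
        return "g2"
    return "idle"

def flip(q, a):   # delta_i of the alternating strategies: toggle memory each round
    return 1 - q
def stay(q, a):   # delta_i of the one-state greedy strategy
    return q

# A strategy sigma_i is (q_i^0, delta_i, tau_i); Q_i is the key set of tau_i.
ALT1 = (0, flip, {0: "req", 1: "wait"})
ALT2 = (0, flip, {0: "wait", 1: "req"})
GREEDY = (0, stay, {0: "req"})

def play(s0, tr, profile):
    """Return (prefix, loop) of states on the unique path the profile generates."""
    s, qs = s0, tuple(q0 for q0, _, _ in profile)
    seen, states = {}, []
    while (s, qs) not in seen:          # finitely many (state, memory) configurations
        seen[(s, qs)] = len(states)
        states.append(s)
        a = tuple(tau[q] for (_, _, tau), q in zip(profile, qs))
        qs = tuple(delta(q, a) for (_, delta, _), q in zip(profile, qs))
        s = tr(s, a)
    k = seen[(s, qs)]                   # index at which the cycle starts
    return states[:k], states[k:]

def holds_gr1(loop, assumptions, guarantees):
    """(GF psi_1 & ... & GF psi_m) -> (GF phi_1 & ... & GF phi_n) on a lasso path."""
    def gf(pred):                       # GF holds iff pred holds somewhere in the loop
        return any(pred(LABEL[s]) for s in loop)
    return not all(gf(p) for p in assumptions) or all(gf(p) for p in guarantees)

def has(p):
    return lambda label: p in label

FAIR = [has("grant1"), has("grant2")]   # guarantees: GF grant1 & GF grant2

if __name__ == "__main__":
    for name, prof in (("alternating", [ALT1, ALT2]), ("greedy", [GREEDY, GREEDY])):
        prefix, loop = play("idle", tr, prof)
        print(name, prefix, loop, holds_gr1(loop, [], FAIR))
```

Because every strategy is a deterministic finite-state machine and the arena is finite, the joint configuration must repeat, so only the loop part of the path matters for a $\mathbf{GF}$ subformula.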