
Admissible Strategies in Timed Games

TLDR
It is shown that admissible strategies may not exist in timed games with a continuous semantics of time, even for safety objectives, and symbolic algorithms are provided to solve the model-checking problem under admissibility and the assume-admissible synthesis problem for real-time non-zero sum n-player games for safety objectives.
Abstract
In this paper, we study the notion of admissibility in timed games. First, we show that admissible strategies may not exist in timed games with a continuous semantics of time, even for safety objectives. Second, we show that the discrete time semantics of timed games is better behaved w.r.t. admissibility: the existence of admissible strategies is guaranteed in that semantics. Third, we provide symbolic algorithms to solve the model-checking problem under admissibility and the assume-admissible synthesis problem for real-time non-zero sum n-player games for safety objectives.


HAL Id: hal-01515874
https://hal.archives-ouvertes.fr/hal-01515874
Submitted on 28 Apr 2017
Admissible Strategies in Timed Games
Nicolas Basset, Jean-François Raskin, Ocan Sankur
To cite this version:
Nicolas Basset, Jean-François Raskin, Ocan Sankur. Admissible Strategies in Timed Games. Models,
Algorithms, Logics and Tools., Jul 2017, Aalborg, Denmark. pp.403-425. ⟨hal-01515874⟩

Admissible Strategies in Timed Games
Nicolas Basset (1), Jean-François Raskin (1), and Ocan Sankur (2)
(1) Université libre de Bruxelles, Brussels, Belgium, {nbasset, jraskin}@ulb.ac.be
(2) CNRS, IRISA, Rennes, France, ocan.sankur@irisa.fr
1 Introduction
An embedded controller is a reactive system that maintains a continuous interaction with its environment and has the objective to enforce outcomes, from this interaction, that satisfy some good properties. As the actions taken by the environment in this interaction are out of the direct control of the controller, those actions should be considered as adversarial. Indeed, a controller should be correct no matter how the environment in which it operates behaves. As reactive systems most often exhibit characteristics such as real-time constraints, concurrency, or parallelism, which make them difficult to develop correctly, formal techniques have been advocated to help with their systematic design. One well-studied formal technique is model checking [3], which compares a model of a system with its specification. Model checking either provides a proof of correctness of the model of the controller within its environment or provides a counter-example that can be used to improve the design.
A scientifically more challenging technique is synthesis, which uses algorithms that transform the specification of a reactive system and a model of its environment into a correct system, i.e., a system that enforces the specification no matter how the environment behaves. Synthesis can take different forms: from computing optimal values of parameters to the full-blown automatic synthesis of a model of the system's components. Despite this diversity, one mathematical model has emerged to perform synthesis for reactive systems: two-player zero-sum games played on graphs; and the main solution concept for those games is the notion of winning strategy. Zero-sum timed games played on timed automata (defined by [1]) have been introduced in [27] as a formal model for the synthesis of reactive systems with timed specifications. A practical algorithm for the problem was first presented in [17] and implemented in the tool Uppaal-Tiga [5].
Timed games, as defined in [27] and in almost all subsequent works, see e.g. [2, 17, 15, 16], are zero-sum games. In zero-sum games, the environment is considered as fully antagonistic. The zero-sum game abstraction is often used because it is simple and sound: a winning strategy against an antagonistic environment is winning against any environment including obviously those that strive to secure their own objective. But, in general the zero-sum hypothesis is a bold abstraction of reality: most often the environment has its own objective which, in general, does not correspond to that of falsifying the specification of the controller. Then, it should be clear that the zero-sum approach may fail to find a winning strategy even if solutions exist when the objective of the environment is taken into account, or it may produce sub-optimal solutions because those solutions are overcautious in order to be able to face all possible behaviors of the environment, even if they are in contradiction with the environment's objectives. Recently, several new solution concepts for synthesis of reactive systems that take the objectives of the environment into account, and so relax the fully adversarial assumption, have been introduced [10]. One approach that is particularly promising is based on the notion of admissible strategies [7, 23, 13, 12, 11].

Footnote: This work was partially supported by the ERC Starting grant 279499 (inVEST), the ARC project “Non-Zero Sum Game Graphs: Applications to Reactive Synthesis and Beyond” (Fédération Wallonie-Bruxelles, J.-F. Raskin is Professeur Francqui de Recherche.

Assume Admissible Synthesis. In [12], we have introduced a new synthesis rule based on admissibility in the general case of n-player multiplayer games. This synthesis rule can be summarized as follows. For a player with objective φ, a strategy σ is dominated by σ′ if σ′ does as well as σ w.r.t. φ against all strategies of the other players, and better for some of those strategies. A strategy σ is admissible if it is not dominated by another strategy. Starting from the fact that only admissible strategies should be played by rational players (dominated strategies being clearly sub-optimal options), when synthesizing a controller, we search for an admissible strategy that is winning against all admissible strategies of the environment. Assume admissible synthesis is sound: if all players choose admissible strategies that are winning against all admissible strategies of the other players, the objectives of all players are guaranteed to be satisfied.
Assume Admissible Timed Synthesis. In the classical setting of game graphs with ω-regular
objectives, admissibility is well behaved: admissible strategies always exist in perfect information
n-player game graphs with ω-regular objectives, both for turn-based games [7, 23, 13] and for
concurrent games [4]. By contrast, in this paper, we show that, in the continuous time semantics,
players in a timed game are not guaranteed to have admissible strategies. This is because in
some timed games there may not exist an optimal time to play. This is the case for example if
a player has to play as soon as possible but strictly after a given deadline. We exhibit concrete
games with this property. We also show that those problems are an artefact of the continuous
time semantics. In contrast, in the discrete-time semantics of timed games, admissible strategies
always exist.
To obtain our results in the discrete-time semantics we provide a reduction to finite concurrent
games with an additional player that arbitrates situations in which several players propose to
play at the exact same time. While the reduction to finite concurrent games is adequate to
obtain theoretical results, it is not practical. This is why we define symbolic algorithms based
on zones to solve the model-checking under admissible strategies and the assume admissible
synthesis problem for safety objectives. To obtain those symbolic algorithms, we show how to
use (continuous) timed zones to represent efficiently sets of discrete time valuations. We believe
that those results are also interesting on their own. Note that it is possible to solve discrete-time
games by enumerative techniques [25]; however, our algorithms require representing complex
sets of states, so being able to solve a given game is not sufficient, and we do need some form of
succinct representation.
Other related works. Related works on zero-sum timed games have been given above. To the
best of our knowledge, our work is the first to deal with admissibility for timed games. In this
paragraph we discuss several works related to admissibility in (untimed) games.
Other works in the literature propose the use of Nash equilibria (NE) in n-player non-zero sum games to model variants of the reactive synthesis problem. Most notably, assume-guarantee synthesis, based on secure equilibria [19] (refining Nash equilibria), has been proposed in [18], while cooperative rational synthesis has been proposed in [24], and non-cooperative rational synthesis in [26]. In the context of infinite duration games played on graphs, one well known limitation of Nash equilibria is the existence of non-credible threats. Refinements of the notion of NE, like sub-game perfect equilibria (SPE), have been proposed to overcome this limitation. SPE for games played on graphs have been studied in e.g. [29, 14]. Admissibility does not suffer from this limitation. In [23], Faella proposes several alternatives to the notion of winning strategy including the notion of admissible strategy. His work is for two players but only the objective of one player is taken into account, the objective of the other player is left unspecified. In that work, the notion of admissibility is used to define a notion of best-effort in synthesis. The notion of admissible strategy is definable in strategy logics [20, 28] and decision problems related to the assume-admissible rule can be reduced to satisfiability queries in such logics. This reduction does not lead to worst-case optimal algorithms; we presented worst-case optimal algorithms in [21] based on our previous work [13].
The only works that we are aware of and that consider non-zero sum timed games are the
following two papers [8, 9] that study decision problems related to the concept of Nash equilibria
and not to the concept of admissibility.
2 Admissibility in Concurrent Games
Let $P = \{1, 2, \ldots, n\}$ denote a set of players. A concurrent game played by players $P$ is a tuple $G = (S, s_{init}, \Sigma, (M_i)_{i \in P}, \delta)$ where,
- $S$ is a set of states, and $s_{init} \in S$ the initial state;
- $\Sigma$ is a set of moves;
- For all $i \in P$, $M_i : S \to 2^{\Sigma} \setminus \{\emptyset\}$ assigns to every state $s \in S$ and player $i$ the set of available moves from state $s$.
- $\delta : S \times \Sigma \times \ldots \times \Sigma \to S$ is the transition function.
The game is called finite if $S$ and $\Sigma$ are finite. We write $M(s) = M_1(s) \times \ldots \times M_n(s)$ for every $s \in S$. A history is a finite path $h = s_1 s_2 \ldots s_N \in S^*$ such that (i) $N \in \mathbb{N}$; (ii) $s_1 = s_{init}$; and (iii) for every $2 \le k \le N$, there exists $(a_1, \ldots, a_n) \in M(s_{k-1})$ with $s_k = \delta(s_{k-1}, a_1, \ldots, a_n)$. A run is defined similarly as a history except that its length is infinite. For a history or a run $\rho$, let us denote its $i$-th state by $\rho_i$. The game is played from the initial state $s_{init}$ for an infinite number of rounds, producing a run. At each round $k \ge 1$, with current state $s_k$, all players $i$ select simultaneously moves $a_i \in M_i(s_k)$, and the state $\delta(s_k, a_1, \ldots, a_n)$ is appended to the current history.
It is often convenient to consider a player $i$ separately and see the set of other players $P \setminus \{i\}$ as a single player denoted $-i$. Hence, the set of moves of $-i$ in state $s$ is $M_{-i}(s) = \prod_{j \in P \setminus \{i\}} M_j(s)$.
An objective $\phi$ is a subset of runs of the game. We assume that concurrent games are equipped with a function $\Phi$ mapping all players $i \in P$ to an objective $\Phi(i)$. Thus, a run $\rho$ is winning for player $i$ iff $\rho \in \Phi(i)$. An objective $\phi \subseteq S^{\omega}$ is a simple safety objective if there exists $B \subseteq S$ such that $\rho \in \phi$ if, and only if $\forall j, \rho_j \notin B$; and for all $s \in B$ and $m \in M(s)$, $\delta(s, m) \in B$. In other terms, once $B$ is reached, the play never leaves $B$. The set $B$ is informally called bad states for the objective $\phi$. Note that contrary to general safety objectives, simple safety objectives are prefix independent. Also, any safety objective can be turned into a simple safety objective by modifying the underlying concurrent game. Games equipped with simple safety objectives are called simple safety games.
A strategy for player $i$ is a function $\sigma$ from histories to moves of player $i$ such that for all histories $h$: $\sigma(h) \in M_i(s)$ where $s$ is the last state of $h$. We denote by $\Gamma_i(G)$ the set of player $i$'s strategies in the game; we might omit $G$ if it is clear from context. A strategy profile $\sigma$ for a subset $A \subseteq P$ of players is a tuple $(\sigma_i)_{i \in A}$ with $\sigma_i \in \Gamma_i$ for all $i \in A$. When the set of players $A$ is omitted, we assume $A = P$. Let $\sigma = (\sigma_i)_{i \in P}$ be a strategy profile. Then, for all players $i$, we let $\sigma_{-i}$ denote the restriction of $\sigma$ to $P \setminus \{i\}$ (hence, $\sigma_{-i}$ can be regarded as a strategy of player $-i$ that returns, for all histories $h$, a move from $M_{-i}(s)$ where $s$ is the last state of $h$). We denote by $\Gamma_{-i}$ the set $\{\sigma_{-i} \mid \sigma \in \Gamma\}$. We sometimes denote by $\sigma$ the pair $(\sigma_i, \sigma_{-i})$. For any history $h$, let $\sigma(h) = (\sigma_i(h))_{i \in A}$ and be the tuple of choices made by all players (when they play from $h$ according to $\sigma$) and the resulting state, respectively. We let $Out(\sigma)$ be the outcome of $\sigma$, i.e. the unique run $\rho = s_1 s_2 \cdots$ such that $s_k = \delta(s_{k-1}, \sigma(s_1 \cdots s_{k-1}))$.
Assume the game we consider has winning condition $\Phi$. Then, we say that $\sigma$ is winning for $i$, from $h$, written $\sigma \models_h \Phi(i)$, if $h$ is a prefix of $Out(\sigma)$ and $Out(\sigma) \in \Phi(i)$. We write $\sigma \models_h \Phi(i)$, if for every $\tau \in \Gamma_{-i}$ such that $h$ is a prefix of $Out((\sigma, \tau))$ it holds that $Out((\sigma, \tau)) \in \Phi(i)$.
Dominance and admissibility. Fix a game $G$ and a player $i$. Given two strategies $\sigma, \sigma' \in \Gamma_i$, we say that $\sigma$ is weakly dominated by $\sigma'$, denoted $\sigma \preccurlyeq \sigma'$ if for all $\sigma_{-i} \in \Gamma_{-i}$, $(\sigma, \sigma_{-i}) \models \Phi(i)$ implies $(\sigma', \sigma_{-i}) \models \Phi(i)$. Intuitively, this means that $\sigma'$ is not worse than $\sigma$, because it yields a winning outcome (for $i$) every time $\sigma$ does. When $\sigma \preccurlyeq \sigma'$ but $\sigma' \not\preccurlyeq \sigma$ we say that $\sigma$ is dominated by $\sigma'$. Note that $\sigma \prec \sigma'$ if and only if $\sigma \preccurlyeq \sigma'$ and there exists at least one $\sigma_{-i} \in \Gamma_{-i}$, such that $(\sigma, \sigma_{-i}) \not\models \Phi(i)$ and $(\sigma', \sigma_{-i}) \models \Phi(i)$. That is, $\sigma'$ is now strictly better than $\sigma$ because it yields a winning outcome for $i$ every time $\sigma$ does; but $i$ secures a winning outcome against at least one strategy of the other players by playing $\sigma'$ instead of $\sigma$. A strategy is called admissible if it is not dominated.
Theorem 1 ([4]). For every finite concurrent game, for all objectives, the set of admissible
strategies of each player is non-empty.
Now that we have defined a notion of dominance on strategies, let us turn our attention to a more local definition of dominance on moves. Let $h$ be a history. We say that a move $a \in M_i$ is $h$-dominated by another move $a' \in M_i$ iff for all $\sigma \in \Gamma_i$ s.t. $\sigma(h) = a$, there exists $\sigma' \in \Gamma_i$ s.t. $\sigma'(h) = a'$ and $\sigma \prec_h \sigma'$. We denote this by $a <_h a'$. If a move $a$ is not $h$-dominated by any move, we say that $a$ is $h$-admissible. This allows us to define a more local notion of dominated strategy: a strategy $\sigma$ of player $i$ is called locally-admissible (LA for short) if for every $h$, $\sigma(h)$ is an $h$-admissible move. By definition, all admissible strategies are also LA, but the converse only holds for simple safety games.
Theorem 2 ([4]). In concurrent finite simple safety games, a strategy is locally admissible if,
and only if it is admissible.
We close these preliminaries by explaining how to associate values to histories and moves. First, the value of history $h$ for player $i$ is defined as follows. $\chi^i_h = 1$ if $\exists \sigma_i \in \Gamma_i\ \forall \sigma_{-i} \in \Gamma_{-i}, (\sigma_i, \sigma_{-i}) \models_h \Phi(i)$; $\chi^i_h = -1$ if $\forall \sigma \in \Gamma, \sigma \not\models_h \Phi(i)$; and $\chi^i_h = 0$ otherwise.
So the intuition is that: (i) $\chi^i_h = 1$ iff $i$ has a winning strategy from $h$; (ii) $\chi^i_h = -1$ iff no outcome is winning for $i$ from $h$; and (iii) $\chi^i_h = 0$ when $i$ has no winning strategy from $h$ but can still win with the help of other players. Thus, $\chi^i_h = -1$ is stronger than saying that $i$ has no winning strategy from $h$, since, in this case, $i$ can never win, even with the help of other players. When the other players can help, we have rather $\chi^i_h = 0$, which means that there is some strategy $\sigma$ of $i$ such that there is a profile $\sigma$ with $\sigma_i = \sigma$ and $\sigma \models_h \Phi(i)$.
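In a finite simple safety game the bad set B is absorbing, so the value of a history depends only on its last state and the three values can be computed by two greatest fixpoints over states. The following Python code is an added example, not code from the paper; the function names and the six-state two-player game are constructed for illustration, and strategies are pure, as in the definitions above.

```python
from itertools import product

def joint_moves(moves, s):
    """All tuples (a_1, ..., a_n) in M(s) = M_1(s) x ... x M_n(s)."""
    return list(product(*moves[s]))

def greatest_fixpoint(states, bad, keep):
    """Largest W inside S minus B such that keep(s, W) holds for every s in W."""
    W = set(states) - set(bad)
    changed = True
    while changed:
        changed = False
        for s in sorted(W):
            if not keep(s, W):
                W.discard(s)
                changed = True
    return W

def history_values(states, moves, delta, bad, i):
    """Map each state s to chi in {1, 0, -1} for player i (0-based index)."""
    def can_force(s, W):
        # Some move a of player i keeps the play in W whatever the others do.
        return any(
            all(delta[(s, m)] in W for m in joint_moves(moves, s) if m[i] == a)
            for a in moves[s][i])

    def can_cooperate(s, W):
        # Some joint move of all players keeps the play in W.
        return any(delta[(s, m)] in W for m in joint_moves(moves, s))

    win = greatest_fixpoint(states, bad, can_force)        # chi = 1
    alive = greatest_fixpoint(states, bad, can_cooperate)  # chi >= 0
    return {s: 1 if s in win else 0 if s in alive else -1 for s in states}

# Constructed two-player game; the objective is to avoid B = {"bad"}.
STATES = ["s0", "s1", "s2", "s3", "s4", "bad"]
MOVES = {  # MOVES[s][i] = moves available to player i in state s
    "s0": (["a", "b"], ["a", "b"]), "s1": (["a"], ["a"]),
    "s2": (["a"], ["a", "b"]),      "s3": (["a", "b"], ["a", "b"]),
    "s4": (["a"], ["a"]),           "bad": (["a"], ["a"]),
}
DELTA = {
    ("s0", ("a", "a")): "s1", ("s0", ("a", "b")): "s1",
    ("s0", ("b", "a")): "s2", ("s0", ("b", "b")): "bad",
    ("s1", ("a", "a")): "s1",
    ("s2", ("a", "a")): "s2", ("s2", ("a", "b")): "bad",
    # s3: player 0 stays safe only by matching player 1's simultaneous move
    ("s3", ("a", "a")): "s3", ("s3", ("a", "b")): "bad",
    ("s3", ("b", "a")): "bad", ("s3", ("b", "b")): "s3",
    ("s4", ("a", "a")): "bad",
    ("bad", ("a", "a")): "bad",
}

if __name__ == "__main__":
    for s, v in history_values(STATES, MOVES, DELTA, {"bad"}, 0).items():
        print(s, v)
```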
Lemma 1 ([4]). In finite concurrent games, for any player $i$, history $h$ that ends in a state $s$, and moves $a, b \in M_i(s)$, we have $a <_h b$ if, and only if the conjunction of the following conditions holds:

References
Journal ArticleDOI

A theory of timed automata

TL;DR: Alur et al. as discussed by the authors proposed timed automata to model the behavior of real-time systems over time, and showed that the universality problem and the language inclusion problem are solvable only for the deterministic automata: both problems are undecidable ($\Pi^1_1$-hard) in the non-deterministic case and PSPACE-complete in deterministic case.
Book

Principles of Model Checking

TL;DR: Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field.
Book ChapterDOI

Timed Automata: Semantics, Algorithms and Tools

TL;DR: In this paper, the authors present the concrete and abstract semantics of timed automata (based on transition rules, regions and zones), decision problems, and algorithms for verification for timed systems.
Book ChapterDOI

Timing assumptions and verification of finite-state concurrent systems

TL;DR: A scheme that allows timing assumptions to be incorporated into automatic proofs of arbitrary finite-state temporal properties is described, and it is conjecture that the method presented can be extended in this way.
Journal Article

Timed automata: Semantics, algorithms and tools

TL;DR: This chapter presents the concrete and abstract semantics of timed automata (based on transition rules, regions and zones), decision problems, and algorithms for verification, and a detailed description on DBM (Difference Bound Matrices) is included.
Frequently Asked Questions (2)
Q1. What have the authors contributed in "Admissible strategies in timed games" ?

In this paper, the authors study the notion of admissibility in timed games. First, the authors show that admissible strategies may not exist in timed games with a continuous semantics of time, even for safety objectives. Second, the authors show that the discrete time semantics of timed games is better behaved w.r.t. admissibility: the existence of admissible strategies is guaranteed in that semantics. Third, the authors provide symbolic algorithms to solve the model-checking problem under admissibility and the assume-admissible synthesis problem for real-time non-zero sum n-player games for safety objectives.

As future work, the authors would like to study these symbolic algorithms without the assumption of bounded clocks, thus, using extrapolation operators. The authors will also implement a prototype tool to test the feasibility of their methods.