Practical Verification of Multi-Agent Systems against Slk Specifications
Petr Čermák (a), Alessio Lomuscio (a), Fabio Mogavero (b), Aniello Murano (c)
(a) Imperial College London, UK
(b) University of Oxford, UK
(c) Università degli Studi di Napoli Federico II, Italy
Abstract
We introduce Strategy Logic with Knowledge, a novel formalism to reason about knowledge and strategic ability in memoryless multi-agent systems with incomplete information. We exemplify its expressive power; we define the model checking problem for the logic and show that it is PSpace-complete. We propose a labelling algorithm for solving the verification problem that we show is amenable to symbolic implementation. We introduce MCMAS-Slk, an extension of the open-source model checker MCMAS, implementing the proposed algorithm. We report the benchmarks obtained on a number of scenarios from the literature, including the dining cryptographers protocol.
Keywords: model checking, Strategy Logic, multi-agent systems, formal verification
1. Introduction
Multi-agent systems (MAS) are distributed systems whereby the components, or agents, display a high degree of autonomy and interact with their peers in a cooperative or adversarial way in order to maximise their private or common goals [1]. Over the years several logics have been put forward to reason about MAS, including epistemic logics [2], deontic logics [3] and formal languages accounting for the beliefs, desires and intentions of the agents [4]. These formalisms, once combined with temporal logic, are more expressive than logics used to reason about reactive systems, such as Ltl and Ctl [5]. This is because when reasoning about MAS, it is often not sufficient to establish whether a particular temporal statement is realised. Instead, there is an interest in establishing whether high-level properties of the agents hold in the system. These may involve the evolution of their beliefs, the intentions they want to bring about, what regulations they are subjected to and the interplay of all of these.
Knowledge and strategic ability are two particular aspects of agency that are of importance when reasoning about MAS. By means of epistemic specifications, we can, for example, reason about what the agents know about the world, its evolution, their peers, their peers' knowledge, as well as epistemic group notions such as common knowledge [2]. By incorporating strategic abilities in the specifications, we can establish whether particular groups of agents have the ability to bring about certain temporal states of affairs.
Preprint submitted to Elsevier February 23, 2019
There is a relatively long tradition in the development of verification technology, notably model checking, to verify MAS against temporal-epistemic specifications. This includes methods based on bounded [6, 7] verification, logical representation through Binary Decision Diagrams (BDDs, for short) [8, 9, 10], symmetry reduction [11] and abstraction [12, 13]. Verification techniques for validating systems against strategic abilities have also been put forward. For example, jMOCHA [14] is a model checker for the verification of systems against specifications in Alternating-time Temporal Logic (Atl). Proposals have also been made to devise methods supporting specifications that account for both the epistemic states of the agents as well as their strategic ability [15, 16, 17].
Also related to the present proposal is [18], where an extension of Atl for imperfect information games, namely CSLP, was introduced. CSLP can express sophisticated strategic and epistemic game properties of coalitions under uncertainty, including solution concepts. However, differently from the proposal made here, CSLP considers the agents' strategies implicitly: they are bound directly to the agents they refer to.
MCMAS [19, 20] is a BDD-based model checker supporting both Atl and epistemic specifications.
An important aspect in combining epistemic and strategic specifications is the information model the agents adhere to, namely whether they have complete or incomplete information about the world and what form of memory they have. Epistemic analysis of MAS normally assumes that agents have private, incomplete information about the world. It is known that the model checking problem for Atl with incomplete information and perfect recall is undecidable [21]. Given this, the most widely adopted setting is incomplete information with memoryless local states. In turn, this implies that Atl modalities assume memoryless strategies. This raises further issues including whether local strategies should be uniform [22, 19, 17].
In this work we follow this tradition, but extend the strategic dimension of the analysis to a fragment of strategy logic [23]. A limitation of Atl is that while specifications relate to the strategies of the agents to achieve a certain state of affairs, the strategies themselves do not feature in the syntax explicitly; instead, they are treated implicitly through agent modalities that refer to coalitions. The logic Sl was introduced to overcome this by introducing strategies as first-class citizens of the syntax and by allowing explicit quantification and binding over them.
In this paper we define a combination of Sl with the standard epistemic modalities on a memoryless variant of interpreted systems, introduce an algorithm for model checking and present its implementation. A feature of the present work is the relatively low complexity of the model checking problem, which is shown to be PSpace-complete. As discussed in more detail below, this is achieved by limiting the scope of the epistemic operators in the language.

The rest of the paper is organised as follows. In Section 2 we introduce the specification language Slk, define its semantics on a variant of interpreted systems, illustrate its use, define the model checking problem and investigate its complexity. In Section 3 we present a labelling algorithm to solve the model checking problem for Slk specifications against interpreted systems. In Section 4 we present MCMAS-Slk, a symbolic model checker derived from MCMAS, implementing the labelling algorithm, and present experimental results. We conclude in Section 5 by discussing related work.
2. Strategy Logic with Knowledge
In this section, we introduce Strategy Logic with Knowledge [24] (Slk, for short) as an extension of the original Strategy Logic [25, 26] (Sl, for short) introduced in [23]. Our aim is to define a formalism combining the ability of Sl to express game-theoretic concepts with an epistemic framework for describing the agents' knowledge in the context of incomplete information. In order to avoid the well-known undecidability result of the model-checking problem of multi-agent systems under incomplete information and perfect recall [27], we formalise the new logic by means of imperfect-recall semantics. This implies that agents have no memory of the past, including when planning their strategy to achieve a desired goal. Slk is defined w.r.t. interpreted systems [28], whereas Sl has been introduced for concurrent game structures [27], since the former is normally used in the context of incomplete information.
In the rest of this section, we give formal definitions of Slk syntax and semantics, together with accessory concepts, such as strategy, profile and play. These provide us with a solid foundation for the development of the model-checking algorithm, which is theoretically presented in Section 3 and then developed as a software tool and benchmarked against several scalable scenarios in Section 4.
2.1. Syntax
Sl syntactically extends linear-time temporal logic Ltl [29] by introducing two strategy quantifiers $\langle\!\langle x\rangle\!\rangle$ and $[\![x]\!]$, and an agent binding $(a, x)$, where $x$ is a variable and $a$ an agent. Informally, these operators can be read as "there exists a strategy $x$", "for all strategies $x$" and "bind agent $a$ to the strategy associated with $x$", respectively. Slk further extends Sl with epistemic modalities [28] representing individual knowledge $\mathrm{K}_a$, group knowledge $\mathrm{E}_A$, distributed knowledge $\mathrm{D}_A$ and common knowledge $\mathrm{C}_A$, where $a$ is an agent and $A$ a set of agents. Therefore, this language can be seen as a unique blend of three well-established logic formalisms that allows us to reason about the temporal, strategic and epistemic aspects of a model in a unified way.
Slk formulas are defined as follows.
Definition 1 (Syntax). Slk formulas are built inductively from the sets of atomic propositions $AP$, variables $Vr$ and agents $Ag$ using the following context-free grammar, where $p \in AP$, $x \in Vr$, $a \in Ag$ and $A \subseteq Ag$:
$$\varphi ::= \bot \mid \top \mid p \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid (\varphi \vee \varphi) \mid \mathrm{X}\,\varphi \mid (\varphi\,\mathrm{U}\,\varphi) \mid (\varphi\,\mathrm{R}\,\varphi) \mid \langle\!\langle x\rangle\!\rangle\varphi \mid [\![x]\!]\varphi \mid (a, x)\varphi \mid \mathrm{K}_a\varphi \mid \mathrm{E}_A\varphi \mid \mathrm{D}_A\varphi \mid \mathrm{C}_A\varphi$$
where the epistemic operators are applied to sentences only, i.e., $free(\varphi) = \emptyset$ in $\mathrm{K}_a\varphi$, $\mathrm{E}_A\varphi$, $\mathrm{D}_A\varphi$ and $\mathrm{C}_A\varphi$, where the function $free$ is introduced in Definition 2.
Slk denotes the set of formulas generated by the aforementioned rules.
As for Sl, the free agents and free variables $free(\varphi)$ of an Slk formula $\varphi$ are the subset of $Ag \cup Vr$ containing (i) all agents $a$ for which there is no binding $(a, x)$ before the occurrence of a temporal operator and (ii) all variables $x$ for which a binding $(a, x)$ is not in the scope of any quantification $\langle\!\langle x\rangle\!\rangle$ or $[\![x]\!]$.
Definition 2 (Free Agents and Free Variables). The set of free agents and free variables of an Slk formula is given by the function $free : Slk \to 2^{Ag \cup Vr}$ defined inductively as follows:
1. $free(\bot), free(\top) \triangleq \emptyset$;
2. $free(p) \triangleq \emptyset$, where $p \in AP$;
3. $free(\neg\varphi) \triangleq free(\varphi)$;
4. $free(\varphi_1 \,Op\, \varphi_2) \triangleq free(\varphi_1) \cup free(\varphi_2)$, where $Op \in \{\wedge, \vee\}$;
5. $free(\mathrm{X}\,\varphi) \triangleq Ag \cup free(\varphi)$;
6. $free(\varphi_1 \,Op\, \varphi_2) \triangleq Ag \cup free(\varphi_1) \cup free(\varphi_2)$, where $Op \in \{\mathrm{U}, \mathrm{R}\}$;
7. $free(Qn\,\varphi) \triangleq free(\varphi) \setminus \{x\}$, where $Qn \in \{\langle\!\langle x\rangle\!\rangle, [\![x]\!] \mid x \in Vr\}$;
8. $free((a, x)\varphi) \triangleq free(\varphi)$, if $a \notin free(\varphi)$, where $a \in Ag$ and $x \in Vr$;
9. $free((a, x)\varphi) \triangleq (free(\varphi) \setminus \{a\}) \cup \{x\}$, if $a \in free(\varphi)$, where $a \in Ag$ and $x \in Vr$;
10. $free(\mathrm{K}_a\varphi), free(\mathrm{E}_A\varphi), free(\mathrm{D}_A\varphi), free(\mathrm{C}_A\varphi) \triangleq \emptyset$, where $a \in Ag$ and $A \subseteq Ag$.
A formula $\varphi$ without free agents (resp. variables), i.e., with $free(\varphi) \cap Ag = \emptyset$ (resp. $free(\varphi) \cap Vr = \emptyset$), is called agent-closed (resp. variable-closed). If $\varphi$ is both agent-closed and variable-closed, it is called a sentence.
Note that strategies can be shared among the agents. However, the interpreted systems on which we will later define the semantics allow agents to use different, possibly disjoint, sets of actions and thus also different sets of strategies. Therefore, to determine the set of strategies over which a variable can range, we need to know which agents are bound to it. We thus introduce the set of sharing agents that refers, intuitively, to the agents associated with the same given variable within a formula.
Definition 3 (Sharing Agents). The set of sharing agents of an Slk formula w.r.t. a variable is given by the function $shr : Slk \times Vr \to 2^{Ag}$ defined inductively as follows:
1. $shr(\bot, x), shr(\top, x) \triangleq \emptyset$;
2. $shr(p, x) \triangleq \emptyset$, where $p \in AP$;
3. $shr(Op\,\varphi, x) \triangleq shr(\varphi, x)$, where $Op \in \{\neg, \mathrm{X}\} \cup \{\langle\!\langle y\rangle\!\rangle, [\![y]\!] \mid y \in Vr\} \cup \{\mathrm{K}_a \mid a \in Ag\} \cup \{\mathrm{E}_A, \mathrm{D}_A, \mathrm{C}_A \mid A \subseteq Ag\}$;
4. $shr(\varphi_1 \,Op\, \varphi_2, x) \triangleq shr(\varphi_1, x) \cup shr(\varphi_2, x)$, where $Op \in \{\wedge, \vee, \mathrm{U}, \mathrm{R}\}$;
5. $shr((a, x)\varphi, x) \triangleq \{a\} \cup shr(\varphi, x)$;
6. $shr((a, y)\varphi, x) \triangleq shr(\varphi, x)$, where $y \in Vr \setminus \{x\}$.
Note that, for conciseness, we assume throughout this work that every variable is quantified at most once in a given formula. This can be easily ensured by renaming variables which are not free in the formula (e.g., $(a_1, x)\langle\!\langle x\rangle\!\rangle(a_2, x)\mathrm{X}\,p \equiv (a_1, x)\langle\!\langle y\rangle\!\rangle(a_2, y)\mathrm{X}\,p \not\equiv (a_1, y)\langle\!\langle x\rangle\!\rangle(a_2, x)\mathrm{X}\,p$).
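The following is an added example, not code from the paper or from MCMAS-Slk: it implements free (Definition 2), shr (Definition 3) and the sentence condition that Definition 1 imposes on epistemic operators, over a small tuple-based formula encoding of our own, and evaluates them on the renaming example above. The encoding, the agent names a1 and a2 and the atom p are assumptions.

```python
# Added example, not the paper's or MCMAS-Slk's code. Formulas are nested tuples
# tagged by operator (a constructed encoding, our assumption):
#   ("bot",) ("top",) ("p", name) ("not", f) ("and", f, g) ("or", f, g)
#   ("X", f) ("U", f, g) ("R", f, g) ("exists", x, f) for <<x>>f,
#   ("forall", x, f) for [[x]]f, ("bind", a, x, f) for (a, x)f,
#   ("K", a, f) ("E", A, f) ("D", A, f) ("C", A, f) with A a frozenset of agents.
# Agents and variables are strings drawn from disjoint name sets.
ATOMS, UNARY, BINARY = ("bot", "top", "p"), ("not", "X"), ("and", "or", "U", "R")
QUANT, EPIST = ("exists", "forall"), ("K", "E", "D", "C")


def free(phi, agents):
    """Definition 2: free agents and free variables of phi as one frozenset.
    `agents` is the whole set Ag: temporal operators make every agent free."""
    op = phi[0]
    if op in ATOMS or op in EPIST:                       # rules 1, 2 and 10
        return frozenset()
    if op == "not":                                      # rule 3
        return free(phi[1], agents)
    if op in ("and", "or"):                              # rule 4
        return free(phi[1], agents) | free(phi[2], agents)
    if op == "X":                                        # rule 5
        return frozenset(agents) | free(phi[1], agents)
    if op in ("U", "R"):                                 # rule 6
        return frozenset(agents) | free(phi[1], agents) | free(phi[2], agents)
    if op in QUANT:                                      # rule 7: <<x>> / [[x]] close x
        return free(phi[2], agents) - {phi[1]}
    if op == "bind":                                     # rules 8 and 9
        _, a, x, psi = phi
        f = free(psi, agents)
        return (f - {a}) | {x} if a in f else f
    raise ValueError("unknown operator %r" % (op,))


def shr(phi, x):
    """Definition 3: the agents bound to variable x anywhere inside phi."""
    op = phi[0]
    if op in ATOMS:                                      # rules 1 and 2
        return frozenset()
    if op in UNARY or op in QUANT or op in EPIST:        # rule 3: look through
        return shr(phi[-1], x)
    if op in BINARY:                                     # rule 4
        return shr(phi[1], x) | shr(phi[2], x)
    if op == "bind":                                     # rules 5 and 6
        _, a, y, psi = phi
        return (frozenset({a}) if y == x else frozenset()) | shr(psi, x)
    raise ValueError("unknown operator %r" % (op,))


def is_sentence(phi, agents):
    """Agent-closed and variable-closed at once: free(phi) is empty."""
    return not free(phi, agents)


def well_formed(phi, agents):
    """Definition 1's side condition: every epistemic operator wraps a sentence."""
    if phi[0] in EPIST and not is_sentence(phi[-1], agents):
        return False
    return all(well_formed(sub, agents) for sub in phi[1:] if isinstance(sub, tuple))


# The renaming example from the text, with constructed agents a1, a2 and atom p.
AG = frozenset({"a1", "a2"})
XP = ("X", ("p", "p"))
PHI1 = ("bind", "a1", "x", ("exists", "x", ("bind", "a2", "x", XP)))  # (a1,x)<<x>>(a2,x)X p
PHI2 = ("bind", "a1", "x", ("exists", "y", ("bind", "a2", "y", XP)))  # (a1,x)<<y>>(a2,y)X p
PHI3 = ("bind", "a1", "y", ("exists", "x", ("bind", "a2", "x", XP)))  # (a1,y)<<x>>(a2,x)X p
```

PHI1 and PHI2 have the same free set {x} and differ only in the quantified name, while PHI3 leaves y free instead, which is why the text marks it as not equivalent.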
2.2. Multi-Agent Model
As mentioned before, we provide a semantics for Slk based on interpreted systems [2]. Differently from standard interpreted systems, here we take an agent's local states to be composed of private, or internal, states and states resulting from portions of the environment that are visible to the agent in question. This is similar to variants of interpreted systems such as broadcasting systems [30].
Definition 4 (Interpreted Systems). Let $Ag \triangleq \{1, \ldots, n\} \cup \{Env\}$ be a set of agents, or players, where $Env$ is a distinguished element representing the environment and $\Sigma \triangleq \{1, \ldots, n\}$ is the set of proper agents, and $AP$ a finite non-empty set of atomic propositions. An interpreted system is a tuple $\mathcal{I} \triangleq \langle (St_a, Ac_a, P_a, tr_a)_{a \in Ag}, I, h \rangle$ whose components are formally defined as follows:
- $St_a$ is a finite, non-empty set of local states of agent $a \in Ag$. For each proper agent $i \in \Sigma$, we assume that $St_i \triangleq St^p_i \times St^{vis_i}_{Env}$, where $St^p_i$ is the set of internal states of agent $i$ and $St^{vis_i}_{Env}$ is an image of the set of the environment states visible to agent $i$ via the agent's visibility function $vis_i : St_{Env} \to St^{vis_i}_{Env}$. For conciseness, set $St^p_{Env} \triangleq St_{Env}$.
  A tuple $s = (s^p_1, \ldots, s^p_n, s_{Env}) \in St \triangleq St^p_1 \times \cdots \times St^p_n \times St_{Env}$ is called a global state. The symbols $s_i(s) \triangleq (s^p_i, vis_i(s_{Env}))$ and $s^p_i(s) \triangleq s^p_i$ represent the local and internal state of proper agent $i \in \Sigma$ in the global state $s$, respectively. Again, set $s_{Env}(s) \triangleq s^p_{Env}(s) \triangleq s_{Env}$ for conciseness.
- $Ac_a$ is a finite non-empty set of actions that agent $a \in Ag$ can perform. By $Dc \triangleq Ac_1 \times \cdots \times Ac_n \times Ac_{Env}$ we denote the set of decisions, or joint actions, of all agents. The symbol $c_a(\delta) \in Ac_a$ represents the action of agent $a \in Ag$ in the decision $\delta \in Dc$. Furthermore, $Ac \triangleq \bigcup_{a \in Ag} Ac_a$ and $Ac_A \triangleq \bigcap_{a \in A} Ac_a$ are the sets of total actions and shared actions of the agents in $A \subseteq Ag$.
- $P_a : St_a \to 2^{Ac_a} \setminus \{\emptyset\}$ is the protocol of agent $a \in Ag$, i.e., a function that associates each local state $s_a \in St_a$ with the non-empty set of actions $P_a(s_a)$ available to the agent $a$. The global protocol $P : St \to 2^{Dc}$ is defined as $P(s) \triangleq \{\delta \in Dc \mid \forall a \in Ag \,.\, c_a(\delta) \in P_a(s_a(s))\}$ for all global states $s \in St$.
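An added example, not code from the paper or from MCMAS-Slk: a small interpreted system built in the shape of Definition 4, where each proper agent's local state combines its internal state with the visible image of the environment, and the global protocol P(s) is derived from the local protocols. The two proper agents, the environment states (a channel bit and a flag that only agent 1 sees), the action sets and the protocols are all constructed assumptions.

```python
# Added example, not the paper's or MCMAS-Slk's code: a constructed interpreted
# system in the shape of Definition 4. Agents, states, actions and the visibility
# functions are our assumptions; Env's state is a channel bit plus a flag.
from itertools import product

PROPER = (1, 2)                                         # Sigma
AG = PROPER + ("Env",)                                  # Ag = Sigma ∪ {Env}
ST_P = {1: ("idle", "busy"), 2: ("idle",)}              # St^p_i, internal states
ST_ENV = tuple(product(("b0", "b1"), ("f0", "f1")))     # St_Env = (bit, flag)
AC = {1: {"send", "wait"}, 2: {"send", "wait", "ack"}, "Env": {"ok", "drop"}}


def vis(i, s_env):
    """vis_i : St_Env -> St_Env^{vis_i}; only agent 1 sees the flag."""
    bit, flag = s_env
    return (bit, flag) if i == 1 else (bit,)


def local_state(a, s):
    """s_i(s) = (s^p_i, vis_i(s_Env)) for a proper agent; s_Env(s) = s_Env."""
    return s[-1] if a == "Env" else (s[a - 1], vis(a, s[-1]))


def global_states():
    """St = St^p_1 × ... × St^p_n × St_Env."""
    return list(product(*(ST_P[i] for i in PROPER), ST_ENV))


def protocol(a, local):
    """P_a : St_a -> 2^{Ac_a} minus the empty set (constructed rules)."""
    if a == "Env":
        return frozenset(AC["Env"])
    internal, visible = local
    if internal == "busy":
        return frozenset({"wait"})
    if a == 2 and visible == ("b1",):                   # agent 2 acknowledges a raised bit
        return frozenset({"ack"})
    return frozenset({"send", "wait"})


def global_protocol(s):
    """P(s) = { delta in Dc | for all a in Ag: c_a(delta) in P_a(s_a(s)) }."""
    return [delta for delta in product(*(AC[a] for a in AG))
            if all(delta[k] in protocol(a, local_state(a, s)) for k, a in enumerate(AG))]


def shared_actions(group):
    """Ac_A: the actions every agent in A can perform."""
    return frozenset.intersection(*(frozenset(AC[a]) for a in group))


def check_protocols():
    """Sanity check: every local protocol is non-empty and stays inside Ac_a."""
    locals_ = [(i, (sp, vis(i, e))) for i in PROPER for sp in ST_P[i] for e in ST_ENV]
    locals_ += [("Env", e) for e in ST_ENV]
    return all(protocol(a, loc) and protocol(a, loc) <= AC[a] for a, loc in locals_)
```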
References
Graph-Based Algorithms for Boolean Function Manipulation (journal article).
The temporal logic of programs, Amir Pnueli (proceedings article).
Reasoning About Knowledge (book).
An Introduction to MultiAgent Systems (book).
Introduction to Multiagent Systems (book).