Assume-admissible synthesis

Brenguier, Romain; Raskin, Jean-François; Sankur, Ocan

doi:10.1007/s00236-016-0273-2

Assume-admissible synthesis

Original Article
Published: 13 July 2016

Volume 54, pages 41–83, (2017)
Cite this article

Download PDF

Acta Informatica Aims and scope Submit manuscript

Assume-admissible synthesis

Download PDF

Romain Brenguier¹,
Jean-François Raskin² &
Ocan Sankur³

2797 Accesses
23 Citations
Explore all metrics

Abstract

In this paper, we introduce a novel rule for synthesis of reactive systems, applicable to systems made of n components which have each their own objectives. This rule is based on the notion of admissible strategies. We compare this rule with previous rules defined in the literature, and show that contrary to the previous proposals, it defines sets of solutions which are rectangular. This property leads to solutions which are robust and resilient, and allows one to synthesize strategies separately for each agent. We provide algorithms with optimal complexity and also an abstraction framework compatible with the new rule.

Synthesis with Rational Environments

Synthesis with rational environments

Article Open access 21 June 2016

Orna Kupferman, Giuseppe Perelli & Moshe Y. Vardi

Non-Zero Sum Games for Reactive Synthesis

1 Introduction

The automatic synthesis of reactive systems has recently attracted a considerable attention. The theoretical foundations of most of the contributions in this area rely on two-player zero sum games played on graphs: one player (player $1$) models the system to synthesize, and the other player (player $2$) models its environment. The game is zero-sum: the objective of player $1$ is to enforce the specification of the system while the objective of player $2$ is the negation of this specification. This is a worst-case assumption: because the cooperation of the environment cannot be assumed, we postulate that it is antagonistic.

A fully adversarial environment is usually a bold abstraction of reality. Nevertheless, it is popular because it is simple and sound: a winning strategy against an antagonistic player is winning against any environment which pursues its own objective. But this approach may fail to find a winning strategy even if there exist solutions when the objective of the environment is taken into account. Also, this model is for two players only: system vs environment. In practice, both the system and the environment may be composed of several parts to be constructed individually or whose objectives should be considered one at a time. In fact, many systems, such as telecommunication protocols, and distributed algorithms are made of several components or processes, each having its own objective which may or may not conflict other components’ objectives. Consider, for instance, a communication network in which each node has the objective of transmitting a message to a subset of other nodes, using some preferred frequency range; the objectives of some nodes may not conflict at all if they are independent (using different frequencies), while some of them may be in conflict. Indeed, game theory is used to model such situations; see e.g. [20]. Such problems are the subject of non-zero sum games where each entitiy having its own objective is seen as a different player (a.k.a. agent). For controller synthesis within this context, it is thus crucial to take different players’ objectives into account when synthesizing strategies; accordingly, alternative notions have been proposed in the literature.

A first classical alternative is to weaken the winning condition of player $1$ using the objective of the environment, requiring the system to win only when the environment meets its objective. This approach together with its weaknesses have been discussed in [3], we will add to that later in the paper. A second alternative is to use concepts from n-players non-zero sum games. This is the approach taken both by assume-guarantee synthesis [7] (AG), and by rational synthesis [18] (RS). For two players, AG relies on secure equilibria [9] (SE), a refinement of Nash equilibria [28] (NE). In SE, objectives are lexicographic: players first try to maximize their own specifications, and then try to falsify the specifications of others. It is shown in [9] that SE are those NE which represent enforceable contracts between the two players. However the AG rule as extended to several players in [7] no longer corresponds to secure equilibria.

This was not noticed in [7], so the algorithm proposed for computing secure equilibria does not actually apply for the AG rule. The difference between AG and SE is that AG strategies have to be resiliant to deviations of all the other players, while SE profiles have to be resiliant to deviations by only one player.

In RS, the system is assumed to be monolithic and the environment is made of components that are partially controllable. In RS, we search for a profile of strategies where the system ensures its objective and the players that model the environment are given an “acceptable” strategy profiles, from which it is assumed that they will not deviate. “Acceptable” is formalized by any solution concept, e.g. by NE, dominating strategies (Dom), or subgame perfect equilibria (SPE).

Contributions

1.
As a first and central contribution, we propose a novel notion of synthesis where we take into account different players’ objectives using the concept of admissible strategies [2, 4, 5]. For a player with objective $\phi $, a strategy $\sigma $ is dominated by $\sigma '$ if $\sigma '$ does as well as $\sigma $ w.r.t. $\phi $ against all strategies of the other players, and better for some of those strategies. A strategy $\sigma $ is admissible if it is not dominated by another strategy. In [2], the notion of admissibility was lifted to games played on graphs, and algorithmic questions left open were solved in [5], with the goal of model checking the set of outcomes that survive the iterative elimination of dominated strategies. Here, we use this notion to derive a meaningful notion to synthesize systems with several components using multi-player games, with the following idea. Rational players should only play admissible strategies since dominated strategies are clearly suboptimal. In assume-admissible synthesis (AA), we make the assumption that players play admissible strategies. Then for each player, we search for an admissible strategy that is winning against all admissible strategies of other players. AA is sound: any strategy profile in which each strategy is admissible and winning against admissible strategies of other players, satisfies the objectives of all the players (Theorem 1).
2.
We compare different synthesis rules from the literature: First, we apply all the rules on a simple but representative example, and show the main advantages of AA w.r.t. the other rules (Sect. 4). Then we compare systematically the different approaches to show when a solution for one rule implies a solution for another rule (Fig. 5), and we prove that, contrary to other rules, $\mathsf {AA}$ yields rectangular sets of solutions (Theorem 8). We argue that the rectangularity property is essential for practical applications.
3.
As a third contribution, we provide algorithms to decide the existence of assume-admissible winning strategy profiles and prove the optimal complexity of our algorithm (Theorem 3): PSPACE-complete for Müller, and PTIME for Büchi objectives. We also give an algorithm for the rule AG with multiple players, which was missing in the literature (Theorem 6).
4.
As a last important contribution, we provide an abstraction framework which allows us to define sufficient conditions to compute sets of winning assume-admissible strategies for each player in the game compositionally (Theorem 5). The use of state-space abstraction is essential in order to make the methods scale to large systems; we follow the abstract interpretation framework [13, 21]. Moreover, combining abstraction and rectangularity, one can also decompose the problem into smaller problems to be solved for each player. The idea is to look for a strategy profile witnessing the AA rule by computing each strategy separately, which is possible by rectangularity. For each player i, we consider an abstraction of the state space, and give a sufficient condition for finding a strategy for player i by only using computations on the abstract state space. The idea is close to [17] in spirit, but we need a specialized algorithm to approximate the set of admissible strategies. We thus avoid exploring the state space of the original game. This approach is compositional in the following sense: for each player i, a different abstraction can be chosen, which is tailored for player i, and its strategy is computed independently of the other players’ strategies. Thus, to find a strategy profile, this abstraction technique is applied to each player one by one, and if all steps succeed in finding strategies, we obtain a strategy profile that satisfies the AA rule.

Additional pointers to related works We have already mentioned assume-guarantee synthesis [7] and rational synthesis [18, 24]. Those are the closest related works to ours as they pursue the same scientific objective: they propose a framework to synthesize strategy profiles for non-zero sum multi-player games by taking into account the specification of each player. As those works are defined for similar formal setting, we are able to provide formal statements in the core of the paper that add elements of comparison with our work.

In [17], Faella studies several alternatives to the notion of winning strategy including the notion of admissible strategy. His work is for two-players only, and only the objective of one player is taken into account, the objective of the other player is left unspecified. Faella uses the notion of admissibility to define a notion of best-effort in synthesis while we use the notion of admissibility to take into account the objectives of the other players in an n player setting where each player has his own objective.

The notion of admissible strategy is definable in strategy logics [10, 27] and decision problems related to the $\mathsf {AA}$ rule can be reduced to satisfiability queries in such logics. Nevertheless this would not lead to worst-case optimal algorithms. Based on our previous work [5], we develop in this paper worst-case optimal algorithms.

In [14], Damm and Finkbeiner use the notion of dominant strategy to provide a compositional semi-algorithm for the (undecidable) distributed synthesis problem. So while we use the notion of admissible strategy, they use a notion of dominant strategy. The notion of dominant strategy is strictly stronger: every dominant strategy is admissible but an admissible strategy is not necessary dominant. Also, in multiplayer games with omega-regular objectives with complete information (as considered here), admissible strategies are always guaranteed to exist [2] while it is not the case for dominant strategies. We will show in an example that the notion of dominant strategy is too strong for our purpose. Also, note that the objective of Damm and Finkbeiner is different from ours: they use dominance as a mean to formalize a notion of best-effort for components of a distributed system w.r.t. their common objective, while we use admissibility to take into account the objectives of the other components when looking for a winning strategy for one component to enforce its own objective. Additionally, our formal setting is different from their setting in several respects. First, they consider zero-sum games between a distributed team of players (processes) against a unique environment, each player in the team has the same specification (the specification of the distributed system to synthesize) while the environment is considered as adversarial and so its specification is the negation of the specification of the system. In our case, each player has his own objective and we do not distinguish between protagonist and antagonist players. Second, they consider distributed synthesis: each individual process has its own view of the system while we consider games with perfect information in which all players have a complete view of the system state. Finally, let us point out that Damm and Finkbeiner use the term admissible for specifications and not for strategies (as already said, they indeed consider dominant strategies and not admissible strategies). In our case, we use the notion of admissible strategy which is classical in game theory, see e.g. [4, 19]. This vocabulary mismatch is unfortunate but we decided to stick to the term of “admissible strategy” which is well accepted in the literature, and already used in several previous works on (multi-player) games played on graphs [2, 5, 17].

A preliminary version of this work was published in [6].

Structure of the paper Section 2 contains definitions. In Sect. 3, we review synthesis rules introduced in the literature and define assume-admissible synthesis. In Sect. 4, we consider an example; this allows us to underline some weaknesses of the previous rules. Section 5 contains algorithms for Büchi and Müller objectives, and while Sect. 6 presents the abstraction techniques applied to our rule. Section 7 presents the algorithm for the assume-guarantee rule. Section 8 presents a formal comparison of the different rules.

2 Definitions

2.1 Multiplayer arenas

A turn-based multiplayer arena is a tuple $\mathsf{A}= \left\langle \mathcal {P}, (\mathsf {S}_i)_{i\in \mathcal {P}}, s_{\mathsf{init}}, (\textsf {Act}_i)_{i\in \mathcal {P}}, \delta \right\rangle $ where $\mathcal {P}$ is a finite set of players; for $i \in \mathcal {P}$, $\mathsf {S}_i$ is a finite set of player $i$ states; we let $\mathsf {S}= \biguplus _{i\in \mathcal {P}} \mathsf {S}_i$; $s_{\mathsf{init}}\in \mathsf {S}$ is the initial state; for every $i \in \mathcal {P}$, $\textsf {Act}_i$ is the set of player $i$ actions; we let $\textsf {Act}= \bigcup _{i\in \mathcal {P}} \textsf {Act}_i$; and $\delta :\mathsf {S}\times \textsf {Act}\mapsto \mathsf {S}$ is the transition function. An outcome $\rho $ is a sequence of alternating states and actions $\rho = s_1a_1s_2a_2\ldots \in (\mathsf {S}\cdot \textsf {Act})^\omega $ such that for all $i\ge 1$, $\delta (s_i,a_i)= s_{i+1}$. We write $\rho _i = s_i$, and $\textsf {act}_i(\rho ) = a_i$. A history is a finite prefix of an outcome ending in a state. We denote by $\rho _{\le k}$ the prefix history $s_1a_1 \ldots s_k$, and by $\rho _{\ge k}$ the suffix $s_{k+1}a_{k+1}s_{k+2}\ldots $. and write $\mathsf {last}(\rho _{\le k}) = s_k$, the last state of the history. The set of states occurring infinitely often in an outcome $\rho $ is $\mathrm {Inf}({\rho }) = \left\{ s \in \textsf {S}\mid \forall j\in \mathbb {N}.\ \exists i > j, \rho _i = s \right\} $.

Strategies A strategy of player $i$ is a function $\sigma _i : (\mathsf {S}^* \cdot \mathsf {S}_i) \rightarrow \textsf {Act}_i$. A strategy profile for the set of players $P \subseteq \mathcal {P}$ is a tuple of strategies, one for each player of P. We write $-i$ for the set $\mathcal {P}{\setminus } \{ i \}$. Let $\Sigma _{i}(\mathsf{A})$ be the set of the strategies of player $i$ in $\mathsf{A}$, written $\Sigma _i$ if $\mathsf{A}$ is clear from context, and $\Sigma _P$ the strategy profiles of $P\subseteq \mathcal {P}$. A set $A \subseteq \Sigma _P$ of strategy profiles is rectangular if it can be written as $A = \prod _{i \in P}A_i$ where $A_i \subseteq \Sigma _i$.

An outcome $\rho $ is compatible with strategy $\sigma $ for player $i$ if for all $j\ge 1$, $\rho _j \in \mathsf {S}_i$ and $\textsf {act}_j(\rho ) = \sigma (\rho _{\le j})$. It is compatible with strategy profile $\sigma _\mathcal {P}$ if it is compatible with each $\sigma _i$ for $i\in \mathcal {P}$. The outcome of a strategy profile $\sigma _\mathcal {P}$ is the unique outcome compatible with $\sigma _\mathcal {P}$ starting at $s_{\mathsf{init}}$, denoted $\mathsf {Out}_{\mathsf{A}}(\sigma _\mathcal {P})$. For any state s, we write $\mathsf {Out}_{\mathsf{A},s}(\sigma _\mathcal {P})$ for the outcome starting at state s. For any history h, we write $\mathsf {Out}_{\mathsf{A},h}(\sigma _\mathcal {P})$ for the outcome starting at state $\mathsf {last}(s)$, concatenated to h; formally, $\mathsf {Out}_{\mathsf{A},h}(\sigma _\mathcal {P}) = h_{\le |h|-1} \cdot \mathsf {Out}_{\mathsf{A},\mathsf {last}(h)}(\sigma _\mathcal {P})$. Given $\sigma _P \in \Sigma _P$ with $P \subseteq \mathcal {P}$, let $\mathsf {Out}_\mathsf{A}(\sigma _P)$ denote the set of outcomes compatible with $\sigma _P$, and extend it to $\mathsf {Out}_\mathsf{A}(\Sigma ')$ where $\Sigma '$ is a set of strategy profiles. For $E \subseteq \mathsf {S}_i \times \textsf {Act}_i$, let $\mathsf{Strat}_i(E)$ denote the set of player $i$ strategies $\sigma $ that only use actions in E in all outcomes compatible with $\sigma $.

2.2 Objectives and games

An objective $\phi $ is a subset of outcomes. An objective is prefix-independent if all suffixes of outcomes in $\phi $ belong to $\phi $. Formally, for all outcomes $\rho \in \phi $, for all $k\ge 1$, we have $\rho _{\ge k} \in \phi $. A strategy $\sigma _i$ of player $i$ is winning for objective $\phi _i$ if for all $\sigma _{-i}\in \Sigma _{-i}$, $\mathsf {Out}_\mathsf{A}(\sigma _i,\sigma _{-i}) \in \phi _{i}$. A game is an arena equipped with an objective for each player, written $\mathsf {G} = \langle \mathsf{A}, (\phi _{i})_{i\in \mathcal {P}}\rangle $ where for each player $i$, $\phi _{i}$ is an objective. Given a strategy profile $\sigma _P$ for the set of players P, we write $\mathsf {G},\sigma _P \models \phi $ if $\mathsf {Out}_\mathsf{A}(\sigma _P) \subseteq \phi $. We write $\mathsf {Out}_\mathsf {G} (\sigma _P) = \mathsf {Out}_\mathsf{A}(\sigma _P)$, and $\mathsf {Out}_\mathsf {G} = \mathsf {Out}_\mathsf {G} (\Sigma )$. For any coalition $C \subseteq \mathcal {P}$, and objective $\phi $, we denote by $\mathsf {Win} _C(\mathsf{A},\phi )$ the set of states s such that there exists $\sigma _C \in \Sigma _C$ with $\mathsf {Out}_{\mathsf {G},s}(\sigma _C) \subseteq \phi $.

Although we prove some of our results for general objectives, we give algorithms for $\omega $-regular objectives represented by Muller conditions. A Muller condition is given by a family $\mathcal {F}$ of sets of states: $\phi _{i} = \{ \rho \mid \mathrm {Inf}({\rho })\in \mathcal {F}\}$. Following [22], we assume that $\mathcal {F}$ is given by a Boolean circuit whose inputs are $\textsf {S}$, which evaluates to true exactly on valuations encoding subsets $S \in \mathcal {F}$. We also use linear temporal logic (LTL) [30] to describe objectives. LTL formulas are defined by $\phi := \mathtt {G}\phi \mid \mathtt {F}\phi \mid \mathtt {X}\phi \mid \phi \mathtt {U}\phi \mid \phi \mathtt {W}\phi \mid S$ where $S \subseteq \mathsf {S}$ (we refer to [16] for the semantics). We consider the special case of Büchi objectives, given by $\mathtt {G}\mathtt {F}(B) = \{ \rho \mid B \cap \mathrm {Inf}({\rho }) \ne \varnothing \}$. Boolean combinations of formulas $\mathtt {G}\mathtt {F}(S)$ define Muller conditions representable by polynomial-size circuits.

2.3 Dominance

In any game $\mathsf {G} $, a player $i$ strategy $\sigma _i$ is dominated by $\sigma '_i$ if for all $\sigma _{-i} \in \Sigma _{-i}$, $\mathsf {G},\sigma _i,\sigma _{-i} \models \phi _i$ implies $\mathsf {G},\sigma '_i,\sigma _{-i} \models \phi _i$ and there exists $\sigma _{-i} \in \Sigma _{-i}$, such that $\mathsf {G},\sigma '_i,\sigma _{-i} \models \phi _i$ and $\mathsf {G},\sigma _i,\sigma _{-i} \not \models \phi _i$, (this is classically called weak dominance, but we call it dominance for simplicity). A strategy which is not dominated is admissible. Thus, admissible strategies are maximal, and incomparable, with respect to the dominance relation. We write $\mathsf{Adm}_{i}(\mathsf {G})$ for the set of admissible strategies in $\Sigma _i$, and $\mathsf{Adm}_P(\mathsf {G}) = \prod _{i \in P} \mathsf{Adm}_i(G)$ the product of the sets of admissible strategies for $P\subseteq \mathcal {P}$.

Strategy $\sigma _i$ is dominant if for all $\sigma _i'$, and $\sigma _{-i}$, $\mathsf {G},\sigma _i',\sigma _{-i} \models \phi _i$ implies $\mathsf {G},\sigma _i,\sigma _{-i} \models \phi _i$. The set of dominant strategies for player $i$ is written $\mathsf {Dom} _i(\mathsf {G})$. A Nash equilibrium for $\mathsf {G} $ is a strategy profile $\sigma _\mathcal {P}$ such that for all $i \in \mathcal {P}$, and $\sigma _i' \in \Sigma _i$, $\mathsf {G},\sigma _{-i},\sigma _i' \models \phi _i$ implies $\mathsf {G},\sigma _{\mathcal {P}} \models \phi _i$; thus no player can improve its outcome by deviating from the prescribed strategy. A Nash equilibrium for $\mathsf {G} $ from s, is a Nash equilibrium for $\mathsf {G} $ where the initial state is replaced by s. A subgame-perfect equilibrium for $\mathsf {G} $ is a strategy profile $\sigma _\mathcal {P}$ such that for all histories h, $(\sigma _i \circ h)_{i\in \mathcal {P}}$ is a Nash equilibrium in $\mathsf {G} $ from state $\mathsf {last}(h)$, where given a strategy $\sigma $, $\sigma \circ h$ denotes the strategy that follows $\sigma $ starting at history h, i.e. $\sigma \circ h (h') = \sigma (h_{\le |h| - 1} \cdot h')$ if $h'_0 = \mathsf {last}(h)$ and $\sigma \circ h (h') = \sigma (h')$ otherwise.

3 Synthesis rules

In this section, we review synthesis rules proposed in the literature, and introduce a novel one: the assume-admissible synthesis rule ($\mathsf {AA}$). Unless stated otherwise, we fix for this section a game $\mathsf {G} $, with players $\mathcal {P}=\{1,\dots ,n\}$ and their objectives $\phi _1,\dots ,\phi _n$.

Rule $\mathsf {Coop}$: The objectives are achieved cooperatively if there is a strategy profile $\sigma _\mathcal {P}=(\sigma _1,\dots ,\sigma _n)$ such that $\mathsf {G},\sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$.

This rule [12, 26] asks for a strategy profile that jointly satisfies the objectives of all the players. This rule makes very strong assumptions: players fully cooperate and strictly follow their respective strategies. This concept is not robust against deviations and postulates that the behavior of every component in the system is controllable. This weakness is well-known: see e.g. [7] where the rule is called weak co-synthesis.

Rule $\mathsf {Win}$. The objectives are achieved adversarially if there is a strategy profile $\sigma _\mathcal {P}=(\sigma _1,\dots ,\sigma _n)$ such that for all $i \in \mathcal {P}$, $\mathsf {G},\sigma _i \models \phi _i$.

This rule does not require any cooperation among players at all: the rule asks to synthesize for each player $i$ a strategy which enforces his/her objective $\phi _i$ against all possible strategies of the other players. Strategy profiles obtained by $\mathsf {Win}$ are extremely robust: each player is able to ensure his/her objective no matter how the other players behave. Unfortunately, this rule is often not applicable in practice: often, none of the players has a winning strategy against all possible strategies of the other players. The next rules soften this requirement by taking into account the objectives of other players.

Rule Win-under-Hyp: Given a two-player game $\mathsf {G} $ with $\mathcal {P}=\{1,2\}$ in which player $1$ has objective $\phi _1$, player $2$ has objective $\phi _2$, player $1$ can achieve adversarially $\phi _1$ under hypothesis $\phi _2$, if there is a strategy $\sigma _1$ for player $1$ such that $\mathsf {G}, \sigma _1 \models \phi _2 \rightarrow \phi _1$.

The rule winning under hypothesis applies for two-player games only. Here, we consider the synthesis of a strategy for player $1$ against player $2$ under the hypothesis that player 2 behaves according to his/her specification. This rule is a relaxation of the rule $\mathsf {Win}$ as player $1$ is only expected to win when player $2$ plays so that the outcome of the game satisfies $\phi _2$. While this rule is often reasonable, it is fundamentally plagued by the following problem: instead of trying to satisfy $\phi _1$, player $1$ could try to falsify $\phi _2$, see e.g. [3]. This problem disappears if player $2$ has a winning strategy to enforce $\phi _2$, and the rule is then safe. We come back to that later in the paper (see Lemma 1).

Assume guarantee Chatterjee et al. in [7] proposed synthesis rules inspired by Win-under-Hyp that avoid the aforementioned problem. The rule was originally proposed in a model with two components and a scheduler. We study here two natural extensions for n players.

Rules $\mathsf{AG}^{\wedge }$ and $\mathsf{AG}^{\vee }$: The objectives are achieved by
($\mathsf {AG} ^{\wedge }$):

assume-guarantee-$\wedge $ if there exists a strategy profile $\sigma _\mathcal {P}$ such that
1.:

$\mathsf {G},\sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$,

2.:

for all players i, $\mathsf {G},\sigma _i \models (\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j) \Rightarrow \phi _i$.

($\mathsf {AG} ^{\vee }$):

assume-guarantee-$\vee $ ^{Footnote 1} if there exists a strategy profile $\sigma _\mathcal {P}$ such that
1.:

$\mathsf {G},\sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$,

2.:

for all players i, $\mathsf {G},\sigma _i \models (\bigvee _{j\in \mathcal {P}\setminus \{i\}} \phi _j) \Rightarrow \phi _i$.

The two rules differ in the second requirement: $\mathsf{AG}^{\wedge }$ requires that player i wins whenever all the other players win, while $\mathsf{AG}^{\vee }$ requires player i to win whenever one of the other player wins. Clearly $\mathsf{AG}^{\vee }$ is stronger, and the two rules are equivalent for two-player games. As shown in [9], for two-player games, a profile of strategy for $\mathsf{AG}^{\wedge }$ (or $\mathsf{AG}^{\vee }$) is a Nash equilibrium in a derived game where players want, in lexicographic order, first to satisfy their own objectives, and then as a secondary objective, want to falsify the objectives of the other players. As NE, $\mathsf{AG}^{\wedge }$ and $\mathsf{AG}^{\vee }$ require players to synchronize on a particular strategy profiles. As we will see, this is not the case for the new rule that we propose.

Rational synthesis [18] and [24] introduce two versions of rational synthesis ($\mathsf {RS}$). In the two cases, one of the player, say player $1$, models the system while the other players model the environment. The existential version (${\mathsf {RS}}^{\exists }$) searches for a strategy for the system, and a profile of strategies for the environment, such that the objective of the system is satisfied, and the profile for the environment is stable according to some solution concept; here we consider the most classical ones, namely, $\mathsf {NE}$, $\mathsf {SPE}$, or $\mathsf {Dom}$. The universal version (${\mathsf {RS}}^{\forall }$) searches for a strategy for the system, such that for all environment strategy profiles that are stable according to the solution concept, the objective of the system holds. We write $\Sigma _{G,\sigma _1}^{\mathsf {NE}}$ (resp. $\Sigma _{\mathsf {G},\sigma _1}^{\mathsf {SPE}}$) for the set of strategy profiles $\sigma _{-1} = (\sigma _2,\sigma _3,\dots ,\sigma _n)$ that are $\mathsf {NE}$ (resp. $\mathsf {SPE}$) equilibria in the game $\mathsf {G} $ when player $1$ plays $\sigma _1$, and $\Sigma _{G,\sigma _1}^{\mathsf {Dom}}$ for the set of strategy profiles $\sigma _{-1}$ where each strategy $\sigma _j$, $2 \le j \le n$, is dominant in the game $\mathsf {G} $ when player 1 plays $\sigma _1$.

Rules ${\mathsf {RS}}^{\exists ,\forall }(\mathsf {NE}, \mathsf {SPE}, \mathsf {Dom})$: Let $\gamma \in \{ \mathsf {NE},\mathsf {SPE},\mathsf {Dom} \}$, the objective is achieved by:
$({\mathsf {RS}}^{\exists }(\gamma ))$ :

existential rational synthesis under $\gamma $ if there is a strategy $\sigma _1$ of player $1$, and a profile $\sigma _{-1} \in \Sigma _{\mathsf {G},\sigma _1}^{\gamma }$, such that $\mathsf {G},\sigma _1,\sigma _{-1} \models \phi _1$.

$({\mathsf {RS}}^{\forall }(\gamma ))$ :

universal rational synthesis under $\gamma $ if there is a strategy $\sigma _1$ of player $1$, such that $\Sigma _{\mathsf {G},\sigma _1}^{\gamma }\not =\emptyset $, and for all $\sigma _{-1} \in \Sigma _{\mathsf {G},\sigma _1}^{\gamma } $, $\mathsf {G},\sigma _1,\sigma _{-1} \models \phi _1$.

Clearly, $({\mathsf {RS}}^{\forall }(\gamma ))$ is stronger than $({\mathsf {RS}}^{\exists }(\gamma ))$ and more robust. As ${\mathsf {RS}}^{\exists ,\forall }(\mathsf {NE},\mathsf {SPE})$ are derived from $\mathsf {NE}$ and $\mathsf {SPE}$, they require players to synchronize on particular strategy profiles.

Novel rule, assume-admissible We now present our novel rule based on the notion of admissible strategies.

Rule $\mathsf {AA}$: The objectives are achieved by assume-admissible ($\mathsf {AA}$) strategies if there is a strategy profile $\sigma _\mathcal {P}$ such that:

1.
for all $i \in \mathcal {P}$, $\sigma _i \in \mathsf{Adm}_i(\mathsf {G})$;

2.
for all $i \in \mathcal {P}$, $\forall \sigma _{-i}' \in \mathsf{Adm}_{-i}(\mathsf {G}).\ \mathsf {G},\sigma _{-i}',\sigma _i \models \phi _i$.

A player-i strategy satisfying conditions 1 and 2 above is called assume-admissible-winning ($\mathsf {AA}$-winning). A profile of $\mathsf {AA} $-winning strategies is an $\mathsf {AA} $-winning strategy profile. The rule $\mathsf {AA}$ requires that each player has a strategy winning against admissible strategies of other players. So we assume that players do not play strategies which are dominated, which is reasonable as dominated strategies are clearly suboptimal options. Notice that unlike in NE or SPE, players are not required to agree on a given equilibrium profile; they only need to assume the admissibility of the strategies played by other players.

Note that an adversarial environment can be easily considered in the assume-admissible rule: it suffices to add a player with a trivial objective (i.e. always winning). The set of admissible strategies will be the whole set of strategies for that player, and other players will then be required to satisfy their objectives against any strategy of this player.

The definition of $\mathsf {AA}$ does not explicitly require that the strategy profile satisfies all players’ objectives; but this is a consequence of the definition:

Proposition 1

For all $\mathsf {AA}$-winning strategy profile $\sigma _\mathcal {P}$, $\mathsf {G}, \sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$.

Proof

Let $\sigma _\mathcal {P}$ be a strategy profile witness of $\mathsf {AA}$. Let i be a player, we have that $\sigma _{-i} \in \mathsf{Adm}_{-i}(\mathsf {G})$, because by Condition 1, for all $j \ne i$, $\sigma _j \in \mathsf{Adm}_j(\mathsf {G})$. Then by Condition 2 we have that $\mathsf {G}, \sigma _\mathcal {P}\models \phi _i$. Since this is true for all players i, we have that $\mathsf {G}, \sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$. $\square $

The following example shows that $\mathsf {AA}$-winning strategies must be admissible themselves for Proposition 1 to hold.

Example 1

In $\mathsf {AA}$, the profile of strategy must be composed of admissible strategies only. This is necessary as otherwise assumptions of the players on each other may not be satisfied. This is illustrated by the example of Fig. 1 in which the two players have reachability objectives $\phi _1 = \mathtt {F}(s_4 \vee s_6)$ and $\phi _2 = \mathtt {F}(s_4)$ respectively.

Admissible strategies are shown in plain edges. Now, the player 2 strategy that chooses the dashed edge from $s_2$ satisfies Condition 2 of $\mathsf {AA}$, since $s_2$ is not reachable under admissible strategies of player 1. Similarly, the player 1 strategy that chooses the dashed edge from $s_1$ satisfies Condition 2 of $\mathsf {AA}$ since the thick edges lead back to a state satisfying $\phi _1$. But then the resulting profile is such that none of the two players wins.

4 Synthesis rules in the light of an example

We illustrate the synthesis rules on a multiplayer game which models a real-time scheduler with two tasks. The system is composed of three players, namely, User, Controller, and Scheduler. The high-level description of the system is the following: User sends actions $a_1$ or $a_2$ to Controller, which having received action $a_i$ must eventually send a corresponding request $r_i$ to Scheduler. The role of Scheduler is to schedule events: having received $r_i$, it must issue the event $q_i$ while meeting some temporal constraints.

More precisely, we model the system as a multiplayer game. Accordingly, each round consists of three steps: first, User chooses a valuation for $a_1,a_2$ (e.g. if $a_1$ is true, then User is sending action $a_1$), second, Controller chooses a valuation for $r_1,r_2$, and third, Scheduler chooses a valuation for $q_1,q_2$. Let us denote by $\bot $ the valuation that assigns false to all variables.

The objective of User is trivial, i.e. all outcomes are accepting, since we want the system to accept all sequences of actions made by an arbitrary user. The objectives for Scheduler and Controller are as follows:

1.
Upon receiving $a_i$, Controller must eventually issue $r_i$ within k steps. Moreover, having issued $r_i$, Controller cannot issue $r_i$ again until the next occurrence of $q_i$. Doing so, it “filters” the actions issued by User into requests and adheres to constraints imposed by Scheduler.
2.
Scheduler is not allowed to schedule the two tasks at the same time. When $r_1$ is true, then task 1 must be scheduled ($q_1$) either in the current round or in the next round. When $r_2$ is true, task 2 must be scheduled ($q_2$) in the next round.

We will keep k as a parameter.

These requirements can be expressed in LTL as follows:

$\phi _{\mathsf{User}} = \textsf {true}$.
$\phi _{\mathsf{Controller}} = \mathtt {G}(a_1 \Rightarrow \mathtt {F}_{\le k} r_1) \wedge \mathtt {G}(r_1 \rightarrow \mathtt {X}(\lnot r_1 \mathtt {W}q_1)) \wedge \mathtt {G}(a_2 \Rightarrow \mathtt {F}_{\le k} r_2) \wedge \mathtt {G}(r_2 \rightarrow \mathtt {X}(\lnot r_2 \mathtt {W}q_2))$.
$\phi _{\mathsf{Scheduler}} = \mathtt {G}(r_1 \rightarrow \mathtt {X}q_1 \vee \mathtt {X}^4 q_1) \wedge \mathtt {G}(r_2 \rightarrow \mathtt {X}^4 q_2) \wedge \mathtt {G}\lnot (q_1 \wedge q_2)$.

Notice that since each round takes three steps, $X^4 q_2$ (which means $\mathtt {X}\mathtt {X}\mathtt {X}\mathtt {X}q_2$) captures Scheduler’s issuing $q_i$ next round. Here, $\mathtt {F}_{\le k} r_i$ stands for $r_i \vee \mathtt {X}r_i \vee \cdots \vee \mathtt {X}^k r_i$.

Let us call an action $a_i$ of User pending if Controller has not issued a request $r_i$ since the arrival of $a_i$. Similarly, we say that a request $r_i$ is pending whenever the corresponding grant $q_i$ has not yet been issued by Scheduler.

A solution compatible with the rules proposed in the literature First, we note that there is no winning strategy neither for Scheduler nor for Controller. In fact, let $\hat{\sigma }_S$ be the strategy of Scheduler that never schedules any of the two tasks, i.e. constantly plays $\bot $. Then no Controller strategy is winning against $\hat{\sigma }_S$: if User keeps sending $a_i$, then Controller can only send $r_i$ once since $q_i$ is never true, thus violating $\phi _\mathsf{Controller}$. Second, let $\hat{\sigma }_C$ be a strategy for Controller which always requests the scheduling of both task 1 and task 2, i.e. $r_1$ and $r_2$ are constantly true. It is easy to see that this enforces $\lnot \phi _\mathsf{Scheduler}$ against any strategy of Scheduler. So, there is no solution with rule Win. However strategies $\hat{\sigma }_S$ and $\hat{\sigma }_C$ are clearly not optimal for Scheduler and Controller respectively, since they give up completely on their respective objectives after a deviation while there could be still a chance to satisfy these objectives. Other rules can take into account the objectives to disregard such strategies, so that we may still obtain a solution from the other rules. Observe that the rule $\mathsf {AG} ^{\vee }$ has no solution either: in fact, since $\phi _\mathsf{User}=\textsf {true}$, the rule becomes equivalent to Win. Note also that Win-under-Hyp does not apply since we have three players. We now consider a strategy profile which is a solution for the other rules from the literature.

Let $(\sigma _C,\sigma _S)$ be strategies for Controller and Scheduler respectively, which behave as follows. At the beginning of each round, given any valuation $\alpha $ on $a_1,a_2$,

In the first phase, Controller sends $r_1$, and Scheduler sends $q_1$ in the next round, producing a sequence $(\alpha r_1 \bot )~(\alpha '\bot q_1)$.
In the second phase, Controller sends $r_2$, and Scheduler sends $q_2$ in the next round, producing $(\alpha r_2\bot )~(\alpha ' \bot q_2)$,

Thus, these strategies are independent of User’s strategy: whatever the input by User, the same sequence of actions of Controller and Scheduler are prescribed by our strategy. Moreover, if Controller deviates from the above scheme, then Scheduler switches to strategy $\hat{\sigma }_S$ above; and similarly, if Scheduler deviates, Controller switches to $\hat{\sigma }_C$.

This strategy profile is clearly not desirable since it allows for exactly one scenario satisfying the objectives, while under any change in one component’s behavior, all objectives fail. Moreover, the outcome does not depend at all on the behavior of User. It is intuitively easy to see that better strategy profiles exist: in fact, both components could continue to “try to satisfy” their objectives in all cases rather than switching to $\hat{\sigma }_C$ or $\hat{\sigma }_S$ which is guaranteed to make all objectives fail. Clearly such pathological strategy profiles should not be solutions to the synthesis problem.

However, we will now show that the rules Coop, $\mathsf{AG}^\wedge $, $\mathsf{RS}^{\cdot }(\mathsf {NE},\mathsf {SPE})$ do allow the above strategy profile:

Rule Coop: For any $\sigma _U$, the outcome of $(\sigma _U,\sigma _C,\sigma _S)$ satisfies all objectives; thus the profile is a possible solution of the rule.
Rule $\mathsf{AG}^{\wedge }$: When both players follow $(\sigma _C,\sigma _S)$, we know that the outcome is a model for both $\phi _\mathsf{Scheduler}$ and $\phi _\mathsf{Controller}$. We must in addition verify that $\sigma _C \models \phi _\mathsf{User} \wedge \phi _\mathsf{Scheduler} \rightarrow \phi _\mathsf{Controller}$ and that $\sigma _S \models \phi _\mathsf{User} \wedge \phi _\mathsf{Controller} \rightarrow \phi _\mathsf{Scheduler}$. To see the latter property, notice that either the outcome conforms to the above scheme and thus satisfy both objectives, or Controller deviates, in which case Scheduler switches to strategy $\hat{\sigma }_S$ and the outcome satisfies $\lnot \phi _\mathsf{Controller}$. The argument to show the former property is symmetric.
Rules $\mathsf{RS}^{\cdot }(\mathsf {NE},\mathsf {SPE},\mathsf {Dom})$: We assume that Controller is the system to be synthesized, while User and Scheduler model two components of the environment. We fix $\sigma _C$ for Controller. In this case, $\sigma _S$ is a winning strategy for Scheduler. Since $\phi _\mathsf{User}$ is trivial, for all $\sigma _U$, $(\sigma _U, \sigma _S)$ is a solution for $\mathsf {NE}$, $\mathsf {SPE}$, and $\mathsf {Dom}$. Thus the profile is a solution for $\mathsf{RS}^\exists (\mathsf {NE},\mathsf {SPE},\mathsf {Dom})$. For the universal rules, notice that since $\sigma _S$ is winning, all dominant strategies for Scheduler are winning too. It follows that all dominant strategies must be identical to $\hat{\sigma }_S$ until a deviation occurs. Thus, under all such strategies Controller’s objective is also satisfied. Similarly, Scheduler has a winning strategy in all Nash equilibria and SPE profiles, which satisfy Controller’s objective. Thus, the profile is also a solution for $\mathsf{RS}^\forall (\mathsf {NE},\mathsf {SPE},\mathsf {Dom})$.

Absence of dominant strategies Observe that Controller and Scheduler do not have dominant strategies. Indeed, towards a contradiction, assume that there exists a dominant Controller strategy $\sigma $. First, note that the outcome of $(\sigma _U, \sigma , \sigma _S)$ must be identical to the outcome of $(\sigma _U,\sigma _C,\sigma _S)$; in fact, otherwise, this means that $\sigma $ deviates from $\sigma _C$ at some point, in which case the outcome is losing for Controller. It follows that $(\sigma _U,\sigma ,\sigma _S)$ is losing, while $(\sigma _U,\sigma _C,\sigma _S)$ is winning by definition, so $\sigma $ cannot be dominant. Consider now strategy $\sigma _C'$ which is identical to $\sigma _C$ except that it starts at phase 2 rather than starting at phase 1. One can construct a Scheduler strategy that makes $\sigma _C'$ win, while making $\sigma _C$ lose: Scheduler switches to $\hat{\sigma }_S$ in the second round as soon as $\sigma _C'$ starts being played; and otherwise follows $\sigma _S$ starting at phase 2. This shows that $\sigma $ cannot be dominant.

Solutions provided by AA, our novel rule Let us describe the set of admissible strategies for all players. For Controller we claim that admissible strategies are exactly those strategies $\sigma $ that satisfy the following conditions for all histories h:

(C0)
If $\phi _\mathsf{Controller}$ was violated at h, then behave arbitrarily in the rest of the game; otherwise:
(C1)
For any $i\in \{1,2\}$, if $r_i$ is pending at h, then $\sigma $ sets $r_i$ to false at h.
(C2)
For any $i\in \{1,2\}$, if $a_i$ just became pending at h,

then for all histories $h'$ compatible with $\sigma $, extending h, and of length $|h| + k$, either $r_i$ is pending at all points $h_{\le i}'$ with $|h|\le i\le |h'|$, or $\sigma $ sets $r_i$ to true at some history $h'_{\le i}$ for $|h| \le i \le |h'|$.

Any strategy that does not satisfy these conditions is dominated. For instance, if a strategy violates (C1), say at history h, one can obtain a dominating strategy by switching at h to a strategy which respects this safety property. Similarly, if from history h, the strategy never sets $r_i$ in all possible continuations of length k while $a_i$ is pending and $r_i$ is not, one can again modify it by switching to a “better” strategy which does set $r_i$ eventually. The argument is formalized in the following lemma (detailed proofs are given in “Appendix 1”).

Lemma 1

Any strategy for Controller is admissible if, and only if it satisfies (C0), (C1), and (C2) at all histories.

We now describe the admissible strategies for Scheduler. Consider the set of strategies satisfying the following conditions, at all histories h,

(C3)
if both requests $r_1$ and $r_2$ were made at the latest round of h, then grant $q_1$,
(C4)
if request $r_2$ was made in the penultimate round of h, and either $r_1$ is not pending or the earliest pending request $r_1$ was made in the latest round, then grant $q_2$,
(C5)
if request $r_1$ was made in the penultimate round of h and is pending, and $r_2$ is not pending, or the earliest pending request $r_2$ was made in the latest round, then grant $q_1$.
(C6)
if both pending requests $r_1$ and $r_2$ were made at the penultimate round, then behave arbitrarily in the rest of the game.

Lemma 2

Any Scheduler strategy is admissible if, and only if it satisfies (C3), (C4), (C5), and (C6) at all histories.

We now show that the rule $\mathsf {AA}$ applies in this case: all players’ objectives hold under admissible strategies, that is, assuming conditions (C0)–(C6).

Lemma 3

For all $k\ge 4$, all strategy profiles $(\sigma _U,\sigma _C,\sigma _S)$ satisfying (C1)–(C6) also satisfy $\phi _\mathsf{User} \wedge \phi _\mathsf{Controller} \wedge \phi _\mathsf{Scheduler}$.

By the way we obtained the solutions of $\mathsf {AA}$, it should be clear that the set of solutions is rectangular. In fact, we independently characterized the set of admissible strategies for Controller, and then for Scheduler, and proved that any combination of these satisfy all objectives.

5 Algorithm for assume-admissible synthesis

In this section, we give an algorithm to decide the assume-admissible rule and to synthesize $\mathsf {AA}$-winning strategy profiles for prefix-independent objectives. Our algorithm is based on the characterization of the outcomes of admissible strategies of [2] and the algorithm of [5] that computes the iterative elimination of dominated strategies. Our general algorithm is an application of these results, but we also improve the complexity analysis in the case of Büchi objectives. The details of the algorithm will be useful in Sect. 6 where we will adapt the algorithm to abstract state spaces.

5.1 Values and admissible outcomes

Let us recall the characterization of the outcomes of admissible strategy profiles given in [5]. We use the game of Fig. 2 as a running example for this section. Clearly, none of the players of this game has a winning strategy for his own objective when not taking into account the objective of the other player, but, as we will see, both players have an admissible and winning strategy against the admissible strategies of the other player, and so the $\mathsf {AA}$ rule applies.

The notion of value associated to the states of a game plays an important role in the characterization of admissible strategies and their outcomes [2, 5]. We fix a game $\mathsf {G} $. Given a history h, and a set of strategies $\Sigma _i'$ for player $i$, we write $\Sigma '_i(h)$ for the set of strategies of $\Sigma '_i$ compatible with h, that is, the set of strategies $\sigma _i$ such that h is the prefix of an outcome in $\mathsf {Out}_\mathsf {G} (\sigma _i)$. We also write $\Sigma '(h)$ for $\prod _{i\in \mathcal {P}} \Sigma '_i(h)$.

Definition 1

(Value [2]) Let $\Sigma '$ be a rectangular set of strategy profiles. The value of history h for player $i$ with respect to $\Sigma '$, written $\mathsf{Val}_i(\Sigma ',h)$, is given by:

if every $\sigma _{\mathcal {P}} \in \Sigma '(h)$ is losing for player $i$ then $\mathsf{Val}_i(\Sigma ',h)=-1$;
if there is a strategy $\sigma _i \in \Sigma '_i(h)$ such that for all strategy profiles $\sigma _{-i}$ in $\Sigma '_{-i}(h)$, the profile $(\sigma _i,\sigma _{-i})$ is winning for player $i$ then $\mathsf{Val}_i(\Sigma ',h)=1$;
otherwise $\mathsf{Val}_i(\Sigma ',h)=0$;

We use the shorthand notation $\mathsf{Val}_i(h) = \mathsf{Val}_i(\Sigma ,h)$. Notice that for prefix-independent objectives, the value only depends on the last state. We may thus write $\mathsf{Val}_i(s) = \mathsf{Val}_i(h)$ for $s = \mathsf {last}(h)$.

A player $j$ decreases its own value in history h if there is a position k such that $\mathsf{Val}_j(h_{k+1}) < \mathsf{Val}_j(h_{k})$ and $h_k \in \mathsf {S}_j$. We proved in [5], that players do not decrease their own values when playing admissible strategies. In fact, if the current state has value 1, there is a winning strategy which stays within the winning region; if the value is 0, then although other players may force the play into states of value $-1$, a good strategy for player $i$ will not do this by itself. Let us call those strategies that do not decrease the player’s own value value-preserving.

Example 2

In the game of Fig. 2, we have $\mathsf{Val}_1(s_1) = \mathsf{Val}_1(s_2) = 0$ and $\mathsf{Val}_1(s_3) = -1$; in fact, Player 1 has no winning strategy from any state, and from $s_3$, it is impossible to satisfy the objective. For Player 2, the situation is similar; we have, $\mathsf{Val}_2(s_1) = \mathsf{Val}_2(s_2) = 0$ and $\mathsf{Val}_2(s_3) = -1$.

Lemma 4

[5, Lemma 1] For all games $\mathsf {G} $ with prefix-independent objectives, players i, and histories $\rho $, if $\mathsf {last}(\rho ) \in \mathsf {S}_i$ and $\sigma _i \in \mathsf{Adm}_i$ then $\mathsf{Val}_i(\delta (\mathsf {last}(\rho ),\sigma _i(\rho ))) = \mathsf{Val}_i(\rho )$.

We prove here that conversely, any winning outcome on which player $i$ does not decrease its own value is compatible with an admissible strategy of player $i$. We will use for that three lemmas from [2].

Lemma 5

([2, Corollary 12], for $\alpha = 1$) If $\Sigma $ is non-empty then $\mathsf{Adm}$ is non-empty.

Given $\sigma _i, \sigma '_i \in \Sigma _i$, and h such that $\sigma _i(h') = \sigma '_i(h')$ for all prefixes $h'$ of h, $\sigma _i[h \leftarrow \sigma '_i]$ the strategy that agrees with $\sigma '_i$ on every prefix of h and with $\sigma _i$ for all other histories. We say that a strategy set $\Sigma _i$ allows shifting, if for any $\sigma _i, \sigma '_i \in \Sigma _i$, such that for all h such that $\sigma _i(h') = \sigma '_i(h')$, $\sigma _i[h \leftarrow \sigma '_i] \in \Sigma _i$. A rectangular set of strategies allows shifting if all its components do.

Lemma 6

([2, Corollary 10], for $\alpha = 1$) $\mathsf{Adm}$ allows shifting.

Lemma 7

[2, Lemma 9] Let $\Sigma ' \subseteq \Sigma $ be a rectangular set that allows shifting. A strategy $\sigma _i \in \Sigma _i$ is admissible if, and only if, the value of $\{\sigma _i\} \times \Sigma _{-i}$ for player $i$ attains or exceeds that of $\Sigma $ for every reachable history.

Lemma 8

Consider game $\mathsf {G} $, a player i, and outcome $\rho $. If $\rho \models \phi _i$ and player $i$ does not decrease its own value in any prefix of $\rho $, then there exists a strategy profile $(\sigma _i,\sigma _{-i}) \in \mathsf{Adm}_i \times \Sigma _{-i}$ such that $\rho $ is the outcome of $(\sigma _i,\sigma _{-i})$.

Proof

We define the strategies $\sigma _i$ and $\sigma _{-i}$ such that they precisely follow $\rho $, but if a deviation from $\rho $ has occurred, they switch to non-dominated strategies. More precisely, if the current history is a prefix $\rho _{\le k}$ of $\rho $, then they proceed to the following state $\rho _{k+1}$. Otherwise there is k such that $h_k = \rho _k$, $h_{k+1} \ne \rho _{k+1}$, and starting from $h_{\le k+1}$, $\sigma _i$ follows a non-dominated strategy with respect to $\Sigma (h_{k+1})$. The fact that such non-dominated strategies exists follows from the existence of non-dominated strategies (Lemma 5) and the fact that this set allows shifting (Lemma 6). The outcome $\rho $ is obviously an outcome of this profile. We now have to show that the strategy $\sigma _i$ is admissible. According to Lemma 7, it is enough to show that for every history h compatible with $\sigma _i$, the value for player $i$ with respect to $\{\sigma _i\}\times \Sigma _{-i}$ is greater or equal to its value with respect to $\Sigma $.

Let h be a history compatible with $\sigma _i$. We distinguish the case where h has deviated from $\rho $ and the case where it has not.

If a deviation has occurred, then $\sigma _i$ follows a strategy non dominated with respect to $\Sigma (h_{\le k+1})$ where k is the last index where $h_k=\rho _k$. By Lemma 7, the value of $\{\sigma _i\}\times \Sigma _{-i}(h)$ in h is greater or equal to that of $\Sigma (h_{\le k+1})$. Since $\Sigma _{-i}(h) \subseteq \Sigma _{-i}(h_{\le k+1})$, the value of h with respect to $\{\sigma _i\}\times \Sigma _{-i}(h)$ is greater or equal to that with respect to $\Sigma (h)$. Note that by the definition of the value, the value of h with respect to a rectangular set $\Sigma '$ is equal to that of h with respect to $\Sigma '(h)$. Therefore the value of h with respect to $\{\sigma _i\} \times \Sigma $ is greater or equal to that with respect to $\Sigma $.

If a deviation has not occurred then h is a prefix of $\rho $. The value of h with respect to $\Sigma $ is greater or equal to 0 since $\rho $ is winning for $\phi _i$. Then:

if the value is 0, then as there is an outcome of $\sigma _i$ after this history which is winning (the outcome $\rho $), the value of $\sigma _i$ is at least 0;
if the value is 1, then we can show that from history h, $\sigma _i$ plays a winning strategy: if we stay along $\rho $, the outcome is winning; if we deviate in a state controlled by player $i$ then since player $i$ does not decrease its own value, the next state has value 1 and $\sigma _i$ reverts to a winning strategy; otherwise we deviate in a state s of the adversaries, because there is a winning strategy from states of value 1, there is also a winning strategies from all successors of s, so the outcome goes to a state of value 1 and $\sigma _i$ reverts to a winning strategy.

Therefore the property is satisfied by $\sigma _i$ and it is admissible. $\square $

We now introduce some notations to take into account the two previous lemmas in our characterization. We restrict ourselves here to prefix-independent objectives. For player $i$, let us define the sets $V_{i,x} = \{ s \mid \mathsf{Val}_i(s) = x\}$ for $x \in \{-1,0,1\}$, which partition $\mathsf {S}$. We define the set of value-preserving edges for player $i$ as

$$\begin{aligned} E_i = \{ (s,a) \in \mathsf {S}\times \textsf {Act}\mid s\in \textsf {S}_i \Rightarrow \mathsf{Val}_i(\delta (s,a)) = \mathsf{Val}_i(s)\}. \end{aligned}$$

Observe that value-preserving strategies for player $i$ are exactly those respecting $E_i$.

Example 3

In our running example of Fig. 2, it should be clear that any strategy that chooses a transition that goes to $s_3$ is not admissible nor for player $1$ neither for player $2$. By making such a choice, both players are condemned to lose for their own objectives while other choices would leave a chance to win. In fact, the choice of going to $s_3$ would decrease their own values. So, we can already conclude that player $2$ always chooses $s_2 \mapsto s_1$, which is his only admissible strategy.

However, not all value-preserving strategies are admissible: e.g. for Büchi objectives, staying inside the winning region (that is, states with value 1) does not imply the objective. Moreover, in states of value 0, admissible strategies must visit states where other players can “help” satisfy the objective. Formally, help states for player $i$ are other players’ states with value 0 and at least two different successors of value 0 or 1. Let us define

$$\begin{aligned} H_i= & {} \{ s \in \textsf {S}{\setminus } \textsf {S}_i \mid \mathsf{Val}_i(s) = 0 \wedge \exists s' \ne s''.\ \{ s' , s'' \}\\&\subseteq \delta (s,\textsf {Act}) \wedge \mathsf{Val}_i(s')\ge 0 \wedge \mathsf{Val}_i(s'')\ge 0\}. \end{aligned}$$

The following lemma, adapted from [5], characterizes the outcomes of admissible strategies. We denote by $\mathtt {G}(E_i)$ the set of outcomes that respect $E_i$, i.e. $\mathtt {G}(\bigvee _{(s,a)\in E_i} s \wedge \mathtt {X}(\delta (s,a)))$.

Lemma 9

For all games $\mathsf {G} $, and players i, we have $\mathsf {Out}_\mathsf {G} \cap \Phi _i = \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_i,\Sigma _{-i})$, where

$$\begin{aligned} \Phi _i = \mathtt {G}(E_i) \wedge (\mathtt {G}\mathtt {F}(V_{i,1}) \Rightarrow \phi _i) \wedge (\mathtt {G}\mathtt {F}(V_{i,0}) \Rightarrow \phi _i \vee \mathtt {G}\mathtt {F}(H_i)). \end{aligned}$$

Proof

In [5, Lemma 6], an automaton $\mathcal {A} _i^1$ is defined such that $\mathcal {A}_i^1 \cap \mathsf {Out}_\mathsf {G} (\Sigma ) = \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_i,\Sigma _{-i})$. Note that a more general construction $\mathcal {A} _i^n$ was given in [5] but we only need the case $n=1$ here.

We now analyze further the language of $\mathcal {A}_i^1$. The edges are those of $\mathtt {G}$ except for edges outside of $E_i$ (these edges are noted T in [5]), so the set of outcomes in $\mathcal {A}_i^1$ corresponds to $\mathsf {Out}_\mathsf {G} \cap \mathtt {G}(E_i)$. Now an outcome of $\mathcal {A}_i^1$ is accepted if, and only if one the following condition is satisfied, writing $\textsf {VR}(\rho )$ for the sequence $(\mathsf{Val}(\rho _i))_{i\in \mathbb {N}}$:

$\textsf {VR}(\rho ) \in 0^* (-1)^\omega $;
$\textsf {VR}(\rho ) \in 0^* 1^\omega $ and $\rho \models \phi _i$;
$\textsf {VR}(\rho ) \in 0^\omega $ and $\rho \models \phi _i$ or $\rho \models \mathtt {G}\mathtt {F}(H_i)$.

Any outcome of $\mathsf {Out}_\mathsf {G} \cap \mathtt {G}(E_i)$ reaching some state of value $-1$ is necessarily losing; thus all successors also have value $-1$. Similarly, because we removed edges where player $i$ decreases its own value, once the outcomes reaches a state of value 1, it never gets out of these states. Therefore outcomes of $\mathsf {Out}_\mathsf {G} \cap \mathtt {G}(E_i)$ have one of the three forms: $0^*(-1)^\omega $, $0^* 1^\omega $ or $0^\omega $.

Let $\rho $ be an outcome that is accepted by $\mathcal {A}_i^1$, it satisfies $\mathtt {G}(E_i)$ and:

if $\rho $ ends in the states of value $-1$ then it does not visit $V_{i,1}$ or $V_{i,0}$ infinitely often and thus belongs to $\Phi _i$;
if $\rho $ ends in the states of value 1, then by the acceptance condition it satisfies $\phi _i$ and thus belongs to $\Phi _i$;
otherwise it stays in the states of value 0, then by the acceptance condition, either it satisfies $\phi _i$ or $\mathtt {G}\mathtt {F}(H_i)$ and thus belongs to $\Phi _i$.

Now let $\rho $ be an outcome that satisfies $\phi _i$, it satisfies $\mathtt {G}(E_i)$ and therefore corresponds to a valid outcome of $\mathcal {A}_i^1$.

If $\rho $ ends in the states of value $-1$ then condition $\textsf {VR}(\rho ) \in 0^* (-1)^\omega $ is satisfied, thus $\rho $ is accepted by $\mathcal {A}_i^1$.
If $\rho $ ends in the states of value 1, then by definition of $\Phi _i$ it satisfies $\phi _i$ and condition $\textsf {VR}(\rho ) \in 0^* 1^\omega $ and $\rho \models \phi _i$ is satisfied, thus $\rho $ is accepted by $\mathcal {A}_i^1$.
Otherwise it stays in the states of value 0, then by definition of $\Phi _i$, either $\phi _i$ or $\mathtt {G}\mathtt {F}(H_i)$ holds for $\rho $, hence $\textsf {VR}(\rho ) \in 0^\omega $ and $\rho \models \phi _i$ or $\rho \models \mathtt {G}\mathtt {F}(H_i)$ is satisfied, thus $\rho $ is accepted by $\mathcal {A}_i^1$.

This shows that $\Phi _1\cap \mathsf {Out}_\mathsf {G} = \mathcal {A}^1_i \cap \mathsf {Out}_\mathsf {G} $ and by [5, Lemma 6], this equals $\mathsf {Out}(\mathsf{Adm}_i,\Sigma _{-i})$. $\square $

In our running example of Fig. 2, a strategy of player $1$ which, after some point, always chooses $s_1 \mapsto s_1$ is dominated by strategies that choose infinitely often $s_1 \mapsto s_2$. This is a corollary of the lemma above. Indeed, while all those strategies only visit states with value 0 (and so do not decrease the value for player $1$), the strategy that always chooses $s_1 \mapsto s_1$ has an outcome which is losing for player $1$ while the other strategies are compatible with outcomes that are winning for player $1$. So, all outcomes of admissible strategies for player $1$ that always visit states with values 0, also visits $s_2$ infinitely often. Using the fact that strategies are value-preserving and the last observation, we can now conclude that both players have (admissible) winning strategies against the admissible strategies of the other players. For instance when player $1$ always chooses to play $s_1 \mapsto s_2$, he wins against the admissible strategies of player $2$.

5.2 Algorithm for Müller objectives

For player $i$, let us define the objective

$$\begin{aligned} \Omega _i = \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_i) \wedge (\mathsf {Out}_\mathsf {G} (\mathsf{Adm}_{-i}) \Rightarrow \phi _i), \end{aligned}$$

which describes the outcomes of admissible strategies of player $i$, which satisfy objective $\phi _i$ under the hypothesis that they are compatible with other players’ admissible strategies. In fact, it follows from [5] that $\Omega _i$ captures the outcomes of $\mathsf {AA}$-winning strategies for player $i$.

Lemma 10

A player $i$ strategy is $\mathsf {AA}$-winning iff it is winning for objective $\Omega _i$.

Proof

It is shown in [5, Proposition 5] that a strategy of player $i$ is a strategy of $\Sigma ^{n}_i$ which is winning against all strategies of $\Sigma ^{n}_{-i}$ if, and only if, it is winning for objective $\Omega _i^n$ (where $\Sigma ^{n}$ is the set of strategies that remain after n steps of elimination, and $\Omega _i^1$ coincides with $\Omega _i$). The results immediately follows from the case $n=1$. $\square $

Thus, solving the $\mathsf {AA}$ rule is reduced to solving, for each player i, a game with objective $\Omega _i$. We now give the details of an algorithm with optimal complexity to solve games with these objectives. The algorithm uses procedures from [5], originally developed to compute the outcomes that survive the iterative elimination of dominated strategies. More precisely, the elimination procedure of [5] first computes the outcomes of admissible strategies;

from this it deduces the strategies that are not dominated when all players are restricted to admissible strategies, and their possible outcomes; and this is repeated until the set of outcomes stabilizes. In the end, one obtains the set of the outcomes that are the outcomes of strategy profiles that have survived this iterative elimination. In the rest of this section, we re-visit roughly the first iteration of the above procedure, and explicitly give algorithms to actually synthesize strategies that are winning against admissible strategies.

Objective $\Omega _i$ is not prefix-independent since $\Phi _i$ has a safety part, thus it cannot be directly expressed as a Müller condition. Since considering prefix-independent objectives simplifies the presentation and the proofs, we are going to encode the information whether $\mathtt {G}(E_i)$, or $\mathtt {G}(\cup _{j \ne i} E_j)$ has been violated in the state space.

Let us decompose $\Phi _i$ into $\Phi _i = S_i \wedge M_i$ where $S_i = \mathtt {G}(E_i)$ is a safety condition and

$$\begin{aligned} M_i = (\mathtt {G}\mathtt {F}(V_{i,1}) \Rightarrow \phi _i) \wedge (\mathtt {G}\mathtt {F}(V_{i,0}) \Rightarrow (\phi _i \vee \mathtt {G}\mathtt {F}(H_i))) \end{aligned}$$

is prefix-independent, and can be expressed by a Müller condition described by a circuit of polynomial size.

We now describe the encoding. For each player $i$, we define game $\mathsf {G} _i'$ by taking the product of $\mathsf {G} $ with $\{\top ,0,\bot \}$; that is, the states are $\mathsf {S}\times \{\top ,0,\bot \}$, and the initial state $(s_{\mathsf{init}},0)$. The transitions are defined as for $\mathsf {G} $ for the first component; while from state (s, 0), any action a outside $E_i$ leads to $(\delta (s,a),\bot )$, and any action a outside $E_j$, for some $j \ne i$, leads to $(\delta (s,a),\top )$. The second component is absorbing at $\bot ,\top $. We define

$$\begin{aligned} \Omega '_i = \left( \mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\} ) \wedge M'_i \wedge (\wedge _{j\ne i} M'_{j} \Rightarrow \phi '_i) \right) \vee \left( \mathtt {G}\mathtt {F}(\mathsf {S}\times \{\top \}) \wedge M'_i\right) , \end{aligned}$$

where $M_i'$ is the set of outcomes of $\mathsf {G} _i'$ whose projections to $\mathsf {G} $ are in $M_i$, and similarly for $\phi _i'$.

We will now establish the equivalence of $\mathsf {G} $ and $\mathsf {G} _i'$ for objectives $\Omega _i$ and $\Omega _i'$ respectively. Let us first formalize the correspondence between $\mathsf {G} $ and $\mathsf {G} _i'$. We define relation $\mathord {\sim } \subseteq \mathsf {S}\times \mathsf {S}'$: for all $(s,x) \in \mathsf {S}\times \{\bot ,0,\top \}$, $s \sim (s,x)$. We extend this to outcomes by $\rho \sim \rho '$ iff for all $i \in \mathbb {N}$, $\rho _i \sim \rho '_i$. The next lemma shows that the relation is a bijection between $\mathsf {Out}_\mathsf {G} $ and $\mathsf {Out}_{\mathsf {G} _i'}$.

Lemma 11

For any $\rho \in \mathsf {Out}_\mathsf {G} $ there is a unique $\rho ' \in \mathsf {Out}_{\mathsf {G} _i'}$ such that $\rho \sim \rho '$.

Proof

For any outcome $\rho \in \mathsf {Out}_{\mathsf {G} _i'}$, let us write $\pi (\rho )$ the projection to $\mathsf {Out}_{\mathsf {G}}$ defined by mapping each vertex (s, x) to s.

Assume towards a contradiction that we have $\rho '$ and $\rho ''$ such that $\rho = \pi (\rho ') = \pi (\rho '')$. Let k be the last state such that they coincide: $\rho '_k = \rho ''_k$ and $\rho '_{k+1} \ne \rho ''_{k+1}$. Since $\pi (\rho ') = \pi (\rho '')$ we have that they differ only by the second component. We can assume without loss of generality that there are actions a and b such that $(\rho _k,a) \in E_j$ (where player $j$ controls $\rho _k$), $(\rho _k,b) \not \in E_j$ and $\delta (\rho _k,a)= \rho _{k+1} = \delta (\rho _k,b) $. This means that there are actions a and b such that $(s,a) \in E_j$ (where player $j$ controls $\rho _k$), $(s,b) \not \in E_j$ and $\delta (\rho _k,a)= \rho _{k+1} = \delta (\rho _k,b) $. We have $\delta (\rho _k, b) = \delta (\rho _k,a)$, then by definition of $E_j$ and because $(\rho _k,a) \in E_j$, $\mathsf{Val}_j(\delta (s,a)) = \mathsf{Val}_j(s)$ therefore $\mathsf{Val}_j(\delta (s,b)) = \mathsf{Val}_j(s)$ and by definition of $E_j$, $(\rho _k,b)$ belongs to $E_j$ which contradicts our assumptions and ends the proof.$\square $

We thus write $\pi $ for the bijection which, to $\rho ' \in \mathsf {Out}_{\mathsf {G} _i'}$ associates $\rho \in \mathsf {Out}_{\mathsf {G}}$ with $\rho \sim \rho '$. We extend $\pi $ as a mapping from strategies of $\mathsf {G} '_i$ to strategies of $\mathsf {G} $ by $\pi (\sigma '_i) (h) = \sigma '_i(\pi ^{-1}(h))$. Observe that for all strategies $\sigma '_i$, $\pi (\mathsf {Out}_{\mathsf {G} _i'}(\sigma '_i)) = \mathsf {Out}_\mathsf {G} (\pi (\sigma '_i))$.

Lemma 12

Let $\mathsf {G} $ be a game, and i a player. Player i has a winning strategy for $\Omega _i$ in $\mathsf {G} $ if, and only if, he has a winning strategy for $\Omega '_i$ in $\mathsf {G} '_i$. Moreover if $\sigma '_i$ is winning for $\Omega '_i$ in $\mathsf {G} '_i$ then $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $.

Proof

We will first rewrite $\Omega _i$ in a form that is closer to that of $\Omega '_i$. The objective $\Omega _i$ is defined by $\mathsf {Out}_\mathsf {G} (\mathsf{Adm}_i) \cap (\mathsf {Out}_\mathsf {G} (\mathsf{Adm}_{-i}) \Rightarrow \phi _i)$. Observe that $\mathsf {Out}_\mathsf {G} (\mathsf{Adm}_{-i}) = \cap _{j \ne i} \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_j)$ by definition.

$$\begin{aligned} \Omega _i&= \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_i) \cap \left( \bigcap _{j\ne i} \mathsf {Out}_\mathsf {G} (\mathsf{Adm}_{j}) \Rightarrow \phi _i\right) \\ \Omega _i&= \Phi _i \cap \mathsf {Out}_\mathsf {G} \cap \left( \left( \mathsf {Out}_\mathsf {G} \cap \bigcap _{j\ne i} \Phi _{j}\right) \Rightarrow \phi _i\right) ~ \text {using Lemma 9} \\ \Omega _i&= \Phi _i \cap \mathsf {Out}_\mathsf {G} \cap \left( \bigcap _{j\ne i} \Phi _{j} \Rightarrow \phi _i\right) \\ \Omega _i&= \mathsf {Out}_\mathsf {G} \wedge \mathtt {G}(E_i) \wedge M_i \wedge \left( \left( \bigcap _{j\ne i} M_{j} \Rightarrow \phi _i\right) \vee \bigvee _{j\ne i} \lnot \mathtt {G}(E_j)\right) \\ \Omega _i&= \mathsf {Out}_\mathsf {G} \wedge \mathtt {G}(E_i) \wedge M_i \wedge \left( \left( \bigcap _{j\ne i} M_{j} \Rightarrow \phi _i\right) \vee \bigvee _{j\ne i} \mathtt {F}(\lnot E_j)\right) \end{aligned}$$

Let $\sigma _i$ be a winning strategy for $\Omega _i$ in $\mathsf {G} $. We consider the strategy $\sigma '_i$ defined by $\sigma '_i(h') = \sigma _i(\pi (h'))$ and will show that it is winning for $\Omega '_i$. Let $\rho '$ be an outcome of $\sigma '_i$. We have that $\pi (\rho ')$ is an outcome of $\sigma _i$. Since $\sigma _i$ is winning for $\Omega _i$, $\pi (\rho ')$ belongs to $\Omega _i$.

If $\pi (\rho ') \models M_i \wedge \mathtt {G}(E_i) \wedge \bigvee _{j\ne i} \mathtt {F}(\lnot E_j)$, then by construction of $\delta '$ the play $\rho '$ reaches a state of $\mathsf {S}\times \{\top \}$ and, from there, only states of $\mathsf {S}\times \{\top \}$ are visited. The condition $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ \top \}) \wedge M_i$ is met by $\rho '$ and therefore $\rho '$ is winning for $\Omega '_i$.
Otherwise $\pi (\rho ') \models M_i \wedge \mathtt {G}(E_i) \wedge (\bigwedge _{j\ne i} M_j) \Rightarrow \phi _i$. By construction of $\delta '$ the play $\rho '$ stays in $\mathsf {S}\times \{0\}$. The condition $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\}) \wedge M_i\wedge (\bigwedge _{j\ne i} M_j) \Rightarrow \phi _i$ is met by $\rho '$ and therefore $\rho ' \in \Omega '_i$.

This shows that the strategy $\sigma '_i$ is winning for $\Omega '_i$ in $\mathsf {G} '_i$.

Let $\sigma '_i$ be a winning strategy for $\Omega '_i$ in $\mathsf {G} '_i$, we show that $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $. Let $\rho $ be an outcome of $\pi (\sigma '_i)$. We have that $\pi ^{-1}(\rho )$ is an outcome of $\sigma '_i$. Since $\sigma '_i$ is winning for $\Omega '_i$, $\pi ^{-1}(\rho )$ belongs to $\Omega '_i$. We have that $\pi ^{-1}(\rho ) \models \mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0,\top \})$ and by construction of $\delta '$ this ensures that all edges that are taken belong to $E_i$ and thus $\pi ^{-1}(\rho )$ satisfies the condition $\mathtt {G}(E_i)$.

If $\pi ^{-1}(\rho ) \models \mathtt {G}\mathtt {F}(S \times \{\top \}) \wedge M_i$ then by construction of $\delta '$, an edge outside of $E_j$ for some $j\ne i$ is taken. This ensures condition $\mathtt {F}(\lnot E_j)$ and therefore $\rho $ belongs to $\Omega _i$.
otherwise $\pi ^{-1}(\rho ) \models (\bigwedge _{j\ne i} M_j \Rightarrow \phi _i)$ and therefore $\rho $ satisfies the condition $\mathtt {G}(E_i) \wedge M_i \wedge \left( \bigcap _{j\ne i} M_{j} \Rightarrow \phi _i\right) $ and hence belongs to $\Omega _i$.

This shows that the strategy $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $. $\square $

This characterization yields a PSPACE algorithm for checking whether a given player has a $\mathsf {AA}$-winning strategy. In fact, when objectives $\phi _i$ are given as Müller conditions (described by circuits), the value sets $V_{i,-1}, V_{i,0}, V_{i,1}$ and $H_i$ can be computed in PSPACE. Formulae $M_i$ can be written as circuits of size linear in the size of $\phi _i$ and the size of the game (in fact, one needs to encode the sets $V_{i,\cdot }$). Condition $\Omega _i'$ can also be written in linear size. Last, the game $\mathsf {G} _i'$ can be constructed in linear time from $\mathsf {G} $. The algorithm consists in solving $\mathsf {G} _i'$ for Player i with objective $\Omega _i'$. Moreover, PSPACE-hardness follows from that of Muller games.

Theorem 1

Deciding the existence of an $\mathsf {AA}$-winning strategy profile is PSPACE-complete for Müller objectives.

Computation of $\mathsf {AA}$ -winning Strategy Profiles We just proved the PSPACE-completeness of the decision problem; here, we show how to actually compute $\mathsf {AA}$-winning strategies. Thanks to Lemma 12, we obtain an algorithm to compute $\mathsf {AA}$-winning strategies by looking for winning strategies in $\mathsf {G} '_i$ and projecting them:

Theorem 2

Given a game $\mathsf {G} $ with Muller objectives, if $\mathsf {AA}$ has a solution, then an $\mathsf {AA}$-winning strategy profile can be computed in exponential time.

Proof

If $\mathsf {AA}$ has a solution, then by Lemma 12, there is a winning strategy for $\Omega '_i$ in $\mathsf {G} '_i$. This Muller game has polynomial size, hence we can compute a winning strategy $\sigma '_i$ in exponential time (for instance in [29] the authors show that we can compute such a winning strategy via a safety game of size $|\mathsf {S}|!^3$). By Lemma 12, the projection $\pi (\sigma '_i)$ is an $\mathsf {AA}$-winning strategy. Doing this for each player we obtain a strategy profile solution of $\mathsf {AA}$. $\square $

5.3 Algorithm for Büchi objectives

In this section, we show that the complexity of the problem can be substantially reduced if players’ objective are described by Büchi conditions. In fact, we give a polynomial-time algorithm in this case by showing that $\Omega _i'$ is expressible by a parity condition with only four colors.

Theorem 3

The existence of an $\mathsf {AA}$-winning strategy profile can be decided in polynomial time for Büchi objectives.

The following of this section is devoted to proving this theorem. In the case of Büchi objectives, let us write $\phi _i = \mathtt {G}\mathtt {F}(B_i)$ the objective of player $i$. We can then rewrite the objective $M_i$ defined in Sect. 5.2 as $M_i = (\mathtt {G}\mathtt {F}(V_{i,1}) \Rightarrow \mathtt {G}\mathtt {F}(B_i)) \wedge (\mathtt {G}\mathtt {F}(V_{i,0}) \Rightarrow (\mathtt {G}\mathtt {F}(B_i) \vee \mathtt {G}\mathtt {F}(H_i)))$. In game $\mathsf {G} $, an outcome that satisfies $\mathtt {G}(E_i)$ will either visit only $V_{i,1}$ after some point, or only $V_{i,-1}$ after some point, or only $V_{i,0}$ (see the proof of Lemma 9 for details). In order to simplify the notations, and since the propositions $V_{i,1}, V_{i,0}, V_{i,-1}$ are mutually exclusive in the game $\mathsf {G} $, in the following we will only write $V_{i,1}$ to mean $V_{i,1} \wedge \lnot V_{i,0} \wedge \lnot V_{i,-1}$ (and similarly $V_{i,0}$ and $V_{i,-1}$). We show that $M_i$ coincide with $\mathtt {G}\mathtt {F}((V_{i,1} \wedge B_i) \vee (V_{i,0} \wedge B_i) \vee (V_{i,0} \wedge H_i) \vee V_{i,-1})$ on the language $\mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i)$:

$$\begin{aligned} \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap M_i&= \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap (\mathtt {F}\mathtt {G}(V_{i,1}) \cup \mathtt {F}\mathtt {G}(V_{i,-1}) \cup \mathtt {G}(V_{i,0})) \cap M_i \\&= \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap ((\mathtt {F}\mathtt {G}(V_{i,1}) \cap M_i)\\&\quad \cup (\mathtt {G}(V_{i,0}) \cap M_i) \cup (\mathtt {G}\mathtt {F}(V_{i,-1}) \cap M_i))\\ \mathtt {F}\mathtt {G}(V_{i,1}) \cap M_i&= \mathtt {F}\mathtt {G}(V_{i,1}) \cap \mathtt {G}\mathtt {F}(B_i) \\&= \mathtt {F}\mathtt {G}(V_{i,1}) \cap \mathtt {G}\mathtt {F}(V_{i,1} \cap B_i) \\ \mathtt {F}\mathtt {G}(V_{i,0}) \cap M_i&= \mathtt {F}\mathtt {G}(V_{i,0}) \cap (\mathtt {G}\mathtt {F}(B_i) \cup \mathtt {G}\mathtt {F}(H_i)) \\&= \mathtt {F}\mathtt {G}(V_{i,0}) \cap \mathtt {G}\mathtt {F}(V_{i,0} \cap (B_i \cup H_i)) \\ \mathtt {F}\mathtt {G}(V_{i,-1}) \cap M_i&= \mathtt {F}\mathtt {G}(V_{i,-1}) \\ \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap \mathtt {F}\mathtt {G}(V_{i,j})&= \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap \mathtt {G}\mathtt {F}(V_{i,j}) ~ \text {for all } j \in \{ -1, 0, 1\} \end{aligned}$$

Hence:

$$\begin{aligned} \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap M_i&= \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \cap \mathtt {G}\mathtt {F}(V_{i,1} \cap B_i)\\&\quad \cup \mathtt {G}\mathtt {F}((V_{i,0} \cap B_i) \cup (V_{i,0} \cap H_i)) \cup \mathtt {G}\mathtt {F}(V_{i,-1})\\&= \mathsf {Out}_\mathsf {G} (\Sigma ) \cap \mathtt {G}(E_i) \\&\quad \cap \mathtt {G}\mathtt {F}((V_{i,1} \cap B_i) \cup (V_{i,0} \cap B_i) \cup (V_{i,0} \cap H_i) \cup V_{i,-1}) \end{aligned}$$

Therefore $M_i$ coincide with the Büchi condition $\mathtt {G}\mathtt {F}(C_i)$ where $C_i = (V_{i,1} \cap B_i) \cup (V_{i,0} \cap B_i) \cup (V_{i,0} \cap H_i) \cup V_{i,-1}$.

We write $C_i'$ for the states of $\mathsf {G} '_i$ whose projection is in $C_i$. We will also write $B'_i$ for the states $B_i \times \{\bot ,0,\top \}$ of the game $\mathsf {G} '_i$.

We define

$$\begin{aligned} \Omega ''_i= & {} (\mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\}) \wedge \mathtt {G}\mathtt {F}(C_i') \wedge \left( \bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j') \right. \\&\left. \Rightarrow \mathtt {G}\mathtt {F}(B_i \times \{\bot ,0,\top \}))) \vee (\mathtt {G}\mathtt {F}(\mathsf {S}\times \{\top \}) \wedge \mathtt {G}\mathtt {F}(C_i')\phantom {\bigwedge _{j\ne i}}\right) . \end{aligned}$$

Notice that $\Omega _i''$ is obtained from $\Omega _i'$ by replacing each $M_j'$ by $\mathtt {G}\mathtt {F}(C_j')$. From the observations above, it follows that $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\}) \wedge \mathtt {G}\mathtt {F}(C_i')$ is equivalent to $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\})\wedge M_i'$; however, this is not the case a priori for players $j\ne i$. Nevertheless, we prove in the following lemma that winning for objective $\Omega _i''$ in $\mathsf {G} '$ is equivalent to winning for the objective $\Omega _i$ in $\mathsf {G} $ for Player i.

Lemma 13

Let $\mathsf {G} $ be a game, and i a player. Player i has a winning strategy for $\Omega _i$ in $\mathsf {G} $ if, and only if, he has a winning strategy for $\Omega ''_i$ in $\mathsf {G} '_i$. Moreover if $\sigma '_i$ is winning for $\Omega ''_i$ in $\mathsf {G} '_i$ then $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $.

Proof

The proof is very similar to Lemma 12. First as we proved in the proof of Lemma 12, we have that:

$$\begin{aligned} \Omega _i = \mathsf {Out}_\mathsf {G} \wedge \mathtt {G}(E_i) \wedge M_i \wedge \left( \left( \bigcap _{j\ne i} M_{j} \Rightarrow \phi _i\right) \vee \bigvee _{j\ne i} \mathtt {F}(\lnot E_j)\right) \end{aligned}$$

We then prove the equivalence.

Let $\sigma _i$ be a winning strategy for $\Omega _i$ in $\mathsf {G} $. We consider the strategy $\sigma '_i$ defined by $\sigma '_i(h') = \sigma _i(\pi (h'))$ and will show that it is winning for $\Omega '_i$. Let $\rho '$ be an outcome of $\sigma '_i$. We have that $\pi (\rho ')$ is an outcome of $\sigma _i$. Since $\sigma _i$ is winning for $\Omega _i$, $\pi (\rho ')$ belongs to $\Omega _i$.
- If $\pi (\rho ') \models \mathtt {G}(E_i) \wedge \mathtt {G}\mathtt {F}(C_i') \wedge \bigvee _{j\ne i} \mathtt {F}(\lnot E_j)$ then it also satisfies $M_i \wedge \mathtt {G}(E_i) \wedge \bigvee _{j\ne i} \mathtt {F}(\lnot E_j)$. By construction of $\delta '$ the play $\rho '$ reaches a state of $\mathsf {S}\times \{\top \}$ and, from there, only states of $\mathsf {S}\times \{\top \}$ are visited. The condition $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ \top \}) \wedge M_i$ is met by $\rho '$. Therefore $\rho '$ satisfies $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ \top \}) \wedge \mathtt {G}\mathtt {F}(C_i')$. It is thus winning for $\Omega ''_i$.
- Otherwise $\pi (\rho ') \models M_i \wedge \mathtt {G}(E_i) \wedge (\bigwedge _{j\ne i} M_j) \Rightarrow \phi _i$. By construction of $\delta '$ the play $\rho '$ stays in $\mathsf {S}\times \{0\}$. The condition $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\}) \wedge M_i\wedge (\bigwedge _{j\ne i} M_j) \Rightarrow \phi _i$ is met by $\rho '$. Therefore $\mathtt {G}\mathtt {F}(C_i')$ is also met. Since having $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\})$ means that no edge outside of $E_j$ is seen for any player $j$, under the assumption $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\})$, $\bigwedge _{j\ne i} M_j$ is equivalent to $\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j')$. Therfore $\rho '$ satisfies $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\}) \wedge \mathtt {G}\mathtt {F}(C_i') \wedge (\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j') \Rightarrow \mathtt {G}\mathtt {F}(B_i \times \{\bot ,0,\top \}))$. It is thus winning for $\Omega ''_i$.
This shows that the strategy $\sigma '_i$ is winning for $\Omega ''_i$ in $\mathsf {G} '_i$.
Let $\sigma '_i$ be a winning strategy for $\Omega ''_i$ in $\mathsf {G} '_i$, we show that $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $. Let $\rho $ be an outcome of $\pi (\sigma '_i)$. We have that $\pi ^{-1}(\rho )$ is an outcome of $\sigma '_i$. Since $\sigma '_i$ is winning for $\Omega ''_i$, $\pi ^{-1}(\rho )$ belongs to $\Omega ''_i$. We have that $\pi ^{-1}(\rho ) \models \mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0,\top \})$ and by construction of $\delta '$ this ensures that all edges that are taken belong to $E_i$ and thus $\pi ^{-1}(\rho )$ satisfies the condition $\mathtt {G}(E_i)$.
- If $\pi ^{-1}(\rho ) \models \mathtt {G}\mathtt {F}(S \times \{\top \}) \wedge \mathtt {G}\mathtt {F}(C_i')$ then by construction of $\delta '$, an edge outside of $E_j$ for some $j\ne i$ is taken. This ensures condition $\mathtt {F}(\lnot E_j)$ and therefore $\rho $ belongs to $\Omega _i$.
- otherwise $\pi ^{-1}(\rho ) \models \mathtt {G}\mathtt {F}(S \times \{ 0 \}) \wedge \mathtt {G}\mathtt {F}(C_i') \wedge (\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j') \Rightarrow \mathtt {G}\mathtt {F}(B_i \times \{ \bot , 0, \top \}))$. Since $\rho $ satisfies condition $\mathtt {G}(E_i)$, it also satisfies $M_i$ (by the main property of $C_i'$). And since having $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\})$ means that no edge outside of $E_j$ is seen for any player $j$, under the assumption $\mathtt {G}\mathtt {F}(\mathsf {S}\times \{ 0\})$, $\bigwedge _{j\ne i} M_j$ is equivalent to $\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j')$. Therefore $\rho $ satisfies $\mathtt {G}(E_i)\wedge M_i \wedge \left( \bigcap _{j\ne i} M_{j} \Rightarrow \phi _i\right) $ and hence belongs to $\Omega _i$.
This shows that the strategy $\pi (\sigma '_i)$ is winning for $\Omega _i$ in $\mathsf {G} $. $\square $

Since in game $\mathsf {G} _i'$, states of $\mathsf {S}\times \top $ and $\mathsf {S}\times \bot $ are absorbing (no play can get out of those components) we write an objective equivalent to $\Omega _i''$ in terms of runs of $\mathsf {G} '_i$ it defines, which is: $(\mathtt {G}\mathtt {F}(C_i'\times \{0\}) \wedge (\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j') \Rightarrow \mathtt {G}\mathtt {F}(B_i))) \vee (\mathtt {G}\mathtt {F}(C_i' \times \{\top \})$. We define a (small) deterministic parity automaton $\mathcal {A}$ which recognizes this language. Its state space is $(\{s,t,u,v\} \times (\{ j \mid j \in \mathcal {P}{\setminus }\{ i \}\} \cup \{ f \}))$. Intuitively the first component monitors which of $C_i'$ and $B_i$ occurs infinitely often, and the second component monitors whether we satisfy each of the conditions $\mathtt {G}\mathtt {F}(C_j')$. The transition relation is a product of transitions for the two components: $s\xrightarrow {C_i' \times \{0,\top \}} u$, $u \xrightarrow {\lnot C_i'} t$, $\{ t,u \} \xrightarrow {C_i' \setminus B_i'} u$, $\{t,u\} \xrightarrow {B_i'} v$, $v \xrightarrow ~s$, and $j\xrightarrow {\lnot B_j \times \{0\}} j$, $j \xrightarrow {B_j \times \{0\}} j'$ where $j'$ is $j+1$ if $j+1 \in \mathcal {P}{\setminus } \{i\}$, $j+2$ if $j+1=i$ and $j+2\in \mathcal {P}$, f otherwise, $f \xrightarrow ~ j_0$ where $j_0$ is the smallest element of $\mathcal {P}{\setminus } \{i\}$. The structure of the two components of the automaton are represented in Figs. 3 and 4. The coloring is defined by a function $\chi $ where $\chi (v,*) = 4$ (where $*$ is any possible second component), $\chi (\{s,t,u\},f)=3$, $\chi (u,\mathcal {P}{\setminus }\{i\}) = 2$, and for all other states s, $\chi (s)=1$. A word is accepted by $\mathcal {A}$ when the maximal color appearing infinitely often is even.

We show that a play of $\mathsf {G} '_i$ satisfies $\Omega ''_i$ if, and only if, it is a word accepted by $\mathcal {A}$.

Let $\rho $ be a play of $\mathsf {G} '_i$ which satisfies $\Omega ''_i$. Either it ends in the $\mathsf {S}\times \top $ component or the $\mathsf {S}\times 0$ component:

If $\rho $ ends in the $\top $ component then the state of color 3 will not be visited infinitely often, because we need to be in the $\mathsf {S}\times 0$ part of the game to progress on the second component of the automaton. As $\rho $ visits infinitely often $C_i'$, the corresponding outcome in $\mathcal {A}$ will visit infinitely often u, and therefore the maximal color that appears infinitely often is either 2 or 4.
Otherwise $\rho $ ends in the 0 component. Since $\rho $ satisfies $\Omega ''_i$, it visits $C_i'$ infinitely often and either there is a $C_j'$ for $j\ne i$ that is not visited infinitely often, or $\rho $ visits infinitely often $B_i'$.
- If there is a $C_j'$ for $j\ne i$ that is not visited infinitely often, then the second component of $\mathcal {A}$ will get stuck at some point and its state f which is neccessary for color 3, will not be visited infinitely often. As $\rho $ visits infinitely often $C_i'$, the corresponding outcome in $\mathcal {A}$ will visit infinitely often u, and therefore the maximal color that appears infinitely often is either 2 or 4.
- Otherwise $\rho $ visits infinitely often $B_i'$. Since we also visit $C_i'$ infinitely often, the outcome of $\mathcal {A}$ corresponding to $\rho $ will reach infinitely often a state $(v,*)$ and therefore the maximal color occurring infinitely often is 4.

This proves that the word is accepted by $\mathcal {A}$.

Now let $\rho $ be a play of $\mathsf {G} '_i$ such that the corresponding word is accepted by $\mathcal {A}$. If it is accepted then either the color 4 is seen infinitely often or the color 2 is and the color 3 is not:

If the color 4 is visited infinitely often then this means t is reached infinitely often in the first component, and because of the structure of $\mathcal {A}$, u also is, which means both $C_i'\times \{0\}$ and $B_i'$ occurs infinitely often. This implies that the outcome $\rho $ belongs to $\Omega ''_i$.
Otherwise the color 2 is visited infinitely often and 3 is not. The states $(*,\top )$ are therefore not visited infinitely often (otherwise the maximal color would be 3 or 4). We deduce from that and the structure of $\mathcal {A}$ that some $C_j'$ for $j\ne i$ is not visited infinitely often. This means $\bigwedge _{j\ne i} \mathtt {G}\mathtt {F}(C_j')$ is not true for $\rho $. Since the color 2 is seen infinitely often, this means $u,*$ is seen infinitely often and therefore $B_i \times \{ 0, \top \}$. This ensures $\rho $ belongs to $\Omega ''_i$.

This proves that a play of $\mathsf {G} '_i$ satisfy $\Omega ''_i$ if, and only if, it is a word accepted by $\mathcal {A}$.

Then solving the game $\mathsf {G} '_i$ with objective $\Omega ''_i$ is the same as solving it with objective given by $\mathcal {A}$. This can be done by solving the parity game obtained by the product of $\mathsf {G} '_i$ with the automaton $\mathcal {A}$. The obtained game is of polynomial size and the number of priorities is 4, such games can be solved in polynomial time (see for instance [25, 31]) and therefore we can decide our problem in polynomial time.

Computation of $\mathsf {AA}$ -winning strategies

Theorem 4

Given a game $\mathsf {G} $ with Büchi objectives, if $\mathsf {AA}$ has a solution, then an $\mathsf {AA}$-winning strategy profile can be computed in polynomial time.

Proof

If $\mathsf {AA}$ has a solution, then by Lemma 13, there is a winning strategy for $\Omega ''_i$ in $\mathsf {G} '_i$. This parity game has polynomial size and only 4 priorities. We can compute a winning strategy $\sigma '_i$ in polynomial time for this kind of games (for instance in [1] the authors compute the most permissive strategy in time $\mathcal {O}(n^{d/2 + 1})$ where n is the size of the game and d the number of priorities). By Lemma 13, the projection $\pi (\sigma '_i)$ is an $\mathsf {AA}$-winning strategy. Doing this for each player we obtain a strategy profile solution of $\mathsf {AA}$. $\square $

Reduction to Strategy Logic As we already mentioned it in the introduction, we can reduce the existence of a winning $\mathsf {AA}$-profile to the model-checking problem of a strategy logic formula [10, 27]. The strategy logic formula is obtained directly from the definition of winning $\mathsf {AA}$-profiles using quantification over strategies and LTL formulas to express the objectives of each player. Remember that the objectives of the players are either succinct Muller objectives defined by circuits, or Büchi objectives defined sets of accepting states, one per player.

To study the complexity of the algorithm that we get from such a reduction, we note that the formula of strategy logic that are construct are of constant alternation depth as strategy quantifiers are used exactly as in the definition of winning $\mathsf {AA}$-profiles and so the number of alternation does not depend on the instance of the problem that is considered. On the contrary, the size of the formula which is generated is bounded:

exponentially in the size of the game graph for succinct Muller games (as – to the best of our knowledge – there does not exist succinct ways to code succinct Muller objectives into LTL objectives),
bounded polynomially in the size of the game graph times the number of players (as on the contrary Büchi objectives can be coded succinctly in LTL).

Now, if we apply theorem 3 of [10], we get a 2ExpTime algorithm for succinct Muller games and a ExpTime algorithm for Büchi games.

Our results provide better complexities as we provide a PSpace algorithm for succinct Muller games and a PTime algorithm for Büchi games Ñ matching the known lower bounds for the respective problems. Also, we could add that for reachability and safety objectives, easy extension of our solution provides polynomial time algorithms when the number of players is fixed (this is a consequence of Theorem 4 of [5]). Again, those results are out of reach of a direct reduction to strategy logic.

6 Abstraction framework

We present abstraction techniques to compute assume-admissible strategy profiles following the abstract interpretation framework [13]; see [21] for games. Abstraction is a crucial feature for scalability in practice, and we show here that the $\mathsf {AA} $ rule is amenable to abstraction techniques. The problem is not directly reducible to computing $\mathsf {AA}$-winning strategies in abstract games obtained as e.g. in [15]; in fact, the set of admissible strategies of an abstract game is incomparable with those of the concrete game in general; we give this evidence in “Appendix 2”. Thus, we are going to revisit the assume-admissible synthesis algorithm presented in the previous section, and give an effective sufficient criterion that can be decided solely on the abstract state space.

Overview Informally, to compute an $\mathsf {AA}$-winning strategy for player $k$, we construct an abstract game $\mathcal {A}_k'$ with objective $\underline{\Omega }_k'$ s.t. winning strategies of player $k$ in $\mathcal {A}_k'$ map to $\mathsf {AA}$-winning strategies in $\mathsf {G} $. To define $\mathcal {A}_k'$, we re-visit the steps of the algorithm of Sect. 5 by defining approximations computed on the abstract state space. More precisely, we show how to compute under- and over-approximations of the sets ${V}_{x,k}$, namely $\underline{V}_{x,k}$ and $\overline{V}_{x,k}$, using fixpoint computations on the abstract state space only. We then use these sets to define approximations of the value preserving edges ($\underline{E}_k$ and $\overline{E}_k$) and those of the help states ($\underline{H}_k$ and $\overline{H}_k$). These are then combined to define objective $\underline{\Omega '}_k$ s.t. if player k wins the abstract game for $\underline{\Omega '}_k$, then he wins the original game for $\Omega _k'$, and thus has an $\mathsf {AA}$-winning strategy.

6.1 Abstract games

Consider $\mathsf {G} = \langle \mathsf{A}, (\phi _i)_{i\in \mathcal {P}}\rangle $ with $ \mathsf{A}= \left\langle \mathcal {P}, (\mathsf {S}_i)_{i\in \mathcal {P}}, s_{\mathsf{init}}, (\textsf {Act}_i)_{i\in \mathcal {P}}, \delta \right\rangle $ where each $\phi _i$ is a Müller objective given by a family of sets of states $(\mathcal {F}_i)_{i\in \mathcal {P}}$. Let $\mathsf {S}^\mathsf{a}= \biguplus _{i \in \mathcal {P}}\mathsf {S}^\mathsf{a}_i$ denote a finite set, namely the abstract state space. A concretization function $\gamma :\mathsf {S}^\mathsf{a}\mapsto 2^\mathsf {S}$ is a function such that:

the abstract states partitions the state space: $\biguplus _{s^\mathsf{a}\in \mathsf {S}^\mathsf{a}} \gamma (s^\mathsf{a}) = \mathsf {S}$,
it is compatible with players’ states: for all players i and $s^\mathsf{a}\in \mathsf {S}_i^\mathsf{a}$, $\gamma (s^\mathsf{a}) \subseteq \mathsf {S}_i$.

We define the corresponding abstraction function ${\alpha } : \mathsf {S}\rightarrow \mathsf {S}^\mathsf{a}$ where $\alpha (s)$ is the unique state $s^\mathsf{a}$ s.t. $s \in \gamma (s^\mathsf{a})$. We also extend $\alpha ,\gamma $ naturally to sets of states; and to histories, by replacing each element of the sequence by its image.

The pair of abstraction and concretization functions $(\alpha ,\gamma )$ actually defines a Galois connection:

Lemma 14

The pair $(\alpha ,\gamma )$ is a Galois connection, that is, for all $S \subseteq \mathsf {S}$ and $T \subseteq \mathsf {S}^\mathsf{a}$, we have that $\alpha (S) \subseteq T$ if, and only if, $S\subseteq \gamma (T)$.

Proof

Let $s\in S$. Since $\gamma $ defines a partition of $\mathsf {S}$, there exists $t\in \mathsf {S}^\mathsf{a}$ such that $s \in \gamma (t)$. By definition of $\alpha $, $\alpha (s) = t$. Assuming $\alpha (S) \subseteq T$, we have that $t \in T$. As $s\in \gamma (t)$, we have $s \in \gamma (T)$.

If $s^\mathsf{a}\in \alpha (S)$, then there is $s\in S$ such that $s^\mathsf{a}= \alpha (s)$. Assuming $S \subseteq \gamma (T)$, there is $t\in T$ such that $s = \gamma (t)$. By definition of $\alpha $, we have that $\alpha (s) = t$. Therefore $s^\mathsf{a}\in T$. $\square $

We further assume that $\gamma $ is compatible with all objectives $\mathcal {F}_i$ in the sense that the abstraction of a set S is sufficient to determine whether $S \in \mathcal {F}_i$: for all $i \in \mathcal {P}$, for all $S,S' \subseteq \mathsf {S}$ with $\alpha (S) = \alpha (S')$, we have $S \in \mathcal {F}_i \Leftrightarrow S' \in \mathcal {F}_i$. If the objective $\phi _i$ is given by a circuit, then the circuit for the corresponding abstract objective $\phi _i^\mathsf{a}$ is obtained by replacing each input on state s by $\alpha (s)$. We thus have $\rho \in \phi _i$ if, and only if, $\alpha (\rho ) \in \phi ^\mathsf{a}_i$.

The abstract transition relation $\Delta ^{\mathsf{a}}$ induced by $\gamma $ is defined by:

$$\begin{aligned} (s^\mathsf{a},a,t^\mathsf{a}) \in \Delta ^{\mathsf{a}} \Leftrightarrow \exists s \in \gamma (s^\mathsf{a}), \exists t \in \gamma (t^\mathsf{a}), t = \delta (s,a). \end{aligned}$$

We write $\textsf {{post}}_\Delta (s^\mathsf{a},a) {=} \{ t^\mathsf{a}\in \mathsf {S}^\mathsf{a}\mid \Delta (s^\mathsf{a},a,t^\mathsf{a})\}$, and $\textsf {{post}}_\Delta (s^\mathsf{a},\textsf {Act}) {=}\cup _{a \in \textsf {Act}} \textsf {{post}}_\Delta (s^\mathsf{a},a)$. For each coalition $C\subseteq \mathcal {P}$, we define a game in which players C play together against coalition $-C$; and the former resolves non-determinism in $\Delta ^\mathsf{a}$. Intuitively, the winning region for C in this abstract game will be an over-approximation of the winning region for C in the original game. Given C, the abstract arena $\mathcal {A}^{C}$ is $\langle \{ C , -C \}, (\mathsf {S}_C,\mathsf {S}_{-C}), \alpha (s_{\mathsf{init}}), (\textsf {Act}_C, \textsf {Act}_{-C}), \delta ^{\mathsf{a},C} \rangle $, where

$$\begin{aligned} \mathsf {S}_C = \left( \bigcup _{i\in C} \mathsf {S}^\mathsf{a}_i\right) \cup \left( \bigcup _{i\in \mathcal {P}} \mathsf {S}^\mathsf{a}_i \times \textsf {Act}_i \right) ,~ \mathsf {S}_{-C} = \bigcup _{i\not \in C} \mathsf {S}^\mathsf{a}_i, \end{aligned}$$

and $\textsf {Act}_C = \left( \bigcup _{i\in C} \textsf {Act}_i\right) \cup \mathsf {S}^\mathsf{a}$ and $\textsf {Act}_{-C} = \bigcup _{i\in -C} \textsf {Act}_i$. The relation $\delta ^{\mathsf{a},C}$ is given by: if $s^\mathsf{a}\in \mathsf {S}^\mathsf{a}$, then $\delta ^{\mathsf{a},C}(s^\mathsf{a},a) = (s^\mathsf{a},a)$. If $(s^\mathsf{a},a) \in \mathsf {S}^\mathsf{a}\times \textsf {Act}$ and $t^\mathsf{a}\in \mathsf {S}^\mathsf{a}$ satisfies $(s^\mathsf{a},a,t^\mathsf{a})\in \Delta ^\mathsf{a}$ then $\delta ^{\mathsf{a},C}((s^\mathsf{a},a), t^\mathsf{a}) = t^\mathsf{a}$; while for $(s^\mathsf{a},a,t^\mathsf{a})\not \in \Delta ^\mathsf{a}$, the play leads to an arbitrarily chosen state $u^\mathsf{a}$ with $\Delta (s^\mathsf{a},a,u^\mathsf{a})$. Thus, from states $(s^\mathsf{a},a)$, coalition C chooses a successor $t^\mathsf{a}$ which satisfies $\Delta ^\mathsf{a}$.

We extend $\gamma $ to histories of $\mathcal {A}^{C}$ by first removing states of $(\mathsf {S}^\mathsf{a}_i\times \textsf {Act}_i)$; and extend $\alpha $ by inserting these intermediate states. Given a strategy $\sigma $ of player k in $\mathcal {A}^{C}$, we define its concretization as the strategy $\gamma (\sigma )$ of $\mathsf {G} $ that, at any history h of $\mathsf {G} $, plays $\gamma (\sigma )(h) = \sigma (\alpha (h))$. We write $\mathsf {Win} _D(\mathcal {A}^{C},\phi ^{\mathsf{a}}_k)$ for the states of $\mathsf {S}^\mathsf{a}$ from which the coalition D has a winning strategy in $\mathcal {A}^{C}$ for objective $\phi ^\mathsf{a}_k$, with $D \in \{C,-C\}$. Informally, it is easier for coalition C to achieve an objective in $\mathcal {A}^{C}$ than in $\mathsf {G} $, that is, $\mathsf {Win} _C(\mathcal {A}^C,\phi ^\mathsf{a}_k)$ over-approximates $\mathsf {Win} _C(\mathsf{A},\phi _k)$:

Lemma 15

If the coalition C has a winning strategy for objective $\phi _k$ in $\mathsf {G} $ from s then it has a winning strategy for $\phi _k^\mathsf{a}$ in $\mathcal {A}^{C}$ from $\alpha (s)$.

Proof

Assume $\sigma _C$ is a winning profile of coalition C, for objective $\phi _k$ in $\mathsf {G} $. We define by induction a winning strategy $\sigma ^\mathsf{a}_C$ in $\mathsf {G} ^{\mathsf{a},k,C}$. We assume that $\sigma ^\mathsf{a}_C$ has been defined in a manner such that for each finite outcome $h^\mathsf{a}$ of $\sigma ^\mathsf{a}_C$ shorter than some bound m, there is some $h\in \gamma (h^\mathsf{a})$ such that h is a finite outcome of $\sigma _C$. The idea is then to define $\sigma ^\mathsf{a}_C$ to resolve the determinism in a way which simulates the behavior from h.

If $s_i^\mathsf{a}\in \bigcup _{i\in \mathcal {P}} \mathsf {S}^\mathsf{a}_i \times \textsf {Act}_i$, then $\sigma ^\mathsf{a}_C(h^\mathsf{a}\cdot (\mathsf {last}(h^\mathsf{a}),a)) = \gamma (t)$ where $t = \delta (\mathsf {last}(h),a)$.
If $s^\mathsf{a}\in \bigcup _{i\in C} \mathsf {S}^\mathsf{a}_i$, $\sigma ^\mathsf{a}_C(h^\mathsf{a}\cdot (\mathsf {last}(h^\mathsf{a}),a) \cdot s^\mathsf{a}) = \sigma _C(h \cdot \delta (\mathsf {last}(h),a))$.

With this definition, our induction hypothesis will be respected for histories containing one more step, and therefore this holds for all histories. Let now $\rho ^\mathsf{a}$ be an outcome $\sigma ^\mathsf{a}_C$. By the way we defined this strategy there is an outcome $\rho $ outcome of $\sigma _C$ such that $\rho \in \gamma (\rho ^\mathsf{a})$. As $\sigma _C$ is winning, $\rho $ satisfies the Muller condition $\phi _k$ and since $\gamma $ is compatible with players’ objectives, $\rho ^\mathsf{a}$ satisfies $\phi _k^\mathsf{a}$. This shows that C has a winning strategy in $\mathcal {A}^C$ for $\phi _k^\mathsf{a}$. $\square $

6.2 Value-preserving strategies

We now use the abstract games defined above to define under- and over-approximations for value-preserving strategies for a given player. We start by computing approximations $\underline{V}_{k,x}$ and $\overline{V}_{k,x}$ of the sets $V_{k,x}$, and then use these to obtain approximations of the value-preserving edges $E_k$ (denoted $\underline{E}_k$ and $\overline{E}_k$). At the end of this subsection, we show that these allow us to obtain under- and over-approximations of the set $\gamma (E_k)$ of value-preserving strategies.

Fix a game $\mathsf {G} $, and a player $k$. Let us define the controllable predecessors for player k as

$$\begin{aligned} \begin{array}{ll} \textsf {CPRE}_{\mathcal {A}^{\mathcal {P}\setminus \{k\}},k}(X) = &{}\{ s^\mathsf{a}\in \mathsf {S}^\mathsf{a}_k \mid \exists a \in \textsf {Act}_k, \textsf {{post}}_{\Delta }(s^\mathsf{a},a) \subseteq X\}\\ &{}\cup \,\{ s^\mathsf{a}\in \mathsf {S}^\mathsf{a}_{\mathcal {P}\setminus \{k\}} \mid \forall a \in \textsf {Act}_{-k}, \textsf {{post}}_{\Delta }(s^\mathsf{a},a) \subseteq X\}. \end{array} \end{aligned}$$

We let

$$\begin{aligned} \begin{array}{l r} \overline{V}_{k,1} = \mathsf {Win} _{\{k\}}(\mathcal {A}^{\{k\}}, \phi ^{\mathsf{a}}_k), &{} \overline{V}_{k,-1} = \mathsf {Win} _\emptyset (\mathcal {A}^{\emptyset }, \lnot \phi ^{\mathsf{a}}_k),\\ \overline{V}_{k,0} = \mathsf {Win} _{\mathcal {P}\setminus \{k\}}(\mathcal {A}^{\mathcal {P}\setminus \{k\}}, \lnot \phi ^{\mathsf{a},k}) \cap \mathsf {Win} _{\mathcal {P}}(\mathcal {A}^{\mathcal {P}},\phi ^{\mathsf{a}}_k), &{} \\ \underline{V}_{k,1} = \mathsf {Win} _{\{k\}}(\mathcal {A}^{\mathcal {P}\setminus \{k\}}, \phi ^{\mathsf{a}}_k), &{} \underline{V}_{k,-1} = \mathsf {Win} _\emptyset (\mathcal {A}^{\mathcal {P}}, \lnot \phi ^{\mathsf{a}}_k) \\ \underline{V}_{k,0} = \nu X. \big (\textsf {CPRE}_{\mathcal {A}^{\mathcal {P}\setminus \{k\}},k}(X \cup \underline{V}_{k,1} \cup \underline{V}_{k,-1}) \cap F\big ),\\ \qquad \text {where } F = \mathsf {Win} _{\mathcal {P}\setminus \{k\}}(\mathcal {A}^{\{k\}}, \lnot \phi ^{\mathsf{a}}_k) \cap \mathsf {Win} _{\mathcal {P}}(\mathcal {A}^{\emptyset },\phi ^{\mathsf{a}}_k). \end{array} \end{aligned}$$

The last definition uses the $\nu X.f(X)$ operator which is the greatest fixpoint of f. These sets define approximations of the sets $V_{k,x}$. Informally, this follows from the fact that to define e.g. $\overline{V}_{k,1}$, we use the game $\mathcal {A}^{\{k\}}$, where player k resolves itself the non-determinism, and thus has more power than in $\mathsf {G} $. In contrast, for $\underline{V}_{k,1}$, we solve $\mathcal {A}^{\mathcal {P}\setminus \{k\}}$ where the adversary resolves non-determinism. We state these properties formally:

Lemma 16

For all players k and $x \in \{-1,0,1\}$, $\gamma (\underline{V}_{k,x}) \subseteq V_{k,x} \subseteq \gamma (\overline{V}_{k,x})$.

Proof

This is a direct consequence of Lemma 15.

If $s\in V_{k,-1}$ then the coalition $\mathcal {P}$ has no winning strategy in $\mathsf {G} $. By determinacy, the empty coalition has a strategy to ensure $\lnot \phi _k$. Therefore by Lemma 15, the coalition $\varnothing $ has a strategy in $\mathcal {A}^{\mathcal {P}}$ from $\alpha (s)$ that ensures $\lnot \phi _k$. Therefore $s \in \gamma ( \overline{V}_{k,-1})$.

Recall that $V_{k,0} = \mathsf {Win} _{\mathcal {P}\setminus \{k\}}(\mathsf{A},\lnot \phi _k) \cap \mathsf {Win} _{\mathcal {P}}(\mathsf{A},\phi _k)$. Let s be a state in $V_{k,0}$. By Lemma 15, $\alpha (s)$ belongs to both sides of the intersection, thus $\alpha (s) \in \overline{V}_{k,0}$. Thus $V_{k,0} \subseteq \gamma (\overline{V}_{k,0})$.

If $s^\mathsf{a}\in \underline{V}_{k,1}$ then the coalition $\mathcal {P}{\setminus }\{k\}$ has no strategy in $\mathcal {A}^{\mathcal {P}\setminus \{k\}}$ for $\lnot \phi _k^\mathsf{a}$. Therefore by Lemma 15, it has no strategy in $\mathsf{A}$ from any state of $\gamma (s^\mathsf{a})$ to do so. Therefore k has a winning strategy in $\mathsf{A}$ from $\gamma (s^\mathsf{a})$, and $\gamma (s^\mathsf{a}) \in V_{k,1}$.

If $s^\mathsf{a}\in \underline{V}_{k,-1}$, then the coalition $\mathcal {P}$ has no winning strategy in $\mathcal {A}^{\mathcal {P}}$ for objective $\phi ^{\mathsf{a}}_k$. Therefore by Lemma 15, it has no winning strategy in $\mathsf{A}$ from $\gamma (s^\mathsf{a})$ neither for the objective $\phi _k$. This means that $\gamma (s^\mathsf{a}) \in V_{k,-1}$.

Note that by definition of the $\nu X.$ operator, $\underline{V}_{k,0} \subseteq F$. Thus, let us just show that $\gamma (F) \subseteq V_{k,0}$. Recall that $V_{k,0} = \mathsf {Win} _{\mathcal {P}\setminus \{k\}}(\mathsf{A}, \lnot \phi _k) \cap \mathsf {Win} _{\mathcal {P}}(\mathsf{A},\phi _k)$. Let $s \in \gamma (\underline{V}_{k,0})$. Then player k has no strategy in $\mathcal {A}^{\{k\}}$ for $\phi _k^\mathsf{a}$, hence, by Lemma 15, it cannot win $\mathsf{A}$ neither for $\phi _k$ from $\gamma (s)$. This shows that $\gamma (s) \subseteq \mathsf {Win} _{\mathcal {P}\setminus \{k\}}(\mathsf{A}, \lnot \phi ^{\mathsf{a}}_k) $. Furthermore, the coalition $\emptyset $ has no strategy in $\mathcal {A}^\mathcal {P}$ for $\lnot \phi ^{\mathsf{a}}_k$, thus it does not have one neither in $\mathsf{A}$ for $\lnot \phi _k$ from $\gamma (s)$. In other terms, $\gamma (s) \subseteq \mathsf {Win} _{\mathcal {P}}(\mathsf{A},\phi _k)$. $\square $

We thus have $\cup _x \gamma (\overline{V}_{k,x}) = \textsf {S}$ (as $\cup _x V_{k,x} = \textsf {S}$) but this is not the case for $\underline{V}_{k,x}$; so let us define $\underline{V} = \cup _{j \in \{-1,0,1\}} \underline{V}_{k,j}$. We now define approximations of $E_k$ based on the above sets.

Intuitively, $\overline{E}_k$ is an over-approximation of $E_k$, and $\underline{E}_k$ under-approximates $E_k$ when restricted to states in $\underline{V}$ (notice that $\underline{E}_k$ contains all actions from states outside $\underline{V}$). In fact, our under-approximation will be valid only inside $\underline{V}$; but we will require the initial state to be in this set, and make sure the play stays within $\underline{V}$. We show that sets $\underline{E}_k$ and $\overline{E}_k$ provide approximations of value-preserving strategies.

We show that when playing according to $\underline{E}_k$, player k ensures staying in $\underline{V}$. This is proven in the following.

Let us write $\gamma (\mathcal {E}) = \{ (s,a) \mid (\alpha (s),a) \in \mathcal {E} \}$ for $\mathcal {E} \in \{ \underline{E}_k, \overline{E}_k\}$.

Lemma 17

For all games $\mathsf {G} $, and players k,

1.
$\gamma (\underline{E}_k \cap (\underline{V} \times \textsf {Act})) \subseteq E_k \subseteq \gamma (\overline{E}_k)$.
2.
For all $s^\mathsf{a}\in \textsf {S}^\mathsf{a}_k$, there exist $a,a'\in \textsf {Act}_k$ such that $(s^\mathsf{a},a) \in \underline{E}_k$ and $(s^\mathsf{a},a') \in \overline{E}_k$.
3.
For all $(s^\mathsf{a},a) \in \underline{E}_k$ with $s^\mathsf{a}\in \underline{V}$, we have $\textsf {{post}}_\Delta (s^\mathsf{a},a) \subseteq \underline{V}$.

Proof

The inclusion $E_k \subseteq \gamma (\overline{E}_k)$ follows from the definition of $\overline{E}_k$, and by Lemma 16. It also follows that for all $s \in \textsf {S}^\mathsf{a}_k$, there is $(s,a') \in \overline{E}_k$, since this is always the case for $E_k$.

Let $(s^\mathsf{a},a)$ be an edge in $\underline{E}_k \cap (\underline{V} \times \textsf {Act})$. Let s be a state in $\gamma (s^\mathsf{a})$. We have that $s \in \gamma (\underline{V}_{k,x})$ for some $x \in \{ -1,0,1\}$ and by Lemma 16 $s \in V_{k,x}$. By definition of $\underline{E}_k$, for all $t^\mathsf{a}$ such that $\Delta (s^\mathsf{a},a,t^\mathsf{a})$, $t^\mathsf{a}\in \underline{V}_{k,l}$ with $l \ge x$ and $s^\mathsf{a}\in \underline{V}_{k,x}$. By Lemma 16, we have that the value of all states in $\gamma (t^\mathsf{a})$ are at least as great as any state in $\gamma (s^\mathsf{a})$. By definition of $\Delta $, $\alpha (\delta (s,a)) \subseteq \{ t^\mathsf{a}\mid \Delta (s^\mathsf{a},a,t^\mathsf{a}) \}$. Therefore $\alpha (\delta (s,a)) \in \cup _{l \ge x} \underline{V}_{k,l}$, which means $\delta (s,a) \in \cup _{l \ge x} \gamma (\cup _{l \ge x} \underline{V}_{k,l}) \subseteq \cup _{l\ge x} V_{k,l}$ using Lemma 16.

By definition of $E_k$ this implies that $(s,a) \in E_k$.

It remains to prove that for all $s^\mathsf{a}\in \textsf {S}_k^\mathsf{a}$, there is $(s^\mathsf{a},a) \in \underline{E}_k$, and that if $s^\mathsf{a}\in \underline{V}$, then for all $(s^\mathsf{a},a) \in \underline{E}_k$, $\Delta (s^\mathsf{a},a,{t}^\mathsf{a})$ implies ${t}^\mathsf{a}\in \underline{V}$.

If $s^\mathsf{a}\in \mathsf {S}_k^\mathsf{a}{\setminus } \underline{V}$, then $(s^\mathsf{a},a) \in \underline{E}_k$ for all $a \in \textsf {Act}_k$ by definition. Let us now assume $s^\mathsf{a}\in \underline{V}$.

If $s^\mathsf{a}\in \underline{V}_{k,-1}$, then By definition of $\underline{V}_{k,-1}$, we have that for all actions a, and all states $t^\mathsf{a}$, if $\Delta ^\mathsf{a}(s^\mathsf{a},a,t^\mathsf{a})$ then $t^\mathsf{a}\in \underline{V}_{k,-1}$. Thus $(s^\mathsf{a},a) \in \underline{E}_k$, and $t^\mathsf{a}\in \underline{V}_{k,-1}$ for any such $t^\mathsf{a}$, so $t^\mathsf{a}\in \underline{V}$.
If $s \in \underline{V}_{k,1}$, then there exists a such that $(s^\mathsf{a},a,t^\mathsf{a}) \in \Delta ^\mathsf{a}$ implies $t^\mathsf{a}\in \underline{V}_{k,1}$. So $(s^\mathsf{a},a) \in \underline{E}_k$, and $t^\mathsf{a}\in \underline{V}_{k,1}$. Moreover this holds for all a with $(s^\mathsf{a},a) \in \underline{E}_k$, since for such a, $(s^\mathsf{a},a,t^\mathsf{a}) \in \Delta ^\mathsf{a}$ implies $t^\mathsf{a}\in \underline{V}_{k,1}$ by definition of $\underline{E}_k$.
If $s \in \underline{V}_{k,0}$, then by the greatest fixpoint defining $\underline{V}_{k,0}$, there exists $a \in \textsf {Act}_k$ such that for all $t^\mathsf{a}$ with $\Delta (s^\mathsf{a},a,t^\mathsf{a})$, $t^\mathsf{a}\in \underline{V}_{k,0}$. Conversely, for all $(s^\mathsf{a},a) \in \underline{E}_k$, a ensures staying inside $\underline{V}_{k,0} \cup \underline{V}_{k,1}$. Thus for any such a, $(s^\mathsf{a},a) \in \underline{E}_k$, and any $t^\mathsf{a}$, $\Delta (s^\mathsf{a},a,t^\mathsf{a})$ means $t^\mathsf{a}\in \underline{V}_{k,0}$.

Recall that $\underline{E}_k$ does not constrain the actions outside the set $\underline{V}$; thus strategies in $\mathsf{Strat}_k(\underline{E}_k)$ can actually choose dominated actions outside $\underline{V}$. To prove that $\mathsf{Strat}_k(\underline{E}_k)$ is an under-approximation of $\mathsf{Strat}_k(E_k)$ when started in $\underline{V}$, we need to formalize the fact that admissible strategies may choose arbitrary actions at states that are not reachable by any outcome. Intuitively, such strategies cannot be dominated since the dominated behavior is never observed.

For any strategy $\sigma $, let $\mathsf{Reach}(\mathsf {G},\sigma )$ denote the set of states reachable from $s_{\mathsf{init}}$ by runs compatible with $\sigma $. We show that if one arbitrarily modifies an admissible strategy outside the set $\mathsf{Reach}(\mathsf {G},\sigma )$, the resulting strategy is still admissible.

Lemma 18

Let $\sigma $ be a strategy in $\mathsf{Adm}_i(\mathsf {G})$ and $\sigma '$ a strategy in $\Sigma _i(\mathsf {G})$. If for all histories h such that $\mathsf {last}(h) \in \mathsf{Reach}(\mathsf {G},\sigma )$, we have $\sigma (h) = \sigma '(h)$, then $\sigma ' \in \mathsf{Adm}_i(\mathsf {G})$.

Proof

For all profiles $\sigma _{-k} \in \Sigma _{-k}(\mathsf {G})$, we have $\mathsf {Out}_\mathsf {G} (\sigma _{-k},\sigma ) = \mathsf {Out}_\mathsf {G} (\sigma _{-k},\sigma ')$ so if $\sigma '$ is dominated, then $\sigma $ would also be dominated, which is a contradiction.

We now show that the sets $\gamma (\mathsf{Strat}_k(\underline{E}_k))$ and $\gamma (\mathsf{Strat}_k(\overline{E}_k))$ are abstractions of $\mathsf{Strat}_k(E_k)$.

Lemma 19

For all games $\mathsf {G} $, and players k, $\mathsf{Strat}_k(E_k) \subseteq \gamma (\mathsf{Strat}_k(\overline{E}_k))$, and if $s_{\mathsf{init}}\in \gamma (\underline{V})$, then $\emptyset \ne \gamma (\mathsf{Strat}_k(\underline{E}_k)) \subseteq \mathsf{Strat}_k(E_k)$.

Proof

Since $E_k \subseteq \gamma (\overline{E}_k)$ by Lemma 17, we have $\mathsf{Strat}_k(E_k) \subseteq \gamma (\mathsf{Strat}_k(\gamma (\overline{E}_k)))$.

Assume $s_{\mathsf{init}}\in \gamma (\underline{V})$. The fact that $\mathsf{Strat}_k(\underline{E}_k)$, thus also $\gamma (\mathsf{Strat}_k(\underline{E}_k))$ are non-empty follows from Lemma 17 too, since for any state $s^\mathsf{a}$ there is $a \in \textsf {Act}_k$ with $(s^\mathsf{a},a) \in \underline{E}_k$.

We prove that $\mathsf{Reach}(\mathcal {A}^{\mathcal {P}\setminus \{k\}},\sigma ) \subseteq \underline{V}$ for all $\sigma \in \mathsf{Strat}_k(\underline{E}_k)$. We already know, by Lemma 17, that for all $s^\mathsf{a}\in \underline{V}$, if $(s^\mathsf{a},a) \in \underline{E}_k$ then all successors $t^\mathsf{a}$ with $\Delta (s^\mathsf{a},a,t^\mathsf{a})$ satisfies $t^\mathsf{a}\in \underline{V}$. We are going to show that for all $s^\mathsf{a}\in \underline{V} \cap \mathsf {S}_j^\mathsf{a}$ with $j\ne k$, for all $a \in \textsf {Act}_j$, $\Delta ^\mathsf{a}(s^\mathsf{a},a,t^\mathsf{a})$ implies $t^\mathsf{a}\in \underline{V}$.

Consider $s^\mathsf{a}\in \underline{V}$. If $s^\mathsf{a}\in \underline{V}_{k,1}$, then for all $a \in \textsf {Act}$, $\Delta ^\mathsf{a}(s^\mathsf{a},a,t^\mathsf{a})$ implies that $t^\mathsf{a}\in \underline{V}_{k,1}$, since $\mathcal {P}{\setminus }\{k\}$ resolves non-determinism.

The situation is similar if $s^\mathsf{a}\in \underline{V}_{k,-1}$; for all $a \in \textsf {Act}_j$, $\Delta ^\mathsf{a}(s^\mathsf{a},a,t^\mathsf{a})$ implies ${t}^\mathsf{a}\in \underline{V}_{k,-1}$. If $s^\mathsf{a}\in \underline{V}_{k,0}$, then, by the definition of the outer fixpoint, for all $a \in \textsf {Act}_j$, $\Delta ^\mathsf{a}(s^\mathsf{a},a,{t}^\mathsf{a})$ implies that ${t}^\mathsf{a}\in \underline{V}$.

Thus $\mathsf{Reach}(\mathcal {A}^{\mathcal {P}\setminus \{k\}},\sigma ) \subseteq \underline{V}$ for all $\sigma \in \mathsf{Strat}_k(\underline{E}_k)$. It then follows that $\mathsf{Reach}(\mathsf {G},\gamma (\sigma )) \subseteq \gamma (\underline{V})$. So, by Lemma 18, and by the fact that $\gamma (\underline{E}_k) \subseteq E_k$, all strategies in $\gamma (\mathsf{Strat}_k(\underline{E}_k))$ are value preserving, which is to say, belong to $\mathsf{Strat}_k(E_k)$. $\square $

6.3 Help states

We now define approximations of the help states $H_k$, where we write $\Delta (s^\mathsf{a},\textsf {Act},t^\mathsf{a})$ to mean $\exists a \in \textsf {Act}, \Delta (s^\mathsf{a},a,t^\mathsf{a})$.

$$\begin{aligned} \begin{array}{ll} \overline{H}_k &{} = \{ s^\mathsf{a}\in \overline{V}_{k,0} {\setminus } \mathsf {S}^\mathsf{a}_k \mid \exists t^\mathsf{a}, u^\mathsf{a}\in \overline{V}_{k,0} \cup \overline{V}_{k,1}.\ \Delta (s^\mathsf{a},\textsf {Act},t^\mathsf{a}) \wedge \Delta (s^\mathsf{a},\textsf {Act},u^\mathsf{a})\}\\ \underline{H}_k &{} = \{ s^\mathsf{a}\in \underline{V}_{k,0} {\setminus } \mathsf {S}^\mathsf{a}_k \mid \exists a \ne b \in \textsf {Act}, \textsf {{post}}_\Delta (s^\mathsf{a},a) \cap \textsf {{post}}_\Delta (s^\mathsf{a},b) = \emptyset , \\ &{} \textsf {{post}}_\Delta (s^\mathsf{a},a) \cup \textsf {{post}}_\Delta (s^\mathsf{a},b)\subseteq \underline{V}_{k,0} \cup \underline{V}_{k,1} \}. \end{array} \end{aligned}$$

Lemma 20

For all players k, $ \gamma (\underline{H}_k) \subseteq H_k \subseteq \gamma (\overline{H}_k)$.

Proof

Let $s^\mathsf{a}\in \underline{H}_k$, and let $a,b \in \textsf {Act}$ two witnessing actions. For all $s \in \gamma (s^\mathsf{a})$, we have $\delta (s,a) \in \gamma (\textsf {{post}}_\Delta (s^\mathsf{a},a)) \subseteq V_{k,0} \cup V_{k,1}$ and $\delta (s,b) \in \gamma (\textsf {{post}}_\Delta (s^\mathsf{a},a)) \subseteq V_{k,0} \cup V_{k,1}$. Moreover $\alpha (\delta (s,a)) \in \textsf {{post}}_\Delta (s^\mathsf{a},a)$, $\alpha (\delta (s,b)) \in \textsf {{post}}_\Delta (s^\mathsf{a},b)$, and $\textsf {{post}}_\Delta (s^\mathsf{a},a) \cap \textsf {{post}}_\Delta (s^\mathsf{a},b) = \varnothing $, therefore $\alpha (\delta (s,a)) \ne \alpha (\delta (s,b))$ and thus $\delta (s,a) \ne \delta (s,b)$. Hence $s \in H_k$.

Now, consider any $s \in H_k$; and let $a,b \in \textsf {Act}$ be such that $\delta (s,a),\delta (s,b) \in V_{k,0} \cup V_{k,1}$ and $\delta (s,a) \ne \delta (s,b)$. If we write $t^\mathsf{a}= \alpha (\delta (s,a))$ and $u^\mathsf{a}= \alpha (\delta (s,b))$, then $t^\mathsf{a},u^\mathsf{a}\in \overline{V}_{k,0} \cup \overline{V}_{k,1}$, and $\Delta (s^\mathsf{a},a,t^\mathsf{a})$, and $\Delta (s^\mathsf{a},b,u^\mathsf{a})$; thus $\alpha (s) \in \overline{H}_k$. It follows that $H_k \subseteq \gamma (\overline{H}_k)$. $\square $

6.4 Abstract synthesis of $\mathsf {AA}$-winning strategies

We now describe the computation of $\mathsf {AA}$-winning strategies in abstract games. Consider game $\mathsf {G} $ and assume sets $\underline{E}_i, \overline{E}_i$ are computed for all players i. Roughly, to compute a strategy for player k, we will constrain him to play only edges from $\underline{E}_k$, while other players j will play in $\overline{E}_j$. By Lemma 19, any strategy of player k maps to value-preserving strategies in the original game, and all value-preserving strategies for other players are still present. We now formalize this idea, incorporating the help states in the abstraction.

We fix a player k. We construct an abstract game in which winning for player k implies that player k has an effective $\mathsf {AA}$-winning strategy in $\mathsf {G} $. We define

$$\begin{aligned} \mathcal {A} _{k}' = \langle \{\{k\},-k\}, ({\mathsf {S}'}^\mathsf{a}_k, {\mathsf {S}'}^\mathsf{a}_{-k} \cup {\mathsf {S}'}^\mathsf{a}\times \textsf {Act}), \alpha (s_{\mathsf{init}}), (\textsf {Act}_k, \textsf {Act}_{-k}), \delta _{\mathcal {A} ^k}\rangle , \end{aligned}$$

where ${\mathsf {S}'}^\mathsf{a}= \mathsf {S}^\mathsf{a}\times \{\bot ,0,\top \}$; thus we modify $\mathcal {A}^{\mathcal {P}\setminus \{k\}}$ by taking the product of the state space with $\{\top ,0,\bot \}$. Intuitively, as in Sect. 5, initially the second component is 0, meaning that no player has violated the value-preserving edges. The component becomes $\bot $ whenever player k plays an action outside of $\underline{E}_k$; and $\top $ if another player j plays outside $\overline{E}_j$ (for $j \in \mathcal {P}{\setminus }\{i\}$). We extend $\gamma $ to $\mathcal {A}_k'$ by $\gamma ( (s^\mathsf{a},x)) = \gamma (s^\mathsf{a}) \times \{x\}$, and extend it to histories of $\mathcal {A}_k'$ by first removing the intermediate states ${\mathsf {S}'}^\mathsf{a}\times \textsf {Act}$. We thus see $\mathcal {A} _k'$ as an abstraction of $\mathsf{A}'$ of Sect. 5.

We define the following approximations of the objectives $M_k'$ and $\Omega _k'$ in $\mathcal {A} '_k$.

$$\begin{aligned} \begin{array}{l} \underline{M}'_k = ( \mathtt {G}\mathtt {F}(\overline{V}_{k,1}) \Rightarrow \phi _k^\mathsf{a}) \wedge \left( \mathtt {G}\mathtt {F}(\overline{V}_{k,0}) \Rightarrow (\phi ^\mathsf{a}_k \vee \mathtt {G}\mathtt {F}(\underline{H}_k)) \right) ,\\ \overline{M}'_k = (\mathtt {G}\mathtt {F}(\underline{V}_{k,1}) \Rightarrow \phi _k^\mathsf{a}) \wedge \left( \mathtt {G}\mathtt {F}(\underline{V}_{k,0}) \Rightarrow (\phi _k^\mathsf{a}\vee \mathtt {G}\mathtt {F}(\overline{H}_k)) \right) ,\\ \underline{\Omega '}_k = \left( \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{0\}) \wedge \underline{M'}_k \wedge \left( \bigwedge _{j \ne k} \overline{M'}_j \Rightarrow {\phi }^\mathsf{a}_k \right) \right) \vee \left( \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{\top \}) \wedge \underline{M'}_k\right) .\\ \end{array} \end{aligned}$$

Lemma 21

We have $\gamma (\underline{M_k'}) \subseteq M_k' \subseteq \gamma (\overline{M_k'})$.

Proof

We have $\gamma (\phi _k^\mathsf{a}) = \phi _k$ by assumption on $\gamma $. Thus, by Lemma 16,

$$\begin{aligned} \gamma (( \mathtt {G}\mathtt {F}(\overline{V}_{k,1}) \Rightarrow \phi _k^\mathsf{a})) \subseteq \mathtt {G}\mathtt {F}(V_{k,1}) \Rightarrow \phi _k) \subseteq \gamma (( \mathtt {G}\mathtt {F}(\underline{V}_{k,1}) \Rightarrow \phi _k^\mathsf{a})). \end{aligned}$$

Similarly, by Lemma 20, we get $ \gamma \left( \mathtt {G}\mathtt {F}(\overline{V}_{k,0}) \Rightarrow ({\phi }^\mathsf{a}_k \vee \mathtt {G}\mathtt {F}(\underline{H}_k)) \right) \subseteq \mathtt {G}\mathtt {F}({V}_{k,0} \Rightarrow (\phi _k \vee \mathtt {G}\mathtt {F}(H_k)) \subseteq \gamma \left( \mathtt {G}\mathtt {F}(\underline{V}_{k,0}) \Rightarrow ({\phi }^\mathsf{a}_k \vee \mathtt {G}\mathtt {F}(\overline{H}_k)) \right) .$ It follows that $\gamma (\underline{M'}_k) \subseteq M_k' \subseteq \gamma (\overline{M'}_k)$. $\square $

The following lemma implies our main result, stated next as a theorem.

Lemma 22

Let $k \in \mathcal {P}$ be a player and $\sigma _k$ a strategy of player $k$. If $s_{\mathsf{init}}^\mathsf{a}\in \underline{V}$, and $\sigma _k$ is winning for objective $\underline{\Omega '}_k$ in $\mathcal {A}_k'$, then $\gamma (\sigma _k)$ is winning for $\Omega _k'$ in $\mathsf {G} '_k$.

Proof

Let us rewrite

$$\begin{aligned} \underline{\Omega '}_i = \underline{M'}_i \wedge \left( \left( \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{0\}) \wedge \left( \bigwedge _{j \ne i} \overline{M'}_j \Rightarrow {\phi }^\mathsf{a}_i \right) \right) \vee \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{\top \})\right) . \end{aligned}$$

Let $\sigma _k$ be a winning strategy in $\mathcal {A}_k'$ for $\underline{\Omega '}_k$. We will show that $\mathsf {G} _k', \gamma (\sigma _k) \models \Omega _k'$.

Consider any run $\rho $ of $\mathsf {G} '_k$ compatible with $\gamma (\sigma _k)$. By definition of $\gamma (\sigma _k)$, $\alpha (\rho )$ is an outcome of $\mathcal {A}_k'$ compatible with $\sigma _k$. Since $\sigma _k$ is a winning strategy, $\alpha (\rho ) \in \underline{M'}_k$, and by Lemma 21 $\rho \in M_k'$.

We now show that $\rho \in \mathtt {G}\mathtt {F}(\mathsf {S}\times \{0,\top \})$.

By assumption, we have $\mathcal {A}_k', \sigma _k \models \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{0,\top \})$, which means that for all histories $h^\mathsf{a}$ of $\mathcal {A}_k'$ compatible with $\sigma _k$, $(\mathsf {last}(h^\mathsf{a}), \sigma (h^\mathsf{a})) \in \underline{E}_k$ (otherwise the transition relation of $\mathcal {A}_k'$ would lead to a $\bot $ state). Moreover, since $s_{\mathsf{init}}^\mathsf{a}\in \underline{V}$, it follows from Lemma 19 that $(\mathsf {last}(h), \gamma (\sigma )(h)) \in E_k$ for all histories h compatible with $\gamma (\sigma _k)$. Thus no state $(*, \bot )$ is reachable under $\gamma (\sigma )$ in $\mathsf {G} '_k$.

Because of the structure of $\mathsf {G} '_k$ this means that $\rho $ either visits states of $\mathsf {S}\times \{0\}$ or states of $\mathsf {S}\times \{\top \}$ infinitely often:

If $\rho \in \mathtt {G}\mathtt {F}(\mathsf {S}\times \{0\})$, then $\alpha (\rho ) \in \mathtt {G}\mathtt {F}(\mathsf {S}^\mathsf{a}\times \{0\})$; so $\alpha (\rho ) \in \bigwedge _{j \ne k} \overline{M'}_j \Rightarrow \phi _k^\mathsf{a}$; it follows, by Lemma 21 and the compatibility of the abstraction with players’ objectives, that $\rho \in \bigwedge _{j \ne k} M'_j \Rightarrow \phi _k$. Thus $\rho \in \Omega _k'$.
Otherwise $\rho \in \mathtt {G}\mathtt {F}(\mathsf {S}\times \{\top \})$, so $\rho \in \Omega _k'$.

Thus any outcome $\rho $ of $\gamma (\sigma _k)$ belongs to $\Omega _k'$ which shows it is winning. $\square $

Theorem 5

For all games $\mathsf {G} $, and players k, if $s_{\mathsf{init}}\in \underline{V}$, and player $k$ has a winning strategy in $\mathcal {A}'_k$ for objective $\underline{\Omega }_k'$, then he has a winning strategy in $\mathsf {G} _k'$ for $\Omega _k$; and thus a $\mathsf {AA} $-winning strategy in $\mathsf {G} $.

Theorem 5 allows one to find $\mathsf {AA}$-winning strategies using abstractions. In fact, for each player k, one can define an abstraction, construct and solve the game $\mathcal {A}_k'$ for objective $\underline{\Omega }_k'$. If this succeeds for each player k, the obtained strategies yield an $\mathsf {AA}$-winning strategy profile in $\mathsf {G} $.

7 Algorithm for assume-guarantee synthesis

The assume-guarantee-$\wedge $ rule was studied in [7] for particular games with three players. However, the given proofs are based on secure equilibria which do not actually capture assume-guarantee synthesis, so the correctness of the algorithm of [7] is not clear. We first give an example that illustrates the non-correspondance of secure equilibria and assume-guarantee synthes, and then give an alternative algorithm for deciding assume-guarantee-$\wedge $ for multiplayer games, and prove its correctness.

We recall that a secure equilibrium [7] is a strategy profile $\sigma _\mathcal {P}$ such that for any player $i$, and $\sigma '_i \in \Sigma _i$, $\mathsf {Out}(\sigma '_i, \sigma _{-i}) <_i \mathsf {Out}(\sigma _\mathcal {P})$ where $\rho <_i \rho '$ means $\rho \not \models \phi _i \wedge \rho ' \models \phi _i$ or $\rho ' \models \phi _i \wedge |\{j\ne i \mid \rho \models \phi _j \}| < |\{j\ne i \mid \rho ' \models \phi _j \}|$.

Example 4

We consider a game with three players: player $1$ controls the valuation of $x_1$; player $2$ the valuation of $x_2$, and player $3$ is a scheduler which gives turn to either player $1$ or player $2$ at each step. player $3$ is assumed to be fair in the sense that at every point in the game each player eventually gets to play. Consider the following objective for player $1$: $\phi _1 = (x_2 \rightarrow \texttt {X} x_1) \wedge (\texttt {F} x_1 \rightarrow \texttt {F} x_2)$. The objective for player $2$ is trivial (always true). We consider strategy $\sigma _3$ of player $3$ that alternates between each player. Strategy $\sigma _1$ of player $1$ puts $x_1$ to true once $x_2$ has been put to true at least once. Strategy $\sigma _2$ of player $2$ never puts $x_2$ to true. These strategies form a secure equilibrium which satisfies each objective since we cannot improve the outcome with respect to $<_i$ by changing only the strategy of player $i$. However it is not an assume-guarantee solution: if we consider another scheduler strategy $\sigma '_3$ which gives twice the turn to player $2$, and a strategy $\sigma '_2$ which will put $x_2$ to true in the first turn, then $\mathsf {Out}(\sigma _1,\sigma '_2,\sigma '_3) \not \models \phi _1$. The same is in fact true for any strategy $\sigma '_1$ of player $1$ so there is no assume-guarantee synthesis solution, which contradicts [7, Thm. 4].

We now give an algorithm for assume-guarantee synthesis. For any game $\mathsf {G} $, and state s, we denote by $G_s$ the game obtained by making s the initial state. Assuming that each player $i$ has an objective $\phi _i$ which is prefix independent, let us define $W_i = \{ s \in \mathsf {S}\mid \exists \sigma _i.\ G_s , \sigma _i \models \bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i \}$.

The following lemma gives a decidable characterization of assume-guarantee synthesis:

Lemma 23

Let $(\phi _i)_{i \in \mathcal {P}}$ be prefix-independent objectives. Rule $\mathsf {AG} ^\wedge $ has a solution if, and only if, there is an outcome $\rho $ which visits only states of $\bigcap _{i\in \mathcal {P}} W_i$ and such that $\rho \models \bigwedge _{i\in \mathcal {P}} \phi _i$.

Proof

Let $\sigma _\mathcal {P}$ be a solution of $\mathsf {AG} ^\wedge $. Let $\rho $ be its outcome. We have that $\rho \models \bigwedge _{i\in \mathcal {P}} \phi _i$ by hypothesis of $\mathsf {AG} ^\wedge $. Let i be a player, we show that $\rho $ only visits states of $W_i$. This is because $\sigma _i$ is winning for $\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i$. For all k, $\rho _{\le k}$ is a finite outcome of $\sigma _i$, and the strategy played by $\sigma _i$ after this history is winning for $\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i$, which means that $\rho _{k}$ belongs to $W_i$. Hence $\rho $ satisfies the desired conditions.

If there is such an outcome $\rho $, we define the strategy profile $\sigma _\mathcal {P}$ to follow this outcome if no deviation has occurred and otherwise each player $i$ plays a strategy which is winning for $\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i$ if possible. We show that such a strategy profile satisfies the assumption of assume-guarantee. Obviously $\sigma _\mathcal {P}\models \bigwedge _{i\in \mathcal {P}} \phi _i$. Let $\rho '$ be an outcome of $\sigma _i$ and k the first index such that $\rho '_k \ne \rho _k$. The state $\rho '_{k-1}=\rho _{k-1}$ is not controlled by player $i$, because $\sigma _i$ follows $\rho $. As $\rho _{k-1}$ is in $W_i$ and not controlled by player $i$, this means that $\rho '_{k} \in W_i$. Therefore $\sigma _i$ plays a winning strategy from $\rho '_k$ for the objective $\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i$; thus $\rho '$ satisfies this objective. Hence $\sigma _\mathcal {P}$ is a solution of $\mathsf {AG} ^\wedge $. $\square $

We deduce a polynomial-space algorithm for the $\mathsf {AG} ^\wedge $ rule with Muller objectives:

Theorem 6

For multiplayer games with Muller objectives, deciding whether $\mathsf {AG} ^\wedge $ has a solution is PSPACE-complete.

Proof

The algorithms proceed by computing the set $W_i$ for each player $i$ with an algorithm that computes winning regions and then checks whether there is an outcome in the intersection $\bigcap _{i\in \mathcal {P}} W_i$ which satisfies $\bigwedge _{i\in \mathcal {P}} \phi _i$. This algorithm is correct thanks to Lemma 23.

This is in PSPACE because the objective $\bigwedge _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i$ can be expressed by a Muller condition encoded by a circuit [23] of polynomial size. We can decide in polynomial space if a given state is winning for a Muller condition given by a circuit. Thus, the set $\bigcap _{i \in \mathcal {P}} W_i$ can be computed in polynomial space; let us denote by $\mathsf {G} '$ the game restricted to this set. The algorithm then consists in finding an outcome in $\mathsf {G} '$ satisfying $\bigwedge _{i\in \mathcal {P}} \phi _i$; that is, finding an outcome satisfying a Muller condition, which can be done in polynomial space. $\square $

8 Comparison of synthesis rules

In this section, we compare the synthesis rules to understand which ones yield solutions more often, and to assess their robustness. Some relations are easy to establish; for instance, rules $\mathsf {Win},\mathsf {AG} ^\vee ,\mathsf {AG} ^{\wedge },\mathsf {AA} $ imply Coop by definition (and Theorem 1). We summarize the implication relations between the rules in Fig. 5. A plain arrow from A to B means that if A has a solution, then so does B; while a dashed arrow with a cross means that this implication does not hold. We use some shortcuts for groups of rules: the arrow from Win to the group ${\mathsf {RS}}^\forall (\cdot )$ means that Win implies all of them. The dashed arrow from the whole group of ${\mathsf {RS}}^{\forall ,\exists }(\cdot )$ to Coop means that none of the rules in the box implies Coop. References to lemmas that prove the relations are given on each arrow. Missing arrows are either trivial relations or they are open; note that some relations can be deduced by transitivity (e.g. Win implies $\mathsf {AG} ^\wedge $). Note that an arrow does not imply an inclusion between the witnessing strategy profiles.

The following theorem states the correctness of our diagram.

Theorem 7

The implication relations of Fig. 5 hold.

We will present the proof of each comparison of the diagram in Fig. 5.

Remark 1

We have ${\mathsf {RS}}^\exists (\mathsf {SPE}) \Rightarrow {\mathsf {RS}}^\exists (\mathsf {NE})$ and ${\mathsf {RS}}^\forall (\mathsf {NE}) \Rightarrow {\mathsf {RS}}^\forall (\mathsf {SPE})$ because any subgame perfect equilibrium is also a Nash equilibrium. Moreover, in the definition of the rules ${\mathsf {RS}}$, the conditions for ${\mathsf {RS}}^\forall $ are stronger than for ${\mathsf {RS}}^\exists $, so ${\mathsf {RS}}^\forall (\mathsf {SPE}) \Rightarrow {\mathsf {RS}}^\exists (\mathsf {SPE})$, ${\mathsf {RS}}^\forall (\mathsf {NE}) \Rightarrow {\mathsf {RS}}^\exists (\mathsf {NE})$ and ${\mathsf {RS}}^\forall (\mathsf {Dom}) \Rightarrow {\mathsf {RS}}^\exists (\mathsf {Dom})$.

Lemma 24

$\mathsf {Win} \Rightarrow \mathsf {AA} \Rightarrow \mathsf {Coop} \Rightarrow {\mathsf {RS}}^\exists (\mathsf {SPE})$ and $\mathsf {Win} \Rightarrow \mathsf {AG} ^{\vee } \Rightarrow \mathsf {AG} ^\wedge \Rightarrow \mathsf {Coop} $,

Proof

This holds because winning strategies are always admissible [2], therefore a profile witness of Win satisfies condition 1 and 2 of the definition of assume-admissible.

This holds by Theorem 1.

Note that in order for ${\mathsf {RS}}$ to make sense we must have $\mathsf{sys} \in \mathcal {P}$. Assume $\mathsf {Coop} $ has a solution and let $\sigma _\mathcal {P}$ be a profile of strategy such that for all player $i$, $\sigma _\mathcal {P}\models \phi _i$.

We define a strategy profile $\sigma '_i$, that follows the path $\rho =\mathsf {Out}_\mathsf {G} (\sigma _i)$ when possible (that is: if h is a prefix of $\rho $ then play $\textsf {act}_{|h|}(\rho )$) and if not follows a subgame perfect equilibrium: that is, we select for each state s a subgame perfect equilibrium $\sigma ^s_\mathcal {P}$, there always exist one for Borel games (so in particular for Muller games) [32, Theorem 3.15]; then if h is not a prefix of $\rho $, let j be the last index such that $h_{\le j} = \rho _{\le j}$ and we define $\sigma '_\mathcal {P}(h) = \sigma ^{h_{j+1}}_\mathcal {P}(h_{\ge j+1})$.

Let h be a history. If h is a prefix of $\rho $ then the objective of each player is satisfied by following $\sigma '_i \circ h$ so none of them can gain by changing its strategy, therefore it is a Nash equilibrium from $\mathsf {last}(h)$. If h is not a prefix of $\rho $ then by definition of $\sigma '_i$, players follow a subgame-perfect equilibrium since h deviated from $\rho $, so in particular $\sigma '_i \circ h$ is a Nash equilibrium from $\mathsf {last}(h)$. Moreover the objective of the system is satisfied. Therefore $\sigma _\mathcal {P}$ is a solution to ${\mathsf {RS}}(\mathsf {SPE})$.

Let $\sigma _\mathcal {P}$ such that for each player $i$, $\sigma _i$ is winning for $\phi _i$. The first condition in the definition of $\mathsf {AG} ^\vee $ is satisfied because for all player $i$, $\mathsf {Out}_\mathsf {G} (\sigma _\mathcal {P}) $ satisfies $\phi _i$. The second condition is satisfied because for all strategy $\sigma '_{-i}$, we have that $\mathsf {Out}_\mathsf {G} (\sigma _i,\sigma '_{-i}) $ satisfies $\phi _i$, so in particular it satisfies $(\bigvee _{j\in \mathcal {P}\setminus \{i\}} \phi _j \Rightarrow \phi _i)$. Hence $\sigma _\mathcal {P}$ is a solution for $\mathsf {AG} ^\vee $.

This holds because the second condition in the definition of these rules is stronger for $\mathsf {AG} ^\vee $.

This implication holds simply because of the condition 1 in the definition of assume-guarantee, which corresponds to the definition of Cooperative synthesis. $\square $

Lemma 25

For all $\gamma \in \{\mathsf {NE}, \mathsf {SPE}, \mathsf {Dom} \}$, $\mathsf {Win} \Rightarrow {\mathsf {RS}}^\forall (\gamma )$, ${\mathsf {RS}}^\forall (\mathsf {Dom}) \not \Rightarrow {\mathsf {RS}}^\forall (\mathsf {NE})$ and ${\mathsf {RS}}^\exists (\mathsf {Dom}) \Rightarrow {\mathsf {RS}}^\exists (\mathsf {SPE})$.

Proof

Let $\sigma _\mathcal {P}$ be a strategy profile such that for each player $i$, $\sigma _i$ is winning for $\phi _i$.

We first show that $\Sigma ^\gamma _{\mathsf {G},\sigma _1}$ is not empty. For $\gamma \in \{\mathsf {NE},\mathsf {SPE} \}$ this is because there always exist a subgame perfect equilibrium for Borel games (so in particular for Muller games) [32, Theorem 3.15] and a subgame perfect equilibrium is a Nash equilibrium. For $\gamma =\mathsf {Dom} $, note that by definition of dominant strategies, winning strategies are dominant, so $\Sigma ^\mathsf {Dom} _{\mathsf {G},\sigma _1}$ contains at least $\sigma _{-1}$.

Let $\sigma '_{-1}$ be a strategy profile for $\mathcal {P}\setminus \{1\}$. Since $\sigma _1$ is a winning we have that $\mathsf {G},\sigma _{1},\sigma '_{-1} \models \phi _1$. Therefore $\sigma _1$ is a solution for ${\mathsf {RS}}^\forall (\gamma )$.

Let $\sigma _\mathcal {P}$ be a witness for ${\mathsf {RS}}^\exists (\mathsf {Dom})$. We define a strategy profile $\sigma '_\mathcal {P}$ such that $\sigma '_i$ follows $\sigma _i$ on all histories compatible with $\sigma _i$ (that is if h prefix of $\rho \in \mathsf {Out}_\mathsf {G} (\sigma _i)$ then $\sigma '_i(h) = \sigma _i(h)$) and outside of these histories follows a subgame perfect equilibria: there always exist one for Borel games (so in particular for Muller games) [32, Theorem 3.15].

By definition of $\sigma '_\mathcal {P}$, the outcome $\mathsf {Out}_\mathsf {G} (\sigma '_\mathcal {P})$ is the same than $\mathsf {Out}_\mathsf {G} (\sigma _\mathcal {P})$. Because $\sigma _\mathcal {P}$ is a witness for ${\mathsf {RS}}^\forall (\mathsf {Dom})$, this outcome is winning for player $1$.

It remains to show that $\sigma '_{-1}$ is a subgame perfect equilibria. Let h be a history, i be a player different from player $1$, and $\sigma ''_i$ be a strategy for player $i$. We show that from h player i does not improve by switching from $\sigma '_i$ to another strategy $\sigma ''_i$, which will show that $\sigma '_\mathcal {P}\circ h$ is a Nash equilibrium from h.

If h is compatible with $\sigma _i$ then $\sigma '_i$ coincide with $\sigma _i$ from this history, so $\mathsf {Out}_\mathsf {G} (\sigma '_i,\sigma _{-i}) = \mathsf {Out}_\mathsf {G} (\sigma _\mathcal {P})$. Since $\sigma _i$ is a dominant strategy, if $\mathsf {G},\sigma ''_i, \sigma _{-i} \models \phi _i$ then $\mathsf {G},\sigma _i,\sigma _{-i} \models \phi _i$ and therefore this implies that $\mathsf {Out}_\mathsf {G} (\sigma '_i,\sigma _{-i})$ satisfy $\phi _i$. This means that i does not improve by switching from $\sigma '_i$ to $\sigma ''_i$.

If h is not compatible with $\sigma _i$, then $\sigma '_i$ plays according to a subgame-perfect equilibria since the first deviation. In particular, this strategy is a Nash equilibrium from h.

This shows that $\sigma '_{-1}$ is a subgame perfect equilibrium and has $\sigma '_\mathcal {P}\models \phi _1$, this is a witness for ${\mathsf {RS}}^\exists (\mathsf {SPE})$.

Consider the example given in Fig. 6. The strategy r for player $2$ is dominant and any strategy of player $3$ is dominant. The outcome of these strategies always go to the bottom state where $\phi _\mathsf{sys}$ is satisfied. Therefore there is a solution to ${\mathsf {RS}}^\forall (\mathsf {Dom})$.

However, we show that there is no solution to ${\mathsf {RS}}^\forall (\mathsf {NE})$.

Consider the strategy profile $(\cdot ,l,b)$, this is a Nash equilibrium (even a subgame Nash equilibrium) since no player can improve his/her strategy. Note that player $1$ is losing for that profile, hence no strategy of player $1$ can ensure that it will win for all Nash equilibria. $\square $

In the example of Sect. 4, we saw that more strategy profiles satisfied the assume-guarantee condition compared to assume-admissibility, including undesirable strategy profiles. We show that the rule $\mathsf {AG} ^\wedge $ is indeed more often satisfied than $\mathsf {AA} $; while the rules $\mathsf {AG} ^\vee $, and $\mathsf {AA} $ are incomparable.

Lemma 26

We have $\mathsf {AG} ^\wedge \not \Rightarrow \mathsf {AA} $; $\mathsf {AG} ^\vee \not \Rightarrow \mathsf {AA} $; $\mathsf {AA} \not \Rightarrow \mathsf {AG} ^\wedge $ and $\mathsf {AA} \not \Rightarrow \mathsf {AG} ^\vee $.

Proof

Consider the game represented in Fig. 7. In this example, we have $\mathsf{Adm}_1 = \Sigma _1$. Therefore player $2$ has no winning strategy against all admissible strategies of $\mathsf{Adm}_2$ (in particular the strategy of player $1$ that plays r, makes player $2$ lose). So $\mathsf {AA}$ fails. However, we do have $\mathsf {AG} ^\wedge $ by the profile $\sigma _1 :s_1 \mapsto l, \sigma _2 :s_2 \mapsto b, s_3 \mapsto c$. This profile also satisfies $\mathsf {AG} ^\vee $ which is equivalent to $\mathsf {AG} ^\wedge $ for two player games.

Consider the example of Fig. 8. The profile where player $1$ and player $2$ plays to the right is assume-admissible. However there is no solution to assume-guarantee synthesis: if player $1$ and player $2$ change their strategies to go to the state labeled $\phi _1, \phi _2$, then the condition $\mathcal {G},\sigma _3 \models (\phi _1 \wedge \phi _2) \Rightarrow \phi _3$ is not satisfied.

We will provide a counter-example to show our claim. Note that we need strictly more than two players since otherwise $\mathsf {AG} ^\vee $ is equivalent to $\mathsf {AG} ^\wedge $, and we have just shown that $\mathsf {AA} $ implies $\mathsf {AG} ^\wedge $.

Consider the game with three players in Fig. 9. Define the following objectives: $\phi _1 = \mathtt {G}\mathtt {F}(s_4 \vee s_7)$, $\phi _2 = \mathtt {G}\mathtt {F}(s_4 \vee s_6)$, $\phi _3 = \texttt {true}$,

where $\phi _i$ is player i’s objective. These are actually reachability objectives since the game ends in absorbing states.

Now, action b is dominated at states $s_2$ and $s_3$ for player 2. Thus player 1 has a $\mathsf {AA}$-winning strategy which consists in taking a at $s_1$. Player 2 has a winning strategy in the game (taking a at both states). Player 3 has a $\mathsf {AA}$-winning strategy too since actions b are eliminated for player 2. Therefore, there is an $\mathsf {AA}$-winning strategy profile which ends in $s_4$.

On the other hand, there is no $\mathsf {AG} ^\vee $ profile. In fact, player 1 has no winning strategy to ensure $\phi _2 \vee \phi _3 \Rightarrow \phi _1$, which is equivalent to $\phi _1$ since $\phi _3 = \texttt {true}$. $\square $

Lemma 27

For two player games, $\mathsf {AA} \Rightarrow \mathsf {AG} ^\wedge $.

Proof

Assume $\mathcal {G}$ is a two player game and consider strategy profile $(\sigma _1, \sigma _2)$ witness of $\mathsf {AA}$.

Note that if player $j$ decreases his own value at position k then its value for $h_{\le k+1}$ will be smaller or equal to 0 which means player $j$ has no winning strategy from this history. By determinacy of turn-based zero-sum games, player $3$ $-j$ has a winning strategy for $\lnot \phi _j$. Therefore we can adjust the strategies $(\sigma _1,\sigma _2)$ such that if there is a player j that decreases his own value, the other player will make it lose. We write $(\sigma '_1,\sigma '_2)$ the strategies thus defined and we will show that they form a solution of Assume-Guarantee.

Let $\rho $ be the outcome of the strategy profile $(\sigma '_1,\sigma '_2)$. We can show that $\rho $ is also the outcome of $(\sigma _1,\sigma _2)$. First we recall that an admissible strategy does not decrease his own value (Lemma 4). Therefore each $\sigma '_i$ is identical to $\sigma _i$ on the run $\rho $. By Theorem 1, $\rho $ satisfies $\phi _1\wedge \phi _2$.

Let $\sigma _{1}''$ be an arbitrary strategy profile for 1, and consider $\rho ' = \mathsf {Out}_\mathsf {G} (\sigma _1'',\sigma '_{2})$. We show that $\rho ' \models \phi _1 \Rightarrow \phi _2$. Note that player $2$ cannot be the first to decrease its value during $\rho '$ since it behave according to $\sigma _2$ has long has there are no devition, and $\sigma _2$ is admissible and admissible strategies do not decrease their own values.

If player $1$ decreases its value during $\rho '$, player $2$ will play to make him lose and $\rho ' \not \models \phi _1$.

As a consequence $\rho ' \models \phi _1 \Rightarrow \phi _2$.
Otherwise no player decreases his own value during $\rho '$. We assume that $\rho ' \models \phi _1$ and show that $\rho ' \models \phi _2$.

Since $\rho ' \models \phi _1$, by Lemma 8, there is a strategy $\tau ''_1$ which is admissible and compatible with $\rho '$. Since $\rho '$ is an outcome of $\sigma _2'$, and of $\tau ''_1$,

we have $\mathsf {Out}_\mathsf {G} (\tau ''_1,\sigma _2) = \rho '$. Now, since $\tau ''_{1}$ is admissible and by the fact that $\sigma _2$ satisfies the condition 2 of $\mathsf {AA}$, we obtain $\rho ' \models \phi _2$, which proves the property.

We can show the same property replacing the roles of player $1$ and player $2$, thus showing that the profile is solution of $\mathsf {AG} ^\wedge $. $\square $

We now consider several non-implications of Fig. 5.

Lemma 28

$\mathsf {AA} \not \Rightarrow \mathsf {Win} $, $\mathsf {AG} ^\wedge \not \Rightarrow \mathsf {Win} $, $\mathsf {AG} ^\vee \not \Rightarrow \mathsf {Win} $, $\mathsf {Coop} \not \Rightarrow \mathsf {AA} $, $\mathsf {Coop} \not \Rightarrow \mathsf {AG} ^\wedge $, $\mathsf {Coop} \not \Rightarrow {\mathsf {RS}}^\exists (\mathsf {Dom})$, and for all $\gamma \in \{\mathsf {NE},\mathsf {SPE},\mathsf {Dom} \}$, ${\mathsf {RS}}^{\exists ,\forall }(\gamma ) \not \Rightarrow \mathsf {Coop} $.

Proof

Towards a contradiction assume $\mathsf {AA} \Rightarrow \mathsf {Win} $, then since we have $\mathsf {Win} \Rightarrow \mathsf {AG} ^\wedge $ (Lemma 24), we would have $\mathsf {AA} \Rightarrow \mathsf {AG} ^\wedge $ but this contradicts Lemma 26.

By Lemma 24, we have $\mathsf {AA} \Rightarrow \mathsf {AG} ^\wedge $, so $\mathsf {AG} ^\wedge \Rightarrow \mathsf {Win} $ would imply, by transitivity, $\mathsf {AA} \Rightarrow \mathsf {Win} $, which contradicts the previous case.

Towards a contradiction assume $\mathsf {AG} ^\vee \Rightarrow \mathsf {Win} $, then since we have $\mathsf {Win} \Rightarrow \mathsf {AA} $ (Lemma 26), we would have $\mathsf {AG} ^\vee \Rightarrow \mathsf {AA} $ but this contradicts Lemma 26.

In Fig. 7, we have an example of a game where there is no solution for $\mathsf {AA} $ (see the proof of Lemma 26 for details), however there is a solution for $\mathsf {Coop} $: (l, b).

Consider the example of Fig. 10. There is a solution for $\mathsf {Coop} $: player $1$ plays a. However there is no solution for $\mathsf {AG} ^\wedge $: player $2$ has no strategy to ensure that $\phi _1 \implies \phi _2$.

Consider the example of Fig. 11. This example has a solution for $\mathsf {Coop} $, for instance (l, ac) or (r, bd). However player $2$ has no dominant strategy: l looses against bd so it is dominated by r, and r looses against ac so it is dominated by l. Therefore ${\mathsf {RS}}^\exists (\mathsf {Dom})$ has no solution.

Consider the example of Fig. 12. There is no solution for $\mathsf {Coop} $: player $2$ can never win. However there is a solution for any concept in ${\mathsf {RS}}^{\exists ,\forall }(\gamma )$: player $1$ wins against any of the strategy satisfying these concepts since the only possible outcome is winning for him. $\square $

In the controller synthesis framework using two-player games between a controller and its environment, some works advocate the use of environment objectives which the environment can guarantee against any controller [8]. Under this assumption, Win-under-Hyp implies $\mathsf {AA}$:

Lemma 29

Let $\mathsf {G} =\langle \mathsf{A},\phi _1,\phi _2\rangle $ be a two-player game. If player 2 has a winning strategy for $\phi _2$ and Win-under-Hyp has a solution, then $\mathsf {AA}$ has a solution.

Proof

Assume that $\sigma _2^w$ is a winning strategy for $\phi _2$ and let $\sigma _1,\sigma _2$ be a solution of Win-under-Hyp. We have that $\forall \sigma '_2.\ \sigma _1,\sigma '_2 \models \phi _2 \Rightarrow \phi _1$ and $\forall \sigma '_1.\ \sigma '_1,\sigma _2 \models \phi _1 \Rightarrow \phi _2$.

Since $\sigma _2^w$ is a winning strategy, all admissible strategies of player 2 are winning. Then, for all $\sigma '_2 \in \mathsf{Adm}_2$, we have $\mathsf {G},\sigma _1,\sigma '_2 \models \phi _2$ and because $\forall \sigma '_2, \sigma _1,\sigma '_2 \models \phi _2 \Rightarrow \phi _1$, we also have that $G, \sigma _1,\sigma '_2 \models \phi _1$. If $\sigma _1$ is dominated, there exists a non-dominated strategy $\sigma ^a_1$ that dominates it [2, Thm. 11], otherwise we take $\sigma ^a_1 = \sigma _1$. In both cases $\sigma ^a_1$ is admissible. As $\sigma _1$ is dominated by $\sigma ^a_1$, $\mathsf {G}, \sigma _1, \sigma '_2 \models \phi _1$ implies $\mathsf {G}, \sigma ^a_1, \sigma '_2 \models \phi _1$. This shows that the condition $\forall \sigma '_2 \in \mathsf{Adm}_2(\mathsf {G}).\ \mathsf {G},\sigma _1^a,\sigma '_2\models \phi _1$ is satisfied. Since $\sigma ^w_2$ is winning, it is admissible and we also have $\forall \sigma '_1 \in \mathsf{Adm}_1(\mathsf {G}).\ \mathsf {G},\sigma '_1,\sigma ^w_2\models \phi _2$. Therefore all conditions of Assume-Admissible are satisfied by $(\sigma ^a_1,\sigma ^w_2)$. $\square $

Rectangularity We now consider the robustness of the profiles synthesized using the above rules. An $\mathsf {AA}$-winning strategy profile $\sigma _\mathcal {P}$ is robust in the following sense: The set of $\mathsf {AA}$-winning profiles is rectangular, i.e. any combination of $\mathsf {AA}$-winning strategies independently chosen for each player, is an $\mathsf {AA}$-winning profile. Second, if one replaces any subset of strategies in $\mathsf {AA}$-winning profile $\sigma _\mathcal {P}$ by arbitrary admissible strategies, the objectives of all the other players still hold. Formally, a rectangular set of strategy profiles is a set that is a Cartesian product of sets of strategies, given for each player. A synthesis rule is rectangular if the set of strategy profiles satisfying the rule is rectangular. The ${\mathsf {RS}}$ rules require a specific definition since player $1$ has a particular role: we say that ${\mathsf {RS}}^{\forall ,\exists }(\gamma )$ is rectangular if for any strategy $\sigma _1$ witnessing the rule, the set of strategy profiles $(\sigma _{2},\dots ,\sigma _n) \in \Sigma ^{\gamma }_{\mathsf {G},\sigma _1}$ s.t. $\mathsf {G}, \sigma _1,\dots ,\sigma _n \models \phi _1$ is rectangular. We show that apart from $\mathsf {AA} $, only $\mathsf {Win} $ and ${\mathsf {RS}}^\forall (\mathsf {Dom})$ are rectangular.

Theorem 8

We have 1. Rule $\mathsf {AA}$ is rectangular; and for all games $\mathsf {G} $, $\mathsf {AA}$-winning strategy profile $\sigma _P$, coalition $C\subseteq \mathcal {P}$, if $\sigma '_C \in \mathsf{Adm}_C(\mathsf {G})$, then $\mathsf {G},\sigma _{-C},\sigma '_C \models \bigwedge _{i \in -C} \phi _i$. 2. The rules $\mathsf {Win} $ and ${\mathsf {RS}}^\forall (\mathsf {Dom})$ are rectangular; the rules $\mathsf {Coop} $, $\mathsf {AG} ^\vee $, $\mathsf {AG} ^\wedge $, ${\mathsf {RS}}^\exists (\mathsf {NE},\mathsf {SPE},\mathsf {Dom})$, and ${\mathsf {RS}}^\forall (\mathsf {NE},\mathsf {SPE})$ are not rectangular.

Proof

If there is no solution to $\mathsf {AA}$, then the set of witness is empty, and therefore is rectangular. If there is only one solution, then it is the Cartesian product of singletons and therefore also a rectangular set.

Otherwise let $\sigma _\mathcal {P}$ and $\sigma '_\mathcal {P}$ be two solutions of $\mathsf {AA}$. Let i be a player of $\mathcal {P}$, we show that $\sigma _i,\sigma '_{-i}$ is also a solution of $\mathsf {AA}$. We have that $\sigma _i \in \mathsf{Adm}(\mathsf {G})$ and for all $j\ne i$, $\sigma _j\in \mathsf{Adm}(\mathsf {G})$, because condition 1 holds for $\sigma _\mathcal {P}$ and $\sigma '_\mathcal {P}$. Therefore condition 1 holds for $\sigma _i,\sigma '_{-i}$. Similarly, $\forall \sigma '_{-i} \in \mathsf{Adm}_{-i}(\mathsf {G}).\ \mathsf {G}, \sigma '_i,\sigma _i \models \phi _i$ and for all $j\ne i$, $\forall \sigma '_{-j} \in \mathsf{Adm}_{-j}(\mathsf {G}).\ \mathsf {G}, \sigma '_j,\sigma _j \models \phi _j$, because condition 2 holds for $\sigma _\mathcal {P}$ and $\sigma '_\mathcal {P}$. Therefore condition 2 holds for $\sigma _i,\sigma '_{-i}$ and it is a witness of $\mathsf {AA}$.

Let $\Sigma ^{aa}_i$ be the set of strategy $\sigma _i$ such that there exists $\sigma _{-i}$ such that $\sigma _{i},\sigma _{-i}$ is a witness of $\mathsf {AA}$. We can show that the set of witness of $\mathsf {AA}$ is the Cartesian product of the $\Sigma ^{aa}_i$. We obviously have that the set of solutions is included in $\prod _{i\in \mathcal {P}} \Sigma ^{aa}_i$. Let $\sigma _\mathcal {P}$ be a profile in $\prod _{i\in \mathcal {P}} \Sigma ^{aa}_i$, and $\sigma '_\mathcal {P}$ a witness of $\mathsf {AA}$. We can replace for one i at a time, the strategy $\sigma '_i$ by $\sigma _i$ in $\sigma '_\mathcal {P}$ and by the small property we previously proved, the strategy profile stays a solution of $\mathsf {AA}$. Therefore $\sigma _\mathcal {P}$ is a solution of $\mathsf {AA}$. This shows that the set of solutions is the rectangular set $\prod _{i\in \mathcal {P}} \Sigma ^{aa}_i$.

This claim follows from the definition of $\mathsf {AA}$-winning strategy profiles, since each strategy is winning against admissible strategies.

Now Consider any game $\mathsf {G} $ and fix a profile $\sigma _\mathcal {P}$ such that $\mathsf {G},\sigma _\mathcal {P}\models \bigwedge _{1\le i \le n} \phi _i$.

Assume $\sigma _\mathcal {P}$ is solution to $\mathsf {Win} $, then each $\sigma _i$ is a winning strategy. Let $\sigma '_i$ be a strategy part of another profile solution to $\mathsf {Win} $. Then the strategy $\sigma '_i$ ensures $\phi _i$ against any strategy profile for $-i$. If we replace $\sigma _i$ by $\sigma '_i$ in the profile $\sigma _\mathcal {P}$ then the condition for $\mathsf {Win} $ are still satisfied. Thus the rule $\mathsf {Win} $ is rectangular.

Let $\sigma _1$ be a solution of ${\mathsf {RS}}^\forall (\mathsf {Dom})$. Let $\sigma _{2},\dots ,\sigma _n$ and $\sigma '_2,\dots ,\sigma '_n$ be profiles of $\Sigma ^\mathsf {Dom} _{\mathsf {G},\sigma _1}$ such that $\sigma _1,\sigma _{2},\dots ,\sigma _n \models \phi _1$ and $\sigma _1,\sigma '_2,\dots ,\sigma '_n \models \phi _1$. If we define a profile $\tau _2, \dots ,\tau _n$ where each $\tau _i$ is either $\sigma _i$ or $\sigma '_i$, then as each $\tau _i$ is dominant, we have $\sigma _1,\tau _2,\dots ,\tau _n \models \phi _1$ because $\sigma _1$ is a solution of ${\mathsf {RS}}^\forall (\mathsf {Dom})$. Therefore the profile belongs to $\Sigma ^\mathsf {Dom} _{\mathsf {G},\sigma _1}$ and makes $\sigma _1$ win. This shows that the rule is rectangular.

Consider the example of Fig. 13. Since player $2$ and player $3$ are always winning, all their strategies are dominant. There is only one strategy $\sigma _1$ for player $1$ since it controls no state. The profiles (a, c) and (b, d) are strategies of $\Sigma ^\mathsf {Dom} _{\mathsf {G},\sigma _1}$ such that $\sigma _1$ wins for $\phi _1$, but the profile $(\sigma _1,a,d)$ does not make $\phi _1$ hold. The rule is therefore not rectangular.

Consider the game represented in Fig. 14. Player 1 has only one strategy $\sigma _1$ and the other players have two possible strategies: a and b for player $2$ and c and d for player $3$. Since player $1$ is always winning, $\sigma _1$ is a solution for ${\mathsf {RS}}^\forall (\mathsf {NE},\mathsf {SPE})$. The profiles (a, c) and (b, d) are two (subgame perfect) Nash equilibria which make $\phi _1$ hold. However the profile (a, d) obtained by picking one strategy in each profile, is no longer a Nash equilibrium (and so not a subgame perfect equilibrium). Therefore ${\mathsf {RS}}^\forall (\mathsf {NE})$ and ${\mathsf {RS}}^\forall (\mathsf {SPE})$ are not rectangular.

Consider the game represented in Fig. 15.

Player 1 has only one strategy and the other players have two possible strategies: a and b for player $2$ and c and d for player $3$. The profiles (a, c) and (b, d) are two (subgame perfect) Nash equilibria which make $\phi _1$ hold. However the profile (a, d) obtained by taking one strategy in each profile, is no longer winning for player $1$.

Therefore ${\mathsf {RS}}^\exists (\mathsf {NE})$ and ${\mathsf {RS}}^\exists (\mathsf {SPE})$ are not rectangular.

Once again, consider the game represented in Fig. 15. The profiles (a, c) and (b, d) make all players win, but the profile (a, d), is no longer winning for the player $1$, so it is not a solution of $\mathsf {Coop}$. Therefore $\mathsf {Coop}$ is not rectangular.

Consider the game represented in Fig. 16. The profiles (a, c) and (b, d) make the two players win. Since all possible outcome of the game satisfy the implications $\phi _1\Rightarrow \phi _2$ and $\phi _2\Rightarrow \phi _1$, both profiles are solution to $\mathsf {AG} ^\vee $ and $\mathsf {AG} ^\wedge $ (note that the two concepts coincide here because there are only two players). However the profile (a, d) obtained by taking one strategy in each profile, is no longer winning for the player $1$. Therefore $\mathsf {AG} ^\vee $ and $\mathsf {AG} ^\wedge $ are not rectangular. $\square $

9 Conclusion

In this paper, we have introduced a novel synthesis rule, called the assume admissible synthesis, for the synthesis of strategies in non-zero sum n players games played on graphs with omega-regular objectives. We use the notion of admissible strategy, a classical concept from game theory, to take into account the objectives of the other players when looking for winning strategy of one player. We have compared our approach with other approaches such as assume guarantee synthesis and rational synthesis that target the similar scientific objectives. We have developed worst-case optimal algorithms to handle our synthesis rule as well as dedicated abstraction techniques.

The assume-admissible rule is useful to synthesize meaningful strategies which correctly take other players’ expected behaviors into account. Nevertheless, the rule might suffer some limitations that we describe here. First, the restriction to admissible strategies can be questionable in some settings. This assumption is justified when the underlying agents are unknown but can be assumed to act rationally in the sense of admissibility, or simply when we want to actually synthesize a strategy profile and commit to using the $\mathsf {AA}$ rule during the whole process. The $\mathsf {AA}$ rule cannot be used, for instance, if the behaviors of some agents cannot be determined yet and cannot be assumed to be rational (in the sense of admissibility) either. Another issue is that the rule provides solutions less often than the cooperative synthesis rule in general, and the assume-guarantee rule for the case of two players (see Sect. 8). Hence, the rule might fail to find a solution even though there exists an appropriate strategy profile. A related observation is that since the rule assumes that each agent acts admissibly, the rule might yield sub-optimal solutions if an additional global criterion was given. Indeed, if we were to extend our synthesis problem by adding, say, a global quantitative optimization objective, then restricting to admissible strategies would mean to be sub-optimal in general, while the cooperative synthesis rule can give the optimal solution.

We have seen in Sect. 8 (Theorem 7) that a set of objectives $(\phi _1,\phi _2,\ldots ,\phi _n)$ not having a solution for the $\mathsf {AA}$ rule can still have a solution with the $\mathsf {Coop} $ rule or with the $\mathsf {AG} ^{\wedge }$ rule (for two players). Indeed, because the $\mathsf {AA}$ rule leads to solution spaces that are rectangular (Theorem 8), for a $\mathsf {AA}$ solution to exist, this requires the objectives to be strong enough so that strategies for each player can be determined compositionally. So, the solution cannot not rely on the synchronization of all the players on particular strategies. Nevertheless, if there exists a $\mathsf {Coop} $ solution for objectives $(\phi _1,\ldots ,\phi _n)$, then there always exists a way to reinforce these original objectives so that there exists an $\mathsf {AA}$ solution. Indeed, if the regular play $w_1 \cdot (w_2)^{\omega }$ is a solution for $\mathsf {Coop} $, then the stronger objectives $(\{w_1 \cdot (w_2)^{\omega }\},\ldots ,\{w_1 \cdot (w_2)^{\omega }\})$ has trivially a solution for the $\mathsf {AA}$ rule. As a future work, we will study the problem of reinforcing automatically a specification $(\phi _1,\phi _2,\ldots ,\phi _n)$ that has no $\mathsf {AA}$ rule solution into a new specification $(\phi '_1,\phi '_2,\ldots ,\phi '_n)$ which has a $\mathsf {AA}$ solution, while $(\phi _1',\ldots ,\phi _n')$ is as weak as possible.

As further future work, we plan to investigate the admissibility notions on quantitative games, and to develop a tool prototype to support our assume admissible synthesis rule.

Notes

This rule was introduced in [11], under the name Doomsday equilibria, as a generalization of the AG rule of [7] to the case of n-players.

References

Bernet, J., Janin, D., Walukiewicz, I.: Permissive strategies: from parity games to safety games. RAIRO Theor. Inf. Appl. 36(3), 261–275 (2002)
Article MathSciNet MATH Google Scholar
Berwanger, D.: Admissibility in infinite games. In: Proceedings of STACS’07, vol. 4393 of LNCS, pp. 188–199. Springer, Berlin (2007)
Bloem, R., Ehlers, R., Jacobs, S., Könighofer, R.: How to handle assumptions in synthesis. In: SYNT’14, vol. 157 of EPTCS, pp. 34–50 (2014)
Brandenburger, A., Friedenberg, A., Keisler, H.J.: Admissibility in Games1. Econometrica 76(2), 307–352 (2008). doi:10.1111/j.1468-0262.2008.00835.x
Brenguier, R., Raskin, J.-F., Sassolas, M.: The complexity of admissibility in omega-regular games. In: CSL-LICS ’14, 2014. ACM (2014)
Brenguier, R., Raskin, J.-F., Sankur, O.: Assume-admissible synthesis. In: Aceto L., de Frutos Escrig, D. (eds). 26th International Conference on Concurrency Theory (CONCUR 2015), vol. 42 of Leibniz International Proceedings in Informatics (LIPIcs), pp. 100–113, Dagstuhl, Germany, 2015. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik
Chatterjee, K., Henzinger, T.A.: Assume-guarantee synthesis. In: TACAS’07, vol. 4424 of LNCS. Springer, Berlin (2007)
Chatterjee, K., Henzinger, T.A., Jobstmann, B.: Environment assumptions for synthesis. In: CONCUR 2008, vol. 5201 of LNCS, pp. 147–161. Springer, Berlin (2008)
Chatterjee, K., Henzinger, T.A., Jurdziński, M.: Games with secure equilibria. Theor. Comput. Sci. 365(1), 67–82 (2006)
Article MathSciNet MATH Google Scholar
Chatterjee, K., Henzinger, T.A., Piterman, N.: Strategy logic. Inf. Comput. 208(6), 677–693 (2010)
Article MathSciNet MATH Google Scholar
Chatterjee, K., Doyen, L., Filiot, E., Raskin, J.-F.: Doomsday equilibria for omega-regular games. In: VMCAI’14, vol. 8318, pp. 78–97. Springer, Berlin (2014)
Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching-time temporal logic. In: Logics of Programs, vol. 131 of LNCS, pp. 52–71. Springer, Berlin (1981)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL’77. ACM (1977)
Damm, W., Finkbeiner, B.: Automatic compositional synthesis of distributed systems. In: FM 2014, vol. 8442 of LNCS, pp. 179–193. Springer, Berlin (2014)
de Alfaro, L., Godefroid, P., Jagadeesan, R.: Three-valued abstractions of games: Uncertainty, but with precision. In: LICS’04. IEEE (2004)
Emerson, E.A.: Temporal and modal logic. Handb. Theor. Comput. Sci. Vol. B Formal Models Semat B 995, 1072 (1990)
Faella, M.: Admissible strategies in infinite games over graphs. In: MFCS 2009, vol. 5734 of Lecture Notes in Computer Science. pp. 307–318. Springer, Berlin (2009)
Fisman, D., Kupferman, O., Lustig, Y.: Rational synthesis. In: TACAS’10, vol. 6015 of LNCS, pp. 190–204. Springer, Berlin (2010)
Fudenberg, D., Tirole, J.: Game: Theory. MIT, Press, Cambridge, 1991 Translated into Chinesse by Renin University Press, Bejing (1991)
Han, Z.: Game Theory in Wireless and Communication Networks: Theory, Models, and Applications. Cambridge University Press, UK (2012)
MATH Google Scholar
Henzinger, T.A., Majumdar, R., Mang, F.Y.C., Raskin, J.-F.: Abstract interpretation of game properties. In: SAS, pp. 220–239 (2000)
Hunter, P.: Complexity and Infinite Games on Finite Graphs. Ph.D thesis, Computer Laboratory, University of Cambridge (2007)
Hunter, P., Dawar, A.: Complexity bounds for regular games. In: Jedrzejowicz, J., Szepietowski, A. (eds.) MFCS’05, vol. 3618 of LNCS. Springer, Berlin (2005)
Kupferman, O., Perelli, G., Vardi, M.Y.: Synthesis with rational environments. In: Proceedings of 12th European conference on multi-agent systems, LNCS. Springer, Berlin (2014)
Long, D.E., Browne, A., Clarke, E.M., Jha, S., Marrero, W.R.: An improved algorithm for the evaluation of fixpoint expressions. In: CAV’94, vol. 818 of LNCS. Springer, Berlin (1994)
Manna, Z., Wolper, P.: Synthesis of communicating processes from temporal logic specifications. In: Logics of Programs, vol. 131 of LNCS, pp. 253–281. Springer, Berlin (1981)
Mogavero, F., Murano, A., Vardi, M.Y.: Reasoning about strategies. In: FSTTCS 2010, vol. 8 of LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2010)
Nash, J.: Equilibrium points in $n$-person games. In: Proceedings of NAS (1950)
Neider, D., Rabinovich, R., Zimmermann, M.: Down the borel hierarchy: solving muller games via safety games. Theor. Comput. Sci. 560, 219–234 (2014)
Article MathSciNet MATH Google Scholar
Pnueli, A.: The temporal logic of programs. In: Foundations of Computer Science, 1977, 18th Annual Symposium on, pp. 46–57. IEEE (1977)
Seidl, H.: Fast and simple nested fixpoints. Inf. Proc. Lett. 59(6), 303–308 (1996)
Article MathSciNet MATH Google Scholar
Ummels, M.: Stochastic Multiplayer Games: Theory and Algorithms. Amsterdam University Press, UK (2010)
Book Google Scholar

Download references

Author information

Authors and Affiliations

Department of Computer Science, University of Oxford, Oxford, UK
Romain Brenguier
Département d’informatique, Université Libre de Bruxelles, Brussels, Belgium
Jean-François Raskin
CNRS, IRISA, Rennes, France
Ocan Sankur

Authors

Romain Brenguier
View author publications
You can also search for this author in PubMed Google Scholar
Jean-François Raskin
View author publications
You can also search for this author in PubMed Google Scholar
Ocan Sankur
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ocan Sankur.

Additional information

Supported by the ERC starting Grant inVEST (FP7-279499).

Appendices

Appendix 1: Proofs of Sect. 4

Lemma 30

Any strategy for Controller is admissible if, and only if it satisfies (C0), (C1), and (C2) at all histories.

Proof

Consider a strategy which does not satisfy the conditions. Note that (C0) cannot be violated. So we consider the two remaining cases.

Consider strategy $\sigma $ that violates (C1), say, at history h. We define $\sigma ' = \sigma [h \leftarrow \sigma _C]$, and show that $\sigma $ is dominated by $\sigma '$. In fact, both strategies are identical on outcomes that do not admit h as prefix. Now, given any strategy $\tau $ for Scheduler compatible with h, consider $\tau ' = \tau [h \leftarrow \sigma _S]$. Clearly, all outcomes that extend h and compatible with $\sigma $ are losing for Controller – since the safety specification fails after h, while the outcomes compatible with $\sigma '$ and $\tau '$ is winning. This shows that $\sigma '$ dominates $\sigma $.

If $\sigma $ violates (C2), this means that at some history h where $a_i$ just became pending, some history $h'$ compatible with $\sigma $, and extending h for k steps, does not set $r_i$ to true although $r_i$ is not constantly pending.

Let $h''$ denote the longest prefix of $h'$ that ends in a Controller state. By assumption $r_i$ is not pending at $h''$ and $\sigma (h'')$ does not set $r_i$ to true. We define $\sigma '$ identical to $\sigma $ for all histories that do not admit $h''$ as prefix. From history $h''$, $\sigma '$ sets $r_i$ to true, and then sets $r_{3-i}$ to true in the next round, and then always plays $\bot $. Consider strategies for User and Scheduler that are compatible with $h''$, and from $h''$, constantly play $\bot $ and $q_1q_2$ respectively (they are defined arbitrarily elsewhere). It follows that the generated outcome compatible with $\sigma '$ extending $h''$ is winning for Controller; while all outcomes of $\sigma $ extending $h''$ are losing since they immediately violate $\phi _\mathsf{Controller}$. Since all other outcomes of $\sigma '$ which do not extend $h''$ are identical to those of $\sigma $, this shows that $\sigma $ is dominated by $\sigma '$.

Conversely, consider any strategy $\sigma $ that satisfies (C0)–(C2), and assume, towards a contradiction that there exists $\sigma '$ that dominates $\sigma $. Consider any finite history h such that $\sigma (h) \ne \sigma '(h)$, and such that $\sigma '$ has an outcome that extends h and satisfies $\phi _\mathsf{Controller}$. Such a history exists since there is a strategy profile for other players against which $\sigma '$ wins but not $\sigma $. Note that $\phi _\mathsf{Controller}$ is not violated by h since $\sigma '$ has a compatible outcome extending h that satisfies this property.

We construct an outcome $\rho $ compatible with $\sigma $ that extends h and satisfies $\phi _\mathsf{Controller}$ as follows. We set both $a_1,a_2$ constantly to false, and $q_1, q_2$ to true from history $h\sigma (h)$, while the variables of Controller are chosen according to $\sigma $. Thus, no request is pending when Scheduler plays at history $h\sigma (h)$. By (C2), the outcome satisfies $\mathtt {G}(\forall i, a_i \rightarrow \mathtt {F}_{\le k} r_i)$. In fact, we know that the property is satisfiable from h (since $\sigma '$ satisfies it), and none of the requests are pending after $h\sigma (h)$. Moreover, by (C1), we also have the second part of the formula. Hence, the outcome satisfies $\phi _\mathsf{Controller}$.

We now prove that $\sigma '$ cannot dominate $\sigma $. In fact, let $(\tau _U,\tau _S)$ be a strategy profile compatible with $\rho $, which at history $h\sigma '(h)$ switches to $(\sigma _U,\hat{\sigma }_S)$. It follows that $(\sigma ,\tau _U,\tau _S) \models \phi _\mathsf{Controller}$ while $(\sigma ',\tau _U,\tau _S) \not \models \phi _\mathsf{Controller}$, a contradiction. $\square $

Lemma 31

Any Scheduler strategy is admissible if, and only if it satisfies (C3), (C4), (C5), and (C6) at all histories.

Proof

Consider a strategy $\tau $ that does not satisfy one of the conditions at history h. Then, all outcomes that extend h are losing for Scheduler since the temporal constraints on both requests cannot be satisfied. We describe a strategy $\tau '$ that dominates $\tau $. Assume that $\tau $ violates (C3) at h. We define $\tau '$ from $\tau $, which is identical to $\tau $ at all histories that do not contain h as prefix. At h, $\tau '$ sets $q_1$ to true in the first round, and $q_2$ in the second round, and continues as $\sigma _S$. Now, for any strategy of Controller which, at h, plays $\bot $ twice, and switches to $\sigma _C$, all outcomes from h compatible with both described strategies satisfy $\phi _\mathsf{Scheduler}$. This shows that $\tau '$ dominates $\tau $. The case of other conditions (C4) or (C5) being violated by $\tau $ are treated similarly. Note that (C6) cannot be violated by definition.

Conversely, we show that any strategy $\tau $ that satisfy (C3)–(C6) is admissible. Consider any admissible strategy $\tau '$ that dominates $\tau $; we will show a contradiction. Note that $\tau '$ must satisfy all four conditions by the previous case. Let h be a maximal finite prefix compatible with $\tau $ and $\tau '$ with $\tau (h) \ne \tau '(h)$, and such that some outcome compatible with $\tau '$ extending h is winning for Scheduler. Such a history exists since the two strategies must be different, and because $\tau '$ dominates $\tau $.

Define a Controller strategy $\sigma $ compatible with h, which

from $h\tau (h)$, constantly sets all $r_i$ to false,
and from $h\tau '(h)$, constantly sets all $r_i$ to true.

Note that all outcomes are losing from $h\tau '(h)$ (this behavior corresponds to $\hat{\sigma }_C$). It thus suffices to show that some outcome compatible with $\tau $ and $\sigma $, and extending $h\tau (h)$ is winning for Scheduler to obtain a contradiction.

First, observe that no prefix of h satisfies (C6) since from the same history, $\tau '$ has a winning possible outcome. In particular, this is the case of h itself. Since $\tau (h) \ne \tau '(h)$ although both satisfy (C3)–(C5), h does not satisfy any of the hypotheses of these conditions. It must be that no request is pending from the previous round (that is, in the previous round, $r_2$ was false, and either $r_1$ was false or it was followed by $q_1$). So in the current round, either no request was made, or only one request was made. It follows that any strategy satisfying (C3)–(C5) sets $q_1$ and $q_2$ so as to satisfy $\phi _\mathsf{Scheduler}$, given that no new request is made under $\sigma $. Thus, this particular outcome is compatible with $\tau $ and satisfies $\phi _\mathsf{Scheduler}$, contradicting that $\tau '$ dominates $\tau $. $\square $

Lemma 32

For all $k\ge 4$, all strategy profiles $(\sigma _U,\sigma _C,\sigma _S)$ satisfying (C1)–(C6) also satisfy $\phi _\mathsf{User} \wedge \phi _\mathsf{Controller} \wedge \phi _\mathsf{Scheduler}$.

Proof

We first show that $\phi _\mathsf{Scheduler}$ holds for all outcomes under condition (C1) and (C3)–(C5). Let us denote by (H3), (H4), and (H5) the hypotheses of conditions (C3), (C4), and (C5) respectively. We also define the following:

(H6)
No request is pending from the previous round, and at most one request is made in the current round.

We are going to show that under these conditions, any history ending at Scheduler’s states satisfy one of the conditions among (H3)–(H6). We proceed by induction on the length of the history.

Initially, this is the case since if both requests are made by Controller, then we are in (H3). Otherwise, at most one request is made, and (H6) holds.

Assume now that this holds in the previous round. If (H3) holds, then by (C3), (H4) holds in the next round. If (H4) holds, then by (C4), either (H5) or (H6) hold in the next round. If (H5) holds, then by (C5), either (H4) or (H6) holds in the next round. If (H6) holds, and no request is pending, then (H6) holds in the next round. If some request is pending, by (C1), we are in (H3) or (H4) in the next round depending on which request is pending.

Since in each case the corresponding request is granted in time, this shows that any outcome satisfying these conditions satisfies $\phi _\mathsf{Scheduler}$.

Let us argue that $\phi _\mathsf{Controller}$ holds too. First, (C1) implies $\mathtt {G}(\forall i, r_i \rightarrow X(\lnot r_i \mathtt {W}q_i))$ by definition. Second, by $\phi _\mathsf{Scheduler}$, all requests are granted in at most two rounds, thus for any incoming action $a_i$, if $r_i$ is pending (that is, $r_i$ was set to true in the previous round), $q_i$ will be set to true in the current round; thus it will not be pending in the beginning of the next round (note that if $r_i$ is set to true in the next round, it arrives precisely 4 steps after $a_i$).

It follows from (C2) that for each pending action $a_i$, $r_i$ is set to true within k steps. Thus $\phi _\mathsf{Controller}$ holds too.$\square $

Appendix 2: Admissible strategies not monotonous under game abstractions

In [15], existential and universal abstractions are defined on two-player games, which generalize the corresponding abstraction technique for automata. Given a game G, the idea is to obtain a game $\underline{G}$ by applying state-space abstraction, which is harder to win, and conversely, a game $\overline{G}$ which is easier to win. Any winning strategy for $\underline{G}$ can be mapped to a winning strategy in G, and conversely, if $\overline{G}$ cannot be won, then nor can G be. The goal is to only explore the abstract state space to check a sufficient condition for the existence of a winning strategy, or to prove there is none.

More precisely, given a partition $S_1,\ldots , S_n$ of the states respecting the players, the game $\underline{G}$ is defined on states $\{S_1,\ldots ,S_n\}$. If $S_i$ is made of player 1 states, then we put an edge from $S_i$ to $S_j$ if from all $s \in S_i$ there is an edge to some state of $S_j$ in G. We say that any edge from s to $S_j$ is mapped to the edge $(S_i,S_j)$. If $S_i$ is made of player 2 states, then we put an edge $(S_i,S_j)$ if for some state $s \in S_i$, there is an edge from s to $S_j$.

The game $\overline{G}$ is defined by inverting the abstractions applied to both players.

One can wonder whether admissible strategies of $\underline{G}$ map to admissible strategies of G, or whether there is any relation of this sort. We answer this question negatively in the following remark.

Remark 2

Given a strategy $\underline{\sigma }$ of $\underline{G}$, we consider its concretization $\gamma (\underline{\sigma })$ as the set of strategies of G, which from any history h, take edges that map to the edge $\underline{\sigma }(\alpha {h})$, where $\alpha {h}$ is the projection of h in the abstract state space.

We give some examples to show that any of the following cases is possible:

$\mathsf{Adm}_1(G) \subseteq \gamma (\mathsf{Adm}_1(\underline{G}))$,
$\gamma (\mathsf{Adm}_1(\underline{G})) \subseteq \mathsf{Adm}_1(G)$,
$\mathsf{Adm}_1(G) \not \subseteq \gamma (\mathsf{Adm}_1(\underline{G}))$, and $\gamma (\mathsf{Adm}_1(\underline{G})) \not \subseteq \mathsf{Adm}_1(G)$,

showing that $\underline{G}$ cannot be used to derive systematically an under- or over-approximation of the set $\mathsf{Adm}_1(G)$.

Consider the game in Fig. 17, where Player 1 plays from circular states and has the safety objective of avoiding $\times $. The original game G is given on the left. On the right, $\underline{G}$ is given, which is obtained by existential abstraction by merging states 1, 2.

We will refer to edges by their labels, and identify strategies with edges since there is a single state for Player 1. We have $\mathsf{Adm}_1(G) = \{a\}$ but $\gamma (\mathsf{Adm}_1(\underline{G})) = \{a,b\}$. In fact, The only edge from state 0 defines an admissible strategy (which is also the only strategy), and both edges a and b of G map to this edge. This shows $ \mathsf{Adm}_1(G) \subseteq \gamma (\mathsf{Adm}_1(\underline{G}))$.

As a second example, consider the game of Fig. 18 where the goal is to reach the state $\checkmark $. The only admissible strategy in $\underline{G'}$ is taking the edge a, so $\gamma (\mathsf{Adm}_1(\underline{G'}))=\{a\}$. However, in the original game $G'$, we have $\mathsf{Adm}_1(G') = \{a,b\}$ since both are winning. This shows $\gamma (\mathsf{Adm}_1(\underline{G'})) \subseteq \mathsf{Adm}_1(G')$.

More generally, by combining the two small games given here (for instance, taking their union), one can obtain games where $\mathsf{Adm}_1(G)$ and $\gamma (\mathsf{Adm}_1(\underline{G}))$ are incomparable.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Brenguier, R., Raskin, JF. & Sankur, O. Assume-admissible synthesis. Acta Informatica 54, 41–83 (2017). https://doi.org/10.1007/s00236-016-0273-2

Download citation

Received: 30 November 2015
Accepted: 21 June 2016
Published: 13 July 2016
Issue Date: February 2017
DOI: https://doi.org/10.1007/s00236-016-0273-2

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Assume-admissible synthesis

Abstract

Similar content being viewed by others

Synthesis with Rational Environments

Synthesis with rational environments

Non-Zero Sum Games for Reactive Synthesis

1 Introduction

2 Definitions

2.1 Multiplayer arenas

2.2 Objectives and games

2.3 Dominance

3 Synthesis rules

Proposition 1

Proof

Example 1

4 Synthesis rules in the light of an example

Lemma 1

Lemma 2

Lemma 3

5 Algorithm for assume-admissible synthesis

5.1 Values and admissible outcomes

Definition 1

Example 2

Lemma 4

Lemma 5

Lemma 6

Lemma 7

Lemma 8

Proof

Example 3

Lemma 9

Proof

5.2 Algorithm for Müller objectives

Lemma 10

Proof

Lemma 11

Proof

Lemma 12

Proof

Theorem 1

Theorem 2

Proof

5.3 Algorithm for Büchi objectives

Theorem 3

Lemma 13

Proof

Theorem 4

Proof

6 Abstraction framework

6.1 Abstract games

Lemma 14

Proof

Lemma 15

Proof

6.2 Value-preserving strategies

Lemma 16

Proof

Lemma 17

Proof

Lemma 18

Proof

Lemma 19

Proof

6.3 Help states

Lemma 20

Proof

6.4 Abstract synthesis of \(\mathsf {AA}\)-winning strategies

Lemma 21

Proof

Lemma 22

Proof

Theorem 5

7 Algorithm for assume-guarantee synthesis

Example 4

Lemma 23

Proof

Theorem 6

Proof

8 Comparison of synthesis rules

Theorem 7