# BDD-versus SAT-based bounded model checking for the existential fragment of linear temporal logic with knowledge: algorithms and their performance


## Abstract

The paper deals with symbolic approaches to bounded model checking (BMC) for the existential fragment of linear temporal logic extended with the epistemic component (ELTLK), interpreted over interleaved interpreted systems. Two translations of BMC for ELTLK to SAT and to operations on BDDs are presented. The translations have been implemented, tested, and compared with each other as well as with another tool on several benchmarks for MAS. Our experimental results reveal advantages and disadvantages of SAT- versus BDD-based BMC for ELTLK.

### Keywords

Bounded model checking, Binary decision diagrams, Propositional satisfiability problem (SAT), Interpreted systems, Interleaved interpreted systems, Epistemic linear temporal logic

## 1 Introduction

Verification of multi-agent systems (MAS) is an actively developing field of research [7, 8, 14, 24, 25, 30, 47]. Several approaches based on model checking [12, 48] have been put forward for the verification of MAS. Typically, they employ combinations of the epistemic logic with either branching [8, 30, 43] or linear time temporal logic [17, 22, 38]. Some approaches reduce the verification problem to the one for plain temporal logic [6, 22], while others treat typical MAS modalities such as (distributed, common) knowledge as first-class citizens and introduce novel algorithms for them [38, 43].

In an attempt to alleviate the state-space explosion problem (i.e., an exponential growth of the system state space with the number of the agents) two main approaches have been proposed based on combining bounded model checking (BMC) with symbolic verification using translations to either ordered binary decision diagrams (BDDs) [26] or propositional logic (SAT) [41]. However, the above approaches deal with the properties expressed in the existential fragment of CTLK (i.e., CTL extended with the existential epistemic components, called ECTLK) only. In the paper [46] a method for model checking LTLK formulae using BDDs is described, but it is not explained how it can be used for BMC.

In this paper we aim at completing the picture of applying the BMC-based symbolic verification to MAS by looking at the existential fragment of LTLK (i.e., LTL extended with the existential epistemic components, called ELTLK), interpreted over both the subclass of interpreted systems (IS) called interleaved interpreted systems (IIS) [31] and interpreted systems themselves. IIS are an asynchronous subclass of interpreted systems [16] in which only one action at a time is performed in a global transition. Our original contribution consists in defining the following four novel bounded model checking methods for ELTLK: the SAT-based BMC for IS and for IIS, and the BDD-based BMC for IS and for IIS. Moreover, we would like to point out that the proposed SAT-based BMC for ELTLK and for IS has never been defined and experimentally evaluated before. Next, both the presented BDD-based methods have been published earlier, but only in the informal proceedings of the LAM’2012 workshop.

All the proposed BMC methods have been implemented as prototype modules of Verics [28], tested, and compared with each other as well as with MCK [17] on three well-known benchmarks for MAS: a (faulty) train controller system [21], a (faulty) generic pipeline paradigm [40], and the dining cryptographers [10]. Our experimental results reveal not only advantages and disadvantages of ELTLK SAT- versus BDD-based BMC for MAS that are consistent with comparisons for temporal logics [9, 13], but also show two novel findings. Namely, IIS semantics can improve the practical applicability of BMC, and the BDD-based approach appears to be superior for IIS semantics, while the SAT-based approach appears to be superior for IS semantics.

The rest of the paper is organised as follows. In Sect. 2 we recall interpreted systems (IS), interleaved interpreted systems (IIS), the logic LTLK, and its two subsets: LTL and ELTLK (i.e., the existential fragment of LTLK). Section 3 deals with Bounded Model Checking (BMC), where Sect. 3.1 describes BDD-based BMC for ELTLK and Sect. 3.2 presents SAT-based BMC for ELTLK. In the last section we discuss our experimental results and conclude the paper.

### 1.1 Related work

Model checking of knowledge properties was first considered by Vardi and Halpern [20]. The complexity of the model checking problem for LTL combined with epistemic modalities in the perfect recall semantics was studied by van der Meyden and Shilov [38]. Raimondi et al. showed a BDD-based method for model checking CTLK [43]. Su et al. [46] described a method for model checking LTLK formulae using BDDs. Hoek et al. [22] proposed a method for model checking LTLK formulae using the logic of local propositions.

The origins of bounded model checking (BMC) go back to the seminal papers [4] and [3], where the method has been defined for the LTL properties and Boolean circuits. The main motivation of defining BMC was to take advantage of the immense success of SAT-solvers (i.e., tools implementing algorithms solving the satisfiability problem for propositional formulas). The first SAT-based BMC method for MAS was proposed in [41]. It deals with the existential fragment of the branching time logic extended with the epistemic components (ECTLK) and the interpreted systems. An implementation and experimental evaluation of this BMC method for the interleaved interpreted systems have been presented in [29]. For the same logic and for the standard interpreted systems, Jones et al. proposed a BMC method based on BDDs [26]. In [53] the SAT-based BMC method for the existential fragment of RTCTL augmented to include epistemic modalities (RTECTLK) and for the interleaved interpreted systems was introduced and experimentally evaluated. This BMC encoding takes into account the substantial improvement of the BMC encoding for ECTL that has been defined in [54]. Further, since RTECTLK is an extension of ECTLK such that a range of every temporal operator can be bounded, the BMC encoding of [53] substantially improves the BMC encoding presented in [29, 41]. In [37] a BDD-based BMC method for RTECTLK over interleaved interpreted systems was defined and compared to the corresponding SAT-based BMC method. Further, in [49] the SAT-based BMC method for the deontic interpreted systems and for ECTLK extended to include the existential deontic modalities was defined. A more efficient translation to SAT together with an implementation and an experimental evaluation of this BMC method are shown in [51], where the SAT-based BMC method for RTECTLK augmented to include the existential deontic modalities was defined. In [23] a new SAT-based BMC encoding for fair ECTLK was presented. Next, in [32] the SAT-based BMC method for the real-time interpreted systems and for the existential fragment of TCTL extended to include epistemic modalities was shown. All the above BMC approaches deal with the properties expressed in the existential fragments of branching time temporal logics only.

For the linear time temporal-epistemic properties, until now, the following BMC methods have been developed. In [42] a SAT-based BMC method for ELTLK over interleaved interpreted systems has been defined. The main difficulty in the extension of the SAT-based BMC method for ELTL to the properties expressible in ELTLK was in the encoding of the looping conditions. This difficulty arises from the fact that in SAT-based BMC for ELTLK we need to consider more than one path. The BMC encoding presented in [42] is not based on the state-of-the-art BMC method for \(\mathrm{ECTL}^{*}\) [55], which uses a reduced number of paths and a more efficient encoding of loops, which results in significantly smaller and less complicated propositional formulae that encode the ELTLK properties. For the same logic over the same systems, in [33] a BDD-based BMC method was introduced. Next, in [52] a SAT-based BMC method for the existential fragment of Metric LTL with epistemic and deontic modalities (EMTLKD) over deontic interleaved interpreted systems was defined.

The usefulness of SAT-based BMC for error tracking and complementarity to the BDD-based symbolic model checking have already been proven in several works, e.g., [9, 13, 35, 36]. Further, in [34] the semantics of interpreted systems and interleaved interpreted systems were experimentally evaluated by means of the BDD-based BMC method for LTLK. Partial-order reductions for model checking of interleaved interpreted systems were presented in [31].

Summary of the tools and model checking techniques for temporal-epistemic-deontic logics

| | SAT-BMC | BDD-BMC | NOT BMC |
|---|---|---|---|
| CTLK | VerICS/IIS, MCK/IS | MCMAS/IS | MCMAS/IS, MCK/IS |
| CTLKD | VerICS/IIS | MCMAS/IS | |
| LTLK | VerICS/IS+IIS | VerICS/IS+IIS | MCK/IS |
| \(\text {CTL}^{*}\text {K}\) | MCK/IS | MCK/IS | |
| RTCTLK | VerICS/IIS | VerICS/IIS | |
| RTCTLKD | VerICS/IIS | | |

This paper combines and refines our preliminary results published in informal proceedings of two workshops: the CS&P’2011 [33] and the LAM’2012 [34], in the conference paper [36], and in the journal [42]. More precisely, for the interleaved interpreted systems and for the ELTLK properties we present a BDD-based BMC technique and an improved SAT-based BMC method that previously appeared in, respectively, [33, 36] and [36, 42]. For the interpreted systems and for the ELTLK properties we present a BDD-based BMC technique that previously appeared in [34]. Both SAT-based BMC methods are based on the SAT-based BMC technique for \(\mathrm{ECTL}^{*}\) that was introduced in [55].

## 2 Preliminaries

In this section we introduce the basic definitions used in the paper. In particular, we define interpreted and interleaved interpreted systems, and syntax and semantics of linear temporal logic extended with the epistemic component (LTLK) and its two subsets ELTLK and LTL.

### 2.1 Interpreted systems

The semantics of interpreted systems (IS) provides a setting to reason about multi-agent systems (MASs) by means of specifications based on knowledge and linear or branching time. We report here the basic setting as popularised in [16].

We begin by assuming that a MAS is composed of \(n\) agents (by \({\mathcal{A }}=\{1,\ldots ,n\}\) we denote the non-empty set of agents) and a special agent \({e}\) which is used to model the environment in which the agents operate. We associate a set of *possible local states*\(L_{{ c}}\) and *actions*\(Act_{{ c}}\) to each agent \({ c}\in {\mathcal{A }} \cup \{{e}\}\). For any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\) we assume that the special action \(\epsilon _{{ c}}\), called the “null” action of agent \({{ c}}\), belongs to \(Act_{{ c}}\). For convenience, the symbol \(Act\) denotes the Cartesian product of the agents’ actions, i.e. \(Act = Act_1\times \dots \times Act_n \times Act_{{e}}\).

An element \(a \in Act\) is a tuple of actions (one for each agent) and is referred to as a *joint action*. Following closely the interpreted system model, we consider a *local protocol* modelling the program the agent is executing. Formally, for any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\), the actions of the agents are selected according to a *local protocol* function \(P_{{ c}}: L_{{ c}} \rightarrow 2^{Act_{{ c}}}\), which maps local states to sets of possible actions for agent \({ c}\). Further, for each agent \({{ c}}\) we define a (partial) evolution function \(t_{{ c}}: L_{{ c}} \times Act \rightarrow L_{{ c}}\). We assume that if \(\epsilon _{{ c}} \in P_{{ c}}(\ell )\), then \(t_{{ c}}(\ell ,(a_1,\ldots ,a_n,a_{{e}})) = \ell \) for \(a_{{ c}}=\epsilon _{{ c}}\) and \(a_i \in Act_i\) for \(1 {\,\leqslant \,}i {\,\leqslant \,}n\), and \(a_{{e}} \in Act_{{e}}\).

A *global state*\(g = (\ell _1, \dots , \ell _n, \ell _{{e}})\) is a tuple of local states for all the agents in the MAS corresponding to an instantaneous snapshot of the system at a given time. Given a global state \(g=(\ell _1,\dots , \ell _n, \ell _{{e}})\), we denote by \(l_{{ c}}(g)=\ell _{{ c}}\) the local component of agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\) in \(g\).

*interpreted system* is a tuple

Given the notions above we can now define formally the global (partial) evolution function. Namely, the *global (partial) evolution* function \(t: G \times Act \rightarrow G\) is defined as follows: \(t(g,a)= g'\) iff for all \({ c}\in {\mathcal{A }},\,t_{{ c}}(l_{{ c}}(g),a) = l_{{ c}}(g')\) and \(t_{{e}} (l_{{e}}(g), a) = l_{{e}}(g')\). In brief we write the above as \(g \stackrel{a}{\longrightarrow } g'\).

*model*, which is a tuple

*epistemic indistinguishability* relation for each agent \({{ c}}\in \mathcal{A }\), defined by \(g \sim _{{ c}} r\) if \(l_{{ c}}(g) = l_{{ c}}(r)\), and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is the valuation function of IS.

### 2.2 Interleaved interpreted systems

Interleaved interpreted systems (IIS) [31] are a restriction of interpreted systems, where all the joint actions are of a special form. To be more precise, we assume that if more than one agent is active at a given state, i.e., executes a non-null action, then all the active agents perform the same (shared) action in the round. Formally, for any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\) we assume that the special action \(\epsilon _{{ c}}\), called the “null” action of agent \({{ c}}\), belongs to \(Act_{{ c}}\); as will become clear below, the local state of agent \({{ c}}\) remains the same if the null action is performed. Next, \(Act = \bigcup _{{ c}\in {\mathcal{A }}} Act_{{ c}} \cup Act_{{e}}\), and for each action \(a\), by \(Agent(a) \subseteq {\mathcal{A }}\cup \{{e}\}\) we mean all the agents \({ c}\) such that \(a \in Act_{{ c}}\), i.e., the set of agents potentially able to perform \(a\). Further, for each agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\), the actions are selected according to a *local protocol* function \(P_{{ c}}: L_{{ c}} \rightarrow 2^{Act_{{ c}}}\) such that \(\epsilon _{{ c}} \in P_{{ c}}(\ell )\), for any \(\ell \in L_{{ c}}\), i.e., we insist on the null action being enabled at every local state. Next, for each agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\), we define a (partial) evolution function \(t_{{ c}}: L_{{ c}} \times Act_{{ c}} \rightarrow L_{{ c}}\), where \(t_{{ c}}(\ell ,\epsilon _{{ c}}) = \ell \) for each \(\ell \in L_{{ c}}\). The local evolution function considered here differs from the standard treatment in interpreted systems by having the local action as the parameter instead of the joint action.

*interleaved interpreted system* is a tuple

Given the notions above we can now define formally the global (partial) interleaved evolution function. Namely, the *global (partial) interleaved evolution* function \(t: G\times \prod _{{{ c}} = 1}^n Act_{{ c}} \times Act_{{e}} \rightarrow G\) is defined as follows: \(t(g,a_1,\dots , a_n, a_{{e}})= g'\) iff there exists an action \(a \in Act \setminus \{\epsilon _1,\ldots ,\epsilon _n, \epsilon _{{e}}\}\) such that for all \({{ c}} \in Agent(a),\,a_{{ c}} = a\) and \(t_{{ c}}(l_{{ c}}(g),a) = l_{{ c}}(g')\), and for all \({{ c}} \in ({\mathcal{A }} \cup \{{e}\}) \setminus Agent(a),\,a_{{ c}} = \epsilon _{{ c}}\) and \(t_{{ c}}(l_{{ c}}(g),\epsilon _{{ c}}) = l_{{ c}}(g)\). In brief we write the above as \(g \stackrel{a}{\longrightarrow } g'\).

Similar to blocking synchronisation in automata, the above insists on all agents performing the same non-epsilon action in a global transition; additionally, note that if an agent has the action being performed in its repertoire, it must be performed, for the global transition to be allowed. This assumes that the local protocols are defined to permit this; if a local protocol does not allow it, then the local action cannot be performed and therefore the global transition does not comply with the global interleaved evolution function as defined above.

*model*, which is a tuple

*epistemic indistinguishability* relation for each agent \({{ c}}\in \mathcal{A }\), defined by \(g \sim _{{ c}} r\) if \(l_{{ c}}(g) = l_{{ c}}(r)\), and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is the valuation function of IIS.

### 2.3 Runs and paths

Let \(M\) be a model generated by either IS or IIS. Then, an infinite sequence of global states \(\rho =g_0 g_1 g_2\dots \) is called a *run* originating at \(g_0\) if there is a sequence of transitions from \(g_0\) onwards, such that, \((g_i , g_{i+1})\in T \) for every \(i {\,\geqslant \,}0\). The \(m\)-th prefix of \(\rho \), denoted by \(\rho [..m]\), is defined as \(\rho [..m] = (g_0, g_1 ,\ldots , g_m)\). Any finite prefix of a run is called a *path*.

By \(length(\rho )\) we mean the number of the states of \(\rho \) if \(\rho \) is a path, and \(\omega \) if \(\rho \) is a run. In order to limit the indices range of \(\rho \), which can be either a path or a run, we define the relation \(\unlhd _\rho \). Let \(\unlhd _\rho \stackrel{def}{=}<\) if \(\rho \) is a run, and \(\unlhd _\rho \stackrel{def}{=}{\,\leqslant \,}\) if \(\rho \) is a path.

The set of all the paths and runs originating from \(g\) is denoted by \(\varPi (g)\). The set of all the paths and runs originating from all states in \(G\) is defined as \(\varPi = \bigcup _{g \in G} \varPi (g)\). The set of all the runs originating from \(g\) is denoted by \(\varPi ^\omega (g)\). The set of all the runs originating from all states in \(G\) is defined as \(\varPi ^\omega = \bigcup _{g \in G} \varPi ^\omega (g)\). A state \(g\) is *reachable* from \(g_0\) if there is a path \(\rho =g_0 g_1 g_2 \ldots g_n\) for \(n {\,\geqslant \,}0\) such that \(g = g_n\).

### 2.4 Examples of MASs and their models

In this section we present MASs modelled by means of interpreted systems and interleaved interpreted systems. We use these systems to appraise the bounded model checking methods considered in the paper. In what follows we denote by \(\overline{\epsilon }\) the joint null action, i.e., the action composed of the null actions only.

#### 2.4.1 A faulty train controller system (FTC)

In the model we assume the following set of propositional variables: \({\mathcal{PV }}\!=\!\{ InTunnel_1,\ldots , InTunnel_n \}\) with the following interpretation: \((M,g)\ \models InTunnel_i\) if \(l_{Train_i}(g)= Tunnel_i\) for all \(i \in \{1,\ldots ,n\}\).

- Let \(1{\,\leqslant \,}i {\,\leqslant \,}n\). The local evolution function for Train \(i\) is defined as follows:
\(t_{Train_i}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_i(a)=\epsilon _i\)

\(t_{Train_i}(Away_i,a) = Wait_i\) if \(act_i(a)=approach_i\)

\(t_{Train_i}(Wait_i,a) = Tunnel_i\) if \(act_i(a)=in_i\) and \(act_C(a)=in_i\) and \(i\ne n\)

\(t_{Train_i}(Tunnel_i,a) = Away_i\) if \(act_i(a)=out_i\) and \(act_C(a)=out_i\) and \(i\ne n\)

\(t_{Train_n}(Wait_n,a) = Tunnel_n\) if \(act_n(a)=in_n\)

\(t_{Train_n}(Tunnel_n,a) = Away_n\) if \(act_n(a)=out_n\)

- the local evolution function for Controller is defined as follows:
\(t_{Controller}(state,a) = state\) if \(act_C(a)=\epsilon \)

\(t_{Controller}(Green,a) = Red\) if \(act_i(a)=in_i\) and \(act_C(a)=in_i\) and \(i\ne n\)

\(t_{Controller}(Red, a) = Green\) if \(act_i(a)=out_i\) and \(act_C(a)=out_i\) and \(i\ne n\)

- for Train \(i,\,t_{Train_i}\) is defined as follows:
\(t_{Train_i}(state,\epsilon _i) = state\), for \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\(t_{Train_i}(Away_i,approach_i) = Wait_i\), for \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\(t_{Train_n}(Wait_n,in_n) = Tunnel_n\)

\(t_{Train_i}(Wait_i,in_i) = Tunnel_i\) if \(act_C(a)=in_i\) and \(act_j(a)=\epsilon _j\) for all \(1{\,\leqslant \,}j< n \) such that \(j\ne i\)

\(t_{Train_n}(Tunnel_n,out_n) = Away_n\)

\(t_{Train_i}(Tunnel_i,out_i) = Away_i\) if \(act_C(a)=out_i\) and \(act_j(a)=\epsilon _j\) for all \(1{\,\leqslant \,}j< n \) such that \(j\ne i\)

- for Controller, \(t_{Controller}\) is defined as follows:
\(t_{Controller}(state,\epsilon ) = state\)

\(t_{Controller}(Green,in_i) = Red\) if \(act_i(a)=in_i\), for \(1{\,\leqslant \,}i < n\)

\(t_{Controller}(Red, out_i) = Green\) if \(act_i(a)=out_i\), for \(1{\,\leqslant \,}i < n\)
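The FTC above, explored under both semantics, as an added example that is not the paper's or Verics' code: a generic enumeration of the IS global evolution (Sect. 2.1, joint actions that must agree on shared actions) and of the IIS global interleaved evolution (Sect. 2.2, one shared action per step), applied to the n-train FTC. The agent names, the `t_local` table and the `reachable` helper are this example's own assumptions; in both semantics the unsupervised Train n reaches the tunnel while another train is inside, and only the IS semantics produces transitions in which two trains move at once.

```python
"""Faulty train controller (FTC) of Sect. 2.4.1 under the IS semantics
(joint actions, Sect. 2.1) and the IIS semantics (one shared action per
step, Sect. 2.2).  Added example, not the paper's or Verics' code; the
agent names, t_local and reachable are this example's own assumptions."""
from itertools import product

EPS = "eps"  # the null action of every agent

def ftc(n):
    """Action repertoires and initial global state for n trains and one
    controller.  Train n is the faulty one: in_n/out_n are not shared
    with the controller, so it uses the tunnel unsupervised."""
    agents = {f"Train_{i}": {f"approach_{i}", f"in_{i}", f"out_{i}"}
              for i in range(1, n + 1)}
    agents["Controller"] = {f"{x}_{i}" for i in range(1, n) for x in ("in", "out")}
    return agents, tuple(["Away"] * n + ["Green"])

def t_local(c, state, act):
    """Local evolution t_c(state, act) -> new local state, or None if undefined."""
    if c == "Controller":  # Green --in_i--> Red, Red --out_i--> Green
        return {("Green", "in"): "Red", ("Red", "out"): "Green"}.get((state, act.split("_")[0]))
    i = c.split("_")[1]
    return {("Away", f"approach_{i}"): "Wait", ("Wait", f"in_{i}"): "Tunnel",
            ("Tunnel", f"out_{i}"): "Away"}.get((state, act))

def agent_of(agents, a):
    """Agent(a): the agents that have a in their repertoire."""
    return {c for c, acts in agents.items() if a in acts}

def succ_is(agents, g):
    """IS global evolution t(g, a) for joint actions a: every agent moves at
    once; a null action keeps the local state, and a shared action must be
    performed by all agents in Agent(a) (as in the FTC rules above)."""
    names, out = list(agents), set()
    for joint in product(*[sorted(agents[c]) + [EPS] for c in names]):
        if all(a == EPS for a in joint):
            continue  # the joint null action yields no global transition
        new, ok = list(g), True
        for k, (c, a) in enumerate(zip(names, joint)):
            if a == EPS:
                continue
            nxt = t_local(c, g[k], a)
            if nxt is None or any(joint[names.index(d)] != a for d in agent_of(agents, a)):
                ok = False
                break
            new[k] = nxt
        if ok:
            out.add((joint, tuple(new)))
    return out

def succ_iis(agents, g):
    """IIS global interleaved evolution: exactly one non-null action a per
    step, performed by all of Agent(a); every other agent keeps its state."""
    names, out = list(agents), set()
    for a in set().union(*agents.values()):
        new, ok = list(g), True
        for d in agent_of(agents, a):
            nxt = t_local(d, g[names.index(d)], a)
            if nxt is None:
                ok = False
                break
            new[names.index(d)] = nxt
        if ok:
            out.add((a, tuple(new)))
    return out

def reachable(agents, init, succ):
    """Reachable global states and the number of global transitions among them."""
    seen, todo, edges = {init}, [init], 0
    while todo:
        g = todo.pop()
        for _, g2 in succ(agents, g):
            edges += 1
            if g2 not in seen:
                seen.add(g2)
                todo.append(g2)
    return seen, edges

def two_trains_in_tunnel(agents, init, succ):
    """Reachable states with two trains in the tunnel (trains come first in g)."""
    n, (states, _) = len(agents) - 1, reachable(agents, init, succ)
    return {g for g in states if sum(s == "Tunnel" for s in g[:n]) >= 2}

def simultaneous_train_moves(agents, init, succ):
    """True iff some global transition changes the local states of two trains."""
    n, (states, _) = len(agents) - 1, reachable(agents, init, succ)
    return any(sum(g[i] != g2[i] for i in range(n)) >= 2
               for g in states for _, g2 in succ(agents, g))

if __name__ == "__main__":
    agents, init = ftc(2)
    for name, succ in (("IS", succ_is), ("IIS", succ_iis)):
        states, edges = reachable(agents, init, succ)
        print(name, len(states), "states,", edges, "transitions, two in tunnel:",
              sorted(two_trains_in_tunnel(agents, init, succ)))
```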

#### 2.4.2 Faulty generic pipeline paradigm (FGPP)

\((M,g)\models ProdSend\) if \(l_{Producer}(g)=ProdSend\)

\((M,g)\models ConsReady\) if \(l_{Consumer}(g)=ConsReady\)

\((M,g)\models Problem_i\) if \(l_{Alarm i}(g)= Problemi\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\((M,g)\models Repair_i\) if \(l_{Alarm i}(g)= Repairi\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\((M,g)\models Alarm_iSend\) if \(l_{Alarm i}(g)= AlarmiSend\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\(t_P(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_P(a) = \epsilon _P\)

\(t_P(ProdReady, a) = ProdSend\) if \(act_P(a) = Producing\)

\(t_P(ProdSend, a ) = ProdReady\) if \(act_P(a) = Send_1\) and \(act_{N1}(a) = Send_1\)

\(t_C(state,a) = state\) if \(act_C(a) = \epsilon _C\)

\(t_C(ConsReady,a)=Received\) if \(act_C(a) = Send_{n+1}\) and \(act_{Nn}(a) = Send_{n+1}\)

\(t_C(Received, a)= ConsReady\) if \(act_C(a) = Consuming\)

- if \(n=1\)
\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{C}(a) = Send_2\)

- if \(n=2\)
\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{N2}(a) = Send_2\)

\(t_{N2}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N2}(a) = \epsilon _{N2}\)

\(t_{N2}(Node2Ready, a) = Node2Proc\) if \(act_{N2}(a) = act_{N1}(a) = Send_2\)

\(t_{N2}(Node2Proc, a) = Node2Send\) if \(act_{N2}(a) = act_{A2}(a) = Processing_2\)

\(t_{N2}(Node2Proc, a) = Node2Proc\) if \(act_{N2}(a) = act_{A2}(a) = Hang\_up_2\)

\(t_{N2}(Node2Send,a)=Node2Ready\) if \(act_{N2}(a) = act_{C}(a) = Send_3\)

- if \(n{\,\geqslant \,}3\) and \(2{\,\leqslant \,}i < n\)
\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{N2}(a) = Send_2\)

\(t_{Nn}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Nn}(a) = \epsilon _{Nn}\)

\(t_{Nn}(NodeNReady, a) = NodeNProc\) if \(act_{Nn}(a) = act_{Nn-1}(a) = Send_n\)

\(t_{Nn}(NodeNProc, a) = NodeNSend\) if \(act_{Nn}(a) = act_{An}(a) = Processing_n\)

\(t_{Nn}(NodeNProc, a) = NodeNProc\) if \(act_{Nn}(a) = act_{An}(a) = Hang\_up_n\)

\(t_{Nn}(NodeNSend,a)=NodeNReady\) if \(act_{Nn}(a) = act_{C}(a) = Send_{n+1}\)

\(t_{Ni}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Ni}(a) = \epsilon _{Ni}\)

\(t_{Ni}(NodeiReady, a) = NodeiProc\) if \(act_{Ni}(a) = act_{Ni-1}(a) = Send_i\)

\(t_{Ni}(NodeiProc, a) = NodeiSend\) if \(act_{Ni}(a) = act_{Ai}(a) = Processing_i\)

\(t_{Ni}(NodeiProc, a) = NodeiProc\) if \(act_{Ni}(a) = act_{Ai}(a) = Hang\_up_i\)

\(t_{Ni}(NodeiSend,a)=NodeiReady\) if \(act_{Ni}(a) = act_{Ni+1}(a) = Send_{i+1}\)

- Let \(1{\,\leqslant \,}i {\,\leqslant \,}n\):
\(t_{Ai}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Ai}(a) = \epsilon _{Ai}\)

\(t_{Ai}(AlarmiReady,a) = Problemi\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(AlarmiReady,a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai}(Problemi,a) = Problemi'\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(Problemi,a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai}(Problemi',a) = AlarmiSend\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(Problemi',a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai} (AlarmiSend,a) = AlarmiSend\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai} (Repairi,a) = AlarmiReady\) if \(act_{Ai}(a) = Reseti\).

#### 2.4.3 Dining cryptographers (DC)

We model \(n\) cryptographers sitting at a round table, with coins between them, every coin seen by a pair of respective neighbours. Let \(state\) denote a local state of an agent. Let \(C_i\) and \(Coin_i\) denote the \(i\)-th cryptographer and \(i\)-th coin, respectively. \(Counter\) denotes the agent counting utterances and \(Oracle_i\) determines if the agent \(i\) pays, or no agent pays at all. Thus, our DC system consists of \(3n+1\) components formed by \(n\) agents and the environment. More precisely, the \(i\)-th agent consists of the following three components: \(C_i,\,Coin_i\), and \(Oracle_i\). The component \(Counter\) defines the environment. We introduce a helper function to identify the right-side neighbour of the cryptographer \(i\): \(i^+ = (i+1) \) for \( 1 {\,\leqslant \,}i < n\), and \(i^+ = 1\) for \(i = n\).

\(Act_{Counter} = \{se_1, sd_1, \cdots , se_n, sd_n, \epsilon _{Counter}\}\),

\(Act_{Coin_i} = \{tt_i, hh_i, ht_i, th_i, tt_{i^+}, hh_{i^+},ht_{i^+},th_{i^+},\epsilon _{Coin_i}\}\),

\(Act_{Oracle_i} = \{pay_0, \dots , pay_{n},t_i,h_i, paid_i, not\_paid_i, \epsilon _{Oracle_i}\}\), and

\(Act_{C_i} = \{pay_0, \dots , pay_{n},tt_i, hh_i, ht_i, th_i, not\_paid_i, paid_i, se_i, sd_i, \epsilon _{C_i}\}\),

- the local evolution for \(Oracle_i\) is defined as follows:
\(t_{Oracle_i}(state, a) = state\) iff \(a \ne {\overline{\epsilon }}\) and \(act_{Oracle_i}(a) =\epsilon _{Oracle_i}\)

\(t_{Oracle_i}(start, a) = tossed\) iff \(act_{Oracle_i}(a) = act_{Coin_i}(a)= t_i\) or \(act_{Oracle_i}(a) = act_{Coin_i}(a)= h_i\)

\(t_{Oracle_i}(tossed, a) = paid\) iff \(act_{Oracle_1}(a)= \ldots = act_{Oracle_n}(a) = pay_i\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_i\)

\(t_{Oracle_i}(tossed, a) = not\_paid\) iff either \(act_{Oracle_1}(a)= \ldots = act_{Oracle_n}(a) = pay_0\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_0\), or \(act_{Oracle_1}(a)=\ldots = act_{Oracle_n}(a) = pay_j\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_j\) for some \(j\) such that \(1{\,\leqslant \,}j {\,\leqslant \,}n\) and \(j \not =i\)

- the local evolution for \(C_i\) is defined as follows:
\(t_{C_i}(state, a) = state\) iff \(a \ne {\overline{\epsilon }}\) and \(act_{C_i}(a)=\epsilon _{C_i}\)

\(t_{C_i}(start, a) = decided\) iff \(act_{Oracle_1}(a)=\ldots = act_{Oracle_n}(a) = pay_j\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_j\) for some \(j\) such that \(0{\,\leqslant \,}j {\,\leqslant \,}n\)

\(t_{C_i}(decided, a) = {seeD}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = th_i\)

\(t_{C_i}(decided, a) = {seeD}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = ht_i\)

\(t_{C_i}(decided, a) = {seeE}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = hh_i\)

\(t_{C_i}(decided, a) = {seeE}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = tt_i\)

\(t_{C_i}(seeE, a) = {sayD}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = paid_i\)

\(t_{C_i}(seeD, a) = {sayE}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = paid_i\)

\(t_{C_i}(seeD, a) = {sayD}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = not\_paid_i\)

\(t_{C_i}(seeE, a) = {sayE}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = not\_paid_i\)

\((M,g)\models odd\) if \(l_{Counter}(g)= odd\),

\((M,g)\models paid_i\) if \(l_{Oracle_i}(g)= paid\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\).

### 2.5 LTLK and its two subsets: ELTLK and LTL

Combinations of linear time with knowledge have long been used in the analysis of temporal epistemic properties of multi-agent systems [16]. We now recall the basic definitions and adapt them to our purposes when needed.

#### 2.5.1 Syntax

*until* and *release*, respectively, and \(\mathrm{X}\) is the next step modality. The derived basic temporal modalities are defined as follows: \(\mathrm{F}\varphi {\stackrel{def}{=}} {{true}}\mathrm{U}\varphi \) and \(\mathrm{G}\varphi {\stackrel{def}{=}} {false}\mathrm{R}\varphi \).

The epistemic operator \(K_{{ c}}\varphi \) represents “agent \({{ c}}\) knows \(\varphi \)” while the operator \({\overline{\mathrm{{K}}}}_{{ c}} \varphi \) is the corresponding dual one representing “agent \({{ c}}\) considers \(\varphi \) possible”. The epistemic operators \(\mathrm{{D}}_\varGamma , \mathrm{E}_\varGamma ,\) and \(\mathrm{{C}}_\varGamma \) represent distributed knowledge in the group \(\varGamma \), “everyone in \(\varGamma \) knows”, and common knowledge among agents in \(\varGamma \), respectively. The epistemic operators \({\overline{\mathrm{{D}}}}_\varGamma ,{\overline{\mathrm{E}}}_\varGamma ,\) and \({\overline{\mathrm{{C}}}}_\varGamma \) are the corresponding dual ones.

#### 2.5.2 Semantics

Let \(M=(G,\iota , T, \{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }}, \mathcal{V })\) be a model, and \(\rho \) be a path or run. By \(\rho (i)\) we denote the \(i\)-th state of \(\rho \), and by \(\rho [m]\) we denote the path or run \(\rho \) with a designated formula evaluation position \(m\), where \(m \unlhd _\rho length(\rho )\). Further, let \(\varGamma \subseteq \mathcal{A }\). We use the following standard relations to give semantics to the “everyone knows”, “common knowledge”, and “distributed knowledge” modalities: \(\sim ^E_\varGamma = \bigcup _{{{ c}} \in \varGamma }\sim _{{ c}},\,\sim ^C_\varGamma \) is the transitive closure of \(\sim ^E_\varGamma \), whereas \(\sim ^D_\varGamma = \bigcap _{{{ c}} \in \varGamma }\sim _{{ c}}\).

\(M,g \models \varphi \) iff \(M,\rho \models \varphi \) for all the runs \(\rho \in \varPi ^\omega (g)\).

\(M \models \varphi \) iff \(M,\iota \models \varphi \).

\(M,g \models ^\exists \varphi \) iff \(M,\rho \models \varphi \) for some path or run \(\rho \in \varPi (g)\).

\(Props(\varphi )\) is the set of the propositional variables appearing in \(\varphi \).

the LTLK formula \(\varphi \) holds in the model \(M\) (written \(M \models \varphi \)) iff \(M,\rho \models \varphi \) for all runs \(\rho \in \varPi ^\omega (\iota )\).

the ELTLK formula \(\varphi \) holds in the model \(M\) (written \(M \models ^{\exists } \varphi \)) iff \(M,\rho \models \varphi \) for some path or run \(\rho \in \varPi (\iota )\).

*existentially* (resp. *universally*) valid in a model \(M\) is called an *existential* (resp. *universal*) model checking problem. In other words, the *universal model checking problem* asks whether \(M \models \varphi \) and the *existential model checking problem* asks whether \(M \models ^{\exists } \varphi \).

In order to solve the universal model checking problem, one can negate the formula and show that the existential model checking problem for the negated formula has no solution. Intuitively, we are trying to find a counterexample, and if we do not succeed, then the formula is universally valid. Now, since bounded model checking is designed for finding a solution to an existential model checking problem, in the paper we only consider the properties expressible in ELTLK. This is because finding a counterexample, for example, to \(M\models \mathrm{G}\mathrm{{K}}_{{ c}} p\) corresponds to the question whether there exists a witness to \(M\models ^\exists \mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\lnot p\).

Our semantics has two important properties. Firstly, for LTLK the definition of validity in a model \(M\) uses runs only. Secondly, if we replace each \(\varPi \) with \(\varPi ^\omega \), the semantics does not change, as our models have total transition relations (each path is a prefix of some run). The semantics applied to submodels of \(M\) does not have the above property, but it preserves ELTLK over \(M\), which is shown in Lemma 1. Moreover, note that in the above semantics, when defining the until operator, \(\rho \) may be an arbitrary path or run (i.e., \(\rho \in \varPi \)). However, when defining the release operator, in the part of the definition that corresponds to the globally operator we insist on \(\rho \) being a run that starts in the initial state.

### 2.6 Comments on IS and IIS

There is a variety of models of multi-agent systems. A fundamental dimension along which these models differ is the degree to which the activity of the agents is synchronised. At one end of the spectrum is the *synchronous model*, in which the agents act in a sequence of rounds. In each round, an agent performs an action that affects the other agents, is affected by the actions executed by the other agents in that round, and changes its state. All agents perform actions at exactly the same time. At the other end is the *asynchronous model*, in which there is no bound on the amount of time that can elapse between agents’ actions, and there is no bound on the time it can take for an agent to act. Between these extremes there are the semi-synchronous models, in which the times of agents’ actions can vary, but are bounded between constant upper and lower bounds.

Now, observe that the agents over the interpreted systems semantics perform a joint action at a given time in a global state, which means that we assume the synchronous semantics of interpreted systems. Next, in the interleaved interpreted systems only one local or shared action may be performed by agents at a given time in a global state. This means that the interleaved interpreted systems define the asynchronous semantics.

Systems can be modelled using both IIS and IS. The idea is not to convert an IS into an IIS, but rather to use both representations, which are independently defined starting from a description of a system. However, for many systems an IIS model is a submodel of the corresponding IS model (i.e., the set of states of the IIS model is a subset of the set of states of the corresponding IS model, and the transition relation of the IIS model is a subset of the transition relation of the corresponding IS model), and then we can discuss the complexity of converting an IS encoding into an IIS one. In such a case, it follows from the definitions of IS and IIS that each computation of the Kripke model generated by the IIS is also a valid computation of the Kripke model generated by the IS. Thus, if an ELTLK formula is valid in the model generated by the IIS, then this formula is also valid in the model generated by the IS. However, the converse implication does not hold. Further, if we have a propositional formula \(\varphi \) that encodes the transition relation of the Kripke model generated by an IS in which the null action is enabled at each local state, then we can convert it to the formula \(\varphi \wedge \varphi '\) that encodes the transition relation of the Kripke model generated by the IIS, where the length of \(\varphi '\) is \(O(n\cdot log(n))\) and \(n\) is the number of agents. The formula \(\varphi '\) forces the agents to work in an asynchronous way.

## 3 Bounded model checking

The main idea of SAT-based BMC methods consists in translating the existential model checking problem [12, 48] for a modal (e.g., temporal, epistemic, deontic) logic to the propositional satisfiability problem, i.e., it consists in representing a counterexample-trace of bounded length by a propositional formula and checking the resulting propositional formula with a specialised SAT-solver. If the formula in question is satisfiable, then a satisfying assignment returned by the SAT-solver can be converted into a concrete counterexample that shows that the property is violated. Otherwise, the bound is increased and the process repeated.

### 3.1 BDD-based Approach

In this section we show how to perform bounded model checking for ELTLK using BDDs [12] by combining the standard approach for ELTL [11] with the method for the epistemic operators [43] similarly to the solution for \(\mathrm{CTL}^{*}\) of [12].

**Definition 1**

(Number of nested epistemic operators) For an ELTLK formula \(\varphi \), the *number* \(\gamma {(\varphi )}\) *of nested epistemic operators* in the formula is defined inductively as follows:

- if \(\varphi = p\), where \(p \in \mathcal{PV }\), then \(\gamma {(\varphi )} = 0\),
- if \(\varphi = \odot \varphi '\) and \(\odot \in \{ \lnot , \mathrm{X}\}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')}\),
- if \(\varphi = \varphi ' \odot \varphi ''\) and \(\odot \in \{ \wedge , \vee , \mathrm{U}, \mathrm{R}\}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')} + \gamma {(\varphi '')}\),
- if \(\varphi = \mathrm{Y}\varphi '\) and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')} + 1\).

**Definition 2**

For an ELTLK formula \(\varphi \), the set \({\mathcal{Y }}(\varphi )\) is defined inductively as follows:

- if \(\varphi = p\), where \(p \in \mathcal{PV }\), then \({\mathcal{Y }}(\varphi ) = \emptyset \),
- if \(\varphi = \odot \varphi '\) and \(\odot \in \{ \lnot , \mathrm{X}\}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ')\),
- if \(\varphi = \varphi ' \odot \varphi ''\) and \(\odot \in \{ \wedge , \vee , \mathrm{U}, \mathrm{R}\}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ') \cup {\mathcal{Y }}(\varphi '')\),
- if \(\varphi = \mathrm{Y}\varphi '\) and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ') \cup \{\varphi \}\).

**Definition 3**

Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) and \(U\subseteq G\) with \(\iota \in U\). The *submodel* generated by \(U\) is a tuple \(M{|_U} = (U, \iota , T', \{\sim '_{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V }')\), where: \(T' = T \cap U^2,\,\sim _{ c}' =\ \sim _{ c}\cap ~U^2\) for each \({ c}\in \mathcal{A }\), and \(\mathcal{V }' = {\mathcal{V }} \cap U^2\).

For ELTLK formulae \(\varphi , \psi \), and \(\psi '\), by \(\varphi {[\psi \leftarrow \psi ']}\) we denote the formula \(\varphi \) in which every occurrence of \(\psi \) is replaced with \(\psi '\). Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, then by \({\mathcal{V }}_M\) we understand the valuation function \(\mathcal{V }\) of the model \(M\), and by \(G_R \subseteq G\) the set of its reachable states. Moreover, we define \([\![{M,\varphi }]\!] = \{ g\in G_R \mid M,g\models ^\exists \varphi \}\).

#### 3.1.1 Reduction of ELTLK to ELTL

Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, and \(\varphi \) an ELTLK formula. Here, we describe an algorithm for computing the set \([\![{M,\varphi }]\!]\). The algorithm allows for combining any two methods for computing \([\![{M,\varphi }]\!]\) for each \(\varphi \) being an ELTL formula, or of the form \(\mathrm{Y}\!p\), where \(p \in \mathcal{PV }\), and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\) (we use the algorithms from [11] and [43], respectively).

Algorithm 3 is used to compute the set \([\![{M,\varphi }]\!]\). In order to obtain this set, we construct a new model \(M'\) together with an ELTL formula \(\varphi '\), as described in Algorithm 3, and compute the set \([\![{M', \varphi '}]\!]\), which is equal to \([\![{M,\varphi }]\!]\). Initially \(\varphi '\) equals \(\varphi \), which is an ELTLK formula, and we process the formula in stages to reduce it to an ELTL formula by replacing all its subformulae containing epistemic operators with atomic propositions. We begin by choosing some epistemic subformula \(\psi \) of \(\varphi '\) that contains exactly one epistemic operator, and process it in two stages. First, we modify the valuation function of \(M'\) such that every state initialising some path or run along which \(sub(\psi )\) holds is labelled with the new atomic proposition \(p_{sub(\psi )}\), and we replace every occurrence of \(sub(\psi )\) in \(\psi \) with the variable \(p_{sub(\psi )}\). In the second stage, we deal with the epistemic operators having only atomic propositions in their scope. By modifying the valuation function of \(M'\) we label every state initialising some path or run along which the modified simple epistemic formula \(\psi \) holds with a new variable \(p_{\psi }\). Similarly to the previous stage, we replace every occurrence of \(\psi \) in \(\varphi '\) with \(p_{\psi }\). In the subsequent iterations, we process every remaining epistemic subformula of \(\varphi '\) in the same way until there are no more nested epistemic operators in \(\varphi '\), i.e., we obtain an ELTL formula \(\varphi '\) and the model \(M'\) with the appropriately modified valuation function. Finally, we compute the set of all reachable states of \(M'\) that initialise at least one path or run along which \(\varphi '\) holds (line 13).
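The syntactic side of this reduction, together with Definitions 1 and 2 and the substitution \(\varphi {[\psi \leftarrow \psi ']}\), is small enough to be written out. The following Python is an added example, not Algorithm 3 or any code of the paper: the tuple encoding of formulae, the helper names and the fresh propositions \(p_1, p_2, \ldots \) are our own. It performs the staging only; the two labelling steps per stage (an ELTL check for \(sub(\psi )\) and an epistemic check for the simple formula) are returned as a list of work items for a model checker, so the output is the ELTL formula \(\varphi '\) plus the list of propositions that \(M'\) has to be labelled with, in the order in which Algorithm 3 would compute them.

```python
# Added example (not the paper's code): the syntactic part of the
# ELTLK-to-ELTL reduction of Section 3.1.1. Formula and helper names are
# our own; the labelling of states by a model checker is not done here.
from typing import List, Tuple

# Formulae are nested tuples:
#   ("p", name)                                   atomic proposition
#   ("not", f), ("X", f)                          unary operators
#   ("and", f, g), ("or", f, g), ("U", f, g), ("R", f, g)
#   ("K", c, f), ("E", G, f), ("D", G, f), ("C", G, f)   the existential
#       epistemic modalities (overlined K, E, D, C in the paper)
UNARY = {"not", "X"}
BINARY = {"and", "or", "U", "R"}
EPISTEMIC = {"K", "E", "D", "C"}

Formula = tuple


def gamma(phi: Formula) -> int:
    """Definition 1: the number gamma(phi) of nested epistemic operators."""
    op = phi[0]
    if op == "p":
        return 0
    if op in UNARY:
        return gamma(phi[1])
    if op in BINARY:
        return gamma(phi[1]) + gamma(phi[2])
    if op in EPISTEMIC:
        return gamma(phi[2]) + 1
    raise ValueError(f"unknown operator {op!r}")


def epistemic_subformulae(phi: Formula) -> List[Formula]:
    """Definition 2: the set Y(phi) of epistemic subformulae, returned as a
    duplicate-free list in post-order, so inner subformulae come first."""
    op = phi[0]
    if op == "p":
        return []
    if op in UNARY:
        return epistemic_subformulae(phi[1])
    if op in BINARY:
        left = epistemic_subformulae(phi[1])
        return left + [f for f in epistemic_subformulae(phi[2]) if f not in left]
    if op in EPISTEMIC:
        return epistemic_subformulae(phi[2]) + [phi]
    raise ValueError(f"unknown operator {op!r}")


def substitute(phi: Formula, psi: Formula, psi2: Formula) -> Formula:
    """phi[psi <- psi2]: replace every occurrence of psi in phi with psi2."""
    if phi == psi:
        return psi2
    op = phi[0]
    if op == "p":
        return phi
    if op in UNARY:
        return (op, substitute(phi[1], psi, psi2))
    if op in BINARY:
        return (op, substitute(phi[1], psi, psi2), substitute(phi[2], psi, psi2))
    return (op, phi[1], substitute(phi[2], psi, psi2))


def reduce_to_eltl(phi: Formula) -> Tuple[Formula, List[Tuple[str, Formula]]]:
    """Stage phi down to an ELTL formula phi'.

    Returns (phi', stages).  Each stage (q, chi) says: label with the fresh
    proposition q every reachable state that initialises some path or run
    along which chi holds.  chi is either an ELTL formula (stage 1, the
    sub(psi) of the chosen epistemic subformula) or a simple epistemic
    formula Y q' (stage 2).  Running the stages in order against an ELTL
    model checker and one for Y p produces the valuation of M'.
    """
    stages: List[Tuple[str, Formula]] = []
    fresh_count = 0

    def fresh() -> Formula:
        nonlocal fresh_count
        fresh_count += 1
        return ("p", f"p_{fresh_count}")

    while gamma(phi) > 0:
        # pick an epistemic subformula with exactly one epistemic operator
        psi = next(f for f in epistemic_subformulae(phi) if gamma(f) == 1)
        op, index, sub = psi
        if sub[0] == "p":          # sub(psi) already atomic: stage 1 not needed
            simple = psi
        else:                      # stage 1: label sub(psi), an ELTL formula
            q = fresh()
            stages.append((q[1], sub))
            simple = (op, index, q)
        r = fresh()                # stage 2: label the simple formula Y q
        stages.append((r[1], simple))
        phi = substitute(phi, psi, r)
    return phi, stages


if __name__ == "__main__":
    # constructed input: K_a X K_b q, two nested epistemic operators
    example = ("K", "a", ("X", ("K", "b", ("p", "q"))))
    print(gamma(example), reduce_to_eltl(example))
```

For the constructed formula \({\overline{\mathrm{{K}}}}_a \mathrm{X}{\overline{\mathrm{{K}}}}_b q\) the staging yields three labelling steps (\(p_1\) for \({\overline{\mathrm{{K}}}}_b q\), \(p_2\) for \(\mathrm{X}p_1\), \(p_3\) for \({\overline{\mathrm{{K}}}}_a p_2\)) and the ELTL formula \(p_3\); the post-order of `epistemic_subformulae` is what guarantees that the subformula picked in each iteration has \(\gamma = 1\).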

The correctness of the substitution used in Algorithm 3 is stated in the following lemma:

**Lemma 1**

\(p \in {\mathcal{V }}(g')\) iff \(p \in {\mathcal{V }}'(g')\) for all \(p\in \mathcal{PV }\) and \(g'\in G\),

\(M,g'\models ^\exists \varphi \) iff \(q\in {\mathcal{V }}'(g')\) for all \(g'\in G\).

*Proof*

*(Sketch)* The “\(\Rightarrow \)” case follows directly from the definition of \(\mathcal{V }'\). The “\(\Leftarrow \)” case can be shown by induction on the length of the formula \(\varphi \). The base case follows directly for the atomic propositions and their negations. In the inductive step we assume that the lemma holds for all the proper subformulae of \(\varphi \), and use the definition of \(\mathcal{V }'\) and the fact that \(M'\) contains exactly the same paths as \(M\).

#### 3.1.2 BMC Algorithm

The correctness of the results obtained by the bounded model checking algorithm is formulated by the following theorem:

**Theorem 1**

Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, \(\varPi \) a set of paths and runs of \(M,\,\varphi \) an ELTLK formula, and \(\rho \in \varPi \) a path or run with an evaluation position \(m\) such that \(m \unlhd _\rho length(\rho )\). Then, \(M,\rho [m] \models \varphi \) iff there exists \(G' \subseteq G\) such that \(\iota \in G'\), and \(M{|_{G'}},\rho [m] \models \varphi \).

*Proof*

“\(\Rightarrow \)” This direction is immediate, as we simply take \(G' = G\).

- 1.
Let \(\varphi = \psi _1 \vee \psi _2\). By the semantics and the assumption (*), \(M{|_{G'}},\rho [m] \models \psi _1\) or \(M{|_{G'}},\rho [m] \models \psi _2\). Using the induction hypothesis and the definition of submodel (Definition 3), \(\rho \) exists also in the model \(M\), and \(M,\rho [m] \models \psi _1\) or \(M,\rho [m]\models \psi _2\), thus \(M,\rho [m] \models \psi _1 \vee \psi _2\).

- 2.
Let \(\varphi = \psi _1 \wedge \psi _2\). By the semantics and the assumption (*), \(M{|_{G'}},\rho [m] \models \psi _1\) and \(M{|_{G'}},\rho [m] \models \psi _2\). Using the induction hypothesis and the definition of submodel, \(\rho \) exists also in the model \(M\). Therefore, \(M,\rho [m] \models \psi _1\) and \(M,\rho [m]\models \psi _2\), thus \(M,\rho [m] \models \psi _1 \wedge \psi _2\).

- 3.
Let \(\varphi = \mathrm{X}\psi _1\). By the semantics and the assumption (*), \(length(\rho ) > m\), and \(M{|_{G'}},\rho [m+1] \models \psi _1\). Using the induction hypothesis and the definition of submodel, we get that \(\rho \) exists also in \(M\), and \(M,\rho [m+1] \models \psi _1\), therefore \(M, \rho [m] \models \mathrm{X}\psi _1\).

- 4.
Let \(\varphi = \psi _1 \mathrm{U}\psi _2\). By the semantics and the assumption (*), there exists \(k {\,\geqslant \,}m\), such that \(M{|_{G'}},\rho [k] \models \psi _2\), and \(M{|_{G'}},\rho [j] \models \psi _1\), for all \(m {\,\leqslant \,}j < k\). Using the induction hypothesis and the definition of submodel, we get that \(\rho \) exists also in \(M\). Therefore, from \(M, \rho [k] \models \psi _2\), and \(M, \rho [j] \models \psi _1\) for all \(m {\,\leqslant \,}j < k\), it follows that \(M,\rho [m] \models \psi _1 \mathrm{U}\psi _2\).

- 5.
Let \(\varphi = \psi _1 \mathrm{R}\psi _2\). By the semantics and the assumption (*) we have one or both of the following cases:
- (a)
\(\rho \) is a path of \(M{|_{G'}}\), and \(M{|_{G'}}, \rho [k] \models \psi _2\) for all \(k {\,\geqslant \,}m\), then from the definition of submodel, \(\rho \) exists also in \(M\), and \(\rho \in \varPi ^\omega \). Using the induction hypothesis, we have that \(M, \rho [k] \models \psi _2\) for all \(k {\,\geqslant \,}m\). Therefore, it follows that \(M, \rho [m] \models \psi _1 \mathrm{R}\psi _2\).

- (b)
There exists \(k {\,\geqslant \,}m\) such that \(M{|_{G'}}, \rho [k] \models \psi _1\), and \(M{|_{G'}},\rho [j] \models \psi _2\) for all \(m {\,\leqslant \,}j {\,\leqslant \,}k\). From the definition of submodel, \(\rho \) also exists in \(M\), and using the induction hypothesis we get that \(M, \rho [k] \models \psi _1\), and \(M, \rho [j] \models \psi _2\) for all \(m {\,\leqslant \,}j {\,\leqslant \,}k\). Thus, \(M,\rho [m] \models \psi _1 \mathrm{R}\psi _2\).

- 6.
Let \({ c}\in \mathcal{A }\) and \(\varphi = {\overline{\mathrm{{K}}}}_{ c}\psi _1\). By the semantics and the assumption (*), there exists such a path or run \(\rho '\) in \(M{|_{G'}}\) that \(\rho '(k) \sim _{ c}\rho (m)\) for some \(k {\,\geqslant \,}0\), and \(M{|_{G'}}, \rho '[k] \models \psi _1\). From the definition of submodel, \(\rho \) and \(\rho '\) also exist in \(M\). Using the induction hypothesis, we get that \(M, \rho '[k] \models \psi _1\) and \(\rho '(k) \sim _{ c}\rho (m)\). Thus, \(M, \rho [m] \models {\overline{\mathrm{{K}}}}_{ c}\psi _1\).

- 7.
Let \(\varGamma \subseteq \mathcal{A }\) and \(\varphi = \overline{\mathrm{Y}}_\varGamma \psi _1\), where \(\mathrm{Y}\in \{ \mathrm{{D}}, \mathrm{E}, \mathrm{{C}}\}\). By the semantics and the assumption (*), there exists such a path or run \(\rho '\) in \(M{|_{G'}}\) that \(\rho '(k) \sim _\varGamma ^\mathrm{Y}\rho (m)\) for some \(k {\,\geqslant \,}0\), and \(M{|_{G'}}, \rho '[k] \models \psi _1\). From the definition of submodel, \(\rho \) and \(\rho '\) also exist in \(M\). Using the induction hypothesis, we get that \(M, \rho '[k] \models \psi _1\) and \(\rho '(k) \sim _\varGamma ^\mathrm{Y}\rho (m)\). Thus, \(M, \rho [m] \models \overline{\mathrm{Y}}_\varGamma \psi _1\).

#### 3.1.3 Model Checking ELTL

In Algorithm 3, to compute the sets of states in which ELTL formulae hold, any method that computes the set \([\![{M,\varphi }]\!]\) for an ELTL formula \(\varphi \) can be used. The method described in [11] uses a tableau construction for which many improvements have been proposed, e.g., [15, 18, 19, 45], but for the purpose of implementing a complete solution for the BDD-based bounded model checking of ELTLK, we use the basic symbolic model checking method of [11]. This method is based on checking the non-emptiness of Büchi automata. Given a model \(M\) and an ELTL formula \(\varphi \), we begin by constructing the tableau for \(\varphi \) (as described in [11]), which is then combined with \(M\) to obtain their product; the product contains those runs of \(M\) along which \(\varphi \) potentially holds. Next, the product is verified by CTL model checking of the formula \(\mathrm{E}\mathrm{G}{true}\) under fairness constraints. Those constraints, each corresponding to a set of states, select only the runs of the model along which at least one state of each fairness set appears in a cycle. In the case of ELTL model checking, fairness guarantees that \(\varphi \mathrm{U}\psi \) really holds, i.e., it eliminates the runs where \(\varphi \) holds continuously but \(\psi \) never holds. Finally, we select only those reachable states of the product that belong to a particular set of states computed for the formula. The corresponding states of the verified system comprise the set \([\![{M, \varphi }]\!]\), i.e., the reachable states where the verified formula holds. For more details, we refer the reader to [11].

The method described above has some limitations when used for bounded model checking, where it is preferable to detect counterexamples using not only the runs but also the paths of the submodel. As the transition relation of the verified model is assumed to be total, counterexamples are found only along the runs of the model. However, the method remains correct even if only the final submodel has a total transition relation: in the worst case the detection of the counterexample is delayed until the last iteration, i.e., when all the reachable states have been computed. Nonetheless, this should not keep us from assessing the potential efficiency of our approach.

#### 3.1.4 Model checking epistemic modalities

In the case of the formulae of the form \(\mathrm{Y}p\), where \(p \in \mathcal{PV }\), and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), for implementation purposes we use the algorithms described in [43]. The procedures simply follow from the semantics of ELTLK. The algorithm for \({\overline{\mathrm{{C}}}}_\varGamma \) involves a fixpoint computation, whereas for the remaining operators the algorithms are based on simple non-iterative computations.

### 3.2 SAT-based Approach

In this section we present two SAT-based BMC methods for ELTLK. The first one is defined for interleaved interpreted systems while the second one is defined for interpreted systems. The main difference between the two methods is in the propositional encoding of the transition relation of the model under consideration.

In SAT-based BMC we construct a propositional formula that is satisfiable if and only if there exists a finite set of paths of the underlying model that is a solution to the existential model checking problem. In order to construct the propositional formula, first we need to define the bounded semantics for the underlying logic (i.e., in our case for ELTLK), then to encode the semantics by means of a propositional formula, and finally to represent a part of the model by a propositional formula.

The bounded semantics and the encoding for ELTLK presented in this section are based on the semantics and encoding of [55] for the temporal fragment and on the semantics and encoding of [52] for the epistemic fragment of ELTLK. This bounded semantics differs from the bounded semantics for ELTLK defined in [42] in the definition of the \(k\)-*path*, which allows the two separate bounded semantics, one for \(k\)-paths that are loops and one for \(k\)-paths that need not be loops, to be replaced with a single bounded semantics that is simpler, more elegant, and results in a more efficient translation of the bounded model checking problem to the SAT problem.

The propositional formula that encodes the bounded semantics for ELTLK is independent of the type of the considered model, i.e., the encoding is the same for both the interpreted systems and the interleaved interpreted systems. This encoding differs from the one defined in [42] in the definition of the looping condition, and in using appropriately chosen subsets of the symbolic paths that are needed to encode the subformulae of the formula in question.

We start with presenting the definition of the bounded semantics for ELTLK and showing that the bounded and unbounded semantics are equivalent. Then, we show a translation of the existential model checking problem for ELTLK to the propositional satisfiability problem. Finally, we prove correctness and completeness of the translation to SAT.

#### 3.2.1 Bounded semantics for ELTLK

Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model defined for either IIS or IS, and \(k \in \mathrm{I\!N}\) a bound. A \(k\)-*path* is a pair \((\rho , l)\), also denoted by \(\rho _l\), where \(0 {\,\leqslant \,}l {\,\leqslant \,}k\), and \(\rho \) is a finite sequence \( \rho = (g_{0}, \ldots , g_{k})\) of states such that \((g_{j}, g_{j+1}) \in T\) for each \(0{\,\leqslant \,}j < k \). A \(k\)-path \(\rho _l\) is a *loop* if \(l < k\) and \(\rho (k) = \rho (l)\). By \({\varPi _k}(g)\) we denote the set of all the \(k\)-paths \(\rho _l\) with \(\rho (0) = g\). If a \(k\)-path \(\rho _l\) is a loop, then it represents the run of the form \(uv^{\omega }\), where \(u=(\rho (0),\ldots ,\rho (l))\) and \(v=(\rho (l+1),\ldots ,\rho (k))\). We denote this unique run by \(\varrho (\rho _l)\).

As in the definition of the semantics one needs to define the satisfiability relation on suffixes of \(k\)-paths, we denote by \(\rho _l[m]\) the \(k\)-path \(\rho _l\) together with the designated starting point \(m\), where \(0 {\,\leqslant \,}m {\,\leqslant \,}k\).
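The definitions of a \(k\)-path, a loop and the run \(\varrho (\rho _l)\) are easy to misread, so here they are spelled out in Python as an added example (not code from the paper) over a constructed three-state transition relation. The model, the helper names and the bound search are assumptions of the example. The functions enumerate \({\varPi _k}(g)\), test the loop condition \(l < k\) and \(\rho (k) = \rho (l)\), read any position of the run \(uv^{\omega }\) from a loop \(k\)-path, and report the smallest bound at which a loop first appears, which is the first bound at which a \(k\)-path from \(g\) can stand for an infinite run.

```python
# Added example (not the paper's code): k-paths, loops and the run
# varrho(rho_l) = u v^omega of Section 3.2.1, over a constructed 3-state
# transition relation. Helper names and the model are our own.
from typing import List, Optional, Set, Tuple

State = int
Transition = Tuple[State, State]
KPath = Tuple[Tuple[State, ...], int]   # (rho, l): rho has k+1 states, 0 <= l <= k


def successors(T: Set[Transition], g: State) -> List[State]:
    """T-successors of g, sorted so that enumeration order is stable."""
    return sorted(h for (f, h) in T if f == g)


def k_paths(T: Set[Transition], g: State, k: int) -> List[KPath]:
    """Pi_k(g): every k-path rho_l with rho(0) = g, for all 0 <= l <= k."""
    seqs: List[Tuple[State, ...]] = [(g,)]
    for _ in range(k):
        seqs = [s + (h,) for s in seqs for h in successors(T, s[-1])]
    return [(rho, l) for rho in seqs for l in range(k + 1)]


def is_loop(kp: KPath) -> bool:
    """rho_l is a loop iff l < k and rho(k) = rho(l)."""
    rho, l = kp
    k = len(rho) - 1
    return l < k and rho[k] == rho[l]


def unfold(kp: KPath, i: int) -> State:
    """i-th state of the run varrho(rho_l) = u v^omega represented by a
    loop k-path, with u = (rho(0), ..., rho(l)) and v = (rho(l+1), ..., rho(k))."""
    if not is_loop(kp):
        raise ValueError("only a loop k-path represents a run")
    rho, l = kp
    k = len(rho) - 1
    if i <= l:
        return rho[i]
    return rho[l + (i - l) % (k - l)]   # v has period k - l


def loops(T: Set[Transition], g: State, k: int) -> List[KPath]:
    """The loop k-paths among Pi_k(g)."""
    return [kp for kp in k_paths(T, g, k) if is_loop(kp)]


def smallest_loop_bound(T: Set[Transition], g: State, k_max: int = 20) -> Optional[int]:
    """Smallest k such that Pi_k(g) contains a loop, i.e. the first bound at
    which some k-path from g stands for an infinite run; None if none up to k_max."""
    for k in range(k_max + 1):
        if loops(T, g, k):
            return k
    return None


# Constructed model: 0 -> 1 -> 2, 2 -> 1, 2 -> 0 (a total relation, as the
# models of the paper require).
EXAMPLE_T: Set[Transition] = {(0, 1), (1, 2), (2, 1), (2, 0)}

if __name__ == "__main__":
    for k in range(4):
        print(k, len(k_paths(EXAMPLE_T, 0, k)), loops(EXAMPLE_T, 0, k))
```

From state 0 no loop exists for \(k \leqslant 2\): the only sequence of length three is \((0,1,2)\) and its last state repeats no earlier one. At \(k = 3\) both \((0,1,2,0)\) with \(l = 0\) and \((0,1,2,1)\) with \(l = 1\) are loops, and `unfold` reads the latter as \(0,1,2,1,2,1,\ldots \). This is the sense in which the bound must be raised until a witnessing run is representable.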

**Definition 4**

(*Bounded semantics*) Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model defined for either IIS or IS, \(k {\,\geqslant \,}0\) a bound, and \(\varphi \) an ELTLK formula. The formula \(\varphi \) is \(k\)-*true* along the \(k\)-path \(\rho _l\) (in symbols \(M,\rho _l \models _k \varphi \)) iff \(M, \rho _l[0] \models _k \varphi \), where

We use the following notation \(M \models ^{\exists }_{k} \varphi \) iff \(M,\rho _l \models _k \varphi \) for some \(\rho _l \in {\varPi _k}(\iota )\). *The SAT-based bounded model checking problem* consists in finding out whether there exists \(k \in \mathrm{I\!N}\) such that \(M \models ^{\exists }_k \varphi \).

#### 3.2.2 Equivalence of the bounded and unbounded semantics

Now, we show that for some particular bound the bounded semantics is equivalent to the unbounded semantics.

**Lemma 2**

- 1.
if \(\rho _l\) is not a loop, then \(M, \pi [m] \models \varphi \) for each run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \).

- 2.
if \(\rho _l\) is a loop, then \(M, \varrho (\rho _l)[m] \models \varphi \).

*Proof*

- 1.
Let \(\varphi =\psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\). By the induction hypothesis; see Lemma 2.1 of [55].

- 2.
\(\varphi = {\overline{\mathrm{{K}}}}_{{ c}}\psi \). From \(M, \rho _l[m] \models _{k} \varphi \) it follows that \((\exists \rho '_{l'} \in {\varPi _k}(\iota ))(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})\,({M,\rho '_{l'}}[j] \models _k \psi \) and \(\rho (m) \sim _{{ c}} \rho '(j))\). Assume that both \(\rho _l\) and \(\rho '_{l'}\) are not loops. By the inductive hypothesis, for every run \(\pi '\) in \(M\) such that \(\pi '[..k] = \rho ',\,(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})(M,\pi '[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \pi '(j))\). Further, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \), we have that \(\pi (m) \sim _{{ c}} \rho '(j)\). Thus, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho ,\,M, \pi [m] \models \varphi \). Now assume that \(\rho '_{l'}\) is not a loop and \(\rho _l\) is a loop. By the inductive hypothesis, for every run \(\pi '\) in \(M\) such that \(\pi '[..k] = \rho ',\,(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k}) (M,\pi '[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \pi '(j))\). Further, observe that \(\varrho (\rho _l)(m)=\rho (m)\), thus \(M, \varrho (\rho _l)[m] \models \varphi \). Now assume that both \(\rho _l\) and \(\rho '_{l'}\) are loops. By the inductive hypothesis, \((\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})({M,\varrho (\rho '_{l'})}[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \varrho (\rho '_{l'})(j))\). Further, observe that \(\varrho (\rho _l)(m)=\rho (m)\), thus \(M, \varrho (\rho _l)[m] \models \varphi \). Now assume that \(\rho '_{l'}\) is a loop, and \(\rho _l\) is not a loop. By the inductive hypothesis, \((\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})(M,\varrho (\rho '_{l'})[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \varrho (\rho '_{l'})(j))\). Further, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \), we have that \(\pi (m) \sim _{{ c}} \varrho (\rho '_{l'})(j)\). Thus, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho ,\,M, \pi [m] \models \varphi \).

- 3.
Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to the case 2.

**Lemma 3**

(Theorem 3.1 of [5]) Let \(M\) be a model, \(\alpha \) an LTL formula, and \(\rho \) a run. Then, the following implication holds: \(M, \rho \models \alpha \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \alpha \) with \(\rho [..k] = \pi \).

**Lemma 4**

Let \(M\) be a model, \(\alpha \) an LTL formula, \(Y \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_{\varGamma }, {\overline{\mathrm{E}}}_{\varGamma }, {\overline{\mathrm{{C}}}}_{\varGamma }\}\), and \(\rho \) a run. Then, the following implication holds: \(M,\rho \models Y\alpha \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k Y\alpha \) with \(\rho [..k] = \pi \).

*Proof*

- 1.
Let \(Y = {\overline{\mathrm{{K}}}}_{{ c}}\). Then \(M,\rho \models {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) iff \(M,\rho [0] \models {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) iff \((\exists \rho ' \in \varPi (\iota ))\)\((\exists j{\,\geqslant \,}0)[\rho '(j) \sim _{{ c}} \rho (0)\) and \(M,\rho '[j] \models \alpha ]\). Since \(\rho '(j)\) is reachable from the initial state of \(M\), the checking of \(M,\rho '[j] \models \alpha \) is equivalent to the checking of \(M,\rho '[0] \models \mathrm{X}^j\alpha \). Now since \(\mathrm{X}^j\alpha \) is a pure LTL formula, by Lemma 3 we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi '_l[0] \models _k \mathrm{X}^j\alpha \) with \(\rho '[..k] = \pi '\). This implies that \(M,\pi '_l[j] \models _k \alpha \) with \(\rho '[..k] = \pi '\), for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k\). Now, since \(\rho '(j) \sim _{{ c}} \rho (0)\), we have \(\pi '(j) \sim _{{ c}} \pi (0)\). Thus, by the bounded semantics we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) with \(\rho [..k] = \pi \).

- 2.
Let \(Y = {\overline{\mathrm{{D}}}}_{\varGamma }\). Then \(M,\rho \models {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) iff \(M,\rho [0] \models {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) iff \((\exists \rho ' \in \varPi (\iota ))(\exists j{\,\geqslant \,}0)[\rho '(j) \sim ^\mathrm{{D}}_\varGamma \rho (0)\) and \(M,\rho '[j] \models \alpha ]\). Since \(\rho '(j)\) is reachable from the initial state of \(M\), the checking of \(M,\rho '[j] \models \alpha \) is equivalent to the checking of \(M,\rho '[0] \models \mathrm{X}^j\alpha \). Now since \(\mathrm{X}^j\alpha \) is a pure LTL formula, by Lemma 3 we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi '_l[0] \models _k \mathrm{X}^j\alpha \) with \(\rho '[..k] = \pi '\). This implies that \(M,\pi '_l[j] \models _k \alpha \) with \(\rho '[..k] = \pi '\), for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k\). Now, since \(\rho '(j) \sim ^{\mathrm{{D}}}_{\varGamma } \rho (0)\), we have \(\pi '(j) \sim ^{\mathrm{{D}}}_{\varGamma } \pi (0)\). Thus, by the bounded semantics we have for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) with \(\rho [..k] = \pi \).

- 3.
Let \(Y = {\overline{\mathrm{E}}}_{\varGamma }\). Since \({\overline{\mathrm{E}}}_{\varGamma }\alpha = \bigvee _{{ c}\in \varGamma } {\overline{\mathrm{{K}}}}_{{ c}} \alpha \), the lemma follows from the case 1.

- 4.
Let \(Y = {\overline{\mathrm{{C}}}}_{\varGamma }\). Since \({\overline{\mathrm{{C}}}}_{\varGamma }\alpha = \bigvee _{i=1}^{n} ({\overline{\mathrm{E}}}_{\varGamma })^i \alpha \), where \(n\) is the size of the model \(M\), the lemma follows from the case 3.

**Lemma 5**

Let \(M\) be a model, \(\varphi \) an ELTLK formula, and \(\rho \) a run. Then, the following implication holds: \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \).

*Proof*

- 1.
\(\varphi = \psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\). Straightforward by the induction hypothesis and Lemma 3.

- 2.
Let \(\varphi =Y\alpha \), and \(Y,Y_1,\ldots ,Y_n, Z \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_{\varGamma }, {\overline{\mathrm{E}}}_{\varGamma }, {\overline{\mathrm{{C}}}}_{\varGamma }\}\). Moreover, let \(Y_1\alpha _1, \ldots , Y_n \alpha _n\) be the list of all “top level” proper \(Y\)-subformulas of \(\alpha \) (i.e., each \(Y_i\alpha _i\) is a subformula of \(Y\alpha \), but it is not a subformula of any subformula \(Z\beta \) of \(Y\alpha \), where \(Z\beta \) is different from \(Y\alpha \) and from \(Y\alpha _i\) for \(i=1, \ldots , n\)). If this list is empty, then \(\alpha \) is a “pure” LTL formula with no nested epistemic modalities. Hence, by Lemma 4 we have that \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \). Otherwise, introduce for each \(Y_i\alpha _i\) a new proposition \(q_i\), where \(i=1,\ldots ,n\). By Lemma 1, we can augment with \(q_i\) the labelling of each state \(s\) of \(M\) initialising some run along which the epistemic formula \(Y_i\alpha _i\) holds, and then translate the formula \(\alpha \) to the formula \(\alpha '\), which instead of each subformula \(Y_i\alpha _i\) contains the corresponding proposition \(q_i\). Therefore, we obtain a “pure” LTL formula. Hence, by Lemma 4 we have that \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \).

The following lemma states that if we take all possible bounds into account, then the bounded and unbounded semantics are equivalent.

**Lemma 6**

Let \(M\) be a model, \(\varphi \) an ELTLK formula. Then the following equivalence holds: \(M \models ^{\exists } \varphi \) iff there exists \(k{\,\geqslant \,}0\) such that \(M \models ^{\exists }_{k} \varphi \).

*Proof*

(“\(\Leftarrow \)”) Follows directly from Lemma 2. (“\(\Rightarrow \)”) Follows directly from Lemma 5.

#### 3.2.3 Translation to the propositional satisfiability problem

Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model generated by an IS or an IIS (the encoding of the global states of \(M\) is independent of the kind of interpreted system considered), and \(k \in \mathrm{I\!N}\) be a bound. Since the set of global states of \(M\) is finite, every element \(g=(\ell _1,\ldots ,\ell _n,\ell _{{e}})\) of \(G\) can be encoded as a bit vector of some length \(r\). Then, each state of \(M\) can be represented by a valuation of a vector \(w=(\mathtt{w}_1, \ldots , \mathtt{w}_r)\) (called a *symbolic state*) of distinct propositional variables called *state variables*; further we assume that \(SV\) denotes the set of all the state variables, \(SV(w)\) denotes the set of all the state variables occurring in the symbolic state \(w\), and \(I_{{ c}}\) denotes the set of indexes of the state variables that represent the local states of agent \({ c}\).

*Example 1*

Let \(SV=\{\mathtt{w}_1,\mathtt{w}_2,\ldots \}\) be an infinite set of state variables. Consider the FTC system shown on Fig. 1 for two trains. A propositional encoding of all the local states of the two agents representing trains and an agent representing Controller is the following:

Train 1 (state variables \(\mathtt{w}_1, \mathtt{w}_2\)) and Train 2 (state variables \(\mathtt{w}_3, \mathtt{w}_4\)):

| \(State\) | \(Bit_2\) | \(Bit_1\) | \(Formula\) | \(State\) | \(Bit_4\) | \(Bit_3\) | \(Formula\) |
|---|---|---|---|---|---|---|---|
| \(Away_1\) | 0 | 0 | \(\lnot \mathtt{w}_1 \wedge \lnot \mathtt{w}_2\) | \(Away_2\) | 0 | 0 | \(\lnot \mathtt{w}_3 \wedge \lnot \mathtt{w}_4\) |
| \(Wait_1\) | 1 | 0 | \(\lnot \mathtt{w}_1 \wedge \mathtt{w}_2\) | \(Wait_2\) | 1 | 0 | \(\lnot \mathtt{w}_3 \wedge \mathtt{w}_4\) |
| \(Tunnel_1\) | 0 | 1 | \(\mathtt{w}_1 \wedge \lnot \mathtt{w}_2\) | \(Tunnel_2\) | 0 | 1 | \(\mathtt{w}_3 \wedge \lnot \mathtt{w}_4\) |

Controller (state variable \(\mathtt{w}_5\)):

| \(Location\) | \(Bit_5\) | \(Formula\) |
|---|---|---|
| \(Green\) | 0 | \(\lnot \mathtt{w}_5\) |
| \(Red\) | 1 | \(\mathtt{w}_5\) |

Thus, given the above, it is easy to see that each state of the model of the FTC system can be represented by a valuation of a symbolic state \(w = (\mathtt{w}_1, \ldots , \mathtt{w}_5)\).

*natural variables*, such that \(SV \cap NV = \emptyset \). Moreover, let \(u = (\mathtt{u}_1 , \ldots , \mathtt{u}_t )\) be a vector of natural variables of some length \(t\), which we call a *symbolic number*, and \(NV(u)\) denote the set of all the natural variables occurring in \(u\). Further, let \(PV = SV \cup NV\) and \(V: PV \rightarrow \{0,1\}\) be a *valuation of propositional variables* (a *valuation* for short). Each valuation induces the functions \({\mathbf{S}}: SV^r \rightarrow \{0,1\}^r\) and \(\mathbf{J}: NV^t \rightarrow \mathrm{I\!N}\) defined in the following way:

\(I_g(w):{=} \bigwedge _{i=1}^r lit(g[i],\mathtt{w}_i)\), where \(lit: \{0,1\}\times PV \rightarrow PV \cup \{ \lnot q \mid q \in PV \}\) is a function defined as: \(lit(1,q)=q\) and \(lit(0,q)= \lnot q\). This formula, defined over \(SV(w)\), encodes the state \(g\) of the model \(M\).

*Example 2*

Consider the FTC system shown on Fig. 1 for two trains. Then, the propositional formula \(I_{\iota }(w)\), which encodes the initial global state of the system, is defined as follows: \(I_{\iota }(w)= \lnot \mathtt{w}_1 \wedge \lnot \mathtt{w}_2 \wedge \lnot \mathtt{w}_3 \wedge \lnot \mathtt{w}_4 \wedge \lnot \mathtt{w}_5\).

\(H(w,w') :{=} \bigwedge _{i=1}^r \mathtt{w}_i \Leftrightarrow \mathtt{w'}_i \). This formula, defined over \(SV(w) \cup SV(w')\), encodes equivalence between two symbolic states. It represents the fact that the symbolic states \(w\) and \(w'\) represent the same state.

\(H_{{ c}}(w,w'):{=} \bigwedge _{i\in I_{{ c}} } \mathtt{w}_i \Leftrightarrow \mathtt{w'}_i \). This formula, defined over \(SV(w) \cup SV(w')\), represents the fact that the local states of agent \({ c}\) are the same in the symbolic states \(w\) and \(w'\).

\(p(w)\) is a formula over \(SV(w)\) that is true for a valuation \(V\) iff \(p \in {\mathcal{V }}(\mathbf{S}(w))\). This formula encodes the set of the states of \(M\) in which the propositional variable \(p \in \mathcal{PV }\) holds.

\({\mathcal{R }}(w,w')\) is a formula over \(SV(w) \cup SV(w')\) that is true for a valuation \(V\) iff \((\mathbf{S}(w), \mathbf{S}(w')) \in T\). This formula encodes the transition relation of \(M\). The formal definition of this formula is different for \(M\) which is generated for IS and for \(M\) which is generated for IIS.

\({\mathcal{B }}_j^{\thicksim }(u)\) is a formula over \(NV(u)\) that is true for a valuation \(V\) iff \(j \thicksim \mathbf{J}(u)\), where \(\thicksim \in \{<,>,\leqslant ,=,\geqslant \}\).
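The state encoding of Example 1 together with the formulas \(I_g(w)\), \(H(w,w')\) and \(H_{{ c}}(w,w')\) defined above, written out as an added, self-contained Python example; it is not code from the paper or from the Verics tool. It uses the bit assignments of Example 1 for two trains and the Controller, represents propositional formulas as nested tuples, and evaluates them under explicit valuations. The agent index sets \(I_{{ c}}\), the primed variable names for \(w'\), the brute-force model counting and all function names are the example's own assumptions.

```python
"""Propositional encoding of the global states of the two-train FTC system.

Constructed example (not the paper's code): local states use the bit
assignments of Example 1, and the formulas I_g(w), H(w, w') and H_c(w, w')
are built as nested tuples and evaluated under explicit valuations
V: PV -> {0,1}.
"""
from itertools import product

SV = ("w1", "w2", "w3", "w4", "w5")           # symbolic state w = (w_1, ..., w_5)
SV_PRIME = tuple(v + "'" for v in SV)          # symbolic state w' (primed copy, assumed naming)

# Bit encodings of Example 1: Train_i is encoded on (w_{2i-1}, w_{2i}), Controller on w_5.
TRAIN = {"Away": (0, 0), "Wait": (0, 1), "Tunnel": (1, 0)}
CONTROLLER = {"Green": (0,), "Red": (1,)}

# I_c: 1-based indexes of the state variables that encode the local state of agent c.
I_AGENT = {"Train1": (1, 2), "Train2": (3, 4), "Controller": (5,)}


def encode_global(train1, train2, ctrl):
    """Global state g = (l_1, l_2, l_e) as a bit vector of length r = 5."""
    return TRAIN[train1] + TRAIN[train2] + CONTROLLER[ctrl]


# Formulas: ("var", q) | ("not", f) | ("and", [f, ...]) | ("iff", f, g)
def lit(bit, q):
    """lit(1, q) = q and lit(0, q) = not q."""
    return ("var", q) if bit else ("not", ("var", q))


def I_g(g, w=SV):
    """I_g(w) := AND_{i=1..r} lit(g[i], w_i); true exactly for the valuation encoding g."""
    return ("and", [lit(b, q) for b, q in zip(g, w)])


def H(w=SV, wp=SV_PRIME):
    """H(w, w') := AND_{i=1..r} (w_i <-> w'_i); w and w' denote the same global state."""
    return ("and", [("iff", ("var", a), ("var", b)) for a, b in zip(w, wp)])


def H_c(agent, w=SV, wp=SV_PRIME):
    """H_c(w, w') := AND_{i in I_c} (w_i <-> w'_i); same local state of agent c."""
    return ("and", [("iff", ("var", w[i - 1]), ("var", wp[i - 1])) for i in I_AGENT[agent]])


def evaluate(f, V):
    """Truth value of formula f under valuation V (a dict variable -> bool)."""
    kind = f[0]
    if kind == "var":
        return V[f[1]]
    if kind == "not":
        return not evaluate(f[1], V)
    if kind == "and":
        return all(evaluate(g, V) for g in f[1])
    if kind == "iff":
        return evaluate(f[1], V) == evaluate(f[2], V)
    raise ValueError(f"unknown connective {kind!r}")


def valuation_of(g, gp):
    """The valuation V with S(w) = g and S(w') = gp."""
    V = {q: bool(b) for q, b in zip(SV, g)}
    V.update({q: bool(b) for q, b in zip(SV_PRIME, gp)})
    return V


def indistinguishable(agent, g, gp):
    """g ~_c gp holds iff the valuation induced by (g, gp) satisfies H_c(w, w')."""
    return evaluate(H_c(agent), valuation_of(g, gp))


def count_models(f, variables):
    """Brute-force number of valuations of `variables` satisfying f (small vectors only)."""
    return sum(evaluate(f, dict(zip(variables, bits)))
               for bits in product((False, True), repeat=len(variables)))


if __name__ == "__main__":
    iota = encode_global("Away", "Away", "Green")
    print("I_iota(w) has", count_models(I_g(iota), SV), "model")        # 1
    print("H(w,w') has", count_models(H(), SV + SV_PRIME), "models")     # 32
    g, gp = encode_global("Tunnel", "Away", "Red"), encode_global("Tunnel", "Wait", "Green")
    print("Train1 cannot tell them apart:", indistinguishable("Train1", g, gp))   # True
```

Running the block reports that \(I_{\iota }(w)\) has exactly one model over \(SV\), that \(H(w,w')\) has \(2^5\) models over the ten variables of \(w\) and \(w'\), and that two global states which differ only in the second train and the Controller satisfy \(H_{Train_1}\); model counting ranges over all \(2^r\) bit vectors, including the unused pattern \(11\) of a train, since the formulas are defined over valuations rather than over reachable states.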

\(f_k({{true}}) = f_k({false}) = f_k(p) =f_k(\lnot p)= 0\), if \(p \in \mathcal{PV }\),

\(f_k(\varphi \vee \psi ) = max\{f_k(\varphi ) , f_k(\psi )\}\),

\(f_k(\varphi \wedge \psi ) = f_k(\varphi ) + f_k(\psi )\),

\(f_k(\mathrm{X}\varphi ) = f_k(\varphi )\),

\(f_k(\varphi \mathrm{U}\psi ) = k \cdot f_k(\varphi ) + f_k(\psi )\),

\(f_k(\varphi \mathrm{R}\psi ) = (k+1) \cdot f_k(\psi )+ f_k(\varphi )\),

\(f_k(\overline{Y} \varphi ) = f_k(\varphi ) +1\), for \(\overline{Y} \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{E}}}_\varGamma \}\),

\(f_k({\overline{\mathrm{{C}}}}_\varGamma \varphi ) = f_k(\varphi ) + k\).

Now since in the BMC method we deal with the existential validity \((\models ^{\exists })\), the number of \(k\)-paths sufficient to validate \(\varphi \) is given by the function \(\widehat{f_k} : {\mathrm{ELTLK }}\rightarrow \mathrm{I\!N}\) that is defined as \(\widehat{f_k}(\varphi ) = f_k(\varphi ) + 1\).

*Example 3*

Let \(\varphi =\mathrm{F}p \). Then, \(\widehat{f_k}(\mathrm{F}p)= f_k(\mathrm{F}p)+1=f_k(p)+1= 1\); note that \(\mathrm{F}\alpha = {{true}}\mathrm{U}\alpha \).

Let \(\varphi =\mathrm{G}\mathrm{F}p \). Then, \(\widehat{f_k}(\mathrm{G}\mathrm{F}p)= f_k(\mathrm{G}\mathrm{F}p)+1= (k+1) \cdot f_k(\mathrm{F}p)+1= (k+1) \cdot f_k(p)+1= 1\); note that \(\mathrm{G}\alpha = {false}\mathrm{R}\alpha \).

Let \(\varphi =\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p\). Then, \(\widehat{f_k}(\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p) =f_k(\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p)+1 =(k+1) \cdot f_k(\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p)+1 =(k+1) \cdot f_k({\overline{\mathrm{{K}}}}_{{ c}}\!p)+1 =(k+1) \cdot (f_k(p)+1)+1 =(k+1) \cdot 1+1 = k+2\). An example of a model and a witness for the formula is shown in Fig. 13. Observe that while the value \(\widehat{f_1}(\varphi )\) is 3, and the witness for \(\varphi \) can be of the form shown in Fig. 13b, there is a witness for \(\varphi \) which consists of two 1-paths only—see Fig. 13c. Thus, the function \(\widehat{f_k}\) only gives an upper bound on the number of \(k\)-paths that form a witness for an ELTLK formula.

Note that Formula 4 encodes \(\widehat{f_k}(\varphi )\) valid \(k\)-paths of the model \(M\) that start at the initial state \(\iota \). In particular, the formula defines \(\widehat{f_k}(\varphi )\) *symbolic* \(k\)-*paths* such that the \(j\)-th symbolic \(k\)-path \({\varvec{\pi }}_j\) is of the form \(((w_{0,j},\ldots ,w_{k,j}),u_j)\), where \(w_{i,j}\) is a symbolic state for \(1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\) and \(0 {\,\leqslant \,}i {\,\leqslant \,}k\), and \(u_j\) is a symbolic number for \(1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\).

For every ELTLK formula \(\varphi \) the function \(\widehat{f_k}\) determines how many symbolic \(k\)-paths are needed for translating the formula \(\varphi \). Given a formula \(\varphi \) and a set \(A\) of \(k\)-paths such that \(|A| = \widehat{f_k}(\varphi )\), we divide the set \(A\) into subsets needed for translating the subformulae of \(\varphi \). To accomplish this goal we need some auxiliary functions that were defined in [55]. We recall the definitions of these functions. First, the relation \(\prec \) is defined on the power set of \(\mathrm{I\!N}\) as follows: \(A \prec B\) iff for all natural numbers \(x\) and \(y\), if \(x \in A\) and \(y \in B\), then \(x < y\).

\(g_l(A, d)\) denotes the subset \(B\) of \(A\) such that \(|B| = d\) and \(B \prec A \setminus B\), e.g., \(g_l(\{4,5,6,7,8\}, 3) = \{4,5,6\}\).

\(g_r(A, d)\) denotes the subset \(C\) of \(A\) such that \(|C| = d\) and \(A \setminus C \prec C\), e.g., \(g_r(\{4,5,6,7,8\}, 3) = \{6,7,8\}\).

\(g_s(A)\) denotes the set \(A \setminus \{min(A)\}\), e.g., \(g_{s}(\{4,5,6,7,8\}) = \{5,6,7,8\}\).

if \(n\) divides \(|A| - d\), then \(hp(A, d, n)\) denotes the sequence \((B_0, \ldots , B_{n})\) of subsets of \(A\) such that \(\bigcup _{j=0}^{n} B_j = A,\,|B_0| = \ldots = |B_{n-1}|,\,|B_{n}| = d\), and \(B_i \prec B_j\) for every \(0 \;{\,\leqslant \,}\; i < j {\,\leqslant \,}n\). Now let \({{h}_{k}^{\mathrm{U}}}(A, d)\) := \(hp(A, d, k)\) and \({{h}_{k}^{\mathrm{R}}}(A,d)\) := \(hp(A,d,k+1)\). Note that if \({{h}_{k}^{\mathrm{U}}}(A, d) = (B_0, \ldots , B_{k})\), then \({{h}_{k}^{\mathrm{U}}}(A, d)(j)\) denotes the set \(B_j\), for every \(0 {\,\leqslant \,}j {\,\leqslant \,}k\). Similarly, if \({{h}_{k}^{\mathrm{R}}}(A, d) = (B_0, \ldots , B_{k+1})\), then \({{h}_{k}^{\mathrm{R}}}(A, d)(j)\) denotes the set \(B_j\), for every \(0 \leqslant j \leqslant k + 1\). For example, if \(A \!=\! \{1,2,3,4,5,6\}\), then \(h_3^{\mathrm{U}}(A, 0) \!=\! (\{1,2\},\{3,4\},\{5,6\},\emptyset ),\,h_3^{\mathrm{U}}(A, 3) = (\{1\},\{2\},\{3\},\{4,5,6\}),\,h_3^{\mathrm{U}}(A, 6) = (\emptyset ,\emptyset , \emptyset ,\{1,2,3,4,5,6\}),\,h_3^{\mathrm{U}}(A, d)\) is undefined for \(d \in \{0,\ldots ,7\} \setminus \{0, 3,6\}\). Next, \(h_4^{\mathrm{R}}(A, 2) = (\{1\},\{2\},\{3\},\{4\},\{5,6\}),\,h_4^{\mathrm{R}}(A, 6) = (\emptyset ,\emptyset , \emptyset ,\emptyset ,\{1,2,3,4,5,6\})\), and \(h_4^{\mathrm{R}}(A, d)\) is undefined for \(d \in \{0,\ldots ,7\} \setminus \{2,6\}\).

The function \(g_{s}\) is used in the translation of the formulae with the main connective \(\mathrm{{Q}}\in \{{\overline{\mathrm{{K}}}}_{{ c}},{\overline{\mathrm{{D}}}}_{\varGamma },{\overline{\mathrm{E}}}_{\varGamma }\}\): for a given ELTLK formula \(\mathrm{{Q}}\varphi \), if the set \(A\) is to be used to translate this formula, then the path of the number \(min(A)\) is used to translate the operator \(\mathrm{{Q}}\) and the set \(g_{s}(A)\) is used to translate the subformula \(\varphi \).

The function \({{h}_{k}^{\mathrm{U}}}\) is used in the translation of subformulae of the form \(\varphi \mathrm{U}\psi \): if the set \(A\) is to be used to translate the subformula \(\varphi \mathrm{U}\psi \) at the symbolic \(k\)-path \({\varvec{\pi }}_n\) (with the starting point \(m\)), then for every \(j\) such that \(m {\,\leqslant \,}j {\,\leqslant \,}k\), the set \({{h}_{k}^{\mathrm{U}}}(A, f_k(\psi ))(k)\) is used to translate the formula \(\psi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(j\); moreover, for every \(i\) such that \(m {\,\leqslant \,}i < j\), the set \({{h}_{k}^{\mathrm{U}}}(A, f_k(\psi ))(i)\) is used to translate the formula \(\varphi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(i\). Notice that if \(k\) does not divide \(|A| - d\), then \({{h}_{k}^{\mathrm{U}}}(A, d)\) is undefined. However, for every set \(A\) such that \(|A| = f_k(\varphi \mathrm{U}\psi )\), it is clear from the definition of \(f_k\) that \(k\) divides \(|A| - f_k(\psi )\).

The function \({{h}_{k}^{\mathrm{R}}}\) is used in the translation of subformulae of the form \(\varphi \mathrm{R}\psi \): if the set \(A\) is used to translate the subformula \(\varphi \mathrm{R}\psi \) along a symbolic \(k\)-path \({\varvec{\pi }}_n\) (with the starting point \(m\)), then for every \(j\) such that \(m {\,\leqslant \,}j {\,\leqslant \,}k\), the set \({{h}_{k}^{\mathrm{R}}}(A, f_k(\varphi ))(k+1)\) is used to translate the formula \(\varphi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(j\); moreover, for every \(i\) such that \(m {\,\leqslant \,}i {\,\leqslant \,}j\), the set \({{h}_{k}^{\mathrm{R}}}(A,f_k(\varphi ))(i)\) is used to translate the formula \(\psi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(i\). Notice that if \(k + 1\) does not divide \(|A| - d\), then \({{h}_{k}^{\mathrm{R}}}(A, d)\) is undefined. However, for every set \(A\) such that \(|A| = f_k(\varphi \mathrm{R}\psi )\), it is clear from the definition of \(f_k\) that \(k + 1\) divides \(|A| - f_k(\varphi )\).
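An added Python rendering, not the authors' implementation, of the function \(f_k\) and its existential variant \(\widehat{f_k}\), and of the partitioning functions \(g_l\), \(g_r\), \(g_s\), \(hp\), \({{h}_{k}^{\mathrm{U}}}\) and \({{h}_{k}^{\mathrm{R}}}\) recalled above. ELTLK formulas are nested tuples; \(\mathrm{F}\) and \(\mathrm{G}\) are derived as \(\mathrm{F}\alpha = {{true}}\mathrm{U}\alpha \) and \(\mathrm{G}\alpha = {false}\mathrm{R}\alpha \) as in Example 3; an undefined \(hp\) is returned as `None`. The helper `split_for_until` is the example's own addition and illustrates the remark that \(k\) always divides \(|A| - f_k(\psi )\) when \(|A| = f_k(\varphi \mathrm{U}\psi )\). Note that, with \({{h}_{k}^{\mathrm{R}}}(A,d) := hp(A,d,k+1)\), the sequence \((\{1\},\{2\},\{3\},\{4\},\{5,6\})\) for \(A = \{1,\ldots ,6\}\) is \(hp(A,2,4)\), i.e. the value for \(k = 3\), which is what the test below checks.

```python
"""f_k, hat f_k and the k-path partitioning functions of Sect. 3.2.3.

Constructed example (not the paper's implementation): ELTLK formulas are
tuples, f_k follows the clauses given in the text, and g_l, g_r, g_s and hp
follow the definitions recalled from [55].
"""

# Formulas: ("true",) ("false",) ("p", name) ("not", name)  -- literals
#           ("or", a, b) ("and", a, b) ("X", a) ("U", a, b) ("R", a, b)
#           ("K", agent, a) ("D", group, a) ("E", group, a) ("C", group, a)


def F(a):
    """F a = true U a (Example 3)."""
    return ("U", ("true",), a)


def G(a):
    """G a = false R a (Example 3)."""
    return ("R", ("false",), a)


def f_k(phi, k):
    """Number of additional k-paths needed to translate phi."""
    op = phi[0]
    if op in ("true", "false", "p", "not"):
        return 0
    if op == "or":
        return max(f_k(phi[1], k), f_k(phi[2], k))
    if op == "and":
        return f_k(phi[1], k) + f_k(phi[2], k)
    if op == "X":
        return f_k(phi[1], k)
    if op == "U":
        return k * f_k(phi[1], k) + f_k(phi[2], k)
    if op == "R":
        return (k + 1) * f_k(phi[2], k) + f_k(phi[1], k)
    if op in ("K", "D", "E"):
        return f_k(phi[2], k) + 1
    if op == "C":
        return f_k(phi[2], k) + k
    raise ValueError(f"unknown operator {op!r}")


def f_hat_k(phi, k):
    """Upper bound on the number of k-paths of a witness under existential validity."""
    return f_k(phi, k) + 1


def g_l(A, d):
    """The subset B of A with |B| = d and B < (A minus B): the d smallest elements."""
    return set(sorted(A)[:d])


def g_r(A, d):
    """The subset C of A with |C| = d and (A minus C) < C: the d largest elements."""
    s = sorted(A)
    return set(s[len(s) - d:])


def g_s(A):
    """A without min(A); min(A) is the path spent on the epistemic operator itself."""
    return set(A) - {min(A)}


def hp(A, d, n):
    """(B_0, ..., B_n): n equal-size blocks of A in ascending order, then a block of size d.
    Returns None when n does not divide |A| - d (undefined in the paper)."""
    s = sorted(A)
    if n <= 0 or (len(s) - d) % n != 0:
        return None
    size = (len(s) - d) // n
    blocks = [set(s[i * size:(i + 1) * size]) for i in range(n)]
    blocks.append(set(s[n * size:]))        # B_n, the block of size d
    return tuple(blocks)


def h_U(A, d, k):
    """h^U_k(A, d) := hp(A, d, k): k blocks for psi_1, one block of size d for psi_2."""
    return hp(A, d, k)


def h_R(A, d, k):
    """h^R_k(A, d) := hp(A, d, k + 1): k+1 blocks for psi_2, one block of size d for psi_1."""
    return hp(A, d, k + 1)


def split_for_until(psi1, psi2, k):
    """Partition A = {1, ..., f_k(psi1 U psi2)} for psi1 U psi2 (assumed helper; always defined)."""
    phi = ("U", psi1, psi2)
    A = set(range(1, f_k(phi, k) + 1))
    return h_U(A, f_k(psi2, k), k)


if __name__ == "__main__":
    p = ("p", "p")
    print(f_hat_k(G(F(("K", "c", p))), 1))           # 3, as in Example 3 for k = 1
    print(h_U({1, 2, 3, 4, 5, 6}, 3, 3))              # ({1}, {2}, {3}, {4, 5, 6})
```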

**Definition 5**

(*Translation of the ELTLK formulae*) Let \(M\) be a model, \(\varphi \) an ELTLK formula, and \(k {\,\geqslant \,}0\) a bound. We define inductively the translation of \(\varphi \) over a path number \(n \in F_k(\varphi )\) starting at the symbolic state \(w_{m,n}\) as shown below, where \(n'=min(A),\,{{h}_{k}^{\mathrm{U}}}={{h}_{k}^{\mathrm{U}}}(A,f_k(\psi _2))\), and \({{h}_{k}^{\mathrm{R}}}={{h}_{k}^{\mathrm{R}}}(A,f_k(\psi _1))\). We assume that \({\mathcal{L }}_k^l({\varvec{\pi }}_n) :{=} {\mathcal{B }}_l^{=}(u_n)\wedge H(w_{k,n}, w_{l,n})\).

For representing the propositional formula \([M,\varphi ]_{k}\), reduced Boolean circuits (RBC) [1] are used. An RBC represents subformulae of \([M,\varphi ]_{k}\) by fresh propositions such that any two identical subformulae correspond to the same proposition.^{1} Following van der Meyden et al. [23], instead of using RBCs we could directly encode \([M,\varphi ]_{k}\) in such a way that each subformula \(\psi \) of \([M,\varphi ]_{k}\) occurring within the scope of a \(k\)-element disjunction or conjunction is replaced with a propositional variable \(p_{\psi }\), and the reduced formula \([M,\varphi ]_{k}\) is conjoined with the implication \(p_{\psi } \Rightarrow \psi \). However, in this case our method, like the one proposed in [23], would not be complete. Nonetheless, completeness can be achieved by using \(p_{\psi } \Leftrightarrow \psi \) instead of \(p_{\psi } \Rightarrow \psi \). This, however, can give a formula of exponential size during the transformation into clausal normal form.^{2}

Our encoding of the ELTLK formulae is defined recursively over the structure of an ELTLK formula \(\varphi \), over the current position \(m\) of the \(n\)-th symbolic \(k\)-path, and over the set \(A\) of symbolic \(k\)-paths, which is initially equal to \(F_k(\varphi )\). Next, our encoding does not translate looping and non-looping witnesses separately, but combines both of them. Further, it is parameterised by the bound \(k\) and the set of symbolic \(k\)-paths, and closely follows the bounded semantics of Def. 4. Therefore, for fixed \(n,\,m,\,k\) and \(A\), each subformula \(\psi \) of \(\varphi \) requires constraints of size \(O(k\cdot f_k(\varphi ))\) using the encoding of \(\psi \) at various positions. Moreover, since the encoding of a subformula \(\psi \) depends only on \(m,\,n,\,k\), and \(A\), multiple occurrences of the encoding of \(\psi \) over the same set of parameters can be shared, so the overall size can be bounded by \(O(|\varphi | \cdot k \cdot f_k(\varphi ))\). Further, the size of the formula \([M,\varphi ]_k\) is bounded by \(O(|T|\cdot k \cdot f_k(\varphi ) + |\varphi | \cdot k \cdot f_k(\varphi ))\).

#### 3.2.4 Correctness and completeness of the translation

The lemmas below state the correctness and the completeness of the presented translation.

In the next two lemmas we use the following auxiliary notation. By \(V{\,\Vdash \,}\xi \) we mean that the valuation \(V\) satisfies the propositional formula \(\xi \). Moreover, we write \(g_{i,j}\) instead of \(\mathbf{S}(w_{i,j})\), and \(l_j\) instead of \(\mathbf{J}(u_j)\).

**Lemma 7**

(Correctness of the translation) Let \(M\) be a model, \(\alpha \) an ELTLK formula, and \(k \in \mathrm{I\!N}\). For every subformula \(\varphi \) of the formula \(\alpha \), every \((m, n) \in \{0,\ldots ,k\} \times F_k(\alpha )\), every \(A\,\subseteq \,F_k(\alpha )\setminus \{n\}\) such that \(|A| = f_k(\varphi )\), and every valuation \(V\), the following condition holds: \(V {\,\Vdash \,}[\varphi ]^{[\alpha ,m,n,A]}_{k}\) implies \(M, ((g_{0,n},\ldots ,g_{k,n}), l_n)[m] \models _k \varphi \).

*Proof*

- 1.
\(\varphi \in \{{{true}}, {false}\}\). The thesis of the lemma is obvious in this case.

- 2.
\(\varphi = p\), where \(p \in \mathcal{PV }\). Then, \(V {\,\Vdash \,}[p]^{[\alpha ,m,n,A]}_{k} \iff V {\,\Vdash \,}p(w_{m,n}) \iff p \in {\mathcal{V }}(g_{m,n}) \iff M,\rho _l[m] \models _k p\).

- 3.
\(\varphi = \lnot p\), where \(p \in \mathcal{PV }\). Then, \( V{\,\Vdash \,}[\lnot p]^{[\alpha ,m,n,A]}_{k} \iff V {\,\Vdash \,}\lnot p(w_{m,n}) \iff p \notin {\mathcal{V }}(g_{m,n}) \iff M,\rho _l[m] \models _k \lnot p\).

- 4.
\(\varphi = \psi _1 \wedge \psi _2\). Let \(B = g_l(A,f_k(\psi _1))\) and \(C = g_r(A,f_k(\psi _2))\). From \(V{\,\Vdash \,}[\psi _1 \wedge \psi _2]^{[\alpha ,m,n,A]}_k\), we get \(V {\,\Vdash \,}[\psi _1]^{[\alpha ,m,n,B]}_k\) and \(V {\,\Vdash \,}[\psi _2]^{[\alpha ,m,n,C]}_k\). By inductive hypotheses, \(M,\rho _l[m] \models _k \psi _1\) and \(M,\rho _l[m] \models _k \psi _2\). Thus \(M,\rho _l[m] \models _k \psi _1 \wedge \psi _2\).

- 5.
\(\varphi = \psi _1 \vee \psi _2\). Let \(B = g_l(A,f_k(\psi _1))\) and \(C = g_l(A,f_k(\psi _2))\). From \(V{\,\Vdash \,}[\psi _1 \vee \psi _2]^{[\alpha ,m,n,A]}_k\), we get \(V {\,\Vdash \,}[\psi _1]^{[\alpha ,m,n,B]}_k\) or \(V {\,\Vdash \,}[\psi _2]^{[\alpha ,m,n,C]}_k\). By inductive hypotheses, \(M,\rho _l[m] \models _k \psi _1\) or \(M,\rho _l[m] \models _k \psi _2\). Thus \(M,\rho _l[m] \models _k \psi _1 \vee \psi _2\).

- 6.
Let \(\varphi = \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\). See Lemma 3.1. of [55].

- 7.
Let \(\varphi ={\overline{\mathrm{{K}}}}_{{ c}} \psi \). Let \(n' = \min (A)\), and \(\widetilde{\rho }_{l'}\) denote the \(k\)-path \(((g_{0,n'},\ldots ,g_{k,n'}), l_{n'})\). By the definition of the translation we have that \(V {\,\Vdash \,}[{\overline{\mathrm{{K}}}}_{{ c}} \psi ]^{[\alpha ,m,n,A]}_{k}\) implies \(V {\,\Vdash \,}I_{\iota }(w_{0,n'}) \wedge \bigvee ^{k}_{j=0}([\psi ]^{[\alpha ,j,n',g_s(A)]}_{k} \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\). Since \(V {\,\Vdash \,}H_{{ c}}(w_{m,n},w_{j,n'})\) we have \(g_{m,n} \sim _{{ c}} g'_{j,n'}\), for some \(j \in \{0,\ldots ,k\}\). Therefore, by inductive hypotheses we get \((\exists 0 {\,\leqslant \,}j {\,\leqslant \,}k) (M,\widetilde{\rho }_{l'}[j] \models _k \psi \) and \(g_{m,n} \sim _{{ c}} g'_{j,n'})\). Thus we have \(M, ((g_{0,n},\ldots ,g_{k,n}), l_n)[m] \models _k {\overline{\mathrm{{K}}}}_{{ c}} \psi \).

- 8.
Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to the case 7.

Let \(B\) and \(C\) be two finite sets of indices. Then, by \(Var(B)\) we denote the set of all the state variables appearing in all the symbolic states of all the symbolic \(k\)-paths whose indices are taken from the set \(B\). Moreover, for every valuation \(V\) and every set of indices \(B\), by \(V\!\uparrow \!B\) we denote the restriction of the valuation \(V\) to the set \(Var(B)\). Notice that if \(B \cap C = \emptyset \), then \(Var(B) \cap Var(C) = \emptyset \). This property is used in the proof of the following lemma.

**Lemma 8**

(Completeness of the translation) Let \(M\) be a model, \(k \in \mathrm{I\!N}\), and \(\alpha \) an ELTLK formula such that \(f_k(\mathrm{E}\alpha ) > 0\). For every subformula \(\varphi \) of the formula \(\alpha \), every \((m, n) \in \{(0, 0)\} \cup \{0,\ldots ,k\} \times F_k(\alpha )\), every \(A\,\subseteq \,F_k(\alpha )\setminus \{n\}\) such that \(|A| = f_k(\varphi )\), and every \(k\)-path \(\rho _l\), the following condition holds: \(M, \rho _l[m] \models _k \varphi \) implies that there exists a valuation \(V\) such that \(\rho _l = ((g_{0,n},\ldots ,g_{k,n}), l_n)\) and \(V {\,\Vdash \,}[\varphi ]^{[\alpha ,m,n,A]}_{k}\).

*Proof*

First, note that given an ELTLK formula \(\alpha \), and natural numbers \(k,\,m,\,n\) with \(0 \leqslant m \leqslant k\) and \(n \in F_k(\alpha )\), there exists a valuation \(V\) such that \(V{\,\Vdash \,}[M]_k^{F_k(\alpha )}\). This is because \(M\) has no terminal states. Now we proceed by induction on the complexity of \(\varphi \).

- 1.
Let \(\varphi =p \mid \lnot p\mid \psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\) with \(p\in \mathcal{PV }\). See the proof of Lemma 3.3. of [55].

- 2.
Let \(\varphi ={\overline{\mathrm{{K}}}}_{{ c}} \psi \). Since \(M,\rho _l[m] \models _k {\overline{\mathrm{{K}}}}_{{ c}}\psi \), we have that \((\exists \rho '_{l'} \in {\varPi _k}(\iota )) (\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})\)\((M, \rho '_{l'}[j] \models _k \psi \)) and \(\rho (m) \sim _{{ c}} \rho '(j))\). Let \(n' = \min (A)\) and \(B = g_s(A)\). By the inductive hypothesis and the definition of the formula \(H_{{ c}}\), there exists a valuation \(V'\) such that \(V' {\,\Vdash \,}[M]_k^{F_k(\alpha )}\) and \(V' {\,\Vdash \,}[\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'})\) for some \(j \in \{0,\ldots ,k\}\). Hence we have \(V' {\,\Vdash \,}\bigvee ^{k}_{j=0}([\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\). Further, since \(\rho '_{l'} \in {\varPi _k}(\iota ),\,\rho '_{l'}(0)=\iota \). Thus, by the definition of the formula \(I\), we get that \(V' {\,\Vdash \,}I_{\iota }(w_{0,n'})\). Therefore we have \(V' {\,\Vdash \,}I_{\iota }(w_{0,n'}) \wedge \bigvee ^{k}_{j=0}([\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\), which implies that \(V' {\,\Vdash \,}{[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]}^{[m,n,A]}_{k}\). Since \(n' \notin B\) and \(n \notin A\), there exists a valuation \(V\) such that \(V\!\uparrow \!B = V'\!\uparrow \!B\) and moreover \(V {\,\Vdash \,}[M]_k^{F_k(\alpha )}\) and \(V {\,\Vdash \,}{[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]}^{[m,n,A]}_{k}\). Therefore we get \(V {\,\Vdash \,}[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]^{[\alpha ,m,n,A]}_k\).

- 3.
Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to the case 2.

The correctness of the SAT-based translation scheme for ELTLK is guaranteed by the following theorem.

**Theorem 2**

Let \(M\) be a model, and \(\varphi \) an ELTLK formula. Then for every \(k \in \mathrm{I\!N},\,M \models ^{\exists }_k \varphi \) if, and only if, the propositional formula \([M,\varphi ]_{k}\) is satisfiable.

*Proof*

\((\Longrightarrow )\) Let \(k \in \mathrm{I\!N}\) and \(M, \rho _l \models _k \varphi \) for some \(\rho _l \in \varPi _k(\iota )\). By Lemma 8 it follows that there exists a valuation \(V\) such that \(\rho _l = ((g_{0,0},\ldots ,g_{k,0}), l_0)\) with \({\mathbf{S}}(w_{0,0}) = g_{0,0}=\iota \) and \(V {\,\Vdash \,}[\varphi ]^{[\varphi ,0,0,F_k(\varphi )]}_{k}\). Hence, \(V {\,\Vdash \,}I(w_{0,0})\wedge [M]_{k}^{F_k(\varphi )} \wedge {[\varphi ]}^{[0,0,F_k(\varphi )]}_{k}\). Thus \(V{\,\Vdash \,}[M^{\varphi ,\iota }]_k\).

\((\Longleftarrow )\) Let \(k \in \mathrm{I\!N}\) and \([M^{\varphi ,\iota }]_k\) be satisfiable. It means that there exists a valuation \(V\) such that \(V{\,\Vdash \,}[M^{\varphi ,\iota }]_k\). So, \(V{\,\Vdash \,}I(w_{0,0})\) and \(V{\,\Vdash \,}[M]_k^{F_k(\varphi )} \wedge {[\varphi ]}^{[0,0,F_k(\varphi )]}_{k}\). Hence, by Lemma 7 it follows that \(M, ((g_{0,0},\ldots ,g_{k,0}), l_0) \models _k \varphi \) and \({\mathbf{S}}(w_{0,0}) = g_{0,0} = \iota \). Thus \(M \models ^{\exists }_k \varphi \).

## 4 Experimental results

In this section we experimentally evaluate the performance of our four different BMC encodings: two SAT-based BMC (over the IIS and IS semantics) and two BDD-based BMC (over the IIS and IS semantics), all implemented as extensions of our tool Verics [28], so the inputs to the four algorithms are the same. We compare our experimental results with those of the MCK tool (version 0.5.1),^{3} the only existing tool that is suitable with respect to the input formalism (i.e., interpreted systems) and checked properties (i.e., ELTLK). We have done our best to compare our BMC approaches and the SAT-based BMC module of MCK on the same models. We would like to point out that the manual for MCK states that the tool supports SAT-based BMC for \(\mathrm{ECTL}^{*}\mathrm{K}\) (i.e., \(\mathrm{ECTL}^{*}\) augmented to include epistemic components). Unfortunately, no theory behind this implementation has ever been published. We are aware of the paper [23], which describes SAT-based BMC for ECTLK, but it does not discuss how this approach can be extended to \(\mathrm{ECTL}^{*}\mathrm{K}\). Therefore, we are unable to compare our SAT-based BMC algorithms for ELTLK with the one for \(\mathrm{ECTL}^{*}\mathrm{K}\) implemented in MCK.

We have conducted the experiments using two classical multi-agent protocols: the *(faulty) train controller system* and *the dining cryptographers protocol*, and one benchmark that is not yet so popular in the multi-agent community, i.e., the *(faulty) generic pipeline paradigm*. However, we would like to point out that (F)GPP is a very useful and scalable example, which has the potential to become a standard benchmark in this community. Further, we specify each property for the considered benchmarks in the universal form by an LTLK formula, for which we verify the corresponding counterexample formula, i.e., the negated universal formula in ELTLK, which is interpreted existentially. Moreover, for every specification given, there exists a counterexample, i.e., the ELTLK formula specifying the counterexample holds in the model of the benchmark.

We have computed our experimental results on a computer with Intel Xeon 2 GHz processor and 4 GB of RAM, running Linux 2.6, with the default limits of 2 GB of memory and 2000 seconds. Moreover, similarly to the MCK tool, we used PicoSAT [2] to test the satisfiability of the propositional formulae generated by our SAT-based BMC encodings. Our SAT-based implementation uses PicoSAT in version 957. The implementation of the BDD-based method employs the CUDD 2.5.0 [44] library for operations on BDDs.

\(\varphi _1\) = \(\mathrm{G}(InTunnel_1 \rightarrow \mathrm{{K}}_{Train_1} (\bigwedge _{i=2}^n \lnot InTunnel_i) )\) – it expresses that whenever train one is in the tunnel, it knows that no other train is in the tunnel,

\(\varphi _2\) = \(\mathrm{G}(\mathrm{{K}}_{Train_1}\bigwedge _{i=1,j=2, i<j}^n \)\(\lnot (InTunnel_i \wedge InTunnel_j))\) – it represents that the trains are aware of the mutually exclusive access to the tunnel.

The FTC system with \(n\) trains:

| Formula | Verics SAT-BMC, IS-k | Verics SAT-BMC, IIS-k | Verics SAT-BMC, \(\widehat{f}_k\) | Verics BDD-BMC, IS-k | Verics BDD-BMC, IIS-k | MCK SAT-BMC, IS |
|---|---|---|---|---|---|---|
| \(\varphi _1\) | 2 | 4 | 2 | 2 | 4 | 3 |
| \(\varphi _2\) | 2 | 4 | 2 | 2 | 4 | 3 |

The FGPP system with \(n\) nodes:

| Formula | Verics SAT-BMC, IS-k | Verics SAT-BMC, IIS-k | Verics SAT-BMC, \(\widehat{f}_k\) | Verics BDD-BMC, IS-k | Verics BDD-BMC, IIS-k | MCK SAT-BMC, IS |
|---|---|---|---|---|---|---|
| \(\varphi _1\) | \(2n+2\) | \(2n+2\) | 3 | \(2n+2\) | \(2n+2\) | \(6n+4\) |
| \(\varphi _2\) | \(2n+2\) | \(2n+4\) | 1 | \(2n+1\) | \(2n+3\) | \(6n-1\) |
| \(\varphi _3\) | 4 | 6 | 1 | 3 | 5 | 8 |
| \(\varphi _4\) | 4 | 6 | 2 | 3 | 5 | 5 |

The DC system with \(n\) cryptographers:

| Formula | Verics SAT-BMC, IS-k | Verics SAT-BMC, IIS-k | Verics SAT-BMC, \(\widehat{f}_k\) | Verics BDD-BMC, IS-k | Verics BDD-BMC, IIS-k | MCK SAT-BMC, IS |
|---|---|---|---|---|---|---|
| \(\varphi _1\) | \(n+4\) | \(4n+1\) | \(n\) | \(n+4\) | \(4n+1\) | 7 |
| \(\varphi _2\) | 0 | 0 | 2 | 2 | \(4n+1\) | 1 |
| \(\varphi _3\) | \(n+4\) | \(4n+1\) | \(n+1\) | \(n+4\) | \(4n+1\) | 7 |

\(\varphi _1\) = \(\mathrm{G}(ProdSend \rightarrow \mathrm{{K}}_{C} \mathrm{{K}}_{P} ConsReady)\)—it states that if Producer produces a commodity, then Consumer knows that Producer knows that Consumer has not received the commodity.

\(\varphi _2\) = \(\mathrm{G}(Problem_n \rightarrow (\mathrm{F}Repair_n \vee \mathrm{G}Alarm_nSend ))\)—it expresses that each time a problem occurs at node \(n\), then either it is repaired, or the alarm of node \(n\) is enabled.

\(\varphi _3\) = \(\bigwedge _{i=1}^n\mathrm{G}(Problem_i \rightarrow (\mathrm{F}Repair_i \vee \mathrm{G}Alarm_iSend ))\)—it expresses that each time a problem occurs at a node, then either it is repaired or the alarm is on.

\(\varphi _4\) = \(\bigwedge _{i=1}^n\mathrm{G}\mathrm{{K}}_{P}(Problem_i \rightarrow (\mathrm{F}Repair_i \vee \mathrm{G}Alarm_iSend))\)—it expresses that Producer knows that each time a problem occurs at a node, then either it is repaired or the alarm is on.

\(\varphi _1\) = \(\mathrm{G}(odd \wedge \lnot paid_1 \rightarrow \bigvee _{i=2}^n\mathrm{{K}}_1({paid}_i))\)—it expresses that always when the number of uttered differences is odd, and the first cryptographer has not paid for dinner, then he knows which cryptographer has.

\(\varphi _2\) = \(\mathrm{G}(\lnot paid_1 \rightarrow \mathrm{{K}}_1(\bigvee _{i=2}^n {paid}_i))\)—it states that it is always true that if the first cryptographer has not paid for dinner, then he knows that some other cryptographer has.

\(\varphi _3\) = \(\mathrm{G}(odd \rightarrow \mathrm{{C}}_{\{ 1,\ldots ,n \}}\lnot (\bigvee _{i=1}^n {paid}_i))\)—it states that always when the number of uttered differences is odd, then it is common knowledge of all the cryptographers that none of the cryptographers has paid for dinner.

### 4.1 Performance evaluation

Results for selected witnesses generated by the SAT-based BMC translations:

| Benchmark | Formula | Semantics | \((\text {Max}^\triangledown \)) nr of components | Length of the witness | Nr of paths | Nr of variables | Nr of clauses |
|---|---|---|---|---|---|---|---|
| Faulty train controller | \(\varphi _1\) | IIS | \(650^\triangledown \) | 4 | 2 | 619982 | 1677373 |
| Faulty train controller | \(\varphi _1\) | IS | 650 | 2 | 2 | 250690 | 618440 |
| Faulty train controller | \(\varphi _1\) | IS | \(5500^\triangledown \) | 2 | 2 | 2564618 | 6262036 |
| Faulty train controller | \(\varphi _2\) | IIS | \(450^\triangledown \) | 4 | 2 | 937878 | 2687061 |
| Faulty train controller | \(\varphi _2\) | IS | 450 | 2 | 2 | 473350 | 1331220 |
| Faulty train controller | \(\varphi _2\) | IS | \(1800^\triangledown \) | 2 | 2 | 5623947 | 16452621 |
| Faulty generic pipeline paradigm | \(\varphi _1\) | IIS | \(30^\triangledown \) | 62 | 3 | 1024009 | 2869312 |
| Faulty generic pipeline paradigm | \(\varphi _1\) | IS | 30 | 62 | 3 | 844630 | 2257822 |
| Faulty generic pipeline paradigm | \(\varphi _1\) | IS | \(40^\triangledown \) | 82 | 3 | 1476472 | 3919425 |
| Faulty generic pipeline paradigm | \(\varphi _2\) | IIS | \(35^\triangledown \) | 74 | 1 | 517280 | 1449202 |
| Faulty generic pipeline paradigm | \(\varphi _2\) | IS | 35 | 72 | 1 | 390327 | 1044692 |
| Faulty generic pipeline paradigm | \(\varphi _2\) | IS | \(55^\triangledown \) | 112 | 1 | 979275 | 2608936 |
| Faulty generic pipeline paradigm | \(\varphi _3\) | IIS | \(1200^\triangledown \) | 6 | 1 | 1647007 | 4261015 |
| Faulty generic pipeline paradigm | \(\varphi _3\) | IS | 1200 | 6 | 1 | 2100292 | 5772169 |
| Faulty generic pipeline paradigm | \(\varphi _3\) | IS | \(1300^\triangledown \) | 6 | 1 | 1838281 | 4771037 |
| Faulty generic pipeline paradigm | \(\varphi _4\) | IIS | \(1100^\triangledown \) | 6 | 2 | 3886556 | 10690351 |
| Faulty generic pipeline paradigm | \(\varphi _4\) | IS | 1100 | 6 | 2 | 3033586 | 7868443 |
| Faulty generic pipeline paradigm | \(\varphi _4\) | IS | \(1200^\triangledown \) | 6 | 2 | 3253362 | 8400171 |
| Dining cryptographers | \(\varphi _1\) | IIS | \(6^\triangledown \) | 25 | 6 | 551041 | 1639542 |
| Dining cryptographers | \(\varphi _1\) | IS | 6 | 9 | 6 | 122437 | 348178 |
| Dining cryptographers | \(\varphi _1\) | IS | \(16^\triangledown \) | 19 | 16 | 2473680 | 7083283 |
| Dining cryptographers | \(\varphi _2\) | IIS | \(2300^\triangledown \) | 0 | 2 | 508521 | 793923 |
| Dining cryptographers | \(\varphi _2\) | IS | 2300 | 0 | 2 | 80601 | 131343 |
| Dining cryptographers | \(\varphi _2\) | IS | \(2350^\triangledown \) | 0 | 2 | 82351 | 134193 |
| Dining cryptographers | \(\varphi _3\) | IIS | \(5^\triangledown \) | 21 | 22 | 2014710 | 6344695 |
| Dining cryptographers | \(\varphi _3\) | IS | 5 | 9 | 10 | 267628 | 805315 |
| Dining cryptographers | \(\varphi _3\) | IS | \(11^\triangledown \) | 15 | 16 | 2167850 | 6635325 |

As one can see from the line charts for the FTC system, in the case of this benchmark over the IIS semantics, the BDD-based BMC performs much better in terms of the total time and the memory consumption for the formula \(\varphi _1\). More precisely, in the time limit set for the benchmarks, the BDD-based BMC is able to verify the formula \(\varphi _1\) for 2,500 trains, while the SAT-based BMC can handle 650 trains only. For \(\varphi _2\) the BDD-based BMC is still more efficient—it is able to verify 1,700 trains, whereas the SAT-based BMC verifies only 450 trains. However, in the case of the IS semantics the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formula \(\varphi _1\) for 5,500 trains, while BDD-based BMC can handle 16 trains only.

Similarly, in the case of the formula \(\varphi _2\) the SAT-based BMC is able to verify 1,800 trains, while BDD-based BMC computes the results for 16 trains only.

As one can see from the line charts for the FGPP system, in the case of this benchmark over the IIS semantics the SAT-based BMC performs much better in terms of the total time and the memory consumption for the formulae \(\varphi _2,\,\varphi _3\), and \(\varphi _4\), but it is worse for the formula \(\varphi _1\). More precisely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _2,\,\varphi _3\) and \(\varphi _4\), respectively, for 35, 1200, and 1100 nodes, while the BDD-based BMC computes the results, respectively, for 30, 10, and 600 nodes only. In the case of the formula \(\varphi _1\) the BDD-based BMC is able to verify the formula for 40 nodes, whereas the SAT-based BMC can verify it for 30 nodes only. Here, the reason for the higher efficiency of the BDD-based BMC is the presence of the knowledge operator, which partitions the problem into several smaller ELTL verification problems that are handled much better by the operations on BDDs. The reason for the higher efficiency of the SAT-based BMC for the formulae \(\varphi _2\) and \(\varphi _3\) is the translation, which uses only one symbolic \(k\)-path, whereas the higher efficiency for the formula \(\varphi _4\) results from the constant length of the counterexample.

As far as the FGPP system under the IS semantics is concerned, the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _1,\,\varphi _2,\,\varphi _3\) and \(\varphi _4\), respectively, for 40, 55, 1300 and 1200 nodes, while the BDD-based BMC computes the results, respectively, for 6, 5, 9 and 13 nodes only.

As one can see from the line charts for the DC system, in the case of this benchmark over the IIS semantics the BDD-based approach significantly outperforms the SAT-based BMC for the formulae \(\varphi _1\) and \(\varphi _3\), but for the formula \(\varphi _2\) it is the other way around. Namely, in the set time limit, the BDD-based BMC is able to verify the formulae \(\varphi _1\) and \(\varphi _3\) for 12 cryptographers, while the SAT-based BMC computes the results, respectively, for 6 and 5 cryptographers only. In the case of the formula \(\varphi _2\) the SAT-based BMC computes the results for 2,300 cryptographers, whereas the BDD-based BMC does so for 15 only.

For the formulae \(\varphi _1\) and \(\varphi _3\) the reason for the higher efficiency of the BDD-based BMC is that the SAT-based BMC has to deal with a huge number of symbolic \(k\)-paths. In the case of \(\varphi _1\) this number results from the fact that \(\varphi _1\) contains a disjunction of knowledge operators, whereas in the case of \(\varphi _3\) the huge number of symbolic \(k\)-paths follows from the fact that \(\varphi _3\) contains the common knowledge operator. The noticeable superiority of the SAT-based BMC for \(\varphi _2\) follows from two facts: (1) the length of the SAT counterexample is constant and very small, and (2) the SAT counterexample consists of a small number of symbolic paths (only 2 symbolic \(k\)-paths).

As far as the DC system under the IS semantics is concerned, the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _1,\,\varphi _2\), and \(\varphi _3\), respectively, for 16, 2,350 and 11 cryptographers, while the BDD-based BMC computes the results, respectively, for 4, 7 and 4 cryptographers only.

For the IIS semantics, the reordering of the BDD variables does not cause any improvement of the performance in the case of the benchmarks FTC and FGPP, but for the benchmark DC it reduces the memory consumption. This means that the fixed interleaving order we used can often be considered optimal, but the loss in verification time incurred by reordering the variables, in favour of reducing the memory consumption, is also not significant and is often worth the tradeoff. Therefore, in the results for IIS we include only the BDD-based BMC variant using automatic reordering of the variables. In the case of the IS semantics the fixed interleaving order appears to be more efficient than the reordering method used. For this reason, we include only the results for the fixed interleaving order.

From our analyses we can conclude that the BDD-based BMC method is more efficient when verifying systems with the IIS semantics, whereas the SAT-based BMC method is superior when used with systems with the IS semantics. Moreover, in most cases, the BDD-based BMC spends a considerable amount of time on encoding the system, whereas the SAT-based BMC spends it on verifying the formula. Therefore, the BDD-based BMC may provide additional time gains when verifying multiple specifications of the same system.

#### 4.1.1 Comparison with MCK

While MCK enables the verification of LTLK properties and implements the IS semantics, it differs from our approaches in the way in which systems are specified. We carefully inspected how the systems are represented in MCK and what a state is composed of, using the feature of printing out the state space for explicit-state reachability analysis, and noticed that the differences with our modelling are not merely syntactic. The state space is constructed by MCK in a significantly different way: for example, a program counter is added for each agent, and channels are the standard means of inter-process communication.

Taking the above facts into account, we did not consider it justified to aim at obtaining numbers of states exactly equal to the ones reported by our tools. Reaching this aim might not be possible at all, or would require specifying the examples for MCK in an unnatural way, possibly penalising the performance. Instead, we have done our best to model the benchmarks in MCK as closely as possible to our approach, while modelling them similarly to the examples distributed with MCK and available at the MCK web page. To this aim we have used the observable semantics when dealing with the knowledge of agents, as opposed to the perfect recall semantics, which is also available in MCK.

Next, we have modelled concurrent executions in the analysed systems by means of message-passing communication instead of hand-shake communication. The reason is that in the message-passing communication model the protocol specification for an agent allows a communication channel to be passed as an argument, which enables establishing a two-point communication. As far as we know, a corresponding construction for the hand-shaking approach is unsupported by MCK, as an agent identifier cannot be used as an argument in a protocol definition. Hand-shaking communication is used in the MCK example benchmarks and in the documentation for unscalable systems only. In the Dining Cryptographers code available at the MCK web page, the message-passing communication approach is used.

Therefore, forcing the hand-shaking communication model in MCK for our benchmarks would be very unnatural and would clearly cause a performance penalty. Further, we have ensured that for each considered benchmark the counterexamples found by the tools are of similar size, i.e., either they are constant or their complexity is the same with respect to the number of processes. Of course, we restrict our comparisons to the IS case. While we could possibly force the IIS semantics in the IS systems, this would be inefficient.

In the comparison of MCK with our methods, the lengths of counterexamples behave similarly, i.e. they either unfold to a depth proportional to the benchmark parameter or have a fixed number of steps (with the exception of the DC model, which is described below), thus minimising the factor played by the different communication schemes. These lengths are in general not equal, and do not scale in exactly the same way, which can be seen especially for the formulae \(\varphi _1\) and \(\varphi _2\) for FGPP. This may have two reasons: the way in which the model description is translated into the model itself, and the encoding used for checking the requested properties. We can say little about the latter, as no detailed counterexamples are produced by the tool. Concerning the former, we found out, by looking into the structure of the model reported for simple reachability properties, that the greater lengths are caused by a different approach to specifying systems. For example, a synchronous change of state for several components is performed in one step in our approaches, as variable values are represented by interpreted system states. By contrast, in MCK communications via channels as well as the testing and assigning of variables result in more steps. Additionally, sending and receiving messages combined with reading and assigning variables can result in several values of a program counter. The comparison shows that for FGPP and FTC our BDD-BMC and SAT-BMC are superior to MCK for all the tested formulae (sometimes by several orders of magnitude). MCK consumes all the available memory even when the formulae are surprisingly small (approx. \(10^6\) clauses and \(10^5\) variables) compared to those successfully tested in our SAT-based BMC experiments (more than \(10^8\) clauses and variables in some cases).

An additional comment is required for the DC benchmark, where for the formulae \(\varphi _1\) and \(\varphi _3\) there are differences in the length of the counterexamples: constant for MCK and linear for our methods. This can be traced back to the presence of the counter. In our modelling, the counter works sequentially. It introduces some limited concurrency, as its actions can interleave with the preceding actions of the cryptographers (to a limited degree, because the order of counting the cryptographers is fixed). In MCK, there is an XOR operation available, computed in a single step. We have decided not to add a sequential counter in this case, finding it unnatural. However, it should be noted that the models for the DC benchmark are not the same for MCK and our tools, which influences the efficiency when they are explored to the full length (the diameter of the model).

The general conclusion is that while our methods can be found to be much more efficient, MCK offers a much richer specification language, which in certain situations (see DC) results in a more efficient modelling.

## 5 Final remarks

We have proposed, implemented, and experimentally evaluated SAT- and BDD-based bounded model checking approaches for ELTLK interpreted over both the standard interpreted systems and the interleaved interpreted systems. The experimental results show that the approaches are complementary, and that the BDD-based BMC approach appears to be superior for the IIS semantics, while the SAT-based approach appears to be superior for the IS semantics. This is a novel and interesting result, which shows that the choice of the semantics should depend on the symbolic method applied.

We have also done our best to provide a comparison of our BMC methods with the MCK tool. This comparison shows that the efficiency of the verification approach is strongly influenced by the semantics used to model MAS, i.e., whether IS or IIS are applied.

In the future we are going to extend the presented algorithms to also handle \(\mathrm{ECTL}^{*}\mathrm{K}\) properties.

## Footnotes

- 1.
We would like to stress that we have used the RBC structure in our BMC implementations since 2003 [50], although we have not stated this explicitly in our previous works.

- 2.
Let \(\alpha \) be a formula. Its clausal form is a set of clauses which is satisfiable if and only if \(\alpha \) is satisfiable.

- 3.

## Notes

### Acknowledgments

Partly supported by National Science Center under the Grant No. 2011/01/B/ST6/05317 and 2011/01/B/ST6/01477. Artur Mȩski acknowledges the support of the EU, European Social Fund. Project PO KL “Information technologies: Research and their interdisciplinary applications” (UDA-POKL.04.01.01-00-051/10-00).

### References

- 1. Abdulla, P. A., Bjesse, P., & Eén, N. (2000). Symbolic reachability analysis based on SAT-solvers. In *Proceedings of the 6th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'00), Lecture Notes in Computer Science* (Vol. 1785, pp. 411–425). Berlin: Springer.
- 2. Biere, A. (2008). PicoSAT essentials. *Journal on Satisfiability, Boolean Modeling and Computation (JSAT)*, *4*, 75–97.
- 3. Biere, A., Cimatti, A., Clarke, E., Fujita, M., & Zhu, Y. (1999). Symbolic model checking using SAT procedures instead of BDDs. In *Proceedings of the ACM/IEEE Design Automation Conference (DAC'99)* (pp. 317–320).
- 4. Biere, A., Cimatti, A., Clarke, E., & Zhu, Y. (1999). Symbolic model checking without BDDs. In *Proceedings of the 5th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'99), Lecture Notes in Computer Science* (Vol. 1579, pp. 193–207). Berlin: Springer.
- 5. Biere, A., Heljanko, K., Junttila, T., Latvala, T., & Schuppan, V. (2006). Linear encodings of bounded LTL model checking. *Logical Methods in Computer Science*, *2*(5:5), 1–64.
- 6. Bordini, R., Fisher, M., Pardavila, C., Visser, W., & Wooldridge, M. (2003). Model checking multi-agent programs with CASP. In *Proceedings of the 15th International Conference on Computer Aided Verification (CAV'03), Lecture Notes in Computer Science* (Vol. 2725, pp. 110–113). Springer.
- 7. Bordini, R. H., Fisher, M., Wooldridge, M., & Visser, W. (2009). Property-based slicing for agent verification. *Journal of Logic and Computation*, *19*(6), 1385–1425.
- 8. Bulling, N., & Jamroga, W. (2010). Model checking agents with memory is harder than it seemed. In *Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS'10)* (pp. 633–640). International Foundation for Autonomous Agents and Multiagent Systems.
- 9. Cabodi, G., Camurati, P., & Quer, S. (2002). Can BDD compete with SAT solvers on bounded model checking? In *Proceedings of the 39th Design Automation Conference (DAC'02)* (pp. 117–122).
- 10. Chaum, D. (1988). The dining cryptographers problem: Unconditional sender and recipient untraceability. *Journal of Cryptology*, *1*(1), 65–75.
- 11. Clarke, E., Grumberg, O., & Hamaguchi, K. (1994). Another look at LTL model checking. In *Proceedings of the 6th International Conference on Computer Aided Verification (CAV'94), Lecture Notes in Computer Science* (Vol. 818, pp. 415–427). Berlin: Springer.
- 12. Clarke, E., Grumberg, O., & Peled, D. (1999). *Model checking*. Cambridge: MIT Press.
- 13. Copty, F., Fix, L., Fraer, R., Giunchiglia, E., Kamhi, G., Tacchella, A., & Vardi, M. (2001). Benefits of bounded model checking at an industrial setting. In *Proceedings of the 13th International Conference on Computer Aided Verification (CAV'01), Lecture Notes in Computer Science* (Vol. 2102, pp. 436–453). Berlin: Springer.
- 14. Dennis, L. A., Fisher, M., Webster, M. P., & Bordini, R. H. (2012). Model checking agent programming languages. *Automated Software Engineering*, *19*(1), 5–63.
- 15. Etessami, K., & Holzmann, G. J. (2000). Optimizing Büchi automata. In *Proceedings of the 11th International Conference on Concurrency Theory (CONCUR'00), Lecture Notes in Computer Science* (Vol. 1877, pp. 153–167). Berlin: Springer.
- 16. Fagin, R., Halpern, J. Y., Moses, Y., & Vardi, M. (1995). *Reasoning about Knowledge*. Cambridge: MIT Press.
- 17. Gammie, P., & Meyden, R. (2004). MCK: Model checking the logic of knowledge. In *Proceedings of the 16th International Conference on Computer Aided Verification (CAV'04), Lecture Notes in Computer Science* (Vol. 3114, pp. 479–483). Berlin: Springer.
- 18. Gastin, P., & Oddoux, D. (2001). Fast LTL to Büchi automata translation. In *Proceedings of the 13th International Conference on Computer Aided Verification (CAV'01), Lecture Notes in Computer Science* (Vol. 2102, pp. 53–65). Berlin: Springer.
- 19. Gerth, R., Peled, D., Vardi, M., & Wolper, P. (1995). Simple on-the-fly automatic verification of linear temporal logic. In *Proceedings of the IFIP/WG6.1 Symposium on Protocol Specification, Testing and Verification (PSTV'95)* (pp. 3–18). Chapman & Hall.
- 20. Halpern, J., & Vardi, M. (1991). Model checking vs. theorem proving: A manifesto. In *Proceedings of the 2nd International Conference on Principles of Knowledge Representation and Reasoning (KR'91)* (pp. 325–334). Cambridge: Morgan Kaufmann.
- 21. Hoek, W., & Wooldridge, M. (2003). Cooperation, knowledge, and time: Alternating-time temporal epistemic logic and its applications. *Studia Logica*, *75*(1), 125–157.
- 22. Hoek, W. V., & Wooldridge, M. (2002). Model checking knowledge and time. In *Proceedings of the 9th International SPIN Workshop on Model Checking of Software (SPIN'2002), Lecture Notes in Computer Science* (Vol. 2318, pp. 95–111). Berlin: Springer.
- 23. Huang, X., Luo, C., & van der Meyden, R. (2011). Improved bounded model checking for a fair branching-time temporal epistemic logic. In *Proceedings of the 6th Workshop on Model Checking and Artificial Intelligence (MoChArt'2010), LNAI* (Vol. 6572, pp. 95–111). Berlin: Springer.
- 24. Jamroga, W., & Dix, J. (2008). Model checking abilities of agents: A closer look. *Theory of Computing Systems*, *42*(3), 366–410.
- 25. Jamroga, W., & Penczek, W. (2012). Specification and verification of multi-agent systems. In *Lectures on Logic and Computation (ESSLLI'2010, ESSLLI'2011), Lecture Notes in Computer Science* (Vol. 7388, pp. 210–263). Berlin: Springer.
- 26. Jones, A. V., & Lomuscio, A. (2010). Distributed BDD-based BMC for the verification of multi-agent systems. In *Proceedings of the 9th International Conference on Autonomous Agents and Multi-Agent Systems (AAMAS'2010)* (pp. 675–682). Toronto: IFAAMAS Press.
- 27. Kacprzak, M., Lomuscio, A., Niewiadomski, A., Penczek, W., Raimondi, F., & Szreter, M. (2006). Comparing BDD and SAT based techniques for model checking Chaum's dining cryptographers protocol. *Fundamenta Informaticae*, *72*(1–2), 215–234.
- 28. Kacprzak, M., Nabiałek, W., Niewiadomski, A., Penczek, W., Półrola, A., Szreter, M., et al. (2008). Verics 2007—a model checker for knowledge and real-time. *Fundamenta Informaticae*, *85*(1–4), 313–328.
- 29. Lomuscio, A., Lasica, T., & Penczek, W. (2003). Bounded model checking for interpreted systems: Preliminary experimental results. In *Proceedings of the 2nd NASA Workshop on Formal Approaches to Agent-Based Systems (FAABS'02), LNAI* (Vol. 2699, pp. 115–125). Berlin: Springer.
- 30. Lomuscio, A., Pecheur, C., & Raimondi, F. (2007). Automatic verification of knowledge and time with NuSMV. In *Proceedings of the International Conference on Artificial Intelligence (IJCAI'07)* (pp. 1384–1389).
- 31. Lomuscio, A., Penczek, W., & Qu, H. (2010). Partial order reduction for model checking interleaved multi-agent systems. In *Proceedings of the 9th International Conference on Autonomous Agents and Multi-Agent Systems (AAMAS'2010)* (pp. 659–666). Toronto: IFAAMAS Press.
- 32. Lomuscio, A., Penczek, W., & Woźna, B. (2007). Bounded model checking for knowledge and real time. *Artificial Intelligence*, *171*, 1011–1038.
- 33. Mȩski, A., Penczek, W., & Szreter, M. (2011). Bounded model checking linear time and knowledge using decision diagrams. In *Proceedings of the International Workshop on Concurrency, Specification and Programming (CS&P'11)* (pp. 363–375).
- 34. Mȩski, A., Penczek, W., & Szreter, M. (2012). BDD-based bounded model checking for LTLK over two variants of interpreted systems. In *Proceedings of the 5th International Workshop on Logics, Agents, and Mobility* (pp. 35–50).
- 35. Mȩski, A., Penczek, W., Szreter, M., Woźna-Szcześniak, B., & Zbrzezny, A. (2012). Bounded model checking for knowledge and linear time. In *Proceedings of the 11th International Conference on Autonomous Agents and Multi-Agent Systems (AAMAS'2012)* (pp. 1447–1448). Toronto: IFAAMAS Press.
- 36. Mȩski, A., Penczek, W., Szreter, M., Woźna-Szcześniak, B., & Zbrzezny, A. (2012). Two approaches to bounded model checking for linear time logic with knowledge. In *Proceedings of the 6th KES International Conference on Agent and Multi-Agent Systems, Technologies and Applications (KES-AMSTA'2012), Lecture Notes in Computer Science* (Vol. 7327, pp. 514–523). Berlin: Springer.
- 37. Mȩski, A., Woźna-Szcześniak, B., Zbrzezny, A. M., & Zbrzezny, A. (2013). Two approaches to bounded model checking for a soft real-time epistemic computation tree logic. In *Proceedings of the 10th International Symposium on Distributed Computing and Artificial Intelligence (DCAI'2013), Advances in Intelligent and Soft-Computing* (Vol. 217, pp. 483–492). Berlin: Springer.
- 38. Meyden, R., & Shilov, N. V. (1999). Model checking knowledge and time in systems with perfect recall. In *Proceedings of the 19th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'99), Lecture Notes in Computer Science* (Vol. 1738, pp. 432–445). Berlin: Springer.
- 39. Meyden, R., & Su, K. (2004). Symbolic model checking the knowledge of the dining cryptographers. In *Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW-17)* (pp. 280–291). IEEE Computer Society.
- 40. Peled, D. (1993). All from one, one for all: On model checking using representatives. In *Proceedings of the 5th International Conference on Computer Aided Verification (CAV'93), Lecture Notes in Computer Science* (Vol. 697, pp. 409–423). Berlin: Springer.
- 41. Penczek, W., & Lomuscio, A. (2003). Verifying epistemic properties of multi-agent systems via bounded model checking. *Fundamenta Informaticae*, *55*(2), 167–185.
- 42. Penczek, W., Woźna-Szcześniak, B., & Zbrzezny, A. (2012). Towards SAT-based BMC for LTLK over interleaved interpreted systems. *Fundamenta Informaticae*, *119*(3–4), 373–392.
- 43. Raimondi, F., & Lomuscio, A. (2007). Automatic verification of multi-agent systems by model checking via OBDDs. *Journal of Applied Logic*, *5*(2), 235–251.
- 44. Somenzi, F. CUDD: CU decision diagram package—release 2.3.1. http://vlsi.colorado.edu/~fabio/CUDD/cuddIntro.html.
- 45. Somenzi, F., & Bloem, R. (2000). Efficient Büchi automata from LTL formulae. In *Proceedings of the 12th International Conference on Computer Aided Verification (CAV'00), Lecture Notes in Computer Science* (Vol. 1855, pp. 248–263). Berlin: Springer.
- 46. Su, K., Sattar, A., & Luo, X. (2007). Model checking temporal logics of knowledge via OBDDs. *The Computer Journal*, *50*(4), 403–420.
- 47. Troquard, N., Hoek, W. V. D., & Wooldridge, M. (2009). Model checking strategic equilibria. In *Proceedings of the 5th International Workshop on Model Checking and Artificial Intelligence (MOCHART'2008), LNAI* (Vol. 5348, pp. 166–188). Berlin: Springer.
- 48. Wooldridge, M. (2002). *An introduction to multiagent systems*. Chichester: Wiley.
- 49. Woźna, B., Lomuscio, A., & Penczek, W. (2005). Bounded model checking for deontic interpreted systems. In *Proceedings of the 2nd International Workshop on Logic and Communication in Multi-Agent Systems (LCMAS'04), ENTCS* (Vol. 126, pp. 93–114). Amsterdam: Elsevier.
- 50. Woźna, B., Zbrzezny, A., & Penczek, W. (2003). Checking reachability properties for timed automata via SAT. *Fundamenta Informaticae*, *55*(2), 223–241.
- 51. Woźna-Szcześniak, B., & Zbrzezny, A. (2012). SAT-based bounded model checking for deontic interleaved interpreted systems. In *Proceedings of the 6th KES International Conference on Agent and Multi-Agent Systems, Technologies and Applications (KES-AMSTA'2012), Lecture Notes in Computer Science* (Vol. 7327, pp. 494–503). Berlin: Springer.
- 52. Woźna-Szcześniak, B., & Zbrzezny, A. (2013). SAT-based BMC for deontic metric temporal logic and deontic interleaved interpreted systems. In *Declarative Agent Languages and Technologies X, The 10th International Workshop (DALT'2012), LNAI* (Vol. 7784, pp. 70–189). Berlin: Springer.
- 53. Woźna-Szcześniak, B., Zbrzezny, A. M., & Zbrzezny, A. (2011). The BMC method for the existential part of RTCTLK and interleaved interpreted systems. In *Proceedings of the 15th Portuguese Conference on Artificial Intelligence (EPIA'2011), LNAI* (Vol. 7026, pp. 551–565). Berlin: Springer.
- 54. Zbrzezny, A. (2008). Improving the translation from ECTL to SAT. *Fundamenta Informaticae*, *85*(1–4), 513–531.
- 55. Zbrzezny, A. (2012). A new translation from \(\mathrm{ECTL}^{*}\) to SAT. *Fundamenta Informaticae*, *120*(3–4), 377–397.

## Copyright information

**Open Access** This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.