Abstract
The paper deals with symbolic approaches to bounded model checking (BMC) for the existential fragment of linear temporal logic extended with the epistemic component (ELTLK), interpreted over interleaved interpreted systems. Two translations of BMC for ELTLK, to SAT and to operations on BDDs, are presented. The translations have been implemented, tested, and compared with each other as well as with another tool on several benchmarks for MAS. Our experimental results reveal advantages and disadvantages of SAT- versus BDD-based BMC for ELTLK.
Introduction
Verification of multiagent systems (MAS) is an actively developing field of research [7, 8, 14, 24, 25, 30, 47]. Several approaches based on model checking [12, 48] have been put forward for the verification of MAS. Typically, they employ combinations of the epistemic logic with either branching [8, 30, 43] or linear time temporal logic [17, 22, 38]. Some approaches reduce the verification problem to the one for plain temporal logic [6, 22], while others treat typical MAS modalities such as (distributed, common) knowledge as first-class citizens and introduce novel algorithms for them [38, 43].
In an attempt to alleviate the state-space explosion problem (i.e., an exponential growth of the system state space with the number of agents), two main approaches have been proposed, based on combining bounded model checking (BMC) with symbolic verification using translations to either ordered binary decision diagrams (BDDs) [26] or propositional logic (SAT) [41]. However, the above approaches deal only with properties expressed in the existential fragment of CTLK (i.e., CTL extended with the existential epistemic components, called ECTLK). In the paper [46] a method for model checking LTLK formulae using BDDs is described, but it is not explained how it can be used for BMC.
In this paper we aim at completing the picture of applying BMC-based symbolic verification to MAS by looking at the existential fragment of LTLK (i.e., LTL extended with the existential epistemic components, called ELTLK), interpreted over both the subclass of interpreted systems (IS) called interleaved interpreted systems (IIS) [31] and interpreted systems themselves. IIS are an asynchronous subclass of interpreted systems [16] in which only one action at a time is performed in a global transition. Our original contribution consists in defining the following four novel bounded model checking methods for ELTLK: SAT-based BMC for IS and for IIS, and BDD-based BMC for IS and for IIS. Moreover, we would like to point out that the proposed SAT-based BMC for ELTLK and for IS has never been defined and experimentally evaluated before. Next, both of the presented BDD-based methods have been published earlier, but only in the informal proceedings of the LAM’2012 workshop.
All the proposed BMC methods have been implemented as prototype modules of Verics [28], tested, and compared with each other as well as with MCK [17] on three well-known benchmarks for MAS: a (faulty) train controller system [21], a (faulty) generic pipeline paradigm [40], and the dining cryptographers [10]. Our experimental results not only reveal advantages and disadvantages of SAT- versus BDD-based BMC for ELTLK over MAS that are consistent with comparisons for temporal logics [9, 13], but also show two novel findings. Namely, IIS semantics can improve the practical applicability of BMC, and the BDD-based approach appears to be superior for IIS semantics, while the SAT-based approach appears to be superior for IS semantics.
The rest of the paper is organised as follows. In Sect. 2 we recall interpreted systems (IS), interleaved interpreted systems (IIS), the logic LTLK, and its two subsets: LTL and ELTLK (i.e., the existential fragment of LTLK). Section 3 deals with Bounded Model Checking (BMC), where Sect. 3.1 describes BDD-based BMC for ELTLK and Sect. 3.2 presents SAT-based BMC for ELTLK. In the last section we discuss our experimental results and conclude the paper.
Related work
Model checking of knowledge properties was first considered by Vardi and Halpern [20]. The complexity of the model checking problem for LTL combined with epistemic modalities in the perfect recall semantics was studied by van der Meyden and Shilov [38]. Raimondi et al. showed a BDD-based method for model checking CTLK [43]. Su et al. [46] described a method for model checking LTLK formulae using BDDs. Hoek et al. [22] proposed a method for model checking LTLK formulae using the logic of local propositions.
The origins of bounded model checking (BMC) go back to the seminal papers [4] and [3], where the method was defined for LTL properties and Boolean circuits. The main motivation for defining BMC was to take advantage of the immense success of SAT-solvers (i.e., tools implementing algorithms solving the satisfiability problem for propositional formulas). The first SAT-based BMC method for MAS was proposed in [41]. It deals with the existential fragment of the branching time logic extended with the epistemic components (ECTLK) and with interpreted systems. An implementation and experimental evaluation of this BMC method for interleaved interpreted systems have been presented in [29]. For the same logic and for the standard interpreted systems, Jones et al. proposed a BMC method based on BDDs [26]. In [53] the SAT-based BMC method for the existential fragment of RTCTL augmented to include epistemic modalities (RTECTLK) and for interleaved interpreted systems was introduced and experimentally evaluated. This BMC encoding takes into account the substantial improvement of the BMC encoding for ECTL that was defined in [54]. Further, since RTECTLK is an extension of ECTLK in which the range of every temporal operator can be bounded, the BMC encoding of [53] substantially improves on the BMC encoding presented in [29, 41]. In [37] a BDD-based BMC method for RTECTLK over interleaved interpreted systems was defined and compared to the corresponding SAT-based BMC method. Further, in [49] the SAT-based BMC method for deontic interpreted systems and for ECTLK extended to include the existential deontic modalities was defined. A more efficient translation to SAT, together with an implementation and an experimental evaluation of this BMC method, is shown in [51], where the SAT-based BMC method for RTECTLK augmented to include the existential deontic modalities was defined. In [23] a new SAT-based BMC encoding for fair ECTLK was presented.
Next, in [32] the SAT-based BMC method for real-time interpreted systems and for the existential fragment of TCTL extended to include epistemic modalities was shown. All the above BMC approaches deal only with properties expressed in the existential fragments of branching time temporal logics.
For linear time temporal-epistemic properties, the following BMC methods have been developed until now. In [42] a SAT-based BMC method for ELTLK over interleaved interpreted systems was defined. The main difficulty in extending the SAT-based BMC method for ELTL to the properties expressible in ELTLK was the encoding of the looping conditions. This difficulty arises from the fact that in SAT-based BMC for ELTLK we need to consider more than one path. The BMC encoding presented in [42] is not based on the state-of-the-art BMC method for \(\mathrm{ECTL}^{*}\) [55], which uses a reduced number of paths and a more efficient encoding of loops, which results in significantly smaller and less complicated propositional formulae encoding the ELTLK properties. For the same logic over the same systems, a BDD-based BMC method was introduced in [33]. Next, in [52] a SAT-based BMC method for the existential fragment of Metric LTL with epistemic and deontic modalities (EMTLKD) over deontic interleaved interpreted systems was defined.
The usefulness of SAT-based BMC for error tracking and its complementarity to BDD-based symbolic model checking have already been proven in several works, e.g., [9, 13, 35, 36]. Further, in [34] the semantics of interpreted systems and interleaved interpreted systems were experimentally evaluated by means of the BDD-based BMC method for LTLK. Partial-order reductions for model checking of interleaved interpreted systems were presented in [31].
Table 1 provides a summary of the existing implementations of model checking techniques for MAS in the BMC context. Table 2 summarises the existing BMC techniques for MAS.
This paper combines and refines our preliminary results published in the informal proceedings of two workshops, CS&P’2011 [33] and LAM’2012 [34], in the conference paper [36], and in the journal paper [42]. More precisely, for interleaved interpreted systems and for the ELTLK properties we present a BDD-based BMC technique and an improved SAT-based BMC method that previously appeared in, respectively, [33, 36] and [36, 42]. For interpreted systems and for the ELTLK properties we present a BDD-based BMC technique that previously appeared in [34]. Both SAT-based BMC methods are based on the SAT-based BMC technique for \(\mathrm{ECTL}^{*}\) that was introduced in [55].
Preliminaries
In this section we introduce the basic definitions used in the paper. In particular, we define interpreted and interleaved interpreted systems, and syntax and semantics of linear temporal logic extended with the epistemic component (LTLK) and its two subsets ELTLK and LTL.
Interpreted systems
The semantics of interpreted systems (IS) provides a setting to reason about multiagent systems (MASs) by means of specifications based on knowledge and linear or branching time. We report here the basic setting as popularised in [16].
We begin by assuming that a MAS is composed of \(n\) agents (by \({\mathcal{A }}=\{1,\ldots ,n\}\) we denote the nonempty set of agents) and a special agent \({e}\) which is used to model the environment in which the agents operate. We associate a set of possible local states \(L_{{ c}}\) and actions \(Act_{{ c}}\) to each agent \({ c}\in {\mathcal{A }} \cup \{{e}\}\). For any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\) we assume that the special action \(\epsilon _{{ c}}\), called the “null” action of agent \({{ c}}\), belongs to \(Act_{{ c}}\). For convenience, the symbol \(Act\) denotes the Cartesian product of the agents’ actions, i.e. \(Act = Act_1\times \dots \times Act_n \times Act_{{e}}\).
An element \(a \in Act\) is a tuple of actions (one for each agent) and is referred to as a joint action. Following closely the interpreted system model, we consider a local protocol modelling the program the agent is executing. Formally, for any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\), the actions of the agents are selected according to a local protocol function \(P_{{ c}}: L_{{ c}} \rightarrow 2^{Act_{{ c}}}\), which maps local states to sets of possible actions for agent \({ c}\). Further, for each agent \({{ c}}\) we define a (partial) evolution function \(t_{{ c}}: L_{{ c}} \times Act \rightarrow L_{{ c}}\). We assume that if \(\epsilon _{{ c}} \in P_{{ c}}(\ell )\), then \(t_{{ c}}(\ell ,(a_1,\ldots ,a_n,a_{{e}})) = \ell \) for \(a_{{ c}}=\epsilon _{{ c}}\) and \(a_i \in Act_i\) for \(1 {\,\leqslant \,}i {\,\leqslant \,}n\), and \(a_{{e}} \in Act_{{e}}\).
A global state \(g = (\ell _1, \dots , \ell _n, \ell _{{e}})\) is a tuple of local states for all the agents in the MAS corresponding to an instantaneous snapshot of the system at a given time. Given a global state \(g=(\ell _1,\dots , \ell _n, \ell _{{e}})\), we denote by \(l_{{ c}}(g)=\ell _{{ c}}\) the local component of agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\) in \(g\).
Let \(G\) be a set of global states. For a given set of agents \(\mathcal{A }\), the environment \({e}\), and a set of propositional variables \(\mathcal{PV }\), which can be either true or false, an interpreted system is a tuple
where \(\iota \in G\) is the initial global state, and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is a valuation function.
Given the notions above we can now define formally the global (partial) evolution function. Namely, the global (partial) evolution function \(t: G \times Act \rightarrow G\) is defined as follows: \(t(g,a)= g'\) iff for all \({ c}\in {\mathcal{A }},\,t_{{ c}}(l_{{ c}}(g),a) = l_{{ c}}(g')\) and \(t_{{e}} (l_{{e}}(g), a) = l_{{e}}(g')\). In brief we write the above as \(g \stackrel{a}{\longrightarrow } g'\).
With each IS we associate a Kripke model, which is a tuple
where \(G=\prod _{{ c}=1}^n L_{{ c}}\times L_{{e}}\) is the set of global states; \(\iota \in G\) is the initial (global) state; \(T \subseteq G \times G\) is the global transition relation on \(G\) defined by \((g , g') \in T\) iff there exists an action \(a \in Act\) such that \(g \stackrel{a}{\longrightarrow } g'\) (we assume that the relation is total, i.e., for any \(g\in G\) there exists an \(a \in Act\) such that \(g \stackrel{a}{\longrightarrow } g'\) for some \(g' \in G\)); \(\sim _{{ c}} \subseteq G \times G\) is the epistemic indistinguishability relation for each agent \({{ c}}\in \mathcal{A }\), defined by \(g \sim _{{ c}} r\) if \(l_{{ c}}(g) = l_{{ c}}(r)\); and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is the valuation function of IS.
Interleaved interpreted systems
Interleaved interpreted systems (IIS) [31] are a restriction of interpreted systems in which all the joint actions are of a special form. To be more precise, we assume that if more than one agent is active at a given state, i.e., executes a non-null action, then all the active agents perform the same (shared) action in the round. Formally, for any agent \({{ c}}\in {\mathcal{A }} \cup \{{e}\}\) we assume that the special action \(\epsilon _{{ c}}\), called the “null” action of agent \({{ c}}\), belongs to \(Act_{{ c}}\); as will become clear below, the local state of agent \({{ c}}\) remains the same if the null action is performed. Next, \(Act = \bigcup _{{ c}\in {\mathcal{A }}} Act_{{ c}} \cup Act_{{e}}\), and for each action \(a\), by \(Agent(a) \subseteq {\mathcal{A }}\cup \{{e}\}\) we mean the set of all agents \({ c}\) such that \(a \in Act_{{ c}}\), i.e., the set of agents potentially able to perform \(a\). Further, for each agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\), the actions are selected according to a local protocol function \(P_{{ c}}: L_{{ c}} \rightarrow 2^{Act_{{ c}}}\) such that \(\epsilon _{{ c}} \in P_{{ c}}(\ell )\) for any \(\ell \in L_{{ c}}\), i.e., we insist that the null action be enabled at every local state. Next, for each agent \({{ c}} \in {\mathcal{A }}\cup \{{e}\}\), we define a (partial) evolution function \(t_{{ c}}: L_{{ c}} \times Act_{{ c}} \rightarrow L_{{ c}}\), where \(t_{{ c}}(\ell ,\epsilon _{{ c}}) = \ell \) for each \(\ell \in L_{{ c}}\). The local evolution function considered here differs from the standard treatment in interpreted systems by taking the local action as its parameter instead of the joint action.
Let \(G\) be a set of global states. For a given set of agents \(\mathcal{A }\), the environment \({e}\), and a set of propositional variables \(\mathcal{PV }\), which can be either true or false, an interleaved interpreted system is a tuple
where \(\iota \in G\) is the initial global state, and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is a valuation function.
Given the notions above we can now define formally the global (partial) interleaved evolution function. Namely, the global (partial) interleaved evolution function \(t: G\times \prod _{{{ c}} = 1}^n Act_{{ c}} \times Act_{{e}} \rightarrow G\) is defined as follows: \(t(g,a_1,\dots , a_n, a_{{e}})= g'\) iff there exists an action \(a \in Act \setminus \{\epsilon _1,\ldots ,\epsilon _n, \epsilon _{{e}}\}\) such that for all \({{ c}} \in Agent(a),\,a_{{ c}} = a\) and \(t_{{ c}}(l_{{ c}}(g),a) = l_{{ c}}(g')\), and for all \({{ c}} \in ({\mathcal{A }} \cup \{{e}\}) \setminus Agent(a),\,a_{{ c}} = \epsilon _{{ c}}\) and \(t_{{ c}}(l_{{ c}}(g),\epsilon _{{ c}}) = l_{{ c}}(g)\). In brief we write the above as \(g \stackrel{a}{\longrightarrow } g'\).
Similar to blocking synchronisation in automata, the above insists on all agents performing the same non-epsilon action in a global transition; additionally, note that if an agent has the action being performed in its repertoire, it must perform it for the global transition to be allowed. This assumes that the local protocols are defined to permit this; if a local protocol does not allow it, then the local action cannot be performed and therefore the global transition does not comply with the global interleaved evolution function as defined above.
With each IIS we associate a Kripke model, which is a tuple
where \(G=\prod _{{ c}=1}^n L_{{ c}} \times L_{{e}}\) is the set of global states; \(\iota \in G\) is the initial (global) state; \(T \subseteq G \times G\) is the global (interleaved) transition relation on \(G\) defined by \((g , g') \in T\) iff there exists an action \(a \in Act \setminus \{\epsilon _1,\ldots ,\epsilon _n,\epsilon _{{e}}\}\) such that \(g \stackrel{a}{\longrightarrow } g'\) (we assume that the relation is total, i.e., for any \(g\in G\) there exists an \(a \in Act \setminus \{\epsilon _1,\ldots ,\epsilon _n,\epsilon _{{e}}\}\) such that \(g \stackrel{a}{\longrightarrow } g'\) for some \(g' \in G\)); \(\sim _{{ c}}\; \subseteq G \times G\) is the epistemic indistinguishability relation for each agent \({{ c}}\in \mathcal{A }\), defined by \(g \sim _{{ c}} r\) if \(l_{{ c}}(g) = l_{{ c}}(r)\); and \({\mathcal{V }}: G \rightarrow 2^{\mathcal{PV }}\) is the valuation function of IIS.
Runs and paths
Let \(M\) be a model generated by either an IS or an IIS. Then, an infinite sequence of global states \(\rho =g_0 g_1 g_2\dots \) is called a run originating at \(g_0\) if there is a sequence of transitions from \(g_0\) onwards such that \((g_i , g_{i+1})\in T \) for every \(i {\,\geqslant \,}0\). The \(m\)th prefix of \(\rho \), denoted by \(\rho [..m]\), is defined as \(\rho [..m] = (g_0, g_1 ,\ldots , g_m)\). Any finite prefix of a run is called a path.
By \(length(\rho )\) we mean the number of the states of \(\rho \) if \(\rho \) is a path, and \(\omega \) if \(\rho \) is a run. In order to limit the indices range of \(\rho \), which can be either a path or a run, we define the relation \(\unlhd _\rho \). Let \(\unlhd _\rho \stackrel{def}{=}<\) if \(\rho \) is a run, and \(\unlhd _\rho \stackrel{def}{=}{\,\leqslant \,}\) if \(\rho \) is a path.
The set of all the paths and runs originating from \(g\) is denoted by \(\varPi (g)\). The set of all the paths and runs originating from all states in \(G\) is defined as \(\varPi = \bigcup _{g \in G} \varPi (g)\). The set of all the runs originating from \(g\) is denoted by \(\varPi ^\omega (g)\). The set of all the runs originating from all states in \(G\) is defined as \(\varPi ^\omega = \bigcup _{g \in G} \varPi ^\omega (g)\). A state \(g\) is reachable from \(g_0\) if there is a path \(\rho =g_0 g_1 g_2 \ldots g_n\) for \(n {\,\geqslant \,}0\) such that \(g = g_n\).
Examples of MASs and their models
In this section we present MASs modelled by means of interpreted systems and interleaved interpreted systems. We use these systems to appraise the bounded model checking methods considered in the paper. In what follows we denote by \(\overline{\epsilon }\) the joint null action, i.e., the action composed of the null actions only.
A faulty train controller system (FTC)
The FTC (adapted from [21]) consists of a controller and \(n\) trains (for \(n{\,\geqslant \,}2\)), one of which is dysfunctional. It is assumed that each train uses its own circular track for travelling in one direction. At one point, all trains have to pass through a tunnel, but because there is only one track in the tunnel, trains arriving from each direction cannot use it simultaneously. There are signals on both sides of the tunnel, which can be either red or green. All trains except the one with a faulty signalling system notify the controller when they request entry to the tunnel or when they leave the tunnel. The controller controls the colour of the displayed signal. Figure 1 shows the local states, the possible actions, and the protocol for each agent. Null actions are omitted in the figure. Further, we assume that the local state \(Away_i\) is initial for Train \(i\), and the local state \(Green\) is initial for Controller.
In the model we assume the following set of propositional variables: \({\mathcal{PV }}\!=\!\{ InTunnel_1,\ldots , InTunnel_n \}\) with the following interpretation: \((M,g)\ \models InTunnel_i\) if \(l_{Train_i}(g)= Tunnel_i\), for all \(i \in \{1,\ldots ,n\}\).
Let \(state\) denote a local state of an agent, \(Act=Act_{Train_1}\times \cdots \times Act_{Train_n} \times Act_{Controller}\) with \(Act_{Train_i} = \{approach_i, in_i, out_i, \epsilon _i\}\) where \(1{\,\leqslant \,}i {\,\leqslant \,}n\), and \(Act_{Controller} = \bigcup _{i=1}^{n-1} \{in_i, out_i\} \cup \{\epsilon \}\). Moreover, for \(a \in Act\), let \(act_i(a)\) denote the action of Train \(i\) in \(a\), and \(act_C(a)\) the action of Controller in \(a\). In the IS model of the system we assume the following local evolution functions:

Let \(1{\,\leqslant \,}i {\,\leqslant \,}n\). The local evolution function for Train \(i\) is defined as follows:

\(t_{Train_i}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_i(a)=\epsilon _i\)

\(t_{Train_i}(Away_i,a) = Wait_i\) if \(act_i(a)=approach_i\)

\(t_{Train_i}(Wait_i,a) = Tunnel_i\) if \(act_i(a)=in_i\) and \(act_C(a)=in_i\) and \(i\ne n\)

\(t_{Train_i}(Tunnel_i,a) = Away_i\) if \(act_i(a)=out_i\) and \(act_C(a)=out_i\) and \(i\ne n\)

\(t_{Train_n}(Wait_n,a) = Tunnel_n\) if \(act_n(a)=in_n\)

\(t_{Train_n}(Tunnel_n,a) = Away_n\) if \(act_n(a)=out_n\)


the local evolution function for Controller is defined as follows:

\(t_{Controller}(state,a) = state\) if \(act_C(a)=\epsilon \)

\(t_{Controller}(Green,a) = Red\) if \(act_i(a)=in_i\) and \(act_C(a)=in_i\) and \(i\ne n\)

\(t_{Controller}(Red, a) = Green\) if \(act_i(a)=out_i\) and \(act_C(a)=out_i\) and \(i\ne n\)

In the IIS model of the system we assume the following local evolution functions:

for Train \(i,\,t_{Train_i}\) is defined as follows:

\(t_{Train_i}(state,\epsilon _i) = state\), for \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\(t_{Train_i}(Away_i,approach_i) = Wait_i\), for \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\(t_{Train_n}(Wait_n,in_n) = Tunnel_n\)

\(t_{Train_i}(Wait_i,in_i) = Tunnel_i\) if \(act_C(a)=in_i\) and \(act_j(a)=\epsilon _j\) for all \(1{\,\leqslant \,}j< n \) such that \(j\ne i\)

\(t_{Train_n}(Tunnel_n,out_n) = Away_n\)

\(t_{Train_i}(Tunnel_i,out_i) = Away_i\) if \(act_C(a)=out_i\) and \(act_j(a)=\epsilon _j\) for all \(1{\,\leqslant \,}j< n \) such that \(j\ne i\)


for Controller, \(t_{Controller}\) is defined as follows:

\(t_{Controller}(state,\epsilon ) = state\)

\(t_{Controller}(Green,in_i) = Red\) if \(act_i(a)=in_i\), for \(1{\,\leqslant \,}i < n\)

\(t_{Controller}(Red, out_i) = Green\) if \(act_i(a)=out_i\), for \(1{\,\leqslant \,}i < n\)
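As an added example (not the paper's own code), the FTC model above built in Python for \(n\) trains under both semantics: the IS global evolution function enumerates protocol-enabled joint actions, the IIS one allows a single shared action per transition, and both are explored to obtain the reachable global states, the transition relation \(T\), and the epistemic relation \(\sim_{Train_1}\) used to evaluate knowledge. Figure 1's local protocols are not reproduced on the page, so the enabled actions per local state are an assumption stated in the code; the run at the bottom uses \(n=2\), where Train 2 is the faulty train.

```python
"""Added example (not the paper's code): the FTC of Fig. 1 for n trains under both
IS and IIS semantics. Assumption (Fig. 1 is not reproduced on the page): the local
protocols are Away_i: {approach_i, null}, Wait_i: {in_i, null}, Tunnel_i: {out_i, null},
Controller Green: {in_i | i < n} + null and Red: {out_i | i < n} + null."""
from collections import deque
from itertools import product

NULL = "eps"  # the null action epsilon_c, in every agent's repertoire

def agents(n):
    """Agent order used in global states: Train_1, ..., Train_n, Controller."""
    return [f"Train_{i}" for i in range(1, n + 1)] + ["Controller"]

def protocol(n):
    """P_c: local state -> enabled local actions (assumed, see module docstring)."""
    P = {f"Train_{i}": {f"Away_{i}": {f"approach_{i}", NULL},
                        f"Wait_{i}": {f"in_{i}", NULL},
                        f"Tunnel_{i}": {f"out_{i}", NULL}} for i in range(1, n + 1)}
    P["Controller"] = {"Green": {f"in_{i}" for i in range(1, n)} | {NULL},
                       "Red": {f"out_{i}" for i in range(1, n)} | {NULL}}
    return P

def evolution(n):
    """t_c(local state, local action) -> local state, as in the IIS definition.
    Train_n is the faulty train: in_n/out_n are not in the Controller's repertoire."""
    t = {f"Train_{i}": {(f"Away_{i}", f"approach_{i}"): f"Wait_{i}",
                        (f"Wait_{i}", f"in_{i}"): f"Tunnel_{i}",
                        (f"Tunnel_{i}", f"out_{i}"): f"Away_{i}"} for i in range(1, n + 1)}
    t["Controller"] = {}
    for i in range(1, n):
        t["Controller"][("Green", f"in_{i}")] = "Red"
        t["Controller"][("Red", f"out_{i}")] = "Green"
    return t

def agent_of(t):
    """Agent(a): the agents whose repertoire contains a, e.g. in_1 -> {Train_1, Controller}."""
    ag = {}
    for c, table in t.items():
        for (_, a) in table:
            ag.setdefault(a, set()).add(c)
    return ag

def successors(g, n, semantics):
    """All g' with g -a-> g'.  IS: every protocol-enabled joint action except the
    joint null action, where a shared action (in_i, out_i) must be performed by all
    of Agent(a) at once (the act_C(a) = in_i conditions above).  IIS: exactly one
    shared non-null action, performed by Agent(a); everyone else performs null."""
    names, P, t = agents(n), protocol(n), evolution(n)
    ag, loc = agent_of(t), dict(zip(agents(n), g))
    if semantics == "IS":
        cands = [dict(zip(names, a)) for a in product(*[sorted(P[c][loc[c]]) for c in names])]
    else:
        cands = [{c: (a if c in ag[a] else NULL) for c in names} for a in ag]
    out = set()
    for act in cands:
        if all(v == NULL for v in act.values()):
            continue  # the joint null action never yields a transition
        nxt = []
        for c in names:
            a = act[c]
            if a == NULL:
                nxt.append(loc[c])  # null action: local state unchanged
                continue
            enabled = a in P[c][loc[c]] and (loc[c], a) in t[c]
            synced = all(act[d] == a for d in ag[a])
            if not (enabled and synced):
                nxt = None
                break
            nxt.append(t[c][(loc[c], a)])
        if nxt is not None:
            out.add(tuple(nxt))
    return out

def reachable(n, semantics):
    """Reachable global states and the transition relation T from the initial state."""
    init = tuple(f"Away_{i}" for i in range(1, n + 1)) + ("Green",)
    seen, edges, todo = {init}, set(), deque([init])
    while todo:
        g = todo.popleft()
        for g2 in successors(g, n, semantics):
            edges.add((g, g2))
            if g2 not in seen:
                seen.add(g2)
                todo.append(g2)
    return seen, edges

def in_tunnel(g, i):
    return g[i - 1] == f"Tunnel_{i}"  # the proposition InTunnel_i

def knows(states, g, c, prop):
    """K_c prop at g: prop holds in every reachable r with l_c(g) = l_c(r), i.e. g ~_c r."""
    return all(prop(r) for r in states if r[c] == g[c])

if __name__ == "__main__":
    for sem in ("IS", "IIS"):
        S, T = reachable(2, sem)
        print(sem, len(S), "states,", len(T), "transitions, collisions:",
              [g for g in S if in_tunnel(g, 1) and in_tunnel(g, 2)])
    S, _ = reachable(2, "IS")
    print("K_Train_1 not InTunnel_2 in (Tunnel_1, Away_2, Red):",
          knows(S, ("Tunnel_1", "Away_2", "Red"), 0, lambda r: not in_tunnel(r, 2)))
```

With \(n=2\) both semantics reach the same nine global states, including the collision state where both trains are in the tunnel, but the IIS transition relation is a strict subset of the IS one (simultaneous moves of the two trains are split into two steps), which is the reduction the BMC comparison in the paper exploits.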

Faulty generic pipeline paradigm (FGPP)
The FGPP (adapted from [40]) consists of the following agents: the Producer, which is able to produce data; the Consumer, which is able to receive data; a chain of \(n\) intermediate Nodes, which are able to receive, process, and send data; and a chain of \(n\) Alarms, which are enabled when some error occurs, i.e. when the \(Hung\text{-}up_i\) (\(1{\,\leqslant \,}i {\,\leqslant \,}n\)) operation is performed three times. If the \(Hung\text{-}up_i\) action is performed only once or only twice, then the system recovers from the error. Figure 2 shows the local states, the possible actions, and the protocol for each agent. From Fig. 2 we can also deduce the local evolution function of the IIS. Null actions are omitted in the figure. Further, we assume that the local states \(ProdReady,\,NodeiReady,\,ConsReady\) and \(AlarmiReady\) are initial, respectively, for Producer, Node \(i\), Consumer, and Alarm \(i\).
In the model we assume the following set of propositional variables: \({\mathcal{PV }}=\{ ProdSend, ConsReady,\,Problem_1,\,\ldots \), \(Problem_n,\,Repair_1,\,\ldots ,\,Repair_n,\,Alarm_1Send,\,\ldots ,\,Alarm_nSend \}\) with the following interpretation:

\((M,g)\models ProdSend\) if \(l_{Producer}(g)=ProdSend\)

\((M,g)\models ConsReady\) if \(l_{Consumer}(g)=ConsReady\)

\((M,g)\models Problem_i\) if \(l_{Alarm i}(g)= Problemi\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\((M,g)\models Repair_i\) if \(l_{Alarm i}(g)= Repairi\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)

\((M,g)\models Alarm_iSend\) if \(l_{Alarm i}(g)= AlarmiSend\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\)
Let \(state\) denote a local state of an agent, and let \(P,\,C,\,Ni\), and \(Ai\) denote, respectively, Producer, Consumer, the \(i\)th Node, and the \(i\)th Alarm. Further, let \(Act=Act_{P}\times \prod _{i=1}^n Act_{Ni}\times \prod _{i=1}^n Act_{Ai} \times Act_{C}\) with \(Act_{P} = \{Producing, Send_1, \epsilon _P\},\,Act_{C} = \{Send_{n+1}, Consuming, \epsilon _C\},\,Act_{Ni} = \{Send_i,Send_{i+1},Processing_i, Hang\_up_i, \epsilon _{Ni}\}\), and \(Act_{Ai} = \{Processing_i, Hang\_up_i, Reset_i, \epsilon _{Ai}\}\). Moreover, for \(a \in Act\), let \(act_P(a),\,act_{Ni}(a),\,act_{Ai}(a)\), and \(act_C(a)\) denote, respectively, the action of Producer, Node \(i\), Alarm \(i\), and Consumer in \(a\). In the IS model of the system we assume the following local evolution functions:

\(t_P(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_P(a) = \epsilon _P\)

\(t_P(ProdReady, a) = ProdSend\) if \(act_P(a) = Producing\)

\(t_P(ProdSend, a ) = ProdReady\) if \(act_P(a) = Send_1\) and \(act_{N1}(a) = Send_1\)

\(t_C(state,a) = state\) if \(act_C(a) = \epsilon _C\)

\(t_C(ConsReady,a)=Received\) if \(act_C(a) = Send_{n+1}\) and \(act_{Nn}(a) = Send_{n+1}\)

\(t_C(Received, a)= ConsReady\) if \(act_C(a) = Consuming\)

if \(n=1\)

\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{C}(a) = Send_2\)


if \(n=2\)

\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{N2}(a) = Send_2\)

\(t_{N2}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N2}(a) = \epsilon _{N2}\)

\(t_{N2}(Node2Ready, a) = Node2Proc\) if \(act_{N2}(a) = act_{N1}(a) = Send_2\)

\(t_{N2}(Node2Proc, a) = Node2Send\) if \(act_{N2}(a) = act_{A2}(a) = Processing_2\)

\(t_{N2}(Node2Proc, a) = Node2Proc\) if \(act_{N2}(a) = act_{A2}(a) = Hang\_up_2\)

\(t_{N2}(Node2Send,a)=Node2Ready\) if \(act_{N2}(a) = act_{C}(a) = Send_3\)


if \(n{\,\geqslant \,}3\) and \(2{\,\leqslant \,}i < n\)

\(t_{N1}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{N1}(a) = \epsilon _{N1}\)

\(t_{N1}(Node1Ready, a) = Node1Proc\) if \(act_{N1}(a) = act_P(a) = Send_1\)

\(t_{N1}(Node1Proc, a) = Node1Send\) if \(act_{N1}(a) = act_{A1}(a) = Processing_1\)

\(t_{N1}(Node1Proc, a) = Node1Proc\) if \(act_{N1}(a) = act_{A1}(a) = Hang\_up_1\)

\(t_{N1}(Node1Send,a)=Node1Ready\) if \(act_{N1}(a) = act_{N2}(a) = Send_2\)

\(t_{Nn}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Nn}(a) = \epsilon _{Nn}\)

\(t_{Nn}(NodeNReady, a) = NodeNProc\) if \(act_{Nn}(a) = act_{Nn-1}(a) = Send_n\)

\(t_{Nn}(NodeNProc, a) = NodeNSend\) if \(act_{Nn}(a) = act_{An}(a) = Processing_n\)

\(t_{Nn}(NodeNProc, a) = NodeNProc\) if \(act_{Nn}(a) = act_{An}(a) = Hang\_up_n\)

\(t_{Nn}(NodeNSend,a)=NodeNReady\) if \(act_{Nn}(a) = act_{C}(a) = Send_{n+1}\)

\(t_{Ni}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Ni}(a) = \epsilon _{Ni}\)

\(t_{Ni}(NodeNReady, a) = NodeNProc\) if \(act_{Ni}(a) = act_{Nn-1}(a) = Send_i\)

\(t_{Ni}(NodeNProc, a) = NodeNSend\) if \(act_{Ni}(a) = act_{Ai}(a) = Processing_i\)

\(t_{Ni}(NodeNProc, a) = NodeNProc\) if \(act_{Ni}(a) = act_{Ai}(a) = Hang\_up_i\)

\(t_{Ni}(NodeNSend,a)=NodeNReady\) if \(act_{Ni}(a) = act_{Ni+1}(a) = Send_{i+1}\)


Let \(1{\,\leqslant \,}i {\,\leqslant \,}n\):

\(t_{Ai}(state,a) = state\) if \(a \ne {\overline{\epsilon }}\) and \(act_{Ai}(a) = \epsilon _{Ai}\)

\(t_{Ai}(AlarmiReady,a) = Problemi\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(AlarmiReady,a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai}(Problemi,a) = Problemi'\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(Problemi,a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai}(Problemi',a) = AlarmiSend\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai}(Problemi',a) = Repairi\) if \(act_{Ai}(a) = act_{Ni} (a) = Processing_i\)

\(t_{Ai} (AlarmiSend,a) = AlarmiSend\) if \(act_{Ai}(a) = act_{Ni} (a) = Hang\_up_i\)

\(t_{Ai} (Repairi,a) = AlarmiReady\) if \(act_{Ai}(a) = Reset_i\).

Dining cryptographers (DC)
The DC [10] is a scalable anonymity protocol, which has been formalised and analysed in many works, e.g., [27, 39]. Our formalisation of DC is shown in Fig. 3 and extends our earlier definition [27]. Null actions are omitted in the figure.
We model \(n\) cryptographers sitting at a round table, with coins between them, every coin seen by a pair of respective neighbours. Let \(state\) denote a local state of an agent. Let \(C_i\) and \(Coin_i\) denote the \(i\)th cryptographer and the \(i\)th coin, respectively. \(Counter\) denotes the agent counting utterances, and \(Oracle_i\) determines whether agent \(i\) pays or no agent pays at all. Thus, our DC system consists of \(3n+1\) components formed by \(n\) agents and the environment. More precisely, the \(i\)th agent consists of the following three components: \(C_i,\,Coin_i\), and \(Oracle_i\). The component \(Counter\) defines the environment. We introduce a helper function to identify the right-side neighbour of cryptographer \(i\): \(i^+ = (i+1) \) for \( 1 {\,\leqslant \,}i < n\), and \(i^+ = 1\) for \(i = n\).
The protocol works as follows: first the oracles determine who is the payer (either precisely one cryptographer or none of them). Then, every cryptographer looks at the two coins he can see (his own and his right neighbour's) and records the result (the states \(seeD\) and \(seeE\) correspond to seeing different or equal coin sides, respectively). The final utterance of each cryptographer (the \(sayD\) and \(sayE\) locations correspond to saying different and equal outcomes, respectively) depends on what result is seen and whether the cryptographer has paid or not. Finally, the counter counts the utterances, determining the final result of the protocol. Let \(Act=Act_{Counter}\times \prod _{i=1}^n Act_{C_i}\times \prod _{i=1}^n Act_{Coin_i} \times \prod _{i=1}^n Act_{Oracle_i}\) with

\(Act_{Counter} = \{se_1, sd_1, \cdots , se_n, sd_n, \epsilon _{Counter}\}\),

\(Act_{Coin_i} = \{tt_i, hh_i, ht_i, th_i, tt_{i^+}, hh_{i^+},ht_{i^+},th_{i^+},\epsilon _{Coin_i}\}\),

\(Act_{Oracle_i} = \{pay_0, \dots , pay_{n}, t_i, h_i, paid_i, not\_paid_i, \epsilon _{Oracle_i}\}\), and

\(Act_{C_i} = \{pay_0, \dots , pay_{n},tt_i, hh_i, ht_i, th_i, not\_paid_i, paid_i, se_i, sd_i, \epsilon _{C_i}\}\),
for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\). Moreover, for \(a \in Act\), let \(act_{Counter}(a),\,act_{C_i}(a),\,act_{Coin_i}(a)\), and \(act_{Oracle_i}(a)\) denote, respectively, the action of Counter, Cryptographer \(i\), Coin \(i\), and Oracle \(i\) in \(a\).
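As an added example (not part of the paper), the protocol just described run directly in Python: each cryptographer's utterance from the two coins he sees and his own payer status, the Counter's parity decision, and the set of Oracle outcomes that cryptographer \(C_j\) cannot tell apart from his local view, which is the projection of \(\sim_{C_j}\) onto "who paid" and is what an epistemic check of \(K_{C_j}\,paid_i\) examines. The 0/1 coin encoding, the flat local view, and the constructed three-cryptographer run are my assumptions, not the paper's local states.

```python
"""Added example (not from the paper): a direct simulation of the dining
cryptographers protocol formalised above. Encoding assumptions: a coin side is
0 (tails) or 1 (heads), coins[i] is Coin_i for 1 <= i <= n (coins[0] is unused),
payer 0 means nobody pays, and an utterance 1 means 'different' (sd_i)."""
from itertools import product

def right(i, n):
    """i^+ from the paper: the right-hand neighbour, wrapping n -> 1."""
    return i + 1 if i < n else 1

def utterances(coins, payer):
    """C_i announces whether Coin_i and Coin_{i^+} differ (seeD / seeE) and
    inverts that announcement if he is the payer (sayD from seeE, sayE from seeD)."""
    n = len(coins) - 1
    return {i: (coins[i] ^ coins[right(i, n)]) ^ (1 if payer == i else 0)
            for i in range(1, n + 1)}

def counter(utts):
    """Counter: an odd number of 'different' utterances means a cryptographer paid."""
    return "paid" if sum(utts.values()) % 2 == 1 else "not_paid"

def local_view(j, coins, payer):
    """What C_j observes: his two coins, his own paid/not_paid, and every utterance
    (the Counter's input is public). This is the information l_{C_j}(g) carries."""
    n = len(coins) - 1
    return (coins[j], coins[right(j, n)], payer == j,
            tuple(sorted(utterances(coins, payer).items())))

def possible_payers(j, coins, payer):
    """Oracle outcomes i for which some coin tosses give C_j exactly the same view,
    i.e. the payers of the global states r with g ~_{C_j} r. Anonymity holds when a
    non-paying C_j obtains every other cryptographer, not just the real payer."""
    n = len(coins) - 1
    view = local_view(j, coins, payer)
    return {i for i in range(n + 1)
            if any(local_view(j, (None,) + toss, i) == view
                   for toss in product((0, 1), repeat=n))}

if __name__ == "__main__":
    coins, payer = (None, 1, 0, 1), 2  # constructed run: three cryptographers, C_2 pays
    utts = utterances(coins, payer)
    print("utterances:", utts, "->", counter(utts))
    print("C_1 considers possible payers:", possible_payers(1, coins, payer))
```

For the constructed run the Counter reports that someone paid, while \(C_1\) cannot distinguish \(C_2\) from \(C_3\) as the payer; when nobody pays, every cryptographer can rule out all payers, which is exactly the knowledge property model checking of DC verifies.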
In the IS model of the system we assume the following local evolution functions (we provide definitions for \(C_i\) and \(Oracle_i\) components, the remaining ones are straightforward):

the local evolution for \(Oracle_i\) is defined as follows:

\(t_{Oracle_i}(state, a) = state\) iff \(a \ne {\overline{\epsilon }}\) and \(act_{Oracle_i}(a) =\epsilon _{Oracle_i}\)

\(t_{Oracle_i}(start, a) = tossed\) iff \(act_{Oracle_i}(a) = act_{Coin_i}(a)= t_i\) or \(act_{Oracle_i}(a) = act_{Coin_i}(a)= h_i\)

\(t_{Oracle_i}(tossed, a) = paid\) iff \(act_{Oracle_1}(a)= \ldots = act_{Oracle_n}(a) = pay_i\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_i\)

\(t_{Oracle_i}(tossed, a) = not\_paid\) iff either \(act_{Oracle_1}(a)= \ldots = act_{Oracle_n}(a) = pay_0\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_0\), or \(act_{Oracle_1}(a)=\ldots = act_{Oracle_n}(a) = pay_j\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_j\) for some \(j\) such that \(1{\,\leqslant \,}j {\,\leqslant \,}n\) and \(j \not =i\)


the local evolution for \(C_i\) is defined as follows:

\(t_{C_i}(state, a) = state\) iff \(a \ne {\overline{\epsilon }}\) and \(act_{C_i}(a)=\epsilon _{C_i}\)

\(t_{C_i}(start, a) = decided\) iff \(act_{Oracle_1}(a)=\ldots = act_{Oracle_n}(a) = pay_j\) and \(act_{C_1}(a)=\ldots =act_{C_n}(a) = pay_j\) for some \(j\) such that \(0{\,\leqslant \,}j {\,\leqslant \,}n\)

\(t_{C_i}(decided, a) = {seeD}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = th_i\)

\(t_{C_i}(decided, a) = {seeD}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = ht_i\)

\(t_{C_i}(decided, a) = {seeE}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = hh_i\)

\(t_{C_i}(decided, a) = {seeE}\) iff \(act_{C_i}(a) = act_{Coin_i}(a) = act_{Coin_{i^+}}(a) = tt_i\)

\(t_{C_i}(seeE, a) = {sayD}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = paid_i\)

\(t_{C_i}(seeD, a) = {sayE}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = paid_i\)

\(t_{C_i}(seeD, a) = {sayD}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = not\_paid_i\)

\(t_{C_i}(seeE, a) = {sayE}\) iff \(act_{C_i}(a) = act_{Oracle_i}(a) = not\_paid_i\)

Because of the way in which the local evolution functions are defined, obtaining the global evolution function for IIS requires only that the components not mentioned in each of the above definitions execute their respective \(\epsilon \) actions. For example, because we provide separate actions for every payment configuration, there is no need to enforce any additional conditions at the global level.
In the model we assume the following set of propositional variables: \({\mathcal{PV }}=\{ odd, paid_1, \ldots , paid_n \}\) with the following interpretation:

\((M,g)\models odd\) if \(l_{Counter}(g)= odd\),

\((M,g)\models paid_i\) if \(l_{Oracle_i}(g)= paid\), for all \(1{\,\leqslant \,}i {\,\leqslant \,}n\).
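The dining cryptographers round as modelled above, as an added example that is not the paper's code: it simulates the coins, the \(seeD/seeE\) and \(sayD/sayE\) transitions of each \(C_i\) (using the neighbour function \(i^+\)) and the \(Counter\), and checks exhaustively the property behind the propositions \(odd\) and \(paid_i\). Function names and the 'h'/'t' coin encoding are this example's own.

```python
from itertools import product

# Added example, not the paper's code: a direct simulation of the dining
# cryptographers protocol as modelled above (n cryptographers, n coins, the
# Counter agent). The rules follow the local evolution functions for C_i.

def right(i, n):
    """The helper i^+ from the text: right-hand neighbour of cryptographer i (1-based)."""
    return i + 1 if i < n else 1

def see(coins, i):
    """Local state of C_i after looking at Coin_i and Coin_{i^+}:
    'seeE' if both show the same side, 'seeD' otherwise."""
    n = len(coins)
    return 'seeE' if coins[i - 1] == coins[right(i, n) - 1] else 'seeD'

def utter(seen, paid):
    """Transitions from seeD/seeE to sayD/sayE: the payer announces the
    opposite of what she sees, everybody else announces what she sees."""
    if paid:
        return 'sayD' if seen == 'seeE' else 'sayE'
    return 'sayD' if seen == 'seeD' else 'sayE'

def run_protocol(coins, payer):
    """One round. coins: tuple of 'h'/'t', one per cryptographer (Coin_i shows
    coins[i-1]); payer: 0 for pay_0 (nobody pays) or i for pay_i.
    Returns (counter_state, utterances) with counter_state 'odd' or 'even'."""
    n = len(coins)
    says = [utter(see(coins, i), payer == i) for i in range(1, n + 1)]
    n_different = sum(1 for s in says if s == 'sayD')
    return ('odd' if n_different % 2 == 1 else 'even'), says

def check_all(n):
    """Exhaustive check, over every coin configuration and every payer choice
    pay_0 .. pay_n, of the property behind the propositions odd and paid_i:
    the Counter ends in 'odd' iff some cryptographer paid.
    Returns the number of configurations checked, or 0 if one violates it."""
    checked = 0
    for coins in product('ht', repeat=n):
        for payer in range(n + 1):
            state, _ = run_protocol(coins, payer)
            if (state == 'odd') != (payer != 0):
                return 0
            checked += 1
    return checked

def utterance_sets(n, payer):
    """All utterance vectors a given payer choice can produce over all coin
    configurations. Any two paying cryptographers yield the same set (every
    odd-parity vector), so the announcements alone do not reveal who paid."""
    return frozenset(tuple(run_protocol(coins, payer)[1])
                     for coins in product('ht', repeat=n))

if __name__ == '__main__':
    print(check_all(3), run_protocol(('h', 't', 'h'), 2))
```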
LTLK and its two subsets: ELTLK and LTL
Combinations of linear time with knowledge have long been used in the analysis of temporal epistemic properties of multiagent systems [16]. We now recall the basic definitions and adapt them to our purposes when needed.
Syntax
Let \(\mathcal{PV }\) be a set of propositional variables to be interpreted over the global states of a system, \(p \in \mathcal{PV }\), and \({\varGamma } \subseteq \mathcal{A }\). The LTLK formulae in the negation normal form are given by the following grammar:
The temporal modalities \(\mathrm{U}\) and \(\mathrm{R}\) are named as usual until and release, respectively, \(\mathrm{X}\) is the next step modality. The derived basic temporal modalities are defined as follows: \(\mathrm{F}\varphi {\stackrel{def}{=}} {{true}}\mathrm{U}\varphi \) and \(\mathrm{G}\varphi {\stackrel{def}{=}} {false}\mathrm{R}\varphi \).
The epistemic operator \(K_{{ c}}\varphi \) represents “agent \({{ c}}\) knows \(\varphi \)” while the operator \({\overline{\mathrm{{K}}}}_{{ c}} \varphi \) is the corresponding dual one representing “agent \({{ c}}\) considers \(\varphi \) possible”. The epistemic operators \(\mathrm{{D}}_\varGamma , \mathrm{E}_\varGamma ,\) and \(\mathrm{{C}}_\varGamma \) represent distributed knowledge in the group \(\varGamma \), “everyone in \(\varGamma \) knows”, and common knowledge among agents in \(\varGamma \), respectively. The epistemic operator \({\overline{\mathrm{{D}}}}_\varGamma ,{\overline{\mathrm{E}}}_\varGamma ,\) and \({\overline{\mathrm{{C}}}}_\varGamma \) are the corresponding dual ones.
Note that LTL is the sublogic of LTLK which consists only of the formulae built without the epistemic operators, i.e., LTL formulae are defined by the following grammar:
ELTLK is the existential fragment of LTLK, defined by the following grammar:
Observe that we assume that the LTLK (and so LTL and ELTLK) formulae are given in the negation normal form (NNF), in which the negation can be only applied to propositional variables.
Semantics
Let \(M=(G,\iota , T, \{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }}, \mathcal{V })\) be a model, and \(\rho \) be a path or run. By \(\rho (i)\) we denote the \(i\)th state of \(\rho \), and by \(\rho [m]\) we denote the path or run \(\rho \) with a designated formula evaluation position \(m\), where \(m \unlhd _\rho length(\rho )\). Further, let \(\varGamma \subseteq \mathcal{A }\). We use the following standard relations to give semantics to the “everyone knows”, “common knowledge”, and “distributed knowledge” modalities: \(\sim ^E_\varGamma = \bigcup _{{{ c}} \in \varGamma }\sim _{{ c}},\,\sim ^C_\varGamma \) is the transitive closure of \(\sim ^E_\varGamma \), whereas \(\sim ^D_\varGamma = \bigcap _{{{ c}} \in \varGamma }\sim _{{ c}}\).
We say that an LTLK formula \(\varphi \) is true along \(\rho \) (in symbols \(M,\rho \models \varphi \)) iff \(M, \rho [0] \models \varphi \), where
Let \(g\) be a global state of \(M\) and \(\varphi \) an LTLK formula. We assume the following notations:

\(M,g \models \varphi \) iff \(M,\rho \models \varphi \) for all the runs \(\rho \in \varPi ^\omega (g)\).

\(M \models \varphi \) iff \(M,\iota \models \varphi \).

\(M,g \models ^\exists \varphi \) iff \(M,\rho \models \varphi \) for some path or run \(\rho \in \varPi (g)\).

\(Props(\varphi )\) is the set of the propositional variables appearing in \(\varphi \).
Let \(m\) be a formula evaluation position, and \(p,q \in \mathcal{PV }\). An illustration of the semantics is shown in Figs. 4, 5, 6.
Given the above, we say that:

the LTLK formula \(\varphi \) holds in the model \(M\) (written \(M \models \varphi \)) iff \(M,\rho \models \varphi \) for all runs \(\rho \in \varPi ^\omega (\iota )\).

the ELTLK formula \(\varphi \) holds in the model \(M\) (written \(M \models ^{\exists } \varphi \)) iff \(M,\rho \models \varphi \) for some path or run \(\rho \in \varPi (\iota )\).
Determining whether an LTLK formula \(\varphi \) is existentially (resp. universally) valid in a model \(M\) is called an existential (resp. universal) model checking problem. In other words, the universal model checking problem asks whether \(M \models \varphi \) and the existential model checking problem asks whether \(M \models ^{\exists } \varphi \).
In order to solve the universal model checking problem, one can negate the formula and show that the existential model checking problem for the negated formula has no solution. Intuitively, we are trying to find a counterexample, and if we do not succeed, then the formula is universally valid. Now, since bounded model checking is designed for finding a solution to an existential model checking problem, in the paper we only consider the properties expressible in ELTLK. This is because finding a counterexample, for example, to \(M\models \mathrm{G}\mathrm{{K}}_{{ c}} p\) corresponds to the question whether there exists a witness to \(M\models ^\exists \mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\lnot p\).
Our semantics meets two important properties. Firstly, for LTLK the definition of validity in a model \(M\) uses runs only. Secondly, if we replace each \(\varPi \) with \(\varPi ^\omega \), the semantics does not change as our models have total transition relations (each path is a prefix of some run). The semantics applied to submodels of \(M\) does not have the above property, but it preserves ELTLK over \(M\), which is shown in Lemma 1. Moreover, note that in the above semantics while we define the until operator, \(\rho \) could be an arbitrary path or run (i.e., \(\rho \in \varPi \)). However, while we define the release operator, we insist on \(\rho \) to be a run that starts in the initial state on the part of the definition that corresponds to the globally operator.
Comments on IS and IIS
There is a variety of models of multi-agent systems. A fundamental dimension along which these models differ is the degree to which the activity of agents is synchronised. At one end of the spectrum is the synchronous model, in which the acting of agents proceeds in a sequence of rounds. In each round, an agent performs an action that affects the other agents, is affected by the actions executed by the other agents in that round, and changes his/her state. All agents perform actions at exactly the same time. At the other end is the asynchronous model, in which there is no bound on the amount of time that can elapse between agents’ actions, and there is no bound on the time it can take for an agent to act. Between these extremes there are the semi-synchronous models, in which the times of agents’ actions can vary, but are bounded between constant upper and lower bounds.
Now, observe that the agents over the interpreted systems semantics perform a joint action at a given time in a global state, which means that we assume the synchronous semantics of interpreted systems. Next, in the interleaved interpreted systems only one local or shared action may be performed by agents at a given time in a global state. This means that the interleaved interpreted systems define the asynchronous semantics.
Systems can be modelled using both IIS and IS. The idea is not to convert an IS into IIS, but rather using both the representations, which are independently defined starting from a description of a system. However, for many systems an IIS model is a submodel of the corresponding IS model, (i.e., the set of states of the IIS model is a subset of the set of states of the corresponding IS model and the transition relation of an IIS model is a subset of the transition relation of the corresponding IS model), and then we can discuss the complexity of converting an IS encoding into an IIS one. In such a case, from the definitions of IS and IIS it follows that each computation of the Kripke model generated by IIS is also a valid computation of the Kripke model generated by IS. Thus, if an ELTLK formula is valid in the model generated by IIS, then this formula is also valid in the model generated by IS. However, the converse of the implication does not hold. Further, if we have a propositional formula \(\varphi \) that encodes the transition relation of the Kripke model generated by an IS such that the null action is enabled at each local state, then we can convert it to the formula \(\varphi \wedge \varphi '\) that encodes the transition relation of the Kripke model generated by IIS and the length of \(\varphi '\) is \(O(n\cdot log(n))\), where \(n\) is the number of the agents. The formula \(\varphi '\) forces the agents to work in an asynchronous way.
Bounded model checking
The main idea of SAT-based BMC methods consists in translating the existential model checking problem [12, 48] for a modal (e.g., temporal, epistemic, deontic) logic to the propositional satisfiability problem, i.e., it consists in representing a counterexample trace of bounded length by a propositional formula and checking the resulting propositional formula with a specialised SAT-solver. If the formula in question is satisfiable, then a satisfying assignment returned by the SAT-solver can be converted into a concrete counterexample that shows that the property is violated. Otherwise, the bound is increased and the process repeated.
Let \(M\) be a model for a system \(S,\,\varphi \) an existential formula describing a property \(P\) to be tested, and \(k \in \mathrm{I\!N}\) a bound. Moreover, let \(tr_k(\varphi )\) be a propositional formula that is satisfiable if and only if the formula \(\varphi \) holds in the model \(M\). Algorithm 1 shows the general SAT-based BMC approach. In Algorithm 1 we use the procedure \(checkSat(\gamma )\) that for any given propositional formula \(\gamma \) returns one of the three possible values: \(\mathsf SAT ,\,\mathsf UNSAT \), or \(\mathsf UNKNOWN \). The meanings of the values \(\mathsf SAT \) and \(\mathsf UNSAT \) are self-evident. The value \(\mathsf UNKNOWN \) is returned either if the procedure \(checkSat\) is not able to decide the satisfiability of its argument within some preset timeout period, or if it has to terminate due to exhaustion of the available memory.
The crux of BDD-based BMC is to interleave the verification with the construction of the reachable states. Algorithm 2 illustrates the general idea of the BDD-based bounded model checking method. With \(\mathcal{M }_0\) we denote the submodel that consists of the initial state of \(M\) only, and \({\mathcal{M }}_{\leadsto }\) denotes the model that extends the model \(\mathcal{M }\) with all the immediate successors of the states of \(\mathcal M \). At each step of the state space construction we obtain a submodel (denoted with \(\mathcal M \)) of the analysed model \(M\), which is used to verify (line 4) the existential formula. These steps are applied repeatedly until the fixed point of the state space construction is reached, i.e., \(\mathcal{M } = \mathcal{M }'\), or a witness for the verified formula is found. The number of iterations needed for the algorithm to complete is counted using the variable \(k\), which is later used in the evaluation of the approach.
BDD-based Approach
In this section we show how to perform bounded model checking for ELTLK using BDDs [12] by combining the standard approach for ELTL [11] with the method for the epistemic operators [43] similarly to the solution for \(\mathrm{CTL}^{*}\) of [12].
Definition 1
Let \(\mathcal{PV }\) be a set of propositions. For an ELTLK formula \(\varphi \) we define inductively the number \(\gamma {(\varphi )}\) of nested epistemic operators in the formula:

if \(\varphi = p\), where \(p \in \mathcal{PV }\), then \(\gamma {(\varphi )} = 0\),

if \(\varphi = \odot \varphi '\) and \(\odot \in \{ \lnot , \mathrm{X}\}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')}\),

if \(\varphi = \varphi ' \odot \varphi ''\) and \(\odot \in \{ \wedge , \vee , \mathrm{U}, \mathrm{R}\}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')} + \gamma {(\varphi '')}\),

if \(\varphi = \mathrm{Y}\varphi '\) and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), then \(\gamma {(\varphi )} = \gamma {(\varphi ')} + 1\).
Definition 2
Let \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\). If \(\varphi = \mathrm{Y}\psi \) is an ELTLK formula, by \(sub(\varphi )\) we denote the immediate subformula \(\psi \) of the epistemic operator \(\mathrm{Y}\). Moreover, for an arbitrary ELTLK formula \(\varphi \) we define inductively the set \({\mathcal{Y }}(\varphi )\) of its subformulae in the form \(\mathrm{Y}\psi \):

if \(\varphi = p\), where \(p \in \mathcal{PV }\), then \({\mathcal{Y }}(\varphi ) = \emptyset \),

if \(\varphi = \odot \varphi '\) and \(\odot \in \{ \lnot , \mathrm{X}\}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ')\),

if \(\varphi = \varphi ' \odot \varphi ''\) and \(\odot \in \{ \wedge , \vee , \mathrm{U}, \mathrm{R}\}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ') \cup {\mathcal{Y }}(\varphi '')\),

if \(\varphi = \mathrm{Y}\varphi '\) and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), then \({\mathcal{Y }}(\varphi ) = {\mathcal{Y }}(\varphi ') \cup \{\varphi \}\).
Definition 3
Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) and \(U\subseteq G\) with \(\iota \in U\). The submodel generated by \(U\) is a tuple \(M{_U} = (U, \iota , T', \{\sim '_{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V }')\), where: \(T' = T \cap U^2,\,\sim _{ c}' =\ \sim _{ c}\cap ~U^2\) for each \({ c}\in \mathcal{A }\), and \(\mathcal{V }' = {\mathcal{V }} \cap U^2\).
For ELTLK formulae \(\varphi , \psi \), and \(\psi '\), by \(\varphi {[\psi \leftarrow \psi ']}\) we denote the formula \(\varphi \) in which every occurrence of \(\psi \) is replaced with \(\psi '\). Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, then by \({\mathcal{V }}_M\) we understand the valuation function \(\mathcal{V }\) of the model \(M\), and by \(G_R \subseteq G\) the set of its reachable states. Moreover, we define \([\![{M,\varphi }]\!] = \{ g\in G_R \mid M,g\models ^\exists \varphi \}\).
Reduction of ELTLK to ELTL
Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, and \(\varphi \) an ELTLK formula. Here, we describe an algorithm for computing the set \([\![{M,\varphi }]\!]\). The algorithm allows for combining any two methods for computing \([\![{M,\varphi }]\!]\) for each \(\varphi \) being an ELTL formula, or in the form \(\mathrm{Y}\!p\), where \(p \in \mathcal{PV }\), and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\) (we use the algorithms from [11] and [43], respectively).
Algorithm 3 is used to compute the set \([\![{M,\varphi }]\!]\). In order to obtain this set, we construct a new model \(M'\) together with an ELTL formula \(\varphi '\), as described in Algorithm 3, and compute the set \([\![{M', \varphi '}]\!]\), which is equal to \([\![{M,\varphi }]\!]\). Initially \(\varphi '\) equals \(\varphi \), which is an ELTLK formula, and we process the formula in stages to reduce it to an ELTL formula by replacing all its subformulae containing epistemic operators with atomic propositions. We begin by choosing some epistemic subformula \(\psi \) of \(\varphi '\) that contains exactly one epistemic operator, and process it in two stages. First, we modify the valuation function of \(M'\) such that every state initialising some path or run along which \(sub(\psi )\) holds is labelled with the new atomic proposition \(p_{sub(\psi )}\), and we replace every occurrence of \(sub(\psi )\) in \(\psi \) with the variable \(p_{sub(\psi )}\). In the second stage, we deal with the epistemic operator, which now has only an atomic proposition in its scope. By modifying the valuation function of \(M'\) we label every state initialising some path or run along which the modified simple epistemic formula \(\psi \) holds with a new variable \(p_{\psi }\). Similarly to the previous stage, we replace every occurrence of \(\psi \) in \(\varphi '\) with \(p_{\psi }\). In the subsequent iterations, we process every remaining epistemic subformula of \(\varphi '\) in the same way until there are no more epistemic operators in \(\varphi '\), i.e., until we obtain an ELTL formula \(\varphi '\) and the model \(M'\) with the appropriately modified valuation function. Finally, we compute the set of all reachable states of \(M'\) that initialise at least one path or run along which \(\varphi '\) holds (line 13).
The correctness of the substitution used in Algorithm 3 is stated in the following lemma:
Lemma 1
Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model over \(\mathcal{PV },\,\varphi \) an ELTLK formula, and \(g\in G\) some state of \(M\). We define \(M' = (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V }')\) over \({\mathcal{PV }}' = {\mathcal{PV }} \cup \{ q \}\), where \(q\) is an atomic proposition such that \(q\not \in \mathcal{PV }\), and \(\mathcal{V }'\) is defined as follows:

\(p \in {\mathcal{V }}(g')\) iff \(p \in {\mathcal{V }}'(g')\) for all \(p\in \mathcal{PV }\) and \(g'\in G\),

\(M,g'\models ^\exists \varphi \) iff \(q\in {\mathcal{V }}'(g')\) for all \(g'\in G\).
Then, \(M',g\models ^\exists q\) iff \(M,g\models ^\exists \varphi \).
Proof
(Sketch) The “\(\Rightarrow \)” case follows directly from the definition of \(\mathcal{V }'\). The “\(\Leftarrow \)” case can be demonstrated by induction on the length of the formula \(\varphi \). The base case follows directly for the atomic propositions and their negations. In the inductive step we assume that the lemma holds for all the proper subformulae of \(\varphi \), and use the definition of \(\mathcal{V }'\) and the fact that \(M'\) contains exactly the same paths as \(M\).
BMC Algorithm
To perform bounded model checking of an ELTLK formula, we use Algorithm 4. Given a model \(M\) and an ELTLK formula \(\varphi \), the algorithm checks if there exists a path or run initialised in \(\iota \) on which \(\varphi \) holds, i.e., if \(M,\iota \models ^\exists \varphi \). For any \(X~\subseteq G\) by \({X}_{\leadsto } \stackrel{def}{=}\{ g' \in G\mid (\exists {g\in X}) (\exists {\rho \in \varPi (g)}) ~g' = \rho (1) \}\) we mean the set of the immediate successors of all the states in \(X\). The algorithm starts with the set \({Reach}\) of reachable states that initially contains only the state \(\iota \). With each iteration the verified formula is checked (line 4), and the set \({Reach}\) is extended with new states (line 8). The algorithm operates on submodels \(M_{{Reach}}\) generated by the set \({Reach}\) to check if the initial state \(\iota \) is in the set of states from which there is a path or run on which \(\varphi \) holds. The loop terminates if there is such a path or run in the obtained submodel, and the algorithm returns \(\mathsf TRUE \) (line 4). The search continues until no new states can be reached from the states in \({Reach}\). When we obtain the set of reachable states, and a path or run from the initial state on which \(\varphi \) holds could not be found in any of the obtained submodels, the algorithm terminates with \(\mathsf FALSE \).
The correctness of the results obtained by the bounded model checking algorithm is formulated by the following theorem:
Theorem 1
Let \(M= (G, \iota , T, \{\sim _{ c}\}_{{ c}\in \mathcal{A }}, \mathcal{V })\) be a model, \(\varPi \) a set of paths and runs of \(M,\,\varphi \) an ELTLK formula, and \(\rho \in \varPi \) a path or run with an evaluation position \(m\) such that \(m \unlhd _\rho length(\rho )\). Then, \(M,\rho [m] \models \varphi \) iff there exists \(G' \subseteq G\) such that \(\iota \in G'\), and \(M{_{G'}},\rho [m] \models \varphi \).
Proof
“\(\Rightarrow \)” This direction is obvious, as we simply take \(G' = G\).
“\(\Leftarrow \)” This direction is more involved. The proof is by induction on the length of the formula \(\varphi \). The base case is straightforward, as the statement follows directly for the propositional variables and their negations. Assume that the statement holds for all the proper subformulae of \(\varphi \). Let \(G' \subseteq G\) be a set of states such that \(M{_{G'}}\) contains \(\rho \), and (*) let \(m \in \mathrm{I\!N}\) be an evaluation position such that \(M{_{G'}}, \rho [m] \models \varphi \).

1.
Let \(\varphi = \psi _1 \vee \psi _2\). By the semantics and the assumption (*), \(M{_{G'}},\rho [m] \models \psi _1\) or \(M{_{G'}},\rho [m] \models \psi _2\). Using the induction hypothesis and the definition of submodel (Definition 3), \(\rho \) exists also in the model \(M\), and \(M,\rho [m] \models \psi _1\) or \(M,\rho [m]\models \psi _2\), thus \(M,\rho [m] \models \psi _1 \vee \psi _2\).

2.
Let \(\varphi = \psi _1 \wedge \psi _2\). By the semantics and the assumption (*), \(M{_{G'}},\rho [m] \models \psi _1\) and \(M{_{G'}},\rho [m] \models \psi _2\). Using the induction hypothesis and the definition of submodel, \(\rho \) exists also in the model \(M\). Therefore, \(M,\rho [m] \models \psi _1\) and \(M,\rho [m]\models \psi _2\), thus \(M,\rho [m] \models \psi _1 \wedge \psi _2\).

3.
Let \(\varphi = \mathrm{X}\psi _1\). By the semantics and the assumption (*), \(length(\rho ) > m\), and \(M{_{G'}},\rho [m+1] \models \psi _1\). Using the induction hypothesis and the definition of submodel, we get that \(\rho \) exists also in \(M\), and \(M,\rho [m+1] \models \psi _1\), therefore \(M, \rho [m] \models \mathrm{X}\psi _1\).

4.
Let \(\varphi = \psi _1 \mathrm{U}\psi _2\). By the semantics and the assumption (*), there exists \(k {\,\geqslant \,}m\), such that \(M{_{G'}},\rho [k] \models \psi _2\), and \(M{_{G'}},\rho [j] \models \psi _1\), for all \(m {\,\leqslant \,}j < k\). Using the induction hypothesis and the definition of submodel, we get that \(\rho \) exists also in \(M\). Therefore, from \(M, \rho [k] \models \psi _2\), and \(M, \rho [j] \models \psi _1\) for all \(m {\,\leqslant \,}j < k\), it follows that \(M,\rho [m] \models \psi _1 \mathrm{U}\psi _2\).

5.
Let \(\varphi = \psi _1 \mathrm{R}\psi _2\). By the semantics and the assumption (*) we have one or both of the following cases:

(a)
\(\rho \) is a path of \(M{_{G'}}\), and \(M{_{G'}}, \rho [k] \models \psi _2\) for all \(k {\,\geqslant \,}m\), then from the definition of submodel, \(\rho \) exists also in \(M\), and \(\rho \in \varPi ^\omega \). Using the induction hypothesis, we have that \(M, \rho [k] \models \psi _2\) for all \(k {\,\geqslant \,}m\). Therefore, it follows that \(M, \rho [m] \models \psi _1 \mathrm{R}\psi _2\).

(b)
There exists \(k {\,\geqslant \,}m\) such that \(M{_{G'}}, \rho [k] \models \psi _1\), and \(M{_{G'}},\rho [j] \models \psi _2\) for all \(m {\,\leqslant \,}j {\,\leqslant \,}k\). From the definition of submodel, \(\rho \) also exists in \(M\), and using the induction hypothesis we get that \(M, \rho [k] \models \psi _1\), and \(M, \rho [j] \models \psi _2\) for all \(m {\,\leqslant \,}j {\,\leqslant \,}k\). Thus, \(M,\rho [m] \models \psi _1 \mathrm{R}\psi _2\).

6.
Let \({ c}\in \mathcal{A }\) and \(\varphi = {\overline{\mathrm{{K}}}}_{ c}\psi _1\). By the semantics and the assumption (*), there exists such a path or run \(\rho '\) in \(M{_{G'}}\) that \(\rho '(k) \sim _{ c}\rho (m)\) for some \(k {\,\geqslant \,}0\), and \(M{_{G'}}, \rho '[k] \models \psi _1\). From the definition of submodel, \(\rho \) and \(\rho '\) also exist in \(M\). Using the induction hypothesis, we get that \(M, \rho '[k] \models \psi _1\) and \(\rho '(k) \sim _{ c}\rho (m)\). Thus, \(M, \rho [m] \models {\overline{\mathrm{{K}}}}_{ c}\psi _1\).

7.
Let \(\varGamma \subseteq \mathcal{A }\) and \(\varphi = \overline{\mathrm{Y}}_\varGamma \psi _1\), where \(\mathrm{Y}\in \{ \mathrm{{D}}, \mathrm{E}, \mathrm{{C}}\}\). By the semantics and the assumption (*), there exists such a path or run \(\rho '\) in \(M{_{G'}}\) that \(\rho '(k) \sim _\varGamma ^\mathrm{Y}\rho (m)\) for some \(k {\,\geqslant \,}0\), and \(M{_{G'}}, \rho '[k] \models \psi _1\). From the definition of submodel, \(\rho \) and \(\rho '\) also exist in \(M\). Using the induction hypothesis, we get that \(M, \rho '[k] \models \psi _1\) and \(\rho '(k) \sim _\varGamma ^\mathrm{Y}\rho (m)\). Thus, \(M, \rho [m] \models \overline{\mathrm{Y}}_\varGamma \psi _1\).
Model Checking ELTL
In Algorithm 3, to compute the sets of states in which ELTL formulae hold, it is possible to use any method that computes the set \([\![{M,\varphi }]\!]\) for \(\varphi \) being an ELTL formula. The method described in [11] uses a tableau construction for which many improvements have been proposed, e.g., [15, 18, 19, 45], but for the purpose of implementing a complete solution for the BDD-based bounded model checking of ELTLK, we use the basic symbolic model checking method of [11]. This method is based on checking the non-emptiness of Büchi automata. Given a model \(M\) and an ELTL formula \(\varphi \), we begin with constructing the tableau for \(\varphi \) (as described in [11]), which is then combined with \(M\) to obtain their product; the product contains those runs of \(M\) along which \(\varphi \) potentially holds. Next, the product is verified in terms of CTL model checking of the formula \(\mathrm{E}\mathrm{G}{true}\) under fairness constraints. Those constraints, corresponding to sets of states, allow one to choose only the runs of the model along which at least one state from each set representing a fairness constraint appears in a cycle. In the case of ELTL model checking, fairness guarantees that \(\varphi \mathrm{U}\psi \) really holds, i.e., it eliminates the runs where \(\varphi \) holds continuously but \(\psi \) never holds. Finally, we choose only those reachable states of the product that belong to some particular set of states computed for the formula. The corresponding states of the verified system that are in this set comprise the set \([\![{M, \varphi }]\!]\), i.e., the reachable states where the verified formula holds. For more details, we refer the reader to [11].
The method described above has some limitations when used for bounded model checking, where it is preferable to detect counterexamples using not only the runs but also the paths of the submodel. As totality of the transition relation of the verified model is assumed, counterexamples are found only along the runs of the model. However, the method remains correct even if only the final submodel has a total transition relation: in the worst case the detection of the counterexample is delayed to the last iteration, i.e., to the point when all the reachable states have been computed. Nonetheless, this should not keep us from assessing the potential efficiency of our approach.
Model checking epistemic modalities
In the case of formulae of the form \(\mathrm{Y}p\), where \(p \in \mathcal{PV }\), and \(\mathrm{Y}\in \{ {\overline{\mathrm{{K}}}}_{ c}, {\overline{\mathrm{E}}}_\varGamma , {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{{C}}}}_\varGamma \}\), for implementation purposes we use the algorithms described in [43]. The procedures follow directly from the semantics of ELTLK. The algorithm for \({\overline{\mathrm{{C}}}}_\varGamma \) involves a fixpoint computation, whereas for the remaining operators the algorithms are based on simple non-iterative computations.
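An added example, not the paper's code, serving both the reduction of Algorithm 3 (Definitions 1 and 2, the substitution \(\varphi[\psi \leftarrow \psi']\), and the two labelling stages per epistemic subformula) and the epistemic labelling for formulae \(\mathrm{Y}p\) just described (union for \(\sim^E_\varGamma\), intersection for \(\sim^D_\varGamma\), a transitive-closure fixpoint for \(\sim^C_\varGamma\)). It assumes that the argument of every epistemic operator is propositional, so the states initialising a path along which \(sub(\psi)\) holds are just the states where it holds; the tuple encoding of formulae and the four-state model are constructed for this example.

```python
# Added example, not the paper's code. A formula is a string (propositional
# variable) or a tuple ('not', a), ('and', a, b), ('or', a, b), ('X', a),
# ('U', a, b), ('R', a, b), ('K', c, a), ('E', G, a), ('D', G, a), ('C', G, a),
# the last four standing for the dual operators K̄_c, Ē_Γ, D̄_Γ, C̄_Γ.
# Assumption: epistemic arguments are propositional (no temporal operators).

EPI = {'K', 'E', 'D', 'C'}

def gamma(phi):
    """Definition 1: the number of nested epistemic operators in phi."""
    if isinstance(phi, str):
        return 0
    if phi[0] in EPI:
        return gamma(phi[2]) + 1
    return sum(gamma(x) for x in phi[1:])

def ysub(phi):
    """Definition 2: the subformulae of the form Y psi, innermost first."""
    if isinstance(phi, str):
        return []
    if phi[0] in EPI:
        return ysub(phi[2]) + [phi]
    return sum((ysub(x) for x in phi[1:]), [])

def replace(phi, psi, new):
    """phi[psi <- new]: every occurrence of psi in phi is replaced with new."""
    if phi == psi:
        return new
    if isinstance(phi, str):
        return phi
    if phi[0] in EPI:
        return (phi[0], phi[1], replace(phi[2], psi, new))
    return (phi[0],) + tuple(replace(x, psi, new) for x in phi[1:])

def reachable(iota, T):
    """G_R: the states reachable from iota through the transition relation T."""
    seen, todo = {iota}, [iota]
    while todo:
        g = todo.pop()
        for a, b in T:
            if a == g and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def relation(M, Y, grp):
    """~_c for K; ~^E_Γ (union), ~^D_Γ (intersection) and ~^C_Γ (transitive
    closure of ~^E_Γ, computed as a fixpoint) for the group operators."""
    if Y == 'K':
        return M['sim'][grp]
    rels = [M['sim'][c] for c in grp]
    rel = set.intersection(*rels) if Y == 'D' else set.union(*rels)
    while Y == 'C':
        step = {(a, d) for a, b in rel for c, d in rel if b == c}
        if step <= rel:
            break
        rel |= step
    return rel

def states_Yp(M, Y, grp, p):
    """[[M, Y p]]: reachable g with some reachable h such that g ~ h and p in V(h)."""
    rel = relation(M, Y, grp)
    return {g for g in M['GR']
            if any((g, h) in rel and p in M['V'][h] for h in M['GR'])}

def holds_prop(M, phi, g):
    """Propositional evaluation at state g (no temporal operators allowed)."""
    if isinstance(phi, str):
        return phi in M['V'][g]
    if phi[0] == 'not':
        return not holds_prop(M, phi[1], g)
    if phi[0] in ('and', 'or'):
        l, r = (holds_prop(M, x, g) for x in phi[1:])
        return (l and r) if phi[0] == 'and' else (l or r)
    raise ValueError('needs the ELTL checker of [11]: %r' % (phi,))

def reduce_eltlk(M, phi):
    """Algorithm 3 without its final ELTL check (line 13): returns the ELTL
    formula phi' and the extended valuation of M' (M itself is left unchanged)."""
    M = dict(M, V={g: set(ps) for g, ps in M['V'].items()})
    fresh = iter('q%d' % i for i in range(1000))
    while gamma(phi) > 0:
        psi = next(y for y in ysub(phi) if gamma(y) == 1)   # one epistemic op
        p_in = next(fresh)        # stage 1: label states where sub(psi) holds
        for g in M['GR']:
            if holds_prop(M, psi[2], g):
                M['V'][g].add(p_in)
        p_out = next(fresh)       # stage 2: label states where Y p_in holds
        for g in states_Yp(M, psi[0], psi[1], p_in):
            M['V'][g].add(p_out)
        phi = replace(phi, psi, p_out)    # replace psi in phi' with p_psi
    return phi, M['V']

# Constructed sample (not from the paper): agent 'a' cannot tell state 1 from 2,
# agent 'b' cannot tell 0 from 1 nor 2 from 3; p holds in states 1 and 3.
T = {(0, 1), (0, 2), (1, 3), (2, 3), (3, 3)}
CLASSES = {'a': [{0}, {1, 2}, {3}], 'b': [{0, 1}, {2, 3}]}
M = {'GR': reachable(0, T),
     'sim': {c: {(g, h) for cl in cls for g in cl for h in cl} for c, cls in CLASSES.items()},
     'V': {0: set(), 1: {'p'}, 2: set(), 3: {'p'}}}
PHI = ('U', ('not', 'p'), ('K', 'a', ('and', 'p', ('K', 'b', 'p'))))
```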
SAT-based Approach
In this section we present two SAT-based BMC methods for ELTLK. The first one is defined for interleaved interpreted systems while the second one is defined for interpreted systems. The main difference between the two methods is in the propositional encoding of the transition relation of the model under consideration.
In SAT-based BMC we construct a propositional formula that is satisfiable if and only if there exists a finite set of paths of the underlying model that is a solution to the existential model checking problem. In order to construct the propositional formula, first we need to define the bounded semantics for the underlying logic (i.e., in our case for ELTLK), then to encode the semantics by means of a propositional formula, and finally to represent a part of the model by a propositional formula.
The bounded semantics and the encoding for ELTLK presented in this section are based on the semantics and encoding of [55] for the temporal fragment and on the semantics and encoding of [52] for the epistemic fragment of ELTLK. This bounded semantics differs from the bounded semantics for ELTLK defined in [42] in the definition of the \(k\)-path, which allows one to replace two separate bounded semantics, one for \(k\)-paths that are loops and one for \(k\)-paths that need not be loops, with a single bounded semantics that is simpler, more elegant, and results in a more efficient translation of the bounded model checking problem to the SAT problem.
The propositional formula that encodes the bounded semantics for ELTLK is independent of the type of the considered model, i.e., the encoding is the same for both the interpreted systems and the interleaved interpreted systems. This encoding differs from the one defined in [42] in the definiion of the looping condition, and in using an appropriately chosen subsets of symbolic paths that are needed to encode subformulae of a formula in question.
We start with presenting the definition of the bounded semantics for ELTLK and showing that the bounded and unbounded semantics are equivalent. Then, we show a translation of the existential model checking problem for ELTLK to the propositional satisfiability problem. Finally, we prove correctness and completeness of the translation to SAT.
Bounded semantics for ELTLK
Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model defined for either IIS or IS, and \(k \in \mathrm{I\!N}\) a bound. A \(k\)-path is a pair \((\rho , l)\), also denoted by \(\rho _l\), where \(0 {\,\leqslant \,}l {\,\leqslant \,}k\), and \(\rho \) is a finite sequence \( \rho = (g_{0}, \ldots , g_{k})\) of states such that \((g_{j}, g_{j+1}) \in T\) for each \(0{\,\leqslant \,}j < k \). A \(k\)-path \(\rho _l\) is a loop if \(l < k\) and \(\rho (k) = \rho (l)\). By \({\varPi _k}(g)\) we denote the set of all the \(k\)-paths \(\rho _l\) with \(\rho (0) = g\). If a \(k\)-path \(\rho _l\) is a loop, then it represents the run of the form \(uv^{\omega }\), where \(u=(\rho (0),\ldots ,\rho (l))\) and \(v=(\rho (l+1),\ldots ,\rho (k))\). We denote this unique run by \(\varrho (\rho _l)\).
To illustrate the notions of \(k\)-paths and loops, consider the model shown in Fig. 7. Observe that the pairs \(\rho _0 = ((g_0, g_1, g_0, g_2, g_0), 0),\,\rho _1 = ((g_0, g_1, g_0, g_2, g_0), 1),\,\rho _2 = ((g_0, g_1, g_0, g_2, g_0), 2),\,\rho _3 = ((g_0, g_1, g_0, g_2, g_0), 3),\,\rho _4 = ((g_0, g_1, g_0, g_2, g_0), 4)\) are \(k\)-paths for \(k = 4\). Moreover, only \(\rho _0\) and \(\rho _2\) are loops. Observe also that the \(k\)-path \(\rho _2\) represents the following run: \((g_0, g_1)(g_0, g_2)^{\omega } = (g_0, g_1, g_0, g_2, g_0, g_2, g_0, g_2,\ldots )\).
Since the definition of the semantics requires a satisfiability relation on suffixes of \(k\)-paths, we denote by \(\rho _l[m]\) the \(k\)-path \(\rho _l\) together with the designated starting point \(m\), where \(0 {\,\leqslant \,}m {\,\leqslant \,}k\).
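As an added illustration (my code, not part of the original paper), the following Python snippet reconstructs the three-state model behind Fig. 7 from the sample \(k\)-paths listed above (the transition relation is a constructed assumption), enumerates the \(k\)-paths from \(g_0\) for \(k = 4\), decides which of them are loops, and unrolls a looping \(k\)-path into a prefix of the run \(uv^{\omega}\).

```python
# Added example, not from the paper: k-paths, loops and the run u v^omega.
# The transition relation below is a constructed assumption recovered from the
# sample k-paths in the text (they only need g0->g1, g1->g0, g0->g2, g2->g0).
T = {("g0", "g1"), ("g1", "g0"), ("g0", "g2"), ("g2", "g0")}


def k_paths(T, g, k):
    """All k-paths (rho, l) with rho(0) = g: rho is a T-sequence of k+1 states
    and the index l ranges over 0..k (so every rho yields k+1 k-paths)."""
    seqs = [(g,)]
    for _ in range(k):
        seqs = [s + (h,) for s in seqs for (a, h) in sorted(T) if a == s[-1]]
    return [(rho, l) for rho in seqs for l in range(k + 1)]


def is_loop(kpath):
    """rho_l is a loop iff l < k and rho(k) = rho(l)."""
    rho, l = kpath
    k = len(rho) - 1
    return l < k and rho[k] == rho[l]


def unroll(kpath, n):
    """First n states of the run varrho(rho_l) = u v^omega represented by a
    looping k-path, with u = rho(0..l) and v = rho(l+1..k)."""
    rho, l = kpath
    if not is_loop(kpath):
        raise ValueError("only a looping k-path represents a unique run")
    u, v = list(rho[: l + 1]), list(rho[l + 1 :])
    run = u[:]
    while len(run) < n:          # v is non-empty because l < k
        run.extend(v)
    return run[:n]


if __name__ == "__main__":
    rho = ("g0", "g1", "g0", "g2", "g0")
    for l in range(5):
        print(f"rho_{l} is a loop: {is_loop((rho, l))}")
    print("prefix of varrho(rho_2):", unroll((rho, 2), 8))
```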
Definition 4
(Bounded semantics) Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model defined for either IIS or IS, \(k {\,\geqslant \,}0\) a bound, and \(\varphi \) an ELTLK formula. The formula \(\varphi \) is \(k\)-true along the \(k\)-path \(\rho _l\) (in symbols \(M,\rho _l \models _k \varphi \)) iff \(M, \rho _l[0] \models _k \varphi \), where
We use the following notation: \(M \models ^{\exists }_{k} \varphi \) iff \(M,\rho _l \models _k \varphi \) for some \(\rho _l \in {\varPi _k}(\iota )\). The SAT-based bounded model checking problem consists in finding out whether there exists \(k \in \mathrm{I\!N}\) such that \(M \models ^{\exists }_k \varphi \).
Let \(m\) be a formula evaluation position, \(k\) a bound, and \(p,q \in \mathcal{PV }\). An illustration of the bounded semantics is shown in Figs. 8, 9, 10, 11, 12.
Equivalence of the bounded and unbounded semantics
Now, we show that for some particular bound the bounded semantics is equivalent to the unbounded semantics.
Lemma 2
Let \(M\) be a model, \(\varphi \) an ELTLK formula, \(k>0\) a bound, \(\rho _l\) a \(k\)-path in \(M\), and \(0{\,\leqslant \,}m {\,\leqslant \,}k\). The following implication holds: \(M,\rho _l[m] \models _k \varphi \) implies
1. if \(\rho _l\) is not a loop, then \(M, \pi [m] \models \varphi \) for each run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \);
2. if \(\rho _l\) is a loop, then \(M, \varrho (\rho _l)[m] \models \varphi \).
Proof
(Induction on the length of \(\varphi \)) The lemma follows directly for the propositional variables and their negations. Consider \(\varphi \) to be of the following form:
1. Let \(\varphi =\psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\). By the induction hypothesis—see Lemma 2.1 of [55].
2. \(\varphi = {\overline{\mathrm{{K}}}}_{{ c}}\psi \). From \(M, \rho _l[m] \models _{k} \varphi \) it follows that \((\exists \rho '_{l'} \in {\varPi _k}(\iota ))(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})\,({M,\rho '_{l'}}[j] \models _k \psi \) and \(\rho (m) \sim _{{ c}} \rho '(j))\). Assume that both \(\rho _l\) and \(\rho '_{l'}\) are not loops. By the inductive hypothesis, for every run \(\pi '\) in \(M\) such that \(\pi '[..k] = \rho ',\,(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})(M,\pi '[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \pi '(j))\). Further, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \), we have that \(\pi (m) \sim _{{ c}} \rho '(j)\). Thus, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho ,\,M, \pi [m] \models \varphi \). Now assume that \(\rho '_{l'}\) is not a loop and \(\rho _l\) is a loop. By the inductive hypothesis, for every run \(\pi '\) in \(M\) such that \(\pi '[..k] = \rho ',\,(\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k}) (M,\pi '[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \pi '(j))\). Further, observe that \(\varrho (\rho _l)(m)=\rho (m)\), thus \(M, \varrho (\rho _l)[m] \models \varphi \). Now assume that both \(\rho _l\) and \(\rho '_{l'}\) are loops. By the inductive hypothesis, \((\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})\) \(({M,\varrho (\rho '_{l'})}[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \varrho (\rho '_{l'})(j))\). Further, observe that \(\varrho (\rho _l)(m)=\rho (m)\), thus \(M, \varrho (\rho _l)[m] \models \varphi \). Now assume that \(\rho '_{l'}\) is a loop, and \(\rho _l\) is not a loop. By the inductive hypothesis, \((\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})(M,\varrho (\rho '_{l'})[j] \models \psi \) and \(\rho (m) \sim _{{ c}} \varrho (\rho '_{l'})(j))\). Further, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho \), we have that \(\pi (m) \sim _{{ c}} \varrho (\rho '_{l'})(j)\). Thus, for every run \(\pi \) in \(M\) such that \(\pi [..k] = \rho ,\,M, \pi [m] \models \varphi \).
3. Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to case 2.
Lemma 3
(Theorem 3.1 of [5]) Let \(M\) be a model, \(\alpha \) an LTL formula, and \(\rho \) a run. Then, the following implication holds: \(M, \rho \models \alpha \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \alpha \) with \(\rho [..k] = \pi \).
Lemma 4
Let \(M\) be a model, \(\alpha \) an LTL formula, \(Y \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_{\varGamma }, {\overline{\mathrm{E}}}_{\varGamma }, {\overline{\mathrm{{C}}}}_{\varGamma }\}\), and \(\rho \) a run. Then, the following implication holds: \(M,\rho \models Y\alpha \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k Y\alpha \) with \(\rho [..k] = \pi \).
Proof
Let \(X^j\) denote the next-time operator applied \(j\) times, i.e., \(X^j = \underbrace{X\ldots X}_{j}\).
1. Let \(Y = {\overline{\mathrm{{K}}}}_{{ c}}\). Then \(M,\rho \models {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) iff \(M,\rho [0] \models {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) iff \((\exists \rho ' \in \varPi (\iota ))\) \((\exists j{\,\geqslant \,}0)[\rho '(j) \sim _{{ c}} \rho (0)\) and \(M,\rho '[j] \models \alpha ]\). Since \(\rho '(j)\) is reachable from the initial state of \(M\), the checking of \(M,\rho '[j] \models \alpha \) is equivalent to the checking of \(M,\rho '[0] \models \mathrm{X}^j\alpha \). Now since \(\mathrm{X}^j\alpha \) is a pure LTL formula, by Lemma 3 we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi '_l[0] \models _k \mathrm{X}^j\alpha \) with \(\rho '[..k] = \pi '\). This implies that \(M,\pi '_l[j] \models _k \alpha \) with \(\rho '[..k] = \pi '\), for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k\). Now, since \(\rho '(j) \sim _{{ c}} \rho (0)\), we have \(\pi '(j) \sim _{{ c}} \pi (0)\). Thus, by the bounded semantics we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k {\overline{\mathrm{{K}}}}_{{ c}}\alpha \) with \(\rho [..k] = \pi \).
2. Let \(Y = {\overline{\mathrm{{D}}}}_{\varGamma }\). Then \(M,\rho \models {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) iff \(M,\rho [0] \models {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) iff \((\exists \rho ' \in \varPi (\iota ))(\exists j{\,\geqslant \,}0)\) \([\rho '(j) \sim ^\mathrm{{D}}_\varGamma \rho (0)\) and \(M,\rho '[j] \models \alpha ]\). Since \(\rho '(j)\) is reachable from the initial state of \(M\), the checking of \(M,\rho '[j] \models \alpha \) is equivalent to the checking of \(M,\rho '[0] \models \mathrm{X}^j\alpha \). Now since \(\mathrm{X}^j\alpha \) is a pure LTL formula, by Lemma 3 we have that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi '_l[0] \models _k \mathrm{X}^j\alpha \) with \(\rho '[..k] = \pi '\). This implies that \(M,\pi '_l[j] \models _k \alpha \) with \(\rho '[..k] = \pi '\), for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k\). Now, since \(\rho '(j) \sim ^{\mathrm{{D}}}_{\varGamma } \rho (0)\), we have \(\pi '(j) \sim ^{\mathrm{{D}}}_{\varGamma } \pi (0)\). Thus, by the bounded semantics we have for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k {\overline{\mathrm{{D}}}}_{\varGamma }\alpha \) with \(\rho [..k] = \pi \).
3. Let \(Y = {\overline{\mathrm{E}}}_{\varGamma }\). Since \({\overline{\mathrm{E}}}_{\varGamma }\alpha = \bigvee _{{ c}\in \varGamma } {\overline{\mathrm{{K}}}}_{{ c}} \alpha \), the lemma follows from case 1.
4. Let \(Y = {\overline{\mathrm{{C}}}}_{\varGamma }\). Since \({\overline{\mathrm{{C}}}}_{\varGamma }\alpha = \bigvee _{i=1}^{n} ({\overline{\mathrm{E}}}_{\varGamma })^i \alpha \), where \(n\) is the size of the model \(M\), the lemma follows from case 3.
Lemma 5
Let \(M\) be a model, \(\varphi \) an ELTLK formula, and \(\rho \) a run. Then, the following implication holds: \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \).
Proof
(Induction on the length of \(\varphi \)) The lemma follows directly for the propositional variables and their negations. Assume that the hypothesis holds for all the proper subformulae of \(\varphi \) and consider \(\varphi \) to be of the following form:
1. \(\varphi = \psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\). Straightforward by the induction hypothesis and Lemma 3.
2. Let \(\varphi =Y\alpha \), and \(Y,Y_1,\ldots ,Y_n, Z \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_{\varGamma }, {\overline{\mathrm{E}}}_{\varGamma }, {\overline{\mathrm{{C}}}}_{\varGamma }\}\). Moreover, let \(Y_1\alpha _1, \ldots ,\) \(Y_n \alpha _n\) be the list of all “top level” proper \(Y\)-subformulae of \(\alpha \) (i.e., each \(Y_i\alpha _i\) is a subformula of \(Y\alpha \), but it is not a subformula of any subformula \(Z\beta \) of \(Y\alpha \), where \(Z\beta \) is different from \(Y\alpha \) and from \(Y\alpha _i\) for \(i=1, \ldots , n\)). If this list is empty, then \(\alpha \) is a “pure” LTL formula with no nested epistemic modalities. Hence, by Lemma 4 we have that \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \). Otherwise, introduce for each \(Y_i\alpha _i\) a new proposition \(q_i\), where \(i=1,\ldots ,n\). By Lemma 1, we can augment with \(q_i\) the labelling of each state \(s\) of \(M\) initialising some run along which the epistemic formula \(Y_i\alpha _i\) holds, and then translate the formula \(\alpha \) to the formula \(\alpha '\), which instead of each subformula \(Y_i\alpha _i\) contains the corresponding proposition \(q_i\). Therefore, we obtain a “pure” LTL formula. Hence, by Lemma 4 we have that \(M,\rho \models \varphi \) implies that for some \(k{\,\geqslant \,}0\) and \(0 {\,\leqslant \,}l {\,\leqslant \,}k,\,M,\pi _l \models _k \varphi \) with \(\rho [..k] = \pi \).
The following lemma states that if we take all possible bounds into account, then the bounded and unbounded semantics are equivalent.
Lemma 6
Let \(M\) be a model, \(\varphi \) an ELTLK formula. Then the following equivalence holds: \(M \models ^{\exists } \varphi \) iff there exists \(k{\,\geqslant \,}0\) such that \(M \models ^{\exists }_{k} \varphi \).
Proof
(“\(\Leftarrow \)”) Follows directly from Lemma 2. (“\(\Rightarrow \)”) Follows directly from Lemma 5.
Translation to the propositional satisfiability problem
Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model generated by IS or IIS—the encoding of global states of \(M\) is independent of the kind of considered interpreted system—and \(k \in \mathrm{I\!N}\) be a bound. Since the set of global states of \(M\) is finite, every element \(g=(\ell _1,\ldots ,\ell _n,\ell _{{e}})\) of \(G\) can be encoded as a bit vector of some length \(r\). Then, each state of \(M\) can be represented by a valuation of a vector \(w=(\mathtt{w}_1, \ldots , \mathtt{w}_r)\) (called a symbolic state) of distinct propositional variables called state variables; further we assume that \(SV\) denotes the set of all the state variables, \(SV(w)\) denotes the set of all the state variables occurring in the symbolic state \(w\), and \(I_{{ c}}\) denotes the set of indices of the state variables that represent the local states of agent \({ c}\).
Example 1
Let \(SV=\{\mathtt{w}_1,\mathtt{w}_2,\ldots \}\) be an infinite set of state variables. Consider the FTC system shown in Fig. 1 for two trains. A propositional encoding of all the local states of the two agents representing the trains and of the agent representing the Controller is the following:
\(Train \;1\)
\(State\)  \(Bit_2\)  \(Bit_1\)  \(Formula\)
\(Away_1\)  0  0  \(\lnot \mathtt{w}_1 \wedge \lnot \mathtt{w}_2\)
\(Wait_1\)  1  0  \(\lnot \mathtt{w}_1 \wedge \mathtt{w}_2\)
\(Tunnel_1\)  0  1  \(\mathtt{w}_1 \wedge \lnot \mathtt{w}_2\)

\(Train \;2\)
\(State\)  \(Bit_4\)  \(Bit_3\)  \(Formula\)
\(Away_2\)  0  0  \(\lnot \mathtt{w}_3 \wedge \lnot \mathtt{w}_4\)
\(Wait_2\)  1  0  \(\lnot \mathtt{w}_3 \wedge \mathtt{w}_4\)
\(Tunnel_2\)  0  1  \(\mathtt{w}_3 \wedge \lnot \mathtt{w}_4\)

\(Controller\)
\(Location\)  \(Bit_5\)  \(Formula\)
\(Green\)  0  \(\lnot \mathtt{w}_5\)
\(Red\)  1  \(\mathtt{w}_5\)
Thus, given the above, it is easy to see that each state of the model of the FTC system can be represented by a valuation of a symbolic state \(w = (\mathtt{w}_1, \ldots , \mathtt{w}_5)\).
Let \(NV\) denote the set of propositional variables, called the natural variables, such that \(SV \cap NV = \emptyset \). Moreover, let \(u = (\mathtt{u}_1 , \ldots , \mathtt{u}_t )\) be a vector of natural variables of some length \(t\), which we call a symbolic number, and \(NV(u)\) denote the set of all the natural variables occurring in \(u\). Further, let \(PV = SV \cup NV\) and \(V: PV \rightarrow \{0,1\}\) be a valuation of propositional variables (a valuation for short). Each valuation induces the functions \({\mathbf{S}}: SV^r \rightarrow \{0,1\}^r\) and \(\mathbf{J}: NV^t \rightarrow \mathrm{I\!N}\) defined in the following way:
Now let \(w\) and \(w'\) be two symbolic states such that \(SV(w) \cap SV(w') = \emptyset \), and \(u\) be a symbolic number. We recall the definitions of the following auxiliary propositional formulae:

\(I_g(w):{=} \bigwedge _{i=1}^r lit(g[i],\mathtt{w}_i)\), where \(lit: \{0,1\}\times PV \rightarrow PV \cup \{ \lnot q \mid q \in PV \}\) is a function defined as: \(lit(1,q)=q\) and \(lit(0,q)= \lnot q\). This formula, defined over \(SV(w)\), encodes the state \(g\) of the model \(M\).
Example 2
Consider the FTC system shown in Fig. 1 for two trains. Then, the propositional formula \(I_{\iota }(w)\), which encodes the initial global state of the system, is defined as follows: \(I_{\iota }(w)= \lnot \mathtt{w}_1 \wedge \lnot \mathtt{w}_2 \wedge \lnot \mathtt{w}_3 \wedge \lnot \mathtt{w}_4 \wedge \lnot \mathtt{w}_5\).

\(H(w,w') :{=} \bigwedge _{i=1}^r \mathtt{w}_i \Leftrightarrow \mathtt{w'}_i \). This formula, defined over \(SV(w) \cup SV(w')\), encodes equivalence between two symbolic states: it represents the fact that the symbolic states \(w\) and \(w'\) represent the same state.

\(H_{{ c}}(w,w'):{=} \bigwedge _{i\in I_{{ c}} } \mathtt{w}_i \Leftrightarrow \mathtt{w'}_i \). This formula, defined over \(SV(w) \cup SV(w')\), represents the fact that the local states of agent \({ c}\) are the same in the symbolic states \(w\) and \(w'\).

\(p(w)\) is a formula over \(SV(w)\) that is true for a valuation \(V\) iff \(p \in {\mathcal{V }}(\mathbf{S}(w))\). This formula encodes the set of the states of \(M\) in which the propositional variable \(p \in \mathcal{PV }\) holds.

\({\mathcal{R }}(w,w')\) is a formula over \(SV(w) \cup SV(w')\) that is true for a valuation \(V\) iff \((\mathbf{S}(w), \mathbf{S}(w')) \in T\). This formula encodes the transition relation of \(M\). The formal definition of this formula is different for \(M\) which is generated for IS and for \(M\) which is generated for IIS.

\({\mathcal{B }}_j^{\thicksim }(u)\) is a formula over \(NV(u)\) that is true for a valuation \(V\) iff \(j \thicksim \mathbf{J}(u)\), where \(\thicksim \in \{<,>,\leqslant ,=,\geqslant \}\).
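As an added example (my code, not the paper's), the encoding of Example 1 and the auxiliary formulae \(I_g(w)\), \(H(w,w')\) and \(H_{c}(w,w')\) can be made executable as follows; a valuation \(V\) is assumed to be a dictionary from state-variable names to \(\{0,1\}\), a literal is a string with a leading \(\sim\) for negation, and a conjunction is a list.

```python
# Added example, not from the paper: the bit-vector encoding of FTC global
# states (Example 1) and the auxiliary formulae I_g(w), H(w,w'), H_c(w,w').
# Conventions assumed here: a literal is a string, "~" marking negation; a
# conjunction is a list of literals; a valuation V is a dict name -> 0/1.

# Local-state codes as (w_low, w_high): Train 1 uses (w1, w2), Train 2 uses
# (w3, w4); the Controller uses w5 only.  Values are copied from the table.
TRAIN = {"Away": (0, 0), "Wait": (0, 1), "Tunnel": (1, 0)}
CONTROLLER = {"Green": (0,), "Red": (1,)}
R = 5  # length r of the symbolic state w = (w1, ..., w5)

# I_c: indices (1-based, as in the text) of the state variables of agent c.
I_C = {"Train1": (1, 2), "Train2": (3, 4), "Controller": (5,)}


def encode(g):
    """Global state g = (l_1, l_2, l_e) -> bit vector (g[1], ..., g[5])."""
    l1, l2, le = g
    return TRAIN[l1] + TRAIN[l2] + CONTROLLER[le]


def lit(bit, q):
    """lit(1, q) = q and lit(0, q) = ~q."""
    return q if bit == 1 else "~" + q


def I_g(g, w="w"):
    """I_g(w): conjunction over i = 1..r of lit(g[i], w_i)."""
    return [lit(b, f"{w}{i}") for i, b in enumerate(encode(g), start=1)]


def H(w="w", wp="w'"):
    """H(w,w'): conjunction over i = 1..r of (w_i <=> w'_i), as variable pairs."""
    return [(f"{w}{i}", f"{wp}{i}") for i in range(1, R + 1)]


def H_c(agent, w="w", wp="w'"):
    """H_c(w,w'): conjunction over i in I_c of (w_i <=> w'_i)."""
    return [(f"{w}{i}", f"{wp}{i}") for i in I_C[agent]]


def valuation_of(g, gp, w="w", wp="w'"):
    """Valuation V that assigns encode(g) to w and encode(gp) to w'."""
    V = {f"{w}{i}": b for i, b in enumerate(encode(g), start=1)}
    V.update({f"{wp}{i}": b for i, b in enumerate(encode(gp), start=1)})
    return V


def holds_conj(literals, V):
    """V satisfies a conjunction of literals."""
    return all((V[q[1:]] == 0) if q.startswith("~") else (V[q] == 1)
               for q in literals)


def holds_equiv(pairs, V):
    """V satisfies a conjunction of equivalences w_i <=> w'_i."""
    return all(V[a] == V[b] for a, b in pairs)


if __name__ == "__main__":
    iota = ("Away", "Away", "Green")
    print("I_iota(w) =", " & ".join(I_g(iota)))   # ~w1 & ~w2 & ~w3 & ~w4 & ~w5
    V = valuation_of(("Wait", "Away", "Red"), ("Wait", "Tunnel", "Green"))
    print("Train 1 local states equal:", holds_equiv(H_c("Train1"), V))  # True
    print("Train 2 local states equal:", holds_equiv(H_c("Train2"), V))  # False
```

Note that \(H_{c}\) is exactly the check behind the indistinguishability relation \(\sim_{c}\): two global states satisfy it iff agent \(c\)'s local state coincides, whatever the other agents do.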
Let \(M =(G,\iota ,T,\{\sim _{{ c}}\}_{{{ c}} \in \mathcal{A }},\mathcal{V })\) be a model, \(\varphi \) an ELTLK formula, and \(k{\,\geqslant \,}0\) a bound. We translate the problem of checking whether \(M\) is a model for \(\varphi \) to the problem of checking the satisfiability of the following propositional formula:
In order to define the formula \([M^{\varphi ,\iota }]_k\) we need to specify the number of \(k\)-paths of the model \(M\) that are sufficient to validate \(\varphi \). To calculate this number, we need the following auxiliary function \(f_k : {\mathrm{ELTLK }}\rightarrow \mathrm{I\!N}\):

\(f_k({{true}}) = f_k({false}) = f_k(p) =f_k(\lnot p)= 0\), where \(p \in \mathcal{PV }\),

\(f_k(\varphi \vee \psi ) = max\{f_k(\varphi ) , f_k(\psi )\}\),

\(f_k(\varphi \wedge \psi ) = f_k(\varphi ) + f_k(\psi )\),

\(f_k(\mathrm{X}\varphi ) = f_k(\varphi )\),

\(f_k(\varphi \mathrm{U}\psi ) = k \cdot f_k(\varphi ) + f_k(\psi )\),

\(f_k(\varphi \mathrm{R}\psi ) = (k+1) \cdot f_k(\psi )+ f_k(\varphi )\),

\(f_k(\overline{Y} \varphi ) = f_k(\varphi ) +1\), for \(\overline{Y} \in \{{\overline{\mathrm{{K}}}}_{{ c}}, {\overline{\mathrm{{D}}}}_\varGamma , {\overline{\mathrm{E}}}_\varGamma \}\),

\(f_k({\overline{\mathrm{{C}}}}_\varGamma \varphi ) = f_k(\varphi ) + k\).
Note that \({\overline{\mathrm{{C}}}}_\varGamma \varphi = \bigvee _{i=1}^{k} ({\overline{\mathrm{E}}}_\varGamma )^i\varphi \) and \(f_k(({\overline{\mathrm{E}}}_\varGamma )^1\varphi ) =f_k({\overline{\mathrm{E}}}_\varGamma \varphi ) = f_k(\varphi ) + 1\). It is easy to show, by induction on \(i\), that \(f_k(({\overline{\mathrm{E}}}_\varGamma )^i\varphi ) = f_k(\varphi ) + i\), for \(i \in \{1, \ldots ,k\}\). Therefore, \(f_k({\overline{\mathrm{{C}}}}_\varGamma \varphi )=f_k(\bigvee _{i=1}^{k} ({\overline{\mathrm{E}}}_\varGamma )^i\varphi )=max\{f_k(({\overline{\mathrm{E}}}_\varGamma )^1\varphi ), \ldots , f_k(({\overline{\mathrm{E}}}_\varGamma )^k\varphi )\}=f_k(({\overline{\mathrm{E}}}_\varGamma )^k\varphi )=f_k(\varphi )+k\).
Now, since in the BMC method we deal with the existential validity \((\models ^{\exists })\), the number of \(k\)-paths sufficient to validate \(\varphi \) is given by the function \(\widehat{f_k} : {\mathrm{ELTLK }}\rightarrow \mathrm{I\!N}\) defined as \(\widehat{f_k}(\varphi ) = f_k(\varphi ) + 1\).
Example 3
Let \(p\in \mathcal{PV }\) and let \(k\) be a bound. We now calculate the number of \(k\)-paths that are sufficient to validate different ELTLK formulae.

Let \(\varphi =\mathrm{F}p \). Then, \(\widehat{f_k}(\mathrm{F}p)=\) \(f_k(\mathrm{F}p)+1=f_k(p)+1= 1\); note that \(\mathrm{F}\alpha = {{true}}\mathrm{U}\alpha \).

Let \(\varphi =\mathrm{G}\mathrm{F}p \). Then, \(\widehat{f_k}(\mathrm{G}\mathrm{F}p)=\) \(f_k(\mathrm{G}\mathrm{F}p)+1=\) \((k+1) \cdot f_k(\mathrm{F}p)+1=\) \((k+1) \cdot f_k(p)+1= 1\); note that \(\mathrm{G}\alpha = {false}\mathrm{R}\alpha \).

Let \(\varphi =\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p\). Then, \(\widehat{f_k}(\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p)\) \(=f_k(\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p)+1\) \(=(k+1) \cdot f_k(\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}\!p)+1\) \(=(k+1) \cdot f_k({\overline{\mathrm{{K}}}}_{{ c}}\!p)+1\) \(=(k+1) \cdot (f_k(p)+1)+1\) \(=(k+1) \cdot 1+1 = k+2\). An example of a model and a witness for the formula is shown in Fig. 13. Observe that while the value \(\widehat{f_1}(\varphi )\) is 3, and the witness for \(\varphi \) can be of the form shown in Fig. 13b, there is a witness for \(\varphi \) which consists of two 1-paths only—see Fig. 13c. Thus, one can observe that the function \(\widehat{f_k}\) only gives an upper bound on the number of \(k\)-paths that form a witness for an ELTLK formula.
Let \(W=\{SV(w_{i,j}) \mid 0 {\,\leqslant \,}i {\,\leqslant \,}k\text { and } 1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\} \cup \{NV(u_j) \mid 1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\}\) be a set of propositional variables. The propositional formula \([M^{\varphi ,\iota }]_k\) is defined over the set \(W\) in the following way:
where \(w_{i,j}\) and \(u_j\) are, respectively, symbolic states and a symbolic number for \(0{\,\leqslant \,}i {\,\leqslant \,}k\) and \(1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\).
Note that Formula 4 encodes \(\widehat{f_k}(\varphi )\) valid \(k\)-paths of the model \(M\) that start at the initial state \(\iota \). In particular, the formula defines \(\widehat{f_k}(\varphi )\) symbolic \(k\)-paths such that the \(j\)-th symbolic \(k\)-path \({\varvec{\pi }}_j\) is of the form \(((w_{0,j},\ldots ,w_{k,j}),u_j)\), where \(w_{i,j}\) is a symbolic state for \(1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\) and \(0 {\,\leqslant \,}i {\,\leqslant \,}k\), and \(u_j\) is a symbolic number for \(1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\).
The next step is a translation of an ELTLK formula \(\varphi \) to a propositional formula
where \(F_k(\varphi ) = \{j \in \mathrm{I\!N}\mid 1 {\,\leqslant \,}j {\,\leqslant \,}\widehat{f_k}(\varphi )\}\), and \([\varphi ]^{[m,n,A]}_k\) denotes the translation of \(\varphi \) along the \(n\)-th symbolic path \({\varvec{\pi }}^m_n\) with the starting point \(m\) by using the set \(A \subseteq F_k(\varphi )\).
For every ELTLK formula \(\varphi \) the function \(\widehat{f_k}\) determines how many symbolic \(k\)-paths are needed for translating the formula \(\varphi \). Given a formula \(\varphi \) and a set \(A\) of \(k\)-path numbers such that \(|A| = \widehat{f_k}(\varphi )\), we divide the set \(A\) into subsets needed for translating the subformulae of \(\varphi \). To accomplish this, we need some auxiliary functions defined in [55]; we recall their definitions. First, the relation \(\prec \) is defined on the power set of \(\mathrm{I\!N}\) as follows: \(A \prec B\) iff for all natural numbers \(x\) and \(y\), if \(x \in A\) and \(y \in B\), then \(x < y\).
Now, let \(A \subset \mathrm{I\!N}\) be a finite nonempty set, and \(n, d \in \mathrm{I\!N}\), where \(d \leqslant |A|\). Then,

\(g_l(A, d)\) denotes the subset \(B\) of \(A\) such that \(|B| = d\) and \(B \prec A \setminus B\), e.g., \(g_l(\{4,5,6,7,8\}, 3) = \{4,5,6\}\).

\(g_r(A, d)\) denotes the subset \(C\) of \(A\) such that \(|C| = d\) and \(A \setminus C \prec C\), e.g., \(g_r(\{4,5,6,7,8\}, 3) = \{6,7,8\}\).

\(g_s(A)\) denotes the set \(A \setminus \{min(A)\}\), e.g., \(g_{s}(\{4,5,6,7,8\}) = \{5,6,7,8\}\).

if \(n\) divides \(|A| - d\), then \(hp(A, d, n)\) denotes the sequence \((B_0, \ldots , B_{n})\) of subsets of \(A\) such that \(\bigcup _{j=0}^{n} B_j = A\), \(|B_0| = \ldots = |B_{n-1}|\), \(|B_{n}| = d\), and \(B_i \prec B_j\) for every \(0 \;{\,\leqslant \,}\; i < j {\,\leqslant \,}n\). Now let \({{h}_{k}^{\mathrm{U}}}(A, d)\) := \(hp(A, d, k)\) and \({{h}_{k}^{\mathrm{R}}}(A,d)\) := \(hp(A,d,k+1)\). Note that if \({{h}_{k}^{\mathrm{U}}}(A, d) = (B_0, \ldots , B_{k})\), then \({{h}_{k}^{\mathrm{U}}}(A, d)(j)\) denotes the set \(B_j\), for every \(0 {\,\leqslant \,}j {\,\leqslant \,}k\). Similarly, if \({{h}_{k}^{\mathrm{R}}}(A, d) = (B_0, \ldots , B_{k+1})\), then \({{h}_{k}^{\mathrm{R}}}(A, d)(j)\) denotes the set \(B_j\), for every \(0 \leqslant j \leqslant k + 1\). For example, if \(A \!=\! \{1,2,3,4,5,6\}\), then \(h_3^{\mathrm{U}}(A, 0) \!=\! (\{1,2\},\{3,4\},\{5,6\},\emptyset ),\,h_3^{\mathrm{U}}(A, 3) = (\{1\},\{2\},\{3\},\{4,5,6\}),\,h_3^{\mathrm{U}}(A, 6) = (\emptyset ,\emptyset , \emptyset ,\{1,2,3,4,5,6\})\), and \(h_3^{\mathrm{U}}(A, d)\) is undefined for \(d \in \{0,\ldots ,7\} \setminus \{0, 3,6\}\). Next, \(h_4^{\mathrm{R}}(A, 2) = (\{1\},\{2\},\{3\},\{4\},\{5,6\}),\,h_4^{\mathrm{R}}(A, 6) = (\emptyset ,\emptyset , \emptyset ,\emptyset ,\{1,2,3,4,5,6\})\), and \(h_4^{\mathrm{R}}(A, d)\) is undefined for \(d \in \{0,\ldots ,7\} \setminus \{2,6\}\).
The functions \(g_l\) and \(g_r\) are used in the translation of the formulae with the main connective being either conjunction or disjunction: for a given ELTLK formula \(\varphi \wedge \psi \), if the set \(A\) is used to translate this formula, then the set \(g_l(A, f_k(\varphi ))\) is used to translate the subformula \(\varphi \) and the set \(g_r(A, f_k(\psi ))\) is used to translate the subformula \(\psi \); for a given ELTLK formula \(\varphi \vee \psi \), if the set \(A\) is used to translate this formula, then the set \(g_l(A, f_k(\varphi ))\) is used to translate the subformula \(\varphi \) and the set \(g_l(A, f_k(\psi ))\) is used to translate the subformula \(\psi \).
The function \(g_{s}\) is used in the translation of the formulae with the main connective \(\mathrm{{Q}}\in \{{\overline{\mathrm{{K}}}}_{{ c}},{\overline{\mathrm{{D}}}}_{\varGamma },{\overline{\mathrm{E}}}_{\varGamma }\}\): for a given ELTLK formula \(\mathrm{{Q}}\varphi \), if the set \(A\) is to be used to translate this formula, then the path of the number \(min(A)\) is used to translate the operator \(\mathrm{{Q}}\) and the set \(g_{s}(A)\) is used to translate the subformula \(\varphi \).
The function \({{h}_{k}^{\mathrm{U}}}\) is used in the translation of subformulae of the form \(\varphi \mathrm{U}\psi \): if the set \(A\) is to be used to translate the subformula \(\varphi \mathrm{U}\psi \) at the symbolic \(k\)-path \({\varvec{\pi }}_n\) (with the starting point \(m\)), then for every \(j\) such that \(m {\,\leqslant \,}j {\,\leqslant \,}k\), the set \({{h}_{k}^{\mathrm{U}}}(A, f_k(\psi ))(k)\) is used to translate the formula \(\psi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(j\); moreover, for every \(i\) such that \(m {\,\leqslant \,}i < j\), the set \({{h}_{k}^{\mathrm{U}}}(A, f_k(\psi ))(i)\) is used to translate the formula \(\varphi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(i\). Notice that if \(k\) does not divide \(|A| - d\), then \({{h}_{k}^{\mathrm{U}}}(A, d)\) is undefined. However, for every set \(A\) such that \(|A| = f_k(\varphi \mathrm{U}\psi )\), it is clear from the definition of \(f_k\) that \(k\) divides \(|A| - f_k(\psi )\).
The function \({{h}_{k}^{\mathrm{R}}}\) is used in the translation of subformulae of the form \(\varphi \mathrm{R}\psi \): if the set \(A\) is used to translate the subformula \(\varphi \mathrm{R}\psi \) along a symbolic \(k\)-path \({\varvec{\pi }}_n\) (with the starting point \(m\)), then for every \(j\) such that \(m {\,\leqslant \,}j {\,\leqslant \,}k\), the set \({{h}_{k}^{\mathrm{R}}}(A, f_k(\varphi ))(k+1)\) is used to translate the formula \(\varphi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(j\); moreover, for every \(i\) such that \(m {\,\leqslant \,}i {\,\leqslant \,}j\), the set \({{h}_{k}^{\mathrm{R}}}(A,f_k(\varphi ))(i)\) is used to translate the formula \(\psi \) along the symbolic path \({\varvec{\pi }}_n\) with starting point \(i\). Notice that if \(k + 1\) does not divide \(|A| - d\), then \({{h}_{k}^{\mathrm{R}}}(A, d)\) is undefined. However, for every set \(A\) such that \(|A| = f_k(\varphi \mathrm{R}\psi )\), it is clear from the definition of \(f_k\) that \(k + 1\) divides \(|A| - f_k(\varphi )\).
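The following Python code is an added example (mine, not the paper's implementation) that computes \(f_k\), \(\widehat{f_k}\) and \(F_k\) from the definitions above, implements \(g_l\), \(g_r\), \(g_s\), \(hp\), \({{h}_{k}^{\mathrm{U}}}\) and \({{h}_{k}^{\mathrm{R}}}\), and shows how a set \(A\) of path numbers is handed down to the direct subformulae according to the rules just described. Formulae are represented as nested tuples (an assumption of this example), and \(\mathrm{F}\) and \(\mathrm{G}\) are expanded as \({{true}}\,\mathrm{U}\) and \({false}\,\mathrm{R}\) as in Example 3.

```python
# Added example, not from the paper: f_k, f_hat_k, F_k, the set functions
# g_l, g_r, g_s, hp, h_k^U, h_k^R, and the hand-down of path sets to
# subformulae.  Formulae are nested tuples (a representation assumed here):
#   ("true",) ("false",) ("p", name) ("not", name)
#   ("or", a, b) ("and", a, b) ("X", a) ("U", a, b) ("R", a, b)
#   ("K", agent, a) ("D", group, a) ("E", group, a) ("C", group, a)

def F(a):
    return ("U", ("true",), a)      # F a = true U a

def G(a):
    return ("R", ("false",), a)     # G a = false R a

def f_k(phi, k):
    """Number of additional k-paths needed for phi (definition of f_k)."""
    op = phi[0]
    if op in ("true", "false", "p", "not"):
        return 0
    if op == "or":
        return max(f_k(phi[1], k), f_k(phi[2], k))
    if op == "and":
        return f_k(phi[1], k) + f_k(phi[2], k)
    if op == "X":
        return f_k(phi[1], k)
    if op == "U":
        return k * f_k(phi[1], k) + f_k(phi[2], k)
    if op == "R":
        return (k + 1) * f_k(phi[2], k) + f_k(phi[1], k)
    if op in ("K", "D", "E"):
        return f_k(phi[2], k) + 1
    if op == "C":
        return f_k(phi[2], k) + k
    raise ValueError(f"unknown connective {op}")

def f_hat_k(phi, k):
    """Paths sufficient for existential validity: f_hat_k = f_k + 1."""
    return f_k(phi, k) + 1

def F_k(phi, k):
    """F_k(phi) = {1, ..., f_hat_k(phi)}."""
    return set(range(1, f_hat_k(phi, k) + 1))

def g_l(A, d):
    """The d smallest elements of A (the B with |B| = d preceding A minus B)."""
    return set(sorted(A)[:d])

def g_r(A, d):
    """The d largest elements of A (the C with |C| = d preceded by A minus C)."""
    return set(sorted(A)[len(A) - d:])

def g_s(A):
    """A without its minimum."""
    return set(A) - {min(A)}

def hp(A, d, n):
    """(B_0, ..., B_n): n blocks of equal size, then B_n with |B_n| = d,
    ordered B_i < B_j for i < j; None when n does not divide |A| - d."""
    if (len(A) - d) % n != 0:
        return None
    size = (len(A) - d) // n
    xs = sorted(A)
    return [set(xs[i * size:(i + 1) * size]) for i in range(n)] + [set(xs[n * size:])]

def h_U(A, d, k):
    return hp(A, d, k)

def h_R(A, d, k):
    return hp(A, d, k + 1)

def hand_down(phi, A, k):
    """Which subsets of A (the path numbers available to phi) go to phi's direct
    subformulae: g_l/g_r for and, g_l/g_l for or, min(A)/g_s for K, D, E,
    h^U blocks for U (B_k for psi, B_i for phi at position i), h^R blocks for R
    (B_{k+1} for phi, B_i for psi at position i); X passes A through."""
    op = phi[0]
    if op == "and":
        return {"left": g_l(A, f_k(phi[1], k)), "right": g_r(A, f_k(phi[2], k))}
    if op == "or":
        return {"left": g_l(A, f_k(phi[1], k)), "right": g_l(A, f_k(phi[2], k))}
    if op in ("K", "D", "E"):
        return {"operator_path": min(A), "sub": g_s(A)}
    if op == "U":
        return {"blocks": h_U(A, f_k(phi[2], k), k)}
    if op == "R":
        return {"blocks": h_R(A, f_k(phi[1], k), k)}
    if op == "X":
        return {"sub": set(A)}
    raise ValueError(f"no hand-down rule given in the text for {op}")

if __name__ == "__main__":
    p = ("p", "p")
    phi = G(F(("K", "c", p)))          # G F K_c p from Example 3
    for k in (1, 2, 3):
        print(f"k={k}: f_hat_k(G F K_c p) = {f_hat_k(phi, k)}")   # k + 2
    A = F_k(phi, 1) - {1}              # paths left for phi when it sits on path 1
    print("k=1, A =", A, "->", hand_down(phi, A, 1))
```

Running the hand-down for \(\mathrm{G}\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}p\) with \(k=1\) and \(A=\{2,3\}\) reproduces the three-path witness shape of Fig. 13b: path 2 serves the \(\mathrm{F}{\overline{\mathrm{{K}}}}_{{ c}}p\) instance at position 0 and path 3 the one at position 1, and inside each the single path is consumed by \({\overline{\mathrm{{K}}}}_{{ c}}\).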
Definition 5
(Translation of the ELTLK formulae) Let \(M\) be a model, \(\varphi \) an ELTLK formula, and \(k {\,\geqslant \,}0\) a bound. We define inductively the translation of \(\varphi \) over a path number \(n \in F_k(\varphi )\) starting at the symbolic state \(w_{m,n}\) as shown below, where \(n'=min(A),\,{{h}_{k}^{\mathrm{U}}}={{h}_{k}^{\mathrm{U}}}(A,f_k(\psi _2))\), and \({{h}_{k}^{\mathrm{R}}}={{h}_{k}^{\mathrm{R}}}(A,f_k(\psi _1))\). We assume that \({\mathcal{L }}_k^l({\varvec{\pi }}_n) :{=} {\mathcal{B }}_l^{=}(u_n)\wedge H(w_{k,n}, w_{l,n})\).
For representing the propositional formula \([M,\varphi ]_{k}\), reduced Boolean circuits (RBC) [1] are used. An RBC represents subformulae of \([M,\varphi ]_{k}\) by fresh propositions such that any two identical subformulae correspond to the same proposition. Following van der Meyden et al. [23], instead of using RBCs we could directly encode \([M,\varphi ]_{k}\) in such a way that each subformula \(\psi \) of \([M,\varphi ]_{k}\) occurring within the scope of a \(k\)-element disjunction or conjunction is replaced with a propositional variable \(p_{\psi }\), and the reduced formula \([M,\varphi ]_{k}\) is conjoined with the implication \(p_{\psi } \Rightarrow \psi \). However, in this case our method, like the one proposed in [23], would not be complete. Nonetheless, completeness can be achieved by using \(p_{\psi } \Leftrightarrow \psi \) instead of \(p_{\psi } \Rightarrow \psi \). This, however, can give a formula of exponential size during the transformation into clausal normal form.
Our encoding of the ELTLK formulae is defined recursively over the structure of an ELTLK formula \(\varphi \), over the current position \(m\) of the \(n\)-th symbolic \(k\)-path, and over the set \(A\) of symbolic \(k\)-paths, which is initially equal to \(F_k(\varphi )\). Next, our encoding does not translate looping and non-looping witnesses separately, but combines both of them. Further, it is parameterised by the bound \(k\) and the set of symbolic \(k\)-paths, and closely follows the bounded semantics of Def. 4. Therefore, for fixed \(n,\,m,\,k\) and \(A\), each subformula \(\psi \) of \(\varphi \) requires constraints of size \(O(k\cdot f_k(\varphi ))\), using the encoding of \(\psi \) at various positions. Moreover, since the encoding of a subformula \(\psi \) depends only on \(m,\,n,\,k\), and \(A\), and multiple occurrences of the encoding of \(\psi \) over the same set of parameters can be shared, the overall size can be bounded by \(O(|\varphi | \cdot k \cdot f_k(\varphi ))\). Further, the size of the formula \([M,\varphi ]_k\) is bounded by \(O(|T|\cdot k \cdot f_k(\varphi ) + |\varphi | \cdot k \cdot f_k(\varphi ))\).
Correctness and completeness of the translation
The lemmas below state the correctness and the completeness of the presented translation.
Now, let \(\alpha \) be an ELTLK formula. For every ELTLK subformula \(\varphi \) of \(\alpha \), we denote by \([\varphi ]^{[\alpha ,m,n,A]}_{k}\) the propositional formula
where \([M]_k^{F_k(\alpha )}:{=} \bigwedge _{j\in F_k(\alpha )} \bigwedge ^{k-1}_{i=0} {\mathcal{R }}(w_{i,j}, w_{i+1,j}) \wedge \bigwedge _{j\in F_k(\alpha )} \bigvee _{l=0}^{k} B_l^{=}(u_{j})\).
In the next two lemmas we use the following auxiliary notation. By \(V{\,\Vdash \,}\xi \) we mean that the valuation \(V\) satisfies the propositional formula \(\xi \). Moreover, we write \(g_{i,j}\) instead of \(\mathbf{S}(w_{i,j})\), and \(l_j\) instead of \(\mathbf{J}(u_j)\).
Lemma 7
(Correctness of the translation) Let \(M\) be a model, \(\alpha \) an ELTLK formula, and \(k \in \mathrm{I\!N}\). For every subformula \(\varphi \) of the formula \(\alpha \), every \((m, n) \in \{0,\ldots ,k\} \times F_k(\alpha )\), every \(A\,\subseteq \,F_k(\alpha )\setminus \{n\}\) such that \(|A| = f_k(\varphi )\), and every valuation \(V\), the following condition holds: \(V {\,\Vdash \,}[\varphi ]^{[\alpha ,m,n,A]}_{k}\) implies \(M, ((g_{0,n},\ldots ,g_{k,n}), l_n)[m] \models _k \varphi \).
Proof
Let \(n \in F_k(\alpha )\), \(A\) be a set such that \(A \subseteq F_k(\alpha ) \setminus \{n\}\) and \(|A| = f_k(\varphi )\), \(m\) be a natural number such that \(0 \leqslant m \leqslant k\), \(\rho _l\) denote the \(k\)-path \(((g_{0,n},\ldots ,g_{k,n}), l_n)\), and \(V\) be a valuation. Suppose that \(V {\,\Vdash \,}[\varphi ]^{[\alpha ,m,n,A]}_{k}\) and consider the following cases:

1.
\(\varphi \in \{{{true}}, {false}\}\). The thesis of the lemma is obvious in this case.

2.
\(\varphi = p\), where \(p \in \mathcal{PV }\). Then, \(V {\,\Vdash \,}[p]^{[\alpha ,m,n,A]}_{k} \iff V {\,\Vdash \,}p(w_{m,n}) \iff p \in {\mathcal{V }}(g_{m,n}) \iff M,\rho _l[m] \models _k p\).

3.
\(\varphi = \lnot p\), where \(p \in \mathcal{PV }\). Then, \( V{\,\Vdash \,}[\lnot p]^{[\alpha ,m,n,A]}_{k} \iff V {\,\Vdash \,}\lnot p(w_{m,n}) \iff p \notin {\mathcal{V }}(g_{m,n}) \iff M,\rho _l[m] \models _k \lnot p\).

4.
\(\varphi = \psi _1 \wedge \psi _2\). Let \(B = g_l(A,f_k(\psi _1))\) and \(C = g_r(A,f_k(\psi _2))\). From \(V{\,\Vdash \,}[\psi _1 \wedge \psi _2]^{[\alpha ,m,n,A]}_k\), we get \(V {\,\Vdash \,}[\psi _1]^{[\alpha ,m,n,B]}_k\) and \(V {\,\Vdash \,}[\psi _2]^{[\alpha ,m,n,C]}_k\). By inductive hypotheses, \(M,\rho _l[m] \models _k \psi _1\) and \(M,\rho _l[m] \models _k \psi _2\). Thus \(M,\rho _l[m] \models _k \psi _1 \wedge \psi _2\).

5.
\(\varphi = \psi _1 \vee \psi _2\). Let \(B = g_l(A,f_k(\psi _1))\) and \(C = g_l(A,f_k(\psi _2))\). From \(V{\,\Vdash \,}[\psi _1 \vee \psi _2]^{[\alpha ,m,n,A]}_k\), we get \(V {\,\Vdash \,}[\psi _1]^{[\alpha ,m,n,B]}_k\) or \(V {\,\Vdash \,}[\psi _2]^{[\alpha ,m,n,C]}_k\). By inductive hypotheses, \(M,\rho _l[m] \models _k \psi _1\) or \(M,\rho _l[m] \models _k \psi _2\). Thus \(M,\rho _l[m] \models _k \psi _1 \vee \psi _2\).

6.
Let \(\varphi = \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\) with \(p\in \mathcal{PV }\). See Lemma 3.1. of [55].

7.
Let \(\varphi ={\overline{\mathrm{{K}}}}_{{ c}} \psi \). Let \(n' = \min (A)\), and \(\widetilde{\rho }_{l'}\) denote the \(k\)path \(((g_{0,n'},\ldots ,g_{k,n'}), l_{n'})\). By the definition of the translation we have that \(V {\,\Vdash \,}[{\overline{\mathrm{{K}}}}_{{ c}} \psi ]^{[\alpha ,m,n,A]}_{k}\) implies \(V {\,\Vdash \,}I_{\iota }(w_{0,n'}) \wedge \bigvee ^{k}_{j=0}([\psi ]^{[\alpha ,j,n',g_s(A)]}_{k} \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\). Since \(V {\,\Vdash \,}H_{{ c}}(w_{m,n},w_{j,n'})\) we have \(g_{m,n} \sim _{{ c}} g'_{j,n'}\), for some \(j \in \{0,\ldots ,k\}\). Therefore, by inductive hypotheses we get \((\exists 0 {\,\leqslant \,}j {\,\leqslant \,}k) (M,\widetilde{\rho }_{l'}[j] \models _k \psi \) and \(g_{m,n} \sim _{{ c}} g'_{j,n'})\). Thus we have \(M, ((g_{0,n},\ldots ,g_{k,n}), l_n)[m] \models _k {\overline{\mathrm{{K}}}}_{{ c}} \psi \).

8.
Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to case 7.
Let \(B\) and \(C\) be two finite sets of indices. Then, by \(Var(B)\) we denote the set of all the state variables appearing in all the symbolic states of all the symbolic \(k\)paths whose indices are taken from the set \(B\). Moreover, for every valuation \(V\) and every set of indices \(B\), by \(V\!\uparrow \!B\) we denote the restriction of the valuation \(V\) to the set \(Var(B)\). Notice that if \(B \cap C = \emptyset \), then \(Var(B) \cap Var(C) = \emptyset \). This property is used in the proof of the following lemma.
Lemma 8
(Completeness of the translation) Let \(M\) be a model, \(k \in \mathrm{I\!N}\), and \(\alpha \) an ELTLK formula such that \(f_k(\mathrm{E}\alpha ) > 0\). For every subformula \(\varphi \) of the formula \(\alpha \), every \((m, n) \in \{(0, 0)\} \cup \{0,\ldots ,k\} \times F_k(\alpha )\), every \(A\,\subseteq \,F_k(\alpha )\setminus \{n\}\) such that \(|A| = f_k(\varphi )\), and every \(k\)-path \(\rho _l\), the following condition holds: \(M, \rho _l[m] \models _k \varphi \) implies that there exists a valuation \(V\) such that \(\rho _l = ((g_{0,n},\ldots ,g_{k,n}), l_n)\) and \(V {\,\Vdash \,}[\varphi ]^{[\alpha ,m,n,A]}_{k}\).
Proof
First, note that given an ELTLK formula \(\alpha \), and natural numbers \(k,\,m,\,n\) with \(0 \leqslant m \leqslant k\) and \(n \in F_k(\alpha )\), there exists a valuation \(V\) such that \(V{\,\Vdash \,}[M]_k^{F_k(\alpha )}\). This is because \(M\) has no terminal states. Now we proceed by induction on the complexity of \(\varphi \).
Let \(n \in F_k(\alpha )\), \(A\) be a set such that \(A \subseteq F_k(\alpha ) \setminus \{n\}\) and \(|A| = f_k(\varphi )\), \(\rho _l\) be a \(k\)-path in \(M\), and \(m\) be a natural number such that \(0 \leqslant m \leqslant k\). Suppose that \(M,\rho _l[m] \models _k \varphi \) and consider the following cases:

1.
Let \(\varphi =p \mid \lnot p\mid \psi _1 \vee \psi _2 \mid \psi _1 \wedge \psi _2 \mid \mathrm{X}\psi \mid \psi _1 \mathrm{U}\psi _2 \mid \psi _1 \mathrm{R}\psi _2\) with \(p\in \mathcal{PV }\). See the proof of Lemma 3.3. of [55].

2.
Let \(\varphi ={\overline{\mathrm{{K}}}}_{{ c}} \psi \). Since \(M,\rho _l[m] \models _k {\overline{\mathrm{{K}}}}_{{ c}}\psi \), we have that \((\exists \rho '_{l'} \in {\varPi _k}(\iota )) (\exists {0 {\,\leqslant \,}j {\,\leqslant \,}k})\) \((M, \rho '_{l'}[j] \models _k \psi \)) and \(\rho (m) \sim _{{ c}} \rho '(j))\). Let \(n' = \min (A)\) and \(B = g_s(A)\). By the inductive hypothesis and the definition of the formula \(H_{{ c}}\), there exists a valuation \(V'\) such that \(V' {\,\Vdash \,}[M]_k^{F_k(\alpha )}\) and \(V' {\,\Vdash \,}[\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'})\) for some \(j \in \{0,\ldots ,k\}\). Hence we have \(V' {\,\Vdash \,}\bigvee ^{k}_{j=0}([\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\). Further, since \(\rho '_{l'} \in {\varPi _k}(\iota ),\,\rho '_{l'}(0)=\iota \). Thus, by the definition of the formula \(I\), we get that \(V' {\,\Vdash \,}I_{\iota }(w_{0,n'})\). Therefore we have \(V' {\,\Vdash \,}I_{\iota }(w_{0,n'}) \wedge \bigvee ^{k}_{j=0}([\psi ]^{[j,n',B]}_k \wedge H_{{ c}}(w_{m,n},w_{j,n'}))\), which implies that \(V' {\,\Vdash \,}{[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]}^{[m,n,A]}_{k}\). Since \(n' \notin B\) and \(n \notin A\), there exists a valuation \(V\) such that \(V\!\uparrow \!B = V'\!\uparrow \!B\) and moreover \(V {\,\Vdash \,}[M]_k^{F_k(\alpha )}\) and \(V {\,\Vdash \,}{[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]}^{[m,n,A]}_{k}\). Therefore we get \(V {\,\Vdash \,}[{\overline{\mathrm{{K}}}}_{{ c}}\psi ]^{[\alpha ,m,n,A]}_k\).

3.
Let \(\varphi =\overline{Y}_{\varGamma }\psi \), where \(Y \in \{ \mathrm{{D}},\mathrm{E},\mathrm{{C}}\}\). These cases can be proven analogously to case 2.
The correctness of the SAT-based translation scheme for ELTLK is guaranteed by the following theorem.
Theorem 2
Let \(M\) be a model, and \(\varphi \) an ELTLK formula. Then for every \(k \in \mathrm{I\!N},\,M \models ^{\exists }_k \varphi \) if, and only if, the propositional formula \([M,\varphi ]_{k}\) is satisfiable.
Proof
\((\Longrightarrow )\) Let \(k \in \mathrm{I\!N}\) and \(M, \rho _l \models _k \varphi \) for some \(\rho _l \in \varPi _k(\iota )\). By Lemma 8 it follows that there exists a valuation \(V\) such that \(\rho _l = ((g_{0,0},\ldots ,g_{k,0}), l_0)\) with \({\mathbf{S}}(w_{0,0}) = g_{0,0}=\iota \) and \(V {\,\Vdash \,}[\varphi ]^{[\varphi ,0,0,F_k(\varphi )]}_{k}\). Hence, \(V {\,\Vdash \,}I(w_{0,0})\wedge [M]_{k}^{F_k(\varphi )} \wedge {[\varphi ]}^{[0,0,F_k(\varphi )]}_{k}\). Thus \(V{\,\Vdash \,}[M^{\varphi ,\iota }]_k\).
\((\Longleftarrow )\) Let \(k \in \mathrm{I\!N}\) and \([M^{\varphi ,\iota }]_k\) be satisfiable. It means that there exists a valuation \(V\) such that \(V{\,\Vdash \,}[M^{\varphi ,\iota }]_k\). So, \(V{\,\Vdash \,}I(w_{0,0})\) and \(V{\,\Vdash \,}[M]_k^{F_k(\varphi )} \wedge {[\varphi ]}^{[0,0,F_k(\varphi )]}_{k}\). Hence, by Lemma 7 it follows that \(M, ((g_{0,0},\ldots ,g_{k,0}), l_0) \models _k \varphi \) and \({\mathbf{S}}(w_{0,0}) = g_{0,0} = \iota \). Thus \(M \models ^{\exists }_k \varphi \).
Experimental results
In this section we experimentally evaluate the performance of our four different BMC encodings: two SAT-based BMC (over the IIS and IS semantics) and two BDD-based BMC (over the IIS and IS semantics), all implemented as extensions of our tool Verics [28], so the inputs to the four algorithms are the same. We compare our experimental results with those of the MCK tool (version 0.5.1),^{Footnote 3} the only existing tool that is suitable with respect to the input formalism (i.e., interpreted systems) and checked properties (i.e., ELTLK). We have done our best to compare our BMC approaches and the SAT-based BMC module of MCK on the same models. We would like to point out that the manual for MCK states that the tool supports SAT-based BMC for \(\mathrm{ECTL}^{*}\mathrm{K}\) (i.e., \(\mathrm{ECTL}^{*}\) augmented to include epistemic components). Unfortunately, no theory behind this implementation has ever been published. We are aware of the paper [23], which describes SAT-based BMC for ECTLK, but it does not discuss how this approach can be extended to \(\mathrm{ECTL}^{*}\mathrm{K}\). Therefore, we are unable to compare our SAT-based BMC algorithms for ELTLK with the one for \(\mathrm{ECTL}^{*}\mathrm{K}\) implemented in MCK.
We have conducted the experiments using two classical multiagent protocols: the (faulty) train controller system and the dining cryptographers protocol, and one benchmark that is not yet so popular in the multiagent community, i.e., the (faulty) generic pipeline paradigm. However, we would like to point out that (F)GPP is a very useful and scalable example, which has a potential to become a standard benchmark in this community. Further, we specify each property for the considered benchmarks in the universal form by an LTLK formula, for which we verify the corresponding counterexample formula, i.e., the negated universal formula in ELTLK which is interpreted existentially. Moreover, for every specification given, there exists a counterexample, i.e., the ELTLK formula specifying the counterexample holds in the model of the benchmark.
We have computed our experimental results on a computer with an Intel Xeon 2 GHz processor and 4 GB of RAM, running Linux 2.6, with the default limits of 2 GB of memory and 2000 seconds. Moreover, similarly to the MCK tool, we used PicoSAT [2] to test the satisfiability of the propositional formulae generated by our SAT-based BMC encodings. Our SAT-based implementation uses PicoSAT in version 957. The implementation of the BDD-based method employs the CUDD 2.5.0 [44] library for operations on BDDs.
The first benchmark we have considered is the faulty train controller system (FTC) – see Sect. 2.4 for the description of the model. This system is scaled according to the number of trains (agents), i.e., the problem parameter \(n\) is the number of trains. The specifications (universal formulae) we consider are as follows:

\(\varphi _1\) = \(\mathrm{G}(InTunnel_1 \rightarrow \mathrm{{K}}_{Train_1} (\bigwedge _{i=2}^n \lnot InTunnel_i) )\) – it expresses that whenever train one is in the tunnel, it knows that no other train is in the tunnel,

\(\varphi _2\) = \(\mathrm{G}(\mathrm{{K}}_{Train_1}\bigwedge _{i=1,j=2, i<j}^n \) \(\lnot (InTunnel_i \wedge InTunnel_j))\) – it represents that the trains are aware of the mutually exclusive access to the tunnel.
The size of the reachable state space of the FTC system is \(3\cdot (n+1)\cdot 2^{n-2}\), for \(n{\,\geqslant \,}2\). The sizes of the counterexamples for the above formulae, and for all our BMC methods, as well as for MCK are shown in Table 3.
We would like to point out that in the case of the SAT-based BMC by size we mean the length of the \(k\)-path in the counterexample (i.e., the value \(k\)) multiplied by the number of \(k\)-paths (i.e., the value of the function \(\widehat{f}_k\)). In the case of the BDD-based BMC by size we mean the number of full iterations needed to find the counterexample. In Tables 3, 4, 5 we denote by ISk and IISk, respectively, the minimal value of the bound in BMC that yields a counterexample for the IS and IIS semantics.
The second benchmark we have considered is the faulty generic pipeline paradigm (FGPP)—see Sect. 2.4 for the description of the model. This system is scaled according to the number of its Nodes (agents), i.e., the problem parameter \(n\) is the number of Nodes. The specifications (universal formulae) we consider are as follows:

\(\varphi _1\) = \(\mathrm{G}(ProdSend \rightarrow \mathrm{{K}}_{C} \mathrm{{K}}_{P} ConsReady)\)—it states that if Producer produces a commodity, then Consumer knows that Producer knows that Consumer has not received the commodity.

\(\varphi _2\) = \(\mathrm{G}(Problem_n \rightarrow (\mathrm{F}Repair_n \vee \mathrm{G}Alarm_nSend ))\)—it expresses that each time a problem occurs at node \(n\), then either it is repaired, or the alarm of node \(n\) is enabled.

\(\varphi _3\) = \(\bigwedge _{i=1}^n\mathrm{G}(Problem_i \rightarrow (\mathrm{F}Repair_i \vee \mathrm{G}Alarm_iSend ))\)—it expresses that each time a problem occurs at a node, then either it is repaired or the alarm is on.

\(\varphi _4\) = \(\bigwedge _{i=1}^n\mathrm{G}\mathrm{{K}}_{P}(Problem_i \rightarrow (\mathrm{F}Repair_i \vee \mathrm{G}Alarm_iSend))\)—it expresses that Producer knows that each time a problem occurs at a node, then either it is repaired or the alarm is on.
The size of the reachable state space of the FGPP system is \(4\cdot 3^{2n}\), for \(n{\,\geqslant \,}1\). The sizes of the counterexamples for the above formulae, and for all our BMC methods, as well as for MCK are shown in Table 4.
The third benchmark we have considered is the dining cryptographers protocol (DC)—see Sect. 2.4 for the description of the model. This system is scaled according to the number of cryptographers, i.e., the problem parameter \(n\) is the number of cryptographers (together with the coins and the oracles). The specifications (universal formulae) we consider are as follows:

\(\varphi _1\) = \(\mathrm{G}(odd \wedge \lnot paid_1 \rightarrow \bigvee _{i=2}^n\mathrm{{K}}_1({paid}_i))\)—it expresses that always when the number of uttered differences is odd, and the first cryptographer has not paid for dinner, then he knows which cryptographer has.

\(\varphi _2\) = \(\mathrm{G}(\lnot paid_1 \rightarrow \mathrm{{K}}_1(\bigvee _{i=2}^n {paid}_i))\)—it states that it is always true that if the first cryptographer has not paid for dinner, then he knows that some other cryptographer has.

\(\varphi _3\) = \(\mathrm{G}(odd \rightarrow \mathrm{{C}}_{\{ 1,\ldots ,n \}}\lnot (\bigvee _{i=1}^n {paid}_i))\)—it states that always when the number of uttered differences is odd, then it is common knowledge of all the cryptographers that none of the cryptographers has paid for dinner.
The size of the reachable state space of the system is \(3^n + (n + 1) \cdot 2^n \cdot (n + 1 + \sum _{k = 1}^{n} 2 \cdot 3^{n-k} \cdot k )\) for \(n{\,\geqslant \,}3\). The sizes of the counterexamples for the above formulae, and for all our BMC methods, as well as for MCK are shown in Table 5.
Performance evaluation
The experimental results show that the SAT-based BMC with the IS semantics outperforms the SAT-based BMC with the IIS semantics in both the memory consumption and the execution time (as shown below in the line charts), but for the BDD-based BMC this is the other way around. The reason for this is that the SAT-based BMC with the IS semantics produces a significantly smaller set of clauses (as shown in Table 6), and the SAT solver is given this smaller set. Moreover, the set of clauses produced by the SAT-based BMC with the IS semantics is not only smaller, but also 'easier' for the SAT solver, which further boosts the performance of the SAT-based BMC method with the IS semantics. The reason for the inferiority of the BDD-based BMC with the IS semantics in all of our results most likely follows from the fact that in the IS semantics the BDD-based approach is faced with larger sets of successors in each iteration, compared to the IIS case.
As one can see from the line charts for the FTC system, in the case of this benchmark over the IIS semantics, the BDD-based BMC performs much better in terms of the total time and the memory consumption for the formula \(\varphi _1\). More precisely, in the time limit set for the benchmarks, the BDD-based BMC is able to verify the formula \(\varphi _1\) for 2,500 trains, while the SAT-based BMC can handle 650 trains only. For \(\varphi _2\) the BDD-based BMC is still more efficient—it is able to verify 1,700 trains, whereas the SAT-based BMC verifies only 450 trains. However, in the case of the IS semantics the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formula \(\varphi _1\) for 5,500 trains, while the BDD-based BMC can handle 16 trains only. Similarly, in the case of the formula \(\varphi _2\) the SAT-based BMC is able to verify 1,800 trains, while the BDD-based BMC computes the results for 16 trains only.
As one can see from the line charts for the FGPP system, in the case of this benchmark over the IIS semantics the SAT-based BMC performs much better in terms of the total time and the memory consumption for the formulae \(\varphi _2,\,\varphi _3\), and \(\varphi _4\), but it is worse for the formula \(\varphi _1\). More precisely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _2,\,\varphi _3\) and \(\varphi _4\), respectively, for 35, 1200, and 1100 nodes, while the BDD-based BMC computes the results, respectively, for 30, 10, and 600 nodes only. In the case of the formula \(\varphi _1\) the BDD-based BMC is able to verify the formula for 40 nodes, whereas the SAT-based BMC can verify this formula for 30 nodes only. Here, the reason for the higher efficiency of the BDD-based BMC is the presence of the knowledge operator, which causes the partitioning of the problem into several smaller ELTL verification problems that are handled much better by the operations on BDDs. The reason for the higher efficiency of the SAT-based BMC for the formulae \(\varphi _2\) and \(\varphi _3\) is the translation, which uses only one symbolic \(k\)-path, whereas the higher efficiency for the formula \(\varphi _4\) results from the constant length of the counterexample.
As far as the FGPP system under the IS semantics is considered, the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _1,\,\varphi _2,\,\varphi _3\) and \(\varphi _4\), respectively, for 40, 55, 1300 and 1200 nodes, while the BDD-based BMC computes the results, respectively, for 6, 5, 9 and 13 nodes only.
As one can see from the line charts for the DC system, in the case of this benchmark over the IIS semantics the BDD-based approach significantly outperforms the SAT-based BMC for the formulae \(\varphi _1\) and \(\varphi _3\), but for the formula \(\varphi _2\) this is the other way around. Namely, in the set time limit, the BDD-based BMC is able to verify the formulae \(\varphi _1\) and \(\varphi _3\) for 12 cryptographers, while the SAT-based BMC computes the results, respectively, for 6 and 5 cryptographers only. In the case of the formula \(\varphi _2\) the SAT-based BMC computes the results for 2,300 cryptographers, whereas the BDD-based BMC for 15 only.
For the formulae \(\varphi _1\) and \(\varphi _3\) the reason for the higher efficiency of the BDD-based BMC is that the SAT-based BMC deals with a huge number of symbolic \(k\)-paths. In the case of \(\varphi _1\) this number results from the fact that \(\varphi _1\) contains a disjunction of knowledge operators, whereas in the case of \(\varphi _3\) the huge number of symbolic \(k\)-paths follows from the fact that \(\varphi _3\) contains the common knowledge operator. The noticeable superiority of the SAT-based BMC for \(\varphi _2\) follows from two facts: (1) the length of the SAT counterexample is constant and very small, and (2) the number of symbolic paths in the SAT counterexample is small (only 2 symbolic \(k\)-paths).
As far as the DC system under the IS semantics is considered, the SAT-based BMC is superior to the BDD-based BMC for all the tested formulae. Namely, in the set time limit, the SAT-based BMC is able to verify the formulae \(\varphi _1,\,\varphi _2\), and \(\varphi _3\), respectively, for 16, 2,350 and 11 cryptographers, while the BDD-based BMC computes the results, respectively, for 4, 7 and 4 cryptographers only.
For the IIS semantics, the reordering of the BDD variables does not cause any improvement of the performance in the case of the benchmarks FTC and FGPP, but for the benchmark DC it reduces the memory consumption. This means that the fixed interleaving order we used can often be considered optimal, but the loss in the verification time spent on reordering the variables, in favour of reducing the memory consumption, is also not significant and is often worth the trade-off. Therefore, in the results for IIS we include only the BDD-based BMC variant using automatic reordering of the variables. In the case of the IS semantics the fixed interleaving order appears to be more efficient than the reordering method used. For this reason, we include only the results for the fixed interleaving order.
From our analyses we can conclude that the BDD-based BMC method is more efficient when verifying systems with the IIS semantics, whereas the SAT-based BMC method is superior when used with systems with the IS semantics. Moreover, in most cases, the BDD-based BMC spends a considerable amount of time on encoding the system, whereas the SAT-based BMC spends it on verifying the formula. Therefore, the BDD-based BMC may provide additional time gains when verifying multiple specifications of the same system.
Comparison with MCK
While MCK enables verification of LTLK properties and implements the semantics of IS, it differs from our approaches in the way in which the systems are specified. We carefully inspected how the systems are represented in MCK and what a state is composed of, using the feature of printing out the state space for explicit-state reachability analysis, and noticed that the differences with our modelling are not merely syntactic. The state space is constructed by MCK in a significantly different way; for example, a program counter is added for each agent, and channels are the standard way of inter-process communication.
Taking the above facts into account, we have found it unjustified to try to obtain exactly the same numbers of states as those reported by our tools. Reaching this aim might not be possible at all, or would require specifying the examples for MCK in an unnatural way, possibly penalising the performance. Instead, we have done our best to model the benchmarks in MCK in a way as close as possible to our approach, while keeping the modelling similar to the examples distributed with MCK and available at the MCK web page. To this aim we have used the observable semantics while dealing with the knowledge of agents, as opposed to the perfect recall semantics, which is also available in MCK.
Next, we have modelled concurrent executions in the analysed systems by means of message-passing communication instead of handshake communication. The reason is that in the message-passing communication model the protocol specification for an agent allows a communication channel to be passed as an argument, which enables establishing a two-point communication. Based on the knowledge available to the user, a corresponding construction for the handshaking approach is unsupported by MCK, as an agent identifier cannot be used as an argument in the protocol definition. The handshaking communication is used in the MCK example benchmarks and in the documentation for unscalable systems only. In the Dining Cryptographers code available at the MCK web page, the message-passing communication approach is used.
Therefore, forcing the handshaking communication model in MCK for our benchmarks would be very unnatural and clearly cause a performance penalty. Further, we have ensured that for each considered benchmark, the counterexamples found by the tools are of similar size, i.e., either they are constant or their complexity is the same with respect to the number of the processes. Of course, we restrict our comparisons to the IS case. While we possibly could force the IIS semantics in the IS systems, this would be inefficient.
In the comparison of MCK with our methods, the lengths of counterexamples behave similarly, i.e. they either unfold to a depth proportional to the benchmark parameter or have a fixed number of steps (with the exception of the DC model, which is described below), thus minimising the factor played by the different communication schemes. These lengths are in general not equal, and do not scale in exactly the same way, which can be seen especially for the formulae \(\varphi _1\) and \(\varphi _2\) for FGPP. This may have two reasons: the way in which the model description is translated into the model itself, and the encoding for checking the requested properties. We can say little about the latter, as no detailed counterexamples are produced by the tool. Concerning the former, we figured out by looking into the structure of the model reported for simple reachability properties that the bigger lengths are caused by a different approach to specifying systems. For example, a synchronous change of state for several components is performed in one step in our approaches, as variable values are represented by interpreted system states. On the contrary, in MCK communications via channels as well as testing and assigning of variables result in more steps. Additionally, sending and receiving messages combined with reading and assigning variables can possibly result in several values of a program counter. The comparison shows that for FGPP and FTC our BDD-BMC and SAT-BMC are superior to MCK for all the tested formulae (sometimes by several orders of magnitude). MCK consumes all the available memory even when the formulae are surprisingly small (approx. \(10^6\) clauses and \(10^5\) variables) compared to those successfully tested in our SAT-based BMC experiments (more than \(10^8\) clauses and variables in some cases).
An additional comment is required for the DC benchmark, where for the formulae \(\varphi _1\) and \(\varphi _3\) there are differences in the length of counterexamples: constant for MCK and linear for our methods. This can be traced back to the presence of the counter. In our modelling, the counter works sequentially. It introduces some limited concurrency, as its actions can interleave with the preceding actions of cryptographers (to a limited degree, because the order of counting cryptographers is fixed). In MCK, there is an XOR operation available, computed in a single step. We have decided not to add a sequential counter in this case, finding it unnatural. However, it should be noted that the models for the DC benchmark are not the same for MCK and our tools, which influences the efficiency when they are explored to the full length (the diameter of the model).
The general conclusion is that while our methods can be found to be much more efficient, MCK offers a much richer specification language, which in certain situations (see DC) results in a more efficient modelling.
Final remarks
We have proposed, implemented, and experimentally evaluated SAT- and BDD-based bounded model checking approaches for ELTLK interpreted over both the standard interpreted systems and the interleaved interpreted systems. The experimental results show that the approaches are complementary, and that the BDD-based BMC approach appears to be superior for the IIS semantics, while the SAT-based approach appears to be superior for the IS semantics. This is a novel and interesting result, which shows that the choice of the semantics should depend on the symbolic method applied.
We have also done our best to provide a comparison of our BMC methods with the MCK tool. This comparison shows that the efficiency of the verification approach is strongly influenced by the semantics used to model MAS, i.e., whether IS or IIS are applied.
In the future we are going to extend the presented algorithms to handle also the \(\mathrm{ECTL}^{*}\mathrm{K}\) properties.
Notes
 1.
We would like to stress that we have used the RBC structure in our BMC implementations since 2003 [50], although we have not stated this explicitly in our previous works.
 2.
Let \(\alpha \) be a formula. Its clausal form is a set of clauses which is satisfiable if and only if \(\alpha \) is satisfiable.
 3.
References
 1.
Abdulla, P. A., Bjesse, P., & Eén, N. (2000). Symbolic reachability analysis based on SAT-solvers. In Proceedings of the 6th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’00). Lecture Notes in Computer Science (Vol. 1785, pp. 411–425). Berlin: Springer.
 2.
Biere, A. (2008). PicoSAT essentials. Journal on Satisfiability Boolean Modeling and Computation (JSAT), 4, 75–97.
 3.
Biere, A., Cimatti, A., Clarke, E., Fujita, M., & Zhu, Y. (1999). Symbolic model checking using SAT procedures instead of BDDs. In Proceedings of the ACM/IEEE Design Automation Conference (DAC’99) (pp. 317–320).
 4.
Biere, A., Cimatti, A., Clarke, E., & Zhu, Y. (1999). Symbolic model checking without BDDs. In Proceedings of the 5th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’99). Lecture Notes in Computer Science (Vol. 1579, pp. 193–207). Berlin: Springer.
 5.
Biere, A., Heljanko, K., Junttila, T., Latvala, T., & Schuppan, V. (2006). Linear encodings of bounded LTL model checking. Logical Methods in Computer Science, 2(5:5), 1–64.
 6.
Bordini, R., Fisher, M., Pardavila, C., Visser, W., & Wooldridge, M. (2003). Model checking multiagent programs with CASP. In Proceedings of the 15th International Conference on Computer Aided Verification (CAV’03). Lecture Notes in Computer Science (Vol. 2725, pp. 110–113). Berlin: Springer.
 7.
Bordini, R. H., Fisher, M., Wooldridge, M., & Visser, W. (2009). Property-based slicing for agent verification. Journal of Logic and Computation, 19(6), 1385–1425.
 8.
Bulling, N., & Jamroga, W. (2010). Model checking agents with memory is harder than it seemed. In Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems (AAMAS’10) (pp. 633–640). International Foundation for Autonomous Agents and Multiagent Systems.
 9.
Cabodi, G., Camurati, P., & Quer, S. (2002). Can BDD compete with SAT solvers on bounded model checking? In Proceedings of the 39th Design Automation Conference (DAC’02) (pp. 117–122).
 10.
Chaum, D. (1988). The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1(1), 65–75.
 11.
Clarke, E., Grumberg, O., & Hamaguchi, K. (1994). Another look at LTL model checking. In Proceedings of the 6th International Conference on Computer Aided Verification (CAV’94). Lecture Notes in Computer Science (Vol. 818, pp. 415–427). Berlin: Springer.
 12.
Clarke, E., Grumberg, O., & Peled, D. (1999). Model checking. Cambridge: MIT Press.
 13.
Copty, F., Fix, L., Fraer, R.., Giunchiglia, E., Kamhi, G.., Tacchella, A., & Vardi, M. (2001). Benefits of bounded model checking at an industrial setting. In Proceedings of the 13th International Conference on Computer Aided Verification (CAV’01). Lecture Notes in Computer Science (Vol. 2102, pp. 436–453). Berlin: Springer.
 14.
Dennis, L. A., Fisher, M., Webster, M. P., & Bordini, R. H. (2012). Model checking agent programming languages. Automated Software Engineering, 19(1), 5–63.
 15.
Etessami, K., & Holzmann, G. J. (2000). Optimizing büchi automata. In Proceedings of the 11th International Conference on Concurrency Theory (CONCUR’00). Lecture Notes in Computer Science (Vol. 1877, pp. 153–167). Berlin: Springer.
 16.
Fagin, R., Halpern, J. Y., Moses, Y., & Vardi, M. (1995). Reasoning about Knowledge. Cambridge: MIT Press.
 17.
Gammie, P., & Meyden, R. (2004). MCK: Model checking the logic of knowledge. In Proceedings of the 16th International Conference on Computer Aided Verification (CAV’04). Lecture Notes in Computer Science (Vol. 3114, pp. 479–483). Berlin: Springer.
 18.
Gastin, P., & Oddoux, D. (2001). Fast LTL to Büchi automata translation. In Proceedings of the 13th International Conference on Computer Aided Verification (CAV’01). Lecture Notes in Computer Science (Vol. 2102, pp. 53–65). Berlin: Springer.
 19.
Gerth, R., Peled, D., Vardi, M., & Wolper, P. (1995). Simple onthefly automatic verification of linear temporal logic. In Proceedings of IFIP/WG6.1 Symposium. Protocol Specification, Testing and Verification (PSTV’95) (pp. 3–18). Chapman & Hall.
 20.
Halpern, J., & Vardi, M. (1991). Model checking vs. theorem proving: A manifesto. In Proceedings of the 2nd International Conference on Principles of Knowledge Representation and Reasoning (KR’91) (pp. 325–334). Cambridge: Morgan Kaufmann.
 21.
Hoek, W., & Wooldridge, M. (2003). Cooperation, knowledge, and time: Alternatingtime temporal epistemic logic and its applications. Studia Logica, 75(1), 125–157.
 22.
Hoek, W. V., & Wooldridge, M. (2002). Model checking knowledge and time. In Proceedings of the 9th International SPIN Workshop on Model Checking of Software (SPIN’2002). Lecture Notes in Computer Science (Vol. 2318, pp. 95–111). Berlin: Springer.
 23.
Huang, X., Luo, C., & van der Meyden, R. (2011). Improved bounded model checking for a fair branchingtime temporal epistemic logic. In Proceedings of the 6th Workshop on Model Checking and Artificial Intelligence (MoChArt’2010), LNAI (Vol. 6572, pp. 95–111). Berlin: Springer.
 24.
Jamroga, W., & Dix, J. (2008). Model checking abilities of agents: A closer look. Theory of Computing Systems, 42(3), 366–410.
 25.
Jamroga, W., & Penczek, W. (2012). Specification and verification of multiagent systems. In Lectures on Logic and Computation (ESSLLI’2010, ESSLLI’2011). Lecture Notes in Computer Science (Vol. 7388, pp. 210–263). Berlin: Springer.
 26.
Jones, A. V., & Lomuscio, A. (2010). Distributed BDDbased BMC for the verification of multiagent systems. In Proceedings of the 9th International Conference on Autonomous Agents and MultiAgent systems (AAMAS’2010) (pp. 675–682). Toronto: IFAAMAS Press.
 27.
Kacprzak, M., Lomuscio, A., Niewiadomski, A., Penczek, W., Raimondi, F., & Szreter, M. (2006). Comparing BDD and SAT based techniques for model checking Chaum’s dining cryptographers protocol. Fundamenta Informaticae, 72(1–2), 215–234.
 28.
Kacprzak, M., Nabiałek, W., Niewiadomski, A., Penczek, W., Półrola, A., Szreter, M., et al. (2008). Verics 2007—a model checker for knowledge and realtime. Fundamenta Informaticae, 85(1–4), 313–328.
 29.
Lomuscio, A., Lasica, T., & Penczek, W. (2003). Bounded model checking for interpreted systems: Preliminary experimental results. In Proceedings of the 2nd NASA Workshop on Formal Approaches to AgentBased Systems (FAABS’02), LNAI (Vol. 2699, pp. 115–125). Berlin: Springer.
 30.
Lomuscio, A., Pecheur, C., & Raimondi, F. (2007). Automatic verification of knowledge and time with nusmv. In Proceedings of International Conference on Artificial Intelligence (IJCAI’07) ( pp. 1384–1389).
 31.
Lomuscio, A., Penczek, W., & Qu, H. (2010). Partial order reduction for model checking interleaved multiagent systems. In Proceedings of the 9th International Conference on Autonomous Agents and MultiAgent systems (AAMAS’2010) (pp. 659–666). Toronto: FAAMAS Press.
 32.
Lomuscio, A., Penczek, W., & Woźna, B. (2007). Bounded model checking for knowledge and real time. Artificial Intelligence, 171, 1011–1038.
 33.
Mȩski, A., Penczek, W., & Szreter, M. (2011). Bounded model checking linear time and knowledge using decision diagrams. In Proceedings of the International Workshop on Concurrency, Specification and Programming (CS &P’11) (pp. 363–375).
 34.
Mȩski, A., Penczek, W., & Szreter, M. (2012). BDDbased bounded model checking for LTLK over two variants of interpreted systems. In Proceedings of 5th International Workshop on Logics, Agents, and Mobility (pp. 35–50).
 35.
Mȩski, A., Penczek, W., Szreter, M., WoźnaSzcześniak, B., & Zbrzezny, A. (2012). Bounded model checking for knowledge and linear time. In Proceedings of the 11th International Conference on Autonomous Agents and MultiAgent systems (AAMAS’2012) (pp. 1447–1448). Toronto: IFAAMAS Press.
 36.
Mȩski, A., Penczek, W., Szreter, M., WoźnaSzcześniak, B., & Zbrzezny, A. (2012). Two approaches to bounded model checking for linear time logic with knowledge. In The Proceedings of the 6th KES International Conference on Agent and MultiAgent Systems, Technologies and Applications (KESAMSTA’2012). Lecture Notes in Computer Science (Vol. 7327, pp. 514–523). Berlin: Springer.
 37.
Mȩski, A., WoźnaSzcześniak, B., Zbrzezny, A. M., & Zbrzezny, A. (2013). Two approaches to bounded model checking for a soft realtime epistemic computation tree logic. In Proceedings of the 10th International Symposium on Distributed Computing and Artificial Intelligence (DCAI’2013), Advances in Intelligent and SoftComputing, (Vol. 217, pp. 483–492). Berlin: Springer.
 38.
Meyden, R., & Shilov, N. V. (1999). Model checking knowledge and time in systems with perfect recall. In Proceedings of the 19th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’99). Lecture Notes in Computer Science (Vol. 1738, pp. 432–445). Berlin: Springer.
 39.
Meyden, R., & Su, K. (2004). Symbolic model checking the knowledge of the dining cryptographers. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW17) (pp. 280–291). IEEE Computer Society.
 40.
Peled D. (1993). All from one, one for all: On model checking using representatives. in Proceedings of the 5th International Conference on Computer Aided Verification (CAV’93). Lecture Notes in Computer Science (Vol. 697, pp. 409–423). Berlin: Springer.
 41.
Penczek, W., & Lomuscio, A. (2003). Verifying epistemic properties of multiagent systems via bounded model checking. Fundamenta Informaticae, 55(2), 167–185.
 42.
Penczek, W., WoźnaSzcześniak, B., & Zbrzezny, A. (2012). Towards SATbased BMC for LTLK over interleaved interpreted systems. Fundamenta Informaticae, 119(3–4), 373–392.
 43.
Raimondi, F., & Lomuscio, A. (2007). Automatic verification of multiagent systems by model checking via OBDDs. Journal of Applied Logic, 5(2), 235–251.
 44.
Somenzi, F. CUDD: CU decision diagram package—release 2.3.1. http://vlsi.colorado.edu/~fabio/CUDD/cuddIntro.html.
 45.
Somenzi, F., Bloem, R. (2000). Efficient Büchi automata from LTL formulae. In Proceedings of the 12th International Conference on Computer Aided Verification (CAV’00). Lecture Notes in Computer Science (Vol. 1855, pp. 248–263). Berlin: Springer.
 46.
Su, K., Sattar, A., & Luo, X. (2007). Model checking temporal logics of knowledge via OBDDs. The Computer Journal, 50(4), 403–420.
 47.
Troquard, N., Hoek, W. V. D., & Wooldridge, M. (2009). Model checking strategic equilibria. In Proceedings of the 5th International Workshop on Model Checking and Artificial Intelligence (MOCHART’2008), LNAI (Vol. 5348, pp. 166–188). Berlin: Springer.
 48.
Wooldridge, M. (2002). An introduction to multiagent systems. Chichester: Wiley.
 49.
Woźna, B., Lomuscio, A., & Penczek, W. (2005). Bounded model checking for deontic interpreted systems. In Proceedings of the 2nd International Workshop on Logic and Communication in MultiAgent Systems (LCMAS’04), ENTCS (Vol. 126, pp. 93–114). Amsterdam: Elsevier.
 50.
Woźna, B., Zbrzezny, A., & Penczek, W. (2003). Checking reachability properties for timed automata via SAT. Fundamenta Informaticae, 55(2), 223–241.
 51.
WoźnaSzcześniak, B., & Zbrzezny, A. (2012). Satbased bounded model checking for deontic interleaved interpreted systems. In The Proceedings of the 6th KES International Conference on Agent and MultiAgent Systems, Technologies and Applications (KESAMSTA’2012). Lecture Notes in Computer Science (Vol. 7327, pp. 494–503). Berlin: Springer.
 52.
WoźnaSzcześniak, B., & Zbrzezny, A. (2013). SATbased bmc for deontic metric temporal logic and deontic interleaved interpreted systems. In Declarative Agent Languages and Technologies X. The 10th International Workshop (DALT’2012), LNAI (Vol. 7784, pp. 70–189). Berlin: Springer.
 53.
WoźnaSzcześniak, B., Zbrzezny, A. M., & Zbrzezny, A. (2011). The BMC method for the existential part of RTCTLK and interleaved interpreted systems. In In Proceedings of the 15th Portuguese Conference on Artificial Intelligence (EPIA’2011), LNAI (Vol. 7026, pp. 551–565). Berlin: Springer.
 54.
Zbrzezny, A. (2008). Improving the translation from ECTL to SAT. Fundamenta Informaticae, 85(1–4), 513–531.
 55.
Zbrzezny, A. (2012). A new translation from \(\text{ ECTL }^{*}\) to SAT. Fundamenta Informaticae, 120(3–4), 377–397.
Acknowledgments
Partly supported by the National Science Centre under Grants No. 2011/01/B/ST6/05317 and 2011/01/B/ST6/01477. Artur Mȩski acknowledges the support of the EU, European Social Fund, Project PO KL “Information technologies: Research and their interdisciplinary applications” (UDA-POKL.04.01.01-00-051/10-00).
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.
Cite this article
Mȩski, A., Penczek, W., Szreter, M., Woźna-Szcześniak, B., & Zbrzezny, A. BDD- versus SAT-based bounded model checking for the existential fragment of linear temporal logic with knowledge: algorithms and their performance. Autonomous Agents and Multi-Agent Systems, 28, 558–604 (2014). https://doi.org/10.1007/s10458-013-9232-2
Keywords
 Bounded model checking
 Binary decision diagrams
 Propositional satisfiability problem (SAT)
 Interpreted systems
 Interleaved interpreted systems
 Epistemic linear temporal logic