1 Introduction

Formal verification relies on the fact that formal specifications, which are precise descriptions of the design requirements, are either readily available or can be constructed easily. This assumption, however, often proves to be unrealistic as constructing specifications manually is not only tedious but also prone to errors. As a result, for years, the availability of precise, functional, and usable specifications has been one of the biggest bottlenecks of formal methods [3, 14, 50].

To tackle this serious limitation, recent research has concentrated on automatically generating specifications, especially in temporal logics. There is a large body of works targeted towards learning specifications in linear-time logics such as Linear Temporal Logic (LTL) [19, 41], Metric Temporal Logic (MTL) [45], Signal Temporal Logic (STL) [15, 39], etc. These approaches not only generate reliable specifications but can also be used to infer interpretable descriptions for complex temporal behaviors.

Along with linear-time logics, branching-time logics have had a significant impact on formal verification. Computation Tree Logic (CTL) [24], which combines temporal operators such as \({{\,\mathrm{\textbf{X}}\,}}\) (next), \({{\,\mathrm{\textbf{F}}\,}}\) (finally), \({{\,\mathrm{\textbf{G}}\,}}\) (globally) with the branching quantifiers \({{\,\mathrm{\textbf{E}\!}\,}}\) (exists) and \({{\,\mathrm{\textbf{A}\!}\,}}\) (all), is a specification language of choice for numerous verification tools [11, 22, 30]. Alternating-time Temporal Logic (ATL) [1], which augments CTL with a “cooperation” quantifier \(\langle \!\langle \cdot \rangle \!\rangle \) to reason about interaction of multiple agents, is popular in specifying properties for distributed and multi-agent systems [2, 36] and has several applications in AI domains [29, 38].

Despite the significance of branching-time logics, learning such specifications has received considerably less attention. The few existing works handle the problem of completing user-defined queries [20], i.e., specifications with missing parts, or searching for specifications based on few restricted templates [54] such as \({{\,\mathrm{\textbf{A}\!}\,}}{{\,\mathrm{\textbf{F}}\,}}?\), \({{\,\mathrm{\textbf{A}\!}\,}}{{\,\mathrm{\textbf{G}}\,}}(?_1 \rightarrow {{\,\mathrm{\textbf{F}}\,}}?_2)\), etc. These works are limited in their generality and require one to handcraft queries/templates suitable for learning.

Towards learning arbitrary branching-time properties, we consider the passive learning problem for both CTL and ATL. This problem requires, given a sample \(\mathcal {S}\) of positive (or desirable) and negative (or undesirable) structures, to infer a minimal CTL/ATL formula that is consistent with \(\mathcal {S}\). Passive learning is widely studied in the literature [13, 27, 41] and forms a significant part of many learning frameworks [19, 48] (see Sect. 3 for elaboration). In our learning problem, we consider, as input, structures typical for describing branching behavior: Kripke structures (KSs) and concurrent game structures (CGSs), which model single and multi-agent systems, respectively.

To address the passive learning problem, we design algorithms for CTL and ATL that employ constraint-solving techniques to learn prospective formulas. Following Neider and Gavran [41], our algorithms search for prospective formulas of size n for a given sample \(\mathcal {S}\), by encoding the problem into the satisfiability of a propositional formula \(\varOmega ^{\mathcal {S}}_{n}\). This formula is then solved using an off-the-shelf SAT solver to obtain a CTL/ATL formula of size n if one exists. The crux of the SAT encoding lies in symbolically encoding both the structure of the formula and the standard fixed-point based model-checking for the symbolic formula.

To present the technical details of the encoding, we focus on passive learning of ATL formulas from CGSs, as ATL and CGSs generalize CTL and KSs for multi-agent settings, respectively. In particular, restricting the number of agents to one simply reduces ATL to CTL and CGSs to KSs. Nonetheless, we highlight aspects of the learning algorithm that improve in the case of CTL passive learning.

We also initiate the theoretical study of the ATL passive learning problem . We study the decision problem of whether there is an ATL formula consistent with \(\mathcal {S}\). We extend already existing results for CTL to the case of ATL: we show that the decision problem for full ATL can be solved in polynomial time (Theorem 1, extending [17, Thm. 3.2, 3.9]). We also show that, for any fragment of ATL, the same decision problem can be decided in exponential time (Theorem 2, extending [34, Thm. 3]). In the same theorem, we exhibit an exponential bound on the size of the formulae that need to be considered to find a consistent one, regardless of the fragment considered (parallelizing [43, Coro. 1]).

We have implemented our learning algorithms in an open-source prototype that can access an array of SAT solvers. We evaluate the prototype on synthetic benchmarks consisting of samples of KSs and CGSs that reflect typical branching-time properties. We observed that our algorithms display the ability to learn formulas from samples of varying sizes. Further, we demonstrated improvements to the SAT encoding for enhanced runtime performance.

We include all missing proofs and experiments in an extended version [16].

Related Works. As alluded to above, most of the works in inferring temporal logics focus on linear-time logics. For LTL, many works consider learning based on handcrafted templates or queries, which are incomplete formulas [31, 35, 51]. Few others learn formulas of arbitrary syntactic structure in LTL (or its important fragments) either by exploiting constraint solving [19, 41, 46] or efficient enumerative search [44, 52]. Some recent works rely on neuro-symbolic approaches to learn LTL formulas from noisy data [37, 53]. For STL, most works focus on learning formulas of particular syntactic structure [15, 15] or searching time intervals for STL formulas of known structure [6, 32, 33]. A handful of works consider learning STL formulas of arbitrary structure [39, 42]. There are also works on learning several other logics such as Metric Temporal Logic [45], Past LTL [5], Property Specification Language [47], etc. In contrast, research on learning branching-time properties remains relatively sparse. Chan [20] considers the problem of completing CTL queries—incomplete CTL formulas with missing (Boolean combinations of) atomic propositions. A related work by Wasylkowski and Zeller [54] considers inferring operational preconditions for Java methods in CTL. Both of these works are limited in their ability to search through large number of CTL formulas of arbitrary syntactic structure. As a result, they resort to user-defined queries or handcrafted templates to reduce the search space of specifications.

A recent paper by Pommellet et al. [43] addresses the problem of learning CTL formulas from a sample of Kripke structures (KSs). Their learning algorithm follows a SAT-based paradigm and uses an encoding similar to ours. Our encoding for CTL was developed independently [49]. In this paper, we study the more general problem of learning ATL formulas from CGSs, which conceptually subsumes the problem of learning CTL formulas from KSs.

Another work that devises a similar encoding is the one by Bertrand et al. [12]. Their SMT encoding, albeit similar, is tailored towards solving a different problem of synthesizing small models for probabilistic CTL (PCTL) formulas.

2 Preliminaries

We refer to the set of positive integers by \(\mathbb {N}_1\). For \(n \in \mathbb {N}_1\), we let \(\llbracket 1,n \rrbracket \subseteq \mathbb {N}_1\) denote the set \(\{ 1,\ldots ,n \}\). For a non-empty set Q, we let \(Q^*,Q^+,Q^\omega \) denote the set of finite, non-empty finite, and infinite sequences of elements in Q, respectively. For all \(\bullet \in \{ *,+,\omega \}\), \(\rho \in Q^\bullet \), and \(i \in \mathbb {N}\), if \(\rho \) has at least \(i+1\) elements, we let \(\rho [i] \in Q\) denote the \((i+1)\)-th element in \(\rho \), \(\rho [:i] \in Q^+\) denote the finite sequence \(\rho _0 \cdots \rho _i \in Q^+\), and \(\rho [i:] \in Q^\bullet \) denote the sequence \(\rho _i \cdots \in Q^\bullet \).

2.1 Concurrent Game Structure (CGS) and Kripke Structure

We model multi-agent systems with concurrent game structures defined below.

Definition 1

A concurrent game structure (CGS for short) is a tuple \(C = \langle Q,I,k,\mathcal {P}, \pi , d,\delta \rangle \) where Q is the finite set of states, \(I \subseteq Q\) is the set of initial states, \(k \in \mathbb {N}_1\) is the number of agents, we denote by \(\textsf{Ag}:= \llbracket 1,k \rrbracket \) the set of k agents. Furthermore, \(\mathcal {P}\) is the finite set of propositions (or observations) , \(\pi : Q\mapsto 2^{\mathcal {P}}\) maps each state \(q\in Q\) to the set of propositions \(\pi (q) \subseteq \mathcal {P}\) that hold in q. Finally, \(d: Q \times \textsf{Ag}\rightarrow \mathbb {N}_1\) maps each state and agent to the number of actions available to that agent at that state, and \(\delta : Q_\textsf{Act} \rightarrow Q\) is the function mapping every state and tuple of one action per agent to the next state, where \(Q_\textsf{Act} := \cup _{q \in Q} Q_\textsf{Act}(q)\) with \(Q_\textsf{Act}(q) := \{ (q,\alpha _1,\ldots ,\alpha _k) \mid \forall a \in \textsf{Ag},\; \alpha _a \in \llbracket 1,d(q,a) \rrbracket \}\) representing the set of tuples of actions available to the players at state q.

For all \(q \in Q\) and \(A \subseteq \textsf{Ag}\), we let \(\textsf{Act}_A(q) := \{ \alpha = (\alpha _a)_{a \in A} \in \prod _{a \in A} \{a\} \times \llbracket 1,d(q,a) \rrbracket \}\). Then, for all tuple \(\alpha \in \textsf{Act}_A(q)\) of one action per agent in A, we let:

$$\begin{aligned} \textsf{Succ}(q,\alpha ) := \{ q' \in Q \mid \exists \alpha ' \in \textsf{Act}_{\textsf{Ag}\setminus A}(q),\; \delta (q,(\alpha ,\alpha ')) = q' \} \end{aligned}$$

When \(k = 1\), the CGS C is called a Kripke structure. In that case, for all states \(q \in Q\), we have the set \(\textsf{Succ}(q) \subseteq Q\) of the successor states of Q.

Finally, we define the size |C| of the structure C by \(|C| = |Q_\textsf{Act}| + |\mathcal {P}| + |\textsf{Ag}|\).

Unless otherwise stated, a CGS C refers to the tuple \(C = \langle Q,I,k,\mathcal {P}, \pi , d,\delta \rangle \).

In a CGS, a strategy for an agent is a function that prescribes to the agent what to do as a function of the history of the game, i.e., the finite sequence of states seen so far. Moreover, given a coalition of agents and a tuple of one strategy per agent in the coalition, we define the set of infinite sequences of states that can occur with this tuple of strategies. Formally, we define this as follows.

Definition 2

Consider a CGS C and an agent \(a \in \textsf{Ag}\). A strategy for Agent a is a function \(s_a: Q^+ \rightarrow \mathbb {N}_1\) such that, for all \(\rho = \rho _0 \dots \rho _n \in Q^+\), we have \(s_a(\rho ) \le d(\rho _n,a)\). We let \(\textsf{S}_a\) denote the set of strategies available to Agent a.

Given a coalition (or subset) of agents \(A \subseteq \textsf{Ag}\), a strategy profile for the coalition A is a tuple \(s = (s_a)_{a \in A}\) of one strategy per agent in A. We denote by \(\textsf{S}_A\) the set of strategy profiles for the coalition A. For all \(s \in \textsf{S}_A\) and \(q \in Q\), we let \(\textsf{Out}^Q(q,s) \subseteq Q^\omega \) denote the set of infinite paths \(\rho \) compatible with s from q:

$$\begin{aligned} \textsf{Out}^Q(q,s) := \{ \rho \in Q^\omega \mid \rho [0] = q,\; \forall i \in \mathbb {N}, \rho [i+1] \in \textsf{Succ}(\rho [i],(s_a(\rho [:i]))_{a \in A}) \} \end{aligned}$$

2.2 Alternating-Time Temporal Logic

Alternating-time Temporal Logic (ATL) is a temporal logic that takes into accounts strategic behavior of the agents. It can be seen as a generalization of Computation Tree Logic (CTL) with more than one agent. There are two different kinds of ATL formulas: state formulas—where propositions and strategic operators occur—and path formulas – where temporal operators occur. To avoid confusion, we denote state formulas and path formulas with Greek capital letters and Greek lowercase letters, respectively. ATL state formulas over a set of propositions \(\mathcal {P}\) and a set of agents \(\textsf{Ag}\) are given by the grammar:

figure b

where \(p\in \mathcal {P}\) is a proposition, \(A \subseteq \textsf{Ag}\) is a coalition of agents and \(\varphi \) is a path formula. We include the Boolean constants \({{\,\mathrm{\textit{true}}\,}}\) and \({{\,\mathrm{\textit{false}}\,}}\) and other operators such as \(\varPhi \vee \varPhi _2\) and \(\varPhi _1\Rightarrow \varPhi _2\). Next, ATL path formulas are given by the grammar:

figure c

where \({{\,\mathrm{\textbf{X}}\,}}\) is the neXt operator, \({{\,\mathrm{\textbf{U}}\,}}\) is the Until operator, and \({{\,\mathrm{\textbf{G}}\,}}\) is the Globally operator. As syntactic sugar, we allow standard temporal operators \({{\,\mathrm{\textbf{F}}\,}}\), the Finally operator, which is defined in the usual manner: for any coalition of agents \(A \subseteq \textsf{Ag}\): \(\langle \!\langle A\rangle \!\rangle \! {{\,\mathrm{\textbf{F}}\,}}\varPhi {:}{=}\langle \!\langle A\rangle \!\rangle ({{\,\mathrm{\textit{true}}\,}}{{\,\mathrm{\textbf{U}}\,}}\varPhi )\).

A CTL formula is an ATL formula on a single agent \(\textsf{Ag}= \{1\}\). In particular, the path quantifiers of CTL can be obtained as follows: \({{\,\mathrm{\textbf{E}\!}\,}}\ \!\equiv \langle \!\langle 1\rangle \!\rangle \) and \({{\,\mathrm{\textbf{A}\!}\,}}\ \!\equiv \langle \!\langle \rangle \!\rangle \).

The size \(|\varPhi |\) of an ATL formula \(\varPhi \) is then defined as size of the set of sub-formulas: \(|\varPhi | := |\textsf{SubF}(\varPhi )|\), which is defined inductively as follows:

  • \(\textsf{SubF}(p) := \{ p \}\) for all \(p \in \mathcal {P}\);

  • \(\textsf{SubF}(\lnot \varPhi ) := \{ \lnot \varPhi \} \cup \textsf{SubF}(\varPhi )\);

  • \(\textsf{SubF}(\varPhi _1 \wedge \varPhi _2) := \{ \varPhi _1 \wedge \varPhi _2 \} \cup \textsf{SubF}(\varPhi _1) \cup \textsf{SubF}(\varPhi _2)\);

  • \(\textsf{SubF}(\langle \!\langle A\rangle \!\rangle \! \bullet \varPhi ) := \{ \langle \!\langle A\rangle \!\rangle \! \bullet \varPhi \} \cup \textsf{SubF}(\varPhi )\) for \(\bullet \in \{ {{\,\mathrm{\textbf{X}}\,}},{{\,\mathrm{\textbf{G}}\,}}\}\) and \(A \subseteq \textsf{Ag}\);

  • \(\textsf{SubF}(\langle \!\langle A\rangle \!\rangle (\varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2)) := \{ \langle \!\langle A\rangle \!\rangle (\varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2) \} \cup \textsf{SubF}(\varPhi _1) \cup \textsf{SubF}(\varPhi _2)\) for \(A \subseteq \textsf{Ag}\).

We interpret ATL formulas over CGSs C using the standard definitions [1]. Given a state \(q \in Q\), we define when a state formula \(\varPhi \) holds in state q—denoted by \(q\models \varPhi \)—inductively as follows:

$$\begin{aligned} q \models p & \text { iif } p \in \pi (q), \\ q \models \lnot \varPhi & \text { iif } q \not \models \varPhi , \\ q\models \varPhi _1\wedge \varPhi _2 & \text { iif } q\models \varPhi _1 \text { and } q\models \varPhi _2, \\ q\models \langle \!\langle A\rangle \!\rangle \varphi & \text { iif } \exists s \in \textsf{S}_A,\; \forall \rho \in \textsf{Out}^Q(q,s),\; \rho \models \varphi \end{aligned}$$

Similarly, given a path \(\rho \in Q^\omega \) and a path formula \(\varphi \), we define when \(\varphi \) holds on path \(\rho \), denoted \(\rho \models \varphi \) as above, inductively as follows:

$$\begin{aligned} \rho \models {{\,\mathrm{\textbf{X}}\,}}\varPhi &\text { iif } \rho [1:] \models \varPhi \\ \rho \models \varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2 & \text { iif } \exists j \in \mathbb {N},\; \rho [j] \models \varPhi _2 \text {, and }\forall k < j, \rho [k:]\models \varPhi _1 \\ \rho \models {{\,\mathrm{\textbf{G}}\,}}\varPhi & \text { iif } \forall j \in \mathbb {N},\; \rho [j:] \models \varPhi \end{aligned}$$

We say that an ATL formula \(\varPhi \) accepts (resp. rejects) a state q if \(q \models \varPhi \) (resp. \(q \not \models \varPhi \)). We say that it distinguishes two states \(q,q'\) if it accepts one and rejects the other. Finally, we then say that the ATL formula \(\varPhi \) accepts a CGS C, denoted by \(C\models \varPhi \), if \(\varPhi \) accepts all initial states of C.

Remark 1

When evaluated on turn-based game structures (i.e., where, at each state, at most one player has more than one action available), the formulas \(\langle \!\langle A\rangle \!\rangle \varphi \) and \(\lnot \langle \!\langle \textsf{Ag}\setminus A\rangle \!\rangle \lnot \varphi \) are equivalent (However, it is not the case when they are evaluated on arbitrary CGSs.)

3 Passive Learning for ATL

In this problem, we are given a sample \(\mathcal {S}=(P,N)\) consisting of a set P of positive structures and a set N of negative structures. The goal is to find a minimal formula \(\varPhi \) that is consistent with \(\mathcal {S}\), i.e., \(\varPhi \) must hold on all positive structures and must not hold on any negative structure. We are specifically searching for a minimal formula and the reason for this is two-fold: (1) the prospective formula will be more interpretable, and (2) it will not overfit the sample [41, 47]. Formally:

Problem 1

(Passive learning of ATL). Given a sample \(\mathcal {S}=(P,N)\) consisting of two finite sets P and N of concurrent game structures (CGSs) with the same set \(\textsf{Ag}\) of agents, find a minimal size ATL formula \(\varPhi \) on \(\textsf{Ag}\) that is consistent with \(\mathcal {S}\).

The passive learning problem of CTL can be obtained by simplifying Problem 1 by use of a single agent \(\textsf{Ag}=\{1\}\), which reduces CGSs to KSs and ATL to CTL.

Before describing our solution to Problem 1, we briefly discuss the source of the positive and negative structures. Passive learning, among several applications, constitutes a critical subroutine of certain learning frameworks. Active learning [4], which involves learning black-box systems by interacting with a teacher, often involves repeated passive learning on the counter-example models, i.e., the feedback, received from the teacher [19]. Furthermore, one-class classification, or learning from positive examples, leverages passive learning to derive candidate formulas [8, 48]. These formulas facilitate the generation of negative examples, which help refine the search for more concise and descriptive formulas.

A concrete application of Problem 1 would be to provide contrastive explanations [31] in a multi-agent setting. Consider a multi-agent system that is deemed to have some “good” positions and some “bad” positions. This system would yield positive and negative CGSs corresponding to the good and bad positions. To explain the dichotomy between these good and bad positions, one can learn an ATL formula that accepts the positive CGSs and rejects the negative ones.

3.1 SAT-Based Learning Algorithm

Our approach to solving Problem 1 is by reducing it to satisfiability problems in propositional logic. We thus provide a brief introduction to propositional logic.

Propositional Logic. Let \(\textsf{Var}\) be a set of propositional variables that can be set to Boolean values from \(\mathbb {B}= \{0,1\}\) (0 representing \({{\,\mathrm{\textit{false}}\,}}\) and 1 representing \({{\,\mathrm{\textit{true}}\,}}\)). Formulas in Propositional Logic are inductively constructed as follows:

figure d

To avoid confusion with ATL formulas, we will be exclusively using the letter \(\varOmega \) (along with its variants) to denote propositional formulas.

To assign values to propositional variables, we rely on a valuation function \(v: \textsf{Var} \rightarrow \mathbb {B}\). We exploit the valuation function v to define the satisfaction \(v \models \varOmega \) of a propositional formula \(\varOmega \); we use standard definitions for this. When \(v \models \varOmega \), we say that v satisfies \(\varOmega \) and call it a satisfying valuation of \(\varOmega \). A formula \(\varOmega \) is satisfiable if there exists a satisfying valuation v of \(\varPhi \). The satisfiability (SAT) problem for propositional logic is a well-known \(\textsf{NP}\)-complete problem, which asks if a propositional formula given as input is satisfiable. To handle SAT, numerous optimized decision procedures have been designed in recent years [7, 10, 40].

We now describe a reduction of Problem 1 to SAT , inspired by [19, 41]. Following their work, we design a propositional formula \(\varOmega ^{\mathcal {S}}_n\) that enables the search for an ATL formula of size at most n that is consistent with a sample \(\mathcal {S}\). The formula \(\varOmega ^{\mathcal {S}}_n\) has the following properties:

  1. 1.

    \(\varOmega ^{\mathcal {S}}_n\) is satisfiable if and only if there exists an ATL formula of size at most n that is consistent with \(\mathcal {S}\); and

  2. 2.

    from a satisfying valuation of \(\varOmega ^{\mathcal {S}}_n\), one can easily extract a suitable ATL formula of size at most n.

One can then iteratively search for a minimal, consistent formula: increment n by 1, check satisfiability of \(\varOmega ^{\mathcal {S}}_n\) and extract a formula if satisfiable; else repeat.

The formula \(\varOmega ^{\mathcal {S}}_n\) is defined as a conjunction of subformulas with distinct roles: \(\varOmega ^{\mathcal {S}}_n {:}{=}\varOmega ^{\textsf{str}}_n \wedge \varOmega ^{\textsf{sem}}_n \wedge \varOmega ^{\textsf{con}}_n\). The subformula \(\varOmega ^{\textsf{str}}\) encodes the structure of the prospective ATL formula \(\varPhi \). The subformula \(\varOmega ^{\textsf{sem}}\) encodes that the correct semantics of ATL is used to interpret the prospective ATL formula on the given CGSs. Finally, the subformula \(\varOmega ^{\textsf{con}}\) ensures that the prospective ATL formula holds on the models in P and not in the models in N. The formula used for CTL learning has an identical high-level structure, with similar subformulas.

We now describe the subformulas of \(\varOmega ^{\mathcal {S}}_n\) in detail.

Encoding the Structure of ATL Formulas. The structure of an ATL formula is symbolically encoded as a syntax DAG. A syntax DAG of an ATL formula is simply a syntax tree in which the common nodes are merged. Figure 1 depicts an example of a syntax tree and DAG of an ATL formula.

Fig. 1.
figure 1

Syntax DAG with identifiers (indicated above nodes) of \(\langle \!\langle 2\rangle \!\rangle \!{{\,\mathrm{\textbf{X}}\,}}p \vee \langle \!\langle 1\rangle \!\rangle (p {{\,\mathrm{\textbf{U}}\,}}\langle \!\langle 1,\!3\rangle \!\rangle \!{{\,\mathrm{\textbf{G}}\,}}q )\).

Full size image

To conveniently encode the syntax DAG of an ATL formula, we first fix a naming convention for its nodes. For a formula of size at most n, we assign to each of its nodes an identifier in \(\llbracket 1,n \rrbracket \) such that the identifier of each node is larger than those of its children, if applicable. Note that such a naming convention may not be unique. We then denote the sub-formula of \(\varPhi \) rooted at Node i as \(\varPhi [i]\). Thus, \(\varPhi [n]\) denotes the entire formula \(\varPhi \).

Next, to encode a syntax DAG symbolically, we introduce the following propositional variables: (i) \(x_{i,\lambda }\) for \(i\in \llbracket 1,n \rrbracket \) and \(\lambda \in \mathcal {P}\cup \Lambda \) with \(\Lambda := \{\lnot ,\wedge ,\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{X}}\,}},\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{G}}\,}},\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{U}}\,}}\}\); (ii) \(A_{i,a}\) for \(i\in \llbracket 1,n \rrbracket \) and \(a\in \textsf{Ag}\); and (iii) \(l_{i,j}\) and \(r_{i,j}\) for \(i\in \llbracket 1,n \rrbracket \) and \(j\in \llbracket 1,i-1 \rrbracket \). The variable \(x_{i,\lambda }\) tracks the operator labeled in Node i, meaning, \(x_{i,\lambda }\) is set to true if and only if Node i is labeled with \(\lambda \). The variable \(A_{i,a}\) is relevant only if \(x_{i,\langle \!\langle \cdot \rangle \!\rangle \bullet }\) is set to true for some temporal operator \(\bullet \in \{{{\,\mathrm{\textbf{X}}\,}},{{\,\mathrm{\textbf{G}}\,}},{{\,\mathrm{\textbf{U}}\,}}\}\). In such a case, the variables \((A_{i,a})_{a \in \textsf{Ag}}\) track which agents are in the coalition \(\langle \!\langle \cdot \rangle \!\rangle \) at Node i. The variable \(l_{i,j}\) (resp., \(r_{i,j}\)) tracks the left (resp., right) child of Node i, meaning, \(l_{i,j}\) (resp., \(r_{i,j}\)) is set to true if and only if the left (resp., right) child of Node i is Node j.

To ensure that these variables encode a valid syntax DAG, we impose structural constraints similar to the ones proposed by Neider and Gavran [41]. For instance, the constraint below ensures that each node is labeled with a unique operator:

$$\begin{aligned} \Big [ \bigwedge _{i\in \llbracket 1,n \rrbracket } \bigvee _{\lambda \in \Lambda } x_{i,\lambda } \Big ] \wedge \Big [\bigwedge _{i\in \llbracket 1,n \rrbracket } \bigwedge _{\lambda \ne \lambda ' \in \Lambda } \lnot x_{i,\lambda } \vee \lnot x_{i,\lambda '} \Big ] \end{aligned}$$

We impose similar constraints to ensure that each node has a unique left and right child. The formula \(\varOmega ^{\textsf{str}}_n\) is simply the conjunction of all such structural constraints.

Based on a satisfying valuation v of \(\varOmega ^{\textsf{str}}_n\), one can construct a unique ATL formula: label each Node i with the operator \(\lambda \) for which \(v(x_{i,\lambda })=1\), include players in a coalition for which \(v(A_{i,a})=1\), and mark the left (resp., right) child with Nodes j (resp., \(j'\)) for which \(v(l_{i,j})=1\) (resp., \(v(r_{i,j'})=1\)).

For encoding the structure of CTL, the only difference from that of ATL is that we rely on CTL operators, e.g., \(\Lambda {:}{=}\{\lnot ,\wedge ,{{\,\mathrm{\textbf{E}\!}\,}}{{\,\mathrm{\textbf{X}}\,}},{{\,\mathrm{\textbf{E}\!}\,}}{{\,\mathrm{\textbf{G}}\,}},{{\,\mathrm{\textbf{E}\!}\,}}{{\,\mathrm{\textbf{U}}\,}}\}\).

Encoding the Semantics of ATL Formulas. To symbolically encode the semantics of the prospective ATL formula \(\varPhi \) for a given CGS C, we rely on encoding the ATL model-checking procedure developed in [1, Section 4]. The procedure involves calculating, for each sub-formula \(\varPhi '\) of \(\varPhi \), the set \(\texttt{SAT}_{C}(\varPhi ') = \{q\in Q \mid q\models \varPhi '\}\) of the states of C where \(\varPhi '\) holds. Since we consider ATL formulas, we need to handle the strategic operators \(\langle \!\langle A\rangle \!\rangle \) for \(A \subseteq \textsf{Ag}\). To do so, given a coalition of agents \(A \subseteq \textsf{Ag}\) and some subset of states \(S \subseteq Q\), we let \(\textsf{Pre}_A(S) \subseteq Q\) denote the set of states from which the coalition A has a strategy to enforce reaching the set S in one step. That is: \(\textsf{Pre}_A(S) := \{ q \in Q \mid \exists \alpha \in \textsf{Act}_A(q),\; \textsf{Succ}(q,\alpha ) \subseteq S \}\).

We can now describe how to compute the set \(\texttt{SAT}_{C}(\varPhi )\). It is done inductively on the structure of the ATL formula \(\varPhi \) as follows:

$$\begin{aligned} &\texttt{SAT}_{C}(p) = \{ q \in Q~|~p \in \pi (q) \}, \text { for any }p\in \mathcal {P},\end{aligned}$$
(1)
$$\begin{aligned} &\texttt{SAT}_{C}(\varPhi \wedge \varPsi ) = \texttt{SAT}_{C}(\varPhi ) \cap \texttt{SAT}_{C}(\varPsi ),\end{aligned}$$
(2)
$$\begin{aligned} &\texttt{SAT}_{C}(\lnot \varPhi ) = Q \setminus \texttt{SAT}_{C}(\varPhi ),\end{aligned}$$
(3)
$$\begin{aligned} &\texttt{SAT}_{C}(\langle \!\langle A\rangle \!\rangle \!{{\,\mathrm{\textbf{X}}\,}}\varPhi ) = \textsf{Pre}_A(\texttt{SAT}_{C}(\varPhi )),\end{aligned}$$
(4)
$$\begin{aligned} &\texttt{SAT}_{C}(\langle \!\langle A\rangle \!\rangle (\varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2)) \text { is the smallest }T \subseteq Q, \text { such that }\nonumber \\ &(1)\ \texttt{SAT}_{C}(\varPhi _2) \subseteq T\text { and } (2)\ \texttt{SAT}_{C}(\varPhi _1)\cap \textsf{Pre}_A(T)\subseteq T ,\end{aligned}$$
(5)
$$\begin{aligned} &\texttt{SAT}_{C}(\langle \!\langle A\rangle \!\rangle \!{{\,\mathrm{\textbf{G}}\,}}\varPhi )\text { is the largest }T \subseteq Q,\text { such that }\nonumber \\ &(1)\ T \subseteq \texttt{SAT}_{C}(\varPhi )\text { and }(2)\ T\subseteq \textsf{Pre}_A(T) \end{aligned}$$
(6)

Our goal is to symbolically encode the above-described computation. To do so, we introduce the propositional variables \(y^{C}_{i,q}\) for each \(i\in \llbracket 1,n \rrbracket \), \(q\in Q\) that track whether a state \(q \in Q\) belongs to \(\texttt{SAT}_{C}(\varPhi [i])\) for a sub-formula \(\varPhi [i]\) of \(\varPhi \) . That is, \(y^{C}_{i,q}\) is set to true if and only if \(\varPhi [i]\) holds in state q, i.e. \(q\in \texttt{SAT}_{C}(\varPhi [i])\).

Before defining the propositional formulas that ensure the desired meaning of the variables \(y^{C}_{i,q}\), we introduce formulas to keep track of whether a state belongs to the set \(\textsf{Pre}_A(S)\). Formally, for all \(q \in Q\) and \(i \in \llbracket 1,n \rrbracket \), given any predicate \(y_S: Q \Rightarrow \mathbb {B}\) (encoding a set \(S = (y_S)^{-1}[true] \subseteq Q\)), we define the formula \(\varOmega _{q,i}^{\textsf{Pre}}(y_S)\) that encodes the fact that \(q \in \textsf{Pre}_{A_i}(S)\), where \(A_i\) is the coalition of agents defined by the variables \((A_{i,a})_{a \in \textsf{Ag}}\) . This formula is defined as follows:

$$\begin{aligned} \varOmega _{q,i}^{\textsf{Pre},C}(y_S) := \bigvee _{\alpha \in \textsf{Act}_\textsf{Ag}(q)} \bigwedge _{\alpha ' \in \textsf{Act}_\textsf{Ag}(q)} \big [(\bigwedge _{a \in \textsf{Ag}} A_{i,a} \Rightarrow (\alpha _a = \alpha '_a)) \Rightarrow y_S(\delta (q,\alpha ')) \big ] \end{aligned}$$

This formula can be informally read as follows: there exists an action tuple for the coalition A (the disjunction), such that for all action tuples for the opposing coalition (the conjunction), the corresponding state is in the set S (indicated by \(y_S(\delta (q,\alpha '))\)). Since we do not know, a priori, what the coalition \(A_i\) is, we quantify over action tuples for all the agents both in the disjunction and the conjunction. However, the rightmost implication of the formula ensures that the only relevant tuples of actions \(\alpha ' \in \textsf{Act}_\textsf{Ag}(q)\) are those for which the action for the agents in the coalition \(A_i\) are given by the tuple of actions \(\alpha \in \textsf{Act}_\textsf{Ag}(q)\).

We define the formulas ensuring the intended meaning of the variables \(y_{i,q}\).

$$\begin{aligned} \varOmega ^{\textsf{sem}}_{\mathcal {P},C} & := \bigwedge _{p \in \mathcal {P}} \bigwedge _{i \in \llbracket 1,n \rrbracket } \Big [ x_{i,p} \Rightarrow \bigwedge _{q\in Q,\; p\in \pi (q)} y^{C}_{i,q} \; \wedge \bigwedge _{q\in Q,\; p\notin \pi (q)} \lnot y^{C}_{i,q} \Big ] \\ \varOmega ^{\textsf{sem}}_{\wedge ,C} & := \bigwedge _{\begin{array}{c} {i \in \llbracket 1,n \rrbracket }\\ {j,j' \in \llbracket 1,i-1 \rrbracket } \end{array}} \Big [ [x_{i,\wedge }\wedge l_{i,j}\wedge r_{i,j'}] \Rightarrow \bigwedge _{q\in Q}\big [ y^{C}_{i,q} \Leftrightarrow [y^{C}_{j,q} \wedge y^{C}_{j',q}]\big ]\Big ] \\ \varOmega ^{\textsf{sem}}_{\lnot ,C} & := \bigwedge _{\begin{array}{c} {i \in \llbracket 1,n \rrbracket }\\ {j \in \llbracket 1,i-1 \rrbracket } \end{array}} \Big [ [x_{i,\lnot }\wedge l_{i,j}] \Rightarrow \bigwedge _{q\in Q}\big [ y^{C}_{i,q} \Leftrightarrow \lnot y^{C}_{j,q}\big ]\Big ] \\ \varOmega ^{\textsf{sem}}_{{{\,\mathrm{\textbf{X}}\,}},C} & := \bigwedge _{\begin{array}{c} {i \in \llbracket 1,n \rrbracket }\\ {j \in \llbracket 1,i-1 \rrbracket } \end{array}} \Big [ [x_{i,\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{X}}\,}}}\wedge l_{i,j}] \Rightarrow \bigwedge _{q\in Q}\big [ y^{C}_{i,q} \Leftrightarrow \varOmega _{q,i}^{\textsf{Pre},C}(y^C_{j,\cdot }) \big ]\Big ] \end{aligned}$$

The above formulas encode, via a straightforward translation, the \(\texttt{SAT}_{C}\) computation for the propositions, Boolean operators and the \(\langle \!\langle \cdot \rangle \!\rangle \! {{\,\mathrm{\textbf{X}}\,}}\) operator.

The case of the \(\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{U}}\,}}\) and \(\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{G}}\,}}\) operators require some innovation. Indeed, as can be seen in Eqs. (5) and (6), the \(\texttt{SAT}_{C}\) involves a least and greatest fixed-point, respectively . To circumvent this difficulty, we mimic the steps of the fixed-point computation algorithm [1, Fig. 3] in propositional logic. Let us recall how they are computed. Given an ATL formula \(\varPhi = \langle \!\langle A\rangle \!\rangle \varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2\), the way \(\texttt{SAT}_{C}(\varPhi )\) is computed from \(\texttt{SAT}_{C}(\varPhi _1)\) and \(\texttt{SAT}_{C}(\varPhi _2)\) is described in Algorithm 1. Similarly, given an ATL formula \(\varPhi = \langle \!\langle A\rangle \!\rangle \! {{\,\mathrm{\textbf{G}}\,}}\varPhi '\), the way \(\texttt{SAT}_{C}(\varPhi )\) is computed from \(\texttt{SAT}_{C}(\varPhi ')\) is described in Algorithm 2. Note that, instead of using while loops, as in  [1, Fig. 3], that are necessarily exited after at most |Q| steps, we use for loops.

Algorithm 1
figure e

. Compute \(\texttt{SAT}_{C}(\varPhi )\) for \(\varPhi = \langle \!\langle A\rangle \!\rangle \! \; \varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2\)

Full size image
Algorithm 2
figure f

. Compute \(\texttt{SAT}_{C}(\varPhi )\) for \(\varPhi = \langle \!\langle A\rangle \!\rangle \! \; {{\,\mathrm{\textbf{G}}\,}}\varPhi '\)

Full size image

As can be seen in both algorithms, the fixed-point computation algorithm internally maintains an estimate of the \(\texttt{SAT}_{C}\) set and updates it iteratively. Thus, to encode the fixed-point computation, we introduce propositional variables that encode whether a state q of a CGS C belongs to a particular estimate of \(\texttt{SAT}_{C}\). Formally, we introduce propositional variables \(y^{C}_{i,q,k}\) for each \(i\in \llbracket 1,n \rrbracket \), \(q\in A\), and \(k\in \llbracket 0,|Q| \rrbracket \), where the parameter \(k\in \llbracket 0,|Q| \rrbracket \) tracks which iterative step of the fixed-point computation the variable \(y^{C}_{i,q,k}\) encodes. We define the formulas below to ensure the intended meaning of these introduced variables:

$$\begin{aligned} \varOmega ^{\textsf{sem}}_{{{\,\mathrm{\textbf{U}}\,}},C} &:= \bigwedge _{\begin{array}{c} {i \in \llbracket 1,n \rrbracket }\\ {j,j' \in \llbracket 1,n \rrbracket } \end{array}} [x_{i,\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{U}}\,}}}\wedge l_{i,j}\wedge r_{i,j'}] \Rightarrow \bigwedge _{q\in Q}\Big [ \big [y^{C}_{i,q,0} \Leftrightarrow y^{C}_{j',q}\big ] \wedge \\ &\bigwedge _{0\le k\le |Q|-1} \big [ y^{C}_{i,q,k+1} \Leftrightarrow [y^{C}_{i,q,k} \vee [y^{C}_{j,q} \wedge \varOmega _{q,i}^{\textsf{Pre}}(y^C_{i,\cdot ,k}) ]] \big ] \wedge \; [y^{C}_{i,q} \Leftrightarrow y^{C}_{i,q,|Q|}] \Big ] \\ \varOmega ^{\textsf{sem}}_{{{\,\mathrm{\textbf{G}}\,}},C} &:= \bigwedge _{\begin{array}{c} {i \in \llbracket 1,n \rrbracket }\\ {j \in \llbracket 1,i-1 \rrbracket } \end{array}} [x_{i,\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{G}}\,}}}\wedge l_{i,j}] \Rightarrow \bigwedge _{q\in Q}\Big [ \big [y^{C}_{i,q,0} \Leftrightarrow y^{C}_{j,q}\big ] \wedge \\ &\bigwedge _{0\le k\le |Q|-1} \big [ y^{C}_{i,q,k+1} \Leftrightarrow [y^{C}_{i,q,k} \wedge \varOmega _{q,i}^{\textsf{Pre}}(y^C_{i,\cdot ,k}) ] \big ] \wedge \; [y^{C}_{i,q} \Leftrightarrow y^{C}_{i,q,|Q|}] \Big ] \end{aligned}$$

The formula \(\varOmega ^{\textsf{sem}}_n\) is simply defined as the conjunction of all the formulas above.

For the semantics of CTL, the main difference is that the formula \(\varOmega _{q,i}^{\textsf{Pre}}(y_S)\) encoding the fact that \(q\in \textsf{Pre}(S)\) can be greatly simplified (for the quantifier \({{\,\mathrm{\textbf{E}\!}\,}}\)):

$$\begin{aligned} \hat{\varOmega }_{q,i}^{\textsf{Pre}}(y_S) := \bigvee _{q' \in \textsf{Succ}(q)} y_S(q') \end{aligned}$$

Encoding the Consistency with the Models. Finally, to encode that the prospective formula is consistent with \(\mathcal {S}\), we have the following formula:

$$\begin{aligned} \varOmega ^{\textsf{con}}_n := \big [\bigwedge _{C\in P}\bigwedge _{s\in I} y^{C}_{n,s}\big ] \wedge \big [\bigwedge _{C\in N}\bigvee _{s\in I} \lnot y^{C}_{n,s}\big ] \end{aligned}$$

The size of the formula \(\varOmega ^{\mathcal {S}}_n\), and the number of variables involved in it, is polynomial in n and the size of \(\mathcal {S}\), \(|\mathcal {S}|{:}{=}\sum _{C \in P \cup N} |C|\). Furthermore, we have the lemma below establishing the correctness of the encoding.

Proposition 1

Let \(\mathcal {S}=(P,N)\) be a sample and \(n \in \mathbb {N}\setminus \{0\}\) . Then:

  1. 1.

    If an ATL formula of size at most n consistent with \(\mathcal {S}\) exists, then the propositional formula \(\varOmega ^{\mathcal {S}}_n\) is satisfiable.

  2. 2.

    If a valuation v is such that \(v\models \varOmega ^{\mathcal {S}}_n\), then there is an ATL formula \(\varPhi ^v\) of size at most n that is consistent with \(\mathcal {S}\).

3.2 Deciding the Separability

Given a sample \(\mathcal {S}\), by iteratively checking if \(\varOmega ^{\mathcal {S}}_0\) is satisfiable, if \(\varOmega ^{\mathcal {S}}_1\) is satisfiable, etc., we can find a minimal size formula consistent with \(\mathcal {S}\) if one exists. However, if there is no such formula, the above iteration would not terminate. To circumvent that issue, there are two possibilities. We may first decide the separability of the sample, i.e., if there exists an ATL formula consistent with it; or we may exhibit a bound B, expressed as a function of \(\mathcal {S}\), such that if there is a separating formula, there is one of size at most B. In this subsection, we tackle both of these issues.

It was shown in [17, Section 3, Thm. 3.2, 3.9] that the separability can be decided in polynomial time for full CTL (i.e., all operators can be used) with Kripke structures. Furthermore, in [43, Coro. 1], the results of [17] are used to exhibit an exponential bound on the size of the CTL formulas to be considered.

For fragments of CTL (i.e. CTL formulas that can use only some operators), it was shown in [34, Thm. 3], as a corollary of a “meta theorem” with applications to various logic, that the separability can be decided in exponential time.

Here, we extend these results to ATL formulas. We consider two settings: full ATL and any fragment of ATL. In the first setting, we show that separability can also be decided in polynomial time. In the second setting, we show that separability can be decided in exponential time. We deduce an exponential bound on the size of the formulas that need to be considered, which hold regardless of the fragment considered (including full ATL).

Separability for full ATL. For full ATL, our goal is to show the theorem below.

Theorem 1

Given a sample \(\mathcal {S}= (P,N)\) of CGS, we can decide in time polynomial in \(|\mathcal {S}|\) if the sample \(\mathcal {S}\) is separable with (arbitrary) ATL formulas.

Due to space constraint, we only provide an informal explanation here. The first step is to prove that it is sufficient to consider only ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formulas, i.e., ATL formulas whose only used temporal operator is \({{\,\mathrm{\textbf{X}}\,}}\). This may seem counterintuitive since given an ATL formula \(\varPhi \) using the operator \({{\,\mathrm{\textbf{G}}\,}}\) (or the operator \({{\,\mathrm{\textbf{U}}\,}}\)), there does not exist ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula equivalent to \(\varPhi \) because the number of states of the CGS on which \(\varPhi \) may be evaluated is arbitrarily large. However, given a sample \(\mathcal {S}\) of finitely many CGS, there is a bound on the number of states used in all the CGS of \(\mathcal {S}\). Hence, there is an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula equivalent to \(\varPhi \) on all the CGS of \(\mathcal {S}\).

Lemma 1

Consider a sample \(\mathcal {S}= (P,N)\) of CGS. If there exists an ATL formula consistent with \(\mathcal {S}\), then there is one that is an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula.

Let us now consider the set \(\textsf{Distinguish}(\mathcal {S}) \subseteq Q^2\) of pairs of states that we can distinguish with an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula.

Definition 3

Consider a sample \(\mathcal {S}\) of CGS. We let Q denote the set of all the states occurring in all CGS of \(\mathcal {S}\). We let:

$$\begin{aligned} \textsf{Distinguish}(\mathcal {S}){:}{=}\{ (q,q') \in Q^2~|~\text {there is ATL-}{{\,\mathrm{\textbf{X}}\,}}\text { formula } \varPhi \text { s.t. } q\models \varPhi \Leftrightarrow q' \not \models \varPhi \} \end{aligned}$$

Given a sample \(\mathcal {S}\), we claim the following: 1) it is possible to compute in time polynomial in \(|\mathcal {S}|\) the set \(\textsf{Distinguish}(\mathcal {S})\), and 2) given \(\textsf{Distinguish}(\mathcal {S}) \subseteq Q^2\), we can decide in polynomial time if there is an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula consistent with \(\mathcal {S}\).

We start with the second claim. The reason why it holds is the following: there is an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula consistent with \(\mathcal {S}\) iff, for all negative structures \(C_N\) of \(\mathcal {S}\), there is a starting state \(q_N \in I_{C_N}\) such that, for all starting states \(q_P\) of all positive structures of \(\mathcal {S}\), we have \((q_P,q_N) \in \textsf{Distinguish}(\mathcal {S})\), which can be checked in polynomial time. The “only if” implication comes directly from the definition of a formula consistent with a sample. The “if” implication is a consequence of the fact that ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formulas can use conjunctions, disjunctions, and negations.

Let us now consider the first claim. We say that two sets of states \(T,T' \subseteq Q\) are ATL-\({{\,\mathrm{\textbf{X}}\,}}\) distinguishable if there is an ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formula \(\varPhi \) and a state \(t'\in T'\) such that for all \(t \in T\), \(t \models \varPhi \) and \(t' \not \models \varPhi \). Now, given a set R of pairs of states , let us define the set \(\textsf{Dist}_{{{\,\mathrm{\textbf{X}}\,}}}(R) \subseteq Q^2\) of pairs of states that we know can be distinguished by ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formulas whose first operator used is \({{\,\mathrm{\textbf{X}}\,}}\), assuming all pairs of states in R can be distinguished by ATL-\({{\,\mathrm{\textbf{X}}\,}}\) formulas.

Definition 4

Given a sample \(\mathcal {S}\) of CGS and some \(R \subseteq Q^2\), we let:

$$\begin{aligned} \textsf{Dist}_{{{\,\mathrm{\textbf{X}}\,}}}(R) := \{ & (q,q'),(q',q) \in Q^2 \mid \exists A \subseteq \textsf{Ag},\; \exists \alpha \in \textsf{Act}_{A}(q),\; \forall \alpha ' \in \textsf{Act}_{A}(q'),\\ & \textsf{Succ}(q,\alpha ) \text { and }\textsf{Succ}(q',\alpha ') \text { are ATL-}{{\,\mathrm{\textbf{X}}\,}}\text { distinguishable } \} \end{aligned}$$

Given a set R, we can compute in polynomial time the set \(\textsf{Dist}_{{{\,\mathrm{\textbf{X}}\,}}}(R)\). This may be counterintuitive since checking all coalitions of agents \(A \subseteq \textsf{Ag}\) would take time exponential in \(|\mathcal {S}|\). However, to compute the set \(\textsf{Dist}_{{{\,\mathrm{\textbf{X}}\,}}}(R)\), it is sufficient to consider coalitions of agents \(A \subseteq \textsf{RelAg}(q,q')\), where \(\textsf{RelAg}(q,q') := \{ a \in \textsf{Ag}\mid d(q,a) \cdot d(q',a) \ge 2\}\). Indeed, the agents not in \(\textsf{RelAg}(q,q')\) have only one action available at both states q and \(q'\). They are, therefore, irrelevant in those states to determine the set of states reachable by a coalition. Looking over all such coalitions now takes time polynomial in \(|\mathcal {S}|\) because \(|2^{\textsf{RelAg}(q,q')}| \le |Q_\textsf{Act}(q)| \times |Q_\textsf{Act}(q')|\).

Interestingly, we have the following characterization of the set \(\textsf{Distinguish}(\mathcal {S})\).

Lemma 2

Consider a sample \(\mathcal {S}\) of CGS. The set \(\textsf{Distinguish}(\mathcal {S})\) is the smallest set of \(Q^2\) such that: \(\{ (q,q') \in Q^2 \mid \pi (q) \ne \pi (q') \} \subseteq \textsf{Distinguish}(\mathcal {S})\), and \(\textsf{Dist}_{{{\,\mathrm{\textbf{X}}\,}}}(\textsf{Distinguish}(\mathcal {S})) \subseteq \textsf{Distinguish}(\mathcal {S})\).

With the help of this lemma, given a sample \(\mathcal {S}\) of CGS, it follows that we can compute in polynomial time the set \(\textsf{Distinguish}(\mathcal {S})\). Indeed, this can be done with a computation similar to that of the set \(\texttt{SAT}_{C}(\langle \!\langle A\rangle \!\rangle \varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2)\) in Algorithm 1, where \(\texttt{SAT}_{C}(\langle \!\langle A\rangle \!\rangle \varPhi _1 {{\,\mathrm{\textbf{U}}\,}}\varPhi _2)\) is defined as a smallest set satisfying a specific property in Eq. (5). Overall, from both our claims 1) and 2), we do obtain that the separability of a sample of CGS can be decided in polynomial time.

Separability for any Fragment of ATL. Let us now consider the case of an arbitrary fragment of ATL. Now, the above-described algorithm a priori does not work. Among other things, one of the issues is that, possibly, we may not be able to use the operator \({{\,\mathrm{\textbf{X}}\,}}\) . Therefore, given a sample \(\mathcal {S}\), instead of iteratively constructing a subset of \(\textsf{Distinguish}(\mathcal {S}) \subseteq Q^2\) of distinguishable pairs of states, we iteratively compute a subset \(\textsf{Acc}(\mathcal {S}) \subseteq 2^Q\) of sets of states that can be accepted with a formula in the fragment considered, while the complement set is rejected. We can then prove a lemma similar to Lemma 2 except that we additionally have to be able to handle the operators \({{\,\mathrm{\textbf{G}}\,}}\) and \({{\,\mathrm{\textbf{U}}\,}}\), which is done by using Algorithms 12.

Since we manipulate subsets of \(2^Q\), we obtain an exponential time algorithm. Interestingly, the correctness proof of this algorithm gives information on the size of consistent ATL formulas. Indeed, we can show that when there is a consistent formula, there is one for which each of its sub-formulas corresponds to a different set in \(\textsf{Acc}(\mathcal {S}) \subseteq 2^Q\). Therefore, the size of this formula is at most \(|2^Q| = 2^{|Q|}\).

Theorem 2

Consider a sample \(\mathcal {S}\) and a fragment ATL’ of ATL. We can decide in time exponential in \(|\mathcal {S}|\) if the sample \(\mathcal {S}\) is separable with ATL’ formulas. If it is, then there exists an ATL’ formula consistent with \(\mathcal {S}\) of size at most \(2^{|Q|}\).

4 Experimental Evaluation

To test the ability of our learning algorithms (from Sect. 3.1), we implement them in an open-source prototypeFootnote 1. The prototype is developed in Python3 and utilizes the PySMT library [26], providing us access to an array of SAT solvers. Moreover, it offers configurable parameters for learning, including options to specify the model type (KS or CGS) and the formula type (CTL or ATL).

To test various aspects of our algorithms, we rely on synthetic benchmarks generated from a set of chosen formulas as is common in the literature [19, 41]. We first identified some common CTL and ATL formulas from standard sources: the book on model-checking by Baier and Katoen [9, Example 6.3] for CTL and the seminal work by Alur et al. [1, Examples 3.1,3.2] for ATL. Figure 2 displays a selection of formulas (with the rest in the extended version [16]); we used abstract propositions and players in the formulas to maintain uniformity. The CTL formulas reflect properties occurring in distributed systems, such as mutual exclusion, request-response progress, etc. The ATL formulas describe various properties of a train-controller (multi-agent) system.

We generated samples following a random generation technique. To construct a structure C for a sample, we iteratively added states to C ensuring its connectedness; assigned random propositions to each state of C; and added random edges, labeled with action tuples if generating a CGS. For CGSs, we focussed on generating turn-based games, i.e., games where only one player has actions in each state, due to their prevalence in verification and synthesis. We split the randomly generated structures into P and N based on the selected formula.

Fig. 2.
figure 2

Runtime of CTL and ATL learning algorithms on samples with varying number of examples (considering structures of size \(\le 20\)).

Full size image

Overall, from six CTL formulas and six ATL formulas, we generated two benchmark suites, the first one consisting of 144 samples of KSs and the second one consisting of 144 samples of CGSs, respectively. The number of examples in the suites ranges from 20 to 120 and 10 to 60, respectively. Moreover, the sizes of the KSs range from 1 to 40, while the size of the CGSs range from 1 to 20.

All tests were run on Intel Xeon Gold 6142 CPU (at 2.6 GHz) using up to 10 GB of RAM using MathSAT solver [23]Footnote 2, with a timeout of 2400 s.

How effective are the algorithms in learning CTL/ATL formulas? To answer this, we ran the CTL and ATL learning algorithms on the first and second benchmark suites, respectively. Figure 2 depicts runtimes of both algorithms for samples generated from a selection of formulas. Both algorithms exhibit reasonable runtime performance for small samples. As the samples size increases, the runtime also increases, more prominently for the larger formulas in our selection. For the smaller formulas, however, the runtime of the algorithms remains reasonable even when the samples size increases.

Fig. 3.
figure 3

Runtime improvement with optimized encodings for CTL and ATL learning on first and second benchmark suites, respectively. The runtimes are in seconds and ‘TO’ represents timeout.

Full size image

Which parts of the SAT encoding contribute significantly towards the runtime? To understand this, we profiled both algorithms to identify the constraints responsible for significant runtime increases. Notably, generating constraints for the \({{\,\mathrm{\textbf{U}}\,}}\) operators (i.e., \({{\,\mathrm{\textbf{E}\!}\,}}{{\,\mathrm{\textbf{U}}\,}}\), \({{\,\mathrm{\textbf{A}\!}\,}}{{\,\mathrm{\textbf{U}}\,}}\) for CTL and \(\langle \!\langle \cdot \rangle \!\rangle \!{{\,\mathrm{\textbf{U}}\,}}\) for ATL) turned out to be the most time-consuming among all operators. Consequently, we compared runtime performance with and without these operators. (Note that we included \({{\,\mathrm{\textbf{F}}\,}}\) and \({{\,\mathrm{\textbf{G}}\,}}\) operators in both cases.) Learning without the \({{\,\mathrm{\textbf{U}}\,}}\) operator is often justified, since several properties do not require the \({{\,\mathrm{\textbf{U}}\,}}\) operator [44]. Figure 3a depicts this comparison for CTL learning; the average runtime improvement is 46%.

Moreover, computing the constraints for \(\varOmega _{q,i}^{\textsf{Pre}}(y)\) happens to be expensive due to the nesting of conjunction and disjunction of propositional formulas. As a result, we noticed an improvement when we used the following optimized encoding designed specifically for turn-based games:

$$\begin{aligned} \bar{\varOmega }_{q,i}^{\textsf{Pre}}(y_S) {:}{=}[A_{i, \sigma (q)} \Rightarrow \bigvee _{\alpha \in \textsf{Act}_\textsf{Ag}(q)} y_S(\delta (q,\alpha )] \wedge [\lnot A_{i, \sigma (q)} \Rightarrow \bigwedge _{\alpha \in \textsf{Act}_\textsf{Ag}(q)} y_S(\delta (q,\alpha )], \end{aligned}$$

where \(\sigma (q)\) denotes the Agent owning the state q. Figure 3b illustrates this improvement; the average runtime improvement is 52%.

Overall, we demonstrated that our learning algorithms can successfully infer several CTL and ATL formulas from samples of varying sizes.

5 Conclusion

In this work, we address the passive learning problem for CTL and ATL, proposing a constraint-solving technique that encodes search and model-checking of formulas in propositional logic. We additionally investigate the separability of ATL formulas and develop decision procedures for it. Our experimental evaluations validate the efficacy of our algorithms in inferring useful CTL/ATL formulas.

As future work, we like to explore the computational hardness of the passive learning problems for CTL/ATL, similar to [25]. We also plan to improve our prototype by adding heuristics, such as the ones discussed in [43]. Finally, we like to lift our techniques to probabilistic logics such as PCTL [28] and PATL [21].