Logic-based Specification and Verification of Homogeneous Dynamic Multi-agent Systems

We develop a logic-based framework for formal specification and algorithmic verification of homogeneous and dynamic concurrent multi-agent transition systems (HDMAS). Homogeneity means that all agents have the same available actions at any given state and the actions have the same effects regardless of which agents perform them. The state transitions are therefore determined only by the vector of numbers of agents performing each action and are specified symbolically, by means of conditions on these numbers definable in Presburger arithmetic. The agents are divided into controllable (by the system supervisor/controller) and uncontrollable, representing the environment or adversary. Dynamicity means that the numbers of controllable and uncontrollable agents may vary throughout the system evolution, possibly at every transition. As a language for formal specification we use a suitably extended version of Alternating-time Temporal Logic (ATL), where one can specify properties of the type “a coalition of (at least) n controllable agents can ensure against (at most) m uncontrollable agents that any possible evolution of the system satisfies a given objective γ”, where γ is specified again as a formula of that language and each of n and m is either a fixed number or a variable that can be quantified over. We provide formal semantics to our logic $L_{hdmas}$ and define normal form of its formulae. We then prove that every formula in $L_{hdmas}$ is equivalent in the finite to one in a normal form and develop an algorithm for global model checking of formulae in normal form in finite HDMAS models, which invokes model checking truth of Presburger formulae. We establish worst case complexity estimates for the model checking algorithm and illustrate it on a running example.


Introduction
The framework. We consider discrete concurrent multi-agent transition systems, i.e. multi-agent systems (MAS) in which the transitions take place in a discrete succession of steps, as a result of simultaneous (or, at least, mutually independent) actions performed by all agents. Such MAS are typically modelled as concurrent game models (cf. [1] or [6]).
Here we focus on a special type of concurrent MAS, which are homogeneous and dynamic, in a sense explained below.
The homogeneity means that all agents are essentially indistinguishable from each other, as their possible behaviours are determined by the same protocol. In particular, they have the same available actions at each state and the effect of these actions depends not on which agents perform them, but only on how many agents perform each action. Thus, the transitions in such systems are determined not by the specific action profiles, but only by the vector of numbers of agents that perform each of the possible actions in these action profiles. The latter can be regarded as an abstraction of the action profile. The transitions are specified symbolically, by means of conditions on these vectors, definable in Presburger arithmetic.
Typical examples of such homogeneous systems include:
- voting procedures, where the outcome only depends on how many agents vote for each possible alternative, but not who votes for what. These also involve voting procedures where anonymity is required and the identity of agents should not be inferred by observing the system's evolution [17,14];
- sensor networks of a type where protocols only depend on how many sensors send any given signal [20];
- computer network servers, the functioning of which only depends on how many currently connected users are performing any given action (e.g. uploading or downloading data, sending printing jobs, communicating over common channels, etc.);
- markets, the dynamics of which only depends on how many agents are selling and how many are buying any given stock (assuming the transactions are per unit) but not exactly who does what.
The dynamicity of the systems that we consider means that the set (hence, the number) of agents being present (or, just acting) in the system may vary throughout the system evolution, possibly at every transition from a state to a state. All examples listed above naturally have that dynamic feature. There are different ways to interpret such dynamicity. In the extreme version, agents literally appear and disappear from the system, e.g. users joining and leaving an open network. A less radical interpretation is where the agents are in the system all the time but may become active and inactive from time to time, e.g. voters, or members of a committee, may abstain from voting in one election or decision making round, and then become active again in the next one. A more refined version is where at every state of the system performance each agent decides to act (i.e. take one of the available actions) or pass/idle, formally by performing the 'pass/idle' action. Technically, all these interpretations seem to be reducible to the latter one. However, the way we model the dynamicity here is by assuming that there is an unbounded, and possibly infinite set of 'potentially existing' agents, but that only finitely many of them are 'actually existing/present' at each stage of the evolution of the system. Therefore, at each transition round, only finitely many currently existing agents can possibly perform an action, and each of these may also choose not to perform any action (i.e., remain inactive in that round). However, the currently inactive (or, 'non-existing') agents do not have any individual influence on the transitions. Thus, the number of currently active agents, who determine the next transition, can change from any instant to the next one, while always remaining finite. We note, however, the difference between dynamic systems, in the sense described above, and simply parametric systems, where the number of agents is taken as a parameter but remains fixed during the whole evolution of the system. In that sense, the present study applies both to parametric and truly dynamic systems.
In this work we develop a logic-based framework for formal specification and algorithmic verification of the behaviour of homogeneous dynamic multi-agent systems (hdmas) of the type described above. We focus, in particular, on scenarios where the agents are divided into controllable (by the system supervisor or controller) and uncontrollable, representing the environment or an adversary. Both numbers, of controllable and uncontrollable agents, may be fixed or varying throughout the system evolution, possibly at every transition. The controllable agents are assumed to act according to a joint strategy prescribed by the supervisor/controller, with the objective to ensure the desired behaviour of the system (e.g. reaching an outcome in the voting procedure, or keeping the demand and supply of a given stock within desired bounds, or ensuring that the server will not be deadlocked by a malicious attack of adversary users, etc.).
As a logical language for formal specification we introduce a suitably extended version, $L_{hdmas}$, of the Alternating time temporal logic ATL ([1]). In $L_{hdmas}$ one can specify properties of the type "A team of (at least) n controllable agents can ensure, against at most m active uncontrollable agents, that any possible evolution of the system satisfies a given objective γ", where the objective γ is specified again as a formula of that language, and each of n and m is either a fixed number, a parameter, or a variable that can be quantified over.
Structure and content of the paper. In Section 2 we introduce the hdmas framework, provide a running example, and prove some technical results needed to introduce counting abstractions of joint actions and strategy profiles. Using these counting abstractions, in Section 3 we provide formal semantics in hdmas models for the logic $L_{hdmas}$ which we introduce there. We then define normal form of formulae of $L_{hdmas}$ and the fragment $L^{NF}_{hdmas}$, consisting of formulae in normal form. The key technical result obtained in that section is that every formula in $L_{hdmas}$ is equivalent in the finite to one in $L^{NF}_{hdmas}$. In Section 4 we develop an algorithm for global model checking of formulae in $L^{NF}_{hdmas}$ in finite hdmas models, which invokes model checking truth of their respective translations into Presburger formulae, and illustrate that algorithm on running examples. In Section 5 we establish some refined complexity estimates for the model checking algorithm, using recent complexity results obtained in [11] for fragments of Presburger arithmetic. We end with some concluding remarks on extensions and possible applications of our work in Section 6.
Related work. While we are not aware of work that considers formal models and verification methods for the same type of multi-agent scenarios, there are several threads of essentially related work. In all frameworks mentioned below, however, the number of agents is fixed along system executions, possibly as a parameter, and the formal specification languages do not explicitly allow quantification over the number of agents.
- Counting abstraction for verification of parametric systems has been studied in [10] and [4], where techniques based on Petri nets or Vector Addition Systems with States (VASS) are used to obtain decidability of model checking.
- The work in [18] is closer to ours, as strategic reasoning is considered but only for a restricted set of properties such as reachability, coverability and deadlock avoidance. Also, assumptions on the system evolutions are made and, in particular, monotonicity with respect to a well-quasi-ordering.
- In [15] temporal epistemic properties of parametric interpreted systems are checked irrespective of the number of agents by using cutoff techniques.
- Modular Interpreted Systems [13] is a MAS framework where a decoupling between local agents and global system description is achieved, thus possibly amenable to model dynamical MAS frameworks.
- Homogeneous MAS with transitions determined by the number of acting agents have been introduced in [17].
- Population protocols [2] are parametric systems of homogeneous agents, and decidability of model checking against probabilistic linear-time specification is studied in [9].
- In [7], instead of verifying MAS with unknown number of agents, the authors propose a technique to find the minimal number of agents which, once deployed and suitably orchestrated, can carry out a manufacturing task.

Preliminaries and modelling framework
We start by introducing the basic ingredients of our framework. We assume a hereafter fixed (finite, or possibly countably infinite) universe of agents $Ag = \{ag_1, ag_2, \ldots\}$, but only finite subsets of which will be assumed currently present, or 'currently existing', at any time instant or stage of the evolution of the system.
An action profile over a given set of actions $Act' \subseteq Act^+$ is defined as a function $p : Ag \to Act'$, assigning an action from $Act'$ to each agent in $Ag$. More generally, for any subset of agents $A \subseteq Ag$, a joint action of $A$ over a set of actions $Act' \subseteq Act^+$ is a function $p_A$ assigning an action from $Act'$ to each agent in $A$.
Given a function $f$, we will write: $dom(f)$ for the domain of $f$; $f|_Z$ for the restriction of $f$ to a domain $Z \subseteq dom(f)$; and $f[Z]$ for the image of $Z$ under $f$. For technical purposes, we also consider a (unique) function $f_\emptyset$ with an empty domain.
Definition 1 (Guards). A (transition) guard $g$ is an open (quantifier-free) formula of Presburger arithmetic PrA with predicates = and < over variables from the set of action counters $X$.
Definition 2. An action distribution is any function $act : X' \to \mathbb{N}$, where $X' \subseteq X^+$. The domain $X'$ is denoted, as usual, by $dom(act)$. Intuitively, an action distribution assigns for every action act, through the value of the action counter µ(act), the number of agents who are assigned the action act.
Given an action distribution act we define:
- $act \models g$, for a given guard $g$, if act satisfies $g$ with the expected standard semantics of PrA;
- $sum(act) := \sum_{x \in dom(act)} act(x)$;
- $H|_m := \{act \mid sum(act) = m\}$;
- $H := \bigcup_{m \in \mathbb{N}} H|_m$.
We also define the mapping $\oplus : H \times H \times P(X^+) \to H$, which, given two action distributions $act_1$ and $act_2$ and $Z \subseteq X^+$ such that $dom(act_1) \cap Z = dom(act_2) \cap Z := Z'$, returns a new action distribution, $act_1|_Z \oplus act_2|_Z$, with domain $Z'$, defined component-wise as the sum of $act_1$ and $act_2$, i.e.
Remark 1. Note that guards are defined over the set of variables $X$, while the domain of action distributions can also include $x_\varepsilon$. It follows that, for any action distribution act, the value $act(x_\varepsilon)$ does not have any influence on the satisfiability of a guard. More generally, for every $act \in H$ and $g \in G$ we have $act \models g$ iff $act|_{Var(g)} \models g$.
We now relate action profiles with action distributions. Every action profile is associated with the action distribution that counts, for each action, the number of agents performing it. In that sense, action distributions are counting abstractions for action profiles. The formal definition follows, where we denote the set of all action profiles over Act by $P$ and define the inverse of an action profile $p$ as the function $p^{-1} : Act \to \wp(Ag)$ such that $p^{-1}(act) = \{ag \in Ag \mid p(ag) = act\}$. The function α partitions the set $P$ into equivalence classes of action profiles having the same abstraction.
We now introduce the abstract models of our framework.
..., $g_7$ are listed below the picture, and an arrow is drawn from $s_i$ to $s_j$ and labeled with $g_k$ iff $\delta(s_i, s_j) = g_k$. The label of each state is given next to it, defined by the labelling function: $\lambda(s_1) = \emptyset$, $\lambda(s_2) = \lambda(s_3) = \lambda(s_4) = \{p\}$ and $\lambda(s_5) = \lambda(s_6) = \{q\}$.
The restriction on δ ensures that for any number of agents and their action profile of available actions, the next state is uniquely defined. Thus, the dynamics of the system in terms of possible state transitions is fully determined symbolically by the transitions guard function δ, as defined formally below.
Definition 5. Given a hdmas $M$, a transition in $M$ is a triple $(s, p, s')$, where $s, s' \in S$ and $p \in P$, such that: 1) each agent ag performs an available action: $p(ag) \in d(s)$; 2) the abstraction $\alpha(p)$ satisfies the (unique) guard that labels the transition from $s$ to $s'$, i.e., $\alpha(p) \models \delta(s, s')$.
Since transitions only depend on the abstractions of the action profiles, that is, on action distributions, it is immediate to see that action profiles with the same abstraction, applied at the same state, lead to the same successor state. Formally, the following holds.
Lemma 1. Given a hdmas $M$ as above, for every $s, s' \in S$, and every
Lemma 1 enables us to define the transition function$^2$ of $M$ directly on action distributions, rather than on action profiles.
Definition 6. Let $M$ be a hdmas. The transition function of $M$ is the partial mapping $\Delta : S \times H \rightharpoonup S$ defined as follows. For each $s \in S$ and $act \in H$, the outcome state $\Delta(s, act)$ of act at $s$ is defined and equal to $s' \in S$ iff there exists $p \in P$ such that $(s, p, s')$ is a transition and $\alpha(p) = act$; otherwise $\Delta(s, act)$ is undefined.
Infinite sequences of successor states will be called 'plays'. Formally, a play is a sequence $\pi = s_0, s_1, \ldots$ in $S^\omega$, such that for every stage (of the play) $i \in \mathbb{N}$, there is $act_i \in H$ such that $\Delta(s_i, act_i) = s_{i+1}$. We denote by $\pi[i]$ the state of the $i$-th stage of the play, for each $i \in \mathbb{N}$.
Since transitions from a given state $s$ are defined only for action profiles that assign to all agents only actions that are available at $s$, we call these available action profiles in $s$. We formally define for each state $s \in S$ the set of available action profiles in $s$ as More generally, for each set of agents $A \subseteq Ag$ we define likewise the set of joint actions for $A$ available in $s$ as where $P_A$ denotes (with a mild abuse of notation) the set of all possible joint actions for $A$.
$^2$ We remark that the assumption of determinism of hdmas is common in the study of multi-agent systems, because non-determinism can be settled easily by adding a fictitious new agent (Nature) that does that with its actions. Intuitively, we can transform a nondeterministic hdmas to a deterministic one as follows: we add actions that resolve the non-determinism; we translate specifications from the latter to the former, by adding controllable or non-controllable agents that could execute these actions.
Next, we define a positional strategy for a given coalition of agents $A$ as a mapping that assigns to each state $s$ an available joint action for $A$.
Definition 7. Let $A$ be a (possibly empty) set of agents and $M$ be a hdmas with a state space $S$. A joint (positional) strategy for the coalition $A$ is a function $\sigma_A : S \to P|_A$ such that $\sigma_A(s) \in P_s|_A$ for each $s \in S$. The empty coalition has only one joint strategy $\sigma_\emptyset$, assigning the empty joint action at every state.
Hereafter we assume that at every stage of the play representing the evolution of the system, the set of all currently present agents is partitioned into two: the set of controllable agents, denoted by $C$, and the set of uncontrollable agents, denoted by $N$.
Definition 8. Let $M$ be a hdmas, $s \in S$ be a state in it, $C, N \subseteq Ag$ be the respective current sets of controllable and uncontrollable agents, and let $p_C \in P_s|_C$. The outcome set of $p_C$ at $s$ is defined as follows: Respectively, given a joint strategy $\sigma_C$ for $C$ we define the set of outcome plays of $p_C$ at $s$ (against $N$) as $out(s, \sigma_C, N) := \pi = s_0, s_1, \ldots \mid s_0 = s$ and for all $i \in \mathbb{N}$ there exists
The action profile abstraction function α from Definition 3 is readily extended over the joint actions of any set of agents and it defines an equivalence relation between joint actions of any two sets of the same size. This is further extended likewise to equivalence relation between joint strategies of such sets of agents. The formal definition follows.
Definition 9. Let $M$ be a hdmas, $C_1, C_2 \subseteq Ag$ and $p_{C_1}, p_{C_2}$ be respective joint actions for $C_1$ and $C_2$. We say that $p_{C_1}$ and $p_{C_2}$ are equivalent, denoted Likewise, we say that joint strategies $\sigma_{C_1}$ and $\sigma_{C_2}$ are equivalent, denoted $\sigma_{C_1} \equiv \sigma_{C_2}$ if they prescribe equivalent joint actions for $C_1$ and $C_2$ at every state.

Note that if p
. Therefore, we obtain that . The proof of the converse inclusion is completely symmetric.
(2) The claim follows easily by using (1). Indeed, every play $\pi = s_0, s_1, \ldots$ in $out(s, \sigma_{C_1}, N_1)$ can be generated step-by-step as a play in $out(s, \sigma_{C_2}, N_2)$, by using the equivalence of $\sigma_{C_1}$ and $\sigma_{C_2}$ and applying (1) at every step of the construction. We leave out the routine details. Thus, $out(s, \sigma_{C_1}, N_1) \subseteq out(s, \sigma_{C_2}, N_2)$. Again, the converse inclusion is completely symmetric.

□
We now prove that, as expected, the outcome sets from joint actions and strategies do not depend on the actual sets of controllable and uncontrollable agents, but only on their sizes.
Lemma 3. Let $M$ be a hdmas, $s \in S$, with $C, N \subseteq Ag$ be the respective current sets of controllable and uncontrollable agents (hence, assumed disjoint), and let $p_C \in P_s|_C$ be an available joint action for $C$ at $s$. Then for every $C' \subseteq Ag$ such that $|C'| = |C|$ there exists an available joint action $p_{C'}$ for $C'$ at $s$, such that for every $N' \subseteq Ag$ where
Lemma 3 easily extends to joint strategies, as follows.
Lemma 4. Let $M$ be a hdmas, $s \in S$, with $C, N \subseteq Ag$ be the respective current (disjoint) sets of controllable and uncontrollable agents, and let $\sigma_C$ be a joint strategy for $C$. Then for every $C' \subseteq Ag$ with $|C'| = |C|$ there exists a joint strategy $\sigma_{C'}$ such that for every $N' \subseteq Ag$ where
Proof. The argument is similar to the previous proof. Fix any
Lemmas 3 and 4 essentially say that the strategic abilities in a hdmas are determined not by the concrete sets of controllable and uncontrollable agents, but only by their respective sizes. This justifies abstracting the notions of coalitional actions and strategies in terms of action profile abstractions, to be used thereafter in our semantics and verification procedures. Thus, an abstract joint action for a given coalition at state $s$ prescribes for each action available at $s$ how many agents from the coalition take that action.
1.2. The outcome set of states of the abstract joint action $act_C$ of $C$ controllable agents against $N$ uncontrollable agents at $s$ is the set of states
2.1. An abstract (positional) joint strategy for a coalition of $C$ agents is a function $\rho_C : S \to H|_C$ such that for each $s \in S$, $\rho_C(s)$ is an abstract joint action such that dom(ρ
2.2. The outcome set of plays of an abstract joint strategy $\rho_C$ of $C$ controllable agents against $N$ uncontrollable agents is the set of plays $out(s, \rho_C, N) := \pi = s_0, s_1, \ldots \mid s_0 = s$ and for all $i \in \mathbb{N}$ there is

Logic for specification and verification of hdmas
We now introduce a logic $L_{hdmas}$ for specifying and verifying properties of hdmas, based on the Alternating-time Temporal Logic ATL. It features a strategic operator that expresses the capability of a set of controllable agents to guarantee the satisfaction of a temporal objective regardless of the actions taken by the set of uncontrollable agents. As shown in the previous section, such capability only depends on the sizes of these sets. Therefore, our strategic operator * , * takes two arguments: the first one represents the number of controllable agents and the second the number of uncontrollable agents currently present in the system. Intuitively, a formula of the kind $C, N \; \chi$, with $C, N \in \mathbb{N}$ and $\chi$ being a (path) formula of $L_{hdmas}$ specifies the property: "A coalition of C controllable agents has a joint strategy to guarantee satisfaction of the objective χ against N uncontrollable agents, on every play consistent with that strategy".
Each of the arguments of * , * may be a concrete number, a parameter, or a variable that can be quantified over.

Formal syntax and semantics
We now fix a set of atomic propositions $\Phi = \{p_1, p_2, \ldots\}$, a set of two special variables $Y = \{y_1, y_2\}$, ranging over $\mathbb{N}$, which we call agent counters. We also fix a set of agent counting parameters $Z = \{z_1, z_2, \ldots\}$, again ranging over $\mathbb{N}$, and define the set of terms as $T = Y \cup Z \cup \mathbb{N}$. These will be used as arguments of the strategic operators in the logical language defined below.
Definition 11. The logic $L_{hdmas}$ has two sorts of formulae, defined by mutual induction with the following grammars, where free (and bound) occurrences of variables are defined like in first-order logic (FOL): where ϕ, ψ are state formulae.

State formulae: ϕ
where $p \in \Phi$, $t_1 \in T \setminus \{y_2\}$, $t_2 \in T \setminus \{y_1\}$, $y \in Y$, and $\chi$ is a path formula. To avoid vacuous quantification, we require in the cases of $\forall y \phi$ and $\exists y \phi$ that $y$ has a free occurrence in $\phi$.
Note that $y_1$ can only occur in the first position of $t_1, t_2$ and $y_2$ can only occur in the second position.
The propositional connectives ⊥, →, ↔ are defined as usual. Also, we define
Hereafter, by $L_{hdmas}$-formulae we will mean, unless otherwise specified, state formulae of $L_{hdmas}$.
We call all path formulae $\chi$ temporal objectives in $L_{hdmas}$. In particular, for any $L_{hdmas}$-formula $\varphi$ of the type $t_1, t_2 \; \chi$, the path subformula $\chi$ is called the temporal objective of $\varphi$.
Atomic propositions and $L_{hdmas}$-formulae of the type $t_1, t_2 \; \chi$ will be called primitive formulae of $L_{hdmas}$.
Some examples of $L_{hdmas}$ formulae:
- $\forall y_2 \; 7, y_2 \; X\, p$, saying that 7 controllable agents have an (abstract) joint action ensuring against any number $y_2$ of uncontrollable agents that any outcome state satisfies $p$.
- $\forall y_2 \exists y_1 \; y_1, y_2 \; G\, \neg p$: for any number ($y_2$) of uncontrollable agents there is a number ($y_1$) of controllable agents who have an (abstract) joint strategy to ensure that any outcome play will never reach a state that satisfies $p$.
The semantics of $L_{hdmas}$ is based on the standard, positional strategy semantics of ATL (cf. [1] or [6]), applied in hdmas models, but uses abstract joint actions and strategy profiles, rather than concrete ones. In order to evaluate formulas that contain free variables and parameters, we use a version of FOL assignment, here defined as a function $\theta : T \to \mathbb{N}$, where $\theta(i) = i$ for $i \in \mathbb{N}$.
Definition 12. Let $M$ be a hdmas, $s$ be a state and $\theta$ an assignment in it. The satisfaction relation $\models$ is inductively defined on the structure of $L_{hdmas}$-formulas as follows:
The notions of validity and (logical) equivalence in $L_{hdmas}$ are defined as expected, and we will use the standard notation for them, viz. $\models \phi$ for validity and $\phi_1 \equiv \phi_2$ for equivalence. We also say that two $L_{hdmas}$-formulae, $\phi_1$ and $\phi_2$, are equivalent in the finite, denoted $\phi_1 \equiv_{fin} \phi_2$, if $M, s, \theta \models \phi_1$ iff $M, s, \theta \models \phi_2$ for any finite hdmas model $M$ and state $s$ and assignment $\theta$ in $M$.
Remark 2. Note the following:
1. Defining the semantics in terms of abstract joint actions and strategies in the truth definitions of the strategic operators, rather than concrete ones, is justified by Lemmas 3 and 4 which imply that the 'concrete' and the 'abstract' semantics are equivalent.
2. Just like in FOL, the truth of any $L_{hdmas}$-formula $\phi$ only depends on the assignment of values to the parameters that occur in $\phi$ and to the variables that occur free in $\phi$. In particular, it does not depend at all on the assignment for closed formulae (containing no parameters and free variables). In such cases we simply write $M, s \models \phi$.
Example 2. Consider the hdmas M in Example 1.
1. The closed formula $\phi = 7, 5 \; X\, p$ is satisfied in state $s_1$ of $M$. Indeed, any abstract joint strategy $\rho_7$ that prescribes ε to 2 of the controllable agents ($\rho_7(s_1)(\varepsilon) = 2$) and $act_3$ to 4 of them ($\rho_7(s_1)(act_3) = 4$) guarantees that guard $g_2$ is satisfied, enforcing transition from $s_1$ to $s_3$.
2. $M, s_1 \models \forall y \neg\, y, 11 \; X\, p$. Indeed, the abstract joint action profile for the uncontrollable agents that prescribes to all of them to perform $act_3$ falsifies both $g_1$ and $g_2$, thus forces a loop to $s_1$ where $p$ is false.
3. $M, s_4 \models 7, 4 \; X\, (\forall y_2 \exists y_1 \; y_1, y_2 \; G\, p)$, as we show in Section 4.
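The abstract semantics of the next-step objective can be executed directly. The following is an added example, not code from the paper: it computes the counting abstraction α, the transition function ∆ on action distributions, and decides whether C controllable agents have an abstract joint action forcing p in every outcome state against N uncontrollable agents. The three-state model, its guards and all function names are constructed for illustration, since the guards of Example 1 are not reproduced on this page.

```python
from collections import Counter

EPS = "eps"  # the idle action ε: always available, ignored by every guard

# Constructed model (not Example 1 of the paper): a service with capacity 8.
STATES = ("idle", "ok", "overload")
LABEL = {"idle": set(), "ok": {"p"}, "overload": set()}
AVAILABLE = {s: ("a", "b", EPS) for s in STATES}  # d(s)

# Guard function δ(s, s'): quantifier-free linear conditions on the action
# counters x["a"], x["b"]. From each state exactly one outgoing guard holds.
DELTA = {
    ("idle", "ok"): lambda x: x["b"] < x["a"] and x["a"] + x["b"] < 8,
    ("idle", "idle"): lambda x: not (x["b"] < x["a"]) and x["a"] + x["b"] < 8,
    ("idle", "overload"): lambda x: not (x["a"] + x["b"] < 8),
    ("ok", "ok"): lambda x: True,
    ("overload", "overload"): lambda x: True,
}


def alpha(profile):
    """Counting abstraction of an action profile {agent: action}."""
    return Counter(profile.values())


def step(state, dist):
    """Transition function Δ(state, dist); None when dist is not available."""
    if any(n > 0 and a not in AVAILABLE[state] for a, n in dist.items()):
        return None
    succ = [t for (s, t), guard in DELTA.items() if s == state and guard(dist)]
    if len(succ) != 1:
        raise ValueError("guards out of %r are not deterministic" % state)
    return succ[0]


def distributions(actions, m):
    """Yield every action distribution over `actions` with sum m (H|_m)."""
    if len(actions) == 1:
        yield Counter({actions[0]: m})
        return
    for k in range(m + 1):
        for rest in distributions(actions[1:], m - k):
            yield Counter({actions[0]: k}) + rest


def outcomes(state, act_c, n):
    """States reachable when the controllable agents play act_c against n
    uncontrollable agents, each of which may also idle."""
    return {step(state, act_c + act_n)
            for act_n in distributions(AVAILABLE[state], n)}


def winning_action(state, c, n, prop):
    """Abstract joint action of c controllable agents that forces `prop` in
    the next state against n uncontrollable agents, or None."""
    for act_c in distributions(AVAILABLE[state], c):
        if all(prop in LABEL[t] for t in outcomes(state, act_c, n)):
            return act_c
    return None


def can_next(state, c, n, prop):
    """Truth of the strategic operator with arguments (c, n), objective X prop."""
    return winning_action(state, c, n, prop) is not None


if __name__ == "__main__":
    for c, n in [(4, 3), (7, 3), (3, 3), (9, 4)]:
        print(c, n, can_next("idle", c, n, "p"),
              winning_action("idle", c, n, "p"))
```

In this constructed model the only winning action for C = 7, N = 3 keeps three controllable agents idle: sending all seven to action a would violate the capacity guard, which is why the idle action matters for extending a strategy to a larger coalition.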

Normal form reductions and fixpoint equivalences
Definition 13. A $L_{hdmas}$-formula $\psi$ is in a normal form if:
1. There are no occurrences of $\forall y_1$ or $\exists y_2$ in $\psi$.
2. Every subformula $t_1, t_2 \; \chi$ of $\psi$ where either $t_1 = y_1$ or $t_2 = y_2$ (but not both) and that variable occurrence is bound in $\psi$, is immediately preceded respectively by $\exists y_1$ or $\forall y_2$.
3. Every subformula $y_1, y_2 \; \chi$, where both these variable occurrences are bound in $\psi$, is immediately preceded either by $\forall y_2 \exists y_1$ or $\exists y_1 \forall y_2$.
Of the examples given in Section 3.1, the first two are in normal form, while the last one is not. We denote by $L^{NF}_{hdmas}$ the fragment of $L_{hdmas}$ consisting of all formulae in normal form. We can give a more explicit definition of the formulae of $L^{NF}_{hdmas}$, by modifying the recursive definition of state formulae of $L_{hdmas}$ as follows: i) the terms $t_1, t_2$ in all clauses of the type $t_1, t_2 \; \chi$ are required not to be variables, and ii) the clauses $\forall y \phi$ and $\exists y \phi$ are replaced with the following, where $\chi$ is a temporal objective and $t_1, t_2 \in T$ such that $t_1 \neq y_2$ and $t_2 \neq y_1$:
We are going to prove that every formula in $L_{hdmas}$ is logically equivalent to one in $L^{NF}_{hdmas}$. For that we will need a series of technical lemmas.
Lemma 5. For every hdmas $M$, state $s$, assignment $\theta$ in $M$, term $t$, and temporal objective $\chi$ in $L_{hdmas}$, the following monotonicity properties hold.
Proof.
(C-mon): Let $M, s, \theta \models C, t \; \chi$. Let $\rho_C$ be an abstract strategy for $C$ controllable agents such that every play $\pi$ in the outcome set $out(s, \rho_C, \theta(t))$ against $\theta(t)$ uncontrollable agents satisfies the temporal objective $\chi$. Then for every $C' > C$, the strategy $\rho_C$ can be extended to strategy $\rho_{C'}$ whereby the additional $C' - C$ many agents always perform the idle action ε. Clearly, $\rho_{C'}$ ensures that $M, s, \theta \models C', t \; \chi$.
(N-mon): Likewise, let $M, s, \theta \models t, N \; \chi$ and let $\rho_C$ be an abstract strategy for $C = \theta(t)$ controllable agents such that every play $\pi$ in the outcome set $out(s, \rho_C, N)$ against $N$ uncontrollable agents satisfies the temporal objective $\chi$. Then the same strategy would ensure $M, s, \theta \models t, N' \; \chi$ for every $N' < N$, since every joint action of $N'$ can be lifted to a joint action of $N$ leading to the same outcome, where the remaining $N - N'$ agents always perform the idle action ε.
□
Lemma 6. For every term $t$ and temporal objective $\chi$ in $L_{hdmas}$, the following hold. 6.
The implication from left to right is again by FOL. For the converse, suppose
The implication from left to right is by FOL. The converse follows from claim (2) in Lemma 6.
Let φ be a positively boolean $L_{hdmas}$-formula. Then we define the transformed formulae (φ) 1 , (φ) 2 , (φ) 12 , (φ) 21 respectively as follows.
We will provide a representative selection of proofs for some of the cases and will leave out the rest, which are essentially analogous, though possibly even longer.

Case (1G ): ∃y
Let ϕ be a positive boolean combination of ψ 1 , ..., ψ k where each ψ i is either a primitive formula or a negation of a primitive formula. Each ψ i which gets modified when producing (ϕ)
For the converse, suppose M, s, θ |= ∃y 1 y 1 , t G (ϕ) 1 for some finite M with state space S, assignment θ and s ∈ S. Fix any C ∈ N such that M, s, θ |= C, t G (ϕ) 1 . Note that y 1 does not occur free in (ϕ) 1 . Besides, θ fixes the values of all terms, so we can treat (ϕ) 1 as a closed formula.
M be its extension in M (which depends on θ) and let w ∈ W. For each ψ i in ϕ of the type y 1 , t i χ i we consider the respective M be its extension. Let f i : S i → N be a mapping assigning to every u ∈ S i a number f i (u) such that M, u, θ |= f i (u), t i χ i . Let f * i := max u∈Si f i (u). For all ψ j which are not of the type y 1 , t i χ i , we put f * j := 0. Now, let C * i = max(f * i , C). Then, by (C-mon), M, w, θ |= C * , t i χ i for each ψ i = y 1 , t i χ i such that M, w, θ |= ∃y 1 y 1 , t i χ i . Therefore (using again (C-mon), and that all other ψ i in ϕ are unchanged in (ϕ) 1 ), we obtain M, w, θ |= ϕ, for each
Thus, ∃y 1 y 1 , t G (ϕ) 1 → ∃y 1 y 1 , t G ϕ is valid in the finite, whence the claim.
Again, let ϕ be a positive boolean combination of ψ 1 , ..., ψ k where each ψ i is either a primitive formula or a negation of a primitive formula.Each ψ i which is modified when producing (ϕ) 2 is of the type t i , y 2 χ i or ¬ t i , y 2 χ i .
Clearly, |= ∀y For the converse, suppose M, s, θ |= ∀y 2 t i , y 2 G ϕ, for some finite M with state space S , assignment θ and s ∈ S .Then, for every N ∈ N there is an abstract positional joint strategy σ N for θ(t i ) many controllable agents, such that ϕ is true at every state on every outcome play enabled by σ N against N uncontrollable agents.Since there are only finitely many abstract positional joint strategies for θ(t i ) many controllable agents in M, there is one which works for infinitely many values of N , and therefore, by (N-mon), it works for all N ∈ N. Let us fix such strategy σ c .We will show that M, s, θ |= ∀y 2 t i , y 2 G (ϕ) 2 by proving that for every N ∈ N the strategy σ c ensures the truth of M, s, θ |= t i , N G (ϕ) 2 .Suppose this is not the case for some N ∈ N. Then there is an abstract joint strategy σ n for N uncontrollable agents that guarantees reaching a state w where (ϕ) 2 fails on the play generated by the pair of joint strategies (σ c , σ n ).Thus, M, w, θ |= (ϕ) 2 , i.e., M, w, θ |= ¬(ϕ) 2 .We will reach a contradiction with the choice of σ c if we succeed to show that there is a Now, let us re-write up to equivalence the formula ¬ϕ as a positive boolean combination of ¬ψ 1 , ..., ¬ψ k , by driving the negation inwards (and cancelling double negations).Note that, for each ψ i of the type t i , y 2 χ i , the formula ¬ψ i in ¬ϕ is replaced in ¬(ϕ) 2 by ¬∀y 2 t i , y 2 χ i ≡ ∃y 2 ¬ t i , y 2 χ i and for each ψ i of the type ¬ t i , y 2 χ i the formula ¬ψ i in ¬ϕ is replaced in ¬(ϕ) 2 by ¬¬ t i , 0 χ i ≡ t i , 0 χ i .
By (N-mon), if M, w, θ |= ¬ t i , N ′ χ i for some N ′ , then M, w, θ |= ¬ t i , N ′′ χ i for all N ′′ > N ′ .Now, by an argument dually similar to the one in the previous case, we can pick a large enough N * such that M, w, θ |= ¬ t i , N * χ i for each i such that ¬∀y 2 t i , y 2 χ i is true at M, w, θ.We can also assume that N * ≥ N for the earlier chosen N .Then we have M, w, θ[y 2 := N * ] |= ¬ϕ, which, as indicated above, is a contradiction.This completes the proof for this case.
For the converse implication, let ϕ be a positive boolean combination of ψ 1 , ..., ψ k where each ψ i is either a primitive formula or a negation of a primitive formula. Suppose M, s, θ |= ∃y 1 ∀y 2 y 1 , y 2 G (ϕ) 12 for some finite M with state space S , assignment θ and s ∈ S.
Similarly as in the proof of (1G ) we can find a large enough

Case (4G ): Essentially analogous to (3G ), using (1G ).
⊓⊔

Theorem 1. Every formula φ of L hdmas is equivalent in the finite to a formula φ NF in L NF hdmas , which can be computed effectively and has length linearly bounded above by |φ|.
Proof. We transform φ into an equivalent one in L NF hdmas , inductively on the structure of φ. The only non-trivial cases are those where φ = Q i y i ϕ, or φ = Q i y i Q j y j ϕ, for i, j = 1, 2, i ≠ j and Q i , Q j ∈ {∀, ∃} and ϕ being a boolean combination of formulae from L NF hdmas . In these cases we do the following.
1. drive Q i y i , respectively Q i y i Q j y j , immediately in front of subformulae beginning with t ′ , t ′′ or with Q j y j , by distributing it, up to equivalence, over ∧ and ∨ by using Lemma 7 plus the standard swaps of quantifiers whenever negations are met;
2. remove the occurring vacuous quantifiers, if any;
3. apply Lemma 6 to eliminate the occurrences of ∀y 1 and ∃y 2 ;
4. apply Lemma 8 to drive the occurrences of the quantifier prefixes inside the temporal objectives;
5. apply the inductive hypothesis to replace the transformed subformulae occurring as arguments of the temporal objectives by formulae from L NF hdmas .
The resulting formula φ NF is in L NF hdmas , and is equivalent in the finite to the original formula because every step in the procedure above preserves such equivalence.
Finally, note that every distribution of a quantifier prefix only adds a number of symbols linear in the length |φ| of the formula and that, after removing vacuous quantifiers, each quantifier prefix occurring in the transformed formula has length at most 2.
⊓⊔

Lemma 9. For all terms t, t ′ , t ′′ ∈ T and closed L hdmas -formulae ϕ, ψ the following equivalences hold, where (Qy)φ means Qyφ if y occurs free in φ, else just φ; the vacuous quantifiers are omitted likewise in (Q i y i Q j y j )φ.
Let ϕ be any state formula of L hdmas , M be a hdmas, s a state and θ an assignment in M. The local model checking problem is the problem of deciding whether M, s, θ |= ϕ, while the global model checking problem is the computational problem that returns the set of states in M where the input formula ϕ is satisfied, i.e. it is the problem of computing the state extension of ϕ in M given θ, formally defined as:

For closed formulae ϕ, [[ϕ]] θ M does not depend on the assignment θ, so we omit it and write [[ϕ]] M .
Algorithm 4 presented here solves the global model checking problem for all L NF hdmas formulae. The core sub-procedure of the algorithm is the function preImg which, given a set Q of states in S and C, N ∈ N, returns the set of states from which C controllable agents have a joint action, which, when played against any joint action of other N uncontrollable agents produces an outcome state in Q. We will call that set the (C, N )-controllable pre-image of Q. Often we will omit (C, N ), when unspecified or fixed in the context, and will write simply "the controllable pre-image of Q". We also extend that notion to "(t 1 , t 2 )-controllable pre-image", for any terms t 1 , t 2 , the values of which are given by the assignment. It computes the state extension of t 1 , t 2 X ψ when M , which is parameterised by terms t 1 , t 2 (by means of their values θ(t 1 ) and θ(t 2 )). We then extend that further to quantified extensions of t 1 , t 2 X ψ, by adding the respective quantification to the result. In all cases, we reduce the problem of computing the controllable pre-images to checking the truth of Presburger formulae.
We now proceed with some technical preparation. Recall that X + is the set of n + 1 action counters. We will be using integer variables k 1 , . . ., k n , k ε and ℓ 1 , . . ., ℓ n , ℓ ε not contained in X + . Each k i (respectively, ℓ i ) represents the number of controllable (respectively, uncontrollable) agents performing action act i ; likewise for k ε (resp., ℓ ε ) for the number of controllable (resp., uncontrollable) agents performing the idle action. Also, for each s in S and i ∈ {1, . . ., n} we introduce an auxiliary propositional constant d i s which is true if and only if action act i is available in s, i.e., act i ∈ d (s).

Definition 15. Given a hdmas M with a state space S , state s in S , a subset Q of S , and terms t 1 , t 2 , we define the following Presburger formulae:

The formula PrF(M, s, t 1 , t 2 , Q) intuitively says that there is a tuple of available actions at s such that when played by t 1 many (controllable) agents and combined with any tuple of available actions for t 2 many (uncontrollable) agents, it satisfies a guard of a transition leading to a state in Q. (The formula can be shortened somewhat, if the quantification is restricted only to k- and ℓ-variables that correspond to action counters that appear in the guard g s Q , which would improve the complexity estimates, as shown in Section 5.) That formula and its extensions with quantifiers over t 1 (when equal to y 1 ) and t 2 (when equal to y 2 ) will be used by the global model checking algorithm to compute the controllable pre-images of state extensions.
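The following sketch is an added illustration, not the paper's Algorithm 4: for fixed numbers C and N it computes the (C, N)-controllable pre-image by brute-force enumeration of action distributions instead of deciding a Presburger formula, and iterates it to a greatest fixpoint for an "always stay in the safe set" objective. The three-state model, its guards and the names `delta`, `pre_img` and `always` are constructed for this example and are not the model of Example 1.

```python
from collections import Counter
from itertools import combinations_with_replacement

# Constructed toy model: the actions available at each state (assumption).
ACTIONS = {"s0": ["a", "b", "idle"], "s1": ["a", "idle"], "bad": ["idle"]}

def delta(s, n):
    """Successor of s under the vector n of action counts (all agents together).
    Each branch condition plays the role of a linear guard over action counters;
    the branches are exclusive and exhaustive, so the successor is unique."""
    if s == "s0":
        return "s1" if n["a"] >= 2 * n["b"] + 1 else "bad"
    if s == "s1":
        return "s0" if n["a"] >= 1 else "s1"
    return "bad"

def distributions(actions, k):
    """All ways k indistinguishable agents can spread over the given actions."""
    return [Counter(c) for c in combinations_with_replacement(actions, k)]

def pre_img(Q, C, N):
    """States where C controllable agents have a joint action that leads into Q
    against every joint action of N uncontrollable agents."""
    result = set()
    for s, acts in ACTIONS.items():
        for ctrl in distributions(acts, C):
            if all(delta(s, ctrl + unc) in Q for unc in distributions(acts, N)):
                result.add(s)
                break
    return result

def always(safe, C, N):
    """Greatest fixpoint of Z = safe & pre_img(Z): states from which C
    controllable agents can stay inside `safe` forever against N others."""
    Z = set(safe)
    while True:
        nxt = Z & pre_img(Z, C, N)
        if nxt == Z:
            return Z
        Z = nxt

if __name__ == "__main__":
    safe = {"s0", "s1"}
    for C, N in [(2, 0), (2, 1), (3, 1)]:
        print(C, N, sorted(pre_img(safe, C, N)), sorted(always(safe, C, N)))
```

In this constructed model the controllable agents hold `s0` only when C ≥ 2N + 1, so raising N from 0 to 1 with C = 2 empties the winning set, which is the monotonicity in the number of uncontrollable agents that (N-mon) refers to.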
Example 3. Let us compute the state extension of the formula ϕ = ∃y 1 ∀y 2 y 1 , y 2 X (p ∨ q) in the model M of Example 1. First, we compute [[p ∨ q]] M = {s 2 , s 3 , s 4 , s 5 , s 6 }. Then, for each state s ∈ M we check the truth of the closed Presburger formula ∃y 1 ∀y 2 PrF(M, s,

Complexity estimates
As is well known from [1], the time complexity of model checking of ATL formulae is linear in both the size of the model and the length of the formula. Note that in standard concurrent game models the number of agents is fixed and the transition relation is represented explicitly, by means of transitions from each state labelled with each action profile. In hdmas models, however, the transitions are represented symbolically, in terms of the guards that determine them. An explicit representation would be infinite, in general. Thus, the question of how to measure the size of hdmas models arises. Given a hdmas M, we consider the following parameters: the size |S | of the state space; the size n of the action set Act, and the size |δ| of the symbolic transition guard function. The latter is defined as the sum of the lengths of all guards appearing in δ, where we assume a binary encoding of numbers.
Given a L NF hdmas formula ϕ and a hdmas M, the number of fixpoint computations in the global model checking algorithm is bounded by the length |ϕ|. Each computation executes the while cycle at most |S | times, and at each iteration, the function preImage is called. The pre-image algorithm cycles through all states again and invokes model checking of a PrA formula PrF each time. In the worst case |PrF| = |δ|, as g s Q could be the disjunction of almost all guards in M. The complexity of checking the truth of a PrA-formula depends not just on its size, but more precisely on the numbers of quantifier alternations and of quantified variables in any quantifier block (cf. [12]). In our case, the maximum number of quantifier alternations is 4, while the number of variables in any quantifier block is at most n + 1. By applying results from [11] (cf. also [12]), these yield a worst case complexity Σ EXP 3 , or more precisely STA( * , 2 |δ| O (1) , 3) when the model is not fixed, or at least n is unbounded, but it is down to STA( * , |δ| O (1) , 3) when n is fixed.
Thus, the number of variables and quantifier alternation depth in PrF-formulas crucially affect the complexity of model checking of L NF hdmas -formulae. We can distinguish the following cases of lower complexity bounds:

1. When no quantifier patterns ∀y 2 ∃y 1 occur, the maximal alternation depth is 3, hence the complexity is reduced to STA( * , 2 |δ| O(1) , 2), respectively STA( * , |δ| O(1) , 2).
2. If no quantification ∀y 2 is allowed, but the number of uncontrollable agents is a parameter, the maximal alternation depth is 2, hence the complexity is reduced to STA( * , 2 |δ| O(1) , 1), respectively STA( * , |δ| O(1) , 1).
3. In the case when the number of either controllable or uncontrollable agents is fixed or bounded, the resulting PrF-formulas become either existential or universal (by replacing the quantifiers over the actions of the bounded set of agents with conjunctions, resp. disjunctions). In these cases, the complexity drops to NP-complete if the number of actions is unbounded, resp. P-complete if that number is fixed or bounded.

Concluding remarks
The framework and results presented here are amenable to various extensions, e.g. allowing any PrA-formulae as guards in hdmas models; allowing more expressive languages, e.g. with arbitrary LTL or parity objectives, with more liberal quantification patterns in L hdmas (i.e., formulae of the type ∀y y, y X ϕ and ∃y y, y X ϕ can be added easily), several super-agents, etc. One currently open question is whether and how the model checking procedure can be lifted to an extension of L hdmas , allowing unrestricted quantification (with shared variables) over controllable and uncontrollable agents.
Of the numerous possible applications we only mention a natural link with the Colonel Blotto games [5], [19], where two players simultaneously distribute military force units across n battlefields, and in each battlefield the player (if any) that has allocated the higher number of units wins. Our framework can be readily applied to model and verify extensions to repeated or extensive Colonel Blotto games, which we leave to future work. More generally, dynamic resource allocation games [3] as well as verification of parameterised fault-tolerance in multi-agent systems [16] seem naturally amenable to applications of the present work.

Definition 10.
Let M be a hdmas and C, N ∈ N. 1.1. An abstract joint action for a coalition of C agents at state s ∈ S is an action distribution act C ∈ H| C such that dom(act C ) = µ[d (s)] (recall notation from Definition 2).

∈ S and for each act ∈ H| µ[d(s)] , there exists a unique s ′ ∈ S such that act |= δ(s, s ′ ) (every possible action profile over the set of actions available at the current state determines a unique transition).
- AP = {p 1 , p 2 , ...} is a finite set of atomic propositions;
- λ : S → ℘(AP ) is a labelling function, assigning to any state s the set of atomic propositions that are true at s.

Example 1. An example of a hdmas is given in Figure 1, where states in S are displayed as circles. The set of actions is Act = {act 1 , act 2 , act 3 } and the action availability function is defined by d (s 1 ) = d (s 3 ) = d (s 4 ) = Act + , d (s 2 ) = {act 1 , act 3 , ε}, d (s 5 ) = {act 2 , act 3 , ε} and d (s 6 ) = {act 1 , ε}. The guards g 1 , .