Arrow Research search

Author name cluster

Orna Kupferman

Possible papers associated with this exact author name in Arrow. This page groups case-insensitive exact name matches and is not a full identity disambiguation profile.

50 papers
2 author rows

Possible papers

50

CSL Conference 2026 Conference Paper

Memory Requirements in Non-Zero-Sum Games

  • Yoav Feinstein
  • Orna Kupferman

The interaction between a system and the components modeling its environment is traditionally modeled by a multi-player game played on a finite graph. In zero-sum games, the players have conflicting objectives, and it is clear that increasing the memory of the environment players can only make it harder for the system to win. In non-zero-sum games, the objectives of the players may overlap. There, typical questions concern the stability of the game and the equilibria the players may reach. In particular, in rational synthesis (RS), the goal is to find an equilibrium that satisfies the objective of the system. We study how the memory of the environment players may affect the existence of an RS solution. As we show, the picture is diverse, even when the objectives of all players are memoryless. On the one hand, when stability amounts to a Nash equilibrium (NE), then increasing the memory of the environment may only help the system to suggest an RS solution. On the other hand, when the notion of stability involves deviations by coalitions of environment players, for example in a strong Nash equilibrium (SNE), then increasing their memory may sometimes enable and sometimes prevent the existence of an RS solution. We study memory bounds for the players, showing that the memory required may be polynomial in an NE-RS solution and exponential in an SNE-RS solution. We also solve the SNE-RS problem, show that it is PSPACE-complete, and relate the differences between NE and SNE with the differences between cooperative and non-cooperative RS.

Details

MFCS Conference 2025 Conference Paper

Positional-Player Games

  • Orna Kupferman
  • Noam Shenwald

In reactive synthesis, we transform a specification to a system that satisfies the specification in all environments. For specifications in linear-temporal logic, research on bounded synthesis, where the sizes of the system and the environment are bounded, captures realistic settings and has lead to algorithms of improved complexity and implementability. In the game-based {a}pproach to synthesis, the system and its environment are modeled by strategies in a two-player game with an ω-regular objective, induced by the specification. There, bounded synthesis corresponds to bounding the memory of the strategies of the players. The memory requirement for various objectives has been extensively studied. In particular, researchers have identified positional objectives, where the winning player can follow a memoryless strategy - one that needs no memory. In this work we study bounded synthesis in the game setting. Specifically, we define and study positional-player games, in which one or both players are restricted to memoryless strategies, which correspond to non-intrusive control in various applications. We study positional-player games with Rabin, Streett, and Muller objectives, as well as with weighted multiple Büchi and reachability objectives. Our contribution covers their theoretical properties as well as a complete picture of the complexity of deciding the game in the various settings.

Details

MFCS Conference 2021 Conference Paper

A Hierarchy of Nondeterminism

  • Bader Abu Radi
  • Orna Kupferman
  • Ofer Leshkowitz

We study three levels in a hierarchy of nondeterminism: A nondeterministic automaton A is determinizable by pruning (DBP) if we can obtain a deterministic automaton equivalent to A by removing some of its transitions. Then, A is good-for-games (GFG) if its nondeterministic choices can be resolved in a way that only depends on the past. Finally, A is semantically deterministic (SD) if different nondeterministic choices in A lead to equivalent states. Some applications of automata in formal methods require deterministic automata, yet in fact can use automata with some level of nondeterminism. For example, DBP automata are useful in the analysis of online algorithms, and GFG automata are useful in synthesis and control. For automata on finite words, the three levels in the hierarchy coincide. We study the hierarchy for Büchi, co-Büchi, and weak automata on infinite words. We show that the hierarchy is strict, study the expressive power of the different levels in it, as well as the complexity of deciding the membership of a language in a given level. Finally, we describe a probability-based analysis of the hierarchy, which relates the level of nondeterminism with the probability that a random run on a word in the language is accepting.

Details

GandALF Workshop 2020 Workshop Paper

Canonicity in GFG and Transition-Based Automata

  • Bader Abu Radi
  • Orna Kupferman

Minimization of deterministic automata on finite words results in a canonical automaton. For deterministic automata on infinite words, no canonical minimal automaton exists, and a language may have different minimal deterministic Buchi (DBW) or co-Buchi (DCW) automata. In recent years, researchers have studied good-for-games (GFG) automata – nondeterministic automata that can resolve their nondeterministic choices in a way that only depends on the past. Several applications of automata in formal methods, most notably synthesis, that are traditionally based on deterministic automata, can instead be based on GFG automata. The minimization problem for DBW and DCW is NP-complete, and it stays NP-complete for GFG Buchi and co-Buchi automata. On the other hand, minimization of GFG co-Buchi automata with transition-based acceptance (GFG-tNCWs) can be solved in polynomial time. In these automata, acceptance is defined by a set α of transitions, and a run is accepting if it traverses transitions in α only finitely often. This raises the question of canonicity of minimal deterministic and GFG automata with transition-based acceptance. In this paper we study this problem. We start with GFG-tNCWs and show that the safe components (that is, these obtained by restricting the transitions to these not in α) of all minimal GFG-tNCWs are isomorphic, and that by saturating the automaton with transitions in α we get isomorphism among all minimal GFG-tNCWs. Thus, a canonical form for minimal GFG-tNCWs can be obtained in polynomial time. We continue to DCWs with transition-based acceptance (tDCWs), and their dual tDBWs. We show that here, while no canonical form for minimal automata exists, restricting attention to the safe components is useful, and implies that the only minimal tDCWs that have no canonical form are these for which the transition to the GFG model results in strictly smaller automaton, which do have a canonical minimal form.

PDF Details DOI

CSL Conference 2020 Conference Paper

Coverage and Vacuity in Network Formation Games

  • Gili Bielous
  • Orna Kupferman

The frameworks of coverage and vacuity in formal verification analyze the effect of mutations applied to systems or their specifications. We adopt these notions to network formation games, analyzing the effect of a change in the cost of a resource. We consider two measures to be affected: the cost of the Social Optimum and extremums of costs of Nash Equilibria. Our results offer a formal framework to the effect of mutations in network formation games and include a complexity analysis of related decision problems. They also tighten the relation between algorithmic game theory and formal verification, suggesting refined definitions of coverage and vacuity for the latter.

Details

MFCS Conference 2020 Conference Paper

On Repetition Languages

  • Orna Kupferman
  • Ofer Leshkowitz

A regular language R of finite words induces three repetition languages of infinite words: the language lim(R), which contains words with infinitely many prefixes in R, the language ∞ R, which contains words with infinitely many disjoint subwords in R, and the language R^ω, which contains infinite concatenations of words in R. Specifying behaviors, the three repetition languages provide three different ways of turning a specification of a finite behavior into an infinite one. We study the expressive power required for recognizing repetition languages, in particular whether they can always be recognized by a deterministic Büchi word automaton (DBW), the blow up in going from an automaton for R to automata for the repetition languages, and the complexity of related decision problems. For lim R and ∞ R, most of these problems have already been studied or are easy. We focus on R^ω. Its study involves some new and interesting results about additional repetition languages, in particular R^#, which contains exactly all words with unboundedly many concatenations of words in R. We show that R^ω is DBW-recognizable iff R^# is ω-regular iff R^# = R^ω, and there are languages for which these criteria do not hold. Thus, R^ω need not be DBW-recognizable. In addition, when exists, the construction of a DBW for R^ω may involve a 2^{O(n log n)} blow-up, and deciding whether R^ω is DBW-recognizable, for R given by a nondeterministic automaton, is PSPACE-complete. Finally, we lift the difference between R^# and R^ω to automata on finite words and study a variant of Büchi automata where a word is accepted if (possibly different) runs on it visit accepting states unboundedly many times.

Details

MFCS Conference 2020 Conference Paper

Unary Prime Languages

  • Ismaël Jecker
  • Orna Kupferman
  • Nicolas Mazzocchi

A regular language L of finite words is composite if there are regular languages L₁, L₂, …, L_t such that L = ⋂_{i = 1}^t L_i and the index (number of states in a minimal DFA) of every language L_i is strictly smaller than the index of L. Otherwise, L is prime. Primality of regular languages was introduced and studied in [O. Kupferman and J. Mosheiff, 2015], where the complexity of deciding the primality of the language of a given DFA was left open, with a doubly-exponential gap between the upper and lower bounds. We study primality for unary regular languages, namely regular languages with a singleton alphabet. A unary language corresponds to a subset of ℕ, making the study of unary prime languages closer to that of primality in number theory. We show that the setting of languages is richer. In particular, while every composite number is the product of two smaller numbers, the number t of languages necessary to decompose a composite unary language induces a strict hierarchy. In addition, a primality witness for a unary language L, namely a word that is not in L but is in all products of languages that contain L and have an index smaller than L’s, may be of exponential length. Still, we are able to characterize compositionality by structural properties of a DFA for L, leading to a LogSpace algorithm for primality checking of unary DFAs.

Details

JAAMAS Journal 2019 Journal Article

Multi-player flow games

  • Shibashis Guha
  • Orna Kupferman
  • Gal Vardi

Abstract In the traditional maximum-flow problem, the goal is to transfer maximum flow in a network by directing, in each vertex in the network, incoming flow to outgoing edges. The problem corresponds to settings in which a central authority has control on all vertices of the network. Today’s computing environment, however, involves systems with no central authority. In particular, in many applications of flow networks, the vertices correspond to decision-points controlled by different and selfish entities. For example, in communication networks, routers may belong to different companies, with different destination objectives. This suggests that the maximum-flow problem should be revisited, and examined from a game-theoretic perspective. We introduce and study multi-player flow games (MFGs, for short). Essentially, the vertices of an MFG are partitioned among the players, and a player that owns a vertex directs the flow that reaches it. Each player has a different target vertex, and the objective of each player is to maximize the flow that reaches her target vertex. We study the stability of MFGs and show that, unfortunately, an MFG need not have a Nash Equilibrium. Moreover, the price of anarchy and even the price of stability of MFGs are unbounded. That is, the reduction in the flow due to selfish behavior is unbounded. We study the problem of deciding whether a given MFG has a Nash Equilibrium and show that it is \(\Sigma _2^P\) -complete, as well as the problem of finding optimal strategies for the players (that is, best-response moves), which we show to be NP-complete. We continue with some good news and consider a variant of MFGs in which flow may be swallowed. For example, when routers in a communication network may drop messages. We show that, surprisingly, while this model seems to incentivize selfish behavior, a Nash Equilibrium that achieves the maximum flow always exists, and can be found in polynomial time. Finally, we consider MFGs in which the strategies of the players may use non-integral flows, which we show to be stronger.

Details DOI

IJCAI Conference 2019 Conference Paper

Reasoning about Quality and Fuzziness of Strategic Behaviours

  • Patricia Bouyer
  • Orna Kupferman
  • Nicolas Markey
  • Bastien Maubert
  • Aniello Murano
  • Giuseppe Perelli

We introduce and study SL[F], a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an SL[F] formula is a real value in [0, 1], reflecting ``how much'' or ``how well'' the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of SL[F] in quantitative reasoning about multi-agent systems, by showing how it can express concepts of stability in multi-agent systems, and how it generalises some fuzzy temporal logics. We also provide a model-checking algorithm for ourlogic, based on a quantitative extension of Quantified CTL*.

PDF Details

LPAR Conference 2018 Conference Paper

Alternating Reachability Games with Behavioral and Revenue Objectives

  • Orna Kupferman
  • Tami Tamir

We introduce and study alternating reachability games with tolls (ARGTs). An ARGT is a multi-player game played on a directed graph. Each player has a source vertex and a set of target vertices. The vertices of the graph are partitioned among the players. Thus, each player owns a subset of the vertices. In the beginning of the game, each player places a token on her source vertex. Whenever a token reaches a vertex v, the owner of the token pays a toll to the owner of vertex v, who directs the token to one of the successors of v. The objective of each player combines a reachability objective with a minimal-cost maximal-profit objective. For the first, the token of the player needs to reach one of her target vertices. For the second, the player aims at decreasing the toll she pays to other players and increasing the toll paid to her due to visits in vertices she owns. ARGTs model settings in which the vertices are owned by entities who also use the network; for example, communication networks in which service providers own the routers and send messages. ARGTs also offer an extension of rational synthesis with rewards to actions. To the best of our knowledge, this model is the first to combine behavioral and revenue objectives. We study different instances of the game, distinguishing between various network topologies and various levels of overlap among the reachability objectives of the players. We analyze the stability of ARGTs, characterizing instances for which a Nash equilibrium is guaranteed to exist, and studying its inefficiency. We also analyze the problems of finding optimal strategies for the players and for the society as a whole.

Details

LPAR Conference 2018 Conference Paper

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

  • Rachel Faran
  • Orna Kupferman

The computational bottleneck in model-checking applications is the blow-up involved in the translation of systems to their mathematical model. This blow up is especially painful in systems with variables over an infinite domain, and in composite systems described by means of their underlying components. We introduce and study linear temporal logic with arithmetic (LTLA, for short), where formulas include variables that take values in Z, and in which linear arithmetic over these values is supported. We develop an automata-theoretic approach for reasoning about LTLA formulas and use it in order to solve, in PSPACE, the satisfiability problem for the existential fragment of LTLA and the model-checking problem for its universal fragment. We show that these results are tight, as a single universally- quantified variable makes the satisfiability problem for LTLA undecidable. In addition to reasoning about systems with variables over Z, we suggest applications of LTLA in reasoning about hierarchical systems, which consist of subsystems that can call each other in a hierarchical manner. We use the values in Z in order to describe the nesting depth of components in the system. A naive model-checking algorithm for hierarchical systems flattens them, which involves an exponential blow up. We suggest a model-checking algorithm that avoids the flattening and avoids a blow up in the number of components.

Details

AAMAS Conference 2018 Conference Paper

Multi-Player Flow Games

  • Shibashis Guha
  • Orna Kupferman
  • Gal Vardi

In the traditional maximum-flow problem, the goal is to transfer maximum flow in a network by directing, in each vertex in the network, incoming flow to outgoing edges. The problem corresponds to settings in which a central authority has control on all vertices of the network. Today’s computing environment, however, involves systems with no central authority. In particular, in many applications of flow networks, the vertices correspond to decisionpoints controlled by different and selfish entities. For example, in communication networks, routers may belong to different companies, with different destination objectives. This suggests that the maximum-flow problem should be revisited, and examined from a game-theoretic perspective. We introduce and study multi-player flow games (MFGs, for short). Essentially, the vertices of an MFG are partitioned among the players, and a player that owns a vertex directs the flow that reaches it. Each player has a different target vertex, and the objective of each player is to maximize the flow that reaches her target vertex. We study the stability of MFGs and show that, unfortunately, an MFG need not have a Nash Equilibrium. Moreover, the Price of Anarchy and even the Price of Stability of MFGs are unbounded. That is, the reduction in the flow due to selfish behavior is unbounded. We study the problem of deciding whether a given MFG has a Nash Equilibrium and show that it is ΣP 2 -complete, as well as the problem of finding optimal strategies for the players (that is, best-response moves), which we show to be NP-complete. We continue with some good news and consider a variant of MFGs in which flow may be swallowed. For example, when routers in a communication network may drop messages. We show that, surprisingly, while this model seems to incentivize selfish behavior, a Nash Equilibrium that achieves the maximum flow always exists, and can be found in polynomial time. Finally, we consider MFGs in which the strategies of the players may use non-integral flows, which we show to be stronger.

PDF

LPAR Conference 2018 Conference Paper

Playing with the Maximum-Flow Problem

  • Orna Kupferman

In the traditional maximum-flow problem, the goal is to transfer maximum flow in a network by directing, in each vertex in the network, incoming flow into outgoing edges. The problem has been extensively used in order to optimize the performance of networks in numerous application areas. The definition of the problem corresponds to a setting in which the authority has control on all vertices of the network. Today’s computing environment involves parties that should be considered adversarial. We survey recent studies on flow games, which capture settings in which the vertices of the network are owned by different and selfish entities. We start with the case of two players, max (the authority), which aims at maximizing the flow, and min (the hostile environment), which aims at minimizing the flow. We argue that such flow games capture many modern settings, such as partially- controlled pipe or road systems or hybrid software-defined communication networks. We then continue to the special case where all vertices are owned by min. This case captures evacuation scenarios, where the goal is to maximize the flow that is guaranteed to travel in the most unfortunate routing decisions. Finally, we study the general case, of multiple players, each with her own target vertex. In all settings, we study the problems of finding the maximal flows, optimal strategies for the players, as well as stability and equilibrium inefficiency in the case of multi-player games. We discuss additional variants and their applications, and point to several interesting open problems.

Details

MFCS Conference 2018 Conference Paper

Spanning-Tree Games

  • Dan Hefetz
  • Orna Kupferman
  • Amir Lellouche
  • Gal Vardi

We introduce and study a game variant of the classical spanning-tree problem. Our spanning-tree game is played between two players, min and max, who alternate turns in jointly constructing a spanning tree of a given connected weighted graph G. Starting with the empty graph, in each turn a player chooses an edge that does not close a cycle in the forest that has been generated so far and adds it to that forest. The game ends when the chosen edges form a spanning tree in G. The goal of min is to minimize the weight of the resulting spanning tree and the goal of max is to maximize it. A strategy for a player is a function that maps each forest in G to an edge that is not yet in the forest and does not close a cycle. We show that while in the classical setting a greedy approach is optimal, the game setting is more complicated: greedy strategies, namely ones that choose in each turn the lightest (min) or heaviest (max) legal edge, are not necessarily optimal, and calculating their values is NP-hard. We study the approximation ratio of greedy strategies. We show that while a greedy strategy for min guarantees nothing, the performance of a greedy strategy for max is satisfactory: it guarantees that the weight of the generated spanning tree is at least w(MST(G))/2, where w(MST(G)) is the weight of a maximum spanning tree in G, and its approximation ratio with respect to an optimal strategy for max is 1. 5+1/w(MST(G)), assuming weights in [0, 1]. We also show that these bounds are tight. Moreover, in a stochastic setting, where weights for the complete graph K_n are chosen at random from [0, 1], the expected performance of greedy strategies is asymptotically optimal. Finally, we study some variants of the game and study an extension of our results to games on general matroids.

Details

IJCAI Conference 2018 Conference Paper

Synthesis of Controllable Nash Equilibria in Quantitative Objective Game

  • Shaull Almagor
  • Orna Kupferman
  • Giuseppe Perelli

In Rational Synthesis, we consider a multi-agent system in which some of the agents are controllable and some are not. All agents have objectives, and the goal is to synthesize strategies for the controllable agents so that their objectives are satisfied, assuming rationality of the uncontrollable agents. Previous work on rational synthesis considers objectives in LTL, namely ones that describe on-going behaviors, and in Objective-LTL, which allows ranking of LTL formulas. In this paper, we extend rational synthesis to LTL[F] -- an extension of LTL by quality operators. The satisfaction value of an LTL[F] formula is a real value in [0, 1], where the higher the value is, the higher is the quality in which the computation satisfies the specification. The extension significantly strengthens the framework of rational synthesis and enables a study its game- and social-choice theoretic aspects. In particular, we study the price of stability and price of anarchy of the rational-synthesis game and use them to explain the cooperative and non-cooperative settings of rational synthesis. Our algorithms make use of strategy logic and decision procedures for it. Thus, we are able to handle the richer quantitative setting using existing tools. In particular, we show that the cooperative and non-cooperative versions of quantitative rational synthesis are 2EXPTIME-complete and in 3EXPTIME, respectively -- not harder than the complexity known for their Boolean analogues.

PDF Details

MFCS Conference 2018 Conference Paper

Timed Network Games with Clocks

  • Guy Avni
  • Shibashis Guha
  • Orna Kupferman

Network games are widely used as a model for selfish resource-allocation problems. In the classical model, each player selects a path connecting her source and target vertices. The cost of traversing an edge depends on the load; namely, number of players that traverse it. Thus, it abstracts the fact that different users may use a resource at different times and for different durations, which plays an important role in determining the costs of the users in reality. For example, when transmitting packets in a communication network, routing traffic in a road network, or processing a task in a production system, actual sharing and congestion of resources crucially depends on time. In [G. Avni et al. , 2017], we introduced timed network games, which add a time component to network games. Each vertex v in the network is associated with a cost function, mapping the load on v to the price that a player pays for staying in v for one time unit with this load. Each edge in the network is guarded by the time intervals in which it can be traversed, which forces the players to spend time in the vertices. In this work we significantly extend the way time can be referred to in timed network games. In the model we study, the network is equipped with clocks, and, as in timed automata, edges are guarded by constraints on the values of the clocks, and their traversal may involve a reset of some clocks. We argue that the stronger model captures many realistic networks. The addition of clocks breaks the techniques we developed in [G. Avni et al. , 2017] and we develop new techniques in order to show that positive results on classic network games carry over to the stronger timed setting.

Details

IJCAI Conference 2017 Conference Paper

An Abstraction-Refinement Methodology for Reasoning about Network Games

  • Guy Avni
  • Shibashis Guha
  • Orna Kupferman

Network games (NGs) are played on directed graphs and are extensively used in network design and analysis. Search problems for NGs include finding special strategy profiles such as a Nash equilibrium and a globally optimal solution. The networks modeled by NGs may be huge. In formal verification, abstraction has proven to be an extremely effective technique for reasoning about systems with big and even infinite state spaces. We describe an abstraction-refinement methodology for reasoning about NGs. Our methodology is based on an abstraction function that maps the state space of an NG to a much smaller state space. We search for a global optimum and a Nash equilibrium by reasoning on an under- and an over-approximation defined on top of this smaller state space. When the approximations are too coarse to find such profiles, we refine the abstraction function. Our experimental results demonstrate the efficiency of the methodology.

PDF Details

MFCS Conference 2017 Conference Paper

Timed Network Games

  • Guy Avni
  • Shibashis Guha
  • Orna Kupferman

Network games are widely used as a model for selfish resource-allocation problems. In the classical model, each player selects a path connecting her source and target vertex. The cost of traversing an edge depends on the number of players that traverse it. Thus, it abstracts the fact that different users may use a resource at different times and for different durations, which plays an important role in defining the costs of the users in reality. For example, when transmitting packets in a communication network, routing traffic in a road network, or processing a task in a production system, the traversal of the network involves an inherent delay, and so sharing and congestion of resources crucially depends on time. We study timed network games, which add a time component to network games. Each vertex v in the network is associated with a cost function, mapping the load on v to the price that a player pays for staying in v for one time unit with this load. In addition, each edge has a guard, describing time intervals in which the edge can be traversed, forcing the players to spend time on vertices. Unlike earlier work that add a time component to network games, the time in our model is continuous and cannot be discretized. In particular, players have uncountably many strategies, and a game may have uncountably many pure Nash equilibria. We study properties of timed network games with cost-sharing or congestion cost functions: their stability, equilibrium inefficiency, and complexity. In particular, we show that the answer to the question whether we can restrict attention to boundary strategies, namely ones in which edges are traversed only at the boundaries of guards, is mixed.

Details

MFCS Conference 2016 Conference Paper

Eulerian Paths with Regular Constraints

  • Orna Kupferman
  • Gal Vardi

Labeled graphs, in which edges are labeled by letters from some alphabet Sigma, are extensively used to model many types of relations associated with actions, costs, owners, or other properties. Each path in a labeled graph induces a word in Sigma^* -- the one obtained by concatenating the letters along the edges in the path. Classical graph-theory problems give rise to new problems that take these words into account. We introduce and study the constrained Eulerian path problem. The input to the problem is a Sigma-labeled graph G and a specification L \subseteq Sigma^*. The goal is to find an Eulerian path in G that satisfies L. We consider several classes of the problem, defined by the classes of G and L. We focus on the case L is regular and show that while the problem is in general NP-complete, even for very simple graphs and specifications, there are classes that can be solved efficiently. Our results extend work on Eulerian paths with edge-order constraints. We also study the constrained Chinese postman problem, where edges have costs and the goal is to find a cheapest path that contains each edge at least once and satisfies the specification. Finally, we define and study the Eulerian language of a graph, namely the set of words along its Eulerian paths.

Details

CSL Conference 2016 Conference Paper

High-Quality Synthesis Against Stochastic Environments

  • Shaull Almagor
  • Orna Kupferman

In the classical synthesis problem, we are given a linear temporal logic (LTL) formula psi over sets of input and output signals, and we synthesize a transducer that realizes psi: with every sequence of input signals, the transducer associates a sequence of output signals so that the generated computation satisfies psi. One weakness of automated synthesis in practice is that it pays no attention to the quality of the synthesized system. Indeed, the classical setting is Boolean: a computation satisfies a specification or does not satisfy it. Accordingly, while the synthesized system is correct, there is no guarantee about its quality. In recent years, researchers have considered extensions of the classical Boolean setting to a quantitative one. The logic FLTL is a multi-valued logic that augments LTL with quality operators. The satisfaction value of an FLTL formula is a real value in [0, 1], where the higher the value is, the higher is the quality in which the computation satisfies the specification. Decision problems for LTL become search or optimization problems for FLTL. In particular, in the synthesis problem, the goal is to generate a transducer that satisfies the specification in the highest possible quality. Previous work considered the worst-case setting, where the goal is to maximize the quality of the computation with the minimal quality. We introduce and solve the stochastic setting, where the goal is to generate a transducer that maximizes the expected quality of a computation, subject to a given distribution of the input signals. Thus, rather than being hostile, the environment is assumed to be probabilistic, which corresponds to many realistic settings. We show that the problem is 2EXPTIME-complete, like classical LTL synthesis. The complexity stays 2EXPTIME also in two extensions we consider: one that maximizes the expected quality while guaranteeing that the minimal quality is, with probability 1, above a given threshold, and one that allows assumptions on the environment.

Details

CSL Conference 2015 Conference Paper

On Relative and Probabilistic Finite Counterability

  • Orna Kupferman
  • Gal Vardi

A counterexample to the satisfaction of a linear property psi in a system S is an infinite computation of S that violates psi. Counterexamples are of great help in detecting design errors and in modeling methodologies such as CEGAR. When psi is a safety property, a counterexample to its satisfaction need not be infinite. Rather, it is a bad-prefix for psi: a finite word all whose extensions violate psi. The existence of finite counterexamples is very helpful in practice. Liveness properties do not have bad-prefixes and thus do not have finite counterexamples. We extend the notion of finite counterexamples to non-safety properties. We study counterable languages - ones that have at least one bad-prefix. Thus, a language is counterable iff it is not liveness. Three natural problems arise: (1) Given a language, decide whether it is counterable, (2) study the length of minimal bad-prefixes for counterable languages, and (3) develop algorithms for detecting bad-prefixes for counterable languages. We solve the problems for languages given by means of LTL formulas or nondeterministic Büchi automata. In particular, our EXPSPACE-completeness proof for the problem of deciding whether a given LTL formula is counterable, and hence also for deciding whether it is liveness, settles a long-standing open problem. We also make finite counterexamples more relevant and helpful by introducing two variants of the traditional definition of bad-prefixes. The first adds a probabilistic component to the definition. There, a prefix is bad if almost all its extensions violate the property. The second makes it relative to the system. There, a prefix is bad if all its extensions in the system violate the property. We also study the combination of the probabilistic and relative variants. Our framework suggests new variants also of safety and liveness languages. We solve the above three problems for the different variants. Interestingly, the probabilistic variant not only increases the chances to return finite counterexamples, but also makes the solution of the three problems exponentially easier.

Details

EUMAS Conference 2014 Conference Paper

Synthesis with Rational Environments

  • Orna Kupferman
  • Giuseppe Perelli
  • Moshe Y. Vardi

Abstract Synthesis is the automated construction of a system from its specification. The system has to satisfy its specification in all possible environments. The environment often consists of agents that have objectives of their own. Thus, it makes sense to soften the universal quantification on the behavior of the environment and take the objectives of its underlying agents into an account. Fisman et al. introduced rational synthesis: the problem of synthesis in the context of rational agents. The input to the problem consists of temporal-logic formulas specifying the objectives of the system and the agents that constitute the environment, and a solution concept (e. g. , Nash equilibrium). The output is a profile of strategies, for the system and the agents, such that the objective of the system is satisfied in the computation that is the outcome of the strategies, and the profile is stable according to the solution concept; that is, the agents that constitute the environment have no incentive to deviate from the strategies suggested to them. In this paper we continue to study rational synthesis. First, we suggest an alternative definition to rational synthesis, in which the agents are rational but not cooperative. In the non-cooperative setting, one cannot assume that the agents that constitute the environment take into account the strategies suggested to them. Accordingly, the output is a strategy for the system only, and the objective of the system has to be satisfied in all the compositions that are the outcome of a stable profile in which the system follows this strategy. We show that rational synthesis in this setting is 2 ExpTime - complete, thus it is not more complex than traditional synthesis or cooperative rational synthesis. Second, we study a richer specification formalism, where the objectives of the system and the agents are not Boolean but quantitative. In this setting, the goal of the system and the agents is to maximize their outcome. The quantitative setting significantly extends the scope of rational synthesis, making the game-theoretic approach much more relevant.

Details

MFCS Conference 2013 Conference Paper

Prime Languages

  • Orna Kupferman
  • Jonathan Mosheiff

Abstract We say that a deterministic finite automaton (DFA) \(\mathcal{A}\) is composite if there are DFAs \(\mathcal{A}_1, \ldots, \mathcal{A}_t\) such that \(L(\mathcal{A}) = \bigcap_{i=1}^t L(\mathcal{A}_i)\) and the index of every \(\mathcal{A}_i\) is strictly smaller than the index of \(\mathcal{A}\). Otherwise, \(\mathcal{A}\) is prime. We study the problem of deciding whether a given DFA is composite, the number of DFAs required in a decomposition, methods to prove primality, and structural properties of DFAs that make the problem simpler or are retained in a decomposition.

Details

GandALF Workshop 2013 Workshop Paper

Profile Trees for Büchi Word Automata, with Application to Determinization

  • Seth Fogarty
  • Orna Kupferman
  • Moshe Y. Vardi
  • Thomas Wilke

The determinization of Buchi automata is a celebrated problem, with applications in synthesis, probabilistic verification, and multi-agent systems. Since the 1960s, there has been a steady progress of constructions: by McNaughton, Safra, Piterman, Schewe, and others. Despite the proliferation of solutions, they are all essentially ad-hoc constructions, with little theory behind them other than proofs of correctness. Since Safra, all optimal constructions employ trees as states of the deterministic automaton, and transitions between states are defined operationally over these trees. The operational nature of these constructions complicates understanding, implementing, and reasoning about them, and should be contrasted with complementation, where a solid theory in terms of automata run DAGs underlies modern constructions. In 2010, we described a profile-based approach to Buchi complementation, where a profile is simply the history of visits to accepting states. We developed a structural theory of profiles and used it to describe a complementation construction that is deterministic in the limit. Here we extend the theory of profiles to prove that every run DAG contains a profile tree with at most a finite number of infinite branches. We then show that this property provides a theoretical grounding for a new determinization construction where macrostates are doubly preordered sets of states. In contrast to extant determinization constructions, transitions in the new construction are described declaratively rather than operationally.

PDF Details DOI

CSL Conference 2011 Conference Paper

Unifying Büchi Complementation Constructions

  • Seth Fogarty
  • Orna Kupferman
  • Moshe Y. Vardi
  • Thomas Wilke

Complementation of Buechi automata, required for checking automata containment, is of major theoretical and practical interest in formal verification. We consider two recent approaches to complementation. The first is the rank-based approach of Kupferman and Vardi, which operates over a DAG that embodies all runs of the automaton. This approach is based on the observation that the vertices of this DAG can be ranked in a certain way, termed an odd ranking, iff all runs are rejecting. The second is the slice-based approach of Kahler and Wilke. This approach tracks levels of "split trees" - run trees in which only essential information about the history of each run is maintained. While the slice-based construction is conceptually simple, the complementing automata it generates are exponentially larger than those of the recent rank-based construction of Schewe, and it suffers from the difficulty of symbolically encoding levels of split trees. In this work we reformulate the slice-based approach in terms of run DAGs and preorders over states. In doing so, we begin to draw parallels between the rank-based and slice-based approaches. Through deeper analysis of the slice-based approach, we strongly restrict the nondeterminism it generates. We are then able to employ the slice-based approach to provide a new odd ranking, called a retrospective ranking, that is different from the one provided by Kupferman and Vardi. This new ranking allows us to construct a deterministic-in-the-limit rank-based automaton with a highly restricted transition function. Further, by phrasing the slice-based approach in terms of ranks, our approach affords a simple symbolic encoding and achieves Schewe's tight bound.

Details

SODA Conference 2009 Conference Paper

Reasoning about online algorithms with weighted automata

  • Benjamin Aminof
  • Orna Kupferman
  • Robby Lampert

We describe an automata-theoretic approach for the competitive analysis of online algorithms. Our approach is based on weighted automata, which assign to each input word a cost in IR ≥0. By relating the “unbounded look ahead” of optimal offline algorithms with nondeterminism, and relating the “no look ahead” of online algorithms with determinism, we are able to solve problems about the competitive ratio of online algorithms, and the memory they require, by reducing them to questions about determinization and approximated determinization of weighted automata.

Details

LPAR Conference 2008 Conference Paper

On the Relative Succinctness of Nondeterministic Büchi and co-Büchi Word Automata

  • Benjamin Aminof
  • Orna Kupferman
  • Omer Lev

Abstract The practical importance of automata on infinite objects has motivated a re-examination of the complexity of automata-theoretic constructions. One such construction is the translation, when possible, of nondeterministic Büchi word automata (NBW) to nondeterministic co-Büchi word automata (NCW). Among other applications, it is used in the translation (when possible) of LTL to the alternation-free μ -calculus. The best known upper bound for the translation of NBW to NCW is exponential (given an NBW with n states, the best translation yields an equivalent NCW with 2 O ( n log n ) states). On the other hand, the best known lower bound is trivial (no NBW with n states whose equivalent NCW requires even n + 1 states is known). In fact, only recently was it shown that there is an NBW whose equivalent NCW requires a different structure. In this paper we improve the lower bound by showing that for every integer k ≥ 1 there is a language L k over a two-letter alphabet, such that L k can be recognized by an NBW with 2 k + 1 states, whereas the minimal NCW that recognizes L k has 3 k states. Even though this gap is not asymptotically very significant, it nonetheless demonstrates for the first time that NBWs are more succinct than NCWs. In addition, our proof points to a conceptual advantage of the Büchi condition: an NBW can abstract precise counting by counting to infinity with two states. To complete the picture, we consider also the reverse NCW to NBW translation, and show that the known upper bound, which duplicates the state space, is tight.

Details

CSL Conference 2007 Invited Paper

Tightening the Exchange Rates Between Automata

  • Orna Kupferman

Abstract Automata on infinite objects were the key to the solution of several fundamental decision problems in mathematics and logic. Today, automata on infinite objects are used for formal specification and verification of reactive systems. The practical importance of automata in formal methods has motivated a re-examination of the blow up that translations among different types of automata involve. For most translations, the situation is satisfying, in the sense that even if there is a gap between the upper and the lower bound, it is small. For some highly practical cases, however, the gap between the upper and the lower bound is exponential or even larger. The article surveys several such frustrating cases, studies features that they share, and describes recent efforts (with partial success) to close the gaps.

Details

LPAR Conference 2006 Conference Paper

On Locally Checkable Properties

  • Orna Kupferman
  • Yoad Lustig
  • Moshe Y. Vardi

Abstract The large computational price of formal verification of general ω -regular properties has led to the study of restricted classes of properties, and to the development of verification methodologies for them. Examples that have been widely accepted by the industry include the verification of safety properties, and bounded model checking. We introduce and study another restricted class of properties – the class of locally checkable properties. For an integer k ≥1, a language L ⊆ Σ ω is k-checkable if there is a language R ⊆ Σ k (of “allowed subwords”) such that a word w belongs to L iff all the subwords of w of length k belong to R. A property is locally checkable if its language is k -checkable for some k. Locally checkable properties, which are a special case of safety properties, are common in the specification of systems. In particular, one can often bound an eventuality constraint in a property by a fixed time frame. The practical importance of locally checkable properties lies in the low memory demand for their run-time verification. A monitor for a k -checkable property needs only a record of the last k computation cycles. Furthermore, even if a large number of k -checkable properties are monitored, the monitors can share their memory, resulting in memory demand that do not depend on the number of properties monitored. This advantage of locally checkable properties makes them particularly suitable for run-time verification. In the paper, we define locally checkable languages, study their relation to other restricted classes of properties, study the question of deciding whether a property is locally checkable, and study the relation between the size of the property (specified by an LTL formula or an automaton) and the smallest k for which the property is k -checkable.

Details

FOCS Conference 2005 Conference Paper

Safraless Decision Procedures

  • Orna Kupferman
  • Moshe Y. Vardi

The automata-theoretic approach is one of the most fundamental approaches to developing decision procedures in mathematical logics. To decide whether a formula in a logic with the tree-model property is satisfiable, one constructs an automaton that accepts all (or enough) tree models of the formula and then checks that the language of this automaton is nonempty. The standard approach translates formulas into alternating parity tree automata, which are then translated, via Safra's determinization construction, into nondeterministic parity automata. This approach is not amenable to implementation because of the difficulty of implementing Safra's construction and the nonemptiness test for nondeterministic parity tree automata. In this paper, we offer an alternative to the standard automata-theoretic approach. The crux of our approach is avoiding the use of Safra's construction and of nondeterministic parity tree automata. Our approach goes instead via universal co-Buchi tree automata and nondeterministic Buchi tree automata. Our translations are significantly simpler than the standard approach, less difficult to implement, and have practical advantages like being amenable to optimizations and a symbolic implementation. We also show that our approach yields better complexity bounds.

Details

LPAR Conference 2004 Conference Paper

Reasoning About Systems with Transition Fairness

  • Benjamin Aminof
  • Thomas Ball 0001
  • Orna Kupferman

Abstract Formal verification methods model systems by Kripke structures. In order to model live behaviors of systems, Kripke structures are augmented with fairness conditions. Such conditions partition the computations of the systems into fair computations, with respect to which verification proceeds, and unfair computations, which are ignored. Reasoning about Kripke structures augmented with fairness is typically harder than reasoning about non-fair Kripke structures. We consider the transition fairness condition, where a computation π is fair iff each transition that is enabled in π infinitely often is also taken in π infinitely often. Transition fairness is a natural and useful fairness condition. We show that reasoning about Kripke structures augmented with transition fairness is not harder than reasoning about non-fair Kripke structures. We demonstrate it for fair CTL and LTL model checking, and the problem of calculating the dominators and postdominators.

Details

MFCS Conference 2002 Conference Paper

An Improved Algorithm for the Membership Problem for Extended Regular Expressions

  • Orna Kupferman
  • Sharon Zuhovitzky

Abstract Extended regular expressions (ERE) define regular languages using union, concatenation, repetition, intersection, and complementation operators. The fact ERE allow intersection and complementation makes them exponentially more succinct than regular expressions. The membership problem for extended regular expressions is to decide, given an expression r and a word w, whether w belongs to the language defined by r. Since regular expressions are useful for describing patterns in strings, the membership problem has numerous applications. In many such applications, the words w are very long and patterns are conveniently described using ERE, making efficient solutions to the membership problem of great practical interest. In this paper we introduce alternating automata with synchronized universality and negation and use them in order to obtain a simple and efficient algorithm for solving the membership problem for ERE. Our algorithm runs in time O ( m · n 2 ) and space O ( m · n + k · n 2 ), where m is the length of r, n is the length of w, and k is the number of intersection and complementation operators in r. This improves the best known algorithms for the problem.

Details

LPAR Conference 2002 Conference Paper

Pushdown Specifications

  • Orna Kupferman
  • Nir Piterman
  • Moshe Y. Vardi

Abstract Traditionally, model checking is applied to finite-state systems and regular specifications. While researchers have successfully extended the applicability of model checking to infinite-state systems, almost all existing work still consider regular specification formalisms. There are, however, many interesting non-regular properties one would like to model check. In this paper we study model checking of pushdown specifications. Our specification formalism is nondeterministic pushdown parity tree automata (PD-NPT). We show that the model-checking problem for regular systems and PD-NPT specifications can be solved in time exponential in the system and the specification. Our model-checking algorithm involves a new solution to the nonemptiness problem of nondeterministic pushdown tree automata, where we improve the best known upper bound from a triple-exponential to a single exponential. We also consider the model-checking problem for context-free systems and PD-NPT specifications and show that it is undecidable.

Details

CSL Conference 2002 Conference Paper

Trading Probability for Fairness

  • Marcin Jurdzinski
  • Orna Kupferman
  • Thomas A. Henzinger

Abstract Behavioral properties of open systems can be formalized as objectives in two-player games. Turn-based games model asynchronous interaction between the players (the system and its environment) by interleaving their moves. Concurrent games model synchronous interaction: the players always move simultaneously. Infinitary winning criteria are considered: Büchi, co-Büchi, and more general parity conditions. A generalization of determinacy for parity games to concurrent parity games demands probabilistic (mixed) strategies: either player 1 has a mixed strategy to win with probability 1 (almost-sure winning), or player 2 has a mixed strategy to win with positive probability. This work provides efficient reductions of concurrent probabilistic Büchi and co-Büchi games to turn-based games with Büchi condition and parity winning condition with three priorities, respectively. From a theoretical point of view, the latter reduction shows that one can trade the probabilistic nature of almost-sure winning for a more general parity (fairness) condition. The reductions improve understanding of concurrent games and provide an alternative simple proof of determinacy of concurrent Büchi and co-Büchi games. From a practical point of view, the reductions turn solvers of turn-based games into solvers of concurrent probabilistic games. Thus improvements in the well-studied algorithms for the former carry over immediately to the latter. In particular, a recent improvement in the complexity of solving turn-based parity games yields an improvement in time complexity of solving concurrent probabilistic co-Büchi games from cubic to quadratic.

Details

LPAR Conference 2001 Conference Paper

On Bounded Specifications

  • Orna Kupferman
  • Moshe Y. Vardi

Abstract Bounded model checking methodologies check the correctness of a system with respect to a given specification by examining computations of a bounded length. Results from set-theoretic topology imply that sets in Σ ω that are both open and closed ( clopen sets ) are precisely bounded sets: membership of a word in a clopen set can be determined by examining a bounded prefix of it. Clopen sets correspond to specifications that are both safety and co-safety. In this paper we study bounded specifications from this perspective. We consider both the linear and the branching frameworks. In the linear framework, we show that when clopen specifications are given by word automata or temporal logic formulas, we can identify a bound and translate the specification to bounded formalisms such as cycle-free automata and bounded LTL. In the branching framework, we show that while clopen sets of trees with infinite branching degrees may not be bounded, we can extend the results from the linear framework to clopen specifications given by tree automata or temporal logic formulas, even for trees with infinite branching degrees. There, we can identify a bound and translate clopen specifications to cycle-free automata and modal logic. Finally, we show how our results imply that the bottom levels of the μ-calculus hierarchy coalesce.

Details

MFCS Conference 2000 Conference Paper

µ-Calculus Synthesis

  • Orna Kupferman
  • Moshe Y. Vardi

Abstract In system synthesis, we transform a specification into a system that is guaranteed to satisfy the specification. When the system is open, it interacts with an environment via input and output signals and its behavior depends on this interaction. An open system should satisfy its specification in all possible environments. In addition to the input signals that the system can read, an environment can also have internal signals that the system cannot read. In the above setting, of synthesis with incomplete information, we should transform a specification that refers to both readable and unreadable signals into a system whose behavior depends only on the readable signals. In this work we solve the problem of synthesis with incomplete information for specifications in μ-calculus. Since many properties of systems are naturally specified by means of fixed points, the μ-calculus is an expressive and important specification language. Our results and technique generalize and simplify previous work on synthesis. In particular, we prove that the problem of μ-calculus synthesis with incomplete information is EXPTIME-complete. Thus, it is not harder than the satisfiability or the synthesis problems for this logic.

Details

FOCS Conference 1998 Conference Paper

Concurrent Reachability Games

  • Luca de Alfaro
  • Thomas A. Henzinger
  • Orna Kupferman

An open system can be modeled as a two-player game between the system and its environment. At each round of the game, player 1 (the system) and player 2 (the environment) independently and simultaneously choose moves, and the two choices determine the next state of the game. Properties of open systems can be modeled as objectives of these two-player games. For the basic objective of reachability-can player 1 force the game to a given set of target states? -there are three types of winning states, according to the degree of certainty with which player 1 can reach the target. From type-1 states, player 1 has a deterministic strategy to always reach the target. From type-2 states, player 1 has a randomized strategy to reach the target with probability 1. From type-3 states, player 1 has for every real /spl epsi/>0 a randomized strategy to reach the target with probability greater than 1-/spl epsi/. We show that for finite state spaces, all three sets of winning states can be computed in polynomial time: type-1 states in linear time, and type-2 and type-3 states in quadratic time. The algorithms to compute the three sets of winning states also enable the construction of the winning and spoiling strategies. Finally, we apply our results by introducing a temporal logic in which all three kinds of winning conditions can be specified, and which can be model checked in polynomial time. This logic, called Randomized ATL, is suitable for reasoning about randomized behavior in open (two-agent) as well as multi-agent systems.

Details

CSL Conference 1998 Conference Paper

Existence of Reduction Hierarchies

  • Orna Kupferman
  • Robert P. Kurshan
  • Mihalis Yannakakis

Abstract In the automata-theoretic approach to verification, we model programs and specifications by automata on infinite words. Correctness of a program with respect to a specification can then be reduced to the language-containment problem. In a concurrent setting, the program is typically a parallel composition of many coordinating processes, and the language-containment problem that corresponds to verification is $$(\dag )\mathcal{L}(P_1 ) \cap \mathcal{L}(P_2 ) \cap. .. \cap \mathcal{L}(P_n ) \subseteq \mathcal{L}(T), $$ where P 1, P 2, .. ., P n are automata that model the underlying coordinating processes, and T is the task they should perform. In 1994, Kurshan suggested the heuristic of Reduction Hierarchies for circumventing the exponential blow-up introduced by conventional methods that solve the problem (†). In the reduction-hierarchy heuristic, we solve the problem (†) by solving a sequence of easier problems, which involve only automata of tractable sizes. Complexity-theoretic conjectures (NP ≠ PSPACE) imply that there are settings in which the heuristic cannot circumvent the exponential blow-up. In this paper, we demonstrate the strength of the heuristic, study its properties, characterize settings in which it performs effectively, and suggest a method for searching for reduction hierarchies. In particular, we prove, independently of the NP ≠ PSPACE question, that reduction hierarchies of tractable sizes do not always exist.

Details

FOCS Conference 1997 Conference Paper

Alternating-time Temporal Logic

  • Rajeev Alur
  • Thomas A. Henzinger
  • Orna Kupferman

Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.

Details