Extensions of LTL

3.3 Propositional Quantification

This logic contains a (unary) modal operator2together with the fixpoint operatorμ.

Formulas are built analogously as in LTL+μ, including the constraint concerning polarity.

The operators3andνare introduced as before. As indicated in Sect. 2.3, a Kripke structure K = ({ηι}ι∈K,)for an underlying setVof propositional constants consists of a non- empty setK, valuationsηι:V→ {ff,tt}for allι∈K, and a binary accessibility relation . Using an analogous notation as in the above main text with a valuationΞ = (ξι)ι∈K

(whereξι:V→ {ff,tt}forι∈K), the semantics of the operator2is given by Kι(2A) =tt ⇔ Kκ(A) =tt for everyκwithικ

which provides

Kι(3A) =tt ⇔ Kκ(A) =tt for someκwithικ

for the dual operator3. For the semantics ofμone defines, for any formulaF, the mapping ΥF: 2^K →2^K,

ΥF:E→F^Ξ[u:K ^E]

whereF^ΞK ={ι∈K |K^(Ξ)ι (F) =tt}andΞ[u:E]denotes the valuation(ξ_ι)ι∈K with ξι(u) =tt⇔ι∈Eandξι(u) =ξι(u)for all variablesuother thanu. Then

K^(Ξ)_ι (μuA) =tt ⇔ ι∈μΥA

and

K^(Ξ)ι (νuA) =tt ⇔ ι∈νΥA

whereμΥAandνΥAare the least and greatest fixpoints ofΥA, respectively (which can be shown to exist as in the case of LTL+μ).

From these definitions, the fixpoint characterization (Tμ1) for the temporal always oper- ator, and recalling the discussion in the above-mentioned Second Reading paragraph, it is evident that LTL+μcan be viewed as a special instant of MμC based on the operator d_(with distinguished Kripke structures). However, there is also another more general relationship between MμC and temporal logics (including even others outside the “LTL family”) that can all be “embedded” into MμC. This makes MμC a simple common “framework” for all such logics. We will briefly come back to this aspect in Sect. 10.4.

The notions of free and bound occurrences of variables, closed formula, substi- tution of formulas for free variables, etc. carry over fromL^μ_LTLtoL^q_LTLin the obvious way. We write

∀uA ≡ ¬∃u¬A

for the dual, universally quantified formula.

As in Sect. 3.2, the semantics of LTL+q is defined with respect to a valuation Ξ = (ξ₀, ξ₁, ξ₂, . . .),ξ_i : V → {ff,tt}of the propositional variables.K^(Ξ)_i replaces K_i again (with validity inKbeing defined as for LTL+μ), and the semantic clauses corresponding to the extended syntax are

• K^(Ξ)_i (u) =ξ_i(u) foru∈ V.

• K^(Ξ)_i (∃uA) =tt ⇔ there is aΞsuch thatΞ∼uΞandK^(Ξ_i ⁾(A) =tt.

The relation∼ubetween valuationsΞ = (ξ₀, ξ₁, ξ₂, . . .)andΞ = (ξ₀, ξ₁, ξ₂, . . .) is adapted from classical FOL:

Ξ∼uΞ ⇔ ξ_i(¯u) =ξ_i(¯u)for allu¯ ∈ Vother thanuand alli∈N. For∀uAwe clearly obtain

• K^(Ξ)_i (∀uA) =tt ⇔ K^(Ξ_i ⁾(A) =tt for allΞwithΞ ∼u Ξ.

Intuitively, the formula∃uAasserts that one can find a sequence of truth values forusatisfying the formulaA, and not just a single truth value. This is why quan- tification over propositional variables cannot simply be reduced to ordinary propo- sitional LTL (which is the case in classical propositional logic PL). Indeed, the fol- lowing example shows that inL^q_LTL, as inL^μ_LTL, one can define the binary temporal operators.

Example. Consider, forv₁,v₂∈V, the formula F ≡ ∃u(u∧2(u→v2∨(v1∧ eu)))

ofL^q_LTL. We claim that the following formula is valid:

F ↔v1unlv2.

(As in the similar situation in the previous section, we presuppose a corresponding language for which the semantical clause definingKi(v1unlv2)in LTL+b is trans- ferred toK^(Ξ)_i (v₁unlv₂)for every temporal structureK,i ∈N, and arbitraryΞ).

To show the “→” part, letK^(Ξ)_i (F) = tt, andΞ = (ξ₀, ξ₁, ξ₂, . . .)such that Ξ∼uΞand

(∗) K^(Ξ_i ⁾(u∧2(u →v2∨(v1∧ eu))) =tt.

For a contradiction, assume moreover that K^(Ξ)_i (v1unlv2) = ff. Using the law (Tb14), it follows that K^(Ξ_i ⁾(v2) = K^(Ξ)_i (v2) = ff; therefore we must have K^(Ξ_i ⁾(v₁ ∧ eu) = tt by (∗), hence K^(Ξ)_i (v₁) = K^(Ξ_i ⁾(v₁) = tt. Again law (Tb14) then implies thatK^(Ξ)_i+1(v₁unlv₂) =ff. Continuing inductively, we find that K^(Ξ)_j (v1) = tt and K^(Ξ)_j (v1unlv2) = ff for all j ≥ i. In particular, we obtain K^(Ξ)_i (2v1) =tt. This impliesK^(Ξ)_i (v1unlv2) =ttby (Tb3), and a contradiction is reached.

For the opposite direction, let K^(Ξ)_i (v1unlv2) = ttandΞ = (ξ₀, ξ₁, ξ₂, . . .) such thatξ_k(u) =K^(Ξ)_k (v₁unlv₂)for everyk ∈ NandΞ ∼u Ξ. Then we have K^(Ξ_i ⁾(u) =ttandK_j^(Ξ)(v1unlv2) =ttfor everyj ≥iwithK^(Ξ_j ⁾(u) =tt. By law (Tb14) it follows thatK^(Ξ_j ⁾(v2∨(v1∧ e(v1unlv2))) =ttwhich, by the definition ofΞ, implies thatK^(Ξ_j ⁾(v2∨(v1∧ eu)) = ttfor everyj ≥ i. Together we thus

haveK^(Ξ)_i (F) =tt.

The semantic definitions for LTL+μand LTL+q have a “global” flavor in the sense that the valuation Ξ is used in its entirety for the definition of K^(Ξ)_i (A), and not just its suffixΞⁱ = (ξi, ξi+1, . . .). Nevertheless, a natural generalization of Lemma 2.1.5 holds for these logics, as we now show for the logic LTL+q. (An analogous proof holds for LTL+μ.)

Lemma 3.3.1. LetKbe a temporal structure andΞ be a propositional valuation.

Then(Kⁱ)^(Ξ_j ⁱ⁾(A) =K^(Ξ)_i+j(A)for everyj ∈Nand every formulaAofL^q_LTL. Proof. Adapting the proof of Lemma 2.1.5, we only need to prove the case of a quantified formula∃uA. From the definition we see that(Kⁱ)^(Ξ_j ⁱ⁾(∃uA) =ttif and only if(Kⁱ)^(Ξ_j ⁾(A) = ttfor some valuationΞ ∼u Ξⁱ. Now, any such valuation Ξcan be extended to a valuationΞ∼u Ξsuch thatΞ = (Ξ)ⁱ, and vice versa.

The preceding condition is therefore equivalent to requiring that(Kⁱ)^(Ξ_j ⁾ⁱ(A) =tt holds for someΞ∼uΞ, and by the induction hypothesis (applied to the valuation Ξ), the latter is equivalent toK^(Ξ_i+j⁾(A) =ttfor someΞ∼u Ξ, which just means

K^(Ξ)_i+j(∃uA) =tt.

As a particular consequence of Lemma 3.3.1 it follows that the two notions of validity that we have considered in Chap. 2 also coincide for LTL+q (and LTL+μ), that is, we again haveAif and only if ⁰Afor these logics. This equivalence is implied by Lemma 3.3.1 in the same way that Theorems 2.6.2 and 2.6.4 follow from Lemma 2.1.5.

A sound and weakly complete formal systemΣ_LTL^q for LTL+q is obtained by ex- tendingΣLTLby the following axioms and rules. For the formulation of rule (qltl-ind) we introduce some short notation: ifu= (u1,u2, . . . ,un)is a tuple of propositional variables then∃uFdenotes∃u₁∃u₂. . .∃u_nF. The notationΞ∼uΞis extended to tuples of variables in the obvious way. Furthermore, for two such tuplesu₁andu₂

of equal length,F_u1(u₂)denotes the result of simultaneously substituting the vari- ables ofu₂for the free occurrences of the variables (with the same index) ofu₁in F. Ifu₁= (u₁¹, . . . ,u₁ⁿ)andu₂= (u₂¹, . . . ,u₂ⁿ)are two such tuples, we also write u₂↔u₁as an abbreviation for(u₂¹↔u₁¹)∧. . .∧(u₂ⁿ↔u₁ⁿ).

Additional axioms

(qltl1) A_u(B)→ ∃uA, (qltl2) ∃u eA↔ e∃uA, (qltl3) ∃u(u∧ e2¬u).

Additional rules

(qltl-part) A→B ∃uA→B if there is no free occurrence ofuinB, (qltl-ind) F → ∃u2 e((u2↔u1)∧Fu1(u2))

F → ∃u2((u2↔u1)∧2Fu1(u2))

if every occurrence of variablesu₁ⁱinF is in the scope of at most one eoperator and no other temporal operator.

The axiom (qltl1) and the rule (qltl-part) are rather obvious counterparts of the stan- dard quantifier axiom and the particularization rule of classical first-order logic as introduced in Sect. 1.2. The generalization rule of FOL can also be adapted provid- ing the derived rule

(qltl-gen) A→B A→ ∀uB if there is no free occurrence ofuinA.

Similarly, we obtain the derived law (Tq1) ∀uA→A_u(B).

The axiom (qltl2) asserts that existential quantification and the next-time operator commute. Its validity is easy to see:

K^(Ξ)_i (∃u eA) =tt ⇔ there is a Ξsuch that Ξ∼u Ξ and K^(Ξ_i ⁾(eA) =tt

⇔ there is a Ξsuch that Ξ∼u Ξ and K^(Ξ_i+1⁾(A) =tt

⇔ K^(Ξ)_i+1(∃uA) =tt

⇔ K^(Ξ)_i (e∃uA) =tt.

Axiom (qltl3) can be used to introduce a fresh propositional variable that marks the current state; its validity is obvious.

The rule (qltl-ind) formalizes a principle for defining a proposition by induc- tion. By the assumption that the variables inu₁ occur inF under the scope of at most one operator eand no other temporal operator, the value ofK^(Ξ)_i (F), where Ξ = (ξ0, ξ1, ξ2, . . .), does not depend on anyξj(u₁^k)forj ≥i+ 2. To understand the “correctness” of the rule, assume now that

(∗) _KF → ∃u2 e((u2↔u1)∧Fu1(u2))

and thatK^(Ξ)_i (F) =ttwhereΞ = (ξ0, ξ1, ξ2, . . .). By assumption(∗), there exists Ξ= (ξ₀, ξ₁, ξ₂, . . .)whereΞ ∼u2Ξsuch thatξ_i+1 (u₂^k) =ξi+1(u₁^k)for allk, and K^(Ξ_i+1⁾(Fu1(u2)) =tt. Defining the valuationΞ= (ξ₀, ξ₁, ξ₂, . . .)by

ξ_j(u) =

ξ_j(u₂^k)ifu ≡u₂^kandj ≥i+ 2, ξj(u) otherwise,

the above remark implies thatK^(Ξ_i+1⁾(F) = tt. Continuing in the same way, we find a valuationΞ = ( ˆξ0,ξˆ1,ξˆ2, . . .)such thatK⁽_i^Ξ) (F) =ttandξˆj =ξj for allj ≤i.

This is just a transcription of the conclusion of the rule (qltl-ind).

The statement of a Deduction Theorem for the formal systemΣ_LTL^q again requires some care. The restricted version mentioned in the previous section is also correct forΣ_LTL^q .

Example. We will demonstrate the use ofΣ^q_LTLby deriving the existence of an “os- cillating” sequence of truth values beginning with “true” and changing at every in- stant. More precisely, we derive the formula

∃u(u∧2(eu↔ ¬u))

inΣ_LTL^q . In this derivation we sometimes write (ltl) to denote valid LTL formulas, without deriving them formally.

(1) ∃u1(u1∧ e2¬u1) (qltl3)

(2) u1∧ e2¬u1→ ¬¬u1∧ e2¬u1 (taut) (3) ¬¬u1∧ e2¬u1→ ∃u2(¬u2∧ e2u2) (qltl1) (4) u1∧ e2¬u1→ ∃u2(¬u2∧ e2u2) (prop),(2),(3) (5) ∃u1(u1∧ e2¬u1)→ ∃u2(¬u2∧ e2u2) (qltl-part),(4)

(6) ∃u2(¬u2∧ e2u2) (mp),(1),(5)

(7) e∃u2(¬u2∧ e2u2) (nex),(6)

(8) ∃u2 e(¬u2∧ e2u2) (prop),(7),(qltl2)

(9) e(¬u₂∧ e2u₂)→ e¬u₂∧ ee2u₂ (prop),(T15) (10) e(¬u₂∧ e2u₂)→ ∃u₂(e¬u₂∧ ee2u₂) (qltl1) (11) ∃u₂ e(¬u₂∧ e2u₂)→ ∃u₂ e¬u₂∧ ee2u₂ (qltl-part),(10)

(12) ∃u₂ e¬u₂∧ ee2u₂ (mp),(8),(11)

(13) e¬u₂∧ ee2u₂ →

(¯u∧(e¯u↔ ¬¯u)→ e((u₂↔u¯)∧(eu₂↔ ¬u2))) (ltl) (14) e((u2↔u)¯ ∧( eu2↔ ¬u2)) →

∃u e((u ↔u)¯ ∧(eu↔ ¬u)) (qltl1) (15) e¬u2∧ ee2u2 →

(¯u∧(e¯u↔ ¬¯u)→ ∃u e((u↔u)¯ ∧(eu ↔ ¬u))) (prop),(13,(14) (16) ∃u2(e¬u2∧ ee2u2) →

(¯u∧(e¯u↔ ¬¯u)→ ∃u e((u↔u)¯ ∧(eu ↔ ¬u))) (qltl-part),(15) (17) ¯u∧( eu¯↔ ¬¯u)→ ∃u e((u↔¯u)∧(eu ↔ ¬u)) (mp),(12),(16)

(18) e∃u1(u1∧ e2¬u1) (nex),(1)

(19) ∃u1 e(u1∧ e2¬u1) (prop),(18),(qltl2) (20) e(u1∧ e2¬u1)→ eu1∧ ee2¬u1 (prop),(T15) (21) eu1∧ ee2¬u1→ ∃u1(eu1∧ ee2¬u1) (qltl1)

(22) e(u1∧ e2¬u1)→ ∃u1(eu1∧ ee2¬u1) (prop),(20),(21) (23) ∃u1 e(u1∧ e2¬u1)→ ∃u1(eu1∧ ee2¬u1) (qltl-part),(22)

(24) ∃u1(eu1∧ ee2¬u1) (mp),(19),(23)

(25) eu1∧ ee2¬u1 →

(¬¯u∧(eu¯↔ ¬¯u)→ e((u1↔¯u)∧(eu1↔ ¬u1)))(ltl)

(26) ¬¯u∧(eu¯↔ ¬u)¯ → ∃u e((u↔u¯)∧(eu ↔ ¬u)) from (24),(25) in the same way as (17) from (12),(13) (27) (eu¯↔ ¬u¯)→ ∃u e((u ↔u)¯ ∧(eu↔ ¬u)) (prop),(17),(26) (28) (eu¯↔ ¬u¯)→ ∃u((u↔u)¯ ∧2(eu ↔ ¬u)) (qltl-ind),(27) (29) ∀u((¯ eu¯ ↔ ¬u)¯ → ∃u((u↔u¯)∧2(eu↔ ¬u))) (qltl-gen),(28)

(30) u₁∧ e2¬u1→(eu₁↔ ¬u1) (ltl)

(31) u1∧ e2¬u1→ ∃u((u↔u1)∧2( eu↔ ¬u)) (prop),(29),(Tq1) (32) (u ↔u1)∧2(eu↔ ¬u)→(u1→u∧2(eu↔ ¬u))(taut)

(33) u∧2(eu↔ ¬u)→ ∃u(u∧2(eu ↔ ¬u)) (qltl1) (34) (u ↔u1)∧2(eu↔ ¬u) →

(u1→ ∃u(u∧2(eu↔ ¬u))) (prop),(32),(33) (35) ∃u((u↔u1)∧2( eu↔ ¬u)) →

(u1→ ∃u(u∧2(eu↔ ¬u))) (qltl-part),(34) (36) u1∧ e2¬u1→ ∃u(u∧2(eu ↔ ¬u)) (prop),(31),(35) (37) ∃u1(u1∧ e2¬u1)→ ∃u(u∧2(eu↔ ¬u)) (qltl-part),(36)

(38) ∃u(u∧2(eu ↔ ¬u)) (mp),(1),(37)

We conclude by listing some further laws that are not hard to derive inΣ_LTL^q . We will revisit this extension of LTL in Chap. 4 where its expressive power will be related with the fixpoint logic LTL+μconsidered in Sect. 3.2.

(Tq2) ∀u eA↔ e∀uA, (Tq3) ∀u2A↔2∀uA, (Tq4) ∃u3A↔3∃uA,

(Tq5) 2(A∨B)→ ∃u2((A∧u)∨(B∧ ¬u)).