Quantified CTL: Expressiveness and Complexity

While it was defined long ago, the extension of CTL with quantification over atomic propositions has never been studied extensively. Considering two different semantics (depending whether propositional quantification refers to the Kripke structure or to its unwinding tree), we study its expressiveness (showing in particular that QCTL coincides with Monadic Second-Order Logic for both semantics) and characterise the complexity of its model-checking and satisfiability problems, depending on the number of nested propositional quantifiers (showing that the structure semantics populates the polynomial hierarchy while the tree semantics populates the exponential hierarchy).


Introduction
Temporal logics.Temporal logics extend propositional logics with modalities for specifying constraints on the order of events in time.Since [Pnu77, CE82, QS82], they have received much attention from the computer-aided-verification community, since they fit particularly well for expressing and automatically verifying (model checking) properties of reactive systems.
Two important families of temporal logics have been considered: linear-time temporal logics (e.g.LTL [Pnu77]) can be used to express properties of one single execution of the system under study, while branching-time temporal logics (e.g.CTL [CE82, QS82] and CTL * [EH86]) consider the execution tree.Since the 90s, many extensions of these logics have been introduced, of which alternating-time temporal logics (such as ATL, ATL * [AHK97]) extend CTL towards the study of open systems (involving several agents).
In this landscape of temporal logics, both CTL and ATL enjoy the nice property of having polynomial-time model-checking algorithms.In return for this, both logics have quite limited expressiveness.Several extensions have been defined in order to increase this limited expressive power.
Our contributions.We are interested in the present paper in the extension of CTL (and CTL * ) with propositional quantification [Sis83,ES84].In that setting, propositional quantification can take different meaning, depending whether the extra propositions label the Kripke structure under study (structure semantics) or its execution tree (tree semantics).While these extensions of CTL with propositional quantification have been in the air for thirty years, they have not been extensively studied yet: some complexity results have been published for existential quantification [Kup95], for the two-alternation fragment [KMTV00] and for the full extension [Fre01]; but expressiveness issues, as well as a complete study of model checking and satisfiability for the whole hierarchy, have been mostly overlooked.
We answer these questions in the present paper: in terms of expressiveness, we prove that QCTL and QCTL * are equally expressive, and coincide with Monadic Second-Order Logic 1 .As regards satisfiability and model-checking, we characterise the complexity of these problems depending on the quantifier alternation: under the structure semantics, the modelchecking problem populates the polynomial-time hierarchy (and satisfiability is undecidable); for the tree semantics, the model-checking problem populates the exponential-time hierarchy (and so does the satisfiability problem).Finally, we also characterise the model-and formulacomplexities of our problems, when one of the inputs to the model-checking problem is fixed.All these results are summarized in Tables 1 and 2, which are displayed in the conclusion of this paper.
Applications to alternating-time temporal logics.Our initial motivation for this work comes from alternating-time temporal logics.Indeed ATL also has several flaws in terms of expressiveness: namely, it can only focus on (some) zero-sum properties, i.e., on purely antagonist games, in which two coalitions fight with opposite objectives.In many situations, games are not purely antagonist, but involve several independent systems, each having its own objective.Recently, several extensions of ATL have been defined to express properties of such non-zero-sum games.Among those, our logic ATL sc [DLM10] extends ATL with strategy contexts, which provides a way of expressing interactions between strategies.Other similar approaches include Strategy Logics (SL) [CHP07,MMV10], (Basic) Strategy-Interaction Logic ((B)SIL) [WHY11], or Temporal Cooperation Logic (TCL) [HSW13].
Designing decision procedures for these extensions is much more difficult than for the standard ATL fragment.Interestingly, QCTL appears to be a convenient, uniform intermediary logic in order to obtain algorithms for ATL sc , SL and related formalisms.Indeed, strategies of the players can be represented 2 by a finite set of atomic propositions labelling the execution tree of the game structure under study.Strategy quantification is then naturally expressed as propositional quantification; since the resulting labelling is persistent, it can encode interactions between strategies.Notice that while the tree semantics of QCTL encodes plain strategies, the structure semantics also finds a meaning in that translation, as it may correspond to memoryless strategies [DLM12].
Using such a translation, any instance of the model-checking problem for ATL sc (or SL) can be translated into an instance of the model-checking problem for QCTL.The algorithms 1 This claim assumes a special notion of equivalence between formulas, since MSO is evaluated globally on a structure while QCTL formulas are evaluated at the initial state.This will be made clear in the paper.
2 Notice that the link between strategy quantification and propositional quantification already emerges in Qdµ [Pin07], which extends the decision µ-calculus with some flavour of propositional quantification.Also, the main motivation of [KMTV00] for studying the two-alternation fragment of QCTL is a hardness result for the control and synthesis of open systems.
proposed in this paper then yield algorithms for the former problems, which can be proved to have optimal complexity.Unfortunately, the satisfiability problem cannot follow the same reduction scheme: indeed, when translating an ATL sc formula into a QCTL one, we need to know the set of agents and their allowed moves.It turns out that satisfiability is undecidable for ATL sc and SL (while we prove it decidable for QCTL in the tree semantics).Interestingly, when restricting satisfiability checking to turn-based game structures, an alternative translation into QCTL can be used to obtain decidability of the problem.
Because they involve a lot of new definitions and technical proofs, we do not develop these questions here, and refer the interested reader to [LM14] for full details.
(Propositional) quantification was first used in temporal logics by Sistla and others, both for linear-time [Sis83,SVW87] and branching-time temporal logics [ES84], mainly with the aim of augmenting the expressiveness of the classical logics.In the linear-time setting, the model-checking problem for the k-alternation fragment was shown k-EXPSPACEcomplete [Sis83,SVW87].The stutter-invariant fragment of QLTL, with a restricted notion of propositional quantification, was developed in [Ete99].Proof systems for QLTL were developed in the linear-time setting, both with and without past-time modalities [KP02,FR03].
As regards branching time, the extension of CTL * with external existential quantification (hereafter called EQ 1 CTL * ) was proved as expressive as parity tree automata over binary tree [ES84].The existential logics EQ 1 CTL and EQ 1 CTL * were further studied in [Kup95], both in the structure-and in the tree semantics; model checking EQ 1 CTL and EQ 1 CTL * are shown NPand PSPACE-complete respectively (for the structure semantics) and EXPTIMEand 2-EXPTIME-complete respectively (for the tree semantics).The extensions of those logics with past-time modalities were studied in [KP95].The extensions with arbitrary quantification were studied in [Kai97,Fre01] (in slightly different settings): satisfiability of QCTL * was proven undecidable in the structure semantics, and decidable in the tree semantics [Fre01].
Several alternative semantics were proposed for quantification: the amorphous semantics defined in [Fre01] allows to take a bisimilar structure before labelling it.In [RP03], quantification is expressed as taking a synchronized product with a labelling automaton.Finally, quantification over states (rather than over atomic propositions) is studied in [PBD + 02, CDC04], where model checking is proved PSPACE-complete (both for branchingtime and for linear-time).
Finally, quantified temporal logics have found applications in model checking and control: AQ 1 LTL and AQ 1 CTL * have been used to reason about vacuity detection (checking whether a formula is satisfied "too easily") [AFF + 03, GC04, GC12].The one-alternation fragments (which we call EQ 2 CTL and EQ 2 CTL * hereafter) have been used in [KMTV00] to prove hardness results for the control problem with CTL and CTL * objectives.The linear-time logic EQLTL was used as the specification language for supervisory control of Petri nets in [Mar10].To conclude, propositional quantification was considered in the setting of timed temporal logics in [HRS98].

Preliminaries
2.1.Kripke structures and trees.We fix once and for all a set AP of atomic propositions.
is a labelling function.The size of S, denoted with |S|, is the size of Q (which can be infinite).
Let S be a Kripke structure Q, R, .In the following, we always assume that the set of states S is equipped with a total linear order .We use Succ S (q) to denote the ordered list q 0 , . . ., q k of successors of q in S (i.e., such that (q, q i ) ∈ R for any 0 ≤ i ≤ k, and such that q i q j if, and only if, i ≤ j).We write d S (q) for the degree of q ∈ Q, i.e., the size of Succ S (q).Finally Succ S (q, i) denotes the i-th successor of q in S for 0 ≤ i < d S (q), and this notation is extended to finite words over N * as follows: Succ S (q, ε) = q and Succ S (q, w • i) = Succ S (Succ S (q, w), i) when q = Succ S (q, w) is well defined and 0 ≤ i < d S (q ).
An execution (or path) in S is an infinite sequence ρ = (q i ) i∈N s.t.(q i , q i+1 ) ∈ R for all i ∈ N. We use Path(q) to denote the set of executions issued from q and Path f (q) for the set of all finite prefixes of executions of Path(q).Given ρ ∈ Path(q) and i ∈ N, we write ρ i for the path (q i+k ) k∈N of Path(q i ) (the i-th suffix of ρ), ρ i for the finite prefix (q k ) k≤i (the i-th prefix), and ρ(i) for the i-th state q i .Given a path ρ = (q i ) i∈N , we write (ρ) for the sequence ( (q i )) i∈N , and Inf(l(ρ)) for the set of letters in Σ that appear infinitely many times along (ρ).
Definition 2. Let Σ be a finite set.A Σ-labelled tree is a pair T = T, l , where • T ⊆ N * is a non-empty set of finite words on N satisfying the following constraints: for any non-empty word x = y • c in T with y ∈ N * and c ∈ N, the word y is in T and every word y • c with 0 ≤ c < c is also in T ; • l : T → Σ is a labelling function.
Let T = T, l be a Σ-labelled tree.The elements of T are the nodes of T and the empty word ε is the root of T .Such a tree can be seen as a Kripke structure, with T as set of states, and transitions from any node x ∈ T to any node of the form x • c ∈ T , for c ∈ N. The size of T , and the notions of successors of a node x (written Succ T (x)), of degree of a node x (written d T (x)), of path issued from the root (whose set is written Path T ), follow from this correspondence.
A tree has bounded branching if the degree of all its nodes is bounded.Given a finite set of integers D ⊆ N, a Σ, D -tree is a Σ-labelled tree T, l whose nodes have their degrees in D (i.e., for any x ∈ T , it holds d T (x) ∈ D).Given a node x ∈ T , we denote with T x the (sub)tree T x , l x rooted at x, defined by Definition 3. Given a finite-state Kripke structure S = Q, R, and a state q ∈ Q, the unwinding of S from q is the (bounded-degree) 2 AP -labelled tree T S (q) = T S,q , T defined as follows: (1) T S,q contains exactly all nodes x ∈ N * such that Succ S (q, x) is well-defined (2) T (x) = (Succ S (q, x)).
If D = q∈Q {d S (q)}, then T S (q) clearly is a 2 AP , D -tree.Note also that any 2 APlabelled tree can be seen as an infinite-state Kripke structure.
For a function : Q → 2 AP and P ⊆ AP, we write ∩ P for the function defined as ( ∩ P )(q) = (q) ∩ P for all q ∈ Q.
Definition 5.The syntax of QCTL * is defined by the following grammar: where p ranges over AP.Formulas defined as ϕ state are called state-formulas, while ϕ path defines path-formulas.Only state formulas are QCTL * formulas.

∀z
Naturally, any QCTL * formula ϕ can be represented as a finite tree T ϕ , in which each node represents a subformula (see Fig. 2).Alternatively, formula ϕ can be seen as a finite acyclic Kripke structure S ϕ whose unwinding is T ϕ .The size of ϕ is the size of T ϕ , and its DAG-size (for directed-acyclic-graph size) is the size of the smallest Kripke structure S ϕ whose unwinding is T ϕ .Obviously, when sharing large subformulas, the size of a formula can be significantly larger than its DAG-size.
We use standard abbreviations as: and ∀p.ϕ = ¬ ∃p.¬ ϕ.The logic QCTL is a fragment of QCTL * where temporal modalities are under the immediate scope of path quantifiers: Definition 6.The syntax of QCTL is defined by the following grammar: Standard definition of CTL * and CTL are obtained by removing the use of quantification over atomic proposition (∃p.ϕ) in the formulas.In the following, ∃ and ∀ are called (proposition) quantifiers, while E and A are path quantifiers.
Given QCTL * (state) formulas ϕ and (ψ i ) i and atomic propositions (p i ) i appearing free in ϕ (i.e., not appearing as quantified propositions), we write ϕ[(p i → ψ i ) i ] (or ϕ[(ψ i ) i ] when (p i ) i are understood from the context) for the formula obtained from ϕ by replacing each occurrence of p i with ψ i .Given two sublogics L 1 and L 2 of QCTL * , we write 2.3.Structure-and tree semantics.Formulas of the form ∃p.ϕ can be interpreted in different manners (see [Kup95,Fre01,RP03]).Here we consider two semantics: the structure semantics and the tree semantics.
2.3.1.Structure semantics.Given a QCTL * state formula ϕ, a (possibly infinite-state) Kripke structure S = Q, R, and a state q ∈ Q, we write S, q |= s ϕ to denote that ϕ holds at q under the structure semantics.We extend the notation to S, ρ |= s ϕ when ϕ is a path formula and ρ is a path in S.This is defined as follows: Example 7. As an example, consider the formula selfloop = ∀z.(z⇒ EX z).If a state q in S satisfies this formula, then the particular labelling in which only q is labelled with z implies that q has to carry a self-loop.Conversely, any state that carries a self-loop satisfies this formula (for the structure semantics).
Let ϕ be a QCTL * formula, and consider now the formula In order to satisfy such a formula, at least one ϕ-state must be reachable.Assume now that two different such states q and q are reachable: then for the particular labelling where only q is labelled with z, the second part of the formula fails to hold.Hence uniq(ϕ) holds in a state (under the structure semantics) if, and only if, exactly one reachable state satisfies ϕ.
Similarly, we can count the number of successors satisfying a given formula: As another example, let us mention that propositional quantification can be used to flatten "until" formulas: (2.1) Actually, "until" can be expressed using only "next" and "always".This is easily achieved in QCTL * , where we would write e.g.
The expression in QCTL is more involved.We rely on a more general translation through the µ-calculus [Koz83]: in this formalism, we can express the "until" modality as a fixpoint: Now, a least-fixpoint formula µT.ϕ(T ) (where we assume that ϕ(T 1 ) ⊆ ϕ(T 2 ) whenever T 1 ⊆ T 2 ) can be expressed 4 in QCTL as follows: The first part of the formula (before quantifying over u) states that the labelling with t is a fixpoint.The second part enforces that it precisely corresponds to the least one.
2.3.2.Tree semantics.The tree-semantics is obtained from the structure semantics by seeing the execution tree as an infinite-state Kripke structure.We write S, q |= t ϕ to denote that formula ϕ holds at q under the tree semantics.Formally, seeing T S (q) as an infinite-state Kripke structure, we define: Clearly enough, selfloop is always false under the tree semantics, while uniq(ϕ) holds if, and only if, ϕ holds at only one node of the execution tree.
Example 8. Formula acyclic = AG ∃z.(z ∧ uniq(z) ∧ AX AG ¬ z) expresses that all infinite paths (starting from the current state) are acyclic, which for finite Kripke structures is always false under the structure semantics and always true under the tree semantics. 4We have to be careful here with the exact notion of equivalence.We keep it imprecise in this example, and develop the technical details in Section 3.2, where we prove that QCTL without "until" can actually express the whole Monadic Second-Order Logic.
2.3.3.Equivalences between QCTL * formulas.We consider two kinds of equivalences depending on the semantics we use.Two state formulas ϕ and ψ are said s-equivalent (resp.t-equivalent), written ϕ ≡ s ψ (resp.written ϕ ≡ t ψ) if for any finite-state Kripke structure S and any state q of S, it holds S, q |= s ϕ iff S, q |= s ψ (resp.S, q |= t ϕ iff S, q |= t ψ).We write ϕ ≡ s,t ψ when the equivalence holds for both ≡ s and ≡ t .
Note that both equivalences ≡ s and ≡ t are substitutive, i.e., a subformula ψ can be replaced with any equivalent formula ψ without changing the truth value of the global formula.Formally, if ψ ≡ s ψ (resp.ψ ≡ t ψ ), we have Φ for any QCTL * formula Φ.
2.4.Fragments of QCTL * .In the sequel, besides QCTL and QCTL * , we study several interesting fragments.The first one is the fragment of QCTL in prenex normal form, i.e., in which propositional quantification must be external to the CTL formula.We write EQCTL and EQCTL * for the corresponding logics 5We also study the fragments of these logics with limited quantification.For prenexnormal-form formulas, the fragments are defined as follows: • for any ϕ ∈ CTL and any p ∈ AP, ∃p.ϕ is an EQ 1 CTL formula, and ∀p.ϕ is in AQ 1 CTL; • for any ϕ ∈ EQ k CTL and any p ∈ AP, ∃p.ϕ is in EQ k CTL and ∀p.ϕ is in AQ k+1 CTL.
Symmetrically, if ϕ ∈ AQ k CTL, then ∃p.ϕ is in EQ k+1 CTL while ∀p.ϕ remains in AQ k CTL.Using similar ideas, we define fragments of QCTL and QCTL * .Again, the definition is inductive: Notice that a more refined definition of Q k CTL could be given, where the index k would count quantifier alternation (in a way similar to EQ k CTL) instead of the mere quantifier depth that we use here.This however requires taking care of the number of negations between two quantifiers, where "negation" here also includes hidden negations (e.g. a quantifier nested on the left-hand side of an "until" formula should be considered negated).Our results would carry on to this variant of Q k CTL.
The corresponding extensions of CTL * , which we respectively denote with EQ k CTL * , AQ k CTL * and Q k CTL * , are defined in a similar way.
Remark 9. Notice that EQ k CTL and AQ k CTL are (syntactically) included in Q k CTL, and EQ k CTL * and AQ k CTL * are fragments of Q k CTL * .

Expressiveness
As a preliminary remark, let us mention that propositional quantification increases the expressive power of CTL.For example, it is easy to see that the formula uniq(P ) defined in the previous section allows us to distinguish between two bisimilar structures; therefore such a formula cannot be expressed in CTL * .Note also that it makes QCTL (and QCTL * ) to not be bisimilar invariant.This observation motivated an alternative semantics, called the amorphous semantics, for the propositional quantifications, in order to make QCTL (and QCTL * ) bisimilar invariant.We do not develop this semantics further, and refer the reader to [Fre01] for more details.
In this section we present several results about the expressiveness of our logics for both the structure-and the tree semantics.We show that QCTL, QCTL * and Monadic Second-Order Logic are equally expressive.First we show that any QCTL formula is equivalent to a formula in prenex normal form (which extends to QCTL * thanks to Proposition 17).
3.1.Prenex normal form.By translating path quantification into propositional quantification, we can extract propositional quantification out of purely temporal formulas: for instance, EX (Q.ϕ) where Q is some propositional quantification is equivalent to ∃z.Q.uniq(z) ∧ EX (z ∧ ϕ) .This generalizes to full QCTL under both semantics: Proposition 10.In both semantics, EQCTL and QCTL are equally expressive.
Proof.We prove the result for structure equivalence, turning a given a QCTL formula ϕ into prenex normal form.The transformation being correct also for infinite-state Kripke structures, the result for tree-equivalence follows.
In the following, we assume w.l.o.g.no atomic proposition is quantified twice.We use Q to denote a sequence of quantifications, and write Q for the dual sequence.Our translation is defined as a sequence of rewriting rules that are to be applied in a bottom-up manner, first replacing innermost subformulas with s-equivalent ones.As for CTL, we only consider the temporal modalities EX, EU and EG (which is sufficient since For propositional and Boolean subformulas, we have: We now present the transformation for all three temporal modalities.Extracting a bloc of quantifiers out of an EX operator can be done as follows: Here variable z (which is assumed to not appear in Q.ϕ) is used to mark an immediate successor that satisfies Q.ϕ.We require z to be unique: allowing more than one successor would make the equivalence to be wrong, as can be seen on the Kripke structures S 0 of Fig. 1 using formula EX (∀p.[( EF p) ⇒ p]) (this formula is false, while formula ∃z.∀p.EX (z ∧[( EF p) ⇒ p]) is true by labelling both states with z).
Note that the right-hand-side formula is not yet in prenex form, because uniq(z) involves a universal quantifier under a Boolean operator; applying the above rules for Boolean subformulas concludes the translation for this case.
For EG (Q.ϕ), the idea again is to label a short (lasso-shaped) path with z, ensuring that Q.ϕ always holds along that path: using Equivalence (2.1), and by noticing that Before we prove correctness of the above equivalences, we introduce a useful lemma: Lemma 11.Consider a Kripke structure S = Q, R, , a state q and a QCTL formula We have S, q |= s Q.ϕ if, and only if, there is a non-empty family ξ of Kripke structures such that (1) each S ∈ ξ is of the form Q, R, where and coincide over AP \ {z 1 , . . ., z k }; (2) for any S = Q, R, in ξ, any i with Q i = ∀, and any lab z i : Q → 2 {z i } , there exists Q, R, ∈ ξ such that ∩ {z i } = lab z i , and and coincide over A non-empty set ξ satisfying the first two properties of Lemma 11 is said to be (Q, S)compatible.
Proof.The proof proceeds by induction on the number of quantifiers in Q.The equivalence is trivial when there is no quantification.Now assume that the equivalence holds for some quantification Q.
We first consider formula ∃z.Q.ϕ.Assume S, q |= s ∃z.Q.ϕ.Then there exists a structure S = Q, R, , with coincides with over AP \ {z}, such that S , q |= s Q.ϕ.Applying the induction hypothesis to S , we obtain a family of structures satisfying conditions (1) to (3) for S and Q.ϕ.One easily checks that the very same family also fulfills all three conditions for S and ∃z.Q.ϕ.
Conversely, if there is a family of structures satisfying all three conditions for S and (∃z.Q).ϕ.Pick any structure S = Q, R, in that family.It holds S , q |= s ∃z.Q.ϕ, and moreover and coincide over Now consider formula ∀z.Q.ϕ, and assume S, q |= s ∀z.Q.ϕ.Then for any S = Q, R, where and coincide over AP \ {z}, we have S , q |= s Q.ϕ.Applying the induction hypothesis, for each such S , we get a family of Kripke structures satisfying all three conditions for S and Q.ϕ.Let ξ be the union of all those families.Then ξ clearly fulfills conditions (1) and (3).Condition (2) for universal quantifiers in Q follows from the induction hypothesis.For the universal quantifier on z, pick S = Q, R, and lab z .Then by construction, ξ contains a structure S = Q, R, where ∩ {z} = lab z .By construction, ξ contains a family of structures satisfying all three conditions for S and Q.ϕ, which entails the result.
If conversely there is a family ξ of structures satisfying the conditions of the lemma, then for each lab z , this family contains a structure S = Q, R, with ∩ {z} = lab z and satisfying Q.ϕ, which entails the result.
We now proceed to the proof of the previous equivalences.We omit the easy cases of propositional and Boolean formulas, and focus on EX and EG: • Then there exists (q, q ) ∈ R such that S, q |= s Q.ϕ.Therefore there exists a set ξ of Kripke structures that is (Q, S)-compatible and such that S , q |= s ϕ for every S ∈ ξ.Now consider the set ξ defined as follows: Then ξ is (∃z.Q, S)-compatible, and for every Kripke structure S ∈ ξ , we have: Then there exists a Kripke structure S ≡ AP\{z} S such that S , q |= s Q. uniq(z) ∧ EX (z ∧ ϕ) .In particular, only one state q of S is labelled with z, and q is a successor of q.Moreover, there exists a (Q, S )-compatible set ξ such that for any S ∈ ξ, it holds S , q |= s EX (z ∧ ϕ).Since only q is labelled with z, we have S , q |= s ϕ, for all S ∈ ξ.Hence S , q |= s Q.ϕ, and S , q |= s EX (Q.ϕ).Finally, the formula is independent of z, so that also S, q |= s EX (Q.ϕ).
• EG (Q.ϕ): Assume S, q |= s EG (Q.ϕ).There must exist a lasso-shape path ρ = q 0 q 1 q 2 . . .(q i . . .q j ) ω , with q 0 = q, along which Q.ϕ always holds.We can also assume that ρ is a direct path, i.e., that S does not contain a transition (q k , q l ) unless l = k + 1 (otherwise a simpler witnessing path would exist).Thus labeling all states of ρ with z makes the formula (z ∧ AG (z ⇒ EX 1 z) hold at q.Moreover, for every k < j, we have S, q k |= s Q.ϕ, so that there exists a set ξ k of Kripke structures that are (Q, S)-compatible and such that S , q k |= s ϕ for every S ∈ ξ k .Now, let ξ be the following set of Kripke structures: For every S ∈ ξ, we have But the set ξ is not (∃z.∀z.Q, S)-compatible: it only contains Kripke structures in which z labels a single state of ρ, while condition (2) requires that we consider all labellings.It suffices to extend ξ with arbitrary Kripke structures involving all other forms of z -labellings to obtain a compatible set ξ.Note that the additional Kripke structures still satisfy (uniq(z ) ⇒ AG ((z ∧ z ⇒ ϕ))).Applying Lemma 11, Conversely, assume that this formula holds true at q in S. Accordingly, let S ≡ AP\{z} S be the structure obtained from S by extending its labelling with z in such a way that (1) S , q The first property ensures that the z-labelling describes a lasso-shape path starting from q.The second one entails that there exists a (∀z Q, S )-compatible set ξ s.t. for every S ∈ ξ, we have S , q |= s uniq(z ) ⇒ AG ((z ∧ z ) ⇒ ϕ).This entails that for any position k along the z-path, there exists a (Q, S )-compatible set in which S, q k |= s ϕ, which entails the result.
Let us briefly measure the size and alternation depth of the resulting formula: in terms of its size, the transformation never duplicates subformulas of the initial formula, so that the final size is linear in the size of the original formula.Regarding proposition quantifiers, it can be checked that the alternation depth of the resulting formula is at most two plus the sum of the number of nested quantifiers in the original formula.In the end, the number of quantifier alternations of the resulting formula is linear in the number of quantifiers in the original formula.
Remark 12.The translation used in the proof above to transform any QCTL formula into an equivalent formula in prenex normal form has been defined for the structure semantics.It is still correct when considering the tree semantics but in this framework, we could define a simpler transformation (in particular, we can get rid of the dpath(z 0 , z 2 ) formula).

QCTL and Monadic
Second-Order Logic.We briefly review Monadic Second-Order Logic (MSO) over trees and over finite Kripke structures (i.e., labelled finite graphs).In both cases, we use constant monadic predicates P a for a ∈ AP and a relation Edge either for the immediate successor relation in a 2 AP -labelled tree T, l or for the relation R in a finite KS Q, R, .
MSO is built with first-order (or individual) variables for vertices (denoted with lowercase letters x, y, ...), monadic second-order variables for sets of vertices (denoted with uppercase letters X, Y, ...).Atomic formulas are of the form x = y, Edge(x, y), x ∈ X, and P a (x).Formulas are constructed from atomic formulas using the boolean connectives and the first-and second-order quantifier ∃.We write ϕ(x 1 , ..., x n , X 1 , ..., X k ) to state that x 1 , ..., x n and X 1 , ..., X k may appear free (i.e.not within the scope of a quantifier) in ϕ.A closed formula contains no free variable.We use the standard semantics for MSO, writing M, s 1 , ..., s n , S 1 , ..., S k |= ϕ(x 1 , ..., x n , X 1 , ..., X k ) when ϕ holds on M when s i (resp.S j ) is assigned to the variable x i (resp.X j ) for i = 1, ..., n (resp.j = 1, ..., k).
In the following, we compare the expressiveness of QCTL with MSO over the finite Kripke structures (the structure semantics) and the execution trees corresponding to a finite Kripke structure (tree semantics).First note that MSO formulas may express properties on the whole trees or graphs, while our logics are interpreted over states of these structures.Therefore we use MSO formulas with one free variable x, which represents the state where the formula is evaluated.Moreover, we restrict the evaluation of MSO formulas to the reachable part of the model from the given state.This last requirement makes an important difference for the structure semantics, since MSO can express e.g. that a graph is not connected while QCTL can only deal with what is reachable from the initial state.
Formally, for the tree semantics, we say that ϕ(x) ∈ MSO is t-equivalent to some QCTL * formula ψ (written ϕ(x) ≡ t ψ) when for any finite Kripke structure S and any state q ∈ T S , it holds T S (q), q |= ϕ(x) iff T S (q), q |= s ψ.Similarly, for the structure semantics: ϕ(x) is s-equivalent to ψ (written ϕ(x) ≡ s ψ) iff for any finite Kripke structure S and any state q ∈ S, it holds S q , q |= ϕ(x) iff S q , q |= s ψ, where S q is the reachable part of S from q.For these definitions, we have: Proposition 13.Under both semantics, MSO and QCTL are equally expressive.
Proof.The translation from QCTL to MSO is easy: translating CTL into MSO is standard and adding propositional quantifications can be managed with second-order quantifications.Now we consider the translation from MSO to QCTL.This translation (which is valid for both semantics) is defined inductively with a set of rewriting rules.Given ϕ(x) ∈ MSO, we define ϕ ∈ QCTL as follows: The last rule not listed above concerns Edge(x i , x), and depends on the semantics: in the tree semantics, there is no edges coming back to the root and the formula is then equivalent to false; in the structure semantics, we have to mark the root with an individual variable and use the same kind of rule as above: in the structure semantics.
The correctness of the translation w.r.t.both semantics is stated in the two following Lemmas, whose inductive proofs are straightforward: Lemma 14.For any ϕ(x, x 1 , ..., x n , X 1 , ..., X k ) ∈ MSO, any finite Kripke structure S and any state q, we have: where T S and T S only differ in the labelling of propositions p x i and p X i : in T S , no state is labelled with these propositions, while in T S , we have (1) As a special case, we get that T S (q), q |= ϕ(x) if, and only if, T S (q), q |= s ϕ, which entails ϕ(x) ≡ t ϕ.
As regards the structure semantics, using similar ideas, we have: Lemma 15.For any ϕ(x, x 1 , ..., x n , X 1 , ..., X k ) ∈ MSO, any finite Kripke structure S and and state q, we have: S q , q, s 1 , ..., s n , S 1 , ..., S k |= ϕ(x, x 1 , ..., x n , X 1 , ..., X k ) iff S q , q |= s ϕ where S q and S q only differ in the labelling of propositions p x i and p X i : in S q , no state is labelled with these propositions, while in S q we have (1) p x ∈ (s) iff s = q, (2) In the end, after labelling state q with p x , we obtain S q , q |= ϕ(x) if, and only if, S q , q |= s ϕ, where S q only differs from S q by the fact that q is labelled with p x .It follows that ϕ(x) ≡ s ∃p x .(px ∧ uniq(p x ) ∧ ϕ).
Remark 16.One can also notice that it is easy to express fixpoint operators with QCTL in both semantics, thus µ-calculus can be translated into QCTL.For instance, the least fixpoint equation µT.[b ∨(a ∧ EX T )] would be written as Such a formula says that there is a fixpoint T such that for any fixpoint U , T is included in U ; this precisely characterises least fixpoints.Since the µ-calculus extended with counting capabilities has the same expressiveness as MSO on trees [MR03], we get another evidence that QCTL can express all MSO properties when interpreted over trees.
3.3.QCTL and QCTL * .Finally, we show that QCTL * and QCTL are equally expressive for both semantics.The main idea of the proof is an inductive replacement of quantified subformulas with extra atomic propositions.Indeed note that for any CTL * state formula Φ and any QCTL * state formula ψ, we have Φ[ψ] ≡ s,t ∃p ψ .Φ[p ψ ] ∧ AG (p ψ ⇔ ψ) where p ψ is a fresh atomic proposition.We have: Proposition 17.Under both semantics, QCTL * and QCTL are equally expressive.
Proof.The result for the tree semantic has been shown in [Fre01].Here we give a different translation, which is correct for both semantics.Consider a QCTL * formula Φ.The proof is by induction over the number k of subformulas of Φ that are not in QCTL.If k = 0, Φ already belongs to QCTL.Otherwise let ψ be one of the smallest Φ-subformulas in QCTL * \ QCTL.Let α i s with i = 1, . . ., m be the largest ψ-subformulas belonging to QCTL (these are state formulas).Then ψ[(α i ← p i ) i=1,...,m ] is a CTL * formula: every subformula of the form ∃p. ξ in ψ belongs to some QCTL formula α i , since ψ is one of the smallest QCTL * \ QCTL subformula.Therefore ψ is equivalent (w.r.t.both semantics) to: Since CTL * can be translated into the µ-calculus [Dam94], and the µ-calculus can in turn be translated into QCTL (see Remark.16), we get that ψ[(α i ← p i ) i=1,...,m ] is equivalent to some QCTL formula Ω. Hence Now, consider the formula obtained from Φ by replacing ψ with the right-hand-side formula above.This formula is equivalent to Φ and has at most k − 1 subformulas in QCTL * \ QCTL, so that the induction hypothesis applies.
Remark 19.In [Fre01], Tim French considers a variant of QCTL * (which we call FQCTL * ), with propositional quantification within path formulas: ∃p.ϕ path is added in the definition of path formulas.The semantics is defined as follows: It appears that this logic is not very different from QCTL * under the tree semantics: French showed that QCTL is as expressive as FQCTL * .Things are different in the structure-semantics setting, where we now show that FQCTL * is strictly more expressive than MSO.To begin with, consider the following formula: This formula expresses the existence of an (infinite) path along which, between any two occurrences of the same state, all the other reachable states will be visited.This precisely corresponds to the existence of a Hamilton cycle, which is known not to be expressible in MSO [EF95, Cor.6.3.5].However, note that the existence of a Hamilton cycle can be expressed in Guarded Second Order Logic GSO6 , in which quantification over sets of edges is allowed (in addition to quantification over sets of states).Still, FQCTL * is strictly more expressive than GSO, as it is easy to modify the above formula to express the existence of Euler cycles: EG ∃x.∃y.∀x .∀y .tr(x, y) ∧ tr(x , y ) ∧ next tr(x, y) ∧ ¬ next tr(x , y ) ⇒ X (¬ next tr(x, y) U next tr(x , y )) where tr(x, y) = uniq(x) ∧ uniq(y) ∧ EF (x ∧ X y) states that x and y mark the source and target of a reachable transition, and next tr(x, y) = x ∧ X y states that the next transition along the current path jumps from x to y.This can be seen to express the existence of an Euler cycle, which cannot be expressed in GSO (otherwise evenness could also be expressed).
Proposition 20.Under the structure semantics, FQCTL * is more expressive than QCTL * and MSO.
Nevertheless FQCTL * model checking (see next section) is decidable: for the tree semantics, it suffices to translate FQCTL * to QCTL, as proposed by French [Fre01].The problem in the structure semantics can then be encoded in the tree semantics: for this we first need to extend the labelling of the Kripke structure S with fresh propositions, one per state (e.g.assume that state q is labeled by p q ).Let S be such an extension (notice that the existence of an Euler path in such a Kripke structure can be expressed in CTL).Then any quantification ∃P.ϕ in some FQCTL * formula Φ (for the structure semantics) is considered in the tree semantics.For this to be correct, we augment Φ with the extra requirement that any two copies of the same state receive the same labelling.We thus build a formula Φ S , by replacing every subformula ∃P.ψ in Φ with ∃P.

Model checking
We now consider the model-checking problem for QCTL * and its fragments under both semantics: given a finite Kripke structure S, a state q and a formula ϕ, is ϕ satisfied in state q in S under the structure (resp.tree) semantics?In this section, we characterise the complexity of this problem.A few results already exist, e.g. for EQ 1 CTL and EQ 1 CTL * under both semantics [Kup95].Hardness results for EQ 2 CTL and EQ 2 CTL * under the tree semantics can be found in [KMTV00].Here we extend these results to all the fragments of QCTL * we have defined.We also characterize the program-and formula-complexities [Var82] of modelchecking for these fragments: the formula complexity (resp.program complexity) consists in evaluating the complexity of the problem S |= ϕ when the model S (resp.formula ϕ) is assumed to be fixed.Except for Theorem 28, our results hold true irrespective of the notion of size (classical size of DAG-size) we use for QCTL * formulas.Appendix A proposes a short introduction to the complexity classes used in the rest of the paper (especially the polynomial-time and exponential hierarchies).
4.1.Model checking for the structure semantics.
4.1.1.Fragments of QCTL.First we consider the fragments of QCTL with limited quantifications: EQ k CTL, AQ k CTL, and Q k CTL.Prenex-normal-form formulas are (technically) easy to handle inductively: a formula in EQ k CTL can be checked by non-deterministically guessing a labelling and applying a model-checking procedure for AQ k−1 CTL.We prove that the model-checking problems for these fragments populate the polynomial-time hierarchy [Sto76]: Theorem 21.Under the structure semantics, model checking EQ k CTL is Σ P k -complete and model checking AQ k CTL is Π P k -complete.Proof.We begin with noticing that an AQ k CTL formula is nothing but the negation of an EQ k CTL formula.Hence it suffices to prove the result for EQ k CTL.The case where k = 0 corresponds to CTL model-checking, which is PTIME-complete.For k > 0, hardness is easy, as EQ k CTL model checking subsumes the following problem, which is known to be Σ P k -complete [Pap94]: true, where Q i is ∃ (resp.∀) when i is odd (resp.even)?
Membership in Σ P k is proved inductively: an EQ 1 CTL instance ∃u 1 1 . . .∃u 1 k .ϕ can be solved in NP =Σ P 1 by non-deterministically picking a labelling of the Kripke structure under study with atomic propositions u 1 1 to u 1 k , and then checking (in polynomial time) whether the CTL formula ϕ holds true in the resulting Kripke structure.Similarly, an EQ k CTL formula ∃u 1 1 . . .∃u 1 k .ϕ, where ϕ is in AQ k−1 CTL, can be checked by first non-deterministically labelling the Kripke structure with atomic propositions u 1 1 to u 1 k , and checking the remaining AQ k−1 CTL formula ϕ in the resulting Kripke structure.The latter is in Π P k−1 according to the induction hypothesis, so that the whole procedure is in Σ P k .When dropping the prenex-normal-form restriction, we get Theorem 22.Under the structure semantics, model checking Proof.We define the algorithm for Q k CTL inductively: when k = 0, we just have a CTL model-checking problem, which is complete for . Assume that we have a ∆ P k+1 [O(log n)] algorithm for the Q k CTL model-checking problem, and consider a formula ϕ ∈ Q k+1 CTL: it can be written under the form ϕ = Φ[(q i → ∃P i .ψ i ) i ] with Φ being a CTL formula involving fresh atomic propositions q i , and ∃P i .ψ i are subformulas 7 of ϕ.The existential quantifiers in these subformulas are the outermost propositional quantifiers in ϕ, and ψ i belongs to Q k CTL, as we assume that Φ is a CTL formula.As a consequence, ∃P i .ψ i is a state-formula, whose truth value only depends on the state in which it is evaluated.For such a formula, we can non-deterministically label the Kripke structure with propositions in P i , and check whether ψ i holds in the resulting Kripke structure.Computing the set of states satisfying ∃P i .ψ i is then achieved in , which is equal to Σ P k+1 .
7 ∃Pi denotes a sequence of existential quantifications.
Moreover, the queries for all the selected subformulas are independent and can be made in parallel.It just remains to check whether the CTL formula Φ holds, which can be achieved in polynomial time.This algorithm is thus in (see [Wag90]).
We prove hardness using problems PARITY(Σ P k ), defined as follows: , where Q i j = ∃ when j is odd and Q i j = ∀ otherwise; Question: is the number of positive instances even?
SAT is encoded as in the previous reduction, using a one-state Kripke structure S i that will be labelled with atomic propositions u i j,l .The Q k CTL formula to be checked is then Ψ i itself.We label the unique state of that Kripke structure with an atomic proposition x i , that will be used in the sequel of the reduction.Now, consider the Kripke structure S obtained as the "union" of the one-state Kripke structures above, augmented with an extra state x m+1 and transitions (x i , x i+1 ), for each 1 ≤ i ≤ m.We define ϕ = 1≤i≤m (x i ∧ Ψ i ).This formula holds true in those states x i of S whose corresponding Σ P k SAT instance is positive.It remains to build a formula for "counting" these sets: we let and It is easily seen that ψ s holds true in state x 1 of S iff exactly s of the m instances of Σ P k SAT are positive.Moreover, each ψ i has quantifier height at most k.The final formula is then the disjunction of the formulas ψ 2i , for 0 ≤ i ≤ m/2.4.1.2.EQCTL and extensions of CTL * .When considering logics with no quantification restriction or the extensions of CTL * , model-checking complexity becomes PSPACE-complete: Theorem 23.Under the structure semantics, model checking EQCTL, QCTL, EQ k CTL * , AQ k CTL * , Q k CTL * , EQCTL * and QCTL * is PSPACE-complete.
Proof.PSPACE-hardness is straightforward because (1) any instance of QBF is a special case of a model checking problem for every logic with unbounded quantifications (EQCTL, QCTL, EQCTL * and QCTL * ) and (2) the model-checking problem is PSPACE-hard for CTL * [SC85], hence also for any extension thereof.
For PSPACE membership, it is sufficient to show the result for QCTL * .Consider a formula Φ = ∃p 1 . . .∃p k .ϕwith ϕ ∈ CTL * .We can easily consider the same kind of algorithm we used for EQ k CTL in Theorem 21: we only replace the CTL model-checking algorithm with a CTL * model-checking algorithm running in polynomial space [CES86].Since NP PSPACE = PSPACE, the resulting algorithm is in PSPACE.This clearly provides a PSPACE algorithm for any QCTL * formula.

Program-complexity. Now we consider the program complexity (or model complexity)
of model checking for the structure semantics.In this context, we assume that the formula is fixed, and the complexity is then expressed only in terms of the size of the model.
Theorem 24.Under the structure semantics, for any k > 0, the program-complexity of model checking is Σ P k -complete for EQ k CTL and EQ k CTL * , and Π P k -complete for AQ k CTL and AQ k CTL * .Proof.Membership in Σ P k for EQ k CTL and AQ k CTL comes directly from the general algorithms (Theorem 21).For EQ k CTL * and AQ k CTL * , we can use the same approach: fix a formula Φ = ∃u 1 1 . . .∃u 1 k .ϕwith ϕ ∈ CTL * .Deciding the truth value of Φ can be done in NP by first non-deterministically guessing a labelling of the model with {u 1 1 , ..., u 1 k } and then checking the fixed formula ϕ (model checking a fixed formula of CTL * is NLOGSPACEcomplete [Sch03]).Thus with the same argument we used for the proof of Theorem 21, we get a Σ P k algorithm for any fixed EQ k CTL * formula (and a Π P k algorithm for a AQ k CTL * formula).
We now prove hardness in Σ P k for EQ k CTL (the results for EQ k CTL * , AQ k CTL and AQ k CTL * are proven similarly).We begin with the case where k = 1 (for which the result is already given in [Kup95] with a proof derived from [HK94]): quantification is encoded in the (fixed) EQ k CTL formula, while the model encodes the SAT formula to be checked.We begin with an NP-hardness proof for EQ 1 CTL, and then explain how it can be extended to EQ k CTL.
Consider an instance ∃P.ϕ b (P ), where P is a set of variables.We assume w.l.o.g. that propositional formula ϕ b is a conjunction of disjunctive clauses.We begin with defining the model associated to ϕ b , and then build the formula, which will depend neither on ϕ b , nor on P .
Write ϕ b = 1≤i≤m 1≤j≤n i,j , where l i,j is in {p k , ¬p k | p k ∈ P }.The model is defined as follows: • it has one initial state, named ϕ b , m states named C i for 1 ≤ i ≤ m, and 3|P | states named p k , ¬ p k and test(p k ) for each p k ∈ P .• there is a transition from ϕ b to each C i and to each test(p k ), a transition from each test(p k ) to the corresponding p k and ¬p k , and a transition from each C i to its constitutive literals i,j .Finally, each p k and ¬p k carries a self-loop.• states test(p k ) are labelled with an atomic proposition test, which is the only atomic proposition in the model.Figure 3 displays an example of this construction.The intuition is as follows: one of the states p k and ¬p k will be labelled (via the EQCTL formula) with an extra proposition ⊕.That exactly one of them is labelled will be checked by the test-states.That the labelling defines a satisfying assignment will be checked by the C i -states.The formula writes as follows: One is easily convinced that a labelling with ⊕ defines a valuation of the propositions in P (by the first part of Φ), and that ϕ b evaluates to true under that valuation (by the second part of Φ).Conversely, a satisfying assignment can be used to prove that Φ holds true in the model.This reduction can be extended to prove Σ P k -hardness of model checking a fixed formula of EQ k CTL.Consider an instance of Σ P k SAT of the form ∃P 1 . . .Q k P k .ϕ b (P 1 , . . ., P k ), assuming w.l.o.g. that the sets P i are pairwise disjoint.The model now involves k testpropositions test 1 to test k , and a test-state associated with a proposition in P l is labelled with test l .The rest of the construction is similar.Assuming that k is even (in which case Q k is universal, and ϕ b is a disjunction of conjunctive clauses-the dual case being similar), formula Φ k then writes as follows: For Q k CTL and Q k CTL * , we have: Theorem 25.Under the structure semantics, for any k > 0, the program-complexity of model checking is Proof.To prove membership in ∆ P k+1 [O(log n)] for Q k CTL * , we reuse the same algorithm as for Theorem 22: we get the same complexity for Q k CTL * and Q k CTL because programcomplexity for CTL * is in PTIME (as for CTL).Now we prove hardness in ∆ P k+1 [O(log n)] for the fixed-formula model-checking problem for Q k CTL.Fix some k, and consider of PARITY (Σ P k ), made of m instances of Σ P k SAT, which we write Φ i (U i 1 , . . ., U i k ) (assuming w.l.o.g. that they all begin with an existential quantifier).We begin with defining a partial view of the Kripke structure that we will use for the construction: it has an initial state init and a final state final, and, for each 1 ≤ i ≤ m, four states labelled with i and either 0 or 1 (to indicate the parity of the number of positive formulas up to Φ i ) and either ⊕ or (to indicate the validity of the i-th instance).Transitions are defined as follows: from init, there is a transition to (1, 0, ⊕) and (1, 0, ); from (i, 0, ⊕) and (i, 1, ), there are transitions to (i+1, 1, ⊕) and to (i+1, 1, ); from (i, 1, ⊕) and (i, 0, ), there are transitions to (i+1, 0, ⊕) and (i+1, 0, ).Finally, there is a transition from (m, 0, ) and (m, 1, ⊕) to final, and self-loops on final, (m, 0, ⊕) and (m, 1, ).Consider a path in such a Kripke structure, and assume that we can enforce that the path visits a ⊕-state if, and only if, the corresponding Σ P k SAT instance is positive.Then this path reaches final if, and only if, the total number of positive instances is even.Otherwise, the path will be stuck in (m, 0, ⊕) or in (m, 1, ).In other words, formula EF final holds true if, and only if, the number of positive instances is even.It remains to enforce the correspondence between positive states and positive instances of Σ P k SAT.This is achieved using the reduction of the proof of Theorem 24: we first extend the above Kripke structure by plugging, at each state (i, j, k), one copy of the Kripke structure built in the proof of Theorem 24.Now, the formula to be checked in the resulting structure has to be reinforced as follows: where Φk is (a slightly modified version of) the formula built in the proof of Theorem 24.
When model checking a fixed formula of QCTL * (hence with fixed alternation depth), there is no hope of being able to encode arbitrary alternation: the program complexity of QCTL * (and QCTL) model checking thus lies in the small gap between PH and PSPACE, unless the polynomial-time hierarchy collapses: Theorem 26.Under the structure semantics, the program-complexity of model checking is PH-hard but not in PH, and in PSPACE but not PSPACE-hard, for EQCTL, QCTL, EQCTL * and QCTL * (unless the polynomial-time hierarchy collapses).
Proof.From Theorem 24, model-checking a fixed formula in EQCTL or EQCTL * is PH-hard.Membership in PSPACE follows from Theorem 23.If these problems were in PH, they would lie in Σ P k for some k, and the polynomial-hierarchy would collapse.Similarly, if they were PSPACE-hard, then a fixed formula (in EQCTL or EQCTL * , hence in EQ k CTL or EQ k CTL * for some k) could be used to encode any instance of QSAT, again collapsing the polynomialtime hierarchy.The same method applies to QCTL and QCTL * thanks to Theorem 25. 4.1.4.Formula-complexity.Now we consider the formula complexity of model checking for the structure semantics.In this context we assume that the the model is assumed to be fixed, and the complexity is then expressed only in term of the size of the formula.We will see that every complexity result obtained for combined complexity also holds for the formula complexity: these logics are expressive enough to provide complexity lower bounds for fixed models.
In Theorem 21, complexity lower-bounds for model-checking EQ k CTL and AQ k CTL are proved with a fixed model.Therefore these results apply also to formula complexity: Theorem 27.Under the structure semantics, the formula-complexity of model checking is Σ P k -complete for EQ k CTL and Π P k -complete for AQ k CTL.For Q k CTL, we have the following result: Theorem 28.Under the structure semantics, the formula-complexity is ∆ P k+1 [O(log n)]complete for Q k CTL when considering the DAG-size of QCTL formulas.When considering the standard size of formulas, the problem is in ∆ P k+1 [O(log n)] and BH(Σ P k )-hard.
Proof.Membership in ∆ P k+1 [O(log n)] can be proved using the same algorithm as in the proof of Theorem 22, and noticing that its complexity is unchanged when considering the DAG-size of the formula.
In order to prove hardness in ∆ P k+1 [O(log n)], we again reduce PARITY (Σ P k ) to a modelchecking problem for Q k CTL over the Kripke structure S with one state and a self-loop as follows: consider an instance I of PARITY (Σ P k ) consisting in m instances Ψ i (i = 1, . . ., m) of Σ P k SAT.We let Clearly α i holds in S iff there is an even number of positive instances in the set {Ψ 1 , . . ., Ψ i }, so that the instance I is positive iff α m holds in S.However, since α i is duplicated in the definition of α i+1 , the reduction is in logarithmic space only if we represent the formula as a DAG.
If we consider the usual notion of size of a formula, one can easily see that formula complexity of Q k CTL model checking is Σ P k -hard and Π P k -hard.Actually, as CTL is closed under Boolean combinations, the problem is hard for any level of the Boolean hierarchy BH(Σ P k ) over Σ P k (we refer to [Hem98] for more details about Boolean hierarchies).Finally formula complexity of CTL * model-checking is already PSPACE-hard [Sch03] and any QBF instance can be reduced to a model-checking problem for EQCTL over a fixed structure.This provides the complexity lower-bounds of the following result (the complexity upper-bound come from the general case, see Theorem 23): Theorem 29.Under the structure semantics, the formula-complexity is PSPACE-complete for EQ k CTL * , AQ k CTL * , Q k CTL * , EQCTL, QCTL, EQCTL * , and QCTL * .

4.2.
Model checking for the tree semantics.This section is devoted to QCTL model checking over the tree semantics.We begin with proving a hardness result, extended techniques of [SVW87] (for QLTL) to the branching-time setting.
Hardness proof.We prove that the Q k CTL model-checking problems populate the exponential-time hierarchy: Theorem 30.Model checking EQ k CTL under the tree semantics is k-EXPTIME-hard (for positive k).
Proof.The proof uses the ideas of [KMTV00, SVW87]: we encode an alternating Turing machine M whose tape is bounded by the following recursively-defined function: An execution of M on an input word y of length n is then a tree.Our reduction consists in building a Kripke structure K and a Q k CTL formula ϕ such that ϕ holds true in K (for the tree semantics) iff M accepts y.
As a first step, we design a set of (polynomial-size) formulas of EQ k CTL that are able to relate two states that are at distance E(k, n) (actually, a slightly different value).This will be used in our reduction to ensure that the content of one cell of the Turing machine is preserved from one configuration to the next one, unless the tape head is around.Define and assume we are given a tree labelled with atomic propositions s and t (among others).We first require that s and t appear exactly once along any branch, by means of the following formula once(ϕ) = AF ϕ ∧ AG (ϕ ⇒ AX AG ¬ ϕ).
Our formula for requiring one occurrence of s and t (in that order) along each branch then reads delimiters(s, t) = once(s) ∧ once(t) ∧ AG (s ⇒ AF t). (4.1)

Fig. 5: Encoding runs of M
We now inductively build our "yardstick" formulas enforcing that, along any branch, the distance between the occurrence of s and that of t is precisely F (k, n) (see Fig. 4).When k = 0, this is easy: For the subsequent cases, we use propositional quantification to insert a number of intermediary points (labelled with r), at distance F (k − 1, n) apart.We then associate with each occurrence of r a counter, encoded in binary (with least significant bit on the right) using a fresh proposition c on the F (k − 1, n) cells between the present occurrence of r and the next one.Our global formula then looks as follows: yardstick n k = ∃r.∃c.(graduation k (r, s, t) ∧ counter k (c, r, s, t)). (4.3) When k = 1, graduation 1 (r, s, t) is rather easy (notice that we allow graduations outside the [s, t]-interval): r).As regards the counter, we have to enforce that, between s and t, it has value zero exactly at s and value 2 n − 1 exactly at t, and that it increases between two consecutive r-delimited intervals: r, s, t) The first two formulas are easy: zeros 1 requires that s be the only position that can be followed by only zeros until the next occurrence of r; ones 1 expresses that in the last rdelimited interval before t, c always equals 1.Finally, increment 1 requires that, starting from s, the value of c is changed from one interval to the next one if, and only if, c equals one in all subsequent positions of the first interval.One can check that this correctly encodes the incrementation of the counter.In the end, yardstick 1 is an EQ 1 CTL formula.
For any k ≥ 2, yardstick k is obtained using similar ideas, with slightly more involved formulas.
Roughly, this states that the labelling with r has to satisfy the constraint that, between any two points u and v at distance F (k − 1, n) apart, there must be exactly one r.Notice that formula yardstick n k−1 appears negated in graduation k .Regarding the counter, formulas zeros k and ones k are the same as zeros 1 and ones 1 , respectively.Incrementation is handled using the same trick as for graduation k : This formula is a mix between increment 1 , in that it uses the same trick of requiring that the value of c is preserved if there is a zero at a lower position, and the labelling with u and v to consider all positions that are at distance is in EQ k CTL (notice that yardstick n k−1 appears negated after the universal quantifiers on u and v).
We now explain how we encode the problem whether a word y is accepted by an alternating Turing machine equipped with a tape of size E(k − 1, |y|) into an EQ k CTL model-checking problem.Assume we are given such a Turing machine M = Q, q 0 , δ, F on a two-letter alphabet Σ = {α, β}, and an input word y ∈ Σ n .An execution of M on y is encoded as (abstractly) depicted on Fig. 5, with one configuration being encoded as a sequence of cells, and branching occurring only between two consecutive configurations.
With M, we associate a Kripke structure S M = S, R, where S = (Q ∪ { }) × (Σ ∪ {•}) ∪ {#} (where • denotes empty cells of the tape and # will be used to delineate the successive configurations of M), R = S × S is the complete transition relation, and labels each state with its name (hence the initial set of atomic propositions is S).We write s 0 for the state #, where our formula will be evaluated.
The execution tree of S M from s 0 contains as branches any word in s 0 • S ω .We use symbol # to divide that tree into slices of height enforces that along any branch, symbol # occurs at every level multiple of Notice that this formula is in AQ k−1 CTL, since the yardstick n k−1 formula is in EQ k−1 CTL.Notice that when k = 1, a simpler CTL formula can be used.Now, not all branches of the execution tree of S M are needed in order to represent an accepting execution of M: only states labelled with # may have several successors (see Fig. 5).In order to keep track of the relevant branches, we label them with a fresh, existentially-quantified proposition a.The fact that branching only occurs at #-nodes can be expressed as Enforcing the initial state of the Turing machine (namely, that the tape contains y, Turing machine is in state q 0 and the tape head is on the first letter of y) is straightforward (by expressing that a must label the corresponding sequence of states in the tree).Expressing "local" requirements on the encoding of a configuration (e.g. that each configuration contains exactly one state representing a position for the tape head) is straightforward, using the delimiter #.The fact that an accepting state is reached along any a-branch is also easy.It only remains to express that there is a transition linking any configuration with its successor configurations.This can be achieved using similar formulas as formula (4.4), using delimiters u and v to ensure that the content of the tape is preserved and that the tape head has been moved by one position.
In the end, the global formula has an external existential quantification on a, followed by formulas in AQ k−1 CTL similar to formula (4.4) (of CTL formulas when k = 1).The whole formula is then in EQ k CTL, which concludes the proof that model checking this logic is k-EXPTIME-hard.
When using CTL * , the above proof can be improved to handle one more exponential: indeed, using CTL * , formula yardstick n 0 (s, t) can be made to enforce that the distance between s and t is 2 n .This way, using k quantifier alternations, we can encode the computation of an alternating Turing machine running in space (k+1)-exponential.In the end: Theorem 31.Model checking EQ k CTL * under the tree semantics is (k + 1)-EXPTIME-hard (for positive k).
Algorithms for the tree semantics.We use tree-automata techniques to develop modelchecking algorithms for our logics.We recall the definitions and main results of this classical setting, and refer to [MS87, MS95, Tho97, KVW00] for a more detailed presentation.
We begin with defining alternating tree automata, which we will use in the proof.This requires the following definition: the set of positive boolean formulas over a finite set P of propositional variables, denoted with PBF(P ), is the set of formulas defined as where p ranges over P .That a valuation v : P → { , ⊥} satisfies a formula in PBF(P ) is defined in the natural way.We abusively say that a subset P of P satisfies a formula ϕ ∈ PBF(P ) iff the valuation 1 P (mapping the elements of P to and the elements of P P to ⊥) satisfies ϕ.Since negation is not allowed, if P |= ϕ and P ⊆ P , then also P |= ϕ.
Definition 32.Let Σ be a finite alphabet.Let D ⊆ N be a finite subsets of degrees.An alternating parity D-tree automaton on Σ, or D, Σ -APT, is a 4-tuple A = Q, q 0 , τ, Ω where • τ is a family of transition functions (τ d ) d∈D such that for all d ∈ D, it holds • Ω : Q → {0, . . ., k − 1} is a parity acceptance condition.The size of A, denoted by |A|, is the number of states in Q.The range k of Ω is the index of A, denoted by idx(A).
A non-deterministic D-tree automaton on Σ, or D, Σ -NPT, is a D, Σ -APT where for any d ∈ D, q ∈ Q and σ ∈ Σ, we have: We now define the semantics of our tree automata.Notice that contrary to the classical setting, where tree automata are defined to deal with fixed-arity trees, we better use the setting of [KVW00], where the transition function depends on the arity of the node where it is applied.Let A = Q, q 0 , τ, Acc be an D, Σ -APT, and T = T, l T be a Σ, D -tree.An execution tree of A on T is a T × Q-labelled tree E = E, p such that • p( ) = ( , q 0 ), • for each node e ∈ E with p(e) = (t, q) and d = d T (t), there exists a set ξ = {(c 0 , q 0 ), . . ., (c m , q m )} ⊆ {0, . . ., d − 1} × Q such that ξ |= τ d (q, l T (t)), and for i = 0, . . ., m, we have e • i ∈ E and p(e • i) = (t • c i , q i ).We write p Q for the labelling function restricted to the second component: when p(e) = (t, q), then p Q (e) = q.Given an infinite path π ∈ Path E in an execution tree, p Q (π) is the set of states of visited along π, and Inf(p Q (π)) is the set of states visited infinitely many times.An execution tree is accepting if min{Ω(q) | q ∈ Inf(p Q (π))} is even for every infinite path π ∈ Path E .A tree T is accepted by A if there exists an accepting execution tree of A on T .
Deciding whether a given tree is accepted by a tree automaton is decidable.More precisely, given a tree automaton A and a regular tree T (i.e., a tree for which there exists a finite Kripke structure S and a state q such that T = T S (q)), the problem whether T is accepted by A is decidable.Moreover, given a tree automaton A, the problem whether A accepts some tree at all is also decidable8 , and when the answer is positive, A accepts a regular tree.We summarise these results in the following theorem: Theorem 33.The problem whether an APT A with d priorities accepts regular tree T represented as a Kripke structure S can be solved in time O((|A| • |S|) d ).Checking the emptiness of an APT A is EXPTIME-complete [Löd13].Additionally, If A accepts some infinite tree, then it accepts a regular one [Rab72].
We now recall some standard properties of APT, which we will use later to define our model-checking algorithm for Q k CTL.First note that the use of Boolean formulae in the transition function makes the treatment of operations like union, intersection and complement easy to handled with APT and there is no cost in term of the size of the resulting automata [MS87].Now we assume we are given a Kripke structure S = Q, R, on a set AP of atomic propositions, and we write D for the set of degrees in S.
Lemma 34.[KVW00] Given a CTL formula ϕ over AP and a set D of degrees, we can construct a D, 2 AP -APT A ϕ accepting exactly the 2 AP -labelled D-trees satisfying ϕ.The automaton A ϕ has size linear in the size of ϕ, and uses a constant number of priorities.Sketch of proof.We only describe the construction, and refer to [KVW00] for a detailed proof of the result.W.l.o.g.we assume that negations in ϕ are followed by atomic propositions; This might require adding the two extra modalities E W and A W , which satisfy the following equivalences: The automaton A ϕ = Q ϕ , q 0 , τ, Ω ϕ is defined as follows: • Q ϕ is the set of state subformulas (not including and ⊥), • the initial state q 0 is ϕ, • given a degree d ∈ D, ψ ∈ Q ϕ and σ ∈ 2 AP , we define τ d (ψ, σ) as follows: • the acceptance condition is defined as Note that the definition of Ω ϕ for other nodes (i.e., boolean combinations) is not needed as these nodes cannot be visited infinitely often along a branch.
QCTL quantifications over atomic propositions will be handled with the projection operation on tree automata.To this aim, we will use the following lemma (notice that it requires non-deterministic tree automata as input): Lemma 35.[MS85] Let A be a D, 2 AP -NPT, with AP = AP 1 ∪ AP 2 .For all i ∈ {1, 2}, we can build a D, 2 AP -NPT B i such that, for any 2 AP -labelled D-tree T , it holds: T ∈ L(B i ) iff ∃T ∈ L(A).T ≡ AP i T .The size and index of B i are those of A.
In order to use this result, we will have to apply the simulation theorem, which allows for turning APTs into NPTs.Having varying degrees does not change the result (for example, one can adapt the proofs of Lemma 3.9 and Theorem 3.10 in [Löd13] in order to get the result in our extended setting): Lemma 36.[MS95] Let A be a D, 2 AP -APT.We can build an D, 2 AP -NPT N accepting the same language as A, and such that |N | ∈ 2 O(|A|idx(A)•log(|A|idx(A))) and idx(N Theorem 39.Model checking Q k CTL * under the tree semantics is in (k + 1)-EXPTIME (for positive k).
Proof.The proof proceeds along the same lines as in the proof of Theorem 37.However, we have to build automata for a CTL * formula in the base case, so that the automaton for a Q 1 CTL * formula has size 2-exponential and number of priorities exponential.
During the induction step, we consider automata for Q k−1 CTL * formulas, apply the simulation theorem and projection, and combine them with an (exponential-size) automaton for a CTL * formula [KVW00].One can easily see that the resulting automaton has size k + 1-exponential, and number of priorities k-exponential.Theorem 33 then entails the result.
From Theorems 30, 31, 38 and 39, we obtain: Corollary 40.Under the tree semantics, for any k > 0, model checking EQ k CTL, AQ k CTL and Q k CTL is k-EXPTIME-complete, and model checking EQ k CTL * , AQ k CTL * and Q k CTL * is (k + 1)-EXPTIME-complete.

It follows:
Theorem 41.Model checking EQCTL, QCTL, EQCTL * and QCTL * under the tree semantics is TOWER-complete.4.2.1.Program-complexity.When fixing the formula, the problem becomes much easier (in terms of its theoretical complexity): given ϕ, one can build an automaton A 2 ϕ such that for every Kripke structure S, deciding whether S, q |= t ϕ is equivalent to deciding whether the unfolding of a variant of S is accepted by A 2 ϕ which can be done in polynomial time (because |A 2 ϕ | is assumed to have constant size).First consider a finite Kripke structure S = Q, R, .We define q) = (q) for q ∈ Q and 2 (q) = {p int } for q ∈ Q int (p int is a fresh atomic proposition).Finally Q int and R 2 are defined in order to mimic S-transitions with nodes of degree 2: if q 1 , . . ., q k (with k > 1) are the k successors of q in S, we have a transition (q, q ) ∈ R 2 and q is the root of a complete binary tree with k leaves q 1 , . . ., q k .For this, we need k − 1 internal nodes (including q ).If q has a unique successor q in S, we just add the transition (q, q ) to R 2 .Thus the size of Q int is q∈Q d(x) − 1.Now consider a QCTL formula Φ (that does not use p int ).Let Φ be the QCTL formula defined as follows: The following lemma which relates the truth value of Φ on S with that of Φ on S 2 : Lemma 42.For any Kripke structure S = Q, R, , for any QCTL formula Φ, and for any q ∈ Q, we have S, q |= t Φ if, and only if, S 2 , q |= t Φ.
Proof.The proof is done by structural induction over Φ.
Theorem 43.Under the tree semantics, the program-complexity of model-checking is PTIME-complete for all our fragments between EQ 1 CTL and AQ 1 CTL to QCTL * .
Proof.Let Ψ be a QCTL * formula.By Proposition 17, we can build an equivalent QCTL formula Φ.Now consider Φ as above.Let A Φ be the alternating tree automaton built for proving Theorem 38 when D = {1, 2}.It is easy to see that A Φ recognizes the 2 AP -labeled trees having nodes with degrees in {1, 2} and satisfying Φ.Now consider a model-checking instance S, q |= t Φ, it clearly reduces to S 2 , q |= t Φ and then to T S 2 (q) ∈ L(A Φ ).This last problem can be solved in polynomial time (in |S 2 |) when the size of A Φ is assumed to be fixed: following Theorems 33 and 37, the polynomial has degree

Fig. 6: A monotone boolean circuit
We now prove hardness in PTIME, by reducing the CIRCUIT-VALUE problem (actually a simplified version of it, with no negation [GJ79]) to a modelchecking problem for a fixed formula in EQ 1 CTL.Pick a monotone circuit with fan-out 2 (i.e., an acyclic Kripke structure in which all states are labelled with ∨ or ∧ and have two outgoing edges, except for two "terminal" states respectively labelled with 0 and 1, and which only have a self-loop as outgoing edges).The value of the circuit is the value of its initial node, defined in the natural way.See Fig. 6 for an instance of CIRCUIT-VALUE (self-loops omitted) whose initial node evaluates to 1.
Consider the CTL formula and choose a labelling of the circuit with a new atomic proposition p satisfying ϕ (in the initial state).By an easy induction, we get that a state is labelled with p if, and only if, its value is 1.As a consequence, the circuit has value one if, and only if, the initial state of its associated Kripke structure satisfies the fixed EQ 1 CTL formula ∃p.(p ∧ ϕ).The same equivalence holds for the AQ 1 CTL formula ∀p.(ϕ ⇒ p), as it is easily seen that only one p-labelling satisfies ϕ.
4.2.2.Formula-complexity.The reductions used in general cases can be made to work with a fixed model.Thus we have: Theorem 44.Under the tree semantics, the formula-complexity of model-checking is k-EXPTIME-complete for EQ k CTL and Q k CTL, and it is (k + 1)-EXPTIME-complete for EQ k CTL * and Q k CTL * , for positive k.
Proof.Membership in k-EXPTIME (resp. in (k + 1)-EXPTIME) follows from the general case.We can adapt the hardness proof for EQ k CTL (Theorem 30) to work with a fixed Kripke structure S. Let M be a (k − 1)-EXPSPACE alternating Turing machine Q, q 0 , δ, F with Q = {q 1 , . . ., q l } and let y be an input word over Σ. Assume (w.l.o.g.) that Σ = {α, β}.In order to reuse the reduction performed for the general case, we need to encode the unfolding of S M (defined in the proof of Theorem 30) with an unfolding of some fixed Kripke structure S (hence with a fixed arity and a fixed labelling).For this we use the Kripke structure S = S, R, with S = {s 0 , s 1 }, R = {(s 0 , s 0 ), (s 0 , s 1 ), (s 1 , s 0 ), (s 1 , s 1 )} and (s i ) = ∅ for i = 0, 1: its unfolding is a binary tree and it contains no atomic proposition.We use intermediary states (labeled by p int ) to encode the arity of the states of S M (i.e., every "regular" node s will be the root of some finite binary tree labeled with p int and whose leaves correspond to all possible successors of s in K M ), and we use an additional existential propositional quantification to describe the states (content of the tape, control state, separator, ...).Let AP be the set {q 1 , . . ., q l , α, β, #}.The EQ k CTL specification used to describe the existence of an accepting run of M over y is the following formula Φ where Φ M,y is a slight variant of the EQ k CTL formula used in the proof of Theorem 30 and Φ b is a CTL formula described below: Formula Φ b describes the labelling of the binary tree with {p int , p q 0 , . . ., p q l , α, β, #}: • ¬ p int is true initially, • every state satisfying ¬ p int satisfies exactly one proposition in {α, β, #} and at most one in {p q 0 , . . ., p q l } can be associated with α or β, • every ¬ p int state can reach (along a p int -labeled path) every ¬ p int state with one the following labellings: {{α}, {β}, {#}, {α, q 0 }, . . ., {α, q l }, {β, q 0 }, . . ., {β, q l }} • and every p int state satisfies AF ¬ p int (every intermediary state is inevitably followed by a regular state).In Φ M,y , the only change we have to do is for yardstick n 0 (s, t): we replace AX n by a sequence of n nested formulae of the form " AX ( Ap int U (¬ p int ∧ . ..))" in order to find the n-th cell without considering intermediary states.Clearly Φ is still in EQ k CTL and we have y ∈ L(M) iff K, s 0 |= Φ.
The same approach can be done for EQ k CTL * and Q k CTL * with an extra exponential level due to the ability of CTL * to describe a run of length 2 n .As a consequence of the previous result, we have: Theorem 45.Under the tree semantics, the formula-complexity of model-checking is TOWER-complete for EQCTL, QCTL, EQCTL * and QCTL * .

Satisfiability
We now address the satisfiability problem for our two semantics: given formula ϕ in QCTL * (or a fragment thereof), does there exist a finite Kripke structure S such that S, q |= ϕ for some state q of S? Structure semantics.As a corollary of our Prop.13 and of the undecidability of MSO over finite graphs [See76], we have Theorem 46.For the structure semantics, satisfiability of QCTL and QCTL * is undecidable.
Notice that satisfiability of QCTL and QCTL * is clearly recursively enumerable: the finite Kripke structures can be enumerated and checked against the considered formula, using our model-checking algorithms.
Similar undecidability results were already proved by French: in [Fre01], he proved that satisfiability of QCTL (more precisely, AQ 1 CTL) is undecidable over infinite-state Kripke structure; in [Fre03], he proved that satisfiability of QLTL over finite-state Kripke structures is undecidable (from which we get the result for AQ 1 CTL * ).
To complete the picture, we prove the following results: Theorem 47.Under the structure semantics, the satisfiability problem is undecidable for AQ k CTL (when k ≥ 1) and EQ k CTL (when k ≥ 2).
Notice that satisfiability for EQ 1 CTL and EQ 1 CTL * under the structure semantics is nothing but satisfiability of CTL and CTL * , respectively: if ϕ is in CTL * , ∃p.ϕ is satisfiable if, and only if, ϕ is.
The core of the reduction is an EQ 2 CTL formula characterising those Kripke structures that are finite grids 10 .We say that a Kripke structure is a finite grid when it is linear (i.e., the underlying graph for some m) or when it is isomorphic to a product L m × L n for some integers m and n.The outermost existential quantifiers of our EQ 2 CTL formula can then be handled together with the existential quantification on the Kripke structure (because we deal with satisfiability), so that our reduction will work for AQ 1 CTL.
The main idea behind our formula is a labelling of every other horizontal (resp.vertical) line of the structures with atomic propositions h (resp.v).Using universal quantification, we impose alternation between lines of h-states and lines of ¬ h-states using the following formula of the following form, enforcing small squares as depicted on Fig. 7: The full formula and a proof that it correctly characterises finite grids are given in Appendix B.
Fig. 7: The horizontal and vertical lines of a grid 10 This follows the same ideas as in [Fre01] for proving undecidability of AQ 1 CTL over infinite Kripke structures.However, the restriction to finite grids comes with many more technicalities (not all states will have two successors, to begin with).
Proof of Theorem 47.We consider the following tiling problem: given a finite set of different tiles, is it possible to tile any finite grid?This problem is easily shown undecidable, e.g. by encoding the computations of a Turing machine.Now, we encode the dual problem, expressing the existence of a finite grid for which any tiling has a local mismatch.This can be achieved using the formula for grids and an additional (universal) quantification for placing tiles on that grid, for which a CTL formula will express the existence of a position where neighboring tiles do not match.
Tree semantics.We prove the following result: Theorem 48.Under the tree semantics, satisfiability is (k + 1)-EXPTIME-complete for AQ k CTL and Q k CTL, and it is k-EXPTIME-complete for EQ k CTL (for positive k).
Proof.We first prove (k + 1)-EXPTIME-hardness for AQ k CTL satisfiability.This is a straightforward adaptation of the proof of Theorem 30: in that proof, from an input word y and an alternating Turing machine M equipped with a tape of size E(k, |y|), we built an EQ k+1 CTL formula of the form ∃a. Φ, where Φ is in AQ k CTL, which is true in the Kripke structure S M if, and only if, M accepts the input word y.Now we claim that it is also equivalent to the satisfiability of Φ ∧ χ M , where χ M is an AQ 1 CTL-formula that encodes the Kripke structure S M .Letting AP = (Q ∪ { }) × (Σ ∪ {•}) ∪ {#}, formula χ M expresses the fact that # is the initial state, and that any reachable state has exactly one successor labelled with p, for each p ∈ AP (see the proof of Theorem 30 for the definition of S M ).More precisely, χ M can be written as We write Φ M for Φ ∧ χ M .
First assume that ∃a.Φ is true in S M (for the tree semantics).Then also ∃a.(Φ M ) is true in that Kripke structure (notice that χ M does not depend on a).Applying Theorem 37 to Φ M for D = {|AP|}, we know that there is an alternating tree automaton A Φ M accepting exactly the D-trees in which Φ M holds.Since ∃a.(Φ M ) is true in S M , we know that A Φ accepts at least one tree.From Theorem 33, it accepts a regular tree.As a consequence, there is a finite-state Kripke structure where Φ M holds.Conversely, if Φ M is satisfiable, then ∃a.Φ M also is (for the tree semantics).Pick a Kripke structure S satisfying ∃a.Φ M .Then S satisfies χ M , so that the unwindings of S and of S M are the same, and state # of S M satisfies ∃a.Φ.This proves the lower bound for AQ k CTL and Q k CTL.As EQ k CTL contains AQ k−1 CTL, it also gives the complexity lower-bound for EQ k CTL.Now we prove membership in (k + 1)-EXPTIME for Q k CTL satisfiability.Let Φ be a Q k CTL formula.Let Φ be the corresponding formula over {1, 2}-trees, as defined at Section 4.2.1.Let Φ 2 be the CTL formula ¬ p int ∧ AG AF ¬ p int .The following lemma allows us to reduce the satisfiability problem for Φ to the satisfiability problem for Φ ∧ Φ 2 for {1, 2}-trees: Lemma 49.There exists a Kripke structure S with a state q such that S, q |= t Φ if, and only if, there exists a regular {1, 2}-tree T such that Temporal logics extended with propositional quantification are simple, yet very powerful extensions of classical temporal logics.They have a natural semantics, and optimal algorithms based on standard automata constructions.Their powerful expressiveness is very convenient to encode more intricate problems over extensions of temporal logics, as was done for multi-agent systems in [LM14].We expect that QCTL will find more applications in related areas shortly.

Appendix A. The polynomial-time and exponential hierarchies
In this section, we briefly define the complexity classes that are used in the paper.More details about those complexity classes can be found e.g. in [Pap94].
We write PTIME (resp.NP) for the class of decision problems that can be decided in polynomial time by a deterministic (resp.non-deterministic) Turing machine.
Given a decision problem L (for instance SAT), a Turing machine with oracle L is a Turing machine equipped with an extra tape (the oracle tape) and three special states q oracle , q yes and q no .During the computation, whenever the Turing machine enters state q oracle , it directly jumps to q yes if the instance of L written on the oracle tape is positive, and to q no otherwise.
We write PTIME L for the set of languages accepted by deterministic Turing machines with oracle L and halting in polynomial time (in the size of the input).We write NP L for the analogous class defined with non-deterministic machines.When L is complete for some complexity class C, we also write PTIME C for PTIME L (and NP C for NP L ).Notice that these definitions do not depend on the selected C-complete problem.We also define PTIME C[log n] as the subclass of problems of PTIME C that can be solved by a deterministic Turing machine in polynomial time but with only a logarithmic number of visits to the q oracle -state.Finally, PTIME C is the subclass of problems of PTIME C that can be solved in polynomial time by a deterministic Turing machine slightly different from the previous ones: several queries can be written on the oracle tape, but once the oracle state is visited, the oracle tape cannot be modified anymore.This can be seen as solving all queries in parallel.
The polynomial-time hierarchy is the following sequence of complexity classes, defined recursively with Σ P 0 = PTIME and Σ P i+1 = NP The classes in this hierarchy lie between PTIME and PSPACE (and it is an open problem whether the hierarchy collapses).Notice for instance that Σ P 1 = NP, since an oracle for PTIME problems is useless to a non-deterministic Turing machine running in polynomial time.Similarly, ∆ P 1 = PTIME.On the other hand, ∆ P 2 = PTIME NP contains those problems that can be solved in polynomial time by a deterministic Turing machine with an NP oracle.This includes both NP and coNP.
A natural problem in Σ P i is the problem QSAT i of finding the truth value of ∃X 1 .∀X 2 .∃X 3 . . .Q i X i .ϕ(X 1 , X 2 , X 3 , . . ., X i ) where ϕ is a boolean formula with variables in X 1 to X i .The dual problem (where the sequence of quantifications begins with a universal one) is Π P i -complete.The problem SNSAT i , made of several instances of QSAT i where the k-th instance uses the truth value of the k − 1 previous ones, is an example of a ∆ P i+1 -complete problem [LMS01].The complexity class PH is the union of all the classes in the polynomial-time hierarchy.Equivalently, PH = i∈N Σ P i .Clearly, PH ⊆ PSPACE.Whether these two classes are equal is open.Notice that PH is not known to contain complete problems: if a problem is complete for PH, then it is at least as hard as any other problem in PH, but on the other hand is belongs to Σ P i for some i, which implies that the polynomial-time hierarchy would collapse.
We then impose that if a state has two successors, then those two successors have a common successor, as depicted on Fig. 7.This is expressed as follows: We also impose globally that each state can be reached from the initial state by two particular paths that are made of one "horizontal part" followed by a "vertical part" (and conversely).This is expressed as follows: ∀γ. EF γ ⇒ hq∈{h,¬ h} vq∈{v,¬ v} hγ ∈{h,¬ h} vγ ∈{v,¬ v} Eh q U (h q ∧ Ev γ U (v γ ∧ γ)) ∧ Ev q U (v q ∧ Eh γ U (h γ ∧ γ)) (B.6) Symmetrically, from any state, the s-state can be reached using similar paths.Here we have to enumerate the possible values for h and v in the s-state: hs∈{h,¬ h} vs∈{v,¬ v} AG hq∈{h,¬ h} vq∈{v,¬ v} Eh q U (h q ∧ Ev s U (v s ∧ s)) ∧ Ev q U (v q ∧ Eh s U (h s ∧ s)) (B.7) • finally, we label the left, right, top and bottom borders of the grid, which we define as follows: Propositions h and v are used to mark "horizontal" and "vertical" lines.A successor u of a state u is a horizontal successor if both u and u have the same labelling w.r.t.h.Similarly, it is a vertical successor when they have the same labelling w.r.t.v. Similarly, a horizontal path (resp.vertical path) is a path in S along which the truth value of h (resp. of v) is constant.Finally, we let L, R, T and B be the sets of states labelled with l, r, t and b, respectively.
We now give a few intermediary results that will be convenient for proving that the conjunction of the formulas above characterises grids.These lemmas assume that the initial state q of S satisfies the conjunction of Formulas (B.1) to (B.8), and that all states of S are reachable from q.
Lemma 53.Pick two states u and u in S, such that there is a transition between u and u (in either direction).Then • either u and u are the same state (hence they are labelled with s),

Fig. 3 :
Fig. 3: The model used for proving Σ P k -hardness of model checking a fixed EQ k CTL formula.