We revisit a fundamental result in real-time verification, namely that the binary reachability relation between configurations of a given timed automaton is definable in linear arithmetic over the integers and reals. In this paper we give a new and simpler proof of this result, building on the well-known reachability analysis of timed automata involving difference bound matrices. Using this new proof, we give an exponential space procedure for model checking the reachability fragment of the logic parametric TCTL. Finally we show that the latter problem is NEXPTIME-hard.
I. INTRODUCTION
The PSPACE-completeness of the reachability problem for timed automata is arguably the most fundamental result in real-time verification. This theorem was established by Alur and Dill in [1], for which they were awarded the Alonzo Church Award in 2016. The reachability problem has been intensively studied in the intervening 20 years, leading to practical algorithms and generalisations to more expressive models. As of now, [1] is the most cited paper that has appeared in the journal Theoretical Computer Science.
Properly speaking, Alur and Dill considered reachability between control states (also called locations). The problem of computing the binary reachability relation over configurations (both control states and clock valuations) is more involved.
Here the main result is due to Comon and Jurski [2], who showed that the reachability relation of a given timed automaton is effectively definable by a formula of first-order linear arithmetic over the reals augmented with a unary predicate denoting the integers. Importantly, this fragment of mixed linear arithmetic has a decidable satisfiability problem, e.g., by translation to S1S.
Despite its evident utility, particularly for parametric verification, it is fair to say that the result of Comon and Jurski has proven less influential than that of Alur and Dill. We believe that this is due both to the considerable technical complexity of the proof, which runs to over 40 pages in [3], and to the implicit nature of their algorithm, which makes it hard to extract complexity bounds.
In this paper we revisit the result of Comon and Jurski. Our two main contributions are as follows:
• We give a new and conceptually simpler proof that generalises the classical reachability algorithm for timed automata involving difference bound matrices and standard operations thereon. The key new idea is to carry out the algorithm on a symbolically presented initial configuration. This approach is fundamentally different from that of [2], the main part of which involves a syntactic transformation showing that every timed automaton can be effectively emulated by a flat timed automaton, i.e., one that does not contain nested loops in its control graph.
• We apply our strengthened formulation of the result of Comon and Jurski to parametric model checking. We show that the formula representing the reachability relation can be computed in time singly exponential in the size of the timed automaton. Using this bound on the formula size and utilising results of [4], [5] on quantifier elimination for first-order logic over the reals and integers, we show that the model checking problem for the reachability fragment of the temporal logic parametric TCTL is decidable in exponential space. We show in the main body of the paper that this problem is NEXPTIME-hard and sketch in the conclusion how to obtain matching upper and lower bounds.
978-1-5090-3018-7/17/$31.00 ©2017 IEEE
There are two main steps in our approach to computing a formula representing the reachability relation. First, given a timed automaton A and a configuration (ℓ, v) of A, we construct a version of the region automaton of [1] that represents all configurations reachable from (ℓ, v). Unlike [1] we do not identify all clock values above the maximum clock constant, so our version of the region automaton is a counter machine rather than a finite state automaton. The counters are used to store the integer parts of clock valuations of reachable configurations, while the fractional parts of the clock valuations are aggregated into zones that are represented within the control states of the counter machine by difference bound matrices. Since the counters mimic clocks they are monotonic, and so the reachability relation on such a counter machine is definable in a weak fragment of Presburger arithmetic.
The second step of our approach is to make the previous construction parametric: we show that the form of the counter machine does not depend on the precise numerical values of the clocks in the initial valuation v, just on a suitable logical type of v. Given such a type, we develop a parametric version of the counter-machine construction. Combining this construction with the fact that the reachability relation for the considered class of counter machines is definable in a fragment of Presburger arithmetic, we obtain a formula that represents the full reachability relation of the timed automaton A.
A. Related Work
Dang [6] has generalised the result of Comon and Jurski, showing that the binary reachability relation for pushdown timed automata is definable in linear arithmetic. The approach in [6] relies on a finite partition of the fractional parts of clock valuations into so-called patterns, which play a role analogous to types in our approach. The notion of pattern is ad hoc and, as remarked by Dang, relatively complicated. In particular, patterns lack the simple characterisation in terms of difference constraints that is possessed by types. The latter is key to our result that the reachability relation can be expressed by a Boolean combination of difference constraints. Dima [7] gives an automata-theoretic representation of the reachability relation of a timed automaton. To this end he introduces a class of automata whose runs encode tuples in such a relation. The main technical result of [7] is to show that this class of automata is effectively closed under relational reflexive-transitive closure.
The model checking problem for parametric TCTL was studied by Bruyère et al. [8], [9] in the case of integer-valued parameters. Here we allow real-valued parameters, which leads to a strictly more expressive semantics.
Parametric DBMs have been used in [10], [11] to analyse reachability in parametric timed automata. These are related to but different from the parametric DBMs occurring in Subsection III-C.
B. Organisation
We introduce and state our main results in the body of the paper. The central constructions underlying our proofs are also given in the body, along with illustrative examples.
Missing proofs can be found in the full version of this paper [12] .
II. MAIN DEFINITIONS AND RESULTS

A. Timed Automata
Given a set X = {x_1, …, x_n} of clocks, the set Φ(X) of clock constraints is generated by the grammar
where k ∈ ℕ is a natural number and x ∈ X. A clock valuation is a mapping v : X → ℝ_{≥0}, where ℝ_{≥0} is the set of non-negative real numbers. We denote by 0 the valuation such that 0(x) = 0 for all x ∈ X. Let ℝ^X_{≥0} be the set of all clock valuations. We write v ⊨ φ to denote that v satisfies the constraint φ. Given t ∈ ℝ_{≥0}, we let v + t be the clock valuation
We typically write v_i as shorthand for v(x_i), and by convention we define v_0 = 0. For all γ ∈ ℝ, let frac(γ) be the fractional part of γ and ⌊γ⌋ its integer part. Denote by frac(v) and ⌊v⌋ the valuations such that (frac(v))(x_i) = frac(v_i) and ⌊v⌋(x_i) = ⌊v_i⌋ for all clocks x_i ∈ X.
A timed automaton is a tuple A = (L, X, E), where L is a finite set of locations, X is a finite set of clocks and E ⊆ L × Φ(X) × 2^X × L is the set of edges.
The semantics of a timed automaton A = (L, X, E) is given by a labelled transition system (Q, ⇒) with set of configurations Q = L × ℝ^X_{≥0} and set of transition labels ℝ_{≥0}. A configuration (ℓ, v) consists of a location ℓ and a clock valuation v. Given two configurations (ℓ, v) and (ℓ', v'), we postulate:
A run ρ = q_0 ⇒ q_1 ⇒ q_2 ⇒ ⋯ is a finite or infinite sequence of delay and discrete transitions in (Q, ⇒). We require infinite runs to have infinitely many discrete transitions and to be non-Zeno, that is, we require Σ_{i≥1} d_i to diverge.
Henceforth we assume that in any given timed automaton with set X of clocks, x_n is a special reference clock that is never reset. Clearly this assumption is without loss of generality for encoding the reachability relation. Note that we consider timed automata without diagonal constraints, that is, guards of the form x_i − x_j ⋈ k, for k an integer. It is known that such constraints can be removed without affecting the reachability relation (see [1], [13]).
B. Linear Arithmetic
In this section we introduce a first-order language L_{ℝ,ℤ} in which to express the reachability relation of a timed automaton.
Language L_{ℝ,ℤ} has two sorts: a real-number sort and an integer sort. The collection T_ℝ of terms of real-number sort is specified by the grammar
where c ∈ ℚ is a constant and r ∈ {r_0, r_1, …} is a real-valued variable. Given terms t, t' ∈ T_ℝ, we have an atomic formula t ≤ t'. The collection T_ℤ of terms of integer sort is specified by the grammar
where c ∈ ℤ is a constant and z ∈ {z_0, z_1, …} is an integer variable. Given terms t, t' ∈ T_ℤ, we have atomic formulas t ≤ t' and t ≡ t' (mod m), where m ∈ ℤ. Formulas of L_{ℝ,ℤ} are constructed from atomic formulas using Boolean connectives and first-order quantifiers.
Throughout the paper we consider a fixed semantics for L_{ℝ,ℤ} over the two-sorted structure in which the real-number sort is interpreted by ℝ, the integer sort by ℤ, and with the natural interpretation of addition and order on each sort.
The sublanguage L_ℝ of L_{ℝ,ℤ} involving only terms of real-number sort is called real arithmetic. The sublanguage L_ℤ involving only terms of integer sort is called Presburger arithmetic. Optimal complexity bounds for deciding satisfiability of sentences of real arithmetic and Presburger arithmetic are given in [14]: roughly speaking, real arithmetic requires single exponential space and Presburger arithmetic double exponential space.
Proposition 1. Deciding the truth of a sentence in the existential fragment of L_{ℝ,ℤ} can be done in NP.

Proof. The respective decision problems for the existential fragment of real arithmetic and the existential fragment of Presburger arithmetic are in NP [15], [16]. Deciding the truth of a sentence in the existential fragment of L_{ℝ,ℤ} is therefore also in NP, since we can guess truth values for the Presburger and real-arithmetic subformulas, and separately check realisability of the guessed truth values in non-deterministic polynomial time. □
For the purpose of model checking, it will be useful to establish complexity bounds for a language L^{dif}_{ℝ,ℤ}, intermediate between L_ℝ and the full language L_{ℝ,ℤ}. The language L^{dif}_{ℝ,ℤ} arises from L_{ℝ,ℤ} by restricting the atomic formulas over terms of integer sort to have the form
for integer variables z, z' and integers c, d.
Proposition 2. Deciding the truth of a prenex-form sentence Q_1 x_1 … Q_n x_n φ in L^{dif}_{ℝ,ℤ} can be done in space exponential in n and polynomial in φ.
Proof. The proposition is known to hold separately for L_ℝ [4] and for the fragment of L_ℤ in which atomic formulas have the form shown in (1) [5, Section 4]. The respective arguments of [4] and [5] can be straightforwardly combined to prove the proposition; see Appendix A of the full version [12] for details. □

C. Definability of the Reachability Relation
Given a timed automaton A with n clock variables, we express the reachability relation between every pair of locations ℓ, ℓ' by a formula
φ_{ℓ,ℓ'}(z_1, …, z_n, r_1, …, r_n, z'_1, …, z'_n, r'_1, …, r'_n)
in the existential fragment of L_{ℝ,ℤ}, where z_1, z'_1, …, z_n, z'_n are integer variables and r_1, r'_1, …, r_n, r'_n are real variables ranging over the interval [0, 1]. Our main result, Theorem 10, shows that there is a finite run in A from configuration (ℓ, v) to configuration (ℓ', v') just in case
(⌊v_1⌋, …, ⌊v_n⌋, frac(v_1), …, frac(v_n), ⌊v'_1⌋, …, ⌊v'_n⌋, frac(v'_1), …, frac(v'_n)) ⊨ φ_{ℓ,ℓ'}.

Example 1. Consider the following timed automaton:
[Figure: the timed automaton of Example 1; the visible guard is x_2 = 1.]
A brief inspection reveals that location ℓ_3 can be reached from a configuration (ℓ_0, (v_1, v_2)) if and only if v_1 < v_2 < 1. The reachability relation between locations ℓ_0 and ℓ_3 is expressed by the formula
where the real-valued variables r_1, r_2, r'_1, r'_2 range over the interval [0, 1].
Consider the following timed automaton:
We have
D. Parametric Timed Reachability Logic
Timed computation tree logic (TCTL) is an extension of computation tree logic for specifying real-time properties [17]. In [8] TCTL was generalised to allow parameters within timing constraints, yielding the logic parametric TCTL. In this paper we consider the fragment of parametric TCTL generated by the reachability modality ∃◇, which we call parametric timed reachability logic (PTRL).
Let AP be a set of atomic propositions and Θ a set of parameters. Formulas of PTRL of the first type are given by the grammar (2), where p ∈ AP, ⋈ ∈ {<, ≤, =, ≥, >}, and α ∈ ℚ ∪ Θ. Formulas of PTRL of the second type are given by the grammar, where φ is a formula of the first type, θ, θ' ∈ Θ, ⋈ ∈ {<, ≤, =, ≥, >}, and c ∈ ℚ. In the sequel we use ∀□_{⋈α} φ as an abbreviation for ¬∃◇_{⋈α} ¬φ.
Formulas of PTRL are interpreted with respect to a timed automaton A = (L, X, E), a labelling function LB : L → 2^{AP}, and a parameter valuation ξ : Θ → ℝ_{≥0}.
Such a function is extended to the rational numbers by writing ξ(c) = c for c ∈ ℚ. Given a parameter valuation ξ, we define a satisfaction relation ⊨_ξ between configurations of A and PTRL formulas by induction over the structure of formulas. The Boolean connectives are handled in the expected way, and we define q ⊨_ξ θ − θ' ⋈ c iff ξ(θ) − ξ(θ') ⋈ c, and q ⊨_ξ ∃◇_{⋈α} φ iff there exists some infinite non-Zeno run ρ = q_0 ⇒^{d_1} q_1 ⇒^{d_2} q_2 ⇒^{d_3} ⋯ of A and i ∈ ℕ such that q_0 = q, d_1 + ⋯ + d_i ⋈ ξ(α), and q_i ⊨_ξ φ.
Fig. 1. A timed automaton where the satisfaction relation of PTRL with parameters ranging over non-negative real numbers differs from the relation when parameters are restricted to naturals. The locations ℓ_1 and ℓ_3 are labelled by propositions p_1 and p_2, respectively. The set λ of clocks reset by a transition is shown as λ ← 0; for example, the transition from ℓ_3 to ℓ_4 is guarded by x_2 = 1 and resets x_1. For all 0 < θ < 1, we have (ℓ_0, 0) ⊨ ∃◇(p_1 ∧ ∃◇_{=θ} p_2), whereas there exists no n ∈ ℕ such that (ℓ_0, 0) ⊨ ∃◇(p_1 ∧ ∃◇_{=n} p_2).
q ⊨_ξ ∃θ ψ iff there exists a parameter valuation ξ' such that q ⊨_{ξ'} ψ and ξ, ξ' agree on Θ \ {θ}.
expresses that some p_2-state is reachable in at most the same time as any p_1-state is reachable.
The paper [8] considered a semantics for parametric TCTL in which parameters range over the naturals ℕ. Here we have given a more general semantics in which parameters range over the non-negative real numbers ℝ_{≥0}. The following example shows that the satisfaction relation changes under this extension.
Example 4. Consider the timed automaton in Figure 1 with two clocks x_1, x_2. Clock valuations v are denoted by vectors (v_1, v_2). Let φ = ∃◇(p_1 ∧ ∃◇_{=θ} p_2). All non-Zeno infinite runs of the timed automaton from configuration (ℓ_0, 0) start with the following prefix
where 0 < t < 1. Now the configuration in ℓ_1 reached by this prefix satisfies p_1 ∧ ∃◇_{=1−t} p_2. As a result, (ℓ_0, 0) ⊨ ∃◇(p_1 ∧ ∃◇_{=θ} p_2) holds only for 0 < θ < 1. Thus (ℓ_0, 0) ⊨ ∃θ φ when the parameter θ ranges over ℝ_{≥0} but not when θ ranges over ℕ.
Let A = (L, X, E) be a timed automaton augmented with a labelling function LB : L → 2^{AP}. Let φ be a PTRL formula in which all occurrences of parameters are bound. The model checking problem of A against φ asks, given a
The model checking procedure for parametric TCTL with integer-valued parameters, developed in [8], relies on the region abstraction. In particular, formulas in this logic have the same truth value for all configurations in a given region. However, as the following example shows, region invariance fails when parameters range over the set of real numbers.

satisfies φ just in case t_1, t_2 < 1 and 2t_1 − t_2 < 1, for θ = (1 − t_2)/2.
In Section V we show that model checking PTRL over real-valued parameters is decidable in EXPSPACE and it is NEXPTIME-hard.
III. DIFFERENCE BOUND MATRICES
A. Basic Definitions
In this section we review the notions of clock zones and difference bound matrices; see [18], [19] for further details. Let X = {x_1, …, x_n} be a set of clock variables. A zone Z ⊆ ℝ^X_{≥0} is a set of valuations defined by a conjunction of difference constraints x_j − x_i ≺ c for c ∈ ℝ and ≺ ∈ {<, ≤}. Note that we allow real-valued constants in difference constraints.
Zones and operations thereon can be efficiently represented by difference bound matrices (DBMs).

An atomic DBM M' is one that represents a single constraint x_i − x_j ⋈ c, where ⋈ ∈ {<, ≤} and c ∈ ℝ. Note that all but one entry of an atomic DBM is the trivial constraint (<, ∞). We often denote DBMs by the constraints that they represent.
Define a total order on
Here we adopt the convention that m

We now define operations on DBMs that correspond to time elapse, projection, and intersection on zones.
Time elapse. If M is canonical, then the time-elapsed DBM M↑ is also canonical and we have
Intersection. Our presentation of intersection of DBMs is slightly non-standard. First, we only consider intersection with atomic DBMs. (Clearly this is without loss of generality, since any DBM can be written as an intersection of atomic DBMs.) Under this restriction we combine intersection and canonisation, so that our intersection operation yields a DBM in canonical form whenever the input DBM is in canonical form.
We make three observations about this definition. First, notice that in the first item we only require closure with respect to intersection with constraints with integer constants. Observe also that in the second item the time elapse operation has been relativised to [0, 1]^n. This ensures that every DBM N ∈ closure(M) denotes a subset of [0, 1]^n. It follows that any consistent DBM in closure(M) is 1-bounded. Finally, note that the clock x_n is treated in a special way (in keeping with our assumptions about timed automata in Section II-A): it is only reset when it reaches 1.
Let v ∈ [0, 1]^n be a clock valuation, and recall that, by convention, v_0 = 0. We write M_v for the 1-bounded DBM M_v = (≺_{i,j}, m_{i,j}), where ≺_{i,j} = ≤ and m_{i,j} = v_j − v_i for all 0 ≤ i, j ≤ n. Then M_v is in canonical form and [[M_v]] = {v}.
We say a DBM M = (≺_{i,j}, m_{i,j}) ∈ closure(M_v) is well supported if each entry m_{i,j} can be written in the form c + v_{j'} − v_{i'} for some c ∈ {−1, 0, 1} and indices 0 ≤ i', j' ≤ n. Clearly M_v is well supported.
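To make the closure construction concrete, the following Python is an added illustration written for this page; it is not code from the paper. It implements canonical DBMs in the convention fixed above (entry (i, j) bounds x_j − x_i, with x_0 the constant 0), the time elapse relativised to [0, 1]^n, reset, and intersection with atomic constraints, then computes closure(M_v) for the valuation v = (0.6, 0) that Example 6 uses (with x_2 as the reference clock that is reset only at 1) and checks the well-supported property on every DBM found. The set of atomic constraints it closes under (single-clock constraints with the constants 0 and 1) is our reading of "constraints with integer constants" for 1-bounded DBMs; the valuation is constructed input.

```python
from fractions import Fraction

# Added illustration, not the paper's code.  A DBM over clocks x_1..x_n is an
# (n+1)x(n+1) tuple of entries (m, strict) encoding x_j - x_i < m (strict) or
# x_j - x_i <= m (non-strict); index 0 is the constant clock x_0 = 0.  Bounds are
# exact Fractions, so the closure computation below is exact and terminates.

def tighter(a, b):
    """Total order on entries: smaller bound first, then (<) before (<=)."""
    return a if (a[0], not a[1]) <= (b[0], not b[1]) else b

def canonical(M):
    """Floyd-Warshall tightening; returns None if the zone is empty."""
    n = len(M)
    N = [list(row) for row in M]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = (N[i][k][0] + N[k][j][0], N[i][k][1] or N[k][j][1])
                N[i][j] = tighter(N[i][j], via)
    for i in range(n):  # a negative (or strict zero) cycle means inconsistency
        if N[i][i][0] < 0 or (N[i][i][0] == 0 and N[i][i][1]):
            return None
    return tuple(tuple(row) for row in N)

def point(v):
    """M_v: the canonical DBM whose zone is exactly v in [0,1]^n (v_0 = 0)."""
    vals = [Fraction(0)] + [Fraction(x) for x in v]
    return tuple(tuple((vj - vi, False) for vj in vals) for vi in vals)

def intersect(M, i, j, bound, strict=False):
    """M intersected with the atomic constraint x_j - x_i < bound (or <=)."""
    N = [list(row) for row in M]
    N[i][j] = tighter(N[i][j], (Fraction(bound), strict))
    return canonical(N)

def elapse(M):
    """Time elapse relativised to [0,1]^n: drop the upper bounds, re-impose x_j <= 1."""
    N = [list(row) for row in M]
    for j in range(1, len(M)):
        N[0][j] = (Fraction(1), False)
    return canonical(N)

def reset(M, i):
    """M[x_i <- 0] on a canonical DBM: x_i inherits every relation x_0 has."""
    N = [list(row) for row in M]
    for k in range(len(M)):
        N[k][i], N[i][k] = N[k][0], N[0][k]
    N[i][i] = (Fraction(0), False)
    return canonical(N)

def closure(v):
    """closure(M_v): close {M_v} under time elapse in [0,1]^n, reset of every clock
    except the reference clock x_n (reset only when x_n = 1), and intersection with
    x_i < c, x_i <= c, x_i > c, x_i >= c for c in {0, 1}.  Returns the consistent DBMs."""
    n = len(v)
    start = point(v)
    seen, todo = {start}, [start]
    while todo:
        M = todo.pop()
        succ = [elapse(M)] + [reset(M, i) for i in range(1, n)]
        at_one = intersect(M, n, 0, -1)          # x_0 - x_n <= -1, i.e. x_n >= 1
        if at_one is not None:
            succ.append(reset(at_one, n))        # wrap of the reference clock
        for i in range(1, n + 1):
            for c in (0, 1):
                for strict in (False, True):
                    succ.append(intersect(M, 0, i, c, strict))    # x_i - x_0 < c
                    succ.append(intersect(M, i, 0, -c, strict))   # x_0 - x_i < -c
        for N in succ:
            if N is not None and N not in seen:
                seen.add(N)
                todo.append(N)
    return seen

def well_supported(M, v):
    """Every entry is c + v_j' - v_i' for some c in {-1, 0, 1} and indices i', j'."""
    vals = [Fraction(0)] + [Fraction(x) for x in v]
    offsets = {vj - vi for vi in vals for vj in vals}
    return all(any(m - c in offsets for c in (-1, 0, 1)) for row in M for m, _ in row)

DEMO_V = (Fraction(3, 5), Fraction(0))   # constructed input: the valuation (0.6, 0)

if __name__ == "__main__":
    C = closure(DEMO_V)
    print(len(C), "consistent DBMs in closure(M_v); all well supported:",
          all(well_supported(M, DEMO_V) for M in C))
```

The elapse of M_v for (0.6, 0) yields the zone {(0.6, 0) + t : 0 ≤ t ≤ 0.4} described in Example 6: x_1 is capped at 1, which through the difference constraint x_2 − x_1 = −0.6 caps x_2 at 0.4.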
The following is the main technical result in this section. See Appendix B of the full version [12] for the full proof.

C. Parametric DBMs

A clock valuation v ∈ [0, 1]^n extends to a map T_ℝ(n) → ℝ mapping r_i to v_i (recalling the convention that v_0 = 0). Given a clock valuation v ∈ [0, 1]^n, the type of v is the set of atomic L_ℝ-formulas t ≤ t', with t, t' ∈ T_ℝ(n), that are satisfied by the valuation v. A collection of atomic formulas T is said to be an n-type if it is the type of some clock valuation v ∈ [0, 1]^n. Note that every type contains the inequalities r_0 ≤ 0 and 0 ≤ r_0.
Given an n-type T, we define an equivalence relation on the set of terms T_ℝ(n) that relates terms t and t' just in case the formulas t ≤ t' and t' ≤ t both lie in T. We write [t] for the equivalence class of term t and denote by T_ℝ(T) the set of all such equivalence classes. Given an n-type T, a parametric DBM of dimension n over T_ℝ(T) is an (n + 1) × (n + 1) matrix with entries in ({<, ≤} × T_ℝ(T)) ∪ {(<, ∞)}.
We use letters in calligraphic font to denote parametric DBMs, and roman font for concrete DBMs. Given a parametric DBM 𝓜, we obtain a concrete DBM v(𝓜) by applying v pointwise to the entries of 𝓜.
The time elapse and reset operations on DBMs, defined in Section III-A, carry over formally to parametric DBMs. Since the notions of addition and minimum are well-defined on T_ℝ(T), we can also formally carry over the definition of intersection to parametric DBMs.

The significance of Corollary 6 is that the only part of the type T required to determine closure(𝓜_T) is the finite collection of formulas t ≤ t' in T such that t, t' ∈ DT_ℝ(n). Thus closure(𝓜_T) is finite. Indeed it is not hard to see from Corollary 6 that |closure(𝓜_T)| ≤ 2^{poly(n)}.
IV. A FAMILY OF REGION AUTOMATA
Let A be a timed automaton. Our aim in this section is to define a finite collection of counter machines that represents the reachability relation on A. Intuitively, the counters in these machines are used to store the integer parts of clock valuations of reachable configurations, while the fractional parts of the clock valuations are aggregated into zones which are represented by difference bound matrices encoded within control states.
A. Monotonic Counter Machine
In this subsection we introduce the class of monotonic counter machines and show that the reachability relation for a machine in this class is definable in Presburger arithmetic. The proof is straightforward, and is related to the fact that the reachability relation of every reversal-bounded counter machine is Presburger definable [20].
Let C = {c_1, …, c_n} be a finite set of counters. The collection of guards, denoted Φ(C), is given by the grammar

The proof of the following result is given in Appendix C of the full version [12].

Proposition 7. Let C be a monotonic counter machine with n counters. Given states s, s' of C, the reachability relation
is definable by a formula in the existential fragment of Presburger arithmetic that has size exponential in C.
B. Concrete Region Automata
Let A = (L, X, E) be a timed automaton and (ℓ, v) a configuration of A. We define a monotonic counter machine C_{(ℓ,v)} whose configuration graph represents all configurations of A that are reachable from (ℓ, v).
Let X = {x_1, …, x_n} be the set of clocks in A. Recall from Section II-A the assumption that clock x_n is never reset by the timed automaton. To simplify the construction, we also assume that each transition in A resets at most one clock. This is without loss of generality with respect to reachability. Given a clock constraint φ ∈ Φ(X), we decompose φ into an integer constraint φ_int ∈ Φ(C) and a real constraint φ_frac ∈ Φ(X) such that for every clock valuation v' ∈ ℝ^X_{≥0}, v' ⊨ φ iff ⌊v'⌋ ⊨ φ_int and frac(v') ⊨ φ_frac.
The definition of φ_int and φ_frac is by induction on the structure of φ. The details are given in

The proposition is a straightforward variant of the soundness and completeness of the DBM-based forward reachability algorithm for timed automata, as shown, e.g., in [21, Theorem 1]. We give a proof in Appendix D of the full version [12]. We illustrate the translation from timed automata to counter machines with the following example.

Example 6. Consider the timed automaton A in Figure 3 with clocks X = {x_1, x_2}, where x_2 is the reference clock. Let the configuration (ℓ_0, v) be such that v = (0.6, 0). Also shown in Figure 3 is the counter machine C_{(ℓ_0,v)} that is constructed from A and (ℓ_0, v) in the manner described above. The control states of this machine are pairs (ℓ, M), where ℓ is a location of A and M is a consistent DBM in closure(M_v). The machine C_{(ℓ_0,v)} has two counters, denoted c_1 and c_2.
[[M_0]] = {(0.6, 0)}. The counter-machine state (ℓ_0, M_0) in tandem with counter valuation (0, 0) represents the configuration (ℓ_0, v) of A.
There is a delay edge in C_{(ℓ_0,v)} from (ℓ_0, M_0) to (ℓ_0, M_1), where M_1 = M_0↑ ∩ ⋂_{i=1}^{n} (x_i ≤ 1). We then have [[M_1]] = {(0.6, 0) + t : 0 ≤ t ≤ 0.4}. The single transition of A yields a discrete edge in C_{(ℓ_0,v)} from (ℓ_0, M_1) to (ℓ_1, M_2). This transition in A has guard φ := 0 < x_1 < 1, which decomposes into separate constraints on the integer and fractional parts, respectively given by φ_int := (c_1 = 0) and φ_frac := (0 < x_1 < 1).
The integer part φ_int becomes the guard of the corresponding edge in C_{(ℓ_0,v)}. The fractional part φ_frac is incorporated into the DBM M_2, which is defined as
There is a further delay edge in C_{(ℓ_0,v)} from (ℓ_1, M_2) to (ℓ_1, M_3).
There is a wrapping edge from (ℓ_1, M_3) to (ℓ_1, M_4), where M_4 = (M_3 ∩ (x_2 = 1))[x_2 ← 0]. The counter c_2 is incremented along this edge, corresponding to the integer part of clock x_2 increasing by 1 as time progresses.
The remaining states and edges of C_{(ℓ_0,v)} are illustrated in Figure 3.
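The decomposition of a guard into an integer constraint on the counters and a fractional constraint on the DBM is the step that lets C_{(ℓ,v)} track configurations exactly. The Python below is an added illustration, not the paper's inductive definition (whose details are not on this page): it splits each atomic constraint x ⋈ k into finitely many pairs (φ_int, φ_frac) whose disjunction is equivalent to the constraint, prunes pairs whose counter bounds are contradictory, and exhaustively checks the defining property v' ⊨ φ iff ⌊v'⌋ ⊨ φ_int and frac(v') ⊨ φ_frac on a grid of constructed valuations. For the guard 0 < x_1 < 1 of Example 6 it yields exactly c_1 = 0 and 0 < frac(x_1) < 1; for ≤, = and > constraints the split needs a disjunction of pairs (x ≤ k holds either when ⌊x⌋ ≤ k − 1 or when ⌊x⌋ = k and frac(x) = 0), which is why a list of pairs is returned rather than a single pair. The guard names and sample guards are constructed for the demonstration.

```python
import math
from fractions import Fraction
from itertools import product

# Added illustration, not the paper's definition.  A guard is a list of atomic
# constraints (clock, rel, k) with k a natural number and no diagonal constraints.
# Constraint dicts map a clock name to a list of (rel, k) bounds on that clock's
# counter c = floor(x) (integer part) or on frac(x) (fractional part).

REL = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def split_atomic(rel, k):
    """Pairs (int_part, frac_part) whose disjunction is equivalent to x ⋈ k.
    int_part constrains c = floor(x); frac_part constrains frac(x), None meaning 'true'.
    Sound because x = c + f with c a natural number and 0 <= f < 1."""
    return {
        "<":  [(("<=", k - 1), None)],
        "<=": [(("<=", k - 1), None), (("==", k), ("==", 0))],
        "==": [(("==", k), ("==", 0))],
        ">=": [((">=", k), None)],
        ">":  [((">=", k + 1), None), (("==", k), (">", 0))],
    }[rel]

def feasible(phi_int):
    """False if the counter bounds on some clock have no natural-number solution."""
    for cons in phi_int.values():
        lo, hi = 0, math.inf
        for rel, k in cons:
            if rel in ("<=", "=="): hi = min(hi, k)
            if rel == "<":          hi = min(hi, k - 1)
            if rel in (">=", "=="): lo = max(lo, k)
            if rel == ">":          lo = max(lo, k + 1)
        if lo > hi:
            return False
    return True

def split_guard(guard):
    """All feasible (phi_int, phi_frac) pairs for a conjunction of atomic constraints."""
    options = [[(clock, ip, fp) for ip, fp in split_atomic(rel, k)] for clock, rel, k in guard]
    pairs = []
    for choice in product(*options):
        phi_int, phi_frac = {}, {}
        for clock, ip, fp in choice:
            phi_int.setdefault(clock, []).append(ip)
            if fp is not None:
                phi_frac.setdefault(clock, []).append(fp)
        if feasible(phi_int):
            pairs.append((phi_int, phi_frac))
    return pairs

def holds(constraints, val):
    return all(REL[rel](val[clock], k) for clock, cons in constraints.items() for rel, k in cons)

def sat_guard(guard, val):
    return all(REL[rel](val[clock], k) for clock, rel, k in guard)

def int_frac(val):
    """The valuations floor(v) and frac(v) of Section II-A."""
    ints = {clock: math.floor(x) for clock, x in val.items()}
    return ints, {clock: x - ints[clock] for clock, x in val.items()}

def check_equivalence(guard, clocks, step=Fraction(1, 4), top=3):
    """Compare v ⊨ φ with 'some pair has floor(v) ⊨ φ_int and frac(v) ⊨ φ_frac' on the
    constructed grid {0, step, ..., top}^clocks.  Returns the number of valuations
    checked; raises if the decomposition disagrees with the guard anywhere."""
    pairs = split_guard(guard)
    grid = [i * step for i in range(int(top / step) + 1)]
    checked = 0
    for pt in product(grid, repeat=len(clocks)):
        val = dict(zip(clocks, pt))
        ints, fracs = int_frac(val)
        via_split = any(holds(pi, ints) and holds(pf, fracs) for pi, pf in pairs)
        if via_split != sat_guard(guard, val):
            raise AssertionError(f"decomposition disagrees with guard at {val}")
        checked += 1
    return checked

# The guard 0 < x_1 < 1 of Example 6 (constructed encoding; the other guards are samples).
EXAMPLE_GUARD = [("x1", ">", 0), ("x1", "<", 1)]

if __name__ == "__main__":
    for phi_int, phi_frac in split_guard(EXAMPLE_GUARD):
        print("int:", phi_int, " frac:", phi_frac)
    print(check_equivalence(EXAMPLE_GUARD, ["x1"]), "valuations agree")
    print(check_equivalence([("x1", "<=", 1), ("x2", ">", 1), ("x2", "==", 2)], ["x1", "x2"]),
          "valuations agree")
```

On the paper's guard the contradictory pair (c_1 ≥ 1 ∧ c_1 ≤ 0) is pruned and one pair remains, matching φ_int = (c_1 = 0) and φ_frac = (0 < x_1 < 1) above; an unsatisfiable guard such as x_1 ≥ 2 ∧ x_1 < 2 yields no pairs, which the check accepts since the guard itself holds nowhere.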
D. Reachability Formula
We are now in a position to state our main result.
Theorem 10. Given a timed automaton A with n clocks and locations ℓ, ℓ', we can compute in exponential time a formula φ_{ℓ,ℓ'} in the existential fragment¹ of L_{ℝ,ℤ} such that there is a finite run in A from configuration (ℓ, v) to configuration (ℓ', v') just in case (⌊v⌋, frac(v), ⌊v'⌋, frac(v')) ⊨ φ_{ℓ,ℓ'}.
Proof. We give the definition of φ_{ℓ,ℓ'} below and justify the complexity bound in Appendix E of the full version [12]. For simplicity we write the formula φ_{ℓ,ℓ'} as a disjunction over the collection TP_n of all n-types. However, each disjunct only depends on the restriction of the type T to the (finite) set of atomic formulas t ≤ t' with t, t' ∈ DT_ℝ(n); so φ_{ℓ,ℓ'} can equivalently be written as a finite disjunction. We define
where the subformulas α^T and χ^T_{ℓ,ℓ'} are defined below.
The Hintikka formula α^T(r_1, …, r_n) is defined by α^T := ⋀_{(t ≤ t') ∈ T} (t ≤ t').

Fix the type T_1 for the valuation (0.6, 0). We illustrate the relevant part of the counter machine C_{(ℓ_0,T_1)} in Figure 5.
States (ℓ, 𝓜) of the machine comprise a location ℓ and a parametric DBM 𝓜. Moreover, 𝓜_0 = 𝓜_{T_1}. The placement of a transition between (ℓ_1, 𝓜_5) and (ℓ_1, 𝓜_2) relies on the fact that the terms −r_2 and 0 are equivalent with respect to the equivalence relation on terms induced by T_1.

¹ We claim that this result can be strengthened to state that the reachability relation can be expressed by a quantifier-free formula, again computable in exponential time. To do this one can exploit structural properties of the class of monotonic counter machines that arise from timed automata. We omit details.

[Figure 5: the relevant part of the counter machine C_{(ℓ_0,T_1)}. Its states, among them (ℓ_0, 𝓜_1), carry parametric DBMs whose entries have the form (≤, 0), (≤, −r_1), (≤, −r_2), (≤, r_1 − r_2), (≤, r_2 − r_1), (≤, 1) and (≤, r_2 − r_1 + 1).]

Let α^{T_1} be the Hintikka formula of the type T_1. Clearly, (0.6, 0) ⊨ α^{T_1}. We define χ^{T_1}_{ℓ_0,ℓ_1} as follows:
where ψ_1, ψ_2, ψ_3 and ψ_4 are given in the following:
ψ_2 = (r'_1 = 0) ∧ (r_2 ≤ r'_2 < r_2 − r_1 + 1),
The formulae ψ_i (with i ∈ {2, 3, 4, 5}) summarise the constraints placed on r'_1 and r'_2 by the parametric DBMs 𝓜_i in the counter machine C_{(ℓ_0,T_1)}. See Figure 5 for the constraints in the parametric DBMs 𝓜_i. Recall that the real-valued variables r_i, r'_i range over the interval [0, 1].
Let T_2 be the type for the valuation (0.2, 0). In comparison with C_{(ℓ_0,T_1)}, we present the counter machine C_{(ℓ_0,T_2)} in Figure 6 in Appendix F of the full version [12].
The formula φ_{ℓ_0,ℓ_1}, expressing the set of valuations v and v' such that (ℓ_1, v') is reachable from (ℓ_0, v), is then the disjunction of all formulas α^T ∧ χ^T_{ℓ_0,ℓ_1} for types T ∈ TP_n.

In this section we prove the following result.
Theorem 11. The model-checking problem for PTRL is decidable in EXPSPACE and is NEXPTIME-hard.
For membership in EXPSPACE, given a timed automaton A, a configuration (ℓ, v) of A, and a sentence ψ of PTRL, we construct in exponential time a sentence ψ̂ of L^{dif}_{ℝ,ℤ} that is true if and only if (ℓ, v) ⊨ ψ. We thereby obtain an exponential space algorithm for the model checking problem. We then prove NEXPTIME-hardness by a reduction from SUCCINCT 3-SAT.
A. Reduction of Model Checking to Satisfiability
The model checking procedure for PTRL relies on a "cut-down" version of Theorem 10, concerning the logical definability of the reachability relation. In this version, given as Lemma 12 below, we do not represent the full reachability relation, but instead abstract the integer parts of all clocks except the reference clock x_n. This abstraction is sufficient for model checking PTRL, and moreover allows us to obtain a formula that lies in the sub-logic L^{dif}_{ℝ,ℤ}, which has better complexity bounds than the full logic L_{ℝ,ℤ}.
Given N ∈ ℕ, define the set R_N of regions to be R_N = {0, …, N} ∪ {∞}. A counter valuation v ∈ ℕ^n is abstracted
The following lemma is proved in Appendix C of the full version [12]. To keep things simple, we assume that every configuration of A can generate an infinite non-Zeno run. It is not difficult to drop this assumption, since the collection of configurations from which there exists such a run is a union of clock regions and hence is definable in L^{dif}_{ℝ,ℤ}. We also assume, without loss of generality, that the reference clock x_n is not mentioned in any guard of A.
The construction of ψ̂_{ℓ,R} is by induction on the structure of ψ. The induction cases for the Boolean connectives are straightforward and we concentrate on the induction step for the connective ∃◇_{⋈α}. In fact we only consider the case that ⋈ is the equality relation =, the cases for < and > being very similar.
Suppose that ψ ≡ ∃◇_{=θ_i} ψ' for some PTRL-formula ψ' and i ∈ {1, …, k}. Then we define
$$\hat\psi_{\ell,R}(r, w, s) \;:=\; \bigvee_{\ell',R'} \exists r' \,\exists z' \Big( \varphi_{\ell,R,\ell',R'}(0, r, z', r') \;\wedge\; (r'_n = s_i \wedge z' = w_i) \;\wedge\; \hat\psi'_{\ell',R'}(r'_1, \ldots, r'_{n-1}, 0, w, s) \Big)$$
where φ_{ℓ,R,ℓ',R'} is the reachability formula defined in Lemma 12. Note that this definition relies on the assumption that the clock x_n is never reset by the timed automaton and hence can be used to keep track of global time.
This completes the translation of PTRL-formulas of the first type to formulas of L^{dif}_{ℝ,ℤ}. Extending this inductive translation to PTRL-formulas of the second type is straightforward, bearing in mind that we represent each parameter θ_i by a variable w_i for its integer part and a variable s_i for its fractional part. Thus, e.g., the PTRL-formula ∃θ_i ψ is translated as ∃w_i ∃s_i (0 ≤ s_i < 1 ∧ ψ̂).
Given a sentence ψ of PTRL, a location ℓ of A, and R ∈ R_N, our translation yields a formula ψ̂_{ℓ,R}(r_1, …, r_n) such that for any valuation v with Reg(⌊v⌋) = R we have (ℓ, v) ⊨ ψ if and only if frac(v) ⊨ ψ̂_{ℓ,R}. By Lemma 12, the formula ψ̂_{ℓ,R} has size singly exponential in the size of ψ and A and quantifier depth linear in the size of ψ. The model checking problem then reduces to determining the truth of ψ̂_{ℓ,R} on frac(v), where Reg(⌊v⌋) = R. Since satisfiability for sentences of L^{dif}_{ℝ,ℤ} can be decided in polynomial space in the formula size and exponential space in the number of quantifiers (by Proposition 2), the model checking problem of PTRL lies in EXPSPACE.
B. NEXPTIME-Hardness
In this section we show that model checking timed automata against the fixed PTRL sentence ∃θ ∀□_{=θ} p is NEXPTIME-hard. We remark that, due to the punctual constraint = θ, the above formula expresses a synchronization property: there exists a duration θ such that all runs are in a p-state after time exactly θ.
Recall that a Boolean circuit is a finite directed acyclic graph whose nodes are called gates. An input gate is a node with indegree 0. All other gates are labelled ∨, ∧, or ¬. An output gate is a node with outdegree 0.
We show NEXPTIME-hardness by reduction from the SUCCINCT 3-SAT problem. The input of SUCCINCT 3-SAT is a Boolean circuit C, representing a 3-CNF formula φ_C, and the output is whether or not φ_C is satisfiable. Specifically, C has 2 output gates, and the input gates are partitioned into two nonempty sets of respective cardinalities n and m. The formula φ_C has 2^n variables and 2^m clauses (in particular, the number of variables and clauses in φ_C can be exponential in the size of C). The first n inputs of C represent the binary encoding of the index i of a variable, and the remaining m inputs of C represent the binary encoding of the index j of a clause in φ_C. The output of C indicates whether the i-th variable occurs positively, negatively, or not at all in the j-th clause of φ_C. The SUCCINCT 3-SAT problem is NEXPTIME-complete [22].
Given an instance of SUCCINCT 3-SAT, that is, a Boolean circuit $C$ as described above, we construct a timed automaton $\mathcal{A}$ augmented with a labelling function $L$ such that the 3-CNF formula $\varphi_C$ encoded by the circuit $C$ is satisfiable if and only if $(\ell, \mathbf{0}) \models \exists\theta\,\forall\Diamond_{=\theta}\, p$ for some designated location $\ell$.
There are two ideas behind the reduction. First we construct a linear bounded automaton $\mathcal{B}$ from the circuit $C$ such that, roughly speaking, the 3-CNF formula $\varphi_C$ is satisfiable if and only if there exists an integer $N$ such that, starting from a fixed initial configuration, all length-$N$ paths in the configuration graph of $\mathcal{B}$ end in a configuration labelled $p$. The second part of the reduction is to encode the configuration graph of $\mathcal{B}$ as the configuration graph of a timed automaton $\mathcal{A}$.
We construct $\mathcal{B}$ such that its number of control states is polynomial in the size of $C$, and we fix an initial tape configuration of $\mathcal{B}$ whose length is likewise bounded by a polynomial in the size of $C$. We designate certain transitions of $\mathcal{B}$ as $\checkmark$-transitions. In every computation of $\mathcal{B}$, the sequence of steps between the $i$-th and $(i+1)$-st $\checkmark$-transition, for $i \in \mathbb{N}$, is referred to as the $i$-th phase of the computation. We design $\mathcal{B}$ so that the number of steps in the $i$-th phase is independent of the nondeterministic choices made along the run.
The definition of $\mathcal{B}$ is predicated on a numerical encoding of propositional valuations. Suppose that $x_1, \ldots, x_{2^n}$ are the variables occurring in $\varphi_C$, and write $p_1, \ldots, p_{2^n}$ for the first $2^n$ prime numbers in increasing order. Given a positive integer $N$, we obtain a Boolean valuation of $x_1, \ldots, x_{2^n}$ in which $x_j$ is false if, and only if, $N \bmod p_j = 0$. With this encoding in hand, we proceed to define $\mathcal{B}$:
1) In the first phase, $\mathcal{B}$ guesses three $n$-bit numbers $1 \le i_1, i_2, i_3 \le 2^n$ and a single $m$-bit number $1 \le j \le 2^m$ and writes them on its tape.
2) In the second phase, $\mathcal{B}$ computes the three prime numbers $p_{i_1}, p_{i_2}, p_{i_3}$ and writes them on its tape.
3) In the third phase, by simulating the circuit $C$, $\mathcal{B}$ determines whether the propositional variables $x_{i_1}, x_{i_2}, x_{i_3}$ appear in the $j$-th clause of $\varphi_C$, henceforth denoted $\psi_j$.
It remains to explain how from $\mathcal{B}$ one can define a timed automaton $\mathcal{A}$ whose configuration graph embeds the configuration graph of $\mathcal{B}$. The construction is adapted from the PSPACE-hardness proof for reachability in timed automata [1]. We refer to Appendix G of the full version [12] for details of this construction. In the end, the initial configuration $(\ell, \mathbf{0})$ of $\mathcal{A}$ satisfies $\exists\theta\,\forall\Diamond_{=\theta}\, p$ if and only if $\varphi_C$ is satisfiable.
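The two ingredients of the reduction, the succinct circuit representation of $\varphi_C$ and the prime-number encoding of valuations by a duration $N$, can be exercised on a small instance. The Python below is an added illustration and not code from the paper: the circuit `toy_circuit`, the least-significant-bit-first encoding of indices, the 0-based variable numbering, and the brute-force search over $N$ are our own assumptions. It expands a constructed succinct circuit into its $2^m$ clauses (each expansion costs $2^n$ circuit evaluations, the exponential blow-up the hardness rests on), decodes a duration $N$ into a valuation via the first $2^n$ primes and encodes a valuation back into an $N$, and searches for the smallest $N$ under which every clause holds, i.e. the witness for "there exists $\theta$ such that all runs are in a $p$-state at time $\theta$"; a direct enumeration of valuations cross-checks the answer.

```python
"""Toy model of the SUCCINCT 3-SAT reduction (added illustration, not the
paper's code): a succinct circuit C describes a 3-CNF with 2^n variables and
2^m clauses, a duration N encodes a valuation through the first 2^n primes,
and phi_C is satisfiable iff some N makes every clause true."""
from itertools import count, product
from math import prod

# 2-bit output of C, as in the text: how variable i occurs in clause j.
ABSENT, POSITIVE, NEGATIVE = (0, 0), (0, 1), (1, 0)


def to_bits(x, width):
    """Binary encoding, least-significant bit first (our convention)."""
    return tuple((x >> k) & 1 for k in range(width))


def from_bits(bits):
    return sum(b << k for k, b in enumerate(bits))


def toy_circuit(i_bits, j_bits):
    """Constructed stand-in for an input circuit C (assumption, not from the
    paper).  Clause j is over variables s, s+1, s+2 (mod 2^n) with s = j // 8,
    and its k-th literal is positive iff bit k of j is set."""
    n = len(i_bits)
    i, j = from_bits(i_bits), from_bits(j_bits)
    s = j // 8
    for k in range(3):
        if (s + k) % 2 ** n == i:
            return POSITIVE if (j >> k) & 1 else NEGATIVE
    return ABSENT


def expand_clause(circuit, j, n, m):
    """Clause psi_j of phi_C as a list of (variable index, is_positive).
    This costs 2^n circuit evaluations: expanding the formula is exponential
    in the size of C, which is exactly where the hardness comes from."""
    lits = []
    for i in range(2 ** n):
        out = circuit(to_bits(i, n), to_bits(j, m))
        if out != ABSENT:
            lits.append((i, out == POSITIVE))
    return lits


def first_primes(k):
    """The first k primes p_1 < ... < p_k, by trial division."""
    primes = []
    for c in count(2):
        if all(c % p for p in primes):
            primes.append(c)
            if len(primes) == k:
                return primes


def valuation_of(N, primes):
    """The paper's encoding: variable j is false iff N mod p_j = 0."""
    return [N % p != 0 for p in primes]


def encode_valuation(vals, primes):
    """Inverse direction: N = product of the primes of the false variables
    (N = 1 when every variable is true).  Distinct primes never divide one
    another, so the true variables decode as true again."""
    return prod(p for p, v in zip(primes, vals) if not v)


def clause_holds(lits, vals):
    return any(vals[i] == positive for i, positive in lits)


def synchronising_duration(circuit, n, m):
    """Smallest N whose decoded valuation satisfies every clause, i.e. the
    duration theta at which every nondeterministic branch of B reads p;
    None when phi_C is unsatisfiable.  N ranges up to prod(primes), which
    reaches every subset of primes and hence every one of the 2^(2^n)
    valuations, so the search is exhaustive."""
    primes = first_primes(2 ** n)
    clauses = [expand_clause(circuit, j, n, m) for j in range(2 ** m)]
    for N in range(1, prod(primes) + 1):
        vals = valuation_of(N, primes)
        if all(clause_holds(c, vals) for c in clauses):
            return N
    return None


def satisfiable_by_enumeration(circuit, n, m):
    """Independent cross-check: try all 2^(2^n) valuations directly."""
    clauses = [expand_clause(circuit, j, n, m) for j in range(2 ** m)]
    return any(all(clause_holds(c, vals) for c in clauses)
               for vals in product([False, True], repeat=2 ** n))


if __name__ == "__main__":
    for n, m in [(2, 2), (2, 3)]:
        N = synchronising_duration(toy_circuit, n, m)
        sat = satisfiable_by_enumeration(toy_circuit, n, m)
        print(f"n={n} m={m}: synchronising N={N}, satisfiable={sat}")
```

On the constructed circuit with $n = 2$ and $m = 2$ the four clauses all contain the negative literal of the third variable, so the smallest witness is $N = 5$, the prime carrying that variable; with $m = 3$ the eight clauses run through every sign pattern over the same three variables, no valuation survives, and no $N$ exists, matching the enumeration.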
VI. CONCLUSION
We have given a new proof of the result of Comon and Jurski that the reachability relation of a timed automaton is definable in linear arithmetic. In addition to making the result more accessible, our main motivations in revisiting this result concerned potential applications and generalisations. With regard to applications, we have already put the new proof to work in deriving complexity bounds for model checking the reachability fragment of parametric TCTL. In future work we would like to see whether ideas from this paper can be applied to give a more fine-grained analysis of extensions of timed automata, such as timed games and priced timed automata.
We claim that a finer analysis of the complexity of our decision procedure for model checking PTRL yields membership of the problem in the complexity class $\mathrm{STA}(*, 2^{O(n)}, n)$, i.e., the class of languages accepted by alternating Turing machines running in time $2^{O(n)}$ and making at most $n$ alternations on an input of length $n$. This improved upper bound follows from a refinement of the statement of Proposition 2, on the complexity of the decision problem for the mixed linear arithmetic used there, to state that the truth of a prenex-form sentence of size $n$ with $k$ quantifier alternations can be decided by a polynomial-time alternating Turing machine making at most $k$ alternations.
We claim also that our NEXPTIME-hardness result can be strengthened to match the new upper bound. The idea here would be to reduce a version of SUCCINCT 3-SAT with quantifier alternation to model checking PTRL formulas of the form $Q_1\theta_1 \ldots Q_k\theta_k\, \forall\Diamond_{=\theta_1} \ldots \forall\Diamond_{=\theta_k}\, p$, for $Q_1, \ldots, Q_k$ a sequence of quantifiers with $k$ alternations.
Details of the improved upper and lower complexity bound will appear in a subsequent version of this paper.
