A uniform approach to the complexity and analysis of succinct systems by Peter, Hans-Jörg
A Uniform Approach to the Complexity
and Analysis of Succinct Systems
Dissertation submitted for the degree of Doctor of Natural Sciences of the Faculties of Natural Sciences and Technology of Saarland University (Universität des Saarlandes)
Hans-Jörg Peter
Saarbrücken, 2012
Date of the colloquium: 2 November 2012
Dean: Prof. Dr. Mark Groves
Examination board
Chair: Prof. Dr. Christoph Weidenbach
Reviewers: Prof. Bernd Finkbeiner, Ph.D.
Prof. Jean-François Raskin, Ph.D.
Oded Maler, Ph.D.
Academic assessor: Björn Brandenburg, Ph.D.
To my parents Gertrud and Michael

Abstract
This thesis provides a unifying view on the succinctness of systems: the capability of a modeling formalism to describe the behavior of a system of exponential size using a polynomial syntax.
The key theoretical contribution is the introduction of sequential circuit machines as a new universal computation model that focuses on succinctness as the central aspect. The thesis demonstrates that many well-known modeling formalisms such as communicating state machines, linear-time temporal logic, or timed automata exhibit an immediate connection to this machine model. Once a (syntactic) connection is established, many complexity bounds for structurally restricted sequential circuit machines can be transferred to a certain formalism in a uniform manner. As a consequence, besides a far-reaching unification of independent lines of research, we are also able to provide matching complexity bounds for various analysis problems, whose complexities were not known so far. For example, we establish matching lower and upper bounds of the small witness problem and several variants of the bounded synthesis problem for timed automata, a particularly important succinct modeling formalism.
Also for timed automata, our complexity-theoretic analysis leads to the identification of tractable fragments of the timed synthesis problem under partial observability. Specifically, we identify timed controller synthesis based on discrete or template-based controllers to be equivalent to model checking. Based on this discovery, we develop a new model checking-based algorithm to efficiently find feasible template instantiations.
From a more practical perspective, this thesis also studies the preservation of succinctness in analysis algorithms using symbolic data structures. While efficient techniques exist for specific forms of succinctness considered in isolation, we present a general approach based on abstraction refinement to combine off-the-shelf symbolic data structures. In particular, for handling the combination of concurrency and quantitative timing behavior in networks of timed automata, we report on the tool Synthia which combines binary decision diagrams with difference bound matrices. In a comparison with the timed model checker Uppaal and the timed game solver Uppaal-Tiga running on standard benchmarks from the timed model checking and synthesis domain, respectively, the experimental results clearly demonstrate the effectiveness of our new approach.
Zusammenfassung (German abstract)
This dissertation provides a unifying view on the succinctness of systems: the capability of a modeling formalism to describe the behavior of a system of exponential size with polynomial syntax.
The essential theoretical contribution is the introduction of sequential circuit machines as a new universal computation model that concentrates on the central aspect of succinctness. The dissertation demonstrates that many well-known modeling formalisms, such as communicating state machines, linear-time temporal logic (LTL), or timed automata, exhibit a direct connection to this machine model. Once a (syntactic) connection is established, many complexity bounds for structurally restricted sequential circuit machines can be adopted uniformly for a particular formalism. Besides a far-reaching unification of independent lines of research, numerous complexity bounds for analysis problems can also be established whose exact complexity was not known before. For example, matching lower and upper bounds of the small witness problem and of several variants of the synthesis problem for controllers of bounded size are proven for timed automata.
The theoretical analysis uncovers fragments of lower complexity of the partially informed synthesis problem for timed automata. In particular, it is shown that the timed synthesis problem for discrete or template-based controllers is equivalent to the model checking problem. Based on this insight, a novel model checking-based algorithm for the efficient synthesis of valid template instantiations is developed.
The practical contribution of the dissertation investigates the preservation of succinctness in analysis algorithms through the use of symbolic data structures. A general approach for combining standard data structures is presented, each of which could previously only be used in isolation. In particular, for the analysis of networks of timed automata the tool Synthia is presented, which combines binary decision diagrams with difference bound matrices. In an experimental comparison with the tools Uppaal and Uppaal-Tiga, the effectiveness of the new approach is clearly demonstrated.
Acknowledgments
First of all, I want to express my deepest gratitude to my supervisor Bernd Finkbeiner. As a mentor, his ongoing encouragement was the driving force behind my research. As a colleague, his dedication to professionalism and perfection was my guiding maxim. As a friend, his advice was and will be invaluable to me.
I had the privilege to conduct my research in a very supportive and inspiring environment. Foremost, I want to thank the former and current members of the Reactive Systems Group at Saarland University, Jérôme Creci, Rayna Dimitrova, Klaus Dräger, Rüdiger Ehlers, Peter Faymonville, Michael Gerke, Lars Kuhtz, Andrey Kupriyanov, Markus Rabe, Christa Schäfer, Sven Schewe, and Hazem Torfah.
I am also happy that I had the opportunity to work with a number of remarkable people, such as Werner Damm, Alexandre David, Daniel Fass, Holger Hermanns, Robert Mattmüller, Linh Thi Xuan Phan, Andreas Podelski, Jan Rakow, Christoph Scholl, Tobe Toben, and Bernd Westphal, to only mention a few.
I am honored that Jean-François Raskin and Oded Maler joined my thesis committee and reviewed this thesis. I am grateful for their valuable comments.
Furthermore, I want to thank the German Research Foundation (DFG) as part of the AVACS project as well as the International Max Planck Research School for Computer Science (IMPRS-CS) for funding my research.
Many people outside academic computer science influenced this thesis. First of all, I am deeply grateful for the inspiration and love that I found in Barbara. Thank you for being part of my life! I cannot express in words my gratitude to my family, Gertrud, Michael, and Henrike, for their unconditional support and the values they taught me. I also want to thank Renate, Harald, and Christian Breunig for their valuable advice and the great time we had together. Finally, I am happy to have good friends on whom I can always rely, such as Martin Bauer, Karsten Koller, Christian Krauß, Stefan Mann, Benjamin Ripperger, Stephan Sandvoss, and Oliver Welsch.
Thank you!
Contents
1 Introduction (p. 1)
  1.1 Succinct Systems (p. 1)
  1.2 The Complexity of Explicit Systems (p. 4)
  1.3 A Uniform Approach to Succinctness (p. 5)
  1.4 Succinctness and Nondeterminism (p. 6)
  1.5 Combined Succinctness (p. 7)
  1.6 Relation to Other Works (p. 8)
  1.7 Publications (p. 9)
  1.8 Structure of the Thesis (p. 10)
I Sequential Circuit Machines (p. 13)
2 Preliminaries (p. 15)
  2.1 General Notations and Basic Definitions (p. 15)
  2.2 Boolean Functions and Combinatorial Circuits (p. 16)
    2.2.1 Boolean Functions (p. 16)
    2.2.2 Combinatorial Circuits (p. 17)
  2.3 Turing Machines and Complexity Classes (p. 18)
    2.3.1 Turing Machines (p. 18)
    2.3.2 Complexity Classes (p. 19)
  2.4 Two-Player Games (p. 21)
    2.4.1 Game Arenas (p. 22)
    2.4.2 Views and Strategies (p. 22)
    2.4.3 Model Checking and Synthesis (p. 24)
3 Succinctness Signatures and Sequential Circuit Machines (p. 29)
  3.1 A Succinct View on Complexity (p. 29)
  3.2 Succinctness Signatures (p. 30)
  3.3 Sequential Circuit Machines (p. 33)
    3.3.1 Syntax (p. 33)
    3.3.2 Semantics (p. 34)
    3.3.3 Completeness (p. 34)
  3.4 Succinct Circuit Representations (p. 36)
  3.5 Bibliographic Remarks (p. 38)
4 The Computational Power of Sequential Circuit Machines (p. 43)
  4.1 Reductions between Sequential Circuit Machines (p. 43)
  4.2 Reductions from and to Turing Machines (p. 45)
    4.2.1 Machines without Universal Memory (p. 45)
    4.2.2 Machines with Unbounded Existential Memory (p. 47)
    4.2.3 Machines with Bounded Existential Memory (p. 53)
  4.3 Succinctness Unifies Space and Time (p. 57)
5 The Ubiquity of Sequential Circuit Machines (p. 61)
  5.1 Communicating State Machines (p. 62)
    5.1.1 Definition (p. 62)
    5.1.2 Controller Synthesis (p. 64)
    5.1.3 Complexity Analysis (p. 66)
    5.1.4 Bibliographic Remarks (p. 71)
  5.2 Linear-time Temporal Logic (p. 71)
    5.2.1 Definition (p. 71)
    5.2.2 Satisfiability (p. 73)
    5.2.3 Complexity Analysis (p. 75)
    5.2.4 Bibliographic Remarks (p. 77)
  5.3 Further Succinct Formalisms (p. 77)
II The Succinctness of Timed Automata (p. 81)
6 Controllable Timed Automata (p. 83)
  6.1 Syntax (p. 83)
    6.1.1 Granularity and Constraints (p. 83)
    6.1.2 Timed Automata (p. 84)
    6.1.3 Networks (p. 85)
  6.2 Infinite Semantics (p. 86)
    6.2.1 Timed States and Transitions (p. 86)
    6.2.2 Infinite Game Arena (p. 87)
  6.3 Controller Synthesis (p. 88)
    6.3.1 Plants and Controllers (p. 88)
    6.3.2 Problem Definition (p. 88)
  6.4 Finite Semantics (p. 89)
    6.4.1 The Region Abstraction (p. 89)
    6.4.2 Finite Game Arena (p. 91)
    6.4.3 A Game-Theoretic Solution to Controller Synthesis (p. 92)
7 The Complexity of Timed Controller Synthesis (p. 93)
  7.1 Using Clocks to Represent Bits (p. 93)
    7.1.1 Unary Encoding of Constants (p. 94)
    7.1.2 Binary Encoding of Constants (p. 94)
  7.2 Timed Automata and SCMs (p. 97)
  7.3 Complexity Analysis (p. 102)
    7.3.1 Model Checking (p. 102)
    7.3.2 Control with Full Observability (p. 102)
    7.3.3 Control with Partial Observability (p. 103)
    7.3.4 Discrete Controllers (p. 106)
  7.4 Bibliographic Remarks (p. 109)
8 Template-based Timed Controller Synthesis (p. 111)
  8.1 Template Types (p. 111)
  8.2 Definition and Complexity (p. 113)
  8.3 Symbolic Parameter Synthesis (p. 115)
    8.3.1 Precise Computation of the Feasible Instantiations (p. 115)
    8.3.2 The Focus Abstraction (p. 116)
    8.3.3 Abstraction Refinement (p. 119)
    8.3.4 Towards an Efficient Implementation (p. 121)
  8.4 Bibliographic Remarks (p. 122)
9 Combined-Symbolic Analysis of Timed Systems (p. 123)
  9.1 The Combined Succinctness of Timed Automata (p. 124)
  9.2 Combining Symbolic Data Structures (p. 125)
    9.2.1 Overview (p. 126)
    9.2.2 Representing the Edge Relation (p. 126)
    9.2.3 Syntactic Abstractions of Timed Automata (p. 127)
    9.2.4 Computing the Reachable States (p. 128)
    9.2.5 Local Refinement (p. 131)
    9.2.6 Abstraction Refinement (p. 132)
    9.2.7 Optimizations (p. 133)
  9.3 Bibliographic Remarks (p. 135)
10 Experimental Evaluation (p. 137)
  10.1 Efficiency Considerations (p. 137)
    10.1.1 Bad Cases (p. 137)
    10.1.2 Good Cases (p. 138)
  10.2 The Tool Synthia (p. 139)
    10.2.1 Availability and Usage (p. 139)
    10.2.2 Implementation Details (p. 140)
  10.3 Model Checking (p. 141)
    10.3.1 Benchmarks (p. 141)
    10.3.2 Results (p. 142)
  10.4 Template-based Synthesis (p. 149)
    10.4.1 Benchmarks (p. 149)
    10.4.2 Results (p. 151)
11 Conclusion and Outlook (p. 153)
  11.1 Conclusion (p. 153)
  11.2 Outlook (p. 154)
Chapter 1
Introduction
1.1 Succinct Systems
In the last decades, as system designs have become increasingly more complex, the need for computer-aided analysis techniques arose. At the same time, the practically available computing power reached a level where novel algorithmic techniques enabled the automated reasoning about formally specified systems. An important milestone was the introduction of model checking [Clarke and Emerson, 1981, Queille and Sifakis, 1982], a verification technique that automatically checks whether a given system satisfies a specification.
The initial enthusiasm was soon dampened by the discovery of the state explosion problem: Despite the indisputable algorithmic simplicity of model checking, for even the most technically elaborate approaches (based on, e.g., symbolic techniques [Burch et al., 1992, Clarke et al., 2001a] or abstraction refinement [Clarke et al., 2003]), some instances of some model classes persistently caused an exponential blow-up in the time and space complexity. As a sobering insight, it turned out that this blow-up is inherent for almost all interesting analysis problems for systems whose instances are based on formalisms that allow the succinct specification of exponentially large state spaces.
However, the usefulness of automatic analysis techniques such as model checking becomes apparent especially when succinct systems are under investigation, whose manual verification represents a nontrivial task. In the last decades, various modeling formalisms were introduced to succinctly describe the behavior of systems. Three prominent examples of such formalisms are communicating state machines, propositional planning tasks, and timed automata.¹ While each formalism extends finite state machines differently (i.e., by introducing concurrency, propositions, or clocks, respectively), in principle, their models compactly describe systems with an exponential number of states.
¹ These serve as motivating examples in this introduction, but they are also discussed in more detail later in the thesis.
After their introduction, for each formalism, independent lines of research emerged aiming to deepen the understanding of the particular succinctness that is specific to the formalism, ranging from establishing worst-case complexity bounds to the development of efficient analysis algorithms and data structures. However, in the vast majority of the works that can be found in the literature, the unifying aspect of succinctness was ignored: From a theoretical point of view, the inherent exponential blow-ups in the worst-case complexities of the main analysis problems were established for each formalism individually. Figure 1.1 shows, by way of example, the situation for the reachability and alternating reachability problem.
By continuing these lines of research in isolation, we could devise individual results for other problems of interest, each exploiting the particular succinctness of the respective formalism. However, it would be much more desirable to have a deeper understanding of succinctness in general; to have a technique that captures the succinctness of a given modeling formalism, and that can then be used to uniformly provide algorithmic insights for many analysis problems.
In order to achieve this goal, we have to treat succinctness as the key aspect of modeling formalisms; we need to develop a methodology that can be used to identify the degree of succinctness of a particular analysis problem.
Contribution of this thesis. The main contribution of this thesis is to provide a unifying view on the succinctness of systems. In particular, we have the following key contributions.
• The key theoretical contribution is the introduction of sequential circuit machines, a new universal computation model that focuses on succinctness as the central aspect. We will demonstrate that many well-known modeling formalisms exhibit an immediate connection to this new machine model. Once a (syntactic) connection is established, many complexity bounds for structurally restricted sequential circuit machines can be transferred to a specific formalism in a uniform manner.
• As a consequence, besides a far-reaching unification of independent lines of research, we are also able to provide matching complexity bounds for various analysis problems, whose complexities were not known so far. For example, we establish matching lower and upper bounds of the small witness problem and several variants of the bounded synthesis problem for timed automata, a particularly important succinct modeling formalism.
Figure 1.1: The complexity of the reachability and alternating reachability problem for three succinct modeling formalisms. Each panel starts from the explicit case (reachability: NLogSpace [Jones, 1975]; +alternation: PTime [Immerman, 1981]) and shows the blow-up caused by the formalism's form of succinctness.
(a) Communicating state machines: +concurrency: PSpace [Harel et al., 1997]; +concurrency+alternation: ExpTime [Harel et al., 1997].
(b) Propositional planning tasks: +propositions: PSpace [Bylander, 1994]; +propositions+alternation: ExpTime [Littman, 1997].
(c) Timed automata: +clocks: PSpace [Alur et al., 1990]; +clocks+alternation: ExpTime [Henzinger and Kopke, 1999].
• Also for timed automata, our complexity-theoretic analysis leads to the identification of tractable fragments of the timed synthesis problem under partial observability. Specifically, we identify timed controller synthesis based on discrete or template-based controllers to be equivalent to model checking. Based on this discovery, we develop a new model checking-based algorithm to efficiently find feasible template instantiations.
• From a more practical perspective, this thesis also studies the preservation of succinctness in analysis algorithms using symbolic data structures. While efficient techniques exist for specific forms of succinctness considered in isolation, we present a general approach based on abstraction refinement to combine off-the-shelf symbolic data structures. In particular, for handling the combination of concurrency and quantitative timing behavior in networks of timed automata, we report on the tool Synthia which combines binary decision diagrams with difference bound matrices. In a comparison with the timed model checker Uppaal and the timed game solver Uppaal-Tiga running on standard benchmarks from the timed model checking and synthesis domain, respectively, the experimental results clearly demonstrate the effectiveness of our new approach.
1.2 The Complexity of Explicit Systems
In theoretical computer science, the worst-case complexity of a problem is defined in terms of the least computational power needed to solve its hardest instances. This notion is usually formalized as a restriction imposed on the resources of an underlying universal machine model. The oldest and still most important such machine model is the Turing machine, originally introduced by Alan M. Turing in a groundbreaking paper [Turing, 1937] laying down the very foundations of computer science.
A Turing machine is a simple computation device that reads an input, given as a binary string, and either halts eventually or diverges forever. Each machine is supplemented with a (bounded or unbounded) work tape representing a general purpose memory that can sequentially be accessed in a read/write manner. Turing machines are regarded as the canonical universal computation model in the sense that, for a given amount of resources (e.g., maximum running time or memory consumption), there is no other formalism that strictly possesses more computational power – also known as the Church-Turing Hypothesis.
The main purpose of Turing machines is to unify the various syntactic flavors of programming languages and, more generally, to capture the essence of sequential random access machines satisfying the von Neumann Property: At each instant only a bounded amount of activity can occur.
It is therefore no surprise that in the definition of the model, the behavior of a concrete machine is specified as a collection of instructions defining which action (i.e., change of state and manipulation of the memory) has to be executed when the machine is in a particular configuration. Hereby, the execution of an instruction may only depend on the current state of the machine and the single memory cell that is currently selected. The effect of an instruction also may only affect the current state and the current memory cell.
1.3 A Uniform Approach to Succinctness
Explicit formalisms such as the Turing machine are perfect for unifying sequential computation models. However, they appear to be inappropriate to capture the succinctness of modeling formalisms: Reductions from the halting problem for resource-bounded Turing machines to a particular analysis problem for a succinct modeling formalism usually require nontrivial constructions exploiting the succinctness of the formalism to cause an exponential blow-up in the space consumption or running time of the Turing machine. For example, in the results depicted in Figure 1.1, each PSpace or ExpTime hardness proof is based on a technically involved simulation of a nondeterministic/alternating Turing machine. The question arises whether we can come up with a universal computation model which is better suited to capture the succinctness of systems.
As a starting point for our investigation, we recall the line of research on problems defined on succinctly specified graphs that was started by Galperin and Wigderson [1983] (see Section 3.5 on Page 38 for detailed bibliographic remarks). Under the assumption that problem instances are given as Boolean circuits, in these works, a general lifting technique was developed to upgrade hardness proofs for explicitly (i.e., nonsuccinctly) given instances to the exponentially harder succinct case.
Unfortunately, one cannot directly apply that lifting technique to a succinct computation model such as timed automata: Succinct modeling formalisms only indirectly (using, e.g., clocks, propositions, concurrency, etc.) describe graphs of exponential size through their semantics, while the lifting technique assumes that the entire problem instance is already given succinctly. In fact, modeling formalisms often combine different forms of succinctness. For example, the discrete behavior of timed automata is described using an explicitly given control structure, while the timed behavior can be succinctly defined using clock variables.
In essence, on the one hand, we have Turing machines capturing the sequential, state-based aspect of computation models, but failing to reflect the succinctness in the specification of complex systems. On the other hand, we have combinatorial (i.e., nonpersisting) Boolean circuits as a generalization of succinctness. The key theoretical contribution of this thesis is to introduce sequential circuit machines as a new universal computation model that combines Turing machines with Boolean circuits. Instead of a tape, a sequential circuit machine uses read/write registers to represent its memory. Instead of an explicitly given transition function, the behavior of a sequential circuit machine is defined as a Boolean circuit. In the step-wise execution of a machine, the new values of the registers are computed by the Boolean circuit that reads the old values of the registers. Analogously to Turing machines, the notion of halting is defined in terms of the reachability of a dedicated configuration.
As we will see later in this thesis, many well-known modeling formalisms have an immediate correspondence with sequential circuit machines. On the one hand, this results in an immediate unification of many (so far unrelated) complexity results that can be found in the literature. On the other hand, once a result is established for sequential circuit machines in general, it can easily be transferred to all formalisms proven to be equivalent. For example, in this manner, we are able to establish the complexities for important analysis problems on timed automata (such as the small witness problem or various variants of the bounded synthesis problem), which were open until now.
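To make the machine model concrete, the following Python interpreter is an added example written for this page, not code from the thesis: it represents the Boolean circuit as a gate list (an assumed format), lets the circuit read freely chosen input bits in each step as a simple stand-in for the existential nondeterminism discussed in Section 1.4, and decides halting by an explicit breadth-first search for the dedicated halting configuration. The counter machine it builds shows the succinctness gap directly: 2n gates describe a state space of 2^n configurations.

```python
from collections import deque
from itertools import product
from typing import Dict, List, Set, Tuple

# A combinational circuit as a gate list: wire name -> (operator, operand wires).
# Leaves (register and input names) are supplied at evaluation time.
# Supported operators: "not", "and", "or", "xor" (assumed format, not the thesis's).
Circuit = Dict[str, Tuple[str, Tuple[str, ...]]]
Config = Tuple[bool, ...]


def eval_circuit(circuit: Circuit, leaves: Dict[str, bool]) -> Dict[str, bool]:
    """Evaluate every wire of an acyclic circuit by memoised recursion."""
    values = dict(leaves)

    def wire(name: str) -> bool:
        if name in values:
            return values[name]
        op, ins = circuit[name]
        args = [wire(i) for i in ins]
        if op == "not":
            result = not args[0]
        elif op == "and":
            result = all(args)
        elif op == "or":
            result = any(args)
        elif op == "xor":
            result = sum(args) % 2 == 1
        else:
            raise ValueError(f"unknown gate {op!r}")
        values[name] = result
        return result

    for name in circuit:
        wire(name)
    return values


class SCM:
    """Sequential circuit machine: the registers hold the configuration; in
    every step the circuit reads the old register values (plus freely chosen
    input bits, modelling existential nondeterminism) and produces the new
    register values."""

    def __init__(self, registers: List[str], inputs: List[str],
                 circuit: Circuit, next_of: Dict[str, str]) -> None:
        self.registers = registers      # register names, fixing the config order
        self.inputs = inputs            # nondeterministically chosen bits per step
        self.circuit = circuit
        self.next_of = next_of          # register -> wire holding its next value

    def successors(self, config: Config) -> Set[Config]:
        """All configurations reachable in one step, one per input choice."""
        succ: Set[Config] = set()
        for choice in product([False, True], repeat=len(self.inputs)):
            leaves = dict(zip(self.registers, config))
            leaves.update(zip(self.inputs, choice))
            values = eval_circuit(self.circuit, leaves)
            succ.add(tuple(values[self.next_of[r]] for r in self.registers))
        return succ

    def reaches(self, init: Config, halt: Config) -> Tuple[bool, int, int]:
        """Explicit breadth-first search for the dedicated halting configuration.
        Returns (reachable, shortest number of steps or -1, configs explored)."""
        seen = {init}
        frontier = deque([(init, 0)])
        while frontier:
            config, depth = frontier.popleft()
            if config == halt:
                return True, depth, len(seen)
            for nxt in self.successors(config):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, depth + 1))
        return False, -1, len(seen)


def counter_scm(n: int) -> SCM:
    """Constructed example machine: an n-bit binary counter that increments
    exactly when the input bit `inc` is chosen. The ripple-carry circuit has
    2n gates, while the explicit state space has 2**n configurations."""
    regs = [f"r{i}" for i in range(n)]
    circuit: Circuit = {}
    carry = "inc"                       # carry into bit 0 is the input bit
    for i, r in enumerate(regs):
        circuit[f"n{i}"] = ("xor", (r, carry))       # new value of bit i
        circuit[f"c{i + 1}"] = ("and", (r, carry))   # carry into bit i+1
        carry = f"c{i + 1}"
    next_of = {r: f"n{i}" for i, r in enumerate(regs)}
    return SCM(regs, ["inc"], circuit, next_of)


def succinctness_gap(n: int) -> Tuple[int, int, int]:
    """Syntax size versus semantics size for the n-bit counter:
    (gates in the circuit, configurations explored, steps to the all-ones halt)."""
    machine = counter_scm(n)
    reachable, steps, explored = machine.reaches((False,) * n, (True,) * n)
    assert reachable
    return len(machine.circuit), explored, steps


if __name__ == "__main__":
    for n in (3, 6, 10):
        gates, configs, steps = succinctness_gap(n)
        print(f"n={n}: {gates} gates describe {configs} configurations "
              f"(halt reached after {steps} steps)")
```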
1.4 Succinctness and Nondeterminism
Orthogonally to its succinctness, the complexity of an analysis problem also depends on the power of the existential and universal nondeterminism that is needed to solve the problem. That is, the increase in complexity due to the succinctness in the instance description depends on how these two fundamental types of nondeterminism actually make use of it.
As it turns out, by treating the succinctness aspect as a “first class citizen” in the underlying computation model, all major complexity classes² between LogSpace and 2ExpTime can be characterized in terms of the power that the existential and universal nondeterminism have at each step of the computation. Note that this is in contrast to the usual characterization based on Turing machines, where one restricts resources such as the maximum running time or memory consumption.
² which are precisely defined in Section 2.3.2 on Page 19
More precisely, in this thesis, we work out that every problem that is complete for a major complexity class can be precisely characterized by the following parameters.
(1) Degree of nondeterminism: the number of bits that the two types of nondeterminism can determine in each step;
(2) Precision of observability: the number of bits determined by the universal nondeterminism that can be observed by the existential nondeterminism;
(3) Amount of memory: the number of bits that can be used by the two types of nondeterminism to store information that can be recalled in subsequent steps.
A key strength of sequential circuit machines is their ability to precisely quantify the power of the existential and universal nondeterminism in this respect. In our new setting, it is therefore much simpler to study the impact of restricting the capabilities of a particular nondeterminism on the complexity. For example, we discover the general fact that bounding the memory available to the existential nondeterminism always dominates (complexity-wise) the impact of a bounded observability. In particular, in the context of controller synthesis for succinct systems, by assuming a unary bound on the size of the controller (which, as we will see, corresponds to a bound on the existential memory), every synthesis problem can be reduced to a model checking problem.
Based on this insight, for the important class of timed automata, we develop, by way of example, the template-based approach to controller synthesis, which represents the first efficient synthesis algorithm for timed controllers with partial observability. The key idea is to restrict the model space to the instantiations of a given template, represented as a timed automaton with parametric control structure. Due to this restriction, synthesis now boils down to a one-player search problem, which can be efficiently implemented as a symbolic model checking algorithm. Synthesis based on templates is thus significantly cheaper than standard synthesis and produces much simpler controllers.
1.5 Combined Succinctness
A theoretically optimal, yet practically inefficient, analysis algorithm for a certain class of succinct systems can easily be obtained by just applying a nonsuccinct version of the algorithm to the explicit enumeration of the exponentially large state space. However, despite the inherent theoretical blow-up in the analysis of succinct systems, an efficient algorithm would try to preserve the succinctness of the given model during the analysis as much as possible. A promising approach in that direction is the use of symbolic data structures and algorithms for representing and manipulating sets of (a potentially infinite number of) states.
In practice, certain techniques have been proven effective for specific forms of succinctness. For example, binary decision diagrams [Bryant, 1986] and difference bound matrices [Dill, 1989] are two symbolic data structures which, to a certain extent, nicely preserve the succinctness introduced by concurrency [Burch et al., 1992] or timing behavior [Alur, 1999], respectively. However, for models exhibiting two different forms of succinctness by, e.g., allowing both concurrency and timing behavior, a technique to combine symbolic data structures is needed. In particular, for timed automata, the development of such a technique has a long line of research (see Section 9.3 on Page 135 for detailed bibliographic remarks) and is still an active field of research and engineering.
This thesis presents a solution to this practical challenge in the form of a general approach for combining symbolic data structures, yielding promising experimental results. Based on the guiding principle to strictly keep the discrete and the continuous state information apart, the key idea of our approach is to use a data structure specialized for discrete state sets to produce a sequence of syntactic abstractions of the original model with increasing precision. For each abstraction, we apply standard analysis techniques based on a data structure specialized for continuous state sets to obtain an under- and an overapproximation of the precise analysis result (e.g., approximations of the set of reachable states). The approximations are used to (1) obtain refinements that increase the precision of the abstractions, and (2) identify irrelevant parts of the model that do not need to be analyzed.
1.6 Relation to Other Works
In the literature, a vast amount of work can be found in which only a par-
ticular aspect of succinctness is considered (e.g., the research on concurrent
systems, propositional planning, or timed automata). As already indicated
in Section 1.1, the majority of these works only consider succinctness in
a specific form (e.g., succinctness based on concurrency, clocks, or propo-
sitions). A systematic analysis that studies the fundamental properties of
succinctness or that treats succinctness as a unifying computational aspect,
to the best of the author’s knowledge, has not been published yet.
The unifying theory on succinctness that is presented in this thesis is
in the same spirit as the line of research on parallel computations. In the
1970s and 1980s, numerous formalisms were proposed to model computa-
tions that are able to execute steps in parallel. From a complexity-theoretic
point of view, for each formalism it was observed that parallel running time
corresponds to space consumption in a purely sequential, nonparallel setting.
The unification of these results was achieved by extending nondeterministic
Turing machines by a universal nondeterminism resulting in the alternating
Turing machine model [Chandra et al., 1981] (see Section 3.5 on Page 38 for
a detailed related work survey). This thesis can be seen as a further gen-
eralization of that seminal result, as parallelism is just a particular form of
succinctness. In fact, our new machine model, sequential circuit machines,
generalizes alternating Turing machines, as the power of the existential and
universal nondeterminism can now be quantified in a much more fine-grained
way (in terms of observability and number of controllable bits per step).
As already mentioned in Section 1.3, this thesis is inspired by the line
of research on succinctly specified graphs that was started by Galperin and
Wigderson [1983]. In those works, the underlying structure (i.e., the prob-
lem instance) is succinctly described, which leads to a symmetric increase
of the power of the existential and universal nondeterminism. As an exten-
sion of that line of research, this work provides a more detailed analysis on
succinctness that also considers an asymmetric increase of the power of the
two types of nondeterminism.
This thesis is also inspired by circuit complexity, a branch of computa-
tional complexity theory in which complexity classes are characterized by
the expressivity of a certain class of Boolean circuits. The classic theory
only focuses on succinctness in memoryless computations, as only circuit
classes without memory elements are considered. This thesis extends that
line of research by introducing sequential, state-based computations, which
are described by combinatorial circuits.
A different approach to computational complexity is represented by de-
scriptive complexity theory. Here, a complexity class is characterized by
the expressiveness of a certain logic needed to specify the problems in that
class. Descriptive complexity theory and the unifying theory of succinctness
developed in this thesis have in common that both view computational
complexity from a different (non-Turing-machine-based) perspective. They,
however, fundamentally differ with respect to that perspective.
From a more practical point of view, there has been a lot of research
concerning the development of symbolic algorithms and data structures for
the analysis of succinct systems. While efficient techniques exist for specific
forms of succinctness (see Section 9.3 on Page 135 for a detailed related work
survey), there is relatively little work on the treatment of combined forms
of succinctness. An exception is timed automata, where, in the last two
decades, several approaches were proposed to deal with both concurrency
and timing behavior. A convincing solution, however, has not been achieved
so far. This thesis also contributes in that research direction and provides
a general combination approach for off-the-shelf symbolic data structures
showing promising experimental results.
1.7 Publications
Material from this thesis has been published in the following works.
• Hans-Jörg Peter and Bernd Finkbeiner. The Complexity of
Bounded Synthesis for Timed Control with Partial Observ-
ability. Proceedings of the 10th International Conference on Formal
Modeling and Analysis of Timed Systems (FORMATS 2012).
• Bernd Finkbeiner and Hans-Jörg Peter. Template-based Con-
troller Synthesis for Timed Systems. Proceedings of the 18th
International Conference on Tools and Algorithms for the Construc-
tion and Analysis of Systems (TACAS 2012).
• Hans-Jörg Peter, Rüdiger Ehlers, and Robert Mattmüller. Synthia:
Verification and Synthesis for Timed Automata. Proceedings
of the 23rd International Conference on Computer Aided Verification
(CAV 2011).
• Rüdiger Ehlers, Daniel Fass, Michael Gerke, and Hans-Jörg Peter.
Fully Symbolic Timed Model Checking using Constraint Ma-
trix Diagrams. Proceedings of the 31st IEEE Real-Time Systems
Symposium (RTSS 2010).
• Rüdiger Ehlers, Michael Gerke, and Hans-Jörg Peter. Making the
Right Cut in Model Checking Data-Intensive Timed Systems.
Proceedings of the 11th International Conference on Formal Engineer-
ing Methods (ICFEM 2010).
• Rüdiger Ehlers, Robert Mattmüller, and Hans-Jörg Peter.
Combining Symbolic Representations for Solving Timed
Games. Proceedings of the 8th International Conference on Formal
Modelling and Analysis of Timed Systems (FORMATS 2010).
• Hans-Jörg Peter and Robert Mattmüller. Component-based Ab-
straction Refinement for Timed Controller Synthesis. Pro-
ceedings of the 30th IEEE Real-Time Systems Symposium (RTSS
2009).
1.8 Structure of the Thesis
The central theme of this thesis is the succinctness of systems. The general
style of writing is to start abstractly and to finish concretely.
Following this principle, Part I lays down the theoretical foundations
and formalizes the notion of succinctness by introducing sequential circuit
machines as an alternative to Turing machines. In particular, after recalling
the preliminaries in Chapter 2, Chapter 3 defines our new machine model to-
gether with its notion of completeness. Chapter 4 investigates equivalences
between different structural bounds on sequential circuit machines as well as
their relationship to Turing machines. This reveals that all major complex-
ity classes between LogSpace and 2ExpTime can now be characterized
in terms of syntactic restrictions on the new machine model. Chapter 5
demonstrates the applicability of our new model by connecting sequential
circuit machines to some well-known modeling formalisms from the litera-
ture, leading to a unification of so-far independent research directions.
Part II focuses on the timed automaton computation model, which, be-
sides its highly practical relevance, represents an interesting case to study
the combination of different forms of succinctness. In particular, after re-
calling the basic definitions of the timed automaton formalism in Chapter 6,
Chapter 7 establishes the connection to sequential circuit machines. Similar
to Chapter 5, this results in a drastic simplification of many complexity-
theoretic proofs for timed automata. Moreover, thanks to the connection to
sequential circuit machines, we are able to establish matching lower and up-
per complexity bounds for various timed synthesis problems, whose precise
complexity was unknown so far. In this context, we identify the subclass of
discrete controllers for timed plants as a tractable but still practically rele-
vant subproblem, leading to the template-based synthesis approach, which is
presented in Chapter 8. As a concrete enabling technique for template-based
synthesis and, more generally, to deal with orthogonal blow-ups induced by
different forms of succinctness, Chapter 9 presents a general combination
technique for symbolic data structures. Chapter 10 reports on an experi-
mental evaluation based on the tool Synthia.
The thesis concludes with a summary and an outlook in Chapter 11.
Part I
Sequential Circuit Machines
Chapter 2
Preliminaries
2.1 General Notations and Basic Definitions
General notations. When we write log(n), we always refer to the base 2
logarithm of n. For a set X, we write $2^X$ to refer to the power set of X.
To define a (partial or total) function f : X → Y, we use the notation
[x ↦ y | P(x)], where x ∈ X, y ∈ Y, and P(x) is a predicate over X. For an
object X, we define its cardinality (or, alternatively, its size or length) |X|.
For example, |X| refers to the sum of the cardinalities of the components if
X is a tuple, or to the sum of the cardinalities of the contained elements if X
is a set. If X is infinite, by abuse of notation, we write |X| = ∞.
A binary word (or just a word) is a sequence from {0, 1}∗. A binary
language (or just a language) is a set of words.
A class of functions $\mathcal{F}$ is an infinite set of functions of the form f :
N → N. If f ∈ $\mathcal{F}$ then we require that O(f) ⊆ $\mathcal{F}$. We say that $\mathcal{F}$ is
nondecreasing iff all its subsumed functions are nondecreasing. We define
the following important classes of functions:
\[
\mathcal{L} = O(\log n); \qquad \mathcal{P} = n^{O(1)}; \qquad \mathcal{E} = 2^{n^{O(1)}}
\]
Here, we use the notation O(log(n)) to refer to the class of functions of the
type f(n) = c · log(n), for some c ∈ N. Similarly, we write $n^{O(1)}$ to refer to
the set of all polynomials with variable n.
Directed graphs. A finite or infinite directed graph is a tuple G = (V,E),
where V is a finite or infinite set of nodes and E ⊆ V × V is a finite or
infinite edge relation. A path in G is a sequence of nodes from V of the form
v1, . . . , vn such that, for all 1 ≤ i < n, (vi, vi+1) ∈ E. We say that G is a
directed acyclic graph (or just call G a DAG, for short) iff in every path of
G, a particular node occurs at most once. We define the indegree or fan-in
of a node v ∈ V as in(v) = |{v′ | (v′, v) ∈ E}|, and the outdegree or fan-out
of v as out(v) = |{v′ | (v, v′) ∈ E}|.
Decision problems. A decision problem (or just a problem) P is a sen-
tence of the form “Does a property x hold for an object y?”, where x and y,
being mathematical objects, represent the input to P. For a given input i,
a decision problem P either yields yes or no, written as either P(i) = yes
or P(i) = no, respectively. A canonical representation for an input is its
binary encoding represented as a binary word. A decision problem is called
finite iff its input is finite.
Example 2.1.1. For a given directed graph G = (V,E), where V is a finite
set of nodes and E is represented as a set of pairs of nodes, an initial node
v0 ∈ V , and a bad node b ∈ V , the problem Unreachability is to decide
whether b is not reachable from v0 via the edges specified in E.
When we apply the notions introduced above to this example, we have
that the decision problem P = Unreachability and that the input is the
directed graph G, the initial node v0, and the bad node b. Hence, the size of
the input is |V| + |E| + 2.
2.2 Boolean Functions and Combinatorial Circuits
2.2.1 Boolean Functions
For a finite set of variables X, we write $\vec{X}$ to refer to the set of total functions
X → {false, true} that assign a Boolean value to each element in X. We
use 0 for false and 1 for true interchangeably. We write $\vec{x} = \vec{0}$ as an
abbreviation for $\forall x \in X : \vec{x}(x) = 0$. For a set X′ ⊆ X and a valuation
$\vec{x} \in \vec{X}$, we write $\vec{x}(X')$ to refer to the projected valuation $\vec{x}' \in \vec{X}'$ such that
$\vec{x}'(x) = \vec{x}(x)$ for all x ∈ X′. Similarly, for x ∈ X and b ∈ {false, true}, we
define $\vec{x}[x = b]$ to be the valuation $\vec{x}'$ such that
\[
\vec{x}'(x') = \begin{cases} b & \text{if } x' = x; \\ \vec{x}(x') & \text{otherwise.} \end{cases}
\]
A Boolean function over X is a total function f that maps a valuation
$\vec{x}$ from $\vec{X}$ to false or true. Syntactically, Boolean functions are composed
of the following subformulas:
\[
\mathit{false} \mid \mathit{true} \mid x \mid \neg x \mid f_1 \wedge \dots \wedge f_n \mid f_1 \vee \dots \vee f_n,
\]
where f_1, . . . , f_n are Boolean functions over X and x ∈ X. false and true
are called constants, subformulas of the form x and ¬x are called literals,
subformulas of the form f_1 ∧ . . . ∧ f_n are called conjunctions, and subformulas of
the form f_1 ∨ . . . ∨ f_n are called disjunctions. For two Boolean functions f and
g, we use f ⇒ g as an abbreviation for ¬f ∨ g, f ⇐ g as an abbreviation for
g ⇒ f, and f ⇔ g as an abbreviation for f ⇒ g ∧ g ⇒ f. Whenever we have
a formula of the form ¬(f_1 ∧ . . . ∧ f_n) or ¬(f_1 ∨ . . . ∨ f_n), we use De Morgan’s
law to push the negation inwards and obtain ¬f_1 ∨ . . . ∨ ¬f_n or ¬f_1 ∧ . . . ∧ ¬f_n,
respectively. For some x ∈ X and b ∈ {false, true}, we define f[x = b] to be
the Boolean function f′, for which we have $f'(\vec{x}) = f(\vec{x}[x = b])$. The size |f|
of a Boolean function f is the number of its subformulas. The alternation
depth of a Boolean function f is the maximal number of alternating nestings
of ∧ and ∨ operators. A Boolean formula f is in disjunctive normal form
(DNF) iff f is a disjunction with alternation depth 2. A Boolean formula f
is in conjunctive normal form (CNF) iff f is a conjunction with alternation
depth 2.
The formula DAG of a Boolean function f is defined as (G, L) = dag(f),
where G = (V, E) is a DAG and L : E ⇀ {x, ¬x | x ∈ X} is a partial func-
tion that labels some edges of G with literals. We define dag(f) inductively
as follows:
\[
\begin{aligned}
\mathrm{dag}(\mathit{false}) &:= \big( (\{v_0, \bot, \top\}, \{(v_0, \bot)\}),\ \emptyset \big); \\
\mathrm{dag}(\mathit{true}) &:= \big( (\{v_0, \bot, \top\}, \{(v_0, \top)\}),\ \emptyset \big); \\
\mathrm{dag}(x) &:= \big( (\{v_0, \bot, \top\}, \{(v_0, \top), (v_0, \bot)\}),\ [\,(v_0, \top) \mapsto x,\ (v_0, \bot) \mapsto \neg x\,] \big); \\
\mathrm{dag}(\neg x) &:= \big( (\{v_0, \bot, \top\}, \{(v_0, \top), (v_0, \bot)\}),\ [\,(v_0, \bot) \mapsto x,\ (v_0, \top) \mapsto \neg x\,] \big); \\
\mathrm{dag}(f_1 \wedge \dots \wedge f_n) &:= \mathrm{dag}(f_1) \mathbin{\top\!\!\to} \dots \mathbin{\top\!\!\to} \mathrm{dag}(f_n); \\
\mathrm{dag}(f_1 \vee \dots \vee f_n) &:= \mathrm{dag}(f_1) \mid \dots \mid \mathrm{dag}(f_n)
\end{aligned}
\]
Here, we use the notation $(G, L) \mathbin{\top\!\!\to} (G', L')$ to refer to the conjunctive com-
position of (G, L) and (G′, L′) such that all edges in G leading to G’s ⊤ node
are redirected to the unique root of G′. We use the notation (G, L) | (G′, L′)
to refer to the disjunctive composition of (G, L) and (G′, L′) such that the
root nodes of G and G′ are merged to a single root node. We define root(G)
to be the unique root of G, true(G) = ⊥, and false(G) = ⊤.
We will use Boolean functions as the most abstract form of a symbolic
representation for sets of binary words (e.g., for representing sets of discrete
states). A logarithmic encoding of a finite nonempty set Y is a set of Boolean
variables $\hat{Y}$ such that each element y ∈ Y is characterized by a valuation $\hat{y}$
over $\hat{Y}$. Note that $|\hat{Y}| = \lceil \log |Y| \rceil$. For a Boolean function f over $\hat{Y}$
and a variable $x \in \hat{Y}$, we write ∃x : f for f[x = 0] ∨ f[x = 1]. For a set of
variables $\{x_1, \dots, x_n\} = X \subseteq \hat{Y}$, we write ∃X : f for ∃x_1 : . . . ∃x_n : f.
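As an added illustration (not code from the thesis), the following Python encodes Boolean functions in exactly the syntax above and implements f[x = b], ∃X : f, |f|, the alternation depth, and the logarithmic encoding of a finite set; the six-element set and the subset it represents are constructed for this example.

```python
# Added example (not from the thesis): Boolean functions in the syntax of
# Section 2.2.1, with f[x = b], ∃X : f and the logarithmic encoding of a set.
import math
from itertools import product

# Syntax (negation normal form, as on the page):
#   ("const", bool) | ("lit", name, positive) | ("and", [f1..fn]) | ("or", [f1..fn])
CONST, LIT, AND, OR = "const", "lit", "and", "or"


def const(b):
    return (CONST, bool(b))


def lit(x, positive=True):
    return (LIT, x, positive)


def conj(*fs):
    return (AND, list(fs))


def disj(*fs):
    return (OR, list(fs))


def evaluate(f, val):
    """f(val) for a valuation val: variable name -> bool."""
    if f[0] == CONST:
        return f[1]
    if f[0] == LIT:
        return val[f[1]] if f[2] else not val[f[1]]
    if f[0] == AND:
        return all(evaluate(g, val) for g in f[1])
    return any(evaluate(g, val) for g in f[1])


def size(f):
    """|f|: the number of subformulas."""
    return 1 if f[0] in (CONST, LIT) else 1 + sum(size(g) for g in f[1])


def alternation_depth(f):
    """Maximal number of alternating nestings of ∧ and ∨; an operator nested
    directly below one of the same kind does not count as an alternation."""
    if f[0] in (CONST, LIT):
        return 0
    best = 1
    for g in f[1]:
        d = alternation_depth(g)
        best = max(best, d if g[0] == f[0] else 1 + d)
    return best


def is_dnf(f):
    """DNF: a disjunction with alternation depth 2."""
    return f[0] == OR and alternation_depth(f) == 2


def substitute(f, x, b):
    """f[x = b]: the function f' with f'(v) = f(v[x = b]), built syntactically."""
    if f[0] == CONST:
        return f
    if f[0] == LIT:
        return f if f[1] != x else const(b if f[2] else not b)
    return (f[0], [substitute(g, x, b) for g in f[1]])


def exists(f, variables):
    """∃X : f, i.e. ∃x1 : ... ∃xn : f with ∃x : f = f[x = 0] ∨ f[x = 1]."""
    for x in variables:
        f = disj(substitute(f, x, False), substitute(f, x, True))
    return f


def log_encoding(elements):
    """Logarithmic encoding of a finite nonempty set Y: ⌈log |Y|⌉ Boolean
    variables (the set Ŷ) and, for each y ∈ Y, its characterizing valuation ŷ."""
    elements = list(elements)
    nbits = math.ceil(math.log2(len(elements)))
    variables = [f"y{i}" for i in range(nbits)]
    codes = {y: dict(zip(variables, bits))
             for y, bits in zip(elements, product([False, True], repeat=nbits))}
    return variables, codes


def characteristic(subset, variables, codes):
    """The DNF over Ŷ that is true exactly on the codes of the elements of subset."""
    return disj(*[conj(*[lit(v, codes[y][v]) for v in variables]) for y in subset])


def decode(f, codes):
    """The elements whose code satisfies f: the set that f represents symbolically."""
    return {y for y, code in codes.items() if evaluate(f, code)}


# Constructed sample (not from the thesis): six positions, encoded with ⌈log 6⌉ = 3 bits.
POSITIONS = ["s0", "s1", "s2", "s3", "s4", "s5"]
VARS, CODES = log_encoding(POSITIONS)

if __name__ == "__main__":
    f = characteristic(["s2", "s4"], VARS, CODES)      # symbolic form of {s2, s4}
    print(decode(f, CODES), size(f), alternation_depth(f), is_dnf(f))
    print(decode(exists(f, ["y0"]), CODES))             # y0 projected away
```

Projecting away y0 merges the codes of s4 and s0, so the quantified function represents {s0, s2, s4}: the symbolic operation loses exactly the information carried by the eliminated bit.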
2.2.2 Combinatorial Circuits
A combinatorial circuit (or just a circuit) C is a tuple (V,E, I,O,G), where
(V,E) is a directed acyclic graph, I and O are finite sets containing the
names of the inputs and outputs of C, respectively, and G labels each node
with a gate type G : V → {AND, OR, NOT} ∪ I ∪ O. Here, we assume that
(I ∪ O) ∩ {AND, OR, NOT} = ∅. We always assume that for every node
v ∈ V, the following holds: (1) if G(v) ∈ I, then in(v) = 0 and out(v) > 0;
(2) if G(v) ∈ O, then in(v) = 1 and out(v) = 0; (3) otherwise (if v is an
internal gate), in(v) > 0 and out(v) > 0 (i.e., we allow an unbounded fan-in
for all internal gates). The size of C is defined as |C| = |V| + |E|. The
depth of C is the length of the longest path from an input to an output in
C.
It is easy to see that every Boolean function f over a set of variables X
can be transformed into a circuit $f^c$ of the same size and (alternation) depth
that reads from inputs X and writes to a single output, such that, for every
valuation $\vec{x} \in \vec{X}$, $f(\vec{x}) = \mathit{true}$ iff $f^c(\vec{x})$ computes 1. For the converse, we
introduce the following property. We say that a circuit C = (V, E, I, O, G) is
shared sub-circuit free (or just C is simple), iff, for every v ∈ V, if G(v) ∉ I ∪
O then out(v) = 1 (i.e., every gate, except inputs and outputs, is connected
to exactly one successor gate). By pushing the NOT gates in front of the
inputs (and dualizing the AND and OR gates), one can easily obtain |O|
equivalent Boolean functions $C_j : \vec{I} \to \{\mathit{false}, \mathit{true}\}$, 1 ≤ j ≤ |O|, such
that $|C_j| \le |C|$, depth($C_j$) ≤ depth(C), and, for a valuation $\vec{i} \in \vec{I}$, $C_j(\vec{i}) =$
true iff output j of C evaluates to 1 when the inputs are set to $\vec{i}$. Note
that, as we assume an unbounded fan-in, many important circuits (such as
incrementers, adders, comparators, multiplexers, etc.) can be represented
as simple circuits with a constant depth (i.e., a depth that is independent
of the number of inputs).
We say that a circuit C = (V,E, I,O,G) reads from some elements I ′ iff
I ′ ⊆ I. Analogously, C writes to some elements O′ iff O′ ⊆ O.
2.3 Turing Machines and Complexity Classes
We assume that the reader is familiar with the concept of Turing machines
and complexity classes [see, e.g., Papadimitriou, 1994]. However, in this
section, we define our syntactic variant of the Turing machine model that
we will use in the rest of the thesis, and recall the definition of important
complexity classes.
2.3.1 Turing Machines
Without loss of generality, we assume that our Turing machines have access
to a read-only input tape and a read/write work tape. Also, we assume a
binary tape alphabet (for both input and work tape). An alternating Turing
machine T is represented by a tuple (Q, q0, T, δ), where
• Q is a finite set of states,
• q0 ∈ Q is the initial state,
• T : Q → {D, E, A, Acc} is a total function that assigns a type to each
state, and
• δ : Q × {0, 1}² → S² is the transition function.
Here, S = Q × {0, 1}³ is the set of steps T can perform. A step
(q′, γ′, d_i, d_w) ∈ S defines the next state q′, the symbol γ′ that should be writ-
ten into the current work tape cell, and the directions d_i and d_w in which the
head of the input and work tape should move, respectively. For a state q ∈ Q
and an input and work symbol γ_i, γ_w ∈ {0, 1}, let δ(q, γ_i, γ_w) = (s_1, s_2), q_1
be the next state of s_1, and q_2 be the next state of s_2. Now, q is accepting
iff either
• T (q) = Acc,
• T (q) = D and q1 is accepting,
• T (q) = E and q1 or q2 is accepting, and
• T (q) = A and both q1 and q2 are accepting.
We distinguish between the following types of Turing machines: T is
• existential nondeterministic if T(q) ≠ A,
• universal nondeterministic if T(q) ≠ E, and
• deterministic if T(q) ≠ A and T(q) ≠ E,
for all q ∈ Q.
We say that T accepts a word w ∈ {0, 1}∗ if, and only if, q0 is accepting
while w is stored in the input tape of T . We say that T decides a lan-
guage L ⊆ {0, 1}∗ if, and only if, for every word w ∈ {0, 1}∗, T accepts w
iff w ∈ L. The running time is defined as the number of steps T performs.
The space consumption is defined as the number of work tape cells T uses
up.
2.3.2 Complexity Classes
In this subsection, we recall the classical definition of complexity classes that
can be characterized by Turing machines with resource bounds.
Formally, a complexity class is a set of binary languages. Let f(n) ≥
log(n) be a nondecreasing function. We define Time(f) as the complexity
class that exactly contains those languages that can be decided by a deter-
ministic Turing machine with running time O(f(n)), where n is the length of
the input. We define Space(f) as the complexity class that exactly contains
those languages that can be decided by a deterministic Turing machine with
space consumption O(f(n)), where n is the length of the input.
Depending on the underlying Turing machine type, we obtain the com-
plexity classes NTime and NSpace for existential nondeterministic (or just
nondeterministic) Turing machines, coNTime and coNSpace for universal
nondeterministic Turing machines¹, and ATime and ASpace for alternating
Turing machines.
In the following, when we write, e.g., Time($\mathcal{F}$), for a class of functions $\mathcal{F}$,
we mean $\bigcup \{\, \mathrm{Time}(f) \mid f \text{ is of type } \mathcal{F} \,\}$.
For the class of polynomial functions P and the class of exponential func-
tions E , we define the following important time-bounded complexity classes:
PTime = Time(P);
NPTime = NTime(P);
coNPTime = coNTime(P);
APTime = ATime(P);
ExpTime = Time(E);
NExpTime = NTime(E);
coNExpTime = coNTime(E);
AExpTime = ATime(E);
2ExpTime = Time(2E)
Also, for the class of logarithmic functions L, the class of polynomial func-
tions P, and the class of exponential functions E , we define the following
important space-bounded complexity classes:
LogSpace = Space(L);
NLogSpace = NSpace(L);
coNLogSpace = coNSpace(L);
ALogSpace = ASpace(L);
PSpace = Space(P);
NPSpace = NSpace(P);
coNPSpace = coNSpace(P);
APSpace = ASpace(P);
ExpSpace = Space(E);
NExpSpace = NSpace(E);
coNExpSpace = coNSpace(E);
AExpSpace = ASpace(E)
¹ Not to be confused with universal Turing machines that simulate other Turing
machines.
The scope of this thesis will focus solely on these classes, which we also call
major complexity classes.
The following relations are known (we refer to Papadimitriou [1994] for
a more detailed discussion):
LogSpace ⊆ NLogSpace = coNLogSpace ⊆ ALogSpace;
PTime ⊆ (co)NPTime ⊆ APTime;
PSpace = NPSpace = coNPSpace ⊆ APSpace;
ExpTime ⊆ (co)NExpTime ⊆ AExpTime;
ExpSpace = NExpSpace = coNExpSpace ⊆ AExpSpace
The equalities PSpace = NPSpace and ExpSpace = NExpSpace were
proven by Savitch [1970]. The NSpace = coNSpace equalities are due to
Szelepcsényi [1987] and Immerman [1988]. At the time this thesis is being
written, to the best of the author’s knowledge, none of the above inclusions
are proven to be strict.² However, due to the time and space hierarchy
theorems [Hartmanis and Stearns, 1965, Stearns et al., 1965], the following
strict inclusions are known:
PTime ⊊ ExpTime ⊊ 2ExpTime;
LogSpace ⊊ PSpace ⊊ ExpSpace
The following equalities are due to Chandra et al. [1981]:
ALogSpace = PTime;
APTime = PSpace;
APSpace = ExpTime;
AExpTime = ExpSpace;
AExpSpace = 2ExpTime
2.4 Two-Player Games
We use infinite two-player games to model the reactive interaction between
the existential and universal nondeterminism during a computation. We
refer to the players as E and A, respectively, and always assume that they
have complementary winning objectives. In general, we always assume that
games are determined (i.e., there can be no draw in a given game – one
player wins iff the other loses). For the purpose of this thesis, it suffices
to focus on reachability and safety winning objectives for the players. As
a notation, for a player p ∈ {E, A}, we write $\bar{p}$ to refer to the player in
{E, A} \ {p}.
² It is, however, common belief that all inclusions are strict.
2.4.1 Game Arenas
A game arena (or just an arena) A is a tuple (S_E, S_A, s_0, Σ_E, Σ_A, ∆), where
• S = S_E ⊎ S_A are the positions of the players,
• s_0 ∈ S is the initial position,
• Σ = Σ_E ⊎ Σ_A are the decisions of the players, and
• ∆ : ((S_E × Σ_E) ∪ (S_A × Σ_A)) ⇀ S is a partial function defining the
moves of the players.
We require both Σ_E and Σ_A to be nonempty. For a player p ∈ {E, A}, we say
that p is deterministic in A iff p can only play a single move, i.e., |∆_p| = 1.
We say that A is a p-arena iff p is deterministic in A. We say that A is a
one-player arena iff at least one player is deterministic in A. We say that
A is deterministic iff both players are deterministic in A. We call A infinite if
S ∪ Σ_E ∪ Σ_A is infinite, otherwise we call A finite.
A play π in A is a (finite or infinite) sequence of decisions of the form
$(d_i)_{i \in \mathbb{N}_{\ge 1}}$, where each d_i ∈ Σ. We write FinPlays(A) to refer to all finite
plays, and Plays(A) to refer to all (finite and infinite) plays in A. We define
the length of a play π, written as |π|, to be the number of decisions in the
finite sequence, or ∞ if π is infinite. We write π = ⊥, if |π| = 0. For a
finite play π and a decision d ∈ Σ, we use the notation π ◦ d to denote the
finite play that is the concatenation of π and d. We define the function
Pos : FinPlays → S to refer to the position that is reached after a given finite
play:
\[
\mathrm{Pos}(\pi) = \begin{cases} s_0 & \text{if } \pi = \bot; \\ s & \text{if } \pi' = \pi \circ d \text{ and } s = \Delta(\mathrm{Pos}(\pi'), d). \end{cases}
\]
2.4.2 Views and Strategies
For a Player p ∈ {E, A} and a game arena A = (S_E, S_A, s_0, Σ_E, Σ_A, ∆), a
view V for p on A is a tuple (Σ_obs, vis), where
• ∅ ≠ Σ_obs ⊆ $\Sigma_{\bar{p}}$ is a subset of decisions of the opponent defining the
observations of Player p and
• vis : $\Sigma_{\bar{p}}$ → (Σ_obs ⊎ {ε}) is a function that projects an opponent decision
to its corresponding observation or to a dedicated symbol ε represent-
ing a stuttering event.
A stuttering event is a decision played by $\bar{p}$ that is not perceivable by p. Note
that this is in contrast to other decisions played by $\bar{p}$ that are observable
but not necessarily distinguishable by p. Since we have turn-based games,
we require Σobs to contain at least one element to notify Player E when he
has to move.
Clearly, if Σ_obs = $\Sigma_{\bar{p}}$ and vis is the identity function, then we say that p
plays a game of complete information (alternatively, we also say that p has
full observability). If Σ_obs is a singleton (i.e., Σ_obs is finite and |Σ_obs| = 1),
we say that p plays a blindfold game (alternatively, we also say that p has no
observability). Otherwise, we say that p plays a private game (alternatively,
we also say that p has partial observability).
By abuse of notation, for a play π ∈ FinPlays(A), we define
\[
\mathrm{vis}(\pi) = \begin{cases} \bot & \text{if } \pi = \bot; \\ \mathrm{vis}(\pi') & \text{if } \pi' = \pi \circ d \text{ and } \mathrm{vis}(d) = \varepsilon; \\ \mathrm{vis}(\pi') \circ \mathrm{vis}(d) & \text{if } \pi' = \pi \circ d \text{ and } \mathrm{vis}(d) \neq \varepsilon. \end{cases}
\]
A function f : FinPlays(A) → Σ_p is called a strategy for Player p in
A iff for any finite play π we have that if s = Pos(π) ∈ S_p then ∃s′ : s′ =
∆_p(s, f(π)). We say that f respects a view V = (Σ_obs, vis), written as f ⊨ V,
iff f does not distinguish between unobservable decisions: for all finite plays
π_1, π_2 ∈ FinPlays(A),
if vis(π_1) = vis(π_2) then f(π_1) = f(π_2).
The set of all strategies for a player p in A is defined as $\mathcal{F}^p_{\mathcal{A}}$.
We use Mealy machines as the standard representation for strategies.
Formally, a Mealy machine M is a tuple (Q, q0,ΣA,ΣE, T ) consisting of
• a set of states Q,
• an initial state q0 ∈ Q,
• a set of input actions ΣA,
• a set of output actions ΣE, and
• a partial function T : Q×ΣA ⇀ Q×ΣE defining the transitions of the
machine.
Assuming M represents a strategy for E, intuitively, in each round of a play,
after A made his decision, T is executed to query the next decision for E and
the target state for M . The size of a strategy (or, alternatively, the amount
of memory of a strategy) f is defined as |f | = |Q|, where Q is the set of
states of the smallest (in terms of states) Mealy machine representation of
f .
2.4.3 Model Checking and Synthesis
The semantics of a game arena A = (S_E, S_A, s_0, Σ_E, Σ_A, ∆) is defined in
terms of the possible plays that arise in the interplay between the two play-
ers. For a strategy $f_e \in \mathcal{F}^E_{\mathcal{A}}$ and a strategy $f_a \in \mathcal{F}^A_{\mathcal{A}}$, we define the outcome
as the unique play that arises when Player E sticks to f_e and Player A sticks
to f_a:
\[
\mathrm{Outcome}_{\mathcal{A}}(f_e, f_a) = \big\{\, \pi \in \mathrm{Plays}(\mathcal{A}) \mid \forall 1 \le i < |\pi| : \pi[i+1] = \delta(\pi[1..i], f_e, f_a) \,\big\}
\]
where
\[
\delta(\pi, f_e, f_a) = \begin{cases} f_e(\pi) & \text{if } \mathrm{Pos}(\pi) \in S_E; \\ f_a(\pi) & \text{if } \mathrm{Pos}(\pi) \in S_A. \end{cases}
\]
We define the set of traces of A as the set of all possible plays:
\[
\mathrm{Traces}(\mathcal{A}) = \bigcup_{f_e \in \mathcal{F}^E_{\mathcal{A}},\ f_a \in \mathcal{F}^A_{\mathcal{A}}} \mathrm{Outcome}_{\mathcal{A}}(f_e, f_a)
\]
If A is a p-arena, for a player p ∈ {E, A}, by abuse of notation, we also
write $\mathrm{Outcome}_{\mathcal{A}}(f)$ for an $f \in \mathcal{F}^p_{\mathcal{A}}$. We borrow some notations from CTL
model checking [Clarke and Emerson, 1981] and define, for a bound β ∈
N ∪ {∞} on the size of the strategy and a set of positions X ⊆ S,
\[
\begin{aligned}
\mathcal{A} \models_\beta \mathrm{EF}(X) &:\Longleftrightarrow \exists f \in \mathcal{F}^p_{\mathcal{A}} : (\beta = \infty \vee |f| \le \beta) \wedge \exists i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f)[1..i]) \in X; \\
\mathcal{A} \models_\beta \mathrm{EG}(X) &:\Longleftrightarrow \exists f \in \mathcal{F}^p_{\mathcal{A}} : (\beta = \infty \vee |f| \le \beta) \wedge \forall i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f)[1..i]) \in X; \\
\mathcal{A} \models_\beta \mathrm{AF}(X) &:\Longleftrightarrow \forall f \in \mathcal{F}^p_{\mathcal{A}} : (\beta = \infty \vee |f| \le \beta) \wedge \exists i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f)[1..i]) \in X; \\
\mathcal{A} \models_\beta \mathrm{AG}(X) &:\Longleftrightarrow \forall f \in \mathcal{F}^p_{\mathcal{A}} : (\beta = \infty \vee |f| \le \beta) \wedge \forall i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f)[1..i]) \in X.
\end{aligned}
\]
For a one-player arena A, a set of positions X ⊆ S, and a property ϕ of the
form EF, EG, AF, or AG, we call problems deciding whether $\mathcal{A} \models_\infty \varphi(X)$
ϕ-model checking problems. For an additionally specified bound β ∈ N, we
call problems deciding whether $\mathcal{A} \models_\beta \varphi(X)$ ϕ-small witness problems.
[Figure 2.1: Example one-player game arena with initial position s_0 and bad
position s_2. Positions s_0 to s_5; decisions a, b, and c.]
Example 2.4.1. Figure 2.1 shows an example one-player game arena with
initial position s_0. Let s_2 be a dedicated bad position. The decisions are a,
b, and c.
A witness of size 3 for EG({s_2}) is $a(bc)^\omega$ and is shown in Figure 2.2(a).
However, the smallest witness is $(ac)^\omega$ and is shown in Figure 2.2(b).
[Figure 2.2: Witnesses for EG({s_2}) for the game arena shown in Figure 2.1.
(a) Witness of size 3 (decisions a, b, c). (b) Witness of size 2 (decisions a, c).]
Assuming a two-player setting, for a view V for Player E, a bound β ∈
N ∪ {∞} on the size of the strategy for Player E, and a set of positions
X ⊆ S, we define
\[
\begin{aligned}
\mathcal{A} \models^\beta_{\mathcal{V}} \mathrm{Enforce}(X) &:\Longleftrightarrow \exists f_e \in \mathcal{F}^E_{\mathcal{A}} : f_e \models \mathcal{V} \wedge (\beta = \infty \vee |f_e| \le \beta) \wedge \forall f_a \in \mathcal{F}^A_{\mathcal{A}}\ \exists i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f_e, f_a)[1..i]) \in X; \\
\mathcal{A} \models^\beta_{\mathcal{V}} \mathrm{Avoid}(X) &:\Longleftrightarrow \exists f_e \in \mathcal{F}^E_{\mathcal{A}} : f_e \models \mathcal{V} \wedge (\beta = \infty \vee |f_e| \le \beta) \wedge \forall f_a \in \mathcal{F}^A_{\mathcal{A}}\ \forall i \ge 1 : \mathrm{Pos}(\mathrm{Outcome}_{\mathcal{A}}(f_e, f_a)[1..i]) \notin X.
\end{aligned}
\]
For a two-player arena A, a view V for Player E, and a set of positions X ⊆ S,
we call problems deciding whether $\mathcal{A} \models^\infty_{\mathcal{V}} \mathrm{Enforce}(X)$ reachability synthesis
problems, and problems deciding whether $\mathcal{A} \models^\infty_{\mathcal{V}} \mathrm{Avoid}(X)$ safety synthesis
problems. For an additionally specified bound β ∈ N, we call problems
deciding whether $\mathcal{A} \models^\beta_{\mathcal{V}} \mathrm{Enforce}(X)$ or $\mathcal{A} \models^\beta_{\mathcal{V}} \mathrm{Avoid}(X)$ bounded reachability
synthesis problems or bounded safety synthesis problems, respectively.
Finally, a safety game G is a tuple (A, B,V, β) consisting of
• a game arena A = (SE, SA, s0,ΣE,ΣA,∆),
• a set of bad or losing positions B ⊆ S,
• a view V = (Σobs, vis) for Player E on A, and
• a bound β ∈ N∪{∞} on the size of the feasible strategies for Player E.
We say that G is finite iff A is finite. We say that Player E wins G iff
$\mathcal{A} \models^\beta_{\mathcal{V}} \mathrm{Avoid}(B)$.
Example 2.4.2. Figure 2.3 shows an example safety game with initial posi-
tion s0 and bad position s2. The positions of the Players E and A are drawn
as circles and squares, respectively. The decisions of E are e1, e2 and e3,
and the decisions of A are a1 and a2.
Player A has a winning strategy (that enforces a play to s2) from posi-
tions s4 and s5. However, assuming full observability, Player E can win the
game by playing one of the strategies shown in Figures 2.4(a) and 2.4(b).
Assuming a blindfold game, where Player E can only observe when it is her
turn, represented by the decision τ , she can still win by playing the strategy
shown in Figure 2.4(c).
[Figure 2.3: Example safety game with initial position s_0 and bad position s_2.
The positions of the Players E and A are drawn as circles and squares,
respectively. Positions s_0 to s_7; decisions e_1, e_2, e_3 of E and a_1, a_2 of A.]
a1/e1
a2/e2
a1/e1
(a) Winning strategy with two states.
a1/e1
a2/e2
a1/e2
(b) Alternative winning strategy.
τ/e1
(c) Blindfold winning strategy.
Figure 2.4: Winning strategies for E represented as Mealy machines for the
game shown in Figure 2.3.
Chapter 3
Succinctness Signatures and Sequential Circuit Machines
In this chapter, we develop our new universal computation model for succinct
systems.
We start in Section 3.1 with a fundamental consideration of how decision
problems can be characterized according to their succinctness. Then, in
Section 3.2, we formalize these considerations by introducing succinctness
signatures, which serve as a uniform notion for comparing the succinctness
of problems. Section 3.3 represents the main part of this chapter, where we
introduce sequential circuit machines as the canonical computation model
for succinctness signatures. In that section, we also define the divergence
problem, the decision problem whether a dedicated state of a given sequential
circuit machine is unreachable, as the canonical complete decision problem
for a class of succinctness signatures. Section 3.4 gives sufficient conditions
under which a given safety game can be represented as a divergence problem. The
chapter finishes with an overview on the related work in Section 3.5.
3.1 A Succinct View on Complexity
The purpose of the classical Turing machine model is to capture the essence
of sequential computations that only access a constant (i.e., independent
of the size of the input) number of state bits at each step. In succinct
computations, on the other hand, the number of state bits being accessed
at each step varies with the size of the input.
Hence, when going from Turing machines to a computation model that
captures the essence of succinct computations, the question arises whether
the resource restrictions that were used for Turing machines to characterize
complexity classes are still meaningful in the succinct case. For example, the
running times (i.e., the number of steps) in the succinct world can be much
smaller than the ones in the explicit world, as succinct computations can
modify many bits at once, in contrast to explicit computations. We
thus arrive at the question of which restrictions are meaningful in the succinct
world.
In this section, we give an answer to that question. It turns out that the
expressivity of succinct computations highly depends on the power that the
existential and universal nondeterminism have at each step of the computa-
tion.
We make this claim more precise by switching to a game-based inter-
pretation: In a turn-based safety game between Player A and Player E, we
identify the following capabilities of a particular player p ∈ {E,A}:
(1) Degree of nondeterminism: number of bits p can determine in each
round of the game;
(2) Precision of observability: number of bits determined by p in each round
that are observable by p;
(3) Amount of memory: number of bits p can use in each round to store
information that can be recalled in later rounds.
By capabilities of a game, we refer to the capabilities of the two players. We
can now state our (yet informal) central claim:
By seeing the instances of a decision problem P as games, we
can classify P according to the capabilities of its games.
One might ask whether our selection of these three kinds
of capabilities is reasonable. As we will demonstrate later in Section 4.2,
this is indeed the case: We will prove that any decision problem that is
complete for a major complexity class can be characterized by a certain
class of capability-restricted games.
Moreover, as we will show in Chapters 5 and 7, it turns out that this
classification also perfectly captures well-known modeling and specification
formalisms such as concurrent state machines, linear-time temporal logic,
one-safe Petri nets, or timed automata.
3.2 Succinctness Signatures
This section introduces basic notions that serve as basis for characterizing
decision problems and complexity classes in terms of restrictions imposed
on the capabilities of the existential and the universal nondeterminism.
The instance signature σ of some finite decision problem P and an input
x for P, written as σ = sig(P, x), is represented by a tuple (N,M), where
N characterizes the amount of (existential and universal) nondeterminism
and M characterizes the amount of memory available to the two types of
nondeterminism that are needed to solve P on x. More precisely, N is a
tuple $(n_E, n^E_A, n_A)$, where
• $n_E \in \mathbb{N}$ specifies the number of bits controlled by the existential nondeterminism in one step,
• $n_A \in \mathbb{N}$ specifies the number of bits controlled by the universal nondeterminism in one step, and
• $n^E_A \in \mathbb{N} \cup \{\infty\}$ specifies the number of bits determined by the universal nondeterminism in one step that are visible to the existential nondeterminism.
The memory characterization M is a tuple $(m_E, m_A)$, where
• $m_E \in \mathbb{N} \cup \{\infty\}$ specifies the number of bits that can be used by the existential nondeterminism to store information that can be used later, and
• $m_A \in \mathbb{N}$ specifies the number of bits that can be used by the universal nondeterminism to store information.
If $n^E_A = \infty$ then the existential nondeterminism can observe all decisions of
the universal nondeterminism. If $m_E = \infty$ then the existential nondeterminism
has an unbounded amount of memory available. For an instance
signature $\sigma = ((n_E, n^E_A, n_A), (m_E, m_A))$, as a shorthand, we define
\[
\log(\sigma) = \big( (\lceil \log n_E \rceil, \lceil \log n^E_A \rceil, \lceil \log n_A \rceil), (\lceil \log m_E \rceil, \lceil \log m_A \rceil) \big)
\]
and
\[
O(\sigma) = \big( (O(n_E), O(n^E_A), O(n_A)), (O(m_E), O(m_A)) \big),
\]
where, by abuse of notation, we define $\lceil \log \infty \rceil = O(\infty) = \infty$.
A succinctness signature σ̂ is a tuple ((a, b, c), (d, e)) comprising five
nondecreasing functions a, c, e : N → N and b, d ∈ (N → N) ∪ {∞}. The
restriction of a decision problem P to σ̂, written as $P_{\hat\sigma}$, is defined as the
decision problem P′ that accepts only inputs x for which sig(P, x) = σ̂(n),
where n = |x| and σ̂(n) is defined as ((a(n), b(n), c(n)), (d(n), e(n))).
A signature class is a set of succinctness signatures. For the definition
of signature classes, we introduce the C-notation, which is defined as follows.
Let each of a, b, c, d, e represent a class of functions, a constant, or ∞.
Then, we write C((a, b, c), (d, e)) to refer to the smallest set that contains all
succinctness signatures that can be obtained by instantiating the individual
functions. For example, when we write C((L, P, 42), (∞, P)), we actually
mean the signature class
\[
\big\{\, ((O(\log n),\, n^{O(1)},\, 42),\, (\infty,\, n^{O(1)})) \,\big\}.
\]
For convenience, we define L∞ = L ∪ {∞} and P∞ = P ∪ {∞}.
A signature class C induces a complexity class: we then implicitly refer to
the set of binary encodings of those inputs x, for which there exists a decision
problem P and a succinctness signature σ̂ ∈ C such that sig(P, x) = σ̂(|x|)
and P(x) = yes. In the rest of this thesis, whenever we relate a signature
class to a (Turing machine-based) complexity class, we assume this implicit
notion. Table 3.1 summarizes the notions of signatures introduced in this
section.

Table 3.1: Overview on the notions of signatures and what they characterize.
• Instance signature: characterizes a problem together with an input. Example: "Is the node v unreachable from the initial node v0 in the directed graph G?"
• Succinctness signature: characterizes a problem. Example: Unreachability for explicitly represented directed graphs.
• Signature class: characterizes a complexity class. Example: C((L, 0, 0), (∞, L)), corresponding to NLogSpace.
The following example gives an intuition how succinctness signatures
and decision problems correlate. In the remainder of this chapter, we will
make the connection precise.
Example 3.2.1. Recall the problem Unreachability from Example 2.1.1.
For a given directed graph G = (V, E), where E is represented as an
adjacency matrix such that $|E| = |V|^2$, an initial node $v_0 \in V$, and a bad
node b ∈ V, Unreachability can be solved by iteratively letting the universal
nondeterminism guess a sequence of adjacent nodes, starting in $v_0$, until b is
reached, and reporting that no such sequence exists otherwise [Jones, 1975].
Since we have no alternation and G is given explicitly (i.e., each node
in V can be represented using a logarithmic number of bits), a candidate
for an appropriate definition of sig(Unreachability, x), for a given input
$x = ((V, E), v_0, b)$, is
\[
((0, 0, \lceil \log |E| \rceil), (0, \lceil \log |V| \rceil)) = ((0, 0, 2\lceil \log |V| \rceil), (0, \lceil \log |V| \rceil)).
\]
We can hence conjecture that an appropriate succinctness signature for Un-
reachability is O((0, 0, log n), (0, log n)). Furthermore, we can also con-
jecture that Unreachability is complete for C((0, 0,L), (0,L)) (i.e., all
problems in C((0, 0,L), (0,L)) can be reduced to Unreachability and vice
versa).
In the next section, we will introduce the canonical computation model
for succinctness signatures and formally define its notion of completeness.
3.3 Sequential Circuit Machines
In this section, we present sequential circuit machines as the canonical com-
putation model for succinctness signatures. Just as the reachability (i.e.,
halting) problem for resource-bounded Turing machines characterizes com-
plexity classes, we will use the co-reachability (i.e., divergence) problem for
sequential circuit machines to characterize signature classes.
3.3.1 Syntax
A sequential circuit machine S is a tuple $(\sigma, C_A)$ represented in unary, comprising
an instance signature $\sigma = ((n_E, n^E_A, n_A), (m_E, m_A))$ and a combinatorial
circuit $C_A$ such that
(1) $C_A$ reads from the circuit elements
• $N_A = \{N^i_A \mid 1 \le i \le n_A\}$,
• $N_E = \{N^i_E \mid 1 \le i \le n_E\}$,
• $M_A = \{M^i_A \mid 1 \le i \le m_A\}$, and
(2) $C_A$ writes to $M_A$ and a dedicated output h signaling whether S reached
a halting configuration.
We also call σ the resources of S. Thus, $C_A$ computes a Boolean function
$C_A : \vec{N}_E \times \vec{N}_A \times \vec{M}_A \to \vec{M}_A \times \{0, 1\}$. The size of S is defined as $|S| = |C_A|$.
We say that S is of type σ̂ if, and only if, for each n ∈ N, we have that
if $|C_A| = n$ then σ = σ̂(n) and $\mathrm{depth}(C_A) = O(1)$. The structure of a
sequential circuit machine is shown in Figure 3.1.
Figure 3.1 (diagram not reproduced): Structure of a sequential circuit machine.
The circuit $C_E$ with its memory $M_E$ reads the visible part $N^E_A$ of the
nondeterministic inputs $N_A$ and drives $N_E$; the circuit $C_A$ with its memory $M_A$
reads $N_A$ and $N_E$ and produces the output h.
3.3.2 Semantics
Intuitively, a machine S = (σ,CA) is executed together with a combinatorial
circuit CE in a sequential manner. In each cycle of the execution, first, values
for the inputs NA are nondeterministically chosen. Then, CE is executed and
produces values for the circuit elements NE, which, in turn, are read by CA
as inputs. The execution of $C_E$ may only depend on the subset $N^E_A$ of $N_A$.
After that, CA is executed and produces a value for the output h. Both
CE and CA are equipped with a read/write private memory ME and MA,
respectively, from which they can recall information from earlier execution
cycles.
We say that S halts iff there exists a $C_E$ with inputs $N^E_A \cup M_E$ and
outputs $N_E \cup M_E$ such that $C_A$, controlled by $C_E$ via $N_E$, always reaches
a halting configuration (i.e., a configuration where CA computes a 1 for
output h). Dually, we say that S diverges iff there exists a CE that controls
CA such that no halting configuration is ever reached. In the following, we
will formalize this informal description.
The semantics of a machine $S = (((n_E, n^E_A, n_A), (m_E, m_A)), C_A)$ is formally
defined as a finite game arena $[\![S]\!] = (S_E, S_A, s_0, \Sigma_E, \Sigma_A, \Delta)$, where
• $S_E = \{E\} \times \vec{M}_A \times \vec{N}_A$,
• $S_A = \{A\} \times \vec{M}_A \times \{0, 1\}$,
• $s_0 = (A, \vec{0}, 0)$,
• $\Sigma_E = \vec{N}_E$,
• $\Sigma_A = \vec{N}_A$,
• $\Delta((E, (\vec{m}_a, \vec{n}_a)), \vec{n}_e) = (A, C_A(\vec{n}_e, \vec{n}_a, \vec{m}_a))$, and
• $\Delta((A, (\vec{m}_a, h)), \vec{n}_a) = (E, (\vec{m}_a, \vec{n}_a))$.
The set of halting states is defined as
\[
\mathrm{Halt}(S) = \{A\} \times \vec{M}_A \times \{1\}.
\]
3.3.3 Completeness
We now define the divergence problem for sequential circuit machines (i.e.,
deciding the unreachability of a configuration) as the canonical decision
problem that characterizes completeness for signature classes. As we will
show in Section 4.1 in more detail, we could have equivalently chosen the
halting problem (i.e., deciding the reachability of a configuration) as the
canonical decision problem. However, for the purpose of this thesis, regard-
ing the satisfiability and synthesis problems for succinct formalisms, whose
complexity we are going to analyze in Chapters 5 and 7, choosing divergence
over halting represents the more appropriate choice.
We define S ′ = S[CE ← C,ME ← M ] as the nonalternating sequential
circuit machine that is obtained by replacing the existential nondeterminism
in S with the concretely given combinatorial circuit C, which uses the private
memory M . More precisely, S ′ is obtained by integrating C into CA and M
into MA such that C deterministically generates values that are fed into the
original CA via the original NE. Figure 3.2 shows such a composed machine.
Figure 3.2 (diagram not reproduced): For a given sequential circuit machine S and a circuit C with private
memory M, the figure shows the structure of the composed sequential circuit
machine $S' = S[C_E \leftarrow C, M_E \leftarrow M]$, in which C and M take the place of
$C_E$ and $M_E$ and feed $C_A$ (with memory $M_A$ and output h) via $N_E$.
Definition 3.3.1. For a sequential circuit machine S given in unary, the
problem Diverging is to decide whether there exists a combinatorial circuit
C with private memory M and $|M| \le m_E$ such that $S' = S[C_E \leftarrow C, M_E \leftarrow M]$
and $[\![S']\!] \models \mathbf{AG}\,\neg\mathrm{Halt}(S')$.
Theorem 3.3.2. For a sequential circuit machine $S = (\sigma, C_A)$ given in
unary with $\sigma = ((n_E, n^E_A, n_A), (m_E, m_A))$, Diverging(S) = yes iff Player E
wins $([\![S]\!], \mathrm{Halt}(S), V_S, m_E)$, where $V_S = (\vec{N}^E_A, \mathrm{vis})$ with $\mathrm{vis}(\vec{n}_a) := \vec{n}_a(N^E_A)$.
Proof. We show that a winning strategy $f_E$ for Player E can be transformed
into a circuit C with private memory M and $|M| \le m_E$ such that
$S' = S[C_E \leftarrow C, M_E \leftarrow M]$ and $[\![S']\!] \models \mathbf{AG}\,\neg\mathrm{Halt}(S')$, and vice versa. The
rest of the claim then easily follows from the definition of (the constituent
components of) $([\![S]\!], \mathrm{Halt}(S), V_S, m_E)$.
Assume we have a winning strategy $f_E \models V_S$ for Player E with existential
memory bound $m_E$. Let $(Q, q_0, \Sigma_A, \Sigma_E, T)$ be the Mealy machine representing
$f_E$ with $\Sigma_A = \vec{N}^E_A$ and $\Sigma_E = \vec{N}_E$. If $m_E \ne \infty$, we have $|Q| \le 2^{m_E}$. We
choose M to be the logarithmic encoding of Q. Then, we can construct C as
a composition of Boolean functions, each determining the value of a particular
bit of M and the output of T depending on the bits encoding the current
state and the input representing the current observation. Since $f_E$ respects
the (potentially partial) view on $[\![S]\!]$, it is safe to ignore all unobservable
bits in the construction of C.
For the other direction, we assume that there is a circuit C with private
memory M and $|M| \le m_E$ such that $S' = S[C_E \leftarrow C, M_E \leftarrow M]$ and
$[\![S']\!] \models \mathbf{AG}\,\neg\mathrm{Halt}(S')$. Based on that, a winning strategy for E is implicitly
given by the truth table of C seen as a Boolean function.
For any given succinctness signature σ̂, we define Diverging, restricted to
machines of type σ̂, to be the most general problem for that signature.
Definition 3.3.3. A decision problem P is complete for a signature class C
if, and only if, for every succinctness signature σ̂ in C, $\mathrm{Diverging}_{\hat\sigma}$ and P
are LogSpace-reducible to each other.
Recall that $\mathrm{Diverging}_{\hat\sigma}$ is the restriction of Diverging to machines of
type σ̂.
Example 3.3.4. Unreachability from Example 2.1.1 is complete for
C((0, 0, L), (0, L)):
For a succinctness signature σ̂ ∈ C((0, 0, L), (0, L)), the reduction from
$\mathrm{Diverging}_{\hat\sigma}$ to Unreachability is just the application of Unreachability
to the explicitly represented directed graph (which is of polynomial
size) that is given by the semantics (i.e., the single-player game arena) of
the input of Diverging.
The reduction from Unreachability to $\mathrm{Diverging}_{\hat\sigma}$ follows directly
from the fact that one can easily encode Jones's algorithm [Jones, 1975] as
a sequential circuit machine with a logarithmic amount of universal memory
and universal nondeterminism. For this purpose, observe that one can
encode the explicitly given edge relation of the directed graph, which is the
input to Unreachability, as a DNF, resulting in a combinatorial circuit
of polynomial size and constant depth (recall that our circuits may have
unbounded fan-in).
3.4 Succinct Circuit Representations
This section provides a technique to transform finite safety games with cer-
tain properties into sequential circuit machines. It will prove useful in es-
tablishing upper complexity bounds.
A finite safety game (A, B, V, β) allows a succinct circuit representation,
where $\mathcal{A} = (S_E, S_A, s_0, \Sigma_E, \Sigma_A, \Delta)$ and $V = (\Sigma_{obs}, \mathrm{vis})$, if it satisfies the
following properties:
(1) There is a logarithmic encoding $\widehat{(\cdot)}$ of the positions $S_E$ and $S_A$, and the
decisions $\Sigma_E$ and $\Sigma_A$.
(2) The move function ∆ can be represented as a simple combinatorial circuit
representing a function $\Delta^c : \widehat{S} \times \widehat{\Sigma} \to \{0, 1\} \times \widehat{S}$ such that for
any $s, s' \in S_p$ and $a \in \Sigma_p$, $\Delta^c$ outputs $(1, \widehat{s'})$ if ∆(s, a) is defined to
be s′, or $\Delta^c$ outputs $(0, \vec{x})$ for some arbitrary valuation $\vec{x}$, otherwise.
We furthermore require that the size of $\Delta^c$ is at most polynomial in
|Σ| · log |S| while its depth is constant.
(3) B can be equivalently described as a simple combinatorial circuit $B^c :
\widehat{S} \to \{0, 1\}$ such that, for any s ∈ S, $B^c(\widehat{s}) = 1$ iff s ∈ B. We
furthermore require that the size of $B^c$ is at most polynomial in log |S|
while its depth is constant.
(4) V can be equivalently described as a subset of the variables (i.e., the
bits) of $\widehat{\Sigma_A}$.
As we will see later in Chapters 5 and 7 of this thesis, many well-known
modeling formalisms, whose semantics is defined in terms of game arenas,
indeed allow succinct circuit representations.
The following lemma will prove useful in establishing that a succinctly
representable finite safety game can always be transformed into a sequential
circuit machine of polynomial size and logarithmic resources.
Lemma 3.4.1. For a finite safety game G = (A, B, V, β) that allows a
succinct circuit representation, where $\mathcal{A} = (S_E, S_A, s_0, \Sigma_E, \Sigma_A, \Delta)$ and $V =
(\Sigma_{obs}, \mathrm{vis})$, one can construct in Space(log |G|) a sequential circuit machine
$S = (\sigma, C_A)$ such that |S| is polynomial in |G|,
\[
\sigma = \big( (\lceil \log |\Sigma_E| \rceil, \lceil \log |\Sigma_{obs}| \rceil, \lceil \log |\Sigma_A| \rceil), (\beta, O(\log |S|)) \big),
\]
and Player E wins G iff Diverging(S) = yes.
Proof. We construct $S = (((n_E, n^E_A, n_A), (m_E, m_A)), C_A)$ in the following
way. The existential and universal choices in A correspond to the existential
and universal guessing bits in S, i.e., $n_E = |\widehat{\Sigma_E}| = \lceil \log |\Sigma_E| \rceil$ and
$n_A = |\widehat{\Sigma_A}| = \lceil \log |\Sigma_A| \rceil$. In case that Player E has partial (or no)
observability we choose $n^E_A = |\widehat{\Sigma_{obs}}|$, otherwise we choose $n^E_A = |\widehat{\Sigma_A}|$. Here,
recall that, by definition, V can be represented as a subset of the bits for
representing a decision of A. We use the universal memory of S to represent the
current game position in $S = S_E \cup S_A$, as well as a state counter that ranges
from 0 to |S| − 1, i.e., $m_A = |\widehat{S}| + \lceil \log |S| \rceil = O(\log |S|)$. Furthermore, we
choose $m_E = \beta$.
We define $C_A$ as follows. Recall that, by definition, the move function ∆
of A can also be represented by a Boolean function $\Delta^c$. We embed two
versions of $\Delta^c$ in $C_A$: a sub-circuit $\Delta^c_E$ that reads from $N_E$, and a sub-circuit $\Delta^c_A$
that reads from $N_A$. Both sub-circuits read from $M_A$. Now, assuming that
the current game position is stored in $M_A$ and the existential and the universal
nondeterminism determined their choices for $N_E$ and $N_A$, respectively,
$C_A$ computes the next position by executing $\Delta^c_E$ and $\Delta^c_A$ (concurrently). Depending
on which valid bit is 1 (either the first output of $\Delta^c_E$ or the first output
of $\Delta^c_A$), a multiplexer selects the corresponding next state that is written
into $M_A$.
Since sequential circuit machines have no possibility to model stuttering
steps directly, with which Player A can execute arbitrarily many hidden
moves before the turn changes to Player E again, in our construction of S
we need to model them in a different way. The idea is to let Player A execute
|S| obfuscating moves in each round of the game before Player E can play
a responding move. In an obfuscating move, Player A can either execute
a move d ∈ ΣA for which vis(d) = ε, or a stuttering move that does not
change the contents of MA. After the execution of the obfuscating moves
(i.e., whenever the state counter overflows), A plays an ordinary move from
ΣA again. Observe that on each obfuscating move Player E (i.e., CE) is
activated but does not obtain any other information. Since the number of
these activations is always |S|, Player E’s strategy is indeed independent of
the ε moves.
What remains is to let $C_A$ produce h = 1 whenever the current position
is in B. This can be achieved by embedding $B^c$ into $C_A$ such that $B^c$ reads
from $M_A$ and outputs h.
Overall, observe that $C_A$ can be realized as a simple circuit of at most
polynomial size and constant depth (even if |S| is exponential), since we only
use incrementers, comparators, multiplexers, and the simple circuits $\Delta^c$ and
$B^c$, which have a polynomial size and constant depth by definition.
3.5 Bibliographic Remarks
Sequential circuit machines can be seen as a continuation of several research
directions, each investigating a particular aspect of computational complex-
ity. While some aspects were introduced and analyzed individually, to the
best of the author’s knowledge, the combination of all in one uniform com-
putation model has not been investigated yet. In the following, we give an
overview on important works that are related to sequential circuit machines.
Turing machine extensions. Savitch [1977] extended Turing machines
by allowing recursive calls. The introduction of a universal nondeterminism
is due to Chandra et al. [1981] resulting in the alternating Turing machine.
Reif [1984] introduced private and blindfold Turing machines and showed
that there is a general exponential increase in complexity in the presence of
partial information.
The impact of restricting the memory of the existential nondeterminism
(differently to sequential circuit machines, though) was investigated by Cai
and Furst [1991] by introducing bottleneck Turing machines, which extend
ordinary Turing machines by an additional read/write “safe storage” to store
a bounded amount of information. The execution of bottleneck Turing ma-
chines occurs in rounds. In each round, the machine can make polynomially
many steps. From one round to the next, the machine can only retain the
information in the safe storage.
Parallel computation models. Giving sequential random access ma-
chines (which are equivalent to Turing machines) the capability of access-
ing a shared memory in parallel results in parallel random access machines
(PRAMs) [Fortune and Wyllie, 1978, Goldschlager, 1978, Savitch and Stimson,
1979]. PRAMs and sequential circuit machines share the ability to access
many bits in one step. In the 1970s and 1980s, various PRAM models were
proposed in the literature. Similar to alternating Turing machines, all these
models have in common that they satisfy the Parallel Computation Thesis:
Parallel running time corresponds to sequential space consump-
tion.
A prominent PRAM representative is the vector processing machine intro-
duced by Pratt and Stockmeyer [1976]. Vector processing machines are
equipped with a collection of parallel processors together with a collection
of registers that can hold bit vectors. All processors execute the same pro-
gram whose instruction set consists of binary operations on the registers.
Savitch [1982] investigated the power of LPRAMs, parallel random ac-
cess machines with instructions for string manipulation. It was observed
that, in general, there is an exponential blow-up in the running times, when
going from nondeterministic LPRAMs to nondeterministic Turing machines.
Stockmeyer and Vishkin [1984] established the connection between PRAMs
and (purely combinatorial, i.e., memoryless) Boolean circuits: Parallel time
and number of processors for PRAMs correspond to depth and size for cir-
cuits, respectively. We refer to van Emde Boas [1990] for a comprehensive
survey on sequential and parallel machine models.
Uniform circuit complexity. For characterizing complexity classes
within PTime, complexity classes based on the computational power of
combinatorial Boolean circuits have been introduced. Borodin [1977] discovered
the relation between space in Turing machines and depth in circuits.
Pippenger [1979] and Cook [1979] discovered the NC-hierarchy, compris-
ing all complexity classes that are characterized by circuits with bounded
fan-in, polynomial size, and polylogarithmic depth. The connection be-
tween NC and alternating Turing machines was shown by Ruzzo [1981].
Wolf [1994] investigated NC circuits with nondeterministic gates. We refer
to Vollmer [1999] for a comprehensive survey on circuit complexity.
Succinct circuit representations. The research on the complexity of
succinct versions of graph-theoretic problems was started in the early 1980s
by Galperin and Wigderson [1983], where the exponential increase in the
complexity was first observed. A more general theorem for lifting reductions
(and therefore hardness proofs) from NPTime to NExpTime was given
by Papadimitriou and Yannakakis [1986]. The generalization to arbitrary
space- and time-bounded complexity classes was due to Lozano and Balcázar
[1989].
While these works assumed the graph to be represented as a combina-
torial circuit, Veith [1997] proved that the lifting argument (and thus the
exponential increase in complexity) still holds even when the graph is given
as a Boolean function. Similarly, Feigenbaum et al. [1999] proved that an
OBDD-based representation of the graph suffices to cause an exponential
blow-up in the complexity of both the nondeterministic and the alternat-
ing reachability problem. Borchert and Lozano [1996] made the connection
between succinct circuit representations and leaf language classes.
A first connection between a succinct modeling formalism (specifically,
Boolean automata) and the general lifting technique by Lozano and Balcázar
[1989] was made by Chadha et al. [2010], who gave an explanation in terms
of succinct circuit representations, why certain reachability-related problems
on Boolean automata suffer from an exponential blow-up.
Descriptive complexity. In contrast to machine-based characterizations
of complexity classes, descriptive complexity theory, which was started by
Ronald Fagin in the 1970s, represents a fundamentally different approach.
Here, a complexity class is characterized by the expressiveness of a certain
logic needed to specify the problems in that class. In a first paper, Fagin
[1974] established the equivalence of NPTime and the set of problems
describable in second-order existential logic. Characterizations of other major
complexity classes followed, such as PSpace [Immerman, 1980, Vardi, 1982],
or NLogSpace and PTime [Grädel, 1992]. We refer to Immerman [1999]
for a comprehensive survey on descriptive complexity theory.
Also from a purely logical perspective, Gottlob et al. [1999] showed that
the expression complexity [Vardi, 1982] of logics with the power of replacing
inputs by Boolean combinations of inputs is generally exponentially harder
than their data complexity.
Chapter 4
The Computational Power of Sequential Circuit Machines
This chapter investigates the impact of imposing structural restrictions on
sequential circuit machines on their computational power.
Section 4.1 shows reductions between different classes of structurally
restricted sequential circuit machines. Then, Section 4.2 draws the connection
to Turing machines and identifies important structural restrictions to obtain
a wide range of complexity classes. The chapter finishes with an overview
on the results and a discussion in Section 4.3.
4.1 Reductions between Sequential Circuit Ma-
chines
In this section, we will prove some reductions between different classes of
structurally restricted sequential circuit machines, which will turn out useful
later in the thesis.
The first lemma ensures that one can always trade nondeterminism for
the same amount of universal space.
Lemma 4.1.1. Any given sequential circuit machine $S = (\sigma, C_A)$, where σ
is of the form
\[
\begin{array}{l}
((n_E, 0, 0), (m_E, m_A)), \\
((0, 0, n_A), (0, m_A)), \\
((n_E, 0, n_A), (m_E, m_A)), \\
((n_E, \infty, n_A), (m_E, m_A)), \text{ or} \\
((n_E, n^E_A, n_A), (m_E, m_A)),
\end{array}
\]
for $n_E, n_A \in \mathbb{N}_{>1}$, $n^E_A < n_A$, $m_E \in \mathbb{N} \cup \{\infty\}$, and $m_A \in \mathbb{N}$, can be transformed
in Space(log |S|) into a sequential circuit machine $S' = (\sigma', C_A')$ such that
S diverges iff S′ diverges, $|S'| = O(|S|)$, and σ′ is of the form
\[
\begin{array}{l}
((1, 0, 0), (m_E + O(\log n_E), m_A + O(n_E))), \\
((0, 0, 1), (0, m_A + O(n_A))), \\
((1, 0, 1), (m_E + O(\log n_E + \log n_A), m_A + O(n_E + n_A))), \\
((1, 1, 1), (m_E + O(\log n_E + \log n_A), m_A + O(n_E + n_A))), \text{ or} \\
((1, 1, 2), (m_E + O(\log n_E + \log n_A), m_A + O(n_E + n_A))),
\end{array}
\]
respectively.
Proof. We construct S′ as an extension of S: Instead of letting the two types
of nondeterminism determine the bits at once, we let the bits be determined
step by step. For this purpose, we have to (1) store
the guessed bits in the universal memory, and (2) introduce counters to
control the iterations. Note that, in the blindfold and private cases, no
new information is leaked to $C_E$ due to the newly introduced iterations in
$C_A$, because the number of those iterations is always the same in each step.
Also note that, in case of bounded existential memory, we need to give
$C_E$ the possibility to accommodate bits for counters used for iterating over
the universal and existential choices. Overall, we need to introduce further
$n_E + n_A + \lceil \log(n_E + 1) \rceil + \lceil \log(n_A + 1) \rceil$ universal memory bits, and the size
of $C_A'$ increases polynomially, while its depth remains constant, as we only
introduce incrementers.
With regard to the definition of the notion of acceptance for sequential
circuit machines, we now show that the choice between halting and diverging
is not essential, as one can always obtain an equivalent machine with
the dual acceptance at the expense of increasing the universal memory.
Lemma 4.1.2. For every sequential circuit machine
$S = (((n_E, n^E_A, n_A), (m_E, m_A)), C_A)$, one can construct in Space(log |S|) a
sequential circuit machine $S' = (((n_E, n^E_A, n_A), (m_E, m_A')), C_A')$ with
$|C_A'| = O(|C_A|)$ and $m_A' = O(m_A)$ such that S diverges iff S′ halts.
Proof. If $m_A = 0$, it suffices to choose $m_A' = 0$ and let $C_A'$ just invert the
output h of $C_A$.
If $m_A > 0$, we introduce a counter in S′ with $m_A$ bits. This counter
deterministically (i.e., independently of the decisions of the two players)
counts the number of execution cycles. Observe that there can be at most
$2^{m_A} - 1$ cycles between two equivalent configurations of $C_A$. Now, those
configurations of S′ in which the cycle counter overflows are those in which
a configuration of S recurs. Hence, we can identify these configurations as
diverging in S and, consequently, mark the corresponding configurations in
S′ as halting by letting $C_A'$ produce an output h = 1.
What remains is to convert the halting configurations in S to diverging
ones in S ′. We achieve this by introducing an additional flag div that, once
set, prevents the halting flag h of S ′ ever to become 1. When executing a
cycle in S ′, CA′ sets div to 1 if either div was 1 in the previous cycle or CA
computed h = 1.
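The following Python program is an added example and not code from the thesis. It makes the constructions of this and the previous chapter concrete on a toy scale: it builds the finite game arena ⟦S⟧ of Section 3.3.2 for a sequential circuit machine, decides Diverging (Definition 3.3.1) in the way Theorem 3.3.2 suggests, namely as a safety game against Halt(S), encodes Unreachability along the lines of Example 3.3.4, and applies the cycle-counter-and-flag construction of Lemma 4.1.2 to obtain a machine that halts iff the original one diverges. Assumptions not taken from the thesis: $C_A$ is represented as a Python function over bit tuples rather than as a constant-depth circuit; only full observability with unbounded existential memory is solved, where positional strategies suffice; the dual machine uses exactly $2m_A + 1$ memory bits as one concrete instance of the lemma's $O(m_A)$; the graph, the node relabelling (so that $v_0$ is the all-zero initial memory) and all function names are constructed for the example.

```python
"""Sequential circuit machines (SCMs) as finite games.  Added example, not code
from the thesis: C_A is a Python function over bit tuples instead of a Boolean
circuit, and only full observability with unbounded existential memory is
solved, where positional strategies suffice for safety and reachability games."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

Bits = Tuple[int, ...]
Circuit = Callable[[Bits, Bits, Bits], Tuple[Bits, int]]  # C_A(N_E, N_A, M_A) -> (M_A', h)

@dataclass(frozen=True)
class SCM:
    n_e: int       # existential guess bits per cycle
    n_a: int       # universal guess bits per cycle
    m_a: int       # universal memory bits (m_E is taken as unbounded here)
    c_a: Circuit

def to_bits(value: int, width: int) -> Bits:
    return tuple((value >> i) & 1 for i in range(width))

def from_bits(bits: Bits) -> int:
    return sum(b << i for i, b in enumerate(bits))

def arena(scm: SCM) -> Dict[Tuple, Set[Tuple]]:
    """Successors in [[S]] (Section 3.3.2): at ("A", M_A, h) Player A fixes N_A, at
    ("E", M_A, N_A) Player E fixes N_E and C_A yields the next A-position."""
    vec = lambda w: list(product((0, 1), repeat=w))
    succ: Dict[Tuple, Set[Tuple]] = {}
    for ma in vec(scm.m_a):
        for h in (0, 1):
            succ[("A", ma, h)] = {("E", ma, na) for na in vec(scm.n_a)}
        for na in vec(scm.n_a):
            succ[("E", ma, na)] = {("A",) + scm.c_a(ne, na, ma) for ne in vec(scm.n_e)}
    return succ

def attractor(succ: Dict[Tuple, Set[Tuple]], player: str) -> Set[Tuple]:
    """Positions from which `player` can force a visit to Halt(S) = {A} x M_A x {1}:
    the forcing player needs one move into the set, the opponent must have none outside."""
    attr = {p for p in succ if p[0] == "A" and p[2] == 1}
    while True:
        new = {p for p, nxt in succ.items() if p not in attr
               and (bool(nxt & attr) if p[0] == player else nxt <= attr)}
        if not new:
            return attr
        attr |= new

def diverging(scm: SCM) -> bool:
    """Diverging(S) via Theorem 3.3.2: s_0 = (A, 0..0, 0) is outside A's attractor of Halt(S)."""
    return ("A", to_bits(0, scm.m_a), 0) not in attractor(arena(scm), "A")

def halting(scm: SCM) -> bool:
    """S halts: Player E can force a halting configuration from s_0."""
    return ("A", to_bits(0, scm.m_a), 0) in attractor(arena(scm), "E")

def unreachability_scm(adj: List[List[int]], v0: int, b: int) -> SCM:
    """Example 3.3.4: Jones's algorithm as an SCM of signature ((0, 0, log|V|), (0, log|V|)).
    A guesses the next node; the memory holds the current node, relabelled so that v0
    is the all-zero initial memory.  A guess that is no edge or no node changes nothing."""
    n = len(adj)
    width = max(1, (n - 1).bit_length())
    orig = lambda code: (code + v0) % n

    def c_a(ne: Bits, na: Bits, ma: Bits) -> Tuple[Bits, int]:
        cur, guess = from_bits(ma), from_bits(na)
        if guess < n and adj[orig(cur)][orig(guess)]:
            cur = guess
        return to_bits(cur, width), int(cur == (b - v0) % n)

    return SCM(n_e=0, n_a=width, m_a=width, c_a=c_a)

def dualize(scm: SCM) -> SCM:
    """Lemma 4.1.2: S' with 2*m_A + 1 memory bits such that S diverges iff S' halts.
    Extra memory: an m_A-bit cycle counter and a sticky flag `div` set once S has halted.
    S' halts when the counter wraps after 2^m_A cycles with `div` still 0; by then A's
    attractor of Halt(S) has stabilised, so E can avoid Halt(S) forever."""
    m, period = scm.m_a, 1 << scm.m_a

    def c_a(ne: Bits, na: Bits, ma: Bits) -> Tuple[Bits, int]:
        mem, cnt, div = ma[:m], from_bits(ma[m:2 * m]), ma[2 * m]
        mem, h = scm.c_a(ne, na, mem)
        div |= h
        return mem + to_bits((cnt + 1) % period, m) + (div,), int(cnt + 1 == period and not div)

    return SCM(scm.n_e, scm.n_a, 2 * m + 1, c_a)

def reachable(adj: List[List[int]], v0: int, b: int) -> bool:
    """Explicit depth-first search, used only as a reference check."""
    seen, todo = {v0}, [v0]
    while todo:
        fresh = [w for w, e in enumerate(adj[todo.pop()]) if e and w not in seen]
        seen.update(fresh)
        todo.extend(fresh)
    return b in seen

# constructed input: two disjoint directed 3-cycles, 0->1->2->0 and 3->4->5->3
EXAMPLE_ADJ = [[int(j == (i + 1) % 3 + 3 * (i // 3)) for j in range(6)] for i in range(6)]

if __name__ == "__main__":
    for v0, b in [(0, 5), (0, 2), (4, 3), (4, 4)]:
        s = unreachability_scm(EXAMPLE_ADJ, v0, b)
        print(v0, b, diverging(s), halting(dualize(s)), not reachable(EXAMPLE_ADJ, v0, b))
```

Running the file prints, for each pair $(v_0, b)$, that Diverging of the encoding, halting of its dual, and explicit unreachability agree. Two design points deserve attention. First, an inadmissible guess by Player A leaves the memory unchanged instead of rejecting; since A wants to reach Halt(S), this gives A no extra power, and it keeps $C_A$ total on all $2^{n_A}$ input patterns, including codes that do not name a node. Second, the dual machine lets its counter wrap after exactly $2^{m_A}$ cycles: A's attractor of Halt(S) is computed over the $2^{m_A}$ non-halting A-positions and therefore stabilises within that many rounds, so an A that has not forced a halt by then never will.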
4.2 Reductions from and to Turing Machines
In this section, we investigate the relationship between the computational
power of sequential circuit machines and Turing machines. We thereby flesh
out our claim from Section 3.1 that any major complexity class can be
characterized by a certain signature class.
4.2.1 Machines without Universal Memory
We start with the case where sequential circuit machines have no universal
memory. That is, the universal nondeterminism cannot accumulate any
information over multiple cycles.
The first theorem establishes the connection to nondeterministic time-
bounded complexity classes.
Theorem 4.2.1. The following equivalences hold, even when we only assume
simple circuits:
C((P, 0, 0), (0, 0)) = C((P, 0, 0), (∞, 0)) = NPTime;
C((0, 0,P), (0, 0)) = C((0, 0,P), (∞, 0)) = coNPTime
Proof. For proving the “⊆” direction, note that in all cases, only a single
execution of CA needs to be considered. This is because A cannot persist
any information, and therefore, he finds himself always in the same configu-
ration after executing CA. For the same reason, E does not gain additional
power by giving her more memory. Hence, by applying the definition of the
semantics of sequential circuit machines, checking whether a given machine
that has a polynomial amount of (either existential or universal)
nondeterminism but no universal memory diverges amounts to checking the
satisfiability of the formulas
∃ ~NE : CA( ~NE) = 0 and (4.1)
∀ ~NA : CA( ~NA) = 0 ⇔ ¬(∃ ~NA : CA( ~NA) = 1). (4.2)
Formula 4.1 can be decided by a simple nondeterministic algorithm that
(1) first guesses values for ~NE in NPTime and (2) then validates the guess
by evaluating CA( ~NE) = 0. Formula 4.2 can be decided by a simple co-
nondeterministic algorithm that (1) first guesses values for ~NA in NPTime,
(2) then validates the guess by evaluating CA( ~NA) = 1, and (3) negating
46 CHAPTER 4. THE COMPUTATIONAL POWER OF SCMS
the overall result. Since computing the value of a circuit can be done in
PTime [Ladner, 1975] (so certainly in NPTime or coNPTime), we con-
clude that the two algorithms have an overall complexity of NPTime and
coNPTime, respectively.
The “⊇” direction immediately follows by reduction from Boolean SAT and
Tautology, which are known to be hard for NPTime and coNPTime,
respectively. For a given instance of SAT or Tautology, i.e., a Boolean
formula ϕ with free variables ~x, we construct CA such that h = 1 iff ¬ϕ(~x).
Now, in the case of SAT, we identify the free variables ~x with ~NE, and in the
case of Tautology, we identify ~x with ~NA. This way, by definition of the
semantics of sequential circuit machines, the constructed machine diverges
iff ϕ is satisfiable (in case of SAT) or ϕ is valid (in case of Tautology).
It turns out that when both the existential and universal nondeterminism
can determine the values of some bits, we arrive in the polynomial hierarchy.
Theorem 4.2.2. The following equivalences hold, even when we only assume
simple circuits:
C((P, 0, P), (0, 0)) = C((P, 0, P), (∞, 0)) = Σ^P_2;
C((P, P, P), (0, 0)) = C((P, P, P), (∞, 0)) = Π^P_3;
C((P, ∞, P), (0, 0)) = C((P, ∞, P), (∞, 0)) = Π^P_2
Proof. For proving the “⊆” direction, similar to the proof for Theorem 4.2.1,
observe that when having no universal memory, only a single execution of
CA needs to be considered and giving more memory to E does not make
a difference. But now, by definition of the semantics of sequential circuit
machines, the divergence problem for machines with both existential and
universal nondeterminism, but without universal memory, corresponds to
the satisfiability problem of Boolean formulas with more than one quantifier
alternation:
∃ ~NE ∀ ~NA : CA( ~NE, ~NA) = 0; (4.3)
∀ ~NEA ∃ ~NE ∀ ~NA : CA( ~NE, ~NEA , ~NA) = 0; (4.4)
∀ ~NA ∃ ~NE : CA( ~NE, ~NA) = 0. (4.5)
Formula 4.3 reflects the fact that E has no observability: she has to make
her decisions (i.e., the values for ~NE) independently from the decisions of
A (i.e., the values for ~NA). Formula 4.4 reflects the fact that E has only a
partial observability: A has to provide values for the visible decisions first
(i.e., the values for ~NEA), before E can react by providing her decisions (i.e.,
the values for ~NE), which must be independent of the unobservable decisions
of A. Lastly, Formula 4.5 reflects the fact that E has full observability: A
4.2. REDUCTIONS FROM AND TO TURING MACHINES 47
has to make all of his decisions first (i.e., the values for ~NA) before E can
react by providing her decisions (i.e., the values for ~NE).
Now, according to Wrathall [1976], deciding the satisfiability of the three
quantified Boolean formulas (with bounded alternation) can be done in
(1) NPTime^coNPTime = Σ^P_2 for the blindfold case,
(2) coNPTime^(NPTime^coNPTime) = Π^P_3 for the partially observable case, and
(3) coNPTime^NPTime = Π^P_2 for the fully observable case.
The “⊇” direction for the three cases follows by reduction from QBF^∃_2,
QBF^∀_3, and QBF^∀_2, which, according to Wrathall [1976], are known to be
hard for Σ^P_2, Π^P_3, and Π^P_2, respectively (here, QBF^Q_k refers to the quantified
Boolean formulas with k alternations and Q as the first quantifier). For a
given QBF formula of the form
∀x0, . . . , xa ∃y0, . . . , yb ∀z0, . . . , zc :
ϕ(x0, . . . , xa, y0, . . . , yb, z0, . . . , zc),
in our construction of a machine S = (((nE, nEA, nA), (0, 0)), CA), we define
NEA = {x0, . . . , xa}, NE = {y0, . . . , yb}, and NA = {z0, . . . , zc}. Similar to
the construction in the hardness proof of Theorem 4.2.1, we construct CA
such that h = 1 ⇔ ¬ϕ(x0, . . . , xa, y0, . . . , yb, z0, . . . , zc).
4.2.2 Machines with Unbounded Existential Memory
We now investigate the computational power of sequential circuit machines
with no restrictions on the memory of the existential nondeterminism.
Before we come to the main theorems, we first state the following two
lemmas, which will turn out to be useful. The first lemma is helpful in
establishing upper complexity bounds.
Lemma 4.2.3. For a given sequential circuit machine S = (σ, CA), the
following statements hold true:
if σ = ((0, 0, 0), (∞, mA)) then Diverging(S) ∈ Space(mA)^Eval(CA);
if σ = ((1, 0, 0), (∞, mA)) then Diverging(S) ∈ NSpace(mA)^Eval(CA);
if σ = ((0, 0, 1), (∞, mA)) then Diverging(S) ∈ coNSpace(mA)^Eval(CA);
if σ = ((1, 1, 1), (∞, mA)) then Diverging(S) ∈ ASpace(mA)^Eval(CA)
Proof. We first prove that if σ = ((1, 1, 1), (∞, mA)) then we have that
Diverging(S) is in ASpace(mA)^Eval(CA). After that, we show how the
construction can be adapted to the other three (nonalternating) cases.
For a given machine S = (((1, 1, 1), (∞,mA)), CA), we construct an alter-
nating Turing machine T = (Q, q0, T, δ) that uses at most O(mA) tape cells
and that accepts iff S diverges. The basic idea of our construction is that
T simulates the cycles of S in a sequential manner. Concurrently, T counts
the cycles using a counter with mA bits. Whenever this counter overflows,
which happens after 2^mA cycles, we let T enter its accepting state. We use
mA tape cells to store the current contents of the universal memory.
In each cycle, first T makes a universal guess (0 or 1) and an existential
guess (0 or 1), which are stored (as 2 bits) on the tape. Then, CA is evaluated
on these bits and on the universal memory contents. For each bit in the
universal memory and the halting flag h, we obtain a new value by making
mA + 1 oracle calls to Eval(CA). The result of the evaluation is the new
contents of the universal memory, which is stored in another mA bits on
the tape, as well as the value of h. If h = 1, we let T enter a dead-end
state, where the cycle counter is not incremented anymore, and thus, the
accepting state is unreachable. Note that, if always h = 0, the cycle counter
overflows after 2^mA cycles, exactly the number of maximal cycles when a
particular universal memory contents recurs. Thus, T accepts iff S diverges,
and deciding whether T accepts can be done in ASpace(mA)^Eval(CA).
The adaptation to the three nonalternating cases is straightforward by
just skipping the guessing of the existential and/or the universal decision.
The second lemma establishes an upper bound for evaluating combina-
torial circuits.
Lemma 4.2.4. For a given combinatorial circuit C reading from inputs I
and a valuation ~i ∈ ~I, evaluating C on ~i is in Space(depth(C) · log |C|).
Proof. Consider an algorithm that, starting with its output, recursively eval-
uates C in a depth-first manner. At each level of the recursion, we iteratively
recur on the inputs of the current gate. If the current gate is an AND gate
and the propagated value is false, then we terminate the recursion for the
current gate and propagate false to the calling instance, otherwise (if all
inputs yield true) we return true. Dually, if the current gate is an OR gate
and the propagated value is true, then we terminate the recursion for the
current gate and propagate true to the calling instance, otherwise (if all
inputs yield false) we return false. If the recursion reaches an input i, then
~i(i) is propagated to the calling instance.
The recursion can be implemented using a stack with a height in the
length of the longest path in C, which corresponds to depth(C). The ele-
ments in the stack are used to remember the position (i.e., the index of a
particular gate of the circuit) and the last branching decision (i.e., the index
of an input to the gate) at each level of the recursion (i.e., a particular depth
in the circuit). As the indices can be represented using only O(log |C|) bits,
it can be easily seen that the algorithm is in Space(depth(C) · log |C|).
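The depth-first, short-circuiting evaluation from the proof above, as an added example that is not part of the dissertation: it runs with an explicit stack and reports the maximal stack height, so the bound depth(C) can be checked over all valuations; the gate kinds AND, OR, NOT and IN, the dict-of-gates representation and the sample circuit are assumptions of this example.

```python
"""Added example (not from the dissertation): space-bounded evaluation of a
combinatorial circuit (Lemma 4.2.4) with an explicit stack of height <= depth(C)."""

from itertools import product
from typing import Dict, List, Tuple, Union

# gate id -> (kind, operands); operands of AND/OR/NOT are gate ids,
# an IN gate's single "operand" is the name of the input it reads.
Gate = Tuple[str, List[Union[int, str]]]
Circuit = Dict[int, Gate]

def depth(circuit: Circuit, gate: int) -> int:
    """Number of nodes on the longest path from `gate` down to an input."""
    kind, ops = circuit[gate]
    if kind == "IN":
        return 1
    return 1 + max(depth(circuit, g) for g in ops)

def evaluate(circuit: Circuit, output: int,
             valuation: Dict[str, int]) -> Tuple[bool, int]:
    """Evaluate `output` under `valuation`; also return the maximal stack height.
    A stack entry holds a gate id and the index of the operand to visit next,
    i.e. O(log |C|) bits, so the total space is O(depth(C) * log |C|)."""
    stack: List[Tuple[int, int]] = [(output, 0)]
    returned = None            # value propagated up from the operand just finished
    max_height = 1
    while stack:
        gate, idx = stack[-1]
        kind, ops = circuit[gate]
        if kind == "IN":                        # leaf: read the input valuation
            returned = bool(valuation[ops[0]])
            stack.pop()
        elif returned is None:                  # descend into the next operand
            stack[-1] = (gate, idx + 1)
            stack.append((ops[idx], 0))
            max_height = max(max_height, len(stack))
        elif kind == "NOT":
            returned = not returned
            stack.pop()
        elif (kind == "AND" and not returned) or (kind == "OR" and returned):
            stack.pop()                         # short circuit: result is `returned`
        elif idx == len(ops):                   # every operand seen, none decided
            returned = (kind == "AND")
            stack.pop()
        else:
            returned = None                     # go on with the next operand
    return returned, max_height

def stack_bound_holds(circuit: Circuit, output: int, inputs: List[str]) -> bool:
    """Check over all valuations that the stack never exceeds depth(C)."""
    d = depth(circuit, output)
    return all(evaluate(circuit, output, dict(zip(inputs, bits)))[1] <= d
               for bits in product((0, 1), repeat=len(inputs)))

# Constructed sample circuit: (x0 AND NOT x1) OR (x1 AND x2 AND x0)
SAMPLE: Circuit = {
    1: ("IN", ["x0"]), 2: ("IN", ["x1"]), 3: ("IN", ["x2"]),
    4: ("NOT", [2]),
    5: ("AND", [1, 4]),
    6: ("AND", [2, 3, 1]),
    7: ("OR", [5, 6]),
}

if __name__ == "__main__":
    print(depth(SAMPLE, 7))                                   # 4
    print(evaluate(SAMPLE, 7, {"x0": 1, "x1": 0, "x2": 1}))   # (True, 4)
    print(stack_bound_holds(SAMPLE, 7, ["x0", "x1", "x2"]))   # True
```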
We now come to the main theorems of this section. The following estab-
lishes the fact that universal memory in sequential circuit machines corre-
sponds to tape cells in (otherwise unbounded) Turing machines, assuming
no bound on the existential memory.
Theorem 4.2.5. For any nondecreasing class of functions F ≥ log n, the
following equivalences hold, even when we only assume simple circuits:
C((0, 0, 0), (∞,F)) = Space(F);
C((1, 0, 0), (∞,F)) = NSpace(F);
C((0, 0, 1), (∞,F)) = coNSpace(F);
C((1, 1, 1), (∞,F)) = ASpace(F)
Proof. We first prove the “⊆” direction. Let S = (σ,CA) and n = |S| = |CA|.
Recall that CA is of constant depth. Thus, according to Lemma 4.2.4, we
have that Eval(CA) is in Space(log n). Moreover, since O(log n) ≤ F , we
have that Eval(CA) is in Space(F). Hence, according to Lemma 4.2.3, the
upper bound complexities for deciding Diverging for the four cases are
Space(F)^Space(F) = Space(F),
NSpace(F)^Space(F) = NSpace(F),
coNSpace(F)^Space(F) = coNSpace(F),
ASpace(F)^Space(F) = ASpace(F),
respectively.
For proving the “⊇” direction, we first show the ASpace(F)-hardness of the
alternating case C((1, 1, 1), (∞,F)). For a given alternating Turing machine
T = (Q, q0, T, δ) that, without loss of generality, has a tape bound b = 2^k and
|Q| = 2^q, for some k, q ∈ N, we construct in LogSpace a sequential circuit
machine S = (((1, 1, 1), (∞,mA)), CA) such that T accepts iff S diverges.
We use the universal memory of S to store the contents of the b tape cells
(using b bits), the position of the tape head ranging from 0 to b − 1 (using
k bits), the state T is currently in (using q bits), a timeout counter that
counts the executions of T (using b bits), and a 1-bit flag div that indicates
whether an accepting configuration has been reached. Overall, we have
mA = O(b).
The transition function δ as well as the contents of the input tape are
encoded as CA: Based on the type of the state T is currently in (either E,
A, or D), CA either selects NE0, NA0, or constant 0, respectively, to resolve
the nondeterminism in δ. We let CA update the contents of the current tape
cell and move the tape head. If the type of the current state is Acc, we let
CA set div = 1, otherwise we increment the timeout counter. If div = 0 and
the counter overflows, we let CA produce h = 1.
The translation of δ (which is explicitly given) into CA (which can be
of polynomial size, i.e., of size polynomial in |δ|) is straightforward, as we
can just obtain a DNF from δ of polynomial size. Overall, observe that CA,
besides the DNF for δ, only contains incrementer, decrementer, comparator,
and multiplexer circuits. While the first three types of circuits are used to
move the tape head and to update the counters, multiplexers are used to
read the contents of the currently selected tape cell and to look up the type
of the state T is currently in. Recall that we allow an unbounded fan-in for
combinatorial circuits, hence, all the sub-circuits have constant depth. This
concludes the proof of the ASpace(F)-hardness.
What remains is to adapt the construction to the three nonalternat-
ing cases. Note that NE0 and NA0 are only used in the sub-circuit of CA
representing T . Since the mode of acceptance of T only depends on the
definition of T , it is easy to see that the other cases are hard for Space(F),
NSpace(F), and coNSpace(F), respectively.
When restricting the existential nondeterminism to partial or no ob-
servability, we encounter the same exponential blow-up that was already
observed by Reif [1984] for alternating Turing machines in the nonsuccinct
case.
Theorem 4.2.6. For any nondecreasing class of functions F ≥ log n, the
following equivalences hold, even when we only assume simple circuits:
C((1, 0, 1), (∞, F)) = NSpace(2^F);
C((1, 1, 2), (∞, F)) = ASpace(2^F)
Proof. For proving the “⊆” direction, we first show the upper bound for
the private case: C((1, 1, 2), (∞, F)) ⊆ ASpace(2^F). The adaptation to the
blindfold case is straightforward.
For a given machine S = (((1, 1, 2), (∞,mA)), CA), we show that
Diverging(S) can be decided by an alternating algorithm with a mem-
ory consumption of O(2^mA) bits. Recall that the semantics of S is defined
in terms of a private game: the existence of a feasible CE corresponds to
the existence of a strategy for Player E that respects the partial observ-
ability on the decisions of Player A. Now, by applying the belief set con-
struction by Reif [1984], we obtain a game of perfect information. In this
construction, the positions of the perfect-information game represent beliefs:
over-approximations of the positions in which the actual game might be cur-
rently in. Thus, compared to the original imperfect-information game, the
perfect-information game has an exponential number of positions. Recall
that games induced by sequential circuit machines are strictly turn-based
and the possible moves the players can play do not depend on the current
position. Hence, each belief can be clearly associated to a particular player
and the available moves are always the same for each belief. The set of
bad beliefs contains those beliefs that subsume a position with a halting
configuration. This concludes the proof of the ASpace(2^F) upper bound.
The adaptation to the blindfold case is straightforward. Observe that,
in this case, the belief set construction completely removes the universal
nondeterminism, so that the game of perfect information only contains the
existential nondeterminism. Hence, the algorithm runs in NSpace(2^F).
Similar to the upper bound, for proving the “⊇” direction, we first
show the ASpace(2^F)-hardness of the alternating case C((1, 1, 2), (∞, F)).
For a given alternating Turing machine T = (Q, q0, T, δ) that, without
loss of generality, has a tape bound b = 2^k and |Q| = 2^q, for some
k, q ∈ N, we construct in LogSpace a sequential circuit machine S =
(((1, 1, 2), (∞,mA)), CA) such that T accepts iff S diverges and mA = O(k).
The basic idea is to let CE sequentially simulate the steps of T so that T
eventually reaches an accepting state. A single step of T is communicated
by CE to CA in a sequence of bits with constant length: q bits representing
the next state, 1 bit representing the contents to write into the current tape
cell, 1 bit indicating in which direction the input tape head moves, and 1
bit indicating in which direction the work tape head moves.
Similar to a proof presented by Rintanen [2004] in the planning setting,
instead of storing the contents of the whole tape, we let CA, unobservable for
CE, nondeterministically select a dedicated tape cell that is watched by CA.
We use k bits in the universal memory to represent the bits of some integer
variable ranging from 0 to b− 1. We introduce an integer variable watch to
store the index of the watched cell and another two integer variables input
and work to store the current positions of the tape heads of the input and
work tape, respectively. As an initialization step, unobservable for CE, CA
nondeterministically chooses a value for watch and sets input and work to
0. Then, CA keeps track of the movement of the tape head by decrementing
or incrementing input and work . Here, CA produces h = 1 whenever CE
proposes to move the head to the left and it is over the first cell, or to move
to the right and the head is over the last cell. If work ≠ watch, CA ignores
the correctness of the tape operations (writing in a cell and moving the
head) determined by CE. If work = watch, the tape operations are verified
(CA checks if the proposed step is consistent with δ) and the writing of the
new tape symbol is memorized. The state T is currently in is represented
using q bits, and the contents of the watched tape cell is represented using
1 bit.
The transitions in δ are encoded in the following way. In case T is in an
existential state, CA expects that CE resolves the branching decision (0 or 1).
In case T is in a universal state, CA first provides the branching decision,
which should then be considered by CE. Note that the latter decision is
visible for CE.
So far, S diverges whenever CE does faithfully simulate the steps of T .
However, what remains is to enforce that CE actually reaches an accepting
state of T eventually. We do this by introducing a timeout counter that
is incremented after a step of T is simulated, and in case it overflows, CA
produces h = 1. Observe that the maximal number of steps without visiting
a state twice corresponds to the number of possible configurations of T .
That is, we need to count steps up to a number bounded by 2^(2^k). As this
number is double exponential in the number of bits, we cannot use just
another b-bit integer variable to represent the timeout counter. Instead, we
construct an incrementation gadget that implements a carry chain adder of
length 2b. Now, the trick is to let CE do the incrementation: Before CE
performs a step of T , CE has to additionally produce a sequence of 2b bits
representing the current value of the timeout counter (ranging from 0 to
2^(2^k) − 1). To verify that CE increments the timeout counter correctly, similar
to the watched tape cell explained above, we let CA nondeterministically
and unobservably for CE select a dedicated bit j, 0 ≤ j < 2b, whose correct
incrementation is verified. The actual gadget contains a loop that iterates
an integer variable i from 0 to 2b−1. In each iteration, CE has to provide the
carry flag before bit i is incremented, the new (incremented) value of bit i,
and the carry flag for bit i + 1. If i ≠ j, we require that CE provides some
value for the carry flags and the new value of bit i. If i = j, we actually
check that Player E provides correct values. It is easy to see that the new
value of bit j only depends on its last value and the incoming carry flag.
Furthermore, if i = 0, we always require that the first carry flag is 1. If
i = 2b − 1 and the next carry flag is 1, the counter overflows, which means
that we have reached the timeout and let CA produce h = 1. This concludes
the proof of the ASpace(2F )-hardness.
Now, the adaptation to the blindfold case is straightforward: Without
having access to any decisions of CA, CE can only simulate an existential
nondeterministic Turing machine T . However, we can still use the hidden
universal nondeterminism to check whether CE simulates T correctly. Hence,
the NSpace(2^F)-hardness.
Finally, combining Theorems 4.2.5 and 4.2.6 immediately reveals the fact
that privateness can always be traded for exponential universal space.
Corollary 4.2.7. For any nondecreasing class of functions F ≥ log n, the
following equivalences hold, even when we only assume simple circuits:
C((1, 0, 1), (∞, F)) = C((1, 0, 0), (∞, 2^F));
C((1, 1, 2), (∞, F)) = C((1, 1, 1), (∞, 2^F))
4.2.3 Machines with Bounded Existential Memory
In this section, we make the surprising discovery that bounding the memory
of the existential nondeterminism always dominates any restriction on the
observability or the power of both the universal and existential nondeter-
minism in general.
The first theorem establishes the fact that if the existential memory
bound of a sequential circuit machine is at most logarithmic in the universal
memory, then we have the same computational power as a nondeterministic
space-bounded Turing machine.
Theorem 4.2.8. For any nondecreasing class of functions F ≥ log n, the
following equivalence holds, even when we only assume simple circuits:
C((1, 0, 0), (0, 2^F)) = C((1, 0, 0), (F, 2^F)) =
C((1, 0, 1), (0, 2^F)) = C((1, 0, 1), (F, 2^F)) =
C((1, 1, 1), (0, 2^F)) = C((1, 1, 1), (F, 2^F)) =
C((1, 1, 2), (0, 2^F)) = C((1, 1, 2), (F, 2^F)) = NSpace(2^F)
Proof. For showing the “⊆” direction, we prove the containment in
NSpace(2^F) for the most general case C((1, 1, 2), (F, 2^F)), where we have
full alternation (i.e., we have both existential and universal nondeter-
minism) and where we assume partial information, which is clearly more
general than the blindfold and fully informed cases. For a given ma-
chine S = (((1, 1, 2), (mE, mA)), CA), let n = |S|, b = f(n), for some f
from F, mE = O(b), and mA = 2^O(b). We show that Diverging(S) can
be decided by a nondeterministic algorithm with a memory consumption of
O(mA) bits.
First, observe that if there is a feasible CE, then it can be represented
by a truth table that, depending on the current contents of the existential
memory and the current universal decision, defines the existential decision.
Since there can be at most 2^mE = 2^O(b) distinct configurations of the existen-
tial memory but only one binary universal choice visible to CE, the table has
at most 2^O(b) rows. And since there is only one binary existential
choice, the table has only a single column. Hence, the total number of en-
tries in the table is 2^O(b), which can be guessed in 2^O(b) steps. The validation
of the guess is done by integrating CE into S and deciding Diverging on
the machine so obtained (which has only universal nondeterminism). Since,
according to Theorem 4.2.5, deciding Diverging for such machines can be
done in coNSpace(2^F), the overall complexity is in
NTime(2^F)^coNSpace(2^F) = NTime(2^F)^NSpace(2^F) = NSpace(2^F).
The “⊇” direction easily follows from the NSpace(2^F)-hardness of the most
restricted case C((1, 0, 0), (0, 2^F)), where we only have existential but no
universal nondeterminism. An even weaker case is when we assume F to
be minimal (i.e., F = L and thus 2^F = P) and we neither have exis-
tential nor universal nondeterminism, C((0, 0, 0), (0, P)), which is, accord-
ing to Theorem 4.2.5 and Savitch [1970], already hard for Space(P) =
NSpace(2^F).
The following theorem states that, if the existential memory bound is in
the order of the universal memory bound, we always obtain the computa-
tional power of nondeterministic time-bounded Turing machines.
Theorem 4.2.9. Let F be either L or P; the following equivalence holds,
even when we only assume simple circuits:
C((1, 0, 0), (F, F)) =
C((1, 0, 1), (F, F)) =
C((1, 1, 1), (F, F)) =
C((1, 1, 2), (F, F)) = NTime(2^F),
where NTime(2^F) is either NPTime or NExpTime, respectively.
Proof. For showing the “⊆” direction, we prove the containment in
NTime(2^F) for the most general case C((1, 1, 2), (F, F)), where we have
full alternation (i.e., we have both existential and universal nondeter-
minism) and where we assume partial information, which is clearly more
general than the blindfold and fully informed cases. For a given machine
S = (((1, 1, 2), (mE, mA)), CA), let n = |S|, b = f(n), for some f from F,
and mE, mA ∈ O(b). We prove that Diverging(S) can be decided by the
following nondeterministic algorithm that requires at most O(2^mA) steps.
Analogously to the proof of the upper bound of Theorem 4.2.8, we guess
CE in form of a truth table. However, here, the number of rows of the ta-
ble is exponential in mE (while it still has only a single column). Hence,
guessing the table can be done in time exponential in mE. Also observe
that the table can be represented as a DNF of exponential size. We validate
the guess by integrating CE into S and deciding Diverging on the ma-
chine so obtained S ′ (which has only universal nondeterminism). According
to Lemma 4.2.4, evaluating CE can be done in Space(mE) ⊆ Space(F).
Moreover, according to Lemma 4.2.3, deciding Diverging for S′ can thus be done
in coNSpace(F)^Space(F) = NSpace(F). Thus, the overall complexity is in
NTime(2^F)^NSpace(F) = NTime(2^F).
The “⊇” direction follows from the NTime(2^F)-hardness, F ∈ {L, P}, of
the most restricted case C((1, 0, 0), (F ,F)), where we only have a (minimal)
existential nondeterminism but no universal nondeterminism. Our hardness
proof is a generalization of the NExpTime-hardness proof by Kupferman
and Sheinvald-Faragy [2006, Theorem 5]. We give a reduction from Hamil-
tonian cycle if F = L or Succinct Hamiltonian cycle if F = P,
which are known to be NPTime-complete [Karp, 1972] and NExpTime-
complete [Galperin and Wigderson, 1983], respectively, to Diverging.
An instance of Hamiltonian cycle is a graph G, where we use n ∈ N
as the number of bits needed to represent a node of G. Without loss of
generality, we assume that n = 2^k, for some k ∈ N. In a succinctly specified
instance, G is given implicitly as a combinatorial circuit with 2n inputs (or,
alternatively, as a Boolean function with arity 2n [Veith, 1997]). To unify
our reduction for both the enumerative case (F = L) and the succinct case
(F = P), we assume that the explicitly given graph is also represented as a
Boolean function. Hence, G is a Boolean function G : {0, 1}n × {0, 1}n →
{0, 1}, where, if F = L, n = ⌈log |Q|⌉ assuming that the instance is explicitly
given as a tuple (Q,E). Two nodes v, v′ of G, represented using n bits each,
are connected iff G(v, v′) = 1.
For a given G, we construct a sequential circuit machine S = (σ,CA)
with σ = ((1, 0, 0), (mE,mA)), where mE = O(n) and mA = O(n), such
that G has a Hamiltonian cycle iff Diverging(S) = yes. The idea of the
construction of S is to let CE produce a path of length 2^n and to let CA
(which is purely deterministic) validate whether this path is (1) a valid path
and (2) a Hamiltonian cycle in G. More precisely, CA expects the path as
a sequence of nodes provided by CE. A path contains 2^n nodes represented
as n·2^n bits, which are communicated from CE to CA in a cyclic iteration.
At any point in this iteration, CA maintains the current edge (a pair of
nodes) in its memory. Whenever a new edge is complete (i.e., the n bits of
the succeeding node are completely provided), CA checks whether the edge
actually exists by checking whether G evaluates to 1. If this is not the case,
S halts by letting CA produce h = 1, otherwise the iteration continues.
By limiting the number of bits per path to n·2^n, we make sure that the
path must cycle exactly according to the length of a (potential) Hamiltonian
cycle. To make sure that the proposed path is indeed Hamiltonian, we
have to enforce that every node of G is visited eventually. Observe that
it would be infeasible to introduce 2^n bits to memorize whether a node
was visited. Instead, we adopt a technique proposed by Kupferman and
Sheinvald-Faragy [2006, Theorem 5] and introduce a node counter with n
bits that, starting with 0, is incremented whenever the value of the next
node provided by CE equals the current counter value. What remains to do
is to introduce a watchdog counter with n bits that makes sure that the node
counter ultimately overflows after 2^n cycles have been completed. If
the watchdog counter overflows without having seen an overflow of the node
counter, we let CA produce h = 1 again.
More technically, the current edge and the various counters can be rep-
resented using a linear amount of bits, thus mA = O(n). By choosing
mE = log(n·2^n) = n + k, we bound the length of the candidate path. Ob-
serve that a path that visits fewer than 2^n nodes (which, of course, can never
be a Hamiltonian cycle) would be rejected by the watchdog counter.
In the actual construction of CA, besides an embedding of G, we also
need incrementer, multiplexer, and comparator sub-circuits, which are all
of polynomial size and constant depth (since we allow an unbounded fan-
in). However, we have to be a bit more careful with the embedding of the
Boolean function G into CA. If F = L and G is represented explicitly,
we can represent the edge relation of G as a simple DNF of polynomial
size. If F = P, we can apply the well-known technique by Tseitin [1968]
to transform G (which might be an arbitrary Boolean formula) into a CNF
(which is of constant depth), only suffering from a linear blow-up in the size
of the formula and the number of the node bits. The length of a subsequence
where CE communicates a node to CA, needs to be extended accordingly
(which also only requires a polynomial blowup).
Combining Theorems 4.2.1 and 4.2.9 immediately reveals the fact that
bounded existential memory can be traded for an exponential amount of
nondeterminism.
Corollary 4.2.10. The following equivalence holds, even when we only assume
simple circuits:
C((1, 0, 0), (L,L)) =
C((1, 0, 1), (L,L)) =
C((1, 1, 1), (L,L)) =
C((1, 1, 2), (L,L)) = C((P, 0, 0), (0, 0))
Concerning the size of the representation of the smallest feasible CE, if
there is one at all, the following two theorems state that it is highly unlikely¹
that a compact CE always exists.
The first theorem considers the case of a logarithmic amount of existen-
tial memory.
Theorem 4.2.11. For a given sequential circuit machine S = (σ,CA) with
σ = ((1, 0, 0), (mE,mA)), mE = O(log |CA|), and mA ≥ mE, if there is a
combinatorial circuit C that uses a memory M with |M | ≤ mE such that
S[CE ← C,ME ← M ] diverges, then C cannot always be represented loga-
rithmically, unless PTime = NPTime.
Proof. We consider the most restricted case mA = log |S|: if CE cannot
(most probably) be of logarithmic size for a logarithmic amount of universal
memory, then it certainly cannot be of logarithmic size for a polynomial
amount of universal memory.
¹ As it is common belief that PTime ⊊ NPTime as well as PSpace ⊊ ExpTime ⊊
NExpTime.
We assume that CE can always be represented logarithmically (i.e.,
|CE| = O(log |S|) and can thus be represented using logarithmically many
bits). Then, we can guess CE in logarithmically many steps and represent
CE using logarithmic space. Hence, CE can be guessed in NLogSpace.
Validating the guess, according to Lemma 4.2.3 and Ladner [1975], can be
done in coNLogSpace^PTime = PTime. Thus, the overall complexity is
NLogSpace^PTime = PTime. However, according to Theorem 4.2.9, syn-
thesizing a CE is complete for NPTime. Thus, NPTime = PTime (under
the assumption that CE can always be represented logarithmically).
The second theorem considers the case of a polynomial amount of exis-
tential memory.
Theorem 4.2.12. For a given sequential circuit machine S = (σ,CA) with
σ = ((1, 0, 0), (mE, mA)), mE = |S|^O(1), and mA = |S|^O(1), if there is a
combinatorial circuit C that uses a memory M with |M | ≤ mE such that
S[CE ← C,ME ←M ] diverges, then C cannot always be represented polyno-
mially, unless PSpace = NExpTime.
Proof. We assume that CE can always be represented polynomially (i.e.,
|CE| = |S|^O(1) and thus can be represented using polynomially many bits).
Then, we can always guess CE in polynomially many steps and repre-
sent CE using polynomial space. Hence, CE can be guessed in NPSpace.
Validating the guess, according to Lemma 4.2.3 and Ladner [1975], can
be done in coNPSpacePTime = NPSpace. Thus, the overall complex-
ity is NPSpaceNPSpace = NPSpace = PSpace. However, according to
Theorem 4.2.9, synthesizing a circuit CE is complete for NTime(2
P) =
NExpTime. Thus, NExpTime = PSpace (under the assumption that
CE can always be represented polynomially).
4.3 Succinctness Unifies Space and Time
Putting it all together, it turns out that the space of signature classes
whose unary representation is at most polynomial spans precisely the com-
putational power characterized by the (Turing machine-based) complexity
classes between LogSpace and 2ExpTime. This confirms our claim from
Section 3.1 that many natural problems can be classified according to the
amount of succinctness granted to the existential and universal nondeter-
minism.
Tables 4.1 and 4.2 summarize the equivalences between signature classes
and complexity classes characterized by space- or time-bounded Turing ma-
chines, respectively. In the tables, ∃ and ∀ represent the existential and
universal nondeterminism, respectively. From left to right, each row shows
the (Turing-machine based) complexity class, the power and the observabil-
ity of ∃, the power of ∀, the memory available to ∃, and the memory available
to ∀. The power of both the universal and existential nondeterminism, the
observability, as well as the memory are shown in terms of number of bits.
Complexity class | Signature class: ∃ nondet. | obs. | ∀ nondet. | ∃ mem. | ∀ mem.
LogSpace         | 0 | 0 | 0 | ∞ | L
NLogSpace        | 1 | 0 | 0 | ∞ | L
                 | L | 0 | 0 | ∞ | L
                 | 0 | 0 | 1 | ∞ | L
                 | 0 | 0 | L | ∞ | L
PSpace           | 1 | 0 | 1 | ∞ | L
                 | L | 0 | L | ∞ | L
                 | 0 | 0 | 0 | 0 | P
                 | L | 0 | 0 | L | P
                 | L | 0 | L | L | P
                 | L | L | L | L | P
                 | P | 0 | 0 | ∞ | P
                 | 0 | 0 | P | ∞ | P
ExpSpace         | 1 | 0 | 1 | ∞ | P
                 | P | 0 | P | ∞ | P
Table 4.1: Equivalences between signature classes and complexity classes
characterized by space-bounded Turing machines.
Our results show that an unbounded amount of existential memory al-
ways corresponds to the computational power of space-bounded Turing ma-
chines. In case of full observability, one obtains alternating space-bounded
complexity classes, which, according to Chandra et al. [1981], correspond to
deterministic time-bounded complexity classes. When the amount of uni-
versal memory is at least exponential in the existential memory, one also
obtains the power of space-bounded computations. The general exponen-
tial increase in complexity due to partial observability, which was already
observed by Reif [1984] for alternating Turing machines, can also be shown
for the succinct case.
We also obtain the insight that a symmetric amount of existential and
universal memory always corresponds to the computational power of nonde-
terministic time-bounded Turing machines. Interestingly, this relationship
turns out to be invariant under the actual observational power of the existential
nondeterminism, in contrast to space-bounded computations.
Complexity class | Signature class: ∃ nondet. | obs. | ∀ nondet. | ∃ mem. | ∀ mem.
PTime            | 1 | 1 | 1 | ∞ | L
                 | L | ∞ | L | ∞ | L
NPTime           | P | 0 | 0 | 0 | 0
                 | 1 | 0 | 0 | L | L
                 | L | 0 | 0 | L | L
                 | L | 0 | L | L | L
                 | L | L | L | L | L
                 | L | ∞ | L | L | L
coNPTime         | 0 | 0 | P | 0 | 0
Σ^P_2            | P | 0 | P | 0 | 0
Π^P_3            | P | P | P | 0 | 0
Π^P_2            | P | ∞ | P | 0 | 0
ExpTime          | 1 | 1 | 2 | ∞ | L
                 | L | L | L | ∞ | L
                 | 1 | 1 | 1 | ∞ | P
                 | P | ∞ | P | ∞ | P
NExpTime         | 1 | 0 | 0 | P | P
                 | P | 0 | 0 | P | P
                 | P | 0 | P | P | P
                 | P | P | P | P | P
                 | P | ∞ | P | P | P
2ExpTime         | 1 | 1 | 2 | ∞ | P
                 | P | P | P | ∞ | P
Table 4.2: Equivalences between signature classes and complexity classes
characterized by time-bounded Turing machines.
Chapter 5
The Ubiquity of Sequential Circuit Machines
We are now ready to demonstrate the relevance of our new universal com-
putation model by investigating the relation to other well-known formalisms
from the literature. Many formalisms that are unrelated at first sight share
a close connection to sequential circuit machines, in the sense that they can
be easily reduced to each other. In this chapter, we exploit these connections
to achieve two goals: (1) We first recover known complexity results from the
literature with drastically simpler proofs than the ones given in the original
papers. In fact, once the connection between a formalism and sequential cir-
cuit machines is established, many results immediately follow as corollaries.
(2) Using this new proof technique, we are also able to establish matching
lower and upper complexity bounds of some open problems.
The proposed approach is uniform for each formalism under considera-
tion: We pick a general decision problem P (one that subsumes many other
problems of interest) and define its succinctness signature σ̂ as a purely
syntactic function of the instance description. We then prove that P and
Divergingσ̂ are LogSpace-reducible to each other, thereby establishing
the completeness of P for the signature class that contains all succinctness
signatures subsumed by σ̂. Thanks to the syntactic connection between the
instances of P and succinctness signatures, we can now easily relate P and
its subproblems to signature classes, which, in turn, correspond to standard
complexity classes.
In Section 5.1, we start our investigation by relating the fundamental
principle of concurrency to succinctness. As a fundamentally different for-
malism, Section 5.2 demonstrates how a specification logic can be seen from
a succinctness perspective. Section 5.3 discusses further relations to other
succinct modeling formalisms.
5.1 Communicating State Machines
We start with communicating state machines, a well-known and general com-
putation model for asynchronous systems. For this thesis, this formalism is
interesting for two reasons: First, it represents a canonical formalism to
capture concurrency, which, historically, was one of the first sources of com-
plexity for which the state explosion problem was observed. Second, other
formalisms (such as timed automata) introduce parallelism by adopting the
general principle behind communicating state machines. Understanding the
succinctness of this model will give a clearer picture of the succinctness of
timed automata in Part II of this thesis.
We first define the computation model, choose controller synthesis as
the general decision problem, and then, by establishing the connection to
sequential circuit machines, we uniformly obtain complexity results.
5.1.1 Definition
Syntax. A communicating state machine (also known as concurrent state
machine) (CSM) M is represented by a tuple (Q, q0,Σ, E), where
• Q is a finite set containing the states,
• q0 ∈ Q is the initial state,
• Σ is a finite and nonempty set of events, and
• E ⊆ Q× Σ×Q is a transition relation.
For two states q, q′ ∈ Q and an event a, we write q −a→ q′ iff (1) a ∈ Σ and
(q, a, q′) ∈ E, or (2) a ∉ Σ and q = q′. We require CSMs to be event-
deterministic: for any two edges (q_1, a_1, q′_1), (q_2, a_2, q′_2) ∈ E, we require
(q_1 = q_2 ∧ a_1 = a_2) ⇒ (q′_1 = q′_2).
A network of communicating state machines is a finite set of CSMs
N = {M1,M2, . . . ,Mn} that run asynchronously and synchronize on shared
events. We also call the elements of a network components and use
M1‖M2‖ . . . ‖Mn
as an alternative notation. In the following, we define
Q = ∏_{i=1}^{n} Q_i and Σ = ⋃_{i=1}^{n} Σ_i
as those sets that contain the global states and the decisions of N , re-
spectively. We assume that a global state ~q ∈ Q is represented as an n-
dimensional vector. For two global states ~q, ~q′ ∈ Q, and an event a ∈ Σ,
we write ~q −a→ ~q′ iff, for all 1 ≤ i ≤ n, ~q[i] −a→ ~q′[i]. A situation in which
no further transition can be executed is called a deadlock. The set of all
deadlock states is defined as
Deadlock(N) = {~q ∈ Q | ¬∃a ∃~q′ : ~q −a→ ~q′}.
A controllable network of CSMs is a network of CSMs N (also called a
plant) whose events are partitioned into controllable events Σin ⊆ Σ (over
which N can be influenced) and into uncontrollable events Σout ⊆ Σ (which
are emitted by N and which can be observed externally). We assume that
each component (Q_i, q^i_0, Σ_i, E_i) in N is input enabled: for each q ∈ Q_i and
each a ∈ Σ_in, we require that
a ∈ Σ_i ⇒ ∃q′ ∈ Q_i : (q, a, q′) ∈ E_i.
Example 5.1.1. Figure 5.1 shows an example network of two state ma-
chines communicating via actions a, c, and d. Observe that the network
runs into a deadlock state after two a events are produced.
[Figure 5.1 (drawing not reproduced): two components composed with ‖, the
first with states s0, s1, s2 over the events a, b, c, d, the second with states
t0, t1, t2 over the events a, c, d.]
Figure 5.1: Example network of communicating state machines.
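As an added illustration (this code is not from the thesis), the following Python builds the global transition relation ~q −a→ ~q′ of a network, computes Deadlock(N) over the full product, and lists the deadlocks actually reachable from the initial state together with a witness event sequence. The two-component network at the bottom is constructed for this purpose and, like the network of Example 5.1.1, gets stuck after two a events; its states and edges are my own, not those of Figure 5.1.

```python
from collections import deque
from itertools import product


class CSM:
    """Communicating state machine (Q, q0, Sigma, E), checked for event-determinism."""

    def __init__(self, states, init, events, edges):
        self.Q = frozenset(states)
        self.q0 = init
        self.Sigma = frozenset(events)
        self.E = {}
        for (q, a, q2) in edges:
            if q not in self.Q or q2 not in self.Q or a not in self.Sigma:
                raise ValueError(f"edge {(q, a, q2)} uses an unknown state or event")
            # event-determinism: (q1 = q2 and a1 = a2) implies q1' = q2'
            if self.E.setdefault((q, a), q2) != q2:
                raise ValueError(f"two different successors for {(q, a)}")

    def step(self, q, a):
        """Local relation q -a-> q': the edge if a in Sigma, a self-loop if the
        component does not know a at all, None if a is known but not enabled."""
        if a not in self.Sigma:
            return q
        return self.E.get((q, a))


def global_step(net, qvec, a):
    """~q -a-> ~q' iff every component i has ~q[i] -a-> ~q'[i]; None otherwise."""
    succ = []
    for M, q in zip(net, qvec):
        q2 = M.step(q, a)
        if q2 is None:
            return None
        succ.append(q2)
    return tuple(succ)


def deadlock_states(net):
    """Deadlock(N): all global states of the product with no successor at all."""
    events = set().union(*(M.Sigma for M in net))
    return {
        qvec
        for qvec in product(*(sorted(M.Q) for M in net))
        if all(global_step(net, qvec, a) is None for a in events)
    }


def reachable_deadlocks(net):
    """Deadlocks reachable from the initial global state (BFS over the product),
    mapped to one event sequence that leads there."""
    events = sorted(set().union(*(M.Sigma for M in net)))
    init = tuple(M.q0 for M in net)
    parent = {init: None}
    queue = deque([init])
    found = {}
    while queue:
        qvec = queue.popleft()
        stuck = True
        for a in events:
            q2 = global_step(net, qvec, a)
            if q2 is None:
                continue
            stuck = False
            if q2 not in parent:
                parent[q2] = (qvec, a)
                queue.append(q2)
        if stuck:
            found[qvec] = _trace(parent, qvec)
    return found


def _trace(parent, qvec):
    seq = []
    while parent[qvec] is not None:
        qvec, a = parent[qvec]
        seq.append(a)
    return seq[::-1]


# Constructed network: a, c, d are shared, b is local to M1. After two a events
# M1 only offers c and M2 only offers d, and neither partner can follow.
M1 = CSM({"s0", "s1", "s2"}, "s0", {"a", "b", "c", "d"},
         [("s0", "a", "s1"), ("s1", "b", "s1"), ("s1", "a", "s2"), ("s2", "c", "s0")])
M2 = CSM({"t0", "t1", "t2"}, "t0", {"a", "c", "d"},
         [("t0", "a", "t1"), ("t1", "a", "t2"), ("t2", "d", "t0")])
NET = [M1, M2]

if __name__ == "__main__":
    for qvec, trace in reachable_deadlocks(NET).items():
        print(qvec, "is a deadlock reached via", trace)
```

Note that Deadlock(N) as defined above ranges over all global states, reachable or not; the BFS variant is the one a model checker reports.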
Semantics. The semantics of a controllable network of CSMs N with
events Σ = Σ_in ⊎ Σ_out is formally described as the finite game arena ⟦N⟧ =
(S_E, S_A, s_0, Σ_E, Σ_A, ∆), where
• S_E = {E} × (Q_1 × ... × Q_n),
• S_A = {A} × (Q_1 × ... × Q_n),
• s_0 = (A, (q^1_0, ..., q^n_0)),
• Σ_E = Σ_in ⊎ {τ},
• Σ_A = Σ_out ⊎ {τ},
• ∆((p, ~q), a) = s′, where
s′ = (p, ~q) if a = τ;
s′ = (A, ~q′) if ~q −a→ ~q′.
For a set of states Y ⊆ Q, we write ⟦N⟧ |= AG(Y) as a shorthand for ⟦N⟧ |= AG({E, A} × Y).
5.1.2 Controller Synthesis
Problem definition. An input to the safety controller synthesis prob-
lem for controllable networks of CSMs CsmSynth is represented by a tu-
ple (N, Σ^obs_out, q_b, q_max), where
• N is a controllable network of CSMs,
• Σ^obs_out ⊆ Σ_out are the observable output events,
• q_b ∈ ⋃_{1≤i≤n} Q_i is a dedicated bad state, and
• q_max ∈ N ∪ {∞} is a bound on the number of states of the controller.
Deciding CsmSynth on x is to check whether there exists a controller
component C = (Q_c, q^c_0, Σ_in ∪ Σ^obs_out, E_c) such that the following conditions
are satisfied:
(1) C satisfies the state bound: |Q_c| ≤ q_max;
(2) C is nonblocking: if ⟦N⟧ |= AG(Deadlock(N)) then ⟦N‖C⟧ |=
AG(Deadlock(N‖C));
(3) C is safe: ⟦N‖C⟧ |= AG(S_b), where S_b is the set of those states where
the component that contains q_b is in q_b.
For convenience, we define Σ^unobs_out = Σ \ (Σ_in ∪ Σ^obs_out) to refer to all un-
observable events. We say that CsmSynth is under full observability if
Σ^unobs_out = ∅. We say that CsmSynth is under no observability if Σ^obs_out = ∅.
Example 5.1.2. Figure 5.2(a) shows an example network of communicating
state machines. The input actions are a and c, while the output actions are b
and d. The state u3 of the third component is the dedicated bad state, which
is reached whenever the first two components enter the states s1 and t1 at
the same time. A feasible four-state controller is shown in Figure 5.2(b),
which ensures that u3 is never reached.
[Figure 5.2(a) (drawing not reproduced): three components composed with ‖:
states s0, s1 with events a?, b!; states t0, t1 with events c?, d!; states u0, u1,
u2, u3 with events a?, b!, c?, d!.]
(a) Example network of CSMs.
[Figure 5.2(b) (drawing not reproduced): a controller with states c0, c1, c2, c3
and events a!, b?, c!, d?.]
(b) Example controller.
Figure 5.2: Example network of communicating state machines with a
controller that ensures that u3 is never reached.
Game-theoretic solution. An input x to CsmSynth, where x =
(N, Σ^obs_out, q_b, q_max), induces a finite safety game
G(CsmSynth, x) = (A, B, V, β),
which is defined as follows:
• A = ⟦N⟧.
• B is defined as those states where the component that contains q_b is
in q_b.
• The fact that the controller can only observe the last visible event
emitted by N (but not the current state of the components) is reflected
in the definition of the view of Player E on A:
V = (Σ^obs_out ⊎ {τ}, vis),
where
vis(d) = d if d ∈ Σ^obs_out ∪ {τ};
vis(d) = ε otherwise.
• β = q_max.
Theorem 5.1.3. For a given input x, CsmSynth(x) = yes iff Player E
wins G(CsmSynth, x).
Proof. The statement immediately follows from the definition of (the con-
stituent components of) (A, B, V, β).
5.1.3 Complexity Analysis
For an input x = (N, Σ^obs_out, q_b, q_max) to CsmSynth, we define the instance
signature sig(CsmSynth, x) as
log( (|Σ_in| + 1, |Σ^obs_out| + 1, |Σ_out| + 1), (q_max, |∏_{M∈N} M_Q|) ).
Note that we have not yet specified whether qmax is given in unary or binary.
As a basis for obtaining the complexity of model checking and synthesis
for communicating state machines, we first show that one can use sequential
circuit machines to decide CsmSynth.
Lemma 5.1.4. For an input x, G(CsmSynth, x) allows a succinct circuit
representation of signature sig(CsmSynth, x).
Proof. We show that the definition of G(CsmSynth, x) matches the prop-
erties required for succinct circuit representations from Section 3.4.
(1) There is a logarithmic encoding of the controllable decisions Σ_in ∪ {τ}
since Σ_in is explicitly given. We introduce the bits ̂(Σ^obs_out ∪ {τ}) for repre-
senting the observable uncontrollable events. We also introduce the bits
̂(Σ^unobs_out) for representing the unobservable uncontrollable events. Then,
the bits for the logarithmic encoding of all uncontrollable decisions are
̂(Σ^obs_out ∪ {τ}) ⊎ ̂(Σ^unobs_out).
The logarithmic encoding of the positions can be obtained by combin-
ing the local logarithmic encodings of the components, whose states are
given explicitly. One extra bit is additionally needed to encode the in-
formation which player can move. A position can thus be represented
as a bit string whose length is bounded by |N| · ⌈log Q_max⌉ + 1, where
Q_max = max_{1≤i≤|N|} |Q_i|.
(2) Concerning the move function ∆, we first obtain |N| sub-circuits rep-
resenting the local transition relations of the individual components. Let
b = ⌈log |Q_i|⌉ be the number of node bits for component N_i, 1 ≤ i ≤ |N|.
Since each E_i is explicitly given, for each E_i, we can obtain a DNF of size
polynomial in |Q_i| · |Σ| that computes a Boolean function E^c_i(s, d) = (v, s′)
that, for a state s ∈ Q_i and a decision d ∈ Σ, computes a valid flag v ∈ {0, 1}
and a successor state s′ ∈ Q_i such that v = 1 iff (s, d, s′) ∈ E_i. The simple
circuit ∆^c representing the move function of ⟦N⟧ can now be obtained by
executing the various E^c_i in parallel for computing the bits of the global
successor state. The global valid flag is just the conjunction of all local
valid flags. Hence, it can be easily seen that the size of ∆^c is bounded by
O(|Q_max| · |Σ|) and its depth is constant.
(3) Similar to (2), we construct B^c as a DNF that yields a 1 whenever the
component that contains state q_b is in q_b.
(4) We represent V as the subset ̂(Σ^obs_out ∪ {τ}) ⊆ ̂(Σ_out ∪ {τ}).
By combining Lemma 5.1.4 and Lemma 3.4.1, we immediately obtain that
every given instance of CsmSynth can be transformed into an instance of
Diverging for sequential circuit machines with the same signature.
Lemma 5.1.5. For a succinctness signature σ̂ ∈ C((L,L∞,L), (P∞,P)),
CsmSynthσ̂ is LogSpace-reducible to Divergingσ̂.
With the following lemma, we establish the opposite direction:
Lemma 5.1.6. For a succinctness signature σ̂ ∈ C((L,L∞,L), (P∞,P)),
Divergingσ̂ is LogSpace-reducible to CsmSynthσ̂.
Proof. For a given machine S = (((nE, nEA, nA), (mE, mA)), CA), we construct
an input (N, Σ^obs_out, q_b, q_max) to CsmSynth in the following way. Without
loss of generality, we assume CA has no shared sub-circuits and, thus, is
represented as a Boolean expression, where CA(MA_i) is the Boolean function
that computes the new value for MA_i, 1 ≤ i ≤ mA, and CA(h) computes the
value of the halting flag.
The idea of our construction is to use independent components to repre-
sent bits. For representing the bits of the circuit elements, for each element
x in NA ∪ NE ∪ MA ∪ {h}, and the updated universal memory MA′, we
introduce a component M^x = (Q^x, q^x_0, Σ^x, E^x), which is defined as follows:
Q^x = {m^x_0, m^x_1};
q^x_0 = m^x_0;
Σ^x = {r(x, 0), r(x, 1), w(x, 0), w(x, 1)};
E^x = { (m^x_0, w(x, 0), m^x_0), (m^x_0, w(x, 1), m^x_1), (m^x_0, r(x, 0), m^x_0),
(m^x_1, w(x, 0), m^x_0), (m^x_1, w(x, 1), m^x_1), (m^x_1, r(x, 1), m^x_1) }.
We define the set of observable uncontrollable events as Σ^obs_out = ~NEA,
the set of unobservable uncontrollable events as Σ^unobs_out = {}, and the set of
controllable events as Σ_in = ~NE. To simulate the actual sequential execution
of S, we introduce a control component M^c = (Q^c, q^c_0, Σ^c, E^c), which is
constructed as follows. First, for determining values for the unobservable
universal guessing bits, we let M^c nondeterministically branch with an ε-
edge to a particular chain of write events of the form
gu_1 −w(NA_1, v_1)→ ... → gu_{nA−nEA} −w(NA_{nA−nEA}, v_{nA−nEA})→ gu_f,
where (v_1, ..., v_{nA−nEA}) represents a vector from ~(NA \ NEA). Here, we con-
sider 2^{nA−nEA} branching decisions to cover all possible choices. Then, for
determining values for the observable universal guessing bits, M^c nondeter-
ministically branches with an edge labeled with a ~nea ∈ ~NEA to a particular
chain of widgets of the form
go_1 −w(NO_1, ~nea[1])→ ... → go_{nEA} −w(NO_{nEA}, ~nea[nEA])→ go_f.
Here, we consider 2^{nEA} branching decisions to cover all possible choices. After
the universal guessing bits are determined, M^c awaits the values for the
circuit elements NE from the controller. For this purpose, we let P receive
a controllable event ~ne ∈ Σ_in and then branch to a chain of widgets of the
form
ge_1 −w(NE_1, ~ne[1])→ ... → ge_{nE} −w(NE_{nE}, ~ne[nE])→ ge_f.
Since we have only a logarithmic number of guessing bits, the exponential
blowup due to the nondeterministic branching results only in a polynomial
control structure.
Now, for each Boolean formula CA(y), y ∈ MA ∪ {h}, we embed its
formula DAG D = dag(CA(y)) (recall Section 2.2) into the control structure
of M c: For each node in D, we add a state to Qc, and for each edge in D,
we add an edge to Ec, such that for some circuit element z ∈ NA∪NE∪MA,
if the original edge is labeled with the literal z then the corresponding edge
in Ec carries the event r(z, 1), and if the original edge is labeled with the
literal ¬z then the corresponding edge in Ec carries the event r(z, 0). We
identify root(D) with c^y, true(D) with s^y_0, and false(D) with s^y_1. We connect
the various sub components with each other by adding the following edges
to Ec:
(1) (g^y_f, w(y, v), g^{y′}_1), where v ∈ {0, 1} and y, y′ ∈ NE ∪ NA, as-
suming that y′ succeeds y in the total order of the circuit ele-
ments NE_1, ..., NE_{nE}, NA_1, ..., NA_{nA};
(2) (s^y_v, w(y′′, v), c^{y′}), where v ∈ {0, 1}, and y, y′ ∈ MA ∪ {h}, assuming that y′
succeeds y in the total order of the circuit elements MA_1, ..., MA_{mA}, h,
and that y′′ is either the corresponding updated memory element if
y ∈ MA, or h otherwise;
(3) (s^h_v, w(h, v), g_1), where v ∈ {0, 1} and assuming that g_1 is the first guess-
ing state or c^{MA_1} if NA = NE = ∅.
Note that the only existential nondeterminism in M c occurs for resolving
the branching decisions for the existential guessing bits. The universal non-
determinism is used for resolving the branching decisions for the universal
guessing bits and for resolving the nondeterminism in the DAGs of the
Boolean formulas. Before the execution of a cycle finishes, we copy the contents
of the updated memory MA′ to MA by the following chain of events:
d_1 −r(MA′_1, v_1)→ d^{v_1}_1 −w(MA_1, v_1)→ ... →
d_{mA} −r(MA′_{mA}, v_{mA})→ d^{v_{mA}}_{mA} −w(MA_{mA}, v_{mA})→ d_f.
We finish our construction by defining the set of processes
N = {M^c, M^x | x ∈ NE ∪ NA ∪ MA ∪ {h}}
and the bad state q_b as m^h_1.
The combination of Lemma 5.1.5 and Lemma 5.1.6 gives the desired
connection between CSMs and SCMs:
Theorem 5.1.7. For a succinctness signature σ̂ ∈ C((L,L∞,L), (P∞,P)),
CsmSynthσ̂ and Divergingσ̂ are LogSpace-reducible to each other.
When we assume a one-player setting (by either choosing Σin = ∅ or
Σout = ∅), controller synthesis reduces to the safety model checking problem.
The combination of Theorem 5.1.7, Lemma 4.1.1, and Theorem 4.2.5 yields
the complexity for safety model checking of CSMs:
Corollary 5.1.8. The AG-model checking problem for networks of CSMs is
complete for
• C((0, 0,L), (0,L)) = NLogSpace, if only a constant number of com-
ponents is allowed, and
• C((0, 0,L), (0,P)) = PSpace, in the general case, respectively.
The EG-model checking problem for networks of CSMs is complete for
• C((L, 0, 0), (∞,L)) = NLogSpace, if only a constant number of com-
ponents is allowed, and
• C((L, 0, 0), (∞,P)) = PSpace, in the general case, respectively.
When we assume two players, by combining Lemma 4.1.1 and Theo-
rems 4.2.5, 4.2.6, and 5.1.7, we obtain the complexities for controller syn-
thesis under no, partial, and full observability:
Corollary 5.1.9. The unbounded safety controller synthesis problem for
controllable networks of CSMs is complete for
• C((L, 0,L), (∞,P)) = ExpSpace, assuming no observability,
• C((L,L,L), (∞,P)) = 2ExpTime, assuming partial observability, and
• C((L,∞,L), (∞,P)) = ExpTime, assuming full observability, respec-
tively.
By imposing a bound on the number of processes in the plant and/or
on the states of the controller, by combining Theorem 5.1.7, Lemma 4.1.1,
and Theorems 4.2.8 and 4.2.9, we obtain the complexities for finding small
witnesses and bounded controller synthesis:
Corollary 5.1.10. The EG-small witness problem for networks of CSMs is
complete for
• C((L, 0, 0), (L,L)) = NPTime if only a constant number of compo-
nents is allowed and the bound on the length of the witness is encoded
in unary,
• C((L, 0, 0), (L,P)) = PSpace if the bound on the length of the witness
is encoded in unary, and
• C((L, 0, 0), (P,P)) = NExpTime if the bound on the length of the
witness is encoded in binary, respectively.
Corollary 5.1.11. The bounded safety controller synthesis problem for con-
trollable networks of CSMs is complete for
• C((L,L,L), (L,L)) = NPTime if only a constant number of compo-
nents is allowed and the bound on the states of the controller is encoded
in unary,
• C((L,L,L), (L,P)) = PSpace if the bound on the states of the con-
troller is encoded in unary, and
• C((L,L,L), (P,P)) = NExpTime if the bound on the states of the
controller is encoded in binary, respectively.
5.1.4 Bibliographic Remarks
The NLogSpace-completeness result of deciding (co-)reachability in an ex-
plicitly given (i.e., unary-encoded) directed graph is due to Jones [1975].
The unavoidable exponential increase to PSpace in the model checking
complexity for CSMs was shown by Harel et al. [1997]. Also, the ExpTime-
completeness result for the alternating (i.e., safety synthesis) case can easily
be deduced from that work. Kupferman and Sheinvald-Faragy [2006] estab-
lished the NPTime-, PSpace-, and NExpTime-completeness for the small
witness problem for nondeterministic, alternating, and concurrent Büchi
word automata¹, respectively, where the bound on the length of the witness
is given in binary. The NPTime-completeness of bounded synthesis against
a specification in form of an automaton, for a bound given in unary, was
shown by Schewe and Finkbeiner [2007] and Kupferman et al. [2011]. The
latter work also proved that when imposing unary bounds on the controller
and the environment, the problem becomes ΣP2 -complete, a result that, in
principle, can also be easily established using sequential circuit machines.
Based on the connection to sequential circuit machines, we are able to fill
in the missing gaps: For instance, the Corollaries 5.1.10 and 5.1.11 establish
the PSpace-completeness of both finding shortest witnesses and bounded
synthesis for CSMs, where the bounds are given in unary.
5.2 Linear-time Temporal Logic
In the previous section, we saw how one can use sequential circuit machines
to uniformly obtain various complexity results for an automata-based mod-
eling formalism. One might ask the question, whether one could apply the
same technique to obtain complexity results for specification logics, a fun-
damentally different kind of formalism.
As a proof of concept, in this section, we make the connection between
sequential circuit machines and Linear-time Temporal Logic (LTL) [Pnueli,
1977]. Using sequential circuit machines, the PSpace-hardness proof of LTL
satisfiability gets surprisingly simple and intuitive.
We first recall the definition of the safety fragment of LTL and choose sat-
isfiability as the main decision problem. We then establish the connection to
sequential circuit machines and finally obtain a new PSpace-completeness
proof.
5.2.1 Definition
For a comprehensive overview on LTL, we refer to Baier and Katoen [2008,
Chapter 5].
¹ Even though Büchi acceptance is more general than safety acceptance, it is easily seen
that their proofs of the lower bounds also apply to the safety case.
Syntax. Let AP be a finite set of atomic propositions. The set of all LTL
formulas LTL(AP) is inductively defined by the following rules:
• true;
• false;
• a, for an a ∈ AP;
• ¬a, for an a ∈ AP;
• ϕ ∧ ψ, for ϕ,ψ ∈ LTL(AP);
• ϕ ∨ ψ, for ϕ,ψ ∈ LTL(AP);
• Xϕ, for ϕ ∈ LTL(AP);
• Gϕ, for ϕ ∈ LTL(AP);
• Fϕ, for ϕ ∈ LTL(AP);
• ϕUψ, for ϕ,ψ ∈ LTL(AP);
• ϕRψ, for ϕ,ψ ∈ LTL(AP).
Here, X, G, U, and R are called the temporal operators. We write [ϕ] to refer
to the set of subformulas of ϕ. The temporal depth of ϕ is the maximal
number of nestings of temporal operators. We say that a formula ϕ is in
the syntactic safety fragment if the only temporal operators occurring in ϕ
are X and G. Let SafeLTL(AP) contain all formulas in the syntactic safety
fragment.
Semantics. For a given finite set of atomic propositions AP , a path over
AP is defined as an infinite sequence of sets of atomic propositions. We
define the set of all paths as Paths(AP) = (2^AP)^ω. If p ∈ Paths(AP) is of
the form
A1 A2 A3 . . .
then, for an i ∈ N≥1, we write p[i] to refer to Ai and p[i . . .] to refer to the
infinite subsequence
Ai Ai+1 Ai+2 . . . .
The semantics of LTL-formulas is defined in terms of the satisfaction
relation |=. For a given path p ∈ Paths(AP) and an LTL-formula ϕ ∈
LTL(AP), we define p |= ϕ as follows:
• p |= true;
• p ⊭ false;
• p |= a iff a ∈ p[1];
• p |= ¬a iff a /∈ p[1];
• p |= ϕ ∧ ψ iff p |= ϕ and p |= ψ;
• p |= ϕ ∨ ψ iff p |= ϕ or p |= ψ;
• p |= Xϕ iff p[2 . . .] |= ϕ;
• p |= Gϕ iff for all i > 0, p[i . . .] |= ϕ;
• p |= ϕUψ iff there is an i > 0 such that p[i . . .] |= ψ and for all
0 < j < i, p[j . . .] |= ϕ;
• p |= Fϕ iff p |= trueUϕ;
• p |= ϕRψ iff p |= Gψ ∨ ψU(ϕ ∧ ψ).
5.2.2 Satisfiability
Problem definition. For a given set of atomic propositions AP and
an LTL formula ϕ ∈ LTL(AP), the problem LtlSat(AP , ϕ) is to decide
whether there exists a path p ∈ Paths(AP) such that p |= ϕ.
Example 5.2.1. The LTL formula aU(bX(Gc)) is satisfied by the path
{a}{a}{a}{b}{c}ω. The LTL formula (G¬a) ∧ (bUa) is unsatisfiable.
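As an added example (not code from the thesis), the following Python evaluates the satisfaction relation above on ultimately periodic paths of the form prefix·loop^ω, which is all that is needed to check the paths of Example 5.2.1; it also implements the syntactic safety-fragment test and the temporal depth from the syntax paragraph. The first formula of the example is read here as a U (b ∧ X(G c)), an assumption about the connective lost in the rendering.

```python
# Formula AST, negation only on atoms as in the syntax above:
#   ("true",) ("false",) ("ap", a) ("not", a) ("and", f, g) ("or", f, g)
#   ("X", f) ("G", f) ("F", f) ("U", f, g) ("R", f, g)
TEMPORAL = ("X", "G", "F", "U", "R")


def subformulas(phi):
    """Direct subformulas of a node (skips the atom name in ("ap", a) / ("not", a))."""
    return [s for s in phi[1:] if isinstance(s, tuple)]


def is_safe(phi):
    """Syntactic safety fragment SafeLTL: the only temporal operators are X and G."""
    if phi[0] in ("F", "U", "R"):
        return False
    return all(is_safe(s) for s in subformulas(phi))


def temporal_depth(phi):
    """Maximal number of nestings of temporal operators."""
    inner = max((temporal_depth(s) for s in subformulas(phi)), default=0)
    return inner + (1 if phi[0] in TEMPORAL else 0)


class LassoPath:
    """Ultimately periodic path prefix . loop^omega over 2^AP, so every suffix
    has finitely many distinct positions. Positions are 0-based here; the
    page's p[i] is labels[i-1]."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be nonempty")
        self.labels = [frozenset(s) for s in prefix] + [frozenset(s) for s in loop]
        self.loop_start = len(prefix)

    def nxt(self, i):
        return i + 1 if i + 1 < len(self.labels) else self.loop_start

    def suffixes(self, i):
        """Each distinct position of the suffix p[i...], in path order, once."""
        seen = set()
        while i not in seen:
            seen.add(i)
            yield i
            i = self.nxt(i)

    def sat(self, phi, i=0):
        """p[i...] |= phi, clause by clause as in the satisfaction relation."""
        op = phi[0]
        if op == "true":
            return True
        if op == "false":
            return False
        if op == "ap":
            return phi[1] in self.labels[i]
        if op == "not":
            return phi[1] not in self.labels[i]
        if op == "and":
            return self.sat(phi[1], i) and self.sat(phi[2], i)
        if op == "or":
            return self.sat(phi[1], i) or self.sat(phi[2], i)
        if op == "X":
            return self.sat(phi[1], self.nxt(i))
        if op == "G":
            return all(self.sat(phi[1], j) for j in self.suffixes(i))
        if op == "F":                      # F phi == true U phi
            return self.sat(("U", ("true",), phi[1]), i)
        if op == "U":                      # first j with psi, phi at every step before
            for j in self.suffixes(i):
                if self.sat(phi[2], j):
                    return True
                if not self.sat(phi[1], j):
                    return False
            return False
        if op == "R":                      # phi R psi == G psi or psi U (phi and psi)
            f, g = phi[1], phi[2]
            return self.sat(("or", ("G", g), ("U", g, ("and", f, g))), i)
        raise ValueError(f"unknown operator {op!r}")


# Example 5.2.1 (assumed reading of the first formula: a U (b and X(G c))).
PHI1 = ("U", ("ap", "a"), ("and", ("ap", "b"), ("X", ("G", ("ap", "c")))))
PATH1 = LassoPath([{"a"}, {"a"}, {"a"}, {"b"}], [{"c"}])
PHI2 = ("and", ("G", ("not", "a")), ("U", ("ap", "b"), ("ap", "a")))

if __name__ == "__main__":
    print(PATH1.sat(PHI1), PATH1.sat(PHI2), is_safe(PHI1), temporal_depth(PHI1))
```

Evaluating PHI2 on a single path only shows it fails there; unsatisfiability is the statement that no path at all satisfies it, which is what SafeLtlSat decides.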
The problem SafeLtlSat(AP , ϕ) is the restriction of LtlSat to the
syntactic safety fragment (i.e., assuming that ϕ ∈ SafeLTL(AP)).
Game-theoretic solution. We give a solution for SafeLtlSat in terms
of a blindfold game that is played between Players E and A. It can be
seen as a game-theoretic extension of the approach based on alternating au-
tomata [Vardi, 1997] proposed by Manna and Sipma [2000]. To the best of
the author’s knowledge, this is the first such interpretation of LTL satisfia-
bility.
For a given formula ϕ, the idea of our construction is that Player E
stepwise proposes a path p and resolves the disjunctions in ϕ. Player A
resolves the conjunctions in ϕ and checks whether the proposed p satisfies
ϕ. We use the blindfoldedness of E to hide all the verification steps that A
nondeterministically performs to validate p.
The actual interplay between E and A alternates between a proposal
and a verification phase. In the proposal phase, E determines which atomic
propositions are part of the next step of p. A nondeterministically (and
unobservably for E) chooses a certain subformula that should be faithfully
checked in the verification phase.
In the verification phase, A nondeterministically (and, again, unobserv-
ably for E) navigates through adjacent subformulas until he reaches (1) a
subformula true or false, (2) an atomic proposition check (of the form
a or ¬a, for an a ∈ AP), or (3) a next operator (of the form Xψ, for a
ψ ∈ LTL(AP)). In cases (1) or (2), either the game stops by entering a
dedicated bad state if the propositional check is negative or it enters a state
from which the bad state is not reachable. In case (3), A remains at the cur-
rent subformula Xψ and waits until the verification phase ends, whereupon
ψ is chosen as the next subformula. In each round of the verification phase,
E proposes a sequence of bits of constant length to resolve the disjunctions
in ϕ. This way, E does not need to know which subformula A has chosen.
More formally, a set of atomic propositions AP = {a0, a1, . . . , an} and
an LTL formula ϕ ∈ SafeLTL(AP) induce an unbounded blindfold safety
game
G(SafeLtlSat, (AP , ϕ)) = (A, B,Vτ ,∞),
which is defined in the following.
A = (SE, SA, s0,ΣE,ΣA,∆) is a game arena that models the game con-
struction explained above, where
• the positions are divided into the proposal and the verification phase:
S_E = ({P} × {E} × [ϕ] × AP × {0, 1}^2 × {0, ..., |AP|}) ∪
({V} × {E} × [ϕ] × AP × {0, 1} × {0, ..., |[ϕ]|}^2) ∪
{true},
S_A = ({P} × {A} × [ϕ] × AP × {0, 1}^2 × {0, ..., |AP|}) ∪
({V} × {A} × [ϕ] × AP × {0, 1} × {0, ..., |[ϕ]|}^2) ∪
{false},
• s_0 = (P, E, ϕ, a, 0, 0, 0) for some arbitrary a ∈ AP,
• Σ_E = {0, 1},
• Σ_A = {0, 1},
• the proposal phase is defined as ∆((P, p, ϕ_1, a, q, q′, c), d) = s′, where
s′ = (P, A, ϕ_1, a, q, d, c) if p = E, c < |AP|;
s′ = (P, E, ϕ_1, a_c, q′, q′, c + 1) if p = A, c < |AP|, d = 0;
s′ = (P, E, ϕ_1, a, q, q′, c + 1) if p = A, c < |AP|, d = 1;
s′ = (V, E, ϕ_1, a, q, 0, 0) if c = |AP|;
• the proposal of the disjunctions in the verification phase is defined as
∆((V, E, ϕ_1, a, q, c_e, c_a), d) = s′, where
s′ = (V, E, ϕ_1, a, q, c_e + 1, c_a) if c_e < |[ϕ]|, c_e ≠ idx(ϕ_1);
s′ = (V, E, ϕ_2, a, q, c_e + 1, c_a) if c_e = idx(ϕ_1), ϕ_1 −d→_E ϕ_2;
s′ = (V, A, ϕ_1, a, q, 0, c_a) if c_e = |[ϕ]|;
• the actual verification is defined as ∆((V, A, ϕ_1, a, q, c_e, c_a), d) = s′,
where
s′ = (V, E, ϕ_2, a, q, 0, c_a + 1) if c_a < |[ϕ]|, ϕ_1 −d→_A ϕ_2;
s′ = (P, E, ψ, a, q, q, 0) if c = |[ϕ]|, ϕ_1 ≡ Xψ;
s′ = (a′ = a ⇒ q = 1) if c = |[ϕ]|, ϕ_1 ≡ a′;
s′ = (a′ = a ⇒ q = 0) if c = |[ϕ]|, ϕ_1 ≡ ¬a′;
s′ = true if c = |[ϕ]|, ϕ_1 ≡ true;
s′ = false if c = |[ϕ]|, ϕ_1 ≡ false.
Here, the relations →_E and →_A connect adjacent subformulas in ϕ and thus
constitute its subformula tree. Let ϕ_1 be a subformula of ϕ and p ∈ {E, A},
then we generally have ϕ_1 −d→_p ϕ_1, for a d ∈ {0, 1}, except for the following
cases:
• if ϕ_1 ≡ ϕ_2 ∧ ψ_2 and p = A then ϕ_1 −0→_A ϕ_2 and ϕ_1 −1→_A ψ_2;
• if ϕ_1 ≡ ϕ_2 ∨ ψ_2 and p = E then ϕ_1 −0→_E ϕ_2 and ϕ_1 −1→_E ψ_2;
• if ϕ_1 ≡ Gϕ_2 and p = A then ϕ_1 −0→_A ϕ_2 and ϕ_1 −1→_A Xϕ_1.
Note that we assume for [ϕ], without loss of generality, for each subfor-
mula Gϕ1 there is also a subformula XGϕ1.
We finish our game construction by defining the set of bad states as the
singleton set B = {false}.
Theorem 5.2.2. For a given set of atomic propositions AP and an LTL
formula ϕ ∈ SafeLTL(AP), LtlSat(AP , ϕ) = yes iff Player E wins
G(SafeLtlSat, (AP , ϕ)).
Proof. The statement immediately follows from the definition of (the con-
stituent components of) G(SafeLtlSat, (AP , ϕ)).
5.2.3 Complexity Analysis
Similar to the previous section, we first define the instance signature of a
dedicated problem, which is SafeLtlSat in this case. For a set of atomic
propositions AP and an LTL formula ϕ ∈ SafeLTL(AP), we define the
instance signature sig(SafeLtlSat, (AP, ϕ)) as
((1, 0, 1), (∞, O(log |[ϕ]| + log |AP|))).
Hence, a candidate signature class for which we want to prove completeness
is C((1, 0, 1), (∞,L)).
We first show that we can use sequential circuit machines to encode the
game construction described above.
Lemma 5.2.3. For a set of atomic propositions AP and an LTL for-
mula ϕ ∈ SafeLTL(AP), G(SafeLtlSat, (AP , ϕ)) allows a succinct cir-
cuit representation of signature sig(SafeLtlSat, (AP , ϕ)).
Proof. Since every component of G(SafeLtlSat, (AP , ϕ)) is given explic-
itly, it can be easily seen that its definition matches the properties required
for succinct circuit representations from Section 3.4. The move function ∆
and the bad states B can be represented as DNFs.
From the combination of Lemma 5.2.3 and Lemma 3.4.1, we immediately obtain that every given instance of SafeLtlSat can be transformed into an instance of Diverging for sequential circuit machines with an equivalent signature.
Lemma 5.2.4. For a succinctness signature σ̂ ∈ C((1, 0, 1), (∞,L)),
SafeLtlSatσ̂ is LogSpace-reducible to Divergingσ̂.
With the following lemma, we establish the opposite direction:
Lemma 5.2.5. For a succinctness signature σ̂ ∈ C((1, 0, 1), (∞,L)),
Divergingσ̂ is LogSpace-reducible to SafeLtlSatσ̂.
Proof. For a given sequential circuit machine $S = (\sigma, C_A)$, we describe a LogSpace reduction that constructs a set of atomic propositions $AP$ and an LTL formula $\varphi \in \mathrm{SafeLTL}(AP)$ such that
$$\mathrm{sig}(\textsc{SafeLtlSat}, (AP, \varphi)) = \sigma$$
and $\textsc{SafeLtlSat}(AP, \varphi) = \mathit{yes}$ iff $S$ diverges. Since, according to Corollary 4.2.7, $\mathcal{C}((1, 0, 1), (\infty, \mathcal{L})) = \mathcal{C}((1, 0, 0), (\infty, \mathcal{P}))$, we can also assume $\sigma = ((1, 0, 0), (\infty, m_A))$ with $m_A$ being polynomial in the size of $AP$ and $\varphi$.
The basic idea of our reduction is to use AP to represent the universal
memory and to use ϕ to encode the semantics of S. Note that, without loss
of generality, we assume that CA can be represented by a Boolean formula,
which can thus be embedded into ϕ. Formally, we define AP = MA and
ϕ ≡ G
∨
e∈{0,1}
(
¬CA(h) ∧
∧
a∈MA
(
Xa⇔ CA(a)
) )
,
5.3. FURTHER SUCCINCT FORMALISMS 77
where CA(x) is the Boolean formula with free variables MA ∪ {e} that com-
putes x ∈ MA ∪ {h}. Furthermore, note that the negation in front of the
next operator does not do any harm since ¬Xa ≡ X¬a.
The combination of Lemma 5.2.4 and Lemma 5.2.5 gives the desired
connection between LTL and SCMs:
Theorem 5.2.6. For a succinctness signature σ̂ ∈ C((1, 0, 1), (∞,L)),
SafeLtlSatσ̂ and Divergingσ̂ are LogSpace-reducible to each other.
Finally, the combination of Theorem 5.2.6 and Theorem 4.2.5 yields the
complexity for satisfiability of the syntactic safety fragment of LTL:
Corollary 5.2.7. SafeLtlSat is complete for C((1, 0, 1), (∞,L)), that is
PSpace-complete, even when we assume that formulas have a maximal tem-
poral depth of 2.
5.2.4 Bibliographic Remarks
The PSpace-completeness of LTL satisfiability was first established by Sistla
and Clarke [1985]. The more precise result of the PSpace-hardness even
when formulas may only have a temporal depth of at most 2 is due to
Demri and Schnoebelen [2002] [see Schnoebelen, 2002, for a comprehensive
summary]. However, our hardness proof (i.e., the proof of Lemma 5.2.5) is
much more succinct than the classical proof.
5.3 Further Succinct Formalisms
In this section, we discuss the relationship of sequential circuit machines to
some other well-known formalisms from the literature.
Boolean automata. A Boolean automaton is a finite state automaton
extended with Boolean variables. The variables may be referenced in con-
straints that are used as guards defining when an edge can be executed.
When executing an edge, the values of some variables can be set to a new
value.
The correspondence between sequential circuit machines and Boolean
automata is obvious: One can use the Boolean variables to represent the
values of the various circuit elements. Combinatorial circuits (for which we
assume that they are simple, without loss of generality) are represented as
guards. Now, when we ask for the complexity of (un)bounded (alternating)
reachability or safety under no, partial, or full observability, respectively,
instead of establishing every single result individually, we just need to carry
over all the results for sequential circuit machines from Section 4.2.
78 CHAPTER 5. THE UBIQUITY OF SCMS
We note that Laroussinie and Schnoebelen [2000] first showed that, for
checking bisimilarity, there is a complexity-theoretic connection between
Boolean automata, timed automata, and one-safe Petri nets. Later, Chadha
et al. [2010] made the connection between Boolean automata and the more
general lifting lemma by Lozano and Balcázar [1989] for establishing the
complexity of problems defined on succinct instances.
Propositional planning. For a given set of discrete state variables, a
planning task describes update rules in form of p→ q, where p is a conjunc-
tive condition on the values of the state variables and q is a list of variable
assignments. A solution to a given planning task is a plan that defines an
execution sequence of rules so that some goal state is reached from a given
initial variable valuation.
Again, the correspondence to sequential circuit machines is obvious: One
can use the state variables to model the values of the circuit elements, and
the choice of the rules to model the existential nondeterminism. Combina-
torial circuits (for which we assume that they are simple, without loss of
generality) are represented using the preconditions of the update rules. In
the presence of nondeterministic operators (i.e., in an alternating planning
setting), we just need to add universal nondeterminism in the sequential
circuit machine. The extension to partial information and/or boundedness
can also be achieved easily.
We note that Bylander [1994] established the PSpace-completeness of
the basic version of the problem (with only one player and no bounds).
The extension to the alternating case was considered by Littman [1997],
where the ExpTime-completeness result was established. Bäckström and
Nebel [1995] investigated the impact of imposing a (polynomial, i.e., unary-
encoded) bound on the length of the plan and established several complete-
ness results between NPTime and PSpace. The extension to the setting of
partial information was investigated by Rintanen [2004].
Now, by carrying over the complexity results from Section 4.2, we are
able to extend that line of research by, e.g., introducing the NExpTime-
completeness of deciding the existence of deterministic or nondeterministic
bounded plans under no, partial, or full observability, respectively, where
the bound is encoded in binary.
One-safe Petri nets. Petri nets [see Esparza, 1996, for a survey] are a
popular formalism for modeling concurrent systems. A Petri net is basically
a directed graph with two kinds of nodes: places and transitions. Two
places are connected via a transition. The purpose of places is to accumulate
tokens, while transitions remove tokens from their source places and add new
tokens to their target places. An execution of a Petri net is a sequence of
transition firings. Now, one-safe Petri nets are a special case, where each
place may only accumulate a single token.
The connection to sequential circuit machines can be established by rep-
resenting the value of the circuit elements as tokens on places. Combina-
torial circuits (for which we assume that they are simple, without loss of
generality) are simulated as a propagation of a value through a Boolean
expression, which corresponds to propagating a token through a directed
acyclic net. Figure 5.3 depicts the important constructions for simulating
computation steps of sequential circuit machines by transition firings. The
hardness proof (that shows that one-safe Petri nets can simulate sequential
circuit machines) uses these constructions as modular widgets, which are
connected via their entry places (drawn as circles with an incoming arrow)
and exit places (drawn as circles with a double border).
The PSpace-completeness of deciding whether a state (including dead-
locks) is reachable in a given one-safe Petri net was shown by Cheng et al.
[1995]. The ExpTime-completeness of the global controller synthesis prob-
lem (i.e., the fully informed alternating extension) was established by Katz
et al. [2011].
Again, by carrying over the complexity results from Section 4.2, we are
able to fill in the missing gaps. For instance, to the best of the author’s
knowledge, there has not been a result published on the bounded synthe-
sis problem for one-safe Petri nets: Having the connection to sequential
circuit machines, we can immediately obtain the PSpace- and NExpTime-
completeness for both the smallest witness and the bounded synthesis prob-
lem for unary and binary encodings of the bound, respectively.
[Figure 5.3 placeholder: (a) Nondeterministic choice of the values for the circuit elements a, b, c. (b) A token reaches the exit place iff circuit element a has value 1. (c) A token reaches the exit place iff circuit element a has value 0.]
Figure 5.3: Constructions for simulating sequential circuit machines using one-safe Petri nets.
Part II
The Succinctness of Timed Automata
Chapter 6
Controllable Timed Automata
In this chapter, we recall the timed automaton formalism by Alur and Dill
[1994]. We also introduce the extension to the turn-based, alternating case
assuming full [Maler et al., 1995, Asarin et al., 1998] and partial informa-
tion [Bouyer et al., 2003, Bouyer and Chevalier, 2006].
For a comprehensive and recent survey on timed automata, we refer to
Waez et al. [2011].
6.1 Syntax
Intuitively, timed automata extend finite state machines with real-valued
clock variables.
6.1.1 Granularity and Constraints
The granularity of a timed automaton defines its timing resources, i.e., the clocks and the constants against which the clocks are compared [D'Souza and Madhusudan, 2002]. Formally, a granularity is represented by a tuple $\mu = (X, m, c^{\max})$, where $X$ is a finite set of real-valued clocks, $m \in \mathbb{N}_{\ge 1}$, and $c^{\max} \in \mathbb{Q}_{\ge 0}$. We call the value of a clock $x \in X$ maximal if it is strictly greater than $c^{\max}$. The combination of two granularities $\mu_1 = (X_1, m_1, c^{\max}_1)$ and $\mu_2 = (X_2, m_2, c^{\max}_2)$ is defined as
$$\mu_1 \otimes \mu_2 = \big( X_1 \cup X_2,\ \mathrm{lcm}(m_1, m_2),\ \max(c^{\max}_1, c^{\max}_2) \big).$$
We say that $\mu_1$ is finer than or equal to $\mu_2$, written as $\mu_1 \le \mu_2$, iff
$$X_1 \supseteq X_2 \ \wedge\ m_1 \ge m_2 \ \wedge\ c^{\max}_1 \ge c^{\max}_2.$$
We say that $\mu_1$ is strictly finer (or just finer) than $\mu_2$, written as $\mu_1 < \mu_2$, iff $\mu_1 \le \mu_2$ and $\mu_1 \ne \mu_2$.
A (rectangular) clock constraint ϕ ∈ CC(µ) is of the form
true | x ≤ c | c ≤ x | x < c | c < x | ϕ1 ∧ ϕ2,
where x is a clock from X, ϕ1 and ϕ2 are clock constraints from CC(µ), and
c is a constant from Q≥0 that satisfies the following constraints: (1) c can
be represented as c = k ·m−1, for some k ∈ N, and (2) c is less than or equal
to cmax. We write CC≤(µ) to refer to all constraints ϕ of the form
true | x ≤ c | ϕ1 ∧ ϕ2,
where x, c, ϕ1, and ϕ2 are defined analogously to the definition from above.
We assume that constants are always encoded in binary unless stated oth-
erwise.
6.1.2 Timed Automata
For a granularity µ = (X,m, cmax), a µ-granular timed automaton T is a
tuple (Q, q0,Σ, E, I), where
• Q is a finite set of control locations,
• q0 ∈ Q is the initial location,
• Σ is a finite set of events,
• $E \subseteq Q \times \Sigma \times CC(\mu) \times 2^X \times Q$ is an edge relation defining the control structure of $T$, and
• I : Q → CC≤(µ) is a total function that assigns an invariant to each
location.
Sometimes, for the sake of simplifying the illustration, we also use disjunc-
tions in clock guards, which can be easily resolved by splitting the corre-
sponding edge. We write Tµ to refer to µ. Without loss of generality, we
assume that it is syntactically ensured that taking an edge always ends
up in a location whose invariant is satisfied. We require timed automata to be event-deterministic: for any two edges $e_1 = (q_1, a_1, \varphi_1, r_1, q_1')$ and $e_2 = (q_2, a_2, \varphi_2, r_2, q_2')$ from $E$, we require
$$(q_1 = q_2 \wedge a_1 = a_2) \Rightarrow (e_1 = e_2 \vee \varphi_1 \wedge \varphi_2 \equiv \mathit{false}).$$
Example 6.1.1. Figure 6.1 shows an example timed automaton with four
locations and two clocks. While the locations l1 and l3 have invariants y ≤ 5
and y ≤ 15, the other locations l2 and l4 have no invariants (i.e., they have
the invariant true).
Intuitively, the execution starts in l1 with x = y = 0. Due to l1's invariant, the execution has to leave l1 within 5 time units. There is an edge leading to l2, which is labeled with event a and resets the clock x. Another edge, labeled with event b and performing no resets, leads to l3, and, due to its guard y > 2, can only be taken after strictly more than 2 time units have elapsed. In this manner, the execution continues either at l2 or l3.
[Figure 6.1 placeholder: locations l1, l2, l3, l4 with invariants y ≤ 5 on l1 and y ≤ 15 on l3; edge labels a, x := 0; b, y > 2; c, x ≥ 4; b, y > 8; c, y := 0.]
Figure 6.1: Example timed automaton with clocks x and y, and events a, b, and c.
We refer to Section 6.2 for a formal definition of the semantics of timed
automata.
6.1.3 Networks
Similar to communicating state machines, timed automata can be syntactically composed into networks, in which the automata run in parallel and synchronize on shared events. For a $\mu_1$-granular timed automaton $T_1 = (Q_1, q^1_0, \Sigma_1, E_1, I_1)$ and a $\mu_2$-granular timed automaton $T_2 = (Q_2, q^2_0, \Sigma_2, E_2, I_2)$, we define the parallel composition of $T_1$ and $T_2$, written as $T_1 \| T_2$, as the $(\mu_1 \otimes \mu_2)$-granular timed automaton $(Q_1 \times Q_2, (q^1_0, q^2_0), \Sigma_1 \cup \Sigma_2, E, I)$, where $I(q_1, q_2) = I_1(q_1) \wedge I_2(q_2)$, for all $q_1 \in Q_1$ and $q_2 \in Q_2$, and $E$ is the smallest set that satisfies the following conditions:
$$E \supseteq \{((q_1, q_2), a, \varphi_1 \wedge \varphi_2, r_1 \cup r_2, (q_1', q_2')) \mid a \in \Sigma_1 \cap \Sigma_2 \wedge (q_1, a, \varphi_1, r_1, q_1') \in E_1 \wedge (q_2, a, \varphi_2, r_2, q_2') \in E_2\};$$
$$E \supseteq \{((q_1, q_2), a, \varphi_1, r_1, (q_1', q_2)) \mid a \in \Sigma_1 \setminus \Sigma_2 \wedge (q_1, a, \varphi_1, r_1, q_1') \in E_1\};$$
$$E \supseteq \{((q_1, q_2), a, \varphi_2, r_2, (q_1, q_2')) \mid a \in \Sigma_2 \setminus \Sigma_1 \wedge (q_2, a, \varphi_2, r_2, q_2') \in E_2\}.$$
Example 6.1.2. Figure 6.2 shows a network of two timed automata. They
synchronize on the events a and c: Provided that the clock guards are sat-
isfied, an automaton can only execute an edge labeled with an event a or c
if the other automaton executes an edge with the same label concurrently.
Otherwise, the two automata run asynchronously: They can independently
execute edges labeled with an event b or d.
[Figure 6.2 placeholder: the automaton of Figure 6.1 (locations l1 to l4, invariants y ≤ 5 and y ≤ 15, edge labels a, x := 0; b, y > 2; c, x ≥ 4; b, y > 8; c, y := 0) composed in parallel (‖) with a second automaton with locations l5 and l6, invariant z ≤ 7, and edge labels a, z := 0; c; d, z > 1, z := 0.]
Figure 6.2: Example network comprising two timed automata that synchro-
nize on events a and c.
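As an added illustration (not code from the thesis), the following Python constructs the network of Figure 6.2 and computes its parallel composition T1‖T2 as defined in Section 6.1.3: granularities are combined, invariants and guards conjoined, and resets unioned on shared events, while the remaining events interleave. It also checks when an edge of the product can be taken (guard satisfied, resets applied, target invariant holds). The edge topology of the figure beyond what the text states, and all class and function names, are assumptions.

```python
from dataclasses import dataclass
from math import lcm

# Hypothetical class and function names; added example, not the thesis's code.


@dataclass(frozen=True)
class Granularity:
    clocks: frozenset   # X
    m: int              # constants are multiples of 1/m
    cmax: int           # largest constant

    def combine(self, other):
        """mu1 (x) mu2 as defined in Section 6.1.1."""
        return Granularity(self.clocks | other.clocks,
                           lcm(self.m, other.m), max(self.cmax, other.cmax))


@dataclass
class TimedAutomaton:
    gran: Granularity
    locations: frozenset
    init: object
    events: frozenset
    # edges are (q, a, guard, resets, q'); a guard is a tuple of atoms
    # (clock, op, const), () meaning true, conjunction = tuple concatenation
    edges: frozenset
    inv: dict  # location -> guard tuple over CC_<=; missing means true


def parallel(t1, t2):
    """T1 || T2: synchronize on shared events, interleave all others."""
    shared = t1.events & t2.events
    edges = set()
    for (q1, a, g1, r1, p1) in t1.edges:
        if a in shared:                      # both must move on a
            for (q2, b, g2, r2, p2) in t2.edges:
                if b == a:
                    edges.add(((q1, q2), a, g1 + g2, r1 | r2, (p1, p2)))
        else:                                # a in Sigma1 \ Sigma2: T2 stays put
            for q2 in t2.locations:
                edges.add(((q1, q2), a, g1, r1, (p1, q2)))
    for (q2, a, g2, r2, p2) in t2.edges:
        if a not in shared:                  # a in Sigma2 \ Sigma1: T1 stays put
            for q1 in t1.locations:
                edges.add(((q1, q2), a, g2, r2, (q1, p2)))
    inv = {(q1, q2): t1.inv.get(q1, ()) + t2.inv.get(q2, ())
           for q1 in t1.locations for q2 in t2.locations}
    return TimedAutomaton(t1.gran.combine(t2.gran), frozenset(inv),
                          (t1.init, t2.init), t1.events | t2.events,
                          frozenset(edges), inv)


def satisfies(val, guard):
    """Does the clock valuation val (clock -> number) satisfy the conjunction?"""
    ops = {"<": lambda u, c: u < c, "<=": lambda u, c: u <= c,
           ">": lambda u, c: u > c, ">=": lambda u, c: u >= c}
    return all(ops[op](val[x], c) for (x, op, c) in guard)


def discrete_successor(ta, state, event):
    """Discrete transition: the (by event-determinism unique) enabled edge
    labelled `event` is taken, its resets applied, and the target invariant
    must hold.  Returns the successor timed state or None."""
    q, val = state
    for (q1, a, g, r, q2) in ta.edges:
        if q1 == q and a == event and satisfies(val, g):
            new = {x: (0 if x in r else v) for x, v in val.items()}
            return (q2, new) if satisfies(new, ta.inv.get(q2, ())) else None
    return None


# Constructed instance of Figure 6.2.  Sources/targets of the edges
# c, x >= 4; b, y > 8; c, y := 0 and of the d edge are assumed.
T1 = TimedAutomaton(
    Granularity(frozenset({"x", "y"}), 1, 15),
    frozenset({"l1", "l2", "l3", "l4"}), "l1", frozenset({"a", "b", "c"}),
    frozenset({
        ("l1", "a", (), frozenset({"x"}), "l2"),
        ("l1", "b", (("y", ">", 2),), frozenset(), "l3"),
        ("l2", "c", (("x", ">=", 4),), frozenset(), "l4"),
        ("l3", "b", (("y", ">", 8),), frozenset(), "l4"),
        ("l4", "c", (), frozenset({"y"}), "l1"),
    }),
    {"l1": (("y", "<=", 5),), "l3": (("y", "<=", 15),)})

T2 = TimedAutomaton(
    Granularity(frozenset({"z"}), 1, 7),
    frozenset({"l5", "l6"}), "l5", frozenset({"a", "c", "d"}),
    frozenset({
        ("l5", "a", (), frozenset({"z"}), "l6"),
        ("l6", "c", (), frozenset(), "l5"),
        ("l6", "d", (("z", ">", 1),), frozenset({"z"}), "l6"),
    }),
    {"l5": (("z", "<=", 7),)})

NET = parallel(T1, T2)

if __name__ == "__main__":
    print(len(NET.locations), "locations,", len(NET.edges), "edges")
    print(discrete_successor(NET, (("l1", "l5"), {"x": 3, "y": 3, "z": 3}), "a"))
```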
6.2 Infinite Semantics
Due to the continuous value domain of the clocks, in the analysis of timed
automata, one has to deal with an uncountable number of states.
6.2.1 Timed States and Transitions
For a set of clocks $X$, a clock valuation $\vec t : X \to \mathbb{R}_{\ge 0}$ assigns a nonnegative value to each clock and can also be represented by a $|X|$-dimensional vector $\vec t \in \mathbb{R}^X_{\ge 0}$. For a $d \in \mathbb{R}_{>0}$, we write $\vec t + d$ as a shorthand for a vector $\vec t'$, where $\vec t'(x) = \vec t(x) + d$, for every $x \in X$. Also, for an $r \subseteq X$, we write $\vec t[r := 0]$ as a shorthand for a vector $\vec t'$, where
$$\vec t'(x) = \begin{cases} 0 & \text{if } x \in r; \\ \vec t(x) & \text{otherwise.} \end{cases}$$
For a given timed automaton $T = (Q, q_0, \Sigma, E, I)$, a timed state of $T$ is a tuple $(q, \vec t)$ comprising a location $q \in Q$ and a clock valuation $\vec t \in \mathbb{R}^X_{\ge 0}$.
Two timed states $s = (q, \vec t)$ and $s' = (q', \vec t')$ are connected via the following two kinds of timed transitions:
(1) Discrete transitions: for an edge $(q, a, \varphi, r, q') \in E$, there is a discrete transition between $s$ and $s'$, written as $s \xrightarrow{a} s'$, if $\vec t \models \varphi$, $\vec t' = \vec t[r := 0]$, and $\vec t' \models I(q')$.
(2) Delay transitions: for a delay $d \in \mathbb{R}_{>0}$, there is a delay transition between $s$ and $s'$, written as $s \xrightarrow{d} s'$, if $q' = q$, $\vec t' = \vec t + d$, and $\vec t' \models I(q)$.
A situation in which a further progress of time would violate the current location invariant but no edges are enabled is called a timelock. The set of all timelock states is defined as
$$\mathrm{Timelock}(T) = \{(q, \vec t) \mid \forall d > 0 : \vec t + d \not\models I(q) \ \wedge\ \neg \exists a\, \exists q'\, \exists \vec t' : (q, \vec t) \xrightarrow{a} (q', \vec t')\}.$$
6.2.2 Infinite Game Arena
The infinite semantics of a controllable timed automaton $T$ with $T = (Q, q_0, \Sigma, E, I)$ and $\Sigma = \Sigma_{in} \uplus \Sigma_{out}$ is formally described as an infinite game arena $\llbracket T \rrbracket = (S_E, S_A, s_0, \Sigma_E, \Sigma_A, \Delta)$, where
• $S_E = \{E\} \times \mathbb{R}_{>0} \times (Q \times \mathbb{R}^X_{\ge 0})$,
• $S_A = \{A\} \times \mathbb{R}_{>0} \times (Q \times \mathbb{R}^X_{\ge 0})$,
• $s_0 = (A, 0, (q_0, \vec 0))$,
• $\Sigma_E = \Sigma_{in} \uplus \mathbb{R}_{>0}$,
• $\Sigma_A = \Sigma_{out} \uplus \mathbb{R}_{>0}$,
• $\Delta((p, d, t), m) = s'$, where
$$s' = \begin{cases} (A, 0, t') & \text{if } p = A,\ m \in \Sigma_A \text{ and } t \xrightarrow{m} t'; \\ (E, m, t) & \text{if } p = A \text{ and } m \in \mathbb{R}_{>0}; \\ (E, d - m, t') & \text{if } p = E,\ m \in \mathbb{R}_{>0},\ m < d \text{ and } t \xrightarrow{m} t'; \\ (A, 0, t') & \text{if } p = E,\ m \in \mathbb{R}_{>0},\ m \ge d \text{ and } t \xrightarrow{d} t'; \\ (A, 0, t') & \text{if } p = E,\ m \in \Sigma_E \text{ and } t \xrightarrow{m} t'. \end{cases}$$
For a set of states $Y \subseteq Q \times \mathbb{R}^X_{\ge 0}$, we write $\llbracket T \rrbracket \models \mathbf{AG}(Y)$ as a shorthand for $\llbracket T \rrbracket \models \mathbf{AG}(\{E, A\} \times \mathbb{R}_{>0} \times Y)$.
6.3 Controller Synthesis
6.3.1 Plants and Controllers
A $(X, m, c^{\max})$-granular timed automaton $P = (Q, q_0, \Sigma, E, I)$ is called a (timed) plant if it satisfies the following conditions:
(1) $P$ has an input/output interface: the events $\Sigma$ are partitioned into controllable events $\Sigma_{in} \subseteq \Sigma$ (over which $P$ can be influenced) and into uncontrollable events $\Sigma_{out} \subseteq \Sigma$ (which are emitted by $P$ and can be observed externally);
(2) $P$ is input enabled: for each $q \in Q$ and each $a \in \Sigma_{in}$, we require that
$$I(q) \Rightarrow \Big( \bigvee_{(q, a, \varphi, r, q') \in E} \varphi \Big).$$
A $(X_c, m_c, c^{\max}_c)$-granular timed automaton $C = (Q_c, q^c_0, \Sigma_{in} \cup \Sigma^{obs}_{out}, E_c)$ is called a controller for $P$ if it satisfies the following conditions:
(1) $C$ is nonintrusive: for each $(q, d, \varphi, r, q') \in E_c$ we have $r \cap X = \emptyset$;
(2) $C$ is nonblocking: if $\llbracket P \rrbracket \models \mathbf{AG}(\mathrm{Timelock}(P))$ then $\llbracket P \| C \rrbracket \models \mathbf{AG}(\mathrm{Timelock}(P \| C))$;
(3) $C$ is nonrestricting: for each $\pi \in \mathrm{Traces}(\llbracket P \| C \rrbracket)$ and each $1 \le i < |\pi|$ with $\pi[1..i] \in \mathrm{Traces}(\llbracket P \rrbracket)$ and $\pi[i+1] \in \Sigma_{out}$, we require that $\pi[1..i+1] \in \mathrm{Traces}(\llbracket P \| C \rrbracket)$.
6.3.2 Problem Definition
We now formally define the safety controller synthesis problem for controllable timed automata, Timed synthesis.
An input to Timed synthesis is a tuple $(P, \Sigma^{obs}_{out}, q_b, \mu_c, q^{\max})$, where
• $P = (Q, q_0, \Sigma, E, I)$ is a plant with $\Sigma = \Sigma_{in} \uplus \Sigma_{out}$,
• $\Sigma^{obs}_{out} \subseteq \Sigma_{out}$ are the observable output events,
• $q_b \in Q$ is a dedicated bad location,
• $\mu_c = (X_c, m_c, c^{\max}_c)$ is the controller granularity, and
• $q^{\max} \in \mathbb{N} \cup \{\infty\}$ is a bound on the number of locations of the controller, given in binary unless stated otherwise.
Definition 6.3.1. For a given input $(P, \Sigma^{obs}_{out}, q_b, \mu_c, q^{\max})$, the problem Timed synthesis is to check whether there exists a timed automaton $C = (Q_c, q^c_0, \Sigma_{in} \cup \Sigma^{obs}_{out}, E_c)$ that satisfies the following conditions:
(1) $C$ is a $\mu_c$-granular controller for $P$;
(2) $C$ satisfies the location bound: $|Q_c| \le q^{\max}$;
(3) $C$ is safe: $\llbracket P \| C \rrbracket \models \mathbf{AG}(\{q_b\} \times Q_c \times \mathbb{R}^X_{\ge 0})$.
For convenience, we define $X^{obs} = X \cap X_c$ as the observable clocks, $\Sigma^{unobs}_{out} = \Sigma \setminus (\Sigma_{in} \cup \Sigma^{obs}_{out})$ as the unobservable events, and $X^{unobs} = X \setminus X^{obs}$ as the unobservable clocks. We say that Timed synthesis is under full observability if $X^{unobs} = \emptyset$ and $\Sigma^{unobs}_{out} = \emptyset$. We say that Timed synthesis is under no observability if $X^{obs} = \emptyset$ and $\Sigma^{obs}_{out} = \emptyset$.
6.4 Finite Semantics
The decidability of the (alternating) reachability problem of timed automata
relies on the existence of the region equivalence relation [Alur and Dill, 1994] on $\mathbb{R}^X_{\ge 0}$, which has a finite index.
6.4.1 The Region Abstraction
In the following, we fix a $\mu$-granular timed automaton $T$ with $\mu = (X, m, c^{\max})$ and $T = (Q, q_0, \Sigma, E, I)$. We say that two clock valuations $\vec t_1, \vec t_2 \in \mathbb{R}^X_{\ge 0}$ are in the same clock region, denoted $\vec t_1 \sim_\mu \vec t_2$, if the following conditions are satisfied:
• the set of clocks with maximal value is the same in $\vec t_1$ and in $\vec t_2$: $\forall x \in X : \vec t_1(x) > c^{\max} \Leftrightarrow \vec t_2(x) > c^{\max}$;
• $m \cdot \vec t_1$ and $m \cdot \vec t_2$ agree (1) on the integer parts of the clock values, (2) on the relative order of the fractional parts of the clock values, and (3) on the equality of the fractional parts of the clock values with 0. That is, for all clocks $x$ and $y$ in $X$ with nonmaximal value, it holds that
(1) $\lfloor m \cdot \vec t_1(x) \rfloor = \lfloor m \cdot \vec t_2(x) \rfloor$,
(2) $\mathrm{fr}(m \cdot \vec t_1(x)) \le \mathrm{fr}(m \cdot \vec t_1(y)) \Leftrightarrow \mathrm{fr}(m \cdot \vec t_2(x)) \le \mathrm{fr}(m \cdot \vec t_2(y))$, and
(3) $\mathrm{fr}(m \cdot \vec t_1(x)) = 0$ iff $\mathrm{fr}(m \cdot \vec t_2(x)) = 0$,
where $\mathrm{fr}(m \cdot \vec t_i(x)) = m \cdot \vec t_i(x) - \lfloor m \cdot \vec t_i(x) \rfloor$ for $i \in \{1, 2\}$.
The set of all clock regions of a granularity $\mu$ is defined as $[\mu]$. We denote by
$$[\vec t]_\mu = \{\vec t' \in \mathbb{R}^X_{\ge 0} \mid \vec t \sim_\mu \vec t'\}$$
the clock region $\vec t \in \mathbb{R}^X_{\ge 0}$ belongs to. We say that two timed states $s_1 = (q_1, \vec t_1)$ and $s_2 = (q_2, \vec t_2)$ of $T$ are region-equivalent, denoted by $s_1 \sim_\mu s_2$, if (1) their locations are the same: $q_1 = q_2$; and (2) the clock valuations are in the same clock region: $\vec t_1 \sim_\mu \vec t_2$. For a timed state $s \in Q \times \mathbb{R}^X_{\ge 0}$, we denote by
$$[s]_\mu = \{s' \in Q \times \mathbb{R}^X_{\ge 0} \mid s \sim_\mu s'\}$$
the equivalence class of region-equivalent states (or just the region) that $s$ belongs to. The set of all regions of $T$ is defined as $[T]_\mu = Q \times [\mu]$. Alur and Dill [1994] showed that the number of regions for a given timed automaton is linear in its locations and exponential in its granularity:
Lemma 6.4.1. [Alur and Dill, 1994] For a $\mu$-granular timed automaton $T = (Q, q_0, \Sigma, E, I)$ with $\mu = (X, m, c^{\max})$, we have the following upper bound on its number of regions:
$$|[T]_\mu| \le |Q| \cdot |X|! \cdot 2^{|X|-1} \cdot \prod_{x \in X} O(m \cdot c^{\max}) = |Q| \cdot |X|! \cdot O(m \cdot c^{\max})^{|X|}.$$
For convenience, for a set of timed states $S \subseteq Q \times \mathbb{R}^X_{\ge 0}$, we write
$$[S]_\mu = \{r \in [T]_\mu \mid r \subseteq S\}$$
to refer to the set of regions that constitute $S$, and for a location $q \in Q$, we write
$$[q]_\mu = \{r \in [T]_\mu \mid \forall (q', \vec t) \in r : q' = q\}$$
to refer to the set of regions with location $q$. Note that, in the rest of this thesis, we always assume that each set of timed states $S$ is expressible as a partitioning of regions $r_1, \ldots, r_n \in [T]_\mu$ of the form $S = \biguplus_{1 \le i \le n} r_i$.
For a coarser granularity $\mu' \ge \mu$ with clocks $X' \subseteq X$ and for a timed state $(q, \vec t) \in Q \times \mathbb{R}^X_{\ge 0}$, by abuse of notation, we define
$$[(q, \vec t)]_{\mu'} = \{(q', \vec t') \in Q \times \mathbb{R}^X_{\ge 0} \mid q' = q \wedge \exists \vec t'' \in [\vec t|_{X'}]_{\mu'} : \forall x \in X' : \vec t'(x) = \vec t''(x)\}$$
as the widening of $(q, \vec t)$ on $\mu'$.
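To make the region definition above executable, here is an added Python example (not the thesis's own code) that computes a canonical key of the clock region of a rational valuation under granularity (X, m, cmax) from the three conditions of Section 6.4.1, so that two valuations are region-equivalent iff their keys agree. It also constructs a representative of the unique region reached by letting time pass, which is what the time-determinism statement later in this section refers to. Function names and the constructed valuations are assumptions.

```python
from fractions import Fraction
from math import floor

# Hypothetical helper names; added example, not code from the thesis.


def region_key(val, m, cmax):
    """Canonical key of the clock region [t]_mu of a valuation under
    granularity mu = (X, m, cmax), built from the three conditions of
    Section 6.4.1.  val maps clock -> nonnegative rational (int, str or
    Fraction).  Two valuations are region-equivalent iff keys are equal."""
    t = {x: Fraction(v) for x, v in val.items()}
    # clocks with maximal value (strictly greater than cmax) are only
    # distinguished by being maximal, not by their exact value
    maximal = frozenset(x for x, v in t.items() if v > cmax)
    scaled = {x: m * v for x, v in t.items() if x not in maximal}  # m * t(x)
    # (1) integer parts of the scaled nonmaximal clocks
    integer_parts = tuple(sorted((x, floor(v)) for x, v in scaled.items()))
    fr = {x: v - floor(v) for x, v in scaled.items()}  # fr(m * t(x))
    # (2) relative order of the fractional parts: an ordered partition of
    # the nonmaximal clocks, ascending by fractional part
    order = tuple(tuple(sorted(x for x in fr if fr[x] == f))
                  for f in sorted(set(fr.values())))
    # (3) which fractional parts are exactly 0
    zero_frac = frozenset(x for x, f in fr.items() if f == 0)
    return (maximal, integer_parts, order, zero_frac)


def region_equivalent(t1, t2, m, cmax):
    """t1 ~mu t2 for mu = (X, m, cmax)."""
    return region_key(t1, m, cmax) == region_key(t2, m, cmax)


def delay_successor(val, m, cmax):
    """A representative of the unique region reached from the region of
    val by a delay step r -tau-> r'.  If every nonmaximal clock has a
    nonzero fractional part, advance until the largest one hits the next
    integer; otherwise (some clock sits on a boundary) advance only half
    that far, so that we land strictly inside the next open region.
    Returns None when every clock is already maximal (no successor)."""
    t = {x: Fraction(v) for x, v in val.items()}
    nonmax = [x for x, v in t.items() if v <= cmax]
    if not nonmax:
        return None
    fr = {x: m * t[x] - floor(m * t[x]) for x in nonmax}
    d = (1 - max(fr.values())) / m           # delay to the next integer boundary
    if any(f == 0 for f in fr.values()):     # boundary region: stay inside the next open one
        d /= 2
    return {x: v + d for x, v in t.items()}


def delay_chain(val, m, cmax):
    """All successor-region representatives reachable from val by delay
    steps alone; finite because the region index is finite."""
    chain = []
    while (val := delay_successor(val, m, cmax)) is not None:
        chain.append(val)
    return chain


if __name__ == "__main__":
    # constructed valuations under granularity m = 1, cmax = 2
    print(region_equivalent({"x": "1/2", "y": "6/5"},
                            {"x": "9/10", "y": "13/10"}, 1, 2))
    print(region_equivalent({"x": "1/2"}, {"x": "3/4"}, 1, 2),
          region_equivalent({"x": "1/2"}, {"x": "3/4"}, 2, 2))
    print(len(delay_chain({"x": 0, "y": 0}, 1, 2)))
```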
Regions are a suitable semantics for the abstraction of timed automata because they essentially preserve the time-abstracted behavior: If there is a discrete transition $s \xrightarrow{a} s'$ from a state $s$ to a state $s'$ of a timed automaton, then there is, for all states $t$ with $t \sim_\mu s$, a state $t'$ with $t' \sim_\mu s'$ such that $t \xrightarrow{a} t'$ is a discrete transition with the same event. For delay transitions, a slightly weaker property holds: If there is a delay transition $s \xrightarrow{d} s'$ from a state $s$ to a state $s'$, then there is, for all states $t$ with $t \sim_\mu s$, a state $t'$ with $t' \sim_\mu s'$ such that there is a timed transition $t \xrightarrow{d'} t'$ (but possibly with $d' \ne d$).
Formally, two regions $r, r' \in [T]_\mu$ are connected via the following two kinds of steps:
(1) Discrete steps: If
$$\forall s \in r : \exists a \in \Sigma : \exists s' \in r' : s \xrightarrow{a} s'$$
then there is a discrete step between $r$ and $r'$, written as $r \xrightarrow{a} r'$.
(2) Delay steps: If
$$\forall s \in r : \exists d \in \mathbb{R}_{>0} : \exists s' \in r' : s \xrightarrow{d} s' \wedge \forall d' < d : s + d' \in r \cup r'$$
then there is a delay step between $r$ and $r'$, written as $r \xrightarrow{\tau} r'$.
Timed automata are time-deterministic: any given region has exactly one successor region, except for the region in which all clock values are maximal, which has no successor.
For a granularity $\mu' \ge \mu$ and a region $r \in [\mu]$, we define
$$r \models \mu' \;:\Longleftrightarrow\; \forall (q, \vec t) \in r : \forall d \in \mathbb{R}_{>0} : (q, \vec t - d) \notin [(q, \vec t)]_{\mu'} \setminus r.$$
Intuitively, $r \models \mu'$ if, and only if, entering $r$ by letting time pass is observable through granularity $\mu'$.
6.4.2 Finite Game Arena
For a granularity $\mu = (X, m, c^{\max})$, the $\mu$-granular finite semantics of a $\mu'$-granular controllable timed automaton $T = (Q, q_0, \Sigma, E, I)$ with $\mu' \le \mu$ and events $\Sigma = \Sigma_{in} \uplus \Sigma_{out}$ is formally described as the finite game arena $\llbracket T \rrbracket_\mu = (S_E, S_A, s_0, \Sigma_E, \Sigma_A, \Delta)$, where
• $S_E = \{E\} \times [T]_\mu$,
• $S_A = \{A, D\} \times [T]_\mu$,
• $s_0 = (A, [(q_0, \vec 0)]_\mu)$,
• $\Sigma_E = \Sigma_{in} \uplus \{\tau\}$,
• $\Sigma_A = \Sigma_{out} \uplus \{\tau\} \uplus [\mu]$,
• $\Delta((p, r), m) = s'$, where
$$s' = \begin{cases} (E, r) & \text{if } p = A \text{ and } m = \tau; \\ (D, r) & \text{if } p = E \text{ and } m = \tau; \\ (A, r') & \text{if } p = D,\ m = r' \text{ and } r \xrightarrow{\tau} r'; \\ (A, r') & \text{if } m \in \Sigma \text{ and } r \xrightarrow{m} r'. \end{cases}$$
For the one-player case, we have the following classical result:
Lemma 6.4.2. [Alur and Dill, 1994] For a $\mu$-granular timed automaton $T$ and a set of timed states $Y$, the following statements hold:
• $\llbracket T \rrbracket \models \mathbf{EF}(Y)$ if, and only if, $\llbracket T \rrbracket_\mu \models \mathbf{EF}([Y]_\mu)$;
• $\llbracket T \rrbracket \models \mathbf{EG}(Y)$ if, and only if, $\llbracket T \rrbracket_\mu \models \mathbf{EG}([Y]_\mu)$;
• $\llbracket T \rrbracket \models \mathbf{AF}(Y)$ if, and only if, $\llbracket T \rrbracket_\mu \models \mathbf{AF}([Y]_\mu)$;
• $\llbracket T \rrbracket \models \mathbf{AG}(Y)$ if, and only if, $\llbracket T \rrbracket_\mu \models \mathbf{AG}([Y]_\mu)$.
Note that the successor of a state (p, r), where p ∈ {E,A} and r ∈ [T ]µ,
is determined by Player p, who chooses among polynomially many moves.
Due to the fact that timed automata are time-deterministic, the successor
of a state (D, r) is determined deterministically (and does not depend on a
choice of a particular player).
6.4.3 A Game-Theoretic Solution to Controller Synthesis
An input $i = (P, \Sigma^{obs}_{out}, q_b, \mu_c, q^{\max})$ to Timed synthesis induces a finite safety game $G(\textsc{Timed synthesis}, i) = (\mathcal{A}, B, V, \beta)$, which is defined as follows:
• $\mathcal{A} = \llbracket T \rrbracket_{\mu'}$ with the combined granularity $\mu' = T_\mu \otimes \mu_c$.
• $B = \{E, A, D\} \times ([q_b]_{\mu'} \cup [\mathrm{Timelock}(\mathcal{A})]_{\mu'})$.
• The fact that the controller can only observe some clocks and some events emitted by $T$ is reflected in the definition of the view $V$ of Player E on $\mathcal{A}$:
$$V = (\Sigma^{obs}_{out} \uplus \{\tau\}, \mathit{vis}),$$
where
$$\mathit{vis}(m) = \begin{cases} m & \text{if } m \in \Sigma^{obs}_{out}; \\ \tau & \text{if } m \in [\mu'] \text{ and } m \models \mu_c; \\ \varepsilon & \text{otherwise.} \end{cases}$$
• $\beta = q^{\max} \cdot |[\mu_c]|$ is the existential memory bound.
Indeed, solving this safety game is a decision procedure for Timed syn-
thesis.
Theorem 6.4.3. [Bouyer et al., 2003] For a given input x,
Timed synthesis(x) = yes iff
Player E wins G(Timed synthesis, x).
Chapter 7
The Complexity of Timed Controller Synthesis
This chapter investigates the complexity of several important analysis problems for timed automata.¹
We first present two ways to exploit the succinctness of timed automata
to simulate the manipulation of bits in Section 7.1. Based on that, we make
the connection to sequential circuit machines in Section 7.2. We are then
ready to establish complexity results in Section 7.3.
7.1 Using Clocks to Represent Bits
In this section, we will present how to represent a set of bits B using clocks
assuming a unary or a binary encoding of the constants. We will also show
the construction of two widgets TEST(b, v) and SET(b, v), v ∈ {0, 1}, for
testing and setting a particular bit b ∈ B, respectively. Later, in the proof
of Lemma 7.2.3, we abstract from the actual representation of the bits by
treating the two widgets as partial black-box timed automata that can be
embedded into the control structure of another timed automaton.
Independent of the actual representation, we always assume that a TEST(b, v) widget has a unique entry location and two exit locations: (1) a false location that is entered when the value of b does not equal v, and (2) a true location that is entered when the value of b equals v. For a SET(b, v)
widget, we always assume that there is a unique entry and a unique exit lo-
cation. As a general pre- and postcondition, we always assume that the bits
are in their respective normal form representation before or after executing
a widget. Furthermore, we will construct the widgets in such a way that
they are completely deterministic.
¹ The results of this chapter on bounded synthesis for timed automata have been published in [Peter and Finkbeiner, 2012].
7.1.1 Unary Encoding of Constants
In this subsection, we will demonstrate how to represent and manipulate an
array of n bits using n + 1 clocks. The constraints in the TEST and SET
widgets only use the constants 0 and 1.
For a set of bits $B = \{b_1, \ldots, b_n\}$, we introduce a set of clocks $X = \{x_1, \ldots, x_n, z\}$, where $z$ is an auxiliary clock. For a clock valuation $\vec x \in \mathbb{R}^X_{\ge 0}$ and a bit valuation $\vec b \in \vec B$, we say that $\vec x$ represents $\vec b$ in unary normal form iff
$$\forall b \in B : \vec b(b) = 0 \Leftrightarrow \vec x(x_b) = 0,$$
where we write $x_b$ to refer to the clock that represents $b$.
For this kind of encoding, the TEST(b, v) widget, for a bit b ∈ B and a
value v ∈ {0, 1}, is a simple construction that is shown in Figure 7.1. We
have an edge with guard xb = 0 to test whether b = 0, and we have an
edge with guard xb > 0 to test whether b = 1. For all locations, we have
the invariant z = 0 in order to ensure that executing TEST does not harm
the unary normal form representation. We use a double border to indicate
exits.
[Figure 7.1 placeholder: entry edge z := 0; all locations carry the invariant z = 0; the guards xb = 0 ∧ v = 1 and xb > 0 ∧ v = 0 lead to the false exit, the guards xb = 0 ∧ v = 0 and xb > 0 ∧ v = 1 lead to the true exit.]
Figure 7.1: The TEST(b, v) widget for testing whether bit b has value v, assuming a unary encoding of the constants.
The SET(b, v) widget, for a bit b ∈ B and a value v ∈ {0, 1}, is con-
structed as follows. The basic idea is to let exactly one time unit elapse at
the beginning, and then, to reset all clocks whose value is exactly 1, except
for xb if v = 1. More technically, we construct the SET widget as a chain
of conditional resets, which is shown in Figure 7.2. Clearly, on exiting the
SET widget, we have the unary normal form representation again.
Observe that in both widgets, except for the entry location of the SET
widget, we prevent time from elapsing by assigning the invariant z = 0 to
every location. Also, observe that all widgets are deterministic.
7.1.2 Binary Encoding of Constants
In this subsection, we will demonstrate how to represent and manipulate an array of $n$ bits only using three clocks, which can be compared to arbitrary constants encoded in binary. The maximal constant that is used in the constraints of the TEST and SET widgets is $2^n$.
[Figure 7.2 placeholder: entry location with invariant z ≤ 1, entered with z := 0 and left via z = 1, z := 0; then a chain of locations with invariant z = 0 in which the step for bit b_i takes the edge x_{b_i} = 1 ∧ ¬(b_i = b ∧ v = 1), x_{b_i} := 0, or otherwise skips; at the end, the edge v = 0, x_b := 0 or the edge v = 1 leads to the exit.]
Figure 7.2: The SET(b, v) widget for setting bit b to v, assuming a unary encoding of the constants.
For a set of bits $B = \{b_1, \ldots, b_n\}$, we introduce a set of clocks $X = \{x, y, z\}$, where the value of $x$ represents the values of the bits in $B$, and $y$ and $z$ are auxiliary clocks. For a clock valuation $\vec x \in \mathbb{R}^X_{\ge 0}$ and a bit valuation $\vec b \in \vec B$, we say that $\vec x$ represents $\vec b$ in binary normal form iff
$$\vec x(x) = \sum_{i=1}^{n} \vec b(b_i) \cdot 2^{i-1}.$$
Before we come to the TEST and SET widgets, we first introduce three auxiliary widgets. First, we introduce a widget ADD($c$) for adding a constant $c \in \{0, \ldots, 2^n\}$ to $x$. Here, the idea is to use $z$ to let exactly $2^n$ time units elapse. At the same time, we reset $x$ whenever $x$ reaches $2^n - c$. By resetting $y$ whenever $y$ reaches $2^n$, we make sure that $y$ will have the same value as before. The construction of ADD is shown in Figure 7.3. We easily obtain a widget SUB($c$) for subtracting a constant $c \in \{0, \ldots, 2^n\}$ from $x$ by using ADD($2^n - c$) instead.
A last auxiliary widget we need to introduce is the COPY($p$, $q$) widget that copies the value of clock $q \in \{x, y\}$ to the value of clock $p \in \{x, y\} \setminus \{q\}$. Here, the construction is similar to the one of the ADD widget. But now, whenever $q$ reaches $2^n$, we reset $q$ and $p$. The construction of COPY is shown in Figure 7.4.
With these auxiliary widgets, we can now give the construction of the TEST and SET widgets for binary encodings. In the construction of the TEST($b_i$, $v$) widget, for the $i$-th bit $b_i$ and a value $v \in \{0, 1\}$, we first back up the current values of all bits, using the auxiliary clock $y$. Then, for accessing the $i$-th bit, we reset all bits above $i$ in $x$, so that we can use the simple clock constraints $x > 2^i$ and $x \le 2^i$ to check whether the $i$-th bit is set or not, respectively. Finally, we have to restore the original value from $y$ in $x$ again. The construction is shown in Figure 7.5.
Now, the construction of the SET($b_i$, $v$) widget, for the $i$-th bit $b_i$ and a value $v \in \{0, 1\}$, is straightforward. If $v = 0$, we check whether the $i$-th bit is set and, if this is the case, we reset the bit by calling SUB($2^i$). If $v = 1$, we check whether the $i$-th bit is not set and, if this is the case, we set the bit by calling ADD($2^i$). The construction is shown in Figure 7.6.
[Figure 7.3 placeholder: entry edge z := 0; a location with invariant x ≤ 2^n − c ∧ y ≤ 2^n, left via x = 2^n − c, x := 0 to a location with invariant y ≤ 2^n ∧ z ≤ 2^n; both locations have the edge y = 2^n, y := 0; the edge z = 2^n, z := 0 leads to the exit location with invariant z = 0.]
Figure 7.3: The ADD(c) widget for adding a nonnegative constant c to clock x.
[Figure 7.4 placeholder: entry edge z := 0; a location with invariant b ≤ 2^n ∧ z ≤ 2^n and the edge b = 2^n, a := 0, b := 0; the edges z = 2^n ∧ b < 2^n, z := 0 and z = 2^n ∧ b = 2^n, z := 0 lead to the exit location with invariant z = 0.]
Figure 7.4: The COPY(a, b) widget that copies the current value of clock b to clock a.
Observe that during an execution of an auxiliary widget ADD, SUB, or COPY, exactly $2^n$ time units elapse. When executing SET or TEST, no time elapses. Thus, it can be easily seen that the binary normal form is always maintained outside an execution of SET or TEST. Also, observe that all widgets are deterministic.
[Figure 7.5 placeholder: COPY(y, x), then a chain of SUB(2^{n−1}), … steps, each guarded by x > 2^{n−1} (subtract) or x ≤ 2^{n−1} (skip), down to bit i; the guard x > 2^i ∧ v = 1 ∨ x ≤ 2^i ∧ v = 0 leads via COPY(x, y) to the true exit, and x > 2^i ∧ v = 0 ∨ x ≤ 2^i ∧ v = 1 leads via COPY(x, y) to the false exit; the intermediate locations have invariant z = 0.]
Figure 7.5: The TEST($b_i$, $v$) widget for testing whether the $i$-th bit is $v$, assuming a binary encoding of the constants.
7.2 Timed Automata and Sequential Circuit Machines
In this section, we show the equivalence of timed automata with sequential
circuit machines based on the constructions from the previous section.
For an input P = (P, Σ^obs_out, q_b, µ_c, q_max) to Timed synthesis, where T = (Q, q_0, Σ, E, I) is a µ-granular controllable timed automaton with Σ = Σ_in ⊎ Σ_out, we define the instance signature
$$\mathit{sig}(\text{Timed synthesis}, P) = \log\big((|\Sigma_{in}| + 1,\ |\Sigma^{obs}_{out}| + 2,\ |\Sigma_{out}| + 2),\ (q_{max} \cdot |[\mu_c]|,\ |[T]_{\mu'}|)\big),$$
where µ′ = µ ⊗ µ_c.
[Figure 7.6 (diagram omitted): The SET(b_i, v) widget for setting the i-th bit to v, assuming a binary encoding of the constants.]
We first show that one can use sequential circuit machines to decide
Timed synthesis.
Lemma 7.2.1. For an input y, G(Timed synthesis, y) allows a succinct
circuit representation of signature sig(Timed synthesis, y).
Proof. Let y = (P, Σ^obs_out, q_b, µ_c, q_max) with P = (Q, q_0, Σ, E, I). We show that the definition of G(Timed synthesis, y) matches the properties required for succinct circuit representations from Section 3.4.
(1) There is a logarithmic encoding of the controllable decisions Σ_in ∪ {τ} since Σ_in is explicitly given. We introduce the bits $\widehat{\Sigma^{obs}_{out} \cup \{\tau, \tau^o_t\}}$ for representing the observable uncontrollable events, where τ^o_t represents a visible elapsing of time (i.e., advancing to the successor region). We also introduce the bits $\widehat{\Sigma^{unobs}_{out} \cup \{\tau^u_t\}}$ for representing the unobservable uncontrollable events, where τ^u_t represents an invisible elapsing of time. The idea is that whenever Player A proposes a delay step, he must play a move τ^o_t if this step is observable through the controller's granularity, or a move τ^u_t if it is unobservable. Then, the bits for the logarithmic encoding of all uncontrollable decisions are $\widehat{\Sigma^{obs}_{out} \cup \{\tau, \tau^o_t\}} \uplus \widehat{\Sigma^{unobs}_{out} \cup \{\tau^u_t\}}$.
The logarithmic encoding of the positions (i.e., the regions of P) looks as follows. Notice that we can identify a region from a granularity µ = (X, m, c_max) as a tuple containing (i) the location P is currently in, and (ii) an |X|-dimensional vector over tuples of the form (v, ≺, p), where v ∈ {0, . . . , k} with k = m · c_max (here called the clock's value), ≺ ∈ {=, <} (here called the clock's sign), and p ∈ {1, . . . , |X|} (here called the clock's position). Hence, we can represent a region using an array of
$$\lceil \log |Q| \rceil + |X| \cdot \big(\lceil \log(k + 1) \rceil + 1 + \lceil \log |X| \rceil\big)$$
(i.e., polynomially many) bits. One extra bit is additionally needed to encode which player can move.
(2) Concerning the move function ∆, we construct ∆_c using the following sub-circuits. We implement the discrete steps of P by constructing a DNF of polynomial size from E, similar to the construction in the proof of Lemma 5.1.4. The guards can be implemented by independent comparator circuits whose output bits can be used in the DNF. Executing resets can be done by the following simple sub-circuit:
$$\mathit{reset}(x, (v, \prec, p), r) = \begin{cases} (0, =, p') & \text{if } x \in r; \\ (v, \prec, p + |r|) & \text{if } x \notin r, \end{cases}$$
where p′ is the position of x in the ordered set r. Notice that we statically create such a sub-circuit reset for each clock x and for each distinct reset appearing in E. Each reset sub-circuit has a constant depth. We embed all reset sub-circuits in ∆_c in the following way: To update each clock x, we use a multiplexer that selects for a given decision the corresponding reset sub-circuit whose output is used to update the game position for x.
For executing the delay step, we introduce the following simple sub-circuits:
$$\mathit{advance}(x) :\Leftrightarrow \mathit{sign}(0) = \text{``$<$''} \;\wedge\; \bigwedge_{p \geq \mathit{pos}(x)} \big(\mathit{sign}(p) = \text{``$=$''}\big),$$
where pos(x) and sign(x) are simple sub-circuits of constant depth that compute the current position and sign of x, respectively. Now, we update the entries of each clock using the following simple sub-circuit:
$$\mathit{delay}(x, (v, \prec, p)) = \begin{cases} (v, <, p) & \text{if } p = 0 \text{ and } \prec\, = \text{``$=$''}; \\ (v + 1, =, p + a - |X|) & \text{if } p \geq |X| - a; \\ (v, \prec, p + a) & \text{otherwise,} \end{cases}$$
where a = |{x | advance(x) = true}| is the number of clocks that advance to their next value. Overall, it can be easily seen that the size of ∆_c is polynomial in |P| and its depth is at most logarithmic in |P|.
(3) We can construct B_c as a sub-circuit of polynomial size and constant depth: The discrete part of B can be easily checked by a DNF over the location bits. For the timed part of B, observe that for each location of P, the time lock region can be characterized by a conjunction of clock constraints. Hence, one can construct a simple circuit of constant depth that checks time locks.
(4) We represent V as the subset $\widehat{\Sigma^{obs}_{out} \cup \{\tau, \tau^o_t\}} \subseteq \widehat{\Sigma_{out} \cup \{\tau, \tau^o_t\}}$.
Combining Lemma 7.2.1 and Lemma 3.4.1, we immediately obtain that
every given instance of Timed synthesis can be transformed into an in-
stance of Diverging for sequential circuit machines with the same signa-
ture.
Lemma 7.2.2. For a succinctness signature σ̂ ∈ C((L, L∞, L), (P∞, P)), Timed synthesis_σ̂ is LogSpace-reducible to Diverging_σ̂.
With the following lemma, we establish the opposite direction:
Lemma 7.2.3. For a succinctness signature σ̂ ∈ C((L, L∞, L), (P∞, P)), Diverging_σ̂ is LogSpace-reducible to Timed synthesis_σ̂.
Proof. For a given machine S = (((n_E, n^E_A, n_A), (m_E, m_A)), C_A), we construct an input (P, Σ^obs_out, q_b, µ_c, q_max) to Timed synthesis in the following way. Without loss of generality, we assume C_A has no shared sub-circuits and, thus, is represented as a Boolean expression, where C_A(M_{A,i}) is the Boolean function that computes the new value for M_{A,i}, 1 ≤ i ≤ m_A, and C_A(h) computes the value of the halting flag.
We construct the plant P = (Q, q_0, Σ, E, I) in such a way that it simulates the sequential execution of S. Depending on the type of encoding of the constants (either unary or binary, see Section 7.1), we represent the n bits of the circuit elements N_A, N_E, M_A, h, and the updated universal memory M_A′ either as (1) n clocks or (2) clock values ranging from 0 to 2^n − 1, respectively. For a circuit element x ∈ N_A ∪ N_E ∪ M_A ∪ M_A′ ∪ {h} and a v ∈ {0, 1}, we assume we have the widgets SET(x, v) and TEST(x, v) at our disposal.
We define the set of observable uncontrollable events as Σ^obs_out = $\vec{N}^E_A$, the set of unobservable uncontrollable events as Σ^unobs_out = {}, and the set of controllable events as Σ_in = $\vec{N}_E$. Now, the simulation of a cycle looks as follows. First, for determining values for the unobservable universal guessing bits, we let P nondeterministically branch with an -edge to a particular chain of widgets of the form
$$\mathit{SET}(N_{A,1}, v_1) \to \dots \to \mathit{SET}(N_{A,\,n_A - n^E_A},\ v_{n_A - n^E_A}),$$
where (v_1, . . . , v_{n_A − n^E_A}) represents a vector from $\vec{N}_A \setminus N^E_A$. Here, we consider 2^{n_A − n^E_A} branching decisions to cover all possible choices. Then, for determining values for the observable universal guessing bits, P nondeterministically branches with an edge labeled with a $\vec{n}^E_A \in \vec{N}^E_A$ to a particular chain of widgets of the form
$$\mathit{SET}(N_{O,1}, \vec{n}^E_A[1]) \to \dots \to \mathit{SET}(N_{O,\,n^E_A},\ \vec{n}^E_A[n^E_A]).$$
Here, we consider 2^{n^E_A} branching decisions to cover all possible choices. After the universal guessing bits are determined, P awaits the values for the circuit elements N_E from the controller. For this purpose, we let P receive a controllable event $\vec{n}_E \in \Sigma_{in}$ and then branch to a chain of widgets of the form
$$\mathit{SET}(N_{E,1}, \vec{n}_E[1]) \to \dots \to \mathit{SET}(N_{E,\,n_E},\ \vec{n}_E[n_E]).$$
Since we have only a logarithmic number of guessing bits, the exponential blowup due to the nondeterministic branching results only in a polynomial control structure.
The actual execution of C_A is simulated by P as follows. For each Boolean formula C_A(y), y ∈ M_A ∪ {h}, we embed its formula DAG D = dag(C_A(y)) (recall Section 2.2) into the control structure of P: For each edge in D, we execute a widget for testing the corresponding bit: For some circuit element z ∈ N_A ∪ N_E ∪ M_A, if the original edge in D is labeled with the literal z then the widget TEST(z, 1) is executed, and if the original edge in D is labeled with the literal ¬z then the widget TEST(z, 0) is executed. If the execution of D in P ends up in true(D) the widget SET(z′, 0) is executed, if the execution ends up in false(D) the widget SET(z′, 1) is executed, where z′ is either the corresponding updated memory element if z ∈ M_A, or h otherwise. We execute these testing and setting widgets in a sequential manner. Note that the only existential nondeterminism in P occurs for resolving the branching decisions for the existential guessing bits. The universal nondeterminism is used for resolving the branching decisions for the universal guessing bits and for resolving the nondeterminism in the DAGs of the Boolean formulas. Before the execution of a cycle finishes, we copy the contents of the updated memory M_A′ to M_A by the following chain of widgets:
$$\mathit{TEST}(M'_{A,1}, v_1) \to \mathit{SET}(M_{A,1}, v_1) \to \dots \to \mathit{TEST}(M'_{A,m_A}, v_{m_A}) \to \mathit{SET}(M_{A,m_A}, v_{m_A}).$$
We finish our construction by defining the bad location q_b to be false(dag(C_A(h))), the controller granularity µ_c as (∅, 1, 0), and the bound on the locations of the controller q_max as m_E. Note that we require the controller to have no clocks at all. This way, we make sure that the controller only uses locations to represent its memory.
The combination of Lemma 7.2.2 and Lemma 7.2.3 gives the desired
connection between timed automata and sequential circuit machines:
Theorem 7.2.4. For a succinctness signature σ̂ ∈ C((L, L∞, L), (P∞, P)), Timed synthesis_σ̂ and Diverging_σ̂ are LogSpace-reducible to each other.
7.3 Complexity Analysis
Based on the connection to sequential circuit machines established in the
previous section, we are now ready to obtain complexity bounds.
7.3.1 Model Checking
When we assume a one-player setting (by either choosing Σin = ∅ or Σout =
∅), controller synthesis boils down to the safety model checking problem.
The combination of Theorem 7.2.4, Lemma 4.1.1, and Theorem 4.2.5 yields
the complexity for safety model checking of timed automata:
Corollary 7.3.1. The EG-model checking problem for timed automata is
complete for C((L, 0, 0), (∞,P)) = PSpace. The AG-model checking prob-
lem for timed automata is complete for C((0, 0,L), (∞,P)) = PSpace.
The combination of Theorem 7.2.4, Lemma 4.1.1, and Theorem 4.2.9
reveals the complexities of finding small witnesses for timed automata:
Corollary 7.3.2. The EG-small witness problem for timed automata is com-
plete for
• C((L, 0, 0), (L,P)) = PSpace if the bound on the length of the witness
is encoded in unary, and
• C((L, 0, 0), (P,P)) = NExpTime if the bound on the length of the
witness is encoded in binary, respectively.
7.3.2 Control with Full Observability
Assuming two players and full observability, by combining Lemma 4.1.1,
Theorem 4.2.5, and Theorem 7.2.4, we obtain the complexity for unbounded
synthesis for timed automata under full observability:
Corollary 7.3.3. The unbounded safety controller synthesis problem for
controllable timed automata under full observability is complete for
C((L,∞,L), (∞,P)) = ExpTime.
The combination of Theorem 7.2.4, Lemma 4.1.1, and Theorem 4.2.9
reveals the complexities of bounded synthesis:
Corollary 7.3.4. The bounded safety controller synthesis problem for con-
trollable timed automata with full observability is complete for
• C((L,∞,L), (L,P)) = PSpace if the bound on the number of locations
of the controller is encoded in unary, and
• C((L,∞,L), (P,P)) = NExpTime if the bound on the number of lo-
cations of the controller is encoded in binary, respectively.
7.3.3 Control with Partial Observability
Assuming partial observability without imposing a bound on either the existential memory or the observability results in undecidability.
Theorem 7.3.5. [Bouyer et al., 2003] For a given timed plant P =
(Q, q0,Σ, E, I) with Σ = Σin unionmulti Σout, a set of observable events Σobsout ⊆ Σout,
and a dedicated bad location qb ∈ Q, deciding whether there is a granular-
ity µc such that
Timed synthesis(P,Σobsout, qb, µc,∞) = yes
is undecidable.
Only bounding the number of clocks of the controller, while leaving the
number of locations unrestricted, does not suffice to obtain decidability,
since the existential memory and the observability are still unbounded.
Theorem 7.3.6. For a given timed plant P = (Q, q_0, Σ, E, I) with Σ = Σ_in ⊎ Σ_out, a set of observable events Σ^obs_out ⊆ Σ_out, a dedicated bad location q_b ∈ Q, and a bound on the number of clocks of the controller k ∈ N_{≥1}, deciding whether there is a granularity µ_c = (X_c, m_c, c^c_max) with |X_c| ≤ k such that
Timed synthesis(P, Σ^obs_out, q_b, µ_c, ∞) = yes
is undecidable.
Proof. We show undecidability by a reduction from the halting problem of a
given two-counter Minsky machine, which is known to be undecidable [Min-
sky, 1967]. The basic idea is to let the synthesis algorithm generate a con-
troller that simulates an accepting run of the machine, or to report that no
such controller/run exists. Following the construction proposed by Bouyer
and Chevalier [2006], which, in turn, is an extension of the one proposed by
Alur and Dill [1994], we let the plant nondeterministically and unobservably
for the controller verify that it faithfully performs the simulation. We refer
to Bouyer and Chevalier [2006] for details on the modeling of the verifica-
tion widgets. Note that the goal state of the machine is reached after finitely
many steps m ∈ N≥1 for a configuration with some maximal counter value
bounded by m. Hence, the synthesis algorithm must somehow determine
m (or report that no such m exists) and fix a sufficiently large number of
locations and fine granularity ({z}, 4m, 1) to accommodate the necessary
information to keep track of the machine’s configurations arising during its
execution. We let the controller and the plant communicate via the actions
a, b, c, and d. Without loss of generality, we assume that the states of the
given machine have a unique index and their number is less than m.
As usual for such proofs, a configuration is encoded as a sequence of actions d^s a^{c1} b^{c2} c^{c3} representing the current state of the machine with index s, the current values of the two machine counters c1 and c2, and the value of a step counter c3. Here, c3 is necessary to force the controller to reach the goal state within a finite number of steps. After the i-th step of the machine, we let the controller produce the current configuration sequence within the time interval [i, i + 1). Here, we force the delay between corresponding actions in two successive configurations to be exactly one time unit. This can be achieved by a plant component that nondeterministically chooses an action, waits exactly one time unit, and then verifies whether the controller immediately produces that action. Hereby, we exploit the partial observability to completely hide these verification steps. In the first configuration, we let the controller choose an appropriate value for c3 > 0. After each step, we require that the controller decrements c3 by one. If c3 becomes 0, we let the plant go into a bad state.
Now, assuming that the goal state of the given machine is reachable, let us fix some m. It is easy to see that the number of distinct configurations of the machine along with a certain step count is bounded by m^4. Hence, a feasible controller could have O(m^8) locations, i.e., O(m^2) locations to represent and produce the current configuration of the machine as well as the step count. If the machine is in a certain configuration after a certain number of steps, the corresponding part of the controller's control structure is of the following form:
$$l_d \;\underbrace{\xrightarrow{d,\; z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{d,\; z = \frac{1}{4m},\; z := 0}}_{s \text{ times}}\; l'_d \;\underbrace{\xrightarrow{z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{z = \frac{1}{4m},\; z := 0}}_{m - s \text{ times}}\; l''_d,$$
for representing the current machine state s;
$$l_a \;\underbrace{\xrightarrow{a,\; z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{a,\; z = \frac{1}{4m},\; z := 0}}_{c_1 \text{ times}}\; l'_a \;\underbrace{\xrightarrow{z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{z = \frac{1}{4m},\; z := 0}}_{m - c_1 \text{ times}}\; l''_a,$$
for representing the current value of the machine counter c_1;
$$l_b \;\underbrace{\xrightarrow{b,\; z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{b,\; z = \frac{1}{4m},\; z := 0}}_{c_2 \text{ times}}\; l'_b \;\underbrace{\xrightarrow{z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{z = \frac{1}{4m},\; z := 0}}_{m - c_2 \text{ times}}\; l''_b,$$
for representing the current value of the machine counter c_2;
$$l_c \;\underbrace{\xrightarrow{c,\; z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{c,\; z = \frac{1}{4m},\; z := 0}}_{c_3 \text{ times}}\; l'_c \;\underbrace{\xrightarrow{z = \frac{1}{4m},\; z := 0} \cdots \xrightarrow{z = \frac{1}{4m},\; z := 0}}_{m - c_3 \text{ times}}\; l''_c,$$
for representing the current step count c_3.
Thus, there is a controller iff there is an accepting run, and furthermore, if there is a controller at all then there is one that can be represented using a single clock.
On the other hand, only bounding the number of locations of the con-
troller, while leaving the number of clocks unrestricted, does not suffice to
obtain decidability either.
Theorem 7.3.7. For a given timed plant P = (Q, q_0, Σ, E, I) with Σ = Σ_in ⊎ Σ_out, a set of observable events Σ^obs_out ⊆ Σ_out, a dedicated bad location q_b ∈ Q, and a bound on the number of locations of the controller q_max ∈ N_{≥1}, deciding whether there is a granularity µ_c such that
Timed synthesis(P, Σ^obs_out, q_b, µ_c, q_max) = yes
is undecidable.
Proof. To show undecidability, we give a similar reduction from the halting
problem of a given two-counter Minsky machine as the one used in the
proof of Theorem 7.3.6. But now, the synthesized controller generating an
accepting run (if there is one) has only one location and uses its clocks to
represent all information necessary to keep track of the machine’s current
configuration. Such a one-location controller is a translation of the one-
clock controller from above, where the location-based control structure is
simulated by a pure clock-based control structure. In the following, we
explain this translation.
Without loss of generality, we assume that the one-clock controller contains 2^b locations, for some b ∈ N. We introduce b clocks x_1, . . . , x_b in the one-location controller. Also, we assume that each location has a unique index between 0 and 2^b − 1. The one-clock controller is in the location with index l iff $\vec{x} = l$, where
$$\vec{x} = l \;:\Longleftrightarrow\; \bigwedge_{i=1}^{b} \Big( x_i \leq \frac{1}{4m} \;\Leftrightarrow\; l_i = 0 \Big)$$
and l_i refers to the i-th bit of l. Since each step in the one-clock controller takes exactly 1/(4m) time units, we also have an auxiliary clock z in the one-location controller that is reset on every discrete step. For each edge between two locations l and l′ in the one-clock controller, we introduce a corresponding (self-looping) edge in the one-location controller with guard z = 1/(4m) ∧ $\vec{x} = l$ that resets all clocks in $\vec{x}$ whose corresponding bit in l′ is zero.
Thus, if there is a controller at all then there is one that can be represented using a single location.
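As an added example (not from the thesis), the following Python carries out this translation for a constructed one-clock controller with 2^b locations and checks, along a sample run, that reading the clocks x_i against the bound 1/(4m) recovers the location the one-clock controller is in. The controller edges, m and the run are constructed sample values, and the code indexes bits from 0 rather than 1.

```python
from fractions import Fraction

# Added example: the location-to-clock translation from the proof of
# Theorem 7.3.7. A one-clock controller with 2^b locations (indices 0..2^b-1)
# becomes a one-location controller with clocks x_0..x_{b-1} and z. Every step
# takes exactly 1/(4m) time units, so at the next step x_i <= 1/(4m) holds
# iff x_i was reset on the previous step iff bit i of the target index is 0.
# Controller edges, m and the run below are constructed sample values.

STEP_M = 2                                  # granularity parameter m
STEP = Fraction(1, 4 * STEP_M)              # one step lasts 1/(4m)
BITS = 2                                    # 2^BITS locations
# One-clock controller as (source location, action, target location).
ONE_CLOCK_EDGES = [(0, "d", 1), (1, "d", 3), (3, "a", 2), (2, "c", 0)]
SAMPLE_RUN = ["d", "d", "a", "c"]


def translate(edges, bits):
    """Self-loops of the one-location controller: guard z = 1/(4m) and x = l,
    resetting z and every x_i whose bit in the target index l' is zero."""
    loops = []
    for src, action, dst in edges:
        resets = {f"x{i}" for i in range(bits) if not (dst >> i) & 1} | {"z"}
        loops.append({"action": action, "loc": src, "resets": resets})
    return loops


def decode_location(clocks, bits):
    """The constraint x = l read backwards: bit i is 1 iff x_i > 1/(4m)."""
    return sum(1 << i for i in range(bits) if clocks[f"x{i}"] > STEP)


def run_one_location(loops, bits, actions):
    """Execute the translated controller; return the location index it
    encodes before each step and after the final one."""
    clocks = {f"x{i}": Fraction(0) for i in range(bits)}
    clocks["z"] = Fraction(0)
    visited = []
    for action in actions + [None]:
        clocks = {c: t + STEP for c, t in clocks.items()}   # let 1/(4m) elapse
        loc = decode_location(clocks, bits)
        visited.append(loc)
        if action is None:
            break
        enabled = [e for e in loops
                   if e["action"] == action and e["loc"] == loc
                   and clocks["z"] == STEP]
        if len(enabled) != 1:
            raise ValueError(f"no unique edge for {action} in location {loc}")
        for c in enabled[0]["resets"]:
            clocks[c] = Fraction(0)
    return visited


def run_one_clock(edges, actions, start=0):
    """Reference run of the original controller over its explicit locations."""
    loc, visited = start, [start]
    for action in actions:
        (loc,) = [dst for src, act, dst in edges if src == loc and act == action]
        visited.append(loc)
    return visited


if __name__ == "__main__":
    loops = translate(ONE_CLOCK_EDGES, BITS)
    print(run_one_location(loops, BITS, SAMPLE_RUN))   # [0, 1, 3, 2, 0]
    print(run_one_clock(ONE_CLOCK_EDGES, SAMPLE_RUN))  # [0, 1, 3, 2, 0]
```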
However, when bounding the granularity of the controller one obtains
decidability, since the existential memory (which is still unbounded) only
needs to remember a finite amount of observations. By combining Theo-
rem 7.2.4, Lemma 4.1.1, and Theorem 4.2.6, we obtain the complexities for
controller synthesis under no and partial observability:
Corollary 7.3.8. The unbounded safety controller synthesis problem for
controllable timed automata is complete for
• C((L, 0,L), (∞,P)) = ExpSpace, assuming no observability, and
• C((L,L,L), (∞,P)) = 2ExpTime, assuming partial observability, re-
spectively.
We note that the second claim was already proven by Bouyer et al. [2003]. The first claim is, to the best of the author's knowledge, a new result that is first proven in this thesis.
If we impose a bound on the number of locations of the controller, the
combination of Theorem 7.2.4, Lemma 4.1.1, and Theorem 4.2.9 reveals the
complexity of bounded synthesis for timed automata under no and partial
observability:
Corollary 7.3.9. The bounded safety controller synthesis problem for con-
trollable timed automata with no or partial observability, where the bound on
the number of locations of the controller is either given in unary or binary,
is complete for
• C((L, 0,L), (P,P)) = NExpTime, assuming no observability, and
• C((L,L,L), (P,P)) = NExpTime, assuming partial observability, re-
spectively.
7.3.4 Discrete Controllers
In the previous subsections, we have seen that even under the assumption of full observability, timed controller synthesis is an inherently intractable problem.² In this subsection, we identify discrete controllers that communicate synchronously with arbitrary timed plants as a subclass of the synthesis problem which exhibits a better worst-case complexity. In contrast to general timed controllers, discrete controllers may only react to discrete observations of the plant; they are not allowed to measure the time between two observed events.
² In the sense that, for some instances, there is always an exponential blow-up in the running time, as it is a well-known fact that PTime ≠ ExpTime [Hartmanis and Stearns, 1965].
More formally, for a safety controller synthesis problem for controllable timed automata i, where i = (P, Σ^obs_out, q_b, µ_c, q_max), where P = (Q, q_0, Σ, E, I) with Σ = Σ_in ⊎ Σ_out and Pµ = (X, m, c_max), we call a controller timed automaton C = (Q_c, q^c_0, Σ_in ∪ Σ^obs_out, E_c), representing a solution to i, discrete if the following conditions are satisfied:
(1) µ_c = (X_c, 1, 0) and |X_c| = 1;
(2) for each π ∈ Traces(⟦P ‖ C⟧) and each 1 ≤ i < |π|, whenever π[i + 1] ∈ Σ_in we require that π[i] ∈ Σ^obs_out.
We point out that discrete controllers differ from controllers with a fixed
sampling rate considered by Henzinger and Kopke [1999] or Cassez et al.
[2002].
Example 7.3.10. Figure 7.7 shows a controllable timed automaton with
output action a and input actions b and c modeling a plant, and a discrete
controller that ensures that the bad location (drawn with a double border) is
never reached.
Obviously, the only meaningful bound which one can impose on dis-
crete controllers is to restrict the number of locations. In the following, we
investigate the complexity of the unbounded and the bounded case.
It turns out that the restriction to discrete controllers does not pay
off in the case with an unbounded number of locations. The combination
of Theorem 7.2.4, Lemma 4.1.1, and Theorems 4.2.5 and 4.2.6 reveals the
following complexity results:
Corollary 7.3.11. The unbounded safety controller synthesis problem for
discrete controllable timed automata is complete for
• C((L, 0,L), (∞,P)) = ExpSpace, assuming no observability,
• C((L,L,L), (∞,P)) = 2ExpTime, assuming partial observability, and
• C((L,∞,L), (∞,P)) = ExpTime, assuming full observability, respec-
tively.
We point out that, for establishing the lower bounds, a direct adapta-
tion of the classical ExpTime- and 2ExpTime-hardness proofs given by
Henzinger and Kopke [1999] and D’Souza and Madhusudan [2002], respec-
tively, is not possible, as these proofs rely on the assumption of a timed
controller.
By imposing a bound on the number of locations of a discrete controller,
we can combine Theorem 7.2.4, Lemma 4.1.1, and Theorem 4.2.9 to obtain
the following complexity results:
[Figure 7.7 (diagram omitted): Plant timed automaton (on the left) controlled by a discrete controller (on the right) that ensures that the bad location (drawn with a double border) is never reached.]
Corollary 7.3.12. The bounded safety controller synthesis problem for dis-
crete controllable timed automata, where the bound on the number of loca-
tions of the controller is given in binary, is complete for
• C((L, 0,L), (P,P)) = NExpTime, assuming no observability,
• C((L,L,L), (P,P)) = NExpTime, assuming partial observability, and
• C((L,∞,L), (P,P)) = NExpTime, assuming full observability, re-
spectively.
By assuming a unary encoding of the bound on the number of locations,
the controller can only access a logarithmic number of bits in its memory.
We thus obtain:
Corollary 7.3.13. The bounded safety controller synthesis problem for dis-
crete controllable timed automata, where the bound on the number of loca-
tions of the controller is given in unary, is complete for
• C((L, 0,L), (L,P)) = PSpace, assuming no observability,
• C((L,L,L), (L,P)) = PSpace, assuming partial observability, and
• C((L,∞,L), (L,P)) = PSpace, assuming full observability, respec-
tively.
In conclusion, whenever one restricts the controller to use only a loga-
rithmic amount of memory, synthesis becomes as easy as model checking. As
we will see in the next chapters, we can indeed exploit the drastic decrease
in complexity from 2ExpTime to PSpace and devise an effective synthe-
sis algorithm based on model checking that can be efficiently implemented
using symbolic data structures.
7.4 Bibliographic Remarks
To the best of the author’s knowledge, this thesis presents the first
complexity-theoretic analysis of bounded synthesis for timed automata,
providing matching lower and upper complexity bounds for various rele-
vant problems. Moreover, this thesis also presents the first ExpSpace-
completeness proof of timed controller synthesis under no observability and
the first NExpTime-completeness proof of the small witness problem for
timed automata. Tables 7.1 and 7.2 provide an overview.
Branching \ Witness    | Unconstrained | Binary bounded | Unary bounded
Nondeterministic       | PSpace-c      | NExpTime-c     | PSpace-c
Alternating            | ExpTime-c     | NExpTime-c     | PSpace-c
Blindfold alternating  | ExpSpace-c    | NExpTime-c     | PSpace-c
Private alternating    | Undecidable   | NExpTime-c     | PSpace-c
Table 7.1: Overview on the complexities of the reachability problem for timed automata. The results written in bold face are established in this thesis, the PSpace-completeness result is due to Alur et al. [1990], the ExpTime-completeness result is due to Henzinger and Kopke [1999], and the undecidability result is due to Bouyer et al. [2003].
Since our analysis is uniformly based on a connection to sequential circuit machines, every result that we establish is precise³ with respect to the number of clocks and the encoding of the constants.
³ There are still many open problems for timed automata with two clocks and constants encoded in binary.

Timing \ Locations     | Unconstrained | Binary bounded | Unary bounded
Unconstrained          | Undecidable   | Undecidable    | Undecidable
Bounded                | 2ExpTime-c    | NExpTime-c     | NExpTime-c
None (discrete)        | 2ExpTime-c    | NExpTime-c     | PSpace-c
Table 7.2: Overview on the complexities of the bounded synthesis problem for timed controllers with partial observability. The results written in bold face are established in this thesis, the two other results are due to Bouyer et al. [2003].

Timed automata were introduced in a sequence of papers in the early 1990s [Alur et al., 1990, Alur and Dill, 1990, Alur et al., 1993a, Alur and Dill, 1994]. PSpace-completeness of the model checking problem was established by Alur et al. [1990]. Courcoubetis and Yannakakis [1992] showed that the PSpace-hardness of the reachability problem for timed automata already occurs for either a polynomial number of clocks with integer constants 0 and 1, or for timed automata with precisely three clocks and integer constants encoded in binary. The complexity of model checking timed automata with one or two clocks was investigated by Laroussinie et al. [2004]. Tripakis [2003] and Finkel [2005] proved the undecidability of various problems concerning the minimization and determinization of timed automata.
The extension to controller synthesis, i.e., the turn-based two-player
case, is due to Maler et al. [1995] and Asarin et al. [1998], who introduced
turn-based timed game automata. The decidability of the safety controller
synthesis problem was shown by demonstrating that the attractor construction [see, e.g., Grädel et al., 2002] can be carried out using clock zones
(polyhedra that symbolically represent sets of clock values). Henzinger and
Kopke [1999] showed that the discrete attractor construction on the region
graph of the plant is theoretically optimal by proving that the problem is
ExpTime-complete, assuming a polynomial number of clocks. Later, Chen
and Lu [2008] made the lower bound more precise and proved that the ex-
ponential blow-up already occurs assuming only three clocks and a binary
encoding of the constants.
D’Souza and Madhusudan [2002] investigated the complexity of timed
controller synthesis against external specifications (i.e., specifications given
as another timed automaton). Cassez et al. [2002] showed that the controller
synthesis problem with an unknown sampling rate is undecidable for timed
automata. Bouyer et al. [2003] were the first who investigated the impact of
partial observability. Besides the fundamental undecidability result for the
general problem, they also showed that one obtains a 2ExpTime-complete
synthesis procedure when the granularity of the controller is fixed in advance.
Recently, Peter and Finkbeiner [2012] extended this line of research and
established complexity bounds for various bounded synthesis problems for
timed automata.
Chapter 8
Template-based Timed Controller Synthesis
At the end of the previous chapter, we have seen that the complexity of syn-
thesis boils down to the complexity of model checking whenever we assume
that the memory of the controller is at least exponentially smaller than the
memory of the plant. In this chapter, we build upon that observation and
propose a new synthesis approach, where the size and general shape of the
controller is fixed in advance in the form of a template.
Template-based synthesis has several attractive features: Since the ob-
servations of the controller are limited by the template, template-based syn-
thesis naturally solves the controller synthesis problem with partial observ-
ability. The size of the controller is also limited by the size of the template.
Because the templates model standard types of controllers, the synthesized controllers are well-structured, resembling a manually built controller.¹
We first give an overview on different types of templates in Section 8.1.
Then, in Section 8.2, we give a formal definition of the template-based syn-
thesis problem and provide a complexity analysis. In Section 8.3, we describe
effective algorithms to find feasible parameter instantiations. The chapter
concludes with an overview on related works in Section 8.4.
8.1 Template Types
A template is a timed or untimed automaton with parametric control struc-
ture. To illustrate the basic idea behind template-based controller synthesis,
in the following, we present some standard template types.
Cyclic executive. In the cyclic-executive template, shown in Figure 8.1, the controller implements some schedule according to which the events emitted by the plant are handled; the controller alternates between waiting for an uncontrollable observation and responding with some controllable action. We use the parametric control structure to abstract from the actual events that are communicated between plant and controller. The template families are organized according to the number of phases. Typically, we start the synthesis process with small templates and then iteratively increase the size until an optimal controller is found.
¹ The template-based synthesis approach has been published in [Finkbeiner and Peter, 2012].
[Figure 8.1 (diagram): a chain of locations "phase 1 wait" (invariant z ≤ 0), "phase 1 react", ..., "phase n wait" (invariant z ≤ 0), "phase n react"; edges are labelled obs(?) with reset z := 0 and send(?).]
Figure 8.1: Cyclic executive template with n phases.
Wait for. In the wait-for template, shown in Figure 8.2, the controller
is represented as a sequence of control points. For each control point, we
have a Boolean expression over discrete plant variables that are visible to
the controller. Whenever the condition is satisfied, a given effect is executed
that changes the value of some controllable variable that affects the behavior
of the plant. We use the parametric control structure to abstract from the
actual integer values in the conditions and the effects.
[Figure 8.2 (diagram): a chain of locations "control point 1", ..., "control point n" with invariant z ≤ 1, an intermediate location with invariant z ≤ 0; edges are labelled sensor < ?, sensor ≥ ?, mode := ? and reset z := 0.]
Figure 8.2: Wait-for template with n control points.
Distributed controllers. A template is not restricted to be a mono-
lithic automaton; we can also use the template-based synthesis approach to
synthesize a distributed controller, shown in Figure 8.3, which is given as a
network of monolithic template automata. Following this modeling pattern,
it is possible to introduce individual controllers each capturing a particular
aspect of the plant. In principle, one can assume an arbitrary communica-
tion topology among the plant and the controllers. We note that the general
distributed synthesis problem is undecidable even for pure discrete systems
[Pnueli and Rosner, 1990, Finkbeiner and Schewe, 2005].
[Figure 8.3 (diagram): a "Plant" node connected to three "Controller template" nodes.]
Figure 8.3: For a network containing several monolithic template automata
and a timed automaton representing the plant, template-based synthesis
yields a distributed controller.
8.2 Definition and Complexity
In this section, we formalize the template-based synthesis problem and an-
alyze its complexity.
A controller template is a tuple (T, P, Π) consisting of a timed automa-
ton T = (Q, q0, Σ, E, I), a finite set of Boolean parameters P, and a total
function Π : ~P → 2^E defining which edges are enabled for a given parameter
valuation, where ~P = P → {false, true} is the set of all parameter valua-
tions. In the following, we will assume that the timed automaton modeling
the environment (or plant) is already integrated (by parallel composition) in
T . As usual, we assume that the controller does neither reset plant clocks,
inhibit plant actions, nor introduce timelocks.
Definition 8.2.1. For a controller template (T, P, Π) and a set of bad
states B, where T = (Q, q0, Σ, E, I), the instantiation problem asks for
a parameter valuation ~p ∈ ~P such that I = (Q, q0, Σ, Π(~p), I) and I ⊭ B.
We call an instantiation of the template that satisfies the condition of the
definition feasible. Synthesizing a template-based controller corresponds to
statically finding a feasible instantiation. Observe that this is in contrast to
the classical formulation of the timed controller synthesis problem by Maler
et al. [1995], Asarin et al. [1998], where the controller is an arbitrary timed
automaton whose behavior depends dynamically on the observed events of
the plant.
In terms of sequential circuit machines, template-based synthesis cor-
responds to a setting, where the universal memory contains a polynomial
number of bits while the existential player has no memory at all and can
only observe logarithmically many bits.
Theorem 8.2.2. The instantiation problem for a controller template and a
set of bad states is complete for C((1,L,L), (0,P)) = PSpace.
Proof. According to Corollary 7.3.1, AG-model checking for timed automata
is complete for C((0, 0,L), (0,P)) = PSpace, which, according to Theo-
rem 4.2.8, coincides with C((1,L,L), (0,P)). Thus, the hardness for the tem-
plate instantiation problem follows immediately, since timed model checking
is just the special case, where we have no parameters at all (i.e., if for all
controller templates (T , P,Π) we have P = ∅).
For the upper bound, observe that we can transform a given template
instantiation problem into a bounded controller synthesis problem, where
the plant queries the controller whenever a value for a parameter needs
to be determined. By disallowing any existential memory, we make sure
that the controller always gives consistent answers. Since there can be at
most a polynomial number of parameters, the plant (i.e., Player A) only
needs logarithmically many bits to communicate the parameter index to
the controller (i.e., Player E). In turn, Player E responds with the value
of the parameter, which just requires a single bit. Hence, containment in
C((1,L,L), (0,P)).
We note that for the general timed synthesis problem as introduced by
Maler et al. [1995] and Bouyer et al. [2003], the size of the controller can be
exponential or even, in case of partial observability, doubly-exponential in
the size of the plant. This contrasts with template-based synthesis, which
has not only a much smaller worst-case complexity, but also has the advan-
tage that the size of the controller is fixed in advance.
Template-based synthesis thus provides a much more promising setting
for effective controller synthesis than the standard approach. The remainder
of this chapter is devoted to the development of an efficient template-based
synthesis algorithm, which is supplemented with an experimental evaluation
in the next chapter.
8.3 Symbolic Parameter Synthesis
We now present a symbolic algorithm for finding feasible instantiations for
a given controller template (T , P,Π) with T = (Q, q0,Σ, E, I) and a set of
bad states B ⊆ S, where S is the set of states of T . In the rest of this
section, we assume that T , P , Π, S, and B are fixed.
We develop the algorithm in three steps: first, we describe the imme-
diate, exact, computation of the set of feasible instantiations based on for-
ward and backward propagation; then we give an approximate computation
based on an abstraction of the template; finally, we describe an abstraction
refinement procedure, which increases the precision of the approximate com-
putation until either a feasible instantiation has been found, or it has been
shown that no feasible instantiation exists.
8.3.1 Precise Computation of the Feasible Instantiations
The precise set of feasible instantiations can be computed in a standard fixed
point construction that either starts from the initial state and propagates,
in a forward manner, the reachable combinations of states and parameter
valuations, or starts with the bad states and propagates, in a backward
manner, those combinations of states and parameter valuations that have a
path to the bad states.
To accommodate both directions, we define a successor and a predecessor
propagation function Succ, Pred : 2^{S×~P} → 2^{S×~P} with
$$\mathit{Succ}(Y) = \{ (s', \vec p) \in S \times \vec P \mid \exists \delta \in \Pi(\vec p) : \exists s \in S : (s, \vec p) \in Y \wedge s \xrightarrow{\delta} s' \}$$
and
$$\mathit{Pred}(Y') = \{ (s, \vec p) \in S \times \vec P \mid \exists \delta \in \Pi(\vec p) : \exists s' \in S : (s', \vec p) \in Y' \wedge s \xrightarrow{\delta} s' \}.$$
The set FR of forward-reachable states and parameter valuations and the
set BR of backward-reachable states and parameter valuations are obtained
by the following fixed point computations (the index identifies the round of
the fixed point iteration):
$$\begin{aligned}
\mathit{FR}_0 &= \{(l_0, \vec 0)\} \times \vec P & \mathit{BR}_0 &= B \times \vec P \\
\mathit{FR}_{i+1} &= \mathit{Succ}(\mathit{FR}_i) \cup \mathit{FR}_i & \mathit{BR}_{i+1} &= \mathit{Pred}(\mathit{BR}_i) \cup \mathit{BR}_i \\
\mathit{FR} &= \lim_i \mathit{FR}_i & \mathit{BR} &= \lim_i \mathit{BR}_i .
\end{aligned}$$
Clearly, if there is some (s, ~p) ∈ FR_i then this means that state s is reached
after i ∈ N forward steps for parameter valuation ~p, which corresponds to
a path
$$s_0 \xrightarrow{\delta_1} s_1 \xrightarrow{\delta_2} \cdots \xrightarrow{\delta_i} s,$$
where each δ1, δ2, ..., δi is in Π(~p). Dually,
if there is some state (s, ~p) ∈ BR_i then this means that state s is reached
after i ∈ N backward steps for parameter valuation ~p, which corresponds to
a path
$$s \xrightarrow{\delta_1} s_1 \xrightarrow{\delta_2} \cdots \xrightarrow{\delta_i} b,$$
where b ∈ B and each δ1, δ2, ..., δi is in Π(~p).
We can obtain the feasible instantiations either by looking for parameter
valuations in FR that are not paired up with bad states, or by looking for
parameter valuations in BR that are not paired up with the initial state.
Both constructions identify the same set of feasible instantiations.
Theorem 8.3.1. The set
$$G = \{ \vec p \in \vec P \mid (B \times \{\vec p\}) \cap \mathit{FR} = \emptyset \} = \{ \vec p \in \vec P \mid ((l_0, \vec 0), \vec p) \notin \mathit{BR} \}$$
consists of exactly the feasible instantiations.
Proof. It is easy to see that G_f = {~p ∈ ~P | (B × {~p}) ∩ FR = ∅} contains exactly
those parameter valuations for which no bad state is forward reachable.
Hence, by definition, G = G_f.
On the other hand, because for every forward reachable state s, the
initial state s0 is also backward reachable from s, we have that G_b = {~p ∈
~P | ((l0,~0), ~p) ∉ BR} coincides with G_f. Hence, G = G_f = G_b.
In practice, neither construction performs well. The problem is that
it is difficult and expensive to maintain the correlation between parameter
valuations and reachable states; typically, each parameter valuation results
in a different set of states.
Instead of directly computing the precise set of parameter valuations, in
the next subsection, we will present an abstraction technique that allows us
to reason about approximations of parameter valuations.
8.3.2 The Focus Abstraction
We now consider an abstraction of the template based on a given set P ⊆ ~P
of parameter valuations, which we call focus. We use the parameter valu-
ations in P to obtain an over- or underapproximation of the sets FR and
BR, by considering P as an equivalence class: we require that a transition
must exist for some or all parameter valuations in P , respectively. In the
following, we use an overapproximation for the forward construction and an
underapproximation for the backward construction; obviously, all construc-
tions can also be dualized. We obtain the following approximate successor
and predecessor functions Succ^P, Pred^P : 2^S → 2^S with
$$\mathit{Succ}^{\mathcal P}(Y) = \{ s' \in S \mid \exists \vec p \in \mathcal P : \exists \delta \in \Pi(\vec p) : \exists s \in Y : s \xrightarrow{\delta} s' \}$$
and
$$\mathit{Pred}^{\mathcal P}(Y') = \{ s \in S \mid \forall \vec p \in \mathcal P : \exists \delta \in \Pi(\vec p) : \exists s' \in Y' : s \xrightarrow{\delta} s' \}.$$
Replacing the precise Succ and Pred operators in the fixed point construc-
tion from Subsection 8.3.1, we obtain two new fixed point constructions for
the approximations FR^P and BR^P:
$$\begin{aligned}
\mathit{FR}^{\mathcal P}_0 &= \{(l_0, \vec 0)\} & \mathit{BR}^{\mathcal P}_0 &= B \\
\mathit{FR}^{\mathcal P}_{i+1} &= \mathit{Succ}^{\mathcal P}(\mathit{FR}^{\mathcal P}_i) \cup \mathit{FR}^{\mathcal P}_i & \mathit{BR}^{\mathcal P}_{i+1} &= \mathit{Pred}^{\mathcal P}(\mathit{BR}^{\mathcal P}_i) \cup \mathit{BR}^{\mathcal P}_i \\
\mathit{FR}^{\mathcal P} &= \lim_i \mathit{FR}^{\mathcal P}_i & \mathit{BR}^{\mathcal P} &= \lim_i \mathit{BR}^{\mathcal P}_i .
\end{aligned}$$
Clearly, if there is some state s ∈ FR^P_i then this means that state s is
reached after i ∈ N forward steps for a set of parameter valuations P, which
corresponds to a path
$$s_0 \xrightarrow{\delta_1} s_1 \xrightarrow{\delta_2} \cdots \xrightarrow{\delta_i} s,$$
where, for each δi, there is a ~pi ∈ P such that δi ∈ Π(~pi). Dually, if there
is some state s ∈ BR^P_i then this means that state s is reached after i ∈ N
backward steps for a set of parameter valuations P, which corresponds to a
path
$$s \xrightarrow{\delta_1} s_1 \xrightarrow{\delta_2} \cdots \xrightarrow{\delta_i} b,$$
where b ∈ B and, for each δi and each ~p ∈ P, we have δi ∈ Π(~p).
The following lemma clarifies the relationships between the approximate
and precise versions of FR and BR: FR^P overapproximates FR on P, and BR^P
underapproximates BR on P.
Lemma 8.3.2. For every set P ⊆ ~P of parameter valuations, it holds that
$$\mathit{FR}^{\mathcal P} \supseteq \{ s \in S \mid \exists \vec p \in \mathcal P : (s, \vec p) \in \mathit{FR} \} \quad\text{and}\quad \mathit{BR}^{\mathcal P} \subseteq \{ s \in S \mid \exists \vec p \in \mathcal P : (s, \vec p) \in \mathit{BR} \}.$$
Proof. We first show FR^P ⊇ Y = {s ∈ S | ∃~p ∈ P : (s, ~p) ∈ FR}. By
definition, for every state s contained in Y, there is a ~p ∈ P such that there
is a path
$$s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots \xrightarrow{\delta_n} s,$$
where, for each 0 ≤ i ≤ n, δi ∈ Π(~p). On the other hand, by definition, for
every state s contained in FR^P, there is a path
$$s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots \xrightarrow{\delta_n} s,$$
where, for each δi, 0 ≤ i ≤ n, there is a ~pi ∈ P such that δi ∈ Π(~pi). Now,
when we fix each ~pi = ~p, for some ~p ∈ P, then we get Y. Hence, FR^P ⊇ Y.
Secondly, we show BR^P ⊆ Y = {s ∈ S | ∃~p ∈ P : (s, ~p) ∈ BR}. By
definition, for every state s contained in Y, there is a b ∈ B and a ~p ∈ P
such that there is a path
$$s \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots \xrightarrow{\delta_n} b,$$
where, for each 0 ≤ i ≤ n, δi ∈ Π(~p). On the other hand, by definition, for
every state s contained in BR^P, there is a b ∈ B such that there is a path
$$s \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots \xrightarrow{\delta_n} b,$$
where, for each δi, 0 ≤ i ≤ n, and each ~p ∈ P, we have δi ∈ Π(~p). Now, it is
easy to see that every state s in BR^P is backward reachable for an arbitrary
~p ∈ P, and thus, also contained in Y. Hence, BR^P ⊆ Y.
Combining Lemma 8.3.2 with Theorem 8.3.1, we obtain that the focus
abstraction allows us to approximate the set of feasible instantiations: A
set of parameter valuations P definitely represents feasible instantiations
if no bad states appear in FR^P. Dually, the parameter valuations in P
definitely represent infeasible instantiations if the initial state appears in
BR^P. Hence, we obtain the following lower and upper bounds for the set of
feasible instantiations.
Theorem 8.3.3. Let G be the precise set of feasible instantiations. For
every set P ⊆ ~P, it holds that
$$\{ \vec p \in \mathcal P \mid B \cap \mathit{FR}^{\mathcal P} = \emptyset \} \subseteq G \subseteq \{ \vec p \in \vec P \mid \vec p \in \mathcal P \Rightarrow (l_0, \vec 0) \notin \mathit{BR}^{\mathcal P} \}.$$
Proof. We first show that Y = {~p ∈ P | B ∩ FR^P = ∅} ⊆ G. By
Lemma 8.3.2, FR^P overapproximates those states that are precisely forward
reachable for P. By definition of Y, either (1) Y = ∅ ⊆ G, if B ∩ FR^P ≠ ∅,
or (2) Y = P, if B ∩ FR^P = ∅, i.e., surely no bad state is reachable for P. By
Theorem 8.3.1, a parameter valuation is feasible if no bad state is forward
reachable. Hence, also in case (2), Y = P ⊆ G.
Secondly, we prove that G ⊆ Y = {~p ∈ ~P | ~p ∈ P ⇒ (l0,~0) ∉ BR^P} by
showing that every ~p ∈ G is also contained in Y. We distinguish two cases.
Case 1: assume ~p ∈ G ∩ P. By Theorem 8.3.1, since ~p ∈ G, the initial state
is not backward reachable for ~p. By Lemma 8.3.2, BR^P underapproximates
those states that are precisely backward reachable for P. Since ~p ∈ P, both
the premise and the conclusion of the implication in the definition of Y are true, and
thus, ~p is also contained in Y.
Case 2: assume ~p ∈ G \ P. Then ~p violates the premise of the implication in the
definition of Y, and thus, is trivially contained in Y.
Hence, G ⊆ Y.
In the next subsection, we will describe an automatic refinement algo-
rithm for the Focus abstraction.
8.3.3 Abstraction Refinement
We now describe a refinement procedure that computes an increasingly pre-
cise approximation of the set of feasible instantiations. The procedure starts
with the set ~P of all parameter valuations, and then splits the set into smaller
and smaller subsets, until either a feasible instance is found, or it is estab-
lished that no feasible instance exists.
Algorithm 1 Solve(P): The algorithm computes a safe subset of a given
set P of parameter valuations, or returns fail if no safe subset exists.
1: if P = ∅ then
2:   return fail
3: else if (l0,~0) ∈ BR^P then
4:   return fail
5: else if FR^P ∩ BR^P = ∅ then
6:   return P
7: else
8:   P1 := Refine(P)
9:   R1 := Solve(P1)
10:  if R1 ≠ fail then
11:    return R1
12:  else
13:    P2 := P \ P1
14:    return Solve(P2)
15:  end if
16: end if
The procedure is shown as Algorithm 1. The input to the procedure is
the current focus P , for which we initially use ~P . Unless the (un)reachability
of some bad state can be surely established, after each refinement step, Solve
recurs on the refined focus. In each call of Solve, the set of bad states are
augmented with the states in BR^P. This is justified by the following lemmas,
which state that the old underapproximation BR^P is a subset of the new
underapproximation BR^{P′} for a refinement P′ ⊂ P, and that excluding
BR^P from FR^P does not affect the resulting upper bound on the feasible
instantiations.
Lemma 8.3.4. For two sets P, P′ ⊆ ~P of parameter valuations such that
P′ ⊂ P, it holds that BR^P ⊆ BR^{P′}.
Proof. We assume P′ ⊂ P and prove BR^P ⊆ BR^{P′} by showing that every
state in BR^P is also contained in BR^{P′}. By definition, for every state s ∈
BR^P, there is a b ∈ B such that there is a path
$$s \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots \xrightarrow{\delta_n} b,$$
where, for each δi, 0 ≤ i ≤ n, and each ~p ∈ P, we have δi ∈ Π(~p). Now, it is
easy to see that the same path also exists for the smaller set P′ ⊂ P.
Lemma 8.3.5. For every set P ⊆ ~P of parameter valuations, it holds that
$$\{ \vec p \in \mathcal P \mid B \cap \mathit{FR}^{\mathcal P} = \emptyset \} = \{ \vec p \in \mathcal P \mid \mathit{BR}^{\mathcal P} \cap \mathit{FR}^{\mathcal P} = \emptyset \}.$$
Proof. Let Y = {~p ∈ P | B ∩ FR^P = ∅} and Y′ = {~p ∈ P | BR^P ∩ FR^P = ∅}.
We distinguish two cases:
Case 1: assume B ∩ FR^P ≠ ∅. In this case, since B ⊆ BR^P, Y = Y′ = ∅.
Case 2: assume B ∩ FR^P = ∅. Observe that, for each state s ∈ BR^P, there
is a path from s to some state b ∈ B, for all parameter valuations in P. On
the other hand, by assumption, FR^P does not contain any states leading to
some bad state for some parameter valuation in P. Hence, BR^P ∩ FR^P = ∅,
and thus, Y = Y′.
It remains to specify the function Refine, which is called in procedure
Solve to find an appropriate subset of ~P to split on. Since ~P is finite, we
could, in principle, choose any strict (and non-empty) subset of ~P during
the refinement step. In the following we describe a heuristic choice that has
proved useful in practice: we choose a set of parameter valuations that are
guaranteed to increase BRP in the next iteration.
Suppose the termination conditions of procedure Solve are not true yet,
i.e., the initial state is not in BR^P and there are still states in FR^P ∩ BR^P.
We choose a state s ∈ FR^P \ BR^P and a state s′ ∈ BR^P, such that there
exists a transition δ ∈ Π(~p) that leads from s to s′ for some ~p ∈ P, but not
for all ~p ∈ P. The refinement proceeds with the parameter valuations that
allow a transition from s to s′:
$$\mathit{Refine}(\mathcal P) = \{ \vec p \in \mathcal P \mid \exists \delta \in \Pi(\vec p) : s \xrightarrow{\delta} s' \}.$$
Since such a pair s, s′ of states can be found until the termination condi-
tions of procedure Solve become true, we obtain that Refine always ensures
progress of our refinement algorithm.
Lemma 8.3.6. For every set of parameter valuations P ⊆ ~P, if P ≠ ∅,
(l0,~0) ∉ BR^P, and FR^P ∩ BR^P ≠ ∅, then there is a state s ∈ FR^P \ BR^P and
a state s′ ∈ BR^P such that
$$\emptyset \neq \mathit{Refine}(\mathcal P) \subsetneq \mathcal P.$$
Proof. By assumption, since FR^P ∩ BR^P ≠ ∅, there is a path from s0 = (l0,~0)
to some state b ∈ BR^P of the form
$$s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} \cdots s_n \xrightarrow{\delta_n} b,$$
where, for each δi, 0 ≤ i ≤ n, there is a ~pi ∈ P such that δi ∈ Π(~pi). Since
s0 ∉ BR^P, there is surely some si ∈ FR^P \ BR^P whose successor si+1 is in
BR^P. In fact, if b is the first state from BR^P that appears on the path,
then a candidate edge for refinement is $s_n \xrightarrow{\delta_n} b$, i.e., s = sn and s′ = b.
Thus, ∅ ⊂ Refine(P), as Refine(P) contains those ~p ∈ P for which δn ∈ Π(~p).
On the other hand, since Refine(P) contains exactly those ~p ∈ P for which
δn ∈ Π(~p), we can conclude that Refine(P) ⊂ P, as sn would already be contained
in BR^P if δn were available for all ~p ∈ P.
Putting everything together, we obtain the following correctness theorem
for Solve(~P ), where Lemma 8.3.6 guarantees termination and Theorem 8.3.3
guarantees soundness of the result.
Theorem 8.3.7. Called with the set ~P of parameter valuations, Procedure
Solve(~P ) terminates after at most |~P | refinement steps and either computes
a feasible template instantiation or reports failure, in which case no feasible
template instantiation exists.
Proof. Termination of Solve(~P ) is easily established by Lemma 8.3.6, which
ensures progress of each refinement step. Since there are only finitely many
parameter valuations in ~P , the focus P will eventually, after at most |~P |
refinement steps, end up with ∅ or some parameter valuations, for which
one of the termination conditions becomes true.
Soundness of Solve(~P ) follows immediately from Theorem 8.3.3.
Completeness of Solve(~P ) is established by the fact that Solve does not
miss any parameter valuation: in the lines 9 and 14 of Algorithm 1, Solve
recurs on the refinement P1 and on P \ P1.
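As an added example (not code from the thesis), the following Python script runs the precise fixed points of Subsection 8.3.1, the focus abstraction of Subsection 8.3.2 and Algorithm 1 with the Refine heuristic of this subsection on a small discrete template. The template, its three Boolean parameters and the edge guards are constructed for this illustration, and clocks are left out so that a state is just a location.

```python
from itertools import product

# Constructed template (not from the thesis): five locations, three Boolean
# parameters p0, p1, p2; clocks are omitted, so a state is just a location.
STATES = ["init", "wait", "react", "idle", "bad"]
PARAMS = ["p0", "p1", "p2"]
INIT = "init"
BAD = {"bad"}

# Edges (src, dst, guard).  A guard maps a parameter index to the value it
# must have; the edge belongs to Pi(p) iff every listed literal holds in p.
EDGES = [
    ("init", "wait", {}),
    ("wait", "react", {0: True}),
    ("wait", "idle", {0: False}),
    ("react", "bad", {1: True}),
    ("react", "init", {1: False}),
    ("idle", "init", {}),
    ("idle", "bad", {2: True}),
]

def all_valuations():
    """The set of all parameter valuations (tuples of bools, one per PARAMS)."""
    return set(product([False, True], repeat=len(PARAMS)))

def enabled(edge, p):
    """Pi(p): does valuation p enable this edge?"""
    return all(p[i] == value for i, value in edge[2].items())

def step(src, dst, p):
    """True iff some edge delta in Pi(p) leads from src to dst."""
    return any(e[0] == src and e[1] == dst and enabled(e, p) for e in EDGES)

def lfp(start, op):
    """Fixed point X_{i+1} = op(X_i) | X_i starting from X_0 = start."""
    x = set(start)
    while True:
        nxt = op(x) | x
        if nxt == x:
            return x
        x = nxt

# 8.3.1: precise computation over pairs (state, valuation)
def precise_fr():
    """FR: forward-reachable pairs, starting from {init} x all valuations."""
    succ = lambda y: {(t, p) for (s, p) in y for t in STATES if step(s, t, p)}
    return lfp({(INIT, p) for p in all_valuations()}, succ)

def precise_br():
    """BR: backward-reachable pairs, starting from B x all valuations."""
    pred = lambda y: {(s, p) for (t, p) in y for s in STATES if step(s, t, p)}
    return lfp({(b, p) for b in BAD for p in all_valuations()}, pred)

def feasible_forward():
    """G via FR: valuations never paired with a bad state (Theorem 8.3.1)."""
    fr = precise_fr()
    return {p for p in all_valuations() if not any((b, p) in fr for b in BAD)}

def feasible_backward():
    """G via BR: valuations never paired with the initial state."""
    br = precise_br()
    return {p for p in all_valuations() if (INIT, p) not in br}

# 8.3.2: focus abstraction for a focus P (a set of valuations)
def fr_focus(P):
    """FR^P: a step counts if SOME valuation in P enables it (overapprox.)."""
    succ = lambda y: {t for s in y for t in STATES if any(step(s, t, p) for p in P)}
    return lfp({INIT}, succ)

def br_focus(P):
    """BR^P: s is added only if EVERY valuation in P enables a step from s
    into the current set (underapproximation)."""
    pred = lambda y: {s for s in STATES if all(any(step(s, t, p) for t in y) for p in P)}
    return lfp(set(BAD), pred)

# 8.3.3: Refine heuristic and Algorithm 1
def refine(P):
    """Pick s in FR^P \\ BR^P and s' in BR^P with an edge s -> s' enabled for
    some but not all of P; return the valuations enabling it (Lemma 8.3.6)."""
    fr, br = fr_focus(P), br_focus(P)
    for s in STATES:
        if s not in fr or s in br:
            continue
        for t in STATES:
            if t in br:
                chosen = {p for p in P if step(s, t, p)}
                if chosen and chosen != P:
                    return chosen
    raise AssertionError("Refine called although a termination condition holds")

def solve(P):
    """Algorithm 1: return a safe subset of P, or None for 'fail'."""
    if not P:
        return None
    if INIT in br_focus(P):
        return None               # initial state surely reaches a bad state
    if not (fr_focus(P) & br_focus(P)):
        return P                  # no bad state reachable for any p in P
    P1 = refine(P)
    R1 = solve(P1)
    return R1 if R1 is not None else solve(P - P1)
```

On this template, `feasible_forward()` and `feasible_backward()` agree on the four feasible valuations, and `solve(all_valuations())` returns the singleton focus {(p0=false, p1=true, p2=false)} after three refinement splits.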
8.3.4 Towards an Efficient Implementation
In conclusion, the focus abstraction reduces controller synthesis to an ab-
straction refinement-based reachability analysis. Here, we extend timed
automata by discrete parameter variables that succinctly represent sets of
template instantiations. An efficient implementation of Algorithm 1 thus
requires an efficient treatment of both sets of clock and parameter values.
While specialized data structures exist for efficiently representing sets
that consist only of clock values or only of discrete values, the combined
treatment of both is a challenging technical problem that arises in the anal-
ysis of timed systems with a succinctly specified control structure. The
next chapter addresses this problem and presents a general technique to
efficiently treat orthogonal sources of complexity induced by independent
forms of succinctness. For timed automata and template-based synthesis in
particular, in Chapter 10, we will present the tool Synthia and report on
an experimental evaluation.
8.4 Bibliographic Remarks
A first more practical approach to timed controller synthesis, implemented
in the tool SynthKro, was proposed by Altisen and Tripakis [2002]. The
approach requires, however, an expensive preprocessing step. Cassez et al.
[2005] presented a symbolic algorithm, implemented in the tool Uppaal-
Tiga [Behrmann et al., 2007], that avoids the upfront state explosion by
combining the backward attractor construction with a forward zone graph
exploration. The first practical work on timed controller synthesis under
incomplete information is due to Cassez et al. [2007], who proposed to re-
strict the choices and the observability of the controller so that a zone-based
synthesis algorithm remains possible. An extension of this work uses alter-
nating timed simulation relations to efficiently control partially observable
systems [Chatain et al., 2009]. This approach has also been implemented
in Uppaal-Tiga. The template-based synthesis approach presented in this
chapter was introduced by Finkbeiner and Peter [2012].
Template-based synthesis is related to the bounded synthesis ap-
proach [Schewe and Finkbeiner, 2007], where one fixes the size (but not the
structure) of the controller. Bounded synthesis has so far been limited to
purely discrete systems. There are efficient algorithms for bounded synthe-
sis based on SMT-solving [Finkbeiner and Schewe, 2007], antichains [Filiot
et al., 2009], and BDDs [Ehlers, 2010], which, however, unfortunately do
not seem to have straightforward extensions to the timed case. Another
interesting restriction on the type of controllers to be considered has been
proposed by Lustig and Vardi [2009]: synthesis from component libraries at-
tempts to construct a controller by assembling routines from a given library.
The difference to template-based synthesis is that the synthesized controller
is a combination of predefined components rather than an instantiation of
a parametric template. Currently, this approach is also limited to discrete
systems.
Chapter 9
Combined-Symbolic Analysis
of Timed Systems
In Chapter 7, we have seen that the source of the exponential blow-up in the
analysis of timed automata is the fact that clocks can be used to succinctly
encode state spaces of exponential size. Hence, from a theoretical point of
view, unless PTime = PSpace, any actual analysis algorithm will intrinsi-
cally suffer from an exponential blow-up in at least some cases. Left with
this rather pessimistic insight, the best one can achieve is to devise heuris-
tics that avoid the exponential blow-up, maybe not for all, but hopefully for
many practically relevant cases.
Independently of the complexity induced by clocks, timed systems can
orthogonally suffer from an exponential blow-up caused by a succinctly spec-
ified control structure. For example, in Section 5.1, we have seen that net-
works of communicating state machines, which represent an untimed sub-
class of networks of timed automata, are already succinct enough to cause
an exponential blow-up in their analysis.
A crucial point in any analysis algorithm for timed automata is how
sets of states are symbolically represented.1 The choice of the right data
structure is essential for preserving the succinctness during the analysis.
While there exist efficient techniques for representing sets that contain either
only clock values or only discrete values, the efficient representation and
manipulation of sets of pairs of continuous and discrete state information
is widely regarded as an important open problem since the introduction of
timed automata.
This chapter addresses this practical challenge and, based on an insight-
ful circuit-based interpretation of the semantics of timed automata in Sec-
tion 9.1, in Section 9.2, we present a solution that yields promising ex-
perimental results, which will be presented in Chapter 10. This chapter
concludes with an overview on efficient techniques for the analysis of timed
automata in Section 9.3.
1 Necessarily, one has to employ some symbolic representation as there are uncountably
many timed states.
124 CHAPTER 9. COMBINED-SYMBOLIC ANALYSIS
9.1 The Combined Succinctness of Timed Automata
[Figure 9.1 (diagram): the main circuit C_A with a sub-circuit C over the location bits and a sub-circuit T over the clock bits; labels N_A, N_E, "edge sel.", τ, (ϕ1, r1) · · · (ϕk, rk) from C to T, and "enabled" from T back to C.]
Figure 9.1: The main circuit C_A of the finite semantics of timed automata
can be divided into a sub-circuit C representing the discrete behavior and a
sub-circuit T representing the timed behavior.
A closer look on the circuit-based interpretation of the semantics of timed
automata reveals a minimal cut in the communication structure: As shown
in Figure 9.1, when we divide the combinatorial circuit representing the
transitions of the finite semantics (1) into a sub-circuit C that operates on
the state bits representing the control locations and (2) into a sub-circuit T
that operates on the state bits representing the clocks, we notice that C
only needs ⌈log(k + 1)⌉ bits to communicate which clock operation should
be executed to T , where k is the number of distinct pairs of clock constraints
and resets that appear in the given automaton. For the other direction, T
only needs 1 bit to communicate whether the operation could be executed
(i.e., whether the current clock values satisfy the selected guard). Recall
from Chapter 7 that the number of state bits of T can be polynomial in the
number of clocks and the size of the binary representation of the constants of
the given timed automaton. According to Section 5.1, in case of networks of
timed automata or due to the introduction of discrete parameter variables,
the number of state bits of C can be polynomial in the number of the
components.
The separation of C and T also makes sense concerning the way in which
both circuits manipulate their respective state bits: When executing a discrete
step, C only manipulates the local state bits of those components that
synchronize. Also, in the presence of discrete parameter variables, whose
values are determined statically (i.e., they are initially chosen and remain
fixed), executing a discrete step only changes the state bits of some com-
ponents, but not the bits of the parameter values. On the other hand, the
computation of the timed successor states is more arithmetic in nature and
may change all timed state bits at once: While elapsing of time corresponds
to an incrementation operation, as clocks (whose values need to be preserved
in the state bits) are de facto integer counters, resetting corresponds to an
addition / subtraction operation, as clock differences (whose values also need
to be preserved in the state bits) are de facto integer counters as well.
Being aware of this difference, it becomes clear that an efficient treatment
of one part might be very inefficient for the other one. Therefore, instead
of aiming for a monolithic approach that represents every aspect of the
state space in a single data structure, we rather propose to exploit the
(hopefully) slack interface between the discrete and the timing part and aim
for a combination of two different symbolic representations, each specialized
for a particular aspect.
In the rest of this chapter, we will work out such a combination approach
for the reachability analysis of timed automata that can be used to combine
BDDs with DBMs.
9.2 Combining Symbolic Data Structures
Based on the fundamental considerations in Section 9.1, we now describe
our combination approach in more technical detail.2
In the following, for the sake of simplicity, we assume that discrete pa-
rameter variables are incorporated as additional locations in the control
structure of the network of timed automata under consideration. For this
entire section, we fix a network of timed automata
$$N = T_1 \,\|\, T_2 \,\|\, \cdots \,\|\, T_n$$
and an n-dimensional location vector ~qb representing the global bad location.
For each 1 ≤ i ≤ n, we assume Ti = (Qi, qi0,Σi, Ei, Ii) and we define
$$Q = \prod_{i=1}^{n} Q_i \quad\text{and}\quad \Sigma = \bigcup_{i=1}^{n} \Sigma_i .$$
2 The idea of analyzing timed systems in sequences of syntactic abstractions with in-
creasing precision, which can be seen as a precursor work to the combination approach,
has been published in [Peter and Mattmüller, 2009]. The idea of strictly separating the
discrete and the timing part along with a first experimental evaluation has been published
in [Ehlers et al., 2010b]. The combination approach itself has been published in [Ehlers
et al., 2010c].
9.2.1 Overview
The idea of our combination approach is to use a data structure specialized
for Boolean functions to produce a sequence of syntactic abstractions of N
with increasing precision. We obtain the abstractions by merging locations
such that the abstract control structure either under- or overapproximates
the behavior of N . For each abstraction, we apply the standard zone-based
reachability algorithm (to be defined in Section 9.2.4) to obtain an under-
or an overapproximation of the reachable states.
Instead of computing the reachable states on the most precise control
structure of N directly, our key idea is to analyze a sequence of simpler
timed automata, where each analysis process reuses the approximations ob-
tained from the previous one. That is, we use reachable state set approxima-
tions computed on coarse (and therefore simple) abstractions to (1) obtain
refinements that increase the precision of the abstractions, and (2) identify
irrelevant parts of N that do not need to be analyzed. Both soundness and
effectiveness of our approach rely on the fact that whenever an abstract
state appears in an underapproximation, all subsumed concrete states are
surely reachable, and dually, whenever an abstract state is not contained in
an overapproximation, all subsumed concrete states are surely unreachable.
9.2.2 Representing the Edge Relation
We introduce the following Boolean variables.
• $\widehat{(Q_i)}$ and $\widehat{(Q_i)}'$, for every Q_i,
• $\widehat{(\Sigma)}^d$, for the decisions Σ,
• $\widehat{(C_i)}^c$, for every set C_i that contains all the clock constraints that ap-
pear in E_i or I_i, and
• $\widehat{(R_i)}^r$, for every set R_i that contains all clock resets r that appear in
E_i.
For any two distinct decisions d, d′ ∈ Σ, we require (d)d ∧ (d′)d ≡ false.
Also, for two locations q, q′ ∈ Qi of the same component Ti, we require
(q) ∧ (q′) ≡ false and (q)′ ∧ (q′)′ ≡ false. Since the components of N are
explicitly given, the number of Boolean variables is only logarithmic per
component.
Now, we define the Boolean function that encodes the unsynchronized
global edge relation as
$$\Delta_e \equiv \bigwedge_{1 \le i \le n} \;\bigvee_{(q, d, \varphi, r, q') \in E_i} (q) \wedge (d)^d \wedge (\varphi)^c \wedge (r)^r \wedge (q')'.$$
Since we only consider (un)reachability properties, we construct the follow-
ing Boolean function to incorporate the invariants into the guards:
$$I \equiv \bigwedge_{1 \le i \le n} \;\bigwedge_{q \in Q_i} \big( (q) \Rightarrow (I_i(q))^c \big).$$
We combine both Boolean functions by taking their conjunction and existentially quantifying over the Boolean variables that are used to define the synchronization events. We thus obtain the synchronized global edge relation:
$$\Delta \equiv \exists (\cdot)^d : \Delta_e \wedge I$$
Obviously, N can take a discrete step from a global location ~q to another global location ~q′, with guard ϕ and clock resets r, iff $(\Delta \wedge (\vec q) \wedge (\varphi)^c \wedge (r)^r \wedge (\vec q')') \not\equiv \mathit{false}$.
For a set of locations L, the discrete successors $\mathit{Succ}_b((L))$ of L are represented by the following Boolean function, which is defined over the $(\cdot)'$ variables:
$$\mathit{Succ}_b((L)) \equiv \exists(\cdot)\;\exists(\cdot)^c\;\exists(\cdot)^r : \Delta \wedge (L) \wedge (\varphi)^c \wedge (r)^r$$
Similarly, the discrete predecessors $\mathit{Pred}_b((L))$ of L are represented by the following Boolean function, which is defined over the $(\cdot)$ variables:
$$\mathit{Pred}_b((L)) \equiv \exists(\cdot)'\;\exists(\cdot)^c\;\exists(\cdot)^r : \Delta \wedge (L)' \wedge (\varphi)^c \wedge (r)^r$$
9.2.3 Syntactic Abstractions of Timed Automata
We obtain syntactic abstractions of N by merging its locations according to a partitioning $\Pi \subseteq 2^Q$ such that $\biguplus \Pi = Q$.
For a partition π ∈ Π, we write (π) or (π)′ to refer to the Boolean function that characterizes π, defined over unprimed or primed Boolean location variables, respectively. We define
$$\Pi_0^{\mathcal N} = \{\{\vec q_0\}, \{\vec q_b\}, Q \setminus \{\vec q_0, \vec q_b\}\}$$
as the initial partition of N that just separates the global initial location ~q0 and the bad location ~qb from each other and the remaining locations of N.
We define the quotient of N with respect to Π as the timed automa-
ton (Q, q0,Σ, E, I) = N/Π, where
• Q = Π,
• q0 = pi0, where pi0 is the unique partition from Π that contains ~q0,
• Σ = {d}, and
• I = [ q 7→ true | q ∈ Q ].
The definition of the edge relation E depends on whether the may quotient ⌈N/Π⌉ or the must quotient ⌊N/Π⌋ should be constructed. The edge relation of the may quotient is defined as
$$E_{may} = \{(\pi, d, \varphi, r, \pi') \mid (\pi) \wedge (\varphi)^c \wedge (r)^r \wedge (\pi')' \wedge \Delta \not\equiv \mathit{false}\}.$$
The definition of the edge relation of the must quotient $E_{must}$ is a bit more involved. We define $E_{must}$ to be the set that contains those edges (π, d, ϕ, r, π′), for which the following conditions hold:
(1) π, π′ are partitions from Π, r is a set of clock resets, and ϕ1, . . . , ϕk are clock constraints;
(2) $\varphi \equiv \bigwedge_{1 \le j \le k} \varphi_j \not\equiv \mathit{false}$;
(3) $\big((\pi) \Rightarrow \bigvee_{1 \le i \le k} \exists(\cdot)'\;\exists(\cdot)^c\;\exists(\cdot)^r : ((\varphi_i)^c \wedge (r_i)^r \wedge (\pi')' \wedge \Delta)\big) \equiv \mathit{true}$.
Whenever we have two edges e1 = (q, d, ϕ1, r, q′) and e2 = (q, d, ϕ2, r, q′′) in E, where E is either $E_{may}$ or $E_{must}$, with ϕ1 ⇒ ϕ2, we remove e1 from E.
Clearly, the number of edges in an abstraction scales with the number
of distinct clock guard/reset pairs N exhibits. Note that this performance
bottleneck of our approach corresponds to the communication bandwidth
between the control and the timing part mentioned in Section 9.1. We refer
to Section 10.1.1 on Page 137 for a more detailed discussion concerning this
issue.
9.2.4 Computing the Reachable States
For a given abstract timed automaton, we compute the set of reachable
states using the zone graph³ construction [Henzinger et al., 1994, Alur, 1999].
We now briefly recall the basic definitions for clock zones, difference bound
matrices, and the semi-symbolic reachability analysis on timed automata.
For a detailed overview, we refer to Clarke et al. [2001b, Section 17.5].
Clock zones and difference bound matrices. We fix a granularity µ = (X, m, cmax). A convex clock zone (or just a clock zone) z over µ is represented by a |X′| × |X′| difference bound matrix [Dill, 1989] (DBM) M, where X′ is the ordered set {x0} ⊎ X and x0 is a dedicated clock whose value is always 0. Each column x and each row y of M correspond to a clock in X′. Semantically, M represents a conjunction of inequalities of clock differences of the form
$$\bigwedge_{y,x \in X'} y - x \prec_{M(y,x)} M(y,x),$$
where each $\prec_{M(y,x)} \in \{<, \le\}$ and $M(y,x) \in \mathbb{Q} \cup \{\infty\}$ with $-c_{max} \le M(y,x) \le c_{max}$ and $M(y,x) = k \cdot m^{-1}$, for some $k \in \mathbb{Z}$, unless $M(y,x) = \infty$. We write Z to refer to the set of all clock zones.
³ Also sometimes called the simulation graph [e.g., by Bouajjani et al., 1997].
DBMs are a convenient data structure for computing fixed points, because they have a normal form property. We say that a DBM M is in canonical normal form iff for every x, y, z ∈ X′ we have that
$$\big(M(y,x), \prec_{M(y,x)}\big) \le \big(M(y,z), \prec_{M(y,z)}\big) + \big(M(z,x), \prec_{M(z,x)}\big),$$
where
$$(c_1, \prec_1) + (c_2, \prec_2) := \begin{cases} (c_1 + c_2, \le) & \text{if } \prec_1 = \le \text{ and } \prec_2 = \le; \\ (c_1 + c_2, <) & \text{otherwise;} \end{cases}$$
and
$$(c_1, \prec_1) \le (c_2, \prec_2) :\Leftrightarrow (c_1 < c_2) \vee (c_1 = c_2) \wedge (\prec_1 = \le \;\vee\; \prec_2 = <).$$
One can use the Floyd-Warshall algorithm [Floyd, 1962, Warshall, 1962]
[Cormen et al., 2009, Section 25.2], which runs in O(|X′|³), to transform a
DBM into its canonical normal form. We always assume that every DBM is
in canonical normal form (i.e., we always execute the canonization algorithm
whenever the normal form property is violated).
The conjunction of two DBMs M and N is obtained by taking the conjunction of the individual inequalities:
$$M \wedge N := M', \text{ where, for each } x, y \in X',$$
$$\big(M'(y,x), \prec_{M'(y,x)}\big) = \begin{cases} \big(M(y,x), \prec_{M(y,x)}\big) & \text{if } M(y,x) < N(y,x); \\ \big(N(y,x), \prec_{N(y,x)}\big) & \text{if } N(y,x) < M(y,x); \\ \big(M(y,x), \prec_{M(y,x)}\big) & \text{if } M(y,x) = N(y,x) \text{ and } \prec_{M(y,x)} = \prec_{N(y,x)}; \\ \big(M(y,x), <\big) & \text{if } M(y,x) = N(y,x) \text{ and } \prec_{M(y,x)} \ne \prec_{N(y,x)}. \end{cases}$$
The future operation for a DBM M widens M such that, after the widening, it contains all states that are reachable by letting time elapse:
$$M^{\Uparrow} := M', \text{ where, for each } x, y \in X',$$
$$\big(M'(y,x), \prec_{M'(y,x)}\big) = \begin{cases} (\infty, <) & \text{if } y \ne x_0 \text{ and } x = x_0; \\ \big(M(y,x), \prec_{M(y,x)}\big) & \text{otherwise.} \end{cases}$$
The reset operation for a DBM M resets the clocks r ⊆ X in M:
$$M[r := 0] := M', \text{ where, for each } x, y \in X',$$
$$\big(M'(y,x), \prec_{M'(y,x)}\big) = \begin{cases} (0, \le) & \text{if } y \in r \text{ and } x \in r; \\ \big(M(x_0,x), \prec_{M(x_0,x)}\big) & \text{if } y \in r \text{ and } x \notin r; \\ \big(M(y,x_0), \prec_{M(y,x_0)}\big) & \text{if } y \notin r \text{ and } x \in r; \\ \big(M(y,x), \prec_{M(y,x)}\big) & \text{if } y \notin r \text{ and } x \notin r. \end{cases}$$
The existential quantification (or inverse reset) operation for a DBM M existentially quantifies over the clocks in r ⊆ X \ {x0}:
$$\exists r : M := M', \text{ where, for each } x, y \in X',$$
$$\big(M'(y,x), \prec_{M'(y,x)}\big) = \begin{cases} (\infty, <) & \text{if } y \in r \text{ and } x \in r; \\ (\infty, <) & \text{if } y \in r \text{ and } x \notin r; \\ \big(M(y,x_0), \prec_{M(y,x_0)}\big) & \text{if } y \notin r \text{ and } x \in r; \\ \big(M(y,x), \prec_{M(y,x)}\big) & \text{if } y \notin r \text{ and } x \notin r. \end{cases}$$
The result of a negation or a disjunction operation applied on DBMs
might not be convex anymore, and thus, cannot be represented as a single
DBM. That is why we introduce clock federations (or just federations) to
represent sets of DBMs. The set of all clock federations is $\mathcal{F} = 2^{\mathcal{Z}}$. The
convex operations on DBMs introduced above can be extended to federations
in a straightforward way. As all the operations are distributive with respect
to disjunction, for a federation f ∈ F , it suffices to perform a particular
operation on f just by applying the operation on the subsumed DBMs in f .
Semi-symbolic reachability analysis. As we assume a coarse abstrac-
tion of the exponential control structure of N , we employ the semi-symbolic
representation, where the set of reachable states R is represented as an ex-
plicit mapping of locations to clock federations. That is, R is a mapping
R : Q → F . We note that standard timed model checking tools such as
Kronos [Yovine, 1997] or Uppaal [Bengtsson et al., 1995, Behrmann et al.,
2004] are implemented based on this representation.⁴
For a federation f and an edge e = (q, d, ϕ, r, q′), the strongest timed postcondition of f after e is defined as
$$\mathit{Succ}_t(f, e) := \bigvee_{z \in f} \big((z \wedge \varphi)[r := 0]\big)^{\Uparrow} \wedge I(q').$$
⁴ To the best of the author's knowledge, without a symbolic treatment of the discrete state information.
For a given (abstract) timed automaton, Algorithm 2 computes the least
fixed point of Succt to obtain the set of forward reachable states based on a
semi-symbolic representation. In order to ensure termination, we implicitly
apply maximal constant widening [Behrmann et al., 2006] on the result of
Succt. In our case, such a widening exists as we only allow rectangular clock
constraints in the definition of our timed automata [Bouyer, 2003].
Algorithm 2 ReachForward(T): For a given timed automaton T = (Q, q0, Σ, E, I), the algorithm returns the forward reachable states of (q0, ~0) based on a semi-symbolic representation.
1: R := [ q0 ↦ ~0⇑ ]
2: Q := ∅
3: push(Q, q0)
4: while Q ≠ ∅ do
5:   q := pop(Q)
6:   for all e = (q, d, ϕ, r, q′) ∈ E with source location q do
7:     f := Succt(R[q], e)
8:     if f ⇏ R[q′] then
9:       R[q′] := R[q′] ∨ f
10:      push(Q, q′)
11:    end if
12:  end for
13: end while
14: return R
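The DBM operations defined above and the ReachForward loop of Algorithm 2, worked through in Python as an added example (this is not code from the thesis or from Synthia). It assumes bounds stored as (constant, non-strict) pairs, orders a strict bound below a non-strict one with the same constant (which is what the conjunction rule requires), omits the decision label on edges, and uses the classic maximal-constant extrapolation in place of the widening of Behrmann et al. [2006]; the two-clock automaton at the end is constructed for the example.

```python
"""Difference bound matrices and semi-symbolic forward reachability (Algorithm 2).
Added example, not the thesis's or Synthia's code. A bound is (c, nonstrict), with
nonstrict=True for '<=' and False for '<'. Clock index 0 is x0, which is always 0."""
from collections import deque

INF = (float("inf"), False)
ZERO = (0, True)
def add(b1, b2):                 # (c1,≺1) + (c2,≺2): non-strict only if both are
    return (b1[0] + b2[0], b1[1] and b2[1])
def leq(b1, b2):                 # tighter bound is smaller; '<' sorts below '<=' on ties
    return b1[0] < b2[0] or (b1[0] == b2[0] and (not b1[1] or b2[1]))

class DBM:
    """m[y][x] bounds y - x over X' = {x0} ∪ X; every instance is kept canonical."""
    def __init__(self, n, m=None):
        self.n = n                                       # |X'|, including x0
        self.m = m if m is not None else [[ZERO] * n for _ in range(n)]   # the zone ~0
        self.canonicalize()

    @classmethod
    def universe(cls, n):                                # only 'all clocks >= 0'
        return cls(n, [[ZERO if y == x or y == 0 else INF for x in range(n)] for y in range(n)])

    @classmethod
    def guard(cls, n, y, x, bound):                      # single constraint y - x ≺ c
        z = cls.universe(n)
        z.m[y][x] = bound
        return z.canonicalize()

    def canonicalize(self):                              # Floyd-Warshall closure, O(|X'|^3)
        m = self.m
        for k in range(self.n):
            for y in range(self.n):
                for x in range(self.n):
                    via = add(m[y][k], m[k][x])
                    if not leq(m[y][x], via):
                        m[y][x] = via
        return self

    def is_empty(self):                                  # a negative cycle shows on the diagonal
        return any(not leq(ZERO, self.m[i][i]) for i in range(self.n))

    def subsumed_by(self, other):                        # z ⇒ z': pointwise, both canonical
        return self.is_empty() or all(leq(self.m[y][x], other.m[y][x])
                                      for y in range(self.n) for x in range(self.n))

    def conj(self, other):                               # M ∧ N: tighter bound, '<' wins ties
        return DBM(self.n, [[a if leq(a, b) else b for a, b in zip(ra, rb)]
                            for ra, rb in zip(self.m, other.m)])

    def future(self):                                    # M⇑: drop every upper bound y - x0
        m = [row[:] for row in self.m]
        for y in range(1, self.n):
            m[y][0] = INF
        return DBM(self.n, m)

    def reset(self, r):                                  # M[r := 0]: the four cases of the page
        return DBM(self.n, [[ZERO if y in r and x in r else self.m[0][x] if y in r
                             else self.m[y][0] if x in r else self.m[y][x]
                             for x in range(self.n)] for y in range(self.n)])

    def extrapolate(self, k):                            # maximal-constant widening (termination)
        return DBM(self.n, [[INF if c > k else (-k, False) if c < -k else (c, s)
                             for c, s in row] for row in self.m])

def succ_t(f, edge, inv):        # Succt(f, e) = ∨_z ((z ∧ ϕ)[r := 0])⇑ ∧ I(q'); empty zones dropped
    _, phi, r, q2 = edge         # edges are (source, guard DBM, reset set, target); no decision label
    zs = [z.conj(phi).reset(r).future().conj(inv[q2]) for z in f]
    return [z for z in zs if not z.is_empty()]

def implies(f, g):               # f ⇒ g, checked zone by zone (sufficient, as zone tools do)
    return all(any(z.subsumed_by(w) for w in g) for z in f)

def reach_forward(ta):
    """Algorithm 2 (ReachForward): least fixed point of succ_t as a map location -> federation."""
    n, q0, edges, inv, k = ta
    R, queue = {q0: [DBM(n).future()]}, deque([q0])      # R := [q0 -> ~0⇑]
    while queue:
        q = queue.popleft()
        for e in (e for e in edges if e[0] == q):
            f = [z.extrapolate(k) for z in succ_t(R[q], e, inv)]
            new = [z for z in f if not implies([z], R.get(e[3], []))]   # the part of f not in R[q']
            if new:                                      # f ⇏ R[q']: R[q'] := R[q'] ∨ f, push q'
                R.setdefault(e[3], []).extend(new)
                queue.append(e[3])
    return R

def example(c_bound):
    """Constructed automaton, clocks x=1, y=2: A -x:=0-> B -x<2-> C, inv(C): x <= c_bound,
    C -x>4-> bad, C -x:=0-> A.  Location bad is unreachable exactly when c_bound <= 4."""
    n, true = 3, DBM.universe(3)
    edges = [("A", true, {1}, "B"),
             ("B", DBM.guard(n, 1, 0, (2, False)), set(), "C"),     # x - x0 < 2
             ("C", DBM.guard(n, 0, 1, (-4, False)), set(), "bad"),  # x0 - x < -4, i.e. x > 4
             ("C", true, {1}, "A")]
    inv = {"A": true, "B": true, "C": DBM.guard(n, 1, 0, (c_bound, True)), "bad": true}
    return n, "A", edges, inv, max(4, c_bound)

if __name__ == "__main__":
    for c in (3, 5):
        print(f"inv(C): x <= {c}  ->  bad reachable: {'bad' in reach_forward(example(c))}")
```

With the invariant x ≤ 3 at C the guard x > 4 yields an empty DBM (negative diagonal after canonicalization) and bad is never entered; with x ≤ 5 it is reached, and the loop C → A shows the fixed-point check adding a second, wider zone to R[A].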
The weakest timed precondition of f before e is defined as
$$\mathit{Pred}_t(f, e) := \bigvee_{z \in f} \big(\exists r : (z \wedge (r = 0) \wedge \varphi)\big)^{\Downarrow}.$$
Algorithm 3 computes the least fixed point of Predt to obtain the set of backward reachable states based on a semi-symbolic representation.
Algorithm 3 ReachBackward(T, qb): For a given timed automaton T = (Q, q0, Σ, E, I) and a location qb ∈ Q, the algorithm returns the backward reachable states of (qb, true) based on a semi-symbolic representation.
1: R := [ qb ↦ true ]
2: Q := ∅
3: push(Q, qb)
4: while Q ≠ ∅ do
5:   q′ := pop(Q)
6:   for all e = (q, d, ϕ, r, q′) ∈ E with target location q′ do
7:     f := Predt(R[q′], e)
8:     if f ⇏ R[q] then
9:       R[q] := R[q] ∨ f
10:      push(Q, q)
11:    end if
12:  end for
13: end while
14: return R
9.2.5 Local Refinement
Refining our syntactic abstractions corresponds to selecting a set of locations and splitting the partitions in Π according to this set. Clearly, any refinement that increases Π would ensure progress and would ultimately lead to the most precise partitioning whose elements are the singleton sets of the concrete locations of N. However, in this section, we propose a refinement heuristic that is guided by the current approximations of the reachable states, which has proven effective in practice.
For a partitioning Π, an edge relation of a may quotient $E_{may}$, an overapproximation of the forward reachable states $R_f$, and an underapproximation of the backward reachable states $R_b$, where $R = R_f \wedge R_b \not\equiv \mathit{false}$, we define the refinement of Π as the function $\mathit{Refine}(\Pi, T_{may}, T_{must}, R_f, R_b)$. We pick some e = (π, d, ϕ, r, π′) from $E_{may}$ such that
$$\big(\mathit{Pred}_t(R[\pi'], e) \wedge R_f[\pi]\big) \not\equiv \mathit{false} \quad\text{and}\quad \mathit{Pred}_t(R[\pi'], e) \not\Rightarrow R_b[\pi].$$
Then, the refinement is defined as
$$\mathit{Refine}(\Pi, T_{may}, T_{must}, R_f, R_b) := (\pi) \wedge \mathit{Pred}_b((\pi')', e).$$
Note that this kind of refinement can be seen as a precise backward
propagation of the bad states that is guided by an overapproximated for-
ward analysis. This resembles the on-the-fly algorithm proposed by Cassez
et al. [2005] for computing winning strategies in timed games. However, the
crucial improvement of the approach presented here is that both locations
and clock values are represented symbolically.
9.2.6 Abstraction Refinement
The core part of our combination approach is the abstraction refinement
loop shown as Algorithm 4.
Algorithm 4 Reachable(N, B): The algorithm decides whether a set of timed states B is reachable in a network of timed automata N, where ~q0 is the global initial location of N.
1: Π := $\Pi_0^{\mathcal N}$
2: Tmay := ⌈N/Π⌉
3: Tmust := ⌊N/Π⌋
4: while true do
5:   Rb := ReachBackward(Tmust, qb)
6:   if (~q0, ~0) ∈ Rb then
7:     return true
8:   end if
9:   Rf := ReachForward(Tmay)
10:  if Rf ∧ Rb ≡ false then
11:    return false
12:  end if
13:  Π := Refine(Π, Tmay, Tmust, Rf, Rb)
14: end while
In Lines 1–3, Reachable first initializes the partitioning Π and constructs the initial abstractions Tmay and Tmust with respect to Π. Then, in the actual loop, in Line 5, Reachable computes an underapproximation of the backward reachable states Rb by running Algorithm 3 on Tmust. At this point, in Line 6, we check whether the initial state of N is already contained in the underapproximation. If this is the case, we terminate the loop and report that some of the bad states are reachable. Otherwise, we continue and, in Line 9, we compute an overapproximation of the forward reachable states Rf by running Algorithm 2 on Tmay. During this analysis, if no state from Rb is visited, we terminate the loop and report that no bad state is reachable. If neither reachability nor unreachability can be established, we refine Π and continue the loop.
Note that, instead of underapproximating the backward reachable states
while using an overapproximation of the forward reachable states for guiding
the refinement, Algorithm 4 can also be dualized such that the forward
reachable states are underapproximated while an overapproximation of the
backward reachable states is used to guide the forward refinement.
9.2.7 Optimizations
Precomputational discrete analysis. The symbolic treatment of the
locations allows us to apply computationally cheap but effective optimiza-
tions based on pure discrete analyses of the control structure of N . For
instance, we can restrict the locations in the partitioning Π in Algorithm 4
only to those locations which are both forward reachable from the initial
locations and backward reachable from the bad locations.
Also, before constructing the initial abstraction, we can enlarge the set of bad locations by those locations from which a bad state is discretely reachable. More precisely, each edge e = (q, d, ϕ, r, q′), for which
$$\mathit{Pred}_t(\mathit{true}, e) \equiv \mathit{true},$$
can be used to identify additional bad locations. Figure 9.2 shows an example.
[Figure 9.2: location q with an outgoing edge guarded by x > 2]
Figure 9.2: Location q can be added to the bad locations.
Reusing approximations. Whenever a timed state appears in an un-
derapproximation of the reachable states, then it is certainly contained in
the precisely reachable states. During the refinement, when splitting a partition π into finer partitions π1 and π2, we can exploit this fact and let π1 and π2 inherit the underapproximation of the reachable states for π. Also, we
can reuse the underapproximation of all other locations of the abstraction.
For overapproximations, however, one has to be more careful. When a
refinement changes the structure of the abstractions, we can only reuse the
overapproximation for those locations that are not reachable from those lo-
cations affected by the refinement. The overapproximations for the locations
reachable from the changed locations need to be discarded.
Lazy constraints. In case N exhibits exponentially many distinct clock guards (see Section 10.1.1 on Page 137 for such a scenario), in order to avoid the up-front explosion in the construction of Tmay, one can approximate the guards of its edges. Recall from Section 9.2.2 that the global edge relation ∆ is defined as a CNF of polynomial size. When constructing Tmay, for connecting two abstract locations π1 and π2, one first computes
$$(e) \equiv \Delta \wedge (\pi_1) \wedge (\pi_2)'.$$
Now, for some clock resets r, instead of computing the precise guard
$$\varphi \equiv \bigvee_{i=1}^{k} \varphi_i$$
by enumerating all k combinations of clock guards $\varphi_i$, for which $\varphi_i \not\equiv \mathit{false}$ and $\big((e) \wedge (\varphi_i)^c \wedge (r)^r\big) \not\equiv \mathit{false}$, one can obtain a structurally simpler but approximate guard ϕ′ ⇐ ϕ just by omitting some clauses in (e) interpreted as CNF.
9.3 Bibliographic Remarks
Symbolic data structures. The efficiency of an analysis algorithm for
timed automata strongly depends on the way in which the state space is
represented. In the last two decades, several techniques to represent state
spaces that consist of a discrete and a continuous part were proposed. These
techniques can broadly be classified into two categories: semi-symbolic and
fully symbolic approaches [Henzinger et al., 1994, Seshia and Bryant, 2003].
A semi-symbolic state space representation completely focuses on effi-
ciently representing and manipulating sets of clock values, while leaving
the discrete state information explicit. Kronos [Yovine, 1997] and Up-
paal [Bengtsson et al., 1995, Behrmann et al., 2004] are the oldest and
most prominent representatives of this approach that use difference bound
matrices [Dill, 1989] to implement (a heuristic variant of) the zone-based
reachability algorithm [Henzinger et al., 1994, Alur, 1999]. Instead of a
matrix-based representation of clock zones, Larsen et al. [1997] investigated
the use of weighted directed graphs to store only a minimal set of constraints.
A first approach towards a diagram-based representation that also in-
corporates discrete state information was given by Asarin et al. [1997], who
used BDDs to encode sets of clock valuations as numerical decision diagrams
using a discretization scheme based on region equivalence. Similarly, Bozga
et al. [1997] approximated the precise clock values to discrete time steps,
resulting in a pure discrete semantics allowing a state space representation
using a single BDD. In the same spirit, based on closed timed automata,
a restricted form of classical timed automata where only nonstrict clock
constraints are allowed, Beyer [2001] introduced an integer semantics where
clock values and location information can be represented jointly in a sin-
gle BDD. The latter approach was implemented in the Rabbit tool [Beyer
et al., 2003]. Besides the fact that the performance of such pure BDD-based
approaches is very sensitive to the magnitude of the clocks, it has been observed
that the BDDs can blow up significantly due to interdependencies in
the timing behavior of the system.
Seshia and Bryant [2003] solved the TCTL model checking problem by
representing sets of states by difference logic formulas which, in turn, are
represented as BDDs using a binary encoding. The clock differences that
need to be tracked in the fixed-point computation are encoded in so-called
transitivity constraints, which are added on-the-fly during the model check-
ing process. Even though they added some specialized optimizations for
this case, the experimental results are inconclusive. Møller et al. [1999] in-
troduced difference decision diagrams, a BDD-like data structure in which
each diagram node is labeled with a difference constraint. Here, the Boolean
constraints, represented as special differences, are interleaved with the clock
constraints in the diagram structure. Larsen et al. [1999], Behrmann et al.
[1999b] proposed clock difference diagrams (CDDs), a more space-efficient
data structure, which benefits from sharing clock constraints for several clock
zones. CDDs store intervals of clock valuations in a BDD-like structure as
a rooted, directed, and acyclic graph. As a further extension, Wang [2004]
proposed clock restriction diagrams (CRDs), in which the disjointness re-
quirement is dropped. In contrast to CDDs, CRDs only store upper bounds
of clock differences. Location information is added to CRDs by adding Boo-
lean variable nodes. Recently, Morbé et al. [2011] proposed and-inverter
graphs with linear constraints as a diagram-based data structure to perform
a fully symbolic reachability analysis of timed automata.
Yamane and Nakamura [2004] combined DBMs with BDDs for imple-
menting an approximation technique proposed by Dill and Wong-Toi [1995].
More recently, Ehlers et al. [2010b] introduced a model checking approach
based on clock zone maps, where clock zones, represented as DBMs, are
mapped onto sets of locations, represented as BDDs. As a continuation of
the latter approach, Ehlers et al. [2010a] introduced constraint matrix dia-
grams, a diagram-based data structure that generalizes CDDs, CRDs, and
DBMs.
Abstraction refinement. Möller et al. [2002] investigated the theoretical
foundations of applying predicate abstraction [Graf and Saïdi, 1997] for
model checking dense real-time systems against µ-calculus specifications.
The basic principle of counterexample-guided abstraction refinement (the
so-called CEGAR approach) is due to Clarke et al. [2003]. From a more
applied perspective, Dierks et al. [2007] proposed an abstraction refinement
technique for PLC automata, a subclass of timed automata. Peter and
Mattmüller [2009] presented a component-based abstraction refinement approach
for timed controller synthesis (where reachability checking is a special
case), which can be seen as a timed extension of the compositional analysis
approach for pure discrete systems by Behrmann et al. [1999a]. The combi-
nation approach based on abstraction refinement, which is presented in this
chapter, was introduced by Ehlers et al. [2010c] for timed games and im-
plemented in the tool Synthia [Peter et al., 2011]. The idea of using fixed
point approximations to guide a refinement was independently developed by
Ganty et al. [2010] for purely discrete alternating automata.
Chapter 10
Experimental Evaluation
In this chapter, we report on the tool Synthia¹ and an experimental eval-
uation of the techniques presented in the previous two chapters.
10.1 Efficiency Considerations
Before we come to the actual experimental evaluation, we first discuss more
generally in which cases the combination approach from the last chapter pays
off and where it does not. We fix a given network of timed automata N .
10.1.1 Bad Cases
The number of edges in Tmay , and therefore also the efficiency of the whole
approach, depends on the number of distinct clock guard/reset pairs k (re-
call from Section 9.1 that k is exponential in the bandwidth of the com-
munication interface between the control and the timed part). Clearly, k is
bounded by the number of synchronized discrete steps the components in N
can jointly take. If N does not have any synchronization at all, k is bounded
by the number of edges of all components (i.e., k is polynomial). If, on the
other hand, all components share some common synchronization events, and
the components’ control structures are discretely nondeterministic, k can be
exponential in the number of the components. Figure 10.1 depicts such a
situation.
However, for realistic examples, a more natural assumption is that the
number of possible nondeterministic synchronizations in N is bounded (e.g.,
if at most a constant number of components synchronize on a shared deci-
sion).
¹ Synthia has been published in [Peter et al., 2011].
[Figure 10.1: n parallel components, each with two edges labelled with the decision d, one carrying x_i > 0 and the other x_i = 0, for i = 1, . . . , n]
Figure 10.1: A network of timed automata with an exponential number of distinct clock guard/reset pairs.
10.1.2 Good Cases
Our combination approach based on abstraction refinement greatly unfolds
its potential whenever we can identify irrelevant parts of the control struc-
ture of N in an early (and therefore coarse) abstraction. Such a situation is
shown in Figure 10.2.
[Figure 10.2: abstract locations A, B, C, D, E with edge labels x := 0, x < 2, x > 4, x < 7, and x ≤ 10]
Figure 10.2: An abstract timed automaton with may and must edges, drawn as dashed and solid lines, respectively. The abstract locations C and E can be completely ignored, as both can be identified as not contributing to the backward reachable states at D.
In this example, the underapproximation of the backward reachable
states for location B is x ≤ 10, and for D it is x < 2. The only incoming
edge to D is from location A and resets x. Hence, the successor states
after executing that edge are always subsumed by the underapproximation
at D. Consequently, no further refinement beyond D is necessary anymore
as we can conclude that location C does not contribute to the forward reach-
ability of some bad state. Observe that a pure propagation-based approach
that just incrementally computes the set of forward or backward reachable
states would not be capable of identifying C and E as being redundant.
10.2 The Tool Synthia
We now present the tool Synthia, which we will use as a basis for our
experimental evaluation.
Synthia is the first certifying model checker for open real-time systems
modeled as networks of timed automata. The key innovation of Synthia
is its ability to justify why a given system is correct by providing a correct-
ness certificate to the user. Such certificates are easy-to-validate deductive
proofs that only reflect the specification-critical properties of the system.
Synthia can also handle partially implemented systems, in which case it
certifies their realizability by synthesizing reference implementations for the
unimplemented parts.
Synthia’s core algorithm is the abstraction refinement approach pre-
sented in Chapter 9 that combines binary decision diagrams with differ-
ence bound matrices. The synthesized correctness certificates are the final
syntactic abstractions exported as timed automata. As an extension, the
template-based synthesis approach from Chapter 8 is available as a special-
ized refinement strategy.
10.2.1 Availability and Usage
Synthia is licensed under the GNU General Public License and available
for download at
http://react.cs.uni-saarland.de/tools/synthia.
Providing a comprehensive reference manual for Synthia is out of the
scope of this thesis. Instead, some standard usage scenarios are presented.
A detailed description of the command line parameters, the file format, as
well as a step-by-step tutorial can be found on the tool’s website.
A specification is given in form of an XML file and essentially contains
a plant model with requirements. Assuming that fischer.xml represents a
specification, then the simplest way to execute Synthia is the following:
$ synthia fischer.xml
This lets Synthia check whether the given model satisfies its requirements,
both specified in fischer.xml. Specifications can have parameters with
default values which can be overridden using the -D command line argument:
-Dprocesses:2 -Ddelay:23 -Dtimeout:42
Requirements are given as conjunctions of assumptions and guarantees. A
system does not satisfy its requirements if (1) there is a trace that eventu-
ally violates the guarantees, and (2) each prefix of that trace satisfies the
assumptions. For example, the following lines of an XML specification file
encode a requirement describing a location invariant and a bounded reach-
ability guarantee:
<assume>
in(loc) imply (x <= {delay})
</assume>
<guarantee>
(not in(goal)) imply (y <= {timeout})
</guarantee>
In addition to its model checking capabilities, Synthia can also be
used as a synthesis tool to generate controllers for open plants modeled as
timed game automata. For example, to let Synthia synthesize a controller
for a partially specified plant given in fischer.xml, the following command
line parameters can be used:
$ synthia robot.xml --synth-cont controller.xml
$ synthia robot.xml --synth-cont-plant controlled_plant.xml
The former call generates a model (in the Synthia file format) that only
comprises the controller, while the latter generates a model where the syn-
thesized controller is embedded into the original plant.
10.2.2 Implementation Details
Synthia is written in C++ and uses, besides some standard Boost libraries,
the CUDD BDD library [Somenzi, 2009] for representing transition relations
and sets of locations, as well as the Uppaal DBM library [David, 2011] for
representing and manipulating clock zones / federations.
After parsing the specification, as explained in Section 9.2 on Page 125,
Synthia constructs a BDD-based representation of the control structure
and sets up the initial abstraction. Synthia’s main analysis procedure
is essentially based on Algorithm 4 with the optimizations proposed in
Section 9.2.7. In case a controller is to be generated for an open plant, instead
of computing the backward reachable states, Synthia computes the set of
winning states (the so-called attractor set [Gra¨del et al., 2002]) of the reach-
ability player (representing the hostile environment that tries to violate the
guarantees) and deduces a safety controller.
10.3 Model Checking
This section presents the results of an experimental evaluation of Synthia
performing model checking. We compare Synthia’s performance with the
model checker Uppaal [Behrmann et al., 2004].
10.3.1 Benchmarks
To assess the practical efficiency of the combination approach from Chap-
ter 9, we have chosen standard benchmarks from the literature that exhibit
both timed and concurrent behavior as two independent sources of suc-
cinctness. While Fischer’s mutual exclusion protocol and the carrier sense,
multiple access with collision detection protocol are such benchmarks consist-
ing of many concurrent processes running asynchronously, we also consider
the gear production stack as a benchmark that is more representative for
sequential real-time systems.
Fischer’s mutual exclusion protocol. This is a standard benchmark
(Fischer) from the real-time verification community devised by Michael Fis-
cher [see Abadi and Lamport, 1991, for a detailed description]. It models
a distributed mutual exclusion protocol, in which asynchronous processes
access a common resource. Each process has a unique nonzero number. The
processes communicate via a single shared variable id , which ranges over the
various process numbers and 0. Before a particular process p accesses the
resource, it checks whether id = 0. If this is the case, p nondeterministically
waits at most D time units before it sets id to its own number j. If, after T
more time units, id still equals j, p accesses the resource. When p releases
the resource again, it sets id to zero.
The processes are parametrized in D and T . The size of a benchmark
instance is measured in the number of processes. We check the safety prop-
erty, whether it is possible that any two processes access the resource at the
same time.
Carrier sense, multiple access with collision detection protocol.
This benchmark (CSMA/CD) stems from a case study, where a commu-
nication protocol for a distributed network of stations communicating over
a shared bus is modeled. Whenever a particular station has data to send
and the bus is idle (i.e., no other station is transmitting), the station begins
sending its message. If, on the other hand, the bus is busy, the station waits
a nondeterministic amount of time until it retries sending a message. In
case a collision occurs (because several stations transmit simultaneously),
all transmissions are aborted and, after a nondeterministic amount of time,
each station tries to transmit its message again.
The original model on which this benchmark is based was given by Yovine
[1997]. In our evaluation, we use the version due to Möller [2001]. The size
of a benchmark instance is measured in the number of stations. We check
the safety property, whether a particular station A detects a collision timely
when another station B is simultaneously transmitting.
Gear production stack. This case study (GPS) represents a manufac-
turing plant that consists of communicating processing stations for work-
pieces [Finkbeiner et al., 2008]. Whenever a workpiece is loaded into the
plant, it gets processed by each station in a sequential manner. In principle,
the stations, where each is specialized in a certain treatment of the work-
piece, run asynchronously. However, they synchronize with their predecessor
station, whenever they receive the workpiece.
The size of a benchmark instance is measured in the number of stations.
We check the bounded liveness property whether workpieces are always pro-
cessed within a certain amount of time.
10.3.2 Results
We now present the actual experimental results of the comparison of the per-
formance of Synthia version 1.2.1 against Uppaal version 4.1.4 running on
the benchmarks described in the previous section. Synthia was compiled
using GCC version 4.4.3. We executed Uppaal with various combinations
of command line options and have chosen the best one for the comparison:
For all safe instances (where the bad state is unreachable), we either used no
command line options (default mode), ‘-C’ (disable most memory reduction
techniques), ‘-S2’ (optimize space consumption), or ‘-C -S2’. For all un-
safe instances (where the bad state is reachable), we additionally executed
Uppaal with the ‘-o1’ command line option (perform a depth-first search).
Running times are given in seconds and the memory consumptions are
given in MB. The time limit was set to 2 hours, and the memory limit was
set to 4 GB. All experiments were conducted on a 2.6 GHz AMD Opteron
computer running Ubuntu 10.04.
A direct comparison of the running times of Synthia and Uppaal run-
ning on Fischer with safe timing parameters is shown in Figure 10.3. As one
can see, Synthia clearly outperforms Uppaal by several orders of magni-
tude. The reason for this tremendous gain in efficiency is the effectiveness
of Synthia's abstraction refinement algorithm. As shown in Figure 10.4,
Synthia produces abstractions of only quadratic size, which are already
sufficient to establish the unreachability of the bad state.
Figure 10.3: Comparison of the running times of Synthia and Uppaal
running on Fischer with safe timing parameters. (Plot: running time [sec]
on a logarithmic scale from 10^0 to 10^4 against Fischer instance size
[processes] from 10 to 45; series: Synthia, Uppaal.)
Also interesting is that there is only a moderate increase in the mem-
ory consumption of Synthia for larger instances of Fischer, as shown in
Figure 10.5. The small oscillation effect (i.e., the fact that some smaller
instances have a higher memory consumption than some larger ones) is
caused by the variable reordering and caching heuristics of the CUDD li-
brary. This BDD-related phenomenon is also observable in other contexts
[see, e.g., Bloem et al., 2007].
The picture changes when we look at those instances of Fischer where
the bad state is reachable (obtained by modeling the last process with an
unsafe timing behavior). In this case, thanks to its capability to perform
a depth-first search (manually enabled using the -o1 option), Uppaal detects
the error in the model much faster than Synthia's abstraction refinement
algorithm. However, sometimes (e.g., for 40 or especially 70 processes) Up-
paal's internal search heuristics fail to find the bad state quickly.
Table 10.1 shows a detailed summary of the experimental results for
Fischer. From left to right, the columns show the size of the instance in
terms of processes, whether it was an unsafe or safe instance, the number
of refinement steps Synthia needed to produce the final abstraction, whose
size in terms of locations is shown in the next column, the running time and
memory consumption of Synthia, the command line arguments for which
Uppaal showed the best results, the number of states Uppaal explored,
and the running time and memory consumption of Uppaal.
Figure 10.4: Size of the final abstraction generated by Synthia for Fischer
with safe timing parameters. (Plot: final abstraction size [loc] on a
logarithmic scale from 10^2 to 10^3 against Fischer instance size [processes]
from 10 to 45; series: Synthia.)
Figure 10.6 shows the comparison of the running times of Synthia and
Uppaal on CSMA/CD. While both tools suffer from an exponential blow-up
in the number of stations, the increase in Synthia's running time is far less
dramatic than the increase for Uppaal. This gain in efficiency is, again,
due to the effectiveness of the abstraction refinement algorithm: as shown
in Table 10.2 (which is structured analogously to Table 10.1), after only
4 refinement steps, Synthia finds a sufficiently precise abstraction with
only 5 locations, independent of the size of the instance. The blow-up that
still occurs is due to the exponential number of distinct guard/reset pairs.
The results for GPS are shown in Table 10.3 (which is structured analo-
gously to Table 10.1). In the unsafe instances, we choose a time bound,
within which the workpieces must be processed by the stations, that is too
short. As for Fischer, in these cases, where the bad state is reachable, manu-
ally setting Uppaal into depth-first search mode yields the best results. For
the safe instances, however, Synthia already detects the unreachability of
the bad state in the (optimized) initial abstraction, which allows it to analyze
instances with more than 300 stations.
Figure 10.5: Memory consumption of Synthia running on Fischer with
safe timing parameters. (Plot: memory consumption [MB] on a logarithmic
scale from 10^2 to 10^2.8 against Fischer instance size [processes] from 10
to 45; series: Synthia.)
Figure 10.6: Running time comparison between Synthia and Uppaal for
the CSMA/CD protocol. (Plot: running time [sec] on a logarithmic scale
from 10^0 to 10^4 against CSMA/CD instance size [stations] from 10 to 22;
series: Synthia, Uppaal.)
            Synthia                          Uppaal
Size  Safe  Steps  Abs   Time [s]  Mem [MB]  Mode     States     Time [s]  Mem [MB]
15    No    16     19    3         82        -o1      166        1         24
20    No    28     31    5         100       -o1      8          0         6
25    No    38     41    14        109       -o1      8          1         6
30    No    50     53    41        215       -o1      1648       1         28
35    No    60     63    91        218       -o1      239        1         28
40    No    72     75    181       363       -o1      60803      137       194
45    No    82     85    255       390       -o1      209        2         31
50    No    94     97    1247      650       -o1      224        1         33
55    No    104    107   1263      744       -o1      36         1         33
60    No    116    119   2563      1286      -o1      334        4         38
65    No    126    129   5029      1286      -o1      180        3         39
69    No    TIMEOUT                          -o1      690        7         46
70    No    TIMEOUT                          MEMOUT
71    No    TIMEOUT                          -o1      735        11        45
72    No    TIMEOUT                          -o1      7          1         40
10    Yes   100    103   2         82        -C -S2   836128     23        51
11    Yes   121    124   2         83        -C -S2   2752774    88        108
12    Yes   144    147   3         84        -C -S2   8985344    339       351
13    Yes   169    172   4         86        -C -S2   29122758   1282      1127
14    Yes   196    199   5         88        -C -S2   93835680   4732      3501
15    Yes   225    228   7         91        MEMOUT
16    Yes   256    259   11        100       MEMOUT
17    Yes   289    292   13        105       MEMOUT
18    Yes   324    327   17        107       MEMOUT
19    Yes   361    364   25        109       MEMOUT
20    Yes   400    403   32        111       MEMOUT
25    Yes   625    628   127       154       MEMOUT
30    Yes   900    903   384       222       MEMOUT
35    Yes   1225   1228  1101      383       MEMOUT
45    Yes   2025   2028  5440      729       MEMOUT
46    Yes   2116   2119  6732      750       MEMOUT
47    Yes   TIMEOUT                          MEMOUT
Table 10.1: Overview of the experimental results of Synthia and Uppaal
running on Fischer. Mode: Uppaal command line options yielding the best
result; TIMEOUT/MEMOUT: the 2 hour time limit or the 4 GB memory
limit was exceeded.
            Synthia                          Uppaal
Size  Safe  Steps  Abs   Time [s]  Mem [MB]  Mode     States     Time [s]  Mem [MB]
10    Yes   4      5     0         21        -C       123140     3         30
11    Yes   4      5     1         81        -C       316420     9         73
12    Yes   4      5     1         81        -C -S2   797700     23        164
13    Yes   4      5     1         84        -C       1978372    65        424
14    Yes   4      5     2         94        -C       4837380    169       1052
15    Yes   4      5     5         115       -C -S2   11681796   442       2639
16    Yes   4      5     6         156       default  27901956   1295      3073
17    Yes   4      5     15        247       MEMOUT
18    Yes   4      5     44        438       MEMOUT
19    Yes   4      5     125       870       MEMOUT
20    Yes   4      5     348       1784      MEMOUT
21    Yes   4      5     1147      3781      MEMOUT
22    Yes   MEMOUT                           MEMOUT
Table 10.2: Overview of the experimental results of Synthia and Uppaal
running on CSMA/CD (columns as in Table 10.1; "default" means that no
command line options were given).
            Synthia                          Uppaal
Size  Safe  Steps  Abs   Time [s]  Mem [MB]  Mode     States     Time [s]  Mem [MB]
25    No    52     29    2         82        -o1      49         1         6
30    No    62     34    4         84        -o1      59         0         6
35    No    72     39    10        86        -o1      69         1         6
40    No    82     44    19        98        -o1      79         0         6
45    No    92     49    35        107       -o1      89         1         6
50    No    102    54    62        103       -o1      99         0         6
75    No    152    79    600       145       -o1      149        1         6
100   No    202    104   3072      225       -o1      199        0         6
125   No    TIMEOUT                          -o1      249        1         6
150   No    TIMEOUT                          -o1      299        2         39
13    Yes   0      3     1         53        default  69632      2         27
14    Yes   0      3     1         53        -C       147456     4         31
15    Yes   0      3     1         53        -C       311296     9         57
16    Yes   0      3     1         53        -C       655360     21        92
17    Yes   0      3     1         53        -C -S2   1376274    51        193
18    Yes   0      3     1         53        -C -S2   2883603    118       401
19    Yes   0      3     1         53        -C       6029312    275       848
20    Yes   0      3     1         21        -C -S2   12582933   626       1796
21    Yes   0      3     1         53        -C       26214400   1467      3834
22    Yes   0      3     1         53        MEMOUT
23    Yes   0      3     1         53        MEMOUT
24    Yes   0      3     1         53        MEMOUT
25    Yes   0      3     1         53        MEMOUT
50    Yes   0      3     4         89        MEMOUT
75    Yes   0      3     16        118       MEMOUT
100   Yes   0      3     55        159       MEMOUT
150   Yes   0      3     282       282       TIMEOUT
200   Yes   0      3     1033      450       TIMEOUT
250   Yes   0      3     3178      758       TIMEOUT
300   Yes   0      3     6751      1058      TIMEOUT
350   Yes   TIMEOUT                          TIMEOUT
Table 10.3: Overview of the experimental results of Synthia and Uppaal
running on GPS (columns as in Table 10.1; "default" means that no command
line options were given).
10.4 Template-based Synthesis
The template-based synthesis algorithm from Chapter 8 (i.e., the Focus
Abstraction) is realized as a specialized refinement procedure for Synthia’s
standard abstraction refinement loop. Whenever an edge for refinement
is found, we identify the parameter valuations associated with that edge
and split the global abstraction with these valuations. In the subsequent
refinement step, we focus (i.e., we restrict the forward exploration) on the
identified parameters of the last refinement.
This section presents the results of an experimental evaluation of Syn-
thia performing template-based synthesis. We compare Synthia’s perfor-
mance with the controller synthesis tool Uppaal-Tiga [Behrmann et al.,
2007].
10.4.1 Benchmarks
As synthesis benchmarks, we have chosen standard examples from control
theory.
Chinese juggler. In the Chinese juggler benchmark [Larsen et al., 2004],
a performer needs to stabilize spinning plates to prevent them from falling.
After a certain amount of time has passed since a plate was stabilized, it
can nondeterministically become unstable. If no restabilization takes place,
it ultimately falls down. The plates have different sizes and, hence, different
times to become unstable. It takes the performer one time unit to stabilize
a certain plate. During that time, he cannot stabilize another plate. The
controller synthesis task consists of finding a safe strategy for the performer
such that no plate will ever fall down.
The benchmark size is parametrized in the number of plates n. For
the template-based synthesis, we use a generic cyclic-executive template
(see Section 8.1) with n phases. In each step of the cyclic execution, the
controller decides which plate should be stabilized next.
Dam controller. In the dam controller benchmark, depicted in Fig-
ure 10.7, a controller is to be synthesized that determines the speed of the
inflow to a dam. The controller can either stop the inflow or choose between
a slow or a fast inflow speed. The bounded reachability requirement is that
the fill level should reach a certain value between a minimal and maximal
bound. While a fast speed might reach the desired fill level more quickly,
the variance of the actual inflow is larger so that the maximal level might
be exceeded. On the other hand, being in slow mode, it takes longer to
reach the desired fill level, but the variance is not so high so that it is always
possible to exactly reach a desired fill level. Thus, being in one mode all the
time is not feasible, since a feasible controller must alternate between fast
and slow at least once to fulfill the requirement.
The benchmark size is parametrized in the degree of precision to which
the fill level and the inflow amount are digitized. For the template-based
synthesis, we use a controller template that models a two-phase program:
in the first phase, a certain inflow speed is set until a threshold of the
current fill level is passed. Then, the controller enters the second phase with
a possibly different speed. The controller stops as soon as the desired fill level
is reached. The first and the second speed, as well as the phase-switching
threshold, are parameters for which feasible instantiations are to be found.
Figure 10.7: The Dam Controller benchmark. (a) Principle setting: inflow,
outflow, and level of the dam. (b) Provided template: the plant and the
two-phase program, communicating via outflow and level; the template's
edges carry the labels z ≤ 1, z := 0, level < ?, outflow := ?, and level ≥ ?,
where each ? stands for a parameter to be instantiated.
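To make the template-based synthesis idea behind the Dam Controller (and, by the same enumerate-and-model-check principle, the Chinese juggler's cyclic-executive template) concrete, here is a constructed Python illustration; it is added here, it is not Synthia's code, and it uses brute-force enumeration of the template parameters rather than the Focus Abstraction of Chapter 8. The plant parameters (start level 0, target window [10, 11], time bound 7, slow inflow exactly 1 and fast inflow 2 or 3 per time unit) are assumptions chosen so that, as the text states, no single-mode controller is feasible.

```python
from itertools import product

# Constructed plant parameters for the illustration (assumed values, not
# taken from the thesis): the fill level is digitized to integers, the dam
# starts empty, and the controller must bring the level into the window
# [TARGET_LO, TARGET_HI] within TIME_BOUND time units without ever
# exceeding TARGET_HI (bounded reachability requirement).
START_LEVEL = 0
TARGET_LO, TARGET_HI = 10, 11
TIME_BOUND = 7
# Inflow per time unit: slow mode is exact, fast mode has a variance of one.
INFLOW = {"slow": (1,), "fast": (2, 3)}
SPEEDS = ("slow", "fast")


def two_phase_controller(speed1, speed2, threshold):
    """One instantiation of the two-phase template: run at speed1 until the
    fill level passes threshold, then run at speed2 until the target is hit."""
    def choose_speed(level):
        return speed1 if level < threshold else speed2
    return choose_speed


def find_violating_run(controller, level=START_LEVEL, steps=0, run=()):
    """Model check one instantiation by exhaustive depth-first exploration of
    the plant's nondeterministic inflow. Returns a run (sequence of fill
    levels) that violates the requirement, or None if every run reaches the
    target window in time without overshooting."""
    run = run + (level,)
    if TARGET_LO <= level <= TARGET_HI:
        return None                  # controller stops: requirement met
    if level > TARGET_HI or steps >= TIME_BOUND:
        return run                   # overshoot, or time bound exhausted
    for inflow in INFLOW[controller(level)]:
        bad = find_violating_run(controller, level + inflow, steps + 1, run)
        if bad is not None:
            return bad
    return None


def synthesize_two_phase():
    """Template-based synthesis by enumeration: every parameter valuation
    (speed1, speed2, threshold) is model checked, and the feasible ones are
    returned in enumeration order."""
    feasible = []
    for speed1, speed2 in product(SPEEDS, repeat=2):
        for threshold in range(1, TARGET_HI + 1):
            ctrl = two_phase_controller(speed1, speed2, threshold)
            if find_violating_run(ctrl) is None:
                feasible.append((speed1, speed2, threshold))
    return feasible


if __name__ == "__main__":
    for speed1, speed2, threshold in synthesize_two_phase():
        print("feasible: %s until level %d, then %s" % (speed1, threshold, speed2))
    # Single-mode controllers are infeasible; print a witness run for each.
    print("fast only:", find_violating_run(two_phase_controller("fast", "fast", 1)))
    print("slow only:", find_violating_run(two_phase_controller("slow", "slow", 1)))
```

With these constructed parameters only controllers that run fast first and then switch to slow, at a threshold between 5 and 9, satisfy the requirement; the witness runs show the fast-only overshoot and the slow-only timeout.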
10.4.2 Results
We now present the actual experimental results of the comparison of the
performance of Synthia version 1.2.1 against Uppaal-Tiga version 4.1.4-
0.16 running on the benchmarks described in the previous section. Synthia
was compiled using GCC version 4.4.3. We executed Uppaal-Tiga with
various command line options and have chosen the best one for the compar-
ison. It turned out that we always obtained the best performance using the
default options.
Running times are given in seconds and the memory consumptions are
given in MB. The time limit was set to 2 hours, and the memory limit was
set to 4 GB. All experiments were conducted on a 2.6 GHz AMD Opteron
computer running Ubuntu 10.04.
      Template-based Synthia                 Uppaal-Tiga
Size  Steps  Abs   Time [s]  Mem [MB]  States     Time [s]  Mem [MB]
2     6      19    0         53        57         0         6
3     38     136   0         61        477        0         6
4     110    421   2         87        6755       6         57
5     423    1899  59        247       81292      1095      79
6     1445   8335  1932      1335      TIMEOUT
7     TIMEOUT                          TIMEOUT
Table 10.4: Overview of the experimental results of Synthia and Uppaal-
Tiga running on the Chinese Juggler benchmark.
      Template-based Synthia                 Uppaal-Tiga
Size  Steps  Abs   Time [s]  Mem [MB]  States     Time [s]  Mem [MB]
5     58     100   1         80        88592      2         65
25    268    380   13        87        3114648    307       443
50    530    730   87        105       13545848   5018      2355
75    793    1080  329       111       TIMEOUT
100   1055   1430  927       143       TIMEOUT
125   1318   1780  1949      149       TIMEOUT
150   1580   2130  3483      153       TIMEOUT
175   1843   2480  5127      213       TIMEOUT
200   TIMEOUT                          TIMEOUT
Table 10.5: Overview of the experimental results of Synthia and Uppaal-
Tiga running on the Dam Controller benchmark.
Tables 10.4 and 10.5 show the results for the Chinese Juggler and the
Dam Controller benchmark, respectively. From left to right, the columns
show the size of the instance in terms of plates, the number of refinement
steps Synthia needed to produce the final abstraction, whose size in terms
of locations is shown in the next column, the running time and memory
consumption of Synthia, the number of states Uppaal-Tiga explored,
and the running time and memory consumption of Uppaal-Tiga.
For both benchmarks, template-based Synthia clearly outperforms the
game-based synthesis techniques implemented in Uppaal-Tiga. A closer
look at the Chinese Juggler example reveals that a major source of complex-
ity results from the subtraction operation that occurs in the backwards com-
putation of the winning states. Subtraction is expensive because it does not
preserve convexity, and therefore requires a split into multiple zones [Cassez
et al., 2005]. The much better performance of template-based synthesis is
due to the fact that template-based synthesis is based on model checking,
rather than game solving, and model checking does not require such non-
convex operations.
In the Dam Controller example, we observe that the size of the abstrac-
tion, and, thus, the running time, of the template-based approach increases
polynomially in the size of the benchmark, while Uppaal-Tiga suffers from
an exponential blow-up in the number of explored states.
Our results thus demonstrate that template-based synthesis is an at-
tractive alternative to the standard game-based approach to timed synthe-
sis. Template-based synthesis has the better worst-case complexity, is easier
to implement with symbolic data structures such as DBMs, and produces
nicely structured controllers with a small number of locations.
Chapter 11
Conclusion and Outlook
11.1 Conclusion
This thesis introduces sequential circuit machines, a new universal com-
putation model that focuses on succinctness as the central computational
resource. As demonstrated in Chapters 5 and 7, many well-known model-
ing formalisms from the literature exhibit an immediate connection to our
new machine model. Once a (syntactic) connection is established, many
complexity bounds for structurally restricted sequential circuit machines,
proven in Chapter 4, can be uniformly transferred to a specific formalism.
As a consequence, besides a drastic unification of independent lines of re-
search, this thesis also provides matching complexity bounds for various
analysis problems, whose complexity was not known so far.
Beyond their applicability as a new lower-bound technique, sequential
circuit machines per se represent an interesting object worth studying. In
Chapter 4, we provide an insightful overview on the computational power
of the existential and universal nondeterminism depending on the degree of
succinctness granted to them. By seeing explicitness as succinctness over
logarithmically many bits, we can characterize all major complexity classes
between LogSpace and 2ExpTime in terms of structurally restricted se-
quential circuit machines.
For timed automata, a particularly important modeling formalism, our
complexity-theoretic analysis in Chapter 7 leads to the discovery of tractable
fragments of the timed synthesis problem. Specifically, we identify timed
controller synthesis based on discrete or template-based controllers to be as
complex as model checking. Based on this insight, in Chapter 8, we develop
a new model checking-based abstraction refinement algorithm to efficiently
find feasible template instantiations.
From a more practical perspective, this thesis also studies the preserva-
tion of succinctness in analysis algorithms using symbolic data structures.
While efficient techniques exist for specific forms of succinctness considered
in isolation, Chapter 9 presents a general approach to combining off-the-shelf
symbolic data structures. Especially in the analysis of timed automata, in
addition to the exponential blow-up due to the introduction of clocks,
one often also faces a discrete blow-up, e.g., when using networks of timed
automata to succinctly model timed systems consisting of concurrent com-
ponents. Also, due to the exponential number of feasible instantiations,
template-based synthesis can cause a similar discrete blow-up. In Chap-
ter 10, we report on an implementation of the combination approach in the
tool Synthia. In an experimental evaluation, it turns out that our new
approach dramatically outperforms Uppaal and Uppaal-Tiga running on
standard model checking and synthesis benchmarks, respectively.
11.2 Outlook
Extending sequential circuit machines. Not in the scope of this the-
sis, but in principle also possible, is the syntactic characterization of other
complexity classes using a slight modification of our machine model. For ex-
ample, assuming reductions weaker than LogSpace, one could immediately
characterize classes from the AC or NC hierarchy [Pippenger, 1979]. One
could also prove that, by fixing a constant amount of universal memory, one
obtains classes from the polynomial hierarchy [Stockmeyer, 1976].
Beyond 2ExpTime, one could also characterize classes in the exponential
hierarchy [see Papadimitriou, 1994, pages 497–498] by cascading succinct-
ness (e.g., assuming a binary encoding of sequential circuit machines) or
by cascading observability (e.g., by assuming multiple black-box circuits ar-
ranged in a pipelined architecture [Pnueli and Rosner, 1990]). In this man-
ner, one could also introduce information forks [Finkbeiner and Schewe,
2005] in sequential circuit machines to arrive at full Turing completeness.
Alternatively, one could think of an extension where the amount of universal
nondeterminism is generally unbounded and the existential quantification,
in addition to the black-box circuit, also comprises the amount of existen-
tial nondeterminism.
Imposing more fine-grained restrictions. So far, we only considered
restricting the computational power of sequential circuit machines by lim-
iting the number of bits controllable by both the universal and existential
nondeterminism. That is, we have seen that by restricting the interface
(i.e., the number of inputs and outputs) of the combinatorial circuit C_A, one
obtains computational power equivalent to a particular major complex-
ity class between LogSpace and 2ExpTime. An interesting direction for
future research is to investigate the impact of restricting the structure of
C_A on the computational power, which might lead to the discovery of new
syntactic complexity classes with complete problems. This fundamentally
new characterization of complexity classes might shed new light on certain
formidable problems for which the best known lower bound is NPTime and
the best known upper bound is PSpace, such as the reachability problem
for timed automata with two clocks [Laroussinie et al., 2004] or the interval-
bound problem for weighted automata [Bouyer et al., 2008].
Quasi-complete template-based synthesis. Beyond timed automata
with a parametric control structure, in future work, one could expand the
class of templates considered by the synthesis algorithm from Chapter 8.
Particularly interesting is the introduction of parameters in the clock con-
straints. Results from parametric timed model checking [Alur et al., 1993b]
indicate that the analysis of such templates is in general undecidable. How-
ever, subclasses of parametric timed automata, such as L/U automata [Hune
et al., 2001], for which the emptiness problem is decidable, are promising
candidates for a more expressive and yet computationally feasible class of
templates.
The long-term goal is to obtain a succinct but comprehensive library
of practically meaningful templates. Then, for a given plant, an automatic
synthesis procedure could heuristically search that library for a feasible in-
stantiation. We call such a procedure quasi-complete because it either finds a
practically meaningful controller, or it reports that no such controller exists.
Extending the combination approach. In the abstraction refinement
approach presented in Chapter 9, the refinement is computed based on a
propagation of states. A natural extension would be to adapt advances from
the field of model checking based on counterexample-guided abstraction re-
finement [Clarke et al., 2003] and interpolation [McMillan, 2003, Brückner
et al., 2008] to compute refinements for decreasing overapproximations. In
some sense dual to that, one could develop techniques similar to accelera-
tion [Boigelot and Wolper, 1994, Hendriks and Larsen, 2002, Bardin et al.,
2005] to increase underapproximations faster.
In the current implementation of Synthia, the CNF of the global edge
relation (see Section 9.2.2 on Page 126) is represented explicitly as a list
of clauses over Boolean functions and clock constraints. Instead, one could
think of a symbolic representation using, e.g., diagram-based data struc-
tures [Ehlers et al., 2010a, Morbé et al., 2011]. Based on that, one could
also think of a fully symbolic representation of the set of reachable states.
Moreover, one could even think of a symbolic representation of the abstract
control structures, avoiding the potentially expensive CNF to DNF conver-
sion.
A more far-reaching extension is to generalize the combination approach
from timed to arbitrary systems by allowing an arbitrary partitioning of the
state bits. Having such a generalization, one could tackle other domains
where one also has a combination of different forms of succinctness. For ex-
ample, in the hardware verification domain, a design is usually divided into
two parts: (1) the datapath for performing data processing operations (such
as arithmetic operations), and (2) the control unit that determines the sig-
nals that control the functional units in the datapath (such as multiplexers,
clock signals for registers, etc.). While efficient analysis techniques exist for
each individual part, the combination of both still represents a challenging
task.
Bibliography
Martín Abadi and Leslie Lamport. An old-fashioned recipe for real time.
In J. W. de Bakker, Cornelis Huizing, Willem P. de Roever, and Grze-
gorz Rozenberg, editors, REX Workshop, volume 600 of Lecture Notes in
Computer Science, pages 1–27. Springer, 1991. ISBN 3-540-55564-1.
Karine Altisen and Stavros Tripakis. Tools for controller synthesis of timed
systems. In 2nd Workshop on Real-Time Tools (RT-TOOLS’02), 2002.
Rajeev Alur. Timed automata. In Nicolas Halbwachs and Doron Peled,
editors, CAV, volume 1633 of Lecture Notes in Computer Science, pages
8–22. Springer, 1999. ISBN 3-540-66202-2.
Rajeev Alur and David L. Dill. Automata for modeling real-time systems. In
Mike Paterson, editor, ICALP, volume 443 of Lecture Notes in Computer
Science, pages 322–335. Springer, 1990. ISBN 3-540-52826-1.
Rajeev Alur and David L. Dill. A theory of timed automata. Theor. Comput.
Sci., 126(2):183–235, 1994.
Rajeev Alur, Costas Courcoubetis, and David L. Dill. Model-checking for
real-time systems. In LICS, pages 414–425. IEEE Computer Society, 1990.
ISBN 0-8186-2073-0.
Rajeev Alur, Costas Courcoubetis, and David L. Dill. Model-checking in
dense real-time. Inf. Comput., 104(1):2–34, 1993a.
Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. Parametric real-
time reasoning. In S. Rao Kosaraju, David S. Johnson, and Alok Aggar-
wal, editors, STOC, pages 592–601. ACM, 1993b. ISBN 0-89791-591-7.
Eugene Asarin, Marius Bozga, Alain Kerbrat, Oded Maler, Amir Pnueli,
and Anne Rasse. Data-structures for the verification of timed automata.
In Oded Maler, editor, HART, volume 1201 of LNCS, pages 346–360.
Springer, 1997. ISBN 3-540-62600-X.
Eugene Asarin, Oded Maler, Amir Pnueli, and Joseph Sifakis. Controller
synthesis for timed automata. In J.-F. Lafay, editor, Proc. 5th IFAC
Conference on System Structure and Control, pages 469–474. Elsevier,
1998.
Christer Bäckström and Bernhard Nebel. Complexity results for SAS+ plan-
ning. Computational Intelligence, 11:625–656, 1995.
Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT
Press, 2008. ISBN 978-0-262-02649-9.
Sébastien Bardin, Alain Finkel, Jérôme Leroux, and Ph. Schnoebelen. Flat
acceleration in symbolic model checking. In Doron Peled and Yih-Kuen
Tsay, editors, ATVA, volume 3707 of Lecture Notes in Computer Science,
pages 474–488. Springer, 2005. ISBN 3-540-29209-8.
Gerd Behrmann, Kim Guldstrand Larsen, Henrik Reif Andersen, Henrik
Hulgaard, and Jørn Lind-Nielsen. Verification of hierarchical state/event
systems using reusability and compositionality. In Rance Cleaveland, ed-
itor, TACAS, volume 1579 of Lecture Notes in Computer Science, pages
163–177. Springer, 1999a. ISBN 3-540-65703-7.
Gerd Behrmann, Kim Guldstrand Larsen, Justin Pearson, Carsten Weise,
and Wang Yi. Efficient timed reachability analysis using clock difference
diagrams. In CAV, volume 1633 of LNCS, pages 341–353, 1999b. ISBN
3-540-66202-2.
Gerd Behrmann, Alexandre David, and Kim Guldstrand Larsen. A tutorial
on Uppaal. In Marco Bernardo and Flavio Corradini, editors, SFM, vol-
ume 3185 of Lecture Notes in Computer Science, pages 200–236. Springer,
2004. ISBN 3-540-23068-8.
Gerd Behrmann, Patricia Bouyer, Kim Guldstrand Larsen, and Radek
Pelánek. Lower and upper bounds in zone-based abstractions of timed
automata. STTT, 8(3):204–215, 2006.
Gerd Behrmann, Agnès Cougnard, Alexandre David, Emmanuel Fleury,
Kim Guldstrand Larsen, and Didier Lime. UPPAAL-Tiga: Time for play-
ing games! In Werner Damm and Holger Hermanns, editors, Proc. 19th
International Conference on Computer Aided Verification (CAV’07), vol-
ume 4590 of Lecture Notes in Computer Science, pages 121–125. Springer,
2007.
Johan Bengtsson, Kim Guldstrand Larsen, Fredrik Larsson, Paul Pettersson,
and Wang Yi. Uppaal - a tool suite for automatic verification of real-time
systems. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Son-
tag, editors, Hybrid Systems, volume 1066 of Lecture Notes in Computer
Science, pages 232–243. Springer, 1995. ISBN 3-540-61155-X.
Dirk Beyer. Improvements in BDD-based reachability analysis of timed
automata. In José Nuno Oliveira and Pamela Zave, editors, FME, volume
2021 of LNCS, pages 318–343. Springer, 2001. ISBN 3-540-41791-5.
Dirk Beyer, Claus Lewerentz, and Andreas Noack. Rabbit: A tool for BDD-
based verification of real-time systems. In Jr. and Somenzi [2003], pages
122–125. ISBN 3-540-40524-0.
Roderick Bloem, Stefan J. Galler, Barbara Jobstmann, Nir Piterman, Amir
Pnueli, and Martin Weiglhofer. Specify, compile, run: Hardware from PSL.
Electr. Notes Theor. Comput. Sci., 190(4):3–16, 2007.
Bernard Boigelot and Pierre Wolper. Symbolic verification with periodic
sets. In David L. Dill, editor, CAV, volume 818 of Lecture Notes in Com-
puter Science, pages 55–67. Springer, 1994. ISBN 3-540-58179-0.
Bernd Borchert and Antoni Lozano. Succinct circuit representations and leaf
language classes are basically the same concept. Electronic Colloquium on
Computational Complexity (ECCC), 3(6), 1996.
Allan Borodin. On relating time and space to size and depth. SIAM J.
Comput., 6(4):733–744, 1977.
Ahmed Bouajjani, Stavros Tripakis, and Sergio Yovine. On-the-fly symbolic
model checking for real-time systems. In Lin [1997], pages 25–.
Patricia Bouyer. Untameable timed automata! In Helmut Alt and Michel
Habib, editors, STACS, volume 2607 of Lecture Notes in Computer Sci-
ence, pages 620–631. Springer, 2003. ISBN 3-540-00623-0.
Patricia Bouyer and Fabrice Chevalier. On the control of timed and hybrid
systems. EATCS Bulletin, 89:79–96, June 2006.
Patricia Bouyer, Deepak D’Souza, P. Madhusudan, and Antoine Petit.
Timed control with partial observability. In Jr. and Somenzi [2003], pages
180–192. ISBN 3-540-40524-0.
Patricia Bouyer, Ulrich Fahrenberg, Kim Guldstrand Larsen, Nicolas
Markey, and Jiří Srba. Infinite runs in weighted timed automata with
energy constraints. In Franck Cassez and Claude Jard, editors, FOR-
MATS, volume 5215 of Lecture Notes in Computer Science, pages 33–47.
Springer, 2008. ISBN 978-3-540-85777-8.
Marius Bozga, Oded Maler, Amir Pnueli, and Sergio Yovine. Some progress
in the symbolic verification of timed automata. In Orna Grumberg, editor,
CAV, volume 1254 of LNCS, pages 179–190. Springer, 1997. ISBN 3-540-
63166-6.
Ingo Brückner, Klaus Dräger, Bernd Finkbeiner, and Heike Wehrheim. Slic-
ing abstractions. Fundam. Inform., 89(4):369–392, 2008.
Randal E. Bryant. Graph-based algorithms for Boolean function manipula-
tion. IEEE Trans. Computers, 35(8):677–691, 1986.
Jerry R. Burch, Edmund M. Clarke, Kenneth L. McMillan, David L. Dill,
and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Inf.
Comput., 98(2):142–170, 1992.
Tom Bylander. The computational complexity of propositional STRIPS plan-
ning. Artif. Intell., 69(1-2):165–204, 1994.
Jin-yi Cai and Merrick L. Furst. PSPACE survives constant-width bottle-
necks. Int. J. Found. Comput. Sci., 2(1):67–76, 1991.
Franck Cassez, Thomas A. Henzinger, and Jean-François Raskin. A compar-
ison of control problems for timed and hybrid systems. In Claire Tomlin
and Mark R. Greenstreet, editors, HSCC, volume 2289 of Lecture Notes in
Computer Science, pages 134–148. Springer, 2002. ISBN 3-540-43321-X.
Franck Cassez, Alexandre David, Emmanuel Fleury, Kim Guldstrand
Larsen, and Didier Lime. Efficient on-the-fly algorithms for the analysis
of timed games. In Martín Abadi and Luca de Alfaro, editors, Proc. 16th
International Conference on Concurrency Theory (CONCUR’05), volume
3653 of Lecture Notes in Computer Science, pages 66–80. Springer, 2005.
Franck Cassez, Alexandre David, Kim Guldstrand Larsen, Didier Lime, and
Jean-François Raskin. Timed control with observation based and stutter-
ing invariant strategies. In Namjoshi et al. [2007], pages 192–206. ISBN
978-3-540-75595-1.
Rohit Chadha, Axel Legay, Pavithra Prabhakar, and Mahesh Viswanathan.
Complexity bounds for the verification of real-time software. In Gilles
Barthe and Manuel V. Hermenegildo, editors, VMCAI, volume 5944 of
Lecture Notes in Computer Science, pages 95–111. Springer, 2010. ISBN
978-3-642-11318-5.
Ashok K. Chandra, Dexter Kozen, and Larry J. Stockmeyer. Alternation.
J. ACM, 28(1):114–133, 1981.
Thomas Chatain, Alexandre David, and Kim G. Larsen. Playing games
with timed games. In Alessandro Giua, Manuel Silva, and Janan Za-
ytoon, editors, Proceedings of the 3rd IFAC Conference on Analysis
and Design of Hybrid Systems (ADHS’09), Zaragoza, Spain, Septem-
ber 2009. URL http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDL-adhs09.pdf.
Taolue Chen and Jian Lu. Towards the complexity of controls for timed automata with a small number of clocks. In Jun Ma, Yilong Yin, Jian Yu, and Shuigeng Zhou, editors, FSKD (5), pages 134–138. IEEE Computer Society, 2008. ISBN 978-0-7695-3305-6.
Allan Cheng, Javier Esparza, and Jens Palsberg. Complexity results for 1-safe nets. Theor. Comput. Sci., 147(1&2):117–136, 1995.
Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Dexter Kozen, editor, Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer, 1981. ISBN 3-540-11212-X.
Edmund M. Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design, 19(1):7–34, 2001a.
Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, 2001b. ISBN 978-0-262-03270-4.
Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement for symbolic model checking. J. ACM, 50(5):752–794, 2003.
Stephen A. Cook. Deterministic CFL’s are accepted simultaneously in polynomial time and log squared space. In Michael J. Fischer, Richard A. DeMillo, Nancy A. Lynch, Walter A. Burkhard, and Alfred V. Aho, editors, STOC, pages 338–345. ACM, 1979.
Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms (3. ed.). MIT Press, 2009. ISBN 978-0-262-03384-8.
Costas Courcoubetis and Mihalis Yannakakis. Minimum and maximum delay problems in real-time systems. Formal Methods in System Design, 1(4):385–415, 1992.
Alexandre David. UPPAAL DBM Library release 2.0.8, 2011.
Stéphane Demri and Philippe Schnoebelen. The complexity of propositional linear temporal logics in simple cases. Inf. Comput., 174(1):84–103, 2002.
Henning Dierks, Sebastian Kupferschmid, and Kim Guldstrand Larsen. Automatic abstraction refinement for timed automata. In Jean-François Raskin and P. S. Thiagarajan, editors, FORMATS, volume 4763 of Lecture Notes in Computer Science, pages 114–129. Springer, 2007. ISBN 978-3-540-75453-4.
David L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Joseph Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 197–212. Springer, 1989. ISBN 3-540-52148-8.
David L. Dill and Howard Wong-Toi. Verification of real-time systems by successive over and under approximation. In Pierre Wolper, editor, CAV, volume 939 of Lecture Notes in Computer Science, pages 409–422. Springer, 1995. ISBN 3-540-60045-0.
Deepak D’Souza and P. Madhusudan. Timed control synthesis for external specifications. In Helmut Alt and Afonso Ferreira, editors, STACS, volume 2285 of Lecture Notes in Computer Science, pages 571–582. Springer, 2002. ISBN 3-540-43283-3.
Rüdiger Ehlers. Symbolic bounded synthesis. In Tayssir Touili, Byron Cook, and Paul Jackson, editors, CAV, volume 6174 of Lecture Notes in Computer Science, pages 365–379. Springer, 2010. ISBN 978-3-642-14294-9.
Rüdiger Ehlers, Daniel Fass, Michael Gerke, and Hans-Jörg Peter. Fully symbolic timed model checking using constraint matrix diagrams. In RTSS, pages 360–371. IEEE Computer Society, 2010a. ISBN 978-0-7695-4298-0.
Rüdiger Ehlers, Michael Gerke, and Hans-Jörg Peter. Making the right cut in model checking data-intensive timed systems. In Jin Song Dong and Huibiao Zhu, editors, ICFEM, volume 6447 of Lecture Notes in Computer Science, pages 565–580. Springer, 2010b. ISBN 978-3-642-16900-7.
Rüdiger Ehlers, Robert Mattmüller, and Hans-Jörg Peter. Combining symbolic representations for solving timed games. In Krishnendu Chatterjee and Thomas A. Henzinger, editors, FORMATS, volume 6246 of Lecture Notes in Computer Science, pages 107–121. Springer, 2010c. ISBN 978-3-642-15296-2.
Javier Esparza. Decidability and complexity of Petri net problems - an introduction. In Wolfgang Reisig and Grzegorz Rozenberg, editors, Petri Nets, volume 1491 of Lecture Notes in Computer Science, pages 374–428. Springer, 1996. ISBN 3-540-65306-6.
Ronald Fagin. Generalized first-order spectra and polynomial-time recognizable sets. In Richard M. Karp, editor, Complexity of Computation, volume 7 of SIAM AMS Proceedings, pages 43–73, 1974.
Joan Feigenbaum, Sampath Kannan, Moshe Y. Vardi, and Mahesh Viswanathan. The complexity of problems on graphs represented as OBDDs. Chicago J. Theor. Comput. Sci., 1999, 1999.
Emmanuel Filiot, Naiyong Jin, and Jean-François Raskin. An antichain algorithm for LTL realizability. In Ahmed Bouajjani and Oded Maler, editors, CAV, volume 5643 of Lecture Notes in Computer Science, pages 263–277. Springer, 2009. ISBN 978-3-642-02657-7.
Bernd Finkbeiner and Hans-Jörg Peter. Template-based controller synthesis for timed systems. In Cormac Flanagan and Barbara König, editors, TACAS, volume 7214 of Lecture Notes in Computer Science, pages 392–406. Springer, 2012. ISBN 978-3-642-28755-8.
Bernd Finkbeiner and Sven Schewe. Uniform distributed synthesis. In LICS, pages 321–330. IEEE Computer Society, 2005. ISBN 0-7695-2266-1.
Bernd Finkbeiner and Sven Schewe. SMT-based synthesis of distributed systems. In Proceedings of the 2nd Workshop on Automated Formal Methods (AFM 2007), 6 November, Atlanta, Georgia, USA, pages 69–76. ACM Press, 2007.
Bernd Finkbeiner, Hans-Jörg Peter, and Sven Schewe. Synthesizing certificates in networks of timed automata. In IEEE Real-Time Systems Symposium, pages 183–194. IEEE Computer Society, 2008. ISBN 978-0-7695-3477-0.
Olivier Finkel. On decision problems for timed automata. Bulletin of the EATCS, 87:185–190, 2005.
Robert W. Floyd. Algorithm 97: Shortest path. Commun. ACM, 5(6):345, 1962.
Steven Fortune and James Wyllie. Parallelism in random access machines. In Lipton et al. [1978], pages 114–118.
Hana Galperin and Avi Wigderson. Succinct representations of graphs. Information and Control, 56(3):183–198, 1983.
Pierre Ganty, Nicolas Maquet, and Jean-François Raskin. Fixed point guided abstraction refinement for alternating automata. Theor. Comput. Sci., 411(38-39):3444–3459, 2010.
Leslie M. Goldschlager. A unified approach to models of synchronous parallel machines. In Lipton et al. [1978], pages 89–94.
Ganesh Gopalakrishnan and Shaz Qadeer, editors. Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, volume 6806 of Lecture Notes in Computer Science, 2011. Springer. ISBN 978-3-642-22109-5.
Georg Gottlob, Nicola Leone, and Helmut Veith. Succinctness as a source of complexity in logical formalisms. Ann. Pure Appl. Logic, 97(1-3):231–260, 1999.
Erich Grädel. Capturing complexity classes by fragments of second-order logic. Theor. Comput. Sci., 101(1):35–57, 1992.
Erich Grädel, Wolfgang Thomas, and Thomas Wilke, editors. Automata, Logics, and Infinite Games: A Guide to Current Research [outcome of a Dagstuhl seminar, February 2001], volume 2500 of Lecture Notes in Computer Science, 2002. Springer. ISBN 3-540-00388-6.
Susanne Graf and Hassen Saïdi. Construction of abstract state graphs with PVS. In Orna Grumberg, editor, CAV, volume 1254 of Lecture Notes in Computer Science, pages 72–83. Springer, 1997. ISBN 3-540-63166-6.
David Harel, Orna Kupferman, and Moshe Y. Vardi. On the complexity of verifying concurrent transition systems. In Antoni W. Mazurkiewicz and Józef Winkowski, editors, CONCUR, volume 1243 of Lecture Notes in Computer Science, pages 258–272. Springer, 1997. ISBN 3-540-63141-0.
Juris Hartmanis and Richard Edwin Stearns. On the computational complexity of algorithms. Transactions of the AMS, 117:285–306, 1965.
Martijn Hendriks and Kim Guldstrand Larsen. Exact acceleration of real-time model checking. Electr. Notes Theor. Comput. Sci., 65(6):120–139, 2002.
Thomas A. Henzinger and Peter W. Kopke. Discrete-time control for rectangular hybrid automata. Theor. Comput. Sci., 221(1-2):369–392, 1999.
Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Symbolic model checking for real-time systems. Inf. Comput., 111(2):193–244, 1994.
Thomas Hune, Judi Romijn, Mariëlle Stoelinga, and Frits W. Vaandrager. Linear parametric model checking of timed automata. In Tiziana Margaria and Wang Yi, editors, TACAS, volume 2031 of Lecture Notes in Computer Science, pages 189–203. Springer, 2001. ISBN 3-540-41865-2.
Neil Immerman. Upper and lower bounds for first order expressibility. In FOCS, pages 74–82. IEEE Computer Society, 1980.
Neil Immerman. Number of quantifiers is better than number of tape cells. J. Comput. Syst. Sci., 22(3):384–406, 1981.
Neil Immerman. Nondeterministic space is closed under complementation. SIAM J. Comput., 17(5):935–938, 1988.
Neil Immerman. Descriptive complexity. Graduate texts in computer science. Springer, 1999. ISBN 978-0-387-98600-5.
Neil D. Jones. Space-bounded reducibility among combinatorial problems. J. Comput. Syst. Sci., 11(1):68–85, 1975.
Warren A. Hunt Jr. and Fabio Somenzi, editors. Computer Aided Verification, 15th International Conference, CAV 2003, Boulder, CO, USA, July 8-12, 2003, Proceedings, volume 2725 of Lecture Notes in Computer Science, 2003. Springer. ISBN 3-540-40524-0.
Richard M. Karp. Reducibility among combinatorial problems. In Raymond E. Miller and James W. Thatcher, editors, Complexity of Computer Computations, The IBM Research Symposia Series, pages 85–103. Plenum Press, New York, 1972. ISBN 0-306-30707-3.
Gal Katz, Doron Peled, and Sven Schewe. Synthesis of distributed control through knowledge accumulation. In Gopalakrishnan and Qadeer [2011], pages 510–525. ISBN 978-3-642-22109-5.
Orna Kupferman and Sarai Sheinvald-Faragy. Finding shortest witnesses to the nonemptiness of automata on infinite words. In Christel Baier and Holger Hermanns, editors, CONCUR, volume 4137 of Lecture Notes in Computer Science, pages 492–508. Springer, 2006. ISBN 3-540-37376-4.
Orna Kupferman, Yoad Lustig, Moshe Y. Vardi, and Mihalis Yannakakis. Temporal synthesis for bounded systems and environments. In Thomas Schwentick and Christoph Dürr, editors, STACS, volume 9 of LIPIcs, pages 615–626. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2011. ISBN 978-3-939897-25-5.
Richard E. Ladner. The circuit value problem is log space complete for P. SIGACT News, 7(1):18–20, 1975.
François Laroussinie and Philippe Schnoebelen. The state explosion problem from trace to bisimulation equivalence. In Jerzy Tiuryn, editor, FoSSaCS, volume 1784 of Lecture Notes in Computer Science, pages 192–207. Springer, 2000. ISBN 3-540-67257-5.
François Laroussinie, Nicolas Markey, and Philippe Schnoebelen. Model checking timed automata with one or two clocks. In Philippa Gardner and Nobuko Yoshida, editors, CONCUR, volume 3170 of Lecture Notes in Computer Science, pages 387–401. Springer, 2004. ISBN 3-540-22940-X.
Kim G. Larsen, Carsten Weise, Wang Yi, and Justin Pearson. Clock Difference Diagrams. Nordic Journal of Computing, 6(3):271–298, 1999.
Kim G. Larsen, Gerd Behrmann, and Arne Skou. Exercises for Uppaal. http://www.cs.aau.dk/~bnielsen/TOV08/ESV04/exercises, 2004.
Kim Guldstrand Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Efficient verification of real-time systems: compact data structure and state-space reduction. In Lin [1997], pages 14–24.
Kwei-Jay Lin, editor. Proceedings of the 18th IEEE Real-Time Systems Symposium (RTSS ’97), December 3-5, 1997, San Francisco, CA, USA, 1997. IEEE Computer Society.
Richard J. Lipton, Walter A. Burkhard, Walter J. Savitch, Emily P. Friedman, and Alfred V. Aho, editors. Proceedings of the 10th Annual ACM Symposium on Theory of Computing, May 1-3, 1978, San Diego, California, USA, 1978. ACM.
Michael L. Littman. Probabilistic propositional planning: Representations and complexity. In Benjamin Kuipers and Bonnie L. Webber, editors, AAAI/IAAI, pages 748–754. AAAI Press / The MIT Press, 1997. ISBN 0-262-51095-2.
Antoni Lozano and José L. Balcázar. The complexity of graph problems for succinctly represented graphs. In Manfred Nagl, editor, WG, volume 411 of Lecture Notes in Computer Science, pages 277–286. Springer, 1989. ISBN 3-540-52292-1.
Yoad Lustig and Moshe Y. Vardi. Synthesis from component libraries. In Luca de Alfaro, editor, FOSSACS, volume 5504 of Lecture Notes in Computer Science, pages 395–409. Springer, 2009. ISBN 978-3-642-00595-4.
Oded Maler, Amir Pnueli, and Joseph Sifakis. On the synthesis of discrete controllers for timed systems (an extended abstract). In Ernst W. Mayr and Claude Puech, editors, Proc. 12th Annual Symposium on Theoretical Aspects of Computer Science (STACS’95), volume 900 of Lecture Notes in Computer Science, pages 229–242. Springer, 1995.
Zohar Manna and Henny Sipma. Alternating the temporal picture for safety. In Ugo Montanari, José D. P. Rolim, and Emo Welzl, editors, ICALP, volume 1853 of Lecture Notes in Computer Science, pages 429–450. Springer, 2000. ISBN 3-540-67715-1.
Kenneth L. McMillan. Interpolation and SAT-based model checking. In Hunt Jr. and Somenzi [2003], pages 1–13. ISBN 3-540-40524-0.
Marvin Minsky. Computation: Finite and Infinite Machines. Prentice-Hall, Inc, 1967.
Jesper B. Møller, Jakob Lichtenberg, Henrik Reif Andersen, and Henrik Hulgaard. Fully symbolic model checking of timed systems using difference decision diagrams. Electr. Notes Theor. Comput. Sci., 23(2), 1999.
M. Oliver Möller. CSMA/CD model generator for Uppaal. http://www.it.uu.se/research/group/darts/uppaal/benchmarks/genCSMA_CD.awk, 2001.
M. Oliver Möller, Harald Rueß, and Maria Sorea. Predicate abstraction for dense real-time systems. Electr. Notes Theor. Comput. Sci., 65(6):218–237, 2002.
Georges Morbé, Florian Pigorsch, and Christoph Scholl. Fully symbolic model checking for timed automata. In Gopalakrishnan and Qadeer [2011], pages 616–632. ISBN 978-3-642-22109-5.
Kedar S. Namjoshi, Tomohiro Yoneda, Teruo Higashino, and Yoshio Okamura, editors. Automated Technology for Verification and Analysis, 5th International Symposium, ATVA 2007, Tokyo, Japan, October 22-25, 2007, Proceedings, volume 4762 of Lecture Notes in Computer Science, 2007. Springer. ISBN 978-3-540-75595-1.
Christos H. Papadimitriou. Computational complexity. Addison-Wesley, 1994. ISBN 978-0-201-53082-7.
Christos H. Papadimitriou and Mihalis Yannakakis. A note on succinct representations of graphs. Information and Control, 71(3):181–185, 1986.
Hans-Jörg Peter and Bernd Finkbeiner. The complexity of bounded synthesis for timed control with partial observability. Accepted for publication. In Marcin Jurdzinski and Dejan Nickovic, editors, FORMATS, Lecture Notes in Computer Science. Springer, 2012.
Hans-Jörg Peter and Robert Mattmüller. Component-based abstraction refinement for timed controller synthesis. In Theodore P. Baker, editor, IEEE Real-Time Systems Symposium, pages 364–374. IEEE Computer Society, 2009. ISBN 978-0-7695-3875-4.
Hans-Jörg Peter, Rüdiger Ehlers, and Robert Mattmüller. Synthia: Verification and synthesis for timed automata. In Gopalakrishnan and Qadeer [2011], pages 649–655. ISBN 978-3-642-22109-5.
Nicholas Pippenger. On simultaneous resource bounds. In FOCS, pages 307–311. IEEE Computer Society, 1979.
Amir Pnueli. The temporal logic of programs. In FOCS, pages 46–57. IEEE Computer Society, 1977.
Amir Pnueli and Roni Rosner. Distributed reactive systems are hard to synthesize. In FOCS, pages 746–757. IEEE Computer Society, 1990.
Vaughan R. Pratt and Larry J. Stockmeyer. A characterization of the power of vector machines. J. Comput. Syst. Sci., 12(2):198–221, 1976.
Jean-Pierre Queille and Joseph Sifakis. Specification and verification of concurrent systems in CESAR. In Mariangiola Dezani-Ciancaglini and Ugo Montanari, editors, Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 337–351. Springer, 1982. ISBN 3-540-11494-7.
John H. Reif. The complexity of two-player games of incomplete information. J. Comput. Syst. Sci., 29(2):274–301, 1984.
Jussi Rintanen. Complexity of planning with partial observability. In Shlomo Zilberstein, Jana Koehler, and Sven Koenig, editors, ICAPS, pages 345–354. AAAI, 2004. ISBN 1-57735-200-9.
Walter L. Ruzzo. On uniform circuit complexity. J. Comput. Syst. Sci., 22(3):365–383, 1981.
Walter J. Savitch. Relationships between nondeterministic and deterministic tape complexities. J. Comput. Syst. Sci., 4(2):177–192, 1970.
Walter J. Savitch. Recursive Turing machines. Internat. J. Comput. Math., 6:3–31, 1977.
Walter J. Savitch. Parallel random access machines with powerful instruction sets. Mathematical Systems Theory, 15(3):191–210, 1982.
Walter J. Savitch and Michael J. Stimson. Time bounded random access machines with parallel processing. J. ACM, 26(1):103–118, 1979.
Sven Schewe and Bernd Finkbeiner. Bounded synthesis. In Namjoshi et al. [2007], pages 474–488. ISBN 978-3-540-75595-1.
Philippe Schnoebelen. The complexity of temporal logic model checking. In Philippe Balbiani, Nobu-Yuki Suzuki, Frank Wolter, and Michael Zakharyaschev, editors, Advances in Modal Logic, pages 393–436. King’s College Publications, 2002. ISBN 0-9543006-2-9.
Sanjit A. Seshia and Randal E. Bryant. Unbounded, fully symbolic model checking of timed automata using Boolean methods. In CAV, volume 2725 of Lecture Notes in Computer Science, pages 154–166, 2003. ISBN 3-540-40524-0.
A. Prasad Sistla and Edmund M. Clarke. The complexity of propositional linear temporal logics. J. ACM, 32(3):733–749, 1985.
Fabio Somenzi. CUDD: CU Decision Diagram package release 2.4.2, 2009.
Richard Edwin Stearns, Juris Hartmanis, and Philip M. Lewis II. Hierarchies of memory limited computations. In SWCT (FOCS), pages 179–190. IEEE Computer Society, 1965.
Larry J. Stockmeyer. The polynomial-time hierarchy. Theor. Comput. Sci., 3(1):1–22, 1976.
Larry J. Stockmeyer and Uzi Vishkin. Simulation of parallel random access machines by circuits. SIAM J. Comput., 13(2):409–422, 1984.
Róbert Szelepcsényi. The method of forcing for nondeterministic automata. Bulletin of the EATCS, 33:96–99, 1987.
Stavros Tripakis. Folk theorems on the determinization and minimization of timed automata. In Kim Guldstrand Larsen and Peter Niebert, editors, FORMATS, volume 2791 of Lecture Notes in Computer Science, pages 182–188. Springer, 2003. ISBN 3-540-21671-5.
Grigori S. Tseitin. On the complexity of derivation in propositional calculus. Studies in Constructive Mathematics and Mathematical Logic, Part 2, pages 115–125, 1968.
Alan M. Turing. On computable numbers, with an application to the Entscheidungsproblem. Proc. London Math. Society, 2(42):230–265, 1937.
Peter van Emde Boas. Machine models and simulation. In Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity (A), pages 1–66. Elsevier, 1990.
Moshe Y. Vardi. The complexity of relational query languages (extended abstract). In Harry R. Lewis, Barbara B. Simons, Walter A. Burkhard, and Lawrence H. Landweber, editors, STOC, pages 137–146. ACM, 1982. ISBN 0-89791-070-2.
Moshe Y. Vardi. Alternating automata: Unifying truth and validity checking for temporal logics. In William McCune, editor, CADE, volume 1249 of Lecture Notes in Computer Science, pages 191–206. Springer, 1997. ISBN 3-540-63104-6.
Helmut Veith. Languages represented by Boolean formulas. Inf. Process. Lett., 63(5):251–256, 1997.
Heribert Vollmer. Introduction to circuit complexity - a uniform approach. Texts in theoretical computer science. Springer, 1999. ISBN 978-3-540-64310-4.
Md Tawhid Bin Waez, Juergen Dingel, and Karen Rudie. Timed automata for the development of real-time systems. Technical report, Queen’s University, Ontario, Canada, 2011. URL http://research.cs.queensu.ca/TechReports/Reports/2011-579.pdf.
Farn Wang. Efficient verification of timed automata with BDD-like data structures. STTT, 6(1):77–97, 2004.
Stephen Warshall. A theorem on Boolean matrices. J. ACM, 9(1):11–12, 1962.
Marty J. Wolf. Nondeterministic circuits, space complexity and quasigroups. Theor. Comput. Sci., 125(2):295–313, 1994.
Celia Wrathall. Complete sets and the polynomial-time hierarchy. Theor. Comput. Sci., 3(1):23–33, 1976.
Satoshi Yamane and Kazuhiro Nakamura. Development and evaluation of symbolic model checker based on approximation for real-time systems. Systems and Computers in Japan, 35(10):83–101, 2004.
Sergio Yovine. Kronos: A verification tool for real-time systems. STTT, 1(1-2):123–133, 1997.
