Complexity bounds for the verification of real-time software
Rohit Chadha1⋆, Axel Legay2, Pavithra Prabhakar3⋆⋆, and Mahesh Viswanathan3⋆⋆⋆
1 LSV, ENS Cachan & CNRS & INRIA, France
2 Dept. of Computer Science, University of Illinois at Urbana-Champaign, U.S.A
3 IRISA, campus de Beaulieu, INRIA Rennes, France
chadha@lsv-ens.cachan.fr, alegay@irisa.fr, pprabha2@uiuc.edu, vmahesh@uiuc.edu
Abstract. We present uniform approaches to establish complexity bounds for decision problems such as reachability and simulation, that arise naturally in the verification of timed software systems. We model timed software systems as timed automata augmented with a data store (like a pushdown stack) and show that there is at least an exponential blowup in complexity of verification when compared with untimed systems. Our proof techniques also establish complexity results for boolean programs, which are automata with stores that have additional boolean variables.
1 Introduction
Timed automata [3] are a standard model for formally describing real-time systems. They are automata equipped with real-valued clocks that evolve continuously with time and which can be compared to integers, and reset during discrete transitions. When modelling concurrent real-time software systems, this basic model must be augmented with various data structures to capture different features — a program stack (visible [4] or otherwise) to model recursive procedure calls, a bag or buffer to model undelivered messages in a network, or a higher-order stack to capture safe higher-order functions. In this paper, we study the complexity of classical verification problems for such formal models of real-time software, namely, invariant verification, µ-calculus model checking, and simulation and bisimulation checking.
Our main thesis is that there is at least an exponential blowup in complexity for verifying real-time systems when compared with non-real-time systems. More precisely, the problem of verifying a property for automata with an auxiliary data store (like stack, bag or higher-order stack) and clocks is exponentially harder than checking the same property for the automata model without clocks.
⋆ The research was carried out while Rohit Chadha was at University of Illinois at Urbana-Champaign. He was supported by NSF 0429639.
⋆⋆ Supported by NSF 0448178.
⋆⋆⋆ Supported by NSF 0448178.
In general, the increase in complexity could be worse than exponential. For example, (timed) language containment for timed automata is undecidable [3], but is decidable in PSPACE for finite automata (without clocks). However, we also show that for certain properties (specifically, invariant and µ-calculus model checking, simulation and bisimulation checking) the increase in complexity is exactly exponential by establishing upper bounds for solving timed games.
This increase in complexity has been implicitly observed through a series of results that established the complexity of verification problems for the basic timed automata model. It has also been explicitly observed in [18], again for timed automata. In this paper we extend this line of work to timed automata with an auxiliary store. However, there is an important difference in the proof techniques used in the earlier papers and the one we use here. While previous papers established lower bounds by coming up with new, non-trivial reductions for timed automata, we obtain our results by using a uniform method to lift lower bound proofs for automata without clocks to automata with clocks, independent of the verification problem and the auxiliary data store being considered.
More precisely, our main technical result is that if a verification problem for automata without clocks is hard for complexity class C1 with respect to poly-log-time reductions, then the same verification problem is hard for an exponentially larger class C2 with respect to polynomial time reductions. In order to prove this, we rely on the following techniques. First, we draw on the ideas previously used in proving the complexity of problems whose input is succinctly represented as a circuit [13, 22, 6, 27] to show that verifying boolean automata is exponentially harder. Boolean automata are automata with auxiliary data stores that have additional boolean variables. Such models arise when a program is abstracted using predicates [14] inferred through a process of counterexample-guided abstraction-refinement [10]. Thus, our observations about boolean automata are of independent interest. Next, we show that automata with clocks can mimic the behavior of automata with boolean variables, and hence establish the main lemma for timed systems.
While poly-log-time reductions are a stricter class of reductions than polynomial time reductions, we observe that typically reductions satisfy these stronger conditions because they have a highly regular structure that depends only on certain local bits. We establish that this intuition does indeed hold when considering the reductions that establish lower bounds for invariant and µ-calculus model checking, and simulation and bisimulation checking, for finite state systems and pushdown systems. Thus, using our main technical lemma and our observations about reductions used in classical verification problems, we establish new complexity results for timed automata with data stores, and re-establish old results using new, uniform proof techniques.
Before concluding this introduction, we would like to make a couple of points about our new proofs. First, the new proofs are significantly easier to establish, as new reductions are not required. For the new proof, one needs to re-examine classical reductions for automata problems to check that they are poly-log-time, but this requires much less creativity than constructing a new reduction. Second, and more importantly, from a philosophical standpoint the new proof is appealing since it highlights clearly some reasons why the verification of real-time and embedded systems is harder than that of non-real-time systems.
Our Results: We show the following complexity results.
1. The control state reachability problem for timed automata is PSPACE-complete and for pushdown timed automata is DEXPTIME-complete.
2. The bisimulation and simulation problems between timed automata are DEXPTIME-complete.
3. The bisimulation and simulation problems between two visibly pushdown timed automata are 2-DEXPTIME-complete.
4. The bisimulation and simulation problems between a timed automaton and a pushdown timed automaton are 2-DEXPTIME-complete.
5. Model checking µ-calculus properties for order n higher order pushdown timed systems is (n+1)-DEXPTIME-complete.
The first two results were previously known, but our proofs for them are new. The remaining three results are completely new.
The rest of the paper is structured as follows. We start by discussing related work. In Section 2, we recall background material that we will use. Next, in Section 3, we establish lower bounds and upper bounds for boolean automata with data stores. The complexity of the verification problems for timed automata is studied in Section 4, and finally in Section 5 we present our conclusions.
1.1 Related Work
Verification problems for systems implicitly represented as a parallel composition of many processes, or using boolean variables, have been studied since the work of Harel et al., and Rabinovich [16, 23, 24], where the exponential blow-up in complexity was first observed for model checking branching time modal logics. This observation was extended to process algebraic equivalences and to timed automata in [18]. All of these results were established through new reductions for automata without an additional data store. Alur and Dill [3] introduced the model of timed automata, and showed that the reachability problem is PSPACE-complete. Decidability of simulation and bisimulation was shown in [8], while tight lower bounds were established in [18]. The complexity of model checking µ-calculus was shown in [2]. For timed automata A and B, the language containment problem (i.e., whether L(A) ⊆ L(B)) was shown to be decidable when B has one clock [21], and undecidable otherwise; for infinite strings the language containment is undecidable even when B has one clock [1]. The model of pushdown timed systems was first studied in [7], where reachability was shown to be decidable; the decidability of binary reachability was demonstrated in [11]. The language containment problem for timed systems with pushdown stacks and visibly pushdown stacks [4] was studied in [12]. For systems A and B, the problem of whether L(A) ⊆ L(B) was shown to be undecidable when both A and B have visibly pushdown stacks. They also conjectured that the problem is decidable when B is a simple timed automaton (without stack) with one clock; however, this problem remains open.
2 Preliminaries
Transition Systems. Given a set of edge labels $\Sigma_E$, a $\Sigma_E$-transition system (transition system when $\Sigma_E$ is clear from the context) $\mathcal{S}$ is a tuple $(S, \longrightarrow, s_0)$ such that $S$ is a set of configurations; $\Sigma_E$ is a finite set of labels; $\longrightarrow \subseteq S \times \Sigma_E \times S$ is a set of transitions and $s_0 \in S$ is the initial configuration. A transition system is said to be finite if $\Sigma_E$ and $S$ are finite. We often write $s \xrightarrow{a} s'$ instead of $(s, a, s') \in \longrightarrow$. As usual, we can define $s \xrightarrow{w} s'$ for all $w \in \Sigma_E^*$. We say that $s \longrightarrow^* s'$ if there exists $w \in \Sigma_E^*$ such that $s \xrightarrow{w} s'$. We assume the reader is familiar with the definitions of reachability, simulation and bisimulation for transition systems and the logic µ-calculus.
Decision problems, succinct and long representations. We assume that inputs to decision problems are encoded as finite words over the alphabet $\Gamma = \{0, 1\}$. A problem L over Γ is a subset of $\Gamma^*$. Following [6], a succinct representation of a word $w \in \Gamma^*$ is a boolean circuit that on input (the binary representation of) i outputs two boolean values, one indicating whether i is less than or equal to the length of w and the other indicating, in that case, the i-th bit of w. Given a problem L, the succinct representation of L, denoted s(L), is the set of all boolean circuits which are succinct representations of words in L [6]. The set long(L) is the set of all strings whose length is equal to the number represented by some binary string 1w in L [6].
Indirect access Turing Machines and polylog-time computations. We recall the definition of indirect access Turing machines [6] used to define complexity classes of low computational power. The Turing machines accepting languages in these classes do not have enough time to read the whole input. Hence indirect access Turing machines are defined. The machine includes the following elements:
– an input tape;
– a fixed number of work tapes;
– a special tape (henceforth called the pointer tape) to point to a bit of the input, which may be subsequently read in;
– a special tape (henceforth called the symbol tape) on which the symbol just read from the input appears written;
– a “read” state.
The machine is otherwise standard. It reads its input in the following way: the machine can write on the pointer tape the number of a position i of the input tape; whenever the “read” state is entered the machine gets (in one computation step) in the symbol tape the contents of the i-th position of the input tape. If the input has length less than i, then the machine does not get anything. The previous content of the symbol tape is overwritten, but the contents of the pointer tape and the position of its head remain untouched.
We will denote by LT the class of languages accepted by deterministic indirect access Turing machines within a computation time bounded by $O(\log n)$. The class PLT is the class of languages accepted by deterministic indirect access Turing machines within a computation time bounded by $O((\log n)^k)$ for some natural number k, and the class FLT is the class of all functions computable by such machines in $O((\log n)^k)$ time for some natural number k.
Polylog time and polynomial time reductions. Given two problems A and B, A is polynomial time m-reducible to B, denoted $A \le^P_m B$, if and only if there is a polynomial time computable function f such that $w \in A \Leftrightarrow f(w) \in B$ for every string w. Polylog time m-reducibility (abbreviated as PLT-reducibility and denoted $\le^{PLT}_m$) is defined as follows. A is PLT-reducible to B if and only if there is a function f such that i) $w \in A \Leftrightarrow f(w) \in B$ for every w; and ii) the following function $\varphi$ is computable in polylogarithmic time: for $w \in \{0, 1\}^*$ and $i \in \mathbb{N}$, $\varphi(w, i)$ is the i-th bit of f(w) if i is less than or equal to the length of f(w) and is undefined otherwise.
We now present two results from [6]. The first result relates PLT-reducibility and polynomial-time m-reducibility4. The second result shows that the succinct version of long(A) is at least as hard as A.
Lemma 1. If $A \le^{PLT}_m B$, then $s(A) \le^P_m s(B)$.
Lemma 2. $A \le^P_m s(\mathrm{long}(A))$.
Automata with auxiliary stores. An automaton with auxiliary store [9] consists of a control and an auxiliary store. Formally, an auxiliary store is a tuple $\mathcal{D} = (D, \widetilde{pred}, \widetilde{op}, d_i)$ such that D is a set, elements of which are called data values; $\widetilde{op}$ is a finite collection of functions $f : D \to D$; $\widetilde{pred}$ is a finite collection of unary predicates on D; and $d_i$ is an element of D, called the initial data value. It is assumed that the identity function $id \in \widetilde{op}$ and the always true predicate $true \in \widetilde{pred}$. Pushdown stores, visibly pushdown stores [5], and higher-order pushdown stores [15] can be seen as instances of auxiliary stores.
An automaton is defined over an auxiliary store and a finite alphabet (the alphabet is used to annotate the transitions of the automaton). Formally, given an auxiliary store $\mathcal{D} = (D, \widetilde{pred}, \widetilde{op}, d_i)$ and an alphabet $\Sigma_E$, a $(\mathcal{D}, \Sigma_E)$-automaton $\mathcal{A}$ is a tuple $(Q, \delta, q_i)$, where
– Q is a finite set of control states.
– $\delta \subseteq Q \times \widetilde{pred} \times \Sigma_E \times \widetilde{op} \times Q$ is a transition relation.
– $q_i$ is the initial state of the automaton $\mathcal{A}$.
The semantics of $\mathcal{A}$ is described in terms of a $\Sigma_E$-labeled transition system $(S, \longrightarrow_\delta, s_i)$. The set of configurations is $\{(q, d) \mid q \in Q \text{ and } d \in D\}$ and $(q_i, d_i)$ is the initial configuration. The transition relation $\longrightarrow_\delta$ is defined as follows: $(q, d) \xrightarrow{a}_\delta (q', d')$ iff there exist $p \in \widetilde{pred}$ and $g \in \widetilde{op}$ such that $(q, p, a, g, q') \in \delta$, $p(d)$ is true and $g(d) = d'$. We will assume the definition of isomorphism between automata.
4 The result in [6] is only shown for log time m-reducibility, but the extension is straightforward.
For example, a pushdown store on an alphabet Γ in a pushdown automaton can be formalized as an auxiliary store in the following way. The set $\Gamma^*$ (the set of all finite strings over Γ) can be taken as the set of data values with the empty string $\varepsilon$ as the initial value. The set of predicates $\widetilde{pred}$ can be chosen as $\{empty\} \cup \{top_\gamma \mid \gamma \in \Gamma\} \cup \{true\}$, where $empty = \{\varepsilon\}$, $top_\gamma = \{w\gamma \mid w \in \Gamma^*\}$ (the top of stack is γ) and $true = \Gamma^*$ (any stack). The set of functions $\widetilde{op}$ can be defined as $\{id\} \cup \{push_\gamma \mid \gamma \in \Gamma\} \cup \{pop_\gamma \mid \gamma \in \Gamma\}$, where $push_\gamma$ and $pop_\gamma$ are defined as follows. For all $w \in \Gamma^*$, $push_\gamma(w) = w\gamma$, and $pop_\gamma(w) = w_1$ if $w = w_1\gamma$ and $w$ otherwise. In a pushdown system the function $pop_\gamma$ will be enabled only when the store satisfies $top_\gamma$. The function $push_\gamma$ is enabled when the store satisfies $true$.
We also consider visibly pushdown automata (VPA) [5]. A VPA is a special kind of pushdown automaton in which every symbol of the input alphabet is designated as a call, return or internal. Every transition labelled by a call pushes a symbol, those labelled by a return pop a symbol, and transitions labelled by internal symbols do not push or pop any symbols.
The other kind of automata that will be considered are higher order pushdown systems. First let us define a higher order store. Given an alphabet Σ, an order 1 store is a stack of elements from Σ, and an order n store for n > 1 is a stack of elements from the set of stores of order n−1. The different kinds of operation that can be performed on an order n store include $push_w$ where w is a word of the input alphabet, $push_l$ where l ≤ n, and $pop_l$ where l ≤ n. A stack is written with the top most element to the left. The first order 1 store in an order 2 store ABC, where A, B and C are order 1 stores, is A, and the first order 2 store is ABC itself. $push_w$ pushes w onto the first order 1 stack in the store. $push_l$ pushes a copy of the first element of the first order l store to the first order l store in the store, and $pop_l$ pops the top element of the first order l store in the store. There is another operation $top$ which returns the top element of the first order 1 store in the store. A higher order pushdown system of order n is an automaton equipped with an order n store. A transition can be taken only if the element returned by $top$ matches the input symbol, and the data store is modified according to the operation. A formal description can be found in [15].
Automaton Problem. A k-tuple of automata with auxiliary store has signature $Sig = ((\mathcal{D}_1, \Sigma_{E1}), \cdots, (\mathcal{D}_k, \Sigma_{Ek}))$ if the i-th automaton in the tuple has auxiliary store $\mathcal{D}_i$ and alphabet $\Sigma_{Ei}$. A (k, Sig)-automaton problem is a set of k-tuples of automata having signature Sig. For the rest of the paper, we assume that an automaton problem is closed under isomorphism, i.e., if P is a k-automaton problem, then for any k-tuple $(\mathcal{A}_1, \mathcal{A}_2, \cdots, \mathcal{A}_k)$, $1 \le i \le k$, and $\mathcal{A}'_i$ such that $\mathcal{A}_i$ is isomorphic to $\mathcal{A}'_i$, $(\mathcal{A}_1, \mathcal{A}_2, \cdots, \mathcal{A}_i, \cdots, \mathcal{A}_k) \in P$ iff $(\mathcal{A}_1, \mathcal{A}_2, \cdots, \mathcal{A}'_i, \cdots, \mathcal{A}_k) \in P$.
For example, the simulation problem between pushdown automata over the same pushdown store and the same input alphabet $\Sigma_E$ is the set of pairs $(\mathcal{A}_1, \mathcal{A}_2)$ such that $\mathcal{A}_1$ is simulated by $\mathcal{A}_2$.
Encoding of an automaton. We encode the automaton over an auxiliary store $\mathcal{D}$ and an alphabet $\Sigma_E$ as a binary string. Let $n_1, n_2, n_3$ and $n_4$ be the least integers such that $|Q| \le 2^{n_1}$, $|\Sigma_E| \le 2^{n_2}$, $|\widetilde{pred}| \le 2^{n_3}$ and $|\widetilde{op}| \le 2^{n_4}$, respectively. We will assume some enumeration of the elements in Q (the initial state will always be numbered 0), $\Sigma_E$, $\widetilde{pred}$ and $\widetilde{op}$. The automaton is then encoded as a binary string w of length $2^n$, where $n = n_2 + n_3 + n_4 + 2n_1$, as follows. We basically encode the transition function. Note that any position of the encoding can be represented by a binary number of length $n_2 + n_3 + n_4 + 2n_1$. The first $n_2$ bits index the edge symbol of a transition, the next $n_3$ bits index the predicate of the transition, the next $n_4$ bits index the operation, the next $n_1$ bits index the “current control state” and the final $n_1$ bits index the “next control state”.
Before giving the formal encoding, let us fix some notation. Given a binary string $w \in \Gamma^*$, let $|w|$ denote the length of w and $w_i$ denote the i-th symbol (counting from left to right) of w. Given a binary string w, $\hat{w}$ represents the natural number whose binary expansion is w.
Let w be the encoding of the automaton. Then $w_i = 1$ if and only if $i = \hat{s}$ and $s = xvyuz$ where $|x| = n_2$, $|v| = n_3$, $|y| = n_4$, $|u| = n_1$ and $|z| = n_1$, and $(q_1, p_1, e_1, o_1, q_2) \in \delta$, where $q_1$ is the $\hat{u}$-th element of Q, $p_1$ is the $\hat{v}$-th element of $\widetilde{pred}$, $e_1$ is the $\hat{x}$-th element of $\Sigma_E$, $o_1$ is the $\hat{y}$-th element of $\widetilde{op}$ and $q_2$ is the $\hat{z}$-th element of Q; $w_i = 0$ otherwise.
We now describe how a tuple $(\mathcal{A}_1, \mathcal{A}_2, \cdots, \mathcal{A}_n)$ of automata is encoded. Let $x_1, \cdots, x_n$ be the encodings of the automata $\mathcal{A}_1, \cdots, \mathcal{A}_n$, respectively, as explained above. Let k be the maximum of the lengths of the $x_i$s. We pad 0s to the end of the $x_i$s if required so that their length is k. Let these new strings be $x'_1, \cdots, x'_n$. Let $y_i$ be a string of length k with $j_i$ 1s followed by 0s, where $j_i$ is the number of bits required to index the states of $\mathcal{A}_i$ (which was $n_1$ in the encoding of the individual automaton). The encoding of the automata tuple is then $y_1 x'_1 y_2 x'_2 \cdots y_n x'_n$.
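As an added example (not code from the paper), the pushdown store of this section and the bit-string encoding just described, implemented for a small constructed pushdown automaton: the encoding is built, a bit position is split back into its (x, v, y, u, z) fields, and a pair of automata is packed as y1x'1 y2x'2. All function names are this example's own; bit positions are assumed 0-based and the enumerations are assumed to place true, id and the initial state at index 0.

```python
# Added example (not from the paper): the paper's bit-string encoding of an
# automaton with auxiliary store, applied to a constructed pushdown automaton
# whose store is the paper's pushdown-store instance.  Bit positions are taken
# 0-based so that exactly 2**n positions exist (an assumption on the paper's
# "i-th symbol" convention); enumerations put true/id/initial state at index 0.


def bits_needed(count):
    """Least n with count <= 2**n (the paper's n1, n2, n3, n4)."""
    n = 0
    while 2 ** n < count:
        n += 1
    return n


def pushdown_store(gamma):
    """Enumerated predicates {true, empty, top_g} and operations
    {id, push_g, pop_g} of the pushdown store over stack alphabet gamma."""
    preds = ["true", "empty"] + ["top_" + g for g in gamma]
    ops = ["id"] + ["push_" + g for g in gamma] + ["pop_" + g for g in gamma]
    return preds, ops


def encode_automaton(states, alphabet, preds, ops, delta):
    """Encode the transition relation delta (tuples (q1, p, e, o, q2)) as a
    '0'/'1' string of length 2**n, n = n2 + n3 + n4 + 2*n1.  Position s is
    the binary number x v y u z: edge symbol, predicate, operation, current
    state, next state.  states[0] is the initial state.  Returns (w, layout)
    with layout = (n2, n3, n4, n1)."""
    n1, n2, n3, n4 = (bits_needed(len(c)) for c in (states, alphabet, preds, ops))
    layout = (n2, n3, n4, n1)
    w = ["0"] * (2 ** (n2 + n3 + n4 + 2 * n1))
    for q1, p, e, o, q2 in delta:
        fields = ((alphabet.index(e), n2), (preds.index(p), n3),
                  (ops.index(o), n4), (states.index(q1), n1),
                  (states.index(q2), n1))
        s = 0
        for value, width in fields:  # concatenate x, v, y, u, z
            s = (s << width) | value
        w[s] = "1"
    return "".join(w), layout


def decode_position(i, layout, states, alphabet, preds, ops):
    """Split position i into its fields and look them up; None when a field
    hits a padding index (an enumeration need not fill all 2**n_j slots)."""
    n2, n3, n4, n1 = layout
    values = []
    for width in (n1, n1, n4, n3, n2):  # peel z, u, y, v, x off the right
        values.append(i & ((1 << width) - 1))
        i >>= width
    z, u, y, v, x = values
    try:
        return (states[u], preds[v], alphabet[x], ops[y], states[z])
    except IndexError:
        return None


def decode_automaton(w, layout, states, alphabet, preds, ops):
    """Recover delta from an encoding produced by encode_automaton."""
    return {decode_position(i, layout, states, alphabet, preds, ops)
            for i, bit in enumerate(w) if bit == "1"}


def encode_tuple(encodings):
    """Encoding y1 x1' y2 x2' ... of a tuple of automata: each xj' is the j-th
    encoding 0-padded to the longest length k, and yj is k bits starting with
    n1(j) ones.  encodings is a list of (w, n1) pairs."""
    k = max(len(w) for w, _ in encodings)
    return "".join("1" * n1 + "0" * (k - n1) + w.ljust(k, "0")
                   for w, n1 in encodings)


# Constructed sample: push A on every 'a', pop one A on every 'b'.
STATES = ["q0", "q1"]
ALPHABET = ["a", "b"]
PREDS, OPS = pushdown_store(["A"])
DELTA = {
    ("q0", "true", "a", "push_A", "q0"),
    ("q0", "top_A", "b", "pop_A", "q1"),
    ("q1", "top_A", "b", "pop_A", "q1"),
}


def demo():
    """Encode the sample, decode it back, and build the pair encoding."""
    w, layout = encode_automaton(STATES, ALPHABET, PREDS, OPS, DELTA)
    back = decode_automaton(w, layout, STATES, ALPHABET, PREDS, OPS)
    pair = encode_tuple([(w, layout[3]), (w, layout[3])])
    return w, layout, back, pair


if __name__ == "__main__":
    w, layout, back, pair = demo()
    print(len(w), layout, sorted(i for i, b in enumerate(w) if b == "1"))
    print(back == DELTA, len(pair))
```

For the sample, n = 1 + 2 + 2 + 2 = 7, so the encoding has 128 bits, of which exactly three (one per transition) are 1.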
3 Boolean Automata with Stores
In this section, we establish complexity bounds for the verification of boolean automata, which we later use (in Section 4) to prove complexity bounds on the verification of real-time software. Boolean automata with stores are automata with auxiliary stores that are equipped with additional boolean variables that influence the enabling condition for transitions. We show that solving an automaton problem when the inputs are given as boolean automata is at least as hard as solving the same when the input automata are represented succinctly using circuits. This observation allows us to lift lower bound proofs for automata uniformly to those for boolean automata. Next we show that solving any problem on boolean automata is at most exponentially worse than solving the same problem for automata without boolean variables. We conclude this section by using these observations to establish the exact complexity for a variety of verification problems for boolean automata.
Definitions and notations. Let $Var = \{x_1, \cdots, x_n\}$ be a finite set of boolean variables. A valuation of Var is a function $v : Var \to \{0, 1\}$. The set of boolean formulas over Var, denoted BFor(Var), is defined inductively as $\varphi := \top \mid x \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi$, where $x \in Var$. Given $\varphi \in BFor(Var)$ and a valuation v of Var, $(\varphi)_v$ is defined inductively as $(\top)_v = 1$, $(\neg\varphi)_v = 1 - (\varphi)_v$, $(\varphi_1 \vee \varphi_2)_v = \max((\varphi_1)_v, (\varphi_2)_v)$, and $(\varphi_1 \wedge \varphi_2)_v = \min((\varphi_1)_v, (\varphi_2)_v)$. Next we define the set of reset expressions over Var, denoted BReset(Var), as the expressions of the form $x := y$, $x := 0$, $x := 1$, or $nondet(x)$, where $x, y \in Var$. Let us fix $Var = \{x_1, \cdots, x_n\}$ with the ordering $x_1, \cdots, x_n$ for the rest of this section. We define TReset(Var) to be the n-tuples over BReset(Var) where the i-th component of the tuple is of the form $x_i := x_j$, $x_i := 0$, $x_i := 1$ or $nondet(x_i)$. Given $\eta \in TReset(Var)$ we denote by $\eta_i$ the i-th component of η. $(\eta)_v$ gives the valuations resulting from the application of η to v and is defined as follows. $(\eta)_v$ is the set of valuations $v'$ such that for each i, $v'(x_i)$ is $v(x_j)$ if $\eta_i$ is $x_i := x_j$, is 0 if $\eta_i$ is $x_i := 0$, is 1 if $\eta_i$ is $x_i := 1$, and is either 0 or 1 if $\eta_i$ is $nondet(x_i)$. Given a valuation v, $\bar{v}$ will denote the tuple $(v(x_1), \cdots, v(x_n))$.
We now define a boolean automaton as an automaton augmented with a finite set of boolean variables on which the transitions may depend. We have the following definition.
Boolean Automaton. Let $\mathcal{D}$ be a store and $\Sigma_E$ be an alphabet. A $(\mathcal{D}, \Sigma_E)$-boolean automaton $\mathcal{B}$ is a tuple $(Q, Var, \delta, q_i, v_i)$, where
– Q is a finite set of control states.
– Var is a finite set of control variables.
– $\delta \subseteq Q \times BFor(Var) \times \widetilde{pred} \times \Sigma_E \times \widetilde{op} \times TReset(Var) \times Q$ is a finite set of transitions.
– $q_i$ is the initial state of the automaton.
– $v_i$ is the initial valuation of the variables.
The semantics of $\mathcal{B}$ is the same as that of the $(\mathcal{D}, \Sigma_E)$-automaton $[\![\mathcal{B}]\!] = (Q', \delta', q'_i)$, where $Q' = Q \times \{0, 1\}^n$; $q'_i = (q_i, \bar{v}_i)$; and $((q, \bar{v}), p, e, o, (q', \bar{v}')) \in \delta'$ iff there exist g and r such that $(q, g, p, e, o, r, q') \in \delta$, $(g)_v = 1$ and $v' \in (r)_v$.
In order to avoid clutter, we do not give the binary encoding of a boolean automaton, but it follows the same lines as the encoding of an automaton. The signature of a k-tuple of boolean automata with auxiliary stores is defined as for the case of automata. A k-boolean automaton problem is a set of k-tuples which have the same signature. The boolean version of a k-automaton problem P, which we denote b(P), is defined as $b(P) = \{(\mathcal{B}_1, \mathcal{B}_2, \ldots, \mathcal{B}_k) \mid ([\![\mathcal{B}_1]\!], [\![\mathcal{B}_2]\!], \ldots, [\![\mathcal{B}_k]\!]) \in P\}$.
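The semantics [[B]] made concrete, as an added example that is not from the paper: the evaluation (ϕ)_v and the reset application (η)_v are implemented as defined above, and a constructed store-free boolean automaton (an n-bit counter) is expanded into the reachable part of [[B]], which exhibits the exponential gap between the size of B and that of [[B]] that the rest of this section bounds. All names are this example's own; variable indices are 0-based, and the singleton store (predicate true, operation id) is left implicit.

```python
# Added example (not from the paper): the semantics of a boolean automaton,
# i.e. the expansion [[B]] over Q x {0,1}^n, computed for a constructed n-bit
# counter with no store (the store's predicate true and operation id are left
# implicit).  Variables are 0-indexed; a valuation is the tuple v-bar.
from itertools import product


def evaluate(phi, v):
    """(phi)_v by the paper's induction.  Formulas are nested tuples:
    ("top",), ("var", i), ("not", f), ("or", f, g), ("and", f, g)."""
    kind = phi[0]
    if kind == "top":
        return 1
    if kind == "var":
        return v[phi[1]]
    if kind == "not":
        return 1 - evaluate(phi[1], v)
    if kind == "or":
        return max(evaluate(phi[1], v), evaluate(phi[2], v))
    if kind == "and":
        return min(evaluate(phi[1], v), evaluate(phi[2], v))
    raise ValueError("unknown formula kind: %r" % (kind,))


def apply_reset(eta, v):
    """(eta)_v: the set of successor valuations.  Components of eta are
    ("copy", j) for x_i := x_j, ("const", b) for x_i := b, ("nondet",)."""
    choices = []
    for comp in eta:
        if comp[0] == "copy":
            choices.append((v[comp[1]],))
        elif comp[0] == "const":
            choices.append((comp[1],))
        else:  # nondet(x_i): either value
            choices.append((0, 1))
    return {tuple(c) for c in product(*choices)}


def expand(transitions, q_init, v_init):
    """Reachable part of [[B]]: configurations (q, v-bar) and labelled edges.
    transitions are (q, guard, e, eta, q') tuples."""
    seen = {(q_init, v_init)}
    edges = set()
    frontier = [(q_init, v_init)]
    while frontier:
        q, v = frontier.pop()
        for q1, guard, e, eta, q2 in transitions:
            if q1 != q or evaluate(guard, v) != 1:
                continue  # the guard (g)_v must be 1
            for v2 in apply_reset(eta, v):
                edges.add(((q, v), e, (q2, v2)))
                if (q2, v2) not in seen:
                    seen.add((q2, v2))
                    frontier.append((q2, v2))
    return seen, edges


def conj(formulas):
    """Conjunction of a list of formulas (top for the empty list)."""
    out = ("top",)
    for f in formulas:
        out = ("and", out, f)
    return out


def counter_automaton(n):
    """Constructed boolean automaton with one control state 'count' and n
    variables read as an n-bit number (x_0 least significant).  Transition j
    fires when x_j is the lowest 0 bit: it sets x_j, clears the bits below and
    copies the rest, i.e. it increments.  When every bit is 1 the automaton
    moves to 'full'.  B has n + 1 transitions while [[B]] has 2**n + 1
    reachable configurations."""
    transitions = []
    for j in range(n):
        guard = conj([("var", i) for i in range(j)] + [("not", ("var", j))])
        eta = ([("const", 0)] * j + [("const", 1)]
               + [("copy", i) for i in range(j + 1, n)])
        transitions.append(("count", guard, "inc", eta, "count"))
    all_ones = conj([("var", i) for i in range(n)])
    keep = [("copy", i) for i in range(n)]
    transitions.append(("count", all_ones, "done", keep, "full"))
    return transitions


def blowup(n):
    """(number of transitions of B, number of configurations of [[B]])."""
    transitions = counter_automaton(n)
    configs, _ = expand(transitions, "count", (0,) * n)
    return len(transitions), len(configs)


if __name__ == "__main__":
    for n in (2, 4, 8):
        print(n, blowup(n))
```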
3.1 Lower bounds for boolean automata
We now show that the boolean version of an automaton problem is at least exponentially harder than the automaton problem itself. We first show that the boolean version of an automaton problem is at least as hard as its succinct version. This result will allow us to lift lower bound proofs uniformly. In order to carry out these steps, we need the technical definition of a two-step automaton, which follows next.
Two-step automaton. Informally, a two-step of an automaton $\mathcal{A}$ is a collection of automata, where an automaton in this collection is obtained by replacing each transition of $\mathcal{A}$ by two consecutive transitions having the same label as the original transition. In addition there are one or more transitions out of every state to some dead states. Formally, given a $(\mathcal{D}, \Sigma_E)$-automaton $\mathcal{A} = (Q, \delta, \Sigma_E)$, an automaton $\mathcal{A}' = (Q', \delta', \Sigma'_E)$ is in two-step($\mathcal{A}$) if there exists a set Y (disjoint from Q and δ) such that the following conditions hold. The set of states is $Q' = Q \cup \delta \cup Y$. For every transition $x = (q_1, p, e, o, q_2)$ in $\mathcal{A}$, there are transitions $(q_1, true, e, id, x)$ and $(x, p, e, o, q_2)$ in $\mathcal{A}'$. For every $q_1 \in Q$ and e, there are transitions $(q_1, true, e, id, q_2)$ in $\mathcal{A}'$ for one or more $q_2 \in Y$. Y represents the dead states. There are no other transitions.
For a k-automaton problem P, we define two-step(P) to be $\{(\mathcal{A}'_1, \mathcal{A}'_2, \ldots, \mathcal{A}'_k) \mid \mathcal{A}'_i \in \text{two-step}(\mathcal{A}_i) \text{ and } (\mathcal{A}_1, \mathcal{A}_2, \ldots, \mathcal{A}_k) \in P\}$. Given an automaton problem P, we say that P is two-step expansion invariant if two-step(P) ⊆ P. For example, consider an automaton problem P which corresponds to pairs of automata which are bisimilar. Then P is two-step expansion invariant, since whenever $\mathcal{A}$ and $\mathcal{B}$ are bisimilar and $\mathcal{A}' \in \text{two-step}(\mathcal{A})$ and $\mathcal{B}' \in \text{two-step}(\mathcal{B})$, $\mathcal{A}'$ and $\mathcal{B}'$ are bisimilar.
The following important lemma states that the succinct version of an automaton problem can be reduced to the boolean version of its two-step expansion.
Lemma 3. Let P be an automaton problem; then $s(P) \le^P_m b(\text{two-step}(P))$.
Proof (Sketch). We show the reduction for a 1-automaton problem; the extension to the k-automaton problem is direct. Let P be an automaton problem. Let $\mathcal{A} \in P$ be an automaton and C be its succinct representation. We construct, in time polynomial in |C|, the boolean automaton $\mathcal{B}$ such that $[\![\mathcal{B}]\!] \in \text{two-step}(\mathcal{A})$, i.e., $\mathcal{B} \in b(\text{two-step}(\mathcal{A}))$.
The circuit C computes the encoding of the automaton $\mathcal{A}$. The first half of the encoding consists of n 1s followed by zero or more 0s, where n is the number of bits used to represent the states in $\mathcal{A}$. The second half encodes the transition relation. Hence in time polynomial in |C|, we can compute the value of n and also fix the most significant bit of the input of C to 1 to obtain the circuit $C_\delta$ which encodes only the transition relation. From now on by C we mean $C_\delta$.
Let us name the inputs of C by variables in sets X, P, O, E and Y (we will assume the sets are ordered) such that the inputs corresponding to variables X are used to index the current state; similarly the inputs labelled by P, O, E and Y are used to index the predicates, operations, edge labels and next states of a tuple $(q_1, p, o, e, q_2)$, respectively. A valuation v to the variables corresponding to the tuple $(q_1, p, o, e, q_2)$ when input to C evaluates to 1 if and only if $(q_1, p, o, e, q_2)$ is a transition of $\mathcal{A}$. (Note that the numbers of variables in X and Y are the same.)
The idea is to encode the states of $\mathcal{A}$ using boolean variables and use the circuit to verify the transition relation. Since the boolean automaton can have boolean formulas as guards and not circuits, we verify the transition relation by converting the circuit $C(X, P, O, E, Y)$ to a boolean guard $\varphi(X, P, O, E, Y, I)$ such that for a transition $t = (q_1, p, o, e, q_2)$, $C(q_1, p, o, e, q_2) = 1$ iff $\varphi(q_1, p, o, e, q_2, I)$ is satisfiable, where I is a new set of variables.
However, to check the satisfiability of $\varphi(X, P, O, E, Y, I)$ we need to guess the values of the variables in I. Hence the boolean automaton $\mathcal{B}$ we construct has two states, namely the current and the guess state. There are six sets of variables X, P, O, E, Y and I. In the current state only the variables of X are non-zero and they correspond to an encoding of a state of the automaton $\mathcal{A}$. From the current state there is a transition to the guess state in which the variables in X remain intact but the variables in P, O, E, Y and I are all non-deterministically set to 0 or 1. The transition is labelled by the label encoded in E, the predicate is a boolean formula which checks that the edge label of the transition is the same as that encoded by the variables in E, and the operation is the identity operation id. The values of the variables in P, O, E and Y are used to encode the predicate, operation, edge label and the next state, whereas the variables in I correspond to the intermediate variables which arise in the conversion from the circuit to the boolean guard. From the guess state there is a transition to the current state only if the variables satisfy the guard $\varphi$. Then the values of the variables in Y are copied to the corresponding variables of X and all variables other than those in X are set to 0. The edge label, predicate and operation of this transition are those encoded in E, P and O respectively.
This construction takes time polynomial in |C| since the number of states is 2, the number of variables is less than |C| (it is just all the input variables and one intermediate variable for each gate in the circuit), and the boolean formula is polynomial in |C| (in fact linear) and can be computed in time polynomial in |C|. Hence the boolean automaton constructed is polynomial in |C| and the reduction takes polynomial time.
It is easy to see that $[\![\mathcal{B}]\!]$ is in two-step($\mathcal{A}$). Different valuations in the current state correspond to different states of $\mathcal{A}$. Every transition of $\mathcal{A}$ is mimicked in $[\![\mathcal{B}]\!]$ by two consecutive transitions, the first one going into the guess state and the other from the guess state to the current state. There are some transitions into the guess state which cannot be verified, in the sense that the values of the variables do not satisfy the guard on the transition to the current state; these occur as transitions from the current state to dead states (which are accommodated in the definition of two-step). □
The next theorem establishes the fact that the boolean version of an automaton problem is at least exponentially harder than the automaton problem.
Theorem 1. Let $C_1$ and $C_2$ be arbitrary complexity classes such that for every problem $P_1$ in $C_1$, $\text{long}(P_1)$ is in $C_2$. Then for every automaton problem $P_2$ which is two-step expansion invariant, if $P_2$ is hard for $C_2$ under PLT-reducibility, then $b(P_2)$ is hard for $C_1$ under polynomial time m-reducibility.
Proof. Let $P_1 \in C_1$; we need to show that $P_1 \le^P_m b(P_2)$. Since $\text{long}(P_1) \in C_2$ and $\text{long}(P_1) \le^{PLT}_m P_2$, we have from Lemma 1 that $s(\text{long}(P_1)) \le^P_m s(P_2)$. But $P_1 \le^P_m s(\text{long}(P_1))$ from Lemma 2. Hence $P_1 \le^P_m s(P_2)$. Now from Lemma 3, we have $s(P_2) \le^P_m b(\text{two-step}(P_2))$. But since $P_2$ is two-step expansion invariant we have $s(P_2) \le^P_m b(P_2)$. Hence $P_1 \le^P_m b(P_2)$. Therefore $b(P_2)$ is hard for $C_1$ under polynomial time m-reducibility. □
Note that if $C_1$ is an exponentially larger class than $C_2$, then they satisfy the condition in the above theorem. Hence if an automaton problem is hard for $C_2$, then its boolean version is at least exponentially harder.
3.2 Upper bounds for boolean automata
We can also show that solving the boolean version of an automaton problem is at most exponentially harder than the automaton problem itself.
Proposition 1. Let P be a k-automaton problem. If $t(n) \ge n$ and $P \in DTIME(t(n))$ (or $P \in NTIME(t(n))$) then the boolean automaton problem $b(P) \in DTIME(t(2^{O(n)}))$ (or $b(P) \in NTIME(t(2^{O(n)}))$, respectively). If $s(n) \ge \log(n)$ and $P \in DSPACE(s(n))$ (or $P \in NSPACE(s(n))$) then $b(P) \in DSPACE(s(2^{O(n)}))$ (or $b(P) \in NSPACE(s(2^{O(n)}))$, respectively).
As an example of the application of this proposition, the problem of deciding whether two boolean automata (with no store) are trace equivalent is easily seen to be in EXPSPACE, as the trace equivalence problem between finite automata is in PSPACE.
3.3 Results
We demonstrate that Theorem 1 and Proposition 1 can be used to show that for a variety of automata problems, there is exactly an exponential blowup in complexity when we consider inputs that are boolean automata. For the rest of this section, by pushdown boolean automata we shall mean boolean automata with a pushdown stack as the auxiliary store, and by boolean automata we shall mean boolean automata with no store.5
We can extend the results on bisimulation and simulation between finite state machines [25], bisimulation and simulation between visibly pushdown automata [26], bisimulation and simulation between finite state systems and pushdown automata [19, 17], and model-checking µ-calculus properties for higher order pushdown automata [20] to obtain the following result.
Theorem 2.
1. The problem of control state reachability in boolean automata is PSPACE-
complete.
2. The problem of bisimulation and simulation between boolean automata is
DEXPTIME-complete.
3. The problem of bisimulation and simulation between two boolean VPAs is
2-DEXPTIME-complete.
4. The problem of bisimulation and simulation between boolean automata and
pushdown boolean automata is 2-DEXPTIME-complete.
5. Model checking µ-calculus properties for order n higher order pushdown boolean automata is (n+1)-DEXPTIME-complete.
5 No store is modeled by taking the set of data values to be a singleton.
Proof (Upper bounds) First consider the problem of control state reachability in boolean automata. The problem of control state reachability for automata
is easily seen to be PTIME-equivalent to the problem P of deciding given an edge
label a, whether there is a trace from the initial state in which action a occurs.
(Note that P can be expressed as an automaton problem in our framework.)
Since the problem P is easily seen to be in NLOGSPACE for automata without
store, the control state reachability for automata is in NLOGSPACE. Hence we
get that control state reachability problem for boolean automata is in PSPACE.
The other upper bounds are obtained by direct application of Proposition
1 to the problem of bisimulation and simulation between automata which is
PTIME-complete [25], the problem of bisimulation and simulation between two
VPAs which is DEXPTIME-complete [26], the problem of bisimulation and simu-
lation between automata and pushdown boolean automata which is DEXPTIME-
complete [20], and model checking µ-calculus properties for order n higher order
pushdown automata which is n-DEXPTIME-complete.
(Lower bounds) It is easy to see that the problem of reachability in directed graphs is logtime⁶ reducible to P. Thus, the succinct version of graph reachability is polynomial time reducible to the problem b(two-step(P)) (see Lemma 3).
Now, the succinct version of graph reachability is PSPACE-hard [6]. Also P is
two-step expansion invariant. Therefore b(P) is PSPACE-hard which implies that
the control state reachability problem for boolean automata is PSPACE-hard.
Next consider the problem of deciding whether a boolean automaton is simu-
lated by a boolean pushdown automaton. Now, the problem of deciding whether
a finite state system is simulated by a pushdown automaton is DEXPTIME-
complete [17]. The DEXPTIME-hardness of the problem is shown by a reduction
from the problem of acceptance by a linear bounded alternating automaton. The
following theorem whose proof is sketched in the Appendix 6.1 states that the
reduction is in fact done in polylog time.
Theorem 3. The problem of simulation of a FS by a PDA is DEXPTIME-hard
with respect to polylog time reductions.
Since the problem of simulation is two-step expansion invariant, using Theo-
rem 1, we get that the problem of simulation of boolean automata by boolean
pushdown automata is 2-DEXPTIME hard. The other results can be obtained
similarly using Theorem 1 on the lower bounds of the automata versions of the
corresponding problems. □
The first two items have been established in [18, 24], albeit by different
methods. The last three items are new. The last item also implies that the µ-
calculus satisfiability of boolean automata is DEXPTIME-complete and that of
boolean pushdown automata is 2-DEXPTIME-complete since these correspond
to order 0 and 1 higher order pushdown boolean systems respectively.
6 Log-time reductions are a special kind of PLT reductions, where the reduction takes
place in O(log n) time, as opposed to poly-log-time.
4 Timed Automata
In this section we define timed automata with auxiliary stores and prove lower
and upper bounds for problems on them. Let C be a finite set of symbols,
henceforth called clocks. The set ΦC of clock constraints over C is defined by
φ ::= true | x ∼ k | x ∼ y | ¬φ | φ ∧ φ | φ ∨ φ, where k ∈ N stands for any non-negative integer and ∼ ∈ {=, <, >, ≤, ≥} is a comparison operator. A valuation for C is a function from the set of clocks to the set of non-negative reals, i.e., v : C → R≥0. Let ValSet(C) be the set of all valuations of C. We say that v satisfies φ,
denoted v |= φ, if φ is true when the variables of φ are replaced by their values,
i.e., x is replaced by v(x). We denote by v+ t the function mapping x to v(x)+ t,
and by v[X → 0] the function which maps x to 0 if x ∈ X and maps x to v(x)
otherwise.
Timed Automaton. Let D be an auxiliary store and ΣE be an alphabet. A
(D,ΣE)-timed automaton is a tuple (Q, C, δ, qi), where:
– Q is a finite set of control states,
– C is a finite set of clocks,
– $\delta \subseteq Q \times \Phi_C \times \widetilde{\mathit{pred}} \times \Sigma_E \times \widetilde{\mathit{op}} \times 2^C \times Q$ is a finite set of transitions, and
– qi ∈ Q is the initial state.
The semantics of a $(D, \Sigma_E)$-timed automaton $T = (Q, C, \delta, q_i)$ is described in terms of a $\Sigma_E \times \mathbb{R}_{\geq 0}$-labeled transition system $(S, \to_\delta, s_i)$, where $S = Q \times D \times \mathrm{ValSet}(C)$; $s_i = (q_i, d_i, v[C \to 0])$; and $(q_1, d_1, v_1) \xrightarrow{(a,t)}_\delta (q_2, d_2, v_2)$ iff there exists a transition $(q_1, \phi, p, a, o, C_1, q_2) \in \delta$ such that $v_1 + t \models \phi$, $(v_1 + t)[C_1 \to 0] = v_2$, $p(d_1)$ is true, and $o(d_1) = d_2$.
4.1 Lower bounds for timed automata with store
Our goal is to show that solving a timed automaton problem with store is at
least as hard as solving a corresponding boolean automaton problem with store.
First, we will construct a timed automaton Timedk(B) for a boolean automaton
B which has the following property. The construction of Timedk(B) is along the
lines of [18], and is omitted here for lack of space.
Lemma 4. Let B1 be a (D1, ΣE1)-boolean automaton and B2 be a (D2, ΣE2)-boolean automaton, and let k be the maximum of the number of variables in B1 and B2. Then Timedk(B1) and Timedk(B2) are bisimilar iff B1 and B2 are bisimilar. Also Timedk(B1) is simulated by Timedk(B2) iff B1 is simulated by B2.
Proof. The construction of $\mathrm{Timed}_k(B)$ is along the lines of [18]. Given a $(D, \Sigma_E)$-boolean automaton $B = (Q, \mathrm{Var}, \delta, q_i)$ with $|\mathrm{Var}| = n$, we define the $(D, \Sigma_E)$-timed automaton $\mathrm{Timed}_k(B) = (Q', C, \delta', q'_i)$ for $k \geq n$ as follows. $Q'$ is $(Q \times (\delta \cup (\delta \times [2k]) \cup \{\mathit{guess}\})) \cup \{q'_i\}$. $C = X \cup Y \cup Z \cup W \cup \{\mathit{step}\}$, where $X = \bigcup_{i=1}^{n} \{x_i\}$, $Y = \bigcup_{i=1}^{n} \{y_i\}$, $Z = \bigcup_{i=1}^{n} \{z_i\}$ and $W = \bigcup_{i=1}^{n} \{w_i\}$. The clocks in $X$ and $Y$ will be used to store the corresponding values of the boolean variables in the following way. If variable $v_i$ has value 0, then the corresponding clock values of $x_i$ and $y_i$ will be such that $x_i = y_i$, and if $v_i$ has value 1, then $x_i < y_i$.
Initially, the automaton has a transition from q′i to (qi, guess) with constraint step = 1. During this transition the clocks in X and Y are reset so that they represent the initial valuation vi of B. Unless specified otherwise, the constraint and predicate are taken to be true, the operator is taken to be id and the set of clocks to be reset is taken to be ∅.
From every state (q, guess), there is a transition to every (q, tr), where tr =
(q, g, p, e, o, r, q′), with constraint step = 1 ∧ guard where guard corresponds to
the boolean guard g, and step is reset to 0.
Next, the reset r of the transition tr of the boolean automaton is simulated by 2k steps of the timed automaton. (This is the reason for storing the transition tr of the boolean automaton to be simulated in the state.) Let the valuation of the boolean variables be changed from v to v′. At the beginning the clocks in X and Y store v as explained above. Note that if we do not reset these clocks then their values will always correspond to v. In the first n steps, the values of the clocks in Z and W are reset to values which correspond to v′. From a state (q, tr), there are one or two transitions to (q, tr, 1) having constraint step = 1, and similarly there are transitions from (q, tr, i − 1) to (q, tr, i) with constraint step = i, for each i ∈ {2, …, 2k}. The transition from (q, tr, i − 1) to (q, tr, i) resets the clocks zi and wi if required so that they correspond to the value v′(vi). (Note that the constraints may use the values of xj and yj.) For example, if there is an assignment vi := vj in r, then there will be two transitions which contain step = i, one of which checks if xj < yj and resets zi, and the other checks if xj = yj and resets both zi and wi. Similarly other resets of the boolean variables can be taken care of. In the time steps n < i ≤ k, no clocks are reset. In the next n steps, that is, k < i ≤ k + n, the clocks xi and yi are reset to “copy” the values of zi and wi in the following sense. If zi < wi then xi is reset to ensure that xi < yi, and if zi = wi, then both xi and yi are reset to ensure xi = yi. Again no clocks are reset in the steps k + n < i ≤ 2k. Finally there is a transition from (q, tr, 2k) to (q′, guess), with predicate p, operation o, and the clocks in Z ∪ W ∪ {step} are reset. All the above transitions are labelled by e. □
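As an added example (my own code, not from [18] or from the paper), the clock-pair encoding and the 2k-step reset gadget described above, simulated directly on clock valuations for a boolean automaton with no store; the assignment encoding ("const", b) / ("copy", j), the 0-based clock indices and the constructed run in gadget_demo are my own conventions.

```python
from fractions import Fraction

def initial_clocks(n):
    """All clocks of Timed_k(B) start at 0 (the initial valuation v[C -> 0]); indices are 0-based here."""
    clocks = {"step": Fraction(0)}
    for i in range(n):
        for name in ("x", "y", "z", "w"):
            clocks[f"{name}{i}"] = Fraction(0)
    return clocks

def delay(clocks, t):                 # let t time units pass: every clock advances by t
    return {c: v + t for c, v in clocks.items()}

def reset(clocks, names):             # reset the named clocks to 0, keep the others
    return {c: Fraction(0) if c in names else v for c, v in clocks.items()}

def read_bit(clocks, a, b):
    """A boolean stored in a clock pair: a = b encodes 0, a < b encodes 1.
    The relation survives delays, since both clocks advance at the same rate."""
    assert clocks[a] <= clocks[b], "encoding invariant: the first clock is never ahead"
    return 1 if clocks[a] < clocks[b] else 0

def write_bit(clocks, a, b, bit):
    """Reset only a to store 1 (a < b afterwards), both clocks to store 0 (a = b)."""
    return reset(clocks, {a} if bit else {a, b})

def encode_initial(bits):
    """Transition q'_i -> (q_i, guess), taken at step = 1: resets X and Y to encode the initial valuation."""
    clocks = delay(initial_clocks(len(bits)), Fraction(1))
    for i, b in enumerate(bits):
        clocks = write_bit(clocks, f"x{i}", f"y{i}", b)
    return clocks

def decode(clocks, n):
    return [read_bit(clocks, f"x{i}", f"y{i}") for i in range(n)]

def simulate_reset(clocks, assignments, k):
    """Execute one boolean transition's reset r through the 2k timed steps of the gadget.
    assignments[i] is ("const", b) or ("copy", j), meaning v'_i := b or v'_i := v_j. Every copy reads
    the OLD value: Z, W are written in steps 1..n and only copied back into X, Y in steps k+1..k+n."""
    n = len(assignments)
    assert n <= k
    # (q, guess) -> (q, tr): guard step = 1, then step is reset
    clocks = delay(clocks, 1 - clocks["step"])
    assert clocks["step"] == 1
    clocks = reset(clocks, {"step"})
    for i in range(1, 2 * k + 1):
        # (q, tr, i-1) -> (q, tr, i) carries the guard step = i, so exactly one time unit passes per step
        clocks = delay(clocks, Fraction(1))
        assert clocks["step"] == i
        if i <= n:                                   # steps 1..n: write v'_i into (z_i, w_i), reading X, Y
            kind, arg = assignments[i - 1]
            bit = arg if kind == "const" else read_bit(clocks, f"x{arg}", f"y{arg}")
            clocks = write_bit(clocks, f"z{i - 1}", f"w{i - 1}", bit)
        elif k < i <= k + n:                         # steps k+1..k+n: copy (z_j, w_j) into (x_j, y_j)
            j = i - k - 1
            clocks = write_bit(clocks, f"x{j}", f"y{j}", read_bit(clocks, f"z{j}", f"w{j}"))
        # in the remaining steps time passes and nothing is reset
    # (q, tr, 2k) -> (q', guess): reset Z, W and step (store predicate/operation omitted: no store here)
    return reset(clocks, {f"{name}{i}" for i in range(n) for name in ("z", "w")} | {"step"})

def gadget_demo(k=3):
    """Constructed run: v = (1, 0, 1), then the simultaneous assignment v_0 := v_1, v_1 := v_0, v_2 := 0
    (a swap, which needs the old values), then v_0 := v_2, v_1 := 1, v_2 := v_1."""
    clocks = encode_initial([1, 0, 1])
    start = decode(clocks, 3)
    clocks = simulate_reset(clocks, [("copy", 1), ("copy", 0), ("const", 0)], k)
    after_swap = decode(clocks, 3)
    clocks = simulate_reset(clocks, [("copy", 2), ("const", 1), ("copy", 1)], k)
    return start, after_swap, decode(clocks, 3)
```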
The above lemma allows us to conclude the following results from the lower
bound results of Theorem 2:
Theorem 4.
1. The problem of control state reachability in timed automata is PSPACE-hard.
2. The problem of bisimulation and simulation between timed automata is
DEXPTIME-hard.
3. The problem of simulation and bisimulation between two timed VPA is
2-DEXPTIME-hard.
4. The problem of bisimulation and simulation between timed automata and
pushdown timed automata is 2-DEXPTIME-hard.
5. Model checking timed µ-calculus properties for order n higher order pushdown timed systems is (n+1)-DEXPTIME-hard.
We note that the first result above has also been established in [3], while the sec-
ond result was established in [18]. The last three results are however new and (to
the best of our knowledge) do not appear in literature. As a byproduct we obtain
that model-checking timed µ-calculus formulas for timed systems and pushdown
timed systems is DEXPTIME-hard and 2-DEXPTIME-hard by instantiating n to
0 and 1 respectively in the last item.
4.2 Upper bounds for timed automata with store
We now show that the lower bounds for decision problems obtained in Section
4.1 are tight. As these decision problems are mainly concerned with simulation
and bisimulation, they can be converted to decision problems on game graphs
by standard techniques. The game graphs that will arise for timed automata
will be infinitely branching and we shall appeal to the region construction [3] in
order to deal with the “infinite branching.” We start by recalling the definition of regions and game graphs.
Regions. Regions were introduced in [3] in order to show that reachability in
timed systems is decidable. Given a finite set of clocks C and a natural number
nmax, we can define an equivalence relation on the set of real-valuations ValSet(C) as follows. For a real number r, let ⌊r⌋ denote the integer part of r and frac(r) the fractional part of r. We say that for valuations v1, v2 ∈ ValSet(C), v1 is
equivalent to v2 (denoted as v1 ≡ v2) iff for all c, c1, c2 ∈ C:
1. v1(c) > nmax iff v2(c) > nmax;
2. if v1(c), v2(c) ≤ nmax, then ⌊v1(c)⌋ = ⌊v2(c)⌋;
3. if v1(c), v2(c) ≤ nmax, then frac(v1(c)) = 0 iff frac(v2(c)) = 0; and
4. if v1(c1), v1(c2), v2(c1), v2(c2) ≤ nmax, then frac(v1(c1)) ≤ frac(v1(c2)) iff
frac(v2(c1)) ≤ frac(v2(c2)).
The equivalence relation ≡ is of finite index and the set of equivalence classes
under ≡ shall henceforth be denoted as Reg(nmax, C). The following proposition
states some well known facts about the region construction [3].
Proposition 2. Given two valuations v1 and v2 such that Reg(nmax, v1) = Reg(nmax, v2), we have the following:
1. For each t1 ∈ R there is a t2 ∈ R such that Reg(nmax, v1 + t1) = Reg(nmax, v2 + t2).
2. For any C0 ⊆ C we have Reg(nmax, v1[C0 → 0]) = Reg(nmax, v2[C0 → 0]).
3. For any clock constraint φ defined over C such that the maximum integer appearing in φ is less than nmax, we have v1 |= φ iff v2 |= φ.
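As an added worked example (my own code, not the paper's), the region equivalence just defined and the three items of Proposition 2 in Python; the nested-tuple encoding of clock constraints, the breakpoint enumeration in delay_candidates and the constructed valuations in region_demo are my own choices. It goes slightly beyond the text: reachable_by_delay reuses the same enumeration to decide whether a constraint becomes true by letting time pass, which by items 1 and 3 depends on the region alone.

```python
from fractions import Fraction
from math import floor

# Valuations are dicts clock -> Fraction (non-negative rationals are enough for the demonstration).

def region(v, nmax):
    """Hashable representative of Reg(nmax, v), following conditions 1-4 of the definition:
    per clock, "above nmax" or (integer part, fractional part is zero); plus the weak order
    of the fractional parts of the clocks that are <= nmax (which subsumes condition 3)."""
    per_clock, frac = [], {}
    for c in sorted(v):
        x = v[c]
        if x > nmax:
            per_clock.append((c, None))
        else:
            per_clock.append((c, floor(x), x == floor(x)))
            frac[c] = x - floor(x)
    groups = []  # bounded clocks grouped by equal fractional part, in increasing order
    for c in sorted(frac, key=frac.get):
        if groups and frac[groups[-1][0]] == frac[c]:
            groups[-1].append(c)
        else:
            groups.append([c])
    return tuple(per_clock), tuple(map(tuple, groups))

def same_region(v1, v2, nmax):
    return region(v1, nmax) == region(v2, nmax)

def delay(v, t):                      # v + t
    return {c: x + t for c, x in v.items()}

def reset(v, clocks):                 # v[clocks -> 0]
    return {c: Fraction(0) if c in clocks else x for c, x in v.items()}

# Clock constraints phi as nested tuples (my encoding): True, ("x", "<", 2), ("x", "<=", "y"),
# ("not", phi), ("and", phi, psi), ("or", phi, psi); comparison operators are =, <, >, <=, >=.
_CMP = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def satisfies(v, phi):                # v |= phi
    if phi is True:
        return True
    if phi[0] == "not":
        return not satisfies(v, phi[1])
    if phi[0] in ("and", "or"):
        l, r = satisfies(v, phi[1]), satisfies(v, phi[2])
        return (l and r) if phi[0] == "and" else (l or r)
    lhs, op, rhs = phi
    return _CMP[op](v[lhs], v[rhs] if isinstance(rhs, str) else Fraction(rhs))

def delay_candidates(v, nmax):
    """Finitely many delays witnessing every region reachable from v by letting time pass:
    Reg(nmax, v + t) can only change when some clock reaches an integer <= nmax + 1, so the
    breakpoints, the midpoints between consecutive ones and one point past the last suffice."""
    pts = {Fraction(0)}
    for x in v.values():
        pts.update(m - x for m in range(nmax + 2) if m - x >= 0)
    pts = sorted(pts)
    return pts + [(a + b) / 2 for a, b in zip(pts, pts[1:])] + [pts[-1] + 1]

def matching_delay(v1, t1, v2, nmax):
    """Item 1 of Proposition 2: for v1 == v2 and a delay t1, a t2 with Reg(v1 + t1) = Reg(v2 + t2)."""
    target = region(delay(v1, t1), nmax)
    return next((t2 for t2 in delay_candidates(v2, nmax)
                 if region(delay(v2, t2), nmax) == target), None)

def reachable_by_delay(v, phi, nmax):
    """A delay t with v + t |= phi, or None. By items 1 and 3 this depends only on Reg(nmax, v),
    provided every constant in phi is below nmax."""
    return next((t for t in delay_candidates(v, nmax) if satisfies(delay(v, t), phi)), None)

def valuation(**clocks):
    """Constructed sample input: clock values given as rational strings such as "3/10"."""
    return {c: Fraction(x) for c, x in clocks.items()}

def region_demo(nmax=3):
    """v1 and v2 lie in one region (same integer parts, frac(x) < frac(y) in both); v3 does not."""
    v1, v2 = valuation(x="3/10", y="17/10"), valuation(x="1/10", y="19/10")
    v3 = valuation(x="7/10", y="13/10")
    phi = ("and", ("x", "<", 1), ("x", "<", "y"))
    target = ("and", ("x", "<", 1), ("y", "=", 2))   # y reaches 2 while x is still below 1
    t1 = Fraction(3, 10)
    t2 = matching_delay(v1, t1, v2, nmax)
    fmt = lambda t: None if t is None else str(t)
    return {"v1_equiv_v2": same_region(v1, v2, nmax),
            "v1_equiv_v3": same_region(v1, v3, nmax),
            "t2": fmt(t2),
            "delay_equiv": same_region(delay(v1, t1), delay(v2, t2), nmax),
            "reset_equiv": same_region(reset(v1, {"x"}), reset(v2, {"x"}), nmax),
            "phi_agrees": satisfies(v1, phi) == satisfies(v2, phi),
            "reach_v1": fmt(reachable_by_delay(v1, target, nmax)),
            "reach_v3": fmt(reachable_by_delay(v3, target, nmax))}
```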
Game graphs. A game graph is a graph G = (VP ∪VO, E) such that VP ∩VO = ∅
and E ⊆ (VP × VO) ∪ (VO × VP ). The nodes in the set VP are called proponent
nodes and the nodes in the set VO are called opponent nodes. A binary relation
R ⊆ (VP × VP ) ∪ (VO × VO) is a game bisimulation if for every (v1, v2) ∈ R the
following two conditions hold:
1. For every $v'_1 \in V_P \cup V_O$ such that $(v_1, v'_1) \in E$, there is a $v'_2 \in V_P \cup V_O$ such that $(v'_1, v'_2) \in R$ and $(v_2, v'_2) \in E$.
2. For every $v'_2 \in V_P \cup V_O$ such that $(v_2, v'_2) \in E$, there is a $v'_1 \in V_P \cup V_O$ such that $(v'_1, v'_2) \in R$ and $(v_1, v'_1) \in E$.
The set of plays and strategies are defined in the standard way. It is well-
known that simulation and bisimulation between transition systems can be
stated as reachability games on appropriate game graphs.
Consider, for example, the problem of simulation of a timed transition system $G_0$ by $G_1$ (by a timed transition system we mean a transition system arising out of a timed automaton). A proponent node will correspond to a pair of configurations of $G_0$ and $G_1$. Since every move of $G_0$ needs to be simulated by $G_1$, the proponent moves are those of $G_0$. Consider the proponent node $(C_1, C_2)$ where $C_1$ is the configuration of $G_0$ and $C_2$ the configuration of $G_1$. Suppose $G_0$ takes a transition $(a, t)$ and moves to $C'_1$. Then, for $G_0$ to be simulated by $G_1$, $G_1$ has to take a transition $(a, t)$ from $C_2$. Therefore, the proponent move corresponding to $G_0$ transitioning to $C'_1$ leads us to the opponent node $(C'_1, C_2, a, t)$. Now if $G_1$ can take an $(a, t)$ transition from $C_2$ to $C'_2$ then we move from the opponent node $(C'_1, C_2, a, t)$ to the proponent node $(C'_1, C'_2)$. It is easy to see that $G_0$ is simulated by $G_1$ iff the proponent does not have a strategy to reach an opponent node from which there is no transition. The case of bisimulation is similar except that the proponent must have moves corresponding to both $G_0$ and $G_1$, and a proponent move corresponding to $G_0$ must be answered by a move of $G_1$ (and vice-versa).
We formalize these game graphs as timed game graphs.
Timed Game Graph. As already described above, simulation and bisimulation between timed automata can be cast as reachability games on game graphs. Given a $(D_0, \Sigma_E)$-timed automaton $G_0 = (Q_0, C_0, \delta_0, \hat{q}_0)$ and a $(D_1, \Sigma_E)$-timed automaton $G_1 = (Q_1, C_1, \delta_1, \hat{q}_1)$, let $(\mathsf{Conf}_0, \to_{\delta_0}, s^0_0)$ and $(\mathsf{Conf}_1, \to_{\delta_1}, s^0_1)$ be the timed transition systems associated with them. We assume that $C_0 \cap C_1 = \emptyset$ (we can always rename clocks). Let $\mathit{Players}$ be a non-empty subset of $\{0, 1\}$ and $\mathit{Moves} = \Sigma_E \times \mathbb{R}$. The timed game graph corresponding to $G_0$, $G_1$ and $\mathit{Players}$ is given by the game graph $G = (V_P \cup V_O, E)$ where:
1. $V_P = \{(\mathit{Players}, \mathit{Conf}_0, \mathit{Conf}_1) \mid \mathit{Conf}_i \in \mathsf{Conf}_i \text{ for } i = 0, 1\}$.
2. $V_O = P \times \mathsf{Conf}_0 \times \mathsf{Conf}_1 \times \mathit{Moves}$, where $P = \{1 - i \mid i \in \mathit{Players}\}$.
3. For $(v, w) \in V_P \times V_O$, $(v, w) \in E$ iff $v = (\mathit{Players}, \mathit{Conf}_0, \mathit{Conf}_1)$, $w = (P, \mathit{Conf}'_0, \mathit{Conf}'_1, (a, t))$ and there exists $i \in \mathit{Players}$ such that $\mathit{Conf}_i \xrightarrow{(a,t)}_{\delta_i} \mathit{Conf}'_i$, $P = \{1 - i\}$ and $\mathit{Conf}'_{1-i} = \mathit{Conf}_{1-i}$.
For $(w, v) \in V_O \times V_P$, $(w, v) \in E$ iff $w = (i, \mathit{Conf}_0, \mathit{Conf}_1, (a, t))$ and $v = (\mathit{Players}, \mathit{Conf}'_0, \mathit{Conf}'_1)$, where $\mathit{Conf}_i \xrightarrow{(a,t)}_{\delta_i} \mathit{Conf}'_i$ and $\mathit{Conf}'_{1-i} = \mathit{Conf}_{1-i}$.
So the question of simulation can be cast as a question on the game graph G.
Note that G is potentially infinite-branching and it is not immediately obvious
as to how to solve the game problem. We appeal to the region construction to
eliminate the infinite branching as follows.
The idea behind our construction is to use regions on the clocks of both systems (a similar strategy has been used in [8] to show that bisimulation between two timed systems without store is decidable). Let $n_{max}$ be some integer such that $n_{max}$ is greater than any integer occurring in the clock constraints of $\delta_0$ and $\delta_1$. Given $v_0 \in \mathrm{ValSet}(C_0)$ and $v_1 \in \mathrm{ValSet}(C_1)$, we write $\mathrm{Reg}(n_{max}, v_0, v_1)$ for the region $\mathrm{Reg}(n_{max}, v)$ (the equivalence class of $v$), where $v \in \mathrm{ValSet}(C_0 \cup C_1)$ is the valuation such that $v(c) = v_0(c)$ for $c \in C_0$ and $v(c) = v_1(c)$ for $c \in C_1$. Let $\mathit{Conf}_0 \in \mathsf{Conf}_0$ and $\mathit{Conf}_1 \in \mathsf{Conf}_1$ be configurations such that $\mathit{Conf}_0 = (q_0, d_0, v_0)$ and $\mathit{Conf}_1 = (q_1, d_1, v_1)$. For a proponent node $v = (\mathit{Players}, \mathit{Conf}_0, \mathit{Conf}_1)$, let $H(v) = (q_0, d_0, q_1, d_1, \mathrm{Reg}(n_{max}, v_0, v_1))$. For an opponent node $w = (i, \mathit{Conf}_0, \mathit{Conf}_1, (a, t))$, let $H(w) = (i, a, q_0, d_0, q_1, d_1, \mathrm{Reg}(n_{max}, v'_0, v'_1))$, where $v'_i = v_i + t$ and $v'_{1-i} = v_{1-i}$. We have the following result.
Theorem 5. The relation R = {(u1, u2) | H(u1) = H(u2)} is a game bisimula-
tion on the timed game graph.
Proof (Sketch). Clearly, $R \subseteq (V_P \times V_P) \cup (V_O \times V_O)$. We show that $R$ is a simulation (that $R^{-1}$ is also a simulation can be shown similarly). In other words, for any $(u_1, u_2) \in R$ and $(u_1, u'_1) \in E$, there is a $u'_2$ such that $(u_2, u'_2) \in E$ and $(u'_1, u'_2) \in R$. There are two cases: either $u_1, u_2 \in V_P$ or $u_1, u_2 \in V_O$. We consider the case where $u_1, u_2 \in V_P$ (the other case is similar).
Let $u_1 = (\mathit{Players}, \mathit{Conf}_0, \mathit{Conf}_1)$ and $u_2 = (\mathit{Players}, \mathit{Conf}_3, \mathit{Conf}_4)$. There are two possibilities for $u'_1$: either $u'_1 = (1, \mathit{Conf}'_0, \mathit{Conf}_1, (a, t))$, in which case $0 \in \mathit{Players}$ and $\mathit{Conf}_0 \xrightarrow{(a,t)}_{\delta_0} \mathit{Conf}'_0$, or $u'_1 = (0, \mathit{Conf}_0, \mathit{Conf}'_1, (a, t))$, in which case $1 \in \mathit{Players}$ and $\mathit{Conf}_1 \xrightarrow{(a,t)}_{\delta_1} \mathit{Conf}'_1$. We consider the case $u'_1 = (1, \mathit{Conf}'_0, \mathit{Conf}_1, (a, t))$ (the other case is similar).
Let $\mathit{Conf}_0 = (q_0, d_0, v_0)$, $\mathit{Conf}_1 = (q_1, d_1, v_1)$ and $\mathit{Conf}'_0 = (q'_0, d'_0, v'_0)$. As $\mathit{Conf}_0 \xrightarrow{(a,t)}_{\delta_0} \mathit{Conf}'_0$, there must be a transition $(q_0, \phi, p, a, g, C, q'_0) \in \delta_0$ such that $p(d_0)$ is true, $g(d_0) = d'_0$, $v_0 + t \models \phi$ and $(v_0 + t)[C \to 0] = v'_0$.
Now, as $H(u_1) = H(u_2)$, it must be the case that $\mathit{Conf}_3 = (q_0, d_0, v_3)$ and $\mathit{Conf}_4 = (q_1, d_1, v_4)$, where $v_3, v_4$ are such that $\mathrm{Reg}(n_{max}, v_0, v_1) = \mathrm{Reg}(n_{max}, v_3, v_4)$. Now, we have by Proposition 2 that there is a $t'$ such that $\mathrm{Reg}(n_{max}, v_0 + t, v_1 + t) = \mathrm{Reg}(n_{max}, v_3 + t', v_4 + t')$. This implies that $v_3 + t' \models \phi$. Hence, we have that $\mathit{Conf}_3 \xrightarrow{(a,t')}_{\delta_0} \mathit{Conf}'_3$ where $\mathit{Conf}'_3 = (q'_0, d'_0, v'_3)$ with $v'_3 = (v_3 + t')[C \to 0]$. We have that $(u_2, u'_2) \in E$ where $u'_2 = (1, \mathit{Conf}'_3, \mathit{Conf}_4, (a, t'))$.
Note that thanks to Proposition 2, $\mathrm{Reg}(n_{max}, (v_0 + t, v_1 + t)[C \to 0]) = \mathrm{Reg}(n_{max}, (v_3 + t', v_4 + t')[C \to 0])$. But $\mathrm{Reg}(n_{max}, (v_0 + t, v_1 + t)[C \to 0]) = \mathrm{Reg}(n_{max}, v'_0, v_1 + t)$ and $\mathrm{Reg}(n_{max}, (v_3 + t', v_4 + t')[C \to 0]) = \mathrm{Reg}(n_{max}, v'_3, v_4 + t')$. We get that $H(u'_1) = H(u'_2)$. Therefore, we get that $(u'_1, u'_2) \in R$ also. □
Hence, while solving the problems of simulation and bisimulation between timed automata, one can appeal to Theorem 5 and reduce the timed game problem to one without time by constructing the H-bisimulation quotient. Then a winning strategy for the proponent in the timed game graph is obtained by “mimicking” the strategy in the bisimulation quotient. For example, simulation between timed automata and pushdown timed automata can be converted to a game on a pushdown graph by constructing the H-bisimulation quotient of the graph G. Note that the description of the resulting pushdown game is, however, exponential in the size of the input, as one needs to construct the regions on the clocks. Further, since the reachability game can be solved in PTIME for finite game graphs and DEXPTIME for pushdown games, we obtain the following results.
Theorem 6.
1. The control state reachability problem of timed automata is in PSPACE.
2. The bisimulation and simulation problems between two timed automata are in DEXPTIME.
3. The problem of simulation and bisimulation between two timed VPA is in 2-DEXPTIME.
4. The bisimulation and simulation problems between a timed automaton and a pushdown timed automaton are in 2-DEXPTIME.
5. Model checking timed µ-calculus properties for order n higher order pushdown timed systems is (n+1)-DEXPTIME-complete.
The first two results are known [3, 18, 2] and the last three are new.
5 Conclusions
We established the exact complexity of the problems of reachability, simulation,
bisimulation, and µ-calculus model checking for timed automata, timed push-
down automata, and timed higher order pushdown automata. Our proof relied
on ideas from succinct representations to uniformly lift lower bound proofs for
finite automata, pushdown automata, and higher order pushdown automata to
the corresponding timed versions. As an intermediate step we established com-
plexity bounds on the verification of boolean automata (without stacks, with
stacks, and with higher order stacks), which are also important models that
arise in verification. Thus we re-established some previously known results for
timed automata using new proof techniques, and proved many new results about
timed pushdown automata and timed higher order pushdown automata.
References
1. P.A. Abdulla, J. Deneux, J. Ouaknine, and J. Worrell. Decidability and complexity
results for timed automata via channel machines. In International Colloquium on
Automata, Languages and Programming, pages 1089–1101, 2005.
2. L. Aceto and F. Laroussinie. Is your model checker on time? In International Symposium on the Mathematical Foundations of Computer Science, pages 125–136, 1999.
3. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science,
126:183–235, 1994.
4. R. Alur and P. Madhusudan. Visibly Pushdown Automata. In ACM Symposium
on Theory of Computation, pages 202–211, 2004.
5. Rajeev Alur and P. Madhusudan. Visibly pushdown languages. In László Babai, editor, STOC, pages 202–211. ACM, 2004.
6. J.L. Balcázar, A. Lozano, and J. Torán. The complexity of algorithmic problems on succinct instances. Computer Science, pages 351–377, 1992.
7. A. Bouajjani, R. Echahed, and R. Robbana. On the automatic verification of
systems with continuous variables and unbounded discrete data structures. In
International Conference on Hybrid Systems: Computation and Control, pages 64–
85, 1994.
8. K. Cerans. Decidability of bisimulation equivalence for parallel timer processes. In
International Conference on Computer-Aided Verification, pages 302–315, 1993.
9. R. Chadha and M. Viswanathan. Decidability results for well-structured transition systems with auxiliary storage. In 18th International Conference on Concurrency Theory, volume 4703, pages 136–150, 2007.
10. E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided
Abstraction-refinement. In International Conference on Computer-Aided Verifica-
tion, pages 154–169, 2000.
11. Z. Dang. Pushdown timed automata: A binary reachability characterization and
safety verification. Theoretical Computer Science, 302:93–121, 2003.
12. M. Emmi and R. Majumdar. Decision Problems for the Verification of Real-
time Software. In International Conference on Hybrid Systems: Computation and
Control, pages 200–211, 2006.
13. H. Galperin and A. Wigderson. Succinct representations of graphs. Information
and Computation, 56:183–198, 1983.
14. S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In International Conference on Computer-Aided Verification, pages 72–83, 1997.
15. Matthew Hague and C.-H. Luke Ong. Symbolic backwards-reachability analysis
for higher-order pushdown systems. In Helmut Seidl, editor, FoSSaCS, volume
4423 of Lecture Notes in Computer Science, pages 213–227. Springer, 2007.
16. D. Harel, O. Kupferman, and M.Y. Vardi. On the complexity of verifying con-
current transition systems. In International Conference on Concurrency Theory,
pages 258–272, 1997.
17. A. Kucera. On simulation-checking with sequential systems. In Asian Computing
Science Conference, pages 133–148, 2000.
18. F. Laroussinie and P. Schnoebelen. The State Explosion Problem from Trace to Bisimulation Equivalence. In 3rd International Conference on Foundations of Software Science and Computation Structures, pages 192–207, 2000.
19. R. Mayr. On the complexity of bisimulation problems for pushdown automata. In
IFIP TCS, pages 474–488, 2000.
20. C.-H. Luke Ong. On model checking trees generated by higher order recursion
schemes. In IEEE Symposium on Logic in Computer Science, pages 81–90, 2006.
21. J. Ouaknine and J. Worrell. On the language inclusion problem for timed automata:
Closing a decidability gap. In IEEE Symposium on Logic in Computer Science,
pages 54–63, 2004.
22. C. Papadimitriou and M. Yannakakis. A note on succinct representation of graphs.
Information and Computation, 71:181–185, 1986.
23. A. Rabinovich. Complexity of equivalence problems for concurrent finite agents.
Information and Computation, 139(2):111–129, 1997.
24. A. Rabinovich. Symbolic model checking for µ-calculus requires exponential time.
Theoretical Computer Science, 243(2):467–475, 2000.
25. Z. Sawa and P. Jancar. P-Hardness of Equivalence Testing on Finite-State Pro-
cesses. In Conference on the Current Trends in Theory and Practice of Informatics,
pages 326–335, 2001.
26. J. Srba. Visibly pushdown automata: From language equivalence to simulation
and bisimulation. In International Workshop on Computer Science Logic, pages
89–103, 2006.
27. H. Veith. Succinct representation, leaf languages, and projection reductions. In
IEEE Conference on Computational Complexity, pages 118–126, 1996.
6 Appendix
6.1 Proof of Theorem 3
Proof (Sketch). The problem of “acceptance by alternating linear bounded automata” (LBA acceptance) is EXPTIME-hard with respect to poly-logtime reductions. We observe that the reduction from LBA acceptance to simulation between PDA processes and deterministic FS processes given in [17] can be done in poly-logtime. Given an alternating TM M and a word w, they construct a finite state machine F and a PDA P such that P simulates F iff M does not accept w. The idea behind the simulation is the following. The PDA wants to prove that M does not accept w and F wants to prove otherwise. So the PDA stores in its stack the current configuration. If the configuration consists of a universal state of M, then F gets to choose the next transition, and the PDA executes it by guessing the next configuration. F then might ask P to verify for it that the next configuration was valid. F does that by dictating P to pop the stack and nondeterministically asking it to verify some triple. (Note that the PDA does not gain by cheating because its aim is to show that M accepts w.) If the PDA is in an existential state then it gets to choose the next transition. If P ever reaches an accepting configuration, then it has no transitions out of the state, hence will not be able to simulate the moves of F. If P reaches a non-accepting configuration, then it simulates F thereafter.
To show that the reduction is poly-logtime we need to output the bits of F and P in poly-logtime. This is possible because to compute a particular bit of F or P, say whether there is a transition between two states with some label and some operation on the pushdown store, we need only local information. For example, to verify that a triple of the next configuration is consistent with the previous one, the PDA needs only to do local computation, like reading the three bits into its control state and then maintaining a counter which will enable it to reach the triple of the previous configuration. It is easy to see in this case that whether there is a transition between two states can be computed in poly-log time. (Verifying that the counter value was incremented might take O(log n) time, where n is the length |w|.)
Hence there is a poly-logtime reduction from LBA acceptance to simulation between a PDA and an FS. Therefore the problem is EXPTIME-hard with respect to poly-logtime reductions. □