Mc2022 Lec9 Slides

Model Checking
Complexity of LTL Model Checking

[Baier & Katoen, Chapter 5.2.1+5.2.2]
Joost-Pieter Katoen and Tim Quatmann
Software Modeling and Verification Group
RWTH Aachen, SoSe 2022
Joost-Pieter Katoen and Tim Quatmann Lecture #9 1/32

Topic
What is the theoretical complexity of LTL model checking?
Main Result:
[Sistla and Clarke, 1985]
The LTL model-checking problem is PSPACE-complete.

LTL Decision Problems
The LTL Model-Checking Problem (LTL)

Given a finite transition system TS and LTL-formula ϕ, is TS ⊧ ϕ?
The LTL Satisfiability Problem (LTLSAT )

Given LTL-formula ϕ, does there exist a transition system TS such that
TS ⊧ ϕ?
The LTL Validity Problem (LTLvalid )

Given LTL-formula ϕ, does TS ⊧ ϕ for all transition systems TS?
The validity problem for ϕ is equivalent to the satisfiability problem for ¬ϕ

Overview
1 co-NP Hardness of LTL Model Checking
2 PSPACE Completeness of LTL Model Checking
3 Complexity of LTL Satisfiability
4 Summary

co-NP Hardness of LTL Model Checking
Overview
4 Summary

Complexity Classes P and NP

Complexity Class co-NP

Co-NP Completeness

Complexity Classes P, NP, and co-NP

The Hamilton Path Problem

A Hamilton path of a (directed and finite) graph G = (V , E ) is a path
π = v1 . . . vn that visits each vertex of G exactly once, i.e.,
∀ v ∈ V . ∃ i ≤ n . (vi = v and ∀ j ≠ i . vj ≠ v ).
The Hamiltopn Path Problem (HAM)

Given a graph G, does G have a Hamilton path?
HAM is NP-complete.

Co-NP Hardness
The LTL model-checking problem (LTL) is co-NP-hard.
Proof.
▶ We show that LTL is NP-hard.
▶ To this end, we provide a polynomial reduction: HAM ≤poly LTL.
The complement LTL of the problem LTL asks:
/ ϕ?
Given finite TS and LTL-formula ϕ, is TS ⊧

Polynomial Reduction for HAM ≤poly LTL

Transform input G = (V , E ) for HAM to input (TS, ϕ) for LTL such that
G has a Hamilton path iff /ϕ

TS ⊧
▶ TS ≔ (V ⊎ {s⊥ } , {α} , → , V , V , L), where

▶ L(s⊥ ) ≔ ∅, ∀v ∈ V . L(v ) ≔ v , and
▶ → ≔ {(v , α, v ′ ) ∣ (v , v ′ ) ∈ E } ∪ {(s, α, {s⊥ }) ∣ s ∈ V ⊎ {s⊥ }}

Polynomial Reduction for HAM ≤poly LTL

Transform input G = (V , E ) for HAM to input (TS, ϕ) for LTL such that
G has a Hamilton path iff /ϕ

TS ⊧
▶ TS ≔ (V ⊎ {s⊥ } , {α} , → , V , V , L), where

▶ L(s⊥ ) ≔ ∅, ∀v ∈ V . L(v ) ≔ v , and
▶ → ≔ {(v , α, v ′ ) ∣ (v , v ′ ) ∈ E } ∪ {(s, α, {s⊥ }) ∣ s ∈ V ⊎ {s⊥ }}
▶ ϕ = ¬( ⋀ ◇v ∧ □(v ⇒ ◯ □ ¬v ))
v ∈V
∣TS∣ + ∣ϕ∣ is linear in the size of the graph ∣G∣

PSPACE Completeness of LTL Model Checking
Overview
4 Summary

The Complexity Class PSPACE
PSPACE is the set of decision problems that can be solved by a

deterministic, polynomially-bounded space algorithm.
Known facts:
▶ NP ⊆ PSPACE
▶ PSPACE = co-PSPACE (this holds for any deterministic complexity
class)
▶ PSPACE = NPSPACE (Savitch theorem)
Due to Savitch’s theorem, to show L is in PSPACE, it suffices to provide a

nondeterministic, polynomially-bounded space algorithm for L.

Complexity Landscape
PSPACE is the set of decision problems that can be solved by a

deterministic, polynomially-bounded space algorithm
Complexity Landscape

Existential LTL Model-Checking

The Existential LTL Model-Checking Problem (∃LTL)
Given a finite transition system TS and LTL-formula ϕ, is there some path
π in TS such that π ⊧ ϕ?
/ ϕ.
▶ Recall: LTL asks if TS ⊧
▶ The problems ∃LTL and LTL are equally hard:
(TS, ϕ) ∈ ∃LTL iff ∃π ∈ Paths(TS) . π ⊧ ϕ

/ ¬ϕ
iff ∃π ∈ Paths(TS) . π ⊧
iff not (∀π ∈ Paths(TS) . π ⊧ ¬ϕ)
/ ¬ϕ
iff TS ⊧
iff (TS, ¬ϕ) ∈ LTL

LTL Model Checking is PSPACE-complete
Proof.
We prove that the existential LTL model-checking problem (∃LTL) is
(a) in NPSPACE (and thus in PSPACE), and
(b) PSPACE-hard.
It follows that ∃LTL (and thus also LTL) is PSPACE-complete. The claim
follows from co-PSPACE = PSPACE.

∃LTL is in NPSPACE—Proof Idea
The Existential LTL Model-Checking Problem (∃LTL)

Given finite TS and LTL-formula ϕ, ∃π ∈ Paths(TS) . π ⊧ ϕ?
Goal:
Find a criterion for the existence of a path π in TS with π ⊧ ϕ that can be
checked non-deterministically in poly-space
Idea:
Use the GNBA Gϕ for ϕ
Problem: The size of Gϕ can be exponential in ∣ϕ∣

Criterion For ∃LTL Properties
There exists a path π in TS with π ⊧ ϕ iff there exist:
▶ an initial path fragment s0 s1 . . . sn . . . sn+m in TS, and

ÍÒÒ Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ñ Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò Ò ÒÏ
π
▶ a run B0 B1 . . . Bn+1 . . . Bn+m+1 in GNBA Gϕ for trace(π)

such that:
1. ⟨sn , Bn+1 ⟩ = ⟨sn+m , Bn+m+1 ⟩
2. if ψ1 U ψ2 ∈ Bn+1 ∪ . . . ∪ Bn+m then ψ2 ∈ Bn+1 ∪ . . . ∪ Bn+m
∣cl(ϕ)∣ ∣cl(ϕ)∣
3. n ≤ ∣S∣ ⋅ 2 and m ≤ ∣S∣ ⋅ 2 ⋅ ∣ϕ∣

NPSPACE Algorithm for the ∃LTL Problem (1)
1. Guess nondeterministically a path:

ω
π = u0 u1 . . . un−1 (un . . . un+m ) in TS ⊗ Gϕ
where GNBA Gϕ is obtained as explained in the previous lecture
2. Check whether the guessed path is accepted by Gϕ

PSPACE Algorithm for the ∃LTL Problem (2)

▶ Guess natural numbers n, m ≤ ∣S∣ ⋅ 2∣cl(ϕ)∣ ⋅ ∣ϕ∣ such that m > 0
▶ Guess initial path fragment π = s0 s1 . . . sn . . . sn+m in TS
▶ Guess subsets B0 , . . . , Bn , . . . , Bn+m+1 of cl(ϕ)
▶ Check whether the following three conditions hold:

1. ⟨sn , Bn+1 ⟩ = ⟨sn+m , Bn+m+1 ⟩
2. B0 . . . Bn . . . Bn+m+1 is an initial run for trace(π sn ) in Gϕ
3. {ψ2 ∣ ψ1 U ψ2 ∈ ⋃n<i≤n+m Bi } ⊆ ⋃n<i≤n+m Bi
If so, return “yes”, otherwise return “no”.
Guessing and Checking can be implemented in an interleaved way so that
the complete path does not need to be stored.

LTL Model Checking is PSPACE-complete
Proof.
We prove that the existential LTL model-checking problem (∃LTL) is
(a) in NPSPACE (and thus in PSPACE), and
(b) PSPACE-hard.
It follows that ∃LTL (and thus also LTL) is PSPACE-complete. The claim
follows from co-PSPACE = PSPACE.
We now show PSPACE-hardness of ∃LTL by a polynomial reduction from a
PSPACE-hard problem

Deterministic Turing Machines
A deterministic Turing machine (DTM) is a tuple M = (Q, Σ, δ, qI , qF )

with
▶ finite state space Q, initial state qI ∈ Q, accept state qF ⊆ Q
▶ tape alphabet Σ, and
▶ transition function δ∶ Q × Σ → Q × Σ × {L, N, R} such that
δ(qF , A) = (qF , A, N) for all A ∈ Σ.
▶ δ(q, A) = (p, B, L) means: at state q with current tape cell content A,

write B to the tape, go to state p, and move the cursor to the left
▶ A configuration is a triple c = (q, i, w ) ∈ Q × N × Σ∗ with i ≤ ∣w ∣
▶ The (unique) run on input word w ∈ Σ∗ is the infinite sequence of
configurations starting with (qI , 0, w ) as predetermined by the
transition function δ
▶ M accepts input word w ∈ Σ∗ iff the run on w reaches qF
A PSPACE-hard Problem
The polynomially bounded DTM-Acceptence Problem (polyDTM)

∗
Given a DTM M, input word w ∈ Σ , and a polynomial P∶ N → N, does M
accept w using at most P(∣w ∣) tape cells?
polyDTM is PSPACE-hard.
To show PSPACE-hardness of ∃LTL we now show
polyDTM ≤poly ∃LTL
by providing a transformation from an input (M, w , P) for polyDTM to an

input (TS, ϕ) for ∃LTL.

Transformation: (M, w , P) ↦ (TS, ϕ)

Transformation: (M, w , P) ↦ (TS, ϕ)

ϕ asserts that a trace of TS encodes the valid run of M on w :
ϕ = ϕstart ∧ ϕconf ∧ ϕδ ∧ ϕacc
▶ ϕstart encodes the start configuration—for w = A1 . . . An we get

n 2i−1 2i−1
ϕstart = ◯ qI ∧ ⋀i=1 ◯ Ai ∧ ⋀i=n+1 ◯ ␣
▶ ϕconf ensures a valid encoding of a sequence of configurations
▶ ϕδ encodes the transition function of M
▶ ϕacc = ◇qF encodes that the run is accepting
We get that (M, w , P) ∈ polyDTM iff σ ⊧ ϕ for some trace σ of TS.

Complexity of LTL Satisfiability
Overview
4 Summary

Complexity of LTL Satisfiability
LTL Satisfiability is PSPACE Complete

The LTL Satisfiability Problem (LTLSAT )
Given LTL-formula ϕ, does there exist TS such that TS ⊧ ϕ?
The LTL satisfiability problem is PSPACE-complete.
Proof (sketch).
▶ The satisfiability of LTL-formula ϕ amounts to checking whether
Words(ϕ) ≠ ∅ or—equivalently—Lω (Gϕ ) ≠ ∅.
▶ LTLSAT is in NPSPACE = PSPACE: guess and check an accepting run
of the GNBA Gϕ as in our proof for ∃LTL.
▶ LTLSAT is PSPACE-hard: show that ∃LTL ≤poly LTLSAT

Summary
Overview
4 Summary

Summary
Summary
▶ The LTL model-checking problem is PSPACE-complete
▶ The LTL satisfiability problem is PSPACE-complete
▶ The Hamiltonian path problem is polynomially reducible to the

complement of the LTL model-checking problem.

Summary
Next Lecture
Monday May 16, 10:30

Mc2022 Lec9 Slides

Uploaded by

Copyright:

Available Formats

You might also like

Mc2022 Lec9 Slides

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mc2022 Lec9 Slides

Uploaded by

Copyright:

Available Formats

Model Checking

Complexity of LTL Model Checking

Joost-Pieter Katoen and Tim Quatmann

Software Modeling and Verification Group

RWTH Aachen, SoSe 2022

Joost-Pieter Katoen and Tim Quatmann Lecture #9 1/32

What is the theoretical complexity of LTL model checking?

[Sistla and Clarke, 1985]

The LTL model-checking problem is PSPACE-complete.

Joost-Pieter Katoen and Tim Quatmann Lecture #9 2/32

The LTL Model-Checking Problem (LTL)

The LTL Satisfiability Problem (LTLSAT )

The LTL Validity Problem (LTLvalid )

The validity problem for ϕ is equivalent to the satisfiability problem for ¬ϕ

Joost-Pieter Katoen and Tim Quatmann Lecture #9 3/32

1 co-NP Hardness of LTL Model Checking

2 PSPACE Completeness of LTL Model Checking

3 Complexity of LTL Satisfiability

Joost-Pieter Katoen and Tim Quatmann Lecture #9 4/32

1 co-NP Hardness of LTL Model Checking

2 PSPACE Completeness of LTL Model Checking

3 Complexity of LTL Satisfiability

Joost-Pieter Katoen and Tim Quatmann Lecture #9 5/32

Complexity Classes P and NP

Joost-Pieter Katoen and Tim Quatmann Lecture #9 6/32

Complexity Class co-NP

Joost-Pieter Katoen and Tim Quatmann Lecture #9 7/32

Joost-Pieter Katoen and Tim Quatmann Lecture #9 8/32

Complexity Classes P, NP, and co-NP

Joost-Pieter Katoen and Tim Quatmann Lecture #9 9/32

The Hamilton Path Problem

The Hamiltopn Path Problem (HAM)

Joost-Pieter Katoen and Tim Quatmann Lecture #9 10/32

The LTL model-checking problem (LTL) is co-NP-hard.

The complement LTL of the problem LTL asks:

Joost-Pieter Katoen and Tim Quatmann Lecture #9 11/32

Polynomial Reduction for HAM ≤poly LTL

G has a Hamilton path iff /ϕ

▶ TS ≔ (V ⊎ {s⊥ } , {α} , → , V , V , L), where

Joost-Pieter Katoen and Tim Quatmann Lecture #9 12/32

Polynomial Reduction for HAM ≤poly LTL

G has a Hamilton path iff /ϕ

▶ TS ≔ (V ⊎ {s⊥ } , {α} , → , V , V , L), where

∣TS∣ + ∣ϕ∣ is linear in the size of the graph ∣G∣

Joost-Pieter Katoen and Tim Quatmann Lecture #9 12/32

1 co-NP Hardness of LTL Model Checking

2 PSPACE Completeness of LTL Model Checking

3 Complexity of LTL Satisfiability

Joost-Pieter Katoen and Tim Quatmann Lecture #9 13/32

The Complexity Class PSPACE

PSPACE is the set of decision problems that can be solved by a

Due to Savitch’s theorem, to show L is in PSPACE, it suffices to provide a

Joost-Pieter Katoen and Tim Quatmann Lecture #9 14/32

PSPACE is the set of decision problems that can be solved by a

Joost-Pieter Katoen and Tim Quatmann Lecture #9 16/32

Existential LTL Model-Checking

▶ The problems ∃LTL and LTL are equally hard:

(TS, ϕ) ∈ ∃LTL iff ∃π ∈ Paths(TS) . π ⊧ ϕ

Joost-Pieter Katoen and Tim Quatmann Lecture #9 17/32