On the expressiveness of QCTL Amélie David

Amélie David

, François Laroussinie

, and Nicolas Markey

1 LSV – CNRS, ENS Cachan & University Paris-Saclay – France 2 IRIF – University Paris Diderot & CNRS – France

Abstract

QCTL extends the temporal logic CTL with quantification over atomic propositions. While the algorithmic questions for QCTL and its fragments with limited quantification depth are well-understood (e.g. satisfiability of Q^kCTL, with at most k nested blocks of quantifiers, is (k+1)-EXPTIME-complete), very few results are known about the expressiveness of this logic.

We address such expressiveness questions in this paper. We first consider thedistinguishing power of these logics (i.e., their ability to separate models), their relationship with behavioural equi- valences, and their ability to capture the behaviours of finite Kripke structures with so-called characteristic formulas. We then consider their expressive power (i.e., their ability to express a property), showing that in terms of expressiveness the hierarchy Q^kCTL collapses at level 2 (in other terms, anyQCTLformula can be expressed using at most two nested blocks of quanti-

fiers).

Digital Object Identifier 10.4230/LIPIcs.CONCUR.2016.28

1 Introduction

Temporal logics have been introduced in computer science in the late 1970’s [18]; they provide a powerful formalism for specifying and verifying (e.g. model checking [19, 3]) correctness properties of (finite-state models representing) evolving systems. Various kinds of temporal logics have been defined, with different expressiveness, succinctness and algorithmic properties.

For instance, theComputation Tree Logic(CTL) expresses properties of the computation tree of the system under study; it has rather limited expressive power (it cannot express fairness), but enjoysPTIME-complete model-checking. TheLinear-time Temporal Logic(LTL) expresses properties of a single execution at a time. It can express fairness along that single execution, but cannot express properties of other possible executions;LTLmodel checking is PSPACE-complete. The logicCTL^∗ combinesCTLandLTL, offering better expressiveness thanCTLwith the same (theoretical) complexity asLTL.

In terms of expressiveness,CTL^∗ still has some limitations: in particular, it lacks the ability ofcounting. For instance, it cannot express that an event occurs (at least) at every even position along a path, or that a state has two successors. In order to cope with this, temporal logics have been extended with propositional quantifiers [20]: those quantifiers allow for adding fresh atomic propositions in the model before evaluating the truth value of a temporal- logic formula. That a state has at least two successors can then be expressed (inquantified CTL, hereafter writtenQCTL) by saying that it is possible to label the model with atomic propositionpin such a way there is a successor that is labelled withpand one that is not.

The algorithmic questions aboutQCTLhave been extensively studied [14, 7, 17, 8, 4, 15], with various semantic assumptions (in particular, depending on whether the labellings refer to the finite-state model or to its execution tree). In the latter case, model-checkingQCTL

Work supported by STREP project Cassting (FP7-601148) and ERC Stg Grant EQualIS (FP7-308087).

with at mostknested propositional quantifiers (writtenQ^kCTL) has been shownk-EXPTIME- complete [15], which tends to indicate that propositional quantification substantially increases the expressiveness of the logic.

However, the expressiveness of QCTLhas remained mostly unexplored, except for a few (rather straightforward) results: QCTL is as expressive as¹ MSO; QCTL and QCTL^∗ are equally expressive;QCTL formulas can be written in prenex normal form. To the best of our knowledge, no results are known about the relative expressiveness of QCTL and its fragmentsQ^kCTLwith limited quantification height.

In this paper, we focus on the so-calledtree semantics, where quantification refers to the execution tree. The main contributions presented in this paper are the following:

all logics fromQ¹CTLto fullQCTL^∗ have the samedistinguishing power. We define a bisimulation equivalence that precisely corresponds to the distinguishing power of these logics.

given a regular treeT, one can build a characteristic formulaΦT inQ²CTLsuch that any treeT⁰ satisfying Φ_T is isomorphic to T. This completes the result of [2], where a construction of characteristic formulas in CTL was presented for the bisimulation equivalence.

all logics fromQ²CTLtoQCTL^∗have the same expressiveness, but Q¹CTLandQ¹CTL^∗ are less expressive. In particular, anyQCTLor QCTL^∗ formula can be translated into a formula inQ²CTL(i.e., with at most two nested blocks of propositional quantifiers)². The outline of the paper is as follows: we begin with setting up the necessary formalism in order to define QCTL^∗and its fragments. We then devote Section 3 to the study of the distinguishing power of Q^kCTL, showing in particular that if QCTLcan distinguish between two finite-state models, then alreadyQ¹CTLcan. We also developcharacteristic formulas in this section. Finally, Section 4 focuses on expressiveness, with as main result the fact that any QCTL^∗ formula has an equivalent formula inQ²CTL, butQ²CTLis strictly more expressive thanQ¹CTL^∗.

2 Definitions 2.1 Words and trees

Let Σ be a finite alphabet. A finite word over Σ is a finite sequencew= (wi)_1≤i≤k. The in- tegerkis the length ofw, usually denoted by|w|. We writeεfor the empty word, which is the unique word of size zero, and identify the alphabet Σ with the set of words of length 1 as long as it raises no ambiguity. For a non-empty wordw, we letlast(w) =w_|w|. The concatenation of two wordswandw⁰, denotedw·w⁰, is the wordz of size|w|+|w⁰|defined as

zi =wi when 1≤i≤ |w| zi =w⁰_i−|w| when|w|+ 1≤i≤ |w|+|w⁰|.

For a finite wordwand a finite set of wordsS, we let w·S ={w·w⁰|w⁰∈S}. A wordw is a prefix of a wordzif there exists a wordw⁰ such thatz=w·w⁰. This defines a partial order≤over words. An infinite word is the limit of an infinite increasing sequence of finite

1 This requires adequate definitions, since a temporal logic formula may only deal with the reachable part of the model, whileMSOhas a moreglobalpoint of view.

2 Notice that a similar result exists forMSOover trees: one alternation ofsecond-order quantifiersis enough to express anyMSOproperty. But while it relies on similar tree-automata techniques, our result does not directly follow from the result forMSO: the translatedMSOformula may containfirst-order quantifiers, which involves extra propositional quantifiers when translated toQCTL.

words; infinite words can equivalently be seen as infinite sequences of letters of Σ. The size of an infinite wordwis|w|= +∞. The notions of concatenation of a finite word with an infinite word, and of prefix of an infinite word, are easily obtained from the definitions for finite words.

We write Σ^∗for the set of finite words, and Σ^ω for the set of infinite words. Given an infinite wordw, we write Inf(w)⊆Σ for the set of letters that appear infinitely many times inw.

I Definition 1. Let D be a set and Σ be a finite alphabet. A Σ-labelled D-tree is a pairT =hT, li, where

T ⊆D^∗is a non-empty set of finite words onDsatisfying the following constraints: for any non-empty word x∈T, which can be written unequivocally as x=y·c withy ∈D^∗ andc∈D, the wordy is in T. Moreover, we require that for every word y∈T, there existsc∈D such thaty·c∈T.

l: T →Σ is a labelling function.

LetT =hT, libe a Σ-labelled tree. The elements ofT are thenodes ofT and the empty wordε, which is easily shown to necessarily belong to T, is the root of T. Given a node x∈T, we useSucc_T(x) (or Succ(x) when the underlying tree is clear) to denote the set of successors ofx, defined asx·Σ∩T. Thedegree ofx∈T, denoted d_T(x) (or d(x)), is the cardinality ofSucc(x). A tree hasbounded branching if the degree of all its nodes is bounded. Given a nodex∈T, we denote withTxthesubtreehTx, lxirooted atx, defined by Tx={y∈D^∗|x·y∈T}.

An (infinite)branch in T is an infinite increasing (for the prefix relation) sequence of nodes. A branch can be identified with an infinite word ρ = (xi)_i∈N over D; it can be associated with the infinite wordl(ρ) = (l(x_i))_i∈N over Σ. A branch ρcontains a nodex wheneverxis a prefix of ρ.

2.2 Kripke structures

Fix a finite setAPof atomic propositions.

IDefinition 2. AKripke structureis a tupleK=hV, E, `iwhereV is a finite set of vertices, E⊆V×V is a set of edges (requiring that for anyv∈V, there existsv<sup>0</sup>∈V s.t. (v, v<sup>0</sup>)∈E), and`:V →2^AP is a labelling function.

A path in a Kripke structure is a finite or infinite wordwoverV such that (w_i, w_i+1)∈E for all i < |w|. We write Path^∗_K andPath^ω_K for the sets of finite and infinite paths of K, respectively. Given a vertex v ∈ V, the execution tree of K from v is the 2^AP-labelled V-treeTK,v=hTK,v,`iˆ withTK,x ={w∈V<sup>∗</sup> |v·w∈Path<sup>∗</sup><sub>K</sub>} and ˆ`(v·w) = `(last(v·w)).

Notice that two nodeswandw⁰ of T_K,v for whichlast(w) =last(w⁰) give rise to the same subtrees. A tree is saidregular when it corresponds to the execution tree of some finite Kripke structure.

It will be convenient in some situations to allow Kripke structures to have infinitely many states. For instance, a tree can be seen as an infinite-state Kripke structure.

2.3 QCTL

and its fragments

This section is devoted to the definition of the logicQCTL^∗ and its fragments, and to the semantics of these logics.

2.3.1 Syntax and (tree) semantics

IDefinition 3. The syntax ofQCTL^∗ over a finite setAPof atomic propositions is defined by the following grammar:

QCTL^∗3ϕs, ψs::=q| ¬ϕs|ϕs∨ψs| Eϕp| Aϕp| ∃p. ϕs

ϕp, ψp::=ϕs| ¬ϕp|ϕp∨ψp|Xϕp|ϕpUψp

whereqandprange overAP. Formulasϕsandψsare calledstate formulas, whileϕp andψp

are path formulas. The size of a formulaϕ∈QCTL^∗, denoted |ϕ|, is the number of steps needed to builtϕ. The logicCTL^∗ is obtained fromQCTL^∗ by disallowing rule∃p. ϕs. The logicsQCTLandCTLare obtained by using path formulas built with the following grammar:

ϕp, ψp::=Xϕs|ϕsUψs.

Finally,LTLis the fragment ofCTL^∗ containing exactly one path quantifier³ (Eor A); it is easily seen that anyLTLformula can be written as Eϕor Aϕ, whereϕcontains no path quantifier.

QCTL^∗formulas are evaluated over (execution trees of) finite Kripke structures. We begin with defining the semantics ofCTL^∗ (andCTL). Given aCTL^∗ formulaϕ, an infinite 2^AP- labelledD-treeT =hT, li, a branchρand a node (i.e., a prefix)xofρ, we writeT, ρ, x|=ϕ to denote thatϕholds atxalongρ. This is defined inductively as follows:

T, ρ, x|=piffp∈l(x) T, ρ, x|=¬ϕiffT, ρ, x6|=ϕ

T, ρ, x|=ϕ∨ψiffT, ρ, x|=ϕorT, ρ, x|=ψ T, ρ, x|= Eϕp iff∃ρ⁰ containingx.T, ρ⁰, x|=ϕp

T, ρ, x|= Aϕp iff∀ρ⁰ containingx.T, ρ⁰, x|=ϕp

T, ρ, x|=Xϕ_p iff∃a∈D. x·a≤ρandT, ρ, x·a|=ϕ_p T, ρ, x|=ϕ_pUψ_p iff∃w∈D^∗. x·w≤ρand

T, ρ, x·w|=ψ_p and∀w⁰w.T, ρ, x·w⁰|=ϕ_p

In order to extend this definition toQCTL^∗, we first introduce some extra definitions. For a functionl:T →2^APandP ⊆AP, we writel∩Pfor the function defined as (l∩P)(q) =l(q)∩P for allx∈T. Now, forP ⊆AP, two treesT =hT, liandT⁰=hT⁰, l⁰iare saidP-equivalent (denoted byT ≡P T⁰) ifT =T⁰, andl∩P =l⁰∩P. Then:

T, ρ, x|=∃p. ϕ_s iff∃T⁰≡_AP\{p}T s.t. T⁰, ρ, x|=ϕ_s.

It is easily noticed that for any state formulaϕ_sof QCTL^∗and any two paths ρandρ⁰ containing node x, we have T, ρ, x |= ϕs if, and only if, T, ρ⁰, x |= ϕs. In view of this, we defineT, x|=ϕ_s in the natural way. Finally, for a Kripke structureK and one of its statesv, we write K, v|=ϕs wheneverT_K,v, ε|=ϕs.

In the sequel, we use standard abbreviations such as>=p∨ ¬p,⊥=¬ >,Fϕ=>Uϕ, Gϕ=¬F¬ϕand∀p. ϕs=¬∃p.¬ϕs. Also note that Aϕp=¬E¬ϕp.

3 It is more usual to assume thatLTLformulas contain no path quantifier at all; our definition allows for a more uniform presentation, and fits better in our branching-time setting, making it clear howLTL formulas are to be evaluated (existentially or universally) in a tree.

s t u⁰ s⁰ t⁰

Figure 1Two Kripke structures (with empty labelling functions) withsands⁰ being bisimilar

2.3.2 Discussion on the semantics.

Several other natural semantics coexist in the literature for propositional quantifiers. Above we have introduced thetree semantics: ∃p. ϕholds true when there exists ap-labelling of theexecution treeof the Kripke structure under whichϕholds. Therefore two nodes (in the tree) corresponding to the same state of the Kripke structure may be labelled differently with the newly-quantified propositions. For example, in the Kripke structure depicted at Fig. 1, we have: s|=∃p.(EXp∧EX EX¬p), because it is possible to label only the first occurrence oftwithpin the execution tree of this Kripke structure.

Another classical semantics (called the structure semantics) consists in labelling the Kripke structure directly. With this semantics,∃p.(EXp∧EX EX¬p) would not hold true in statesof Fig. 1: all the occurrences of statetin the execution tree would be labelled the same way.

These two semantics have very different properties (see [15] for a deeper study of these semantics). But none of them makeQCTLbisimulation-invariant⁴: as we exemplify in the next section, under both semantics,QCTLcan count the number of successors of a given state (and thus distinguish between statessands⁰ in Fig. 1, even though they are bisimilar).

Finally, let us mention theamorphous semantics[7], where∃p. ϕ holds true at a states in some Kripke structureKif, and only if, there exists some Kripke structureK⁰ with a state s⁰ such thatsands⁰ are bisimilar and for which there exists ap-labeling makingϕhold true ats⁰. With this semantics, the logic is insensitive to unwinding, and more generally it is bisimulation-invariant (for example, statessands⁰of Fig. 1 satisfy the same formulas). This semantics corresponds to bisimulation quantification as studied in [5, 9].

2.3.3 Fragments of QCTL

.

The central topic of this paper is the hierarchy of temporal logics defined by restricting quantifications in QCTL formulas. We define this hierarchy here. Given QCTL^∗ (state) formulas ϕ and (ψi)i, and atomic propositions (pi)i that appear free in ϕ (i.e., not as quantified propositions), we writeϕ[(pi→ψi)i] (orϕ[(ψi)i] when (pi)i are understood from the context) for the formula obtained fromϕby replacing each occurrence of pi withψi. Given two sublogicsL₁ andL₂ ofQCTL^∗, we writeL₁[L₂] ={ϕ[(ψi)_i]|ϕ∈L₁, (ψ_i)_i∈L₂}.

For a setP ={p_i|1≤i≤k} ⊆AP, we defineblocks of existential quantifiers∃P. ϕas a shorthand for∃p1. ∃p2. . .∃pk. ϕ. We write EQ¹CTLfor the set of formulas of the form

∃P. ϕforϕ∈CTL, and defineQ¹CTL=CTL[Q¹CTL] andQ^k+1CTL=Q¹CTL[Q^kCTL].

IExample 4. Consider formula

E₁Xϕ= EXϕ∧ ¬ ∃p. EX(p∧ϕ)∧EX(¬p∧ϕ)

(where we assume thatpdoes not appear inϕ). ThisQ¹CTLformula states that there is exactly one successor satisfying ϕ: if there were two of them, then labelling only one of them withp

4 The notion of bisimulation is formally defined in Section 2.4.

would falsify the formula. Now, forP ={pi|1≤i≤k} ⊆AP, consider the following formula ϕ_dupl(P)=∃{q1, q2}. E1X(q1)∧E1X(q2)∧AX(¬q1∨ ¬q2)∧

^

p∈P

EX(q₁∧p)⇔EX(q₂∧p) .

where P∩ {q1, q2}=∅. This formula in Q²CTLholds true whenever there are two different successor nodes that carry the same atomic propositions of P. Formula ϕ_exp=∀P. ϕdupl(P)

inQ³CTLis then true in nodes that have at least2^k+ 1successors: it states that any labelling withP gives rise to at least two successors with the exact same labelling. Of course, a simpler formula could be obtained for expressing the existence of exactly k successors satisfying a given property; for instance:

EkXϕ=∃P. h ^

1≤i≤k

E1Xpi∧ ^

1≤i6=j≤k

AX¬ pi∧pj

∧AX _

1≤i≤k

pi

⇔ϕi .

This formula is inQ²CTL. We can express that at leastk successors satisfy ϕinQ¹CTLas follows:

E_≥kXϕ=∃P. ^

1≤i≤k

EX pi∧^

i⁰6=i

¬pi⁰

∧AX _

1≤i≤k

pi

⇒ϕ .

2.4 Expressive power and distinguishing power

In the sequel, we compare the relative expressiveness of the fragmentsQ^kCTL. Several criteria are classically used to compare the expressiveness of temporal logics: one can compare their ability to distinguish between models (the distinguishing power), their ability to express properties (the expressive power), or theirsuccinctness. In this paper, we only consider the former two notions, which we now formally define.

Distinguishing power. A logic Lis said to beat least as distinguishing as another logicL⁰ over a classMof models, denotedL ≥ML⁰ (we may omit to mentionMwhen it is clear from the context), whenever any two statessands⁰ of any two structuresK andK⁰ inM that areL-equivalent (i.e., for allϕ∈ L, it holds K, s|=ϕif, and only if, K⁰, s⁰ |=ϕ) are alsoL⁰-equivalent. Both logics are saidequally distinguishing, writtenL ≡_ML⁰, ifL ≥_ML⁰, andL⁰≥_ML; finally, Lisstrictly more distinguishingthan L⁰, denoted L>_ML⁰, whenever L ≥ML⁰, andL⁰6≥ML. In our setting, Mis the class of all finite Kripke structures.

For classical branching-time temporal logics, it is well known [10] thatCTL^∗,CTL, and the fragmentB(X) ofCTLnot involving theUntil modality, all have the same distinguishing power. Note also that the distinguishing power is often related to some behavioral equivalence.

Here we recall the classical notion of (strong) bisimulation: given two Kripke structuresK= hV, E, `iandK<sup>0</sup> =hV<sup>0</sup>, E<sup>0</sup>, `⁰i, a relationR⊆V×V⁰is a bisimulation when for any (v, v⁰)∈R, the following properties hold:

`(v) =`⁰(v⁰);

for any transition (v, w)∈E, there is a transition (v⁰, w⁰)∈E such that (w, w⁰)∈R;

for any transition (v⁰, w⁰)∈E, there is a transition (v, w)∈E such that (w, w⁰)∈R.

Two statesv andv⁰ are bisimilar (denoted byv∼v⁰) whenever there exists a bisimulation relationRsuch that (v, v⁰)∈R.

Bisimilarity characterizes the distinguishing power ofCTL^∗,CTLandB(X) for finitely- branching Kripke structures: in particular, two bisimilar states cannot be distinguished byCTL[10]. For instance, CTLcannot distinguish between a finite Kripke structure and its execution tree.

Expressive power. A logicLis said to beat least as expressiveas a logicL⁰ over a classM of models, which we denote by L M L⁰ (omitting to mentionM if it is clear from the context), whenever for any formula ϕ⁰ ∈ L⁰, there is a ϕ ∈ L such that ϕ and ϕ⁰ are equivalent overM. Both logics LandL⁰ are equally expressive, denotedLuML⁰, when L L⁰ andL⁰ L; finally,Lis strictly more expressive thanL⁰, writtenL _ML⁰, ifL L⁰ andL⁰6 L.

One easily notices that expressive power is finer than distinguishing power: being more distinguishing implies being more expressive. The converse is not true: for instance,CTL^∗ is strictly more expressive thanCTL[6], andCTLis strictly more expressive thanB(X).

3 Distinguishing power of QCTL

In this section, we prove the following:

ITheorem 5. Over finite Kripke structures,CTL<Q¹CTL≡Q^kCTL≡Q^kCTL^∗≡QCTL≡ QCTL^∗ fork≥1.

ThatCTL<Q¹CTLis easily observed, for instance using the Kripke structures of Fig. 1:

statessands⁰ are bisimilar, thus equivalent forCTL, but formula E1X>(“there is exactly one successor”) is true insand false in s⁰. We now prove the equivalences of Theorem 5.

3.1 Characteristic formulas with QCTL

As said above,CTLhas enough power to distinguish between two non-bisimilar states. More precisely, given a finite Kripke structureK and a statev, one can build a CTLformula α_K,v such that for any Kripke structureK⁰ and any statev⁰, we have: K⁰, v⁰ |=α_K,vif, and only if, v∼v⁰ [2].

ForQCTL andQCTL^∗, the appropriate behavioural equivalence is the isomorphism of the execution tree. Two treesT =hT, `iandT<sup>0</sup>=hT<sup>0</sup>, `⁰iare said isomorphic if there exists a bijectionϕ: T →T⁰ such that `<sup>0</sup>(ϕ(t)) = `(t) for allt, andϕ(ε_T) = ε_T⁰ andϕ(u) is a successor ofϕ(t) inT⁰ if, and only if,uis a successor oft inT. As we now explain,QCTL can capture the behaviour ofKup totree isomorphism: there exists a Q²CTLformula β_K,v such that for any treeT⁰, it holdsT⁰|=β_K,v if, and only if,TK,vandT⁰ are isomorphic.

Given a finite Kripke structureK=hV, E, `i, and a vertexv∈V ={v0, . . . , vn}, we define theQ²CTLformulaβ_K,v as follows:

β_K,v=∃V.h

v∧AG

n

^

i=0

vi ⇒ ^

j6=i

¬vj∧ ^

p∈`(vi)

p∧ ^

p∈AP\V∪`(vi)

¬p∧

¬E_≥d(vi)+1X> ∧ ^

(v_i,v_j)∈E

E1Xvj

i

Formulaβ_K,v holds true at the root of a treeT⁰ when it is possible to associate with every node ofT a statev ofKin such a way that this node will behave exactly asv(same labelling and same successors).

I Lemma 6. Let K = (V, E, `) be a finite Kripke structure, and v ∈ V. For any tree T<sup>0</sup>= (T<sup>0</sup>, `⁰), we have: T⁰, ε_T⁰ |=β_K,v if, and only if, TK,v andT⁰ are isomorphic.

Lemma 6 shows thatQ²CTLis powerful enough to distinguish between two finite Kripke structures that do not have isomorphic execution trees. Conversely:

ILemma 7. Two finite Kripke structures that have isomorphic execution trees cannot be separated byQCTL^∗.

3.2 Q

CTL, QCTL and QCTL

have the same distinguishing power

We show in this section thatQ¹CTLis sufficient to separate non-isomorphic trees.

IProposition 8. Q¹CTLhas the same distinguishing power asQCTLandQCTL^∗ over finite Kripke structures.

Proof. Given a finitetreeU, we can easily define aQ¹CTLformula γU expressing thatU is embedded as a subtree, in the following sense: any infinite treeT satisfyingγ_U contains a subtree that is isomorphic toU. WriteU ={pi|0≤i≤k} for the set of nodes ofU (with p0=ε_U being the root ofU). Formulaγ_U first existentially quantifies overp0, . . . , pk (seen here as atomic propositions), labelling nodes ofT with names of nodes ofU. Thenγ_U checks that

p₀ holds true initially;

at most onepi can be true at a time;

ifpj is a successor ofpi in U, then γ_U enforces AG(pi⇒EXpj);

the labelling function ofT matches that ofU.

Notice that we do not prevent any of thepi to hold true at several places, which would require an extra universal quantification. Obviously, any treeT containing a subtree isomorphic toU satisfiesγ_U. The converse also holds: assuming T has been labelled with{pi|0≤i≤k}, we extract a subtreeV as follows: the root of T (labelled with p₀) is in V, and for each nodeninV labelled with somepi, for each successorpj ofpi inU, we insert intoV exactly one successor ofnlabelled with pj (γ_U enforces the existence of such a node). It is easily seen thatV is isomorphic toU.

Now, if two regular trees are not isomorphic, there must exist a finite subtreeU of one of them that cannot be embedded into the second one. Thenγ_U will distinguish between these two trees. It follows thatQ¹CTLandQCTL(andQCTL^∗) have the same distinguishing

power over finite Kripke structures. J

3.3 Behavioural equivalences for Q

CTL

We conclude our study of the fragments of QCTL by defining intermediary notions of bisimulations which we prove characterize each level of the Q^kCTLhierarchy. We begin with defining those refined bisimulations. In this definition, for two labelling functions`:T →2<sup>AP</sup> andν:T →2<sup>P</sup> withP ⊆AP, we write`◦ν:T →2^AP for the labelling function mapping eacht∈T to [`(t)∩(AP\P)]∪ν(t).

I Definition 9. Consider two regular trees T = hT, `i and T<sup>0</sup> = hT<sup>0</sup>, `⁰i. A relation R⊆T×T⁰is ak-labelling bisimulation ifRis a bisimulation and eitherk= 0, ork >0 and for any (t, t⁰)∈R, for anyP ⊆APand any regular labellingν:T →2^P (resp.ν⁰:T →2^P), there exists a regular labelling ν⁰: T⁰ → 2^P (resp. ν:T → 2^P) such that there exists a (k−1)-labelling bisimulation in the treesU =hT, `∪νiandU<sup>0</sup>=hT<sup>0</sup>, `⁰∪ν⁰icontaining (t, t⁰).

We writet≈k t⁰ when there exists ak-labelling bisimulation containing (t, t⁰).

Notice that for allk, it holds≈_k+1⊆ ≈_k. The relation ≈_∞ can thus be defined as the limit of these sequences of relations.

In this definition, withregular labelling of a regular treehT, `i, we mean a labellingνsuch thathT, `◦νiis still regular. We let∃rp.ϕbe a newQCTL^∗modality where the quantification ranges only over regular labellings. Formally:

T, ρ, x|=∃rp.ϕiff∃ν:T →2^{p}. νis regular andhT, `◦νi, ρ, x|=ϕ.

Quantifying over regular labelling does not restrict the expressive power of our logics:

Kp s0

r a t

[p]

[2]

K⁰_p s⁰₀

r a t

[2] [p]

[2]

Figure 2The states s0 ands⁰₀ can be distinguished by E1X(E1Xa) (we use double arrows labelled with [k] to indicate the presence ofkarrows).

ILemma 10. Given a finite Kripke structure K, a state s, and aQCTL^∗ formula ∃p.ϕ, K, s|=∃p.ϕ iffK, s|=∃_rp.ϕ

Fix two Kripke structures K and K⁰, and a logic L (intended to range over Q^kCTL andQ^kCTL^∗). For any two statessands⁰, inK andK⁰ respectively, we writes≡_Ls⁰ when sands⁰ areL-equivalent (i.e., when they cannot be distinguished byL). It is easily noticed that ifL ⊆ L⁰, then ≡L⁰ ⊆ ≡L.

I Lemma 11. Over finite Kripke structures, for any k ≥ 0, the relations ≈k, ≡_QkCTL

and≡_QkCTL^∗ coincide. More precisely, for any two statessands⁰, s≈ks⁰ iffs≡_QkCTLs⁰ iffs≡_QkCTL^∗s⁰.

As a corollary of Lemmas 6, 7 and 11, we get:

I Corollary 12. For every k, k⁰, k⁰⁰ ≥ 2, the relations ≡_QkCTL^∗, ≡_Qk0

CTL, ≡QCTL, ≈k⁰⁰, and≈_∞ coincide.

4 Expressive power of QCTL

We now focus on the relativeexpressive power of theQ^kCTLhierarchy. Notice that being more distinguishing implies being more expressive. Hence we already haveCTL≺Q¹CTL.

In this section, we prove the following:

I Theorem 13. Over finite Kripke structures, CTL ≺ Q¹CTL Q¹CTL^∗ ≺ Q²CTL u Q^kCTLuQ^kCTL^∗uQCTLuQCTL^∗ fork≥2.

4.1 Q

CTL is strictly more expressive than Q

CTL and Q

CTL

In order to prove this, we have to exhibit a formula ofQ²CTLwith no equivalent formula inQ¹CTL. First consider the Kripke structures depicted at Fig. 2. Those structures depend on an integer parameterp. As stated in the following lemma, these structures cannot be distinguished by anyQ¹CTL^∗ formula of size less thanp:

ILemma 14. For the Kripke structures Kp andK⁰_p of Fig. 2, and for any ϕ∈Q¹CTL^∗ of size less thanpit holdsKp, s0|=ϕif, and only if, K_p⁰, s⁰₀|=ϕ.

ITheorem 15. We haveQ²CTLQ¹CTLandQ²CTLQ¹CTL^∗.

Proof. Q¹CTLis syntactically contained in Q²CTL, so thatQ²CTLQ¹CTL. Moreover, from Theorem 16, everyQCTL^∗ formula can be expressed inQ²CTL, i.e. Q²CTLQCTL^∗, which in particular entailsQ²CTLQ¹CTL^∗.

Moreover theQ²CTLformula E₁X(E₁Xa) (which states that there exists a unique path leading to a state where there is a unique successor verifying a) allows us to distinguish the trees of Fig. 2 (for anyp): indeed E1X(E1Xa) holds true ins0, but not ins⁰₀.

Now assume that E1X(E1Xa) have an equivalent formula inQ¹CTL^∗. On the one hand, for any p, this formula would holds true in s₀ and not ins⁰₀; on the other hand, it would have a given sizep0, and according to Lemma 14 it could not distinguish betweens0 ands⁰₀.

Hence E₁X(E₁Xa) has noQ¹CTL^∗ formula. J

4.2 QCTL and Q

CTL are equally expressive

In this section we prove that the hierarchiesQ^kCTLandQ^kCTL^∗ also collapse in terms of expressive power. We propose an effective translation, using symmetric tree automata, which proves the following result:

ITheorem 16. AnyQCTL^∗ formula can be translated into an equivalent formula inQ²CTL.

4.2.1 Symmetric tree automata

We consider here so-called symmetric tree automata (i.e., automata overunranked trees of arbitrary branching), borrowing formalism fromMSO-automata of [12, 13, 24], in order to prove that the expressiveness hierarchy of Q^kCTLcollapses: the proof consists in first translating any QCTL formula into a (symmetric) tree automaton, and then expressing acceptance of such a tree automaton as aQ²CTLformula. Using “classical” tree automata (as in [16]), the second step would not be possible (at least not easily), as QCTL cannot distinguish the different successors in a ranked tree; moreover, it would only provide an equivalent formula for a limited branching degree.

In the literature, a similar construction is done forMSO[23, 11, 1, 24]: MSO-automata are powerful tree automata whose transition functions are defined with first-order-logic formulas (where the states of the automata are used as unary predicates); this provides a powerful way of describing transition functions for unranked trees with arbitrary branching.

Then anyMSOformula ϕcan be turned into aMSO-automatonAϕ recognizing exactly the trees satisfyingϕ. Here we use an slightly different (but equally expressive) model of tree automata, which correspond toMSO-automata where transition functions are in a so-called basic form (see [24] for full details). Formally:

I Definition 17. Fix an alphabet Σ. A symmetric parity tree automaton over Σ is a tupleA=hQ, q0, δ,Ωiwhere

Qis the finite set of states of the automaton, and q0 is the initial state;

δ: Q×Σ→2^(N2

Q×2^2Q)is the transition function;

Ω :Q→N defines the parity acceptance condition.

An execution of such a tree automatonhQ, q₀, δ,Ωiover a Σ-labelledD-treeT =hT, liis a Q×T-labelled Q×D-treeT⁰ =hT⁰, l⁰isatisfying the following requirements:

l⁰(ε_T⁰) = (q₀, ε_T), and for any noden= (q_i, d_i)_1≤i≤k, it holdsl⁰(n) = (q_k,(d_i)_1≤i≤k);

for any noden= (qi, di)_1≤i≤k ofT⁰, there is a tuple (E, U)∈δ(l⁰(n)) such that, writing e = P

s∈2^QE(s) and viewing E as a multiset {Ej | 1 ≤ j ≤ e}, there exists a set

∆ ={d⁰_j|1≤j≤e}ofedistinct directions inD such that for all 1≤j ≤e, it holds (d_i)1≤i≤k·d⁰_j∈T,

for all 1≤j ≤e, and for allq∈Ej, noden·(q, d⁰_j) is inT⁰,

for all node (di)_1≤i≤k+1 inT such thatdk+1∈/ ∆, for there existsq∈U, such that for allq∈q, node n·(q, dk+1) is in T⁰.

A branch of an execution tree is accepting if its associated sequence of states ofAsatisfies the parity condition (the least priority appearing infinitely often is even). An execution tree is accepting whenever all its branches are. The languageL(A) of such an automatonAis the set of trees over whichAhas an accepting execution tree.

IExample 18. LetAP={a, b}andΣ = 2^AP. LetAbe the automaton with states{q0, q1, q2}, withq₀ being the initial state, and with

δ(q₀, σ) =

((q17→1;q0) ifa∈σ

(∅;q0) otherwise δ(q₁, σ) =











(∅;q2) if b /∈σ (q₁7→1;q₀) if a, b∈σ (∅;q0) otherwise

andδ(q2, σ) = (∅;q2)for any σ. The transitionδ(q0, a) = (q17→1;q0)means that when the automaton is visiting some node nin stateq₀, one successor ofn will be visited in stateq₁, and all the other nodes will be visited in state q0. Similarly,δ(q2, σ) = (∅;q2)indicates that when the automaton is in stateq₂, it will remain in stateq₂ when visiting all the successors of the node being visited; in this case,∅represents the empty multiset, or equivalently the constant function 0. In the end, assuming thatq₀ andq₁ are accepting (Büchi condition), this automaton accepts those tree in which any node labelled witha has a successor labelled withb.

As defined above, symmetric tree automata are alternating, in the sense that they may launch several computations along the same subtree of the input tree. A symmetric tree automaton is saidnon-alternating⁵when the transition function takes values in 2^(NQ×2Q). One may notice that in this case, any execution tree can be seen as aD-tree, instead of a Q×D-tree. The automaton of Example 18 is non-alternating.

It is not difficult to notice that symmetric tree automata are closed under union: given two symmetric tree automataAandB, there exists a tree automatonC accepting the union of the set of trees accepted byAandB. Similarly,non-alternating symmetric tree automata are easily seen to be closed under projection.

Symmetric tree automata can also be proven to be closed under complement; this however involves dualizing the transition function and writing it back under the expected basic form. Finally, any symmetric tree automaton can be transformed into a non-alternating one accepting the same set of trees. This can be achieved by a refined powerset construction, as explained in [24]. In the end:

ITheorem 19 ([24]). Any symmetric tree automaton can be made non-alternating. Non- alternating symmetric tree automata are closed under union, intersection, projection and complement.

4.2.2 From QCTL to symmetric tree automata

In this section, we briefly explain how a state formula ofQCTL^∗can be translated into a (non- alternating) symmetric tree automaton accepting the same tree language. This construction

5 The classical terminology for this class of automata isnon-deterministic, for historical reasons. We prefer usingnon-alternating, which better characterizes this class.

follows the same ideas as explained in [16]: in that paper however, the construction builds a “classical” tree automaton, running on bounded-branching ranked trees. The translation back to QCTLis not possible for such tree automata, asQCTLcannot distinguish between ranked successors of a node.

The construction is inductive, using Theorem 19 for the various rules defining state- formulas of QCTL^∗. The basic cases of atomic propositions and boolean operations are easy to handle. Existential quantification over atomic propositions is handled by projection:

given a tree automatonAϕcorresponding to aQCTL^∗ formulaϕ, the projection ofAϕ from alphabet 2^AP to alphabet 2^AP\{p} yields a tree automaton characterizing formula∃p. ϕ.

Finally, formulas of the form Eϕp and Aϕp are handled by considering word automata for the path formulaϕp: nestedQCTLsubformulas can be handled separately, by induction, and replaced by fresh atomic propositions. The resulting formula ˜ϕ_p is a pure LTLformula, and can be turned into a deterministic parity word automaton, which in turn is easily turned into a symmetric tree automaton for Eϕ˜_por Aϕ˜_p. The nestedQCTLsubformulas can then be included back by plugging the corresponding symmetric tree automata where needed.

Notice that this construction involves several exponential blowups in the size of the automaton and in the number of priorities. Since model checking Q^kCTL formulas is k-EXPTIME-complete, there is no hope of avoiding this non-elementary explosion in the construction of the automaton (because our translation back intoQ²CTLis linear in the size of the automaton, as we explain below).

4.2.3 From symmetric tree automata to Q

CTL

In this section, we turn a non-alternating symmetric tree automatonA= (Q, q0, δ,Ω) into a QCTLformula ΦAsuch thatT ∈ L(A)⇔ T, ε|= ΦA for any 2^AP-labelled treeT.

We begin with a preliminary lemma, which we believe is interesting in itself but will be used in a special case in the sequel.

ILemma 20. For anyLTL formula Eϕ, there exists a Q¹CTL formulaΨEϕ such that for all tree T, it holdsT, ε|= Eϕ if, and only if,T, ε|= Ψ_Eϕ.

Proof. Following classical techniques [22, 21], we associate withϕa Büchi (word) automaton B_ϕ =hQ, q₀, δ, Fi accepting exactly the set of infinite words in whichϕholds. The auto- matonBϕ is a non-deterministic word automaton, so that for anyq∈Qand anyσ∈2^AP, it holdsδ(q, σ)⊆Q. The acceptance condition is defined in terms of a setF ⊆Qof states:

an execution is accepting if some state ofF is visited infinitely many times.

We use this automaton in order to write a Q¹CTL-formula characterizing those trees containing (at least) one branch accepted byBϕ. The formula expresses that the tree can be (partially) labelled with states ofBϕin such a way that at least one branch is fully labelled with a sequence of states corresponding to an accepting run ofB_ϕ. Following this intuition, we use the states of Q={qi | 0≤i≤n=|Q| −1} as new atomic propositions. For the sake of readability, we define the following two shorthand formulas: for a subset S ⊆Q, formula λS is the propositional formulaW

q∈Sq, while forP, P⁰ ⊆AP, we write χP,P⁰ for V

p∈Pp∧V

p⁰∈P⁰¬p⁰. We then let ΨEϕ=∃q₀. . .∃q_n. ΨeEϕ, withΨeEϕ being defined as q₀∧

n

^

i=0

AG

q_i⇒

¬λ_Q\{qi}∧h _

P⊆AP⁰

(χ_P,AP⁰_\P∧EXλ_δ(qi,P)∧ ¬ EXλ_Q\δ(qi,P))i

∧

AG AF(¬λ_Q∨λ_F)

whereAP⁰ stands forAP\ {q₀, . . . , qn}. Formula ΨEϕ reads as follows: it is possible to label the input tree with propositions (qi)0≤i≤n in such a way that the root is labelled withq0, and any node labelled with someqi is not labelled with any other state and has a successor node labelled with a possible successor state ofBϕ. This in particular entails that at least one branchρis fully labelled with states ofQ. Finally, the second part of the formula asserts that any branch has to fulfill the Büchi acceptance condition or to contain unlabelled nodes.

In particular, the branchρidentified above satisfies the Büchi condition.

It is now easy to prove equivalence of Eϕand ΨEϕ:

consider a treeT =hT, liin which one branchρsatisfies ϕ: thenBϕ has an accepting run onl(ρ), and this run can be used to labelT with states ofB_ϕso as to fulfillΨe_Eϕ; conversely, ifT can be labelled with states ofQin order to fulfillΨeEϕ, then one branch has to be fully labelled, and each node along that branch will be labelled with exactly one state of Q. Formula Ψ_Eϕ then enforces that the labelling of consecutive nodes is coherent with the transition function ofBϕ, and that it satisfies the Büchi condition. J

We now describe our main construction: we consider a non-alternating symmetric parity tree automatonA=hQ, q0, δ,Ωi, whereQ={qi|0≤i≤n=|Q|−1}andδ(q, σ)⊆N^Q×2^Q is a set of pairs (E, U) with E:Q → N and U ⊆ Q. For such a pair (E, U), we write k(E) =P

q∈QE(q), and we letkmax be the largest such value appearing inδ. We also seeE as a multiset{Ei|1≤i≤k(E)}.

Reusing ideas (and notations) of the proof of Lemma 20, and withAP⁰=AP\ {q0, . . . , qn, p₁, . . . , p_kmax}, our formula Φ_A is written as ∃q₀. . .∃q_n.∃p₁. . .∃p_kmax. Φe_A, where Φe_A is defined as

q0∧

n

^

i=0

AGh qi ⇒

¬λ_Q\{qi}∧ _

P⊆AP⁰

χP,AP⁰\P∧ _

(E,U)∈δ(qi,P)

Ψ(E,U)

i

∧ ¬ΨE¬parity(Ω)

where Ψ_(E,U)encodes the transition (E, U) of Aand Ψ_{E¬parity(Ω)}encodes the parity accept- ance condition. Using Lemma 20, the latter formula can be expressed as aQ¹CTLformula (since parity acceptance condition can be expressed inLTL). Now, we let

Ψ_(E,U)=

k(E)

^

j=1

h

E1Xpj∧EX

pj∧ ^

1≤j⁰≤kmax

∧j⁰6=j

¬pj⁰∧Ej

∧AX (

k

^

j=1

¬pj)⇒ _

q∈U

qi

Note that Ψ_(E,U)belongs toQ¹CTL(because it uses E1Xpj), so that Φ_Ais inQ²CTL. It is not hard to see that Φ_A characterizes the behaviour ofA, since the labelling of a tree T with{qi |0≤i≤n} corresponds to an execution tree of AonT. This ends the proof of Theorem 16.

5 Concluding remarks

We see two main directions for future work. First it would be interesting to consider the expressiveness of QCTL^∗ fragments when the size of block of quantifiers (i.e.the number of atomic propositions used in a block) is bounded (several of our proofs use arbitrary many propositions). The second direction is to analyze the expressiveness of these logics in the context of thestructure semantics(when the labellings apply to Kripke structures instead of execution trees) in order to see whether the hierarchy also collapses for this semantics.

References

1 D. Berwanger and A. Blumensath. The monadic theory of tree-like structures. InAutomata, Logics, and Infinite Games, volume 2500 ofLNCS, pages 285–302. Springer, 2002.

2 M. C. Browne, E. M. Clarke, and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59(1-2):115–131, 1988.

3 E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In LOP’81, volume 131 of LNCS, pages 52–71. Springer, 1982.

4 A. Da Costa, F. Laroussinie, and N. Markey. Quantified CTL: Expressiveness and model checking. InCONCUR’12, volume 7454 ofLNCS, pages 177–192. Springer, 2012.

5 G. D’Agostino and M. Hollenberg. Logical questions concerning theµ-calculus: Interpola- tion, lyndon and łoś-tarski. Journal of Symbolic Logic, 65(1):310–332, 2000.

6 E. A. Emerson and J. Y. Halpern. "Sometimes" and "not never" revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, 1986.

7 T. French. Decidability of quantified propositional branching time logics. In AJCAI’01, volume 2256 ofLNCS, pages 165–176. Springer, 2001.

8 T. French. Quantified propositional temporal logic with repeating states. In TIME- ICTL’03, pages 155–165. IEEE Comp. Soc. Press, 2003.

9 T. French. Bisimulation Quantifiers for Modal Logics. Ph.D. thesis, School of Computer Science & Software Engineering, University of Western Australia, 2006.

10 M. C. B. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency.

Journal of the ACM, 32(1), 1985.

11 D. Janin and G. Lenzi. On the relationship between monadic and weak monadic second order logic on arbitrary trees. Fundamenta Informaticae, 61(3-4):247–265, 2004.

12 D. Janin and I. Walukiewicz. Automata for the modal µ-calculus and related results. In MFCS’95, volume 969 ofLNCS, pages 552–562. Springer, 1995.

13 J. Johannsen and M. Lange. CTL⁺is complete for double exponential time. InICALP’03, volume 2719 ofLNCS, pages 767–775. Springer, 2003.

14 O. Kupferman. Augmenting branching temporal logics with existential quantification over atomic propositions. InCAV’95, volume 939 ofLNCS, pages 325–338. Springer, 1995.

15 F. Laroussinie and N. Markey. Quantified CTL: expressiveness and complexity. Logicical Methods in Computer Science, 10(4), 2014.

16 F. Laroussinie and N. Markey. Augmenting ATL with strategy contexts. Information and Computation, 245:98–123, 2015.

17 A. C. Patthak, I. Bhattacharya, A. Dasgupta, P. Dasgupta, and P. P. Chakrabarti. Quan- tified computation tree logic. Information Processing Letters, 82(3):123–129, 2002.

18 A. Pnueli. The temporal logic of programs. In FOCS’77, pages 46–57. IEEE Comp. Soc.

Press, 1977.

19 J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR.

InSOP’82, volume 137 ofLNCS, pages 337–351. Springer, 1982.

20 A. P. Sistla. Theoretical Issues in the Design and Verification of Distributed Systems. PhD thesis, Harvard University, Cambridge, Massachussets, USA, 1983.

21 M. Y. Vardi. Nontraditional applications of automata theory. InTACS’94, volume 789 of LNCS, pages 575–597. Springer, 1994.

22 M. Y. Vardi and P. Wolper. Automata theoretic techniques for modal logics of programs.

Journal of Computer and System Sciences, 32(2):183–221, 1986.

23 I. Walukiewicz. Monadic second order logic on tree-like structures. Theoretical Computer Science, 275(1-2):311–346, 2002.

24 F. Zanasi. Expressiveness of Monadic Second-Order Logics on Infinite Trees of Arbitrary Branching Degrees. Master’s thesis, Amsterdam University, the Netherlands, 2012.