Probabilistic Bisimulation for Parameterized Systems
Abstract
Probabilistic bisimulation is a fundamental notion of process equivalence for probabilistic systems. It has important applications, including the formalisation of the anonymity property of several communication protocols. While there is a large body of work on verifying probabilistic bisimulation for finite systems, the problem is in general undecidable for parameterized systems, i.e., for infinite families of finite systems with an arbitrary number n of processes. In this paper we provide a general framework for reasoning about probabilistic bisimulation for parameterized systems. Our approach is in the spirit of software verification, wherein we encode proof rules for probabilistic bisimulation and use a decidable firstorder theory to specify systems and candidate bisimulation relations, which can then be checked automatically against the proof rules.
We work in the framework of regular model checking, and specify an infinitestate system as a regular relation described by a firstorder formula over a universal automatic structure, i.e., a logical theory over the string domain. For probabilistic systems, we show how probability values (as well as the required operations) can be encoded naturally in the logic. Our main result is that one can specify the verification condition of whether a given regular binary relation is a probabilistic bisimulation as a regular relation. Since the firstorder theory of the universal automatic structure is decidable, we obtain an effective method for verifying probabilistic bisimulation for infinitestate systems, given a regular relation as a candidate proof. As a case study, we show that our framework is sufficiently expressive for proving the anonymity property of the parameterized dining cryptographers protocol and the parameterized grades protocol. Both of these protocols hitherto could not be verified by existing automatic methods. Moreover, with the help of standard automata learning algorithms, we show that the candidate relations can be synthesized fully automatically, making the verification fully automated.
1 Introduction
Equivalence checking using bisimulation relations plays a fundamental role in formal verification. Bisimulation is the basis for substitutability of systems: if two systems are bisimilar, their behaviors are the same and they satisfy the same formulas in expressive temporal logics. The notion of bisimulation is defined both for deterministic [39] and for probabilistic transition systems [34]. In both contexts, checking bisimulation has many applications, such as proving correctness of anonymous communication protocols [15], reasoning about knowledge [22], program optimization [32], and optimizations for computational problems (e.g. language equivalence and minimization) of finite automata [12].
The problem of checking bisimilarity of two given systems has been widely studied. It is decidable in polynomialtime for both probabilistic and nonprobabilistic finitestate systems [6, 17, 20, 52]. These algorithms form the basis of practical tools for checking bisimulation. For infinitestate systems, such as parameterized versions of communication protocols (i.e. infinite families of finitestate systems with an arbitrary number n of processes), the problem is undecidable in general. Most research hitherto has focused on identifying decidable subcases (e.g. strong bisimulations for pushdown systems for probabilistic and nonprobabilistic cases [25, 47, 48]), rather than on providing tool support for practical problems.
In this paper, we propose a firstorder verification approach—inspired by software verification techniques—for reasoning about bisimilarity for infinitestate systems. In our approach, we provide firstorder logic proof rules to determine if a given binary relation is a bisimulation. To this end, we must find an encoding of systems and relations and a decidable firstorder theory that can formalize the system, the property, and the proof rules. We propose to use the decidable firstorder theory of the universal automatic structure [8, 10]. Informally, the domain of the theory is a set of words over a finite alphabet \(\varSigma \), and it captures the firstorder theory of the infinite \(\varSigma \)ary tree with a relation that relates strings of the same level. The theory can express precisely the class of all regular relations [8] (a.k.a. automatic relations [10]), which are relations \(\varphi (x_1,\ldots ,x_k)\) over strings \(\varSigma ^*\) that can be recognized by synchronous multitape automata. It is also sufficiently powerful to capture many classes of nonprobabilistic infinitestate systems and regular model checking [3, 13, 49, 50, 51].
We demonstrate the effectiveness of the approach by encoding and automatically verifying some challenging examples from the literature of parameterized systems in our logic: the anonymity property of the parameterized dining cryptographers protocol [16] and the grades protocol [29]. These examples were only automatically verified for some fixed parameters using finitestate model checkers or equivalence checkers (e.g. see [28, 29]). Just as invariant verification for software separates out the proof rules (verification conditions in a decidable logic) from the synthesis of invariants, we separate out proof rules for bisimulation from the synthesis of bisimulation relations. We demonstrate how recent developments in generating and refining candidate proofs as automata (e.g. [18, 26, 27, 37, 38, 40, 41, 53]) can be used to automate the search of proofs, making our verification fully “push button.”
Contributions. Our contributions are as follows. First, we show how probabilistic infinitestate systems can be faithfully encoded in the firstorder theory of universal automatic structure. In the past, the theory has been used to reason about qualitative liveness of weaklyfinite MDPs (e.g. see [36, 37]), which allows the authors to disregard the actual nonzero probability values. To the best of our knowledge, no encoding of probabilistic transition systems in the theory was available. In order to be able to effectively encode probabilistic systems, our theory should typically be twosorted: one sort for encoding the configurations, and the other for encoding the probability values. We show how both sorts (and the operations required for the sorts) can be encoded in the universal automatic structure, which requires only the domain of strings. In the sequel, such transition systems will be called regular transition systems.
Second, using the minimal probability assumption on the transition systems [34] (i.e. there exists an \(\varepsilon > 0\) such that any nonzero transition probability is at least \(\varepsilon \))—which is often satisfied in practice—we show how the verification condition of whether a given regular binary relation is a probabilistic bisimulation can be encoded in the theory. The decidability of the firstorder theory over the universal automatic structure gives us an effective means of checking probabilistic bisimulation for regular transition systems. In fact, the theory can be easily reduced to the weak monadic theory WS1S of one successor (therefore, allowing highly optimized tools like Mona [31] and Gaston [23]) by interpreting finite words as finite sets (e.g. see [19, 46]).
Our framework requires the encoding of the systems and the proofs in the firstorder theory of the universal automatic structure. Which interesting examples can it capture? Our third contribution is to provide two examples from the literature of parameterized verification: the anonymity property of the parameterized dining cryptographers protocol [16] and of the parameterized grades protocol [29]. We study two versions of dining cryptographers protocol in this paper: the classical version where the secrets are single bits, and a generalized version where the secrets are bitvectors of arbitrary length.
Thus far, our framework requires a candidate proof to be supplied by the user. Our final contribution is to demonstrate how standard techniques from the synthesis literature (e.g. automata learning [18, 26, 27, 37, 38, 40, 41, 53]) can be used to fully automate the proof search. Using automata learning, we successfully pinpoint regular proofs for the anonymity property of the three protocols: the two dining cryptographers protocols are verified in 6 and 28 s, respectively, and the grades protocol in 35 s.
Other Related Work. The verification framework we use in this paper can be construed as a regular model checking [3] framework using regular relations. The framework uses firstorder logic as the language, which makes it convenient to express many verification conditions (as is wellknown from firstorder theorem proving [14]). The use of the universal automatic structure allows us to express two different sorts (configurations and probability values) in one sort (i.e. strings). Most work in regular model checking focuses on safety and liveness properties (e.g. [2, 3, 11, 13, 27, 36, 37, 40, 42, 49, 51, 53]).
Some automated techniques can prove the anonymity property of the dining cryptographers protocol and the grades protocol in the finite case, e.g., the PRISM model checker [28, 45] and language equivalence by the tool APEX [29]. To the best of our knowledge, our method is the first automated technique proving the anonymity property of the protocols in the parameterized case.
Our work is in spirit of deductive software verification (e.g., [4, 14, 24, 35, 43, 44]), where one provides inductive invariants manually, and a tool automatically checks correctness of the candidate invariants. In theory, our result yields a fullyautomatic procedure by enumerating all candidate regular proofs, and at the same time enumerating all candidate counterexamples (note that we avoid undecidability by restricting attention to proofs encodable as regular relations). In our implementation, we use recent advances in automatalearning based synthesis to efficiently encode the search [18, 37].
2 Preliminaries
General Notation. We use \({{\mathbb {N}}}\) to denote nonnegative integers. Given \(a,b \in {\mathbb {R}}\), we use a standard notation \([a,b] := \{ c\in {\mathbb {R}}: a \le c \le b \}\) to denote real intervals. Given a set S, we use \(S^*\) to denote the set of all finite sequences of elements from S. The set \(S^*\) always includes the empty sequence which we denote by \(\varepsilon \). We call a function \(f : S \rightarrow [0,1]\) a probability distribution over S if \(\sum _{s\in S} f(s) = 1\). We shall use \(I_s\) to denote the probability distribution f with \(f(s)=1\), and \({\mathcal {D}}_S\) to denote the set of probability distributions over S. Given a function \(f : X_1\times \cdots \times X_n\rightarrow Y\), the graph of f is the relation \(\{(x_1,...,x_n,f(x_1,...,x_n)) : \forall i\in \{1,\ldots ,n\}.\ x_i \in X_i\}\). Whenever a relation R is an equivalence relation over set S, we use S / R to denote the set of equivalence classes created by R. Depending on the context, we may use \(p\,R\,q\) or R(p, q) to denote \((p,q)\in R\).
Words and Automata. We assume basic familiarity with word automata. Fix a finite alphabet \(\varSigma \). For each finite word \(w := w_1\ldots w_n \in \varSigma ^*\), we write w[i, j], where \(1 \le i \le j \le n\), to denote the segment \(w_i\ldots w_j\). Given an automaton \(\mathcal {A} := (\varSigma ,Q,\delta ,q_0,F)\), a run of \(\mathcal {A}\) on w is a function \(\rho : \{0,\ldots ,n\} \rightarrow Q\) with \(\rho (0) = q_0\) that obeys the transition relation \(\delta \). We may also denote the run \(\rho \) by the word \(\rho (0)\cdots \rho (n)\) over the alphabet Q. The run \(\rho \) is said to be accepting if \(\rho (n) \in F\), in which case we say that the word w is accepted by \(\mathcal {A}\). The language \(L(\mathcal {A})\) of \(\mathcal {A}\) is the set of words in \(\varSigma ^*\) accepted by \(\mathcal {A}\).
Transition Systems. We fix a set \(\mathsf {ACT}\) of action symbols. A transition system over \(\mathsf {ACT}\) is a tuple \({\mathfrak {S}}:= \langle S; \{\rightarrow _a\}_{a \in \mathsf {ACT}}\rangle \), where S is a set of configurations and \(\rightarrow _a\ \subseteq S \times S\) is a binary relation over S. We use \(\rightarrow \) to denote the relation \(\bigcup _{a \in \mathsf {ACT}} \rightarrow _a\). We say that a sequence \(s_1 \rightarrow \cdots \rightarrow s_{n+1}\) is a path in \({\mathfrak {S}}\) if \(s_1,...,s_{n+1}\in S\) and \(s_i \rightarrow s_{i+1}\) for \(i\in \{1,\ldots ,n\}\). A transition system is called bounded branching if the number of configurations reachable from a configuration in one step is bounded. Formally, this means that there exists an a priori integer N such that for all \(s\in S\), \(\{s'\in S: s\rightarrow s' \} \le N\).
Probabilistic Transition Systems. A probabilistic transition system (PTS) [34] is a structure \({\mathfrak {S}}:= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \) where \(S\) is a set of configurations and \(\delta _a:S \rightarrow {\mathcal {D}}_S \cup \{{\overline{0}}\}\) maps each configuration to either a probability distribution or a zero function \({\overline{0}}\). Here \(\delta _a(s)={\overline{0}}\) simply means that s is a “dead end” for action a. We shall use \(\delta _a(s, s')\) to denote \(\delta _a(s)(s').\) In this paper, we always assume that \(\delta _a(s,s')\) is a rational number and \(\{s' : \delta _a(s, s') \ne 0\} < \infty \). The underlying transition graph of a PTS is a transition system \(\langle S; \{\rightarrow _a\}_{a\in \mathsf {ACT}}\rangle \) such that \(s \rightarrow _a s'\) iff \(\delta _a(s,s')\ne 0\).
It is standard (e.g. see [34]) to impose the minimal probability assumption on the PTS that we shall be dealing with, i.e., there is \(\epsilon > 0\) such that any transition with a nonzero probability p satisfies \(p > \epsilon \). This assumption is practically sensible since it is satisfied by most PTSs that we deal with in practice (e.g. finite PTS, probabilistic pushdown automata [21], and most examples from probabilistic parameterized systems [36, 37] including our examples from Sect. 5). The minimal probability assumption, among others, implies that the PTS is boundedbranching (i.e. that its underlying transition graph is boundedbranching). In the sequel, we shall adopt this assumption.
3 Framework of Regular Relations
In this section we describe the framework of regular relations for specifying probabilistic infinitestate systems, properties to verify, and proofs, all in a uniform symbolic way. The framework is amenable to automatatheoretic algorithms in the spirit of regular model checking [3, 13].
Next, we discuss the expressive power of firstorder formulas over the universal automatic structures, and decision procedures for satisfiability of such formulas. In Sect. 4, we shall describe: (1) how to specify a PTS as a firstorder formula in \(\,{\mathfrak {U}}\,\), and (2) how to specify the verification condition for probabilistic bisimulation property in this theory. In Sect. 5, we shall show that the theory is sufficiently powerful for capturing probabilistic bisimulations for interesting examples.
Proposition 1
 1.
Given a formula \(\varphi ({\bar{x}})\) over \(\,{\mathfrak {U}}\,\), the relation \([\![\varphi ]\!]\) is effectively regular. Conversely, given a regular relation R, we can compute a formula \(\varphi ({\bar{x}})\) over \(\,{\mathfrak {U}}\,\) such that \([\![\varphi ]\!] = R\).
 2.
The firstorder theory of \(\,{\mathfrak {U}}\,\) is decidable.
The decidability of the firstorder theory of \(\,{\mathfrak {U}}\,\) follows using a standard automatatheoretic algorithm (e.g. see [9, 49]).
In the sequel, we shall also use the term regular relations to denote relations definable in \(\,{\mathfrak {U}}\,\). In addition, to avoid notational clutter, we shall freely use other regular relations (e.g. successor relation \(\prec _{succ}\) of the prefix \(\preceq \), and membership in a regular language) as syntactic sugar.
We note that the firstorder theory of \(\,{\mathfrak {U}}\,\) can also be reduced to weak monadic theory WS1S of one successor (therefore, allowing highly optimized tools like MONA [31] and Gaston [23]) by translating finite words to finite sets. The relationship between the universal automatic structure and WS1S can be made precise using the notion of finiteset interpretations [19, 46].
4 Probabilistic Bisimilarity Within Regular Relations
In this section, we show how the framework of regular relations can be used to encode a PTS, and the corresponding proof rules for probabilistic bisimulation.
4.1 Specifying a Probabilistic Transition System
Since we assume that all probability values specified in our systems are rational numbers, the fact that our PTS is boundedbranching implies that we can specify the probability values by natural weights (by multiplying the probability values by the least common multiple of the denominators). For example, if a configuration c has an action toss that takes it to \(c_1\) and \(c_2\), each with probability 1/2, then the new system simply changes both values of 1/2 to 1. This is a known trick in the literature of probabilistic verification (e.g. see [1]). Therefore, we can now assume that the transition probability functions have range \({{\mathbb {N}}}\). The challenge now is that our encoding of a PTS in the universal automatic structure must encode two different sorts as words over a finite alphabet \(\varSigma \): configurations and natural weights.
Now we are ready to show how to specify a PTS \({\mathfrak {S}}\) in our framework. Fix a finite alphabet \(\varSigma \) containing at least two letters 0 and 1. We encode the domain of \({\mathfrak {S}}\) as words over \(\varSigma \). In addition, a natural weight \(n \in {{\mathbb {N}}}\) can be encoded in the usual way as a binary string. This motivates the following definition.
Definition 1
Let \({\mathfrak {S}}\) be a PTS \(\langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \). We say that \({\mathfrak {S}}\) is regular if the domain S is a regular subset of \(\varSigma ^*\) (i.e. definable by a firstorder formula \(\varphi (x)\) with one free variable over \(\,{\mathfrak {U}}\,\)), and if the graph of each function \(\delta _a\) is a ternary regular relation (i.e. definable by a firstorder formula \(\varphi (x,y,z)\) over \(\,{\mathfrak {U}}\,\), where x and y encode configurations, and z encodes a natural weight).
Definition 1 is quite general since it allows for an infinite number of different natural weights in the PTS. Note that we can make do without the second sort (of numeric weights) if we have only finitely many numeric weights \(n_1, \ldots , n_m\). This can be achieved by specifying a regular relation \(R_{a,i}\) for each action label \(a \in \mathsf {ACT}\) and numeric weight \(n_i\) with \(i \in \{1,\ldots ,m\}\).
Example 1
We show a regular encoding of a very simple PTS: a random walk on the set of natural numbers. At each position x, the system can nondeterministically choose to loop or to move. If the system chooses to loop, it will stay at the same position with probability 1. If the system chooses to move, it will move to \(x+1\) with probability 1/4, or move to \(\max (0,x1)\) with probability 3/4. Normalising the probability values by multiplying by 4, we obtain the numeric weights of 4, 1, and 3 for the aforementioned transitions, respectively.
Example 2
4.2 Proof Rules for Probabilistic Bisimulation
Fix the set \(\mathsf {ACT}\) of action symbols and the branching bound \(N\ge 1\), owing to the minimal probability assumption. Consider a twosorted vocabulary \(\sigma = \langle \{P_a\}_{a \in \mathsf {ACT}}, R, +\rangle \), where \(P_a\) is a ternary relation (with the first two arguments over the first sort, and the third argument over the second sort of natural numbers), R is a binary relation over the first sort, and \(+\) is the addition function over the second sort of natural numbers. The main result we shall show next is summarized in the following theorem:
Theorem 1
There is a fixed firstorder formula \(\varPhi \) over \(\sigma \) such that a binary relation R is a probabilistic bisimulation over a boundedbranching PTS \({\mathfrak {S}}= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \) iff \(({\mathfrak {S}},R) \models \varPhi \). Furthermore, when \({\mathfrak {S}}\) is a regular PTS and R is a regular relation, we can compute in polynomial time a firstorder formula \(\varPhi '\) over \(\,{\mathfrak {U}}\,\) such that R is a probabilistic bisimulation over \({\mathfrak {S}}\) iff \(\,{\mathfrak {U}}\,\models \varPhi '\).
This theorem implies the following result:
Theorem 2
Given a regular relation \(E \subseteq \varSigma ^* \times \varSigma ^*\) and a boundedbranching regular PTS \({\mathfrak {S}}= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \), there exists an algorithm that either finds \((u, v)\in E\) which are not probabilistically bisimilar or finds a regular probabilistic bisimulation relation R over \({\mathfrak {S}}\) such that \(E \subseteq R\) if one exists. The algorithm does not terminate iff E is contained in some probabilistic bisimulation relation but every probabilistic bisimulation R containing E is not regular.
Note that when verifying parameterized systems we are typically interested in checking bisimilarity over a set of pairs (instead of just one pair) of configurations, and hence E in the above statement.
Proof of Theorem 2
To prove this, we provide two semialgorithms, one for checking the existence of R and the other for showing that a pair \((v,w) \in E\) is a witness for nonbisimilarity.
By Theorem 1, we can enumerate all possible candidate regular relation R and effectively check that R is a probabilistic bisimulation over \({\mathfrak {S}}\). The condition that \(E \subseteq R\) is a firstorder property, and so can be checked effectively.
To show nonbisimilarity is recursively enumerable, observe that if we fix \((v,w) \in E\) and a number d, then the restrictions \({\mathfrak {S}}_v\) and \({\mathfrak {S}}_w\) to configurations that are of distance at most d away from v and w (respectively) are finite PTS. Therefore, we can devise a semialgorithm which enumerates all \((v,w) \in E\), and all probabilistic modal logic (PML) formulas [34] F over \(\mathsf {ACT}\) containing only rational numbers (i.e. a formula of the form \(\langle a\rangle _\mu F'\), where \(\mu \in [0,1]\) is a rational number, which is sufficient because we assume only rational numbers in the PTS). We need to check that \({\mathfrak {S}}_v,v \models F\), but \({\mathfrak {S}}_w,w \nvDash F\). Model checking PML formulas over finite systems is decidable (in fact, the logic is subsumed by Probabilistic CTL [7]), which makes our check effective. \(\square \)
4.3 Proof of Theorem 1
Before we describe \(\varphi _a(p,q)\), we provide some intuition and define some intermediate macros. Fix configurations p and q. Informally, \(\varphi _a(p,q)\) will first guess a set of configurations \(u_1,\ldots , u_N\) containing the successors of p on action a, and a set of configurations \(v_1, \ldots , v_N\) containing the successors of q on action a. Second, it will guess labellings \(\alpha _1,\ldots ,\alpha _N\) and \(\beta _1,\ldots ,\beta _N\) which correspond to partitionings of the configurations \(u_1,\ldots , u_N\) and \(v_1, \ldots , v_N\), respectively. The intuition is that the \(\alpha \)’s and \(\beta \)’s “name” the partitions: if \(\alpha _i = \alpha _j\) (resp. \(\beta _i = \beta _j\)), then \(u_i\) and \(u_j\) (resp. \(v_i\) and \(v_j\)) are guessed to be in the same partition. The formula then checks that the guessed partitioning is compatible with the equivalence relation R (i.e. if the labelling claims \(u_i\) and \(u_j\) are in the same partition, then indeed \(R(u_i, u_j)\) holds), and that the probability masses of the partitions assigned by configurations p and q satisfy the constraint given in (1).
Example 3
We remark that the firstorder theory of \(\,{\mathfrak {U}}\,\) is sufficient to encode any probabilistic pushdown automaton, not just this example. \(\square \)
We proceed to show that if R and \(\delta _a\) are firstorder definable over \(\,{\mathfrak {U}}\,\) then so are \(\psi _a\) and \(\varphi _a\). Suppose that \(\delta _a\) is encoded using the ternary relation \(\delta _a(x, y, z)\), as stated in the previous section. (We shall reuse the symbol \(\delta \) here to avoid a clash of names).
5 Application to Anonymity Verification
In this section, we show how to verify the anonymity property of cryptographic protocols via computation of probabilistic bisimulations. We shall first formalize the connection between the concepts of anonymity and probabilistic bisimulation. We then introduce a verification framework and apply it to verify the anonymity property of the dining cryptographers protocol [16] and the grades protocol [29].
A (discrete time) Markov chain (a.k.a. DTMC) is a structure \(\,{\mathfrak {M}}\,:= \langle S; \delta ; L\rangle \) where \(S\) is a set of configurations, \(\delta : S\rightarrow {\mathcal {D}}_{S}\) is a family of probability distributions, and \(L: S\rightarrow \mathsf {ACT}\) is a labelling of the states. We shall use \(\delta (s, s')\) to denote \(\delta (s)(s')\), the transition probability from s to \(s'\). A sequence \(s_0 \dots s_n \in S^*\) is called a path of \(\,{\mathfrak {M}}\,\) if \(\delta (s_i, s_{i+1}) >0\) for \(i \in \{0,\ldots ,n1\}\). The probability distribution induced by the paths in a DTMC can be defined using a standard cylinder construction (see e.g. [33]) as follows. Given a finite path \(\pi := s_0 \cdots s_n \in S^*\), we set \(Run_{\pi }\) to be a basic cylinder, which is the set of all finite/infinite paths with \(\pi \) as a prefix. We associate this cylinder with probability \(\Pr ^{s_0}(Run_{\pi }) = \prod _{i=0}^{n1} \delta (s_i,s_{i+1})\). This gives rise to a unique probability measure for the \(\sigma \)algebra over the set of all paths from \(s_0\).
Given a PTS \({\mathfrak {S}}:= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \), an adversary \(f: S^* \rightarrow \mathsf {ACT}\) resolves the nondeterminacy of \({\mathfrak {S}}\) and induces a DTMC \({\mathfrak {S}}_f := \langle S'; \delta '; L' \rangle \). Here \(S' := S^* \cup \{\$\}\) contains all finite paths of \({\mathfrak {S}}\) plus a “sink state” \({ \$}\) such that \(\delta '(\pi ) := I_{ \$}\)^{2} if and only if either \(\pi = { \$}\), or \(\delta _{f(\pi )}\) is the zero function. We define \(\delta '(\pi ) := \delta _{f(\pi )}\) otherwise. The labelling of \({\mathfrak {S}}_f\) is defined as \(L'({ \$}) := \bot \) and \(L'(\pi ) := f(\pi )\) for \(\pi \in S^*\).
Given a DTMC \(\langle S; \delta ; L\rangle \), the trace of a path \(\pi := s_0 \cdots s_n \in S^*\) is defined as \(\tau (\pi ) := L(s_0)\cdots L(s_n)\). A trace event \({\mathcal {T}}\) is a set of finite traces; the probability of \({\mathcal {T}}\) with respect to a configuration s is specified with \(\Pr ^s({\mathcal {T}}) := \Pr ^s(\bigcup \{Run_\pi : \tau (\pi )\in {\mathcal {T}}, \pi { startsfrom}s \})\).
Now we are ready to define the concept of anonymity. Fix \({\mathfrak {S}}:= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \) and a set \({\mathcal {I}} \subseteq S\) of initial configurations. We say \({\mathfrak {S}}\) is anonymous to an adversary f if for all \(s \in {\mathcal {I}}\) and trace event \({\mathcal {T}}\), the value of \(\Pr ^s({\mathcal {T}})\) in \({\mathfrak {S}}_f\) is solely determined by \({\mathcal {T}}\). Intuitively, this means that the adversary cannot obtain any information about a specific initial configuration by experimenting on the system and observing the traces.
We shall only consider external adversaries in this paper. An adversary \(f: S^* \rightarrow \mathsf {ACT}\) is external if \(f(s_0\cdots s_n) = f(s_0'\cdots s_n')\) when \(L(s_i) = L(s_i')\) for \(i \in \{0,\ldots ,n\}\). That is, an external adversary takes action solely based on the trace she has observed so far. We call a PTS anonymous if it is anonymous to any external adversary. The following result establishes a connection between the anonymity property and probabilistic bisimulations.
Proposition 2
Let \({\mathfrak {S}}:= \langle S; \{\delta _a \}_{a\in \mathsf {ACT}}\rangle \) be a PTS and f be an external adversary for \({\mathfrak {S}}\). Then for all \(u,v \in S\) such that \(u \sim v\), \(\Pr ^u({\mathcal {T}}) = \Pr ^v({\mathcal {T}})\) holds for any trace event \({\mathcal {T}}\) in \({\mathfrak {S}}_f\). That is, configurations u and v induce the same trace distribution in \({\mathfrak {S}}_f\).
Based on Proposition 2, we propose a framework to verify the anonymity property of \({\mathfrak {S}}\) as follows. We first specify a “reference system” \({\mathfrak {S}}' := \langle S; \{\delta _a' \}_{a\in \mathsf {ACT}}\rangle \) that has the same initial configurations and actions as those of \({\mathfrak {S}}\), except that the trace distribution of \({\mathfrak {S}}'_f\) is independent of specific initial configurations for any adversary f. We then try to find a bisimulation relation R between \({\mathfrak {S}}\) and the reference system \({\mathfrak {S}}'\) satisfying \(R \supseteq \{ (s,s') \in {\mathcal {I}} \times {\mathcal {I}}' : s = s' \}\). When such a relation R is found, we can conclude that the trace distribution of \({\mathfrak {S}}_f\) is also independent of the initial configurations for any adversary f, and hence prove the anonymity property of \({\mathfrak {S}}\).
The Dining Cryptographers Protocol. Dining cryptographers protocol [16] is a multiparty computation algorithm aiming to securely compute the XOR of the secret bits held by the participants. More precisely, consider a ring of \(n\ge 3\) participants \(p_0,\dots ,p_{n1}\) such that each participant \(p_i\) holds a secret bit \(x_i\). To compute \(x_0 \oplus \cdots \oplus x_{n1}\) without revealing information about the values of \(x_0,\ldots ,x_{n1}\), the participants carry out a twostage computation as follows: (i) Each two adjacent participants \(p_i\), \(p_{i+1}\) compute a random bit \(b_i\) that is accessible only to them; (ii) Each participant \(p_i\) announces the value \(a_i := x_i \oplus b_i \oplus b_{i1}\)^{3} to the other participants. Hence, every participant \(p_i\) can observe the values of \(x_i\), \(b_i\), \(b_{i1}\) and \(a_0, \ldots , a_{n1}\). It turns out that \(a_0 \oplus \cdots \oplus a_{n1} = x_0 \oplus \cdots \oplus x_{n1}\), so all participants are able to compute the XOR of the secret bits after executing the protocol. Furthermore, the anonymity property of the protocol assures that any individual participant \(p_i\) cannot infer the values of the other secret bits from the information she has observed during the execution of the protocol.
We model the protocol as a lengthpreserving regular PTS. The configurations of a ring of n participants are encoded as words of size n. The initial configurations are words \(w \in \{0,1\}^*\) such that w[i] represents \(x_i\) for \(i \in \{0,\ldots ,w1\}\). The transition relation consists of six transitions: observer nondeterministically tossing head (via action \(\mathsf{head}\)), observer nondeterministically tossing tail (via action \(\mathsf{tail}\)), nonobserver tossing head with probability 0.5 (via action \(\mathsf{toss}\)), nonobserver tossing tail with probability 0.5 (via action \(\mathsf{toss}\)), participant announcing zero (via action \(\mathsf{zero}\)), and participant announcing one (via action \(\mathsf{one}\)). The outcomes of the tosses by the observer are visible (i.e. as actions \(\mathsf{head}\) and \(\mathsf{tail}\)), while the outcomes of the tosses by the other participants are hidden (i.e. as action \(\mathsf{toss}\)). Each maximal trace from an initial configuration of size n consists of n successive tossing actions, followed by n successive announcing actions. Starting from an initial configuration w and for \(i \in \{0,\ldots ,n1\}\), the ith toss action updates the value of w[j] to \(w[j] \oplus b_i\) for \(j \in \{i, {i+1}\}\), where \(b_i = 1\) if a head is tossed and \(b_i=0\) otherwise. Any configuration v reached after n tosses would satisfy \(v[i] = x_i \oplus b_i \oplus b_{i1}\) for \(i \in \{0,\ldots ,n1\}\). The PTS then “prints out” the configuration by going through n announcement transitions via actions \(a_0, \dots , a_{n1}\), such that \(a_i\) is \(\mathsf{one}\) if \(v[i] = 1\) and \(a_i\) is \(\mathsf{zero}\) if \(v[i] = 0\).
We consider the case where the first participant of the protocol is the observer. The maximal traces of the PTS in this case are in form of \(t \cdot t'\), where \(t = t'\), \(t \in \{\mathsf{head}, \mathsf{tail}\}\,\mathsf{toss}^*\{\mathsf{head}, \mathsf{tail}\}\), and \(t' \in \{\mathsf{zero},\mathsf{one}\}^*\). For example, \(\mathsf{head}\) \(\mathsf{toss}\) \(\mathsf{tail}\) \(\mathsf{one}\) \(\mathsf{zero}\) \(\mathsf{zero}\) is a maximal trace starting from initial configuration 010. To prove anonymity, we define a reference system such that the initial configurations and the actions are the same as those of the original PTS, except that the announcements \(a_0, \dots , a_{n1}\) encoded in the maximal traces from an initial configuration w are uniformly distributed over \(\{ (a_0, \dots , a_{n1}) : a_0 \oplus \cdots \oplus a_{n1} = w[0] \oplus \cdots \oplus w[n1], ~a_0 = w[0] \oplus b_0 \oplus b_{n1}\}\).^{4} In this way, the distribution of the announcements is independent of the initial configuration once the values of \(x_0 \oplus \cdots \oplus x_{n1}\), \(x_0\), \(b_0\), and \(b_{n1}\) (i.e. the information revealed to the first participant) are fixed. We then compute a probabilistic bisimulation between the original system and the reference system, establishing the anonymity property that the first participant cannot infer the secret bits of the other participants from the information she observes.
A generalized Dining Cryptographers Protocol. We have also considered a generalized dining cryptographers protocol where the secret messages \(x_0, \ldots , x_{n1}\) of the n participants are bitvectors of the same size. Note that the set of the initial configurations is not regular when the size of the secret messages is parameterized. To construct a regular model, we allow a configuration to encode secret messages of different sizes, and devise the transition system such that an initial configuration w can finish the protocol (i.e. can have a trace containing all of the announcements \(a_0, \ldots , a_{n1}\)) if and only if the messages encoded in w have same size. The resulting PTS is a regular system; it overapproximates the PTS of the generalized dining cryptographers protocol in the sense that the anonymity property of the former implies that of the latter.
The Grades Protocol. The grades protocol [29] is a multiparty computation algorithm aiming to securely compute the sum of the secrets held by the participants. The setting of the protocol is pretty similar to that of the dining cryptographers: given \(n\ge 3\) and \(g \ge 2\), we have a ring of n participants \(p_0, \ldots , p_{n1}\) where each participant \(p_i\) holds a secret \(x_i \in \{0,\ldots ,g1\}\). Note that both g and n are parameterized in this protocol. The goal of the participants is to compute the sum \(x_0 + \cdots + x_{n1}\) without revealing information about the individual secrets. Define \(M := (g1) \cdot n + 1\). The protocol consists of two steps: (i) Each two adjacent participants \(p_i\), \(p_{i+1}\) compute a random number \(y_i \in \{0,\ldots ,M1\}\); (ii) Each participant \(p_i\) announces \(a_i := (x_i + y_i  y_{i1})~\mathrm{mod}~M\) to the other participants. After executing the protocol, the participants compute \(a := a_0 + \cdots + a_{n1}~\mathrm{mod}~M\). Because of the ring structure, the \(y_i\)’s will be cancelled out in the sum. Thus the value of a will equal to the sum of all secrets. The anonymity property of the protocol asserts that no participant can infer the secrets held by the other participants from the information she has observed.
We consider a variant of the grades protocol where M can be any power of two greater than \((g1) \cdot n\). Observe that the same anonymity and correctness property of the original protocol also holds for this variant. To verify the anonymity property, we model an overapproximation of the protocol where the secrets are allowed to range over \(\{0,\ldots ,M1\}\). This model is similar to the one we have constructed for the generalized dining cryptographers protocol except that, e.g., the XOR operations are now replaced with bitwise additions and negations. A reference system is specified such that the announcements \(a_1, \ldots , a_{n1}\) observed by the first participant \(p_0\) are uniformly distributed over the values satisfying \(a_0 + \cdots + a_{n1}~\mathrm{mod}~M = x_0 + \cdots + x_{n1}~\mathrm{mod}~M\). By computing a probabilistic bisimulation between the original system and the reference system, we establish the anonymity property that the grades protocol is anonymous whenever M is chosen as a power of two with \(M \ge (g1) \cdot n + 1\).
6 Learning Probabilistic Bisimulations
Since \(L^*\)style learning requires the taught language to be uniquely defined, our approach attempts to learn a representation of the greatest lengthpreserving probabilistic bisimulation relation \({\bar{R}} \subseteq (\varSigma \times \varSigma )^*\), which is the unique bisimulation relation formed by the union of all lengthpreserving probabilistic bisimulations of \({\mathfrak {S}}\), i.e., \({\bar{R}} = \bigcup _{n\ge 1} {\bar{R}}_n\). Because \({\bar{R}}\) is not in general computable, the learning process might diverge and fail to produce any probabilistic bisimulation. It can also happen that learning terminates, but yields a probabilistic bisimulation relation strictly smaller than \({\bar{R}}\).

membership queries, i.e., whether a pair (v, w) of words should be accepted by the automaton to be learned. Since our learner tries to learn the greatest bisimulation, the teacher can answer this query by checking whether the configurations v, w are bisimilar; this is done by computing the greatest bisimulation \({\bar{R}}_{v}\) restricted to configurations of any length \(v = w\), and checking whether or not \((v, w) \in \bar{R}_{v}\).

equivalence queries, i.e., whether a candidate automaton \({{\mathcal {H}}}\) is the correct language to be learned. Such queries can essentially be answered by checking whether the language \({{{\mathcal {L}}}}({{{\mathcal {H}}}})\) satisfies the formula \(\varPhi (R)\) from (3). The complete algorithm for answering equivalence queries is given in Algorithm 1. The algorithm first attempts to find a shortest counterexample to the proof rule. If a counterexample of length n is found, then the difference set \({{{\mathcal {L}}}}({{{\mathcal {H}}}}) \,\varDelta \, {\bar{R}}_n\) must contain at least one pair of length n. Any of such pairs is a valid counterexample for automata learning since the learner tries to learn the greatest bisimulation. The teacher thus reports one such pair to be a positive or negative counterexample according to its membership in \({\bar{R}}_n\).
Optimization with Inductive Invariants. There is a natural way to optimize the learning procedure by only considering a regular inductive invariant \( Inv \) such that \( Inv \) contains the set of reachable configurations and \(E \subseteq Inv \times Inv \). The optimization is done by simply replacing the greatest finitelength bisimulations \({\bar{R}}_i\) in Algorithm 1, and when answering membership queries, with the greatest bisimulation \(\bar{R}_i^I = {\bar{R}}_i \cap Inv \) on the inductive invariant. Since \({\bar{R}}_i^I\) can be a lot smaller than \({\bar{R}}_i\), this can lead to significant speedups. Note that a bisimulation \(R'\) on \( Inv \) can be extended to a bisimulation R on all configurations by setting \(R = R' \cup \{(v, v) : v \not \in Inv \}\). The inductive invariant \( Inv \) may be manually specified, or automatically generated using techniques like in [18, 54].
Experimental results. For each case study, we list the size of the final proof produced by our tool, the time taken by Mona to verify the candidate automata, the time taken by our tool to compute the fixedlength bisimulations, and the total computation time of the learning procedure. Experiments are run on a Windows laptop with 2.4 GHz Intel i5 processor and 2 GB memory limit.
Case study  #states  #trans  Mona  Bisim  Total 

Dining cryptographers, singlebit  13  832  2 s  2 s  6 s 
Dining cryptographers, multibit  16  1024  3 s  24 s  28 s 
The grades protocol  25  1600  5 s  28 s  35 s 
Footnotes
 1.
Here, “universal” simply means that all automatic structures are firstorder interpretable in this structure.
 2.
Recall that \(I_s\) denotes the point distribution at s, namely \(I_s(s)=1\).
 3.
All arithmetical operations on the subscripts are performed modulo n to take the ring structure into account.
 4.
Such a distribution can be obtained by (i) choose \(a_1, \dots , a_{n2}\in \{0,1\}\) uniformly at random; (ii) set \(a_0 = w[0] \oplus b_0 \oplus b_{n1}\); (iii) set \(a_{n1} = a_0 \oplus \cdots \oplus a_{n2} \oplus w[0] \oplus \cdots \oplus w[n1]\).
References
 1.Abdulla, P.A., Henda, N.B., Mayr, R.: Decisive Markov chains. Log. Methods Comput. Sci. 3(4), 1–32 (2007) MathSciNetzbMATHGoogle Scholar
 2.Abdulla, P.A., Jonsson, B., Nilsson, M., d’Orso, J., Saksena, M.: Regular model checking for LTL(MSO). STTT 14(2), 223–241 (2012)zbMATHGoogle Scholar
 3.Abdulla, P.A., Jonsson, B., Nilsson, M., Saksena, M.: A survey of regular model checking. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 35–48. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540286448_3Google Scholar
 4.Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification  The KeY Book  From Theory to Practice. LNCS, vol. 10001. Springer, Cham (2016)Google Scholar
 5.Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)MathSciNetzbMATHGoogle Scholar
 6.Baier, C.: Polynomial time algorithms for testing probabilistic bisimulation and simulation. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 50–61. Springer, Heidelberg (1996). https://doi.org/10.1007/3540614745_57Google Scholar
 7.Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press, Cambridge (2008)zbMATHGoogle Scholar
 8.Benedikt, M., Libkin, L., Schwentick, T., Segoufin, L.: Definable relations and firstorder query languages over strings. J. ACM 50(5), 694–751 (2003)MathSciNetzbMATHGoogle Scholar
 9.Blumensath, A.: Automatic structures. Diploma thesis, RWTHAachen (1999)Google Scholar
 10.Blumensath, A., Grädel, E.: Finite presentations of infinite structures: automata and interpretations. Theory Comput. Syst. 37(6), 641–674 (2004)MathSciNetzbMATHGoogle Scholar
 11.Boigelot, B., Legay, A., Wolper, P.: Iterating transducers in the large (extended abstract). In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 223–235. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540450696_24Google Scholar
 12.Bonchi, F., Pous, D.: Checking NFA equivalence with bisimulations up to congruence. In: The 40th Annual ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL 2013, Rome, Italy 23–25 January 2013, pp. 457–468 (2013)Google Scholar
 13.Bouajjani, A., Jonsson, B., Nilsson, M., Touili, T.: Regular model checking. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 403–418. Springer, Heidelberg (2000). https://doi.org/10.1007/10722167_31Google Scholar
 14.Bradley, A.R., Manna, Z.: The Calculus of Computation: Decision Procedures with Applications to Verification. Springer, Heidelberg (1998)zbMATHGoogle Scholar
 15.Chatzikokolakis, K., Norman, G., Parker, D.: Bisimulation for demonic schedulers. In: de Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 318–332. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642005961_23Google Scholar
 16.Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988)MathSciNetzbMATHGoogle Scholar
 17.Chen, D., van Breugel, F., Worrell, J.: On the complexity of computing probabilistic bisimilarity. In: Birkedal, L. (ed.) FoSSaCS 2012. LNCS, vol. 7213, pp. 437–451. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642287299_29zbMATHGoogle Scholar
 18.Chen, Y., Hong, C., Lin, A.W., Rümmer, P.: Learning to prove safety over parameterised concurrent systems. In: 2017 Formal Methods in Computer Aided Design, FMCAD 2017, Vienna, Austria, 2–6 October 2017, pp. 76–83 (2017)Google Scholar
 19.Colcombet, T., Löding, C.: Transforming structures by set interpretations. Log. Methods Comput. Sci. 3(2), 1–36 (2007)MathSciNetzbMATHGoogle Scholar
 20.Derisavi, S., Hermanns, H., Sanders, W.H.: Optimal statespace lumping in Markov chains. Inf. Process. Lett. 87(6), 309–315 (2003)MathSciNetzbMATHGoogle Scholar
 21.Esparza, J., Etessami, K.: Verifying probabilistic procedural programs. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540305385_2Google Scholar
 22.Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press, Cambridge (2003)zbMATHGoogle Scholar
 23.Fiedor, T., Holík, L., Janků, P., Lengál, O., Vojnar, T.: Lazy automata techniques for WS1S. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 407–425. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545775_24Google Scholar
 24.Flanagan, C., Leino, K., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: PLDI 02: Programming Language Design and Implementation, pp. 234–245. ACM (2002)Google Scholar
 25.Forejt, V., Jancar, P., Kiefer, S., Worrell, J.: Bisimilarity of probabilistic pushdown automata. In: IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2012, Hyderabad, India, 15–17 December 2012, pp. 448–460 (2012)Google Scholar
 26.Garg, P., Neider, D., Madhusudan, P., Roth, D.: Learning invariants using decision trees and implication counterexamples. In: Proceedings of the 43rd Annual ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL 2016, St. Petersburg, FL, USA, 20–22 January 2016, pp. 499–512 (2016)Google Scholar
 27.Habermehl, P., Vojnar, T.: Regular model checking using inference of regular languages. Electr. Notes Theor. Comput. Sci. 138(3), 21–36 (2005)MathSciNetzbMATHGoogle Scholar
 28.Hinton, A., Kwiatkowska, M., Norman, G., Parker, D.: PRISM: a tool for automatic verification of probabilistic systems. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 441–444. Springer, Heidelberg (2006). https://doi.org/10.1007/11691372_29Google Scholar
 29.Kiefer, S., Murawski, A.S., Ouaknine, J., Wachter, B., Worrell, J.: APEX: an analyzer for open probabilistic programs. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 693–698. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642314247_51Google Scholar
 30.Klarlund, N., Møller, A.: Mona version 1.4: User manual. BRICS, Department of Computer Science, University of Aarhus Denmark (2001)Google Scholar
 31.Klarlund, N., Møller, A., Schwartzbach, M.I.: MONA implementation secrets. Int. J. Found. Comput. Sci. 13(4), 571–586 (2002). World Scientific Publishing Company. Earlier version in Proc. 5thInternational Conference on Implementation and Application of Automata (CIAA) 2000, SpringerVerlag LNCS vol. 2088MathSciNetzbMATHGoogle Scholar
 32.Kundu, S., Tatlock, Z., Lerner, S.: Proving optimizations correct using parameterized program equivalence. In: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2009, pp. 327–337. ACM, New York (2009)Google Scholar
 33.Kwiatkowska, M.Z., Model checking for probability and time: from theory to practice. In: 18th IEEE Symposium on Logic in Computer Science (LICS 2003), Ottawa, Canada, 22–25 June 2003, Proceedings, p. 351 (2003)Google Scholar
 34.Larsen, K.G., Skou, A.: Bisimulation through probabilistic testing. Inf. Comput. 94(1), 1–28 (1991)MathSciNetzbMATHGoogle Scholar
 35.Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642175114_20zbMATHGoogle Scholar
 36.Lengál, O., Lin, A.W., Majumdar, R., Rümmer, P.: Fair termination for parameterized probabilistic concurrent systems. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 499–517. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545775_29Google Scholar
 37.Lin, A.W., Rümmer, P.: Liveness of randomised parameterised systems under arbitrary schedulers. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 112–133. Springer, Cham (2016). https://doi.org/10.1007/9783319415406_7Google Scholar
 38.Löding, C., Madhusudan, P., Neider, D.: Abstract learning frameworks for synthesis. In: Chechik, M., Raskin, J.F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 167–185. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662496749_10Google Scholar
 39.Milner, R.: Communication and Concurrency. Prentice Hall, Upper Saddle River (1989)zbMATHGoogle Scholar
 40.Neider, D., Jansen, N.: Regular model checking using solver technologies and automata learning. In: Brat, G., Rungta, N., Venet, A. (eds.) NFM 2013. LNCS, vol. 7871, pp. 16–31. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642380884_2Google Scholar
 41.Neider, D., Topcu, U.: An automaton learning approach to solving safety games over infinite graphs. In: Chechik, M., Raskin, J.F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 204–221. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662496749_12Google Scholar
 42.Nilsson, M.: Regular model checking. Ph.D. thesis, Uppsala Universitet (2005)Google Scholar
 43.Padon, O., Losa, G., Sagiv, M., Shoham, S.: Paxos made EPR: decidable reasoning about distributed protocols. In: PACMPL, 1(OOPSLA), pp. 108:1–108:31 (2017)Google Scholar
 44.Padon, O., McMillan, K.L., Panda, A., Sagiv, M., Shoham, S.: Ivy: safety verification by interactive generalization. In: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, Santa Barbara, CA, USA, 13–17 June 2016, pp. 614–630 (2016)Google Scholar
 45.PRISM case study: Dining Cryptographers. http://www.prismmodelchecker.org/casestudies/diningcrypt.php
 46.Rubin, S.: Automatic structures. Ph.D. thesis, University of Auckland, New Zealand (2004)Google Scholar
 47.Sénizergues, G.: The bisimulation problem for equational graphs of finite outdegree. SIAM J. Comput. 34(5), 1025–1106 (2005)MathSciNetzbMATHGoogle Scholar
 48.Srba, J.: Roadmap of Infinite Results. Formal Models and Semantics, vol. 2. World Scientific Publishing Co., Singapore (2004)zbMATHGoogle Scholar
 49.To, A.W.: Model checking infinitestate systems: generic and specific approaches. Ph.D. thesis, LFCS, School of Informatics, University of Edinburgh (2010)Google Scholar
 50.To, A.W., Libkin, L.: Recurrent reachability analysis in regular model checking. In: Cervesato, I., Veith, H., Voronkov, A. (eds.) LPAR 2008. LNCS (LNAI), vol. 5330, pp. 198–213. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540894391_15Google Scholar
 51.To, A.W., Libkin, L.: Algorithmic metatheorems for decidable LTL model checking over infinite systems. In: Ong, L. (ed.) FoSSaCS 2010. LNCS, vol. 6014, pp. 221–236. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642120329_16Google Scholar
 52.Valmari, A., Franceschinis, G.: Simple O(m logn) time Markov chain lumping. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 38–52. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642120022_4Google Scholar
 53.Vardhan, A.: Learning to verify systems. Ph.D. thesis, Department of Computer Science, University of Illinois at UrbanaChampaign (2006)Google Scholar
 54.Vardhan, A., Sen, K., Viswanathan, M., Agha, G.: Learning to verify safety properties. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 274–289. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540304821_26Google Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.