On the Translation of Automata to Linear Temporal Logic

While the complexity of translating future linear temporal logic (LTL) into automata on infinite words is well-understood, the size increase involved in turning automata back to LTL is not. In particular, there is no known elementary bound on the complexity of translating deterministic $\omega$-regular automata to LTL. Our first contribution consists of tight bounds for LTL over a unary alphabet: alternating, nondeterministic and deterministic automata can be exactly exponentially, quadratically and linearly more succinct, respectively, than any equivalent LTL formula. Our main contribution consists of a translation of general counter-free deterministic $\omega$-regular automata into LTL formulas of double exponential temporal-nesting depth and triple exponential length, using an intermediate Krohn-Rhodes cascade decomposition of the automaton. To our knowledge, this is the first elementary bound on this translation. Furthermore, our translation preserves the acceptance condition of the automaton in the sense that it turns a looping, weak, B\"uchi, coB\"uchi or Muller automaton into a formula that belongs to the matching class of the syntactic future hierarchy. In particular, it can be used to translate an LTL formula recognising a safety language to a formula belonging to the safety fragment of LTL (over both finite and infinite words).


Introduction
Linear Temporal Logic with only future temporal operators (from here on LTL) and ω-regular automata, whether deterministic, nondeterministic or alternating, are both well-established formalisms to describe properties of infinite-word languages. LTL is popular in formal verification and synthesis due to its simple syntax and semantics. Yet, while properties might be convenient to define in LTL, most verification and synthesis algorithms eventually compile LTL formulas into ω-regular automata. The expressiveness of both these key formalisms, as This is the full version of a chapter with the same title that appears in the FoSSaCS 2022 conference proceedings [5]. well as translations from LTL to automata of various types, are well understood. Here, we consider the converse translations, which, in comparison, have received less attention: up till now, no elementary upper bound on the size blow-up of going from automata to LTL was known.
The succinctness of various representations of LTL-definable languages is less clear: effective translations between the different models are far from straightforward, and their complexity is sometimes uncertain. In particular, to the best of our knowledge, up to now there has been no elementary bound even on the translation of deterministic counter-free automata, arguably the simplest automata model for this class of languages, into LTL formulas. (Considering LTL with both future and past temporal operators, there is a double-exponential upper bound on the length of the formula [26] 4 .) The complexity of obtaining a deterministic counter-free automaton from a nondeterministic one is also, to the best of our knowledge, open.
We study the complexity of translating automata to LTL (equivalently, to very weak alternating automata), considering formula length, size, and nesting depth of temporal operators.
We begin (Section 3), as a warm-up, with the unary alphabet case on finite words. We show that the size-blow up involved in translating deterministic, non-deterministic and alternating automata to LTL, when possible, is linear, quadratic and exponential, respectively, and these bounds are tight. In contrast, going from LTL to alternating, nondeterministic and deterministic automata is linear, exponential and double-exponential, respectively [33,41,19].
The case of non-unary alphabets is much more difficult. We provide a translation of counter-free deterministic ω-regular automata (with any acceptance condition) into LTL formulas with double exponential depth and triple exponential length. Our translation uses an intermediate Krohn-Rhodes reset cascade decomposition (wreath product) of deterministic automata, which is a deterministic automaton built from simple components.
Our main technical contribution consists of a translation of a reset cascade into an LTL formula of depth linear and length singly exponential in the number of cascade configurations. Combining this with Eilenberg's Holonomy translation of a semigroup into a cascade [14,Corollary II.7.2] and Pnueli and Maler's adaptation of it to automata [26, Theorem 3] (see Remark 1), we obtain a translation of counter-free deterministic ω-regular automata into LTL formulas of double exponential depth and triple exponential length. Our construction preserves the acceptance condition of the automaton in the sense that it turns a Büchi-looping, coBüchi-looping, weak, Büchi or coBüchi automaton into a formula that belongs to the matching class of the syntactic future hierarchy (see Definition 1 and [8]).

Related work
Finite words. While LTL is usually interpreted over infinite words, it also admits finite-word semantics that coincide with the finite word version of the other equivalent formalisms. The equivalence between FO and star-free languages on finite words is due to McNaughton and Papert [31]. Cohen, Perrin and Pin [10] used the Krohn-Rhodes decomposition to characterise the expressive power of LTL with only X and F (eventually), but do not provide bounds on the size trade-off between the different models. Wilke [42] gives a double-exponential translation from counter-free DFA to LTL. More recently, Bojańczyk provided an algebraically flavoured adaptation of Wilke's proof [2, Section 2.2.2].
Infinite words. With substantial effort over several decades, the above techniques have been extended to infinite words using intricate tools with opaque complexities. Ladner [22] and Thomas [38,39] for example extended the equivalence of star-free regular expressions and FO to infinite words, while the ω-extension of the equivalence with aperiodic languages is due to Perrin [34]. The correspondence with LTL is due to Kamp [18] and Gabbay, Pnueli, Shelah and Stavi [16]. Diekert and Gastin's survey [13] provides an algebraic translation into LTL via ωmonoids while Cohen-Chesnot gives a direct algebraic proof of the equivalence of star-free ω-regular expressions and LTL [11]. Wilke takes an automata-theoretic approach, using backward deterministic automata [43,44]. However, none of the above address the complexity of the transformations. Zuck's dissertation [46] gives a translation of star-free regular expressions into LTL, with at least nonelementary complexity. Subsequently, Chang, Mana and Pneuli [8] use Zuck's results to show that the levels of their hierarchy of future temporal properties coincide with syntactic fragments of LTL. Sickert and Esparza [37] gave an exponential translation of any LTL formula into level ∆ 2 of this hierarchy.
-Σ 0 = Π 0 = ∆ 0 is the least set containing all atomic propositions and their negations, and is closed under the application of conjunction and disjunction. -Σ i+1 is the least set containing Π i and negated formulas of Π i+1 closed under the application of conjunction, disjunction, and the X and U operators. -Π i+1 is the least set containing Σ i and negated formulas of Σ i+1 closed under the application of conjunction, disjunction, and the X and R operators. -∆ i+1 is the least set containing Σ i+1 and Π i+1 that is closed under the application of conjunction, disjunction, and negation.
Σ 1 is referred to as syntactic co-safety formulas, Π 1 as syntactic safety formulas.
Automata. A deterministic semiautomaton is a tuple D = (Σ, Q, δ), where Σ is an alphabet; Q is a finite nonempty set of states; and δ : Q × Σ → Q is a transition function and we extend it to finite words in the usual way. A path of D on a word w = σ 0 · σ 1 · · · is a sequence of states q 0 , q 1 , . . ., such that for every It is a reset semiautomaton if for every letter σ ∈ Σ, either i) for every state q ∈ Q we have δ(q, σ) = q, or ii) there exists a state q ∈ Q, such that for every state q ∈ Q we have δ(q, σ) = q .
It is counter free if for every state q ∈ Q, finite word u ∈ Σ + , and number n ∈ N \ {0}, there is a self loop of q on u n iff there is a self loop of q on u.
A deterministic automaton is a tuple D = (Σ, Q, ι, δ, α), where (Σ, Q, δ) is a deterministic semiautomaton, ι ∈ Q is an initial state; and α is some acceptance condition, as detailed below. A run of D on a word w is a path of D on w that starts in ι. It is a reset or counter-free automaton if its semiautomaton is.
The acceptance condition of an automaton on finite words is a set F ⊆ Q; a run is accepting if it ends in a state q ∈ F . The acceptance condition of an ωregular automaton, on infinite words, is defined with respect to the set inf (r ) of states visited infinitely often along a run r. We define below several acceptance conditions that we use in the sequel; for other conditions, see, for example, [3].
The Muller condition is a set α = {M 1 , . . . , M k } of sets M i ⊆ Q of states, and a run r is accepting if there exists a set M i , such that M i = inf (r ). The Rabin condition is a set α = {(G 1 , B 1 ), . . . , (G k , B k )} of pairs of sets of states, and r is accepting if there exists a pair (G i , B i ), such that G i ∩ inf (r ) = ∅ and B i ∩ inf (r ) = ∅. The Büchi (resp. coBüchi ) condition is a set α ⊆ Q of states, and r is accepting if α ∩inf (r ) = ∅ (resp. α ∩inf (r ) = ∅). A weak automaton is a Büchi automaton, in which every strongly connected component (SCC) contains only states in α or only states out of α. A looping automaton is a Büchi or coBüchi automaton, where all states are in α, except for a single sink state.
Nondeterministic and alternating automata (to which we only refer in Section 3, on finite words over a unary alphabet) extend deterministic automata by having a transition function δ : Q × Σ → 2 Q and δ : Q × Σ → (positive Boolean formulas over Q), respectively. (See, for example, [7] for formal definitions.)

Unary Alphabet
Kupferman, Ta-Shma and Vardi [20] compared the succinctness of different automata models when counting, that is, recognising the singleton language {a k } for some k over the singleton alphabet {a}. For the succinctness gap between automata and LTL, we study the task of recognising arbitrary languages over the unary alphabet, which can be seen as sets of integers, rather than a single integer.
For a unary alphabet, since there is only one infinite word, only languages on finite words are interesting. We thus consider LTL formulas over (no) atomic propositions AP = ∅, and automata on finite unary words over the corresponding alphabet Σ = 2 AP = {∅}, where we use the shorthand a = ∅. The size of a deterministic automaton is the number of its states, of a nondeterministic automaton the number of its transitions, and of an alternating automaton the number of subformulas in its transition function.
We show that the size blow-up involved in translating deterministic, nondeterministic, and alternating automata to LTL, when possible, is linear, quadratic, and exponential, respectively.
In our analysis, we shall use the following folklore theorem, which extends Wolper's Theorem [45]. The proof is given in Appendix A.1.
Proposition 1 (Extended Wolper's theorem, Folklore). Consider an LTL formula ϕ with depth(ϕ) = n over the atomic propositions AP , and let Σ = 2 AP . Then for every words u ∈ Σ * , v ∈ Σ + and t ∈ Σ ω , and numbers i, j > n, ϕ has the same truth value on the words (uv i t) and (uv j t).
We use this to establish that unary LTL describes only finite and co-finite properties, and that there is a tight relation between the depth of LTL formulas and the length of words above which they are all in or all out of the language. Proposition 2. Given an LTL formula ϕ with depth(ϕ) = n on finite words over the unary alphabet {a}, a i ∈ L(ϕ) for all i > n or a i / ∈ L(ϕ) for all i > n.
Proposition 3. Consider a language L ⊆ {a} + that agrees on all words of length over n, that is, has the same truth value on all such words. Then there is an LTL formula of size in O(n) with language L.
We now establish the trade-off between LTL and alternating automata (AFA) over unary alphabets. AFA are closed under (linear) complementation, so we use a pumping argument to bound the length after which all words have the same truth value, giving an upper bound on the LTL formula. Lemma 1. Every alternating automaton with n states that recognises an LTLexpressible language L ⊆ {a} + is equivalent to an LTL formula of size in O(2 n ).
We show next that this upper bound is tight. Consider the language {a 2 n−1 }, which, according to Proposition 2, is only recognised by LTL formulas of size at least 2 n−1 . It is recognised by a weak alternating automaton with 2n states and size in O(n), using an automaton based on Leiss's construction [23]. Intuitively, the alternating automaton represents an n-bit up-counter with two states for each bit, one for 1 and one for 0 (see Fig. 1), where the universal transitions enforce that nondeterministic transitions correctly update the counter. We continue to nondeterministic automata (NFAs), for which the arguments are more involved as they do not allow for linear complementation.   Proof sketch. For finite L, by a pumping argument, A only accepts words up to length n, and by Proposition 3 we are done. We now consider a co-finite L.
We use 2-way deterministic automata, which are deterministic automata that process words of the form w , where and are start-and end-of-word markers respectively, and where transitions specify whether to read the letter to the right or to the left of the current position. They accept by reaching an end state, and reject by reaching a rejecting state or by failing to terminate [17], and every unary NFA A can be turned into a 2-way DFA D of size O(n 2 ) [9].
We construct from an NFA A a 2-way DFA D, and then a 2-way DFA D of the same size that recognises a * \ {a k }, where a k is the longest word not in L. We use the fact that a 2-way DFA of size m can be complemented into one of size 4m [17] to complement D into D that recognises {a k } and must therefore be of size at least k + 2 [1], so k, and by Proposition 2, an LTL formula for L, is in O(n 2 ).
We now show that this upper bound is tight. The previous lower bound ideas do not work with nondeterminism, since we need n states to recognise {a n } [20]. Yet, we need not count exactly to n for achieving a lower bound. We can use a variant of a language used in [4, pages [10][11]: For every positive integer k, define the set of positive integers S k = {m > 0 | ∃i, j ∈ N. m = ik + j(k + 1)}, and the language V k = {a m | m ∈ S k } ⊆ {a} * .
Proposition 4 (Folklore, [4,Theorem 3]). For every k ∈ N the number k 2 − k − 1 is the maximal number not in S k .
Proposition 5 ([4, proof of Theorem 4]). For every n ∈ N, there is an NFA of size in O(n) recognising a co-finite language L ⊆ {a} * , such that a k 2 −k−1 is not in L, while for every t ≥ k 2 − k, we have that a t ∈ L. Theorem 1. The size blow-up involved in translating deterministic, nondeterministic, and alternating automata on finite unary words to LTL, when possible, is Θ(n), Θ(n 2 ), and Θ(2 n ), respectively.

General Alphabet
In this section we consider the more challenging task of turning counter-free ωregular automata over arbitrary alphabets into LTL. We use the fact that these automata can be turned into reset cascade automata (Krohn-Rhodes-Holonomy decomposition), which we describe in Section 4.1. Our technical contribution is then the translation of reset cascade automata into LTL.
In brief, we build, in Section 4.2, a parameterised LTL formula that is satisfied by a word w iff the run of the cascade on w, starting in the parameter configuration S, reaches a parameter configuration T , such that the remaining suffix of w satisfies a parameter LTL formula τ . We then use this formula, in Section 4.4, to describe the automaton's acceptance condition.
When encoding the behavior of a cascade by an LTL formula, we need to overcome two major challenges: First, the cascade is a formalism that looks at the past, namely at the word read so far, to determine the next configuration, while an LTL formula obtains its value only from the future. Second, the cascade has an internal state, while an LTL formula does not. Our reachability formulas are therefore quite involved, built inductively over the number of levels in the cascade, and implicitly allowing to track the internal configuration of the cascade.
In Section 4.3 we analyse the length and depth of the resulting formulas.

Cascaded Automata
Cascades. A cascaded semiautomaton (analogous to the algebraic wreath product) over an alphabet Σ is a semiautomaton that can be described as a sequence of simple semiautomata, such that the alphabet of each of them is Σ together with the current state of each of the preceding semiautomata in the sequence. It is a reset cascade if it is a sequence of reset semiautomata. Formally, a cascaded semiautomaton, or just cascade, over alphabet Σ with n levels is a tuple An i-configuration S of A is a tuple q 1 , q 2 , . . . , q i ∈ Q 1 × · · · × Q i . If q i+1 ∈ Q i+1 is a state of level i + 1, we write S, q i+1 for the (i + 1)-configuration q 1 , . . . , q i , q i+1 . Note that the 0-configuration is the empty tuple . Further, we derive the transition relation for configurations by point-wise application of the respective δ i 's. We define δ ≤i ( q 1 , q 2 , . . . q i , σ) as δ 1 (q 1 , σ ), δ 2 (q 2 , σ, q 1 ), . . . . Note that we will omit the "≤ i"-subscript if it is clear from context, and by just writing "configuration", we mean an n-configuration.
Notice that A describes a standard semiautomaton D A over Σ, whose states are the configurations of A of level n, and its transition function is δ ≤n . If there are up to j states in each level of A, there are up to j n states in D A . Observe that when A is a reset cascade, it can be translated to an equivalent reset cascade with up to n log j levels, and 2 states in each level [14, Ex. I. 10.2].
For a state q ∈ Q i of level i of a reset cascade, we denote by Enter(q), Stay(q), and Leave(q) ⊆ Σ × Q 1 × · · · × Q i−1 the sets of (combined) letters that enter q, stay in it, and leave it, respectively. These are sets of pairs σ, S , where S is an (i−1)-configuration and σ ∈ Σ. Notice that Enter(q) ⊆ Stay(q), and that Leave(q) is the complement of Stay(q) (w.r.t. the relevant (combined) letters).
Proposition 6 (Part of the Krohn-Rhodes-Holonomy Decomposition [14, Corollary II.7.2], [26, Theorem 3]). Every counter-free deterministic semiautomaton D with n states is homomorphic to a reset cascade A with up to 2 n levels and 2 n states in each level. Remark 1. The Krohn-Rhodes and Holonomy decomposition theorems consider also more general cascades and give results with respect to arbitrary semiautomata. The Holonomy decomposition in [14], as opposed to many other proofs of the Krohn-Rhodes decomposition, guarantees up to 2 n levels with up to 2 n states in each level. Yet, it shows that A covers D, allowing A to operate over an alphabet different from that of D. In [26,27,25], the algebraic proof of [14] is translated to an automata-theoretic one, providing the stated homomorphism. It is also stated in [26, Theorem 3.1], [27, Corollary 20], and [25, Corollary 2] that the number of configurations in A is singly exponential in n, but to the best of our understanding they do not provide an explicit proof for it.
Cascades with acceptance conditions. As a cascade A describes a standard semiautomaton (whose states are the configurations of A), we can add to it an initial configuration and an acceptance condition to make it a standard deterministic automaton. We show below that the homomorphism between an automaton and a cascade can be extended to also transfer the same acceptance condition.
Proposition 7. Let D be a deterministic Büchi, coBüchi or Rabin automaton, with a semiautomaton homomorphic to a cascade A. There is respectively a deterministic Büchi, coBüchi or Rabin automaton D equivalent to D with semiautomaton A. For Rabin, D and D have the same number of acceptance pairs. Proposition 8. Consider a deterministic Muller automaton D with n states, whose semiautomaton is homomorphic to a reset cascade A with m configurations. Then there is a deterministic Muller automaton D equivalent to D, whose semiautomaton is A and its Muller condition has up to 2 O(mn) acceptance sets.

Encoding Reachability within Reset Cascades by LTL Formulas
For the rest of this section, let us fix a set of atomic propositions AP , an alphabet Σ = 2 AP , and a reset cascade A = Σ, A 1 , A 2 , . . . , A n .
The main reachability formula. For every level i of A, three configurations S, B and T of level i, and two LTL formulas β and τ , we will define the LTL formula T (τ ) with the intended semantics that it holds on a word w ∈ Σ ω iff A goes from the 'starting' configuration S to the 'target' configuration T along some prefix u of w, such that the suffix of w after u satisfies τ and the path along u avoids the 'bad' configuration B with a suffix satisfying β.
Auxiliary reachability formulas. We will formally define the main reachability formula by induction on the level i of the involved configurations, and using four auxiliary formulas, whose intended semantics is described in Table 1. These formulas distinguish between the case that the top-level state is unchanged along the reachability path, denoted with a solid arrow − − →, and the case that it is changed, denoted by a dashed arrow . They also have dual, weak, versions.
Formulas 1 and 2. The main formula is simply defined as the union of two auxiliary formulas, corresponding to whether or not the top-level state changes, and its weak version is defined to be its dual.
Since the formula should ensure that the top-level state s is unchanged, we first distinguish between four cases, depending on which of the source configuration S, s , bad configuration B, b , and target configuration T, t are equal. The definitions of the four cases only differ in whether or not each of β and τ are satisfied in the first position of the word. We define them using an intermediate common formula that is indifferent to the first position, which we mark by "> 0" on top of the arrow. We then define the "> 0" formula by using the main reachability formula with respect to a lower level, namely with respect to the configurations S and T instead of S, s and T, t , and having corresponding disjunctions and conjunctions on all the combined letters of the top level that belong to Stay(s) and Leave(s). Table 1. The intended semantics of reachability formulas. Orange subformulas show the difference between the auxiliary formulas and the first or second (main) formula.
Formula 5. The definition of the last reachability formula is the most challenging, since the top-level state changes (s = t), which prevents the direct usage of lower level configurations. Intuitively, before reaching the target configuration T, t , the run must see a combined letter σ, T ∈ Enter(t), after which the top-level state t is preserved and the bad situation B, b (β) is avoided. This is line (1) of the definition.
The run must also not see B, b (β) before reaching T , which is handled in line (2), whose difference from line (1) is the additional constraint on the path from S to T . (Line (1) is required for the case that Enter(b) is empty.) We use Formula 4 for that constraint, rather than Formula 3 which could also be used, in order to ensure that Formula 5 can be a syntactic co-safety formula.
Lastly, line (3) ensures that the top-level state is indeed changed.
We prove the correctness of the above definitions with respect to the intended meaning of Table 1 by induction on the level of the involved configurations.  Table 1 hold for all infinite words w ∈ Σ ω = (2 AP ) ω , configurations S, B, T of level m ≤ n, states s, b, t in level m + 1 (when m < n), and LTL formulas β and τ over AP .
Using the same induction principle we prove that the reachability formulas stay within certain classes of the syntactic future hierarchy (Definition 1). We T (Y ) ∈ Z as a shorthand for saying that for every formulas β ∈ X and τ ∈ Y , the formula S ∼∼∼∼ X X Lemma 5. Let S, B, T be configurations of level m ≤ n, and let s, b, t be states in level m + 1 (when m < n). Then for i ≥ 1 it holds that:

Depth and Length Analysis
We analyze the length and temporal-nesting depth of the LTL reachability formulas defined in Section 4.2. Notice that both measures are of independent interest, as there might be a non-elementary gap between the depth and length of LTL formulas [15,Theorem 6]. Since we provide upper bounds, the bound on the length of formulas obviously gives also a bound on their size. We consider a reset cascade A with n levels, as in Section 4.2, and further assume for the length and depth analysis that it has up to n states in each level. (This assumption holds in the reset cascades that result from the Krohn-Rohdes decomposition as per Proposition 6.) We define for each of the five reachability formulas a depth function D x (i, d) and a length function L x (i, l), where x refers to the number of the reachability formula, to bound the depth and length of the formulas. These depend on the level i of its input configurations S, B and T , and the maximal depth d and length l of its input formulas β and τ . For the main (first) reachability formula, we also use D and L, standing for D 1 and L 1 . For example, the length of the first formula S ∼∼∼∼ X X B(β) T (τ ) over configurations S, B and T of level 7 and formulas β and τ of length up to 77 is bounded by the value of L 1 (7, 77). For simplicity, we consider the LTL representation of an alphabet letter σ ∈ Σ to be of length 1, while its actual length is 3 log 2 |Σ|. This increase is due to the need to encode an alphabet letter σ ∈ Σ = 2 AP as a conjunction of atomic propositions in AP . The representation length can be multiplied by the total length of the final relevant formula (e.g., a formula equivalent to the entire reset cascade), since it remains constant along all steps of our inductive computation.
We provide in Table 2 upper bounds on the depth and length functions, relative to values of other depth and length functions with respect to configurations of the same or lower-by-one level. The table is constructed by following the syntactic definitions of the reachability formulas, and applying basic simplifications to the resulting expressions. For example, L 1 (0, l) = 2+2l standing for the length of (¬β)Uτ . In Lemma 6 we will use Table 2 to bound the absolute depth and length of the main reachability formula.
Depth Analysis. The temporal nesting depth of the main reachability formula T (τ ) is intuitively exponential in the number n of levels of the reset cascade (linear in the number of configurations), since it is defined inductively along these levels, and the depth of a level-(i + 1) formula is about twice the depth of a level-i formula. The parameters of the reachability formula are both the configurations S, B and T of level i, and the formulas β and τ ; yet, the depth of the reachability formula only linearly depends on the depth of β and τ .
Length Analysis. Intuitively, the overall length of the main reachability formula T (τ ) with respect to configurations of the top level is doubly exponential in the number n of levels of the reset cascade (and thus singly exponential in the number of configurations), since the formula is defined inductively along these levels, and the length L(i, l) is roughly L(i−1, l) · L(i−1, l). More precisely, T, t (τ ). It is a level-(i−1) reachability formula whose formulaparameters are themselves auxiliary reachability formulas of level i with formula parameters of length l. The length of an auxiliary reachability formula of level i is roughly as of the main reachability formula of level i−1, implying that the length As for the many disjunctions and conjunctions that appear in the formulas, observe that the number of disjuncts and conjuncts does not depend on the Reachability formula ϕ Bounds on depth(ϕ) and length |ϕ| Table 2. The relative depths and lengths of the reachability formulas over configurations of level i, and LTL formulas β and τ of depth at most d and length at most l. For the first two reachability formulas, we consider i ≥ 0 and for the other formulas i ≥ 1.
formula-parameters β and τ , but only the level i of the configurations S, B, and T . Hence, they do not dominate the growth rate of the overall formula length.
Lemma 6. Consider a reset cascade A with n levels and up to n states in each level, and a formula ζ = S ∼∼∼∼ X X

Translating Deterministic Counter-Free Automata to LTL
We use the reachability formulas of Section 4.2 to translate a reset cascade A to an equivalent LTL formula. Our LTL formulation of A's acceptance condition is based on an LTL formulation of "C is visited finitely/infinitely often along a run of A on a word w", for a given configuration C of A. It thus applies to every ω-regular acceptance condition and by Propositions 6 and 8 to every deterministic counter-free ω-regular automaton. We introduce two shorthands to the main reachability formula: the first is satisfied if we reach T from S without any side constraints (which is always satisfied in the case that S = T ), and the second requires that we reach it along a nonempty prefix.
With Lemmas 4 and 5 we then obtain (a proof is given in Appendix A.5): Lemma 7. Consider a reset cascade A = 2 AP , A 1 , . . . , A n together with an initial configuration ι and some configuration C. Then for a word w ∈ (2 AP ) ω , the run of A on w starting in ι visits C finitely often iff w satisfies the formula We are now in position to give our main result.
Proof. We first prove the general result, w.r.t. an arbitrary counter-free deterministic automaton D, and then take into account D's acceptance condition, to establish the last part of the theorem. Consider a counter-free deterministic ω-regular automaton D with some acceptance condition and n states. Recall that there is a Muller automaton D equivalent to D over the semiautomaton of D. By Propositions 6 and 8, D is equivalent to a deterministic Muller automaton D that is described by a reset cascade A with up to m = 2 n levels and m states in each level (and thus up to m m configurations), and whose acceptance condition has up to k ∈ 2 O(m m n) = 2 O(m m ) acceptance sets. An LTL formula ϕ equivalent to D can be defined by formulating the acceptance condition of D along Lemma 7.
Recall that the Muller condition is a k-elements disjunction, where each disjunct M is a conjunction of requirements to visit infinitely often every configuration from some set G and finitely often every configuration not in G. Observe that M can be formulated as a disjunction over all the configurations in D (at most m m ), having for each configuration C the LTL formula Fin(C) or ¬Fin(C), as defined in Lemma 7, depending on whether or not C ∈ G. Hence, the overall formula ϕ is a combination of disjunctions and conjunctions of up to k · m m subformulas of the form Fin(C) or ¬Fin(C). Therefore, the depth of ϕ is the same as of Fin(C), while |ϕ| ∈ O(km m |Fin(C)|) ≤ 2 O(m m ) |Fin(C)|. For calculating depth(Fin(C)) and |Fin(C)|, we use Lemma 6 bottom up over the subformulas of Fin(C).
Expressing the length of ϕ with respect to the number n of states in the automaton D, and taking into account the fact that the alphabet Σ has at most n n different letters (any additional letter must have the same behavior as another letter), we have: We now sketch the second part of the theorem connecting the syntactic hierarchy and the different acceptance conditions of D. We only consider the cases in which D is either a Muller or a coBüchi automaton. The complete analysis is given in Appendix A.5. If D is a Muller automaton, then the overall formula ϕ is in ∆ 2 , since it is a Boolean combination of Fin(C) formulas, which by Lemma 7 belong to Σ 2 . If D is a coBüchi automaton, then we construct the formula ϕ directly from the coBüchi condition α: ϕ is a conjunction of Fin(C) formulas over all configurations C that are mapped to states in α. As Fin(C) belongs to Σ 2 , so does ϕ.
Observe that by Theorem 2, we get the following result, extending the result of [39, Theorem 3.2] that only considers Rabin automata. Corollary 1. Every counter-free deterministic ω-regular automaton (with any acceptance condition) recognises an LTL-definable language.
Proof. Recall that every deterministic ω-regular automaton is equivalent to a deterministic Muller automaton over the same semiautomaton (see, e.g., [3]). The claim is then a direct consequence of Theorem 2.
Remark 2. Theorem 2 can be adapted to the finite-word setting. While on infinite words, the neXt operator is self-dual, i.e., ¬Xψ is equivalent to X¬ψ, over finite words, this equivalence does not hold on words of length 1. Thus X gains a dual weak next, defined asXψ := ¬X¬ψ. In the finite word case, syntactic cosafety (safety) formulas are constructed from true, false, a, ¬a, ∨, ∧, and the temporal operators U and X (R andX). Observe that X andX differ only on words of length 1, and thus the only required change in our translation scheme is to replace some Xs withXs in the reachability formula 4. For finite words a translation of a counter-free DFA to an LTL formula with only a double exponential size blow-up is known [42]; however, unlike our translation, it does not guarantee syntactic safety (cosafety) formulas for safety (cosafety) languages.
Lastly, we provide a corollary on looping automata, using Theorem 2 and the following known result.
Proposition 9 (Rephrased Theorem 13 from [29]). Let D be a deterministic looping-Büchi automaton with n states that recognises an LTL-definable language. Then there exists an equivalent counter-free deterministic looping-Büchi automaton D with at most n states.
Corollary 2. Every deterministic looping-Büchi (looping-coBüchi) automaton with n states that recognises an LTL-definable language is equivalent to an LTL formula ϕ ∈ Π 1 (Σ 1 ) of temporal nesting depth in O(2 2 n ) and length in 2 2 O(2 n ) . This is an elementary upper bound for two constructions for which either the upper bound was unknown or non-elementary: the liveness-safety decomposition of LTL [29] and the translation of semantic safety LTL to syntactic safety LTL.

Conclusions
We have studied the size trade-offs between LTL and automata. Over a unary alphabet, the situation is straightforward and we provided tight complexity bounds. The general case of infinite words over an arbitrary alphabet is more complex. We gave to our knowledge the first elementary complexity bound on the translation of counter-free deterministic ω-regular automata into LTL formulas.
Every ω-regular automaton recognising an LTL-definable language can be translated to a counter-free deterministic automaton [39, Theorem 3.2]. Yet, we are unaware of a bound on the size blow-up involved in such a translation. Once established, it can be combined with our translation to get a general bound on the translation of automata to LTL. It will also provide a (currently unknown 6 ) elementary upper bound on the translation of LTL with both future and past operators to LTL with only future operators (which is the version of LTL that we have considered), as (both version of) LTL can be translated to nondeterministic Büchi automata with a single exponential size blow-up [41, Theorem 2.1].
While going from non-elementary to double-exponential depth and triple-exponential length is an improvement, these upper bounds might not be tightthere is currently no known non-linear lower bound! Closing this gap is a challenging open problem, which might require new lower bound techniques for alternating automata, as LTL formulas are an inherently alternating model. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

A Omitted Proofs
A.1 Proofs from Section 3 Proposition 1 (Extended Wolper's theorem, Folklore). Consider an LTL formula ϕ with depth(ϕ) = n over the atomic propositions AP , and let Σ = 2 AP . Then for every words u ∈ Σ * , v ∈ Σ + and t ∈ Σ ω , and numbers i, j > n, ϕ has the same truth value on the words (uv i t) and (uv j t).
Proof. Consider an LTL formula ϕ and words w i = (uv i t) and w j = (uv j t), such that i, j > depth(ϕ). We prove the claim by induction on the structure of ϕ.
Base case: ϕ is an atomic proposition or a Boolean constant. Indeed, depth(ϕ) = 0 and we have that w i |= ϕ iff w j |= ϕ, because the first letter of these two words, which is the first letter of u if u is not empty and the first letter of v otherwise, is the same.
If w i satisfies ϕ then there is a position p of w i , such that w p i |= ψ 2 and for every k < p, w k i |= ψ 1 . Let o be the position of w i that appears at the beginning of the v-block that is depth(ϕ) blocks of v before the t part of w i , namely o = |uv i−depth(ϕ) |. (See Figure 2.) We split the proof into disjoint cases, depending on the location of p within w i .
• p < |u|: Let u be the infix of w j from p to the end of u, namely u = w i [p..|u| − 1]. Then w p i = u v i t and w p j = u v j t. Since i, j > depth(ϕ) > depth(ψ 2 ), by the induction assumption w p i |= ψ 2 iff w p j |= ψ 2 and therefore w p j |= ψ 2 . Likewise, since i, j > depth(ϕ) > depth(ψ 1 ), by the induction assumption for every position m < p, w m i |= ψ 1 iff w m j |= ψ 1 and therefore w m j |= ψ 1 . • p ∈ [|u|..o − 1]: Let p be the position in w j that appears in the first v-block after u and that is located within that v-block like p is located within its v-block. That is, p = |u| + ((p − |u|) mod |v|). Let u be the remaining suffix in the v-block of p and p , that is u = w j [p +1..|u|+|v|].
Let h be the number of v-blocks that appear after p and before the t , we have by the induction assumption that w p j |= ψ 2 iff w p i |= ψ 2 , and therefore w p j |= ψ 2 . Now, for every position m < p , let u be the infix of w j from m to the end of the first v-block of w j , that is u = w j [m..|u|+|v|]. Then w m i = u v i−1 t and w m j = u v j−1 t. Since i−1 > depth(ψ 1 ) and j −1 > depth(ψ 1 ), by the induction assumption w m i |= ψ 1 iff w m j |= ψ 1 and therefore w m j |= ψ 1 . |= ψ 1 (as both words have the same prefix until the end of the first v block, followed by at least depth(ψ 1 ) + 1 blocks of v and then t), implying that w m j |= ψ 1 . Finally, for every position m ∈ [0..|u| − 1], we have by the induction assumption that w m i |= ψ 1 iff w m j |= ψ 1 , implying that w m j |= ψ 1 .

Proposition 2.
Given an LTL formula ϕ with depth(ϕ) = n on finite words over the unary alphabet {a}, a i ∈ L(ϕ) for all i > n or a i / ∈ L(ϕ) for all i > n.
Proof. Let # = {p} be the shorthand for a new atomic proposition p. Given a unary LTL formula recognising L ⊆ {a} + , it can be turned into a general LTL formula of linear length that recognises L = {v# ω | v ∈ L} over the alphabet Σ = 2 {p} . Then, the statement is a direct consequence of Proposition 1.
Proposition 3. Consider a language L ⊆ {a} + that agrees on all words of length over n, that is, has the same truth value on all such words. Then there is an LTL formula of size in O(n) with language L.
Proof. The very weak deterministic automaton for L consists of n + 2 states {0, . . . , n + 1}, with an a-transition from state i to state i + 1 and a self loop at state n + 1. The state i is accepting whenever a i ∈ L.
Proof. Deterministic automata: For the upper bound, consider a DFA A recognising an LTL definable language. By a pumping argument, if w ∈ L(A) for some w longer than n, then L(A) is infinite. Considering the dual automaton A of A, recognising the complement language, by the pumping argument if w ∈ L(A) for some w longer than n, then the complement of L(A) is infinite. Hence, by Proposition 2, L(A) agrees on all words of length more than n, and by Proposition 3 there is an LTL formula for it of length in O(n). As for the lower bound, since there is a DFA of size n recognising a k , it directly follows from Proposition 1. Nondeterministic automata: Directly follows from Lemmas 1 and 2.
Alternating automata: Directly follows from Lemma 3 and Proposition 5.
Lemma 1. Every alternating automaton with n states that recognises an LTLexpressible language L ⊆ {a} + is equivalent to an LTL formula of size in O(2 n ).
Proof. First recall that the run of an alternating automaton is a tree, of which all paths are accepting if and only if the run itself is accepting. These runs can be pumped in the same way as runs of nondeterministic automata, except that the run to be pumped must be of length over 2 n to guarantee that the set of states in a cross-section of the run are repeated. Then, by a pumping argument, if w ∈ L(A) for some w longer than 2 n , then L(A) is infinite: indeed, let A be an NFA equivalent to A of size at most 2 n ; if A accepts a word longer than 2 n , then its run sees some state more than once and can be pumped to build infinitely many accepting runs. Dually, since AFA are easy to complement, if w / ∈ L(A) for some w longer than 2 n , then Σ * \L(A) is infinite. The existence of both w ∈ L(A) and w / ∈ L(A) longer than 2 n therefore contradicts Lemma 2. We conclude that L(A) agrees on all words of length over 2 n . Thus, by Proposition 3 there is an LTL formula for L(A) of length in O(2 n ). Proof. The idea of the construction is that it represents an n-bit up-counter, having two states for each bit, one corresponding to 1, one to 0 (see Fig. 1).
Given a way to resolve the nondeterministic choices, the resulting set of "active" states of the automaton represents a configuration of the counter: The nondeterminism in each bit-state chooses whether to change the bit's value (going left in Fig. 1), in which case the universality ensures that all lower bits are set to 0, or to preserve the bit's value (going right in Fig. 1), in which case the universality ensures that at least one lower bit is set to 1.
The automaton thus preserves the invariant that a correct update (for example from 011 to 100) ensures that the number of active states is constant, in particular, if all updates are correct, then exactly one state per bit is active at a time; an incorrect update on the other hand increases the number of active states. The set of accepting states corresponds to the bit-configuration for 2 n−1 , where a transition to a state q i,0 , for every i < n, can be changed to a move to q acc , provided that it is on the last letter of the input word. (There is no transition out of q acc ). The only way to build an accepting run is to correctly update the counter at each step; an incorrect update ensures that both states of some bit are set from thereon, of which one must be rejecting.
As for the automaton size, which is the number of subformulas in the transition function, observe that it is linear in n, since there are 2n states and the total number of subformulas in the transition function is as follows: The transition functions of q 1,0 and q 1,1 have together four subformulas, and the transition function of every other state q (i,·) adds up to 4 subformulas: (i) the topmost disjunction of whether to change the bit's value or not; (ii)&(iii) the universality involved in each of these two options; and (iv) within each of the two universality subformulas -a disjunction or conjunction between q (i−1,·) and (q (i−1,·) , . . . , q (i−1,·) ), where the latter subformula (within the parenthesis) is already used in the transition function of q (i−1,·) and these two formulas (one of conjunction and one of disjunction) is used by both q i,0 and q i,1 (except for q n,1 = q acc , which has no outgoing transitions). Proof. If L(A) is finite, then by a pumping argument, A only accepts words up to length n, and by Proposition 3 we are done. We consider co-finite L(A).
We will argue using 2-way deterministic automata, which are deterministic automata that process words of the form w , where and are start-and end-of-word markers respectively, and where transitions specify whether to read the letter to the right or to the left of the current position. They accept by reaching an end state, and reject by reaching a rejecting state or by failing to terminate. For a more formal definition, see [17]. We will use the facts that a unary NFA can be turned into a 2-way DFA of size O(n 2 ) [9], that a 2-way DFA of size m can be complemented into one of size 4m [17], and that the smallest 2-way DFA recognising {a k } is of length k + 2 [1].
The NFA A can be turned into a 2-way DFA D with O(n 2 ) states recognising the same language. From D, we can obtain a 2-way DFA D that recognises a * \ {a k }, where a k is the longest word not in L(A), as follows: we keep the states and transitions involved in the run of D on a k , which is rejecting and must read (since, by the co-finiteness of L(A), there are accepted words longer than a k ). Notice that states in D may have only some of the transitions they had in D -only those that are involved in the run on a k . We then add an a-transition and a -transition from all states without such transitions, and these all lead to the (accepting) end state.
Notice that D is still deterministic and not larger than D. It still rejects a k , on which it has the same run as D, but accepts all other words, which are either shorter than a k and therefore accepted via one of the new -transitions, or are longer than a k and accepted when they read the k + 1 th letter.
We can then complement D into a 2-way DFA D of size linear in the size of D , namely in O(n 2 ), that recognises {a k }. However, since D must be of size at least k + 2, we get that k + 2 is at most in O(n 2 ), meaning that the longest word rejected by A, which is of length k, is of length in O(n 2 ).
Then, there is an equivalent very weak automaton of the size of the longest word not in L(A), from Lemma 2.
A.2 Proofs from Section 4.1 Proposition 7. Let D be a deterministic Büchi, coBüchi or Rabin automaton, with a semiautomaton homomorphic to a cascade A. There is respectively a deterministic Büchi, coBüchi or Rabin automaton D equivalent to D with semiautomaton A. For Rabin, D and D have the same number of acceptance pairs. Proof. We provide the proof for Rabin automata. The proofs for Büchi and coBüchi automata are special cases of the Rabin case.
Let D = (Σ, Q, ι, δ, α), and h be the mapping via which (Σ, Q, δ) is homomorphic to A. We shall define a configuration ι of A, and a set α of pairs of sets of configurations of A that will provide the initial state and acceptance condition of D , making it equivalent to D.
For the initial state of D , one can choose any configuration ι ∈ h −1 (ι): A run of A starting in ι corresponds via h to a run of D starting in h(ι ) = ι.
As for the acceptance condition, consider the run r of D on a word w, starting in ι , and let r = h(r ) be the corresponding run of D on w. (With h(r ), we mean the sequence of states of D, obtained by mapping with h each configuration of r .) Then, r should be accepting iff r is.
Thus, r should visit infinitely often some configuration in G = h −1 (G) and finitely often every configuration in B = h −1 (B). Hence, there are k acceptance pairs (G , B ) in α , each corresponding to an acceptance pair (G, B) in D.
Proposition 8. Consider a deterministic Muller automaton D with n states, whose semiautomaton is homomorphic to a reset cascade A with m configurations. Then there is a deterministic Muller automaton D equivalent to D, whose semiautomaton is A and its Muller condition has up to 2 O(mn) acceptance sets.
Proof. Let D = (Σ, Q, ι, δ, α), and h be the mapping via which (Σ, Q, δ) is homomorphic to A. We shall define a configuration ι of A, and a set α of sets of configurations of A that will provide the initial state and acceptance condition of D , making it equivalent to D.
For the initial state of D , one can choose any configuration ι ∈ h −1 (ι): A run of A starting in ι corresponds via h to a run in D starting in h(ι ) = ι.
As for the acceptance condition, consider the run r of D on w, starting in ι , and let r = h(r ) be the run of D on w (that is defined by mapping each configuration of r to a state of D via h). Then, r should be accepting iff r is.
Recall that r is accepting iff inf (r ) = M , for some M = {q 1 , . . . q l } ∈ α. Hence, r should be accepting "according to M " iff h(inf (r )) = M . Thus, r should visit finitely often every configuration in h −1 (Q \ M ), and for every i ∈ [1..l], visit some configurations in G i = h −1 (q i ) infinitely often.
Since we should consider every choice of configurations in G i = h −1 (q i ), where |G i | ≤ m, there are up to 2 m choices for G i , and therefore up to (2 m ) n choices for M , each providing a Muller set G of configurations to be visited infinitely often.
As there are up to 2 n sets in α, we end up with up to 2 n (2 m ) n ∈ 2 O(mn) sets in α .

A.3 Proofs from Section 4.2
Lemma 4. The intended semantics of Table 1 hold for all infinite words w ∈ Σ ω = (2 AP ) ω , configurations S, B, T of level m ≤ n, states s, b, t in level m + 1 (when m < n), and LTL formulas β and τ over AP .
Proof. Observe first that there is no circularity in the definitions of the five reachability formulas, even though they are defined by each other: Formula 2 is defined on top of formula 1, which is defined on top of formulas 3 and 5, while formulas 3, 4, and 5 are defined with respect to reachability formulas over configurations of a lower level.
We prove the statement by induction on the level m of the configurations S, B, T in the reachability formulas. We split the proof to five cases corresponding to the five reachability formulas in Table 1. In order to clarify which equivalence of the induction hypothesis is used we denote by (I.H.1) the equivalence in Table 1 for reachability formula 1, (I.H.2) the equivalence for reachability formula 2, and so on.
Reachability formula 1 (m = 0): There is exactly one configuration of level 0 and it is the empty configuration. Thus S = T = B = . We then derive: .] |= β (m → m + 1): Let S, s , T, t , B, b ∈ Q 1 × · · · × Q m+1 be arbitrary config-the equation is satisfied by w. Thus let k ∈ [0..i) be the smallest non-negative integer such that: w[k], δ(S, w [0..k) ) ∈ Leave(s) Since k < i, we immediately obtain one of the missing preconditions for applying (I.H.5): The second missing precondition is that we need to find a j 1 ∈ [0..i) such that w[j 1 ], δ(S, w [0..j1) ) ∈ Enter(t): In the case s = t this is straightforward, since after reading w [0..i) we reach T, t , and thus there must be a j 1 < i such that w[j 1 ], δ(S, w [0..j1) ) ∈ Enter(t). Thus let us assume s = t. In general there might be not such an index j 1 . However, we have shown that w[k], δ(S, w [0..k) ) ∈ Leave(s) for some k < i and by the same reasoning as above there must be j 1 between k and i such that w[j 1 ], δ(S, w [0..j1) ) ∈ Enter(t).
We now can apply (I.H.5) and conclude this direction of the proof. Thus we can assume that w satisfies ϕ and using the same reasoning we know that either δ( S, s , w [0..0) ) = B, b or w [0..] |= β does not hold, which takes care of the case j 1 = 0 in the second line of the right-hand side, assuming i > 0.
Since we have w |= ϕ, there must be a σ, T ∈ Stay(s) with δ( T , s , σ) = T, t such that the matching disjunct ψ of ϕ is satisfied by w. Note that this immediately implies that s = t. Observe that ψ is a conjunction of formulas with the shape and we now apply (I.H.1) to all reachability formulas. Since they all share the same target, we can instantiate them to the same i (where i is the smallest non-negative integer satisfying the conditions) such that: .i ) at least one of the following statements holds: We now instantiate i of the right-hand side with i + 1. Remember that we have σ, T ∈ Stay(s) and together with (a-c) we obtain the first conjunct of the right hand side.
Thus without loss of generality we can assume i > 0 from now on. Further, due to (c) we have that either S, s = B, b or w |= β. Thus it remains to show that w |= S, s (a) For every η, L ∈ Leave(s) at least one of the following statements holds: For every ρ, B ∈ Stay(s) such that δ( B , s , ρ) = B, b at least one of the following statements holds: Because w and the sequence of generated configurations does not contain a combined letter that leaves s due to (a), we do have w We now assume that there exists a tuple σ, T such that w satisfies the matching disjunct χ of line (1). Note that the existence of σ, T immediately implies s = t. Moreover, we can assume that w does not satisfy the disjunct ψ from line (2) T (σ ∧ Xτ ) and we now apply the induction hypothesis to all reachability formulas. Since they all share the same "target", we can instantiate the nested existential quantification to the same j (where j is the smallest non-negative integer satisfying the condition) such that: .j ] at least one of the following statements holds: In order to show that w satisfy the right-hand side of the equation, let now i ≥ 0 be an arbitrary integer and we need to prove: The case i = 0 was already discussed in the second paragraph. Further, if i > j + 1, then (a-c) show that j can be instantiated with j + 1. Thus assume that i ∈ [1..(j + 1)]. Further, since j was chosen to be the smallest integer such that (a-c) holds, we can simplify the expression we need to prove to: Note that second conjunct is direct consequence of (d). For the first conjunct, we proceed by contradiction and assume that i is the smallest integer such that: (⇐): We assume that w satisfies the right-hand side. We first consider the case that the nested existential quantification is not true for any i ≥ 0. Thus for all i ≥ 0 it holds that: We then apply the induction hypothesis (I.H.2) to (a',b') and obtain that w satisfies the disjunct of line (2).
We now consider the second case and assume that there is a j such that: Without loss of generality, we can assume j to be the smallest integer with such a property. Further, since w satisfies the right-hand side, we have: If j = 0, then w immediately satisfies the left-hand side. Thus assume j > 0. Due to (c), we have that σ, T = w [j−1] , δ(S, w [0..j−1) ) ∈ Stay(s) and δ( δ(S, w [0..j−1) ), s , w [j−1] ) = T, t . Thus there exists a matching disjunct for σ, T in line (1) and we know it is satisfied by w due the (a, b, d) and the induction hypothesis (I.H.2).

Reachability formula 5
We want to prove the following equivalence: T, t (τ ) holds and proceed by first constructing a witness for i 2 and then one for i 1 .
(∃i 2 ): Since w satisfies line (3), there must be a combined letter σ, L ∈ Leave(s) such that w satisfies the corresponding disjunct. We apply to this disjunct the induction hypothesis (I.H.3) and instantiate the existential quantifier to i 2 (which we intend to be the witness for ∃i 2 ) with the following properties: Observe that due to (1,2) we have w[i 2 ], δ(S, w [0..i2) ) ∈ Leave(s) and together with (2,3) one can see that i 2 is a sufficient witness for the ∃i 2 in the right-hand side of the equation we want to prove. Note that property (4) is not useless and will be of importance later. (∃i 1 ): Since w also satisfies lines (1,2), there must be a combined letter σ, T ∈ Enter(t) such that w satisfies the corresponding disjunct. We then apply the induction hypothesis (I.H.1) to all terms of the matching conjunction in lines (1,2). Since all reachability formulas share the same target configuration and formula, we can instantiate all existential quantifiers to the same integer k by picking the smallest instance for each existential quantifier. Let now k be this smallest nonnegative integer. We introduce the following two abbreviations T = δ( T , · , σ) and R η = δ( R, · , η) for some η, R ∈ Enter(b). Note that we can leave out the last state in the definition of T , since for all states q, p the transition relation maps the the same successor configuration, i.e., δ( T , q , σ) = δ( T , p , σ). Analogously, for we omit it from R η . We now list all relevant properties of k derived from applying the induction hypothesis: 5. δ(S, w [0..k) ) = T Lemma 5. Let S, B, T be configurations of level m ≤ n, and let s, b, t be states in level m + 1 (when m < n). Then for i ≥ 1 it holds that: -S ∼∼∼∼∼ X X X Reachability formula 5. Let β ∈ Π i and let τ ∈ Σ i . By an analogous argument to the two preceding cases we obtain that the formulas in line (1) and (3)  Proof. We first prove the upper bound on the depth of the formula and then move on to the claim about the length of the formula. Depth Analysis. We prove the claim by induction on the level i. For the base case of i = 0, the main reachability formula is just (¬β)Uτ , having D(0, d) = d + 1, which is equal to d + 3 0 , as required. For the induction step of a general level i > 0, we will first establish a bound on D(i, d) that is relative to D(i−1, d), and then get from it an absolute bound, using the induction hypothesis.
Observe that D(i, d) is bounded in Table 2 to the maximum between D 3 (i, d) and Length Analysis. We prove the claim by induction on the level i. For the base case of i = 0, the main reachability formula is just (¬β)Uτ , having L(0, l) = 2 + 2l, which is indeed not larger than l · (10|Σ| 2 n) 4 i . For the induction step of a general level i > 0, we will first establish a bound on L(i, l) relative to L(i−1, ·), and then apply the induction hypothesis to get an absolute bound.
Proof. We complete the proof of the Theorem and give a complete analysis of all six acceptance conditions: -D is a Muller automaton: the overall formula ϕ is in ∆ 2 , since it is a Boolean combination of Fin(C) formulas, which by Lemma 7 belong to Σ 2 . -D is a coBüchi automaton: we construct the formula ϕ directly from the coBüchi condition α, having a conjunction of Fin(C) formulas, over all configurations C that are mapped to states in α. As Fin(C) belongs to Σ 2 , so does ϕ. -D is a Büchi automaton: we can complement it, apply the above argument over the resulting coBüchi automaton, and negate the resulting formula to obtain a formula from Π 2 . -D is a looping-coBüchi automaton: Let s ∈ Q be the unique sink state that all accepting runs end up in, and let S be the set of configurations mapped to s. We then define ϕ as C∈S ι ∼∼∼ C. Note that ϕ belongs to Σ 1 since every disjunct belongs to Σ 1 due to Lemma 5. -D is a looping-Büchi automaton: the dual of the previous argument.
-D is a weak automaton: Let G ⊆ Q be an accepting SCC of D and G ⊆ Q be all states that are reachable from G, but are not in G. Let H and H be the set of configurations that are mapped to G and G , respectively. Then by Lemma 4, we have that ( C∈H ι ∼∼ C) ∧ ( C ∈H ¬ι ∼∼ C ) exactly captures all words that are accepted by eventually ending up in G. The overall formula ϕ is then the disjunction of these formulas constructed for each accepting SCC of D. The membership in ∆ 1 then follows immediately from Lemma 5.