Process Equivalence Problems as Energy Games

We characterize all common notions of behavioral equivalence by one 6-dimensional energy game, where energies bound capabilities of an attacker trying to tell processes apart. The defender-winning initial credits exhaustively determine which preorders and equivalences from the (strong) linear-time-branching-time spectrum relate processes. The time complexity is exponential, which is optimal due to trace equivalence being covered. This complexity improves drastically on our recent approach for deciding groups of equivalences where exponential sets of distinguishing HML formulas are constructed on top of a super-exponential reachability game. In experiments using the VLTS benchmarks, the algorithm performs on par with the best similarity algorithm.


Introduction
Many verification tasks can be understood along the lines of "how equivalent" two models are. Figure 1 replicates a standard example, known for instance from the textbook Reactive Systems [3]: a specification of mutual exclusion Mx as two alternating users A and B entering their critical section (ec_A/ec_B) and leaving it (lc_A/lc_B) before the other may enter; and the transition system of Peterson's [28] mutual exclusion algorithm Pe, minimized by weak bisimilarity, with internal τ-steps due to the coordination that needs to happen. For Pe to faithfully implement mutual exclusion, it should behave somewhat similarly to Mx.
Semantics in concurrent models must take nondeterminism into account. Setting the degree to which nondeterminism counts induces equivalence notions with subtle differences: Pe and Mx weakly simulate each other, meaning that a tree of options from one process can be matched by a similar tree of the other. This implies that they have the same weak traces, that is, matching paths. However, they are not weakly bisimilar, which would require a higher degree of symmetry than mutual simulation, namely, matching absence of options. There are many more such notions. Van Glabbeek's linear-time-branching-time spectrum [21] (cf. Figure 3) brings order to the hierarchy of equivalences. But it is notoriously difficult to navigate. In our example, one might wonder: Are there notions relating the two besides mutual simulation?
Our recent algorithm for linear-time-branching-time spectroscopy by Bisping, Nestmann, and Jansen [9,7] is capable of answering equivalence questions for finite-state systems by deciding the spectrum of behavioral equivalences in one go. In theory, that is. In practice, the algorithm of [7] runs out of memory when applied to the weak transition relation of even small examples like Pe. The reason for this is that saturating transition systems with the closure of weak steps adds a lot of nondeterminism. For instance, Pe may reach 10 different states by sequences of internal τ-steps. The spectroscopy algorithm of [7] builds a bisimulation game where the defender wins if the game starts at a pair of equivalent processes. To allow all attacks relevant for the spectrum, the [7]-game must consider partitionings of state sets reached through nondeterminism. There are 115,975 ways of partitioning 10 objects. As a consequence, the game graph of [7] comparing Pe and Mx has 266,973 game positions. On top of each position, [7] builds sets of distinguishing formulas of Hennessy-Milner modal logic (HML) [24,21] with minimal expressiveness. These sets may grow exponentially. Game over!

Contributions. In this paper, we adapt the spectroscopy approach of [9,7] to render small verification instances like Pe/Mx feasible. The key ingredients that will make the difference are: understanding the spectrum purely through depth properties of HML formulas; using multidimensional energy games [15] instead of reachability games; and exploiting the considered spectrum to drastically reduce the branching degree of the game as well as the height of the energy lattice. Figure 2 lays out the algorithm with pointers to key parts of this paper.
- Subsection 2.2 explains how the linear-time-branching-time spectrum can be understood in terms of six dimensions of HML expressiveness, and Subsection 3.1 introduces a class of declining energy games fit for our task.
- In Subsection 3.2, we describe the novel spectroscopy energy game, and, in Subsection 3.3, prove it to characterize all notions of equivalence definable by the six dimensions.
- Subsection 3.4 shows that a more clever game with only linear branching factor still covers the spectrum.
- Subsection 4.1 provides an algorithm to compute winning initial energy levels for declining energy games with min_D-updates, which enables decision of the whole considered spectrum in 2^{O(|P|)} for systems with |P| processes (Subsection 4.2).
- In Subsection 4.3, we add fine print on how to obtain equivalences and distinguishing formulas in the algorithm.
- Section 5 compares to [7] and [29] through experiments with the widely used VLTS benchmark suite [18]. The experiments also reveal insights about the suite itself.

Figure 2: Overview of the computations (→) and correspondences (∼) we will discuss.

Distinctions and Equivalences in Transition Systems
Two classic concepts of system analysis form the background of this paper: Hennessy-Milner logic (HML) interpreted over transition systems goes back to Hennessy and Milner [24] investigating observational equivalence in operational semantics. Van Glabbeek's linear-time-branching-time spectrum [21] arranges all common notions of equivalence as a hierarchy of HML sublanguages.

Transition Systems and Hennessy-Milner Logic
Definition 1 (Labeled transition system). A labeled transition system is a tuple S = (P, Σ, →) where P is the set of processes, Σ is the set of actions, and → ⊆ P × Σ × P is the transition relation. By I(p) we denote the actions enabled initially for a process p ∈ P, that is, I(p) := {a ∈ Σ | ∃p′ ∈ P. (p, a, p′) ∈ →}.

Hennessy-Milner logic expresses observations that one may make on such a system. The set of formulas true of a process offers a denotation for its semantics.
Definition 2 (Hennessy-Milner logic). The syntax of Hennessy-Milner logic over a set Σ of actions, HML[Σ], is defined by the grammar:

Its semantics ⟦·⟧_S over a transition system S = (P, Σ, →) is given as the set of processes where a formula "is true". HML basically extends propositional logic with a modal observation operation.
Conjunctions then bound trees of future behavior. Positive conjuncts impose lower bounds, negative ones impose upper bounds. For the scope of this paper, finite bounds suffice, i.e., conjunctions are finite-width. The empty conjunction ⊤ := ⋀∅ is usually omitted in writing. We use Hennessy-Milner logic to capture differences between program behaviors. Depending on how much of its expressiveness we use, different notions of equivalence are characterized.
Definition 3 (Distinguishing formulas and preordering languages). A formula φ ∈ HML[Σ] is said to distinguish two processes p, q ∈ P iff p ∈ ⟦φ⟧_S and q ∉ ⟦φ⟧_S. A sublanguage of Hennessy-Milner logic, O_X ⊆ HML[Σ], either distinguishes two processes, p ⋠_X q, if it contains a distinguishing formula, or preorders them otherwise. If processes are preordered in both directions, p ⪯_X q and q ⪯_X p, then they are considered X-equivalent, p ∼_X q.

Figure 3 charts the linear-time-branching-time spectrum. If processes are preordered/equated by one notion of equivalence, they also are preordered/equated by every notion below. We will later formally characterize the notions through Proposition 1. For a thorough presentation, we point to [23]. For those familiar with the spectrum, the following example serves to refresh memories.
Example 1. Figure 4 shows a tiny slice of the weak-step-saturated version of our initial example from Figure 1 that is at the heart of why Pe and Mx are not bisimulation-equivalent. The difference between S and S′ is that S can internally transition to Div (labeled τ) without ever performing an ec_A action. We can express this difference by the formula φ_S := ⟨τ⟩⋀{¬⟨ec_A⟩}, meaning "after τ, ec_A may be impossible." It is true for S, but not for S′. Knowing a distinguishing formula means that S and S′ cannot be bisimilar by the Hennessy-Milner theorem. The formula φ_S is called a failure (or refusal) as it specifies a set of actions that are disabled after a trace. In the other direction of comparison, the negation φ_{S′} := ⋀{¬⟨τ⟩⋀{¬⟨ec_A⟩}} distinguishes S′ from S. The differences between the two processes cannot be expressed in HML without negation. Therefore the processes are simulation-equivalent, or similar, as similarity is characterized by the positive fragment of HML.

Price Spectra of Behavioral Equivalences
For algorithms exploring the linear-time-branching-time spectrum, it is convenient to have a representation of the spectrum in terms of numbers or "prices" of formulas as in [7]. We, here, use six dimensions to characterize the notions of equivalence depicted in Figure 3. The numbers define the HML observation languages that characterize the very preorders/equivalences. Intuitively, each dimension bounds a depth property of formulas, as fixed by the pricing function expr of Definition 5 and illustrated in Figure 5, where circles mark the points that are counted. The formula of Figure 5 expresses a so-called ready-trace observation: we observe a trace τ · ec_A · lc_A and, along the way, may check what other options would have been enabled or disabled. Here, we check that τ is enabled and ec_B is disabled after the first τ-step. With the pricing, we can characterize all standard notions of equivalence:

Proposition 1. On finite systems, the languages of formulas with prices below the coordinates given in Figure 3 characterize the named notions of equivalence, that is, p ⪯_X q with respect to equivalence X iff no φ with expr(φ) ≤ e_X distinguishes p from q.
Example 2. The formulas of Example 1 have prices: expr(⟨τ⟩⋀{¬⟨ec_A⟩}) = (2, 2, 0, 0, 1, 1) for φ_S and expr(⋀{¬⟨τ⟩⋀{¬⟨ec_A⟩}}) = (2, 3, 0, 0, 2, 2) for φ_{S′}. The prices of the two are depicted as red marks in Figure 6. This also visualizes how φ_{S′} is a counterexample for bisimilarity and how φ_S is a counterexample for failure and finer preorders. Indeed, the two preorders are the coarsest ways of telling the processes apart. So, S and S′ are equated by all preorders below the marks, i.e., similarity, S ∼_{1S} S′, and coarser preorders (S ∼_T S′, S ∼_E S′). This carries over to the initial example of Peterson's mutex protocol from Figure 1, where weak simulation, Pe ∼_{1WS} Mx, is the most precise equivalence. Practically, this means that the specification Mx has liveness properties not upheld by the implementation Pe.
Remark 1. Definition 5 deviates from our previous formula pricing of [7] in a crucial way: We only collect the maximal depths of positive clauses, whereas [7] tracks numbers of deep and flat positive clauses (where a flat clause is characterized by an observation depth of 1). Our change to a purely "depth-guided" spectrum will allow us to characterize the spectrum by an energy game and to eliminate the Bell-numbered blow up from the game's branching-degree. The special treatment of the deepest positive branch is necessary to address revival, failure trace, and ready trace semantics, which are popular in the CSP community [31,17].

An Energy Game of Distinguishing Capabilities
Conventional equivalence problems ask whether a pair of processes is related by a specific equivalence. These problems can be abstracted into a more general "spectroscopy problem" to determine the set of equivalences from a spectrum that relate two processes as in [7]. This section captures the spectrum of Figure 3 by one rather simple energy game.

Energy Games
Multidimensional energy games are played on graphs labeled by vectors to be added to (or subtracted from) a vector of "energies", where one player must pay attention to the energies not being exhausted. We plan to encode the distinction capabilities of the semantic spectrum as energy levels in an energy game enriched by min_D-operations that take minima of components. This way, energy levels where the defender has a winning strategy will correspond to equivalences that hold. We will just need updates decrementing or maintaining energy levels.
Definition 6 (Energy updates). The set of energy updates, Up, contains vectors (u_1, …, u_N) ∈ Up where each component u_k is either an integer or of the form min_D for a set of indices D ⊆ {1, …, N}. Applying an update to an energy, upd(e, u), where e = (e_1, …, e_N) ∈ En (or En^∞) and u = (u_1, …, u_N) ∈ Up, yields a new energy vector e′ whose kth component is e′_k := e_k + u_k for u_k ∈ Z and e′_k := min_{d∈D} e_d for u_k = min_D. Updates that would cause any component to become negative are illegal.
Definition 7 (Games). An N-dimensional declining energy game G[g_0, e_0] = (G, G_d, w, g_0, e_0) is played on a directed graph of positions G, whose moves are uniquely labeled by energy updates through w, with defender positions G_d ⊆ G (the remaining positions G_a := G \ G_d belong to the attacker), an initial position g_0 ∈ G, and an initial energy budget vector e_0 ∈ En^∞.
We say that g moves to g′ with update u if (g, g′) is a move of the graph and w(g, g′) = u.
Definition 8 (Plays, energies, and wins). We call the (finite or infinite) sequences of positions ρ = g_0 g_1 g_2 … that start at the initial position and in which each g_i moves to g_{i+1} with update u_i := w(g_i, g_{i+1}) the plays of G[g_0, e_0]. The energy level of a play ρ at round i, EL_ρ(i), is recursively defined as EL_ρ(0) := e_0 and otherwise as EL_ρ(i + 1) := upd(EL_ρ(i), u_i). If we omit the index, EL_ρ, this refers to the final energy level of a finite run ρ, i.e., EL_ρ(|ρ| − 1).
Plays where energy levels become undefined (negative) are won by the defender. So are infinite plays. If a finite play g_0 … g_n is stuck (i.e., g_n has no move), the stuck player loses: the defender wins if g_n ∈ G_a, and the attacker wins if g_n ∈ G_d.
Proposition 2. In this model, energy levels can only decline.
1. Updates may only decrease energies, upd(e, u) ≤ e.
2. Energy level changes are monotonic: If EL_{ρg} ≤ EL_{σg} and g moves to g′, then also EL_{ρgg′} ≤ EL_{σgg′}.

Definition 9 (Strategies and winning budgets). An attacker strategy is a map s from play prefixes ending in attacker positions to next game moves. Similarly, a defender strategy names moves starting in defender positions. If all plays consistent with a strategy s ensure that a player wins, s is called a winning strategy for this player. The player with a winning strategy for G[g_0, e_0] is said to win G from position g_0 with initial energy budget e_0. We call Win_a(g) = {e | G[g, e] is won by the attacker} the attacker winning budgets.
Proposition 3. The attacker winning budgets at positions are upward-closed with respect to energy, that is, e ∈ Win_a(g) and e ≤ e′ implies e′ ∈ Win_a(g).
This means we can characterize the set of winning attacker budgets in terms of minimal winning budgets Win^min_a(g) = Min(Win_a(g)), where Min(S) selects the minimal elements {e ∈ S | ∄e′ ∈ S. e′ ≤ e ∧ e′ ≠ e}. Clearly, Win^min_a must be an antichain and thus finite due to the energies being well-partially-ordered [26]. Dually, we may consider the maximal energy levels winning for the defender, Win^max_d : G → 2^{En^∞}, where we need extended energies to bound won half-spaces.

The Spectroscopy Energy Game
Let us now look at the "spectroscopy energy game" at the center of our contribution. Figure 7 gives a graphical representation. The intuition is that the attacker shows how to construct formulas that distinguish a process p from every q in a set of processes Q. The energies limit the expressiveness of the formulas. The first dimension bounds for how many turns the attacker may challenge observations of actions. The second dimension limits how often they may use conjunctions to resolve nondeterminism. The third, fourth, and fifth dimensions limit the depth of positive conjuncts (e_3, e_4) and of negative conjuncts (e_5), and the last dimension bounds how deeply negations may be nested (cf. the prices of Example 2).

The game (Definition 10) is played on attacker positions (p, Q)_a and (p, q)^∧_a and defender positions (p, Q, Q*)_d, where p, q ∈ P and Q, Q* ∈ 2^P, with six kinds of moves. The spectroscopy energy game is a bisimulation game in the tradition of Stirling [33]: by Lemma 1, the defender wins from (p, {q})_a with unbounded energy (∞, ∞, ∞, ∞, ∞, ∞) precisely if p and q are bisimilar (full proof in the appendix). In other words, if there are initial budgets winning for the attacker, then the compared processes can be told apart. For G△, the attacker "unknown initial credit problem" in energy games [34] coincides with the "apartness problem" [20] for processes.
Example 3. Figure 8 shows the spectroscopy energy game starting at (S, {S′})_a from Example 1. The lower part of each node displays the node's Win^min_a. The magenta HML formulas illustrate distinctions relevant for the correctness argument of the following Subsection 3.3. Section 4 will describe how to obtain attacker winning budgets and equivalences. The blue "symmetric" positions are definitely won by the defender; we omit the game graph below them. We also omit a move that can be ignored, as will be discussed in Subsection 3.4.

Correctness: Tight Distinctions
We will check that winning budgets indeed characterize what equivalences hold by constructing price-minimal distinguishing formulas from attacker budgets.
Definition 11 (Strategy formulas). Given the set of winning budgets Win_a, the set of attacker strategy formulas Strat for a position with given energy level e is defined inductively as follows:

Proof. By induction on the tree of winning plays consistent with some attacker winning strategy implied by e_0 ∈ Win_a((p_0, Q_0)_a). Full proof in the appendix on page 25.
Proof. By induction on the structure of φ with arbitrary p, Q, e, exploiting that Strat can only construct formulas with the invariant that they are true for p and false for each q ∈ Q. Full proof in the appendix on page 26.
Proof. By induction on the structure of φ with arbitrary p, Q, exploiting the alignment of game structure and HML semantics and the fact that expr cannot "overtake" inverse updates. Full proof in the appendix on page 26.

Theorem 1 (Correctness).
For any equivalence X with coordinate e_X, p ⪯_X q precisely if all e_pq ∈ Win^min_a((p, {q})_a) are above or incomparable, e_pq ≰ e_X.
Proof. By contraposition, in both directions.
- Assume there is e_pq ∈ Win^min_a((p, {q})_a) with e_pq ≤ e_X. By Lemma 3, there is φ ∈ Strat((p, {q})_a, e_pq). Due to Lemma 4, φ must be distinguishing for p and q, and due to Lemma 2, expr(φ) ≤ e_pq ≤ e_X.
The theorem basically means that by fixing an initial budget in G△, we can obtain a characteristic game for any notion from the spectrum.

Becoming More Clever by Looking One Step Ahead
The spectroscopy energy game G△ of Definition 10 may branch exponentially with respect to |Q| at conjunction challenges after (p, Q)_a. For the spectrum we are interested in, we can drastically limit the sensible attacker moves to four options by a little lookahead into the enabled actions I(q) of q ∈ Q and I(p).
Definition 12 (Clever spectroscopy game). The clever spectroscopy game, G▲, is defined exactly like the previous spectroscopy energy game of Definition 10 with the restriction of the conjunction challenges to the four options determined by this lookahead. (The proof that G▲ still covers the spectrum is given in the appendix.)

Computing Equivalences
The previous section has shown that attacker winning budgets in the spectroscopy energy game characterize distinguishable processes and, dually, that the defender's wins characterize equivalences. We now examine how to actually compute the winning budgets of both players.

Computation of Attacker Winning Budgets
The winning budgets of the attacker (Definition 9) are characterized inductively:
- Where the defender is stuck, g ∈ G_d and g has no moves, the attacker wins with any budget, (0, 0, 0, 0, 0, 0) ∈ Win^min_a(g).
- Where the defender has moves, g ∈ G_d and g moves to g′_i with update u_i (for some indexing i ∈ I over all possible moves), the attacker wins if they have a budget equal to or above all budgets that might be necessary after the defender's move: If upd(e, u_i) ∈ Win_a(g′_i) for all i ∈ I, then e ∈ Win_a(g).
- Where the attacker moves, g ∈ G_a and g moves to g′ with update u, upd(e, u) ∈ Win_a(g′) implies e ∈ Win_a(g).
By Proposition 3, it suffices to find the finite set of minimal winning budgets, Win^min_a. Turning this into a computation is not as straightforward as in other energy game models. Due to the min_D-updates, the energy update function upd(·, u) is neither injective nor surjective.
We must choose an inversion function upd^{-1} that picks minimal solutions and that minimally "casts up" inputs that are outside the image of upd(·, u), i.e., such that upd^{-1}(e′, u) = inf{e | e′ ≤ upd(e, u)}. We compute it as follows:

With upd^{-1}, we only need to find the Win^min_a relation as a least fixed point of the inductive description. This is done by Algorithm 1. Every time a new way of winning a position for the attacker is discovered, this position is added to the todo list. Initially, these are the positions where the defender is stuck. The update at an attacker position in Line 8 takes the inversely updated budgets (upd^{-1}) of successor positions to be tentative attacker winning budgets. At a defender position, the attacker only wins if they have winning budgets for all follow-up positions (Line 12). Any supremum of such budgets covering all follow-ups will be winning for the attacker (Line 13). At both updates, we only select the minima as a finite representation of the infinitely many attacker budgets.
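To make Definitions 6 to 9 and the fixed-point computation of this subsection concrete, here is an added Python illustration that is not part of the paper and not its implementation: it applies updates with min_D components, derives upd^{-1} from its defining infimum, and iterates the inductive characterization to the least fixed point on a small constructed 3-dimensional declining energy game. The game graph, position names, and the 0-based indexing of dimensions are assumptions of this example.

```python
from itertools import product

# Energies are tuples of naturals. An update component is either an int
# (added to that component) or a frozenset D, standing for min_D: the
# component becomes the minimum over the components indexed by D.
# Indices are 0-based here (the paper counts dimensions from 1).


def upd(e, u):
    """Definition 6: apply update u to energy e; None if the update is
    illegal because some component would become negative."""
    out = []
    for k, uk in enumerate(u):
        v = e[k] + uk if isinstance(uk, int) else min(e[d] for d in uk)
        if v < 0:
            return None
        out.append(v)
    return tuple(out)


def upd_inv(e_next, u):
    """upd^{-1}(e_next, u) = inf{e | e_next <= upd(e, u)}.
    An integer component needs e_k >= e_next_k - u_k; a min_D component
    needs e_d >= e_next_k for every d in D. The componentwise maximum of
    these lower bounds is the least energy meeting all of them, which is
    the minimal "cast-up" the text asks for."""
    lower = [0] * len(u)
    for k, uk in enumerate(u):
        if isinstance(uk, int):
            lower[k] = max(lower[k], e_next[k] - uk)
        else:
            for d in uk:
                lower[d] = max(lower[d], e_next[k])
    return tuple(lower)


def leq(a, b):
    return all(x <= y for x, y in zip(a, b))


def sup(energies):
    return tuple(max(xs) for xs in zip(*energies))


def minimal(energies):
    """Min(S): the antichain of minimal elements of S."""
    s = set(energies)
    return frozenset(e for e in s if not any(o != e and leq(o, e) for o in s))


def attacker_win_min(positions, moves, dim):
    """Least fixed point of the inductive characterisation of Win_a,
    represented by the antichains Win^min_a (what Algorithm 1 computes).
    positions: name -> "a" (attacker) or "d" (defender);
    moves: name -> list of (update, successor)."""
    zero = tuple([0] * dim)
    win = {g: frozenset() for g in positions}
    changed = True
    while changed:
        changed = False
        for g, owner in positions.items():
            succ = moves.get(g, [])
            if owner == "a":
                # attacker wins if some move leads into a winning budget
                cands = {upd_inv(e, u) for u, g2 in succ for e in win[g2]}
            elif not succ:
                # stuck defender: attacker wins with any budget
                cands = {zero}
            else:
                # defender: the attacker needs a supremum of budgets that
                # covers every reply; product() yields nothing as soon as
                # one successor has no winning budget yet
                per_move = [[upd_inv(e, u) for e in win[g2]] for u, g2 in succ]
                cands = {sup(choice) for choice in product(*per_move)}
            new = minimal(cands)
            if new != win[g]:
                win[g], changed = new, True
    return win


def defender_wins(win, g, e):
    """Reading of Theorem 1: the defender wins G[g, e] iff no minimal
    attacker budget lies below (or equals) e."""
    return not any(leq(b, e) for b in win[g])


# Constructed game (assumption, not from the paper): attacker positions aN,
# defender positions dN, and one min_D update with D = {0, 1} at a4.
DIM = 3
POSITIONS = {"a0": "a", "d1": "d", "a1": "a", "a2": "a", "d2": "d",
             "a4": "a", "d3": "d", "a5": "a", "d4": "d"}
MOVES = {
    "a0": [((-1, 0, 0), "d1"), ((0, -1, 0), "d2")],
    "d1": [((0, 0, 0), "a1"), ((0, 0, 0), "a2")],
    "a1": [((-1, 0, 0), "d4")],
    "a2": [((0, 0, -1), "d4")],
    "d2": [((0, 0, 0), "a4")],
    "a4": [((frozenset({0, 1}), 0, 0), "d3")],
    "d3": [((0, 0, 0), "a5")],
    "a5": [((-2, 0, 0), "d4")],
    "d4": [],  # defender is stuck here
}
WIN = attacker_win_min(POSITIONS, MOVES, DIM)

if __name__ == "__main__":
    for g in POSITIONS:
        print(g, sorted(WIN[g]))
    print("defender wins a0 with (2,2,0):", defender_wins(WIN, "a0", (2, 2, 0)))
```

At a0 the result is the two-element antichain {(2, 0, 1), (2, 3, 0)}: the second element shows the min_D update at a4 casting the first component's requirement up into the second dimension.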

Complexity and How to Flatten It
For finite games, Algorithm 1 is sure to terminate in time exponential in the branching degree and the dimensionality of the game graph. We thus have established the approach to be double-exponential. The complexity of the previous spectroscopy algorithm [7] has not been calculated. One must presume it to be equal or higher, as the game graph has Bell-numbered branching degree and as the algorithm computes formulas, which entails more options than the direct computation of energies. This is what lies behind the introduction's observation that moderate nondeterminism already renders [7] unusable.
Our present energy game reformulation allows us to use two ingredients to do way better than double-exponentially when focussing on the common linear-time-branching-time spectrum: First, Subsection 3.4 has established that most of the partitionings in attacker conjunction moves can be disregarded by looking at the initial actions of processes.
Second, Fahrenberg et al. [15] have shown that considering just "capped" energies in a grid En_K = {0, …, K}^N can reduce complexity. Such a flattening of the lattice turns the space of possible energies into a constant factor (K + 1)^N (with (K + 1)^{N−1}-sized antichains) independent of input size. For Algorithm 1, the space complexity needed for attacker_win drops to O(|G|) and the time complexity to |M| · 2^{O(o)}, where |M| is the number of game moves and o the out-degree. If we are only interested in finitely many notions of equivalence as in the case of Figure 3, we can always bound the energies to range to the maximal appearing number plus one. The last number represents all numbers outside the bound up to infinity.
Deciding trace equivalence in nondeterministic systems is PSPACE-hard and will thus take at least exponential time. Therefore, the exponential time of the "clever" spectroscopy algorithm restricted to a finite spectrum is about as good as it may get, asymptotically speaking.

Equivalences and Distinguishing Formulas from Budgets
For completeness, let us briefly flesh out how to actually obtain equivalence information from the minimal attacker winning budgets Win min a ((p, {q}) a ) we compute.

Definition 14. For an antichain Mn ⊆ En characterizing an upper part of the energy space, the complement antichain of Mn has the complement energy space as its downset.

The complement antichain of the minimal attacker budgets in both directions, Win^min_a((p, {q})_a) and Win^min_a((q, {p})_a), will thus characterize the finest intersection of equivalences to equate p and q.
If we just wonder which of the equivalences from the spectrum hold, we may establish this more directly by checking which of them are not dominated by attacker wins.
From this information, we can also easily build witness relations to certify that we return sound equivalence results. In particular, the pairs (p, q) won by the defender against arbitrary attacker budgets, i.e., with Win^min_a((p, {q})_a) = ∅, form a bisimulation. Similarly, the strategy formulas of Definition 11 can directly be computed to explain inequivalence.
If we use symbolic winning budgets capped as proposed at the end of Subsection 4.2, the formula reconstruction will be harder and the Win^min_a((p, {q})_a) might be below the maximal defender winning budgets if these exceed the bound. But this will not matter as long as we choose a cap beyond the natural numbers that characterize our spectrum.

Exploring Minimizations
Our algorithm can be used to analyze the equivalence structure of moderately-sized real-world transition systems. In this section, we take a brief look at its performance on the VLTS ("very large transition systems") benchmark suite [18] and return to our initial Peterson example.
The energy spectroscopy algorithm has been added to the Linear-Time-Branching-Time Spectroscope of [7] and can be tried on transition systems at https://equiv.io/. Table 1 reports the results of running the implementation of [7] and this paper's implementation in variants using the spectroscopy energy game G△ and the clever spectroscopy energy game G▲. We tested on the VLTS examples of up to 25,000 states and the Peterson example (Figure 1). The table lists the P-sizes of the input transition systems and of their bisimilarity quotient system P/∼_B. The spectroscopies have been performed on the bisimilarity quotient systems by constructing the game graph underneath positions comparing all pairs of enabledness-equivalent states. The middle three groups of columns list the resource usage for the three implementations using: the [7]-spectroscopy, the energy game G△, and the clever game G▲. For each group, the first column reports traversed game size, and the second gives the time the spectroscopy took in seconds. Where the tests ran out of memory or took longer than five minutes (in the Java Virtual Machine with 8 GB heap space, at 4 GHz, single-threaded), the cells are left blank. The last three columns list the output sizes of state spaces reduced with respect to enabledness ∼_E, traces ∼_T, and simulation ∼_{1S}; as one would hope, all three algorithms returned the same results.
From the output, we learn that the VLTS examples, in a way, lack diversity: Bisimilarity ∼ B and trace equivalence ∼ T mostly coincide on the systems (third and penultimate column).
Concerning the algorithm itself, the experiments reveal that the computation time grows mostly linearly with the size of the game move graph. Our algorithm can deal with bigger examples than [7] (which fails at peterson, vasy_10_56 and cwi_1_2, and takes more than 500 seconds for vasy_8_24). Even where [7] has a smaller game graph (e.g. cwi_3_14), the exponential formula construction renders it slower. Also, the clever game graph of G▲ indeed is much smaller than that of G△ for examples with a lot of nondeterminism such as peterson.
Of those terminating, the heavily nondeterministic cwi_1_2 is the most expensive example. As many coarse notions must record the nondeterministic options, this blowup is to be expected. If we compare to the best similarity algorithm by Ranzato and Tapparo [29], they report their algorithm SA to tackle cwi_1_2 single-handedly. Like our implementation, the prototype of SA [29] ran out of memory while determining similarity for vasy_18_73. This is in spite of SA theoretically having optimal complexity and similarity being less complex (cubic) than trace equivalence, which we need to cover. The benchmarks in [29] failed at vasy_10_56 and vasy_25_25, which might be due to the tighter memory constraints of 2010 (they used 2 GB of RAM) or to the degree to which bisimilarity and enabledness in the models is exploited.

Conclusion and Related Work
This paper has connected two strands of research in the field of system analysis: The strand of equivalence games on transition systems starting with Stirling's bisimulation game [33,32,12,7] and the strand of energy games for systems of bounded resources [14,10,11,15,2,30,34,16,27]. The connection rests on the insight that levels of equivalence correspond to resources available to an attacker who tries to tell two systems apart. This parallel is present in recent work within the security domain [25] just as much as in the first thoughts on observable nondeterminism by Hennessy and Milner [24].
The paper has not examined the precise relationship of the games of Section 3 to the whole zoo of VASS, energy, mean-payoff, monotonic [1], and counter games. The spectroscopy energy game deviates slightly from common multi-energy games due to min_D-updates and due to the attacker being energy-bound (instead of the defender). As the energies cannot be exhausted by defender moves, the game can also be interpreted as a VASS game [10,2] where the attacker is stuck if they run out of energy. Our algorithm complexity matches that of general lower-bounded N-dimensional energy games [15]. Links between our declining energy games and other games from the literature might enable slight improvements of the algorithm. For instance, reachability in VASS games can turn polynomial [11].
In the strand of generalized game characterizations for equivalences [32,12,7], this paper extends applicability for real-world systems. The implementation performs on par with the most efficient similarity algorithm [29]. Given that among the hundreds of equivalence algorithms and tools most primarily address bisimilarity [19], a tool for coarser equivalences is a worthwhile addition. Although our previous algorithm [7] is able to solve the spectroscopy problem, its reliance on super-exponential partitions of the state space makes it ill-fit for transition systems with significant nondeterminism. In comparison, our new algorithm also needs one less layer of complexity because it determines equivalences without constructing distinguishing formulas.
These advances enable a spectroscopy of systems saturated by weak transitions. We can thus analyze weak equivalences such as in the example of Peterson's mutex. For special weak equivalences without a strong counterpart such as branching bisimilarity [22], deeper changes to the modal logic are necessary [6].
The increased applicability has allowed us to exhaustively consider equivalences on the smaller systems of the widely-used VLTS suite [18]. The experiments reveal that the spectrum between trace equivalence and bisimilarity mostly collapses for the examined systems. It may often be reasonable to specify systems in such a way that the spectrum collapses. In a benchmark suite, however, a lack of semantic diversity can be problematic: For instance, otherwise sensible techniques like polynomial-time reductions [13] will not speed up language inclusion testing, and nuances of the weak equivalence spectrum [8] will falsely seem insignificant. One may also overlook errors and performance degradations that appear only for transition systems where equal traces do not imply equivalent branching behavior. We hope this blind spot does not affect the validity of any of the numerous studies relying on VLTS benchmarks.
We prove inductively that plays with the defender applying this strategy will only reach positions with the invariant that (p, q) ∈ R at (p, q)^∧_a, respectively for some q ∈ Q at (p, Q)_a, and for some q ∈ Q ∪ Q* at (p, Q, Q*)_d, rendering the picks well-defined.
• At steps following ρ · (p, Q)_a, the invariant is maintained due to the simulation property of R.
• At steps following ρ · (p, Q, Q*)_d, the invariant is maintained due to the definition of s_d.
• At steps following ρ · (p, q)^∧_a, symmetry of R ensures the invariant.
As this shows that the defender will not get stuck following s_d regardless of energy, the defender wins with every energy, i.e., (∞, ∞, ∞, ∞, ∞, ∞) is a defender-winning budget. Conversely, the relation R of pairs won by the defender with unbounded energy must be a bisimulation relating p_0 and q_0:
• R is symmetric. As the energy level is unbounded, the attacker may Therefore, the defender wins from (p, {q})_a iff they win from (q, {p})_a.
• R is a simulation. With unbounded energy levels, the attacker may There, the defender only wins if there is a q′ such that they win after the moves (p′, Q′, ∅)_d, (p′, q′)^∧_a, (p′, {q′})_a. Therefore, the defender winning (p, {q})_a unboundedly and p −a→ p′ implies unbounded winning of (p′, {q′})_a for some q′ with q −a→ q′.
Remark 2. For finite-state systems, Proposition 1 and Theorem 1 would already prove Lemma 1. The preceding proof of Lemma 1 is more general as it also goes through for infinite-state systems.
Proof. By induction on the structure of φ with arbitrary p, Q, e.
• If ψ_q with q ≠ * is positive, ψ_q = φ_q, it must be due to a move like (p, q) We know by the definition of expr and with the obtained inequalities that sup({min(e_1, e_3) | * ∈ Q′} ∪ {min(e_1, e_3, e_4) | ψ_q positive} ∪ {min(e_1, e_5) | ψ_q negative}) and, from the definition of Win^min_a, that the expressiveness price at the defender position is a supremum of the budgets that are winning in the next moves, so that expr(⋀_{q∈Q′} ψ_q) ∈ Win_a((p, Q)_a).
Proof. e_0 ∈ Win_a((p_0, Q_0)_a) means that the attacker has a winning strategy s_a such that all plays consistent with the strategy that start at energy level e_0 lead to a position where the defender is stuck. Without loss of generality, we may suppose that the attacker strategy does not use conjunction challenges immediately after conjunction answers or revivals. (If it did, we could transform it to a strategy where the attacker would make up their mind at the first conjunction of a sequence.) Consider the tree of such s_a-plays, in particular the recurring attacker nodes of the form (p, Q)_a at energy level e, which must be e = EL_{ρ·(p,Q)_a} ∈ Win_a((p, Q)_a) after play ρ. Let us induct over this tree, proving Strat((p, Q)_a, e) to be nonempty at each node.
Proof. The implication from the clever spectroscopy game G▲ to the full spectroscopy game G△ is trivial as the attacker moves in G▲ are a subset of those in G△ and the defender has the same moves in both games. For the other direction, we have to show that any move from (p, Q)_a to (p, Q \ Q*, Q*)_d with update (0, −1, 0, 0, 0, 0) in G△ that is winning at energy level e can be simulated by a winning move from (p, Q)_a to (p, Q \ Q′, Q′)_d with update (0, −1, 0, 0, 0, 0) in G▲. Without loss of generality, we assume that the attacker winning strategy for G△ does not immediately nest conjunctions, i.e., that the attacker will play an observation at the next occasion. Therefore, all q ∈ Q that can only be beaten by negation moves must be in Q \ Q*. If e_3 = e_4, then the attacker in the clever game can just use (p, Q)_a

Each energy can trigger such an update only once at each position. So, the first tentative set of winning budgets assigned bounds the further updates in the order of energies below it. These are polynomially bounded by the size of the N-dimensional hypercube / grid containing these first tentative budgets and the zero vector. Each first assignment is bounded in each dimension by the length of simple paths originating from a position, which can be over-approximated by |G| for each position.
Two things follow from this: First, the number of antichains in the grid of occurring tentative budgets is bounded by |G|^{N−1}, leading to a space complexity due to attacker_win of |G| · |G|^{N−1}. Second, the points in the grid bound the proper updates a position can experience to |G|^N. Collectively, these can trigger at most move-many updates, so |M| · |G|^N bounds the updates, where |M| is the number of game moves. Every update must consider up to out-degree o many successors. At defender nodes, the update may take |G|^{(N−1)·o} combinations into account. This culminates in a time complexity of O(|M| · |G|^N · (o + |G|^{(N−1)·o})).
Proof of Lemma 7 (full spectroscopy complexity). Time complexity of computing winning budgets for the full spectroscopy energy game G△ is in 2^{O(|P|·2^{|P|})}.