Characteristic invariants in Hennessy–Milner logic

In this paper, we prove that Hennessy–Milner Logic (HML), despite its structural limitations, is sufficiently expressive to specify an initial property φ0\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\varphi _0$$\end{document} and a characteristic invariant χI\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\upchi _{_I}$$\end{document} for an arbitrary finite-state process P such that φ0∧AG(χI)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\varphi _0 \wedge \mathbf{AG }(\upchi _{_I})$$\end{document} is a characteristic formula for P. This means that a process Q, even if infinite state, is bisimulation equivalent to P iff Q⊧φ0∧AG(χI)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$Q \models \varphi _0 \wedge \mathbf{AG }(\upchi _{_I})$$\end{document}. It follows, in particular, that it is sufficient to check an HML formula for each state of a finite-state process to verify that it is bisimulation equivalent to P. In addition, more complex systems such as context-free processes can be checked for bisimulation equivalence with P using corresponding model checking algorithms. Our characteristic invariant is based on so called class-distinguishing formulas that identify bisimulation equivalence classes in P and which are expressed in HML. We extend Kanellakis and Smolka’s partition refinement algorithm for bisimulation checking in order to generate concise class-distinguishing formulas for finite-state processes.


Introduction
Branching time semantics [34,35] and, in particular, variants of bisimulation [32,33,35,37,38,40] together with their congruence properties [12,36,37] are topics that Rob van Glabbeek has at heart. This also comprises probabilistic behavior [8], a topic that we (Rob and Bernhard) cooperated on almost thirty years ago [39]. Hennessy-Milner logic (HML) [17] can be considered the most basic modal logic for capturing branching time semantics. It is therefore not surprising that Rob investigated its congruence properties [10,11]. The famous theorem of Hennessy and Milner [17] establishes the link between (strong) bisimulation and HML: two finitely branching processes can be separated by means of an HML formula if and only if they are not bisimulation equivalent. This is often stated as HML and bisimulation having the same distinguishing power. Characteristic formulas have a more ambitious role than separating two processes, they are meant to characterize entire bisimulation equivalence B Marc Jasper marc.jasper@cs.tu-dortmund.de Maximilian Schlüter maximilian.schlueter@cs.tu-dortmund.de Bernhard Steffen steffen@cs.tu-dortmund.de 1 TU Dortmund University, Dortmund, Germany classes: χ is a (bisimulation) characteristic formula for a process P if satisfaction of χ coincides with being bisimulation equivalent to P, i.e.:

∀Q. (Q | χ ⇐⇒ Q ∼ bisim P)
In [2], Browne et al. showed how characteristic formulas can be constructed for finite-state processes in computational tree logic (CTL). 1 Moreover, in [28], it was shown how such formulas can be generated within the modal μ-calculus (and HML with recursion, respectively).
In this paper, we prove that HML is sufficient to define an initial property ϕ 0 and a characteristic invariant χ I such that χ P = def ϕ 0 ∧ AG(χ I ) is a characteristic formula for a given finite-state process P. This means, in particular, that it is sufficient to check an HML formula for each reachable state of a finite-state process to verify that it is bisimulation equivalent to P. In fact, using e.g. the model checking algorithms presented in [5][6][7], context-free processes, pushdown-processes, and sequential processes can be checked for bisimulation equivalence with P.
Key to the construction of χ P is the separation of the specification of the one-step transition potential of states of P from their (loose) characterization. This separation essentially decomposes the global bisimulation property into a number of local-step properties in a way reminiscent of Floyd's inductive assertion method [9]: the global property is guaranteed via the consistency-here given by the local transition potential-of (loose) invariants. The latter are given by distinguishing formulas for the bisimulation equivalence classes of P.
Whereas the one-step transition potential can be specified in the way proposed in [2], the class-distinguishing formulas that separate non-bisimilar states can be constructed along the classical partition refinement process for minimization up to bisimulation [21]. Key is that the constructed set of distinguishing formulas Φ for P has the following two properties: -Each state of P satisfies some distinguishing formula.
-The partition of reachable states in P that is induced by Φ defines a bisimulation relation.
Throughout this paper, we only compare processes from a given universe that is specified by an alphabet Σ. This alphabet Σ comprises all considered process actions (transition labels). Based on Σ and the before-mentioned set of distinguishing formulas Φ, the desired HML invariant χ I for specifying the one-step potential of P can be derived as in [2]: The resulting characteristic formula ϕ 0 ∧ AG(χ I ) conceptually decomposes the verification process in a 'Floyd-like' manner using invariants and class-distinguishing formulas. In contrast, the characteristic formulas presented in [28] can rather be considered to be a monolithic, syntactic encoding of P.
After sketching some preliminaries in Sect. 2, Sect. 3 introduces our characteristic HML invariants based on class-distinguishing formulas and proves a corresponding characterization theorem. Subsequently, Sect. 4 presents the concept of a set of class-distinguishing formulas (SCDF) as a means to establish a sufficient condition for guaranteeing that our characteristic formula construction results in a formula that is satisfied by the argument LTS.
The effective construction of SCDFs from LTSs is described in Sect. 5. The underlying algorithm is an adaption of Kanellakis and Smolka's algorithm for checking bisimulation equivalence [21] to generate the required class-distinguishing formulas. Following a discussion of related work in Sect. 6, the paper closes with our conclusions and an outlook in Sect. 7.

Preliminaries
In this section, we recall the basic concepts that our approach is based on. Central in this regard are the definition of labeled transition systems and the usual corresponding notion of a process.

Definition 1 (LTS and process)
with set S L of states, alphabet Σ L , 2 and transition relation → L ⊆ S L × Σ L × S L .
We use the notation p a → L q to denote that ( p, a, q) ∈→ L and omit the subscript L in cases where the LTS is unambiguous. Furthermore, given a state s ∈ S L and a label a ∈ Σ L , we define the following shorthand notation for the set of a-predecessors of state s This definition extends naturally to sets of states: for each S ⊆ S L , we have Every state s ∈ S L of an LTS L defines a process P L (s) that constraints initial transitions to start in s. A state s ∈ S L is reachable in P L (s), denoted by s → * L s , iff there exists a sequence of transitions s i a i → L s i+1 in → L with i ∈ 0 .. (k − 1) for some k ∈ N such that s 0 = s and s k = s . This notion naturally generalizes to a notion of reachability within an LTS L from any state s of L.
We are aiming at characterizing processes up to bisimulation, a semantic equivalence relation that is known to preserve properties expressed in most temporal logics, in particular those that can be expressed in the modal μ-calculus [1].
is called a bisimulation if the following holds for all ( p, q) ∈ R: Two states s, s ∈ S are called bisimilar in L, written as s ∼ L s , iff there exists a bisimulation R with (s, s ) ∈ R. 3 Given a second LTS L = (S L , Σ L , → L ), two processes P L (s) and P L (s ) are called bisimilar, written as P L (s) ∼ P L (s ), iff there exists a bisimulation in Our characteristic invariants are formulas specified in Hennessy-Milner logic (HML) [17] that extends propositional logic with a modal operator · (diamond): Definition 3 (HML) Given an alphabet Σ, Hennessy-Milner logic (HML) is defined by the following grammar in Backus-Naur form where α is a meta-variable for an arbitrary element of Σ. In addition, the following derived operators are frequently used: where s ∈ S, a ∈ Σ and ϕ, ϕ 1 , ϕ 2 ∈ HML. We omit the subscript L of | L if it is unambiguous in a given context, and often abbreviate p | L ϕ and q | L ϕ by p, q | L ϕ. In cases were we want to emphasize the process perspective, we write P L (s) | ϕ instead of s | L ϕ.
In the following, we will establish that HML is sufficient to define the invariants required for our characteristic formulas.

Generalized characteristic HML invariant
Our definition of a generalized characteristic HML invariant follows the "diamond-boxpattern" originally introduced in [13,15]: Definition 5 (Generalized characteristic HML invariant) Let Σ be a global alphabet that contains all considered action labels. With a pair (Φ, Ψ ) such that Φ is a finite set of HML formulas and Ψ : Φ × Σ → 2 Φ a function we associate an HML formula χ I (Φ, Ψ ) called generalized characteristic invariant (GCI) as follows: Given an LTS L = (S, Σ L , →), we write L | AG(ϕ) iff s | L ϕ holds for all s ∈ S and say that χ I (Φ, Ψ ) is a GCI for L iff L | AG(χ I (Φ, Ψ )). We sometimes write χ I instead of χ I (Φ, Ψ ) iff the arguments are unambiguous in a given context.
In order to capture our notion of a GCI, we extend HML as follows.
Definition 6 (Syntax of HML AG ) Given an alphabet Σ, Hennessy-Milner logic with AG (HML AG ) is defined by the following grammar in Backus-Naur form where α is a meta-variable for an arbitrary element of Σ. The derived operators of HML are also used for HML AG . HML AG is equivalent to a logic called EF or UB − in the literature [25] and is itself a fragment of CTL. In this paper, we are only interested in two patterns of HML AG formulas, namely AG(χ I ) and ϕ 0 ∧ AG(χ I ) where ϕ 0 , χ I ∈ HML. Definition 6 therefore specifies AG instead of an EF operator.
Definition 7 (Semantics of H M L AG ) The semantics of HML AG are defined relative to a given LTS L = (S, Σ L , →). Given an LTS L, the satisfaction relation | L ⊆ S × HML AG extends Definition 4 with the following clause: iff ∀s ∈ S. s → * L s implies s | L ϕ where s ∈ S and ϕ ∈ HML AG . Shorthand notations are defined as in Definition 4.
Note the overloading of AG. In fact, we have: Please recall that we only consider LTSs and processes from a universe that is specified by an alphabet Σ, i.e. the set of possible actions. The following lemma illustrates the power of the "diamond-box-pattern" [13,15] that underlies our definition of GCIs.
Proof Let χ I (Φ, Ψ ) be a GCI that is based on some finite set Φ of HML formulas and some function Ψ : Φ × Σ → 2 Φ . Furthermore, let L be any LTS such that L | AG(χ I (Φ, Ψ )). As the empty relation is clearly a bisimulation, we can assume that R is not empty. Let us now consider an arbitrary pair ( p, q) ∈ R. Then there exists a formula ϕ ∈ Φ with p, q | ϕ. Therefore, we know due to L | AG(χ I (Φ, Ψ )) that both p and q satisfy a∈Σ, R is obviously symmetric. Therefore, it suffices to prove the defining invariance property of bisimulation (Definition 2). Let p b → p be an arbitrary transition starting in p. Looking at the subformula that must be satisfied by p, we know that p | ψ∈Ψ (ϕ,b) ψ. Therefore, there exists a ψ ∈ Ψ (ϕ, b) that is satisfied by p . The fact that q satisfies the subformula a ψ now yields that q satisfies b ψ , i.e., the existence of a transition q b → q such that q satisfies ψ . Thus, both p and q satisfy ψ which guarantees ( p , q ) ∈ R.
Of course, not every GCI fits each LTS L, e.g., the bisimulation guaranteed by the above characterization lemma may well be empty. GCIs develop their full characterizing power only in combination with an initial condition: be two LTSs with states s ∈ S L and s ∈ S L such that s | L ϕ 0 and s | L ϕ 0 , respectively. Then we have: Proof Let χ I be a GCI and L and L two LTS with states s ∈ S L and s ∈ S L such that s | L ϕ 0 and s | L ϕ 0 , respectively. In order to prove the first part of Lemma 2, we assume that L | AG(χ I ) and L | AG(χ I ) hold, and observe that is a well-defined LTS which also satisfies AG(χ I ) and in which both s and s satisfy ϕ 0 , i.e., s, s | L ϕ 0 . Thus, Lemma 1 guarantees that is a bisimulation. As s, s | L ϕ 0 also implies (s, s ) ∈ R, we can conclude that P L (s) and P L (s ) are bisimilar as desired. Our semantics of AG for an entire LTS coincides with the (standard) semantics for processes in which all states are reachable. Thus, the proof of the second part is a consequence of the well-known fact that bisimulation preserves e.g. all CTL and modal μ-calculus formulas.
The following theorem is a straightforward reformulation of Lemma 2 considering processes as models of the GCI instead of LTSs: be two LTSs with states s ∈ S L and s ∈ S L . Then we have: Whereas the implication from left to right is just a reformulation of Lemma 2(1), the converse implication exploits the fact that satisfaction of invariance properties of processes only concerns the reachable states.
The following section establishes a sufficient condition for sets of formulas Φ to serve as a basis for the definition of non-trivial GCIs for a finite-state LTS, i.e., GCIs that remain valid when initial conditions ϕ ∈ Φ are added, resulting in characteristic formulas for processes as shown in Theorem 1.

Class-distinguishing formulas
Our notion of class-distinguishing formulas is directly based on the concept of bisimulation: Fig. 1. The history tree in Fig. 2

Example 1 (Set of class-distinguishing formulas (SCDF)) Consider the LTS L depicted in
as an SCDF for L. The subscript i in ϕ i correlates with the corresponding state identifier s i such that s i | ϕ i . Note that state 2 is bisimilar to state 5 and that state 3 is bisimilar to state 4.
Being HML formulas, the elements of an SCDF Φ for L can, in general, not fully characterize the behavior of states in L. They are only sufficient to identify bisimulation equivalence classes in the context of L. In the following, we will see how the "diamond-box-pattern" turns this property into a property that universally characterizes processes up to bisimulation, even in the context of infinite-state systems.
Then χ I (Φ, Ψ ) is called a GCI for L based on Φ.
A GCI χ I based on an SCDF for L is sufficient to guarantee that L | AG(χ I ). Proof Let L = (S, Σ L , →) be an LTS, Φ an SCDF for L, and χ I (Φ, Ψ ) a GCI for L based on Φ. Then we have to prove that L satisfies the following formula: According to the semantics of L | AG(ϕ) for some ϕ ∈ HML, it suffices to show that every state s ∈ S satisfies the conjunction χ I (Φ, Ψ ) that serves as the argument of the AG operator. Let s ∈ S and ϕ ∈ Φ be arbitrary but fixed elements. We can assume that s | ϕ, because otherwise the implication is trivially satisfied. Thus, it remains to be shown that holds. Therefore, let ϕ c be any of the conjuncts in that HML formula. In order to show its validity, we distinguish between two cases: Because of ψ ∈ Ψ (ϕ, a), there exist states p, q ∈ S and a transition p a → q with p | ϕ and q | ψ. Thus, we have p | ϕ c . In addition, s, p | ϕ implies s ∼ L p according to the definition of an SCDF. As bisimilar states satisfy the same HML formulas [17], this yields s | ϕ c , which closes the first case. Case 2: ϕ c = [a] δ with δ = ψ∈Ψ (ϕ,a) ψ for some a ∈ Σ.
In this case, the following has to be shown: Therefore, let s ∈ S be any state such that s a → s and ψ ∈ Φ be a corresponding formula with s | ψ. Such a formula exists due to the definition of an SCDF. Now, s | ϕ implies ψ ∈ Ψ (ϕ, a) by definition of Ψ which guarantees that ψ is a disjunct in δ and therefore that s | δ as desired.
The following theorem follows straightforwardly from Lemma 3 and the definition of SCDFs.
Theorem 2 (Sufficiency for characterization) Let L = (S, Σ L , →) be any LTS with s 0 ∈ S, Φ an SCDF for L, and χ I a GCI for L based on Φ. Then there exists a ϕ 0 ∈ Φ such that s 0 | ϕ 0 and we have: The presented construction of a GCI for an LTS L depends on a corresponding SCDF (Definition 8). The next section introduces an approach that allows us to elegantly generate these sets of class-distinguishing formulas for any finite-state LTS.

Generation of characteristic invariants for finite-state LTSs
In this section, we present an algorithm that automatically generates a finite set of classdistinguishing formulas (SCDF) for any finite-state LTS L. Given this SCDF, a GCI for L can be generated according to Sect. 4.
After a brief sketch of partition refinement [16,19] and so called splitters, Sect. 5.2 introduces the class-distinguishing functions that we use to generate an SCDF. Afterwards, Sect. 5.3 presents our algorithm together with an accompanying example.

Partition refinement
Partition refinement serves as the underlying concept of many analysis and verification techniques [31].
Definition 10 (Partition refinement) Given a set S, P ⊆ 2 S is a partition of S iff its elements, called classes, are non-empty, pairwise disjoint, and cover S when merged ( X ∈P X = S). Given two partitions P and Q of S, P refines Q, denoted by P Q, iff for each X ∈ P there exists a Y ∈ Q such that X ⊆ Y . We write P ≺ Q iff P Q and P = Q.
Our algorithm that is presented in Sect. 5.3 relies on partition refinement: it extends the algorithm by Kanellakis and Smolka [21] for the minimization of non-deterministic systems up to bisimulation. Our extension computes HML formulas that allow to identify the individual classes of the partitions that arise during the refinement algorithm.
Partition refinement within this algorithm is based on witnesses, called splitters, which prove that one or more classes contain states that are not bisimilar.  P based on (B, a). [21] proved that exhaustive splitting while starting with the trivial partition inevitably results in the coarsest partition that defines a bisimulation. The next section shows how we obtain formulas that uniquely identify the classes of this partition by the corresponding satisfaction relation, a property that makes the set of those formulas an SCDF.

Class-distinguishing functions
The SCDFs that we construct depend on the concrete chain of refinements produced by the (typically non-deterministic) partition refinement algorithm. Thus, let us consider an arbitrary but fixed scenario in this subsection, i.e.: Let L = (S, Σ L , →) be a finite-state LTS, P 0 = {S}, (B 0 , a 0 ) , . . . , (B m−1 , a m−1 ) a sequence of m splitters, and P 0 , . . . , P m the corresponding sequence of m + 1 (refined) partitions such that for all k ∈ 0 .. m − 1, we have 1. (B k , a k ) is a splitter of some Y ∈ P k , 2. P k+1 is the refinement of P k based on (B k , a k ), and 3. P m cannot be refined based on splitting.
This allows for the following inductive definition: Definition 13 (Class-distinguishing functions) The sequence ϕ 0 , . . . , ϕ m with ϕ k : P k → HML for all k ∈ 0 .. m inductively defined by ϕ 0 (S) = tt and is called sequence of class-distinguishing functions.
Note that the three cases in the definition of ϕ k+1 (X ) are disjoint and that Y is unique in the first two cases. For this sequence of class-distinguishing functions, which is uniquely determined by the considered scenario, we have: Proof We prove the validity of the statement by induction over k ∈ 0 .. m.
Induction step (k → k + 1): Let X ∈ P k+1 and s ∈ S be both arbitrary but fixed. We proceed by proving the two required implications depending on the cases within Definition 13 for the construction of ϕ k+1 (X ).
We assume that s ∈ X . Because of (B k , a k ) | Y , we know that X ⊂ Y and therefore s ∈ Y . Due to the induction hypothesis, we have s | ϕ k (Y ). Based on s ∈ Y a k B k , we know that s has an a k -successor in B k (Definition 11). Let s denote such a successor. By induction hypothesis, it follows that s | ϕ k (B k ). Due to s a k → s and HML semantics, we know that s | a k ϕ k (B k ). Thus, we have We assume s | ϕ k+1 (X ), which means that s | ϕ k (Y ) ∧ a k ϕ k (B k Fig. 2 Partition refinement history and corresponding class-distinguishing predicates based on the input-LTS from Fig. 1 as generated by a tool that implements Algorithm 1. Dotted arrows denote splitters Analogous to case 1. Then X ∈ P k and ϕ k+1 (X ) = ϕ k (X ) and therefore by induction as desired: In summary, the class-distinguishing functions are defined such that they reflect information about each splitter in HML. This information can be summarized on the basis of a decision tree with node set N = k∈0 .. m P k and edges set where for each k ∈ 0 .. m − 1, all the nodes C ∈ P k that are split by (B k , a k ) are annotated with the predicate a k ϕ k (B k ). If this predicate evaluates to true, then one continues with C a k B k , otherwise with C a k B k . Figure 2 illustrates such a decision tree based on the LTS depicted in Fig. 1. As Fig. 2 is intended to also display the partition classes, the predicates were moved to the edges.
In the following, we present our algorithm that incorporates both the partition refinement and the corresponding labeling based on class-distinguishing functions.

Algorithm for generating an SCDF
We use Algorithm 1 to generate an SCDF (Definition 8). This algorithm is conceptually based on the "naive method" from [21]. As such, the derived partition P is actually the coarsest partition w.r.t. bisimulation. Additionally, our iteratively defined class-distinguishing function (Definition 13) is incorporated.

Algorithm 1 Algorithm for generating an SCDF
Input: A finite-state LTS L = (S, Σ L , →) Output: An SCDF of L 1: function StateFormulas(S, Σ L , →) 2: for all Y ∈ P which are split by (B, α) do 9: The worklist of Algorithm 1 contains potential splitters (Definition 11). Whenever the current partition P is refined and new classes are thereby added to it, these classes are combined with every possible transition label and added to the worklist (Algorithm 2). Every time that such a partition refinement occurs, the class-distinguishing function ϕ is updated according to Definition 13 in order to incorporate information about the most recent splitter (lines 11-13 of Algorithm 1). Note that the order in which splitters are applied is not defined by Algorithm 1. In the following, we assume a fixed order of splitters. As stated in Sect. 5.2 and visible in the pseudo code (lines 12 and 13 of Algorithm 1), the definition of the class-distinguishing function throughout the algorithm's execution is based on that order of splitters. The sequence of splitters is exactly the sequence of those pairs received in line 6 of Algorithm 1 for which the inner for-all loop (line 8) executes at least one iteration. Fig. 1 as input for Algorithm 1. Figure 2 illustrates the two refinements during an execution of Algorithm 1 for this input LTS. The actual class-distinguishing formulas generated by Algorithm 1 are as follows. In line with Sect. 5.2, we use a subscript index to refer to different refinements (Definition 12).

Example 2 (Algorithm 1) Consider the LTS in
The The second splitter is ({1, 2, 5}, a). Note that in the meantime, several other checks for possible refinements may have been performed that failed. For simplicity, we will only list actual splitters (Definition 11). The splitter ({1, 2, 5}, a) Note that states 2 and 5 as well as 3 and 4 are bisimilar, respectively. The algorithm terminates (after potentially executing a few more checks for splitters) because the splitter potential is exhausted.
Algorithm 1 resembles the "naive" algorithm by Kanellakis and Smolka [21] which is known to run in cubic time and to terminate with the coarsest partition up to bisimulation. Thus, the following theorem is a consequence of Theorem 3 which guarantees the correct labeling of the partition classes.

Theorem 4 (Correctness of Algorithm 1) Given an LTS L, Algorithm 1 terminates with an SCDF for L.
The following theorem summarizes the main result of this paper. Please recall that by definition of an SCDF, every state s ∈ S has a formula ϕ ∈ Φ with s | L ϕ: Theorem 5 (Main theorem) Let L be an LTS L = (S, Σ L , →), Φ an SCDF for L generated by Algorithm 1, χ I the GCI for L based on Φ, and s ∈ S, ϕ ∈ Φ with s | L ϕ. Then for any P L (s ) based on some LTS L = (S , Σ L , → ) with s ∈ S , we have: Proof Theorem 4 guarantees that Φ is an SCDF which, by Theorem 2, implies P L (s) | ϕ ∧ AG(χ I ). Thus, applying Theorem 1 yields the desired statement.

Discussion of related work
The coincidence theorem of Hennessy and Milner states that, given a finitely-branching LTS, two states are bisimilar if and only if they enjoy the same set of HML formulas (first stated 1980 in [17] and again in [18]). Thus, HML has distinguishing power: any two non-bisimilar finitely-branching LTSs can be distinguished by a formula in HML.
The idea of characteristic formulas goes beyond distinguishability: It requires that, given a finitely-branching LTS, there exists a (single) formula that distinguishes this LTS from any other non-bisimilar (finitely-branching) LTS. It is clear that this "swap of quantifiers" leads to a requirement that cannot be satisfied by HML as HML formulas are limited in their sensitivity to finite prefixes of computation trees.
In 1984, Graf and Sifakis published a scheme by which characteristic formulas for finite CCS processes 5 can be derived [13,15]. Such a scheme is usually referred to as (characteristic) translation. The pattern introduced by Graf and Sifakis, which we refer to as "diamond-boxpattern", is used in almost all following publications on characteristic formulas, including this paper (see Definition 5). Graf and Sifakis also extended the idea of Hennessy and Milner in the sense that they interpret the coincidence theorem as a strict requirement for sensible temporal logics [14]. Thereby such logics are "sufficiently powerful to distinguish noncongruent terms". Indeed, as later shown in various publications, many famous temporal logics such as HML, CTL, and μ-calculus satisfy this claim.
Browne, Clarke, and Grumberg were the first to take the step from finite to finite-state systems in 1987, again based on the "diamond-box-pattern" by Graf and Sifakis, but this time generalized using implication in order to deal with cycles [2]. The key idea, which is also used in this paper, consists of two steps. First, find a formula for each state that distinguishes it from every other state of the considered finite-state system. Second, show that the generalized "diamond-box-pattern" for connecting these distinguishing formulas is sufficient to define characteristic formulas for finite-state systems. In essence, they observed that non-bisimilar states of finite-state systems can be distinguished by a finite prefix of the corresponding computation tree 6 which allowed them to infer their distinguishing formulas simply as characteristic formulas up to a certain depth of bisimilarity.
The paper [28] introduced a technique for deriving characteristic formulas in the modal μ-calculus for finite-state processes (with divergence potential [26,27]). Key idea was to associate each state of the LTS with a fixed point variable and to construct a modal equational system on the basis of the "diamond-box-pattern" which can then be translated into the modal μ-calculus. As this translation leads to formulas of exponential size, [30] focused on modal equational systems as they provide characterizations that are linear in the size of a property, making bisimulation checking via model checking attractive.
Like [2], the approach presented in this paper is based on the combination of distinguishing formulas using the generalized "diamond-box-pattern". The main difference is the construction of the distinguishing SCDF based on Algorithm 1 which has a reduced form of linear size in terms of a recursion-free equational system. Key to this construction is an extension of Kanellakis and Smolka's partition refinement algorithm for bisimulation checking [21] in order to incrementally compute distinguishing formulas for the individual partition classes. By construction, this leads to distinguishing formulas with linearly many distinct subformulas. Therefore, their corresponding representation in terms of a directed acyclic graph or, equivalently, as recursion-free equational system, is guaranteed to be linear in the number of bisimulation equivalence classes. Thus, the characteristic formulas proposed in this paper can be regarded as very concise versions and therefore practical optimizations of the characteristic formulas of [2].

Conclusion and outlook
We have shown that HML, despite its structural limitations, is sufficiently expressive to specify an initial property ϕ 0 and a characteristic invariant χ I for an arbitrary finite-state process P such that ϕ 0 ∧ AG(χ I ) is a characteristic formula for P. This means, in particular, that it is sufficient to check an HML formula for each state of a candidate finite-state process to verify that it is bisimulation equivalent to P. In fact, our proofs do not require the candidate processes to be finite state. In particular, our theorem also holds for context-free [5] and push-down candidate systems [6].
The first model checking algorithm for context-free systems has been presented in 1992 in [5]. It was linear in the size of the context-free process representation and exponential in the size of the, in this case alternation-free, modal μ-calculus formula, or better, in the size of a corresponding modal equational system. Extensions covered pushdown-processes [6] and later sequential processes for the full modal μ-calculus [7]. Combining these algorithms, whose implementation in the fixed point analysis machine has been presented in CONCUR 1995 [29], with an algorithm that constructs characteristic formulas in terms of modal equational systems (e.g. [30]) immediately implies: Bisimulation checking of context-free processes with a finite-state process can be performed in exponential time via model checking of characteristic formulas.
Currently, we are re-implementing the algorithms for characteristic formula construction and context-free model checking, also with the goal to experimentally evaluate their practical efficiency. Our model checking algorithm uses shared BDDs 7 to efficiently represent the property transformers that are characteristic of our second-order treatment of context-free systems. It is not clear how the choice of characteristic formula construction interferes with the second-order fixed point computation, whether there are advantageous process patterns, or whether there are certain technological bottlenecks that can be overcome. An example for the latter category is the treatment of the identity function, which is intuitively very simple, but whose representation in terms of shared BDDs is bound to explode.