To show the practical effectiveness of the minimization in a compositional context, which we discussed in theory in Section 5.2.2, we consider two case studies that we fail to reduce otherwise, due to their prohibitive size: the Consensus Protocol with three parties and the Dining Cryptographers with four, eight, and ten cryptographers. For instance, by applying Definition 4.6, the four cryptographers case requires 38416 states and 6380 transitions; eight and ten cryptographers are essentially intractable since they involve around 1.5 and 300 billion states, respectively. We avoid this by constructing the model compositionally, applying weak bisimulation minimization on the intermediate automata. Moreover, to make this compositional minimization more effective, we use the hiding operator as soon as possible to restrict the visibility of the actions that are “private” between two automata. Each of the Tables 5.6, 5.7 and 5.8 is split in two parts: the top part contains all intermediate steps performed by the compositional minimization leading to the minimization of the final automaton; in each row, the column t≈ includes the value of the previous row, thus reporting the total time used thus far. The bottom part of the table contains the number of states and transitions of the composed automata without intermediate minimization, and the time for the corresponding compositional minimization.
90 Chapter 5 : Efficiency of Deciding Probabilistic Automata Weak Bisimulation
[Figure 5.3: states 0, 1, 2, 3 and s, connected by τ-transitions with probabilities 1/2, and the action succ]
Figure 5.3: The minimized four dining cryptographers (anonymity)
For the consensus protocol, we can see from the top part of Table 5.6 that the compositional minimization allows us to reduce the automaton to a single state and transition, representing the fact that the consensus is reached with probability 1, whereas the same reduction cannot be obtained within the time-out by first composing the parties and then minimizing the composed automaton. The time required for the former approach actually depends on the intermediate step, where we reduce the automaton [c3 ∥ p1]≈ ∥ p2, which returns an automaton that is essentially half of the original one. The main reason for this situation is that the intermediate automaton still has many visible actions that cannot be hidden, since they are needed to synchronize with p3.
On the contrary, the dining cryptographers protocol is a good example that shows how using the hiding operator as soon as possible makes it possible to drastically reduce the size of the minimized automaton. In fact, since the synchronization happens only between cryptographers that are neighbors, such as di and di+1, and such synchronization has to be secret, it makes sense to hide it just after having composed di and di+1. Consider the termination of the dining cryptographers protocol with n = 4 cryptographers, as shown in the top part of Table 5.7: the proposed combination of hiding and compositional minimization reduces any chain d1 ∥ · · · ∥ dl, where 1 < l < n, to an automaton with 6 states and 14 transitions. Then, for l = n−1, the synchronization of d1 and dn−1 with dn closes the circle of cryptographers, which once minimized shows that the protocol terminates with probability 1.
For the anonymity property, the reduction of each chain does not lead to the same size but to an automaton whose size grows linearly with the number of cryptographers. This is caused by the fact that we have to keep track of the sequence of agrees announced by the cryptographers, and this number clearly depends on the number of involved cryptographers. As in the PRISM benchmark, we assume that one cryptographer is paying and we check a particular outcome of the agreement, that is, we check that the probability of a given sequence of agrees and disagrees is 1/2^(n−1). It is immediate to see that the minimized automaton satisfies this property; see for instance the anonymity of four cryptographers in Figure 5.3, where the probability of reaching the state s is 1/2^3.
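The anonymity check above, worked out by exhaustive enumeration rather than by bisimulation minimization, as an added example that is not part of the thesis. It assumes the standard encoding of the dining cryptographers: cryptographers sit in a ring, neighbours di and di+1 share a fair coin, and each announces the XOR of its two coins and of its own paying flag (so "disagree" is 1, "agree" is 0).

```python
from fractions import Fraction
from itertools import product

def announcements(coins, payer):
    """Cryptographer i sees the coin shared with i-1 and the coin shared with i+1
    and announces coins[i-1] XOR coins[i] XOR (i == payer). Index -1 wraps around,
    which closes the ring."""
    n = len(coins)
    return tuple(coins[i - 1] ^ coins[i] ^ (1 if i == payer else 0) for i in range(n))

def outcome_probability(n, payer, target):
    """Exact probability of observing the announcement sequence `target` when
    cryptographer `payer` pays, over the 2^n equally likely fair coin assignments."""
    hits = sum(1 for coins in product((0, 1), repeat=n)
               if announcements(coins, payer) == target)
    return Fraction(hits, 2 ** n)

def outcome_distribution(n, payer):
    """Full distribution over announcement sequences for a fixed payer."""
    counts = {}
    for coins in product((0, 1), repeat=n):
        a = announcements(coins, payer)
        counts[a] = counts.get(a, 0) + 1
    return {a: Fraction(c, 2 ** n) for a, c in counts.items()}

def is_anonymous(n):
    """Anonymity: whoever pays, the observable announcements have the same
    distribution, so an observer learns nothing about the payer's identity."""
    reference = outcome_distribution(n, 0)
    return all(outcome_distribution(n, j) == reference for j in range(1, n))
```

For n = 4 every odd-parity announcement sequence has probability 1/8 = 1/2^3 regardless of who pays, which is the value the minimized automaton in Figure 5.3 exhibits.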
It is clear that for the dining cryptographers protocol the compositional minimization approach outperforms the minimization of the composition, and we expect that this extends to all systems where few components share the same actions.
5.6 Concluding Remarks
In this chapter, we have considered the efficiency analysis of deciding PA weak bisimulation, which is known to be polynomial [TH15]. After a survey of available polynomial algorithms to solve an LP problem, we established an upper bound on the worst case complexity of the decision problem for general PA. We demonstrated that a small modification of the LP problem discussed in [TH15] enables taking advantage of the underlying network structure to improve the practical efficiency of solving the problem.
In addition, we have presented an implementation of the decision algorithm, in the form of a quotienting algorithm that minimizes probabilistic automata with respect to weak probabilistic bisimulation. We enhanced this algorithm with several heuristics that reduce the running time of the program considerably, and have shown that minimization can be applied effectively to standard benchmark models. We have also investigated how compositional minimization techniques can be exploited for models consisting of several sub-automata running in parallel.
Although probabilistic automata weak bisimulation admits an efficient decision algorithm and is also a congruence for parallel composition, hiding, and other operators on PAs, defining similar equivalence relations for probabilistic systems with parametric uncertainty is not so straightforward in terms of computational complexity and compositionality. The latter will be at the core of our studies in the forthcoming chapters.
Chapter 6: Compositional Minimization for Model Checking of Interval MDPs
In this chapter, we define the first bisimulation for model checking PCTL properties of interval MDPs, which is in turn the first bisimulation for MDPs with uncertain transitions in general. Furthermore, we show how to compute the coarsest bisimulation by an algorithm based on comparing polytopes of probability distributions associated with each transition. We also discuss the worst case time complexity of the decision problem and show that it is coNP-complete. Afterwards, we build a bridge between Probabilistic Verification and Robust Optimization and establish a novel modelling of the probabilistic bisimulation problem for interval MDPs as an instance of an uncertain LP problem. In particular, we show that deciding bisimilarity of a pair of states can be encoded as the adjustable robust counterpart of an uncertain LP. We prove that, using affine decision rules, the probabilistic bisimulation relation can be approximated in polynomial time. We have implemented our approach and demonstrate its effectiveness on several case studies.
Finally, we address the key ingredients to build up the operations of parallel composition for composing interval MDP components at run-time. More precisely, we investigate how the parallel composition operator for interval MDPs can be defined so as to arrive at a congruence closure. As a result, we show that probabilistic bisimulation for interval MDPs is a congruence with respect to two facets of parallelism, namely synchronous product and interleaving.
The material presented in this chapter is an extended version of the results reported in [HHK14, HHS+16b, HHHT16, HHT16].
Organization of the chapter. We start with Probabilistic Computation Tree Logic (PCTL) in Section 6.1 to express and analyse properties of IMDPs. In Section 6.2 we address the probabilistic bisimulation for model checking PCTL properties of IMDPs and afterwards we focus on the computational complexity of the decision problem and the ways we can compute it algorithmically. In Section 6.3 we discuss compositionality methods for reasoning about IMDPs. Furthermore, we demonstrate the effectiveness of our approach on several case studies in Section 6.4. Finally, Section 6.5 concludes the chapter.
s ⊨(∀) true
s ⊨(∀) x iff x ∈ L(s)
s ⊨(∀) ¬ϕ iff s ⊭(∀) ϕ
s ⊨(∀) ϕ1 ∧ ϕ2 iff s ⊨(∀) ϕ1 ∧ s ⊨(∀) ϕ2
s ⊨(∀) P⋈p(ψ) iff ∀σ ∈ Σ, ∀π ∈ Π : Pr_s^{σ,π}(⊨(∀) ψ) ⋈ p
ξ ⊨(∀) Xϕ iff s2 ⊨ ϕ
ξ ⊨(∀) ϕ1 U≤k ϕ2 iff there exists i ≤ k such that si ⊨(∀) ϕ2 and sj ⊨(∀) ϕ1 for every 1 ≤ j < i
ξ ⊨(∀) ϕ1 U ϕ2 iff there exists k ∈ ℕ such that ξ ⊨(∀) ϕ1 U≤k ϕ2
Table 6.1: PCTL semantics for model checking IMDPs
6.1 Probabilistic Computation Tree Logic (PCTL)
Formal verification of properties of IMDPs requires a proper language to precisely describe such properties. There are various ways to specify properties of IMDPs. Throughout this thesis, we focus on Probabilistic Computation Tree Logic (PCTL), a probabilistic logic derived from CTL [HJ94]. The syntax of PCTL state formulas ϕ and PCTL path formulas ψ is given by:
ϕ := true | x | ¬ϕ | ϕ1 ∧ ϕ2 | P⋈p(ψ)
ψ := Xϕ | ϕ1 U ϕ2 | ϕ1 U≤k ϕ2
where x ∈ AP, p ∈ [0, 1] is a rational constant, ⋈ ∈ {≤, <, ≥, >}, and k ∈ ℕ. The semantics of the logic PCTL depends essentially on the way nondeterminism is resolved for the probabilistic operator P⋈p(ψ). In particular, in the setting of model checking we aim to check whether the IMDP M satisfies the PCTL property ϕ under all resolutions of nondeterminism, resolved by a scheduler, and all resolutions of uncertainty, resolved by a nature. Thus, for the purpose of model checking PCTL properties, we quantify both kinds of nondeterminism universally and define the satisfaction relation s ⊨(∀) ϕ as reported in Table 6.1. In the semantics description, ⊨(∀) ψ denotes the set of infinite paths ξ of the form ξ = s1 s2 · · · which satisfy ψ, i.e., {ξ ∈ Paths^inf_M | ξ ⊨(∀) ψ}. It is easy to show that the set ⊨(∀) ψ is measurable for any path formula ψ, hence the definition is correct. We will explain the PCTL semantics for other ways of resolving nondeterminism in the next chapter.
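The universal semantics of P⋈p(ϕ1 U≤k ϕ2) from Table 6.1, made concrete as an added example that is not code from the thesis: because the bound must hold for all schedulers and all natures, a lower bound (≥, >) is checked against the minimum reachable probability and an upper bound (≤, <) against the maximum, each computed by backward induction over the step bound. The IMDP below (states, actions and interval bounds) is a constructed sample; the encoding of an IMDP as nested dictionaries is an assumption of this example, not the thesis' notation.

```python
from fractions import Fraction as F

# Constructed sample IMDP (not from the thesis): state s0 offers actions a and b,
# each with interval bounds on the probability of moving to s1 (goal) or s2 (sink).
SAMPLE = {
    's0': {'a': {'s1': (F(1, 3), F(2, 3)), 's2': (F(1, 3), F(2, 3))},
           'b': {'s1': (F(1, 2), F(1, 2)), 's2': (F(1, 2), F(1, 2))}},
    's1': {},
    's2': {},
}

def nature_extreme(bounds, values, maximize):
    """Resolve one uncertain transition: pick the distribution within the interval
    bounds {t: (lo, hi)} that maximises (or minimises) the expected `values`.
    Greedy: start every successor at its lower bound, then pour the remaining mass
    into the best (or worst) successors first, up to their upper bounds."""
    order = sorted(bounds, key=lambda t: values[t], reverse=maximize)
    mu = {t: lo for t, (lo, hi) in bounds.items()}
    rest = 1 - sum(mu.values())
    for t in order:
        add = min(rest, bounds[t][1] - mu[t])
        mu[t] += add
        rest -= add
    assert rest == 0, "interval bounds admit no probability distribution"
    return sum(mu[t] * values[t] for t in bounds)

def bounded_until_extreme(imdp, phi1, phi2, k, maximize):
    """Extreme probability of phi1 U<=k phi2 over all schedulers and natures, by
    backward induction over the step bound: the scheduler picks the action, the
    nature picks the distribution inside the intervals."""
    v = {s: F(1) if s in phi2 else F(0) for s in imdp}
    for _ in range(k):
        nv = {}
        for s, acts in imdp.items():
            if s in phi2:
                nv[s] = F(1)
            elif s not in phi1 or not acts:
                nv[s] = F(0)
            else:
                vals = [nature_extreme(b, v, maximize) for b in acts.values()]
                nv[s] = max(vals) if maximize else min(vals)
        v = nv
    return v

def satisfies_P(imdp, s, op, p, phi1, phi2, k):
    """s |=(forall) P op p (phi1 U<=k phi2): the bound must hold for ALL schedulers and
    natures, so a lower bound is compared with the minimum and an upper bound with
    the maximum attainable probability."""
    maximize = op in ('<=', '<')
    val = bounded_until_extreme(imdp, phi1, phi2, k, maximize)[s]
    return {'>=': val >= p, '>': val > p, '<=': val <= p, '<': val < p}[op]
```

On the sample, the probability of reaching s1 from s0 within one step ranges from 1/3 (action a, nature favouring s2) to 2/3 (action a, nature favouring s1), so s0 ⊨(∀) P≥1/4(ϕ1 U≤1 ϕ2) holds while P≥1/2 does not.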