Complexity Analysis of a Unifying Algorithm for Model Checking Interval Temporal Logic

The model-checking (MC) problem of Halpern and Shoham Interval Temporal Logic (HS) has been recently investigated in some papers and is known to be decidable. An intriguing open question concerns the exact complexity of the problem for full HS: it is at least EXPSPACE-hard, while the only known upper bound is non-elementary and is obtained by exploiting an abstract representation of Kripke structure paths called descriptors. In this paper we generalize the approach by providing a uniform framework for model-checking full HS and meaningful (almost maximal) fragments, where a specialized type of descriptor is defined for each fragment. We then devise a general MC alternating algorithm parameterized by the type of descriptor which has a polynomially bounded number of alternations and whose running time is bounded by the length of minimal representatives of descriptors (certificates). We analyze the time complexity of the algorithm and give, by non-trivial arguments, tight bounds on the length of certificates. For two types of descriptors, we obtain exponential upper and lower bounds which lead to an elementary MC algorithm for the related HS fragments. For the other types of descriptors, we provide non-elementary lower bounds. This last result addresses a question left open in some papers regarding the possibility of fixing an elementary upper bound on the size of the descriptors for full HS.

2012 ACM Subject Classification: Theory of computation → Logic and verification


Introduction
Model checking (MC) is a well-established formal-method technique to automatically check for global correctness of finite-state reactive systems. Finite systems are usually modelled as labelled state-transition graphs (finite Kripke structures), while the properties of interest are specified in standard point-based temporal logics (PTLs), such as, for instance, the linear-time temporal logic LTL [22] and the branching-time temporal logics CTL and CTL* [9]. Interval temporal logics (ITLs) provide an alternative setting for reasoning about time [11,21,25]. ITLs assume intervals, instead of points, as their primitive temporal entities, which makes it possible to specify relevant temporal properties that involve, e.g., actions with duration, accomplishments, and temporal aggregations, which are inherently "interval-based", and thus cannot be naturally expressed by PTLs. ITLs find applications in a variety of computer science fields, including artificial intelligence (reasoning about action and change, qualitative reasoning, planning, and natural language processing), theoretical computer science (specification and verification of programs), and temporal and spatio-temporal databases (e.g., see [13,21,23]). Among ITLs, the landmark is Halpern and Shoham's modal logic of time intervals (HS) [11], which features one modality for each of the 13 possible ordering relations between pairs of intervals (the so-called Allen's relations [1]), apart from equality. The satisfiability problem for HS is undecidable over all relevant classes of linear orders, and most of its fragments (with some meaningful exceptions [7,8,20]) are undecidable as well [6,12,15].

Model-Checking Interval Temporal Logic
Model checking of (finite) Kripke structures against HS has been investigated only very recently [13,14,16,2,5,4,3,18,19]. The idea is to interpret each finite path of a Kripke structure as an interval, whose labelling is defined on the basis of the labelling of the component states: a proposition letter holds over an interval if and only if it holds over each component state (homogeneity assumption [24]). In this paper, we focus on the MC problem of HS under the state-based semantics (time branches both in the future and in the past), proved decidable in [16]. In this setting, the temporal modalities for the Allen's relations started-by (B), finished-by (E), and contains (D) have a "linear-time" character: they allow one to select either proper prefixes (B), or proper suffixes (E), or internal subpaths (D) of the current path. The modalities associated with the other Allen's relations are instead "branching-time": they allow one either to non-deterministically extend a prefix (resp., suffix, resp., subpath) of the current path in the future or in the past, or to non-deterministically select an independent path whose start point (resp., ending point) is reachable from (resp., can reach) the ending point (resp., start point) of the current path. The expressiveness of the state-based semantics of HS has been studied in [5] together with two other decidable variants: the computation-tree-based semantics, which allows time to branch only in the future, and the trace-based semantics, which disallows time branching. The computation-tree-based variant of HS is expressively equivalent to finitary CTL* (the variant of CTL* with quantification over finite paths), while the trace-based variant is equivalent to LTL (but at least exponentially more succinct). The state-based variant is more expressive than the computation-tree-based variant and expressively incomparable with both LTL and CTL*.

As for the complexity of the state-based MC problem, for the full logic HS, the problem is at least EXPSPACE-hard [2], while the only known upper bound is non-elementary [16]. The approach for full HS [16] consists in defining a finite abstraction over the (possibly infinite) set of finite paths of a Kripke structure. This abstraction is parameterized by a natural number h and is based on the h-level BE-descriptor of a path: a tree-like structure of depth h which conveys information about the states occurring in prefixes and suffixes of the path. Paths having the same h-level BE-descriptor (i) are indistinguishable with respect to the fulfillment of HS formulas having nesting depth of modalities for prefixes (B) and suffixes (E) at most h, and (ii) admit a bounded minimal representative (h-level BE-certificate) whose length is at most a tower of exponentials of height h. The model-checking procedure for full HS based on BE-descriptors is only sketched in [16] and, in particular, the succinctness of BE-descriptors has not been investigated so far. In subsequent papers [3,19,4,17], the focus has been on some syntactical fragments of HS: the fragment featuring only the modalities for the contains relation (D), and fragments featuring modalities for a subset of the Allen relations meets (A), started-by (B), finished-by (E) and their transposed relations Ā, B̄, and Ē, respectively (see Table 1 for a graphical intuition of relations). The complete picture of known results is reported in Figure 1.

In this paper, we first provide a uniform framework for the state-based MC problem against the HS syntactical fragments obtained by combining the modalities of a linear-time basis B (i.e., a non-empty subset of non-interdefinable Allen's relations in {B, E, D}) with the modalities for the (branching-time) Allen's relations in {A, L, O, Ā, L̄, B̄, Ē, D̄, Ō} but not including either the modalities for overlap O or the modalities of its transposed relation Ō (the fragment for the complete basis {B, E} expresses the full logic HS). The proposed approach generalizes the one provided in [16], where only the full logic HS is considered: for each basis B, it defines a finite abstraction of the set of paths of a Kripke structure based on the notion of h-level B-descriptor (coinciding with the BE-descriptor for the complete basis B = {B, E}). As for the basis {B, E}, we show that for all the other bases with the exception of {D}, paths having the same h-level B-descriptor (i) are indistinguishable with respect to the fulfillment of HS formulas having nesting depth of modalities for B at most h, and (ii) admit a bounded minimal representative (h-level B-certificate). We exploit these results for devising an alternating algorithm, parameterized in the basis B ≠ {D}, for model-checking the associated fragment, which runs in time bounded by the maximal length of h-level B-certificates of the input Kripke structure, with h being the B-nesting depth of the input formula, and whose number of alternations between existential and universal choices is at most the size of the input formula.

As a second contribution, for each basis B, we provide tight bounds on the length of h-level B-certificates. For the bases {B} and {E}, we prove singly-exponential upper and lower bounds. Hence, by the proposed alternating algorithm, we argue that model-checking for the fragments AABBDELLO and AABDEELLO is in the complexity class AEXP_pol of problems decided by exponential-time bounded alternating Turing Machines with a polynomially bounded number of alternations (a class included in EXPSPACE which captures the precise complexity of some relevant problems, e.g., the first-order theory of real addition with order [10]). On the other hand, for all bases B distinct from {B} and {E}, we state a non-elementary lower bound. In particular, the result obtained for the basis {B, E} negatively answers a question left open in [16] regarding the possibility of fixing an elementary upper bound on the size of BE-descriptors, and at the same time provides new insight on the MC problem for full HS: if elementary procedures are possible, they certainly have to exploit less powerful structures than descriptors.

The paper is organised as follows. In Section 2, we recall the state-based model-checking framework for HS. In Section 3, we introduce, for each basis B, the notion of B-descriptor, and describe the algorithm to solve the MC problem for the associated fragment. In Section 4, we fix tight bounds on the length of B-certificates, giving conclusions in Section 5.

Preliminaries
In this section, after introducing some notations we recall in Subsection 2.1 the logic HS [11] and the state-based model-checking framework for verifying HS formulas [16].
Let N be the set of natural numbers. For all i, j ∈ N, with i ≤ j, [i, j] denotes the set of natural numbers h such that i ≤ h ≤ j. For all n, h ∈ N, Tower(n, h) denotes a tower of exponentials of height h and argument n: Tower(n, 0) = n and Tower(n, h + 1) = 2^{Tower(n,h)}. Let Σ be a finite alphabet. The set of all the finite words over Σ is denoted by Σ*, and Σ+ := Σ* \ {ε}, where ε is the empty word. Let w be a finite word over Σ. We denote by |w| the length of w. For all i, j ∈ N, with i ≤ j, w(i) is the i-th letter of w (w(0) is the first letter) while w[i, j] denotes the infix of w given by w(i)

The Interval Temporal Logic HS
An interval algebra to reason about intervals and their relative orders was proposed by Allen in [1], while a systematic logical study of interval representation and reasoning was done a few years later by Halpern and Shoham, who introduced the interval temporal logic HS featuring one modality for each Allen relation, but equality [11]. Let AP be a finite set of atomic propositions. HS formulas ψ over AP are defined as follows: where p ∈ AP and ⟨X⟩ is the existential temporal modality for the (non-trivial) Allen's relations X ∈ {A, L, B, E, D, O, Ā, L̄, B̄, Ē, D̄, Ō}. The size |ψ| of a formula ψ is the number of distinct subformulas of ψ. We also exploit the standard logical connectives ∨ (disjunction) and → (implication) as abbreviations, and for any temporal modality ⟨X⟩, the dual universal modality [X] defined as: [X]ψ := ¬⟨X⟩¬ψ. An HS formula ψ is in positive normal form (PNF) if negation is applied only to atomic formulas in AP. By using De Morgan's laws and, for any existential modality ⟨X⟩, the dual universal modality [X], we can convert in linear time an HS formula ψ into an equivalent formula in PNF, called the PNF of ψ. For a formula ψ in PNF, the dual ψ̃ of ψ is the PNF of ¬ψ.

Given a set U ⊆ {A, L, B, E, D, O, Ā, L̄, B̄, Ē, D̄, Ō} of Allen's relations, the joint nesting depth of U in a formula ψ, denoted by depth_U(ψ), is defined as: (i) depth_U(p) = 0, for any

Given any subset of Allen's relations {X_1, ..., X_n}, we denote by X_1 ⋯ X_n the HS fragment featuring existential (and universal) modalities for X_1, ..., X_n only.

We assume the non-strict semantics of HS, which admits intervals consisting of a single point (all the results proved in the paper hold for the strict semantics as well). Under such an assumption, all HS-temporal modalities can be expressed in terms of ⟨B⟩, ⟨E⟩, ⟨B̄⟩, and ⟨Ē⟩ [25]. HS can thus be regarded as a multi-modal logic with ⟨B⟩, ⟨E⟩, ⟨B̄⟩, and ⟨Ē⟩ as primitive modalities and its semantics can be defined over a multi-modal Kripke structure, called abstract interval model (AIM for short), where intervals are treated as atomic objects and Allen's relations as binary relations over intervals.

Definition 1 (Abstract interval models [16]). An abstract interval model (AIM) over AP is a tuple A = (AP, I, B_I, E_I, Lab_I), where I is a possibly infinite set of worlds (abstract intervals), B_I and E_I are two binary relations over I, and Lab_I : I → 2^AP is a labeling function, which assigns a set of proposition letters from AP to each abstract interval.

In the interval setting, I is interpreted as a set of intervals and B_I and E_I as Allen's relations B (started-by) and E (finished-by), respectively; Lab_I assigns to each interval in I the set of atomic propositions that hold over it. Given an interval I ∈ I, the truth of an HS formula over I is inductively defined as follows (the Boolean connectives are treated as usual): A,

As an example, ⟨D⟩ can be expressed in terms of ⟨B⟩ and ⟨E⟩ as ⟨D⟩ψ := ⟨B⟩⟨E⟩ψ, while ⟨A⟩ can be expressed in terms of ⟨E⟩ and ⟨B̄⟩ as ⟨A⟩

State-based model-checking against HS.
In the context of MC, finite state systems are usually modelled as finite Kripke structures over a finite set AP of atomic propositions which represent predicates over the states of the system.

Definition 2. A Kripke structure over AP is a tuple K = (AP, S, E, Lab, s_0), where S is a set of states, E ⊆ S × S is a transition relation, Lab : S → 2^AP is a labelling function assigning to each state s the set of propositions that hold over it, and s_0 ∈ S is the initial state. We say that K is finite if S is finite.

Let K = (AP, S, E, Lab, s_0) be a Kripke structure. A path π of K is a non-empty finite word over S such that for all 0 ≤ i < |π|, (π(i), π(i + 1)) ∈ E. A sub-path (resp., internal sub-path) of π is a path of K which is a subword (resp., internal subword) of π. A path is initial if it starts from the initial state of K.

We now recall the state-based approach [16] for model checking Kripke structures against HS formulas, which consists in defining a mapping from a Kripke structure K to an AIM A_K, where the abstract intervals correspond to the paths of the Kripke structure, the relations B_I and E_I of A_K are interpreted as the Allen's relations B and E over the set of K-paths, respectively, and the following assumption is adopted: a proposition holds over an interval if and only if it holds over all its subintervals (homogeneity principle).
, where I is the set of paths of K, and:

Note that for a finite Kripke structure K, the number of paths in K may be infinite (this happens when K has loops), hence the number of intervals in A_K may be infinite. A Kripke structure K over AP is a model of an HS formula ψ over AP, written K ⊨ ψ, if for all initial paths π of K, A_K, π ⊨ ψ. In the following, we also write K, π ⊨ ψ to mean A_K, π ⊨ ψ. The (finite) model-checking problem (against HS) consists in checking whether K ⊨ ψ for a given HS formula ψ and a finite Kripke structure K.

We observe that the temporal modalities for the Allen's relations in {B, E, D} have a "linear-time" semantics, i.e., they allow one to select only slices (subpaths) of the current timeline (path). The semantics of the temporal modalities associated with the other Allen's relations (i.e., the ones in {A, L, O, Ā, L̄, B̄, Ē, D̄, Ō}) is instead "branching-time" (i.e., they allow one to non-deterministically extend the current timeline in the future or in the past). Accordingly, a non-empty subset of non-interdefinable Allen's relations in {B, E, D} is called a linear-time basis B of HS. Hence, the possible bases are {B}, {E}, {D}, {B, D}, {B, E}, and {E, D}.

Decision procedures based on descriptors
In this section, we provide a uniform framework for model-checking finite Kripke structures against the HS syntactical fragments, denoted by HS_B(F), obtained by combining the modalities of a linear-time basis B of HS distinct from {D} with the branching-time modalities for the Allen's relations in F = {A, Ā, B̄, Ē, L, L̄}. Note that for the complete basis {B, E}, we obtain the full logic HS. Moreover, the Allen relation D can be expressed in terms of B and E:

The proposed approach is a generalization of the one provided in [16], where only the full logic HS is considered. In particular, given a finite Kripke structure K, for each linear-time basis B of HS, we define a finite abstraction of the set of K-paths parameterized by a natural number h. This abstraction induces in turn a finite abstract interval model, which, in case B ≠ {D}, is equivalent to A_K with respect to the fulfillment of all the formulas in HS_B(F) having joint B-nesting depth at most h. This allows us to provide in Subsection 3.1 an alternating algorithm, parameterized in the basis B ≠ {D}, for model-checking the fragment HS_B(F), which, given a finite Kripke structure K and a formula ψ, runs in time bounded by the size of the finite abstraction for the basis B, the Kripke structure K and the parameter h = depth_B(ψ), and whose number of alternations between existential and universal choices is at most O(|ψ|).

For each basis B, we define in the following the notion of B-descriptor, which allows us to construct the above-mentioned finite abstraction. The definition of B-descriptors exploits h-level Σ-terms and h-level bipartite Σ-terms, where Σ denotes a given finite alphabet and h a natural number. Intuitively, an h-level Σ-term corresponds to an unordered finite tree of height h such that subtrees rooted at distinct children of the same node are not isomorphic. An h-level bipartite Σ-term is similar, but additionally we require that each edge in the tree has a color from a set of two colors. Formally, the set of h-level Σ-terms t is inductively defined as follows: if h = 0, then t = a for some a ∈ Σ; otherwise, t has the form (a, T) where a ∈ Σ and T is a (possibly empty) subset of (h − 1)-level Σ-terms. The set of h-level bipartite Σ-terms t is inductively defined as follows: if h = 0, then t = a for some a ∈ Σ; otherwise t is of the form (a, T_1, T_2) where a ∈ Σ and T_1 and T_2 are (possibly empty) subsets of (h − 1)-level Σ-terms.

We say that a is the root of t. The size of an h-level (bipartite) Σ-term is the number of nodes in the associated tree representation. The following holds.

An example of a 2-level {B}-descriptor is depicted in Figure 2. Intuitively, in case B ≠ {D}, the h-level B-descriptor B_h(π) of a Kripke structure path π has enough information for checking the fulfillment of HS_B(F) formulas with joint B-nesting depth at most h: for checking the fulfillment of proposition letters, B_h(π) keeps track at each node of the set of states visited by the current subpath of π; to deal with the branching-time modalities for the Allen's relations in F, B_h(π) also keeps track at each node of the first and last states of the current subpath; finally, for checking the fulfillment of the linear-time modalities for the basis B, B_h(π) keeps information about all the subpaths of the current subpath π′ which can be obtained from π′ by applying the Allen's relations in the basis B.

For a basis B = {X, Y} (resp., B = {X}), an h-level B-descriptor is also called an h-level XY-descriptor (resp., h-level X-descriptor) and, for a non-empty word w, we write XY_h(w) (resp., X_h(w)) to mean B_h(w). For a finite Kripke structure K, a basis B, and h ≥ 0, we denote by B_h(K) the finite set of h-level B-descriptors associated with the paths of K.

In the following we show that paths of K which have the same h-level B-descriptor with B ≠ {D} satisfy the same formulas in HS_B(F) whose joint B-nesting depth is at most h. As a preliminary step, we show that the property of two paths π and π′ to have the same h-level B-descriptor is preserved by right (resp., left) concatenation with another path of K. This result is used for handling the branching-time modalities ⟨B̄⟩ and ⟨Ē⟩.

Proposition 6. Let h ≥ 0, B ≠ {D} a basis, and π and π′ be two paths of a finite Kripke structure K having the same h-level B-descriptor. Then, for all paths π_L and π_R of K such that π_L π and π π_R are defined, the following holds: (1)

We note that Proposition 6 does not hold in general for the basis B = {D}. As an example, let us consider a Kripke structure K consisting of three states s_1, s_2, and s_3 such that (s_i, s_j) is an edge of K for all 1 ≤ i, j ≤ 3. Let us consider the two paths π = s_1 (s_2 s_3)^3 s_1 and π′ = s_1 (s_3 s_2)^3 s_1. One can check that π and π′ have the same 1-level D-descriptor. On the other hand, π · s_1 and π′ · s_1 have distinct 1-level D-descriptors: in particular, while π · s_1 has the internal subword s_3 s_1, there is no internal subword ν′ of π′ · s_1 such that fst(ν′) = s_3, lst(ν′) = s_1, and internal(ν′) = ∅.

By Proposition 6, we can obtain the following result.
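The counterexample above can be checked mechanically; the following is an added example, not code from the paper, and it also goes beyond the single counterexample by brute-forcing one-state right extension over short words for the bases {B} and {D}. It assumes, since the formal definition of descriptors is not reproduced on this page, that the h-level descriptor of a word w has root (fst(w), internal(w), lst(w)), with internal(w) the set of symbols at non-endpoint positions, and as children the (h − 1)-level descriptors of the non-empty proper prefixes (B), proper suffixes (E) or internal subwords (D) of w; all function names are hypothetical.

```python
from functools import lru_cache
from itertools import product

# Constructed input: the complete 3-state Kripke structure of the example,
# in which every non-empty word over STATES is a path.
STATES = ("s1", "s2", "s3")


def internal(w):
    """Symbols at the internal positions of w (first and last excluded)."""
    return frozenset(w[1:-1])


def related_subwords(w, relation):
    """Non-empty subwords of w selected by one linear-time Allen relation."""
    n = len(w)
    if relation == "B":   # proper prefixes
        return [w[:k] for k in range(1, n)]
    if relation == "E":   # proper suffixes
        return [w[k:] for k in range(1, n)]
    if relation == "D":   # internal subwords
        return [w[i:j] for i in range(1, n - 1) for j in range(i + 1, n)]
    raise ValueError(f"unknown relation {relation!r}")


@lru_cache(maxsize=None)
def descriptor(w, basis, h):
    """Assumed h-level descriptor of the word w (a tuple of states).

    basis is a string such as "B", "D" or "BE"; a two-relation basis yields
    one child set per relation (the bipartite terms of the text).
    """
    root = (w[0], internal(w), w[-1])
    if h == 0:
        return root
    children = tuple(
        frozenset(descriptor(v, basis, h - 1) for v in related_subwords(w, x))
        for x in sorted(basis)
    )
    return (root, children)


def right_extension_preserved(basis, h, max_len, alphabet=STATES):
    """True iff words of length <= max_len with equal h-level descriptors
    still have equal descriptors after appending any single state."""
    groups = {}
    for n in range(1, max_len + 1):
        for w in product(alphabet, repeat=n):
            groups.setdefault(descriptor(w, basis, h), []).append(w)
    for words in groups.values():
        for a in alphabet:
            if len({descriptor(w + (a,), basis, h) for w in words}) > 1:
                return False
    return True


# The two paths of the example: s1 (s2 s3)^3 s1 and s1 (s3 s2)^3 s1.
PI = ("s1",) + ("s2", "s3") * 3 + ("s1",)
PI_PRIME = ("s1",) + ("s3", "s2") * 3 + ("s1",)


def check_counterexample():
    """Return (equal before extension, witness in pi.s1, witness in pi'.s1)."""
    same_before = descriptor(PI, "D", 1) == descriptor(PI_PRIME, "D", 1)
    witness = ("s3", frozenset(), "s1")  # 0-level descriptor of the word s3 s1
    in_pi = witness in descriptor(PI + ("s1",), "D", 1)[1][0]
    in_pi_prime = witness in descriptor(PI_PRIME + ("s1",), "D", 1)[1][0]
    return same_before, in_pi, in_pi_prime


if __name__ == "__main__":
    print(check_counterexample())
    print(right_extension_preserved("B", 1, 5),
          right_extension_preserved("D", 1, 5))
```

Under these assumptions the brute-force search also finds shorter violations for {D} than the one given in the text, while none exists for {B} at the tested lengths.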

Algorithm for model-checking the logics HS B (F )
In this section, by exploiting Propositions 6-8, for each basis B ≠ {D}, we provide an alternating MC algorithm for the logic HS_B(F) (recall that F = {A, Ā, B̄, Ē, L, L̄}). We assume that HS_B(F) formulas are in PNF. As complexity measures of a formula ϕ, we consider the size |ϕ| and the standard alternation depth, denoted by Υ(ϕ), between the existential ⟨X⟩ and universal modalities [X] occurring in the PNF of ϕ for X ∈ {B̄, Ē}. Formally, we establish the following result, where MC_B is the set of pairs (K, ϕ) consisting of a finite Kripke structure K and an HS_B(F) formula ϕ such that K ⊨ ϕ.

To prove the assertion of Theorem 10 we define a procedure, parametric in the basis B ≠ {D}, which can be easily translated into an ATM. To this end, we introduce some auxiliary notation. Let us fix a finite Kripke structure K and an HS_B(F) formula ϕ in PNF. For two states s and s′, we write s →^+_K s′ to mean that s′ is reachable from s by a path of length at least 2. Let π be a B-certificate for (K, ϕ) and h = depth_B(ϕ). For each X ∈ B, an X-witness of π is a non-empty proper prefix (resp., non-empty proper suffix, resp., non-empty internal subpath) of π if X = B (resp., X = E, resp., X = D). A B̄-witness (resp., Ē-witness) of π for (K, ϕ) is a B-certificate π′ of (K, ϕ) such that π′ has the same h-level B-descriptor as a path of the form π π″ (resp., π″ π) for some B-certificate π″ of (K, ϕ) with |π″| > 1. By SD(ϕ) we denote the set consisting of the subformulas ψ of ϕ and the duals ψ̃. By Propositions 6-8, we easily deduce the following property.

Proposition 11. Let B ≠ {D} be a basis, ϕ an HS_B(F) formula in PNF, K a finite Kripke structure, and π a B-certificate for (K, ϕ). Then, for each ⟨X⟩ψ ∈ SD(ϕ) with X ∈ {B̄, Ē}, K, π ⊨ ⟨X⟩ψ iff there is an X-witness π′ of π for (K, ϕ) such that K, π′ ⊨ ψ.

Theorem 10. For each basis B ≠ {D}, one can construct a time-bounded Alternating Turing Machine (ATM) accepting MC_B which, given an input (K, ϕ), has a number of alternations (between existential and universal choices) at most Υ(ϕ) + 2 and runs in time

The set AALL(ϕ) is the set of formulas in SD(ϕ) of the form ⟨X⟩ψ′ or [X]ψ′ with X ∈ {A, Ā, L, L̄}. An AALL-labeling L for (K, ϕ) is a mapping associating with each state s of K a maximally consistent set of subformulas of AALL(ϕ). More precisely, for all s ∈ S, L(s) is such that for all ψ, ψ̃ ∈ AALL(ϕ), L(s) ∩ {ψ, ψ̃} is a singleton. L is valid if for all states s ∈ S and ψ ∈ L(s), K, s ⊨ ψ (we consider s as a length-1 path). Finally, a well-formed set for (K, ϕ) is a finite set W consisting of pairs (ψ, π) such that ψ ∈ SD(ϕ) and π is a B-certificate of (K, ϕ). W is said to be universal if each formula occurring in W is of the form [X]ψ with X ∈ {B̄, Ē}. The dual W̃ of W is the well-formed set obtained by replacing each pair (ψ, π) ∈ W with (ψ̃, π). A well-formed set W is valid if for each (ψ, π) ∈ W, K, π ⊨ ψ.

The procedure check_B in Figure 3 defines the ATM required to prove the assertion of Theorem 10 for a basis B ≠ {D}. It takes a pair (K, ϕ) as input, where ϕ is an HS_B(F) formula, and: (1) it guesses an AALL-labeling L for (K, ϕ); (2) it checks that the guessed labeling L is valid; (3) for every B-certificate π of (K, ϕ) starting from the initial state, it checks that K, π ⊨ ϕ. To perform steps (2)-(3), it exploits the auxiliary ATM procedure checkTrue_B reported in Figure 4. The procedure checkTrue_B takes as input a well-formed set W for (K, ϕ) and, assuming that the current AALL-labeling L is valid, checks whether W is valid. For each pair (ψ, π) ∈ W such that ψ is not of the form [X]ψ′ with X ∈ {B̄, Ē}, checkTrue_B checks whether K, π ⊨ ψ. In order to allow a deterministic choice of the current element of the iteration, we assume that the set W is implemented as an ordered data structure. At each iteration of the while loop in checkTrue_B, the current pair (ψ, π) ∈ W is processed according to the semantics of HS, exploiting the guessed AALL-labeling L and Proposition 11. The processing is either deterministic or based on an existential choice, and the currently processed pair (ψ, π) is either removed from W, or replaced with pairs (ψ′, π′) such that ψ′ is a strict subformula of ψ.

[Figure 4: procedure checkTrue_B(K, ϕ, L, W), where W is a well-formed set and L is an AALL-labeling for (K, ϕ). Only its final step survives: after the while loop, if W = ∅ then accept, else universally choose (ψ, π) ∈ W̃ and call checkFalse_B(K, ϕ, L, {(ψ, ρ)}).]

At the end of the while loop, the resulting well-formed set W is either empty or universal. In the former case, the procedure accepts. In the latter case, there is a switch in the current operation mode. For each element (ψ, π) in the dual W̃ of W (note that the root modality of ψ is either ⟨Ē⟩ or ⟨B̄⟩), the auxiliary ATM procedure checkFalse_B is invoked, which accepts the input {(ψ, π)} iff K, π ⊭ ψ. The procedure checkFalse_B is the dual of checkTrue_B: it is simply obtained from checkTrue_B by switching accept and reject, by switching existential choices and universal choices, and by converting the last call to checkFalse_B into checkTrue_B. Thus checkFalse_B accepts an input W iff W is not valid.

Note that the number of alternations of the ATM check_B between existential and universal choices is the number of switches between the calls to the procedures checkTrue_B and checkFalse_B plus two. The correctness of the algorithm follows from Propositions 7, 8 and 11.

Tight bounds on the length of certificates
In this section, for each basis B (except {D}), we provide tight bounds on the length of h-level B-certificates. For the bases {B} and {E} (see Subsection 4.1), we prove singly exponential upper bounds and matching lower bounds. By Theorem 10, we deduce that model-checking the logics HS_{B}(F) and HS_{E}(F) is in the complexity class AEXP_pol of problems decided by exponential-time bounded alternating Turing Machines with a polynomially bounded number of alternations. On the other hand, for all bases B distinct from {B} and {E}, we state a non-elementary lower bound (see Subsection 4.2). In particular, the result obtained for the basis {B, E} negatively answers a question left open in [16] regarding the possibility of fixing an elementary upper bound on the size of BE-descriptors.

Tight bounds on the length of B-certificates and E-certificates
In this section, we provide exponential upper bounds and exponential lower bounds on the length of h-level B-certificates and E-certificates of a finite Kripke structure. Considering that AEXP_pol ⊆ EXPSPACE, our result improves the EXPSPACE upper bounds for the smaller fragments AABBE and AAEBE obtained in [17] by a much more involved technique. In the following, we prove Theorem 12 focusing on B-certificates (the proof for E-certificates is similar and omitted).

Upper bound in Theorem 12 for B-certificates. In order to prove Theorem 12(1), for a given finite alphabet Σ and h ≥ 0, we first define a variant of the notion of h-level B-descriptor, called ordered h-prefix descriptor over Σ, which is not related to a specific word over Σ. The set OPD_h of ordered h-prefix descriptors over Σ is partitioned into |Σ| subsets OPD^b_h (for each b ∈ Σ), where each of them is equipped with a strict partial order. We show that (i) each strict ascending chain of elements in OPD^b_h has length at most O(|Σ|^{2h+1}), (ii) the h-level B-descriptor of a word w ∈ Σ+ is an element in OPD_h, and (iii) for each w ∈ Σ+, the h-level B-descriptors associated with the prefixes of w can be grouped into at most |Σ| non-strict ascending chains. Thus, by Proposition 6 and reasoning as in Proposition 8, we fix the upper bound on the length of h-level B-certificates for a given finite Kripke structure.

Let h ≥ 0. For a (Σ × 2^Σ × Σ)-term t with root (a, I, b), we say that a (resp., b) is the first symbol (resp., last symbol) of t.

Definition 14 (Ordered prefix descriptors). Let Σ be a finite alphabet and h ≥ 0. We define by induction on h a pair

. , t n be ordered h-prefix descriptors having last symbol b such that t
Proof. The proof is by induction on h ≥ 0. For h = 0, there is a ∈ Σ s.t. for all i ∈ [1, n], t_i = (a, I_i, b) for some I_i ⊆ Σ, and I_1 ⊂ I_2 ⊂ ... ⊂ I_n. Hence, n ≤ |Σ| and the result follows. Now, let h > 0. Hence, there is a ∈ Σ s.t. for all i ∈ [1, n], t_i is of the form t_i = ((a, I_i, b), T_i). By hypothesis, I_1 ⊆ I_2 ⊆ ... ⊆ I_n. Moreover, for each i ∈ [1, n], T_i can be partitioned into at most |Σ| strict ascending chains of ordered (h − 1)-prefix descriptors having the same last symbol. Thus, by the induction hypothesis, we have that

By exploiting Proposition 15, we deduce the following proposition, from which the upper bound for the h-level B-certificates in Theorem 12 directly follows.

Proposition 16. Let K be a finite Kripke structure with set of states S, h ≥ 0, and π a path of K. Then, the following holds:

Proof. Property 1 can be proved by a straightforward induction on h ≥ 0. Now, let us consider Property 2. By reasoning as in the proof of Proposition 8, there is a path π′ of K having the same h-level B-descriptor as π and such that distinct non-empty prefixes of π′ have distinct h-level B-descriptors as well. Let s be a state visited by π′; then, by Property 1, the set of h-level B-descriptors associated with the non-empty prefixes of π′ ending at state s forms a strict ascending chain (with respect to ≺_h) whose length n_s coincides with the number of positions i of π′ such that π′(i) = s. By Proposition 15, n_s ≤ |S|^{2h+1}. Since |π′| = Σ_{s ∈ S(π′)} n_s, where S(π′) is the set of states visited by π′, we obtain that |π′| ≤ |S|^{2h+2}.

Lower bound in Theorem 12 for B-certificates. For each n ≥ 1, let Σ_n = {a_1, ..., a_n} be an alphabet consisting of n distinct symbols a_1, ..., a_n. We exhibit a family (w^h_n)_{h≥0} of non-empty words over Σ_n such that for each h ≥ 0, the length of w^h_n is at least (1/(h+1)) · (n/(h+1))^{h+1} · e^h and w^h_n is a minimal representative of the (h+1)-level B-descriptor B_{h+1}(w^h_n). Fix n ≥ 1. Formally, for all i, j ∈ [1, n] and h ≥ 0, we define by induction on h ≥ 0 a non-empty word w_{i,j,h} over Σ_n called (i, j, h)-miniword:

1. Case h = 0: if i ≤ j, then w_{i,j,h} = a_i a_{i+1} ... a_j. Otherwise, w = a_j a_{j−1} ... a_i. The set of main positions of w_{i,j,h} is the set of all its positions.

Case h >
where for each ∈ [j, i], u is the ( , i, h − 1)-miniword.The subwords w (resp., u ) with ∈ [i, j] (resp., ∈ [j, i]) are called secondary subwords of w i,j,h , while a main position of w i,j,h is a position which is not associated to a secondary-subword position.
We say that $w_{i,j,h}$ has level $h$. Note that by construction, for each symbol $a$ occurring in $w_{i,j,h}$, the smallest position such that $w_{i,j,h}$( ) = $a$ is a main position. We can show that distinct prefixes of $h$-level miniwords have distinct $h$-level B-descriptors as well.
Proposition 17. Let $n \geq 1$ and $h \geq 0$. Then, for each miniword $w$ over $\Sigma_n$ of level $h$, distinct prefixes of $w$ have distinct $h$-level B-descriptors.
For $\Sigma_n = \{a_1, \ldots, a_n\}$, let $K(\Sigma_n)$ be the Kripke structure $(\Sigma_n, \Sigma_n, E, Lab, a_1)$, where $Lab$ is the identity and $(a_i, a_j) \in E$ for all $i, j \in [1, n]$. The set of paths in $K(\Sigma_n)$ is the set of non-empty finite words over $\Sigma_n$. Hence, the lower bound in Theorem 12 for B-certificates directly follows from the following result which is obtained by exploiting Proposition 17.
Proposition 18. Let $n \geq 1$, $i, j \in [1, n]$, and $h \geq 0$. For the $(i, j, h)$ miniword $w_{i,j,h}$ over $\Sigma_n$, the length of $w_{i,j,h}$ is at least $\frac{1}{h+1} \cdot \left(\frac{|i-j|+1}{h+1}\right)^{h+1} \cdot e^h$ and there is no smaller word $u$ over $\Sigma_n$ (i.e., such that $|u| < |w_{i,j,h}|$) having the same $(h+1)$-level B-descriptor as $w_{i,j,h}$.

Proof. For the $(i, j, h)$ miniword $w_{i,j,h}$, let $p = |i - j| + 1$. By construction, the length of $w_{i,j,h}$, denoted by $L(p, h)$, depends only on $h$ and $p$, and satisfies the recurrence: $L(p, h) = p$ if $h = 0$, and $L(p, h) = p + \sum_{\ell=1}^{\ell=p} L(\ell, h-1)$ otherwise. We first show by induction on $h \geq 0$ that $L(p, h) \geq \frac{p^{h+1}}{(h+1)!}$. The base case ($h = 0$) is obvious. Now, let $h > 0$. By the induction hypothesis and the fact that h+1 (Faulhaber's formula), we have that , the claimed lower bound follows. Now, let $T$ be the set of $h$-level B-descriptors of the non-empty proper prefixes of $w_{i,j,h}$, and $u$ a non-empty word having the same $(h+1)$-level B-descriptor as $w_{i,j,h}$. Since the number of non-empty proper prefixes of a non-empty word w is

Non-elementary lower bounds on the length of BD-certificates, BE-certificates, and ED-certificates
In this section, for each linear-time basis B ∈ {{B, D}, {B, E}, {E, D}}, we establish a non-elementary lower bound on the length of h-level B-certificates. Hence, in particular, we obtain a non-elementary lower bound on the running time of the algorithm for model-checking the logic $HS_B(F)$ presented in Section 3.1.

Theorem 19. There is a family $\{K_n\}_{n \geq 1}$ of finite Kripke structures such that for all $n \geq 1$, $K_n$ has $O(n)$ states and for all $k \in [0, n-1]$ and basis B with B ∈ {{B, D}, {E, D}} (resp., B = {B, E}), there are $k$-level (resp., $2k$-level) B-certificates of $K_n$ having length at least $\Omega(Tower(n, k+1))$.
In the rest of this section we provide a proof of Theorem 19. We first show as an intermediate and crucial step that there is a family $\{\Sigma_n\}_{n \geq 1}$ of finite alphabets such that for all $n \geq 1$, $\Sigma_n$ has cardinality $O(n)$ and for all $h \in [0, n-1]$, there are $\Omega(Tower(n, h+1))$ words over $\Sigma_n$ having pairwise distinct $h$-level D-descriptors (resp., $2h$-level BE-descriptors).
Fix $n \geq 1$ and let $\Sigma_n$ be the finite alphabet having cardinality $O(n)$ given by

For each $h \in [1, n]$, we define a suitable encoding of the natural numbers in $[0, Tower(n, h) - 1]$ by finite words over $\Sigma^h_n$, called $(n, h)$-blocks. In particular, for $h > 1$, a $(n, h)$-block encoding a natural number $m \in [0, Tower(n, h) - 1]$ is a sequence of $Tower(n, h-1)$ $(n, h-1)$-blocks, where the $i$-th $(n, h-1)$-block encodes both the value and (recursively) the position of the $i$-th bit in the binary representation of $m$. Formally, the set of $(n, h)$-blocks is defined by induction on $h$ as follows:

Base Step: $h = 1$. A $(n, 1)$-block is a finite word $bl$ over $\Sigma^1_n$ of length $n + 2$ having the form $bl = (\$_1, bit)(1, bit_1) \ldots (n, bit_n)(\$_1, bit)$ such that $bit, bit_1, \ldots, bit_n \in \{0, 1\}$. The content of $bl$ is $bit$, and the index of $bl$ is the natural number in $[0, Tower(n, 1) - 1]$ (recall that $Tower(n, 1) = 2^n$) whose binary code is $bit_1 \ldots bit_n$.
and for all i ∈ [0, ], bl i is a (n, h − 1)-block having index i.The content of bl is bit and the index of bl is the natural number in [0, Tower(n, h) − 1] whose binary code is given by bit 0 , . . ., bit , where bit i is the content of the sub-block bl i for all 0 ≤ i ≤ .

We first consider the D-descriptors. Let $(D_0(bl), T)$ (resp., $(D_0(bl'), T')$) be the $(h-1)$-level D-descriptor of $bl$ (resp., $bl'$). We show that for each non-empty internal subword $w$ of $bl$, the $(h-2)$-level D-descriptor $D_{h-2}(w)$ of $w$ is distinct from the $(h-2)$-level descriptor $D_{h-2}(sb_i)$ of $sb_i$. Hence, $D_{h-2}(sb_i) \notin T$. Since $D_{h-2}(sb_i) \in T'$, we obtain that $T \neq T'$ and the result follows. Fix a non-empty internal subword $w$ of $bl$. By hypothesis and construction, there is no subword of $bl$ which coincides with $sb_i$. We distinguish the following cases: $w$ is an $(n, h-1)$-block. Since $w$ is an internal subword of $bl$ and no subword of $bl$ coincides with $sb_i$, it holds that $w \neq sb_i$. Hence, by the induction hypothesis, $D_{h-2}(w) \neq D_{h-2}(sb_i)$.
It remains to consider the BE-descriptors.
Let $(BE_0(bl), T_P, T_S)$ (resp., $(BE_0(bl'), T'_P, T'_S)$) be the $(2h-2)$-level BE-descriptor of $bl$ (resp., $bl'$), and $w_{sb_i}$ be the unique proper prefix of $bl'$ having $sb_i$ as a proper suffix. We show that for each non-empty proper prefix $w_p$ of $bl$, $BE_{2h-3}(w_{sb_i}) \neq BE_{2h-3}(w_p)$. Hence, $BE_{2h-3}(w_{sb_i}) \notin T_P$. Since $BE_{2h-3}(w_{sb_i}) \in T'_P$, we obtain that $T_P \neq T'_P$ and the result follows. Fix a non-empty proper prefix $w_p$ of $bl$. Note that since $h \geq 2$, $BE_{2h-3}(w_p)$ is of the form $(BE_0(w_p), R_P, R_S)$ and $BE_{2h-3}(w_{sb_i})$ is of the form $(BE_0(w_{sb_i}), R'_P, R'_S)$. Thus, it suffices to prove that $R_S \neq R'_S$. Since a proper suffix of a proper prefix of a word $u$ is an internal word of $u$ and $BE_{2h-4}(sb_i) \in R'_S$, we just need to show that for each non-empty internal subword $u$ of $bl$, $BE_{2h-4}(sb_i) \neq BE_{2h-4}(u)$. For this we proceed as for the case of the D-descriptors but this time we apply the induction hypothesis on the $BE_{2h-4}$-descriptors. This concludes the proof of Lemma 22.
Proof of Theorem 19. Let $n \geq 1$, $a_n$ be a designated letter in the alphabet $\Sigma_n$ and $K_n$ the finite Kripke structure over $\Sigma_n$ given by $K_n = (\Sigma_n, \Sigma_n, E_n, Lab_n, a_n)$, where $(a, a') \in E_n$ and $Lab_n(a) = \{a\}$ for all $a, a' \in \Sigma_n$. Hence, the paths of $K_n$ correspond to the non-empty finite words over $\Sigma_n$. We show that for all $k \in [0, n-1]$ and basis B with B ∈ {{B, D}, {E, D}} (resp., B = {B, E}), there are $\Omega(Tower(n, k+1))$ distinct $k$-level (resp., $2k$-level) B-certificates of $K_n$. Hence, Theorem 19 directly follows. By Remark 20, there are $2 \cdot Tower(n, k+1)$ distinct $(n, k+1)$-blocks. Thus, for the basis {B, E}, the result directly follows from Lemma 22. For the bases {B, D} and {E, D}, the result follows from Lemma 22 and the fact that words having distinct $2k$-level D-descriptors have distinct $2k$-level BD-descriptors (resp., distinct $2k$-level ED-descriptors) as well.

Conclusions
We have addressed open complexity issues about the known approach to model-checking the logic HS, based on abstract representations of paths in Kripke structures (BE-descriptors).
In particular, we have proposed a unifying framework for model-checking full HS and large HS-fragments obtained by (i) introducing for each basis B, a specialized type of descriptor (B-descriptor) and (ii) designing an alternating-time MC algorithm with a polynomially bounded number of alternations which is parametric w.r.

Figure 1 Complexity of the MC problem for HS fragments.

Proposition 7. Let $h \geq 0$, $B \neq \{D\}$ a basis, and $\pi$ and $\pi'$ be two paths of a finite Kripke structure $K$ having the same $h$-level B-descriptor. Then, for each $HS_B(F)$ formula $\psi$ with $depth_B(\psi) \leq h$, it holds that $K, \pi \models \psi$ iff $K, \pi' \models \psi$.

By Proposition 6, for each $B \neq \{D\}$, we can also state a bounded path property which intuitively provides a bounded witness for each $B_h$-descriptor associated with an arbitrary path of a finite Kripke structure. The bounded path property will be crucial in Subsection 3.1 to design the MC algorithm for the logic $HS_B(F)$.

Proposition 8 (Bounded Path Property). Let $B \neq \{D\}$ be a basis, $K$ a finite Kripke structure, $h \geq 0$ and $\pi$ a $K$-path. Then, there exists a path $\pi'$ having the same $h$-level B-descriptor of $\pi$ and whose length is bounded by $|B_h(K)|$ (i.e., the number of distinct $h$-level B-descriptors of the $K$-paths).

Proof. Let $|\pi| = n$. Since there are $n$ distinct non-empty prefixes of $\pi$, if $n > |B_h(K)|$, then $\pi$ can be written in the form $\pi = \nu \cdot \nu' \cdot \nu''$ such that $|\nu| > 0$, $|\nu'| > 0$, and $\nu$ and $\nu \cdot \nu'$ have the same $h$-level B-descriptor. By Proposition 6, the strictly smaller path $\nu \cdot \nu''$ has the same $h$-level B-descriptor as $\pi$. We can iterate such a contraction process until there are no more pairs of prefixes with the same $h$-level B-descriptor, proving the statement.

By Propositions 7 and 8 we can define bounded minimal representatives (B-certificates) of paths used in the MC algorithm defined in the next section.

Definition 9 (B-certificate). Given a basis $B \neq \{D\}$, a finite Kripke structure $K$, and $h \geq 0$, an $h$-level B-certificate of $K$ is a path $\pi$ of $K$ such that there is no path $\pi'$ so that $|\pi'| < |\pi|$ and $\pi$ and $\pi'$ have the same $h$-level B-descriptor. Given an $HS_B(F)$ formula $\varphi$, a B-certificate for $(K, \varphi)$ is an $h$-level B-certificate of $K$ where $h = depth_B(\varphi)$. By Proposition 8 an upper bound on the length of B-certificates for $(K, \varphi)$ is $|B_h(K)|$ with $h = depth_B(\varphi)$.
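The contraction from the proof of Proposition 8, as an added Python example (not code from the paper), for the prefix basis {B} on words over a two-letter alphabet, i.e. paths of a complete Kripke structure. The 0-level form B_0(w) = (fst(w), internal(w), lst(w)), the function names and the sample words are assumptions; the h-level case uses the descriptors of the non-empty proper prefixes.

```python
from functools import lru_cache

def b0(w):
    # Assumed 0-level triple (fst(w), internal(w), lst(w)), in the (a, I, b) shape.
    return (w[0], frozenset(w[1:-1]), w[-1])

@lru_cache(maxsize=None)
def desc(w, h):
    """h-level descriptor for the basis {B}: B_0(w) plus the set of
    (h-1)-level descriptors of the non-empty proper prefixes of w."""
    if h == 0:
        return b0(w)
    return (b0(w), frozenset(desc(w[:k], h - 1) for k in range(1, len(w))))

def contract(w, h):
    """While two prefixes nu and nu.nu' share an h-level descriptor,
    replace nu.nu'.nu'' by the strictly shorter nu.nu''."""
    if h < 1:
        # With the assumed triple, "a" and "aa" collide at level 0 although
        # "ab" and "aab" do not, so this example covers h >= 1 only.
        raise ValueError("example covers h >= 1")
    while True:
        seen = {}  # descriptor -> length of the shortest prefix carrying it
        for k in range(1, len(w) + 1):
            d = desc(w[:k], h)
            if d in seen:
                w = w[:seen[d]] + w[k:]  # drop the middle factor nu'
                break
            seen[d] = k
        else:
            return w  # all prefixes now have pairwise distinct descriptors

def prefixes_distinct(w, h):
    ds = [desc(w[:k], h) for k in range(1, len(w) + 1)]
    return len(ds) == len(set(ds))

# Constructed sample paths over the alphabet {a, b}.
SAMPLES = ["a" * 7, "abababbaab", "bbabaabbbab"]

def run(h):
    return [(w, contract(w, h)) for w in SAMPLES]

if __name__ == "__main__":
    for h in (1, 2):
        for w, c in run(h):
            print(h, w, "->", c, len(c))
```

The result is a bounded witness in the sense of Proposition 8; it need not be a shortest representative, i.e. a B-certificate.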
where $M_B(K, \varphi)$ is the maximal length of a B-certificate for the input, and $d = 2$ if $D \in B$ and $d = 1$ otherwise.

Figure 4 Procedure checkTrueB for a linear-time basis $B \neq \{D\}$.

Corollary 13. For the basis B = {B} (resp., B = {E}), model-checking the logic $HS_B(F)$ is in $AEXP_{pol}$ and at least PSPACE-hard.
equality between the initial symbols) and (ii) $I \cup \{b\} \subseteq I' \cup \{b'\}$, and either $b \neq b'$ or

Proposition 15.
The binary relation $\prec_h$ is defined as follows: $((a, I, b), T) \prec_h ((a', I', b'), T')$ if $a = a'$, $I \cup \{b\} \subseteq I' \cup \{b'\}$, $T \subseteq T'$; either $b \neq b'$ or $I \cup \{b\} \subset I' \cup \{b'\}$ or $T \subset T'$. By construction for each $b \in \Sigma$, the binary relation $\prec_h$ is a strict partial order over the set $OPD^b_h$ of ordered $h$-prefix descriptors over $\Sigma$ having the same last symbol $b$. Additionally, we show that a strict ascendent chain of elements in $OPD^b_h$ has length at most $|\Sigma|^{2h+1}$. Let $h \geq 0$, $\Sigma$ be a finite alphabet, $b \in \Sigma$, and $t_1$, . .

t. the chosen basis B and runs in time bounded by the length of B-descriptor certificates. As a main result, for each basis B, we have provided tight bounds on the length of B-certificates: exponential for the bases {B} and {E} (which lead to $AEXP_{pol}$ procedures for the related fragments), and non-elementary for the other bases. Future work will be devoted to solve the hard open question about the existence of an elementary procedure for the MC problem for the full logic, and to settle the exact complexity for model-checking the HS-fragments for the bases {B} and {E}.
• • • w(j). If w ≠ ε, then we denote by fst(w) and lst(w) the first and last symbol of w, and by internal(w) the set of letters in Σ occurring in w[1, n − 1] where |w| = n + 1. The concatenation of two finite words w and w′ is denoted by w • w′. Moreover, if lst(w) = fst(w′), w w′ represents w[0, n − 1] • w′, where |w| = n + 1 ( -concatenation). The set Pref(w) of non-empty proper prefixes of w is the set of non-empty finite words u such that w = u • v for some non-empty word v. The set Suff(w) of non-empty proper suffixes of w is the set of non-empty words u such that w = v • u for some non-empty finite word v. A subword (resp., internal subword) of w is a word w′ such that w is of the form w = u • w′ • v for some words (resp., for some non-empty words) u and v.

Table 1
descriptors of the non-empty proper prefixes (resp., non-empty proper suffixes, resp., non-empty internal subwords) of $w$.
Case B = {B, E}: $B_h(w) = (B_0(w), T_B, T_E)$ with $T_B$ (resp., $T_E$) the set of $(h-1)$-level B-descriptors of the non-empty proper prefixes (resp., non-empty proper suffixes) of $w$.
Case B = {B, D} (resp., B = {E, D}): as in case B = {B, E} by replacing $T_E$ (resp., $T_B$) with the set of $(h-1)$-level B-descriptors of the non-empty internal subwords of $w$.
(a, {a, b}, b)

Theorem 12. The following holds:
Upper bound: let $K$ be a finite Kripke structure with set of states $S$ and $h \geq 0$. Then, each $h$-level B-certificate (resp., $h$-level E-certificate) has length at most $|S|^{2h+2}$.
Lower bound: there is a family $\{K_n\}_{n \geq 1}$ of finite Kripke structures such that for all $n \geq 1$, $K_n$ has $O(n)$ states and for all $h \geq 1$, there are $h$-level B-certificates (resp., $h$-level E-certificates) of $K_n$ whose length is at least $\frac{1}{h+1} \cdot \left(\frac{n}{h+1}\right)^{h+1} \cdot e^h$.

By Theorem 10 and the upper bound in Theorem 12, and considering that model-checking B and E is already PSPACE-hard, we obtain the following result.