The Complexity of Counting Models of Linear-time Temporal Logic

We determine the complexity of counting models of bounded size of specifications expressed in Linear-time Temporal Logic. Counting word models is #P-complete, if the bound is given in unary, and as hard as counting accepting runs of nondeterministic polynomial space Turing machines, if the bound is given in binary. Counting tree models is as hard as counting accepting runs of nondeterministic exponential time Turing machines, if the bound is given in unary. For a binary encoding of the bound, the problem is at least as hard as counting accepting runs of nondeterministic exponential space Turing machines. On the other hand, it is not harder than counting accepting runs of nondeterministic doubly-exponential time Turing machines.


Introduction
Model counting, the problem of computing the number of models of a logical formula, generalizes the satisfiability problem and has diverse applications: many probabilistic inference problems, such as Bayesian net reasoning [13], and planning problems, such as computing the robustness of plans in incomplete domains [15], can be formulated as model counting problems of propositional logic.Model counting for Linear-time Temporal Logic (LTL) has been recently introduced in [8].LTL is the most commonly used specification logic for reactive systems [16] and the standard input language for model checking [2,5] and synthesis tools [3,4,6].LTL model counting asks for computing the number of transition systems that satisfy a given LTL formula.As such a formula has either zero or infinitely many models one considers models of bounded size: for a formula ϕ and a bound k, the problem is to count the number of models of ϕ of size k.This is motivated by applications like bounded model checking [2] and bounded synthesis [7], where one looks for short error paths and small implementations, respectively, by iteratively increasing a bound on the size of the model.Just like propositional model counting generalizes satisfiability, by considering two types of bounded models, namely, word-models (of length k) and tree-models (of height k), the authors of [8] introduced quantitative extensions of model checking and synthesis.
Word-models are ultimately periodic words of the form u.v ω of bounded length |u.v|, which are used to model computations of a system.Counting wordmodels can be used in model checking to determine not only the existence of computations that violate the specification, but also the number of such violations.
To this end, one turns the model checking problem into an LTL satisfiability problem by encoding the transition system and the negation of the specification into a single LTL formula.Its models represent erroneous computations of the system, i.e., counting them gives a quantitative notion of satisfaction.
Tree-models are finite trees (of fixed out-degree) of bounded height with backedges at the leaves, i.e., tree-models can be exponentially-sized in the bound.They are used to describe implementations of the input-output behavior of reactive systems (see, e.g., [7]), namely the edges of a tree-model represent the input behavior of the environment and the nodes represent the corresponding output behavior of the system.In synthesis, counting tree-models can be used to determine not only the existence of an implementation that satisfies the specification, but also the number of such implementations.This number is a helpful metric to understand how much room for implementation choices is left by a given specification, and to estimate the impact of new requirements on the remaining design space.
For safety LTL specifications [18], algorithms solving the word-and the tree-model counting problem were presented in [8].The running time of the algorithms is linear in the bound and doubly-exponential respectively triplyexponential in the length of the formula.The high complexity in the formula is, however, not a major concern in practice, since specifications are typically small while models are large (cf. the state-space explosion problem).
Here, we complement these algorithms by analyzing the computational complexity of the model counting problems for full LTL by placing the problems into counting complexity classes.These classes are based on counting accepting runs of nondeterministic Turing machines.In his seminal paper on the complexity of computing the permanent [19], Valiant introduced the class #P of counting problems associated with counting accepting runs of nondeterministic polynomial time Turing machines: a function f : Σ * → N is in #P if there is a nondeterministic polynomial time Turing machine M such that f (w) is equal to the number of accepting runs of M on w.Furthermore, for a class C of decision problems, he defined 1 # o C to be the class of counting problems induced by counting accepting runs of a nondeterministic polynomial time Turing machine with an oracle from C.
A nondeterministic polynomial time Turing machine M (with or without oracle) has at most O(2 p(n) ) different runs on inputs of length n for some polynomial p.This means that there is an exponential upper bound on functions in #P and in # o C for every C.However, an LTL tautology has exponentially many word-models of length k and more than doubly-exponentially many tree-models of height k.This means, that no function in any of the counting classes defined above can capture the counting problems for LTL.
To overcome this, we consider counting classes obtained by lifting the restriction on considering only nondeterministic polynomial time (oracle) machines: a function f : Σ * → N is in #Pspace, if there is a nondeterministic polynomial space Turing machine M such that f (w) is equal to the number of accepting runs of M on w.The classes #Exptime, #Expspace, and #2Exptime are defined analogously2 .Some of these classes appeared in the literature, e.g., #Pspace was shown to be equal to FPspace [11] (if the output is encoded in binary).Also, computing a specific entry of a matrix power A n is in #Pspace, if A is represented succinctly and n in binary [14], and counting self-avoiding walks in succinctly represented hypercubes is complete for #Exptime [12] under rightbit-shift reductions.
We place the LTL model counting problems in these classes.Unsurprisingly, the encoding of the bound k is crucial: for unary bounds, we show counting wordmodels to be #P-complete and show counting tree-models to be #Exptimecomplete.For binary bounds, the word-model counting problem is #Pspacecomplete and counting tree-models is #Expspace-hard and in #2Exptime.The upper bounds hold for full LTL while the formulas for the lower bounds define safety properties (using only the temporal operators next and release).Thus, the lower bounds already hold for the fragment considered in [8].
The algorithms we present to prove the upper bounds are not practical since they are based on guessing a word (tree) and then model checking it.Hence, a deterministic variant of these algorithms would enumerate all words (trees) of length (height) k and then run a model checking algorithm on them.In particular, the running time of the algorithms is exponential (or worse) in the bound k, which is in stark contrast to the practical algorithms [8].Our lower bounds are reductions from the problem of counting accepting runs of a Turing machine.For the word counting problem, the reductions are slight strengthenings of the reduction proving Pspace-hardness of the LTL model checking problem [17].However, the reductions in the tree case are more involved (and to the best of our knowledge new), since we have to deal with exponential time respectively exponential space Turing machines.The main technical difficulties are to encode runs of exponential length and with configurations of exponential size into tree-models of "small" LTL formulas and to ensure that there is a one-to-one correspondence between accepting runs and models of the constructed formula.
All missing proofs can be found in the appendix.

Preliminaries
We represent models as labeled transition systems.For a given finite set Υ of directions and a finite set Σ of labels, a Σ-labeled Υ -transition system is a tuple S = (S, s 0 , τ, o), consisting of a finite set of states S, an initial state s 0 ∈ S, a transition function τ : S × Υ → S, and a labeling function o : S → Σ.A path in S is a sequence π : N → S × Υ of states and directions that follows the transition function, i.e., for all i ∈ N if π(i) = (s i , e i ) and π(i + 1) = (s i+1 , e i+1 ), then s i+1 = τ (s i , e i ).We call the path initial if it starts with the initial state: π(0) = (s 0 , e) for some e ∈ Υ .We use Linear-time Temporal Logic (LTL) [16], with the usual temporal operators Next , Until U, Release V, and the derived operators Eventually and Globally .We use i to refer to i nested next operators.LTL formulas are defined over a set of atomic propositions AP = I ∪ O, which is partitioned into a set I of input propositions and a set O of output propositions.We denote the satisfaction of an LTL formula ϕ by an infinite sequence σ : N → 2 AP of valuations of the atomic propositions by σ |= ϕ.A 2 O -labeled 2 I -transition system S = (S, s 0 , τ, o) satisfies ϕ, if for every initial path π the sequence σ π : i → o(π(i)), where o(s, e) = (o(s) ∪ e), satisfies ϕ.Then S is a model of ϕ.
A k-word-model of an LTL formula ϕ over AP is a pair (u, v) of finite words over 2 AP such that |u.v| = k and u.v ω |= ϕ.We call u the prefix and v the period of (u, v).Note that an ultimately periodic word might be induced by more than one k-word-model, i.e., {a} ω is induced by the 2-word-models ({a}, {a}) and (ε, {a}{a}).A k-tree-model of an LTL formula ϕ over AP = I ∪O is a 2 O -labeled 2 I -transition system that forms a tree (whose root is the initial state) of height k with added back-edges from the leaves (for each leaf and direction, there is an edge to a state on the branch leading to the leaf) that satisfies ϕ. Figure 1 shows a tree-model of height one.
Fix AP = I ∪ O.For a formula ϕ and k ∈ N, the k-word (k-tree) counting problem asks to compute the number of k-word-models (k-tree-models up to isomorphism) of ϕ over AP.

Counting Complexity Classes
We use nondeterministic Turing machines with or without oracle access to define counting complexity classes, which we assume (without loss of generality) to terminate on every input.For background on (oracle) Turing machines and counting complexity we refer to [1].
A function f : Σ * → N is in the class #P [19] if there is a nondeterministic polynomial time Turing machine M such that f (w) is equal to the number of accepting runs of M on w.Similarly, for a given complexity class C of decision problems, a function f is in # o C [19,9] if there is a nondeterministic polynomial time oracle Turing machine M with oracle in C such that f (w) is equal to the number of accepting runs of M on w.As a nondeterministic polynomial time Turing machine M (with or without oracle) has at most O(2 p(n) ) runs on inputs of length n for some polynomial p (that only depends on M), we obtain an exponential upper bound on functions in #P and # o C for every C, which explains the need for larger counting classes to characterize the model counting problems for LTL.
A function f : Σ * → N is in #Pspace, if there is a nondeterministic polynomial space Turing machine M such that f (w) is equal to the number of accepting runs of M on w. #Exptime, #Expspace, and #2Exptime are defined by counting accepting runs of nondeterministic exponential time, exponential space, and doubly-exponential time machines.Proposition 1.
) for a polynomial p.
We continue by relating the oracle-based and the generalized classes introduced above.
Proof.We show # o Pspace #Pspace, the other claims are proven analogously.Let f ∈ # o Pspace, i.e., there is a nondeterministic polynomial time Turing machine M with oracle A ∈ Pspace such that f (w) is equal to the number of accepting runs of M on w.Note that all oracle queries are polynomially-sized in the length |w| of the input to M, since M is polynomially time-bounded.Hence, in nondeterministic polynomial space one can simulate M and evaluate the oracle calls explicitly by running a deterministic machine deciding A in polynomial space.Since the oracle queries are evaluated deterministically, the simulation has as many accepting runs as M has.Thus, f ∈ #Pspace.Now, consider the function |w| → 2 2 |w| , which is in #Pspace, but not in # o Pspace.
We use parsimonious reductions to define hardness and completeness, i.e., the most restrictive notion of reduction for counting problems.A counting problem f is #P-hard, if for every f ′ ∈ #P there is a polynomial time computable function r such that f ′ (x) = f (r(x)) for all inputs x.In particular, if f ′ is induced by counting the accepting runs of M, then r depends on M (and possibly on its time-bound p(n)).Furthermore, f is #P-complete, if f is #P-hard and f ∈ #P.Hardness and completeness for the other classes are defined analogously.

Counting Word-Models
In this section, we provide matching lower and upper bounds for the complexity of counting k-word-models of an LTL specification.
Our hardness proofs are based on constructing an LTL formula ϕ w M for a given Turing machine M and an input w that encodes the accepting runs of M on w.Constructing such an LTL formula is straightforward and can be done in polynomial time for Turing machines with polynomially-sized configurations [17].However, the challenge is to construct ϕ w M such that the number of accepting runs on w is equal to the number of k-word-models of ϕ w M for a fixed bound k.To this end, we have to enforce that each accepting run is represented by a unique k-word-model, i.e., by a unique prefix and period of total length k.
We choose k such that a run on w of maximal length can be encoded in k − 1 symbols and define ϕ w M such that it has only k-word-models whose period has length one.If a run of M is shorter than the maximal-length run we repeat the final configuration until reaching the maximal length, which is achieved by accompanying the configurations in the encoding with consecutive id's.
For the upper bounds we show that there are appropriate nondeterministic Turing machines that guess an ultimately-periodic word and model check it against ϕ, i.e., the number of accepting runs on k and ϕ is equal to the number of k-word-models of ϕ.

The Case of Unary Encodings.
We show that counting word-models for unary bounds is #P-complete.Theorem 3. The following problem is #P-complete: Given an LTL formula ϕ and a bound k (in unary), how many k-word-models does ϕ have?
Proof.We start with the hardness proof.Let M = (Q, q ι , Q F , Σ, δ) be a onetape nondeterministic polynomial time Turing machine, where Q is the set of states, q ι is the initial state, Q F is the set of accepting states, Σ is the alphabet, and δ : is the transition function, where -1 and 1 encode the directions of the head.Note that the accepting states are terminal and that M rejects by terminating in a nonaccepting state.Let M be p(n)-time bounded for some polynomial p, and let w = w 0 • • • w n−1 be an input to M. We construct an LTL formula ϕ w M and define a bound k, both polynomial in |w| and |M|, such that the number of accepting runs of M on w is equal to the number of k-word-models of ϕ w M .A run of M on w is encoded by a finite alternating sequence of id's id i and configurations c i that is followed by an infinite repetition of a dummy symbol: Note that the period of the word-model is of the form ⊥ ℓ for some ℓ > 0. We will define k such that maximal-length runs of M on w can be encoded in the prefix, and such that the only possible period has length one by ensuring that exactly p(n) configurations are encoded (by repeating the final configuration if necessary).This ensures that an accepting run is encoded by exactly one k-wordmodel.Let l r = p(n) be the maximal length of a run of M on w.The size of a configuration of M on w is also bounded by l r .For the id's we use an encoding of a binary counter with l c = ⌈log l r ⌉ many bits.Let AP = (Q ∪ Σ) • ∪{b 1 , . . ., b lc , $, #, ⊥} be the set of atomic propositions.The atomic propositions in Q ∪ Σ are used to encode the configuration of M by encoding the tape contents, the state of the machine, and the head position.The atomic propositions b 1 , . . ., b lc represent the bit values of an id.The symbols $ and # are used as separators between id's and configurations, and ⊥ is a dummy symbol for the model's period.The distance between two $ symbols and also between two # symbols in the encoding is given by d = l r + 3 (see ( 1)).Then, ϕ w M is the conjunction of the following formulas: -Id encodes the id's of the configurations.It uses a formula that asserts that the number encoded by the bits b j after d steps is obtained by incrementing the number encoded at the current position.This formula will be reused in the tree case.-Init asserts that the run of M starts with the initial configuration.
-Accept asserts that the run must reach an accepting configuration.
-Config declares the consistency of two successive configurations with the transition relation of M. Here, we use d many next operators to relate the encoding of the two configurations.-Repeat asserts that the encoding of an accepting configuration is repeated until the maximal id is reached -Loop defines the period of the word-model, which may only contain ⊥.
All these properties can be expressed with polynomially-sized formulas, which can be found in the appendix.Furthermore, we need a formula to specify technical details: atomic propositions encoding the id's are not allowed to appear in the configurations and vice versa, symbols such as $ and # only to appear as separators, each separator appears p(n) times every d positions, configuration encodings are represented by singleton sets of letters in Σ with the exception of one set that contains a symbol from Q to determine the head position and the state of M, etc.
For k = l r • (l r + 3) + 1, each accepting run of M on w corresponds to exactly one k-word-model of ϕ w M that encodes the run in its prefix.Thus, the number of k-word-models is equal to the number of accepting runs of M on w.The formula ϕ w M can be obtained in polynomial time in |w| + |M|, and k (thus also its unary encoding) is polynomial in |w|.
To show that the problem is in #P we define a nondeterministic polynomial time Turing machine M as follows.M guesses a prefix u and a period v of an ultimately periodic word u.v ω with |u.v| = k, and checks deterministically in polynomial time [10], whether u.v ω satisfies ϕ.Hence, for each k-word-model (u, v) of ϕ there is exactly one accepting run of M. Thus, counting the k-word-models of ϕ can be done by counting the accepting runs of M on the input (k, ϕ).

4.2
The Case of Binary Encodings.Now, we consider the word counting problem for binary bounds.As the input is more compact, we have to deal with a larger complexity class.
Theorem 4. The following problem is #Pspace-complete: Given an LTL formula ϕ and a bound k (in binary), how many k-word-models does ϕ have?
Proof.The hardness proof is similar to the one for Theorem 3: for a nondeterministic polynomial space Turing machine M bounded by a polynomial p(n) and an input word w we can define a formula ϕ w M in the same way as in Theorem 3. The reason lies in that the size of configurations remains polynomial and the exponential number of configurations in a run can still be counted with a binary counter of polynomial size, i.e., we only have to use more bits b j to encode the id's.Furthermore, we have to choose k = 2 p ′ (n) (p(n) + 3) + 1 which can still be encoded using polynomially many bits.Here, p ′ (n) is a polynomial (which only depends on M) such that M terminates in at most 2 p ′ (n) steps on inputs of length n.
For the proof of the upper bound we cannot just guess a k-model in polynomial space as in Theorem 3, since the bound k is encoded in binary.Instead, we guess and verify the model on-the-fly relying on standard techniques for LTL model checking.
Formally, we construct a nondeterministic polynomial space Turing machine M which guesses a k-word-model (u, v) by guessing symbol by symbol in a backwards fashion.Here, $ is a fresh symbol to denote the beginning of the period.To meet the space requirement, M only stores the currently guessed symbol w(j), discards previously guessed symbols, and uses a binary counter to guess exactly k symbols.
To verify whether u.v ω satisfies ϕ, M also creates for every j in the range 0 ≤ j < k a set C j of subformulas of ϕ with the intention of C j containing exactly the subformulas which are satisfied in position j of u.v ω .Due to space-requirements, M only stores the set C k−1 as well as the sets C j and C j+1 , if w(j) is the currently guessed symbol.The set C k−1 is guessed by M and the sets C j for j < k − 1 are uniquely determined by the following rules: -The membership of atomic propositions in C j is determined by w(j), i.e., C j ∩ AP = w(j).-Conjunctions, disjunctions, and negations can be checked locally for consistency, e.g., ¬ψ ∈ C j if and only if ψ / ∈ C j .--formulas are propagated backwards using the following equivalence: ψ ∈ C j if and only if ψ ∈ C j+1 (recall that M stores C j and C j+1 ).-U-formulas are propagated backwards using the following equivalence: -V-formulas can be rewritten into U-formulas.
Once M has guessed the complete period v = w(i) • • • w(k − 1) it also checks that the guess of C k−1 is correct (recall that C k−1 is not discarded), which is the case if the following two requirements are met: -For every subformula ψ we have ψ ∈ C k−1 if and only if ψ ∈ C i .
-For every subformula ψ 0 Uψ 1 we have Furthermore, we have to require that ψ 0 Uψ 1 ∈ C j for some j in the range i ≤ j < k implies ψ 1 ∈ C j ′ for some j ′ in the range i ≤ j ′ < k.The latter condition can be checked on-the-fly while computing the C j 's.
A straightforward structural induction over the construction of ϕ shows that we have ψ ∈ C j if and only if w(j)w(j +1) • • • w(k−1)v ω |= ψ for every subformula ψ of ϕ.Hence, u.v ω is a model of ϕ if and only if ϕ ∈ C 0 .Thus, M accepts if this is the case.

Counting Tree-Models
In this section, we consider the tree counting problem for unary and binary bounds.There are at least doubly-exponentially many trees of height k.Hence, if k is encoded in binary, there are at least triply-exponentially many (in the size of the encoding of k) k-tree-models of a tautology.In order to capture these cardinalities using counting classes, we have to consider machines with that many runs, i.e., exponential time and exponential space machines.
In our hardness proofs, we again construct formulas ϕ w M that encode accepting runs of M on w in trees.We choose binary trees, i.e., we consider a singleton set I of input propositions.Recall that the power set of I is used to (deterministically) label the edges in the tree.In the following, we identify the two elements of 2 I with the directions left and right.Note that we have to formalize the structure of our models and have to encode the runs of the machines using LTL.The semantics require a formula to be satisfied on all paths, which requires us to write conditional formulas of the form "if the path has a certain form, then some property is satisfied".We use two types of formulas: the ones of the first type describe the structure of the tree (e.g., it is complete and the targets of the back-edges) while the ones of the second type encode the actual run relying on this structure.The formulas of type one often assign addresses to nodes (sequences of bits that uniquely identify a leaf).
In the word case, we encoded runs of Turing machines whose configurations are of polynomial length.Hence, the distance between encodings of a tape cell in two successive configurations could be covered by a polynomial number of nextoperators.Here, configurations are of exponential size.Thus, the challenge is to encode a run in a tree-model such that properties of two successive configurations can still be encoded by an LTL formula of polynomial size.We present two such encodings, one for unary and one for binary bounds.
For the upper bounds we show that there are appropriate nondeterministic machines that guess a finite tree with back-edges and model check it deterministically against ϕ, i.e., the number of accepting runs on k and ϕ is equal to the number of k-tree-models of ϕ.

The Case of Unary Encodings
First, we consider tree-model counting for unary bounds.Proof.We start with the hardness proof.Let M = (Q, q ι , Q F , Σ, δ) be a one-tape nondeterministic exponential time Turing machine.Let M be 2 p(n) -time bounded for a polynomial p and let w = w 0 • • • w n−1 be an input to M. We construct an LTL formula ϕ w M and define a bound k, both polynomial in |w| and |M|, such that the number of accepting runs of M on w is equal to the number of k-treemodels of ϕ w M .A run of M is encoded in the leaves of a binary tree-model.Let l r = 2 p(n) be the maximal length of a run of M on w, which also bounds the size of a configuration.We choose k = 2p(n) to be the height of our tree-models.By using a formula labeling each of the first k levels of the tree by a unique proposition we enforce that every model of height k is complete.Thus, it has l 2 r many leaves, enough to encode a run of maximal length.Figure 2 shows the structure of our tree-model.
Each configuration in the run is encoded in the leaves of a subtree of height p(n), referred to as a lower -tree (depicted by the light gray trees).The lowertrees are uniquely determined by a leaf of the upper -tree (depicted in dark gray), which is the root of the lower-tree.By giving the leaves of the upper-tree id's, we also obtain unique id's for each of the lower-trees.These id's are used to enumerate the configurations of the run, i.e., two neighboring lower-trees encode two successive configurations of the run.The id's can be determined by a binary counter with polynomially many bits.We also provide each leaf in a lower-tree with a unique id within this lower-tree.This is used to compare the contents of a tape cell in two successive configurations by comparing the labels of leaves with the same leaf id in two successive lower-trees.Thus, every leaf stores the id encoding of the configuration it is part of and the number of the cell it encodes.
Recall that in a tree-model each leaf has a back-edge for every direction.For the direction left we require a transition to the root of the upper-tree, and for right a transition to the root of the own lower-tree.This enables us to compare two leaves in a lower-tree, or two leaves with the same id in two different lower-trees, with polynomially large formulas.
The following formulas define the structure of our tree-models as explained above and also provide the nodes of the tree with correct id's.We begin with Addr (root,a 1 , . . ., a d ) which specifies a unique id for each leaf of a complete binary tree of height d using bits a 1 , . . ., a d , and provides the root of the tree with a label root.The id of a node depends on the sequence of left and right edges on the path from the root to this node, which is encoded in the bits a 1 , . . ., a d : We use the formula Addr (upper,u 1 , . . ., u p(n) ) to address the upper-tree.This gives each lower-tree a unique id via the id of its root.We also supply each node in a lower-tree with the id of its root in the upper-tree: p(n)≤i<k i ( p(n) j=1 (u j ↔ u j )).Furthermore, we use the formula p(n) Addr(lower, l 1 , . . ., l p(n) ) to assign every leaf in a lower-tree a unique id within its lower-tree which essentially encodes the number of the tape cell it encodes.The next two formulas define the back-edges of the lower-trees.From each leaf, the left transition leads back to the root of the upper-tree (recall that back-edges lead from a leaf to an ancestor), i.e., k (left → upper), and the right transition to the root of the lower-tree, i.e., k (right → lower).After setting up the structure of the trees, it remains to show how we encode a run in the leaves.We proceed with the same scheme as in the word case, and use the formula ∆ h (a 1 , . . ., a m ) which is satisfied, if and only if the bits a 1 , . . ., a m encode the number h < 2 m .
-The formula Init encodes the initial configuration in the lower-tree with id 0.
-The formula Accept checks whether the rightmost lower-tree encodes an accepting configuration: k ((∆ lr (u 1 , . . ., u p(n) ) ∧ q∈Q q) → q∈QF q).-The formulas config q,α and config α for states q and symbols α encode the transition relation.For a leaf with labels q and α (leaf 1 in Figure 2) and a transition (q, α, q ′ , β, dir), we have to check three leaves in the next lowertree, namely, the leaf with the same id (leaf 2) has to be labeled with β, and depending on dir either the successor leaf (leaf 3) or the predecessor leaf (leaf 4) has to be labeled with q ′ .The premise of the following formula only holds for paths that visit these leaves in the order given above, i.e., paths that lead to a leaf in a lower-tree, loop back to the root of the full tree and then lead to the same leaf id in the successor lower-tree (this takes k + 1 edges), loop back to the root of this lower-tree and visit the leaf to the right (this takes p(n) + 1 edges), back to the root of this lower-tree again and then to the leaf to the left (this takes p(n) + 1 edges).To specify such a path, we use the formula Inc to reach the successor leaf and a dual formula called Dec to reach the predecessor leaf.This formula implements a decrement of a nonzero counter.Note that we have to require the paths to visit the successor and predecessor leaf in the next lower-tree, i.e., we have to check the bits u j to reach the next lower-tree and the bits l j to reach the leaves.Thus, config q,α for q ∈ Q \ Q F is given by: Here, we have c dir = 1, if dir = 1, and The formula config α determines the relation between the other tape cells' contents, namely where the head is not pointing to: -The formula Repeat repeats accepting states in the next lower-tree, if the id of the current lower-tree is not maximal.The repetition of the letters is being taken care of by config α .
Similar to the word case we need some additional formulas to prevent atomic propositions of configurations to appear elsewhere in the tree to guarantee the one-to-one relation between runs and tree-models.For example to prevent a state label from appearing twice in a configuration we use a formula that asserts that from a leaf in which a state is encoded, no other leaf with a state label is reachable within p(n) + 1 steps, i.e., in the same lower-tree.This ensures that every configuration has exactly one state.
To show that the problem is in #Exptime we define a nondeterministic exponential time Turing machine M as follows.M guesses a tree of height k (which is of exponential size) and checks whether it satisfies ϕ using the classical model checking algorithm: M constructs the Büchi automaton recognizing the language of ¬ϕ and checks whether the product of the tree and the automaton has an empty language.The automaton and the product are of exponential size and the emptiness check can be performed in deterministic polynomial time (in the size of the product).Hence, M runs in exponential time in k and the size of ϕ.For each k-tree-model of ϕ, there is exactly one accepting run in M. Thus, counting the k-tree-models of ϕ can be done by counting the accepting runs of M on the input (k, ϕ).

The Case of Binary Encodings.
In this section, we consider tree-model counting for binary bounds.Since the bound is encoded compactly, the trees we work with have exponential height and therefore doubly-exponential size.Unfortunately, our upper and lower bounds do not match (see the discussion in the next section).
Theorem 6.The following problem is #Expspace-hard and in #2Exptime: Given an LTL formula ϕ and a bound k (in binary), how many k-tree-models does ϕ have?
Proof.Let M = (Q, q ι , Q F , Σ, δ) be a one-tape nondeterministic exponential space Turing machine and let w = w 0 • • • w n−1 be an input to M. Furthermore, let l c = 2 p(n) − 2 be the maximal configuration length (for some polynomial p) and let l r = 2 2 p ′ (n) be the maximal length of a run of M on w (p ′ is a polynomial which only depends on M).
We choose k = m • 2 p ′ (n) to be the height of our tree-models, where m is the smallest power of two greater than p(n).Figure 3 shows the main structure of our tree-models.We use nonbalanced binary trees that are composed of trees of height m.We refer to the latter trees as the inner -trees.The outermost leaves of an inner-tree are inner nodes and the others are leaves in the tree-model.Hence, each inner-tree has two children, which are again inner-trees rooted at the leftmost respectively the rightmost leaf.
In each inner-tree, we will encode a configuration in a similar way as in the unary case (Theorem 5), namely in the leaves (except the two leaves serving as roots for other inner trees, which explains the −2 in the definition of l c ).We encode the configurations of a run in the tree-model such that we traverse the inner-trees in a depth-first search manner (DFS).In Figure 3, we can see how a run of 16 configurations can be encoded in a tree-model with four layers of inner-trees.To encode the DFS structure, we label each root of an inner-tree with its level (the number of inner-tree ancestors) and with its so-called rightchild-depth: the number of right-child-inner-trees visited since the last left child to reach this tree (e.g., this value is 0 for the left children C 1 , C 2 , C 3 , C 7 ; it is 1 for C 6 and 3 for C 15 ).This will help to determine the next inner-tree in line in the DFS structure.We need a polynomial number of bits to encode these addresses.
With the right transition we allow the leaves of an inner-tree to reach its root and we use left in the inner-tree of maximal level to reach the parent of the next inner-tree in DFS order.In this way, the distance between the encoding of a tape cell in two successive configurations is polynomial.
As the distance between an inner-tree and its successor is polynomial, the formulas for encoding the run in the tree-model adapt the ideas of the formulas in the unary case with slight modifications that deal with the DFS order of innertrees.A detailed description of the construction can be found in the appendix.
The upper bound is proved using the same algorithm as in the proof of Theorem 5.

Discussion
We investigated the complexity of the model counting problem for specifications in Linear-time temporal logic.The word-model counting problems are #P-complete (for unary bounds) respectively #Pspace-complete (for binary bounds) while the tree-model counting problems are #Exptime-complete respectively #Expspace-hard and in #2Exptime, i.e., the exact complexity of the tree-model counting problem for binary bounds is open.
The problem we face trying to lower the upper bound is that we cannot guess the complete tree-model in nondeterministic exponential space.To meet the space-requirements, we have to construct it step by step, as in the proof of the corresponding upper bound in the word case.However, the correctness of the onthe-fly model checking procedure described there relies on the fact that the model is an ultimately-periodic word.It is open whether the technique can be extended to tree-models.On the other hand, if we try to raise the lower bound, we have to encode doubly-exponential time Turing machines, which seems challenging using polynomially-sized LTL formulas.
To conclude, let us mention another variation of the model counting problem: counting arbitrary transition systems, where the bound k now refers to the size of the transition system.For unary bounds, the problem is #P-hard, which can be shown by strengthening Theorem 3, and in # o Pspace, since LTL model checking is in Pspace.For binary bounds, the construction presented in Theorem 5 yields #Exptime-hardness and the problem is in #Exptime, which can be shown by adapting the algorithm presented in the theorem.

A Appendix
A.1 Proof of Theorem 3 In this section, we present the formulas omitted in the proof of #P-hardness of the word counting problem for unary bounds.
We start with the formula Id, which uses the formula Inc that enforces an increment of a binary counter.For later reuse, Inc is parameterized by the propositions b 1 , . . ., b ℓ encoding the bits and the distance d between the two positions to be compared.Intuitively, the different subformulas distinguish whether the increment ripples through to the current bit b i or not.Note that the increment property only has to hold if there is no overflow of the counter.
Now, the formula Id is defined by initializing the counter to zero and always requiring an increment after a $-separator: We continue with the formula Init.In the initial configuration the tape of M contains the input word w, the head is on the first cell, and M is in its initial state: ) ) The symbol refers to the blank cells of the tape.The formula Accept considers the maximal id and checks whether it is followed by an accepting configuration: For atomic propositions q ∈ Q \ Q F and α ∈ Σ a formula config q,α asserts the relation between the states, the head positions, and the content of the cell where the head is pointing to in two successive configurations: Another formula config α asserts the relation of the other tape cells of successive configurations; the content of these cells is copied, unless the id is maximal3 : Config is the conjunction of all formulas config α and config q,α .
The formula Repeat requires an accepting configuration to be repeated if the id is not yet maximal.The repetition of the letters is taken care of by the formulas config α .Hence, Repeat only requires to copy the state and the head position.
Finally, the period of the model is fixed by the formula Loop which requires the symbol ⊥ to be repeated after reaching the configuration with the maximal id: A.2 Proof of Theorem 6 The following formulas define the structure of our tree models and also provide them with the correct level and right-child-depth.We use propositions ι 1 , . . ., ι m to give ids to the leaves of an inner-tree.For the 2 p ′ (n) different levels of innertrees in our tree models we use propositions l 1 , . . ., l h , where h = p ′ (n), to encode for each inner-tree its l evel.We also give internally for each node in an innertree its d epth in this tree via d 1 , . . ., d log(m) (remember that m is a power of 2).Propositions r 1 , . . ., r h are used to determine the inner-tree's r ight-child-depth.The maximum right-child-depth that can be reached is 2 p ′ (n) , namely for the rightmost inner-tree at the maximal level.We start by labeling each root of an inner-tree (and no other vertices) with the label root: The negation of the big conjunction over propositions l i is used to exclude innertrees of the last level.How the levels are defined in the tree is shown in more detail in the formula depth.
We encode a configuration in the leaves of an inner-tree in the same way as in the unary case (Lemma 5).Therefore, we provide the leaves with unique id's, which enable us to compare the contents of tape cells in two successive configurations by comparing leaves with the same id in two successive innertrees.To this end, we use the formula Addr, as defined in the unary case, to equip the leaves with unique id's within their inner-tree: (root → Addr(root, ι 1 , . . ., ι m )) The next formula uses the propositions l 1 , . . ., l h to supply each inner-tree with its level, which is equal to the number of root labels visited from the root to this inner-tree.Line (1) assigns the root of the tree model with level 0. Line (2) assigns each node in an inner-tree, with the exception of the leaves labeled with root (the outermost leaves in all levels but the last), with the level of its inner-tree root.Line (3) gives, inductively, each root of an inner-tree its inner-tree level.
If depth is satisfied then the tree contains a doubly-exponential number of inner-trees, enough to encode a run of M on w.
The following formula gives each inner-tree its right-child-depth in the tree model.If we are at a root of an inner-tree we reach the root of its left and right child in m steps via the outermost leaves.The formula counts the number of right-children visited along the way including the visited tree (Line (3)).Every time we visit a left-child the counter is reset (Line (4)).We again supply each node in an inner-tree, with the exception of the outermost leaves (Line (5)), with the right-child-depth of this tree.However the outermost leaves of all maximallevel inner-trees are labeled with the right-child-depth of the inner-tree. (( ∧ (( Now that we have defined all the id's we need we show how to route the transitions at the leaves to the DFS positions as described earlier.To compute the correct node we only need to compute its level, because in the definition of our tree models we force a back-edge to go to an ancestor node.This level can be computed as follows.If we are at a leaf of an inner-tree in the maximal level, reached by j many right children since the last left child the back-edge goes to the root with level 2 p ′ (n) − (j + 1) (cf. Figure 3).This can be formulated by incrementing the right-child-depth described with bits r 1 , . . ., r h and inverting the bits of the result.The propositions d 1 , . . ., d log(m) are used to talk about the leaves of an inner-tree.If we are at a leaf in an inner-tree of maximal level we move with direction left the next DFS position, namely the root of the next inner-tree in the DFS Line (computed by addNflip): where: Notice that addNflip is similar to Inc with the difference of flipping the bit.Finally, a formula that asserts that from leaves of maximal level inner-trees a right transition goes to the root of these trees (Line (1)).For leaves of innertrees of non-maximal level (the outermost leaves are not considered leaves of the tree model as their right and left transitions lead to subtrees), we move with both left and right to the root of their inner-trees (Line (2)): Now, we present the formulas that encode the run of the Turing machine.Here, we again use the formula ∆ h (a 1 , . . ., a m ) which is satisfied, if and only if the bits a 1 , . . ., a m encode the number h < 2 m .
-The formula Init : Init = m ((∆ 1 (ι 1 , . . ., ι m ) → q ι ) ∧ ( 0≤j<n (∆ j+1 (ι 1 , . . ., ι m ) → w j )) ∧ (( 0<j≤n (¬∆ j (ι 1 , . . ., ι m )) → ))) Note that we encode the input word w = w 0 • • • w n−1 in the leaves with id's 1 to n − 1.In our encoding the outermost leaves of the inner-trees will not encode any tape content of the Turing machine.This is due to the fact that in some inner-trees these leaves have no back-edges from which we can directly reach the leaves of the next inner-tree in DFS order.Thus, the content in the next configuration is not accessible.-The formula Accept checks the last inner-tree in DFS order for an accepting configuration.The first release formula selects the outermost right path and stops at the root of the last inner-tree.If we arrive at this root we assert that the state in the configuration of this inner-tree must be accepting: (right ∧ ¬∆ 2 h −1 (l 1 , . . ., l h ))V(∆ 2 h −1 (l 1 , . . ., l h ) (1) → (right ∧ ¬∆ 2 h −1 (l 1 , . . ., l h ))V (2) -We define the formula Next to determine the successor inner-tree of an innertree, i.e., the formula holds at a vertex on a path if after m steps on this path the root of the next inner-tree in DFS order is reached: → right ∧ ( ∧ [( → left ∧ ( We distinguish two cases asserted by Lines (1) and ( 3), namely the case of an inner-tree in the maximal level and one in a non-maximal level.In the second case, the successor tree is the left child of the current inner-tree.Here, we go up to the root of the inner-tree and traverse down the left side to the root of the left child (Line (2)).If we are in the maximal level the successor tree is reached via the DFS order, which means, going to the inner-tree in DFS order and traversing down the right side to the right child (Line (4)).
-If we are at a leaf with symbol α ∈ Σ and state q ∈ Q \ Q F we move to the root of the next inner-tree in DFS order (this is determined by the formula Next ).In this tree we have to check whether α is rewritten to the correct symbol and whether the head moved to the correct position.This is checked in the same way as in the proof of the unary case, namely, in three phases: we consider a path that leads to a leaf in successor inner-tree with the same leaf id, loops back up to the root of the inner-tree, and leads down to the same tree and visits the leaf to the right, loops back up and down the same tree and visits the leaf on the left (Lines (2),( 3)).In Line (4), the distance 2m + 1 results from going one step in the inner-tree and then going 2m steps down to the leaves of the successor tree.The distance 3m + 2 results from looping in the same tree a second time, and 4m + 3 from looping a third time.
Here, we again use the formulas Inc and Dec introduced in the previous section of the appendix.
-Finally the formula Repeat propagates all final states q to the successor tree: Again we need an additional formula that for example forces the atomic propositions to appear only in the designated node or to have only one state label in each inner-tree, and some more for other technical properties.

Theorem 5 .Fig. 2 .
Fig. 2. Encoding an exponentially long run in a tree-model of polynomial height.The configurations are encoded in the lower-trees (light gray subtrees).