On the Complexity of the Equivalence Problem for Probabilistic AutomataResearch supported by EPSRC grant EP/G069158. The first author is supported by a postdoctoral fellowship of the German Academic Exchange Service (DAAD).

On the Complexity of the Equivalence Problem for Probabilistic AutomataResearch supported by EPSRC grant EP/G069158. The first author is supported by a postdoctoral fellowship of the German Academic Exchange Service (DAAD).

Abstract

Deciding equivalence of probabilistic automata is a key problem for establishing various behavioural and anonymity properties of probabilistic systems. In recent experiments a randomised equivalence test based on polynomial identity testing outperformed deterministic algorithms. In this paper we show that polynomial identity testing yields efficient algorithms for various generalisations of the equivalence problem. First, we provide a randomized NC procedure that also outputs a counterexample trace in case of inequivalence. Second, we consider equivalence of probabilistic cost automata. In these automata transitions are labelled with integer costs and each word is associated with a distribution on costs, corresponding to the cumulative costs of the accepting runs on that word. Two automata are equivalent if they induce the same cost distributions on each input word. We show that equivalence can be checked in randomised polynomial time. Finally we show that the equivalence problem for probabilistic visibly pushdown automata is logspace equivalent to the problem of whether a polynomial represented by an arithmetic circuit is identically zero.

1Introduction

Probabilistic automata were introduced by Michael Rabin [20] as an extension of deterministic finite automata. Nowadays probabilistic automata, together with associated notions of refinement and equivalence, are widely used in automated verification and learning. Two probabilistic automata are said to be equivalent if each word is accepted with the same probability by both automata. Checking two probabilistic automata for equivalence has been shown crucial for efficiently establishing various behavioural and anonymity properties of probabilistic systems, and is the key algorithmic problem underlying the apex tool [18].

It was shown by Tzeng [27] that equivalence for probabilistic automata is decidable in polynomial time. By contrast, the natural analog of language inclusion, that one automaton accepts each word with probability at least as great as another automaton, is undecidable [6] even for automata of fixed dimension [4]. It has been pointed out in [8] that the equivalence problem for probabilistic automata can also be solved by reducing it to the minimisation problem for weighted automata and applying an algorithm of Schützenberger [23].

In [12] we suggested a new randomised algorithm which is based on polynomial identity testing. In our experiments [12] the randomised algorithm compared well with the Schützenberger-Tzeng procedure on a collection of benchmarks. In this paper we further explore the connection between polynomial identity testing and the equivalence problem of probabilistic automata. We show that polynomial identity testing yields efficient algorithms for various generalisations of the equivalence problem.

In Section 3 we give a new randomised NC algorithm for deciding equivalence of probabilistic automata. Recall that NC is the subclass of P containing those problems that can be solved in polylogarithmic parallel time [11] (see also Section 2). Tzeng [28] considers the path equivalence problem for nondeterministic automata which asks, given nondeterministic automata and , whether each word has the same number of accepting paths in as in . He gives a deterministic NC algorithm for deciding path equivalence which can be straightforwardly adapted to yield an NC algorithm for equivalence of probabilistic automata. Our new randomised algorithm has the same parallel time complexity as Tzeng’s algorithm, but it also outputs a word on which the automata differ in case of inequivalence, which Tzeng’s algorithm cannot. Our algorithm is based on the Isolating Lemma, which was used in [17] to compute perfect matchings in randomised NC. The randomised algorithm in [12], which relies on the Schwartz-Zippel lemma, can also output a counterexample, exploiting the self-reducibility of the equivalence problem—however it does not seem possible to use this algorithm to compute counterexamples in NC. Whether there is a deterministic NC algorithm that outputs counterexamples in case of inequivalence remains open.

In Section 4 we consider equivalence of probabilistic automata with one or more cost structures. Costs (or rewards, which can be considered as negative costs) are omnipresent in probabilistic modelling for capturing quantitative effects of probabilistic computations, such as consumption of time, (de-)allocation of memory, energy usage, financial gains, etc. We model each cost structure as an integer-valued counter, and annotate the transitions with counter changes.

In nondeterministic cost automata [2] the cost of a word is the minimum of the costs of all accepting runs on that word. In probabilistic cost automata we instead associate a probability distribution over costs with each input word, representing the probability that a run over that word has a given cost. Whereas equivalence for nondeterministic cost automata is undecidable [2], we show that equivalence of probabilistic cost automata is decidable in randomised polynomial time (and in deterministic polynomial time if the number of counters is fixed). Our proof of decidability, and the complexity bounds we obtain, involves a combination of classical techniques of [23] with basic ideas from polynomial identity testing.

We present a case study in which costs are used to model the computation time required by an RSA encryption algorithm, and show that the vulnerability of the algorithm to timing attacks depends on the (in-)equivalence of probabilistic cost automata. In [13] two possible defenses against such timing leaks were suggested. We also analyse their effectiveness.

In Section 5 we consider pushdown automata. Probabilistic pushdown automata are a natural model of recursive probabilistic procedures, stochastic grammars and branching processes [10]. The equivalence problem of deterministic pushdown automata has been extensively studied [25]. We study the equivalence problem for probabilistic visibly pushdown automata (VPA) [3]. In a visibly pushdown automaton, whether the stack is popped or pushed is determined by the input symbol being read.

We show that the equivalence problem for probabilistic VPA is logspace equivalent to Arithmetic Circuit Identity Testing (ACIT), which is the problem of determining equivalence of polynomials presented via arithmetic circuits [1]. Several polynomial-time randomized algorithms are known for ACIT, but it is a major open problem whether it can be solved in polynomial time by a deterministic algorithm. The inter-reducibility of probabilistic VPA equivalence and ACIT is reminiscent of the reduction of the positivity problem for arithmetic circuits to the reachability problem for recursive Markov chains [10]. However in this case the reduction is only in one direction—from circuits to recursive Markov chains.

In the technical development below it is convenient to consider -weighted automata, which generalise probabilistic automata. All our results and examples are stated in terms of -weighted automata.

2Preliminaries

2.1Complexity Classes

Recall that NC is the subclass of P comprising those problems considered efficiently parallelisable. NC can be defined via parallel random-access machines (PRAMs), which consist of a set of processors communicating through a shared memory. A problem is in NC if it can be solved in time (polylogarithmic time) on a PRAM with (polynomially many) processors. A more abstract definition of NC is as the class of languages which have L-uniform Boolean circuits of polylogarithmic depth and polynomial size. More specifically, denote by the class of languages which have circuits of depth . The complexity class RNC consists of those languages with randomized NC algorithms. We have the following inclusions none of which is known to be strict:

Problems in NC include directed reachability, computing the rank and determinant of an integer matrix, solving linear systems of equations and the tree-isomorphism problem. Problems that are P-hard under logspace reductions include circuit value and max-flow. Such problems are not in NC unless . Problems in RNC include matching in graphs and max flow in -valued networks. In both cases these problems have resisted classification as either in NC or P-hard. See [11] for more details about NC and RNC.

2.2Sequence Spaces

In this section we recall some results about spaces of sequences [22].

Given , define the following space of formal power series:

Then is a complete vector space under the norm . We can moreover endow with a Banach algebra structure with multiplication

Given we also consider the space of matrices with coefficients in . This is a complete normed linear space with respect to the infinity matrix norm

If we define matrix multiplication in the standard way, using the algebra structure on , then . In particular, if then we can define a Kleene-star operation by .

3Weighted Automata

To permit effective representation of automata we assume that all transition probabilities are rational numbers. In our technical development it is convenient to work with -weighted automata [23], which are a generalisation of Rabin’s probabilistic automata.

A -weighted automaton consists of a positive integer representing the number of states, a finite alphabet , a map assigning a transition matrix to each alphabet symbol, an initial (row) vector , and a final (column) vector . We extend to as the matrix product . The automaton assigns each word a weight , where . An automaton is said to be zero if for all . Two automata over the same alphabet are said to be equivalent if for all . In the remainder of this section we present a randomised algorithm for deciding equivalence of -weighted automata and, in case of inequivalence, outputting a counterexample.

Given two automata that are to be checked for equivalence, one can compute an automaton with for all . Then is zero if and only if and are equivalent. Given and , set with and

This reduction allows us to focus on zeroness, i.e., the problem of determining whether a given -weighted automaton is zero. (Since transition weights can be negative, zeroness is not the same as emptiness of the underlying unweighted automaton.) Note that a witness word against zeroness of is also a witness against the equivalence of and . The following result from [27] is crucial.

Our randomised procedure uses the Isolating Lemma of Mulmuley, Vazirani and Vazirani [17]. We use this lemma in a very similar way to [17], who are concerned with computing maximum matchings in graphs in RNC.

We will apply the Isolating Lemma in conjunction with Proposition ? to decide zeroness of a weighted automaton . Suppose has states and alphabet . Given and , choose a weight independently and uniformly at random from the set . Define the weight of a word , , to be . (The reader should not confuse this with the weight assigned to by the automaton .) Then we obtain a univariate polynomial from automaton as follows:

If is equivalent to the zero automaton then clearly . On the other hand, if is non-zero, then by Proposition ? the set is non-empty. Thus there is a unique minimum-weight word with probability at least by the Isolating Lemma. In this case contains the monomial with coefficient as its smallest-degree monomial. Thus with probability at least .

It remains to observe that from the formula

and the fact that iterated products of matrices of univariate polynomials can be computed in [7] we obtain an algorithm for determining zeroness of weighted automata.

It is straightforward to extend the above algorithm to obtain an procedure that not only decides zeroness of but also outputs a word such that in case is non-zero. Assume that is non-zero and that the random choice of weights has isolated a unique minimum-weight word such that . To determine whether is the -th letter of we can increase the weight by while leaving all other weights unchanged and recompute the polynomial . Then is the -th letter in if and only if the minimum-degree monomial in changes. All of these tests can be done independently, yielding an procedure.

4Weighted Cost Automata

In this section we consider weighted automata with costs. Each transition has a cost, and the cumulative cost of a run is recorded in a tuple of counters. Transitions can also have negative costs, which can be considered as rewards. Note though that the counters do not affect the control flow of the automata. In Example ? we use costs to record the passage of time in an encryption protocol. We explicitly include -transitions in our automata because they are convenient for applications (cf. Example ?) and we cannot rely on existing -elimination results in the presence of costs.

Let be a finite alphabet not containing the symbol . A -weighted cost automaton is a tuple , where is the number of states; is the number of counters; is the transition function, where is the set of elementary cost vectors; is an initial (row) vector; is a final (column) vector. In this definition, represents the weight of a -transition from state to with cost vector . For the semantics to be well-defined we assume that the total weight of all outgoing -labelled transitions from any given state is strictly less than .

In order to define the semantics of weighted cost automata it is convenient to use results on matrices of formal power series from Section 2. We can regard as an matrix whose entries are elements of the space of formal power series, where for . Our convention on the total weight of -transitions is equivalent to the requirement that . We next extend to a map such that, given a word and states , is the total weight of all -labelled paths from state to state with accumulated cost . Given a word , we define

Finally, given we define . Then is an element of such that gives the total weight of all accepting runs with accumulated cost .

Let be a vector of variables, one for each counter. Our equivalence algorithm is based on a representation of as a rational function in , following classical ideas [19]. Given we denote by the monomial . (Note that we allow negative powers in monomials.) We say that has finite support if for all but finitely many . We identify such an with the polynomial . We furthermore say that is rational if there exist with finite support such that . We then identify with the rational function

Note that we can clear all negative exponents from the numerator and denominator of such an expression. Note also that sums and products of rational functions correspond to sums and products in in the above representation.

From equation (Equation 1) it suffices to show that can be represented as a matrix of rational functions with appropriate degree bounds. Recall that , so it suffices to show that (considered as a matrix of polynomials) has an inverse that can be represented as a matrix of rational functions. But the determinant formula yields that is a (non-zero) polynomial in , thus the cofactor formula for inverting matrices yields a representation of as a matrix of rational functions in of degree at most .

An automaton is said to be zero if for all . Two automata over the same alphabet with the same number of counters are said to be equivalent if for all . As in Section 3, the equivalence problem can be reduced to the zeroness problem, so we focus on the latter.

The following proposition states that if there is a word witnessing that is non-zero, then there is a “short” such word.

The proof, given in full , is similar to the linear algebra arguments from [23], but involves an additional twist. The key idea is to substitute concrete values for the variables , thereby transforming from the setting of infinite-dimensional vector spaces of rational functions in to a finite dimensional setting where the arguments of [23] apply.

The decidability of zeroness (and hence equivalence) for weighted cost automata follows immediately from Proposition ?. However, using polynomial identity testing, we arrive at the following theorem.

We have already observed that the equivalence problem can be reduced to the zeroness problem. We now reduce the zeroness problem to polynomial identity testing.

Given an automaton , for each word of length at most we have a rational expression in variables which has degree at most by Proposition ?.

Now consider the set . Suppose that we pick uniformly at random. Denote by the result of substituting for in the rational expression . Clearly if is a zero automaton then for all . On the other hand, if is non-zero then by Proposition ? there exists a word of length at most such that . Since the degree of the rational expression is at most it follows from the Schwartz-Zippel theorem [9] that the probability that is at most .

Thus our randomised procedure is to pick uniformly at random and to check whether for some . It remains to show how we can do this check in polynomial time. To achieve this we show that there is a -weighted automaton with no counters such that for all , since we can then check for zeroness using, e.g., Tzeng’s algorithm [27]. The automaton has the form , where , , and for all .

for a proof.

5Pushdown Automata and Arithmetic Circuits

In a visibly pushdown automaton [3] the stack operations are determined by the input word. Consequently VPA have a more tractable language theory than ordinary pushdown automata. The main result of this section shows that the equivalence problem for weighted VPA is logspace equivalent to the problem ACIT of determining whether a polynomial represented by an arithmetic circuit is identically zero.

A visibly pushdown alphabet consists of a finite set of calls , a finite set of returns , and a finite set of internal actions . A visibly pushdown automaton over alphabet is restricted so that it pushes onto the stack when it reads a call, pops the stack when it reads a return, and leaves the stack untouched when reading internal actions. Due to this restriction visibly pushdown automata only accept words in which calls and returns are appropriately matched. Define the set of well-matched words to be , where and .

A -weighted visibly pushdown automaton on alphabet is a tuple , where is the number of states, is an -dimensional initial (row) vector, is an -dimensional final (column) vector, is a finite stack alphabet, and is a tuple of matrix-valued transition functions with types , and . If and then gives the weight of an -labelled transition from state to state that pushes on the stack. If and then gives the weight of an -labelled transition from state to that pops from the stack.

For each well-matched word we define an rational matrix whose -th entry denotes the total weight of all paths from state to state along input . The definition of follows the inductive definition of well-matched words. The base cases are and . The inductive cases are

for , .

The weight assigned by to a well-matched word is defined to be . We say that two weighted VPA and are equivalent if for each well-matched word we have .

An arithmetic circuit is a finite directed acyclic multigraph whose vertices, called gates, have indegree or . Vertices of indegree are called input gates and are labelled with a constant or , or a variable from the set . Vertices of indegree are called internal gates and are labelled with one of the arithmetic operations , or . We assume that there is a unique gate with outdegree called the output. Note that is a multigraph, so there can be two edges between a pair of gates, i.e., both inputs to a given gate can lead from the same source. We call a circuit variable-free if all inputs gates are labelled or .

The Arithmetic Circuit Identity Testing (ACIT) problem asks whether the output of a given circuit is equal to the zero polynomial. ACIT is known to be in coRP but it remains open whether there is a polynomial or even sub-exponential algorithm for this problem [1]. Utilising the fact that a variable-free arithmetic circuit of size can compute , Allender et al. [1] give a logspace reduction of the general ACIT problem to the special case of variable-free circuits. Henceforth we assume without loss of generality that all circuits are variable-free. Furthermore we recall that ACIT can be reformulated as the problem of deciding whether two variable-free circuits using only the arithmetic operations and compute the same number [1].

The proof of the following proposition is given

In the remainder of this section we give a converse reduction: from equivalence of weighted VPA to ACIT. The following result gives a decision procedure for the equivalence of two weighted VPA and .

Recall that for each balanced word we have rational matrices and giving the respective state-to-state transition weights of and on reading . These two families of matrices can be combined into a single family

of matrices. Let us also write for the subset of generated by those well-matched words .

Let and be the respective initial and final-state vectors of and . Then is equivalent to if and only if

for all . It follows that is equivalent to if and only if (Equation 2) holds for all in , where the span is taken in the rational vector space of rational matrices. But is an ascending sequence of vector spaces:

It follows from a dimension argument that this sequence stops in at most steps and we conclude that .

From the definition of the language and the family of matrices we have:

The above equation implies that we can compute in logarithmic space a circuit that represents . The result of the proposition immediately follows by premultiplying by the initial state vector and postmultiplying by the final state vector.

A key property of weighted VPA is their closure under product.

The proof of Proposition ?, exploits the fact that the stack height is determined by the input word, so the respective stacks of and operating in parallel can be simulated in a single stack.

Let and be weighted visibly pushdown automata with a total of states between them. Then

Thus is equivalent to iff . But Propositions ? and ? allow us to translate the above equation into an instance of ACIT.

The trick of considering sums-of-squares of acceptance weights in the above proof is inspired by [28].

References

1. On the complexity of numerical analysis.
E.E. Allender, P. Bürgisser, J. Kjeldgaard-Pedersen, and P. Bro Miltersen. SIAM J. Comput., 38(5):1987–2006, 2009.
2. What’s decidable about weighted automata?
S. Almagor, U. Boker, and O. Kupferman. In ATVA, volume 6996 of LNCS, pages 482–491. Springer, 2011.
3. Visibly pushdown languages.
R. Alur and P. Madhusudan. In Proc. 36th Annual ACM Symposium on Theory of Computing STOC, pages 202–211. ACM, 2004.
4. Undecidable problems for probabilistic automata of fixed dimension.
V. D. Blondel and V. Canterini. Theoretical Computer Science, 36 (3):231–245, 2003.
5. Remote timing attacks are practical.
D. Brumley and D. Boneh. Computer Networks, 48(5):701–716, 2005.
6. On the complexity of space bounded interactive proofs (extended abstract).
A. Condon and R. Lipton. In Proceedings of FOCS, pages 462–467, 1989.
7. A taxonomy of problems with fast parallel algorithms.
S. A. Cook. Information and Control, 64(1-3):2–22, 1985.
8. On the computation of some standard distances between probabilistic automata.
C. Cortes, M. Mohri, and A. Rastogi. In Proc. of CIAA, pages 137–149, 2006.
9. A probabilistic remark on algebraic program testing.
R. DeMillo and R. Lipton. Inf. Process. Lett., 7(4):193–195, 1978.
10. Recursive Markov chains, stochastic grammars, and monotone systems of nonlinear equations.
K. Etessami and M. Yannakakis. J. ACM, 56(1):1:1–1:66, 2009.
11. Limits to parallel computation: P-completeness theory.
R. Greenlaw, H.J. Hoover, and W.L. Ruzzo. Oxford University Press, 1995.
12. Language equivalence for probabilistic automata.
S. Kiefer, A.S. Murawski, J. Ouaknine, B. Wachter, and J. Worrell. In CAV, volume 6806 of LNCS, pages 526–540, 2011.
13. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems.
P.C. Kocher. In CRYPTO, volume 1109 of LNCS, pages 104–113. Springer, 1996.
14. The equality problem for rational series with multiplicities in the tropical semiring is undecidable.
D. Krob. Int. Journal of Alg. and Comp., 4(3):232–249, 1994.
15. Model checking probabilistic pushdown automata.
A. Kučera, J. Esparza, and R. Mayr. Logical Methods in Computer Science, 2(1):1–31, 2006.
16. On automated verification of probabilistic programs.
A. Legay, A. S. Murawski, J. Ouaknine, and J. Worrell. In TACAS, volume 4963 of LNCS, pages 173–187. 2008.
17. Matching is as easy as matrix inversion.
K. Mulmuley, U. V. Vazirani, and V. V. Vazirani. In STOC, pages 345–354, 1987.
18. On probabilistic program equivalence and refinement.
A. S. Murawski and J. Ouaknine. In CONCUR, volume 3653 of LNCS, pages 156–170. 2005.
19. Formal power series.
I. Niven. American Mathematical Monthly, 76(8):871–889, 1969.
20. Probabilistic automata.
M. O. Rabin. Inf. and Control, 6 (3):230–245, 1963.
21. A method for obtaining digital signatures and public-key cryptosystems.
R. L. Rivest, A. Shamir, and L. Adleman. Communications of the ACM, 21:120–126, 1978.
22. Functional analysis.
W. Rudin. International Series in Pure and Applied Mathematics. McGraw-Hill Inc., New York, second edition, 1991.
23. On the definition of a family of automata.
M.-P. Schützenberger. Inf. and Control, 4:245–270, 1961.
24. Fast probabilistic algorithms for verification of polynomial identities.
J. Schwartz. J. ACM, 27(4):701–717, 1980.
25. The equivalence problem for deterministic pushdown automata is decidable.
G. Sénizergues. In ICALP, volume 1256 of LNCS. Springer, 1997.
26. Deciding DPDA equivalence is primitive recursive.
C. Stirling. In ICALP, volume 2380 of Lecture Notes in Computer Science, pages 821–832. Springer, 2002.
27. A polynomial-time algorithm for the equivalence of probabilistic automata.
W. Tzeng. SIAM Journal on Computing, 21(2):216–227, 1992.
28. On path equivalence of nondeterministic finite automata.
W. Tzeng. Inf. Process. Lett., 58(1):43–46, 1996.
29. Probabilistic algorithms for sparse polynomials.
R. Zippel. In EUROSAM, volume 72 of Lecture Notes in Computer Science, pages 216–226. Springer, 1979.
24828