 # Lower Bounds for Symbolic Computation on Graphs: Strongly Connected Components, Liveness, Safety, and Diameter

A model of computation that is widely used in the formal analysis of reactive systems is symbolic algorithms. In this model the access to the input graph is restricted to consist of symbolic operations, which are expensive in comparison to the standard RAM operations. We give lower bounds on the number of symbolic operations for basic graph problems such as the computation of the strongly connected components and of the approximate diameter as well as for fundamental problems in model checking such as safety, liveness, and co-liveness. Our lower bounds are linear in the number of vertices of the graph, even for constant-diameter graphs. For none of these problems lower bounds on the number of symbolic operations were known before. The lower bounds show an interesting separation of these problems from the reachability problem, which can be solved with O(D) symbolic operations, where D is the diameter of the graph. Additionally we present an approximation algorithm for the graph diameter which requires Õ(n √(D)) symbolic steps to achieve a (1+ϵ)-approximation for any constant ϵ > 0. This compares to O(n · D) symbolic steps for the (naive) exact algorithm and O(D) symbolic steps for a 2-approximation. Finally we also give a refined analysis of the strongly connected components algorithms of Gentilini et al., showing that it uses an optimal number of symbolic steps that is proportional to the sum of the diameters of the strongly connected components.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Graph algorithms are central in the formal analysis of reactive systems. A reactive system consists of a set of variables and a state of the system corresponds to a set of valuations, one for each of these variables. This naturally induces a directed graph: Each vertex represents a state of the system and each directed edge represents a state transition that is possible in the system. As the number of vertices is exponential in the number of variables of the system, these graphs are huge and, thus, they are usually not explicitly represented during their analysis. Instead they are implicitly represented using e.g., binary-decision diagrams (BDDs) [Bryant86, Bryant92]. To avoid considering specifics of the implicit representation and their manipulation, an elegant theoretical model for algorithms that work on this implicit representation has been developed, called symbolic algorithms (see e.g. [BurchCMDH90, ClarkeMCH96, Somenzi99, ClarkeGP99, ClarkeGJLV03, GentiliniPP08, ChatterjeeHJS13]). In this paper we will give novel upper and (unconditional) lower bounds on the number of operations required by a symbolic algorithm for solving classic graph-algorithmic questions, such as computing the strongly connected components and the (approximate) diameter, as well as for graph-algorithmic questions that are important in the analysis of reactive systems, such as safety, liveness, and co-liveness objectives. Our lower bounds are based on new reductions of problems from communication complexity to symbolic algorithms.

Symbolic algorithms. A symbolic algorithm is allowed to use the same mathematical, logical, and memory access operations as a regular RAM algorithm, except for the access to the input graph: It is not given access to the input graph through an adjacency list or adjacency matrix representation but instead only through two types of symbolic operations:

1. One-step operations Pre and Post: Each predecessor (Pre) (resp., successor (Post)) operation is given a set of vertices and returns the set of vertices  with an edge to (resp., edge from) some vertex of .

2. Basic set operations: Each basic set operation is given one or two sets of vertices and performs a union, intersection, or complement on these sets.

An initial set of vertices is given as part of the input, often consisting of a single vertex.

Symbolic operations are more expensive than the non-symbolic operations and thus one is mainly interested in the number of symbolic operations of such an algorithm (and the exact number of non-symbolic operations is often neglected). Moreover, as the symbolic model is motivated by the compact representation of huge graphs, we aim for symbolic algorithms that only store or many sets of vertices as otherwise algorithms become impractical due to the huge space requirements. Additionally, every computable graph-algorithmic question can be solved with symbolic one-step operations when storing many sets (and allowing an unbounded number of non-symbolic operations): For every vertex perform a Pre and a Post operation, store the results, which represent the full graph, and then compute the solution on this graph, using only non-symbolic operations. Note, however, that our lower bounds do not depend on this requirement, i.e., they also apply to symbolic algorithms that store an arbitrary number of sets. Furthermore the basic set operations (that only require vertices, i.e., the current state variables) are computationally much less expensive than the one-step operations (that involve both variables of the current and of the next state). Thus, to simplify the analysis of symbolic algorithms, we only analyze the number of one-step operations in the lower bounds that we present. For all upper bounds in prior work and in our work the number of basic-set operations is at most linear in the number of one-step operations.

There is an interesting relationship between the two types of symbolic operations and Boolean matrix-vector operations: Interpreting the edge relationship as a Boolean matrix and a vertex set as a Boolean vector, the one-step operations correspond to (left- and right-sided) matrix-vector multiplication, where the matrix is the adjacency matrix, and basic set operations correspond to basic vector manipulations. Thus, an equivalent way of interpreting symbolic algorithms is by saying that the access to the graph is only allowed by performing a Boolean matrix-vector multiplication, where the vector represents a set of vertices and the matrix is the adjacency matrix.

Note also that there is a similarity to the CONGEST and the LOCAL model in synchronous distributed computation, as in these models each vertex in a synchronous network knows all its neighbors and can communicate with all of them in one round (exchanging bits in the CONGEST model), and the algorithmic complexity is measured in rounds of communication. While in these models all neighbors of every individual vertex, i.e., all edges of the graph, can be determined in one round of communication, in the symbolic model this might require Pre and Post operations, each on an singleton set. Thus, determining (and storing) all edges of a symbolically represented graph is expensive and we would ideally like to have algorithms that use sub-linear (in the number of vertices) many symbolic one-step operations.

Objectives. First we formally introduce the most relevant graph-algorithmic questions from the analysis of reactive systems [MannaP92]. Given a graph and a starting vertex , let be the set of infinite paths in starting from . Each objective corresponds to a set of requirements on an infinite path and the question that needs to be decided by the algorithm is whether there is a path in that satisfies these requirements, in which case we say the path satisfies the objective. An objective is the dual of an objective if a path satisfies iff it does not satisfy .

Let be a set of target vertices given as input. The most basic objective is reachability where an infinite path satisfies the objective if the path visits a vertex of  at least once. The dual safety objective is satisfied by infinite paths that only visit vertices of . The next interesting objective is the liveness (aka Büchi) objective that requires an infinite path to visit some vertex of  infinitely often. The dual co-liveness (aka co-Büchi) objective requires an infinite path to eventually only visit vertices in . Verifying these objectives are the most fundamental graph-algorithmic questions in the analysis of reactive systems.

Computing the strongly connected components (SCCs) is at the heart of the fastest algorithms for liveness and co-liveness: For example, there is a reduction from liveness to the computation of SCCs that takes symbolic steps in the order of the diameter of the graph. Thus, determining the symbolic complexity of SCCs also settles the symbolic complexity of liveness.

Furthermore, the diameter computation plays a crucial role in applications such as bounded model-checking [BiereCCSZ03], where the goal is to analyze the system for a bounded number of steps, and it suffices to choose the diameter of the graph as bound. Second, in many scenarios, such as in hardware verification, the graphs have small diameter, and hence algorithms that can detect if this is the case and then exploit the small diameter are relevant [BiereCCSZ03]. Motivated by these applications, we define the diameter of a graph as the largest finite distance in the graph, which coincides with the usual graph-theoretic definition on strongly connected graphs and is more general otherwise.

Note that linear lower bounds for the number of symbolic operations are non-trivial, since a one-step operation can involve all edges. For example, to determine all the neighbors of a given vertex takes one symbolic operation, while it takes many operations in the classic setting. In the following we use to denote the number of vertices of a graph  and to denote its diameter.

Previous results. To the best of our knowledge, no previous work has established lower bounds for symbolic computation.

There is some prior work on establishing upper bounds on the number of symbolic operations: In [GentiliniPP08] a symbolic algorithm that computes the SCCs with symbolic operations is presented. This algorithm leads to an algorithm for liveness and co-liveness with symbolic operations and improves on earlier work by [BloemGS06], which requires symbolic operations.

Note that for the reachability objective the straightforward algorithm requires symbolic operations: Starting from the set containing only the start vertex , repeatedly perform a Post-operation until is reached. For safety the straightforward algorithm takes symbolic operations: Iteratively remove from vertices that do not have an outgoing edge to another vertex of , i.e., vertices of , until a fixed point is reached.

Finally, there is a trivial algorithm for computing the diameter of the graph: Simply determine the depth of a breadth-first search from every vertex and output the maximum over all depths. Computing the depth of a breadth-first search can be done with many symbolic steps, thus this requires many symbolic steps in total. In a strongly connected graph a 2-approximation of the diameter of the graph can be obtained by computing one breadth-first search from and one to some arbitrary vertex and output the sum of the depths. This takes symbolic steps.

Our contributions. Our main contributions are novel lower bounds for the number of symbolic operations for many of the above graph-algorithmic questions, leading to an interesting separation between seemingly similar problems.

1. For reachability objectives, the basic symbolic algorithm requires symbolic operations. Quite surprisingly, we show that such diameter-based upper bounds are not possible for its dual problem, namely safety, and are also not possible for liveness and co-liveness objectives. Specifically, we present tight lower bounds to show that, even for constant-diameter graphs, one-step symbolic operations are required for safety, liveness, and co-liveness objectives. In addition we establish tight bounds for symbolic operations required for the computation of SCCs, showing a lower bound of for constant-diameter graphs. See Table 1 for a summary of these results.

2. We show that even for strongly-connected constant-diameter graphs approximating the diameter requires symbolic steps. More precisely, any -approximation algorithm requires symbolic one-step operations, even for undirected and connected graphs with constant diameter. We also give a novel upper bound: We present a -approximation algorithm for any constant that takes symbolic steps. This can be compared to the trivial 2-approximation algorithm and the exact algorithm. Notice that for explicitly represented graphs the approximation of the diameter is already hard for constant-diameter graphs while in the symbolic model there exists a trivial upper bound in this case, thus showing a lower bound of is non-trivial. See Table 2 for a summary of these results.

3. Finally we give a refined analysis of the number of symbolic steps required for computing strongly connected components based on a different problem parameter. Let be the set of all SCCs of and the diameter of the strongly connected component . We give matching upper and lower bounds showing that the SCCs can be computed with symbolic steps. Note that can be a factor larger than .

Key technical contribution. Our key technical contribution is based on the novel insight that lower bounds for communication complexity can be used to establish lower bounds for symbolic computation. We feel that this connection is of interest by itself and might lead to further lower bounds for symbolic algorithms.

Our lower bounds are by two kinds of reductions, both from the communication complexity problem of Set Disjointness with elements. First, we give reductions that construct graphs such that one-step operations can be computed with bits of communication between Alice and Bob and thus allow for linear lower bounds on the number symbolic operations. Second, we give a reduction that constructs a graph with only many vertices, i.e., , but allows one-step operations to require bits of communication. This again results in linear lower bounds on the number of symbolic operations.

## 2 Preliminaries

Symbolic Computation. We consider symbolic computation on graphs. Given an input graph and a set of vertices , the graph  can be accessed only by the following two types of operations:

1. Basic set operations like , , , , and ;

2. One-step operations to obtain the predecessors or successors of the vertices of  in . In particular we define the operations

 Pre(S)={v∈V∣∃s∈S:(v,s)∈E}  % and  Post(S)={v∈V∣∃s∈S:(s,v)∈E}.

In the applications the basic set operations are much cheaper as compared to the one-step operations. Thus we aim for lower bounds on the number of one-step operations, while not accounting for set operations. In all our upper bounds the number of set operations is at most of the same order as the number of one-step operations. Note that there is a one-to-one correspondence between a one-step operation and a Boolean matrix-vector multiplication with the adjacency matrix and that for undirected graphs and are equivalent.

Communication Complexity Lower Bound for Set Disjointness. Our lower bounds are based on the known lower bounds for the communication complexity of the Set Disjointness problem. The classical symmetric two-party communication complexity model is as follows [KushilevitzN97]. There are three finite sets , the former two are possible inputs for a function , where the actual input is only known by Alice, and the actual input is only known by Bob. Alice and Bob want to evaluate a function while sending as few bits as possible to each other. The communication happens according to a fixed protocol, known to both players beforehand, that determines which player sends which bits when, and when to stop.

Set Disjointness. In the Set Disjointness problem we have a universe of elements and both sets , contain all bit vectors of length , i.e., they represent all possible subsets of and are of size . Alice has a vector and Bob has a vector , and the function is defined as if for all either or , and otherwise. We will sometimes use and to denote the sets corresponding to the vectors and , i.e., and and iff . We next state a fundamental lower bound for the communication complexity of the Set Disjointness problem which will serve as basis for our lower bounds on the number of symbolic operations.

###### Theorem 2.1 ([KalyanasundaramS92, Razborov92, Bar-YossefJKS04, HastadW07, KushilevitzN97]).

Any (probabilistic bounded error or deterministic) protocol for the Set Disjointness problem sends bits in the worst case over all inputs.

## 3 Lower Bounds

In this section we present our lower bounds, which are the main results of the paper.

### 3.1 Lower Bounds for Computing Strongly Connected Components

We first consider the problem of computing the strongly connected components (SCCs) of a symbolically represented graph. The best known symbolic algorithm is by Gentilini et al. [GentiliniPP08] and computes the SCCs of a Graph G with symbolic one-step operations and thus matches the linear running time of the famous Tarjan algorithm [Tarjan72] in the non-symbolic world.

We provide lower bounds showing that the algorithm is essentially optimal, in particular we show that algorithms are impossible. These lower bounds are by reductions from the communication complexity problem of Set Disjointness to computing SCCs in a specific graph. In particular, we show that any algorithm that computes SCCs with symbolic one-step operations would imply a communication protocol for the Set Disjointness problem with communication.

###### Reduction 3.1.

Let be an instance of Set Disjointness and let w.l.o.g.  for some integers . We construct a directed graph with vertices and edges as follows. (1) The vertices are given by with . (2) There is an edge from to if either or and . (3) For , there is an edge from to iff or .

In our communication protocol both Alice and Bob compute the number of SCCs on the graph from Reduction 3.1, according to a given algorithm. While both know all the vertices of the graph, they do not know all the edges (some depend on both and ) and thus whenever such an edge is relevant for the algorithm, Alice and Bob have to communicate with each other. We show that the graph is constructed such that for each subset the operations and can be computed with only four bits of communication between Alice and Bob.

###### Theorem 3.2.

Any (probabilistic bounded error or deterministic) symbolic algorithm that computes the SCCs of graphs with vertices needs symbolic one-step operations. Moreover, for a graph with the set of SCCs and diameter any algorithm needs symbolic one-step operations.

We first show that Reduction 3.1 is a valid reduction from the Set Disjointness problem to an SCC problem. The missing proofs are given in Section 6.1.

###### Lemma 3.3.

iff the graph constructed in Reduction 3.1 has exactly SCCs.

The critical observation for the proof of Theorem 3.2 is that any algorithm that computes SCCs with many symbolic one-step operations implies the existence of a communication protocol for Set Disjointness that only requires communication.

###### Lemma 3.4.

For any algorithm that computes SCCs with symbolic one-step operations there is a communication protocol for Set Disjointness that requires communication.

###### Proof.

In our communication protocol both Alice and Bob consider the graph from Reduction 3.1. We call edges of the graph that are present independently of and definite edges and edges whose presence depends on and possible edges.

Both Alice and Bob execute the given symbolic algorithm to decide whether the graph has SCCs (cf. Lemma 3.3). As both know all the vertices, they can execute set operations without communicating. Communication is only needed when executing symbolic one-step operations, since for these some of the possible edges might affect the outcome.

We next argue that each symbolic one-step operations can be executed with a constant number of bits of communication. First notice that as both Alice and Bob execute the same algorithm simultaneously, they both know the input set to an operation and they only need communication about the possible edges that can change the output. Both can independently identify these possible edges and they can decide whether such an edge exists by sending one bit each. We next argue that for each one-step operation we need to consider at most two possible edges. For this we consider the vertices in their linear ordering given by , e.g., and .

operation: Let be the input set and let the vertex with the minimum index in . Then we have and potentially also and can be in , but no other vertices. That is, we have . To decide whether is in , we first check whether and if so we check whether the edge is present. To decide , we check whether the edge is present. That is, to compute we only access two possible edges.

operation: Let be the input set and let the vertex with the maximum index in . Then we have and potentially also and can be in , but no other vertices. That is, we have . To decide whether is in , we first check whether and if so we check whether the edge is present. To decide if , we check whether the edge is present. That is, we can compute with accessing only two possible edges.

By the above we have that a symbolic algorithm with one-step operations gives rise to a communication protocol for Set Disjointness with bits of communication. ∎

By Lemma 3.4 we have that any algorithm computing SCCs with symbolic one-step operations would contradict Theorem 2.1. Now inspecting the graph of Reduction 3.1, we observe that its diameter is equal to , which leads to the following lower bounds. For the graph has diameter and thus the holds even for graphs of constant diameter. On the other side, for disjoint sets and correspond to strongly connected graphs and thus the lower bounds also holds for graphs with a bounded number of SCCs, i.e., there are no symbolic algorithms. Finally for we obtain a lower bound.

###### Remark 3.5.

By the above no algorithm can compute SCCs with or symbolic one-step operations for any function . In contrast, if we consider both parameters simultaneously, there is an symbolic algorithm.

The above lower bounds for computing SCCs match the bound by the algorithm of Gentilini et al. [GentiliniPP08]. One way to further improve the algorithm is to not consider the diameter of the whole graph but the diameter of each single SCC . In that direction the previous reduction already gives us an lower bound and we will next improve it to an lower bound (i.e., it is even if ). These two bounds differ if the graph has a large number of trivial SCCs. Thus we next give a reduction that constructs a graph that has only trivial SCCs if and are disjoint.

###### Reduction 3.6.

Given an instance of Set Disjointness, we construct a directed graph with vertices and edges as follows. (1) The vertices are given by . (2) There is an edge from to for . (3) For there is an edge from to iff and .

###### Theorem 3.7.

Any (probabilistic bounded error or deterministic) symbolic algorithm that computes the SCCs needs symbolic one-step operations.

### 3.2 Lower Bounds for Liveness, Reachability, and Safety Objectives

In this section we extend our lower bounds for SCC computation to Liveness, Reachability, and Safety Objectives on graphs.

Lower Bounds for Reachability. The lower bounds for Reachability are an immediate consequence from our lower bounds for SCC computation in Theorem 3.2. When setting in Reduction 3.1 then the vertex is reachable from all vertices iff the graph is strongly connected iff the sets and are disjoint.

###### Theorem 3.8.

Any (probabilistic bounded error or deterministic) symbolic algorithm that solves Reachability in graphs with diameter requires symbolic one-step operations.

Lower Bounds for Liveness. To show an lower bound for Liveness objectives which holds even for graphs of bounded diameter, we introduce another reduction. This reduction is again from the Set Disjointness Problem and also constructs a graph such that and operations can be executed with a constant number of bits of communication between Alice and Bob.

###### Reduction 3.9.

Given an instance of Set Disjointness, we construct a directed graph with vertices and edges as follows. (1) The vertices are given by . (2) There is an edge from to for and there is a loop edge . (3) For there is a loop edge iff and .

Notice that the graph in Reduction 3.9 has diameter and thus allows to show the lower bounds stated in Theorem 3.10 when considering , with the exception of (2) which is by Reduction 3.1 and .

###### Theorem 3.10.

For any (probabilistic bounded error or deterministic) symbolic algorithm that solves the following lower bounds on the required number of symbolic one-step operations hold: (1)  even for instances with constant ; (2)  even for instances with ; (3)  even for instances with constant ; (4) ; and (5) .

Lower Bounds for co-Liveness and Safety. The following lower bounds are by Reduction 3.9 (and variations of it) and the set of safe vertices .

###### Theorem 3.11.

For any (probabilistic bounded error or deterministic) symbolic algorithm that solves or the following lower bounds on the required number of symbolic one-step operations hold: (1)  even for constant diameter graphs; (2)  even for constant diameter graphs; and (3)  even for constant diameter graphs.

Notice that the parameters diameter, number of SCCs, or diameters of SCCs do not help in the case of Safety. This is because every graph can be reduced to a strongly connected graph with diameter without changing the winning set as follows: Add a new vertex that has an edge to and an edge from all original vertices but do not add to the safe vertices .

We complete this section with a lower bound for which is by a variant of Reduction 3.1.

###### Proposition 3.12.

Any (probabilistic bounded error or deterministic) symbolic algorithm that solves on graphs with diameter needs symbolic one-step operations.

### 3.3 Lower Bound for Approximate Diameter

The Approximate Diameter Problem. Let be a directed graph with vertices  and edges . Let denote the shortest distance from to in , i.e., the smallest number of edges of any path from to in . Recall that we define the diameter of  as the maximum of over all pairs for which can reach  in . 111Usually the diameter is defined over all pairs of vertices, not just the reachable ones, and is therefore if is not strongly connected. Our definition is more general since determining whether the graph is strongly connected takes only symbolic steps and additionally our definition is more natural in the symbolic setting as it provides an upper bound on the number of one-step operations needed until a fixed point is reached, which is an essential primitive in symbolic graph algorithms. We consider the problem of approximating the diameter  of a graph by a factor

, where the goal is to compute an estimate

such that . As undirected graphs are special cases of directed graphs, the lower bound is presented for undirected graphs and the upper bound for directed graphs (see Section 4), i.e., both hold for undirected and directed graphs.

Result. We show a lower bound of on the number of symbolic steps needed to distinguish between a diameter of 2 and a diameter of 3, even in an undirected connected graph. The basic symbolic algorithm for computing the diameter exactly takes many symbolic steps. Thus our lower bound is tight for constant-diameter graphs.

Outline Lower Bound. We show how to encode an instance of the Set Disjointness Problem with a universe of size in an (undirected, connected) graph with vertices and edges such that 1) in a communication protocol any symbolic one-step operation can be simulated with bits and 2) the graph has diameter 2 if the two sets are disjoint and diameter 3 otherwise. Thus the communication complexity lower bound of for Set Disjointness implies a lower bound of for the number of symbolic one-step operations to compute a -approximation of the diameter of a graph with vertices.

###### Reduction 3.13.

Let be an instance of the Set Disjointness problem of size and let . We construct an undirected graph with vertices and edges as follows. (1) There are three sets with vertices each and two auxiliary vertices  and . We denote the -th vertex of each of with a lowercase letter indicating the set and subscript . (2) There is an edge between and and between and each vertex of and and between and each vertex of . (3) For each there is an edge between and . (4) For let be such that . There is an edge between and iff and there is an edge between and iff .

We first show that this graph has diameter  if and are disjoint and diameter  otherwise and then show how Alice can obtain a communication protocol for the Set Disjointness problem from any symbolic algorithm that can distinguish these two cases.

###### Lemma 3.14.

Let be the graph given by Reduction 3.13 and let denote its diameter. If , then , otherwise .

In the graph given by Reduction 3.13 Alice knows all the vertices of the graph and all the edges except those who are constructed based on , i.e., Alice does not know the edges between and . To take into account the edges between and , Alice has to communicate with Bob. To show a lower bound on the number of symbolic steps, we show next an upper bound on the number of bits of communication between Alice and Bob needed to simulate a symbolic one-step operation on . With the simulation of the one-step operations, the symbolic algorithm can be used as a communication protocol for distinguishing whether has diameter or and thus by Lemma 3.14 to solve the Set Disjointness problem. Whenever the symbolic algorithm performs a or operation (which are equivalent on undirected graphs) for a set that contains vertices of or , then Alice can simulate this one-step operation by specifying the vertices of and that are in with a bit vector of size , where Bob answers with a bit vector, again of size , that indicates all vertices that are adjacent to . Thus the communication protocol can simulate a symbolic algorithm that performs one-step operations with at most bits of communication. Hence we have by Theorem 2.1 that and thus . Together with Lemma 3.14, this proves the following theorem. Note that any -approximation algorithm for the diameter of a graph can distinguish between diameter 2 and 3.

###### Theorem 3.15.

Any (probabilistic bounded error or deterministic) symbolic algorithm that computes a -approximation of the diameter of an undirected connected graph with vertices needs symbolic one-step operations.

## 4 Upper Bounds

In this work we present the following upper bounds.

### 4.1 Upper Bounds for Computing Strongly Connected Components

We revisit the symbolic algorithm of Gentilini et al. [GentiliniPP08] that computes the SCCs and present a refined analysis to show that it only requires symbolic operations, improving the previously known bound and matching the lower bound of Theorem 3.7 (details in Section 6.4).

###### Theorem 4.1.

The algorithm of Gentilini et al. [GentiliniPP08] computes the SCCs of a graph  with symbolic operations.

### 4.2 Upper Bounds for Liveness, Reachability, and Safety Objectives

The upper bounds for Reachability, Safety, Liveness, and co-Liveness, are summarized in the following proposition, which is straightforward to obtain as discussed below.

###### Proposition 4.2.

Let be the number of symbolic steps required to compute the SCCs of the graph and let be the set of target/safe vertices. Then can be solved with symbolic operations; can be solved with symbolic operations; can be solved with symbolic operations; and can be solved with symbolic operations.

Algorithm for Reachability. Given a target set , we can easily compute the vertices that can reach by iteratively applying operations until a fixed-point is reached. By the definition of diameter, this requires only symbolic operations.

Algorithms for Liveness. A simple algorithm for Liveness first starts an algorithm for computing SCCs and whenever an SCC is reported it tests whether the SCC contains one of the target vertices and if so adds all vertices of the SCC to the winning set. Finally, after all SCCs have been processed, the algorithm computes all vertices that can reach the current winning set and adds them to the winning set. That is, in total the algorithm only needs many symbolic operations where is the number of symbolic operations required by the algorithm. An alternative algorithm for Liveness with symbolic operations is as follows. For each check with symbolic one-step operations whether the vertex can reach itself and if not remove the vertex from . Then do a standard reachability with the updated set as target, again with symbolic one-step operations.

Algorithm for co-Liveness. Given a set of safe vertices, an algorithm for co-Liveness first restricts the graph to the vertices of ; in the symbolic model this can be done by intersecting the outcome of each and operation with . One then uses an SCC algorithm and whenever a non-trivial SCC is reported, all its vertices are added to the winning set. Finally, after all SCCs have been processed, all vertices that can reach the current winning set in the original graph are added to the winning set. That is, in total the algorithm only needs many symbolic operations, where comes from the linear number of symbolic operations required by the algorithm for the modified graph.

Algorithm for Safety. Given a set of safe vertices, an algorithm for safety first restricts the graph to the vertices of . One then uses an SCC algorithm and whenever a non-trivial SCCs is reported, all its vertices are added to the winning set. Finally, after all SCCs have been processed, all vertices that can reach, within , the current winning set are added to the winning set. That is, in total the algorithm only needs symbolic operations as both the algorithm for the modified graph and reachability in the modified graph are in . Also notice that reachability is not bounded by as restricting the graph to vertices of can change the diameter.

Notice that none of the above algorithms stores all the SCCs, but processes one SCC at a time. That is, the algorithms themselves only need a constant number of sets plus the sets stored in the algorithm for computing SCCs (which can be done with many sets).

### 4.3 Upper Bounds for Approximate Diameter

We present a -approximation algorithm for the diameter (for any constant ) that takes symbolic operations (the -notation hides logarithmic factors).

###### Theorem 4.3.

A -approximation of the diameter of a directed graph for any constant can be obtained with symbolic operations, using many sets.

Technical Overview -Approximation Algorithm. The symbolic algorithm is based on the -approximation algorithm by Aingworth et al. [AingworthCIM99] for explicit graphs, we give a high-level overview of the differences here. An expensive step in the algorithm of [AingworthCIM99] is the computation of -partial BFS trees that contain vertices closest to a root vertex  and can be determined with explicit operations (this part was later replaced and improved upon by [RodittyW13, ChechikLRSTW14]). In the symbolic model computing -partial BFS trees would be less efficient, however, we can compute all vertices with distance at most  from with only many symbolic operations. The limitation of the approximation ratio  to in the algorithm of [AingworthCIM99] comes from having to deal with vertices for which less than vertices are within distance at most . In the symbolic model we do not have to consider this case since with a budget of operations we can always reach at least vertices (assuming for now that the graph is strongly connected and ). Thus the algorithm simplifies to the second part of their algorithm, whose core part is to find a vertex within distance at most for each vertex of the graph by using a greedy approximation algorithm for dominating set. However, in the symbolic model storing a linear number of sets is too costly, hence we inherently use that we can recompute vertices at distance at most efficiently when needed. Details are presented in Section 6.5.

## 5 Discussion

### 5.1 SCCs and Verification Objectives

First, our results show that the symbolic SCC algorithm by Gentilini et al. [GentiliniPP08] is essentially optimal. That is, we have the three upper bounds of , and and matching lower bounds of (Theorem 3.2), (Theorem 3.2), and (Theorem 3.7).

Our results for the different kinds of verification objectives are summarized in Table 4. We have an interesting separation between the reachability objective and the other objectives in terms of the diameter . While reachability can be solved with symbolic operations, all the other objectives require symbolic one-step operation on graphs of constant diameter.

When considering the diameters of the SCCs we get another separation. There we have that Liveness and Reachability can be solved with many symbolic operations, while Safety and co-Liveness requires symbolic one-step operations on strongly connected graphs with constant diameter. This reflects the fact that in the standard algorithm for Safety and co-Liveness the SCC computation is performed on a modified graph.

### 5.2 Approximate Diameter

For explicitly represented graphs a -approximation of the diameter can be computed in time [RodittyW13, ChechikLRSTW14], while under the strong exponential time hypothesis no time algorithm exists to distinguish graphs of diameter 2 and 3 (i.e., no -approximation can be obtained) [RodittyW13]. The fastest exact algorithms take time. While for explicitly represented graphs small, constant diameters are a hard case, the current results suggest that in the symbolic model the diameter of graphs with constant diameter can be determined more efficiently than for large diameters, as both the upper bound for exact and approximate computation of the diameter depend on the diameter of the graph and are linear when the diameter is constant. While the threshold of an approximation ratio of appears in our (linear) lower bound, the current symbolic upper bounds do not show this behavior. Several interesting open questions remain: Is there a c-approximation algorithm when ? Is there a linear -approximation algorithm for graphs with super-constant diameter? Or are there better lower bounds?

## 6 Detailed Proofs

### 6.1 Proofs of Section 3.1

###### Proof of Lemma 3.3..

We have to show that iff the graph constructed in Reduction 3.1 has exactly SCCs.

First notice that there are no edges from a set to a set if and thus there are at least SCCs, independently of the actual values of and .

If then all possible edges exists and it is easy to verify that the SCCs of the graphs are exactly the sets for .

If then there are , such that there is no edge from to . Now the set splits up in at least two SCCs and thus there are at least SCCs. ∎

###### Proof of Theorem 3.7..

We have to show that any (probabilistic bounded error or deterministic) symbolic algorithm that computes the SCCs needs symbolic one-step operations.

First consider Reduction 3.1 and notice that for the constructed graph . Then by Theorem 3.2 we already have a bound. Now consider Reduction 3.6 and notice that the constructed graph has SCCS iff and are disjoint. Now we can use the same argument as in the proof of Theorem 3.2 that each symbolic one-step operations just needs constant communication. The instances where and are disjoint have SCCs and . Hence an algorithm with symbolic one-step operations would imply a communication protocol with communication, a contradiction to Theorem 2.1. By combining the two lower bounds we get the desired bound. ∎

### 6.2 Proofs of Section 3.2

###### Proof of Theorem 3.8..

We have to show that any (probabilistic bounded error or deterministic) symbolic algorithm that solves Reachability in graphs with diameter requires symbolic one-step operations.

Consider the graph from Reduction 3.1 with parameter . We have that is reachable from all vertices iff the graph is strongly connected. From the proof of Theorem 3.2 we have that testing whether the graph is strongly connected requires symbolic one-step operations. Now notice that (a) the graph is strongly connected iff can reach and that (b) if the graph is strongly connected then . ∎

###### Proof of Theorem 3.10..

For (1) & (3) consider the graph constructed in Reduction 3.9 and the target set . We have a valid reduction from the Set Disjointness problem as the vertex is winning for iff there is a loop for one of the vertices in iff . By the same argument as in the proof of Theorem 3.2 we have that each symbolic one-step operations just needs constant communication. Hence an algorithm with , or symbolic one-step operations would imply a communication protocol with communication, a contradiction.

For (2) consider the graph constructed in Reduction 3.1 with and the target set . It is easy to verify that the vertex is winning if it can reach . Thus the lower bound for reachability also applies here. Notice that this also gives a lower bound.

The lower bound in (4) is a direct consequence of the lower bound for instances with constant size target sets , and the lower bound for instances with constant diameter .

Finally, (5) is by the bound from Reduction 3.9 and the bound by Reduction 3.1 with . ∎

###### Proof of Theorem 3.11..

1) & 2) Consider the graph constructed in Reduction 3.9 and the set of safe vertices . We have a valid reduction from the Set Disjointness problem as the vertex is winning for iff there is a loop for one of the vertices in iff . By the same argument as in the proof of Theorem 3.2 we have that each symbolic one-step operations just needs constant communication. Thus an algorithm with or symbolic one-step operations would imply a communication protocol with communication, a contradiction.

3) Consider the graph constructed in Reduction 3.9 but replace the edge by the edge . When considering the set of safe vertices the same arguments as above apply and thus we get a lower bound. However, the graph is strongly connected and has diameter and thus . ∎

###### Proof of Proposition 3.12..

Consider the graph constructed in Reduction 3.1 with , add an additional loop edge , and consider the set of safe vertices, i.e., is the only safe vertex. It is easy to verify that the vertex is winning in if it can reach . Thus the lower bound for reachability also applies here. ∎

### 6.3 Proofs of Section 3.3

###### Proof of Lemma 3.14..

Let be the graph given by Reduction 3.13 and let denote its diameter. We have to show that if , then , otherwise .

First note that through the edges adjacent to the auxiliary vertices the diameter of is at most . Furthermore we have for all that , , and , for all additionally , and for all it holds that and . Thus whether is or depends only on the maximum over all of and .

If , then for each pair of indices at least one of the edges and exists. Since , we have for all and all that and hence .

If , let and let be such that . Then neither the edge nor the edge exists. Thus the vertex , and analogously the vertex , has edges to the following vertices only: the auxiliary vertex , the vertex , and vertices with . The vertex has edges only to the auxiliary vertex  and to vertices and with . Hence none of the vertices adjacent to , and respectively for , is adjacent to and thus we have . ∎

### 6.4 An Improved Upper Bound for Strongly Connected Components

Result. Gentilini et al. [GentiliniPP08] provide a symbolic algorithm for computing the strongly connected components (SCCs) and show a bound of on the number of its symbolic operations for a directed graph with vertices, diameter , and many SCCs. Let be the diameter of an SCC . We give a tighter analysis of the algorithm of [GentiliniPP08] that shows an upper bound of symbolic operations that matches our lower bound (Theorem 3.7). We have both and and thus our upper bound is always at most the previous one. We additionally observe that the algorithm can be implemented with many sets (when the SCCs are output immediately and not stored). We first explain the intuition behind the algorithm of [GentiliniPP08] and then present the improved analysis of its number of symbolic steps.

Symbolic Breadth-First Search. While explicit algorithms for SCCs are based on depth-first search (DFS), DFS is impractical in the symbolic model. However, breadth-first search (BFS) from a set can be performed efficiently symbolically, namely proportional to its depth, as defined below.

###### Definition 6.1 (Symbolic BFS).

A forward search from a set of vertices is given by a sequence of operations such that for until we have . We call the -th level of the forward search and the index of the last non-empty level the depth of the forward search. Let be the forward set, which is equal to the vertices reachable from . Analogously we define the backward search of depth and the backward set for operations. We denote a singleton set by .

There is a simple algorithm for computing the SCCs symbolically with BFS that takes many symbolic steps: Start with an arbitrary vertex . Compute the SCC containing by taking the intersection of and , remove the obtained SCC from the graph, and repeat.

Skeleton-based Ordering. The importance of DFS for SCCs lies in the order in which the SCCs are computed. Starting from a vertex  that lies in an SCC without outgoing edges (i.e. a sink in the DAG of SCCs of the graph), the forward search does not leave the SCC and for computing SCCs the backward search can be restricted to the vertices of , i.e., the SCC of can be determined with proportional to the diameter of the SCC many symbolic steps. The DFS-based SCC algorithm of [Tarjan72] finds such an SCC first. The algorithm of [GentiliniPP08] is based on an ordering obtained via BFS that achieves a DFS-like ordering suitable for computing SCCs symbolically. Our tighter analysis essentially shows that their approach achieves the best ordering we can hope for. The ordering is given by so-called skeletons.

###### Definition 6.2.

A pair with and is a skeleton of for if has maximum distance from and the vertices of form a shortest path from to .

Let denote the SCC containing . The SCCs of the vertices of will be computed in the following order: First is computed by performing a backward search from  within . The remaining SCCs of of the vertices of are then computed in the reverse order of the path induced by , starting with . We now describe the overall algorithm, where in addition to the SCCs of are computed (potentially using a different, previously computed skeleton).

The Algorithm. The pseudo-code of the algorithm is given in Algorithm LABEL:alg:SymbolicSCC, the pseudo-code for the sub-procedure for computing a forward set including a skeleton in Algorithm LABEL:alg:Skeleton. Processing a graph , the algorithm proceeds as follows: it starts from some vertex  and computes the set of reachable vertices, i.e, the forward set , including a skeleton that includes exactly one vertex of each level of the forward search and forms a shortest path in . It then starts a backward search starting from in the subgraph induced by . Clearly the SCC of is given by the vertices that are reached by the backward search. The algorithm returns this SCC as an SCC of  and recurses on (a) the subgraph induced by the vertices of and (b) the subgraph induced by the vertices of . For the recursion on (a) we update a potentially already existing skeleton by removing all vertices that are in the current SCC (initially we have an empty skeleton) while for the recursion on (b) we use the skeleton computed by the forward search (but also remove vertices of the current SCC). The skeleton is then used to select the starting vertex in the consecutive steps of the algorithm: when the algorithm is called with skeleton , then the forward search is started from ; when the skeleton was computed in a forward search from a vertex , then this corresponds to the vertex of the skeleton that is furthest away from  and contained in this recursive call.

algocf[t]

algocf[t]

A Refined Analysis. The correctness of the algorithm is by [GentiliniPP08]. Notice that the algorithm would be correct even without the usage of skeletons but the skeletons are necessary to make it efficient, i.e., to avoid unnecessarily long forward searches. We show the following theorem.

###### Theorem 6.3 (Restatement of Theorem 4.1).

With input Algorithm LABEL:alg:SymbolicSCC computes the SCCs of and requires symbolic operations.

The analysis of [GentiliniPP08] of the number of symbolic steps of Algorithm LABEL:alg:SymbolicSCC uses that (1) each vertex is added to at most two skeletons, (2) the steps of the forward searches can be charged to the vertices in the skeletons, and (3) backward searches are only performed to immediately identify an SCC and thus can be charged to the vertices of the SCC; hence both the steps of the forward and of the backward searches can be bounded with . For the backward searches it can easily be seen that the number of operations to identify the SCC  is also bounded by . For the forward searches we show that each part of the skeleton (that in turn is charged for the forward search) can be charged to for some SCC ; this in particular exploits that skeletons are shortest paths (in the graph in which they are computed).

###### Lemma 6.4 ([GentiliniPP08]).

For each recursive call of LABEL:alg:SymbolicSCC with input we have that is a set of vertices that induces a shortest path in the graph  and is the last vertex of this path.

We first recall the result from [GentiliniPP08] that shows that the number of symbolic operations in an execution of LABEL:alg:Skeleton is proportional to the size of the computed skeleton.

###### Lemma 6.5 ([GentiliniPP08]).

LABEL:alg:Skeleton only requires symbolic operations, i.e., is linear in the output, and can be implemented using only constantly many sets.

###### Proof.

For each level of the forward search we need one operation in the first while loop and one operation in the second while loop, and the number of set operations is in the order of one-step operations. As for each level we add one vertex to , the result follows. Moreover, there is no need to explicitly store all the levels as they can be easily recomputed from the next level when needed, increasing the number of symbolic operations only by a constant factor. ∎

###### Remark 6.6.

Given Lemma 6.5 we can implement LABEL:alg:SymbolicSCC using many sets at a time by recursing on the smaller of the two sub-graphs and first.

We split the cost of symbolic operations for LABEL:alg:Skeleton into two parts: the part where is the SCC identified in this level of recursion and the part that is passed to one of the recursive calls. The following lemma shows that the first part and the subsequent backward search can be charged to , using that is a shortest path in .