QUASILINEAR-TIME COMPUTATION OF GENERIC MODAL WITNESSES FOR BEHAVIOURAL INEQUIVALENCE

Abstract. We provide a generic algorithm for constructing formulae that distinguish behaviourally inequivalent states in systems of various transition types such as nondeterministic, probabilistic or weighted; genericity over the transition type is achieved by working with coalgebras for a set functor in the paradigm of universal coalgebra. For every behavioural equivalence class in a given system, we construct a formula which holds precisely at the states in that class. The algorithm instantiates to deterministic finite automata, transition systems, labelled Markov chains, and systems of many other types. The ambient logic is a modal logic featuring modalities that are generically extracted from the functor; these modalities can be systematically translated into custom sets of modalities in a postprocessing step. The new algorithm builds on an existing coalgebraic partition refinement algorithm. It runs in time O((m + n) log n) on systems with n states and m transitions, and the same asymptotic bound applies to the dag size of the formulae it constructs. This improves the bounds on run time and formula size compared to previous algorithms even for previously known specific instances, viz. transition systems and Markov chains; in particular, the best previous bound for transition systems was O(mn).


Introduction
For finite transition systems, the Hennessy-Milner theorem guarantees that two states are bisimilar if and only if they satisfy the same modal formulae. Equivalently, this means that whenever two states are not bisimilar, then one can find a modal formula that holds at one of the states but not at the other. Such a formula, usually called a distinguishing formula [Cle91], explains the difference in the behaviour of the two states. For example, in the transition system in Figure 1, the formula □♢⊤ distinguishes the states x and y; specifically, it is satisfied at x but not at y. This gives rise to the verification task of actually computing distinguishing formulae. Cleaveland [Cle91] presents an algorithm that computes distinguishing formulae for states in a finite transition system with n states and m transitions in time O(mn). The algorithm builds on the Kanellakis-Smolka partition refinement algorithm.

Logical characterizations of bisimulation analogous to the Hennessy-Milner theorem exist for other system types. For instance, Desharnais et al. [DEP98, DEP02] characterize probabilistic bisimulation on (labelled) Markov chains, in the sense of Larsen and Skou [LAS91] (for each label, every state has either no successors or a probability distribution on successors). In their logic, a formula ♢≥p ϕ holds at states that have a transition probability of at least p to states satisfying ϕ. For example, the state x in Figure 2 satisfies ♢≥0.5 ♢≥1 ⊤ but y does not. Desharnais et al. provide an algorithm that computes distinguishing formulae for labelled Markov chains in run time (roughly) O(n^4).
In the present work, we construct such counterexamples generically for a variety of system types. We achieve genericity over the system type by modelling state-based systems as coalgebras for a set functor in the framework of universal coalgebra [Rut00]. Examples of coalgebras for a set functor include transition systems, deterministic automata, or weighted systems (e.g. Markov chains). Universal coalgebra provides a generic notion of behavioural equivalence that instantiates to standard notions for concrete system types, e.g. bisimilarity (transition systems), language equivalence (deterministic automata), or probabilistic bisimilarity (Markov chains). Moreover, coalgebras come equipped with a generic notion of modal logic that is parametric in a choice of modalities whose semantics is constructed so as to guarantee invariance w.r.t. behavioural equivalence; under easily checked conditions, such a coalgebraic modal logic in fact characterizes behavioural equivalence in the same sense as Hennessy-Milner logic characterizes bisimilarity [Pat04, Sch08]. Hence, as soon as suitable modal operators are found, coalgebraic modal formulae serve as distinguishing formulae.
In a nutshell, the contribution of the present paper is an algorithm that computes distinguishing formulae for behaviourally inequivalent states, and in fact certificates that uniquely describe behavioural equivalence classes in a system, in quasilinear time and in coalgebraic generality. We build on an existing efficient coalgebraic partition refinement algorithm [WDMS20], thus achieving run time O(m log n) on coalgebras with n states and m transitions (in a suitable encoding). The dag size of formulae is also O(m log n) (for tree size, exponential lower bounds are known [FG10]); even for the basic case of transition systems, we thus improve the previous best bound O(mn) [Cle91] for both run time and formula size. We systematically extract the requisite modalities from the functor at hand, requiring binary and nullary modalities in the general case, and then give a systematic method to translate these generic modal operators into more customary ones (such as the standard operators of Hennessy-Milner logic).
We subsequently identify a notion of cancellative functor that allows for additional optimization. E.g. functors modelling weighted systems are cancellative if and only if the weights come from a cancellative monoid, such as (Z, +), or (R, +) as used in probabilistic systems. For cancellative functors, much simpler distinguishing formulae can be constructed: the binary modalities can be replaced by unary ones, and only conjunction is needed in the propositional base. On labelled Markov chains, this complements the result that a logic with only conjunction and different unary modalities (the modalities ♢≥p mentioned above) suffices for the construction of distinguishing formulae (but not certificates) [DEP02] (see also [Dob09]).

Related Work. As mentioned above, Cleaveland's algorithm for labelled transition systems [Cle91] is based on Kanellakis and Smolka's partition refinement algorithm [KS90], while the coalgebraic partition refinement algorithm we employ [WDMS20] is instead related to the more efficient Paige-Tarjan algorithm [PT87]. We do note that in the current paper we formally cover only unlabelled transition systems; the labelled case requires an elaboration of compositionality mechanisms in coalgebraic logic, which is not in the technical focus of the present work. Details are discussed in Remark 3.7. Hopcroft's automata minimization algorithm [Hop71] and its generalization to variable input alphabets [Gri73, Knu01] have quasilinear run time; in these algorithms, a word distinguishing two inequivalent states of interest can be derived directly from a run of the algorithm. König et al.
[KMMS20] extract formulae from winning strategies in a bisimulation game in coalgebraic generality, under more stringent restrictions on the functor than we employ here (specifically, they assume that the functor is separable by singletons, which is stronger than our requirement that the functor is zippable [KMMS20, Lemma 14]). Their algorithm runs in O(n^4); it does not support negative transition weights. Characteristic formulae for behavioural equivalence classes taken across all models require the use of fixpoint logics [DMSW18]. The mentioned algorithm by Desharnais et al. for distinguishing formulae on labelled Markov processes [DEP02, Fig. 4] is based on Cleaveland's. No complexity analysis is made, but the algorithm has four nested loops, so its run time is roughly O(n^4). Bernardo and Miculan [BM19] provide a similar algorithm for a logic with only disjunction. There are further generalizations along other axes, e.g. to behavioural preorders [CC95]. The TwoTowers tool set for the analysis of stochastic process algebras [BCSS98, Ber04] computes distinguishing formulae for inequivalent processes, using variants of Cleaveland's algorithm. Some approaches construct alternative forms of certificates for inequivalence, such as Cranen et al.'s notion of evidence [CLW15] or methods employed on business process models, based on model differences and event structures [Dij08, AGD13, ABDG14].
In constructive mathematics, apartness relations capture provable difference of elements; recently, Geuvers and Jacobs [GJ21] introduced apartness relations as an inductive notion for the inequality of states in a coalgebra, or more generally in a state-based system. In active automata learning, Vaandrager et al. [VGRW22] base their learning algorithm L# on an apartness notion for automata. Whenever two states turn out to be apart, this is witnessed by an input word for which the two states behave differently, and these witnesses are used in the subsequent learning process. Instead of words, we construct modal formulae as universal witnesses for systems of different types. In this sense, our results may eventually relate to variants of coalgebraic active automata learning in which words are similarly replaced with coalgebraic modal formulae [BKR19].
This paper is an extended and revised version of a conference publication [WMS21]. It contains full proofs as well as additional material on simplifications that apply in case the coalgebra functor is cancellative (Section 4). Moreover, we include a new, elementary proof of the known fact that the tree size of certificates can be exponential [FG10] in Appendix A.

Preliminaries
We first recall some basic notation. We denote by 0 = ∅, 1 = {0}, 2 = {0, 1}, and 3 = {0, 1, 2} the sets representing the natural numbers 0, 1, 2 and 3. For every set X, there is a unique map ! : X → 1. We write Y^X for the set of functions X → Y, so e.g. X^2 ≅ X × X. In particular, 2^X is the set of 2-valued predicates on X, which is in bijection with the powerset PX of X, i.e. the set of all subsets of X; in this bijection, a subset A ∈ PX corresponds to its characteristic function χ_A ∈ 2^X, given by χ_A(x) = 1 if x ∈ A, and χ_A(x) = 0 otherwise. We freely convert between predicates and subsets; in particular we apply set operations as well as the subset and elementhood relations to predicates, with the evident meaning. We generally indicate injective maps by ↣. Given maps f : Z → X, g : Z → Y, we write ⟨f, g⟩ for the map Z → X × Y given by ⟨f, g⟩(z) = (f(z), g(z)). We denote the disjoint union of sets X, Y by X + Y, with canonical inclusion maps in_1 : X ↣ X + Y and in_2 : Y ↣ X + Y. More generally, we write ∐_{i∈I} X_i for the disjoint union of an I-indexed family of sets (X_i)_{i∈I}, and in_i : X_i ↣ ∐_{i∈I} X_i for the i-th inclusion map. For a map f : X → Y (not necessarily surjective), we denote by ker(f) ⊆ X × X the kernel of f, i.e. the equivalence relation ker(f) = {(x, x′) ∈ X × X | f(x) = f(x′)}. The partition corresponding to an equivalence relation R on X is denoted by X/R = {[x]_R | x ∈ X}, where [x]_R = {x′ ∈ X | (x, x′) ∈ R} is the equivalence class of x.

A signature is a set Σ, whose elements are called operation symbols, equipped with a function a : Σ → N assigning to each operation symbol its arity. We write σ/n ∈ Σ for σ ∈ Σ with a(σ) = n. We will apply the same terminology and notation to collections of modal operators.
2.1. Coalgebra. Universal coalgebra [Rut00] provides a generic framework for the modelling and analysis of state-based systems. Its key abstraction is to parametrize notions and results over the transition type of systems, encapsulated as an endofunctor on a given base category. Instances cover, for example, deterministic automata, labelled (weighted) transition systems, and Markov chains.
Definition 2.2. A set functor F : Set → Set assigns to every set X a set FX and to every map f : X → Y a map Ff : FX → FY such that identity maps and composition are preserved: F id_X = id_{FX} and F(g ∘ f) = Fg ∘ Ff. An F-coalgebra is a pair (C, c) consisting of a set C (the carrier) and a map c : C → FC (the structure). When F is clear from the context, we simply speak of a coalgebra.
In a coalgebra c : C → F C, we understand the carrier set C as consisting of states, and the structure c as assigning to each state x ∈ C a structured collection of successor states, with the structure of collections determined by F .In this way, the notion of coalgebra subsumes numerous types of state-based systems, as illustrated next.
Example 2.3. (1) The powerset functor P sends a set X to its powerset PX and a map f : X → Y to the map Pf = f[−] : PX → PY that takes direct images. A P-coalgebra c : C → PC is precisely a transition system: it assigns to every state x ∈ C a set c(x) ∈ PC of successor states, inducing a transition relation → given by x → y iff y ∈ c(x). Similarly, the coalgebras for the finite powerset functor P_f (with P_f X being the set of finite subsets of X) are precisely the finitely branching transition systems.
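As a purely illustrative rendering of this correspondence, a finite P-coalgebra can be encoded as a map from states to successor sets; the dict-of-sets encoding and the state names below are our own and not taken from the paper's figures.

```python
# A finite P-coalgebra c : C -> P(C), represented as a dict mapping each
# state to its set of successors. The states 'x', 'y', 'z' are illustrative.
c = {
    'x': {'y', 'z'},   # x -> y and x -> z
    'y': {'z'},        # y -> z
    'z': set(),        # z is a deadlock: no outgoing transitions
}

def has_transition(c, x, y):
    """The induced transition relation: x -> y holds iff y is in c(x)."""
    return y in c[x]
```

The structure map and the transition relation determine each other, which is exactly the bijection described in item (1).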
(2) Coalgebras for the functor FX = 2 × X^A, where A is a fixed input alphabet, are deterministic automata (without an explicit initial state). Indeed, a coalgebra structure c = ⟨f, t⟩ : C → 2 × C^A consists of a finality predicate f : C → 2 and a transition map t : C → C^A.

(3) Every signature Σ defines a signature functor F_Σ that maps a set X to the set F_Σ X = ∐_{σ/n ∈ Σ} X^n, whose elements we may understand as flat Σ-terms σ(x_1, ..., x_n) with variables from X.
The action of F_Σ on maps f : X → Y is then given by F_Σ f(σ(x_1, ..., x_n)) = σ(f(x_1), ..., f(x_n)). For simplicity, we write σ (instead of in_σ) for the coproduct injections, and Σ in lieu of F_Σ for the signature functor. A Σ-coalgebra is a kind of tree automaton: it consists of a set C of states and a transition map c : C → ∐_{σ/n ∈ Σ} C^n, which essentially assigns to each state an operation symbol σ/n ∈ Σ and n successor states. Hence, every state in a Σ-coalgebra describes a (possibly infinite) Σ-tree, that is, a rooted and ordered tree whose nodes are labelled by operation symbols from Σ such that a node with n successor nodes is labelled by an n-ary operation symbol.
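Item (2) can likewise be made concrete: a deterministic automaton is the pairing of a finality predicate with a transition map. The two-state automaton below (alphabet {a, b}, states q0, q1) is a hypothetical example of our own choosing.

```python
# A coalgebra <f, t> : C -> 2 x C^A for the alphabet A = {'a', 'b'}.
# f is the finality predicate f : C -> 2; t is the transition map,
# encoded as a dict on (state, letter) pairs. The automaton accepts
# exactly the words ending in 'a'.
f = {'q0': 0, 'q1': 1}
t = {('q0', 'a'): 'q1', ('q0', 'b'): 'q0',
     ('q1', 'a'): 'q1', ('q1', 'b'): 'q0'}

def accepts(word, start='q0'):
    """Run the automaton on a word; it is accepted iff the run ends
    in a state where the finality predicate holds."""
    state = start
    for letter in word:
        state = t[(state, letter)]
    return f[state] == 1
```

Behavioural equivalence for this functor is language equivalence, as stated later in Example 2.5(2).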
(4) For a commutative monoid (M, +, 0), the monoid-valued functor M^(−) [GS01] is defined on a set X by M^(X) = { μ : X → M | μ(x) = 0 for all but finitely many x ∈ X }. A coalgebra c : C → M^(C) is a finitely branching weighted transition system: for x, x′ ∈ C, c(x)(x′) ∈ M is the transition weight from x to x′. For the Boolean monoid B = (2, ∨, 0), we recover P_f = B^(−). Coalgebras for R^(−), with R understood as the additive monoid of the reals, are R-weighted transition systems. The functor D of finite probability distributions, which assigns to a set X the set of all finite probability distributions on X (represented as finitely supported probability mass functions), is a subfunctor of R^(−).
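A coalgebra for a monoid-valued functor can be sketched with finite support, storing only the nonzero weights; the chain below is a hypothetical example, and the helper is_distribution singles out those states whose weight function lies in the subfunctor D.

```python
# A coalgebra c : C -> R^(C) for the additive monoid of the reals,
# with finite support: absent keys carry weight 0. Illustrative example.
c = {
    'x': {'y': 0.5, 'z': 0.5},
    'y': {'y': 1.0},
    'z': {'z': 1.0},
}

def weight(c, x, y):
    """The transition weight c(x)(y), defaulting to the monoid unit 0."""
    return c[x].get(y, 0.0)

def is_distribution(c, x):
    """c(x) lies in D(C) iff the weights are nonnegative and sum to 1."""
    w = c[x].values()
    return all(p >= 0 for p in w) and abs(sum(w) - 1.0) < 1e-9
```

For the Boolean monoid one would instead store plain successor sets, recovering the encoding of P_f-coalgebras used above.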
(5) Functors can be composed; for instance, given a set A of labels, the composite of P and the functor A × (−) (whose action on sets maps a set X to the set A × X) is the functor FX = P(A × X), whose coalgebras are A-labelled transition systems. Coalgebras for (D(−) + 1)^A have been termed probabilistic transition systems [LAS91] or labelled Markov chains [DEP02], and coalgebras for (D((−) + 1) + 1)^A are partial labelled Markov chains [DEP02]. Coalgebras for SX = P_f(A × DX) are variously known as simple Segala systems or Markov decision processes.
We have a canonical notion of behaviour on F-coalgebras:

Definition 2.4. An F-coalgebra morphism h : (C, c) → (D, d) is a map h : C → D such that d ∘ h = Fh ∘ c. States x, y in an F-coalgebra (C, c) are behaviourally equivalent (notation: x ∼ y) if there exists a coalgebra morphism h such that h(x) = h(y).
Thus, we effectively define the behaviour of a state as those of its properties that are preserved by coalgebra morphisms. The notion of behavioural equivalence subsumes standard branching-time equivalences:

Example 2.5. (1) For F ∈ {P, P_f}, behavioural equivalence on F-coalgebras, i.e. on transition systems, is bisimilarity in the usual sense.
(2) For deterministic automata as coalgebras for F X = 2 × X A , two states are behaviourally equivalent iff they accept the same formal language.
(3) For a signature functor Σ, two states of a Σ-coalgebra are behaviourally equivalent iff they describe the same Σ-tree.
(4) For labelled transition systems as coalgebras for F X = P(A×X), coalgebraic behavioural equivalence precisely captures Milner's strong bisimilarity; this was shown by Aczel and Mendler [AM89].
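To make the transition-system instance of Example 2.5 concrete, bisimilarity can be computed by naive partition refinement: repeatedly split blocks until all states in a block reach the same blocks. This quadratic-time sketch (our own helper names, dict-of-sets encoding as before) is only illustrative and is not the efficient algorithm developed later.

```python
def bisimilarity(c):
    """Naive partition refinement on a P-coalgebra c (dict of successor
    sets); returns the partition of the states into bisimilarity classes."""
    part = [set(c)]  # start with the trivial partition and refine

    def block_of(x):
        return next(i for i, b in enumerate(part) if x in b)

    while True:
        new_part = []
        for b in part:
            groups = {}
            for x in b:
                # Signature of x: the set of current blocks it can reach.
                sig = frozenset(block_of(y) for y in c[x])
                groups.setdefault(sig, set()).add(x)
            new_part.extend(groups.values())
        if len(new_part) == len(part):  # no block was split: stable
            return new_part
        part = new_part

# Deadlocks are bisimilar to each other but not to live states.
c = {'x': {'y'}, 'y': set(), 'z': set()}
classes = {frozenset(b) for b in bisimilarity(c)}
```

The partition stabilizes because each round can only split blocks, mirroring the sequence of consecutively finer partitions discussed in Section 3.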
Remark 2.6. (1) The notion of behavioural equivalence extends straightforwardly to states in different coalgebras, as one can canonically define the disjoint union of coalgebras: Given a pair of F-coalgebras (C, c) and (D, d), we have a canonical F-coalgebra structure [F in_1, F in_2] ∘ (c + d) : C + D → F(C + D) on the disjoint union C + D of their carriers, where [−, −] denotes case distinction on the disjoint components FC and FD. It is easy to see that the canonical inclusion maps in_1 : C → C + D and in_2 : D → C + D are F-coalgebra morphisms. We say that states x ∈ C and y ∈ D are behaviourally equivalent if in_1(x) ∼ in_2(y) holds in C + D. This definition coincides with the standard one, according to which x, y are behaviourally equivalent if there exist coalgebra morphisms f : (C, c) → (E, e) and g : (D, d) → (E, e) such that f(x) = g(y). Moreover, the extended definition is consistent with Definition 2.4 in the sense that states x, y in the coalgebra (C, c) are behaviourally equivalent according to Definition 2.4 iff in_1(x) ∼ in_2(y) in the canonical coalgebra on C + C.
(2) As shown by Trnková [Trn71], we may assume without loss of generality that a set functor F preserves injective maps (see also Barr [Bar93, Proof of Thm. 3.2]), that is, Ff is injective whenever f is. In fact, for every set functor F there exists a set functor F̄ (called the Trnková hull of F [ABLM12]) that coincides with F on nonempty sets and functions and preserves injections.
Moreover, F̄ preserves all finite intersections (pullbacks of pairs of injective maps); it is even the reflection of F in the category of set functors preserving finite intersections [ABLM12, Cor. VII.2]. Since F̄ only differs from F on the empty set, both functors have the same coalgebras and coalgebra morphisms. All functors in Example 2.3 already preserve injective maps.
2.2. Coalgebraic Logics. We continue with a brief review of basic concepts of coalgebraic modal logic [Pat03, Sch08]. Coalgebraic modal logics are parametric in a functor F determining the type of systems underlying the semantics, and additionally in a choice of modalities interpreted in terms of predicate liftings. For now, we use F = P as a basic example, deferring further examples to Section 5.
Syntax. Relative to a signature Λ of modal operators, formulae are given by the grammar ϕ ::= ⊤ | ¬ϕ | ϕ_1 ∧ ϕ_2 | ♡(ϕ_1, ..., ϕ_n), where ♡/n ∈ Λ.

Semantics. We interpret formulae as sets of states in F-coalgebras. This interpretation arises by assigning to each modal operator ♡/n ∈ Λ an n-ary predicate lifting ⟦♡⟧ [Pat03, Sch08], i.e. a family of maps ⟦♡⟧_X : (2^X)^n → 2^{FX}, one for every set X, such that the naturality condition

(2.3)  (Ff)⁻¹[⟦♡⟧_Y(P_1, ..., P_n)] = ⟦♡⟧_X(f⁻¹[P_1], ..., f⁻¹[P_n])

holds for all f : X → Y and all P_1, ..., P_n ∈ 2^Y. Thus, ⟦♡⟧_X lifts n given predicates on states to a predicate on structured collections of states. Categorically speaking, ⟦♡⟧ is a natural transformation (2^(−))^n → 2^{F(−)} on Set^op, where 2^(−) denotes the contravariant powerset functor, which sends a set X to the set 2^X of 2-valued predicates on X (equivalently to the powerset of X), and a map f : X → Y to the preimage map f⁻¹[−] : 2^Y → 2^X. Given the above data, the extension of a formula ϕ in an F-coalgebra (C, c) is a predicate ⟦ϕ⟧_{(C,c)}, or just ⟦ϕ⟧, on C, recursively defined by

⟦⊤⟧ = C,  ⟦¬ϕ⟧ = C \ ⟦ϕ⟧,  ⟦ϕ_1 ∧ ϕ_2⟧ = ⟦ϕ_1⟧ ∩ ⟦ϕ_2⟧,  ⟦♡(ϕ_1, ..., ϕ_n)⟧ = c⁻¹[⟦♡⟧_C(⟦ϕ_1⟧, ..., ⟦ϕ_n⟧)].

(Recall that we implicitly convert between predicates and subsets.) We say that a state x ∈ C satisfies ϕ if x ∈ ⟦ϕ⟧. Notice how the clause for modalities says that x satisfies ♡(ϕ_1, ..., ϕ_n) iff c(x) satisfies the predicate obtained by lifting the predicates ⟦ϕ_1⟧, ..., ⟦ϕ_n⟧ on C to a predicate on FC according to ⟦♡⟧.
Example 2.9. Over F = P, we interpret ♢ by the predicate lifting ⟦♢⟧_X(P) = { S ∈ PX | S ∩ P ≠ ∅ }. The arising notion of satisfaction over P-coalgebras (C, c) is precisely the standard one: x satisfies ♢ϕ iff y ∈ ⟦ϕ⟧ for some transition x → y.
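This semantics can be rendered executable for F = P; the tuple encoding of formulae, the helper names, and the example coalgebra below are our own illustrative choices, with □ expressed as the dual ¬♢¬.

```python
# Formulae as nested tuples: ('top',), ('not', p), ('and', p, q), ('dia', p).
def ext(phi, c):
    """The extension [[phi]]: the set of states of the P-coalgebra c
    (dict of successor sets) satisfying phi."""
    states = set(c)
    op = phi[0]
    if op == 'top':
        return states
    if op == 'not':
        return states - ext(phi[1], c)
    if op == 'and':
        return ext(phi[1], c) & ext(phi[2], c)
    if op == 'dia':
        # Predicate lifting for <>: c(x) must meet [[phi_1]].
        p = ext(phi[1], c)
        return {x for x in states if c[x] & p}
    raise ValueError(op)

def box(phi):
    """[] phi as the dual ~<>~phi."""
    return ('not', ('dia', ('not', phi)))

# x has an infinite path; y's only successor is a deadlock. The formula
# [] <> T then distinguishes x from y, in the spirit of the introduction.
c = {'x': {'a'}, 'a': {'a'}, 'y': {'b'}, 'b': set()}
formula = box(('dia', ('top',)))
```

Note how the clause for 'dia' composes the predicate lifting with the structure map, exactly as in the modal clause of the semantics.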
The naturality condition (2.3) of predicate liftings guarantees invariance of the logic under coalgebra morphisms, and hence under behavioural equivalence:

Proposition 2.10 (Adequacy [Pat03, Sch08]). Behaviourally equivalent states satisfy the same formulae: x ∼ y implies that for all formulae ϕ, we have x ∈ ⟦ϕ⟧ iff y ∈ ⟦ϕ⟧.
In our running example F = P, this instantiates to the well-known fact that modal formulae are bisimulation-invariant, that is, bisimilar states in transition systems satisfy the same formulae of Hennessy-Milner logic.

Constructing Distinguishing Formulae
A proof method certifying behavioural equivalence of states x, y in a coalgebra is immediate by definition: one simply needs to exhibit a coalgebra morphism h such that h(x) = h(y). In fact, for many system types, it suffices to relate x and y by a coalgebraic bisimulation in a suitable sense (e.g. [AM89, Rut00, GS13, MV15]), generalizing the Park-Milner bisimulation principle [Mil89, Par81]. It is less obvious how to certify behavioural inequivalence x ̸∼ y, showing that such a morphism h does not exist. By Proposition 2.10, one option is to exhibit a (coalgebraic) modal formula ϕ that is satisfied by x but not by y. In the case of (image-finite) transition systems, such a formula is guaranteed to exist by the Hennessy-Milner theorem, which moreover is known to generalize to coalgebras [Pat04, Sch08]. More generally, we consider separation of sets of states by formulae, following Cleaveland [Cle91, Def. 2.4]:

Definition 3.1. A formula ϕ distinguishes a set X of states from a set Y of states if X ⊆ ⟦ϕ⟧ and Y ∩ ⟦ϕ⟧ = ∅; a certificate of a set X of states is a formula ϕ with ⟦ϕ⟧ = X.

Note that ϕ distinguishes X from Y iff ¬ϕ distinguishes Y from X. Certificates have also been referred to as descriptions [FG10]. If ϕ is a certificate of a behavioural equivalence class [x]_∼, then by definition, ϕ distinguishes x from y whenever x ̸∼ y. To obtain distinguishing formulae for behaviourally inequivalent states in a coalgebra, it therefore suffices to construct certificates for all behavioural equivalence classes, which indeed is what our algorithm does.
Of course, every certificate must be at least as large as a smallest distinguishing formula. However, already on transition systems, distinguishing formulae and certificates have the same asymptotic worst-case size (cf. Section 6).
A natural approach to computing certificates for behavioural equivalence classes is to extend algorithms that compute these equivalence classes. In particular, partition refinement algorithms compute a sequence C/R_0, C/R_1, ... of consecutively finer partitions (i.e. R_{i+1} ⊆ R_i for every i ≥ 0) on the state space, where every block B ∈ C/R_i is a union of behavioural equivalence classes. Since C is finite, this sequence stabilizes, and the final partition is precisely C/∼. Indeed, Cleaveland's algorithm for computing certificates on (labelled) transition systems [Cle91] correspondingly extends Kanellakis and Smolka's partition refinement algorithm [KS83, KS90], which runs in O(mn) on systems with n = |C| states and m transitions. Our generic algorithm will be based on a more efficient partition refinement algorithm.
3.1. Paige-Tarjan with Certificates. Before we turn to constructing certificates in coalgebraic generality, we informally recall and extend the Paige-Tarjan algorithm [PT87], which computes the partition modulo bisimilarity of a given transition system with n states and m transitions in time O((m + n) log n). We fix a given finite transition system, viewed as a P-coalgebra c : C → PC.
The algorithm computes two sequences (C/P_i)_{i∈N} and (C/Q_i)_{i∈N} of partitions of C (with Q_i, P_i equivalence relations), where only the most recent partition is held in memory and i indexes the iterations of the main loop. Throughout the execution, C/P_i is finer than C/Q_i (that is, P_i ⊆ Q_i for every i ≥ 0), and the algorithm terminates when P_i = Q_i. Intuitively, P_i is 'one transition ahead' of Q_i: if Q_i distinguishes states x and y, then P_i is based on distinguishing transitions to x from transitions to y.
Initially, C/Q_0 := {C} consists of only one block, and C/P_0 of two blocks: the live states and the deadlocks (i.e. states with no outgoing transitions). If P_i ⫋ Q_i, then there is a block B ∈ C/Q_i that is the union of at least two blocks in C/P_i. In such a situation, the algorithm chooses S ⊆ B in C/P_i to have at most half the size of B and then splits the block B into S and B \ S in the partition C/Q_i; this is correct because every state in S is already known to be behaviourally inequivalent to every state in B \ S. By the definition of bisimilarity, this implies that every block T ∈ C/P_i with some transition to B may contain behaviourally inequivalent states, as illustrated in Figure 3; that is, T may need to be split into smaller blocks, as follows:

(C1) states in T with successors in S but not in B \ S (e.g. x_1 in Figure 3),
(C2) states in T with successors in S and in B \ S (e.g. x_2), and
(C3) states in T with successors in B \ S but not in S (e.g. x_3).

The partition C/P_{i+1} arises from C/P_i by splitting all such predecessor blocks T of B accordingly. The algorithm terminates as soon as P_{i+1} = Q_{i+1} holds. It is straightforward to construct certificates for the blocks arising during the execution:

• The certificate for the only block C ∈ C/Q_0 is ⊤, and the blocks for live states and deadlocks in C/P_0 have certificates ♢⊤ and ¬♢⊤, respectively.
• In the refinement step, suppose that δ, β are certificates of S ∈ C/P_i and B ∈ C/Q_i, respectively, where S ⫋ B.
For every predecessor block T of B, the three blocks obtained by splitting T are distinguished (in the sense of Definition 3.1) as follows: states in case (C1) satisfy ♢δ ∧ ¬♢(β ∧ ¬δ), states in (C2) satisfy ♢δ ∧ ♢(β ∧ ¬δ), and states in (C3) satisfy ¬♢δ ∧ ♢(β ∧ ¬δ). Of course, these formulae only distinguish the states in T from each other (e.g. there may be states in other blocks with transitions to both S and B \ S). Hence, given a certificate ϕ of T, one obtains certificates of the three resulting blocks in C/P_{i+1} via conjunction:

ϕ ∧ ♢δ ∧ ¬♢(β ∧ ¬δ),  ϕ ∧ ♢δ ∧ ♢(β ∧ ¬δ),  ϕ ∧ ¬♢δ ∧ ♢(β ∧ ¬δ).

Upon termination, every bisimilarity class [x]_∼ in the transition system is annotated with a certificate. A key step in the generic development will be to come up with a coalgebraic generalization of the formulae for (C1)-(C3).
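The refinement step with certificates can be sketched as follows; the helper name split_block, the formula strings, and the example mirroring Figure 3 are our own illustrative choices (with <>, /\, ~ standing for ♢, ∧, ¬).

```python
def split_block(c, T, S, B, delta, beta, phi):
    """Split predecessor block T of B w.r.t. S and B \\ S in the
    P-coalgebra c, attaching to each of the cases (C1)-(C3) a certificate
    built from delta (certificate of S), beta (of B) and phi (of T)."""
    notS = B - S
    c1 = {x for x in T if c[x] & S and not (c[x] & notS)}
    c2 = {x for x in T if c[x] & S and c[x] & notS}
    c3 = {x for x in T if not (c[x] & S) and c[x] & notS}
    d_rest = f'<>({beta} /\\ ~{delta})'   # some successor in B \ S
    return [
        (c1, f'{phi} /\\ <>{delta} /\\ ~{d_rest}'),
        (c2, f'{phi} /\\ <>{delta} /\\ {d_rest}'),
        (c3, f'{phi} /\\ ~<>{delta} /\\ {d_rest}'),
    ]

# Hypothetical situation as in Figure 3: x1 reaches only S, x2 reaches
# both S and B \ S, x3 reaches only B \ S.
S, B = {'s'}, {'s', 'r'}
c = {'x1': {'s'}, 'x2': {'s', 'r'}, 'x3': {'r'}, 's': set(), 'r': set()}
blocks = split_block(c, {'x1', 'x2', 'x3'}, S, B, 'd', 'b', 'p')
```

Each returned pair is a new block of C/P_{i+1} together with its certificate, obtained from the old certificate by conjunction as described above.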

3.2. Generic Partition Refinement. The Paige-Tarjan algorithm has been adapted to other system types, e.g. weighted systems [VF10], and it has recently been generalized to coalgebras [DMSW17, WDMS20]. A crucial step in this generalization is to rephrase the case distinction (C1)-(C3) in terms of the functor P: Given a predecessor block T in C/P_i for S ⫋ B ∈ C/Q_i, we define the map χ^B_S : C → 3 by

χ^B_S(x) = 2 if x ∈ S,  χ^B_S(x) = 1 if x ∈ B \ S,  χ^B_S(x) = 0 if x ∈ C \ B.

We then consider the composite Pχ^B_S ∘ c : C → P3.

The three cases (C1)-(C3) distinguish between the equivalence classes of states x ∈ T according to the value t := Pχ^B_S(c(x)) ∈ P3: case (C1) corresponds to 2 ∈ t ∌ 1, case (C2) to 2 ∈ t ∋ 1, and case (C3) to 2 ∉ t ∋ 1. Since T is a predecessor block of B, the 'fourth case' 2 ∉ t ∌ 1 is not possible. There is a transition from x to some state outside B iff 0 ∈ t. However, because of the previous refinement steps performed by the algorithm, either every or no state of T has an edge to C \ B (a property called stability [PT87]); hence, no distinction on 0 ∈ t is necessary.
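For F = P, the composite Pχ^B_S ∘ c is directly computable; the encoding below is an illustrative sketch with hypothetical states mirroring the three cases.

```python
def chi(S, B):
    """The map chi^B_S : C -> 3 (value 2 on S, 1 on B \\ S, 0 outside B)."""
    return lambda x: 2 if x in S else (1 if x in B else 0)

def P_chi_c(c, S, B, x):
    """The composite P(chi^B_S)(c(x)) in P3: the set of values that the
    successors of x are mapped to."""
    f = chi(S, B)
    return frozenset(f(y) for y in c[x])

# x1, x2, x3 realize the cases (C1), (C2), (C3), respectively.
S, B = {'s'}, {'s', 'r'}
c = {'x1': {'s'}, 'x2': {'s', 'r'}, 'x3': {'r'}, 's': set(), 'r': set()}
```

Two states of a predecessor block end up in the same refined block precisely when P_chi_c yields the same element of P3 for them.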
It is now easy to generalize from transition systems to coalgebras by simply replacing the functor P with F in the refinement step. We recall the algorithm:

Algorithm 3.2. Initially, let Q_0 := ker(! : C → 1) and P_0 := ker(F! ∘ c). While P_i ≠ Q_i, iterate the following steps:
(A1) pick S ∈ C/P_i and B ∈ C/Q_i such that S ⫋ B and 2 · |S| ≤ |B|;
(A2) split B into S and B \ S in C/Q_i;
(A3) refine every block of C/P_i according to Fχ^B_S ∘ c.

In the main loop, blocks S ∈ C/P_i and B ∈ C/Q_i witnessing P_i ⫋ Q_i are picked, and B is split into S and B \ S, like in the Paige-Tarjan algorithm. Note that step (A2) is equivalent to directly defining the equivalence relation Q_{i+1} as Q_{i+1} := Q_i ∩ ker(χ_S). A similar intersection of equivalence relations is performed in step (A3), namely P_{i+1} := P_i ∩ ker(Fχ^B_S ∘ c). The intersection splits every block T ∈ C/P_i into smaller blocks such that x, x′ ∈ T end up in the same block iff Fχ^B_S(c(x)) = Fχ^B_S(c(x′)). Again, this corresponds to the distinction of the three cases (C1)-(C3).
Example 3.4. For FX = 2 × X^A, there are |F3| = 2 · 3^{|A|} cases to be distinguished, and so every T ∈ C/P_i is split into at most that many blocks in C/P_{i+1}.
The following property of F is needed for correctness [WDMS20, Ex. 5.11].
Definition 3.5 [WDMS20]. A functor F is zippable if the maps

⟨F(id_A + !), F(! + id_B)⟩ : F(A + B) → F(A + 1) × F(1 + B)

are injective for all sets A, B.
Intuitively, t ∈ F(A + B) is a structured collection of elements from A and B. If F is zippable, then t is uniquely determined by the two structured collections in F(A + 1) and F(1 + B) obtained by identifying all B-elements and all A-elements, respectively, with 0 ∈ 1.
Example 3.6. The functor FX = X × X is zippable: e.g. an element t = (in_1(a), in_2(b)) ∈ (A + B) × (A + B) is sent to the pair ((in_1(a), in_2(0)), (in_1(0), in_2(b))), from which t can be read off, and similarly for the three other cases of t.
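The zip map for FX = X × X and the reconstruction witnessing its injectivity can be sketched directly; the tagged-pair encoding of coproduct elements below is our own convention, with 0 standing for the point of 1.

```python
def collapse_B(v):
    """id_A + ! : A + B -> A + 1, identifying all B-elements with 0."""
    tag, _ = v
    return v if tag == 'A' else ('B', 0)

def collapse_A(v):
    """! + id_B : A + B -> 1 + B, identifying all A-elements with 0."""
    tag, _ = v
    return v if tag == 'B' else ('A', 0)

def zip_map(t):
    """The map F(A+B) -> F(A+1) x F(1+B) for F X = X x X."""
    u, v = t
    return ((collapse_B(u), collapse_B(v)), (collapse_A(u), collapse_A(v)))

def unzip(pair):
    """Reconstruct t from its image, witnessing injectivity: each
    component is read off from whichever side did not collapse it."""
    (l1, l2), (r1, r2) = pair
    pick = lambda l, r: l if l[0] == 'A' else r
    return (pick(l1, r1), pick(l2, r2))

t = (('A', 'a1'), ('B', 'b2'))
```

Since each component of t survives intact on exactly one side, the round trip unzip(zip_map(t)) recovers t in all four cases.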
In fact, all signature functors as well as P and all monoid-valued functors (see Example 2.3(4)) are zippable. Moreover, the class of zippable functors is closed under products, coproducts, and subfunctors, but not under composition; e.g. PP is not zippable [WDMS20]. The intuitive reason why PP is not zippable is that PP has two 'unordered levels', and so we cannot uniquely reconstruct t ∈ PP(A + B) given only the restrictions to PP(A + 1) and PP(1 + B). In the following example, we take distinct a_1, a_2 ∈ A and b_1, b_2 ∈ B, and omit some of the coproduct injections for the sake of brevity:

{{a_1, b_1}, {a_2, b_2}} ≠ {{a_1, b_2}, {a_2, b_1}}.

Both the left-hand and the right-hand set of sets yield the same terms when restricting to A + 1 and 1 + B separately, showing that the map in Definition 3.5 is not injective for PP. This example extends to a coalgebra for which partition refinement based on characteristic maps χ^B_S would compute wrong results [WDMS20, Ex. 5.11].

Remark 3.7. To apply the algorithm to coalgebras for composites FG of zippable functors, e.g. P(A × (−)), there is a reduction [WDMS20, Section 8] that embeds every FG-coalgebra into a coalgebra for the zippable functor (F + G)(X) := FX + GX. This reduction preserves and reflects behavioural equivalence, but introduces an intermediate state for every transition. The reduction factors through an encoding of composite functors via multisorted coalgebra [SP11], in which, e.g., a composite functor FG would be represented in a setting with two sorts 1, 2 as a pair of functors F̂, Ĝ, one going from sort 1 to sort 2 and one going the other way around. The multisorted framework comes with a corresponding multisorted coalgebraic modal logic. There are conversion functors between multisorted coalgebras (e.g. for a multisorted functor made up of F̂ and Ĝ) and single-sorted coalgebras (e.g.
for FG) which, in the end, guarantee compositionality (w.r.t. functor composition, including composition with multi-argument functors such as binary sum) of most semantic and algorithmic properties of coalgebraic modal logics, including the Hennessy-Milner property (see [SP11] for details).
In principle, these results imply in particular that the algorithms and complexity results developed in the present paper are compositional w.r.t. functor composition. Establishing this formally will require transferring the framework of multisorted coalgebraic modal logic along the above-mentioned translation from multisorted coalgebras to single-sorted coalgebras for sums of functors. To keep the paper focused, we refrain from carrying this out in the present paper. We do note that this implies that we do not, at the moment, cover labelled transition systems, i.e. coalgebras for the composite functor P ∘ (A × (−)), in full formality.
In the correctness proof, zippability is used to show that it suffices to incrementally refine the partition using the characteristic map χ^B_S under the functor F in step (A3). When constructing certificates in the following, this refinement turns into a logical conjunction, and the characteristic map under the functor turns into a modal operator.
3.3. Generic Modal Operators. The extended Paige-Tarjan algorithm (Section 3.1) constructs a distinguishing formula according to the three cases (C1)-(C3). In the coalgebraic Algorithm 3.2, these cases correspond to elements of F3, which determine in which block an element of a predecessor block T ends up. Indeed, the elements of F3 will also serve as generic modalities in characteristic formulae for blocks of states, essentially by the equivalence between n-ary predicate liftings and (in this case, singleton) subsets of F(2^n) (Lemma 2.8); such singletons are also known as tests [Kli05].
Definition 3.9. Define the map q : 2 × 2 → 3 by q(1, 1) = 2, q(0, 1) = 1, and q(0, 0) = q(1, 0) = 0. For every t ∈ F3, the binary modality ⌜t⌝ is interpreted by the predicate lifting ⟦⌜t⌝⟧_X(P_1, P_2) = { s ∈ FX | F(q ∘ ⟨χ_{P_1}, χ_{P_2}⟩)(s) = t }.

The map q satisfies q ∘ ⟨χ_S, χ_B⟩ = χ^B_{S∩B} for all subsets S, B ⊆ X. By Lemma 2.8, ⟦⌜t⌝⟧ indeed is the predicate lifting corresponding to the singleton {t} ⊆ F3. The intended use of ⌜t⌝ is as follows: Suppose a block B is split into subblocks S ⊆ B and B \ S, with certificates δ and β for S and B, respectively; that is, ⟦δ⟧ = S and ⟦β⟧ = B. As in Figure 3, we then split every predecessor block T of B into smaller parts, each of which is uniquely characterized by the formula ⌜t⌝(δ, β) for some t ∈ F3.
Example 3.11. For F = P, the formula ⌜{0, 2}⌝(δ, β) is equivalent to ♢(δ ∧ β) ∧ ¬♢(β ∧ ¬δ) ∧ ♢¬β.

Lemma 3.12. Given an F-coalgebra (C, c), a state x ∈ C, and formulae δ and β such that ⟦δ⟧ ⊆ ⟦β⟧ ⊆ C, we have, for every t ∈ F3: x ∈ ⟦⌜t⌝(δ, β)⟧ iff Fχ^{⟦β⟧}_{⟦δ⟧}(c(x)) = t.

Proof. This follows directly from Definition 3.9 applied to S := ⟦δ⟧ and B := ⟦β⟧, using that S ∩ B = S: x ∈ ⟦⌜t⌝(δ, β)⟧ iff F(q ∘ ⟨χ_S, χ_B⟩)(c(x)) = t iff Fχ^B_S(c(x)) = t.

In the initial partition C/P_0 on a transition system (C, c), we used the formulae ♢⊤ and ¬♢⊤ to distinguish live states and deadlocks. In general, we can similarly describe the initial partition using modalities induced by elements of F1:

Notation 3.13. Define the injective map j_1 : 1 ↣ 3 by j_1(0) = 2. Then the injection Fj_1 : F1 ↣ F3 provides a way to interpret elements t ∈ F1 as nullary modalities ⌜t⌝ := ⌜Fj_1(t)⌝(⊤, ⊤). (Alternatively, we could introduce ⌜t⌝ directly as a nullary modality.)

Lemma 3.14. Given a coalgebra c : C → FC, a state x ∈ C, and t ∈ F1, we have x ∈ ⟦⌜t⌝⟧ iff F!(c(x)) = t. Indeed, since q ∘ ⟨χ_C, χ_C⟩ = j_1 ∘ !, we have x ∈ ⟦⌜Fj_1(t)⌝(⊤, ⊤)⟧ iff Fj_1(F!(c(x))) = Fj_1(t) iff F!(c(x)) = t. In the last step we use our running assumption that, w.l.o.g., F preserves injective maps (Remark 2.6(2)).
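For F = P, membership in ⟦⌜t⌝(δ, β)⟧ can be checked by classifying successors via q; the encoding, helper name, and example coalgebra below are illustrative, with δ and β given directly as their extensions.

```python
def q(a, b):
    """The map q : 2 x 2 -> 3, sending (1,1) to 2, (0,1) to 1, else to 0."""
    if a == 1 and b == 1:
        return 2
    if b == 1:
        return 1
    return 0

def sat_modality(c, x, t, delta, beta):
    """x satisfies the F3-modality |t|(delta, beta) for F = P iff
    P(q o <chi_delta, chi_beta>)(c(x)) equals t, where delta and beta
    are the extensions of the argument formulae (sets of states)."""
    classify = lambda y: q(1 if y in delta else 0, 1 if y in beta else 0)
    return frozenset(classify(y) for y in c[x]) == t

# x has a successor in S = {s} and one outside B, but none in B \ S = {r},
# so its classification set is {0, 2}, matching Example 3.11.
c = {'x': {'s', 'o'}, 's': set(), 'r': set(), 'o': set()}
delta, beta = {'s'}, {'s', 'r'}
```

Each element t ∈ P3 thus carves out one of the possible refined blocks of a predecessor block, as stated in Lemma 3.12.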
3.4. Algorithmic Construction of Certificates. The F3-modalities introduced above (Definition 3.9) induce an instance of coalgebraic modal logic (Section 2.2). We refer to coalgebraic modal formulae employing the F3-modalities as F3-modal formulae, and write M for the set of F3-modal formulae. As in the extended Paige-Tarjan algorithm (Section 3.1), we annotate every block arising during the execution of Algorithm 3.2 with a certificate in the shape of an F3-modal formula. Annotating blocks with formulae means that we construct maps

As in Algorithm 3.2, i indexes the loop iterations. For blocks B, S in the respective partitions, we denote by β_i(B) and δ_i(S) the corresponding certificates. We shall prove in Theorem 3.16 further below that the following invariants hold, which immediately imply correctness:

We construct β_i(B) and δ_i(S) iteratively, using certificates for the blocks S ⫋ B at every iteration:

Algorithm 3.15. We extend Algorithm 3.2 as follows. We add the initializations β_0({C}) := ⊤ and δ_0([x]_{P_0}) := ⌜F!(c(x))⌝ for every [x]_{P_0} ∈ C/P_0.
In the i-th iteration, we add the following assignments to steps (A2) and (A3), respectively. Upon termination, return δ_i.
As in Section 3.1, the only block of C/Q_0 has β_0({C}) = ⊤ as a certificate. The partition C/P_0 distinguishes by the 'output' F!(c(x)) ∈ F1 (e.g. final vs. non-final states of an automaton), and by Lemma 3.14, the certificate of [x]_{P_0} specifies precisely this output; in particular, δ_0([x]_{P_0}) is well-defined.
In the i-th iteration of the main loop, we have certificates δ_i(S) and β_i(B) for S ⫋ B in step (A1) satisfying (3.3), available from the previous iterations. In (A'2), the Boolean connectives describe how B is split into S and B \ S. In (A'3), new certificates are constructed for every predecessor block T ∈ C/P_i that is refined. If T does not change, then neither does its certificate. Otherwise, the block T = [x]_{P_i} is split in step (A3) into blocks of states agreeing on the value F χ^B_S(c(x)), which is reflected by the F3-modality ⌜F χ^B_S(c(x))⌝ as per Lemma 3.12.

Theorem 3.16. For every zippable functor F, Algorithm 3.15 is correct: the invariants in (3.3) hold. Thus, upon termination, δ_i assigns certificates to each block of C/∼ = C/P_i.
Proof. (1) We first observe that given x ∈ C, S ⊆ B ⊆ C, and certificates ϕ_S and ϕ_B of S and B, respectively, we have:

where the first equation uses Lemma 3.12 and the second one holds because ⟦ϕ_B⟧ = B and ⟦ϕ_S⟧ = S.
• In the base case i = 0, we have ⟦β_0({C})⟧ = ⟦⊤⟧ = C for the only block in C/Q_0. Since P_0 = ker(F! · c), δ_0 is well-defined, and by Lemma 3.14 we have

• The inductive hypothesis states (3.3) for i. We prove that β_{i+1} is correct:

For δ_{i+1}, we compute as follows:

The assumption of zippability is used in the correctness of the underlying partition refinement algorithm. For the construction of certificates, this assumption translates into the ability to describe certificates using only a conjunction of F3-modalities in (A'3). As a consequence, we obtain a Hennessy-Milner-type property of our F3-modal formulae:

Corollary 3.17. For zippable F, states x, y in a finite F-coalgebra are behaviourally equivalent iff they agree on all F3-modal formulae.
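For intuition, the interplay between splitting and certificate construction can be illustrated by a deliberately naive Python sketch for plain transition systems. This is NOT the quasilinear Algorithm 3.15: it refines blocks by successor signatures with respect to the whole current partition and appends one conjunct per genuine split; the tuple encoding of formulae is our own.

```python
def naive_certificates(states, succ):
    """Naive fixpoint computation (quadratic, not Algorithm 3.15): refine the
    partition of a transition system by successor signatures and, on every
    split, extend the certificates of the resulting blocks by one conjunct.
    A conjunct ("pattern", s) stands for 'the successors hit exactly the
    blocks whose certificates are in s'."""
    part = {frozenset(states)}
    cert = {frozenset(states): ("top",)}
    while True:
        block_of = {x: b for b in part for x in b}
        def sig(x):  # which block-certificates the successors of x reach
            return frozenset(cert[block_of[y]] for y in succ[x])
        new_part, new_cert = set(), {}
        for b in part:
            groups = {}
            for x in b:
                groups.setdefault(sig(x), set()).add(x)
            for s, g in groups.items():
                g = frozenset(g)
                new_part.add(g)
                # unchanged blocks keep their certificate (cf. step (A'3))
                new_cert[g] = ("and", cert[b], ("pattern", s)) if len(groups) > 1 else cert[b]
        if new_part == part:
            return part, cert
        part, cert = new_part, new_cert

# two bisimilar pairs: a ~ c (each steps into a deadlock), b ~ d (deadlocks)
part, cert = naive_certificates(["a", "b", "c", "d"],
                                {"a": ["b"], "b": [], "c": ["d"], "d": []})
print(len(part))  # 2
```

Upon stabilization, states carry the same certificate iff they are bisimilar, mirroring Corollary 3.17 on this special case.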
Construction 3.18. Given a coalgebra c : C → F C and states x, y ∈ C, a smaller formula distinguishing the state x from the state y can be extracted from the certificates of the behavioural equivalence classes of x and y in time O(|C|): it is the leftmost conjunct that differs between the respective certificates of x and y. In other words, it is the subformula starting at the modal operator introduced in δ_i for the least i with (x, y) ∉ P_i; hence, x satisfies ⌜t⌝(δ, β) but y satisfies ⌜t′⌝(δ, β) for some t′ ≠ t in F3.
Hence, when only a distinguishing formula for the states x, y is of interest, it suffices to run the algorithm until x is split from y; the distinguishing formula is then the conjunct added in step (A'3). This leads to earlier termination in practice but does not change the run time complexity in O-notation.
Proposition 3.19. Construction 3.18 correctly extracts a formula distinguishing x from y.
Proof. In order to verify that the first differing conjunct is a distinguishing formula, we distinguish cases on the least i such that (x, y) ∉ P_i. If x and y are already split by P_0, then the conjunct at index 0 in the respective certificates of [x]_∼ and [y]_∼ differs, and we have t = F!(c(x)) and t′ = F!(c(y)). By Lemma 3.14, ⌜t⌝ distinguishes x from y (and ⌜t′⌝ distinguishes y from x).
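Assuming certificates are kept as lists of conjuncts ordered by the iteration that introduced them (a hypothetical encoding of ours), Construction 3.18 amounts to a single linear scan:

```python
def first_differing_conjunct(cert_x, cert_y):
    """Return the leftmost conjunct of cert_x that differs from the conjunct
    at the same position in cert_y; None if the certificates coincide."""
    for cx, cy in zip(cert_x, cert_y):
        if cx != cy:
            return cx  # x satisfies cx; y satisfies the differing conjunct cy
    return None        # identical certificates: x and y are equivalent

cert_x = [("output", "live"), ("mod", "t", 1, 2), ("mod", "u", 3, 4)]
cert_y = [("output", "live"), ("mod", "t'", 1, 2)]
print(first_differing_conjunct(cert_x, cert_y))  # ('mod', 't', 1, 2)
```

Since certificates have at most |C| conjuncts, the scan runs in time O(|C|), as claimed.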

3.5. Complexity Analysis.
The operations introduced by Algorithm 3.15 can be implemented with only constant run time overhead. To this end, one implements β and δ as arrays of formulae of length |C| (note that at any point, there are at most |C|-many blocks). In the refinable-partition data structure [VL08], every block has an index (a natural number), and there is an array of length |C| mapping every state x ∈ C to the block containing it. Hence, for both partitions C/P and C/Q, one can look up a state's block and a block's certificate in constant time.
It is very likely that a certificate contains a particular subformula multiple times and that certificates of different blocks share common subformulae. For example, every certificate of a block refined in the i-th iteration using S ⫋ B contains the subformulae δ_i(S) and β_i(B). Therefore, it is advantageous to represent all certificates constructed as one directed acyclic graph (dag), with inner nodes labelled by either a modal operator or conjunction and having precisely two outgoing edges, and leaf nodes labelled by either ⊤ or a nullary modal operator. Moreover, edges carry a binary flag indicating whether they represent negation (¬). Initially, there is only one (leaf) node, representing ⊤, and the operations of Algorithm 3.15 allocate new nodes and update the arrays for β and δ to point to the right nodes. For example, if the predecessor block T ∈ C/P_i is refined in step (A'3), yielding a new block [x]_{P_{i+1}}, then a new node labelled ∧ is allocated, with edges to the node δ_i(T) and to another new node labelled ⌜F χ^B_S(c(x))⌝, which in turn has edges to the nodes δ_i(S) and β_i(B).

For purposes of estimating the size of formulae generated by the algorithm, we use a notion of transition in coalgebras, inspired by the notion of canonical graph [Gum05].

Definition 3.20. For states x, y in an F-coalgebra (C, c), we say that there is a transition x → y if c(x) ∈ F C is not in the image F i[F(C \ {y})] (⊆ F C), where i : C \ {y} ↣ C is the inclusion map.
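A possible (purely illustrative) encoding of the formula dag: nodes live in an append-only array and certificates are node indices, so shared subformulae such as δ_i(S) and β_i(B) are stored exactly once.

```python
class FormulaDag:
    """Append-only dag of formula nodes; a certificate is a node index.
    The concrete tuple payloads are our own illustrative encoding."""
    def __init__(self):
        self.nodes = [("top",)]        # node 0 represents the formula T (top)
    def add(self, payload):
        self.nodes.append(payload)
        return len(self.nodes) - 1
    def conj(self, left, right, negate_right=False):
        return self.add(("and", left, right, negate_right))
    def modal(self, t, delta, beta):   # binary modality indexed by t in F3
        return self.add(("mod", t, delta, beta))

dag, TOP = FormulaDag(), 0
delta_S = dag.modal(frozenset({2}), TOP, TOP)  # some certificate for S
beta_B = TOP                                   # certificate for B
# step (A'2): beta(B \ S) = beta(B) AND NOT delta(S) -- one new node
beta_BmS = dag.conj(beta_B, delta_S, negate_right=True)
# step (A'3): two refined predecessor blocks share delta_S and beta_B
cert1 = dag.conj(TOP, dag.modal(frozenset({1, 2}), delta_S, beta_B))
cert2 = dag.conj(TOP, dag.modal(frozenset({1}), delta_S, beta_B))
print(len(dag.nodes))  # 7: sharing keeps the dag small
```

Every operation allocates at most two nodes, matching the constant-overhead claim of the analysis below.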
Theorem 3.21. For a coalgebra with n states and m transitions, the formula dag constructed by Algorithm 3.15 has at most 2 · m · (log₂ n + 1) + 2 · n nodes, each with outdegree ≤ 2, and a height of at most n + 1. Hence, the dag size is in O(m · log₂ n + n).
Before proving Theorem 3.21, we need to establish a sequence of lemmas on the underlying partition refinement algorithm.Recall from Remark 2.6(2) that we may assume that F preserves finite intersections by working with its Trnková hull instead.
Let (C, c) be a coalgebra for F. For T, S ⊆ C, we define a binary relation → on P(C) by

In other words, we write T → S if there is a transition from some state of T to some state of S. Also, we define the set pred(S) of predecessor states of a set S as

Lemma 3.22. For every F-coalgebra (C, c), x ∈ C, and S ⊆ B ⊆ C with S finite, we have

Proof. For every y ∈ S, we have that x ̸→ y. Hence, for every y ∈ S, there exists t_y ∈ F(C \ {y}) with F i_y(t_y) = c(x), where i_y : C \ {y} ↣ C denotes the inclusion. The set C \ S is the intersection of all sets C \ {y} with y ∈ S:

Since F preserves finite intersections and S is finite, we have that

Since c(x) ∈ F C is contained in every F(C \ {y}) (as witnessed by t_y), it is also contained in their intersection. That is, for the inclusion map m : C \ S ↣ C, there is t′ ∈ F(C \ S) such that F m(t′) = c(x). Now consider the following diagrams:

The classical Paige-Tarjan algorithm maintains the invariant that the partition P_i is stable [PT87], meaning that for all states (x, x′) ∈ P_i in the same block, either both of x, x′ or neither of them have a transition to a given block in C/Q_i. In terms of the characteristic functions χ^B_∅, and for general F, this can be rephrased as follows.

Lemma 3.23. For all (x, x′) ∈ P_i and B ∈ C/Q_i in Algorithm 3.2, we have

One can show [WDMS20, Prop. 4.12] that in every iteration i we have a map c_i as below, where the maps [−]_{P_i}, [−]_{Q_i} send elements of C to their equivalence classes (Notation 2.1). The map χ^B_∅ : C → 3 for B ∈ C/Q_i can be decomposed as follows:

Combining these two diagrams, we obtain

Since [x]_{P_i} = [x′]_{P_i} for all (x, x′) ∈ P_i, we conclude that

Combining the previous two lemmas, we obtain that in the refinement step for S ⫋ B, only predecessor blocks of S need to be adjusted in (A3), so that only the formulae for these blocks need to be updated:

Lemma 3.24. For S ⫋ B ∈ C/Q_i in the i-th iteration of Algorithm 3.2, a block T ∈ C/P_i with no edge to S is not modified; in symbols: for all T ∈ C/P_i,
Proof. Since T ̸→ S, we have {x} ̸→ S and {x′} ̸→ S for all x, x′ ∈ T. Thus,

The above lemma shows that the number of blocks T that are split is bounded by the number of predecessor blocks of the state set S. Since most of the resulting smaller blocks T′ in the new partition C/P_{i+1} must have an edge to S, the number of these new blocks is also bounded, essentially by the number of predecessors of S, as we show next:

Lemma 3.25. For S ⊆ C and finite C in the i-th iteration of Algorithm 3.2,

Proof. Let S ⫋ B ∈ C/Q_i be used for splitting in iteration i. If T′ ∈ C/P_{i+1} and T′ ∉ C/P_i, then the block T ∈ C/P_i with T′ ⊆ T satisfies T ∉ C/P_{i+1} and therefore, by Lemma 3.24, has a transition to S. By finiteness of C, T is split into finitely many blocks T_1, ..., T_k ∈ C/P_{i+1}, representing the equivalence classes of the kernel of F χ^B_S · c : C → F3. By Lemma 3.22 we know that if x ∈ T has no transition to S, then F χ^B_S(c(x)) = F χ^B_∅(c(x)). Moreover, all elements of T ∈ C/P_i are sent to the same value by F χ^B_∅ · c (Lemma 3.23). Hence, there is at most one block T_j with no transition to S, and all other blocks T_{j′}, j′ ≠ j, have transitions to S. Therefore, the number k of blocks T_j is at most |T ∩ pred(S)| + 1. Summing over all predecessor blocks T of S, we obtain the claimed bound.

We can now bound the total number of blocks that exist at some point during the execution of the partition refinement algorithm:

Lemma 3.26. Given an input coalgebra (C, c) with n = |C| states and m transitions, the following holds throughout the execution of Algorithm 3.2:

Note that the proof is similar to arguments given in the complexity analysis of the Paige-Tarjan algorithm (cf. [PT87, p. 980]).
Proof. Since |S| ≤ |B|/2 holds in step (A1) of Algorithm 3.2, one can show that every state x ∈ C is contained in the set S picked in step (A1) in at most log₂(n) + 1 iterations [WDMS20, Lem. 7.15]. More formally, let S_i ⫋ B_i ∈ C/Q_i be the blocks picked in the i-th iteration of Algorithm 3.2. Then we have

Let the algorithm terminate after ℓ iterations, returning C/P_ℓ. Then the number of new blocks introduced by step (A3) is bounded as follows:

The only blocks we have not counted so far are the blocks of C/P_0.

Every block in the final or intermediate partitions C/P_i corresponds to a certificate that is constructed at some point. Hence, the bound on the number of blocks is also a bound on the dag size of formulae created by Algorithm 3.15.
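The halving argument behind this bound can be sketched as follows (our phrasing of [WDMS20, Lem. 7.15]): if x lies in the chosen subblocks S_{i_1}, S_{i_2}, ... with i_1 < i_2 < ..., then each later compound block containing x is contained in the subblock chosen before, so

```latex
|S_{i_{k+1}}| \;\le\; \tfrac{1}{2}\,|B_{i_{k+1}}| \;\le\; \tfrac{1}{2}\,|S_{i_k}|,
\qquad\text{hence}\qquad
|S_{i_k}| \;\le\; \frac{n}{2^k}.
```

Since |S_{i_k}| ≥ 1, there can be at most log₂(n) + 1 such indices k.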
Proof of Theorem 3.21. Regarding the height of the dag, it is immediate that the heights of δ_i and β_i increase by at most one per iteration, and there are at most n iterations; hence the height is at most n + 1.
In Algorithm 3.15, we create a new modal operator in the dag whenever Algorithm 3.2 creates a new block in C/P_i (either at initialization or in step (A'3)). By Lemma 3.26, the number of modalities in the dag is thus bounded accordingly. In every iteration of the main loop, β is extended by two new formulae, one for S and one for B \ S. The formula β_{i+1}(S) does not increase the size of the dag, because no new node needs to be allocated. For β_{i+1}(B \ S), we need to allocate one new node for the conjunction, so at most n such new nodes are allocated throughout the execution of the whole algorithm. Thus, the total number of nodes in the dag is bounded as claimed, and each node has an outdegree of at most 2 by construction.
Theorem 3.27. Algorithm 3.15 adds only constant run time overhead per step of Algorithm 3.2, and thus has the same asymptotic run time as Algorithm 3.2.
Like for the run time analysis of the underlying Algorithm 3.2, we assume that the memory model supports random access, i.e. array access runs in constant time.
Proof. The arrays for β and δ are re-used in every iteration. Hence, the index i can be neglected; it is only used to refer to a value before or after the loop iteration. The analysis then proceeds as follows:

(1) Initialization step:
• The only block {C} in C/Q_0 has index 0, and so we make β(0) point to the node ⊤, which takes constant time.
• For every block T in C/P_0, Algorithm 3.2 has computed F!(c(x)) ∈ F1 for some (in fact, every) x ∈ T. Since F1 canonically embeds into F3 (Notation 3.13), we create a new node labelled ⌜F j_1(F!(c(x)))⌝ with two edges to ⊤. For every T ∈ C/P_0, this runs in constant time, which we attribute to the step in which Algorithm 3.2 creates T.
(2) In the refinement step, we can look up the certificates δ_i(S) and β_i(B) in constant time using the indices of the blocks S and B. Whenever the original algorithm creates a new block, we also immediately construct the certificate of this new block by creating at most two new nodes in the dag (with at most four outgoing edges). However, if a block does not change, then the corresponding certificate is not changed in step (A'2) or step (A'3), respectively.
In the loop body we update the certificates as follows: (A'2) The new block S ∈ C/Q_{i+1} just points to the certificate δ_i(S) constructed earlier.
For the new block (B \ S) ∈ C/Q_{i+1}, we allocate a new node ∧, with one edge to β_i(B) and one negated edge to δ_i(S).
(A'3) Not all resulting blocks have a transition to S: there may be (at most) one new block T′ ∈ C/P_{i+1}, T′ ⊆ T, with no transition to S (see the proof of Lemma 3.25). In the refinable-partition structure, such a block inherits the index from T (i.e. the index of T in C/P_i equals the index of T′ in C/P_{i+1}). Moreover, every x ∈ T′ satisfies F χ^B_S(c(x)) = F χ^B_∅(c(x)) (by Lemma 3.22), and F χ^B_∅(c(x)) = F χ^B_∅(c(y)) for every y ∈ T (by Lemma 3.23). Now, one first saves the node of the certificate δ_i(T) in some variable δ′, say. Then the array δ is updated at index T by the corresponding formula for an arbitrary y ∈ T.
Consequently, a block T′ inheriting the index of T automatically has the correct certificate. The allocation of nodes for this formula is completely analogous to that for an ordinary block [x]_{P_{i+1}} ⫋ T having edges to S: one allocates a new node labelled ∧ with edges to the saved node δ′ (the original value of δ_i(T)) and to another newly allocated node labelled ⌜F χ^B_S(c(x))⌝ with edges to the nodes δ_i(S) and β_i(B).

In order to keep the formula size smaller, one can implement the following optimization. Intuitively, note that for S ∈ C/P_i and B ∈ C/Q_i with S ⊆ B ⊆ C, every conjunct of β_i(B) is also a conjunct of δ_i(S). In β_i(B) ∧ ¬δ_i(S), one can hence remove all conjuncts of β_i(B) from δ_i(S), obtaining a formula δ′, and then equivalently use β_i(B) ∧ ¬δ′ in the definition of β_{i+1}(D).
Proposition 3.28. In step (A'2), β_{i+1}(D) can be simplified to be no larger than δ_i(S) without increasing the overall run time.
Proof. Mark every modal operator node ⌜t⌝(δ, β) in the formula dag with a Boolean flag expressing whether ⌜t⌝(δ, β) is a conjunct of some β_i-formula. Thus, every new modal operator in (A'3) is initially marked 'false'. When the block B in C/Q_i is split into S and B \ S in step (A'2), the formula for the block B \ S is the conjunction of β_i(B) and the negations of all conjuncts of δ_i(S) marked 'false'. Afterwards, these conjuncts are all marked 'true', because they are inherited by β_{i+1}(S). The conjuncts marked 'false' always form a prefix of the conjuncts of a formula in δ_i. It therefore suffices to greedily take conjuncts from the root of a formula dag while they are marked 'false'.
As a consequence, step (A'2) no longer runs in constant time but instead takes as many steps as there are conjuncts marked 'false' in δ_i(S). However, over the whole execution of the algorithm this cost amortizes, because every newly allocated modal operator is initially marked 'false' and later marked 'true' precisely once. Thus, in the analysis conducted in the proof of Theorem 3.27, the additional run time can be neglected asymptotically.
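The amortization argument can be sketched in a few lines of Python (an illustrative encoding of ours, with conjunct spines represented as lists, newest conjunct first):

```python
class Conjunct:
    """A modal-operator conjunct carrying the Boolean flag from the proof of
    Proposition 3.28."""
    def __init__(self, label):
        self.label = label
        self.in_beta = False  # set once the conjunct is inherited by a beta-formula

def take_false_prefix(conjuncts):
    """Greedily collect conjuncts while marked 'false', marking them 'true'.
    Each conjunct is marked at most once over the whole run, so the extra
    work amortizes to O(1) per allocated modal operator."""
    taken = []
    for c in conjuncts:
        if c.in_beta:
            break
        c.in_beta = True
        taken.append(c)
    return taken

spine = [Conjunct("m3"), Conjunct("m2"), Conjunct("m1")]  # newest first
print([c.label for c in take_false_prefix(spine)])                     # ['m3', 'm2', 'm1']
print([c.label for c in take_false_prefix([Conjunct("m4")] + spine)])  # ['m4']
```

The second call stops at the first already-marked conjunct, which is exactly the prefix property used in the proof.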
For a tighter run time analysis of the underlying partition refinement algorithm, one additionally requires that F is equipped with a refinement interface [WDMS20, Def. 6.4], which is based on a given encoding of F-coalgebras in terms of edges between states (encodings serve only as data structures and have no direct semantic meaning; in particular, they do not entail a semantic reduction to relational structures). This notion of edge yields the same numbers (in O-notation) as Definition 3.20 for all functors considered. All zippable functors we consider here have refinement interfaces [WDMS20, WDMS21]. In the presence of a refinement interface, step (A3) can be implemented efficiently, with resulting overall run time O((m + n) · log n · p(c)), where n = |C|, m is the number of edges in the encoding of the input coalgebra (C, c), and the run-time factor p(c) is associated with the refinement interface. In most instances, e.g. for P and R^(−), one has p(c) = 1; in particular, the generic algorithm has the same run time as the Paige-Tarjan algorithm. Usually, the challenge is less to find some refinement interface for a functor F and more to find one with low run time, i.e. low p(c). For example, for general monoid-valued functors F X = M^(X), the refinement interface uses binary search trees as additional data structures, resulting in an additional logarithmic factor p(c) = log m [WDMS21].
Remark 3.29. The claimed run time relies on close attention to a number of implementation details. This includes use of an efficient data structure for the partition C/P_i [Knu01, VL08]; the other partition C/Q_i is only represented implicitly, in terms of a queue of blocks S ⫋ B witnessing P_i ⫋ Q_i, requiring additional care when splitting blocks in the queue [VF10, Fig. 3]. Moreover, grouping the elements of a block by F3 involves the consideration of a possible majority candidate [VF10].
Theorem 3.30. For a zippable set functor with a refinement interface with factor p(c) and an input coalgebra with n states and m transitions, Algorithm 3.15 runs in time O((m + n) · log n · p(c)). Indeed, this time bound holds for the underlying Algorithm 3.2, and it is inherited by Algorithm 3.15 due to Theorem 3.27.
If the functor F satisfies additional assumptions, we can simplify the certificates even further, as discussed next.

Cancellative Functors
Our use of binary modalities relates to the fact that, as observed already by Paige and Tarjan, when splitting a block according to an existing partition of a block B into S ⊆ B and B \ S, it is in general not sufficient to look only at the successors in S. However, this does suffice for some transition types: e.g. Hopcroft's algorithm for deterministic automata [Hop71] and Valmari and Franceschinis' algorithm for weighted systems (e.g. Markov chains) [VF10] both split only with respect to S. In the following, we exhibit a criterion on the level of functors that captures when splitting w.r.t. only S is sufficient:

Definition 4.1. A set functor F is cancellative if the map ⟨F χ_{1,2}, F χ_{2}⟩ : F3 → F2 × F2 is injective.

To understand the role of the above map, recall the function χ^B_S : C → 3 from (3.2) and note that the composite ⟨F χ_{1,2}, F χ_{2}⟩ · F χ^B_S yields information about the accumulated transition weights into B and S, but not about the one into B \ S. The injectivity condition means that for cancellative functors, this information suffices in the splitting step for S ⊆ B ⊆ C. The term cancellative stems from the respective property on monoids; recall that a monoid M is cancellative if a + c = b + c implies a = b for all a, b, c ∈ M.

4.1. Properties of Cancellative Functors. Before presenting the optimized algorithm, we gather properties of cancellative functors and compare them to zippability and related notions, starting with the property that gave cancellative functors their name.
Proposition 4.2. The monoid-valued functor M^(−) for a commutative monoid M is cancellative if and only if M is a cancellative monoid.
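Proposition 4.2 can be checked by brute force for small monoids: for M^(−), the functor sums weights over fibres, so ⟨M^(χ_{1,2}), M^(χ_{2})⟩ sends (m0, m1, m2) to ((m0, m1+m2), (m0+m1, m2)). The Python sketch below (our own, illustrative) tests injectivity of this map on M^3.

```python
from itertools import product

def pairing_injective(elems, add):
    """Brute-force check whether <M^(chi_{1,2}), M^(chi_2)> is injective on
    M^(3), i.e. whether (m0, m1, m2) |-> (m0, m1+m2, m0+m1, m2) is injective."""
    seen = {}
    for m in product(elems, repeat=3):
        m0, m1, m2 = m
        key = (m0, add(m1, m2), add(m0, m1), m2)
        if key in seen and seen[key] != m:
            return False
        seen[key] = m
    return True

print(pairing_injective([0, 1], lambda a, b: (a + b) % 2))  # True:  Z_2 is cancellative
print(pairing_injective([0, 1], max))                       # False: ({0,1}, or) is not
```

This matches the proposition: from m1 + m2 and m2, the summand m1 can be recovered precisely when M is cancellative.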
As a consequence of the following closure properties, all signature functors are cancellative.

Proposition 4.4. The class of cancellative functors contains the identity functor and all constant functors, and is closed under subfunctors, products, and coproducts.

Proof.
(2) For the constant functor C_X with value X, the map C_X(χ_S) is the identity on X for every set S. Therefore, C_X is cancellative.
(3) Let α : F ↣ G be a natural transformation with injective components, and let G be cancellative. Combining the naturality squares of α for χ_{1,2} and χ_{2}, we obtain a commutative square in which the composite F3 → G2 × G2 is injective by hypothesis. Hence, ⟨F χ_{1,2}, F χ_{2}⟩ is injective as well, showing that the subfunctor F is cancellative.

(4) Let (F_i)_{i∈I} be a family of cancellative functors, and suppose that we have elements s, t ∈ (∏_{i∈I} F_i)3 that are identified by ⟨F χ_{1,2}, F χ_{2}⟩, where F = ∏_{i∈I} F_i. Write pr_i for the i-th projection function from the product. The projections commute with the pairing, and since every F_i is cancellative, we obtain pr_i(s) = pr_i(t) for every i ∈ I. This implies s = t, since the product projections (pr_i)_{i∈I} are jointly injective.
(5) Again, let (F_i)_{i∈I} be a family of cancellative functors, and suppose that we have elements s, t ∈ (∐_{i∈I} F_i)3 that are identified by ⟨F χ_{1,2}, F χ_{2}⟩. This implies that there exist i ∈ I and s′, t′ ∈ F_i 3 with s = in_i(s′), t = in_i(t′), and ⟨F_i χ_{1,2}, F_i χ_{2}⟩(s′) = ⟨F_i χ_{1,2}, F_i χ_{2}⟩(t′). Since F_i is cancellative, we have s′ = t′, which implies s = t.
A consequence of closure under subfunctors is that, for example, D is cancellative, being a subfunctor of R^(−), whereas P is not, as we have already seen that its subfunctor P_f fails to be cancellative.
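The failure of cancellativity for the (finite) powerset functor has a small concrete witness, which can be found by brute force over P(3); the sketch below (our own) searches for two subsets identified by ⟨P χ_{1,2}, P χ_{2}⟩.

```python
from itertools import combinations

chi12 = {0: 0, 1: 1, 2: 1}   # chi_{1,2} : 3 -> 2
chi2  = {0: 0, 1: 0, 2: 1}   # chi_{2}   : 3 -> 2

def image(f, s):             # P f acts on subsets by taking images
    return frozenset(f[x] for x in s)

subsets = [frozenset(c) for r in range(4) for c in combinations(range(3), r)]
witness = [(tuple(sorted(s)), tuple(sorted(t))) for s in subsets for t in subsets
           if tuple(sorted(s)) < tuple(sorted(t))
           and (image(chi12, s), image(chi2, s)) == (image(chi12, t), image(chi2, t))]
print(witness)  # [((0, 1, 2), (0, 2))]
```

Indeed, {0, 2} and {0, 1, 2} have the same images under both characteristic maps, so ⟨P χ_{1,2}, P χ_{2}⟩ is not injective.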
Proposition 4.5. Cancellative functors are neither closed under quotients nor under composition. Zippability and cancellativity are independent properties.
Proof. Table 2 shows an overview of all counterexamples used in the present proof.
A concrete example of such a functor is given by the following assignment, which sends a map f : X → Y to the map F f : F X → F Y defined by

In related work, König et al. [KMMS20] construct distinguishing formulae in coalgebraic generality. Their assumption is a generalized version of zippability, where the binary coproduct is replaced with an m-ary coproduct for m ∈ N: F is m-zippable if the map unzip_m is injective. Explicitly, unzip_m is given as follows, where m denotes the set m = {1, ..., m} and the map ∆_{i,j} is defined by

Ordinary zippability is then equivalent to 2-zippability.
Proof. First, we show that for a zippable and cancellative set functor F, the map g_{A,B} below is injective for all sets A, B. Indeed, we have the following chain of injective maps, where the index at the 1 is only notation to distinguish coproduct components more easily:

Call this composite f. It factorizes through g_{A,B}, because it matches g_{A,B} on the components F(A + 1) and F(1 + B), and for the other components, one has the map

Since f is injective, g_{A,B} must be injective, too. Also note that, rewriting Definition 4.1 along the isomorphisms 1 + 1 + 1 ≅ 3 and 1 + 1 ≅ 2, we obtain that a functor F is cancellative iff the map ⟨F(1+!), F(!+1)⟩ : F(1 + 1 + 1) → F(1 + 1) × F(1 + 1) (where ! : 1 + 1 → 1) is injective.
We now proceed with the proof of the desired implication by induction on m. In the base cases m = 0 and m = 1, there is nothing to show because every functor is 0- and 1-zippable, and for m = 2, the implication is trivial (zippability coincides with 2-zippability by definition). In the inductive step, given that F is 2-zippable, m-zippable (m ≥ 2), and cancellative, we show that F is (m + 1)-zippable.
We have the following chain of injective maps, where we again annotate some of the singleton sets 1 with indices to indicate from which coproduct components they come (using the injective helper map g from above). This composite is thus injective as well, and coincides with unzip_{m+1}, showing that F is (m + 1)-zippable.
The converse, however, does not hold: the finite powerset functor P_f is m-zippable for all m [KMMS20, Ex. 10, Lem. 14], but not cancellative, as we have seen.

4.2. Optimized Partition Refinement and Certificates. The optimization present in the algorithms for Markov chains [VF10] and automata [Hop71] can now be adapted to coalgebras for cancellative functors, where it suffices to split only according to transitions into S, ignoring transitions into B \ S. More formally, this means that we replace the three-valued χ^B_S : C → 3 with χ_S : C → 2 in the refinement step (A3):

Proposition 4.8. Let F be a cancellative set functor. For S ∈ C/P_i in the i-th iteration of Algorithm 3.2, we have

Proof. From the definition (2.1) of the kernel, we immediately obtain the following properties for all maps f, g : Y → Z and h : X → Y. Let B ∈ C/Q_i be the block that is split into S and B \ S in iteration i. Since P_i is finer than Q_i and B ∈ C/Q_i, we have P_i ⊆ Q_i ⊆ ker(F χ_B · c); thus:

The last step follows from P_{i+1} = P_i ∩ ker(F χ_S · c) (see Proposition 4.8).
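For a cancellative functor such as R^(−) (weighted systems), the optimized refinement step can thus group states by their accumulated weight into S alone; a minimal illustrative Python sketch (names are ours):

```python
from collections import defaultdict

def split_by_weight_into_S(block, weights, S):
    """Split a block of a weighted system using F chi_S : C -> 2 only,
    i.e. by the accumulated transition weight into S, ignoring B \\ S.
    This is sound precisely because R^(-) is cancellative."""
    groups = defaultdict(list)
    for x in block:
        w = sum(p for (y, p) in weights[x] if y in S)
        groups[w].append(x)
    return [g for _, g in sorted(groups.items())]

weights = {"x": [("a", 0.5), ("b", 0.5)], "y": [("a", 1.0)], "z": [("a", 0.5), ("c", 0.5)]}
print(split_by_weight_into_S(["x", "y", "z"], weights, {"a"}))  # [['x', 'z'], ['y']]
```

States x and z end up in the same subblock because they carry the same weight into S, regardless of where their remaining weight goes.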
The formulae resulting from the optimized construction involve only ∧, ⊤, and modalities from the set F2 (or F3 with the second parameter fixed to ⊤), which we term F2-modalities. Thus, the Hennessy-Milner theorem (Corollary 3.17) can be sharpened for cancellative functors as follows.
Corollary 4.16. For a zippable and cancellative set functor F, states in a finite F-coalgebra are behaviourally equivalent iff they agree on modal formulae built using ⊤, ∧, and unary F2-modalities.
The certificates thus computed are reduced to roughly half the size compared to those of Algorithm 3.15; the asymptotic run time and formula size (Section 3.5) remain unchanged.

Domain-Specific Certificates
On a given specific system type, one is typically interested in certificates and distinguishing formulae expressed via modalities whose use is established in the respective domain, e.g. □ and ♢ for transition systems. We next describe how the generic F3-modalities can be rewritten to domain-specific ones in a postprocessing step. The domain-specific modalities will not always be equivalent to F3-modalities, but still yield certificates.
Definition 5.1. The Boolean closure Λ̄ of a modal signature Λ has as n-ary modalities propositional combinations of atoms of the form ♡(i_1, ..., i_k), for ♡/k ∈ Λ, where i_1, ..., i_k are propositional combinations of elements of {1, ..., n}. Such a modality λ/n is interpreted by predicate liftings λ_X : (2^X)^n → 2^{F X}, defined inductively in the obvious way.
Definition 5.2. Given a modal signature Λ for a functor F, a domain-specific interpretation consists of functions τ : F1 → Λ̄ and λ : F3 → Λ̄, assigning to each o ∈ F1 a nullary modality τ_o and to each t ∈ F3 a binary modality λ_t, such that the predicate liftings satisfy the conditions displayed below. Thus, τ_o holds precisely at states with output behaviour o ∈ F1. Intuitively, λ_t(δ, ρ) describes the refinement step of a predecessor block T when splitting B := ⟦δ⟧ ∪ ⟦ρ⟧ into S := ⟦δ⟧ and B \ S := ⟦ρ⟧ (Figure 3), which translates into the arguments {2} and {1} of λ_t. In the refinement step, we know from previous iterations that all elements have the same behaviour w.r.t. B; this is reflected in the intersection with [t]_{F χ_{1,2}}. The given condition on λ_t thus guarantees that λ_t characterizes t ∈ F3 uniquely, but only within the equivalence class representing a predecessor block. Thus, λ_t can be much smaller than equivalents of ⌜t⌝ (cf. Example 3.11):

Example 5.3. We provide examples for set functors of interest; the verification that these are indeed domain-specific interpretations follows in Lemma 5.6 further below.
(4) For labelled Markov chains, i.e. F X = (DX + 1)^A, let Λ = {⟨a⟩_p/1 | a ∈ A, p ∈ [0, 1]}, where ⟨a⟩_p ϕ denotes that on input a, the next state satisfies ϕ with probability at least p, as in cited work by Desharnais et al. [DEP02]. This gives rise to the following interpretation:

To ease the verification of the requisite properties of interpretations, we now show that for cancellative F, domain-specific interpretations can be derived from a simpler kind of interpretation, one where the set F3 in Example 5.3 is replaced with F2.

Definition 5.4. Given a modal signature Λ for a functor F, a simple domain-specific interpretation consists of functions τ : F1 → Λ̄ and κ : F2 → Λ̄, assigning a nullary modality τ_o to each o ∈ F1 and a unary modality κ_s to each s ∈ F2, such that the predicate liftings (τ_o)_X ∈ 2^{F X} and (κ_s)_X : 2^X → 2^{F X} satisfy

Proposition 5.5. Let Λ be a modal signature for a cancellative functor F, and let (τ, κ) be a simple domain-specific interpretation. Define λ : F3 → Λ̄ by λ_t(δ, ρ) = κ_{F χ_{2}(t)}(δ). Then (τ, λ) is a domain-specific interpretation.

Proof. Given t ∈ F3, we put s = F χ_{2}(t) ∈ F2. We have to show that

By naturality of the predicate lifting κ_s, the following square commutes (recall that 2^(−) is contravariant): (5.1)

We thus have

= 2^{F χ_{2}}((κ_s)_2({1}))   (by (5.1))

For the last step, recall that ⟨F χ_{1,2}, F χ_{2}⟩ is injective because F is cancellative.
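The semantics of the domain-specific modalities ⟨a⟩_p for F X = (DX + 1)^A can be sketched in Python; the chain below is our own toy example (not Figure 2), and the dictionary encoding of coalgebras is an assumption of the sketch.

```python
def sat(formula, state, chain):
    """Evaluate formulae over labelled Markov chains, FX = (DX + 1)^A;
    chain maps a state to {action: {successor: probability}}."""
    kind = formula[0]
    if kind == "top":
        return True
    if kind == "and":
        return sat(formula[1], state, chain) and sat(formula[2], state, chain)
    if kind == "dia":  # ("dia", a, p, phi): on input a, reach phi with prob >= p
        _, a, p, phi = formula
        dist = chain[state].get(a)
        if dist is None:
            return False  # the '+1' case: no distribution for this action
        return sum(q for y, q in dist.items() if sat(phi, y, chain)) >= p

chain = {"x": {"a": {"u": 0.5, "v": 0.5}}, "y": {"a": {"v": 1.0}},
         "u": {"a": {"u": 1.0}}, "v": {}}
phi = ("dia", "a", 0.5, ("dia", "a", 1.0, ("top",)))
print(sat(phi, "x", chain), sat(phi, "y", chain))  # True False
```

Here ⟨a⟩_{0.5}⟨a⟩_1 ⊤ distinguishes x from y, in analogy to the formula ♢_{≥0.5}♢_{≥1}⊤ from the introduction.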

Figure 2. Example of a Markov chain

Table 1. Correspondence between properties of the functor and the monoid