Deciding All Behavioral Equivalences at Once: A Game for Linear-Time--Branching-Time Spectroscopy

We introduce a generalization of the bisimulation game that finds distinguishing Hennessy-Milner logic formulas from every finitary, subformula-closed language in van Glabbeek's linear-time--branching-time spectrum between two finite-state processes. We identify the relevant dimensions that measure expressive power to yield formulas belonging to the coarsest distinguishing behavioral preorders and equivalences; the compared processes are equivalent in each coarser behavioral equivalence from the spectrum. We prove that the induced algorithm can determine the best fit of (in)equivalences for a pair of processes.


Introduction
Have you ever looked at two system models and wondered what would be the finest notions of behavioral equivalence to equate them, or, conversely, the coarsest ones to distinguish them? We often run into this situation when analyzing models and, especially, when devising examples for teaching. We then find ourselves fiddling around with whiteboards and various tools, each implementing different equivalence checkers. Would it not be nice to decide all equivalences at once?

Example 1.1. Consider the CCS process P 1 = a.(b + c) + a.d, shown in Figure 1. It describes a machine that can be activated (a) and then either is in a state where one can choose from b and c or where it can only be deactivated again (d). P 1 shares a lot of properties with P 2 = a.(b + d) + a.(c + d). For example, they have the same traces (and the same completed traces). Thus, they are (completed) trace equivalent.
But they also have differences. For instance, P 1 has a run where it executes a and then cannot do d, while P 2 does not have such a run. Hence, they are not failure equivalent. Moreover, P 1 may perform a and then choose from b and c, and P 2 cannot. This renders the two processes also not simulation equivalent. Failure equivalence and simulation equivalence are incomparable, that is, neither one follows from the other one. Both are maximally coarse ways of telling the processes apart. Other inequivalences, like bisimulation inequivalence, are implied by both. Together, they make (completed) trace equivalence the finest notion to equate the processes.
In the following, we present a uniform game-based way of finding the most fitting notions of (in)equivalence for process pairs like in Example 1.1.
Our approach is based on the fact that notions of process equivalence can be characterized by two-player games. The defender's winning region in the game corresponds to pairs of equivalent states, and the attacker's winning strategies correspond to distinguishing formulas in Hennessy-Milner logic (HML).
Each notion of equivalence in van Glabbeek's famous linear-time-branching-time spectrum [vG90] can be characterized by a subset of HML with specific distinguishing power. Some of the notions are incomparable. So, often a process pair that is equivalent with respect to one equivalence is distinguished by a set of slightly coarser or incomparable equivalences, without any one of them alone being the coarsest way to distinguish the pair. As with the spectrum of light, where a mix of wavelengths appears to us as a color, there is a "mix" of distinguishing capabilities involved in establishing whether a specific equivalence is finest. We present an algorithm that is meant to analyze what is in the mix.
Contributions. More precisely, this paper makes the following contributions:
• We rechart the linear-time-branching-time spectrum of observation languages using "formula prices" that capture six dimensions of expressive capabilities used in HML formulas (Subsection 2.4).
• We introduce a special bisimulation game that neatly characterizes the distinguishing formulas of HML for pairs of states in finite transition systems (Subsection 3.2).
• We show how to enumerate the relevant distinguishing formulas using the attacker's winning region in this game (Subsection 3.5).
• We define an algorithm that constructs a finite set of distinguishing formulas guaranteed to contain observations of the weakest possible observation languages, which can be seen as a "spectroscopy" of the differences between two processes (Subsection 3.6).
• We present a small web tool that is able to run the algorithm on finite-state processes and output a visual representation of the results (Subsection 4.1). We also report on the distinctions it finds for all the finitary examples from the report version of the linear-time-branching-time spectrum [vG01].
• Additionally, we quickly report on a browser computer game based on the spectroscopy mechanics (Subsection 4.2).

In our examples, we use a small fragment of CCS to describe certain transition system states. This fragment is called BCCSP in [vG01]. It contains just action prefixing ($a.P$), summation ($P_1 + P_2$), and the completed process (0). (Note that LTSs are more powerful than the simple examples; in particular, our tool is also able to handle recursively defined CCS terms.) This fragment only needs two rules for its semantics: (1) $a.P \xrightarrow{a} P$ for P ∈ CCS and a ∈ Σ, and (2) $P_1 + P_2 \xrightarrow{a} P_i'$ if there is i ∈ {1, 2} such that $P_i \xrightarrow{a} P_i'$. Silently assuming commutativity and associativity, we sometimes write $P_1 + P_2 + \dots + P_n$.
Hennessy-Milner logic [HM80] describes observations (or "tests") on such a system. Intuitively, a ϕ means that one can observe a system transition labeled by a and then continue to make observation(s) ϕ. Conjunction and negation work as known from propositional logic. So, a ¬ d T can be read as "one can observe a in such a way that afterwards one cannot observe a d." We will provide a common game semantics for HML in the following subsection.
We often write {ϕ 0 , ϕ 1 , . . . } for i∈I ϕ i . T denotes ∅, the nil-element of the syntax tree, and a is a short-hand for a T. We also implicitly assume that formulas are flattened in the sense that conjunctions do not contain other conjunctions as immediate subformulas. We will sometimes talk about the syntax tree height of a formula and consider the height of T to equal 0.
In principle, Definition 2.2 can also be read to be infinitary with respect to branching degree or recursion depth. Allowing infinite index sets I enables formulas like n∈N a n , "one can observe an arbitrary number of as." A coinductive reading makes formulas like a ω , "one can observe an infinite sequence of as," possible. Note that the formulas both have infinite height. Obviously, this might add a lot of expressiveness to HML. For the scope of this paper, we are concerned with finite formulas only. The prices we are going to define do not distinguish properly between different infinitely branching or infinitely deep formulas.
2.2. Game Semantics of HML. Let us fix some notions for Gale-Stewart-style reachability games where the defender wins all infinite plays. ⊆ G × G, and • an initial position g 0 ∈ G.
Definition 2.4 (Plays and wins). We call the paths g 0 g 1 . . . ∈ G ∞ with g i g i+1 plays of G[g 0 ]. They may be finite or infinite. The defender wins infinite plays. If a finite play g 0 . . . g n is stuck, the stuck player loses: The defender wins if g n ∈ G a , and the attacker wins if g n ∈ G d .
Definition 2.5 (Strategies and winning strategies). A (positional, non-deterministic) attacker strategy is a subset of the moves starting in attacker states, F ⊆ (G a × G) ∩ . Similarly, a defender strategy is a subset of the moves starting in defender states, F ⊆ (G d × G) ∩ . If (fairly) picking elements of strategy F ensures a player to win, F is called a winning strategy for this player. The player with a winning strategy for G[g 0 ] is said to win G[g 0 ]. If F is a function on G a or G d , respectively, we call it a deterministic strategy.
The games we use in this paper essentially are parity games only colored by 0. So they are positionally determined. This means, for each possible initial position, exactly one of the two players has a positional deterministic winning strategy F . We call this partitioning of the game positions the winning regions.
Definition 2.6 (Winning regions). The set W a ⊆ G of all positions g where the attacker wins G[g] is called the attacker winning region. (The defender winning region W d is defined analogously.)

It is well-known that winning regions of finite reachability games can be computed in linear time of the number of game moves. (An algorithm for this is discussed in Subsection 3.4.) This is why the spectroscopy game that we introduce in Subsection 3.2 can easily be used in algorithms. It derives from the following semantics game for HML, where the defender tries to prove a formula and the attacker tries to falsify it.

Definition 2.7 (HML game). For a transition system S = (P, Σ, − →), the HML game , where the defender controls observations and negated conjunctions, that is (p, a ϕ) ∈ G d and (p, ¬ i∈I ϕ i ) ∈ G d (for all ϕ, p, I), and the attacker controls the rest.
• The defender can perform the moves: • and the attacker can move: Like in other logical games in the Ehrenfeucht-Fraïssé tradition, the attacker plays the conjunctions and universal quantifiers, whereas the defender plays the disjunctions and existential quantifiers. For instance, (p, a ϕ) is declared as defender position, since a ϕ is meant to become true precisely if there exists a state p reachable p a − → p where ϕ is true. As every move strictly reduces the height of the formula, the game must be finite-depth (and cycle-free) for finite-height formulas, and, for image-finite systems and formulas, also finite. It is determined and the following semantics is total.
Definition 2.8 (HML semantics). For a transition system S, the semantics of HML is given by defining that ϕ is true at p in S, written ϕ S p , iff the defender wins G S HML [(p, ϕ)].
Example 2.9. Continuing Example 1.1, a ¬ d CCS P 2 is false: No matter whether the defender plays to (b + d, ¬ d ) or to (c + d, ¬ d ), the attacker wins by moving to the stuck defender position (0, ¬T). (Recall that T is the empty conjunction.)

2.3. The Spectrum of Behavioral Equivalences. For different theoretical and practical applications, a universe of notions of behavioral equivalence has been developed. Those equivalences are often defined in terms of relations on transition system state spaces or sets of executions. For the purpose of our paper, we rather focus on the correspondence between HML observation languages and notions of behavioral equivalence. In this framework, equivalence of processes means that the same observations are true for them.
Definition 2.10 (Distinguishing formula). A formula ϕ distinguishes state p from q iff ϕ p is true and ϕ q is not.

Example 2.11. The formula a ¬ d distinguishes P 1 from P 2 in Example 1.1 (but not the other way around). The formula a { b , d } distinguishes P 2 from P 1 .
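The claims of Examples 1.1, 2.9 and 2.11 can be checked mechanically. The following added example (not code from the paper or its tool) evaluates formulas by playing the HML game on a hand-written LTS for P 1 and P 2. The tuple encoding of formulas, the state names and the concrete move rules are assumptions of this sketch; the move rules are the usual ones for such a semantic game and agree with the controller assignment of Definition 2.7.

```python
# Formula encoding (assumed for this sketch, not the paper's notation):
#   ("obs", a, phi)      observe action a, then continue with phi
#   ("and", (phi, ...))  conjunction; T is the empty conjunction
#   ("not", phi)         negation
T = ("and", ())

# Constructed LTS for P1 = a.(b + c) + a.d and P2 = a.(b + d) + a.(c + d),
# derived by hand from the two BCCSP rules. State names are just labels.
LTS = {
    "P1": [("a", "b+c"), ("a", "d")],
    "P2": [("a", "b+d"), ("a", "c+d")],
    "b+c": [("b", "0"), ("c", "0")],
    "b+d": [("b", "0"), ("d", "0")],
    "c+d": [("c", "0"), ("d", "0")],
    "d": [("d", "0")],
    "0": [],
}


def game_moves(lts, p, phi):
    """Return (owner, successors) of HML game position (p, phi).

    The defender owns observations and negated conjunctions, the attacker
    owns the rest (conjunctions, negated observations, double negations).
    """
    kind = phi[0]
    if kind == "obs":
        _, action, sub = phi
        return "defender", [(p2, sub) for a, p2 in lts[p] if a == action]
    if kind == "and":
        return "attacker", [(p, conjunct) for conjunct in phi[1]]
    inner = phi[1]  # phi is a negation
    if inner[0] == "obs":
        _, action, sub = inner
        return "attacker", [(p2, ("not", sub)) for a, p2 in lts[p] if a == action]
    if inner[0] == "and":
        return "defender", [(p, ("not", conjunct)) for conjunct in inner[1]]
    return "attacker", [(p, inner[1])]  # double negation cancels out


def defender_wins(lts, p, phi):
    """phi is true at p iff the defender wins from (p, phi).

    Every move shrinks the formula, so the recursion terminates.
    A stuck player loses: any([]) is False, all([]) is True.
    """
    owner, successors = game_moves(lts, p, phi)
    results = (defender_wins(lts, p2, phi2) for p2, phi2 in successors)
    return any(results) if owner == "defender" else all(results)


def distinguishes(lts, phi, p, q):
    """Definition 2.10: phi is true at p and not true at q."""
    return defender_wins(lts, p, phi) and not defender_wins(lts, q, phi)


def traces(lts, p):
    """All finite traces from p (terminates because this LTS is acyclic)."""
    result = {()}
    for action, p2 in lts[p]:
        result |= {(action,) + rest for rest in traces(lts, p2)}
    return result


# "a, then d is impossible" and "a, then both b and d are possible"
PHI_A_NOT_D = ("obs", "a", ("not", ("obs", "d", T)))
PHI_A_B_AND_D = ("obs", "a", ("and", (("obs", "b", T), ("obs", "d", T))))

if __name__ == "__main__":
    print("same traces:", traces(LTS, "P1") == traces(LTS, "P2"))
    print("a not-d distinguishes P1 from P2:",
          distinguishes(LTS, PHI_A_NOT_D, "P1", "P2"))
    print("a {b, d} distinguishes P2 from P1:",
          distinguishes(LTS, PHI_A_B_AND_D, "P2", "P1"))
```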
Definition 2.12 (Observational preorders and equivalences). A set of observations, O X ⊆ HML[Σ], preorders two states p, q, written p X q, iff no formula ϕ ∈ O X distinguishes p from q. If p X q and q X p, then the two are X-equivalent, written p ∼ X q. The enabledness equivalence ∼ E is presumably the coarsest equivalence that one may encounter in the literature. There are many noteworthy finer equivalences. A broad overview is given in Figure 2.
Definition 2.14 (Linear-time-branching-time observation languages [vG01]). The linear-time-branching-time spectrum is a lattice of observation languages (and of entailed process preorders and equivalences). Every observation language O X can perform trace observations, that is, T ∈ O X and, if ϕ ∈ O X , then a ϕ ∈ O X . At the more linear-time side of the spectrum we have: At the more branching-time side, we have simulation observations. Every simulation observation language O X S permits trace observation construction and has full conjunctive capacity, that is, if ϕ i ∈ O X S for all i ∈ I, then i∈I ϕ i ∈ O X S . The observation languages of the spectrum differ in how many of the syntactic features of HML one will encounter when descending into a formula's syntax tree. We will come back to this in Subsection 2.4. The languages of Definition 2.14 and O E can be ordered by subset relations between them. The resulting inclusion structure is depicted in Figure 2. For two observation languages has at most as much distinctive capability as O Y , and thus p Y q implies p X q. (Pay attention to the subset relation and the implication running in opposite directions!) Thus, the equivalences referred to in Figure 2 imply one another downwards. Those implications usually are strict, albeit not for every transition system.
Note that we consider {ϕ} to be an alias for ϕ. With this aliasing, all the listed observation languages are closed in the sense that all subformulas and partial conjunctions (conjunctions of subsets) within each observation are themselves part of that language.
Definition 2.15 (Closed observation language). We say that an observation language O X is closed if: Proposition 2.16. The languages of Definition 2.14 and O E of Example 2.13 are closed.
Proof. This can be seen by examining the definition. The aliasing is necessary for all cases with negations under conjunctions. For instance, for failure observations O F , we have to prove that i∈I ¬ a i ∈ O F implies a i ∈ O F and ¬ a i ∈ O F for all i ∈ I, as well as i∈I ¬ a i ∈ O F with I ⊆ I. We easily see a i ∈ O F because a i ∈ O T ⊆ O F . The second term is not mentioned by the definition, but has {¬ a i } as an alias. The alias is mentioned by the definition, as are all i∈I ¬ a i ∈ O F with I ⊆ I. The other observation languages are equally immediate.
The languages of Definition 2.14 and O E thus are inductive in the sense that all observations with finite syntax tree height must be built from smaller observations of the same language. This is convenient in proofs by structural induction.
Example 2.17. As explained in Examples 1.1 and 2.11, process P 1 has a run where it executes a and then cannot do d, while P 2 does not have such a run, so P 1 F P 2 . This can be expressed by the HML formula a ¬ d ∈ O F , which distinguishes P 1 from P 2 . Moreover, P 2 cannot simulate the transition P 1
• P 3 has the failure trace ∅a{f }c∅d∅, which is not a failure trace of P 4 , so P 3 FT P 4 . This corresponds to the HML formula a {¬ f , c d } ∈ O FT .
• a, {b, c.d} is an impossible future of P 3 , meaning that after action sequence a it may reach a state where no trace from {b, c.d} can be executed, but this is not an impossible future of P 4 , so P 3 IF P 4 . This corresponds to the HML formula a {¬ b , ¬ c d } ∈ O IF .
The three formulas mentioned (and a variant of each one, using the other branch of P 3 ) distinguish P 3 from P 4 . Note that none of the three languages are contained in another; they are all minimal ways to tell the processes apart.
Remark 2.18. Like Kučera and Esparza [KE99], who studied the properties of "good" observation languages, we gloss over completed trace, completed simulation and possible worlds observations in Definition 2.14, because these observations need a special exhaustive a∈Σ ϕ a , where the ϕ a are deactivated actions for completed traces, and more complex trees for possible worlds. While it could be provided for with additional operators, it would break the closure property of observation languages, without giving much in return. For instance, for Σ = {a, b}, completed trace and completed simulation observations contain the observation {¬ a , ¬ b }, but not its subformula ¬ a .
2.4. Pricing Formulas. In our following quest for the coarsest behavioral preorders distinguishing two states, we actually are interested in the formulas that are part of the minimal observation languages from the spectrum (Definition 2.14). We can think of the amount of HML-expressiveness used by a formula as its price. So, our first contribution is overlaying the spectrum with a price metric.
Definition 2.19 (Formula price lattice). The formula price lattice Pr is the (complete) lattice over (N ∪ {∞}) 6 with the partial order defined by pointwise comparison, that is, e e iff e j ≤ e j and E = e iff e j = sup e∈E e j , for all j = 1, . . . , 6.
We use the six dimensions to catch the price structure of the spectrum from Definition 2.14. Intuitively, we employ the following metrics (listed in the order of the dimensions):
1. Observations: How many observations a . . . may one pass at most when descending down the syntax tree? (So we count levels of observations, not the total number of observations.) This is called the "depth" of modal operator nesting for a formula in [HM85,Mil90].

More formally, we compute the six dimensions as follows:

Definition 2.20 (Formula expressiveness prices). We define the (expressiveness) price of a formula, expr : HML → Pr recursively by: In these calculations, expr j ( · ) stands for the jth dimension of the expressiveness price, pb is the set of positive branches of a conjunction, and pf is the set of positive flat branches. The price of a standalone formula ϕ is expr( ϕ). (We also apply · in the definition of expr( a ϕ) to ensure that negations following an observation are counted as implicit conjunctions.)

Example 2.21. Let us calculate the prices of the formulas in Example 2.17. For a ¬ d (that distinguishes P 1 from P 2 ), the price of subformula ¬ d is calculated with an additional conjunction: expr( ¬ d ) = expr( {¬ d }) = (1, 1, 0, 0, 1, 1). This leads to expr( a ¬ d ) = (2, 1, 0, 0, 1, 1). The other distinguishing formula a { b , c } has price (2, 1, 0, 2, 0, 0).

[Table: columns Observation language, Observations, Conjunctions, Positive deep br., Positive branches, Negations, Negated observations]

The formulas that distinguish P 3 from P 4 have the prices: For both process pairs, there are multiple minimal-price distinguishing formulas, which are incomparable. This reflects our earlier observation that there are multiple minimal languages to tell the processes apart. We will make this more exact in Lemma 2.23 below.
We say that a formula ϕ 1 dominates ϕ 2 if ϕ 1 has lower or equal values than ϕ 2 in each dimension of the metrics with at least one entry strictly lower, for which we write expr( ϕ 1 ) < expr( ϕ 2 ).
Note that this inversion of domination can only happen for the dimensions expr 3 (positive deep branches) and expr 4 (positive branches), as all other dimensions in Definition 2.20 are clearly monotonic. Then the context must contain a conjunction i∈I ϕ i and the local formula must be a conjunct ϕ i , the cheaper local formula is an observation formula and the other a negation formula.
Vol. 18:3 LINEAR-TIME-BRANCHING-TIME SPECTROSCOPY 19:11

Table 1 gives an overview of how many syntactic HML-features the observation languages of the spectrum (Definition 2.14) may use at most; these are the least upper bounds of the prices for the contained observations. So, we are talking budgets, in the price analogy.
Lemma 2.23. A formula ϕ is in an observation language O X with expressiveness price bound e X from Table 1 precisely if its price is within the bound, that is expr( ϕ) e X .
Proof Sketch. ϕ ∈ O X implies expr( ϕ) e X as the e X in the table exactly are the least upper bounds ϕ∈O X expr( ϕ). That expr( ϕ) e X implies ϕ ∈ O X , is more involved. Basically it amounts to constructing the fiber function expr −1 and noticing that a partial evaluation of expr −1 (e X ) looks exactly like the cases in Definition 2.14. For failures for instance, one would Note that no strict subset of these dimensions distinguishes all languages of Definition 2.14 and O E .
Example 2.24. We can now compare the formula prices calculated in Example 2.21 with the expressiveness price bounds: The price of a ¬ d ∈ O F is (2, 1, 0, 0, 1, 1), which is cheaper than the price bound e F = (∞, 1, The formulas that distinguish P 3 from P 4 are within the following price bounds: Not every conceivable observation language can soundly be characterized by our metric. For instance, the "two-as-may-happen-equivalence" with observation language { a a , T} would have coordinates (2, 0, 0, 0, 0, 0) but does not contain the formula a even though expr( a ) = (1, 0, 0, 0, 0, 0) is below. However, all common closed observation languages have characteristic coordinates in our price lattice.
Remark 2.25 (New prices). Definition 2.20 of formula expressiveness prices and the spectrum characterization differ from the conference version [BN21] in that the fourth dimension counts positive branches instead of positive flat branches and in that the last dimension "negated observations" measures the observation depth instead of negated syntax tree height. We will use these two changes in the proof of Theorem 3.14.
Not counting flat positive branches resolves some technical problems that existed around readiness and failure trace languages. The advantage of this definition of formula price is that we have expr( This way, ¬ a {¬ b , ¬ a }, ¬ a {¬ b } and ¬ a ¬ b all have expr( · ) = (2, 2, 0, 0, 2, 2) as price. Using syntax tree height, the sixth dimension would be 3 for the last formula and 4 for the other two. Also, if we would not include an implicit conjunction before each negation, the last formula would have a smaller value in the second dimension.
2.5. Double Negations and Negated Conjunctions. When searching distinguishing formulas in the observation languages considered, double negations and negated conjunctions are not useful and can be suppressed.
A double negation ¬¬ϕ is more expensive than ϕ in most contexts. Only in a conjunction, a double negation can mask a positive branch; for example, Note that a formula containing a double negation is in 3-nested simulation O 3S or a larger language, where the number of positive (deep) branches is irrelevant. Therefore, double negations are not useful, and we forbid them in distinguishing formulas.
Negated conjunctions are disjunctions. (In this paragraph, we use the abbreviation i∈I ϕ i for ¬ i∈I ¬ϕ i .) They can be replaced by (almost always cheaper) formulas without Note that the disjuncts a ¬ b and a ¬ c also distinguish a.c and a.b, respectively, from a.(b + c).
In general, any formula containing a disjunction can be transformed into a kind of disjunctive normal form i∈I ϕ i , where the ϕ i do not contain any disjunctions. When a concrete process p needs to be distinguished from some process q, one of the disjuncts ϕ i can be used instead of the whole formula. The transformation to disjunctive normal form will almost always lead to disjuncts that are cheaper than or as cheap as the original formula. The only exception is the case where a disjunction masks a double negation in a conjunction; for example, As explained above, this only happens in 3-nested simulation O 3S and larger languages, where the number of positive (deep) branches is irrelevant. Therefore, like double negations, negated conjunctions are not useful, and we forbid them in distinguishing formulas as well.

A Game to Find Distinguishing Formulas
This section introduces our main contribution: the spectroscopy game (Definition 3.3), and how to build all interesting distinguishing HML formulas from its winning region (Definition 3.6).

The Abstract Observation Preorder Problem.
In what follows, we generalize the problem whether an observation language preorders two states (Definition 2.12) in two ways:
(1) We not only consider one observation language O X from Definition 2.14 or O E but all of them at the same time.
(2) We do not compare one process p to another q, but rather one p to a set Q ⊆ P.
The first generalization is the main objective of this paper. The second one enables the construction of a uniform algorithm. The abstracted problem thus becomes: Problem 3.1 (Abstract observation preorder problem). Given a process p and a set of processes Q, what are the observation languages from Definition 2.14 (including O E ) for which p is preordered to every q ∈ Q?
Our approach to solve this problem looks for the set of minimal languages to tell the processes apart. We characterize these minimal distinguishing languages through a set of coordinates from the price lattice (Definition 2.19), where every coordinate is justified by a distinguishing formula with this price. In line with Subsection 2.5, we do not care about formulas with double negations and negated conjunctions.
Problem 3.2 (Cheapest distinction problem). Given a process p and a set of processes Q, what is the set of minimal prices (according to Definition 2.20) of formulas with neither double negations nor negated conjunctions that distinguish p from every q ∈ Q? What are illuminating witness formulas for each such price?
There is a straightforward way of turning the problem whether an observation language O X preorders p and q into a game: Have the attacker pick a supposedly distinguishing formula ϕ ∈ O X , and then have the defender choose whether to play the HML game (Definition 2.7) for ¬ϕ p or for ϕ q . One can examine the attacker winning strategies comprised of price-minimal formulas and solve Problem 3.2. This direct route will yield infinite games for infinite O X , and all the languages from Definition 2.14 are infinite.
To bypass the infinity issue, the next subsection will introduce a variation of this game where the attacker gradually chooses their attacking formula implicitly. In particular, this means that the attacker decides which observations to play. In return, the defender does not need to pick a side in the beginning and may postpone the decision where (on the side of ϕ q ) an observation leads. Postponing decisions here means that the defender state is modeled non-deterministically, moving to multiple process states at once. The mechanics are analogous to the standard powerset construction when transforming non-deterministic finite automata into deterministic ones. In effect, the attacker tries to show that a formula ϕ ∈ O X distinguishes p from every q ∈ Q, and the defender tries to prove that no such formula exists.
3.2. The Spectroscopy Game. Let us now look at the "spectroscopy game." It forms the heart of this paper. Figure 4 gives a graphical representation.

Definition 3.3 (Spectroscopy game). For a transition system
where Q ∈ 2 P contains at least two elements; the symbol " ≯ " indicates that conjunct challenge moves are not allowed there, and four kinds of moves:

Figure 4: Schematic spectroscopy game G of Definition 3.3.
Attacker moves are labeled with the syntactic HML constructs from which they originate. This does not change expressive power but is helpful for formula reconstruction in the next section. Accordingly, attacker strategies for spectroscopy games are subsets of labeled moves.
Example 3.4. Let us say we want to compare the processes a.b and a.(a + b) + a.b.b + a. Figure 5 shows the game graph. Recall from Definition 2.4 that the attacker wins in defender positions that are stuck, concretely in position (0, ∅) d . The defender wins infinite plays, concretely from position (0, {0}) a , where the only play loops infinitely in place. Elsewhere, the player that can force the play into one of these two positions wins. The black part represents the attacker winning region, which corresponds to processes that can be distinguished by HML formulas. The edge labels already hint at how to construct such formulas. The (thin, small) red part corresponds to processes that cannot be distinguished and thus are won by the defender. We will make this more precise in the next subsections.
3.3. Relationship to Bisimulation. Comparing G to the standard bisimulation game from the literature (amending games originating from [Sti96] with symmetry moves, see e.g. [BNP20]), we can easily transfer attacker strategies from there. In the standard bisimulation game, the attacker will play (p, q) (a, p , q) with p a − → p and the defender has to answer by (a, p , q) (p , q ) with q a − → q . In the spectroscopy game, the attacker can enforce analogous moves by playing which will make the defender pick (p , {{q * } | q * ∈ Q }) d * (p , {q }) a . The opposite direction of transfer is not so easy, as the attacker has more ways of winning in G . But this asymmetry is precisely why we have to use the spectroscopy game instead of the standard bisimulation game if we want to learn about, for example, interesting failure-trace attacks.

Figure 5: The spectroscopy game that distinguishes process a.b from a.(a + b) + a.b.b + a. Parts where the defender wins are drawn thin, small, and red.
Indeed, the spectroscopy game does characterize bisimilarity. Bisimilarity denotes the existence of a bisimulation relation R that has the properties that R ⊆ R −1 (symmetry) and Proof. We use that bisimilarity is equivalent to the existence of a bisimulation relation, and that winning is equivalent to the existence of a positional strategy.
• Construct the relation R = {(p, q) | (p, {q}) a ∈ W d }. This must be a symmetric simulation (and thus a bisimulation).
-Symmetry: Assume (p, q) ∈ R. As the attacker can play from (p, {q}) a to (q, {p}) a , the two can only be in the defender winning region together. Thus (q, p) ∈ R.
-Simulation: Assume (p, q) ∈ R and p a − → p . Then there is an attacker move (p, {q}) a to (p , Q ) a for Q = {q | q a − → q }. We must have (p , Q ) a ∈ W d (otherwise, (p, {q}) a would be winning for the attacker); this excludes in particular Q = ∅. If Q is a singleton, say Q = {q }, we get (p , q ) ∈ R and the simulation is proven. Otherwise, the attacker can take a conjunct challenge to (p , {{q } | q ∈ Q }) d . There must be a move from this position to some (p , {q 0 }) a that is still in the defender winning region W d . As q 0 ∈ Q , we can be sure that q a − → q 0 , so that (p , q 0 ) ∈ R completes this case.
If G [(p 0 , {q 0 }) a ] is won by the defender, this means (p 0 , {q 0 }) a ∈ W d and thus (p 0 , q 0 ) ∈ R.
• Assume R is a bisimulation relation and (p 0 , q 0 ) ∈ R. Construct the defender strategy the attacker plays and whatever moves the defender chooses from F , we prove that the play will maintain the invariant that for attacker positions (p, Q) a or (p, Q) ≯ a there will always be q ∈ Q such that (p, q) ∈ R, and similarly for defender positions (p,Q ) d there will always be Q ∈ Q and q ∈ Q such that (p, q) ∈ R.
-Observation moves: At (p, Q) a , the attacker moves to (p , Q ) a with p a − → p and Q reachable by q a − →. By the invariant, there was q ∈ Q such that (p, q) ∈ R. As R is a simulation, there must be q ∈ Q with (p , q ) ∈ R.
-Conjunct challenges: At (p, Q) a , the attacker moves to (p,Q ) d . As Q covers Q, the invariant is maintained.

3.4. Deciding the Spectroscopy Game. Due to the partition construction over subsets of P, the worst-case game size is proportional to the Bell number B(1 + |P|), which is somewhat worse than exponential. Going at least exponential is necessary, as we want to also characterize weaker preorders like the trace preorder, where exponential P-subset or Σ * -word constructions cannot be circumvented. However, for moderate real-world systems, such constructions will not necessarily show their full exponential blow-up (cf. [CH93]). In our case, we went beyond exponential complexity in order to correctly address failure trace and ready trace languages, as will be explained in Subsection 3.8.
To be more precise, the game size is asymptotically described by the number of conjunct answers, $|P|^2 \cdot B(1 + |P|)$. In detail: There are $|P| \cdot 2^{|P|}$ potential attacker positions. For every such position, there are Bell-number many conjunct challenges and corresponding defender positions (so $|P| \cdot B(1 + |P|)$ in total, each) with up to $|P|^2 \cdot B(1 + |P|)$ conjunct answers. Moreover, there are up to $|p \xrightarrow{\cdot} \cdot|$ observation moves for each attacker position, totalling to $|\xrightarrow{\cdot}| \cdot 2^{|P|}$. Finally, there are the $|P|^2$ negation moves, which clearly are dominated by the other complexities.
For our approach in the next section, we will need to know (and process) the whole attacker winning region of size O(|P| · B(1 + |P|)). We use Algorithm 1 to compute the winning region of reachability games (derived from [Grä07]). It starts by assuming that every position is won by the defender, and then proceeds by visiting positions where the defender does not have any options or where the attacker has an option. Every move in the game will lead to at most one invocation of the inner-most operations, which renders the algorithm linear-time with respect to game moves. The algorithm keeps information on every game position, making the space complexity linear in the number of game positions and thus Bell-number super-exponential with respect to |P|.
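The procedure described above, as an added Python sketch (not the article's Algorithm 1 listing): counters per defender position ensure that every move is inspected at most once. The function name, the dictionary encoding of the game and the sample game are assumptions constructed for this example.

```python
from collections import deque


def attacker_winning_region(moves, defender_positions):
    """Return the positions from which the attacker can force the defender to get stuck.

    moves: dict mapping every position to the list of its successor positions.
    defender_positions: set of positions where the defender picks the move;
    all other positions belong to the attacker.
    Infinite plays count as defender wins, so a cycle alone never helps the attacker.
    """
    predecessors = {g: [] for g in moves}
    for g, successors in moves.items():
        for h in successors:
            predecessors[h].append(g)

    # For each defender position: number of moves not yet known to lead
    # into the attacker winning region.
    open_options = {g: len(moves[g]) for g in defender_positions}

    # Initially every position is assumed to be won by the defender.
    won_by_attacker = set()
    # Seed: defender positions without any move (the defender is stuck there).
    todo = deque(g for g in defender_positions if open_options[g] == 0)

    while todo:
        g = todo.popleft()
        if g in won_by_attacker:
            continue
        won_by_attacker.add(g)
        # Every move into g is inspected exactly once, namely here.
        for pred in predecessors[g]:
            if pred in won_by_attacker:
                continue
            if pred in defender_positions:
                # The defender loses one escape; it loses the position
                # only when no escape is left.
                open_options[pred] -= 1
                if open_options[pred] == 0:
                    todo.append(pred)
            else:
                # One winning option suffices for the attacker.
                todo.append(pred)
    return won_by_attacker


# Constructed sample game: positions a* belong to the attacker, d* to the defender.
# d1 is stuck; d2 and a3 form a cycle that the defender can stay in forever.
CONSTRUCTED_GAME = {
    "a0": ["d0", "a1"],
    "a1": ["d1"],
    "a2": ["d1"],
    "a3": ["d2"],
    "d0": ["a2", "a3"],
    "d1": [],
    "d2": ["a3"],
}
CONSTRUCTED_DEFENDER_POSITIONS = {"d0", "d1", "d2"}

if __name__ == "__main__":
    region = attacker_winning_region(CONSTRUCTED_GAME, CONSTRUCTED_DEFENDER_POSITIONS)
    print(sorted(region))
```

In the sample, d0 stays with the defender because it can always answer into the cycle at a3, even though its other answer a2 is lost.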
3.5. Building Distinguishing Formulas from Attacker Strategies. Attacker strategies in G correspond to sets of HML formulas. If the strategies are winning, the formulas are distinguishing.
Definition 3.6 (Strategy formulas). Given a (positional, non-deterministic, labeled) attacker strategy F ⊆ (G a × L × G) ∩ for the spectroscopy game G , the set of strategy formulas, Strat F , is inductively defined by:
• If ϕ ∈ Strat F (g a ) and (g a , b , g a ) ∈ F , then b ϕ ∈ Strat F (g a ),
• if ϕ ∈ Strat F (g a ) and (g a , ¬, g a ) ∈ F , then ¬ϕ ∈ Strat F (g a ),
• if ϕ ∈ Strat F (g d ) and (g a , ∧, g d ) ∈ F , then ϕ ∈ Strat F (g a ), and
• if ϕ g a ∈ Strat F (g a ) for all g a ∈ I = {g a | g d * g a } then g a ∈I ϕ g a ∈ Strat F (g d ).
Example 3.7. The attacks (P 1 , on the system of Example 1.1 give rise to the formula a {¬ d T}, which can be written as a ¬ d . The definition will never generate disjunctive subformulas: The target of a negation move is always a position (p, {q}) a with singleton {q}, and only observation moves and negation moves are generated in such positions.
Definition 3.8 (Winning strategy graph). Given the attacker winning region W a and a starting position g 0 ∈ W a , the attacker winning strategy graph F a is the subset of the -graph that can be visited from g 0 when following all -edges unless they lead out of W a . complex LTSs could contain cycles.) However, if the attacker plays inside their winning region according to F a , they will always have paths to their final winning positions. So even though the attacker could loop (and thus introduce double negations or lose), they can always end the game and win in the sense of Definition 2.5 without generating double negations.
Example 3.9. Figure 6 continues the comparison of a.b with a.(a + b) + a.b.b + a from Example 3.4. The game constructs the following three distinguishing formulas:
• a {¬ a , b ¬ b }. This formula has price (3, 2, 1, 1, 1, 1) and shows that the processes can be distinguished by a failure trace, namely ∅a{a}b{b}: this is a failure trace of a.b but not of a + a.b.b + a.(a + b).
• ¬ a a , with price expr( · ) = (2, 1, 0, 0, 1, 2). This formula shows that the processes are not in the impossible-futures preorder.
• a {¬ a , ¬ b b , b }. This formula has price (3, 1, 0, 1, 1, 2) and shows that the processes can be distinguished by the possible-futures preorder. While this formula is strictly more expensive than ¬ a a (and therefore will be suppressed in the final output), it cannot be deleted altogether because it may be needed as part of a larger formula in other states.
In particular, its negation is strictly cheaper than the negation of the first constructed formula, similar to Example 2.22.
The construction of other formulas is aborted as soon as they are recognized as more expensive in every relevant context, as we will discuss in the next subsection.
Let us quickly prove the soundness of the strategy formulas obtained from winning strategies.
Theorem 3.10. If W a is the attacker winning region of the spectroscopy game G and F a the derived strategy graph, every ϕ ∈ Strat Fa ((p, Q) a ) distinguishes p from every q ∈ Q.
Proof. We proceed by induction on the structure of Strat Fa with arbitrary p, Q.
• Assume ϕ ∈ Strat Fa ((p , Q ) a ), and ((p, Q) a , b , (p , Q ) a ) ∈ F a . By induction hypothesis, ϕ must be true for p and false for all q ∈ Q . Due to the structure of G , we know that p b − → p and that Q contains all b-reachable states for Q. Thus, b ϕ ∈ Strat Fa ((p, Q) a ) must be true for p and false for all q ∈ Q. Likewise, in the case of ((p, Q) and ((p, Q) a , ¬, (p , Q ) a ) ∈ F a . By the construction of G , Q = {p } and Q = {p}. By induction hypothesis, ϕ must be true for p and false for p. So, ¬ϕ ∈ Strat Fa ((p, Q) a ) must be true for p and false for all elements of {p } = Q.
• Assume ϕ g a ∈ Strat Fa (g a ) for all g a ∈ I = {g a | g d * g a }, and also ((p, Q) a , ∧, g d ) ∈ F a . Due to the construction of G , Q = {q | (p , {q }) a ∈ I} ∪ {q | ∃Q . q ∈ Q ∧ (p , Q ) ≯ a ∈ I} and p = p. By induction hypothesis, every ϕ g a is true for p and false for all its respective q ∈ Q . So, the conjunction g a ∈I ϕ g a ∈ Strat Fa ((p, Q) a ) must be distinguishing for p and Q.
Note that the theorem is only one-way, as every distinguishing formula can neutrally be extended by stating that some additional clause that is true for both processes does hold. Definition 3.6 will not find such bloated formulas.
We prove that a neatly constructed subset of the cheapest strategy formulas suffices for reaching completeness in Theorem 3.14.
Figure 6: The winning region of the spectroscopy game of Figure 5, together with distinguishing formulas. Every node displays in the top half the game position and in the bottom half the relevant cheap strategy formulas in Strat Fa for that position. Formulas that are recognized as too expensive to be interesting are pruned away, as will be explained more formally in Definition 3.12. Edges that are used to construct the main distinguishing formulas are thick.
Due to the cycles in the game graph, Strat Fa usually yields infinitely many formulas, unbounded in length and price. The next section will discuss how to find a finite subset of Strat Fa that solves Problem 3.2.
3.6. Retrieving Cheapest Distinguishing Formulas. We are now at the point where the recharting of the spectrum from Subsection 2.4 pays off. With the pricing metric on formulas, the coarsest ways of telling two states p, q apart are precisely given by the formulas Φ ∆ ⊆ Strat Fa ((p, {q}) a ) that are not dominated by any other formula in the set.
There might well be multiple such minimal-price formulas ϕ ∆ ∈ Φ ∆ with differing expr prices for the same pair of processes. Due to Lemma 2.23, the processes then are distinguished with respect to every equivalence X where the budget vector e X from Table 1 is above the price of one of the formulas, that is, where expr( ϕ ∆ ) e X for a ϕ ∆ ∈ Φ ∆ . At the same time, the processes are preordered with respect to all the other notions of equivalence from the table, because these do not have sufficient distinguishing capabilities.
The extraction of cheapest formulas from Strat Fa presents itself as a very special kind of "shortest-distance" problem (cf. [Moh02]) between the positions immediately won by the attacker and the initial game position. It is just that the "distances" we have to keep track of are no numbers but sets of formulas. Those are peculiar as we have seen in Example 2.22.

We cannot really calculate with them but only compare their expr values and construct more complex formula sets. The rest of this subsection is about designing a fixed point algorithm around this strange problem space. In order to be efficient, the algorithm should discard distinguishing formulas that are already recognized as not-cheapest as early as possible.
Algorithm 2 gives an overview of how the results of previous subsections and two following definitions play together. It constructs the spectroscopy game G S (Definition 3.3), finds the attacker winning region using Algorithm 1 and computes its attacker winning strategy graph F a (Definition 3.8). If the attacker cannot win, the algorithm returns a bisimulation relation derived from the defender winning region (Lemma 3.5). Otherwise, it constructs the distinguishing formulas: It keeps a map strats of strategy formulas that have been found so far and a list of game positions todo that have to be updated. In every round, we take a game position g from todo. If some of its successors have not been visited yet, we add them to the top of the work list. Otherwise we call Strat Fa,strats (g) (to be introduced in Definition 3.11) to compute distinguishing formulas using the follow-up formulas strats. From the found formulas, prune_dominated removes formulas that are recognized as too expensive to be interesting (to be introduced in Definition 3.12). If the result changes strats[g], we enqueue each game predecessor to propagate the update there.
The fixed point approach needs Strat F from Definition 3.6 in a more stepwise formulation that is not recursive. The function Strat F,strats mostly corresponds to Definition 3.6 with the twist that tentative follow-ups are used instead of recursion.
Definition 3.11 (Tentative strategy formulas). Given a labeled attacker strategy F ⊆ (G a × L × G) for the spectroscopy game G and an approximation of strategy formulas strats : G → HML[Σ], the next tentative strategy formulas, Strat F,strats , are defined for g a ∈ G a and g d ∈ G d as:
Intuitively, strats corresponds to intermediate candidates for reaching the target region in a shortest-distance problem. Strat F,strats corresponds to the addition of outgoing edge weights to the candidates when updating nodes. For a shortest-distance algorithm, we need one more ingredient: the criterion to select best candidates. In conventional shortest-distance problems, the minimum function (min) plays this role. Strat already implicitly does something comparable to min: It forms the union of all the formula sets that are implied by outgoing game moves. This union on its own has the problem that formulas may be unfolded beyond all bounds, accumulating more and more information in arbitrarily expensive distinguishing formulas. For the fixed point algorithm to terminate, there must be a pointwise bound on the growth of strats with only finitely many possible sets of formulas below. For instance, one could restrict the formulas to have expressiveness prices below (|S|, |S|, |S|, |S|, |S|, |S|). This would guarantee a safe solution, but it can result in insane running times. Instead, we use the following function:
Definition 3.12 (Pruning of dominated formulas). prune_dominated is defined as
prune_dominated removes all formulas that are dominated with respect to the metrics by any other formula in this set, where observations may only be dominated by observations, and negations only by negations (but double negations are always dropped because we forbid them in distinguishing formulas). We need to keep minimum-price negations because of inversion of dominance in cases like Example 2.22.
We also need to keep minimum-price observation formulas, at least in game positions (p, {q}) a , because only such formulas are allowed under a negation. Other dominated formulas will not be important later on to find the cheapest options.
Example 3.13. If we look back at Figure 6 (used for Example 3.9), we can now see why it is important that dominated formulas are pruned away at the right steps. In the figure, pruned formulas are struck out.
If a game position (p, {q}) a allows a positive and a negative distinguishing formula, we need to maintain the cheapest ones of either kind. For example, we kept both b ¬ b and the (more expensive) ¬ b b in (b, {b.b}) a , which allowed us to construct two minimal-price distinguishing formulas in (b, {{a + b}, {b.b}, {0}}) d : one formula with two positive branches and a small depth of negated observations, the other with one positive branch but deeper negated observations. However, one of them is pruned away in (b, {a + b, b.b, 0}) a because the latter position has another successor that generates a strictly cheaper formula.
All in all, the algorithm structure in Algorithm 2 is mostly usual fixed point machinery. It terminates because, for each state in a finite transition system, there must be a bound on the distinguishing mechanisms necessary with respect to our metrics. Strat will only generate finitely many formulas under this bound. prune_dominated ensures that not too many more formulas are generated.
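The difference between pruning during the fixed point computation and filtering the final output can be replayed on the three prices of Example 3.9. The following Python sketch is an added example, not the article's definition or the tool's code: it follows the prose description of prune_dominated, assumes that "dominated" means strictly smaller in the pointwise order on price vectors, and assumes that formulas of other kinds (conjunctions) may be dominated by any formula. The class, the labels and the fourth formula are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Priced:
    label: str    # hypothetical name, used only in this example
    kind: str     # "observation", "negation", "conjunction" or "double negation"
    price: tuple  # six-dimensional expressiveness price


def strictly_cheaper(p, q):
    """Assumed domination order: p <= q in every dimension and p != q."""
    return p != q and all(a <= b for a, b in zip(p, q))


def may_dominate(candidate, victim):
    """Observations are only dominated by observations, negations only by negations."""
    if victim.kind in ("observation", "negation"):
        return candidate.kind == victim.kind
    return True  # assumption of this sketch for all other kinds


def prune_dominated(formulas):
    """Kind-aware pruning used inside the fixed point loop."""
    kept = [f for f in formulas if f.kind != "double negation"]  # always dropped
    return [
        f for f in kept
        if not any(may_dominate(g, f) and strictly_cheaper(g.price, f.price)
                   for g in kept)
    ]


def final_output(formulas):
    """Minimal-price formulas regardless of kind, as reported to the user."""
    return [
        f for f in formulas
        if not any(strictly_cheaper(g.price, f.price) for g in formulas)
    ]


# Kinds and prices of the three formulas from Example 3.9.
EXAMPLE_3_9 = [
    Priced("failure-trace formula", "observation", (3, 2, 1, 1, 1, 1)),
    Priced("impossible-futures formula", "negation", (2, 1, 0, 0, 1, 2)),
    Priced("possible-futures formula", "observation", (3, 1, 0, 1, 1, 2)),
]
# Constructed: an observation that is strictly more expensive than the first one.
CONSTRUCTED_BLOATED = Priced("bloated observation (constructed)", "observation",
                             (4, 2, 1, 1, 1, 1))

if __name__ == "__main__":
    for f in prune_dominated(EXAMPLE_3_9 + [CONSTRUCTED_BLOATED]):
        print("kept during fixed point:", f.label)
    for f in final_output(EXAMPLE_3_9):
        print("final output:", f.label)
```

The possible-futures formula survives the kind-aware pruning because the only cheaper formula is a negation, but it is absent from the final output, matching the remark in Example 3.9.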

3.7. Correctness of the Algorithm. We will now prove that Algorithm 2, in spite of the pruning, generates enough formulas to solve Problem 3.2.
Theorem 3.14. Assume a finite formula ϕ that distinguishes p from every q ∈ Q. Assume also that ϕ does not contain double negations or negated conjunctions (i.e. does not have subformulas of the form ¬¬ψ or ¬ i∈I ψ i ). Then we claim about the sets strats[(p, Q) a ] and strats[(p, Q) ≯ a ] of distinguishing formulas produced by Algorithm 2:
(1) strats[(p, Q) a ] contains a formula that is cheaper than or as cheap as ϕ.
(2) If ϕ is an observation formula, strats[(p, Q) ≯ a ] contains a formula that is cheaper than or as cheap as ϕ. (This necessarily is an observation formula.)
(3) If ϕ is an observation formula or a negation formula and Q is a singleton, strats[(p, Q) a ] contains a formula of the same kind that is cheaper than or as cheap as ϕ.
Proof. First, strats[(p, ∅) a ] = {T}, and T is the cheapest of all formulas, so the claims hold if Q = ∅. In the rest of the proof we assume that Q ≠ ∅ (and therefore ϕ ≠ T). We prove the three claims of the theorem simultaneously by induction over the structure of ϕ with arbitrary p and Q.
Case ϕ = a ψ: This means that there exists p such that p a − → p and ψ distinguishes p from Q = {q | ∃q ∈ Q. q a − → q }. The game graph contains an observation move Then we apply the induction hypothesis to (p , Q ) a and ψ, and we conclude that a formula ψ ∈ strats[(p , Q ) a ] is found such that expr( ψ ) expr( ψ). Therefore, either a ψ ∈ strats[(p, Q) a ] (respectively a ψ ∈ strats[(p, Q) ≯ a ]); or, if a ψ is pruned away, this must have been justified by a formula strictly cheaper than a ψ in strats[(p, Q) a ] (or a ψ ∈ strats[(p, Q) ≯ a ]), and this cheaper formula must have been an observation formula according to Definition 3.12 (this is needed to prove Claim (3) if |Q| = 1). This proves all three claims.
Case ϕ = i∈I ψ i : (Only Claim (1) needs to be proven.) Note that I ≠ ∅. Assign to every q ∈ Q a conjunct ψ i that distinguishes p from q; we denote this conjunct with ψ q . If every q ∈ Q is assigned the same formula ψ i 0 (e.g. if Q is a singleton), apply the induction hypothesis to (p, Q) a and ψ i 0 . Otherwise, define a partition of Q as follows: The set Q − contains singleton blocks for every process in Q that is associated with a negation formula. Every block in Q + is associated with an observation formula. As we excluded nested conjunctions, each ψ i can only be a negation or an observation formula. The game graph contains a conjunct challenge (p, Q) a ∧ (p,Q ) d . We apply the induction hypothesis to the targets of the corresponding conjunct answers:
• If some {q } ∈ Q is a singleton, we apply the induction hypothesis Claim (3) to (p, {q }) a and formula ψ q . Then there will be a formula of the same kind as ψ q , denoted ψ {q } ∈ strats[(p, {q }) a ], with expr( ψ {q } ) expr( ψ q ).
• If some Q ∈ Q is not a singleton, then Q ∈ Q + and ψ q (for q ∈ Q ) is an observation formula. We apply the induction hypothesis Claim (2) to (p, Q ) ≯ a and ψ q . Then there will be an observation formula, denoted ψ Q ∈ strats[(p, Q ) ≯ a ], with expr( ψ Q ) expr( ψ q ). Further note that if ψ q = a is a positive flat branch, then the formula found ψ Q is also a positive flat branch (otherwise it would be more expensive than ψ q ).
Then, the conjunction Q ∈Q ψ Q satisfies:
• It contains no more positive branches than i∈I ψ i ; 2
• It contains no more positive deep branches than i∈I ψ i ;
• For every ψ Q , there is a ψ i such that expr( ψ Q ) expr( ψ i ).
From this, we can conclude that expr( Q ∈Q ψ Q ) expr( i∈I ψ i ).
2 But the number of positive flat branches (with observation height 1) could have been increased. This is why the first change described in Remark 2.25 is necessary.
Now either Q ∈Q ψ Q ∈ strats[(p, Q) a ], or a formula that is strictly cheaper is in strats[(p, Q) a ]. Claim (1) holds in both cases.
Case ϕ = ¬ψ: Note that ψ is an observation formula. Assume for now that Q is a singleton {q}. The game graph contains a negation move (p, {q}) a ¬ (q, {p}) a . We apply the induction hypothesis Claim (3) to (q, {p}) a and ψ and conclude that there is some observation formula ψ ∈ strats[(q, {p}) a ] with expr( ψ ) expr( ψ). But then, either ¬ψ ∈ strats[(p, {q}) a ], or a negation formula strictly cheaper than ¬ψ is in strats[(p, {q}) a ]. This proves Claims (1) and (3) for singleton Q.
Now if Q contains more than one element, only Claim (1) needs to be proven. The game graph contains a conjunct challenge (p, Q) a ∧ (p, {{q} | q ∈ Q}) d , and we can apply the above argumentation to the targets (p, {q}) a of the conjunct answers. So, for every q ∈ Q, there is some negation formula ¬ψ q ∈ strats[(p, {q}) a ] with expr( ¬ψ q ) expr( ¬ψ). Consequently, either the conjunction q∈Q ¬ψ q ∈ strats[(p, Q) a ], or a formula that is strictly cheaper is in strats[(p, Q) a ]. As formula prices do not count negative branches in a conjunction, expr( q∈Q ¬ψ q ) = expr( q∈Q ¬ψ q ) expr( {¬ψ}) = expr( ¬ψ). So the claim on formula prices holds. 3
In Subsection 2.4, we have chosen to describe limits on upper bounds by the depth of negated observations (dimension 6). An alternative choice could have been to restrict the number of negative deep branches, but that would make the correctness proof of Theorem 3.14 more difficult. The proof uses the technical property that a formula with more negative branches is not more expensive than a similar formula with fewer (but more than zero) negative branches. A formula with one negative branch gives another, technical, reason why negations under observations should count as implicit conjunctions.
Using the theorem, we can state the correctness of the algorithm easily.
Corollary 3.15. Assume a spectroscopy game position (p, Q) a . For every language in Definition 2.14 (and, in relevant cases, O E ) that distinguishes p from every q ∈ Q, Algorithm 2 will find a minimal-price formula in the distinguishing formulas (without double negations or negated conjunctions) in this language.
Proof. Assume that some observation language O X distinguishes p from every q ∈ Q. In line with Subsection 2.5, we can limit our attention to formulas without double negations or negated conjunctions. Then there exists some formula ϕ ∈ O X with minimal formula price that distinguishes p from every q ∈ Q. Now apply Theorem 3.14 to ϕ. Algorithm 2 will therefore find a formula with the same formula price (price-minimality implies that there is no cheaper distinguishing formula than ϕ), which consequently is in the same distinguishing language O X .
Example 3.16. Now that we have proven the main correctness theorem, we can conclude even more about the minimal-price formulas found in Example 3.9. As stated there, the processes are not preordered by failure traces nor by impossible futures (a.b FT a.(a + b) + a.b.b + a  and a.b IF a.(a + b) + a.b.b + a), but Corollary 3.15 also implies that these are the coarsest ways of telling the processes apart. The processes are in every preorder in Figure 2 that is not above one of these two. So, we can conclude that they are simulation-preordered and readiness-preordered.
3 If ϕ = ¬ a ¬ b , the algorithm might find a formula of the form ¬ a {¬ b , ¬ a }. The latter formula should not be more expensive than the former. This is why the second change in Remark 2.25 is necessary.  [BN21].
In the conference version, each attacker position had only one outgoing conjunction move. Definition 3.3 now has one conjunction move from (p, Q) a per partition of Q. This adds a lot of possible game positions and moves. However, this has been necessary to fix an error in the algorithm.
In order to understand the problem, let us reexamine the graph in Figure 6. So, without the correction, the algorithm published originally picks the ready-trace showing that the processes can be distinguished by a ready trace, namely {a}a{b}b∅. While this formula does distinguish a.b from a.(a + b) + a.b.b + a, and even is semantically equivalent to the failure-trace formula above, it is not in the cheapest possible language. Erroneously assuming ready traces to be a minimal language to tell the processes apart leads to the wrong conclusion that the processes would be failure-trace-preordered, which they are not.
The TACAS'21 version lacked a theorem like Theorem 3.14. The paper, however, was confident that a similar result could be established. In light of the problem presented here, it is clear that the original algorithm was not complete in the sense of the theorem.
There are several ways of correcting the problem. We have chosen the least invasive fix by considering all partitions and not just the finest ones. Together with some slight simplifications of metric and pruning, this allowed us to provide a completeness proof while staying close to the conference version.

Linear-Time-Branching-Time Spectroscopy in the Browser
There are two implementations of the algorithm described in this article. In Subsection 4.1, we describe the analysis of transition systems in a web tool built around the algorithm. In Subsection 4.2, we give a short account of a computer game implementation.
4.1. A Webtool for Equivalence Spectroscopy. We have implemented the game and the generation of minimal distinguishing formulas in the "Linear-Time-Branching-Time Spectroscope," a Scala.js program that can be run in the browser on https://concurrency-theory.org/ltbt-spectroscope/.
The tool (screenshot in Figure 7) consists of a text editor to input finite-state CCS-style processes (including recursively defined processes) and a view of the transition system graph. When queried to compare two processes, the tool yields the cheapest distinguishing HML formulas it can find for both directions. From the found formulas, the tool infers the finest fitting preorders for the relevant pairs of processes. In the process, distinguishing formulas that do not contribute to this question are discarded in order to reduce the noise of the output.
To "benchmark" the quality of the distinguishing formulas, we have run the algorithm on all the finitary counterexample processes from the report version of "The Linear-Time-Branching-Time Spectrum" [vG01]. Table 2 reports the output of our tool, on how to distinguish certain processes. The results match the (in)equivalences given in [vG01]. In some cases, the tool finds slightly better ways of distinction using impossible futures equivalence, which was not known at the time of the original paper. All the computed formulas are reasonably small. For each of the examples (from papers) we have considered, the browser's capacities sufficed to run the algorithm with pruning in 30 to 250 milliseconds. This does not mean that one should expect the algorithm to work for systems with thousands of states. There, the exponentialities of game and formula construction would hit. However, such big instances would usually stem from preexisting models where one would very much hope for the designers to already know under which semantics to interpret their model. The practical applications of our browser tool are more on the research side: When devising compiler optimizations, encodings, or distributed algorithms, it can be very handy to fully grasp the equivalence structure of isolated instances. The Linear-Time-Branching-Time Spectroscope supports this process.

4.2. A Spectroscopy Browser Game. In order to make the spectroscopy game more explainable, Trzeciakiewicz [Trz21] implemented the computer game "The Spectroscopy Invaders" where one plays the attacker. A play of the game corresponds to constructing a distinguishing formula. To reach higher scores, one has to construct minimal formulas in the sense of this paper. Under the hood, a TypeScript implementation of Algorithm 2 is used. The game can be played in the browser at https://concurrency-theory.org/ltbt-game/.
A screenshot of the game is given in Figure 8. The player's task is to distinguish w.(r+y.y) (left) from w.(r + y) + w.y.y (right). The current game position is (r + y.y, {r + y, y.y}) a , as indicated by the human figure in the left LTS and the two elves in the right LTS. The player can click the "conjunction" button, which will split the position into (r + y.y, {r + y}) a
Trzeciakiewicz [Trz21] limits the scope to trace, failure, possible-future, simulation, and bisimulation equivalences, excluding readiness, ready traces, and failure traces. In effect, the spectrum can be relieved of the issues that come from situations where positive deep branches in a conjunction have to be counted. This is another way of circumventing the problems discussed in Subsection 3.8. In particular, this allows the game mechanics to stay clear of non-trivial partitions, as they did originally in [BN21].
Moreover, the game is single-player: there is no defender picking a conjunction answer. Instead, the attacker has to name attacks for every right-hand state. Due to nested conjunctions, the game positions thus actually are sets of (p, Q) a tuples.

Related Work and Alternatives
The game and the algorithm presented fill a blank spot in between the following previous directions of work:
Distinguishing Formulas in General. Cleaveland [Cle91] showed how to restore (small but non-minimal) distinguishing formulas for bisimulation equivalence from the execution of a bisimilarity checker based on the splitting of blocks. He mentioned as possible future work to extend the construction to other notions of the spectrum. We are not aware of any place where this has previously been done completely. Korver [Kor92] extended this work to branching bisimulation; he needed to extend HML with an until modality that restricts intermediate internal steps. For example, ϕ 1 a ϕ 2 means "the current state can take an a-step to a state that satisfies ϕ 2 , while every intermediate state visited before the a-step satisfies ϕ 1 ." However, the algorithm in [Kor92] would not always produce a minimal formula in any sense. There are related islands like the encoding between CTL and failure traces by Bruda and Zhang [BZ10]. There is also more recent work like Jasper et al. [JSS20] extending to the generation of characteristic invariant formulas for bisimulation classes, and like Wißmann et al. [WMS21] about generating distinguishing formulas for bisimulation in a general coalgebraic setting. Previous algorithms for bisimulation inequivalence tend to generate formulas that alternate a and [b] ≡ ¬ b ¬ observations. Such formulas cannot as easily be linked to the spectrum as ours.
Game Characterizations of the Spectrum. After Shukla et al. [SHR96] had shown how to characterize many notions of equivalence by HORNSAT games, Chen and Deng [CD08] presented a hierarchy of games characterizing all the equivalences of the linear-time-branching-time spectrum. The games from [CD08] allow word moves and thus are infinite already for finite transition systems with cycles. Therefore, they cannot be applied as easily as ours in algorithms. Constructing distinguishing formulas from attacker strategies of these games would be less convenient than in our solution. Their parametric approach is comparable to fixing maximal price budgets ex ante. Our on-the-fly picking of minimal prices provides more flexibility.
Using Game Characterizations for Distinguishing Formulas. There is recent work by Mika-Michalski et al. [KMS20] on constructing distinguishing formulas using games in a more abstract coalgebraic setting focussed on the absence of bisimulation. The game and formula generation there, however, cannot easily be adapted for our purpose of performing a spectroscopy also for weaker notions.
Generalizations of the Spectrum. As a by-product of our work, Subsection 2.4 has recharted the linear-time-branching-time spectrum in a way that corresponds nicely with our algorithm. Each coordinate in the price lattice can be seen as characterizing a conceivable notion of equivalence. Thus, this characterization generalizes (a part of) the [vG01]-spectrum. For instance, we have not considered the revivals semantics [Ros09], but it can easily be characterized by e R e FT = (∞, 1, 0, 1, 1, 1). So let us briefly mention important generalizations of the spectrum. For instance, Lange et al. [LLV14] introduce a higher-order dyadic µ-calculus where each single formula characterizes a notion of equivalence. This, too, allows a more unified computational treatment of the spectrum's members and many conceivable siblings.
The most complete observational generalization of [vG01] has been provided by de Frutos Escrig et al. [dFGPR13]. Their main dimensions are five layers of simulation, which correspond to classes of localizable annotations on an observation tree (viz.: no local observations, deadlock detection, enabled actions, enabled traces, enabled trees), and in which way to compare these annotations. The second main dimension actually is a combination of 5 to 9 sub-dimensions: (1) whether to compare only along one linear path, deterministic branching paths or all branching paths, whether to check for (2) superset and/or (3) subset relationship between annotations, and whether to do (each of) this (4) along the paths and/or (5) at the leaves of observation trees. Their lattice not only covers interesting notions of equivalence unreachable by ours (for instance impossible-futures-along-a-trace), but is also nicely linked to a unified system of axiomatic characterizations. Still, their characterization is less general than our price lattice in other regards. For instance, it cannot cover counting equivalences like i-step bisimilarity, (i, ∞, ∞, ∞, ∞, ∞) or n-nested similarity.
Apartness and Simulation Distances. Published around the same time as the conference version of the present paper, Geuvers and Jacobs [GJ21] discussed apartness as the inductively defined dual of bisimulation. This is closely related to the approach of the present paper. We also tackle the hierarchy of equivalence problems by rather addressing the dual question of how easy it is to tell two processes apart. In this view, the expressiveness prices output by our algorithm provide information on "how far apart" two models are.
Another view on "how far apart" models are is provided by (bi)simulation distances as researched by Černý et al. [ČHR12], and by Romero Hernández and de Frutos Escrig [RdF12]. In this line of work, distances quantify how many and how relevant changes need to be made to a process in order to make it equivalent to another process with respect to a fixed semantics. This is orthogonal to what we are doing: Bisimulation distances are about "how much cheating" in a (bi)simulation game the defender would need to win. Our multidimensional discrete expressiveness prices are about "how much semantics" the attacker needs to win in a bisimulation game without cheating.
Alternatives. One can also find the finest notion of equivalence between two states by gradually minimizing the transition system with ever coarser equivalences from bisimulation to trace equivalence until the states are conflated (possibly also trying branches of the spectrum). Within a big tool suite of highly optimized algorithms this should be quite efficient. We preferred the game approach, because it can uniformly be extended to the whole spectrum and also has the big upside of explaining the in-equivalences by distinguishing formulas.
A variation of our approach, which we have already tried, is to run the formula search on a directed acyclic subgraph of the winning strategy graph. For our purpose of finding most fitting equivalences, DAG-ification may preclude the algorithm from finding the right formulas. On the other hand, if one for instance is mainly interested in a short distinguishing formula with low depth, one can speed up the process with DAG-ification by the order of remaining game rounds.
Optimizations. The algorithm in this article has more than exponential time complexity. To improve on that, one could reduce the number of conjunct challenges generated as follows. First one only explores the finest conjunct challenge move $(p, Q)_a$ ∧ $(p, \{\{q\} \mid q \in Q\})_d$, and if that succeeds and leads to a formula with multiple positive branches, one only needs to explore one or two additional conjunct challenges to find out whether there is a formula with a single positive (deep) branch. Only formulas with one positive (deep) branch may be in a smaller language than the previously found formula. This faster variant would still generate distinguishing formulas from the cheapest languages (i.e. they solve Problem 3.1) but these formulas are not always the cheapest ones in themselves (i.e. they do not solve Problem 3.2). This would require interleaving the game graph construction (line 2 of our Algorithm 2) with the generation of distinguishing formulas (lines 5-20).
There are some other avenues for small optimizations: For instance, the pruning of Definition 3.12 can be changed to take game positions into account. If the right-hand state set Q of $(p, Q)_a$ has more than one element, dominated formulas can be pruned regardless of their kind. Also, the game construction can be sped up a bit by stopping the construction of attacker moves in positions that cannot be winning for the attacker. In particular, this is the case for $(p, Q)_a$ if p ∈ Q. The downside of this is that it becomes a little more difficult to retrieve a proper bisimulation relation in positions where the attacker does not win.

Conclusion
In this paper, we have established a convenient way of finding distinguishing formulas that use a minimal amount of expressiveness.
System analysis tools can employ the algorithm to tell their users in more detail how equivalent two process models are. While the generic approach is costly, instantiations to more specific, symbolic, compositional, on-the-fly or depth-bounded settings may enable wider applications. There are also some algorithmic tricks (like building the concrete formulas only after having found the price bounds and heuristics in handling the game graph) we have not explored in this paper.
More clever ways of characterizing the spectrum, the formula prices, and instances of admissible pruning might further improve the applicability of the approach.
So far, we have only looked at strong notions of equivalence [vG90]. It is an interesting question how to extend our algorithm, so it also deals with weak notions of equivalence [vG93]. These equivalences abstract over τ-actions representing "internal activity" and correspond to observation languages with a special temporal -observation (cf. [GFM20]). Such an extension would generalize work on weak game characterizations such as de Frutos Escrig et al.'s [dFKW17] and our own [BN19, BNP20, BM21, SMJ16].
A roadblock to expanding the approach to the weak spectrum lies in the fact that, with the conventional modal characterizations of the weak equivalences, the observation languages are not closed. Subformulas would need to be more expensive than their parent formulas. For instance, a T is a valid weak trace observation but its subformula a T is not. In order to apply our algorithm, one would need a different modal language, perhaps similar to Korver's until operator [Kor92].
The vision is to arrive at one certifying algorithm that can yield finest equivalences and cheapest distinguishing formulas as witnesses for the whole spectrum.