Efficient Normalization of Linear Temporal Logic

In the mid 1980s, Lichtenstein, Pnueli, and Zuck proved a classical theorem stating that every formula of Past LTL (the extension of Linear Temporal Logic (LTL) with past operators) is equivalent to a formula of the form \(\bigwedge _{i=1}^n {\mathbf {G}}{\mathbf {F}}\varphi _i \vee {\mathbf {F}}{\mathbf {G}}\psi _i\) , where φi and ψi contain only past operators. Some years later, Chang, Manna, and Pnueli built on this result to derive a similar normal form for LTL. Both normalization procedures have a non-elementary worst-case blow-up, and follow an involved path from formulas to counter-free automata to star-free regular expressions and back to formulas. We improve on both points. We present direct and purely syntactic normalization procedures for LTL, yielding a normal form very similar to the one by Chang, Manna, and Pnueli, that exhibit only a single exponential blow-up. As an application, we derive a simple algorithm to translate LTL into deterministic Rabin automata. The algorithm normalizes the formula, translates it into a special very weak alternating automaton, and applies a simple determinization procedure, valid only for these special automata.


INTRODUCTION
In the late 1970s, Amir Pnueli introduced Linear Temporal Logic (LTL) into computer science as a framework for specifying and verifying concurrent programs [41,42], a contribution that earned him the 1996 Turing Award. During the 1980s and the early 1990s, Pnueli et al. proceeded to study the properties expressible in LTL. In 1985, Lichtenstein, Pnueli and Zuck introduced a classification of LTL properties [25], later described in detail by Manna and Pnueli in two famous monographs [30,31], where they also gave it its current name, the safety-progress hierarchy (see also [40] for a brief account). The safety-progress hierarchy consists of a safety class of formulas and five progress classes. The classes are defined semantically in terms of their models, and the largest class, called the reactivity class in [30,31], contains all properties expressible in LTL. Manna and Pnueli provide syntactic characterizations of each class. In particular, they state a fundamental theorem showing that every reactivity property is expressible as a conjunction of formulas of the form GFφ ∨ FGψ, where Fφ and Gφ mean that φ holds at some and at every point in the future, respectively, and φ, ψ only contain past operators. Manna and Pnueli call this the normal form for Past LTL.
Technically, the works above consider Past LTL, an extension of LTL with past operators. In 1992, Chang, Manna, and Pnueli presented a different and very elegant characterization of the safety-progress hierarchy in terms of standard LTL, the logic containing only the future operators X (next), U (until), and W (weak until) [8]. They showed that every reactivity formula is equivalent to a formula of the class Δ2 defined below. However, their normalization procedure uses the translation of expressions to Past LTL as a subroutine, and so it is at least as complex as the one of [25,50].
• A normalization procedure for LTL of elementary complexity can be obtained by combining work by Maler and Pnueli on the Krohn-Rhodes decomposition [27][28][29] with a recent result by Boker, Lehtinen and Sickert on translating automata back into LTL (when possible) [2]. The procedure has three steps. First, the formula is translated into a deterministic ω-regular automaton using e.g. Safra's double-exponential construction [44]. Second, this automaton is translated into an equivalent deterministic and counter-free automaton, using the single-exponential construction of [28]. Finally, this automaton is translated into a Δ2-formula using the triple-exponential construction of [2]. This combination of constructions yields an elementary normalization procedure, which moreover produces an equivalent formula at the smallest possible level of the safety-progress hierarchy. However, the procedure is indirect and has high complexity. In particular, while future work may improve the blow-up of the last two steps, the double-exponential bound on the translation of LTL into deterministic ω-automata is tight. Therefore, any procedure that constructs a deterministic ω-automaton as an intermediate step must have at least double-exponential complexity.
• In [43] and [19], Reynolds and Guelev give direct proofs of the normalization theorem for Past LTL that do not require translating formulas into automata. Both proofs rely on different versions of Gabbay's famous separation theorem, stating that every formula of Past LTL is equivalent to a Boolean combination of past and future formulas [15,17]. Gabbay's theorem is proved by means of equivalence-preserving syntactic transformations, and so are the proofs of [19,43]. However, the only known upper bound on the blow-up in the size of the formula produced by Gabbay's separation procedure is non-elementary. Oliveira and Rasga give a double-exponential separation algorithm for a fragment of Past LTL that restricts the nesting of the since and until operators [38].
Manuscript submitted to ACM

It is remarkable that, despite the prominence of the safety-progress hierarchy in the work of Manna and Pnueli, the complexity of normalization procedures has not been studied further, even though no lower bound on the blow-up they involve is known. In particular, and contrary to the case of propositional and first-order logic, where efficient normalization algorithms for conjunctive and clausal normal form are an essential part of SAT and first-order theorem provers, normalization has not been used in LTL to obtain more efficient algorithms for satisfiability, model-checking, or synthesis tasks. This paper contains three main results that, in our opinion, completely change this situation: (1) A simple proof of the Normalization Theorem for LTL. The proof is direct (it does not require any knowledge of automata or regular expressions), gives a clear intuitive explanation of why normalization is possible, and yields a closed form for the normalized formula with single-exponential blow-up.
(2) An efficient normalization algorithm. The normalization procedure given in (1) has exponential best-case complexity, and is not goal-oriented, in the sense that it does not concentrate only on those parts of the formula that do not belong to Δ2.
We provide a normalization algorithm consisting of six rewrite rules that solves these problems.In particular, the rewrite rules can be applied locally to "offending subformulas".
(3) A novel translation of LTL into deterministic Rabin automata (DRW) that exploits the results of (1) and (2). The translation normalizes the formula and then transforms it into an alternating Rabin automaton with at most one alternation between accepting and non-accepting states (A1W1). This automaton is determinized by means of a novel, dedicated algorithm for A1W1, with better properties than Safra's construction [44]. In particular, the states of the DRW are pairs of sets of states of the A1W1, instead of trees of sets of states, as would be the case with Safra's construction. This simpler state structure leads to smaller DRW.
At the heart of our first result is a novel technique, interesting in its own right, called contextual normalization. Loosely speaking, in order to normalize a formula φ interpreted on infinite words over some given alphabet Σ, the technique constructs a finite cover of the set Σ^ω. This is achieved by carefully selecting a set B of formulas, called a basis. The cover contains one set of words W_M for every M ⊆ B, defined as the set of words satisfying all formulas of M and none of B \ M. For every M ⊆ B, we find a formula φ_M of Δ2 equivalent to φ over all words of W_M (that is, every word of W_M satisfies either both formulas or none). Intuitively, φ_M is equivalent to φ in the context of M. Then we "patch together" these formulas to obtain a formula equivalent to φ on all words.
The second result shows that LTL formulas can also be normalized by means of a rewrite system, just as one brings a Boolean formula into CNF; the only difference is the need for contextual rewrite rules, specifying that a subformula of a formula can only be rewritten if the formula has a certain form.
The third result shows that, on top of the central role it plays in the work of Manna and Pnueli, normalization can lead to novel algorithms for questions in the theory and applications of LTL that continue to be investigated today. In particular, efficient translations from LTL to automata exhibiting different degrees of nondeterminism are being intensely studied, due to their applications to controller synthesis and probabilistic model checking, among others (see e.g. [4,5,11,12,21,22]). The translation of (3) based on normalization has already become part of the Owl library for ω-automata [23] and is used in the Strix synthesis tool [34].
The paper is structured as follows. Section 2 introduces the syntax and semantics of LTL. Section 3 introduces Manna and Pnueli's safety-progress hierarchy-following the notation of Černá and Pelánek [6]-and recalls the Normalization Theorem presented in [8,25,30]. Section 4 presents our novel proof of the theorem based on contextual equivalence, and in particular Theorem 4.22 on page 14, our first normalization procedure. Section 5 describes a normalizing rewrite system for LTL consisting of the rules presented in Tables 1 and 2 on page 25. Section 6 introduces a translation from LTL to deterministic Rabin automata based on normalization, summarized in Theorem 6.16 on page 35. Section 7 shows a tight correspondence between the classes of the safety-progress hierarchy and weak alternating automata. Section 8 contains some conclusions.
Remark. This paper is a revised and extended version of previous work by the authors published in [13,46]. Results (1) and (3) above were first presented in [46], and result (2) in [13].

PRELIMINARIES
Let Σ be a finite alphabet. A word over Σ is an infinite sequence of letters σ0σ1σ2... with σi ∈ Σ for all i ≥ 0. A finite word is a finite sequence of letters. The set of all words (finite words) is denoted Σ^ω (Σ*). We let w[i] (starting at i = 0) denote the i-th letter of a word w.

Syntax and semantics of Linear Temporal Logic
Formulas of Linear Temporal Logic (LTL) over a finite set Ap of atomic propositions are constructed by the following syntax:

φ ::= tt | ff | a | ¬φ | φ ∧ φ | φ ∨ φ | Xφ | φ U φ | φ W φ | φ R φ | φ M φ     (1)

where a ∈ Ap is an atomic proposition and X, U, W, R, and M are the next, (strong) until, weak until, (weak) release, and strong release operators, respectively. Further, we use the standard abbreviations Fφ ≔ tt U φ (eventually) and Gφ ≔ φ W ff (always).
The size of a formula is the number of nodes of its syntax tree.
Formulas are interpreted on words over the alphabet Σ ≔ 2^Ap. Let w be such a word, let w_i denote the suffix w[i]w[i+1]..., and let φ be a formula. The satisfaction relation |= is inductively defined as the smallest relation satisfying:

w |= tt for every w
w ⊭ ff for every w
w |= a iff a ∈ w[0]
w |= ¬φ iff w ⊭ φ
w |= φ ∧ ψ iff w |= φ and w |= ψ
w |= φ ∨ ψ iff w |= φ or w |= ψ
w |= Xφ iff w_1 |= φ
w |= φ U ψ iff w_j |= ψ for some j ≥ 0 and w_i |= φ for all i < j
w |= φ W ψ iff w |= φ U ψ or w_i |= φ for all i ≥ 0
w |= φ R ψ iff for all j ≥ 0, either w_j |= ψ or w_i |= φ for some i < j
w |= φ M ψ iff w_j |= φ ∧ ψ for some j ≥ 0 and w_i |= ψ for all i < j

We let L(φ) ≔ {w ∈ Σ^ω : w |= φ} denote the language of φ. Two formulas φ and ψ are equivalent, denoted φ ≡ ψ, if L(φ) = L(ψ).
We overload the definition of |= and write φ |= ψ as a shorthand for L(φ) ⊆ L(ψ).
Monotonic and dual operators. An operator P of arity n ≥ 0 is monotonic if L(P(φ1,...,φn)) ⊆ L(P(ψ1,...,ψn)) whenever L(φi) ⊆ L(ψi) for every 1 ≤ i ≤ n. It is easy to see that all operators of the syntax, with the exception of negation, are monotonic. Two operators P and P̄ of arity n are dual if ¬P(φ1,...,φn) ≡ P̄(¬φ1,...,¬φn) for all formulas φ1,...,φn. It is easy to see that tt and ff, ∨ and ∧, U and R, and W and M are dual, and X is self-dual.

Negation normal form.
A formula is in negation normal form if negations appear only in front of atomic propositions. In other words, the syntax of formulas in negation normal form is obtained by substituting ¬a for ¬φ in (1).
The following result is folklore:

Proposition 2.1. Every formula φ of size n has an equivalent formula in negation normal form of size O(n). Further, for every formula φ in negation normal form of size n there exists a formula φ̄ in negation normal form of size n such that ¬φ ≡ φ̄.
Proof. Formulas are put in negation normal form by "pushing negations" across all operators using the duality relations, e.g. ¬(φ1 U φ2) is replaced by ¬φ1 R ¬φ2. These transformations only increase the size of the formula by one unit, and so the formula in negation normal form has size O(n). The formula φ̄ is defined inductively using the duality relations, e.g. the dual of φ1 U φ2 is φ̄1 R φ̄2 and the dual of Xφ is X φ̄, etc.; these transformations preserve the size of the formula.
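The two transformations of Proposition 2.1 can be sketched in code. The following is a minimal illustration (the encoding of formulas as nested tuples and the function names are ours, not part of the development): `nnf` pushes negations down to atomic propositions, and `dual` computes the negation of a formula already in negation normal form via the duality relations of Section 2.

```python
# A minimal sketch (our own encoding): LTL formulas as nested tuples,
# e.g. ('U', ('ap', 'a'), ('ap', 'b')) encodes "a U b".
# Dual pairs from Section 2: tt/ff, AND/OR, U/R, W/M; X is self-dual.
DUAL = {'tt': 'ff', 'ff': 'tt', 'and': 'or', 'or': 'and',
        'U': 'R', 'R': 'U', 'W': 'M', 'M': 'W', 'X': 'X'}

def nnf(phi):
    """Push negations down to atomic propositions (Proposition 2.1)."""
    op = phi[0]
    if op == 'not':
        return dual(nnf(phi[1]))       # ¬φ becomes the dual of nnf(φ)
    if op in ('tt', 'ff', 'ap', 'notap'):
        return phi
    return (op,) + tuple(nnf(arg) for arg in phi[1:])

def dual(phi):
    """The negation of an NNF formula, via the duality relations."""
    op = phi[0]
    if op in ('tt', 'ff'):
        return (DUAL[op],)
    if op == 'ap':
        return ('notap', phi[1])
    if op == 'notap':
        return ('ap', phi[1])
    return (DUAL[op],) + tuple(dual(arg) for arg in phi[1:])

# ¬(a U b) becomes ¬a R ¬b, as in the proof above:
print(dual(('U', ('ap', 'a'), ('ap', 'b'))))
# → ('R', ('notap', 'a'), ('notap', 'b'))
```

Note that `dual` does not change the size of the formula, matching the second part of the proposition.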
Convention: In the rest of the paper we assume, without explicit mention, that formulas are in negation normal form. Abusing language, we call φ̄ the negation of φ.

THE SAFETY-PROGRESS HIERARCHY
We recall the definition of the safety-progress hierarchy, the hierarchy of temporal properties studied by Manna and Pnueli [30].
We follow the formulation of Černá and Pelánek [6]. The definition of the hierarchy formalizes the intuition that e.g. a safety property is violated by an execution iff one of its finite prefixes is "bad" or, equivalently, satisfied by an execution iff all its finite prefixes belong to a language of good prefixes. In the ensuing sections we describe structures that have a direct correspondence to this hierarchy, and in this sense the hierarchy provides a map to navigate the results of this paper.

Definition 3.1 ([6,30]). Let P ⊆ Σ^ω be a property over Σ.
• P is a safety property if there exists a language of finite words L ⊆ Σ* such that w ∈ P iff all finite prefixes of w belong to L.
• P is a guarantee property if there exists a language of finite words L ⊆ Σ* such that w ∈ P iff there exists a finite prefix of w which belongs to L.
• P is an obligation property if it can be expressed as a positive Boolean combination of safety and guarantee properties.
• P is a recurrence property if there exists a language of finite words L ⊆ Σ* such that w ∈ P iff infinitely many prefixes of w belong to L.
• P is a persistence property if there exists a language of finite words L ⊆ Σ* such that w ∈ P iff all but finitely many prefixes of w belong to L.
• P is a reactivity property if P can be expressed as a positive Boolean combination of recurrence and persistence properties.
The inclusions between these classes are shown in Figure 1a. Chang, Manna, and Pnueli give in [8] a syntactic characterization of the classes in terms of the following fragments of LTL:

Definition 3.2 (Adapted from [6]). We define the following classes of LTL formulas: • The class Σ0 = Π0 = Δ0 is the least set of formulas containing tt, ff, and all atomic propositions and their negations, and that is closed under the application of conjunction and disjunction.
• The class Σ_{i+1} is the least set of formulas containing Π_i that is closed under the application of conjunction, disjunction, and the X, U, and M operators.
• The class Π_{i+1} is the least set of formulas containing Σ_i that is closed under the application of conjunction, disjunction, and the X, R, and W operators.
• The class Δ_{i+1} is the least set of formulas containing Σ_{i+1} and Π_{i+1} that is closed under the application of conjunction and disjunction.
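For illustration (the examples are ours, placed according to the standard readings of the classes), one representative formula per class:

```latex
% Illustrative examples, one per class of Definition 3.2:
\begin{align*}
\mathbf{F} a &\in \Sigma_1 \text{ (guarantee)} &
\mathbf{G} a &\in \Pi_1 \text{ (safety)} \\
\mathbf{F} a \wedge \mathbf{G} b &\in \Delta_1 \text{ (obligation)} &
\mathbf{F}\mathbf{G} a &\in \Sigma_2 \text{ (persistence)} \\
\mathbf{G}\mathbf{F} a &\in \Pi_2 \text{ (recurrence)} &
\mathbf{G}\mathbf{F} a \vee \mathbf{F}\mathbf{G} b &\in \Delta_2 \text{ (reactivity)}
\end{align*}
```

Recall that F a abbreviates tt U a and G a abbreviates a W ff, which is how the examples land in the Σ- and Π-sides of each level.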
Observe the behavior of the classes under negation. Given a set of formulas Γ, let Γ̄ = {φ̄ | φ ∈ Γ}. By the definition of φ̄ we have:

Proposition 3.3. Σ̄_i = Π_i, Π̄_i = Σ_i, and Δ̄_i = Δ_i for every i ≥ 0.
In particular, Proposition 3.3 shows that a formula φ is equivalent to a formula of Δ2 iff φ̄ is.
The following result, a corollary of the proof of [8, Thm. 8], shows that the safety-progress hierarchy and the syntactic hierarchy of Definition 3.2 coincide:

Theorem ([8]). A property that is specifiable in LTL is a guarantee (safety, obligation, persistence, recurrence, reactivity, respectively) property if and only if it is specifiable by a formula from the class Σ1 (Π1, Δ1, Σ2, Π2, Δ2, respectively).

Together with the result of [25], stating that every formula of LTL is equivalent to a reactivity formula, Chang, Manna, and Pnueli obtain:

Theorem ([8,25,30]). Every LTL formula is equivalent to a formula of Δ2.

A SIMPLE PROOF OF THE NORMALIZATION THEOREM
We present a simple proof of the Normalization Theorem.

Contextual equivalence
Consider the formula φ = FG(a U b). It does not belong to Δ2, because of the alternation F-G, followed by the alternation G-U.
Let us see how to find an equivalent formula of Δ2. We consider the formula GF b, and argue (informally!) as follows: • For words that do not satisfy GF b, φ is equivalent to ff. Indeed, if w ⊭ GF b, then b holds at only finitely many suffixes of w, and so a U b also holds at finitely many suffixes only. So w cannot satisfy FG(a U b).
• For words that satisfy GF b, φ is equivalent to FG(a W b). Indeed, if a word w satisfies GF b, then every suffix of w satisfies F b, and so w_i |= a U b iff w_i |= a W b holds for every i ≥ 0.
We say that φ is equivalent to FG(a W b) in the context of GF b, and equivalent to ff in the context of FG ¬b. We get FG(a U b) ≡ (GF b ∧ FG(a W b)) ∨ (FG ¬b ∧ ff) ≡ GF b ∧ FG(a W b). Due to the elimination of U, this is a formula of Δ2.
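The contextual reasoning above can also be checked mechanically on ultimately periodic words, over which LTL satisfaction is decidable by inspecting finitely many suffixes. The following sketch (a testing harness of our own; the tuple encoding and function names are not part of the development) confirms the equivalence FG(a U b) ≡ GF b ∧ FG(a W b) on a sample of lasso words u·v^ω:

```python
from itertools import product

# Formulas as nested tuples; a word is a lasso w = u v^ω with u, v lists
# of letter-sets. Positions 0..len(u)+len(v)-1 suffice: position i steps
# to i+1, wrapping from the last position back to len(u).
def step(i, u, v):
    return i + 1 if i + 1 < len(u) + len(v) else len(u)

def letter(i, u, v):
    return u[i] if i < len(u) else v[i - len(u)]

def path(i, u, v):
    """The (finitely many) positions reachable from i, in visit order."""
    seen, out = set(), []
    while i not in seen:
        seen.add(i); out.append(i); i = step(i, u, v)
    return out

def sat(phi, i, u, v):
    op = phi[0]
    if op == 'tt': return True
    if op == 'ff': return False
    if op == 'ap': return phi[1] in letter(i, u, v)
    if op == 'notap': return phi[1] not in letter(i, u, v)
    if op == 'and': return sat(phi[1], i, u, v) and sat(phi[2], i, u, v)
    if op == 'or': return sat(phi[1], i, u, v) or sat(phi[2], i, u, v)
    if op == 'X': return sat(phi[1], step(i, u, v), u, v)
    if op == 'G': return all(sat(phi[1], j, u, v) for j in path(i, u, v))
    if op == 'F': return any(sat(phi[1], j, u, v) for j in path(i, u, v))
    if op == 'U':  # phi1 must hold up to the first position where phi2 holds
        for j in path(i, u, v):
            if sat(phi[2], j, u, v): return True
            if not sat(phi[1], j, u, v): return False
        return False
    if op == 'W':  # weak until: U or G
        return sat(('U',) + phi[1:], i, u, v) or sat(('G', phi[1]), i, u, v)
    raise ValueError(op)

a, b = ('ap', 'a'), ('ap', 'b')
lhs = ('F', ('G', ('U', a, b)))                            # FG(a U b)
rhs = ('and', ('G', ('F', b)), ('F', ('G', ('W', a, b))))  # GFb ∧ FG(aWb)

letters = [set(), {'a'}, {'b'}, {'a', 'b'}]
for u in product(letters, repeat=2):
    for v in product(letters, repeat=2):
        assert sat(lhs, 0, list(u), list(v)) == sat(rhs, 0, list(u), list(v))
print("equivalence confirmed on all sampled lassos")
```

The check over lassos of a fixed shape is of course only a sanity test, not a proof; the proof is the contextual argument above.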
We can proceed dually with the formula φ = GF(a W b). We consider the formula FG a, and argue as follows: • In the context of FG a, φ is equivalent to tt. Indeed, if w |= FG a, then there is a suffix of w such that a W b holds at all of its suffixes, and so in particular at infinitely many suffixes of w.
• In the context of GF ¬a, φ is equivalent to GF(a U b). Indeed, if w |= GF ¬a, then no suffix of w satisfies G a, and so w_i |= a W b iff w_i |= a U b for every i ≥ 0.

We get GF(a W b) ≡ (FG a ∧ tt) ∨ (GF ¬a ∧ GF(a U b)). Due to the elimination of W, this is a formula of Δ2.
Our normalization strategy follows this pattern. Given a formula φ, we define a basis B of formulas, and consider all contexts M ⊆ B. Intuitively, a context M corresponds to a region of the set of all words, containing the words satisfying all formulas of M and none of B \ M or, equivalently, all dual formulas of the formulas in B \ M. For every context M we find a formula φ_M of Δ2 equivalent to φ over all words of the corresponding region. Then we "patch together" these formulas to obtain a formula of Δ2 that is equivalent to φ everywhere.
We formalize this idea in two steps. First we state and prove the Weak Contextual Equivalence Lemma, which is enough to normalize simple formulas like FG(a U b) and GF(a W b). In the second step we state and prove the Contextual Equivalence Lemma, which presents a technique to normalize arbitrary formulas.
Fix a set Ap of atomic propositions, and let U be the set of all words over 2^Ap. We collect some simple properties for later use:

Proof. We proceed as follows: (1) Follows immediately from the definition.
(2) Let w ∈ W_{B'|M'}. By definition we have w |= ψ for all ψ ∈ M' and w |= ψ̄ for all ψ ∈ B' \ M'. So w |= ψ for all ψ ∈ M' ∩ B and w |= ψ̄ for all ψ ∈ B \ (M' ∩ B). By definition, w ∈ W_{B|(M' ∩ B)}.

The Weak Contextual Equivalence Lemma only shows how to normalize formulas under the assumption that one already knows how to normalize the formulas of the basis B. Indeed, if B contains formulas that are not in Δ2, then for any M ⊆ B containing such formulas the conjunction of the formulas of M is also not in Δ2. But how can one normalize these formulas of B? The obvious idea is to recursively apply the lemma: find a second basis B' of "simpler" formulas, reduce the problem of normalizing B to normalizing B', and iterate until a basis containing only formulas of Δ2 is reached. The Contextual Equivalence Lemma follows this idea, but also improves on it; instead of a sequence of bases, it only assumes a unique well-founded basis.
Definition 4.5. Let B be a basis and (≺) ⊆ B × B a well-founded order on B. We say that (B, ≺) is a well-founded basis. Given a basis formula ψ ∈ B, we let ψ↓ denote the set {ψ' ∈ B | ψ' ≺ ψ}.
Intuitively, after applying weak contextual equivalence to φ with basis B, we may need to apply it again to the formulas ψ ∈ B. But with which basis? The answer is: with the (well-founded) basis ψ↓. Well-foundedness guarantees that this process terminates. The Contextual Equivalence Lemma also adds to the assumptions (i) and (ii) on φ similar assumptions (iii) and (iv) on the formulas ψ ∈ B. In the rest of the section we prove the Normalization Theorem by instantiating the Contextual Equivalence Lemma as follows: • In Section 4.2, we define a well-founded basis (B_φ, ≺) for a given formula φ. Loosely speaking, B_φ contains formulas of the form GFψ and FGψ for certain subformulas ψ of φ. Further, ≺ is induced by the subformula order: given basis formulas O(ψ) and O'(ψ'), where O, O' ∈ {GF, FG}, we say O(ψ) ≺ O'(ψ') if ψ is a proper subformula of ψ'.
• In Section 4.3, we define formulas (FGψ)|_M and (GFψ)|_M of Δ2 for all basis formulas FGψ, GFψ ∈ B_φ, and for every M ⊆ (FGψ)↓ (respectively M ⊆ (GFψ)↓). We prove that these formulas satisfy conditions (iii) and (iv) of the Contextual Equivalence Lemma.
• In Section 4.3.2, we define a formula φ|_M ∈ Δ2 for every M ⊆ B_φ, and prove that it satisfies conditions (i) and (ii) of the Contextual Equivalence Lemma.
The Contextual Equivalence Lemma then yields that φ is equivalent to a Boolean combination of these formulas. Since Δ2 is closed under Boolean combinations, we obtain a contextual normalization procedure.

Contextual Normalization I: The well-founded basis (B_φ, ≺)

In our introductory example at the beginning of Section 4.1, we normalized the formula FG(a U b) with the help of a case distinction: for words satisfying GF b the formula is equivalent to FG(a W b), and for words that do not satisfy GF b the formula is equivalent to ff.
This works because b is the right child of the until operator; indeed, a case distinction on GF a does not work. Similarly, we normalize the formula GF(a W b) by a case distinction on FG a, and we succeed because a is the left child of the weak until. This motivates the following definition of a well-founded basis for a given formula:

Definition 4.8. Let φ be a formula and let sf(φ) denote the set of subformulas of φ. We define B_φ ≔ GF_φ ∪ FG_φ, where

GF_φ := {GF ψ2 | ψ1 U ψ2 ∈ sf(φ)} ∪ {GF ψ1 | ψ1 M ψ2 ∈ sf(φ)}
FG_φ := {FG ψ1 | ψ1 W ψ2 ∈ sf(φ)} ∪ {FG ψ2 | ψ1 R ψ2 ∈ sf(φ)}

Further, we define a well-founded partial order (≺) ⊆ B_φ × B_φ as follows: for every O, O' ∈ {GF, FG}, O(ψ) ≺ O'(ψ') iff ψ is a proper subformula of ψ'.

Contextual Normalization II: The formulas (FGψ)|_M and (GFψ)|_M

For all basis formulas FGψ, GFψ ∈ B_φ and for all M ⊆ (FGψ)↓ (respectively M ⊆ (GFψ)↓), we define formulas (FGψ)|_M and (GFψ)|_M and prove that the definitions satisfy conditions (iii) and (iv) of the Contextual Equivalence Lemma. We define (FGψ)|_M and prove its properties in Section 4.3.1, and do the same for (GFψ)|_M in Section 4.3.2.

4.3.1 The formula (FGψ)|_M. Loosely speaking, we define (FGψ)|_M in two steps: first, we assign to ψ a formula ψ_M of Π1, and then set (FGψ)|_M ≔ FG(ψ_M).

Definition 4.10. Let FGψ ∈ FG_φ be a formula, and let M ⊆ (FGψ)↓. Further, let ψ_M be the formula inductively defined as follows. If ψ = tt, ff, a, ¬a then ψ_M := ψ. For the operators ∨, ∧, X, W, and R, the formula ψ_M is defined homomorphically. For the operators U and M we set

(ψ1 U ψ2)_M ≔ (ψ1)_M W (ψ2)_M if GF ψ2 ∈ M, and (ψ1 U ψ2)_M ≔ ff otherwise, and
(ψ1 M ψ2)_M ≔ (ψ1)_M R (ψ2)_M if GF ψ1 ∈ M, and (ψ1 M ψ2)_M ≔ ff otherwise.

We define (FGψ)|_M ≔ FG(ψ_M).
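Definition 4.10 can be read operationally as a substitution on the syntax tree. The following sketch mirrors our reading of its U and M clauses (the encoding is ours; the set `M` is represented by the subformulas χ for which GF χ is assumed to belong to the context):

```python
# Sketch of the substitution of Definition 4.10 (our reading): given the
# context M (here: the set of formulas chi with GF(chi) in M), rewrite
# psi so that only Pi1 operators remain. U becomes W when the context
# promises its right argument holds infinitely often, and ff otherwise;
# M (strong release) is handled symmetrically via its left argument.
def subst_fg(psi, M):
    op = psi[0]
    if op in ('tt', 'ff', 'ap', 'notap'):
        return psi
    if op == 'U':
        if psi[2] in M:  # GF(psi2) assumed to hold in the context
            return ('W', subst_fg(psi[1], M), subst_fg(psi[2], M))
        return ('ff',)
    if op == 'M':
        if psi[1] in M:  # GF(psi1) assumed to hold in the context
            return ('R', subst_fg(psi[1], M), subst_fg(psi[2], M))
        return ('ff',)
    # ∨, ∧, X, W, R: homomorphic
    return (op,) + tuple(subst_fg(arg, M) for arg in psi[1:])

a, b = ('ap', 'a'), ('ap', 'b')
# In the context {GF b}, a U b becomes a W b; in the empty context, ff:
print(subst_fg(('U', a, b), {b}))    # ('W', ('ap', 'a'), ('ap', 'b'))
print(subst_fg(('U', a, b), set()))  # ('ff',)
```

The result contains no U or M operators, so wrapping it in FG yields a formula of Π2 ⊆ Δ2, as required by the construction.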
We prove in Proposition 4.14 below that (FGψ)|_M satisfies conditions (iii) and (iv) of the Contextual Equivalence Lemma.
First we need a definition and a technical lemma.

Definition 4.12. Let M ⊆ (FGψ)↓ and w ∈ W_{(FGψ)↓|M}. The stabilization index of w with respect to M is the least index s ≥ 0 such that w_{s+i} ⊭ χ for every i ≥ 0 and every formula GF χ ∈ (FGψ)↓ \ M.
The stabilization index exists because, by the definition of W_{(FGψ)↓|M}, we have w ⊭ GF χ for every GF χ ∈ (FGψ)↓ \ M, and so there exist only finitely many suffixes of w that satisfy each χ. Since (FGψ)↓ is finite, we can choose the stabilization index as the least index s such that no suffix w_{s+i} satisfies χ for any GF χ ∈ (FGψ)↓ \ M. The following lemma explains the relation between ψ and ψ_M.
(2) For every i ≥ 0: if w_i |= ψ_M then w_i |= ψ.

(1): Fix an i ≥ s such that w_i |= ψ. We prove w_i |= ψ_M by structural induction on ψ. If ψ = tt, ff, a, ¬a, then ψ_M = ψ, and we are done. For all cases defined homomorphically the result follows immediately from the induction hypothesis. Assume now ψ = ψ1 U ψ2. We claim GF ψ2 ∈ M. Observe first that, by the definition of the basis, we have GF ψ2 ∈ (FGψ)↓. Assume that GF ψ2 ∉ M. Then, since w ∈ W_{(FGψ)↓|M} and i ≥ s, we have w_{i+j} ⊭ ψ2 for every j ≥ 0, which implies w_i ⊭ ψ1 U ψ2 by the semantics of LTL. But this contradicts the assumption w_i |= ψ, and the claim is proved. Now we proceed as follows: since GF ψ2 ∈ M, we have ψ_M = (ψ1)_M W (ψ2)_M, and the result follows from the induction hypothesis and the previous cases.

(2): Fix an i ≥ 0 such that w_i |= ψ_M. We prove w_i |= ψ by structural induction on ψ. All cases but ψ = ψ1 U ψ2 and ψ = ψ1 M ψ2 are proved as in (1). Assume now ψ = ψ1 U ψ2. By the definition of the basis, we have GF ψ2 ∈ (FGψ)↓. We claim GF ψ2 ∈ M. Assume the contrary. Then, by the definition of ψ_M we have ψ_M = ff, contradicting w_i |= ψ_M, and the claim is proved. Since GF ψ2 ∈ M, we have ψ_M = (ψ1)_M W (ψ2)_M (definition of ψ_M and claim), and the result follows from the induction hypothesis. The case ψ = ψ1 M ψ2 is proved as in (1).

Proposition 4.14. Let FGψ be a basis formula. For every M ⊆ (FGψ)↓, the formula FG(ψ_M) belongs to Δ2. Further, FG(ψ_M) satisfies conditions (iii) and (iv) of the Contextual Equivalence Lemma. We prove the three parts of the proposition separately.
(3) If M ⊆ M' then FG(ψ_M) |= FG(ψ_{M'}). Assume M ⊆ M'. By the monotonicity of F and G it suffices to prove ψ_M |= ψ_{M'}. We proceed by structural induction on ψ. The cases ψ = tt, ff, a, ¬a are trivial. We now consider the case ψ = ψ1 W ψ2, as a representative of the cases where ψ_M is defined homomorphically, and then the case ψ = ψ1 U ψ2. For ψ = ψ1 M ψ2, proceed as in the previous case, replacing W by R.

4.3.2 The formula (GFψ)|_M. We define the formula (GFψ)|_M and prove that it satisfies conditions (iii) and (iv) of the Contextual Equivalence Lemma. We use the duality between FG and GF. Recall from Section 2.1 that the dual of a formula in negation normal form replaces U by R, W by M, and vice versa. In particular, the dual of FG ψ is GF ψ̄, the dual of GF ψ is FG ψ̄, and Π̄1 = Σ1.
Proposition 4.18 suggests the following definition for the formula ψ^M:

Definition 4.19. For every M ⊆ (GFψ)↓, the formula ψ^M is inductively defined as follows. If ψ = tt, ff, a, ¬a, then ψ^M = ψ. For the operators ∨, ∧, X, U, and M, we define ψ^M homomorphically.

Example 4.20. Let ψ = ((ψ1 W ψ2) U ψ3) W ψ4 and M ⊆ (GFψ)↓.
(3) If M ⊆ M' then ψ^M |= ψ^{M'}. This follows from a straightforward structural induction, using the analogous property of ψ_M and the monotonicity of all operators (recall that formulas are in negation normal form).

Contextual normalization IV: The Normalization Theorem
We insert Propositions 4.14, 4.16, and 4.21 into the Contextual Equivalence Lemma. This yields a closed expression for a formula of Δ2 equivalent to a given formula. The normalized formula is exponentially larger than the original one.

Theorem 4.22 (Normalization Theorem). Let φ be a formula of length n. Then φ is equivalent to the disjunction, over all contexts M ⊆ B_φ, of the conjunction of φ|_M with the corresponding basis formulas (FGψ)|_M and (GFψ)|_M. Moreover, the right-hand-side formula is in Δ2 and has length 2^{O(n)}.

Proof. By the Contextual Equivalence Lemma, φ is equivalent to the right-hand-side formula. By Propositions 4.14, 4.16, and 4.21, the right-hand side is a Boolean combination of formulas of Δ2, and so in Δ2 itself. For the size, observe first that B_φ contains at most n formulas, and so the right-hand side is a disjunction of at most 2^n formulas.
We bound the length of a disjunct. First we observe that |ψ^M| ≤ O(n²), which follows easily from Definition 4.19. (For the cases defined homomorphically, the proof is a direct application of the induction hypothesis; for the case ψ = ψ1 W ψ2 we argue directly.) We conclude with the following lemma, which bounds the number of formulas in the normal form of Theorem 4.22. It will be used later in Section 6.3 to bound the size of some automata.

Proof. This follows from the following claims: To prove (1), observe that sf(ψ_M) ⊆ {ψ'_M | ψ' ∈ sf(ψ)}. This can be proven by a straightforward induction, which is trivial for the cases where ψ_M is defined homomorphically. For ψ = ψ1 U ψ2, according to Definition 4.10, either ψ_M = (ψ1)_M W (ψ2)_M or ψ_M = ff. Since ψ_M is in the right-hand set by definition with ψ' = ψ, it remains to consider the subformulas of (ψi)_M for i = 1, 2. However, by induction hypothesis, for any ψ'' ∈ sf((ψi)_M) there is a ψ' ∈ sf(ψi) ⊆ sf(ψ) such that ψ'' = ψ'_M, and we are done. Using the just proven inclusion, we have |sf(ψ_M)| ≤ |{ψ'_M | ψ' ∈ sf(ψ)}|, and the cardinality of the latter set is clearly no more than |sf(ψ)|. The case of ψ^M follows by duality. In the first case, by induction hypothesis, the bound on |sf(ψ_M)| applies; the remaining subformulas in the left-hand side are only two, ff and ψ_M itself, so they are at most 4|sf(ψ)|. In the second case, we likewise obtain the bound 4|sf(ψ)|. The calculation (4) also holds with the last set replaced by its dual.

Evaluation
Our proof of the Normalization Theorem gives a good explanation of why the result holds. Roughly speaking, given a formula φ, the set of all words can be partitioned into contexts, such that within each context the formula is equivalent to a formula of Σ2 derived from φ by means of a very simple syntactic transformation. The procedure also provides a single-exponential asymptotic upper bound on the length of the equivalent Δ2-formula. However, the proof does not yield a normalization procedure that is efficient in practice. Indeed, a procedure based on Theorem 4.22 has exponential best-case complexity, since it requires iterating over all subsets of GF_φ and FG_φ. Also, the procedure works top-down, and so it is particularly bad for families of formulas where, loosely speaking, the double alternation occurs near the bottom of the syntax tree.
Example 4.25. Consider the family of formulas φ_n for n ≥ 3. The sets GF_{φ_n} and FG_{φ_n} have size n − 1 and 1, respectively. The normalization procedure based on the Normalization Theorem yields a disjunction of 2^{n+1} formulas, and so it takes exponential time in n. However, reasoning as at the beginning of Section 4.1, when we proved FG(a U b) ≡ GF b ∧ FG(a W b), one can show that φ_n is equivalent to a Δ2-formula of length Θ(n). Intuitively, in order to normalize φ_n it suffices to solve the "local" problem caused by the subformula which is in Σ3; however, the procedure of Section 4 is blind to this fact, and generates 2^{n+1} formulas.

A NORMALIZING REWRITE SYSTEM
We present a system of rewrite rules that allows us to normalize every LTL formula. As a corollary, we obtain an alternative proof of the Normalization Theorem. The normalization algorithms derived from the rewrite rules are more efficient than the ones presented in the previous section.

We first introduce a rewrite system for the fragment of the syntax without the operators R and M. The reasons are purely expository. The restriction to this fragment makes the proofs shorter, and the extension to a rewrite system for the full syntax, presented in Section 5.6, is routine.

Remark 5.1. Recall also that the fragment without the operators R and M is as expressive as the full syntax. Indeed, exhaustively applying the well-known equivalences φ R ψ ≡ ψ W (ψ ∧ φ) and φ M ψ ≡ ψ U (ψ ∧ φ) to a formula yields an equivalent formula of the fragment. However, in the worst case the formula of the fragment may be exponentially larger than the original one, and so eliminating the R and M operators and then applying the rewrite system for the fragment may be less efficient than a direct application of the rewrite system for the full syntax given in Section 5.6.
The key idea leading to the rewrite system is to treat the combinations GF (infinitely often) and FG (almost always) of temporal operators as atomic operators GF and FG (notice the typesetting with the two letters touching each other). We call them the limit operators; intuitively, whether a word satisfies a formula GFφ or FGφ depends only on its behavior "in the limit", in the sense that a word w satisfies GFφ or FGφ iff every suffix of w does. So we add the limit operators to the fragment, yielding the following syntax:

Definition 5.2. Extended LTL formulas over a set Ap of atomic propositions are generated by the syntax:

φ ::= tt | ff | a | ¬a | φ ∧ φ | φ ∨ φ | Xφ | φ U φ | φ W φ | GFφ | FGφ

When determining the class of a formula in the syntactic future hierarchy, GF and FG are implicitly replaced by GF and FG. For example, F GFa is rewritten into FGFa, and so it is a formula of Σ3.
Convention: In the rest of the section we only consider extended formulas, which are by construction in negation normal form, and call them just formulas.
Let us now define our precise target normal form. Formulas of the form φ U ψ, φ W ψ, Xφ, GFφ, and FGφ are called U-, W-, X-, GF-, and FG-formulas, respectively. We refer to these formulas as temporal formulas. The syntax tree of a formula φ is defined in the usual way, and |φ| denotes the number of nodes of φ. A node of φ is a U-node if the subformula rooted at it is a U-formula.
Definition 5.3. Let φ be an LTL formula. A node of φ is a limit node if it is either a GF-node or an FG-node. The formula φ is in normal form if it satisfies the following properties: (1) No U-node is under a W-node.
(2) No limit node is under another temporal node.
(3) No W-node is under a GF-node, and no U-node is under an FG-node.

Remark 5.4. Observe that formulas in normal form belong to Δ2. Even a slightly stronger statement holds: a formula in normal form is a positive Boolean combination of formulas of Σ2 and formulas of the form GFψ such that ψ ∈ Σ1 (and so GFψ ∈ Π2).
There is a dual normal form in which property (1) is replaced by "no W-node is under a U-node", and the other two properties do not change. Formulas in dual normal form are positive Boolean combinations of formulas of Π2 and formulas of the form FGψ such that ψ ∈ Π1. Once the Normalization Theorem for the primal normal form is proved, a corresponding theorem for the dual form follows as an easy corollary (see Section 5.6).
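The three properties of Definition 5.3 are purely syntactic, so membership in the normal form can be decided by a single traversal of the syntax tree. The following checker is a minimal sketch (the tuple encoding is ours; GF and FG are the atomic limit operators of this section):

```python
# A small checker for the three properties of Definition 5.3.
# Formulas are nested tuples, e.g. ('W', ('ap', 'a'), ('ap', 'b')).
TEMPORAL = {'U', 'W', 'X', 'GF', 'FG'}

def in_normal_form(phi):
    def walk(phi, above):          # `above`: temporal operators on the path to the root
        op = phi[0]
        ok = True
        if op == 'U':              # properties (1) and (3): no U under W or FG
            ok = 'W' not in above and 'FG' not in above
        elif op == 'W':            # property (3): no W under GF
            ok = 'GF' not in above
        if op in ('GF', 'FG'):     # property (2): no limit node under a temporal node
            ok = ok and not (above & TEMPORAL)
        child_above = above | ({op} if op in TEMPORAL else set())
        return ok and all(walk(arg, child_above)
                          for arg in phi[1:] if isinstance(arg, tuple))
    return walk(phi, set())

a, b = ('ap', 'a'), ('ap', 'b')
print(in_normal_form(('or', ('U', a, b), ('GF', a))))  # True
print(in_normal_form(('W', ('U', a, b), b)))           # False: U under W
```

The first example is a positive Boolean combination of a Σ2 formula and a GF-formula over Σ1, matching the shape described in Remark 5.4.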
Proposition 5.8. For every LTL formula φ there exists an equivalent formula φ′ in 1-form such that for every subformula GF ψ of φ′ the formula ψ is a subformula of φ, and every FG-subformula of φ′ is also a subformula of φ.

Proof. We associate to each formula φ a rank, rank(φ). Throughout the proof we say that a formula φ′ satisfies the limit property if for every subformula GF ψ of φ′ the formula ψ is a subformula of φ, and every FG-subformula of φ′ is also a subformula of φ (notice the asymmetry). Further, we say that a formula φ′ satisfies the size property if |φ′| ≤ 4^rank(φ) · |φ|, from which the claimed size bound immediately follows.
We prove by induction on rank(φ) that φ is equivalent to a formula φ′ in 1-form satisfying the limit and size properties. Within the inductive step we proceed by a case distinction on φ. If φ = tt, ff, GF ψ, or FG ψ, then φ is already in 1-form, and satisfies the limit and size properties.
If φ = φ₁ ∧ φ₂, φ₁ ∨ φ₂, or φ₁ U φ₂, then by induction hypothesis φ₁ and φ₂ can be normalized into formulas φ′₁ and φ′₂ satisfying the limit and size properties. The corresponding combinations of φ′₁ and φ′₂ are then in 1-form (the latter because the additional U-node is above any W-node) and satisfy the limit property. The size property holds by a straightforward calculation.

If φ = X φ₁, then by induction hypothesis there is a formula φ′₁ equivalent to φ₁ in 1-form, and so φ is equivalent to X φ′₁, which is in 1-form and satisfies the limit and size properties. If φ = φ₁ W φ₂ and φ contains no U-node under a W-node, then φ₁ W φ₂ is already in 1-form and satisfies the limit and size properties. If φ = φ₁ W φ₂ and φ contains some U-node under a W-node, then we proceed by a case distinction:

• φ₂ contains at least one U-node that is not under a limit node. Let ψ₁ U ψ₂ be such a U-node. We derive φ₂[ψ₁ U ψ₂] from φ₂ by replacing each U-node labeled by ψ₁ U ψ₂ by the special atomic proposition [ψ₁ U ψ₂]. By Lemma 5.7(5), φ is equivalent to a disjunction built from φ₁, φ₂, and φ₁ W ff. Since rank(φ₁) < rank(φ), rank(φ₂) < rank(φ), and rank(φ₁ W ff) < rank(φ) (the latter because φ₂ contains at least one U-node), by induction hypothesis φ₁, φ₂, and φ₁ W ff can be normalized into formulas φ′₁, φ′₂, and φ′₃ satisfying the limit and size properties. So φ can be normalized into φ′ = φ′₁ U φ′₂ ∨ φ′₃. Moreover, φ′ satisfies the limit property, because all GF- and FG-subformulas of φ′ are subformulas of φ′₁, φ′₂, or φ′₃. The size property follows by a similar calculation.

• Every U-node of φ₂ is under a limit node, and φ₁ contains at least one U-node that is not under any limit node. Then φ₁ contains a maximal subformula ψ₁ U ψ₂ (with respect to the subformula order) that is not under a limit node. We derive φ₁[ψ₁ U ψ₂] from φ₁ by replacing each U-node labeled by ψ₁ U ψ₂ that does not appear under a limit node by the special atomic proposition [ψ₁ U ψ₂]. By Lemma 5.7(6), φ is equivalent to a formula of the shape (GF ψ₂ ∧ χ₁) ∨ (χ₂ U χ₃) for suitable formulas χ₁, χ₂, χ₃. In order to apply the induction hypothesis we argue that χ₁, χ₂, and χ₃ have rank smaller than φ, and thus can be normalized to χ′₁, χ′₂, and χ′₃ satisfying the limit and size properties. The formula χ₁ has the same number of nodes as φ, but fewer U-nodes under W-nodes; so rank(χ₁) < rank(φ). The same argument applies to χ₃. Finally, rank(χ₂) < rank(φ) follows from the fact that χ₂ has fewer nodes than φ. So φ can be normalized to φ′ = (GF ψ₂ ∧ χ′₁) ∨ (χ′₂ U χ′₃). We show that φ′ satisfies the limit property. Let GF ρ be a subformula of φ′. If GF ρ = GF ψ₂, then we are done, because ψ₂ is a subformula of φ. Otherwise GF ρ is a subformula of χ′₁, χ′₂, or χ′₃. Since all of them satisfy the limit property, ρ is a subformula of φ, and we are done. Further, every FG-subformula of φ′ belongs to χ′₁, χ′₂, or χ′₃, and so it is also a subformula of φ. The size property follows by a similar calculation.
In this section, we address the second property of the normal form. The following lemma allows us to pull limit subformulas out of any temporal formula. (Note that the second rule is only necessary if the formula before stage 1 contained FG-subformulas, since stage 1 only creates new GF-formulas.)

Lemma 5.9.
Moreover, the size of the limit subformulas does not increase: for every k > 0, if |ψ| ≤ k for every limit subformula ψ of φ, then |ψ′| ≤ k for every limit subformula ψ′ of φ′.

Proof. We proceed by induction on the number of proper limit subformulas of φ. If φ does not contain any, then it is already in 1-2-form. Otherwise there exists a proper limit subformula ψ that is smaller than (or incomparable to) all other limit subformulas of φ according to the subformula order. We derive φ[ψ] from φ by replacing each limit node labeled by ψ by the special atomic proposition [ψ]. We then apply Lemma 5.9 to obtain an equivalence of φ with (ψ ∧ φ[tt]) ∨ φ[ff], where ψ = GF ψ′ or FG ψ′, and φ[tt], φ[ff] denote the results of substituting tt and ff, respectively, for [ψ] in φ[ψ].
Note that ψ does not properly contain any limit subformula, and so it is in 1-2-form. Both φ[tt] and φ[ff] are still in 1-form and they have one limit operator less than φ. Thus they can be normalized by the induction hypothesis into φ′₁ and φ′₂ in 1-2-form. Finally, φ′ = (ψ ∧ φ′₁) ∨ φ′₂ is a Boolean combination of formulas in 1-2-form, so it is in 1-2-form. The number of nodes of φ′ can be crudely bounded by a straightforward calculation. To show that the size of the limit subformulas does not increase, let k be a bound on the size of the GF-subformulas of φ. We claim that the size of each GF-subformula of φ′ is also bounded by k (the case of FG is analogous). Indeed, the GF-subformulas of φ′ are ψ (which already occurs in φ) and the GF-subformulas of φ′₁ and φ′₂. Since the GF-subformulas of φ[tt] and φ[ff] can only have decreased in size, by induction hypothesis the number of nodes of any GF-subformula of φ′₁ and φ′₂ is bounded by k, and we are done.

Stage 3: Removing W-nodes (U-nodes) under GF-nodes (FG-nodes)
The normalization of LTL formulas is completed in this section by fixing the problems within limit subformulas. In order to do so, we introduce two new rewrite rules that allow us to pull W-subformulas out of GF-formulas, and U-subformulas out of FG-formulas.

Lemma 5.11.

Proof. Notice that (9) and (10) are instances of the Weak Contextual Equivalence Lemma (Lemma 4.3) with bases {FG φ₁} and {GF φ₂}, respectively. In the case of (9), one exhibits the corresponding contextual formulas and checks that the premises of the lemma are satisfied, which implies the claim; in particular, (ii) holds since φ₁ U φ₂ |= tt and by Lemma 5.6(1). For (10), the premises of the lemma hold by analogous arguments, and this entails the desired equivalence.
In the remaining case there is a suffix w′ of w such that no suffix of w′ satisfies φ₂. In this case, by the semantics of LTL, φ₁ U φ₂ ≡ ff over the suffixes of w′, so FG ψ[φ₁ U φ₂] ≡ FG ψ[ff] by Lemma 5.6(2). The conclusion follows again from the limit properties of FG.
(ii) Since ff |= φ₁ W φ₂ and by Lemma 5.6(1), the premise holds.

The following proposition repeatedly applies these rules to show that limit formulas can be normalized with an exponential blowup.

Proposition 5.12. For every LTL formula φ without limit operators, GF φ and FG φ can be normalized into formulas with at most 3^|φ| · |φ| nodes.

Proof. A GF-obstacle of a formula φ is a W-node, or a U-node under a W-node, inside a GF-node. Similarly, an FG-obstacle is a U-node, or a W-node under a U-node, inside an FG-node. Finally, an obstacle is either a GF-obstacle or an FG-obstacle. We proceed by induction on the number of obstacles of GF φ or FG φ. If they have no obstacles, then they are already in normal form (Definition 5.3).
Assume GF φ has at least one obstacle. Then φ contains at least one maximal W-node ψ₁ W ψ₂. We derive GF φ[ψ₁ W ψ₂] from GF φ by replacing each W-node labeled by ψ₁ W ψ₂ by the special atomic proposition [ψ₁ W ψ₂]. By Lemma 5.11, GF φ is equivalent to a combination of GF φ[ψ₁ U ψ₂], GF φ[tt], and FG ψ₁. We claim that each of GF φ[ψ₁ U ψ₂], GF φ[tt], and FG ψ₁ has fewer obstacles than GF φ[ψ₁ W ψ₂], and so can be normalized by induction hypothesis. Indeed, GF φ[ψ₁ U ψ₂] and GF φ[tt] have at least one W-node less than φ, and the number of U-nodes under a W-node, due to the maximality of ψ₁ W ψ₂, has not increased; as a consequence each has fewer GF-obstacles (and by definition no FG-obstacles). For FG ψ₁, observe first that every FG-obstacle of FG ψ₁ is a GF-obstacle of GF φ[ψ₁ W ψ₂]. Indeed, the obstacles of FG ψ₁ are its U-nodes and its W-nodes under U-nodes; the former were U-nodes under W-nodes in φ, and the latter were W-nodes of φ, and so both are GF-obstacles of GF φ. Moreover, ψ₁ W ψ₂ is a GF-obstacle of GF φ, but not an FG-obstacle of FG ψ₁. Hence, the number of obstacles has decreased.
Assume now that FG φ has at least one obstacle. Then φ contains at least one maximal U-node ψ₁ U ψ₂. We derive FG φ[ψ₁ U ψ₂] from FG φ by replacing each U-node labeled by ψ₁ U ψ₂ by the special atomic proposition [ψ₁ U ψ₂]. By Lemma 5.11 we obtain an equivalent combination of formulas; each of them, in particular FG φ[ff], has fewer obstacles than FG φ[ψ₁ U ψ₂], and can be normalized by induction hypothesis.
The proof is as above.
The size of the formula increases at most by a factor of 3 in each step, and the number of steps is bounded by the number of W-nodes and U-nodes in φ, which is in turn bounded by the total number of nodes of φ. So the resulting formula has at most 3^|φ| · |φ| nodes.

The Normalization Theorem
The main result directly follows from the previous propositions. According to Proposition 5.10, for every formula φ′ in 1-form there is an equivalent formula φ′′ in 1-2-form. This formula is a Boolean combination of limit formulas with at most |φ| nodes, not containing any proper limit node, and of other temporal formulas containing neither limit nodes nor U-nodes under W-nodes. The latter are in Σ₂, and Proposition 5.12 deals with the former. Notice that every GF- and FG-subformula has at most |φ| nodes, and thus can be normalized into a formula with at most 3^|φ| · |φ| nodes. The result φ′′′ of replacing these limit subformulas by their normal forms within φ′′ is a Boolean combination of normal forms, and so we are done. The number of nodes of the resulting formula φ′′′ is singly exponential in |φ|.

Summary of the normalization algorithm
We summarize the steps of the normalization algorithm described and proven in this section. Recall that a formula is in normal form iff it satisfies the following properties: (1) No U-node is under a W-node.
(2) No limit node is under another temporal node.
(3) No W-node is under a GF-node, and no U-node is under an FG-node.
The normalization algorithm applies the rules in Table 1 as follows to fix any violation of these properties: (1) U-nodes under W-nodes and not under limit nodes are removed using rules (5) and (6). This may introduce new GF-subformulas. By applying (6) only to highest U-nodes of φ₁, the number of new GF-subformulas is only linear in the size of the original formula.
(2) Limit nodes under other temporal nodes are pulled out using rules (7) and (8). By applying the rules only to the lowest limit nodes, each rule needs to be applied only once per limit subformula.
(3) W-nodes under GF-nodes are removed using rule (9), and U-nodes under FG-nodes are removed using rule (10). This may produce new limit nodes of smaller size, which are handled recursively. Choosing the highest W- and U-nodes ensures that the process incurs only a single exponential blowup over the initial size of the formula.
After the three steps, a formula in normal form is obtained with a single exponential blowup in the number of nodes.
Moreover, notice that φ₁ itself does not play any role in rules (5) and (10), and neither does φ₂ in (9). Hence, the application of (5) can be made more efficient by replacing not only every occurrence of φ₁ U φ₂ outside a limit subformula with φ₁ W φ₂ and with ff, but also every occurrence of ψ U φ₂, for any formula ψ, by ψ W φ₂ and by ff. The same holds for rules (9) and (10).
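The simultaneous replacement just described amounts to a plain substitution on the syntax tree. The sketch below is our own illustration (the tuple encoding is an assumption, and for simplicity it ignores the restriction to occurrences outside limit subformulas):

```python
# Replace every U-node whose right argument equals phi2 either by the
# corresponding W-node (mode "W") or by ff (mode "ff"), regardless of
# its left argument, as suggested in the remark above.

def subst_U(node, phi2, mode):
    """mode = 'W' turns (psi U phi2) into (psi W phi2); mode = 'ff' into ff."""
    if isinstance(node, str):
        return node
    op, *children = node
    if op == "U" and children[1] == phi2:
        if mode == "ff":
            return "ff"
        return ("W", subst_U(children[0], phi2, mode), phi2)
    return (op, *[subst_U(c, phi2, mode) for c in children])

f = ("or", ("U", "a", "b"), ("U", "c", "b"))
print(subst_U(f, "b", "W"))   # ('or', ('W', 'a', 'b'), ('W', 'c', 'b'))
print(subst_U(f, "b", "ff"))  # ('or', 'ff', 'ff')
```

Both variants are computed in one traversal each, which is what makes the optimized application of rule (5) cheap.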
Table 2. Normalization rules for R and M.
Example 5.14. Let us apply the procedure to the formula φₙ of Example 4.25. In stage 1, rule (6) matches the subformula (φ₀ U φ₁) W φ₂ and rewrites it; in the result, ff W ff can be simplified to ff and removed from the disjunction. The rewritten formula is in 1-form, because there is no U-node under a W-node, so we can continue to stage 2. Now, we must pull the GF-node GF φ₁ out of the cascade of U-nodes using rule (7). Since the only remaining limit node is then outside any temporal formula, we have obtained a formula in 1-2-form and the procedure arrives at stage 3. Again, the only limit subformula is GF φ₁, and φ₁ does not contain any W-node, so the formula is completely normalized and we have finished. Observe that φₙ has been normalized by exactly two rule applications for all n ≥ 3, so the algorithm runs in linear time on this family of formulas. The result is not identical, but very similar, to the one in Example 4.25.

Extensions and fragments
The operators R and M. We have omitted these operators from the proof and the normalization procedure, since they can be expressed in terms of the subset of operators we have considered. However, this translation exponentially increases the number of nodes of the formula, so handling them directly is convenient for efficiency. Their role at every step of the procedure is analogous to that of the U and W operators, i.e., we treat R in the same way as W, and M in the same way as U. The corresponding rules are shown in Table 2.
Dual normal form. Recall that a formula is in dual normal form if it satisfies conditions 2 and 3 of Definition 5.3 and no W-node is under a U-node. Given a formula φ, let ψ be a formula in primal normal form equivalent to ¬φ. Since φ ≡ ¬¬φ ≡ ¬ψ, pushing the negation into ψ yields a formula equivalent to φ in dual normal form.
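Pushing the negation through a formula in negation normal form amounts to replacing every operator by its dual and negating the literals; since the paper handles R and M directly (Table 2), the duals stay within the operator set. A minimal sketch of ours (operator names and the tuple encoding are assumptions):

```python
# Dual pairs: ¬(φ U ψ) = ¬φ R ¬ψ, ¬(φ W ψ) = ¬φ M ¬ψ, ¬GF φ = FG ¬φ, etc.
DUAL = {"and": "or", "or": "and", "U": "R", "R": "U", "W": "M", "M": "W",
        "X": "X", "GF": "FG", "FG": "GF"}

def negate(node):
    if node == "tt":
        return "ff"
    if node == "ff":
        return "tt"
    if isinstance(node, str):                  # literal: "a" or "¬a"
        return node[1:] if node.startswith("¬") else "¬" + node
    op, *children = node
    return (DUAL[op], *[negate(c) for c in children])

print(negate(("U", "a", ("W", "¬b", "c"))))    # ('R', '¬a', ('M', 'b', '¬c'))
```

Applying `negate` to a formula in primal normal form swaps the roles of U/W (and R/M, GF/FG), which is exactly why the result lands in the dual normal form.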
Past LTL. Past LTL is an extension of LTL with past operators like yesterday (Y), since (S), etc. In an appendix of [16], Gabbay introduced eight rewrite rules to pull future operators out of past operators. Combining these rules with ours yields a procedure that transforms a Past LTL formula into a normalized LTL formula, where past operators are gathered in past-only subformulas, and so can be considered atomic propositions.
LTL[F, G, X]. Note that LTL is equivalent to first-order logic (FO) over words [10]. In particular, a translation from LTL to first-order logic that uses only three variables can be obtained by replacing LTL operators by their semantic definitions, which are already FO-formulas (see Definition 2.2). Thus, in fact, LTL is equivalent to FO[3], where 3 denotes the number of variables that are used. If we restrict LTL to the unary temporal operators (F, G, and X) and apply the same idea, we obtain formulas with at most 2 variables (FO[2]). Indeed, FO[2] is equivalent to LTL[F, G, X] [14]. However, our normalization procedure does not take this into account: if we start with a formula from LTL[F, G, X] and apply Theorem 5.13, we do not necessarily obtain a normalized formula from LTL[F, G, X]. Is the introduction of U-subformulas that are not equivalent to F-subformulas unavoidable? Luckily, no. We can update our rewrite rules such that if we start with a formula from LTL[F, G, X], we also obtain a normalized formula from LTL[F, G, X]. The rules are in Table 3, and the correctness proofs proceed as before. The idea is to proceed by a case distinction over each F φ and split into three cases: (a) F φ never holds, (b) F φ holds at least once, but finitely often, (c) F φ always holds. Moreover, since XF φ ≡ FX φ and XG φ ≡ GX φ, every G-subformula with a nested F-subformula can always be reduced to one or more formulas of the form G(F φ ∨ ψ[F φ]) by pushing next operators inside F and G, computing the conjunctive normal form of the argument, and splitting the G operator over the conjuncts.

Manuscript submitted to ACM
Weak and very weak automata. Let A = ⟨Σ, Q, f₀, δ, α⟩ be an alternating (co-)Büchi automaton. We write q −→ q′ if there is σ ∈ Σ such that q′ belongs to some minimal model of δ(q, σ). An automaton A is weak if there is a partition Q₁, …, Qₖ of Q such that • for every q, q′ ∈ Q, if q −→ q′, q ∈ Qᵢ, and q′ ∈ Qⱼ, then j ≤ i, and • for every 1 ≤ i ≤ k: either Qᵢ ⊆ α or Qᵢ ∩ α = ∅. A is very weak or linear if it is weak and every class of the partition is a singleton (that is, |Qᵢ| = 1) [24, 36]. We let AWW and A1W denote the sets of weak and very weak alternating automata, respectively.
Example 6.3. Figure 3 shows the relation −→ between the states of the automaton of Example 6.1. The automaton is very weak because the corresponding partition consists only of singleton classes. Observe that for every weak automaton with a co-Büchi acceptance condition we can define a Büchi acceptance condition on the same structure recognizing the same language. Thus, from now on we assume that every weak automaton is equipped with a Büchi acceptance condition.
We define the alternation height of a weak alternating automaton. The definition is very similar, but not identical, to the standard one as presented in, e.g., [49]. A weak automaton A = ⟨Σ, Q, f₀, δ, α⟩ has alternation height k if every path q → q′ → q′′ ⋯ of A alternates at most k − 1 times between α and Q \ α. The automaton of Example 6.1 (see also Figure 3) has height 3 because of the path q₀ → q₁ → q₂, which exhibits two alternations.
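Because weakness forces every path to descend through the partition, the maximal number of alternations along a path can be computed by a memoized traversal of the relation −→ (self-loops stay within one state and never alternate, so they can be skipped). A sketch under our own dict-based encoding, not code from the paper:

```python
from functools import lru_cache

def alternation_height(states, edges, acc):
    """edges: dict state -> iterable of -->-successors; acc: accepting states.
    Returns the least k such that every path alternates at most k - 1 times."""
    @lru_cache(maxsize=None)
    def alt(q):
        best = 1                                   # a path may end at q
        for p in edges.get(q, ()):
            if p == q:                             # self-loop: no alternation
                continue
            best = max(best, alt(p) + (1 if (q in acc) != (p in acc) else 0))
        return best
    return max(alt(q) for q in states)

# The path q0 -> q1 -> q2 of the text, with only q1 accepting, has two
# alternations, so the height is 3:
print(alternation_height([0, 1, 2], {0: [0, 1], 1: [1, 2], 2: [2]}, {1}))  # 3
```

Weakness guarantees that the non-self-loop edges form an acyclic graph, so the recursion terminates.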

Translation of LTL to A1W[2]
In the standard translation of LTL to A1W, the states of the A1W for a formula φ are the subformulas of φ [36, 49]. We show that, at the price of a slightly more complicated translation, the resulting A1W for a Δᵢ-formula belongs to A1W[i]. Thus, by the Normalization Theorem, every LTL formula can be translated into an equivalent A1W[2]. The idea of the construction is to use subformulas of φ as states, ensuring that (1) transitions can only lead from a subformula to itself or to another one of a smaller class in the syntactic-future hierarchy (Figure 1b); and (2) accepting states are subformulas of the Π-classes of the hierarchy. These two conditions immediately imply that the alternating automaton for a formula of Σᵢ has alternation height i; indeed, every change of state involves going down in the hierarchy. There are two small technical problems. First, at the bottom of the hierarchy we have Σ₀ = Π₀, and so it is not well defined whether bottom formulas are accepting states or not. Fortunately, in our automata such states are not reachable, and so this question is irrelevant. Second, the hierarchy level of a formula is not always well-defined; the construction therefore annotates states with hierarchy classes. Since the accepting states are those annotated with Π-classes, there are also at most i − 1 alternations between accepting and non-accepting states in a path.
To show that A has at most 2|φ| states, observe that for every formula ψ there are at most two smallest classes of the syntactic-future hierarchy containing ψ. So A has at most two states for each proper subformula of φ.
To prove that A recognizes L(φ), one shows by induction on φ that A recognizes L(ψ) from every marked formula ψ_Γ. The proof is completely analogous to the one given in [49].
More precisely, given an AWW[2, R], we construct an equivalent deterministic co-Büchi automaton, and given an AWW[2, A], we construct an equivalent deterministic Büchi automaton. We only describe the construction for AWW[2, R], as the one for AWW[2, A] is dual.
The section is structured as follows. First, we introduce the notion of the level sequence of a run. Second, we present the fundamental property of AWW[2, R] that the procedure will exploit. Third, we describe the procedure itself. Finally, we combine the procedures for AWW[2, R] and AWW[2, A] into a procedure that, given an arbitrary AWW[2], constructs an equivalent deterministic Rabin automaton.
6.3.1 Level sequence of a run. Let A = ⟨Σ, Q, f₀, δ, α⟩ be an alternating Büchi automaton. A set L ⊆ Q of states is called a level. If L ⊆ α, then L is an α-level. Given two levels L, L′ and a letter σ ∈ Σ, we say that L′ is a successor of L w.r.t. σ ∈ Σ, also called a σ-successor of L, if for every q ∈ L there is a minimal model M_q of δ(q, σ) such that L′ = ⋃_{q∈L} M_q. We make two observations: • The empty set of states is a level, and moreover an α-level. The empty level has exactly one σ-successor for every σ ∈ Σ, namely the empty level itself.
• A level L has no σ-successors if and only if it contains a state q such that δ(q, σ) = ff. Indeed, if δ(q, σ) = ff then there is no minimal model of δ(q, σ). Conversely, if δ(q, σ) ≠ ff for every q ∈ L, then δ(q, σ) has at least one minimal model M_q for every state q ∈ L, and the set L′ := ⋃_{q∈L} M_q is a (possibly empty) σ-successor of L.
Recall that, given a run ρ = (T, ℓ) on a word w, we define for every i ≥ 0 the set Lᵢ of states labeling the nodes of ρ at depth i. By the definitions of run and level, for every i ≥ 0 either δ(q, w[i]) = ff for some q ∈ Lᵢ, or Lᵢ₊₁ is a w[i]-successor of Lᵢ. We define the level sequence of ρ as a certain prefix of the infinite sequence L₀ L₁ L₂ ⋯: • If there exists a smallest n ≥ 0 such that Lₙ has no w[n]-successor, then the level sequence is the finite sequence L₀ L₁ ⋯ Lₙ.
• Otherwise, the level sequence of ρ is the infinite sequence L₀ L₁ L₂ ⋯ itself.

Example 6.9. Let us compute the level sequences of the four runs of Figure 2.
• Third run: {q₀} {q₁} {q₁, q₂} ⋯. Observe that although the first and third runs have the same sequence of levels, the first run is accepting but the third one is not.
While the run itself is finite, its level sequence is infinite.
The first and third runs of Example 6.9 have the same level sequence, but one is accepting and the other is not. Therefore, the level sequence of a run does not determine, in general, whether the run is accepting.
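The σ-successors of a level are computed directly from the minimal models of the transition formulas. In the sketch below (our own encoding, not the paper's), `delta(q, sigma)` is assumed to return the list of minimal models of δ(q, σ), each a frozenset of states, with the empty list encoding ff:

```python
from itertools import product

def successors(level, sigma, delta):
    """All sigma-successors of a level (a frozenset of states)."""
    choices = [delta(q, sigma) for q in level]
    if any(not models for models in choices):
        return set()                     # some state has delta(q, sigma) = ff
    # pick one minimal model per state and take the union
    return {frozenset().union(*pick) for pick in product(*choices)}

delta = lambda q, s: {"q0": [frozenset({"q1"}), frozenset({"q2"})],
                      "q1": [frozenset()],
                      "q2": []}[q]
print(successors(frozenset({"q0"}), "a", delta))  # two successors: {q1}, {q2}
print(successors(frozenset(), "a", delta))        # {frozenset()}
```

The two observations above fall out of the code: the empty level has exactly one successor (the empty level), and a level containing a state with δ(q, σ) = ff (here `"q2"`) has none.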
Recall that a state of D is a pair (Levels, Promising), where Levels ⊆ 2^Q (a level of an AWW is a set of states) and Promising ⊆ 2^α ∩ Levels. Since there exist at most 3^(2^n) pairs satisfying these conditions, D has at most 3^(2^n) states, where n = |Q|. Let us first give an informal but hopefully intuitive description of the transitions and acceptance condition of the deterministic co-Büchi automaton. The transitions of D are chosen to ensure that, after reading a finite word w₀ w₁ ⋯ w_{i−1}, the automaton is in the state (Levelsᵢ, Promisingᵢ), where • Levelsᵢ contains the i-th levels of all runs of A on all words having w₀ ⋯ w_{i−1} as prefix (when they exist); and • Promisingᵢ ⊆ Levelsᵢ contains some α-levels of Levelsᵢ. These levels are "promising", intuitively meaning that they could belong to the infinite tail of α-levels of the level sequence of an accepting run.
For this, when D reads wᵢ, it moves from (Levelsᵢ, Promisingᵢ) to (Levelsᵢ₊₁, Promisingᵢ₊₁), where Levelsᵢ₊₁ contains all the wᵢ-successors of the levels of Levelsᵢ, and Promisingᵢ₊₁ is defined as follows: • If Promisingᵢ ≠ ∅, then Promisingᵢ₊₁ contains the wᵢ-successors of the levels of Promisingᵢ. (Recall that A is an AWW[2, R], and so if Promisingᵢ contains α-levels, then so does Promisingᵢ₊₁.) • If Promisingᵢ = ∅, then Promisingᵢ₊₁ contains all α-levels of Levelsᵢ₊₁.
Finally, the co-Büchi condition contains the states (Levels, Promising) such that Promising = ∅.
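The informal description above can be condensed into a small transition function on pairs (Levels, Promising). This is our own sketch; as before, `delta(q, sigma)` is assumed to return the minimal models of the transition formula as frozensets:

```python
from itertools import product

def level_succs(level, sigma, delta):
    choices = [delta(q, sigma) for q in level]
    if any(not models for models in choices):
        return set()                         # dead level: a state maps to ff
    return {frozenset().union(*pick) for pick in product(*choices)}

def d_step(levels, promising, sigma, delta, alpha):
    """One transition of the deterministic co-Buechi automaton D."""
    next_levels = set()
    for lev in levels:
        next_levels |= level_succs(lev, sigma, delta)
    if promising:                            # follow the promising levels
        next_promising = set()
        for lev in promising:
            next_promising |= level_succs(lev, sigma, delta)
    else:                                    # breakpoint: restart from all alpha-levels
        next_promising = {lev for lev in next_levels if lev <= frozenset(alpha)}
    return frozenset(next_levels), frozenset(next_promising)

delta = lambda q, s: {"q0": [frozenset({"q1"})], "q1": [frozenset({"q1"})]}[q]
lv, pr = d_step(frozenset({frozenset({"q0"})}), frozenset(), "a", delta, {"q1"})
print(pr)   # frozenset({frozenset({'q1'})})
```

Dead promising levels simply disappear (their successor set is empty), which matches the intuition that levels without successors cannot belong to an accepting run; the co-Büchi states are exactly those reached with an empty Promising component.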
Intuitively, during its run on a word w, the automaton D tracks the promising levels, removing those without successors, because they cannot belong to an accepting run. If some run ρ of A accepts w, then by Lemma 6.10 the level sequence L₀ L₁ L₂ ⋯ of ρ is infinite, and there is n ≥ 0 such that the levels Lₙ, Lₙ₊₁, Lₙ₊₂, … are α-levels. Let T be an infinite tree of G. Since it is infinite and finitely branching, by König's lemma there is an infinite branch (Lₙ, n), (Lₙ₊₁, n + 1), …. We can then extract the infinite sequence Lₙ Lₙ₊₁ ⋯ satisfying the conditions in the statement of the lemma.
For the formal definition of D it is convenient to identify subsets of 2^Q and 2^α with formulas of B⁺(Q) and B⁺(α) (i.e., we identify a formula and its set of models). Further, we lift δ : Q × Σ → B⁺(Q) to δ : B⁺(Q) × Σ → B⁺(Q) in the canonical way.
Finally, given f ∈ B⁺(Q) and R ⊆ Q, we let f[ff/R] denote the result of substituting ff for every state of R in f. With these notations, the deterministic Büchi automaton D equivalent to A can be described in four lines: D = ⟨Σ, Q′, f′₀, δ′, α′⟩.

Proof. Let A = ⟨Σ, Q, f₀, δ, α⟩. Given a set M ⊆ Q, let A_M be the AWW[2] obtained from A by substituting ⋀_{q∈M} q for the initial formula f₀. We claim that for each minimal model M ∈ M₀ of f₀ we can construct a deterministic Rabin automaton (DRW) D_M with at most 2^(2^(n+2)) states and a single Rabin pair, recognizing the same language as A_M. Let us first see how to construct D, assuming the claim holds. By the claim we have L(A) = ⋃_{M∈M₀} L(A_M). So we define D as the union of all the automata D_M. Recall that given two DRWs with n₁, n₂ states and k₁, k₂ Rabin pairs we can construct a DRW for the union of their languages with n₁ · n₂ states and k₁ + k₂ pairs. Since f₀ has at most k models, D has at most k Rabin pairs and (2^(2^(n+2)))^k = 2^(2^(n+log₂k+2)) states. It remains to prove the claim. Partition M into M ∩ α and M \ α. We have A_{M∩α} ∈ AWW[2, A] and A_{M\α} ∈ AWW[2, R]. By Lemma 6.12 there exist a deterministic Büchi automaton D_{M∩α} and a deterministic co-Büchi automaton D_{M\α} equivalent to A_{M∩α} and A_{M\α}, respectively, both with at most 3^(2^n) states. Intersecting these two automata yields a deterministic Rabin automaton with at most 3^(2^(n+1)) ≤ 2^(2^(n+2)) states and a single Rabin pair.
The key result is that each φ_{X,Y} has a small number of different proper subformulas. (In fact, the number is even linear in the number of subformulas of φ.) Invoking Lemma 6.8 we obtain an A1W[2] with O(|sf(φ)|) states that recognizes L(φ_{X,Y}).

Lemma 6.15. Let φ be a formula. For every set X of GF-subformulas and every set Y of FG-subformulas of φ, there exists an A1W[2] with O(|sf(φ)|) states that recognizes L(φ_{X,Y}).

Proof. Due to Lemma 6.15, the alternating automaton A_{X,Y} that recognizes L(φ_{X,Y}) belongs to A1W[2] and has O(n) states. Applying the construction of Lemma 6.13 we obtain a DRW with 2^(2^O(n)) states and a single Rabin pair. Using the union operation for DRWs we obtain a DRW for φ with (2^(2^O(n)))^(2^O(n)) = 2^(2^O(n)) states and 2^O(n) Rabin pairs.

Determinization of Lower Classes
We now determinize AWW[1]. A deterministic automaton is terminal-accepting if all states are rejecting except a single accepting sink with a self-loop, and terminal-rejecting if all states are accepting except a single rejecting sink with a self-loop. It is easy to see that terminal-accepting and terminal-rejecting deterministic automata are closed under union and intersection. When applied to AWW[1, A], the construction of Lemma 6.12 yields automata whose states have a trivial Promising set (either the empty set or the complete level). Further, the successor of an α-level is also an α-level. From these observations we easily get:

Corollary 6.17. Let A be an automaton with n states.
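The closure under intersection mentioned above is witnessed by the standard product construction: the product of two terminal-accepting automata is again terminal-accepting, with the pair of sinks as its accepting sink. A sketch under a hypothetical dict-based encoding of ours:

```python
# Each automaton is (initial, trans, sink), where trans maps
# (state, letter) -> state and sink is the unique accepting sink.

def intersect_terminal(d1, d2):
    """Product of two terminal-accepting deterministic automata."""
    (i1, t1, s1), (i2, t2, s2) = d1, d2
    trans = {}
    frontier, seen = [(i1, i2)], {(i1, i2)}
    while frontier:
        q1, q2 = frontier.pop()
        for (p, a), r in t1.items():
            if p == q1 and (q2, a) in t2:
                nxt = (r, t2[(q2, a)])
                trans[((q1, q2), a)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return (i1, i2), trans, (s1, s2)
```

A word reaches the sink (s1, s2) of the product iff it reaches both sinks individually, and (s1, s2) is again a sink with a self-loop, so the product is terminal-accepting; union is handled dually on terminal-rejecting automata.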

A HIERARCHY OF ALTERNATING WEAK AND VERY WEAK AUTOMATA
The expressive power of weak and very weak alternating automata has been studied by Gurumurthy et al. [20] and by Pelánek and Strejček [39], respectively. Both papers identify the number of alternations between accepting and non-accepting states as an important parameter, and define a hierarchy of automata classes based on it. Let AWW_G[i] denote the class of AWW with at most i − 1 alternations defined in [20]. Similarly, let A1W_PS[i, A] and A1W_PS[i, R] denote the classes of A1W with at most i − 1 alternations and accepting or non-accepting initial state, respectively, defined in [39]. Finally, define A1W_PS[i] = A1W_PS[i, A] ∪ A1W_PS[i, R]. Figure 1 shows the results of [20] and [39]. We abuse language and, for example, write Π₂ = A1W_PS[2, A] to denote that the class of languages satisfying formulas in Π₂ and the class of languages recognized by automata in A1W_PS[2, A] coincide.
Unfortunately, the results of [20] and [39] do not "match", due to slight differences in the definitions of height.

Proof. We sketch the proofs of (1) and (3). The proof of (2) is analogous to that of (1).
(1): The ⊆-inclusion follows immediately from Lemmas 6.12 and 6.13 and Corollary 6.17. The ⊇-inclusion is a slight adaptation of similar proofs in [20]. In order to translate a DCW into an AWW[2, R] we duplicate the set of states into two sets of marked and unmarked states. We remove from the marked states all rejecting states, and add transitions that allow unmarked states to nondeterministically choose to move to another unmarked state or to its marked copy. Finally, we define all unmarked states to be rejecting and all marked states to be accepting. The proof of AWW[2, A] ⊇ DBW is dual. Finally, the inclusion AWW[2] ⊇ ω-regular follows from the previous two results; indeed, every ω-regular language is recognized by a DRW [44], and every DRW is equivalent to a Boolean combination of DBWs and DCWs, which we can express in the initial formula f₀ of the AWW[2].
(3): The ⊇-inclusion for Δᵢ is proven in Lemma 6.8. For a formula that belongs to Σᵢ (Πᵢ) we also rely on Lemma 6.8, but add a new initial state that is marked as rejecting (accepting) such that the automaton belongs to A1W[i, R] (A1W[i, A]).
For the ⊆-inclusion, let A = ⟨Σ, Q, f₀, δ, α⟩ be a very weak alternating automaton with Σ = 2^AP. We use the translation from A1W to LTL presented in [26, Thm. 6], with minimal modifications, to define a formula φ_A such that L(φ_A) = L(A). Then, we show that when A belongs to one of the classes in the hierarchy, φ_A belongs to the corresponding class of formulas. For the proof of correctness of the translation we refer the reader to [26].
For the definition of φ_A, we assign to every f ∈ B⁺(Q) an LTL formula φ(f) such that L(φ(f)) = L(A_f), where A_f denotes A with f as initial formula, and set φ_A := φ(f₀). Similarly, for the definition of φ(f), we first assign a formula φ(q) to every state q, and then define φ(f) as the result of substituting φ(q) for q in f, for every state q. It remains to define φ(q). Using that A is very weak, we proceed inductively, i.e., we assume that φ(q′) has already been defined for all q′ such that q → q′ and q ≠ q′. For every q ∈ Q and σ ∈ 2^AP, let f_{q,σ} and f′_{q,σ} be formulas such that δ(q, σ) ≡ (q ∧ f_{q,σ}) ∨ f′_{q,σ} (it is easy to see that they exist). We then define φ(q) as a U-formula over these components if q is rejecting, and as the corresponding W-formula if q is accepting. Since this translation assigns to each U-formula a rejecting state and to each W-formula an accepting state, the syntax tree of φ_A has an alternation between U and W exactly when there is an alternation between accepting and non-accepting states. This yields all the desired inclusions in Σ₁, Π₁, …, Δ₂.
Moreover, our single-exponential normalization procedure for LTL transfers to a single-exponential normalization procedure for A1W:

Lemma 7.2. Let A be an A1W with n states over an alphabet with k letters. There exists A′ ∈ A1W[2] with 2^O(nk) states such that L(A) = L(A′).

Proof. The translation from A1W to LTL used in Proposition 7.1 (an adaptation of [26]) yields a formula φ_A with at most O(nk) proper subformulas. Applying our normalization procedure to φ_A yields an equivalent formula in Δ₂ with at most 2^O(nk) proper subformulas (Lemma 6.15). Applying Lemma 6.8 we obtain the postulated automaton A′.

CONCLUSION
We have presented two purely syntactic normalization procedures for LTL that transform a given formula into an equivalent formula in Δ₂, i.e., a formula with at most one alternation between least- and greatest-fixpoint operators. The procedures have a single exponential blow-up, improving on the prohibitive non-elementary cost of previous constructions. This much better complexity (recall that normalization procedures for CNF and DNF are also exponential) makes them attractive for implementation and use in tools. We have presented a first promising application, namely a novel translation from LTL to DRW with double exponential blow-up. Finally, we have shown that the normalization procedure for LTL can be transferred to a normalization procedure for very weak alternating automata.
We think that these results demystify the Normalization Theorem of Chang, Manna, and Pnueli, which heavily relied on automata-theoretic results and involved a non-elementary blowup. Indeed, the only conceptual difference between our rewrite system and the one for bringing Boolean formulas into CNF is the use of rewrite rules with contexts.
Our normalization procedure has already found applications in the translation of LTL formulas into deterministic or limit-deterministic ω-automata [23, 34]. Until now normalization had not been considered, because of its non-elementary blow-up, much higher than the double exponential blow-up of existing constructions. With our new procedure, translations that first normalize the formula and then apply efficient formula-to-automaton procedures specifically designed for formulas in normal form have become competitive. Our system of rewrite rules makes this even more attractive. More generally, we think that the design of analysis procedures for formulas in normal form (to check satisfiability, equivalence, or other properties) should be further studied in the coming years.

Definition 4.1 (Basis and equivalence under context). Let B be a finite set of formulas over AP, called a basis. A context is a partition of B into a set C ⊆ B and the set B \ C. We denote a context by C | C̄. The language W_{C|C̄} of C | C̄ is the set of words that satisfy every formula of C and no formula of B \ C. Two formulas φ₁, φ₂ are equivalent under context C | C̄ if (w |= φ₁ ⇔ w |= φ₂) holds for every w ∈ W_{C|C̄}.

Remark 4.7. The Weak Contextual Equivalence Lemma is a corollary of the Contextual Equivalence Lemma. Indeed, the weak statement is obtained by choosing ≺ as the empty order (no two basis formulas are ordered), which is trivially well-founded. This implies ψ↓ = ∅ for every basis formula ψ and, by Lemma 4.2, we are forced to take ψ|_{C↓} = ψ|_∅ = ψ for any ψ ∈ B and context C ⊆ ∅.

Proof. Let G = (V, E) be the graph with vertices V = ⋃_{i≥n} {(S, i) | S ∈ Promising_i} and edges E = ⋃_{i≥n} {((S, i), (S′, i+1)) | S ∈ Promising_i and S′ is a w[i]-successor of S}. This is well-defined since such an S′ belongs to Promising_{i+1} by definition. G is infinite because Promising_i ≠ ∅ for all i ≥ n, and the degree of each vertex is finite since |Promising_i| ≤ 2^{|Q|}. Moreover, G is acyclic, because the second entry of each pair is monotonically increasing, and it consists of as many connected components as there are sets S ∈ Promising_n. Indeed, every S_{i+1} ∈ Promising_{i+1} is a w[i+1]-successor of some S_i ∈ Promising_i by definition of the Promising sets, so, inductively, we can go back to a set S_n ∈ Promising_n. Hence G is the union of |Promising_n| ≤ 2^{|Q|} trees, and at least one of them must be infinite because G is.
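The layered graph in this König-style argument can be sketched on a finite truncation. The helper below (names are mine) enumerates the paths through the first few Promising layers; in the proof, the nonemptiness of every layer together with finite out-degrees guarantees that one of the finitely many trees rooted at the first layer is infinite.

```python
def layered_paths(promising, successors):
    """All paths S_0 S_1 ... S_k through the layered graph, where S_0 lies in
    the first Promising layer and S_{i+1} is a successor of S_i that lies in
    the (i+1)-th Promising layer."""
    paths = [[s] for s in promising[0]]
    for i in range(len(promising) - 1):
        paths = [p + [t] for p in paths
                 for t in successors(p[-1], i) if t in promising[i + 1]]
    return paths
```

On a hypothetical two-state example where state 0 can move to 0 or 1 and state 1 only to 1, every layer stays populated and the path count grows with the depth, mirroring the infinite tree in the proof.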
Definition 4.15. Let GFφ ∈ B and let Φ ⊆ ↓GFφ. We define (GFφ)[Φ↓] ≔ GF(φ[Φ]). Since φ[Φ] ∈ Π1, we have GF(φ[Φ]) ∈ Π2, the dual of Σ2.
We now prove the counterpart of Proposition 4.14:
Proposition 4.16. Let GFφ be a basis formula. For every Φ ⊆ ↓GFφ, the formula (GFφ)[Φ↓] belongs to Δ2. Further, GFφ and (GFφ)[Φ↓] are equivalent under context Φ|↓GFφ. Finally, if Φ ⊆ Φ′ then (GFφ)[Φ↓] ⊨ (GFφ)[Φ′↓].
Proof. Each of the three statements follows by duality from Proposition 4.14. Given any formula GFφ and any two sets Φ, Φ′ ⊆ ↓GFφ, we instantiate Proposition 4.14 with the dual FG-formula and the dual sets. For the first statement, the negation of (GFφ)[Φ↓] is of the form FG(...) ∈ Δ2, and Δ2 is closed under negation. Let us now prove that GFφ and (GFφ)[Φ↓] are equivalent under context Φ|↓GFφ. Their negations are FG-formulas by definition. Moreover, by Lemma 4.2(4), two formulas are equivalent under a context iff they are equivalent under the dual context. So it suffices to show that the dual FG-formulas are equivalent under the dual context, which follows from Proposition 4.14. Finally, let Φ ⊆ Φ′. We show (GFφ)[Φ↓] ⊨ (GFφ)[Φ′↓]. Since Φ ⊆ Φ′, the dual sets satisfy the reverse inclusion, and so ¬(GFφ)[Φ′↓] ⊨ ¬(GFφ)[Φ↓], where the ⊨-step applies Proposition 4.14. By modus tollens, we are done.
4.4 Contextual normalization III: The formula ν[Φ↓]
We search for a formula that satisfies conditions (i) and (ii) of the Contextual Equivalence Lemma and belongs to Δ2. Lemma 4.17 gives such a formula for the case in which ν = Gφ for some formula φ. Let us first explain the idea. By the equivalence Gφ ≡ φ U Gφ, given a word w and Φ ⊆ B_GF, the following is true for every index j ≥ 0: w ⊨ φ U Gφ iff w_i ⊨ φ for every i ≤ j and w_j ⊨ Gφ. Observe that the form of this statement is already close to condition (i) of the Contextual Equivalence Lemma. The final trick is to choose j as the stabilization index of w with respect to B. Applying Lemma 4.13, since Φ ⊆ B_GF it suffices to show that the formulas are equivalent under context Φ|B_GF. We prove w ⊨ Gφ iff w ⊨ φ U G(φ[Φ]) iff w ⊨ G(φ[Φ]) R φ for every w ∈ L(Φ|B_GF). So fix an arbitrary w ∈ L(Φ|B_GF). Assume w ⊨ Gφ. Then, in particular, we have w ⊨ FGφ. By Lemma 4.13, (w_i ⊨ φ ⇔ w_i ⊨ φ[Φ]) holds for every i beyond the stabilization index of w with respect to B. So, in particular, we have w ⊨ FG(φ[Φ]). It follows that w ⊨ Gφ ∧ FG(φ[Φ]). For the converse, either Gφ holds and we are already done, or we can apply the previous argument with ≤ instead of <.
It is easy to extend Lemma 4.17 to all W- and R-formulas.
Lemma 4.18. Let φ1 and φ2 be formulas. (1) For every Φ ⊆ B_GF, the formulas φ1 W φ2 and φ1 U (φ2 ∨ G(φ1[Φ])) are equivalent under context Φ. (2) For every Φ ⊆ B_GF, the formulas φ1 R φ2 and (φ1 ∨ G(φ2[Φ])) M φ2 are equivalent under context Φ.
Proof. We only prove the first case. If L(Φ|B_GF) = ∅, the proposition trivially holds. Let w ∈ L(Φ|B_GF). (⇒) Assume w ⊨ φ1 W φ2, and consider two cases. If w ⊨ Gφ1, then w ⊨ φ1 U G(φ1[Φ]) (Lemma 4.17), and so w ⊨ φ1 U (φ2 ∨ G(φ1[Φ])). If w ⊭ Gφ1, then we have w ⊨ φ1 W φ2 iff w ⊨ φ1 U φ2 by the semantics of LTL, and then w ⊨ φ1 U φ2 implies w ⊨ φ1 U (φ2 ∨ G(φ1[Φ])).
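The W-case of this rewrite is easy to render syntactically. The sketch below (class names mine) applies the transformation φ1 W φ2 → φ1 U (φ2 ∨ G(φ1[Φ])) bottom-up on an abstract syntax tree; the context-dependent substitution operator is only stubbed as the identity, since its full definition depends on the basis.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AP:
    name: str

@dataclass(frozen=True)
class U:
    left: object
    right: object

@dataclass(frozen=True)
class W:
    left: object
    right: object

@dataclass(frozen=True)
class Or:
    left: object
    right: object

@dataclass(frozen=True)
class G:
    arg: object

def subst(phi, ctx):
    """Stub for the context substitution φ[Φ]; the real operator rewrites
    basis subformulas according to the context."""
    return phi

def rewrite_W(phi, ctx):
    """Apply the W-rule bottom-up: φ1 W φ2 → φ1 U (φ2 ∨ G(φ1[Φ]))."""
    if isinstance(phi, W):
        l, r = rewrite_W(phi.left, ctx), rewrite_W(phi.right, ctx)
        return U(l, Or(r, G(subst(l, ctx))))
    if isinstance(phi, (U, Or)):
        return type(phi)(rewrite_W(phi.left, ctx), rewrite_W(phi.right, ctx))
    if isinstance(phi, G):
        return G(rewrite_W(phi.arg, ctx))
    return phi
```

Note that the rule eliminates the greatest-fixpoint operator W in favour of U plus a G applied to a contextually substituted formula, which is exactly what limits the fixpoint alternation of the result.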
The formulas φ and φ[Φ] are equivalent under context Φ|B_GF. By Lemma 4.2(3), it suffices to show that (w ⊨ φ ⇐⇒ w ⊨ φ[Φ]) holds for every Φ ⊆ B_GF and for every w ∈ L(Φ|B_GF). We proceed by structural induction on φ. The base of the induction is φ ∈ {tt, ff, a, ¬a}. In all these cases we have φ[Φ] = φ by definition, and we are done. All cases in which φ[Φ] is defined homomorphically are handled in the same way, and so we consider only the case φ = φ1 U φ2. Fix Φ ⊆ B_GF and w ∈ L(Φ|B_GF). We prove (w ⊨ φ ⇐⇒ w ⊨ φ[Φ]). Applying the induction hypothesis to φ1 and φ2, the formulas φ1, φ2 and φ1[Φ], φ2[Φ] are equivalent under context Φ|B_GF. Moreover, w_i ∈ L(Φ|B_GF) for all i ≥ 0 by the limit properties of GF-subformulas, and this yields the equivalence.
So the sets Promising_n, Promising_{n+1}, Promising_{n+2}, ... are all nonempty, and D accepts w. Conversely, assume there is an n such that Promising_n, Promising_{n+1}, Promising_{n+2}, ... are all nonempty. Then we can construct a run of A on w by picking a sequence of levels l_n l_{n+1} ... such that l_i is a w[i]-successor of l_{i−1} for every i > n, which belong by definition to the Promising sets, and then picking levels l_0 l_1 ... l_{n−1} such that l_i ∈ Levels_i for every 0 ≤ i ≤ n − 1. The level sequence of this run is infinite, and from n onwards it only contains accepting levels, which implies that the run is accepting.
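The inductive shape of the substitution operator can be illustrated as follows. The sketch below (names mine) is only a toy instantiation: it is the identity on tt, ff and literals, acts homomorphically on all other connectives, and resolves basis formulas through the context by replacing them with tt or ff. The paper's actual operator φ[Φ] is defined differently on basis formulas, but the structural-induction skeleton used in the proof is the same.

```python
def subst(phi, ctx, basis):
    """Toy φ[Φ] over tuple-shaped ASTs like ("U", l, r) or ("ap", "a"):
    base cases unchanged, basis formulas resolved by the context,
    every other node rebuilt homomorphically over substituted children."""
    if phi in basis:                        # a basis (GF-)subformula
        return ("tt",) if phi in ctx else ("ff",)
    kind = phi[0]
    if kind in ("tt", "ff", "ap", "nap"):   # base of the induction: φ[Φ] = φ
        return phi
    # homomorphic cases, e.g. (φ1 U φ2)[Φ] = φ1[Φ] U φ2[Φ]
    return (kind,) + tuple(subst(c, ctx, basis) for c in phi[1:])
```

Because every non-basis case is homomorphic, the induction in the proof only needs to check the base cases and one representative connective, exactly as done above for U.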
yielding a DRW with at most 2^(2n+2) states and a single Rabin pair, and we are done. The construction of Lemma 6.12 is close to Miyano and Hayashi's translation of alternating automata to non-deterministic automata [35], and to Schneider's translation of Σ2 formulas to deterministic co-Büchi automata [45, p. 219], all based on the break-point idea.
6.4 Translation of LTL to DRW
Combining a normalization procedure LTL → Δ2, the procedure Δ2 → A1W[2] of Section 6.2, and the determinization procedure of Section 6.3, we obtain a translation LTL → DRW. Since the procedures involve a single-exponential, a linear, and a double-exponential blow-up, respectively, a straightforward composition only yields a triple-exponential bound. However, a closer examination of the closed-form Δ2-formula provided by Theorem 4.22 allows us to reduce the bound to double-exponential.
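The break-point idea mentioned above can be sketched in a few lines. The generator below (names mine, in the spirit of Miyano and Hayashi rather than the paper's exact construction) deterministically tracks the pair (S, O): the set S of all reachable states and the set O of runs that have avoided rejecting states since the last break-point; a word is accepted iff only finitely many break-points occur.

```python
def breakpoints(delta, init, rejecting, letters):
    """Deterministic break-point tracking for a nondeterministic co-Büchi
    automaton: yields True at each break-point (O ran empty), False otherwise.
    Acceptance of an infinite word = finitely many Trues."""
    S = frozenset(init)
    O = S - rejecting
    for a in letters:
        S = frozenset(q for s in S for q in delta(s, a))
        O = frozenset(q for s in O for q in delta(s, a)) - rejecting
        if not O:            # break-point: every tracked run was dirtied
            O = S - rejecting
            yield True
        else:
            yield False
```

On a hypothetical two-state automaton where state 0 is rejecting and can branch to the non-rejecting sink 1, a single early break-point occurs and then O stabilizes on the good run, so the word is accepted.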