\subsubsection{Syntax}
\erin
% Provide formal syntax
% Provide intuitive semantics
% Provide formal semantics
This subsection describes the syntax of PLTL. PLTL uses the same operators as LTL and adds two additional operators: $\Pop$ (pronounced \enquote{previously}) and $\Sop$ (pronounced \enquote{since}). The $\Pop$-modality is the past counterpart of $\Xop$: the formula $\Pop\phi$ holds at some moment if $\phi$ held in the previous \enquote{step}. The $\Sop$-modality is the past counterpart of $\Uop$: $\phi_1\Sop\phi_2$ holds if $\phi_2$ held at some previous moment and $\phi_1$ held ever after that moment, up to and including the current moment.

\begin{definition}[Syntax of PLTL]
\label{def:syntax}
PLTL formulae over the set $AP$ of atomic propositions are formed according to the following grammar:
\[ \phi ::= \left.\raisebox{0pt}[5pt][5pt]{} \top \enspace\middle|\enspace a \enspace\middle|\enspace \phi_1 \land \phi_2 \enspace\middle|\enspace \lnot \phi \enspace\middle|\enspace \Xop \phi \enspace\middle|\enspace \phi_1 \Uop \phi_2 \enspace\middle|\enspace \Pop \phi \enspace\middle|\enspace \phi_1 \Sop \phi_2 \right. \]
where $a \in AP$.
\end{definition}
\camil
We additionally define $\lor, \rightarrow, \leftrightarrow, \bot$ using this syntax as usual. The precedence order of the operators borrowed from LTL remains the same. $\Pop$ binds as strongly as $\Xop$ and $\lnot$. $\Sop$ takes precedence over $\Uop$ and, like $\Uop$, is right-associative.

In discourse, it can be helpful to distinguish different kinds of PLTL formulas.
\begin{definition}[Well-formed PLTL formulas (following \citet{Gabbay1989})]
A well-formed PLTL formula (\wff) is any formula adhering to the syntax of \cref{def:syntax} (ignoring, for simplicity, parentheses). Additionally, we define the classes \wffn\ (pure present \wff), \wfff\ (pure future \wff) and \wffp\ (pure past \wff) inductively as the smallest classes conforming to the following rules:
\begin{itemize}
\item Atomic propositions and $\top$ are \wffn.
\item If $\phi,\psi \in \wffn \cup \wfff$, then $\phi \Uop \psi, \Xop\phi \in \wfff$.
\item If $\phi,\psi \in \wffn \cup \wffp$, then $\phi \Sop \psi, \Xop^{-1}\phi \in \wffp$.
\item If $\phi,\psi \in W$, then $\lnot\phi, \phi\land\psi \in W$, for all $W \in \{\wffn,\wffp,\wfff\}$. \qedhere
\end{itemize}
\end{definition}
Note that the classes \wffn, \wffp\ and \wfff\ are mutually disjoint. Furthermore, there are \wff\ that belong to none of these classes, like $\Xop a \land \Xop^{-1} a$. However, as we will see in \cref{pltl:to-ltl:syntactic}, every PLTL formula can be written as a boolean combination of formulas from $\wfff \cup \wffp \cup \wffn$.

As with LTL, we can also derive additional operators in PLTL. They can be seen as counterparts of the derived LTL modalities $\square$ and $\lozenge$: $\square^{-1}$ (\enquote{was always}, from the beginning until now) and $\lozenge^{-1}$ (\enquote{was sometime}, now or at some point before now).
\erin
\begin{definition}[Derived PLTL operators]
Given $\phi \in PLTL$, then:
\[ \begin{array}{rlrl} \Fop \phi &\defeq \top \Uop \phi \qquad & \Gop \phi &\defeq \neg \Fop \neg \phi \\ \Fop^{-1} \phi &\defeq \top \Sop \phi & \Gop^{-1} \phi &\defeq \neg \Fop^{-1} \neg \phi \end{array} \qedhere \]
\end{definition}
Their intuitive meaning is as follows. $\Fop^{-1} \phi$ ensures that at some point in the past $\phi$ was true. $\Gop^{-1} \phi$ is satisfied when there is no moment in the past at which $\phi$ did not hold. In other words, $\Gop^{-1}\phi$ expresses that $\phi$ held globally up to this point.

\Cref{fig:PLTL_intuitive} shows the intuitive meanings of the past modalities for the simple case where $a$ and $b$ are the only atomic propositions. The left hand side of the figure shows some PLTL formulae; the right hand side shows sequences for which these formulae hold. Since we also need to consider the past, we include an arrow that points to the state at which the formula holds.
\begin{figure} \tikzset{intuitive semantics/.style={shorten >=1pt,node distance=16mm,on grid,initial text={},baseline=-0.5ex,->}} \tikzset{arbitrary/.style={state,label={[font=\relsize{-2}]arbitrary}}} \centering \[\begin{array}{rcl} \text{since} & a \Sop b & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[state,label=$b$] (2) [right of=1] {}; \node[state,label=$a$] (3) [right of=2] {}; \node (4) [right of=3] {\dots}; \node[state,label=$a$,initial below] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{previously} & \Pop a & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[arbitrary] (2) [right of=1] {}; \node[arbitrary] (3) [right of=2] {}; \node[state,label=$a$] (4) [right of=3] {}; \node[arbitrary,initial below] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{was sometime} & \Fop^{-1} a & \begin{tikzpicture}[intuitive semantics] \node (0) {\dots}; \node[arbitrary] (1) [right of=0] {}; \node[state,label=$a$] (2) [right of=1] {}; \node[arbitrary] (3) [right of=2] {}; \node (4) [right of=3] {\dots}; \node[arbitrary,initial below] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture}\\ \text{was always} & \Gop^{-1} a & \begin{tikzpicture}[intuitive semantics] \node[state,label=$a$] (0) {}; \node[state,label=$a$] (1) [right of=0] {}; \node[state,label=$a$] (2) [right of=1] {}; \node (3) [right of=2] {\dots}; \node[state,label=$a$] (4) [right of=3] {}; \node[state,label=$a$,initial below] (5) [right of=4] {}; \node (6) [right of=5] {\dots}; \path (0) edge (1)(1) edge (2)(2) edge (3)(3) edge (4)(4) edge (5)(5) edge (6); \end{tikzpicture} 
\end{array}\]
\caption{%
Intuitive semantics of past modalities. The current state is indicated with an arrow below it. All states following the current state are arbitrary.}
\label{fig:PLTL_intuitive}
\end{figure}
\camil
\label{pltl:dual-modalities}
Dual modalities, like the LTL combinations $\square\lozenge$ (\enquote{infinitely often}) and $\lozenge\square$ (\enquote{eventually forever}), are less useful with past modalities. $\square^{-1}\lozenge^{-1}\phi$ intuitively holds when at every point in the past, $\phi$ held or there was an earlier moment at which $\phi$ held. This is satisfied precisely when $\phi$ held at the first moment in time. Interestingly, $\lozenge^{-1}\square^{-1}\phi$ means the same: it holds when $\phi$ held from the beginning until some moment in the past, which again is the case exactly when $\phi$ held at the first moment. The reason that dual past modalities are less useful is that we still consider traces with a fixed starting point. Thus, while with future modalities it is possible to look infinitely far into the future, it is not possible to look infinitely far into the past.

Before turning to the formal semantics in the next subsection, we provide some examples of PLTL formulae and their uses.
\begin{example}[Properties for a Traffic Light]
We return to the traffic light of Example 5.4. Since dual past modalities are less useful than dual future modalities, we cannot express the liveness property $\square\lozenge\textsl{green}$ with a pure past formula. However, the requirement \enquote{once red, the light cannot become green immediately} \emph{can} be expressed with past modalities. To rewrite it, consider that this requirement is equivalent to \enquote{if green, the light cannot have been red previously}. This yields the formula:
\[\square(\textsl{green} \rightarrow \lnot \Pop\textsl{red}) \qedhere\]
\end{example}
\begin{example}[A property for an Authentication System]
\label{ex:pltl:authentication-system}
\citet{FiterauBrostean2017} use past modalities to describe properties of the Secure Shell (SSH) protocol.
One property says that if a channel is opened, there must have been some successful authentication attempt in the past~\citep[p.~149]{FiterauBrostean2017}. Also, since that successful authentication, no authentication failure may have occurred. This property is expressed by $\square(\textsl{hasOpenedChannel} \rightarrow \lnot \textsl{authFailure} \Sop \textsl{authSuccess})$. An equivalent LTL formula is $\lnot \psi \land \square\lnot(\textsl{authFailure} \land \psi)$, where $\psi = \lnot\textsl{authSuccess} \Uop (\textsl{hasOpenedChannel} \land \lnot\textsl{authSuccess})$. If $\psi$ holds, a channel will be opened without a prior authentication success. Therefore, $\psi$ must hold neither at the beginning nor at any moment when authentication fails. The LTL formula is derived algorithmically in \cref{ex:pltl-to-ltl:authentication}. The LTL formula is slightly larger than the PLTL formula and somewhat harder to understand.
\end{example}
\begin{example}[Protocol Dependencies]
\label{ex:pltl:protocol-dependencies}
Past modalities can be useful to describe a protocol in which messages have dependencies. For example, the Secure Shell (SSH) protocol requires that keys have been exchanged between two machines before an authentication request can be handled: if authentication were handled before keys are exchanged, the communication could be intercepted, leaking login details. On an abstract level, there are formulas $\phi_1,\dots,\phi_n,\psi$, and $\psi$ should only hold if $\phi_1,\dots,\phi_n$ held previously (and in that order). In the case of SSH, $\psi$ is the handling of an authentication request; $\phi_1,\dots,\phi_n$ indicate that keys are exchanged correctly. \citet{FiterauBrostean2017} modelled this property using the $\lozenge^{-1}$ modality, which expresses such a dependency directly.
The formula is given here for $n=3$ (as is the case for SSH):
\[ \square \big(\psi \rightarrow \lozenge^{-1} (\phi_3 \land \lozenge^{-1} (\phi_2 \land \lozenge^{-1} \phi_1))\big) \qedhere \]
\end{example}
\begin{remark}[Other Notations]
As for LTL, many different notations are used in the literature for PLTL. These include $\mathbf X^{-1}, \mathbf G^{-1}, \mathbf F^{-1}$~\citep{Markey2003}, but also \raisebox{-1pt}{\tikz\draw[black,fill=black](0,0)circle(.4em);}$,\blacksquare,\blacklozenge$~\citep{Gabbay1989} and $\stackinset{c}{}{c}{}{$\cdot$}{$\Xop$},\boxdot,\stackinset{c}{}{c}{}{$\cdot$}{$\lozenge$}$~\citep{Havelund2002}.
\end{remark}
\cbend
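The following is an added worked example, not part of the text above nor code from \citet{FiterauBrostean2017}: a small evaluator for the past-only fragment of PLTL over a finite trace, used to check the authentication property of \cref{ex:pltl:authentication-system}, the $n=3$ dependency formula of \cref{ex:pltl:protocol-dependencies}, and the coincidence of $\square^{-1}\lozenge^{-1}\phi$ and $\lozenge^{-1}\square^{-1}\phi$ from \cref{pltl:dual-modalities} on constructed event sequences. The key-exchange step names \texttt{kex1}, \texttt{kex2}, \texttt{kex3}, the request name \texttt{authRequest}, and the reading of $\square$ as \enquote{at every observed position of the finite trace} are assumptions of the example.

```python
# Added example (not from the text): evaluator for the past-only fragment of
# PLTL over a finite trace, i.e. a list of states, each a set of propositions.
# Formulas are nested tuples: ("top",), ("ap", a), ("not", f), ("and", f, g),
# ("Y", f) for "previously" and ("S", f, g) for "since"; F^{-1} and G^{-1}
# are derived exactly as in the definition of the derived PLTL operators.

def holds(f, trace, i):
    """Does formula f hold at position i of trace?"""
    op = f[0]
    if op == "top":
        return True
    if op == "ap":
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "Y":  # previously: a previous step exists and f held there
        return i > 0 and holds(f[1], trace, i - 1)
    if op == "S":  # since: g held at some k <= i and f held at every l, k < l <= i
        return any(holds(f[2], trace, k)
                   and all(holds(f[1], trace, l) for l in range(k + 1, i + 1))
                   for k in range(i + 1))
    raise ValueError(f"unknown operator {op}")

def ap(a): return ("ap", a)
def neg(f): return ("not", f)
def implies(f, g): return ("not", ("and", f, ("not", g)))
def once(f): return ("S", ("top",), f)       # F^{-1} f  =  top S f
def hist(f): return neg(once(neg(f)))        # G^{-1} f  =  not F^{-1} not f

def always(f, events):
    """Monitoring reading of box(f) for pure-past f: f holds at every observed position."""
    trace = [{e} for e in events]            # constructed trace: one event name per step
    return all(holds(f, trace, i) for i in range(len(trace)))

# SSH property: box(hasOpenedChannel -> not authFailure S authSuccess)
AUTH_OK = implies(ap("hasOpenedChannel"),
                  ("S", neg(ap("authFailure")), ap("authSuccess")))

# Dependency formula for n = 3; kex1..kex3 and authRequest are assumed names.
DEPS_OK = implies(ap("authRequest"),
                  once(("and", ap("kex3"), once(("and", ap("kex2"), once(ap("kex1")))))))

def dual_past_agree(events, a):
    """At every position, G^{-1}F^{-1}a, F^{-1}G^{-1}a and 'a at the first moment' coincide."""
    trace = [{e} for e in events]
    return all(holds(hist(once(ap(a))), trace, i) == holds(once(hist(ap(a))), trace, i)
               == holds(ap(a), trace, 0) for i in range(len(trace)))
```

A failure followed by a fresh success before the channel opens satisfies AUTH_OK, while a success followed by a failure does not, which is exactly the distinction the since operator draws.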