Hennessy-Milner Results for Probabilistic PDL

Kozen introduced probabilistic propositional dynamic logic (PPDL) in 1985 as a compositional framework to reason about probabilistic programs. In this paper we study expressiveness for PPDL and provide a series of results analogous to the classical Hennessy-Milner theorem for modal logic. First, we show that PPDL characterises probabilistic trace equivalence of probabilistic automata (with outputs). Second, we show that PPDL can be mildly extended to yield a characterisation of probabilistic state bisimulation for PPDL models. Third, we provide a different extension of PPDL, this time characterising probabilistic event bisimulation.


Introduction
Probabilistic programming is an extension of imperative programming that enables the specification and implementation of randomized network and security protocols, machine learning and quantum algorithms. The variety of applications has recently led to a rapidly growing interest in the probabilistic perspective. Reasoning about the correctness of such programs, and more generally verifying properties such as convergence and termination, is quite intricate. It is thus important to establish formal techniques that enable these forms of reasoning.
The origins of the formal semantics of probabilistic programs can be traced back to the early 1980s. The seminal work by Kozen [13,14] describes how to use Markov Kernels to give precise denotational semantics to simple imperative probabilistic programs. Probabilistic programs allow one to encode conditionals and iterations parametric on a coin flip: e.g., "execute program p with probability 0.3 and program q with probability 0.7". Thus, their semantics is not simply a relation from inputs to outputs, but rather a map from an initial state to a (sub-)distribution over possible final states. Reasoning about correctness of such programs differs from the classical setting in that one moves from a Boolean perspective (is a property true or not) to a quantitative one (is a property true with high probability).
Probabilistic propositional dynamic logic (PPDL) [14] establishes a framework for expressing and verifying properties of probabilistic programs, which moves from the traditional truth-functional interpretation to a quantitative one. Many properties of probabilistic programs, like termination, can be encoded and verified in PPDL. The box and diamond modalities in PPDL can be thought of as probabilistic analogues of Dijkstra's weakest preconditions [5]. McIver and Morgan [15], and more recently, also Katoen and Kaminski [12,16], have developed a quantitative analogue of Dijkstra's calculus to reason about termination of probabilistic programs, which is closely related to PPDL. In addition to applications in verification, PPDL has found its way to other areas, e.g. it has been used to reason about uncertainty and knowledge in multi-agent systems [8].
On the other hand, Hennessy and Milner first noticed a relationship between bisimulation of labelled transition systems (LTS) and a simple modal logic, subsequently referred to as Hennessy-Milner logic (HML) [10]. In particular, they proved that HML characterises bisimilarity (the largest bisimulation) within the class of image-finite LTS: two states in an image-finite LTS are bisimilar if and only if they satisfy exactly the same HML formulas. The existence of such a characterisation of bisimilarity has practical implications for verification of properties: if two states of a system belong to the same HM class, then they can be checked for bisimulation equivalence by looking at HML formulas instead. Moreover, and perhaps more interestingly, if two states are not bisimilar, then one can find an HML formula to witness the failure of (and serve as counter-example to) bisimilarity. For a simple logic such as HML, this is a considerable advantage.
Since the seminal paper of Hennessy and Milner, analogous characterisations have been studied for other logics and systems. In particular, there has been growing interest in the quantitative setting. For example, an HML-style simple logic, called L 0 , was introduced in [3,2] to characterise state and event bisimilarity for labelled Markov processes (LMPs). Later on, Desharnais et al. [4] proposed a real-valued logic which gives the same characterisation result for LMPs. Doberkat [6] studied stochastic Kripke models, and introduced (Boolean-valued) stochastic PDL to characterise behavioural equivalence of such models.
In this work, we continue this line of research by studying Hennessy-Milner properties for PPDL. The main contributions of the paper (and its technical roadmap) are as follows:
(i) First, we show that PPDL functions (or, more precisely, PPDL with well-structured programs) characterise probabilistic trace equivalence of PPDL models. These are the probabilistic analogues of Kripke models: probabilistic automata with a continuous state space and multiple output functions (Section 3). Not unexpectedly, the challenge here is to prove that trace equivalence implies PPDL equivalence.
(ii) In Section 4, we show that a small extension of PPDL, which we call PPDL + , characterises probabilistic state bisimilarity for PPDL models (with analytical state spaces). PPDL + extends PPDL with additional function constructors (for Boolean functions) of the form (−) > r, where r is an arbitrary non-negative rational.
(iii) In Section 5, we show that a different extension of PPDL, which we call PPDL , characterises probabilistic event bisimilarity for PPDL models. Note that, differently from state bisimulation, this result does not require the state spaces to be analytical.

Preliminaries
In this section, we fix some basic notation and recall the necessary background on Markov Kernels, PPDL, and labelled Markov processes.

Measurable spaces, Markov Kernels, and Categories.
A measurable space is a set X equipped with a σ-algebra Σ X on X: Σ X ⊆ P(X) is a collection of subsets of X such that it includes X, is closed under complement, and is closed under countable intersections. When no confusion arises, we shall often refer to a measurable space simply by its underlying set. Given two measurable spaces (X, Σ X ) and (Y, Σ Y ), we recall the following notions: In particular, a (sub-)probability measure is one such that μ(X) = 1 (or μ(X) ≤ 1).
Finally, we recall the definition of analytic space -for more details, see e.g. [7]. A metric space M is complete if every Cauchy sequence of points in M has a limit in M, and separable if M contains a countable dense subset. A Polish space is the topological space underlying a complete and separable metric space. Suppose (X, Σ X ) is Polish. A subset C of X is analytic in X if it is the continuous image of some Polish space. A measurable space (Y, Σ Y ) is analytic if it is measurably isomorphic to some analytic set C in a Polish space (X, Σ X ).

Probabilistic propositional dynamic logic (PPDL)
We now recall the basic syntax and semantics for PPDL from [14]. A PPDL signature is a pair of finite sets (P, F), where P and F are respectively the sets of primitive programs and primitive functions. The programs, functions and formulas of PPDL are defined as: where a, b ∈ Q ≥0 are non-negative rational numbers. Often we shall omit the operators "·" and ";" when the context is clear, so that Bf and pq stand for B · f and p; q, respectively. Note that primitive functions F ∈ F appear also as Booleans. This is because, as we will see below, primitive functions are interpreted as {0, 1}-valued measurable functions on the state space.

Remark 2.1
In the paper originally introducing PPDL [14], arbitrary linear combinations of functions are allowed. In our presentation, we admit only positive linear combinations for the sake of simplicity. Note that eliminating such restriction would not affect the results that we prove.

Remark 2.2
As we will see, PPDL formulas do not actually play a role in the results of the next sections, which instead revolve around PPDL functions. We still included formulas in our presentation for two reasons. First, to adhere to the original definition of PPDL, as in [14]. Second, to contrast formulas with the function constructor (−) > r that we will introduce in Section 4, see Remark 4.1 below.
To emphasise how PPDL programs capture standard programming constructs, we shall also use the following abbreviations:
if B then p else q := (B?; p) + (¬B?; q)
while B do p := (B?; p) * ; (¬B)?
In this paper we will focus on the fragment of well-structured programs, where the usage of linear combination and iteration is restricted: Such restriction, which already appears in [14], has a natural justification. Intuitively, the Kleene star p * of a program p describes finite iterations of execution of p, which may not always converge to a finite value for all inputs. The restriction to well-structured programs enforces the semantics of p * (and all programs as given above) to be defined everywhere and return a real value in [0, 1] (for a full proof see e.g. [17]). Whenever we want to emphasise such restriction, we will refer to the fragment of PPDL whose programs are well-structured as well-structured PPDL.
A PPDL model for the signature L = (P, F) is a tuple X = (X, Σ X , V P , V F ), where:
• (X, Σ X ) is a measurable space (called the state space), and X is called the set of states.
• V F assigns to every F ∈ F a measurable function X → {0, 1}.
• Boolean functions are interpreted as {0, 1}-valued measurable functions:
• Functions are interpreted as measurable functions X → [0, +∞):
• Formulas are interpreted as {0, 1}-valued measurable functions: 0 otherwise
A pointed PPDL model is a model X together with a state x ∈ X. We say two pointed models (X , x) and (Y, y) are equivalent with respect to PPDL functions (denoted as (X , , for all functions f . We will also encounter other logics, whose syntax does not have functions but just formulas: with slight abuse of notation, for such logic L, we will use ≡ L to mean the binary relation that two (pointed) L-models are equivalent with respect to all L-formulas.

Labelled Markov processes and probabilistic bisimulation.
Given a finite set of actions A, a labelled Markov process (LMP) is an A-labelled tuple (X, Σ X , τ a ) a∈A , where (X, Σ X ) is a measurable space, and for each a ∈ A, τ a : X × Σ X → [0, 1] is a sub-Markov kernel.
We are going to study two different notions of bisimulation for LMPs. Suppose (X, Σ X , τ a ) a∈A is an LMP. First, we introduce state bisimulation [18]. For a relation R ⊆ X × X and a subset A ⊆ X, we say that A is R-closed if for any xRx′, one has x ∈ A if and only if x′ ∈ A. The relation R ⊆ X × X is a (LMP) state bisimulation if for any xRx′, a ∈ A, and R-closed A ∈ Σ X , We say two pointed LMPs (X , x) and (X , x′) are state bisimilar, denoted as (X , x) s 0 (X , x′), if there exists a state bisimulation R ⊆ X × X such that xRx′. There is another notion of bisimulation on LMPs, called event bisimulation [2]. A sub-σ-algebra Λ ⊆ Σ X is an event bisimulation if (X, Λ, τ a ) a∈A is also an LMP. Such Λ generates a binary relation R(Λ), such that (x, x′) ∈ R(Λ) if x ∈ A precisely when x′ ∈ A, for all A ∈ Λ. With a slight abuse of terminology, we may also refer to this R(Λ) as an event bisimulation when Λ is. We say two pointed LMPs (X , x) and (X , x′) are event bisimilar, denoted as (X , x) e 0 (X , x′), if there exists an event bisimulation Λ such that (x, x′) ∈ R(Λ).
It is worth noting that state and event bisimulation coincide in discrete settings and for analytic state spaces. However, in general, the two notions are orthogonal [2,20]. From a categorical point of view, LMP state bisimulations are spans in the category of LMPs with analytic state spaces (seen as coalgebras). Note that the spans are properly definable (as a weak pullback) only when the LMPs are analytic [3,18]. On the other hand, LMP event bisimulations are cospans of surjections in the category of LMPs, which are definable without any need of the analyticity restriction [2].

Logical characterisation of bisimilarity for LMPs.
For our later developments, it is important to recall two Hennessy-Milner results in the context of LMPs. The simple logic L 0 [3] is defined inductively as follows: where a ∈ A is an action and r is a rational number in [0, 1). A model for L 0 is an LMP (X, Σ X , τ a ) a∈A . Let · X L 0 denote the interpretation of L 0 in X , or simply · if the context is clear. Then There are two important results (which we will use in Sections 4 and 5): (1) If we consider LMPs whose state spaces are analytic, then L 0 characterises LMP state bisimilarity [18]. (2) If we consider LMPs in general, then L 0 characterises LMP event bisimilarity [2].

Proposition 2.3 ([18]) For a countable action set
is an LMP with an analytic state space, and x, y are two states in X. Then (X , x) s 0 (X , y) if and only if (X , x) ≡ L 0 (X , y).

Proposition 2.4 ([2])
Suppose that X = (X, Σ X , τ a ) a∈A is an LMP, and x, y are two states in X.

PPDL characterises trace equivalence
In this section we provide a Hennessy-Milner property for PPDL (functions). First, we introduce the notion of trace equivalence between PPDL models, which is a generalization of that for probabilistic automata (PA). Then, we prove that PPDL characterises trace equivalence. Note that trace equivalence is a relatively weak notion, so the non-trivial direction is that trace equivalence implies PPDL equivalence (Prop. 3.6).
The first question to tackle is how to define a notion of trace equivalence for PPDL models in a principled way. To this aim, we use the observation that a PPDL model can be seen as a (continuous) probabilistic automaton (PA) with multiple output functions. The standard trace semantics of a PA is the set of its trace distributions, each of which is a probability distribution assigning to a certain set of traces a probability value [19]. Two pointed PAs are trace equivalent if the two states have exactly the same trace distributions. Motivated by this, we define trace distributions and trace equivalence between pointed PPDL models. Since we now work in the continuous case, the trace semantics consists of sets of probability measures (while in the discrete case we reason with sets of probability distributions).
To present our definition, we fix a finite signature (P, F). We define the alphabet as Σ := P ∪ B?, where B is the set of all Boolean combinations of F ∈ F, and B? = {B? | B ∈ B}; we use Σ * to denote the set of all finite words over Σ; in particular, is the empty word.

Remark 3.1
Note that, since F is finite, there are only finitely many elements in B modulo logical equivalence ≡. With slight abuse of notation, henceforth we use B? to denote a finite set of letters, containing one fixed B? from each ≡-equivalence class in B. The choice of the representative of equivalence classes does not affect our results. Hence the alphabet Σ is finite.
Then the trace at state x is a function ρ x : Σ * × F → R such that given ω ∈ Σ * and F ∈ F, Given two pointed PPDL models (X , x) and (Y, y), we say they are trace equivalent Towards a characterisation result, our first observation is that PPDL equivalence entails trace equivalence.
Proof. By Definition 3.2 we have (X , x) ≈ tr (Y, y) if and only if ρ x (ω, F ) = ρ y (ω, F ) holds for arbitrary primitive function F ∈ F and finite word ω ∈ Σ * . Note that every value ρ x (ω, F ) is exactly the interpretation of a PPDL formula ω F at the state x, so (X , x) ≡ PPDL (Y, y) implies ρ x (ω, F ) = ρ y (ω, F ), for all ω and F . □

Remark 3.4
Note that the proof of Proposition 3.3 also implies a "minimal" real-valued logic which characterises trace equivalence between PPDL models. Its functions are of the form ω F , where ω ∈ Σ * and F ∈ F. This logic is "minimal" in the sense that it can be expressed by any real-valued logic characterising trace equivalence.
For the converse direction, namely trace equivalence implies PPDL equivalence, we need the following factorisation lemma.

Lemma 3.5 (Factorisation)
Every PPDL function f is equivalent to some PPDL function g (in the sense that f X = g X for all models X ) of the following form: where p is a program, a, b ∈ [0, +∞). In other words, one can always push the appearance of programs in PPDL functions to "the innermost layer".
Proof. The proof goes by induction on the complexity of PPDL functions. We show the only non-trivial case, which is f = p f for some f . First, let us write for semantic equivalence between PPDL functions, namely f g if f X = g X for all models X . We then prove by cases of the structure of f . If f = 1 or f = F for a primitive F , then f = p f is already in the correct shape. If f = af 0 +bf 1 , we have f = p (af 0 + bf 1 ) a p f 0 + b p f 1 , and we can apply the induction hypothesis on p B? f p; B? f , and again we can conclude using the induction hypothesis on f . Finally, if f = p f , we have that f = p p f p; p f , and we can conclude by induction hypothesis on f . □
We are now ready to show that trace equivalence implies PPDL equivalence.
. It suffices to prove that (X , x) and (Y, y) agree on all functions g in Lemma 3.5. We reason by induction on the structure of g. We first consider the case where g is some G, defined as in (2). This has 4 sub-cases: • G is some Boolean combination B of primitive functions. This case follows from the fact that the value of B is totally determined by its component primitive functions.
We first show that every program p can be written as a (countable) sum of words in Σ * . Then p F X (x) = p F Y (y) is reduced to ω F X (x) = ω F Y (y) for any ω ∈ Σ * , which is exactly the definition of trace equivalence. We reason by induction on the structure of the programs. · The cases for p = P and p = B? are trivial, as they are already in the alphabet. · As for the cases for p = if B then p 0 else p 1 and p = while B do q, one simply spells out the definitions. · p = p 0 ; p 1 . By induction hypothesis, both p 0 and p 1 can be written as sums of words in Σ * , say p 0 = i∈I ω i , p 1 = j∈J π j , then p 0 ; p 1 = i∈I,j∈J ω i ; π j . Next we consider the remaining two cases for g, namely g = ag 0 + bg 1 and g = B · g . Both can be proved by straightforward application of the induction hypothesis.

Extended PPDL characterises state bisimilarity
Theorem 3.7 characterises trace equivalence in terms of PPDL. It is a natural question to ask what extra logical structure is needed in order to characterise state bisimilarity and event bisimilarity for PPDL models. In this section we focus on state bisimulation (and leave event bisimulation to the next section). To this aim, we introduce a suitable extension of PPDL, called PPDL + , and we show that it characterises state bisimilarity over PPDL models with analytic state spaces.

PPDL +
We start by introducing the logic PPDL + as an extension of PPDL. The idea is that, since L 0 characterises LMP state bisimilarity (Proposition 2.3), we extend PPDL so that it can interpret L 0 formulas as functions. In the grammar below, we point out which clauses are the same as in PPDL to emphasise the difference between the two logics. PPDL + is defined as where a, b ∈ [0, +∞), and r is an arbitrary rational number in [0, +∞). As in the case of PPDL, we always restrict to the well-structured programs for PPDL + . The resulting logic PPDL + has the same set of programs as PPDL, but with additional function constructors (for Boolean functions) of the form (−) > r.

Remark 4.1
Note that this new function constructor apparently resembles the shape of the constructor of PPDL formulas, but it is of a different nature: (−) > r is fixed for each rational number r ∈ Q ≥0 , and it yields a function, whereas (−) ≤ (−) in the PPDL syntax acts on two variable arguments, and it yields a formula.
The logic PPDL + is also interpreted on PPDL models. The (boolean) function f > r is interpreted as a {0, 1}-valued function such that f > r X (x) = 1 if f X (x) > r, and 0 otherwise (namely if f X (x) ≤ r).

State bisimulation
We now develop the characterisation result for state bisimilarity. For the remainder of this subsection, we restrict ourselves to those LMPs (and PPDL models) whose state spaces are analytic. The notion of state bisimulation for PPDL models is defined as the extension of the same notion on the underlying LMPs, by taking the extra weight structure into account.

Definition 4.2 (State bisimulation for
, for any P ∈ P and R-closed A ∈ Σ X (for the definition of R-closure, see Section 2).
Given two states x, x′ ∈ X, we say the two pointed PPDL models (X , x) and (X , x′) are state bisimilar (denoted as (X , x) s (X , x′)) if there exists a state bisimulation R ⊆ X × X such that xRx′. Although the above definition only concerns a single model X , for bisimulation between two models X and Y, one can simply apply the definition to their disjoint union X Y. It is an immediate observation that condition (i) above can be extended to τ ω for arbitrary program ω ∈ Σ * (where Σ = P ∪ B? as defined in Section 3): Proof. We prove the statement by induction on ω.
• ω = : we need to show that x ∈ A if and only if x′ ∈ A, which holds because xRx′ and set A is R-closed.
• ω = P , where P ∈ P: we need to show that V P (P )(x, A) = V P (P )(x′, A), and this is already (part of) the definition of state bisimulation.
, and x ∈ A if and only if x′ ∈ A. They follow immediately from condition 2 in Definition 4.2 and that A is R-closed.
The next observation is that, as in the non-probabilistic setting, state bisimulation implies trace equivalence.
Proof. Suppose R ⊆ X × X is a state bisimulation on X such that xRx′. We make a case distinction on ω ∈ Σ * to show that ρ x (ω, F ) = ρ x′ (ω, F ), for any F ∈ F.
The above observation, paired with our characterisation of trace equivalence in terms of PPDL (Theorem 3.7), yields the question of how PPDL fails to characterise the stronger notion of state bisimilarity, thus making necessary the introduction of PPDL + . The following counterexample illustrates this point.
For the non-trivial direction of the characterisation, namely ≡ PPDL + implies state bisimilarity, the idea is to start from some simple logic L, resembling L 0 (see Section 2), such that ≡ L implies state bisimilarity. If we can show that PPDL + can express L, then ≡ PPDL + implies ≡ L , and we are done. This motivates us to introduce L 1 as an extension of L 0 , based on the observation that the main difference between PPDL models and LMPs is that the former have some extra weight structure (namely V F ). Differently from L 0 , in L 1 we have those primitive functions F in F as primitive formulas: where F ∈ F, P ∈ P, and r is an arbitrary rational number in [0, 1). The logic L 1 is interpreted on PPDL models, and the semantics is similar to that for L 0 on LMPs. In particular (X , x) F if V F (F )(x) = 1. We can show the following proposition as the analogue of Proposition 2.3 for the case of PPDL models. The proof can be found in Appendix A. Then, in order to show that PPDL + equivalence implies state bisimilarity, it suffices to show that PPDL + can encode L 1 (as defined in (3)). In the following lemma, let ≈ denote the binary relation between L 1 formulas and PPDL + (boolean) functions, such that φ ≈ f if and only if they are semantically equivalent: for any PPDL model X and x ∈ X, X , x φ if and only if f X (x) = 1, and X , x φ if and only if f X (x) = 0.

Proof.
We reason by induction on L 1 formulas φ. Note that For the case φ = a r ψ, suppose by induction hypothesis that ψ ≈ f . Then one may check that a r ψ ≈ ( a f ) > r. □
We are now ready to prove the main result of this subsection. For the other direction, suppose (X , x) ≡ PPDL + (X , y). We construct a binary relation R ⊆ X × X, and check the two conditions in Definition 4.2. By Lemma 4.8, (X , y). So simply let R be ≡ L 1 , and xRy. Then, applying Proposition 4.7, we know that (X , x) s (X , y) under bisimulation R. □

Example 4.10
We recall Example 4.6, where (X , x 0 ) and (Y, y 0 ) are not state bisimilar. Then Theorem 4.9 implies that there is some PPDL + function that can distinguish the two pointed models. For example, let f = a b (F ) > 1/3 > 2/3. Then one can calculate that: which entails that f X (x 0 ) = 1 and f Y (y 0 ) = 0. So f can distinguish (X , x 0 ) and (Y, y 0 ).
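The gap between trace equivalence and PPDL + equivalence can be checked mechanically on finite models. The following is an added example, not code or data from the paper: the two models are constructed here (they are not the paper's Example 4.6), the tuple encoding of functions is hypothetical, and the diamond over a primitive program is read in the discrete way, as the probability-weighted sum of the argument over successor states. With one primitive function F, only the test letters F? and (¬F)? are enumerated, and the trace check is bounded by word length.

```python
from fractions import Fraction as Fr
from itertools import product


class Model:
    """Finite PPDL model. kernels: {program: {state: {successor: prob}}}
    (sub-stochastic rows); prims: {F: set of states where F has value 1}."""

    def __init__(self, kernels, prims):
        self.kernels = kernels
        self.prims = prims


# Hypothetical encoding of functions as nested tuples:
#   ("prim", F)           primitive function F
#   ("lin", a, f, b, g)   positive linear combination a*f + b*g
#   ("dia", letter, f)    diamond of one alphabet letter applied to f
#   ("gt", f, r)          PPDL+ threshold (f) > r, value in {0, 1}
# A letter is a program name (str) or a test ("?", F, want),
# i.e. F? when want is True and (not F)? when want is False.
def value(m, f, x):
    """Value of function f at state x, as an exact rational."""
    tag = f[0]
    if tag == "prim":
        return Fr(1 if x in m.prims[f[1]] else 0)
    if tag == "lin":
        _, a, g, b, h = f
        return a * value(m, g, x) + b * value(m, h, x)
    if tag == "gt":
        return Fr(1 if value(m, f[1], x) > f[2] else 0)
    if tag == "dia":
        _, letter, g = f
        if isinstance(letter, tuple):  # test: stay in x if it passes
            _, name, want = letter
            passes = (x in m.prims[name]) == want
            return value(m, g, x) if passes else Fr(0)
        succ = m.kernels.get(letter, {}).get(x, {})
        return sum((p * value(m, g, y) for y, p in succ.items()), Fr(0))
    raise ValueError(f"unknown constructor {tag!r}")


def trace(m, x, word, F):
    """rho_x(word, F): the diamond of each letter of word, applied to F."""
    f = ("prim", F)
    for letter in reversed(word):
        f = ("dia", letter, f)
    return value(m, f, x)


def first_trace_difference(m1, x, m2, y, alphabet, prims, max_len):
    """First (word, F) on which the traces differ, or None if the two
    pointed models agree on every word of length <= max_len."""
    for n in range(max_len + 1):
        for word in product(alphabet, repeat=n):
            for F in prims:
                if trace(m1, x, word, F) != trace(m2, y, word, F):
                    return word, F
    return None


# Constructed models. X: one a-step, then b reaches the F-state with 1/2.
X = Model({"a": {"x0": {"x1": Fr(1)}},
           "b": {"x1": {"x2": Fr(1, 2)}}},
          {"F": {"x2"}})
# Y: the a-step splits 1/2-1/2; only one branch can do b (with prob. 1).
Y = Model({"a": {"y0": {"y1": Fr(1, 2), "y2": Fr(1, 2)}},
           "b": {"y1": {"y3": Fr(1)}}},
          {"F": {"y3"}})

ALPHABET = ("a", "b", ("?", "F", True), ("?", "F", False))

# The function of Example 4.10: a-diamond of (b-diamond of F > 1/3) > 2/3.
F_410 = ("gt", ("dia", "a", ("gt", ("dia", "b", ("prim", "F")), Fr(1, 3))),
         Fr(2, 3))

if __name__ == "__main__":
    print(first_trace_difference(X, "x0", Y, "y0", ALPHABET, ["F"], 4))
    print(value(X, F_410, "x0"), value(Y, F_410, "y0"))
```

The inner threshold is what separates the models: it is evaluated per successor state before the a-step averages, so the branching of Y becomes visible even though every word has the same trace value in both.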

Extended PPDL characterises event bisimilarity
This section is devoted to showing that another mild extension of PPDL can be used to characterise event bisimilarity for PPDL models. The notion of event bisimulation was proposed in [2] as a more appropriate way than state bisimulation to define behavioural equivalence for LMPs, because it does not require the underlying state spaces to be analytic. In what follows, we first introduce the new logic, then the notion of event bisimulation for PPDL models, and finally show their correspondence.

PPDL
The logic characterising event bisimilarity for PPDL models will be called PPDL . Intuitively, PPDL is obtained by adding L 0 to PPDL in a "minimal" way: unlike PPDL + , where (−) > r can be applied to arbitrary functions, in PPDL only certain instances of f > r are admitted. More precisely, PPDL programs p, p and PPDL functions f are defined as follows, where we highlight when the grammar has the same clauses as PPDL.

PPDL Booleans
PPDL formulas φ ::= f ≤ g
As in the case of PPDL, we always restrict to the well-structured programs. Note that a PPDL function f is defined to be either a PPDL function g, or a function C in which a new function constructor P (·) > r may appear. Intuitively, the reason for considering PPDL instead of PPDL + is that event bisimulation is too weak to preserve arbitrary functions of the type p f , as allowed by PPDL + syntax, and instead requires functions to enjoy some structural property, as the one guaranteed by Lemma 3.5 for PPDL functions. The semantics of PPDL is based on PPDL models: all the programs and functions are interpreted as in PPDL, whereas the new function construct P (C) > r is interpreted as a measurable {0, 1}-valued function

Event bisimulation
As for state bisimulation, we can define event bisimulation for PPDL models as a mild extension of the same notion on LMPs.

Definition 5.1 (Event bisimulation for PPDL models) An event bisimulation
In other words, Λ is an event bisimulation on X if Λ is an event bisimulation on the LMP (X, Σ X , V P (P )) P ∈P , and V F (F ) ∈ Λ for all F ∈ F. Note that Λ generates an equivalence relation R(Λ) on X: xR(Λ)y if and only if x ∈ A precisely when y ∈ A, for all A ∈ Λ. We say two states x and y are event bisimilar (denoted as (X , x) e (X , y)) if there exists an event bisimulation Λ such that xR(Λ)y. Intuitively, two states x and y are event bisimilar by Λ if they cannot be separated by any set in Λ.

Remark 5.2
Just as for state bisimulation (Lemma 4.5), one may prove that event bisimulation entails trace equivalence. We do not elaborate further on this result, as it is not needed for the sequel.
We now move on to proving the characterisation result for event bisimilarity. The idea is similar to that for state bisimilarity, but here the non-trivial direction is that PPDL is invariant under event bisimulation. We present a simple logic L ¬,∨ 1 which is invariant under (actually, characterises) event bisimulation. Then we show that L ¬,∨ 1 is strong enough to "express" PPDL (Lemma 5.7). The (Boolean) logic L ¬,∨ 1 is defined by adding Boolean operators ¬ and ∨ to L 1 : where F ∈ F, P ∈ P, and r ranges over all rational numbers in [0, 1). The semantics of L ¬,∨ 1 on PPDL models is the same as that of L 1 w.r.t. , F 's, ∧ and modality; ∨ and ¬ are interpreted as boolean operators as usual.
We now establish a characterisation result of the logic L ¬,∨ 1 . First, we need to introduce some terminology. With a slight abuse of notation, we use · L ¬,∨ 1 to denote the interpretation of L ¬,∨ 1 , or simply · when the context is clear. We also need the notion of stability from [2]: a set Λ ⊆ Σ is stable w.r.t. Σ if for all P ∈ P, A ∈ Λ, and all rational numbers r ∈ [0, 1], the set P r (A) := {y ∈ X | V P (P )(y, A) > r} is in Λ. We use L 1 to denote the set { φ | φ ∈ L 1 } ⊆ P(X) of interpretations of all L 1 formulas, and likewise for L ¬,∨ 1 . Recall that a π-system C on set X is a subset of P(X) such that X ∈ C and C is closed under intersection. Given C ⊆ P(X), we use σ(C) to denote the σ-algebra generated by C. We would like to point out that the following proof of Proposition 5.5 via Lemmas 5.3 and 5.4 has a similar structure to the proof that L 0 characterises LMP event bisimulation in [2].

Lemma 5.3
L 1 is the smallest stable π-system w.r.t. Σ X that contains F for all F ∈ F.

Proof.
To see that L 1 is a π-system, simply note that X = is in L 1 , and ∧ is interpreted as intersection. To see that L 1 is stable, given φ ∈ L 1 , then P r ( φ ) = P r φ ∈ L 1 . It is the smallest because if C is a stable π-system containing all F , • If φ ∈ C, P ∈ F, and rational number r ∈ [0, 1), then P r φ = P r ( φ ) ∈ C, since C is stable.

Remark 5.6
It is worth noticing that a similar argument as the one above may show that L 1 (defined as in (3)) also characterises event bisimilarity. Then, one may wonder why we introduced L ¬,∨ 1 in the first place. This has to do with our overall aim, of proving that PPDL characterises event bisimilarity. The non-trivial direction of this result is that event bisimulation preserves PPDL functions. For this purpose, we want to use a logic L such that event bisimulation preserves L functions, and L can "almost" express PPDL (for example, a PPDL formula can be expressed by an infinite conjunction of L formulas). It turns out L 1 is too simple for the task, whence the introduction of L ¬,∨ 1 .
The next lemma is needed to show that event bisimulation implies PPDL equivalence. It focusses on PPDL functions of the form p B , where B is any Boolean (c.f. (4)) and p ∈ Σ * . Intuitively, it states that L ¬,∨ 1 can express such functions, provided that we allow infinite conjunctions. The proof for Lemma 5.7 can be found in Appendix A. We are now ready to prove our Hennessy-Milner result for PPDL and event bisimilarity. Proof. We first prove the simpler direction. Suppose that (X , x) ≡ PPDL (X , y). Note that PPDL + can encode L ¬,∨ 1 , so this implies (X , x) ≡ L ¬,∨ 1 (X , y). By Lemma 5.5, x and y are bisimilar, as witnessed in particular by the bisimulation R(σ( L ¬,∨ 1 )). As for the non-trivial direction, suppose (X , x) e (X , y). We need to prove that f X (x) = f Y (y), for all PPDL functions f . Recall that, by definition as in Equation (7), PPDL functions can be of two kinds.
• First, f might be a PPDL function (as in (6)). So Lemma 3.5 applies, and we may assume f = p B, where B is some PPDL Boolean. By the semantics of PPDL, it suffices to show that x and y have the same value for all functions of the type p B, where p ∈ Σ * = (P ∪ B?) * . This is proved in Lemma 5.7.
• The second case is when f is C, for C defined as in (5). Note that each such C can be expressed as an L ¬,∨ 1 formula, so by Proposition 5.5, C X (x) = C Y (y) for all Cs.
Therefore for any PPDL function f we have f X (x) = f Y (y). □

Remark 5.9
Note that in the discrete case, the notions of state bisimulation and event bisimulation coincide [2]. So the two pointed models (X , x 0 ) and (Y, y 0 ) in Example 4.6 are not event bisimilar. According to Theorem 5.8, there is some PPDL function that distinguishes the two models. In fact, the function f = a b (F ) > 2/3 > 1/2 from Example 4.10 still works here, since such f is also a PPDL function.

Discussion
In this paper we provided three Hennessy-Milner style characterisation results. First, we showed that PPDL functions characterise trace equivalence. Second, we extended PPDL with a new function constructor (−) > r for any rational r ∈ [0, 1], which allows us to express "threshold check" of function values. The resulting logic, PPDL + , characterises state bisimilarity of PPDL models with analytic state spaces. Third, we studied a different extension PPDL of PPDL, in which the use of the function constructor (−) > r is restricted: one can only apply multiple constructors of the form a (−) > r to PPDL Booleans. We proved that PPDL characterises event bisimulation between PPDL models. Note that, in the characterisations of PPDL + and PPDL , a key step was to show that they can encode the simple logic L 0 : this allowed us to exploit the results in [18], relating L 0 to bisimilarity for LMPs. With respect to [4], we characterised a richer class of models (namely PPDL models instead of LMPs) using logics with extra structure in the modality. Also, we considered both bisimilarity and trace equivalence.

Comparison with PDL.
In the non-probabilistic case, finiteness of branching of the models plays a role in the characterisation results: PDL, similarly to modal logic [1], characterises only bisimilarity of finitely branching Kripke models but not bisimilarity of arbitrarily branching models. In contrast, such restrictions are not needed in the probabilistic case: in fact, though we chose to present our results using continuous distributions, the same results also hold if one restricts to the discrete case. From a categorical point of view, it means that our results cover models that are elements of the Kleisli category of both the Giry monad G ≤1 (continuous) and the sub-distribution monad D ≤1 (discrete). Note that in the non-probabilistic setting, finitely-branching Kripke models are precisely the Kleisli arrows of the finite powerset monad P f and possibly infinite-branching Kripke models are the Kleisli arrows of the unrestricted powerset monad P.
To illustrate this, we now provide a counterexample showing that PDL-equivalence does not imply P-bisimulation (to the best of our knowledge this observation is novel). Let the alphabet set be Σ = {a, b}, and fix an infinite string ω ∈ Σ ∞ as follows: More precisely, there are n + 1 appearances of label a right after n appearances of label b, and n + 2 appearances of label b right after n + 1 appearances of label a, for all n ∈ N. The key property of ω is that it is acyclic. Then consider the following two pointed relational models (X , x) and (Y, y): In words, in (X , x) all the finite paths x · · · x n (n ∈ N) exhaust all the finite initial segments of ω, and all infinite paths xx j · · · exhaust the infinite paths in Σ ∞ \ {ω}.
The same holds for (Y, y), except that y has an extra successor y ω , such that the infinite path yy ω · · · forms the sequence ω. It is not hard to check that (X , x) and (Y, y) are equivalent with regard to all PDL formulas, but they are not bisimilar.
Outlook: coalgebraic characterisations. Finally, we also regard our work as a starting point of further investigation on Hennessy-Milner results for the generic coalgebraic dynamic logic (CoDL) [11,9]. The analogy between the case of CoDL and that of PPDL is summarised by the following table.

Sets Meas
Monad

More details on the items appearing in the column for CoDL can be found in [11].
The column for PPDL simply reformulates categorically the presentation of PPDL semantics in Section 2, where Meas is the category of measurable spaces and G ≤1 is the sub-Giry monad on Meas.
There are various interesting observations on CoDL that can be made exploiting this analogy. For example, if in a CoDL-system L (defined in [11]) the proposition operators distribute over modalities, then a similar argument as the one of Proposition 3.6 shows that L characterises trace equivalence. We leave further developments as future work.

A Missing Proofs
Proof. [Lemma 4.7] The forward direction is easy, so we do not elaborate it here. As for the other direction, we apply Proposition 2.4. We first construct a LMP S from X . S has the action set A := P F?, where F? := {F ? | F ∈ F}. The state space (S, Σ S ) of S is the same as (X, Σ X ). For the transition functions, define: Then (X, Σ X , τ a ) a∈A is a LMP. In the rest of this proof let L 0 (A) be the simple logic L 0 based on this new signature A. Then (S, Σ S , τ a ) a∈A is a model for L 0 (A). Suppose (X , x) ≡ L 1 (X , y). We claim that (S, x) ≡ L 0 (A) (S, y). This is proved by a stronger result: for every L 0 (A) formula φ, there exists a L 1 formula κ(φ) such that (S, x) φ if and only if (X , x) κ(φ). We reason by induction on the structure of L 0 (A) formulas.
We need to check that such κ indeed works. For example, (S, x) F ? r ψ is defined as ρ F ? (x, {u ∈ S | (S, u) ψ}) > r. Note that the rational number r takes values in [0, 1), so the inequality holds if and only if V F (F )(x) = 1 and (S, x) ψ. Then by the induction hypothesis we know that this is equivalent to (X , x) F ∧ κ(ψ). Now apply Proposition 2.3 to (S, x) ≡ L 0 (A) (S, y), and we know that (S, x) s 0 (S, y), where the state bisimulation here is between pointed LMPs. We claim that if (S, x) s 0 (S, y) under some LMP state bisimulation R, then R is also a state bisimulation such that (X , x) s (X , y). We simply check the two conditions:
• Let P ∈ P, and A ∈ Σ X be R-closed. Then by definition of LMP state bisimulation, we know that V P (P )(x, A) = ρ P (x, A) = ρ P (y, A) = V P (P )(y, A).
• Let F ∈ F be a primitive function, and x , y be two states in X such that x Ry . . Therefore V F (F )(x ) = V F (F )(y ).
In particular, according to the proof of Proposition 2.3 in [18], we know that ≡ L 1 is a state bisimulation on X .

(ii) p is some primitive program P ∈ P. Then define Φ(P ) := { P rB | r is a rational number in [0, 1)}. To see that this Φ(P ) works, suppose that x and y agree on all formulas in Φ(P )[B/B], but P B (x) ≠ P B (y). Without loss of generality, we assume that P B (x) < P B (y). Then there exists some rational number r ∈ [0, 1) such that P B (x) < r < P B (y). But this means that X , x P r B while X , y P r B, contradicting the assumption that x and y agree on all formulas in Φ(P )[B/B].

(v) p = p ; Q, where Q ∈ P. Let Φ(p) be the following set: {ψ[ Q rB /B] | ψ ∈ Φ(p ), r is a rational number in [0, 1)}.
Let B be an arbitrary PPDL Boolean, and x and y be two states that agree on all formulas in Φ(p)[B/B]. We add a new pseudo function symbol Q r B, whose value at any state x is the same as the truth value of the L 1 formula Q r at state x. Then x and y also agree on Φ(p)[ Q r B/B], for arbitrary rational r ∈ [0, 1). By induction hypothesis, p Q r B(x) = p Q r B(y), for any rational r ∈ [0, 1). Note that so we have p (x, Q r B ) = p (y, Q r B ), for all rational numbers r ∈ [0, 1). Lebesgue's convergence theorem tells us the following: