## Swipe to navigate through the chapters of this book

Published in:

Open Access 2020 | OriginalPaper | Chapter

# Realizing $$\omega$$-regular Hyperproperties

Authors : Bernd Finkbeiner, Christopher Hahn, Jana Hofmann, Leander Tentrup

Published in:

Publisher:

print
PRINT
insite
SEARCH

## Abstract

We study the expressiveness and reactive synthesis problem of HyperQPTL, a logic that specifies $$\omega$$-regular hyperproperties. HyperQPTL is an extension of linear-time temporal logic (LTL) with explicit trace and propositional quantification and therefore truly combines trace relations and $$\omega$$-regularity. As such, HyperQPTL can express promptness, which states that there is a common bound on the number of steps up to which an event must have happened. We demonstrate how the HyperQPTL formulation of promptness differs from the type of promptness expressible in the logic Prompt-LTL. Furthermore, we study the realizability problem of HyperQPTL by identifying decidable fragments, where one decidable fragment contains formulas for promptness. We show that, in contrast to the satisfiability problem of HyperQPTL, propositional quantification has an immediate impact on the decidability of the realizability problem. We present a reduction to the realizability problem of HyperLTL, which immediately yields a bounded synthesis procedure. We implemented the synthesis procedure for HyperQPTL in the bounded synthesis tool BoSy. Our experimental results show that a range of arbiter satisfying promptness can be synthesized.
Notes
This work was partially supported by the Collaborative Research Center “Foundations of Perspicuous Software Systems” (TRR 248, 389792660) and by the European Research Council (ERC) Grant OSARES (No. 683300).

## 1 Introduction

Hyperproperties  [5], which are mainly studied in the area of secure information flow control, are a generalization from trace properties to sets of trace properties. That is, they relate multiple execution traces with each other. Examples are noninterference  [20], observational determinism  [34], symmetry  [16], or promptness  [24], i.e., properties whose satisfaction cannot be determined by analyzing each execution trace in isolation.
A number of logics have been introduced to express hyperproperties (examples are  [4, 19, 25]). They either add explicit trace quantification to a temporal logic or build on monadic first-order or second-order logics and add an equal-level predicate, which connects traces with each other. A comprehensive study comparing such hyperlogics has been initiated in  [6].
The most prominent hyperlogic is HyperLTL  [4], which extends classic linear-time temporal logic (LTL)  [26] with trace variables and explicit trace quantification. HyperLTL has been successfully applied in (runtime) verification, (e.g.,  [15, 21, 32]), specification analysis  [11, 14], synthesis  [12, 13], and program repair  [1] of hyperproperties. As an example specification, the following HyperLTL formula expresses observational determinism by stating that for every pair of traces, if the observable inputs I are the same on both traces, then also the observable outputs O have to agree
(1)
Thus, hyperlogics can not only specify functional correctness, but may also enforce the absence of information leaks or presence of information propagation. There is a great practical interest in information flow control, which makes synthesizing implementations that satisfy hyperproperties highly desirable. Recently  [12], it was shown that the synthesis problem of HyperLTL, although undecidable in general, remains decidable for many fragments, such as the $$\exists ^*\forall$$ fragment. Furthermore, a bounded synthesis procedure was developed, for which a prototype implementation based on BoSy [7, 9, 12] showed promising results.
HyperLTL is, however, intrinsically limited in expressiveness. For example, promptness is not expressible in HyperLTL. Promptness is a property stating that there is a bound b, common for all traces, on the number of steps up to which an event e must have happened. Additionally, just like LTL, HyperLTL can express neither $$\omega$$-regular nor epistemic properties  [2, 29]. Epistemic properties are statements about the transfer of knowledge between several components. An exemplary epistemic specification is described by the dining cryptographers problem  [3]: three cryptographers sit at a table in a restaurant. Either one of the cryptographers or, alternatively, the NSA must pay for their meal. The question is whether there is a protocol where each cryptographer can find out whether the NSA or one of the cryptographers paid the bill, without revealing the identity of the paying cryptographer.
In this paper, we explore HyperQPTL  [6, 29], a hyperlogic that is more expressive than HyperLTL. Specifically, we study its expressiveness and reactive synthesis problem. HyperQPTL extends HyperLTL with quantification over sequences of new propositions. What makes the logic particularly expressive is the fact that the trace quantifiers and propositional quantifiers can be freely interleaved. With this mechanism, HyperQPTL can not only express all $$\omega$$-regular properties over a sequences of n-tuples; it truly interweaves trace quantification and $$\omega$$-regularity. For example, promptness can be stated as the following HyperQPTL formula:
(2)
The formula states that there exists a sequence $$s \in (2^{\{ q \}})^\omega$$, such that event e holds on all traces before the first occurrence of b in s. In this paper, we argue that the type of promptness expressible in HyperQPTL is incomparable to the expressiveness of Prompt-LTL  [24], a logic introduced to express promptness properties. It is further known that HyperQPTL also subsumes epistemic extensions of temporal logics such as $$\text {LTL}_\mathcal {K}$$   [22], as well as the first-order hyperlogic FO[$$<, E$$]  [6, 19, 29]. Its expressiveness makes HyperQPTL particularly interesting. The model checking problem of HyperQPTL is, despite the logic being quite expressive, decidable  [29]. We also explore an alternative definition of HyperQPTL that would result in an even more expressive logic. However, we show that the logic would have an undecidable model checking problem, which constitutes a major drawback in the context of computer-aided verification. Furthermore, satisfiability is decidable for large fragments of the logic  [6]. Decidable HyperQPTL fragments can be described solely in terms of their trace quantifier prefix. This indicates that propositional quantification has no negative impact on the decidability, although it greatly increases the expressiveness. We establish that propositional quantification, in contrast to the satisfiability problem, has an impact on the realizability problem: it becomes undecidable when combining a propositional $$\forall \exists$$ quantifier alternation with a single universal trace quantifier. However, we show that the synthesis problem of large HyperQPTL fragments remains decidable, where one of these fragments contains promptness properties. We partially obtain these results by reducing the HyperQPTL realizability problem to the HyperLTL realizability problem. Based on this reduction, we extended the BoSy bounded synthesis tool to also synthesize systems respecting HyperQPTL specifications. We provide promising experimental results of our prototype implementation: using BoSy and HyperQPTL specifications, we were able to synthesize arbiters that respect promptness.
This paper is structured as follows. In Sect. 2, we give necessary preliminaries. In Sect. 3, we define HyperQPTL. We discuss an alternative approach to define a logic expressing $$\omega$$-regular hyperproperties, before pointing out that its model checking problem is undecidable. Subsequently, we give examples for the expressiveness of HyperQPTL, namely by characterizing the type of promptness properties HyperQPTL can express. Additionally, we recapitulate how HyperQPTL also subsumes epistemic properties. Section 4 discusses the realizability problem of HyperQPTL. We describe HyperQPTL fragments in terms of their quantifier prefixes. To present our results, we use the following notation. We write $$\forall _\pi$$ and $$\forall _q$$ for a single universal trace and propositional quantifier, respectively. To denote a sequence of universal trace and propositional quantifiers, we write $$\forall _\pi ^*$$ and $$\forall _q^*$$. Furthermore, we use $$\forall _{\pi /q}^*$$ for a sequence of mixed universal quantification. We use the analogous notation for existential quantifiers. Lastly, $$Q_\pi ^*$$ and $$Q_q^*$$ denote a sequence of mixed universal and existential trace and propositional quantifiers, respectively. As an example, the $$\forall _\pi ^* Q_q^*$$ fragment denotes all formulas of the form $$\forall \pi _1 \mathpunct {.}\ldots \forall \pi _m \mathpunct {.}\exists /\forall q_1 \mathpunct {.}\ldots \exists /\forall q_n \mathpunct {.}\varphi$$, where $$\varphi$$ is quantifier free. Figure 1 summarizes our results. We establish that a major factor for the decidability of the realizability problem consists in the number of universal trace occurring in a formula. Realizability of HyperQPTL formulas without $$\forall \pi$$ quantifiers is decidable (Sect. 4.1). Formulas with a single $$\forall \pi$$ are decidable if they belong to the $$\exists _{q/\pi }^*\forall _q^* \forall _{\pi } Q_q^*$$ fragment. This fragment also contains promptness. For more than one universal trace quantifier, we show that decidability can be guaranteed for a fragment that we call the linear $$\forall _{\pi }^*Q_q^*$$ fragment. We also show that all the above fragments are tight, i.e., realizability of all other formulas is in general undecidable. Lastly, Sect. 5 presents experiments for the prototype implementation of our bounded synthesis algorithm for HyperQPTL.

## 2 Preliminaries

We use $$\text {AP}$$ for a set of atomic propositions. A trace over $$\text {AP}$$ is an infinite sequence $$t \in (2^{\text {AP}})^\omega$$. For $$i \in \mathbb {N}$$, we write t[i] for the ith element of t and $$t[i, \infty ]$$ for the suffix of t starting from position i. For two traces $$t, t'$$ over $$\text {AP}$$ and a set $$\text {AP'}\subseteq \text {AP}$$, we write t = $$_\text {AP'}t'$$ to indicate that t and $$t'$$ agree on all $$a \in \text {AP'}$$, and respectively T = $$_\text {AP'}T'$$ for two sets of traces T and $$T'$$. Furthermore, we define a replacement function $$t [q \mapsto t_q]$$ that given a trace t and a trace $$t_q \in (2^{\{q\}})^\omega$$, replaces the occurrences of q in t according to $$t_q$$, such that $$t[q \mapsto t_q]$$ = $$_{\{q\}} t_q$$ and $$t[q \mapsto t_q]$$ = $$_{\text {AP}\backslash \{ q \}} t$$. We also lift this notation to sets of traces and define $$T[q \mapsto t_q] = \{ t[q \mapsto t_q] \mid t \in T \}$$.
QPTL  [31] extends Linear Temporal Logic (LTL) with quantification over propositions. QPTL formulas $$\varphi$$ are defined as follows.
where $$q \in \text {AP}$$ and $$\text {AP}$$ is a set of atomic propositions. For simplicity, we assume that variable names in formulas are cleared of double occurrences. The semantics of $$\varphi$$ over $$\text {AP}$$ is defined with respect to a trace $$t \in (2^{\text {AP}})^\omega$$.
We did not define the until operator as native part of the logic. It can be derived using propositional quantification  [23]. The boolean connectives $$\wedge , \rightarrow , \leftrightarrow$$ and the temporal operators globally and release are derived as usually.

## 3 $$\omega$$-Regular Hyperproperties

Just like LTL, HyperLTL cannot express $$\omega$$-regular languages  [29]. LTL can be extended to QPTL by adding quantification over atomic propositions. In QPTL, $$\omega$$-regular languages become expressible. We therefore study HyperQPTL [6, 29], the extension of HyperLTL with propositional quantification, to express $$\omega$$-regular hyperproperties. Given a set $$\text {AP}$$ of atomic propositions and a set $$\mathcal {V}$$ of trace variables, the syntax of HyperQPTL is defined as follows
where $$a, q \in \text {AP}$$ and $$\pi \in \mathcal {V}$$. As for QPTL, we assume that formulas are cleared of double occurrences of variable names. We require that in well-defined HyperQPTL formulas, each $$a_\pi$$ is in the scope of a trace quantifier binding $$\pi$$ and each q is in the scope of a propositional quantifier binding q. Note that atomic propositions $$a_\pi$$ refer to a quantified trace $$\pi$$, whereas quantified propositional variables q are independent of the traces. The semantics of a well-defined HyperQPTL formula over $$\text {AP}$$ is defined with respect to a set of traces $$T \subseteq (2^\text {AP})^\omega$$ and an assignment function $$\varPi : \mathcal {V}\rightarrow T$$. We define the satisfaction relation $$\varPi , i \models _T \varphi$$ as follows:
Note that the semantics of propositional quantification is defined in such a way that in the scope of a quantifier binding q, all traces agree on their q-sequence. We say that a set of traces T satisfies a HyperQPTL formula $$\varphi$$ if $$\emptyset , 0 \models _T \varphi$$, where $$\emptyset$$ is the empty trace assignment. QPTL formulas can be expressed in HyperQPTL using a single universal trace quantifier. Furthermore, HyperLTL  [4] is the syntactic subset of HyperQPTL that does not contain propositional quantification.
While HyperQPTL can express a wide range of properties (see Sect. 3.1), its model checking problem is still decidable  [29]. Furthermore, the syntactic fragments for which satisfiability is decidable can be expressed solely in terms of the occurring trace quantifiers: Just like for HyperLTL, satisfiability of a HyperQPTL formula is decidable if no $$\forall \pi$$ is followed by an $$\exists \pi$$  [6].
The definition of HyperQPTL is straightforward, however, one could argue that it is not the only way to extend QPTL to a hyperlogic. The original idea of QPTL is to “color” the trace by introducing additional atomic propositions. The way HyperQPTL is defined, that idea is translated to sets of traces by coloring the traces uniformly. An alternative approach could be to color every trace individually by introducing a full atomic proposition for every propositional quantification. This resembles full second-order quantification and would therefore result in a considerably more expressive logic. In particular, we show that the model checking problem would become undecidable, which is, especially in the context of automatic verification, unfavorable. For the remainder of this section, we call the logic resulting from the alternative definition HyperQPTL+. The syntax of HyperQPTL+ is similar to the one of HyperQPTL, just without the rule q for the evaluation of the propositional variables. This accounts for the idea that the propositional quantification can freely reassign atomic propositions; thus, there is no need to distinguish between free atomic propositions and quantified atomic propositions:
Semantically, only the rules for the quantification of the propositional quantifiers change:
\begin{aligned} \begin{array}{lll} \varPi ,i \models _T \exists a \mathpunct {.}\varphi &{} \text { iff } &{} \exists T' \subseteq (2^{\text {AP}})^\omega \mathpunct {.}T' =_{\text {AP}\backslash \{a\}} T \wedge \varPi , i \models _{T'} \varphi \\ \varPi ,i \models _T \forall a \mathpunct {.}\varphi &{} \text { iff } &{} \forall T' \subseteq (2^{\text {AP}})^\omega \mathpunct {.}T' =_{\text {AP}\backslash \{a\}} T \rightarrow \varPi , i \models _{T'} \varphi . \end{array} \end{aligned}
Lemma 1
The HyperQPTL+ model checking problem is undecidable.
Proof
Given a finite Kripke structure K and a HyperQPTL+ formula $$\varphi$$, the model checking problem asks whether the trace set T produced by K satisfies $$\varphi$$. The proof follows the undecidability proof for the model checking problem of S1S[E]  [6], a logic which lifts S1S to the level of hyperlogics. We describe a reduction from the halting problem of 2-counter machines (which are Turing complete) to the HyperQPTL+ model checking problem. A 2-counter machine (2CM) consists of a finite set of serially numbered instructions that modify two counters. A configuration of a 2CM is a triple $$(n, v_1, v_2) \in \mathbb {N}^3$$, where n determines the next instruction to be executed, and $$v_1$$ and $$v_2$$ assign the counter values. Each instruction can either increase or decrease one of the counters; or test either of the counters for zero and, depending on the outcome, jump to another instruction. Furthermore, we assume a special instruction $$i_ halt$$, which indicates that the machine has reached a halting state. A 2CM halts from initial configuration $$s_0$$ if there is a finite sequence $$s_0, \ldots , s_n$$ of configurations such that $$s_n$$ is a halting configuration and $$s_{i+1}$$ is a result of applying the instruction in $$s_i$$ to configuration $$s_i$$. Let $$\mathcal {M}$$ be a 2CM. We describe T and $$\varphi$$ such that $$T \models \varphi$$ iff $$\mathcal {M}$$ halts. We choose $$\text {AP}= \{ i, c_1, c_2 \}$$ and T is the set of all traces where each atomic proposition holds exactly once. That way, a trace t encodes a configuration of the machine: If $$i \in t[n]$$, $$c_1 \in t[v_1]$$, and $$c_2 \in t[v_2]$$, the machine is in configuration $$(n, v_1, v_2)$$. It is easy to see that T can be produced by a finite Kripke structure. To describe $$\varphi$$, we make two helpful observations. First, using propositional quantification, we can quantify a trace set $$T_q \subseteq T$$: a trace t is in $$T_q$$ iff the quantified proposition q eventually occurs on t. Second, for two traces $$t, t' \in T$$, we can state that $$t'$$ encodes a configuration which is the successor of the configuration encoded by t. Using these observations, we define $$\varphi = \exists q \mathpunct {.}\varphi '$$, where q encodes a set $$T_q \subseteq T$$ that is supposed to describe a halting computation. To ensure that $$T_q$$ describes a halting computation, $$\varphi '$$ is a conjunction of the following requirements: $$T_q$$ must
1.
be finite,

2.
contain a halting configuration and the initial configuration,

3.
be predecessor closed with respect to the encoded configurations it contains (except for the initial configuration).

Finiteness of $$T_q$$ can be expressed by stating that there is an upper bound on the values of $$i, c_1$$, and $$c_2$$ on the traces in $$T_q$$. With the observations made before, stating the above requirements in HyperQPTL+ now remains a straightforward exercise.    $$\square$$
Since the model checking problem of HyperQPTL+ is undecidable, we focus on HyperQPTL to express $$\omega$$-regular hyperproperties. In particular, we show that HyperQPTL can express a range of relevant properties that are neither expressible in HyperLTL, nor in QPTL.

### 3.1 The Expressiveness of HyperQPTL

HyperQPTL combines trace quantification with $$\omega$$-regularity. The interplay between the two features enables HyperQPTL to express a variety of properties. In Sect. 1, we showed how HyperQPTL can express a form of promptness. In this section, we further elaborate on the type of properties HyperQPTL can express. In particular, we compare it to Prompt-LTL, a logic that extends LTL with bounded eventualities. Furthermore, HyperQPTL is also able to express epistemic properties by emulating the knowledge operator known from $$\text {LTL}_\mathcal {K}$$.
A straightforward class of properties HyperQPTL can express are $$\omega$$-regular properties over n-tuples of quantified traces. Formulas expressing this type of properties first have a trace quantifier prefix followed by a QPTL formula, i.e., they lie in the $$Q_\pi ^* Q_q^*$$ fragment. This fragment of HyperQPTL corresponds to the extension of QPTL with prenex trace quantification. However, the true expressive power of HyperQPTL originates from the fact that we allow the trace quantifiers and propositional quantifiers to alternate.
Promptness Properties. Promptness properties are an example for HyperQPTL’s interplay between trace quantification and propositional quantification. Promptness expresses that eventualities are fulfilled within a bounded number of steps. One way to express promptness properties is the logic Prompt-LTL, which extends LTL with the promptness operator . A system satisfies a Prompt-LTL formula $$\varphi$$ if there is a bound k such that all traces of the system fulfill the formula where each in $$\varphi$$ is replaced by , i.e., the system must fulfill all prompt eventualities within k steps. For example, holds in a system if there is a bound k such that all traces of the system at all times satisfy $$\psi$$ within k steps. HyperQPTL can express a different type of promptness properties. In Sect. 1, Formula 2, we showed how one can state in HyperQPTL that there is a bound, common for all traces, until which an eventuality has to be fulfilled. The idea is to quantify a new proposition b, such that the first position in which b is true serves as the bound. Compared to Prompt-LTL, HyperQPTL thus expresses a weaker form of promptness, while still being stronger than pure eventuality. This type of promptness only becomes meaningful when comparing several traces of the system: HyperQPTL can enforce that there is a common bound for all traces (the system cannot starve), but it does not make the bound explicit. The following example shows a more involved promptness property expressible in HyperQPTL.
Example 1
HyperQPTL can express bounded waiting for a grant. It states that if the system requests access to a shared resource at point in time t, then it will be granted access within a bounded amount of time. The bound may depend on the point in time t where access to the resource was requested. However, it may not depend on the current trace. We express this property in HyperQPTL as follows, also adding that the system will not request access twice without being granted access in between.
(1)
(2)
Formula 1 states that no second request is posed before being given a grant. Formula 2 expresses the bounded waiting property by universally quantifying a trace, then existentially quantifying a sequence of bounds b. Now, for every trace $$\pi '$$, whenever $$\pi$$ and $$\pi '$$ pose a request at the same point in time, both have to get access to the resource before b holds next. Therefore, for each point in time, there is a bound such that all traces posing a request at that point in time get access within a bounded number of steps. Note that this property differs from saying “all traces are eventually granted access”, where the bound may also depend on the trace under consideration. In this scenario, each of the infinitely many traces could wait arbitrarily long for the grant. In particular, it could happen that with each trace the waiting time is longer than before.
The above example shows how the interplay of trace quantifiers and propositional quantifiers can be leveraged to express a new class of promptness properties. We finally note that compared to Prompt-LTL, HyperQPTL cannot express that all eventualities must be fulfilled within a fixed k number of steps.
Corollary 1
The expressiveness of HyperQPTL and Prompt-LTL is incomparable.
Epistemic Properties. Another interesting class of properties that are not expressible in HyperLTL are epistemic properties. Epistemic properties describe the knowledge of agents that interact with each other in a system. Logics that express epistemic properties are often equipped with a so-called knowledge operator, e.g., $$\text {LTL}_\mathcal {K}$$, which is LTL extended with the knowledge operator $$\mathcal {K}_A \varphi$$. The operator denotes that an agent $$A \subseteq \text {AP}$$ knows $$\varphi$$. An agent A is characterized in terms of the atomic propositions he can observe. The semantics of the operator is described with the following rule
\begin{aligned} t, i \models \mathcal {K}_A \varphi \quad \text {iff} \quad \forall t' \mathpunct {.}t[0,i] =_A t'[0,i] \rightarrow t', i \models \varphi . \end{aligned}
The formula is evaluated with respect to a trace t and a position i. We omit the semantic definition for the rest of the logic, which corresponds to plain LTL. The semantic definition of the operator captures the idea that an agent knows some fact $$\varphi$$ if $$\varphi$$ holds on all traces that are indistinguishable for the agent.
Example 2 (Dining Cryptographers)
The dining cryptographers problem  [3] is an interesting example of how epistemic properties can characterize non-trivial protocols. The problem describes the following situation (see Fig. 2): three cryptographers $$C_1,C_2,$$ and $$C_3$$ sit at a table in a restaurant and either one of cryptographers or, alternatively, the NSA paid for their meal. The task for the cryptographers is to figure out whether the NSA or one of the cryptographers paid. However, if one of the cryptographers paid, then the others must not be able to infer who it was. Each cryptographer $$C_i$$ receives several bits of information: $$paid_i$$ indicating whether or not he pays the bill, and two secrets, each shared with one of the other cryptographers. The secrets can be used to encode the information they share as output $$out _i$$. By combining the outputs of all cryptographers, it must become clear whether the NSA or one of the group paid. The specification of the protocol can be easily formalized in $$\text {LTL}_\mathcal {K}$$. The following formula describes the desired behavior of agent $$C_1$$:
The knowledge operator can also be defined for hyperlogics  [29]. It receives an additional parameter $$\pi$$, indicating the trace the knowledge refers to. When added to HyperQPTL, it has the following semantics:
\begin{aligned}&\varPi , i \models _T \mathcal {K}_{A,\pi } \varphi \quad&\text {iff}&\quad \forall t' \in T \mathpunct {.}\varPi (\pi )[0, i] =_A t'[0, i] \rightarrow \varPi [\pi \mapsto t'], i \models _T \varphi . \end{aligned}
The knowledge operator, however, can be encoded in HyperQPTL using propositional quantification. Epistemic problems, such as the dining cryptographers problem, can thus be expressed in HyperQPTL.
Theorem 1
( [29). HyperQPTL can emulate the knowledge operator.
Proof
We recap the proof from  [29]: Let $$\varphi = Q_{\pi /q} \ldots Q_{\pi /q} \mathpunct {.}\varphi '$$ be a HyperQPTL formula, equipped with the knowledge operator as defined above. We assume that $$\varphi$$ is given in negated normal form, i.e. each $$\mathcal {K}_{A,\pi }$$ occurs either in positive position or in negated form. Let u and t be fresh propositions and let $$\pi '$$ be a fresh trace variable. Recursively, we replace each knowledge operator $$\mathcal {K}_{A,\pi }$$ occurring in $$\varphi$$ in positive position with the following formula
and each $$\mathcal {K}_{A,\pi }$$ occurring negatively with the following formula
where we use $$\varphi '[{\mathcal {K}_{A,\pi }} \psi \mapsto u]$$ to denote that in $$\varphi '$$, a single occurrence of the knowledge operator is replaced by u, and $$\psi [\pi \mapsto \pi ']$$ to denote the formula where $$\pi$$ is replaced by $$\pi '$$. The existentially quantified proposition u indicates the points in time where the knowledge operator is supposed to hold/not hold. The universally quantified proposition r is assumed to change once from r to $$\lnot r$$ and thereby point at one of the points in time picked by u. It is then used to compare the prefix of the old trace $$\pi$$ and an alternative trace quantified by the trace variable $$\pi '$$.    $$\square$$

## 4 HyperQPTL Realizability

In reactive synthesis, the task is, given a specification $$\varphi$$, to construct a system that satisfies the specification. More precisely, the system is assumed to receive some inputs from an environment and has to react with outputs such that the specification is fulfilled. The realizability problem asks for the existence of a so-called strategy tree, where the edges are labeled with all possible inputs and the task is to find a function f that labels the nodes with the corresponding outputs. Figure 3 shows a strategy tree for a single input bit i. We define strategies following  [12]. Let a set $$\text {AP}= I \mathbin {\dot{\cup }}O$$ be given. A strategy $$f :(2^{I})^* \rightarrow 2^{O}$$ maps sequences of input valuations $$2^{I}$$ to an output valuation $$2^{O}$$. For an infinite word $$w = w_0 w_1 w_2 \cdots \in (2^{I})^\omega$$, the trace corresponding to a strategy f is defined as $$(f(\epsilon ) \cup w_0)(f(w_0) \cup w_1)(f(w_0 w_1) \cup w_2)\ldots \in (2^{I \cup O})^\omega$$. For any trace $$w = w_0 w_1 w_2 \ldots \in (2^{I \cup O})^\omega$$ and strategy $$f :(2^{I})^* \rightarrow 2^{O}$$, we lift the set containment operator $$\in$$ defining that $$w \in f$$ iff $$f(\epsilon ) = w_0 \cap O$$ and $$f((w_0 \cap I) \cdots (w_i \cap I)) = w_{i+1} \cap O$$ for all $$i \ge 0$$. We say that a strategy f satisfies a HyperQPTL formula $$\varphi$$ over $$\text {AP}= I \mathbin {\dot{\cup }}O$$ iff $$\{ w ~|~ w \in f \}$$ satisfies $$\varphi$$.
With the definition of a strategy at hand, we can define the realizability problem of HyperQPTL formally.
Definition 1
(HyperQPTL Realizability). A HyperQPTL formula $$\varphi$$ over atomic propositions $$\text {AP}= I \mathbin {\dot{\cup }}O$$ is realizable if there is a strategy $$f :(2^{I})^* \rightarrow 2^{O}$$ that satisfies $$\varphi$$.
For technical reasons, we assume (without loss of generality) that quantified atomic propositions are classified as outputs, not inputs. This complies with the intuition that propositional quantifiers should be a means for additional expressiveness; they should not overwrite the inputs received from the environment. The definition of realizability of QPTL and HyperLTL specifications is inherited from the definition for HyperQPTL.
Compared to the standard realizability problem, the distributed realizability problem is defined over an architecture, containing a number of processes interacting with each other. The goal is to find a strategy for each of the processes. In the following proofs, we will make use of the distributed realizability problem of QPTL, which we therefore also define formally.
A distributed architecture  [17, 27] A over atomic propositions $$\text {AP}$$ is a tuple $$\langle P,p_ env ,\mathcal {I},\mathcal {O} \rangle$$, where P is a finite set of processes and $$p_ env \in P$$ is a designated environment process. The functions $$\mathcal {I}: P \rightarrow 2^\text {AP}$$ and $$\mathcal {O}: P \rightarrow 2^\text {AP}$$ define the inputs and outputs of processes. The output of one process can be the input of another process. The output of the processes must be pairwise disjoint, i.e., for all $$p \ne p' \in P$$ it holds that $$\mathcal {O}(p) \cap \mathcal {O}(p') = \emptyset$$. We assume that the environment process forwards inputs to the processes and has no input of its own, i.e., $$\mathcal {I}(p_ env ) = \emptyset$$.
Definition 2
(Distributed QPTL Realizability  [17]). A QPTL formula $$\varphi$$ over free atomic propositions $$\text {AP}$$ is realizable in an architecture $$A = \langle P,p_ env ,\mathcal {I},\mathcal {O} \rangle$$ if for each process $$p \in P$$, there is a strategy $$f_p :(2^{\mathcal {I}(p)})^* \rightarrow 2^{\mathcal {O}(p)}$$ such that the combination of all $$f_p$$ satisfies $$\varphi$$.
The distributed realizability problem for QPTL is (inherited from LTL) in general undecidable  [27]. However, we will use the result that the problem remains decidable for architectures without information forks [17]. The notion of information forks captures the flow of data in the system. Intuitively, an architecture contains an information fork if the processes cannot be ordered linearly according to their informedness. Formally, an information fork in an architecture $$A = \langle P,p_ env ,\mathcal {I},\mathcal {O} \rangle$$ is defined as a tuple $$(P',V', p, p')$$, where $$p,p'$$ are two different processes, $$P' \subseteq P$$, and $$V' \subseteq AP$$ is disjoint from $$\mathcal {I}(p) \cup \mathcal {I}(p')$$. $$(P',V', p, p')$$ is an information fork if $$P'$$ together with the edges that are labeled with at least one variable from $$V'$$ forms a subgraph rooted in the environment and there exist two nodes $$q,q' \in P'$$ that have edges to $$p,p'$$, respectively, such that $$\mathcal {O}(q)\cap \mathcal {I}(p) \nsubseteq \mathcal {I}(p')$$ and $$\mathcal {O}(q')\cap \mathcal {I}(p') \nsubseteq \mathcal {I}(p)$$. The definition formalizes the intuition that p and $$p'$$ receive incomparable input bits, i.e., they have incomparable information.
Example 3
Two example architectures are depicted in Fig. 4 [12]. The processes in Fig. 4a receive distinct inputs and thus neither process is more informed than the other. The architecture therefore contains an information fork with $$P' = \{ env , p, p' \}, V' = \{ i, i' \}, q = env , q' = env$$. The processes in Fig. 4b can be ordered linearly according to the subset relation on the inputs and thus the architecture contains no information fork.
In the following sections, we identify tight syntactic fragments of HyperQPTL for which the standard realizability problem is decidable. We give decidability proofs and show that formulas outside the decidable fragments are in general undecidable. An important aspect for decidability is the number of universal trace quantifiers that appear in the formula. We thus present our findings in three categories, depending on the number of universal trace quantifiers a formula has.

### 4.1 No Universal Trace Quantifier

We show that the realizability problem of any HyperQPTL formula without a $$\forall _\pi$$ quantifier is decidable. The problem is reduced to QPTL realizability.
Theorem 2
Realizability of the $$(\exists _{\pi }^*Q_q^*)^*$$ fragment of HyperQPTL is decidable.
Proof
Let a $$(\exists _{\pi }^*Q_{q}^*)^*$$ HyperQPTL formula $$\varphi$$ over $$\text {AP}= I \mathbin {\dot{\cup }}O = \{a^0,\ldots ,a^{k}\}$$ with trace quantifiers $$\pi _0, \ldots \pi _n$$ be given. We reduce the problem to the realizability problem of QPTL, which is known to be decidable (since QPTL formulas can be translated to Büchi automata). The idea is to replace each existential trace quantifier $$\exists \pi _i$$ with quantification of propositions $$a^0_{\pi _i}, a^1_{\pi _i}, \ldots , a^k_{\pi _i}$$, one for each $$a^j \in \text {AP}$$, thereby mimicking the quantification of a trace. To make sure that only traces from an actual strategy tree are chosen, we add a dependency formula which forces the outputs to be dependent on the inputs. The following QPTL formula implements the idea.
We use the notation $$[i \le n: \exists \pi _i \mapsto \exists a^0_{\pi _i} \mathpunct {.}\ldots \exists a^k_{\pi _i} \mathpunct {.}]$$ to indicate that each $$\pi _i$$ for $$0 \le i \le n$$ is replaced with the respective series of existential propositional quantification. Furthermore, we write $$I_{\pi _i} \ne I_{\pi _j}$$ as syntactic sugar for $$\bigvee _{a \in I} a_{\pi _i} \nleftrightarrow a_{\pi _j}$$ (and similarly for $$O_{\pi _i} = O_{\pi _j}$$). We show that $$\varphi$$ and $$\varphi _ QPTL$$ are equirealizable. For the first direction, assume that $$\varphi$$ is realizable by a strategy f. Notice that all atomic propositions in $$\varphi _ QPTL$$ are bound by a propositional quantifier. Therefore, if the witness sequences for the quantified propositions can be chosen correctly, any strategy realizes $$\varphi _ QPTL$$. Propositions $$a_{\pi _i}^j$$ are chosen according to the witness traces of $$f \models \varphi$$. Witnesses for the remaining atomic propositions are also chosen according to their witnesses from $$f \models \varphi$$. Now, the first conjunct of $$\varphi _ QPTL$$ is fulfilled since $$f \models \varphi$$ holds. The second conjunct is fulfilled since any two traces $$\pi _i, \pi _j$$ of a strategy tree fulfill by construction . For the other direction, assume that $$\varphi _ QPTL$$ is realizable (by construction independently from the strategy). Let $$t_{a^0_{\pi _0}}, \ldots , t_{a^k_{\pi _n}}$$ be the witness sequences for the respective quantified atomic propositions. The following strategy realizes $$\varphi$$.
$$f(\sigma )= {\left\{ \begin{array}{ll} \{ t_{a_{\pi _i}} [| \sigma |] \mid a \in O \} \quad &{} \text {if for some } i \le n,\\ &{} \quad \sigma = \{ t_{a_{\pi _i}} [0] \mid a \in I \} \ldots \{ t_{a_{\pi _i}} [| \sigma |] \mid a \in I \} \\ \emptyset &{} \text {otherwise} \end{array}\right. }$$
Strategy f chooses the outputs according to the witnesses for the propositions encoding the traces. Note that because of the second conjunct in $$\varphi _ QPTL$$, the output is always unique, even if several encoded traces start with the same input sequence. Now, $$f \models \varphi$$ holds because of the first conjunct of $$\varphi _ QPTL$$.    $$\square$$

### 4.2 Single Universal Trace Quantifier

In this fragment, we allow exactly one universal trace quantifier. It is particularly interesting as it contains many promptness properties. For example, the following promptness formulation mentioned in the introduction lies within the fragment:
Theorem 3
Realizability of the $$\exists _{q/\pi }^*\forall _q^*\forall _{\pi }Q_q^*$$ fragment is decidable.
We show the theorem in two steps. First, we generalize a proof from [12], showing that realizability of the $$\exists _{\pi }^* \forall _{\pi } Q_q^*$$ fragment is decidable. Second, we show that we can reduce the realizability problem of any HyperQPTL formula to a formula where some propositional quantifiers are replaced with trace quantifiers.
Lemma 2
Realizability of the $$\exists _{\pi }^* \forall _{\pi } Q_q^*$$ fragment is decidable.
Proof
The reasoning generalizes the proof in  [12] showing that realizability $$\exists _\pi ^* \forall _\pi$$ HyperLTL formulas is decidable. We reduce the problem to the distributed realizability problem of QPTL without information forks, which is—since QPTL is subsumed by the $$\mu$$-calculus—decidable  [17]. Let a HyperQPTL formula $$\varphi = \exists \pi _1 \mathpunct {.}\ldots \exists \pi _n \mathpunct {.}\forall \pi \mathpunct {.}\psi$$ over $$AP = I \mathbin {\dot{\cup }}O$$ be given, where $$\psi$$ is from the $$Q^*_q$$ fragment. We define a distributed architecture $$\mathcal {A}$$ over an extended set of atomic propositions $$\text {AP}' = I \cup O \cup I' \cup O'$$. Similarly to the proof in Theorem 2, $$I'$$ and $$O'$$ are composed of a copy of the atomic propositions for each existentially quantified variable $$\pi _j$$. Formally, $$I' = \bigcup _{1 \le j \le n} \{ i_{\pi _j} \mid i \in I \}$$ and $$O' = \bigcup _{1 \le j \le n} \{ o_{\pi _j} \mid o \in O \}$$. Now we define $$\mathcal {A}$$ as follows.
The architecture is displayed in Fig. 5. The idea is that process $$p_1$$ sets the values of all $$i_{\pi _j}$$ and $$o_{\pi _j}$$ (for $$j \le n$$) and thereby determines the choice for the existentially quantified traces. Process $$p_1$$ receives no input and therefore needs to make a deterministic choice. Process $$p_2$$ then solves the realizability of formula $$\forall \pi \mathpunct {.}\psi$$. The following QPTL formula $$\varphi '$$ encodes the idea.
where $$\psi '$$ is defined as $$\psi$$, where all $$a_\pi$$ are replaced by a (but atomic propositions $$a_{\pi _j}$$ are still part of $$\psi '$$!). Note that QPTL formulas implicitly quantify over all traces universally. Similarly to the proof in Theorem 2, the second conjunct ensures that process $$p_1$$ encodes actual paths from the strategy tree of process $$p_2$$ (which is also the strategy tree for formula $$\varphi$$). Thus, $$\varphi '$$ is realizable for the distributed architecture $$\mathcal {A}$$ iff $$\varphi$$ is realizable.    $$\square$$
To state the second lemma, we need to define what it means to replace quantifiers in a formula. Let $$\varphi = Q_{\pi /q}, \ldots , Q_{\pi /q} \mathpunct {.}\psi$$ be a HyperQPTL formula, and J be a set of indices such that for all $$j \in J$$, there exists a propositional quantifier $$\exists q_j$$ or $$\forall q_j$$ in $$\varphi$$. Furthermore, assume that no $$\pi _j$$ with $$j \in J$$ occurs in $$\varphi$$ and that $$a \in \text {AP}$$. We denote by $$\varphi [J \hookrightarrow _a \pi ]$$ the formula where each propositional quantifier $$\exists q_j$$ (or $$\forall q_j$$, respectively) with $$j \in J$$ is replaced with the corresponding trace quantifier $$\exists \pi _{j}$$ (or $$\forall \pi _{j}$$, respectively); and each $$q_j$$ in $$\psi$$ is replaced by $$a _{\pi _{j}}$$.
Lemma 3
Let any HyperQPTL formula $$\varphi$$ over $$\text {AP}= I \mathbin {\dot{\cup }}O$$ and a set of indices J be given. If $$\varphi [J \hookrightarrow _i \pi ]$$ is realizable, then so is $$\varphi$$, where $$i \in I$$ is an arbitrary input, assuming w.l.o.g., that I is non-empty.
Proof
Let $$\varphi$$ and J be given. Formula $$\varphi [J \hookrightarrow _i \pi ]$$ replaces the quantification over sequences $$(2^{\{q\}})^\omega$$ with trace quantification, where the trace is only used for statements about a single input i. We thus exploit the fact that in the realizability problem, there is a trace for every input sequence. Therefore, the transformed formula is equirealizable.    $$\square$$
Now, we have everything we need to prove Theorem 3.
Proof (of Theorem 3)
Let $$\varphi$$ be a HyperQPTL formula of the $$\exists _{q/\pi }^*\forall _q^*\forall _{\pi }Q_q^*$$ fragment. First, observe that in the quantifier prefix of $$\varphi$$, the $$\forall _q^*$$ quantifiers and the $$\forall _{\pi }$$ can be swapped. The resulting formula belongs to the $$\exists _{q/\pi }^*\forall _{\pi }Q_q^*$$ fragment. By Lemma 3, the formula can be transformed to a equirealizable formula of the $$\exists _{\pi }^*\forall _{\pi }Q_q^*$$ fragment, for which realizability is decidable by Lemma 2.    $$\square$$
Lemma 3 allows us to decide realizability of a HyperQPTL formula by replacing propositional quantifiers with trace quantifiers. Thus, we can reduce HyperQPTL realizability to HyperLTL realizability, a fact that we use in Sect. 5 to describe a bounded synthesis algorithm for HyperQPTL.
Corollary 2
The realizability problem of HyperQPTL can be soundly reduced to the realizability problem of HyperLTL.
Lastly, we show that the decidable fragment is tight in the class of formulas with a single universal trace quantifier. We do so by showing that a propositional $$\forall ^*_q \exists ^*_q$$ quantifier alternation followed by a single trace quantifier $$\forall _{\pi }$$ leads to an undecidable realizability problem. The proof is carried out by a reduction from Post’s Correspondence Problem.
Theorem 4
Realizability is undecidable for HyperQPTL formulas with a single $$\forall _\pi$$ quantifier outside the $$\exists _{q/\pi }^*\forall _q^*\forall _{\pi }Q_q^*$$ fragment.
Proof
Inherited from HyperLTL, realizability of formulas with a $$\forall _\pi$$ quantifier followed by an $$\exists _\pi$$ quantifier is undecidable  [12]. It remains to show that realizability of formulas from the $$\forall _q^*\exists _q^*\forall _\pi$$ fragment is in general undecidable. We give a reduction from Post’s Correspondence Problem (PCP)  [28] to a HyperQPTL formula from the $$\forall _q^* \exists _q^* \forall _\pi$$ fragment. In PCP, we are given two equally long lists $$\alpha$$ and $$\beta$$ consisting of finite words from some alphabet $$\varSigma$$ of size n. PCP is the problem to find an index sequence $$(i_k)_{1 \le k \le K}$$ with $$K \ge 1$$ and $$1 \le i_k \le n$$, such that $$\alpha _{i_1}\dots \alpha _{i_K}=\beta _{i_1}\dots \beta _{i_K}$$. Intuitively, PCP is the problem of choosing an infinite sequence of domino stones (with finitely many different stones), where each stone consists of two words $$\alpha _i$$ and $$\beta _i$$. Let a PCP instance with $$\varSigma = \{a_1,a_2,..., a_n\}$$ and two lists $$\alpha$$ and $$\beta$$ be given. We choose our set of atomic propositions as follows: with $$I := \{i\}$$ and , where we use the dot symbol to encode that a stone starts at this position of the trace. We write $$\tilde{a}$$ to denote either a or $$\dot{a}$$. The single input i spans a binary strategy tree. We encode the PCP instance into a HyperQPTL formula that is realizable if and only if the PCP instance has a solution:
where $$\mathbf {q}$$ and $$\mathbf {p}$$ are sequences of universally and existentially quantified propositional variables, such that for each $$(o,o') \in O$$, there is a $$q_{(o,o')} \in \mathbf {q}$$ and a $$p_{(o,o')} \in \mathbf {p}$$. Together with $$q_i$$ and $$p_i$$ for the input i, they simulate a universally and an existentially quantified trace from the model. The notation $$\pi = \mathbf {q}$$ denotes that for every $$q_a \in \mathbf {q}$$, it holds that $$a_\pi \leftrightarrow q_a$$. As seen before, the premise and the conjunct ensure that the propositions $$(q_i, \mathbf {q})$$ and $$(p_i, \mathbf {p})$$ are chosen to represent actual traces from the model. The universal quantification $$\pi$$ thus only ensures that $$(q_i, \mathbf {q})$$ and $$(p_i, \mathbf {p})$$, which are used for the main reduction, are chosen correctly. The reduction is implemented in the formula $$\varphi _ reduc$$ and follows the construction in  [10], where it is shown that the satisfiability and realizability problem of HyperLTL are undecidable for a $$\forall \exists$$ trace quantifier prefix.
\begin{aligned} \varphi _ reduc (q_i, \mathbf {q}, p_i, \mathbf {p}) := \;&\varphi _ rel (q_i) \rightarrow \varphi _ is++ (q_i,p_i)\\&{} \wedge \varphi _ start (\varphi _ stone \& shift (\mathbf {q},\mathbf {p}),q_i) \wedge \varphi _ sol (q_i,\mathbf {q}) \end{aligned}
• defines the set of relevant traces trough the binary strategy tree (see Fig. 6).
• defines that a relevant trace is the direct successor trace of another relevant trace.
• ensures that the path on which globally i holds is a “solution” trace, i.e., encodes the PCP solution sequence.
• cuts off an irrelevant prefix until $$\varphi$$ starts.
• $$\varphi _ stone \& shift (\mathbf {q},\mathbf {p})$$ encodes that the trace simulated by $$\mathbf {q}$$ starts with a valid encoding of a stone from the PCP instance and that the trace simulated by $$\mathbf {p}$$ encodes the same trace but with the first stone removed (see  [10]).
For example, let $$\alpha$$ with $$\alpha _1 = a$$, $$\alpha _2 = ab$$, $$\alpha _3 = bba$$, and $$\beta$$ with $$\beta _1 = baa$$, $$\beta _2 = aa$$ and $$\beta _3 = bb$$ be given. A possible solution for this PCP instance is be (3, 2, 3, 1), since $$bbaabbbaa = i_\alpha = i_\beta$$. The full sequence at the trace represents the solution with the outputs
$$(\dot{b}, \dot{b})(b, b)(a, \dot{a})(\dot{a}, a)(b, \dot{b})(\dot{b}, b)(b, \dot{b})(a, a)(\dot{a}, a)(\#, \#)(\#, \#)\dots$$
The next relevant trace, therefore, contains
$$(\dot{a}, \dot{a})(b, a)(\dot{b}, \dot{b})(b, b)(a, \dot{b})(\dot{a}, a)(\#, a)(\#, \#)(\#, \#)\dots$$
Continuing this, the following relevant traces are:
\begin{aligned}&(\dot{b}, \dot{b})(b, b)(a, \dot{b})(\dot{a}, a)(\#, a)(\#, \#)(\#, \#)\dots \\&(\dot{a}, \dot{b})(\#, a)(\#, a)(\#, \#)(\#, \#)\dots \\&(\#, \#)(\#, \#)\dots \end{aligned}
The relevant traces verify the solution provided on the trace by removing one stone after the other. Thus, the formula is realizable iff the PCP instance has a solution.    $$\square$$

### 4.3 Multiple Universal Trace Quantifiers

When considering multiple universal trace quantifiers $$\forall ^*_\pi$$, the problem becomes undecidable. This is because in HyperLTL, one can encode distributed architectures – for which the problem is undecidable – directly into the formula without using any propositional quantification  [12].
Corollary 3
Realizability of the $$\forall ^*_\pi$$ fragment is in general undecidable.
However, we show that the realizability problem for formulas with more than one universal trace quantifier is decidable if we restrict ourselves to formulas in the so-called linear fragment, i.e., that does not allow an encoding of a distributed architecture. We define the linear fragment of HyperQPTL, where the definitions are adopted from  [12].
Let $$A,C \subseteq \text {AP}$$. We define that atomic propositions $$c \in C$$ do solely depend on propositions $$a \in A$$ as the HyperQPTL formula
We define a collapse function, which collapses a HyperQPTL formula with a $$\forall _\pi ^*$$ universal quantifier prefix into a formula with a single $$\forall _\pi$$ quantifier. Propositional quantifiers are preserved by the operation. Let $$\varphi$$ be $$\forall \pi _1 \cdots \forall \pi _n \mathpunct {.}Q_q^* \mathpunct {.}\psi$$. We define the collapsed formula of $$\varphi$$ as where $$\psi [\pi _i \mapsto \pi ]$$ replaces all occurrences of $$\pi _i$$ in $$\psi$$ with $$\pi$$.
Lemma 4
Either $$\varphi \equiv collapse (\varphi )$$ or $$\varphi$$ has no equivalent $$\forall _\pi ^1 \mathpunct {.}Q_q^*$$ formula.
Proof
The collapse function solely works on the trace quantification mechanism of the HyperQPTL formula, by reducing them to a single universal quantification. The theorem has been proven for $$\forall ^*$$ HyperLTL formulas in  [12]. Inner propositional quantification does not interfere with this mechanism, hence, the proof can be carried out identically.    $$\square$$
Now we can formally define the linear $$\forall _{\pi }^*$$ fragment. Intuitively, we require that every input-output dependency can be ordered linearly, i.e., we are restricted to linear architectures without information forks (see Example 3).
Definition 3
Let $$O = \{o_1,\ldots , o_n\}$$. A HyperQPTL formula $$\varphi$$ is called linear if for all $$o_i \in O$$ there is a $$J_i \subseteq I$$ such that $$\varphi \wedge D_{I \mapsto O} \equiv collapse (\varphi ) \wedge \bigwedge _{o_i \in O} D_{J_i \mapsto \{ o_i \}}$$ and $$J_i \subseteq J_{i+1}$$ for all $$i \le n$$.
This results in the following corollary. Since the universal quantifiers can be collapsed, the resulting problem is the realizability problem of QPTL in a linear architecture, which is decidable  [17].
Corollary 4
Realizability of the linear $$\forall _\pi ^* Q_q^*$$ fragment is decidable.
Remark on Complexities. Our aim was to work out the largest possible fragments for which the realizability problem of HyperQPTL remains decidable. The three fragments for which we could prove decidability all subsume the logic QPTL, for which the realizability problem is known to be non-elementary (already its satisfiability problem is non-elementary  [30]). Hence, realizability of the discussed HyperQPTL fragments has a non-elementary lower bound. Finding interesting fragments for which the problem has a more feasible complexity therefore remains an open challenge.
Table 1.
Experimental results for prompt arbiter
Instance
Bound on system
Bound on $$\exists$$-strategy
Result
Time [sec.]
arbiter-2-prompt
2
1
unsat
<1
2
2
sat
<1
arbiter-2-full-prompt
3
1
unsat
2.4
3
2
sat
6.0
arbiter-3-prompt
3
1
unsat
4.2
3
2
sat
9.5
arbiter-4-prompt
4
1
unsat
97
4
2
?
TO

## 5 Experiments

We have implemented a prototype tool that can solve the HyperQPTL realizability problem using the bounded synthesis approach  [18]. More concretely, we extended the HyperLTL synthesis tool BoSy  [7, 9, 12]. Bosy reduces the HyperLTL synthesis problem to a SMT constraint system which is then solved by $$\textsc {z3}$$  [8] (for more see  [12]). We implemented the reduction of HyperQPTL synthesis to HyperLTL synthesis (Corollary 2) in BoSy, such that the tool can also handle HyperQPTL formulas. We evaluated the tool against a range of benchmarks sets, shown in Table 1. The first column indicates the parameterized benchmark name. The second and third columns indicate the bounds given to the bounded synthesis procedure. The second column is the bound on the size of the system. The newest version of BoSy also bounds the size of the strategy for the existential player, this bound is given in column three. For a detailed explanation of how existential strategies are bounded in BoSy, we refer to  [7].
We synthesized a range of resource arbiters. Our benchmark set is parametric in the number of clients that can request access to the shared resource (written arbiter-k-prompt where k is the number of clients in Table 1). Unlike normal arbiters, we require the arbiter to fulfill promptness for some of the clients, i.e., requests must be answered within a bounded number of steps  [33]. We state the promptness requirement in HyperQPTL by applying the alternating-color technique from  [24]. Intuitively, the alternating-color technique works as follows: We quantify a q-sequence that “changes color" between q and $$\lnot q$$. Each change of color is used as a potential bound. Once a request occurs, the grant must be given withing two changes of color. Thus, the HyperQPTL formulation amounts to the following specifications, here exemplary for 2 clients, where we require promptness only for client 1.
(1)
(2)
(3)
(4)
Formula 1 states mutual exclusion. Formula 2 states that client 2 must be served eventually (but not within a bounded number of steps). Formula 3 states the promptness requirement for client 1. It quantifies an alternating q-sequence, which serves as a sequence of global bounds that must be respected on all traces $$\pi$$. Then, if client 1 poses a request, the grant must be given within two changes of the value of q. Formula 4 is only added in benchmarks named arbiter-k-full-prompt. It specifies that no spurious grants should be given.
BoSy successfully synthesizes prompt arbiter of up to 3 states. For a 4-state prompt arbiter BoSy did not return in reasonable time.

## 6 Conclusion

We studied the hyperlogic HyperQPTL, which combines the concepts of trace relations and $$\omega$$-regularity. We showed that HyperQPTL is very expressive, it can express properties like promptness, bounded waiting for a grant, epistemic properties, and, in particular, any $$\omega$$-regular property. Those properties are not expressible in previously studied hyperlogics like HyperLTL. At the same time, we argued that the expressiveness of HyperQPTL is optimal in a sense that a more expressive logic for $$\omega$$-regular hyperproperties would have an undecidable model checking problem. We furthermore studied the realizability problem of HyperQPTL. We showed that realizability is decidable for HyperQPTL fragments that contain properties like promptness. But still, in contrast to the satisfiability problem, propositional quantification does make the realizability problem of hyperlogics harder. More specifically, the HyperQPTL fragment of formulas with a universal-existential propositional quantifier alternation followed by a single trace quantifier is undecidable in general, even though the projection of the fragment to HyperLTL has a decidable realizability problem. Lastly, we implemented the bounded synthesis problem for HyperQPTL in the prototype tool BoSy. Using BoSy with HyperQPTL specifications, we have been able to synthesize several resource arbiters. The synthesis problem of non-linear-time hyperlogics is still open. For example, it is not yet known how to synthesize systems from specifications given in branching-time hyperlogics like HyperCTL$$^*$$.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
print
PRINT
Literature
1.
Bonakdarpour, B., Finkbeiner, B.: Program repair for hyperproperties. In: Chen, Y.-F., Cheng, C.-H., Esparza, J. (eds.) ATVA 2019. LNCS, vol. 11781, pp. 423–441. Springer, Cham (2019). https://​doi.​org/​10.​1007/​978-3-030-31784-3_​25 CrossRef
2.
Bozzelli, L., Maubert, B., Pinchinat, S.: Unifying hyper and epistemic temporal logics. In: Pitts, A. (ed.) FoSSaCS 2015. LNCS, vol. 9034, pp. 167–182. Springer, Heidelberg (2015). https://​doi.​org/​10.​1007/​978-3-662-46678-0_​11
3.
Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28(10), 1030–1044 (1985). https://​doi.​org/​10.​1145/​4372.​4373 CrossRef
4.
Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://​doi.​org/​10.​1007/​978-3-642-54792-8_​15 CrossRef
5.
Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010). https://​doi.​org/​10.​3233/​JCS-2009-0393 CrossRef
6.
Coenen, N., Finkbeiner, B., Hahn, C., Hofmann, J.: The hierarchy of hyperlogics. In: 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS 2019), pp. 1–13 (2019). https://​doi.​org/​10.​1109/​LICS.​2019.​8785713
7.
Coenen, N., Finkbeiner, B., Sánchez, C., Tentrup, L.: Verifying hyperliveness. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11561, pp. 121–139. Springer, Cham (2019). https://​doi.​org/​10.​1007/​978-3-030-25540-4_​7 CrossRef
8.
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://​doi.​org/​10.​1007/​978-3-540-78800-3_​24 CrossRef
9.
Faymonville, P., Finkbeiner, B., Tentrup, L.: BoSy: an experimentation framework for bounded synthesis. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 325–332. Springer, Cham (2017). https://​doi.​org/​10.​1007/​978-3-319-63390-9_​17 CrossRef
10.
Finkbeiner, B., Hahn, C.: Deciding hyperproperties. In: Proceedings of CONCUR. LIPIcs, vol. 59, pp. 13:1–13:14. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2016). https://​doi.​org/​10.​4230/​LIPIcs.​CONCUR.​2016.​13
11.
Finkbeiner, B., Hahn, C., Hans, T.: MGH yper: checking satisfiability of hyperltl formulas beyond the $$\exists ^*\forall ^*$$ fragment. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 521–527. Springer, Cham (2018). https://​doi.​org/​10.​1007/​978-3-030-01090-4_​31 CrossRef
12.
Finkbeiner, B., Hahn, C., Lukert, P., Stenger, M., Tentrup, L.: Synthesizing reactive systems from hyperproperties. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 289–306. Springer, Cham (2018). https://​doi.​org/​10.​1007/​978-3-319-96145-3_​16 CrossRef
13.
Finkbeiner, B., Hahn, C., Lukert, P., Stenger, M., Tentrup, L.: Synthesis from hyperproperties. Acta Inf. 57(1), 137–163 (2020). https://​doi.​org/​10.​1007/​s00236-019-00358-2
14.
Finkbeiner, B., Hahn, C., Stenger, M.: EAHyper: satisfiability, implication, and equivalence checking of hyperproperties. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 564–570. Springer, Cham (2017). https://​doi.​org/​10.​1007/​978-3-319-63390-9_​29 CrossRef
15.
Finkbeiner, B., Hahn, C., Torfah, H.: Model checking quantitative hyperproperties. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 144–163. Springer, Cham (2018). https://​doi.​org/​10.​1007/​978-3-319-96145-3_​8 CrossRef
16.
Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking hyperLTL and hyperCTL $$^*$$. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). https://​doi.​org/​10.​1007/​978-3-319-21690-4_​3 CrossRef
17.
Finkbeiner, B., Schewe, S.: Uniform distributed synthesis. In: Proceedings of LICS, pp. 321–330. IEEE Computer Society (2005). https://​doi.​org/​10.​1109/​LICS.​2005.​53
18.
Finkbeiner, B., Schewe, S.: Bounded synthesis. STTT 15(5–6), 519–539 (2013). https://​doi.​org/​10.​1007/​s10009-012-0228-z
19.
Finkbeiner, B., Zimmermann, M.: The first-order logic of hyperproperties. In: Proceedings of STACS. LIPIcs, vol. 66, pp. 30:1–30:14. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2017). https://​doi.​org/​10.​4230/​LIPIcs.​STACS.​2017.​30
20.
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of S&P, pp. 11–20. IEEE Computer Society (1982). https://​doi.​org/​10.​1109/​SP.​1982.​10014
21.
Hahn, C.: Algorithms for monitoring hyperproperties. In: Finkbeiner, B., Mariani, L. (eds.) RV 2019. LNCS, vol. 11757, pp. 70–90. Springer, Cham (2019). https://​doi.​org/​10.​1007/​978-3-030-32079-9_​5 CrossRef
22.
Halpern, J.Y., Vardi, M.Y.: The complexity of reasoning about knowledge and time. i. lower bounds. J. Comput. Syst. Sci. 38(1), 195–237 (1989). https://​doi.​org/​10.​1016/​0022-0000(89)90039-1
23.
Kaivola, R.: Using automata to characterise fixed point temporal logics. Ph.D. thesis (1997)
24.
Kupferman, O., Piterman, N., Vardi, M.Y.: From liveness to promptness. Formal Methods Syst. Des. 34(2), 83–103 (2009). https://​doi.​org/​10.​1007/​s10703-009-0067-z
25.
Nguyen, L.V., Kapinski, J., Jin, X., Deshmukh, J.V., Johnson, T.T.: Hyperproperties of real-valued signals. In: Proceedings of MEMOCODE, pp. 104–113. ACM (2017). https://​doi.​org/​10.​1145/​3127041.​3127058
26.
Pnueli, A.: The temporal logic of programs. In: Proceedings of FOCS, pp. 46–57. IEEE Computer Society (1977). https://​doi.​org/​10.​1109/​SFCS.​1977.​32
27.
Pnueli, A., Rosner, R.: Distributed reactive systems are hard to synthesize. In: Proceedings of FOCS, pp. 746–757. IEEE Computer Society (1990). https://​doi.​org/​10.​1109/​FSCS.​1990.​89597
28.
Post, E.L.: A variant of a recursively unsolvable problem. Bull. Am. Math. Soc. 52(4), 264–268 (1946)
29.
Rabe, M.N.: A temporal logic approach to information-flow control. Ph.D. thesis, Saarland University (2016)
30.
Sistla, A.P., Vardi, M.Y., Wolper, P.: The complementation problem for Büchi automata with applications to temporal logic. In: Brauer, W. (ed.) ICALP 1985. LNCS, vol. 194, pp. 465–474. Springer, Heidelberg (1985). https://​doi.​org/​10.​1007/​BFb0015772 CrossRef
31.
Sistla, A.P.: Theoretical issues in the design and verification of distributed systems, Ph.D. thesis (1983)
32.
Stucki, S., Sánchez, C., Schneider, G., Bonakdarpour, B.: Gray-box monitoring of hyperproperties. In: ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.) FM 2019. LNCS, vol. 11800, pp. 406–424. Springer, Cham (2019). https://​doi.​org/​10.​1007/​978-3-030-30942-8_​25 CrossRef
33.
Tentrup, L., Weinert, A., Zimmermann, M.: Approximating optimal bounds in prompt-ltl realizability in doubly-exponential time. In: Proceedings of GandALF, EPTCS, vol. 226, pp. 302–315 (2016). https://​doi.​org/​10.​4204/​EPTCS.​226.​21
34.
Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of CSFW, p. 29. IEEE Computer Society (2003). https://​doi.​org/​10.​1109/​CSFW.​2003.​1212703