Synthesis from hyperproperties

The \(\text {HyperLTL}\) realizability problem subsumes the \(\text {LTL}\) realizability with incomplete information problem.

Given \({\langle \varphi , I, O, H \rangle }\), the following \(\text {HyperLTL}\) formula over inputs I and outputs O is equirealizable.\(\square \)

The \(\text {HyperLTL}\) realizability problem subsumes the distributed \(\text {LTL}\) realizability problem.

Given a distributed realizability problem \({\langle \varphi ,{\mathcal {A}} \rangle }\), the following \(\text {HyperLTL}\) formula over inputs \({\mathcal {O}}({p_\textit{env}})\) for \(P^{-}\) and outputs \(\bigcup _{p \in P^{-}} {\mathcal {O}}(p)\) is equirealizable:\(\square \)

The \(\text {HyperLTL}\) realizability problem subsumes the asynchronous distributed \(\text {LTL}\) realizability problem.

Let \({\mathcal {A}}= {\langle P, p_{env}, {\mathcal {I}}, {\mathcal {O}} \rangle }\) be a distributed architecture. To model scheduling, we introduce an additional set \( Sched = \{ sched _p \mid p \in P^{-}\}\) of atomic propositions. The valuation of \( sched _p\) indicates whether system process p is currently scheduled or not. A process \(p \in P^{-}\) may observe whether it is scheduled or not, that is, it may depend on \( sched _p\). The environment can decide at every step which processes to schedule. When a process is not scheduled, its output behavior does not change [28]. As the scheduling is controlled by the environment, we assume that every process is infinitely often scheduled, as otherwise, the environment wins by simply not scheduling any process.

Given an asynchronous distributed realizability problem \({\langle \varphi ,{\mathcal {A}} \rangle }\), the following \(\text {HyperLTL}\) formula over inputs \({\mathcal {O}}({p_\textit{env}}) \cup Sched \) and outputs \(\bigcup _{p \in P^{-}} {\mathcal {O}}_p\) is equirealizable:\(\square \)

The \(\text {HyperLTL}\) realizability problem subsumes the symmetric (distributed) \(\text {LTL}\) realizability problem.

Given a symmetric realizability problem over architecture \({\mathcal {A}}\) and specifications \(\varphi _1,\dots , \varphi _k\) for the k processes the following \(\text {HyperLTL}\) formula over inputs \({\mathcal {O}}({p_\textit{env}})\) for \(P^{-}\) and outputs \(\bigcup _{p \in P^{-}} {\mathcal {O}}(p)\) is equirealizable:\(\square \)

The \(\text {HyperLTL}\) realizability problem subsumes the fault-tolerant \(\text {LTL}\) realizability problem.

Given \({\langle {\mathcal {A}}, \varphi _1, \dots , \varphi _n \rangle }\), the following \(\text {HyperLTL}\) formula over inputs \({\mathcal {O}}({p_\textit{env}})\) and outputs \(\bigcup _{p \in P^{-}} {\mathcal {O}}_p\) is equirealizable:\(\square \)

An existential \(\text {HyperLTL}\) formula \(\varphi = \exists \pi _1 \cdots \exists \pi _n \mathpunct {.}\psi \) is realizable if, and only if, \(\varphi _{ sat } :=\exists \pi _1 \cdots \exists \pi _n \mathpunct {.}\forall \pi \forall \pi ' \mathpunct {.}\psi \wedge D^{\pi ,\pi '}_{I \mapsto O}\) is satisfiable.

Assume \(f :(2^{I})^* \rightarrow 2^{O}\) realizes \(\varphi \), that is \(f \vDash \varphi \). Let \(T = traces (f)\) be the set of traces generated by f. It holds that \(T \vDash \varphi \) and \(T \vDash \forall \pi ,\pi ' \mathpunct {.}D^{\pi ,\pi '}_{I \mapsto O}\). Therefore, T witnesses the satisfiability of \(\varphi _{ sat }\). For the reverse direction, assume that \(\varphi _{ sat }\) is satisfiable. Let S be a set of traces that satisfies \(\varphi _{ sat }\). We construct a strategy \(f :(2^{I})^* \rightarrow 2^{O}\) aswhere \(w|_I\) denotes the trace restricted to I, meaning that \(w_i \cap I\) for all \(i \ge 0\). Note that if there are multiple candidates \(w \in S\), then \(w_{|\sigma |} \cap O\) is equal across all of them due to the required determinism \(\forall \pi \forall \pi ' \mathpunct {.}D^{\pi ,\pi '}_{I \mapsto O}\). By construction, all traces in S are contained in f, and together with \(S \vDash \varphi \), it holds that \(f \vDash \varphi \) as the sets of sets of traces satisfying the existential formula \(\varphi \) are upward closed. \(\square \)

Realizability of existential \(\text {HyperLTL}\) specifications is decidable.

The formula \(\varphi _{ sat }\) from Lemma 1 is in the \(\exists ^*\forall ^2\) fragment, for which satisfiability is decidable [18]. \(\square \)

Realizability of existential \(\text {HyperLTL}\) specifications is \(\textsc {PSpace}\)-complete.

Given an existential \(\text {HyperLTL}\) formula, we gave a linear reduction to the satisfiability of the \(\exists ^*\forall ^2\) fragment in Lemma 1. The satisfiability problem for a bounded number of universal quantifiers is in \(\textsc {PSpace}\) [18]. Hardness follows from \(\text {LTL}\) satisfiability [43], which is equivalent to the \(\exists ^1\) fragment. \(\square \)

The synthesis problem for universal \(\text {HyperLTL}\) becomes undecidable as soon as we have more than one universal quantifier.

In the \(\forall ^*\) fragment (and thus in the \(\exists ^*\forall ^*\) fragment), we can encode a distributed architecture [40], for which \(\text {LTL}\) synthesis is undecidable. In particular, we can encode the architecture shown in Fig. 1a. This architecture basically specifies c to depend only on a and analogously d on b. That can be encoded by \(D^{\pi ,\pi '}_{\{a\} \mapsto \{c\}}\) and \(D^{\pi ,\pi '}_{\{b\} \mapsto \{d\}}\). The \(\text {LTL}\) synthesis problem for this architecture is undecidable [40], i.e., given an \(\text {LTL}\) formula over \(I=\{a,b\}\) and \(O=\{c,d\}\), we cannot automatically construct processes \(p_1\) and \(p_2\) that realize the formula. \(\square \)

Either \(\varphi \equiv collapse (\varphi )\) or \(\varphi \) has no equivalent \(\forall ^1\) formula.

Suppose there is some \(\psi \in \forall ^1\) with \(\psi \equiv \varphi \). We show that \(\psi \equiv collapse (\varphi )\). Let T be an arbitrary set of traces. Let \({\mathcal {T}} = \{\{w\} \mid w \in T \}\). Because \(\psi \in \forall ^1\), \(T \vDash \psi \) is equivalent to \(\forall T' \in {\mathcal {T}} \mathpunct {.}T' \vDash \psi \), which is by assumption equivalent to \(\forall T' \in {\mathcal {T}} \mathpunct {.}T' \vDash \varphi \). Now, \(\varphi \) operates on singleton trace sets only. This means that all quantified paths have to be the same, which yields that we can use the same path variable for all of them. So \(\forall T' \in {\mathcal {T}} \mathpunct {.}T' \vDash \varphi \leftrightarrow T' \vDash collapse (\varphi )\) that is again equivalent to \(T \vDash collapse (\varphi )\). Because \(\psi \equiv collapse (\varphi )\) and \(\psi \equiv \varphi \) it holds that \(\varphi \equiv collapse (\varphi )\). \(\square \)

(linear fragment of\(\forall ^*\)) In the context of a synthesis problem with inputs I and outputs O, a formula \(\varphi \) is in the linear fragment of \(\forall ^*\) iff for all \(o_i \in O\) there is a \(J_i \subseteq I\) such that \(\forall \pi \mathpunct {.}\forall \pi '\mathpunct {.}\varphi \wedge D^{\pi ,\pi '}_{I \mapsto O} \equiv \forall \pi \mathpunct {.}\forall \pi '\mathpunct {.} collapse (\varphi ) \wedge \bigwedge _{o_i \in O} D^{\pi ,\pi '}_{J_i \mapsto \{o_i\}}\) and \(J_i \subseteq J_{i+1}\) for all i.

The realizability of the linear fragment of \(\text {HyperLTL}\) is decidable.

It holds that \(\forall \pi \mathpunct {.}\forall \pi '\mathpunct {.}\varphi \wedge D^{\pi ,\pi '}_{I \mapsto O} \equiv \forall \pi \mathpunct {.}\forall \pi '\mathpunct {.} collapse (\varphi ) \wedge \bigwedge _{o_i \in O} D^{\pi ,\pi '}_{J_i \mapsto \{o_i\}}\) for some \(J_i\)’s. The \(\text {LTL}\) distributed realizability problem for \( collapse (\varphi )\) in the constructed architecture A is equivalent to the \(\text {HyperLTL}\) realizability of \(\varphi \) as the architecture \({\mathcal {A}}\) represents exactly the input-determinism represented by formula \(\bigwedge _{o_i \in O} D^{\pi ,\pi '}_{J_i \mapsto \{o_i\}}\). The architecture is linear and, thus, the realizability problem is decidable. \(\square \)

The realizability problem of the linear fragment of \(\text {HyperLTL}\) can be checked in non-elementary time.

Realizability of \(\exists ^* \forall ^1 \text {HyperLTL}\) specifications is decidable.

Let \(\varphi \) be \(\exists \pi _1 \cdots \exists \pi _n \mathpunct {.}\forall \pi ' \mathpunct {.}\psi \). We reduce the realizability problem of \(\varphi \) to the distributed realizability problem for \(\text {LTL}\). Intuitively, we use a two-process distributed architecture where the first process p is supposed to produce the traces for the leading existential quantification and the second process \(p'\) represents the realizing strategy. The architecture is depicted in Fig. 3.

For every existential trace quantifier \(\pi \), we introduce a copy of every atomic proposition for the distributed realizability problem, written \(a^{\pi }\) for \(a \in \text {AP}\). We use the same notation for sets of atomic propositions, e.g., \(I^{\pi } = \{i^\pi \mid i \in I\}\). Process p has no inputs, thus, produces only a single trace, and it controls the outputs \(\bigcup \limits _{1 \le i \le n} (I^{\pi _i} \cup O^{\pi _i})\). Using an appropriate valuation of its outputs, process p selects the paths in the strategy tree corresponding to the existential trace quantifiers \(\exists \pi _1 \cdots \exists \pi _n\). Thus, those output propositions of process p have to encode an actual path in the strategy tree produced by \(p'\). To ensure this, we add the \(\text {LTL}\) constraint that asserts that if the inputs correspond to some path in the strategy tree, the outputs on those paths have to be the same. The resulting architecture \({\mathcal {A}}_\varphi \) isIt is easy to verify that \({\mathcal {A}}_\varphi \) does not contain an information fork, thus the realizability problem is decidable [27]. The \(\text {LTL}\) specification \(\theta \) is where we replace every \(a_\pi \) by \(a^\pi \) for existential traces and \(a_{\pi '}\) to a in \(\psi \). The implementation of process \(p'\) (if it exists) is a realizing strategy for the \(\text {HyperLTL}\) formula (process p producing witnesses for the \(\exists \) quantifiers): Assume that there are realizing strategies for \({\langle {\mathcal {A}}_\varphi ,\theta \rangle }\), i.e., \(f_{p} :(2^{\emptyset })^* \rightarrow 2^{\bigcup _{1 \le i \le n} (I^{\pi _i} \cup O^{\pi _i})}\) and \(f_{p'} :(2^{I})^* \rightarrow 2^{O}\). \(f_{p'}\) is a realizing strategy for \(\varphi \) as well: By the HyperLTL semantics, we have to show that there is a trace assignment \(\varPi :{\mathcal {V}}_\exists \rightarrow traces (f_{p'})\) such that for all \(t \in traces (f_{p'})\) it holds that \(\varPi [\pi ' \rightarrow t] \vDash _{ traces (f_{p'})} \psi \). We define \(\varPi \) in the following. Note that \( traces (f_p)\) is a singleton set and let \(t_p \in \left( 2^{\bigcup _{1 \le i \le n} (I^{\pi _i} \cup O^{\pi _i})} \right) ^\omega \) be the corresponding trace. For every \(\pi _i \in \{\pi _1,\ldots ,\pi _n\}\), we define \(\varPi (\pi _i) = t_p|_{I^{\pi _i}}\) where we replace \(a^{\pi _i}\) by a for every \(a \in \text {AP}\). This, together with \(\theta \) shows that \(\psi \) holds for every chosen path \(t \in traces (f_{p'})\) for \(\pi '\).

Conversely, a model for \(\varphi \) can be used as an implementation of p and \(p'\): Let \(f :(2^{I})^* \rightarrow 2^{O}\) be a realizing strategy of \(\varphi \). We use f as a strategy for \(p'\). We construct the single trace produced by p using the existential trace assignment \(\varPi :{\mathcal {V}}_\exists \rightarrow traces (f)\). Let \(t_1,\ldots ,t_n \in traces (f)\) be the corresponding traces. We construct a single trace \(t_p\) by replacing propositions \(a \in \text {AP}\) by \(a^{\pi _i}\) for every \(t_i\) and the subsequent union of the resulting traces (which now have pairwise disjoint propositions). Due to the construction, \(f_{p}\) satisfies and thus, the distributed architecture satisfies \(\theta \). Hence, the distributed synthesis problem \({\langle {\mathcal {A}}_\varphi ,\theta \rangle }\) has a solution if, and only if, \(\varphi \) is realizable. \(\square \)

Realizability of \(\forall ^* \exists ^*\)HyperLTL is undecidable.

We will prove this theorem by reducing Post’s Correspondence Problem (PCP) [41] to synthesizing an \(\forall ^1\exists ^1\) formula. This proof follows the one from [18]. In PCP, we are given two lists \(\alpha \) and \(\beta \) of same length which consist of finite words from some alphabet \(\varSigma \). For example, \(\alpha \), with \(\alpha _1 = a\), \(\alpha _2 = ab\) and \(\alpha _3 = bba\) and \(\beta \), with \(\beta _1 = baa\), \(\beta _2 = aa\) and \(\beta _3 = bb\). Here \(\alpha _i\) denotes the ith element of the list, and \(\alpha _{i,j}\) denotes the jth symbol of the ith element. In this example, \(\alpha _{3,1}\) corresponds to b. PCP is the problem to find an index sequence \((i_k)_{1 \le k \le K}\) with \(K \ge 1\) and \(1 \le i_k \le n\) for all k, such that \(\alpha _{i_1}\dots \alpha _{i_K}=\beta _{i_1}\dots \beta _{i_K}\). We denote the finite words of a PCP solution with \(i_\alpha \) and \(i_\beta \), respectively. It is a useful intuition to think of the PCP instance as a set of n domino stones. A possible solution for this PCP instance would be (3, 2, 3, 1), since this stone sequence produces the same word, i.e., \(bbaabbbaa = i_\alpha = i_\beta \).

Let a PCP instance with \(\varSigma = \{a_1,a_2,\ldots , a_n\}\) and two lists \(\alpha \) and \(\beta \) be given. We choose our set of atomic propositions as follows: \({ AP } := I\;{{\dot{\cup }}}\;O\) with \(I := \{i\}\) and \(O:= (\varSigma \cup \{{\dot{a}}_1, {\dot{a}}_2,\ldots ,{\dot{a}}_n\} \cup {\#})^2\), where we use the dot symbol to encode that a stone starts at this position of the trace. We write \({\tilde{a}}\) if we do not care if this symbol is an a or \({\dot{a}}\) and use \(*\) as syntactic sugar for an arbitrary symbol of the alphabet.

We encode the PCP instance into a HyperLTL formula that is realizable if and only if the PCP instance has a solution as follows:With this construction, we now force by the synthesis algorithm to yield a list of paths which represent the PCP solution step-wise. To get the list of stones used for this PCP solution, we can just examine the first path (with ) and look at the outputs. As we know that the dots above the letters indicate a new stone, we can slice the sequence \(i_\alpha \) to \(\alpha _{i_1}\dots \alpha _{i_K}\) and same for \(i_\beta \). This shows that we can solve PCP if we can solve the synthesis problem for \(\forall ^1\exists ^1\) formulas. \(\square \)

Throughout this section, we will use the following (simplified) running example. Assume we want to synthesize a system that keeps decisions secret until it is allowed to publish. Thus, our system has three input signals decision, indicating whether a decision was made, the secret value, and a signal to publish results. Furthermore, our system has two outputs, an undisclosed output internal that stores the value of the last decision, and a public output result that indicates the result. No information about decisions should be inferred until publication. To specify the functionality, we propose the \(\text {LTL}\) specificationThe solution produced by the LTL synthesis tool BoSy [17], shown in Fig. 4a, clearly violates our intention that results should be secret until publish: Whenever a decision is made, the output result changes as well.

We formalize the property that no information about the decision can be inferred from result until publication as the \(\text {HyperLTL}\) formulaIt asserts that for every pair of traces, the result signals have to be the same until (if ever) there is a publish signal on either trace. A solution satisfying both, the functional specification and the hyperproperty, is shown in Fig. 4b. The system switches states whenever there is a decision with a different value than before and only exposes the decision in case there is a prior publish command.

A transition system \({\mathcal {S}}\) satisfies the universal \(\text {HyperLTL}\) formula \(\varphi =\)\(\forall \pi _1 \cdots \forall \pi _n \mathpunct {.}\psi \), if, and only if, the run graph of \({\mathcal {S}}^n\) on \({\mathcal {A}}_\psi \) is accepting.

The constraint system is satisfiable with bound b if, and only if, there is a transition system \({\mathcal {S}}\) of size b that realizes the \(\text {HyperLTL}\) formula.