Verifying Hyperliveness

HyperLTL is an extension of linear-time temporal logic for the specification of hyperproperties, i.e., temporal properties that relate multiple computation traces. HyperLTL can express information flow policies as well as properties like symmetry in mutual exclusion algorithms or Hamming distances in error-resistant transmission protocols. Previous work on HyperLTL model checking has focussed on the alternation-free fragment of HyperLTL, where verification reduces to checking a standard trace property over an appropriate self-composition of the system. The alternation-free fragment does, however, not cover general hyperliveness properties. Universal formulas, for example, cannot express the secrecy requirement that for every possible value of a secret variable there exists a computation where the value is different while the observations made by the external observer are the same. In this paper, we study the more difficult case of hyperliveness properties expressed as HyperLTL formulas with quantifier alternation. We reduce existential quantification to strategic choice and show that synthesis algorithms can be used to eliminate the existential quantifiers automatically. We furthermore show that this approach can be extended to reactive system synthesis, i.e., to automatically construct a reactive system that is guaranteed to satisfy a given HyperLTL formula.


Introduction
HyperLTL [6] is a temporal logic for hyperproperties [7], i.e., for properties that relate multiple computation traces. Hyperproperties cannot be expressed in standard linear-time temporal logic (LTL), because LTL can only express trace properties, i.e., properties that characterize the correctness of individual computations. Even branching-time temporal logics like CTL and CTL * , which quantify over computation paths, cannot express hyperproperties, because quantifying over a second path automatically means that the subformula can no longer refer to the previously quantified path. HyperLTL addresses this limitation with quantifiers over trace variables, which allow the subformula to refer to all previously chosen traces. For example, noninterference [21] between a secret input h and a public output o can be specified in HyperLTL by requiring that all pairs of traces π and π that always have the same inputs except for h (i.e., all inputs in I \ {h} are equal on π and π ) also have the same output o at all times: This formula states that a change in the secret input h alone cannot cause any difference in the output o.
For certain properties of interest, the additional expressiveness of HyperLTL comes at no extra cost when considering the model checking problem. To check a property like noninterference, which only has universal trace quantifiers, one simply builds the self-composition of the system, which provides a separate copy of the state variables for each trace. Instead of quantifying over all pairs of traces, it then suffices to quantify over individual traces of the self-composed system, which can be done with standard LTL. Model checking universal formulas is NLOGSPACE-complete in the size of the system and PSPACE-complete in the the size of the formula, which is precisely the same complexity as for LTL.
Universal HyperLTL formulas suffice to express hypersafety properties like noninterference, but not hyperliveness properties that require, in general, quantifier alternation. A prominent example is generalized noninterference (GNI) [27], which can be expressed as the following HyperLTL formula: This formula requires that for every pair of traces π and π , there is a third trace π in the system that agrees with π on h and with π on o. The existence of an appropriate trace π ensures that in π and π , the value of o is not determined by the value of h. Generalized noninterference stipulates that low-security outputs may not be altered by the injection of high-security inputs, while permitting nondeterminism in the low-observable behavior. The existential quantifier is needed to allow this nondeterminism. GNI is a hyperliveness property [7] even though the underlying LTL formula is a safety property. The reason for that is that we can extend any set of traces that violates GNI into a set of traces that satisfies GNI, by adding, for each offending pair of traces π, π , an appropriate trace π . Hyperliveness properties also play an important role in applications beyond security. For example, robust cleanness [9] specifies that significant differences in the output behavior are only permitted after significant differences in the input: The differences are measured by a distance functiond and compared to constant thresholds κ i for the input and κ o for the output. The formula specifies the existence of a trace π that globally agrees with π on the input and where the difference in the output o between π and π is bounded by κ o , unless the difference in the input i between π and π was greater than κ i . Robust cleanness, thus, forbids unexpected jumps in the system behavior that are, for example, due to software doping, while allowing for behavioral differences due to nondeterminism.
With quantifier alternation, the model checking problem becomes much more difficult. Model checking HyperLTL formulas of the form ∀ * ∃ * ϕ, where ϕ is a quantifier-free formula, is PSPACE-complete in the size of the system and EXPSPACE-complete in the formula. The only known model checking algorithm replaces the existential quantifier with the negation of a universal quantifier over the negated subformula; but this requires a complementation of the system behavior, which is completely impractical for realistic systems.
In this paper, we present an alternative approach to the verification of hyperliveness properties. We view the model checking problem of a formula of the form ∀π.∃π . ϕ as a game between the ∀-player and the ∃-player. While the ∀player moves through the state space of the system building trace π, the ∃-player must match each move in a separate traversal of the state space resulting in a trace π such that the pair π, π satisfies ϕ. Clearly, the existence of a winning strategy for the ∃-player implies that ∀π.∃π . ϕ is satisfied. The converse is not necessarily true: Even if there always is a trace π that matches the universally chosen trace π, the ∃-player may not be able to construct this trace, because she only knows about the choices made by the ∀-player in the finite prefix of π that has occurred so far, and not the choices that will be made by the ∀-player in the infinite future. We address this problem by introducing prophecy variables into the system. Without changing the behavior of the system, the prophecy variables give the ∃-player the information about the future that is needed to make the right choice after seeing only the finite prefix. Such prophecy variables can be provided manually by the user of the model checker to provide a lookahead on future moves of the ∀-player.
This game-theoretic approach provides an opportunity for the user to reduce the complexity of the model checking problem: If the user provides a strategy for the ∃-player, then the problem reduces to the cheaper model checking problem for universal properties. We show that such strategies can also be constructed automatically using synthesis. Beyond model checking, the game-theoretic approach also provides a method for the synthesis of systems that satisfy a conjunction of hypersafety and hyperliveness properties. Here, we do not only synthesize the strategy, but also construct the system itself, i.e., the game graph on which the model checking game is played. While the synthesis from ∀ * ∃ * hyperproperties is known to be undecidable in general, we show that the game-theoretic approach can naturally be integrated into bounded synthesis, which checks for the existence of a correct system up to a bound on the number of states.
Related Work. While the verification of general HyperLTL formulas has been studied before [6,17,18], there has been, so far, no practical model checking algorithm for HyperLTL formulas with quantifier alternation. The existing algorithm involves a complementation of the system automaton, which results in an ex-ponential blow-up of the state space [18]. The only existing model checker for HyperLTL, MCHyper [18], was therefore, so far, limited to the alternation-free fragment. Although some hyperliveness properties lie in this fragment, quantifier alternation is needed to express general hyperliveness properties like GNI. In this paper, we present a technique to model check these hyperliveness properties and extend MCHyper to formulas with quantifier alternation.
The situation is similar in the area of reactive synthesis. There is a synthesis algorithm that automatically constructs implementations from HyperLTL specifications [13] using the bounded synthesis approach [20]. This algorithm is, however, also only applicable to the alternation-free fragment of HyperLTL. In this paper, we extend the bounded synthesis approach to HyperLTL formulas with quantifier alternation. Beyond the model checking and synthesis problems, the satisfiability [11,12,14] and monitoring [15,16,22] problems of HyperLTL have also been studied in the past.
For certain information-flow security policies, there are verification techniques that use methods related to our model checking and synthesis algorithms. Specifically, the self-composition technique [2,3], a construction based on the product of copies of a system, has been tailored for various trace-based security definitions [10,23,28]. Unlike our algorithms, these techniques focus on specific information-flow policies, not on a general logic like HyperLTL.
The use of prophecy variables [1] to make information about the future accessible is a known technique in the verification of trace properties. It is, for example, used to establish simulation relations between automata [26] or in the verification of CTL * properties [8].
In our game-theoretic view on the model checking problem for ∀ * ∃ * hyperproperties the ∃-player has an infinite lookahead. There is some work on finite lookahead on trace languages [24]. We use the idea of finite lookahead as an approximation to construct existential strategies and give a novel synthesis construction for strategies with delay based on bounded synthesis [20].

Preliminaries
For tuples x ∈ X n and y ∈ X m over set X, we use x · y ∈ X n+m to denote the concatenation of x and y. Given a function f : X → Y and a tuple x ∈ X n , we define by f • x ∈ Y n the tuple (f (x[1]), . . . , f (x[n])). Let AP be a finite set of atomic propositions and let Σ = 2 AP be the corresponding alphabet. A trace t ∈ Σ ω is an infinite sequence of elements of Σ. We denote a set of traces by Tr ⊆ Σ ω . We define t[i, ∞] to be the suffix of t starting at position i ≥ 0.
We call a Q + Q + ϕ HyperLTL formula (for Q, Q ∈ {∀, ∃} and quantifier-free formula ϕ) alternation-free iff Q = Q . Further, we say that Q + Q + ϕ has one quantifier alternation (or lies in the one-alternation fragment) iff Q = Q .
The semantics of HyperLTL is given by the satisfaction relation Tr over a set of traces Tr ⊆ Σ ω . We define an assignment Π : V → Σ ω that maps trace variables to traces. Π[π → t] updates Π by assigning variable π to trace t.
We write Tr ϕ for {}, 0 Tr ϕ where {} denotes the empty assignment. Every hyperproperty is an intersection of a hypersafety and a hyperliveness property [7]. A hypersafety property is one where there is a finite set of finite traces that is a bad prefix, i.e., that cannot be extended into a set of traces that satisfies the hypersafety property. A hyperliveness property is a property where every finite set of finite traces can be extended to a possibly infinite set of infinite traces such that the resulting trace set satisfies the hyperliveness property.
Automata. An alternating parity automaton A over a finite alphabet Σ is a tuple Q, q 0 , δ, α , where Q is a finite set of states, q 0 ∈ Q is the designated initial state, δ : Q × Σ → B + (Q) is the transition function, and α : Q → C is a function that maps states of A to a finite set of colors C ⊂ N. For C = {0, 1} and C = {1, 2}, we call A a co-Büchi and Büchi automaton, respectively, and we use the sets F ⊆ Q and B ⊆ Q to represent the rejecting (C = 1) and accepting (C = 2) states in the respective automaton (as a replacement of the coloring function α). A safety automaton is a Büchi automaton where every state is accepting. The transition function δ maps a state q ∈ Q and some a ∈ Σ to a positive Boolean combination of successor states δ(q, a). An automaton is non-deterministic or universal if δ is purely disjunctive or conjunctive, respectively.
A run of an alternating automaton is a Q-labeled tree. A tree T is a subset of N * >0 such that for every node n ∈ N * >0 and every positive integer i ∈ N >0 , if n · i ∈ T then (i) n ∈ T (i.e., T is prefix-closed), and (ii) for every 0 < j < i, n · j ∈ T . The root of T is the empty sequence and for a node n ∈ T , |n| is the length of the sequence n, in other words, its distance from the root. A run of A on an infinite word ρ ∈ Σ ω is a Q-labeled tree (T, r) such that r( ) = q 0 and for every node n ∈ T with children n 1 , . . . , n k the following holds: 1 ≤ k ≤ |Q| and {r(n 1 ), . . . , r(n k )} δ(q, ρ[i]), where q = r(n) and i = |n|. A path is accepting if the highest color appearing infinitely often is even. A run is accepting if all its paths are accepting. The language of A, written L(A), is the set {ρ ∈ Σ ω | A accepts ρ}. A transition system S is accepted by an automaton Strategies. Given two disjoint finite alphabets Υ and Γ , a strategy σ : Υ * → Γ is a mapping from finite histories of Υ to Γ . A transition system S = S, s 0 , τ, l generates the strategy σ if σ(υ) = l(τ * (υ)) for every υ ∈ Υ * . A strategy σ is called finite-state if there exists a transition system that generates σ.
Model Checking HyperLTL. We recap the model checking of universal Hyper-LTL formulas. This case, as well as the dual case of only existential quantifiers, is well-understood and, in fact, efficiently implemented in the model checker MCHyper [18]. The principle behind the model checking approach is selfcomposition, where we check a standard trace property on a composition of an appropriate number of copies of the given system.
Theorem 2 (Complexity of model checking universal formulas [18]). The model checking problem for universal HyperLTL formulas is PSPACEcomplete in the size of the formula and NLOGSPACE-complete in the size of the transition system.
The complexity of verifying universal HyperLTL formulas is exactly the same as the complexity of verifying LTL formulas. For HyperLTL formulas with quantifier alternations, the model checking problem is significantly more difficult.
Theorem 3 (Complexity of model checking formulas with one quantifier alternation [18]). The model checking problem for HyperLTL formulas with one quantifier alternation is in EXPSPACE in the size of the formula and in PSPACE in the size of the transition system.
One way to circumvent this complexity is to fix the existential choice and strengthen the formula to the universal fragment [9,13,18]. While avoiding the complexity problem, this transformation requires deep knowledge of the system, is prone to errors, and cannot be verified automatically as the problem of checking implications becomes undecidable [11]. In the following section, we present a technique that circumvents the complexity problem while still inheriting strong correctness guarantees. Further, we provide a method that can, under certain restrictions, derive a strategy for the existential choice automatically.

Model Checking with Given Strategies
Our first goal is the verification of HyperLTL formulas with one quantifier alternation, i.e., formulas of the form ∀ * ∃ * ϕ or ∃ * ∀ * ϕ, where ϕ is a quantifier-free formula. Note that the presented techniques can, similar to skolemization, be extended to more than one quantifier alternation. Quantifier alternation introduces dependencies between the quantified traces. In a ∀ * ∃ * ϕ formula, the choices of the existential quantifiers depend on the choices of the universal quantifiers preceding them. In a formula of the form ∃ * ∀ * ϕ, however, there has to be a single choice for the existential quantifiers that works for all choices of the universal quantifiers. In this case, the existentially quantified variables do not depend on the universally quantified variables. Hence, the witnesses for the existential quantifiers are traces rather than functions that map tuples of traces to traces.
As established above, the model checking problem for HyperLTL formulas with quantifier alternation is known to be significantly more difficult than the model checking problem for universal formulas.
Our verification technique for formulas with quantifier alternation is to substitute strategic choice for existential choice. As discussed in the introduction, the existence of a strategy implies the existence of a trace.
An application of the theorem reduces the verification problem of a HyperLTL formula with one quantifier alternation to the verification problem of a universal HyperLTL formula. If a sufficiently small strategy can be found, the reduction in complexity is substantial: Corollary 1 (Model checking with Given Strategies). The model checking problem for HyperLTL formulas with one quantifier alternation and given strategies for the existential quantifiers is in PSPACE in the size of the formula and NLOGSPACE in the size of the product of the strategy and the system.
Note that the converse of Theorem 4 is not in general true. The satisfaction of a ∀ * ∃ * HyperLTL formula does not imply the existence of a strategy, because at any given point in time the strategy only knows about a finite prefix of the universally quantified traces. Consider the formula ∀π∃π . a π ↔ a π and a system that can produce arbitrary sequences of a and ¬a. Although the system satisfies the formula, it is not possible to give a strategy that allows us to prove this fact. Whatever choice our strategy makes, the next move of the ∀-player can make sure that the strategy's choice was wrong. In the following, we present a method that addresses this problem.
Prophecy Variables. A classic technique for resolving future dependencies is the introduction of prophecy variables [1]. Prophecy variables are auxiliary variables that are added to the system without affecting the behavior of the system. Such variables can be used to make predictions about the future.
We use prophecy variables to define strategies that depend on the future. In the example discussed above, ∀π∃π . a π ↔ a π , the choice of the value of a π in the first position depends on the value of a π in the second position. We introduce a prophecy variable p that predicts in the first position whether a π is true in the second position. With the prophecy variable, there exists a strategy that correctly assigns the value of p whenever the prediction is correct: The strategy chooses to set a π if, and only if, p holds.
Technically, the proof technique introduces a set of fresh input variables P into the system. For a Γ -labeled Υ -transition system S = S, s 0 , τ, l , we define the Γ -labeled (Υ ∪ P )-transition system S P = S, s 0 , τ P , l including the inputs P where τ P : S × (Υ ∪ P ) → S. For all s ∈ S and υ P ∈ Υ ∪ P , τ P (s, υ P ) = τ (s, υ) for υ ∈ Υ obtained by removing the variables in P from υ P (i.e., υ = \P υ P ). Moreover, the proof technique modifies the specification so that the original property only needs to be satisfied if the prediction is actually correct. We obtain the modified specification ∀π∃π .(p π ↔ a π ) → ( a π ↔ a π ) in our example. The following theorem describes the general technique for one prophecy variable.
Theorem 5 (Model checking with Prophecy Variables). For a transition system S and a quantifier-free formula ϕ, let ψ be a quantifier-free formula over the universally quantified trace variables π 1 , π 2 . . . π n and let p be a fresh atomic proposition. It holds that S ∀π 1 ∀π 2 . . . ∀π n . ∃π 1 ∃π 2 . . . ∃π m . ϕ if, and only if, Note that ψ is restricted to refer only to universally quantified trace variables. Without this restriction, the method would not be sound. In our example, ψ = a π would lead to the modified formula ∀π∃π .(p π ↔ a π ) → ( a π ↔ a π ), which could be satisfied with the strategy that assigns a π to true iff p π is false, and thus falsifies the assumption that the prediction is correct, rather than ensuring that the original formula is true.
Proof. It is easy to see that the original specification implies the modified specification, since the original formula is the conclusion of the implication. Assume that the modified specification holds. Since the prophecy variable p is a fresh atomic proposition, and ψ does not refer to the existentially chosen traces, we can, for every choice of the universally quantified traces, always choose the value of p such that it guesses correctly, i.e., that p is true whenever ψ holds. In this case, the conclusion and therefore the original specification must be true.
Unfortunately, prophecy variables do not provide a complete proof technique. Consider a system allowing arbitrary sequences of a and b and this specification: ∧ (a π → (a π W (b π ∧ ¬a π ))) ∧ (¬a π → (a π W (¬b π ∧ ¬a π ))) Intuitively, π has to be able to predict whether π will stop outputting a at an even or odd position of the trace. There is no HyperLTL formula to be used as ψ in Theorem 5, because, like LTL, HyperLTL can only express noncounting properties. It is worth noting that in our practical experiments, the incompleteness was never a problem. In many cases, it is not even necessary to add prophecy variables at all. The presented proof technique is, thus, practically useful despite this incompleteness result.

Model Checking with Synthesized Strategies
We now extend the model checking approach with the automatic synthesis of the strategies for the existential quantifiers. For a given HyperLTL formula of the form ∀ n ∃ m ϕ and a transition system S, we search for a transition system S ∃ = X, x 0 , µ, l ∃ , where X is a set of states, x 0 ∈ X is the designated initial state, µ : X ×Υ n → X is the transition function, and l ∃ : X → Υ m is the labeling function, such that S n × (S m || S ∃ ) zip(ϕ). (Since for formulas of the form ∃ m ∀ n ϕ the problem only differs in the input of S ∃ , we focus on ∀∃ HyperLTL.) Theorem 6. The strategy realizability problem for ∀ * ∃ * formulas is 2ExpTimecomplete.
Proof (Sketch). We reduce the strategy synthesis problem to the problem of synthesizing a distributed reactive system with a single black-box process. This problem is decidable [19] and can be solved in 2ExpTime. The lower bound follows from the LTL realizability problem [30].
The decidability result implies that there is an upper bound on the size of S ∃ that is doubly exponential in ϕ. Thus, the bounded synthesis approach [20] can be used to search for increasingly larger implementations, until a solution is found or the maximal bound is reached, yielding an efficient decision procedure for the strategy synthesis problem. In the following, we describe this approach in detail.
Bounded Synthesis of Strategies. We transform the synthesis problem into an SMT constraint satisfaction problem, where we leave the representation of strategies uninterpreted and challenge the solver to provide an interpretation. Given a HyperLTL formula ∀ n ∃ m ϕ where ϕ is quantifier-free, the model checking is based on the product of the n-fold self composition of the transition system S, the m-fold self-composition of S where the strategy S ∃ controls the inputs, and the universal co-Büchi automaton A ϕ representing the language L(ϕ) of ϕ.
For a quantifier-free HyperLTL formula ϕ, we construct the universal co-Büchi automaton A ϕ such that L(A ϕ ) is the set of words w such that unzip(w) ϕ, i.e., the tuple of traces satisfies ϕ. We get this automaton by dualizing the non-deterministic Büchi automaton for ¬ψ [6], i.e., changing the branching from non-deterministic to universal and the acceptance condition from Büchi to co-Büchi. Hence, S satisfies a universal HyperLTL formula ∀π 1 . . . ∀π n . ϕ if the traces generated by the self-composition S n are a subset of L(A ϕ ).
In more detail, the algorithm searches for a transition system S ∃ = X, x 0 , µ, l ∃ such that the run graph of S n , S m || S ∃ , and A ϕ , written S n × (S m || S ∃ ) × A ϕ , is accepting. Formally, given a Γ -labeled Υ -transition system S = S, s 0 , τ, l and a universal co-Büchi automaton A ϕ = Q, q 0 , δ, F , where δ : Q × Υ n+m × Γ n+m → 2 Q , the run graph S n × (S m || S ∃ ) × A ϕ is the directed graph (V, E), with the set of vertices V = S n × S m × X × Q, initial vertex v init = ((s 0 , . . . , s 0 ), (s 0 , . . . , s 0 ), x 0 , q 0 ) and the edge relation E ⊆ V × V satisfying ((s n , s m , x, q), (s n , s m , x , q )) ∈ E if, and only if Theorem 7. Given S, S ∃ , and a HyperLTL formula ∀ n ∃ m ϕ where ϕ is quantifier-free. Let A ϕ be the universal co-Büchi automaton for ϕ. If the run graph S n × (S m || S ∃ ) × A ϕ is accepting, then S ∀ n ∃ m ϕ.
Proof. Follows from Theorem 4 and the fact that A ϕ represents L(ϕ).
The acceptance of a run graph is witnessed by an annotation λ : V → N∪{⊥} which is a function mapping every reachable vertex v ∈ V in the run graph to a natural number λ(v), i.e., λ(v) = ⊥. Intuitively, λ(v) returns the number of visits to rejecting states on any path from the initial vertex v init to v. If we can bound this number for every reachable vertex, the annotation is valid and the run graph is accepting. Formally, an annotation λ is valid, if (1) the initial state is reachable (λ(v init ) = ⊥) and (2) for every ( Such an annotation exists if, and only if, the run graph is accepting [20].
We encode the search for S ∃ and the annotation λ as an SMT constraint system. Therefore, we use uninterpreted function symbols to encode S ∃ and λ.
A transition system S is represented in the constraint system by two functions, the transition function τ : S × Υ → S and the labeling function l : S → Γ . The annotation is split into two parts, a reachability constraint λ B : V → B indicating whether a state in the run graph is reachable and a counter λ # : V → N that maps every reachable vertex v to the maximal number of rejecting states λ # (v) visited by any path from the initial vertex to v. The resulting constraint asserts that there is a transition system S ∃ with an accepting run graph. Note, that the functions representing the system S (τ : S × Υ → S and l : S → Γ ) are given, that is, they are interpreted.
where is > if q ∈ F and ≥ otherwise. The bounded synthesis algorithm increases the bound of the strategy S ∃ until either the constraints system becomes satisfiable, or a given upper bound is reached. In the case the constraint system is satisfiable, we can extract interpretations for the functions µ and l ∃ using a solver that is able to produce models. These functions then represent the synthesized transition system S ∃ . Corollary 2. Given S and a HyperLTL formula ∀ * ∃ * ϕ where ϕ is quantifierfree. If the constraint system is satisfiable for some bound on the size of S ∃ then S ∀ * ∃ * ϕ.
Proof. Follows immediately by Theorem 7.
As the decision problem is decidable, we know that there is an upper bound on the size of a realizing S ∃ and, thus, the bounded synthesis approach is a decision procedure for the strategy realizability problem.
Proof. The existence of such an upper bound follows from Theorem 6.
Approximating Prophecy. We introduce a new parameter to the strategy synthesis problem to approximate the information about the future that can be captured using prophecy variables. This bound represents a constant lookahead into future choices made by the environment. In other words, for a given k ≥ 0, the strategy S ∃ is allowed to depend on choices of the ∀-player in the next k steps. While constant lookahead is only an approximation of infinite clairvoyance, it suffices for many practical situations as shown by prior case studies [9,18].
We present a solution to synthesizing transition systems with constant lookahead for k ≥ 0 using bounded synthesis. To simplify the presentation, we present the stand-alone problem with respect to a specification given as a universal co-Büchi automaton. The integration into the constraint system for the ∀ * ∃ * HyperLTL synthesis as presented in the previous section is then straightforward. First, we present an extension to the transition system model that incorporates the notion of constant lookahead. The idea of this extension is to replace the initial state s 0 by a function init : Υ k → S that maps input sequences of length k to some state. Thus, the transition system observes the first k inputs, chooses some initial state based on those inputs, and then progresses with the same pace as the input sequence. Next, we define the run graph of such a system S k = S, init, τ, l and an automaton A = Q, q 0 , δ, F , where δ : Q × Υ × Γ → Q, as the directed graph (V, E) with the set of vertices V = S × Q × Υ k , the initial vertices (s, q 0 , υ) ∈ V such that s = init(υ) for every υ ∈ Υ k , and the edge relation E ⊆ V × V satisfying ((s, q, υ 1 υ 2 · · · υ k ), (s , q , υ 1 υ 2 · · · υ k )) ∈ E if, and only if Lemma 1. Given a universal co-Büchi automaton A and a k-lookahead transition system S k . S k A if, and only if, the run graph S k × A is accepting.
Finally, synthesis amounts to solving the following constraint system: Corollary 4. Given some k ≥ 0, if the constraint system is satisfiable for some bound on the size of S k then S k A.

Synthesis with Quantifier Alternations
We now build on the introduced techniques to solve the synthesis problem for HyperLTL with quantifier alternation, that is, we search for implementations that satisfy the given properties. In previous work [13], the synthesis problem for ∃ * ∀ * HyperLTL was solved by a reduction to the distributed synthesis problem. We present an alternative synthesis procedure that (1) introduces the necessary concepts for the synthesis of the ∀ * ∃ * fragment and that (2) strictly decomposes the choice of the existential trace quantifier from the implementation.
Fix a formula of the form ∃ m ∀ n ϕ. We again reduce the verification problem to the problem of determining whether a run graph is accepting. As the existential quantifiers do not depend on the universal ones, there is no future dependency and thus no need for prophecy variables or bounded lookahead. Formally, S ∃ is a tuple X, x 0 , µ, l ∃ such that X is a set of states, x 0 ∈ X is the designated initial state, µ : X → X is the transition function, and l ∃ : X → Υ m is the labeling function. S ∃ produces infinite sequences of (Υ m ) ω , without having any knowledge about the behavior of the universally quantified traces. The run graph is then (S m || S ∃ )×S n ×A ϕ . The constraint system is built analogously to Sec. 3.2, with the difference that the representation of the system S is now also uninterpreted. In the resulting SMT constraint system, we have two bounds, one for the size of the implementation S and one for the size of S ∃ .
The synthesis problem for formulas in the ∀ * ∃ * HyperLTL fragment uses the same reduction to a constraint system as the strategy synthesis in Sec. 3.2, with the only difference that the transition system S itself is uninterpreted. In the resulting SMT constraint systems, we have three bounds, the size of the implementation S, the size of the strategy S ∃ , and the lookahead k. Corollary 6. Given a HyperLTL formula ∀ n ∃ m ϕ where ϕ is quantifier-free. ∀ n ∃ m ϕ is realizable if the SMT constraint system corresponding to the run graph S n × (S m || S ∃ ) × A ϕ is satisfiable for some bounds on S, S ∃ , and lookahead k.

Implementations and Experimental Evaluation
We have integrated the model checking technique with a manually provided strategy into the HyperLTL hardware model checker MCHyper 3 . For the synthesis of strategies and reactive systems from hyperproperties, we have developed a separate bounded synthesis tool based on SMT-solving. In the following, we describe these implementations and report on experimental results. All experiments ran on a machine with dual-core Core i7, 3.3 GHz, and 16 GB memory.
Hardware Model Checking with Given Strategies. We have extended the model checker MCHyper [18] from the alternation-free fragment to formulas with one quantifier alternation. The input to MCHyper is a circuit description as an And-Inverter-Graph in the Aiger format and a HyperLTL formula. Figure 1a and Figure 1b show the model checking process in MCHyper without and with quantifier alternation, respectively. For formulas with quantifier alternation, the model checker now also accepts a strategy as an additional Aiger circuit C σ . Based on this strategy, MCHyper creates a new circuit where only the inputs of the universal system copies are exposed and the inputs of the existential system copies are determined by the strategy. The new circuit is then model checked as described in [18] with abc [4]. We evaluate our extension of MCHyper on formulas with quantifier alternation based on benchmarks from software doping [9] and symmetry in mutual exclusion algorithms [18]. Both considered problems have previously been analyzed with MCHyper; however, since the properties in both problems require quantifier alternation, we were previously limited to a (manually obtained) approximation of the properties as universal formulas. The correctness of manual approximations is not given but has to be shown separately. By directly model checking the formula with quantifier alternation we know that we are checking the correct formula without needing any additional proof of correctness. Software Doping. D'Argenio et al. [9] examined a clean and a doped version of an emission control program of a car and used the previous version of MCHyper to formally verify approximations of these properties. Robust cleanness is expressed in the one-alternation fragment using two ∀ 2 ∃ 1 HyperLTL formulas (given in Prop. 19 in [9], cf. Sec. 1). In [9], the formulas were strengthened into alternationfree formulas that imply the original properties. Despite the quantifier alternation, Table 1 shows that the new version of MCHyper verifies the precise formulas in roughly the same time as the alternation-free approximations [9] while giving stronger correctness guarantees. Symmetry in Mutual Exclusion Protocols. ∀ * ∃ * HyperLTL allows us to specify symmetry for mutual exclusion protocols. In such protocols, we wish to guarantee that every request is eventually answered, and the grants are mutually exclusive. In our experiments, we used an implementation of the Bakery protocol [25]. Table 1 shows the verification results for the precise ∀ 1 ∃ 1 properties. Comparing these results to the performance on the approximations of the symmetry properties [18], we, again, observe that the verification times are similar. However, we gain the additional correctness guarantees as described above.
Strategy and System Synthesis. For the synthesis of strategies for existential quantifiers and for the synthesis of reactive systems from hyperproperties, we have developed a separate bounded synthesis tool based on SMT-solving with z3 [29]. Our evaluation is based on two benchmark families, the dining cryptographers problem [5] and a simplified version of the symmetry problem in mutual exclusion protocols discussed previously. The results are shown in Table 2. Obviously, synthesis operates at a vastly smaller scale than model checking with given strategies. In the dining cryptographers example, z3 was unable to find an implementation for the full synthesis problem, but could easily synthesize strategies for the existential trace quantifiers when provided with an implementation. With the progress of constraint solver that employ quantification over Boolean functions [31] we expect scalability improvements of our synthesis approach.

Conclusions
We have presented model checking and synthesis techniques for hyperliveness properties expressed as HyperLTL formulas with quantifier alternation. The alternation makes it possible to specify hyperproperties such as generalized noninterference, symmetry, and deniability. Our approach is the first method for the synthesis of reactive systems from HyperLTL formulas with quantifier alternation and the first practical method for the verification of such specifications. The approach is based on a game-theoretic view of existential quantifiers, where the ∃-player reacts to decisions of the ∀-player. The key advantage is that the complementation of the system automaton is avoided (cf. [18]). Instead, a strategy must be found for the ∃-player. Since this can be done either manually or through automatic synthesis, the user of the model checking or synthesis tool has the opportunity to trade some automation for a significant gain in performance.