A Temporal Logic for Asynchronous Hyperproperties

Hyperproperties are properties of computational systems that require more than one trace to evaluate, e.g., many information-flow security and concurrency requirements. Where a trace property defines a set of traces, a hyperproperty defines a set of sets of traces. The temporal logics HyperLTL and HyperCTL* have been proposed to express hyperproperties. However, their semantics are synchronous in the sense that all traces proceed at the same speed and are evaluated at the same position. This precludes the use of these logics to analyze systems whose traces can proceed at different speeds and allow that different traces take stuttering steps independently. To solve this problem in this paper, we propose an asynchronous variant of HyperLTL. On the negative side, we show that the model-checking problem for this variant is undecidable. On the positive side, we identify a decidable fragment which covers a rich set of formulas with practical applications. We also propose two model-checking algorithms that reduce our problem to the HyperLTL model-checking problem in the synchronous semantics.


Introduction
Hyperproperties [7] extend the conventional notion of trace properties [1] from a set of traces to a set of sets of traces.In other words, a hyperproperty stipulates a system property and not the property of just individual traces.Many interesting requirements in computing systems are hyperproperties and cannot be expressed by trace properties.Examples include (1) a wide range of information-flow security policies such as noninterference [13] and observational determinism [27], (2) sensitivity and robustness requirements in cyber-physical systems [26], and (3) consistency conditions such as linearizability in concurrent data structures [4].
HyperLTL [6] is a temporal logic for hyperproperties that enriches LTL with quantifiers allowing explicit and simultaneous quantification over multiple execution traces.For example, the observational determinism security policy [27] int l = 0; if ( h = 0) l := l + 1; else l := 1;  stipulates that any two executions that start in two low-equivalent states (i.e., states whose value of publicly observable variables are the same), should remain in low-equivalent states.This property can be expressed in HyperLTL as the following formula, called ϕ OD , ∀π.∀π .(lπ ↔ l π ) → (l π ↔ l π ).However, the semantics of HyperLTL (and other formal languages for hyperproperties) is synchronous, meaning that they completely abstract away the notion of time passage.In HyperLTL, all traces proceed at the same speed, as all temporal operators move the position on all traces simultaneously.Consider the program P 1 in Fig 1, where input values 0 and 1 are possible for high-secret variable h.This renders two possible traces shown in Fig. 4a that satisfy ϕ OD .
The synchronous semantics of HyperLTL has a shortcoming which has practical implications as well: formulas are not invariant under stuttering.Note that, contrary to LTL, disallowing the use of does not make the formula invariant under stuttering different, as traces can still stutter independently.This limits the scope of application of HyperLTL to only those settings where different traces can be perfectly aligned.For example, consider program P 2 in Fig. 2, where line 4 in P 1 is refined to its intermediate code using a register that stores the value l + 1 and then stores this value in memory location l in lines 4 and 5 , respectively.Applying the synchronous semantics of HyperLTL results in declaring a violation of ϕ OD in the second position.This, however, is not an accurate interpretation of ϕ OD (assuming that an attacker only has access to the memory footprint and not the CPU registers or a timing channel), as the two traces are stutter equivalent with respect to the state of variable l.In fact, the synchronous semantics of HyperLTL may incorrectly identify good programs as bad because it ignores the notion of relative time between traces.This problem is generally amplified in Kripke structures where self-loops correspond to non-deterministic choices that model that the system may remain in a state for some arbitrary time.For instance, consider K in Fig. 3 and HyperLTL formula ∀π.∀π .((bπ ↔ b π ) U (a π ↔ a π )).Only pairs of traces that take the self-loop the same number of times satisfy this formula.However, since the goal of employing a self-loop is typically to make the duration of staying in a state irrelevant, this semantics is too restrictive.
Besides HyperLTL, other logics have been proposed that allow trace quantification, for example, H µ [14], which adds trace quantifiers to the polyadic µ-calculus [2].For H µ , the model-checking problem is in general undecidable, but two fragments, the k-synchronous, k-context bounded fragments, have been identified for which model checking remains decidable [14].It is not known,   however, if any of the commonly used hyperproperties, like observational determinism, noninterference, or linearizability, can be encoded in these fragments.
In this paper, we propose an asynchronous temporal logic for hyperproperties.Our main motivation is to be able to reason about execution traces according to the relative order of the sequences of actions in each trace but not about the duration of each action.Software is inherently asynchronous, and so is hardware in many cases if one abstracts the execution platform or many features of the execution platform like pipelines, caches, memory contention, etc.We call our temporal logic Asynchronous HyperLTL or in short, A-HLTL.The key addition is the notion of trajectory that controls the relative speed at which traces progress by chosing at each instant which traces move and which traces stutter.For example, the trajectory shown in Fig. 4c for the two traces of the program in Fig. 2 allows the lower trace to stutter in the first position while the upper trace advances.On the contrary, in the third position, the upper trace stutters while the lower trace moves from the second to the third position.This trajectory enables identification of stutter equivalence of the two traces with respect to state variable l and, hence, successful verification of observational determinism.In order to reflect the notion of trajectories in our logic, we lift the syntax of HyperLTL by allowing a trajectory modality.This way, the corresponding formula for observational determinism in A-HLTL is the following: where E denotes the existence of a trajectory for temporal operator .The A-HLTL formula for the Kripke structure in Fig. 3 A-HLTL allows us to reason about relational properties between two different systems that differ on timing, like for example, translation validation [21], which relates executions of the target code with the source code with respect to a (trace or hyper) property.
We show an encoding of the PCP problem into model-checking a formula of the shape ∀π.∀π .E.(ψ 1 (π, π )∧ ψ 2 (π, π )), which implies that model-checking A-HLTL is undecidable, even for the universal fragment.On the positive side, we show two decidable fragments of A-HLTL.The first algorithm is based on a stuttering construction in which we modify the Kripke structure to accept all stuttering expansions of the original paths.This algorithm can handle fragment ∀π 1 . . .π n .E.ψ, where the ψ is a phase formula, a class of safety formulas that appear in many hyperproperties and are the building block of expressing trace equivalence.Our second algorithm uses an acceleration construction to convert a finite sequence of transitions that do not change phase, into a single transition.This algorithm is able to handle formulas with arbitrary quantification but a simpler kind of phase formulas.A-HLTL is, thus, the first logic for hyperproperties that can express the major asynchronous hyperproperties of interest within decidable fragments.Moreover, A-HLTL is the first logic for asynchronous hyperproperties with a practical model checking algorithm.Both algorithms use internally HyperLTL model-checking as a building block.However, the reduction from A-HLTL model-checking into HyperLTL requires modifying both the formula and the model in a highly non-trivial way, to encode the exitence of trajectories.The choice of using HyperLTL model-checking as a building block is based on the existence of tools, but it does not imply that asynchronous properties of interest can be expressed in HyperLTL directly.
We have evaluated the stuttering construction on two sets of cases studies: a range of compiler optimizations and an SPI bus protocol.In both case studies, we were able to prove system correctness using our reduction from A-HLTL to synchronous HyperLTL.
Organization.The rest of the paper is structured as follows.Section 2 contains the preliminaries, and Section 3 introduces A-HLTL and presents examples of properties expressible in A-HLTL.Sections 4 describes the decidable fragments and present procedures for the model-checking problem.Section 5 shows that the model-checking problem for general A-HLTL formulas is undecidable and present the lower-bound complexity.Experimental results are presented in Section 6.Finally, Section 7 discusses the related work, while Section 8 concludes.Detailed proofs appear in the appendix.

Preliminaries
Let AP be a set of atomic propositions and Σ = 2 AP be the alphabet, where we call each element of Σ a letter.A trace is an infinite sequence σ = a 0 a 1 • • • of letters from Σ.We denote the set of all infinite traces by Σ ω .We use σ(i) for a i and σ i for the suffix a i a i+1 • • • .A pointed trace is a pair (σ, p), where p ∈ N 0 is a natural number (called the pointer).Pointed traces allow to traverse a trace by moving the pointer.Given a pointed trace (σ, p) and n > 0, we use (σ, p) + n as a short for (σ, p + n).We denote the set of all pointed traces by Two pointed traces (σ, p) and (σ , p ) are stuttering equivalent if there are two infinite sequences of indices p = i 0 < i 1 . . .and p = j 0 < j 1 . . .such that for all k ≥ 0 and for all l ∈ [i k , i k+1 ) and l ∈ [j k , j k+1 ), σ(l) = σ (l ).A pointed trace (σ , p ) is a stuttering expansion of (σ, p) if there is a sequence p = j 0 < j 1 < . . .such that for all k ≥ 0 and for all l ∈ [j k , j k+1 ), σ(p + k) = σ (l).We say that σ is stuttering equivalent to σ if (σ, 0) is stuttering equivalent to (σ , 0), and that σ is a stuttering expansion of σ if (σ , 0) is a stuttering expansion of (σ, 0).
A Kripke structure is a tuple K = S, S init , δ, L , where S is a set of states, S init ⊆ S is the set of initial states, δ ⊆ S × S is a transition relation, and L : S → Σ is a labeling function on the states of K. We require that for each s ∈ S, there exists s ∈ S, such that (s, s ) ∈ δ.
A path of a Kripke structure is an infinite sequence of states s(0)s(1) • • • ∈ S ω , such that s(0) ∈ S init and (s(i), s(i + 1)) ∈ δ, for all i ≥ 0. A trace of a Kripke structure is a trace σ(0)σ(1)σ(2) • • • ∈ Σ ω , such that there exists a path s(0)s(1) • • • ∈ S ω with σ(i) = L(s(i)) for all i ≥ 0. Abusing notation we use σ = L(ρ) to denote that σ is the trace corresponding to path ρ.We denote by Traces(K, s) the set of all traces of K with paths that start in state s ∈ S, We denote by Traces(K, A) the set of all traces that start from some state in A ⊆ S and Traces(K) as a short for Traces(K, S init ).
HyperLTL.HyperLTL [6] is a temporal logic that extends LTL [18,20] for hyperproperties, which allows reasoning about multiple execution traces simultaneously.The syntax of HyperLTL is: where π is a trace variable from an infinite supply of trace variables.The intended meaning of a π is that proposition a ∈ Σ holds in the current time in trace π.Trace quantifiers ∃π and ∀π allow reasoning simultaneously about different traces of the computation.Atomic predicates a π refer to a single trace π.Given a HyperLTL formula ϕ, we use Vars(ϕ) for the set of trace variables quantified in ϕ.A formula ϕ is well-formed if for all atoms a π in ϕ, π is quantified in ϕ (i.e., π ∈ Vars(ϕ)) and if no trace variable is quantified twice in ϕ.Given a set of traces T , the semantics of a HyperLTL formula ϕ is defined in terms of trace assignments, which is a (partial) map from trace variables to indexed traces Π : Vars(ϕ) PTR.The trace assignment with empty domain is denoted by Π ∅ .We use Dom(Π) for the subset of Vars(ϕ) for which Π is defined.Given a trace assignment Π, a trace variable π, a trace σ and a pointer p, we denote by Π[π → (σ, p)] the assignment that coincides with Π for every trace variable except for π, which is mapped to (σ, p).Also, we use Π + n to denote the trace assignment Π such that Π (π) = Π(π) + n for all π ∈ Dom(Π) = Dom(Π ).The semantics of HyperLTL is: and for all 0 ≤ i < j,(Π + i) |= ψ 1 Note that quantifiers assign traces to trace variables and set the pointer to the initial position 0. We say that a set of traces T is a model of a HyperLTL formula ϕ, denoted T |= ϕ whenever Π ∅ |= T ϕ.A Kripke structure K is a model of a HyperLTL formula ϕ, denoted by K |= ϕ, whenever Traces(K) |= ϕ.

Asynchronous HyperLTL
We introduce a temporal logic A-HLTL as an extension of HyperLTL to express asynchronous hyperproperties.
Trajectories.To model the asynchronous passage of time, we now introduce the notion of a trajectory, which chooses when traces move and when they stutter.Let V be a set of trace variables and let I ⊆ V.The I-successor of a trace assignment Π, denoted by Π + I, is the trace assignment Π such that Π (π) = Π(π) + 1 if π ∈ I and Π (π) = Π(π) otherwise.That is, the pointers of indices in I advance by one step, while the others remain the same.A trajectory t : t(0)t(1)t(2) • • • for a formula ϕ is an infinite sequence of non-empty subsets of Vars(ϕ).Essentially, in each step of the trajectory one or more of the traces make progress.A trajectory is fair for a trace variable π ∈ Vars(ϕ) if there are infinitely many positions j such that π ∈ t(j).A trajectory is fair it is fair for all trace variables in Vars(ϕ).Given a trajectory t, by t i , we mean the suffix t(i)t(i + 1) • • • .Furthermore, for a set of trace variables V, we use TRJ V for set of all trajectories for indices from V.

Syntax and Semantics of Asynchronous HyperLTL
The syntax of Asynchornous HyperLTL is: where a ∈ AP, π is a trace variable from an infinite supply V of trace variables, E is the existential trajectory modality and A is the universal trajectory modality.The intended meaning of E is that there is a trajectory that gives an intenrpretation of the relative passage of time between the traces for which the temporal formula that relates the traces is satisfied.Dualy, A means that for all trajectories, the resulting alignment makes the inner formula true.It is important to note that there is no nesting of trajectory modalities and that all temporal operators in a formula are interpreted with respect to a single modality.We use the usual syntactic sugar for Boolean operators true As before, we use trace assignments for the semantics of A-HLTL.Given (Π, t) where Π is a trace assignment and t a trajectory, we use (Π, t) + 1 for the successor of (Π, t) defined as (Π , t ) where t = t 1 , and Π (π) = Π(π) + 1 if π ∈ t(0) and Π (π) = Π(π) otherwise.We use (Π, t) + k as the k-th successor of (Π, t).
The satisfaction of an asynchronous HyperLTL formula ϕ over a trace assignment Π and a set of traces T , denoted by Π |= T ϕ is defined as follows: for some i ≥ 0 : (Π, t) + i |= ψ 2 and for all j < i : (Π, t) We say that a set T of traces satisfies a closed sentence ϕ, denoted by We say that a Kripke structure K satisfies an A-HLTL formula ϕ (and write K |= ϕ) if and only if we have Traces(K, S init ) |= ϕ.

Examples of A-HLTL
We illustrate the expressive power of A-HLTL by introducing the asynchronous version of well-known properties.
Linearizability [15] requires that any history of execution of a concurrent data structure (i.e., sequence of invocation and response by different threads) matches some sequential order of invocations and responses: where history denotes method invocations (and not the actual execution of the internal instructions of the concurrent library) by the different threads and the response observed, trace π ranges over the concurrent data structure and π ranges over its sequential counterpart.
Goguen and Meseguer's noninterference (GMNI) [13] stipulates that, for all traces, the low-observable output must not change when all high inputs are removed: where λ π expresses that all of the high inputs in the current state of π have dummy value λ, and denotes low-observable output proposition.
Not never terminates [17] requires that for every initial state, there is a terminating trace and a non-terminating trace: Termination-insensitive noninterference [24] requires that for two executions that start from a low-observable states, information leaks are permitted if they are transmitted purely by the program's termination behavior.That is, the program may diverge on some high inputs and terminate on others: Termination-sensitive noninterference [3] Termination-sensitive noninterference is the same as termination insensitive, except that it forbids one trace to diverge and the other to terminate: 4 Model-Checking A-HLTL In this section, we show the decidability of the model-checking problem for two classes of A-HLTL formulas using two different algorithms: (1) a stuttering construction in which we modify the Kripke structure K to accept all stuttering expansions of paths in K; and (2) an acceleration construction in which the modified Kripke structure accelerates jumping directly to the synchronization points.In both cases the problem is reduced to model-checking HyperLTL formulas, which is known to be decidable [6,11].We describe each construction separately.

The Stuttering Construction
We consider first A-HLTL formulas of the form ∀π 1 . . .π n .E.ψ.We will then extend our results to the ∃ * fragment, to handle the A trajectory modality and to a larger collection of predicates.The class of temporal formulas ψ that we handle are called admissible formulas, and are defined as the Boolean combination of: 1. any number of state formulas, which may relate propositions p πi of different traces arbitrarily; 2. any number temporal formulas (called monadic temporal formulas), each of which only uses one trace variable and is invariant under stuttering (guaranteed for example by forbidding the use of ), and 3. one phase formula, which is an invariant that can relate different traces in a restricted way (see below).Given an admissible formula ψ, we use ψ ph for its phase formula, and we use ψ[ψ ph ξ] for the formula that results from ψ by replacing ψ ph with ξ.Since ψ ph occurs only once in ψ, we use the fact that ψ ph appears with a single polarity.We present here the construction for positive polarity which is the case in all practical formulas (the case for negative polarity is analogous).
The algorithm has two parts.First, we generate the stuttering Kripke structure K st whose paths are the stuttering expansions of paths in the original Kripke structure K.Then, we modify the admissible formula ψ into ψ sync such that K |= ∀π 1 . . .π n .E.ψ if and only if K st |= ∀π 1 . . .π n .ψsync .We describe each of the concepts separately.
Phase formulas.We first define atomic phase formulas ( p∈P p πi ↔ p πj ) which are characterized by (π i , π j , P ), where P ⊆ AP and π i and π j are two different trace variables.We use color to refer to a valuation of the variables in P .Essentially, an atomic phase formula asserts that all propositions in P coincide in both traces at all points in time, that is, both traces exhibit the same sequence of colors.Since the passage of time proceeds at different speeds in the different traces-according to the trajectory-atomic phase formulas state the traces for π i and π j are sequences of phases of the same color, where corresponding phases may have different lengths.A phase formula is formed from atomic formulas as follows: We use P : {(π 1 i , π 1 j , P 1 ), . . ., (π k i , π k j , P k )} for the collection of predicates and trace variables that characterize a phase formula.
Stuttering Kripke structure.We start from K and create K st that accepts the stuttering expansions of traces in K. First, the alphabet of atomic propositions is enriched with a fresh proposition st, that is AP st = AP∪{st}, to encode whether the state represents a real move or a stuttering move.Given K = S, S init , δ, L , the stuttering Kripke structure is K st = S st , S init , δ st , L st where: -S st = S ∪ {s st | s ∈ S} contains two copies of each state in S, where we use s st to denote the stuttering state that corresponds to s; The construction generates a Kripke structure which is linear in the size of the original Kripke structure.It is easy to see that every stuttering expansion of a path of K has a corresponding path in K st , where the repeated version of state s is captured by state s st .Conversely every path ρ in K st whose trace satisfies ¬st can be turned into its "stuttering compression" by removing all stuttering states, which is a path of K.Note that the constraint ¬st guarantees that there are infinitely many non-stuttering positions in ρ , so ρ is well-defined.This constructions makes a one-to-one correspondence between a trajectory and a tuple of traces of K, with a corresponding tuple of traces of K st .
State and monadic formulas are not affected by trajectories.State formulas are relational formulas that are evaluated at the beginning of the computation.Temporal monadic formulas only refer to one trace variable and are stuttering invariant by definition.Therefore, none of these formulas are affected by the stuttering induced by a trajectory, as the relative stuttering among traces does not affect their truth valuation.We first note that given a trace assigned for each of the trace variables in Vars(ϕ) the truth value of state formulas and monadic formulas does not depend on the trajectory chosen.
Phase alignment of asynchronous sequences.We use the stuttering in K st to encode the relative progress of traces as dictated by a trajectory.We will now introduce synchronous HyperLTL formulas to reason in K st about the corresponding states during the asynchronous evaluation in K.The important concept is that of "phase changes", which are the points in a trace σ at which the valuation of the predicates P in an atomic phase formula (π i , π j , P ) change.Let Π be a trace assignment for traces in K that maps π i to a pointed trace (σ, l).We say that in assignment Π, trace variable π i is about to change phase with respect to (π i , π j , P ) if for some p ∈ P either p ∈ σ(l) but p / ∈ σ(l + 1) or p / ∈ σ(l) but p ∈ σ(l + 1).Note that in K st the next relevant letter (the one corresponding to σ(l + 1) is the first letter that is not a stuttering letter).Formula change P (π i ) captures that the next non-stuttering step of π i is a phase change (with respect to predicates in P and therefore with respect to atomic phase formula α): A phase change for π i in atomic phase formula (π i , π j , P ) implies that π j must also proceed to change phase.The second observation is that when π i and π j are not changing phases, any choice that the trajectory makes will preserve the valuation of the atomic phase formula.
We now capture formally this intuition as formulas.Predicate move(π i ) def = (¬st πi ) indicates whether trace variable π i will move (and not stutter) at a given instant of the computation.The following temporal formula captures the consistency criteria of phase changes as a synchronized decision for moving traces π i and π j related by an atomic phase formula (π i , π j , P ): We will reduce the model-checking problem in A-HLTL to checking in K st that tuples of traces that align phase changes-for all atomic phase formulas-satisfy all sub-formulas of the specification ψ.The following two formulas express that all atomic phase formulas align, and that all traces are fair (all traces eventually move): We will then check in K st that all stuttering traces that align phases and are fair satisfy the desired formula ψ, that is (phase ∧ fair) → ψ.Note that all those tuples of traces that do not align phases are ruled out in the antecedent.
A final technical detail in the construction is that we must guarantee that for all tuples of paths of K there are stuttering expansions that are fair and align phases, and that they have the same number of phases.Otherwise, there are paths of K that cannot be aligned, which inevitably leads to a violation of ψ ph .It could be the case that some tuple of traces of K cannot possibly align the phase changes corresponding to all atomic phase formulas.This can happen in two cases: (1) when two traces have different number of phases, and (2) when there is a circular dependency between the atomic formulas that force the trajectory to synchronize the traces in incompatible orders.The first case is captured by: The second case is captured by the following formula, where cycles(ψ ph ) are the sequences of atomic formulas that form a simple cycle, that is [(π 0 , π 1 , P 0 ), (π 1 , π 2 , P 1 ) . . .(π k , π 0 , P k )] such that the second trace variable is the first trace variable of the next atomic phase formula, circularly (see Ex. 1 below): Essentially, block encodes whether the set of traces involved cannot proceed without violating phase, because align forbids all traces involved to move.Hence, the formula phase U (missalign ∨ block) captures to those traces of K st that contain an aligned prefix of computation that lead to a miss-alignment or a block.The proof of correctness shows that given a tuple of traces of K, if there is a trajectory that aligns the phase changes (which must exist if there is a trajectory that makes ψ ph true), then all trajectories that respect phase will also align the phase changes (and also satisfy ψ ph ).
We are finally ready to describe the synchronous phase formula ψ sync .First, this formula is only evaluated against tuples of fair traces, which correspond to the stuttering extensions of paths of K.Then, the phase formula ψ ph is translated into a formula that captures (1) that following a phase alignment cannot lead to a block or to two traces changing phases a different number of times, and (2) that if phases are aligned then ψ ph holds.Formally, where We illustrate the previous definitions with the Kripke structures K 1 , K 2 and K 3 in Fig. 5 and their stuttering variants K st 1 , K st 2 and K st 3 Consider formula ∀π 1 .∀π 2 .E.(a π1 ↔ a π2 ).Consider the following trace assignments: Consider the trace assignment Π 1 on the left, where π 1 is a trace of K st 1 corresponding to the path of K 1 that visits s 1 , and π 2 corresponds to the path that visits s 2 .This trace assignment aligns the atomic phase formula (π 1 , π 2 , {a}) at all positions.In particular, at position 0, we have change {a} (π 1 ), but ¬change {a} (π 2 ), and ¬move(π 1 ) and move(π 2 ), as align {a} requires.
We are now ready to state the main result of this section.The proof of Theorem 2 takes a witness tuple and trajectory in K and shows that the induced tuple in K st is fair, satisfies phase and that the valuation of ψ ph is preserved.Similarly, as before, tuples of traces of K st that are fair and follow phase alignments induce a trajectory on their stuttering compression that also preserve ψ ph .
We finally consider the negation of phase formulas, called co-phase formulas, which are formulas of the form ¬R where R a conjunction of atomic phase formulas.Interestingly, deciding co-admissible formulas (consisting of Boolean combinations of state-formulas, monadic temporal formulas and one co-phase formula in positive polarity) is easier than before, as one can turn the cophase formula into a monadic formula enumerating all the violations of the atomic phase formulas (p ∈ P such that p πi ↔ p πj ) turns the atomic phase formula into ( p πi ∧ ¬p πj ∨ ( ¬p πi ∧ p πj .It follows that modelchecking co-admissible formulas is also decidable (for both ∀ * and ∃ * ).Note that an admissible formula in negative polarity is a co-admissible formula in positive polarity (and vice versa).Finally, since K |= ∀π 1 . . .∀π n .A.ψ if and only if K |= ∃π 1 . . .∃π n .E.¬ψ, it follows that model-checking is also decidable for the A modality for both admissible and co-admissible formulas (in both polarities), and for both the ∀ * and ∃ * fragments.Theorem 3. Model-checking ∀ * or ∃ * admissible and co-admissible formulas is decidable both for formulas with E and formulas with A.

The Accelerating Construction
The admissible formula in the stuttering construction can express many formulas of interest, but the quantifier structure admits no quantifier alternation.We now consider a second decidable fragment for A-HLTL formulas consisting of formulas with arbitrary quantification where ψ is an admissible formula where all atomic phase formulas use the same atomic predicates P ⊆ AP.We call these admissible formulas simple admissible formulas.The proof of decidability proceeds this time by creating the accelerated Kripke structure K acc , where paths jump in one step to the next phase change, and reducing to a HyperLTL model-checking problem on K acc .Accelerated Kripke structure.The main idea of the acceleration construction is to convert a finite sequence of transitions in K that only change phase in the last transition into a single transition in K acc .Also, an infinite sequence of transitions with no phase change is transformed into a self-loop around a sink state.The alphabet remains the same, AP.Given K = S, S init , δ, L , the accelerated Kripke structure is K acc = S acc , S init , δ acc , L acc where: -S acc = S ∪ {s ⊥ | s ∈ S} contains two copies of each state in S, where we use s ⊥ to denote the sink state associated with s.We use color(s) for the phase of s, that is, the concrete valuation in s of the Boolean predicates in P of the atomic phase formula.-For every states s, s ∈ S such that color(s) = color(s ), if there is a finite path ss 2 s 3 . . .
then we add a transition (s, s ) to δ acc .These transitions model the jump at the frontier of phase changes.Additionally, if s can be a sink we add a transition (s, s ⊥ ) and a self-loop from s ⊥ to itself.-L acc (s) = L(s) for s ∈ S, and L acc (s ⊥ ) = L(s).
This construction can, with standard techniques, be enriched to encode the satisfaction of the temporal monadic formulas along paths of K, and then also accelerate the fairness conditions (annotating the accepting states reached along the accelerated paths) into K acc .
Relating paths to accelerated paths.We now define two auxiliary functions to aid in the proof.
-The first function, acc, maps paths in K into paths in K acc .Let s be an arbitrary state of K and ρ : ss 1 s 2 s 3 . . .an outgoing path from s. Either there are infinitely many phase changes in ρ or only finitely many changes.We create the path ρ = acc(ρ) as follows.The initial state of ρ, that is, s, is preserved.The states s ij in σ that are color changes (that is color(s ij −1 ) = color(s ij ) are also preserved, while the states s k with color(s k−1 ) = color(s k ) are removed from ρ.If there are only finitely many color changes in ρ, with r being the last state preserved, then we pad the path with r ω ⊥ , so ρ is also an infinite path.It is easy to see that ρ is a path of K acc outgoing s.It is also easy to see that the phase changes in ρ and ρ are the same.
-The second map, dec, takes a path ρ : ss 1 s 2 . . . of K acc and maps it to a path of K as follows.For every transition (s i , s i+1 ) in ρ such that s i+1 is not of the form r ⊥ , there is a finite path r 1 r 2 . . .r m in K from s i into s i+1 that visits only states with the same color as s i , except s i+1 that is a color change.In ρ, we insert r 1 r 2 . . .r m between s i and s i+1 .Now, if for some j, s j is of the form r ⊥ then s k = r ⊥ for all k > j.In K there must an infinite path from s j that only visits the same color as s j .We remove all successor states after the first such r ⊥ state and replace it with one such infinite path.
The main result for the accelerating construction follows immediately from this observation and allows to reduce the model-checking problem to HyperLTL.Theorem 4. Let K be an arbitrary Kripke structure,

Decidable Practical A-HLTL formulas
We revisit the properties expressed in Section 3.2.
-Linearizability.The property ϕ LNZ is of the form ∀π.∃π .E.(history π ↔ history π ) where the temporal formula is a simple admissible formula.Therefore ϕ LNZ is decidable by the accelerating construction.-Goguen and Meseguer's non-interference.The property ϕ GMNI is expressed by ∀π.∃π .E.(λ π ) ∧ (lo π ↔ lo π ), that is, a Boolean combination of a monadic temporal formula and a simple admissible formula.Therefore, ϕ GMNI is decidable by the acceleration algorithm.-Not never terminates.Formula ϕ NNT is simply a Boolean combination of state formulas and monadic temporal formulas: , so it is again decidable by the acceleration construction.-Termination-insensitive noninterference.To handle ϕ TIN we rewrite the formula as follows Note that (l π ∧ term π ) can be turned into a state predicate of π.This formula is equivalent because the last case is evaluates precisely to l π ↔ l π when both traces terminate.This formula can be handled by the stuttering construction.-Termination-sensitive noninterference.Similarly, to handle ϕ TSN we rewrite the formula as This is again equivalent because the last case again is the only relevant case when both paths terminate.Again, this case is covered by the stuttering construction.

Undecidability and Lower-bound Complexity
In this section, we show that the general problem of model-checking A-HLTL is undecidable.Then, we show a polynomial reduction from the synchronous Hy-perLTL model-checking into A-HLTL model-checking, which shows that even for those A-HLTL formulas for which the model-checking is decidable, this problem is no easier than the corresponding problem for HyperLTL, which is known to be PSPACE-hard in the size of the Kripke structure.
Theorem 5. Let K be a Kripke structure and ϕ be an asynchronous HyperLTL formula.The problem of determining whether or not K |= ϕ is undecidable.
Proof (sketch).We reduce the complement of the post correspondence problem (PCP) [22,25] to the A-HLTL model checking problem.PCP consists of a set of dominos, for example, of the form } and the problem is to decide whether there is a sequence of dominos (with possible repetitions), such that the upper and lower finite strings of the dominos are equal.A solution to the above set of dominos is the sequence ].We map a given set of dominos to a Kripke structure that allows arranging the dominos in a sequence (see Fig. 6 for an example), where v and w indicate lower and upper words, respectively, dom i is for each domino [ wi vi ], and proposition lc marks whether or not a new letter is processed.The A-HLTL formula in our reduction is the following such that dom πw The intention of formula ϕ pcp is that the Kripke structure is a model of the formula if and only if the original PCP problem has no solution.Intuitively, formula ϕ type forces trace π w (respectively, π v ) to traverse only the traces labeled by w (respectively, v) to build a w-word (respectively, v-word).Formula ϕ domino establishes that the trajectory aligns the positions at which the domino indices are checked and at last once the index is different.Finally, formula ϕ word captures if π w and π v are aligned to compare the letters, at least one pair of the letters prescribed by the existential trajectory are different.In the detailed proof in the appendix, we show that the constructed Kripke structure satisfies formula ϕ pcp if and only if the answer to deciding PCP is negative.
Theorem 5 above implies that there is no algorithm to decide the modelchecking problem correctly for every formula and every system.However, as we saw in Section 4 for some formulas the model-checking problem is decidable.We now show that in these cases the problem is at least as hard as model-checking HyperLTL, which is known to be PSPACE-hard [6,23].Theorem 6.Given a HyperLTL formula ϕ and a Kripke structure K there is a A-HLTL formula ϕ and a Kripke structure K such that K is linear in the size of K, ϕ is polynomial on the size of ϕ and K |= ϕ if and only if K |= ϕ .
The proof proceeds as follow.Giving K we build a Kripke structure K that alternates between real states in K and synchronization states.Then the formula is transformed to force alternations at every other step, therefore forcing the trajectory to synchronize (see Appendix A.2 for details).Since the model-checking problem for HyperLTL is PSPACE-hard on the size of the Kripke structure, the same follows for A-HLTL.
Corollary 2. For asynchronous HyperLTL formulas, the model checking problem is PSPACE-hard in the size of the system.

Case Studies and Evaluation
We evaluated our algorithm for the ∀ * π E A-HLTL fragment on several examples.After reducing the asynchronous model checking problem to a synchronous one, we use MCHyper [9,10] to check our property.MCHyper is a model checker for synchronous HyperLTL that can handle formulas with up to one quantifier alternation.It computes the self composition of the system and composes it with the formula automaton.ABC [5] is then used as the backend tool checking the reachability of a violation.
Our reduction from the asynchronous to the synchronous semantics follows the stuttering construction described in Section 4.1.To model check a system against an A-HLTL formula, we first add a stuttering input to the system that forces the system to stutter in the current state.The transformed formula ensures that the stuttering guarantees synchronous phase changes.Currently, the transformation stage is only partially automated while the synchronous verification is fully automated.Future work includes the full automation of all steps.We now describe the various case studies4 .All our experiments were performed on a MacBook Pro with a 3.3GHz processor and 16GB of RAM running MacOS 11.1.

Compiler Optimizations
We modeled the source and target programs of different compiler optimization techniques (from [19]) as finite state machines encoded as circuits, and used asynchronous hyperproperties to prove the correspondence between both programs.We analyzed the following optimizations: -Common Branch Factorization (CBF), where expressions occurring in both branches of a conditional are factored out; -Loop Peeling (LP), which consists in unrolling of a loop that is executed at least once; -Dead Branch Elimination (DBE), that is, removing conditional checks and their branches that are unreachable; and -Expression Flatting (EF), which splits complex computations into several explicit steps.Besides evaluating each optimization individually, we also examined several combinations of these optimizations.Each optimization affects the alignment between source and target program, so synchronous hyperproperties fail to recognize the correspondence between both programs.Using asynchronous hyperproperties instead allows us to compensate for this misalignment by stuttering the programs accordingly.Essentially, each optimization is checked against the following A-HLTL formula in which π represents traces from the source program and π traces from the target program: This formula states that for all pairs of traces that initially agree on the inputs from the set I there exists a trajectory that aligns the phase changes of the outputs in set O. We use the stuttering construction and MCHyper to verify that in all cases the source and target programs go through the same phases of possibly different length.The results of this case study are summarized in Table 1(a).We note that A-HLTL model-checking subsumes the approach in [19] based on construction of a buffer automaton to reason about the alignment of executions.1: Verification times and system sizes in number of latches (#ls) and and-gates (#ands) for the case studies.

SPI Bus Protocol
The Serial Peripheral Interface (SPI) is a bus protocol that supports a single main component's communication with multiple secondary components.Each secondary can be selected individually by the main via the secondary's own ss ("secondary select") input signal.If a secondary is enabled (that is, if ¬ss holds as the secondary select is "active low"), it reads the mosi (main out, secondary in) signal and writes to the miso (main in, secondary out) wire.We verify the behavior of a single SPI secondary component that receives an input which it sends to the main component upon request.This behavior should always be the same, independent of when the secondary is enabled or how fast the bus protocol's "serial clock" (sclk ) set by the main component ticks compared to the secondary's internal clock.The A-HLTL formula we check is the following (see observational determinism in Section 1): ensures that for all pairs of traces π and π that agree on the initial configuration, on the input, and additional SPI input assumptions, there is a trajectory that aligns their relevant behavior.We consider it relevant that both secondaries agree on their miso output whenever they are enabled and the sclk is low.Checking miso only when the sclk is low is sufficient as changes on miso only occur at falling edges of the sclk .The SPI input assumptions are required to guarantee the implicit assumptions of the protocol, for example, that the sclk behaves as an infinitely ticking clock.By introducing additional variables and applying logical transformations, we obtain an equivalent formula that syntactically lies in the fragment of the stuttering construction.Again, we reduce this model checking problem to the synchronous semantics and use MCHyper to perform the verification.
In a second experiment, we modified the system to send the value only once and checked it for termination insensitive noninterference SPI-term (see Sections 3.2 and 4.3).In our setup, we use the variable term to flag that the secondary has sent the full value.In the premise of the formula, we require that the input value is equal on both traces and again assume that the inputs conform to the SPI protocol.The conclusion checks if both secondaries have sent the same values by using additional variables that are set together with term.The results of this case study are summarized in Table 1(b).

Related Work
The study of specific hyperproperties, such as noninterference, dates back to the seminal work by Goguen and Meseguer [13] in the 1980s.The first systematic study of hyperproperties is due to Clarkson and Schneider [7].
It is well-known that classic specification languages like LTL cannot express hyperproperties.There are two principal methods with which the standard logics have been extended to express hyperproperties: -The first method is the quantification over variables that identify specific paths or traces.The temporal logics LTL, CTL * have been extended with quantification over traces and paths, resulting in the temporal logics Hyper-LTL and HyperCTL * [6].There are also extensions of the µ-calculus, most recently, the temporal fixpoint calculus H µ [14], which adds path quantifiers to the polyadic µ-calculus [2].-The second method is the addition of the equal-level predicate E to firstorder and second-order logics, like MPL, MSO, FOL, and S1S, which results in the logics FOL [8,12].
HyperCTL * , MPL[E], and MSO[E] are branching-time logics, we therefore focus in the following on the linear-time logics HyperLTL, H µ , FOL[E], and S1S[E].Among these logics, HyperLTL is the only logic for which practical model-checking algorithms are known [9,10,16].For HyperLTL, the algorithms have been implemented in the model checkers MCHyper and bounded model checker HyperQube.As discussed in this paper, HyperLTL is limited to synchronous hyperproperties.
FOL[E] can express a limited form of asynchronous hyperproperties.As shown in [8], FOL[E] is subsumed by HyperLTL with additional quantification over predicates.Using such predicates as "markers," one can relate different positions in different traces.However, only a finite number of such predicates is available in each formula.S1S[E] is known to be strictly more expressive than FOL[E] [8], and conjectured to subsume H µ [14].For S1S[E] and H µ , the model checking problem is in general undecidable; for H µ , two fragments, the ksynchronous, k-context bounded fragments, have been identified for which model checking remains decidable [14].It is not known, however, if any of the commonly used hyperproperties, like observational determinism, noninterference, or linearizability, can be encoded in these fragments.
Like S1S[E] and H µ , asynchronous HyperLTL has an (in general) undecidable model checking problem.However, in this paper we have identified decidable fragments of asynchronous HyperLTL that can express observational determinism, noninterference, and linearizability.A-HLTL is thus the first logic for hyperproperties that can express the major asynchronous hyperproperties of interest within decidable fragments.Furthermore, asynchronous HyperLTL is the first logic for asynchronous hyperproperties with a practical model checking algorithm.

Conclusion
We have introduced A-HLTL, a temporal logic to describe asynchronous hyperproperties.This logic extends HyperLTL with trajectory modalities, which control when a trace proceeds and when it stutters.Synchronous HyperLTL corresponds to a trajectory that always moves all paths in a lock-step manner.This notion of trajectory allows to define formulas that are invariant under stuttering, paving the way for relevant model-checking optimizations such a partial order reduction and abstraction-refinement techniques in the context of hyperproperties.We show that model-checking A-HLTL formulas is in general undecidable, and identify two fragments of A-HLTL formulas, which cover a rich set of security requirements and can be decided by a reduction to HyperLTL model-checking.This in turn has allowed us to the reuse the existing model-checker McHyper.
Future work includes the study of larger decidable fragments (that encompass both fragments studied here), extending the logic allowing several trajectory modalities, as well as their implementation in practical tools.Extending bounded model-checking [16] to A-HLTL is another interesting research problem.Asynchronous hyperproperties are important for applying a logic-based verification approach to verify hyperproperties for software programs, because the relative speed of the execution of programs depends on many factors like the compiler, hardware, execution platform and concurrent running programs, that the analysis must tolerate.Therefore, future work includes adapting techniques for infinite-state software model-checking, like deductive methods, abstraction, etc to verify A-HLTL properties of software systems.

A.1 Undecidability of Asynchronous HyperLTL
We show now the full proof of undecidability of full A-HLTL via reduction from PCP (Theorem 5) Theorem 5. Let K be a Kripke structure and ϕ be an asynchronous HyperLTL formula.The problem of determining whether or not K |= ϕ is undecidable.
Proof.In order to show the undecidability of model-checking A-HLTL, we reduce the complement of the post correspondence problem (PCP), which is a wellknown undecidable problem [22,25], to our model checking problem.The PCP is as follows.Let Σ pcp be an alphabet of size at least two.The input to the decision problem is a collection of dominos of the form: The decision problem consists of checking whether there exists a finite sequence of dominos of the form where each index i j ∈ [1, k], such that the upper and lower finite strings of the dominos are equal, i.e., For some collection of dominos, it is impossible to find a match.An example is the following: We now start from an arbitrary instance } of the PCP and create a Kripke structure K pcp = S, S init , δ, L and an asynchronous HyperLTL formula ϕ pcp (i.e., no solution to PCP), and later show that the PCP instance has no solution if and only if K pcp |= ϕ pcp .To illustrate the construction, we use the following instance of PCP as a running example.The alphabet is Σ pcp = {a, b, c} and the set of dominos [25] is: Kripke structure.We map the PCP instance to K pcp as follows (see Fig. 6 for example): -Atomic propositions: The set AP of atomic propositions include the following: • Two propositions v and w to indicate that a state belongs to a path that builds a v-word in the instance of PCP, or to a path that builds a w-word.• A proposition dom i for each domino from [ wi vi ], where i ∈ [1, k], that indicates the domino that contains a word from v i or w i that has been processed.
• A letter clock proposition lc, which serves the purpose of marking whether or not a new letter is processed.• A proposition end , which serves the purpose of marking the end of sequencing dominos.• A proposition for each letter in the PCP alphabet Σ pcp .Thus, we have: -States and transitions: We include the following states S and transitions δ: • We include a single initial state s init with no labels and an end state s e labeled by {end } with a self-loop (s e , s e ).• For each word we include a path of length 2l that starts and ends in s init , and whose states are only reachable in the given path.More specifically, * For each j ∈ [1, l], we introduce two states s j wi and u j wi .Each state s j wi , where i ∈ [1, k], is labeled by {w, w j i , lc}.This state indicates a new letter in the word w i .Each state u j wi , where j ∈ [1, l), is labeled by {w}.This state does not correspond to a letter and its purpose is to server as separation between two letters within the same word.In this manner, a word is encoded by a sequence of letter/no-letter states.Finally, state u l wi is labeled by {dom i , w}, which is used for synchronizing the end of words w i and v i in domino i. * We add a transition (s j wi , u j wi ) for each j ∈ [1, l] and a transition (u j wi , s j+1 wi ) for each j ∈ [1, l).* We also add transitions (s init , s 1 wi ), (u l wi , s init ).
we include a path in the same way as we did for w i , except that all instances of "w" are replaced by "v".

Asynchronous HyperLTL formula
The formula that will be checked against the Kripke structure is the following: where and The intention of formula ϕ pcp is that the Kripke structure is a model of the formula if and only if the original PCP problem has no solution.Intuitively, formula ϕ type forces trace π w (respectively, π v ) to traverse only the traces labeled by w (respectively, v) to build a w-word (respectively, v-word).When such traces are built (i.e., the left side of the implication), PCP has no solution when at least one of the following conditions hold: either (1) the order of dominos in π w and π v is not legitimate, or (2) the letters do not match.More formally, formula ϕ domino establishes that the trajectory aligns the positions at which the domino indices are checked and at last once the index is different.Finally, formula ϕ word captures if π w and π v are aligned to compare the letters, at least one pair of the letters prescribed by the existential trajectory are different.
We now show that the given PCP instance has no matching if and only if K pcp |= ϕ pcp : -(⇒) Supposed that the PCP instance has no solution.That is, no sequence of the dominos of the form: constructs a matching where w i1 w i1 . . .w im = v i1 v i1 . . .v im .In our running example, the following is a sequence of dominos that does not render a good matching: But the following is a solution to the problem: not satisfy formula ϕ type , then they are representing two words that are actually not viable w and v words.This makes ϕ pcp vacuously true.So, let us consider the case where π w and π v satisfy ϕ type .For example, Fig. 7 shows an instantiation of traces π w and π v with sequence (2) that satisfies ϕ type .Now, we consider two cases: either the words represented by π w and π v do not establish a legitimate sequence of dominos or they do.If they do not, then traces π w and π v satisfy formula ϕ domino and, hence, we have K pcp |= ϕ pcp .Now, consider the case where π w and π v do establish a legitimate sequence of dominos.Since there is no solution to PCP, the words represented by π w and π v cannot match.That means there is at least one pair of letters that do not match, which in turn implies the existence of a trajectory that finds this mistmatch and indeed satifies formula ϕ word .Put it another way, sine there is no solution the to PCP, the sequence that reaches a letter mismatch construct the witness to the existential trajectory quantifier.Fig. 7 shows the trajectory that identifies the mismatched letters in our running example.Therefore, we have K pcp |= ϕ pcp .
-(⇒) Now, suppose we have K pcp |= ϕ pcp .This implies that for any pair of traces π v and π w that represent legitimate w and v words (i.e., where ϕ type holds), there exists a trajectory that satisfies (ϕ domino ∨ ϕ word ).This means that for the chosen pair of traces π v and π w , the existential trajectory has found either illegitimate alignment of dominos, or letters that do not match.In our example, the existential trajectory can be instantiated by the trajectory shown in Fig. 7.Such a witness trajectory shows that for a pair of traces that represent ligitimate w and v words, either they do not establish a legitimate sequence of dominos or not all letters along the words match.Since this holds for any such pair of traces that explore any ordering of w and v words, it means that there is no solution to PCP.
This shows that the K pcp |= ϕ pcp if and only if the PCP instance w v has no solution.Consequently, the model-checking problem for asynchronous HyperLTL is undecidable.

A.2 Lower Bound Complexity
We show now construction of the lower bound complexity using a reduction to HyperLTL model-checking.The main results is Corollary 2 that follows from the following theorem.Theorem 6.Given a HyperLTL formula ϕ and a Kripke structure K there is a A-HLTL formula ϕ and a Kripke structure K such that K is linear in the size of K, ϕ is polynomial on the size of ϕ and K |= ϕ if and only if K |= ϕ Proof.We reduce the HyperLTL model-checking problem, which is known to be PSPACE-hard to asynchronous HyperLTL model-checking.
Consider an instance of the HyperLTL model-checking problem consist of a Kripke structure K = S, S init , δ, L and a HyperLTL formula of the form: where each Q i ∈ {∀, ∃} is a trace quantifier (i ∈ [1, n]).We map this instance to asynchronous HyperLTL model-checking problem as follows: -Kripke structure.We now transform K into another Kripke structure K = S , s init , δ , L as follows: • First, we set the set of atomic propositions as AP ∪ {sync}.
• For each transition (s 0 , s 1 ) ∈ δ, we introduce a new state u (s0,s1) labeled only by proposition sync.That is: The set of labels of states in S remains unchanged.• We replace transition (s 0 , s 1 ) by two transitions (s 0 , u (s0,s1) ) and (u (s0,s1) , s 1 ): That is, δ = {(s 0 , u (s0,s1) ), (u (s0,s1) , s 1 ) | (s 0 , s 1 ) ∈ δ}.-Formula.We first map subformulas of ψ using the following g function: Intuitively, function g ensures that (1) state formulas are evaluated in the same fashion as in HyperLTL semantics (2) the next operator is evaluated within two steps (instead of one) due to the existence of intermediate sync states, and (3) both sides of the until operator are only evaluated over sync states.The asynchronous HyperLTL formula will be the following: Intuitively, formula ψ sync enforces the synchronous semantics.That is, each step of trajectory τ alternates between all sync and all ¬sync states across all traces.Formula ψ map ensures that all subformulas of the given HyperLTL formula are evaluated only in sync states across all traces.We now show that K |= ϕ if and only if K |= ϕ : -(⇒) Suppose that K |= ϕ holds.To show that K |= ϕ , we instantiate all existential trace quantifiers in ϕ as we do for K to satisfy ϕ (except that traces in Traces(K , s init ) have the additional intermediate sync state in between each two consecutive states of traces of K).Moreover, we instantiate τ in ϕ with a trajectory that advances all traces in all its steps (i.e., identical to the semantics of synchronous HyperLTL).It is straightforward to see that this trajectory satisfies ψ sync , as in each step of the trajectory, sync is alternatively true and false either across all traces or none.We now show that ψ map is also satisfied by structural induction: • If ψ map is a state formula (i.e., an atomic proposition, negation or disjunction), then it is trivially satisfied, as g(ψ) = ψ.• If ψ holds in K, then ψ holds in two steps in τ , as an intermediate sync state is inserted in each transition of δ of K .This implies that τ τ ψ holds in K .• Suppose ψ 1 U ψ 2 holds in K.Then, since there exists some step i ≥ 0 in instantiated traces from Traces(K, s init ) such that ψ 2 holds.This means that in the instantiated traces from Traces(K , s init ), g(ψ 2 ) holds in 2i steps, where sync is false across all traces.This the right side of the until holds in K .Also, for all j ∈ [0, i), in instantiated traces from Traces(K, s init ), ψ 1 holds.This means that in instantiated traces from Traces(K , s init ), g(ψ 1 ) also holds if sync is false in states across all traces.Hence, we have K |= ϕ .-(⇐) Suppose that we have K |= ϕ .To show that K |= ϕ, we instantiate all existential trace quantifiers in ϕ as we do for K to satisfy ϕ (except that in traces of Traces(K, s init ), intermediate u states in between each two consecutive states of traces of K are eliminated).Since, ψ sync holds in ϕ , there exists a trajectory τ which advances all traces in all its steps such that in each step of the trajectory, sync is alternatively true and false either across all traces or none.We now show that ϕ holds in K by structural induction: • If ψ is a state formula (i.e., an atomic proposition, negation or disjunction), then it is trivially satisfied, as ψ = g(ψ).• First, notice that the number of nested next operators in ϕ is always even.If ψ holds in K , then ψ holds in two steps in τ .When the u state is eliminated, ψ will hold in the next state.This implies that ψ holds in K.
• Suppose ψ 1 U ψ 2 holds in K .Then, there exists some step i ≥ 0 in instantiated traces from Traces(K , s init ) such that ψ 2 holds.In this step, sync has to be false states across all traces.This means that in the instantiated traces from Traces(K, s init ), g −1 (ψ 2 ) (obtained by removing the right side of the conjunction when computing g of an until) holds in i/2 steps.Also, ψ 1 holds in all states j ∈ [0, i), in instantiated traces from Traces(K , s init ).This means that in all j ∈ [0, i/2) in the instantiated traces from Traces(K, s init ), g −1 (ψ 1 ) (obtained by removing the left side of the implication when computing g) holds.It is easy to see that the size of K is linear in the size of K and that ϕ is polynomial on the size of ϕ.
Corollary 2. For asynchronous HyperLTL formulas, the model-checking problem is PSPACE-hard in the size of the system.

B.1 The Stuttering Construction
Since there is only one occurrence of ψ ph in ψ we present here the case where the occurrence is with positive polarity as in Section 4. The case for negative polarity is analogous.We will use the fact that ψ ph occurs with positive polarity to spuriously evaluate ψ (the formula that ψ ph gets translated into) into true for those tuples of paths of K st for which the evaluation is not relevant (non-aligned traces).The final verdict will depend on those paths that are aligned.
We first prove some auxiliary lemmas.Proof.The proof proceeds by proving that the valuations of ψ ph at color-changing positions and non color-changing positions coincide for all atomic phase formulas.
-(Π + k) |= missalign.Let π i and π j be the paths that are miss-aligned.This means that in from Π and Π + k, Π (π i ) and Π (π j ) change P -phases the same number of times, and one of them (say π i ) will not change color and the other will.If Π is stuttering equivalent to Π , then Π (π i ) and Π (π j ) will also change a different colors a different number of times, which contradicts that Π |= phase.-(Π + k) |= block.In this case, the cycle implies each trace involved performs at k, a fix-number of color-changes at its k-th position for each of its each two atomic phase formulas, and that the circular constraint is mutually unsatisfiable.IF Π is stuttering equivalent to Π , phase would imply that each trace involved in the cycle will be with the same number of color changes after reaching the position equivalent to k in Π , therefore violating the constraint as well.
A consequence of Lemma 2 and Lemma 4 is the following corollary.
We are ready to prove the main result.