Synthesis from hyperproperties

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\hbox {CTL}^*$$\end{document}CTL∗. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\exists ^*$$\end{document}∃∗, \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\exists ^*\forall ^1$$\end{document}∃∗∀1, and the \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${{ linear }}\;\forall ^*$$\end{document}linear∀∗ fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.


Introduction
Hyperproperties [9] generalize trace properties in that they not only check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other. HyperLTL [8] is a logic for expressing temporal hyperproperties, by extending lineartime temporal logic (LTL) with explicit quantification over traces. HyperLTL has been used to specify a variety of information-flow and security properties. Examples include classical security properties like non-interference [32] and observational determinism [38], as well as quantitative information-flow properties [7], symmetries in hardware designs, and formally verified error correcting codes [26]. For example, observational determinism can be expressed as the HyperLTL formula ∀π∀π . (I π = I π ) → (O π = O π ), stating that, for every pair This work was partially supported by the Collaborative Research Centers "Methods and Tools for Understanding and Controlling Privacy" (SFB 1223) and "Foundations of Perspicuous Software Systems" (TRR 248, 389792660), and by the European Research Council (ERC) Grant OSARES (No. 683300).
We answer the second question by studying the bounded version of the synthesis problem for the ∀ * fragment. In order to detect realizability, we ask whether, for a universal HyperLTL formula ϕ and a given bound n on the number of states, there exists a representation of the strategy tree as a finite-state machine with no more than n states that satisfies ϕ. To detect unrealizability, we check whether there exists a counterexample to realizability of bounded size. We show that both checks can be effectively reduced to SMT solving.
We base our algorithms on well-known synthesis algorithms such as bounded synthesis [28] that itself is an instance of Safraless synthesis [36] for ω-regular languages. A further technique that we adapt for hyperproperties is the bounded unrealizability method [29,30].
Hyperproperties [9] can be seen as a unifying framework for many different properties of interest in multiple distinct areas of research. Information-flow properties in security and privacy research are hyperproperties [8]. HyperLTL subsumes logics that reason over knowledge [8]. Information flow in distributed systems is another example of hyperproperties, and the HyperLTL realizability problem subsumes both the distributed synthesis problem [27,40] as well as synthesis of fault-tolerant systems [30]. In circuit verification, the semantic independence of circuit output signals on a certain set of inputs, enabling a range of potential optimizations, is a hyperproperty.

Structure of this article
We introduce HyperLTL and necessary preliminaries in Sect. 2. In Sect. 3 we define the realizability problem for HyperLTL and demonstrate the expressiveness compared to classical extensions of LTL realizability. In the following section, we investigate the decidability for the realizability problem, where we characterize fragments based on the quantifier prefix. In Sects. 5 and 6 we give algorithms for the bounded realizability and unrealizability problem of universal HyperLTL, i.e., we bound the size of the system and environment, respectively, in order to derive a semi-decision procedure. We report on experimental evaluation of our prototype synthesis tool on a variety of benchmarks, involving distributed architectures, fault-tolerance, and secrecy properties.

HyperLTL
HyperLTL [8] is a temporal logic for specifying hyperproperties. It extends LTL by quantification over trace variables π and a method to link atomic propositions to specific traces. The set of trace variables is V. Formulas in HyperLTL are given by the grammar ϕ ::= ∀π. ϕ | ∃π. ϕ | ψ, and where a ∈ AP and π ∈ V. The alphabet of a HyperLTL formula is 2 AP . We allow the standard boolean connectives ∧, →, ↔ as well as the derived LTL operators release ϕ R ψ ≡ ¬(¬ϕ U ¬ψ), eventually ϕ ≡ true U ϕ, globally ϕ ≡ ¬ ¬ϕ, and weak until The semantics is given by the satisfaction relation T over a set of traces T ⊆ (2 AP ) ω . We define an assignment Π : V → (2 AP ) ω that maps trace variables to traces. Π[i, ∞] is the trace assignment that for every π maps Π to the trace Π(π)[i, ∞], i.e., it removes the first i items from the traces.
We write T ϕ for {} T ϕ where {} denotes the empty assignment. Two HyperLTL formulas ϕ and ψ are equivalent, written ϕ ≡ ψ if they have the same models. A HyperLTL formula ϕ is denoted satisfiable if there is a set of traces T which satisfies ϕ, i.e., T ϕ. The satisfiability problem is undecidable for general HyperLTL formulas but becomes decidable if we renounce ∀ * ∃ * formulas which alternate the quantifier from ∀ to ∃ [18]. For an LTL formula ϕ, we denote by ϕ[π] the quantifier-free HyperLTL formula where every proposition a is replaced by a π .
(In)dependence is a hyperproperty that we will use multiple times in this article, thus, we define the following syntactic sugar. Given two disjoint subsets of atomic propositions C ⊆ AP and A ⊆ AP, we define independence as the following HyperLTL formula which requires that the valuations of propositions C on traces π and π have to be equal until and including the point in time where there is a difference in the valuation of some proposition in A. Prefacing universal quantification, that is, the formula ∀π∀π . D π,π A →C guarantees that every proposition c ∈ C solely depends on propositions in A.

Strategies
A strategy f : (2 I ) * → 2 O maps sequences of input valuations 2 I to an output valuation 2 O . The behavior of a strategy f : (2 I ) * → 2 O is characterized by an infinite tree, called computation tree, that branches by the valuations of I and whose nodes w ∈ (2 I ) * are labeled with the strategic choice f (w). For an infinite word w = w 0 w 1 w 2 · · · ∈ (2 I ) ω , the corresponding trace is defined as We lift the set containment operator ∈ to the containment of a trace w = w 0 w 1 w 2 · · · ∈ (2 I ∪O ) ω in a strategy tree induced by f :

HyperLTL synthesis
In this section, we introduce the realizability problem for HyperLTL and compare its expressiveness to various previous extensions of the LTL realizability problem.

Definition 1 (HyperLTL Realizability) A HyperLTL formula ϕ over atomic propositions
The fragment of HyperLTL with only a single, universal quantifier ∀π. ϕ is equivalent to the LTL realizability problem of ϕ. With two universal quantifiers, one can express relations between traces in the execution tree, thus, one can express the LTL realizability problem with restricted information flow like incomplete information [35], distributed synthesis [27,40], and fault-tolerant synthesis [13,30].

Incomplete information
The realizability problem with incomplete information [35] is a tuple ϕ, I , O, H , where ϕ is an LTL formula, I is a set of input propositions, O is a set of output propositions, and H ⊆ I is a set of hidden inputs not observable by the system. Thus, a realizing strategy f : (2 I \H ) * → 2 O has a computation tree that only branches by I \H . In order to evaluate ϕ, which may include propositions H , the computation tree is widened [35] by H . In HyperLTL, we can verify that a strategy f : (2 I ) * → 2 O has the same output-behavior as a H -widened strategy f by checking f ∀π∀π . D π,π I \H →O .

Distributed synthesis
The distributed synthesis problem was introduced by Pnueli and Rosner [40] and introduces the concept of architectures as a constraint on the information flow. An architecture is a set of processes P, with distinct environment process p env ∈ P, such that the processes produce outputs synchronously, but each process bases its decision only on the history of valuation of inputs that it observes. Formally, a distributed architecture A is a tuple P, p env , I, O where P is a finite set of processes with distinguished environment process p env ∈ P. The functions I : P → 2 AP and O : P → 2 AP define the inputs and outputs of processes. While processes may share the same inputs (in case of broadcasting), the outputs of processes must be pairwise disjoint, i.e., for all p = p ∈ P it holds that O( p) ∩ O( p ) = ∅. W.l.o.g. we assume that I( p env ) = ∅. We denote by P − = P\{ p env } the set of processes excluding the environment process.
The distributed realizability problem for architectures without information forks [27] is decidable. Intuitively, an information fork is a situation where two distinct processes p, p ∈ P receive environment inputs I and I (may be transitive through other processes) such that both observe inputs that the other process does not observe, i.e., there exist i ∈ I and i ∈ I such that i / ∈ I and i / ∈ I . We depict two example architectures in Fig. 1. The architecture in Fig. 1a contains an information fork while the architecture in Fig. 1b does not. Furthermore, the processes in Fig. 1b can be ordered linearly according to the subset relation on the inputs.

Theorem 2 The HyperLTL realizability problem subsumes the distributed LTL realizability problem.
Proof Given a distributed realizability problem ϕ, A , the following HyperLTL formula over inputs O( p env ) for P − and outputs p∈P − O( p) is equirealizable:

Asynchronous distributed synthesis
The asynchronous system model [42] is a generalization of the synchronous model discussed previously. In this model, we have a global scheduler, controlled by the environment, that decides when and which processes are scheduled. The resulting distributed realizability problem is already undecidable for LTL specifications and systems with more than one process [42].

Theorem 3 The HyperLTL realizability problem subsumes the asynchronous distributed LTL realizability problem.
Proof Let A = P, p env , I, O be a distributed architecture. To model scheduling, we introduce an additional set Sched = {sched p | p ∈ P − } of atomic propositions. The valuation of sched p indicates whether system process p is currently scheduled or not. A process p ∈ P − may observe whether it is scheduled or not, that is, it may depend on sched p . The environment can decide at every step which processes to schedule. When a process is not scheduled, its output behavior does not change [28]. As the scheduling is controlled by the environment, we assume that every process is infinitely often scheduled, as otherwise, the environment wins by simply not scheduling any process.
Given an asynchronous distributed realizability problem ϕ, A , the following HyperLTL formula over inputs O( p env ) ∪ Sched and outputs p∈P − O p is equirealizable:

Symmetric synthesis
A special case of distributed synthesis is symmetric synthesis [15], which, additionally to distributivity, requires that all system processes act exactly the same if they are given the same inputs. Formally, symmetric synthesis requires a symmetric architecture P, p env , I, O where for each process p ∈ P − , |I( p)| = n and |O( p)| = m for some n, m ∈ N. We assume an implicit ordering of inputs and output per process and use the notation I( p) j and O( p) j to access the j-th input and output of process p ∈ P − , respectively. Then, we can express the symmetry constraint as an LTL formula

Theorem 4 The HyperLTL realizability problem subsumes the symmetric (distributed) LTL realizability problem.
Proof Given a symmetric realizability problem over architecture A and specifications ϕ 1 , . . . , ϕ k for the k processes the following HyperLTL formula over inputs O( p env ) for P − and outputs p∈P − O( p) is equirealizable:

Fault-tolerant synthesis
We consider another extension to the distributed synthesis problem where we incorporate the possibility that communication between processes may be subject to faults, such as Byzantine faults [29,30]. In the distributed synthesis formulation above, communication from some process p to p was encoded as an atomic proposition a such that a ∈ O( p) and a ∈ I( p ). In the fault-tolerance encoding, we split this connection into a sending part a s ∈ O( p) and a receiving part a r ∈ I( p ) where a r ∈ O( p env ) is a proposition controlled by the environment. To relate a s and a r , we add the assumption (a s ↔ a r ) to the LTL specification. This encoding uses more atomic propositions and additional LTL constraints but is otherwise equivalent to the one presented before. This increased flexibility, that is, being able to specify communication using temporal logic, allows us to express unreliable communication. For example, using the assumption (a s ↔ a r ) specifies a delay of one time step on the receiver, a r specifies a stuck-at-one fault, and specifies a Byzantine fault where the environment takes over the communication. This alone is not enough though: if a process gets such a specification it knows which receiving propositions present actual values and which one is subject to a fault. Thus, the processes are challenged in multiple architectures, where each architecture may have a different set of communication faults as well as specifications: depending on the type of failure, the overall system may only be expected to satisfy a weaker property then the original, non-faulty one.
Formally, the fault-tolerant realizability problem is a tuple A, ϕ 1 , . . . , ϕ n , where A is a distributed architecture with the property that every process receives only environment inputs, i.e., are the non-faulty communication of architecture i and ψ i is the LTL specification that should be ensured.
As an example, consider the architecture This example specification asserts that ψ holds in all three architectures depicted in Fig. 2, i.e., if either p 1 x − → p 3 or p 2 y − → p 3 fails, but not both of them. Hence, process p 3 cannot know whether the information given via propositions b or c is correct.

Theorem 5 The HyperLTL realizability problem subsumes the fault-tolerant LTL realizability problem.
Proof Given A, ϕ 1 , . . . , ϕ n , the following HyperLTL formula over inputs O( p env ) and where the communication between p 1 → p 3 and p 2 → p 3 is intact. The two architectures on the right represent the case where either p 1 p 3 or p 2 p 3 . In this case, the receiving propositions b and c, respectively, are controlled by the environment. In fault-tolerant synthesis, we search for strategies for processes p 1 , p 2 , and p 3 such that the specification is satisfied in all architectures Table 1 Summary of decidability results We base our investigation on the structure of the quantifier prefix of the HyperLTL formulas. We call a HyperLTL formula ϕ (quantifier) alternation-free if the quantifier prefix consists solely of either universal or existential quantifiers. We denote the corresponding fragments as the (universal) ∀ * and the (existential) ∃ * fragment, respectively. A HyperLTL formula is in the ∃ * ∀ * fragment, if it starts with arbitrarily many existential quantifiers, followed by arbitrarily many universal quantifiers. Analogously for the ∀ * ∃ * fragment. For a given natural number n, we refer to a bounded number of quantifiers with ∀ n , respectively ∃ n . The ∀ 1 realizability problem is equivalent to the LTL realizability problem.

∃ * Fragment
We show that the realizability problem for existential HyperLTL is PSpace-complete. We reduce the realizability problem to the satisfiability problem for bounded one-alternating ∃ * ∀ 2 HyperLTL [18], i.e., finding a trace set T such that T ϕ. Lemma 1 An existential HyperLTL formula ϕ = ∃π 1 · · · ∃π n . ψ is realizable if, and only if, be the set of traces generated by f . It holds that T ϕ and T ∀π, π . D π,π I →O . Therefore, T witnesses the satisfiability of ϕ sat . For the reverse direction, assume that ϕ sat is satisfiable. Let S be a set of traces that satisfies ϕ sat . We construct a strategy f : where w| I denotes the trace restricted to I , meaning that w i ∩ I for all i ≥ 0. Note that if there are multiple candidates w ∈ S, then w |σ | ∩ O is equal across all of them due to the required determinism ∀π∀π . D π,π I →O . By construction, all traces in S are contained in f , and together with S ϕ, it holds that f ϕ as the sets of sets of traces satisfying the existential formula ϕ are upward closed.

Theorem 6 Realizability of existential HyperLTL specifications is decidable.
Proof The formula ϕ sat from Lemma 1 is in the ∃ * ∀ 2 fragment, for which satisfiability is decidable [18].

Corollary 1 Realizability of existential HyperLTL specifications is PSpace-complete.
Proof Given an existential HyperLTL formula, we gave a linear reduction to the satisfiability of the ∃ * ∀ 2 fragment in Lemma 1. The satisfiability problem for a bounded number of universal quantifiers is in PSpace [18]. Hardness follows from LTL satisfiability [43], which is equivalent to the ∃ 1 fragment.

∀ * Fragment
In the following, we will use the distributed synthesis problem defined before, i.e., the problem whether there is an implementation of processes in a distributed architecture (cf. Fig. 1) that satisfies an LTL formula.

Theorem 7 The synthesis problem for universal HyperLTL becomes undecidable as soon as we have more than one universal quantifier.
Proof In the ∀ * fragment (and thus in the ∃ * ∀ * fragment), we can encode a distributed architecture [40], for which LTL synthesis is undecidable. In particular, we can encode the architecture shown in Fig. 1a. This architecture basically specifies c to depend only on a and analogously d on b. That can be encoded by D π,π {a} →{c} and D π,π {b} →{d} . The LTL synthesis problem for this architecture is undecidable [40], i.e., given an LTL formula over I = {a, b} and O = {c, d}, we cannot automatically construct processes p 1 and p 2 that realize the formula.

Linear ∀ * fragment
As we have already seen in Theorem 2, we can represent distributed architectures in Hyper-LTL by using the dependency formulas D π,π I →O . In this section, we do the reverse direction. Given a HyperLTL formula ϕ, we try to find an equivalent formula which has the distributed form ∀π. ∀π . ϕ ∧ (dep) where ϕ only uses the path variable π and where (dep) is a conjunction of dependency formulas. These formulas can then be translated to distributed architectures on which we can use the already existent techniques to deal with the synthesis problem. In particular, we can check whether the resulting distributed synthesis problem has an information fork. If this is not the case, the problem is decidable [27].
For finding the distributed form, we need to find the "LTL-part" ϕ of the HyperLTL property ϕ. We call this collapsing ϕ to ϕ . This transformation collapses the universal quantifier into a single one and renames the path variables accordingly. For example, ∀π 1 ∀π 2 . a π 1 ∨ a π 2 is transformed into an equivalent ∀ 1 formula ∀π. a π ∨ a π . However, this transformation does not always produce equivalent formulas as ∀π 1 ∀π 2 . (a π 1 ↔ a π 2 ) is not equivalent to its collapsed form ∀π. (a π ↔ a π ). Let ϕ be ∀π 1 · · · ∀π n . ψ. We define the collapsed formula of ϕ as collapse(ϕ) where ψ[π i → π] replaces all occurrences of π i in ψ with π. Although the collapsed term is not always equivalent to the original formula, we can use it as an indicator whether it is possible at all to express a universal formula with only one quantifier as stated in the following lemma.
which is by assumption equivalent to ∀T ∈ T . T ϕ. Now, ϕ operates on singleton trace sets only. This means that all quantified paths have to be the same, which yields that we can use the same path variable for all of them. So Now that we have the ϕ -part of the distributive form, we need to find the variable dependencies. More precisely, given a formula ϕ, we seek for variable dependencies of the form D π,π J →{o} with J ⊆ I for every output o ∈ O. These J s can be brute-forced. For doing so, we just check for each case the equivalence between ϕ and ∀π. ∀π If this is the case and furthermore, the D π,π J i →{o i } constraints can be ordered such that J i ⊆ J i+1 for all i, we have a linear architecture. Linear architectures are architectures without information fork. Thus, they are decidable. We define the linear fragment to encompass exactly these linear architectures. All in all, there are three steps to check whether ϕ is in the linear fragment: 1. First, we have to add input-determinism to the formula ϕ det := ∀π. ∀π . ϕ ∧ D π,π I →O . This preserves realizability as strategies are input-deterministic.

Theorem 8 The realizability of the linear fragment of HyperLTL is decidable.
Proof It holds that ∀π. ∀π . ϕ ∧ D π,π I →O ≡ ∀π. ∀π . collapse(ϕ) ∧ o i ∈O D π,π J i →{o i } for some J i 's. The LTL distributed realizability problem for collapse(ϕ) in the constructed architecture A is equivalent to the HyperLTL realizability of ϕ as the architecture A represents exactly the input-determinism represented by formula o i ∈O D π,π J i →{o i } . The architecture is linear and, thus, the realizability problem is decidable.

Corollary 2 The realizability problem of the linear fragment of HyperLTL can be checked in non-elementary time.
The reason for this is that solving the distributed synthesis problem takes non-elementary time in the amount of variables. Surprisingly, this runtime is not (more than linearly) dependent on the amount of quantifiers as they are directly reduced to two.

∃ * ∀ 1 Fragment
In this fragment, we consider arbitrary many existential trace quantifiers followed by a single universal trace quantifier. This fragment turns out to be still decidable. We solve the realizability problem for this fragment by reducing it to a decidable fragment of the distributed realizability problem for LTL.
Proof Let ϕ be ∃π 1 · · · ∃π n . ∀π . ψ. We reduce the realizability problem of ϕ to the distributed realizability problem for LTL. Intuitively, we use a two-process distributed architecture where the first process p is supposed to produce the traces for the leading existential quantification and the second process p represents the realizing strategy. The architecture is depicted in Fig. 3.
For every existential trace quantifier π, we introduce a copy of every atomic proposition for the distributed realizability problem, written a π for a ∈ AP. We use the same notation for sets of atomic propositions, e.g., I π = {i π | i ∈ I }. Process p has no inputs, thus, produces only a single trace, and it controls the outputs 1≤i≤n (I π i ∪ O π i ). Using an appropriate valuation of its outputs, process p selects the paths in the strategy tree corresponding to the existential trace quantifiers ∃π 1 · · · ∃π n . Thus, those output propositions of process p have to encode an actual path in the strategy tree produced by p . To ensure this, we add the LTL constraint that asserts that if the inputs correspond to some path in the strategy tree, the outputs on those paths have to be the same. The resulting architecture A ϕ is It is easy to verify that A ϕ does not contain an information fork, thus the realizability problem is decidable [27]. The LTL specification θ is ψ ∧ 1≤i≤n (I π i = I ) → (O π i = O) where we replace every a π by a π for existential traces and a π to a in ψ. The implementation of process p (if it exists) is a realizing strategy for the HyperLTL formula (process p producing witnesses for the ∃ quantifiers): Assume that there are realizing strategies for A ϕ , θ , i.e., f p : (2 ∅ ) * → 2 1≤i≤n (I π i ∪O π i ) and f p : be the corresponding trace. For every π i ∈ {π 1 , . . . , π n }, we define Π(π i ) = t p | I π i where we replace a π i by a for every a ∈ AP. This, together with θ shows that ψ holds for every chosen path t ∈ traces( f p ) for π . Conversely, a model for ϕ can be used as an implementation of p and p : Let f : (2 I ) * → 2 O be a realizing strategy of ϕ. We use f as a strategy for p . We construct the single trace produced by p using the existential trace assignment Π : V ∃ → traces( f ). Let t 1 , . . . , t n ∈ traces( f ) be the corresponding traces. We construct a single trace t p by replacing propositions a ∈ AP by a π i for every t i and the subsequent union of the resulting traces (which now have pairwise disjoint propositions). Due to the construction, f p satisfies 1≤i≤n (I π i = I ) → (O π i = O) and thus, the distributed architecture satisfies θ . Hence, the distributed synthesis problem A ϕ , θ has a solution if, and only if, ϕ is realizable.

∀ * ∃ * Fragment
The last fragment to consider are formulas in the ∀ * ∃ * fragment. Whereas the ∃ * ∀ 1 fragment remains decidable, the realizability problem of ∀ * ∃ * turns out to be undecidable even when restricted to only one quantifier of both sorts (∀ 1 ∃ 1 ).

Theorem 10 Realizability of ∀ * ∃ * HyperLTL is undecidable.
Proof We will prove this theorem by reducing Post's Correspondence Problem (PCP) [41] to synthesizing an ∀ 1 ∃ 1 formula. This proof follows the one from [18]. In PCP, we are given two lists α and β of same length which consist of finite words from some alphabet Σ. For example, α, with α 1 = a, α 2 = ab and α 3 = bba and β, with β 1 = baa, β 2 = aa and β 3 = bb. Here α i denotes the ith element of the list, and α i, j denotes the jth symbol of the ith element. In this example, α 3,1 corresponds to b. PCP is the problem to find an index sequence (i k ) 1≤k≤K with K ≥ 1 and 1 ≤ i k ≤ n for all k, such that α i 1 . . . α i K = β i 1 . . . β i K . We denote the finite words of a PCP solution with i α and i β , respectively. It is a useful intuition to think of the PCP instance as a set of n domino stones. A possible solution for this PCP instance would be (3, 2, 3, 1), since this stone sequence produces the same word, i.e., bbaabbbaa = i α = i β .
Let a PCP instance with Σ = {a 1 , a 2 , . . . , a n } and two lists α and β be given. We choose our set of atomic propositions as follows: AP := I∪ O with I := {i} and O := (Σ ∪ {ȧ 1 ,ȧ 2 , . . . ,ȧ n } ∪ #) 2 , where we use the dot symbol to encode that a stone starts at this position of the trace. We writeã if we do not care if this symbol is an a orȧ and use * as syntactic sugar for an arbitrary symbol of the alphabet.
We encode the PCP instance into a HyperLTL formula that is realizable if and only if the PCP instance has a solution as follows: Here, we associate the left part of the pairs with the upper (α) part of the domino stones and the right part with the lower (β) part of the domino stones. And only taking the left side of the pairs along the path π we should get i α , respectively for i β . Therefore, this formula essentially states that the path which has i encodes our solution and has i α = i β . The # symbols at the end are placeholders for ensuring that the sequence has a finite size.
ϕ rel (π) := ¬i π U i π . This defines the set of relevant traces trough our strategy tree.
They can be imagined being parallel to each other or thought of as the solution trace i but with some additional ¬i in front. -ϕ is++ (π, π ) := (¬i π ∧ ¬i π ) U ( i π ∧ ¬i π ∧ i π ). This defines that a trace π is a successor of π. It essentially states that π has exactly one more ¬i at the beginning than π, i.e., it is the next parallel trace.
-Essentially, we now want π to be exactly π but with the first stone removed and the rest shifted to the front. This can be best illustrated with the example from above. The full sequence at the trace i represents the solution with the outputs Note that now the symbols are not aligned any more because the first stone did not have an equal length of the upper and lower part. We continue this sequence by removing the next stones: Now, the formula ϕ stone&shift (π, π ) encodes that π is π with the first stone removed and the rest shifted as illustrated in the example. This can be done with a disjunction over all possible stones. See [18] for more details. -ϕ start (ϕ, π) := ¬i ß U ϕ ∧ i π cuts off the irrelevant prefix until ϕ starts. This irrelevant prefix is exactly the part where the ¬i appear. We are only interested in looking at the i part of the traces because they are not shared by the different relevant traces. -We furthermore assume that only singletons are allowed what can be achieved by a disjunction for each pair of atomic propositions. See [18] as well.
With this construction, we now force by the synthesis algorithm to yield a list of paths which represent the PCP solution step-wise. To get the list of stones used for this PCP solution, we can just examine the first path (with i) and look at the outputs. As we know that the dots above the letters indicate a new stone, we can slice the sequence i α to α i 1 . . . α i K and same for i β . This shows that we can solve PCP if we can solve the synthesis problem for ∀ 1 ∃ 1 formulas.

Bounded realizability
We propose an algorithm to synthesize strategies from specifications given in universal HyperLTL by searching for finite generators of realizing strategies. We encode this search as a satisfiability problem for a decidable constraint system.

Transition systems
A transition system S is a tuple S, s 0 , τ, l where S is a finite set of states, s 0 ∈ S is the designated initial state, τ : S × 2 I → S is the transition function, and l : S → 2 O is the state-labeling or output function. We generalize the transition function to sequences over 2 I by defining τ * : (2 I ) * → S recursively as τ * ( ) = s 0 and τ * (w 0 · · · w n−1 w n ) = τ (τ * (w 0 · · · w n−1 ), w n ) for w 0 · · · w n−1 w n ∈ (2 I ) + . A transition system S generates the strategy f if f (w) = l(τ * (w)) for every w ∈ (2 I ) * . A strategy f is called finite-state if there exists a transition system that generates f .

Overview
We first sketch the synthesis procedure and then proceed with a description of the intermediate steps. Let ϕ be a universal HyperLTL formula ∀π 1 · · · ∀π n . ψ. We build the automaton A ψ whose language is the set of tuples of traces that satisfy ψ. We then define the acceptance of a transition system S on A ψ by means of the self-composition of S. Lastly, we encode the existence of a transition system accepted by A ψ as an SMT constraint system. Example 1 Throughout this section, we will use the following (simplified) running example. Assume we want to synthesize a system that keeps decisions secret until it is allowed to publish. Thus, our system has three input signals decision, indicating whether a decision was made, the secret value, and a signal to publish results. Furthermore, our system has two outputs, an undisclosed output internal that stores the value of the last decision, and a public output result that indicates the result. No information about decisions should be inferred until publication. To specify the functionality, we propose the LTL specification The solution produced by the LTL synthesis tool BoSy [17], shown in Fig. 4a, clearly violates our intention that results should be secret until publish: Whenever a decision is made, the output result changes as well.  We formalize the property that no information about the decision can be inferred from result until publication as the HyperLTL formula ∀π∀π . (publish π ∨ publish π ) R (result π ↔ result π ). (4) It asserts that for every pair of traces, the result signals have to be the same until (if ever) there is a publish signal on either trace. A solution satisfying both, the functional specification and the hyperproperty, is shown in Fig. 4b. The system switches states whenever there is a decision with a different value than before and only exposes the decision in case there is a prior publish command.
We proceed with introducing the necessary preliminaries for our algorithm.

Automata
A universal co-Büchi automaton A over finite alphabet Σ is a tuple Q, q 0 , δ, F , where Q is a finite set of states, q 0 ∈ Q the designated initial state, δ ⊆ Q × Σ × Q is the transition relation, and F ⊆ Q is the set of rejecting states. Given an infinite word σ ∈ Σ ω , a run of σ on A is a finite or infinite path q 0 q 1 q 2 · · · ∈ (Q * ∪ Q ω ) where for all i ≥ 0 it holds that (q i , σ i , q i+1 ) ∈ δ. A run is accepting, if it contains only finitely many rejecting states, i.e., either the run is finite or there exists a i ≥ 0 such that for all j ≥ i it holds that q j / ∈ F. A accepts a word σ , if all runs of σ on A are accepting. The language of A, written L(A), is the set {σ ∈ Σ ω | A accepts σ }. We represent automata as directed graphs with vertex set Q and a symbolic representation of the transition relation δ as propositional formulas B(Σ). The rejecting states in F are marked by double lines. The automata for the LTL and HyperLTL specifications from Example 1 are depicted in Fig. 5.

Run graph
The run graph of a transition system S = S, s 0 , τ, l on a universal co-Büchi automaton A = Q, q 0 , δ, F is a directed graph V , E where V = S × Q is the set of vertices and E ⊆ V × V is the edge relation with ((s, q), (s , q )) ∈ E iff A run graph is accepting if every path (starting at the initial vertex (s 0 , q 0 )) has only finitely many visits of rejecting states. To show acceptance, we annotate every reachable node in the run graph with a natural number m, such that any path, starting in the initial state, contains less than m visits of rejecting states. Such an annotation exists if, and only if, the run graph is accepting [28].

Self-composition
The model checking of universal HyperLTL formulas [26] is based on self-composition. Let prj i be the projection to the i-th element of a tuple. Let zip denote the usual function that maps an n-tuple of sequences to a single sequence of n-tuples, for example, zip( [1,2,3], [4,5,6]) = [ (1,4), (2,5), (3,6)], and let unzip denote its inverse. The transition system S n is the n-fold self-composition of S = S, s 0 , τ, l , if S n = S n , s n 0 , τ , l n and for all s, s ∈ S n , α ∈ (2 I ) n , and β ∈ (2 O ) n we have that τ (s, α) = s and l n (s) = β iff for all 1 ≤ i ≤ n, it holds that τ (prj i (s), prj i (α)) = prj i (s ) and l(prj i (s)) = prj i (β). If T is the set of traces generated by S, then {zip(t 1 , . . . , t n ) | t 1 , . . . , t n ∈ T } is the set of traces generated by S n .
We construct the universal co-Büchi automaton A ψ such that the language of A ψ is the set of words w such that unzip(w) = Π and Π ∅ ψ, i.e., the tuples of traces that satisfy ψ. We get this automaton by dualizing the non-deterministic Büchi automaton for ¬ψ [28], i.e., changing the branching from non-deterministic to universal and the acceptance condition from Büchi to co-Büchi. Hence, S satisfies a universal HyperLTL formula ϕ = ∀π 1 · · · ∀π n . ψ if the traces generated by self-composition S n are a subset of L(A ψ ).
Lemma 3 A transition system S satisfies the universal HyperLTL formula ϕ = ∀π 1 · · · ∀π n . ψ, if, and only if, the run graph of S n on A ψ is accepting.

Synthesis
Let S = S, s 0 , τ, l and A ψ = Q, q 0 , δ, F . We encode the synthesis problem as an SMT constraint system. Therefore, we use uninterpreted function symbols to encode the transition system and the annotation. For the transition system, those functions are the transition function τ : S × 2 I → S and the labeling function l : S → 2 O . The annotation is split into two parts, a reachability constraint λ B : S n × Q → B indicating whether a vertex in the run graph is reachable and a counter λ # : S n × Q → N that maps every reachable vertex to the maximal number of rejecting vertices visited by any path starting in the initial vertex. The resulting constraint asserts that there is a transition system with an accepting run graph.
where is > if q ∈ F and ≥ otherwise.

Theorem 11 The constraint system is satisfiable with bound b if, and only if, there is a transition system S of size b that realizes the HyperLTL formula.
We extract a realizing implementation by asking the satisfiability solver to generate a model for the uninterpreted functions that encode the transition system.

Bounded unrealizability
So far, we focused on the positive case, providing an algorithm for finding small solutions, if they exist. In this section, we shift to the case of detecting if a universal HyperLTL formula is unrealizable. We adapt the definition of counterexamples to realizability for LTL [29] to HyperLTL in the following. Let ϕ be a universal HyperLTL formula ∀π 1 · · · ∀π n . ψ over inputs I and outputs O, a counterexample to realizability is a set of input traces P ⊆ (2 I ) ω such that for every strategy f : (2 I ) * → 2 O the labeled traces P f ⊆ (2 I ∪O ) ω satisfy ¬ϕ = ∃π 1 · · · ∃π n . ¬ψ. Proposition 1 A universal HyperLTL formula ϕ = ∀π 1 · · · ∀π n . ψ is unrealizable if, and only if, there is a counterexample P to realizability.
Proof Let P be a counterexample to realizability. Assume for contradiction that ϕ is realizable by a strategy f . By definition of P, we know that P f ∃π 1 · · · ∃π n . ¬ψ. This means that there exists an assignment Π P : V → P f with Π P P f ¬ψ, which is equivalent to Π P P f ψ. Therefore, not all assignments Π : V → P f satisfy Π P f ψ, which implies that P f ∀π 1 · · · ∀π n . ψ = ϕ. Hence, f ϕ, which concludes the contradiction.
Let ϕ be unrealizable. We show that the set P = (2 I ) ω is a counterexample to realizability. Let f : (2 I ) * → 2 O be an arbitrary strategy, and let P f be the corresponding set of labeled traces. From the unrealizability of ϕ, we now that f ∀π 1 · · · ∀π n . ψ. Thus, there exists a trace assignment Π P : V → P f with Π P P f ¬ψ, which is equivalent to P ∃π 1 · · · ∃π n . ¬ψ.
Despite being independent of strategy trees, there are in many cases finite representations of P. Consider, for example, the unrealizable specification ϕ 1 = ∀π∀π . (i π ↔ i π ), where the set P 1 = {∅ ω , {i} ω } is a counterexample to realizability. As a second example, consider ϕ 2 = ∀π∀π . (o π ↔ o π ) ∧ (i π ↔ o π ) with conflicting requirements on o. P 1 is a counterexample to realizability for ϕ 2 as well: By choosing a different valuation of i in the first step of P 1 , the system is forced to either react with different valuations of o (violating the first conjunct), or not correctly repeating the initial value of i (violating the second conjunct).
There are, however, already linear specifications where the set of counterexample traces is not finite and depends on the strategy tree [30]. For example, the specification is unrealizable as the system cannot predict future values of the environment. There is no finite set of traces witnessing this: For every finite set of traces, there is a strategy tree such that (o π ↔ i π ) holds on every such trace. On the other hand, there is a simple counterexample strategy, that is a strategy that observes output sequences and produces inputs, depicted in Fig. 6. In this example, the counterexample strategy inverts the outputs given by the system, thus it is guaranteed that (o i) for every system strategy. We combine those two approaches, selecting counterexample traces and using strategic behavior. A k-counterexample strategy for ∀ n HyperLTL observes k output sequences and produces k inputs, where k is a new parameter. We require that k is at least the number of universal quantifiers n. The counterexample strategy is winning if (1) either the traces given by the system player do not correspond to a strategy, or (2) the body of the HyperLTL formula is violated for any n subset of k traces. Regarding property (1), consider the two traces where the system player produces different outputs initially. Clearly, those two traces cannot be generated by any system strategy since the initial state (root labeling) is fixed.
We reduce the search for a k-counterexample strategy to LTL synthesis. For every atomic proposition a ∈ AP, we produce k copies a 1 , . . . , a k . We use the same notation for sets of atomic propositions, e.g., I j = {i j | i ∈ I } for 1 ≤ j ≤ k. The search for a k-counterexample strategy can be reduced to LTL synthesis using k-tuple input propositions O k , k-tuple output propositions I k , and the formula where ψ[P] denotes the replacement of a π i by the P i th position of the combined input/output k-tuple. The formula strategic(I k , O k ) enforces that the behavior of the system player is strategic and is defined as This is an instance of the formula (sym) given in Sect. 3.
Proof Fix ϕ and let f cex : (2 O k ) + → 2 I k be a k-counterexample strategy. Assume for contradiction that f : (2 I ) * → 2 O is a strategy realizing ϕ. Let f k : (2 I k ) * → 2 O k be the strategy that represents the k-fold self-composition of f (adapting atomic propositions as described earlier). By combining f and f cex , we get an infinite sequence t ∈ (2 I k ∪O k ) ω : . . This sequence represents a k-tuple cex k = (I ∪ O) k . As f k satisfies strategic(I k , O k ), there is a n-tuple cex n build from elements of cex k such that for the corresponding trace assignment Π it holds that Π ¬ψ. This contradicts our assumption that f is a realizing strategy.

Evaluation
We implemented a prototype synthesis tool, called BoSyHyper, 1 for universal HyperLTL based on the bounded synthesis algorithm described in Sect. 5. Furthermore, we implemented the search for counterexamples proposed in Sect. 6. Thus, BoSyHyper is able to characterize realizability and unrealizability of universal HyperLTL formulas. We base our implementation on the LTL synthesis tool BoSy [17]. For efficiency, we split the specifications into two parts, a part containing the linear (LTL) specification, and a part containing the hyperproperty given as HyperLTL formula. Consequently, we build two constraint systems, one using the standard bounded synthesis approach [28] and one using the approach described in Sect. 5. Before solving, those constraints are combined into a single SMT query. This results in a much more concise constraint system compared to the one where the complete specification is interpreted as a HyperLTL formula. For solving the SMT queries, we use the Z3 solver [12]. We continue by describing the benchmarks used in our experiments.

Symmetric mutual exclusion
Our first example demonstrates the ability to specify symmetry in HyperLTL for a simple mutual exclusion protocol. Let r 1 and r 2 be input signals representing mutually exclusive requests to a critical section and g 1 /g 2 the respective grants to enter the section. Every request should be answered eventually (r i → g i ) for i ∈ {1, 2}, but not at the same time ¬(g 1 ∧ g 2 ). The minimal LTL solution is depicted in Fig. 7a. It is well known that no mutex protocol can ensure perfect symmetry [37], thus when adding the symmetry constraint specified by the HyperLTL formula ∀π∀π . (r 1π r 2π ) R (g 1π ↔ g 2π ) the formula becomes unrealizable. Our tool produces the counterexample shown in Fig. 7b. By adding another input signal tie, that breaks the symmetry in case of simultaneous requests and modifying the symmetry constraint ∀π∀π . ((r 1π r 2π ) ∨ (tie π ¬tie π ))R(g 1π ↔ g 2π ) we obtain the solution depicted in Fig. 7c. We further evaluated the same properties on a version that forbids spurious grants, which are reported in Table 2 with prefix full.

Distributed and fault-tolerant systems
In Sect. 4 we presented a reduction of arbitrary distributed architectures to HyperLTL. As an example for our evaluation, consider a setting with two processes, one for encoding input signals and one for decoding. Both processes can be synthesized simultaneously using a single HyperLTL specification. The (linear) correctness condition states that the decoded signal is always equal to the inputs given to the encoder. Furthermore, the encoder and decoder should solely depend on the inputs and the encoded signal, respectively. Additionally, we can specify desired properties about the encoding like fault-tolerance [30] or Hamming distance of code words [26]. An example solution for 2 input bits and 3 encoded bits is shown in Fig. 8. For the encoding, we required that for every change in the input, two encoding bits change. The synthesized solution uses a parity bit as the third encoded bit and the encoding and decoding parts are strictly independent. The results are reported in Table 2 where i-j-x means i input bits, j encoded bits, and x represents the property. The property is either tolerance against a single Byzantine signal failure or a guaranteed Hamming distance of code words.

CAP Theorem
The CAP Theorem due to Brewer [5] states that it is impossible to design a distributed system that provides Consistency, Availability, and Partition tolerance (CAP) simultaneously. This example has been considered before [30] to evaluate a technique that could automatically detect unrealizability. However, when we drop either Consistency, Availability, or Partition tolerance, the corresponding instances (AP, CP, and CA) become realizable, which the previous work was not able to prove. We show that our implementation can show both, unrealizability of CAP and realizability of AP, CP, and CA. In contrast to the previous encoding [30] we are not limited to acyclic architectures.

Long-term information flow
Previous work on model-checking hyperproperties [26] found that an implementation for the commonly used I2C bus protocol could remember input values ad infinitum. For example, it could not be verified that information given to the implementation eventually leaves it, i.e., is forgotten. This is especially unfortunate in high security contexts. We consider a simple bus protocol which is inspired by the widely used I2C protocol. Our example protocol has the inputs send for initiating a transmission, in for the value that should be transferred, and an acknowledgment bit indicating successful transmission. The bus master waits in an idle state until a send is received. Afterwards, it transmits a header sequence, followed by the value of in, waits for an acknowledgement and then indicates success or failure to the sender before returning to the idle state. We specify the property that the input has no influence on the data that is send, which is obviously violated (instance NI1). As a second property, we check that this information leak cannot happen arbitrary long (NI2) for which there is a realizing implementation. They ran on a machine with a dual-core Core i7, 3.3 GHz, and 16 GB memory

Dining cryptographers
Recap the dining cryptographers problem introduced earlier. This benchmark is interesting as it contains two types of hyperproperties. First, there is information flow between the three cryptographers, where some secrets (s ab , s ac , s bc ) are shared between pairs of cryptographers.
In the formalization, we have 4 entities: three processes describing the 3 cryptographers (out i ) and one process computing the result ( p g ), i.e., whether the group has paid or not, from out i . Second, the final result should only disclose whether one of the cryptographers has paid or the NSA. This can be formalized as a indistinguishability property between different executions. For example, when we compare the two traces π and π where C a has paid on π and C b has paid on π , then the outputs of both have to be the same, if their common secret s ab is different on those two traces (while all other secrets s ac and s bc are the same). This ensures that from an outside observer, a flipped output can be either result of a different shared secret or due to the announcement. Lastly, the linear specification asserts that p g ↔ ¬p NSA . This question can be encoded as a synthesis problem for HyperLTL. What makes this example particularly interesting is the combination of multiple information-flow requirements: Representation of the solution for an encoder with 2 input bits and 3 encoded bits as And-Inverter-Graph. The solution is produced by BoSyHyper where the specification is given as a single HyperLTL formula specifying both, the encoder and the decoder, as well as the distributivity constraints. Note that although BoSyHyper produces a global implementation, the implementation is actually distributed as decoder and encoder do not share gates 1. The setting is distributed, we have four entities: The three cryptographers (C a , C b , and C c ), where each cryptographer shares a secret bit with each other (denoted s ab for the shared secret of C a and C b ). The fourth entity is the process that receives the output from the cryptographers (out a , out b , and out c ) and computes the result whether one of them has paid the bill (output p g ). Figure 9 gives a visual representation of this distributed architecture. 2. The secrecy requirement is formalized as requiring indistinguishability between different executions for an outside party (observing out a , out b , and out c ). For example, when we compare the two execution traces π and π where C a has paid on π and C b has paid on π . Then the outputs of both have to be the same, if their common secret s ab is different on those two traces (while all other secrets s ac and s bc are the same). This ensures that We now formalize this as a HyperLTL synthesis problem. The set of atomic propositions is partitioned into environment outputs I = {p NSA , p a , p b , p c , s ab , s ac , s bc } and system outputs O = {out a , out b , out c , p g }. The functional (LTL) requirements are simple, assuming that exactly one of p NSA , p a , p b , and p c is true, the output of p g is the negation of p NSA . As an LTL formula The distributed architecture is encoded as a conjunction of HyperLTL formulas ensuring independence of non-observable inputs, i.e., ∀π. ∀π .D π,π { p a ,s ab ,s ac } →{out a } ∧ D π,π { p b ,s ab ,s bc } →{out b } ∧D π,π { p c ,s ac ,s bc } →{out c } ∧ D π,π {out a ,out b ,out c } →{ p g } Lastly, the indistinguishability (exemplified for C a and C b ) is formalized as ∀π∀π . (( p π a ∧ ¬p π a ) ∧ (¬ p π b ∧ p π b ) ∧ (s π ab s π ab ) ∧ (s π bc ↔ s π bc ) ∧ (s π ac ↔ s π ac ) → (out π a ↔ out π a ) ∧ (out π b ↔ out π b )) for every pair of cryptographers. Neither LTL synthesis nor its distributed variant can express the combination of those requirements. Our HyperLTL synthesis tool BoSyHyper [20] is able to find a solution to this problem. A closer look in the implementation reveals, that the tool has synthesized the XOR scheme presented in the original solution [6]. Table 2 reports on the results of the benchmarks. We distinguish between state-labeled (Moore) and transition-labeled (Mealy) transition systems. Note that the counterexample strategies use the opposite transition system, i.e., a Mealy system strategy corresponds to a state-labeled (Moore) environment strategy. Typically, Mealy strategies are more compact, i.e., need smaller transition systems and this is confirmed by our experiments. BoSyHyper is able to solve most of the examples, providing realizing implementations or counterexamples. Regrading the unrealizable benchmarks we observe that usually two simultaneously generated paths (k = 2) are enough with the exception of the encoder example. Overall the results are encouraging showing that we can solve a variety of instances with non-trivial information flow.

Conclusion
In this paper, we have studied the reactive realizability problem for specifications given in the temporal logic HyperLTL. We showed that this problem subsumes various extensions of the LTL realizability problem: synthesis under incomplete information, distributed synthesis, symmetric synthesis, and fault-tolerant synthesis can all be encoded in the synthesis problem of HyperLTL. We gave a complete characterization of the decidable fragments based on the quantifier prefix and, additionally, identified a decidable fragment in the, in general undecidable, universal fragment of HyperLTL. Furthermore, we presented two algorithms to detect realizable and unrealizable HyperLTL specifications, one based on bounding the system implementation and one based on bounding the number of counterexample traces. Our prototype implementation shows that our approach is able to synthesize systems with complex information-flow properties.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.