Compositional synthesis of modular systems

In contrast to the breakthroughs in reactive synthesis of monolithic systems, distributed synthesis is not yet practical. Compositional approaches can be a key technique for scalable algorithms. Here, the challenge is to decompose a specification of the global system into local requirements on the individual processes. In this paper, we present and extend a sound and complete compositional synthesis algorithm that constructs for each process, in addition to the strategy, a certificate that captures the necessary interface between the processes. The certificates define an assume-guarantee contract that allows for formulating individual process requirements. By bounding the size of the certificates, we then bias the synthesis procedure towards solutions that are desirable in the sense that they have a small interface. We have implemented our approach and evaluated it on scalable benchmarks: It is much faster than standard methods for distributed synthesis as long as reasonably small certificates exist. Otherwise, the overhead of synthesizing additional certificates is small.


Introduction
In spite of the recent advances in practical reactive synthesis for monolithic systems, no scalable tools for the synthesis from arbitrary distributed system architectures exist. In verification, compositionality, i.e., breaking down the verification of a complex system into several smaller tasks over individual components, proved to be a key technique for scalable algorithms [8].
Developing compositional approaches for synthesis, however, is much more challenging: In practice, an individual process can rarely guarantee the satisfaction of the specification alone. Typically, there are input sequences preventing a process from satisfying the specification and the other processes in the system ensure that these sequences are  1 CISPA Helmholtz Center for Information Security, Saarbrücken, Germany not produced. Thus, a process needs information about the behavior of the other processes and therefore distributed synthesis cannot easily be broken down into tasks over the individual processes.
In this paper, we present and extend certifying synthesis [14], a compositional synthesis algorithm that constructs additional guarantees on the behavior of every process. These so-called certificates then define an assumeguarantee contract: A strategy is only required to satisfy the specification if the other processes do not deviate from their guaranteed behavior. This allows for considering a process independent of the other processes' strategies. Our algorithm is an extension of bounded synthesis [16] that incorporates the search for certificates into the synthesis task for the strategies.
Synthesizing additional certificates has several benefits: Since the strategies only depend on the other processes' certificates and not on their particular strategies, certifying synthesis enables modularity of the system: The certificates form a contract between the processes. Once the contract has been synthesized, strategies can be exchanged safely with other ones respecting the contract. Thus, strategies can be adapted flexibly without synthesizing a solution for the whole system again if requirements that do not affect the contract change.
Moreover, the certificates capture which information a process needs about the behavior of the other processes to be able to satisfy the specification while abstracting from their irrelevant behavior. Certifying synthesis thus allows for analyzing strategies locally and for recognizing the system's interconnections.
Certifying synthesis introduces bounds on the sizes of the certificates. Hence, it bounds the size of the interface between the processes. By starting with small bounds and by only increasing them if the specification is unrealizable for the given ones, our algorithm restricts synthesis to search for solutions with small interfaces which are often desired in practice. Thus, certifying synthesis guides the synthesis procedure.
We present two representations of certificates, as LTL formulas and as labeled transition systems. We prove soundness and completeness of certifying synthesis for both of them. Moreover, we extend the latter representation with nondeterminism, permitting smaller certificates for certain specifications. We present an optimization of certifying synthesis that reduces the number of considered certificates by determining relevant processes for each process. Soundness and completeness are preserved. Focusing on transition system certificates, both deterministic and nondeterministic, we present an algorithm for synthesizing certificates that is based on a reduction to a SAT constraint system.
We implemented the algorithm and compare it to an extension [2] of the bounded synthesis tool BoSy [10] to distributed systems and to a compositional synthesis algorithm based on dominant strategies [7]. The results clearly demonstrate the advantage of synthesizing certificates: If solutions with a small interface between the processes exist, our algorithm outperforms the other ones significantly. Otherwise, the overhead of synthesizing certificates is small. Permitting nondeterminism can reduce the strategy and certificate sizes notably. Related work There are several compositional synthesis approaches for monolithic systems [11][12][13]18,19]. We, however, focus on distributed synthesis algorithms. Assumeguarantee synthesis [5] is closest to our approach. There, each process provides a guarantee on its own behavior and, in return, makes an assumption on the behavior of the other processes. If, for each process, there is a strategy that satisfies the specification under the hypothesis that the other processes respect the assumption, and if the guarantee implies the assumptions of the other processes, a solution for the whole system is found. In contrast to our approach, most assume-guarantee synthesis algorithms [1,[3][4][5] either rely on the user to provide the assumptions or require that a strategy profile on which the strategies can synchronize is constructed prior to synthesis.
Assume-guarantee distributed synthesis [21] synthesizes assume-guarantee contracts using a negotiation algorithm. In contrast to our approach, the synthesized guarantees do not necessarily imply the assumptions of the other processes. Thus, the assumptions and guarantees need to be iteratively refined until a valid contract is found and therefore the algorithm is not complete. This iteration is circumvented in our approach since the assumptions are constructed from the certificates.
Using a weaker winning condition for synthesis, remorse-free dominance [6], avoids the explicit construction of assumptions and guarantees [7]. Yet, the implicit assumptions do not always suffice. Thus, although a dependency analysis of the specification allows for solutions for further systems and specifications [13], compositional solutions do not always exist.

Running example
In many modern factories, autonomous robots are a crucial component in the production line. Since the correctness of their implementation is essential, they are a natural target for synthesis. Consider a factory with two robots that carry production parts from one machine to another. There is a crossing that is used by both robots. The robots are required to prevent a crash at the crossing: ϕ safe := ¬((at_c 1 ∧ go 1 ) ∧ (at_c 2 ∧ go 2 )), where at_c i is an input variable denoting that robot r i arrived at the crossing, and go i is an output variable of robot r i denoting that r i moves ahead. Moreover, both robots need to cross the intersection at some point in time after arriving there: ϕ cross i := (at_c i → go i ). In addition, both robots have further objectives ϕ add i that are specific to their area of application. For instance, they may capture which machines have to be approached.
None of the robots can satisfy ϕ safe ∧ ϕ cross i alone: No matter when r i enters the crossing, r j might enter it at the same time. Thus, strategies cannot be synthesized individually without information on the other robot's behavior. Due to ϕ add i , the parallel composition of the strategies can be large and complex. Hence, understanding why the overall specification is met and recognizing the individual strategies is challenging.
If the robots commit to their behavior at crossings, however, individual solutions can be found. For instance, if r 2 guarantees to always give priority to r 1 , a strategy for r 1 that enters crossings regardless of r 2 satisfies ϕ safe ∧ ϕ cross 1 since r 1 may assume that r 2 will not deviate from its certificate. If r 1 guarantees to not block crossings, r 2 can satisfy ϕ safe ∧ϕ cross 2 as well. Since the assumptions of the robots are constructed from the certificates and thus from the guaranteed behavior, the parallel composition of the robots' strategies satisfies the whole specification as long as the strategies satisfy the additional requirements ϕ add i as well.
Furthermore, we then know that the robots solely interfere at crossings. Thus, the certificates provide insight in the required communication of the robots and abstract away the irrelevant behavior, i.e., the behavior aside from crossings, of the other robot. Particularly for large ϕ add i , this significantly increases the understandability of why r i 's strategy satisfies ϕ i . Moreover, the certificates form a contract of safe behavior at crossings: If ϕ add i changes, it suffices to synthesize a new strategy for r i . Provided r i does not change its behavior at crossings, r j 's strategy can be left unchanged.
Throughout this paper, we explain the introduced concepts and formalisms using the above example. The individual explanations, that are all marked with "running example", can then be used to retrace the whole synthesis procedure for the manufacturing robots. Furthermore, we provide a summary of the individual steps for certifying synthesis with deterministic certificates together with the synthesized strategies and certificates at the end of Sect. 5.

Preliminaries
Notation. We denote the prefix of length t of an infinite word LTL. Linear-time temporal logic (LTL) [22] is a specification language for linear-time properties. For a finite set of atomic propositions and a ∈ , the syntax of LTL is given by We define the temporal operators ϕ = true U ϕ and ϕ = ¬ ¬ϕ and use the standard semantics. The language L(ϕ) of a formula ϕ is the set of infinite words that satisfy ϕ. The atomic propositions in ϕ are denoted by prop(ϕ). We represent a formula ϕ = ξ 1 ∧ . . . ∧ ξ k also by the set of its conjuncts, i.e., ϕ = {ξ 1 , . . . , ξ k }. Automata. Given a finite alphabet , a universal co-Büchi automaton A = (Q, q 0 , δ, F) over consists of a finite set of states Q, an initial state q 0 ∈ Q, a transition relation δ : Q × 2 × Q, and a set F ⊆ Q of rejecting states. For an infinite word σ = σ 0 σ 1 . . . ∈ (2 ) ω , a run of σ on A is an infinite sequence q 0 q 1 . . . ∈ Q ω of states with (q i , σ i , q i+1 ) ∈ δ for all i ≥ 0. A run is called accepting if it contains only finitely many visits to rejecting states. A accepts a word σ if all runs of σ on A are accepting. The language L(A) of A is the set of all accepted words. An LTL formula ϕ can be translated into an equivalent universal co-Büchi automaton A ϕ , i.e., and automaton with L(ϕ) = L(A ϕ ), with a single exponential blow up [20].
Architectures. An architecture A is a tuple (P, V , I , O), where P is a set of processes consisting of the environment process env and a set of n system processes P − = P\{env}, V is a set of variables, I = I 1 , . . . , I n assigns a set I j ⊆ V of input variables to each system process p j , and O = O env , O 1 , . . . O n assigns a set O j ⊆ V of output variables to each process p j . For all p j , p k ∈ P − with j = k, we have I j ∩ O j = ∅ and O j ∩ O k = ∅. The variables V j of p j ∈ P − are its inputs and outputs, i.e., V j = I j ∪ O j . The variables V of the whole system are defined by V = p j ∈P − V j . We define inp = p j ∈P − I j and out = p j ∈P − O j . An architecture is called distributed if |P − | ≥ 2 and monolithic otherwise. In the remainder of this paper, we assume that a distributed architecture is given.
where (t j , γ j , t j+1 ) ∈ τ . The projection of a path to the variables is called trace. The parallel composition of two TS Strategies. We model a strategy s i of process p i ∈ P − as a Moore transition system T i over I i and O i . The trace produced by T i on γ ∈ (2 I i ) ω is called the computation of s i on γ , denoted comp(s i , γ ). For an LTL formula ϕ over V , Synthesis. Given a formal specification ϕ, synthesis derives strategies s 1 , . . . , s n for the system processes such that s 1 || · · · || s n | ϕ holds. If such strategies exist, ϕ is called realizable. Bounded synthesis [16] additionally bounds the size of the strategies. The search for strategies of a certain size is encoded into a constraint system that is satisfiable if, and only if, ϕ is realizable for the bound. There are SMT, SAT, QBF, and DQBF encodings for monolithic [9] and distributed [2] architectures.

Compositional synthesis with certificates
In this section, we present a sound and complete compositional synthesis algorithm for distributed systems. The main idea is to synthesize strategies for the system processes individually. Thus, in contrast to classical distributed synthesis, where strategies s 1 , . . . , s n are synthesized such that s 1 || · · · || s n | ϕ holds, we require that s i | ϕ i holds for all p i ∈ P − . Here, ϕ i is a subformula of ϕ that captures the parts of ϕ affecting p i . As long as ϕ i contains all parts of ϕ that restrict the behavior of s i , the satisfaction of ϕ by s 1 || · · · || s n is guaranteed. Computing specification decompositions is not the main focus of this paper; in fact, our algorithm can be used with any decomposition fulfilling the above requirement. There is work on obtaining small subspecifications, e.g., [12], we, however, use an easy decomposition in the following for simplicity: Intuitively, the subspecification ϕ i contains all conjuncts of ϕ that contain outputs of p i as well as all input-only conjuncts. In the remainder of this paper, we assume that both prop(ϕ) ⊆ V and L(ϕ) ∈ (2 V ) ω hold for all specifications ϕ. Then, every atomic proposition occurring in ϕ is an input or output of at least one system process and thus p i ∈P − ϕ i = ϕ holds.
Running example Recall the robots from Sect. 2 and assume for simplicity that both do not have any additional objectives ϕ add i . Thus, the overall specification is given by ϕ = ϕ safe ∧ ϕ cross 1 ∧ ϕ cross 1 . Then, we obtain the subspecifications ϕ i = ϕ safe ∧ ϕ cross i with Definition 4.1 since ϕ cross 1−i does not contain any output variables of r i , while ϕ safe and ϕ cross i clearly do.
Although we decompose the specification, a process p i usually cannot guarantee the satisfaction of ϕ i alone; rather, it depends on the cooperation of the other processes. For instance, robot r 1 from Sect. 2 cannot guarantee that no crash will occur when entering the crossing since r 2 can enter it at the same point in time. Thus, we additionally synthesize a guarantee on the behavior of each process, the so-called certificate. The certificates then provide essential information to the processes: If p i commits to a certificate, the other processes can rely on p i 's strategy to not deviate from this behavior. In particular, the strategies only need to satisfy the specification as long as the other processes stick to their certificates. Thus, a process is not required to react to all behaviors of the other processes but only to those that truly occur when the processes interact. In this section, we represent the certificate of a process p i by an LTL formula ψ i .

Running example
If robot r 2 guarantees to always give priority to r 1 at crossings, its LTL certificate can be given by ψ 2 = (at_c 1 → ¬go 2 ), for instance. Since r 1 can assume that r 2 does not deviate from its certificate ψ 2 , a strategy for r 1 that enters crossings regardless of r 2 satisfies ϕ safe ∧ ϕ cross 1 .
To ensure that p i does not deviate from its own certificate ψ i , we require its strategy s i to satisfy ψ i . To model that s i only has to satisfy its specification if the other processes stick to their certificates, it has to satisfy i → ϕ i , where , i is the conjunction of the certificates of the other processes. Using this, we define certifying synthesis:

Definition 4.2 (Certifying synthesis)
Let ϕ be an LTL formula. Certifying synthesis for ϕ derives vectors S = s 1 , . . . , s n and = ψ 1 , . . . , ψ n of strategies and LTL certificates, respectively, for the system processes such that Classical algorithms for distributed synthesis reason globally about the satisfaction of the specification by the parallel composition of the synthesized strategies. Certifying synthesis, in contrast, reasons locally about the satisfaction of the subspecifications for the individual processes, i.e., without considering the composition of the strategies. Hence the strategies can be considered separately, greatly improving the understandability of the synthesized solutions. Moreover, local reasoning is sound and complete. Intuitively, soundness follows from the fact that every system process is required to satisfy its own certificate. Completeness is obtained since every strategy can serve as its own certificate. Formally: Theorem 4.1 Let ϕ be an LTL formula. Moreover, let S = s 1 , . . . , s n be a vector of strategies. There is a vector = ψ 1 , . . . , ψ n of LTL certificates such that (S, ) realizes ϕ if, and only if s 1 || · · · || s n | ϕ holds.
Proof Suppose that (S, ) realizes ϕ for some . Let 1≤i≤n ψ i and thus σ | i for all 1 ≤ i ≤ n. Therefore, σ | 1≤i≤n ϕ i follows. Since 1≤i≤n ϕ i = ϕ, we obtain s 1 || · · · || s n | ϕ. Let s 1 || · · · || s n | ϕ. We construct LTL formulas ψ i that describe exactly the behavior of s i , i.e., such that L( . By assumption and since Certifying synthesis thus enables modularity and increases the understandability of the system due to local reasoning, while ensuring to find solutions for all specifications that are realizable in the architecture. Moreover, the parallel composition of the synthesized strategies is a correct solution for the whole system.

Synthesis with deterministic certificates
There are several quality measures for certificates, for instance their size. We focus on certificates that are easy to synthesize in the sense that certifying synthesis can be integrated into existing synthesis algorithms. Therefore, we model certificates with labeled transition systems in the following. In this section, we restrict certificates to be deterministic. This avoids an exponential blowup due to determinization [23] when determining whether a strategy sticks to its own certificate. In Sect. 8, we lift this restriction and consider certificates modeled by nondeterministic transition systems. Note that while enforcing determinism may yield larger certificates, it does not rule out any strategy that can be found with nondeterministic certificates: Since strategies are per se deterministic, there exists at least one deterministic certificate for them: The strategy itself.
We model the certificate g i of a system process p i as a TS T G i , called guarantee transition system (GTS), over inputs I i and guarantee output variables O G i ⊆ O i . The computation of a GTS is the trace produced by it. Only considering a subset of O i as output variables allows the certificate to abstract from outputs of p i whose valuation is irrelevant for all other processes. In the following, we assume the guarantee output variables of p i to be both an output of p i and an input of some other process, i.e., i cannot be observed by any other process. Thus, a guarantee on its behavior does not influence any process and hence it can be omitted. The variables V G i of the GTS of p i are given by V G i : = I i ∪ O G i . In certifying synthesis, it is crucial that a strategy only needs to satisfy the specification if the other processes do not deviate from their certificates. For LTL certificates, we use an implication in the local objective to model this. When representing certificates as GTS, we use so-called valid histories to determine whether a sequence matches the certificates of the other processes.
Intuitively, a valid history with respect to a set G i of GTS is a finite sequence that is a prefix of a computation of all GTS in G i . Thus, a valid history can be produced by the parallel composition of the GTS. Note that since strategies cannot look into the future, a finite word satisfies the requirements of a valid history either for all of its infinite extensions or for none of them.
Running example Suppose that robot r 2 guarantees to give priority to r 1 at crossings and to move forward if r 1 is not at the crossing. A GTS g 2 for r 2 is depicted in Fig. 1. Since r 2 never outputs go 2 if r 1 is at the crossing (left state), the finite sequence {at_c 1 }{go 2 } is no valid history with respect to {g 2 }. Since r 2 outputs go 2 otherwise (right state), e.g., {at_c 2 }{go 2 } is a valid history with respect to {g 2 }.
Since valid histories determine whether the other processes deviate from their certificates, a strategy is required to locally satisfy the specification in certifying synthesis with GTS if its computation is a valid history respecting the GTS of the other processes:  Fig. 2 Strategy for robot r 1 . The labels of the states denote the output of the TS in the respective state Intuitively, requiring a strategy to locally satisfy a specification allows us to formulate the implication i → ϕ i used in certifying synthesis with LTL certificates also for certificates represented by GTS.
Running example If r 2 sticks to its certificate g 2 depicted in Fig. 1, r 1 can enter crossings regardless of r 2 . Such a strategy s 1 for r 1 is shown in Fig. 2. Since neither σ : = {at_c 1 }{go 2 } nor any finite sequence containing σ is a valid history with respect to g 2 , no transition for input go 2 has to be considered for local satisfaction when r 1 is at the crossing (left state). Therefore, these transitions are depicted in gray. Similarly, no transition for ¬go 2 has to be considered when r 1 is not at the crossing (right state). The other transitions match valid histories and thus they are taken into account. Since no crash occurs when considering the black transitions only, s 1 | {g 2 } ϕ safe ∧ ϕ cross i holds.
Using local satisfaction, we define certifying synthesis with GTS: Given a specification ϕ, certifying synthesis for ϕ derives strategies s 1 , . . . , s n and guarantee transition systems g 1 , . . . , g n for the system processes. For all p i , s i needs to locally satisfy its specification ϕ i with respect to the GTS of the other processes, i.e., To ensure that a strategy does not deviate from its certificate, g i is required to simulate s i , i.e., s i g i needs to hold.
In the following, we show that solutions of certifying synthesis with LTL certificates can be translated into solutions with GTS and vice versa. Intuitively, we construct LTL certificates from GTS that capture the exact behavior of the corresponding GTS: Lemma 5.1 Let ϕ be an LTL formula. Let S and G be vectors of strategies and GTS for the system processes, respectively. If (S, G) realizes ϕ, then there is a vector of LTL certificates such that (S, ) realizes ϕ.
Since strategies cannot look into the future, the above holds for all infinite extensions of σ and thus in particular for comp(s i , γ ) ∪ γ . Hence, by construction of ψ j , we have comp(s i , γ ) ∪ γ / ∈ L(ψ j ) and therefore comp( Given a solution of certifying synthesis with LTL certificates, we intuitively construct GTS that match the strategies of the given solution:  = g 1 , . . . , g n and G i : = {g j | p j ∈ P − \{ p i }}. We claim that (S, G) realizes ϕ. We show that s i g i and s i | G i ϕ i hold for all p i ∈ P − . Let p i ∈ P − . First, we prove s i g i : By construction of g i , s i and g i only differ in their labels and the labels agree on the variables in O G i . Since the variables in O G i are the only output variables that are shared by s i and g i and, in particular, O G i ⊆ O i holds, s i g i follows.
Next, we prove s i | G i ϕ i , i.e., we show that for all γ ∈ Hence, it follows that (S, G) indeed realizes ϕ.
Since we can translate solutions of certifying synthesis with LTL certificates and solutions of certifying synthesis with GTS into each other, we can reuse the results from Sect Hence, similar to LTL certificates, certifying synthesis with GTS allows for local reasoning and thus enables modularity of the system while it still ensures that correct solutions are found for all realizable specifications. In particular, enforcing certificates to be deterministic does not rule out strategies that can be obtained with certifying synthesis with nondeterministic certificates such as certificates given by LTL formulas.
Running example (Synthesizing Certificates) As an example of the synthesis procedure of a distributed system with certifying synthesis and GTS, consider the manufacturing robots from Sect. 2. For simplicity, suppose that the robots do not have individual additional requirements ϕ add i . Hence, the full specification is given by ϕ safe ∧ϕ cross 1 ∧ϕ cross 2 . Since go i is an output variable of robot r i , we obtain the subspecifications ϕ i = ϕ safe ∧ϕ cross i . A solution of certifying synthesis is then given by the strategies depicted in Figs. 2, 3 and GTS depicted in Figs. 1 and 4. Note that s 2 only locally satisfies ϕ cross 2 with respect to g 1 when assuming that r 1 is not immediately again at the intersection after crossing it. However, there are solutions with slightly more complicated certificates that do not need this assumption. The parallel composition of s 1 and s 2 is depicted in Fig. 5. It is a strategy that allows r 1 to move forwards if it is at the crossing and that allows r 2 to move forwards otherwise.

Computing relevant processes
Both variants of certifying synthesis introduced in the previous sections consider the certificates of all other system processes in the local objective of a process p i . This is not always necessary since ϕ i might be satisfiable even if another process deviates from its guaranteed behavior. In this section, we present an optimization of certifying synthesis that reduces the number of considered certificates. For every p i , we compute a set of relevant processes R i ⊆ P − \{ p i }.
Certifying synthesis then only considers the certificates of the relevant processes: For GTS, s i g i and s i | G R i ϕ i need to hold. We denote such solutions of certifying synthesis with (S, ) R and (S, G) R .
The construction of the set of relevant processes R i has to ensure that certifying synthesis is still sound and complete. In the following, we introduce a syntactic definition of relevant processes that does so. It excludes processes from p i 's set of relevant processes R i whose output variables do not occur in the subspecification ϕ i : Definition 6.1 (Relevant processes) Let ϕ be an LTL formula with decomposition ϕ 1 , . . . , ϕ n . The relevant processes Intuitively, since O j ∩ prop(ϕ i ) = ∅ holds for a process p j ∈ P − \R i with i = j, ϕ i does not restrict the satisfying valuations of the output variables of p j . Thus, if a sequence satisfies ϕ i , then it does so for any valuations of the variables in O j . Hence, the guaranteed behavior of p j does not influence the satisfiability of ϕ i and thus p i does not need to consider it: Theorem 6.1 Let ϕ be an LTL formula. Moreover, let S = s 1 , . . . , s n be a vector of strategies.
Next, we consider certificates represented by GTS. Suppose that s 1 || · · · || s n | ϕ holds. Let S and be the vectors of strategies and LTL certificates constructed as in the first part of this proof such that (S , ) R realizes ϕ. Let We construct a GTS g i as follows: g i is a copy of s i , yet, the labels of g i ignore output variables v ∈ O i that are not con- Then, (S , G) R realizes ϕ. For the proof, we refer to [15].
For certifying synthesis with relevant processes, we can only guarantee that for every vector of strategies s 1 , . . . , s n with s 1 || · · · || s n | ϕ, there are some strategies that are part of a solution of certifying synthesis. These strategies are not necessarily s 1 , . . . , s n : A strategy s i may make use of the certificate of a process p j outside of R i . That is, it may violate ϕ i on an input sequence γ that does not stick to g j although ϕ i is satisfiable for γ . Strategy s i is not required to satisfy ϕ i on γ , a strategy that may only consider the certificates of the relevant processes, however, is. As long as the definition of relevant processes allows for finding some solution of certifying synthesis, like the one introduced in Definition 6.1 does as a result of Theorem 6.1, certifying synthesis is nevertheless sound and complete.

Synthesizing certificates
In this section, we describe an algorithm for practically synthesizing strategies and certificates represented by GTS. Our approach is based on bounded synthesis [16] and bounds the size of the strategies and of the certificates. This allows for producing size-optimal solutions in either terms of strategies or certificates. Like for monolithic bounded synthesis [9,16], we encode the search for a solution of certifying synthesis of a certain size into a SAT constraint system. We reuse parts of the constraint system for monolithic systems.
An essential part of bounded synthesis is to determine whether a strategy s i satisfies an LTL formula ϕ i . To do so, we construct an equivalent universal co-Büchi automaton A i with L(A i ) = L(ϕ i ). Then, we check whether A i accepts comp(s i , γ ) ∪ γ for all γ ∈ (2 I i ) ω , γ ∈ (2 V \V i ) ω , i.e., whether all runs of A i induced by comp(s i , γ ) ∪ γ contain only finitely many visits to rejecting states. So far, we used local satisfaction to formalize that in compositional synthesis with GTS a strategy only needs to satisfy its specification as long as the other processes stick to their guarantees, i.e., we changed the satisfaction condition. To reuse existing algorithms for bounded synthesis, however, we now incorporate this property of certifying synthesis into the strategy instead: We utilize the observation that a finite run of an ω-automaton can never visit rejecting states infinitely often. Hence, by ensuring that the automaton produces finite runs on all sequences that deviate from a certificate, checking whether a strategy satisfies a specification can still be done by checking whether the runs of the automaton induced by the computations of the strategy visit rejecting states only finitely often.
In the following, we therefore model strategies with incomplete transition systems. The domain of definition of their transition function is defined such that the computation of a strategy is infinite if, and only if, the other processes stick to their guarantees: holds for all points in time t.
Intuitively, a local strategy thus omits all transitions that are invoked by an input that may only occur if the other processes deviate from their certificates.
Running example Consider strategy s 1 for robot r 1 and GTS g 2 for r 2 , depicted in Figs. 1 and 2, respectively. From s 1 , we can construct a local strategy s 1 for robot r 1 with respect to {g 2 } by eliminating the gray transitions.
Given a specification ϕ, certifying synthesis with local strategies derives GTS g 1 , . . . , g n and local strategies s 1 , . . . , s n respecting these guarantees, such that for all p i ∈ P − , s i g i holds and all runs of A i induced by comp(s i , γ ) ∪ γ contain only finitely many visits to rejecting states for all Every solution of certifying synthesis for a specification ϕ with local strategies can be translated into a solution of certifying synthesis for ϕ with local satisfaction and vice versa: We can extend the local strategy of p i with p i 's guaranteed behavior, i.e., we obtain a complete strategy from the local one by reconstructing the missing transitions from the corresponding GTS. Vice versa, we can restrict a complete strategy obtained by certifying synthesis with local satisfaction to those transitions that match the GTS of the other processes, i.e., we delete all transitions of the strategy that can only be taken if the other processes deviate from their specifications. For the formal constructions of the translations and their proofs of correctness, we refer to [15].
Yet, local strategies obtained by restricting complete strategies only realize ϕ if the satisfaction of each sub-specification ϕ i solely depends on the variables that the corresponding process can observe. This is due to a slight difference in the satisfaction of ϕ i with local strategies and local satisfaction with complete strategies: The latter requires a strategy s i to satisfy ϕ i if all processes stick to their guarantees. The former, in contrast, requires s i to satisfy ϕ i if all processes producing observable outputs stick to their guarantees. Hence, if p i cannot observe whether p j deviates from its guarantee, satisfaction with local strategies requires s i to satisfy ϕ i even if p j deviates, while local satisfaction does not.
Thus, while soundness of certifying synthesis with local strategies follows from the corresponding result for certifying synthesis with local satisfaction and the fact that the parallel composition of local strategies coincides with the parallel composition of their extensions, we only obtain conditional completeness: The slight difference between local strategies and local satisfaction yielding only conditional completeness for certifying synthesis with local strategies is needed in order to technically incorporate the requirements of certifying synthesis into the strategy and thus to be able to reuse existing bounded synthesis frameworks. Although this is at general completenesses expanse, we experienced that in practice many distributed systems indeed satisfy the condition that is needed for completeness. In fact, all benchmarks described in Sect. 9 satisfy it.
We encode the search for local strategies and GTS satisfying the requirements of certifying synthesis with local strategies into a SAT constraint system:

Theorem 7.2 Let A be an architecture, let ϕ be an LTL formula, and let B be the size bounds. There is a SAT constraint system C A,ϕ,B such that (1) if C A,ϕ,B is satisfiable, then ϕ is realizable in A, (2) if ϕ is realizable in A for the bounds B
and additionally prop(ϕ i ) ⊆ V i holds for all p i ∈ P − , then C A,ϕ,B is satisfiable.
The constraint system C A,ϕ,B consists of n slightly adapted copies of the SAT constraint system for monolithic systems [9,16], one for each system process. For each copy, we add variables encoding the GTS representing the certificates as well as constraints that ensure that the local strategies and certificates indeed fulfill the conditions of certifying synthesis: To ensure that s j g j holds, we add a constraint that explicitly encodes the existence of a simulation relation. To encode that the local strategies respect the GTS, we need to encode that s j only produces infinite sequences if the other processes do not deviate from their guarantees. To recognize whether the other processes stick to their guarantees, we extend s j with associated outputs: Variables that are inputs of p j and outputs of a relevant process p k ∈ R j of p j . Then, we require that s j simulates g k for every relevant process p k ∈ R j of p j with respect to the variables in I j ∩ O k . Note that we use a slightly more general definition of simulation here than introduced in the preliminaries: We do not require that I j = I k and O j ⊆ O k holds. Instead, we only consider successors for inputs that agree on shared variables and that may occur if the other processes stick to their guarantees. Then, we only require that the successors agree on the variables in I j ∩ O k . Moreover, we add a constraint encoding that the transition system representing s i only has an outgoing transition with a certain input if the valuations of s i 's associated outputs in it match the valuations of s i 's associated outputs in the current state. The constraint system C A,ϕ,B is presented in Fig. 6. A more detailed description of the single constraints is given in [15].
Note that we build a single constraint system for the whole certifying synthesis task. Thus, the strategies and certificates of the individual processes are not synthesized completely independently. This is one of the main differences of our approach to the negotiation-based assume-guarantee synthesis algorithm [21]. While this prevents separate synthesis tasks and thus parallelizability, it eliminates the need for a negotiation between the processes. Moreover, it allows for completeness of the synthesis algorithm. Although the syn-thesis tasks are not fully separated, the constraint system C A,ϕ,B is in most cases still significantly smaller and easier to solve than the one of classical distributed synthesis.

Adding nondeterminism to GTS
We focused on certifying synthesis with guarantee transition systems in the previous two sections, and in [14], since representing certificates with GTS ensures deterministic guarantees. This avoids the blowup of determinizing the certificate in order to check whether a strategy satisfies its own certificate. In this section, we investigate the effect of permitting nondeterminism in GTS. We first define nondeterministic guarantee transition systems (NGTS), adapt the notion of valid histories to NGTS, and define certifying synthesis with NGTS, both in the setting with local satisfaction and with local strategies. We establish soundness and completeness of certifying synthesis with NGTS. Moreover, we present the changes in the constraint system C A,ϕ,B that are needed to search for NGTS instead of GTS. Lastly, we discuss the advantages and disadvantages of permitting nondeterminism in the GTS.
We model the certificate g i of a process p i as a nondeterministic TS T G n,i = (T , t 0 , τ, o), called nondeterministic guarantee transition system (NGTS), over inputs I i and guarantee outputs O G i ⊆ O i . The NGTS is nondeterministic in the sense that both nondeterministic transitions and nondeterministic labelings are allowed. Thus, τ : The computation comp n (g j , γ ) of a NGTS g i on input γ ∈ (2 I i ) ω is the set of traces produced by g j on γ .
For NGTS, valid histories are similar to those for GTS. Yet, we require that one trace in the computation of the NGTS satisfies the requirements: holds for all k with 1 ≤ k ≤ t and all infinite extensionsσ of σ . H t G i denotes the set of all valid histories of length t with respect to G i .
Utilizing valid histories for NGTS, the definition of certifying synthesis with GTS directly carries over to NGTS: For ϕ, we derive strategies s 1 , . . . , s n and NGTS g 1 , . . . , g n such that both s i | G i ϕ i and s i g i hold for all p i ∈ P − . Soundness and completeness for NGTS then follows from Theorem 5.1 and the fact that we can resolve the nondeterministic choices in an NGTS while maintaining the properties of certifying synthesis: Proof Since every GTS is an NGTS as well, completeness follows immediately from Theorem 5.1. Next, suppose that there is a vector G = g 1 , . . . , g n of NGTS such that (S, G) realizes ϕ. Let g i be the GTS obtained by resolving nondeterminism in g i while maintaining the simulation requirements: g i is a copy of g i , yet, in every state we keep only a single label and, for every input, a single outgoing edge that satisfies the simulation requirements. Since s i g i holds by assumption, such a GTS always exists. Let G : = g 1 , . . . , g n and p i ∈ P − . By construction of g i , s i g i holds and s i | G i ϕ i since all valid histories with respect to G i are valid histories with respect to G i as well. Thus, (S, G ) realizes ϕ and hence s 1 || · · · || s n | ϕ follows with Theorem 5.1.
Nondeterministic GTS are particularly beneficial if a process only needs information about the behavior of another process in a certain step. For instance, consider a system with two processes p 1 , p 2 with specifications ϕ 1 Process p 2 only needs information about p 1 's behavior in the very first step, the other steps are irrelevant. The certificates for p 1 with GTS and NGTS are depicted in Fig. 7. With deterministic GTS, p 1 's certificate consists of five states, while the NGTS only has two states. Thus, the certificate size can be reduced significantly for certain specifications when using NGTS.
Moreover, permitting nondeterminism compensates overapproximations in the set of relevant processes: If knowledge on the behavior of a process is not needed although it is relevant according to the syntactic criterion stated in Definition 6.1, we can derive a single-state NGTS, while a deterministic GTS needs to describe the processes' full behavior on the guarantee outputs.
Similar to Theorem 8.1, certifying synthesis with GTS and local strategies carries over to NGTS. With the very same construction as for local satisfaction, soundness and conditional completeness follows: To practically synthesize a solution of certifying synthesis with NGTS, we encode the search for strategies and certificates into a SAT constraint system. We reuse most of the constraint system for certifying synthesis with GTS shown in Fig. 6, and only need to adapt a few variable encodings and constraints: The labeling function of the NGTS in state u for output v is not encoded by a single variable o G, j u,v anymore, but with two variables denoting that v is true or false in u, respectively, enabling that v can be both true and false. All constraints using the labeling function are adapted accordingly. Moreover, we drop the constraint encoding that there is at most one outgoing edge for every state and input, i.e., the constraint encoding determinism.
Due to the nondeterminism in the GTS, the search space clearly gets larger. However, it also allows for certificates   with fewer states, enabling us to find solutions with smaller bounds and thus to reduce the search space again. To investigate this trade-off on different benchmarks, we compare certifying synthesis with GTS and NGTS experimentally in the next section.

Experimental results
We have implemented certifying synthesis with local strategies and both deterministic and nondeterministic GTS. Our implementation expects an LTL formula and its decomposition as well as the system architecture and bounds on the strategy and certificate sizes as input. Specification decomposition can easily be automated by, e.g., implementing Definition 4.1. Our implementation extends the bounded synthesis tool BoSy [10] for monolithic systems to certifying synthesis for distributed systems. In particular, we extend and adapt BoSy's SAT encoding [9] as described in Sect. 7. We compare our deterministic approach to two extensions of BoSy: One for distributed systems [2] and one for synthesizing dominant process strategies separately, implementing  the compositional synthesis algorithm presented in [7]. The results are shown in Tables 1 and 2. We used a machine with a 3.1 GHz Dual-Core Intel Core i5 processor and 16 GB of RAM, and a timeout of 60 min. We use the SMT encoding of distributed BoSy since the other ones either do not support most of our architectures (QBF), or cause memory errors frequently (SAT). Since the running times of the underlying SMT solver vary immensely, we report on the average running time of 10 runs. Synthesizing dominant strategies separately is incomplete and thus we cannot report on results for all benchmarks. We could not compare our algorithm to the iterative distributed synthesis tool Agnes [21], since it currently does not support most of our architectures or specifications. Four benchmarks stem from the synthesis competition [17]. The latch is parameterized in the number of bits, the generalized buffer in the number of senders, the load balancer in the number of servers, and the shift in the number of inputs. The fifth benchmark, a ripple-carry adder, is parameterized in the number of bits. The last benchmark describes the robots from Sect. 2 and is parameterized in the size of the objectives ϕ add i . The system architectures are given in [15].
For the latch, the generalized buffer, the ripple-carry adder, and the shift, certifying synthesis clearly outperforms distributed BoSy. For many parameters, the latter does not terminate within 60 min, while certifying synthesis solves the tasks in less than 13 s. Here, a process does not need to know the full behavior of the relevant processes. Thus, the certificates are notably smaller than the strategies. A process of the adder, for instance, only needs information about the carry bit of the previous process, the sum bit is irrelevant.
In contrast, the load balancer requires the certificates to contain the full behavior of the processes. Thus, the benefit of the compositional approach lies solely in the specification decomposition. This advantage suffices to produce a solution faster than distributed BoSy. Yet, for other benchmarks with full certificates, the overhead of synthesizing certificates dominates the benefit of specification decomposition for larger parameters, showcasing that certifying synthesis is particularly beneficial if a small interface between the processes exists.
The robot benchmark is designed such that the interface stays small for all parameters. Thus, it demonstrates the advantage of abstracting away irrelevant behavior. We scale ϕ add i , while ϕ safe and ϕ cross i are not changed: k i denotes that r i needs to visit a machine in every k i th step. Certifying synthesis clearly outperforms distributed BoSy on all instances. The size of the solutions of certifying synthesis only depends on the parameter of the respective robot and the size of the other robot's certificate, which is two for all parameters, while the size of the solution with distributed BoSy depends on the parameters for both robots. Therefore, the solution sizes and thus the running times do not grow in parallel. This demonstrate that certifying synthesis is extremely beneficial for specifications where small certificates exist. This directly corresponds to the existence of a small interface between the processes of the system. Hence, bounding the size of the certificates indeed guides the synthesis procedure in finding solutions fast.
The weaker winning condition dominance [6] poses implicit assumptions on the behavior of the other processes. These assumptions do not always suffice: There are no independent dominant strategies for the load balancer, the ripple-carry adder, and the robots. While certifying synthesis performs better for the generalized buffer, the overhead of synthesizing explicit certificates becomes clear for the latch and the shift: For larger parameters, synthesizing dominant strategies outperforms certifying synthesis. However, the implicit assumptions do not encapsulate the required interface between the processes and thus they do not increase the understandability of the system's interconnections.
In a third line of experiments, we compared our implementations with GTS and NGTS. We synthesized solutions with NGTS for the benchmarks presented in Table 1. Note that there is no smaller NGTS for any of these benchmarks, i.e., there is no advantage in permitting nondeterminism. In contrast to GTS, the running times vary widely with NGTS. Most likely, permitting nondeterminism increases the degree of freedom and thus the possibility for the underlying SAT solver to "take a wrong path", yielding the varying running times. Hence, we consider the average running time over 10 runs. For smaller parameters, the running times of certifying synthesis with NGTS are similar to those with GTS. For larger parameters, the overhead increases: For the 7-ary latch, we have an overhead of 12%, for the generalized parameter with three senders of 11%, and for the shift with eight inputs of 23%.
To analyze the advantage of nondeterministic certificates, we consider a benchmark with two processes, where, similar to the example in Sect. 8, the NGTS for p 1 stays small, while the size of the GTS increases with the parameter. Here, due to the larger GTS certificate the strategy sizes for both p 1 and p 2 also increase. The results are shown in Table 3. Reported is the parameter, the strategy and certificate sizes (of the form: size strat. p 1 , size strat. p 2 -size cert. p 1 ), and the running time in seconds. For the second process, the certificate is of size 2 for all parameters Bold values highlight the lowest (and thus best) running time in the comparison depicted Permitting nondeterminism has a clear benefit on the running time: With GTS, certifying synthesis does not terminate within 60 min from k = 7 on, while we still synthesize a solution with NGTS in less than 8 min up to k = 20. The fact that not only the certificate sizes but also the strategy sizes increase for GTS has a great impact on this significant difference. For benchmarks where only the certificate sizes differ, the running times do not differ as much. Oftentimes, however, large certificates yield an increase in the strategy size as well. Hence, the experiment demonstrates again that certifying synthesis strives when solutions with small certificates exist.

Conclusion
We have presented a sound and complete synthesis algorithm that reduces the complexity of distributed synthesis by decomposing the global specification into local requirements on the individual processes. It synthesizes additional certificates that capture a certain behavior a process commits to. The certificates then form an assume-guarantee contract, allowing a process to rely on the other processes to not deviate from their guaranteed behavior. The certificates increase the understandability of the system and the solution since the certificates capture which agreements the processes have to establish. Moreover, the certificates form a contract between the processes: The synthesized strategies can be exchanged safely as long as the new strategy still complies with the contract, i.e., as long as it does not deviate from the certificate, enabling modularity. We have introduced two representations of the certificates, as LTL formulas and as labeled transition systems. For the latter one, we presented an encoding of the search for strategies and certificates into a SAT constraint solving problem. Moreover, we have introduced a technique for reducing the number of certificates that a process needs to consider by determining relevant processes. We have implemented the certifying synthesis algorithm and compared it to two extensions of the synthesis tool BoSy to distributed systems. Furthermore, we analyzed the advantage of permitting nondeterminism in the certificates. The results clearly show the advantage of compositional approaches as well as of guiding the synthesis procedure by bounding the size of the certificates: For benchmarks where small interfaces between the processes exist, certifying synthesis outperforms the other algorithms significantly. If no solution with small interfaces exist, the overhead of certifying synthesis is small. Permitting nondeterminism can reduce the strategy and certificate sizes significantly.
Funding Open Access funding enabled and organized by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.