Controller Synthesis for Hyperproperties
arXiv preprint [cs.LO]
Borzoo Bonakdarpour
Department of Computer Science and Engineering, Michigan State University, USA. Email: [email protected]
Bernd Finkbeiner
Reactive Systems Group, Saarland University, Germany. Email: [email protected]
Abstract—We investigate the problem of controller synthesis for hyperproperties specified in the temporal logic HyperLTL. Hyperproperties are system properties that relate multiple execution traces. Hyperproperties can elegantly express information-flow policies like noninterference and observational determinism. The controller synthesis problem is to automatically design a controller for a plant that ensures satisfaction of a given specification in the presence of the environment or adversarial actions. We show that the controller synthesis problem is decidable for HyperLTL specifications and finite-state plants. We provide a rigorous complexity analysis for different fragments of HyperLTL and different system types: tree-shaped, acyclic, and general graphs.
I. INTRODUCTION

In program synthesis, an algorithm automatically constructs a program that satisfies a given high-level specification given in some formal logic [1], [2]. The controller synthesis [3] problem is a specific form of program synthesis where we ask whether the controllable transitions of a given system, called the plant, can be selected in such a way that the resulting restricted system satisfies the given specification. Algorithms for this problem automate the design of a controller that ensures the satisfaction of the specification even in the presence of an adversary modeled by uncontrollable transitions. Synthesis guarantees correctness by construction, and it enables users to refrain from the error-prone process of developing software and, instead, to focus only on analyzing the functional behavior of the system. Thus, program synthesis exhibits its power particularly in automating the generation of intricate and complex parts of a system.

A particular area where synthesis can play an important role is the construction of systems where the flow of information is critical, for example to ensure confidentiality. This is because even a short transient violation of security or privacy policies may result in leaking private or highly sensitive information, compromising safety, or interrupting vital public or social services. The hacking of the emergency system in the city of Dallas [4], the Heartbleed error that leaked records of 4.5 million patients [5], the data leak at Yahoo, which resulted in stealing 500 million accounts [6], and the Goto Fail bug, where the encryption of more than 300 million devices was broken [7], only scratch the surface of high-profile examples of such security breaches. Synthesis with respect to security policies is of particular interest as it can construct protocols that are guaranteed to behave correctly in the presence of adversarial attacks or untrusted parties. Also, given a set of actions and primitives of parties that participate in a protocol, synthesis can be used to synthesize trusted third parties that mediate between other parties (see Section III for a concrete example of an application of controller synthesis to non-repudiation protocols).

In order to express and reason about information-flow security policies, we use the powerful formalism of hyperproperties [8]. Hyperproperties elevate trace properties from a set of execution traces to sets of sets of execution traces. Temporal logics for hyperproperties such as HyperLTL [9] have been introduced to give clear syntax and semantics to hyperproperties. HyperLTL allows for the simultaneous quantification over the temporal behavior of multiple execution traces. Atomic propositions are indexed to refer to specific traces. For example, noninterference [10] between a secret input h and a public output o can be specified in HyperLTL by stating that, for all pairs of traces π and π′, if the input is the same for all input variables I except h, then the output o must be the same at all times:

  ∀π. ∀π′. (⋀_{i ∈ I∖{h}} i_π = i_π′) ⇒ □(o_π = o_π′)

Another prominent example is generalized noninterference (GNI) [11], which can be expressed as the following HyperLTL formula:

  ∀π. ∀π′. ∃π″. □(h_π = h_π″) ∧ □(o_π′ = o_π″)

The existential quantifier is needed to allow for nondeterminism. Generalized noninterference permits nondeterminism in the low-observable behavior, but stipulates that low-security outputs may not be altered by the injection of high-security inputs.

Techniques for automatically constructing systems that satisfy a given set of information-flow properties are still in their infancy. The general synthesis problem for HyperLTL is known to be undecidable as soon as the formula contains two universal quantifiers [12]. To remedy this problem, bounded synthesis [12], [13] restricts the search to implementations up to a given bound on the number of states. Bounded synthesis is decidable, but still very difficult, because the transition structure of the controller must be found. Bounded synthesis has been successfully applied to examples such as the dining cryptographers [14], but does not seem to scale to large systems. Another prominent approach is program repair [15], where, for a given program that does not satisfy a HyperLTL property, transitions are eliminated until the program satisfies the property.
Program repair has the advantage that the repair directly works on the state space of the given program. However, program repair is not reactive in the sense that it does not allow for modeling the actions of an adversarial environment, which is vital to dealing with information-flow security.

TABLE I: Complexity of the HyperLTL controller synthesis problem in the size of the plant, where k is the number of quantifier alternations in the formula.

  HyperLTL fragment | Tree                      | Acyclic                        | General
  ------------------|---------------------------|--------------------------------|-------------------------------------
  E*                | L-complete (Theorem 1)    | NL-complete (Theorem 5)        | NL-complete (Theorem 9)
  E*A               | L-complete (Theorem 1)    | Σ^p_2 (Theorem 7)              | PSPACE-complete (Theorem 11)
  AE*               | P-complete (Theorem 2)    | Σ^p_2-complete (Theorem 8)     | PSPACE-complete (Theorem 11)
  AA+               | NP-complete (Corollary 1) | NP-complete (Theorem 6)        | NP-complete (Theorem 10)
  (E*A*)^k, k ≥ 1   | NP-complete (Corollary 1) | Σ^p_k-complete (Theorem 8)     | (k−1)-EXPSPACE-complete (Theorem 11)
  (A*E*)^k, k ≥ 1   | NP-complete (Corollary 1) | Σ^p_{k+1}-complete (Theorem 8) | (k−1)-EXPSPACE-complete (Theorem 11)
  (A*E*)*           | NP-complete (Corollary 1) | PSPACE (Corollary 3)           | NONELEMENTARY (Corollary 4)

This limitation is addressed by controller synthesis. Controller synthesis is based on a plant, which describes the system behavior in terms of controllable and uncontrollable transitions. Like program repair, controller synthesis has the advantage that the state space is already given. Unlike program repair, controller synthesis distinguishes between controllable and uncontrollable transitions and therefore considers an adversary. The synthesized controller guarantees that, no matter how the adversary behaves, the specification is satisfied.

In this paper, we study the controller synthesis problem of finite-state systems with respect to HyperLTL specifications. We provide a detailed analysis of the complexity of the controller synthesis problem for different fragments of HyperLTL and different shapes of the plants, motivated by the following observations:

• The security and privacy policies of interest vary in the quantifier structure that is needed to express the policy in HyperLTL. Typical examples are ∀∀ (noninterference), ∀∀∃ (generalized noninterference), and ∀∃ (noninference) [9]. Data minimization, a popular privacy technique, is of the form ∀∀∃∃ [16]. The non-repudiation protocol discussed in Section III is specified with a HyperLTL formula of the form ∃∀∀∀.

• The protocols and systems of interest vary in the shape of their state graphs. We are interested in general, acyclic, and tree-shaped plants. The need for investigating the controller synthesis problem for tree-shaped and acyclic plants stems from two reasons. First, many trace logs are in the form of a simple linear collection of the traces seen so far. Or, for space efficiency, the traces are organized by common prefixes and assembled into a tree-shaped graph, or by common prefixes as well as suffixes and assembled into an acyclic graph. These example scenarios can be used to synthesize protocols, as has been done for synthesizing distributed algorithms [17] that respect certain safety and liveness constraints. In the context of security/privacy, the example scenarios would be used to synthesize a complete protocol that satisfies a set of hyperproperties. The second reason is that tree-shaped and acyclic graphs often occur as the natural representation of the state space of a protocol. For example, certain security protocols, such as non-repudiation, authentication, and session-based protocols (e.g., TLS, SSL, SIP), go through a finite sequence of phases, resulting in an acyclic plant. A detailed example of synthesizing a tree-shaped non-repudiation protocol is presented in Section III.

We investigate the difficulty of the controller synthesis problem with respect to different combinations of the quantifier structure of the HyperLTL formula and the shape of the plant. Table I summarizes the results of this paper. The complexities are in the size of the plant. This system complexity is the most relevant complexity in practice, because the system tends to be much larger than the specification. Our results show that the shape of the plant plays a crucial role in the complexity of the controller synthesis problem.

• Trees. For trees, the complexity in the size of the plant does not go beyond NP. The problem for the existential alternation-free fragment and the fragment with one quantifier alternation where the leading quantifier is existential is L-complete. The problem for the fragment with one quantifier alternation where the leading quantifier is universal is P-complete. However, the problem becomes NP-complete as soon as there are two leading universal quantifiers.

• Acyclic graphs. For acyclic plants, the complexity is NL-complete for the existential fragment. Similar to tree-shaped graphs, the problem becomes NP-complete as soon as there are two leading universal quantifiers. Furthermore, the complexity is in the level of the polynomial hierarchy that corresponds to the number of quantifier alternations.

• General graphs. For general plants, the complexity is NL-complete for the existential fragment and NP-complete for the universal fragment. The complexity is PSPACE-complete for the fragment with one quantifier alternation and (k−1)-EXPSPACE-complete in the number k of quantifier alternations.

Surprisingly, the complexities identified in Table I are very much aligned with those reported for the program repair problem [15]. The main exceptions are the complexities for the universal alternation-free fragment in tree-shaped and acyclic graphs, which are NP-complete in the case of controller synthesis and L-complete and NL-complete, respectively, in the case of the repair problem. This fragment is of particular interest, as it hosts many of the important information-flow security policies.

We believe that the results of this paper provide the fundamental understanding of the controller synthesis problem for secure information flow and pave the way for further research on developing efficient and scalable techniques.
Organization:
The remainder of this paper is organized as follows. In Section II, we review HyperLTL. We present a detailed motivating example in Section III. The formal statement of the controller synthesis problem is in Section IV. Section V presents our results on the complexity of controller synthesis for HyperLTL in the size of tree-shaped plants. Sections VI and VII present the results on the complexity of synthesis in acyclic and general graphs, respectively. We discuss related work in Section VIII and conclude with a discussion of future work in Section IX.

II. PRELIMINARIES
A. Plants
Let AP be a finite set of atomic propositions and Σ = 2^AP be the alphabet. A letter is an element of Σ. A trace t ∈ Σ^ω over alphabet Σ is an infinite sequence of letters: t = t(0) t(1) t(2) ...

Definition 1: A plant is a tuple P = ⟨S, s_init, c, u, L⟩, where
• S is a finite set of states;
• s_init ∈ S is the initial state;
• c, u ⊆ S × S are the sets of controllable and uncontrollable transitions, respectively, where c ∩ u = {}, and
• L : S → Σ is a labeling function on the states of P.
We require that for each s ∈ S there exists s′ ∈ S such that (s, s′) ∈ c ∪ u.

Figure 1 shows an example plant, where transition (s_init, s) is an uncontrollable transition while the rest are controllable, and L(s_init) = {a}, L(s) = {b}, etc. The size of the plant is the number of its states.

Fig. 1: An acyclic plant (figure not reproduced; its four states are labeled {a}, {a}, {b}, {b}).

The directed graph F = ⟨S, c ∪ u⟩ is called the frame of the plant P. A loop in F is a finite sequence s_0 s_1 ··· s_n such that (s_i, s_{i+1}) ∈ c ∪ u for all 0 ≤ i < n, and (s_n, s_0) ∈ c ∪ u. We call a frame acyclic if the only loops are self-loops on terminal states, i.e., on states that have no other outgoing transition. We call a frame tree-shaped, or, in short, a tree, if every state s has a unique state s′ with (s′, s) ∈ c ∪ u, except for the root node, which has no predecessor, and the leaf nodes, which, again because of Definition 1, additionally have a self-loop but no other outgoing transitions. In some cases, the system at hand is given as a tree-shaped or acyclic plant. Examples include session-based security protocols and space-efficient execution logs, because trees allow us to organize the traces according to common prefixes and acyclic graphs according to both common prefixes and common suffixes.

A path of a plant is an infinite sequence of states s(0) s(1) ··· ∈ S^ω such that
• s(0) = s_init, and
• (s(i), s(i+1)) ∈ c ∪ u for all i ≥ 0.
A trace of a plant is a trace t(0) t(1) t(2) ··· ∈ Σ^ω such that there exists a path s(0) s(1) ··· ∈ S^ω with t(i) = L(s(i)) for all i ≥ 0. We denote by Traces(P) the set of all traces of P with paths that start in state s_init.

B. The Temporal Logic HyperLTL
HyperLTL [9] is an extension of linear-time temporal logic (LTL) for hyperproperties. The syntax of HyperLTL formulas is defined inductively by the following grammar:

  ϕ ::= ∃π.ϕ | ∀π.ϕ | φ
  φ ::= true | a_π | ¬φ | φ ∨ φ | φ U φ | ○φ

where a ∈ AP is an atomic proposition and π is a trace variable from an infinite supply of variables V. The Boolean connectives ¬ and ∨ have the usual meaning, U is the temporal until operator and ○ is the temporal next operator. We also consider the usual derived Boolean connectives, such as ∧, ⇒, and ⇔, and the derived temporal operators eventually ◇ϕ ≡ true U ϕ and globally □ϕ ≡ ¬◇¬ϕ. The quantified formulas ∃π and ∀π are read as 'along some trace π' and 'along all traces π', respectively. For example, the following formula:

  ∀π. ∀π′. □(a_π ⇔ a_π′)

intends to express that every pair of traces should always agree on the position of proposition a.

The semantics of HyperLTL is defined with respect to a trace assignment, a partial mapping Π : V → Σ^ω. The assignment with empty domain is denoted by Π_∅. Given a trace assignment Π, a trace variable π, and a concrete trace t ∈ Σ^ω, we denote by Π[π → t] the assignment that coincides with Π everywhere but at π, which is mapped to trace t. Furthermore, Π[j, ∞] denotes the assignment mapping each trace π in Π's domain to Π(π)(j) Π(π)(j+1) Π(π)(j+2) ···. The satisfaction of a HyperLTL formula ϕ over a trace assignment Π and a set of traces T ⊆ Σ^ω, denoted by T, Π ⊨ ϕ, is defined as follows:

  T, Π ⊨ true
  T, Π ⊨ a_π        iff  a ∈ Π(π)(0),
  T, Π ⊨ ¬ψ         iff  T, Π ⊭ ψ,
  T, Π ⊨ ψ_1 ∨ ψ_2  iff  T, Π ⊨ ψ_1 or T, Π ⊨ ψ_2,
  T, Π ⊨ ○ψ         iff  T, Π[1, ∞] ⊨ ψ,
  T, Π ⊨ ψ_1 U ψ_2  iff  ∃i ≥ 0 : T, Π[i, ∞] ⊨ ψ_2 ∧ ∀j ∈ [0, i) : T, Π[j, ∞] ⊨ ψ_1,
  T, Π ⊨ ∃π. ψ      iff  ∃t ∈ T : T, Π[π → t] ⊨ ψ,
  T, Π ⊨ ∀π. ψ      iff  ∀t ∈ T : T, Π[π → t] ⊨ ψ.

We say that a set T of traces satisfies a sentence ϕ, denoted by T ⊨ ϕ, if T, Π_∅ ⊨ ϕ. If the set T = Traces(P) is generated by a plant P, we write P ⊨ ϕ.

III. MOTIVATING EXAMPLE
In order to motivate the decision problem described in Section IV, we consider the application of controller synthesis to construct a trusted third party for a fair non-repudiation protocol. The purpose of a non-repudiation protocol is to allow two parties to exchange a message without any party being able to deny having participated in the exchange. For this purpose, the recipient of the message obtains a non-repudiation of origin (NRO) evidence and the sender of the message obtains a non-repudiation of receipt (NRR) evidence. The protocol is effective if it is possible to successfully transmit the message to the recipient and the evidence to both parties. The protocol is fair if it is furthermore impossible for one party to obtain the evidence without the other party also receiving the evidence. Fairness in an effective protocol cannot be obtained without an external trusted agent, called the trusted third party, which mediates the message exchange and ensures the delivery of the evidence. We now consider the problem of synthesizing such a trusted third party from the specification of fairness and effectiveness.

Let A be the sender of the message, B be the receiver, and T the trusted third party. A has 5 possible actions, corresponding to sending the message m or the NRO to either B or to T, or, alternatively, doing nothing at all:

  Act_A = { A→B:m, A→T:m, A→B:NRO, A→T:NRO, A:skip }.

Likewise, B can send the NRR to A or T, or do nothing at all:

  Act_B = { B→A:NRR, B→T:NRR, B:skip }.

T can send the NRR to A, the NRO or m to B, or do nothing at all:

  Act_T = { T→A:NRR, T→B:NRO, T→B:m, T:skip }.

We assume that the three parties take turns and interact in a fixed number of rounds. The plant, thus, is tree-shaped, where along each branch the states belong first to A, then to T, then to B, and then again A, then T, then B, etc. States that belong to A branch according to the actions in Act_A, likewise states that belong to T branch according to Act_T, and states that belong to B according to Act_B. We label the states with the atomic propositions AP = {m, NRR, NRO} ∪ Act_A ∪ Act_T ∪ Act_B, where m indicates that B has received the message, NRO that B has received the NRO, NRR that A has received the NRR, and one of the actions in Act_A ∪ Act_T ∪ Act_B that the respective action has just occurred. Since we are interested in synthesizing the trusted third party, the outgoing transitions of states belonging to T are controllable; all other transitions are uncontrollable. That is, we are only allowed to manipulate the behavior of the trusted third party and not the original participants in the protocol.

We specify effectiveness by requiring that there is a sequence of actions π such that the message, the NRR, and the NRO get received. For fairness, we additionally require that if either A executes the actions according to π (and B behaves arbitrarily) or B executes π (and A behaves arbitrarily), then it must still hold that the NRR gets received if and only if the NRO gets received.

  ϕ = ∃π. ∀π′.  ◇m_π ∧ ◇NRR_π ∧ ◇NRO_π                                        (effectiveness)
              ∧ ( □(⋀_{a ∈ Act_A} a_π ⇔ a_π′) ⇒ (◇NRR_π′ ⇔ ◇NRO_π′) )         (fairness for A)
              ∧ ( □(⋀_{a ∈ Act_B} a_π ⇔ a_π′) ⇒ (◇NRR_π′ ⇔ ◇NRO_π′) )         (fairness for B)

The following trusted third party is a correct solution to the controller synthesis problem:

  T_correct:
  (1) skip until A: m → T;
  (2) skip until A: NRO → T;
  (3) T → B: m;
  (4) skip until B → T: NRR;
  (5) T → B: NRO;
  (6) T → A: NRR.

An incorrect solution to the controller synthesis problem would, for example, be a trusted third party that does not wait for the NRR from B before forwarding the NRO from A to B: now B could quit the protocol without ever providing the NRR.

  T_incorrect:
  (1) skip until A: m → T;
  (2) skip until A: NRO → T;
  (3) T → B: m;
  (4) T → B: NRO;
  (5) skip until B → T: NRR;
  (6) T → A: NRR.

T_incorrect violates the fairness requirement for A. Note, however, that ϕ also admits the following, somewhat counter-intuitive, solution T_strange:

  T_strange:
  (1) skip until A: m → B;
  (2) T → B: NRO;
  (3) T → A: NRR.

In this solution, T transmits the NRO and NRR even though the message m was sent directly from A to B without ever going through T. The reason why T_strange can do this is that it can choose its actions based on complete information, i.e., based on the position in the tree. If we wish to restrict the possible solutions for T to only those that are based only on the messages actually received by T, we need to add a consistency condition for incomplete information:

  ∀π. ∀π′. (⋀_{o ∈ Obs_T} o_π ↔ o_π′) ⇒ (⋀_{a ∈ Act_T} a_π ⇔ a_π′)

where Obs_T = { A→T:m, A→T:NRO, B→T:NRR } consists of the actions that send a message to T.

Constructing a trusted third party for fair non-repudiation thus requires solving a controller synthesis problem for a tree-shaped plant. For effectiveness and fairness, a HyperLTL formula with quantifier prefix ∃π.∀π′ is required; for consistency under incomplete information, additionally a HyperLTL formula with quantifier prefix ∀π.∀π′.

IV. PROBLEM STATEMENT
The controller synthesis problem is the following decision problem. Let P = ⟨S, s_init, c, u, L⟩ be a plant and ϕ be a closed HyperLTL formula, where P may or may not satisfy ϕ. Does there exist a plant P′ = ⟨S′, s′_init, c′, u′, L′⟩ such that:
• S′ = S,
• s′_init = s_init,
• c′ ⊆ c,
• u′ = u,
• L′ = L, and
• P′ ⊨ ϕ?
In other words, the goal of the controller synthesis problem is to identify a plant P′, whose set of traces is a subset of the traces of P, that satisfies ϕ, by only restricting the controllable transitions and without removing any uncontrollable transitions. Note that since the witness to the decision problem is a plant, following Definition 1, it is implicitly implied that in P′, for every state s ∈ S′, there exists a state s′ such that (s, s′) ∈ c′ ∪ u′. I.e., the synthesis does not create a deadlock state.

We use the following notation to distinguish the different variations of the problem: CS[Fragment, Frame Type], where
• CS is the controller synthesis decision problem as described above;
• Fragment is one of the following for ϕ:
  ◦ We use regular expressions to denote the order and pattern of repetition of quantifiers. For example, E*A*-HyperLTL denotes the fragment where an arbitrary (possibly zero) number of existential quantifiers is followed by an arbitrary (possibly zero) number of universal quantifiers. Also, AE+-HyperLTL means a lead universal quantifier followed by one or more existential quantifiers. E^{≤1}A*-HyperLTL denotes the fragment where zero or one existential quantifier is followed by an arbitrary number of universal quantifiers.
  ◦ (EA)^k-HyperLTL, for k ≥ 0, denotes the fragment with k alternations and a lead existential quantifier, where k = 0 means an alternation-free formula with only existential quantifiers;
  ◦ (AE)^k-HyperLTL, for k ≥ 0, denotes the fragment with k alternations and a lead universal quantifier, where k = 0 means an alternation-free formula with only universal quantifiers;
  ◦ HyperLTL is the full logic HyperLTL, and
• Frame Type is either tree, acyclic, or general.

V. COMPLEXITY OF CONTROLLER SYNTHESIS FOR TREE-SHAPED GRAPHS
We begin by analyzing the complexity of the controller synthesis problem for tree-shaped plants.
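Before the complexity analysis, the semantics of Section II.B and the decision problem of Section IV as an added worked example (not code from the paper): a HyperLTL evaluator over the finitely many traces of a tree-shaped or acyclic plant, and a brute-force decision procedure for CS[HyperLTL, acyclic] that enumerates subsets of the controllable transitions. The plant, the state names and the formulas NI, GNI and NO_SECRET are constructed for this illustration.

```python
from itertools import product

# HyperLTL semantics (Section II.B) over the finitely many traces of a tree-shaped
# or acyclic plant.  A trace is a tuple of letters (frozensets of APs); its last
# letter is the terminal self-loop and repeats forever.

def letter(t, i):
    """Letter t(i); beyond the stored prefix the terminal letter repeats."""
    return t[i] if i < len(t) else t[-1]

def shift(assign, j):
    """Pi[j, inf]: every assigned trace loses its first j letters."""
    return {v: (t[j:] if j < len(t) else t[-1:]) for v, t in assign.items()}

def sat(f, traces, assign):
    """T, Pi |= f.  Formulas are nested tuples: ('true',), ('ap', a, v),
    ('not', f), ('or', f, g), ('X', f), ('U', f, g), ('E', v, f), ('A', v, f)
    and the derived ('and'|'implies'|'iff', f, g), ('F', f), ('G', f)."""
    op = f[0]
    if op == 'true':    return True
    if op == 'ap':      return f[1] in letter(assign[f[2]], 0)
    if op == 'not':     return not sat(f[1], traces, assign)
    if op == 'or':      return sat(f[1], traces, assign) or sat(f[2], traces, assign)
    if op == 'and':     return sat(f[1], traces, assign) and sat(f[2], traces, assign)
    if op == 'implies': return not sat(f[1], traces, assign) or sat(f[2], traces, assign)
    if op == 'iff':     return sat(f[1], traces, assign) == sat(f[2], traces, assign)
    if op == 'X':       return sat(f[1], traces, shift(assign, 1))
    if op == 'F':       return sat(('U', ('true',), f[1]), traces, assign)
    if op == 'G':       return not sat(('F', ('not', f[1])), traces, assign)
    if op == 'E':       return any(sat(f[2], traces, {**assign, f[1]: t}) for t in traces)
    if op == 'A':       return all(sat(f[2], traces, {**assign, f[1]: t}) for t in traces)
    if op == 'U':
        # Once every assigned trace sits on its terminal letter the body's value
        # is constant, so positions 0..max_len-1 cover all distinct suffixes.  The
        # first position satisfying f[2] decides: an earlier failure of f[1]
        # would equally precede any later candidate.
        for i in range(max(len(t) for t in assign.values())):
            if sat(f[2], traces, shift(assign, i)):
                return all(sat(f[1], traces, shift(assign, j)) for j in range(i))
        return False
    raise ValueError(f"unknown operator {op!r}")

# Plants (Section II.A) as transition sets plus a labeling; the decision problem
# of Section IV asks for c' ⊆ c with u' = u and no deadlock (Definition 1).

def traces_of(init, edges, label):
    """Traces(P) of an acyclic plant: every path from s_init to a terminal state
    (one whose only outgoing transition is its self-loop)."""
    result = []
    def walk(s, path):
        succ = sorted(t for (u, t) in edges if u == s)
        if succ == [s]:
            result.append(tuple(label[q] for q in path))
        for t in succ:
            if t != s:
                walk(t, path + [t])
    walk(init, [init])
    return result

def synthesize(states, init, ctrl, unctrl, label, phi):
    """Brute-force CS[HyperLTL, acyclic]: try every subset c' of the controllable
    transitions and return the first whose plant is deadlock-free and satisfies
    phi, or None.  Exponential in |c|, so only for tiny plants."""
    ctrl = sorted(ctrl)
    for keep in product([False, True], repeat=len(ctrl)):
        edges = {e for e, k in zip(ctrl, keep) if k} | unctrl
        if (all(any(u == s for (u, _) in edges) for s in states)
                and sat(phi, traces_of(init, edges, label), {})):
            return edges - unctrl
    return None

# Constructed sample plant (not from the paper): an uncontrollable secret input
# h, then a controllable choice of the public output o; the four terminal states
# carry uncontrollable self-loops.
LABEL = {'init': frozenset(), 'h1': frozenset({'h'}), 'h0': frozenset(),
         'h1_o1': frozenset({'o'}), 'h1_o0': frozenset(),
         'h0_o1': frozenset({'o'}), 'h0_o0': frozenset()}
STATES = set(LABEL)
UNCTRL = {('init', 'h1'), ('init', 'h0')} | {(s, s) for s in STATES if '_' in s}
CTRL = {('h1', 'h1_o1'), ('h1', 'h1_o0'), ('h0', 'h0_o1'), ('h0', 'h0_o0')}

# Noninterference from Section I with I = {h}: the premise over I \ {h} is empty,
# so all pairs of traces must agree on o at all times.
NI = ('A', 'p', ('A', 'q', ('G', ('iff', ('ap', 'o', 'p'), ('ap', 'o', 'q')))))
# Generalized noninterference: some trace pairs p's secret with q's output.
GNI = ('A', 'p', ('A', 'q', ('E', 'r', ('and',
          ('G', ('iff', ('ap', 'h', 'p'), ('ap', 'h', 'r'))),
          ('G', ('iff', ('ap', 'o', 'q'), ('ap', 'o', 'r')))))))
# Unrealisable: the secret branch is uncontrollable and cannot be removed.
NO_SECRET = ('A', 'p', ('G', ('not', ('ap', 'h', 'p'))))

def demo():
    full = traces_of('init', CTRL | UNCTRL, LABEL)
    return (sat(NI, full, {}), sat(GNI, full, {}),
            synthesize(STATES, 'init', CTRL, UNCTRL, LABEL, NI),
            synthesize(STATES, 'init', CTRL, UNCTRL, LABEL, NO_SECRET))

if __name__ == '__main__':
    print(demo())   # (False, True, {('h0', 'h0_o1'), ('h1', 'h1_o1')}, None)
```

The unrestricted plant violates NI but satisfies GNI; the synthesized controller fixes the output to o on both secret branches, and no controller can make the secret disappear because the branch into it is uncontrollable.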
A. The E*A Fragment
Our first result is that the controller synthesis problem for tree-shaped plants can be solved in logarithmic space in the size of the plant for the fragment with only one quantifier alternation, where the leading quantifier is existential and there is only one universal quantifier. This fragment is the least expensive to deal with in tree-shaped plants and, interestingly, the complexity is the same as for the model checking [18] and model repair [15] problems.
Theorem 1: CS[E*A-HyperLTL, tree] is L-complete in the size of the plant.
Proof:
We first show membership in L. We note that the number of traces in a tree is bounded by the number of states, i.e., the size of the plant. The synthesis algorithm enumerates (using the complete plant) all possible assignments for the existential trace quantifiers. For each existential trace variable, we need a counter up to the number of traces, which requires only a logarithmic number of bits in the size of the plant. For the universal quantifier, the algorithm first checks if assigning one of the traces that have already been assigned to the existential quantifiers now to the universal quantifier would violate the formula. If so, the existential assignment is disregarded. Otherwise, the algorithm proceeds to check if the traces that must implicitly be present (because of uncontrollable transitions or because of potential deadlocks) satisfy the formula. For this purpose, the algorithm evaluates the nodes of the tree bottom-up, such that a controller exists iff the root node evaluates positively.

Let n be a node in the tree whose children are all leaves. If all outgoing transitions are controllable, then n evaluates positively iff assigning the trace of one of the children to the universally quantified variable satisfies the formula. If at least one of the transitions is uncontrollable, then n evaluates positively iff all such assignments satisfy the formula.

Now, let m be a node further upward in the tree. If all outgoing transitions are controllable, then the node evaluates to true iff some child evaluates to true. We evaluate bottom-up the first child by moving to the first leaf node reachable from the first child. If the evaluation is negative, we move to the first leaf node reachable from the second child, etc. If the evaluation of one of the children is positive, we proceed to m's parent with a positive evaluation. If we have reached the last child with a negative evaluation, we proceed to the parent with a negative evaluation.

If there is at least one uncontrollable transition, we disregard the controllable transitions and only step through the uncontrollable transitions, initially by moving to the first leaf reachable through the first uncontrollable transition. If the evaluation is positive, we move to the first leaf node reachable from the second child, etc. If the evaluation of one of the children is negative, we proceed to the parent with a negative evaluation. If we have reached the last child with a positive evaluation, we proceed to m's parent with a positive evaluation.

The algorithm terminates when the root node has been evaluated. During the entire bottom-up traversal, we only need to store a pointer to a single node of the tree in memory, which can be done with logarithmically many bits.

In order to show completeness, we prove that the controller synthesis problem for the existential fragment is L-hard. The L-hardness for CS[E*-HyperLTL, tree] follows from the L-hardness of ORD [19]. ORD is the graph-reachability problem for directed line graphs. Graph reachability from s to t can be checked with the synthesis problems for ∃π. ◇(s_π ∧ ◇t_π) or ∀π. ◇(s_π ∧ ◇t_π).

B. The AE* Fragment
We now study the complexity of the controller synthesis problem for the fragment with only one quantifier alternation, where the leading quantifier is universal.
Theorem 2: CS[AE*-HyperLTL, tree] is P-complete in the size of the plant.
Proof:
We show membership in P with a simple marking algorithm. Let ϕ = ∀π_1. ∃π_2. ψ. We begin by marking all leaves. We then proceed in several rounds, such that in each round at least one mark is removed. We hence terminate within linearly many rounds in the size of the tree-shaped plant.

In each round, we go through all marked leaves v and instantiate π_1 with the trace leading to v. We then again go through all marked leaves v′ and instantiate π_2 with the trace leading to v′, and check ψ on the pair of traces, which can be done in linear time [18]. If the check is successful for some instantiation of π_2, we leave v marked; otherwise we remove the mark. If no mark was removed by the end of the round, we terminate. Each round of the marking algorithm takes linear time in the size of the tree; the complete algorithm thus takes quadratic time. Once the marking algorithm has terminated, we remove all branches of the tree that are not marked. As established by the final round of the marking algorithm, the remaining tree satisfies ϕ. For additional existential quantifiers, we go in each round through the possible instantiations of all the existential quantifiers, which can be done in polynomial time. In case we reach a situation where the only way to satisfy the formula is to remove an uncontrollable transition, the answer to the synthesis problem is negative.

For the lower bound, we reduce HORN-SAT, which is P-complete, to the synthesis problem for AE* formulas. HORN-SAT is the following problem:

  Let X = {x_1, x_2, ..., x_n} be a set of propositional variables. A Horn clause is a clause over X with at most one positive literal. Is y = y_1 ∧ y_2 ∧ ··· ∧ y_m, where each y_j is a Horn clause for all j ∈ [1, m], satisfiable? That is, does there exist an assignment of truth values to the variables in X such that all clauses of y evaluate to true?

In the following, we work with a modified version of HORN-SAT, where every clause consists of two negative and one positive literal.
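The marking algorithm from the membership half of the proof above, as an added example that is not the paper's code: it decides CS[AE*-HyperLTL, tree] for a formula ∀π.∃π′_1…∃π′_k. ψ, where ψ is supplied as a Python predicate on the quantified traces, and it reports a negative answer when pruning an unmarked branch would remove an uncontrollable transition. The plant, its state names and the noninference-style body are constructed for this illustration.

```python
from itertools import product

def leaf_traces(init, edges, label):
    """For a tree-shaped plant, map each leaf (a terminal state whose only
    outgoing transition is its self-loop) to its trace, the tuple of labels
    along the unique root path; also return the parent map."""
    parent, order = {}, [init]
    for s in order:                        # breadth-first walk of the tree
        for (u, t) in edges:
            if u == s and t != s:
                parent[t] = s
                order.append(t)
    def trace(v):
        path = [v]
        while path[-1] != init:
            path.append(parent[path[-1]])
        return tuple(label[s] for s in reversed(path))
    leaves = [s for s in order if all(t == s for (u, t) in edges if u == s)]
    return {v: trace(v) for v in leaves}, parent

def synthesize_AE(init, ctrl, unctrl, label, psi, k=1):
    """CS[AE*-HyperLTL, tree] by marking.  The formula is ∀π.∃π'_1...∃π'_k. ψ,
    with psi(t, (t'_1, ..., t'_k)) deciding the quantifier-free body on traces.
    Returns the set c' of controllable transitions to keep, or None."""
    edges = ctrl | unctrl
    traces, parent = leaf_traces(init, edges, label)
    marked = set(traces)
    # Marking rounds: a leaf keeps its mark only if its trace, together with some
    # tuple of traces of currently marked leaves, satisfies the body.  A round
    # that changes anything removes at least one mark, so at most |leaves| run.
    while True:
        survivors = {v for v in marked
                     if any(psi(traces[v], tuple(traces[w] for w in ws))
                            for ws in product(sorted(marked), repeat=k))}
        if survivors == marked:
            break
        marked = survivors
    # Keep exactly the states on a path from the root to a marked leaf.
    kept = set()
    for v in marked:
        while v not in kept:
            kept.add(v)
            if v == init:
                break
            v = parent[v]
    if init not in kept:
        return None                        # no leaf survived: the root deadlocks
    # Removing an unmarked branch means dropping the transition into it.  If that
    # transition is uncontrollable the branch cannot be removed and no controller
    # exists; otherwise c' is c minus exactly those transitions.
    cut = {(u, t) for (u, t) in edges if u in kept and t not in kept}
    return None if cut & unctrl else ctrl - cut

# Constructed sample plant (not from the paper): an uncontrollable secret h,
# then a controllable public output o; terminal states have uncontrollable
# self-loops.  On the h=0 branch the system can only emit o.
LABEL = {'init': frozenset(), 'h1': frozenset({'h'}), 'h0': frozenset(),
         'h1_o1': frozenset({'o'}), 'h1_o0': frozenset(), 'h0_o1': frozenset({'o'})}
UNCTRL = {('init', 'h1'), ('init', 'h0'),
          ('h1_o1', 'h1_o1'), ('h1_o0', 'h1_o0'), ('h0_o1', 'h0_o1')}
CTRL = {('h1', 'h1_o1'), ('h1', 'h1_o0'), ('h0', 'h0_o1')}

def always_agree(t, u, a):
    """□(a_t ⇔ a_u) for two traces whose terminal letters repeat forever."""
    n = max(len(t), len(u))
    return all((a in t[min(i, len(t) - 1)]) == (a in u[min(i, len(u) - 1)])
               for i in range(n))

def noninference_body(t, ws):
    """Body of ∀π.∃π'. ○(h_π ⊕ h_π') ∧ □(o_π ⇔ o_π'): every trace needs a
    counterpart with the opposite secret and the same public output."""
    (u,) = ws
    return ('h' in t[1]) != ('h' in u[1]) and always_agree(t, u, 'o')

def demo():
    # Leaf h1_o0 has no counterpart on the h0 branch, so its controllable
    # transition is cut; if that transition is uncontrollable, no controller exists.
    return (synthesize_AE('init', CTRL, UNCTRL, LABEL, noninference_body),
            synthesize_AE('init', CTRL - {('h1', 'h1_o0')},
                          UNCTRL | {('h1', 'h1_o0')}, LABEL, noninference_body))

if __name__ == '__main__':
    print(demo())   # ({('h0', 'h0_o1'), ('h1', 'h1_o1')}, None)
```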
In order to transform an arbitrary Horn formula y into another one, y′, whose clauses consist of two negative and one positive literal, we apply the following:
• To ensure that every clause contains a positive literal, we introduce a fresh variable ⊥ with the intended meaning "false". We add ⊥ as a positive literal to all clauses that have no positive literal.
• To ensure that every clause contains at least two negative literals, we introduce a fresh variable ⊤ with the intended meaning "true". We add ⊤ as a negative literal to all clauses that have no negative literals. (Clauses with only one negative literal count as clauses with two identical negative literals.)
• To ensure that no clause contains more than two negative literals, we reduce the number of negative literals as follows: let l_1 and l_2 be two negative literals in a clause with more than two negative literals. We introduce a fresh variable f and replace l_1 and l_2 with ¬f; we furthermore add {l_1, l_2, f} as a new clause.
• In order to account for the intended meaning of ⊤ and ⊥, we modify the HORN-SAT problem to check whether there exists a truth assignment to the variables in X ∪ {⊤, ⊥} (together with the fresh variables f introduced to break clauses as described above), such that all clauses in y evaluate to true, ⊥ evaluates to false, and ⊤ evaluates to true.

For example, we transform the Horn formula

  y = (¬x ∨ ¬x ∨ ¬x ∨ x) ∧ (¬x ∨ x) ∧ (¬x)

into

  y′ = (¬x ∨ ¬x ∨ f) ∧ (¬x ∨ ¬f ∨ x) ∧ (¬x ∨ ¬x ∨ x) ∧ (¬x ∨ ¬x ∨ ⊥).

Hence, the set of propositional variables for the transformed formula y′ is updated to X = {⊥, x, x, x, x, f, ⊤}. Since the modified problem and the original problem are obviously equivalent, it follows that the modified problem is P-complete as well. We now describe our mapping (see Fig. 2 for an example).
Plant.
We translate the (modified) HORN-SAT problem to a tree-shaped plant P = ⟨S, s_init, c, u, L⟩ as follows.

Fig. 2: The plant for Horn formula y = (¬x ∨ ¬x ∨ ¬x ∨ x) ∧ (¬x ∨ x) ∧ (¬x) (figure not reproduced; it shows the root s_init, the states v_f, v_x, v_⊥, and branch states labeled with subsets of {neg_1, neg_2, pos}).

Our general idea is to create a tree where each branch represents a clause in the input HORN-SAT problem and the states of each branch are labeled according to the bitstring encoding of the literals in that clause. Thus, the length of each branch needs to be log(|X|). We now present the details:
• (Atomic propositions AP) We include atomic propositions neg_1 and neg_2 to indicate negative literals and pos for the positive literal in a Horn clause. Thus, AP = {neg_1, neg_2, pos}.
• (Set of states S) We now identify the members of S:
  ◦ First, we include an initial state s_init, which is labeled with the empty set of atomic propositions.
  ◦ For each propositional variable x ∈ X that appears as a positive literal in a clause, we add a state v_x. The idea here is to ensure that if a positive literal appears in some clause of the synthesized plant, then all clauses with the same positive literal must be preserved during synthesis. These states are not labeled by any atomic proposition in AP.
  ◦ For each clause y_j, where j ∈ [1, m], we include a bitstring that represents which literals participate in y_j. That is, we include the following in S:
      { b^j_i | j ∈ [1, m] ∧ i ∈ [0, log(|X|)) }.
    We represent the literals of each clause by labeling the states of the clause according to the appearance of the propositional variables x_i ∈ X (i.e., the updated set including ⊤, ⊥, and the fresh f variables), where i ∈ [0, log(|X|)), as a negative or positive literal. More specifically, let y_j = {¬x_{n_1} ∨ ¬x_{n_2} ∨ x_p} be a Horn clause. We label the states b^j_0, b^j_1, ..., b^j_{log(|X|)−1} by atomic proposition neg_1 according to the bit sequence of n_1, by atomic proposition neg_2 according to the bit sequence of n_2, and by atomic proposition pos according to the bit sequence of p. We reserve the values 0 and |X| − 1 for ⊥ and ⊤, respectively (see Fig. 2).
• (Uncontrollable transitions u) For each state v_x, we add an uncontrollable transition from v_x to every state b^j_0 where propositional variable x appears as the positive literal in clause y_j. These transitions ensure that if a variable appears as a positive literal in two or more clauses, all or none of the associated clauses are preserved.
• (Controllable transitions c) We represent each Horn clause as a branch of the plant. That is, we include the following transitions:
  ◦ We connect the states that represent bitstrings as follows:
      { (b^j_i, b^j_{i+1}) | j ∈ [1, m] ∧ i ∈ [0, log(|X|)) }.
  ◦ We also connect the initial state to each state v_x, where x is a propositional variable that appears as a positive literal in some Horn clause.
  ◦ Finally, we add a self-loop to the end of each branch, that is,
      { (b^j_{log(|X|)−1}, b^j_{log(|X|)−1}) | j ∈ [1, m] }.
It is easy to see that the plant that represents the Horn clauses is a tree. It branches into the paths that represent the clauses (see Fig. 2).
HyperLTL formula.
We interpret the synthesized plant as a solution to HORN-SAT, assigning false to every variable x that appears as a positive literal on some path but whose state v_x is not reachable from the initial state, and true to every variable x′ that appears as a positive literal on some path and whose state v_{x′} is reachable from the initial state. We define a HyperLTL formula that ensures that this valuation satisfies the clause set. Let ϕ_map = ϕ_⊥ ∧ ϕ_⊤ ∧ ϕ_C be a HyperLTL formula with the following conjuncts:
• Formula ϕ_⊤ enforces that ⊤ is assigned to true. This is expressed by requiring that, on all traces, ⊤ does not appear as a positive literal. That is, ϕ_⊤ = ∀π. (¬pos_π).
• Formula ϕ_⊥ stipulates that ⊥ is assigned to false. This is expressed by requiring that there exists a trace where ⊥ appears as a positive literal. That is, ϕ_⊥ = ∃π. (¬pos_π).
• Formula ϕ_C ensures that all clauses are satisfied. This is expressed as a forall-exists formula that requires, for every trace in the synthesized plant, that for one of the variables that appear as negative literals in the clause, there must exist a trace where the same variable appears as the positive literal. That is, ϕ_C = ∀π. ∃π. ((neg_π ⇔ pos_π) ∨ (neg_π ⇔ pos_π)).
ϕ_map needs only one universal and one existential quantifier, and it is straightforward to see that the input HORN-SAT formula is satisfiable if and only if the answer to the controller synthesis problem is affirmative.

C. The Full Logic
We now turn to full HyperLTL. We show that the controller synthesis problem is in NP. NP-hardness holds already for the fragment with two universal quantifiers.
Theorem 3: CS[HyperLTL, tree] is in NP in the size of the plant.
Proof: We nondeterministically guess a solution P′ in polynomial time. Since determining whether or not P′ ⊨ ϕ can be solved in logarithmic space [18], the synthesis problem is in NP.
Theorem 4: CS[AA-HyperLTL, tree] is NP-hard in the size of the plant.
Proof: We reduce the 3SAT problem to the controller synthesis problem. The 3SAT problem is as follows: Let {x, x, ..., x_n} be a set of propositional variables. Given is a Boolean formula y = y ∧ y ∧ ··· ∧ y_m, where each y_j, for j ∈ [1, m], is a disjunction of exactly three literals. Is y satisfiable? That is, does there exist an assignment of truth values to x, x, ..., x_n such that y evaluates to true?
We now present a mapping from an arbitrary instance of 3SAT to the synthesis problem of a tree-shaped plant and a HyperLTL formula of the form ∀π. ∀π′. ψ. Then, we show that the plant satisfies the HyperLTL formula if and only if the answer to the 3SAT problem is affirmative. Figure 3 shows an example.
Plant P = ⟨S, s_init, c, u, L⟩:
• (Atomic propositions AP) We include two atomic propositions, pos and neg, to mark the positive and negative literals in each clause. Thus, AP = {pos, neg}.
• (Set of states S) We now identify the members of S:
◦ First, we include an initial state s_init. Then, for each clause y_j, where j ∈ [1, m], we include a state r_j.
◦ Let y_j = (l, l′, l″) be a clause in the 3SAT formula. We include the following set of states: { v^j_i, v′^j_i, v″^j_i | i ∈ [1, n] }, where n is the number of propositional variables. If l = x_i is in y_j, then we label state v^j_i with proposition pos. If l = ¬x_i is in y_j, then we label state v^j_i with proposition neg. We analogously label v′ and v″ associated with l′ and l″, respectively.
Thus, we have S = { r_j | j ∈ [1, m] } ∪ { v^j_i, v′^j_i, v″^j_i | i ∈ [1, n] ∧ j ∈ [1, m] }.
[Fig. 3: The plant for the 3SAT formula (¬x ∨ ¬x ∨ x) ∧ (x ∨ x ∨ ¬x). The truth assignment x = true, x = false, x = false, x = false renders the tree with white branches, i.e., the grey branches are removed during synthesis.]
• (Uncontrollable transitions u) We include an uncontrollable transition (s_init, r_j) for each clause y_j in the 3SAT formula, where j ∈ [1, m]: u = { (s_init, r_j) | j ∈ [1, m] }. These uncontrollable transitions ensure that during synthesis, all clauses are preserved.
• (Controllable transitions c) We now identify the members of c:
◦ We connect the states corresponding to the propositional variables in a sequence. That is, we include the following transitions for each j ∈ [1, m]: { (r_j, v^j), (r_j, v′^j), (r_j, v″^j) } ∪ { (v^j_i, v^j_{i+1}), (v′^j_i, v′^j_{i+1}), (v″^j_i, v″^j_{i+1}) | i ∈ [1, n) }.
◦ We also add a self-loop at each leaf state: { (v^j_n, v^j_n), (v′^j_n, v′^j_n), (v″^j_n, v″^j_n) | j ∈ [1, m] }.
HyperLTL formula: The HyperLTL formula in our mapping is the following: ϕ_map = ∀π. ∀π. (¬pos_π ∨ ¬neg_π).
We now show that the given 3SAT formula is satisfiable if and only if the plant obtained by our mapping can be controlled to satisfy the HyperLTL formula ϕ_map:
• (⇒) Suppose the 3SAT formula y is satisfiable, i.e., there exists an assignment to the propositional variables x, x, ..., x_n that satisfies y. This implies that each y_j becomes true, which in turn means that there exists at least one literal in each y_j that evaluates to true. Now, given this assignment, we identify a plant P′ that satisfies the conditions of the controller synthesis problem stated in Section IV. Suppose y_j = (l ∨ l′ ∨ l″) for some j ∈ [1, m]. Also, suppose that l = x_i for some i ∈ [1, n]. If x_i = true in the answer to the 3SAT problem, then we keep states v^j, v^j, ..., v^j_n and all incoming and outgoing transitions of them. We also remove states v′^j, v′^j, ..., v′^j_n and v″^j, v″^j, ..., v″^j_n. Likewise, suppose that l = ¬x_i for some i ∈ [1, n]. If x_i = false in the answer to the 3SAT problem, then we keep states v^j, v^j, ..., v^j_n and all incoming and outgoing transitions of them, and we remove states v′^j, v′^j, ..., v′^j_n and v″^j, v″^j, ..., v″^j_n together with all their incoming and outgoing transitions. The case for literals l′, l″ and states v′, v″ follows trivially. It is straightforward to see that the plant obtained after removing the aforementioned states satisfies ϕ_map. This is because a propositional variable cannot be simultaneously true and false in the answer to the 3SAT problem. Thus, if we keep the states corresponding to a true variable x_i, the branches where some v^j_i is labeled by neg are removed. The same argument holds for states v′ and v″ and for the case where a variable evaluates to false.
• (⇐) Suppose the answer to the synthesis problem is affirmative, i.e., there is a synthesized plant P′ that satisfies the HyperLTL formula ϕ_map. This means that (1) all the r states are preserved, since we cannot remove uncontrollable transitions, and (2) there are no pairs of v, v′, or v″ states at the same height of the tree of the synthesized plant such that both pos and neg are true. We now describe how one can obtain a truth assignment to the propositional variables that satisfies the input 3SAT formula. Suppose that states v^j, v^j, ..., v^j_n appear in P′ for some i and j, such that some state v^j_i is labeled by pos. We assign truth value true to variable x_i. This assignment makes clause y_j true, since x_i is a literal in y_j. On the contrary, if state v^j_i is labeled by neg, then we assign truth value false to variable x_i. This assignment makes clause y_j true, since ¬x_i is a literal in y_j. The same argument holds for states v′ and v″. Furthermore, since all r states are preserved, all clauses evaluate to true and, hence, y evaluates to true. This concludes the proof.
Corollary 1:
CS[AA-HyperLTL, tree] is NP-complete in the size of the plant.
Corollary 1 shows a significant difference between program repair [15] and controller synthesis: while the program repair problem for the AA∗ fragment is L-complete, the problem becomes NP-complete for controller synthesis.
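The reduction in the proof of Theorem 4, as an added worked example (Python written for this page, not the authors' code): it builds the tree plant for a constructed 3CNF formula, enumerates every controller (a choice, below each r_j, of which of the three branch transitions to keep), evaluates ∀π. ∀π′. (¬pos_π ∨ ¬neg_π′) at every position of the resulting traces (the "same height of the tree" condition used in the proof), and compares the answer with a brute-force satisfiability check. The state names, the integer literal encoding, the two constructed instances, and the assumption that a synthesized plant must be deadlock-free (so every r_j keeps at least one branch and chain edges and self-loops are never dropped) are mine, not the paper's.

```python
"""Constructed example: the 3SAT-to-tree-plant reduction of Theorem 4."""
from itertools import product


def build_plant(clauses, n):
    """Build the tree plant of the reduction.

    clauses: list of 3-tuples of non-zero ints, +i for x_i and -i for not x_i
             (constructed input encoding, not the paper's Fig. 3).
    Returns (labels, unctrl, ctrl): labels maps each state to its set of
    atomic propositions; unctrl/ctrl are the uncontrollable and controllable
    transitions as (src, dst) pairs.
    """
    labels = {"s_init": set()}
    unctrl, ctrl = set(), set()
    for j, clause in enumerate(clauses, start=1):
        r = f"r{j}"
        labels[r] = set()
        unctrl.add(("s_init", r))             # clause states can never be pruned
        for t, lit in enumerate(clause):      # one branch per literal slot
            chain = [f"v{t}_{j}_{i}" for i in range(1, n + 1)]
            for i, v in enumerate(chain, start=1):
                labels[v] = ({"pos"} if lit == i else
                             {"neg"} if lit == -i else set())
            ctrl.add((r, chain[0]))           # the edge a controller may drop
            ctrl.update(zip(chain, chain[1:]))
            ctrl.add((chain[-1], chain[-1]))  # self-loop at the leaf
    return labels, unctrl, ctrl


def finite_traces(labels, transitions, length):
    """Label sequences of all paths from s_init with `length` states.

    Every leaf has a self-loop, so a prefix of n+2 states determines the
    infinite trace: later positions only repeat the leaf label."""
    succ = {}
    for src, dst in transitions:
        succ.setdefault(src, []).append(dst)
    out = []

    def walk(state, prefix):
        if len(prefix) == length:
            out.append(tuple(frozenset(labels[s]) for s in prefix))
            return
        for nxt in succ.get(state, []):
            walk(nxt, prefix + [nxt])

    walk("s_init", ["s_init"])
    return out


def satisfies_phi_map(traces):
    """forall pi, pi': at every position, not (pos on pi and neg on pi')."""
    return all(not ("pos" in a[k] and "neg" in b[k])
               for a in traces for b in traces for k in range(len(a)))


def controller_exists(clauses, n):
    """Search all controllers: below every r_j keep a non-empty subset of its
    three branches (assumption: the synthesized plant must be deadlock-free,
    so chain edges and self-loops are always kept)."""
    labels, unctrl, ctrl = build_plant(clauses, n)
    m = len(clauses)
    roots = [[(f"r{j}", f"v{t}_{j}_1") for t in range(3)]
             for j in range(1, m + 1)]
    always_kept = ctrl - {e for group in roots for e in group}
    for masks in product(range(1, 8), repeat=m):   # 7 non-empty subsets per clause
        kept = set(always_kept)
        for group, mask in zip(roots, masks):
            kept.update(e for t, e in enumerate(group) if mask >> t & 1)
        if satisfies_phi_map(finite_traces(labels, unctrl | kept, n + 2)):
            return True
    return False


def sat_3sat(clauses, n):
    """Reference answer: brute-force satisfiability of the same 3CNF formula."""
    for values in product([False, True], repeat=n):
        if all(any(values[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            return True
    return False


# Constructed instances (not the paper's example): a satisfiable formula and an
# unsatisfiable one; the latter repeats literals to stay small.
SAT_INSTANCE = ([(-1, -2, 3), (1, 2, -4)], 4)
UNSAT_INSTANCE = ([(1, 1, 2), (-1, -1, 2), (-2, -2, 1), (-2, -2, -1)], 2)

if __name__ == "__main__":
    for clauses, n in (SAT_INSTANCE, UNSAT_INSTANCE):
        print(clauses, "3SAT:", sat_3sat(clauses, n),
              "controller:", controller_exists(clauses, n))
```

Because every branch of clause j places its literal for x_i at the same tree depth i+1, a pos label on one kept branch and a neg label on another at that depth is exactly a variable assigned both values, which is what the ∀∀ formula forbids; the exhaustive controller search therefore agrees with brute-force 3SAT on both constructed instances.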
Corollary 2:
CS[HyperLTL, tree] is NP-complete in the size of the plant.

VI. COMPLEXITY OF CONTROLLER SYNTHESIS FOR ACYCLIC GRAPHS
In this section, we analyze the complexity of the controller synthesis problem for acyclic plants.
A. The Alternation-free Fragment
We start with the existential fragment. It turns out that for this fragment, controller synthesis and model checking are actually the same problem; hence, the complexity of controller synthesis is NL-complete, as known from model checking [18].
Theorem 5:
CS[E∗-HyperLTL, acyclic] is NL-complete in the size of the plant.
Proof:
For existential formulas, the synthesis problem is equivalent to the model checking problem. A given plant satisfies the formula iff there is a solution to the synthesis problem, as we are only dealing with existential quantifiers. If the formula is satisfied, the witness to the synthesis problem is simply the original plant. Since the model checking problem for existential formulas over acyclic graphs is NL-complete [18, Theorem 2], the same holds for the synthesis problem.
We now switch to the universal fragment, where the complexity of the problem jumps to NP-complete.
Theorem 6: CS[A∗-HyperLTL, acyclic] is NP-complete in the size of the plant.
Proof:
For the upper bound, one can guess a solution to the synthesis problem and verify it in polynomial time. The lower bound follows from the lower bound of CS[AA-HyperLTL, tree] shown in Theorem 4.
B. Formulas with Quantifier Alternation
We first build on Theorem 6 to study the complexity of the synthesis problem for the E∗A∗ fragment.
Theorem 7:
CS[E∗A∗-HyperLTL, acyclic] is in Σ^p_2 in the size of the plant.
Proof: We show membership in Σ^p_2. Since the plant is acyclic, the length of the traces is bounded by the number of states. We can thus nondeterministically guess the witness to the existentially quantified traces in polynomial time, and then solve the problem for the remaining formula, which has only universal quantifiers. By Theorem 6 (i.e., NP-hardness of the problem for the A∗ fragment), it holds that CS[E∗A∗-HyperLTL, acyclic] is in Σ^p_2.
Next, we consider formulas where the number of quantifier alternations is bounded by a constant k. We show that changing the frame structure from trees to acyclic graphs results in a significant increase in complexity (see Table I). The complexity of the synthesis problem is similar to that of the model checking problem, with the synthesis problem being one level higher in the polynomial hierarchy (cf. [18]). This also means that the complexity of the problem is aligned with the complexity of the model repair problem [15].
Theorem 8: For k ≥ , CS[(EA)^k-HyperLTL, acyclic] is Σ^p_k-complete in the size of the plant. For k ≥ , CS[(AE)^k-HyperLTL, acyclic] is Σ^p_{k+}-complete in the size of the plant.
Proof: We show membership in Σ^p_k and Σ^p_{k+}, respectively, as follows. Suppose that the first quantifier is existential. Since the plant is acyclic, the length of the traces is bounded by the number of states. We can thus nondeterministically guess the witness to the existentially quantified traces in polynomial time, and then verify the correctness of the guess by model checking the remaining formula, which has k − quantifier alternations and begins with a universal quantifier. The verification can be done in Π^p_{k−} [18, Theorem 3]. Hence, the synthesis problem is in Σ^p_k.
If the first quantifier is universal, we apply the same procedure except that we only guess the solution to the synthesis problem (there are no leading existential quantifiers). In this case, the formula for the model checking problem has k quantifier alternations. Hence, we solve the model checking problem in Π^p_k and the synthesis problem in Σ^p_{k+}.
We give a matching lower bound for CS[(AE)^k-HyperLTL, acyclic]. Since the (AE)^k-HyperLTL formulas are contained in the (EA)^{k+1}-HyperLTL formulas (not using the outermost existential quantifiers), this also provides a matching lower bound for CS[(EA)^k-HyperLTL, acyclic].
We establish the lower bound for CS[(AE)^k-HyperLTL, acyclic] via a reduction from the quantified Boolean formula (QBF) satisfiability problem [20]: Given is a set of Boolean variables {x, x, ..., x_n} and a quantified Boolean formula y = Q x. Q x. ... Q_{n−} x_{n−}. Q_n x_n. (y ∧ y ∧ ··· ∧ y_m), where each Q_i ∈ {∀, ∃} (i ∈ [1, n]) and each clause y_j (j ∈ [1, m]) is a disjunction of three literals (3CNF). Is y true? If Q = ∃ and y is restricted to at most k alternations of quantifiers, then QBF satisfiability is complete for Σ^p_k.
We note that in the given instance of the QBF problem:
• The clauses may have more than three literals, but three are sufficient for our purpose;
• The inner Boolean formula has to be in conjunctive normal form in order for our reduction to work;
• Without loss of generality, the variables in the literals of the same clause are different (this can be achieved by a simple pre-processing of the formula); and
• If the formula has k alternations, then it has k + 1 alternation depths. For example, the formula ∀x. ∃x. (x ∨ ¬x) has one alternation, but two alternation depths: one for ∀x and the second for ∃x. By d(x_i), we mean the alternation depth of Boolean variable x_i.
We now present, for k ≥ , a mapping from an arbitrary instance of QBF with k alternations and Q = ∃ to the synthesis problem of an acyclic plant and a HyperLTL formula with k − quantifier alternations and a leading universal quantifier. Then, we show that the plant can be pruned so that it satisfies the HyperLTL formula if and only if the answer to the QBF problem is affirmative.
[Fig. 4: Plant for the formula y = ∃x. ∀x. ∃x. (x ∨ ¬x ∨ x) ∧ (¬x ∨ x ∨ ¬x).]
The reduction is similar to the reduction from QBF satisfiability to the HyperLTL model checking problem [18, Theorem 3] except for the treatment of the outermost existential quantifiers. In the reduction to the model checking problem, these quantifiers are translated to trace quantifiers, resulting in a HyperLTL formula with k quantifier alternations and a leading existential quantifier. In the reduction to the synthesis problem, the outermost existential quantifiers are resolved by the pruning of controllable transitions. For this reason, it suffices to build a HyperLTL formula with one quantifier alternation less, i.e., with k − quantifier alternations, and a leading universal quantifier.
In the following, we first describe the plant from the reduction to the model checking problem [18, Theorem 3] and then describe the necessary additions for the reduction to the synthesis problem. Figure 4 shows an example.
Plant P = ⟨S, s_init, c, u, L⟩:
• (Atomic propositions AP) For each alternation depth d ∈ [1, k + 1], we include an atomic proposition q_d. We furthermore include three atomic propositions: c is used to mark the clauses, p is used to force clauses to become true if a Boolean variable appears in a clause, and proposition p̄ is used to force clauses to become true if the negation of a Boolean variable appears in a clause in our reduction.
• (Set of states S) We now identify the members of S:
◦ First, we include an initial state s_init and a state r. Then, for each clause y_j, where j ∈ [1, m], we include a state r_j, labeled by proposition c.
◦ For each clause y_j, where j ∈ [1, m], we introduce the following n states: { v^j_i, u^j_i | i ∈ [1, n] }. v^j_i is labeled with proposition q_{d(x_i)}, and with p if x_i is a literal in y_j, or with p̄ if ¬x_i is a literal in y_j.
◦ For each Boolean variable x_i, where i ∈ [1, n], we include three states s_i, s̄_i, and ŝ_i. Each state s_i (respectively, s̄_i) is labeled by p and q_{d(x_i)} (respectively, p̄ and q_{d(x_i)}).
Thus, S = {s_init} ∪ { r_j | j ∈ [0, m] } ∪ { v^j_i, u^j_i, s_i, s̄_i, ŝ_i | i ∈ [1, n] ∧ j ∈ [1, m] }.
• (Uncontrollable transitions u) The set of uncontrollable transitions includes the following:
◦ We add outgoing transitions from the initial state of P to the clause states as well as to the state that represents the first propositional variable. The idea here is to make these transitions uncontrollable to ensure that during synthesis the clauses and the diamond structure for all alternation depths except k + 1 are preserved.
◦ For each i ∈ [1, n], we include transitions (s_i, ŝ_i) and (s̄_i, ŝ_i). For each i ∈ [1, n), we include transitions (ŝ_i, s_{i+1}) and (ŝ_i, s̄_{i+1}).
Thus, u = { (s_init, r_j) | j ∈ [0, m] } ∪ { (r, s), (r, s̄) } ∪ { (s_i, ŝ_i), (s̄_i, ŝ_i) | i ∈ [1, n] } ∪ { (ŝ_i, s_{i+1}), (ŝ_i, s̄_{i+1}) | i ∈ [1, n) }.
• (Controllable transitions c) We now identify the members of c:
◦ We add transitions (r_j, v^j) for each j ∈ [1, m].
◦ For each i ∈ [1, n] and j ∈ [1, m], we include transitions (v^j_i, u^j_i). For each i ∈ [1, n) and j ∈ [1, m], we include transitions (u^j_i, v^j_{i+1}).
◦ We include two transitions (r, s) and (r, s̄).
◦ Finally, we include self-loops (ŝ_n, ŝ_n) and (u^j_n, u^j_n), for each j ∈ [1, m].
Thus, c = { (r_j, v^j), (u^j_n, u^j_n) | j ∈ [1, m] } ∪ { (v^j_i, u^j_i) | i ∈ [1, n] ∧ j ∈ [1, m] } ∪ { (u^j_i, v^j_{i+1}) | i ∈ [1, n) ∧ j ∈ [1, m] }.
HyperLTL formula: The role of the HyperLTL formula in our reduction is to ensure that the QBF instance is satisfiable iff the HyperLTL formula is satisfied on the solution to the synthesis problem:
ϕ_map = ∀π_{k+1}. ∀π_k. ∃π_{k−} ··· ∃π. ∀π. ∀π′. ( ⋀_{d ∈ { , , ..., k}} ¬c_{π_d} ∧ c_{π′} ) ⇒ ( ⋀_{d ∈ { , , ..., k+1}} ¬c_{π_d} ∧ [ ⋁_{d ∈ [1, k+1]} ( (q^d_{π_d} ⇔ q^d_{π′}) ∧ ((p_{π′} ∧ p_{π_d}) ∨ (p̄_{π′} ∧ p̄_{π_d})) ) ] )
Intuitively, ϕ_map expresses the following: for all clause traces π′ and all traces that valuate the universally quantified variables (π, π, ...), there exist traces evaluating the existentially quantified variables (π, π, ...) where either p or p̄ eventually matches its counterpart position in the clause trace π′. The dependencies between the trace quantifiers for the valuation of the variables match the dependencies in the quantified Boolean formula. A special case are the outermost existential variables in the QBF. The corresponding trace quantifier (for π_{k+1}) is universal, rather than existential. As a result, the formula has only k − alternations. We allow synthesis to reduce the valuations for the outermost existential variables to a single valuation. Hence, universal and existential quantification are the same.
Finally, Theorem 8 implies that the synthesis problem for acyclic plants and HyperLTL formulas with an arbitrary number of quantifiers is in PSPACE.
Corollary 3:
CS[HyperLTL, acyclic] is in PSPACE in the size of the plant.

VII. COMPLEXITY OF CONTROLLER SYNTHESIS FOR GENERAL GRAPHS
In this section, we investigate the complexity of the controller synthesis problem for general graphs. We again begin with the alternation-free fragment and then continue with formulas with quantifier alternation.
A. The Alternation-free Fragment
We start with the existential fragment. As for acyclic graphs, the controller synthesis problem is already solved by model checking.
Theorem 9:
CS[E∗-HyperLTL, general] is NL-complete in the size of the plant.
Proof:
Analogously to the proof of Theorem 5, we note that, for existential formulas, the synthesis problem is equivalent to the model checking problem. A given plant satisfies the formula if and only if it has a solution to the synthesis problem. If the formula is satisfied, then the solution is simply the original plant. Since the model checking problem for existential formulas for general graphs is NL-complete [21], the same holds for the synthesis problem.
Similar to tree-shaped and acyclic graphs, the synthesis problem for the universal fragment is also NP-complete.
Theorem 10: CS[A+-HyperLTL, general] is NP-complete in the size of the plant.
Proof:
For membership in NP, we nondeterministically guess a solution to the synthesis problem, and verify the correctness of the universally quantified HyperLTL formula against the solution in polynomial time in the size of the plant. NP-hardness follows from the NP-hardness of the synthesis problem for LTL [22].
B. Formulas with Quantifier Alternation
Next, we consider formulas where the number of quantifier alternations is bounded by a constant k. We show that changing the frame structure from acyclic to general graphs results in a significant increase in complexity (see Table I).
Theorem 11: CS[E∗A∗-HyperLTL, general] is in PSPACE in the size of the plant. CS[A∗E∗-HyperLTL, general] is PSPACE-complete in the size of the plant. For k ≥ , CS[(EA)^k-HyperLTL, general] and CS[(AE)^k-HyperLTL, general] are (k −)-EXPSPACE-complete in the size of the plant.
Proof:
The claimed complexities are those of the model checking problem [23]. For the upper bound, we guess, in PSPACE, a solution to the control problem and then verify, using the model checking algorithm for the considered fragment of HyperLTL, that the solution satisfies the HyperLTL formula.
For the lower bound, we reduce the model checking problem to the controller synthesis problem by identifying each transition of the given plant as an uncontrollable transition of the plant. In this way, the controller synthesis cannot modify the plant, and the synthesis succeeds iff the given plant in the model checking problem already satisfies the HyperLTL formula.
Finally, Theorem 11 implies that the repair problem for general plants and HyperLTL formulas with an arbitrary number of quantifiers is in NONELEMENTARY.
Corollary 4: CS[HyperLTL, general] is NONELEMENTARY in the size of the plant.

VIII. RELATED WORK
There has been a lot of recent progress in automatically verifying [13], [21], [24], [25] and monitoring [16], [26]–[31] HyperLTL specifications. HyperLTL is also supported by a growing set of tools, including the model checker MCHyper [13], [21], the satisfiability checkers EAHyper [32] and MGHyper [33], and the runtime monitoring tool RVHyper [30].
The closest work to the study in this paper is the analysis of the program repair problem for HyperLTL [15]. The repair problem is to find a subset of traces of a Kripke structure that satisfies a given HyperLTL formula. Thus, the repair problem is similar to the controller synthesis problem studied in this paper. In both problems, the goal is to prune the set of transitions of the given plant or model. However, in program repair, all transitions are controllable, whereas in controller synthesis the pruning cannot be applied to uncontrollable transitions. We draw the following comparison and contrast between the results in [15] and this paper:
• The general positive result of this paper is that although controller synthesis is typically perceived as a more difficult problem than program repair (due to the existence of uncontrollable transitions), our study, summarized in Table I, shows that the complexities of controller synthesis and program repair for HyperLTL remain pretty close. This result may appear counterintuitive. For some cases, there is a simple explanation why the complexities are similar. For example, for general graphs, the complexity is dominated by the model checking complexity. Both problems can be solved by first guessing a solution and then verifying it. The complexity of the model checking problem (which is the dominating factor) is the same for both problems and, as a result, the complexity of program repair and controller synthesis is the same (NONELEMENTARY). However, this is not always the case. For example, for acyclic graphs, the fact that guessing the controller is more difficult than guessing the repair leads to a higher complexity (within the polynomial hierarchy). Another interesting observation is the effect of the universal quantifiers in the ∀∀ fragment. While the repair problem for the ∀∀ fragment is L-complete for tree-shaped graphs, the problem becomes NP-complete for the controller synthesis problem. Also, while the repair problem for the ∀∀ fragment is NL-complete for acyclic graphs, it becomes NP-complete for the controller synthesis problem. This is significant, because many important security policies such as certain types of noninterference [10] and observational determinism [34] fit in this fragment.
• Although the proof techniques in this paper are similar to those in [15], leveraging the existence of uncontrollable transitions has made our lower bound proofs more elegant. In particular, the proofs in [15] need to incorporate complex constraints in the HyperLTL formulas to make sure that during reductions, parts of the state space related to clauses of the input (e.g., SAT or QBF) formulas are not removed. Here, we achieve this in a more elegant way by using uncontrollable transitions, which cannot be removed during synthesis.
The controller synthesis problem studied in this paper is also related to classic supervisory control, where, for a given plant, a supervisor is constructed that selects an appropriate subset of the plant's controllable actions to ensure that the resulting behavior is safe [35]–[37].
Directly related to the controller synthesis problem studied in this paper is the satisfiability problem. The satisfiability problem for HyperLTL was shown to be decidable for the ∃∗∀∗ fragment and for any fragment that includes a ∀∃ quantifier alternation [38]. The hierarchy of hyperlogics beyond HyperLTL has been studied in [39].
The general synthesis problem differs from controller synthesis in that the solutions are not limited to the state graph of the plant. For HyperLTL, synthesis was shown to be undecidable in general, and decidable for the ∃∗ and ∃∗∀ fragments [12]. While the synthesis problem becomes, in general, undecidable as soon as there are two universal quantifiers, there is a special class of universal specifications, called the linear ∀∗-fragment, which is still decidable. The linear ∀∗-fragment corresponds to the decidable distributed synthesis problems [40]. The bounded synthesis problem [12], [13] considers only systems up to a given bound on the number of states. Bounded synthesis has been successfully applied to various benchmarks including the dining cryptographers [14].
The problem of model checking hyperproperties for tree-shaped and acyclic graphs was studied in [18]. Earlier, a similar study of the impact of structural restrictions on the complexity of the model checking problem had been carried out for LTL [41].
Our motivating example draws from the substantial literature on specifying and verifying non-repudiation protocols [42]–[45]. In particular, [45] discusses the need for the consideration of incomplete information. We are not aware, however, of previous work on the automatic synthesis of trusted third parties for such protocols.

IX. CONCLUSION AND FUTURE WORK
We have presented a rigorous classification of the complexity of the controller synthesis problem for hyperproperties expressed in HyperLTL. We considered general, acyclic, and tree-shaped plants. We showed that for trees, the complexity of the synthesis problem in the size of the plant does not go beyond NP. While the problem is complete for L for the alternation-free existential fragment, it is complete for NP for the alternation-free universal fragment. The problem is complete for P for the fragment with only one quantifier alternation, where the leading quantifier is universal. For acyclic plants, the complexity is in PSPACE (in the level of the polynomial hierarchy that corresponds to the number of quantifier alternations). The problem is NL-complete for the alternation-free existential fragment. Similar to trees, the problem is NP-complete for the alternation-free universal fragment. For general graphs, the problem is NONELEMENTARY for an arbitrary number of quantifier alternations. For a bounded number k of alternations, the problem is (k −)-EXPSPACE-complete.
It is interesting to compare controller synthesis to program repair [18]. With the notable exception of the universal fragment of HyperLTL for trees and acyclic graphs, the complexities of controller synthesis and program repair are largely aligned. This is mainly due to the fact that synthesizing a controller involves computing a subset of the controllable transitions such that the specification is satisfied. This is also the case for program repair, except that all transitions of the system are controllable.
As for future work, we plan to develop efficient controller synthesis algorithms for different fragments of HyperLTL along the lines of QBF-based synthesis methods for hyperproperties [12], [13]. It would furthermore be interesting to see if the differences we observed for HyperLTL carry over to other hyperlogics beyond HyperLTL (cf. [9], [39], [46], [47]).

ACKNOWLEDGMENTS
This work is sponsored in part by the United States NSF SaTC Award 1813388. It was also supported by the German Research Foundation (DFG) as part of the Collaborative Research Center "Methods and Tools for Understanding and Controlling Privacy" (CRC 1223) and the Collaborative Research Center "Foundations of Perspicuous Software Systems" (TRR 248, 389792660), and by the European Research Council (ERC) Grant OSARES (No. 683300).

REFERENCES
[1] E. A. Emerson and E. M. Clarke, "Using branching time temporal logic to synthesize synchronization skeletons," Science of Computer Programming, vol. 2(3), pp. 241–266, 1982.
[2] Z. Manna and P. Wolper, "Synthesis of communicating processes from temporal logic specifications," ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 6(1), pp. 68–93, 1984.
[3] P. J. Ramadge and W. M. Wonham, "The control of discrete event systems," Proceedings of the IEEE
Journal of Computer Security, vol. 18, no. 6, pp. 1157–1210, 2010.
[9] M. R. Clarkson, B. Finkbeiner, M. Koleini, K. K. Micinski, M. N. Rabe, and C. Sánchez, "Temporal logics for hyperproperties," in Proceedings of the 3rd Conference on Principles of Security and Trust (POST), 2014, pp. 265–284.
[10] J. A. Goguen and J. Meseguer, "Security policies and security models," in IEEE Symposium on Security and Privacy, 1982, pp. 11–20.
[11] D. McCullough, "Noninterference and the composability of security properties," in Proceedings of the 1988 IEEE Symposium on Security and Privacy, 1988, pp. 177–186.
[12] B. Finkbeiner, C. Hahn, P. Lukert, M. Stenger, and L. Tentrup, "Synthesis from hyperproperties," Acta Informatica, vol. 57, no. 1, pp. 137–163, 2020.
[13] N. Coenen, B. Finkbeiner, C. Sánchez, and L. Tentrup, "Verifying hyperliveness," in Proceedings of the 31st International Conference on Computer Aided Verification (CAV), 2019, pp. 121–139.
[14] D. Chaum, "Security without identification: Transaction systems to make big brother obsolete," Communications of the ACM, vol. 28, no. 10, pp. 1030–1044, 1985.
[15] B. Bonakdarpour and B. Finkbeiner, "Program repair for hyperproperties," in Proceedings of the 17th Symposium on Automated Technology for Verification and Analysis (ATVA), 2019, pp. 423–441.
[16] S. Stucki, C. Sánchez, G. Schneider, and B. Bonakdarpour, "Gray-box monitoring of hyperproperties," in Proceedings of the 23rd International Symposium on Formal Methods (FM), 2019, to appear.
[17] R. Alur and S. Tripakis, "Automatic synthesis of distributed protocols," SIGACT News, vol. 48, no. 1, pp. 55–90, 2017.
[18] B. Bonakdarpour and B. Finkbeiner, "The complexity of monitoring hyperproperties," in Proceedings of the 31st IEEE Computer Security Foundations Symposium (CSF), 2018, pp. 162–174.
[19] K. Etessami, "Counting quantifiers, successor relations, and logarithmic space," Journal of Computer and System Sciences, vol. 54, no. 3, pp. 400–411, 1997.
[20] M. Garey and D. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. New York: W. H. Freeman, 1979.
[21] B. Finkbeiner, M. N. Rabe, and C. Sánchez, "Algorithms for model checking HyperLTL and HyperCTL*," in Proceedings of the 27th International Conference on Computer Aided Verification (CAV), 2015, pp. 30–48.
[22] B. Bonakdarpour, A. Ebnenasir, and S. S. Kulkarni, "Complexity results in revising UNITY programs," ACM Transactions on Autonomous and Adaptive Systems (TAAS), vol. 4, no. 1, pp. 1–28, January 2009.
[23] M. N. Rabe, "A temporal logic approach to information-flow control," Ph.D. dissertation, Saarland University, 2016.
[24] B. Finkbeiner, C. Müller, H. Seidl, and E. Zalinescu, "Verifying Security Policies in Multi-agent Workflows with Loops," in
Proceedings ofthe 15th ACM Conference on Computer and Communications Security(CCS) , 2017.[25] B. Finkbeiner, C. Hahn, and H. Torfah, “Model checking quantitativehyperproperties,” in
Proceedings of the 30th International Conferenceon Computer Aided Verification , 2018, pp. 144–163.[26] S. Agrawal and B. Bonakdarpour, “Runtime verification of k -safety hy-perproperties in HyperLTL,” in Proceedings of the IEEE 29th ComputerSecurity Foundations (CSF) , 2016, pp. 239–252.[27] B. Finkbeiner, C. Hahn, M. Stenger, and L. Tentrup, “Monitoringhyperproperties,”
Formal Methods in System Design (FMSD) , vol. 54,no. 3, pp. 336–363, 2019.[28] N. Brett, U. Siddique, and B. Bonakdarpour, “Rewriting-based runtimeverification for alternation-free HyperLTL,” in
Proceedings of the 23rdInternational Conference on Tools and Algorithms for the Constructionand Analysis of Systems (TACAS) , 2017, pp. 77–93.[29] B. Bonakdarpour, C. S´anchez, and G. Schneider, “Monitoring hyper-properties by combining static analysis and runtime verification,” in
Proceedings of the 8th Leveraging Applications of Formal Methods,Verification and Validation (ISoLA) , 2018, pp. 8–27.[30] B. Finkbeiner, C. Hahn, M. Stenger, and L. Tentrup, “RVHyper: Aruntime verification tool for temporal hyperproperties,” in
Proceedingsof the 24th International Conference on Tools and Algorithms for theConstruction and Analysis of Systems (TACAS) , 2018, pp. 194–200.[31] C. Hahn, M. Stenger, and L. Tentrup, “Constraint-based monitoring ofhyperproperties,” in
Proceedings of the 25th International Conferenceon Tools and Algorithms for the Construction and Analysis of Systems(TACAS) , 2019, pp. 115–131.[32] B. Finkbeiner, C. Hahn, and M. Stenger, “EAHyper: Satisfiability, im-plication, and equivalence checking of hyperproperties,” in
Proceedingsof the 29th International Conference on Computer Aided Verification(CAV) , 2017, pp. 564–570.[33] B. Finkbeiner, C. Hahn, and T. Hans, “MGHyper: Checking satisfiabilityof HyperLTL formulas beyond the ∃ ∗ ∀ ∗ fragment,” in Proceedingsof the 16th International Symposium on Automated Technology forVerification and Analysis (ATVA) , 2018, pp. 521–527.[34] S. Zdancewic and A. C. Myers, “Observational determinism for con-current program security,” in
Proceedings of the 16th IEEE ComputerSecurity Foundations Workshop (CSFW) , 2003, p. 29.[35] J. G. Thistle and W. M. Wonham, “Control problems in a temporallogic framework,”
International Journal of Control , vol. 44, no. 4, pp.943–976, 1986.[36] F. Lin, “Analysis and synthesis of discrete event systems using temporallogic,” in
Proceedings of the 1991 IEEE International Symposium onIntelligent Control , Aug 1991, pp. 140–145.[37] S. Jiang and R. Kumar, “Supervisory control of discrete event systemswith CTL* temporal logic specifications,”
SIAM Journal on Controland Optimization , vol. 44, no. 6, pp. 2079–2103, 2006.[38] B. Finkbeiner and C. Hahn, “Deciding hyperproperties,” in
Proceedingsof the 27th International Conference on Concurrency Theory (CON-CUR) , 2016, pp. 13:1–13:14.[39] N. Coenen, B. Finkbeiner, C. Hahn, and J. Hofmann, “The hierarchyof hyperlogics,” in
Proceedings 34th Annual ACM/IEEE Symposium onLogic in Computer Science (LICS) , 2019, pp. 1–13.[40] B. Finkbeiner and S. Schewe, “Uniform distributed synthesis,” in
Proceedings of the 20th ACM/IEEE Symposium on Logic in ComputerScience (LICS) , 2005, pp. 321–330.[41] L. Kuhtz and B. Finkbeiner, “Weak Kripke structures and LTL,” in
Proceedings of the 22nd International Conference on ConcurrencyTheory (CONCUR) , 2011, pp. 419–433.[42] P. D. Ezhilchelvan and S. K. Shrivastava, “Systematic developmentof a family of fair exchange protocols,” in
Data and ApplicationsSecurity XVII: Status and Prospects, IFIP TC-11 WG 11.3 SeventeenthAnnual Working Conference on Data and Application Security, August4-6, 2003, Estes Park, Colorado, USA , 2003, pp. 243–258.[43] P. Liu, P. Ning, and S. Jajodia, “Avoiding loss of fairness owing toprocess crashes in fair data exchange protocols,” in ,2000, pp. 631–640.[44] S. Kremer and J.-F. Raskin, “A game-based verification of non-repudiation and fair exchange protocols,” in
CONCUR 2001 — Concur-rency Theory , K. G. Larsen and M. Nielsen, Eds. Berlin, Heidelberg:Springer Berlin Heidelberg, 2001, pp. 551–565.[45] W. Jamroga, S. Mauw, and M. Melissen, “Fairness in non-repudiationprotocols,” in
Security and Trust Management , C. Meadows andC. Fernandez-Gago, Eds. Berlin, Heidelberg: Springer Berlin Hei-delberg, 2012, pp. 122–139.[46] B. Finkbeiner, C. M¨uller, H. Seidl, and E. Zalinescu, “Verifying SecurityPolicies in Multi-agent Workflows with Loops,” in
Proceedings ofthe 15th ACM Conference on Computer and Communications Security(CCS) , 2017, pp. 633–645.[47] E. ´Abrah´am and B. Bonakdarpour, “HyperPCTL: A temporal logic forprobabilistic hyperproperties,” in
Proceedings of the 15th InternationalConference on Quantitative Evaluation of Systems (QEST) , 2018, pp.20–35., 2018, pp.20–35.