Temporal Logics for Hyperproperties
Abstract
Two new logics for verification of hyperproperties are proposed. Hyperproperties characterize security policies, such as noninterference, as a property of sets of computation paths. Standard temporal logics such as LTL, CTL, and can refer only to a single path at a time, hence cannot express many hyperproperties of interest. The logics proposed here, HyperLTL and , add explicit and simultaneous quantification over multiple paths to LTL and to . This kind of quantification enables expression of hyperproperties. A model checking algorithm for the proposed logics is given. For a fragment of HyperLTL, a prototype model checker has been implemented.
1 Introduction
Trace properties, which developed out of an interest in proving the correctness of programs [35], characterize correct behavior as properties of individual execution traces. Although early verification techniques specialized in proving individual correctness properties of interest, such as mutual exclusion or termination, temporal logics soon emerged as a general, unifying framework for expressing and verifying trace properties. Practical model checking tools [31, 12, 18] based on those logics now enable automated verification of program correctness.
Verification of security is not directly possible with such tools, because some important security policies cannot be characterized as properties of individual execution traces [42]. Rather, they are properties of sets of execution traces, also known as hyperproperties [16]. Specialized verification techniques have been developed for particular hyperproperties [30, 5, 47, 45], as well as for 2safety properties [58], which are properties of pairs of execution traces. But a unifying program logic for expressing and verifying hyperproperties could enable automated verification of a wide range of security policies.
In this paper, we propose two such logics. Both are based, like hyperproperties, on examining more than one execution trace at a time. Our first logic, HyperLTL, generalizes lineartime temporal logic (LTL) [48]. LTL implicitly quantifies over only a single execution trace of a system, but HyperLTL allows explicit quantification over multiple execution traces simultaneously, as well as propositions that stipulate relationships among those traces. For example, HyperLTL can express informationflow policies such as observational determinism [41, 50, 68], which requires programs to behave as (deterministic) functions from lowsecurity inputs to lowsecurity outputs. The following two programs do not satisfy observational determinism, because they leak the value of highsecurity variable through lowsecurity variable , thus making the program behave nondeterministically from a lowsecurity user’s perspective:
Other program logics could already express observational determinism or closely related policies [7, 45, 33]. Milushev and Clarke [44, 46, 45] have even proposed other logics for hyperproperties, which we discuss in Section 8. But HyperLTL provides a simple and unifying logic in which many informationflow security policies can be directly expressed.
Informationflow policies are not onesizefitsall. Different policies might be needed depending on the power of the adversary. For example, the following program does not satisfy observational determinism, but the program might be acceptable if nondeterministic choices, denoted , are resolved such that the probability distribution on output value is uniform:
On the other hand, if the adversary can influence the resolution of nondeterministic choices, program (3) could be exploited to leak information. Similarly, the following program does satisfy observational determinism, but the program might be unacceptable if adversaries can monitor execution time:
In Section 3, we show how policies appropriate for the above programs, as well as other security policies, can be formalized in HyperLTL.
Our second logic, , generalizes a branchingtime temporal logic, [21]. Although already has explicit trace quantifiers, only one trace is ever in scope at a given point in a formula (see Section 5.1), so cannot directly express hyperproperties. But can, because it permits quantification over multiple execution traces simultaneously. HyperLTL and enjoy a similar relationship to that of LTL and : HyperLTL is the syntactic fragment of containing only formulas in prenex form—that is, formulas that begin exclusively with quantifiers and end with a quantifierfree formula. is thus a strict generalization of HyperLTL. also generalizes a related temporal logic, SecLTL [20], and subsumes epistemic temporal logic [22, 60] (see Section 5).
Having defined logics for hyperproperties, we investigate model checking of those logics. In Section 6, we show that for the model checking problem is decidable by reducing it to the satisfiability problem for quantified propositional temporal logic (QPTL) [56]. Since generalizes HyperLTL, we immediately obtain that the HyperLTL model checking problem is also decidable. We present a hierarchy of fragments, which allows us to precisely characterize the complexity of the model checking problem in the number quantifier alternations. The lowest fragment, which disallows any quantifier alternation, can be checked by a spaceefficient polynomialtime algorithm (NLOGSPACE in the number of states of the program).
We also prototype a model checker that can handle an important fragment of HyperLTL, including all the examples from Section 3. The prototype implements a new model checking algorithm based on a wellknown LTL algorithm [65, 66] and on a selfcomposition construction [7, 58]. The complexity of our algorithm is exponential in the size of the program and doubly exponential in the size of the formula—impractical for realworld programs, but at least a demonstration that model checking of hyperproperties formulated in our logic is possible.
This paper contributes to theoretical and foundational aspects of security by:

defining two new program logics for expressing hyperproperties,

demonstrating that those logics are expressive enough to formulate important informationflow policies,

proving that the model checking problem is decidable, and

prototyping a new model checking algorithm and using it to verify security policies.
The rest of the paper is structured as follows. Section 2 defines the syntax and semantics of HyperLTL. Section 3 provides several example formulations of informationflow policies. Section 4 defines the syntax and semantics of . Section 5 compares our two logics with other temporal and epistemic logics. Section 6 obtains a model checking algorithm for . Section 7 describes our prototype model checker. Section 8 reviews related work, and Section 9 concludes.
2 HyperLTL
HyperLTL extends propositional lineartime temporal logic (LTL) [48] with explicit quantification over traces. A trace is an infinite sequence of sets of atomic propositions. Let denote the set of all atomic propositions. The set of all traces is therefore .
We first define some notation for manipulating traces. Let be a trace. We use to denote element of , where . Hence, is the first element of . We write to denote the prefix of up to and including element , and to denote the infinite suffix of beginning with element .
Syntax.
Let be a trace variable from an infinite supply of trace variables. Formulas of HyperLTL are defined by the following grammar:
Connectives and are universal and existential trace quantifiers, read as “along some traces” and “along all traces.” For example, means that for all traces and , there exists another trace , such that holds on those three traces. (Since branchingtime logics also have explicit path quantifiers, it is natural to wonder why one of them does not suffice to formulate hyperproperties. Section 5.1 addresses that question.) A HyperLTL formula is closed if all occurrences of trace variables are bound by a trace quantifier.
An atomic proposition , where , expresses some fact about states. Since formulas may refer to multiple traces, we need to disambiguate which trace the proposition refers to. So we annotate each occurrence of an atomic proposition with a trace variable . Boolean connectives and have the usual classical meanings. Implication, conjunction, and biimplication are defined as syntactic sugar: , and , and . True and false, written and , are defined as and .
Temporal connective means that holds on the next state of every quantified trace. Likewise, means that will eventually hold of the states of all quantified traces that appear at the same index, and until then holds. The other standard temporal connectives are defined as syntactic sugar: , and , and , and .
We also introduce syntactic sugar for comparing traces. Given a set of atomic propositions, holds whenever the first state in both and agree on all the propositions in . And . That is,
Semantics.
The validity judgment for HyperLTL formulas is written , where is a set of traces, and is a trace assignment (i.e., a valuation), which is a partial function mapping trace variables to traces. Let denote the same function as , except that is mapped to . We write trace set as a subscript on , because propagates unchanged through the semantics; we omit when it is clear from context. Validity is defined as follows:
Trace assignment suffix denotes the trace assignment for all . If holds for the empty assignment , then satisfies .
We are interested in whether programs satisfy formulas, so we first derive a set of traces from a program, first using Kripke structures as a unified representation of programs. A Kripke structure is a tuple comprising a set of states , an initial state , a transition function , a set of atomic propositions , and a labeling function . To ensure that all traces are infinite, we require that is nonempty for every state .
The set of traces of is the set of all sequences of labels produced by the state transitions of starting from initial state. Formally, contains trace iff there exists a sequence of states, such that is the initial state, and for all , it holds that ; and . A Kripke structure satisfies , denoted by , if satisfies .
It will later be technically convenient to consider enlarging the set of atomic propositions permitted by a Kripke structure to a set , such that . We extend into the set of traces that is agnostic about whether each new proposition holds at each state. A trace whenever , and for all : . The final conjunct requires every possible set of new atomic propositions to be included in the traces.
3 Security Policies in HyperLTL
We now put HyperLTL into action by formulating several informationflow security policies, which stipulate how information may propagate from inputs to outputs. Informationflow is a very active field in security; see [53, 23] for surveys.
Noninterference.
A program satisfies noninterference [26] when the outputs observed by lowsecurity users are the same as they would be in the absence of inputs submitted by highsecurity users. Since its original definition, many variants with different execution models have been named “noninterference.” For clarity of our examples, we choose a simple statebased synchronous execution model in which atomic propositions of the traces contain the values of program variables, and in which progress of time corresponds to execution steps in the model. We also assume that the variables are partitioned into input and output variables, and into two security levels, high and low. (We could handle lattices of security levels by conjoining several formulas that stipulate noninterference between elements of the lattice.)
Noninference [42] is a variant of noninterference that can be stated in our simple system model. Noninference stipulates that, for all traces, the lowobservable behavior must not change when all high inputs are replaced by a dummy input , that is, when the high input is removed. Noninference, a liveness hyperproperty [16], can be expressed in HyperLTL as follows:
(5) 
where expresses that all of the high inputs in the current state of are , and expresses that all low variables in and have the same values.
Nondeterminism.
Noninterference was introduced for use with deterministic programs. Nonetheless, nondeterminism naturally arises when program specifications abstract from implementation details, so many variants of noninterference have been developed for nondeterministic programs. We formalize two variants here.
A (nondeterministic) program satisfies observational determinism [68] if every pair of traces with the same initial low observation remain indistinguishable for low users. That is, the program appears to be deterministic to low users. Programs that satisfy observational determinism are immune to refinement attacks [68], because observational determinism is preserved under refinement. Observational determinism, a safety hyperproperty [16], can be expressed in HyperLTL as follows:
(6) 
where and express that both traces agree on the low input and low output variables, respectively.
Generalized noninterference (GNI) [39] permits nondeterminism in the lowobservable behavior, but stipulates that lowsecurity outputs may not be altered by the injection of highsecurity inputs. Like noninterference, GNI was original formulated for eventbased systems, but it can also be formulated for statebased systems [42]. GNI is a liveness hyperproperty and can be expressed as follows:
(7) 
The trace in (7) is an interleaving of the high inputs of the first trace and the low inputs and outputs of the second trace. Other security policies based on interleavings, such as restrictiveness [40], separability [42], and forward correctability [43] can similarly be expressed in HyperLTL.
Declassification.
Some programs need to reveal secret information to fulfill functional requirements. For example, a password checker must reveal whether the entered password is correct or not. The noninterference policies we have examined so far prohibit such behavior. More flexible security policies have been designed to permit declassification of information; see [54] for a survey.
With HyperLTL, we easily specify customized declassification policies. For example, suppose that a system inputs a password in its initial state, then declassifies whether that password is correct in the next state. The following policy (a safety hyperproperty) stipulates that leaking the correctness of the password is permitted, but that otherwise observational determinism must hold:
(8) 
where atomic proposition expresses that the entered password is correct.
Quantitative noninterference.
Quantitative informationflow policies [27, 13, 34, 15] permit leakage of information at restricted rates. One way to measure leakage is with minentropy [57], which quantifies the amount of information an attacker can gain given the answer to a single guess about the secret. The bounding problem [67] for minentropy is to determine whether that amount is bounded from above by a constant . Assume that the program whose leakage is being quantified is deterministic, and assume that the secret input to that program is uniformly distributed. The bounding problem then reduces to determining that there is no tuple of lowdistinguishable traces [57, 67] (a safety hyperproperty). We can express that as follows:
(9) 
The initial negation can pushed inside to obtained a proper HyperLTL formula.
Quantitative flow and entropy naturally bring to mind probabilistic systems. We haven’t yet explored extending our logics to enable specification of policies that involve probabilities. Perhaps techniques previously used with epistemic logic [28] could be adapted; we leave this as future work.
Eventbased systems.
Our examples above use a synchronous statebased execution model. Many formulations of security policies, including the original formulation of noninterference [26], instead use an eventbased system model, in which input and output events are not synchronized and have no relation to time. HyperLTL can express policies for asynchronous execution models, too. For example, HyperLTL can express the original definition of noninterference [26] and observational determinism; Appendix 0.A shows how. The key idea is to allow the system to stutter and to quantify over all stuttered versions of the executions. We characterize the correct synchronization of a pair of traces as having updates to low variables only at the same positions. We then add an additional antecedent to the policy formula to require that only those pairs of traces that are synchronized correctly need to fulfill the security condition.
4
HyperLTL was derived from LTL by extending the models of formulas from single traces to sets of traces. However, like LTL, HyperLTL is restricted to linear time and cannot express branchingtime properties (e.g., all states that succeed the current state satisfy some proposition). We show now that a branchingtime logic for hyperproperties could be derived from a branchingtime logic for trace properties, such as [21]. We call this logic . The key idea is again to use sets instead of singletons as the models of formulas.
Syntax.
generalizes HyperLTL by allowing quantifiers to appear anywhere within a formula. Quantification in is over paths through a Kripke structure. A path is an infinite sequence of pairs of a state and a set of atomic propositions. Hence, a path differs from a trace by including a state of the Kripke structure in each element. Formally, , where is the states of the Kripke structure. As with traces, denotes the element of , and denotes the suffix of beginning with element . We also define a new notation: let be the state in element of .
In , is a path variable and is a path quantifier. Formulas of are defined by the following grammar:
We introduce all the syntactic sugar for derived logical operators, as for HyperLTL. The universal quantifier can now be defined as syntactic sugar, too: . A formula is closed if all occurrences of some path variable are in the scope of a path quantifier. A specification is a Boolean combination of closed formulas each beginning with a quantifier (or its negation).
Semantics.
The validity judgment for formulas is written , where is a Kripke structure, and is a path assignment, which is a partial function mapping path variables to paths. We write as a subscript on , because propagates unchanged through the semantics; we omit when it is clear from context. Validity is defined as follows:
In the clause for existential quantification, denotes the path variable most recently added to (i.e., closest in scope to ). If is empty, let be the initial state of . It would be straightforward but tedious to further formalize this notation, so we omit the details. That clause uses another new notation, , which is the set of paths produced by Kripke structure beginning from state . Formally, contains path , where and , iff there exists a sequence of states, such that is , and for all , it holds that and .
Like with in HyperLTL, we define as follows: We have iff , and for all , it holds that .
We say that a Kripke structure satisfies a specification , denoted by , if holds true for the empty assignment. The model checking problem for is to decide whether a given Kripke structure satisfies a given specification.
vs. HyperLTL.
LTL can be characterized as the fragment of containing formulas of the form , where is the universal path quantifier and contains no quantifiers. Formula A is satisfied in by a Kripke structure iff is satisfied in LTL by the traces of the Kripke structure.
A similar relationship holds between HyperLTL and : HyperLTL can be characterized as the fragment of containing formulas in prenex form—that is, a series of quantifiers followed by a quantifierfree formula. A formula in prenex form is satisfied in by a Kripke structure iff is satisfied in HyperLTL by the traces of the Kripke structure. is a strict generalization of HyperLTL, which extends HyperLTL with the capability to use quantified formulas as subformulas in the scope of temporal operators. For example, consider the program
5 Related Logics
We now examine the expressiveness of HyperLTL and compared to several existing temporal logics: LTL, , QPTL, ETL, and SecLTL. There are many other logics that we could compare to in future work; some of those are discussed in Section 8.
5.1 Temporal Logics
is an extension of and therefore subsumes LTL, CTL, and . Likewise, HyperLTL subsumes LTL. But temporal logics LTL, CTL, and cannot express informationflow policies. LTL formulas express properties of individual execution paths. All of the noninterference properties of Section 3 are properties of sets of execution paths [42, 16]. Explicit path quantification does enable their formulation in HyperLTL.
Even though CTL and have explicit path quantifiers, informationflow security policies, such as observational determinism (6), cannot be expressed with them. Consider the following fragment of semantics:
Path formulas are modeled by paths , and state formulas are modeled by states . State formula holds at state when all paths proceeding from satisfy . Any state formula can be treated as a path formula, in which case holds of the path iff holds in the first state on that path. Using this semantics, consider the meaning of , which is the form of observational determinism (6):
Note how the meaning of is ultimately determined by the meaning of , where is modeled by the single path . Path is ignored in determining the meaning of ; the second universal path quantifier causes to “leave scope.” Hence cannot express correlations between and , as observational determinism requires. So path quantifiers do not suffice to express informationflow policies. Neither do CTL path quantifiers, because CTL is a sublogic of . In fact, even the modal calculus does not suffice to express some informationflow properties [2].
By using the selfcomposition construction [7, 58], it is possible to express relational noninterference in CTL [7] and observational determinism in [33]. Those approaches resemble , but formulas express policies directly over the original system, rather than over a selfcomposed system. Furthermore, the selfcomposition approach does not seem capable of expressing policies that require both universal and existential quantifiers over infinite executions, like noninference (5) and generalized noninterference (7). It is straightforward to express such policies in our logics.
Qptl.
Quantified propositional temporal logic (QPTL) [56] extends LTL with quantification over propositions, whereas HyperLTL extends LTL with quantification over traces. Quantification over traces is more powerful than quantification over propositions, as we now show.
QPTL formulas are generated by the following grammar, where :
All QPTL connectives have the same semantics as in LTL, except for propositional quantification:
Theorem 5.1.
HyperLTL subsumes QPTL, but QPTL does not subsume HyperLTL.
Proof sketch.
To express a QPTL formula in HyperLTL, rewrite the formula to prenex form, and rename all bound propositions with unique fresh names from a set . These propositions act as free variables, which are unconstrained because they do not occur in the Kripke structure. Replace each propositional quantification in the QPTL formula by a path quantification in the HyperLTL formula. And replace each occurrence of by . The result is a HyperLTL formula that holds iff the original QPTL formula holds.
But not all HyperLTL formulas can be expressed in QPTL. For example, QPTL cannot express properties that require the existence of paths, such as . ∎
In Section 6, we exploit the relationship between HyperLTL and QPTL to obtain a model checking algorithm for HyperLTL.
5.2 Epistemic Logics
HyperLTL and express informationflow policies by explicit quantification over multiple traces or paths. Epistemic temporal logic has also been used to express such policies [29, 4, 11, 62] by implicit quantification over traces or paths with the knowledge connective of epistemic logic [22]. We do not yet know which is more powerful, particularly for informationflow policies. But we do know that HyperLTL subsumes a common epistemic temporal logic.
Define ETL (epistemic temporal logic) to be LTL with the addition of under its perfect recall semantics [60, 4, 22]. The model of an ETL formula is a pair of a Kripke structure and a set of equivalence relations on , called the agents; each relation models the knowledge of an agent. (Interpreted systems, rather than Kripke structures, are often used to model ETL formulas [60, 22]. Interpreted systems differ in style but can be translated to our formulation.) In the asynchronous semantics of ETL, holds on state of trace , denoted , iff
where denotes stutterequivalence on finite traces with respect to . In the synchronous semantics of ETL, stutterequivalence is replaced by stepwiseequivalence.
The following two theorems show that HyperLTL subsumes ETL:
Theorem 5.2.
In the synchronous semantics, for every ETL formula and every set of agents, there exists a HyperLTL formula such that for all Kripke structures , we have iff .
Theorem 5.3.
In the asynchronous semantics, for every ETL formula and every set of agents, there exists a HyperLTL formula such that for all asynchronous Kripke structures , we have iff .
Proofs of both theorems appear in Appendix 0.B. Theorem 5.3 requires an additional assumption that is an asynchronous Kripke structure, i.e. that it can always stutter in its current state and that it is indicated in an atomic proposition whether the last state was a stuttering step.
HyperLTL and ETL have the same worstcase complexity for model checking, which is nonelementary. But, as we show in Section 6, the complexity of our model checking algorithm on the informationflow policies of Section 3 is much better—only NLOGSPACE (for observational determinism, declassification, and quantitative noninterference for a fixed number of bits) or PSPACE (for noninference and generalized noninterference) in the size of the system. For those policies in NLOGSPACE, that complexity, unsurprisingly, is as good as algorithms based on selfcomposition [7]. This ability to use a generalpurpose, efficient HyperLTL model checking algorithm for information flow seems to be an improvement over encodings of information flow in ETL.
5.3 SecLTL
SecLTL [20] extends temporal logic with the hide modality , which allows to express information flow properties such as noninterference [26]. The semantics of SecLTL is defined in terms of labeled transition system, where the edges are labeled with valuations of the set of variables. The formula specifies that the current valuations of a subset of the input variables are kept secret from an attacker who may observe variables in until the release condition becomes true. The semantics is formalized in terms of a set of alternative paths to which the main path is compared:
where is the equivalent Kripke structure for the labeled transition system (we will explain the translation later in this section.) A path satisfies the SecLTL formula , denoted by , iff
A labeled transition system satisfies a SecLTL formula , denoted by , if every path starting in the initial state satisfies .
SecLTL can express properties like the dynamic creation of secrets discussed in Section 4, which cannot be expressed by HyperLTL. However, SecLTL is subsumed by . To encode the hide modality in , we first translate into a Kripke structure , whose states are labeled with the valuation of the variables on the edge leading into the state. The initial state is labeled with the empty set. In the modified system, corresponds to the current labels. We encode as the following formula:
Theorem 5.4.
For every SecLTL formula and transition system , there is a formula such that iff .
6 Model Checking and Satisfiability
In this section we exploit the connection between and QPTL to obtain a model checking algorithm for and study its complexity. We identify a hierarchy of fragments of characterized by the number of quantifier alternations. This hierarchy allows us to give a precise characterization of the complexity of the model checking problem. The fragment of formulas with quantifier alternation depth 0 includes already many formulas of interest and our result provides an NLOGSPACE algorithm in the size of the Kripke structure.
Definition 1 (Alternation Depth).
A formula in NNF has alternation depth 0 plus the highest number of alternations from existential to universal and universal to existential quantifiers along any of the paths of the formula’s syntax tree starting in the root. Occurrences of and count as an additional alternation.
Theorem 6.1.
The model checking problem for specifications with alternation depth on a Kripke structure is complete for NSPACE and it is in NSPACE for some .
The function denotes a tower of exponentials of height with argument : and . NSPACE denotes the class of languages accepted by a Turing machine bounded in space by . Abusing notation, we define and NSPACE in .
Proof.
Both directions, the lower bound and the upper bound, are based on the complexity of the satisfiability problem for QPTL formulas in prenex normal form and with alternation depth , which is complete for NSPACE [56].
For the upper bound on the model checking complexity, we first translate until operators as encode a Kripke structure , where , as a QPTL formula (cf. [37]) using the set of atomic propositions , which must contain atomic propositions replacing those of and additional atomic propositions to describe the states . The formula is linear in and does not require additional quantifiers. . Let
path quantifiers and are then encoded as and , where is a set of fresh atomic propositions including a copy of and additional atomic propositions to describe the states . The formula is obtained from by replacing all atomic propositions referring to path by their copies in . Atomic propositions in the formula that are not in (i.e. their interpretation is not fixed in ) need to be added to the sets accordingly.
For the lower bound, we reduce the satisfiability problem for a given QPTL formula in prenex normal form to a model checking problem of . We assume, without loss of generality, that is closed (if a free proposition occurs in , we bind it with an existential quantifier) and each quantifier in introduces a different proposition.
The Kripke structure consists of two states , is fully connected for all , and has a single atomic proposition . The states are labeled as follows: and . Essentially, paths in can encode all sequences of valuations of a variable in QPTL. To obtain the formula, we now simply replace every quantifier in the QPTL formula with a path quantifier. The only technical problem left is that quantification in QPTL allows to choose freely the value of in the current state, while path quantification in only allows the path to differ in the next state. We solve the issue by shifting the propositions using a next operator. ∎
Lower bounds in .
An NLOGSPACE lower bound in the size of the Kripke structure for fixed specifications with alternation depth 0 follows from the nonemptiness problem of nondeterministic Büchi automata. For alternation depth 1 and more we can derive PSPACE hardness in the size of the Kripke structure from the encoding of the logic SecLTL into (see Subsection 5.3).
The result can easily be transferred to HyperLTL, since in the SecLTL formula that is used to prove PSPACE hardness, the Hide operator does not occur in the scope of temporal operators and hence the translation yields a HyperLTL formula.
Theorem 6.2.
For HyperLTL formulas the model checking problem is hard for PSPACE in the size of the system.
A Remark on Efficiency
The use of the standard encoding of the until operator in QPTL with an additional quantifier shown above is, in certain cases, wasteful. The satisfiability of QPTL formulas can be checked with an automatatheoretic construction, where we first transform the formula into prenex normal form, then generate a nondeterministic Büchi automaton for the quantifierfree part of the formula, and finally apply projection and complementation to handle the existential and universal quantifiers. In this way, each quantifier alternation, including the alternation introduced by the encoding of the until operators, causes an exponential blowup. However, if an until operator occurs in the quantifierfree part, the standard transformation of LTL formulas to nondeterministic Büchi automata handle this until operator without requiring a quantifier elimination, resulting in an exponential speedup.
Using this insight, the model checking complexity for many of the formulas presented above and in Section 3 can be reduced by one exponent. Additionally, the complexity with respect to the size of the system reduces to NLOGSPACE for formulas where the leading quantifiers are all of the same type and are followed by some quantifierfree formula which may contain until operators without restriction. Observational determinism and the declassification policy discussed in Section 3 are examples for specifications in this fragment. This insight was used for the prototype implementation described in Section 7 and it avoids an additional complementation step for noninference (5).
Satisfiability.
The positive result regarding the model checking problem for does not carry over to the satisfiability problem. The finitestate satisfiability problem consists of the existence of a finite model, while the general satisfiability problem asks for the existence of a possibly infinite model.
Theorem 6.3.
For , finitestate satisfiability is hard for and general satisfiability is hard for .
In the proof, located in Appendix 0.C, we reduce the LTL synthesis problem of distributed systems to the satisfiability problem of .
7 Prototype Model Checker
The results of the previous section yield a model checking algorithm for all of . But most of our informationflow policy examples do not require the full expressiveness of . In fact, we have been able implement a prototype model checker for an expressive fragment of the logic mostly using offtheshelf components.
Define as the fragment of HyperLTL (and of ) in which the series of quantifiers at the beginning of a formula may involve at most one alternation. Every formula in thus may begin with at most two (whence the name) kinds of quantifiers—a sequence of ’s followed by a sequence of ’s, or viceversa. For example, and are allowed, but is not. suffices to express all the security policies formulated in Section 3. (Another logic for hyperproperties, [45], similarly restricts fixpoint operator alternations with no apparent loss in expressivity for security policies.)
Our model checking algorithm for , detailed in Appendices 0.D and 0.E, is based on algorithms for LTL model checking [25, 64, 24]. Those LTL algorithms determine whether a Kripke structure satisfies an LTL formula by performing various automata constructions and by checking language containment. Our algorithm likewise uses automata constructions and language containment, as well as self composition [7, 58] and a new projection construction.
We prototyped this algorithm in about 3,000 lines of OCaml code. Our prototype accepts as input a Kripke structure and a formula, then constructs the automata required by our algorithm, and outputs a countermodel if the formula does not hold of the structure. For automata complementation, our prototype outsources to GOAL [59], an interactive tool for manipulating Büchi automata. We have used the prototype to verify noninference (5), observational determinism (6), and generalized noninterference (7) for small Kripke structures (up to 10 states); running times were about 10 seconds or less.
Since our algorithm uses automata complementation, the worstcase running time is exponential in the size of the Kripke structure’s state space and doubly exponential in the formula size. So as one might expect, our prototype currently does not scale to mediumsized Kripke structures (up to 1,000 states). But our purpose in building this prototype was to demonstrate a proofofconcept for model checking of hyperproperties. We conjecture that practical symbolic model checking algorithms, such as BMC and IC3, could be used to scale up our approach to realworld systems.
8 Related Work
McLean [42] formalizes security policies as closure with respect to selective interleaving functions. He shows that trace properties cannot express security policies such as noninterference and average response time, because those are not properties of single execution traces. Mantel [38] formalizes security policies with basic security predicates, which stipulate closure conditions for trace sets.
Clarkson and Schneider [16] introduce hyperproperties, a framework for expressing security policies. Hyperproperties are sets of trace sets, and are able to formalize security properties such as noninterference, generalized noninterference, observational determinism and average response time. Clarkson and Schneider use secondorder logic to formulate hyperproperties. That logic isn’t verifiable, in general, because it cannot be effectively and completely axiomatized. Fragments of it, such as HyperLTL and , can be verified.
Alur et al. [2] show that modal calculus is insufficient to express all opacity policies [9], which prohibit observers from discerning the truth of a predicate. (Alur et al. [2] actually write “secrecy” rather than “opacity.”) Simplifying definitions slightly, a trace property is opaque iff for all paths of a system, there exists another path of that system, such that and are lowequivalent, and exactly one of and satisfies . Noninference (5) is an opacity policy [52] that HyperLTL can express.
Huisman et al. reduce observationaldeterminism properties to properties in [33] and in modal calculus [32] on a selfcomposed system. Barthe et al. use self composition to verify observational determinism [7] and noninterference [6] on terminating programs. Van der Meyden and Zhang [63] reduce a broader class of informationflow policies to safety properties on a selfcomposed system expressible in standard linear and branching time logics, and use model checking to verify noninterference policies. Their methodology requires customized model checking algorithms for each security policy, whereas this work proposes a single algorithm for all policies.
Balliu et al. [4] use a lineartime temporal epistemic logic to specify many declassification policies derived from noninterference. Their definition of noninterference, however, seems to be that of observational determinism (6). They do not consider any informationflow policies involving existential quantification, such as noninference. They also do not consider systems that accept inputs after execution has begun. Halpern and O’Neill [29] use a similar temporal epistemic logic to specify secrecy policies, which subsume many definitions of noninterference; they do not pursue model checking algorithms.
Alur et al. [1] discuss branchingtime logics with path equivalences that are also able to express certain security properties. The authors introduce operators that resemble the knowledge operator of epistemic logics. As the logics build on branchingtime logics they are not subsumed by HyperLTL. The relationship to is still open.
Milushev and Clarke [44, 46, 45] propose three logics for hyperproperties:

Holistic hyperproperty logic , which is based on coinductive predicates over streams. Holistic hyperproperties “talk about whole traces at once; their specifications tend to be straightforward, but they are difficult to reason about, exemplified by the fact that no general approach to verifying such hyperproperties exists” [44]. HyperLTL and are logics that talk about whole traces at once, too; and they have straightforward specifications as well as a general approach to verification.

Another incremental hyperproperty logic , a fragment of polyadic modal calculus [3] that permits at most one quantifier alternation (a greatest fixedpoint followed by a least fixedpoint). There is an automated model checking technique [45] for based on parity games. That technique has been prototyped and applied to a few programs.
All these logics suffice to express security policies such as noninterference and generalized noninterference. Like our logics, the exact expressive limitation is still an open problem.
As the preceding discussion makes clear, the expressiveness of HyperLTL and versus several other logics is an open question. It’s possible that some of those logics will turn out to be more expressive or more efficiently verifiable than HyperLTL or . It’s also possible that it will turn out to be simply a matter of taste which style of logic is more suitable for hyperproperties. The purpose of this paper was to explore one design option: a familiar syntax, based on widelyused temporal logics, that can straightforwardly express wellknown hyperproperties.
9 Concluding Remarks
In designing a logic for hyperproperties, starting with HyperLTL was natural, because hyperproperties are sets of trace sets, and LTL uses trace sets to model programs. From HyperLTL, the extension to was also natural: we simply removed the restrictions on where quantifiers could appear. The curtailment to was also natural, because it was the fragment needed to express informationflow security policies. permits up to one quantifier alternation, but what about hyperproperties with more? We do not yet know of any security policies that are examples. As Rogers [49] writes, “The human mind seems limited in its ability to understand and visualize beyond four or five alternations of quantifier. Indeed, it can be argued that the inventions…of mathematics are devices for assisting the mind in dealing with one or two additional alternations of quantifier.” For practical purposes, we might not need to go much higher than one quantifier alternation.
Acknowledgements.
Fred B. Schneider suggested the name “HyperLTL.” We thank him, Rance Cleaveland, Rayna Dimitrova, Dexter Kozen, José Meseguer, and Moshe Vardi for discussions about this work. Adam Hinz worked on an early prototype of the model checker. This work was supported in part by AFOSR grant FA95501210334, NSF grant CNS1064997, the German Research Foundation (DFG) under the project SpAGAT within the Priority Program 1496 “Reliably Secure Software Systems — RS,” and Spanish Project “TIN201239391C0401 STRONGSOFT.”
References
 [1] R. Alur, P. Cerný, and S. Chaudhuri. Model checking on trees with path equivalences. In Proc. Tools and Algorithms for the Construction and Analysis of Systems, pages 664–678, Mar. 2007.
 [2] R. Alur, P. Černý, and S. Zdancewic. Preserving secrecy under refinement. In Proc. International Colloquium on Automata, Languages and Programming, pages 107–118, 2006.
 [3] H. R. Andersen. A polyadic modal mucalculus. Technical Report 1994145, Technical University of Denmark (DTU), 1994.
 [4] M. Balliu, M. Dam, and G. L. Guernic. Epistemic temporal logic for information flow security. In Proc. Workshop on Programming Languages and Analysis for Security, June 2011.
 [5] A. Banerjee and D. A. Naumann. Stackbased access control and secure information flow. Journal of Functional Programming, 15(2):131–177, 2005.
 [6] G. Barthe, J. M. Crespo, and C. Kunz. Beyond 2safety: asymmetric product programs for relational program verification. In Proc. Logical Foundations of Computer Science, pages 29–43, Jan. 2013.
 [7] G. Barthe, P. R. D’Argenio, and T. Rezk. Secure information flow by selfcomposition. In Proc. IEEE Computer Security Foundations Workshop, pages 100–114, June 2004.
 [8] J. Bradfield and C. Stirling. Modal mucalculi. In Handbook of Modal Logic, pages 721–756. Elsevier, Amsterdam, The Netherlands, 2007.
 [9] J. Bryans, M. Koutny, L. Mazaré, and P. Y. A. Ryan. Opacity generalised to transition systems. In Proc. Formal Aspects in Security and Trust, pages 81–95, July 2005.
 [10] J. R. Büchi. On a decision method in restricted second order arithmetic. In Proc. Logic, Methodology, and Philosophy of Science, pages 1–12, 1962.
 [11] R. Chadha, S. Delaune, and S. Kremer. Epistemic logic for the applied pi calculus. In Proc. Formal Techniques for Distributed Systems, pages 182–197, June 2009.
 [12] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: A new symbolic model verifier. In Proc. Computer Aided Verification, pages 495–499, July 1999.
 [13] D. Clark, S. Hunt, and P. Malacaria. Quantified interference for a while language. Electronic Notes in Theoretical Computer Science, 112:149–166, Jan. 2005.
 [14] E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. The MIT Press, Dec. 1999.
 [15] M. R. Clarkson, A. C. Myers, and F. B. Schneider. Quantifying information flow with beliefs. Journal of Computer Security, 17(5):655–701, Oct. 2009.
 [16] M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18(6):1157–1210, 2010.
 [17] M. Cohen and A. Lomuscio. Nonelementary speed up for model checking synchronous perfect recall. In Proc. European Conference on Artificial Intelligence, pages 1077–1078, Aug. 2010.
 [18] B. Cook, E. Koskinen, and M. Vardi. Temporal property verification as a program analysis task. In Proc. Computer Aided Verification, pages 333–348, July 2011.
 [19] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memoryefficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1(2/3):275–288, Oct. 1992.
 [20] R. Dimitrova, B. Finkbeiner, M. Kovács, M. N. Rabe, and H. Seidl. Model checking information flow in reactive systems. In Proc. International Conference on Verification, Model Checking, and Abstract Interpretation, pages 169–185, Jan. 2012.
 [21] E. A. Emerson and J. Y. Halpern. “Sometimes” and “not never” revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, Jan. 1986.
 [22] R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi. Reasoning About Knowledge. MIT Press, Cambridge, 1995.
 [23] R. Focardi and R. Gorrieri. Classification of security properties (Part I: Information flow). In International School on Foundations of Security Analysis and Design: Tutorial Lectures, pages 331–396, 2000.
 [24] P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation. In Proc. Computer Aided Verification, pages 53–65, July 2001.
 [25] R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple onthefly automatic verification of linear temporal logic. In Proc. Protocol Specification, Testing and Verification, pages 3–18, June 1995.
 [26] J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. IEEE Symposium on Security and Privacy, pages 11–20, Apr. 1982.
 [27] J. W. Gray, III. Toward a mathematical foundation for information flow security. In Proc. IEEE Symposium on Security and Privacy, pages 210–34, May 1991.
 [28] J. W. Gray, III and P. F. Syverson. A logical approach to multilevel security of probabilistic systems. Distributed Computing, 11(2):73–90, 1998.
 [29] J. Y. Halpern and K. R. O’Neill. Secrecy in multiagent systems. ACM Transactions on Information and System Security, 12(1):5:1–47, Oct. 2008.
 [30] C. Hammer and G. Snelting. Flowsensitive, contextsensitive, and objectsensitive information flow control based on program dependence graphs. International Journal of Information Security, 8(6):399–422, Dec. 2009.
 [31] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23:279–295, 1997.
 [32] M. Huisman and H. Blondeel. Modelchecking secure information flow for multithreaded programs. In Proc. Theory of Security and Applications, pages 148–165, Mar. 2011.
 [33] M. Huisman, P. Worah, and K. Sunesen. A temporal logic characterisation of observational determinism. In Proc. IEEE Computer Security Foundations Workshop, pages 3–15, July 2006.
 [34] B. Köpf and D. Basin. An informationtheoretic model for adaptive sidechannel attacks. In Proc. ACM Conference on Computer and Communications Security, pages 286–296, Oct. 2007.
 [35] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, 3(2):125–143, 1977.
 [36] P. Li and S. Zdancewic. Downgrading policies and relaxed noninterference. In Proc. Principles of Programming Languages, pages 158–170, Jan. 2005.
 [37] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. SpringerVerlag, New York, 1992.
 [38] H. Mantel. Possibilistic definitions of security—an assembly kit. In Proc. IEEE Computer Security Foundations Workshop, pages 185–199, July 2000.
 [39] D. McCullough. Noninterference and the composability of security properties. In Proc. IEEE Symposium on Security and Privacy, pages 177–186, Apr. 1988.
 [40] D. McCullough. A hookup theorem for multilevel security. Proc. IEEE Transactions on Software Engineering, 16(6):563–568, June 1990.
 [41] J. McLean. Proving noninterference and functional correctness using traces. Journal of Computer Security, 1(1):37–58, 1992.
 [42] J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In Proc. IEEE Symposium on Security and Privacy, pages 79–93, Apr. 1994.
 [43] J. K. Millen. Unwinding forward correctability. In Proc. IEEE Computer Security Foundations Workshop, pages 2–10, June 1994.
 [44] D. Milushev and D. Clarke. Towards incrementalization of holistic hyperproperties. In Proc. Conference on Principles of Security and Trust, pages 329–348, 2012.
 [45] D. Milushev and D. Clarke. Incremental hyperproperty model checking via games. In Proc. Nordic Conference on Secure IT Systems, pages 247–262, Oct. 2013.
 [46] D. V. Milushev. Reasoning about Hyperproperties. PhD thesis, Katholieke Universiteit Leuven, June 2013.
 [47] A. C. Myers. JFlow: Practical mostlystatic information flow control. In Proc. ACM Symposium on Principles of Programming Languages, pages 228–241, 1999.
 [48] A. Pnueli. The temporal logic of programs. In Proc. Foundations of Computer Science, pages 46–57, Sept. 1977.
 [49] H. Rogers. Theory of Recursive Functions and Effective Computability. MIT Press, Cambridge, Massachusetts, 1987.
 [50] A. W. Roscoe. CSP and determinism in security modelling. In Proc. IEEE Symposium on Security and Privacy, pages 114–127, May 1995.
 [51] R. Rosner. Modular synthesis of reactive systems. PhD thesis, The Weizmann Institue of Science, 1992.
 [52] P. Y. A. Ryan and T. Peacock. Opacity—further insights on an information flow property. Technical Report CSTR958, Newcastle University, Apr. 2006.
 [53] A. Sabelfeld and A. C. Myers. Languagebased informationflow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, Jan. 2003.
 [54] A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proc. IEEE Computer Security Foundations Workshop, pages 255–269, 2005.
 [55] S. Safra. Complexity of Automata on Infinite Objects. PhD thesis, The Weizmann Institue of Science, 1989.
 [56] A. P. Sistla, M. Y. Vardi, and P. Wolper. The complementation problem for Büchi automata with appplications to temporal logic. Theoretical Computer Science, 49:217–237, 1987.
 [57] G. Smith. On the foundations of quantitative information flow. In Proc. Conference on Foundations of Software Science and Computation Structures, pages 288–302, Mar. 2009.
 [58] T. Terauchi and A. Aiken. Secure information flow as a safety problem. In Proc. Static Analysis, pages 352–367, Sept. 2005.
 [59] Y. Tsay, Y. Chen, M. Tsai, K. Wu, and W. Chan. GOAL: a graphical tool for manipulating Büchi automata and temporal formulae. In Proc. Tools and Algorithms for the Construction and Analysis of Systems, pages 466–471, Mar. 2007.
 [60] R. van der Meyden. Axioms for knowledge and time in distributed systems with perfect recall. In Proc. IEEE Symposium on Logic in Computer Science, pages 448–457, 1993.
 [61] R. van der Meyden and N. V. Shilov. Model checking knowledge and time in systems with perfect recall. In Proc. Foundations of Software Technology and Theoretical Computer Science, pages 432–445, Dec. 1999.
 [62] R. van der Meyden and T. Wilke. Preservation of epistemic properties in security protocol implementations. In Proc. ACM Conference on Theoretical Aspects of Rationality and Knowledge, pages 212–221, 2007.
 [63] R. van der Meyden and C. Zhang. Algorithmic verification of noninterference properties. Electronic Notes in Theoretical Computer Science, 168:61–75, Feb. 2007.
 [64] M. Y. Vardi. An automatatheoretic approach to linear temporal logic. In Proc. Banff Higher Order Workshop, pages 238–266, Aug. 1996.
 [65] M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, 1994.
 [66] P. Wolper. Constructing automata from temporal logic formulas: A tutorial. In Lectures on Formal Methods and Performance Analysis, First EEF/Euro Summer School on Trends in Computer Science, pages 261–277. Springer, 2000.
 [67] H. Yasuoka and T. Terauchi. On bounding problems of quantitative information flow. In Proc. European Symposium on Research in Computer Security, pages 357–372, Sept. 2010.
 [68] S. Zdancewic and A. C. Myers. Observational determinism for concurrent program security. In Proc. IEEE Computer Security Foundations Workshop, pages 29–43, June 2003.
Appendix 0.A Eventbased Execution Model
0.a.1 Goguen and Meseguer’s noninterference
Noninterference.
A point of reference for most of the literature on information flow is the definition of noninterference that was introduced by Goguen and Meseguer in 1982 [26]. In this subsection, we show how to express noninterference in a simple HyperLTL formula.
The system model used in [26], which we will refer to as deterministic state machines, operates on commands that are issued by different users . The evolution of a deterministic state machine is governed by the transition function and there is a separate observation function that for each user indicates what he can observe.
We define standard notions on sequences of users and events. For and let denote the projection of to the commands issued by the users in . Further, we extend the transition function to sequences, , where the dot indicates concatenation. Finally, we extend the observation function to sequences , indicating the observation after : . Noninterference is then defined as a property on systems . A set of users does not interfere with a second group of users , if
That is, we ask whether the same output would be produced by the system, if all actions issued by any user in were removed.
Encoding GM’s System Model
First, we need to map their system model into Kripke structures as used for the formulation of (which, obviously, must not solve problem by itself). We choose an intuitive encoding of state machines in Kripke structures that indicates in every state (via atomic propositions) which observations can be made for the different users, and also which action was issued last, including the responsible user.
We choose a simple translation that maps a state machine to the Kripke structure , where , , , and the labeling function is defined as for the initial state and for all other states.
The transition function is defined as
Each state (except for the initial state) has labels indicating the command that was issued last, and the user that issued the command. The remaining labels denote the observations that the individual users can make in this state.
To access these two separate pieces of information, we introduce functions , which is not defined for , and (by abusing notation slightly), with their obvious meanings.
In this system model let mean that if we entered one of the states and with a user not in the users and commands must be identical. If both states are entered by users in then the commands may be different. The output equality on states , shall refer to the observations the users can make at this state. Then, noninterference can be expressed as follows:
Theorem 0.A.1.
There is a HyperLTL formula and an encoding of state machines into Kripke structures such that for every state machine , and groups of users and it holds iff does not interfere with in .
Proof.
The formula pattern
The subformula then requires that, if from that position on ’s input differs from the input of only in that it has an additional (secret) action by some user in , both paths must look equivalent from the view point of the users in . The interesting part here is the use of the next operator, as it enables the comparison of different positions of the traces. Thus, we compare path to all other paths that have one secret action less than itself. Hence, by transitivity of equivalence, we compare all paths to a version of itself that is stripped of all secret actions. ∎
0.a.2 Observational determinism
Theorem 0.A.2.
There is an encoding of programs as defined in [33] into Kripke structures, such that can express observational determinism.
Proof.
Huisman et al. [33] define observational determinism over programs in a simple while language, which is very similar to the execution model of [68]. First, they define a special version of selfcomposition on their programs that allows both sides to move independently by introduces stuttering steps. Then, they encode programs into Kripke structures that do not only maintain the current state, but also remember the last state. The formula is then proved to precisely express observational determinism. Since subsumes , we can make use of the same encoding of programs into Kripke structures, but we leave out the selfcomposition operation on programs. In order to reenable the correct synchronization of paths, however, we have to introduce stutter steps for single, not selfcomposed that is, programs.
We prepend the formula with two path quantifiers over paths and and we let those propositions of the formula that referred to the two copies of the program now refer to the two paths, respectively. ∎
0.a.3 Declassification
Likewise, HyperLTL can also express declassification properties in a programming language setting.
Corollary 1.
HyperLTL can express the declassification properties discussed in [4].
Appendix 0.B Epistemic Logics
We start with the proof that subsumes epistemic temporal logics under the assumption of synchronous time. That is, we assume the Kripke structure to have an atomic proposition that does nothing but switching its value in every step and that is observable by every agent. By this, the stutterequivalent comparison collapses to a stepwise comparison.
Theorem 0.B.1.
Under synchronous time semantics, for every epistemic temporal logic formula and every set of agents , there is a HyperLTL formula such that for all Kripke structures it holds iff .
Proof.
We start by considering the extension of HyperLTL with the knowledge operator with the semantics above. We prepend a universal path quantifier to the formula and apply a stepwise transformation to eliminate all knowledge operators. (Note that the semantics relations of linear time epistemic logics and and of have different parameters, but it is plain how to join them into a single relation .)
Let be a HyperLTL formula in NNF that possibly has knowledge operators. For brevity, we summarize the leading quantifiers of with , such that where is quantifierfree. Let and be propositions that does not refer to and that are not in the alphabet of the Kripke structure. In case a knowledge operator occurs in with positive polarity, translate into the following HyperLTL formula:
and, if the knowledge operator occurs negatively,
where denotes that in one positive or one negative occurrence, respectively, of the knowledge operator is replaced by proposition , and where is the path on which the knowledge operator that we currently eliminate was applied on (which could be a different path to the first one, in case of nested knowledge operators). We repeat this transformation until no knowledge operators remain.
Paths and are only used to carry the information about proposition and , respectively. That is, we use these paths to quantify over a sequence of atomic propositions, the same way the QPTL quantification works. The sequence of the atomic proposition indicates at which positions of a given trace the knowledge operator needs to be evaluated. There can be multiple such sequences (e.g. for a formula ) that would make the formula satisfied, so the sequence is existentially quantified (). We need to fix one particular of these sequences of applications of the knowledge operator in advance, because we cannot go back in time to the initial state where the quantification knowledge operator happens.
The sequence of atomic propositions is restricted to be true initially until it is globally false. In this way, we select a point in time until which the paths and are required to be equal w.r.t. the observations of agent (). At this selected point in time, if also the knowledge operator is required to hold (indicated by ) we need to check that the subformula of the knowledge operator is checked on the alternative path. We relaxed this condition to simplify the formula. Instead of the point in the sequence where switches from true to false, we apply subformula on all positions before the that point (). Since the sequences of are allquantified, this does not affect the meaning of the formula. ∎
Note that using past operator would simplify the encoding substantially, since we could more easily refer to the initial state where all paths in epistemic temporal logics branch.
We now discuss the adaptations necessary to extend the encoding from the proof of Theorem 0.B.1 to nonsynchronous systems. For asynchronous systems it is natural to assume that they may stutter in their current state. In this discussion, we also assume that it is visible whether an asynchronous system has last performed a stuttering step, or whether it performed an action. (It may also be possible for a Kripke structure to perform an action that stays in a state.) We call a Kripke structure with these properties an asynchronous Kripke structure.
The following proof of Theorem 5.3 is also a good example for the general treatment of asynchronous executions in .
Theorem 0.B.2.
For every epistemic temporal logic formula and every set of agents , there is a HyperLTL formula such that for all asynchronous Kripke structures it holds iff .
Proof.
We assume that the atomic proposition stutter describes that no action was performed in the last step.
Since there always is the option to stutter in a stat, the number of paths we quantify over is larger. The idea of the proof is to restrict this enlarged set of paths to those that do not stutter forever () and that synchronize correctly (
The encoding from the proof of Theorem 0.B.1 is now modified as follows for positively occurring knowledge operators:
and, for negatively occurring knowledge operators: