Team Semantics for the Specification and Verification of Hyperproperties

09/25/2017 ∙ by Andreas Krebs, et al. ∙ UHasselt Universität Saarland uni hannover Universität Tübingen 0

We develop team semantics for Linear Temporal Logic (LTL) to express hyperproperties, which have recently been identified as a key concept in the verification of information flow properties. Conceptually, we consider an asynchronous and a synchronous variant of team semantics. We study basic properties of this new logic and classify the computational complexity of its satisfiability, path, and model checking problem. Eventually, we compare its expressivity to the one of HyperLTL, another recently introduced logic for hyperproperties. Our results show that LTL under team semantics is a viable alternative to HyperLTL, which complements the expressivity of HyperLTL and has better algorithmic properties.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.


We develop team semantics for Linear Temporal Logic (LTL) to express hyperproperties, which have recently been identified as a key concept in the verification of information flow properties. Conceptually, we consider an asynchronous and a synchronous variant of team semantics. We study basic properties of this new logic and classify the computational complexity of its satisfiability, path, and model checking problem. Further, we examine how extensions of these basic logics react on adding other atomic operators. Finally, we compare its expressivity to the one of HyperLTL, another recently introduced logic for hyperproperties. Our results show that LTL under team semantics is a viable alternative to HyperLTL, which complements the expressivity of HyperLTL and has partially better algorithmic properties.

1 Introduction

Guaranteeing security and privacy of user information is a key requirement in software development. However, it is also one of the hardest goals to accomplish. One reason for this difficulty is that such requirements typically amount to reasoning about the flow of information and relating different execution traces of the system. In particular, these requirements are no longer trace properties, i.e., properties whose satisfaction can be verified by considering each trace in isolation. For example, the property “the system terminates eventually” is satisfied if every trace eventually reaches a final state. Formally, a trace property  is a set of traces and a system satisfies if each of its traces is in .

In contrast, the property “the system terminates within a bounded amount of time” is no longer a trace property; consider a system that has a trace  for every , so that only reaches a final state after steps. This system does not satisfy the bounded termination property, but each individual trace  could also stem from a system that does satisfy it. Thus, satisfaction of the property cannot be verified by considering each trace in isolation.

Properties with this characteristic were termed hyperproperties by Clarkson and Schneider [DBLP:journals/jcs/ClarksonS10]. Formally, a hyperproperty  is a set of sets of traces and a system satisfies if its set of traces is contained in . The conceptual difference to trace properties allows specifying a much richer landscape of properties including information flow and trace properties. Further, one can also express specifications for symmetric access to critical resources in distributed protocols and Hamming distances between code words in coding theory [markusPhD]. However, the increase in expressiveness requires novel approaches to specification and verification.


Trace properties are typically specified in temporal logics, most prominently in Linear Temporal Logic ([Pnueli/1977/TheTemporalLogicOfPrograms]. Verification of specifications is routinely employed in industrial settings and marks one of the most successful applications of formal methods to real-life problems. Recently, this work has been extended to hyperproperties: , equipped with trace quantifiers, has been introduced to specify hyperproperties [DBLP:conf/post/ClarksonFKMRS14]. Accordingly, a model of a formula is a set of traces and the quantifiers range over these traces. This logic is able to express the majority of the information flow properties found in the literature (we refer to Section 3 of [DBLP:conf/post/ClarksonFKMRS14] for a full list). The satisfiability problem for is undecidable [finkbeiner_et_al:LIPIcs:2016:6170] while the model checking problem is decidable, albeit of non-elementary complexity [DBLP:conf/post/ClarksonFKMRS14, DBLP:conf/cav/FinkbeinerRS15]. In view of this, the full logic is too strong. Fortunately most information flow properties found in the literature can be expressed with at most one quantifier alternation and consequently belong to decidable (and tractable) fragments. Further works have studied runtime verification [DBLP:conf/rv/BonakdarpourF16, DBLP:conf/rv/FinkbeinerHST17], connections to first-order logic [DBLP:conf/stacs/Finkbeiner017], provided tool support [DBLP:conf/cav/FinkbeinerRS15, finkbeiner_et_al:LIPIcs:2016:6170], and presented applications to “software doping” [DBLP:conf/esop/DArgenioBBFH17] and the verification of web-based workflows [634]. In contrast, there are natural properties, e.g., bounded termination, which are not expressible in (which is an easy consequence of a much stronger non-expressibility result [BozzelliMP15]).

Team Semantics

Intriguingly, there exists another modern family of logics, Dependence Logics [vaananen07, DKV16], which operate as well on sets of objects instead of objects alone. Informally, these logics extend first-order logic (FO) by atoms expressing, e.g., that “the value of a variable  functionally determines the value of a variable ” or that “the value of a variable  is informationally independent of the value of a variable ”. Obviously, such statements only make sense when being evaluated over a set of assignments. In the language of dependence logic, such sets are called teams and the semantics is termed team semantics.

In 1997, Hodges introduced compositional semantics for Hintikka’s Independence-friendly logic [Hodges97c]. This can be seen as the cornerstone of the mathematical framework of dependence logics. Intuitively, this semantics allows for interpreting a team as a database table. In this approach, variables of the table correspond to attributes and assignments to rows or records. In 2007, Väänänen [vaananen07] introduced his modern approach to such logics and adopted team semantics as a core notion, as dependence atoms are meaningless under Tarskian semantics.

After the introduction of dependence logic, a whole family of logics with different atomic statements have been introduced in this framework: independence logic [gv13] and inclusion logic [Galliani12] being the most prominent. Interest in these logics is rapidly growing and the research community aims to connect their area to a plethora of disciplines, e.g., linguistics [dagstuhl15], biology [dagstuhl15], game [bradfield15] and social choice theory [shpitser15], philosophy [shpitser15], and computer science [dagstuhl15]. We are the first to exhibit connections to formal languages via application of Büchi automata (see Theorem 4.1). Team semantics has also found their way into modal [va08] and temporal logic [kmv15], as well as statistics [dhkmv16].

Recently, Krebs et al. [kmv15] proposed team semantics for Computation Tree Logic (CTL), where a team consists of worlds of the transition system under consideration. They considered synchronous and asynchronous team semantics, which differ in how time evolves in the semantics of the temporal operators. They proved that satisfiability is -complete under both semantics while model checking is -complete under synchronous semantics and -complete under asynchronous semantics.

Our Contribution

The conceptual similarities between and team semantics raise the question how an variant under team semantics relates to . For this reason, we develop team semantics for , analyse the complexity of its satisfiability and model checking problems, and subsequently compare the novel logic to .

When defining the logic, we follow the approach of Krebs et al. [kmv15] for defining team semantics for : we introduce synchronous and asynchronous team semantics for , where teams are now sets of traces. In particular, as a result, we have to consider potentially uncountable teams, while all previous work on model checking problems for logics under team semantics has been restricted to the realm of finite teams.

We prove that the satisfiability problem for team is -complete under both semantics, by showing that the problems are equivalent to satisfiability under classical semantics. Generally, we observe that for the basic asynchronous variant all of our investigated problems trivially reduce to and from classical semantics. However, for the synchronous semantics this is not the case for two variants of the model checking problem. As there are uncountably many traces, we have to represent teams, i.e., sets of traces, in a finitary manner. The path checking problem asks to check whether a finite team of ultimately periodic traces satisfies a given formula. As our main result, we establish this problem to be -complete for synchronous semantics. In the (general) model checking problem, a team is represented by a finite transition system. Formally, given a transition system and a formula, the model checking problem asks to determine whether the set of traces of the system satisfies the formula. For the synchronous case we give a polynomial space algorithm for the model checking problem for the disjunction-free fragment, while we leave open the complexity of the general problem. Disjunction plays a special role in team semantics, as it splits a team into two. As a result, this operator is commonly called splitjunction instead of disjunction. In our setting, the splitjunction requires us to deal with possibly infinitely many splits of uncountable teams, if a splitjunction is under the scope of a -operator, which raises interesting language-theoretic questions.

Further, we study the effects for complexity that follow when our logics are extended by dependence atoms and the contradictory negation. Finally, we show that under team semantics is able to specify properties which are not expressible in and vice versa.

Recall that satisfiability for is undecidable and model checking of non-elementary complexity. Our results show that similar problems for under team semantics have a much simpler complexity while some hyperproperties are still expressible (e.g., input determinism, see page 5, or bounded termination). This proposes under team semantics to be a significant alternative for the specification and verification of hyperproperties that complements .

2 Preliminaries

The non-negative integers are denoted by and the power set of a set  is denoted by . Throughout the paper, we fix a finite set  of atomic propositions.

Computational Complexity

We will make use of standard notions in complexity theory. In particular, we will use the complexity classes and . Most reductions used in the paper are -reductions, that is, polynomial time, many-to-one reductions.


A trace over is an infinite sequence from ; a finite trace is a finite sequence from . The length of a finite trace  is denoted by . The empty trace is denoted by and the concatenation of two finite traces  and by . Unless stated otherwise, a trace is always assumed to be infinite. A team is a (potentially infinite) set of traces.

Given a trace  and , we define , which we lift to teams  by defining . A trace  is ultimately periodic, if it is of the form  for two finite traces  and with . As a result, an ultimately periodic trace is finitely represented by the pair ; we define . Given a set  of such pairs, we define , which is a team of ultimately periodic traces. We call a team encoding of .

Linear Temporal Logic

The formulas of Linear Temporal Logic ([Pnueli/1977/TheTemporalLogicOfPrograms] are defined via the grammar where ranges over the atomic propositions in . The length of a formula is defined to be the number of Boolean and temporal connectives occurring in it. The length of an formula is often defined to be the number of syntactically different subformulas, which might be exponentially smaller. Here, we need to distinguish syntactically equal subformulas which becomes clearer after defining the semantics (see also Example 2 afterwards on this). As we only consider formulas in negation normal form, we use the full set of temporal operators.

Next, we recall the classical semantics of before we introduce team semantics. For traces  we define if , if , if , if , if , if , if , if and   , if or   .

Team Semantics for LTL

Next, we introduce two variants of team semantics for , which differ in their interpretation of the temporal operators: a synchronous semantics (), where time proceeds in lockstep along all traces of the team, and an asynchronous semantics () in which, on each trace of the team, time proceeds independently. We write whenever a definition coincides for both semantics. For teams let if , if , if and , if and , if . This concludes the cases where both semantics coincide. Next, we present the remaining cases for the synchronous semantics, which are inherited from the classical semantics of .

if ,
if ,
if and , and
if or .

Finally, we present the remaining cases for the asynchronous semantics. Note that, here there is no unique timepoint , but a timepoint for every trace , i.e., time evolves asynchronously between different traces.

if , for each :
if , for each : ,
if , for each : , and
  , for each : , and
if , for each : or
  , for each : .

We call expressions of the form splitjunctions to emphasise on the team semantics where we split a team into two parts. Similarly, the -operator is referred to as a splitjunction.

Let us illustrate the difference between synchronous and asynchronous semantics with an example involving the operator. Similar examples can be constructed for the other temporal operators (but for ) as well.


Let . We have that , as we can pick if , and if . On the other hand, there is no single  such that , as the occurrences of are at different positions. Consequently .

Moreover, consider the formula which is satisfied by on both semantics. However, is not satisfied by under synchronous semantics. Accordingly, we need to distinguish the two disjuncts and of to assign them to different teams.

property definition
empty team property
downwards closure implies :
union closure implies
flatness if and only if :
singleton equivalence if and only if
Figure 1: Structural properties overview.

In contrast, synchronous satisfaction implies asynchronous satisfaction, i.e., implies . The simplest way to prove this is by applying downward closure, singleton equivalence, and flatness (see Fig. 1). Example 2 shows that the converse does not hold.

Next, we define the most important verification problems for in team semantics setting, namely satisfiability and two variants of the model checking problem: For classical , one studies the path checking problem and the model checking problem. The difference between these two problems lies in the type of structures one considers. Recall that a model of an formula is a single trace. In the path checking problem, a trace  and a formula  are given, and one has to decide whether . This problem has applications to runtime verification and monitoring of reactive systems [kf09, ms03]. In the model checking problem, a Kripke structure  and a formula  are given, and one has to decide whether every execution trace  of satisfies .

The satisfiability problem of under team semantics is defined as follows.


LTL satisfiability w.r.t. teams () for .


formula .


Is there a non-empty team  such that ?

The non-emptiness condition is necessary, as otherwise every formula is satisfiable due to the empty team property (see Fig. 1).

We consider the generalisation of the path checking problem for (denoted by ), which asks for a given ultimately periodic trace  and a given formula , whether holds. In the team semantics setting, the corresponding question is whether a given finite team comprised of ultimately periodic traces satisfies a given formula. Such a team is given by a team encoding . To simplify our notation, we will write instead of .


TeamPathChecking () for .


formula and a finite team encoding .



Consider the generalised model checking problem where one checks whether the team of traces of a Kripke structure satisfies a given formula. This is the natural generalisation of the model checking problem for classical semantics, denoted by , which asks, for a given Kripke structure  and a given formula , whether for every trace of .

A Kripke structure  consists of a finite set  of worlds, a left-total transition relation , a labeling function , and an initial world . A path  through is an infinite sequence  such that and for every . The trace of is defined as . The Kripke structure  induces the team .


TeamModelChecking () for .


formula and a Kripke structure .



3 Basic Properties

We consider several standard properties of team semantics (cf., e.g. [DKV16]) and verify which of these hold for our two semantics for . These properties are later used to analyse the complexity of the satisfiability and model checking problems. To simplify our notation, denotes or . See Figure 1 for the definitions of the properties and a summary for which semantics the properties hold. The positive results follow via simple inductive arguments. For the fact that synchronous semantics is not union closed, consider teams and . Then, we have and but . Note also that flatness is equivalent of being both downward and union closed.

It turns out that, by Figure 1, under asynchronous team semantics is essentially classical LTL with a bit of universal quantification: for a team  and an -formula , we have if and only if . This however does not mean that under asynchronous team semantics is not worth of a study; it only means that asynchronous is essentially classical if we do not introduce additional atomic formulas that describe properties of teams directly. This is a common phenomenon in the team semantics setting. For instance, team semantics of first-order logic has the flatness property, but its extension by so-called dependence atoms, is equi-expressive with existential second-order logic [vaananen07]. Extensions of under team semantics are discussed in Section 5.

At this point, it should not come as a surprise that, due to the flatness property and singleton equivalence, the complexity of satisfiability, path checking, and model checking for under asynchronous team semantics coincides with those of classical semantics. Firstly, note that an -formula is satisfiable under asynchronous or synchronous team semantics if and only if there is a singleton team that satisfies the formula. Secondly, note that to check whether a given team satisfies under asynchronous semantics, it is enough to check whether each trace in the team satisfies under classical ; this can be computed by an -circuit using oracle gates for . Putting these observations together, we obtain the following results from the identical results for under classical semantics [Kuhtz10, kf09, ms03, SistlaC85].

The circuit complexity class encompass of polynomial sized circuits of depth and unbounded fan-in; is similarly defined but with bounded fan-in. A language is constant-depth reducible to a language , in symbols , if there exists a logtime-uniform -circuit family with oracle gates for that decides membership in . In this context, logtime-uniform

means that there exists a deterministic Turing machine that can check the structure of the circuit family

in time . For further information on circuit complexity, we refer the reader to the textbook of Vollmer [vol99]. Furthermore, is the set of languages which are logspace reducible to a deterministic context-free language.


  1. , , and are -complete w.r.t. -reductions.

  2. is in and -hard w.r.t. -reductions.

4 Classification of Decision Problems Under Synchronous Semantics

In this section, we examine the computational complexity of path and model checking with respect to the synchronous semantics. Our main result settles the complexity of . It turns out that this problem is harder than the asynchronous version.

if ,




if ,

at positions
Figure 2: Traces for the reduction defined in the proof of Lemma 4.

is -hard w.r.t. -reductions.


Determining whether a given quantified Boolean formula (qBf) is valid () is a well-known -complete problem [lad77]. The problem stays -complete if the matrix (i.e., the propositional part) of the given qBf is in 3CNF. To prove the claim of the lemma, we will show that . Given a quantified Boolean formula , we stipulate, w.l.o.g., that is of the form , where , , and are exactly the free variables of and pairwise distinct.

In the following we define a reduction which is composed of two functions and . Given a qBf , the function will define an -formula and will define a team such that is valid if and only if . Essentially, the team will contain three kinds of traces, see Figure 2: (i) traces which are used to mimic universal quantification ( and ), (ii) traces that are used to simulate existential quantification (), and (iii) traces used to encode the matrix of (). Moreover the trace (, resp.) is used inside the proof to encode an assignment that maps the variable true (false, resp.). Note that, are technically singleton sets of traces. For convenience, we identify them with the traces they contain.

Next we inductively define the reduction function that maps qBf-formulas to -formulas:

where is the 3CNF-formula with free variables ,

The reduction function that maps qBf-formulas to teams is defined as follows with respect to the traces in Figure 2.

where is the 3CNF-formula with free variables and

In Fig. 2, the first position of each trace is marked with a white circle. For instance, the trace of is then encoded via

The reduction function showing is then . Clearly and can be computed in linear time with respect to .

Intuitively, for the existential quantifier case, the formula allows to continue in with exactly one of or . If is a truth value then selecting in the team is the same as setting to . For the case of , the formula with respect to the team is similar to the existential case choosing to be whereas for one selects to be . The use of the until operator in combination with and then forces both cases to happen.

Let , where and let be an assignment of the variables in for . Then, let

We claim if and only if .

Note that when it follows that and that . Accordingly, the lemma follows from the claim of correctness. The claim is proven by induction on the number of quantifier alternations in .

Induction basis.

, this implies that is quantifier-free and .

”: Let s.t.  and . We assume w.l.o.g.  and to be disjoint, which is possible due to downwards closure. We then have that and , for, , does not appear positively in the trace . Due to construction of the traces, can only satisfy the subformula for . Moreover, note that there exists no such that for all ; hence falsifies . These two combined imply that , for each . However, for each , any two of , , can belong to and hence exactly one belongs to .

Now such that . Note that can be satisfied by only for . Since , it follows that , for each . Note also that, if it has to be in where is the variable of . By construction of the traces, if we have and if then . Thus, by construction of the traces , if then . Since, for each , there is a such that it follows that .

”: Now assume that . As a result, pick for each a single such that . Denote this sequence of choices by . Choose as follows:

Then , for exactly two traces per clause are in , and we can divide where

and, by construction of the traces, , for all . Further, note that , where

There are two possibilities:

  • : then .

  • : then .

In both cases, , and thus . Hence it follows that and the induction basis is proven.

Induction Step.

“Case .” We show that if and only if .

First note that iff , by the definitions of and . Clearly, , but both and . Observe that and does not appear positively anywhere in . Accordingly, and by downwards closure, if and only if


Since , Equation (1) holds if and only if , for some bit . By the induction hypothesis, the latter holds if and only if there exists a bit s.t. . Finally by the semantics of this holds if and only if .

“Case .” We need to show that if and only if