A Remark on the Expressivity of Asynchronous TeamLTL and HyperLTL

In 1977 Amir Pnueli [15] introduced a core concept in verification of reactive and concurrent systems: model checking of formulae of linear temporal logic ($\mathrm{LTL}$). The idea is to view the accepting executions of the system as a set of infinite sequences, called traces, and check whether this set satisfies specifications expressed in $\mathrm{LTL}$. The properties that can be checked by observing every execution of the system in isolation are called trace properties. An oft-cited example of a trace property is termination, which states that a system terminates if each of its computations terminates. Classical $\mathrm{LTL}$ is fit for the verification of such propositional trace properties, however some properties relevant in, for instance, information flow security are not trace properties. These properties profoundly speak of relations between traces. Clarkson and Schneider [3] coined the term hyperproperties to refer to such properties that lie beyond what $\mathrm{LTL}$ can express. Bounded termination is an easy to grasp example of a hyperproperty: whether every computation of a system terminates within some bound common for all traces, cannot be determined by looking at traces in isolation. In information flow security, dependencies between public observable outputs and secret inputs constitute possible security breaches; checking for hyperproperties becomes invaluable. Two well-known examples of hyperproperties from this field are noninterference  [17, 14], where a high-level user cannot affect what low-level users see, and observational determinism [20], meaning that if two computations are in the same state according to a low-level observer, then the executions will be indistinguishable. However, hyperproperties are not limited to information flow security; examples from different fields include distributivity and other system properties such as fault tolerance [6].

Given this background, several approaches to formally specifying hyperproperties have been proposed since 2010, with families of logics emerging from these approaches. The two major streams in the research regarding capturing hyperproperties are hyperlogics and logics that employ team semantics. In the hyperlogics approach, logics that capture trace properties are extended with trace quantification, extending logics such as $\mathrm{LTL}$, computation tree logic ($\mathrm{CTL}$) or quantified propositional temporal logic ($\mathrm{QPTL}$), into $\mathrm{HyperLTL}$ [2], $\mathrm{HyperCTL^{*}}$ [2], and $\mathrm{HyperQPTL}$ [16, 4], respectively. An alternative approach is to lift the semantics of the temporal logics from being defined on traces to sets of traces, by using what is known as team semantics. This approach yields logics such as $\mathrm{TeamLTL}$ [13, 8] and $\mathrm{Team}\mathrm{CTL}$[12, 8]. Since its conception, $\mathrm{TeamLTL}$ has been considered in two distinct variants: a synchronous semantics, where the team of traces agrees on the time step of occurrence when evaluating temporal operators; and an asynchronous semantics, where the temporal operators are evaluated independently on each trace. An example that illustrates the difference between these two semantics is the aforementioned termination and bound termination pair of properties. If we write $\operatorname{\mathsf{F}}$ for the future-operator and $\mathrm{terminate}$ for a proposition symbol representing the trace terminating, we can write the formula $\operatorname{\mathsf{F}}\mathrm{terminate}$, which under the synchronous semantics expresses the hyperproperty “bounded termination”, while under the asynchronous semantics the same formula defines the trace property “termination”. Not only is the above formulation of bounded termination clear and concise, it also illuminates a key difference between hyperlogics and team logics: while each formula of hyperlogic has a fixed number of quantifiers, which restricts the number of traces that can be referred to in a formula, which restricts the number of traces between which dependencies can be characterised by formulae, team logics have the ability to refer to an unbounded number of traces, even an infinite collection.

One of the original motivations behind team semantics [18] was to enable the definition of novel atomic formulae, and this is another important defining feature of team temporal logics as well. Among these atoms the dependence atom $\operatorname{\mathrm{dep}}(\bar{x},\bar{y})$ and inclusion atom $\bar{x}\subseteq\bar{y}$ stand out as the most influential. They respectively state that the variables $\bar{y}$ are functionally dependent on the variables $\bar{x}$, and that the values of the variables $\bar{x}$ also occur among the values of variables $\bar{y}$. As an example of the use of the inclusion atom, let the proposition symbols $o_{1},\dots,o_{n}$ denote public observable bits and assume that the proposition symbol $s$ is a secret bit. The atomic formula $(o_{1},\dots o_{n},s)\subseteq(o_{1},\dots o_{n},\neg s)$ expresses a form of non-inference by stating that an observer cannot infer the value of the confidential bit from the outputs.

While the expressivity of $\mathrm{HyperLTL}$ and other hyperlogics has been studied extensively, where the many extensions of $\mathrm{TeamLTL}$ lie in relation the hyperlogics is still not completely understood. The connections for the logics without extensions were already established in Krebs et al. [13], where they showed that synchronous $\mathrm{TeamLTL}$ and $\mathrm{HyperLTL}$ are expressively incomparable and that the asynchronous variant collapses to $\mathrm{LTL}$. With regards to the expressivity of synchronous semantics, Virtema et al. [19] showed that the extensions of $\mathrm{TeamLTL}$ can be translated to $\mathrm{HyperQPTL\textsuperscript{\hskip-2.0pt\small+}}$, which in turn extends $\mathrm{HyperLTL}$ with (non-uniform) quantification of propositions. Relating the logics to the first-order context, Kontinen and Sandström [10] defined Kamp-style translations from extensions of both semantics of $\mathrm{TeamLTL}$ to the three-variable fragment of first-order team logic. It is worth noting that recently asynchronous hyperlogics have been considered also in several other articles (see, e.g., [9, 1]). An example of the significant rift between asynchronous and synchronous $\mathrm{TeamLTL}$ is that the asynchronous semantics is essentially a first-order logic, while the synchronous semantics has second-order aspects. Especially the set-based variant of asynchronous $\mathrm{TeamLTL}$ can be translated, using techniques in [10], into first-order logic under team semantics, which is known to be first-order logic [18]. Similarly, $\mathrm{HyperLTL}$ is equally expressive as the guarded fragment of first-order logic with the equal level predicate, as was shown by Finkbeiner and Zimmermann [7].

In this article we focus on exploring the connections between fragments of $\mathrm{HyperLTL}$ and extensions of $\mathrm{TeamLTL}$. The set-based asynchronous semantics that we consider here was defined in Kontinen et al. [11] in order to further study the complexity of the model checking problem for these logics. Prior to that, the literature on temporal team semantics employed a semantics based on multisets of traces. In the wider team semantics literature, this often carries the name strict semantics, in contrast to lax semantics which is de facto a set-based semantics. This relaxation of the semantics enabled the definition of normal forms for the logics, which we use in this article to explore the connection with $\mathrm{HyperLTL}$.

Our contribution. We show correspondences in expressivity between the set-based variant of linear temporal logic under asynchronous team semantics and fragments of the Boolean closure of $\mathrm{HyperLTL}$. In particular we show that $\mathrm{LTL}$ under team semantics with the Boolean disjunction, $\mathrm{TeamLTL}(\varovee)$, is equi-expressive with the positive Boolean closure of $\mathrm{HyperLTL}$ restricted to only one universal quantifier, while the left downward closed fragment of $\mathrm{TeamLTL}(\sim)$ is equi-expressive with the Boolean closure of $\mathrm{HyperLTL}$ restricted to one universal quantifier.

We begin by defining the variant of $\mathrm{TeamLTL}$ and its extensions, as in [11].

Let $\mathrm{AP}$ be a set of atomic propositions. The formulae of $\mathrm{LTL}$ (over $\mathrm{AP}$) is attained by the grammar:

where $p\in\mathrm{AP}$. We follow the convention that all formulae of $\mathrm{TeamLTL}$ are given in negation normal form, where $\neg$ is only allowed before atomic propositions, as is customary when dealing with team semantics.

We will consider the extensions of $\mathrm{TeamLTL}$ with the Boolean disjunction $\varovee$, denoted $\mathrm{TeamLTL}(\varovee)$, and Boolean negation $\sim$, denoted $\mathrm{TeamLTL}(\sim)$.

A trace $t$ over $\mathrm{AP}$ is an infinite sequence of sets of proposition symbols from $(2^{\mathrm{AP}})^{\omega}$. Given a natural number $i\in\mathbb{N}$, we denote by $t[i]$ the $(i+1)$th element of $t$ and by $t[i,\infty]$ the suffix $(t[j])_{j\geq i}$ of $t$. We call a set of traces a team.

We write $\mathcal{P}(\mathbb{N})^{+}$ to denote $\mathcal{P}(\mathbb{N})\setminus\{\emptyset\}$. For a team $T\subseteq(2^{\mathrm{AP}})^{\omega}$ a function $f\colon T\rightarrow\mathcal{P}(\mathbb{N})^{+}$, we set $T[f,\infty]\mathrel{\mathop{:}}=\{t[s,\infty]\mid t\in T,s\in f(t)\}$. For $T^{\prime}\subseteq T$, $f\colon T\to\mathcal{P}(\mathbb{N})^{+}$, and $f^{\prime}\colon T^{\prime}\to\mathcal{P}(\mathbb{N})^{+}$, we define that $f^{\prime}<f$ if and only if

Note that the Boolean disjunction is definable in $\mathrm{TeamLTL}(\sim)$, as the dual of conjunction, i.e. $T\mathrel{\models^{l}}\varphi\varovee\psi$ if and only if $T\mathrel{\models^{l}}\sim(\sim\varphi\wedge\sim\psi)$.

Two important properties of team logics are flatness and downward closure. A logic has the flatness property if $T\mathrel{\models^{l}}\varphi$ if and only if $\{t\}\mathrel{\models^{l}}\varphi$ for all $t\in T$, holds for all formulae $\varphi$ of the logic. A logic is downward closed if for all formulae $\varphi$ of the logic if $T\mathrel{\models^{l}}\varphi$ and $S\subseteq T$ then $S\mathrel{\models^{l}}\varphi$. The following Proposition was proven in [11].

We consider the left-downward closed fragment of $\mathrm{TeamLTL}^{l}(\sim)$, denoted $\text{left-dc--}\mathrm{TeamLTL}^{l}(\sim)$, where every subformula of the form $\operatorname{\mathsf{G}}\psi$ or $\psi\operatorname{\mathsf{U}}\theta$, the subformula $\psi$ is a $\mathrm{TeamLTL}(\varovee)$-formula

It was established in [11] that any formula of $\mathrm{TeamLTL}^{l}(\varovee)$ can be equivalently expressed in $\varovee$-disjunctive normal form, i.e. in the form

where $\alpha_{i}$ are $\mathrm{LTL}$-formulae.

Similarly by [11], every formula of $\text{left-dc--}\mathrm{TeamLTL}^{l}(\sim)$ can be equivalently stated in quasi-flat normal form, which means in the form

where $\alpha_{i}$ and $\beta_{i,j}$ are $\mathrm{LTL}$-formulae, and $\exists\beta_{i,j}$ is an abbreviation for the formula $\sim\beta^{d}_{i,j}$, where $\beta^{d}_{i,j}$ is the formula obtained from $\neg\beta$, after $\neg$ has been pushed down to the atomic level.

Next we state the syntax and semantics of $\mathrm{HyperLTL}$, as defined in [2], as well as the Boolean closure concepts we are concerned with.

We denote the set of all traces by $\mathrm{TR}$ and the set of all trace variables by $\mathcal{V}$. For a trace assignment function $\Pi\colon\mathcal{V}\to\mathrm{TR}$, we write $\Pi[i,\infty]$ for the trace assignment defined through $\Pi[i,\infty]=\Pi(\pi)[i,\infty]$, and $\Pi[\pi\mapsto t]$ for the assignment that assigns $t$ to $\pi$, but otherwise is identical to $\Pi$.

The semantics for the Boolean closures are attained by relaxing the definition of conjunction $\wedge$, disjunction $\vee$, and $\neg$ to apply to any formula of the Boolean closure.

Using a suitable algorithm, all $\mathrm{BC}(\mathcal{L})$-formulae can be equivalently expressed in disjunctive normal form, i.e. as a disjunction of conjunctions with possibly a negation in front of each formula of $\mathcal{L}$. Similarly, all $\mathrm{PBC}(\mathcal{L})$-formulae can be equivalently expressed as

for some formulae $\varphi_{i,j}\in\mathcal{L}$ and index sets $I$ and $J$. From here on we use $I$ and $J$ to denote arbitrary index sets.

In this section we will explore the relationship between the logics by proving some correspondence theorems. First, however, we prove some pertinent propositions regarding the Boolean closure of $\mathrm{HyperLTL}$, showing that conjunction, disjunction and negation distribute over the quantifiers in a manner analogous to first-order logic. We go through these propositions in some detail as, although they appear familiar from the first-order setting, $\mathrm{HyperLTL}$ is usually considered only in the prenex normal form and thus these basic results are not explicitly addressed in the literature. Moreover, the proofs feature arguments that will be useful in subsequent proofs.

As usual, for logics $\mathcal{L}$ and $\mathcal{L}^{\prime}$, we write $\mathcal{L}\leq\mathcal{L}^{\prime}$, if for every $\mathcal{L}$-formula there exists an equivalent $\mathcal{L}^{\prime}$-formula. We write $\mathcal{L}\equiv\mathcal{L}^{\prime}$, if both $\mathcal{L}\leq\mathcal{L}^{\prime}$ and $\mathcal{L}^{\prime}\leq\mathcal{L}$.

The following remark, familiar from first-order logics, can be proven with a straight-forward induction over the length of the quantifier block.

One last remark before we get to the core results of this article, this time relating quantifier-free $\mathrm{HyperLTL}$-formulae with $\mathrm{LTL}$-formulae. The remark can again be proven by induction on the structure of the formula.

Using the above propositions we may now proceed with proving our main results: correspondence theorems between team logics and the Boolean closures of hyperlogics.

Note that $\mathrm{TeamLTL}$ has no separation between closed and open formulae, and has no features to encode trace assignments. Thus, when $\varphi$ is a formula of some team based logic $\mathcal{L}$ and $\psi$ is a formula of a hyper logic $\mathcal{L}^{\prime}$ without free variables, we say that $\varphi$ and $\psi$ are equivalent, if the equivalence $T\models\varphi\Leftrightarrow\emptyset\models_{T}\psi$, holds for all sets of traces $T$. The notations $\mathcal{L}\leq\mathcal{L}^{\prime}$ and $\mathcal{L}\equiv\mathcal{L}^{\prime}$ are then defined in the obvious way, by restricting $\mathcal{L}^{\prime}$ to formulae without free variables.

As a corollary we get that $\mathrm{TeamLTL}^{l}(\varovee)$ is subsumed by the universal fragment of $\mathrm{HyperLTL}$, which follows from Theorem 3.1 and the observations made in the proof of Proposition 2.

Note that another consequence of Theorem 3.1 is that $\forall\mathrm{HyperLTL}$ is strictly less expressive than $\mathrm{PBC}(\forall\mathrm{HyperLTL})$, as the former is equivalent with $\mathrm{LTL}$ [5] and thus has the flatness property, while the latter is equivalent with $\mathrm{TeamLTL}(\varovee)$, which does not satisfy flatness. This stands in contrast to the unrestricted universal fragment $\forall^{*}\mathrm{HyperLTL}$, which by Proposition 2 is equivalent to its positive Boolean closure.