HYPERATL ∗ : A LOGIC FOR HYPERPROPERTIES IN MULTI-AGENT SYSTEMS

,


Introduction
Hyperproperties [CS10] are system properties that relate multiple computation paths of a system.Such properties are of increasing importance as they can, for example, characterize the information-flow in a system.A prominent logic to express hyperproperties is HyperLTL, which extends linear-time temporal logic (LTL) with explicit path quantification [CFK + 14].HyperLTL can, for instance, express generalized non-interference (GNI) [McC88], stating that the high-security input of a system does not influence the observable output: Here H is a set of high-security input propositions and O a set of outputs (for simplicity, we assume that there are no low-security inputs).In our model, the system thus generates a set of computations paths over H ∪ O, where each path corresponds to a possible input-output interaction with the system.The GNI formula then states that for any pair of paths π, π ′ there exists a third path π ′′ that agrees with the high-security inputs of π and with the outputs of π ′ .The existence of π ′′ guarantees that any observation on the outputs is compatible with every possible sequence of high-security inputs; non-determinism is the sole explanation for the output.can also be applied to transition systems (the standard model for the remaining logics) by interpreting transition systems as 1-agent systems (see Remark 2.1); the reverse does not hold, i.e., logics that are interpreted on transitions systems cannot reason about strategic abilities in multi-agent systems.
Existing hyperlogics (like HyperLTL) consider a system as a set of paths and quantify (universally or existentially) over those paths.In this paper, we introduce a novel class of hyperproperties that reason about strategic behavior in a multi-agent system where the paths of the system are outcomes of games played on a game structure.We introduce HyperATL * , a temporal logic to express hyperproperties in multi-agent systems.Our logic builds on the foundation laid by alternating-time temporal logic (ATL * ) [AHK02]. 1 While strategy quantifiers in ATL * can be nested (similar to CTL * ), the logic is unable to express hyperproperties, as the scope of each quantifier is limited to the current path.
In HyperATL * , we combine quantification over strategic behavior with the ability to express hyperproperties.Syntactically, our logic combines the strategic quantifier of ATL * but binds the outcome to a path variable: 2 The HyperATL * formula ⟪A⟫π.φ specifies that the agents in A have a strategy such that all outcomes under that strategy, when bound to the path variable π, satisfy φ.Similar to HyperLTL, quantification is resolved incrementally.For example, ⟪A⟫π.⟪A ′ ⟫π ′ .φ requires the existence of strategy for the agents in A such that for all possible outcomes under that strategy, when bound to π, the agents in A ′ have a strategy such that all possible outcomes, when bounds to π ′ , satisfy φ.In particular, the quantification over strategies for A ′ takes 1 ATL * is a temporal logic that extends CTL * by offering selective quantification over paths that are possible outcomes of games [AHK02].The ATL * quantifier ⟪A⟫φ states that the players in A have a joint strategy such that every outcome under that strategy satisfies φ.
2 Similar to logics such as HyperLTL, we use path variables as a syntactic tool to refer to paths that are place after π is fixed. 3We endow our logic with an explicit construct to resolve multiple games simultaneously (syntactically, we surround quantifiers by [⋅] brackets).The formula [⟪A⟫π.⟪A ′ ⟫π ′ ] φ requires winning strategies for the agents in A (for the first copy) and for A ′ (for the second copy) in a game that progresses simultaneously, i.e., the players can observe the current state of both copies.The resulting logic is very expressive and subsumes both the existing hyperlogic HyperCTL * [CFK + 14] (the branching-time extension of HyperLTL) and the alternating-time logic ATL * [AHK02].The resulting expensiveness hierarchy is depicted in Figure 1.
Reasoning about strategic hyperproperties in multi-agent systems is useful in various settings, including information-flow control and asynchronous hyperproperties.Consider the following two examples that demonstrate how we can use HyperATL * to express such strategic hyperproperties.
Application 1: Information-flow Control.We consider a strategic information-flow control property.Imagine a system where the non-determinism arises from a scheduling decision between two subprograms P 1 and P 2 .Each subprogram reads the next highsecurity input h of the system.Suppose that P 1 assumes that h is even and otherwise leaks information, while P 2 assumes that h is odd and otherwise leaks information.We can check GNI on the resulting system.In HyperLTL, quantification is resolved incrementally, so the witness path π ′′ is chosen after π and π ′ are already fixed.In particular, all future highsecurity input h are already determined, so a leakage disproving path π ′′ can be constructed (by always scheduling the copy that does not leak information on the next input); the system satisfies GNI .By contrast, an actual scheduler, who determines which subprogram handles the next input, cannot avoid information leakage.HyperATL * can express a stricter information-flow policy.As a first step, we consider the system as a game structure with two players.Player ξ H chooses (in each step) the values for the high-security inputs, and player ξ N resolves the remaining non-determinism of the system (i.e., the nondeterminism not caused by input selection).We give a concrete semantics into such a game structure in Section 8.1.Consider the following HyperATL * specification: This formula requires that for every possible path π, the non-determinism player ξ N has a strategy to produce identical outputs on π ′ against all possible moves by ξ H .As we consider the system as a game structure, any strategy for ξ N does not know which moves ξ H will play in the future.Any possible output of the system is thus achievable by a strategy only knowing the finite input history but oblivious to the future high-security inputs.The system sketched above does not satisfy this property.
A particular strength of this formulation is that we can encode additional requirements on the strategy for the scheduler.For example, if the internal non-determinism arises from the scheduling decisions between multiple components, we can, in addition, require fairness of the scheduling strategy.⊲ 3 This incremental elimination of quantification ensures that HyperATL * is a proper extension of HyperCTL * but is also crucial for decidable model checking.In fact, model checking for any logic that could express the existence of a strategy such that the set of outcomes under that strategy satisfies a hyperproperty, would already subsume the realizability problem for hyperproperties, which is known to be undecidable already for very simple fragments Application 2: Asynchronous Hyperproperties.
Most existing hyperlogics traverse the paths of a system synchronously.However, in many applications (for example, when reasoning about software), we require an asynchronous traversal to, e.g., account for the unknown speed of execution of software that runs on some unknown platform or to abstract away from intermediate (non-observable) program steps.Strategic hyperproperties enable reasoning over asynchronous hyperproperties by considering the execution speed of a system as being controlled by a dedicated scheduling player, which we add via a system transformation.Direct reasoning about asynchronicity is then replaced by reasoning about the strategic abilities of the scheduling player.
As an example, consider the program in Figure 2. It continuously reads a high-security input h and, depending on h, flips the output o either directly or via a temporary variable.Consider the HyperLTL specification ∀π.∀π ′ .(o π ↔ o π ′ ).It expresses observationaldeterminism (OD), i.e., it states that the output should be identical across all paths [HWS06].In Figure 2, the value of o is flipped in each loop iteration, but the exact timepoint at which the flip occurs depends on the high-security input; the program does not satisfy OD in the synchronous HyperLTL semantics.However, when executing the program, we might assume that an observer cannot detect this small timing difference and, instead, only observes the value of o whenever it is changed.We thus require a property that allows the paths of the program to be executed at different speeds to realign the output.To reason about this in HyperATL * , we extend the system with a scheduling agent sched that can stutter the system.That is, sched can, in each step, decide if the system makes a step or remains in its current state (we give a concrete construction for including sched in Section 5).On the resulting multi-agent system (which now includes agent sched ) we check the following HyperATL * property: This formula requires that the scheduler has a strategy to align any two program paths such that the output agrees.The additional requirement fair π ∧ fair π ′ ensures that both copies are scheduled infinitely many times (see Section 5 for details).By surrounding the quantifier with [⋅], both paths are resolved simultaneously (instead of incrementally), so the strategies in both copies can collaborate.The program in Figure 2 (with an added asynchronous scheduler) satisfies this HyperATL * property.Any two paths in the original system can thus be aligned (by stuttering for any finite number of steps) such that the output agrees globally.
This general style of asynchronous reasoning turns out to be remarkably effective: Verification is possible (decidable) for the full logic, and the approach subsumes the largest known decidable fragment of a recent asynchronous extension of HyperLTL [BCB + 21].⊲ Model Checking.We show that model checking of HyperATL * on concurrent game structures is decidable and present an automata-based model checking algorithm.Our algorithm incrementally reduces model checking to the emptiness of an automaton.By using alternating automata, we encode the strategic behavior of a game structure within the transition function of the automaton.To characterize its complexity, we partition HyperATL * formulas based on the number of complex quantifiers (i.e., quantifiers where the set of agents is non-trivial) and simple quantifiers (i.e., quantifiers that reason about all possible paths, irrespective of the strategic behavior in the system).For each fragment, we derive upper bounds on the model checking complexity, both in the size of the system and specification.Different from HyperLTL -where each alternation results in an exponential blowup [FRS15,Rab16,BF23a] -the strategic quantification in HyperATL * results in a double exponential blowup with each complex quantifier.Using a novel counter construction, we prove matching lower bounds on the HyperATL * model checking problem (in the size of both specification and system).
Prototype Model Checker.On the practical side, we present hyperatlmc, a prototype model checker for a fragment of HyperATL * .The fragment supported by our tool does, in particular, include all alternation-free HyperLTL formulas [FRS15], the model checking approach from [CFST19], and the formulas arising when expressing asynchronous hyperproperties in HyperATL * .
Contributions.In summary, our contributions include the following: • We introduce HyperATL * , a novel logic to express strategic hyperproperties in multi-agent systems.We demonstrate that HyperATL * can express many existing information-flow policies and offers a natural formalism to express asynchronous hyperproperties (subsuming the largest known decidable fragment of the logic presented in [BCB + 21]).• We give an automata-based model checking algorithm for HyperATL * and analyze its complexity (both in system and specification size) based on the number and type of quantifiers.• We prove matching lower bounds on the HyperATL * model checking problem via a novel counter construction.• We present hyperatlmc, a prototype-model checker for a fragment of HyperATL * , and use it to verify information-flow policies and asynchronous hyperproperties in small systems.This paper is an extended version of a preliminary conference version [BF21].Compared to the conference paper, this version contains detailed and streamlined proofs of the theoretical results.Moreover, we extend our earlier complexity bounds by also analyzing HyperATL * model-checking in the size of the system (in [BF21] we only consider the complexity in the size of the specification) and derive uniform lower and upper bounds that are stated purely in the number and type of the quantifiers (without side conditions needed in [BF21]).
Structure.The remainder of this paper is structured as follows.In Section 2, we introduce basic preliminaries and in Section 3 we develop HyperATL * .Afterward, in Sections 4 and 5, we present examples (ranging from information-flow policies to asynchronous hyperproperties) expressible in HyperATL * and connect to existing asynchronous hyperlogics.We discuss model checking on finite-state game structures in Section 6.In Section 7, we show matching lower bounds on the model checking problem.Finally, in Section 8, we report on our prototype model checker and discuss related work in Section 9.

Preliminaries
In this section, we introduce basic preliminaries on transition systems, game structures and alternating automata.For a set X, we write X * for the set of finite sequences over X, X + for the set of non-empty finite sequences, and X ω for the set of in infinite sequences.For an 13:6 infinite sequence u ∈ X ω and i ∈ N, we write u(i) ∈ X for the ith element (starting at the 0th) and u[i, ∞] ∈ X ω for the infinite-suffix starting at position i.For u 1 , . . ., u n ∈ X ω , we define ⊗(u 1 , . . ., u n ) ∈ (X n ) ω as the pointwise product, i.e., ⊗(u 1 , . . ., u n )(i) ∶= (u 1 (i), . . ., u n (i)).In case of only two sequences u 1 , u 2 , we write u 1 ⊗ u 2 instead of ⊗(u 1 , u 2 ).The pointwise product extends to finite sequences of the same length.We fix a finite set of atomic propositions AP and define Σ ∶= 2 AP .Transition Systems.A transition system is a tuple T = (S, s 0 , δ, L) where S is a finite set of states, s 0 ∈ S is an initial state, δ ⊆ S × S is a transition relation, and L ∶ S → Σ is a labeling function.We assume that for every s ∈ S there is at least one s ′ such that (s, s ′ ) ∈ δ.A path in T is an infinite sequence p ∈ S ω such that p(0) = s 0 and for every i ∈ N, (p(i), p(i + 1)) ∈ δ.

Concurrent Game Structures.
As the basic model of multi-agent systems we use game structures.A concurrent game structure (CGS) [AHK02] is an extension of a transition system in which the transition relation is composed of the moves of individual agents (also called players).Formally, a CGS is a tuple G = (S, s 0 , Ξ, M, δ, L).The finite set of states S, the initial state s 0 ∈ S, and the labeling L ∶ S → Σ are as in a transition system.Additionally, Ξ is a finite and non-empty set of agents (or players), M is a finite and non-empty set of moves, and δ ∶ S × (Ξ → M) → S is a transition function.We call a mapping σ ∶ Ξ → M a global move vector.Given a state and global move vector, the transition function δ determines a unique successor state.For a set of agents A ⊆ Ξ we call a function σ ∶ A → M a partial move vector.For disjoint sets of agents A 1 , A 2 ⊆ Ξ and partial move vectors σ i ∶ A i → M for i ∈ {1, 2} we define σ 1 + σ 2 ∶ A 1 ⊍ A 2 → M as the move vector obtained as the combination of the individual choices.For σ ∶ A → M and A ′ ⊆ A, we define σ |A ′ ∶ A ′ → M by restricting the domain of σ to A ′ .Remark 2.1.We can naturally interpret a transition systems as a 1-player CGS in which the move of the unique player determines the successor state of the system.Any temporal logic that specifies properties on game structures is thus also applicable in transition systems.⊲ Multi Stage Concurrent Game Structures.In a concurrent game structure (as the name suggests), all agents choose their next move concurrently, i.e., without knowing what moves the other players have chosen.We introduce the concept of a multi-stage game structure (MSCGS), in which the move selection proceeds in stages and agents can base their decision on the already fixed moves of (some of the) other agents.This is particularly useful when we, e.g., want to base a scheduling decision on the moves selected by the other agents.Formally, a MSCGS is a CGS equipped with a function d ∶ Ξ → N, that orders the agents according to informedness.Whenever d(ξ 1 ) < d(ξ 2 ), ξ 2 can base its next move on the move selected by ξ 1 .A CGS thus naturally corresponds to a MSCGS with d = 0, where 0 is the constant 0 function.

Strategies in Game Structures.
A strategy in a game structure is a function that maps finite histories of plays in the game to a move in M. As the plays in an MSCGS progress in stages, each decision is based on the past sequence of states and the fixed moves of all agents in previous stages.Formally, a strategy for an agent ξ ∈ Ξ is a function Note that in case where d = 0, a strategy can be seen as a function S + → M.

13:7
Definition 2.2.Given a set of agents A, a set of strategies F A = {f ξ | ξ ∈ A}, and a state s ∈ S, we define out(G, s, F A ) ⊆ S ω as the set of all runs u ∈ S ω such that 1) u(0) = s, and 2) for every i ∈ N there exists a global move vector σ ∶ Ξ → M with δ(u(i), σ) = u(i + 1) and for all ξ ∈ A we have σ Alternating Automata.For a set X, we write B + (X) for the set of positive boolean formulas over X with the standard propositional semantics.Given Ψ ∈ B + (X) and B ⊆ X we write B ⊧ Ψ if the assignment obtained from B by mapping all x ∈ B to true and all x / ∈ B to false satisfies Ψ.An alternating parity automaton (APA) is a tuple A = (Q, q 0 , Σ, ρ, c) where is a transition function, and c ∶ Q → N is a coloring of states.A tree is a set T ⊆ N * that is prefixed closed, i.e., τ ⋅ n ∈ T implies τ ∈ T .We refer to elements in τ ∈ T as nodes and denote with |τ | the length of τ (or equivalently the depth of the node).For a node τ ∈ T , we define children(τ ) as the set of immediate children of τ , i.e., children(τ ) ∶= {τ ⋅ n ∈ T | n ∈ N}.An X-labeled tree is a pair (T, r) where T is a tree and r ∶ T → X labels nodes with an element in X.A run of an APA A = (Q, q 0 , Σ, ρ, c) on a word u ∈ Σ ω is a Q-labeled tree (T, r) such that 1) r(ϵ) = q 0 , and 2) for all τ ∈ T , {r(τ A run (T, r) is accepting if, for every infinite path in T , the minimal color that occurs infinitely many times (as given by c) is even.We denote with L(A) the set of words for which A has an accepting run.We call an alternating automaton A non-deterministic (resp.universal) if the codomain of the transition function ρ consists of disjunctions (resp.conjunction) of states.If the codomain of ρ consists of atomic formulas (i.e., formulas without boolean connectives that only consist of a single positive state atom), we call A deterministic. 4 Alternating, non-deterministic, universal, and deterministic parity automata all recognize the same class of languages (namely ω-regular ones) although they can be (double) exponentially more succinct.
Theorem 2.3 [MH84,DH94].For every alternating parity automaton A with n states, there exists a non-deterministic parity automaton A ′ with 2 O(n log n) states that accepts the same language.For every non-deterministic or universal parity automaton A with n states, there exists a deterministic parity automaton A ′ with 2 O(n log n) states that accepts the same language.
Theorem 2.4.For every alternating parity automaton A with n states, there exists an alternating parity automaton A with O(n) states that accepts the complemented language.If A is non-deterministic (resp.universal), A is universal (resp.non-deterministic).

HyperATL*
In this section, we introduce HyperATL * .Our logic extends CTL * [EH86] by introducing path variables (similar to HyperCTL * [CFK + 14]) and strategic quantification (similar to ATL * [AHK02]).Assume a fixed set of agents Ξ and let V be a finite set of path variables.HyperATL * formulas are generated by the following grammar In a non-deterministic or universal automaton, we interpret ρ as a function Q × Σ → 2 Q .In a deterministic automaton, we interpret ρ as a function Q × Σ → Q.

13:8
where π ∈ V is a path variable, a ∈ AP an atomic proposition, and A ⊆ Ξ a set of agents.Quantification of the form ⟪A⟫π. φ binds a path to path variable π, and a π refers to the truth value of a on the path bound to variable π.A formula is closed if all sub-formulas a π occur in the scope of a quantifier that binds π; throughout the paper we assume all formulas to be closed.We use the usual derived boolean connectives ∨, →, ↔, the boolean constants true (⊺) and false ( ), and temporal operators eventually ( φ ∶= ⊺ U φ), globally ( φ ∶= ¬ ¬φ), and weak until (φ W ψ ∶= (φ U ψ) ∨ φ).
The strategic quantifier ⟪A⟫π.φ postulates that the agents in A have a joint strategy such that every outcome under that strategy, when bound to path variable π, satisfies φ.Trivial agent sets, i.e., A = ∅ or A = Ξ, correspond to classical existential or universal quantification.We therefore write ∀π.φ instead of ⟪∅⟫π.φ and ∃π.φ instead of ⟪Ξ⟫π.φ.For a single agent ξ ∈ Ξ, we sometimes write ⟪ξ⟫π.φ instead of ⟪{ξ}⟫π.φ.We define A π. φ ∶= ¬⟪A⟫π.¬φ which states that the agents in A have no strategy such that every outcome, when bound to π, avoids φ (see [AHK02]).We call a quantifier ⟪A⟫π simple if the agent-set A is trivial (∅ or Ξ) and otherwise complex.
A HyperATL * formula is linear if it consists of an initial quantifier prefix followed by a quantifier-free formula, i.e., has the form Q 1 π 1 . . .Q n π n .ψ where ψ is quantifier-free and each Q i is either ⟪A⟫ or A for some A. Linear-HyperATL * is thus the syntactic subfragment of HyperATL * that is analogous to the definition of HyperLTL as a syntactic fragment of HyperCTL * [CFK + 14].
Semantics.The semantics of HyperATL * is defined with respect to a game structure G = (S, s 0 , Ξ, M, δ, d, L) and a path assignment Π, which is a partial mapping Π ∶ V ⇀ S ω .For π ∈ V and path p ∈ S ω we write Π[π ↦ p] for the assignment obtained by updating the value of π to p.We write Π[i, ∞] to denote the path assignment defined by Π Here Π(ϵ) refers to the path that was last added to the assignment (similar to the HyperCTL * semantics [CFK + 14]). 5If Π is the empty assignment, we define Π(ϵ)(0) as the initial state s 0 of G.We say that G satisfies φ, written G ⊧ φ, if ∅ ⊧ G φ where ∅ is the empty path assignment.
Remark 3.1.Note that the games used to produce paths in a strategy quantification ⟪A⟫π.φ are local, i.e., the outcome of the game is fixed (and bound to π) before φ is evaluated further.The strategy for agents in A is quantified after the outer paths (those bound to the path variables that are free in ⟪A⟫π.φ) are already fixed.For example, in a formula of the form ∀π. ⟪A⟫π ′ .φ the agents in A know the already fixed path bound to π but behave as a strategy w.r.t.π ′ .In particular, any formula using only simple quantification 5 If we assume the path variables quantified in a formula are distinct (which we can always ensure by α-renaming), we can view a path assignment Π as a finite list of pairs in V × S ω , interpret Π[π ↦ p] as appending the pair (π, p) to the list, and interpret Π(ϵ) as the path of the last pair in the list. 13:9 (i.e., only ∀ and ∃ quantifiers) corresponds directly to the (syntactically identical) HyperCTL * property.⊲ Proposition 3.2.HyperATL * subsumes ATL * .When interpreting transitions systems as 1-player CGSs (cf.Rem.2.1), HyperATL * subsumes HyperCTL * (and thus HyperLTL).The resulting hierarchy is depicted in Figure 1.
Extension 1: Extended Path Quantification.Oftentimes, it is convenient to compare different game structures with respect to a hyperproperty.For linear HyperATL * properties, we consider formulas with extended path quantification.We write ⟪A⟫ G π. φ to quantify path π via a game played in G.For example, states that for each path π in G the agents in A have a strategy in G ′ that produces only paths π ′ which agree with π on o (where o is a shared proposition between G and G ′ ).6 Extension 2: Parallel Composition.We extend HyperATL * with a syntactic construct that allows multiple paths to be resolved in a single bigger game, where individual copies of the system progress in parallel.Consider the following modification to the HyperATL * syntax, where k ≥ 1: When surrounding strategy quantifiers by [⋅], the resulting paths are the outcome of a game played on a bigger, parallel game of the structure.Consequently, the agents in each copy can base their decisions not only on the current state of their copy but on the combined state of all k copies (which allows for a coordinated behavior among the copies).For a player ξ and CGS G = (S, s 0 , Ξ, M, δ, L), a k-fold strategy for ξ is a function f ξ ∶ (S k ) + → M.
We evaluate the resulting formula no longer on a single system G but on a mapping N that maps system variables to game structures.Each quantifier ⟪A⟫ν π. φ is then resolved on system N (ν).The interesting case in the semantics thus becomes Here, N (ν)0 is the initial state in game structure N (ν), and F A ranges over strategies for the agents in A in game structure N (ν).Note that this is only possible for linear formulas, as each play starts in the initial state of the game structure, irrespective of the current path assignment.See [Rab16, §5.4] for details on the extended path quantification in the context of HyperCTL * .

Strategic Hyperproperties and Information-Flow Control
Before discussing the automated verification of HyperATL * properties, we consider example properties expressed in HyperATL * .We organize our examples into two categories.We begin with examples from information-flow control and highlight the correspondence with existing properties and security paradigms (this is done in this section).Afterward (in Section 5), we show that strategic hyperproperties are naturally suited to express asynchronous hyperproperties.
Remark 4.1.In our discussion of information-flow policies, we focus on game structures that result from reactive systems.Let H, L, and O be pairwise disjoint sets of atomic propositions denoting high-security inputs, low-security inputs, and outputs, respectively.We consider a system as a 3-player game structure comprising agents ξ N , ξ H , and ξ L responsible for resolving non-determinism, selecting high-security, and selecting low-security inputs, respectively.In particular, the move from ξ H (resp. ξ L ) determines the values of the propositions in H (resp. L) in the next step.Agent ξ N resolves the remaining non-determines in the system.We call a CGS of the above form a progCGS (program-CGS).We will see a concrete transformation of programs into progCGSs in Section 8.1.For now, we rely on the reader's intuition.We call a progCGS input-total if, in each step, ξ H and ξ L can choose all possible valuations for the input propositions in H and L, respectively; we assume all progCGSs in this section to be input total.⊲ 4.1.Strategic Non-Interference.In the introduction, we already saw that, in some cases, generalized non-interference [McC88] is a too relaxed notion of security, as the witness path is fixed knowing the entire future input-output behavior.Recall the definition of GNI (compared to the definition in the introduction, we now also support low-security inputs): In HyperATL * , we express In this formula, a strategy for the ξ N and ξ L should construct a path π ′ that agrees with the low-security inputs and outputs of π.Note that ξ L only determines the value of the propositions in L, so any winning strategy for ξ L is "deterministic" in the sense that it needs to copy the low-security inputs from π. Agent ξ N needs to resolve the non-determinism but does not know the future high-security inputs on π ′ (as those are chosen by ξ H ). If there exists a winning strategy for ξ N that avoids information leakage, there also exists a path (in the sense of GNI ) that disproves leakage.
Proof.We show the contraposition and assume that G / ⊧ GNI.There thus exists paths p H and p L,O such that no path in G agrees with the high inputs of p H and low-security inputs and outputs of p L,O .We show that G / ⊧ stratNI.For the universally quantified path bound to π we choose p L,O and argue that ξ N , ξ L have no winning strategy to construct π ′ .A spoiling strategy for ξ H is the one that, in each step, chooses the high-security inputs in accordance with p H (which is possible as the system is input-total).A winning strategy for 13:11 ξ N and ξ L would then need to construct a path that agrees with p H on H and with p L,O on L ∪ O which, by assumption, does not exist.4.2.Parallel Composition and ∀∃-verification.Our next examples make use of the parallel composition offered by quantification of the form [⟪A 1 ⟫π 1 . . .⟪A k ⟫π k ].We consider the model checking algorithm for ∀ * ∃ * -HyperLTL formulas introduced by Coenen et al. [CFST19].The idea is to consider the verification of HyperLTL formula ∀π.∃π ′ .φ as a game between the ∀-player and ∃-player.The ∀-player moves through a copy of the state space (thereby producing a path π), and the ∃-player reacts with moves in a separate copy (thereby producing a path π ′ ).The ∃-player wins if π ′ combined with π satisfies φ, in which case the property holds. 7In HyperATL * , we can express this game-based verification approach as a logical statement: Formula [∀π.∃π ′ ] φ requires a strategy that constructs π ′ when played in parallel with a game that constructs π.A system thus satisfies [∀π.∃π ′ ] φ exactly if the property can be verified in the game-based approach from [CFST19].
Phrased differently, while [CFST19] derives a verification method, HyperATL * can express both the original HyperLTL property and its game-based verification method as formulas; the correctness of the algorithm from [CFST19] becomes a logical implication in HyperATL * .Lemma 4.3 states a more general implication (by considering a property of the form ∀π. ⟪A⟫π ′ .φ instead of ∀π.∃π ′ .φ).
Lemma 4.3.Let G be any game structure and φ be any be the set of strategies for the agents in A that is wining, i.e., for every (p, p ′ ) ∈ out(G, (s 0 , s 0 ), ∅, F A ) we have [π ↦ p, π ′ ↦ p ′ ] ⊧ φ.We show that G ⊧ ∀π.⟪A⟫π ′ .φ.Let Π = [π ↦ p] be any path assignment for π (which is universally quantified).We construct a winning strategy ξ disregards most of the already fixed path p and queries f ξ on prefixes of p.
Using Lemma 4.3 (which generalizes easily to formulas of the form ∀π 1 . . .∀π k .⟪A⟫π ′ .φ), we can, for example, strengthen GNI by surrounding the quantifier prefix with [⋅] brackets.We can manually increase the lookahead to enable the strategy that is constructing path π ′ to peek at future events on π 1 , . . ., π k by shifting the system.Definition 4.4.For a game structure G = (S, s init , Ξ, M, δ, L) and n ≥ 1 we define where s 0 , . . ., s n−1 are fresh states not already in S. The transition function δ ′ is defined by System shift(G, n) shifts the behavior of G by adding n initial steps before continuing as in G.We express a shifted approximation of GNI as follows.
We shift the behavior of the copy on which π ′′ is constructed by n positions which we correct using n s in the body of the formula.It is easy to see that if G ⊧ aproxGNI n for some n, then G ⊧ GNI.8 4.3.Simulation-based Non-Interference.The previously discussed information-flow policies are path-based.By contrast, simulation-based definitions of non-interference require a lock-step security simulation that disproves leakage (see, e.g., [SS00, Sab03, MS10]).Let G = (S, s 0 , {ξ N , ξ L , ξ H }, M, δ, L) be a progCGS.For states s, s ′ ∈ S and evaluations i L ∈ 2 L and i H ∈ 2 H , we write s , there exists a move vector σ such that δ(s, σ) = s ′ ).
Definition 4.5.A security simulation is a relation R ⊆ S × S such that whenever (s, t) ∈ R, we have 1) s and t agree on the output propositions, i.e., L(s) ∩ O = L(t) ∩ O, and 2) for any Note that this is not equivalent to the fact that R is a simulation in the standard sense [Mil80] as the second condition is asymmetric in the high-security inputs.We call G simulation secure if there exists a security simulation R with (s 0 , s 0 ) ∈ R [Sab03, SS00].It is easy to see that every input-total system that is simulation secure satisfies GNI .The converse does, in general, not hold.In HyperATL * , we can express simulation security.
Here we shift the path π ′ by one position (shift(G, 1)), which we correct using the .The shifting allows the strategy for ξ N in the second copy to base its decision on an already fixed step in the first copy, i.e., it corresponds to a strategy with a fixed lookahead of 1 step.
Lemma 4.6.A progCGS G is simulation secure if and only if G ⊧ simSec.
Proof.We only sketch the high-level idea as the proof is similar to the well-known characterization of simulations and bisimulations as two-player games [Sti95] .For the first direction, we assume that G is simulation secure and let R be a security simulation witnessing this.The idea of the strategy for ξ N is to choose successors such that the parallel game between both copies is always in R-related states (after shifting).This is possible as long as the premise of simSec is not violated.By the definition of security simulations, this already implies (⋀ a∈O a π ↔ ◯a π ′ ).Note that the shifting is key, so the strategy for ξ N fixes a move after the universally quantified path chooses a successor (as in the definition of security simulation).For the second direction, assume ξ N has a winning strategy.We construct the relation R by defining (s, t) ∈ R whenever the pair (s, t) occurs in the (shifted) parallel composition in any play for which the premise of simSec holds.4.4.Non-Deducibility of Strategies.As the last example in this section, we consider non-deducibility of strategies (NDS ) [WJ90].NDS requires that every possible output is compatible with every possible input-strategy (whereas GNI requires it to be compatible with every possible input-sequence).The subtle difference between sequences and strategies is important when a high-security input player can observe the internal state of a system.As a motivating example, consider the following (first introduced in [WJ90]): Example 4.7.Suppose we have a system that reads a binary input h from a high-security source and outputs o.The system maintains a bit b of information in its state, initially chosen non-deterministically.In each step, the system reads the input h, outputs h⊕b (where ⊕ is the xor-operation), non-deterministically picks a new value for b and then repeats.As ⊕ encodes an one-time pad, it is not hard to see that this system satisfies GNI : Given any input, any output is possible by resolving the non-deterministic choice of b appropriately.
If the input player is, however, able to observe the system (in the context of [WJ90] the system shares the internal bit on a private channel), she can communicate an arbitrary sequence of bits to the low-security environment.Whenever she wants to send bit c, she inputs h = c ⊕ b where b is the value of the internal bit (note that Instead of requiring that every output sequence is compatible with all possible highsecurity input sequences, we require it to be compatible with all possible high-security input strategies.Phrased differently, there should not be an output sequence such that a strategy for the input-player can avoid this output. This formula states that there does not exist a path π such that ξ H has a strategy to avoid the output of π (provided with the same low-security inputs).The system sketched in Example 4.7 does not satisfy NDS (there, e.g., exists a strategy for ξ H that ensures that the output o is always set to true).Note that, due to determinacy of parity games, NDS is equivalent to stratNI on turn-based game structures.

Strategic and Asynchronous Hyperproperties
Most existing hyperlogics traverse the paths of a system synchronously.However, especially when reasoning about software systems, one requires an asynchronous traversal to account, for example, for the unknown execution speed or to abstract away from intermediate (nonobservable) program steps.In this section, we outline how strategic hyperproperties are useful to express such asynchronous hyperproperties.The idea is to express asynchronous hyperproperties by viewing the stuttering of a system (i.e., whether a system progresses or remains in its current state) as being resolved by a dedicated player (which we call scheduling player).Quantification over strategies of the scheduling player then naturally corresponds to asynchronous reasoning.That is, instead of reasoning about the (asynchronous) scheduling of a system directly, we reason about strategies for the scheduling agent.This style of asynchronous reasoning can express many properties while remaining fully decidable (as model checking of HyperATL * is decidable, see Section 6) and yields formulas that are automatically checkable (see Section 8).
13:14 5.1.Scheduling Player and Stuttering Transformation.We call a player sched an asynchronous scheduler if it can decide whether the system progresses (as decided by the other agents) or stutters.Note that this differs from the asynchronous turn-based games as defined in [AHK02].In our setting, the scheduler does not control which of the player controls the next move but rather decides if the system as a whole progresses or stutters.In cases where the system does not already include an asynchronous scheduler, we can include a scheduler via a simple system transformation.
Definition 5.1.Given a game structure G = (Q, q 0 , Ξ, M, δ, d, L) over AP and a fresh agent sched not already included in Ξ, define the stutter version of G, denoted G stut , as the game structure over AP ⊍ {stut} by Here, proj i is the projection of the ith element in a tuple, ○ denotes function composition, and represents an arbitrary value in that position.In G stut , the agents of the original game structure G, fix moves in M and thereby determine the next state of the system.In addition, the {↣, }-decision of scheduling player determines if the move is actually executed (↣) or if the system remains in its current state ( ).As sched sits in the last stage of the MSCGS, the scheduling decision is based on the already fixed moves of the agents in Ξ.The extended state-space Q × {0, 1} is used to keep track of the stuttering, which becomes visible via the new atomic proposition stut.

Observational Determinism.
As a warm-up, we again consider the property of observational-determinism which states that the output along all paths is identical, i.e., ∀π.∀π ′ .( ⋀ a∈O a π ↔ a π ′ ).We already argued that the example program in the introduction (in Figure 2) does not satisfy this property (if interpreted as a transition system in the natural way), as the output changes at different time points.To express an asynchronous version of OD, we reason about (a strategy for) the scheduling player on the transformed system.
where fair π ∶= ¬stut π , asserts that the system may not be stuttered forever.Note that we encapsulated the quantifiers by [⋅], thus resolving the games in parallel.Note that sched only controls the stuttering and not the path of the underlying system.The example from Figure 2, after the stuttering transformation, satisfies this formula, as the output can be aligned by the scheduling player.5.3.One-Sided Stuttering.By resolving the stuttered paths incrementally (i.e., omitting the [⋅]-brackets), we can also express one-sided stuttering, i.e., allow only the second copy to be stuttered.As an example, assume P h is a program written in a higher-level programming language and P l the complied program into a low-level language (e.g., assembly code).Let T h and T l be transition systems of both programs, and consider the property that the low-level program exhibits the same output as the original program.As the compiler breaks 13:15 each program statement into multiple low-level instructions, the outputs will not match in a synchronous manner.Instead, the system T h may need to stutter for the low-level program to "catch up".Using Definition 5.1 we can express this as follows.
i.e., for every execution π of low-level program we can stutter the high-level program such that the observations align.5.4.Asynchronous HyperLTL.We compare the strategic approach to asynchronicity of HyperATL * (in Section 5.2) with asynchronous HyperLTL (AHLTL for short) [BCB + 21], a recent extension of HyperLTL specifically designed to express asynchronous properties.AHLTL is centered around the stuttering of a path.A path p ′ is a stuttering of p, written p ⊴ p ′ , if it is obtained by stuttering each step in p finitely often.Formulas in AHLTL quantify universally or existentially over stuttering of paths.For example, the AHLTL formula ∀π 1 . . .∀π n .E. φ holds on a transition system T (written T ⊧ AHLTL ∀π 1 . . .∀π n .E. φ) if for all path p 1 , . . ., p n in the T , there exists stutterings p ′ 1 , . . ., p ′ n (i.e., p i ◁ p ′ i for all i) that (when bound to π 1 , . . ., π n ) satisfy φ.Different from the asynchronous treatment in HyperATL * , the stuttering in AHLTL is thus quantified after all paths are fixed.
Finite-state model checking of AHLTL is undecidable, already for formulas of the form ∀π 1 .∀π 2 .E. φ [BCB + 21].The largest known fragment of AHLTL with decidable model checking problem are formulas of the form ∀π 1 . . .∀π n .E. φ where φ is an admissible formula.An admissible formula has the form where φ state is a state-formula, i.e., uses no temporal operators, each φ i stut is a stutter invariant formula that only refers to a single path variable, and φ phase is a phase formula which is a conjunction of formulas of the form ⋀ a∈P (a π i ↔ a π j ).The phase formula requires the two paths π i and π j to traverse the same sequence (phases) of "colors" (as defined by P ).See [BCB + 21, §4.1] for a more detailed discussion.
By replacing the stuttering quantifier E in AHLTL with strategy quantification in HyperATL * we obtain a sound approximation for formulas of the form ∀π 1 . . .∀π n .E. φ.
Proof.Let T = (S, s 0 , δ, L).We first show that 5.1 implies 5.2.Assume 5.1 and let f i sched ∶ (S n ) + → M × {↣, } for 1 ≤ i ≤ n be a winning strategy for the scheduler.To show 5.2, let p 1 , . . ., p n be any paths in T .For each 1 ≤ i ≤ n we define a stuttered version p ′ i such that p i ⊴ p ′ i .As intermediate steps we define p 1,m , . . ., p n,m ∈ S m and c 1,m , . . ., c n,m ∈ N for each m ∈ N ≥1 by recursion on m.For m = 1, we set p i,1 = p i (0), i.e., a path of length 1 and We then set p i,m ∶= p i,m ⋅ p i (c i,m ) (where ⋅ denotes sequence concatenation).Define p ′ i ∈ S ω as the limit of {p i,m } m∈N ≥1 (which exists as p i,m is a prefix of p i,m+1 for every m).It is easy to see that p i ⊴ p ′ i (the fairness assumption in 5.1 ensures that a path is not stuttered forever).Moreover [π 1 ↦ p ′ 1 , . . ., π n ↦ p ′ n ] ⊧ φ holds as {f i sched } n i=1 is winning, and so [π 1 ↦ p 1 , . . ., π n ↦ p n ] ⊧ AHLTL E. φ as required.
For the second direction, assume that 5.2 holds and that φ is admissible.Let φ = φ state ∧ ( ⋀ l i=1 φ i stut ) ∧ φ phase .State formula φ state only refers to the initial states (as it is free of temporal operators) and φ i stut is, by assumption, stutter invariant, so any fair scheduling chosen by sched satisfies both φ state and ⋀ l i=1 φ i stut .Let φ phase = ⋀ a∈P (a π 1 ↔ a π 2 ) be the phase formula.We say two states s, s ′ ∈ S are about to change phase if for some a ∈ P we have a ∈ L(s) / ↔ a ∈ L(s ′ ).In this case, we write change(s, s ′ ).The strategy for the scheduler has access to both the current state s 1 , s 2 of both copies and the next state s ′ 1 , s ′ 2 in both copies (as the scheduler sits at the last stage of T stut ).The joint strategy for the scheduler in both copies behaves as follows: If change(s 1 , s ′ 1 ) ↔ change(s 2 , s ′ 2 ) holds, i.e., either both or none of the copies are about to change phase, it schedules both copies.Otherwise, it only schedules the copy that is not about to change phase.This ensures that phase changes occur synchronized in both copies.As we assumed 5.2, there is a stuttering for all paths in the system such that φ phase holds, i.e., all paths traverse the same phases, albeit at possibly different speeds.It is easy to see that the strategy defined above creates an alignment into identical phases for any two paths of the system.Consequently, any play compatible with this strategy satisfies φ phase (and therefore also φ), and so 5.1 holds as required.
Theorem 5.2 gives a sound approximation of the (undecidable) AHLTL model checking that is exact for admissible formulas.As HyperATL * model checking is decidable (see Section 6) and the stuttering construction T stut is effectively computable, we derive an alternative proof of the decidability result from [BCB + 21].In summary, HyperATL * subsumes the largest (known) decidable fragment of AHLTL, while enjoying decidable model checking for the full logic (see the following Section 6).Moreover, the HyperATL * formula 5.1 constructed in Theorem 5.2 falls in the fragment supported by our model checker (see Section 8).

Automata-Based Model Checking
In this section, we present an automata-based model checking algorithm for HyperATL * , i.e., given a formula φ (we use the dot to refer to the original formula and use φ, ψ to refer to sub-formulas of φ) and a game structure G = (S, s 0 , Ξ, M, δ, d, L) we decide if G ⊧ φ.Before discussing our verification approach, let us briefly recall ATL * model checking [AHK02] and why the approach is not applicable to HyperATL * .In ATL * , checking if ⟪A⟫φ holds in some state s can be reduced to the non-emptiness check of the intersection of two tree automata.One accepting all possible trees that can be achieved via a strategy for players in A starting in s, and one accepting all trees whose paths satisfy the path formula φ [AHK02].In our hyperlogic, this is not possible.When checking ⟪A⟫π.φ, we cannot construct an automaton accepting all trees that satisfy φ, as the satisfaction of φ depends on the paths assigned to the outer path-quantifiers (which are not yet fixed).
Instead, we construct an automaton that accepts all path assignments for the outer quantifiers for which there exists a winning strategy for the agents in A (similar to the model checking approach for HyperCTL * [FRS15]).Different from the approach for HyperCTL * , we 13:17 cannot resolve path quantification via an existential or universal product construction and instead encode the strategic behavior of G within the transition function of an alternating automaton.
In the following, we 1) define a notion of equivalence between formulas and automata and discuss the overall model checking algorithm (in Section 6.1), 2) give an inductive construction of an equivalent automaton (in Section 6.2), 3) prove the construction correct (in Section 6.3), and 4) discuss the complexity of our algorithm (in Section 6.4).
6.1.G-Equivalence and Model Checking Algorithm.Recall that for paths p 1 , . . ., p n ∈ S ω , ⊗(p 1 , . . ., p n ) ∈ (S n ) ω denotes the pointwise product (also called the zipping).Assume that some HyperATL * formula ψ contains free path variables π 1 , . . ., π n (in our algorithm ψ is a sub-formula of φ that occurs under path quantifiers that bind π 1 , . . ., π n ).We say that an automaton A over alphabet Σ ψ ∶= S n is G-equivalent to ψ, if for any paths p 1 , . . ., p n it holds that That is, A accepts a zipping of paths exactly if the path assignment constructed from those paths satisfies the formula; A summarizes all path assignments for the free variables that satisfy a formula.Now let φ be the formula to be checked.Our model checking algorithm progresses in an (inductive) bottom-up manner and constructs an automaton A ψ that is G-equivalent for each subformula ψ of φ (we give the construction in the next section).Consequently, we obtain an automaton A φ over alphabet Σ φ = S 0 that is G-equivalent to φ.By definition of G-equivalence, A φ is non-empty iff ∅ ⊧ G φ iff G ⊧ φ.As emptiness of alternating parity automata is decidable [MH84,BKR10] we can decide whether G ⊧ φ. 6.2.Construction of G-Equivalent Automata.In the following, we give a construction of a G-equivalent automaton for each syntactic construct of HyperATL * .The most interesting case is the construction for a formula φ = ⟪A⟫π.ψ where we construct an automaton A φ over Σ φ = S n from an automaton A ψ over Σ ψ = S n+1 by a suitable product construction with G that takes the strategic behavior in the game structure into account.We split the construction into the cases of logical and temporal operators (in Figure 3), simple quantification (in Figure 4), and complex quantification (in Figure 5).
Boolean And Temporal Operators.For the boolean combinators and temporal operators, our construction follows the standard translation from LTL to alternating automata (see, e.g., [MSS88] or [FRS15] for details).We give the construction in Figure 3. Simple Quantification.We now consider the case where φ = ⟪A⟫π.ψ and focus on the case where the quantifier is simple.Assume that A = Ξ, i.e., φ = ∃π.ψ.The construction of A φ is similar to the one in [FRS15,BF23a] by building a product of A ψ and G.We give the construction in Figure 4.Here A ndet ψ is a non-deterministic automaton equivalent to A ψ , which we can obtain (with an exponential blowup) via Theorem 2.3.The automaton A φ guesses a path in G and tracks the acceptance of A ψ on this path combined with the input word over S n , i.e., every accepting run of A φ on ⊗(p 1 , . . ., p n ) guesses a path p in G such that A ψ accepts ⊗(p 1 , . . ., p n , p).Note that in this case A φ , is again a non-deterministic automaton.The case where A = ∅ (i.e., φ = ∀π.ψ) can be handled using complementation: . Automaton construction for boolean and temporal operators.
Here, A ψ i = (Q i , q 0,i , Σ ψ i , ρ i , c i ) for i ∈ {1, 2} are inductively constructed alternating automata for sub-formulas ψ 1 and ψ 2 .We assume that Q 1 and Q 2 are disjoint sets of states and q init is a fresh state.For two colorings We write [q ↦ n] for the function {q} → N that maps q to n.
As ∀π.φ ≡ ¬∃π.¬φ we can combine the construction for existential quantification (in Figure 4) with the construction for negation in Figure 3. Importantly, in cases where A = ∅, the automaton A φ is universal.
Strategic Quantification.Lastly, we consider the case of (proper) complex quantification, i.e., the case where φ = ⟪A⟫π.ψ and A ≠ ∅ and A ≠ Ξ. 9 In our construction, A φ encodes the strategic behavior of the agents in A. We achieve this by encoding the strategic play of the game structure within the transition function of A φ .We give the construction in Figure 5.Here A det ψ is a deterministic automaton equivalent to A ψ which we obtain (with a double exponential blowup) via Theorem 2.3.The transition function encodes the strategic behavior by disjunctively choosing moves for players in A, followed by a conjunctive 9 Note that the construction in Figure 5 subsumes the construction in Figure 4. We give an explicit construction for the case of simple quantification (in Figure 4) as the resulting automaton is exponentially smaller, giving tight complexity results (see Section 6.4).
where c ′ (s, q) ∶= c(q) and c ′ (q init ) can be chosen arbitrarily.The nondeterministic transition function where we define s ○ n ∶= s n if n ≥ 1 and otherwise s ○ n ∶= s 0 (where s 0 is the initial state of G).
where c ′ (s, q) ∶= c(q) and c ′ (q init ) can be chosen arbitrarily.The transition function where we define s ○ n ∶= s n if n ≥ 1 and otherwise s ○ n ∶= s 0 (where s 0 is the initial state of G).The sets A i and A i are defined as automaton that is equivalent to the inductive constructed alternating automaton A ψ for ψ. treatment of all adversarial players.The stages of G naturally correspond to the order of the move selection (as captured in the sets A i and A i ), giving an alternating sequence of disjunctions and conjunctions.In the case where the MSCGS G is a CGS, i.e., d = 0, the transition function has the form of a (positive) DNF (a boolean formula of the form ⋁ ⋀), where the moves of agents in A are considered disjunctively and the moves by all other agents conjunctively.Our construction can be extended to handle formulas of the form [⟪A 1 ⟫π 1 . . .⟪A k ⟫π k ] ψ by joining the stage across k copies of the game structure.For the dual strategic quantifier A π. ψ we can again make use of the fact that A π. ψ ≡ ¬⟪A⟫.¬ψ and combine the construction in Figure 5 with that for negation in Figure 3. 6.3.Correctness.The correctness of our construction in Section 6.2 is stated by the following proposition.Proposition 6.1.For any HyperATL * formula φ, A φ is G-equivalent to φ.
The proof of Proposition 6.1 goes by induction on φ following the construction of A φ .For the logical and temporal connectives (in Figure 3) and pure existential quantification (in Figure 4), the statement is obvious (see, e.g., [MSS88] for the logical and temporal connectives and [FRS15] for the case of simple quantification).A proof for the case where φ = ⟪A⟫π.ψ (in Figure 5) can be found in Appendix A.

Complexity Upper Bounds.
The complexity of our model checking algorithm hinges on the size of the automaton A φ.The constructions in Figure 3 only increase the size of the automaton by a polynomial amount, but the constructions for path quantification in Figures 4 and 5 increase the number of states exponentially.We observe a difference in blowup between simple quantification and complex quantification.The former requires (in general) a conversion of the alternating automaton A ψ to a non-deterministic automaton (A ndet ψ in Figure 4) causing an exponential blowup, whereas the latter requires a full determinization (A det ψ in Figure 5) causing a double exponential blowup.
To capture the size of the automaton and the resulting complexity of our algorithm, we define Tower c (k, n) as a tower of k exponents (with base c), i.e., Tower c (0, n) ∶= n For k ≥ 1, we define k-EXPSPACE as the class of languages recognized by a deterministic (or, due to Savitch's theorem [Sav70], equivalently, non-deterministic) Turing machine (TM) with space Tower c (k, n) for some fixed c ∈ N. Analogously, we define k-EXPTIME as the class of languages recognizable by a deterministic TM in time Tower c (k, n) for some fixed c.We define 0-EXPTIME := PTIME and 0-EXPSPACE := PSPACE.For k < 0, we define k-EXPSPACE := NLOGSPACE.
Complexity Based on Prefix-Cost.We characterize the cost of our algorithm for HyperATL * model checking.We distinguish between the complexity in the size of the specification (the length of the formula, i.e., the number of nodes in the AST) and the size of the system (the number of states).Our complexity analysis is parametric in the structure of the quantifier prefix of a formula. 10We focus our discussion on HyperATL * formulas 10 If we consider arbitrary HyperATL * formulas, model checking is non-elementary in both the size of the specification and the size of the system (as HyperATL * subsumes HyperLTL; see [Rab16] for details).If we instead consider formulas with a fixed quantifier structure, we can derive elementary complexity bounds (in terms of specification size and system size) for all formulas with the fixed quantifier structure. 13:21 Prefix-cost w.r.t. the size of the specification.Here, ψ is the quantifier-free body of the formula.The definition of the cost function q is given in Figure 6c.
. the size of the system.Here, ψ is the quantifier-free body of the formula.The definition of the cost function q is given in Figure 6c.
Note that the cost matrix symmetric.
Figure 6.Definition of prefix-cost w.r.t. the size of the specification and the size of the system.Here ⟪A⟫ and A represent a proper complex quantifier, i.e., a quantifier where A ≠ ∅ and A ≠ Ξ. that are linear. 11To differentiate formulas based on the structure of their quantifier prefix, we assign each formula φ two quantities: the specification-based prefix-costs d spec (φ) and system-based prefix-costs d sys (φ).Both are defined inductively in Figures 6a and 6b.Our measures generalize the alteration-depth of a HyperLTL formula. 12Theorem 6.2.Model checking of a linear HyperATL * formula φ is (1) in d spec (φ)-EXPTIME in the size of the specification, and (2) in d sys (φ)-EXPTIME in the size of the system Proof.Let formula φ and system G be given.Abbreviate d spec ∶= d spec (φ) and d sys ∶= d sys (φ).Using the constructions in Figures 4 and 5, we observe that the size of A φ is at most Tower c (d spec , |φ|) and Tower c (d sys , |G|) for some base c that depends only on d spec and d sys .
To argue this, we consider all variations of consecutive types of quantifiers and their cost assigned in Figure 6c.For example, for a formula ∃π.⟪A⟫π ′ .φ, the alternating automaton A ⟪A⟫π ′ .φneeds to be translated to a non-deterministic automaton when performing the construction in Figure 4, which incurs a single exponential blowup.For a formula ⟪A⟫π.⟪A ′ ⟫π ′ .φ, automaton A ⟪A ′ ⟫π ′ .φneeds to be determinized, causing a double exponential blowup.For a formula ⟪A⟫π.∃π ′ .φ, the automaton A ∃π ′ .φ is already nondeterministic, so we can perform a determinization with a single exponential blowup.The cost for all 11 To stay as flexible as possible, we include A as a first-class quantifier (instead of a derived one).
Focusing on linear formulas allows for a simpler characterization of the model checking complexity.We discuss the case of non-linear formulas later in Remark 6.6.
12 The alteration-depth denotes the number of quantifier alternations (between ∃ and ∀) in the quantifier prefix and is used to characterize the HyperLTL model checking complexity [FRS15,Rab16].For any (linear) HyperATL * formula φ that uses only simple quantification (so φ is also a HyperLTL formula), dsys (φ) gives a (in some cases tight) upper bound the alternation-depth of φ.Note that in this case, dspec(φ) = dsys (φ) + 1.

13:23
(2k + l − 3)-EXPSPACE bound.It remains to show point (1).If k ≥ 1, we get the even better bound of (2k + l − 2)-EXPTIME from point (2).In case k = 0 (so all quantifiers are simple), we again assume that the outermost quantifier is existential.It is easy to see that the size of A φ is at most Tower c (2k + l − 1, |G|) and non-deterministic, so the bound follows from the NLOGSPACE emptiness check.Note that the case where k = 0 corresponds directly to HyperLTL model checking [FRS15,Rab16,BF23a].
Remark 6.6.So far, we have focused on linear HyperATL * formulas as this allows for a precise yet succinct analysis.Analogous to point (1) of Proposition 6.4 we can easily see that we can check an arbitrary (possibly non-linear) formula φ with k complex and l simple quantifiers in (2k + l)-EXPTIME in the size of the specification and (2k + l − 1)-EXPTIME in the size of the system (by simply analyzing the size of A φ ).Deriving more precise bounds by generalizing the specification-based and system-based prefix-cost to non-linear formulas is challenging.⊲

Lower Bounds for Model Checking
In this section, we establish lower bounds on the HyperATL * model checking problem.Our lower bounds show that strategic quantification in the context of hyperproperties results in a logic that is strictly harder (w.r.t.model checking) than both a hyperlogic without strategic quantification (such as HyperLTL) and a non-hyper logic with strategic quantification (such as ATL * ).We establish the following bounds: Theorem 7.1.Model checking of a linear HyperATL * formula with k complex and l simple quantifiers is (2k + l − 1)-EXPSPACE-hard in the size of the specification.
Theorem 7.2.Model checking of a linear HyperATL * formula with k complex and l simple quantifiers is (2k + l − 3)-EXPSPACE-hard in the size of the system.
Complexity in the Specification Size.If we consider the HyperATL * model checking complexity in terms of the specification size, Proposition 6.4 and Theorem 7.1 span the landscape depicted in Figure 7a.For all prefix structures, we get an upper bound of (2k + l)-EXPTIME and a lower bound of (2k + l − 1)-EXPSPACE-hardness.In two cases, we can improve the upper or lower bounds further and get tight results: If k = 1 and l = 0, we get a better 2-EXPTIME lower bound from the ATL * model checking [AHK02] and thus 2-EXPTIME-completeness.In case l ≥ 1, we get a matching (2k + l − 1)-EXPSPACE upper bound and thus (2k + l − 1)-EXPSPACE-completeness (note that this subsumes the already known HyperLTL bounds in case k = 0 [Rab16]).
Complexity in the System Size.If we consider the complexity in the size of the system, Proposition 6.5 and Theorem 7.2 span the landscape depicted in Figure 7b.In case k = 0 (where the formula is a HyperLTL formula), we get (l − 2)-EXPSPACE-completeness [Rab16].
In the case where k ≥ 1 (i.e., the formula is a "proper" HyperATL * formula), we get a upper bound of (2k + l − 2)-EXPTIME and a lower bound of (2k + l − 3)-EXPSPACE-hardness.In two cases we can tighten the results: In case k = 1 and l = 0, we get a better lower bound from the ATL * model checking and thus PTIME-completeness [AHK02].In the cases where l ≥ 1 and the outermost quantifier is simple, we get an improved upper bound resulting in (2k + l − 3)-EXPSPACE-completeness.
Figure 7. Upper and lower bounds on the complexity of model checking linear HyperATL * formulas with k complex and l simple quantifiers.The bounds are given in the size of the specification (Figure 7a) and size of the system (Figure 7b).
7.1.Proof Preliminaries.The remainder of this section is devoted to a proof of Theorem 7.1 and Theorem 7.2.Readers less interested in a formal proof can skip to Section 8. Our proof encodes the acceptance of space-bounded Turing machines (TM).It builds on ideas used for the HyperLTL lower bounds shown by Rabe [Rab16] (adopting earlier ideas from Stockmeyer [Sto74]) but uses a novel construction to achieve a doubly exponential increase using complex quantification.The main idea of our construction is to design a HyperATL * formula that requires a player to output a yardstick, which is a formula that specifies a fixed distance between two points along a path.We can then encode the acceptance of a TM by using the yardstick to compare consecutive configurations of the TM.We recommend having a look at the HyperLTL lower bound shown by Rabe [Rab16,§5.6].Precise Tower Length.We use a slightly larger tower of exponents.For k, n ∈ N define C(k, n) ∈ N as follows: It is easy to see that for every k ≥ 1, we have C(k, n) ≥ Tower 2 (2k, n) for every n.We design a formula with k complex and 0 simple quantifier that specifies a yardstick of length C(k, n). 13 This will later allow us to encode the acceptance of a C(k, n)-space bounded TM.In our construction, the size of the game structure is constant, and the size of the formula depends on n.
7.2.Direct Counter Verification.We first consider the case where k = 1 and construct a formula that ensures a yardstick of length C(1, n).The idea is to describe a counter with 2 n many bits that is incremented in each step and resets to 0 once the maximal value is reached.Consequently, there are 2 2 n counter configurations between two resets of the counter.
Structure of a Counter.To ensure the correctness of the counter with 2 n bits, we use a second counter with n bits.The bits of the larger counter (with 2 n bits) are given via atomic proposition b (called the b-counter), and the bits of the smaller counter (with n bits) by proposition a (called the a-counter).Together, the counter uses atomic propositions {•, △, ▲, a, b}, where •, △, ▲ are separating constructs and a, b are propositions that give the value of the counter-bits (if, e.g., proposition a is set, we interpret this as a 1-bit and otherwise as a 0-bit of the a-counter).A correct counter has the form depicted in Figure 8. Proposition • occurs every n steps and separates two configurations of the a-counter.The a-counter should continuously count from 0 to 2 n − 1 (in binary) and then restart at 0 (we use a big-endian encoding where the least significant bit is the last position of a count). 13In our proof, we encode the acceptance of Tower 2(⋅, n)-space bounded TMs, i.e., we fix the base to 2. Our construction easily extends to an arbitrary (but fixed) base c by using ⌈log 2 c⌉ propositions for our counter construction.We stick with c = 2 to keep the notation simple.
A prefix of a correct counter in the case where n = 2.The trace is read from left to right, where each column gives the evaluation of each atomic proposition at that step.∎ means that the proposition holds, and ◻ that it does not hold.The last two rows give the value of each a-configuration and b-configuration, respectively.Each a-configuration has length 2 (= n), and each b-configuration has length 8 (= n ⋅ 2 n ) with 4 (= 2 n ) relevant bits.The positions where proposition b is irreverent for the counter are left blank.
The △ occurs every n ⋅ 2 n steps and marks the position where the a-counter resets to 0, i.e., △ holds whenever the following a-configuration is 0. Proposition b is used for the second counter with 2 n many bits.Each b-configuration is separated by △ (i.e., one b-configuration has exactly the length in which the a-counter counts from 0 to 2 n − 1).The relevant bits for the b-counter are only those positions where • holds, so each b-configuration has 2 n relevant bits (marked as blue boxes in Figure 8).The b-counter should count from 0 to 2 2 n − 1 (in binary) and then restart at 0. We mark the reset of the b-counter by ▲, i.e., ▲ holds whenever the following b-configuration is 0. Consequently, ▲ holds every steps.An explicit prefix of a correct counter in the case where n = 2 is depicted in Figure 9.
Counter as a Game.We interpret the construction of the counter as a game between a verifier (V) and a refuter (R).The verifier selects, in each step, the evaluation of the propositions in {•, △, ▲, a, b} that form the counter.Meanwhile, the refuter can challenge the correctness of the counter (we make this precise below).We design a specification and game structure such that the only winning strategy for V is to produce a correct counter.Consequently, on any play compatible with any winning strategy for V, ▲ holds every C(1, n) steps.
Game Structure.In our game structure, V sets the values of the propositions in {•, △, ▲, a, b} and R can challenge the correctness by setting proposition error and errorStart.
We allow R to postpone the start of the counter.Consider the following game structure over atomic propositions AP ∶= {•, △, ▲, a, b, error , errorStart}: We omit the label in case it is empty.
the moves are given by M ∶= 2 {•,△,▲,a,b,error } × B. Transition function δ ∶ S × ({V, R} → M) → S is defined by where denotes an arbitrary value.The labeling L ∶ S → 2 {•,△,▲,a,b,error } is defined by Once a state s O for some O ⊆ {•, △, ▲, a, b, error } is reached, the verifier can determine which of the propositions in {•, △, ▲, a, b} hold at the next step and refuter decides if error holds (the first case in the definition of δ).This part of the state space is responsible for generating the actual counter.The remaining states (s init , s 1 , s 2 , s 3 , and s 4 ) are used to determine when the counter should start.The structure is sketched in Figure 10.States s init , s 1 , and s 2 are controlled by R, i.e., the move selected by R determines the successor state, whereas state s 4 is controlled by V (see the definition δ).If R moves to s 1 , the start of the actual counter can be delayed by looping in s 1 .If R moves to s 2 , the errorStart proposition occurs at some point, and afterward, V can decide when the counter starts by looping in s 4 (this will be of importance to verify the construction in the case k > 1).
wrongConfiguration i • wrongBit i expresses that errorStart π i−1 and error π i do not point to the same bit in the two consecutive b-configurations.We again use the fact that a bit of the b-counter is precisely characterized by the a-configuration that starts at the bit.If R moved the game producing π i−1 to s 3 (which he did as errorStart π i−1 occurs), V can loop in state s 4 and decide when to start the counter.To show that errorStart π i−1 and error π i point to different b-bits on π i , V should loop in s 4 and find a bit position at which the a-configuration that starts at position errorStart π i−1 and the a-configuration that starts at position error π i differ.We define wrongBit i as follows: wrongBit i (7.17) Formula 7.16 ensures that V starts the counter soon enough by leaving s 4 , i.e., after errorStart π i−1 is set, the counter on π i−1 is started within the same a-configuration on π i (before • π i holds).Formula 7.17 states that V started the counter at a time that shows that R set errorStart π i−1 at a wrong location (i.e., did not point to a genuine error).That is, the bit of the a-configuration where ▲ π i−1 holds (for the first time) after errorStart π i−1 differs from the value of the a-configuration where ▲ π i−1 holds (for the first time) after error π i .
7.4.Lower Bound Proofs.We use the counter construction to prove Theorem 7.1 and Theorem 7.2.
Theorem 7.1.Model checking of a linear HyperATL * formula with k complex and l simple quantifiers is (2k + l − 1)-EXPSPACE-hard in the size of the specification.
Proof.In the case where k = 0, the HyperATL * formula is a HyperLTL formula and we can reuse the (l − 1)-EXPSPACE lower bound shown by Rabe [Rab16].So let us assume that k ≥ 1.We distinguish if l ≥ 1 or l = 0. and a game structure G T (the size of which is constant and does not depend on w), such that G T ⊧ (7.18) iff T accepts w.The idea of this encoding is similar to [Rab16]: First, formula ψ (T ,w) contains ⋀ k i=1 correct i as a conjunct to ensure that the counters on paths π 1 , . . ., π k are correct.In addition, the path π should enumerate consecutive configurations of T (each of which is C(k, n) steps long).The initial configuration should contain the input w (which we simply hard-code in the formula).Using the yardstick (which R can start at any time), we can compare positions which are C(k, n)-steps apart and -as transitions of a TM are local -enforce that π encodes a valid accepting computation (see [Rab16, Lemma 5.6.3]for details).Model checking of a formula of the form (7.18) (with k complex and 1 simple quantifier) is thus 2k-EXPSPACE-hard (Note that C(k, n) ≥ Tower 2 (2k, n).We can scale the counter to an arbitrary base c > 2 by using ⌈log 2 c⌉ propositions for the counter).In cases of more than a single simple quantifier, we can construct a larger yardstick by adding the construction of Rabe [Rab16] (which extends the length by one exponent with each simple quantifier) to ours (which extends the length by two exponents with each complex quantifier).See [Rab16, Lemma 5.6.2]for details.
• If l = 0: Similar to the previous case, we use our counter construction.Assume we are given a 2 C(k−1,n) -space-bounded Turing machine T and an input w (with |w| = n).We design a formula ⟪V⟫π.⟪V⟫π k−1 . . .⟪V⟫π 1 .ψ (T ,w) (7.19) and game structure such that V on path π should produce a correct counter with C(k−1, n) many bits (similar to the a-counter) and in place of the b-counter output configurations of T (so each configuration has length 2 C(k−1,n) ).We use the yardstick of length C(k −1, n) on π k−1 to verify the correctness of the a-counter on π (if k = 1, we verify it directly using s).We verify that consecutive configurations of T are correct similar to the verification of the b-counter via the error proposition (which now points to errors in the TM configurations as opposed to errors in the b-counter).Model checking a formula with k complex quantifiers is thus (2k − 1)-EXPSPACE-hard.
Theorem 7.2.Model checking of a linear HyperATL * formula with k complex and l simple quantifiers is (2k + l − 3)-EXPSPACE-hard in the size of the system.
Proof.If k = 0, we get an (l − 2)-EXPSPACE lower bound from HyperLTL model checking hardness [Rab16] which is even better than the (l − 3)-EXPSPACE bound required.So let us assume that k ≥ 1.We distinguish if l ≥ 1 or l = 0.
• If l ≥ 1: We first observe that we can construct a formula of the form of constant size and a CGS G (whose size depends on n) such that V is required to output a yardstick of length C(k − 1, n) on π k .The construction is similar to the counter defined in Section 7.2 and Section 7.3 but modifies correct 1 (note that the size of correct 1 depends on n).We ensure that π 1 no longer produces a yardstick of length C(1, n) but only of length n.We modify the game structure such that n is hard-coded (i.e., ▲ occurs exactly every n steps) and can ensure the correctness of the n-bit counter between two ▲s with  bwhile programs are then generated by the following grammar: where x ∈ X .Most language constructs are standard: x ← Read H (resp. x ← Read L ) reads the value of x from a high-security (resp.low security) source, P 1 ⊕ P 2 is a nondeterministic choice between P 1 and P 2 and ♭ is the terminated program.We endow our language with a standard small-step semantics operating on configurations of the form ⟨P, µ⟩ where P is a program and µ ∶ X → B a memory.The reduction steps are standard; we give them in Figure 11 for completeness.To obtain a game structure, we associated each program P to a player P ∈ {ξ N , ξ H , ξ L }, where player P decides on the successor state of P .We define P as follows: x ← Read L ∶= ξ L x ← e ∶= ξ N x ← Read H ∶= ξ H if(e, P 1 , P 2 ) ∶= ξ N P 1 ⊕ P 2 ∶= ξ N while(e, P ) ∶= ξ N P 1 ; P 2 ∶= P 1 ♭ ∶= ξ N Given a program Ṗ , we define the game structure G Ṗ over agents {ξ N , ξ H , ξ L } as follows: The states of G Ṗ are all configurations ⟨P, µ⟩ where P is a program and µ a memory.The initial state is ⟨ Ṗ , λ .⟩ (i.e., the initial memory assigns all variables to ).In state ⟨P, µ⟩, player P decides on a successor state from the set {⟨P ′ , µ ′ ⟩ | ⟨P, µ⟩ ↝ ⟨P ′ , µ ′ ⟩}.14 G Ṗ is a turn-based game in the sense of [AHK02].Note that the state-space of G Ṗ is infinite (as there are infinitely many programs), but the reachable fragment is finite and computable.The atomic propositions in G Ṗ are all variables from X that are used in Ṗ .An atomic proposition (variable) x ∈ X holds in state ⟨P, µ⟩ iff µ(x) = ⊺.
8.2.Experiments.We applied hyperatlmc to small bwhile programs and checked synchronous and asynchronous information flow policies.
configuration (so the player is irrelevant).As expected, ξ L chooses the successor of a program x ← Read L and thereby fixes the next value of x (and similarly for ξ H and x ← Read H ). In a non-deterministic branching P1 ⊕ P2, player ξ N decides which branch to take.Information-Flow Policies.We created a small benchmark of simple programs that distinguish different synchronous information-flow policies.See Figure 12. 15 We checked the following properties: (OD) is the observational determinism property stating that the output is identical among all paths, i.e.,∀π.∀π ′ .(o π ↔ o π ′ ).(NI) is a simple formulation of non-interference due to Goguen and Meseguer [GM82] that states that the output is fully determined by the low-security inputs, i.e., ∀π.∀π ′ .(l π ↔ l π ′ ) → (o π ↔ o π ′ ).(simSec) is simulation-based security as discussed in Section 4.3.(aproxGNI 3 ) is the approximation of generalized non-interference with fixed lookahead of 3 as discussed in Section 4.2.The results and running times for each instance (obtained using hyperatlmc) are given in Table 1.
Asynchronous Hyperproperties.Our model checker implements the transformation of a game structure to include an asynchronous scheduler (cf.Definition 5.1).Using hyperatlmc, we checked synchronous observational-determinism (OD) and asynchronous versions of observational-determinism (OD asynch ) and non-interference (NI) asynch .Note that while (OD asynch ) is expressible in the decidable fragment of AHLTL, (NI asynch ) is not an admissible formula (and cannot be handled in [BCB + 21]).As non-interference only requires the outputs to align provided the inputs do, one needs to take care that the asynchronous scheduler does 15 We choose very simple programs to easily distinguish between the different security notions.Our tool hyperatlmc can handle more complex programs with larger bitwidths.
The resulting logic, ATEL, can express properties of the form "if ξ knows ϕ, then she can enforce ψ via strategy."The natural extension of ATEL that allows for arbitrary nesting of quantification and temporal operators (i.e., an extension of ATL * instead of ATL), is incomparable to HyperATL * .
Model Checking.Decidable model checking is a crucial prerequisite for the effective use of a logic.Many of the existing (synchronous) hyperlogics admit decidable finite-state model checking, although mostly with non-elementary complexity [CFK + 14].Most hyperproperties encountered in practice can be expressed with few (if any) quantifier alternations.Alternationfree HyperLTL properties can be checked very efficiently by constructing the self-composition [BDR11], as, e.g., implemented in the MCHyper tool [FRS15].Properties with quantifier alternations can be checked by using automata complementations or language inclusion checks, as, e.g., implemented in the AutoHyper tool [BF23a].For properties in the ∀ * ∃ * fragment, efficient approximations, such as the game-based approach [CFST19, BF22a], are applicable, even in infinite-state systems [BF22b].For alternating-time temporal logic (in the non-hyper realm), model checking is efficient, especially when temporal operators cannot be nested as in ATL [AHK02, AHM + 98].In the presence of arbitrary nesting (as in ATL * ), model checking subsumes LTL realizability [PR89].This causes a jump in the model checking complexity to 2-EXPTIME-completeness [AHK02].ATL model checking has also been investigated in the presence of imperfect information [J Å06, DT11, BGJ15, BMM17], and imperfect recall [Sch04].Strategy logic [CHP10, MMPV14] (strictly) generalizes ATL * by considering strategies as first class objects that can be quantified.Model checking of strategy logic is decidable, but nonelementary-hard [CHP10,MMPV14].
Our lower bounds demonstrate that the combination of strategic quantification and hyperproperties results in a logic that is algorithmically harder (for model checking) than non-strategic hyperlogics (such as HyperLTL) or strategic (non-hyper) logics (such as ATL * ).The fragment of HyperATL * supported by hyperatlmc is algorithmically cheaper than full HyperATL * ; it is 2-EXPTIME-complete in the size of the specification and PTIME-complete in the size of the system.
Satisfiability.The satisfiability of a formula (i.e., checking if a formula has a satisfying model) is relevant during the development of a specification.It can be used as a sanity check (to ensure that the specification is not already contradictory) or to determine implications between different specifications.The hardness of HyperLTL satisfiability can be characterized in terms of the structure of the quantifier prefix.Satisfiability is decidable (and EXPSPACEcomplete) for formulas in the ∃ * ∀ * fragment and undecidable for all prefixes that contain a ∀∃ alternation [FH16].For HyperCTL * , alternation-free formulas (where the quantifier structure is defined with respect to the scope of quantifiers in a negation-normal form) are decidable [Hah21].However, already ∃ * ∀ * formulas lead to undecidability as quantification can occur at all points along a path (by placing quantification below a ) and create a comb-like structure that can "simulate" a ∀∃ alternation [Hah21].Fortin et al. show that satisfiability of HyperLTL and HyperCTL * is highly undecidable; deciding satisfiability of a HyperLTL formula is Σ 1 1 -complete and deciding satisfiability of a HyperCTL * formula is Σ 2 1 -complete [FKTZ21].By restricting the body of a formula and distinguishing between hyperproperty and trace property, one can identify classes of HyperLTL within the ∀ * ∃ * fragment for which satisfiability remains decidable [BCF + 22].ATL * satisfiability was studied

Figure 1 .
Figure1.Hierarchy of expressiveness of temporal logics.An arrow A → B indicates that A is a (syntactic) fragment of B. Logics in the blue, dashed area can express hyperproperties.Logics in the red, dotted area can express strategic properties in multi-agent systems.Logics that are interpreted on multi-agent systems (ATL, ATL * , and HyperATL * ) can also be applied to transition systems (the standard model for the remaining logics) by interpreting transition systems as 1-agent systems (see Remark 2.1); the reverse does not hold, i.e., logics that are interpreted on transitions systems cannot reason about strategic abilities in multi-agent systems.

Figure 4 .
Figure 4. Construction of a G-equivalent automaton for φ = ∃π.ψ.Here, A ndet and m is the maximal element in the codomain of d.

Figure 8 .
Figure8.The basic structure of a correct counter of length C(1, n).Proposition • holds every n steps and separates two a-configurations.Proposition △ holds every n ⋅ 2 n step and separates two b-configurations.▲ holds every n ⋅ 2 n ⋅ 2 2 n steps.Propositions a and b give the bits of a-counter and b-counter, respectively.The a proposition is relevant for the a-counter at all positions, marked by red boxes.The relevant positions for the b-counter are only those where • holds, marked by blue boxes.Consequently, there are 2 n relevant positions for the b-counter between any two occurrences of △.

Definition 7. 3 .Figure 10 .
Figure10.The game structure G counter that is used to produce the counter.The part surrounded by the dashed box, generates the actual counter and includes all states of the form s O for some O ⊆ {•, △, ▲, a, b, error }.The remaining states are used to determine the time point at which the counter should start.The verifier decides the successor whenever in s 4 , and the refuter decides the successor for states s init , s 1 , s 2 (state s 3 has a unique successor).We omit the label in case it is empty.

Figure 11 .
Figure11.Small-step semantics for bwhile.A step has the form ⟨P, µ⟩ ↝ ⟨P ′ , µ ′ ⟩ where program P in memory µ steps to program P ′ and memory µ ′ .For a boolean expression e and memory µ we write e (µ) ∈ B for the value of e in µ (defined as expected).

Table 1 .
Figure12.Simple bwhile example programs that distinguish different information-flow policies.We write if ⋆ then P 1 else P 2 instead of P 1 ⊕ P 2 .Model checking results for information-flow properties (expressed in HyperATL * ) on the small bwhile programs from Figure12.We give the model checking result (Res) (✓ indicates that the property holds, and ✗ that it is violated) and time taken by hyperatlmc in milliseconds (t).