Asynchronous HyperLTL (A-HLTL)

• Asynchronous HyperLTL is a temporal hyperlogic that explicitly quantifies over system traces and fair stutterings, enabling precise specification of asynchronous hyperproperties.
• It introduces a game-based verification framework using Büchi games to handle nondeterministic trace alignments, offering finite-state approximations for complex systems.
• The logic overcomes limitations of synchronous hyperlogics by robustly addressing security, refinement, and consistency challenges in reactive systems.

Asynchronous HyperLTL (A-HLTL) is a temporal hyperlogic designed to express and verify hyperproperties of reactive systems where comparisons between execution traces must account for asynchronous progress, variable stuttering, and flexible trace alignments. Unlike synchronous HyperLTL, which enforces lockstep alignment between all quantified traces, A-HLTL introduces quantification over stutterings, permitting robust specification of complex security, refinement, and consistency hyperproperties that depend on asynchronous interactions between traces (Beutner et al., 29 Dec 2025).

1. Syntax and Formal Grammar

A-HLTL formulas consist of explicit first-order quantification over system traces and secondary quantification over fair stutterings of those traces. Let $X$ be a finite set of system variables, $V = \{\pi_1,\dots,\pi_n\}$ denote trace variables, and $B = \{\beta_1,\dots,\beta_k\}$ denote stuttering (alignment) variables. The fundamental syntax is as follows:

• Trace Quantification:
  • $\forall\,\pi\,.\,\varphi$ and $\exists\,\pi\,.\,\varphi$ (ranges over infinite system traces $\pi$)
• Stuttering Quantification:
  • $\forall\,\beta \triangleleft \pi\,.\,\psi$ and $\exists\,\beta \triangleleft \pi\,.\,\psi$ (ranges over fair stutterings $\beta$ of $\pi$)
• Temporal and Boolean:
  • $X\,\psi$, $\psi_1 U \psi_2$ (LTL next and until)
  • First-order predicates $\theta$ over the background theory $T$: atoms of form $x_\beta = y_\gamma$, $x_\beta \leq c$, etc.
  • Boolean combinations: $\neg$, $\land$, $\lor$

Thus, the full BNF is

$$\varphi ::= \forall\,\pi\,.\,\varphi \mid \exists\,\pi\,.\,\varphi \mid \psi$$

$$\psi ::= \forall\,\beta \triangleleft \pi\,.\,\psi \mid \exists\,\beta \triangleleft \pi\,.\,\psi \mid \theta \mid \neg\psi \mid \psi_1 \land \psi_2 \mid X\,\psi \mid \psi_1 U \psi_2$$

(Beutner et al., 29 Dec 2025).

2. Stuttering Semantics and Satisfaction

A transition system $T = (S, s_0, \kappa, \ell)$ comprises a set of states $S$, initial state $s_0$, transition function $\kappa: S \rightarrow 2^S \setminus \emptyset$, and labeling $\ell: S \rightarrow (X \rightarrow V)$. Traces are infinite words $t \in (X \rightarrow V)^\omega$ formed by pointwise application of $\ell$ to paths in $T$.

Fair Stuttering: A stuttering $t' \triangleleft t$ is defined via a surjective, monotonic function $f: \mathbb{N} \rightarrow \mathbb{N}$ such that $t'(i) = t(f(i))$. This models canonical asynchronous alignment: traces $t'$ and $t$ can be compared at positions that need not correspond to the same time step.

Satisfaction Relation: Given a trace assignment $\Pi: V \rightarrow (X \rightarrow V)^\omega$ and stuttering assignment $\Delta: B \rightarrow (X \rightarrow V)^\omega$, the main interpretation clause is:

• $$\Pi, \Delta, i \models \exists\,\beta \triangleleft \pi\,.\,\psi$$ iff there exists $t' \triangleleft \Pi(\pi)$ with $\Pi, \Delta[\beta \mapsto t'], i \models \psi$

All other clauses, including the interpretation of LTL operators and predicates, are lifted as usual but via the stuttering assignment. The satisfaction of the entire specification $T \models \varphi$ reduces to the satisfaction at $\emptyset, \emptyset, 0$ (Beutner et al., 29 Dec 2025).

3. Characteristic Examples of Asynchronous Hyperproperties

A-HLTL enables succinct specification of a wide range of asynchronous properties, notably those foundational in security and refinement theory:

• Observational Determinism (Zdancewic–Myers):

$$\varphi_{\mathsf{OD}} \equiv \forall\pi_1.\forall\pi_2.\exists\beta_1 \triangleleft \pi_1.\exists\beta_2 \triangleleft \pi_2.\; (l_{\beta_1}=l_{\beta_2} \rightarrow G\,(o_{\beta_1}=o_{\beta_2}))$$

This asserts equivalence of low-security outputs for any aligned low inputs, using asynchronous matching via stuttering variables.

• Non-Inference (McLean):

$$\varphi_{\mathsf{NI}} \equiv \forall\pi_1.\exists\pi_2.\exists\beta_1 \triangleleft \pi_1.\exists\beta_2 \triangleleft \pi_2.\; G(\forall x \in L.\, x_{\beta_1}=x_{\beta_2}) \land G(\forall h \in H.\, h_{\beta_2}=\bot)$$

For each run, there exists a dummy trace stutter-aligned to the low events but fixed on high variables.

• Stuttering Refinement:

$$\varphi_{\mathsf{ref}} \equiv \forall\pi_1.\exists\pi_2.\exists\beta_1 \triangleleft \pi_1.\exists\beta_2 \triangleleft \pi_2.\; G(\forall a \in Obs.\, a_{\beta_1}=a_{\beta_2})$$

System $T_2$ refines $T_1$ up to stuttering on invisible steps.

These patterns form the canonical examples motivating asynchronous semantics (Beutner et al., 29 Dec 2025).

4. Model-Checking via Verifier–Refuter Games

The general A-HLTL model-checking problem for formulas of the form (prenex $\forall^* \exists^*$ quantifiers over traces and stutterings) is undecidable. The key contribution is a novel game-based verification procedure:

• The verification is encoded as a Büchi game $G_{T,\varphi,Z}$.
• Game vertices encode the stage (automaton-update, universal-step, existential-step), windowed path assignments for traces, pointer maps for stutterings, DBA (deterministic Büchi automaton) state for the quantifier-free formula, and moved flags.
• At universal-steps, the refuter chooses successors for universally quantified traces and increments stutterings if desired. At existential-steps, the verifier chooses for existential variables.
• Winning strategies for the verifier correspond to concrete witnesses for existentially quantified traces and stutter alignments.

This game construction provides a finite-state approximation if a suitable bound $Z$ is fixed:

• For alternation-free fragments and certain admissible classes, $Z=1$ is sufficient, yielding finite-state completeness.
• For terminating systems, $Z$ determined by system depth $D$ suffices (Beutner et al., 29 Dec 2025).

5. Decidable Fragments and Complexity Bounds

There are notable fragments of A-HLTL admitting complete, sound, and tractable verification:

• Alternation-free (pure $\forall^*$ or $\exists^*$) with at most one stuttering variable per trace: Game $G_{T,\varphi,1}$ is finite; decision procedure is polynomial in $|G|$ for fixed system size.
• Terminating Systems: If $T$ has depth $D$, $G_{T,\varphi,D}$ is complete for arbitrary $\forall^*\exists^*$ formulas.
• Admissible Formulas: For formulas expressing Boolean combinations of state formulas and a single "phase" subformula (pairwise equalities under $G$ for some $P_{i,j}$), $Z=1$ suffices.
• Rectangle-closed invariants: Extends admissible formulas to more general equality relations with closure properties.

When $T$ is finite-state with $|S|$ states and formula contains $n$ traces and $k$ stutterings:

$$|G| = O\left((|S|^{Z+1})^{n} \cdot (Z+1)^{k} \cdot |Q_\psi|\right)$$

(Beutner et al., 29 Dec 2025).

6. Soundness and Completeness Theorems

The suite of main verification theorems, as stated in LaTeX, establishes the foundations of the game-based decision procedure:

• Soundness:

$$\text{If the verifier wins }G_{T,\varphi,Z}\text{ from all init. vertices, then }T\models\varphi.$$

• Monotonicity:

$$\text{If the verifier wins }G_{T,\varphi,Z}\text{ and }Z'\ge Z,\text{ then the verifier wins }G_{T,\varphi,Z'}.$$

• Alternation-Free Completeness:

$$\text{Let }\varphi\text{ be purely }\exists^*\text{ or purely }\forall^*\text{ with at most one }\beta\text{ per }\pi. \text{Then }T\models\varphi \iff \text{verifier wins }G_{T,\varphi,1}\,.$$

• Terminating Systems Completeness:

$$\text{If }T\text{ has depth }D\text{, then for any }\forall^*\exists^*\varphi\!, \; T\models\varphi \iff \text{verifier wins }G_{T,\varphi,D}\,.$$

• Admissible Completeness:

$$\text{If }\varphi\text{ is admissible, then } T\models\varphi \iff \text{verifier wins }G_{T,\varphi,1}\,.$$

These results yield a uniform finite-state verification method for many important and practically occurring asynchronous hyperproperties (Beutner et al., 29 Dec 2025).

7. Significance in Verification and Expressiveness

A-HLTL's core innovation is the explicit representation and quantification of asynchronous alignments (via fair stutterings), which were inaccessible to previous synchronous hyperlogics. The approach precisely captures real-world information-flow and refinement scenarios where observable outputs must be matched independently of internal stutter steps or asynchronous execution artifacts. This includes correctness in verification of concurrent programs and security policies robust against variable scheduling, message reordering, and implementation refinements.

Through explicit quantification over both traces and their stuttered alignments, the logic solves longstanding expressiveness limitations, enabling practical model checking for a wide class of asynchronous hyperproperties using the game-theoretic construction and associated complexity-theoretic guarantees (Beutner et al., 29 Dec 2025).