On the Complexity of Linear Temporal with Team Semantics

Martin Lück

Leibniz Universität Hannover, Germany [email protected]

Abstract. A specification given as a formula in linear (LTL) defines a system by its set of traces. However, certain features such as informa- tion flow security constraints are rather modeled as so-called hyperproperties, which are sets of sets of traces. One logical approach to this is team logic, which is a logical framework for the specification of dependence and indepen- dence of information. LTL with team semantics has recently been discovered as a logic for hyperproperties. We study the complexity theoretic aspects of LTL with so-called synchronous team semantics and Boolean negation, and prove that both its model checking and satisfiability problems are highly undecidable, and equivalent tothe decision problem of third-order arithmetic. Furthermore, we prove that this complexity already appears at small temporal depth and with only the “future” modality F. Finally, we also introduce a team-semantical generalization of stutter-invariance.

Keywords: linear temporal logic, team semantics, complexity MSC 2010: 03B44; 03B60; 68Q60

1 Introduction

Linear temporal logic (LTL) [22] is a successful specification language for state-based transition systems, with many applications in software and hardware verification and protocol design [2, 24]. This is not limited to correctness of the program output with respect to the input, but also covers aspects such as fairness, safety and deadlock-freeness. The execution behaviour of a system is usually modeled as a trace, that is, an infinite

arXiv:2004.12682v1 [cs.LO] 27 Apr 2020 sequence of propositional assignments. However, certain important properties of systems are not expressible as classes of traces. One simple example is bounded termination of the system, that is, all traces reach some final state after at most 푐 steps, where 푐 does depend on the system not but on the trace. Another is observational determinism, also noninterference, which means that the externally visible development of a trace should only depend on the input from the view of an external observer.

1 Recent research on temporal logic has also accounted for such properties of systems as the above. Clarkson and Schneider [5] coined the name hyperproperties for these, which are formally sets of sets of traces. A logic to specify hyperproperties, called HyperLTL, was introduced by Clarkson et al. [4]. It extends LTL by universal and existential trace quantifiers, and can for example express observational determinism and has decidable model checking. On the other hand, its satisfiability problem is undecidable and it still lacks the expressive power for properties such as bounded termination [4]. Another novel logical framework useful for expressing hyperproperties is team seman- tics [13]. Generally speaking, team semantics extends classical logic such that formulas are evaluated not over single assignments, states, etc., but instead over sets of those. It has been studied in the context of first-order logic, propositional logic and , for example [28, 29, 32]. Team semantics has also been adapted to temporal like CTL [12] and recently LTL [13] by Krebs et al. They distinguish two kinds of team semantics for LTL: asyn- chronous semantics, which is strictly weaker than HyperLTL, and synchronous semantics, which is expressively incomparable to HyperLTL. Roughly speaking, the future operator F either “asynchronously” skips a finite amount of time on every trace that is unbounded and depends on the trace, or “synchronously” advances to a point in the future that is equal for all traces, and similarly for the other temporal operators. In team logic, often non-classical atoms are added to the syntax that express properties of teams. The prime example is the dependence atom dep(푝1, . . . , 푝푛; 푞), which was introduced by Väänänen [28] in the context of team semantics. It states that the value of 푞 functionally depends on the values of 푝1, . . . , 푝푛. Applied to traces, this defines a hyperproperty. In fact, the dependence atom allows to intuitively implement features like observational determinism, for example the formula

푘 ⋀︁ dep(in1,..., in푛; G(end → out푖)) 푖=1 states that the truth of the formulas G(end → out푖), and thus the values of out1,..., out푘 at the end of the computation on each trace, depend only on the values of the propositions in1,..., in푛 at the beginning of that trace. Several other non-classical atoms have been considered in the past, e.g., independence, inclusion, and exclusion constraints as well as atoms for counting. We refer the reader to the literature [1, 10] for further information. (Our results hold regardless of whether those atoms are available or not.) Team semantics generally lacks the Boolean negation, and although the connective ¬ is part of the syntax, it is not the classical negation and does not satisfy for example the law of excluded middle [28]. Sometimes Boolean negation, also called contradictory negation or strong negation, is re-introduced and denoted by ∼. This usually increases the expressive power greatly, as was shown for propositional, modal and first-order team logic [11, 28, 33]. On the other hand, this is not surprising, as in the context of proposition-based logics, the non-classical atoms of dependency, independence, inclusion and others are all expressible by polynomial-sized formulas if ∼ is available [19].

2 The most important logical decision problems are model checking (does the given system satisfy the given formula?) and satisfiability (is the given formula true in some system?). Not only model checking, but also satisfiability is routinely solved in practice, since an unsatisfiable and hence self-contradictory specification is of no use. Thus checking for satisfiability is a sensible heuristic to avoid errors in the specification. [2] Model checking and the satisfiability problem sometimes become easier for fragments of the logic. For example, while both problems are well-known to be PSPACE-complete for LTL [27], their complexity can drop down to NP or even less when the input formulas are restricted, for example if they use only certain subsets of temporal operators, if the nesting depth of temporal operators is small, or if the number of distinct propositional symbols is bounded [6, 25, 27]. For HyperLTL, some research in the same direction has been done, with focus on fragments of small alternation depth of trace quantifiers and small temporal depth [4, 7, 20]. Contributions. We consider the logic LTL(∼), which in this paper denotes linear temporal logic (LTL) with team semantics, with Boolean negation ∼, and with synchronous semantics of the temporal connectives. We begin with identifying a stutter-invariant fragment of LTL(∼). Classically, a formula 휙 being stutter-invariant means that finitely often repeating arbitrary labels on atrace does not change the truth of 휙. Peled and Wilke [21] showed that the stutter-invariant LTL-definable trace properties are exactly those that are definable without the “nexttime” operator X. One application of stutter-invariant formulas is the hierarchical refinement of specifications and structures, where atomic transitions are replaced by acomplex subroutine [15, 21]. In Section 3, we generalize the notion of stutter-equivalence to teams, and thus to hyperproperties, and partially obtain a similar result: we show that every X-free formula is stutter-invariant. Whether the converse holds like in the classical case is left open. Afterwards, we turn to the computational complexity of LTL(∼). It turns out that both its satisfiability and model checking problem are equivalent to third-order arithmetic. In particular, model checking and satisfiability have the same complexity, which is well-known feature of LTL that now recurs in team semantics. Moreover, we investigate the problem of countable satisfiability, which asks for a countable team satisfying a formula, as well as finite satisfiability, for which the team is induced as the set of traces of a finite Kripke structure. (Note that there are countable teams that not finitely generated, and finitely generated teams that are not countable.) For obvious reasons, the finite satisfiability problem is closer to practical applications than general satisfiability, and while these satisfiability notions coincide for classical LTL[27], they do not for, e.g., HyperLTL [20]. 3 We sum up our complexity theoretic results for LTL(∼). The bold-face symbol Δ0 refers 3 2 to the decision problem of third-order arithmetic 훥0 (and likewise Δ0 for second-order). These and other notions will be defined in Section 4.

Theorem 1.1. Model checking, satisfiability and finite satisfiability are equivalent to 3 2 Δ0 and countable satisfiability is equivalent to Δ0 w. r. t. logspace-reductions. Further- more, this already holds with only the temporal operator F and temporal depth two (for

3 satisfiability) and one (for model checking), respectively.

We also consider so-called 풞-restricted variants of the above problems, where 풞 is, e.g., the class of ultimately periodic traces. Here, of all traces generated by a given structure or contained in a satisfying team, we consider only those in 풞.

Theorem 1.2. If 풞 is the class of ultimately periodic traces or the class of ultimately constant traces, then 풞-restricted model checking, satisfiability and finite satisfiability 2 are equivalent to Δ0 w. r. t. logspace-reductions. Again, this already holds with only the temporal operator F and temporal depth two (for satisfiability) and one (for model checking), respectively.

In Section 4, we prove the upper bound of Theorem 1.1, which mostly amounts to 3 a translation from LTL(∼) to 훥0 on the level of formulas, which reduces both model 3 3 checking and satisfiability to Δ0. In Section 5, we then present a reduction of Δ0 back 3 to model checking. More precisely, given a 훥0-formula 휙, we compute a model 풦 and a temporal formula 휓 such that 휓 holds in the traces of 풦 iff 휙 is true in N. The reduction is surprisingly simple in the sense that it works already for a small fragment of formulas, namely with only F-operators and no temporal nesting. Next, in Section 6, we reduce the problem of model checking to satisfiability. It is a standard approach to reduce LTL model checking to (un-)satisfiability, and amounts to describing the structure of a model as a formula [25] (or alternatively as an 휔- automaton [30]). For LTL(∼), we do this only indirectly. In fact, we show that the full team of all possible traces is definable, and from it extract the subteam of precisely the traces of the structure. Like for model checking, already a weak fragment suffices for the hardness of satisfiability, namely only F and temporal depth two. By the above chain of reductions, then all these problems are logspace-equivalent. If the restriction is imposed that the teams in question are countable, for example by looking only at ultimately periodic traces, then all the above arguments can be carried out with 2 second-order arithmetic 훥0, by which we will prove Theorem 1.2.

2 Preliminaries

Basic notions The power set of a set 푋 is ℘푋. The set of non-negative integers is N = {0, 1, 2,...}, also denoted by 휔. For 푛 ∈ N, we write short [푛] for {1, 2, . . . , 푛}. The set of all infinite sequences over 푋 is 푋휔. The set of all 푛-tuples over 푋 is 푋푛, and the * set of all finite sequences is 푋 . We sometimes write an infinite sequence 푥 = 푥0, 푥1,... as (푥푖)푖≥0, and refer to the 푖-th element 푥푖 also as 푥(푖).

Computational complexity A (decision) problem is a subset 퐴 ⊆ 훴* of words over some finite alphabet 훴, which is assumed as 훴 = {0, 1} unless stated otherwise. A logspace- reduction from a problem 퐴 to a problem 퐵 is a function 푓 that is computable in space 풪(log 푛) such that 푥 ∈ 퐴 ⇔ 푓(푥) ∈ 퐵, for all 푥 ∈ 훴*. 퐴 and 퐵 are logspace-equivalent if they are mutually logspace-reducible.

4 All stated reductions are logspace-reductions. For a detailed introduction to computation theory and complexity, we refer the reader to standard literature [26].

Linear Temporal Logic Let AP = {푝1, 푝2,...} be a countably infinite set of atomic propositions. The set of all formulas of linear temporal logic (LTL) over AP is written LTL, and is defined by the grammar

휙 ::= 푝푖 | ¬휙 | 휙 ∧ 휙 | 휙 ∨ 휙 | X휙 | F휙 | G휙 | 휙U휙 | 휙R휙.

The connectives X (nexttime), F (future), G (globally), U (until), R (release) are called temporal operators. The temporal depth td(휙) is their nesting depth, that is,

td(푝푖) := 0 td(¬휙) := td(휙) td(휙 ∘ 휓) := max{td(휙), td(휓)} for ∘ ∈ {∧, ∨} td(푂휙) := td(휙) + 1 for 푂 ∈ {X, F, G} td(휙푂휓) := max{td(휙), td(휓)} + 1 for 푂 ∈ {U, R}.

The logic LTL푘(푂1, . . . , 푂푛), for 푛, 푘 ≥ 1, is the syntactical fragment of LTL that contains all formulas of temporal depth up to 푘, and in which only the temporal operators 푂1, . . . , 푂푛 ∈ {X, F, G, U, R} are used.

Traces A label is a subset of AP. If 푠 is a label, then we also write 푠푛 or 푠휔 for length 푛 resp. infinite sequences consisting only of the label 푠.A trace is an element of (℘AP)휔, i.e., an infinite sequence of labels. The suffix 푡(푖)푡(푖 + 1) ··· is 푡푖, where 푡0 = 푡. The projection of 푡 onto a set 훷 ⊆ AP is 푡훷, defined by 푡훷 := (푡(푖) ∩ 훷)푖≥0. A trace is ultimately periodic if there exist 푐, 푑 > 0 such that 푡(푛) = 푡(푛 + 푑) for all 푛 ≥ 푐. It is constant if 푡(0) = 푡(1) = ··· , and ultimately constant if 푡푖 is constant for some 푖.

Semantics LTL-formulas are evaluated on traces as follows, where 푡 is a trace and 푝 ∈ AP.

푘 푡  푝 ⇔ 푝 ∈ 푡(0) 푡  G휙 ⇔ ∀푘 ≥ 0 : 푡  휙 푘 푡  ¬휙 ⇔ 푡 2 휙 푡  휙U휓 ⇔ ∃푘 ≥ 0 : 푡  휓 푗 푡  휙 ∧ 휓 ⇔ 푡  휙 and 푡  휓 and ∀푗 < 푘 : 푡  휙 푘 푡  휙 ∨ 휓 ⇔ 푡  휙 or 푡  휓 푡  휙R휓 ⇔ ∀푘 ≥ 0 : 푡  휓 1 푗 푡  X휙 ⇔ 푡  휙 or ∃푗 < 푘 : 푡  휙 푘 푡  F휙 ⇔ ∃푘 ≥ 0 : 푡  휙 We employ the usual abbreviations, implication 휙 → 휓 ≡ ¬휙 ∨ 휓, equivalence 휙 ↔ 휓 ≡ (휙 → 휓) ∧ (휓 → 휙), truth ⊤ ≡ 푝 ∨ ¬푝, and falsity ⊥ ≡ 푝 ∧ ¬푝. As usual, we use  and ≡ for semantical entailment and equivalence.

5 Kripke structures A Kripke structure or just structure is a tuple 풦 = (푊, 푅, 휂, 푟) where 푊 is a non-empty set of states or worlds, 푅 ⊆ 푊 × 푊 is the transition relation, 휂 : 푊 → ℘AP maps each state to a label, and 푟 ∈ 푊 is the initial state or root of 풦. We assume that all structures are serial, or total, that is, for every 푤 ∈ 푊 there exists some 푣 ∈ 푊 such that (푤, 푣) ∈ 푅.A path in 풦 is a sequence 휋 ∈ 푊 휔 such that (휋(푖), 휋(푖 + 1)) ∈ 푅 for all 푖 ≥ 0, and 휋(0) = 푟. The trace induced by a path 휋 is 휂(휋) := (휂(휋(푖)))푖≥0. Note that paths and traces are different objects, and an aperiodic path may still induce a constant trace ifitcycles through states with equal labels. The set of all traces induced by paths in 풦 is 푇 (풦). A structure 풦 satisfies a formula 휙, in symbols 풦  휙, if 푡  휙 for all 푡 ∈ 푇 (풦). The classical model checking problem of LTL is now the set of all pairs (풦, 휙) where 풦 is a structure, 휙 is an LTL-formula, and 풦  휙. The subset of ultimately constant, resp. periodic, traces in 풦 is denoted by 푇ulc(풦), resp. 푇ulp(풦).

2.1 Team semantics A team 푇 is a (possibly empty) set of traces, formally 푇 ⊆ (℘AP)휔. As for traces, we define the suffix 푇 푖 := {푡푖 | 푡 ∈ 푇 }, and say that a team 푇 is constant, ultimately constant, or ultimately periodic, if all traces 푡 ∈ 푇 are. Also, we define the projection 푇 훷 := {푡훷 | 푡 ∈ 푇 }. Next, we introduce synchronous team semantics of LTL as defined by Krebs et al. [13]. Let 푇 be a team and 푝 ∈ AP. Then:

푇  푝 ⇔ ∀푡 ∈ 푇 : 푝 ∈ 푡(0) 푇  ¬휙 ⇔ ∀푡 ∈ 푇 : {푡} 2 휙 푇  휙 ∧ 휓 ⇔ 푇  휙 and 푇  휓 푇  휙 ∨ 휓 ⇔ ∃푆, 푈 ⊆ 푇 : 푆 ∪ 푈 = 푇, 푆  휙 and 푈  휓 1 푇  X휙 ⇔ 푇  휙 푘 푇  F휙 ⇔ ∃푘 ≥ 0 : 푇  휙 푘 푇  G휙 ⇔ ∀푘 ≥ 0 : 푇  휙 푘 푗 푇  휙U휓 ⇔ ∃푘 ≥ 0 : 푇  휓 and ∀푗 < 푘 : 푇  휙 푘 푗 푇  휙R휓 ⇔ ∀푘 ≥ 0 : 푇  휓 or ∃푗 < 푘 : 푇  휙

Note that the disjunction of team semantics is not Boolean, but instead splits the team into two parts. For example, the team {{푝}∅휔, ∅{푝}∅휔} does satisfy F푝 ∨ F푝, as each trace itself satisfies F푝, but the whole team does not satisfy F푝, as there is no single timestep 푘 푘 at which 푇  푝 [13]. Hence F푝 ∨ F푝 ̸≡ F푝. On single traces, classical semantics and team semantics coincide:

Proposition 2.1 ([13]). For all 휙 ∈ LTL and traces 푡, 푡  휙 iff {푡}  휙.

6 The following are standard properties of logics with team semantics: Definition 2.2 (Downward closure). A formula 휙 is downward closed if for all teams 푇 ′ ′ and 푇 ⊆ 푇 it holds that 푇  휙 implies 푇  휙. Definition 2.3 (Empty team satisfaction). A formula 휙 has empty team satisfaction if ∅  휙. Definition 2.4 (Union closure). A formula 휙 is union closed if for all sets 풯 of teams it ⋃︀ holds that ∀푇 ∈ 풯 : 푇  휙 implies 풯  휙. Definition 2.5 (Flatness). A formula 휙 is flat if for all teams 푇 it holds that 푇  휙 ⇔ ∀푡 ∈ 푇 : {푡}  휙. We say that a logic 퐿 has one of the above properties if all 퐿-formulas have the respective property. Observe that union closure implies empty team satisfaction, and that flatness is equivalent to simultaneous downward closure and union closure. Proposition 2.6 ([13]). LTL with team semantics has downward closure and empty team satisfaction. This property is shared with other related logics such as dependence logic [28]. However, unlike asynchronous semantics, the synchronous semantics we use is not union closed and hence not flat: Proposition 2.7 ([13]). The formula F푝 is not union closed. In fact, this already follows from the previous example, as in union closed logics 휙 ∨ 휙 ≡ 휙, but here F푝 ∨ F푝 2 F푝. Next, we introduce the dependence atom1 as an example for a non-classical formula in team-semantics. For LTL, it is defined as follows [13]: ′ 푇  dep(휙1, . . . , 휙푛; 휓) ⇔ ∀푡, 푡 ∈ 푇 : ′ ′ (∀푖 ∈ [푛]: {푡}  휙푖 ⇔ {푡 }  휙푖) ⇒ ({푡}  휓 ⇔ {푡 }  휓)

That is, whenever traces in 푇 agree on the truth of all 휙푖, then they agree on the truth of 휓, or in other words, 휓 is functionally determined by 휙1, . . . , 휙푛. For the case 푛 = 0 we just write dep(휓), which means that the truth of 휓 is constant among the team. Let LTL(dep) denote the extension of LTL by the dependence atom. The following result is analogous to first-order dependence logic [28]. Proposition 2.8. LTL(dep) has downward closure and empty team satisfaction. Theorem 2.9 ([13]). Model checking of LTL(dep) is hard for NEXPTIME. 1The term atom is used for historic reasons. In the first-order setting, the atom ranges only over individual variables and/or terms as arguments, and for this reason is indeed an atomic formula [28]. That the arguments themselves are formulas happens only in proposition-based logics. In the latter setting, usually, non-classical atoms such as the dependence atom range only over classical formulas, whereas here they range over arbitrary formulas. However, this does not affect our results, since Proposition 2.10 and the other translations [19] also hold for this more general syntax.

7 2.2 Team logic with negation In team logic, the contradictory negation, or Boolean negation, is denoted by ∼ to distinguish it from ¬:

푇  ∼휙 ⇔ 푇 2 휙

We write LTL(∼) for the extension of LTL by ∼, and define fragments of the form LTL푘(∼, 푂1, . . . , 푂푛) like for classical LTL. With the Boolean negation available, it is now possible to define the Boolean disjunction, the material implication, and equivalence on the level of teams:

휙 휓 := ∼(∼휙 ∧ ∼휓), 6 휙 휓 := ∼휙 휓, _ 6 휙 휓 := (휙 휓) ∧ (휓 휙). ] _ _ Observe that the formulas 휙 and ¬¬휙 are not equivalent, but ¬휙 and ¬¬¬휙 are (similarly to intuitionistic logic). The reason is that ¬¬휙 states that 휙 holds in all singletons.2 Furthermore, non-classical atoms such as the dependence atom become definable [19].

Proposition 2.10. The dependence atom is definable as follows:

푛 (︂ (︁ ⋀︁ )︁)︂ dep(휙1, . . . , 휙푛; 휓) ≡ ∼ ⊤ ∨ dep(휙푖) ∧ ∼dep(휓) 푖=1 where

dep(휙) ≡ ¬¬휙 ¬휙. 6 Proof. First, dep(휙) says that every trace satisfies either 휙 or ¬휙, and hence that 휙 is constant among all traces. For this reason, the part inside the outermost ∼ of the first line states that some subteam is constant in every 휙푖, but not in 휓, which is precisely the negation of the dependence atom.

Corollary 2.11. LTL(∼) is neither downward closed nor union closed. Also, this even holds without any temporal operators.

Proof. The formula dep(푝) is not union closed, and ∼푝, which states that at least one trace in the team satisfies ¬푝, is not downward closed.

2 In the team logic literature, usually ¬ is allowed only in front of atoms 푝푖. In such cases, ¬휙 is sometimes defined as an abbreviation for pushing ¬ inwards to the atomic level using the equivalences ¬(휙 ∧ 휓) ≡ ¬휙 ∨ ¬휓, ¬F휙 ≡ G¬휙, and so on. However, it will be useful to define ¬ in front of arbitrary formulas in a way that is consistent with its semantics on classical formulas, for example in order to succinctly define a “flat” approximation of a formula. With our definition, we follow Yang etal.[9,31, 33] and Kuusisto [14].

8 In fact, also the connective ¬ can be expressed with ∼, ⊥ and ∨ as follows [18]. First note that the constant ⊤ is equivalent to ∼(푝 ∧ ∼푝). Moreover, ⊥ holds only in the empty team, so non-emptiness can be expressed as ∼⊥. Now the formulas

∃⊆휙 := ⊤ ∨ 휙 ∀⊆휙 := ∼∃⊆∼휙 say that some (resp. every) subteam satisfies 휙, and

∃1휙 := ∃⊆(∼⊥ ∧ ∀⊆(⊥ 휙)) ∀1휙 := ∼∃1∼휙 6 say that some (resp. every) singleton subteam satisfies 휙. Intuitively, the formula ∃1휙 states that there is some non-empty subteam of which all non-empty subteams satisfy 휙, which is precisely the case if some singleton satisfies 휙. Thus we can write ¬휙 as ∀1∼휙. Sometimes it is necessary to “condition” a team 푇 to only those traces that satisfy a certain formula 휙. For this, we define the team 푇휙 := {푡 ∈ 푇 | {푡}  휙}. Observe that 푇휙 and 푇¬휙 always form a disjoint partition of 푇 . On the formula side, we use the connective 휙 ˓→ 휓 to express that 푇휙  휓. It is definable as ¬휙 ∨ (¬¬휙 ∧ 휓). Let us turn to the decision problems associated with LTL(∼). A formula is satisfiable if it is true in at least one team. The satisfiability problem of a logic 퐿 formally is the set of all satisfiable formulas 휙 ∈ 퐿. A team 푇 is finitely generated if 푇 = 푇 (풦) for some finite structure 풦, and a formula 휙 is finitely satisfiable if it satisfied by some finitely generated team. Also, 휙 is called countably satisfiable if it is satisfied by some countable team. For practical purposes, it is sometimes preferable to consider only traces that have a finite representation, which is the case for example for ultimately periodic traces.In general, if 풞 is some class of traces, then we say that a formula 휙 is 풞-satisfiable if there is a team 푇 such that 푇 ∩ 풞 satisfies 휙. Likewise, 휙 is finitely 풞-satisfiable if 푇 (풦) ∩ 풞 satisfies 휙 for some finite structure 풦. Note that it makes no sense to combine the restriction of finite satisfiability and countability alone: Proposition 2.12. If 풦 is a finite structure and 푇 (풦) is countable, then 푇 (풦) is already ultimately periodic. Proof. Proof by contraposition: Suppose some 푡 ∈ 푇 (풦) is not ultimately periodic. The path 휋 that induces 푡 must visit some state 푤 in 풦 infinitely often, say at positions 푖0, 푖1,.... If we now consider the intervals 푡(푖0) ··· 푡(푖1 − 1), 푡(푖1) ··· 푡(푖2 − 1),..., then at least two of them are distinct, since 푡 is not ultimately periodic. But then there are at least two cycles through 푤 with distinct labels, and hence 푇 (풦) is uncountable.

The model checking problem of 퐿 is the set of all pairs (풦, 휙) such that 휙 ∈ 퐿 and 3 푇 (풦)  휙 in team semantics. 3Here, formulas are written as strings over a suitable finite alphabet, with propositions encoded as binary numbers. A finite Kripke structure 풦 = (푊, 푅, 휂, 푟) is encoded by a number 푛 := |푊 |, lists of pairs of numbers (in binary) for with 푅 and 휂, and a single number for 푟.

9 Again, for a class 풞 of traces, the problem of 풞-model checking is the set of pairs (풦, 휙) where 푇 (풦)∩풞  휙. Recall that 푇ulp(풦) is the subteam of all ultimately periodic traces in 4 푇 (풦) (and analogously 푇ulc(풦)), and can thus be written as 푇 (풦) ∩ 풞 for appropriate 풞. For a class 풞 of traces, the corresponding decision problems are called 풞-restricted model checking, satisfiability, etc. If 풞 is the class of ultimately periodic (constant) traces, then we just call the 풞-restricted model checking problem ultimately periodic and ultimately constant model checking, respectively. For flat formulas, the complexity of these problems coincides with their classical counterparts. The underlying reductions for their lower bounds are all computable in logspace.

Proposition 2.13 ([27]). Model checking and satisfiability of classical LTL is PSPACE- complete.

Proposition 2.14 ([13]). The satisfiability problem for LTL-formulas in team semantics, restricted to non-empty teams, is PSPACE-complete.

Here, the empty team needs to be excluded since otherwise the problem becomes trivial due to empty team satisfaction. With negation ∼, this distinction becomes redundant, since 휙 is satisfiable iff 휙 ∨ ⊤ is satisfiable in a non-empty team, and 휙 is satisfiable in a non-empty team iff 휙 ∧ ∼⊥ is satisfiable.

Proposition 2.15 ([13]). The model checking problem for LTL-formulas in team seman- tics is PSPACE-hard.

3 A Stutter-Invariant Fragment of LTL(∼)

We begin by investigating the concept of stutter-equivalence and lift the classical definition to team semantics. We follow Peled and Wilke [21]. Two traces 푡, 푡′ are called stutter- equivalent if there are two sequences 0 = 푖0 < 푖1 < 푖2 < ··· and 0 = 푗0 < 푗1 < 푗2 < ··· ′ of indices such that, for all 푘 ≥ 0, it holds that 푡(푖푘) = ··· = 푡(푖푘+1 − 1) = 푡 (푗푘) = ′ ··· 푡 (푗푘+1 − 1). Intuitively, two traces are stutter-equivalent if one can be obtained from the other by adding and removing consecutive copies of labels (while leaving at least one copy), e.g., {푝}{푝}{푞}{푧}휔 is stutter-equivalent to {푝}{푞}{푞}{푧}휔, but {푝}{푧}휔 is not. Every X-free LTL-formula 휙 defines a stutter-invariant property in the sense that it ′ ′ cannot distinguish stutter-equivalent traces 푡 and 푡 , i.e., 푡  휙 ⇔ 푡  휙. Indeed, Peled and Wilke [21] show that the stutter-invariant properties definable in LTL are exactly those definable without X.

4Classically, there is no difference between full and ultimately periodic model checking. The reason is that every satisfiable LTL-formula is satisfied in some ultimately periodic trace [27], and that the traces of a structure 풦 are definable by a formula 휒풦 [25]. So if some trace 푡 in 풦 satisfies ¬휙, then 휒풦 ∧ ¬휙, and hence ¬휙, holds in some ultimately periodic trace in 풦.

10 ··· 푇 ··· 푓 : 0 ↦→ 0 1 ↦→ 1 2 ↦→ 3 3 ↦→ 4

푔 : 0 ↦→ 0 1 ↦→ 2 2 ↦→ 4 3 ↦→ 6 ··· 푇 ′ ···

Figure 1: Stutter-equivalence of teams witnessed by stuttering functions 푓 and 푔. Distinct propositional labels are encoded by different colors.

3.1 Stutter-equivalence in team semantics The first step in this section is to generalize the definition of stutter-equivalence toteams. For this, note that the above definition of stutter-equivalence can also be written as ′ ′ follows: For all 푘, it holds that 푡(푖푘) = ··· = 푡(푖푘+1 − 1) and 푡 (푗푘) = ··· = 푡 (푗푘+1 − 푡 푡 푖 푡 푖 푡 푖 ··· 푡′ 1), and additionally the “filtered” traces ( 푖푘 )푘≥0 = ( 0) ( 1) ( 2) and ( 푗푘 )푘≥0 = ′ ′ ′ 푡 (푗0)푡 (푗1)푡 (푗2) ··· are identical. We generalize this equivalent definition to teams:

Definition 3.1 (Stuttering functions). A stuttering function of a trace 푡 is a strictly increasing function 푓 : N → N such that 푓(0) = 0 and 푡(푓(푘)) = ··· = 푡(푓(푘 + 1) − 1) for all 푘.A stuttering function of a team 푇 is a function 푓 that is a stuttering function for each trace 푡 ∈ 푇 .

In other words, the range of a stuttering function includes at least zero and all positions on which the trace differs from the predecessor.

Example Every trace of the form ∅푛{푝}∅휔 has infinitely many stuttering functions, whose range only needs to include zero, 푛+1, and an arbitrary infinite subset of {푛+2,...}. On the other hand, when combined to a team, the only stuttering function of {∅푛{푝}∅휔 | 푛 ≥ 0} is the identity; intuitively, there exists no position 푖 on which every trace stays unchanged compared to the previous position. If 푓 : N → N, then let 푡[푓] denote the trace 푡(푓(0))푡(푓(1))푡(푓(2)) ··· , and 푇 [푓] the team {푡[푓] | 푡 ∈ 푇 }.

Definition 3.2 (Stutter-equivalence). Teams 푇, 푇 ′ are stutter-equivalent, in symbols ′ ′ ′ ′ ′ 푇 ≡st 푇 , if there are stuttering functions 푓 of 푇 and 푓 of 푇 such that 푇 [푓] = 푇 [푓 ].

See also Figure 1 for two example teams that are stutter-equivalent. Next, we show that stutter-equivalent teams always have the same cardinality.

Proposition 3.3. If 푓 is a stuttering function of 푇 , then |푇 | = |푇 [푓]|.

11 Proof. We show that the surjective map 푡 ↦→ 푡[푓] from 푇 to 푇 [푓] is also injective. Let 푡, 푡′ ∈ 푇 such that 푡[푓] = 푡′[푓]. Then 푡(푓(푘)) = 푡′(푓(푘)) for all 푘. As 푓 is a stuttering function, also 푡(푗) = 푡(푓(푘)) = 푡′(푓(푘)) = 푡′(푗) for all 푗 such that 푓(푘) ≤ 푗 < 푓(푘 + 1) for some 푘, and hence for all 푗. Consequently, 푡 = 푡′.

Corollary 3.4. Any two stutter-equivalent teams have the same cardinality.

In our definition, a team is a set of traces, which consist of labels indexed by natural numbers. However, a team 푇 also intuitively corresponds to a single sequence which maps to each position a “snapshot” of all traces, indexed by the elements of 푇 . Let us relax the necessity of AP being countable in this section, then the resulting sequence is indeed a trace. Fix an index set 퐼. The snapshot trace sn(푇 ) of an 퐼-indexed team {푡푖}푖∈퐼 is a trace in 휔 (℘(AP × 퐼)) and is defined by (푝, 푖) ∈ sn(푇 )(푛) ⇔ 푝 ∈ 푡푖(푛).

′ ′ ′ Proposition 3.5. Let 푇 = {푡푖}푖∈퐼 and 푇 = {푡푖}푖∈퐼 be 퐼-indexed teams. Then 푇 and 푇 are stutter-equivalent teams if and only if sn(푇 ) and sn(푇 ′) are stutter-equivalent traces.

Proof. Clearly, a function 푓 is a stuttering function of a team 푇 if and only if it is one of the trace sn(푇 ). Also, clearly sn(푇 )[푓] = sn(푇 [푓]). As a consequence, 푇 [푓] = 푇 ′[푔] for stuttering functions 푓, 푔 if and only if sn(푇 )[푓] = sn(푇 ′)[푔].

The above statement can be extended to all teams, since stutter-equivalent teams have the same cardinality and thus can be indexed by the same set 퐼. A team 푇 has a stuttering position 푖 if 푡(푖) = 푡(푖 + 1) for all 푡 ∈ 푇 , but there are 푡 ∈ 푇 and 푗 > 푖 + 1 such that 푡(푖) ≠ 푡(푗). (So constant suffixes are not considered stuttering.) A trace or team with no stuttering positions is called stutter-free. Next, we prove the team analogs of several classical properties of stutter-equivalence.

Theorem 3.6. Stutter-equivalence on teams satisfies the following properties.

1. If 푇 is a stutter-free team, then 푇 = 푇 [푓] for every stuttering function 푓.

2. Every team 푇 has a unique stutter-free team that is stutter-equivalent to it.

3. Stutter-equivalence is reflexive, transitive and symmetric.

4. Every stutter-equivalence class contains exactly one stutter-free team.

Proof. 1.: Suppose 푇 ≠ 푇 [푓]. Then there exists a minimal 푖 such that 푓(푖) ≠ 푖. In particular, 푓(푖) > 푖 > 0. Let 푡 ∈ 푇 be arbitrary. By minimality of 푖, 푡(푖−1) = 푡(푓(푖−1)). By definition of stuttering function, 푡(푓(푖−1)) = ··· = 푡(푓(푖)−1). Since 푓(푖−1) ≤ 푖 ≤ 푓(푖)−1, it follows that 푡(푖 − 1) = 푡(푖). But 푇 was stutter-free, contradiction. 2.: Let 푗0, 푗1,... be all non-stuttering positions of 푇 in ascending order. Then 푓(0) := 0, 푓(푖 + 1) := 푗푖 + 1 is a stuttering function of 푇 (see Figure 2). So 푇 ≡st 푇 [푓] via the stuttering function 푓 for 푇 and the identity for 푇 [푓]. Moreover, the team 푇 [푓] is stutter-free. For the uniqueness part, suppose 푇1 ≡st 푇 and 푇2 ≡st 푇 for stutter-free 푇1 ≠ 푇2 via stuttering functions 푓1 for 푇1 and 푓2 for 푇2. By 1., then 푇 [푓1] = 푇1 and

12 ··· 푗0 푗1 푓(0) 푓(1) 푓(2)

Figure 2: Defining a stuttering function 푓 from the non-stuttering positions 푗푖.

⋆ ⋆ ⋆ 푇 [푓2] = 푇2. By distinctness, there is 푡 ∈ 푇 and a minimal 푖 > 0 with 푡 (푓1(푖)) ≠ 푡 (푓2(푖)), hence 푓1(푖) ≠ 푓2(푖). W.l.o.g. 푓1(푖) > 푓2(푖). By minimality of 푖, 푓1(푖 − 1) = 푓2(푖 − 1) < 푓2(푖) ≤ 푓1(푖) − 1, and by definition of stuttering function, 푡(푓2(푖 − 1)) = 푡(푓2(푖)) for all 푖−1 푡 ∈ 푇 . As 푇 [푓2] is stutter-free, the suffix 푇 [푓2] must already be constant. But then 푓 (푖−1) ⋆ ⋆ also the suffix 푇 2 of 푇 is constant, contradiction to 푡 (푓1(푖)) ≠ 푡 (푓2(푖)). 3.: We show that two teams are stutter-equivalent if and only if they are stutter- equivalent to a common stutter-free team. This relation is transitive due to 2., and it is clearly reflexive and symmetric. The direction⇐ “ ” follows from 1. For “⇒”, suppose ′ 푇1 ≡st 푇2, and 푇 := 푇1[푓1] = 푇2[푓2] for stuttering functions 푓1, 푓2. By 1. and 2., there ⋆ ⋆ ′ ⋆ exist 푔 and a stutter-free team 푇 with 푇 ≡st 푇 via 푇 [푔] = 푇 . Now, it is not hard to ⋆ check that 푓푖 ∘ 푔 is a stuttering function of 푇푖, 푖 ∈ {1, 2}. As a result, 푇1 ≡st 푇 ≡st 푇2. 4.: Follows from 2. and 3.

3.2 The stutter-invariance of X-free formulas In the remainder of this section, we prove that the X-free formulas of LTL(∼) are indeed stutter-invariant, where a formula 휙 ∈ LTL(∼) is stutter-invariant if, for all teams 푇, 푇 ′, ′ ′ 푇 ≡st 푇 implies 푇  휙 ⇔ 푇  휙. The proof requires a series of technical lemmas.

Lemma 3.7 (Splitting preserves stutter invariance). Let 푇, 푆 be teams. Then the following are equivalent:

1. 푇 ≡st 푆.

2. For all 푇1, 푇2 such that 푇 = 푇1 ∪ 푇2, there are teams 푆1, 푆2 such that 푆 = 푆1 ∪ 푆2 and 푇푖 ≡st 푆푖 for 푖 ∈ {1, 2}.

Proof. 2. to 1. is easy: Obviously 푇 = 푇 ∪ ∅, but ∅ is only stutter-equivalent to itself, so 푇 ≡st 푆. We proceed with 1. to 2. By assumption, there are stuttering functions 푓 of 푇 and 푔 of 푆 such that 푇 [푓] = 푈 = 푆[푔]. Let 푈푖 := 푇푖[푓] for 푖 ∈ {1, 2}, and let 푆푖 := {푡 ∈ 푆 | 푡[푔] ∈ 푈푖}. Then 푆푖[푔] = 푈푖 = 푇푖[푓]. Clearly 푓 and 푔 are stuttering functions for 푇푖 and 푆푖 as well, which yields 푇푖 ≡st 푆푖. Obviously 푆1 ∪ 푆2 ⊆ 푆, so it remains to show that 푆 ⊆ 푆1 ∪ 푆2. Let 푡 ∈ 푆. Then ′ ′ 푡[푔] ∈ 푆[푔] = 푇 [푓], so there is 푡 ∈ 푇 such that 푡 [푓] = 푡[푔]. As 푇 ⊆ 푇1 ∪ 푇2, there is ′ ′ 푖 ∈ {1, 2} such that 푡 ∈ 푇푖, consequently 푡[푔] = 푡 [푓] ∈ 푈푖. From 푡 ∈ 푆 and 푡[푔] ∈ 푈푖 we conclude 푡 ∈ 푆푖.

13 Lemma 3.8 (Future preserves stutter invariance). Let 푇, 푆 be teams. Then the following are equivalent:

1. 푇 ≡st 푆.

휇(푛) 휈(푛) 2. There are surjective, non-decreasing 휇, 휈 : N → N such that 푇 ≡st 푆 for all 푛 ≥ 0.

In particular, 2. implies that every suffix of 푇 is stutter-equivalent to a suffix of 푆 and vice versa, which will be necessary for stutter invariance of the temporal operators.

Proof. Again, 2. to 1. is easy, since necessarily 휇(0) = 휈(0) = 0. For 1. to 2., suppose 푇 [푓] = 푆[푔] for stuttering functions 푓, 푔. We construct the functions 휇, 휈 inductively such 휇(푛) 휈(푛) that always 푇 ≡st 푆 . At the same time, we will ensure another invariant necessary for showing the correctness of the construction, namely that for every 푛 there is 푘 such that 푓(푘) ≤ 휇(푛) < 푓(푘 + 1) and 푔(푘) ≤ 휈(푛) < 푔(푘 + 1). Intuitively, the functions 휇 and 휈 “run along” 푇 and 푆, with 휇 “waiting” on 푇 if 푆 stutters and vice versa (recall that 휇 and 휈 are only non-decreasing, not necessarily increasing). Positions of the form 푓(푘) and 푔(푘), in the range of the stuttering functions, are then crossed in lockstep, so to speak. We give the formal definition. First, let 휇(0) = 휈(0) = 0. For the inductive step to 푛 + 1, we distinguish two cases. First, if either 휇(푛) + 1 ∈/ ran 푓 or 휈(푛) + 1 ∈/ ran 푔 or both holds, let {︃ 휇(푛) if 휇(푛) + 1 ∈ ran 푓 휇(푛 + 1) := 휇(푛) + 1 if 휇(푛) + 1 ∈/ ran 푓 and analogously for 휈 and 푔. In other words, we can “advance” 휇 and/or 휈 as long 휇(푛) 휇(푛+1) as neither crosses the range of 푓 or 푔. In either case, clearly 푇 ≡st 푇 and 휈(푛) 휈(푛+1) 휇(푛+1) 휈(푛+1) 푆 ≡st 푆 , so 푇 ≡st 푆 by induction hypothesis. In the other case, both 휇(푛) + 1 ∈ ran 푓 and 휈(푛) + 1 ∈ ran 푔. Then we advance both 휇 and 휈 in lockstep: let 휇(푛+1) := 휇(푛)+1 and 휈(푛+1) := 휈(푛)+1. By induction hypothesis, there is a common 푘 such that 휇(푛 + 1) = 휇(푛) + 1 = 푓(푘) and 휈(푛 + 1) = 휈(푛) + 1 = 푔(푘). 푓(푘) 푔(푘) It remains to show that 푇 ≡st 푆 . 푓(푘) 푔(푘) For this, we define stuttering functions 푓푘 of 푇 and 푔푘 of 푆 such that 푇 [푓푘] = 푆 [푔푘] by 푓푘(푖) := 푓(푖 + 푘) − 푓(푘) and 푔푘(푖) := 푔(푖 + 푘) − 푔(푘). Clearly 푓푘(0) = 푔푘(0) = 0 and both are strictly increasing. We show that these are stuttering functions of 푇 푓(푘) and 푆푔(푘). For the sake of con- 푓(푘) 푔(푘) tradiction, suppose 푓푘 is not a stuttering function of 푇 (the proof for 푔푘 and 푆 is 푓(푘) analogous). Then there exist a position 0 < 푖∈ / ran 푓푘 and a trace 푡 ∈ 푇 such that 푡(푖 − 1) ≠ 푡(푖), or equivalently, 푡 ∈ 푇 such that 푡(푓(푘) + 푖 − 1) ≠ 푡(푓(푘) + 푖). However, this implies that 푓(푘) + 푖 ∈ ran 푓 as 푓 is a stuttering function of 푇 , so 푓(푘)+푖 = 푓(ℓ) for some ℓ. In particular, ℓ > 푘. But then 푓푘(ℓ−푘) = 푓(ℓ−푘 +푘)−푓(푘) = 푓(ℓ) − 푓(푘) = 푖, so 푖 ∈ ran 푓푘, contradiction. 푓(푘) 푔(푘) With 푓푘 and 푔푘 being stuttering functions, it remains to show 푇 [푓푘] = 푆 [푔푘]. For 푓(푘) 푘 푔(푘) 푘 this we prove 푇 [푓푘] = 푇 [푓] and 푆 [푔푘] = 푆[푔] , since 푇 [푓] = 푆[푔] by assumption,

14 푘 푘 푓(푘) 푘 which implies 푇 [푓] = 푆[푔] . We show 푇 [푓푘] = 푇 [푓] (the proof is again analogous for 푆). For this it suffices that for every trace 푡,

푓(푘) 푘 푡 [푓푘] = (푡(푓푘(푖) + 푓(푘)))푖≥0 = (푡(푓(푖 + 푘)))푖≥0 = 푡[푓] .

Theorem 3.9. Every X-free LTL(∼)-formula is stutter-invariant.

Proof. Due to the equivalences G휓 ≡ ∼F∼휓, F휓 ≡ ⊤U휓 and 휓R휃 ≡ ∼(∼휓U∼휃), it suffices to consider formulas 휙 ∈ LTL(∼, U). We have to show, for teams 푇 and 푆, that 푇 ≡st 푆 implies 푇  휙 ⇔ 푆  휙. Hence let 푇 and 푆 be stutter-equivalent teams via 푇 [푓] = 푆[푔]. The proof is now by induction on 휙.

• For all propositional formulas, e.g., 휙 = 푝, ¬푝, ⊤, ⊥ for 푝 ∈ AP, this is clear: Since 푓(0) = 0 = 푔(0), the teams 푇 and 푆 agree on the first position of traces.

• For the Boolean connectives, ∧ and ∼, the induction step is clear.

• For the case 휙 = ¬휓, recall from p. 9 that ¬휓 ≡ ∀1∼휓, which can be reduced to the connectives ⊥, ∼ and ∨.

• The ∨-case follows by induction hypothesis and Lemma 3.7.

• For the U-case, we show “⇒”, as “⇐” is symmetric. Suppose 푇  휓U휃, so there 푘 푗 is 푘 ≥ 0 such that 푇  휃 and 푇  휓 for all 푗 < 푘. We show that 푆  휓U휃. By 휇(푛) 휈(푛) Lemma 3.8, there are surjective, non-decreasing 휇, 휈 such that 푇 ≡st 푆 for 휈(푛) all 푛. In particular, 휇(푛) = 푘 for some 푛, so by induction hypothesis 푆  휃. It ℓ remains to show that 푆  휓 for all ℓ < 휈(푛). Choose 푛 minimal, i.e., such that 푛 = 0 or 휇(푛 − 1) < 푘. If 푛 = 0, then 휈(푛) = 0 and we are done. Otherwise let ℓ < 휈(푛) be arbitrary; then there exists 푚 < 푛 such that 휈(푚) = ℓ since 휈 is 휇(푚) surjective and non-decreasing. As 휇(푚) ≤ 휇(푛 − 1) < 푘, by assumption 푇  휓. 휈(푚) ℓ But then also 푆 = 푆  휓 by induction hypothesis.

4 From LTL(∼) to third-order arithmetic

In this section, we translate formulas of LTL(∼) into arithmetic formulas and by this obtain the upper complexity bounds for Theorem 1.1 and 1.2. Before we start, let us briefly introduce third-order arithmetic. For a full formal definition in the contextof higher order logic, we refer the reader to the literature [16]; here we need only a small part of it. In this context, we write N for the standard model of arithmetic with the usual interpretations for +, × and so on.

A (third-order) type is a tuple 휏 = (푛1, . . . , 푛푘), where 푘, 푛1, . . . , 푛푘 ≥ 1. For each type 휏 there is a set of (third-order) 휏-variables 풱휏 := {a, b, c,...}. Syntactically, third-order logic extends second-order logic as follows. We include all atomic formulas, connectives and quantifiers from second-order logic. Moreover, if a ∈ 풱휏 is a third-order variable of type 휏 = (푛1, . . . , 푛푘) and for each 푖 ∈ {1, . . . , 푘}, 퐴푖 is a second-order relation symbol of

15 5 arity 푛푖, then a(퐴1, . . . , 퐴푘) is an atomic formula. Finally, if 휙 is a formula and a is as above, then ∃a휙 and ∀a휙 are formulas. A formula is closed if it has no free variables. 푛1 푛 If 휏 = (푛1, . . . , 푛푘) is a type, then elements 풜 ∈ ℘(℘N × · · · × ℘N 푘 ) are called 휏-objects. For example, the subset relation ⊆ is a (1, 1)-object, and “⊆(퐴, 퐵)” would be an atomic formula if 퐴 and 퐵 are unary (set) variables. An example of a (2, 2)-object is the relation “is the transitive closure of ”. We extend the usual Tarski semantics to third-order logic, i.e., interpretations ℐ map 휏- variables to 휏-objects. An interpretation ℐ satisfies a(퐴1, . . . , 퐴푘) if (ℐ(퐴1),..., ℐ(퐴푘)) ∈ ℐ(a). The quantifiers work as expected. The set of all formulas of third-order arithmetic, that is, third-order formulas over the 3 vocabulary (+, ×, 0, 1, =, ≤), is written 훥0. Likewise, the set of formulas of second-order 2 arithmetic is 훥0. The subset of closed formulas that are true in N is denoted by a boldface 3 2 6 letter, i.e., Δ0 and Δ0, respectively.

4.1 The uncountable cases

We reduce LTL(∼) to third-order arithmetic as follows. The propositions 푝1, 푝2,... are identified with numbers 1, 2,.... The idea is now that a trace 푡 can be encoded as a binary relation 푆 such that 푆(푗, 푘) is true iff 푝푘 ∈ 푡(푗), and vice versa. Finally, a team is encoded as a unary third-order relation 풜 of binary relations 푆 such that 푆 ∈ 풜 iff 푆 represents 3 some trace 푡 ∈ 푇 . Now, we define a translation 휌a(휙) ∈ 훥0 of the LTL(∼)-formula 휙 with one free third-order variable a of type (2). The translation is faithful in the sense that a team 푇 satisfies 휙 if and only if (N, 풜)  휌a(휙), where 풜 is the third-order relation encoded by 푇 . In what follows, we restrict ourselves to the temporal operators X and U, since the remaining ones are expressible as G휙 ≡ ∼F∼휙, F휙 ≡ ⊤U휙 and 휙R휓 ≡ ∼(∼휙U∼휓). Moreover, we can assume that ¬ occurs only in front of atomic propositional formulas, by an argument as in the proof of Theorem 3.9. Let 푚 denote the term 1 + 1 + ··· + 1 for 푚 ≥ 1, or 0 if 푚 = 0, respectively. ⏟ ⏞ 푚 times The atomic formulas and Boolean connectives are straightforward:

휌a(푝푘) := ∀푆(a(푆) → 푆(0, 푘))

휌a(¬푝푘) := ∀푆(a(푆) → ¬푆(0, 푘))

휌a(휓 ∧ 휃) := 휌a(휓) ∧ 휌a(휃)

휌a(∼휓) := ¬휌a(휓)

For the splitting connective, we existentially quantify two subteams: (︀ )︀ 휌a(휓 ∨ 휃) := ∃b∃c ∀푆(a(푆) ↔ (b(푆) ∨ c(푆))) ∧ 휌b(휓) ∧ 휌c(휃)

5We leave out higher-order functions here, as they easily can be represented by a relation encoding their graph, analogously to the second-order case. 6 1 With the notation, we follow the convention for first-order arithmetic 훥0 and second-order arithmetic 2 3 2 훥0; an equivalent notation for 훥0 would be 훥휔 [23].

16 푑 For the temporal operators, we define an auxiliary formula a −→ b with a free first-order variable 푑 and two free third-order variables a and b, stating that b represents the team 푇 푑 when a represents the team 푇 :

푑 a −→ b := ∀푆(︀b(푆) ↔ ∃푆′(a(푆′) ∧ ∀푗∀푘(푆(푗, 푘) ↔ 푆′(푗 + 푑, 푘))))︀

Then we can translate X and U as follows: 1 휌a(X휓) := ∃b(a −→ b ∧ 휌b(휓)) (︀ 푑 푒 )︀ 휌a(휓U휃) := ∃푑 ∀푒 ∃b ∃c a −→ b ∧ a −→ c ∧ 휌b(휃) ∧ (푒 < 푑 → 휌c(휓))

Lemma 4.1. Let 휙 ∈ LTL(∼) and let 푇 be a team. Let

{︁{︀ 2 }︀ }︁ 풜푇 := (푗, 푘) ∈ N | 푝푘 ∈ 푡(푗) | 푡 ∈ 푇 .

Then 푇  휙 if and only if (N, 풜푇 )  휌a(휙). Proof. Straightforward induction on the syntax of 휙.

Theorem 4.2. Satisfiability and finite satisfiability of LTL(∼) are logspace-reducible to 3 Δ0. Proof. We apply the previous lemma. Assume 휙 ∈ LTL(∼). Clearly, by the above lemma, 휙 is satisfiable if and only if ∃a 휌a(휙) holds in N. The case where the team is finitely generated is more complicated. Suppose that 푇 = 푇 (풦), where 풦 = (푊, 푅, 휂, 푟) is a finite structure. Essentially, the idea is to first quantify the components of 풦 as second-order objects, and then to express in the logic that we are looking precisely at the traces in 푇 (풦). For this, w.l.o.g. 푊 ⊆ N, 푅 ⊆ N × N and 푟 = 0. The propositional assignment 휂 can equivalently be represented as a relation 휂^ := {(푛, 푘) | 푝푘 ∈ 휂(푛)}. We can then talk about 풦 inside arithmetic. First, the set 푊 should be finite and non-empty. Also, 푅 should be total and a subset of 푊 × 푊 :

휓frame(푊, 푅) := 푊 (0) ∧ ∃푛 ∀푚 (푊 (푚) → 푚 < 푛) ∧ ∀푚∃푛푅(푚, 푛) ∧ ∀푚∀푛(푅(푚, 푛) → (푊 (푚) ∧ 푊 (푛)))

A path 휋 through 풦 is then simply a function N → 푊 , hence a second-order object. We assert that 휋 is an 푅-path starting at the root, (︀ )︀ 휓path(푊, 푅, 휋) := 휋(0) = 0 ∧ ∀푗 푊 (휋(푗)) ∧ 푅(휋(푗), 휋(푗 + 1)) .

We model a trace 푡 as the relation 푆 := {(푗, 푘) | 푝푘 ∈ 푡푗}. We can state that a trace is in 푇 (풦) by saying that it is the trace of some path from 푤: (︀ )︀ 휓trace(푊, 푅, 휂,^ 푆) := ∃휋 휓path(푊, 푅, 휋) ∧ ∀푗∀푘(푆(푗, 푘) ↔ 휂^(휋(푗), 푘))

The formula

휓generated(푊, 푅, 휂,^ a) := ∀푆(a(푆) ↔ 휓trace(푊, 푅, 휂,^ 푆))

17 expresses that a contains precisely all traces in 푇 (풦). Now 휙 is satisfied by the team 푇 (풦), for some finite 풦, if and only if (︀ )︀ N  ∃푊 ∃푅∃휂^∃a 휓frame(푊, 푅) ∧ 휓generated(푊, 푅, 휂,^ a) ∧ 휌a(휙)

The formula constructed in the above reduction consists of the inductive translation of 휙 as well as a constant part. The terms 푘 have length linear in 푘, but w.l.o.g. 푘 is bounded by |휙|. For this reason, it is straightforward to show that 휌a(휙), and hence the whole formula, is computable in logarithmic space.

In the remainder of this section, we will present similar reductions, which all are logspace-computable as well.

3 Theorem 4.3. Model checking of LTL(∼) is logspace-reducible to Δ0. Proof. We proceed as in the proof for satisfiability restricted to finitely generated teams, but additionally have to claim on the level of formulas that the relations 푊 , 푅, and 휂^, which are quantified in the logic, are equal to the structure which is given as the input instance, say, (푊 ′, 푅′, 휂′, 푟′, 휙). W.l.o.g. the input structure is of the form 푊 ′ = {0, 1, . . . , 푚 − 1}, for some 푚 > 0, and 푟′ = 0. Then the conjunction of the formulas

휓=푊 ′ (푊 ) := ∀푛(푊 (푛) ↔ 푛 < 푚) ⋁︁ 휓=푅′ (푅) := ∀푛∀푚(푅(푛, 푚) ↔ (푛 = 푖 ∧ 푚 = 푗)) (푖,푗)∈푅 ⋁︁ 휓=휂′ (^휂) := ∀푛∀푘(^휂(푛, 푘) ↔ (푛 = 푖 ∧ 푘 = 푗) 푖<푚 ′ 푝푗 ∈휂 (푖) asserts that (푊 ′, 푅′, 휂′) = (푊, 푅, 휂). Hence in the reduction of the previous theorem, we can replace the subformula 휓generated(푊, 푅, 휂,^ a) by

휓generated(푊, 푅, 휂,^ a) ∧ 휓=푊 ′ (푊 ) ∧ 휓=푅′ (푅) ∧ 휓=휂′ (^휂)

which proves the theorem.

4.2 The countable cases 2 Next, we proceed with the decision problems that are reducible to Δ0, i.e., second-order arithmetic. Here, we can only manage countable teams, since the interpretations of second-order variables are always countable objects. Given such a team 푇 , we can assume that it is of the form {푡푖}푖∈퐼 for some 퐼 ⊆ N. 3 We encode 푇 as a pair (퐼, 푃 ) ∈ ℘N × ℘N (indices and propositions) such that 퐼 ⊆ N is as in the subscript of {푡푖}푖∈퐼 , and 푃 describes the traces in the sense that 푃 (푖, 푗, 푘) is true iff 푝푘 ∈ 푡푖(푗).

18 The temporal operators are implemented by “shifting” all entries in 푃 by an offset 푑. 3 This works similarly to the 훥0 case. The set 퐼 is unaffected by this. The atomic formulas and Boolean connectives are again straightforward:

휌퐼,푃 (푝푘) := ∀푖(퐼(푖) → 푃 (푖, 0, 푘))

휌퐼,푃 (¬푝푘) := ∀푖(퐼(푖) → ¬푃 (푖, 0, 푘))

휌퐼,푃 (휓 ∧ 휃) := 휌퐼,푃 (휓) ∧ 휌퐼,푃 (휃)

휌퐼,푃 (∼휓) := ¬휌퐼,푃 (휓)

For the splitting connective, we need to divide 퐼 only:

′ ′′(︀ ′ ′′ )︀ 휌퐼,푃 (휓 ∨ 휃) := ∃퐼 ∃퐼 ∀푖(퐼(푖) ↔ (퐼 (푖) ∨ 퐼 (푖))) ∧ 휌퐼′,푃 (휓) ∧ 휌퐼′′,푃 (휃)

For the temporal operators, we again define an auxiliary formula:

푑 푃 −→ 푄 := ∀푖∀푗∀푘(︀푄(푖, 푗, 푘) ↔ 푃 (푖, 푗 + 푑, 푘))︀ ′ 1 ′ 휌퐼,푃 (X휓) := ∃푃 (푃 −→ 푃 ∧ 휌퐼,푃 ′ (휓)) ′ ′′(︀ 푑 ′ 푒 ′′ 휌퐼,푃 (휓U휃) := ∃푑 ∀푒 ∃푃 ∃푃 푃 −→ 푃 ∧ 푃 −→ 푃 )︀ ∧ 휌퐼,푃 ′ (휃) ∧ (푒 < 푑 → 휌퐼,푃 ′′ (휓))

Lemma 4.4. Let 휙 be a formula and 푇 = {푡푖}푖∈퐼 a team, where 퐼 ⊆ N. Let 푃 := {(푖, 푗, 푘) | 푖 ∈ 퐼 and 푝푘 ∈ 푡푖(푗)}. Then 푇  휙 if and only if (N, 퐼, 푃 )  휌퐼,푃 (휙) is true. Proof. Easy induction on the syntax of 휙 analogous to Lemma 4.1.

Theorem 4.5. Countable satisfiability, 풞-restricted satisfiability and 풞-restricted finite 2 satisfiability of LTL(∼) are logspace-reducible to Δ0 if 풞 is the class of ultimately periodic traces or the class of ultimately constant traces.

Note that we do not consider countable finite satisfiability, as it coincides with finite satisfiability over ultimately periodic teams by Proposition 2.12.

Proof. A formula 휙 is satisfied in a countable team if and only if N  ∃퐼∃푃 휌퐼,푃 (휙). This immediately follows from Lemma 4.4. Moreover, the trace number 푖 represented in 푃 is ultimately periodic if (N, 푖, 푃 )  휓ulp(푖, 푃 ), where

휓ulp(푖, 푃 ) := ∃푐 ∃푑(푑 > 0 ∧ ∀푗∀푘 (푗 ≥ 푐 → (푃 (푖, 푗, 푘) ↔ 푃 (푖, 푗 + 푑, 푘))))).

It follows that (︀ )︀ N  ∃퐼 ∃푃 휌퐼,푃 (휙) ∧ ∀푖(퐼(푖) → 휓ulp(푖, 푃 )) iff 휙 is satisfied by some team of ultimately periodic traces. For ultimately constant traces we simply replace 푑 in 휓ulp by 1.

19 We proceed with the finitely satisfiable cases. For this, we use the formulas 휓generated and 휓frame from the proof of Theorem 4.2, but now with a pair (퐼, 푃 ) as argument instead of a higher-order relation. More precisely, the formula (︁(︁ 휓generated,ulp(푊, 푅, 휂,^ 퐼, 푃 ) := ∀푆 휓trace(푊, 푅, 휂,^ 푆) )︁ ∧ ∃푐∃푑(︀푑 > 0 ∧ ∀푗∀푘(푗 ≥ 푐 → (푆(푗, 푘) ↔ 푆(푗 + 푑, 푘))))︀ (︁ )︁)︁ ↔ ∃푖 ∀푗 ∀푘(푆(푗, 푘) ↔ 푃 (푖, 푗, 푘)) stores all ultimately periodic traces in (퐼, 푃 ), with 휓trace as in Theorem 4.2. Then (︁ )︁ N  ∃푊 ∃푅 ∃휂^∃퐼 ∃푃 휓frame(푊, 푅) ∧ 휓generated,ulp(푊, 푅, 휂,^ 퐼, 푃 ) ∧ 휌퐼,푃 (휙) iff 휙 is satisfied in the ultimately periodic traces of a finitely generated team. Again,the proof for the ultimately constant case is similar.

Theorem 4.6. Ultimately periodic and ultimately constant model checking of LTL(∼) 2 are reducible to Δ0. Proof. Completely analogous to Theorem 4.3 and 4.5. The formula is (︀ ∃푊 ∃푅 ∃휂^∃퐼 ∃푃 ∃퐼 휓frame(푊, 푅) ∧ 휓generated,ulp(푊, 푅, 휂,^ 퐼, 푃 ) )︀ ∧ 휓=푊 ′ (푊 ) ∧ 휓=푅′ (푅) ∧ 휓=휂′ (^휂) ∧ 휌퐼,푃 (휙) , with the ultimately constant case again similar.

5 From third-order arithmetic to model checking

In this section, we make the next step to prove Theorem 1.1 and 1.2: we state the lower 3 bounds of the model checking problem. For this, a given 훥0-formula 휙 is translated to an LTL(∼)-formula 휓 and a structure 풦 such that N  휙 ⇔ 푇 (풦)  휓. In the first subsection, we begin with some preprocessing on 휙. Mainly, we reduce the maximal arity of quantified relations, which simplifies the subsequent steps significantly. 3 Hence, let 휙 ∈ 훥0 be closed. First, we bring 휙 into prenex form by a routine transformation. So w.l.o.g. 휙 = 푄1푋1 ··· 푄푛푋푛휃, where 푛 ≥ 1, 휃 is quantifier-free, {푄1, . . . , 푄푛} ⊆ {∃, ∀}, and 푋1, . . . , 푋푛 are pairwise distinct (first-order, second-order, or third-order) variables.

3 5.1 A bounded-arity normal form of 훥0 It is a well-known fact that there are first-order definable pairing functions, i.e., bijections 휋 : N × N → N. One example is the Cantor polynomial, 1 휋(푛, 푚) := (︀(푛 + 푚)2 + 3푛 + 푚)︀. 2

20 It can easily be generalized to arbitrary arities by

(ℓ) (ℓ−1) (1) 휋 (푛1, . . . , 푛ℓ) := 휋(휋 (푛1, . . . , 푛ℓ−1), 푛ℓ), 휋 (푛) := 푛.

That this allows to reduce quantified relation symbols to unary ones is a standard result in second-order logic. Here, we prove it for formulas with third-order atoms. It is routine to simulate all quantified function symbols by relation symbols, so w.l.o.g. the only function symbols are +, × and the numerical constants. Moreover, we can assume that the built-in symbols +, ×, 0, 1, < do not occur inside higher-order atoms (otherwise we replace them by quantified copies). ℓ (ℓ) We naturally extend the definition of 휋 to relations 퐴 ⊆ N by 휋(퐴) := {휋 (n) | n ∈ ℓ ℓ 퐴}. Likewise, for higher-order relations a ⊆ ℘N 1 × · · · × ℘N 푘 , let

(ℓ1) (ℓ푘) 휋(a) := {(휋 (퐴1), . . . , 휋 (퐴푘)) | (퐴1, . . . , 퐴푘) ∈ a}.

Finally, for an interpretation ℐ, we write 휋(ℐ) for the interpretation that agrees with ℐ on first-order variables and has 휋(ℐ)(푋) = 휋(ℐ(푋)) for each (second- or third-order) variable 푋. In the interpretation 휋(ℐ), now all second-order variables are mapped to unary relations, i.e., sets, and all third-order variables are mapped to relations of type (1,..., 1).

′ Lemma 5.1. Let 푓ℓ be a fixed ℓ-ary function variable not occurring in 휙. Let 휙 be obtained from 휙 by replacing each atomic formula 퐴(푡1, . . . , 푡ℓ), where 퐴 is a second-order variable, by 퐴(푓ℓ(푡1, . . . , 푡ℓ)), and furthermore changing the arity of each second-order variable to one, and changing the type of each third-order variable to (1,..., 1). Then ′ (ℓ) (N, ℐ)  휙 ⇔ (N, 휋(ℐ))  휙 for all interpretations ℐ in which ℐ(푓ℓ) = 휋 . Proof. By induction on 휙. The only interesting cases are the following:

• If 휙 = 퐴(푡1, . . . , 푡ℓ) is atomic, with 퐴 a second-order variable and 푡1, . . . , 푡ℓ first-order terms, then the equivalence holds by definition, as

(N, ℐ)  퐴(푡1, . . . , 푡ℓ) ⇔ (ℐ(푡1),..., ℐ(푡ℓ)) ∈ ℐ(퐴) (ℓ) ⇔ 휋 (ℐ(푡1),..., ℐ(푡ℓ)) ∈ 휋(ℐ(퐴))

⇔ ℐ(푓ℓ(푡1, . . . , 푡ℓ)) ∈ 휋(ℐ(퐴)) = 휋(ℐ)(퐴) ⇔ (N, 휋(ℐ))  퐴(푓ℓ(푡1, . . . , 푡ℓ)).

• If 휙 is atomic third-order, then again by definition (ℐ(퐴1),..., ℐ(퐴푘)) ∈ ℐ(a) ⇔ (휋(ℐ(퐴1)), . . . , 휋(ℐ(퐴푘))) ∈ 휋(ℐ(a)) = 휋(ℐ)(a).

• If 휙 = ∃퐴 휓 and 퐴 is ℓ-ary second-order, then this follows from the fact that ℓ 휋 : ℘(N ) → ℘(N) as defined above is a bijection and by induction hypothesis. • If 휙 = ∃a 휓 and a is third-order, then the argument is similar.

21 Next, we aim at eliminating the newly introduced function 푓ℓ. The graph of the pairing (ℓ) function 휋 is definable by a formula 휓ℓ with ℓ + 1 arguments, viz.

휓ℓ(푡1, . . . , 푡ℓ, 푡) := ∃푥2 · · · ∃푥ℓ−1(휓2(푡1, 푡2, 푥2) ∧ · · · ∧ 휓2(푥ℓ−1, 푡ℓ, 푡)) where

휓2(푡1, 푡2, 푡) := (2 × 푡) = ((푡1 + 푡2) × (푡1 + 푡2)) + (3 × 푡1) + 푡2 defines the Cantor polynomial. By this, the formula 퐴(푓ℓ(푡1, . . . , 푡ℓ)) can equivalently be translated to ∃푥(휓(푡1, . . . , 푡ℓ, 푥) ∧ 퐴(푥)). As a consequence, we can assume that all second-order variables are unary. Next, we reduce the arity of third-order variables. As they now all have type (1,..., 1) 푘 this is straightforward; a suitable pairing function 훱 :(℘N) → ℘N is ⋃︁ 훱(퐴1, . . . , 퐴푘) := {푘 · 푛 + (푖 − 1) | 푛 ∈ 퐴푖}, 푖∈[푘] where (the graph of) 훱 is defined by (︀ ⋁︁ )︀ 휃푘(퐴1, . . . , 퐴푘, 퐵) := ∀푚 퐵(푚) ↔ ∃푛 (퐴푖(푛) ∧ 푚 = 푘 · 푛 + 푖 − 1)) . 푖∈[푘]

On the level of formulas, we replace a(퐴1, . . . , 퐴푘) with ∃퐵(휃푘(퐴1, . . . , 퐴푘, 퐵) ∧ a(퐵)), and make all third-order variables unary, analogously to the second-order case. Finally, we can assume that the only built-in non-logical symbol is <, since ≤, =, +, × and all numerical constants are easily definable from it as quantified relations. Observe that this re-introduces binary and ternary relation symbols, but ultimately, we have a constant bound of three on the arity. In fact, we could either reduce the arity of all relations to one and keep + and × to express the pairing function, or eliminate + and × but keep relations of arity ℓ > 1. But at least in second-order logic it is impossible to achieve both simultaneously, as the MSO(<)-theory of N is decidable, known as Büchi’s theorem [3]. For third-order logic, to the best of the author’s knowledge, this is open.

3 Corollary 5.2. For every closed formula 휙 ∈ 훥0 there is a logspace-computable closed 3 formula 휓 ∈ 훥0 such that N  휙 ⇔ N  휓 and furthermore,

1. 휓 is in prenex form, i.e., of the form 푄1푋1 ··· 푄푛푋푛 휃, where 휃 is quantifier-free, {푄1, . . . , 푄푛} ⊆ {∃, ∀}, and 푋1, . . . , 푋푛 are pairwise distinct (first-order, second- order, or third-order) variables.

2. All atomic formulas in 휓 are of the form

• a(퐴), with a unary third-order, 퐴 unary second-order, and {a, 퐴} ⊆ {푋1, . . . , 푋푛},

• 퐴(푥1, . . . , 푥ℓ), with ℓ ∈ {1, 2, 3}, 퐴 ℓ-ary second-order, 푥1, . . . , 푥ℓ first-order and {퐴, 푥1, . . . , 푥ℓ} ⊆ {푋1, . . . , 푋푛},

• or 푥1 < 푥2 with {푥1, 푥2} ⊆ {푋1, . . . , 푋푛}.

22 ∅ 0 1 0, end

Figure 3: Gadget where every number is represented by a trace 푡. The length of the first * 휔 cycle between ∅ and 1 determines the value, assuming 푡(1){0, 1} ∈ 0 10 .

5.2 Representing numbers and relations in traces and teams Next, we draw the connection to LTL(∼). The crucial idea is that (ℓ-tuples of) numbers, as well as sets thereof, can be encoded on traces. For this, we use propositions 훴 := {0, 1}. Since a trace consists of countably infinitely many positions in a well-ordered fashion, itis natural to represent a number 푛 by simply setting a bit on the 푛-th position. These are the traces generated by the structure shown in Figure 3, aside from the single trace that never reaches 1. In other words, the structure generates all traces of the form ∅{0}*{1}{0, end}휔 and ∅{0}휔. Note that our encoding does not count the initial state of a trace, because this is fixed by the structure (and in our case labeled with ∅). For relations, we simply set more bits to 1, i.e., a trace models a subset of N by setting a bit on every corresponding position. These traces are generated by the structure in Figure 4. 1 푛 휔 Formally, a trace 푡 now represents the number 푛 ∈ N if 푡 훴 = {0} {1}{0} . The special proposition end marks that 1 has been seen earlier on the trace. This will be necessary later in the reduction. For sets 퐴 ⊆ N, a trace now represents 퐴 if it holds for all 푛 ≥ 0 that 1 ∈ 푡(푛 + 1) iff 푛 ∈ 퐴. To account for ℓ-tuples of numbers, where ℓ ∈ {2, 3}, we introduce copies 훴푘 := {0푘, 1푘} of 훴, where 푘 ∈ {1, 2, 3}. The propositions 01 and 11 are identified with 0 and 1. A trace 푡 now represents the ℓ-tuple (푛1, . . . , 푛ℓ) if 푡훴푘 represents 푛푘 for all 푘 ∈ [ℓ]. A structure generating all ℓ-tuples is obtained from taking the ℓ-fold product of that in Figure 3 and labeling the propositions accordingly, see Figure 5 for the case of ℓ = 2. To encode more complex objects, we require teams. For binary or ternary second-order ℓ ℓ relations 퐴 ⊆ N , a team 푇 represents 퐴 if, for all tuples n = (푛1, . . . , 푛ℓ) ∈ N , we have n ∈ 퐴 iff n is represented by some trace 푡 ∈ 푇 . Finally, a team 푇 represents a third-order relation a ⊆ ℘N if, for all 퐴 ⊆ N, we have 퐴 ∈ a iff 퐴 is represented by some trace 푡 ∈ 푇 . Note that non-unary third-order relations or those with non-unary members could not feasibly be represented as set of traces, so the lengthy preprocessing of the previous subsection is crucial. ℓ Let us stress that “trace-like” objects comprise numbers 푛 ∈ N, tuples n ∈ N , and ℓ sets 퐴 ⊆ N, while “team-like” objects comprise sets of tuples 퐴 ⊆ N and higher-order sets a ⊆ ℘N. Also, note that all possible logical atoms as in Corollary 5.2 boil down to comparing trace-like objects to each other, as well as checking membership of a trace-like object in a team-like object. This crucially relies on the established normal form. In the Figures 3 to 5, we saw structures that generate the corresponding traces for the encoding. To potentially represent one number, tuple or relation for each variable

푋1, . . . , 푋푛, and to tell these apart, we meld together several instances 풦푋푖 of these

23 0

1

Figure 4: Gadget where every unary relation is represented by a trace. Visiting 1 after 푛 steps means that the relation contains the number 푛 − 1.

01, 02 01, 12 01, 02 11, 02

11, 12 01, 02, end

∅ 11, 02 01, 02 01, 12

Figure 5: Gadget where every 2-tuple is represented by a trace 푡 that is a “superposition” * 휔 of two words of the form ∅{0} {1}{0} , that is, the projections 푡훴1 and 푡훴2 are such words.

24 structures, 푖 ∈ [푛], depending on what kind of variable each 푋푖 is.

• If 푋푖 is first-order, and thus should represent a number, let 풦푋푖 be the structure shown in Figure 3. We will quantify a single trace from it.

• If 푋푖 is either second-order or third-order, but unary, let 풦푋푖 be the structure shown in Figure 4. In the former case, we are interested in single traces, and in the latter case in sets of traces.

• Finally, if 푋푖 is second-order and of arity ℓ > 1, then 풦푋푖 is constructed by taking the ℓ-ary product of Figure 3 as demonstrated in Figure 5.

Given a formula 휙 with variables 푋1, . . . , 푋푛, we now in general define the structure 휙 풦 to be the disjoint union of the 풦푋1 ,..., 풦푋푛 , except that the roots of the 풦푋푖 are identified in 풦; call this world 푟. Moreover, all non-root worlds from the respective 풦푋푖 are marked with the proposition 푋푖 (not shown in the figures), so as to cleanly separate the values represented for each 푋푖 in 풦푋푖 . With the proposition 푋푖 (or the formula F푋푖, if we are still in the root) we can determine whether a trace runs through the respective

풦푋푖 . 휙 A team 푇 ⊆ 푇 (풦 ) now induces an interpretation ℐ푇 of the variables 푋푖 as described above, depending on which traces of the respective 풦푋푖 are in 푇 . Recall that the notation 푇휙 refers to the subteam {푡 ∈ 푇 | {푡}  휙} of 푇 .

• If 푋푖 is first-order, 푇F푋푖 = {푡} for some trace 푡, and 푡  Fend, then ℐ푇 (푋푖) is the 1 푛 휔 unique number 푛 such that 푡 훴 = {0} {1}{0} .

• If 푋푖 is second-order and unary, and 푇F푋푖 = {푡} for some trace 푡, then ℐ푇 (푋푖) := {푛 ∈ N | 1 ∈ 푡(푛 + 1)}. ℓ • If 푋푖 is second-order and binary or ternary, then ℐ푇 (푋푖) := {(푛1, . . . , 푛ℓ) ∈ N | 1 푛푗 휔 ∃푡 ∈ 푇F푋푖 : ∀푗 ∈ [ℓ]: 푡 훴푗 = {0} {1}{0} }.

• If 푋푖 is third-order, then ℐ푇 (푋푖) := {퐴 ⊆ N | ∃푡 ∈ 푇F푋푖 : 푡 represents 퐴}. Next, we explain how the team is manipulated in order to implement arithmetical quantifiers. Suppose we start with the team 푇 = 푇 (풦휙) and the outermost quantifier is

∃푋1. The ideas is then to non-deterministically shrink the subteam 푇푋1 , where 푋1 is one of the above cases, to a suitable subteam 푈 ⊆ 푇푋1 representing a value for 푋1. If 푋1 is for example first-order, then 푈 should be a singleton. Then we proceed with the team

(푇 ∖ 푇푋1 ) ∪ 푈, and (existentially or universally) quantify an interpretation for 푋2, and so on.

To confine the manipulation to a certain subteam 푇푋푖 , we use “subteam quantifiers” ⊆ 1 ⊆ 1 ∃휙 and ∃휙 similar to ∃ and ∃ defined on p. 9. Let 휙 ∈ LTL and 휓 ∈ LTL(∼), and let

⊆ ∃휙 휓 := ¬¬휙 ∨ 휓 1 ⊆ 1 ⊆ 1 ∃휙휓 := ∃휙 ((∃ 휙) ∧ ∼∃휙 ((∃ 휙) ∧ ∼휓)).

25 ⊆ Then ∃휙 intuitively says that we can shrink the subteam 푇휙 without touching the subteam 1 푇¬휙. Likewise, ∃휙 says that we can shrink 푇휙 to a singleton. The next lemma states this ⊆ ⊆ 1 1 formally. As before, the duals ∀휙 휓 := ∼∃휙 ∼휓 and ∀휙휓 := ∼∃휙∼휓 work as expected. ⊆ Lemma 5.3. A team 푇 satisfies ∃휙 휓 if and only if there is a subteam 푆 ⊆ 푇휙 such that 1 (푇 ∖ 푇휙) ∪ 푆  휓. A team 푇 satisfies ∃휙휓 if and only if there is a trace 푡 ∈ 푇휙 such that (푇 ∖ 푇휙) ∪ {푡}  휓. Proof. This was proved for so-called model team logic in [17, Proposition 5.3]. For LTL(∼), the proof is identical.

5.3 Translating arithmetic formulas 3 In this section, we translate 훥0-formulas into team logic. First, let us repeat the definitions of the various non-classical connectives from team semantics (pp. 8–9), as we need those in the remainder of the paper.

Boolean connectives, including those definable from ∧ and ∼:

푇  휙 ∧ 휓 ⇔ 푇  휙 and 푇  휓 푇  휙 휓 ⇔ 푇  휙 or 푇  휓 6 푇  휙 휓 ⇔ 푇  휙 implies 푇  휓 _ 푇  휙 휓 ⇔ 푇  휙 iff 푇  휓 ] Subteam connectives, including those definable from ∧, ∨, ∼, ⊤, ⊥:

푇  ¬휙 ⇔ ∀푡 ∈ 푇 : {푡} 2 휙 푇  휙 ∨ 휓 ⇔ 푇 = 푆 ∪ 푈 such that 푆  휙, 푈  휓 푇  휙 ˓→ 휓 ⇔ 푇휙  휓, where 푇휙 := {푡 ∈ 푇 | {푡}  휙} 1 푇  ∃ 휙 ⇔ ∃푡 ∈ 푇 : {푡}  휙 1 푇  ∀ 휙 ⇔ ∀푡 ∈ 푇 : {푡}  휙 ⊆ ′ ′ 푇  ∃ 휙 ⇔ ∃푇 ⊆ 푇 : 푇  휙 ⊆ ′ ′ 푇  ∀ 휙 ⇔ ∀푇 ⊆ 푇 : 푇  휙 1 푇  ∃휙휓 ⇔ ∃푡 ∈ 푇휙 :(푇 ∖ 푇휙) ∪ {푡}  휓 1 푇  ∀휙휓 ⇔ ∀푡 ∈ 푇휙 :(푇 ∖ 푇휙) ∪ {푡}  휓 ⊆ ′ ′ 푇  ∃휙 휓 ⇔ ∃푇 ⊆ 푇휙 :(푇 ∖ 푇휙) ∪ 푇  휓 ⊆ ′ ′ 푇  ∀휙 휓 ⇔ ∀푇 ⊆ 푇휙 :(푇 ∖ 푇휙) ∪ 푇  휓

We are now in the position to state the inductive translation 휌(휙) ∈ LTL(∼), where 3 휙 ∈ 훥0. Formally, 휌 should satisfy that 푇  휌(휙) iff ℐ푇  휙. We begin with the atomic formula 푥1 < 푥2, for which we have to compare two represented numbers 푛1 and 푛2, respectively.

26 It is straightforward to see that the formula

휌(푥1 < 푥2) := F((푥1 ˓→ end) ∧ (푥2 ˓→ 1)) implements 푥1 < 푥2, as it states that the digit 1 on the trace of 푛2 appears at some position where it already appeared beforehand (indicated by end) on the trace of 푛1. This clearly hinges on the fact that we have synchronous semantics. Let us proceed with the atomic formula 퐴(푥1, . . . , 푥ℓ), where 퐴 is second-order. Assume that 푇푥푖 represents a number 푛푖 for each 푖 ∈ [ℓ], and that 푇퐴 represents an ℓ-ary relation, ℓ ∈ {1, 2, 3}. Then (푛1, . . . , 푛ℓ) ∈ ℐ(퐴) iff 푇 satisfies

1 ⋀︁ 휌(퐴(푥1, . . . , 푥ℓ)) := ∃F퐴 F((푥푗 ˓→ 1) ∧ (퐴 ˓→ 1푗)). 푗∈[ℓ]

1 Intuitively, with ∃F퐴 we select a trace 푡 in 풦퐴 (in case ℓ = 1 this has no effect, as unary relations are already encoded by single traces), and in the rest of the formula then check for each 푗 ∈ [ℓ] that the 1 on the trace of 푥푗 appears on 푡훴푗 at the same position. Finally, we consider the higher-order atom a(퐴). Here, 퐴 must be a unary relation symbol, so suppose 푇퐴 is a single trace that represents a set of numbers. Then a(퐴) is translated to

1 휌(a(퐴)) := ∃FaG((a ˓→ 1) (퐴 ˓→ 1)), ] which selects a witness trace from 푇a (representing a member of a) and compares it to the single trace in 푇퐴. To compare two unary relations, we synchronously traverse the traces with G and check that the ones’ positions coincide. After the atomic formulas, we now proceed with the remaining connectives. The Boolean operators are straightforward: 휌(휓1 ∧ 휓2) := 휌(휓1) ∧ 휌(휓2) and 휌(¬휓) := ∼휌(휓). Finally, the quantifiers of arithmetic will be simulated by ∃1 and ∃⊆, where we have additional subformulas that ensure that the resulting subteam still represents a number or relation, respectively. We can assume that all quantifiers are existential since ∀푋휓 ≡ ¬∃푋¬휓. For first-order 푥, let

1 휌(∃푥 휓) := ∃F푥((F푥 ˓→ Fend) ∧ 휌(휓)) where F푥 ˓→ Fend excludes the trace that gets stuck in a loop of zeroes (cf. Figure 3). For unary second-order 푋, we simply map

1 휌(∃푋 휓) := ∃F푋 휌(휓) since any trace in 푇F푥 represents a unary relation and vice versa (cf. Figure 4). For arity ℓ > 1, recall that a relation is represented as a set of ℓ-tuples, each sitting on its own trace (cf. Figure 5). Consequently, ⊆ (︀ )︀ 휌(∃푋 휓) := ∃F푋 (F푋 ˓→ ¬¬Fend) ∧ 휌(휓) .

27 Here, with ¬¬Fend we say that no trace indefinitely avoids end, in other words, all traces represent some tuple. Third-order relations are again easy, ⊆ 휌(∃a 휓) := ∃Fa휌(휓), since again any subteam of 푇a represents a valid subset of ℘N and vice versa (cf. Figure 4). In the next lemma, let 풦휙 again be the full structure defined as on p. 25. 휙 Lemma 5.4. N  휙 iff 푇 (풦 )  휌(휙). Proof. By straightforward induction.

Note that all constructed formulas are expressible in LTL1(∼, F), i.e., with only the temporal operator F and without nesting of temporal operators. In particular, observe ⊆ that constructs such as ∃F푋 휓 and F푋 ˓→ 휓 do not add to the nesting depth of 휓. Since all the above formulas only involve standard recursion, they are easily shown logspace-computable. Likewise, the structure 풦휙 is logspace-computable as it only consists of 푛 instances of constant substructures, where 푛 is the quantifier rank of 휙, with added propositions. This concludes the main theorem of this section. 3 Theorem 5.5. Δ0 is reducible to model checking of LTL1(∼, F). In fact, this yields also lower bounds for some countable cases. For this, observe that all gadgets except Figure 4 also work if we consider only ultimately periodic (or even ultimately constant) traces, that is, if every trace carries only finite information. As a consequence, if we forbid third-order variables and also represent unary relations as (infinite) sets of traces representing 1-tuples, then the reduction goes through and utilizes only ultimately constant traces. This leads to the following result: 2 Theorem 5.6. Δ0 is reducible to ultimately periodic model checking and ultimately constant model checking of LTL1(∼, F). In the next section, we reduce model checking to satisfiability, and thus close the circle 3 2 of logspace-reductions between these two problems and Δ0 (resp. Δ0).

6 From Model Checking to Satisfiability

A well-known feature of classical LTL is that its model checking problem can be reduced to satisfiability (cf. Sistla and Clarke [27]). The idea is, given a structure 풦, to encode it in a “characteristic formula” 휒풦 such that 푡  휒풦 if and only if 푡 is a trace in 풦. As a consequence, 휒풦 → 휙 is valid (that is, its negation unsatisfiable) if and only if 푇 (풦)  휙. We elaborate a bit, following Schnoebelen [25]. Let 풦 = (푊, 푅, 휂, 푟) be a structure over a finite set 훷 ⊆ AP of propositions. W.l.o.g. there are distinct propositions 푝푤 for every ′ ′ 푤 ∈ 푊 such that 푝푤 ∈ 휂(푤) and 푝푤 ∈/ 휂(푤 ) for 푤 ≠ 푤. Then the formula 휒풦 is: ⋁︁ (︁ ⋀︁ ⋀︁ ⋀︁ ⋁︁ )︁ 휒풦 := 푝푟 ∧ G 푝푤 ∧ ¬푝푤′ ∧ 푞 ∧ ¬푞 ∧ X푝푤′ 푤∈푊 푤′∈푊 푞∈휂(푤) 푞∈훷 (푤,푤′)∈푅 푤′̸=푤 푞∈ /휂(푤)

28 Every trace in 풦 satisfies 휒풦, and conversely, a trace that satisfies 휒풦 is in 풦. An analogous construction for LTL(∼) would be a formula 휒 such that 푇  휒 if and only if 푇 = 푇 (풦). However, in team-semantics, things become complicated: Any classical formula, such as 휒풦, defines a downward closed class of traces, and as such itdefines the subteams of 푇 (풦). This is sufficient if 휙 itself is downward closed, and indeed, then 푇 (풦)  휙 iff ¬휒풦 ∨휙 is valid, which reduces the model checking problem in team semantics to the validity problem. If now 휙 itself is not downward closed, then we need some non-classical formula that requires the actual existence of traces of 풦 in the team (which is again not a downward closed property). A formula 휙 defines a team 푇 (up to 훷) if it defines the class of teams 푇 ′ such that ′ 푇 훷 = 푇 . Thus we need to define the team 푇 (풦) up to 훷, where 훷 is the set of all propositions that occur in 휙. Our approach works in two steps. First we give a formula 휉 that defines the full team 휔 T = (℘훷) , and then we use the formula 휒풦 to “weed out” traces not in 푇 (풦). For this, we use the fact that T휒풦 = 푇 (풦); recall that 푇휓 = {푡 ∈ 푇 | {푡}  휓}. Also recall that 푇  휙1 ˓→ 휙2 iff 푇휙1  휙2. Then we obtain

푇 (풦)  휙 ⇔ T  휒풦 ˓→ 휙, and (⋆) T  휓 ⇔ 휉 ∧ 휓 is satisfiable (⇔ 휉 휓 is valid), (⋆⋆) _ for all formulas 휙, 휓 that contain only propositions from 훷. Combining (⋆) and (⋆⋆) yields a reduction from model checking to satisfiability. It remains to construct the formula 휉 that defines T. We split this task into two steps, which each can be implemented in LTL(∼):

1. Force all traces of the form ∅*{푝}∅휔 to appear in the team, where 푝 ∈ 훷.

⋃︀ ′ 2. For every subset 푇 of traces as in 1., force that the trace defined by 푡(푖) := 푡′∈푇 푡 (푖) exists as well. As every trace can be expressed this way, this yields T.7

To simplify the constructions, we make some refinements to this idea. First, we introduce an auxiliary proposition # ∈/ 훷 to mark the positions after {푝}. We also define the augmented team

T# := T ∪ {∅푛{푝}{#}휔 | 푛 ≥ 0, 푝 ∈ 훷}.

# Defining this team clearly suffices, as T 훷 = T. In what follows, we refer to traces of the form ∅*{푝}{#}휔 as prototraces, as we build all other traces from these. Prototraces are easily recognized in the team as they satisfy the LTL-formula F#, while “regular” traces do not.

7Readers familiar with HyperLTL will notice that this is why LTL(∼) can enforce uncountable teams and HyperLTL cannot. Roughly speaking, HyperLTL quantifies traces and binds them to trace variables, but cannot quantify and bind infinitely many traces at once.

29 The following LTL-formula defines prototraces, as it states that exactly one proposition 푝 appears, that # must appear directly afterwards, and that from that position on, #∧¬푝 holds forever.

⋁︁ (︁ ⋀︁ ′ )︁ 휉⊆proto := ¬¬ F푝 ∧ G¬푝 ∧ G(푝 → X#) ∧ G(# → ¬푝 ∧ G#) 푝∈훷 푝′∈훷∖{푝}

Conversely, the non-classical formula

⋀︁ 1 휉⊇proto := G∃ 푝 푝∈훷 states for every 푖 ≥ 0 and 푝 ∈ 훷 that 푝 appears on some trace at position 푖. Consequently, 휉proto := 휉⊆proto ∧ 휉⊇proto means that the team contains precisely all prototraces. Now we can quantify over sets of prototraces and state that their position-wise union appears as a trace, by saying that 푝 is false iff it is false in all prototraces:

⊆ 1 ⋀︁ (︀ )︀ 휉 := (F# ˓→ 휉proto) ∧ ∀F#∃¬F# G (¬F# ˓→ ¬푝) (F# ˓→ ¬푝) 푝∈훷 ]

Altogether, 휉 is the desired formula that defines T#. A short inspection of the involved formulas reveals that they are all expressible in 1 1 LTL2(∼, F, X). For this, again note that ˓→, ∀ , ∃ and so on do not increase temporal nesting, and that G is the same as ∼F∼.

Theorem 6.1. Let 푘 ≥ 2. Then the model checking problem of LTL푘(∼, F, X) is reducible to its satisfiability problem. In fact, it is possible to eliminate X from the reduction (assuming that 휙 itself is an X-free formula). This is shown in the next subsection.

6.1 A hard stutter-invariant fragment Let again a formula 휙 and an input structure 풦 = (푊, 푅, 휂, 푟) be given, but now with 휙 ∈ LTL1(∼, F). In particular, 휙 is now stutter-invariant. By Theorem 5.5, this fragment of model checking is already as hard as the full problem. First, we restate the first part of the reduction, that is, from model checking totruth in T#, in the stutter-invariant fragment:

Lemma 6.2. The model checking problem of LTL1(∼, F) is reducible to truth of LTL2(∼, F)- formulas in T#.

This requires eliminating the X-operator in the formula 휒풦 (cf. p. 28). The idea is to simulate it by using “helper” prototraces. The following table illustrates this.

푡 · · · ∅ {푥}{#}{#}··· 푡′ · · · ∅ ∅ {푦}{#}··· 푡′′ ··· 휂(푤) 휂(푤′) 휂(푤′′) 휂(푤′′′) ···

30 We arbitrarily pick two distinct propositions 푥, 푦 ∈ 훷 (w.l.o.g. |훷| ≥ 2). Call a trace 푡 active at position 푖 if 푡(푖) ∩ 훷 ̸= ∅. We quantify two prototraces 푡, 푡′ such that 푡 is active with 푥 first, and 푡′ is active with 푦 directly after. We say this by stating that 푥 and 푦 do not occur together, and also # may not occur simultaneously with 푥 or ∅, so 푦 must appear immediately when 푥 is gone. (︀ )︀ 휁1 := F# ˓→ G ∼(푥 ∨ 푦) ∧ ∼(# ∨ 푥) ∧ ∼(# ∨ (¬푥 ∧ ¬푦 ∧ ¬#)

This enables us to access consecutive positions in 푡′′ by querying whether a prototrace is active with 푥 or 푦, respectively. Hence we can state that 푥 and 푦 appear together with ′ propositions 푝푤 and 푝푤′ , respectively, such that 푤, 푤 are successors: ⋁︁ 휁2 := G((F# ˓→ ¬푥) (¬F# ˓→ 푝푤)) ∧ G((F# ˓→ ¬푦) (¬F# ˓→ 푝푤′ )) (푤,푤′)∈푅 6 6

1 1 1 Let 휁 := ∀¬F# ∀(F#∧F푥) ∀(F#∧F푦) (휁1 휁2). Then 휁 says that every non-prototrace _ contains a sequence 푝푤1 , 푝푤2 ,... of variables only if 푤1, 푤2,... is a path in 풦. The formula ′ 휒풦 that replaces 휒풦 can now be chosen as (︂ )︂ ′ (︁ ⋁︁ ⋀︁ ⋀︁ ⋀︁ )︁ 휒풦 := (¬F#) ˓→ ¬¬ 푝푟 ∧ G (푝푤 ∧ ¬푝푤′ ∧ 푞 ∧ ¬푞) ∧ 휁 푤∈푊 푤′∈푊 푞∈휂(푤) 푞∈ /휂(푤) 푤′̸=푤

As before, we want to check 휙 only in 푇 (풦), so we split the full team into 푇 (풦) and 휔 (℘훷) ∖ 푇 (풦). However, in contrast to before we cannot simply write 휒풦 ˓→ 휙 anymore. The reason is that both sides of the splitting now need access to prototraces, but due to ˓→ T# the definition of (p. 9), the subteam 휒풦 would not contain any. ′′ ′ To solve this, let 휒풦 be a copy of the formula 휒풦, but with the propositions 푥 and 푦 replaced by different distinct propositions 푥′ and 푦′, which are w.l.o.g. in 훷. One subteam # ′ of T now contains all traces in 푇 (풦), witnessed by 휒풦 using prototraces for 푥 and 푦; and the remaining subteam contains all traces in (℘훷)휔 ∖ 푇 (풦), witnessed by prototraces for 푥′ and 푦′:

# (︁ ′ ′ ′ )︁ 푇 (풦)  휙 ⇔ T  (F# ˓→ G(¬푥 ∧ ¬푦 )) ∧ 휒풦 ∧ (¬F# ˓→ 휙) (︁ ′′ )︁ ∨ (F# ˓→ G(¬푥 ∧ ¬푦)) ∧ ∼휒풦

# The above formula is a reduction from model checking to truth in T for LTL2(∼, F)- formulas. Next, we proceed with the second step by mapping the set of formulas true in T# to the satisfiability problem.

# Lemma 6.3. Truth of LTL2(∼, F)-formulas in T is reducible to the satisfiability problem of LTL2(∼, F).

31 # This boils down to finding an LTL2(∼, F)-formula that defines T (up to stutter- equivalence). We start with the formula that defines prototraces. Without X, we can only define traces of the form ∅*{푝}+{#}휔, which are stutter-equivalent to prototraces. For this, the formula 휉 (cf. p. 30) is changed to 휉′ where the subformula G(푝 → X#) is replaced with G(푝 → (F# ∧ G(푝 ∨ #))). A problem arises when considering teams: It may still be that the whole team is not stutter-equivalent to a team of prototraces, although every trace is, as the following example illustrates. The team depicted below is stutter-free, but not stutter-equivalent to a team of prototraces.

푡 ∅ {푝}{푝}{#}{#}··· 푡′ ∅ ∅ {푞}{푞}{#}···

So we need to control the stuttering throughout the team. The following formula stipulates that whenever prototraces overlap, in the sense that they have a common active position, their active positions are identical altogether (but not necessarily the labeled proposition). ⋁︀ ⋁︀ We write 훷 short for 푝∈훷 푝.

⊆ (︁ (︁ ⋁︁ ⋁︁ ⋁︁ )︁)︁ 휓stutter,1 := ∀F# #F ˓→ (F 훷) G((¬# ∧ ¬ 훷) # 훷) _ 6 6 With this, the situation depicted before cannot occur, and we obtain a team that is stutter-equivalent to a team of prototraces. However, this is still not sufficient when other traces come into play, as the following example shows:

푡 ∅ {푝}{푝}{#}{#}··· 푡′ ∅ ∅ ∅ {푞}{#}··· 푡′′ 휂(푤) 휂(푤′) 휂(푤′′) ·········

The “regular” traces can still advance faster than the supposed prototraces, and as a consequence, the whole team is again not stutter-equivalent to T#. This can be remedied as follows. We stipulate that, whenever a prototrace 푡 is active, no non-prototrace may change its label until 푡 switches to #:

1 1 ⋀︁ (︁ (︀ )︀ 휓stutter,2 := ∀F#∀¬F# F (F# ˓→ 푞) ∧ (¬F# ˓→ ℓ) 푝∈훷 (︀ )︀)︁ ℓ∈{푝,¬푝} G (F# ˓→ 푞) (¬F# ˓→ ℓ) 푞∈훷 _ _ Here, the first line asks whether there is some common position where a prototrace 푡 is active and a normal trace 푡′ satisfies some literal ℓ. If so, then the second line states that ′ 푡 must satisfy ℓ in all positions where 푡 is active. Let 휓stutter := 휓stutter,1 ∧ 휓stutter,2. Now we have achieved that the whole team stutters whenever a prototrace stays active. For this reason, every prototrace stays active for effectively only one time step. Formally, ′ # for any team 푇 , it holds that 푇  휉 ∧ 휓stutter if and only if 푇 ≡st T . As a consequence,

32 we obtain

# # T  휙 ⇔ ∃푇 : 푇 ≡st T and 푇  휙 (as 휙 is stutter-invariant) ′ ′ ⇔ ∃푇 : 푇  휉 ∧ 휓stutter ∧ 휙 (construction of 휉 and 휓stutter) ′ ⇔ 휉 ∧ 휓stutter ∧ 휙 is satisfiable.

Again, all formulas have temporal depth at most two and use only temporal operators F and G. Combining Lemma 6.2 and Lemma 6.3 yields:

Theorem 6.4. Let 푘 ≥ 2. Then the model checking problem of LTL푘(∼, F) is reducible to its satisfiability problem.

6.2 The countable cases We showed in Theorem 4.6 and 5.6 that model checking of ultimately periodic/constant 2 traces in a structure is equivalent to Δ0. Here, we transfer this result also to the satisfiability problem. We focus on ultimately constant traces as our result will also cover the ultimately periodic case. # # Let Tulc resp. Tulc be the team of all ultimately constant traces in T resp. T . Then, we need the following result, analogously to Lemma 6.2:

푇ulc(풦)  휙 ⇔ Tulc  휒풦 ˓→ 휙

But we need to address a subtle issue first. For the formula 휒풦 to work, we assumed that each state 푤 of the structure has some proposition 푝푤 labeled uniquely in that state. For general model checking, this was no loss of generality. But unfortunately, adding such propositions changes the set of ultimately constant paths! The following example illustrates this.

0 0 푤 푤′

This structure has exactly one path from any state, which also induces an ultimately constant trace. But adding propositions as mentioned before leads to the situation that the team of ultimately constant traces is empty, and certainly this is not a valid reduction. To make the same reduction work, we need to ensure that ultimately constant traces are induced by paths through the structure that themselves are “ultimately constant”, 2 i.e., visit only one state infinitely often. However, note that the reduction from Δ0 in Section 5 uses precisely such structures. In these, the ultimately constant traces are only induced by paths that get stuck in a loop, i.e., in an edge of a state to itself. Therefore we can strengthen Theorem 5.6 and obtain the following lemma.

2 Lemma 6.5. Δ0 is reducible to ultimately constant model checking of LTL1(∼, F) on structures where all states have pairwise distinct labels.

33 Thus we can assume the propositions 푝푤 for 푤 ∈ 푊 labeled as before, and obtain

푇ulc(풦)  휙 ⇔ Tulc  휒풦 ˓→ 휙.

# Next, we show that X can again be eliminated from 휒풦. As Tulc includes all prototraces (which are ultimately constant), we can use the same formula as before on p. 31:

# (︁ ′ ′ ′ )︁ 푇ulc(풦)  휙 ⇔ Tulc  (F# ˓→ G(¬푥 ∧ ¬푦 )) ∧ 휒풦 ∧ (¬F# ˓→ 휙) (︁ ′′ )︁ ∨ (F# ˓→ G(¬푥 ∧ ¬푦)) ∧ ∼휒풦

This leads to the analogous reduction:

Lemma 6.6. Ultimately constant model checking of LTL1(∼, F) on structures where all # states have pairwise distinct labels is reducible to truth of LTL2(∼, F) in Tulc. # It remains to reduce the truth problem of Tulc to the satisfiability problem, as done before for T# in Lemma 6.3. There, we showed that

# ′ T  휙 ⇔ (휉 ∧ 휓stutter ∧ 휙) is satisfiable,

′ # where 휉 , 휓stutter and 휙 all are LTL2(∼, F)-formulas. To define the team T by a formula, we previously used the formula 휉′, in particular the subformula

⊆ 1 ⋀︁ (︀ )︀ ∀F#∃¬F# G (¬F# ˓→ ¬푝) (F# ˓→ ¬푝) (⋆) 푝∈훷 ] of 휉′ (cf. p. 30) claimed that the position-wise union of every subset of prototraces appears as a regular trace in the team. This now has to be restricted to ultimately constant traces. Ultimately constant traces are defined by the LTL-formula ⋀︁ 훼 := (FG푝 ∨ FG¬푝). 푝∈훷

However, we want to express something slightly different: that the union of the currently selected (ultimately constant) prototraces is still ultimately constant, which is not the case in general. For this, we state that, in some suffix, 푝 ∈ 훷 either appears in no prototrace (that is, FG¬푝 holds), or that at every position, 푝 appears in some prototrace (FG∼¬푝 holds): ⋀︁ 훼′ := F# ˓→ (FG¬푝 FG∼¬푝) 푝∈훷 6

Accordingly, we obtain the formula 휉′′ by adding 훼′ to the above subformula (⋆) of 휉′:

⊆ (︁ ′ 1 ⋀︁ (︀ )︀)︁ ∀F# 훼 ∃¬F# G (¬F# ˓→ ¬푝) (F# ˓→ ¬푝) _ 푝∈훷 ]

34 By this, we force only the ultimately constant traces to appear. In total, we change the reduction to

′′ 휙 ↦→ 휉 ∧ 휓stutter ∧ ¬¬훼 ∧ 휙.

′′ # Now 휉 ∧ 휓stutter ∧ ¬¬훼 defines Tulc up to stuttering. More precisely, a similar equivalence chain as in the proof for Theorem 6.4 follows:

# # Tulc  휙 ⇔ Tulc  ¬¬훼 ∧ 휙 (as ¬¬훼 defines ultimately constant teams) # ⇔ ∃ 푇 : 푇 ≡st Tulc and 푇  ¬¬훼 ∧ 휙 (as ¬¬훼 and 휙 are stutter-invariant) ′′ ′′ ⇔ ∃푇 : 푇  휉 ∧ 휓stutter ∧ ¬¬훼 ∧ 휙 (construction of 휉 and 휓stutter) ′′ ⇔ 휉 ∧ 휓stutter ∧ ¬¬훼 ∧ 휙 is satisfiable.

Lemma 6.7. Let 풞 contain at least all ultimately constant traces. Then the truth # of LTL2(∼, F)-formulas in Tulc is reducible to the 풞-restricted satisfiability problem of LTL2(∼, F).

The combination of Lemmas 6.5 to 6.7 yields:

2 Theorem 6.8. Let 풞 contain at least all ultimately constant traces. Then Δ0 is reducible to the 풞-restricted satisfiability problem of LTL2(∼, F).

In particular, the reduction in Lemma 6.7 produces formulas that are either unsatisfiable, or satisfied by some ultimately constant and hence countable team:

2 Corollary 6.9. Δ0 is reducible to the countable satisfiability problem of LTL2(∼, F).

6.3 Finite satisfiability Finally, we investigate the complexity of the problem of finite satisfiability, i.e., whether a formula is true in some team generated by a finite structure. Unlike in classical LTL, this is a genuinely different problem. In LTL, every satisfiable formula is satisfied by an ultimately periodic trace [27], which itself is always finitely generated. However, for example, the LTL(∼)-formula

(G∃1(푝 ∧ X¬푝)) ∧ ∀1(푝UG¬푝) defines the team {{푝}푛∅휔 | 푛 ≥ 1}, which is not generated by any finite structure [20]. The full team T is not finitely generated for the simple reason that its traces differ on # # the first position. The same holds for T , Tulc and Tulc. However, avoiding this problem is not too difficult, we will show that these teams can actually be simulated bytraces with a common root. The idea is to “delay” the first label—we do not ask if a proposition 푝 is true at the beginning, but rather if there is some point in the future where 푝← holds, where 푝← is a fresh proposition that does not interact with the formula otherwise.

35 We add a new proposition root and claim that it is true in some non-empty, finite prefix of the team, consistently across all traces, and that nothing else is labeled simultaneously:

⋀︁ ← 휓root := root ∧ F¬root ∧ G((root ∧ ¬# ∧ (¬푝 ∧ ¬푝 )) G¬root) 푝∈훷 6

Modulo stuttering, this is of course equivalent to every trace 푡 having the initial label 푡(0) = {root} and root ∈/ 푡(1), 푡(2), ··· . In the initial prefix, the value of any proposition 푝 ∈ 훷 on a trace is now simulated by the truth of F푝←. We carefully replace 푝 in the formulas as follows in order to not increase the temporal depth to three.

• In 훼 and 훼′, that is, the formulas stated on p. 34 that say that a trace is ultimately constant, we change nothing, since disturbing 푝 on a finite prefix of a trace does not alter whether it is ultimately constant or not.

• The subformula G(푝 → (F# ∧ G(푝 ∨ #))) of 휉′, which states that on prototraces the proposition 푝 is followed by # (after possible stuttering of 푝), is replaced by G(︀(푝 ∨ F푝←) → (F# ∧ G(root ∨ 푝 ∨ #)))︀.

• Every other occurrence of 푝 ∈ 훷 has been only at temporal depth at most one, and can thus be replaced with 푝 (root ∧ ¬¬F푝←) without increasing the total temporal depth of two. 6

Afterwards, the formula 휓root is appended to the reduction. The team T# with the above changes is finitely generated: Add arcs from a root state with label {root} to a fully connected set of states, one for each possible label, to generate T. For the prototraces, add a single path from the root that cycles through an empty label (or skips this altogether), eventually visits some 푝 ∈ 훷 and then cycles through {#}. # Moreover, the ultimately constant traces in this structure form precisely the team Tulc. By this, we can adapt Theorem 6.8 to the case of finitely generated teams.

2 Theorem 6.10. Let 풞 contain at least all ultimately constant traces. Then Δ0 is reducible to the 풞-restricted finite satisfiability problem of LTL2(∼, F).

7 Conclusion

In this article, we studied the computational complexity of the logic we called LTL(∼), i.e., LTL with synchronous team semantics and with Boolean negation ∼. We showed that both the model checking and the satisfiability problem are highly undecidable, each 3 equivalent to Δ0, that is, the set of all true formulas of third-order arithmetic. The idea is that infinite traces can be seen as the characteristic sequences of subsetsof N, and teams hence represent sets of subsets of N, which are third-order objects. As one step in the hardness proof, we used the fact that LTL(∼) can enforce uncountable teams, which is possible in neither of the related logics HyperLTL [8] and team-logical LTL without

36 negation [13]. Over countable teams, for example when using only ultimately periodic 2 traces, the complexity drops down to Δ0, that is, “only” second-order arithmetic. Several known features of the high expressivity of HyperLTL manifest in LTL(∼) as well. For example, Finkbeiner and Zimmermann [8] showed that HyperLTL can enforce aperiodic traces, which is a crucial step also for our reduction to LTL(∼) where infinite sets of numbers are identified with traces. The lower complexity bounds already hold for weak fragments such as stutter-invariant LTL(∼), and in fact with only the future modality F available and temporal depth two. For model checking, even temporal depth one suffices. This deviates from classical LTL, where temporal depth at least two is required for the full hardness, for any combination of temporal operators [6, 25]. The satisfiability problem of HyperLTL, however, is undecidable already for temporal depth one [20, Theorem 5]. The question whether a similar result holds for LTL1(∼) is open. In future research, studying other weak fragments could yield further insight. Be- sides LTL1(∼), examples are the fragments using only X or with a bounded number of propositional variables, which has also been considered for classical LTL [6]. Also, the asynchronous operators might be worth investigating. With its high complexity, LTL(∼) is much harder than HyperLTL, which has a non- elementary but decidable model checking problem [4]. In fact, it seems plausible that 2 HyperLTL satisfiability is reducible to Δ0, since every satisfiable formula has a countable model [8, Theorem 2], which would again be easier than satisfiability of LTL(∼). The lower bounds presented here heavily utilize the unrestricted Boolean negation ∼ in team semantics in combination with team splitting. A sensible restriction of negation may be a first step towards finding more tractable fragments.

References

[1] Samson Abramsky, Juha Kontinen, Jouko Väänänen and Heribert Vollmer, eds. Dependence Logic, Theory and Applications. Springer, 2016. [2] Christel Baier and Joost-Pieter Katoen. Principles of model checking. MIT Press, 2008. [3] J Richard Büchi. Symposium on Decision Problems: On a Decision Method in Restricted Second Order Arithmetic. Studies in Logic and the Foundations of Mathematics. 44. Elsevier, 1966, pp. 1–11. [4] Michael R. Clarkson, Bernd Finkbeiner, Masoud Koleini, Kristopher K. Micinski, Markus N. Rabe and César Sánchez. Temporal Logics for Hyperproperties. POST. 8414. Lecture Notes in Computer Science. Springer, 2014, pp. 265–284. [5] Michael R. Clarkson and Fred B. Schneider. Hyperproperties. CSF. IEEE Computer Society, 2008, pp. 51–65. [6] Stéphane Demri and Philippe Schnoebelen. The Complexity of Propositional Linear Temporal Logics in Simple Cases. Inf. Comput. 174 (2002), no. 1, pp. 84–103.

37 [7] Bernd Finkbeiner and Christopher Hahn. Deciding Hyperproperties. CONCUR. 59. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2016, 13:1–13:14. [8] Bernd Finkbeiner and Martin Zimmermann. The First-Order Logic of Hyperproper- ties. STACS. 66. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2017, 30:1–30:14. [9] Rosalie Iemhoff and Fan Yang. Structural completeness in propositional logics of dependence. Archive for Mathematical Logic 55 (2016), no. 7-8, pp. 955–975. [10] Juha Kontinen. Dependence Logic: A survey of some recent work. Philosophy Compass 8 (2013), no. 10, pp. 950–963. [11] Juha Kontinen, Julian-Steffen Müller, Henning Schnoor and Heribert Vollmer. A Van Benthem Theorem for Modal Team Semantics. CSL. 41. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2015, pp. 277–291. [12] Andreas Krebs, Arne Meier and Jonni Virtema. A Team Based Variant of CTL. TIME. IEEE Computer Society, 2015, pp. 140–149. [13] Andreas Krebs, Arne Meier, Jonni Virtema and Martin Zimmermann. Team Seman- tics for the Specification and Verification of Hyperproperties. MFCS. 117. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2018, 10:1–10:16. [14] Antti Kuusisto. A Double Team Semantics for Generalized Quantifiers. Journal of Logic, Language and Information 24 (2015), no. 2, pp. 149–191. [15] Leslie Lamport. What Good Is Temporal Logic? Information Processing 83, R. E. A. Mason, ed., Elsevier Publishers 83 (1983), pp. 657–668. [16] Daniel Leivant. Higher order logic. Handbook of Logic in Artificial Intelligence and Logic Programming (2). Oxford University Press, 1994, pp. 229–322. [17] Martin Lück. Canonical Models and the Complexity of Modal Team Logic. Logical Methods in Computer Science Volume 15, Issue 2 (Apr. 2019). [18] Martin Lück. Team logic: axioms, expressiveness, complexity. PhD thesis. University of Hanover, Hannover, Germany, 2020. [19] Martin Lück and Miikka Vilander. On the Succinctness of Atoms of Dependency. Logical Methods in Computer Science 15 (2019), no. 3. [20] Corto Mascle and Martin Zimmermann. The Keys to Decidable HyperLTL Satisfia- bility: Small Models or Very Simple Formulas. CoRR abs/1907.05070 (2019). [21] Doron A. Peled and Thomas Wilke. Stutter-Invariant Temporal Properties are Expressible Without the Next-Time Operator. Inf. Process. Lett. 63 (1997), no. 5, pp. 243–246. [22] Amir Pnueli. The Temporal Logic of Programs. FOCS. IEEE Computer Society, 1977, pp. 46–57. [23] Hartley Rogers. Theory of recursive functions and effective computability. MIT Press, 1987.

38 [24] Klaus Schneider. Verification of Reactive Systems - Formal Methods and Algorithms. Texts in Theoretical Computer Science. An EATCS Series. Springer, 2004. [25] Philippe Schnoebelen. The Complexity of Temporal Logic Model Checking. Advances in modal logic 4 (2002), no. 393-436, p. 35. [26] Michael Sipser. Introduction to the Theory of Computation. 3rd ed. Cengage learning, 2012. [27] Aravinda Prasad Sistla and Edmund M. Clarke. The Complexity of Propositional Linear Temporal Logics. J. ACM 32 (1985), no. 3, pp. 733–749. [28] Jouko Väänänen. Dependence logic: A New Approach to Independence Friendly Logic. London Mathematical Society student texts 70. Cambridge University Press, 2007. [29] Jouko Väänänen. Modal dependence logic. New perspectives on games and interac- tion 4 (2008), pp. 237–254. [30] Moshe Y. Vardi and Pierre Wolper. An Automata-Theoretic Approach to Automatic Program Verification. LICS. IEEE Computer Society, 1986, pp. 332–344. [31] Fan Yang. Modal dependence logics: Axiomatizations and model-theoretic properties. Logic Journal of the IGPL 25 (2017), no. 5, pp. 773–805. [32] Fan Yang and Jouko Väänänen. Propositional logics of dependence. Annals of Pure and Applied Logic 167 (2016), no. 7, pp. 557–589. [33] Fan Yang and Jouko Väänänen. Propositional team logics. Annals of Pure and Applied Logic 168 (July 2017), no. 7, pp. 1406–1441.

39