The Complexity of HyperQPTL
HyperQPTL and HyperQPTL$^+$ are expressive specification languages for hyperproperties, properties that relate multiple executions of a system. Tight complexity bounds are known for HyperQPTL finite-state satisfiability and model-checking. Here, we settle the complexity of satisfiability for HyperQPTL as well as satisfiability, finite-state satisfiability, and model-checking for HyperQPTL$^+$: the former is $\Sigma^2_1$-complete, the latter are all equivalent to truth in third-order arithmetic, i.e., all four are very undecidable.
💡 Research Summary
The paper investigates the decision problems associated with two expressive hyperproperty specification languages, HyperQPTL and its extension HyperQPTL⁺. Hyperproperties are properties that relate multiple executions (traces) of a system, and they have found applications in security, privacy, epistemic reasoning, and verification. While model checking for many hyperlogics (e.g., HyperLTL, HyperCTL*) is decidable—though often with very high complexity—satisfiability tends to be far more difficult, frequently landing in undecidable or highly undecidable regions of the arithmetic and analytical hierarchies.
The authors first formalise the syntax and semantics of HyperQPTL. Formulas may quantify over trace variables (π) and over propositional variables (q). The crucial semantic distinction is that quantification over a proposition in HyperQPTL is uniform: after quantifying a proposition p, all traces in the model must agree on the truth value of p at each position. HyperQPTL⁺ relaxes this to non‑uniform quantification, allowing each trace to assign its own truth values to the quantified proposition. This non‑uniformity dramatically increases expressive power.
The main contributions are twofold:
- Complexity of HyperQPTL satisfiability

The authors prove that the satisfiability problem for HyperQPTL is Σ²₁‑complete. The lower bound (Σ²₁‑hardness) is established by a polynomial‑time reduction from any Σ²₁ sentence of third‑order arithmetic (∃Y₁…∃Y_k ψ, where ψ contains only first‑ and second‑order quantifiers) to a HyperQPTL formula. The reduction encodes sets of natural numbers as traces using a distinguished atomic proposition x. A global formula θ_all forces the model to contain a trace for every possible subset of ℕ, guaranteeing that the model can represent any set needed for the arithmetic encoding. Consistency of markings across traces is enforced by a set of marker propositions m_j and a consistency formula θ_cons. Arithmetic operations (addition, multiplication) are simulated using known HyperLTL constructions (θ(+, ·)). The translation of ψ into HyperQPTL (the hyp(·) mapping) systematically replaces each arithmetic quantifier with an appropriate trace quantifier and uses the encoding to represent membership, ordering, and arithmetic relations. The authors argue that the original Σ²₁ sentence holds in the standard model of arithmetic iff the constructed HyperQPTL formula is satisfiable.

For the upper bound, they show that any HyperQPTL formula can be encoded as a Σ²₁ sentence. Traces are represented as sets of natural numbers, and the semantics of the temporal operators (X, F) and propositional quantifiers can be expressed using first‑order arithmetic. Because the size of any model is bounded by the cardinality of the continuum (c), the existential third‑order quantifier needed to guess a set of traces can be captured by a Σ²₁ existential quantifier over a set of sets of naturals. Hence HyperQPTL satisfiability lies in Σ²₁, establishing Σ²₁‑completeness.
- Complexity of HyperQPTL⁺ problems

The paper then turns to HyperQPTL⁺ and shows that its satisfiability, finite‑state satisfiability, and model‑checking problems are all equivalent to truth in third‑order arithmetic. The key observation is that HyperQPTL⁺ can simulate quantification over arbitrary sets of traces, which is precisely the power of second‑order quantification over sets of naturals. By proving that HyperQPTL⁺ and Hyper2LTL (a second‑order hyperlogic) have the same expressive power, the authors reduce the three verification problems to the decision problem “does a given third‑order arithmetic sentence hold in the standard model of arithmetic?” This problem is known to be very undecidable: it lies beyond the arithmetical hierarchy and is not even recursively enumerable. Consequently, all three HyperQPTL⁺ problems inherit this extreme undecidability.
The paper also includes auxiliary results, such as a theorem demonstrating the existence of a satisfiable HyperQPTL sentence whose only models have cardinality equal to the continuum, underscoring the necessity of handling models of maximal size in the reductions.
In summary, the authors settle several open complexity questions in the landscape of hyperlogics. HyperQPTL satisfiability is precisely Σ²₁‑complete, placing it at the second level of the analytical hierarchy but still within the realm of definable decision problems. In stark contrast, HyperQPTL⁺ pushes the verification problems into the realm of third‑order arithmetic, rendering them “very undecidable.” These results delineate a clear boundary between the expressive capabilities of uniform versus non‑uniform propositional quantification in hyperlogics and provide a rigorous foundation for understanding the limits of automated reasoning about hyperproperties.