Distributed synthesis is simply undecidable
Sven Schewe
University of Liverpool, United Kingdom
Information Processing Letters 114 (2014) 203–207
Article history:
Received 17 May 2013
Received in revised form 6 November 2013
Accepted 14 November 2013
Available online 26 November 2013
Communicated by L. Viganò
Keywords:
Formal methods
Distributed synthesis
Undecidability
Temporal logic
Abstract
The distributed synthesis problem of safety and reachability languages is known to be undecidable. In this article, we establish that this is the case for very simple languages, namely for safety and reachability specifications in the intersection of LTL and ACTL.
© 2013 The Author. Published by Elsevier B.V. Open access under CC BY license. http://dx.doi.org/10.1016/j.ipl.2013.11.012

1. Distributed synthesis
Synthesis, also known as Church's solvability problem [5], is the problem of defining a circuit that continually reacts on an infinite input stream by producing one output letter after receiving one input letter. Church's solvability problem was first raised for specifications in S1S (monadic second order logic of one successor). It inspired the great works of Büchi and Landweber on finite games of infinite duration [2–4] and of Rabin on finite automata over infinite structures [13,14].
Pnueli and Rosner extended the question to a setting where the processes have access to incomplete information [12,10,9,7,1]. They introduced architectures, where the communication from an external environment to working processes and the communication between working processes is through boolean variables. The same boolean variables serve as atomic propositions in the specification. Pnueli and Rosner have shown that the synthesis problem is undecidable for the architecture shown in Fig. 1 [12] and hence in general, and Finkbeiner and Schewe [7] have identified the class of architectures in which synthesis is decidable.
In this article, we show that distributed synthesis is undecidable even for the syntactic safety and reachability fragments of LTL [11,6], of ACTL [6], and of their semantic intersection. The undecidability of safety and reachability languages has been established in [8], using a reduction to tiling languages. Besides using weak fragments of temporal logics, we use the standard reduction to halting problems. We believe that this reduction is more accessible for the community. It is also more instructive in that the adjustments needed to the classic proof become clear.
We assume that the reader is familiar with temporal logics [11,6] and the distributed synthesis question [12,10,9,7]. For architectures [12,9,10,7], it is enough to know that they are directed graphs whose vertices are processes that operate synchronously on a joint system clock. The edges are labelled with variables that serve as a means to communicate between processes, and as the propositions of the specification. The processes consist of an environment, which cannot be controlled and provides an unconstrained behaviour, and processes for which we want to construct a control strategy (the circuit in Church's [5] terms). This control strategy may only use information available to the processes through their respective input stream. The joint behaviour of the resulting system is required to satisfy the specification.
Fig. 1. The architecture from the classic undecidability proof of Pnueli and Rosner [12].
We follow [7] by restricting the variables such that each variable can only occur on the outgoing edges of one process (but may be read by many processes) and by allowing for processes that have a fixed finite implementation. (For such processes, no implementation needs to be synthesised. Verification can be viewed as the special case where all processes have a fixed implementation.)
2. The standard undecidability proof
We start by revisiting the classical argument of Pnueli and Rosner that the architecture from Fig. 1 is undecidable. Their argument uses the incomplete information the processes have to force them to faithfully emit sequences of configurations of deterministic Turing machines (DTMs).
A configuration of a deterministic Turing machine (DTM) is represented as a finite string C composed of:
1. the (possibly empty) sequence of tape symbols to the left of the read–write head, followed by
2. the state of the DTM, followed by
3. the (possibly empty) sequence of tape symbols to the right of the read–write head up to the first blank symbol.
The position of the read–write head is represented by a state symbol (the set of state symbols contains the halt symbol), while a position on the tape (different from blank) is represented by a tape symbol. Thus, a configuration is a sequence tape∗ state tape∗ blank. (For readability, we henceforth refer to the representation of C as C, too, as it is always clear which of the two is meant.) When a start symbol is issued by the environment, this is reflected by start.
The fact that a configuration C is the successor configuration of a configuration D is denoted by D  C. When C and D are emitted concurrently starting at the same time, then D  C is a local property that can be reflected by a small and simple LTL (or ACTL) formula, because the read–write head can only move one field and the tape can only change below the read–write head.
Pnueli and Rosner have devised a specification that forces both processes of the architecture from Fig. 1 to emit the correct sequence C1, C2, C3, C4, ... of configurations of a given DTM, such that C1 is the start configuration and C1  C2  C3  C4  ··· holds, upon receiving their respective start symbol, through a conjunction of specifications that require the following.
1. Before receiving the first start symbol, the processes emit a sequence of blank symbols.
2. After receiving the first start signal, each process emits sequences of configurations of the DTM.
3. After receiving the first start signal, each process emits the first two configurations of the DTM correctly.
4. If process pi and process p1−i start at the same time to emit the configurations Ci and C1−i, respectively, such that Ci  C1−i holds and pi emits the configuration Di next, then p1−i emits the configuration D1−i with Di  D1−i next.
As the conjunction of these specifications forces the processes p0 and p1 from Fig. 1 to emit the correct sequence of Turing machine configurations, we can reduce the halting problem to the synthesis problem for the architecture from Fig. 1 by adding the following specification.
5. A process that receives a start symbol eventually emits a halting configuration.
Theorem 2.1. (See [12].) The distributed synthesis problem for the architecture from Fig. 1 is undecidable for LTL specifications.
3. Undecidability for temporal safety speciﬁcations
We first show that this undecidability argument can be adjusted to use only safety specifications. The first observation is that, with safety specifications, we cannot require that a configuration is emitted, but we can require that a sequence is output that can be extended to a configuration. For this we define pseudo-configurations and require for a pseudo-configuration C that it is composed of the following:
1. a (possibly empty) sequence of tape symbols to the left of the read–write head. This sequence might be infinite. If it is finite, it is followed by
2. a state of the DTM, which is followed by
3. a (possibly empty) sequence of tape symbols to the right of the read–write head. This sequence may be infinite. If it is finite, it is followed by a blank symbol.
The requirement that a sequence encodes a pseudo-configuration can be represented by γ = tape W (state ∧ ○¬state) W tape W blank. As a specification, we consider a conjunction of the following requirements.
1. Before and when receiving the first start signal, the processes emit a sequence of blank symbols: (blank ∧ ¬start) W (blank ∧ start).
2. After receiving the first start signal, each process emits a sequence of pseudo-configurations of the DTM: ¬start W (start ∧ φ) with φ = ¬blank ∨ ○γ.
3. After receiving the first start signal, each process emits the first two configurations of the DTM correctly: ¬start W (start ∧ ψ), where ψ forces the correct emission of the first two configurations. Note that ψ requires us to output a particular finite sequence.
4. If process pi and process p1−i start at the same time to emit the configurations Ci and C1−i, respectively, such that Ci  C1−i holds, and pi emits the configuration Di next, then p1−i emits the configuration D1−i with Di  D1−i next.
5. No process ever outputs a halt state: ¬halt.
Lemma 3.1. The resulting formulas are safety formulas that can be expressed in LTL and ACTL.
Proof. For all but (4), the LTL specifications are given above. For (4), one can again use a specification of the form ¬starti W (starti ∧ (¬blanki ∨ ¬blank1−i ∨ θ)). Here θ requires that the next two pseudo-configurations emitted, Ci and Di for process i and C1−i and D1−i for process 1 − i, satisfy Ci  C1−i, or Ci  C1−i and Di  D1−i.
For pseudo-configurations Ci and C1−i, Ci  C1−i is a safety property, whose violation occurs when Ci  C1−i is observed. We formalise this safety specification by requiring an output sequence that satisfies:
• a sequence of equal tape symbols output by p0 and p1 (weak) until (the weak until is the LTL operator W) there is a short sequence that is not equal and that does not reflect a single step¹ of the DTM, or
• a sequence of equal tape symbols output by p0 and p1 (weak) until there is a short sequence that reflects a single step¹ followed by a sequence of equal tape symbols (weak) until different symbols are emitted.
Similarly, one can reflect Ci  C1−i and Di  D1−i by a safety formula, taking into account that, if C1−i is longer (which happens when the DTM writes, in the configuration represented by Ci, on a previously empty tape cell), then each symbol of the configuration Di must be compared with the symbol emitted in the following step by D1−i.
The specification we obtain by using these building blocks is in the syntactic safety fragment of LTL. Adding a universal path quantifier in front of each temporal operator results in an equivalent specification in the syntactic safety fragment of ACTL.
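As an added worked example (not from the paper), the following Python script makes the encoding of Section 2 and the local safety check of Lemma 3.1 concrete: it encodes configurations of a constructed toy DTM as strings tape∗ state tape∗ blank, decides the successor relation letter by letter using only the three-symbol window of footnote 1, and monitors bad prefixes of γ. The toy machine, its symbol names and all function names are assumptions of this example.

```python
import re

# Constructed toy DTM (an assumption of this example, not from the paper).
# Every symbol is one character, so one letter is emitted per clock tick: tape
# symbols "0"/"1", states "A" (working) and "H" (halt), "_" the blank terminator.
BLANK, HALT = "_", "H"
STATES = {"A", HALT}
# DELTA[(state, symbol under head)] = (new state, symbol written, head move);
# this machine complements every bit, then halts with the head one cell back.
DELTA = {("A", "0"): ("A", "1", "R"),
         ("A", "1"): ("A", "0", "R"),
         ("A", BLANK): (HALT, BLANK, "L")}

def head_index(conf):
    """Position of the unique state symbol, i.e. of the read-write head."""
    return next(k for k, c in enumerate(conf) if c in STATES)

def step(conf):
    """Successor of conf (encoded as tape* state tape* blank); None once halted."""
    i = head_index(conf)
    left, state, right = conf[:i], conf[i], conf[i + 1:-1]   # drop the final blank
    if state == HALT:
        return None
    new_state, write, move = DELTA[(state, right[:1] or BLANK)]
    rest = right[1:]
    if move == "R":
        left, right = left + write, rest
    elif left:                      # move left onto the last symbol of `left`
        left, right = left[:-1], left[-1] + write + rest
    else:                           # leftmost cell: the head stays where it is
        right = write + rest
    return left + new_state + right.rstrip(BLANK) + BLANK

def run(conf, limit=50):
    """The sequence C1, C2, ... up to the halting configuration (or `limit`)."""
    confs = [conf]
    while len(confs) < limit and (nxt := step(confs[-1])) is not None:
        confs.append(nxt)
    return confs

def local_successor(C, D):
    """Is D the successor of C?  Compared letter by letter, allowing changes only in
    the three-letter window around the head: the check a small safety formula does."""
    i = head_index(C)
    n = max(len(C), len(D))
    C, D = C.ljust(n, BLANK), D.ljust(n, BLANK)     # pad the shorter string with blanks
    lo = max(i - 1, 0)
    if C[:lo] != D[:lo] or C[i + 2:] != D[i + 2:]:   # nothing may change outside the window
        return False
    if (C[i], C[i + 1]) not in DELTA:               # halted or undefined: no successor
        return False
    new_state, write, move = DELTA[(C[i], C[i + 1])]
    if move == "R":
        return D[i:i + 2] == write + new_state
    if i == 0:
        return D[:2] == new_state + write
    return D[i - 1:i + 2] == new_state + C[i - 1] + write

def faithful(confs):
    """True iff every emitted configuration is the successor of the previous one."""
    return all(local_successor(c, d) for c, d in zip(confs, confs[1:]))

def violates_gamma(prefix):
    """Bad-prefix monitor for gamma = tape W (state and next not state) W tape W blank."""
    return re.fullmatch(r"[01]*(?:[AH][01]*_?)?", prefix) is None
```

Running `faithful(run("A01_"))` checks the whole run of the toy machine with the local test only, and `local_successor("A01_", "0A1_")` rejects a stream that writes the wrong symbol under the head.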
Lemma 3.2. The specification is realisable if, and only if, the Turing machine does not halt.
Proof. We show this by reduction from the halting problem.
If the DTM does not halt, then the specification can be satisfied by simply letting both processes emit the correct sequence of configurations when prompted to do so by the first start symbol.
Let us assume for contradiction that the DTM halts but the specification is realisable in the given architecture, and fix one such implementation. There must be a smallest n such that one of the processes, say pi, emits C1  C2  ···  Cn−1, but does not continue with Cn. As the correctness of n is hard-coded for n 2, n must be at least 3.
Let us consider such a sequence, and let the process p1−i receive its first start symbol |Cn−2| steps after pi. Then p1−i starts emitting Cn−2 when pi emits Cn−1. By the minimality of n, p1−i next emits Cn−1, and pi must therefore emit Cn.
¹ A single step can only affect the control state of the DTM, the tape symbol under the read–write head, and the position of the read–write head, which can only move forward or backward a single position. This is therefore a local condition on three symbols.
This provides us with our first main theorem.
Theorem 3.3. The synthesis problem for the architecture from Fig. 1 is undecidable for specifications in the syntactic safety fragment of LTL and ACTL.
4. Undecidability for temporal reachability speciﬁcations
The adjustment to reachability specifications is slightly more involved. A first and rather general observation is that, for reachability specifications, there must be finite control, that is, a control strategy that can be represented by a finite circuit. This is because the control objective needs to be met in finitely many steps.
Lemma 4.1. Realisable reachability specifications must have finite control.
Proof. Let us start with an arbitrary control strategy that meets the reachability objective. Let us assume that the objective is not met in a bounded number of steps. Then the tree of initial sequences of runs where the reachability objective is not yet met is an infinite (and finitely branching) tree. Invoking König's lemma, it has an infinite path. This path does not meet the reachability objective.
The specification from the standard argument does not extend as easily to reachability. In particular, Lemma 4.1 implies that, if there is no start symbol, then the control objective must be met within a finite number of steps.
We adjust the specification by forcing both processes to start by emitting sequences of configurations and use restart as a restart command instead of a start command. Intuitively, the first restart symbol received forces the processes to start again. We therefore use a safety specification as a core, which we do not then require to hold forever, but only until a reachability condition is met.
For this, we add information to each output letter emitted by p0 and p1 that reflects the status of the process: (a) has not seen a start symbol or a halt state, (b) has not seen a start symbol and has seen a halt state, but not the end of the respective configuration, (c) has not seen a start symbol and has seen the end of the configuration afterwards, (d) has seen a start symbol, and no halt state after this, (e) has seen a start symbol, a halt state after this, but no end of a configuration after the halt state, (f) has seen a start symbol, a halt state after this, and an end of a configuration after that. The correctness of this information can be maintained until (and including) the first point in time where both processes emit (c) or (f) at the same time.
Exploiting this information about the status, we can use the following reachability specification.
1. For both processes, the additional information (a through f) is updated correctly (strong) until both processes have a c or f status. (Strong until refers to the LTL operator U.)
2. Initially, each process starts to emit the first two configurations of the DTM correctly (weak) until it receives a restart symbol. (Weak until refers to the LTL operator W.) ψrestart, where ψrestart forces the correct emission of the first two configurations until both configurations have been emitted or a restart symbol has been received, whatever happens first; this is a finite sequence.
3. After receiving the first restart signal, each process emits the first two configurations of the DTM correctly, unless the condition that both processes have a c or f status (abbreviated cf) is reached first: ¬restart W (cf ∨ restart ∧ ψ), where ψ forces the correct emission of the first two configurations of the DTM. Note that this is a finite sequence.
4. Initially, each process emits a sequence of pseudo-configurations of the DTM (weak) until a restart symbol is received or cf holds: φ′ W (restart ∨ cf) with φ′ = ¬blank ∨ ○γ′, where γ′ = tape W (state ∧ ○¬state) W tape W (blank ∨ restart ∨ cf) is the relaxation of γ that allows the process to stop emitting a pseudo-configuration upon receiving a restart command or reaching cf.
5. When receiving the first restart signal before cf is reached, each process emits a sequence of pseudo-configurations of the DTM, but it may stop after having emitted an f information: ¬restart W (cf ∨ restart ∧ (φ W f)) with φ = ¬blank ∨ ○γ as in the safety specification from Section 3.
6. Let the property ϑ describe the following: if process pi and process p1−i start at the same time to emit the configurations Ci and C1−i, respectively, such that Ci  C1−i holds, and pi emits the configuration Di next, then p1−i emits the configuration D1−i with Di  D1−i next, provided no first restart symbol is received meanwhile (which can be read from the state of the processes). We then add ϑ U cf.
The specification is rather obviously a reachability specification. With the observation that the specification is expressible in LTL and ACTL we get:
Lemma 4.2. The above specification can be expressed in the reachability fragments of LTL and ACTL.
Lemma 4.3. The specification is realisable if, and only if, the Turing machine halts.
Proof. First, the specification is realisable if the Turing machine halts: in this case, both processes can simply start by emitting the true sequence of configurations of the Turing machine initially, and restart doing this once they receive the first restart symbol.
To establish the ‘only if’ direction, assume that there is an implementation that satisfies the specification, while the Turing machine does not halt. Therefore there is a lowest natural number n such that one of the processes, say pi, emits C1  C2  ···  Cn−1, but does not continue with Cn, initially or after receiving the first restart command from the environment. Note that n 2 is guaranteed by the hard-coded requirement to emit the first two configurations correctly.
In case of the initial sequence, we consider a situation where the process p1−i receives one restart command, and it received it after |Cn−1| steps. Then, by the minimality of n, p1−i starts to emit Cn−2 when pi starts to emit Cn−1, and p1−i continues after emitting Cn−2 by emitting Cn−1 by the minimality of n. As the reachability objective has not been met, pi must emit Cn in order to satisfy the specification.
When pi has received the first restart command, we encounter a similar situation when process p1−i receives the restart command |Cn−1| steps after process pi.
This provides us with our second main theorem.
Theorem 4.4. The synthesis problem for the architecture from Fig. 1 is undecidable for the reachability fragments of LTL and ACTL.
5. Decidable architectures
The extension to decidable architectures is a straightforward adaptation from the extension described by Finkbeiner and Schewe [7]. Their argument is that, in the case where there is an information fork, a situation where there are two processes p0 and p1 who can receive information from the environment – directly or forwarded through a communication chain of arbitrary length – such that this pathway cannot be intercepted by the other process, then synthesis is undecidable. They also provide a decision procedure for all architectures without information forks.
In a nutshell, the argument is that the environment can forward more information than just the start signal: besides the start signal, it can transfer a perfect XOR key. This can be used to encrypt the output of the processes, such that neither process can make use of a potential access to the output of the respective other process.
This specification is naturally in the safety fragment of ACTL and LTL, but can likewise be encoded in the reachability fragment of ACTL and LTL in the same way as before: it is only maintained until both processes have reached a c or f status at the same time.
Theorem 5.1. The restriction to the safety or reachability fragment of ACTL ∩ LTL does not affect the set of decidable architectures.
Acknowledgements
I would like to thank Bernd Puchala for the extensive discussion on the subject and the reviewers for their valuable and constructive critique. This work was supported by EPSRC grant EP/H046623/1.
References
[1] A. Arnold, I. Walukiewicz, Nondeterministic controllers of nondeterministic processes, in: Proc. of Logic and Automata: History and Perspectives, in: Texts in Logic and Games, 2008, pp. 29–52.
[2] J.R. Büchi, On a decision method in restricted second order arithmetic, in: Logic, Methodology and Philosophy of Science, 1962, pp. 1–11.
[3] J.R. Büchi, L.H. Landweber, Solving sequential conditions by finite-state strategies, Trans. Am. Math. Soc. 138 (1969) 295–311.
[4] J.R. Büchi, L.H. Landweber, Definability in the monadic second-order theory of successor, J. Symb. Log. 34 (1969) 166–170.
[5] A. Church, Logic, arithmetics, and automata, in: I. Mittag-Leffler (Ed.), Proc. Int. Congress of Mathematicians, 1962, 1963, pp. 23–35.
[6] E.A. Emerson, Temporal and Modal Logic, MIT Press, 1990.
[7] B. Finkbeiner, S. Schewe, Uniform distributed synthesis, in: Proc. of LICS 2005, IEEE Computer Society Press, 2005, pp. 321–330.
[8] D. Janin, On the (high) undecidability of distributed synthesis problems, in: Proc. of SOFSEM 2007, in: Lect. Notes Comput. Sci., vol. 4362, Springer, 2007.
[9] O. Kupferman, M.Y. Vardi, Synthesizing distributed systems, in: Proc. of LICS 2001, IEEE Computer Society Press, 2001, pp. 389–398.
[10] P. Madhusudan, P.S. Thiagarajan, Distributed controller synthesis for local specifications, in: Proc. of ICALP 2001, in: Lect. Notes Comput. Sci., Springer, 2001, pp. 396–407.
[11] A. Pnueli, The temporal logic of programs, in: Proc. of FOCS 1977, IEEE Computer Society Press, 1977, pp. 46–57.
[12] A. Pnueli, R. Rosner, Distributed reactive systems are hard to synthesize, in: Proc. of FOCS 1990, IEEE Computer Society Press, 1990, pp. 746–757.
[13] M.O. Rabin, Decidability of second order theories and automata on infinite trees, Trans. Am. Math. Soc. 141 (1969) 1–35.
[14] M.O. Rabin, Automata on Infinite Objects and Church's Problem, CBMS Reg. Conf. Ser. Math., vol. 13, Amer. Math. Soc., 1972.
