IST Austria Technical Report by Chatterjee, Krishnendu et al.
Distributed Sytnehsis for LTL Fragments
Krishnendu Chatterjee and Thomas A. Henzinger and Jan Otop and Andreas Pavlogiannis
Technical Report No. IST-2013-130-v1+1
Deposited at 08 Jul 2013 08:35
http://repository.ist.ac.at/130/1/DistributedSynthesis.pdf
IST Austria (Institute of Science and Technology Austria)
Am Campus 1
A-3400 Klosterneuburg, Austria
Copyright © 2012, by the author(s).
All rights reserved.
Permission to make digital or hard copies of all or part of this work for personal or classroom
use is granted without fee provided that copies are not made or distributed for proﬁt or
commercial advantage and that copies bear this notice and the full citation on the ﬁrst page.
To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior
speciﬁc permission.
1Distributed Synthesis for LTL Fragments
Krishnendu Chatterjee, Thomas A. Henzinger, Jan Otop, Andreas Pavlogiannis
IST Austria
{chatterjee, tah, jotop, pavlogiannis}@ist.ac.at
Abstract—We consider the distributed synthesis problem for
temporal logic specifications. Traditionally, the problem has
been studied for LTL, and the previous results show that the
problem is decidable iff there is no information fork in the
architecture. We consider the problem for fragments of LTL
and our main results are as follows: (1) We show that the
problem is undecidable for architectures with information forks
even for the fragment of LTL with temporal operators restricted
to next and eventually. (2) For specifications restricted to globally
along with non-nested next operators, we establish decidability
(in EXPSPACE) for star architectures where the processes
receive disjoint inputs, whereas we establish undecidability for
architectures containing an information fork-meet structure. (3)
Finally, we consider LTL without the next operator, and establish
decidability (NEXPTIME-complete) for all architectures for a
fragment that consists of a set of safety assumptions, and a set
of guarantees where each guarantee is a safety, reachability, or
liveness condition.
I. INTRODUCTION
Synthesis and distributed synthesis. The synthesis problem
is the most rigorous form of systems design, where the goal
is to construct a system from a given temporal logic specifi-
cation. The problem was originally proposed by Church [1]
for synthesis of circuits, and has been revisited in many
different contexts, such as supervisory control of discrete event
systems [2], synthesis of reactive modules [3], and several
others. In a seminal work, Pnueli and Rosner [4] extended
the classical synthesis problem to a distributed setting. In
the distributed synthesis problem, the input consists of (i) an
architecture of synchronously communicating processes, that
exchange messages through communication channels; and
(ii) a specification given as a temporal logic formula; and the
synthesis question asks for a reactive system for each process
such that the specification is satisfied. The most common logic
to express the temporal logic specification is the linear-time
temporal logic (LTL) [5].
Previous results for distributed synthesis for LTL. In
general the distributed synthesis problem is undecidable for
LTL, but the problem is decidable for pipeline architec-
tures [4]. The undecidability proof uses ideas originating from
the undecidability proof of three-player imperfect-information
games [6], [7]. The decidability results for distributed syn-
thesis were extended to other similar architectures, such as
one-way rings [8], and also a distributed games framework
was proposed in [9]. Finally, a complete topological criterion
on the architecture for decidability of distributed synthesis for
LTL was presented [10], where it was shown that the problem
is decidable if and only if there is no information fork in
the underlying architecture. Architectures without information
forks can essentially be reduced to pipelines.
Fragments of LTL. While LTL provides a very rich frame-
work to express temporal logic specifications, in recent years,
several fragments of LTL have been considered for efficient
synthesis of systems in the non-distributed setting. Such
fragments often encompass a large class of properties that
arise in practice and admit efficient synthesis algorithms, as
compared to the whole LTL. In [11], [12] the authors con-
sidered a fragment of LTL with only eventually (reachability)
and globally (safety) as the temporal operators. In [13] LTL
with only eventually and globally operators (but without next
and until operators) was considered for efficient translation
to deterministic automata. The temporal logic specifications
for reactive systems often consist of a set of assumptions
and a set of guarantees, and the reactive system must satisfy
the guarantees if the environment satisfies the assumptions.
In [14] the GR1 (generalized reactivity 1) fragment of LTL was
introduced where each assumption and guarantee is a liveness
condition; and it has been shown that GR1 synthesis is very
effective to automatically synthesize industrial protocols such
as the AMBA protocol [15], [16].
Our contributions. In this work we consider the distributed
synthesis problem for fragments of LTL. The previous results
in literature considered the whole LTL and characterized
architectures that lead to decidability of distributed synthesis.
In contrast, we consider fragments of LTL to present finer
characterizations of the decidability results. Our main contri-
butions are as follows:
1) Reachability properties. First we consider the fragment
of LTL with next and eventually (reachability) as the
only temporal operators, and establish that the distributed
synthesis problem is undecidable if there is an infor-
mation fork in the underlying architecture. In particular,
the problem is undecidable with one nesting depth of
the next operator and only one eventually operator; i.e.,
if we consider the fragment of LTL that consists of
Boolean combinations of atomic propositions and next
of atomic propositions; and only one eventually as the
temporal operator, then the distributed synthesis problem
is undecidable iff there is an information fork in the
architecture.
2) Safety properties. We then consider the fragment of LTL
with next and globally (safety) as the only temporal op-
erators, with a single occurrence of the globally operator.
We show that the distributed synthesis problem can be
decidable under the existence of information forks; in
particular we establish decidability (in EXPSAPCE) for
the star architecture where processes have no common
inputs from the environment. However, we show that
2the problem remains undecidable for architectures con-
taining an information fork-meet, a structure in which
two processes receive sets of disjoint inputs, (as in the
information fork case), and a third process receives the
union of those sets. Moreover, our undecidability proof
again uses specifications that do not contain nested next
operators. In other words, if there is information fork,
the problem may be decidable, but if there is information
fork, and then the forked information meets again, then
we obtain undecidability.
3) Temporal specifications without the next operator. Since
our results show that even with one nesting depth of the
next operator, distributed synthesis is undecidable with
reachability and safety objectives, we finally consider the
problem without the next operator. We show that if we
consider a set of safety assumptions, and a set of guar-
antees such that each guarantee is a safety, reachability,
or a liveness guarantee, then the distributed synthesis
problem is decidable (and NEXPTIME-complete) for all
architectures.
Hence, our paper improves upon existing results by present-
ing finer (un)decidability characterizations of the distributed
synthesis problem for fragments of LTL. We also remark
that when we establish decidability, it is either EXPSPACE
or NEXPTIME-complete, as compared to previous proofs of
decidability in distributed synthesis setting where the complex-
ity is non-elementary. Thus as compared to the complexity
of previous decidability results (tower of exponentials), our
complexities (at most two exponentials) are very modest.
II. MODEL DESCRIPTION
Architectures. An architecture is a tuple A = (P, pe, V, E),
where P = {pe, p1, p2, . . . pn} is a set of n + 1 processes,
pe is a distinguished process representing the environment, V
is a set of (output) binary variables, and E : P × P → 2V
defines the communication variables between processes (i.e,
E(p, q) = {u, v} means that p writes to variables u, v, and q
reads from them). For every process p ∈ P , we denote with
O(p) =
⋃
q∈P E(p, q) the set of output variables of p, and
with I(p) =
⋃
q∈P E(q, p) the set of input variables of p. We
require that for all p, q ∈ P : O(p) ∩ O(q) = ∅, i.e., no two
processes write to the same variable. Finally, we will denote
with P− = P \ {pe}.
An architecture describes a distributed reactive system, with
the environment providing the inputs via O(pe), and the
system responding via I(pe). The pair (P, E) describes the
architecture of the system as a multigraph, with P being the
set of nodes, and E(p, q) the set of directed p→ q edges with
the corresponding variables as labels.
Trees. We define a (full) B-tree T over some finite set B as the
set of all nodes x ∈ (2B)∗. A (possibly infinite) sequence of
nodes pi = (x1, x2 . . . ) forms a path in T , if for every i ≥ 1 we
have xi+1 = xiz, for some z ∈ 2B . For such a path pi, we will
use pi[i] to denote the element of pi in the i-th position, while
pi[i,∞] denotes the infinite suffix of pi starting at position i.
An A-labeled B-tree Tλ is a B-tree equipped with a labeling
function of its nodes, λ :
(
2B
)∗ → 2A. For every node
x = yz ∈ Tλ with z ∈ 2B we denote with `λ(x) = z ∪ λ(x),
i.e., the `λ of x consists of the branch z from the parent and the
label λ of x. For a (possibly infinite) path pi = (x1, x2, . . . ),
we define with `λ(pi) = (`λ(x1), `λ(x2) . . . ).
Local strategies. For every process p ∈ P−, a local strategy
σp is a function σp :
(
2I(p)
)∗ → 2O(p), setting the output
variables of p according to the history of its input variables.
A local strategy σp has finite memory if there exists a finite
set M, m0 ∈ M, and functions f : M× 2I(p) → M and
g : M → 2O(p) such that for all x = x1x2 . . . xk with xi ∈
2I(p), we have σp(x) = g(f(. . . (f(f(m0, x1), x2) . . . , xk)).
The memory of σp is said to be |M|, while if |M| = 1, then
σp is called memoryless.
Collective strategies. Every such local strategy σp can be
viewed as a labeling of an O(p)-labeled I(p)-tree Tσp . The
collective strategy of the architecture A is a function σ :(
2O(pe)
)∗ → 2V \O(pe), mapping every finite sequence of the
outputs of the environment to a subset of the outputs of the
processes p according to the composition (σp : p ∈ P−).
The collective strategy σ can be viewed as a (V \ O(pe))-
labeled O(pe)-tree Tσ and for any infinite path pi in Tσ ,
we will call `σ(pi) a computation. Hence, Tσ describes a
distributed algorithm, and every infinite path pi = (x1, x2, . . . )
starting from the root represents a distributed computation
`σ(pi), according to the local strategies (σp : p ∈ P−).
Synthesis (realizability). We will consider distributed reactive
systems with specifications given by temporal logic formulas.
For temporal logic formulas we will consider LTL; see [5]
for the formal syntax and semantics of LTL. The problem of
realizability of a temporal logic formula φ in an architecture A
asks whether there exist local strategies σp for every process
p, such that for every infinite path pi of the (V \O(pe))-labeled
O(pe)-tree Tσ of the collective strategy σ, with pi starting from
the root, we have `σ(pi) |= φ. If φ admits such strategies σp for
every p ∈ P−, then it is called realizable, and the collective
strategy σ gives an implementation for φ on A.
III. SYNTHESIS FOR REACHABILITY SPECIFICATIONS
In the current section we discuss the synthesis problem
for reachability specifications, where the objective consists of
propositional formulas connected with Boolean operators and
non-nested X (next) operators. We will show that even under
such restrictions, the synthesis problem remains undecidable
for all architectures containing an information fork, via a
reduction from the halting problem of Turing machines.
Fragment LTL♦. We consider LTL♦ that consists of formulas
φ from the following LTL fragment:
θ = P | XP
ψ = θ1 ∧ θ2 | θ1 ∨ θ2 | ¬θ
φ = Q→ ♦ψ
where P , Q are propositional formulas, X is the next operator,
♦ is the eventually temporal operator. We consider the standard
semantics of LTL. Formula ♦ψ represents a reachability ob-
jective, and Q will capture the initial input in the architecture.
Turing machines. Let M be a deterministic Turing machine
fixed throughout this section and let Q be the set of states
3of M (see [17] for detailed descriptions of Turing machines).
The machine M works over the alphabet {0, 1,unionsq}, and its
tape is bounded by # symbols. The machine M cannot move
left on a # symbol, and moving right to a # symbol effects
in extending the tape by a blank symbol unionsq. In our analysis,
M starts with the empty tape. A configuration of M is a word
#vqauunionsq#, where a ∈ {0, 1}, v, u ∈ {0, 1}∗ and q ∈ Q. Such
a configuration has the standard interpretation as an infinite
tape such that v is the part of the tape preceding the head, q
is the current state of M , a is the letter under the head, and
u is a sequence of symbols succeeding the head. The blank
symbol unionsq represents the rightmost cell of the tape that has not
been altered by M . We define the projection pi⊥ over words
w from some alphabet containing ⊥, such that pi⊥(w) is the
result of omitting all ⊥ symbols from w. We define a scattered
configuration C of M as a word over Σ = {0, 1,unionsq,⊥,#}∪Q
such that pi⊥(C) is a configuration of M .
Information-fork architecture. We first consider the archi-
tecture A0 (Figure 1), characterized as an information fork
in [10], for which the problem of realizability has been
shown to be undecidable, using LTL formulae with nested
until operators (in [4]). Here we show that the problem
remains undecidable for A0 and specifications in the restricted
fragment of LTL♦. This is obtained through a reduction from
the halting problem of M , by constructing a specification
φ ∈ LTL♦ which is realizable iff M halts on the empty input.
Proof idea. The architecture A0 consists of the environment pe
and two processes p1 and p2. The processes act as I/O streams,
outputting configurations of M ; the environment sends sepa-
rately to each process next and stall signals, indicating that
the corresponding process should output the next letter from
{0, 1,unionsq,#}∪Q of the current configuration of M , or it should
output ⊥.
Construction of ϕ. First, we will provide a regular safety
property ϕ which specifies that if the environment satisfies an
alternation assumption, i.e., every stall signal is followed by a
next signal, then p1 and p2 conform with a series of guarantees.
The property ϕ does not belong to the LTL♦ fragment, but we
will show how it can be expressed by a safety automaton Asafe.
Then, we will prove that if ϕ is realizable, and the environment
conforms with the alternation assumption, then the processes
output a legal sequence of configurations of M , scattered with
the ⊥ symbol.
Conversion to LTL♦. Next, we will provide the specification
for the synthesis problem φ ∈ LTL♦, such that φ is real-
izable iff ϕ is realizable and M halts on the empty input.
Formula φ does not express ϕ directly, but it asserts that the
environment simulates a run of Asafe faithfully, and finally
one of the processes outputs a halting configuration of M .
More precisely, the environment simulates a run of Asafe
storing the current state of Asafe in a set of hidden variables
{q1, . . . , qm} ∈ E(pe, pe), and φ encodes that eventually
either (i) the environment cheats in the simulation of Asafe,
or (ii) one of the processes outputs a halting state q of M ,
while the current state of Asafe is not rejecting (i.e., q was
reached legally with respect to M ). We will conclude that φ
is realizable iff M halts on the empty input.
pe
p1 p2
x1 x2
q1, . . . , qm
y1 y2
Fig. 1: The architecture A0 which consists an information fork.
Formal proof. A safety automaton cannot express a scattered
configuration that is finite. Thus, we define a scattered precon-
figuration C (of M ) as a (possibly infinite) word whose every
finite prefix can be extended to a scattered configuration of M .
A scattered preconfiguration is formally defined as a finite or
infinite word over Σ that begins with #, there is at most one
symbol from Q, there are no symbols after the second # and
the unionsq symbol is followed by the # symbol.
Let C1, C2 be scattered preconfigurations. We denote with
⊥(C) the set of positions in C where ⊥ occurs, and write
C1 ‖ C2 if the symmetric difference of ⊥(C1) and ⊥(C2) has
at most one element, i.e., |⊥(C1)4⊥(C2)| ≤ 1. We define as
C1 ` C2 if C1 ‖ C2 and
(i) pi⊥(C2) follows legally from pi⊥(C1) according to M ,
or
(ii) both C1, C2 are infinite preconfigurations such that every
finite prefix can be extended to finite preconfigurations
C ′1, C
′
2 such that pi⊥(C
′
2) follows legally from pi⊥(C
′
1).
For infinite words w1, w2, we define w1 ⊗ w2 as a word
over Σ × Σ such that the i-th letter of w1 ⊗ w2 is a pair
of the i-th letters of w1, w2. Observe that there are safety
automata working over Σ × Σ that recognize the languages
{C1 ⊗ C2 : C1 ‖ C2} and {C1 ⊗ C2 : C1 ` C2}.
Construction of ϕ. We first construct the regular safety prop-
erty ϕ = L → ∧0≤i≤4 Condi, where L (the alternation
assumption) and Condi are defined as follows:
L: for every process, every stall signal is followed by
a next signal.
Cond0: each process outputs ⊥ when its input is stall,
otherwise it outputs a letter from Σ \ {⊥},
Cond1: each process produces a sequence of scattered
preconfigurations,
Cond2: initially, each process produces two scattered con-
figurations of M , whose projections are the first two
valid configurations of M ,
Cond3: if starting from some position i, p1 outputs consec-
utively C1, C2 and p2 outputs consecutively C ′1, C
′
2,
then C ′1 ` C1 implies C ′2 ` C2 or C ′2 ∦ C2,
Cond4: if D,D′ are outputs of p1, p2 up to some positions
such that D ‖ D′ and |pi⊥(D)| = |pi⊥(D′)|, then
pi⊥(D) = pi⊥(D′).
We provide a high-level description of the construction of an
alternating safety automaton Asafe (see [18] for the definition
of alternating automata) which verifies that every execution
satisfies ϕ. Note that Asafe can be transformed to a non-
deterministic automaton by a standard power-set construction.
Clearly, conditions L, Cond0 and Cond1 can be expressed
4by a safety automaton. For the condition Cond2, observe
that the first two configurations of M have at most 9 letters
#q0 unionsq ##q1a unionsq #, with a ∈ {0, 1, }. To show that the
rest of conditions can be expressed by a safety automaton,
we assume that L is satisfied; otherwise those conditions
do not have to be checked (note that if L is violated, Asafe
accepts unconditionally). Because of L, Asafe can verify that
p1 and p2 conform with Cond2 by checking the first 18 output
letters. For the condition Cond3, Asafe operates as follows:
whenever it encounters a # symbol marking the beginning of a
configuration, it splits universally. One copy looks for the next
configuration, and the second copy, denoted by A3, verifies
that Cond3 holds at the current position, as follows. It ignores
⊥ symbols and compares whether C1 ‖ C ′1, configurations
pi⊥(C1) and pi⊥(C ′1) are equal everywhere except for positions
adjunct to the head of M , and the letters adjunct to the
head are consistent with the transition of M . If one of these
conditions is violated, C ′1 6` C1, therefore A3 accepts the
word regardless of what follows. Otherwise, if those conditions
hold, i.e., C ′1 ` C1, A3 non-deterministically verifies one
of the following conditions: C ′2 6‖ C2 or C ′2 ` C2. Both
conditions can be verified by safety automata, since C2 and
C ′2 either start concurrently, or C2 is delayed by 1 step from
C ′2. For the condition Cond4 observe that if D ‖ D′ and
|pi⊥(D)| = |pi⊥(D′)|, then ||D|−|D′|| ≤ 1 and the automaton
needs to remember at most one symbol to compare pi⊥(D) and
pi⊥(D′). We can now prove the following lemma.
Lemma 1. If ϕ is realizable, then for every k ∈ N , in all
executions where L holds, both p1 and p2 output sequences of
scattered configurations whose pi⊥ projections are sequences
of at least k consecutive valid configurations of M , starting
with the initial configuration on the empty input.
Proof: First note that there exist executions where the
environment indeed satisfies L, and thus p1 and p2 satisfy con-
ditions Cond0-Cond4. The lemma clearly holds for k = 1, 2,
due to conditions Cond0 − Cond2. For the inductive step,
assume that the lemma holds for k ≥ 2. Consider a sequence
of inputs to p1 consisting of next signals only. Then, there
is a sequence of inputs to p2 consisting of some number
of next signals and exactly |pi⊥(Ck)| stall signals placed
in a such way that p1 outputs C1 . . . CkCk+1, p2 outputs
C ′1 . . . C
′
k−1C
′
k, and CkCk+1, C
′
k−1C
′
k are synchronized, i.e.
they start at the same position and Ck ‖ C ′k−1, Ck+1 ‖ C ′k. By
the induction assumption pi⊥(C ′k−1) and pi⊥(Ck) = pi⊥(C
′
k)
are, respectively, (k − 1)-th and k-th configurations of M .
Therefore, C ′k−1 ` Ck and, by Cond3, C ′k ` Ck+1. This
implies that Ck+1 is a finite scattered preconfiguration and
pi⊥(Ck+1) is the (k + 1)-th configuration of M .
Given that for an input consisting of next signals only, p1
outputs C1 . . . CkCk+1 satisfying the statement, we can show
that regardless of the number of stall signals, under condition
L, p1, p2 output k + 1 scattered configurations satisfying the
statement. First, the condition Cond4 implies that if p2 also
has an input sequence consisting of next signals alone, it will
output the same sequence, that is, C1 . . . CkCk+1. By a simple
induction on the number of stall signals each process receives,
and condition Cond4, we conclude that for any number of stall
signals, as long as L is satisfied by the environment, p1, p2
output k + 1 scattered configurations whose projections are
the first k + 1 consecutive configurations of M .
Conversion to LTL♦. Given the safety automaton Asafe which
verifies that ϕ is satisfied, we can construct a specification
φ ∈ LTL♦, such that φ is realizable if and only if the Turing
machine M does not halt on the empty input. The environment
uses the hidden (not visible to p1, p2) variables q1, . . . , qk ∈
E(pe, pe) to simulate the automaton Asafe. We provide a high
level description of the following formulas:
Q specifies that the first state of Asafe according to the output
variables {q1, . . . qm} is compatible with the initial values
of x1, x2, y1 and y2 (i.e. {q1, . . . qm} represent the state
of Asafe reached from the initial state after reading the
initial values of x1, x2, y1 and y2; Q is propositional)
ψ1 specifies that Asafe has a transition from the current state
to the next state, encoded by the values of {q1, . . . qm}
in the current and the next round, according to the value
of variables x1, x2, y1 and y2 in the next round (i.e., pe
simulates Asafe faithfully; ψ1 contains only propositionals
and non-nested X operators).
ψ2 specifies that the current state of Asafe is not rejecting,
and p1 or p2 output a halting state of M (i.e., a halting
configuration of M was reached by some process, and
both processes behaved according to Asafe; ψ2 is propo-
sitional).
Finally, we construct φ = Q → ♦(¬ψ1 ∨ ψ2), with
φ ∈ LTL♦. If φ is realizable, the processes satisfy ψ2 in
all runs where the environment faithfully simulates Asafe and
conforms with condition L(i.e., Q and ψ1 are true). Then
p1, p2 output a halting state of M and satisfy ϕ, which by
Lemma 1, guarantees that the halting state was reached by a
legal sequence of configurations of M . In the inverse direction,
if M halts, then φ is realizable by (finite) local strategies
which output a finite, legal sequence of configurations of M
and conform with condition Cond0. Hence, we obtain the
following theorem.
Theorem 1. The realizability of specifications from LTL♦ in
A0 is undecidable.
Similarly as in [10], the above argument can be carried out
to any architecture which contains an information fork, by
introducing additional safety conditions in ϕ, which require
that all processes propagate the inputs of the environment to
the two processes constituting the information fork. It has also
been shown in [10] that in architectures without information
forks, the realizability of every LTL specification is decidable.
Hence, Theorem 1 together with the results from [10] lead to
the following corollary.
Corollary 1. For every architecture A, the realizability of
specifications from LTL♦ in A is decidable iff A does not
contain an information fork.
IV. SYNTHESIS FOR SAFETY SPECIFICATIONS
In the current section we consider safety specifications
where the safety condition consists of propositional formulas
5connected with Boolean operators, and the X temporal oper-
ator. First, we show that the synthesis problem is undecidable
for architectures containing an information fork-meet (see
Figure 3), by a similar construction as in the case of LTL♦.
Then we show that the problem is decidable for the family of
star architectures, despite the existence of information forks.
Fragment LTL. We consider LTL that consists of formulas
φ from the following LTL fragment:
ψ = P | ψ1 ∧ ψ2 | ψ1 ∨ ψ2 | ¬ψ | Xψ
φ = Q ∧ψ
where P , Q are propositional formulas, and  is the globally
operator. We consider the standard semantics of LTL. The ψ
part of φ specifies a safety condition, and we interpret the Q
part as the initial conditions. The fragment LTL can express
safety specifications, one of the most basic specification in
verification.
While the information fork criterion is decisive for the
undecidability of reachability specifications, here we extend
this criterion to the family of star architectures of n + 1
processes, denoted as Sn (i.e., pe is the central process ,
and
⋃
i I(pi) = O(pe)) (Figure 2) and show that: (i) the
realizability of some φ ∈ LTL in Sn is decidable if all
processes receive pairwise disjoint inputs, (ii) it is undecidable
if n ≥ 3 and we allow overlapping inputs. The latter can be
generalized to all architectures which contain such a structure,
which we call an information fork-meet.
pe p1
I(p1) O(p1)
p2
I(p2)
O(p2)
pn
I(pn)O(pn)
Fig. 2: The family of start architectures Sn.
A. Overlapping inputs
Here we demonstrate undecidability of realizability of spec-
ifications φ ∈ LTL for star architectures with overlapping
inputs, and with φ having X -depth 1 (i.e., φ belongs to a
subclass of LTL where X operators are not nested). We
first consider the star architecture A1 (Figure 3), and obtain
the undecidability of realizability of such specifications via a
reduction from the (non) halting problem.
Given a Turing machine M , recall the specification ϕ (from
Section 3 for LTL♦) encoding conditions L and Cond0 −
Cond4 through the safety automaton Asafe. In contrast with
the previous section, here we require that process p3 (instead
of pe) faithfully simulates the safety automaton Asafe using
the output variables q1, . . . qm ∈ E(p3, pe). Note that Asafe
operates on the variables x1, x2, y1, y2, while p3 does not have
access to y1 and y2. However, it can infer these values by
simulating p1 and p2 internally, since p3 receives both x1 and
x2 (overlapping inputs).
pe
p2
x2
y2
p1
x1
y1 p3
x1 x2
q1, . . . , qm
Fig. 3: The architecture A1 consists an information fork-meet.
Formal proof. We provide a high level description of the
following formulas:
Q specifies that the first state of Asafe according to the output
variables {q1, . . . qm} is compatible with the initial values
of x1, x2, y1 and y2 (i.e. {q1, . . . qm} represent the state
of Asafe reached from the initial state after reading the
initial values of x1, x2, y1 and y2; Q is propositional)
ψ1 specifies that Asafe has a transition from the current state
to the next state, encoded by the values of {q1, . . . qm}
in the current and the next round, according to the value
of variables x1, x2, y1 and y2 in the next round (i.e., pe
simulates Asafe faithfully; ψ1 contains only propositionals
and non-nested X operators).
ψ2 specifies that p1 and p2 do not output a halting state of
M (i.e., M does not terminate; ψ2 is propositional).
ψ3 specifies that Asafe does not reach a rejecting state (i.e.,
the processes conform to conditions Cond0-Cond4 or the
environment violates L; ψ3 is propositional).
We construct φ = Q∧(ψ1 ∧ψ2 ∧ψ3). Similarly as in the
case of LTL♦, if φ is realizable, p3 faithfully simulates Asafe
(Q and ψ1 are true), and p1, p2 satisfy ϕ in all runs where
the environment conforms with condition L (ψ3 is true). By
Lemma 1, p1 and p2 output a legal sequence of configurations
of M , and ψ2 guarantees that M does not halt. In the inverse
direction, if M does not halt, then φ is realizable by local
strategies for which (i) p1, p2 output a legal sequence of
configurations of M and conform with condition Cond0, and
(ii) p3 faithfully simulates Asafe. Hence we have the following
result.
Theorem 2. The realizability of specifications from LTL in
A1 is undecidable.
Remark 1. We remark that our proof of undecidability in
Theorem 2 makes use of infinite-memory strategies, since the
processes p1 and p2 are required to output an infinite, non-
halting computation. However, we show that even if we restrict
the problem to finite-memory strategies, the realizability prob-
lem for LTL in A1 still remains undecidable.
Undecidability for finite-memory strategies. We define the
looping problem as follows. Given a deterministic Turning
Machine M , decide whether M , started on the empty tape,
uses only finite memory and does not terminate. The looping
problem is undecidable. Indeed, consider the following reduc-
tion from the halting problem to the looping problem. For
a Turing Machine N , we construct Turing Machine N̂ that
simulates N and counts the number of steps taken by N . This
6counter is stored on the tape of N̂ . If N halts, N̂ loops at the
last configuration and does not increase the counter. Clearly, N
started on the empty tape halts iff N̂ uses only finite memory
and does not terminate.
Observe that the reduction in Theorem 2 restricted to finite-
memory strategies yields a reduction from the looping problem
to the finite-memory realizability problem of LTL in the
architecture A1.
Indeed, recall that for a (deterministic) Turing Machine M ,
there are strategies σ1, σ2 that realize the specification φ iff M
does not halt. Let C0, C1, . . . be a sequence of configurations
of M started at the empty input. Observe that M loops started
on the empty tape iff C0, C1, . . . are of bounded length. It
remains to be shown that C0, C1, . . . are of bounded length iff
σ1, σ2 are finite memory.
Assume that C0, C1, . . . are of bounded length. Since M is
deterministic, the infinite sequence of configurations is of the
form C1 . . . Ck(Ck+1 . . . Cm)ω , for some k,m with k < m.
It follows that there are finite-memory strategies that realize
the specification φ. Conversely, assume that σ1, σ2 are finite-
memory strategies realizing the specification φ. Consider a
run where the environment gives only next signals to the
process p1. Since the strategies are deterministic, the length
of configuration is bounded by the size of the memory of σ1
and σ2, or it is infinite because a strategy loops. As σ1, σ2
output infinitely many configurations, all the configurations
C0, C1, . . . are finite, and thus they are of length bounded by
the memory of σ1 and σ2.
Information fork-meet. We say that an architecture A =
(P, pe, V, E) has an information fork-meet if there are three
processes p1, p2, p3 ∈ P \ {pe} and paths pi1, pi2 in the
underlying graph such that
1) the first edges in pi1, pi2 are labeled by output variables
of pe,
2) the last edge of pi1 is an input variable of p1, but not p2
3) the last edge of pi2 is an input variable of p2, but not p1
4) the last edges of pi1, pi2 are input variables of p3
Observe that an information fork-meet is a special case
of information fork, with a third process that collects all
information that is divided between p1 and p2.
As in the case of LTL♦, the undecidablity argument can
be carried to any architecture containing such a structure, by
introducing additional conditions in ϕ which require the rest
of the processes to propagate the inputs of the environment to
p1, p2 and p3 accordingly.
Corollary 2. The realizability of specifications from LTL in
architectures containing an information fork-meet is undecid-
able.
B. Pairwise disjoint inputs
In this subsection we discuss synthesis for formulas φ ∈
LTL for the class of star architectures, with the additional
property that all pairs of processes receive disjoint inputs (i.e.,
∀i 6= j : I(pi) ∩ I(pj) = ∅), denoted as Sn. Our goal is to
prove decidability of realizability of such φ ∈ LTL in every
architecture A ∈ Sn, by showing that whenever such φ is
realizable, it admits strategies of bounded memory.
Consider some architecture A ∈ Sn and an arbitrary φ =
ψ ∈ LTL, with the nesting level of X operators in ψ
being k. Assume that φ is realizable in A by local strategies
σi for every process pi. These strategies can be represented by
O(pi)-labeled I(pi)-trees Tσi . We will show how to construct
strategies τi that also realize φ, where each tree I(pi)-tree Tτi
representing τi is defined from first 22
k|V | + 1 levels of Tσi
by applying a folding function given below. We first define the
notion of some i ∈ N closing ¬ψ.
Definition 1. For a computation `(pi) and some i ∈ N we
say that i closes ¬ψ in `(pi) if `(pi)[i− k,∞] |= ¬ψ.
Remark 2. `(pi) |= φ iff no i closes ¬ψ in `(pi).
Let σ1, . . . , σn be local strategies and σ be the collective
strategy induced by σ1, . . . , σn. For every i ∈ {1, . . . , n}, the
local strategy σi is represented by an O(pi)-labeled I(pi)-tree
Tσi . For every node x ∈ Tσi , with |x| ≥ k, we denote with
pix = (xk, xk−1 . . . x1) the k-node suffix of the unique path to
x = x1, and define the type of x under σi as tσi(x) = `σi(pix).
For every level l ≥ k we define the type of l under σ as
tσ(l) = {tσi(x) : i ∈ {1, . . . , n}, x ∈ Tσi and |x| = l}, i.e.,
the type of a level l is the set of the types of the nodes of level
l of every Tσi , where i ∈ {1, . . . , n}. Note that there exist at
most 2k|V | distinct types of nodes. Consequently, there exist
at most 22
k|V |
distinct types of levels.
We naturally extend the definition of types to nodes of
the (V \ O(pe))-labeled O(pe)-tree Tσ as tσ(x) = `σ(pix).
Consider some computation `σ(pi) in Tσ . Observe that whether
some i closes ¬ψ in pi depends only on the `σ(pi)[i] i.e., the
type tσ(pi[i]) determines whether i closes ¬ψ in pi. Hence, we
have the following remark:
Remark 3. For a formula φ ∈ LTL there exists a set of
types ∆ such that for every tree Tσ , a path pi in Tσ satisfies
φ if for i ∈ N , we have tσ(pi[i]) ∈ ∆, i.e., the set of types of
nodes in Tσ is a subset of ∆.
Folding function. Assume that there exist two levels l1 < l2
such that tσ(l1) = tσ(l2). Then for every tree Tσi , for every
node x in level l2 there exists a node y in level l1 such that
tσi(x) = tσi(y), i.e., x and y have the same type. For such
l1, l2, and every process pi, we define the folding function
fi :
(
2I(pi)
)∗ → (2I(pi))∗ recursively as follows:
fi(x) =

x if |x| < l2
y if |x| = l2 where |y| = l1 and tσi(x) = tσi(y)
fi(fi(y)z) if |x| > l2 for x = yz with z ∈ 2I(p)
and construct local strategies τi(x) = σi(fi(x)). Hence, every
strategy τi behaves as σi up to level l2, while for nodes further
below, it maps them to nodes between levels l1 and l2, by
recursively folding the levels l1 and l2 with respect to the
types of their nodes.
The strategies τi have the property that they preserve the
types of all local nodes up to level l2, and only those. Because
of the pairwise disjoint inputs, this property is implied for the
global nodes of the collective strategy τ as well. Observe that
the set of all such types serves as the set ∆ of Remark 3,
7which in turn guarantees that the collective strategy τ also
realizes φ. We formalize these arguments below.
The following lemma establishes that for all nodes x in all
Tτi , the type of x is the same as the type of its image under
fi in the corresponding Tσi .
Lemma 2. For every x ∈ (2I(pi))∗ with |x| ≥ k, we have
that tτi(x) = tσi(fi(x)).
Proof: Our proof proceeds by induction on |x|:
1) |x| < l2: For all nodes w in pix, we have that τi(w) =
σi(fi(w)) = σi(w), hence `τi(pix) = `σi(pix) and thus
tτi(x) = tσi(f(x)).
2) |x| = l2: The statement holds by definition.
3) |x| = m+ 1: Let x = yz with |y| = m. By the inductive
hypothesis, tτi(y) = tσi(fi(y)). We distinguish between
the following cases, depending on whether fi(y) extended
by z hits the level l2 (Figure 4):
(i) |fi(y)| < l2 − 1: Then fi(x) = fi(fi(y)z) = fi(y)z,
that is, if we reach node x by extending node y by an
edge z, the same holds for their corresponding images
under fi. Then τi(x) = σi(fi(x)) = σi(fi(y)z), thus
tτi(x) = tσi(fi(y)z) = tσi(fi(x)) (i.e., the strategy τi
will label x as σi labels its image fi(x), thus the types
of these two nodes are equal).
(ii) |fi(y)| = l2 − 1: By construction, tσi(fi(x)) =
tσi(fi(y)z) (i.e., fi(y) extended by z hits level l2, and
the folding function fi will bring x to level l1, to a node
of the same type). Then τi(x) = σi(fi(x)) = σi(fi(y)z),
hence as in (i), tτi(x) = tσi(fi(y)z) = tσi(x).
The desired result follows.
l1
l2
z
y
x
z
fi(y)
fi(x)
(a) Case (i)
l1
l2
z
y
x
z
fi(y)
fi(x)
(b) Case (ii)
Fig. 4: The two cases of the inductive step of Lemma 2.
The following remark observes that for every architecture
from Sn, every node in the collective strategy tree corresponds
to a unique set of nodes in the local strategy trees and vice
versa, and that the collective strategy on that node equals the
union of the local strategies on the corresponding local nodes.
Remark 4. The following assertions hold:
1) For every global node x = x1x2 . . . xm in Tσ with every
xi ∈ 2O(pe), for every tree Tσj , there exists a (unique)
node xj = x1jx
2
j . . . x
m
j such that x
i
j = x
i ∩ 2I(pj), and
2) for every set of nodes {xj = x1jx2j . . . xmj } with one xj
from each Tσj , there exists a (unique) global node x such
that for all i we have xi =
⋃
j x
i
j .
Moreover, for every collective strategy σ, we have σ(x) =⋃
j σj(xj).
It follows from the above remark and Lemma 2, that
for every x ∈ Tσ we have that tτ (x) = tσ(f(x)), where
f(x) =
⋃
i fi(xi). That is, the local folding functions fi result
in a unique, global folding function f , and the types in the
corresponding collective strategy tree are preserved between
the global nodes, and their images under f . This implies that
the set of types occurring in Tτ is a subset of types of Tσ .
Then, by Remark 3 we conclude:
Lemma 3. The collective strategy τ implements φ.
Hence, whenever for a realizable φ ∈ LTL exist levels
l1 and l2 with the same type under σ, we can construct a
collective strategy τ for which every local strategy τi uses
only the first l2 levels of the corresponding σi, and Lemma 3
guarantees that τ implements φ. By our previous observation
and the pigeonhole principle, l2 is upper bounded by 22
k|V |
+1,
and thus every local strategy τi operates in the first 22
k|V |
+ 1
levels of the corresponding I(pi)-tree. There are a bounded
number of local strategies with this property, thus the problem
of realizability in this case reduces to exhaustively exploring
all of them. Moreover, it follows from our analysis that local
nodes in the same level and having the same type can be
merged, since the local strategy that behaves identically in
both subtrees preserves the set of types appearing in the global
tree. Hence, the width of each level is bounded by the number
of different possible types, 2k|V |.
Theorem 3. The realizability of φ ∈ LTL for the class Sn
of star architectures with pairwise disjoint inputs is decidable
in EXPSPACE.
Proof: We describe a non-deterministic Turing machine
N which, given an architecture A ∈ Sn and a specification
φ ∈ LTL as input, decides whether there exist local strategies
σi which realize φ. The machine N operates in levels, as
follows: It first guesses the top k levels of each strategy σi, it
verifies that φ has not been violated, and it computes the set
∆i of all types of nodes in the k-th level of each σi. Then,
iteratively for each level j up to 22
k|V |
+ 1, it guesses the
sets ∆ji of types of nodes of the new level of each σi, such
that ∆ji is compatible with ∆
j−1
i , and verifies that all possible
combinations of types between all ∆ji do not violate φ.
It is straightforward to verify that if N accepts, φ is
realizable by local strategies σi, such that for every x ∈ Tσi ,
the strategy σi assigns to x the value of a type in ∆
|x|
i which
is compatible with x. Conversely, if there are local strategies
σi that realize φ, the machine N can guess their levels, and
thus accept. Therefore, if N rejects, no such strategies exist.
Finally, N operates in NEXPSPACE, since |∆i| ≤ 2k|V |, and
the first k levels of each σi have less than 2k|V | nodes. By
Savitch’s Theorem [19], NEXPSPACE = EXPSPACE.
V. SYNTHESIS WITHOUT THE NEXT OPERATOR
In the current section we consider a fragment of LTL
without the X operator, for which the problem of realizability
is decidable in non-deterministic exponential time in the size
of the specification.
8Fragment LTLAG. We consider LTLAG that consists of for-
mulas φ from the following LTL fragment:
φ =
∧
i
Pi →
(∧
i
Qi ∧
∧
i
♦Ri ∧
∧
i
♦Fi
)
≡ 
∧
i
Pi →
(

∧
i
Qi ∧
∧
i
♦Ri ∧
∧
i
♦Fi
)
≡ P →
(
Q ∧
∧
i
♦Ri ∧
∧
i
♦Fi
)
for i ∈ {1, . . .m}, with Pi, Qi, Ri, Fi propositional formulas,
and P =
∧
i Pi, Q =
∧
iQi. We consider the standard
semantics of LTL. We first observe that every realizable safety
formula ψ = Q, where Q is propositional, admits mem-
oryless strategies. The LTLAG can express specification that
conists of conjunction of safety assumptions, and guarantees
where each guarantee is a safety, reachability, or a liveness
condition.
Lemma 4. Let A be any architecture. Every formula ψ = Q,
for some propositional Q, is realizable in A iff it is realizable
by memoryless strategies.
Proof: The right to left direction is immediate. For the
left to right direction, assume that ψ is realizable, and let σi
be the strategy of process pi ∈ P in A. Construct strategies
τi such that τi(x) = σi(z) for every x = zy ∈
(
2I(pi)
)
and
z ∈ 2I(pi), and let τ be the collective strategy of τi. For every
infinite path in T , we have that `τ (pi)[i] = `σ(pi)[1] for all
i ∈ N . Since σ implements ψ, it follows that `σ(pi)[1] |= Q.
Hence for all i, we have `τ (pi)[i] |= Q, and thus `τ (pi) |= ψ,
and all ti are memoryless strategies.
The following lemma establishes that reachability and safety
specifications of propositional formulas are equivalent with
respect to realizability.
Lemma 5. Let A be any architecture. For every formula ψ =
Q for some propositional Q, ψ is realizable inA iff ψ′ = ♦Q
is realizable in A.
Proof: The the left to right direction is immediate. For the
right to left direction, assume that there exist local strategies
σi such that the collective strategy σ implements ψ′, and let
Tσ be the corresponding collective strategy tree. Then there
exists some node x ∈ Tσ such that for all z ∈ 2O(pe), we
have `(xz) |= Q, otherwise we can construct an infinite path
pi such that pi[i] 6|= Q for all i ∈ N (and thus `(pi) 6|= ψ′), by
choosing for every x ∈ Tσ a z ∈ 2O(pe) such that `(xz) 6|= Q.
It follows that for local strategies τi such that τi(yz) = σi(xz)
for all y, z, the collective strategy τ realizes ψ.
Lemma 6 shows that the realizability of some φ ∈ LTLAG
reduces to realizing a set of safety formulas of the form of
Lemma 4.
Lemma 6. Let A be any architecture. Every formula φ ∈
LTLAG is realizable in A iff every φRi = (P → (Q ∧ Ri))
and every φFi = (P → (Q ∧ Fi)) is realizable in A.
Proof: (i) For the right to left direction, assume that there
exist families of memoryless (by Lemma 4) local strategies
(σRij ) and (σ
Fi
j ) for every process pj , such that the collective
strategy σRi implements φRi , and the collective strategy σ
Fi
implements φFi . Construct local strategies τj such that for
every x = yz with |z| = (1 + |x| mod 2m), we have
τj(x) = σ
R|z|
j (z) if |z| ≤ m, and τj(x) = σ
F|z|−m
j (z) if
|z| > m (i.e. the local strategy τj repeatedly alternates between
all the strategies σRij in the first m steps, and between all
the strategies σFij the next m steps). Let τ be the collective
strategy of all τj and consider an arbitrary path pi in T . Either
`τ (pi)[k] |= ¬P for some k, or for all k, it holds `τ (pi)[k] |= P ,
and by construction, for i = 1 + k mod 2m, we have
`τ (pi)[k] |= Q ∧ Ri when i ≤ m and `τ (pi)[k] |= Q ∧ Fi−m
when i > m. In both cases, `τ (pi) |= φ.
(ii) For the left to right direction, assume that for some i, φRi
is not realizable (the analysis is similar for φFi ). By Lemma 5,
♦(P → (Q ∧ Ri) is not realizable. Hence, for any collective
strategy σ there exists some path pi in Tσ , such that for all
k, we have `σ(pi)[k] |= P ∧ (¬Q ∨ ¬Ri), and σ does not
implement φ.
Hence, Lemma 6 establishes that every formula φ ∈ LTLAG
is realizable if and only if it admits local strategies for all
the corresponding φi, by providing a constructive argument.
As a consequence of Lemma 4, deciding whether every φi
is realizable reduces to realizing the propositional formula
(P → (Q ∧ Ri ∧ Fi). This can be done in NEXPTIME,
by having a non-deterministic Turing machine guessing the
local strategies of all processes, and verifying that such
strategies satisfy the formula under all the (exponentially
many) possible inputs of the environment. We show that
the problem is also NEXPTIME-hard, via a reduction from
the Dependency Quantifier Boolean Formula (DQBF) validity
problem introduced in [20] to study time bounded multi-
player alternating machines. A DQBF is a quantified Boolean
formula with a succinct description of dependencies between
the quantified variables. Every DQBF has an equivalent
form in which all existentially quantified variables are sub-
stituted by existentially quantified Skolem functions defined
over their dependencies, and appearing at the beginning of
the formula (e.g. ∀x1∀x2∃y1(x1)∃y2(x2)ϕ(x1, x2, y1, y2) is
a DQBF stating that yi depends on xi, and has a functional
form ∃σ1∃σ2∀x1∀x2ϕ(x1, x2, σ1(x1), σ2(x2)) with σ1, σ2 the
Skolem functions).
Lemma 7. Given an architecture A and a formula φ ∈ LTLAG,
deciding whether φ is realizable in A is NEXPTIME-hard.
Proof: Consider any DQBF formula ψ :
∀x1 . . . ∀xk∃y1(−→x1) . . . ∃yn(−→xn)ϕ(x1, . . . xk, y1 . . . yn) with
k universally quantified variables xi and n existentially
quantified variables yi. We assume w.l.o.g. that the
dependencies of each yi are only on some universally
quantified variables −→xi . We construct the architecture
A = (P, pe, V, E), where P contains n + 1 processes,
V = {xi ∈ ψ} ∪ {yi ∈ ψ}, process pi receives as inputs
from the environment all −→x i, outputs variable yi, while the
environment uses all remaining xj as hidden variables. We
construct the specification φ = ϕ ∈ LTLAG. Both A and
φ are polynomial in the size of ψ. Because of Lemma 4,
9φ is realizable in A iff ϕ is realizable in A. In turn, ϕ is
realizable iff ψ is valid, with local strategies σi corresponding
to the Skolem functions in the functional form of ψ, and
universal variables corresponding to all possible choices of the
environment in A. Since DQBF validity is NEXPTIME-hard
[20], the statement follows.
Hence, we have the following result.
Theorem 4. Given an architecture A and a specification φ ∈
LTLAG, the realizability of φ in A is NEXPTIME-complete.
Observe that Lemma 6 reduces the problem of realizability
of some ϕ ∈ LTLAG to realizing a set of formulas of the
form Q, where Q is propositional. This in turn is reducible
to DQBF validity (because of Lemma 4), and because of
Lemma 7, the two problems are equivalent. In consequence,
efficient algorithms for solving DQBF, such as [21], yield
efficient synthesis procedures for LTLAG, and vice versa.
Moreover, if the DQBF tool outputs the corresponding Skolem
functions, then a witness collective strategy for realizability
can be obtained.
VI. CONCLUSIONS
In this paper we studied the distributed synthesis prob-
lem for relevant fragments of LTL. We presented a much
finer characterization of undecidability results for distributed
synthesis in terms of LTL fragments that uses eventually,
globally and next operators. In contrast to previous decidability
results that were non-elementary, we identify fragments where
the complexity is EXPSPACE (or NEXPTIME-complete). An
interesting direction of future work would be to develop
algorithms for the problems for which we establish decid-
ability, obtain efficient implementations of the algorithms for
distributed synthesis problems, and finally consider some case-
studies of practical exmaples.
Acknowledgements. The research was supported by Austrian
Science Fund (FWF) Grant No P 23499- N23, FWF NFN
Grant No S11407-N23 (RiSE), ERC Start grant (279307:
Graph Games), Microsoft faculty fellows award, the Austrian
Science Fund NFN RiSE (Rigorous Systems Engineering),
the ERC Advanced Grant QUAREM (Quantitative Reactive
Modeling).
REFERENCES
[1] A. Church, “Logic, arithmetic and automata,” in Proceedings of the
international congress of mathematicians, pp. 23–35, 1962.
[2] P. Ramadge and W. Wonham, “Supervisory control of a class of discrete
event processes,” SIAM Journal on Control and Optimization, vol. 25,
no. 1, pp. 206–230, 1987.
[3] A. Pnueli and R. Rosner, “On the synthesis of a reactive module,” POPL
’89, pp. 179–190, ACM, 1989.
[4] A. Pnueli and R. Rosner, “Distributed reactive systems are hard to
synthesize,” SFCS ’90, pp. 746–757 vol.2, 1990.
[5] A. Pnueli, “The temporal logic of programs,” in FOCS, pp. 46–57, 1977.
[6] J. H. Reif, “Universal games of incomplete information,” STOC ’79,
pp. 288–308, ACM, 1979.
[7] G. L. Peterson and J. H. Reif, “Multiple-person alternation,” in FOCS,
pp. 348–363, 1979.
[8] O. Kupferman and M. Y. Vardi, “Synthesizing distributed systems,” in
LICS, pp. 389–398, 2001.
[9] S. Mohalik and I. Walukiewicz, “Distributed games,” in FSTTCS,
pp. 338–351, 2003.
[10] B. Finkbeiner and S. Schewe, “Uniform distributed synthesis,” LICS,
pp. 321–330, 2005.
[11] R. Alur, S. La Torre, and P. Madhusudan, “Playing games with boxes
and diamonds,” in CONCUR, pp. 127–141, 2003.
[12] R. Alur and S. La Torre, “Deterministic generators and games for ltl
fragments,” ACM Trans. Comput. Log., vol. 5, no. 1, pp. 1–25, 2004.
[13] J. Kretı´nsky´ and J. Esparza, “Deterministic automata for the (f, g)-
fragment of ltl,” in CAV, pp. 7–22, 2012.
[14] N. Piterman, A. Pnueli, and Y. Sa’ar, “Synthesis of reactive(1) designs,”
in VMCAI, LNCS 3855, Springer, pp. 364–380, 2006.
[15] Y. Godhal, K. Chatterjee, and T. A. Henzinger, “Synthesis of AMBA
AHB from formal specification: A case study,” STTT, 2011.
[16] R. Bloem, S. J. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and
M. Weiglhofer, “Interactive presentation: Automatic hardware synthesis
from specifications: a case study,” in DATE, pp. 1188–1193, 2007.
[17] C. Papadimitriou, Computational complexity. Addison-Wesley, 1994.
[18] O. Kupferman, M. Y. Vardi, and P. Wolper, “An automata-theoretic
approach to branching-time model checking,” Journal of the ACM
(JACM), vol. 47, no. 2, pp. 312–360, 2000.
[19] W. J. Savitch, “Relationships between nondeterministic and deterministic
tape complexities,” JCSS, vol. 4, no. 2, pp. 177 – 192, 1970.
[20] G. Peterson, J. Reif, and S. Azhar, “Lower bounds for multiplayer non-
cooperative games of incomplete information,” Journal of Computers
and Mathematics with Applications, vol. 41, pp. 957–992, 2001.
[21] A. Fro¨hlich, G. Kova´sznai, and A. Biere, “A dpll algorithm for solving
dqbf,” Pragmatics of SAT, vol. 2012, 2012.
