Symmetric Synthesis by Ehlers, Ruediger & Finkbeiner, Bernd
arXiv:1710.05633v1 [cs.LO] 16 Oct 2017
Symmetric Synthesis∗
Rüdiger Ehlers1 and Bernd Finkbeiner2
1 University of Bremen, Bremen, Germany
ruediger.ehlers@uni-bremen.de
2 Saarland University, Saarbrücken, Germany
finkbeiner@cs.uni-saarland.de
Abstract
We study the problem of determining whether a given temporal specification can be implemented
by a symmetric system, i.e., a system composed from identical components. Symmetry is an
important goal in the design of distributed systems, because systems that are composed from
identical components are easier to build and maintain. We show that for the class of rotation-
symmetric architectures, i.e., multi-process architectures where all processes have access to all
system inputs, but see different rotations of the inputs, the symmetric synthesis problem is
EXPTIME-complete in the number of processes. In architectures where the processes do not
have access to all input variables, the symmetric synthesis problem becomes undecidable, even
in cases where the standard distributed synthesis problem is decidable.
1998 ACM Subject Classification D.2.4 Formal Methods
Keywords and phrases Reactive Synthesis, Symmetry
1 Introduction
Many classical protocols and distributed systems are symmetric. This means that every
process, independently of its identity, starts in the same initial state and follows the same
set of transitions. Symmetric systems are easier to understand and maintain; especially
in VLSI designs, which usually contain large numbers of identical components, this is a
significant cost factor. Constructing symmetric systems is also a step towards building
arbitrarily scalable systems [7, 2, 11].
There is a large body of results [1, 18, 5, 12, 26, 13] that deal with the question of which
distributed systems need symmetry breaking and which do not. Leader election among the
processes on a ring, for example, cannot be implemented symmetrically [1]; similarly, in
resource-sharing problems, like the Dining Philosophers, the only way to avoid starvation is
to break the symmetry [18].
Our goal is to automate this type of reasoning. Given a specification of a reactive system
in temporal logic, we wish to automatically determine whether there exists a symmetric
implementation. This is a refinement of the classic distributed synthesis problem, which asks
whether a temporal specification has an implementation where the processes are arranged
in a particular architecture. Distributed synthesis is well-studied [25, 21, 14, 15, 16, 9, 24].
∗ This work was partially supported by the Institutional Strategy of the University of Bremen, funded
by the German Excellence Initiative, by the German Research Foundation (DFG) within the program
“Performance Guarantees for Computer Systems” and the Transregional Collaborative Research Center
“Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS), and by the European
Research Council (ERC) Grant OSARES (No. 683300).
[Figure 1: three processes $p_0$, $p_1$, $p_2$ reading the global inputs $x_0$, $x_1$, $x_2$ and producing the outputs $(p_0, y)$, $(p_1, y)$, $(p_2, y)$.]
Figure 1 A simple rotation-symmetric architecture.
However, the approach presented in this paper is the first to synthesize symmetric im-
plementations. We consider rotation-symmetric system architectures. Rotation-symmetric
architectures are multi-process architectures where all processes have access to all system
inputs, but see different rotations of the inputs. Figure 1 shows a simple rotation-symmetric
architecture. Rotation-symmetric architectures are suitable to reason about distributed sys-
tems that lack a central coordination process. They can, for example, model leader election
scenarios and distributed traffic light controllers [6]. The fact that the processes obtain their
input in different rotations is important: since all processes have the same implementation,
they would otherwise also produce the same output. The synthesis problem for such systems
could trivially be reduced to the standard synthesis problem by adding a constraint that the
outputs are the same all the time.
We present an algorithm for the synthesis of symmetric systems in rotation-symmetric
architectures from specifications in linear-time temporal logic (LTL). Most standard syn-
thesis algorithms follow the automata-theoretic approach [22], whereby the given temporal
formula is translated into a tree automaton that accepts exactly those computation trees
that satisfy the formula. Hence, the specification is realizable if and only if the language
of the automaton is non-empty. The synthesis algorithm then simply extracts some finite-
state implementation from the language of the automaton. The situation is more difficult
when we wish to decide the existence of a symmetric solution, because the language of the
automaton may contain both computation trees that belong to symmetric implementations
and computation trees that belong to asymmetric implementations. As we show in Sec-
tion 4, symmetry is not a regular property: we therefore cannot check symmetry with a
separate tree automaton or encode symmetry as a temporal logic formula and add it to the
specification.
The key insight of our algorithm is that the paths in the computation trees produced by symmetric implementations are guaranteed to be invariant under rotations: if, in each position of two (finite or infinite) computation paths, the values of the input variables of the $j$th process in the first path correspond to the values of the input variables of the $((j + k) \bmod n)$th process, for some $k$, in the second path, then the values of the output variables of the $j$th process must also, in each position, correspond to the values of the output variables of the $((j + k) \bmod n)$th process (for all $0 \le j < n$, where $n$ is the number of processes). Our algorithm exploits this observation to simplify the computation trees. Paths
that are just rotations of each other are collapsed into a single representative. Computations
in different processes that must lead to identical outputs are thus kept in the same path of
the reduced tree; the paths only split when the symmetry is broken by some input. While
symmetry is difficult to check on the original computation tree, it becomes a local condition
on individual paths in the reduced tree: as long as the output never spontaneously introduces
asymmetry, i.e., as long as every asymmetry in the output can be explained by a previous
asymmetry in the input, the reduced tree can be expanded into a full computation tree that
we know, by construction, to be symmetric.
As we show in Section 4, the running time of our synthesis algorithm is single-exponential
in the number of processes. In Section 5, we show that our algorithm is asymptotically
optimal: the problem is EXPTIME-complete in the number of processes. In Section 6,
we study the extension of the synthesis problem to the case where the processes no longer
have access to all variables. Here, our result is negative: under incomplete information,
the symmetric synthesis problem is undecidable even for system architectures where the
standard synthesis problem is decidable. This paper is based on previously unpublished
results from the first author’s PhD thesis [6], where also additional details of the presented
results can be found.
2 Preliminaries
A reactive system produces a valuation to the output propositions in some set $AP_O$ and reads the values of the input propositions in some set $AP_I$ in every step of its execution. The behavior of a reactive system can be described as a computation tree $\langle T, \tau \rangle$, where $T = (2^{AP_I})^*$ is the set of tree nodes and $\tau : T \to 2^{AP_O}$ labels every tree node $t$ by the output propositions $\tau(t)$ that the system sets to true after having read $t$ as its (prefix) input sequence.
A trace in a computation tree $\langle T, \tau \rangle$ is an infinite sequence $(\tau(\epsilon) \cup t_0)(\tau(t_0) \cup t_1)(\tau(t_0 t_1) \cup t_2)(\tau(t_0 t_1 t_2) \cup t_3) \ldots \in (2^{AP_I \cup AP_O})^\omega$. Given some language $L \subseteq (2^{AP_I \cup AP_O})^\omega$, reactive synthesis is the process of checking if there exists a computation tree $\langle T, \tau \rangle$ with $T = (2^{AP_I})^*$ as node set such that every trace of $\langle T, \tau \rangle$ is in $L$. A classical logic to denote specification languages is linear temporal logic (LTL, [19]). LTL formulas for reactive system specifications are built according to the grammar
$$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid X\varphi \mid G\varphi \mid F\varphi \mid \varphi \, U \, \varphi,$$
using the temporal operators $G$ (globally), $F$ (eventually), $X$ (next), and $U$ (until). All elements from $AP_I$ and $AP_O$ can be used as propositions $p$. A more formal definition of LTL is given in [19, 4].
For LTL specifications, it is known that whenever there exists a computation tree all of whose traces satisfy a specification (i.e., the specification is realizable), there also exists a regular such computation tree. A computation tree is regular if it has only finitely many different sub-trees. Given a computation tree $\langle T, \tau \rangle$, a tree $\langle T', \tau' \rangle$ is a sub-tree of $\langle T, \tau \rangle$ if and only if $T = T'$ and there exists a $\hat t \in T$ such that for every $t \in T$, we have $\tau'(t) = \tau(\hat t \, t)$. Regular computation trees can be translated to finite-state machines and implemented in hardware or software using a finite amount of memory. A tree language for some sets $AP_I$ and $AP_O$ is a subset of all trees $\langle T, \tau \rangle$ with $T = (2^{AP_I})^*$ and $\tau : T \to 2^{AP_O}$. A tree or word language is called regular if it can be recognized by some finite tree or word automaton (with a Muller acceptance condition, see [10] for details).
In distributed synthesis, we search for a distributed implementation of a finite-state machine. Given is an architecture that defines several processes and the signals that connect
the processes among themselves and with the global input and output of the architecture.
Starting from a specification over all signals, we search for implementations for all of the
processes such that the computation tree induced by the process implementations and the
architecture satisfies the specification. In the induced computation tree, all processes are
executed at the same time and in parallel, using the usual parallel composition semantics.
It is known since the seminal work by Pnueli and Rosner [21] that not all architectures
have a decidable distributed synthesis problem. Figure 2 depicts the A0 architecture that
they defined as an example for an undecidable architecture. Finkbeiner and Schewe [9]
later proved that the distributed synthesis problem is decidable if and only if there exists
no information fork in the architecture. An information fork is a pair of processes that are
incomparably informed, i.e., for which each of the processes has access to some global input
that the other process cannot read. For a more formal definition of distributed synthesis,
the interested reader is referred to [9].
A Turing machine is a tuple $M = (Q, \Sigma, \Gamma, \delta, q_0, g)$ in which $Q$ is a finite set of states, $\Sigma$ is an input alphabet, $\Gamma \supseteq \Sigma$ is a (finite) tape alphabet, $\delta : Q \times \Gamma \to (Q \times \Gamma \times \{-1, 0, 1\})^2$ encodes the Turing machine transition function, $q_0 \in Q$ is an initial state, and $g$ maps every state to its type, which can be accepting, rejecting, or transient. The $\delta$ function maps every state/tape content combination to exactly two possible successor state/tape content/tape motion combinations. For deterministic Turing machines, the two successor combinations are always the same. Alternating Turing machines [3] extend the non-deterministic Turing machines by partitioning the transient states into universally branching and existentially branching states. An (alternating) Turing machine accepts a word $w \in \Sigma^*$ if there exists an accepting run tree when starting in state $q_0$ with the tape empty except for a copy of $w$ where the machine head starts on the first character of $w$. In all universal states, the Turing machine execution must be accepting for both possible transitions.
We assume that the modulo function always returns a non-negative number, such that, e.g., $-13 \bmod 5 = 2$.
3 The Symmetric Synthesis Problem
We consider distributed reactive synthesis problems in which all processes share the same implementation. A process has an interface $N = (AP_I, AP_O)$ with the local input proposition set $AP_I$ and a local output proposition set $AP_O$. The connections between the processes are described in an architecture.
§ Definition 1 (Symmetric architecture). Given an interface $N = (AP_I, AP_O)$, a symmetric architecture over $N$ is a tuple $E = (S, P, AP_I^G, E_{in}, E_{out})$ with:
the set of (internal) signals $S$,
the process set $P$,
the global input signal set $AP_I^G$,
the input edge function $E_{in} : (P \times AP_I) \to (S \cup AP_I^G)$, and
the output edge function $E_{out} : (P \times AP_O) \to S$.
As an example, the architecture given in the right part of Figure 2 hosts processes with the interface $N = (\{a\}, \{b\})$ and has the components $S = \{y, z\}$, $P = \{0, 1\}$, $AP_I^G = \{x\}$, $E_{in} = \{(0, a) \mapsto x, (1, a) \mapsto y\}$, and $E_{out} = \{(0, b) \mapsto y, (1, b) \mapsto z\}$. We only consider architectures in which every internal signal is written to by exactly one local output of one process. Given an FSM for a process with an interface $N$ and an architecture $E = (S, P, AP_I^G, E_{in}, E_{out})$ over $N$, we can construct an FSM with $AP_I^G$ as input proposition set and $S$ as output proposition set that implements the behavior of the complete architecture when using the FSM as process implementation. Without loss of generality, we use the standard synchronous composition semantics to do so. We define the symmetric synthesis problem as follows:
§ Definition 2. Given an interface $N = (AP_I, AP_O)$, an architecture $E = (S, P, AP_I^G, E_{in}, E_{out})$, and a specification $\varphi$ over the propositions $AP_I^G \cup S$, the symmetric synthesis problem is to check if an FSM implementation $F$ with the input proposition set $AP_I$ and output proposition set $AP_O$ exists such that the FSM obtained by plugging $F$ into $E$ satisfies $\varphi$. In case of a positive answer, we also want to obtain $F$.
4 Rotation-Symmetric Synthesis
Many symmetric architectures found in practice consist of a ring of processes, all of which
read all the input to the overall system. A slight generalization of this architecture shape is
the class of rotation-symmetric architectures.
§ Definition 3. A symmetric architecture $E = (S, P, AP_I^G, E_{in}, E_{out})$ over the interface $N = (AP_I, AP_O)$ with $n$ processes is called rotation-symmetric if and only if there exists a local designated proposition set $AP_I^L$ for every process instance such that the following conditions hold:
$AP_I^G = AP_I = AP_I^L \times \{0, \ldots, n-1\}$ and $P = \{p_0, \ldots, p_{n-1}\}$,
$S = AP_O \times \{0, \ldots, n-1\}$,
for every $p_i \in P$, every $x \in AP_I^L$, and every $j \in \{0, \ldots, n-1\}$, we have $E_{in}(p_i, (x, j)) = (x, (j - i) \bmod n)$, and
for every $x \in AP_O$ and $p_i \in P$, we have $E_{out}(p_i, x) = (x, i)$.
We show in this section that the symmetric synthesis problem for rotation-symmetric archi-
tectures and linear-time temporal logic (LTL) is decidable.
The key observation that we use to prove decidability is that the computation trees that
characterize the input/output behavior of a process implementation plugged into a rotation-
symmetric architecture have a useful property that we call the symmetry property. While
this property is non-regular and thus cannot be encoded into the specification (Lemma 6),
we show how to decompose it into two sub-properties, one of which is regular. The other
one is still non-regular, but has the advantage that we can enforce it in a synthesis process
by post-processing the computation tree obtained from a synthesis procedure to contain
only rotations of the computation tree paths along so-called normalized inputs. Since every
tree with the symmetry property is left unaltered by this step and we also describe how to
ensure that the result of the post-processing step is guaranteed to be a correct solution, this
approach is sound and complete.
We assume some fixed rotation-symmetric architecture $E = (S, P, AP_I^G, E_{in}, E_{out})$ over some local process interface $(AP_I^L, AP_O)$ to be given, and define $I = 2^{AP_I^G}$ to denote the global input alphabet to all processes, while $O = 2^{AP_O \times \{0, \ldots, n-1\}}$ denotes the global output alphabet. The local output alphabet of one process is $2^{AP_O}$.
The following rotation function will become useful in the analysis below. Let $U = 2^{AP \times \{0, \ldots, n-1\}}$ for some other set $AP$. We define a rotation operator $rot : U \times \mathbb{Z} \to U$ with $rot(u, k) = \{(p, (j + k) \bmod n) \mid (p, j) \in u\}$ for every $u \in U$ and $k \in \mathbb{Z}$. Furthermore, we extend the $rot$ function to LTL formulas and define $rot(\psi, k)$ for an LTL formula $\psi$ over the set of propositions $AP \times \{0, \ldots, n-1\}$ and $k \in \mathbb{Z}$ to be $\psi$ with all atomic propositions $(p, j)$ replaced by $(p, (j + k) \bmod n)$ for $p \in AP$, $j \in \mathbb{Z}$. For clarity, when dealing with the $rot$ function for some set $U = 2^{AP \times \{0, \ldots, n-1\}}$, we often partition the elements of $AP \times \{0, \ldots, n-1\}$ by their process indices and for example write $(X_0, \ldots, X_{n-1})$ instead of $(X_0 \times \{0\}) \cup \ldots \cup (X_{n-1} \times \{n-1\})$ for $X_0, \ldots, X_{n-1} \subseteq AP$. The rotation function is extended to sequences of elements in $U$ by rotating the individual sequence items.
§ Definition 4 (Symmetry property). Given a tree $\langle T, \tau \rangle$ over $T = I^*$ and $\tau : T \to O$, we say that the tree has the symmetry property if for each $t \in T$ and $0 \le i < n$, $\tau(rot(t, i)) = rot(\tau(t), i)$.
§ Lemma 5 (Symmetry lemma). The set of regular trees having the symmetry property is precisely the same as the set of trees that are induced by a rotation-symmetric architecture for some process implementation.
A proof of the lemma can be found in the appendix. The symmetry property is not a regular tree property, and hence cannot be encoded into a tree or word automaton.
§ Lemma 6. The set of symmetric computation trees for the two-process rotation-symmetric architecture with process interface $N = (AP_I^L \times \{0, 1\}, AP_O)$ and $AP_I^L = \{i\}$ and $AP_O = \{o\}$ is not a regular tree language.
Proof. For a proof by contradiction, suppose that the set of symmetric computation trees is regular. The language includes a tree with the symmetry property in which the node labels on the path $(\emptyset, \{i\})^*$ and, symmetrically, on the path $(\{i\}, \emptyset)^*$ form the sequence $l = (\emptyset, \emptyset)^1 (\{o\}, \{o\}) (\emptyset, \emptyset)^2 (\{o\}, \{o\}) \ldots$, i.e., the length of the $(\emptyset, \emptyset)$-sequences grows according to the distance to the root. According to the pumping lemma for regular tree languages, however, the sequence $l$ can be partitioned into $l = u \cdot v \cdot w$, such that, for every $k > 0$, there exists a tree in the language where the label sequence on $(\emptyset, \{i\})^*$ is $u \cdot v^k \cdot w$, while the label sequence on $(\{i\}, \emptyset)^*$ is still $l$. Clearly, these trees are not symmetric. □
Since the symmetry property is non-regular, we need to alter the synthesis process itself
to account for it. In order to synthesize an implementation for one process, we synthesize
implementations for all processes together. These only need to work correctly on normalized input sequences $t \in I^*$. An input sequence is normalized if $\min_i rot(t, i) = t$, where the $\min$ function uses the lexicographic ordering over the strings in $I^*$. For the ordering of the elements in $I$, we consider the lexicographic ordering of their tuple representation. For example, we have $(0, 1, 0) < (0, 1, 1)$ and $(0, 1, 0) < (1, 0, 0)$ for a three-process architecture with a single local input proposition. A tree with the symmetry property is fully determined by the labels along normalized input sequences, as for every non-normalized input sequence $t' \in I^*$, we have $\tau(t') = rot(\tau(t), i)$ for the normalized sequence $t$ and every $i$ such that $t' = rot(t, i)$.
When only considering the normalized input sequences during synthesis, we can take the computation tree for all processes in the architecture together and complete it by filling all other tree labels with rotations of the tree labels along normalized inputs. We call the resulting tree its symmetric completion. If afterwards we have $\tau(rot(t, i)) = rot(\tau(t), i)$ for all $t \in I^*$ and $i \in \mathbb{N}$, then the symmetry lemma guarantees that the resulting tree is induced by some process instantiated in a rotation-symmetric architecture. So if we can guarantee that (1) $\tau(rot(t, i)) = rot(\tau(t), i)$ actually holds for all normalized $t$ and $i \in \mathbb{N}$ (for a normalized $t$ this only constrains the rotations $i$ with $rot(t, i) = t$, as the labels of all other nodes are defined by the completion) and (2) that the symmetric completion of the tree satisfies the specification along all paths, then we can obtain a correct process implementation by synthesizing a computation tree for the complete architecture. Our construction for symmetric synthesis consists of these two components, which we describe in more detail below.
4.1 Ensuring Symmetric Completability
Not every O-labeled computation tree can easily be made symmetric by replacing the tree
labels for non-normalized input sequences. Take for example a tree $\langle T, \tau \rangle$ for the architecture given in Figure 1 with $\tau(\epsilon) = (\emptyset, \emptyset, \{y\})$. Since the output of the processes is initially different, this means that they cannot have the same implementation. We show in this
section that detecting such cases is simple, and the formalization of the observation is a
regular property that can be easily encoded into LTL.
§ Definition 7. Let $AP$ be some set, and $P = \{p_0, \ldots, p_{n-1}\}$ be a list of process identifiers. For every $x \subseteq (AP \times \{0, \ldots, n-1\})$ and $w = w_0 w_1 w_2 \ldots w_l \in (2^{AP \times \{0, \ldots, n-1\}})^*$, we define
$$rep(x) = |\{j \in \{0, \ldots, n-1\} \mid rot(x, j) = x\}|,$$
$$repS(\epsilon) = n,$$
$$repS(w) = \gcd(repS(w_0 \ldots w_{l-1}), rep(w_l)),$$
where $\gcd$ denotes the greatest common divisor function.
For some word $t \in I^*$, $repS(t)$ represents how many different rotations in $\{0, \ldots, n-1\}$ of $t$ exist that map the word to itself. Since the rotations that map a set (or a word) to itself are closed under composition, $rep(x)$ and $repS(t)$ always divide $n$.
§ Lemma 8 (Second symmetry lemma). Let $\langle T, \tau \rangle$ be a computation tree with $T = I^*$ and $\tau : T \to O$ for which for every $t \in T$, we have that $repS(t) \mid rep(\tau(t))$ (where the $\mid$ symbol refers to division without remainder). The unique symmetric completion of $\langle T, \tau \rangle$ has the symmetry property. Furthermore, if $\langle T, \tau \rangle$ is regular, then so is its unique symmetric completion.
By the second symmetry lemma, it suffices for a computation tree to have $repS(t) \mid rep(\tau(t))$ for all $t \in T$ to ensure that the symmetric completion of the tree has the symmetry property.
We can encode this requirement in LTL as
$$\varphi_{outcond} = \bigwedge_{d \in \{1, \ldots, n\},\; d \mid n} \neg\big(sym(AP_I^L, d, n) \; U \; \neg sym(AP_O, d, n)\big)$$
for the function
$$sym(AP, d, n) = \bigwedge_{a \in AP,\; j \in \{0, \ldots, n-1\}} (a, j) \leftrightarrow (a, (j + \tfrac{n}{d}) \bmod n)$$
that encodes, for each $i \subseteq AP \times \{0, \ldots, n-1\}$, whether $d \mid rep(i)$ (for $d \in \mathbb{N}$ with $d \mid n$). Along a trace, the conjunct for $d$ forbids a position at which the output is not $d$-symmetric while the inputs at all earlier positions were $d$-symmetric. Since the output at a position is $\tau$ applied to the inputs read before it, this is exactly the condition $d \mid repS(t) \Rightarrow d \mid rep(\tau(t))$ required by the second symmetry lemma.
4.2 Ensuring That the Tree Completion Satisfies the Specification
If we have a computation tree $\langle T, \tau \rangle$ all of whose traces satisfy some linear-time specification $\varphi$, this does not imply that its rotation-symmetric completion satisfies $\varphi$ as well. If all traces of $\langle T, \tau \rangle$ however satisfy $\varphi \wedge rot(\varphi, 1) \wedge \ldots \wedge rot(\varphi, n-1)$, then since we know that every infinite trace in the rotation-symmetric completion is a rotation of a trace in the original tree by some value $i \in \mathbb{N}$, we know that the rotation-symmetric completion also satisfies $\varphi$ along every trace. So if we synthesize a tree for $\varphi' = \varphi \wedge rot(\varphi, 1) \wedge \ldots \wedge rot(\varphi, n-1)$ as specification instead of $\varphi$, taking the rotation-symmetric completion maintains $\varphi$.
Note that strengthening $\varphi$ to $\varphi'$ comes without loss of generality if we are interested in rotation-symmetric implementations. By the symmetry property, if the tree $\langle T, \tau \rangle$ induced by a rotation-symmetric architecture and a process implementation satisfies $\varphi$, then it also satisfies $rot(\varphi, i)$ for all $i \in \mathbb{N}$, as every rotation of every trace in the tree is also a trace in the tree. Hence, to satisfy $\varphi$, it also needs to satisfy $rot(\varphi, i)$, as otherwise we could take a trace not satisfying $rot(\varphi, i)$, rotate it by $-i$, and obtain a trace that does not satisfy $\varphi$.
4.3 Putting Everything Together
Using the concepts defined above, we are now ready to tie them together to a complete
synthesis process. We start with a specification $\varphi$ over the architecture input propositions $AP_I^G$ and the output proposition set $AP_O \times \{0, \ldots, n-1\}$ for $|P| = n$.
1. We modify the specification $\varphi$ to $\varphi' = \varphi \wedge rot(\varphi, 1) \wedge \ldots \wedge rot(\varphi, n-1)$ (as described in Section 4.2).
2. We modify $\varphi'$ to $\varphi'' = \varphi' \wedge \varphi_{outcond}$ (as described in Section 4.1).
3. We synthesize a regular tree $\langle T, \tau \rangle$ that satisfies $\varphi''$ along all paths using a classical reactive synthesis procedure. If there is no such tree, the specification is unrealizable.
4. If a regular computation tree $\langle T, \tau \rangle$ is found, we replace every label along non-normalized directions by rotations of $\tau$'s labels along normalized directions to get a tree $\langle T', \tau' \rangle$ with the symmetry property.
5. We cut off the labels of $\tau'$ except for the output of the first process in the architecture. The resulting (regular) tree is the synthesized process implementation.
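As an added example (not code from the paper or its authors), the following Python script implements the ingredients of Sections 4 and 4.1 and of steps 4 and 5 above on a constructed finite-depth tree: the $rot$ operator, input normalization by lexicographically least rotation, $rep$ and $repS$ from Definition 7, the completability check of the second symmetry lemma, the symmetric completion, and the projection onto process 0. The instance (three processes, one local input $x$, one local output $y$, input sequences up to length 2) and the labelling `leader_label` along normalized inputs are assumptions standing in for the result of step 3; the script also re-runs the $\tau(\epsilon) = (\emptyset, \emptyset, \{y\})$ counterexample of Section 4.1 to show the check rejecting it.

```python
from itertools import product
from math import gcd

# Constructed instance (an assumption of this example, not from the paper): three
# processes, local input proposition x, local output y, all inputs of length <= DEPTH.
N, AP_I_LOCAL, DEPTH, EMPTY = 3, ("x",), 2, frozenset()
# A letter over AP x {0..n-1} is a tuple (X_0, ..., X_{n-1}) of frozensets, X_j being
# the propositions of process j, following the paper's notation.

def rot(u, k):
    """rot(u, k) = {(p, (j+k) mod n) | (p, j) in u}: component j moves to index j+k."""
    return tuple(u[(m - k) % len(u)] for m in range(len(u)))

def rot_word(w, k):
    return tuple(rot(u, k) for u in w)

def letter_key(u, ap):
    """Tuple representation, e.g. (0, 1, 0), used for the lexicographic order on I."""
    return tuple(tuple(p in u[j] for p in ap) for j in range(len(u)))

def normalize(w, ap):
    """Lexicographically least rotation of w; t is normalized iff normalize(t) == t."""
    i = min(range(N), key=lambda k: [letter_key(u, ap) for u in rot_word(w, k)])
    return rot_word(w, i)

def letters(ap):
    subsets = [frozenset(p for p, b in zip(ap, bits) if b)
               for bits in product((False, True), repeat=len(ap))]
    return [tuple(c) for c in product(subsets, repeat=N)]

def words(ap, depth):
    """All input sequences t in I* of length <= depth."""
    for d in range(depth + 1):
        yield from product(letters(ap), repeat=d)

def rep(x):
    """Definition 7: number of rotations j in {0..n-1} with rot(x, j) = x."""
    return sum(1 for j in range(len(x)) if rot(x, j) == x)

def rep_s(w):
    """Definition 7: repS(eps) = n, repS(w0..wl) = gcd(repS(w0..w(l-1)), rep(wl))."""
    r = N
    for u in w:
        r = gcd(r, rep(u))
    return r

def completable(tree):
    """Second symmetry lemma precondition: repS(t) divides rep(tau(t)) at every node."""
    return all(rep(out) % rep_s(t) == 0 for t, out in tree.items())

def symmetric_completion(tree, ap):
    """Step 4 of Section 4.3: label t = rot(t_norm, k) with rot(tau(t_norm), k). If two
    such k give different labels, tau(t_norm) is not symmetric enough; completable()
    is exactly what rules this out."""
    full = {}
    for t in words(ap, DEPTH):
        t_norm = normalize(t, ap)
        labels = {rot(tree[t_norm], k) for k in range(N) if rot_word(t_norm, k) == t}
        if len(labels) != 1:
            raise ValueError(f"conflicting labels {labels} at node {t}")
        full[t] = labels.pop()
    return full

def has_symmetry_property(full):
    """Definition 4 on the finite tree: tau(rot(t, i)) = rot(tau(t), i)."""
    return all(full[rot_word(t, i)] == rot(out, i) for t, out in full.items() for i in range(N))

def project(full, process=0):
    """Step 5: keep one process's output; process 0 reads the global input unrotated,
    so its projected tree is the process implementation itself."""
    return {t: out[process] for t, out in full.items()}

def leader_label(t):
    """Constructed labelling along normalized inputs, standing in for the output of step 3:
    after a letter in which some but not all processes raised x, the raiser with the lowest
    index outputs y; otherwise nobody does. Only normalized sequences ever reach this
    tie-break, so the completion turns it into a rotation-symmetric rule."""
    raisers = [j for j in range(N) if t and "x" in t[-1][j]]
    leader = min(raisers) if 0 < len(raisers) < N else None
    return tuple(frozenset({"y"}) if j == leader else EMPTY for j in range(N))

def synthesized_tree(label, ap=AP_I_LOCAL):
    """What a synthesizer delivers here: labels on normalized input sequences only."""
    return {t: label(t) for t in words(ap, DEPTH) if normalize(t, ap) == t}

def run_example():
    """Completes and projects the constructed tree; also runs the tau(eps) = (∅, ∅, {y})
    counterexample of Section 4.1 through the completability check."""
    good = synthesized_tree(leader_label)
    assert completable(good)
    full = symmetric_completion(good, AP_I_LOCAL)
    assert has_symmetry_property(full)
    bad = {**good, (): (EMPTY, EMPTY, frozenset({"y"}))}
    return project(full), completable(bad)

if __name__ == "__main__":
    impl, bad_ok = run_example()
    x, o = frozenset({"x"}), EMPTY
    for t in [((x, o, o),), ((x, x, o),), ((x, o, x),), ((x, o, o), (x, x, o))]:
        print([[int("x" in X) for X in u] for u in t], "-> process 0 outputs", sorted(impl[t]))
    print("counterexample completable:", bad_ok)
```

Running the script shows that the tie-break "lowest-indexed raiser wins", fixed only along normalized inputs, becomes a rule that depends on each process's position relative to the earlier asymmetry: after the single input $(x, \emptyset, \emptyset)$ process 0 outputs $y$, after $(x, \emptyset, x)$ process 2 does, and after the sequence $(x, \emptyset, \emptyset)(x, x, \emptyset)$ process 1 does. The projected tree of process 0 is the synthesized implementation, which every process runs on its own rotated view of the inputs. Calling `symmetric_completion` on the counterexample tree raises, because the three rotations of $(\emptyset, \emptyset, \{y\})$ compete for the label of the root.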
§ Proposition 9. The above synthesis process from LTL has a complexity that is 2EXPTIME in the length of the specification and exponential-time in the number of processes.
Proof. We use the automata-theoretic approach to reactive system synthesis from [17, 24] and the concepts defined in these works. We start by translating the specification to a universal co-Büchi word (UCW) automaton, which is of size $2^{O(|\varphi|)}$ in the size of the specification. As UCWs do not blow up under conjunction, executing step 1 from the construction above leads to an automaton of size $n \cdot 2^{O(|\varphi|)}$. A deterministic automaton for the added property in step 2 can be built with at most $n$ states, so executing step 2 leads to at most $n$ additional states, and we obtain an automaton with $n + n \cdot 2^{O(|\varphi|)} = n \cdot 2^{O(|\varphi|)}$ many states. The bounded synthesis approach works with specifications given as co-Büchi word automata [24] and takes time exponential in the number of states of the automaton. The overall time complexity so far is thus 2EXPTIME in $|\varphi|$ and exponential in $n$. Step 4 leads to a blow-up of at most a factor of $n^2$ and can be done in time polynomial in the number of states in the synthesized finite-state machine (whose size is proportional to the time complexity of the synthesis procedure executed in the previous step). Step 5 is simple and takes time linear in the size of the FSM. □
Note that even though the construction above discards all non-normalized parts of the synthesized computation tree, asking the synthesis algorithm to nevertheless synthesize these parts according to the specification comes without loss of generality, as trees with the symmetry property (which we are actually searching for) fulfill $\varphi''$ along all paths if all of their paths satisfy $\varphi$. So the synthesis process does not report spurious unrealizability.
5 Rotation-Symmetric Synthesis – Complexity
The symmetric synthesis construction from the previous section has a time complexity that is
doubly-exponential in the length of the specification and singly-exponential in the number of
processes. We want to show in this section that this matches the complexity of the problem
by giving a corresponding hardness result. The 2EXPTIME-hardness in the specification
length is inherited from the complexity of LTL synthesis [20]. For the EXPTIME complexity
in the number of processes, we provide the following result:
§ Lemma 10. Given an $f(k)$-space bounded alternating Turing machine $M = (Q, \Sigma, \Gamma, \delta, q_0, g)$, we can reduce the acceptance of a word $w \in \Sigma^k$ by $M$ to the symmetric realizability problem of $n = f(k)$ processes with a specification in LTL of size polynomial in $|Q| \cdot |\Gamma| \cdot |w|$.
[Figure 2: two architectures drawn side by side. Left: architecture $A_0$ with inputs $u$, $v$ and outputs $y$, $z$. Right: the symmetric architecture $S_0$ with global input $x$, internal signals $y$, $z$, and two processes with local input $a$ and local output $b$.]
Figure 2 System architectures with undecidable synthesis problems. On the left: architecture $A_0$, as defined by Pnueli and Rosner [21]; on the right: the symmetric architecture $S_0$. The distributed synthesis problem of $A_0$ and the symmetric synthesis problem of $S_0$ are undecidable.
Proof. We build a specification that requires the processes to output the Turing tape con-
figuration along an execution of the machine. The specification is realizable if and only
if the Turing machine does not accept the word. Every process outputs the value of one
Turing tape cell and if the tape head is at the cell, also the state of the Turing machine.
There are $n$ input signals to the architecture, and when the processes start, the left-most local input signal of each process is used to tell one or more processes that the Turing tape computation should start at that cell with the tape head being initially there (with $w$ as
the initial tape content). To account for the rotation-symmetry, the processes output not
only the tape content and tape head position, but also the current boundaries of the tape.
The specification is modeled such that if start and end markers collide, the simulation of
the Turing machine can stop.
The specification also includes conjuncts that require all processes together to simulate
the Turing machine computation correctly and to never reach an accepting state. Whenever
the alternating Turing machine branches universally, the left-most local process input signal
is used to select which successor state is picked. In case of existential branching, the processes
can decide which successor state to pick. Enforcing the specification to be realizable if and
only if the word w is not accepted by the Turing machine helps with taking care of the
diverging computations of the Turing machine and those computations that exceed the space
bound. Both count as non-accepting in the definition of space-bounded Turing machines.
Since these runs never visit accepting states and/or permit the simulation to stop, they are
allowed to be simulated by a synthesized implementation.
The specification can be written with size polynomial in |Q| ¨ |Γ| ¨ |w| as we only need
to define the specification for one process. By the symmetry of the architecture, the other
processes have to fulfill it as well. □
A more detailed proof can be found in the appendix.
§ Corollary 11. The rotation-symmetric realizability problem (for LTL) has a time complexity that is exponential in the number of processes.
Proof. Given the question whether a word $w = w_0 \ldots w_{k-1}$ is in the language defined by some $(c+1)$-EXPTIME $=$ $c$-AEXPSPACE problem for some $c \in \mathbb{N}$, we can reduce it to the symmetric realizability problem for an LTL specification of length polynomial in $k$ and with a number of processes that is $c$-fold exponential in $k$. Since by the space hierarchy theorem [23], the $c$-EXPTIME hierarchy is strict for increasing $c$, we can conclude that in general, we cannot solve the symmetric realizability problem faster than in time exponential in the number of components. □
[Figure 3: architecture $S_2$ with the global inputs $u$, $v$, $w$, the signals $x$, $y$, $z$ and $o$, $p$, $q$, and two processes, each with local inputs $a$, $b$, $c$ and local outputs $e$, $f$, $g$.]
Figure 3 Symmetric architecture $S_2$. The symmetric synthesis problem for $S_2$ is undecidable. The dashed arrows in the process boxes show how the specification given in the proof of Lemma 13 requires the processes to forward the local input streams.
6 The General Case – Undecidability
The synthesis problem for standard, not necessarily symmetric, distributed systems is de-
cidable as long as the processes can be ordered with respect to their relative knowledge
about the system inputs [9]. The problem becomes undecidable as soon as it contains an
information fork, i.e., a pair of processes with incomparable knowledge. The simplest such
architecture is Pnueli and Rosner’s A0 architecture [21], shown on the left in Fig. 2. In this
section, we show that for symmetric synthesis, even architectures without information forks,
such as the S0 architecture shown on the right in Fig. 2, are undecidable. Our proof is based
on Pnueli and Rosner’s undecidability argument for A0:
§ Lemma 12 ([21]). For a given Turing machine M , there exists an LTL formula ψ that
is realizable in the distributed architecture A0 if and only if M halts and such that the two
processes of the unique implementation of M sequentially output binary encodings of the
configurations of the Turing machine on y (or z, respectively) upon the first true value on
the input u (or v, respectively).
Because of the undecidability of the halting problem, Lemma 12 means that the distributed
synthesis problem of architecture $A_0$ is undecidable. We prove the undecidability
of the symmetric synthesis problem of architecture $S_0$ in two steps. First, we establish the
undecidability of the larger architecture $S_2$, depicted in Figure 3, by showing that the realizability
of $\psi$ in $A_0$ can be reduced to the symmetric realizability of an LTL formula over $S_2$;
in the second step, we encode the synthesis problem of $S_0$ into the synthesis problem of $S_2$
and thus establish that the synthesis problem for the simpler architecture $S_0$ is undecidable
as well.
▶ Lemma 13. The symmetric synthesis problem for architecture $S_2$ is undecidable.
[Figure 4 (not reproduced): four signal rows $x_1 = 01\ldots$, $x_2 = 11\ldots$, $x_3 = 00\ldots$, $x_4 = 10\ldots$ and, below them, the compressed stream CSS 0 1 0 1 CSS 1 1 0 0.]
Figure 4 An example for compressing a word with $|AP| = 4$.
Proof. We show that there exists an implementation for the specification $\psi$ in the $A_0$
architecture if and only if there exists a joint implementation for the two processes in the
$S_2$ architecture that satisfies $\psi' = \psi_d \wedge G(v \leftrightarrow Xo) \wedge G(w \leftrightarrow Xp)$, where $\psi_d$ results from
prefixing all occurrences of the signals $y$ and $z$ in $\psi$ with a next-time operator.
The results of the two synthesis problems can be translated into each other. A distributed
implementation of $\psi$ over $A_0$ is necessarily symmetric: both processes output the same
bitstream when reading a true value as their local input for the first time. To obtain an
implementation for $S_2$, we simulate the process with input $a$ and use $g$ as the local output.
Additionally, we copy all values from $b$ to $e$, and $c$ to $f$.
Conversely, an implementation found by the symmetric synthesis of $S_2$ provides an
implementation of $\psi$ in $A_0$. The key property of the architecture $S_2$ is that the process does
not know if the local input $b$ is the (delayed) $a$ input to the other process, or if its $c$ input
is the (Turing machine tape) output of the other process. Thus, it cannot find out if it is
the top process or the bottom process in the architecture and must prevent violating the
specification in either case. A more detailed proof is given in the appendix. ◀
In order to reduce the symmetric synthesis problem of $S_2$ to the symmetric synthesis
problem of $S_0$, we introduce compression functions that time-share multiple signals of $S_2$
into a single signal in $S_0$.
Let $AP$ be a set of signals. We call a function $f : (2^{AP})^\omega \to (2^{\{\chi\}})^\omega$ for some Boolean
variable $\chi$ a compression function if $f$ is injective. We call a function $f'$ that maps a
specification over the signal set $AP$ to a different specification over the signal set $\{\chi\}$ the
adjunct compression function to $f$ if for all $w \in (2^{AP})^\omega$ and specifications $\psi$ over $AP$, we
have that $w \models \psi$ if and only if $f(w) \models f'(\psi)$.
In the appendix, we give such a pair of compression functions for LTL. The compression
mechanism is illustrated in Figure 4. One clock cycle in the four-bit-per-character version of
a word is spread to 10 computation cycles in the one-bit-per-character version of the word.
Every 10 cycles, the 2-cycle character start sequence (CSS) $\{\chi\}\{\chi\}$ is instantiated, followed
by a two-cycle slot for each signal in $AP$ (four slots for $|AP| = 4$). Note that the construction ensures that
whenever we have $\{\chi\}\{\chi\}\emptyset$ as a part in a compressed word, then we know that a character
start sequence begins on the first occurrence of $\{\chi\}$ in this part.
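The following Python code is an added example, not the paper's own construction: it implements a compression function $f$ in the sense above for the $|AP| = 4$ case of Figure 4, together with its inverse and a check of the two properties the text relies on (injectivity, and that every $\{\chi\}\{\chi\}\emptyset$ part starts a character start sequence). The exact two-cycle slot encoding is given in the paper's appendix, not on this page; the code assumes that a signal holding in the current character is written as the two cycles $\emptyset\{\chi\}$ and an absent signal as $\emptyset\emptyset$, which is one choice that makes the CSS uniqueness remark true. Streams over $2^{\{\chi\}}$ are written as strings of '1' ($\{\chi\}$) and '0' ($\emptyset$), one character per cycle.

```python
from itertools import product

# Constructed example: the four signals of Figure 4.
AP = ("x1", "x2", "x3", "x4")
CSS = "11"                      # character start sequence {chi}{chi}
# Assumed slot encoding (not stated on this page): a signal that holds in the
# current character is encoded as the two cycles {}{chi} ("01"), an absent
# signal as {}{} ("00"). With this choice chi never occurs on two consecutive
# cycles outside a CSS, which is what the remark about {chi}{chi}{} requires.
SLOT = {True: "01", False: "00"}
FRAME = len(CSS) + 2 * len(AP)  # 10 cycles per character for |AP| = 4


def compress(word):
    """f: map a word over 2^AP (a sequence of frozensets of signal names)
    to a word over 2^{chi}, written as one '0'/'1' character per cycle."""
    out = []
    for letter in word:
        out.append(CSS)
        for p in AP:
            out.append(SLOT[p in letter])
    return "".join(out)


def decompress(stream):
    """Inverse of compress on its image; raises ValueError on malformed input."""
    if len(stream) % FRAME:
        raise ValueError("stream is not a whole number of characters")
    word = []
    for k in range(0, len(stream), FRAME):
        frame = stream[k:k + FRAME]
        if not frame.startswith(CSS):
            raise ValueError("missing character start sequence at cycle %d" % k)
        letter = set()
        for i, p in enumerate(AP):
            slot = frame[len(CSS) + 2 * i:len(CSS) + 2 * i + 2]
            if slot == SLOT[True]:
                letter.add(p)
            elif slot != SLOT[False]:
                raise ValueError("malformed slot for %s at cycle %d" % (p, k))
        word.append(frozenset(letter))
    return tuple(word)


def css_starts(stream):
    """Cycles at which a CSS begins according to the rule in the text: the
    first chi of every {chi}{chi}{} part of the stream."""
    return [i for i in range(len(stream) - 2) if stream[i:i + 3] == "110"]


def is_injective_on_all_words(max_len=2):
    """Check injectivity of compress (and the CSS rule) on every word of
    length <= max_len over 2^AP: 16 letters, hence 273 words for max_len = 2."""
    letters = [frozenset(p for p, b in zip(AP, bits) if b)
               for bits in product((0, 1), repeat=len(AP))]
    seen = {}
    for k in range(max_len + 1):
        for word in product(letters, repeat=k):
            stream = compress(word)
            if stream in seen or decompress(stream) != word:
                return False
            if css_starts(stream) != list(range(0, len(stream), FRAME)):
                return False
            seen[stream] = word
    return True


# The two characters shown in Figure 4: 0101 and then 1100 over (x1, x2, x3, x4).
FIGURE4_WORD = (frozenset({"x2", "x4"}), frozenset({"x1", "x2"}))
```

`compress(FIGURE4_WORD)` yields the 20-cycle stream for the two characters of Figure 4, and `is_injective_on_all_words()` confirms on all short words that `decompress` inverts `compress` and that "110" occurs only at frame boundaries. Only finite prefixes are handled; the $\omega$-word case follows character by character in the same way.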
▶ Theorem 14. The symmetric synthesis problem for architecture $S_0$ is undecidable.
Proof. In order to reduce the symmetric synthesis problem of architecture $S_0$ to the
symmetric synthesis problem of architecture $S_2$, we compress $u, v, w$ into signal $x$; $o, p, q$ into
signal $y$; and $x, y, z$ into signal $z$. A more detailed proof is given in the appendix. ◀
7 Conclusions
In this paper, we have studied the problem of synthesizing symmetric systems. Our new
synthesis algorithm is a useful tool in the development of distributed algorithms, because it
checks automatically if certain properties in a design problem require symmetry breaking.
Our algorithm synthesizes implementations of rotation-symmetric architectures, i.e.,
architectures where the processes observe all inputs. The undecidability result for the
architecture $S_0$ indicates that it is impossible to extend the synthesis algorithm to architectures
where the processes no longer have access to all inputs. A promising direction of research,
however, is to use our results to extend existing semi-algorithms for synthesis under incom-
plete information to such symmetric architectures. An example for such an approach is
bounded synthesis [24], which determines if there exists an implementation with at most n
states, where n is a given bound. The specification is translated into a universal co-Büchi
automaton, which is then, together with the bound n, encoded into a satisfiability modulo
theory problem. To ensure correctness under incomplete information, constraints are added
that ensure that if a process cannot distinguish two inputs, it transitions to the same suc-
cessor state. Similarly, for symmetric synthesis, constraints can be added that ensure that
the outputs of the individual processes are identical in states that are indistinguishable for
them.
Algorithms for symmetric synthesis procedures also offer a new perspective on the prob-
lem of synthesizing arbitrarily scalable (i. e. parametric) systems. Due to the undecidability
of the problem, only very limited solutions to this problem have been found so far. For
example, Jacobs and Bloem [11] tackle the case of asynchronous processes with local input
in a ring architecture and use the bounded synthesis approach mentioned above. Emerson
and Srinivasan [7] present a solution for a multi-process version of a small subset of the
temporal logic CTL while Attie and Emerson [2] give a different solution allowing a bigger
subset of CTL but only guaranteeing correctness of the solution if certain other conditions
are fulfilled, like the deadlock freeness of the solution produced. In such a setting, symmetric
synthesis can be used to detect specifications that are unrealizable even for small system
sizes – if there is no solution for a fixed number of processes $n$, then there is certainly none
for scalable systems as well.
References
1 Dana Angluin. Local and global properties in networks of processors (extended abstract).
In Twelfth Annual ACM Symposium on Theory of Computing (STOC), pages 82–93, 1980.
2 Paul C. Attie and E. Allen Emerson. Synthesis of concurrent systems with many similar
processes. ACM Trans. Program. Lang. Syst., 20(1):51–115, 1998. URL: http://doi.acm.org/10.1145/271510.271519, doi:10.1145/271510.271519.
3 Ashok K. Chandra, Dexter Kozen, and Larry J. Stockmeyer. Alternation. J. ACM,
28(1):114–133, 1981.
4 E. M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, 1999.
5 Shimon Cohen, Daniel J. Lehmann, and Amir Pnueli. Symmetric and economical solutions
to the mutual exclusion problem in a distributed system. Theor. Comput. Sci., 34:215–225,
1984.
6 Rüdiger Ehlers. Symmetric and efficient synthesis. PhD thesis, Saarland University, 2013.
URL: http://scidok.sulb.uni-saarland.de/volltexte/2013/5607/.
7 E. Allen Emerson and Jai Srinivasan. A decidable temporal logic to reason about many
processes. In Proc. PODC, pages 233–246, 1990.
8 N. J. Fine and H. S. Wilf. Uniqueness theorems for periodic functions. Proceedings of the
American Mathematical Society, 16:109–114, 1965.
9 Bernd Finkbeiner and Sven Schewe. Uniform distributed synthesis. In Proc. LICS, pages
321–330, 2005.
10 Jörg Flum, Erich Grädel, and Thomas Wilke, editors. Logic and Automata: History and
Perspectives [in Honor of Wolfgang Thomas], volume 2 of Texts in Logic and Games.
Amsterdam University Press, 2008.
11 Swen Jacobs and Roderick Bloem. Parameterized synthesis. Logical Methods in Computer
Science, 10(1), 2014. doi:10.2168/LMCS-10(1:12)2014.
12 Ralph E. Johnson and Fred B. Schneider. Symmetry and similarity in distributed systems.
In Proc. PODC, pages 13–22. ACM, 1985.
13 Evangelos Kranakis. Invited talk: Symmetry and computability in anonymous networks.
In Nicola Santoro and Paul G. Spirakis, editors, Proc. SIROCCO, pages 1–16. Carleton
Scientific, 1996.
14 Orna Kupferman and Moshe Y. Vardi. Synthesis with incomplete information. In Proc.
ICTL, 1997.
15 Orna Kupferman and Moshe Y. Vardi. µ-calculus synthesis. In Proc. MFCS, pages 497–507,
2000.
16 Orna Kupferman and Moshe Y. Vardi. Synthesizing distributed systems. In 16th Annual
IEEE Symposium on Logic in Computer Science (LICS 2001), July 2001.
17 Orna Kupferman and Moshe Y. Vardi. Safraless decision procedures. In FOCS, pages
531–542. IEEE, 2005.
18 Daniel J. Lehmann and Michael O. Rabin. On the advantages of free choice: A symmetric
and fully distributed solution to the dining philosophers problem. In Proc. POPL, 1981.
19 Amir Pnueli. The temporal logic of programs. In FOCS, pages 46–57. IEEE, 1977.
20 Amir Pnueli and Roni Rosner. On the synthesis of an asynchronous reactive module. In
Giorgio Ausiello, Mariangiola Dezani-Ciancaglini, and Simona Ronchi Della Rocca, editors,
ICALP, volume 372 of Lecture Notes in Computer Science, pages 652–671. Springer, 1989.
21 Amir Pnueli and Roni Rosner. Distributed reactive systems are hard to synthesize. In
FOCS, volume II, pages 746–757. IEEE, 1990.
22 Michael O. Rabin. Automata on Infinite Objects and Church’s Problem. American Mathe-
matical Society, 1972.
23 Desh Ranjan, Richard Chang, and Juris Hartmanis. Space bounded computations: review
and new separation results. Theoretical Computer Science, 80(2):289–302, 1991. doi:10.1016/0304-3975(91)90391-E.
24 Sven Schewe and Bernd Finkbeiner. Bounded synthesis. In Kedar S. Namjoshi, Tomohiro
Yoneda, Teruo Higashino, and Yoshio Okamura, editors, ATVA, volume 4762 of Lecture
Notes in Computer Science, pages 474–488. Springer, 2007.
25 Pierre Wolper. Synthesis of Communicating Processes from Temporal-Logic Specifications.
PhD thesis, Stanford University, 1982.
26 Masafumi Yamashita and Tiko Kameda. Computing on an anonymous network. In Proc.
PODC, pages 117–130, 1988.
A Appendix – Proof Details
A.1 Additional Preliminaries
We use Moore machines as finite-state model for regular computation trees. Formally,
a Moore machine is a tuple $\mathcal{M} = (S, I, O, \delta, s_{init}, L)$ with the (finite) set of states $S$,
the input alphabet $I$, the output alphabet $O$, the transition function $\delta$, the initial state $s_{init} \in S$, and the
labelling function $L : S \to O$. A Moore machine induces a computation tree $\langle T, \tau \rangle$ with
$T = I^*$ and $\tau : T \to O$ such that for all $t_0 \ldots t_n \in T$, we have that $\tau(t_0 \ldots t_n) =$
$L(\delta(\delta(\ldots(\delta(\delta(s_{init}, t_0), t_1), \ldots), t_{n-1}), t_n))$. Moore machines induce regular computation
trees, i.e., computation trees that only have a finite number of distinct sub-trees.
Given a Moore machine, an extended computation tree induced by it is the same as a
computation tree induced by the Moore machine, except that the tree labels are in $S \times O$,
where for every node $t$, the first label element of $\tau(t)$ describes the state of the Moore machine
after reading the input $t$ from the initial state, and the second label element describes the
last output after reading $t$ from the initial state as before.
A.2 Additional Definitions
In Definition 2, we used the standard definition of parallel composition to say what it
means to plug a process implementation into a symmetric architecture. For the sake of
completeness, let us formally define this special case of parallel composition.
▶ Definition 15. Given an architecture $E = (S, P, AP_I^G, E_{in}, E_{out})$ for some process interface
$N = (AP_I, AP_O)$ and some Moore machine $\mathcal{M} = (Q, I, O, \delta, q_0, L)$ with $I = 2^{AP_I}$ and
$O = 2^{AP_O}$, we define the aggregated Moore machine of the architecture and $\mathcal{M}$ as $\mathcal{M}' = (Q', I', O', \delta', q'_0, L')$ with:
$Q' = (P \to Q)$,
$I' = 2^{AP_I^G}$,
$O' = 2^S$,
for all $f \in Q'$, we have $L'(f) = \{s \in S \mid \exists (p, x) \in P \times AP_O : E_{out}(p, x) = s,\ x \in L(f(p))\}$,
for all $f \in Q'$ and $X \subseteq AP_I^G$, $\delta'(f, X) = f'$ such that for all $p \in P$, $f'(p) = \delta(f(p), \{x \in AP_I^L \mid E_{in}(p, x) \in (X \uplus L'(f))\})$, and
for all $p \in P$, $q'_0(p) = q_0$.
This definition ensures that the values of all signals are "exported" from the aggregated
finite-state machine. Thus, when specifying the system behaviour of an aggregated system
in a language such as linear-time temporal logic (LTL), we can refer to the signals used
internally between the components.
In the main part of the paper, we also define computation trees that encode the behavior
of a rotation-symmetric architecture after we plug one process into it. If the process is a
finite-state machine, then the resulting computation tree for the behavior of the complete
architecture is regular, and hence can be translated (back) to a Moore machine. We call
this Moore machine for the behavior of the complete rotation-symmetric architecture
implementation the symmetric product of the single process, whose definition we give next. The
reader is reminded that $O$ and $\mathbb{O}$ are defined on page 5.
▶ Definition 16 (Symmetric product). Given a Moore machine $\mathcal{M} = (S, I, O, \delta, s_0, L)$, we say
that a Moore machine $\mathcal{M}' = (S', I, \mathbb{O}, \delta', s'_0, L')$ is the symmetric product of $\mathcal{M}$ if $S' = S^n$,
$s'_0 = (s_0)^n$, and for all $s''_0, \ldots, s''_{n-1} \in S$, $(i_0, \ldots, i_{n-1}) \in I$:
$$\delta'((s''_0, \ldots, s''_{n-1}), (i_0, \ldots, i_{n-1})) = (s'''_0, \ldots, s'''_{n-1})$$
s.t. $\forall 0 \le j < n : s'''_j = \delta(s''_j, \mathit{rot}((i_0, \ldots, i_{n-1}), -j))$ and $L'(s''_0, \ldots, s''_{n-1}) = (L(s''_0), L(s''_1), \ldots, L(s''_{n-1}))$.
Note that Definition 16 is just a combination of Definition 3 and the usual definition of
parallel composition of Moore machines, applied to architectures consisting of a single cycle
of processes.
A.3 Proof of the Symmetry Lemma
Let in the following for every $i \in \mathbb{N}$ the expression $O_i$ denote the local output of process $i$,
i.e., let us define $O_i = 2^{AP_O \times \{i\}}$.
Proof. $\Leftarrow$: The fact that the computation tree induced by the symmetric product of some
Moore machine has the symmetry property follows directly from the definitions.
$\Rightarrow$: For the converse direction, we prove that from every regular computation tree with
the symmetry property, we can construct a Moore machine that is an implementation for one
process, and by taking the symmetric product of the Moore machine, we obtain a product
machine whose computation tree is in turn the one that we started with.
Let $\langle T, \tau \rangle$ be the computation tree to start with. As it is regular, we have an equivalence
relation over the nodes in the tree. Let $[\cdot]$ be the function that maps a tree node $t$ onto
a tree node representing its equivalence class, so for all $t, t' \in T$, we have that the sub-trees
induced by $t$ and $t'$ are the same if and only if $[t] = [t']$, and for every $t$ there is some $t'$
such that $[t] = t'$. We build a Moore machine for one process in the symmetric architecture
from $\langle T, \tau \rangle$ by setting $\mathcal{M} = (S, I, O, \delta, s_{init}, L)$ with:
$S = \{[t] \mid t \in T\}$
$\delta(s, x) = [sx]$ for all $x \in I$ and $s \in S$
$s_{init} = [\epsilon]$
$L(s) = \tau(s)|_{O_0}$ for all $s \in S$
We now show that the symmetric product of $\mathcal{M}$ induces a computation tree that is the
same as $\langle T, \tau \rangle$. If we take the symmetric product (Definition 16) of $\mathcal{M}$, we obtain $\mathcal{M}' = (S', I, \mathbb{O}, \delta', s'_{init}, L')$ with:
$S' = \{([t_0], \ldots, [t_{n-1}]) \mid t_0, \ldots, t_{n-1} \in T\}$
$\delta'((t_0, \ldots, t_{n-1}), x) = ([t_0\, \mathit{rot}(x, 0)], [t_1\, \mathit{rot}(x, -1)], \ldots, [t_{n-1}\, \mathit{rot}(x, -n+1)])$
$s'_{init} = ([\epsilon], \ldots, [\epsilon])$
$L'((t_0, \ldots, t_{n-1})) = (\tau(t_0)|_{O_0}, \tau(t_1)|_{O_0}, \ldots, \tau(t_{n-1})|_{O_0})$
Let $\langle T', \tau' \rangle$ be the extended computation tree induced by $\mathcal{M}'$ with $\tau' : T' \to S' \times \mathbb{O}$.
We can show by induction that for every $t \in T$, we have that $\tau'(t)|_{S'} = ([\mathit{rot}(t, 0)],$
$[\mathit{rot}(t, -1)], [\mathit{rot}(t, -2)], \ldots, [\mathit{rot}(t, -n+1)])$. The induction basis is trivial, as $\tau'(\epsilon)|_{S'} =$
$([\epsilon], [\epsilon], [\epsilon], \ldots, [\epsilon])$. For the inductive step, we have:
$$\begin{aligned}
& \tau'(tx)|_{S'} & (1)\\
= & ([t_0\, \mathit{rot}(x, 0)], [t_1\, \mathit{rot}(x, -1)], \ldots, [t_{n-1}\, \mathit{rot}(x, -n+1)]) & (2)\\
& \quad \text{for } \tau'(t)|_{S'} = (t_0, t_1, \ldots, t_{n-1}) \\
= & ([[\mathit{rot}(t, 0)]\, \mathit{rot}(x, 0)], \ldots, [[\mathit{rot}(t, -n+1)]\, \mathit{rot}(x, -n+1)]) & (3)\\
= & ([\mathit{rot}(t, 0)\, \mathit{rot}(x, 0)], \ldots, [\mathit{rot}(t, -n+1)\, \mathit{rot}(x, -n+1)]) & (4)\\
= & ([\mathit{rot}(tx, 0)], \ldots, [\mathit{rot}(tx, -n+1)]) & (5)
\end{aligned}$$
In step (1)-(2) of this deduction, we applied the definitions of the elements of $\mathcal{M}$ and $\mathcal{M}'$.
In step (2)-(3), we used the inductive hypothesis. In step (3)-(4), we used the regularity of
the tree: for some $t \in T$ and $x \in I$, we need to have $[[t]x] = [tx]$ as the subtree induced by
$[t]x$ has to be the same as the one induced by $tx$, as otherwise $[t]$ and $t$ would not be in
the same equivalence class of subtrees (which is a contradiction). The last step uses the fact
that if we concatenate two strings that are rotated by the same number of indices, then we
can also first concatenate, and then rotate.
Now let us have a look at the outputs in the extended computation tree $\langle T', \tau' \rangle$. For
every $t \in T'$, we have:
$$\begin{aligned}
& \tau'(t)|_{\mathbb{O}} & (6)\\
= & L'(\tau'(t)|_{S'}) & (7)\\
= & L'([\mathit{rot}(t, 0)], \ldots, [\mathit{rot}(t, -n+1)]) & (8)\\
= & (\tau([\mathit{rot}(t, 0)])|_{O_0}, \ldots, \tau([\mathit{rot}(t, -n+1)])|_{O_0}) & (9)\\
= & (\tau(\mathit{rot}(t, 0))|_{O_0}, \ldots, \tau(\mathit{rot}(t, -n+1))|_{O_0}) & (10)\\
= & (\tau(t)|_{O_0}, \tau(t)|_{O_1}, \ldots, \tau(t)|_{O_{n-1}}) & (11)\\
= & \tau(t) & (12)
\end{aligned}$$
In step (8)-(9), we simply applied the definition of $L'$. In step (9)-(10), we used the fact
that we are dealing with equivalence classes over nodes in the computation tree $\langle T, \tau \rangle$ that
respect the labelling of the system. In step (10)-(11), we use the symmetry property of
$\langle T, \tau \rangle$. For every $i \in \{0, \ldots, n-1\}$, we have $\tau(\mathit{rot}(t, i))|_{O_0} = \mathit{rot}(\tau(t), i)|_{O_0}$ by this property,
and then $\mathit{rot}(\tau(t), i)|_{O_0} = \tau(t)|_{O_i}$ by renaming. In the last step, we just plug together the
tuple. ◀
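Definition 16 and the "$\Leftarrow$" direction of the Symmetry Lemma can be exercised on a concrete machine. The following Python code is an added example and not the paper's own code: it assumes a rotation convention $\mathit{rot}(x, k)[m] = x[(m - k) \bmod n]$ (the paper defines $\mathit{rot}$ on page 5, which is not reproduced here), $n = 3$ processes and a constructed single-process Moore machine whose transitions depend on more than the process's own input bit. It builds the symmetric product of Definition 16, evaluates its computation tree $\tau$, and checks the symmetry property $\tau(\mathit{rot}(t, i)) = \mathit{rot}(\tau(t), i)$ exhaustively on all words of length at most 3. An unrotated product is included for contrast: feeding every copy the same view of the input makes the copies behave identically and the property fails.

```python
from itertools import product

N = 3  # number of processes in the ring (assumed for the example)


def rot(x, k):
    """Rotate an n-tuple by k positions.  Assumed convention (the page defines
    rot elsewhere): rot(x, k)[m] = x[(m - k) mod n], so that process j, which
    is handed rot(x, -j), sees its own input at position 0 of its view."""
    n = len(x)
    return tuple(x[(m - k) % n] for m in range(n))


def rot_word(t, k):
    """rot applied letter by letter to a word t in I^*."""
    return tuple(rot(x, k) for x in t)


class Moore:
    """Moore machine (S, I, O, delta, s_init, L) given by its initial state and
    its transition and labelling functions; S, I and O stay implicit."""

    def __init__(self, init, delta, label):
        self.init, self.delta, self.label = init, delta, label

    def run(self, word):
        """tau(word): the label reached after reading word from s_init."""
        s = self.init
        for x in word:
            s = self.delta(s, x)
        return self.label(s)


def symmetric_product(m, n):
    """Definition 16: n copies of m, copy j fed with rot(x, -j) of every input
    letter x, labelled with the tuple of the copies' labels."""
    return Moore(
        init=(m.init,) * n,
        delta=lambda svec, x: tuple(m.delta(svec[j], rot(x, -j)) for j in range(n)),
        label=lambda svec: tuple(m.label(s) for s in svec),
    )


def unrotated_product(m, n):
    """Same as symmetric_product, but every copy reads x itself (not rotated);
    the copies then behave identically and the symmetry property is lost."""
    return Moore(
        init=(m.init,) * n,
        delta=lambda svec, x: tuple(m.delta(svec[j], x) for j in range(n)),
        label=lambda svec: tuple(m.label(s) for s in svec),
    )


# Constructed single-process implementation: every process sees the whole
# (rotated) input vector, adds its own bit (position 0 of its view) once and
# the bit at position 1 of its view twice, modulo 5, and outputs the counter.
def single_delta(s, x):
    return (s + x[0] + 2 * x[1]) % 5


PROCESS = Moore(init=0, delta=single_delta, label=lambda s: s)
PRODUCT = symmetric_product(PROCESS, N)


def tau(word, prod=PRODUCT):
    """Label of the product's computation tree at node word."""
    return prod.run(word)


def symmetry_property_holds(prod=PRODUCT, max_len=3):
    """Check tau(rot(t, i)) == rot(tau(t), i) for every rotation i and every
    word t of length <= max_len over I = {0,1}^N (8 letters, 585 words)."""
    letters = list(product((0, 1), repeat=N))
    for k in range(max_len + 1):
        for word in product(letters, repeat=k):
            out = tau(word, prod)
            for i in range(N):
                if tau(rot_word(word, i), prod) != rot(out, i):
                    return False
    return True
```

For the one-letter word $(1, 0, 0)$ the three copies see $(1,0,0)$, $(0,0,1)$ and $(0,1,0)$ and output $(1, 0, 2)$; rotating the input by one position rotates this output tuple accordingly, which is exactly what `symmetry_property_holds()` confirms for all short words.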
A.4 Correctness of the $\mathit{rep}_S$ Function
The definition of the $\mathit{rep}_S$ function in Section 4.1 is supposed to describe how to compute
the symmetry degree of a word, i.e., the number of processes getting the same rotations of
an input proposition valuation or the number of rotations of the output of the processes that
lead to the same element of $\mathbb{O}$. We prove that the definition of the $\mathit{rep}_S$ function achieves
this goal in two steps and start with the following sub-lemma:
▶ Lemma 17. If there are precisely $m$ values $j \in \{0, \ldots, n-1\}$ (for some $m \in \mathbb{N}$) such that
$\mathit{rot}(t, j) = t$ for some $t \in I^*$, then the list of indices $L = \{\frac{0 \cdot n}{m}, \frac{1 \cdot n}{m}, \ldots, \frac{(m-1) \cdot n}{m}\}$ is precisely
the list of indices $\ge 0$ but $< n$ such that for all $l \in L$, we have $\mathit{rot}(t, l) = t$ but for all $l' \notin L$,
we have $\mathit{rot}(t, l') \ne t$ or either $l' < 0$ or $l' \ge n$.
Proof. For all $j, j' \in L$, we know that $j + j' \in L$ as well since for all $t \in I^*$, $\mathit{rot}(t, j + j') =$
$\mathit{rot}(\mathit{rot}(t, j'), j) = \mathit{rot}(t, j') = t$. Furthermore, $\mathit{rot}(t, n) = t$.
To show that all elements in $L \cup \{n\}$ are equally spaced (modulo $n$), consider the converse.
So we have $0 \le l < l' < l'' < n$ with $l' - l \ne l'' - l'$ and there are no indices in $L$ in between
$l'$ and $l$ or $l''$ and $l'$, respectively. By the argument above, if $l' - l < l'' - l'$ we also have
$l' + (l' - l) \in L$, or if $l' - l > l'' - l'$ we also have $l + (l'' - l') \in L$, which is a contradiction.
The case that involves wrapping around in the modulo space can be proven similarly.
So we know that there are $m$ equally spaced elements in $L$, and by the same line of
reasoning, we can also deduce that the spacing between the elements in $L$ is the same as
the spacing between $n$ and the largest element in $L$. Since furthermore $\mathit{rot}(t, 0) = t$ and
$\mathit{rot}(t, n) = t$ for all $t \in I^*$, the claim follows. ◀
Lemma 17 can alternatively be shown by applying a theorem by Fine and Wilf [8] on the
combinatorics on words. To use it, we would however have to rearrange the letters in a
word, and describing that construction would be more complicated than giving a direct
proof, which is why the latter has been done here.
▶ Lemma 18. For every $t_0 \ldots t_{k-1} \in I^k$, $k \in \mathbb{N}$, we have
$$\mathit{rep}_S(t_0 \ldots t_{k-1}) = |\{j \in \{0, \ldots, n-1\} : \mathit{rot}(t_0 \ldots t_{k-1}, j) = t_0 \ldots t_{k-1}\}|$$
Proof. The proof is done by induction on the length of $t$.
Basis: Trivial, since $\mathit{rot}(\epsilon, j) = \epsilon$ for every $j \in \mathbb{Z}$.
Inductive step: Assume that the number of neutral rotations for $t_0 \ldots t_{k-2}$ is $m$ (we
denote those rotation values $j$ of $t_0 \ldots t_{k-2}$ to be neutral for which $\mathit{rot}(t_0 \ldots t_{k-2}, j) =$
$t_0 \ldots t_{k-2}$) and the number of neutral rotations for $t_0 \ldots t_{k-1}$ is $m'$. By the inductive
hypothesis, $\mathit{rep}_S(t_0 \ldots t_{k-2}) = m$.
Clearly, $m'$ is a divisor of $m$ since otherwise there exists a $y \in \{\frac{0 \cdot n}{m'}, \ldots, \frac{(m'-1) \cdot n}{m'}\}$ such
that $\mathit{rot}(t_0 \ldots t_{k-2}, y) \ne t_0 \ldots t_{k-2}$, so:
$$\mathit{rot}(t_0 \ldots t_{k-1}, y) = \mathit{rot}(t_0 \ldots t_{k-2}, y)\, \mathit{rot}(t_{k-1}, y) \ne t_0 \ldots t_{k-2}\, \mathit{rot}(t_{k-1}, y) = t_0 \ldots t_{k-1}$$
Analogously, $m'$ is a divisor of $\mathit{rep}(t_k)$. In both cases, we would otherwise get a contradiction
with Lemma 17.
On the other hand, for every $m'$ that is a divisor of $m$ and $\mathit{rep}(t_k)$, we have for all
$y \in \{\frac{0 \cdot n}{m'}, \ldots, \frac{(m'-1) \cdot n}{m'}\}$:
$$\begin{aligned}
& \mathit{rot}(t_0 \ldots t_{k-1}, y) \\
= & \mathit{rot}(t_0 \ldots t_{k-2}, y)\, \mathit{rot}(t_{k-1}, y) \\
= & t_0 \ldots t_{k-2}\, \mathit{rot}(t_{k-1}, y) && \text{by Lemma 17} \\
= & t_0 \ldots t_{k-2}\, t_{k-1} && \text{by Lemma 17} \\
= & t_0 \ldots t_{k-1}
\end{aligned}$$
Clearly, the greatest common divisor of $m$ and $\mathit{rep}(t_k)$ is the (unique) greatest such number,
therefore $\mathit{rep}_S(t_0 \ldots t_{k-1}) = m'$. ◀
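The proof of Lemma 18 is in effect an algorithm: $\mathit{rep}_S$ of a word can be computed letter by letter as a running greatest common divisor, starting from $n$ for the empty word. The following Python code is an added example, not the paper's definition of $\mathit{rep}_S$ from Section 4.1 (which is not on this page); it assumes the same rotation convention as before, $\mathit{rot}(x, k)[m] = x[(m - k) \bmod n]$, and $n = 6$ processes. It computes the symmetry degree both directly (the right-hand side of Lemma 18) and incrementally via the gcd, checks the even spacing of neutral rotations from Lemma 17, and confirms both lemmas exhaustively for all words of length at most 2 over the letters $\{0, 1\}^6$.

```python
from itertools import product
from math import gcd

N = 6  # number of processes (assumed for the example)


def rot(x, k):
    """Rotate an n-tuple by k positions; assumed convention
    rot(x, k)[m] = x[(m - k) mod n]."""
    n = len(x)
    return tuple(x[(m - k) % n] for m in range(n))


def rot_word(t, k):
    """rot applied letter by letter to a word t in I^*."""
    return tuple(rot(x, k) for x in t)


def neutral_rotations(t, n):
    """All j in {0, ..., n-1} with rot(t, j) = t (the set L of Lemma 17)."""
    return [j for j in range(n) if rot_word(t, j) == t]


def rep_direct(t, n):
    """Right-hand side of Lemma 18: count the neutral rotations of the word."""
    return len(neutral_rotations(t, n))


def rep_letter(x):
    """rep of a single letter: the number of its neutral rotations."""
    return len(neutral_rotations((x,), len(x)))


def rep_s(t, n):
    """rep_S computed incrementally as in the proof of Lemma 18: the empty
    word has all n rotations neutral, and appending a letter x replaces the
    current value m by gcd(m, rep(x))."""
    m = n
    for x in t:
        m = gcd(m, rep_letter(x))
    return m


def lemma17_spacing(t, n):
    """Lemma 17: the m neutral rotations are exactly 0, n/m, 2n/m, ..."""
    L = neutral_rotations(t, n)
    m = len(L)
    return L == [i * n // m for i in range(m)]


def check_all_words(n=N, max_len=2):
    """Exhaustively confirm Lemma 17 and Lemma 18 for every word of length
    <= max_len over the letters {0,1}^n (64 letters, 4161 words for n = 6)."""
    letters = list(product((0, 1), repeat=n))
    for k in range(max_len + 1):
        for t in product(letters, repeat=k):
            if rep_s(t, n) != rep_direct(t, n) or not lemma17_spacing(t, n):
                return False
    return True
```

As a worked instance, the letter $(0,1,0,1,0,1)$ has the neutral rotations $\{0, 2, 4\}$ and so $\mathit{rep} = 3$, the letter $(0,0,1,0,0,1)$ has $\{0, 3\}$ and $\mathit{rep} = 2$, and the two-letter word formed from them has only the trivial neutral rotation, matching $\gcd(3, 2) = 1$.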
A.5 Proof of Lemma 8 (The Second Symmetry Lemma)
To keep the presentation of the following proof concise, we need to give a name to the
normalization function that maps all input streams that can be unified by rotation onto the
same input stream. For all $t \in I^*$, we define:
$$\eta_S(t) = \min_{i \in \{0, \ldots, n-1\}} \mathit{rot}(t, i)$$
▶ Definition 19 (Symmetric completion). Let $\langle T, \tau \rangle$ be a computation tree with $T = I^*$ and
$\tau : T \to \mathbb{O}$. We call a tree $\langle T, \tau' \rangle$ with $\tau' : T \to \mathbb{O}$ a symmetric completion of $\langle T, \tau \rangle$ if for
all $t \in T$, we have $\tau'(t) = \mathit{rot}(\tau(\eta_S(t)), i)$ for some $i \in \mathbb{N}$ with $\mathit{rot}(\eta_S(t), i) = t$.
We are now ready to discuss the proof of Lemma 8.
Proof. The first part of the claim follows directly from the definition of the symmetric
completion. For all $t \in T$, $i \in \mathbb{N}$, we have
$$\begin{aligned}
& \tau(\mathit{rot}(t, i)) \\
= & \tau(\mathit{rot}(\eta_S(t), i + j)) \\
= & \mathit{rot}(\tau(\eta_S(t)), i + j) \\
= & \mathit{rot}(\tau(t), i)
\end{aligned}$$
for $j = \min_{j' \in \mathbb{N}} \mathit{rot}(t, -j')$ if the symmetric completion actually exists. The symmetric
completion exists if and only if having $\tau'(t) = \mathit{rot}(\tau(\eta_S(t)), i)$ for some $i \in \mathbb{N}$ with $\mathit{rot}(\eta_S(t), i) = t$
for every $t \in T$ is possible. The only way for this property to be unfulfillable is if for some
$t \in T$ and $i, j \in \mathbb{N}$, we have $\mathit{rot}(t, i) = \mathit{rot}(t, j)$ but $\tau(\mathit{rot}(t, i)) \ne \tau(\mathit{rot}(t, j))$. Equivalently we
can ask if there is the possibility to have $t = \mathit{rot}(t, j - i)$ but $\tau(t) \ne \tau(\mathit{rot}(t, j - i))$. Since we
require $\langle T, \tau \rangle$ to have the property that for every $t \in T$, we have $\mathit{rep}_S(t) \;\; \mathit{rep}_S(\tau(t))$ and
by Lemma 17, the neutral rotations are evenly spaced, we can see that $t = \mathit{rot}(t, j - i)$ and
$\tau(t) \ne \tau(\mathit{rot}(t, j - i))$ cannot hold at the same time.
For the second part, we assume that we are given some finite-state machine $\mathcal{M} =$
$(S, I, \mathbb{O}, s_{init}, \delta, L)$ that induces the computation tree $\langle T, \tau \rangle$. Since the classes of regular
trees and finite-state (Moore) machines $\mathcal{M}$ are isomorphic, this assumption comes without
loss of generality.
We prove the regularity of $\langle T, \tau' \rangle$ by building a finite-state machine $\mathcal{M}' = (S', I, \mathbb{O}, s'_{init}, \delta', L')$ that induces $\langle T, \tau' \rangle$.
The states in $\mathcal{M}$ are the equivalence classes of nodes in $\langle T, \tau \rangle$. Without loss of generality,
let us assume that elements $t, t' \in T$ such that $\mathit{rep}_S(t) \ne \mathit{rep}_S(t')$ are never put into the same
equivalence class. Note that this can only blow up the number of equivalence classes by a
factor of at most $n$.$^1$ Furthermore assume that the representative element chosen for every
equivalence class is a normalized prefix input whenever possible (again, without loss of
generality). Thus, for every $s \in S$ representing a normalized input sequence and $i \in I$,
$\min_{u \in \mathbb{N}} \mathit{rot}(si, u)$ is normalised as well, and so is then $[\min_{u \in \mathbb{N}} \mathit{rot}(si, u)]$. We construct $\mathcal{M}'$
as follows:
$S' = S \times \{0, \ldots, -n+1\}$
$s'_{init} = (s_{init}, 0)$
$\delta'((s, k), i) = ([\min_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}(s, k)\, i, j)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}(s, k)\, i, j))$
$L'(s, k) = \mathit{rot}(L(s), k)$
Let us now prove that $\mathcal{M}'$ represents the symmetric completion of $\langle T, \tau \rangle$. For this, it suffices
to show that for every $t \in T$, we have $\delta'(s_{init}, t) = ([\eta_S(t)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))$. By the
definition of $L'$, we then have that $L'(\delta'(s_{init}, t)) = \mathit{rot}(L(\eta_S(t)), -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))$ (as
$L([\eta_S(t)]) = L(\eta_S(t))$), which corresponds to the symmetric completion of $\langle T, \tau \rangle$.
Let us show that we have $\delta'(s_{init}, t) = ([\eta_S(t)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))$ for every $t \in T$ by
induction. The induction basis for $t = \epsilon$ is trivial. For the inductive step, we have (for $t \in T$
and $x \in I$):
$$\begin{aligned}
\delta'(s_{init}, tx) = {} & ([\min_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}([\eta_S(t)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)], \\
& \; -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}([\eta_S(t)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)) & (13)\\
= {} & ([\min_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}([\min_{l \in \mathbb{N}} \mathit{rot}(t, l)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)], \\
& \; -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}([\min_{l \in \mathbb{N}} \mathit{rot}(t, l)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)) & (14)\\
= {} & ([\min_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}(\min_{l \in \mathbb{N}} \mathit{rot}(t, l), -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)], \\
& \; -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(\mathit{rot}(\min_{l \in \mathbb{N}} \mathit{rot}(t, l), -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))\, x, j)) & (15)\\
= {} & ([\min_{j \in \mathbb{N}} \mathit{rot}(tx, j)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(tx, j)) & (16)\\
= {} & ([\eta_S(tx)], -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(tx, j)) & (17)
\end{aligned}$$
The first line in this deduction is obtained by applying the induction hypothesis to the
definition of $\delta'$. From line (13) to line (14), we applied the definition of $\eta_S$. From line (14) to
line (15), we used the property that by the fact that we are concerned with an equivalence
relation over subtrees, we know that for all $t \in T$ and $x \in I$, we have $[[t]x] = [tx]$. This
fact also holds for all rotations of $[t]x$ and $tx$. From line (15) to line (16), we simplify
$\mathit{rot}(\min_{l \in \mathbb{N}} \mathit{rot}(t, l), -\operatorname{argmin}_{j \in \mathbb{N}} \mathit{rot}(t, j))$ to $t$, as in this equation, the two rotations even up.
The step to the last line just uses the definition of the $\eta_S$ function. ◀
1 In principle, forcing two tree nodes to not be in the same equivalence class if they do not have some
common property can make the number of equivalence classes infinite. This is however not the case here
as for every $t \in T$ and $x \in I$, $\mathit{rep}_S(tx)$ can be computed from $\mathit{rep}_S(t)$ and $x$. This way, computing the
$\mathit{rep}_S$ values of the prefix input stream can be done on-the-fly by a finite-state machine while reading
the input, and when we compute its product with $\mathcal{M}$, the set of states of the resulting finite-state
machine is then finite and serves as set of equivalence classes for the tree $\langle T, \tau \rangle$ such that no tree nodes
with different $\mathit{rep}_S$ values are put into the same equivalence class.
A.6 A Complete Proof of EXPTIME-hardness (in the Number of
Processes) for Rotation-symmetric Synthesis
We start by concretizing the definition of space-bounded alternating Turing machines.
▶ Definition 20 ([3]). We say that the Turing machine $M = (Q, \Sigma, \Gamma, \delta, q_0, g)$ is $f(k)$-SPACE
bounded for some function $f : \mathbb{N} \to \mathbb{N}$ if for every accepted word of length $k$, $M$ also accepts
the word when considering all runs whose space usage exceeds $f(k)$ to be rejecting.
For the scope of this paper, when discussing $f(k)$-space bounded Turing machines, we only
consider functions $f(k)$ that are easy to compute (in time polynomial in $f(k)$). For every
accepted word, we can arrange a set of runs of an alternating Turing machine for that word
in a run tree that splits whenever a state with universal branching is visited. All runs in
this tree also do not exceed the space bound. By definition, for every accepted word, there
exists such a tree, and all of its leaves are accepting configurations.
▶ Lemma 21. Given an $f(k)$-space bounded alternating Turing machine $M = (Q, \Sigma, \Gamma, \delta, q_0, g)$, we can reduce the acceptance of a word $w \in \Sigma^k$ by $M$ to the symmetric realizability
problem of $n = f(k)$ processes with a specification in LTL of size polynomial in $|Q| \cdot |\Gamma| \cdot |w|$.
Proof. The proof is done by constructing a specification $\psi$ that is realizable in the symmetric
setting if and only if $w = w_0 \ldots w_{k-1}$ is not accepted. We define $\psi = \psi_1 \wedge \psi_2$ for $\psi_1$ and $\psi_2$ to
be given below. We have $AP_I^L = \{C\}$ and $AP_O = \{S_0, \ldots, S_{|AP_O|}\}$ of sufficient cardinality to
encode every element from the set $\Gamma' = (\Gamma \cup \{\epsilon\} \cup (Q \times \Gamma)) \times 2^{\{\{,\}\}}$. This way, the output signals
of the individual processes represent locations on the Turing machine tape. For simplicity, in
the following, for all $0 \le j < n$, we denote the set of output atomic propositions for process
$j$ by $S_j$ (with the additional shorthand $S_{-1} := S_{k-2}$). We also encode the current state of
the machine and tape end markers onto the tape. Note that in the symmetric setting we do
not have a designated process for the initial state. The formula $\psi_1$ makes sure that precisely
the processes retrieving a $C$ in the first round start a Turing computation (provided that the
initial tapes would not collide), so
$$\psi_1 = (\neg C_{-k+1} \wedge \ldots \wedge \neg C_{-1} \wedge C_0 \wedge \neg C_1 \wedge \ldots \wedge \neg C_{k-1}) \Rightarrow (S_0 = (q_0, w_0, \{\{\}) \wedge S_1 = (w_1, \emptyset) \wedge \ldots \wedge S_{k-2} = (w_{k-2}, \emptyset) \wedge S_{k-1} = (w_{k-1}, \{\}\})).$$
In order to deal with multiple computations starting in the first round, the delimiters $\{$
and $\}$ mark the ends of the tape of a machine. The specification part $\psi_2$ makes sure that
the simulated Turing machine(s) do(es) not accept the input word, i. e. the processes have
to simulate the computation on the Turing tape(s) but never reach an accepting state. For
this, we let the choice of the next state for existential branching be made by the external
input whereas for universal branching, the choice is made by the system.
We syntactically extend LTL slightly for improved readability by allowing Boolean
operations over sets of symbols. For example, $S_0 = X(S_0)$ can be unfolded to $\bigwedge_{p \in S_0} (p \leftrightarrow Xp)$.
Furthermore, $S_{-1}, S_0, S_{+1} \xrightarrow[a]{\delta} X(S_{-1}), X(S_0), X(S_{+1})$ for $a \subseteq \{1, 2\}$ is true if for the part of
the tape represented by $S_{-1}|_\Gamma, S_0|_\Gamma, S_{+1}|_\Gamma$, the transition from $S_0|_Q$ can be made such that
afterwards $S_{-1}, S_0, S_{+1}$ is a valid part of the configuration (at the same place on the tape),
the next state is included at the respective position on the tape, and we have taken the $b$th
of the two possible transitions for $b \in a$. Furthermore the tape is extended correctly such
that the computation is never left of the $\{$ marker or right of the $\}$ marker (as seen from the
initial configuration). If two markers collide, the next configuration is obtained by simply
removing the state information from the part of the tape. If a rejecting state is reached,
this rule is also applied. Note that without loss of generality, we can assume that precisely
two transitions are possible in each state. For $\tilde{\Gamma} = (\epsilon \cup \Gamma) \times 2^{\{\{,\}\}}$, we set:
$$\begin{aligned}
\psi_2 = {} & G(S_0 \text{ is in } Q \times \Gamma \times 2^{\{\{,\}\}} \wedge g(S_0|_Q) = \text{``}\wedge\text{''} \to (S_{-1}, S_0, S_{+1} \xrightarrow[\{1,2\}]{\delta} X(S_{-1}), X(S_0), X(S_{+1}))) \\
\wedge {} & G(S_0 \text{ is in } Q \times \Gamma \times 2^{\{\{,\}\}} \wedge g(S_0|_Q) = \text{``}\vee\text{''} \wedge C \to (S_{-1}, S_0, S_{+1} \xrightarrow[\{1\}]{\delta} X(S_{-1}), X(S_0), X(S_{+1}))) \\
\wedge {} & G(S_0 \text{ is in } Q \times \Gamma \times 2^{\{\{,\}\}} \wedge g(S_0|_Q) = \text{``}\vee\text{''} \wedge \neg C \to (S_{-1}, S_0, S_{+1} \xrightarrow[\{2\}]{\delta} X(S_{-1}), X(S_0), X(S_{+1}))) \\
\wedge {} & G((S_0 \text{ is in } \tilde{\Gamma}) \wedge (S_{-1} \text{ is in } \tilde{\Gamma}) \wedge (S_{+1} \text{ is in } \tilde{\Gamma}) \to S_0 = X(S_0)) \\
\wedge {} & G(\neg\, g(S_0|_Q) \text{ is accepting})
\end{aligned}$$
Assume that there exists an accepting tree of M ’s computations for w. In this case,
the environment could set the input to the first process to true in the first round and to
false for the other processes. Hence, there is only one computation of the Turing machine
being simulated. By the environment choosing the existential branching according to the
acceptance tree it can be assured that eventually an accepting state is reached, which is not
allowed by ψ. Therefore ψ is unrealizable in this setting.
On the other hand, if w is not accepted by M , then there exists no tree of accepting runs
of M (that do not use more than fpkq space) for w. Since in this case the implementation
can decide which transition to take in case of universal branching, it can assure that the run
simulated by an implementation of ψ either ends in a rejecting state or exceeds the space
limit. Since in case of collisions of end markers on the tape, the state information can be
removed from the output and the processes can then output their last tape contents forever,
the specification is trivially fulfilled in this case. The same applies for the case of reaching
a rejecting state, so $\psi$ is realizable by a symmetric system. ◀
A.7 Proof of Lemma 13
Proof. Let ψ be the specification from Lemma 12. We show that there exists an imple-
mentation for the specification ψ in the A0 architecture if and only if there exists a joint
implementation for the two processes in the S2 architecture that satisfies ψ1 “ ψd ^ Gpv Ø
Xoq ^ Gpw Ø Xpq, where ψd results from prefixing all occurrences of the signals y and z
in ψ with a next-time operator. Without loss of generality, we assume that ψ encodes the
termination of a Turing machine.
$\Rightarrow$: If we have an implementation for the A0 architecture satisfying $\psi$, then the
implementation needs to be a symmetric one: both processes output the same bitstream when
reading a true value from their respective local input signal for the first time. We can take
an implementation for one of these processes, and turn it into an implementation for a process
in the S2 architecture: just simulate the process over the input signal a and use g as the
local output for the tape content. At the same time, copy all values from b to e, and from
c to f. This makes sure that $G(v \leftrightarrow Xo) \wedge G(w \leftrightarrow Xp)$ is
satisfied by the resulting system. Since the bottom process in the S2 architecture then
outputs q with one computation cycle of delay to y, y in the S2 architecture always represents
the output of the left process in the A0 architecture with a delay of one cycle. For the
signal line from v to z, the same line of reasoning holds: the data from v appears at the
signal o with a delay of one, and then, since every process in the S2 architecture simulates
a process in the A0 architecture reading from a and writing to g, z is the output of the A0
process for the input v with a delay of one cycle. Thus, $\psi_d$ is fulfilled by the system.
Taking all of these facts together, the architecture with the implementation also fulfills
$\psi$.
$\Leftarrow$: Assume that $\psi'$ is realizable for the S2 architecture and we have a process
that ensures that $\psi'$ is satisfied in the Moore machine that represents the behavior of
the complete architecture with the process implementation. We argue that the process has to
behave like a process for the A0 architecture for the input a and output g. The important
feature of this architecture is that the process does not know if the local input b is the
(delayed) a input to the other process, or if its c input is the (Turing machine tape) output
of the other process. Thus, it cannot find out if it is the top process or the bottom process
in the architecture and must prevent violating the specification in either case.
Recall that without loss of generality, we assumed $\psi_d$ to encode the computation/acceptance
of a Turing machine (in the same way as Pnueli and Rosner defined it [21]). First of all, in
order to satisfy the specification, both processes have to output the first two Turing tape
contents on their g outputs when receiving a true value on the a input. This follows from the
fact that the specification only allows the processes to forward information from the inputs
b and c, so the overall requirement to start with the first two tape contents on y when
reading a true bit on u, and to start with the first two tape contents on z when reading from
v, can only be fulfilled by distributing the writing of the two tapes among the processes.
Now assume that a process receives the first Turing tape configurations on local input c,
then a start signal on input a while the second Turing tape content starts, and after both
Turing tape contents have been seen, we get a starting signal on b. Let this input stream
be called the reference stream.
Since the process does not know whether it is the top-most one in the architecture, it
also has to output the third Turing tape configuration on its local output g after the first
two of these, as the input to b might have been forwarded to the bottom-most process, where
it triggered the other process to output the first two tape configurations. Then, $\psi_d$ would
be violated if the top-most process did not output the first three configurations. But then,
if the process is the lower-most one, it must also output the first three Turing tape
configurations in order not to violate the specification, as the local input c might actually
be the output of the top-most process. Note that the lower-most process must do that
regardless of its local input b, as b is then just garbage forwarded from the global input w.
But then, this means that the process also has to output the first four Turing tape
configurations when reading the reference stream, by the same reasoning: it might be the
top-most process, and since it has forwarded a signal that would trigger the other process
to start the Turing tape computation one tape content later, it would otherwise violate the
specification.
We can iterate this argument ad infinitum. Now if the process ensures that the overall
system, when the process is instantiated in the S2 architecture, satisfies the specification,
then this means that the Turing machine has to terminate — since we can force the system
to output the correct Turing tape computations along a run of the Turing machine, and
we also require it to eventually halt, there is no other way that the specification can be
satisfied. ◀
A.8 Proof of Theorem 14
We first provide a pair of compression functions for LTL.
▶ Definition 22. Let AP be some set of signals, which, w.l.o.g., we assume to be $\{x_1, \ldots, x_n\}$.
We define a compression function $f_{LTL}$ over AP as follows: for every $w = w_0 w_1 w_2 \ldots \in (2^{AP})^\omega$,
we set $f_{LTL}(w) = w'_0 w'_1 w'_2 w'_3 \ldots$ such that:
$\forall i \in \mathbb{N}$, $w'_{2i(n+1)} = w'_{2i(n+1)+1} = \{\chi\}$,
$\forall i \in \mathbb{N}$ and $j \in \{1, \ldots, n\}$, we have $w'_{2i(n+1)+2j} = \emptyset$, and
$\forall i \in \mathbb{N}$ and $j \in \{1, \ldots, n\}$, we have $\chi \in w'_{2i(n+1)+2j+1}$ if and only if $x_j \in w_i$.
The compression function fLTL is exemplified in Figure 4.
Our interest in $f_{LTL}$ lies in the fact that $f_{LTL}$ has an adjunct specification compression
function $f'_{LTL}$ for LTL properties. For the following lemma, we use the fact that the LTL
operators F and G can be encoded using the X and U operators, so we only need to consider
the latter two here. Given a word $w = w_0 w_1 w_2 w_3 \ldots \in (2^{AP})^\omega$, an index
$i \in \mathbb{N}$, and an LTL formula $\varphi$, we write $w, i \models \varphi$ if and only if
$w_i w_{i+1} w_{i+2} \ldots \models \varphi$.
▶ Lemma 23. A specification compression function $f'_{LTL}$ that corresponds to $f_{LTL}$ can be
defined inductively over the structure of an LTL formula as follows (for $AP = \{x_1, \ldots, x_n\}$):
For $\psi = \mathit{false}$, we set $f'_{LTL}(\psi) = \mathit{false}$. Likewise, for $\psi = \mathit{true}$, we set $f'_{LTL}(\psi) = \mathit{true}$.
For $\psi = \psi_1 \wedge \psi_2$, $\psi = \psi_1 \vee \psi_2$, and $\psi = \neg\psi_1$ for some LTL formulas $\psi_1$ and $\psi_2$,
we have $f'_{LTL}(\psi) = f'_{LTL}(\psi_1) \wedge f'_{LTL}(\psi_2)$, $f'_{LTL}(\psi) = f'_{LTL}(\psi_1) \vee f'_{LTL}(\psi_2)$, and
$f'_{LTL}(\psi) = \neg f'_{LTL}(\psi_1)$, respectively.
For $\psi = x_j$ for some $x_j \in AP$, we set $f'_{LTL}(\psi) = X^{2j+1}\chi$.
For $\psi = X\psi_1$ for some LTL formula $\psi_1$, we set $f'_{LTL}(\psi) = X^{2(n+1)} f'_{LTL}(\psi_1)$.
For $\psi = \psi_1 \mathrel{U} \psi_2$, we set
$f'_{LTL}(\psi) = ((\chi \wedge X\chi \wedge \neg X^2\chi) \to f'_{LTL}(\psi_1)) \mathrel{U} ((\chi \wedge X\chi \wedge \neg X^2\chi) \wedge f'_{LTL}(\psi_2))$.
Proof. We show the lemma by structural induction. More specifically, we show that for
every $w \in (2^{AP})^\omega$ and $i \in \mathbb{N}$, we have $w, i \models \psi$ if and only if
$w', 2(n+1) \cdot i \models f'_{LTL}(\psi)$ for $w' = f_{LTL}(w)$.
Case $\psi = \mathit{true}$, $\psi = \mathit{false}$: trivial.
Case $\psi = x_j$ for some $x_j \in AP$. The definition of $f_{LTL}$ ensures that for all $j \in \{1, \ldots, n\}$,
we have $x_j \in w_i$ if and only if $\chi \in w'_{2i(n+1)+2j+1}$. Thus, we have
$w', 2i(n+1) \models X^{2j+1}\chi$ if and only if $w, i \models x_j$.
Case $\psi = \psi_1 \wedge \psi_2$, $\psi = \psi_1 \vee \psi_2$, and $\psi = \neg\psi_1$: trivial.
Case $\psi = X\psi_1$: follows from the inductive hypothesis and the definitions of $f_{LTL}$ and $f'_{LTL}$.
Case $\psi = \psi_1 \mathrel{U} \psi_2$. Here, $\chi \wedge X\chi \wedge \neg X^2\chi$ is true precisely at the
time points $2(n+1)i$ for $i \in \mathbb{N}$, thus anything of interest for evaluating $f'_{LTL}(\psi)$
happens at these time instants. For $f'_{LTL}(\psi)$ to be true, we must have that for some $i$,
$w', 2(n+1)i \models f'_{LTL}(\psi_2)$, which by the induction hypothesis is equivalent to $w, i \models \psi_2$.
For all $j < i$, we must have $w', 2(n+1)j \models f'_{LTL}(\psi_1)$, which by the induction hypothesis
is equivalent to $w, j \models \psi_1$.
◀
Reconsider the setting from Figure 4. As an example, the specification $x_4 \mathrel{U} x_3$ for the
original case translates to
$((\chi \wedge X\chi \wedge \neg X^2\chi) \to X^9\chi) \mathrel{U} ((\chi \wedge X\chi \wedge \neg X^2\chi) \wedge X^7\chi)$
for the compressed case. In both variants, the specification is not fulfilled for this example.
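As an added example (not code from the paper), the word compression $f_{LTL}$ of Definition 22 and the formula compression $f'_{LTL}$ of Lemma 23 in Python, cross-checked on a constructed word by a small LTL evaluator. The finite-prefix semantics (a strong X that is false past the end of the prefix), the tuple encoding of formulas, and the sample word (which is not the one from Figure 4) are my assumptions.

```python
# Added example, not from the paper: f_LTL (Definition 22) and f'_LTL (Lemma 23),
# cross-checked by a finite-prefix LTL evaluator (assumed strong X: a step past the
# end of the prefix makes X false). Formulas are nested tuples: 'true', 'false',
# ('ap', j) for x_j, ('chi',), ('not', f), ('and', f, g), ('or', f, g), ('X', f),
# ('U', f, g); F and G are assumed to be rewritten via X and U beforehand.
CHI = ('chi',)

def compress_word(w, n):
    # f_LTL: letter w_i (a set of indices from 1..n) becomes 2(n+1) letters over
    # the single signal chi: two chi's as the start marker, then for each j an
    # empty letter followed by {chi} iff x_j is in w_i.
    out = []
    for letter in w:
        out += [{'chi'}, {'chi'}]
        for j in range(1, n + 1):
            out += [set(), {'chi'} if j in letter else set()]
    return out

def xn(k, f):  # X^k f
    return f if k == 0 else ('X', xn(k - 1, f))
MARK = ('and', CHI, ('and', ('X', CHI), ('not', xn(2, CHI))))  # chi ^ Xchi ^ -X^2chi

def compress_formula(f, n):  # f'_LTL, by structural recursion over f
    if f in ('true', 'false'): return f
    op, sub = f[0], [compress_formula(g, n) for g in f[1:] if not isinstance(g, int)]
    if op == 'ap': return xn(2 * f[1] + 1, CHI)           # x_j -> X^(2j+1) chi
    if op == 'X': return xn(2 * (n + 1), sub[0])           # one step = one block
    if op == 'U':  # only the block starts (MARK positions) matter for U
        return ('U', ('or', ('not', MARK), sub[0]), ('and', MARK, sub[1]))
    return (op, *sub)  # 'not', 'and', 'or' are kept as they are

def holds(w, i, f):  # w, i |= f on the finite prefix w
    if i >= len(w): return False
    if f in ('true', 'false'): return f == 'true'
    op = f[0]
    if op == 'ap': return f[1] in w[i]
    if op == 'chi': return 'chi' in w[i]
    if op == 'not': return not holds(w, i, f[1])
    if op == 'and': return holds(w, i, f[1]) and holds(w, i, f[2])
    if op == 'or': return holds(w, i, f[1]) or holds(w, i, f[2])
    if op == 'X': return holds(w, i + 1, f[1])
    return any(holds(w, k, f[2]) and all(holds(w, j, f[1]) for j in range(i, k))
               for k in range(i, len(w)))  # op == 'U'

def check_equivalence(w, n, f):
    # Lemma 23 on a prefix: w, i |= f  iff  f_LTL(w), 2(n+1)i |= f'_LTL(f) for all i
    wc, fc = compress_word(w, n), compress_formula(f, n)
    return all(holds(w, i, f) == holds(wc, 2 * (n + 1) * i, fc) for i in range(len(w)))

W_SAMPLE = [{1}, {4}, {2, 4}, {3}, set()]  # constructed word over AP = {x1, ..., x4}
PHI = ('U', ('ap', 4), ('ap', 3))          # the paper's example x4 U x3
```

On W_SAMPLE, `x4 U x3` holds at positions 1 to 3 and fails at 0 and 4, and the compressed formula agrees at the block starts 0, 10, 20, 30, 40 of the compressed word.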
Using Lemma 23, we can now prove Theorem 14:
Proof. Since we can compress (1) the input signals u, v, and z into one signal (named x in
the S0 architecture), (2) o, p, and q into one signal, (3) u, v, and z into one signal, and
(4) adapt $\psi'$ accordingly (and all of these compressions can use the same encoding), the
undecidability of the symmetric synthesis problem for the S0 architecture follows from the
undecidability of the symmetric synthesis problem for the S2 architecture. Definition 22
and Lemma 23 describe how this word compression step can be performed. However, we
need to make sure that (1) the correct functioning of the processes in the S0 architecture is
only enforced on input streams that result from compressing a word over $2^{\{u,v,w\}}$ according
to Definition 22 and (2) the output streams of the processes are correct compressions
if the input to the first process is a valid compressed word. For this, we take the adapted
version of $\psi'$ and replace it by $(\psi' \wedge \varphi_{correct}) \vee F\varphi_{invalid1} \vee \varphi_{invalid2}$,
where $\varphi_{invalid1}$ and $\varphi_{invalid2}$ encode that a part of the input stream is found
that shows that it cannot have been obtained by word compression according to Definition 22.
Formally, we can describe these properties as:
$$\varphi_{invalid1} = \chi \wedge X\chi \wedge \neg XX\chi \wedge \Big( \neg X^8\chi \vee \neg X^9\chi \vee X^{10}\chi \vee \bigvee_{i \in \{1,\ldots,3\}} X^{2i}\chi \Big)$$
$$\varphi_{invalid2} = \neg\chi \vee \neg X\chi \vee XX\chi$$
Intuitively, φinvalid1 states that starting from a character start sequence, the next character
start sequence does not come after exactly 8 cycles (or we have an illegal bit encoding along
the way), and φinvalid2 states that the input stream does not start with a character start
sequence. In the same way, we can encode that y and z represent correctly compressed
streams:
$$\varphi_{correct} = \bigwedge_{p \in \{x, y\}} p \wedge Xp \wedge X^2\neg p \wedge G\Big( \neg p \vee \neg Xp \vee X^2 p \vee \big( \bigwedge_{i \in \{1,\ldots,3\}} \neg X^{2i} p \big) \wedge X^8 p \wedge X^9 p \wedge X^{10}\neg p \Big) \quad (18)$$
◀
