From Polynomial Invariants to Linear Loops

Loop invariants are software properties that hold before and after every iteration of a loop. As such, invariants provide inductive arguments that are key in automating the verification of program loops. The problem of generating loop invariants; in particular, invariants described by polynomial relations (so called polynomial invariants), is therefore one of the hardest problems in software verification. In this paper we advocate an alternative solution to invariant generation. Rather than inferring invariants from loops, we synthesise loops from invariants. As such, we generate loops that satisfy a given set of polynomials; in other words, our synthesised loops are correct by construction. Our work turns the problem of loop synthesis into a symbolic computation challenge. We employ techniques from algebraic geometry to synthesise loops whose polynomial invariants are described by pure difference binomials. We show that such complex polynomial invariants need “only” linear loops, opening up new venues in program optimisation. We prove the existence of non-trivial loops with linear updates for polynomial invariants generated by pure difference binomials. Importantly, we introduce an algorithmic approach that constructs linear loops from such polynomial invariants, by generating linear recurrence sequences that have specified algebraic relations among their terms.


I
Loop invariants, or more simply invariants in the sequel, are software properties that hold before and after every iteration of a loop.Invariants are often key to inductive arguments for automating the verification of programs with loops, see, e.g.[25,22,23,21,14].One challenging aspect in invariant synthesis is the derivation of polynomial invariants for loop programs over numeric data structures.Such invariants are defined by polynomial relations ( 1 , . . ., ) = 0 among the program variables 1 , . . ., .A nice property of polynomial invariants is that they define a polynomial ideal, called a polynomial invariant ideal [25,22].As such, the problem of generating (all) polynomial invariants is reduced to generating a finite basis of the polynomial invariant ideal.
In this paper, we reverse engineer the problem of polynomial invariant generation and propose an alternative solution to invariant synthesis.Rather than generating polynomial invariants for a given loop, we synthesise loops for a given polynomial invariant.Assume the postcondition of some section of code with a loop is given by a conjunction of polynomial equalities.Instead of generating an invariant that implies the postcondition, our solution comprises the synthesis of a new loop, one that is correct with respect to the specification-and that by construction.Linear Loop Synthesis.The key aspect of our work comes with considering homogeneous linear loops, hereafter simply linear loops.Linear loops are a class of single-path loops whose update assignments are determined by a homogeneous system of linear equations in the program variables.More specifically, a linear loop is a loop program of the form where is a -dimensional column vector of program variables, is a -dimensional vector with rational entries, and is a × -matrix with rational entries.Herein we employ the notation ★, instead of using true as loop guard, as our focus is on loop synthesis rather than proving loop termination.
Linear loops are fundamental objects in the computational study of recurrence.On the one hand, this class of loops represents a restrictive computational model.On the other hand, fundamental problems such as the decidability of the Halting Problem are open for this class [24].For the avoidance of doubt, we lose no generality by working over the class of linear loops rather than the class of affine loops (those single-path loop programs with update assignments of the form ← + where ∈ ℚ ).Indeed, the problem of studying the functional behaviour of affine loops can be reduced to that of studying linear loops; admittedly the reduction step will, in general, increase the number of program variables [25,22,24].Linear Loops and Recurrences.Given a (system of) polynomial relation(s), our work constructs a linear loop.By construction, each of the given polynomial relations is satisfied by the loop variables before and after each iteration; thus each relation is an invariant of the loop.(Specific details are given in the discussion on our contributions.)We employ techniques from algebraic geometry to synthesise loops whose polynomial invariants are described by pure difference binomials.For such polynomial invariants, the procedure in Section 3 shows that "only" linear loops are required, thus addressing challenging aspects of arithmetic reductions in program optimisation [2].Further, we prove the existence of non-trivial loops with linear updates for polynomial invariants generated by pure difference binomials (see Section 5).Examples 1.1 and 1.2 showcase linear loops that are synthesised by our work.We note that the study of pure difference ideals, those ideals generated by pure difference binomials, and their respective linear loops is well motivated.The classes of lattice and toric ideals (defined in Section 2) are pure difference ideals.Pure difference ideals also appear in the encoding of random walks on Markov chains of the form ℕ by way of the connected components of the underlying graph [6,16].( , ) := (1, 1); while ★ do := 2 ; := 2 ; end while ] generated by the polynomials 1 = 2 − and 2 = 3 − .Note that 1 and 2 are pure difference binomials in , , .The procedure of Section 3 outputs a linear loop ℒ 1 (see Fig. 1a).
Key to our work is modelling loops as linear recurrence sequences that have specified algebraic relations among their terms.Let denote the value of a loop variable at the th loop iteration.Recall that for a linear loop, is given by a linear recurrence sequence with constant coefficients, commonly known as a C-finite sequence [8].C-finite sequences are therefore key to our loop synthesis procedure (Section 3): we model program loops as systems of recurrence equations.Indeed, we aim to synthesise a system of C-finite recurrence sequences, and hence a linear loop, that satisfies given polynomial relations.

Our Contributions.
(1) For a polynomial ideal, we consider the problem of synthesising a non-parametrised loop (i.e., synthesising both the loop body and concrete initial values) such that every polynomial in the ideal is an invariant of the loop.In particular, we demonstrate a procedure for synthesising loops from pure difference ideals.In fact, (a) Given a pure difference ideal , we describe a process that synthesises a linear loop with invariant ideal (Section 3).(b) Suppose that = 1 , . . ., is a polynomial ideal not necessarily generated by binomials, for which, by a change of coordinates, there exists a generating set of pure difference binomials.We present a procedure that outputs a linear loop such that any polynomial ∈ 1 , . . ., is an invariant of said loop (Section 4).
(2) Under reasonable assumptions about the input, the aforementioned generated loops are non-trivial.By non-trivial, we mean that the orbit (or trajectory) of the vector given by the values of the loop variables 1 , . . ., at the th loop iteration is infinite.That is to say, the loop program functions on an infinite-state system.We shall defer a formal definition of a non-trivial loop to Section 2. In Section 5, we consider corollaries to our loop synthesis procedure from Section 3. In particular, we consider specialisations for restrictive classes of input ideals.One corollary, concerning canonical pure difference binomials, is as follows.
where is an irreducible polynomial of the form . Then the procedure in Section 3 synthesises a linear loop for which is precisely the invariant ideal of the loop.
We end this note with a conclusion that discusses related work and proposes directions for future research (Section 6).

P
2.1.Abstract Algebra.Let be a field and the vector space of -tuples in .A monomial in the indeterminates (or polynomial variables) 1 , . . ., is an expression where each exponent is a non-negative integer.We employ the shorthand to denote such monomials.A polynomial is a finite linear combination of monomials.This can be extended to include the negative integer exponents, if needed.We shall explicitly refer to monomials with ∈ ℤ (or their linear combinations) as Laurent monomials (Laurent polynomials, respectively), whenever negative powers are considered.
Let [ 1 , . . ., ] be a polynomial ring, for brevity [ ].For computability reasons, throughout will be the field of algebraic numbers, so := ℚ.We employ the standard notation * to refer to the set \ {0} of invertible elements of the field and denote by GL ( ) the multiplicative group of × invertible matrices over .
2.2.Algebraic Geometry.We recall standard preliminary material and terminology from the field of algebraic geometry, and refer to [4,3] for more details.

Ideals.
A polynomial ideal is a subset ⊆ [ ] that satisfies the following properties: 0 ∈ ; is closed under addition; and for each ∈ [ ] and ∈ , necessarily ∈ .For a set of polynomials ⊆ [ ], the ideal generated by is given by

and is radical if
∈ implies that ∈ .Key to our discussion will be the bases for polynomial ideals.

Theorem 2.1 (Hilbert's Basis Theorem). Every ideal in [ ] has a finite basis.
Seminal work by Buchberger introduced Gröbner bases for polynomial ideals, which permit the algorithmic computation of key properties of polynomial ideals [1,3], including ideal membership, ideal union/intersection, elimination ideals, and many more.A key property that we draw upon in our synthesis procedure is the computation of a basis for a saturation of an ideal.Given ∈ [ ], we compute a basis for the saturation of with respect to : ( ) ∞ := { ∈ [ ] : ∈ for some ∈ ℕ}.
We also recall relevant structural properties for classes of polynomial ideals.Varieties.The notion of an algebraic variety generalises the concept of algebraic curves to dimensions.An (affine) algebraic variety ⊆ is the locus of points satisfying a system of polynomial equations.In the sequel, we shall focus on the varieties associated with polynomial ideals.Let be a polynomial ideal in [ ].The locus of points in where the polynomials in simultaneously vanish is called the variety of the ideal and denoted by ( ).Specifically, A subvariety is a subset of a variety that is, itself, a variety.A variety is irreducible if when written as a union of subvarieties = 1 ∪ 2 then necessarily either 1 = or 2 = .An affine variety is irreducible if and only if ( ) is a prime ideal.
Let ⊆ be an affine variety.We endow with the Zariski topology by declaring that the closed sets of are precisely the subvarieties of .In this way, we extend the definition of Zariski closure as follows.The Zariski closure of a subset ⊆ is defined to be the smallest affine variety containing .

C-finite Sequences.
The class of C-finite sequences [18] consists of the real-algebraic linear sequences ∞ =0 that satisfy recurrence relations (1) 1) is entirely determined by its initial values 0 , . . ., −1 .The order of is the minimum length of the recurrence relations it satisfies.

Loop Invariants.
Let ℒ be a linear loop with variables = ( 1 , . . ., ).For each loop variable , let ( ) denote the sequence whose th term is given by the value of after the th loop iteration.A polynomial invariant of ℒ is a polynomial ∈ [ ] such that ( 1 ( ), . . ., ( )) = 0 holds for all ≥ 0. The set of polynomial invariants of ℒ forms an ideal, called the (polynomial) invariant ideal of ℒ [25,22].In other words, the invariant ideal of ℒ is the ideal of algebraic relations over among the sequences 1 ( ) , . . ., ( ) .We note that, in our setting, it is always possible to compute a finite basis for the invariant ideal using Gröbner bases computation [19,22].
The invariant ideal of ℒ is radical.It can be equivalently described by its variety ( ) ⊆ . Let be the orbit of the loop.Informally speaking, is the set of variable vectors that ℒ can reach during its execution.The Zariski closure of in is precisely the variety ( ) and, further, is the smallest algebraic variety that contains .The Zariski closure of is the strongest algebraic invariant of ℒ [12].We shall sometimes abuse terminology and refer to the Zariski closure of as the Zariski closure of ℒ.A loop ℒ is trivial if its orbit is a finite set.
2.5.Lattices.Let ( , +) be an additive abelian group.A set ⊆ is linearly independent if for any 1 , . . ., ∈ ℤ and any pairwise distinct 1 , . . ., ∈ a linear combination An abelian group that has a finite basis is referred to as lattice.It is known that a lattice has fixed basis size, called rank and, furthermore, every lattice of rank ≥ 1 is isomorphic to ℤ as a group.A saturation of a lattice ⊆ ℤ is a sublattice of ℤ defined as Sat( ) := { ∈ ℤ : ∈ for some ∈ ℤ \ {0}}.
If = Sat( ), the lattice is said to be saturated.
An important class of lattices are those that describe the multiplicative relations among algebraic numbers.The exponent lattice of 1 , . . ., ∈ * is given by exp ( 1 , . . .,    First, we can view as a linear transformation : ℤ → ℤ such that ( ) = .Thus we define the kernel of by ker := ∈ ℤ : ( ) = 0 .
It is easy to see that ker ⊆ ℤ is a lattice.In particular, one can define a lattice ideal for ker .Moreover, ker is saturated.Second, we can consider the columns of as Laurent monomials over the indeterminates 1 , . . ., .Formally, a column of defines a Laurent monomial as ( 1 , . . ., ) = 1 1 . . . .We define the ring homomorphism : ] by mapping the variables 1 , . . ., to 1 , . . ., .The codomain of the homomorphism is the ring of Laurent polynomials over with variables.
The toric ideal associated with matrix is the kernel of .The ideal is a pre-image of a prime ideal, and hence is itself a prime ideal of [ ].
As shown in [4, Proposition 1.1.9],a toric ideal has an equivalent definition as a lattice ideal that is, as an ideal of a lattice ker .We emphasise that not every lattice is a kernel of a linear transformation and respectively, lattice ideals are not necessarily toric.In fact, toric ideals are precisely the prime lattice ideals [4, Proposition 1. 1.11].
The homomorphism of -algebras is naturally associated with a group homomorphism : → , defined by The vanishing set of a toric ideal is the Zariski closure of ( ).Such irreducible varieties of are called toric varieties.They share a number of important properties and have been widely studied along with their ideals [4,27].
We refer to binomials of the form − as pure difference binomials.A pure difference ideal is generated by pure difference binomials.Note that lattice and, in particular, toric ideals are pure difference ideals.Let = Remark 2.3.Clearly, there are infinitely many pairwise distinct pure difference binomials sharing the same exponent vector -the vector is invariant when we multiply a pure difference binomial by a monomial, e.g., 2 − 2 and 3 − 3 .For a given exponent vector = ( 1 , . . ., ) ∈ ℤ , we define a unique canonical (pure difference) binomial as ( 1 , . . ., ) := + − − , where is the canonical binomial associated with the vector (2, −2), whereas 3 − 3 (see also Example 1.2) is not canonical.

F
We now describe our loop synthesis approach, by restricting our input polynomials/ideals to pure difference binomials/ideals.Given a pure difference ideal as an input, our procedure outputs a linear loop such that each polynomial in is an invariant of the loop.We thus show that loop synthesis is decidable for pure difference polynomials/ideals.
We next outline our loop synthesis procedure and illustrate its main steps in Table 1.

Loop Synthesis
Step 2a: Sat( ) 2 − , 3 − − Step 2b: We further detail each component of our synthesis procedure, proving correctness of each step of the synthesis process.
Input.The input for the synthesis process is a (possibly empty) finite list 1 , . . ., of pure difference binomials.Let denote the pure difference polynomial ideal := 1 , . . ., in [ ] generated by this finite set.Our goal is to synthesise a linear loop ℒ for which is an invariant.
Each generator ℓ of the ideal has the form ℓ = ℓ ℓ , where 1 , . . ., are monomials and so Note that is contained in and, in general, this inclusion is strict.In particular, in Example 1.2, see also Table 1.
Step 2a: Saturated lattice ideal Sat( ) .Before we proceed with Step 2 of our loop synthesis process, we briefly reflect on the lattice ideals that contain .Notice that in Step 1 we not only found one of them, , but we also pointed out that its lattice had already been computed.Indeed, the generating set 1 , . . ., of is obtained from the pure difference binomials directly.While the generating polynomials can also be computed (e.g. by employing Gröbner bases techniques from [20,Section 5] to compute the saturation of ), our computation proceeds with vectors and lattices rather than polynomials and ideals.
Since is a radical ideal (Theorem 3.2), admits a unique decomposition (see Theorem 2.2).We adjust a general result by Eisenbud and Sturmfels [7], which concerns decompositions of binomial ideals, to our setting.As an aside, work by Grigoriev et al. [10] presents an alternative approach to this step.Therein those authors decompose a so-called binomial variety ( ) into a finite union of irreducible varieties.
In the computational part of Step 2 that follows, we compute a prime lattice ideal Sat( ) that contains .
Proposition 3.4 follows from the next technical lemma.
Proof.Let ∈ ℤ × be the matrix with rows 1 , . . ., .The row space Row( ) over ℚ is thus equal to .The orthogonal complement of Row( ) is Row( ) ⊥ = Null( ).It follows that Null( ) has a basis of − linearly independent vectors, which we denote by 1 , . . ., − , provided that < .On the other hand, if = , then is not a proper subspace of ℚ , from which it follows that Null( ) = {0}.Let be the matrix with rows 1 , . . ., − (and defined as a single row vector 0 in the case = ).Then, by definition, Row( ) = Null( ).The result follows by elementary properties of orthogonal decomposition in finite-dimensional vector spaces.Indeed, we have Herein we distinguish between a ℚ-subspace of vectors orthogonal to the row space of a given integer matrix (commonly its null space) and a sublattice of orthogonal integer vectors (commonly its kernel).
Generally speaking, the matrix constructed above has rational entries; however, multiplying the entries of a matrix by a scalar does not change the null space.Thus we can assume, without loss of generality, that has integer entries and preserves the property Null( ) = , as desired.
Proof of Proposition 3.4.There are two statements to prove in Proposition 3.4 depending on the cases < or = .Note that the latter statement, that = 0 ∈ ℤ 1× if = , was dealt with in the proof of Lemma 3.5.Thus all that remains it to establish the former statement.To this end, we show that Sat( ) = ker for the matrix constructed in the proof of Lemma 3.5.We note that Sat( ) is equal to as desired.
Step 3: Synthesise linear loop ℒ.We take a brief pause and reflect on the combination of Lemma 3.3 and Proposition 3.4 together with the formal definitions presented in Section 2. The sum total is a threefold equivalence between i) toric ideals, ii) ideals of saturated lattices, and iii) ideals of lattices presented as ker .Our objective, to synthesise a loop with prescribed polynomial invariants, relies on the constructive aspect of each of the preceding steps.In this final step, we will use the matrix , constructed in Proposition 3.4, to synthesise a linear loop with invariant ideal Sat( ) .
In the proof of Theorem 3.7, we will employ the following result due to Kauers and Zimmermann [19,Proposition 5] concerning algebraic relations among C-finite sequences.
We now turn to our main result in this step.Theorem 3.7.Let 1 , . . ., ∈ [ 1 , . . ., ] be pure difference binomials and let ⊂ ℤ be the lattice spanned by their exponent vectors.There exists a linear loop ℒ with a diagonal update matrix ∈ ℚ × such that Sat( ) is the invariant ideal of ℒ.
Proof.Following Proposition 3.4, it remains to prove that the ideal of a saturated lattice Sat( ) can be realised as the ideal of all polynomial invariants of a linear loop.Our proof adapts the argument in [9, Proposition 3.7] due to Galuppi and Stanojkovski.
Since there are no non-trivial multiplicative relations among pairwise distinct primes, a vector := ( 1 , . . ., ) is a member of the exponent lattice of { 1 , . . ., } if and only if simultaneously achieves unity; i.e., Finally, let be the ideal generated by the algebraic relations among the C-finite sequences 1 ∈ℕ , . . ., ∈ℕ .Mutatis Mutandis, the argument in Proposition 3.6 holds for natural-indexed sequences.Taken in combination with the above argument, it follows that = Sat( ) .
Output.From our starting point of a pure difference ideal , we constructed an integer matrix such that Sat( ) is a toric ideal associated with , and ⊆ Sat( ) .We output the linear loop ℒ with the invariant ideal Sat( ) .Since ⊆ Sat( ) , the loop ℒ meets our objective: each of the polynomials in is invariant under the action of ℒ. Correctness of the procedure follows from Proposition 3.4 and Theorem 3.7.
The following corollary summarises our synthesis procedure.

T
The procedure in Section 3 synthesises linear loops from ideals generated by pure difference binomials.In this section, we demonstrate that, subject to certain assumptions on the input, we can also synthesise linear loops for non-binomial ideals.
We call a polynomial ideal 1 , . . ., ∈ [ ] a transformed pure difference ideal if there exists an invertible linear change of coordinates for which each in the generating set is a pure difference binomial after the coordinate change.Here, by an invertible linear change of coordinates we mean that the associated change-of-basis matrix is an element of GL ( ).Theorem 4.1.Let be a transformed pure difference ideal with associated changeof-basis matrix ∈ GL ( ).Then there exists a computable linear loop ℒ such that is an invariant of ℒ.
We take = 1 , . . ., and as above.Further, let := 1 , . . ., be the associated pure difference ideal after the change of coordinates .The synthesis procedure summarised in Corollary 3.8 outputs a loop ℒ ′ for which the pure difference ideal = 1 , . . ., is invariant.More specifically, ℒ ′ is the loop with update assignments described by a diagonal update matrix and initial vector in = (1, . . ., 1) such that each polynomial in ideal is an invariant of ℒ ′ .The proof of Theorem 4.1 is as an immediate corollary of the next lemma, which outputs the desired linear loop ℒ. Lemma 4.2.Let ℒ be the linear loop with update assignment matrix −1 and initial vector −1 in .Then every polynomial in is an invariant of ℒ.
Remark 4.4.The approach of Theorem 4.1 relies on the existence of an appropriate change of coordinates that moves ideal to a pure difference ideal and further, that a change-of-basis matrix is given explicitly.The problem of determining the existence of such appears to be a challenging task.
A similar challenge is addressed by Katthän et al. [17].Their algorithmic approach [17, Algorithm 4.5] can generate all matrices ∈ GL ( ) that move an ideal to a unital ideal .Recall that unital ideals are those generated by pure difference binomials and monomials, and hence pure difference ideals are a strict subclass.A straightforward approach to transform an ideal to a pure difference ideal is to apply the procedure of [17] and to manually check whether any of the transformed ideals output has a basis without monomials.If is such an ideal, then Theorem 4.1 can be employed to synthesise a linear loop for the initial ideal .

F
In this section, we gather together corollaries of our synthesis procedure from Section 3. Proof.In light of Corollary 3.8, it suffices to show that ℒ generated by the procedure described in Section 3 is non-trivial.
Recall that a linear loop ℒ is trivial if the input vector has finite orbit.For such loops, the variable vector ( 1 , . . ., ) is attained at two different iterations of ℒ. Since, by construction, the update matrix := diag( 1 , . . ., ), the loop ℒ is trivial if and only if 1 = • • • = = 1 for some ≥ 0. This implies that all diagonal entries of the loop update matrix are roots of unity.However, by construction, the entries 1 , . . ., are positive rational numbers (see proof of Theorem 3.7).Therefore, 1 = • • • = = 1 is a necessary condition for ℒ to be trivial.
From the proof of Proposition 3.4, the matrix has rank 0 if and only if the associated lattice is spanned by = linearly independent vectors.By assumption, has rank at most − 1 because it is generated by at most − 1 exponent vectors.Thus ≠ diag(1, . . ., 1) and so ℒ is non-trivial.
The next theorem is a specialisation of Theorem 5.1 and follows from Step 3 of the synthesis procedure in Section 3.
Proof.We recall that toric ideals are precisely the lattice ideals of saturated lattices Sat( ) = ker .Due to Theorem 3.7, a loop ℒ with invariant ideal Sat( ) can be generated for an arbitrary saturated lattice Sat( ) = ker .Observe that from the proof of Theorem 5.1, ℒ is trivial if and only if Sat( ) = ℤ .This, in turn, is equivalent to Given polynomials 1 , . . ., , a necessary condition for a non-trivial loop to simultaneously satisfy = 0 for all = 1, . . ., , is the existence of infinitely many rational solutions to a system of equations 1 = 0 ∧ • • • ∧ = 0.When 1 , . . ., are pure difference binomials with ≤ − 1, the system indeed has infinitely many solutions-and this is utilised in Theorem 5.1.However, determining whether an arbitrary system of polynomial equations has infinitely many rational solutions is a highly non-trivial problem, as witnessed by the example below.Note that determining whether an equation has infinitely many integer solutions is undecidable [5].5.2.Modifications to the Synthesis Process.A higher objective than that set in Section 3 is as follows: given a polynomial ideal , construct a linear loop whose invariant ideal is precisely .The invariant ideals are radical, and so, for this question, one may assume that the given ideal is radical.Equivalently, the objective is to construct a linear loop whose Zariski closure is the variety ( ).Our synthesis procedure does not generally achieve this goal because each inclusion in the chain of ideals considered in Section 3 is, in general, strict.Here stands for the ideal generated by the canonical binomials, as in e.g.Lemma 3.1.
Remark 5.4.On the one hand, ker of any integer × -matrix is a sublattice of ℤ .On the other hand, the converse statement is not true since there are lattices that cannot be represented as matrix kernels.For example, := ℤ(2, −2) ⊂ ℤ 2 is not saturated and hence not a kernel of a matrix: (2, −2) ∈ but (1, −1) ∉ .

By Remark 5.4, we generally have Sat(
) .An examination of Example 1.2 (see also Table 1), shows how most of the inclusions in (3) are strict; in this example, only the equality = holds.Nevertheless, its (general) violation is witnessed elsewhere in the literature (cf. the discussion that follows [11,Corollary 3.21]).
In special cases, we can simplify the procedure of Section 3 by observing (introduced) redundancy.In this direction, we provide a list of sufficient conditions for equalities to hold in (3).Proposition 5.5.Let ⊆ [ 1 , . . ., ] be a pure difference ideal.
(1) Suppose that = is a principal ideal for which is a canonical pure difference binomial.Then = .If, in addition, is irreducible, then = Sat( ) holds.
(2) Suppose that is generated by pure difference binomials and at least one of the generators 1 , . . ., has a positive exponent vector ∈ ℤ >0 .Then, = .
Proof.Regarding (1), we consider the principal ideal of = − with gcd( , ) = 1.Let be the lattice ideal of := ℤ • ( − ).This lattice ideal is generated by pure difference binomials.Each such generator takes the form − for some positive integer , or − − − for some negative integer .Polynomials of this form are divisible by − .It quickly follows that ⊆ and hence = .If, in addition, is irreducible, then is prime ( [ 1 , . . ., ] is a unique factorisation domain).Thus = = is prime and so is saturated.Therefore = = Sat( ) .Assertion (2), in turn, is a modification of [27,Lemma 12.4].Without loss of generality, let be an ideal generated by canonical pure difference binomials 1 , . . ., , where 1 's exponent vector is positive.Then Note that Corollary 1.3 follows from Proposition 5.5 (i): an irreducible pure difference binomial is clearly canonical.A loop synthesised for Sat( ) then has as its invariant ideal by Theorem 3.7.

D C
Related Works.On the one hand, deriving polynomial invariants for the class of loops with (non-linear) polynomial arithmetic in their update assignments is, in general, undecidable [12].On the other hand, for restricted classes of loops there are efficient procedures for synthesising invariants.Indeed, the restricted classes of polynomial arithmetic in so-called solvable loops [25]-loops with (blocks of) affine assignments, admit such procedures [22,23,14,21].Previous works synthesising linear loops from non-linear polynomial invariants include [13].Their approach is also based on algebraic reasoning about the C-finite sequences generated by linear loops.Yet, the synthesis problem is translated into a constraint solving task in non-linear arithmetic, by relying on loop templates and using a conflict resolution procedure based on cylindrical algebraic decomposition/Gröbner basis computation [15].Unlike [13], our synthesis procedure restricts to linear algebraic reasoning.The algorithm of [13] is relative complete as it generates all linear loops satisfying a given invariant of a bounded degree.As such, and in contrast to our results from Theorems 5.1 and 5.2, the work of [13] gives no sufficient conditions for the existence of at least one non-trivial loop satisfying the invariant.
The approach in [9] studies cyclic semigroups and sheds light on their geometry.In particular, irreducible components of Zariski closures for cyclic semigroups are shown to be isomorphic to toric varieties.Using the terminology in this note, their observation that toric ideals are precisely the invariant ideals of some linear loops is the key motivation for our synthesis procedure.Conclusions and Future Directions.Using machinery from algebraic geometry, we identify classes of polynomial invariants for which synthesis becomes decidable.Our synthesis procedure can produce infinitely many different loops that, by construction, all have the same invariant.For a given input, the number of variables of the procedurally generated output loops is equal to the number of indeterminates in the input polynomials.Observe that linear loops with > variables can still satisfy invariants from [ 1 , . . ., ] on a subset of their variables.The challenge of deriving an upper bound on the number of program variables for the invariant, also raised in [13,Section 4.2], remains open.
We aim to analyse the bit complexity of our procedure in the future.Note that in Step 3, prime numbers are raised to the powers that are, in general, exponential in the number of variables .Therefore, the generated update matrix might have entries with exponentially many (in ) bits, cf. the worstcase double exponential running time of Gröbner basis computation for the invariant ideal.
We intent to extend our synthesis approach to synthesise loops whose invariant ideals are non-prime lattice ideals.One challenge to be addressed is the classification of Zariski closures of the orbits of linear loops, cf.[9].In this direction, it is of interest whether loops with non-diagonalisable matrices have invariant ideals structurally different from those of loops synthesised in Sections 3 and 4.
We conclude this paper by highlighting the following limitation of our approach, which we intend to address in future work.The construction in Step 1, that introduces the lattice ideal , entails that we can only synthesise loops whose invariant ideals are lattice ideals.Further, Theorem 3.2 implies that ( ) is the Zariski closure of ( ) \ ( =1 ), cf. and initial vector init = (1, 0) is precisely the ideal .
The loop ℒ ′ in the example above stands in contrast to the synthesised loop ℒ in Example 1.2 because ( ) is the strongest algebraic invariant of ℒ ′ .In contrast, the strongest algebraic invariant of ℒ is ( − ).R

Theorem 2 . 2 ([ 3 ,
Theorem 6, Chapter 4.6]).Each radical polynomial ideal in [ ] admits a unique decomposition as an intersection of finitely many prime ideals = 1 ∩ • • • ∩ such that for each pair ⊄ .The decomposition is commonly referred to as the minimal decomposition of a radical ideal.

5. 1 .Theorem 5 . 1 .
Existence of Non-Trivial Linear Loops.Theorems 5.1 and 5.2 next show that, subject to certain restrictions on the input ideal, there are always non-trivial loops that witness a given input as an invariant.Let be an ideal generated by at most − 1 pure difference binomials in [ 1 , . . ., ].There exists a non-trivial linear loop ℒ such that any polynomial ∈ is an invariant of ℒ.

[ 3 ,Example 6 . 1 .
Chapter 4.4,  Theorem 10].Our procedure thus only synthesises loops whose orbits lie outside of the coordinate hyperplanes.We revisit the synthesis problem for an ideal = 3 − 3 of Example 1.2.The invariant ideal of a linear loop ℒ ′ with update matrix Synthesise a linear loop ℒ with a diagonal update matrix whose diagonal entries are determined by the columns of .The ideal Sat( ) is the invariant ideal of ℒ. Output: Linear loop ℒ with invariants 1 , . . ., .
T 1. Loop synthesis for our running examples Example 1.1 Example 1.2