Strong Invariants Are Hard: On the Hardness of Strongest Polynomial Invariants for (Probabilistic) Programs

We show that computing the strongest polynomial invariant for single-path loops with polynomial assignments is at least as hard as the Skolem problem, a famous problem whose decidability has been open for almost a century. While the strongest polynomial invariants are computable for affine loops, for polynomial loops the problem remained wide open. As an intermediate result of independent interest, we prove that reachability for discrete polynomial dynamical systems is Skolem-hard as well. Furthermore, we generalize the notion of invariant ideals and introduce moment invariant ideals for probabilistic programs. With this tool, we further show that the strongest polynomial moment invariant is (i) uncomputable, for probabilistic loops with branching statements, and (ii) Skolem-hard to compute for polynomial probabilistic loops without branching statements. Finally, we identify a class of probabilistic loops for which the strongest polynomial moment invariant is computable and provide an algorithm for it.


INTRODUCTION
Loop invariants describe valid program properties that hold before and after every loop iteration.Intuitively, invariants provide correctness information that may prevent programmers from introducing errors while making changes to the loop.As such, invariants are fundamental to formalizing program semantics as well as to automate the formal analysis and verification of programs.While automatically synthesizing loop invariants is, in general, an uncomputable problem, when considering only single-path loops with linear updates (linear loops), the strongest polynomial invariant is in fact computable [Karr 1976;Kovács 2008;Müller-Olm and Seidl 2004a].The computability remains intact for linear loops with non-deterministic branching [Hrushovski et al. 2018].Yet, already for single-path loops with "only" polynomial updates, computing the strongest invariant has been an open challenge since 2004 [Müller-Olm and Seidl 2004b].In this paper, we bridge the gap between the computability result for linear loops and the uncomputability result for general loops by providing, to the best of our knowledge, the first hardness result for computing the strongest polynomial invariant of single-path polynomial loops.
Problem setting.Let us motivate our hardness results using the two loops in Figure 1, showcasing that very small changes in loop arithmetic may significantly increase the difficulty of computing the strongest invariants.Figure 1a depicts an affine loop, that is, a loop where all updates are affine     ← 1 −1 2 0 while ★ do  ← 3 + 2 − 5  ←  + 3  ← 4 + 3 +   ←  +  + 2 end while (a) An affine loop from [Karimov et al. 2022].

𝑥 𝑦 ← 𝑥
(b) A polynomial loop, modelling the discrete-time Van der Pol oscillator [Dreossi et al. 2017] for some constant sampling time Δ  .combinations of program variables.On the other hand, Figure 1b shows a polynomial loop whose updates are polynomials in program variables.
An affine (polynomial) invariant is a conjunction of affine (polynomial) equalities holding before and after every loop iteration.The computability of both the strongest affine and polynomial invariant has been studied extensively.For affine loops, the seminal paper [Karr 1976] shows that the strongest affine invariant is computable, whereas [Kovács 2008] proves computability of the strongest polynomial invariant for single-path affine loops.Regarding polynomial programs, for example the one in Figure 1b, [Müller-Olm and Seidl 2004a] gives an algorithm to compute all polynomial invariants of bounded degree.
Based on these results, the strongest polynomial invariant of Figure 1a is thus computable.Yet, the more general problem of computing the strongest polynomial invariant for polynomial loops without any restriction on the degree remained an open challenge since 2004 [Müller-Olm and Seidl 2004b].In this paper, we address this challenge, which we coin as the SPInv problem and define below.
The SPInv Problem: Given a single-path loop with polynomial updates, compute the strongest polynomial invariant.
In Section 4, we prove that SPInv is very hard, essentially "defending" the state-of-the-art that so far failed to derive computational bounds on computing the strongest polynomial invariants of polynomial loops.The crux of our work is based on the Skolem problem, a prominent algebraic problem in the theory of linear recurrences [Everest et al. 2003;Tao 2008], which we briefly recall below and refer to Section 2.3 for details.
The Skolem Problem [Everest et al. 2003;Tao 2008]: Does a given linear recurrence sequence with constant coefficients have a zero?
The decidability of the Skolem problem has been open for almost a century, and its decidability is connected to far-fetching conjectures in number theory [Bilu et al. 2022;Lipton et al. 2022].In Section 4, we show that SPInv is at least as hard as the Skolem problem, providing thus a computational lower bound showcasing the hardness of SPInv.
To the best of our knowledge, our results from Section 4 are the first lower bounds for SPInv and provide an answer to the open challenge posed by [Müller-Olm and Seidl 2004a].While [Hrushovski et al. 2023] proved that the strongest polynomial invariant is uncomputable for multi-path polynomial programs, the computability of SPInv has been left open for future work.With our results proving that SPInv is Skolem-hard (Theorem 4.2), we show that the missing computability proof of SPInv is not surprising: solving SPInv is really hard.
Connecting invariant synthesis and reachability.A computational gap also exists in the realm of model-checking between affine and polynomial programs, similar to the computability of SPInv.Point-to-point reachability is arguably the simplest model-checking property; it asks whether a program can reach a given target state from a given initial state.For example, one may start the Van der Pol oscillator from Figure 1b in some initial configuration ( 0 ,  0 ) and certify that it will eventually reach a certain target configuration (  ,   ).Reachability, and even more involved modelchecking properties, are known to be decidable for affine loops [Karimov et al. 2022].However, the decidability or mere reachability of polynomial loops remains unknown without any existing non-trivial lower bounds.We refer to this reachability quest via the P2P problem.
The Point-To-Point Reachability Problem (P2P) : Given a single-path loop with polynomial updates, is a given target state reachable starting from a given initial state?
In Section 3, we resolve the lack of computational results on reachability in polynomial loops.In particular, we show that P2P is Skolem-hard (Theorem 3.3) as well.To reduce Skolem to P2P, we construct a polynomial loop from a given linear recurrence sequence, such that the loop reaches the all-zero state if and only if the linear recurrence sequence has a zero.For our reduction, a linear recurrence sequence of order  is encoded as a loop with  variables.The crux of the reduction in Section 3 is that every variable is a shifted "non-linear variant"of the original sequence such that, once any variable becomes 0, it remains 0 forever.Then, the resulting loop reaches the all-zero state if and only if the original sequence has a zero.To the best of our knowledge, this yields the first non-trivial hardness result for P2P.
In Section 4, we further show that P2P and SPInv are connected in the sense that P2P reduces to SPInv.To reduce P2P to SPInv, we show how to decide whether a given loop reaches a given target state only using polynomial invariants.For the reduction, we add an auxiliary variable to the loop that becomes and remains 0 as soon as the original loop reaches the given target state.Intuitively, the auxiliary variable is eventually invariant if and only if the original loop reaches the target state.Utilizing techniques from computational algebraic geometry, we show how to decide whether the auxiliary variable is eventually invariant given the strongest polynomial invariant.Hence, we show that SPInv is at least as hard as P2P.
Therefore, our reduction chain Skolem ≤ P2P ≤ SPInv implies that the decidability of P2P and/or SPInv would immediately solve the Skolem problem a longstanding conjecture in number theory.
Beyond (non)deterministic loops and invariants.In addition to computational limits within standard, (non)deterministic programs, we further establish computational (hardness) bounds in probabilistic loops.Probabilistic programs model stochastic processes and encode uncertainty information in standard control flow, used for example in cryptography [Barthe et al. 2012a], privacy [Barthe et al. 2012b], cyber-physical systems [Kofnov et al. 2022], and machine learning [Ghahramani 2015].
Because classical invariants, as in SPInv, do not account for probabilistic information, we provide a proper generalization of the strongest polynomial invariant for probabilistic loops in Section 5 (Lemma 5.5).With this generalization, we transfer the SPInv problem to the probabilistic setting.We hence consider the probabilistic version of SPInv as being the Prob-SPInv problem.
The Prob-SPInv Problem: Given a probabilistic loop with polynomial updates, compute the "probabilistic analog" of the strongest polynomial invariant.
In Section 5 we prove that Prob-SPInv inherits Skolem-hardness from its classical SPInv analog (Theorem 5.10).We also show that enriching the probabilistic program model with guards or branching statements renders the strongest polynomial (probabilistic) invariant uncomputable, even in the affine case (Theorems 5.8).We nevertheless provide a decision procedure when considering Prob-SPInv for a restricted class of polynomial loops: we define the class of moment-computable (polynomial) loops and show that Prob-SPInv is computable for such loops (Algorithm 1).Despite being restrictive, our moment-computable loops subsume affine loops with constant probabilistic choice.As such, Section 5 shows the limits of computability in deriving the strongest polynomial (probabilistic) invariants for probabilistic polynomial loops.
Our contributions.In conclusion, the main contributions of our work are as follows: • In Section 3, we provide a reduction from Skolem to point-to-point reachability for polynomial loops, proving that P2P is Skolem-hard (Theorem 3.3).
• Section 4 gives a reduction from P2P to the problem of computing the strongest polynomial invariant of polynomial loops, establishing the connection between P2P and SPInv.As such, we prove that SPInv is Skolem-hard (Theorem 4.2).
• In Section 5, we generalize the concept of strongest polynomial invariants to the probabilistic setting (Lemma 5.5).We show that Prob-SPInv is Skolem-hard (Theorem 5.10) and uncomputable for general polynomial probabilistic programs (Theorem 5.8), but it becomes computable for moment-computable polynomial probabilistic programs (Algorithm 1).

PRELIMINARIES
Throughout the paper, we write N for the natural numbers, Q for the rationals, R for the reals, and Q for the algebraic numbers.We denote by K[ 1 , . . .,   ] the polynomial ring over  variables with coefficients in some field K. Further, we use the symbol P for probability measures and E for the expected value operator.
In a guarded program, each transition is additionally guarded by an equality/inequality predicate among variables of the state vector ì .If in some configuration the guard of an outgoing transition holds, we say that the transition is enabled, otherwise the transition is disabled.
(Non)Deterministic programs.If for any location  ∈  in a program P there is exactly one outgoing transition (,  ,  ′ ), then P is deterministic; otherwise P is nondeterministic.A deterministic guarded program may have multiple outgoing transitions from each location, but for any configuration, exactly one outgoing transition must be enabled.For a guarded nondeterministic program, we require that each configuration has at least one enabled outgoing transition.Deterministic, unguarded programs are called single-path programs.
To capture the concept of a loop invariant, we consider the collecting semantics of P, associating each location  ∈  with a set of vectors S  that are reachable from the initial state ( 0 , ì 0).More formally, the sets {S  |  ∈  } are the least solution of the inclusion system is an invariant with respect to program location  ∈ , if for all reachable configurations ì  ∈ S  the polynomial vanishes, that is  ( ì ) = 0.Moreover, for a loop L, the polynomial  is an invariant of L, if  is an invariant with respect to the looping state  1 .
Probabilistic programs.In probabilistic programs, a probability  is added to each program transition.That is,  ⊆  × Q[ 1 , . . .,   ]  × (0, 1] × , where we require that each location has countably many outgoing transitions and that their probabilities  sum up to 1.Under the intended semantics, a transition (,  , ,  ′ ) then maps a configuration (, ì ) to configuration ( ′ ,  ( ì )) with probability  .Again, for guarded probabilistic programs, we require that each configuration has at least one enabled outgoing transition and that the probabilities of the enabled transition sum up to 1.
For probabilistic programs P, we consider moment invariants over higher-order statistical moments of the probability distributions induced by P (see Section 5).In this respect, it is necessary to count the number of executed transitions in the semantics of P. Formally, the sets {S   |  ∈ ,  ∈ N 0 } are defined as for all (,  , ,  ′ ) ∈  and  ∈ N 0 .
In addition, the probability of a configuration ì  in location  after  iterations, in symbols P( ì  | S   ), can be defined inductively: (i) in the initial state, the configuration ì 0 after 0 executed transitions has probability 1; (ii) for any other state, the probability of reaching a specific configuration is defined by summing up the probabilities of all incoming paths.More formally, the probability P( ì We then define the th higher-order statistical moment of a monomial  in program variables as the expected value of  after  loop iterations.Namely, where  ( ì ) evaluates the monomial  in a specific configuration ì .
Example 2.2.The following loop encodes a symmetric 1-dimensional random walk starting at 0. In every step, the random walk moves left or right with probability 1 /2.The loop is given in code: Replacing the probabilistic choice in the loop body with non-deterministic choice, results in a non-deterministic program.
Universality of loops.In this paper, we focus on polynomial loops.This is justified by the universality of loops [Hrushovski et al. 2023, Section 4], as every polynomial program can be transformed into a polynomial loop that preserves the collecting semantics.Intuitively, this is done by merging all program states into the looping state and by introducing additional variables that keep track of which state is actually active while invalidating infeasible traces.It is then possible to recover the sets S ()  of the original program from the sets S ()  of the loop.

Computational Algebraic Geometry & Strongest Invariants
We study polynomial invariants  ( ì ) of polynomial programs; here,  ( ì ) are multivariate polynomials in program variables ì .We therefore recap necessary terminology from algebraic geometry [Cox et al. 1997], to support us in reasoning whether  ( ì ) = 0 is a loop invariant.In the following K denotes a field, such as R, Q or Q.The set  = ⟨ 1 , . . .,   ⟩ is an ideal, with the polynomials  1 , . . .,   being a basis of  .
Of particular importance to our work is the set of all polynomial invariants of a program location.It is easy to check that this set forms an ideal.
Definition 2.4 (Invariant Ideal).Let P be a program with location .The set I of all invariants with respect to the location  is called the invariant ideal of .If P is a loop and I is the invariant ideal with respect to the looping state  1 , we call I the invariant ideal of the loop P1 .
As the invariant ideal I of a loop L contains all polynomial invariants, a basis for I is the strongest polynomial invariant of L. This is further justified by the following key result, establishing that every ideal has a basis.Theorem 2.5 (Hilbert's Basis Theorem).Every ideal  ⊆ K[ 1 , . . .,   ] has a basis.That is,  = ⟨ 1 , . . .,   ⟩ for some  1 , . . .,   ∈  .
While an ideal  may have infinitely many bases, the work of [Buchberger 2006] proved that every ideal  has a unique (reduced) Gröbner basis, where uniqueness is guaranteed modulo some monomial order.A monomial order < is a total order on all monomials such that for all monomials  1 ,  2 ,  3 , if  1 <  2 then  1  3 <  2  3 .For instance, assume our polynomial ring is K[, , ], that is, over three variables , , and .A total order  <  <  over variables can be extended to a lexicographic ordering on monomials, denoted also by < for simplicity.In this case, for example,  3 <  2 and  2  < .For a given monomial order, one can consider the leading term of a polynomial  which we denote by  ().For a set of polynomials  we write  () for the set of all leading terms of all polynomials.Continuing the example mentioned before, we have Definition 2.6 (Gröbner Basis).Let  ⊆ K[ 1 , . . .,   ] be an ideal and fix a monomial order.A basis  = { 1 , . . .,   } of  is a Gröbner basis, if ⟨ ( 1 ), . . .,  (  )⟩ = ⟨ ( )⟩.Further,  is a reduced Gröbner basis if every   has leading coefficient 1 and for all , ℎ ∈  with  ≠ ℎ, no monomial in  is a multiple of  (ℎ).
Gröbner bases provide the workhorses to compute and implement algebraic operations over (infinite) ideals, including ideal intersections/unions, variable eliminations, and polynomial memberships.Given any basis for an ideal  , a unique reduced Gröbner basis with respect to any monomial ordering < is computable using Buchberger's algorithm [Buchberger 2006].A central property of Gröbner basis computation is that repeated division of a polynomial  by elements of a Gröbner basis results in a unique remainder, regardless of the order in which the divisions are performed.Hence, to decide if a polynomial  is an element of an ideal  , that is deciding polynomial membership, it suffices to divide  by a Gröbner basis of  and check if the remainder is 0.Moreover, eliminating a variable  from an ideal  ⊆ K[, ] is performed by computing the Gröber basis of the elimination ideal  ∩ K[] only over .

Recurrence Equations
Recurrence equations relate elements of a sequence to previous elements.There is a strong connection between recurrence equations and program loops: assignments in program loops relate values of program variables in the current iteration to the values in the next iteration.It is therefore handy to interpret a (polynomial) program loop as a recurrence.We briefly introduce linear and polynomial recurrence systems and refer to [Kauers and Paule 2011] for details.
We conclude this section by recalling the Skolem problem [Bilu et al. 2022;Lipton et al. 2022] related to linear recurrence sequences, whose decidability is an open question since the 1930s.We formally revise the definition from Section 1 as: The Skolem Problem [Everest et al. 2003;Tao 2008]: Given an LRS  (),  ∈ N 0 , does there exist some  ∈ N 0 such that  () = 0?
In the upcoming sections, we show that the Skolem problem is reducible to the decidability of three fundamental problems in programming languages, namely P2P, SPInv and Prob-SPInv from Section 1.As such, we prove that the Skolem problem gives us intrinsically hard computational lower bounds for P2P, SPInv, and Prob-SPInv.

HARDNESS OF REACHABILITY IN POLYNOMIAL PROGRAMS
We first address the computational limitations of reachability analysis within polynomial programs.
It is decidable whether a loop with affine assignments reaches a target state from a given initial state [Kannan and Lipton 1980].Additionally, even problems generalizing reachability are known to be decidable for linear loops, such as various model-checking problems [Karimov et al. 2022].However, reachability for loops with polynomial assignments, or equivalently discrete-time polynomial dynamical systems, has been an open challenge.In this section, we address this reachability challenge via our P2P problem, showing that reachability in polynomial program loops is at least as hard as the Skolem problem (Theorem 3.3).To this end, let us revisit and formally define our P2P problem from Section 1, as follows.
To the best of our knowledge, nothing is known about the hardness of P2P for polynomial recursive sequences2 , and hence for loops with arbitrary polynomial assignments, apart from the trivial lower bounds provided by the linear/affine cases [Kannan and Lipton 1980;Karimov et al. 2022].
In the sequel, in Theorem 3.3 we prove that the P2P problem for polynomial recursive sequences is at least as hard as Skolem.Doing so, we show that solving Skolem can be solved by reducing it to inputs for P2P, written in symbols as Skolem ≤ P2P.We thus establish a computational lower bound for P2P in the sense that providing a decision procedure for P2P for polynomial recursive sequences would prove the decidability of the long-lasting open decision problem given by Skolem.
Our reduction for Skolem ≤ P2P.In a nutshell, we fix an arbitrary Skolem instance, that is, a linear recurrence sequence  () of order .We say that the instance  () is positive, if there exists some  ∈ N 0 such that  () = 0, otherwise we call the instance negative.Our reduction Skolem ≤ P2P constructs an instance of P2P that reaches the all-zero vector ì 0 if and only if the Skolem instance is positive.Hence, a decision procedure for P2P would directly lead to a decision procedure for Skolem.Following (2), let our Skolem instance of order  to be the LRS  () : N 0 → Q specified by coefficients  0 , . . .  −1 ∈ Q such that  0 ≠ 0 and, for all  ∈ N 0 , we have (5) From our Skolem instance (5), we construct a system of  polynomial recursive sequences  0 , . . .,   −1 , as given in (4).Namely, the initial sequence values are defined inductively as With the initial values defined, the sequences  0 , . . .,   −1 are uniquely defined via the following system of recurrence equations: Intuitively, the   sequences are "non-linear variants" of the Skolem instance  () such that, once any   reaches 0,   remains 0 forever.The target vector for our P2P instance is therefore ì  = ì 0.
Let us illustrate the main idea of our construction with the following example.
Example 3.1.Assume our Skolem instance from ( 5) is given by the recurrence  we construct a system of polynomial recursive sequences   (): The first few sequence elements of  () and  0 () are shown in Figure 2 and illustrate the key property of our reduction: (i)  0 () is non-zero as long as  () is non-zero, which we prove in Lemma 3.2; (ii) if there is an  such that  ( ) = 0, it holds that for all  ≥  :  0 () = 0.The other sequences  1 and  2 in the system are "shifted" variants of  0 .Hence, the constructed sequences all eventually reach the all-zero configuration and remain there.In Theorem 3.3, we prove that this is the case if and only if the Skolem instance  () is positive.
Correctness of Skolem ≤ P2P.To prove the correctness of our reduction Skolem ≤ P2P and to assert the properties (i)-(ii) of Example 3.1 among  () and   (), we introduce  auxiliary variables  0 , . . .,   −1 defined as As illustrated in Example 3.1, the high-level idea of our reduction is that the   sequences are "non-linear variants" of the Skolem instance  () such that, once any   reaches 0,   remains 0 forever.With the next lemma, we make the connections between the sequences   () and  () precise, using the auxiliary sequences   ().The central connection is  0 () =  0 () •  () and  0 () = −1 =0  0 (), which we utilize in the correctness proof in Theorem 3.3.The main idea behind the construction of the P2P-instance is to ensure that this connection, and similar connections for the other sequences   and   , do hold.We formally prove these properties by induction.Lemma 3.2.For the system of polynomial recursive sequences in (6), it holds that ∀ ≥ 0 and 0 ≤  <    () =   () •  ( + ), and (7) Proof.We prove the two properties by well-founded induction on the lexicographic order (, ), where  ≥ 0 and 0 ≤  < .Here, (, ) ≤ ( ′ ,  ′ ) if and only if  <  ′ or  =  ′ ∧  <  ′ .The order has the unique least element (0, 0).
To prove property (8) for (+1, −1) we use the defining equation of   −1 (+1) and the induction hypothesis for (, −1): As we have covered all possible cases, we conclude the proof.□ Lemma 3.2 establishes two central properties of our reduction.We now use these properties to show that P2P is at least as hard as Skolem.
Proof.We show that our polynomial recursive system constructed in ( 6) reaches the all-zero vector from the initial value if and only if the original Skolem instance is positive.
(⇐) Assume that the Skolem instance is negative, meaning that the linear recurrence sequence  () does not have a 0. In particular,  () ≠ 0 for all 0 ≤  < .Therefore, by definition of the polynomial recursive system (6),   (0) ≠ 0 for all 0 ≤  < .Towards a contradiction, assume that the polynomial recursive system still reaches the all-zero vector.Hence, there is a smallest  ∈ N 0 such that   ( ) = 0 for all 0 ≤  < .In particular,  0 ( ) = 0.Moreover,  0 is the last sequence to reach 0, because of the recurrence equation   (+1) =  +1 () for 0 ≤  < .Therefore,  is also the smallest number such that  0 ( ) = 0.By property (7) of Lemma 3.2, we have However,  0 ( ) must be non-zero, because by property (8) of Lemma 3.2, and the fact that  is the smallest number such that  0 ( ) = 0. Then we necessarily have  ( ) = 0, yielding a contradiction.□ Theorem 3.3 shows that P2P for polynomial recursive sequences is at least as hard as the Skolem problem.Thus, reachability and model-checking of loops with polynomial assignments is Skolemhard.A decision procedure establishing decidability for P2P would lead to a major breakthrough in number theory, as by Theorem 3.3 this would imply the decidability of the Skolem problem.
Remark 1.In [Hrushovski et al. 2023] the authors show that the the strongest polynomial invariant is uncomputable for polynomial programs with nondeterminism.The proof reduces from an undecidable problem to finding the strongest polynomial invariant for nondeterministic polynomial programs.A similarity between our reduction from this section and the reduction in [Hrushovski et al. 2023] is the idea of projecting specific states to the zero vector.Nevertheless, the setting and reasons for using such a projection differ significantly between the two reductions.The reduction in [Hrushovski et al. 2023] maps invalid program traces to the zero state to argue about the dimension of an algebraic set.In contrast, our work maps the single program trace to the zero state if and only if the original Skolem instance is positive.

HARDNESS OF COMPUTING THE STRONGEST POLYNOMIAL INVARIANT
This section goes beyond reachability analysis and focuses on inferring the strongest polynomial invariants of polynomial loops.As such, we turn our attention to solving the SPInv problem of Section 1, which is formally defined as given below.
The SPInv Problem: Given an unguarded, deterministic loop with polynomial updates, compute a basis of its polynomial invariant ideal.
We prove that finding the strongest polynomial invariant for deterministic loops with polynomial updates, that is, solving SPInv, is at least as hard as P2P (Theorem 4.2).Hence, P2P ≤ SPInv.
Then, by the Skolem ≤ P2P hardness result of Theorem 3.3, we conclude the Skolem-hardness of SPInv, that is Skolem ≤ P2P ≤ SPInv.To the best of our knowledge, our Theorem 3.3 together with Theorem 4.2 provide the first computational lower bound on SPInv, when focusing on loops with arbitrary polynomial updates (see Table 1).
Let us illustrate the main idea of our P2P ≤ SPInv reduction via the following example.
SPInv instance for (S, t 1 ): The invariant ideals for both instances are given in terms of Gröbner bases with respect to the lexicographic order for the variable order  <  <  < .
For the instance with the reachable target ì  1 , we have  () = 0 for  ≥ 2. Hence, ( − 1)  is a polynomial invariant and must be in the invariant ideal of this SPInv instance; in fact, ( − 1)  is not only in the invariant ideal but even a basis element for the Gröbner basis with the chosen order.However, ( − 1)  is not in the ideal of the SPInv instance with the unreachable target ì  2 .These two SPInv instances illustrate thus how a basis of the invariant ideal can be used to decide P2P.
While, for simplicity, our recursive sequences  () and  () are linear, our approach to reducing P2P to SPInv also applies to polynomial recursive sequences.In Theorem 4.2, we show that a polynomial such as ( − 1)  is an element of the basis of the invariant ideal (with respect to a specific monomial order) if and only if the original P2P instance is positive.
Correctness of P2P ≤ SPInv.To show that it is decidable whether  () has a 0 given a basis of the invariant ideal, we employ Gröbner bases and an argument introduced in [Kauers 2005] for recursive sequences defined by rational functions, adjusted to our setting using recursive sequences defined by polynomials.Theorem 4.2 (Hardness of SPInv).SPInv is at least as hard as P2P.That is, P2P ≤ SPInv.
Proof.Assume we are given an oracle for SPInv, computing a basis  of the polynomial invariant ideal I = ⟨⟩ of our loop (11).We show that given such a basis , it is decidable whether  () has a root, which is equivalent to the fixed P2P instance being positive.
Note that by the construction of the loop (11), if  ( ) = 0 for some  ∈ N 0 , then ∀ ≥  :  () = 0.Moreover, such an  exists if and only if the P2P instance is positive.This is true if and only if there exists an  ∈ N 0 such that the sequence is 0 for all  ∈ N 0 .Consequently, the polynomial invariant ideal I contains a polynomial for some  ∈ N 0 only if the P2P instance (11) is positive.It is left to show that, given a basis  of I, it is decidable whether I contains a polynomial (12).Using Buchberger's algorithm [Buchberger 2006],  can be transformed into a Gröbner basis with respect to any monomial order.We choose a total order among program variables such that  <  <  1 , . . .,   .Without loss of generality, we assume that  is a Gröbner basis with respect to the lexicographic order extending the variable order.
In what follows, we argue that if a polynomial  as in ( 12) is an element of I, then  must be an element of the basis .As the leading term of  is   •  , there must be some polynomial  in  with a leading term that divides   •  .By the choice of the lexicographic order, this polynomial must be of the form  =  1 () •  −  2 (), since if any other term would occur in , it would necessarily be in the leading term.As both  ∈ I and  ∈ I, it holds that By expanding  and , we see that the above polynomial is equivalent to As this polynomial is in the ideal I, it follows that for all  ∈ N 0 : However, this implies that  2 () has infinitely many zeros, a property that is unique to the zero polynomial.Therefore, we conclude that  2 ≡ 0. Hence, if the original P2P instance is positive, there necessarily exists a basis polynomial of the form  1 () •  .
Therefore, we conclude that the P2P instance is positive if and only if the Gröbner basis contains a polynomial of the form (12).As the basis  is finite, this property can be checked by enumeration of the basis elements of .Hence, given an oracle for SPInv, we can decide if the P2P instance is positive or negative.□ Theorem 4.2 shows that SPInv is at least as hard as the P2P problem.Together with Theorem 3.3, we conclude that SPInv is Skolem-hard.
An improved direct reduction from Skolem to SPInv.Theorem 4.2 together with Theorem 3.3 yields the chain of reductions Skolem ≤ P2P ≤ SPInv.
Within these reductions, a Skolem instance of order  yields a P2P instance with  sequences, which in turn reduces to a SPInv instance over +2 variables.
We conclude this section by noting that, if the linear recurrence sequence of the Skolem-instance is an integer sequence, then a reduction directly from Skolem to SPInv can be established by using only +1 variables.A slight modification of Skolem ≤ P2P reduction of Section 3 results in a reduction from Skolem instances of order  directly to SPInv instances with +1 variables.Any system of polynomial recursive sequences can be encoded in a loop with polynomial updates.Hence, the instance produced by the Skolem ≤ P2P reduction can be interpreted as a loop.It is sufficient to modify the resulting loop in the following way: As in the reduction in Section 3, the equation  0 () =  0 ()  0 () still holds and the resulting loop reaches the all-zero configuration if and only if the original Skolem-instance is positive (the integer sequence has a 0).Additionally, the resulting loop has infinitely many different configurations if and only if the Skolem instance is positive, as the additional factor in the updates forces a strict increase in |  −1 |.Assuming a solution to SPInv for the constructed loop, that is a basis of the polynomial invariant ideal, it is decidable whether the number of reachable program locations (and its algebraic closure) is finite or not [Cox et al. 1997].Therefore, an oracle for SPInv implies the decidability of Skolem for integer sequences, while the chain of reductions Skolem ≤ P2P ≤ SPInv is also valid for rational sequences.For more details, we refer to [Müllner 2023].
Summary of computability results in polynomial (non)determinstic loops.We conclude this section by overviewing our computability results in Table 1, focusing on the strongest polynomial invariants of (non)deterministic loops and in relation to the state-of-the-art.

STRONGEST INVARIANT FOR PROBABILISTIC LOOPS
In this section, we finally go beyond (non-)deterministic programs and address computational challenges in probabilistic programming, in particular loops.Unlike the programming models of Section 3-4, probabilistic loops follow different transitions with different probabilities (cf.Example 2.2).
Recall that the standard definition of an invariant  , as given in Definition 2.1, demands that  holds in every reachable configuration and location.As such, when using Definition 2.1 to define an invariant  of a probabilistic loop, the information provided by the probabilities of reaching a configuration within the respective loop is omitted in  .However, Definition 2.1 captures an invariant  of a probabilistic loop when every probabilistic loop transition is replaced by a nondeterministic transition.
Nevertheless, for incorporating probability-based information in loop invariants, Definition 2.1 needs to be revised to consider expected values and higher (statistical) moments describing the value distributions of probabilistic loop variables [Kozen 1983;McIver and Morgan 2005].For instance, the symmetric 1-dimensional random walk from Example 2.2 does not have any non-trivial polynomial invariants.However, considering expected values of program variables, E[] = 0 is an invariant property of Example 2.2.Therefore, in Definition 5.2 we introduce polynomial moment invariants to reason about value distributions of probabilistic loops.We do so by utilizing higher moments of the probability distributions induced by the value distributions of loop variables during the execution (Section 5.1).The notion of polynomial moment invariants is the main contribution of this section as it allows us to transfer specific (un)computability results for classical invariants to the probabilistic case.We prove that polynomial moment invariants generalize classical invariants (Lemma 5.5) and show that the strongest moment invariants up to moment order ℓ are computable for the class of so-called moment-computable polynomial loops (Section 5.2).In this respect, in Algorithm 1 we give a complete procedure for computing the strongest moment invariants of moment-computable polynomial loops.When considering arbitrary polynomial probabilistic loops, we prove that the strongest moment invariants are (i) not computable for guarded probabilistic loops (Section 5.3) and (ii) Skolem-hard to compute for unguarded probabilistic loops (Section 5.4).

Polynomial Moment Invariants
Higher moments capture expected values of monomials over loop variables, for example, E[ 2 ] and E[] respectively yield the second-order moment of  and a second-order mixed moment.Such higher moments are necessary to characterize, and potentially recover, the value distribution of probabilistic loop variables, allowing us to reason about statistical properties, such as variance or skewness, over probabilistic value distributions.
When reasoning about moments of probabilistic program variables, note that in general neither hold, due to potential dependencies among the (random) loop variables  and .Therefore, describing all polynomial invariants among all higher moments by finitely many polynomials is futile.A natural restriction and the one we undertake in this paper is to consider polynomials over finitely many moments, which we do as follows.
Definition 5.1 (Moments of Bounded Degree).Let ℓ be a positive integer.Then the set of program variable moments of order at most ℓ is given by Classical invariants are defined over a finite set of program variables.In the probabilistic setting, the elements of E ≤ℓ serve as the formal variables over which moment invariants are defined.As such, bounding the degrees of the moments is different from bounding the degrees of the invariants, which is a common technique for classical programs [Müller-Olm and Seidl 2004b].Although the moments in E ≤ℓ are bounded, in this section, we study unbounded polynomial invariants involving these moments.While Definition 5.1 uses a bound ℓ to define the set of moments of bounded degree, our subsequent results apply to any finite set of moments of program variables.
Recall that Section 2.1 defines the semantics S   of a probabilistic loop with respect to the location  ∈  and the number of executed transitions  ≥ 0. The set S   in combination with the probability of each configuration allows us to define the moments of program variables after  transitions.Further, for a monomial  in program variables, we defined E[  ] in (1) to be the expected value of  after  transitions.For example, E[  ] denotes the expected value of the program variable  after  transitions.With this, we define the set of polynomial invariants among moments of program variables, as follows.
We refer to elements of I ≤ℓ as polynomial moment invariants.
Intuitively, the moment invariant ideal I ≤ℓ is the set of all polynomials in the moments E ≤ℓ that vanish after any number of executed transitions.For example, using Definition 5.
Basis of the moment invariant ideal I ≤2 : and E[()  ] after all number of iterations  ∈ N 0 .The ideal provides information about the stochastic process encoded by the loop.For instance, using the basis, it can be automatically checked that is an invariant, witnessing  and  being uncorrelated.
Moment invariant ideals of Definition 5.2 generalize the notion of classical invariant ideals of Definition 2.4 for nonprobabilistic loops.For a program variable  of a nonprobabilistic loop, the expected value of  after  transitions is just the value of  after  iterations, that is corresponds to the classical invariant  6 −  3 .To formalize this observation, we introduce a function  mapping invariants involving moments to classical invariants.Definition 5.4 (From Moment Invariants to Invariants).Let P be a program with variables  1 , . . .,   .We define the natural ring homomorphism  : The function  maps polynomials over moments to polynomials over program variables, for example, ) is in general not a classical invariant.However, for nonprobabilistic programs,  () is necessarily an invariant for every moment invariant , as we show in the next lemma.Lemma 5.5 (Moment Invariant Ideal Generalization).Let L be a nonprobabilistic loop.Let I be the classical invariant ideal and I ≤ℓ the moment invariant ideal of order ℓ.Then, I ≤ℓ and I are identical under  , that is  I ≤ℓ :=  () |  ∈ I ≤ℓ = I.
Proof.We show that  (I ≤ℓ ) ⊆ I.The reasoning for I ⊆  (I ≤ℓ ) is analogous.

Computability of Moment Invariant Ideals
We next consider a special class of probabilistic loops, called moment-computable polynomial loops.
For such loops, we prove that the bases for moment invariant ideals I ≤ℓ are computable for any order ℓ.Moreover, in Algorithm 1 we give a decision procedure computing moment invariant ideals of moment-computable polynomial loops.
Let us recall the semantical notion of moment-computable loops [Moosbrugger et al. 2022], which we adjusted to our setting of polynomial probabilistic loops.As stated in [Kauers and Paule 2011], we note that any LRS (2) has an exponential polynomial as closed form.As proven in [Moosbrugger et al. 2022], when considering loops with affine assignments, probabilistic choice with constant probabilities, and drawing from probability distributions with constant parameters and existing moments, all moments of program variables follow linear recurrence sequences.Moreover, one may also consider polynomial (and not just affine) loop updates such that non-linear dependencies among variables are acyclic.If-statements can also be supported if the loop guards contain only program variables with a finite domain.Under such structural considerations, the resulting probabilistic loops are moment-computable loops [Moosbrugger et al. 2022]: expected values E[  ] for monomials  over loop variables are exponential polynomials in .Furthermore, a basis for the polynomial relations among exponential polynomials is computable [Kauers and Zimmermann 2008].We thus obtain a decision procedure computing the bases of moment invariant ideals of moment-computable polynomial loops, as given in Algorithm 1 and discussed next.
The procedure compute_closed_form(L, ) in Algorithm 1 takes as inputs a moment-computable polynomial loop L and a set  of moments of loop variables and computes exponential polynomial closed forms of the moments in ; here, we adjust results of [Moosbrugger et al. 2022] to

Algorithm 1 Computing moment invariant ideals
Input: A moment-computable polynomial loop L and an order ℓ ∈ N Output: A basis  for the moment invariant ideal I ≤ℓ ⊲ Closed forms of moments as exponential polynomials  ← compute_closed_forms(L, E ≤ℓ ) ⊲ A basis for the ideal of all algebraic relations among sequences in   ← compute_algebraic_relations() return  implement compute_closed_form(L, ).Further, compute_algebraic_relations() in Algorithm 1 denotes a procedure that takes a set  of exponential polynomial closed forms as input and computes a basis for all algebraic relations among them; in our work, we use [Kauers and Zimmermann 2008] to implement compute_algebraic_relations().Soundness of Algorithm 1 follows from the soundness arguments of [Kauers and Zimmermann 2008;Moosbrugger et al. 2022].
We implemented Algorithm 1 in our tool called Polar4 , allowing us to automatically derive the strongest polynomial moment invariants of moment-computable polynomial loops.
Example 5.7.Using Algorithm 1 for the probabilistic loop of Example 5.3, we compute a basis for the moment invariant ideal I ≤2 in approximately 0.4 seconds and for I ≤3 in roughly 0.8 seconds, on a machine with a 2.6 GHz Intel i7 processor and 32 GB of RAM.

Hardness for Guarded Probabilistic Loops
As Algorithm 1 provides a decision procedure for moment-computable polynomial loops, a natural question is whether the moment invariant ideals remain computable if we relax (C1) the restrictions on the guards, (C2) the structural requirements on the polynomial assignments of moment-computable polynomial loops.
We first focus on (C1), that is, lifting the restriction on guards and show that in this case a basis for the moment invariant ideal of any order becomes uncomputable (Theorem 5.8).
We recall the seminal result of [Müller-Olm and Seidl 2004b] proving that the strongest polynomial invariant for nonprobabilistic loops with affine updates, nondeterministic choice, and guarded transitions is uncomputable.Interestingly, nondeterministic choice can be replaced by uniform probabilistic choice, allowing us to also establish the uncomputability of the strongest polynomial moment invariants, which means a basis for the ideal I ≤ℓ , for any order ℓ.
Theorem 5.8 (Uncomputability of Moment Invariant Ideal).For the class of guarded probabilistic loops with affine updates, a basis for the moment invariant ideal I ≤ℓ is uncomputable for any order ℓ. Proof.
•    Note that the tuple elements may be of different lengths.Moreover, any instance of the PCP over a finite alphabet Σ can be equivalently represented over the alphabet {0, 1} by a binary encoding.Now, given an instance of the (binary) PCP, we construct the guarded probabilistic loop with affine updates shown in Figure 3.We encode the binary strings as integers and denote a transition with probability  , guard  and updates  as [1] : ⊤ : , ,  ← 0, 0, 0 for each 1 ≤  ≤  : The idea is to pick a pair of integer-encoded strings uniformly at random and append them to the string built so far.This is done by left-shifting the existing bits of the string (by multiplying by a power of 2) and adding the randomly selected string.
If the PCP instance does not have a solution, we have  = 0 after every transition.Hence, E[] = 0 must be an invariant.Therefore, E[] is necessarily an element of I ≤ℓ for any order ℓ.Consequently, for all orders ℓ, the PCP instance has a solution if and only if E[] is an element of I ≤ℓ .However, given a basis, checking for ideal membership is decidable (cf.Section 2.2).Hence, a basis for the moment invariant ideal I ≤ℓ must be uncomputable for any order ℓ.□ Note that the PCP reduction within the proof of Theorem 5.8 requires only affine updates and affine invariants.Therefore, allowing loop guards renders even the problem of finding the strongest affine invariant for a finite set of moments uncomputable for probabilistic loops with affine updates.

Hardness for Unguarded Polynomial Probabilistic Loops
In this section we address challenge (C2), that is, study computational lower bounds for computing a basis of moment invariant ideals for probabilistic loops that lack guards and nondeterminism, but feature arbitrary polynomial updates.We show that addressing (C2) boils down to solving the Prob-SPInv problem of Section 1, which in turn we prove to be Skolem-hard (Theorem 5.10).
As such, computing the moment invariant ideals of probabilistic loops with arbitrary polynomial updates as stated in (C2) is Skolem-hard.
We restrict our attention to moment invariant ideals of order 1.Intuitively, a basis for I ≤1 is easier to compute than I ≤ℓ for ℓ > 1.A formal justification in this respect is given by the following lemma.
Lemma 5.9 (Moment Invariant Ideal of Order 1).Given a basis for the moment invariant ideal I ≤ℓ for any order ℓ ∈ N, a basis for I ≤1 is computable.
Proof.The moment invariant ideal I ≤ℓ is an ideal in the polynomial ring with variables E ≤ℓ .
Moreover, E ≤1 ⊆ E ≤ℓ .Hence, , meaning I ≤1 is an elimination ideal of I ≤ℓ .Given a basis for a polynomial ideal, bases for elimination ideals are computable [Cox et al. 1997].□ Using Lemma 5.9, we translate challenge (C2) into the Prob-SPInv problem of Section 1, formally defined as follows.
The Prob-SPInv Problem: Given an unguarded, probabilistic loop with polynomial updates and without nondeterministic choice, compute a basis of the moment invariant ideal of order 1.
Recall that computing a basis for the classical invariant ideal for nonprobabilistic programs with arbitrary polynomial updates, that is, deciding SPInv, is Skolem-hard (Theorem 3.3 and Theorem 4.2).We next show that SPInv reduces to Prob-SPInv, thus implying Skolem-hardness of Prob-SPInv as a direct consequence of Lemma 5.5.
Proof.Assume L is an instance of SPInv.That is, L is a deterministic loop with polynomial updates.Let  1 , . . .,   be the program variables and I the classical invariant ideal of L. Note that L is also an instance of Prob-SPInv and assume  is a basis for the moment invariant ideal I ≤1 .From Lemma 5.5 we know that  (I ≤1 ) = I.For order 1, the function  is a ring isomorphism between the polynomial rings Q[ 1 , .Recall that for proving the uncomputability of moment invariant ideals for guarded probabilistic programs in Theorem 5.8, we replaced nondeterministic choice with probabilistic choice.The "nondeterministic version" of Prob-SPInv refers to computing the strongest polynomial invariant for nondeterministic polynomial programs, which has been recently established as uncomputable [Hrushovski et al. 2023].Therefore, it is natural to consider transferring the uncomputability results of [Hrushovski et al. 2023] to Prob-SPInv by replacing nondeterministic choice with probabilistic choice.However, such a generalization of [Hrushovski et al. 2023] to the probabilistic setting poses considerable problems and ultimately fails to establish the potential uncomputability of Prob-SPInv, for the reasons discussed next.
The proof in [Hrushovski et al. 2023] et al. 1998] and therefore instrumental in the reduction of [Hrushovski et al. 2023].
Namely, in the reduction of [Hrushovski et al. 2023] and Seidl 2004b].To avoid zero-testing the variables before executing a transition, the crucial point in the reduction of [Hrushovski et al. 2023] is to map invalid traces to the vector ì 0 and faithfully simulate valid executions.By properties of the reduction, it holds that the configuration ( 0 , . . .,   ) is reachable in P, if and only if there exists a corresponding configuration 1 / 0 • ( 1 , . . .,   ) in V. Essential to the reduction of [Hrushovski et al. 2023] is, that even though there may be multiple configurations in P for each configuration in V, all these configurations are only scaled by the factor  0 and hence collinear.By collinearity, the variety of the invariant ideal can be covered by a finite set of lines if and only if the set of reachable VASS configurations is finite.Testing this property is decidable, and hence finding the invariant ideal must be undecidable.
Transferring the reduction of [Hrushovski et al. 2023] to the probabilistic setting of Prob-SPInv by replacing nondeterministic choice with probabilistic choice poses the following problem: in the nondeterministic setting, any path is independent of all other paths.However, this does not hold in the probabilistic setting of Prob-SPInv.The expected value operator E[  ] aggregates all possible valuations of  in iteration  across all possible paths through the program.Specifically, the expected value is a linear combination of the possible configurations of V, which is not necessarily limited to a collection of lines but may span a higher-dimensional subspace.This is the step where a reduction similar to [Hrushovski et al. 2023] fails for Prob-SPInv.
Example 5.11.Consider a Reset VASS V with variable  initialized to 0, initial state  0 , and additional state  1 .Assume a single transition from  0 to  1 incrementing  and two transitions from  1 to  1 .One transition from  1 to  1 decrements , whereas the other leaves  unchanged.In a Reset VASS, it is forbidden to decrement a zero-valued variable.Therefore, the set of reachable configurations in  1 is {0, 1} and hence finite.The reduction in [Hrushovski et al. 2023] constructs from V a nondeterministic polynomial program P with two variables  and .Similar to V, the program P has two states q0 and q1 , one transition from q0 to q1 and two transitions from q1 to itself.In contrast to V, the transitions in P model polynomial assignments for the variables  and .For more details on the reduction, we refer to [Hrushovski et al. 2023].Important are the reachable configurations of P depicted in the computation tree in Figure 4.For every reachable configuration (, ) ≠ (0, 0) we have  / ∈ {0, 1} Hence, all reachable configurations lie on finitely many lines.Replacing nondeterministic choice in the state q1 by uniform probabilistic choice and considering expected values breaks this central property of the reduction.The sequence of expected values for  and  can be obtained by averaging the variable values for every level in the computation tree in Figure 4 and is (1, 0), (4, 4), (48, 32), (4096, 6656), . . . .It can be calculated that the ratios of the (2 11 , 0) . . .
(2 14 , 2 14 ) . . .expected values after  ≥ 1 transitions are given by It is however worth noting how well-suited the Boundedness Problem for Reset VASS is for proving the undecidability of problems for unguarded programs.A Reset VASS is not powerful enough to determine if a variable is zero, yet the Boundedness Problem is still undecidable.The vast majority of other undecidable problems that may be used in a reduction are formulated in terms of counter-machines, Turing machines, or other automata that rely on explicitly determining if a given variable is zero, hindering a straightforward simulation as unguarded programs.Therefore, we conjecture that any attempt towards proving (un)computability of Prob-SPInv would require a new methodology, unrelated to [Hrushovski et al. 2023].We leave this task as an open challenge for future work.

Summary of Computability Results for Probabilistic Polynomial Loop Invariants
We finally conclude this section by summarizing our computability results on the strongest polynomial (moment) invariants of probabilistic loops.We overview our results in Table 2

RELATED WORK
We discuss our work in relation to the state-of-the-art in computing strongest (probabilistic) invariants and analyzing point-to-point reachability.
Strongest Invariants.Algebraic invariants were first considered for unguarded deterministic programs with affine updates [Karr 1976].Here, a basis for both the ideal of affine invariants and for the ideal of polynomial invariants is computable [Karr 1976;Kovács 2008].
For unguarded deterministic programs with polynomial updates, all invariants of bounded degree are computable [Müller-Olm and Seidl 2004a], while the more general task of computing a basis for the ideal of all polynomial invariants, that is solving our SPInv problem, was stated as an open problem.In Section 4 we proved that SPInv is at least as hard as Skolem and P2P.Strengthening these results by proving computability for SPInv would result in a major breakthrough in number theory, as this would imply the decidability of the Skolem problem.
For guarded deterministic programs, the strongest affine invariant is uncomputable, even for programs with only affine updates.This is a direct consequence of the fact that this model is sufficient to encode Turing machines and allows us to encode the Halting problem [Hopcroft and Ullman 1969].Nevertheless, there exists a multitude of incomplete methods capable of extracting useful invariants even for non-linear programs, for example, based on abstract domains [Kincaid et al. 2018], over-approximation in combination with recurrences [Farzan and Kincaid 2015;Kincaid et al. 2019] or using consequence finding in tractable logical theories of non-linear arithmetic [Kincaid et al. 2023].
For nondeterministic programs with affine updates, a basis for the invariant ideal is computable [Karr 1976].Furthermore, the set of invariants of bounded degree is computable for nondeterministic programs with polynomial updates, while bases for the ideal of all invariants are uncomputable [Hrushovski et al. 2023;Müller-Olm and Seidl 2004a].Additionally, even a single transition guarded by an equality or inequality predicate renders the problem uncomputable, already for affine updates [Müller-Olm and Seidl 2004b].
Point-To-Point Reachability.The Point-To-Point reachability problem formalized by our P2P problem appears in various areas dealing with discrete systems, such as dynamical systems, discrete mathematics, and program analysis.For linear dynamical systems, P2P is known as the Orbit problem [Chonev et al. 2013], with a significant amount of work on analyzing and proving decidability of P2P for linear systems [Baier et al. 2021;Chonev et al. 2013Chonev et al. , 2015;;Kannan and Lipton 1980].In contrast, for polynomial systems, the P2P problem remained open regarding decidability or computational lower bounds.Existing techniques in this respect resorted to approximate techniques [Dang and Testylier 2012;Dreossi et al. 2017].Contrarily to these works, in Section 3 we rigorously proved that P2P for polynomial systems is at least as hard as the Skolem problem.The P2P problem is essentially undecidable already for affine systems that additionally include nondeterministic choice [Finkel et al. 2013;Ko et al. 2018].
Probabilistic Invariants.Invariants for probabilistic loops can be defined in various incomparable ways, depending on the context and use case.Dijkstra's weakest-precondition calculus for classical programs was generalized to the weakest-preexpectation (wp) calculus in the seminal works [Kozen 1983[Kozen , 1985;;McIver and Morgan 2005].In the wp-calculus, the semantics of a loop can be described as the least fixed point of the characteristic function of the loop in the lattice of so-called expectations [Kaminski et al. 2019].Invariants are expectations that over-or under-approximate this fixed point and are called super-or sub-invariants, respectively.One line of research is to synthesize such invariants using templates and constraint-solving methods [Batz et al. 2023a[Batz et al. , 2021;;Gretz et al. 2013].A calculus, analogous to the wp-calculus, has been introduced for expected runtime analysis [Kaminski et al. 2018] and amortized expected runtime analysis [Batz et al. 2023b].The work of [Chatterjee et al. 2017] introduces the notion of stochastic invariants, that is, expressions that are violated with bounded probability.Other notions of probabilistic invariants involve martingale theory [Barthe et al. 2016] or utilize bounds on the expected value of program variable expressions [Chakarov and Sankaranarayanan 2014].The techniques presented in [Bartocci et al. 2019;Moosbrugger et al. 2022] compute closed forms for moments of program variables parameterized by the loop counter.
The different notions of probabilistic invariants, in general, do not form ideals or are relative to some other expression.Furthermore, the existing procedures to compute invariants are heuristics-driven and hence incomplete.Contrarily to these, our polynomial moment invariants presented in Section 5 form ideals and relate all variables.Moreover, our Algorithm 1 computes a basis for all moment invariants and is complete for the class of moment-computable polynomial loops.Going beyond such loops, we showed that Prob-SPInv is Skolem-hard and/or uncomputable (Theorem 5.10 and Theorem 5.8).

CONCLUSION
We prove that computing the strongest polynomial invariant for single-path loops with polynomial assignments (SPInv) is at least as hard as the Skolem problem, a famous problem whose decidability has been open for almost a century.As such, we provide the first non-trivial lower bound for computing the strongest polynomial invariant for deterministic polynomial loops, a quest introduced in [Müller-Olm and Seidl 2004b].As an intermediate result, we show that point-to-point reachability in deterministic polynomial loops (P2P), or equivalently in discrete-time polynomial dynamical systems, is Skolem-hard.Further, we devise a reduction from P2P to SPInv.We generalize the notion of invariant ideals from classical programs to the probabilistic setting, by introducing moment invariant ideals and addressing the Prob-SPInv problem.We show that the strongest polynomial moment invariant, and hence Prob-SPInv, is (i) computable for the class of moment-computable probabilistic loops, but becomes (ii) uncomputable for probabilistic loops with branching statements and (iii) Skolem-hard for polynomial probabilistic loops without branching statements.Going beyond Skolem-hardness of Prob-SPInv and SPInv are open challenges we aim to further study.
Definition 5.6 (Moment-Computable Polynomial Loops).A polynomial probabilistic loop L is momentcomputable if, for any monomial  in loop variables of L, we have that E[  ] exists and is computable as E[  ] =  (), where  () is an exponential polynomial in , describing sums of polynomials multiplied by exponential terms in .That is,  () =  =0   () •   where all   ∈ Q[] are polynomials and  ∈ Q.
If the PCP instance does have a solution (  ), 1 ≤  ≤ , then after exactly  =  + 2 transitions it holds that P(  =   ) ≥ 1   , as this is the probability of choosing the correct sequence uniformly at random.Because  is an indicator variable, E[  ] = P(  = 1) = P(  =   ) ≥ 1   > 0. Hence, E[  ] ≠ 0 after  transitions and E[] cannot be an element of I ≤ℓ for any order ℓ.

Fig. 4 .
Fig. 4. Computation tree of the program P from Example 5.11.

,
and hence the points {(E[  ], E[  ]) |  ∈ N} cannot be covered with finitely many lines.
2, a polynomial  (E[], E[]) in the expected values of the variables  and  is a polynomial moment invariant, if  (E[  ], E[  ]) = 0 for all number of transitions  ∈ N 0 .Note that, although E ≤ℓ is a finite set, the moment invariant ideal I ≤ℓ is, in general, an infinite set.Consider two asymmetric random walks   and   that both start at the origin.Both random walks increase or decrease with probability 1 /2, respectively.The random walk   either decreases by 2 or increases by 1, while   behaves conversely, which means   either decreases by 1 or increases by 2. Following is a probabilistic loop encoding this process together with the moment invariant ideal I ≤2 .The loop is given as program code.The intended meaning of the expression  1 [ ] 2 is that it evaluates to  1 with probability  and to  2 with probability 1− .
The proof is by reduction from Post's correspondence problem (PCP), which is undecidable[Post 1946].A PCP instance consists of a finite alphabet Σ and a finite set of tuples {(  ,   ) | 1 ≤  ≤  ,   ,   ∈ Σ * }.A solution is a sequence of indices (  ), 1 ≤  ≤  where   ∈ {1, . . .,  } and the concatenations of the substrings indexed by the sequence are identical, written in symbols as . .,   ] and Q[E[ 1 ], . .., E[  ]].Hence, the set { () |  ∈ } is a basis for I. Therefore, given a basis for I ≤1 , a basis for I is computable.□Theorem 5.10 shows that Prob-SPInv is at least as hard as the SPInv problem.Together with Theorem 3.3 and Theorem 4.2, we conclude the following chain of reductions: Skolem ≤ P2P ≤ SPInv ≤ Prob-SPInv On attempting to prove uncomputability of Prob-SPInv-A remaining open challenge.While Theorem 5.10 asserts that Prob-SPInv is Skolem-hard, it could be that Prob-SPInv is uncomputable.
reduces the Boundedness problem for Reset Vector Addition System with State (VASS) to the problem of finding the strongest polynomial invariant for nondeterministic polynomial programs.A Reset VASS is a nondeterministic program where any transition may increment, decrement, or reset a vector of unbounded, non-negative variables.Importantly, a transition can only be executed if no zero-valued variable is decremented.The Boundedness Problem for Reset VASS asks, given a Reset VASS and a specific program location, whether the set of reachable program configurations is finite.The Boundedness Problem for Reset VASS is undecidable[Dufourd to prove uncomputability of the strongest polynomial invariant for nondeterministic polynomial programs, an arbitrary Reset VASS V with  variables  1 , . ..,   is simulated by a nondeterministic polynomial program P with +1 variables  0 , . . ..Note that the programming model is purely nondeterministic, that is, without equality guards, since introducing guards would render the problem immediately undecidable[Müller-Olm