
Electronic Notes in Theoretical Computer Science

Developments in Computational Models

DCM 2006

Venice, Italy

16 July 2006

Guest Editors:

Jean-Pierre Jouannaud and Ian Mackie


Contents

Preface  v

Maribel Fernández (Invited Speaker)
Every computable function is linear (in a sense)  1

Michel Cosnard, Luigi Liquori and Raphael Chand
Virtual Organizations in Arigatoni: the formal model  5

Marco Carbone, Kohei Honda and Nobuko Yoshida
A Calculus of Global Interaction based on Session Types  27

Mircea-Dan Hernest
Light Dialectica Extraction from a Classical Fibonacci Proof  35

Jayshan Raghunandan and Alexander J. Summers
On the Computational Representation of Classical Logical Connectives  45

Germain Faure
Term collections in lambda and rho-calculi  57

Simon Gay, Rajagopal Nagarajan and Nikolaos Papanikolaou
Probabilistic Model-Checking of Quantum Protocols  63

Luca Fossati
Handshake Games  75

Nikolaos Siafakas
A fully labelled lambda calculus: Towards closed reduction in the Geometry of Interaction Machine  95

Bob Meyer
Better Bubbling  107

Preface

The Second International Workshop on Developments in Computational Models (DCM 2006) was held in Venice, Italy, on 16 July 2006, as a satellite event of ICALP 2006. This volume contains the papers presented at this workshop. The First International Workshop on Developments in Computational Models (DCM 2005) was held in Lisbon, Portugal, in July 2005, also as a satellite event of ICALP.

DCM focuses on abstract models of computation and their associated programming paradigms. Several new models of computation have emerged in the last few years, and many developments of traditional computational models have been proposed with the aim of taking into account the new demands of computer systems users and the new capabilities of computation engines. A new computational model, or a new feature in a traditional one, is usually reflected in a new family of programming languages and new paradigms of software development.

The aim of DCM was to bring together researchers who are currently developing new computational models or new features for traditional computational models, in order to foster their interaction, to provide a forum for presenting new ideas and work in progress, and to enable newcomers to learn about current activities in this area. Topics of interest for DCM include all abstract models of computation and their applications to the development of programming languages and systems, for instance:

• Functional calculi: lambda-calculus, rho-calculus, term and graph rewriting;

• Object calculi;

• Interaction-based systems: interaction nets, games;

• Concurrent models: process calculi, action graphs;

• Calculi expressing locality, mobility, and active data;

• Quantum computational models;

• Biological or chemical models of computation.

For DCM 2006, the Programme Committee selected 9 papers for inclusion in these proceedings, covering a wide range of the topics. In addition, the programme included an invited talk by Maribel Fernández.

The Programme Committee consisted of:

• Jos Baeten, Eindhoven University of Technology, The Netherlands

• Horatiu Cirstea, LORIA, France

• Mariangiola Dezani, University of Torino, Italy

• François Fages, INRIA, France

• Mario Florido, University of Porto, Portugal

• Simon Gay, University of Glasgow, UK

• Radha Jagadeesan, DePaul University, USA

• Jean-Pierre Jouannaud, École Polytechnique, France (Co-Chair)

• Ian Mackie, École Polytechnique and King's College London (Co-Chair)

• Herbert Wiklicky, Imperial College London, UK

We would like to thank all those who contributed to DCM 2006. We are grateful to the Programme Committee members for their careful and efficient work in reviewing and selecting the submitted papers.

Jean-Pierre Jouannaud and Ian Mackie

Paris, 20 June 2006


DCM 2006

Every computable function is linear (in a sense)

Maribel Fernández (1)

King's College London, Department of Computer Science, Strand, London, WC2R 2LS, U.K. Email: [email protected]

Computability theory has its roots in work done in the 1930s by Alonzo Church, Haskell Curry, Kurt Gödel, Jacques Herbrand, Stephen Kleene, and Alan Turing (among others).

Turing, Church and Kleene developed, more or less at the same time, three different models of computation which are now the standard 'paradigms' of sequential computation: Turing Machines, the λ-calculus, and recursive functions. We will focus on the last two.

Roughly speaking, the theory of recursive functions is based on the definition of functions by equations. Each function has a name, and is defined from a set of initial functions using composition, primitive recursion, and minimisation. By recursion here we mean explicit recursive calls, where a function f is defined by means of an equation f(t) = C[f(u)].

The λ-calculus is also a theory of functions, but in this case functions don't have names, and we can build recursion in an implicit way, using fixpoint operators.

Both the explicit and the implicit approaches to recursion yield Turing-complete models of computation.

Together with recursion, a key mechanism in the process of computation is the ability for functions to duplicate and to discard their arguments (i.e., management of resources: erase and copy). Let us now focus on this aspect of computation, which has attracted a great deal of attention in recent years.

We say that a function is linear if it uses its argument exactly once. We will give an alternative formulation of the theory of recursive functions, where each function is linear in this sense; we call this class of functions linear recursive functions.

To define linear recursive functions we start by specifying a set of linear initial functions (projections are not linear, but permutations are, so we will use natural numbers, permutations, and composition of linear functions), together with a linear primitive recursive scheme (i.e., primitive recursion where each function uses its arguments exactly once). We will show that we can express both the process of copying a number and the process of erasing a number as linear primitive recursive functions. Thus, any primitive recursive function can be defined as a linear primitive recursive function; indeed the two classes coincide. Linear primitive recursive functions are powerful: they offer an implicit approach to copying and erasing.

(1) This research was carried out in collaboration with Sandra Alves, Luis Damas, Mário Florido and Ian Mackie, as part of the project "Linearity: Programming Languages and Implementations", partially funded by a Treaty of Windsor Grant.

This paper is electronically published in Electronic Notes in Theoretical Computer Science
URL: www.elsevier.nl/locate/entcs

Then, to get a Turing-complete computation model, we add an operator of minimisation on linear functions. The class of functions that can be defined using linear primitive recursion and linear minimisation is called linear recursive. Using Kleene's normal form theorem (which says that any partial recursive function can be defined using primitive recursive functions and one minimisation operator), we obtain an encoding of partial recursive functions into linear recursive functions. In this sense, we can say that every computable function is linear.

Related Work: There are several formalisms based on the notion of linearity that limit the use of copy and erasing. This includes languages based on a version of the λ-calculus with a type system corresponding to intuitionistic linear logic [7]. One of the main features of the calculus (which can be seen as a minimal functional programming language) is that it provides explicit syntactical constructs for copying and erasing terms (corresponding to the exponentials in linear logic) [1].

From another perspective there have been a number of calculi, again many based on linear logic, for capturing specific complexity classes ([3,6,8,4,9,10,5]). One of the main examples is that of bounded linear logic [8], one of whose main aims is to find a calculus in between the linear λ-calculus and the one with the exponentials (specifically, the polynomial time computable functions).

In previous work [2] we showed that a simple extension of a typed, linear λ-calculus without the exponentials, i.e., a calculus that is syntactically linear, has an enormous computational power: exactly the same power as Gödel's System T. More precisely, we demonstrated that without minimisation, but with an iterator and higher-order constructs, any function definable in Gödel's System T is linear.

These previous results inspired our work on linear primitive recursion. This work is part of a research programme which aims at studying the notion of linearity in computation, and at analysing the computational power of linear functions.


References

[1] S. Abramsky. Computational Interpretations of Linear Logic. Theoretical Computer Science, 111:3-57, 1993.

[2] S. Alves, M. Fernández, M. Florido, and I. Mackie. The power of linear functions. In Proceedings of CSL 2006, Computer Science Logic, Lecture Notes in Computer Science. Springer-Verlag, 2006. To appear.

[3] A. Asperti. Light affine logic. In Proc. Logic in Computer Science (LICS'98). IEEE Computer Society, 1998.

[4] A. Asperti and L. Roversi. Intuitionistic light affine logic. ACM Transactions on Computational Logic, 2002.

[5] P. Baillot and V. Mogbil. Soft lambda-calculus: a language for polynomial time computation. In Proc. Foundations of Software Science and Computation Structures (FOSSACS'04), LNCS. Springer-Verlag, 2004.

[6] J.-Y. Girard. Light linear logic. Information and Computation, 1998.

[7] J.-Y. Girard. Linear Logic. Theoretical Computer Science, 50(1):1-102, 1987.

[8] J.-Y. Girard, A. Scedrov, and P. J. Scott. Bounded linear logic: A modular approach to polynomial time computability. Theoretical Computer Science, 97:1-66, 1992.

[9] Y. Lafont. Soft linear logic and polynomial time. Theoretical Computer Science, 2004.

[10] K. Terui. Affine lambda-calculus and polytime strong normalization. In Proc. Logic in Computer Science (LICS'01). IEEE Computer Society, 2001.


Virtual Organizations in Arigatoni

Michel Cosnard

INRIA and UNSA, France

Luigi Liquori

INRIA, France

Raphael Chand

INRIA, France

Abstract

Arigatoni is a lightweight communication model that deploys the Global Computing Paradigm over the Internet. Communications between the behavioural units of the model are performed by a simple Global Internet Protocol (GIP) on top of the TCP or UDP protocol. Basic Global Computer Units (GCU) can communicate by first registering to a brokering service and then by mutually asking for and offering services.

Colonies and Communities are the main entities in the model. A Colony is a simple virtual organization composed of exactly one leader and some set (possibly empty) of individuals. A Community is a raw set of colonies and global computers (think of it as a soup of colonies and global computers without a leader).

We present an operational semantics via a labelled transition system that describes the main operations necessary in the Arigatoni model to perform leader negotiation, joining/leaving a colony, linking two colonies and moving one GCU from one colony to another. Our formalization turns out to be adequate with respect to the algorithm performing peer logging/delogging and colony aggregation.

1 Introduction

Effective use of computational grids via P2P systems requires up-to-date information about widely-distributed resources. This is a challenging problem for very large distributed systems, particularly when taking into account the continuously changing state of resources. Discovering dynamic resources must be scalable in the number of resources and users and hence, as much as possible, fully decentralized. It should tolerate intermittent participation and dynamically changing status/availability.


Reciprocity and organization in colonies governed by a clear leader are the main achievements of the model. Global Computers belong to only one colony, and requests for resources located in the same or in another colony traverse a broker-to-broker negotiation whose security is guaranteed via PKI mechanisms.

The model is suitable for various global scenarios, from classical P2P applications, like file sharing or band sharing, to more sophisticated Grid applications, like remote and distributed big (and small) computations, up to possible, futuristic migrating computations, i.e. the transfer of a non-completed local run to another GCU, the latter scenario being useful in case of catastrophic events, like fire, terrorist attack, earthquake etc., in the vein of a Global Programming Language à la Obliq or Telescript.

The Arigatoni model is suitable to deploy, via the Internet, the Global Computing Communication Paradigm, i.e. computation via a seamless, geographically distributed, open-ended network of bounded resources by agents acting with partial knowledge and no central coordination. The model can be deployed first in an intranet and then from intranet to intranet by overlapping an Overlay Network on top of the actual network. An Overlay Network is an abstraction on top of a global network to yield another global network. Overlay examples are resource discovery services (notion of resource sharing in distributed networks), search engines (abstraction of information repository) or systems of trusted mobile agents (notion of autonomic, exploratory behaviour) [6].

The Arigatoni model provides the basic infrastructure necessary for a real deployment of the overlay network itself. Moreover, our work abstracts from the kind of resource the overlay network is playing with; pragmatically speaking, this work could be useful for Grid, for distributed file/band sharing, or for more evolved scenarios like mobile and distributed object-oriented computation.

The Units in the Arigatoni model are one protocol, the Global Internet Protocol (GIP), and three main units:

• A Global Computer Unit, GCU, i.e. the basic peer of the Global Computer paradigm; it is typically a small device, like a PDA, a laptop or a PC, connected to any IP network, regardless of the medium used, wired or wireless, etc.

• A Global Broker Unit, GBU, is the basic unit devoted to registering and unregistering GCUs, to receiving service queries from client GCUs, to contacting potential servant GCUs, to negotiating with the latter the given services, to trusting clients and servers, and to sending all the information necessary to allow the client GCU and the servant GCUs to communicate. Every GCU can register to only one GBU, so that every GBU controls a colony (denoted by COL) of collaborating Global Computers. Hence, intra-colony communication is initiated via only one GBU, while inter-colony communication is initiated through a chain of GBU-to-GBU message exchanges. In both cases, when a client GCU receives an acknowledgment for a requested service (with the related trust certificate) from the proper GBU, the client will enjoy the service directly from the servant GCU(s), i.e. without further mediation of the GBU itself.

• A Global Router Unit, GRU, is a simple basic unit that is devoted to sending and receiving packets of the Global Internet Protocol and to forwarding the payload to the units which are connected to this router. Every GCU and every GBU has one personal GRU, with which it communicates via a suitable API.

Figure 1. Some examples of colonies (inner braces mark subcolonies):

    {GBU}                                                     is a (small) colony
    {GBU1, GCU1 ... GCUm}                                     is a colony
    {GBU1, GCU1 ... GCUm, {GBU2, GCUm+1 ... GCUm+n}}          is a colony (it contains a subcolony)
    {GBU1, GCU1 ... GCUm, GBU2, GCUm+1 ... GCUm+n}            is not a colony (two GBUs)
    {GBU3, {GBU1, GCU1 ... GCUm}, {GBU2, GCUm+1 ... GCUm+n}}  is a colony (with two subcolonies)
    {{GBU1, GCU1 ... GCUm}, {GBU2, GCUm+1 ... GCUm+n}}        is not a colony (no leader in the top-level colony) but it is a community

Colonies and Individuals are the main entities in the model. A Colony is a simple virtual organization composed of exactly one leader and some set (possibly empty) of individuals. Individuals are Global Computers (think of them as amoebae) or (sub)colonies (think of them as protozoa). A formal definition of a colony is given using this simple BNF syntax:

    COL ::= {GBU} | COL ∪ {GCU} | COL ∪ {COL}

The two main characteristics of a colony are:

(i) a colony has exactly one leader GBU and at least one individual (the GBU itself);

(ii) a colony contains individuals (some GCU's, or other colonies).

Some examples of colonies are shown in Figure 1.

A Community (denoted by COM) is a raw set of colonies and global computers (think of it as a soup of colonies and GCUs without a leader). A formal definition of community is given using the BNF syntax:

    COM ::= ∅ | COM ∪ {GCU} | COM ∪ {COL}

A simple example of a community is shown in Figure 1. As one can see from the abstract syntax, a colony is a community but the reverse is not true.
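The two grammars can be checked mechanically. The Python recogniser below is an added example, not the paper's code or a part of Arigatoni: it implements COL and COM over nested frozensets and verifies the six verdicts of Figure 1. The naming convention (strings starting with "GBU" or "GCU"), the frozenset representation and the add_individual guard are assumptions of the example. Read literally, the grammar embeds a colony into a community as the member {COL}, so the recogniser answers False for is_community on a bare colony and True on the singleton containing it.

```python
"""Recogniser for the Arigatoni colony / community grammars (added example).

Representation, an assumption of this example and not the paper's: a GBU is a
string starting with "GBU", a GCU a string starting with "GCU", and a set of
individuals is a frozenset whose elements are such strings or nested frozensets
(subcolonies). frozenset is used so that colonies can themselves be set members.
"""


def is_gbu(x) -> bool:
    return isinstance(x, str) and x.startswith("GBU")


def is_gcu(x) -> bool:
    return isinstance(x, str) and x.startswith("GCU")


def is_colony(s) -> bool:
    """COL ::= {GBU} | COL ∪ {GCU} | COL ∪ {COL}

    Unfolding the grammar: a colony is a set with exactly one GBU at top level
    whose remaining elements are GCUs or colonies (each with its own leader).
    """
    if not isinstance(s, frozenset):
        return False
    if sum(1 for x in s if is_gbu(x)) != 1:
        return False  # no leader, or two leaders competing for one colony
    return all(is_gcu(x) or is_colony(x) for x in s if not is_gbu(x))


def is_community(s) -> bool:
    """COM ::= ∅ | COM ∪ {GCU} | COM ∪ {COL}

    Read literally, a community's members are GCUs or whole colonies; a bare
    GBU at top level makes the set neither a colony nor a community.
    """
    return isinstance(s, frozenset) and all(is_gcu(x) or is_colony(x) for x in s)


def add_individual(colony: frozenset, individual) -> frozenset:
    """Registration guard (assumed here): admit a GCU or colony only if the
    result is still a colony, i.e. the colony is not corrupted by the join.
    Refusing a second GBU at top level is the important case."""
    if not is_colony(colony):
        raise ValueError("not a colony")
    result = colony | {individual}
    if not is_colony(result):
        raise ValueError(f"refused: {individual!r} would corrupt the colony")
    return result


def admits(colony: frozenset, individual) -> bool:
    """Boolean form of the guard, convenient for checks."""
    try:
        add_individual(colony, individual)
        return True
    except ValueError:
        return False


# Constructed instances of the six examples of Figure 1, with m = 2 and n = 2.
COL_B = frozenset({"GBU1", "GCU1", "GCU2"})
SUB_2 = frozenset({"GBU2", "GCU3", "GCU4"})

FIGURE_1 = [
    # (individuals, expected is_colony, expected is_community)
    (frozenset({"GBU"}), True, False),                # {GBU} is a (small) colony
    (COL_B, True, False),                              # {GBU1, GCU1 ... GCUm}
    (COL_B | {SUB_2}, True, False),                    # contains a subcolony
    (COL_B | SUB_2, False, False),                     # two GBUs at top level
    (frozenset({"GBU3", COL_B, SUB_2}), True, False),  # two subcolonies
    (frozenset({COL_B, SUB_2}), False, True),          # no leader: a community
]


def check_figure_1() -> bool:
    """True iff the recogniser agrees with every verdict in Figure 1."""
    return all(is_colony(s) == c and is_community(s) == m for s, c, m in FIGURE_1)


if __name__ == "__main__":
    for s, c, m in FIGURE_1:
        print(f"colony={is_colony(s)!s:5} community={is_community(s)!s:5}  {set(s)}")
    assert check_figure_1()
```

The guard is the operational meaning of "the colony accepts the (un)registration only if the colony itself will not be corrupted": a broker should re-run the grammar check on the would-be colony before it answers SREG, rather than trusting the requester to be a GCU.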

Resource Discovery is one of the key issues in building overlay computer networks. Individuals (global computers) can register and unregister to a colony. The same holds true for the subcolonies that, in turn, can (un)register to another colony. The main difficulty in (un)registering is dealing with Administrative Domains; as well stated in the seminal Cardelli and Gordon paper on Mobile Ambients [3]:

"In the early days of the Internet one could rely on a flat name space given by IP addresses; knowing the IP address of a computer would very likely allow one to talk to that computer in some way. This is no longer the case: firewalls partition the Internet into administrative domains that are isolated from each other except for rigidly controlled pathways. System administrators enforce policies about what can move through firewalls and how [...]"

(Un)Registering Modalities. There are essentially two ways of registering to the GBU leader of a colony, the latter not being enforced by the Arigatoni model:

• registration of an individual (GCU or colony) to the GBU leader of a colony belonging to the same current administrative domain;

• registration via remote tunnelling of an individual (GCU or colony) to another GBU leader of a colony belonging to a different administrative domain. In this case, we say that the individual de facto works in local mode in the current administrative domain and in global mode in the other administrative domain. In addition to this remote registration, the same individual can still register to the GBU leader of the colony belonging to the administrative domain in which it resides. As such, in its local mode it belongs to the colony of the current administrative domain, and in its global mode (via remote tunnelling) it belongs to another colony in another administrative domain.

Conversely, an individual can unregister according to the following simple rules d'étiquette:

• unregistration is possible only when there are no pending services demanded from or requested by the leader GBU of the colony it belongs to: it must wait for an answer from the leader GBU, or for a direct connection from the GCU requesting the already offered service, or for a timeout. The colony accepts the unregistration only if the colony itself will not be corrupted;

• (as a corollary of the above) a GBU cannot unregister from its own colony (i.e. it cannot discharge itself). However, for fault tolerance purposes, a GBU can be faulty. In that case, the GCUs will unregister one after the other and the colony will "disappear";

• once a GCU (e.g. a laptop) has been disconnected from a colony belonging to any administrative domain, it can migrate to another colony belonging to any other administrative domain.

Figure 2. ArigatoNet (diagram not reproduced): GCU/GRU and GBU/GRU pairs on several networks, connected through IP routers across the Internet.
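The etiquette above, together with the premises of the JoinGCU rule given in Section 3 (discover, samedom, gmode, accept, regmode), can be encoded as guarded transitions on a community. The following Python model is an added example, not the paper's formalisation or implementation; the Gcu/Colony/Community classes, the pending-request set, the per-GCU timeout, the leader's deny list and the constructed scenario are its own assumptions.

```python
"""Arigatoni (un)registration etiquette as guarded transitions (added example).

Assumptions of this example, not the paper's: the data model below, a set of
pending request ids per GCU with one timeout, and a deny list standing in for
the broker's PKI-based admission policy. The guards follow the text: JoinGCU
fires only when a GCU in global mode, not yet registered, discovers a live
leader in its own administrative domain that accepts it; a GCU leaves only
with no pending services or after its timeout; the leader never discharges
itself; the members of a faulty leader leave one by one until the colony
disappears.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Gcu:
    name: str
    domain: str                 # administrative domain the device resides in
    gmode: bool = True          # global mode opened by the local shell ("login")
    regmode: bool = False       # true once a GBU accepted the registration
    pending: Set[str] = field(default_factory=set)  # ids of unanswered service requests
    timeout_at: float = float("inf")                # deadline after which they lapse


@dataclass
class Colony:
    leader: str                 # the GBU; exactly one per colony
    domain: str
    members: Dict[str, Gcu] = field(default_factory=dict)
    faulty: bool = False        # a faulty leader answers nobody
    deny: Set[str] = field(default_factory=set)     # names the leader's policy rejects

    def accept(self, gcu: Gcu) -> bool:
        """accept(GBU, GCU): the broker's admission policy (PKI checks abstracted away)."""
        return not self.faulty and gcu.name not in self.deny


@dataclass
class Community:
    colonies: Dict[str, Colony] = field(default_factory=dict)  # leader name -> colony
    loose: Dict[str, Gcu] = field(default_factory=dict)        # GCUs not in any colony

    def discover(self, gcu: Gcu) -> Optional[Colony]:
        """discover(GCU) = GBU: a live leader in the GCU's own administrative domain."""
        for col in self.colonies.values():
            if col.domain == gcu.domain and not col.faulty:
                return col
        return None

    def join_gcu(self, name: str) -> bool:
        """(JoinGCU): {{GBU, ...}, GCU} -> {{GBU, GCU, ...}} iff every premise holds."""
        gcu = self.loose.get(name)
        if gcu is None or gcu.regmode:
            return False                        # regmode(GCU) must be false
        col = self.discover(gcu)
        if col is None:
            return False                        # discover(GCU) found no leader
        samedom = col.domain == gcu.domain
        if not (samedom and gcu.gmode and col.accept(gcu)):
            return False
        col.members[name] = self.loose.pop(name)
        gcu.regmode = True
        return True

    def unregister(self, leader: str, name: str, now: float) -> bool:
        """Leave a colony under the rules d'étiquette: the leader cannot discharge
        itself, and a GCU must have no pending services (or its timeout expired)."""
        if name == leader:
            return False
        col = self.colonies.get(leader)
        gcu = col.members.get(name) if col else None
        if gcu is None:
            return False
        if gcu.pending and now < gcu.timeout_at:
            return False                        # still waiting for an answer or a peer
        gcu.pending.clear()
        gcu.regmode = False
        self.loose[name] = col.members.pop(name)
        if col.faulty and not col.members:
            del self.colonies[leader]           # last GCU gone: the colony "disappears"
        return True


def scenario() -> Dict[str, bool]:
    """Constructed run: one colony, two GCUs, a pending request, then a faulty leader."""
    comm = Community()
    comm.colonies["GBU1"] = Colony("GBU1", "lab.example")
    comm.loose["GCU1"] = Gcu("GCU1", "lab.example")
    comm.loose["GCU2"] = Gcu("GCU2", "home.example")  # no leader in its domain
    out = {}
    out["join_same_domain"] = comm.join_gcu("GCU1")
    out["join_other_domain"] = comm.join_gcu("GCU2")
    out["join_twice"] = comm.join_gcu("GCU1")
    gcu1 = comm.colonies["GBU1"].members["GCU1"]
    gcu1.pending.add("req-1")
    gcu1.timeout_at = 10.0
    out["leave_with_pending"] = comm.unregister("GBU1", "GCU1", now=5.0)
    out["leave_after_timeout"] = comm.unregister("GBU1", "GCU1", now=10.0)
    out["gbu_self_discharge"] = comm.unregister("GBU1", "GBU1", now=10.0)
    comm.join_gcu("GCU1")                         # migrate back in, then the leader fails
    comm.colonies["GBU1"].faulty = True
    out["leave_faulty"] = comm.unregister("GBU1", "GCU1", now=20.0)
    out["colony_gone"] = "GBU1" not in comm.colonies
    return out


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:20} {ok}")
```

Registration by remote tunnelling into another administrative domain is not modelled: in this encoding discover only returns a leader of the GCU's own domain, which is exactly the samedom premise of JoinGCU.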

Summarizing, the original contributions of the paper are:

• a formalization of the Registration and of the Resource Discovery Mechanism in the Arigatoni model in terms of a labelled transition system;

• a complete domain independence of the model w.r.t. other models in the literature; in other words, Arigatoni completely abstracts from its use, i.e. Grid, file/band sharing, web services, etc.;

• some simulation results of intermittent participation for a given network topology.

2 Units in a Nutshell

A complete description of all the functional units of the Arigatoni model isgiven in [1, 2]; this section is an overview.


2.1 Global Computer Unit

In the Arigatoni model, a Global Computer Unit (GCU) is a cheap computing device. The computer should be able to work in Standalone Local Mode for all the tasks that it can do locally, or in Global Mode, by first registering itself in the Arigatoni architecture and then by making a global request to the Overlay Network induced by the architecture (which we call ArigatoNet). Figure 2 shows the Arigatoni model. The GCU must be able to perform the following tasks:

• Discover, upon the physical arrival of the GCU in a new colony, the address of a GBU, representing the leader of the colony;

• Register/Unregister on the GBU which manages the colony;

• Request some services from its GBU, and respond to some requests from the GBU;

• Upon reception from a GBU of a positive response to a request, be able to connect directly with the servant GCU(s) in a P2P fashion, and offer/receive the service.

2.2 Global Broker Unit

The Global Broker Unit (GBU) performs the following tasks:

• Discover the address of another super GBU, representing the superleader of the supercolony in which the GBU's colony is embedded. We assume that every GBU comes with its proper PKI certificate;

• Register/Unregister its own colony to the leader GBU which manages the supercolony;

• Register/Unregister client and servant GCUs in its local base of Global Computers. By definition every GCU can register to at most one GBU;

• Acknowledge the request of service of the client GCU;

• Discover the resource(s) that satisfy the GCU's request in its local base (local colony) of GCUs;

• Delegate the request to another GBU governing another colony;

• Perform a combination of the above two actions;

• Deal with all PKI intra- and inter-colony policies;

• Notify the client GCU, or a delegating GBU, of the servant GCUs that have accepted to serve its request, or notify a failure of the request.

Every GCU in the colony sends its requests to the GBU which is the leader of the colony. There are different scenarios concerning the demanded resource for service discovery, namely:

(i) The broker finds all the resource(s) needed to satisfy the requested services of the GCU client locally in the intranet. Then it will send all the information necessary to make the GCU client able to communicate with the GCU servants. This notification will be encoded using the GIP protocol. Then, the GCU client will directly talk with the GCU servant(s), and the latter will manage the request, as in classical P2P systems;

(ii) The broker did not find all the resource(s) in its local intranet. In this case it will forward and delegate the request to another broker. For that purpose, it must first register the whole colony to another supercolony;

(iii) A combination of steps (i) and (ii) could be envisaged, depending on the capability of the GBU to combine resources that it manages with resources that come from a delegate GBU;

(iv) After a fixed timeout period, or when all delegate GBUs have failed to satisfy the delegated request, the broker will notify the GCU client of the refusal of service.
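The four scenarios above, as an added example rather than the paper's code: a Python broker that looks up its local base, delegates the uncovered part of a request to its super-GBU, combines both answers, and gives up with NOTIME on a timeout or with REJ when no delegate remains. The broker tree (delegation goes to the super-GBU only), the tag-based resources, the greedy SelectPeers and the logical clock are assumptions of the example; DONE and NOTIME are the status names of the pseudocode in Figures 3 and 4, and REJ is reused here for the refusal of service.

```python
"""Broker-side service discovery of an Arigatoni GBU (added example).

Assumptions of this example, not the paper's: brokers form a tree in which a
GBU delegates only to the super-GBU of the supercolony it registered with; a
resource is a string tag; the local base maps a peer name to the tags it
offers; the timeout is a deadline on a logical clock that advances by a hop
cost for each delegation. Outcomes follow scenarios (i)-(iv): DONE with a
peer assignment, NOTIME on timeout, REJ when no delegate can satisfy the rest.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

Assignment = Dict[str, FrozenSet[str]]   # servant name -> tags it will provide


@dataclass
class Broker:
    name: str
    local_base: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    parent: Optional["Broker"] = None    # super-GBU, set once the colony registered upward
    hop_cost: float = 1.0                # logical time spent per GBU-to-GBU delegation

    def select_peers(self, wanted: FrozenSet[str]) -> Assignment:
        """Greedy local lookup: each servant gets the still-missing tags it offers."""
        chosen: Assignment = {}
        missing = set(wanted)
        for peer, offers in sorted(self.local_base.items()):
            hit = offers & missing
            if hit:
                chosen[peer] = frozenset(hit)
                missing -= hit
            if not missing:
                break
        return chosen

    def resolve(self, wanted: FrozenSet[str], now: float, deadline: float) -> Tuple[str, Assignment]:
        if now >= deadline:
            return "NOTIME", {}                          # (iv) fixed timeout elapsed
        local = self.select_peers(wanted)
        covered = frozenset().union(*local.values())
        missing = wanted - covered
        if not missing:
            return "DONE", local                         # (i) everything found in the intranet
        if self.parent is None:
            return "REJ", {}                             # (iv) nobody left to delegate to
        status, remote = self.parent.resolve(missing, now + self.hop_cost, deadline)  # (ii)
        if status != "DONE":
            return status, {}
        return "DONE", {**local, **remote}              # (iii) combine local and delegated servants


def build_arigatonet() -> Broker:
    """Constructed two-level ArigatoNet: GBU1's colony is registered under GBU0."""
    gbu0 = Broker("GBU0", {"GCU-a": frozenset({"cpu"}), "GCU-b": frozenset({"printer"})})
    gbu1 = Broker("GBU1", {"GCU-1": frozenset({"disk"}), "GCU-2": frozenset({"cpu", "disk"})},
                  parent=gbu0)
    return gbu1


def scenarios() -> Dict[str, Tuple[str, Assignment]]:
    """One request per scenario, all issued to the leaf broker GBU1."""
    gbu1 = build_arigatonet()
    return {
        "local": gbu1.resolve(frozenset({"disk"}), now=0.0, deadline=5.0),
        "combined": gbu1.resolve(frozenset({"disk", "printer"}), now=0.0, deadline=5.0),
        "refused": gbu1.resolve(frozenset({"gpu"}), now=0.0, deadline=5.0),
        "timeout": gbu1.resolve(frozenset({"printer"}), now=0.0, deadline=1.0),
    }


if __name__ == "__main__":
    for label, (status, peers) in scenarios().items():
        print(f"{label:9} {status:7} {dict(peers)}")
```

The deadline is threaded through the delegation chain so that a slow super-GBU cannot keep a client waiting past the broker's own timeout; a real GBU would also drop a late SRESP whose Id has already been answered with NOTIME, as the spooling loop of Figure 4 does.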

2.3 Global Router Unit

The last unit in the Arigatoni model is the Global Router Unit (GRU). The GRU implements all the low-level network routines, those which really have access to the IP network. It is the only unit which effectively runs the GIP protocol. The GRU can be implemented as a small daemon which runs on the same device as a GCU or a GBU, or as a shared library dynamically linked with a GCU or a GBU. The GRU is devoted to the following tasks:

• Upon the initial startup of a GCU, it helps to register the unit to a GBU;

• It checks the well-formedness of GIP packets and forwards them across the ArigatoNet toward their destinations. GIP packets encode the requests of a GCU or a GBU in the Arigatoni network;

• Upon the initial startup of a GBU, it helps the unit to contact the other GBUs that it knows or discovers.

2.4 Unit Semantics

The formal semantics of the three units was first presented in [2]: Figures 3 and 4 show the pseudocode embedded inside a GCU and a GBU. We write in blue the code not essential to the semantics of peer discovery and the virtual (un)growth of colonies, and we highlight in red the code which is essential.

3 Formal Semantics of the Virtual Organization

The notation {...} does not delimit an administrative domain (unlike Cardelli-Gordon ambients). We assume that every individual comes with its own IP address.

Let {GBU, ...} denote a colony with its leader, e.g.

    {GBU, COL1, COL2, GCU1, GCU2, ...}

denotes a colony with two subcolonies and two GCUs highlighted. A colony is virtually addressed by the IP of its GBU leader.

    in parallel
      while true do                                   // Registration loop
        GBU = Discover(MyCard)
        case (GlobalMode, RegMode) is
          (true, false):  ServiceReg(MyCard, GBU, LOGIN)
          (false, true):  ServiceReg(MyCard, GBU, LOGOUT)
          otherwise:      // Do nothing
        endcase
      endwhile
    with
      while true do                                   // Shell loop
        Data = ListenLocal()
        Response = LocalServe(Data)
        case (Response, GlobalMode, RegMode) is
          (login, _, _):                              // Open global mode
            GlobalMode = true
          (logout, _, _):                             // Close global mode
            GlobalMode = false
          (fail, true, true):                         // Ask the GBU
            MetaData = PackScenario(Data)
            ServiceRequest(MyCard, GBU, MetaData)
          otherwise: LocalReply(Response)
        endcase
      endwhile
    with
      while RegMode do                                // Global GBU listening
        MetaData = ListenGBU()
        case MetaData.CMD.SERVICE is
          SREG:                                       // GBU responds if it accepts my registration
            if CanJoin(MetaData)  then RegMode = true  endif
            if CanLeave(MetaData) then RegMode = false endif
          SREQ:                                       // GBU is asking for some resources
            if CanHelp(MetaData)
            then ServiceResponse(MyCard, GBU, ACC)
            else ServiceResponse(MyCard, GBU, REJ)
            endif
          SRESP:                                      // GBU responds if it found some resources
            if CanServe(MetaData)
            then Peers = GetPeers(MetaData)
                 Response = GlobalServe(MyCard, Peers, MetaData)
                 ServiceResponse(MyCard, GBU, DONE)
                 LocalReply(Response)
            else LocalReply(fail)
            endif
        endcase
      endwhile
    with
      while RegMode do                                // Global GCU listening
        MetaData = ListenGCU()
        if Verify(MetaData)
        then Data = UnPackScenario(MetaData)
             Response = LocalServe(Data)
             if Response == fail
             then ServiceResponse(MyCard, GBU, ERR)
             else ServiceResponse(MyCard, GBU, DONE)
                  SendResult(MyCard, GCU, Response)
             endif
        else ServiceResponse(MyCard, GBU, SPOOF)      // Peer request failed verification
        endif
      endwhile
    end in parallel

Figure 3. GCU pseudocode

In general a community is simply denoted by {...}, e.g.

    {COL1, COL2, GCU1, GCU2}

denotes a community with two subcolonies and two GCUs. We present an operational semantics via a reduction relation → between communities, that describes the main operations necessary in the Arigatoni model to perform leader discovery and colony service registration, namely joining/leaving a colony, linking two colonies and moving one GCU from one colony to another.

As usual in process algebras, the reduction is quotiented by a set-theoretical equivalence between communities. The reduction rules are listed below with a concise explanation.


    in parallel
      while true do                                   // Registration loop
        GBU = Discover(MyCard)
        case (GlobalMode, RegMode) is
          (true, false):  ServiceReg(MyCard, GBU, LOGIN)
          (false, true):  ServiceReg(MyCard, GBU, LOGOUT)
          otherwise:      // Do nothing
        endcase
      endwhile
    with
      while true do                                   // Shell loop
        Data = ListenLocal()
        Response = LocalServe(Data)
        case (Response, GlobalMode, RegMode) is
          (login, _, _):                              // Open global mode
            GlobalMode = true
          (logout, _, _):                             // Close global mode
            GlobalMode = false
          (fail, true, true):                         // The GBU asks on its own behalf
            MetaData = PackScenario(Data)
            ServiceRequest(MyCard, MyCard, MetaData)
          otherwise: LocalReply(Response)
        endcase
      endwhile
    with
      while true do                                   // Intra-colony listening
        MetaData = ListenPeer()
        PushHistory(MetaData)
        case MetaData.CMD.SERVICE is
          SREG:                                       // A Peer is asking for (un)registration
            Update(Colony, MetaData)
          SREQ:                                       // A Peer is asking for some request
            SubColony = SelectPeers(Colony, MetaData)
            if SubColony == {}                        // Broadcast inter
            then ServiceRequest(MyCard, GBU, MetaData)
            endif
            foreach Peer in SubColony do              // Broadcast intra
              ServiceRequest(MyCard, Peer, MetaData)
            endforeach
          SRESP:                                      // A GCU responds to a request
            Sort&PushPeers4Id(MetaData)
        endcase
      endwhile
    with
      while true do                                   // Spooling Peers4Id
        foreach (Id, Peers) in Peers4Id do
          if Timeout(Id)
          then ServiceResponse(MyCard, {}, NOTIME)
          else if Satisfy(Peers, History(Id))
               then ServiceResponse(MyCard, GetBestPeers4Id(Id), DONE)
               endif
          endif
          PopPeers4Id(Id)
        endforeach
      endwhile
    with
      while RegMode do                                // Inter-colony listening
        MetaData = ListenGBU()
        PushHistory(MetaData)
        case MetaData.OPE is
          SREG:                                       // Registration inter GBU
            ... as for SREG intra-colony
          SREQ:
            ... as for SREQ intra-colony
          SRESP:                                      // A leader GBU responds to a request
            Sort&PushPeers4Id(MetaData)
        endcase
      endwhile
    end in parallel

Figure 4. GBU pseudocode

(i) A GCU joins a Colony in the same Administrative Domain

$$
\frac{\begin{array}{lll}
discover(GCU) = GBU & samedom(GBU, GCU) = true & gmode(GCU) = true \\
& accept(GBU, GCU) = true & regmode(GCU) = false
\end{array}}{\{\{GBU, \ldots\}, GCU\} \;\to\; \{\{GBU, GCU, \ldots\}\}}\ \textrm{(JoinGCU)}
$$

• discover(GCU) = GBU: the global computer discovers the leader GBU unit, upon physical/logical insertion of the GCU in the ArigatoNet network;

• samedom(GBU, GCU) = true: both the broker and the global computer reside in the same administrative domain;

• accept(GBU, GCU) = true: the broker accepts the global computer in its colony;

• gmode(GCU) = true & regmode(GCU) = false: the global computer is in global mode but not yet registered. The side effect of this rule is to set the registration mode to true.


(ii) A GCU leaves a Colony in the same Administrative Domain

$$
\frac{\begin{array}{lll}
pendingip(GCU) = false & samedom(GBU, GCU) = true & gmode(GCU) = false \\
& accept(GBU, GCU) = false & regmode(GCU) = true
\end{array}}{\{\{GBU, GCU, \ldots\}\} \;\to\; \{\{GBU, \ldots\}, GCU\}}\ \textrm{(LeaveGCU)}
$$

• pendingip(GCU) = false: the global computer has no pending service to give to its leader;

• samedom(GBU, GCU) = true: both the broker and the global computer reside in the same administrative domain;

• accept(GBU, GCU) = false: the broker agrees to log the global computer out of its colony;

• gmode(GCU) = false & regmode(GCU) = true: the global computer is in local mode but still registered. The side effect of this rule is to set its registration mode to false.

(iii) A SubColony joins a Colony in the same Administrative Domain

$$
\frac{\begin{array}{lll}
discover(GBU_2) = GBU_1 & samedom(GBU_1, GBU_2) = true & gmode(GBU_2) = true \\
& accept(GBU_1, GBU_2) = true & regmode(GBU_2) = false
\end{array}}{\{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\} \;\to\; \{\{GBU_1, \{GBU_2, \ldots\}, \ldots\}\}}\ \textrm{(JoinCol)}
$$

• discover(GBU2) = GBU1: the broker GBU2 discovers the broker GBU1, upon physical/logical insertion in the ArigatoNet network;

• samedom(GBU1, GBU2) = true: both reside in the same administrative domain;

• accept(GBU1, GBU2) = true: the broker GBU1 accepts the subcolony in its colony;

• gmode(GBU2) = true & regmode(GBU2) = false: the broker GBU2 is in global mode but not yet registered. The side effect of this rule is to set its registration mode to true.

(iv) A SubColony leaves a Colony in the same Administrative Domain

$$
\frac{\begin{array}{lll}
pendingip(GBU_2) = false & samedom(GBU_1, GBU_2) = true & gmode(GBU_2) = false \\
& accept(GBU_1, GBU_2) = false & regmode(GBU_2) = true
\end{array}}{\{\{GBU_1, \{GBU_2, \ldots\}, \ldots\}\} \;\to\; \{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}}\ \textrm{(LeaveCol)}
$$

• pendingip(GBU2) = false: the broker GBU2 has no pending service to give to its leader GBU1;

• samedom(GBU1, GBU2) = true: both reside in the same administrative domain;

• accept(GBU1, GBU2) = false: the broker GBU1 does not accept the subcolony in its colony any longer;

• gmode(GBU2) = false & regmode(GBU2) = true: the broker is in local mode but still registered. The side effect of this rule is to set its registration mode to false.

(v) Linking two Colonies in different Administrative Domains

$$
\frac{\begin{array}{lll}
newgbu(GBU_1, GBU_2) = GBU_3 & gmode(GBU_1) = true & regmode(GBU_1) = false \\
samedom(GBU_1, GBU_2) = false & gmode(GBU_2) = true & regmode(GBU_2) = false \\
agree(GBU_1, GBU_2) = true & &
\end{array}}{\{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\} \;\to\; \{\{GBU_3, \{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}\}}\ \textrm{(LinkCol)}
$$

• newgbu(GBU1, GBU2) = GBU3: a new broker is created on behalf of GBU1 and GBU2;

• samedom(GBU1, GBU2) = false: the two brokers reside in different administrative domains;

• agree(GBU1, GBU2) = true: an agreement between the two brokers is signed;

• gmode(GBU1) = true & gmode(GBU2) = true & regmode(GBU1) = false & regmode(GBU2) = false: the brokers are in global mode but not yet registered. The side effect of this rule is to set the registration mode of both brokers to true.

(vi) Unlinking two Colonies in different Administrative Domains

$$
\frac{\begin{array}{lll}
pendingip(GBU_1) = false & pendingip(GBU_2) = false & pendingip(GBU_3) = false \\
newgbu(GBU_1, GBU_2) = GBU_3 & gmode(GBU_1) = false & regmode(GBU_1) = true \\
samedom(GBU_1, GBU_2) = false & gmode(GBU_2) = false & regmode(GBU_2) = true \\
agree(GBU_1, GBU_2) = false & &
\end{array}}{\{\{GBU_3, \{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}\} \;\to\; \{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}}\ \textrm{(UnLinkCol)}
$$

• newgbu(GBU1, GBU2) = GBU3: GBU3 is the broker that was created on behalf of GBU1 and GBU2 by (LinkCol); it disappears when this rule fires;

• samedom(GBU1, GBU2) = false: the two brokers reside in different administrative domains;

• agree(GBU1, GBU2) = false: the agreement between the two brokers is withdrawn;

• pendingip(GBU1) = false & pendingip(GBU2) = false & pendingip(GBU3) = false: the brokers GBU1, GBU2 and GBU3 have no pending service;

• gmode(GBU1) = false & gmode(GBU2) = false & regmode(GBU1) = true & regmode(GBU2) = true: the brokers are in local mode but still registered. The side effect of this rule is to set their registration mode to false.

(vii) Contextual Rules and Congruence

As usual in process algebras, we add the following congruence rules for set union and set minus, and Morris-style equivalence rules, where COM denotes communities, COL denotes colonies and = denotes set-theoretical equality. All symbols can be indexed.

$$\frac{COM_1 \to COM_2}{COM_1 \cup COM_3 \;\to\; COM_2 \cup COM_3}\ \textrm{(CommCup)}$$

$$\frac{COM_1 = COM_3 \cup COM_4 \qquad COM_3 \cap COM_4 = \emptyset \qquad COM_1 \to COM_2}{COM_3 \;\to\; COM_2 \setminus COM_4}\ \textrm{(CommMinus)}$$

$$\frac{COM_1 = COM_3 \qquad COM_3 \to COM_4 \qquad COM_4 = COM_2}{COM_1 \;\to\; COM_2}\ \textrm{(MorrisEq)}$$

Rule (CommCup) is the usual contextual closure of the reduction rules, while rule (CommMinus) states that a reduction can drop from its right-hand side some individuals that are not essential to the firing of the reduction itself. As usual, let $\to^*$ be the reflexive and transitive closure of $\to$.

4 Join/Leave a Colony in a Different Administrative Domain

The acute reader has observed that the above labeled transition system forbids an individual to join/leave another colony whose leader resides in a different Administrative Domain. This is sound in order to guarantee the integrity and the security of the virtual organization induced by the Arigatoni model: no rule lets a unit register with a broker outside its own domain, so a colony is never populated by units that its administrator does not control. Safely crossing administrative domains is an important security problem that the model must take into account. However, the situation where one individual does not receive enough help from the local colony or, worse, where it is even rejected as an individual, could be very common. In this case, it is highly desirable that the model permits a mechanism to cross the boundaries of the administrative domain in order to make a service request to another colony which resides in another administrative domain. This can be done in two ways:

(i) the individual resident in an administrative domain IP1 knows some "friends" inhabiting the colony resident in another administrative domain IP2 (think of the individual as a laptop connected to a hot spot in an airport, and of the "friend" as the desktop in its own office). Then, via an explicit ssh login, the laptop can log into the desktop and send a global request to the "mother colony". As such, the laptop works in local mode while the desktop works in global mode. The final result will be sent, via ssh tunneling, to the laptop. Note that the colony only ever sees the desktop, a registered member of its own domain; the desktop's owner therefore answers for whatever it relays on the laptop's behalf.

This mechanism of tunneling is well known in the common practice of nomadic behaviors and it does not require any ad hoc rewriting rules in the Arigatoni virtual organization, since the connection between the individual and its friend is done explicitly and privately;

(ii) the individual resident in an administrative domain IP1 knows no inhabitant of the colony resident in another administrative domain IP2, but it knows the IP address of the leader of the colony. If the leader agrees, it can arrange an ssh tunnel by creating from scratch a virtual clone of the remote individual and by registering it in the colony on behalf of the leader of the colony. As in the previous case, the laptop can log into the clone and send a global request to the "mother colony". As such, the laptop works in local mode while the clone works in global mode. The final result will be sent, via ssh tunneling, to the laptop.

This mechanism is well known in the common practice of nomadic behaviors and is reminiscent of Virtual Private Network technology (VPN) [7]. To implement this VPN-like behavior, we must add four ad hoc rewriting rules to the labeled transition system, shown in Figure 5. For obvious lack of space those rules are not commented on, but left as an easy exercise to the interested reader.

5 Firing Free Riders

Again, the acute reader has observed that the original labeled transition system allows free riders to become members of a colony.

"In economics and political science, free riders are actors who consume more than their fair share of a resource, or shoulder less than a fair share of the costs of its production. The free rider problem is the question of how to prevent free riding from taking place, or at least limit its negative effects. Because the notion of 'fairness' is a subject of controversy, free riding is usually only considered to be an economic 'problem' when it leads to the non-production or under-production of a public good, and thus to Pareto inefficiency, or when it leads to the excessive use of a common property resource." [From Wikipedia]

The selfish nodes in P2P networks, called free riders, which only utilize other peers' resources without providing any contribution in return, have greatly jeopardized the fairness attribute of P2P networks. Figure 6 presents the two rules that take into account the ratio between the number of services offered and the number of services demanded by an individual. If the leader of a colony finds that an individual's ratio of fairness is too small (≤ ε for a given threshold ε), it can arbitrarily decide to fire that individual without notice. In those rules the function pendingip also checks that the individual has no pending


$$
\frac{\begin{array}{lll}
discover(GCU_1) = GBU & agree(GBU, GCU_1) = true & gmode(GCU_1) = true \\
samedom(GBU, GCU_1) = false & newgcu(GBU, GCU_1) = GCU_2 & regmode(GCU_1) = true \\
samedom(GBU, GCU_2) = true & accept(GBU, GCU_2) = true & gmode(GCU_2) = false \\
& & regmode(GCU_2) = false
\end{array}}{\{\{GBU, \ldots\}, GCU_1\} \;\to\; \{\{GBU, GCU_2, \ldots\}, GCU_1\}}\ \textrm{(JoinTunnelGCU)}
$$

$$
\frac{\begin{array}{lll}
agree(GBU, GCU_1) = false & pendingip(GCU_2) = false & gmode(GCU_1, GCU_2) = false \\
samedom(GBU, GCU_1) = false & newgcu(GBU, GCU_1) = GCU_2 & regmode(GCU_1) = false \\
samedom(GBU, GCU_2) = true & accept(GBU, GCU_2) = false & regmode(GCU_2) = true
\end{array}}{\{\{GBU, GCU_2, \ldots\}, GCU_1\} \;\to\; \{\{GBU, \ldots\}, GCU_1\}}\ \textrm{(LeaveTunnelGCU)}
$$

$$
\frac{\begin{array}{lll}
discover(GBU_2) = GBU_1 & agree(GBU_1, GBU_2) = true & gmode(GBU_3) = true \\
samedom(GBU_1, GBU_2) = false & newgbu(GBU_1, GBU_2) = GBU_3 & regmode(GBU_3) = true \\
samedom(GBU_1, GBU_3) = true & accept(GBU_1, GBU_3) = true & gmode(GBU_2) = false \\
& & regmode(GBU_2) = false
\end{array}}{\{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\} \;\to\; \{\{GBU_1, \{GBU_3\}, \ldots\}, \{GBU_2, \ldots\}\}}\ \textrm{(JoinTunnelCol)}
$$

$$
\frac{\begin{array}{lll}
agree(GBU_1, GBU_2) = false & pendingip(GBU_3) = false & gmode(GBU_2, GBU_3) = false \\
samedom(GBU_1, GBU_2) = false & newgbu(GBU_1, GBU_2) = GBU_3 & regmode(GBU_2) = true \\
samedom(GBU_1, GBU_3) = true & accept(GBU_1, GBU_3) = false & regmode(GBU_3) = false
\end{array}}{\{\{GBU_1, \{GBU_3\}, \ldots\}, \{GBU_2, \ldots\}\} \;\to\; \{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}}\ \textrm{(LeaveTunnelCol)}
$$

Figure 5. Extra Reduction Rules for Service Request via Tunnelling à la VPN

services to offer, or that the timeout of some promised services has expired; the latter case means that the free rider promised some services but finally did not provide any service at all (it is not trustworthy). The function notifiring sends a message to the free rider, notifying it that it was definitively fired from the colony.


$$
\frac{\begin{array}{lll}
pendingip(GCU) = false & gmode(GCU) = true & fairness(GBU, GCU) \le \varepsilon \\
samedom(GBU, GCU) = true & regmode(GCU) = true & notifiring(GBU, GCU)
\end{array}}{\{\{GBU, GCU, \ldots\}\} \;\to\; \{\{GBU, \ldots\}, GCU\}}\ \textrm{(FireGCU)}
$$

$$
\frac{\begin{array}{lll}
pendingip(GBU_2) = false & gmode(GBU_2) = true & fairness(GBU_1, GBU_2) \le \varepsilon \\
samedom(GBU_1, GBU_2) = true & regmode(GBU_2) = true & notifiring(GBU_1, GBU_2)
\end{array}}{\{\{GBU_1, \{GBU_2, \ldots\}, \ldots\}\} \;\to\; \{\{GBU_1, \ldots\}, \{GBU_2, \ldots\}\}}\ \textrm{(FireCol)}
$$

Figure 6. Extra Reduction Rules for Firing Free Riders
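The leader-side bookkeeping behind fairness, pendingip and notifiring, as an added example; it is not code from the paper or from the Arigatoni implementation. The Promise/Ledger records, the threshold ε = 0.25, the four GCU names and the event timeline are constructed here; the paper only fixes the guard fairness ≤ ε together with pendingip = false. The example keeps the two cases the text distinguishes apart: an individual whose promised services have timed out is no longer "pending" and is fired as untrustworthy, while one whose promise is still inside its deadline is spared until that deadline passes.

```python
"""Free-rider detection at a colony leader (Section 5, rules (FireGCU)/(FireCol)).
Added example, not the paper's code: ledger layout, 'Promise' bookkeeping, epsilon
and the event log in run_colony_audit() are assumptions made here."""
from dataclasses import dataclass, field


@dataclass
class Promise:
    service: str
    deadline: float          # time by which the promised service must have been delivered
    delivered: bool = False


@dataclass
class Ledger:
    offered: int = 0         # services this individual actually delivered to peers
    demanded: int = 0        # services it obtained from peers
    promises: list = field(default_factory=list)


class FairnessMonitor:
    """What a GBU needs to evaluate fairness(GBU, X), pendingip(X) and notifiring(GBU, X)."""

    def __init__(self, epsilon: float):
        self.epsilon = epsilon
        self.ledgers: dict[str, Ledger] = {}
        self.notices: list[str] = []

    def _ledger(self, who: str) -> Ledger:
        return self.ledgers.setdefault(who, Ledger())

    def demanded(self, who: str) -> None:
        self._ledger(who).demanded += 1

    def promised(self, who: str, service: str, deadline: float) -> None:
        self._ledger(who).promises.append(Promise(service, deadline))

    def delivered(self, who: str, service: str) -> None:
        led = self._ledger(who)
        for p in led.promises:                      # close the oldest open promise for it
            if p.service == service and not p.delivered:
                p.delivered = True
                break
        led.offered += 1

    def fairness(self, who: str) -> float:
        """offered / demanded; a unit that never asked for anything cannot be a free rider."""
        led = self._ledger(who)
        return float("inf") if led.demanded == 0 else led.offered / led.demanded

    def pendingip(self, who: str, now: float) -> bool:
        """True while some promise is open and within its deadline. An expired, undelivered
        promise no longer counts as pending: it was broken, which is the 'not trustworthy' case."""
        return any(not p.delivered and p.deadline >= now for p in self._ledger(who).promises)

    def broken_promises(self, who: str, now: float) -> int:
        return sum(1 for p in self._ledger(who).promises if not p.delivered and p.deadline < now)

    def fire_candidates(self, now: float) -> list:
        """The guard of (FireGCU)/(FireCol): fairness <= epsilon and pendingip = false."""
        fired = []
        for who in sorted(self.ledgers):
            if self.fairness(who) <= self.epsilon and not self.pendingip(who, now):
                reason = "broken promises" if self.broken_promises(who, now) else "low fairness ratio"
                fired.append((who, reason))
                self.notifiring(who, reason)
        return fired

    def notifiring(self, who: str, reason: str) -> str:
        msg = f"{who}: fired from the colony ({reason})"
        self.notices.append(msg)
        return msg


def run_colony_audit(epsilon: float = 0.25, now: float = 100.0) -> list:
    """Constructed event log: four GCUs as seen by one leader at time `now`."""
    m = FairnessMonitor(epsilon)
    for _ in range(10): m.demanded("gcu_a")              # heavy consumer, delivered once
    m.delivered("gcu_a", "s1")
    for _ in range(5):                                   # balanced peer: ratio 1.0
        m.demanded("gcu_b"); m.delivered("gcu_b", "s2")
    for _ in range(8): m.demanded("gcu_c")               # promised three services, delivered none
    for i in range(3): m.promised("gcu_c", f"s{i}", deadline=50.0)
    for _ in range(4): m.demanded("gcu_d")               # low ratio, but one promise still open
    m.promised("gcu_d", "s9", deadline=150.0)
    return m.fire_candidates(now)
```

Running `run_colony_audit()` fires gcu_a (ratio 0.1) and gcu_c (three expired promises, ratio 0), keeps gcu_b, and defers gcu_d because its promise is still within its deadline; calling it again with `now=151.0` would fire gcu_d too.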

6 Examples

In [1,2], a Grid scenario for Seismic Monitoring was presented. In this section we briefly recall the scenario and we present, by means of labeled transition system reductions, the evolution of the virtual organizations.

6.1 (Re)Setting the Scenario (from [1,2])

John, chief engineer of the SeismicDataCorp Company, Taiwan, aboard the seismic data collector ship, has to decide on the next data collection campaign. For this he would like to process the 100 TeraBytes of seismic data that have been recorded on the mass data recorder located in the offshore data repository of the company, to be processed and then analyzed.

He has written the processing program for modeling and visualizing the seismic cube using some parallel library like e.g. MPI/PVM: his program can be distributed over different machines that will each compute a chunk of the whole computation.

However, the amount of computation is so big that a supercomputer (GCU_SCU) and a cluster of PCs (GCU_CLU) have to be rented by the SeismicDataCorp company. John will also ask for bandwidth via an ISP located in Taiwan (GCU_ISPTW) in order to get rid of any bottleneck related to the big amount of data to be transferred.

Afterwards, the processed data should be analyzed using a Virtual Reality Center, VRC (GCU_VRCPU) based in Houston, U.S.A., by a specialist team (GCU_VRCSPEC), and the resulting recommendations for the next data collection campaign have to be sent to John.

Hence one would like the following scenario to happen:

• John logs in with his laptop (GCU_John) to the Arigatoni overlay network in a given colony in Taiwan, and sends a quite complicated service request in order for the data to be processed using his own code. Usually the GBU


[Figure 7 (diagram): John's laptop (GCU/GRU, Taiwan) and the SeismicData GBU in Taiwan, the Taiwan ISP GBU, the supercomputer and the PC cluster (GBU/GRU), and the VRC in Houston, each behind its own network and connected through the Internet; GIP request/response messages flow between them and a very high speed ISP link carries the data.]

Figure 7. A Grid Scenario for Seismic Monitoring

leader of the colony will receive and process the request;

• If the resource discovery performed by the GBU succeeds, i.e. a supercomputer, a cluster and an ISP are found, then the data are transferred at very high speed and processed;

• John will order the GCU_SDTW containing the seismic data to dispatch suitable chunks of data to the supercomputer and the cluster designated by the GBU to perform some pieces of computation;

• John will assign to the supercomputer unit the task of collecting all intermediate results in order to compute the final result (i.e. it will play the role of Maestro di Orchestra);

• The processed data are then sent from the supercomputer, via the high speed ISP, to the Houston center for being visualized and analyzed;

• Finally, the specialist team's recommendations have to be sent to John's laptop.

This scenario is pictorially presented in Figure 7.


6.2 Formalizing the Scenario

The initial community (the primitive Soup) will be composed of the following elements:

$$COM_{Soup} \triangleq \{\{GBU_{SDTW}\}, GCU_{SDTW}, \{GBU_{ISPTW}\}, GCU_{ISPTW}, \{GBU_{CPU}\}, GCU_{SCU}, GCU_{CLU}, \{GBU_{VRC}\}, GCU_{VRCPU}, GCU_{VRCSPEC}\}$$

By applying the reduction rule (JoinGCU) six times (once per GCU) we obtain the new community:

$$COM_1 \triangleq \{\{GBU_{SDTW}, GCU_{SDTW}\}, \{GBU_{ISPTW}, GCU_{ISPTW}\}, \{GBU_{CPU}, GCU_{SCU}, GCU_{CLU}\}, \{GBU_{VRC}, GCU_{VRCPU}, GCU_{VRCSPEC}\}\}$$

and $COM_{Soup} \to^6 COM_1$. Then by applying the congruence rule (CommCup) we see John's laptop appear in the new community, $COM_2 \triangleq COM_1 \cup \{GCU_{John}\}$:

$$COM_2 \triangleq \{GCU_{John}, \{GBU_{SDTW}, GCU_{SDTW}\}, \{GBU_{ISPTW}, GCU_{ISPTW}\}, \{GBU_{CPU}, GCU_{SCU}, GCU_{CLU}\}, \{GBU_{VRC}, GCU_{VRCPU}, GCU_{VRCSPEC}\}\}$$

By applying again (JoinGCU) we obtain the new community:

$$COM_3 \triangleq \{\{GBU_{SDTW}, GCU_{SDTW}, GCU_{John}\}, \{GBU_{ISPTW}, GCU_{ISPTW}\}, \{GBU_{CPU}, GCU_{SCU}, GCU_{CLU}\}, \{GBU_{VRC}, GCU_{VRCPU}, GCU_{VRCSPEC}\}\}$$

Now, if the colony whose leader is $GBU_{SDTW}$ agrees to join the colony whose leader is $GBU_{ISPTW}$ (both are supposed to live in the same administrative domain), by applying rule (JoinCol) we obtain the new community:

$$COM_4 \triangleq \{\{GBU_{ISPTW}, GCU_{ISPTW}, \{GBU_{SDTW}, GCU_{SDTW}, GCU_{John}\}\}, \{GBU_{CPU}, GCU_{SCU}, GCU_{CLU}\}, \{GBU_{VRC}, GCU_{VRCPU}, GCU_{VRCSPEC}\}\}$$

The colony in Taiwan and the colony whose leader is $GBU_{CPU}$ (they are supposed to live in different administrative domains) sign an "agreement", by applying rule (LinkCol), so giving the new community:

$$COM_5 \triangleq \{\{GBU_{ISP\&CPU}, \{GBU_{ISPTW}, GCU_{ISPTW}, \{GBU_{SDTW}, GCU_{SDTW}, GCU_{John}\}\}, \{GBU_{CPU}, GCU_{SCU}, GCU_{CLU}\}\}, \{GBU_{VRC}, GCU_{VRCPU}, GCU_{VRCSPEC}\}\}$$

Finally, the colony containing John's laptop is ready to receive John's huge service request, and, hopefully for John, the request will be accepted and performed. It is now time for John to come back home, and the community $COM_5$ could then (but this is not mandatory) disintegrate. By applying the "dual" reduction rules (LeaveGCU), (LeaveCol), and (UnLinkCol) plus the congruence rules (CommCup) and (CommMinus), we come back to the initial soup, i.e. $COM_5 \to^* COM_{Soup}$.


7 Properties

In this section we prove that our process algebra is able to model the virtual organization of the Arigatoni model.

Morris-style contextual equivalence [5] is the standard way of saying that two communities have the same behavior (are equivalent) if and only if, whenever they are merged inside an arbitrary community, they admit the same elementary observations.

In our setting, and as usual in process algebras, contextual equivalence is formulated in terms of observing the presence of top-level colonies, as in the next definition.

Definition 7.1 [Colony Exhibition and Contextual Equivalence]

(i) a community COM must exhibit a colony COL, written $COM \downarrow_{must} COL$, if COM is a community containing COL as a top-level colony, i.e.

$$COM \downarrow_{must} COL \;\triangleq\; COM = \{\ldots, COL, \ldots\}$$

(ii) a community COM may exhibit a colony COL, written $COM \downarrow_{may} COL$, if after a number of reductions COM becomes a community containing COL as a top-level colony, i.e.

$$COM \downarrow_{may} COL \;\triangleq\; COM \to^* COM' \ \text{and}\ COM' = \{\ldots, COL, \ldots\}$$

(iii) let the context $C[\cdot]$ be a community containing zero or more holes, and for any community COM let $C[COM]$ be the community obtained by filling each hole in $C[\cdot]$ with a copy of COM. The contextual equivalence between communities, written $COM \simeq COM'$, is defined as

$$COM \simeq COM' \;\triangleq\; \text{for all } COL \text{ and } C[\cdot] \text{ we have } C[COM] \downarrow_{may} COL \iff C[COM'] \downarrow_{may} COL$$

(iv) let $COM \to^*\!\simeq COM'$ if there exists $COM''$ such that $COM \to^* COM''$ and $COM'' \simeq COM'$.

Let $\mathbf{COM}$ be the set of communities generated by the BNF syntax.

Theorem 7.2 (Closure Under Reduction)

(i) If $COM \in \mathbf{COM}$ and $COM \to^* COM'$, then $COM' \in \mathbf{COM}$;

(ii) If $COM \simeq COM'$, then $COM, COM' \in \mathbf{COM}$;

(iii) If $COM \to^*\!\simeq COM'$, then $COM, COM' \in \mathbf{COM}$.

Proof

1) By observing the reduction rules of the labeled transition system, one can verify that if the left-hand side belongs to $\mathbf{COM}$, then so does the right-hand side. The final result is obtained by induction on the number of reductions.

2,3) By point 1), using Definition 7.1. □

Theorem 7.3 (Inversion)

(i) If $COM \to_{(JoinGCU/Col)} COM'$ on an individual (GCU or COL), and $COM' \to_{(LeaveGCU/Col)} COM''$ on the same individual, then $COM = COM''$;

(ii) If $COM \to_{(LinkCol)} COM'$ on two colonies, and $COM' \to_{(UnLinkCol)} COM''$ on the same colonies, then $COM = COM''$.

Proof By observing the reduction rules, one can see that the right-hand side of the reduction rules (JoinGCU), (JoinCol), and (LinkCol) corresponds to the left-hand side of the dual reduction rules (LeaveGCU), (LeaveCol), and (UnLinkCol), and conversely the left-hand side of the reduction rules (JoinGCU), (JoinCol), and (LinkCol) corresponds to the right-hand side of the dual reduction rules (LeaveGCU), (LeaveCol), and (UnLinkCol). Applying one rule after the other clearly corresponds to an identity operation. □
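The reduction rules of Section 3, the derivation of Section 6.2 and the inversion property just proved, as an executable model. This is an added example and not code from the paper or from the Arigatoni implementation: the Colony/Unit representation, the domain labels ('tw', 'cpu', 'vrc'), the unit names with underscores, and the accept/agree policies (callables that default to "yes" when joining or linking and "no" when leaving or unlinking) are assumptions made here. Only top-level reductions are implemented; (CommCup) and (CommMinus) are plain set union and difference. The part worth a reviewer's attention is the samedom guard in join: the cross-domain attempt raises before any state is touched, which is exactly the restriction Section 4 relaxes only through tunnelling.

```python
"""Executable model of the Arigatoni reduction rules (JoinGCU)/(JoinCol), (LeaveGCU)/(LeaveCol),
(LinkCol)/(UnLinkCol) over nested sets, replaying the Section 6.2 derivation and the inversion
of Theorem 7.3. Added example, not the paper's code; the Colony/Unit layout, the domain labels
'tw'/'cpu'/'vrc', the unit names and the accept/agree policy callables are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Colony:
    leader: str                       # the GBU leading this colony
    members: frozenset = frozenset()  # GCU names and sub-Colony objects

@dataclass
class Unit:                           # state consulted by the guards, per GCU or GBU
    domain: str
    gmode: bool = False; regmode: bool = False; pendingip: bool = False

class GuardViolation(Exception): """A premise fails: no reduction and no state change."""

def name_of(x): return x if isinstance(x, str) else x.leader   # x: GCU name or Colony

def require(cond, premise):
    if not cond: raise GuardViolation(premise)

def colony_led_by(com, gbu):
    cols = [c for c in com if isinstance(c, Colony) and c.leader == gbu]
    require(bool(cols), f"no colony led by {gbu} at this level")
    return cols[0]

def join(com, units, gbu, x, accept=lambda g, x: True):
    """(JoinGCU) for a GCU name, (JoinCol) for a top-level Colony; side effect regmode=true."""
    col = colony_led_by(com, gbu)
    require(x in com, f"{name_of(x)} is not a top-level individual")
    ux = units[name_of(x)]
    require(units[gbu].domain == ux.domain, "samedom")   # no join across administrative domains
    require(accept(gbu, name_of(x)), "accept")
    require(ux.gmode and not ux.regmode, "gmode=true & regmode=false")
    ux.regmode = True
    return (com - {col, x}) | {Colony(gbu, col.members | {x})}

def leave(com, units, gbu, x, accept=lambda g, x: False):
    """(LeaveGCU)/(LeaveCol): x is top-level again; side effect regmode=false."""
    col = colony_led_by(com, gbu)
    require(x in col.members, f"{name_of(x)} is not registered under {gbu}")
    ux = units[name_of(x)]
    require(not ux.pendingip, "pendingip=false")
    require(units[gbu].domain == ux.domain, "samedom")
    require(not accept(gbu, name_of(x)), "accept=false")
    require(not ux.gmode and ux.regmode, "gmode=false & regmode=true")
    ux.regmode = False
    return (com - {col}) | {Colony(gbu, col.members - {x}), x}

def link(com, units, gbu1, gbu2, gbu3, agree=lambda a, b: True):
    """(LinkCol): two top-level colonies of different domains go under a fresh broker gbu3."""
    c1, c2 = colony_led_by(com, gbu1), colony_led_by(com, gbu2)
    u1, u2 = units[gbu1], units[gbu2]
    require(u1.domain != u2.domain, "samedom=false")
    require(agree(gbu1, gbu2), "agree")
    require(u1.gmode and u2.gmode and not (u1.regmode or u2.regmode), "gmode=true & regmode=false")
    u1.regmode = u2.regmode = True
    return (com - {c1, c2}) | {Colony(gbu3, frozenset({c1, c2}))}

def unlink(com, units, gbu1, gbu2, gbu3, agree=lambda a, b: False):
    """(UnLinkCol): dual of (LinkCol), fires once the agreement is withdrawn."""
    c3 = colony_led_by(com, gbu3)
    c1, c2 = colony_led_by(c3.members, gbu1), colony_led_by(c3.members, gbu2)
    u1, u2, u3 = units[gbu1], units[gbu2], units[gbu3]
    require(not (u1.pendingip or u2.pendingip or u3.pendingip), "pendingip=false")
    require(u1.domain != u2.domain, "samedom=false")
    require(not agree(gbu1, gbu2), "agree=false")
    require(not (u1.gmode or u2.gmode) and u1.regmode and u2.regmode, "gmode=false & regmode=true")
    u1.regmode = u2.regmode = False
    return (com - {c3}) | {c1, c2}

def seismic_scenario():
    """COM_Soup ->6 COM1 -CommCup-> COM2 -JoinGCU-> COM3 -JoinCol-> COM4 -LinkCol-> COM5, then back."""
    doms = {"tw": "GBU_SDTW GCU_SDTW GBU_ISPTW GCU_ISPTW GCU_John GBU_ISP&CPU",
            "cpu": "GBU_CPU GCU_SCU GCU_CLU", "vrc": "GBU_VRC GCU_VRCPU GCU_VRCSPEC"}
    units = {n: Unit(d, gmode=True) for d, names in doms.items() for n in names.split()}
    soup = frozenset({Colony("GBU_SDTW"), "GCU_SDTW", Colony("GBU_ISPTW"), "GCU_ISPTW",
                      Colony("GBU_CPU"), "GCU_SCU", "GCU_CLU",
                      Colony("GBU_VRC"), "GCU_VRCPU", "GCU_VRCSPEC"})
    joins = [("GBU_SDTW", "GCU_SDTW"), ("GBU_ISPTW", "GCU_ISPTW"), ("GBU_CPU", "GCU_SCU"),
             ("GBU_CPU", "GCU_CLU"), ("GBU_VRC", "GCU_VRCPU"), ("GBU_VRC", "GCU_VRCSPEC")]
    com1 = soup
    for gbu, gcu in joins: com1 = join(com1, units, gbu, gcu)              # (JoinGCU) x6
    com2 = com1 | {"GCU_John"}                                             # (CommCup)
    try: join(com2, units, "GBU_CPU", "GCU_John"); blocked = None          # cross-domain attempt
    except GuardViolation as e: blocked = str(e)
    com3 = join(com2, units, "GBU_SDTW", "GCU_John")                       # (JoinGCU)
    com4 = join(com3, units, "GBU_ISPTW", colony_led_by(com3, "GBU_SDTW"))  # (JoinCol)
    com5 = link(com4, units, "GBU_ISPTW", "GBU_CPU", "GBU_ISP&CPU")        # (LinkCol)
    for n in ("GBU_ISPTW", "GBU_CPU", "GBU_SDTW", "GCU_John"): units[n].gmode = False  # logout
    back4 = unlink(com5, units, "GBU_ISPTW", "GBU_CPU", "GBU_ISP&CPU")     # (UnLinkCol)
    sdtw = colony_led_by(colony_led_by(back4, "GBU_ISPTW").members, "GBU_SDTW")
    back3 = leave(back4, units, "GBU_ISPTW", sdtw)                         # (LeaveCol)
    back2 = leave(back3, units, "GBU_SDTW", "GCU_John")                    # (LeaveGCU)
    back1 = back = back2 - {"GCU_John"}                                    # (CommMinus)
    for gbu, gcu in joins:
        units[gcu].gmode = False; back = leave(back, units, gbu, gcu)      # (LeaveGCU) x6
    return {"soup": soup, "com1": com1, "com3": com3, "com4": com4, "com5": com5,
            "blocked": blocked, "back4": back4, "back3": back3, "back1": back1, "back": back}
```

Because Colony is a frozen dataclass over a frozenset, set-theoretical equality of communities is just `==`, so `seismic_scenario()` can check Theorem 7.3 directly: each dual rule returns the community that the forward rule started from, and the walk back ends at the soup.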

Theorem 7.4 (Adequacy of the labeled transition system w.r.t. the pseudocode) The labeled reduction system is adequate with respect to the pseudocode of the GCU and of the GBU shown in Figures 3 and 4.

Proof (Sketch) Observe that the highlighted parts of the GCU pseudocode concerning the setting and unsetting of the variables GlobalMode/RegMode lead to the firing of the two rules (JoinGCU) and (LeaveGCU). Likewise, the highlighted parts of the GBU pseudocode concerning the setting and unsetting of its own GlobalMode/RegMode (a GBU registering with, or logging out from, its leader) lead to the firing of the two rules (JoinCol) and (LeaveCol). The last two rules of the transition system, namely (LinkCol) and (UnLinkCol), are encapsulated (hence hidden) in the function call Update(Colony, MetaData). □

8 Experimental Evaluation

In this section, we provide results from experimental evaluation. We have conducted simulations using large numbers of units and service requests. In this paper, we specifically focus on the effect of individuals' disconnections on the average service acceptation ratio.

More precisely, we have implemented the reduction rules (JoinGCU), (LeaveGCU), (JoinCol), and (LeaveCol), that represent the "core" rewriting set to simulate the dynamic behavior of the Arigatoni overlay topology. We expect to implement the full set of rewriting rules defining the operational semantics soon.

8.1 Simulation Setup

We have generated a network topology using the transit-stub model of the Georgia Tech Internetwork Topology Models package [8], on top of which we added the Arigatoni Overlay Network. The resulting network topology, shown in Figure 8, contains 103 GBUs. GBU2 (highlighted with a square in Figure 8) was chosen as the root of the topology. We considered a finite set of resources $R_1 \cdots R_r$ of variable size r, and represented a service by a direct mapping to a resource. In other words, a service expresses the conditional presence of a single resource. We have a set of r services $\{S_1 \cdots S_r\}$, where service $S_i$ expresses the conditional presence of resource $R_i$. A GCU declaring service $S_i$ means that it can provide resource $R_i$. This model, while quite simple, is still generic enough, and is sufficient for the main purpose of our experiments, which is to study the impact of individuals' disconnections on the average service acceptation ratio. Results are illustrated in Figure 9.

[Figure 8: tree-shaped topology graph of the overlay; GBU nodes numbered 0 to 103, with GBU2 marked by a square as the root.]

Figure 8. Simulated network topology with 103 GBUs

To simulate GCU load, we attached 50 GCUs to each GBU; we then randomly added each service $S_i$ with probability α at each GCU and had it registered via the registration service of Arigatoni. The routing tables of the GBUs were updated starting at the initial GBU and ending at the root of the topology, GBU2.

We then issued n service requests at GCUs chosen uniformly at random. Each request contained one service, also chosen uniformly at random. Each service request was then handled by the Resource Discovery mechanism of Arigatoni (described in [4]). We used a service acceptation probability of β = 75%, which corresponds to the probability that a GCU that receives a service request, and that declared itself as a potential Individual for that service (i.e. that registered it), accepts to serve it.

Upon completion of the n requests, we computed the average service acceptation ratio as follows. For each GCU, we computed the local acceptation ratio as the number of service requests that yielded a positive response (i.e. the system found at least one Individual) over the number of service requests issued at that GCU. We then computed the average acceptation ratio as the average value over the number of GCUs (that issued at least one service request).

To study the impact of GBU disconnections (i.e., rewriting rules (JoinCol) and (LeaveCol)), we used a disconnection probability variable δ that indicates the fraction of disconnected individuals (δ = 0% means all individuals are connected, while δ = 100% means all individuals are disconnected). We then repeated the same experiment when a fraction δ of the GBU population, chosen uniformly at random, has been disconnected from its leader. When a subcolony has been disconnected from its GBU leader, it continues to operate in standalone mode, i.e. with its local GBU leader as the current broker. Therefore, the services offered by the other colonies are unavailable inside it, while the services offered by the colony itself are not available outside. For each value of δ ∈ [0 … 100]%, we repeated the same experiment 10 times and measured the average value of the acceptation ratio. In each of the 10 runs, the disconnected GBUs were chosen uniformly at random, independently of the previous runs (i.e., with a different random seed). We then computed the standard deviation of the average service acceptation ratio (over the 10 values).

Starting from the fully connected topology $COM_1$ of Figure 8, the rationale of the simulation corresponds to applying a number of (JoinCol) rewriting rules (written (JoinGBU) below) to have some individuals join the colony, then applying a number of (LeaveCol) rewriting rules (written (LeaveGBU) below) to have some other individuals leave the colony, and then performing the experiment 10 times.

$$COM_i \;\to^*_{(JoinGBU)}\; COM'_{i+1} \;\to^*_{(LeaveGBU)}\; COM_{i+1} \qquad i = 1 \ldots 10$$

We finally studied the effect of GCU disconnections (rewriting rules (JoinGCU) and (LeaveGCU)), by repeating the same experiment when a fraction δ of the GCU population has been disconnected from its leader. Also in this case, a disconnected GCU continues to work in standalone mode using only its own resources.

As for the GBU case, we have

$$COM_i \;\to^*_{(JoinGCU)}\; COM'_{i+1} \;\to^*_{(LeaveGCU)}\; COM_{i+1} \qquad i = 1 \ldots 10$$
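The simulation described above, re-implemented as an added example; it is not the authors' C++ simulator and reuses none of their code. Assumptions made here: a random recursive tree stands in for the GT-ITM transit-stub topology, resource discovery is reduced to "some GCU in the requester's connected component declares the service and accepts with probability β", and n is 2000 rather than the 50000 of Table 1 so that a run takes about a second. K, r, α and β take the values of Table 1. The two boundary cases the text singles out fall out of the model: with every GBU disconnected the ratio stays above zero because each colony still serves itself, while with every GCU disconnected it is exactly zero.

```python
"""Service acceptation ratio versus the fraction delta of disconnected GBUs or GCUs
(Section 8 experiment). Added example, not the paper's simulator; the random tree,
the simplified resource discovery and the smaller n are assumptions made here."""
import random
from collections import defaultdict


def random_tree(k: int, rng: random.Random) -> dict:
    """parent[g] for k GBUs; GBU 0 is the root (the paper's GBU2)."""
    return {g: (None if g == 0 else rng.randrange(g)) for g in range(k)}


def attach_gcus(k: int, per_gbu: int, r: int, alpha: float, rng: random.Random) -> list:
    """Each GBU gets per_gbu GCUs; each GCU declares service S_i with probability alpha."""
    return [(g, frozenset(s for s in range(r) if rng.random() < alpha))
            for g in range(k) for _ in range(per_gbu)]


def component_root(parent: dict, disconnected: frozenset, g: int) -> int:
    """A disconnected GBU is cut from its leader; its subtree keeps working under it."""
    while g not in disconnected and parent[g] is not None:
        g = parent[g]
    return g


def acceptation_ratio(parent, gcus, r, beta, n, rng, disc_gbus=frozenset(), disc_gcus=frozenset()):
    """Average over requesting GCUs of (accepted requests / issued requests)."""
    root_of = {g: component_root(parent, disc_gbus, g) for g in parent}
    providers = defaultdict(list)                  # (component, service) -> GCU indexes
    for i, (g, services) in enumerate(gcus):
        if i in disc_gcus:                         # standalone GCU: neither serves nor is served
            continue
        for s in services:
            providers[(root_of[g], s)].append(i)
    issued, accepted = defaultdict(int), defaultdict(int)
    for _ in range(n):
        i, s = rng.randrange(len(gcus)), rng.randrange(r)
        issued[i] += 1
        if i in disc_gcus:
            continue
        candidates = providers[(root_of[gcus[i][0]], s)]
        if any(rng.random() < beta for _ in candidates):   # each declaring GCU accepts w.p. beta
            accepted[i] += 1
    return sum(accepted[i] / issued[i] for i in issued) / len(issued)


def experiment(delta: float, kind: str, seed: int = 1, k: int = 103, per_gbu: int = 50,
               r: int = 128, alpha: float = 0.0012, beta: float = 0.75, n: int = 2000) -> float:
    """kind is 'gbu' or 'gcu'; delta is the fraction of that population disconnected.
    The same seed rebuilds the same topology and service placement for every delta."""
    rng = random.Random(seed)
    parent = random_tree(k, rng)
    gcus = attach_gcus(k, per_gbu, r, alpha, rng)
    size = k if kind == "gbu" else len(gcus)
    chosen = frozenset(rng.sample(range(size), round(delta * size)))
    if kind == "gbu":
        return acceptation_ratio(parent, gcus, r, beta, n, rng, disc_gbus=chosen)
    return acceptation_ratio(parent, gcus, r, beta, n, rng, disc_gcus=chosen)


if __name__ == "__main__":
    for d in (0.0, 0.25, 0.5, 1.0):
        print(f"delta={d:.2f}  gbu={experiment(d, 'gbu'):.3f}  gcu={experiment(d, 'gcu'):.3f}")
```

With the Table 1 values, α = 0.12% over 5150 GCUs gives about six declaring GCUs per service, which is why the connected topology sits near 100% and why the curve drops as the population is partitioned into components that see only their own providers.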

The Resource Discovery algorithm was implemented in C++ and compiled using GNU C++ version 2.95.3. Experiments were conducted on a 3.0 GHz Intel Pentium machine with 2 GB of main memory running Linux 2.4.28. The different experimental parameters are summarized in Table 1. The service availability ratio, α, was fixed to a value of 0.12%, which yields an average service acceptation ratio of almost 100% with no subcolony disconnections. Figure 9(a) shows that the average service acceptation ratio decreases exponentially with the number of subcolony (i.e., GBU) disconnections. This is not surprising, since when a subcolony has been disconnected, all the services offered by the other colonies are unavailable to it. Conversely, all the services offered by the subcolony are unavailable to the other colonies. Note that when


Parameter   Description                              Value
K           Number of GBUs                           103
r           Size of services pool                    128
α           Service availability                     0.12%
β           Service acceptation probability          75%
n           Number of service requests issued        50000
δ           Fraction of disconnected individuals     [0 … 100]%

Table 1. Parameters of the experiments

[Figure 9: three plots. (a) Acceptation ratio (%) against disconnected population (%), two curves: average acceptation ratio under GCU disconnections and under GBU disconnections. (b) Acceptation ratio (%) against run number (0 to 10): average service acceptation ratio for δ = 10%. (c) Standard deviation (%) against fraction of disconnected population (%): standard deviation of the acceptation ratio.]

Figure 9. (a) Average service acceptation ratio w.r.t. fraction of disconnected population. (b) Average service acceptation ratio for the different runs for the value δ = 10%. (c) Standard deviation of the service acceptation ratio w.r.t. fraction of disconnected population.

all subcolonies have been disconnected (100%), the average service acceptation ratio is not null. Indeed, the local colony of a GBU (i.e., the GCUs directly connected to the GBU) remains operational, i.e., the services offered by a GCU are available to the other GCUs of the same colony.

We observe that GCU disconnections have more impact on the average service acceptation ratio than GBU disconnections. This is due to the fact that when a GCU is disconnected, all the services that it provided are unavailable to the entire system and, conversely, all the services provided by the system are unavailable to it. As expected, for a value of δ = 100%, the average acceptation ratio is 0, as no service at all is available.

Figure 9(b) shows the different values of the average service acceptation ratio obtained for a value of δ = 10% of the fraction of disconnected population. As previously explained, for each run we chose 10 GBUs (≈ 10% of 103) uniformly at random, independently of the previous runs, i.e., with a different random seed. In other words, the disconnected subcolonies are different in each run. Figure 9(b) shows that subcolony disconnections can have a very different impact on the acceptation ratio. In fact, "low level" subcolony disconnections have a dramatic impact whereas "high level" subcolony disconnections have a very limited, local impact. Figure 9(c) shows that, unsurprisingly, the level of the disconnected subcolony has less impact on the service acceptation ratio for higher values of δ.

Acknowledgment

The authors acknowledge Aeolus FP6-2004-IST-FET Proactive and the French grant ACI Modulogic.



DCM 2006

A Calculus of Global Interaction based on Session Types 1

Marco Carbone 2

Department of Computer Science, Queen Mary and Westfield College

London, United Kingdom

Kohei Honda 3

Department of Computer Science, Queen Mary and Westfield College

London, United Kingdom

Nobuko Yoshida 4

Department of Computing, Imperial College

London, United Kingdom

Abstract

This short note outlines two different ways of describing communication-centric software in the form of formal calculi and discusses their relationship. Two different paradigms of description, one centring on global message flows and another centring on local (end-point) behaviours, share a common feature: a structured representation of communications. The global calculus originates from Choreography Description Language (CDL), a web service description language developed by W3C's WS-CDL Working Group. The local calculus is based on the π-calculus, one of the representative calculi for communicating processes. We illustrate these two descriptive frameworks, outline the static and dynamic semantics of these calculi, and discuss the basic idea of end-point projection, by which any well-formed description in the global calculus has a precise representation in the local calculus.

Key words: Web Services, π-calculus, Session Types.

This paper is electronically published in Electronic Notes in Theoretical Computer Science

URL: www.elsevier.nl/locate/entcs


Carbone, Honda and Yoshida

1 Introduction

The purpose of the present note is two-fold. The first is to introduce a formal calculus for communication and concurrency which fundamentally differs from existing concurrency formalisms. This calculus was born as a result of a dialogue with W3C's working group on web service standards, and is based on the idea of global description of interactions. Related descriptive methods have been practised in varied contexts, including the standard notation for cryptographic protocols [13], message sequence charts (MSC) [11,8], a language related to MSC called DiCons [2], and UML sequence diagrams [14]. One may also view Petri-net based descriptions of various systems [16,3] as instances of such global descriptions. The use of types in the formalism, based on session types [15,10,7,17,9], is the main difference from these notations. As its origin in W3C standardisation suggests, this formalism is a distillation of engineering needs for describing the complex interactions which may occur in real-world business processes. The associated long version [5] presents extensive examples of business protocols written in the proposed global formalism.

The second aim of this note is to outline a theory which rigorously relates this engineering-oriented formalism to a typed process calculus, which is based on the notion of processes and their interaction. Establishing this connection is important since, through this link, a rich theory of algebras, calculi and logics for processes becomes available for direct dialogue with engineering practice. The target of the mapping is an applied version of the π-calculus based on session types (which can indeed be faithfully encoded in the π-calculus [12]). The mapping from the global formalism to the process formalism is called end-point projection, or EPP for short, following the terminology of WS-CDL (where EPP is regarded as an underpinning of a variety of web service engineering, including monitoring, conformance and interoperability). EPP projects a given global description to a collection of end-point behaviours, whose mutual communication should realise the original global scenario. We naturally desire EPP to be sound and complete, in the sense that all and only globally described behaviour is realised in interactions among end-point behaviours. To make this possible, we impose simple descriptive principles on global descriptions. For those global descriptions which are well-typed and which follow these descriptive principles, there is a simple and direct EPP which is type preserving and which is sound and complete with respect to the original dynamic semantics. This EPP theory (including type disciplines and the EPP mapping) will be published as a supplementary document to the specification of WS-CDL 1.0, and will be implemented as part of an open-source reference implementation of WS-CDL [1]. Thus the present work started from practice, gets related to theory, and finally comes back to practice again. This will further motivate and encourage a dialogue between theoretical studies and engineering. We argue such a dialogue is highly beneficial, not only for the advancement of rigorous engineering but also for the enrichment of theory.

1 We would like to thank Gary Brown and Steve Ross-Talbot for their collaboration in the development of this work. This work is partially supported by EPSRC GR/R03075/01, GR/T04236/01, GR/S55538/01, GR/T04724/01, GR/T03208/01 and IST-2005-015905 MOBIUS.
2 Email: [email protected]
3 Email: [email protected]
4 Email: [email protected]

It is worth outlining the direct engineering background of the present work, WS-CDL. WS-CDL, or formally Web Service Choreography Description Language [18], is an XML-based web service description language developed by W3C's WS-CDL Working Group, in collaboration with invited scientists including the present authors. WS-CDL has been developed in order to meet engineering needs for the development of business protocols on the world-wide web. The central engineering idea of WS-CDL is embodied by the term choreography in its name. The underlying intuition can be summarised as follows:

"Dancers dance following a global scenario without a single point of control."

WS-CDL is about writing down such a "global scenario": in computational terms, it is a language for describing business protocols from a global viewpoint such that the description can be executed by individual distributed processes without a single point of control. In other words, if a designer writes a global description in WS-CDL, it should be realisable as communicating processes without any central controlling agent (which contrasts with the notion of orchestration, where one master component, the "conductor", directly controls the activity of one or more slave components). Thus the notion of choreography intrinsically demands an appropriate framework for EPP.

A broader background of the present work is the explosive growth of the Internet and the world-wide web, which has given rise to, in the shape of de facto standards, an omnipresent naming scheme (URI/URL), omnipresent communication protocols (HTTP/TCP/IP) and an omnipresent data format (XML). These three elements arguably offer the key infrastructural bases for application-level distributed programming. This engineering background makes it feasible and advantageous to develop applications which will be engaged in complex sequences of interactions among two or more parties. Another background is the maturing of theories of processes centring on the π-calculus and its types. The two formalisms we shall discuss are based on a common notion of structured communication, called a session. A session binds a series of communications between two parties into one, distinguishing them from communications belonging to other sessions. This is a standard practice in business protocols (where an instance of a protocol should be distinguished from another instance of the same or other protocols) and in distributed programming (where two interacting parties use multiple TCP connections for performing a unit of conversation). The type disciplines for sessions have been studied over many years in the context of the π-calculus [10,7,17,4], where it has been shown that they offer a high-level abstraction for communication behaviour upon which further refined reasoning techniques can be built. We shall discuss not only that sessions offer a natural articulation for the global description of complex interaction behaviour but also that session types play an essential role in the presented theory of end-point projection.

The next section of this abstract briefly outlines the global formalism (a distilled version of WS-CDL), the corresponding process formalism (called the end-point calculus, which is an applied version of the π-calculus), and a theory of EPP. Exploration of many examples, the full technical development of the theory, and detailed discussions of related work can be found in [5,6].

2 Outline of Calculi and Formal Results

The formal syntax of the global calculus is given by the standard BNF. Below, symbols $I, I', \ldots$ denote terms of the global calculus, also called interactions. Terms describe a course of information exchange among two or more parties from a global viewpoint.

\[
\begin{array}{rcll}
I & ::= & A \to B : c(\nu\,\tilde{s}).\, I & \text{(init)}\\
  & \mid & A \to B : s\langle op, e, y\rangle.\, I & \text{(com)}\\
  & \mid & x@A := e.\, I & \text{(assign)}\\
  & \mid & I_1 \mid I_2 & \text{(par)}\\
  & \mid & \mathsf{if}\ e@A\ \mathsf{then}\ I_1\ \mathsf{else}\ I_2 & \text{(ifthenelse)}\\
  & \mid & I_1 + I_2 & \text{(sum)}\\
  & \mid & (\nu s)\, I & \text{(new)}\\
  & \mid & X & \text{(recVar)}\\
  & \mid & \mathsf{rec}\ X.\, I & \text{(rec)}\\
  & \mid & 0 & \text{(inaction)}
\end{array}
\]

Above, $a, b, c, ch, \ldots$ range over service channels, which may be considered as shared channels of web services; $s, s', \ldots$ range over session channels, which designate communication channels freshly generated for each session; $\tilde{s}$ indicates a vector of them; $A, B, C, \ldots$ range over participants. Each participant is equipped with its own local state, storing and updating values in its variables ($x, y, z, \ldots$); $X, Y, Z, \ldots$ range over term variables, which are used to represent recurrence in combination with recursion $\mathsf{rec}\ X.I$; and $e, e', \ldots$ range over arithmetic and other standard first-order expressions.

The following gives an example of a description, depicting repeated interactions where Buyer asks Seller to give a good quote. Only when a quote is good does Buyer accept, and Seller then sends a shipping request to Shipper.

\[
\begin{array}{l}
\mathsf{Buyer} \to \mathsf{Seller} : ch_1(\nu\, s, t).\\
\mathsf{Buyer} \to \mathsf{Seller} : s\langle \mathsf{QuoteReq}, prod@\mathsf{Buyer}, prod@\mathsf{Seller}\rangle.\\
\mathsf{rec}\ X.\\
\quad \mathsf{Seller} \to \mathsf{Buyer} : t\langle \mathsf{QuoteRes}, quote@\mathsf{Seller}, quote@\mathsf{Buyer}\rangle.\\
\quad \mathsf{if}\ reasonable(quote)@\mathsf{Buyer}\ \mathsf{then}\\
\qquad \mathsf{Buyer} \to \mathsf{Seller} : s\langle \mathsf{QuoteAcc}, adr@\mathsf{Buyer}, adr@\mathsf{Seller}\rangle.\\
\qquad \mathsf{Seller} \to \mathsf{Shipper} : ch_2(\nu\, r).\\
\qquad \cdots \text{(omitted)} \cdots\\
\quad \mathsf{else}\\
\qquad \mathsf{Buyer} \to \mathsf{Seller} : s\langle \mathsf{QuoteNoGood}\rangle.\, X\\
\quad \mathsf{endif}
\end{array}
\]

where, for example, "prod@Buyer" indicates a variable prod located at Buyer. Many other examples of descriptions of complex protocols are found in [5,6].

The reduction of the global calculus is defined using an intuitive notation,

\[ (I, \sigma) \to (I', \sigma') \]

which says that a global description $I$ in a state $\sigma$ (which is the collection of all local states of the participants) will be changed into $I'$ in a new configuration $\sigma'$. Samples of reduction rules are, writing $\sigma[x@B \mapsto v]$ for the result of updating the variable $x$ located at $B$:

\[
\begin{array}{lcl}
(A \to B : ch(\nu\,\tilde{s}).\, I,\ \sigma) & \to & ((\nu\,\tilde{s})\, I,\ \sigma)\\[2pt]
(A \to B : s\langle op, v, x\rangle.\, I,\ \sigma) & \to & (I,\ \sigma[x@B \mapsto v])\\[2pt]
(x@A := v.\, I,\ \sigma) & \to & (I,\ \sigma[x@A \mapsto v])\\[2pt]
(I_1 + I_2,\ \sigma) & \to & (I_1',\ \sigma') \quad \text{if } (I_1, \sigma) \to (I_1', \sigma')\\[2pt]
(I_1 \mid I_2,\ \sigma) & \to & (I_1' \mid I_2,\ \sigma') \quad \text{if } (I_1, \sigma) \to (I_1', \sigma')
\end{array}
\]

Note that the store updates in the second and third rules are local to the designated participants.

The type discipline for the calculus is based on session types. Writing $\theta, \theta_i, \ldots$ for first-order value types, the grammar of types is given as:

\[
\begin{array}{rcl}
\alpha & ::= & s \uparrow \Sigma_i \langle op_i, \theta_i\rangle.\, \alpha_i
\ \mid\ s \downarrow \Sigma_i \langle op_i, \theta_i\rangle.\, \alpha_i
\ \mid\ \alpha_1 \mid \alpha_2
\ \mid\ \mathsf{rec}\ t.\alpha\\
 & \mid & t \ \mid\ 0
\end{array}
\]

while the typing sequent has the form $\Gamma \vdash I \triangleright \Delta$ where:


- Typically $\Gamma$ contains a type assignment of the form $ch@A : (\tilde{s})\alpha$, which says a service channel $ch$ at $A$ may be invoked with fresh $\tilde{s}$ followed by a session $\alpha$.

- Typically $\Delta$ contains a type assignment of the form $\tilde{s}[A, B] : \alpha$, which says a session of type $\alpha$ from $A$ to $B$ takes place via $\tilde{s}$ (where $\alpha$ uses at most $\tilde{s}$).

The typing rules are omitted; with them we have the standard properties such as subject reduction and minimal (principal) typing.

The end-point calculus is an applied version of the π-calculus [12]. The following grammar defines processes ($P, Q, \ldots$) and networks ($M, N, \ldots$).

\[
\begin{array}{rcl}
P & ::= & !\,ch(\tilde{s}).P \ \mid\ ch(\nu\,\tilde{s}).P \ \mid\ s \triangleright \Sigma_i\, op_i(\tilde{y}_i).P_i \ \mid\ s \triangleleft op\langle\tilde{e}\rangle.P\\[2pt]
  & \mid & x := e.P \ \mid\ \mathsf{if}\ e\ \mathsf{then}\ P_1\ \mathsf{else}\ P_2 \ \mid\ P \oplus Q \ \mid\ P \mid Q \ \mid\ (\nu\,s)P\\[2pt]
  & \mid & X \ \mid\ \mathsf{rec}\ X.P \ \mid\ 0\\[6pt]
N & ::= & A[P]_\sigma \ \mid\ N_1 \mid N_2 \ \mid\ (\nu\,s)N \ \mid\ \epsilon
\end{array}
\]

where $A[P]_\sigma$ indicates a participant $A$ whose behaviour is given by $P$ and whose local state is $\sigma$. Reduction is given modulo the standard structural equality, with sample rules:

\[
\begin{array}{l}
A[\,!\,ch(\tilde{s}).P \mid R\,]_{\sigma_A} \mid B[\,ch(\nu\,\tilde{s}).Q \mid S\,]_{\sigma_B}
\ \to\ (\nu\,\tilde{s})\big(A[\,P \mid\ !\,ch(\tilde{s}).P \mid R\,]_{\sigma_A} \mid B[\,Q \mid S\,]_{\sigma_B}\big)\\[6pt]
A[\,s \triangleright \Sigma_i\, op_i(y_i).P_i \mid R\,]_{\sigma_A} \mid B[\,s \triangleleft op_j\langle v\rangle.Q \mid S\,]_{\sigma_B}
\ \to\ A[\,P_j \mid R\,]_{\sigma_A[y_j \mapsto v]} \mid B[\,Q \mid S\,]_{\sigma_B}
\end{array}
\]

The typing for the end-point calculus uses the same set of types, with two forms of sequent, one for processes and one for networks ($\Gamma$ and $\Delta$ are as above):

\[ \Gamma \vdash_A P \triangleright \Delta, \qquad \Gamma \vdash M \triangleright \Delta \]

where $\Gamma \vdash_A P \triangleright \Delta$ designates, as a subscript, the participant $A$ in which the subject process $P$ is to be located. The typing rules are those of standard session typing [10] (extended to multiple session channels). One basic rule is the following initialisation rule:

\[
\text{(init)}\quad
\frac{\Gamma,\ ch@A : (\tilde{s})\alpha \ \vdash_A\ P \triangleright \tilde{s} : \alpha}
     {\Gamma,\ ch@A : (\tilde{s})\alpha \ \vdash_A\ !\,ch(\tilde{s}).P \triangleright \emptyset}
\]

which demands that the linear session channels in the premise are abstracted in the conclusion (note the service channel $ch$ is replicated). The typing system satisfies the standard subject reduction, freedom from type errors, and minimal (principal) typing.

Finally we translate a global description to its end-point counterpart (end-point projection, or EPP). The process of EPP can however be tricky, because we can easily produce a global description which does not correspond to a realisable local counterpart. We have identified three descriptive principles, which are:

- Connectedness, a basic local causality principle.

- Well-threadedness, a stronger locality principle based on session types.

- Coherence, a consistency principle for the description of each participant.

All these principles are stipulated incrementally on the basis of well-typedness. They not only enunciate natural disciplines for well-structured global description, but also offer a gradually deeper analysis of operational aspects of global description, guiding us to the simple definition of an EPP map of essentially the following shape:

\[ (I, \sigma) \mapsto A[P]_{\sigma@A} \mid B[Q]_{\sigma@B} \mid C[R]_{\sigma@C} \mid \cdots \]

where $P$ is the projection of $I$ onto $A$, and similarly for the others; $\sigma@A$ projects $\sigma$ onto $A$. In [6] we have established that, when applied to well-structured interactions, the EPP mapping thus defined satisfies the following three properties:

- Type preservation: the typing is preserved through EPP.

- Soundness: nothing but behaviours (reductions) in $I$ are in the image of its EPP.

- Completeness: all behaviours (reductions) in $I$ are in the image of its EPP.

Thus the resulting processes/networks never have a type error, and they realise all and only the interactions prescribed in the original global description.
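The reduction rules, the projection and the three properties above, as an added runnable illustration that is not code from the paper: a Python fragment of the global calculus (com, if and 0 only; no session initiation, parallel composition, sum or recursion) with per-participant stores, an end-point projection in which the two branch projections of a participant that does not decide a conditional are merged into one branching input, and a run of the projected processes against each other whose communication trace is compared with the global one. The class and function names, the merge rule, the `_` dummy variable standing in for the payload-less QuoteNoGood message and the Buyer/Seller sample data are this example's own assumptions. The Shipper part of the page's example is left out because this fragment has no replicated service that could receive an initiation performed by only one branch, which is also why the second scenario below is rejected by the projection.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
# Added example, not code from the paper: a fragment of the global calculus (com, if, 0)
# with the page's reduction rules, an end-point projection onto per-participant
# processes, and a run of the projections against each other. Class names, the merge
# rule and the Buyer/Seller scenarios are this example's own assumptions.
Store = Dict[str, int]                   # one participant's local state
Expr = Callable[[Store], int]            # evaluated against the local store of ONE participant

@dataclass(frozen=True)
class Nil: pass                          # 0, used both globally and locally
@dataclass(frozen=True)
class Com:                               # global  A -> B : s<op, e, y>. I
    A: str; B: str; s: str; op: str; e: Expr; y: str; I: object
@dataclass(frozen=True)
class If:                                # if e@A then I1 else I2 (global and local)
    A: str; e: Expr; I1: object; I2: object
@dataclass(frozen=True)
class Send:                              # local   s <| op<e>. P
    s: str; op: str; e: Expr; P: object
@dataclass(frozen=True)
class Branch:                            # local   s |> Sum_i op_i(y_i). P_i  as ((op, y, P), ...)
    s: str; cases: Tuple[Tuple[str, str, object], ...]

def run_global(I, sigma: Dict[str, Store]) -> list:
    # Reduce (I, sigma) until I = 0, recording each communication (the page's rules).
    trace = []
    while not isinstance(I, Nil):
        if isinstance(I, If):                        # decided on A's local store only
            I = I.I1 if I.e(sigma[I.A]) else I.I2
            continue
        v = I.e(sigma[I.A]); sigma[I.B][I.y] = v     # sigma[y@B -> v]: only B's store changes
        trace.append((I.A, I.B, I.s, I.op, v)); I = I.I
    return trace

def merge(P, Q):
    # Projections of both branches for a participant that does not decide the choice:
    # equal ones merge trivially, two inputs on one session become a branching input.
    if P == Q:
        return P
    if isinstance(P, Branch) and isinstance(Q, Branch) and P.s == Q.s:
        cases = {op: (y, c) for op, y, c in P.cases}
        for op, y, c in Q.cases:
            cases[op] = (y, merge(cases[op][1], c)) if op in cases else (y, c)
        return Branch(P.s, tuple((op, y, c) for op, (y, c) in cases.items()))
    raise ValueError("not projectable: the choice never reaches this participant")

def project(I, A: str):
    # End-point projection of the global description I onto participant A.
    if isinstance(I, Nil):
        return Nil()
    if isinstance(I, Com):
        cont = project(I.I, A)
        if A == I.A:
            return Send(I.s, I.op, I.e, cont)
        return Branch(I.s, ((I.op, I.y, cont),)) if A == I.B else cont
    P1, P2 = project(I.I1, A), project(I.I2, A)
    return If(A, I.e, P1, P2) if A == I.A else merge(P1, P2)

def run_endpoints(procs: Dict[str, object], sigma: Dict[str, Store]) -> list:
    # A send on session s meets the peer's branching input on s carrying the same
    # operator (the page's second local rule); raises if no end-point can move.
    trace = []
    while any(not isinstance(P, Nil) for P in procs.values()):
        moved = False
        for A, P in list(procs.items()):
            if isinstance(P, If):
                procs[A], moved = (P.I1 if P.e(sigma[A]) else P.I2), True
            elif isinstance(P, Send):
                for B, Q in procs.items():
                    if B != A and isinstance(Q, Branch) and Q.s == P.s:
                        hit = {op: (y, c) for op, y, c in Q.cases}.get(P.op)
                        if hit:
                            v = P.e(sigma[A]); sigma[B][hit[0]] = v   # sigma_B[y_j -> v]
                            trace.append((A, B, P.s, P.op, v))
                            procs[A], procs[B], moved = P.P, hit[1], True
                        break
        if not moved:
            raise RuntimeError("deadlock: no end-point can move")
    return trace

def quote_scenario(threshold: int):
    # Constructed one-round version of the page's Buyer/Seller quote exchange (no
    # recursion, no Shipper); `threshold` stands in for reasonable(quote)@Buyer.
    acc = Com("Buyer", "Seller", "s", "QuoteAcc", lambda st: st["adr"], "adr", Nil())
    rej = Com("Buyer", "Seller", "s", "QuoteNoGood", lambda st: 0, "_", Nil())
    res = Com("Seller", "Buyer", "t", "QuoteRes", lambda st: st["quote"], "quote",
              If("Buyer", lambda st: st["quote"] < threshold, acc, rej))
    return Com("Buyer", "Seller", "s", "QuoteReq", lambda st: st["prod"], "prod", res)

def unconnected_scenario():   # Buyer decides, but only the 'then' branch reaches Seller
    go = Com("Buyer", "Seller", "s", "Go", lambda st: 1, "x", Nil())
    return If("Buyer", lambda st: st["prod"] > 0, go, Nil())

def is_projectable(I, A: str) -> bool:
    try: project(I, A); return True
    except ValueError: return False
```

Running `run_global` and `run_endpoints` on `quote_scenario(100)` from the same initial stores (for instance `{"Buyer": {"prod": 7, "adr": 42}, "Seller": {"quote": 90}}`) yields the same three-message trace, which is the sound-and-complete behaviour the text promises for well-structured descriptions; Seller's projection is a single process whose second input branches on QuoteAcc and QuoteNoGood. `unconnected_scenario()` shows the other side: Buyer's choice is never communicated to Seller, Seller's two branch projections cannot be merged, and `project` refuses the description.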

References

[1] Pi-Calculus for SOA, https://sourceforge.net/projects/pi4soa/.

[2] Baeten, J. C. M., H. M. A. van Beek and S. Mauw, Specifying internet applications with DiCons, in: SAC, 2001, pp. 576-584.

[3] Basten, T., "In Terms of Nets," Ph.D. thesis, Eindhoven University of Technology (1998).

[4] Bonelli, E., A. B. Compagnoni and E. L. Gunter, Correspondence assertions for process synchronization in concurrent communications, J. Funct. Program. 15 (2005), pp. 219-247.

[5] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communication-centred concurrent programming (part one), http://lists.w3.org/Archives/Public/public-ws-chor/2005Nov/att-0015/part1 Nov25.pdf (2005).

[6] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communication-centred concurrent programming (part two), to appear as a technical report (May 2006).


[7] Dezani-Ciancaglini, M., D. Mostrous, N. Yoshida and S. Drossopoulou, Session Types for Object-Oriented Languages, in: Proceedings of ECOOP'06, LNCS (2006).

[8] Foster, H., "A Rigorous Approach to Engineering Web Service Compositions," Ph.D. thesis, Imperial College London, University of London, Department of Computing (2006).

[9] Gay, S. J. and M. Hole, Subtyping for session types in the pi calculus, Acta Inf. 42 (2005), pp. 191-225.

[10] Honda, K., V. T. Vasconcelos and M. Kubo, Language primitives and type discipline for structured communication-based programming, in: ESOP '98 (1998), pp. 122-138.

[11] International Telecommunication Union, Recommendation Z.120: Message Sequence Chart (1996).

[12] Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, I and II, Information and Computation 100 (1992), pp. 1-40, 41-77.

[13] Needham, R. M. and M. D. Schroeder, Using encryption for authentication in large networks of computers, Commun. ACM 21 (1978), pp. 993-999.

[14] OMG, Unified Modelling Language, Version 2.0 (2004).

[15] Takeuchi, K., K. Honda and M. Kubo, An interaction-based language and its typing system, in: PARLE, Lecture Notes in Computer Science 817 (1994), pp. 398-413.

[16] van der Aalst, W., Inheritance of interorganizational workflows: How to agree to disagree without loosing control?, Information Technology and Management Journal 2 (2002), pp. 195-231.

[17] Vasconcelos, V. T., A. Ravara and S. J. Gay, Session types for functional multithreading, in: CONCUR, LNCS (2004), pp. 497-511.

[18] W3C WS-CDL WG, Web Services Choreography Description Language Version 1.0, http://www.w3.org/TR/2004/WD-ws-cdl-10-20040427/ (2004).


DCM 2006

Light Dialectica program extraction from a classical Fibonacci proof

Mircea-Dan Hernest 1,2

Laboratoire d'Informatique (LIX), École Polytechnique

F-91128 Palaiseau - FRANCE

Abstract

We demonstrate program extraction by the Light Dialectica Interpretation (LDI) on a minimal logic proof of the classical existence of Fibonacci numbers. This semi-classical proof is available in MinLog's library of examples. The term of Gödel's T extracted by the LDI is, after strong normalization, exactly the usual recursive algorithm which defines the Fibonacci numbers (in pairs). This outcome of the Light Dialectica meta-algorithm is much better than the T-program extracted by means of the pure Gödel Dialectica Interpretation. It is also strictly less complex than the result obtained by means of the refined A-translation technique of Berger, Buchholz and Schwichtenberg, but otherwise it is identical with the term yielded by Berger's Kripke-style refined A-translation.

Key words: Program extraction from (classical) proofs, Complexity of extracted programs, Refined A-translations, Quantifiers without computational meaning, Light Dialectica Interpretation, Computationally redundant contractions, Gödel's functional "Dialectica" interpretation, Proof Mining

1 Introduction

There has been quite some work in the last years in the field of program extraction from classical proofs. Although strong mathematical results have recently been obtained in the Proof Mining of classical analytical proofs (see, e.g., [15,16,17,19,21]), the computer-implemented program extraction meta-algorithms were able to produce only limited results, for rather small test cases, and even then the extracted program is not the optimal one.

1 Project LogiCal - Pôle Commun de Recherche en Informatique du Plateau de Saclay, CNRS, École Polytechnique, INRIA et Université Paris-Sud - FRANCE
2 Email: [email protected]

This paper is electronically published in Electronic Notes in Theoretical Computer Science

URL: www.elsevier.nl/locate/entcs


Hernest

Such an unsatisfying situation one encounters in the extraction of a rather unusual algorithm for the computation of Fibonacci numbers by means of the Berger-Buchholz-Schwichtenberg (BBS) refined A-translation of [3]. The term $t_{BBS}$ of Gödel's T extracted via this BBS refined A-translation from the MinLog minimal logic proof of the weak (classical) existence of the Fibonacci numbers, followed by Kreisel's Modified Realizability [18] and finally strongly normalized [4,5], necessarily makes use of a type-2 Gödel recursor. This is $R_{(\iota\to\iota\to\iota)\to\iota}$, where the type level (degree) of $(\iota\to\iota\to\iota)\to\iota$ is 2. Here $\iota$ is the base type which denotes the set of natural numbers $\mathbb{N}$ and $R_\rho$ is the denotation for the so-called "type-$\rho$ Gödel recursor", which actually has the type $\rho \to (\iota \to \rho \to \rho) \to \iota \to \rho$ in Gödel's T. See paper [3] for full details.

This is quite unexpected, since the usual recursive definition of Fibonacci numbers (in pairs) can be expressed in Gödel's T by means of a type-0 Gödel recursor only, namely $R_{\iota\times\iota}$. Here $\rho\times\tau$ denotes the pairing of types $\rho$ and $\tau$. In fact such a T-term was actually extracted in MinLog [24] by pure Modified Realizability, from the usual pure intuitionistic proof of the strong (intuitionistic) existence of Fibonacci numbers, see [3] 3.

The point of the endeavour of extracting programs from classical rather than constructive or even purely intuitionistic proofs is that (semi-)classical proofs are much easier and more direct to build, both by the human brain and in the various computer-implemented proof systems. It is therefore desirable that the algorithms synthesized from classical proofs by means of the more complex program extraction meta-algorithms 4 are at least as good as those yielded by the more common extraction techniques 5 from the corresponding constructive/purely intuitionistic proofs.

When applied to the semi-classical MinLog Fibonacci proof (originally introduced in [24], but slightly re-adapted in [11]), this is not the case, neither for the BBS refined A-translation (as described in detail in any of [2,3,23]), nor for the pure Gödel Dialectica Interpretation, as we show later in the sequel. Whereas a repair of this situation was provided for the BBS refined A-translation by Berger in [2] 6, none of the monotone [14] or bounded [8] optimizations of Gödel's technique can handle such an exact realizer extraction problem. It is the Light Dialectica interpretation (originally introduced in [12], but see also [13] for a much larger and more unified exposition) which gives the solution.

3 On the other hand, this linear (in the unary representation of natural numbers) algorithm is outperformed by other, logarithmic algorithms; see [23] for such an example.
4 Here we think particularly (but not exclusively) of those from the Dialectica family (see [22] for a nice unification work) and the Refined A-translation family.
5 Basically variants of Kreisel's Modified Realizability [18], which is a simpler but weaker form of Gödel's functional (Dialectica) interpretation [1,10].
6 Berger's Kripke-style refined A-translation introduced in [2] nicely combines the optimizing (in the sense of the efficiency of programs extracted from classical proofs) features of both the BBS [3] and the Coquand-Hofmann [7] refined A-translations. It furthermore adds the so-called uniform quantifiers, which are used to "label" and thus isolate parts of the input proof which are meant not to have computational content under such a translation.


2 The semi-classical Fibonacci proof in MinLog

MinLog is an interactive proof- and program-extraction system developed by H. Schwichtenberg and members of the logic group at the University of Munich. It is based on the first-order Natural Deduction calculus and uses minimal rather than classical or intuitionistic logic as primitive. See [11,24] for full details.

Definition 2.1 [Fibonacci Numbers] The inductive definition is as usual:

\[ \text{Base}:\ F_0 :\equiv 0,\quad F_1 :\equiv 1 \qquad\quad \text{Step}:\ F_{n+1} :\equiv F_n + F_{n-1}\ \text{ for } n \geq 1,\ n \in \mathbb{N} \]

The Fibonacci Numbers example was implemented in MinLog and comparatively analysed in [3], both by pure Modified Realizability (from the usual pure intuitionistic proof) and by the BBS refined A-translation (from a minimal logic proof of the weak, classical existence of Fibonacci Numbers; we dub such proofs "semi-classical") followed by Modified Realizability.

The semi-classical Fibonacci proof in MinLog is a Natural Deduction proof of $\forall n\, \exists^{cl} k\, G(n,k)$, where $\exists^{cl} k\, G(n,k) :\equiv (\forall k.\, G(n,k) \to \bot) \to \bot$, from assumptions expressing that $G$ is the graph of the Fibonacci function, i.e.,

\[ G(0,0)\ \text{AND}\ G(1,1)\ \text{AND}\ \forall n, k, l.\ [G(n,k) \wedge G(n+1,l)] \to G(n+2,\, k+l), \]

see Section 6 of [3] for full details.
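Definition 2.1 and the graph assumptions above, as an added example that is not code from the paper or from MinLog: a Python rendering of a type-ρ Gödel recursor as an ordinary function, instantiated at the pair type ι×ι to give the "Fibonacci numbers in pairs" program that the text says a type-0 recursor suffices for, together with a check that its output supplies the witness k of ∀n ∃k G(n,k) under the graph assumptions. The argument order of the step function and all identifiers are this example's conventions, not the paper's.

```python
from typing import Callable, Tuple, TypeVar

# Added example, not code from the paper or from MinLog: Gödel's type-rho recursor R
# written as a plain function, instantiated at the pair type iota x iota to give the
# "Fibonacci numbers in pairs" program the page refers to, and checked against
# Definition 2.1 and the graph assumptions of Section 2. All names are this example's own.
Rho = TypeVar("Rho")

def R(base: Rho, step: Callable[[int, Rho], Rho], n: int) -> Rho:
    # R base step 0 = base;  R base step (n+1) = step n (R base step n).  The step
    # function takes the index first (this example's convention). Written as a loop, so
    # the only recursion available to callers is the one the recursor itself provides.
    acc = base
    for i in range(n):
        acc = step(i, acc)
    return acc

def fib_pair(n: int) -> Tuple[int, int]:
    # R at type iota x iota (a type-0 recursor): returns the pair (F_n, F_{n+1}).
    return R((0, 1), lambda _i, p: (p[1], p[0] + p[1]), n)

def fib(n: int) -> int:
    return fib_pair(n)[0]

def fib_by_definition(n: int) -> int:
    # Definition 2.1 transcribed literally (F_0 = 0, F_1 = 1, F_{n+1} = F_n + F_{n-1});
    # exponential time, used here only as the specification.
    return n if n < 2 else fib_by_definition(n - 1) + fib_by_definition(n - 2)

def G(n: int, k: int) -> bool:
    # The graph of the Fibonacci function, the G of the semi-classical proof's assumptions.
    return fib_by_definition(n) == k

def realizes_graph(upto: int) -> bool:
    # fib_pair(n) = (k, l) must satisfy G(n, k), G(n+1, l) and, by the step assumption,
    # G(n+2, k+l); together with G(0,0) and G(1,1) this is the witness that the classical
    # existence statement "forall n exists k G(n, k)" asks for, checked for n < upto.
    if not (G(0, 0) and G(1, 1)):
        return False
    for n in range(upto):
        k, l = fib_pair(n)
        if not (G(n, k) and G(n + 1, l) and G(n + 2, k + l)):
            return False
    return True
```

`fib_pair` is the whole program: one recursor application over pairs, linear in n, with no higher-type recursion anywhere, which is the shape the abstract reports for the LDI-extracted term after normalization.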

3 The light functional Dialectica interpretation

The "light" variant of Gödel's functional "Dialectica" Interpretation was introduced in [12] as an optimization for term-extraction of Gödel's original technique 7 from [10]. The main feature of "Dialectica Light" is the elimination, already at extraction time, of a number of relevant (for the Dialectica program extraction) Contractions which are identified as redundant and in consequence are isolated by means of an adaptation of Berger's quantifiers without computational content 8 (introduced in [2] as "uniform quantifiers").

Dialectica Light (abbreviated LDI) is a recursive syntactic translation from proofs in a semi-classical 9 weakly extensional arithmetical system in all finite types 10 (denoted $\mathrm{WeZ}^{\exists,nc+}$) to proofs in the corresponding purely intuitionistic system 11 (denoted $\mathrm{WeZ}^{\exists}$) such that the positive occurrences of the strong $\exists$ and the negative occurrences of $\forall$ in the proof's conclusion formula get actually realized by terms in Gödel's T. These realizing terms are also called the programs extracted by the LDI and (if only the extracted programs are wanted) the translation process is also referred to as "program extraction". The LDI translation of proofs includes the following translation of formulas:

7 Paper [1] provides a nice survey in English which includes the extensions to full Analysis.
8 In [12] we named these special existential and universal quantifiers "without (or non-) computational meaning", abbreviated ncm. We here continue to use our own terminology.
9 This can be extended to fully classical proofs, modulo some double-negation translation.
10 System $\mathrm{WeZ}^{\exists,nc+}$ was denoted $\mathrm{WE\text{-}Z}^{+}$ in [12]. It is nevertheless much better presented, with complete comparative details, in [13], just like its corresponding $\mathrm{WeZ}^{\exists}$; see below.
11 System $\mathrm{WeZ}^{\exists}$, which was denoted $\mathrm{WE\text{-}Z}^{-}$ in [12], is a Natural Deduction formulation of the weakly extensional Heyting Arithmetic in all finite types $\mathrm{WE\text{-}HA}^{\omega}$ from Section 1.6.12 of [25]. See also [3,23] for the original corresponding fully extensional variant $\mathrm{Z}^{\exists} \equiv \mathrm{Z}^{+\exists}$.

Definition 3.1 By quantifier-free (qfr) formula we understand a formula built from prime formulas $\mathrm{at}(t^{o})$ and $\bot$ by means of $\wedge$, $\to$ and, if $\exists$ is available, also $\vee$. The qfr formulas are all decidable in our systems. There exists a unique bijective association of boolean terms to quantifier-free formulas $A_0 \mapsto t_{A_0}$ such that $\vdash A_0 \leftrightarrow \mathrm{at}(t_{A_0})$. Then the LDI translation of formulas is:

\[
\begin{array}{lcl}
A^D & :\equiv & A_D :\equiv \mathrm{at}(t_A) \quad \text{for quantifier-free formulas } A\\[4pt]
(A \wedge B)^D & :\equiv & \exists x, u\ \forall y, v\ [\ (A \wedge B)_D :\equiv A_D(x, y, a) \wedge B_D(u, v, b)\ ]\\[4pt]
(\exists z\, A(z, a))^D & :\equiv & \exists z^\dagger, x\ \forall y\ [\ (\exists z\, A(z, a))_D(z^\dagger, x, y, a) :\equiv A_D(x, y, z^\dagger, a)\ ]\\[4pt]
(\forall z\, A(z, a))^D & :\equiv & \exists X\ \forall z^\dagger, y\ [\ (\forall z\, A(z, a))_D(X, z^\dagger, y, a) :\equiv A_D(X(z^\dagger), y, z^\dagger, a)\ ]\\[4pt]
(\overline{\exists} z\, A(z, a))^D & :\equiv & \exists x\ \forall y\ [\ (\overline{\exists} z\, A(z, a))_D(x, y, a) :\equiv \exists z\ A_D(x, y, z, a)\ ]\\[4pt]
(\overline{\forall} z\, A(z, a))^D & :\equiv & \exists x\ \forall y\ [\ (\overline{\forall} z\, A(z, a))_D(x, y, a) :\equiv \forall z\ A_D(x, y, z, a)\ ]\\[4pt]
(A \to B)^D & :\equiv & \exists Y, U\ \forall x, v\ [\ (A \to B)_D :\equiv A_D(x, Y(x, v)) \to B_D(U(x), v)\ ]
\end{array}
\]

where $\cdot \mapsto \cdot^\dagger$ is a mapping which assigns to every given variable $z$ a completely new variable $z^\dagger$ which has the same type as $z$, and $\overline{\exists}$, $\overline{\forall}$ denote the ncm quantifiers. The free variables of $A_D$ are exactly the free variables of $A$.

Remark 3.2 For the light Dialectica interpretation, the radical (or "root") formula $A_D$ (which the LDI associates to $A$) is not necessarily quantifier-free, as it is for Gödel's pure functional interpretation. It actually contains the translation of all ncm quantifiers into the corresponding regular quantifiers.

Theorem 3.3 (Exact realizer synthesis by the Light Dialectica [12]) There exists an algorithm which, given at input a Natural Deduction proof $\mathcal{P} : \{C_i\}_{i=1}^{n} \vdash A$ 12 in $\mathrm{WeZ}^{\exists,nc+}$, eventually produces at output the following:

(i) the tuples of terms $\{T_i\}_{i=1}^{n}$ and $T$;

(ii) the tuples of variables $\{x_i\}_{i=1}^{n}$ and $y$; all together with

(iii) the verifying proof $\mathcal{P}^D : \{C_{i\,D}(x_i, T_i(x, y))\}_{i=1}^{n} \vdash A_D(T(x), y)$ in $\mathrm{WeZ}^{\exists}$;

where $x :\equiv x_1, \ldots, x_n$.

Moreover,

� the variables x and y do not occur in P (they are all completely new)� the free variables of T and fTigni=1 are among the free variables of A and

12 Hence of the formula A from the open assumption formulas C1; : : : ; Cn : Here \open" isto be understood as \un-cancelled" or \un-discharged" and not necessarily as \un-closed".

38

Page 44:  · Contents Preface v Maribel Fern andez (Invited Speaker) Every computable function is linear (in a sense) ...................... 1 Michel Cosnard, Luigi Liquori and

Hernest

fCigni=1 { we call this \the free variable condition (FVC) for programsextracted by the LDI".

hence x and y also do not occur free in the extracted terms fTigni=1 and T :

Remark 3.4 Gödel's functional "Dialectica" interpretation becomes relatively (far) more complicated at the moment when it has to face contraction. In the Natural Deduction setting, Contraction amounts to the discharging of at least two copies (from the same parcel 13) of an open assumption formula $A$ during an Implication Introduction

$\dfrac{\begin{array}{c}[A]\\ \vdots\\ B\end{array}}{A \to B}$

This is because, for the so-called "Dialectica-relevant" contractions 14, $A$ becomes part of the (raw, i.e., not yet normalized) realizing term. Therefore, the a priori (i.e., already at the extraction stage) elimination of some of these D-relevant contractions, rather than a posteriori (i.e., during the subsequent strong normalization process), represents an important complexity improvement of the extracted program.

13 In the sense of the terminology from [9].
14 See [13] for full details on this terminology and generally for a large and unified exposition of the Light Dialectica extraction.

4 A comparison of the three extraction techniques

It can be immediately seen, also from the machine benchmarks below, that the program yielded by the Light Dialectica interpretation clearly outperforms the algorithm given by the BBS refined A-translation. The latter is in its turn much more efficient than the term extracted by means of the pure Gödel Dialectica interpretation, which contains an important quantity of redundant information. All three extracted (by the three program-synthesis techniques) terms are presented below in a human-processed adaptation of the raw MinLog output. See [11] for the pure machine-extracted programs.

The subsequent computer benchmarks were performed on a DELL model X1 laptop (hence powered by an Intel Centrino CPU) running the Windows XP Professional operating system. We used the more special MinLog distribution [11], which is not yet integrated with the official MinLog [24]. As Scheme interpreter we used the Petite Chez Scheme 7.0a, see [20]. The quantitative measures of computing time and space overhead were obtained by means of the Scheme "time" procedure.

2) The (MinLog, adapted) outcome of pure Gödel's Dialectica interpretation:

    ..........................
    (add-var-name "n" "m" (py "nat"))
    (add-var-name "G" (py "nat=>nat=>boole"))
    (add-var-name "H" (py "(nat@@(nat@@nat)@@(nat@@nat))"))
    ..........................
    > t_{PDI} == [G,n] left right ((Rec nat=>nat@@(nat@@nat)@@(nat@@nat)) ((0@0@0)@0@1)
        ([m,H] [if [if (G left left H left right left H)
                       [if (G (Succ left left H) right right left H)
                           (G (Succ(Succ left left H)) (left right left H + right right left H))
                           True]
                       True]
                   (m @ right H) (left H)]
               @ right right H @ left right H + right right H) n)
    > (time (nt (mk-term-in-app-form t_{PDI} (pt "G") (pt "5"))))
        314 collections
        6031 ms elapsed cpu time, including 676 ms collecting
        6110 ms elapsed real time, including 687 ms collecting
        341280176 bytes allocated, including 337674848 bytes reclaimed
    "5"
    > (time (nt (make-term-in-app-form t_{PDI} (pt "G") (pt "6"))))
        2700 collections
        56750 ms elapsed cpu time, including 9676 ms collecting
        58375 ms elapsed real time, including 10008 ms collecting
        2937460672 bytes allocated, including 2933419728 bytes reclaimed
    "8"

1) The outcome of the BBS refined A-translation (MinLog output, adapted):

    ..........................
    (add-var-name "i" "j" "k" "l" "m" "n" (py "nat=>nat=>nat"))
    (add-var-name "f" (py "nat=>nat=>nat"))
    (add-var-name "H" (py "(nat=>nat=>nat)=>nat"))
    ..........................
    > > > t_{BBS} == "[k](Rec nat=>(nat=>nat=>nat)=>nat)([f] f 0 1) ([l,H,f] H ([i,j] H ([n,m] f m (n+m))))k ([n,m] n)"
    > (time (nt (make-term-in-app-form t_{BBS} (pt "12"))))
        39 collections
        813 ms elapsed cpu time, including 109 ms collecting
        813 ms elapsed real time, including 107 ms collecting
        42919528 bytes allocated, including 39266296 bytes reclaimed
    "144"
    > (time (nt (make-term-in-app-form t_{BBS} (pt "15"))))
        321 collections
        7094 ms elapsed cpu time, including 1153 ms collecting
        7203 ms elapsed real time, including 1246 ms collecting
        348911096 bytes allocated, including 326154920 bytes reclaimed
    "610"

3) The outcome of Light Dialectica interpretation (MinLog output, adapted):

    ..........................
    (add-var-name "n" "m" (py "nat"))
    (add-var-name "G" (py "nat=>nat=>boole"))
    (add-var-name "H" (py "(nat@@nat)"))
    ..........................
    > t_{LDI} == "[G,n] left ((Rec nat=>nat@@nat) (0@1) ([m,H] right H @ left H + right H) n)"
    > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "15"))))
        6 collections
        125 ms elapsed cpu time, including 0 ms collecting
        140 ms elapsed real time, including 0 ms collecting
        6802576 bytes allocated, including 6383624 bytes reclaimed
    "610"
    > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "20"))))
        68 collections
        1343 ms elapsed cpu time, including 62 ms collecting
        1344 ms elapsed real time, including 63 ms collecting
        73584536 bytes allocated, including 71466424 bytes reclaimed
    "6765"
    > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "25"))))
        750 collections
        16219 ms elapsed cpu time, including 2279 ms collecting
        16657 ms elapsed real time, including 2331 ms collecting
        816525224 bytes allocated, including 803991296 bytes reclaimed
    "75025"

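As an added illustration (not MinLog output and not the paper's own code), the three extracted terms transcribed into Python so that the cost structure behind the benchmarks can be inspected: fib_ldi is the pair iteration of t_LDI, fib_bbs follows t_BBS call for call and counts its base-case entries (2^k of them), and fib_pdi follows t_PDI including the extra component carried by the contraction. The reading of the MinLog pair type as ((a,(b,c)),(d,e)), the type of G as a function from two naturals to a boolean, and the sample G are assumptions of the transcription.

```python
"""Python transcriptions of the three extracted Fibonacci terms of Section 4.

Constructed example: hand transcriptions of the MinLog terms t_LDI, t_BBS and
t_PDI, not MinLog output.  Reading assumed for the MinLog notation:
Rec = primitive recursion on nat, @ = pairing, [x,y] T = lambda abstraction,
left/right = projections, [if b s t] = if-then-else.
"""
import sys

# t_BBS is in continuation-passing style and nests every call, so the Python
# stack depth is about 4 * 2**k for input k; allow k up to roughly 10.
sys.setrecursionlimit(max(sys.getrecursionlimit(), 20_000))


def fib_ldi(n):
    """t_LDI == [G,n] left ((Rec nat=>nat@@nat) (0@1)
                              ([m,H] right H @ left H + right H) n)

    The Light Dialectica term never uses its counterexample argument G, so it
    is dropped here.  Rec iterates the pair H = (Fib(m), Fib(m+1)).
    """
    h = (0, 1)                       # (0@1)
    for _m in range(n):              # Rec unfolds n times
        h = (h[1], h[0] + h[1])      # [m,H] right H @ (left H + right H)
    return h[0]                      # left (...)


def fib_bbs(k):
    """t_BBS == [k] (Rec nat=>(nat=>nat=>nat)=>nat) ([f] f 0 1)
                    ([l,H,f] H ([i,j] H ([n,m] f m (n+m)))) k ([n,m] n)

    Returns (Fib(k), number of entries into the base case `f 0 1`).
    H is the previous stage, a function awaiting a continuation f.  The step
    calls H twice, once directly and once inside the continuation [i,j] ...,
    and the outer call only returns what the inner call computes, so the
    work doubles at every level: 2**k base-case entries.
    """
    base_calls = [0]

    def rec(l):
        if l == 0:
            def base(f):                           # [f] f 0 1
                base_calls[0] += 1
                return f(0, 1)
            return base
        H = rec(l - 1)                             # stage l-1
        return lambda f: H(lambda i, j: H(lambda n, m: f(m, n + m)))

    value = rec(k)(lambda n, m: n)                 # ... k ([n,m] n)
    return value, base_calls[0]


def fib_pdi(G, n):
    """t_PDI == [G,n] left right ((Rec nat=>nat@@(nat@@nat)@@(nat@@nat))
                    ((0@0@0)@0@1)
                    ([m,H] [if [if (G left left H left right left H)
                                   [if (G (Succ left left H) right right left H)
                                       (G (Succ (Succ left left H))
                                          (left right left H + right right left H))
                                       True]
                                   True]
                               (m @ right H) (left H)]
                           @ right right H @ left right H + right right H) n)

    Pure Gödel Dialectica term.  H is read as ((a, (b, c)), (d, e)): (d, e)
    is the Fibonacci pair, while (a, (b, c)) is the extra data contributed by
    the contraction in the proof: a stage index and a pair, kept or replaced
    according to the tests on the counterexample function G.  The result
    left right H = d never depends on that extra component, nor on G.
    """
    h = ((0, (0, 0)), (0, 1))                      # ((0@0@0)@0@1)
    for m in range(n):
        (a, (b, c)), (d, e) = h
        # [if (G a b) [if (G (Succ a) c) (G (Succ (Succ a)) (b+c)) True] True]
        if G(a, b):
            replace = G(a + 2, b + c) if G(a + 1, c) else True
        else:
            replace = True
        extra = (m, (d, e)) if replace else (a, (b, c))  # (m @ right H) / (left H)
        h = (extra, (e, d + e))   # ... @ right right H @ (left right H + right right H)
    return h[1][0]                                 # left right (...)


def compare(n=10):
    """Run all three transcriptions on the same input, with a constructed G."""
    G = lambda a, b: a < b                         # any nat=>nat=>boole will do
    return fib_ldi(n), fib_bbs(n), fib_pdi(G, n)


if __name__ == "__main__":
    print(compare(10))                             # (55, (55, 1024), 55)
```

In the MinLog sessions G is passed as a free variable (`(pt "G")`), so the `if` tests on G cannot be decided by `nt`, whereas the concrete G used here is evaluated eagerly; this is presumably why the transcription of t_PDI does not reproduce the blow-up in its benchmark, while fib_bbs does reproduce the doubling visible in the t_BBS timings.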
5 Conclusions and future work

More practical examples should be found for the application of the "light" optimization of Gödel's Dialectica interpretation. A negative result exists for the case of the MinLog-implemented semi-classical proof of Dickson's Lemma (see [6]). Here three nested Inductions give rise to three Contractions which are thus all three included in the extracted term(s), within the triply nested recursion. It is hence immediate to figure out that such a program would be very complex. Unfortunately, the Light Dialectica cannot repair this situation.


References

[1] Avigad, J. and S. Feferman, Gödel's functional (`Dialectica') interpretation, in: S. Buss, editor, Handbook of Proof Theory, Studies in Logic and the Foundations of Mathematics 137, Elsevier, 1998, pp. 337-405.

[2] Berger, U., Uniform Heyting Arithmetic, Annals of Pure and Applied Logic 133 (2005), pp. 125-148, Festschrift for H. Schwichtenberg's 60th birthday.

[3] Berger, U., W. Buchholz and H. Schwichtenberg, Refined program extraction from classical proofs, Annals of Pure and Applied Logic 114 (2002), pp. 3-25.

[4] Berger, U., M. Eberl and H. Schwichtenberg, Normalization by Evaluation, in: B. Möller and J. Tucker, editors, Prospects for Hardware Foundations, LNCS 1546, Springer Verlag, 1998, pp. 117-137.

[5] Berger, U., M. Eberl and H. Schwichtenberg, Term rewriting for Normalization by Evaluation, Information and Computation 183 (2003), pp. 19-42, International Workshop on Implicit Computational Complexity (ICC'99).

[6] Berger, U., H. Schwichtenberg and M. Seisenberger, The Warshall algorithm and Dickson's lemma: Two examples of realistic program extraction, Journal of Automated Reasoning 26 (2001), pp. 205-221.

[7] Coquand, T. and M. Hofmann, A new method for establishing conservativity of classical systems over their intuitionistic version, Mathematical Structures in Computer Science 9 (1999), pp. 323-333.

[8] Ferreira, F. and P. Oliva, Bounded functional interpretation, Annals of Pure and Applied Logic 135 (2005), pp. 73-112.

[9] Girard, J.-Y., P. Taylor and Y. Lafont, "Proofs and Types", Cambridge University Press, 1989.

[10] Gödel, K., Über eine bisher noch nicht benützte Erweiterung des finiten Standpunktes, Dialectica 12 (1958), pp. 280-287.

[11] Hernest, M.-D., MinLog for Dialectica program-extraction, Free software, code source @ http://www.brics.dk/edanher/MinLogForDialectica, For the official MinLog see [24].

[12] Hernest, M.-D., Light Functional Interpretation, Lecture Notes in Computer Science (LNCS) 3634 (2005), pp. 477-492, Computer Science Logic: 19th International Workshop, CSL 2005.

[13] Hernest, M.-D., "Feasible programs from (non-constructive) proofs by the light (monotone) Dialectica interpretation," PhD Thesis, École Polytechnique and University of Munich (LMU) (2006), In preparation, draft available @ http://www.brics.dk/edanher/teza/.

[14] Kohlenbach, U., Analysing proofs in Analysis, in: W. Hodges, M. Hyland, C. Steinhorn and J. Truss, editors, Logic: from Foundations to Applications, Keele, 1993, European Logic Colloquium (1996), pp. 225-260.

[15] Kohlenbach, U., Some logical metatheorems with applications in functional analysis, Transactions of the American Mathematical Society 357 (2005), pp. 89-128.

[16] Kohlenbach, U., Proof Interpretations and the Computational Content of Proofs, Latest version in the author's web page (April 2006), vii + 420pp.

[17] Kohlenbach, U. and P. Oliva, Proof mining: a systematic way of analysing proofs in Mathematics, Proceedings of the Steklov Institute of Mathematics 242 (2003), pp. 136-164.

[18] Kreisel, G., Interpretation of analysis by means of constructive functionals of finite types, in: A. Heyting, editor, Constructivity in Mathematics, North-Holland Publishing Company, 1959, pp. 101-128.

[19] Leuştean, L., A quadratic rate of asymptotic regularity for CAT(0)-spaces, Journal of Mathem. Analysis and Applications (2006), To appear, downloadable from Elsevier's "Science Direct", Articles in Press, Corrected Proof.

[20] Cadence Research Systems, Chez Scheme, http://www.scheme.com (2006).

[21] Oliva, P., Understanding and using Spector's bar recursive interpretation of classical analysis, in: Proceedings of CiE'2006, LNCS 3988 (2006), pp. 423-434, Available in the author's Web page @ http://www.dcs.qmul.ac.uk/epbo/.

[22] Oliva, P., Unifying functional interpretations, Notre Dame Journal of Formal Logic (2006), to appear, downloadable from the author's Web page.

[23] Schwichtenberg, H., Minimal logic for computable functions, Lecture course on program-extraction from (classical) proofs. Available in the author's web page or in the MinLog distribution [24].

[24] Schwichtenberg, H. and Others, Proof- and program-extraction system MinLog, Free code and documentation at http://www.minlog-system.de.

[25] Troelstra, A., editor, "Metamathematical investigation of intuitionistic Arithmetic and Analysis," Lecture Notes in Mathematics 344, Springer-Verlag, Berlin - Heidelberg - New York, 1973.


DCM 2006

On the Computational Representation of Classical Logical Connectives

Jayshan Raghunandan and Alexander J. Summers

Department of Computing, Imperial College London, 180 Queen's Gate, London SW7 2RH, UK

Abstract

Many programming calculi have been designed to have a Curry-Howard correspondence with a classical logic. We investigate the effect different choices of logical connective have on such calculi, and the resulting computational content.

We identify two connectives ‘if-and-only-if’ and ‘exclusive or’ whose computational content is not well known, and whose cut elimination rules are non-trivial to define. In the case of the former, we define a term calculus and show that the computational content of several other connectives can be simulated. We show this is possible even for connectives not logically expressible with ‘if-and-only-if’.

1 Introduction

There are many programming calculi which have been designed to have a Curry-Howard correspondence with a logical proof system. In recent years, such calculi have been designed to explore the computational content of Classical Logic (for example [8,4,2,10,6,13,11]). Different authors have chosen different sets of logical connectives to treat as primitive in their logic, and designed the syntax and reduction rules of their calculi accordingly. Implication is the most popular choice of connective, since it is well-understood that its computational behaviour is related to function abstraction and application. There are calculi which do not use implication, for example that of Wadler [13]. Calculi exist which employ conjunction, disjunction, negation, and even more esoteric connectives such as difference [2,1] and constants for truth and falsity.

We consider logics with different primitive connectives, and discuss general approaches to the design of corresponding term calculi. We restrict our attention to propositional logical connectives; an investigation of various approaches to employing quantifiers has been studied in [9].

1 Email: [email protected], [email protected]

This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs

We work in the logical context of the sequent calculus in which one deals with sequents of the form $A_1, \ldots, A_m \vdash B_1, \ldots, B_n$, read as “if all of $A_1, \ldots, A_m$ are true, at least one of $B_1, \ldots, B_n$ is true”. Proof rules are defined for introducing a logical connective on the left and right of a sequent. In this paper we avoid the need for structural rules [3] by following the style of Kleene [5]. In brief, we treat the collections of formulas on the left and right of a sequent as sets, and allow extra formulas in the axioms of a derivation. An example of such a sequent calculus is specified by Figure 1 which is the basis of the $\mathcal{X}$-calculus described in the following section.

$(\mathrm{Ax})\ \dfrac{}{\Gamma, A \vdash A, \Delta}$ $\qquad$ $(\mathrm{cut})\ \dfrac{\Gamma \vdash \Delta, A \qquad A, \Gamma \vdash \Delta}{\Gamma \vdash \Delta}$

$(\to L)\ \dfrac{\Gamma \vdash A, \Delta \qquad B, \Gamma \vdash \Delta}{\Gamma, A \to B \vdash \Delta}$ $\qquad$ $(\to R)\ \dfrac{\Gamma, A \vdash B, \Delta}{\Gamma \vdash A \to B, \Delta}$

Fig. 1. A sequent-calculus for implication

2 The $\mathcal{X}$-Calculus

Our work is based on the $\mathcal{X}$-calculus [11]; a term annotation for classical implicative sequent calculus. We recall here the basic definitions.

Definition 2.1 [$\mathcal{X}$-Terms] The terms of the $\mathcal{X}$-calculus are defined by the following syntax, where $x, y$ range over the infinite set of sockets and $\alpha, \beta$ over the infinite set of plugs (sockets and plugs together form the set of connectors).

$P, Q ::= \langle x \cdot \alpha \rangle \mid \hat{y} P \hat{\beta} \cdot \alpha \mid P \hat{\alpha} [y] \hat{x} Q \mid P \hat{\alpha} \dagger \hat{x} Q \mid P \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} Q \mid P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q$

(capsule, export, mediator, cut, left-cut, right-cut, respectively)

The $\hat{\ }$ symbolises that the connector underneath is bound in the term. We will use $fp(P)$ to denote the free plugs of $P$, and similarly $fs(P)$ for free sockets. We work modulo $\alpha$-conversion (issues regarding $\alpha$-conversion have been studied in [12]). The reduction rules are as follows.

Definition 2.2 [Logical Rules] The logical rules are presented by:

(cap): $\langle y \cdot \alpha \rangle \hat{\alpha} \dagger \hat{x} \langle x \cdot \beta \rangle \to \langle y \cdot \beta \rangle$

(exp): $(\hat{y} P \hat{\beta} \cdot \alpha) \hat{\alpha} \dagger \hat{x} \langle x \cdot \gamma \rangle \to \hat{y} P \hat{\beta} \cdot \gamma$, $\alpha \notin fp(P)$

(med): $\langle y \cdot \alpha \rangle \hat{\alpha} \dagger \hat{x} (P \hat{\beta} [x] \hat{z} Q) \to P \hat{\beta} [y] \hat{z} Q$, $x \notin fs(P, Q)$

(exp-med): $(\hat{y} P \hat{\beta} \cdot \alpha) \hat{\alpha} \dagger \hat{x} (Q \hat{\gamma} [x] \hat{z} R) \to \left\{ \begin{array}{l} Q \hat{\gamma} \dagger \hat{y} (P \hat{\beta} \dagger \hat{z} R) \\ (Q \hat{\gamma} \dagger \hat{y} P) \hat{\beta} \dagger \hat{z} R \end{array} \right\}$, $\alpha \notin fp(P)$, $x \notin fs(Q, R)$

The first three logical rules above specify a renaming (reconnecting) procedure, whereas the last rule specifies the basic computational step: it allows the body of the function from the export to be inserted between the two subterms of the mediator (the resulting cuts may be bracketed either way, as shown).

Definition 2.3 [Activation Rules] We define two cut-activation rules.

(act-L): $P \hat{\alpha} \dagger \hat{x} Q \to P \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} Q$ if $P$ does not introduce $\alpha$

(act-R): $P \hat{\alpha} \dagger \hat{x} Q \to P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q$ if $Q$ does not introduce $x$

where:

$P$ introduces $x$: Either $P = Q \hat{\beta} [x] \hat{y} R$ and $x \notin fs(Q, R)$, or $P = \langle x \cdot \alpha \rangle$

$P$ introduces $\alpha$: Either $P = \hat{x} Q \hat{\beta} \cdot \alpha$ and $\alpha \notin fp(Q)$, or $P = \langle x \cdot \alpha \rangle$

An activated cut is processed by ‘pushing’ it systematically through the syntactic structure of the term in the direction indicated by the tilting of the dagger. This behaviour is expressed by the propagation rules.

Definition 2.4 [Propagation Rules]

Left Propagation:

($\dagger\!\!\!/\ \dagger$): $\langle y \cdot \alpha \rangle \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to \langle y \cdot \alpha \rangle \hat{\alpha} \dagger \hat{x} P$

($\dagger\!\!\!/$ cap): $\langle y \cdot \beta \rangle \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to \langle y \cdot \beta \rangle$, $\beta \neq \alpha$

($\dagger\!\!\!/$ exp-outs): $(\hat{y} Q \hat{\beta} \cdot \alpha) \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to (\hat{y} (Q \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P) \hat{\beta} \cdot \gamma) \hat{\gamma} \dagger \hat{x} P$, $\gamma$ fresh

($\dagger\!\!\!/$ exp-ins): $(\hat{y} Q \hat{\beta} \cdot \gamma) \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to \hat{y} (Q \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P) \hat{\beta} \cdot \gamma$, $\gamma \neq \alpha$

($\dagger\!\!\!/$ med): $(Q \hat{\beta} [z] \hat{y} R) \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to (Q \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P) \hat{\beta} [z] \hat{y} (R \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P)$

($\dagger\!\!\!/$ cut-cap): $(Q \hat{\beta} \dagger \hat{y} \langle y \cdot \alpha \rangle) \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to (Q \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P) \hat{\beta} \dagger \hat{x} P$

($\dagger\!\!\!/$ cut): $(Q \hat{\beta} \dagger \hat{y} R) \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P \to (Q \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P) \hat{\beta} \dagger \hat{y} (R \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} P)$, $R \neq \langle y \cdot \alpha \rangle$

Right Propagation:

($\dagger\!\!\!\backslash\ \dagger$): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} \langle x \cdot \beta \rangle \to P \hat{\alpha} \dagger \hat{x} \langle x \cdot \beta \rangle$

($\dagger\!\!\!\backslash$ cap): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} \langle y \cdot \beta \rangle \to \langle y \cdot \beta \rangle$, $y \neq x$

($\dagger\!\!\!\backslash$ exp): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} (\hat{y} Q \hat{\beta} \cdot \gamma) \to \hat{y} (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q) \hat{\beta} \cdot \gamma$

($\dagger\!\!\!\backslash$ med-outs): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} (Q \hat{\beta} [x] \hat{y} R) \to P \hat{\alpha} \dagger \hat{z} ((P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q) \hat{\beta} [z] \hat{y} (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} R))$, $z$ fresh

($\dagger\!\!\!\backslash$ med-ins): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} (Q \hat{\beta} [z] \hat{y} R) \to (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q) \hat{\beta} [z] \hat{y} (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} R)$, $z \neq x$

($\dagger\!\!\!\backslash$ cut-cap): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} (\langle x \cdot \beta \rangle \hat{\beta} \dagger \hat{y} R) \to P \hat{\alpha} \dagger \hat{y} (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} R)$

($\dagger\!\!\!\backslash$ cut): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} (Q \hat{\beta} \dagger \hat{y} R) \to (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q) \hat{\beta} \dagger \hat{y} (P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} R)$, $Q \neq \langle x \cdot \beta \rangle$

We write $\to$ for the reduction relation generated by the logical, propagation and activation rules. The following are admissible rules (see [11,12]).

Lemma 2.5 (Garbage Collection and Renaming)

(gc-L): $P \hat{\alpha} \,\dagger\!\!\!/\, \hat{x} Q \to P$, if $\alpha \notin fp(P)$

(gc-R): $P \hat{\alpha} \,\dagger\!\!\!\backslash\, \hat{x} Q \to Q$, if $x \notin fs(Q)$

(ren-L): $P \hat{\delta} \dagger \hat{z} \langle z \cdot \alpha \rangle \to P[\alpha/\delta]$

(ren-R): $\langle z \cdot \alpha \rangle \hat{\alpha} \dagger \hat{x} P \to P[z/x]$

3 The Computational Representation of a Connective

In this section, we outline some of the techniques used in the rest of the paper for deriving suitable proof rules, and corresponding syntax representations and reduction rules to represent the inclusion of a particular logical connective.

We use $A, B, \ldots$ as propositional variables and $\neg$ to represent logical negation, which binds tighter than any other connective. We use $\circ$ and $\star$ to represent arbitrary binary connectives. For formulas $F_1$ and $F_2$ we write $F_1 \equiv F_2$ (and say the formulas are logically equivalent) if for all assignments of truth values to propositional variables, $F_1$ and $F_2$ evaluate to the same truth value.

3.1 Syntax

We work in the style of the $\mathcal{X}$-calculus, since this gives a simple and symmetric treatment of the inputs and outputs present within the syntax. When deriving the syntax to represent a particular proof rule, formulas which occur on the left of a sequent will become inputs (sockets) $x, y, z, \ldots$ while formulas on the right will be outputs (plugs) $\alpha, \beta, \gamma, \ldots$. Any subproofs present in the rule will be represented as subterms of the syntax. Formulas which disappear from such subproofs by application of the proof rule (formulas which are bound by the rule) will correspond to bound connectors on the subterms, while the new formula which is introduced by the rule corresponds to a free connector of the appropriate kind. To see these ideas in practice, the reader may wish to compare Figure 1 with Definition 2.1.

3.2 Reduction Rules

Whatever logical connectives are of interest, we will always keep the following $\mathcal{X}$ reduction rules (which deal with cuts and capsules) in place:

cap, act-L, act-R, ($\dagger\!\!\!/\ \dagger$), ($\dagger\!\!\!/$ cap), ($\dagger\!\!\!/$ cut-cap), ($\dagger\!\!\!/$ cut), ($\dagger\!\!\!\backslash\ \dagger$), ($\dagger\!\!\!\backslash$ cap), ($\dagger\!\!\!\backslash$ cut-cap), ($\dagger\!\!\!\backslash$ cut)

The notion of a plug or socket being introduced can be generalised to say $P$ introduces $x$ (respectively, $\alpha$) iff $x$ is free in $P$ but not in any of its subterms.

Propagation rules must be defined for propagating left and right cuts through each syntactic construct. The general approach is to push copies of the cut into the subterms, leaving a copy on the outside if an occurrence of the desired connector was present at this level (c.f. $\dagger\!\!\!\backslash$ med-outs).

This leaves the appropriate extra logical reduction rules to be defined. Each new syntax construct warrants a logical rule to specify a renaming of its introduced connector, via a cut with a capsule (see the rules exp and med, for example). Finally, for each logical connective employed, a logical rule must be defined to show how a cut between the right and left introduction of the connective may be reduced (c.f. the rule exp-med). We call this the principal logical rule for the connective, since it is the rule which specifies how these structures may be removed from a proof, creating new cuts between their subterms and simplifying the task of cut-elimination. The principal rule is the only one which cannot be methodically derived independent of the particular connective concerned. For this reason, when investigating the representation of a particular connective, as far as reduction rules are concerned we will only concern ourselves with the principal logical rule for the connective.

$(\leftarrow L)\ \dfrac{\Gamma \vdash B, \Delta \qquad \Gamma, A \vdash \Delta}{\Gamma, A \leftarrow B \vdash \Delta}$ $\qquad$ $(\leftarrow R)\ \dfrac{\Gamma, B \vdash A, \Delta}{\Gamma \vdash A \leftarrow B, \Delta}$

Fig. 2. Sequent Rules for reverse implication

4 Comparing Logical Connectives

In this section, we compare various logical connectives, focusing on relationships between them and how this affects their inclusion into a term calculus. For each connective, we are interested in the following three questions:

(i) What is a suitable term representation of its proof rules?

(ii) What is its principal reduction rule?

(iii) What computational content is gained by its inclusion?

A connective may apply to an arbitrary number of arguments (hereon its arity). It is rare in the literature to consider connectives with arity greater than two (although for an example, see [7]). We will henceforth only interest ourselves in connectives of arity 2 (and below), as is common practice.

We are interested in the relationships between these connectives, and how they are reflected by their computational counterparts. For example, duality is a well-known concept relating logical connectives, and this relationship carries over into their computational behaviour (c.f. [2,13]).

We make use of the following relationships between connectives:

Definition 4.1 [Relating connectives] For any two binary connectives $\circ$, $\star$:

Duality We say $\star$ is the dual of $\circ$ iff $A \star B \equiv \neg(\neg A \circ \neg B)$.

Negation We say $\star$ is the negation of $\circ$ iff $A \star B \equiv \neg(A \circ B)$.

Reversal We say $\star$ is the reverse of $\circ$ iff $A \star B \equiv B \circ A$.

Flipping inputs We say $\star$ is obtained from $\circ$ by flipping an input if either $A \star B \equiv \neg A \circ B$ or $A \star B \equiv A \circ \neg B$.

In all but the last case, these concepts describe self-inverse functions (e.g. the dual of the dual of a connective is the connective itself).

[Fig. 3. Binary Connectives: a diagram of the connectives $\top$, ID, $\wedge$, $\vee$, $-$, $\leftrightarrow$, $\bot$, $\neg$, $\uparrow$, $\downarrow$, $\to$ and exclusive or, joined by arrows labelled D, N and F. Note: $\uparrow$ = nand, $\downarrow$ = nor; the remaining symbol denotes xor.]

We argue that the effect of the ‘reversal’ of a connective is not significant with respect to our questions of interest. For example, consider the connective $\leftarrow$ (reverse implication). A pair of sequent rules for this connective is shown in Figure 2. Deriving the syntax needed to represent these rules, we find that we can use exactly the same as that for implication. This is because the same inputs and outputs are bound and introduced in the rules; the only difference being the positioning of $A$ and $B$, which is irrelevant once the types are removed. Similarly, the reduction rules required to represent this connective will be exactly the same as those for implication, and so will the computational content obtained. This generalises to any connective and its reverse.

As a result of this observation, we choose to examine the binary connectives modulo reversals. These are shown in Figure 3, which includes arrows indicating duality (D), negation (N) and flipping inputs (F). It remains for us to explain the significance of these remaining three relations.

Before examining the effect of negating a connective, it is useful to examine the negation connective itself. The sequent rules for negation are as follows:

$(\neg L)\ \dfrac{\Gamma \vdash A, \Delta}{\Gamma, \neg A \vdash \Delta}$ $\qquad$ $(\neg R)\ \dfrac{\Gamma, A \vdash \Delta}{\Gamma \vdash \neg A, \Delta}$

The first rule binds a formula on the left of the sequent and produces a new one on the right, while the second does the opposite. The syntax we choose to use for negation reflects this swapping of inputs for outputs in the simplest way possible; we write $x \cdot P \hat{\alpha}$ and $\hat{y} Q \cdot \beta$ for the left and right terms respectively. The principal reduction rule for negation is as follows:

$(\hat{x} P \cdot \alpha) \hat{\alpha} \dagger \hat{y} (y \cdot Q \hat{\beta}) \to Q \hat{\beta} \dagger \hat{x} P$, $\alpha \notin fp(P)$, $y \notin fs(Q)$

Given the sequent rules for any connective it is straightforward to derive suitable sequent rules for the negation of the connective. Since negation swaps inputs with outputs, the rules will be exactly the same except that the formula introduced appears on the opposite side of the sequent. For example, the sequent rules for difference ($-$) are as follows.

$(-L)\ \dfrac{\Gamma, A \vdash B, \Delta}{\Gamma, A - B \vdash \Delta}$ $\qquad$ $(-R)\ \dfrac{\Gamma \vdash A, \Delta \qquad \Gamma, B \vdash \Delta}{\Gamma \vdash A - B, \Delta}$

Similarly, appropriate syntax to represent difference will have the same subterms, inputs and outputs as for implication, except that the free connector introduced appears on the opposite side of the sequent. In defining a cut-elimination rule, one can see that the reduct of the key logical rule will be the same in the cases of $\to$ and $-$, and in general for a connective and its negation.

The relationship between a connective and its dual, in terms of its computational representation, can also be seen to induce a relationship between their term representations. In this case, as well as the introduced formula ‘swapping sides’, the formulas which are bound in the proof rules also do so. For example, compare the rules for $\wedge$ and $\vee$:

$(\wedge L)\ \dfrac{\Gamma, A, B \vdash \Delta}{\Gamma, A \wedge B \vdash \Delta}$ $\qquad$ $(\wedge R)\ \dfrac{\Gamma \vdash A, \Delta \qquad \Gamma \vdash B, \Delta}{\Gamma \vdash A \wedge B, \Delta}$

$(\vee R)\ \dfrac{\Gamma \vdash A, B, \Delta}{\Gamma \vdash A \vee B, \Delta}$ $\qquad$ $(\vee L)\ \dfrac{\Gamma, A \vdash \Delta \qquad \Gamma, B \vdash \Delta}{\Gamma, A \vee B \vdash \Delta}$

One can see a striking similarity here. In this sequent calculus setting, it is reasonable to view disjunction as another kind of ‘pairing’; the left rule is a pair of two proofs (binding a formula on the left of each), whereas the right rule provides the facility to interact with the members of such a pair.

The effect of flipping an input is to negate only one of the inputs to a connective, which in turn corresponds to the bound occurrences of one of the formulas swapping sides in the rules. For example, implication can be obtained from disjunction by flipping the first input ($A \to B \equiv \neg A \vee B$). One can see this also by comparing the sequent rules. In this sense, it is possible in the sequent calculus to see even implication as a kind of pairing. Examining the syntax of $\mathcal{X}$ (for brevity, compared to dealing in the proof rules), one can regard the mediator $Q \hat{\beta} [x] \hat{y} R$ as a pair of two terms $Q$ and $R$, binding an output of one and an input of another. The export $\hat{z} P \hat{\beta} \cdot \gamma$ is the term which can ‘deal with the pair’; providing connectors to connect to both elements of the pair, analogously with (for example) the $\wedge L$ term.

From the discussions above, it can be seen that once one knows the sequent rules (and hence, an appropriate term representation) for a particular connective, one can easily derive them for the negation and dual of the connective, and any connective which is obtained by flipping an input. In particular, the six connectives which are joined to each other by various arrows in Figure 3 (including $\wedge$, $\vee$ and $\to$) all have related sequent rules. Each can in fact be regarded as a kind of pairing connective; the differences lie in whether inputs or outputs are bound in the two subterms which make up the pair, and whether the pair is made available on an introduced input or output. We will sometimes refer to these six connectives as the pairing connectives.

$(\leftrightarrow L)\ \dfrac{\Gamma \vdash A, B, \Delta \qquad \Gamma, A, B \vdash \Delta}{\Gamma, (A \leftrightarrow B) \vdash \Delta}$ $\qquad$ $(\leftrightarrow R)\ \dfrac{\Gamma, A \vdash B, \Delta \qquad \Gamma, B \vdash A, \Delta}{\Gamma \vdash (A \leftrightarrow B), \Delta}$

Fig. 4. $\leftrightarrow L$ and $\leftrightarrow R$ introduction rules

As can be seen from Figure 3, the remaining connectives come in related groups of two. Due to space considerations, we do not discuss here the computational content of the connectives ID, $\top$, $\bot$, although the latter two at least are of some interest. This leaves only two binary connectives to discuss; being $\leftrightarrow$ (‘if-and-only-if’) and exclusive or. These two are related in the diagram by negation, duality and that each may be obtained from the other by flipping either input. In a sense, the operations they describe are difficult to relate directly to any of the other connectives; there are no ‘simple’ equivalent formulas which express these connectives in terms of the others (all such equivalences must mention $A$ and $B$ more than once).

It seems natural to investigate the computational content of these two connectives, which appears not to have been attempted so far in the literature. In particular, no cut-elimination rule (or analogously, proof reduction rule in a Natural Deduction setting) seems to have been defined for these connectives. It is these concerns which motivate the next section.

5 Interpreting $\leftrightarrow$

In this section we study the computational behaviour of the logical connective ‘if-and-only-if’ (‘iff’ for short) that evaluates to true only when its two operands are the same. We could have equally chosen to study the negation of this connective ‘exclusive-or’, whose $\mathcal{X}$-style term representations will be almost the same except the free input (output) that is introduced in each term will be of the opposite kind.

We are able to determine the form of the left and right introduction rules for the $\leftrightarrow$ connective via the equivalence $A \leftrightarrow B \equiv \neg(A \vee B) \vee (A \wedge B)$. From this, we can construct derivations whose conclusions introduce this compound formula on the left and right of a sequent.

Condensing these derivations gives us the ($\leftrightarrow L$) and ($\leftrightarrow R$) introduction rules shown in Figure 4, which we can inhabit with $\mathcal{X}$-style terms in the usual way. We write the corresponding ‘iff-left’ and ‘iff-right’ terms as $[M \hat{\alpha} \hat{\beta} [y] \hat{i} \hat{j} N]$ and $[\hat{x} P \hat{\varepsilon}, \hat{z} Q \hat{\delta}] \cdot \gamma$ respectively.

The principal cut-elimination rule for $\leftrightarrow$ should transform a proof that cuts together an ($\leftrightarrow R$) formula with an ($\leftrightarrow L$) formula, or in $\mathcal{X}$ notation,

$([\hat{x} P \hat{\varepsilon}, \hat{z} Q \hat{\delta}] \cdot \gamma) \hat{\gamma} \dagger \hat{y} ([M \hat{\alpha} \hat{\beta} [y] \hat{i} \hat{j} N])$, where $\gamma$, $y$ are introduced.

Unlike the connectives seen previously, the reduct is not straightforward to determine. The rules for the ↔ connective each bind two inputs and two outputs, and each rule has two subterms. We observe a striking resemblance between these terms and those used to represent the implication connective (i.e. the syntax of X, Definition 2.1). The iff-right term is reminiscent of an export term, except that two 'functions' are available over the same interface rather than one (n.b. A↔B ≡ (A→B)∧(B→A)). The iff-left term is reminiscent of a mediator with two binders over each of its subterms instead of one.

We return to the previous method of determining the principal cut-elimination rule as detailed in Section 4, i.e. that of considering how one would reduce a cut between derivations that introduce a formula logically equivalent to A↔B. We cut together the proofs that derive ¬(A∨B)∨(A∧B) on the left and right of the sequent and reduce them using the cut-elimination rules for negation, disjunction and conjunction.

Condensing, then annotating the resulting proof yields the reduct:

((Mb� y bxP )b� ybkhk.�i)b� ybj(((Mb� y bzQ)b� y bwhw.Æi)bÆ ybiN)

This reduct uses two copies of M, renaming their outputs (using capsules) where necessary. A symmetrical alternative of the reduct renames inputs rather than outputs and requires two copies of N to be made. A copy of either M or N is used to facilitate the connection of each output of M to each input of N. The question arises of whether this copying is necessary. We sought to explore other ways in which M and N could be connected and, more specifically, whether it would be possible to obtain a solution without copying, since this would be significantly cheaper to evaluate. We discovered such a solution that renames one output in M and one input in N. This led us to the following definition for the principal iff cut-elimination rule.

Definition 5.1 [Principal iff-reduction rule] The term ([bxP b�; bzQbÆ℄: )b y by([M �� [y℄ bijN ℄), where the connectors bound by the cut (y among them) are introduced and k (together with the other new connector name used in the reduct) is fresh, reduces to one of the following variants.

(a) ((Mb� y bxP )b� ybkhk.�i)b� y bz(hz.�ib� ybj(QbÆ ybiN))

(b) ((Mb� y bzQ)b� ybkhk.Æi)bÆ y bx(hx.�ib� ybi(P b� ybjN))

5.1 Simulating other connectives

The only connectives logically expressible by ↔ are ⊤ and ID, which might lead us to believe that its simulation capabilities are limited. However, we are in fact able to simulate the reductions of several other connectives, i.e. we can encode the syntax for these other connectives in such a way that reductions are preserved. When this is the case, we say we can computationally express the connective (which may or may not be expressible in a logical sense).

As an example of a connective which can be computationally expressed, we show how to express the syntax and reduction behaviour of the X-calculus in a term calculus based on the ↔ connective (which we call X↔). For brevity we omit the activated cuts, which should be treated analogously.


Definition 5.2 [Syntax for the calculus X↔]

M, N ::= hx.�i | [M �� [z℄ bijN ℄ | [bxM b�; bzNbÆ℄: | M b� y bxN

(axiom, iff-left, iff-right and cut respectively)

As remarked earlier, the iff-left term is reminiscent of a mediator with two binders over each of its subterms rather than one, and the iff-right term is reminiscent of an export, except that two 'functions' are available over the same interface rather than one. With this observation in mind, we move towards an encoding of the X-calculus in X↔.

We can sensibly assume that when encoding the export into an iff-right term [bxP b�; bzQbÆ℄: , we require only one of the two subterms, say P. This leaves the question of what we should do with Q. By making Q the capsule hy.Æi, we can give an encoding that is sound (no undesired reductions are possible) providing that we restrict the reduction to always use the first variant of the principal rule given in Definition 5.1. This does not seem a severe restriction; one might view this as a strategy on the reduction (one always has the choice of which variant of the principal ↔ rule to use). Our encoding is as follows.

Definition 5.3 [Interpretation of X into X↔]

ddhx.�i $ = hx.�i
ddbxP b�� $ = [bxddP $b�; bzhy.ÆibÆ℄:   (z, y, Æ fresh)
ddM b� [y℄ bxN $ = [ddM $ �� [y℄ zxddN $℄   (z fresh, together with the new output name)
ddM b� y bxN $ = ddM $b� y bxddN $

Notice that had we chosen Q to be hz.Æi, this would have forced the types for x and for the output of P to be the same; our encoding would not preserve typeability. Due to space restrictions, we cannot discuss type assignment in depth, but in brief it amounts to putting back the types which have been erased in the syntax. Typed terms correspond directly to sequent proofs (in which the formulas carry labels: the connector names). Regarding such type systems, we have the following result:

Theorem 5.4 (Preservation of typeability) For any X-term P, P is typeable iff ddP $ is typeable.

In fact, the type derivations in the two systems are closely related; one can define a further encoding from a type derivation for P in the usual X system to a type derivation for ddP $ in the corresponding X↔ system. Such details are omitted here.

To show that our encoding is sensible, we must also check that we can simulate the reductions of X. As pointed out in Section 3.2, the mechanism provided by the propagation and renaming rules is generic to any X-style term calculus; it performs the same basic task of pushing cuts through subterms and renaming connectors regardless of the syntax employed. Showing that such rules are simulated is straightforward, and we therefore only concern ourselves with the rule exp-med given in Definition 2.2.

The following (abbreviated) reduction confirms that we can simulate the first variant of the exp-med rule.

dd(bxP b�� )b y by(Mb� [y℄ bjN) $
= ([bxddP $b�; bzh .ÆibÆ℄: )b y by([ddM $ �� [y℄ bijddN $℄)   (z, i and the new connector names fresh)
! ((ddM $b� y bxddP $)b� ybkhk.�i)b� y bz(hz.�ib� ybj(h .ÆibÆ ybiddN $))   (Def. 5.1(a))
! (ddM $b� y bxddP $)b� y bzddN [z=j℄ $   (act-R, gc-R, act-R, ren-R, act-L, gc-L)
= ddMb� y bx(P b� ybjN) $   (modulo α-conversion)

In fact, our encoding is only able to simulate this variant of the exp-med rule. The differently-bracketed alternatives of the exp-med rule do not reduce to each other and also do not always share the same normal forms. However, it is understood that the sets of normal forms reachable from the two variants of exp-med, while not identical, differ only in some special cases, and even then only by permutations of structure in the terms. In this sense, our encoding captures all of the computations that can be performed within X.

The principal cut-elimination rule for ↔ manipulates four subterms, while the principal rule for any pairing connective involves three. We encoded implication by choosing one of the four subterms to be a suitable capsule. Since the iff-terms bind many combinations of inputs and outputs, we can suitably restrict them to encode other pairing connectives in a similar way. We are able to encode the logical connectives ∧ and ↑ up to the same limitations as discussed above. Additionally, we are able to simulate fully (all reductions can be simulated) the ¬ connective.

While the ↔ connective is unable to logically express the connectives →, ∧, ↑ and ¬, we have shown that we are able to simulate the significant computational behaviour of the corresponding terms. Similarly, the exclusive-or connective is able to simulate the computational behaviour of the dual pairing connectives −, ∨ and ↓, and again the connective ¬.

6 Conclusions and Future Work

This work has provided an analysis of the issues involved in deriving term calculi to correspond with arbitrary choices of logical connective. We have shown various general techniques for deriving suitable syntax, reduction rules and (to some extent) computational content corresponding with the inclusion of a logical connective of interest.

The analysis of logical connectives purely in terms of the movement of their inputs and outputs seems to yield interesting results, and this should be looked at more closely. For example, we hypothesise that a term calculus can express non-terminating terms if and only if it contains a connective which can 'swap' an input for an output.

Our investigation into the ↔ connective has shown that much more can be expressed than we first thought, and this relates directly to the inputs and outputs present. A more general investigation of the computational content of this connective (in particular, any examples which are not neatly expressed with other connectives) is the subject of future work. Our simulation result for X would also be strengthened by the formalisation of a suitable notion of equivalence on X-terms, which is likely to relate to Kleene permutations. This would also be useful future work for other research into the X-calculus.


DCM 2006

Term collections in λ- and ρ-calculi

Germain Faure¹

LORIA, BP 239 54506 Vandoeuvre-lès-Nancy Cedex France

The ρ-calculus, also called the rewriting calculus, originally emerged from different motivations, and from a different community, than the λ-calculus. It was introduced to make explicit all the ingredients of rewriting, such as rule application and result [CK01]. In short, the ρ-calculus provides an extension of the λ-calculus with additional concepts originating from rewriting and functional programming, namely pattern matching and a structure construction which provides collections of terms.

Several aspects of the ρ-calculus have been studied so far. The dynamics of the computations has been studied [FMS05] by defining interaction nets for the ρ-calculus. We can also mention the study of type systems [BCKL03,Wac04] and its application in a proof theory that handles rich proof-terms in the generalized deduction modulo [Wac05]. On a more practical side, the ρ-calculus has been used to give a semantics both to rewrite-based languages [CK01] such as ELAN [BKK+98] and to the atelier FOCAL [Mod,Pre03], an environment dedicated to the development of certified computer algebra libraries (ongoing work). Also, the ρ-calculus has been used to implement efficient decision procedures [SDK+03].

The management of collections of terms is crucial in calculi like the ρ-calculus, in logic programming and in web query languages. Typically, the matching constraints involved in the calculus may have more than one solution, as is also the case in programming languages like TOM [Tom], Maude [Mau], ASF+SDF [ASF] or ELAN [Ela], and thus generate a collection of results.

As previously mentioned, the ρ-calculus extends the syntax and the operational semantics of the λ-calculus by providing matching constraints and collections of terms. For example, let $+$ be a commutative symbol, $x, y$ be variables and $a, b$ constants. In the ρ-calculus, the pattern-matching constraint $x[x + y \ll a + b]$, that is the application of the matching constraint $x + y \ll a + b$ to $x$, reduces to a collection of terms consisting of the two terms $a$ and $b$, denoted $a \wr b$. In fact, the two solutions of the pattern matching problem $x + y \ll a + b$, respectively $\{x \mapsto a,\, y \mapsto b\}$ and $\{x \mapsto b,\, y \mapsto a\}$, are both applied to the body $x$ of the pattern matching constraint, and we then get the two results $a$ and $b$. The corresponding evaluation rule is given by:

¹ Email: [email protected]

This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs


$M[P \ll N] \;\to_{\sigma}\; M\sigma_1 \wr \cdots \wr M\sigma_n$

where $\{\sigma_i\}_{i=1}^{n}$ is the set of solutions of the matching problem $P \ll N$.

To handle collections of terms, we distribute the structure operator over the application and the abstraction operator:

$(M_1 \wr M_2)\,N \;\to_{\delta_{app}}\; M_1 N \wr M_2 N$

$\lambda x.(M_1 \wr M_2) \;\to_{\delta_{abs}}\; \lambda x.M_1 \wr \lambda x.M_2$

The ρ-calculus thus consists of four evaluation rules: the ρ rule, inherited from the λ-calculus, the σ rule to deal with pattern matching constraints, and the δ rules to deal with collections of terms.
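The σ rule and the δ rules above, worked through in code. This is an added example written for this page, not code from the abstract or from any of the ρ-calculus implementations it mentions, and all names in it (match, subst, canon, sigma, evaluate) are its own. It assumes three things that the text leaves to the reader: structures are taken modulo ACI, i.e. as sets, in the spirit of the canonical-sets proposal below; the arguments of the commutative symbol + are also compared modulo commutativity; and a matching failure yields the empty collection (the ρ-calculus has a dedicated failure term, which this toy omits). The δ rules are implemented as a normal form (canon) rather than as evaluation steps, so only ρ and σ remain as explicit rewrite steps.

```python
"""Toy rho-calculus evaluator (added example, not the paper's own code).

Terms are nested tuples:
  ('var', x)  ('c', a)  ('+', l, r)  ('app', f, arg)  ('lam', pattern, body)
  ('struct', (t1, ..., tn))  -- a collection of results, kept flat, sorted, deduplicated
'+' is a commutative symbol; patterns are built from 'var', 'c' and '+' only.
Assumption of this example: a matching failure yields the empty collection.
"""

def pattern_vars(p):
    """Variables bound by a pattern (used to stop substitution under a lam)."""
    if p[0] == 'var':
        return {p[1]}
    if p[0] == 'c':
        return set()
    return pattern_vars(p[1]) | pattern_vars(p[2])

def match(p, t, s=None):
    """All substitutions extending s under which pattern p matches term t.
    A '+' pattern is tried against both argument orders of a '+' term, so
    x + y against a + b gives {x: a, y: b} and {x: b, y: a}."""
    s = {} if s is None else s
    if p[0] == 'var':
        if p[1] in s:
            return [s] if s[p[1]] == t else []
        return [{**s, p[1]: t}]
    if p[0] == 'c':
        return [s] if t == p else []
    if p[0] == '+' and t[0] == '+':
        sols = []
        for l, r in ((t[1], t[2]), (t[2], t[1])):
            for s1 in match(p[1], l, s):
                sols.extend(match(p[2], r, s1))
        return [dict(u) for u in sorted({tuple(sorted(d.items())) for d in sols})]
    return []

def subst(s, t):
    """Apply substitution s to t, leaving variables bound by an enclosing pattern alone."""
    if t[0] == 'var':
        return s.get(t[1], t)
    if t[0] == 'c':
        return t
    if t[0] == 'struct':
        return ('struct', tuple(subst(s, u) for u in t[1]))
    if t[0] == 'lam':
        inner = {k: v for k, v in s.items() if k not in pattern_vars(t[1])}
        return ('lam', t[1], subst(inner, t[2]))
    return (t[0], subst(s, t[1]), subst(s, t[2]))

def canon(t):
    """Canonical form: the delta rules as a normal form rather than as evaluation steps.
    Structures are flattened (A), sorted (C) and deduplicated (I), i.e. treated as sets;
    '+' arguments are sorted because + is commutative."""
    if t[0] in ('var', 'c'):
        return t
    if t[0] == '+':
        return ('+',) + tuple(sorted((canon(t[1]), canon(t[2]))))
    if t[0] == 'struct':
        items = set()
        for u in map(canon, t[1]):
            items.update(u[1] if u[0] == 'struct' else (u,))
        return ('struct', tuple(sorted(items)))
    if t[0] == 'app':
        f, a = canon(t[1]), canon(t[2])
        if f[0] == 'struct':                       # delta_app: (M1 o M2) N -> M1 N o M2 N
            return canon(('struct', tuple(('app', m, a) for m in f[1])))
        return ('app', f, a)
    b = canon(t[2])                                # t is a lam
    if b[0] == 'struct':                           # delta_abs: lam P.(M1 o M2) -> lam P.M1 o lam P.M2
        return canon(('struct', tuple(('lam', t[1], m) for m in b[1])))
    return ('lam', t[1], b)

def sigma(body, pattern, arg):
    """sigma rule: M[P << N] -> M s1 o ... o M sn, one copy of M per solution of P << N."""
    return canon(('struct', tuple(subst(s, body) for s in match(pattern, arg))))

def evaluate(t):
    """Normalise, then fire the rho rule (lam P.M) N -> M[P << N] wherever it applies."""
    t = canon(t)
    if t[0] == 'struct':
        return canon(('struct', tuple(map(evaluate, t[1]))))
    if t[0] == 'app':
        f, a = evaluate(t[1]), evaluate(t[2])
        return evaluate(sigma(f[2], f[1], a)) if f[0] == 'lam' else canon(('app', f, a))
    if t[0] == 'lam':
        return canon(('lam', t[1], evaluate(t[2])))
    if t[0] == '+':
        return canon(('+', evaluate(t[1]), evaluate(t[2])))
    return t

if __name__ == '__main__':
    x, y, a, b = ('var', 'x'), ('var', 'y'), ('c', 'a'), ('c', 'b')
    first = ('lam', ('+', x, y), x)                               # lam (x + y). x
    print(evaluate(('app', first, ('+', a, b))))                  # the collection a o b
    print(evaluate(('app', ('app', first, ('+', a, b)), ('c', 'c'))))   # delta_app distributes
```

Running the first example reproduces the $a \wr b$ of the text; applying that collection to a further argument shows $\delta_{app}$ distributing it, and a body $x + y$ over $a + b$ collapses to a single result because the two solutions give the same term modulo commutativity of + and idempotence of the structure.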

Different works on the ρ-calculus propose different approaches to deal with collections of terms. They were originally [CK01,Cir00] represented using sets. In more recent works [CLW03,RC], they are represented via a structure construction whose operational semantics is parametrised by a theory (typically a combination of the axioms of associativity, commutativity and/or idempotence) that the user chooses depending on the way s/he wants to deal with non-determinism in the calculus. For example, the original semantics of 'sets of results' is recovered by considering the associative, commutative and idempotent (ACI) theory on structures.

The generality given by those recent works breaks down when the matching constraints involved in the calculus may have more than one solution [Fau05]. In this case the theory on structures cannot be arbitrary, and thus collections of results should be represented using sets. Moreover, two different derivations of a ρ-term may differ only in the strategy used for the application of the δ rules. We propose to identify them by assuming that terms are taken modulo the equivalence relation generated by the δ rules. More practically, we consider normalized rewriting [Mar96] by splitting the evaluation rules into two sets: the operational semantics now consists only of the two fundamental rules ρ and σ, while the δ rules are used to consider canonical sets, that is terms that are always normalized w.r.t. the δ rules.

This is not only a matter of taste, since it has a strong impact on the fundamental understanding of the calculus. The computational mechanism of the calculus becomes easier to understand since the δ rules are no longer explicit evaluation steps. This opens in particular new possibilities for a deep study of the calculus, such as a Böhm theorem [Kri90] for the ρ-calculus.

The same approach can be applied to other calculi like the λ-calculus with a parallel operator. In fact, the first attempt at a denotational (Scott) semantics of the ρ-calculus, proposed in [FM05], brought to light a relation between the ρ-calculus and the parallel λ-calculus of Boudol, which was introduced as a λ-calculus that is expressive for domains of parallel functions [Bou94]. Syntactically, it is an extension of the λ-calculus with a parallel operator that distributes left w.r.t. the application and with the λ-abstraction (as the structure operator of the ρ-calculus does). It has been extended to parallel and non-deterministic λ-calculi like in [DCdP93].

Scott models for the ρ-calculus are surprisingly close to the models of the parallel λ-calculus (the parallel operator, respectively the structures, are adequately represented by the join operator), and this suggests a relationship between the structure operator of the ρ-calculus and the parallel operator of the parallel λ-calculus.

We introduce a new calculus that extends the syntax and the operational semantics of the λ-calculus to deal with canonical sets of terms. This calculus enjoys the Church-Rosser property and gives a new operational semantics for the parallel λ-calculus (the work of [Bou94] mainly insists on models, while in this work we propose to look at that calculus from an operational point of view).

Contributions

We propose a new syntax and operational semantics for the parallel λ-calculus. We introduce a new approach to deal with collections of results that can be applied both to the parallel λ-calculus and to the ρ-calculus. We also make clear the relationship between both formalisms. Finally, since the standard techniques of rewriting modulo [Hue80,KK99,Ohl98] cannot be applied to prove the Church-Rosser property, the approach followed here, inspired by [HR03], may likewise be applied in the abstract study of rewriting modulo an equivalence relation. We finally discuss an implementation of the calculus in TOM [Tom] and its link with canonical abstract syntax trees [Rei06].

Acknowledgments

Alexandre Miquel suggested to the author the reading of [HR03], which was the starting point of this work. We also thank Lionel Vaux, Horatiu Cirstea and Claude Kirchner for useful interactions and comments on this work.

References

[ASF] ASF+SDF. A component-based language development environment. http://www.cwi.nl/projects/MetaEnv/.

[BCKL03] G. Barthe, H. Cirstea, C. Kirchner, and L. Liquori. Pure pattern type systems. In Principles of Programming Languages (POPL 2003), New Orleans, USA. ACM, January 2003.

[BKK+98] P. Borovanský, C. Kirchner, H. Kirchner, P.-E. Moreau, and C. Ringeissen. An overview of ELAN. In Proc. of WRLA, volume 15 of ENTCS, http://www.elsevier.nl/locate/entcs/volume15.html, September 1998.

[Bou94] G. Boudol. Lambda-calculi for (strict) parallel functions. Inf. Comput., 108(1), January 1994.

[Cir00] H. Cirstea. Calcul de réécriture : fondements et applications. PhD thesis, Université Henri Poincaré - Nancy I, October 25, 2000.

[CK01] H. Cirstea and C. Kirchner. The rewriting calculus, Part I and II. Logic Journal of the Interest Group in Pure and Applied Logics, 9(3):427–498, May 2001.

[CLW03] H. Cirstea, L. Liquori, and B. Wack. Rewriting calculus with fixpoints: Untyped and first-order systems. Volume 3085. Springer, 2003.

[DCdP93] M. Dezani-Ciancaglini, U. de'Liguoro, and A. Piperno. Filter models for a parallel and non deterministic lambda-calculus. In A. M. Borzyszkowski and S. Sokolowski, editors, Mathematical Foundations of Computer Science 1993, 18th International Symposium, volume 711 of LNCS, pages 403–412, Gdansk, Poland, 30 August – 3 September 1993. Springer.

[Ela] Elan. The ELAN system. http://elan.loria.fr/.

[Fau05] G. Faure. A remark on the study of the rho-calculus in presence of symbols defined modulo an equational theory. Draft notes, LORIA, 2005.

[FM05] G. Faure and A. Miquel. Towards a denotational semantics for the rho-calculus. Draft notes, LORIA, 2005.

[FMS05] M. Fernández, I. Mackie, and F.-R. Sinot. Interaction nets vs. the rho-calculus: Introducing bigraphical nets. In Proceedings of EXPRESS'05, satellite workshop of Concur, San Francisco, USA, 2005, Electronic Notes in Theoretical Computer Science. Elsevier, 2005.

[HR03] T. Ehrhard and L. Regnier. The differential lambda-calculus. Theoretical Computer Science, 309, 2003.

[Hue80] G. Huet. Confluent reductions: Abstract properties and applications to term rewriting systems. Journal of the ACM, 27(4):797–821, 1980.

[KK99] C. Kirchner and H. Kirchner. Rewriting, solving, proving. A preliminary version of a book, available at www.loria.fr/~ckirchne/rsp.ps.gz, 1999.

[Kri90] J.-L. Krivine. Lambda-Calcul : Types et Modèles. Etudes et Recherches en Informatique. Masson, 1990.

[Mar96] C. Marché. Normalized rewriting: An alternative to rewriting modulo a set of equations. J. Symb. Comput., 21(3), 1996.

[Mau] Maude. The Maude system. http://maude.cs.uiuc.edu/.

[Mod] Mod. Modulogic home page. http://modulogic.inria.fr.

[Ohl98] E. Ohlebusch. Church-Rosser theorems for abstract reduction modulo an equivalence relation. In Proceedings of Rewriting Techniques and Applications (RTA-98), volume 1379 of LNCS, pages 17–31. Springer, 1998.

[Pre03] V. Prevosto. Conception et Implantation du langage FoC pour le développement de logiciels certifiés. Thèse de doctorat, Université Paris 6, September 2003.

[RC] Rewriting-Calculus. The ρ-calculus home page. http://rho.loria.fr/.

[Rei06] A. Reilles. Canonical abstract syntax trees. In Proceedings of the 6th International Workshop on Rewriting Logic and its Applications, Electronic Notes in Theoretical Computer Science, 2006. To appear.

[SDK+03] A. Stump, A. Deivanayagam, S. Kathol, D. Lingelbach, and D. Schobel. Rogue decision procedures. In C. Tinelli and S. Ranise, editors, 1st International Workshop on Pragmatics of Decision Procedures in Automated Reasoning, 2003.

[Tom] Tom. The Tom language. http://tom.loria.fr/.

[Wac04] B. Wack. The simply-typed pure pattern type system ensures strong normalization. IFIP-WCC TCS, 2004.

[Wac05] B. Wack. A Curry-Howard-De Bruijn Isomorphism Modulo. Under submission, 2005.

DCM 2006

Probabilistic Model-Checking of Quantum Protocols

Simon Gay¹
Department of Computing Science, University of Glasgow

Rajagopal Nagarajan²,⁴ and Nikolaos Papanikolaou³,⁴
Department of Computer Science, University of Warwick

Abstract

We establish fundamental and general techniques for formal verification of quantum protocols. Quantum protocols are novel communication schemes involving the use of quantum-mechanical phenomena for representation, storage and transmission of data. As opposed to quantum computers, quantum communication systems can be and have been implemented using present-day technology; therefore, the ability to model and analyse such systems rigorously is of primary importance.

While current analyses of quantum protocols use a traditional mathematical approach and require considerable understanding of the underlying physics, we argue that automated verification techniques provide an elegant alternative. We demonstrate these techniques through the use of PRISM, a probabilistic model-checking tool. Our approach is conceptually simpler than existing proofs, and allows us to disambiguate protocol definitions and assess their properties. It also facilitates detailed analyses of actual implemented systems. We illustrate our techniques by modelling a selection of quantum protocols (namely superdense coding, quantum teleportation, and quantum error correction) and verifying their basic correctness properties. Our results provide a foundation for further work on modelling and analysing larger systems such as those used for quantum cryptography, in which basic protocols are used as components.

¹ Email: [email protected]
² Email: [email protected]
³ Email: [email protected]
⁴ R. Nagarajan and N. Papanikolaou are partially supported by EPSRC grant GR/S34090

This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs


1 Introduction

In the 1980s it was first realized that quantum-mechanical phenomena can be exploited directly for the manipulation, storage and transmission of information. The discovery of quantum algorithms for prime factorization [16] and unstructured search [7], which significantly outperformed the best classical algorithms for these tasks, opened up new vistas for computer science and gave an initial thrust to the emerging field of quantum computation. To implement a quantum algorithm, however, a large-scale quantum computer is necessary, and such a device has yet to be built. Research in quantum information, on the other hand, has shown that quantum effects can be harnessed to provide efficient and highly secure communication channels, which can be built using current technology. Entangled quantum states, superpositions and quantum measurement are among the characteristics of the subatomic world which nature puts at our disposal; these and related phenomena enable the development of novel techniques for computation and communication with no rival in classical computing and communication theory.

The focus in this paper is on communication protocols involving the use of such phenomena. Quantum protocols have particularly important applications in cryptography. Several quantum protocols have been proposed for cryptographic tasks such as oblivious transfer, bit commitment and key distribution [8,11]. The BB84 protocol for quantum key distribution [2,12], which allows two users to establish a common secret key using a single quantum channel, has been shown to be unconditionally secure against all attacks [10]. Other quantum protocols include procedures for superdense coding [4], teleportation [3] and quantum error correction [17].
We assume that the reader is familiar with the basic concepts of quantum computing, as presented in [8,11]. We argue that detailed, automated analyses of protocols such as these facilitate our understanding of complex quantum behaviour and enable us to construct valuable proofs of correctness. Such analyses are especially important to manufacturers of commercial devices based on such protocols; the actual security of commercial quantum cryptographic systems, for example, is worth an in-depth investigation. Communication protocols have always been under scrutiny by computer scientists, who have developed numerous techniques for analysing and testing them, including process algebras, formal specification languages and automated verification tools. Automated verification techniques, such as model-checking and theorem proving, are frequently targeted at protocols and have been used to detect faults and subtle bugs. For instance, the FDR model-checker allowed Gavin Lowe to uncover a flaw in the Needham-Schroeder security protocol [15]. Although current model-checkers were developed primarily for the analysis of classical systems, we have found ways of using them to model quantum behaviour. To account for the probabilism inherent in quantum systems, we have chosen to use a probabilistic model-checker, in particular the PRISM tool developed at the University of Birmingham [14].

PRISM is an acronym for probabilistic symbolic model checker, and is designed for modelling and validating systems which exhibit probabilistic behaviour. A tool such as PRISM computes the probability with which a system model $\mathcal{M}$ satisfies a temporal formula $\phi$, i.e. the value of $P_{\mathcal{M},\phi} = \Pr\{\mathcal{M} \models \phi\}$ for given $\mathcal{M}$ and $\phi$. The models catered for by PRISM may incorporate specific probabilities for various behaviours, and so may the formulas used for verification. The application of probabilistic model-checking to quantum systems is entirely appropriate, since quantum measurement is inherently probabilistic; to reason about quantum behaviour one must certainly account for this.

PRISM uses a built-in specification language based on Alur and Henzinger's reactive modules formalism (see [9,14] for details). Internally, a PRISM model is represented by a probabilistic transition system. The probabilistic temporal logic PCTL [5] is used as the principal means for defining properties of systems modelled in PRISM.

2 Fundamental Techniques

In order to use a classical probabilistic model-checker to verify quantum protocols, we need to model the quantum states that arise in a given protocol, and the effect of specific quantum operations on these states. PRISM itself only allows positive integer and boolean variables to be used in models. So how can we model the states of quantum systems, and the quantum operations arising in protocols, using only classical data types and arithmetic?

Single qubits can be in a superposition of two states, while classical variables can only take on a single value in any given state. The coefficients of these states can be any two complex numbers whose moduli squared sum to unity, and there is an uncountable infinity of these; of course, PRISM can only work with a finite state space.

⁴ (continued) and the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography).
Furthermore, quantum systems consisting of many qubits can be in entangled states, which, unlike classical systems, cannot be decomposed into products of individual states. What is needed, therefore, is a means of representing quantum states fully and consistently, in a form that PRISM can handle.

Of all the possible quantum states of an n-qubit system, we identify the finite set of states which arise by applying the operations CNot, Hadamard (H), and $\sigma_0, \sigma_1, \sigma_2, \sigma_3$ to input states. We confine our analyses to protocols that involve only this restricted set of operations. At present, determining which states belong to this set is done manually, but we are considering ways of automating this.

Consider a very simple system: a single qubit, being acted upon through the Hadamard gate and through measurement in the standard basis. For our purposes, the state of the qubit may be $|0\rangle$, $|1\rangle$, or an equal superposition of the two. In fact, these states are sufficient to model the BB84 protocol for quantum key distribution [2]. The quantum states which we need to represent in order to model this simple system are thus:

j0i ; j1i ; 1p2 (j0i+ j1i) ; and 1p2 (j0i � j1i)To model this small, �nite set of quantum states, which is closed under theoperation of the Hadamard gate and the Pauli operators, we represent eachstate by assigning a unique integer from 0 to 3 to it, and we use straightforwardtransitions from one integer value to another to model the action of the gate.A protocol such as superdense coding, which we will discuss in Section 3.1,can be expressed as a step-by-step interaction with a two{qubit system. Inorder to model the states of 2{ and 3{qubit systems, the quantum operatorsand the measurements which arise in this and related protocols such as tele-portation, we have developed a code generation tool called prismgen. Thistool generates a prism code fragment, or module, in which each quantum stateis represented by a unique positive integer. Every quantum operator used ina particular protocol is coded as a set of deterministic transitions from onequantum state to another. prismgen calculates these transitions by multi-plying the unitary matrix, which corresponds to a particular operator, witheach quantum state vector of interest. A measurement is modelled by a set ofprobabilistic transitions, leading to the various possible outcomes with equalprobability. For simplicity, we have only considered states whose measure-ment outcomes are all equiprobable, although prism does allow us to modelthe more general case.From the overall state space for a two{qubit system, a certain subset isclosed under the CNot, Hadamard and Pauli operations. This subset consistsof 4 states corresponding to the four basis vectors, 12 states which are sumsof two basis vectors, and 8 states which are sums of all four basis vectors.Proposition 2.1 The above set of 24 states is closed under the CNot, Hadamardand Pauli operations.Proof. 
These states can be expressed in the following way.

(i) The single basis vectors: $|00\rangle$, $|01\rangle$, $|10\rangle$, $|11\rangle$.

(ii) The states containing two basis vectors can be separated into three subclasses:
  (a) $\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)|0\rangle$, $\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)|1\rangle$
  (b) $|0\rangle\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$, $|1\rangle\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$
  (c) $\tfrac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$, $\tfrac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$

(iii) The states containing four basis vectors can be expressed in any of the forms:
  (a) $\tfrac{1}{\sqrt{2}}\big[\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)|0\rangle \pm \tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)|1\rangle\big]$
  (b) $\tfrac{1}{\sqrt{2}}\big[|0\rangle\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle) \pm |1\rangle\tfrac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)\big]$
  (c) $\tfrac{1}{2}(|00\rangle \pm |01\rangle \pm |10\rangle \pm |11\rangle)$


It is obvious that each set (i)-(iii) individually is closed under each $\sigma_i$ (applied to either qubit) and CNot (with either qubit as control), because these operations are permutations of the basis vectors, up to sign and global phase. Each set has an evident symmetry among the basis vectors (taking (iii.a) and expanding (ii) into an explicit list of states). Applying $H$ to the first qubit gives a bijection between (i) and (ii.a), between (ii.b) and (iii.a), and between (ii.c) and (iii.b). Applying $H$ to the second qubit is similar. □

Our prismgen tool enumerates these states and calculates the transitions corresponding to the various operations. The resulting prism module can be included as part of any model which involves measurements and the application of these operations to a system of two qubits. The situation with a system of three qubits is similar. We have developed a 3-qubit version of prismgen, which gives us the ability to model protocols such as those for quantum teleportation and quantum error correction.

3 Illustrative Examples

We have been able to model a certain number of quantum protocols using the aforementioned techniques. These include: (1) superdense coding, which is a procedure for encoding pairs of classical bits into single qubits; (2) quantum teleportation, which allows the transmission of a quantum state without the use of an intervening quantum channel; and (3) quantum error correction, namely the qubit flip code, which corrects a single bit flip error during transmission of quantum bits. The source files for the models in this section are available online from http://go.warwick.ac.uk/nikos/research/.

3.1 Superdense Coding

The simplest quantum protocol which we will use to illustrate our techniques is the superdense coding scheme [4]. This scheme makes it possible to encode a pair of classical bits on a single qubit. With superdense coding, a quantum channel with a capacity of a single qubit is all that is necessary to transmit twice as many bits as a serial classical channel, given that the parties already share an entangled pair. Superdense coding is essentially a computation on a two-qubit system; therefore, the prism model of this protocol uses the 2-qubit version of prismgen. We begin with a description of the protocol, and proceed to show how it is modelled and verified with prism.

The setting for superdense coding involves two parties, conventionally named Alice and Bob, who are linked by a quantum channel and share a pair of entangled qubits. The objective is for Alice to communicate the binary number $xy$, henceforth termed the message and denoted by $(x, y)$ with $x, y \in \{0, 1\}$, by transmitting a single qubit to Bob. The superdense protocol takes advantage of the correlations between qubits $P_1$ and $P_2$, which are in an entangled quantum state. Alice essentially influences this state in such


a way that Bob's measurement outcome matches the message of her choice. The superdense coding protocol is as follows.

(i) Two qubits, $P_1$ and $P_2$, are placed in an entangled state using the Hadamard and CNot operations. Alice is given $P_1$, and Bob is given $P_2$.
(ii) Alice selects a message, $(x, y)$, and applies the $i$th Pauli operator, $\sigma_i$, to $P_1$, where $i = y + x(2 + (-1)^y)$; that is, the messages $(0,0)$, $(0,1)$, $(1,0)$ and $(1,1)$ select $\sigma_0$, $\sigma_1$, $\sigma_3$ and $\sigma_2$ respectively. She transmits this particle to Bob.
(iii) Bob applies the CNot gate from $P_1$ to $P_2$, and then he applies the Hadamard gate to the former.
(iv) Bob measures the two particles, thus obtaining a pair of classical bits, $(x', y')$. If no disturbance has occurred, this pair of bits will match the original message, i.e. $(x', y') = (x, y)$.

The model of superdense coding consists of four prism modules. Of these four, one module is generated automatically by prismgen and describes the possible states of the two qubits. There is a module specifying Alice's actions, and similarly one for Bob's. Before we examine the workings of this model in detail, consider the following observations, which highlight the capabilities of prism. In the prism model, Alice's first action is to select one of the four possible messages (represented by the integers 0, 1, 2, 3); each message has an equal probability, $\tfrac{1}{4}$, of being chosen. This is an assumption we made when constructing this model, but it is possible to specify different respective probabilities for the four choices. Another point worth noting is that, depending on which message is chosen, the protocol proceeds in one of four distinct ways; prism actually considers all these possibilities when testing the validity of a property. This is precisely why we advocate the use of model-checking for these analyses, as opposed to simulation of quantum protocols, proposed elsewhere; simulators only treat one of several possible executions at a time. prism interprets the superdense coding model as a probabilistic transition system, which can be depicted as a graph.
The nodes in the graph correspond to the internal state numbers which prism assigns to each step in the protocol. Each internal state number corresponds to a tuple with the states of all variables in a particular model. An illustration of this graph and the details of the internal state numbers will be included in the full paper.

The quantum state of the two-qubit system is represented by the variable state in the prism model. When Bob has finished his measurement and the dense coding protocol terminates, one of 4 final states is reached (each representing a distinct possibility in the computation). The property required for verification must be expressed in terms of the final state. When the dense coding protocol terminates, Bob's measurement result, i.e. the pair of classical bits $(x', y')$, must match Alice's original choice $(x, y)$. This requirement is expressed using pctl, as follows:

$$P_{\geq 1}\,[\ \mathrm{true}\ \mathrm{U}\ ((\mathit{protocol\_finished}) \wedge (\mathit{result} = \mathit{msg}))\ ]\qquad (1)$$


The pctl formula in (1) stipulates that the probability of Bob's result matching Alice's choice is 1. Model-checking with prism confirms that this property holds (i.e. this property is true for all executions of the model). We have thus proven, using the prism model-checker, that the dense coding protocol always succeeds in transmitting two classical bits using a single qubit. Note that this model contains no noise and no adversarial interference on the channel, so (1) is a statement about the idealized protocol of steps (i)-(iv) only. Clearly, this is not difficult to prove by hand; however, we have used dense coding as a simple demonstration of our approach.
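The enumeration that Proposition 2.1 proves by hand, the transition tables prismgen derives from it, and a run of steps (i)-(iv) over those tables, as an added example in Python. This is not the authors' prismgen, whose source the paper does not reproduce. It assumes that states are compared up to a global phase (needed because $\sigma_2 = Y$ introduces factors of $i$; measurement probabilities are unaffected) and renders the tables in PRISM's guarded-command syntax, `[action] guard -> p:(update) + ...;`. The names `closure`, `prism_module` and `superdense` are choices made here.

```python
# Added example, not the authors' prismgen (which the paper does not reproduce).
# States are identified up to a global phase: an assumption made here so that
# sigma_2 = Y, which introduces factors of i, keeps the set finite. Global phase
# never changes measurement probabilities, so the PRISM model is unaffected.
S = 2 ** -0.5
GATES_1Q = {"H": [[S, S], [S, -S]], "X": [[0, 1], [1, 0]],
            "Y": [[0, -1j], [1j, 0]], "Z": [[1, 0], [0, -1]]}
EYE = [[1, 0], [0, 1]]


def kron(a, b):
    """Kronecker product of two square matrices given as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def single(gate, qubit, n):
    """Lift a 1-qubit gate onto qubit `qubit` (0 = leftmost) of n qubits."""
    m = [[1]]
    for q in range(n):
        m = kron(m, gate if q == qubit else EYE)
    return m


def cnot(control, target, n):
    """Permutation matrix flipping `target` whenever `control` is 1."""
    dim = 1 << n
    m = [[0] * dim for _ in range(dim)]
    for i in range(dim):
        j = i ^ (1 << (n - 1 - target)) if (i >> (n - 1 - control)) & 1 else i
        m[j][i] = 1
    return m


def generators(n):
    """Every operator of Section 2, keyed by name, for an n-qubit register."""
    gens = {f"{g}{q}": single(GATES_1Q[g], q, n) for q in range(n) for g in GATES_1Q}
    for c in range(n):
        for t in range(n):
            if c != t:
                gens[f"CNOT{c}{t}"] = cnot(c, t, n)
    return gens


def canonical(v):
    """Hashable key for a state vector modulo global phase: rotate the first
    non-zero amplitude onto the positive real axis, then round."""
    first = next(a for a in v if abs(a) > 1e-9)
    phase = first / abs(first)
    return tuple((round((a / phase).real, 9) + 0.0, round((a / phase).imag, 9) + 0.0)
                 for a in v)


def closure(n):
    """Breadth-first closure from |0...0>: returns (states, transitions) where
    states[i] is the vector numbered i and transitions[(i, gate)] = j."""
    gens = generators(n)
    start = [1.0] + [0.0] * ((1 << n) - 1)
    states, index, transitions, queue = [canonical(start)], {canonical(start): 0}, {}, [start]
    while queue:
        v = queue.pop(0)
        i = index[canonical(v)]
        for name, g in gens.items():
            w = matvec(g, v)
            k = canonical(w)
            if k not in index:            # a state not seen before: number it
                index[k] = len(states)
                states.append(k)
                queue.append(w)
            transitions[(i, name)] = index[k]
    return states, transitions


def measure(state):
    """Computational-basis measurement of every qubit: (outcome, probability)."""
    return [(k, round(re * re + im * im, 9)) for k, (re, im) in enumerate(state)
            if re * re + im * im > 1e-9]


def prism_module(states, transitions, var="state"):
    """Render the tables as a PRISM module of the kind prismgen generates: one
    guarded command per (state, gate), plus a probabilistic measurement command
    per state that collapses to the numbered basis state."""
    index = {s: i for i, s in enumerate(states)}
    dim = len(states[0])
    basis = lambda k: index[tuple((1.0, 0.0) if j == k else (0.0, 0.0) for j in range(dim))]
    lines = ["module qstate", f"  {var} : [0..{len(states) - 1}] init 0;"]
    for (i, name), j in sorted(transitions.items()):
        lines.append(f"  [{name.lower()}] {var}={i} -> ({var}'={j});")
    for i, s in enumerate(states):
        branches = " + ".join(f"{p}:({var}'={basis(k)})" for k, p in measure(s))
        lines.append(f"  [measure] {var}={i} -> {branches};")
    return "\n".join(lines + ["endmodule"])


def superdense(message, tables=None):
    """Steps (i)-(iv) of Section 3.1 run on the numbered states; returns Bob's
    measurement outcomes, which should be the single value 2x + y."""
    states, trans = tables or closure(2)
    x, y = message
    i = y + x * (2 + (-1) ** y)                 # the paper's Pauli index
    steps = ["H0", "CNOT01", [None, "X0", "Y0", "Z0"][i], "CNOT01", "H0"]
    s = 0                                       # state 0 is |00>
    for gate in steps:
        if gate is not None:                    # sigma_0 is the identity
            s = trans[(s, gate)]
    return measure(states[s])


if __name__ == "__main__":
    states, trans = closure(2)
    print(len(states), "states;", prism_module(states, trans).count("\n") + 1, "PRISM lines")
    for x in (0, 1):
        for y in (0, 1):
            print((x, y), "->", superdense((x, y), (states, trans)))
```

The breadth-first search is the closure argument of Proposition 2.1 made mechanical: it terminates with exactly 24 numbered states for two qubits (4 of support 1, 12 of support 2, 8 of support 4) and also confirms the simplification the authors rely on, namely that every state in the set has equiprobable measurement outcomes. Calling `closure(3)` gives the 3-qubit table that the teleportation and error-correction models need.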

3.2 Quantum Teleportation

Our next example is the quantum teleportation protocol [3], which involves a computation on three qubits. Teleportation is a process that exploits entanglement in order to transmit an arbitrary qubit state using only a classical communications channel, together with a previously shared entangled pair. The quantum circuit for teleportation is shown in Fig. 1.

[Fig. 1 residue: three wires $|\psi\rangle$, $|0\rangle$, $|0\rangle$; $H$ and CNot prepare the entangled pair on the second and third wires, a CNot and $H$ followed by two measurements act on the first two wires, and a classically controlled $\sigma_i$ on the third wire leaves it in $|\psi\rangle$.]

Fig. 1. Quantum circuit diagram for the teleportation protocol.

The prism model of teleportation is similar in appearance to that for superdense coding, and it is not included here due to lack of space. It is a transformation on a collection of three qubits, as opposed to the two for superdense coding. This calls for the 3-qubit version of prismgen. Other than this, the prism model itself is unremarkable, and matches the structure of the quantum circuit for teleportation given in Fig. 1. Verifying the teleportation protocol with prism is more involved. Short of manual calculation, it is not possible to predict what the quantum state of the entire 3-qubit system will be at the end of the teleportation protocol; indeed, there are several possible final states, depending on which quantum state Alice chooses to transmit to start with. We are interested in checking that the state of Bob's qubit matches Alice's original qubit state, $|\psi\rangle$, which is assumed to be one of $|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$. To formulate a usable property for verification, we need to express this requirement in terms of the overall state of the 3-qubit system. Formally, the specification of the teleportation protocol is this: if the initial state of the 3-qubit system is of the form $|\psi\rangle|00\rangle$, then the final state will be of the form $|\phi\rangle|\psi\rangle$, where $|\phi\rangle$ is a two-qubit state. Let's consider this in more detail. If Alice chooses to teleport $|\psi\rangle = |0\rangle$, the final state of the 3-qubit system will be of the form $|\phi\rangle|0\rangle$. Similarly, if Alice chooses to teleport $|\psi\rangle = |1\rangle$, the final state of all three qubits will be of the form $|\phi\rangle|1\rangle$. Finally,


if Alice chooses to teleport the superposition $|\psi\rangle = \tfrac{1}{\sqrt{2}}|0\rangle + \tfrac{1}{\sqrt{2}}|1\rangle$, the final state of the three qubits will be of the form $|\phi\rangle\big(\tfrac{1}{\sqrt{2}}|0\rangle + \tfrac{1}{\sqrt{2}}|1\rangle\big)$.

Clearly, the pctl property necessary for verification will depend on the choice of $|\psi\rangle$; it will stipulate that, when the teleportation protocol has completed, the final state of the 3-qubit system will have one of the forms given above. In particular, if the input state is $|0\rangle$, the necessary property is

$$P_{\geq 1}\,[\ \mathrm{true}\ \mathrm{U}\ ((\mathit{telep\_end}) \wedge ((\mathit{st} = s_1) \vee \cdots \vee (\mathit{st} = s_n)))\ ]\qquad (2)$$

where telep_end is a predicate which is true when the protocol completes, and the values $s_1, \ldots, s_n$ represent quantum states of the form $|\phi\rangle|0\rangle$. If the input state is $|1\rangle$, the necessary property has exactly the same form as (2), but the values $s_1, \ldots, s_n$ represent quantum states of the form $|\phi\rangle|1\rangle$; similarly for the case when the input state is the superposition $\tfrac{1}{\sqrt{2}}|0\rangle + \tfrac{1}{\sqrt{2}}|1\rangle$.

In other words, in order to formulate the property needed to verify the protocol, we need to choose the input states and determine the possible final states of the three-qubit system in advance. This may be seen as begging the question; there is little point in verifying a protocol whose final outcome has already been calculated by hand. We have developed an auxiliary tool to prismgen which computes the internal state numbers $s_1, \ldots, s_n$ corresponding to the desired final states, so that only the form of the final state, not the final state itself, has to be chosen in advance. When the pctl property for a particular input is supplied to prism, the tool proves that the teleportation model works as expected. Since the model-checker necessarily constructs a finite state space for the model, the teleportation protocol can only be verified for a specific, known set of inputs, rather than an arbitrary quantum state.

3.3 Quantum Error Correction

Our third and final example is the quantum bit-flip code for error correction [17]. In order to correct a single bit flip error which may occur during the transmission of a single qubit state, this code represents the state by using a collection of three qubits. In particular, the qubit state $|0\rangle$ is encoded as $|000\rangle$ and the state $|1\rangle$ is encoded as $|111\rangle$. A bit flip error on the second qubit, for example, transforms $|000\rangle$ into $|010\rangle$.

In order to detect such an error, two additional qubits are used; they are known as ancillas. By applying a sequence of operations and measurements to the ancillas, the so-called error syndrome is obtained, which determines the location of the error.
Then, the $\sigma_1$ operator is applied to the erroneous qubit, thus restoring the initial quantum state of the 3-qubit system. The quantum circuit for the bit-flip code is given in Fig. 2. For the diagram we have assumed that a bit-flip error does occur prior to the computation of the syndrome.

Our prism model of the protocol for the quantum bit-flip code includes a channel which perturbs the transmitted qubit with a chosen probability; this


[Fig. 2 residue: the wire $|\psi\rangle$ and two wires $|0\rangle$ are encoded with CNots; two ancilla wires $|0\rangle$ receive CNots from the code qubits and are measured to obtain the syndrome, which controls the corrective $\sigma_{1,i}$ on the code qubits, restoring $|\psi\rangle$.]

Fig. 2. Quantum circuit diagram for the qubit bit-flip code.

probability is a parameter of the model, and can be varied as required. The model uses the output from the 3-qubit version of the prismgen tool. When the syndrome computation is taken into account, there are in total five qubits whose states need to be modelled; since we have not yet implemented a code generator for 5-qubit quantum systems, the state transitions for the syndrome computation are calculated in advance and manually coded into prism.

To verify the correctness of the quantum bit-flip code, we need to ensure that, independently of which of the three qubits is perturbed and with what probability this occurs, the protocol does succeed in correcting the error. Thus, at the end of the protocol, the state of the 3-qubit system should be in one of the following forms (where $|\phi\rangle$ is a two-qubit state):

$$|0\rangle|\phi\rangle,\ \text{if the input state was } |0\rangle \qquad (3)$$
$$|1\rangle|\phi\rangle,\ \text{if the input state was } |1\rangle \qquad (4)$$
$$\big(\tfrac{1}{\sqrt{2}}|0\rangle + \tfrac{1}{\sqrt{2}}|1\rangle\big)|\phi\rangle,\ \text{if the input state was } \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \qquad (5)$$
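The check that an auxiliary tool to prismgen has to perform in order to find $s_1, \ldots, s_n$, as an added Python example (the authors' tool is not reproduced in the paper): given a numbered table of 3-qubit vectors, it selects those of the form $|\phi\rangle|\psi\rangle$ required by property (2) for teleportation, or $|\psi\rangle|\phi\rangle$ required by forms (3)-(5) for the bit-flip code. A vector has that form exactly when its amplitudes, arranged as a matrix whose columns are indexed by the qubit that should carry $|\psi\rangle$, have every row proportional to $\psi$. The table `SAMPLE_TABLE` is constructed by hand for illustration and all function names are choices made here.

```python
# Added example: the check an auxiliary tool to prismgen has to perform in order
# to find s_1, ..., s_n. The authors' tool is not reproduced in the paper; the
# SAMPLE_TABLE below is constructed by hand to stand in for a numbered state
# table, and all function names are choices made here.
S = 2 ** -0.5
ZERO, ONE, PLUS, MINUS = [1, 0], [0, 1], [S, S], [S, -S]


def tensor(*vecs):
    """Kronecker product of state vectors, leftmost factor = leftmost qubit."""
    out = [1]
    for v in vecs:
        out = [x * y for x in out for y in v]
    return out


def as_rows_of_psi(vec, psi_position):
    """Arrange the 8 amplitudes of |q0 q1 q2> so that the qubit which should
    carry |psi> indexes the columns: a 4x2 matrix with rows |q0 q1> when psi
    is the last qubit, or (after transposing) rows |q1 q2> when it is the first."""
    if psi_position == "last":
        return [[vec[r * 2 + c] for c in range(2)] for r in range(4)]
    rows = [[vec[r * 4 + c] for c in range(4)] for r in range(2)]
    return [list(col) for col in zip(*rows)]


def has_factor(vec, psi, psi_position, eps=1e-9):
    """True iff vec = |phi>|psi> (psi_position 'last') or |psi>|phi> ('first'):
    every row of the arranged matrix must be a scalar multiple of psi, i.e.
    the matrix equals phi psi^T. Global phase is irrelevant to this test."""
    k = next(i for i in range(2) if abs(psi[i]) > eps)   # a pivot entry of psi
    for row in as_rows_of_psi(vec, psi_position):
        scale = row[k] / psi[k]
        if any(abs(row[i] - scale * psi[i]) > eps for i in range(2)):
            return False
    return any(abs(a) > eps for a in vec)                # the zero vector is no state


def final_state_numbers(numbered_states, psi, psi_position):
    """The s_1, ..., s_n of properties (2) and (6): the numbers of the table
    entries whose vector has the required product form."""
    return [i for i, v in enumerate(numbered_states) if has_factor(v, psi, psi_position)]


# Constructed stand-in for a prismgen state table (the real one is much larger).
SAMPLE_TABLE = [
    tensor(ZERO, ZERO, PLUS),        # 0: |00>|+>, Bob holds |+> after teleportation
    tensor(ONE, ZERO, PLUS),         # 1: |10>|+>, another measurement outcome
    tensor(PLUS, ZERO, ZERO),        # 2: |+>|00>, form (5) for the bit-flip code
    [S, 0, 0, 0, 0, 0, 0, S],        # 3: (|000>+|111>)/sqrt2, no qubit factors out
    tensor(ZERO, ONE, ONE),          # 4: |01>|1>
    [S, 0, 0, S, 0, 0, 0, 0],        # 5: |0>(|00>+|11>)/sqrt2: first qubit factors, last does not
]

if __name__ == "__main__":
    print("telep_end, |+> on the last qubit :", final_state_numbers(SAMPLE_TABLE, PLUS, "last"))
    print("qbf_end,   |+> on the first qubit:", final_state_numbers(SAMPLE_TABLE, PLUS, "first"))
```

Because the test is on the product form rather than on a specific vector, the expected final states never have to be worked out by hand; only the input $|\psi\rangle$ and the position of Bob's (or the code) qubit are chosen in advance, which is all the specification of the protocol fixes.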

The properties used in prism to verify the protocol are analogous to those for teleportation, taking the form

$$P_{\geq 1}\,[\ \mathrm{true}\ \mathrm{U}\ ((\mathit{qbf\_end}) \wedge ((\mathit{st} = s_1) \vee \cdots \vee (\mathit{st} = s_n)))\ ]\qquad (6)$$

where qbf_end is a predicate which holds when the protocol completes, and the values $s_1, \ldots, s_n$ represent quantum states of one of the forms given in (3)-(5). prism confirms that the protocol does indeed leave the 3-qubit system in one of these forms, depending on the input, as expected. The code corrects a single bit flip only: the channel in the model perturbs one qubit, so (6) says nothing about phase errors or about two or more flips, which this code cannot correct.

4 Challenges and Future Prospects

We have demonstrated our approach to the analysis of quantum communication protocols using simple examples. There is significant scope for future work, ranging from improvements to our current code-generation techniques, to the automated verification of larger systems, such as quantum cryptographic devices.


At present we explicitly construct state spaces and transition tables for systems involving up to three qubits and the $H$, CNot and $\sigma_i$ operators. We have informally reached the conclusion that, for any number of qubits, there is a finite set of states which is closed under these operators. It is not directly obvious how many states these are, but this could be established computationally. There is a mathematical framework called the stabilizer formalism, which could be used to calculate these states; since $H$, CNot and the Paulis generate a subgroup of the Clifford group, the closed set reachable from $|0\cdots 0\rangle$ consists of stabilizer states with real amplitudes. Investigating this formalism and its implications could lead to more efficient model checking for protocols; it is already known that stabilizer circuits can be efficiently simulated by a classical computer [1].

The guarded transitions of prism's modelling language make it awkward to express some basic control structures such as sequencing. Each prism module typically requires a variable which acts as a program counter and must be explicitly incremented in each transition. We intend to develop automatic translations from the high-level process calculus cqp [6] into prism's native language. Combining such a specification formalism for protocol models with a logic for defining properties will allow us to verify quantum protocols at a higher level.

Our ultimate aim is to construct models of larger systems which combine quantum and classical components, or which combine more than one quantum protocol. For example, we are working on augmenting an existing model [13] of the BB84 key-distribution protocol with descriptions of authentication, secret-key reconciliation, and privacy amplification protocols [8]. As prism allows probabilities of particular events to be calculated directly, we can obtain numerical values of probability, such as those that arise in mathematical analyses of security; we have taken advantage of this capability in our existing model of BB84.
More complex protocols generally involve larger numbers of qubits, leading to ever greater state spaces for verification.

5 Conclusions

We have established, for the first time, techniques for analyzing and verifying quantum communication systems. Our key contributions are the development of a general approach to modelling the state space of systems of several qubits, and the introduction of techniques for defining properties of quantum protocols in the logic pctl. We have illustrated our approach by modelling and verifying three example protocols (focusing on superdense coding only here) using prism. Although these examples are simple, they are important building blocks of the theory of quantum communication. Having established fundamental and general techniques for formal verification of quantum protocols, we are in a strong position to carry out end-to-end verifications of larger systems, such as those used for quantum cryptography.


References

[1] Aaronson, S. and D. Gottesman, Improved simulation of stabilizer circuits (2004), available at arXiv.org, record quant-ph/0406196.
[2] Bennett, C. H. and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in: Proceedings of the International Conference on Computers, Systems and Signal Processing, 1984.
[3] Bennett, C. H., G. Brassard, C. Crépeau, R. Jozsa, A. Peres and W. K. Wootters, Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels, Physical Review Letters 70 (1993), pp. 1895-1899.
[4] Bennett, C. H. and S. J. Wiesner, Communication via one- and two-particle operators on Einstein-Podolsky-Rosen states, Physical Review Letters 69 (1992), pp. 2881-2884.
[5] Ciesinski, F. and M. Größer, On probabilistic computation tree logic, in: Validation of Stochastic Systems, 2004, pp. 147-188.
[6] Gay, S. and R. Nagarajan, Communicating quantum processes, in: POPL '05: Proceedings of the 32nd ACM Symposium on Principles of Programming Languages, Long Beach, California, 2005.
[7] Grover, L. K., A fast quantum mechanical algorithm for database search, in: Proc. 28th Annual ACM Symposium on the Theory of Computing (STOC), 1996, pp. 212-219.
[8] Gruska, J., "Quantum Computing," McGraw-Hill International, 1999.
[9] Kwiatkowska, M., G. Norman and D. Parker, Modelling and verification of probabilistic systems, in: P. Panangaden and F. V. Breugel, editors, Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, American Mathematical Society, 2004, Volume 23 of CRM Monograph Series.
[10] Mayers, D., Unconditional security in quantum cryptography, Journal of the ACM 48 (2001), pp. 351-406.
[11] Nielsen, M. A. and I. L. Chuang, "Quantum Computation and Quantum Information," Cambridge University Press, 2000.
[12] Papanikolaou, N., Introduction to quantum cryptography, ACM Crossroads Magazine 11.3 (2005), pp. 10-16.
[13] Papanikolaou, N., "Techniques for Design and Validation of Quantum Protocols," Master's thesis, Department of Computer Science, University of Warwick (2005).
[14] Parker, D., G. Norman and M. Kwiatkowska, PRISM 2.0 users' guide (2004).
[15] Ryan, P., S. Schneider, M. Goldsmith, G. Lowe and B. Roscoe, "Modelling and Analysis of Security Protocols," Pearson Education, 2001.
[16] Shor, P., Algorithms for quantum computation: discrete logarithms and factoring, in: Proceedings of the 35th Annual Symposium on Foundations of Computer Science (1994).
[17] Steane, A. M., Quantum computing and error correction, in: A. Gonis and P. Turchi, editors, Proceedings of the NATO Advanced Research Workshop (2000), pp. 284-298.


DCM 2006

Handshake Games

Luca Fossati 1,2
Dipartimento di Informatica
Università di Torino
Torino, Italia

Abstract

In this paper I present what I accomplished so far. I present a game model for the semantical analysis of handshake circuits. I show how the model captures effectively the composition of circuits in an associative way. Then I build a compact-closed category of handshake games and handshake strategies and I show informally how these can be applied in the semantics, when events encoding data are also considered. In an appendix I show that the proposed reformulation of nondeterministic strategies works for the sequential case (in the sense of [5]) as well.

Key words: Game semantics, handshake circuits, nondeterminism, concurrency, associativity.

1 Introduction

The handshake protocol has experienced a great commercial success as a paradigm for asynchronous communication and computation. It is a protocol of communication between circuits, which are connected through channels over which they exchange information. In particular a circuit sends a message over a channel through an interface called port. In a communication over a single channel, one circuit takes the active role and sends the first message while the other is initially waiting for an activation sign. Then the former waits for the latter to reply, and so on. From a circuit's point of view, this behavior induces an alternating sequence of input and output messages, requests and acknowledges.

The handshake technology has been employed in parts of several integrated systems; moreover, in the Philips Research Labs a programming language called Tangram has been designed, whose programs are naturally translated

1 I thank Felice Cardone for having started me on the subject, Russ Harmer, Paul-André Melliès and Pierre-Louis Curien for useful hints on the critical part.
2 Email: fossati@di.unito.it

This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs


Fossati

into and implemented as handshake circuits. With an architecture that does not rely on a central clock, these circuits gain in efficiency and speed (a slow module has a lower impact on the overall system) and pose fewer problems in the engineering phase. But in contrast with the increase of interest in the implementations of the protocol, the foundational investigation rests still as it was ten years ago. For example, there is not yet an analysis of handshake processes which, in addition to exchanging synchronization events, also exchange data in their communications. Moreover all the literature relies on a single model [13]: indeed, a very natural characterization of circuits with a nice analysis of their behavior; however some points are still not treated in sufficient detail.

The main of these is surely the analysis of composition. The property of delay insensitivity allows us to ignore the order in which messages reach destination, to do as if it was the same order in which they have been sent ([13], page 75). Still, it remains not trivial to model composition precisely. Surely handshake circuits compose and surely they compose in the same way no matter the order of compositions (associativity): in the end it is just the same physical phenomenon observed from different angles... but, does the model capture the observation of the physical phenomenon faithfully? Is any quiescent point (inside a communication) taken into account by the model? As expected, the problem arises in presence of the "infamous" infinite internal chatters and really causes big trouble, as associativity of composition is a fundamental property.

While looking deeper into the issue I found a counter-example to the associativity of composition in Van Berkel's model.
Later on, Russ Harmer pointed out to me another (more general) counter-example, due to Roscoe [12], which tells that any model of unbounded nondeterminism must list explicitly the possibly infinite communications inside the process' description.

My search for a solution was based on previous game semantics of nondeterminism and concurrency [4][5][3][6][8], in which the problem of composition is treated in full detail. The choice is in part motivated by the many similarities between the game paradigm and the handshake protocol. The common view of computation as interaction is the key ingredient, from which follow several other correspondences, where all the dualisms are reflected. In most cases it is just a matter of switching to a new vocabulary:

• player/opponent ⟺ system/environment;
• passive/active ⟺ negative/positive;
• move ⟺ message;
• P-move/O-move ⟺ input/output;
• query/response ⟺ request/acknowledge.

One could also argue that games correspond to handshake structures and


strategies to handshake processes 3, but on these aspects the correspondence is not so clear in the handshake circuits literature. There is no clear distinction between a process and its structure, no concept of a type. This is another motivation for adopting the game formalism: definitely game models rely on powerful mathematical structures such as categories and logic, and these are the perfect tools for defining a type theory. The work could be placed inside Abramsky's program to bridge the historical gap in formal semantics, between the family of functional models (denotational semantics) and models of concurrency (process calculi) ([1] and [2], among other works).

Combining nondeterminism with concurrency and asynchrony has been a major issue to deal with. Moschovakis published several works in that direction (starting from [10]) but I believe the aim there was more directed to the verification of properties (fairness) than to the structural analysis, which makes his works essentially different from mine. A reasonable choice was to extend the model for finite nondeterminism of Harmer and McCusker [4] but unfortunately that is justified only with the assumption of sequentiality of the overall communication (the strict alternation within plays). So I turned to countable nondeterminism [5], reformulated in a way that allows extension to parallelism. Basically in the new formalism, nondeterministic strategies are seen as sums of deterministic strategies. The idea of such a presentation was given to me by Paul-André Melliès during a discussion and follows quite a few works in the literature, starting from [11] and including the works by Moschovakis.

2 Notations

In the following I will give a few definitions that always turn out useful when dealing with the formal aspects of concurrency.
Some are inherited from Mazurkiewicz's seminal work on trace theory, even though I changed them in order to fit them in the current context.

We define a concurrent alphabet as an alphabet $M$ equipped with a binary reflexive, symmetric and transitive relation $D$ over its letters (moves, as we will call them). $D$ is called the dependence relation. Being an equivalence relation, $D$ decomposes the alphabet into equivalence classes which we call partitions. A string over $\langle M, D\rangle$ is just a string over $M$. The complementary relation is independence, $I$.

Let $\langle M, D\rangle$ be a concurrent alphabet. Every string $s$ over $M$ has an underlying graph induced by $D$. The vertices are the moves in $s$ and edges between two moves are present if and only if the two moves are dependent with each other. Any maximal clique is the underlying graph of a unique string $t$ contained in $s$, where moves appear in the same order in $t$ as they appear in $s$. We

3 This would allow one to give a neat definition of handshake circuits as specifications of behaviors over structures.


say $t$ is a thread of $s$. A thread could also be seen as a string over a partition of $\langle M, D\rangle$. The initial move of a thread $t$ is the first move that appears in $t$. The initial moves of a string $s$ are the initial moves of each of its threads.

Consider the above concurrent alphabet and let $D' \subseteq D$. $D'$ is a full subdependence of $D$ when it preserves reflexivity, transitivity, and symmetry (the dependence relation of a partition is a full subdependence, for example). $m \in M$ is involved in $D'$ when $\exists n \in M$ such that $(m\ D'\ n)$. Now let $D'$ be a full subdependence of $D$, $s$ a string over $M$ and $M' \subseteq M$ the set of moves involved in $D'$. We can define $s \upharpoonright \langle M', D'\rangle$ as the string obtained by keeping only the moves from $M'$, in the same order as they appear in $s$. Normally we write just $s \upharpoonright M'$, assuming we have a full subdependence associated to it.

Finally recall the standard order $\sqsubseteq$ on strings $s$ and $t$:
$$s \sqsubseteq t \iff t = s\,t'$$
where $t'$ is a string over $\langle M, D\rangle$, possibly equipped with internal pointers as well as pointers to moves in $s$. We say that $t$ is an extension of $s$ with the moves in $t'$. We write $\mathit{len}(s)$ for the length of a string $s$.

3 Handshake Games

Definition 3.1 A handshake game is a structure $A = \langle M_A, D_A, \lambda_A\rangle$, where $M_A$ is a set of moves and $D_A$ a dependence relation on them. Together they form a concurrent alphabet on which we impose a finite number of partitions. $\lambda_A : M_A \to \{-,+\} \times \{R,A\}$ is a labelling function; we denote by $\lambda^{-+}_A$ and $\lambda^{RA}_A$ its two projections. The first one determines the polarity: the moves with positive polarity are called player moves and those with negative polarity are called opponent moves. The second projection distinguishes requests ($R$) from acknowledges ($A$). We impose no ambiguity of labels within a partition. Given $m, n \in M_A$ such that $m\ D_A\ n$:
$$\lambda^{-+}(m) = \lambda^{-+}(n) \iff \lambda^{RA}(m) = \lambda^{RA}(n)$$

Game.
We can imagine a game 4 as providing a universal structure over which several processes of the same kind can be implemented.

Example 3.2 The simplest case is the game associated to a port structure, where all moves are in the same equivalence class, as they represent a set of messages which are all going to be sent over the same channel. For example, we can associate a generic passive port to a game $A = \langle M_A = M_1 \cup M_2, D_A, \lambda_A\rangle$ such that:

• $M_1 = \{\mathit{req}(v) \mid v \in V_1\}$ and $M_2 = \{\mathit{ack}(v) \mid v \in V_2\}$;
• $D_A = M_A \times M_A$;

4 From now on we can leave the adjective, handshake, implicit.


• $\forall m \in M_1$, $(\lambda^{-+}(m) = -) \wedge (\lambda^{RA}(m) = R)$;
• $\forall m \in M_2$, $(\lambda^{-+}(m) = +) \wedge (\lambda^{RA}(m) = A)$.

The port is passive, and this finds semantic correspondence in that only the opponent can issue a request; only the opponent is allowed "to start". The sets $V_1$ and $V_2$ represent the sets of values the two players can attach to their moves. Special cases occur when these sets are singletons, or equivalently when no data are added. In particular when there are only one request and one acknowledge we are representing a nonput port. Input ports are obtained by allowing the opponent to encode data in its moves, while in output ports it is the player who can encode data in its moves. If they both can, then we have a byput port.

Connectives. A simple operation allows us to change a game's polarity:
$$A^\perp = \langle M_A, D_A, \lambda_{A^\perp}\rangle$$
where $\lambda_{A^\perp} = \langle \overline{\lambda^{-+}_A}, \lambda^{RA}_A\rangle$, and $\overline{\lambda^{-+}_A}$ gives $-$ when $\lambda^{-+}_A$ gives $+$ and vice versa. So for example, a generic active port can be described as the dual $A^\perp$ of the generic passive port $A$ described above.

We also have a binary connective, the costar product. This allows us to give a representation to more complex structures, structures with more than one port. Given two games $A$ and $B$ their costar product is:
$$A \star B = \langle M_A + M_B,\ D_A + D_B,\ \lambda_A + \lambda_B\rangle$$
Note that $D_A$ and $D_B$ are full subdependencies of $D_{A \star B}$ and $M_A$ ($M_B$) is exactly the set of moves involved in $D_A$ ($D_B$). Then we can relax the definition of restriction and write $s \upharpoonright A$ ($s \upharpoonright B$) instead of $s \upharpoonright \langle M_A, D_A\rangle$ ($s \upharpoonright \langle M_B, D_B\rangle$).

Play. As usual in games, player and opponent take turns to play their respective moves. Here though we liberalize things a little, as we are working in a concurrent framework: we impose the turn alternation only on the threads of our play (look at it as if we were playing several games in parallel). Formally a play on a game $\langle M_A, D_A, \lambda_A\rangle$ 5 is just a string over the concurrent alphabet $\langle M_A, D_A\rangle$.
A play is legal if and only if:
• all its initial moves are requests;
• all its threads are alternating sequences of requests and acknowledges, and of player and opponent moves.
We write $L_A$ for the set of legal plays over the game $A$, and $L^{\mathit{fin}}_A$ and $L^\omega_A$ for the subsets of finite and infinite legal plays, respectively. Note that a play over a game can only contain a finite number of threads (finite concurrency), because the alphabet of the game can only have a finite number of partitions.

⁵ The term play is inherited from game semantics. It corresponds to the handshake traces in the handshake circuits theory.
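As an added example (not code from the paper), the following Python encodes the games of Example 3.2 and the two legality conditions just stated: a port is a game whose moves carry $\lambda^{-+}$ and $\lambda^{RA}$, `dual` flips polarity, `costar` is the disjoint union, and `legal` checks that every thread (the moves on one port, since all moves of a port are mutually dependent) starts with a request and alternates request/acknowledge and opponent/player. The names (`passive_port`, `legal`), the move encoding as `(port, kind, value)` triples and the sample plays are this example's own choices.

```python
from collections import defaultdict

# A game is a dict: "moves" maps each move, encoded as (port, kind, value),
# to its labels (lambda^{-+} polarity in {"-", "+"}, lambda^{RA} kind in
# {"R", "A"}); "ports" is the set of port names.  Two moves are dependent
# exactly when they share a port, so D_A is recovered from the port name.


def passive_port(name, req_values=(None,), ack_values=(None,)):
    """Example 3.2: requests req(v) are opponent moves, acknowledges ack(v)
    are player moves.  Singleton value sets give a nonput port; values on
    requests only give an input port, on acknowledges only an output port,
    on both a biput port."""
    moves = {}
    for v in req_values:
        moves[(name, "R", v)] = ("-", "R")
    for v in ack_values:
        moves[(name, "A", v)] = ("+", "A")
    return {"moves": moves, "ports": {name}}


def dual(game):
    """A^perp: same moves and dependency, polarity flipped."""
    flip = {"-": "+", "+": "-"}
    return {"moves": {m: (flip[pol], kind) for m, (pol, kind) in game["moves"].items()},
            "ports": set(game["ports"])}


def costar(a, b):
    """A costar B: disjoint union of the moves; port names must not clash."""
    if a["ports"] & b["ports"]:
        raise ValueError("costar needs disjoint port names")
    return {"moves": {**a["moves"], **b["moves"]}, "ports": a["ports"] | b["ports"]}


def threads(play):
    """The threads of a play: the subsequence of moves on each port."""
    by_port = defaultdict(list)
    for m in play:
        by_port[m[0]].append(m)
    return dict(by_port)


def legal(game, play):
    """The two legality conditions: every thread starts with a request and
    alternates request/acknowledge as well as opponent/player moves."""
    if any(m not in game["moves"] for m in play):
        return False
    for thread in threads(play).values():
        expect_kind, prev_pol = "R", None
        for m in thread:
            pol, kind = game["moves"][m]
            if kind != expect_kind:   # initial move is not a request, or no req/ack alternation
                return False
            if pol == prev_pol:       # the same side moved twice in a row on this thread
                return False
            expect_kind = "A" if kind == "R" else "R"
            prev_pol = pol
    return True


if __name__ == "__main__":
    # Constructed sample: an active boolean port (the dual of a passive input
    # port) costar a passive nonput port.
    A = passive_port("A", req_values=(True, False))
    B = passive_port("B")
    G = costar(dual(A), B)
    print(legal(G, [("A", "R", True), ("B", "R", None), ("A", "A", None), ("B", "A", None)]))  # True
    print(legal(G, [("A", "A", None)]))                    # False: initial move is an acknowledge
    print(legal(G, [("A", "R", True), ("A", "R", False)]))  # False: second request before an ack
```

Because dependency is "same port", the threads of a play are exactly its per-port projections, which is also what finite concurrency refers to: a play can have at most as many threads as the game has ports.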

The equivalence on moves ($D_A$) induces an equivalence on plays, the homotopy relation $\sim_A$. Let $s, t \in L_A$; we say that $s \sim_A t$ just when they have the same set of threads⁶.

Prestrategy. I will introduce strategies gradually: starting from the general class of prestrategies I will characterize positionality and determinism; by then we will be working with actual strategies, but in order to consider nondeterministic behaviors as well we will need a further generalization. All of these classes really need the adjective handshake, as we are working in a handshake framework, but since it will be clear from the context I will leave it implicit.

I start with some formal notions. Given a set of plays $\sigma$ on a game $A$:
• The prefix-closure of $\sigma$ is $\overline{\sigma} = \{ s \in L_A \mid s \sqsubseteq t \in \sigma \}$.
• For a play $s \in \overline{\sigma}$, its successor set (with respect to $\sigma$) is $\mathit{succ}(s, \sigma) = \{ m \in M_A \mid sm \in \overline{\sigma} \}$.
• $s$ is passive in $\sigma$, written $\mathit{pas}(s, \sigma)$, iff there is no move the player can make at $s$: $m \in \mathit{succ}(s, \sigma) \Rightarrow \lambda^{-+}(m) = -$.
• $\mathit{Pas}(\sigma)$ is the set of passive plays in the prefix-closure of $\sigma$: $\mathit{Pas}(\sigma) = \{ s \in \overline{\sigma} \mid \mathit{pas}(s, \sigma) \}$.
• Given two independent moves $m, n \in M_A$ and four plays $r, s, t, u$ of $A$, we define $\triangleright_A$ as the smallest binary relation such that:
  · $(mn \triangleright_A nm) \iff ((\lambda^{-+}(m) = -) \vee (\lambda^{-+}(m) = \lambda^{-+}(n)))$⁷;
  · $t \triangleright_A t$;
  · $(r \triangleright_A s) \wedge (s \triangleright_A t) \Rightarrow (r \triangleright_A t)$;
  · $(r \triangleright_A s) \wedge (t \triangleright_A u) \Rightarrow (rt \triangleright_A su)$.
  We say that $s$ reorders $t$ in $A$ when $s \triangleright_A t$⁸.
• Let $s, t$ be two plays of $A$ and define $s \sqsubseteq^{\mathit{in}}_A t$ if and only if $s \sqsubseteq t$ and $t$ contains only opponent moves after $s$ (we say that $t$ is an input-extension of $s$ in $A$).

Definition 3.3 A (handshake) prestrategy $\sigma$ on a game $A$ is a set of legal plays of $A$ such that:
(i) $\sigma \neq \emptyset$ (non-empty);
(ii) $\mathit{Pas}(\sigma) \subseteq \sigma$ (closed under passive prefixes);
(iii) $(t \in \sigma \wedge s \triangleright_A t) \Rightarrow s \in \sigma$ (reorder closed);
(iv) $(s \in \overline{\sigma} \wedge s \sqsubseteq^{\mathit{in}}_A s') \Rightarrow s' \in \overline{\sigma}$ (receptive).

$\sigma$ is conveniently described as a couple $\langle Q_\sigma, I_\sigma \rangle$, where $Q_\sigma$ is the set of quiescent and $I_\sigma$ the set of infinite plays of $\sigma$. The explicit inclusion of infinite plays allows us to distinguish the case in which a strategy may follow an infinite communication but at a certain point will surely stop from the case in which it could continue to infinity. The quiescent plays represent the finite points at which the player may stop to wait for the opponent to move. The passive plays represent those points at which the player has no other choice but to wait: they need to be quiescent.

In the case of nonput ports, some well-known prestrategies are $\mathit{STOP}$ and $\mathit{SKIP}$. $\mathit{STOP}$ simply accepts opponent moves without acknowledging them, while $\mathit{SKIP}$ does acknowledge requests but never starts a handshake itself:
• $\mathit{STOP}_A = \{ s \in L_A \mid (s)^+ = 0 \}$;
• $\mathit{SKIP}_A = \{ s \in L_A \mid (s)^- = (s)^+ \}$,
where $(s)^-$ and $(s)^+$ stand for the number of opponent and of proponent moves in $s$, respectively. It is interesting to see that, once data are added to moves, a prestrategy like $\mathit{SKIP}$ becomes a highly nondeterministic specification, after which a wide range of possible prestrategies could be implemented. Consider the simple case where $A$ represents a single passive port. If data were added only to requests, no nondeterminism would be introduced. If, on the other hand, booleans were added only to acknowledges, the player would have many available options: it could always answer $\mathit{tt}$ or $\mathit{ff}$, or alternate the two answers, ... This is even more interesting if the port is a biput. Here the number of possible implementations is extremely high: identity, boolean not, constant, integer successor, test for zero, ...

Composition. Given two prestrategies, $\sigma$ on $A^\perp \circledast B$ and $\tau$ on $B^\perp \circledast C$, their composition is readily defined:
$\tau \circ \sigma = \{ u \upharpoonright A, C \mid u \in L_{A,B,C} \wedge u \upharpoonright A, B \in \sigma \wedge u \upharpoonright B, C \in \tau \}$
Two definitions related to composition.

⁶ The use of homotopy in concurrent games is due to Melliès and Mimram [8][9].
⁷ Let me give one intuition here. We may receive two inputs in any order and we may output two messages in any order. Also, an input may arrive before we output. The converse does not hold, though: we may have to wait for an input before we can output.
⁸ I chose to keep the definition as in the original model instead of extending it to infinite sequences of reorderings; this is coherent with the degree of 'intensionality' in the model.
A play $s \in L^{\mathit{fin}}_{A,B,C}$ is an interleaving in the composition of $\sigma$ and $\tau$ if and only if $s \upharpoonright A, B \in \overline{\sigma}$ and $s \upharpoonright B, C \in \overline{\tau}$. $s$ is a witness (for $s \upharpoonright A, C$) in the composition of $\sigma$ and $\tau$ if and only if $s \upharpoonright A, B \in \sigma$ and $s \upharpoonright B, C \in \tau$.

Unfortunately, composition of prestrategies is not well-defined in general. Informally: consider the general prestrategy $\mathit{RUN}$, which is always eager to get engaged in a handshake (whether its role is to start or to answer). Consider the composition of $\mathit{RUN}_B$ with $\mathit{RUN}_{B^\perp}$. Being dual processes, they will never agree on being quiescent at the same time: each one will be willing to continue (or to start over) immediately when its turn comes. Then, if the infinite play which emerges from this eternal ping-pong is not itself contained in the two prestrategies, the composition is empty.

Positionality. We need to focus on a subset of the set of prestrategies for which composition works. It seems natural, then, to start with deterministic prestrategies. However, it turns out that determinism is preserved by composition only in the presence of another very important property of concurrent strategies, positionality. Positionality is based on the relation of homotopy between plays.

Definition 3.4 A prestrategy $\sigma$ on a game $A$ is positional if and only if, for finite $s, s' \in \overline{\sigma}$ and infinite $t, t' \in L^\omega_A$, with $s \sim s'$ and $t \sim t'$, we have:
(i) $s \cdot \bar{s} \in \overline{\sigma} \Rightarrow s' \cdot \bar{s} \in \overline{\sigma}$ (positionality and prefixes);
(ii) $s \in \sigma \Rightarrow s' \in \sigma$ (positionality and quiescence);
(iii) $t \in \sigma \wedge (\forall \bar{t} < t',\ \bar{t} \in \overline{\sigma}) \Rightarrow t' \in \sigma$ (positionality and infinite plays).
Intuitively, a position is a state: we can reach a certain state in different ways, but however we got there we have the same options to move on or to wait.

Determinism. Let $A$ be a game and $a$ and $b$ two distinct player moves of $A$. A positional prestrategy $\sigma$ on $A$ is deterministic just when:
(i) $ta \in \overline{\sigma} \Rightarrow t \notin \sigma$;
(ii) $ta \in \overline{\sigma} \wedge tb \in \overline{\sigma} \Rightarrow tab \in \overline{\sigma}$;
(iii) $I_\sigma = \{ t \in L^\omega_A \mid \forall t' < t,\ \forall m \in \mathit{succ}(t', \sigma) \text{ with } \lambda^{-+}(m) = +,\ \exists t'' < t \text{ s.t. } t' < t'' \cdot m < t \}$.
The first two conditions are the usual conditions for determinism. Moreover, a deterministic strategy that has engaged in an infinite chatter may not decide to quit at any point. A malicious opponent could force a deterministic strategy to follow the course that he wants, even to diverge; if the opponent acts in this way there is no means for the deterministic strategy to escape the malicious design. The third condition tells exactly which are the infinite plays that a deterministic strategy must contain.

It is clear that the third condition of determinism implies the third condition of positionality. So, for deterministic prestrategies, positionality can be expressed with two properties.

Composition.
We now proceed to the proof that composition is well-defined for deterministic positional prestrategies. In the following let $\sigma$ and $\tau$ be two deterministic positional prestrategies on $A^\perp \circledast B$ and $B^\perp \circledast C$, respectively. We start with two definitions.

Given $u$ and $v$ such that $u \triangleright v$, we define $d_\triangleright(u, v)$, the reordering distance between $u$ and $v$:
• $d_\triangleright(u, v) = 0 \iff u = v$;
• $d_\triangleright(u, v) = 1 \iff (u = u' \cdot a \cdot b \cdot u'') \wedge (v = u' \cdot b \cdot a \cdot u'')$, for two moves $a$ and $b$;
• in general, $d_\triangleright(u, v) = n > 0$ if and only if $u \neq v$ and there are $n + 1$ (and no fewer) plays $u_0, u_1, \ldots, u_n$ such that $u = u_0$, $u_n = v$ and $d_\triangleright(u_i, u_{i+1}) = 1$.
In exactly the same way we define the homotopy distance $d_\sim(u, v)$ on homotopic plays $u \sim v$.

Lemma 3.5 Let $s \in L^{\mathit{fin}}_{A,B,C}$ be an interleaving in the composition of $\sigma$ and $\tau$. Then there is $t \sqsupseteq s$ such that $t$ is a witness in the composition of $\sigma$ and $\tau$.

Proof. If $s \upharpoonright A, B \in \sigma$ and $s \upharpoonright B, C \in \tau$, $s$ itself is the witness. Otherwise, suppose $\sigma$ is not quiescent at $s$. Then $s$ is not passive in $\sigma$: $\sigma$ can play a move after $s$. We start by saturating the external threads of $\sigma$ with player moves. Then we let $\sigma$ play in $B$ until quiescence, while $\tau$ must be ready to accept this stream (receptivity). Now, if $\tau$ is quiescent we are done; otherwise we saturate it outside. If it becomes quiescent we are done as well; otherwise we let it play inside until quiescence. Then it is $\sigma$'s turn again, and so on. If after a while they both become quiescent then we have our witness. Otherwise they run to infinity, but then we also have our witness (determinism). □

Lemma 3.6 Let $t \in \overline{\tau \circ \sigma}$ and let $u$ and $v$ be two interleavings for $t$ in $\tau \circ \sigma$. Then $u$ can be completed with all the occurrences of moves that are in $v \setminus u$ so as to obtain an interleaving $z$ for $t$ in $\tau \circ \sigma$.

Proof. A few remarks. After $\sigma$ ($\tau$) makes a move $m$ it can still play all the moves it could play before, except $m$ itself (determinism). $\tau$ ($\sigma$), instead, can still play all the moves it could play before and possibly more (receptivity and reordering). It follows that if $m$ is initial in $v$ and $m\ I\ u$ ($m$ is independent of every move of $u$) then $u' \cdot m \cdot u''$ is still an interleaving for $t$ in $\tau \circ \sigma$, for any factorization $u' \cdot u''$ of $u$. Otherwise, if $m\ D\ u$ ($m$ depends on some move of $u$), then $u = u' \cdot n \cdot u''$, where $m\ I\ u'$ and $m\ D\ n$. If $m$ and $n$ were distinct, $\sigma$ ($\tau$) could play $m$ even after $n$ (determinism).
But this is not possible, since they are dependent moves and necessarily have the same polarity; hence $m = n$.

We can obtain $z$ as the result of calling the following untyped informal procedure on $u$ and $v$ (the case $u = \varepsilon$, which the recursion eventually reaches in both branches, returns $v$ unchanged):

    union(u, v) {
        if (u = ε) then return v;
        m := head(u);
        ū := tail(u);
        if (m I v) then
            z := m · union(ū, v);
        else if (v = v' · m · v'') then
            z := m · union(ū, v' · v'');
        return z;
    }

□
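The following Python is an added example (not the paper's own code) that makes the procedure above executable, using the dependency of Example 3.2 (two moves are dependent exactly when they pass through the same port). With that dependency, `threads` and `homotopic` also implement the homotopy relation $\sim_A$ defined earlier: two plays are homotopic when their threads, i.e. their per-port projections, coincide. The merged play is checked against both inputs with `restrict` (the paper's $s \upharpoonright$ on a set of ports). Moves are encoded as `(port, label)` pairs and the sample plays are constructed for the example; when the first move of `v` that `m` depends on is not an occurrence of `m` itself, the inputs are not two interleavings of one play and `union` raises.

```python
# Moves are (port, label) pairs.  Moves on the same port are dependent (they
# form one thread); moves on different ports are independent.


def independent(m, n):
    return m[0] != n[0]


def threads(play):
    """The threads of a play: its projection on each port, in order."""
    out = {}
    for port, label in play:
        out.setdefault(port, []).append(label)
    return out


def homotopic(s, t):
    """s ~ t iff they have the same set of threads."""
    return threads(s) == threads(t)


def restrict(play, ports):
    """s restricted to the moves of the given ports (the paper's s|A)."""
    return [m for m in play if m[0] in ports]


def union(u, v):
    """Lemma 3.6's procedure: emit the moves of u in order.  A move that is
    independent of all of v is simply kept; otherwise, by the lemma, the first
    move of v it depends on is an occurrence of the same move, which is consumed."""
    if not u:
        return list(v)
    m, rest = u[0], u[1:]
    if all(independent(m, n) for n in v):
        return [m] + union(rest, v)
    k = next(i for i, n in enumerate(v) if not independent(m, n))
    if v[k] != m:
        raise ValueError(f"{u} and {v} are not interleavings of one play: "
                         f"{m} would have to overtake {v[k]} on its own port")
    return [m] + union(rest, v[:k] + v[k + 1:])


def mergeable(u, v):
    """True when union(u, v) is defined, i.e. u and v complete into one play."""
    try:
        union(u, v)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: two interleavings that agree on port A and differ
    # only in which independent port (B or C) they mention.
    U = [("A", "req"), ("B", "req"), ("A", "ack")]
    V = [("C", "req"), ("A", "req"), ("A", "ack")]
    Z = union(U, V)
    print(Z)                                          # [('A', 'req'), ('B', 'req'), ('A', 'ack'), ('C', 'req')]
    print(homotopic(restrict(Z, {"A", "B"}), U))      # True
    print(homotopic(restrict(Z, {"A", "C"}), V))      # True
    print(mergeable([("A", "req")], [("A", "ack")]))  # False
```

The two `homotopic` checks are the sense in which `Z` is "u completed with the moves of v": projected back onto either input's ports it has the same threads as that input, even though `C.req` has moved past the moves of `A` and `B` it is independent of.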

Theorem 3.7 Let $\sigma$ and $\tau$ be two deterministic positional prestrategies on $A^\perp \circledast B$ and $B^\perp \circledast C$, respectively. Then:
pre) $\tau \circ \sigma$ is a prestrategy;
pos) $\tau \circ \sigma$ is positional;
det) $\tau \circ \sigma$ is deterministic.

Proof.
pre) I skip the proof that every play in $\tau \circ \sigma$ is legal, as it is almost immediate.
(i) $\tau \circ \sigma$ is non-empty. Since neither $\sigma$ nor $\tau$ is empty, $\varepsilon$ is an interleaving of their composition. Then lemma 3.5 applies and yields a witness $t \sqsupseteq \varepsilon$ for some play in $\tau \circ \sigma$.
(ii) Let $s \sqsubseteq \bar{s}$, with $\bar{s} \in \tau \circ \sigma$ and $s \in \mathit{Pas}(\tau \circ \sigma)$. By definition there is $\bar{t} \in L_{A,B,C}$ such that $\bar{t} \upharpoonright A, B \in \sigma$, $\bar{t} \upharpoonright B, C \in \tau$ and $\bar{t} \upharpoonright A, C = \bar{s}$. Just cut $\bar{t}$ right after $s$ is played out in the external game and call the resulting play $t$. Then lemma 3.5 applies and yields a witness $t' \sqsupseteq t$ for some play in $\tau \circ \sigma$. Since $s$ is passive, $t'$ is actually a witness for $s$⁹.
(iii) Let $s \triangleright_{A^\perp, C} \bar{s}$. Consider $d = d_\triangleright(s, \bar{s})$:
  $d = 0$: then there is a witness $\bar{u}$ of $\bar{s}$ which is also a witness of $s$;
  $d = n$: then there are $s_0, s_1, \ldots, s_n \in L_{A,C}$ such that $s = s_0$, $s_n = \bar{s}$ and $d_\triangleright(s_i, s_{i+1}) = 1$ for all $0 \leq i < n$. By induction on $d$ we know that $s_1 \in \tau \circ \sigma$. Let $s_1 = s' \cdot m \cdot n \cdot s''$ and $s_0 = s' \cdot n \cdot m \cdot s''$. Moreover, take a witness $u_1 \in L_{A,B,C}$ of $s_1$ of the form $u_1 = u' \cdot m \cdot u_b \cdot n \cdot u''$, where $u'$ and $u''$ are interleavings of $s'$ and $s''$, respectively, and $u_b$ is a sequence of moves in $B$. If $n$ is an opponent move then we define $u_0 = u' \cdot n \cdot m \cdot u_b \cdot u''$; otherwise $n$ is a proponent move, and so is $m$ (reordering two moves of which the first is not an opponent move requires them to have the same polarity), and we define $u_0 = u' \cdot u_b \cdot n \cdot m \cdot u''$. In any case $u_0 \upharpoonright A, C = s$, $u_0 \upharpoonright A, B \triangleright_{A^\perp, B} u_1 \upharpoonright A, B \in \sigma$ and $u_0 \upharpoonright B, C \triangleright_{B^\perp, C} u_1 \upharpoonright B, C \in \tau$; hence $s \in \tau \circ \sigma$.
(iv) Let $s \in \overline{\tau \circ \sigma}$ and let $s \sqsubseteq^{\mathit{in}} s \cdot s'$. Reasoning as in the second point we can find an interleaving $u$ for $s$ in the composition $\tau \circ \sigma$. It follows from the receptivity of the two prestrategies that $u \cdot s'$ is also an interleaving. Then lemma 3.5 applies and we are done.
pos) As already remarked, the third property of positionality follows from determinism, which will be proved later on. The first two properties can be proved in exactly the same way, so I prove just the first one. Let $s, s' \in \overline{\tau \circ \sigma}$, with $s \sim s'$, and let $s \cdot \bar{s} \in \overline{\tau \circ \sigma}$. The proof that $s' \cdot \bar{s} \in \overline{\tau \circ \sigma}$ is by induction on $d_\sim(s, s')$:
• if $s = s'$ then trivially $s' \cdot \bar{s} \in \overline{\tau \circ \sigma}$;
• if $d_\sim(s, s') = n + 1$ then there is $s_n$ such that $d_\sim(s, s_n) = n$ and $d_\sim(s_n, s') = 1$. By the inductive hypothesis $s_n \cdot \bar{s} \in \overline{\tau \circ \sigma}$. Now, $s_n$ factorizes as $t' \cdot a \cdot b \cdot t''$ while $s' = t' \cdot b \cdot a \cdot t''$. So $s_n$ has an interleaving $u_n = u' \cdot a \cdot u_b \cdot b \cdot u''$, where $u_b$ is a sequence of internal moves. The two prestrategies are deterministic, so it follows from the remarks made inside lemma 3.6 that $u' \cdot b \cdot a \cdot u_b \cdot u''$ is also an interleaving of $\tau \circ \sigma$ (in particular, if $b$ is by the opponent, receptivity also plays a role). Finally, by positionality of $\sigma$ and $\tau$ we conclude $s' \cdot \bar{s} \in \overline{\tau \circ \sigma}$.
det)
(i) Let $t \cdot a \in \overline{\tau \circ \sigma}$, where $a$ is a player move. Suppose, for a contradiction, that $t \in \tau \circ \sigma$. Then $t$ has a witness $u \in L_{A,B,C}$. Consider the case where $u$ is finite. Since $u \upharpoonright A, B \in \sigma$ and $u \upharpoonright B, C \in \tau$, neither prestrategy can play at this point: the next move must be an opponent move in $A$ or $C$, and this is enough for the first case. If $u$ is infinite, then any move that could be played after a finite prefix will eventually be played somewhere in $u$, including $a$.
(ii) Let $s \cdot a, s \cdot b \in \overline{\tau \circ \sigma}$, where $a$ and $b$ are two distinct player moves. An interleaving for $s \cdot a$ is of the form $u' \cdot a \cdot v'$ and an interleaving for $s \cdot b$ is of the form $u'' \cdot b \cdot v''$, where $u'$ and $u''$ are both interleavings for $s$ and $v'$ and $v''$ are sequences of internal moves. Then we can apply lemma 3.6 and complete $u'$ with the moves that are in $u''$ but not in it. In the same way we can complete $u''$ with the moves that are in $u'$ but not in it. The two results are homotopic. Take one of them, $u$. By the remarks made inside lemma 3.6 and by positionality we have that $u \cdot a$ is both an interleaving of $s \cdot a$ and of $s \cdot b$, and the conclusion follows.
(iii) This is actually a double implication. Let $s \in L^\omega_{A,C}$ be such that all its prefixes are in the prefix-closure of $\tau \circ \sigma$.
  $\Rightarrow$) Suppose $s \in \tau \circ \sigma$ and $m \in \mathit{succ}(s', \tau \circ \sigma)$, where $s' < s$ and $\lambda^{-+}(m) = +$. Then $s$ has a witness $u \in L^\omega_{A,B,C}$. If either $u \upharpoonright A, B$ or $u \upharpoonright B, C$ is finite then, respectively, $\sigma$ or $\tau$ cannot move anymore. That means that if it was $\sigma$'s ($\tau$'s) duty to play (the occurrence of) $m$, then the move occurs in the finite restriction (first condition of determinism). Suppose instead that $m$ could be played on the side of the communication which is infinite. Then again we know that the move will eventually occur (third condition of determinism).
  $\Leftarrow$) Suppose that for all $s' < s$ and $m \in \mathit{succ}(s', \tau \circ \sigma)$ with $\lambda^{-+}(m) = +$ there exists $s'' < s$ such that $s' < s'' \cdot m < s$. Take $u \in L^\omega_{A,B,C}$ such that all the prefixes of $u \upharpoonright A, B$ are in the prefix-closure of $\sigma$, all the prefixes of $u \upharpoonright B, C$ are in the prefix-closure of $\tau$ and $u \upharpoonright A, C = s$. For any $u' < u$ we know that if either prestrategy could play an external move after $u'$ then this eventually occurs in $u$, because the same move could be played by $\tau \circ \sigma$ after the external restriction of $u'$. If either prestrategy could play an internal move and the (occurrence of the) move does not appear in $u$ yet, then we add it, say, ten moves after $u'$. This way we are assured that every move that could be played after a finite prefix actually occurs inside a finite prefix¹⁰. The final $\bar{u}$ is actually a witness for $s$ in $\tau \circ \sigma$.
□

⁹ Note that in the proof of the lemma no external opponent move is taken while building $t'$, so really no move is played outside.
¹⁰ Note that the number of moves that can be played at any point is finite, as the number of threads is finite (finite concurrency) and the two prestrategies are deterministic.

Sums and Strategies. We define the binary operation $\oplus$ (sum), which takes two prestrategies $\sigma$ and $\tau$ on a game $A$ and returns the union of their sets of plays.

Lemma 3.8 The sum of $\sigma$ and $\tau$ is again a prestrategy.

Proof.
(i) The union of two non-empty sets is non-empty.
(ii) $s \in \mathit{Pas}(\sigma \oplus \tau)$
  $\Rightarrow s \in \overline{\sigma \oplus \tau} \wedge \mathit{pas}(s, \sigma \oplus \tau)$
  $\Rightarrow (s \in \overline{\sigma} \wedge \mathit{pas}(s, \sigma)) \vee (s \in \overline{\tau} \wedge \mathit{pas}(s, \tau))$
  $\Rightarrow (s \in \mathit{Pas}(\sigma)) \vee (s \in \mathit{Pas}(\tau))$
  $\Rightarrow (s \in \sigma) \vee (s \in \tau)$
  $\Rightarrow s \in \sigma \oplus \tau$.
(iii) Reorder-closedness and receptivity can be proven similarly, so we prove only the first of the two. Let $t \in \sigma \oplus \tau$ and $s \triangleright_A t$:
  $t \in \sigma \oplus \tau \Rightarrow (t \in \sigma) \vee (t \in \tau)$;
  $t \in \sigma \wedge s \triangleright_A t \Rightarrow s \in \sigma$;
  $t \in \tau \wedge s \triangleright_A t \Rightarrow s \in \tau$;
  $(s \in \sigma) \vee (s \in \tau) \Rightarrow s \in \sigma \oplus \tau$.
□

We extend this operation to an arbitrary number of arguments in the expected way; then we are ready for strategies.

Definition 3.9 A (handshake) strategy $\sigma$ is the sum of deterministic positional (handshake) prestrategies:
$\sigma = \bigoplus_{i \in I} \sigma_i$
where the $\sigma_i$ are deterministic positional prestrategies indexed by the elements of a non-empty set $I$.

A strategy represents a process. A strategy is a description of the behavior to follow. It is as if strategies could choose once and for all among a set of possible behaviors; afterwards they act deterministically all the way. It follows that a deterministic positional prestrategy $\sigma_d$ is just a particular case of strategy, where the choice is made from a singleton set. We will just say that $\sigma_d$ is a deterministic strategy, assuming implicitly that it is positional, even if strategies are not positional in general.

Lemma 3.10 Given two strategies $\sigma$ on $A^\perp \circledast B$ and $\tau$ on $B^\perp \circledast C$, their composition is again a strategy.

Proof. Let
$\sigma = \bigoplus_{i \in I} \sigma_i$, $\tau = \bigoplus_{j \in J} \tau_j$
where all the $\sigma_i$ and $\tau_j$ are deterministic prestrategies. Then we have:
$\tau \circ \sigma = \{ u \upharpoonright A, C \mid u \in L_{A,B,C} \wedge u \upharpoonright A, B \in \sigma \wedge u \upharpoonright B, C \in \tau \}$
$= \{ u \upharpoonright A, C \mid u \in L_{A,B,C} \wedge u \upharpoonright A, B \in \bigoplus_{i \in I} \sigma_i \wedge u \upharpoonright B, C \in \bigoplus_{j \in J} \tau_j \}$
$= \{ u \upharpoonright A, C \mid u \in L_{A,B,C} \wedge (\exists i \in I, j \in J \text{ s.t. } u \upharpoonright A, B \in \sigma_i \wedge u \upharpoonright B, C \in \tau_j) \}$
$= \bigcup_{i \in I, j \in J} \{ u \upharpoonright A, C \mid u \in L_{A,B,C} \wedge u \upharpoonright A, B \in \sigma_i \wedge u \upharpoonright B, C \in \tau_j \}$
$= \bigcup_{i \in I, j \in J} (\tau_j \circ \sigma_i)$
and each $\tau_j \circ \sigma_i$ is deterministic and positional by theorem 3.7. □

Category. We can form a category $H$ whose objects are games and whose morphisms from $A$ to $B$ are the strategies on $A^\perp \circledast B$. With abuse of notation we write $\sigma$ both for the morphism $\sigma : A \to B$ and for the strategy $\sigma$ on $A^\perp \circledast B$. The identity morphism $\mathit{id}_A : A \to A$ is the well-known copycat strategy:
$\mathit{id}_A = \{ s \in L_{A^\perp \circledast A} \mid s \upharpoonright A_1 = s \upharpoonright A_2 \}$,
where the indices are used only to distinguish the left and the right copy of $A$. It is easy to check that $\mathit{id}_A$ is a well-defined prestrategy, that it is positional and deterministic, and that the identity equations
$\sigma \circ \mathit{id}_A = \sigma = \mathit{id}_B \circ \sigma$
hold. There only remains the proof of associativity of composition, which we do next.

Theorem 3.11 Consider games $A$, $B$, $C$ and $D$, and strategies $\sigma : A \to B$, $\tau : B \to C$ and $\rho : C \to D$:
$(\rho \circ \tau) \circ \sigma = \rho \circ (\tau \circ \sigma)$

Proof. Let $s \in (\rho \circ \tau) \circ \sigma$. There is a witness $u \in L_{A,B,D}$ for $s$. Analogously we find a witness $v \in L_{B,C,D}$ for $u \upharpoonright B, D$. Working in an asynchronous world sometimes makes things easier (but only sometimes), so now we need no zipping or infinite zipping lemma: any interleaving $w \in L_{A,B,C,D}$ of $u$ and $v$ works just fine. In particular any such $w$ satisfies:
• $w \upharpoonright A, B = u \upharpoonright A, B \in \sigma$;
• $w \upharpoonright B, C = v \upharpoonright B, C \in \tau$;
• $w \upharpoonright C, D = v \upharpoonright C, D \in \rho$;
• $w \upharpoonright A, D = u \upharpoonright A, D = s$.
Then by definition we have $w \upharpoonright A, C \in \tau \circ \sigma$ and $s \in \rho \circ (\tau \circ \sigma)$. The opposite direction is proved in exactly the same way. □

Categorical constructions turn out to be useful not only for structural characterization but also for semantic analysis. For example, we can lift $\circledast$ to morphisms so as to have an elegant alternative to the concealment and extension operations of the process calculus in [13]. Given $\sigma : A \to B$ and $\sigma' : A' \to B'$, we define $\sigma \circledast \sigma' : A \circledast A' \to B \circledast B'$ as
$\sigma \circledast \sigma' = \{ s \in L_{A,A',B,B'} \mid s \upharpoonright A, B \in \sigma \wedge s \upharpoonright A', B' \in \sigma' \}$
The functoriality properties, $(\tau \circ \sigma) \circledast (\tau' \circ \sigma') = (\tau \circledast \tau') \circ (\sigma \circledast \sigma')$ and $\mathit{id}_A \circledast \mathit{id}_B = \mathit{id}_{A \circledast B}$, are easily verified. Suppose we want to compose strategies $\sigma : A \to B$ and $\tau : B \circledast B' \to C$. A possible way of doing this is by 'extending' $\sigma$ with the identity of $B'$: the composition becomes $\tau \circ (\sigma \circledast \mathit{id}_{B'})$. Another way is to restrict $\tau$, substituting it with $\tau \circ (\mathit{id}_B \circledast \mathit{SKIP}_{B' \to I})$, where $I$ is the game with no moves at all.

The category $H$ of handshake games and handshake strategies is *-autonomous: it is symmetric monoidal closed with respect to $\circledast$ and has an isomorphism from $A$ to $A^{\perp\perp}$. In particular the isomorphisms $A \to I \circledast A$ and $A \to A \circledast I$ are just copycat strategies, and they follow from the isomorphisms between sets of moves, $M_A \to \emptyset + M_A$ and $M_A \to M_A + \emptyset$, respectively. The other isomorphisms required for symmetric monoidal closure are also copycat strategies derived from isomorphisms between sets of moves. The case of self-duality is even simpler: $A$ and $A^{\perp\perp}$ are the same game and the isomorphism between them is just the identity on $A$. We can further note that $H$ is more than *-autonomous, it is compact-closed, as one can easily check that $A \circledast B = (A^\perp \circledast B^\perp)^\perp$.

4 Examples

As an example we show here a circuit that implements the conditional branch construct. The logic is a little simpler than that of Tangram's branch, which employs guards and nondeterminism, but the essence is there.

[Figure: the conditional-branch circuit, built from the components $\parallel$, $\mathit{ifT}$, $\mathit{not}$, $\mathit{ifT}$ and $\mathit{trf}$, with external ports labelled $P$, $Q$ and $B$.]

The big circles represent some basic standard components, while the small ones are the ports (active ports are filled and passive ones are not). The lines connecting two ports represent the channels. I will describe the strategies associated to the components as transition systems, as graphs where the edges represent the moves and the nodes represent the 'positions' (classes of plays, for short).

I will begin with the boolean negation $\mathit{not}$:

[Transition graph for $\mathit{not}$: initial position $0$; edges $\mathit{tt}_p$, $\mathit{ff}_p$, $\mathit{tt}_a$, $\mathit{ff}_a$, $\mathit{ack}_a$, $\mathit{ack}_p$.]

The index $p$ is used for moves passing through the passive port and $a$ for moves passing through the active port. The circles around nodes indicate quiescent positions and the initial position is marked with a $0$. $\mathit{not}$ is a strategy on the game $B_r^\perp \circledast B_r$, where $B_r$ is the game for a passive input port (example 3.2) with boolean data encoded in the requests. As a consequence the dual, $B_r^\perp$, becomes an active port with the same characteristics. Whatever input the strategy receives on the passive port, it sends its negation on the active one. Once this is acknowledged, it acknowledges the first move. $\mathit{ifT} : S \to B_r$ is a test for true ($S$ is the type of a nonput passive port, synchronization-only; as for $\mathit{not}$, the passive port is the $B_r$ on the right of the arrow and the active port is the dual $S^\perp$ on the left):

[Transition graph for $\mathit{ifT}$: initial position $0$; edges $\mathit{tt}_p$, $\mathit{ff}_p$, $\mathit{req}_a$, $\mathit{ack}_a$, $\mathit{ack}_p$.]

If it receives true it handshakes on its active port, otherwise it returns immediately. The composition of strategies corresponds to putting the two graphs side by side and visiting them in parallel, while at the same time building the graph for the composed strategy. Each time we pass by an 'external' edge we add it to the new graph (provided it is not already there). As for the internal edges, they need to be played simultaneously on both source graphs. So, if we are in a position where we can play an internal move on one side but not on the other, we need to wait if we want to play that move. It is easy to check that the composition of $\mathit{ifT}$ and $\mathit{not}$ yields a test for false, exactly the opposite of $\mathit{ifT}$. The so-called PAR component $\parallel : B_r \circledast B_r \to B_r$ activates two processes in parallel after receipt of a request from the environment; once both processes acknowledge, it too acknowledges the first request:

[Transition graph for $\parallel$: initial position $0$; edges $\mathit{req}_p$, $\mathit{req}_{a1}$, $\mathit{req}_{a2}$, $\mathit{ack}_{a1}$, $\mathit{ack}_{a2}$, $\mathit{ack}_p$; the two active requests, and likewise the two acknowledges, may occur in either order.]
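As an added example (not code from the paper), the following Python represents $\mathit{not}$ and $\mathit{ifT}$ as the transition systems described above and implements the graph composition just explained: the two graphs are visited in parallel, external edges are copied into the composite, and an edge on the shared port is taken only when both source graphs can play it. `play` then feeds opponent moves to a strategy and lets it saturate with internal and player moves until it is quiescent, which is enough to check that $\mathit{not} \circ \mathit{ifT}$ is a test for false. The port names (`p`, `a`), the state numbers and the move encoding are assumptions of this example; the quiescent positions are the circled nodes of the two graphs.

```python
from collections import deque

# A strategy as a transition system: "trans" maps a position to a list of
# edges (port, label, next position); "player" is the set of (port, label)
# moves the strategy plays itself, everything else is an opponent move;
# "quiescent" are the circled positions, where the strategy waits.

# not : B_r -> B_r.  Passive port p: tt/ff requests come from the opponent and
# ack is ours.  Active port a (B_r^perp): we send tt/ff, the opponent acks.
NOT = {
    "init": 0,
    "quiescent": {0, 2},
    "trans": {
        0: [("p", "tt", 1), ("p", "ff", 3)],
        1: [("a", "ff", 2)],            # received tt: send its negation
        3: [("a", "tt", 2)],
        2: [("a", "ack", 4)],           # wait for the ack on the active port
        4: [("p", "ack", 0)],           # then acknowledge the first move
    },
    "player": {("a", "tt"), ("a", "ff"), ("p", "ack")},
}

# ifT : S -> B_r.  Passive port p receives tt/ff; active port a (S^perp) is a
# nonput handshake that is run only when the input is true.
IFT = {
    "init": 0,
    "quiescent": {0, 2},
    "trans": {
        0: [("p", "tt", 1), ("p", "ff", 3)],
        1: [("a", "req", 2)],
        2: [("a", "ack", 3)],
        3: [("p", "ack", 0)],
    },
    "player": {("a", "req"), ("p", "ack")},
}


def compose(sigma, tau, sigma_port, tau_port):
    """tau o sigma on the transition graphs: positions are pairs; an edge on
    the shared port becomes an internal edge (port None) only when both graphs
    offer the same label at that point; every other edge is copied as external."""
    def external_ports(st, shared):
        return {p for es in st["trans"].values() for p, _, _ in es} - {shared}
    if external_ports(sigma, sigma_port) & external_ports(tau, tau_port):
        raise ValueError("external port names must be distinct")
    init = (sigma["init"], tau["init"])
    trans, quiescent, todo = {}, set(), deque([init])
    while todo:
        s, t = state = todo.popleft()
        if state in trans:
            continue
        edges = []
        for port, lab, s2 in sigma["trans"].get(s, []):
            if port != sigma_port:
                edges.append((port, lab, (s2, t)))
            else:
                edges += [(None, lab, (s2, t2)) for p2, l2, t2 in tau["trans"].get(t, [])
                          if p2 == tau_port and l2 == lab]
        edges += [(port, lab, (s, t2)) for port, lab, t2 in tau["trans"].get(t, [])
                  if port != tau_port]
        trans[state] = edges
        if s in sigma["quiescent"] and t in tau["quiescent"]:
            quiescent.add(state)
        todo.extend(nxt for _, _, nxt in edges)
    player = ({m for m in sigma["player"] if m[0] != sigma_port}
              | {m for m in tau["player"] if m[0] != tau_port})
    return {"init": init, "quiescent": quiescent, "trans": trans, "player": player}


def saturate(lts, state, trace):
    """Play internal moves, then player moves, until the strategy waits."""
    while True:
        edges = lts["trans"].get(state, [])
        internal = [e for e in edges if e[0] is None]
        ours = [e for e in edges if e[0] is not None and (e[0], e[1]) in lts["player"]]
        if internal:
            state = internal[0][2]
        elif ours:
            port, lab, state = ours[0]
            trace.append((port, lab))
        else:
            return state


def play(lts, opponent_moves):
    """Feed opponent moves one at a time.  Returns the external trace and
    whether the final position is quiescent."""
    trace = []
    state = saturate(lts, lts["init"], trace)
    for port, lab in opponent_moves:
        nxt = [s2 for p, l, s2 in lts["trans"].get(state, []) if (p, l) == (port, lab)]
        if not nxt:
            raise ValueError(f"move {(port, lab)} is not legal at {state}")
        trace.append((port, lab))
        state = saturate(lts, nxt[0], trace)
    return trace, state in lts["quiescent"]


# not o ifT : S -> B_r: ifT's passive port p is wired to not's active port a.
NOT_IFT = compose(IFT, NOT, "p", "a")

if __name__ == "__main__":
    print(play(IFT, [("p", "tt"), ("a", "ack")]))      # true: handshake on a, then ack
    print(play(NOT_IFT, [("p", "tt")]))                # true: returns immediately
    print(play(NOT_IFT, [("p", "ff"), ("a", "ack")]))  # false: handshake on a, then ack
```

On input $\mathit{tt}$ the composite acknowledges without touching its active port, on $\mathit{ff}$ it runs the handshake first: the external behaviour of $\mathit{ifT}$ with the two inputs swapped. The composite's quiescent positions are exactly the pairs where both components wait, which is what "we need to wait if we want to play that move" amounts to on the graphs.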

$\parallel$ is composed with $\mathit{ifT} \circledast (\mathit{not} \circ \mathit{ifT}) : S \circledast S \to B_r \circledast B_r$, a strategy that executes a test for true on one side and, in parallel, a test for false on the other. The costar product of two strategies corresponds again to playing on the two games/graphs in parallel, with the difference that now all moves are external. As a result the final graph may become very complicated. In the end, $\parallel \circ (\mathit{ifT} \circledast (\mathit{not} \circ \mathit{ifT})) : S \circledast S \to B_r$ is a strategy which, depending on the input (true or false), activates one or the other strategy it is connected to; after receiving the acknowledge it returns. The last component is a transferrer, associated to the strategy $\mathit{trf} : B_a \circledast B_r \to S$, where $B_a$ is the game for a passive port, this time with boolean data encoded in the acknowledges. Once activated on the passive port $S$ it requests a boolean value from $B_a$¹¹, which is immediately copied into a request and sent on $B_r$; it waits for the acknowledge and then completes the first handshake. We skip the graph for this strategy and go straight to the strategy
$\mathit{trf} \circ (\mathit{id}_{B_a} \circledast (\parallel \circ (\mathit{ifT} \circledast (\mathit{not} \circ \mathit{ifT})))) : B_a \circledast S \circledast S \to S$
associated to the global if-then-else construct:

[Transition graph for the if-then-else strategy: initial position $0$; edges $\mathit{req}$, $\mathit{req}_B$, $\mathit{tt}_B$, $\mathit{ff}_B$, $\mathit{req}_P$, $\mathit{req}_Q$, $\mathit{ack}_P$, $\mathit{ack}_Q$, $\mathit{ack}$.]

Here the indices indicate the processes with which we are in communication. This strategy has the expected type (it takes as arguments a boolean and two commands and gives a command in return) and behavior.

¹¹ On the left side of the arrow, $B_a$ becomes active, by the definition of arrow.

With the same approach, decomposition of the internal logic into smaller modules and composition of the strategies associated to these modules, we can give a semantics to any other programming construct, like the loop and such. Also, the presentation of strategies as graphs is very intuitive and attractive; it had already been adopted by Van Berkel [13] in the context of handshake circuits. In game semantics this idea has been pushed further: there exist game models [6][8] in which graphs are employed not merely as a way of presenting strategies but as a true semantical description. Of course, in order to establish this correspondence, there are some properties that need to be satisfied. I believe that positionality and associativity of composition are necessary first steps towards that goal.

5 Future Work

So, I built a model for handshake circuits and I showed informally how it could be put to use. In the process, I dealt with the problems arising in the modelling of circuits' composition and I ended up with a finer characterization of handshake strategies. In particular, the new property of positionality seems very interesting and worth exploiting. But the model also contains a deeper structural analysis, with the construction of a compact-closed category, a result that could be used as a base for a type theory. Moreover, I showed how to take advantage of categorical tools like composition of morphisms and the bifunctor $\circledast$ in the semantics.

And now? The next step is to formally define a semantics for a language based on handshake circuits, for Tangram or for a whole new language. This semantics should take into account processes that can exchange data as well as processes that can only synchronize with their environment. The approach to take should include reduction of the language's constructs into a small set of combinators and representation of these combinators as general-purpose strategies. In [7] Josephs, Udding and Yantchev reduced Van Berkel's calculus [13] to just three operations; how much bigger would this set become when data are encoded in the messages?

A particularly delicate part in the definition of a semantics for handshake circuits will be the modelling of the sequential composition of processes, where the process $P_1; P_2$ behaves initially as $P_1$ and then, once all requests have been acknowledged and a cycle is complete, continues as $P_2$. In [13] the task is accomplished by assigning a set of terminal traces to each process, but this is only one possible solution.

The idea that each process follows a cyclic life suggests more abstract representations for strategies, ways that could allow us to treat composition more mathematically. The aim is to find alternatives that allow simpler reasoning while keeping the substance unchanged. Nonetheless, altering the protocol of communication may also be of interest: what happens when we shift to slightly different circuits, like speed-independent or delay-insensitive circuits?

On the side of game semantics, handshake circuits could represent a concrete application. Naturally the next step is to place this result inside the large collection of models proposed. Surely the completely asynchronous behavior makes handshake strategies and games different from their counterparts; indeed the categorical framework will help in making comparisons.

References

[1] S. Abramsky. Interaction categories (extended abstract). In G. L. Burn, S. J. Gay, and M. D. Ryan, editors, Theory and Formal Methods 1993: Proceedings of the First Imperial College Department of Computing Workshop on Theory and Formal Methods, pages 57-70. Springer-Verlag Workshops in Computer Science, 1993.
[2] S. Abramsky, S. Gay, and R. Nagarajan. Interaction categories and the foundations of typed concurrent programming. In M. Broy, editor, Proceedings of the 1994 Marktoberdorf Summer School on Deductive Program Design, pages 35-113. Springer-Verlag, Berlin, 1996.
[3] S. Abramsky and P.-A. Melliès. Concurrent games and full completeness. In Logic in Computer Science 99, Trento, July 1999. IEEE Computer Society Press.
[4] Russell Harmer and Guy McCusker. A fully abstract game semantics for finite nondeterminism. In Logic in Computer Science, pages 422-430, 1999.

Page 98:  · Contents Preface v Maribel Fern andez (Invited Speaker) Every computable function is linear (in a sense) ...................... 1 Michel Cosnard, Luigi Liquori and

Fossati[5℄ Russell Harmer and Guy M Cusker. A game semanti s for ountablenondeterminism. Unpublished, 2002.[6℄ M. Hyland and A. S halk. Games on graphs and sequentially realizablefun tional. In IEEE Computer So iety Press, pages 257{264, Kopenhavn, July2002.[7℄ M.B. Josephs, J.T. Udding, and Y. Yant hev. Handshake algebra. Te hni alReport SBU-CISM-93-1, S hool of Computing, Information Systems andMathemati s, South Bank University, London, 1993.[8℄ P.-A. Melli�es. Asyn hronous games 2: the true on urren y of inno en e. InP. Gardner and N. Yoshida, editors, CONCUR'04, Le ture Notes in ComputerS ien e. Springer Verlag, September 2004.[9℄ Samuel Mimram and Paul-Andr�e Melli�es. Asyn hronous games 5: Non-alternating inno en e. Work in progress, 2006.[10℄ Y. Mos hovakis. A game-theoreti modeling of on urren y. In fourth annualsymposium on Logi In Computer S ien e, pages 154{163. IEEE ComputerSo iety Press, 1989.[11℄ D. Park. The \fairness" problem and nondeterministi omputing networks.Foundations of Computer S ien e IV. Matematis h Centrum, Amsterdam, 1983.[12℄ A. W. Ros oe. Unbounded nondeterminism in CSP, volume 3 of Journal ofLogi and Computation. April 1993.[13℄ K. Van Berkel. Handshake ir uits: an Asyn hronous ar hite ture for VLSIdesign, volume 5 of Cambridge International Series on Parallel Computation.Cambridge University Press, 1993.6 Appendix: nondeterminism in the sequential aseThe presentation of nondeterministi strategies in [5℄ is te hni ally di�erentfrom the one I gave. However, the present formalism an be applied su ess-fully also to the sequential ase, and with respe t to the model of Harmerand M Cusker, their de�nition of strategy an be reformulated equivalentlyas sum of deterministi omponents, as I am now going to show.Assuming that everyone knows that in the sequential ase plays follow aproto ol of stri t alternation (like on urrent plays with only one thread) I gostraight to the de�nition of prestrategies. 
A prestrategy is a set of plays closed under even-length prefixes. The even-length plays of $\sigma$ are called traces and are noted $T_\sigma$, the odd-length plays of $\sigma$ are called divergences and are noted $D_\sigma$, while the infinite plays of $\sigma$ are noted $I_\sigma$. The domain of $\sigma$, written $\mathrm{dom}(\sigma)$, is those odd-length plays that are reachable by $\sigma$,
$$\mathrm{dom}(\sigma) = \bigcup_{s \in T_\sigma} \mathrm{ie}(s)$$


where the function $\mathrm{ie}$ gives all the possible extensions of $s$ with just one move, the immediate extensions of $s$. Given $d \in \mathrm{dom}(\sigma)$, the range of $\sigma$ at $d$, written $\mathrm{rng}_\sigma(d)$, is $\mathrm{ie}(d) \cap T_\sigma$. Now, a strategy $\sigma$ is receptive when for all $d \in \mathrm{dom}(\sigma)$,
$$d \cup \mathrm{rng}_\sigma(d) \neq \emptyset$$
This condition was not present in the original definition in [5], as in their case the receptivity was left implicit: if neither a divergence nor an answer to it were present, it means that the strategy decides not to respond there. However, even if it is only a technical detail, receptivity needs to be stated explicitly in order to establish true equivalence of the two definitions.

A prestrategy $\sigma$ on a game $A$ is deterministic if and only if
• $sa, sb \in T_\sigma \Rightarrow sa = sb$;
• $s \in D_\sigma \iff \mathrm{rng}_\sigma(s) = \emptyset$;
• $s \in L^\omega_A \wedge (\forall s' <_{even} s,\ s' \in \sigma) \Rightarrow s \in \sigma$.
As in the handshake model, $L^\omega_A$ denotes the set of infinite legal plays over the arena $A$. Note also that the second constraint implies receptivity. Let $\sigma$ and $\tau$ be prestrategies. $\sigma$ is refined by $\tau$ ($\sigma \preceq \tau$) if and only if:
• $T_\tau \subseteq T_\sigma$;
• $s \in (\sigma \setminus \tau) \Rightarrow \exists d \in D_\tau,\ d \sqsubseteq s$.
And now the final definition. A receptive prestrategy $\sigma$ is a strategy if and only if for all $s \in T_\sigma$ there is a deterministic prestrategy $\tau_s$ such that $\sigma \preceq \tau_s$ and $s \in \tau_s$.

Proposition 6.1 Let $\sigma$ be a strategy. Then $\sigma = \bigcup_{i \in I} \sigma_i$, where $I$ is a non-empty set of indexes and $\sigma_i$ is a deterministic strategy for all $i \in I$.

Proof. It suffices to show that every play $s \in \sigma$ is an element of a deterministic strategy that is a subset of $\sigma$. We describe a potentially infinite algorithm to build the desired deterministic strategy $\sigma_s$. If $s \in D_\sigma \cup I_\sigma$, we initially set $\sigma_s$ to the set containing $s$ and all its even-length prefixes. Otherwise, if $s \in T_\sigma$, there is a deterministic strategy that refines $\sigma$ and contains $s$: we set $\sigma_s$ to the intersection between $\sigma$ and this strategy. Now, for all $d \in \mathrm{dom}(\sigma_s)$ such that $d \cup \mathrm{rng}_{\sigma_s}(d) = \emptyset$: if $d \in \sigma$, add it to $\sigma_s$; otherwise $\mathrm{rng}_\sigma(d) \neq \emptyset$, so pick a play from $\mathrm{rng}_\sigma(d)$ and add it to $\sigma_s$.
If the process continues to the infinite, it means that there are some new infinite chains that satisfy the third condition of determinism; these need to be added to $\sigma$ too. □

Proposition 6.2 Let $\sigma_i$ be deterministic strategies indexed by elements of a non-empty set $I$. Then $\sigma = \bigcup_{i \in I} \sigma_i$ is a strategy.

Proof. $\forall t \in T_\sigma,\ \exists \sigma_i \ni t$, for some $i \in I$. Moreover $T_{\sigma_i} \subseteq T_\sigma$ as $\sigma_i \subseteq \sigma$; and for the same reason $\sigma_i \setminus \sigma = \empty$. Then $\sigma \preceq \sigma_i$. □


DCM 2006

A fully labelled lambda calculus: Towards closed reduction in the Geometry of Interaction Machine

Nikolaos Siafakas 1
Department of Computer Science
King's College London, UK

Abstract
We investigate the possibility of performing new reduction strategies with the Geometry of Interaction Machine (GOIm). To this purpose, we appeal to Lévy's labelled lambda calculus, whose labels describe: a) the path that the original GOIm will follow in the graph of a term and b) the operations that the GOIm requires to compute the multiplicative part from the Multiplicative and Exponential Linear Logic encoding that the machine uses. Our goal is to unveil the missing exponential information in the structure of the labels. This will provide us with a tool to talk about strategies for computing paths with the GOIm.

Key words: Lambda calculus, Labels, Paths, Geometry Of Interaction

1 Introduction

There is a well established connection between labels in Lévy's labelled λ-calculus and paths in the graph of a term [1,4,2]. If we compute the normal form of a term in the labelled λ-calculus, then the resulting label will describe a path in the graph of the term. The Geometry Of Interaction Machine [11], which is an implementation of Girard's Geometry of Interaction semantics for Linear Logic [9], will follow exactly the path induced by the label. The investigation of the structure of the labels allowed the identification of the call-return symmetry [4], which has led to optimisations [6,7] where the length of the path to be traversed is significantly reduced. However:
• The structure of the labels is different from the structure of paths: labels talk about redex contractions whereas paths talk about the dynamics of Linear Logic cut elimination.

1 email: nikolaos.siafakas@kcl.ac.uk
This paper is electronically published in Electronic Notes in Theoretical Computer Science. URL: www.elsevier.nl/locate/entcs


• The structure of the paths depends on the choice of translation of the λ-calculus into Linear Logic proof nets (Call by Value or Call by Name).
• Many equivalences are known to date, but properties found in labels have to be transposed to paths and vice versa.
Our goal is to identify structure in the labels which will allow us to reason about new ways for computing paths with the GOIm. To this purpose, we investigate a new set of labels which correspond more closely to the paths.

2 Background and Motivation

In this section we set up the conventions that we will use in the rest of the paper. Our point of departure is Lévy's labelled lambda calculus [10], whose labels give a simple notion for a "path in a term".

Definition 2.1 [Labels] The set of labels is formed by the following grammar
$$\alpha, \beta ::= a \mid \alpha\beta \mid \overline{\alpha} \mid \underline{\alpha}$$
where $a$ is an atomic label. Labelled terms are terms of the λ-calculus where each sub-term $T$ has a label attached to it: $T^\alpha$. Labelled beta reduction is given by
$$((\lambda x.M)^\alpha N)^\beta \to \beta\,\overline{\alpha} \cdot M[\underline{\alpha} \cdot N / x]$$
where $\cdot$ concatenates labels with labelled terms, defined by $\alpha \cdot T^\beta = T^{\alpha\beta}$. Substitution is implicit and operates as follows:
$$x^\alpha[N/x] = \alpha \cdot N$$
$$y^\alpha[N/x] = y^\alpha$$
$$(\lambda y.M)^\alpha[N/x] = (\lambda y.M[N/x])^\alpha$$
$$(MN)^\alpha[P/x] = (M[P/x]\,N[P/x])^\alpha$$

Example 2.2 The term $III$, $I = \lambda x.x$, reduces as follows:
[Figure: the syntax trees of the three terms of this reduction, with the atomic labels $a, \ldots, h$ attached to the sub-terms.]
$$(((\lambda x.x^a)^b (\lambda x.x^c)^d)^e (\lambda x.x^f)^g)^h \;\to\; ((\lambda x.x^c)^{e\overline{b}a\underline{b}d} (\lambda x.x^f)^g)^h \;\to\; (\lambda x.x^f)^{h\,\overline{e\overline{b}a\underline{b}d}\,c\,\underline{e\overline{b}a\underline{b}d}\,g}$$

If we reverse the underlines, then the resulting label induces a path which the Geometry of Interaction Machine will compute without reducing the term. However, the GOIm does not act on syntax trees of the λ-calculus but on graphs, which are translations of the λ-calculus into Linear Logic proof nets. Computation then follows the idea of a token traversing the edges of the graph. Here we provide the CBV translation $T(\cdot)$ with which we will work throughout this paper [11].

Definition 2.3 The general form of a term is given by
[Figure: a sub-term $M$ drawn as a triangle, with an atomic label $a$ at its root.]
where we attach an atomic label to the root of each sub-term. Edges at the bottom of the structure denote the free variables of the term. The translation is given by the following recursive definition:
[Figure: the graphs $T(x)$, $T(\lambda x.M)$ and $T(MN)$. $T(\lambda x.M)$ encloses $T(M)$ in a box built from ⅋, ? and ! nodes; $T(MN)$ joins $T(M)$ and $T(N)$ through a D node, with R and S nodes on the free variables; when $x \notin FV(M)$ the box for $T(\lambda x.M)$ carries a W node.]
Some remarks are in order: In $T(\lambda x.M)$, we assume that the bound variable $x$ is at the leftmost edge of the free variables of $T(M)$. We attach a node W if $x \notin fv(M)$. Intuitively, the box structure gives a notion for "the scope" of a function. We distinguish between two kinds of nodes:
(i) Multiplicative nodes: Tensor (⊗), Par (⅋)
(ii) Exponential nodes: Of Course (!), Dereliction (D), Weakening (W), Why Not (?), Contraction (R, S)
The overlining and underlining in Lévy's labelled λ-calculus captures redexes which have been contracted during reduction. In other words, these labels mark the points of contact of the (virtual) redexes in a term. If we transpose this information to proof nets, then overlining and underlining hint at where the multiplicative nodes are located. This is also the case for the Call By Name translation, which we do not consider here.

In the next section we show that it is possible to add the missing exponential information during labelled reduction, where we make use of a weak α-conversion-free calculus. A weak calculus has also been used in [5], which corresponds more closely to Wadsworth's graph representations. In section 4 we relate the structure obtained in the labels with Linear Logic proof net cut elimination, where we make the notion of "connectivity" important (see for instance [3]). In section 5 we comment on how the extra structure leads to new strategies for the GOIm.


3 Paths in the calculus of closed functions

Our approach is similar to Lévy's labelled reduction, where we attach labels to terms and capture information during reduction. The labelled β-reduction step can provide some information about the location of the exponential nodes. In the CBV translation, it is trivial to identify the location of D-nodes and !-nodes since these live beneath the multiplicative nodes. Note that the translation of a redex involves multiplicative nodes which are intercepted by a D and a !-node. Unfortunately, the β-reduction step cannot help further; we have to focus on the substitutions in order to identify the locations of the remaining exponential nodes. However, substitutions are propagated exhaustively and in an uncontrolled way. For instance, it is known that paths can be copied, but this is not resembled by copying the substitution in:
$$(MN)^\alpha[P/x] = (M[P/x]\,N[P/x])^\alpha$$
The explicit substitution calculi in [8] overcome these deficiencies. In this section we provide a labelled version of the "calculus of closed functions" ($\lambda_{cf}$), which is able to give explicit paths for the CBV translation.

Terms in the $\lambda_{cf}$-calculus are λ-terms with explicit constructs for copying ($\delta$) and erasing ($\varepsilon$) and are presented along with their variable constraints:

Term | Variable Constraint | Free variables
$x$ | - | $\{x\}$
$\lambda x.M$ | $x \in fv(M)$ | $fv(M) - \{x\}$
$MN$ | $fv(M) \cap fv(N) = \emptyset$ | $fv(M) \cup fv(N)$
$\varepsilon x.M$ | $x \notin fv(M)$ | $fv(M) \cup \{x\}$
$\delta^{y,z}_x.M$ | $x \notin fv(M),\ y \neq z,\ \{y, z\} \subseteq fv(M)$ | $(fv(M) - \{y, z\}) \cup \{x\}$
$M[N/x]$ | $x \in fv(M),\ (fv(M) - \{x\}) \cap fv(N) = \emptyset$ | $(fv(M) - \{x\}) \cup fv(N)$

Lambda terms are compiled into this set of terms ($\lambda_c$) via the translation $\langle\!\langle \cdot \rangle\!\rangle$ from [8]. We assume compilation of closed terms:
$$\langle\!\langle x \rangle\!\rangle = x$$
$$\langle\!\langle MN \rangle\!\rangle = \langle\!\langle M \rangle\!\rangle \langle\!\langle N \rangle\!\rangle$$
$$\langle\!\langle \lambda x.M \rangle\!\rangle = \lambda x.[[x]]\langle\!\langle M \rangle\!\rangle \quad \text{if } x \in fv(M)$$
$$\qquad\qquad = \lambda x.\varepsilon x.\langle\!\langle M \rangle\!\rangle \quad \text{otherwise}$$
and $[[\cdot]]$ is defined by


$$[[x]]x = x$$
$$[[x]](\lambda y.M) = \lambda y.[[x]]M$$
$$[[x]](MN) = \delta^{y,z}_x.[[y]](M[x := y])\,[[z]](N[x := z]) \quad ;\ x \text{ free in } M \text{ and } N$$
$$\qquad\qquad = ([[x]]M)N \quad ;\ x \text{ free in } M \text{ only}$$
$$\qquad\qquad = M([[x]]N) \quad ;\ x \text{ free in } N \text{ only}$$
$$[[x]](\varepsilon y.M) = \varepsilon y.[[x]]M$$
$$[[x]](\delta^{u,v}_y.M) = \delta^{u,v}_y.[[x]]M$$

Example 3.1 Here are some example terms that are yielded by the compilation:
• $\langle\!\langle \lambda x.\lambda y.x \rangle\!\rangle = \lambda x.\lambda y.\varepsilon y.x$
• $\langle\!\langle (\lambda x.xx)(\lambda x.x) \rangle\!\rangle = (\lambda x.\delta^{y,z}_x.yz)(\lambda x.x)$

Definition 3.2 Labelled terms are $\lambda_c$-terms where every pure sub-term $T$ has a label: $T^\alpha$. The set of labels is defined by the following grammar:
$$\alpha, \beta ::= a \mid \alpha\beta \mid \overline{\alpha} \mid \underline{\alpha} \mid C, \qquad C ::= \overrightarrow{E} \mid \overleftarrow{E}, \qquad E ::= D \mid\ !\ \mid\ ?\ \mid R \mid S \mid W$$
This is the same set as the set of Lévy's labels, where we add markers for exponential nodes, each of which has an associated direction. Multiplicative information is kept implicit via overlining and underlining.

Definition 3.3 [Labelled Reduction] The beta rule of the labelled calculus $\lambda_{lcf}$ is defined by
$$((\lambda x.M)^\alpha N)^\beta \to_{\lambda_{lcf}} \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\,\underline{(\overrightarrow{D}\,\alpha\,\overleftarrow{!})^r} \cdot N / x\,]$$
where we impose the condition that $fv((\lambda x.M)^\alpha) = \emptyset$. The operator $\cdot$ and the function $(\cdot)^r$, which reverses a label, are defined as follows:
$$(a)^r = a \qquad (\alpha\beta)^r = \beta^r\,\alpha^r \qquad (\overline{\alpha})^r = \overline{\alpha^r} \qquad (\underline{\alpha})^r = \underline{\alpha^r} \qquad (\overrightarrow{E})^r = \overleftarrow{E} \qquad (\overleftarrow{E})^r = \overrightarrow{E}$$
$$\alpha \cdot x^\beta = x^{\alpha\beta} \qquad \alpha \cdot (\lambda x.M)^\beta = (\lambda x.M)^{\alpha\beta} \qquad \alpha \cdot (MN)^\beta = (MN)^{\alpha\beta}$$
$$\alpha \cdot (\delta^{y z}_x.M) = \delta^{y z}_x.(\alpha \cdot M) \qquad \alpha \cdot (\varepsilon x.M) = \varepsilon x.(\alpha \cdot M)$$
Substitution is placed at the same level as the Beta rule and is given in Table 1.

Table 1: Labelled substitution ($\sigma$) rules

Rule | Reduction | Condition
Lam | $(\lambda y.M)^\alpha[N/x] \to_{\lambda_{lcf}} (\lambda y.M[\overrightarrow{?} \cdot N/x])^\alpha$ | $fv(N) = \emptyset$
App1 | $(MN)^\alpha[P/x] \to_{\lambda_{lcf}} (M[P/x]\,N)^\alpha$ | $x \in fv(M)$
App2 | $(MN)^\alpha[P/x] \to_{\lambda_{lcf}} (M\,N[P/x])^\alpha$ | $x \in fv(N)$
Cpy1 | $(\delta^{y z}_x.M)[N/x] \to_{\lambda_{lcf}} M[\overrightarrow{R} \cdot N/y][\overrightarrow{S} \cdot N/z]$ | $fv(N) = \emptyset$
Cpy2 | $(\delta^{y z}_x.M)[N/x'] \to_{\lambda_{lcf}} (\delta^{y z}_x.M[N/x'])$ | ~
Ers1 | $(\varepsilon x.M)[N/x] \to_{\lambda_{lcf}} M,\ \{\overrightarrow{W} \cdot N\} \cup B$ | $fv(N) = \emptyset$
Ers2 | $(\varepsilon x.M)[N/x'] \to_{\lambda_{lcf}} (\varepsilon x.M[N/x'])$ | ~
Var | $x^\alpha[N/x] \to_{\lambda_{lcf}} \alpha \cdot N$ | ~
Cmp | $M[P/y][N/x] \to_{\lambda_{lcf}} M[P[N/x]/y]$ | $x \in fv(P)$

Remark 3.4 The only rule that creates a substitution is the Beta rule. The rule Lam captures the situation where the substitution has to leave the function scope of the abstraction in which the substitution has been originally created and enters a sub-function scope. The controlled copying and erasing (Cpy1 and Ers1) of substitutions allows the identification of paths that start from contraction nodes and weakening nodes respectively. Erased paths are kept in a set $B$. Note that explicit labelling on copying ($\delta$) and erasing ($\varepsilon$) constructs is omitted: these are used just to guide the substitutions. We inherit a number of properties from $\lambda_{cf}$: our calculus is α-conversion free and closed substitutions do not remain blocked. On the other hand, the calculus is weak but is adequate for the evaluation of programs (closed terms). These evaluate to pure terms.

In the remainder of this section we show that the labelled case preserves confluence. The proofs presented here are an adaption from [8] to the labelled case.

Lemma 3.5 For $\cdot$ and substitution we have $(\alpha \cdot M)[N/x] = \alpha \cdot (M[N/x])$.

Proof. By induction on the structure of $M$. We show the case for $\delta$-terms: $M = (\delta^{y z}_x.P)$. The lhs is
$$(\alpha \cdot (\delta^{y z}_x.P))[N/x] = (\delta^{y z}_x.(\alpha \cdot P))[N/x] \quad \text{by definition of } \cdot$$
$$\to_{\lambda_{lcf}} (\alpha \cdot P)[\overrightarrow{R} \cdot N/y][\overrightarrow{S} \cdot N/z]$$
$$= \alpha \cdot (P[\overrightarrow{R} \cdot N/y])[\overrightarrow{S} \cdot N/z] \quad \text{by IH}$$
and the rhs: $\alpha \cdot ((\delta^{y z}_x.P)[N/x]) \to_{\lambda_{lcf}} \alpha \cdot P[\overrightarrow{R} \cdot N/y][\overrightarrow{S} \cdot N/z]$, where substitution associates to the left. □
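As an added illustration (not part of the paper), the following Python implements the labelled Beta rule of Definition 3.3 together with the Var, Lam, App1 and App2 rules of Table 1 for $\lambda_{cf}$-terms without $\delta$ and $\varepsilon$ constructs, and, behind a flag, Lévy's marker-free rule of Definition 2.1. Run on the first term of Example 4.3 it yields the path label $\phi$ given there; run on $III$ it yields Lévy's label of Example 2.2 and the $\lambda_{lcf}$ label, whose markers, once erased, read as Lévy's label with its underlined segments reversed, as the remark after Example 2.2 predicts. The list encoding of labels and the eager application of the substitution rules are our own choices.

```python
# Added example (not from the paper): labelled closed reduction in λ_lcf, Definition 3.3
# and Table 1 (rules Beta, Var, Lam, App1, App2), for λ_cf-terms without δ/ε constructs.
# levy=True switches to the marker-free rule of Definition 2.1 (Lévy's labelled calculus).
from dataclasses import dataclass, replace

# A label is a list of items: an atomic label such as 'a', an exponential marker
# ('->', 'D') / ('<-', '!') / ('->', '?'), or a nesting ('over', label) / ('under', label).
@dataclass
class Var: name: str; lab: list                  # x^α
@dataclass
class Lam: x: str; body: object; lab: list       # (λx.M)^α
@dataclass
class App: fun: object; arg: object; lab: list   # (M N)^α

def fv(t):
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return fv(t.body) - {t.x}
    return fv(t.fun) | fv(t.arg)

def dot(lab, t):
    """The operator α · T^β = T^{αβ}: prepend a label to the root label of a term."""
    return replace(t, lab=lab + t.lab)

def rev(lab):
    """(·)^r of Definition 3.3: reverse the label and flip the direction of every marker."""
    out = []
    for it in reversed(lab):
        if isinstance(it, str): out.append(it)
        elif it[0] in ('over', 'under'): out.append((it[0], rev(it[1])))
        else: out.append(('<-' if it[0] == '->' else '->', it[1]))
    return out

def show(lab):
    """Render a label: {..} is an overline, [..] an underline, ->E / <-E a marker."""
    return ''.join(it if isinstance(it, str) else '{' + show(it[1]) + '}' if it[0] == 'over'
                   else '[' + show(it[1]) + ']' if it[0] == 'under' else it[0] + it[1] for it in lab)

def erase(lab):
    """Drop the exponential markers, keeping atoms and over/underlining (Lévy's alphabet)."""
    keep = [it for it in lab if isinstance(it, str) or it[0] in ('over', 'under')]
    return [it if isinstance(it, str) else (it[0], erase(it[1])) for it in keep]

def subst(m, n, x, levy):
    """M[N/x] by Var, Lam, App1, App2 of Table 1, applied eagerly (terms are linear)."""
    if isinstance(m, Var):
        if m.name != x: raise ValueError('substitution reached a variable other than ' + x)
        return dot(m.lab, n)                               # Var: x^α[N/x] → α · N
    if isinstance(m, Lam):                                 # Lam: entering a sub-function scope
        if not levy:
            if fv(n): raise ValueError('Lam requires fv(N) = ∅: open substitution is blocked')
            n = dot([('->', '?')], n)                      # the ->? marker records the box entry
        return Lam(m.x, subst(m.body, n, x, levy), m.lab)
    if x in fv(m.fun):                                     # App1: x occurs in the function part
        return App(subst(m.fun, n, x, levy), m.arg, m.lab)
    return App(m.fun, subst(m.arg, n, x, levy), m.lab)     # App2: x occurs in the argument

def beta(r, levy):
    """λ_lcf: ((λx.M)^α N)^β → β {->D α <-!} · M[ [(->D α <-!)^r] · N / x ]; Lévy: β {α} · M[ [α] · N / x ]."""
    alpha = r.fun.lab
    over = alpha if levy else [('->', 'D')] + alpha + [('<-', '!')]
    under = alpha if levy else rev(over)
    body = subst(r.fun.body, dot([('under', under)], r.arg), r.fun.x, levy)
    return dot(r.lab + [('over', over)], body)

def step(t, levy):
    """One leftmost-outermost Beta step, or None if t is normal; in λ_lcf the function must be closed."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam) and (levy or not fv(t.fun)):
            return beta(t, levy)
        for side in ('fun', 'arg'):
            s = step(getattr(t, side), levy)
            if s is not None: return replace(t, **{side: s})
        return None
    if isinstance(t, Lam):
        s = step(t.body, levy)
        return None if s is None else replace(t, body=s)
    return None

def normalize(t, levy=False, limit=1000):
    for _ in range(limit):
        s = step(t, levy)
        if s is None: return t
        t = s
    raise RuntimeError('no normal form within the step limit')

# Shorthands: V('x', 'a') is x^a, L(x, M, 'd') is (λx.M)^d, A(M, N, 'c') is (M N)^c, I('a', 'b') is (λx.x^a)^b.
def V(x, a): return Var(x, [a])
def L(x, m, a): return Lam(x, m, [a])
def A(m, n, a): return App(m, n, [a])
def I(a, b): return L('x', V('x', a), b)

# First term of Example 4.3: (((λx.(λy.(x^a y^b)^c)^d)^e (λx.x^f)^g)^h (λx.x^i)^j)^k
EX43 = A(A(L('x', L('y', A(V('x', 'a'), V('y', 'b'), 'c'), 'd'), 'e'), I('f', 'g'), 'h'), I('i', 'j'), 'k')
# Example 2.2: III = (((λx.x^a)^b (λx.x^c)^d)^e (λx.x^f)^g)^h
III = A(A(I('a', 'b'), I('c', 'd'), 'e'), I('f', 'g'), 'h')

def path_label(t):   return show(normalize(t).lab)              # λ_lcf label, with markers
def levy_label(t):   return show(normalize(t, levy=True).lab)   # Lévy's label
def erased_label(t): return show(erase(normalize(t).lab))       # λ_lcf label, markers erased
```

`print(path_label(EX43))` prints the marker sequence of $\phi$ with its overlines as `{…}` and underlines as `[…]`; an open substitution that reaches a λ raises instead of proceeding, mirroring the blocking described in Remark 3.4.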


Proposition 3.6 (local confluence) There are seven critical pairs in $\lambda_{lcf}$, all of which are joinable.

Proof. We distinguish the cases which are interesting w.r.t. the labels.
(i) Superposition of Beta-App2: $((\lambda y.M)^\alpha N)^\beta[P/x]$, where $x \in fv(N)$, gives rise to the critical pair $(t_1, t_2)$ with
$$t_1 = \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N/y][P/x] \qquad t_2 = ((\lambda y.M)^\alpha (N[P/x]))^\beta$$
which converges as shown below:
$$t_1 \to_{Cmp} \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N[P/x]/y] \qquad t_2 \to_{Beta} \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot (N[P/x])/y]$$
and $t_1 = t_2$ by the previous lemma.
(ii) For $y^\alpha[N/y][P/x]$, $t_1 = \alpha \cdot N[P/x]$ and $t_2 = y^\alpha[N[P/x]/y]$. After one application of the rule Beta we have $t_2 \to \alpha \cdot N[P/x] = t_1$.
The remaining critical pairs arise from superpositions between App1-Cmp, App2-Cmp, Cpy2-Cmp, Ers2-Cmp and Cmp-Cmp. It is important to note that all critical pairs converge without requesting label-sensitive rules (Beta, Lam, Cpy1, Ers1, and Var). □

Remark 3.7 The conditions on the rewrite rules are essential. If we drop the condition of the beta rule, then the overlap $((\lambda y.M)^\alpha N)^\beta[P/x]$, $x \in M$, gives rise to a critical pair which is not joinable:
$$((\lambda y.M)^\alpha N)^\beta[P/x] \;\to_\beta\; \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N/y][P/x]$$
$$((\lambda y.M)^\alpha N)^\beta[P/x] \;\to\; ((\lambda y.M)^\alpha[P/x]\,N)^\beta \;\to\; ((\lambda y.M[\overrightarrow{?} \cdot P/x])^\alpha N)^\beta \;\to_\beta\; \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot M[\overrightarrow{?} \cdot P/x][\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N/y]$$
$$M[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N/y][P/x] \;\equiv ?\; M[\overrightarrow{?} \cdot P/x][\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot N/y]$$
Having a property of commutation of substitutions would not help, since there is still a $\overrightarrow{?}$ in the right branch to deal with.

In order to show confluence, we split the system into two relations, $\to_\sigma$ and $\Rightarrow_{beta}$, show that both are confluent and then deduce confluence for $\lambda_{lcf}$ from Rosen's lemma, which states that the union of two systems is confluent if both are confluent and commute.
• The first system consists of all $\sigma$-rules in $\lambda_{lcf}$. Note that the critical pairs of $\to_\sigma$ are the ones presented earlier except the first one. Additionally, these critical pairs do not request the Beta rule and therefore $\to_\sigma$ is locally confluent. Moreover, there are no infinite reduction sequences in $\to_\sigma$. Hence, $\to_\sigma$ is confluent.


• $\Rightarrow_{beta}$ is defined to be the Beta rule of $\lambda_{lcf}$ which contracts in parallel all beta redices at any position in a $\lambda_{lcf}$-term. To obtain confluence we show that $\Rightarrow_{beta}$ has the diamond property (strong confluence), that is, if $M \Rightarrow_{beta} M'$ and $M \Rightarrow_{beta} M''$ then there exists $N$ such that $M' \Rightarrow_{beta} N$ and $M'' \Rightarrow_{beta} N$. The proof is by induction on $M \Rightarrow_{beta} M'$. Clearly, $\to_{beta} \subseteq \Rightarrow_{beta}$ and $\to^*_{beta} = \Rightarrow^*_{beta}$, which also makes the original beta rule confluent.

Lemma 3.8 (commutation of $\beta/\sigma$) If $M \Rightarrow^*_{beta} M'$ and $M \to^*_\sigma M''$ then there exists $N$ such that $M' \to^*_\sigma N$ and $M'' \Rightarrow^*_{beta} N$.

Proof. We first show that the diagram weakly commutes by induction on the definition of $\Rightarrow_{beta}$. We distinguish the following cases:
• Let $M = ((\lambda y.P)^\alpha O)^\beta$; $\Rightarrow_{beta}$ applies at the root of the term, $M' = \beta\,\overline{\overrightarrow{D}\,\alpha\,\overleftarrow{!}} \cdot P_b[\underline{\overrightarrow{!}\,\alpha^r\,\overleftarrow{D}} \cdot O_b/x]$, $P \Rightarrow_{beta} P_b$, $O \Rightarrow_{beta} O_b$; $\to_\sigma$ is internal to $P$ or $O$, $M'' = ((\lambda y.P_\sigma)O)^\beta$ or $M'' = ((\lambda y.P)O_\sigma)^\beta$ whenever $P \to_\sigma P_\sigma$ or $O \to_\sigma O_\sigma$. By IH, there exists a term $P_v$ such that $P_b \to_\sigma P_v$ and $P_\sigma \Rightarrow_{beta} P_v$, or there exists a term $O_v$ such that $O_b \to_\sigma O_v$ and $O_\sigma \Rightarrow_{beta} O_v$. Take $N = P_v[O_b/x]$ for the first case and $N = P_b[O_v/x]$ for the second case.
• Let $M = P[O/x]$, $M' = P_b[O_b/x]$, $M'' = P_\sigma[O/x]$ or $M'' = P[O_\sigma/x]$, where a $\sigma$-rule does not apply at the root of $M$ and all reductions are internal to $P$ or $O$. Hence the property holds by IH. On the other hand, if the sigma rule is applicable at the root of $M$, then we have to consider different cases: a) we may have an overlap between a beta rule ($P$ is a beta redex) and the sigma rule. In this case only App2 can be applied, since the functional part of the beta redex has to be closed. This case is similar to the first critical pair presented earlier, where the pair converges at $N$. b) In any other case, take $P$ to be the lhs ($L$) of one of the $\sigma$-rules, $M = L[O/x]$, $M' = L[O_b/x]$, $M'' = R[O/x]$; the diagram commutes with $N = R[O_b/x]$.
Commutation is obtained by induction on the length of the derivation $M \Rightarrow^*_{Beta} M'$. Since $\to^*_{beta} = \Rightarrow^*_{beta}$ we close the diagram and conclude that $\lambda_{lcf}$ is confluent by Rosen's lemma. □

4 Structure of the labels

The markers in the labels add only positions of exponential information to the paths, that is, we still only know about the points of contact of the multiplicative nodes (and consequently D−! nodes). We remark that the translation of the λ-calculus into CBV proof nets has a richer set of reducible constructs, i.e. more points of contact: a) Multiplicative cut ⊗−⅋ b) exponential cuts: !−D, !−?, !−W, !−C.

Definition 4.1 We define $\mathrm{depth}(\alpha)$ to be the overall nesting of a label. This is the total number of overlines and underlines that surround a label.


[Fig. 1. CBV graphs for $(\lambda xy.xy)II$ and $(\lambda x.xx)(II)I$: the two proof-net graphs built from ⅋, ⊗, !, D, ? and R/S nodes, with edges labelled $a, \ldots, k$ (left) and $a, \ldots, m$ (right).]

Proposition 4.2 (Virtual Cuts) Let $\gamma$ be an overlined (resp. underlined) label at depth $k$ and let $Exp$ be the multiset of all atomic exponential markers at depth $k + 1$. The multiplicity of $\overrightarrow{!} \in Exp$ (resp. $\overleftarrow{!} \in Exp$) is 1. Each exponential marker other than the Of Course marker in the multiset forms a virtual exponential cut with that Of Course marker.

Proof. [sketch] To create a virtual multiplicative cut (in the sense of virtual redex), a number of exponential cuts have to be performed first. The dereliction cut is the last one in the sequence since it "opens the box". Note that paths that form virtual multiplicative cuts and dereliction cuts coincide: all exponential cuts that take place during the formation of a multiplicative cut have to be against the same box that the dereliction opens. □

Example 4.3 Here we provide two example paths yielded by the labelled reduction of the terms $(\lambda xy.xy)II$ and $(\lambda x.xx)(II)I$. The corresponding graphs are presented in Figure 1.
$$(((\lambda x.(\lambda y.(x^a y^b)^c)^d)^e (\lambda x.x^f)^g)^h (\lambda x.x^i)^j)^k \to^*_{\lambda_{lcf}} (\lambda x.x^i)^\phi$$
with
$$\phi = k\,\overline{\overrightarrow{D}\,h\,\overline{\overrightarrow{D}\,e\,\overleftarrow{!}}\,d\,\overleftarrow{!}}\;c\,\overline{\overrightarrow{D}\,a\,\overrightarrow{?}\,\underline{\overrightarrow{!}\,e\,\overleftarrow{D}}\,g\,\overleftarrow{!}}\;f\,\underline{\overrightarrow{!}\,g\,\underline{\overrightarrow{D}\,e\,\overleftarrow{!}}\,\overleftarrow{?}\,a\,\overleftarrow{D}}\;b\,\underline{\overrightarrow{!}\,d\,\overline{\overrightarrow{!}\,e\,\overleftarrow{D}}\,h\,\overleftarrow{D}}\;j$$
where the overlines and underlines mark the boundaries of the box, and $\overrightarrow{?}$ together with $\overleftarrow{!}$ forms the virtual commutative (!−?) cut. Note that the direction of the arrow of each Of Course marker faces the direction of the arrow of the exponential marker with which it forms a cut. The second example is slightly more complicated and shows how information flows through contraction nodes:
$$(((\lambda x.(\delta^{p,o}_x.(p^a o^b)^c))^d ((\lambda x.x^e)^f (\lambda x.x^g)^h)^i)^j (\lambda x.x^k)^l)^m \to^*_{\lambda_{lcf}} (\lambda x.x^k)^\phi$$


with $\phi = m\,\overline{\overrightarrow{D}\,\gamma\,\overleftarrow{!}}\;g\;\underline{(\overrightarrow{D}\,\gamma\,\overleftarrow{!})^r}\;l$, where $\overrightarrow{D}\,\gamma\,\overleftarrow{!}$ is given below:
$$\overrightarrow{D}\; j\,\overline{\overrightarrow{D}\,d\,\overleftarrow{!}}\,c\,\overline{\overrightarrow{D}\,a\,\overrightarrow{R}\,\underline{\overrightarrow{!}\,d\,\overleftarrow{D}}\,i\,\overline{\overrightarrow{D}\,f\,\overleftarrow{!}}\,e\,\underline{\overrightarrow{!}\,f\,\overleftarrow{D}}\,h\,\overleftarrow{!}}\,g\,\underline{\overrightarrow{!}\,h\,\underline{\overrightarrow{D}\,f\,\overleftarrow{!}}\,e\,\overline{\overrightarrow{!}\,f\,\overleftarrow{D}}\,i\,\underline{\overrightarrow{D}\,d\,\overleftarrow{!}}\,\overleftarrow{R}\,a\,\overleftarrow{D}}\,b\,\overrightarrow{S}\,\underline{\overrightarrow{!}\,d\,\overleftarrow{D}}\,i\,\overline{\overrightarrow{D}\,f\,\overleftarrow{!}}\,e\,\underline{\overrightarrow{!}\,f\,\overleftarrow{D}}\,h\;\overleftarrow{!}$$
We have split the contraction nodes into R and S to capture the different routes that paths can take through contraction nodes.

5 Towards Closed Reduction in the GOIm

The main interest in examining strategies for the GOIm comes from the fact that the length of the paths to be traversed can be significantly reduced. The reader should note that strategy here means computing the same paths differently. For instance, the machine presented in [6] shortcuts paths that are underlined: note that these are the same as the overlined paths, but in reverse order. The Call by Value GOIm presented in [7] builds on this idea and shortcuts sub-redundancies like the ones in our second example.

Here we provide an informal description of how a closed strategy acts. Computation is initialised by following a normal flow in the traversal of the graph, but once the strategy detects the appearance of ?-nodes in boxes, the normal flow is put on hold in order to deal with the ?-nodes first. The goal is to remove ?-nodes from the graph by installing shortcuts such that ?-nodes are practically invisible once the normal flow of the computation resumes. In terms of Linear Logic, the strategy performs commutative cut elimination steps as soon as possible.

We recall the graph and the label from the first example for a more concrete situation: Computation starts by traversing the edges $k\,D\,h\,D\,e\,!\,d$. Up to this point, we follow exactly what the label $\phi$ dictates. Since we arrive at a box that contains a ?-node, we have to initialise a search starting from that ?-node to find the !-node with which it forms a virtual commutative cut. The path that we traverse is $?\,!\,e\,D\,g$, which leads us to the matching !-node. Now we rewire the edge $a$ of the ?-node with the root of the matching !-node and resume the normal flow of the computation. This was at edge $d$.
The path that we traverse from now on is exactly what the label $\phi$ dictates, but now we jump all virtual commutative cuts in the label.

6 Conclusion

In this work we presented a calculus whose labels provide sufficient structure in order to experiment with new strategies for the Geometry Of Interaction machine. As pointed out in the introduction, there are other ways to obtain the same paths and structure. The difference here is that we now have a lambda calculus which is able to add explicit positions during reduction. A helpful refinement would be to connect the new points of contact on the fly. Initial investigations show that simulating a call by value strategy during labelled reduction might be able to do that.

7 Acknowledgements

We would like to thank Ian Mackie for his contributions to this paper.

References
[1] A. Asperti, V. Danos, C. Laneve, and L. Regnier. Paths in the lambda-calculus. In Logic in Computer Science, pages 426–436, 1994.
[2] A. Asperti and S. Guerrini. The optimal implementation of functional programming languages. Cambridge University Press, New York, NY, USA, 1998.
[3] A. Asperti and C. Laneve. Interaction systems I: The theory of optimal reductions. Mathematical Structures in Computer Science, 4(4):457–504, 1994.
[4] A. Asperti and C. Laneve. Paths, computations and labels in the lambda-calculus. In RTA-93: Selected papers of the fifth international conference on Rewriting techniques and applications, pages 277–297, Amsterdam, The Netherlands, 1995. Elsevier Science Publishers B. V.
[5] T. Blanc, J.-J. Lévy, and L. Maranget. Sharing in the weak lambda-calculus. In A. Middeldorp, V. van Oostrom, F. van Raamsdonk, and R. C. de Vrijer, editors, Processes, Terms and Cycles, volume 3838 of Lecture Notes in Computer Science, pages 70–87. Springer, 2005.
[6] V. Danos and L. Regnier. Reversible, irreversible and optimal lambda-machines. Theoretical Computer Science, 227:79–97, 1999.
[7] M. Fernández and I. Mackie. Call-by-value lambda-graph rewriting without rewriting. In ICGT '02: Proceedings of the First International Conference on Graph Transformation, pages 75–89, London, UK, 2002. Springer-Verlag.
[8] M. Fernández, I. Mackie, and F.-R. Sinot. Closed reduction: explicit substitutions without α-conversion. Mathematical Structures in Computer Science, 15(2):343–381, 2005.
[9] J.-Y. Girard. Geometry of interaction 1: Interpretation of System F. In R. Ferro, C. Bonotto, S. Valentini, and A. Zanardo, editors, Logic Colloquium 88, volume 127 of Studies in Logic and the Foundations of Mathematics, pages 221–260. North Holland Publishing Company, Amsterdam, 1989.
[10] J.-J. Lévy. Réductions correctes et optimales dans le lambda-calcul. Thèse de doctorat d'état, Université Paris VII, 1978.
[11] I. Mackie. The geometry of interaction machine. In POPL '95: Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 198–208, New York, NY, USA, 1995. ACM Press.



The Better Bubbling Lemma

7 May 2006, Revised 11 June 2006

Abstract. [1] relies for its modelings of λ calculus in intersection type filters on a key theorem which Dezani and her colleagues have come to call the Bubbling Lemma (BL, here). This lemma has been extended in [2] to encompass union types as well; I call the extended lemma the Better Bubbling Lemma (BBL, here). There are resonances, explored in [3] and [2], between intersection and union type theories and the already existing minimal positive relevant logic B+ of [4]. (Indeed [5] applies BL and BBL to get further results linking combinators to relevant theories and propositions.) On these resonances the filters of algebra become the theories of logic. The semantics of [4] yields here a new and short proof of BBL, which encompasses not merely B+ but its Boolean extension CB [6, 7].

Our vocabulary here will be dual purpose (as in [3]). We begin with atoms 'p', etc., taken indifferently as propositional or type variables. There will be a constant T (a formula entailed by everything, or the whole space ω of [1]). Formulae (or types) 'A', 'B', etc., shall be built up from atoms and T under the binary operations ∧ (conjunction, or intersection) and → (implication, or function space constructor). Statements are of the form A ≤ B, where ≤ (logical entailment, or sub-type) is a binary relation symbol and A and B are formulae (or types). Thus our formal systems are, in the style of Curry [8], relational ones, more natural (as in [2, 7]) for contact with sub-typing ideas.

We have just described the basic language LT. We extend it to the language L+T by adding the additional operation ∨ (disjunction, or union). Binary operations shall be ranked ∧, ∨ (when present), → in order of increasing scope, with association otherwise to the right. We have in mind an additional language L¬, which results when the additional unary connective ¬ (Boolean negation, or complement) is added. (Note: in L¬ both ∨ and T may be taken as defined: A∨B by ¬(¬A∧¬B) and T by p∨¬p, where p is first.)
We shall characterize the theorems of corresponding systems semantically. (For syntactic characterizations see the cited papers.) A 3-frame K shall here be a triple <K, ≤, R>, where K is a set (of states), ≤ is a partial order on K and R is a 3-place relation on K, subject to the monotonic conditions

a ≤ a' & b ≤ b' & c' ≤ c ⇒ (Ra'b'c' ⇒ Rabc)

That is, the ternary relation R is, with respect to the partial order ≤, monotone decreasing in its first two arguments and increasing in its last argument. (Pleasant anticipation: = is reflexive, transitive and anti-symmetric, whence equality is certainly a partial order satisfying by substitution the monotonic conditions. Upshot: at the minimal level considered here we can forget about ≤, thinking of our frames simply as pairs <K, R>.)

Let K be a 3-frame, and let L be one of our languages above. Let 2 = {0, 1} be the set {false, true} of truth-values. A possible interpretation I of L in K shall be any function I : L×K → 2. That is, a possible interpretation is any function which assigns exactly one truth-value to each formula A in L at each state s in K. Not all possible interpretations count as interpretations. This is semantics, and some attention to the meanings of the particles is in order. That attention is supplied by (i) truth-conditions on the primitive particles and (ii) a heredity condition sensitive to the partial order. Writing [A]c for I(A, c) = 1 and ¬[A]c for I(A, c) = 0 and using intuitive connectives and quantifiers in obvious ways, we have the following:

Truth-conditions:

Tω. [T]c always
T∧. [A∧B]c = [A]c ∧ [B]c
T∨. [A∨B]c = [A]c ∨ [B]c
T¬. [¬A]c = ¬[A]c
T→. [A→B]c = ∀a,b∈K (Rcab ⇒ ([A]a ⇒ [B]b))

Heredity condition:

H. b ≤ c ⇒ ([A]b ⇒ [A]c)

Note that the heredity condition is otiose in the situation that we are aiming for, in which equality is the relation that we have in mind. A possible interpretation I is an interpretation provided that all applicable truth and heredity conditions hold for I. We have now

Verification condition on an interpretation I in a 3-frame K:
VI. A ≤ B is verified on I in K iff ∀c∈K([A]c ⇒ [B]c)

Validity condition in a 3-frame K:
VK. A ≤ B is valid in K iff A ≤ B is verified on all I in K

Basic validity condition:
VB. A ≤ B is basically valid iff A ≤ B is valid in all 3-frames K

This brings us to our main topic, the Bubbling and Better Bubbling Lemmas. I shall henceforth simply write 'A ≤ B' when that statement is basically valid. Let I be a finite index set. Then the Bubbling Lemma says

BL. Suppose ∧i∈I(Ai → Bi) ≤ A → B. Then there is a subset J ⊆ I such that A ≤ ∧j∈J Aj and ∧j∈J Bj ≤ B.

I put BL thus on the usual lattice-theoretic convention that, where Λ is the null set,

∧j∈Λ Aj = T.


The utility of BL in [1] and associated work is that it assures that the interpretants of terms of the form λx.M are indeed filters (= theories). On, now, to Better Bubbling! The Better Bubbling Lemma BBL (e. g., of [2]) has two parts.

BBL1. Suppose that ∧i∈I(Ai → Bi) ≤ ∨j∈J(Cj → Dj). Then there is a particular j in J such that ∧i∈I(Ai → Bi) ≤ Cj → Dj.

BBL2. Suppose that ∧i∈I(Ai → Bi) ≤ A → B. Then for each subset J ⊆ I we have

(i) A ≤ ∨j∈J Aj, OR (ii) ∧k∈I\J Bk ≤ B

It is the case that Better Bubbling entails Bubbling. But I shall not go into all that now. Instead I will prove Better Bubbling SEMANTICALLY. (I note that the person who discovered BBL, according to Dezani, is Giuseppe Castagna.) And I shall first prove BBL2 for the full Boolean (conservative) extension CB of B+, which replaces, as promised, the above postulates and heredity condition with the simple

p0. c ≤ d iff c = d, for all c, d ∈ K

Proof of BBL2 for CB. The proof is by reductio. The lemma claims that, if a conjunction over an index set I of → formulae Ai → Bi entails an → formula A → B, then for every subset J of I we have either

i. A ≤ ∨j∈J Aj, OR
ii. ∧k∈I\J Bk ≤ B

So suppose, for some subset J of I, both i and ii are semantically invalid. We use this hypothesis to show that, in this case, the statement

iii. ∧i∈I(Ai → Bi) ≤ A → B

is also semantically invalid. BBL2 then follows by contraposition. Let then J be the subset of I for which both i and ii fail. By VI and T∨, there is then, by the failure of i, some interpretation Ia in a 3-frame Ka = <Ka, Ra> such that, on Ia, we have at a state a ∈ Ka and for all j ∈ J,

(1) [A]a
(2) ¬[Aj]a

Meanwhile, by the failure of ii, there is some interpretation Ib in a 3-frame Kb = <Kb, Rb> such that, on Ib, we have by VI and T∧ a state b ∈ Kb such that, for all k ∈ I\J,

(3) [Bk]b
(4) ¬[B]b

Let x be a new element foreign to both Ka and Kb. We construct a new 3-frame K = <K, R>, where K = {x} ∪ Ka ∪ Kb. By defining R appropriately on K, we shall make the antecedent of iii true at x but its consequent false at x. This will suffice for the invalidity of iii, ending the argument. We specify R as follows:

(5) Rxab.
(6) For c, d, e ∈ Ka, Rcde iff Racde.
(7) For c, d, e ∈ Kb, Rcde iff Rbcde.
(8) Otherwise Rcde fails, for all c, d, e ∈ K.

The idea of this specification is that we are simply pasting together the two 3-frames that we already have, joining them at x via Rxab. We continue the pasting by defining an interpretation I in K that copies Ia on the Ka side and Ib on the Kb side. Specifically, for all c ∈ Ka and d ∈ Kb, we lay down for each atom p that I(p, c) = Ia(p, c) and I(p, d) = Ib(p, d). As for the new element x, we simply set I(p, x) = 0 for all p. The imposition of the truth-conditions T→, T∧, T¬ (and, by definition, T∨ and Tω as well) then assures that I is well-defined on all formulae E at each state e in K. It is now an elementary structural induction, safely left to the reader, to show that I agrees with Ia on all E at every state e in Ka, and with Ib on all E at every e in Kb.

As for what I does at x, we must check that it makes the antecedent of iii true there but its consequent false. There is no problem with the latter: I(A, a) = Ia(A, a) = 1 and I(B, b) = Ib(B, b) = 0; whence, since Rxab, we have I(A→B, x) = 0 by T→. But we need also to check that each Ai→Bi is true on I at x (whence, by T∧, so is the whole antecedent of iii). It all depends on whether i is in the special subset J from which we started. If i ∈ J then I(Ai, a) = Ia(Ai, a) = 0, by (2) above. But then, since Rxab is the only triple involving x, we have I(Ai→Bi, x) = 1 (by, so to speak, falsity of antecedent in T→). On the other hand, if i ∈ I\J, we then have I(Bi, b) = Ib(Bi, b) = 1, by (3) above. This also enforces I(Ai→Bi, x) = 1 (by, so to speak, truth of consequent in T→). Thus all the → formulae in the antecedent of iii are true at x on I. But the consequent of iii was false at x on I. Thus iii is not basically valid if any subset J ⊆ I fails to satisfy one of (i), (ii). Contraposing, this ends the semantical proof of BBL2 for CB.

Proof of BBL1. By contraposition. Suppose that, for each j ∈ J, the statement

(5) ∧i∈I(Ai → Bi) ≤ Cj → Dj

is not basically valid. We shall show that

(6) ∧i∈I(Ai → Bi) ≤ ∨j∈J(Cj → Dj)

is also invalid. (BBL1 itself says that, given the validity of (6), there is a j ∈ J for which (5) holds; we argue for its contrapositive.) We proceed to construct, very carefully, for each j ∈ J an interpretation Ij in a 3-frame Kj = <Kj, Rj>. We might as well take the index j itself as the “state” at which the antecedent of (5) turns out true on Ij and its consequent false. That is, we have on Ij (using our abbreviated notation again) new states cj, dj such that, applying T∧, T→, we get

(7) Rj j cj dj
(8) [Cj]cj
(9) ¬[Dj]dj
(10) for each i ∈ I, [Ai → Bi]j

There is a very important point in this observation—namely, that we can always choose fresh new states cj and dj when we are falsifying → statements at j.¹

¹ My former student and later ANU boss John Slaney e-mailed an elegant proof that this is the case. He and my ANU colleague Rajeev Goré have my thanks, as do the graduate

In many logics, we do not have this luxury; for example, one of the postulates of the logic R states that Rxxx always, whence we must attend to repetitions of the arguments of the ternary relation. We note moreover that there is no reason to make any atom p true at any of the special states j ∈ J. So, w.l.o.g., Ij(p, j) = 0 for all atoms p and j ∈ J. Having carefully falsified each of the instances of (5), we now construct a countermodel to (6). We may assume, for j ≠ k (j, k ∈ J), that Kj ∩ Kk is the empty set. Let K0 = ∪j∈J Kj. Let x be an element not in K0, and let K = {x} ∪ K0. We define the ternary relation R on K as follows, for each j ∈ J:

(1) If a, b, c ∈ Kj then Rabc iff Rj abc.
(2) If a, b ∈ Kj then Rxab iff Rj jab.
(3) Otherwise Rabc fails.

This will make K = <K, R> a 3-frame. We go on to define an interpretation I in K, thus:

(4) For all atoms p and aj ∈ Kj, I(p, aj) = Ij(p, aj).
(5) For all atoms p and j ∈ J, I(p, x) = Ij(p, j) = 0.
(6) For compound formulae C and all states c ∈ K, let I(C, c) be determined in K by imposing the truth-conditions T→, T∧, T¬.

Lemma 1. For all formulae A and all aj ∈ Kj, I(A, aj) = Ij(A, aj).
Proof. Obvious by structural induction, since the truth-conditions are the same.

Lemma 2. For all j ∈ J and consequents Cj → Dj of (5), I(Cj → Dj, x) = 0.
Proof. By Lemma 1, condition (2) above, and T→.

Lemma 3. For all conjoined antecedents Ai → Bi of (5), I(Ai → Bi, x) = 1.
Proof. All of the Ij agree in making the Ai → Bi true. Suppose, for reductio, that I(Ai → Bi, x) were nonetheless false. Then there would be a, b such that Rxab and I(Ai, a) = 1 and I(Bi, b) = 0. But then, by (2), there is a j such that both a, b ∈ Kj and Rj jab. Whence, by Lemma 1 and T→, Ij(Ai → Bi, j) = 0, which is impossible.

Theorem. BBL1 holds.
Proof. As indicated. Suppose that (6) holds, but that (5) fails for all j ∈ J. Construct the interpretation I in the 3-frame K = <K, R>. On I we have, in abbreviated notation,

(11) [∧i∈I(Ai → Bi)]x
(12) ¬[∨j∈J(Cj → Dj)]x

We have (11) by T∧, because each Ai → Bi is true at x by Lemma 3. And we have (12) by T∨, since each Cj → Dj is false at x by Lemma 2. This shows that (6) is invalid after all, a contradiction, ending the semantic proof of BBL1.²

¹ (continued) students Chunlai Zhou (Indiana University) and Koushik Pal (UC Berkeley) for incisive insights.

² I have been chided by a referee, who correctly insists that the contributions of Castagna, Frisch and Benzaken in [9] and [10] are at the heart of the topic of semantic subtyping.
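The following Python model checker is an added example and is not code from the paper. It encodes the truth-conditions Tω–T→ and the conditions VI and VK on a finite 3-frame under p0 (so the heredity condition H drops out), then builds the pasted frame of clauses (5)–(8) in the BBL2 proof and the glued frame of clauses (1)–(6) in the BBL1 proof on small constructed instances, and checks at the fresh state x that each antecedent comes out true and each consequent false, exactly as Lemmas 2 and 3 and the BBL2 argument require. The tuple encoding of formulae, the state names, the choice of atoms for the instances and all helper names are my own assumptions.

```python
from itertools import product

# Formulas are tuples: ('T',), ('atom', p), ('and', A, B), ('or', A, B), ('not', A), ('imp', A, B).
# This encoding, and every helper name below, is an assumption of this example, not the paper's.
T = ('T',)
def atom(p):   return ('atom', p)
def And(a, b): return ('and', a, b)
def Or(a, b):  return ('or', a, b)
def Not(a):    return ('not', a)
def Imp(a, b): return ('imp', a, b)

def holds(frame, val, f, c):
    """[f]c on the interpretation fixed by val (atom -> set of states where it is true).
    frame = (K, R), R a set of triples (c, a, b). Under p0 (c <= d iff c = d) the heredity
    condition H is vacuous, so an atom assignment determines the whole interpretation."""
    K, R = frame
    tag = f[0]
    if tag == 'T':    return True                                                      # Tω
    if tag == 'atom': return c in val.get(f[1], set())
    if tag == 'and':  return holds(frame, val, f[1], c) and holds(frame, val, f[2], c)  # T∧
    if tag == 'or':   return holds(frame, val, f[1], c) or holds(frame, val, f[2], c)   # T∨
    if tag == 'not':  return not holds(frame, val, f[1], c)                             # T¬
    if tag == 'imp':  # T→: for all a, b in K with Rcab, [A]a implies [B]b
        return all(not holds(frame, val, f[1], a) or holds(frame, val, f[2], b)
                   for (d, a, b) in R if d == c)
    raise ValueError(f'bad formula {f!r}')

def verified(frame, val, A, B):
    """VI: A <= B is verified on I in K iff every state making A true makes B true."""
    return all(holds(frame, val, B, c) for c in frame[0] if holds(frame, val, A, c))

def valid(frame, A, B, atoms):
    """VK: A <= B is valid in K iff verified on every interpretation. With finitely many atoms
    there are 2^(|K|*|atoms|) of them, so just enumerate (only sensible for tiny frames)."""
    states, n = sorted(frame[0]), len(frame[0])
    for bits in product((False, True), repeat=n * len(atoms)):
        val = {p: {s for s, on in zip(states, bits[i*n:(i+1)*n]) if on}
               for i, p in enumerate(atoms)}
        if not verified(frame, val, A, B):
            return False
    return True

def conj(fs):
    """Finite conjunction; the null conjunction is T, as in the paper's lattice convention."""
    return T if not fs else fs[0] if len(fs) == 1 else And(fs[0], conj(fs[1:]))

def disj(fs):
    assert fs, 'the paper gives no convention for the null disjunction'
    return fs[0] if len(fs) == 1 else Or(fs[0], disj(fs[1:]))

def paste_bbl2(frame_a, val_a, a, frame_b, val_b, b, x='x'):
    """Clauses (5)-(8) of the BBL2 proof: K = {x} ∪ Ka ∪ Kb, R = {Rxab} ∪ Ra ∪ Rb, and I copies
    Ia on Ka and Ib on Kb while every atom is false at the fresh state x."""
    (Ka, Ra), (Kb, Rb) = frame_a, frame_b
    assert not (Ka & Kb) and x not in Ka | Kb, 'Ka, Kb must be disjoint and x fresh'
    val = {p: val_a.get(p, set()) | val_b.get(p, set()) for p in set(val_a) | set(val_b)}
    return ({x} | Ka | Kb, {(x, a, b)} | set(Ra) | set(Rb)), val

def glue_bbl1(models, x='x'):
    """Clauses (1)-(5) of the BBL1 proof: models = {j: (frame_j, val_j)} with pairwise disjoint Kj,
    each Kj containing its index j. K = {x} ∪ ⋃Kj; Rabc iff some Rj abc; Rxab iff Rj jab."""
    K, R, val = {x}, set(), {}
    for j, ((Kj, Rj), vj) in models.items():
        assert j in Kj and not (K & Kj), 'frames must be disjoint and x fresh'
        K |= Kj
        R |= set(Rj) | {(x, a, b) for (d, a, b) in Rj if d == j}
        for p, S in vj.items():
            val[p] = val.get(p, set()) | S
    return (K, R), val

def demo():
    """Constructed instances of both constructions; returns the checks as a dict."""
    p, q, r, s, t, u, v = map(atom, 'pqrstuv')
    # BBL2 instance: I = {1, 2}, J = {1}; A1→B1 = p→q, A2→B2 = r→s, A→B = u→v.
    # Ia on Ka = {a}: (1) [u]a, (2) ¬[p]a, so i. (u ≤ p) fails; [r]a exercises the I\J case.
    Ka, Ia = ({'a'}, set()), {'u': {'a'}, 'r': {'a'}}
    # Ib on Kb = {b}: (3) [s]b, (4) ¬[v]b, so ii. (s ≤ v) fails.
    Kb, Ib = ({'b'}, set()), {'s': {'b'}}
    K2, I2 = paste_bbl2(Ka, Ia, 'a', Kb, Ib, 'b')
    ante, cons = conj([Imp(p, q), Imp(r, s)]), Imp(u, v)
    bbl2 = dict(i_fails=not verified(Ka, Ia, u, p), ii_fails=not verified(Kb, Ib, s, v),
                ante_at_x=holds(K2, I2, ante, 'x'), cons_at_x=holds(K2, I2, cons, 'x'),
                iii_verified=verified(K2, I2, ante, cons))
    # BBL1 instance: I = {1}, J = {1, 2}; A1→B1 = p→q, C1→D1 = r→s, C2→D2 = t→u.
    # Each Kj = {j, cj, dj} with Rj j cj dj; (8) [Cj]cj, (9) ¬[Dj]dj, (10) [p→q]j.
    m1 = (({'1', 'c1', 'd1'}, {('1', 'c1', 'd1')}), {'r': {'c1'}})                   # p→q true at 1 vacuously
    m2 = (({'2', 'c2', 'd2'}, {('2', 'c2', 'd2')}), {'t': {'c2'}, 'p': {'c2'}, 'q': {'d2'}})  # true at 2 via [q]d2
    K1, I1 = glue_bbl1({'1': m1, '2': m2})
    bbl1 = dict(ante_at_x=holds(K1, I1, Imp(p, q), 'x'),
                cons_at_x=holds(K1, I1, disj([Imp(r, s), Imp(t, u)]), 'x'))
    # VK on a one-state frame with no R-triples: every → formula is vacuously true there.
    vk = dict(vacuous=valid(({'a'}, set()), T, Imp(p, q), ['p', 'q']),
              p_le_q=valid(({'a'}, set()), p, q, ['p', 'q']))
    return dict(bbl2=bbl2, bbl1=bbl1, vk=vk)

if __name__ == '__main__':
    print(demo())
```

Running `demo()` reproduces the two case analyses in the text: in the BBL2 instance the conjunct p→q is true at x by falsity of antecedent (i ∈ J) and r→s by truth of consequent (i ∈ I\J), while u→v fails at x through the single triple Rxab; in the BBL1 instance the triples Rxab are exactly the copies of Rj jab, which is what makes Lemma 3's reductio go through.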


References for The Better Bubbling Lemma

The following abbreviations are used: AJL Australasian Journal of Logic; JPL Journal of Philosophical Logic; JSL The Journal of Symbolic Logic; NDJFL Notre Dame Journal of Formal Logic.

[1] Barendregt, Henk, Mario Coppo and Mariangiola Dezani-Ciancaglini, 1983. A filter lambda model and the completeness of type assignment, JSL 48: 931-940.
[2] Dezani-Ciancaglini, M., A. Frisch, E. Giovannetti and Y. Motohama, 2002. The Relevance of Semantic Subtyping, Electronic Notes in Theoretical Computer Science 70 No. 1, 15pp.
[3] Dezani-Ciancaglini, M., R. K. Meyer and Y. Motohama, 2002. The semantics of entailment omega, NDJFL 43: 129-145.
[4] Routley, Richard, and Robert K. Meyer, 1972. The semantics of entailment III, JPL 1: 192-208.
[5] Pal, Koushik, and Robert K. Meyer, 2005. Basic relevant theories for combinators at levels I and II, AJL 3, http://www.philosophy.unimelb.edu.au/2005/2003_2.pdf, 19 pages.
[6] Meyer, Robert K., 1995. Types and the Boolean system B+.
[7] Meyer, Robert K., Yoko Motohama and Viviana Bono. Truth translations of relevant logics, forthcoming.
[8] Curry, Haskell B., 1963. Foundations of Mathematical Logic, McGraw-Hill, N. Y.
[9] Castagna, Giuseppe, and Alain Frisch, 2005. A gentle introduction to semantic subtyping. In PPDP05, ACM Press (full version) and ICALP05, LNCS volume 3580, Springer-Verlag (summary). Joint ICALP-PPDP keynote talk.
[10] Frisch, Alain, Giuseppe Castagna, and Véronique Benzaken, 2002. Semantic subtyping. In LICS02, pages 137-146, IEEE Computer Society Press.