Developments in Computational Models

0 downloads 0 Views 3MB Size Report
Jul 16, 2006 - Electronic Notes in Theoretical Computer Science ..... Cosnard, Liquori and Chand ... possible, futuristic migration computations, i.e. transfer of a non ..... The free rider problem is the question of how to ...... 0015/part1 Nov25.pdf (2005). ...... considerable understanding of the underlying physics, we argue.
Electronic Notes in Theoretical Computer Science

Developments in Computational Models DCM 2006 Venice, Italy

16 July 2006

Guest Editors:

Jean-Pierre Jouannaud and Ian Mackie

Contents Preface

v

ndez (Invited Speaker) Maribel Ferna Every computable function is linear (in a sense) . . . . . . . . . . . . . . . . . . . . . .

1

Michel Cosnard, Luigi Liquori and Raphael Chand Virtual Organizations in Arigatoni: the formal model . . . . . . . . . . . . . . . .

5

Marco Carbone, Kohei Honda and Nobuko Yoshida A Calculus of Global Interaction based on Session Types . . . . . . . . . . . . . 27 Mircea-Dan Hernest Light Dialectica Extraction from a Classical Fibonacci Proof . . . . . . . . . 35 Jayshan Raghunandan and Alexander J. Summers On the Computational Representation of Classical Logical Connectives 45 Germain Faure Term collections in lambda and rho-calculi . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Simon Gay, Rajagopal Nagarajan and Nikolaos Papanikolaou Probabilistic Model-Checking of Quantum Protocols . . . . . . . . . . . . . . . . . . 63 Luca Fossati Handshake Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Nikolaos Siafakas A fully labelled lambda calculus: Towards closed reduction in the Geometry of Interaction Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Bob Meyer Better Bubbling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

ii

Preface The Second International Workshop on Developments in Computational Models (DCM) was held in Venice, Italy, on the 16 July 2006, as a satellite event of ICALP 2006. This volume contains the papers presented at this workshop. The First International Workshop on Developments in Computational Models (DCM 2005) was held in Lisbon, Portugal in July 2005, also as a satellite event of ICALP. DCM focuses on abstract models of computation, and their associated programming paradigms. Several new models of computation have emerged in the last few years, and many developments of traditional computational models have been proposed with the aim of taking into account the new demands of computer systems users and the new capabilities of computation engines. A new computational model, or a new feature in a traditional one, usually is re ected in a new family of programming languages, and new paradigms of software development. The aim of DCM was to bring together researchers who are currently developing new computational models or new features for traditional computational models, in order to foster their interaction, to provide a forum for presenting new ideas and work in progress, and to enable newcomers to learn about current activities in this area. Topics of interest for DCM include all abstract models of computation and their applications to the development of programming languages and systems, for instance:  Functional calculi: lambda-calculus, rho-calculus, term and graph rewrit-

ing;

 Object calculi;  Interaction-based systems: interaction nets, games;  Concurrent models: process calculi, action graphs;  Calculi expressing locality, mobility, and active data;  Quantum computational models;  Biological or chemical models of computation;

For DCM 2006, the Programme Committee selected 9 papers for inclusion in these proceedings, covering a wide range of the topics. In addition, the programme included an invited talk by Maribel Fernandez. The Programme Committee consisted of:  Jos Baeten, Eindhoven University of Technology, The Netherlands  Horatiu Cirstea, LORIA, France  Mariangiola Dezani, University of Torino, Italy

iii

 Francois Fages, INRIA, France  Mario Florido, University of Porto, Portugal  Simon Gay, University of Glasgow, UK  Radha Jagadeesan, DePaul University, USA

  Jean-Pierre Jouannaud, Ecole Polytechnique, France (Co-Chair)   Ian Mackie, Ecole Polytechnique and King's College London (Co-Chair)  Herbert Wiklicky, Imperial College London, UK

We would like to thank all those who contributed to DCM 2006. We are grateful to the Programme Committee members for their careful and ecient work in reviewing and selecting the submitted papers.

Jean-Pierre Jouannaud and Ian Mackie Paris, 20 June 2006

iv

DCM 2006

Every computable function is linear (in a sense)

Maribel Fern andez 1 King's College London, Department of Computer Science, Strand, London, WC2R 2LS, U.K. Email: [email protected]

Computability theory has its roots in work done in the 1930's, by Alonzo Church, Haskell Curry, Kurt Godel, Jacques Herbrand, Stephen Kleene, and Alan Turing (among others). Turing, Church and Kleene developed, more or less at the same time, three di erent models of computation which are now the standard 'paradigms' of sequential computation: Turing Machines, the -calculus, and recursive functions. We will focus on the last two. Roughly speaking, the theory of recursive functions is based on the de nition of functions by equations. Each function has a name, and is de ned from a set of initial functions using composition, primitive recursion, and minimisation. By recursion here we mean explicit recursive calls, where a function f is de ned by means of an equation f(t) = C[f(u)]. The -calculus is also a theory of functions, but in this case functions don't have names, and we can build recursion in an implicit way, using xpoint operators. Both the explicit and the implicit approaches to recursion yield Turingcomplete models of computation. Together with recursion, a key mechanism in the process of computation is the ability for functions to duplicate and to discard their arguments (i.e., management of resources: erase and copy). Let us now focus on this aspect of computation, which has attracted a great deal of attention in recent years. We say that a function is linear if it uses its argument exactly once. We will give an alternative formulation of the theory of recursive functions, where each function is linear in this sense; we call this class of functions linear recursive functions. To de ne linear recursive functions we start by specifying a set of linear initial functions (projections are not linear, but permutations are, so we will 1

This research was carried out in collaboration with Sandra Alves, Luis Damas, Mario Florido and Ian Mackie, as part of the project \Linearity: Programming Languages and Implementations", partially funded by a Treaty of Windsor Grant. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

ndez Ferna

use natural numbers, permutations, and composition of linear functions), together with a linear primitive recursive scheme (i.e., primitive recursion where each function uses its arguments exactly once). We will show that we can express both the process of copying a number and the process of erasing a number, as linear primitive recursive functions. Thus, any primitive recursive function can be de ned as a linear primitive recursive functions, indeed the two classes coincide. Linear primitive recursive functions are powerful: they o er an implicit approach to copying and erasing. Then, to get a Turing-complete computation model, we add an operator of minimisation on linear functions. The class of functions that can be de ned using linear primitive recursive and linear minimisation is called linear recursive. Using Kleene's normal form theorem (which says that any partial recursive function can be de ned using primitive recursive functions and one minimisation operator), we obtain an encoding of partial recursive functions into linear recursive functions. In this sense, we can say that every computable function is linear.

Related Work:

There are several formalisms based on the notion of linearity that limit the use of copy and erasing. This includes languages based on a version of the -calculus with a type system corresponding to intuitionistic linear logic [7]. One of the main features of the calculus (which can be seen as a minimal functional programming language) is that it provides explicit syntactical constructs for copying and erasing terms (corresponding to the exponentials in linear logic) [1]. From another perspective there have been a number of calculi, again many based on linear logic, for capturing speci c complexity classes ([3,6,8,4,9,10,5]). One of the main examples is that of bounded linear logic [8], which has as one of its main aims to nd a calculus in-between the linear -calculus and that with the exponentials (speci cally the polynomial time computable functions). In previous work [2] we showed that a simple extension of a typed, linear calculus, without the exponentials, i.e., a calculus that is syntactically linear, has an enormous computational power: exactly the same power as Godel's System T . More precisely, we demonstrated that without minimisation but with an iterator and higher-order constructs, any function de nable in Godel's System T is linear. These previous results inspired our work on linear primitive recursion. This work is part of a research programme which aims at studying the notion of linearity in computation, and at analysing the computational power of linear functions. 2

ndez Ferna

References [1] S. Abramsky. Computational Interpretations of Linear Logic. , 111:3{57, 1993. [2] S. Alves, M. Fernandez, M. Florido, and I. Mackie. The power of linear functions. In , Lecture Notes in Computer Science. Springer-Verlag, 2006. To appear. [3] A. Asperti. Light ane logic. In . IEEE Computer Society, 1998. [4] A. Asperti and L. Roversi. Intuitionistic light ane logic. , 2002. [5] P. Baillot and V. Mogbil. Soft lambda-calculus: a language for polynomial time computation. In , LNCS. Springer Verlag, 2004. [6] J. Girard. Light linear logic. , 1998. [7] J.-Y. Girard. Linear Logic. , 50(1):1{102, 1987. [8] J.-Y. Girard, A. Scedrov, and P. J. Scott. Bounded linear logic: A modular approach to polynomial time computability. , 97:1{66, 1992. [9] Y. Lafont. Soft linear logic and polynomial time. , 2004. [10] K. Terui. Ane lambda-calculus and polytime strong normalization. In . IEEE Computer Society, 2001.

Theoretical

Computer Science

Proceedings of CSL 2006, Computer Science Logic

Proc. Logic in Computer Science (LICS'98)

ACM Transactions

on Computational Logic

Proc. Foundations of Software Science and Computation

Structures (FOSSACS'04)

Information and Computation

Theoretical Computer Science

Theoretical Computer Science

Theoretical Computer Science

Proc.

Logic in Computer Science (LICS'01)

3

ndez Ferna

4

DCM 2006

Virtual Organizations in Arigatoni Michel Cosnard INRIA and UNSA, France

Luigi Liquori INRIA, France

Raphael Chand INRIA, France

Abstract Arigatoni is a lightweight communication model that deploys the Global Computing Paradigm over the Internet. Communications over the behavioral units of the model are performed by a simple Global Internet Protocol (GIP) on top of TCP or UDP protocol. Basic Global Computers Units (GCU) can communicate by rst registering to a brokering service and then by mutually asking and oering services.

Colonies and Communities are the main entities in the model. A Colony is a simple virtual organization composed by exactly one leader and some set (possibly empty) of individuals. A Community is a raw set of colonies and global computers (think it as a soup of colonies and global computer without a leader). We present an operational semantics via a labeled transition system, that describes the main operations necessary in the Arigatoni model to perform leader negotiation, joining/leaving a colony, linking two colonies and moving one GCU from one colony to another. Our formalization results to be adequate w.r.t. the algorithm performing peer logging/delogging and colony aggregation.

1 Introduction Eective use of computational grids via

P2P systems requires up-to-date

infor-

mation about widely-distributed resources. This is a challenging problem for very large distributed systems particularly when taking into account the continuously changing state of resources. Discovering dynamic resources must be scalable in number of resources and users and hence, as much as possible, fully decentralized. It should tolerate intermittent participation and dynamically changing status/availability. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

Cosnard, Liquori and Chand

Reciprocity and organization in colony governed by a clear leader are the main achievements of the model. Global Computers belong to only one colony, and requests for resources located in the same or in another colony traverse a broker-2-broker negotiation whose security is guaranteed via

PKI

mechanisms.

The model is suitable to t with various global scenarios from classical

P2P

applications, like le sharing, or band-sharing, to more sophisticated

Grid

applications, like remote and distributed big (and small) computations, until possible, futuristic migration computations, i.e. transfer of a non completed local run in another

GCU, the latter scenario being useful in case of catastrophic

scenarios, like re, terrorist attack, earthquake etc., in the vein of a Global Programming Language à la

The Arigatoni Model

Obliq

or

Telescript.

is suitable to deploy, via the

Internet

the

Global

Computing Communication Paradigm, i.e. computation via a seamless, geographically distributed, open-ended network of bounded resources by agents acting with partial knowledge and no central coordination.

The model can

be deployed rstly in an intranet and further from intranet to intranet by overlapping an Overlay Network on the top of the actual network. An Over-

lay Network is an abstraction on top of a global network to yield another global network. Overlay examples are resource discovery services (notion of resource sharing in distributed networks), search engines (abstraction of information repository) or systems of trusted mobile agents (notion of autonomic, exploratory behavior) [6]. The

Arigatoni

model provides the necessary basic infrastructure necessary

for a real deployment of the overlay network itself. Moreover, our work abstracts on which kind of resource the overlay network is playing with; pragmatically speaking, this work could be useful for

Grid,

or for distributed le/band

sharing, or for more evolved scenarios like mobile and distributed objectoriented computation.

The Units in the Arigatoni model are one protocol, the Global Internet Protocol, 

GIP,

and three main units:

A Global Computer Unit,

GCU,

i.e. the basic peer of the Global Computer

paradigm; it is typically a small device, like a nected with any

IP

PDA,

a laptop or a PC, con-

network, unrelated to the media used, wired or wireless,

etc. 

A Global Broker Unit, register

GBU,

is the basic unit devoted to register and un-

GCUs, to receive service queries from client GCUs, to contact potenGCUs, to negotiate with the latter the given services, to trust

tial servants

clients and servers and to send all the information necessary to allow the client

GCU,

GCUs to communicate. Every GCU can register every GBU controls a colony (denoted by COL)

and the servants

to only one

GBU,

so that

of collaborating Global Computers. Hence, communication intra-colony is

GBU, while communication inter-colonies is initiated GBU-2-GBU message exchanges. In both cases, when a

initiated via only one through a chain of

6

Cosnard, Liquori and Chand

GBUg

is a (small) colony

f

GBU1 ; GCU1 : : : GCUm g

is a colony

f

subcolony z }| { fGBU1 ; GCU1 : : : GCUm ; fGBU2 ; GCUm+1 : : : GCUm+n gg is a colony (it contains a subcolony)

GBU1 ; GCU1 : : : GCUm ; GBU2 ; GCUm+1 : : : GCUm+n g

f

is not a colony (two

subcolony subcolony }| { z }| { fGBU3 ; fGBU1 ; GCU1 : : : GCUm g; fGBU2 ; GCUm+1 : : : GCUm+n g g

GBUs)

z

is a colony (with two subcolonies)

subcolony subcolony z }| { z }| { ffGBU1 ; GCU1 : : : GCUm g; fGBU2 ; GCUm+1 : : : GCUm+n gg is not a colony (no leader in the toplevel colony) but it is a community

Figure 1. Some Colony's Examples client

receives an acknowledgment for a request service (with related

GBU, GCU, i.e.

trust certicate) from the proper

then the client will enjoy the service

directly from the servant(s)

without a further mediation of the

GBU 

GCU

itself.

A Global Router Unit,

GRU is a simple basic unit that is devoted to send and

receive packets of the Global Internet Protocol and to forward the payload to the units which are connected with this router.

GBU

has one personal

GRU,

Every

GCU

and every

with which it communicates via a suitable

The connection between router and peer is ensured via a suitable

Colonies and Individuals are the main entities in the model.

API.

API.

A Colony is

a simple virtual organization composed by exactly one leader and some set (possibly empty) of individuals. Individuals are Global Computers (think it as an Amoeba ), or (sub)colonies (think it as a Protozoa ). A formal denition of a colony is given using this simple

COL

::=

f

BNF

syntax:

GBUg j COL [ fGCUg j COL [ f COL g

The two main characteristics of a colony are: (i) a colony has exactly one leader

GBU

and at least one individual (the

GBU

itself ); (ii) a colony contains individuals (some

GCU's,

or other colonies).

Some examples of colonies are shown in Figure 1.

A Community

(denoted by

COM)

is a raw set of colonies and global com-

puters (think it as a soup of colonies and 7

GCU

without a leader). A formal

Cosnard, Liquori and Chand

denition of community is given using the

COM

::=

; j

BNF

syntax:

COM [ fGCUg j COM [ f COL g

A simple example of a community is shown in Figure 1. As one can see from the abstract syntax, a colony is a community but the reverse is not true.

Resource Discovery networks.

is one of the key issues in building overlay computer

Individuals (global computers) can register and unregister to a

colony. The same holds true for the subcolonies that, in turn, can (un)register to another colony. The main diculty in (un)registering is dealing with Ad-

ministrative Domains ; as well stated in the seminal Cardelli and Gordon paper on Mobile Ambients [3]:

In the early days of the by

IP

Internet one could rely on a at name space given IP address of a computer would very likely al-

addresses; knowing the

low now to talk to that computer in some way. This is no longer the case: rewalls partition the

Internet

into administrative domains that are isolated

from each other except for rigidly controlled pathways. System administrators enforce policies about what can move through rewalls and how [...]

(Un)Registering Modalities There are essentially two ways of registering to a

GBU

leader of a colony, the latter being not enforced by the

Arigatoni

model: 

registration of an individual (GCU or colony) to a

GBU

leader of a colony

belonging to the same current administrative domain ; 

registration via remote tunnelling of an individual (GCU or colony) to another

GBU leader of a colony belonging to a dierent

administrative domain.

In this case, we say that the individuals de facto are working in local mode

in the current administrative domain and in global mode in another administrative domain. In addition to this remote registration, the same individual can still register to the

GBU

leader of the colony belonging to the same administrative

domain in which it resides. As such, in its global mode, it will belong to the colony of the current administrative domain, and, in its local mode (via remote tunnelling), it will belong to another colony in another administrative domain. Counterwise, an individual can unregister according to the following simple rules d'étiquette : 

unregistration is possible only when there are no pending services demanded or requested to the leader answer of the leader

GBU

GBU

of the colony it belongs: it must wait for an

or for a direct connection of the

GCU

requesting

the already oered service, or wait for a timeout. The colony accepts the unregistration only if the colony itself will not be corrupted ; 

(as a corollary of the above) a

GBU

(i.e. it cannot discharge itself ).

cannot unregister from its own colony

However, for fault tolerance purposes, a 8

Cosnard, Liquori and Chand

GCU/GRU

GBU/GRU

GCU/GRU

GCU/GRU

GCU/GRU

Network

GBU/GRU

GBU/GRU

IP Router

IP Router

GBU/GRU

GBU/GRU

INTERNET

IP Router

IP Router

Network

GCU/GRU

GCU/GRU

Network

Network

GCU/GRU

GCU/GRU

GCU/GRU

GCU/GRU

Figure 2. ArigatoNet GBU

GCUs

can be faulty. In that case, the

will unregister one after the other

and the colony will disappear; 

once a

GCU

(e.g. a laptop) has been disconnected from a colony belonging

to any administrative domain, it can migrate in another colony belonging to any other administrative domain; Summarizing, the original contributions of the paper are: 

a formalization of the Registration and of the Resource Discovery Mechanism in the



Arigatoni

model in terms of a labeled transition system;

a complete domain independence of the model w.r.t. other models in the literature. In other words

Arigatoni

completely abstracts of its use, i.e.

Grid,

le/band sharing, web services, etc. 

Some simulation results of the intermittent participation for a given network topology.

2 Units in a Nutshell A complete description of all the functional units of the given in [1, 2]; this section is an overview. 9

Arigatoni

model is

Cosnard, Liquori and Chand

2.1

Global Computer Unit

In the

Arigatoni

model, a Global Computer Unit (GCU) is a cheap computer

device. The computer should be able to work in Standalone Local Mode for all the tasks that it can do locally or in Global Mode, by rst registering itself in the

Arigatoni

architecture, and then by making a global request to the Overlay

ArigatoNet).

Network induced by the architecture (that we call, the 

Arigatoni

GCU

model. The

must be able to perform the following tasks:

Discover, upon the physical arrival of the of a

GBU,

Figure 2 shows

GCU

in a new colony, the address

representing the leader of the colony;

GBU



Register/Unregister on the



Request some services to its

which manages the colony;

GBU,

and respond to some requests from the

GBU; 

Upon reception from a

GBU

of a positive response to a request, be able to

connect directly with the servant(s)

GCU

in a

P2P

fashion, and oer/receive

the service.

2.2

Global Broker Unit

The Global Broker Unit (GBU) performs the following tasks 

Discover the address of another super of the supercolony, where the every



GBU

GBU,

representing the superleader

GBU's colony is embedded. PKI certicate.

We assume that

comes with its proper

Register/Unregister the proper colony to the leader

GBU which manages the

supercolony; 

Register/Unregister clients and servants Computers. By denition every

GCU

GCU

in its local base of Global

can register to at most one



Acknowledge the request of service of the client



Discover the resource(s) that satises the (local colony) of

GBU;

GCU;

GCU's

request in its local base

GCU; GBU



Delegate the request to another



Perform a combination of the above two actions;



Deal with all



Notify the client

PKI

governing another colony;

intra- and inter-colony policies;

GCU

or a delegating

GBU

the servant(s)

GCUs

that have

accepted to serve its request, or notify a failure of the request. Every

GCU

in the colony sends its request to the

GBU

which is the leader of

the colony. There are dierent scenarios concerning the demanded resource for service discovery, namely: (i) The broker nds all the resource(s) needed to satisfy the requested services of the

GCU

client locally in the intranet. Then it will send all the

information necessary to make the 10

GCU

client able to communicate with

Cosnard, Liquori and Chand

the

GCU

servants. This notication will be encoded using the

col. Then, the

GCU

GIP

GCU servant(s), P2P systems;

client will directly talk with

latter will manage the request, as in classical

proto-

and the

(ii) The broker did not nd all the resource(s) in its local intranet. In this case it will forward and delegate the request to another broker. For that purpose, it must rst register the whole colony to another supercolony; (iii) A combination of steps 1 + 2 could be envisaged depending on the capability of the

GBU

to combine resources that it manages and resources

that come from a delegate

GBU;

(iv) After a xed timeout period, or when all delegate satisfy the delegated request, the broker will notify

GBUs have failed to the GCU client of the

refusal of service. 2.3

Global Router Unit

The last unit in the

GRU

Arigatoni

model is the Global Router Unit (GRU).

The

implements all the low level network routines, those which really have

IP network. It is the only unit which eectively runs the GIP GRU can be implemented as a small daemon which runs on the same device as a GCU or a GBU, or as a shared library dynamically linked with a GCU or a GBU. The GRU is devoted to the following tasks:

access to the

protocol. The

GCU



Upon the initial startup of a



It checks the well-formedness and forwards toward their destinations.

GBU 

in the

Arigatoni

GIP

it helps to register the unit to a

packets

GBU;

GIP packets across the ArigatoNet encode the requests of a GCU or a

network;

Upon the initial startup of a

GBU

it helps the unit with several other

GBUs

that it knows or discovers.

2.4

Unit Semantics

The formal semantics of the three formal units was rst presented in [2]: Figures 3 and 4 show the pseudo code embedded inside a

GCU

and a

GBU.

We write in blue the code not essential to the semantics of peer discovery and the virtual (un)growth of colonies, and we highlight in red the code which is essential.

3 Formal Semantics of the Virtual Organization : : :g does not limit an administrative domain (unlike Cardelli-

The notation f

Gordon ambients).

IPaddress. Let fGBU; : : :g

We assume that every individual comes with its own

denote a colony with its leader, e.g.

GBU; COL1 ; COL2 ; GCU1 ; GCU2 ; : : :g

f

11

Cosnard, Liquori and Chand

inparallel while true do // Registration loop GBU = Discover(MyCard ) case (GlobalMode,RegMode) is (true ,false ): ServiceReg(MyCard ,GBU,LOGIN) (false ,true ): ServiceReg(MyCard ,GBU,LOGOUT) otherwise: // Do nothing endcase endwhile with while true do // Shell loop Data = ListenLocal() Response = LocalServe(Data) case (Response,GlobalMode,RegMode) is (login ,_,_): // Open global mode GlobalMode = true (logout ,_,_): // Close global mode GlobalMode = false (true ,true ): // Ask to the GBU MetaData = PackScenario(Data) ServiceRequest(MyCard ,GBU,MetaData) otherwise: LocalReply(Response) endcase endwhile with while RegMode do // Global GBU listening MetaData = ListenGBU() case MetaData.CMD.SERVICE is SREG : // GBU responds if it accepts my registration

if CanJoin(MetaData) then RegMode = true endif

if CanLeave(MetaData) then RegMode = false endif SREQ : // GBU is asking for some resources if CanHelp(MetaData) then ServiceResponse(MyCard ,GBU,ACC ) else ServiceResponse(MyCard ,GBU,REJ ) endif SRESP : // GBU re-

sponds if it found some resources

if CanServe(MetaData) then Peers = GetPeers(MetaData) Response = GlobalServe(MyCard , Peers,MetaData) ServiceResponse(MyCard ,GBU,DONE ) LocalReply(Response) else LocalReply(fail ) endif endcase endwhile with while RegMode do // Global GCU listening MetaData = ListenGCU() if Verify(MetaData) then Data = UnPackScenario(MetaData) Response = LocalServe(Data) if Response == fail then ServiceResponse(MyCard ,GBU,ERR ) else ServiceResponse(MyCard ,GBU,DONE ) SendResult(MyCard ,GCU,Response) endif else ServiceResponse(MyCard ,GBU,SPOOF ) endif endwhile endinparallel

Figure 3. GCU pseudocode

denotes a colony with two subcolonies and two virtually addressed by the

IP

of its

GBU

GCUs

leader.

In general a community is simply denoted by f

f

highlighted. A colony is

: : :g, e.g.

COL1 ; COL2 ; GCU1 ; GCU2 g

denotes a community with two subcolonies and two

GCU's.

We present an operational semantics via a reduction relation  !, between communities, that describes the main operations necessary in the

Arigatoni

model to perform leader discovery and colony's service registration, namely joining/leaving a colony, linking two colonies and moving one

GCU

from one

colony to another. As usual in process algebras, the reduction is quotiented by a set theoretical equivalence between communities. The reduction rules are listed below with a concise explication. 12

Cosnard, Liquori and Chand

inparallel while true do // Registration loop GBU = Discover(MyCard ) case (GlobalMode,RegMode) is (true ,false ): ServiceReg(MyCard ,GBU,LOGIN) (false ,true ): ServiceReg(MyCard ,GBU,LOGOUT) otherwise: // Do nothing endcase endwhile with while true do // Shell loop Data = ListenLocal() Response = LocalServe(Data) case (Response,GlobalMode,RegMode) is (login ,_,_): // Open global mode GlobalMode = true (logout ,_,_): // Close global mode GlobalMode = false (fail ,true ,true ): // You ask for you MetaData = PackScenario(Data) ServiceRequest(MyCard ,MyCard ,MetaData) otherwise: LocalReply(Response) endcase endwhile with while true do // Intra-colony listening MetaData = ListenPeer() PushHistory(MetaData) case MetaData.CMD.SERVICE is SREG : // A Peer is asking for (un)registration

foreach Peer in SubColony do // Broad-

cast intra

ServiceRequest(MyCard ,Peer,MetaData) endforeach SRESP : // A GCU responds to a request Sort&PushPeers4Id(MetaData) endcase endwhile with while true do // Spooling Peers4Id foreach (Id,Peers) in Peers4Id do if Timeout(Id) then ServiceResponse(MyCard ,{},NOTIME ) else if Satisfy(Peers,History(Id)) then ServiceResponse(MyCard , GetBestPeers4Id(Id), DONE ) endif endif PopPeers4Id(Id) endforeach endwhile with while RegMode do // Inter-colony listening MetaData = ListenGBU() PushHistory(MetaData) case MetaData.OPE is SREG : // Registration inter GBU ... as for

SREQ :

SREQ intra-colony

SREQ intra-colony // A leader GBU responds to a request ... as for

Update(Colony,MetaData) SREQ : // A Peer is asking for some request SubColony = SelectPeers(Colony,MetaData) if SubColony == {} // Broadcast inter then ServiceRequest(MyCard ,GBU,MetaData) endif

SRESP :

Sort&PushPeers4Id(MetaData) endcase endcase endwhile endinparallel

Figure 4. GBU pseudocode (i) A

GCU

joins a Colony in the same Administrative Domain

(

) = GBU samedom(GBU; GCU) = accept(GBU; GCU) = discover GCU

true true

( )= regmode(GCU) = gmode GCU

ffGBU; : : :g; GCUg ! ffGBU; GCU; : : :gg 

false

(JoinGCU)

discover(GCU) = GBU discovers the leader-GBU unit, upon physical/logical insertion of the



true

GCU

in the

ArigatoNet

samedom(GBU; GCU) = true:

network;

both the broker and the global computer

reside in the same administrative domain; 

accept(GBU; GCU) = true:

the broker accepts the global computer in its

colony; 

gmode(GCU) = true & regmode(GCU) = false:

the global computer is

in global mode but not yet registered. The side eect of this rule is to set the registration mode to true. 13

Cosnard, Liquori and Chand

(ii) A

GCU

leaves a Colony in the same Administrative Domain

(

)= samedom(GBU; GCU) = accept(GBU; GCU) = pendingip GCU

false true false

( )= regmode(GCU) = gmode GCU

false true

ffGBU; GCU; : : :gg ! ffGBU; : : :g; GCUg 

pendingip(GCU)

(LeaveGCU)

= false samedom(GBU; GCU) = true accept(GBU; GCU) = false gmode(GCU) = false & regmode(GCU) = true

: the global computer has no pending service

to give to its leader; 

: both the broker and the global computer

reside in the same administrative domain; 

: the broker accepts to delog the global com-

puter in its colony; 

: the global computer is

in local mode but still registered. The side eect of this rule is to set its registration mode to false. (iii) A SubColony joins a Colony in the same Administrative Domain

(

) = GBU1 samedom(GBU1 ; GBU2 ) = gmode(GBU2 ) = accept(GBU1 ; GBU2 ) = regmode(GBU2 ) = discover GBU2

true

true

true

false

ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU1; fGBU2; : : :g; : : :gg 

discover(GBU2 )

= GBU1 GBU2 ArigatoNet samedom(GBU1 ; GBU2 ) = true accept(GBU1 ; GBU2 ) = true GBU1 gmode(GBU2 ) = true & regmode(GBU2 ) = false : the broker

discovers the broker

upon physical/logical insertion in the



(JoinCol) GBU1 ,

network;

: both reside in the same administrative

domain; 

: the broker

accepts the subcolony in

its colony;



: the broker

GBU2

is in

global mode but not yet registered. The side eect of this rule is to set its registration mode to true. (iv) A SubColony leaves a Colony in the same Administrative Domain

(

)= samedom(GBU1 ; GBU2 ) = accept(GBU1 ; GBU2 ) = pendingip GBU2

false

true false

( )= regmode(GBU2 ) = gmode GBU2

false true

ffGBU1; fGBU2; : : :g; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg 

pendingip(GBU2 ) give to its leader

= false

: the broker

GBU1 ;

14

GBU2

(LeaveCol)

has no pending service to

Cosnard, Liquori and Chand



samedom(GBU1 ; GBU2 ) = true:

both reside in the same administrative

domain; 

accept(GBU1 ; GBU2 ) = false:

the broker

GBU1

does not accept the sub-

colony in its colony;



gmode(GBU2 )

= false & regmode(GBU2) = true

cal mode but still registered.

: the broker is in lo-

The side eect of this rule is to set its

registration mode to false. (v) Linking two Colonies in dierent Administrative Domains

( )= newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU1 ) = agree(GBU1 ; GBU2 ) = regmode(GBU2 ) = gmode GBU1

true true

false

false

true

false

ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU3; fGBU1; : : :g; fGBU2; : : :ggg



newgbu(GBU1 ; GBU2 ) GBU1



and

GBU2 ; GBU1 ; GBU2

samedom(

= GBU3 ) = false

:

(LinkCol)

a new broker is created on behalf on

: both reside in the same administrative

domain; 

agree(GBU1 ; GBU2 )

= true gmode(GBU1 ) = true & gmode(GBU2 ) = false & regmode(GBU2 ) = false

: an agreement between the two brokers is

signed; 

true

& regmode(GBU1) =

: the brokers are in global mode but

still registered.

The side eect of this rule is to set the registration

mode of both brokers to true. (vi) Unlinking two Colonies in dierent Administrative Domains

( )= pendingip(GBU2 ) = pendingip(GBU3 ) = gmode(GBU1 ) = newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU1 ) = agree(GBU1 ; GBU2 ) = regmode(GBU2 ) = pendingip GBU1

false

false

false

false false

false

true

false

true

ffGBU3; fGBU1; : : :g; fGBU2; : : :ggg ! ffGBU1; : : :g; fGBU2; : : :gg 

newgbu(GBU1 ; GBU2 ) GBU1



and

GBU2 ; GBU1 ; GBU2

samedom(

= GBU3 ) = true

:

(UnLinkCol)

a new broker is created on behalf of

: both reside in the same administrative

domain; 

agree(GBU1 ; GBU2 )

= false pendingip(GBU1 ) = false & pendingip(GBU2 ) = false & pendingip(GBU3 ) = : an agreement between the two brokers is

withdrawn; 

false: the brokers

GBU1;2;3

has no pending service; 15

Cosnard, Liquori and Chand



gmode(GBU1 ) = false & gmode(GBU2 ) = false & regmode(GBU1 ) = true & regmode(GBU2 ) = true: the brokers are in local mode but still registered. The side eect of this rule is to set their registration mode to false.

(vii) Contextual Rules and Congruence As usual in process algebras, we add the following congruence rules for set union and set minus, and Morris-style equivalence rules, where

COM

denotes communities,

COL

denotes colonies and

theoretical equality. All symbols can be indexed.

=

denotes the set

! COM2 (CommCup) COM1 [ COM3 ! COM2 [ COM3 COM1

COM1

= COM3 [ COM4

COM3 \ COM4

=;

COM3

! COM2

Rule

(CommMinus)

! COM2 n COM4 COM1 = COM3 COM3 ! COM4 COM4 = COM2 (MorrisEq) COM1 ! COM2 COM3

(CommCup) (CommMinus)

is the usual Contextual closure of the reduction rules,

while rule

states that a reduction can drop in its right-hand

side some individuals that are not essential to the ring of the reduction itself. As usual let !



be the reexive and transitive closure of !.

4 Join/Leave a Colony in a Dierent Administrative Domain The acute reader has observed that the above labeled transition system forbids an individual to join/leave another colony whose leader resides in a dierent

Administrative Domain.

This is sound in order to guarantee the integrity

and the security of the virtual organization induced by the

Arigatoni

model.

Crossing safely administrative domains is an important security problem that the model must take into account. However, the situation where one individual does not receive enough help from the local colony or, worst, where it is even rejected as an individual, could be very common.

In this case, it is highly

desirable that the model permits a mechanism to cross boundaries of the administrative domain in order to make a service request to another colony which resides in another administrative domain.

This can be done in two

ways: (i) the individual resident in an administrative domain

IP1

knows some

friends inhabitant of the colony resident in another administrative domain

IP2 (think of the individual as a laptop connected in a hot spot of

an airport, and think of the friend as the desktop in its own oce). Then, via an explicit

ssh

the laptop can log into the desktop and send

a global request to the mother colony. As such, the laptop works in its 16

Cosnard, Liquori and Chand

local mode while the desktop works in global mode. The nal result will be send, via

ssh-tunneling

to the laptop.

This mechanism of tunneling is well-known in common practice of nomadic behaviors and it does not require any ad hoc rewriting rules in the

Arigatoni

virtual organization since the connection individual-friend is

done explicitly and privately; (ii) the individual resident in an administrative domain

IP1 knows no inhabIP2 , but it

itant of the colony resident in another administrative domain knows the

IP

address of the leader of the colony. If the leader agrees, it

can arrange an

ssh-tunnel

by creating from scratch a virtual clone of

the remote individual and by registering it in the colony on behalf of the leader of the colony. As in the previous case, the laptop can log into the desktop and send a global request to the mother colony. As such, the laptop works in local mode while the clone works in global mode. nal result will be sent, via

ssh-tunneling

The

to the laptop.

This mechanism is well-known in common practice of nomadic behaviors and is reminiscent of the Virtual Private Network technology (VPN) [7].

To implement this

VPN-like

behavior, we must add four ad

hoc rewriting rules in the labeled transition system showed in Figure 5. For obvious lack of space those rules are not commented but left as an easy exercise to the interested reader.

5 Firing Free Riders Again, the acute reader has observed that the original labeled transition system allows free riders to become members of one colony.

In economics and political science, free riders are actors who consume more than their fair share of a resource, or shoulder less than a fair share of the costs of its production.

The free rider problem is the question of how to

prevent free riding from taking place, or at least limit its negative eects. Because the notion of fairness is a subject of controversy, free riding is usually only considered to be an economic problem when it leads to the non-production or under-production of a public good, and thus to Pareto ineciency, or when it leads to the excessive use of a common property resource. [From Wikipedia]. The selsh nodes in

P2P

networks, called free riders, only utilize other

peers resources without providing any contribution in return, have greatly jeopardized the fairness attribute of

P2P

networks. Figure 6 presents the two

rules that take into account the ratio between the number of services oered and the number of services demanded by an individual.

If the leader of a

colony nds that an individual ratio of fairness is too small (

),

 for a given

it can arbitrarily decide to re that individual without notice In those

rules the function pendingip also checks that the individual has no pending 17

Cosnard, Liquori and Chand

(

) = GBU agree(GBU; GCU1) = samedom(GBU; GCU1 ) = gmode(GCU1 ) = newgcu(GBU; GCU1 ) = GCU2 regmode(GCU1 ) = samedom(GBU; GCU2 ) = gmode(GCU2 ) = accept(GBU; GCU2 ) = regmode(GCU2 ) = discover GCU1

true

false

true true

true

false

true

false

ffGBU; : : :g; GCU1g ! ffGBU; GCU2; : : :g; GCU1g

(

)= samedom(GBU; GCU1 ) = pendingip(GCU2 ) = newgcu(GBU; GCU1 ) = GCU2 gmode(GCU1 ; GCU2 ) = samedom(GBU; GCU2 ) = regmode(GCU1 ) = accept(GBU; GCU2 ) = regmode(GCU2 ) = agree GBU; GCU1

false

(JoinTunnelGCU)

false false false

true

false

false

true

ffGBU; GCU2; : : :g; GCU1g ! ffGBU; : : :g; GCU1g

(

) = GBU1 agree(GBU1; GBU2) = samedom(GBU1 ; GBU2 ) = gmode(GBU3 ) = newgbu(GBU1 ; GBU2 ) = GBU3 regmode(GBU3 ) = samedom(GBU1 ; GBU3 ) = gmode(GBU2 ) = accept(GBU1 ; GBU3 ) = regmode(GBU2 ) = discover GBU2

(LeaveTunnelGCU)

true

false

true true

true

false

true

false

ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU1; fGBU3g; : : :g; fGBU2; : : :gg

(

)= samedom(GBU; GBU2 ) = pendingip(GBU3 ) = newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ; GBU3 ) = samedom(GBU1 ; GBU3 ) = regmode(GBU2 ) = accept(GBU1 ; GBU3 ) = regmode(GBU3 ) = agree GBU1 ; GBU2

false

(JoinTunnelCol)

false false false

true

true

false

false

ffGBU1; fGBU3g; : : :g; fGBU2; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg

(LeaveTunnelCol)

Figure 5. Extra Reduction Rules for Service Request via Tunnelling

à la

VPN

services to oer, or that the timeout of some promised services has expired, the latter case means that the free rider promised some services but nally did not provide any service at all (not trustfull). The function notiring sends a message to the free rider, notifying it that it was denitively red from the colony. 18

Cosnard, Liquori and Chand

(

)= gmode(GCU) = samedom(GBU; GCU) = regmode(GCU) = f airness(GBU; GCU)   notifiring (GBU; GCU) pendingip GCU

false

true

true

true

ffGBU; GCU; : : :gg ! ffGBU; : : :g; GCUg

(

(FireGCU)

)= gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU2 ) = f airness(GBU1 ; GBU2 )   notifiring (GBU1 ; GBU2 ) pendingip GBU2

false

true

true

true

ffGBU1; fGBU2; : : :g; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg Figure 6. Extra Reduction Rules for Firing

(FireCol)

Free Riders

6 Examples In [1, 2], a

Grid

scenario for Seismic Monitoring was presented. In this section

we briey recall the scenario and we present, by means of labeled transition system reductions, the evolution of the virtual organizations.

6.1

(Re)Setting the Scenario (from [1, 2])

John, chief engineer of the SeismicDataCorp Company, Taiwan, on board of the seismic data collector ship, has to decide on the next data collect campaign. For this he would like to process the 100 TeraBytes of seismic data that have been recorded on the mass data recorder located in the oshore data repository of the company, to be processed and then analyzed. He has written the processing program for modeling and visualizing the seismic cube using some parallel library like e.g.

MPI/PVM: his program can be

distributed over dierent machines that will compute a chunk of the whole calculus; However, the amount of computation is so big that a supercomputer (GCU and a cluster of PC (GCU

CLU

SCU )

) has to be rented by the SeismicDataCorp com-

pany. John will also ask for bandwidth via an

ISP located in Taiwan (GCUISPTW )

in order to get rid of any bottleneck related to the big amount of data to be transferred. Aftermath, the processed data should be analyzed using a Virtual Reality

Center,

VRC (GCUVCRCPU )

based in Houston, U.S.A. by a specialist team

and the resulting recommendations for the next data (GCU

VRCSPEC )

collect

campaign have to be sent to John. Hence one would like the following scenario to happen: 

John logs with its laptop (GCU

John )

to the

Arigatoni

overlay network in a

given colony in Taiwan, and sends a quite complicated service request in order for the data to be processed using his own code. 19

Usually the

GBU

Cosnard, Liquori and Chand

Network Network

GBU Taiwan

John Taiwan

Seismic Data

ISP GBU ISP

Network Network

INTERNET INTERNET

Network Network

GBU/GRU

GBU/GRU

Network Network

GCU/GRU

Super computer

PCluster

VRC Houston

GIP REQUEST/RESPONSE

VERY HIGH SPEED ISP

Figure 7. A Grid Scenario for Seismic Monitoring

leader of the colony will receive and process the request; 

If the resource discovery performed by the puter, a cluster and an

ISP

GBU

succeeds, i.e. a supercom-

are found, then the data are transferred at a

very high speed and processed; 

John will order to the

GCUSDTW

containing the seismic data to dispatch

suitable chunks of data to the supercomputer and the cluster designated by the 

GBU

to perform some pieces of computation;

John will assign to the supercomputer unit the task of collecting all intermediate results in order to compute the nal result (i.e. it will play the role of Maestro di Orchestra );



The processed data are then sent from the supercomputer, via the high speed



ISP

to the Houston center for being visualized and analyzed;

Finally, the specialist team's recommendations have to be sent to John's laptop.

This scenario is pictorially presented in Figure 7. 20

Cosnard, Liquori and Chand

6.2

Formalizing the Scenario

The initial community (the primitive Soup ) will be composed of the following elements:

=4 ffGBUSDTW g; GCUSDTW ; fGBUISPTW g; GCUISPTW ; fGBUCPUg;

COMSoup

GCUSCU ; GCUCLU ; fGBUVRC g; GCUVRCPU ; GCUVRCSPEC g

By applying ve times the reduction rule munity:

we obtain the new com-

=4 ffGBUSDTW ; GCUSDTW g; fGBUISPTW ; GCUISPTW g; fGBUCPU;

COM1

and

(JoinGCU)

GCUSCU ; GCUCLU g; fGBUVRC ; GCUVRCPU ; GCUVRCSPEC gg

COMSoup

!

5 COM1 .

Then by applying the reduction rule

(CommCup)

we

4 see John's laptop appear in the new community, COM2 = COM1 [ fGCUJohn g: 4 ; fGBU ; GCU g; fGBU ; GCU g; COM = fGCU

2

SDTW SDTW ISPTW ISPTW John fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg

By applying again

COM3

(JoinGCU)

we obtain the new community:

=4 ffGBUSDTW ; GCUSDTW ; GCUJohng; fGBUISPTW ; GCUISPTW g;

fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg

Now, if the community whose leader is whose leader is

agrees to join the colony

GBUISPTW (both are supposed to live in the same administrative

domain), by applying rule

COM4

GBUSDTW

(JoinCol)

, we obtain the new community:

=4 ffGBUISPTW ; GCUISPTW ; fGBUSDTW ; GCUSDTW ; GCUJohngg;

fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg

The colony in Taiwan and the colony whose leader is

GBUCPU

(they are

supposed to live in dierent administrative domain) sign an agreement, by applying rule

=4

COM5

(LinkCol)

, so giving the new community:

f fGBUISP&CPU; fGBUISPTW ; GCUISPTW ; fGBUSDTW ; GCUSDTW ; GCUJohngg; fGBUCPU; GCUSCU; GCUCLUg g; fGBUVRC; GCUVRCPU; GCUVRCSPECgg Finally, the colony containing John's laptop is ready to receive John's huge

Service Request, and, hopefully for John, the request will be accepted and performed . . . It is now time for John to come back home and the community

COM5

could then (but this is not mandatory) disintegrate. By applying

(LeaveGCU (LeaveCol) (CommCup) (CommMinus)

the dual reduction rules congruence rules soup, i.e.

COL5

!

),

and



, and

(UnLinkCol)

plus the

, we come back to the initial

COMSoup .

21

Cosnard, Liquori and Chand

7 Properties In this section we prove that our process algebra is able to model the virtual organization of the

Arigatoni

model.

Morris-style contextual equivalence [5] is the standard way of saying that two communities have the same behavior (are equivalent) if and only if whenever they are merged inside an arbitrary community, they admit the same elementary observations. In our setting and as usual in process algebras, contextual equivalence is formulated in terms of observing the presence of top-level colonies, as in the next denition.

Denition 7.1

[Colony Exhibition and Contextual Equivalence]

(i) a community

COL

COM

COL,

must exhibit a colony

COM #must COL, COL, i.e.

write

is a community containing a top-level colony

=4

COM #must COL (ii) a community

COM

COL,

=

may exhibit a colony

after a number of reductions, colony

COM

COL

f

if

: : : ; COL; : : :g

COL,

write

COM

#

may COL,

if

is a community containing a top-level

i.e.

=4

COM #may COL

COM

!



COM0

and

COM0

=

f

: : : ; COL; : : :g

C[] be a community containing zero or more holes, and COM let C[COM] be the community obtained by lling

(iii) let the context

for any community each hole in

C[] with a copy of COM.

community, write

COM

COM

'

COM , 0

'

COM0

=4

The contextual equivalence between

is dened as

for all

COL

and

C[] we have

C[COM] #may COL , C[COM ] #may COL 0

COM ! ' COM0 COM00 ' COM0 .

(iv) let

if there exists

COM00

such that

COM

!



COM00

and

Let C OM be the set of communities generated by the BNF syntax.

Theorem 7.2 (Closure Under Reduction) (i) If

COM

2 C OM,

(ii) If

COM

'

COM ,

(iii) If

COM

! '

0



and then

COM0 ,

COM

!



COM0 ,

COM; COM

then

0

COM

then

2 C OM;

2 C OM;

COM; COM0

2 C OM

Proof 1) By observing the reduction rules of the labeled transition system, one can verify that if the left-hand side belongs to 22

C OM,

then it is also the case

Cosnard, Liquori and Chand

for the right-hand side. The nal result can be obtained by induction on the number of reduction. 2,3) By point 1) using Denition 7.1.

2

Theorem 7.3 (Inversion) COM !(JoinGCU=COL) COM0 on the individual (GCU or COL), and COM0 !(LeaveGCU=COL) COM00 on the same individual, then COM COM00 ;

(i) If

(ii) If

COM

!

(LinkCol) COM

=

0

on two colonies, and

the same colonies, then

Proof

COM

= COM .

COM

0

00

!

(UnLinkCOL) COM

00

on

By observing the reduction rules, one can observe that the right-hand

(JoinGCU), (JoinCOL), and (LinkCOL) corresponds to the left-hand side of the dual reduction rules (LeaveGCU), (LeaveCOL), and (UnLinkCol), and conversely the left-hand side of the reduction rules (JoinGCU), (JoinCOL), and (LinkCOL) corresponds to the right-hand side of the dual reduction rules (LeaveGCU), (LeaveCOL), and (UnLinkCol). Applying one rule

side of the reduction rules

2

after the other clearly corresponds to an identity operation.

Theorem 7.4 (Adequacy of the labeled transition system w.r.t. the pseudocode) The labeled reduction system is adequate with the pseudocode of the of the

Proof

GCU

GBU

and

shown in Figure 3 and 4.

(Sketch) Observe that the red parts of the pseudocode of the

cerning the set and unset of the variables ring of the two rules

globalmode=regmode

(JoinGCU) and (LeaveGCU). GBU

of the pseudocode of the

GCU

con-

leads to the

Moreover, the red parts

concerning the set and unset of the variables

globalmode=regmode leads to to the ring of the two rules (JoinGCU) and (LeaveGCU). The last two rules of the transition systems, namely (LinkCol) and (UnLinkCol) are encapsulated (hence hidden) in the function calls Update(Colony,Metadata)

8 Experimental Evaluation In this section, we provide results from experimental evaluation.

We have

conducted simulations using large numbers of units and service requests. In this paper, we specically focus on the eect of individuals disconnections on the average service acceptation ratio. More precisely, we have implemented reduction rules

(JoinCol)

, and

(LeaveCol)

(JoinGCU); (LeaveGCU)

, that represent the "core" rewriting set to simulate

the dynamic behavior in the

Arigatoni

Overlay topology. We expect to imple-

ment the full set of rewriting rules dening the operational semantics soon.

8.1

Simulation Setup

We have generated a network topology using the transit-stub model of the Georgia Tech Internetwork Topology Models package [8], on top of which we 23

,

Cosnard, Liquori and Chand

Arigatoni

added the

Overlay Network. The resulting network topology, shown

in Figure 8, contains

103 GBU

GBU2

s.

(highlighted with a square in Figure 8)

was chosen as the root of the topology. We considered a nite set of resources 50

65

51 62

61

76

68

55

39 40

70

22 91

73

82

83 81

59

13

37

7

14

38

12

4

8

20

3

18

95 101

86

84

21

17 15

16

71 74

26

24 19

85 53

54

23

87 0

57 58

25 31

69

72 41

35

33

2

42

52

32

92

79

47

44

27

90 77

1

45

28

93

80

66

67

46 43

29

78 49

64

88

30

75

63

60

34

89

48

96 98

36

56

5

10

94 102

11 9

97

103 100

6 99

Figure 8. Simulated network topology with 103 GBUs

R1    Rr

of variable size

a resource.

r, and represented a service by a direct mapping to

In other words, a service expresses the conditional presence of

a single resource.

We have a set of

r

S1    Sr g,

services f

expresses the conditional presence of resource

Si

means that it can provide resource

Ri .

Ri .

A

GCU

where service

Si

declaring service

This model, while quite simple, is

still generic enough, and is sucient for the main purpose of our experiments, which is to study the impact of individuals disconnections on the average service acceptation ratio. Results are illustrated in Figure 9.

50

GCU load, we attached GCUs to each GBU; we then randomly added each service Si with probability  at each GCU and had it registered via the registration service of Arigatoni. The routing tables of the GBUs were updated starting at the initial GBU and ending at the root of the topology, GBU2 . We then issued n service requests at GCUs chosen uniformly at random. To simulate

Each request contained one service also chosen uniformly at random.

Each

service request was then handled by the Resource Discovery mechanism of

Arigatoni

75%

(described in [4]). We used a service acceptation probability of

, which corresponds to the probability that a

GCU

=

that receives a service

request and that declared itself as a potential Individual for that service (i.e. that registered it), accepts to serve it. Upon completion of the

n requests, we computed the average service accep-

tation ratio as follows. For each

GCU,

we computed the local acceptation ratio

as the number of service requests that yielded a positive response (i.e. the system found at least one Individual), over the number of service requests issued 24

Cosnard, Liquori and Chand

at that

GCU.

We then computed the average acceptation ratio as the average

value over the number of

GCUs (that issued at least one service request). GBUs disconnections (i.e., rewriting rules JoinCol

(

To study the impact of and

(LeaveCol)

), we used a deconnection probability variable

)

 that indicates

 = 0% means all individuals are con = 100% means all individuals are disconnected). We then repeated the same experiment when  of the GBUs population, chosen uniformly a fraction of disconnected individuals (

nected, while

at random, have been disconnected from their leader. When a subcolony has

GBU leader, it continues to operate in standalone GBU leader as the current broker. Therefore, the ser-

been disconnected from its mode, i.e. with its local

vices oered by the other colonies are unavailable inside, while services oered by the colony itself are not available outside. For each value of we repeated the same experiment

10

 2 [0    100]%,

times, and measured the average value

of the acceptation ratio. In each of the

10

runs, the disconnected

GBUs

were

chosen uniformly at random, independently of the previous runs (i.e., with a dierent random seed). We then computed the standard deviation of the average service acceptation ratio (over the

10

values).

Starting from the fully connected topology

COM1

of Figure 8, the rationale

of the simulation corresponds to applying a number of

(JoinGBU)

rewriting

rules to have some Individuals join the Colony, and then applying a number of

(LeaveGBU)

rewriting rules to have some other Individuals leave the Colony,

and then performing the experiment 10 times.

COMi

!

(JoinGBU) COMi+1 !(LeaveGBU) COMi+1 

0

We nally studied the eect of and

(LeaveGCU)



i = 1 : : : 10

GCUs disconnections (rewriting rules

), by repeating the same experiment when

ulation have been disconnected from their leader. connected

GCU

(JoinGCU)

 of the GCUs pop-

Also in this case, a dis-

continues to work in standalone mode using only their own

resources. As for the

GBU

COMi

!

case, we have

(JoinGCU) COMi+1 !(LeaveGCU) COMi+1 

0



i = 1 : : : 10

The Resource Discovery algorithm was implemented in C++ and compiled

GNU C++ version 2.95.3. Experiments were conducted on a 3.0 Intel Pentium machine with 2 GB of main memory running Linux 2.4.28.

using

dierent experimental parameters are summarized in Table 1. availability ratio,

,

was xed to a value of

service acceptation ratio of almost

100%

0:12%

Ghz The

The service

, which yields an average

with no subcolonies disconnections.

Figure 9(a) shows that the average service acceptation ratio decreases exponentially with the number of subcolonies (i.e.,

GBUs)

disconnections. This is

not surprising, since when a subcolony has been disconnected, all the services oered by the other colonies are unavailable. Conversely, all the services offered by the subcolony are unavailable for the other colonies. Note that when 25

Cosnard, Liquori and Chand

Parameter Description K r  n 

Value

Number of GBUs

103

Size of services pool

128

0:12% 75% 50000 [0 100]%

Service availability Service acceptation probability Number of service requests issued Fraction of disconnected individuals



Table 1 Parameters of the experiments (a) 100

Avg. acceptation ratio (GCU disconnections) Avg. acceptation ratio (GBU disconnections)

Acceptation Ratio (%)

80 60 40 20 0

0

20

40 60 80 Disconnected population (%)

100

(b) 100

(c) 16

Average service acceptation ratio (δ=10%)

14 12 Std deviation (%)

Acceptation Ratio (%)

80 60 40

10 8 6 4

20 0

Std deviation of acceptation ratio

2 0

1

2

3

4

5 Run

6

7

8

9

0

10

0

20 40 60 80 Fraction of disconnected population (%)

100

Figure 9. (a) Average service acceptation ratio w.r.t. fraction of disconnected population. (b) Average service acceptation ratio for the dierent runs of the value  . (c) Standard deviation of the service acceptation ratio w.r.t. fraction of disconnected population.

= 10%

all subcolonies have been disconnected (

100%

), the average service accepta-

tion ratio is not null. Indeed, the local colony of a connected to the

GBU)

GCU

GCUs

GCU

directly

GCU

of the same colony.

disconnections have more impact on the average

service acceptation ratio than when a

GCUs

(i.e., the

remains operational, i.e., the services oered by a

are available for the other We observe that

GBU

GBU disconnections.

This is due to the fact that

is disconnected, all the services that it provided are unavailable

for the entire system and, conversely, all the services provided by the system are unavailable for it. acceptation ratio is

0

As expected, for a value of



= 100%

, the average

, as no service at all is unavailable.

Figure 9(a) shows the dierent values of the average service acceptation ratio obtained for a value of



= 10% 26

of the fraction of disconnected pop-

Cosnard, Liquori and Chand

ulation. of

103

As previously explained, for each run, we chose

10 GBU

s (

10%

) uniformely at random, independently of the previous runs, i.e., with

a dierent random seed.

In other words, the disconnected subcolonies are

dierent in each run. Figure 9(b) shows that subcolonies disconnections can have a very dierent impact on the acceptation ratio.

In fact, low level

subcolonies disconnections have a dramatic impact whereas high level subcolonies disconnections have a very limited, local impact. Figure 9(c) shows that, unsurprisingly, the level of the disconnected subcolony has less impact on the service acceptation ratio for higher values of

.

Acknowledgment The authors ack

Aeolus FP6-2004-IST-FET Proactive, and the French grant

ACI Modulogic.

References [1] D. Benza, M. Cosnard, L. Liquori, and M. Vesin. An Overlay Network for Grid and Global Computing [Extended Abstract]. Technical report, INRIA, November 2005. [2] D. Benza, M. Cosnard, L. Liquori, and M. Vesin. Arigatoni: Overlaying Internet via Low Level Network Protocols. Technical Report RR 5805, INRIA, January 2006. http://www.inria.fr/rrrt/rr-5805.html. [3] L. Cardelli and A. D. Gordon. Mobile Ambients. 240(1):177213, 2000.

,

Theoretical Computer Science

[4] R. Chand, M. Cosnard, and L. Liquori. Resource Discovery in the Arigatoni model. In Proc. of I2CS, LNCS. Springer-Verlag, 2006. [5] J. H. Morris. MIT, 1968.

Lambda-calculus models of programming languages

. PhD thesis,

[6] V. Sassone. Global Computing II: A New FET Program for FP6. Talk, Bruxelles, 4/6/04. [7] Virtual Private Network Consortium. http://www.vpnc.org/.

Virtual Private Network Home Page.

[8] E.W. Zegura, K. Calvert, and S. Bhattacharjee. How to Model an Internetwork. In Proceedings of INFOCOM 1996, San Francisco, March 1996.

27

DCM 2006

A Calculus of Global Interaction based on Session Types 1 Marco Carbone

2

Department of Computer Science Queen Mary and West eld College London, United Kingdom

Kohei Honda

3

Department of Computer Science Queen Mary and West eld College London, United Kingdom

Nobuko Yoshida

4

Department of Computing Imperial College London, United Kingdom

Abstract

This short note outlines two di erent ways of describing communication-centric software in the form of formal calculi and discuss their relationship. Two di erent paradigms of description, one centring on global message ows and another centring on local (end-point) behaviours, share the common feature, structured representation of communications. The global calculus originates from Choreography Description Language (CDL), a web service description language developed by W3C's WS-CDL Working Group. The local calculus is based on the  -calculus, one of the representative calculi for communicating processes. We illustrate these two descriptive frameworks, outlines the static and dynamic semantics of these calculi, and discuss the basic idea of end-point projection, by which any well-formed description in the global calculus has a precise representation in the local calculus. Key words: Web Services,  -calculus, Session Types. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

Carbone, Honda and Yoshida

1 Introduction The purpose of the present note is two-fold. The rst is to introduce a formal calculus for communication and concurrency which fundamentally di ers from existing concurrency formalisms. This calculus was born as a result of a dialogue between W3C's working group on web service standards, and is based on the idea of global description of interactions. Related descriptive methods have been practiced in varied contexts, including the standard notation for cryptographic protocols [13], message sequence charts (MSC) [11,8], a language related with MSC called DiCons [2], and UML sequence diagrams [14]. One may also view petri-net based description of various systems [16,3] as an instance of such global descriptions. The use of types in the formalism, based on session types [15,10,7,17,9], is the main di erence from these notations. As its origin in W3C standardisation suggests, this formalism is distillation of engineering needs for describing complex interaction which may occur in real world business processes. The associated long version [5] presents extensive examples of business protocols written in the proposed global formalism. The second aim of this note is to outline a theory which rigorously relates this engineeringly oriented formalism to a typed process calculus, which is based on the notion of processes and their interaction. Establishing this connection is important since, through this link, a rich theory of algebras, calculi and logics for processes becomes available for direct dialogue with engineering practice. The target of the mapping is an applied version of the -calculus based on session types (which can indeed be faithfully encodable in the -calculus [12]). The mapping from the global formalism to the process formalism is called end-point projection, or EPP for short, following the terminology of WS-CDL (where EPP is regarded as an underpinning of a variety of web service engineering, including monitoring, conformance and interoperatbility). EPP projects a given global description to a collection of end-point behaviours, whose mutual communication should realise the original global scenario. We naturally desire EPP to be sound and complete, in the sense that all and only globally described behaviour is realised in interactions among end-point behaviour. To make this possible, we impose simple descriptive principles to global descriptions. For those global descriptions which are well-typed and which follow these descriptive principles, there is a simple and direct EPP which is type preserving and which is sound and complete with respect to the original dynamic semantics. This EPP theory (including type disciplines and EPP mapping) will be published as a supplementary document 1

We would like to thank Gary Brown and Steve Ross-Talbot for their collaboration in the

development of this work. GR/T04236/01,

This work is partially supported by EPSRC GR/R03075/01,

GR/S55538/01,

GR/T04724/01,

MOBIUS.

2 3 4

Email: Email: Email:

[email protected] [email protected] [email protected]

28

GR/T03208/01

and

IST-2005-015905

Carbone, Honda and Yoshida

to the speci cation of WS-CDL 1.0, and will be implemented as part of an open-source reference implementation of WS-CDL [1]. Thus the present work started from practice, gets related to theory, and nally again comes back to practice. This will further motivate and encourage a dialogue between theoretical studies and engineering. We argue such a dialogue is highly bene cial, not only for advancement of rigorous engineering but also for enrichment of theory. It is worth outlining the direct engineering background of the present work, WS-CDL. WS-CDL, or formally Web Service Choreography Description Language [18], is an XML-based web service description language developed by W3C's WS-CDL Working Group, in collaboration with invited scientists including the present authors. WS-CDL has been developed in order to meet engineering needs for the development of business protocols on the world-wide web. The central engineering idea of WS-CDL is embodied by the term choreography in its name. The underlying intuition can be summarised as follows: \Dancers dance following a global scenario without a single point of control."

WS-CDL is about writing down such a \global scenario": in computational terms, it is a language for describing business protocols from a global viewpoint such that the description can be executed by individual distributed processes without a single point of control. In other words, if a designer writes a global description in WS-CDL, it should be realisable as communicating processes without any central controlling agent (which contrasts with the notion of orchestration, where one master component, \conductor", directly controls activity of one or more slave components). Thus the notion of choreography intrinsically demands an appropriate framework of EPP. A broader background of the present work is the explosive growth of the Internet and world-wide web which has given rise to, in the shape of de facto standards, an omnipresent naming scheme (URI/URL), an omnipresent communication protocols (HTTP/TCP/IP) and an omnipresent data format (XML). These three elements arguably o er the key infra-structural bases for application-level distributed programming. This engineering background makes it feasible and advantageous to develop applications which will be engaged in complex sequences of interactions among two or more parties. Another background is maturing of theories of processes centring on the calculus and its types. The two formalisms we shall discuss are based on a common notion of structured communication, called session. A session binds a series of communications between two parties into one, distinguishing them from communications belonging to other sessions. This is a standard practice in business protocols (where an instance of a protocol should be distinguished from another instance of the same or other protocols) and in distributed programming (where two interacting parties use multiple TCP connections for performing a unit of conversation). The type disciplines for sessions have been studied over long years in the context of the -calculus [10,7,17,4], where 29

Carbone, Honda and Yoshida

it has been shown that they o er a high-level abstraction for communication behaviour upon which further re ned reasoning techniques can be built. We shall discuss not only sessions o er a natural articulation for description of global description of complex interaction behaviour but also session types play an essential role in the presented theory of end-point projection. The next section of this abstract brie y outlines the global formalism (a distilled version of WS-CDL), the corresponding process formalism (called end-point calculus, which is an applied version of the  -calculus), and a theory of EPP. Exploration of many examples, the full technical development of the theory, and detailed discussions on related works, can be found in [5,6].

2 Outline of Calculi and Formal Results The formal syntax of the global calculus is given by the standard BNF. Below symbols I; I 0 ; : : : denote terms of the global calculus, also called interactions. Terms describe a course of information exchange among two ore more parties from a global viewpoint. I ::= A ! B : c( s~) : I j A ! B : shop; e; y i : I j x@A := e : I j I1 j I2 j if e@A then I1 else I2 j I1 + I2 j ( s) I j X j rec X : I j

0

(init) (com) (assign) (par) (ifthenelse) (sum) (new) (recVar) (rec) (inaction)

Above a; b; c; ch; : : : range over service channels, which may be considered as shared channels of web services; s; s0 ; : : : range over session channels, which designate communication channels freshly generated for each session; s~ indicates a their vector; A; B; C; : : : range over participants. Each participant is equipped with its own local states, storing and updating values in its variables (x; y; z; : : :); X; Y; Z; : : : range over term variables, which are used to represent recurrence in combination with recursion rec X:I ; and a e; e0 ; : : : range over arithmetic and other standard rst-order expressions. The following gives an example of description, depicting a repeated interactions where Buyer asks Seller to give a good quote. Only when a quote is 30

Carbone, Honda and Yoshida

good, a buyer accepts, and Seller sends a shipping request to Shipper. Buyer ! Seller : ch1( s; t): Buyer ! Seller : shQuoteReq; prod@Buyer; prod@Selleri: rec X: Seller ! Buyer : thQuoteRes; quote@Seller; quote@Buyeri : if

reasonable(quote)@Buyer then Buyer ! Seller : shQuoteAcc; adr @Buyer;

adr@Selleri:

Seller ! Shipper : ch2( r ): 

(omitted)   

else Buyer ! Seller : shQuoteNoGoodi:X endif

where, for example, \prod@Buyer" indicates a variable prod located at Buyer. Many other examples of descriptions of complex protocols are found in [5,6]. The reduction of the global calculus is de ned using an intuitive notation, (I; )

!

(I 0 ; 0 )

which says a global description I in a state  (which is the collection of all local states of the participants) will be changed into I 0 in a new con guration 0 . Samples of reduction rules are, writing @B 7! v] for the result of updating the variable x located at B : (A ! B : ch( s~): I; ) ! (( s~)I; ) (A ! B : shop; v; xi: I; ) ! (I; @B 7! v]) (x@A := v: I; ) ! (I; @A 7! v]) if (I1; ) (I1 + I2 ; ) ! (I10 ; 0 ) if (I1; ) (I1 jI2 ; ) ! (I10 jI2 ; 0 )

! !

(I10; 0 ) (I10; 0 )

Note updates of stores in the second and third rules are local to designated participants. The type discipline for the calculus is based on session types. Writing ; i ; ::: for rst-order value types, the grammar of types is given as:



::=

s I i hop ; i i: i t j 0 i

j

j

s J i hop ; i i: i

while the typing sequent has the form: 31

i

`

I

j

1 j 2

  where:

j

rec

t:

Carbone, Honda and Yoshida

Typically contains a type assignment of the form ch@A : (~s) , which says a service channel ch at A may be invoked with fresh s~ followed by a session .  Typically  contains a type assignment of the form s ~[A; B ] : , which says a session of type from A to B takes place via s~ (where uses at most s~). The typing rules are omitted, by which we have the standard properties such as subject reduction and minimal (principal) typing. The end-point calculus is an applied version of the -calculus [12]. The following grammar de nes processes (P; Q; : : :) and networks (M; N; : : :). 

P ::=

(~s):P j ch( s~):P j s  i opi (~yi ):Pi j x := e:P j if e then P1 else P2 j P  Q j X j rec X:P j 0 ! ch

N ::= A[P ]

j

N1 j N2

j

( s)N

j

j j

s  ophe~i:P P jQ j ( s)P



where A[P ] indicates a participant A whose behaviour is given by P and whose local state is . Reduction is given modulo the standard structural equality, with sample rules:

A[! ch(~s):P j R]A j B [ch( s~):Q j S ]B ! ( s ~)(A[P j ! ch(~s):P j R]A A[s  i opi (yi ):Pi j R]A

j

B [s  op hviQ j S ]B ! A[Pj j R]A [yj 7!v ]

j

B [Q j S ]B )

j

B [Q j S ]B

j

The typing for the end-point calculus uses the same set of types, with the two forms of sequent, one for processes and one for networks ( and  are as above): `A P  ; ` M   where `A P   designates, as subscript, the participant A in which the subject process P is to be located. The typing rules are those of the standard session typing [10] (extended to multiple session channels). One basic rule is the following initialisation rule: (init)

; ch@A :(~s) `A P  s~ : ; ch@A :(~s) `A ! ch(~s):P 

;

which demands linear session channels in the premise are abstracted in the conclusion (note the service channel ch is replicated). The typing system satis es the standard subject reduction, freedom from type errors, and the minimal (principal) typing. Finally we translate a global description to its end-point counterpart (endpoint projection, or EPP). The process of EPP can however be tricky, because 32

Carbone, Honda and Yoshida

we can easily produce a global description which does not correspond to realisable local counterpart. We have identi ed three descriptive principles, which are:  Connectedness, a basic local causality principle.  Well-threadedness, a stronger locality principle based on session types.  Coherence, a consistency principle for description of each participant. All these principles are stipulated incrementally on the basis of well-typedness. They not only enunciate natural disciplines for well-structured global description, but also o er gradually deeper analysis of operational aspects of global description, guiding us to the simple de nition of an EPP map of essentially the following shape: (I; )

7!

A[P ]@A

j

B [ Q]  @ B

j

C [R ] @ C

j 

where P is the projection of I onto A, similarly for others. @A projects  onto A. In [6] we have established that, when applied to well-structured interactions, the EPP mapping thus de ned satis es the following three properties:  Type preservation: the typing is preserved through EPP.  Soundness: nothing but behaviours (reductions) in I are in the image of its EPP.  Completeness: all behaviours (reductions) in I are in the image of its EPP. Thus the resulting processes/networks never have a type error, and they realise all and only interactions prescribed in the original global description.

References [1] Pi-Calculus for SOA, https://sourceforge.net/projects/pi4soa/. [2] Baeten, J. C. M., H. M. A. van Beek and S. Mauw, Specifying internet applications with DiCons., in: SAC, 2001, pp. 576{584. [3] Basten, T., \In Terms of Nets," Ph.D. thesis, Eindhoven University of Technology (1998). [4] Bonelli, E., A. B. Compagnoni and E. L. Gunter, Correspondence assertions for process synchronization in concurrent communications., J. Funct. Program. 15 (2005), pp. 219{247. [5] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communicationcentred concurrent programming (part one), http://lists.w3.org/Archives/Public/public-ws-chor/2005Nov/att0015/part1 Nov25.pdf (2005). [6] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communicationcentred concurrent programming (part two), to appear as a technical report (May 2006).

33

Carbone, Honda and Yoshida

[7] Dezani-Ciancaglini, M., D. Mostrous, N. Yoshida and S. Drossopoulou, Session Types for Object-Oriented Languages, in: Proceedings of ECOOP'06, LNCS (2006). [8] Foster, H., \A Rigorous Approach to Engineering Web Service Compositions," Ph.D. thesis, Imperial College London, University of London, Department of Computing (2006). [9] Gay, S. J. and M. Hole, Subtyping for session types in the pi calculus., Acta Inf. 42 (2005), pp. 191{225. [10] Honda, K., V. T. Vasconcelos and M. Kubo, Language primitives and type discipline for structured communication-based programming, in: ESOP '98 (1998), pp. 122{138. [11] International Telecommunication Union, Recommendation Z.120: Message Sequence Chart (1996). [12] Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, I and II, Information and Computation 100 (1992), pp. 1{40,41{77. [13] Needham, R. M. and M. D. Schroeder, Using encryption for authentication in large networks of computers., Commun. ACM 21 (1978), pp. 993{999. [14] OMG, Uni ed Modelling Language, Version 2.0 (2004). [15] Takeuchi, K., K. Honda and M. Kubo, An interaction-based language and its typing system., in: PARLE, Lecture Notes in Computer Science 817 (1994), pp. 398{413. [16] van der Aalst, W., Inheritance of interorganizational work ows: How to agree to disagree without loosing control?, Information Technology and Management Journal 2 (2002), pp. 195{231. [17] Vasconcelos, V. T., A. Ravara and S. J. Gay, Session types for functional multithreading., in: CONCUR, LNCS (2004), pp. 497{511. [18] W3C WS-CDL WG, Web Services Choreography Description Language Version 1.0., http://www.w3.org/TR/2004/WD-ws-cdl-10-20040427/ (2004).

34

DCM 2006

Light Dialectica program extraction from a classical Fibonacci proof Mircea-Dan Hernest

1;2

Laboratoire d'Informatique (LIX)  Ecole Polytechnique F-91128 Palaiseau - FRANCE

Abstract We demonstrate program extraction by the Light Dialectica Interpretation (LDI) on a minimal logic proof of the classical existence of Fibonacci numbers. This semiclassical proof is available in MinLog's library of examples. The term of Godel's T extracted by the LDI is, after strong normalization, exactly the usual recursive algorithm which de nes the Fibonacci numbers (in pairs). This outcome of the Light Dialectica meta-algorithm is much better than the T-program extracted by means of the pure Godel Dialectica Interpretation. It is also strictly less complex than the result obtained by means of the re ned A-translation technique of Berger, Buchholz and Schwichtenberg, but otherwise it is identical with the term yielded by Berger's Kripke-style re ned A-translation. Key words: Program extraction from (classical) proofs, Complexity of extracted programs, Re ned A-translations, Quanti ers without computational meaning, Light Dialectica Interpretation, Computationally redundant contractions, Godel's functional \Dialectica" interpretation, Proof Mining

1

Introduction

There has been quite some work in the last years in the eld of program extraction from classical proofs. Although strong mathematical results have recently been obtained in the Proof Mining of classical analytical proofs (see, e.g., [15,16,17,19,21]), the computer-implemented program extraction metaalgorithms were able to produce only limited results, for rather small test-cases and even then, the extracted program is not the optimal one. 1

Project LogiCal - P^ ole Commun de Recherche en Informatique du Plateau de Saclay,  CNRS, Ecole Polytechnique, INRIA et Universite Paris-Sud - FRANCE 2 Email: [email protected] This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

Hernest Such an unsatisfying situation one encounters in the extraction of a rather unusual algorithm for the computation of Fibonacci numbers by means of the Berger-Buchholz-Schwichtenberg (BBS) re ned A-translation of [3]. The term tBBS of Godel's T extracted via this BBS re ned A-translation from the MinLog minimal logic proof of the weak (classical) existence of the Fibonacci numbers, followed by Kreisel's Modi ed Realizability [18] and nally strongly normalized [4,5] makes necessarily use of a type-2 Godel recursor. This is R (!!)! , where the type level (degree) of ( !  ! ) !  is 2 : Here  is the base type which denotes the set of natural numbers IN and R is the denotation for the so-called \type- Godel recursor", which actually has the type  ! ( !  ! ) !  !  in Godel's T . See paper [3] for full details. This is quite unexpected since the usual recursive de nition of Fibonacci numbers (in pairs) can be expressed in Godel's T by means of a type-0 Godel recursor only, namely R  : Here    denotes the pairing of types  and  : In fact such a T-term was actually extracted in MinLog [24] by pure Modi ed Realizability, from the usual pure intuitionistic proof of the strong (intuitionistic) existence of Fibonacci numbers, see [3] 3 . The point of the endeavour of extracting programs from classical rather than constructive or even purely intuitionistic proofs is that (semi-)classical proofs are much easier and more direct to build, both by human brain and also in the various computer-implemented proof-systems. It is therefore desirable that the algorithms synthesized from classical proofs by means of the more complex program extraction meta-algorithms 4 are at least as good as those yielded by the more common extraction techniques 5 from the corresponding constructive/purely intuitionistic proofs. When applied to the semi-classical MinLog Fibonacci proof (originally introduced in [24], but slightly re-adapted in [11]), this is not the case, neither for the BBS re ned A-translation (as described in detail in either of [2,3,23]), nor for the pure Godel Dialectica Interpretation, as we show later in the sequel. Whereas a repair of this situation was provided for the BBS re ned A-translation by Berger in [2] 6 , none of the monotone [14] or bounded [8] optimizations of Godel's technique can handle such an exact realizer extraction problem. It is the Light Dialectica interpretation (originally introduced in [12], but see also [13] for a much larger and more uni ed exposition) which gives the solution. 3 On the other hand, this linear - in the unary representation of natural numbers - algorithm is outperformed by other logarithmic algorithms, see [23] for such an example.

4 Here we think particularly (but not exclusively) at those from the Dialectica family (see

[22] for a nice uni cation work) and the Re ned A-translation family. 5 Basically variants of Kreisel's Modi ed Realizability [18], which is a simpler but weaker form of Godel's functional (Dialectica ) interpretation [1,10]. 6 Berger's Kripke-style re ned A-translation introduced in [2] nicely combines the optimizing (in the sense of the eciency of programs extracted from classical proofs) features of both the BBS [3] and the Coquand-Hofmann [7] re ned A-translations. It also furthermore adds the so-called uniform quanti ers, which are used to \label" and thus isolate parts of the input proof which are meant not to have a computational content under such a translation.

36

Hernest 2

The semi-classical Fibonacci proof in

MinLog

MinLog is an interactive proof- and program-extraction system developed

by H. Schwichtenberg and members of the logic group at the University of Munich. It is based on rst order Natural Deduction calculus and uses as primitive minimal rather than classical or intuitionistic logic. See [11,24] for full details.

De nition 2.1 [Fibonacci Numbers] The inductive de nition is as usual Base :

F0 : 0 ; F1 : 1

Step :

Fn+1 : Fn

+ Fn

1

for

n 

1;

n 2

IN

The Fibonacci Numbers example was implemented in MinLog and it was comparatively analysed in [3] by both pure Modi ed Realizability (from the usual pure intuitionistic proof) and also by the BBS re ned A-translation (from a minimal logic proof of the weak, classical existence of Fibonacci Numbers; we dub such proofs as \semi-classical") followed by Modi ed Realizability. The semi-classical Fibonacci proof in MinLog is a Natural Deduction proof of 8n 9cl k G(n; k ) { where 9cl k G(n; k ) : (8k: G(n; k ) ! ?) ! ? { from assumptions expressing that G is the graph of the Fibonacci function, i.e., G(0; 0)

AND

G(1; 1)

AND

8n;

k; l: [ G(n; k ) ^ G(n

+ 1; l)] ! G(n + 2; k + l) ;

see Section 6 of [3] for full details. 3

The

light functional Dialectica interpretation

The \light" variant of Godel's functional \Dialectica" Interpretation was introduced in [12] as an optimization for term-extraction of Godel's original technique 7 from [10]. The main feature of \Dialectica Light" is the elimination already at extraction time of a number of relevant (for the Dialectica program extraction) Contractions which are identi ed as redundant and in consequence are isolated by means of an adaptation of Berger's quanti ers without computational content 8 (introduced in [2] as \uniform quanti ers"). Dialectica Light (abbreviated LDI) is a recursive syntactic translation from proofs in a semi-classical 9 weakly extensional arithmetical system in all nite types 10 (denoted WeZ9;nc+ ) to proofs in the corresponding purely intuitionistic system 11 (denoted WeZ9 ) such that the positive occurrences of the strong 7 Paper [1] provides a nice survey in English which includes the extensions to full Analysis. 8 In [12] we named these special existential and universal quanti ers \without (or non-)

computational meaning", abbreviated ncm . We here continue to use our own terminology.

9 This can be extended to fully classical proofs, modulo some double-negation translation. 10 System WeZ9;nc+ was denoted WE Z+ in [12]. It is nevertheless much better presented, with complete comparative details in [13], just like its corresponding WeZ9 ; see below. 11 System WeZ9 ; which was denoted WE Z in [12], is a Natural Deduction formulation of the weakly extensional Heyting Arithmetic in all nite types WE HA! from Section 1.6.12 of [25]. See also [3,23] for the original corresponding fully extensional variant Z9  Z + 9 :

37

Hernest and the negative occurrences of 8 in the proof's conclusion formula get actually realized by terms in Godel's T. These realizing terms are also called the programs extracted by the LDI and (if only the extracted programs are wanted) the translation process is also referred to as \program extraction". The LDI translation of proofs includes the following translation of formulas: 9

De nition 3.1 By quanti er-free (qfr) formula we understand a formula

built from prime formulas at(to ) and ? by means of ^ ; ! and, if 9 is available, also _ : The qfr formulas are all decidable in our systems. There exists a unique bijective association of boolean terms to quanti er-free formulas A0 7! tA0 such that ` A0 $ at(tA0 ) : Then the LDI translation of formulas is: D A : AD :

at(tA ) for quanti er-free formulas

A

D

(A ^ B ) : 9x; u 8y; v [ (A ^ B )D : AD (x; y ; a) ^ BD (u; v ; b) ] (9zA(z; a))D : 9zy ; x 8y [ (9zA(z; a))D (zy ; x; y ; a): AD (x; y ; zy ; a) ] (8zA(z; a))D : 9X 8zy ; y [ (8zA(z; a)) (X ; zy ; y ; a): A (X (zy ); y ; zy ; a) ] D

D

(9zA(z; a))D : 9x 8y [ (9zA(z; a))D (x; y ; a):9z AD (x; y ; z; a) ] (8zA(z; a))D : 9x 8y [ (8zA(z; a))D (x; y ; a):8z AD (x; y ; z; a) ] (A ! B )D : 9Y ; U 8x; v [ (A ! B )D : AD (x; Y (x; v )) ! BD (U (x); v ) ] where  7! y is a mapping which assigns to every given variable z a completely new variable zy which has the same type of z : The free variables of AD are exactly the free variables of A:

Remark 3.2 For the light Dialectica interpretation, the radical (or \root") formula AD (which is LDI associated to A) is not necessarily quanti er-free, like it is for the pure Godel's functional interpretation. It actually contains the translation of all ncm quanti ers to the corresponding regular quanti ers. Theorem 3.3 (Exact realizer synthesis by the Light Dialectica [12]) P

There exists an algorithm which, given at input a Natural Deduction proof : fC i gni=1 ` A 12 in WeZ9;nc+ ; it eventually produces at output the following:

(i) the tuples of terms fTi gni=1 and T ; (ii) the tuples of variables fxi gni=1 and y ; all together with (iii) the verifying proof PD : fCDi (xi ; Ti (x; y ))gni=1 ` AD (T (x); y ) in WeZ9 ; where x : x1 ; : : : ; xn : Moreover,  the variables x and y do not occur in P (they are all completely new)  the free variables of T and fTi gni=1 are among the free variables of A and 12 Hence of the formula A from the open assumption formulas C 1 ; : : : ; C n : Here \open" is

to be understood as \un-cancelled" or \un-discharged" and not necessarily as \un-closed".

38

Hernest { we call this \the free variable condition (FVC) for programs extracted by the LDI". i

n

fC gi=1

hence x and

y

also do not occur free in the extracted terms

n

fTi gi=1

and

T:

Remark 3.4 Godel's functional \Dialectica" interpretation becomes relatively

(far) more complicated at the moment when it has to face contraction. In the Natural Deduction setting, Contraction amounts to the discharging of at least two copies (from the same parcel 13 ) of an open assumption formula A dur[A] : : : =B : This is because, for the so-called ing an Implication Introduction A ! B

\Dialectica-relevant" contractions 14 , A becomes part of the (raw, i.e., not yet normalized) realizing term. Therefore, the a priori (i.e., already at the extraction stage) elimination of some of these D-relevant contractions, rather than a posteriori (i.e., during the subsequent strong normalization process), represents an important complexity improvement of the extracted program. 4

A comparison of the three extraction techniques

It can be immediately seen, also from the machine benchmarks below, that the program yielded by the Light Dialectica interpretation clearly outperforms the algorithm given by the BBS re ned A-translation. The latter is at its turn much more ecient than the term extracted by means of the pure Godel Dialectica interpretation, which contains an important quantity of redundant information. All three extracted (by the three program-synthesis techniques) terms are presented below in a human-processed adaptation of the raw MinLog output. See [11] for the pure machine-extracted programs. The subsequent computer benchmarks were performed on a DELL model X1 laptop (hence powered by an Intel Centrino CPU) running the Windows XP Professional operating system. We used the more special MinLog distribution [11], which is not yet integrated with the ocial MinLog [24]. As Scheme interpreter we used the Petite Chez Scheme 7.0a, see [20]. The quantitative measures of computing time and space overhead were obtained by means of the Scheme \time" procedure. 2) The (MinLog, adapted) outcome of pure Godel's Dialectica interpretation: .......................... (add-var-name "n" "m" (py "nat")) (add-var-name "G" (py "nat=>nat=>boole")) (add-var-name "H" (py "(nat@@(nat@@nat)@@(nat@@nat))")) 13 In the sense of the terminology from [9]. 14 See [13] for full details on this terminology and generally for a large and uni ed exposition of the Light Dialectica extraction.

39

Hernest .......................... > t_{PDI} == [G,n] left right ((Rec nat=>nat@@(nat@@nat)@@(nat@@nat))((0@0@0)@0@1) ([m,H] [if [if (G left left H left right left H) [if (G (Succ left left H) right right left H) (G (Succ(Succ left left H)) (left right left H + right right left H)) True] True] (m @ right H) (left H)] @ right right H@ left right H + right right H) n) > (time (nt (mk-term-in-app-form t_{PDI} (pt "G") (pt "5")))) 314 collections 6031 ms elapsed cpu time, including 676 ms collecting 6110 ms elapsed real time, including 687 ms collecting 341280176 bytes allocated, including 337674848 bytes reclaimed "5" > (time (nt (make-term-in-app-form t_{PDI} (pt "G") (pt "6")))) 2700 collections 56750 ms elapsed cpu time, including 9676 ms collecting 58375 ms elapsed real time, including 10008 ms collecting 2937460672 bytes allocated, including 2933419728 bytes reclaimed "8"

1) The outcome of the BBS re ned A-translation (MinLog output, adapted): .......................... (add-var-name "i" "j" "k" "l" "m" "n" (py "nat=>nat=>nat")) (add-var-name "f" (py "nat=>nat=>nat")) (add-var-name "H" (py "(nat=>nat=>nat)=>nat")) .......................... > > > t_{BBS} == "[k](Rec nat=>(nat=>nat=>nat)=>nat) ([f] f 0 1) ([l,H,f] H ([i,j] H ([n,m] f m (n+m)))) k ([n,m] n)" > (time (nt (make-term-in-app-form t_{BBS} (pt "12")))) 39 collections 813 ms elapsed cpu time, including 109 ms collecting 813 ms elapsed real time, including 107 ms collecting 42919528 bytes allocated, including 39266296 bytes reclaimed "144" > (time (nt (make-term-in-app-form t_{BBS} (pt "15")))) 321 collections 7094 ms elapsed cpu time, including 1153 ms collecting 7203 ms elapsed real time, including 1246 ms collecting

40

Hernest 348911096 bytes allocated, including 326154920 bytes reclaimed "610"

3) The outcome of Light Dialectica interpretation (MinLog output, adapted): .......................... (add-var-name "n" "m" (py "nat")) (add-var-name "G" (py "nat=>nat=>boole")) (add-var-name "H" (py "(nat@@nat)")) .......................... > t_{LDI} == "[G,n] left ((Rec nat=>nat@@nat) (0@1) ([m,H] right H @ left H + right H) n)" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "15")))) 6 collections 125 ms elapsed cpu time, including 0 ms collecting 140 ms elapsed real time, including 0 ms collecting 6802576 bytes allocated, including 6383624 bytes reclaimed "610" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "20")))) 68 collections 1343 ms elapsed cpu time, including 62 ms collecting 1344 ms elapsed real time, including 63 ms collecting 73584536 bytes allocated, including 71466424 bytes reclaimed "6765" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "25")))) 750 collections 16219 ms elapsed cpu time, including 2279 ms collecting 16657 ms elapsed real time, including 2331 ms collecting 816525224 bytes allocated, including 803991296 bytes reclaimed "75025" 5

Conclusions and future work

More practical examples should be found for the application of the \light" optimization of Godel's Dialectica interpretation. A negative result exists for the case of the MinLog-implemented semi-classical proof of Dickson's Lemma (see [6]). Here three nested Inductions give rise at three Contractions which are thus all three included in the extracted term(s), within the triply nested recursion. It is hence immediate to gure out that such a program would be very complex. Unfortunately, the Light Dialectica cannot repair this situation.

41

Hernest References

[1] Avigad, J. and S. Feferman, Godel's functional (`Dialectica') interpretation, in: S. Buss, editor, Handbook of Proof Theory, Studies in Logic and the Foundations of Mathematics 137, Elsevier, 1998 pp. 337{405. [2] Berger, U., Uniform Heyting Arithmetic, Annals of Pure and Applied Logic 133 (2005), pp. 125{148, Festschrift for H. Schwichtenbergs 60th birthday. [3] Berger, U., W. Buchholz and H. Schwichtenberg, Re ned program extraction from classical proofs, Annals of Pure and Applied Logic 114 (2002), pp. 3{25. [4] Berger, U., M. Eberl and H. Schwichtenberg, Normalization by Evaluation, in: B. Moller and J. Tucker, editors, Prospects for Hardware Foundations, LNCS 1546, Springer Verlag, 1998 pp. 117{137. [5] Berger, U., M. Eberl and H. Schwichtenberg, Term rewriting for Normalization by Evaluation, Information and Computation 183 (2003), pp. 19{42, International Workshop on Implicit Computational Complexity (ICC'99). [6] Berger, U., H. Schwichtenberg and M. Seisenberger, The Warshall algorithm and Dickson's lemma: Two examples of realistic program extraction, Journal of Automated Reasoning 26 (2001), pp. 205{221. [7] Coquand, T. and M. Hofmann, A new method for establishing conservativity of classical systems over their intuitionistic version, Mathematical Structures in Computer Science 9 (1999), pp. 323{333. [8] Ferreira, F. and P. Oliva, Bounded functional interpretation, Annals of Pure and Applied Logic 135 (2005), pp. 73{112. [9] Girard, J.-Y., P. Taylor and Y. Lafont, \Proofs and Types", Cambridge University Press, 1989.

 [10] Godel, K., Uber eine bisher noch nicht benutzte Erweiterung des niten Standpunktes, Dialectica 12 (1958), pp. 280{287. [11] Hernest, M.-D., MinLog for Dialectica program-extraction, Free software, code source @ http://www.brics.dk/edanher/MinLogForDialectica, For the ocial MinLog see [24]. [12] Hernest, M.-D., Light Functional Interpretation, Lecture Notes in Computer Science (LNCS) 3634 (2005), pp. 477 { 492, Computer Science Logic: 19th International Workshop, CSL 2005. [13] Hernest, M.-D., \Feasible programs from (non-constructive) proofs by the  light (monotone) Dialectica interpretation," PhD Thesis, Ecole Polytechnique and University of Munich (LMU) (2006), In preparation, draft available @ http://www.brics.dk/edanher/teza/. [14] Kohlenbach, U., Analysing proofs in Analysis, in: W. Hodges, M. Hyland, C. Steinhorn and J. Truss, editors, Logic: from Foundations to Applications, Keele, 1993, European Logic Colloquium (1996), pp. 225{260.

42

Hernest [15] Kohlenbach, U., Some logical metatheorems with applications in functional analysis, Transactions of the American Mathematical Society 357 (2005), pp. 89{128. [16] Kohlenbach, U., Proof Interpretations and the Computational Content of Proofs, Latest version in the author's web page (April 2006), vii + 420pp. [17] Kohlenbach, U. and P. Oliva, Proof mining: a systematic way of analysing proofs in Mathematics, Proceedings of the Steklov Institute of Mathematics 242 (2003), pp. 136{164. [18] Kreisel, G., Interpretation of analysis by means of constructive functionals of nite types, in: A. Heyting, editor, Constructivity in Mathematics, NorthHolland Publishing Company, 1959 pp. 101{128. [19] Leustean, L., A quadratic rate of asymptotic regularity for CAT(0)-spaces, Journal of Mathem. Analysis and Applications (2006), To appear, downloadable from Elsevier's \Science Direct", Articles in Press, Corrected Proof. [20] Cadence Research Systems, Chez Scheme, http://www.scheme.com (2006). [21] Oliva, P., Understanding and using Spector's bar recursive interpretation of classical analysis, in: Proceedings of CiE'2006, LNCS 3988 (2006), pp. 423{ 434, Available in the author's Web page @ http://www.dcs.qmul.ac.uk/epbo/. [22] Oliva, P., Unifying functional interpretations, Notre Dame Journal of Formal Logic (2006), to appear, downloadable from the author's Web page. [23] Schwichtenberg, H., Minimal logic for computable functions, Lecture course on program-extraction from (classical) proofs. Available in the author's web page or in the MinLog distribution [24]. [24] Schwichtenberg, H. and Others, Proof- and program-extraction system MinLog, Free code and documentation at http://www.minlog-system.de. [25] Troelstra, A., editor, \Metamathematical investigation of intuitionistic Arithmetic and Analysis," Lecture Notes in Mathematics 344, Springer-Verlag, Berlin - Heidelberg - New York, 1973.

43

Hernest

44

DCM 2006

On the Computational Representation of Classical Logical Connectives Jayshan Raghunandan and Alexander J. Summers Department of Computing, Imperial College London, 180 Queen’s Gate, London SW7 2RH, UK

Abstract Many programming calculi have been designed to have a Curry-Howard correspondence with a classical logic. We investigate the effect different choices of logical connective have on such calculi, and the resulting computational content. We identify two connectives ‘if-and-only-if’ and ‘exclusive or’ whose computational content is not well known, and whose cut elimination rules are non-trivial to define. In the case of the former, we define a term calculus and show that the computational content of several other connectives can be simulated. We show this is possible even for connectives not logically expressible with ‘if-and-only-if’.

1 Introduction There are many programming calculi which have been designed to have a CurryHoward correspondence with a logical proof system. In recent years, such calculi have been designed to explore the computational content of Classical Logic (for example [8,4,2,10,6,13,11]). Different authors have chosen different sets of logical connectives to treat as primitive in their logic, and designed the syntax and reduction rules of their calculi accordingly. Implication is the most popular choice of connective, since it is well-understood that its computational behaviour is related to function abstraction and application. There are calculi which do not use implication, for example that of Wadler [13]. Calculi exist which employ conjunction, disjunction, negation, and even more esoteric connectives such as difference [2,1] and constants for truth and falsity. We consider logics with different primitive connectives, and discuss general approaches to the design of corresponding term calculi. We restrict our attention to propositional logical connectives; an investigation of various approaches to employing quantifiers has been studied in [9]. 1

Email: [email protected], [email protected] This paper is ele troni ally published in Ele troni Notes in Theoreti al Computer S ien e URL:

www.elsevier.nl/lo ate/ent s

Raghunandan & Summers We work in the logical context of the sequent calculus in which one deals with sequents of the form A1 ; : : : ; Am ` B1 ; : : : ; Bn , read as “if all of A1 ; : : : ; Am are true, at least one of B1 ; : : : ; Bn is true”. Proof rules are defined for introducing a logical connective on the left and right of a sequent. In this paper we avoid the need for structural rules [3] by following the style of Kleene [5]. In brief, we treat the collections of formulas on the left and right of a sequent as sets, and allow extra formulas in the axioms of a derivation. An example of such a sequent calculus is specified by Figure 1 which is the basis of the X -calculus described in the following section.

; A ` A; 

(Ax)

` A;  B; `  (!L) ; A!B ` 

` ; A A; `  ( ut) ` ; A ` B;  (!R) ` A!B; 

Fig. 1. A sequent-calculus for implication

2 The

X -Calculus

Our work is based on the X -calculus [11]; a term annotation for classical implicative sequent calculus. We recall here the basic definitions. Definition 2.1 [X -Terms] The terms of the X -calculus are defined by the following syntax, where x; y range over the infinite set of sockets and ; over the infinite set of plugs (sockets and plugs together form the set of connectors).

P; Q ::= hx. i capsule

j ybP b j P b [y℄ xbQ j P b y xbQ j P b y xbQ j P b y xbQ export

mediator

cut

left-cut

right-cut

The ^ symbolises that the connector underneath is bound in the term. We will use fp(P ) to denote the free plugs of P , and similarly fs(P ) for free sockets. We work modulo -conversion (issues regarding -conversion have been studied in [12]). The reduction rules are as follows. Definition 2.2 [Logical Rules] The logical rules are presented by:

hy. i b y xbhx. i ! hy. i (ybP b ) b y xbhx. i ! ybP b 62 fs(P ) hy. i b y xb(P b [x℄ zbQ) ! P8 b [y℄ zbQ 9 x 62 fs(P; Q) < Qb y yb(P b y zbR) = 62 fs(P ); b (exp-med) : (ybP  ) b y xb(Qb [x℄ zbR) ! : (Qb y ybP ) b y zbR ; x 62 fs(Q; R)

(cap) : (exp) : (med) :

The first three logical rules above specify a renaming (reconnecting) procedure, whereas the last rule specifies the basic computational step: it allows the body of the 46

Raghunandan & Summers function from the export to be inserted between the two subterms of the mediator (the resulting cuts may be bracketed either way, as shown). Definition 2.3 [Activation Rules] We define two cut-activation rules.

(act-L) : P b y xbQ ! P b y xbQ if P does not introduce (act-R) : P b y xbQ ! P b y xbQ if Q does not introduce x

= Q b [x℄ ybR and x 62 fs(Q; R), or P = hx. i P introduces : Either P = xbQ b and 62 fp(Q), or P = hx. i

where: P introduces x: Either P

An activated cut is processed by ‘pushing’ it systematically through the syntactic structure of the term in the direction indicated by the tilting of the dagger. This behaviour is expressed by the propagation rules. Definition 2.4 [Propagation Rules] Left Propagation:

(y y) : hy. i b y hy. i b y (y cap) : (y exp-outs) : (ybQ b ) b y (y exp-ins) : (ybQ b ) b y (y med) : (Q b [z ℄ ybR) b y (y cut-cap) : (Q b y ybhy . i) b y (y cut) : (Q b y ybR) b y

xbP xbP xbP xbP xbP xbP xbP

! hy. i b y xbP ! hy. i 6= ! (yb(Q b y xbP ) b )b y xbP ; fresh ! yb(Q b y xbP ) b ;

6= ! (Q b y xbP ) b [z℄ yb(R b y xbP ) ! (Q b y xbP ) b y xbP ! (Q b y xbP ) b y yb(R b y xbP ); R =6 hy. i

Right Propagation:

( yy) : P b ( ycap) : P b ( yexp) : P b ( ymed-outs) : P b

y xbhx. i y xbhy. i y xb(ybQ b ) y xb(Q b [x℄ ybR)

! P b y xbhx. i ! hy. i; y 6= x ! yb(P b y xbQ) b ! P b y zb((P b y xbQ) b [z℄ yb(P b y xbR));

z fresh ( ymed-ins) : P b y xb(Q b [z ℄ ybR) ! (P b y xbQ) b [z ℄ yb(P b y xbR); z 6= x ( ycut-cap) : P b y xb(hx. i b y ybR) ! P b y yb(P b y xbR) ( ycut) : P b y xb(Q b y ybR) ! (P b y xbQ) b y yb(P b y xbR); Q 6= hx. i We write ! for the reduction relation generated by the logical, propagation and activation rules. The following are admissible rules (see [11,12]). 47

Raghunandan & Summers Lemma 2.5 (Garbage Collection and Renaming)

(gc-L) : P b y xbQ ! P; if 62 fp(P ) (gc-R) : P b y xbQ ! Q; if x 62 fs(Q)

(ren-L) : P Æb y zbhz . i; ! P [ =Æ ℄ (ren-R) : hz . i b y xbP ; ! P [z=x℄

3 The Computational Representation of a Connective In this section, we outline some of the techniques used in the rest of the paper for deriving suitable proof rules, and corresponding syntax representations and reduction rules to represent the inclusion of a particular logical connective. We use A; B; : : : as propositional variables and : to represent logical negation, which binds tighter than any other connective. We use Æ and  to represent arbitrary binary connectives. For formulas F1 and F2 we write F1  F2 (and say the formulas are logically equivalent) if for all assignments of truth values to propositional variables, F1 and F2 evaluate to the same truth value. 3.1 Syntax We work in the style of the X -calculus, since this gives a simple and symmetric treatment of the inputs and outputs present within the syntax. When deriving the syntax to represent a particular proof rule, formulas which occur on the left of a sequent will become inputs (sockets) x; y; z; : : : while formulas on the right will be outputs (plugs) ; ; ; : : :. Any subproofs present in the rule will be represented as subterms of the syntax. Formulas which disappear from such subproofs by application of the proof rule (formulas which are bound by the rule) will correspond to bound connectors on the subterms, while the new formula which is introduced by the rule corresponds to a free connector of the appropriate kind. To see these ideas in practice, the reader may wish to compare Figure 1 with Definition 2.1. 3.2 Reduction Rules Whatever logical connectives are of interest, we will always keep the following X reduction rules (which deal with cuts and capsules) in place: cap; act-L; act-R; y y; y cap; y cut-cap; y cut;

yy; ycap; ycut-cap; ycut

The notion of a plug or socket being introduced can be generalised to say P introduces x (respectively, ) iff x is free in P but not in any of its subterms. Propagation rules must be defined for propagating left and right cuts through each syntactic construct. The general approach is to push copies of the cut into the subterms, leaving a copy on the outside if an occurrence of the desired connector was present at this level (c.f. ymed-outs). This leaves the appropriate extra logical reduction rules to be defined. Each new syntax construct warrants a logical rule to specify a renaming of its introduced con48

Raghunandan & Summers

` B; 

;A `  ( L) ;A B ` 

; B ` A;  ( R) ` A B; 

Fig. 2. Sequent Rules for reverse implication

nector, via a cut with a capsule (see the rules exp and med, for example). Finally, for each logical connective employed, a logical rule must be defined to show how a cut between the right and left introduction of the connective may be reduced (c.f. the rule exp-med). We call this the principal logical rule for the connective, since it is the rule which specifies how these structures may be removed from a proof, creating new cuts between their subterms and simplifying the task of cut-elimination. The principal rule is the only one which cannot be methodically derived independent of the particular connective concerned. For this reason, when investigating the representation of a particular connective, as far as reduction rules are concerned we will only concern ourselves with the principal logical rule for the connective.

4 Comparing Logical Connectives In this section, we compare various logical connectives, focusing on relationships between them and how this affects their inclusion into a term calculus. For each connective, we are interested in the following three questions: (i) What is a suitable term representation of its proof rules? (ii) What is its principal reduction rule? (iii) What computational content is gained by its inclusion? A connective may apply to an arbitrary number of arguments (hereon its arity). It is rare in the literature to consider connectives with arity greater than two (although for an example, see [7]). We will henceforth only interest ourselves in connectives of arity 2 (and below), as is common practice. We are interested in the relationships between these connectives, and how they are reflected by their computational counterparts. For example, duality is a wellknown concept relating logical connectives, and this relationship carries over into their computational behaviour (c.f. [2,13]). We make use of the following relationships between connectives: Definition 4.1 [Relating connectives] For any two binary connectives Æ,: Duality We say  is the dual of Æ iff A  B

 :(:A Æ :B ). Negation We say  is the negation of Æ iff A  B  :(A Æ B ). Reversal We say  is the reverse of Æ iff A  B  B Æ A. Flipping inputs We say  is obtained from Æ by flipping an input if either A  B  :A Æ B or A  B  A Æ :B . In all but the last case, these concepts describe self-inverse functions (e.g. the dual of the dual of a connective is the connective itself). 49

Raghunandan & Summers D

F

F

> N

ID

D

?

^

N

N

:

"

D

F

F

F D

_ N

$ F F

#

D

N; D

N

!

F

D



F

Note:

" = nand, # = nor, = xor

Fig. 3. Binary Connectives

We argue that the effect of the ‘reversal’ of a connective is not significant with respect to our questions of interest. For example, consider the connective (reverse implication). A pair of sequent rules for this connective is shown in Figure 2. Deriving the syntax needed to represent these rules, we find that we can use exactly the same as that for implication. This is because the same inputs and outputs are bound and introduced in the rules; the only difference being the positioning of A and B , which is irrelevant once the types are removed. Similarly, the reduction rules required to represent this connective will be exactly the same as those for implication, and so will the computational content obtained. This generalises to any connective and its reverse. As a result of this observation, we choose to examine the binary connectives modulo reversals. These are shown in Figure 3, which includes arrows indicating duality (D), negation (N) and flipping inputs (F). It remains for us to explain the significance of these remaining three relations. Before examining the effect of negating a connective, it is useful to examine the negation connective itself. The sequent rules for negation are as follows:

` A;  (:L) ; :A ` 

;A `  (:R) ` :A; 

The first rule binds a formula on the left of the sequent and produces a new one on the right, while the second does the opposite. The syntax we choose to use for negation reflects this swapping of inputs for outputs in the simplest way possible; we write x  P and y Q  for the left and right terms respectively. The principal reduction rule for negation is as follows:

b

b

(xbP  ) b y yb(y  Q b) ! Q b y xbP 62 fp(P ); y 62 fs(Q) Given the sequent rules for any connective it is straightforward to derive suitable sequent rules for the negation of the connective. Since negation swaps inputs with outputs, the rules will be exactly the same except that the formula introduced appears on the opposite side of the sequent. For example, the sequent rules for 50

Raghunandan & Summers difference ( ) are as follows.

; A ` B;  ( ;A B ` 

L

;

)

` A;  ; B ` D ( ` A B; 

R

)

Similarly, appropriate syntax to represent difference will have the same subterms, inputs and outputs as for implication, except that the free connector introduced appears on the opposite side of the sequent. In defining a cut-elimination rule, one can see that the reduct of the key logical rule will be the same in the cases of ! and , and in general for a connective and its negation. The relationship between a connective and its dual, in terms of its computational representation, can also be seen to induce a relationship between their term representations. In this case, as well as the introduced formula ‘swapping sides’, the formulas which are bound in the proof rules also do so. For example, compare the rules for ^ and _:

; A; B `  (^L) ; A^B ` 

` A;  ` B;  (^R) ` A^B; 

` A; B;  (_R) ` A_B; 

; A` ; B` (_L) ; A_B ` 

One can see a striking similarity here. In this sequent calculus setting, it is reasonable to view disjunction as another kind of ‘pairing’; the left rule is a pair of two proofs (binding a formula on the left of each), whereas the right rule provides the facility to interact with the members of such a pair. The effect of flipping an input is to negate only one of the inputs to a connective, which in turn corresponds to the bound occurrences of one of the formulas swapping sides in the rules. For example, implication can be obtained from disjunction by flipping the first input (A!B  :A_B ). One can see this also by comparing the sequent rules. In this sense, it is possible in the sequent calculus to see even implication as a kind of pairing. Examining the syntax of X (for brevity, compared to dealing in the proof rules), one can regard the mediator Q [x℄ y R as a pair of two terms Q and R, binding an output of one and an input of another. The export z P  is the term which can ‘deal with the pair’; providing connectors to connect to both elements of the pair, analogously with (for example) the ^L term. From the discussions above, it can be seen that once one knows the sequent rules (and hence, an appropriate term representation) for a particular connective, one can easily derive them for the negation and dual of the connective, and any connective which is obtained by flipping an input. In particular, the six connectives which are joined to each other by various arrows in Figure 3 (including ^,_ and !) all have related sequent rules. Each can in fact be regarded as a kind of pairing connective; the differences lie in whether inputs or outputs are bound in the two subterms which make up the pair, and whether the pair is made available on an introduced input or output. We will sometimes refer to these six connectives as the pairing connectives.

b b

b b

51

Raghunandan & Summers

` A; B; 

; A; B `  ($ ) ; (A$B ) ` 

; A ` B;  ; B ` A;  ($ ) ` (A$B ); 

L

Fig. 4.

$

L

and

R

$

R

introduction rules

As can be seen from Figure 3, the remaining connectives come in related groups of two. Due to space considerations, we do not discuss here the computational content of the connectives ID , >, ?, although the latter two at least are of some interest. This leaves only two binary connectives to discuss; being $ (‘if-andonly-if’) and (exclusive or). These two are related in the diagram by negation, duality and that each may be obtained from the other by flipping either input. In a sense, the operations they describe are difficult to relate directly to any of the other connectives; there are no ‘simple’ equivalent formulas which express these connectives in terms of the others (all such equivalences must mention A and B more than once). It seems natural to investigate the computational content of these two connectives, which appears not to have been attempted so far in the literature. In particular, no cut-elimination rule (or analogously, proof reduction rule in a Natural Deduction setting) seems to have been defined for these connectives. It is these concerns which motivate the next section.

5 Interpreting

$

In this section we study the computational behaviour of the logical connective ‘ifand-only-if’ (‘iff’ for short) that evaluates to true only when its two operands are the same. We could have equally chosen to study the negation of this connective ‘exclusive-or’, whose X -style term representations will be almost the same except the free input (output) that is introduced in each term will be of the opposite kind. We are able to determine the form of the left and right introduction rules for the $ connective via the equivalence A$B  :(A_B )_(A^B ). From this, we can construct derivations whose conclusions introduce this compound formula on the left and right of a sequent. Condensing these derivations gives us the ($L ) and ($R ) introduction rules shown in Figure 4, which we can inhabit with X -style terms in the usual way. We write the corresponding ‘iff-left’ and ‘iff-right’ terms as [M  [y ℄ ijN ℄ and [xP ; z QÆ ℄: respectively. The principal cut-elimination rule for $ should transform a proof that cuts together an ($R ) formula with an ($L ) formula, or in X notation,

b

b bb b

([xbP b; zbQÆb℄: )b y yb([M   [y ℄ ibjN ℄) ; ; y are introduced.

Unlike the connectives seen previously, the reduct is not straightforward to determine. The rules for the $ connective each bind two inputs and two outputs, and each rule has two subterms. We observe a striking resemblance between these terms and those used to represent the implication connective (i.e. the syn52

Raghunandan & Summers tax of X , Definition 2.1). The iff-right term is reminiscent of an export term, except two ‘functions’ are available over the same interface rather than one (n.b. A$B (A!B )^(B !A)). The iff-left term is reminiscent of a mediator with two binders over each of its subterms instead of one. We return to the previous method of determining the principal cut-elimination rule as detailed in Section 4, i.e. that of considering how one would reduce a cut between derivations that introduce a formula logically equivalent to A$B . We cut together the proofs that derive :(A_B )_(A^B ) on the left and right of the sequent and reduce them using the cut-elimination rules for negation, disjunction and conjunction. Condensing, then annotating the resulting proof yields the reduct:

((M b y xbP )b y bkhk. i) b y bj (((M b y zbQ)b y wbhw.Æ i)Æb y biN ) This reduct uses two copies of M , renaming their outputs (using capsules)

where necessary. A symmetrical alternative of the reduct renames inputs rather than outputs and requires two copies of N be made. A copy of either M or N is used to facilitate the connection of each output of M to each input of N . The question arises of whether this copying is necessary. We sought to explore other ways in which M and N could be connected and more specifically, whether it would be possible to obtain a solution without copying, since this would be significantly cheaper to evaluate. We discovered such a solution that renames one output in M and one input in N . This led us to the following definition for the principal iff cut-elimination rule. Definition 5.1 [Principal iff-reduction rule] The term

([xbP b; zbQÆb℄: )b y yb([M   [y ℄ ibjN ℄) where, , y are introduced and k;  fresh, reduces to one of the following variants. (a) ((M b y xbP )b y bkhk. i) b y zb(hz . ib y bj (QÆb y biN )) (b) ((M b y zbQ)b y bkhk.Æ i)Æb y xb(hx. ib y bi(P b y bj N ))

5.1 Simulating other connectives The only connectives logically expressible by $ are > and ID , which might lead us to believe its simulation capabilities are limited. However, we are able in fact to simulate the reductions of several other connectives, i.e. we can encode the syntax for these other connectives in such a way that reductions are preserved. When this is the case, we say we can computationally express the connective (which may or may not be expressible in a logical sense). As an example of a connective which can be computationally expressed, we show how to express the syntax and reduction behaviour of the X -calculus in a term calculus based on the $ connective (which we call X $ ). For brevity we omit the activated cuts, which should be treated analogously. 53

Raghunandan & Summers Definition 5.2 [Syntax for the calculus, X $ ]

M; N ::= hx. i j [M   [z ℄ ibjN ℄ j [xbM b; zbN Æb℄: j M b y xbN axiom

iff-left

iff-right

cut

As remarked earlier, the iff-left term is reminiscent of a mediator with two binders over each of its subterms rather than one, and the iff-right term is reminiscent of an export, except that two ‘functions’ are available over the the same interface rather than one. With this observation in mind, we move towards an encoding of the X -calculus in X $ . We can sensibly assume that when encoding the export into an iff-right term [xP ; z QÆ ℄: , we require only one of the two subterms, say P . This leaves the question of what we should do with Q. By making Q the capsule hy .Æ i, we can give an encoding that is sound (no undesired reductions are possible) providing that we restrict the reduction to always use the first variant of the principal rule given in Definition 5.1. This does not seem a severe restriction; one might view this as a strategy on the reduction (one always has the choice of which variant of the principal $ rule to use). Our encoding is as follows.

b bb b

Definition 5.3 [Interpretation of X into X $ ]

ddhx. i

$ = hx. i ddxbP b 

$ = [xbddP

$ b; zbhy.ÆiÆb℄: z; y; Æ fresh ddM b [y℄ xbN

$ = [ddM

$ [y℄ z xddN

$℄ ; z fresh ddM b y xbN

$ = ddM

$ b y xbddN

$ Notice that had we chosen Q to be hz .Æ i, this would have forced the types

for x and to be the same; our encoding would not preserve typeability. Due to space restrictions, we cannot discuss type-assignment in depth, but in brief it amounts to putting back the types which have been erased in the syntax. Typed terms correspond directly to sequent proofs (in which the formulas carry labels; the connector names). Regarding such type-systems, we have the following result: Theorem 5.4 (Preservation of typeability) For any ddP

$ is typeable.

X -term P , P

is typeable iff

In fact, the type derivations in the two systems are closely related; one can define a further encoding from a type-derivation for P in the usual X system to $ a type-derivation for ddP

in the corresponding X $ system. Such details are omitted here. To show that our encoding is sensible, we must also check that we can simulate the reductions of X . As pointed out in Section 3.2, the mechanism provided by the propagation and renaming rules is generic to any X -style term calculus; it performs the same basic task of pushing cuts through subterms and renaming connectors regardless of the syntax employed. To show that such rules are simulated 54

Raghunandan & Summers is straightforward, and we therefore only concern ourselves with the rule exp-med given in Definition 2.2. The following (abbreviated) reduction confirms that we can simulate the first variant of the the exp-med rule.

dd(xbP b  )b y yb(M b [y℄ bj N )

$ = ([xbddP

$ b; zbh .Æ iÆb℄: )b y yb([ddM

$  [y ℄ ibj ddN

$℄) (z; ; Æ; ; i fresh) ! ((ddM

$b y xbddP

$)b y bkhk. i) b y zb(hz.ib y bj (h .ÆiÆb y biddN

$)) (Def. 5.1(a)) ! (ddM

$b y xbddP

$) b y zbddN [z=j ℄

$ (act-R; gc-R; act-R; ren-R; act-L; gc-L) = ddM b y xb(P b y bj N )

$ (modulo -conversion) In fact, our encoding is only able to simulate this variant of the exp-med rule. The differently-bracketed alternatives of the exp-med rule do not reduce to each other and also do not always share the same normal forms. However, it is understood that the set of normal forms reachable from the two variants of exp-med, while not identical, differ only in some special cases, and even then only by permutations of structure in the terms. In this sense, our encoding captures all of the computations that can be performed within X . The principal cut-elimination rule for $ manipulates four subterms, while the principal rule for any pairing connective involves three. We encoded implication by choosing one of the four subterms to be a suitable capsule. Since the iff-terms bind many combinations of inputs and outputs, we can suitably restrict them to encode other pairing connectives in a similar way. We are able to encode the logical connectives ^ and " up to the same limitations as discussed above. Additionally, we are able to simulate fully (all reductions can be simulated) the : connective. While the $ connective is unable to logically express the connectives !, ^, ", :, we have shown we are able to simulate the significant computational behaviour of the corresponding terms. Similarly, the connective is able to simulate the computational behaviour for the dual pairing connectives , _, # and again the connective :.

6 Conclusions and Future Work This work has provided an analysis of the issues involved in deriving term calculi to correspond with arbitrary choices of logical connective. We have shown various general techniques for deriving suitable syntax, reduction rules and (to some extent) computational content corresponding with the inclusion of a logical connective of interest. The analysis of logical connectives purely in terms of the movement of their inputs and outputs, seems to yield interesting results, and this should be looked at more closely. For example, we hypothesise that a term calculus can express nonterminating terms if and only if it contains a connective which can ‘swap’ an input for an output. 55

Raghunandan & Summers Our investigation into the $ connective has shown that much more can be expressed than we first thought, and this directly relates to the inputs and outputs present. A more general investigation of the computational content of this connective (in particular, any examples which are not neatly expressed with other connectives) is the subject of future work. Our simulation result for X would also be strengthened by the formalisation of a suitable notion of equivalence on X -terms, which is likely to relate to Kleene permutations. This would also be useful future work for other research into the X -calculus.

References [1] Tristan Crolard. A formulae-as-types interpretation of subtractive logic. Journal of Logic and Computation, 14(4):529–570, 2004. [2] Pierre-Louis Curien and Hugo Herbelin. ICFP’00, pages 233–243. ACM, 2000.

The duality of computation.

In Proc.

[3] Gerhard Gentzen. Untersuchungen u¨ ber das logische Schliessen. Mathematische Zeitschrift, 39:176–210, 405–431, 1934. [4] Hugo Herbelin. A lambda-calculus structure isomorphic to Gentzen-style sequent calculus structure. In Proc. CSL ’94, volume 933 of LNCS, pages 61–75. Springer, 1994. [5] S.C. Kleene. Introduction to Metamathematics. North-Holland, 1952. [6] St´ephane Lengrand. Call-by-value, call-by-name, and strong normalization for the classical sequent calculus. In ENTCS, volume 86. Elsevier, 2003. [7] P.B. Levy. Jumbo lambda-calculus. In Proc. ICALP’06, LNCS. Springer-Verlag, 2006. [8] M. Parigot. An algorithmic interpretation of classical natural deduction. In Proc. LPAR’92, volume 624 of LNCS, pages 190–201. Springer-Verlag, 1992. [9] Alexander J. Summers and Steffen van Bakel. Approaches to polymorphism in classical sequent calculus. In ESOP’06, pages 84–99, 2006. [10] Christian Urban. Classical Logic and Computation. Cambridge, 2000.

PhD thesis, University of

[11] S. van Bakel, S. Lengrand, and P. Lescanne. The language and classical logic. In Proc. ICTCS’05, 2005.

X : circuits, computations

[12] Steffen van Bakel and Jayshan Raghunandan. Explicit alpha conversion and garbage collection in . In Proc. TERMGRAPH’06, ENTCS. Elsevier, 2006.

X

[13] Philip Wadler. Call-by-value is dual to call-by-name. In ICFP’03, pages 189–201. ACM Press, 2003.

56

DCM 2006

Term collections in

 and -calculi

Germain Faure 1 LORIA, BP 239 54506 Vandoeuvre-lès-Nancy Cedex France

The -calculus, also called the rewriting calculus, originally emerged from dierent motivationsand from a dierent communitythan the -calculus. It was introduced to make explicit all the ingredients of rewriting such as rule application and result [CK01]. In ne the -calculus provides an extension of the -calculus with additional concepts originating from rewriting and functional programing, namely, pattern-matching, and a structure construction which provides collections of terms. There are several aspects of the -calculus that have been studied so far. The dynamics of the computations has been studied [FMS05] by dening interaction nets for the -calculus. We can mention also the study of type systems [BCKL03,Wac04] and its application in a proof theory that handles rich proof-terms in the generalized deduction modulo [Wac05]. On a more practical side, the -calculus has been used to give a semantics both to rewrite based languages [CK01] such as ELAN [BKK+98] and to the atelier FOCAL [Mod,Pre03], an environment dedicated to the development of certied computer algebra libraries (ongoing works). Also,+the -calculus has been used to implement ecient decision procedures [SDK 03]. The management of collections of terms is crucial in calculi like the -calculus, in logic programming or in web query languages. Typically, matching constraints that are involved in the calculus may have more than one solution this is also the case for example in programming language like TOM [Tom], Maude [Mau], ASF+SDF [ASF] or ELAN [Ela]and thus generates a collection of results. As previously mentioned, the -calculus extends the syntax and the operational semantics of the -calculus by providing matching constraints and collections of terms. For example, let be a commutative symbol, x; y be variables and a; b constants. In the -calculus, the pattern-matching constraint x x y  a b , that is the application of the matching constraint x y  a b to x, reduces to a collection of terms consisting of the two terms a and b and denoted a o b. In fact, the two solutions of the pattern matching problem x y  a b, respectively fx a; y bg and fx b; y ag, are both applied to the body of the pattern matching constraint x and then we get the two results a and b. The corresponding evaluation rule is given by: +

[

+

+

+

+

1

Email:

+ ]

+

[email protected] This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

Faure

 N ! M1 o : : : o M where f g =1 is the set of solutions of the matching problem P  N . To handle collections of terms, we distribute the structure operator over the application and the abstraction operator: M1 o M2 N ! M1 N o M2 N x : M1 o M2 ! x : M1 o x : M2 The -calculus consists thus of four evaluation rules: the rule inherits from the -calculus, the  rule to deal with pattern matching constraints and the  rules to deal with collections of terms. Dierent works on the -calculus propose dierent approaches to deal with collections of terms. They were originally [CK01,Cir00] represented using sets. In more recent works [CLW03,RC], they are represented via a structure construction whose operational semantics is parametrised by a theory (typically a combination of the axioms of associativity, commutativity and/or idempotence) that the user chooses depending on the way s=he wants to deal with non-determinism in the calculus. For example, the original semantics of `sets of results' is recovered by considering the associative, commutative and idempotent (ACI) theory on structures. The generality given by those recent works is broken when the matching constraints involved in the calculus may have more than one solutions [Fau05]. In this case the theory on structures cannot be arbitrary and thus collections of results should be represented using sets. Moreover, two dierent derivations of a -term may only dier on the strategy used for the application of the  rules. We propose to identify them by assuming that terms are taken modulo the equivalence relation generated by  rules. More practically, we consider normalized rewriting [Mar96] by splitting the evaluation rules in two sets: the operational semantics now consists only of the two fundamental rules and the  and on the other hand we use the  rules to consider canonical sets, that is terms that are always normalized w.r.t. the  rules. This is not only a matter of taste since this has strong impact on the fundamental understanding of the calculus. The computational mechanism of the calculus becomes easier to understand since the  rules are no longer explicit evaluation steps. This opens in particular new possibilities in a deep study of the calculus such as a Böhm theorem [Kri90] for the -calculus. The same approach can be applied to other calculi like the -calculus with a parallel operator. In fact, the rst attempt to a denotational (Scott) semantics of the -calculus proposed in [FM05] enlighten a relation between the -calculus and the  -calculus. The  -calculus was introduced as a -calculus that is expressive for domains of parallel functions [Bou94]. Syntactically, it is an extension of the -calculus with a parallel operator that distributes 58 M [P

]



n i i

(

)

(

q

app

)

abs

q

n

Faure

left w.r.t the application and with the -abstraction (as the structure operator of the -calculus). It has been extended to parallel and non-deterministic -calculi like in [DCdP93]. Scott models for the -calculus are surprisingly close to the models of the  -calculus (the parallel operator, respectively the structures are adequately represented by the join operator) and this suggests a relationship between the structure operator of the -calculus and the parallel operator of the  -calculus. We introduce a new calculus that extends the syntax and the operational semantics of the -calculus to deal with canonical sets of terms. This calculus enjoys the Church-Rooser property and gives a new operational semantics for the  -calculus (the work of [Bou94] mainly insists on models while in this work, we propose to look at the  -calculus from an operational point of view). q

q

q

q

Contributions

We propose a new syntax and operational semantics for the  -calculus. We introduce a new approach to deal with collections of results that can be applied both to the  -calculus and to the -calculus. We also make clear the relationship between both formalisms. Finally, since the standard techniques of rewriting modulo [Hue80,KK99,Ohl98] cannot be applied to prove the ChurchRosser property, the approach followed hereinspired from [HR03] may be applied likewise in the abstract study of rewriting modulo an equivalence relation. We nally discuss an implementation of the calculus in TOM [Tom] and its link with canonical abstract syntax trees [Rei06]. q

q

Acknowledgments

Alexandre Miquel suggests to the author the reading of [HR03]. This was the starting point of the work. We also thank Lionel Vaux, Horatiu Cirstea and Claude Kirchner for useful interactions and comments on this work.

References [ASF] ASF+SDF. A component-based language development environment. http://www.cwi.nl/projects/MetaEnv/. [BCKL03] G. Barthe, H. Cirstea, C. Kirchner, and L. Liquori. Pure patterns type systems. In Principles of Programming Languages - POPL2003, New Orleans, USA. ACM, January 2003. [BKK+ 98] P. Borovanský, C. Kirchner, H. Kirchner, P.-E. Moreau, and C. Ringeissen. An overview of ELAN. In Proc. of WRLA, volume 15, http://www.elsevier.nl/locate/entcs/volume15.html. ENTCS, September 1998. [Bou94] G. Boudol. Lambda-calculi for (strict) parallel functions. Inf. Comput, 108(1), January 1994.

59

Faure [Cir00] H. Cirstea. Calcul de réécriture : fondements et applications. PhD thesis, Université Henri Poincaré - Nancy I, 2000. October 25. [CK01] H. Cirstea and C. Kirchner. The rewriting calculus  Part I and II. Logic Journal of the Interest Group in Pure and Applied Logics, 9(3):427498, May 2001. [CLW03] H. Cirstea, L. Liquori, and B. Wack. Rewriting calculus with xpoints: Untyped and rst-order systems. volume 3085. Springer, 2003. [DCdP93] M. Dezani-Ciancaglini, U. de'Liguoro, and A. Piperno. Filter models for a parallel and non deterministic lambda-calculus. In A. M. Borzyszkowski and S. Sokolowski, editors, Mathematical Foundations of Computer Science 1993, 18th International Symposium, volume 711 of lncs, pages 403412, Gdansk, Poland, 30 August 3 September 1993. Springer. [Ela] Elan. The ELAN system:. http://elan.loria.fr/. [Fau05] G. Faure. A remark on the study of the rho-calculus in presence of symbols dened modulo an equational theory. Draft notes, LORIA, 2005. [FM05] G. Faure and A. Miquel. Towards a denotational semantics for the rhocalculus. Draft notes, LORIA, 2005. [FMS05] M. Fernández, I. Mackie, and F.-R. Sinot. Interaction nets vs. the rhocalculus: Introducing bigraphical nets. In Proceedings of EXPRESS'05, satellite workshop of Concur, San Francisco, USA, 2005, Electronic Notes in Computer Science. Elsevier, 2005. [HR03] T. Herhard and L. Reigner. The dierential lambda-calculus. Theoretical Computer Science, 309, 2003. [Hue80] G. Huet. Conuent reductions: Abstract properties and applications to term rewriting systems. Journal of the ACM, 27(4):797821, 1980. [KK99] C. Kirchner and H. Kirchner. Rewriting, solving, proving. A preliminary version of a book available at www.loria.fr/~ckirchne/rsp.ps.gz, 1999. [Kri90] J.-L. Krivine. Lambda-Calcul : Types et Modèles. Etudes et Recherches en Informatique. Masson, 1990. [Mar96] C. Marché. Normalized rewriting: An alternative to rewriting modulo a set of equations. J. Symb. Comput, 21(3), 1996. [Mau] Maude. The maude system:. http://maude.cs.uiuc.edu/. [Mod] Mod. Modulogic home page. http://modulogic.inria.fr. [Ohl98] E. Ohlebusch. Church-Rosser theorems for abstract reduction modulo an equivalence relation. In Proceedings of Rewriting Techniques and Applications (RTA-98), volume 1379 of LNCS, pages 1731. Springer, 1998.

60

Faure Conception et Implantation du langage FoC pour le développement de logiciels certiés. Thèse de doctorat, Université Paris

[Pre03] V. Prevosto.

6, September 2003.

[RC] Rewriting-Calculus. The -calculus home page. http://rho.loria.fr/. Canonical abstract syntax trees. In Proceedings of the 6th International Workshop on Rewriting Logic and its Applications.

[Rei06] A. Reilles.

Electronic Notes in Theoretical Computer Science, 2006. to appear.

[SDK+ 03] A. Stump, A. Deivanayagam, S. Kathol, D. Lingelbach, and D. Schobel. Rogue Decision Procedures. In C. Tinelli and S. Ranise, editors,

1st International Workshop on Pragmatics of Decision Procedures in Automated Reasoning, 2003.

[Tom] Tom. The Tom langage:. http://tom.loria.fr/. [Wac04] B. Wack. The simply-typed pure pattern type system ensures strong normalization. IFIP-WCC TCS, 2004. [Wac05] B. Wack.

A Curry-Howard-De Bruijn Isomorphism Modulo.

submission, 2005.

61

Under

Faure

62

DCM 2006

Probabilistic Model{Checking of Quantum Protocols Simon Gay

1

Department of Computing Science University of Glasgow Rajagopal Nagarajan

2;4

Nikolaos Papanikolaou

3;4

Department of Computer Science University of Warwick .

Abstract

We establish fundamental and general techniques for formal veri cation of quantum protocols. Quantum protocols are novel communication schemes involving the use of quantum-mechanical phenomena for representation, storage and transmission of data. As opposed to quantum computers, quantum communication systems can and have been implemented using present-day technology; therefore, the ability to model and analyse such systems rigorously is of primary importance. While current analyses of quantum protocols use a traditional mathematical approach and require considerable understanding of the underlying physics, we argue that automated veri cation techniques provide an elegant alternative. We demonstrate these techniques through the use of prism, a probabilistic model-checking tool. Our approach is conceptually simpler than existing proofs, and allows us to disambiguate protocol de nitions and assess their properties. It also facilitates detailed analyses of actual implemented systems. We illustrate our techniques by modelling a selection of quantum protocols (namely superdense coding, quantum teleportation, and quantum error correction) and verifying their basic correctness properties. Our results provide a foundation for further work on modelling and analysing larger systems such as those used for quantum cryptography, in which basic protocols are used as components.

1 Email: 2 Email:

[email protected] [email protected] [email protected]

3 Email: 4 R. Nagarajan and N. Papanikolaou are partially supported by EPSRC grant GR/S34090 This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

www.elsevier.nl/locate/entcs

Gay, Nagarajan and Papanikolaou

1 Introduction

In the 1980s it was rst realized that quantum{mechanical phenomena can be exploited directly for the manipulation, storage and transmission of information. The discovery of quantum algorithms for prime factorization [16] and unstructured search [7], which outperformed the best classical algorithms for these tasks signi cantly, opened up new vistas for computer science and gave an initial thrust to the emerging eld of quantum computation. To implement a quantum algorithm, however, a large scale quantum computer is necessary and such a device has yet to be built. Research in quantum information, on the other hand, has shown that quantum e ects can be harnessed to provide ecient and highly secure communication channels, which can be built using current technology. Entangled quantum states, superpositions and quantum measurement are among the characteristics of the subatomic world which nature puts at our disposal; these and related phenomena enable the development of novel techniques for computation and communication with no rival in classical computing and communication theory. The focus in this paper is on communication protocols involving the use of such phenomena. Quantum protocols have particularly important applications in cryptography. Several quantum protocols have been proposed for cryptographic tasks such as oblivious transfer, bit commitment and key distribution [8,11]. The BB84 protocol for quantum key distribution [2,12], which allows two users to establish a common secret key using a single quantum channel, has been shown to be unconditionally secure against all attacks [10]. Other quantum protocols include procedures for superdense coding [4], teleportation [3] and quantum error correction [17]. We assume that the reader is familiar with the basic concepts of quantum computing, as presented in [8,11]. We argue that detailed, automated analyses of protocols such as these facilitate our understanding of complex quantum behaviour and enable us to construct valuable proofs of correctness. Such analyses are especially important to manufacturers of commercial devices based on such protocols; the actual security of commercial quantum cryptographic systems, for example, is worth an in{depth investigation. Communication protocols have always been under scrutiny by computer scientists, who have developed numerous techniques for analysing and testing them, including process algebras, formal speci cation languages and automated veri cation tools. Automated veri cation techniques, such as model-checking and theorem proving, are frequently targeted at protocols and have been used to detect faults and subtle bugs. For instance, the fdr model-checker allowed Gavin Lowe to uncover a aw in the Needham{Schroeder security protocol [15]. Although current model-checkers were developed primarily for the analysis of classical systems, we have found ways of using them to model quantum behaviour. To account for the proband the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography )

64

Gay, Nagarajan and Papanikolaou

abilism inherent in quantum systems, we have chosen to use a probabilistic model{checker, in particular, the prism tool developed at the University of Birmingham [14]. prism is an acronym for probabilistic symbolic model checker, and is designed for modelling and validating systems which exhibit probabilistic behaviour. A tool such as prism computes the probability with which a system model  satis es a temporal formula , i.e. the value of P; = Prf j= g for given  and . The models catered for by prism may incorporate speci c probabilities for various behaviors and so may the formulas used for veri cation. The application of probabilistic model{checking to quantum systems is entirely appropriate, since quantum measurement is inherently probabilistic; to reason about quantum behaviour one must certainly account for this. prism uses a built{in speci cation language based on Alur and Henzinger's reactive modules formalism (see [9,14] for details). Internally, a prism model is represented by a probabilistic transition system. The probabilistic temporal logic pctl [5] is used as the principal means for de ning properties of systems modelled in prism. 2 Fundamental Techniques

In order to use a classical probabilistic model{checker to verify quantum protocols, we need to model the quantum states that arise in a given protocol, and the e ect of speci c quantum operations on these states. prism itself only allows positive integer and boolean variables to be used in models. So how can we model the states of quantum systems, and the quantum operations arising in protocols, using only classical data types and arithmetic? Single qubits can be in a superposition of two states, while classical variables can only take on a single value in any given state. The coecients of these states can be any two complex numbers whose moduli squared sum to unity, and there is an uncountable in nity of these; of course, prism can only work with a nite state space. Furthermore, quantum systems consisting of many qubits can be in entangled states, which, unlike classical systems, cannot be decomposed into products of individual states. What is needed, therefore, is a means of representing quantum states fully and consistently, in a form that prism can handle. Of all the possible quantum states of an n{qubit system, we identify the nite set of states which arise by applying the operations CNot, Hadamard (H ), and 0; 1; 2; 3 to input states. We con ne our analyses to protocols that involve only this restricted set of operations. At present, determining which states belong to this set is done manually, but we are considering ways of automating this. Consider a very simple system: a single qubit, being acted upon through the Hadamard gate and through measurement in the standard basis. For our purposes, the state of the qubit may be j0i ; j1i ; or an equal superposition of 65

Gay, Nagarajan and Papanikolaou

the two. In fact, these states are sucient to model the BB84 protocol for quantum key distribution [2]. The quantum states which we need to represent in order to model this simple system are thus: j0i ; j1i ; p1 (j0i + j1i) ; and p1 (j0i j1i) 2 2 To model this small, nite set of quantum states, which is closed under the operation of the Hadamard gate and the Pauli operators, we represent each state by assigning a unique integer from 0 to 3 to it, and we use straightforward transitions from one integer value to another to model the action of the gate. A protocol such as superdense coding, which we will discuss in Section 3.1, can be expressed as a step-by-step interaction with a two{qubit system. In order to model the states of 2{ and 3{qubit systems, the quantum operators and the measurements which arise in this and related protocols such as teleportation, we have developed a code generation tool called prismgen. This tool generates a prism code fragment, or module, in which each quantum state is represented by a unique positive integer. Every quantum operator used in a particular protocol is coded as a set of deterministic transitions from one quantum state to another. prismgen calculates these transitions by multiplying the unitary matrix, which corresponds to a particular operator, with each quantum state vector of interest. A measurement is modelled by a set of probabilistic transitions, leading to the various possible outcomes with equal probability. For simplicity, we have only considered states whose measurement outcomes are all equiprobable, although prism does allow us to model the more general case. From the overall state space for a two{qubit system, a certain subset is closed under the CNot, Hadamard and Pauli operations. This subset consists of 4 states corresponding to the four basis vectors, 12 states which are sums of two basis vectors, and 8 states which are sums of all four basis vectors. Proposition 2.1 The above set of 24 states is closed under the

CNot, Hadamard

and Pauli operations.

Proof.

(i) (ii)

These states can be expressed in the following way.

The single basis vectors: j00i, j01i, j10i, j11i The states containing two basis vectors can be separated into three subclasses: (a) 12 (j0i  j1i) j0i, 12 (j0i  j1i) j1i (b) j0i 12 (j0i  j1i), j1i 12 (j0i  j1i) (c) 12 (j00i  j11i), 12 (j01i  j10i) The states containing four basis vectors can be expressed in any of the forms: (a) 12 (j0i  j1i) j0i  12 (j0i  j1i) j1i (b) j0i 12 (j0i  j1i)  j1i 12 (j0i  j1i) (c) 12 (j00i  j01i  j10i  j11i) p

p

p

p

(iii)

p

p

p

p

p

p

66

Gay, Nagarajan and Papanikolaou

It is obvious that each set (1.){(3.) individually is closed under each i (applied to either qubit) and CNot (with either qubit as control) because these operations are permutations of the basis vectors. Each set has an evident symmetry among the basis vectors (taking (3.a) and expanding (2.) into an explicit list of states). Applying H to the rst qubit gives a bijection between (1.) and (2.a), between (2.b) and (3.a), and between (2.c) and (3.b). Applying H to the second qubit is similar.

2

Our prismgen tool enumerates these states and calculates the transitions corresponding to the various operations. The resulting prism module can be included as part of any model which involves measurements and the application of these operations to a system of two qubits. The situation with a system of three qubits is similar. We have developed a 3{qubit version of prismgen, which gives us the ability to model protocols such as those for quantum teleportation and quantum error correction. 3 Illustrative Examples

We have been able to model a certain number of quantum protocols using the aforementioned techniques. These include: (1) superdense coding, which is a procedure for encoding pairs of classical bits into single qubits; (2) quantum teleportation, which allows the transmission of a quantum state without the use of an intervening quantum channel; and (3) quantum error correction, namely the qubit ip code, which corrects a single bit ip error during transmission of quantum bits. The source les for the models in this section are available online from http://go.warwick.ac.uk/nikos/research/. 3.1

Superdense Coding

The simplest quantum protocol which we will use to illustrate our techniques is the superdense coding scheme [4]. This scheme makes it possible to encode a pair of classical bits on a single qubit. With superdense coding, a quantum channel with a capacity of a single qubit is all that is necessary to transmit twice as many bits as a serial classical channel. Superdense coding is essentially a computation on a two{qubit system; therefore, the prism model of this protocol uses the 2{qubit version of prismgen. We begin with a description of the protocol, and proceed to show how it is modelled and veri ed with prism. The setting for superdense coding involves two parties, conventionally named Alice and Bob, who are linked by a quantum channel and share a pair of entangled qubits. The objective is for Alice to communicate the binary number xy | henceforth termed the message and denoted by (x; y), with x; y 2 f0; 1g | by transmitting a single qubit to Bob. The superdense protocol takes advantage of the correlations between qubits P1 and P2, which are in an entangled quantum state. Alice essentially in uences this state in such 67

Gay, Nagarajan and Papanikolaou

a way that Bob's measurement outcome matches the message of her choice. The superdense coding protocol is as follows. (i) Two qubits, P1 and P2, are placed in an entangled state using the Hadamard and CNot operations. Alice is given P1, and Bob is given P2. (ii) Alice selects a message, (x; y), and applies the ith Pauli operator, i; to P1 , where i = y + x(2 + ( 1)y ). She transmits this particle to Bob. (iii) Bob applies the CNot gate from P1 to P2, and then he applies the Hadamard gate to the former. (iv) Bob measures the two particles, thus obtaining a pair of classical bits, (x ; y ). If no disturbance has occurred, this pair of bits will match the original message, i.e. (x ; y ) = (x; y). The model of superdense coding consists of four prism modules. Of these four, one module is generated automatically by prismgen and describes the possible states of the two qubits. There is a module specifying Alice's actions, and similarly one for Bob's. Before we examine the workings of this model in detail, consider the following observations, which highlight the capabilities of prism. In the prism model, Alice's rst action is to select one of the four possible messages (represented by the integers 0, 1, 2, 3); each message has an equal probability, 14 , of being chosen. This is an assumption we made when constructing this model, but it is possible to specify di erent respective probabilities for the four choices. Another point worth noting is that, depending on which message is chosen, the protocol proceeds in one of four distinct ways; prism actually considers all these possibilities when testing the validity of a property. This is precisely why we advocate the use of model-checking for these analyses, as opposed to simulation of quantum protocols, proposed elsewhere; simulators only treat one of several possible executions at a time. prism interprets the superdense coding model as a probabilistic transition system, which can be depicted as a graph. The nodes in the graph correspond to the internal state numbers which prism assigns to each step in the protocol. Each internal state number corresponds to a tuple with the states of all variables in a particular model. An illustration of this graph and the details of the internal state numbers will be included in the full paper. The quantum state of the two-qubit system is represented by the variable state in the prism model. When Bob has nished his measurement, and the dense coding protocol terminates, one of 4 nal states is reached (each representing a distinct possibility in the computation). The property required for veri cation must be expressed in terms of the nal state. When the dense coding protocol terminates, Bob's measurement result, i.e. the pair of classical bits (x ; y ), must match Alice's original choice (x; y). This requirement is expressed using pctl, as follows: 0

0

0

0

0

0

P > 1 [ true U ((protocol finished) ^ (result = msg)) ] 68

(1)

Gay, Nagarajan and Papanikolaou

The pctl formula in (1) stipulates that the probability of Bob's result matching Alice's choice is 1. Model{checking with prism con rms that this property holds (i.e. this property is true for all executions of the model). We have thus proven, using the prism model{checker, that the dense coding protocol always succeeds in transmitting two classical bits using a single qubit. Clearly, this is not dicult to prove by hand; however, we have used dense coding as a simple demonstration of our approach. 3.2

Quantum Teleportation

Our next example is the quantum teleportation protocol [3], which involves a computation on three qubits. Teleportation is a process that exploits entanglement in order to transmit an arbitrary qubit state using only a classical communications channel. The quantum circuit for teleportation is shown in Fig.1.



j i j0i j0i

H



H



NM

 



 

NM

 

i

j i

Fig. 1. Quantum circuit diagram for the teleportation protocol.

The prism model of teleportation is similar in appearance to that for superdense coding, and it is not included here due to lack of space. It is a transformation on a collection of three qubits, as opposed to the two for superdense coding. This calls for the 3-qubit version of prismgen. Other than this, the prism model itself is unremarkable, and matches the structure of the quantum circuit for teleportation, given in the appendix. Verifying the teleportation protocol with prism is more involved. Short of manual calculation, it is not possible to predict what the quantum state of the entire 3qubit system will be at the end of the teleportation protocol; indeed, there are several possible nal states, depending on which quantum state Alice chooses to transmit to start with. We are interested in checking that the state of Bob's qubit matches Alice's original qubit state, j i, which is assumed to be one of j0i ; j1i ; j+i j i : To formulate a usable property for veri cation, we need to express this requirement in terms of the overall state of the 3{qubit system. Formally, the speci cation of the teleportation protocol is this: if the initial state of the 3-qubit system is of the form j i j00i ; then the nal state will be of the form ji j i, where ji is a two{qubit state. Let's consider this in more detail. If Alice chooses to teleport j i = j0i ; the nal state of the 3{ qubit system will be of the form ji j0i. Similarly, if Alice chooses to teleport j i = j1i, the nal state of all three qubits will be of the form ji j1i. Finally, 69

Gay, Nagarajan and Papanikolaou

if Alice chooses to teleport the superposition j i = 12 j0i + 12 j1i, the nal state of the three qubits will be of the form ji 12 j0i + 12 j1i : Clearly, the pctl property necessary for veri cation will depend on the choice of j i; it will stipulate that, when the teleportation protocol has completed, the nal state of the 3-qubit system will have one of the forms given above. In particular, if the input state is j0i ; the necessary property is p

p

p

p

P > 1 [ true U ((telep end) ^ ((st = s1) _    _ (st = sn))) ] (2) where telep end is a predicate which is true when the protocol completes, and the values s1; : : : ; sn represent quantum states of the form ji j0i. If the input state is j1i ; the necessary property has exactly the same form as (2), but the values s1; : : : ; sn represent quantum states of the form ji j1i; similarly for the case when the input state is the superposition 12 j0i + 12 j1i. In other words, in order to formulate the property needed to verify the protocol, we need to choose the input states and determine the possible nal states of the three{qubit system in advance. This may be seen as begging the question; there is little point in verifying a protocol whose nal outcome has already been calculated by hand. We have developed an auxiliary tool to prismgen, which computes the internal state numbers s1 ; : : : ; sn corresponding to the desired nal states. When the pctl property for a particular input is supplied to prism, the tool proves that the teleportation model works as expected. Since the model{checker necessarily constructs a nite state space for the model, the teleportation protocol can only be veri ed for a speci c, known set of inputs, rather than an arbitrary quantum state. p

3.3

p

Quantum Error Correction

Our third and nal example is the quantum bit{ ip code for error correction [17]. In order to correct a single bit ip error, which may occur during the transmission of a single qubit state, this code represents the state by using a collection of three qubits. In particular, the qubit state j0i is encoded as j000i and the state j1i is encoded as j111i. A bit ip error on the second qubit, for example, transforms j000i into j010i. In order to detect such an error, two additional qubits are used; they are known as ancillas. By applying a sequence of operations and measurements to the ancillas, the so{called error syndrome is obtained, which determines the location of the error. Then, the 1 operator is applied to the erroneous qubit, thus restoring the initial quantum state of the 3{qubit system. The quantum circuit for the bit{ ip code is given in Fig. 2. For the diagram we have assumed that a bit{ ip error does occur prior to the computation of the syndrome. Our prism model of the protocol for the quantum bit{ ip code includes a channel which perturbs the transmitted qubit with a chosen probability; this 70

Gay, Nagarajan and Papanikolaou

j i

j0i j0i







 



 

 

j0i j0i

 

1;i



 

NM

 

 



j i

 

NM

Fig. 2. Quantum circuit diagram for the qubit bit{ ip code.

probability is a parameter of the model, and can be varied as required. The model uses the output from the 3{qubit version of the prismgen tool. When the syndrome computation is taken into account, there are in total ve qubits whose states need to be modelled; since we have not yet implemented a code generator for 5{qubit quantum systems, the state transitions for the syndrome computation are calculated in advance and manually coded into prism. To verify the correctness of the quantum bit{ ip code, we need to ensure that: independently of which of the three qubits is perturbed and with what probability this occurs, the protocol does succeed in correcting the error. Thus, at the end of the protocol, the state of the 3{qubit system should be in one of the following forms (where ji is a two{qubit state):

j0i ji ; if the input state was j0i j1i ji ; if the input state was j1i  p1 j0i + p1 j1i ji ; if the input state was p1 (j0i + j1i)

(3) (4) (5)

2 2 2 The properties used in prism to verify the protocol are analogous to those for teleportation, taking the form

P > 1 [ true U ((qbf end) ^ ((st = s1) _    _ (st = sn))) ] (6) where qbf end is a predicate which holds when the protocol completes, and the values s1; : : : ; sn represent quantum states of one of the forms given in (3){ (5). prism con rms that the protocol does indeed leave the 3{qubit system in one of these forms, depending on the input, as expected. 4 Challenges and Future Prospects

We have demonstrated our approach to the analysis of quantum communication protocols using a simple examples. There is signi cant scope for future work, ranging from improvements to our current code{generation techniques, to the automated veri cation of larger systems, such as quantum cryptographic devices. 71

Gay, Nagarajan and Papanikolaou

At present we explicitly construct state spaces and transition tables for systems involving up to three qubits and the H , CNot and i operators. We have informally reached the conclusion that, for any number of qubits, there is a nite set of states which is closed under these operators. It is not directly obvious how many states these are, but this could be established computationally. There is a mathematical framework called the stabilizer formalism, which could be used to calculate these states. Investigating this formalism and its implications could lead to a more ecient model checking for protocols; it is already known that stabilizer circuits can be eciently simulated by a classical computer [1]. The guarded transitions of prism's modelling language make it awkward to express some basic control structures such as sequencing. Each prism module typically requires a variable which acts as a program counter and must be explicitly incremented in each transition. We intend to develop automatic translations from the high{level process calculus cqp [6] into prism's native language. Combining such a speci cation formalism for protocol models with a logic for de ning properties will allow us to verify quantum protocols at a higher level. Our ultimate aim is to construct models of larger systems which combine quantum and classical components, or which combine more than one quantum protocol. For example, we are working on augmenting an existing model [13] of the BB84 key{distribution protocol with descriptions of authentication, secret{key reconciliation, and privacy ampli cation protocols [8]. As prism allows probabilities of particular events to be calculated directly, we can obtain numerical values of probability, such as those that arise in mathematical analyses of security; we have taken advantage of this capability in our existing model of BB84. More complex protocols generally involve larger numbers of qubits, leading to ever greater state spaces for veri cation.

5 Conclusions

We have established, for the rst time, techniques for analyzing and verifying quantum communication systems. Our key contributions are the development of a general approach to modelling the state space of systems of several qubits, and the introduction of techniques for de ning properties of quantum protocols in the logic pctl. We have illustrated our approach by modelling and verifying three example protocols (focusing on superdense coding only here) using prism. Although these examples are simple, they are important building blocks of the theory of quantum communication. Having established fundamental and general techniques for formal veri cation of quantum protocols, we are in a strong position to carry out end{to{end veri cations of larger systems, such as those used for quantum cryptography. 72

Gay, Nagarajan and Papanikolaou

References [1] Aaronson, S. and D. Gottesman, Improved simulation of stabilizer circuits (2003), available at arXiv.org. Record: quant-ph/0406196. [2] Bennett, C. H. and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in: Proceedings of International Conference on Computers, Systems and Signal Processing, 1984. [3] Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres and W. K. Wootters, Teleporting an unknown quantum state via dual classical and Einstein{Podolsky{Rosen channels, Physical Review Letters 70 (1993), pp. 1895{1899. [4] Bennett, C. H. and S. J. Wiesner, Communication via one- and two-particle operators on Einstein{Podolsky{Rosen states, Physical Review Letters 69 (1992), pp. 2881|2884. [5] Ciesinski, F. and M. Groer, On probabilistic computation tree logic., in: Validation of Stochastic Systems, 2004, pp. 147{188. [6] Gay, S. and R. Nagarajan, Communicating quantum processes, in: POPL '05: Proceedings of the 32nd ACM Symposium on Principles of Programming Languages, Long Beach, California, 2005. [7] Grover, L. K., A fast quantum mechanical algorithm for database search, in: Proc. 28th Annual ACM Symposium on the Theory of Computing (STOC), 1996, pp. 212{219. [8] Gruska, J., \Quantum Computing," McGraw{Hill International, 1999. [9] Kwiatkowska, M., G. Norman and D. Parker, Modelling and veri cation of probabilistic systems, in: P. Panangaden and F. V. Breugel, editors, Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, American Mathematical Society, 2004 Volume 23 of crm Monograph Series. [10] Mayers, D., Unconditional security in quantum cryptography, Journal of the acm 48 (2001), pp. 351|406. [11] Nielsen, M. A. and I. L. Chuang, \Quantum Computation and Quantum Information," Cambridge University Press, 2000. [12] Papanikolaou, N., Introduction to quantum cryptography, ACM Crossroads Magazine 11.3 (2005), pp. 10|16. [13] Papanikolaou, N., \Techniques for Design and Validation of Quantum Protocols," Master's thesis, Department of Computer Science, University of Warwick (2005). [14] Parker, D., G. Norman and M. Kwiatkowska, prism 2.0 users' guide (2004). [15] Ryan, P., S. Schneider, M. Goldsmith, G. Lowe and B. Roscoe, \Modelling and Analysis of Security Protocols," Pearson Education, 2001. [16] Shor, P., Algorithms for quantum computation: discrete logarithms and factoring, in: Proceedings of 35th Annual Symposium on Foundations of Computer Science (1994). [17] Steane, A. M., Quantum computing and error correction, in: A. Gonis and P. Turchi, editors, Proceedings of the NATO Advanced Research Workshop (2000), pp. 284|298.

73

Gay, Nagarajan and Papanikolaou

74

DCM 2006

Handshake Games Lu a Fossati 1 2 ;

Dipartimento di Informati a Universit a di Torino Torino, Italia

Abstra t

In this paper I present what I a

omplished so far. I present a game model for the semanti al analysis of handshake ir uits. I show how the model aptures e e tively the omposition of ir uits in an asso iative way. Then I build a ompa t- losed

ategory of handshake games and handshake strategies and I show informally how these an be applied in the semanti s, when events en oding data are also onsidered. In an appendix I show that the proposed reformulation of nondeterministi strategies works for the sequential ase (in the sense of [5℄) as well. Key words: Game semanti s, handshake ir uits, nondeterminism, on urren y, asso iativity.

1 Introdu tion The handshake proto ol has experien ed a great ommer ial su

ess as a paradigm for asyn hronous ommuni ation and omputation. It is a proto ol of ommuni ation between ir uits, whi h are onne ted through hannels over whi h they ex hange information. In parti ular a ir uit sends a message over a hannel through an interfa e alled port. In a ommuni ation over a single hannel, one ir uit takes the a tive role and sends the rst message while the other is initially waiting for an a tivation sign. Then the former waits for the latter to reply, and so on. From a ir uit's point of view, this behavior indu es an alternating sequen e of input and output messages, requests and a knowledges. The handshake te hnology has been employed in parts of several integrated systems, moreover in the Philips Resear h Labs it has been designed a programming language alled Tangram, whose programs are naturally translated 1

I thank Feli e Cardone for having started me on the subje t, Russ Harmer, Paul-Andre Mellies and Pierre-Louis Curien for useful hints on the riti al part. 2 Email: fossatidi.unito.it This paper is ele troni ally published in Ele troni Notes in Theoreti al Computer S ien e URL:

www.elsevier.nl/lo ate/ent s

Fossati into and implemented as handshake ir uits. With an ar hite ture that does not rely on a entral lo k, these ir uits gain in eÆ ien y and speed (a slow module has a lower impa t on the overall system) and pose less problems in the engineering phase. But in ontrast with the in rease of interest in the implementations of the proto ol, the foundational investigation rests still as it was ten years ago. For example, there is not yet an analysis of handshake pro esses whi h, in addition to ex hanging syn hronization events, also ex hange data in their ommuni ations. Moreover all the literature relies on a single model [13℄: indeed, a very natural hara terization of ir uits with a ni e analysis of their behavior; however some points are still not treated in suÆ ient detail. The main of these is surely the analysis of omposition. The property of delay insensitivity allows us to ignore the order in whi h messages rea h destination, to do as if it was the same order in whi h they have been sent ([13℄, page 75). Still, it remains not trivial to model omposition pre isely. Surely handshake ir uits ompose and surely they ompose in the same way no matter the order of ompositions (asso iativity): in the end it is just the same phisi al phenomenon observed from di erent angles: : : but, does the model apture the observation of the physi al phenomenon faithfully? is any quies ent point (inside a ommuni ation) taken into a

ount by the model? As expe ted, the problem rises in presen e of the \infamous" in nite internal

hatters and really auses big troubles, as asso iativity of omposition is a fundamental property. While looking deeper into the issue I found a ounter-example to the asso iativity of omposition in Van Berkel's model. Later on, Russ Harmer pointed out to me another (more general) ounter-example, due to Ros oe [12℄, whi h tells that any model of unbounded nondeterminism must list expli itly the possibly in nite ommuni ations inside the pro ess' des ription. My sear h for a solution was based on previous game semanti s of nondeterminism and on urren y [4℄[5℄[3℄[6℄[8℄ in whi h the problem of omposition is treated in full detail. The hoi e is in part motivated by the many similarities between the game paradigm and the handshake proto ol. The ommon view of omputation as intera tion is the key ingredient, from whi h follow several other orresponden es, where all the dualisms are re e ted. In most

ases it is just a matter of swit hing to a new vo abulary:  player=opponent () system=environment;  passive=a tive () negative=positive;  move () message;  P move=O move () input=output;  query=response () request=a knowledge. One ould also argue that games orrespond to handshake stru tures and 76

Fossati strategies to handshake pro esses 3 but on these aspe ts the orresponden e is not so lear in the handshake ir uits literature. There is no lear distin tion between a pro ess and its stru ture, no on ept of a type. This is another motivation for adopting the game formalism: de nitely game models rely on powerful mathemati al stru tures su h as ategories and logi , and these are the perfe t tools for de ning a type theory. The work ould be pla ed inside Abramsky's program to bridge the histori al gap in formal semanti s, between the family of fun tional models (denotational semanti s) and models of on urren y (pro ess al uli) ([1℄ and [2℄, among other works). Combining nondeterminism with on urren y and asyn hrony has been a major issue to deal with. Mos hovakis published several works in that dire tion (starting from [10℄) but I believe the aim there was more dire ted to the veri ations of properties (fairness) than to the stru tural analysis, whi h makes his works essentially di erent from mine. A reasonable hoi e was to extend the model for nite nondeterminism of Harmer and M Cusker [4℄ but unfortunately that is justi ed only with the assumption of sequentiality of the overall ommuni ation (the stri t alternan e within plays). So I turned to ountable nondeterminism [5℄, reformulated in a way that allows extension to parallelism. Basi ally in the new formalism, nondeterministi strategies are seen as sums of deterministi strategies. The idea of su h a presentation was given me by Paul-Andre Mellies during a dis ussion and follows quite a few works in the literature, starting from [11℄ and in luding the works by Mos hovakis.

2 Notations In the following I will give a few de nitions that always turn out useful when dealing with the formal aspe ts of on urren y. Some are inherited from Mazurkiewi z's seminal work on tra e theory, even though I hanged them in order to t them in the urrent ontext. We de ne a on urrent alphabet as an alphabet M equipped with a binary re exive symmetri and transitive relation D over its letters (moves, as we will all them). D is alled the dependen e relation. Being an equivalen e relation, D de omposes the alphabet into equivalen e lasses whi h we all partitions. A string over hM; D i is just a string over M. The omplementary relation is independen e, I. Let hM; D i be a on urrent alphabet. Every string s over M has an underlying graph indu ed by D. The verti es are the moves in s and edges between two moves are present if and only if the two moves are dependent with ea h other. Any maximal lique is the underlying graph of a unique string t ontained in s, where moves appear in the same order in t as they appear in s. We 3

This would allow one to give a neat de nition of handshake ir uits as spe i ations of behaviors over stru tures.

77

Fossati say t is a thread of s. A thread ould also be seen as a string over a partition of hM; D i. The initial move of a thread t is the rst move that appears in t. The initial moves of a string s are the initial moves of ea h of its threads. Consider the above on urrent alphabet and let D 0 D. D 0 is a full subdependen e of D when it preserves re exivity, transitivity, and symmetry (the dependen e relation of a partition is a full subdependen e, for example). m 2 M is involved in D 0 when 9n 2 M su h that (m D 0 n). Now let D 0 be a full subdependen e of D, s a string over M and M 0  M the set of moves involved in D 0 . We an de ne s  hM 0 ; D 0 i as the string obtained by keeping only the moves from M 0 in the same order as they appear in s. Normally we write just s  M 0 assuming we have a full subdependen e asso iated to it. Finally re all the standard order v on strings s and t: svt

()

t = st0

where t0 is a string over hM; D i. possibly equipped with internal pointers as well as pointers to moves in s. We say that t is an extension of s with the moves in t0 . We write len(s) for the length of a string s.

3 Handshake Games De nition 3.1 A handshake game is a stru ture A = hMA ; DA; A i, where

MA is a set of moves and DA a dependen e relation on them. Together they form a on urrent alphabet on whi h we impose a nite number of partitions. A : MA ! f ; +g  fR; Ag is a labelling fun tion, we denote with A+ and RA A its two proje tions. The rst one determines the polarity, the moves with positive polarity are alled player moves and those with negative polarity are alled opponent moves. The se ond proje tion distinguishes requests (R) from a knowledges (A). We impose no ambiguity of labels within a partition. Given m; n 2 MA su h that m DA n:  + (m) =  + (n)

()

RA (m) = RA (n)

Game. We an imagine a game 4 as providing a universal stru ture over whi h several pro esses of the same kind an be implemented.

Example 3.2 The simplest ase is the game asso iated to a port stru ture,

where all moves are in the same equivalen e lass, as they represent a set of messages whi h are all going to be sent over the same hannel. For example, we

an asso iate a generi passive port to a game A = hMA = M1 [ M2 ; DA ; A i su h that:  M1 = freq(v) j v 2 V1 g and M2 = fa k(v) j v 2 V2 g;  DA = MA  MA ; 4

from now on we an leave the adje tive, handshake, impli it.

78

Fossati  8m 2 M1 ; ( + (m) = ) ^ (RA (m) = R);  8m 2 M2 ; ( + (m) = +) ^ (RA (m) = A). The port is passive, and this nds semanti orresponden e in that only the opponent an issue a request, only the opponent is allowed `to start'. The sets V1 and V2 represent the sets of values the two players an atta h to their moves. Spe ial ases o

ur when these sets are singletons, or equivalently when no data are added. In parti ular when there are only one request and one a knowledge we are representing a nonput port. Input ports are obtained by allowing the opponent to en ode data in its moves while in output ports it is the player who an en ode data in its moves. If they both an, then we have a byput port. Conne tives. A simple operation allows us to hange a game's polarity:

A? = hMA ; DA; A i: ?

+ Where A = h A+ ; RA when A+ gives + and vi evA i, and A gives ersa. So for example, a generi a tive port an be des ribed as the dual A? of the generi passive port A, des ribed above. We also have a binary onne tive, the ostar produ t. This allows us to give a representation to more omplex stru tures, stru tures with more than one port. Given two games A and B their ostar produ t is: ?

A  B = hMA + MB ; DA + DB ; A + B i Note that DA and DB are full subdependen ies of DAB and MA (MB ) is exa tly the set of moves involved in DA (DB ). Then we an relax the de nition of restri tion and write s  A (s  B) instead of s  hMA ; DA i (s  hMB ; DB i). Play. As usual in games, player and opponent take turn to play the respe tive moves. Here though we liberalize things a little as we are working in a on urrent framework, we impose the turn alternation only on the threads of our play (look at it as if we were playing several games in parallel). Formally a play, on a game hMA ; DA; A i 5 is just a string over the on urrent alphabet hMA; DAi. A play is legal if and only if:  all its initial moves are requests;  all its threads are alternating sequen es of requests and a knowledges, player and opponent moves. ! We write LA for the set of legal plays over the game A. We write L n A and LA for the subsets of nite and in nite legal plays, respe tively. Note that a play over a game an only ontain a nite number of threads ( nite on urren y) be ause the alphabet of the game an only have a nite number of partitions. 5

The term play is inherited from game semanti s. It orresponds to the handshake tra es in the handshake ir uits theory.

79

Fossati The equivalen e on moves (DA ) indu es an equivalen e on plays, the homotopy relation A . Let s; t 2 LA , we say that s A t just when they have the same set of threads 6 . Prestrategy. I will introdu e strategies gradually: starting from the general lass of prestrategies I will hara terize positionality and determinism; by then we will be working with a tual strategies but in order to onsider nondeterministi behaviors as well we will need a new generalization. All of these

lasses really need the adje tive handshake as we are working in a handshake framework, but sin e it will be lear from the ontext I will leave it impli it. I start with some formal notions. Given a set of plays  on a game A:  The pre x- losure of  is   = fs 2 LA j s v t 2  g  For a play s 2   , its su

essors set (with respe t to ) is:

su  (s; ) = fm 2 MA j sm 2   g  s is passive in , pas  (s; ), i there is no move the player an make at s:

m 2 su  (s; ) )  + (m) =  P as  () is the set of passive plays in the pre x- losure of :

P as  () = fs 2   j pas  (s; )g  Given two independent moves, m; n 2 MA , and four plays r, s, t, u, of A, we de ne rA as the smallest binary relation su h that:  (mn rA nm) () (( +(m) = ) _ ( +(m) =  +(n))) 7 ;  t rA t;  (r rA s) ^ (s rA t) ) (r rA t);  (r rA s) ^ (t rA u) ) (rt rA su). We say that s reorders t in A when s rA t 8 ;  Let s, t be two plays of A and de ne s xA t if and only if s v t and t

ontains only opponent moves after s (we say that t is an input-extension of s in A).

De nition 3.3 A (handshake) prestrategy  on a game A is a set of legal plays of A su h that: (i)  6= ; (non-empty);

6

The use of homotopy in on urrent games is due to Mellies and Mimram [8℄[9℄. Let me give one intuition here : : : We may re eive two inputs in any order and we may output two messages in any order. Also, an input may arrive before we output. The onverse does not hold though, we may have to wait for an input before we an output. 8 I hose to keep the de nition as in the original model instead of extending it to in nite sequen es of reorderings, this is oherent with the degree of 'intensionality' in the model

7

80

Fossati (ii) P as  () v  ( losed under passive pre xes); (iii) (t 2  ^ s rA t) ) s 2  (reorder losed); (iv) (s 2   ^ s xA s0 ) ) s0 2   (re eptive).  is onveniently des ribed as a ouple hQ ; I i. Where quies ent and I the set of in nite plays of .

Q

is the set of

The expli it in lusion of in nite plays allows to distinguish when a strategy may follow an in nite ommuni ation but at a ertain point will surely stop and when instead it ould ontinue to the in nite. The quies ent plays represent the nite points in whi h the player may stop to wait for the opponent to move. The passive plays represent those points at whi h the player has no other hoi e but to wait: they need to be quies ent. In the ase of nonput ports, some well known prestrategies are ST OP and SKIP . ST OP simply a

epts opponent moves without a knoledging them, while SKIP does a knowledge to requests, but never starts a handshake itself:  ST OPA = fs 2 LA j (s)+ = 0g;  SKIPA = fs 2 LA j (s) = (s)+ g. Where (s) and (s)+ stand for the number of opponent and that of proponent moves in s, respe tively. It is interesting to see that if we add data to moves, a prestrategy like SKIP be omes a highly nondeterministi spe i ation after whi h a wide range of possible prestrategies ould be implemented. Let's

onsider the simple ase where A represents a single passive port. If data were added to requests no nondeterminism would be introdu ed. On the other hand if only booleans were added to a knowledges, the player would have many available options. It ould always answer tt or ff, or alternate the two answers, : : : Even more interesting if the port is a biput. Here the number of possible implementations is extremely high: identity, boolean not, onstant, integer su

essor, test for zero, : : : Composition. Given two prestrategies,  on A?  B and  on B ?  C, their omposition is soon de ned:  Æ  = fu  A; C j u 2 LA;B;C ^ u  A; B 2  ^ u  B; C 2  g Two de nitions related to omposition. s 2 Lfin A;B;C is an interleaving in the omposition of  and  if and only if s  A; B 2   and s  B; C 2   . s is a witness (for s  A; C) in the omposition of  and  if and only if s  A; B 2  and s  B; C 2 . Unfortunately, omposition of prestrategies is not well-de ned. Informally:

onsider the general prestrategy RUN whi h is always eager to get engaged in a handshake (whether its role is to start or to answer). Consider the omposition of RUNB with RUNB . Being dual pro esses they will never agree on being quies ent at the same time, ea h one will be willing to ontinue (or to start over) immediately when its turn omes. Then if the in nite play 81 ?

Fossati whi h emerges from this eternal ping-pong is not itself ontained in the two prestrategies, the omposition is empty. Positionality. We need to fo us on a subset of the set of prestrategies for whi h omposition works. It seems natural then to start with deterministi prestrategies. However it turns out that determinism is preserved by omposition only in presen e of another very important property of on urrent strategies, positionality. Positionality is based on the relation of homotopy between plays.

De nition 3.4 A prestrategy  on a game A is positional if and only if, for nite s; s0 2   and in nite t; t0 2 L!A, with s  s0 and t  t0 , we have: (i) s  s 2   ) s0  s 2   (positionality and pre xes); (ii) s 2  ) s0 2  (positionality and quies en e); (iii) t 2  ^ (8t < t0 ; t 2   ) ) t0 2  (positionality and in nite plays); Intuitively, a position is a state and we an rea h a ertain state in di erent ways but then however we got there we have the same options to move on or to wait. Determinism. Let A be a game and a and b two distin t player moves of A. A positional prestrategy  on A is deterministi just when: (i) ta 2   ) t 2= ; (ii) ta 2   ^ tb 2   ) tab 2   ; (iii) I = ft 2 L!A j 8t0 < t; m 2 su  (t0 ; ),  + (m) = +; 9t00 < t s.t. t0 < t00  m < tg. The rst two onditions are the usual onditions for determinism. Moreover a deterministi strategy that has engaged in an in nite hatter may not de ide to quit anyhow. A mali ious opponent ould for e a deterministi strategy to follow the ourse that he wants, even to diverge. If the opponent a ts in this way there is no means for the deterministi strategy to es ape the mali ious design. The third ondition tells exa tly whi h are the in nite plays that a deterministi strategy must ontain. It's lear that the third ondition of determinism implies the third ondition of positionality. So for deterministi prestrategies positionality an be expressed with two properties. Composition. We now pro eed to the proof that omposition is well-de ned for deterministi positional prestrategies. In the following let  and  be two deterministi positional prestrategies on A?  B and B ?  C, respe tively. We start with two de nitions. Given u and v su h that u r v, we de ne dr (u; v), the reordering distan e between u and v:  dr (u; v) = 0 () u = v  dr (u; v) = 1 () (u = u0  a  b  u00 ) ^ (v = u0  b  a  u00 ), for two moves a 82

Fossati and b;  In general dr (u; v) = n > 0 if and only if u 6= v and there are n + 1 (and no less) plays u0 ; u1 ; : : : un su h that u = u0 , un = v and dr (ui ; ui+1 ) = 1. In exa tly the same way we de ne the homotopy distan e d (u; v) on homotopi plays u  v.

Lemma 3.5 Let s 2 Lfin A;B;C be an interleaving in the omposition of  and  . Then there is t w s and t is a witness in the omposition of  and  .

2  and s  B; C 2 , s itself is the witness. Otherwise, suppose  is not quies ent at s. Then s is not passive in ,  an play a move after s. We start by saturating the external threads of  with player moves. Then we let  play in B until quies en e, while  must be ready to a

ept this stream (re eptivity). Now, if  is quies ent we are done, otherwise we saturate it outside. If it be omes quies ent we are done as well otherwise we let it play inside until quies en e. Then it's 's turn again, and so on. If after a while they both be ome quies ent then we have our witness. Otherwise they run to the in nite, but then we also have our witness (determinism). 2 Lemma 3.6 Let t 2 ( Æ ) and let u and v be two interleavings for t in  Æ  . Then u an be ompleted with all the o

urren es of moves that are in v n u so to obtain an interleaving z for t in  Æ  . Proof. If s  A; B

Proof. A few remarks. After  () makes a move m it an still play all the

moves it ould play before but m itself (determinism).  () instead an still play all the moves it ould play before and possibly more (re eptivity and reordering). It follows that if m is initial in v and m I u then u0  m  u00 is still an interleaving for t in  Æ , for any fa torization u0  u00 of u. Else if m D u then u = u0  n  u00 , where m I u0 and m D n. If m and n were distin t  ()

ould play m even after n (determinism). But this is not possible sin e they are dependent moves and ne essarily have the same polarity, then m = n. We an obtain z as the result of alling the following untyped informal pro edure on u and v: union(u; v)f m := head(u); u := tail(u); if (m I v) then if (u = ") then z := m  v; else z := m  union(u; v); else if (v = v 0  m  v 00 ) then z := m  union(u; v 0  v 00 ); return z;

g

2

83

Fossati

Theorem 3.7 Let  and  be two deterministi positional prestrategies on

A?  B and B ?  C , respe tively. Then, pre)  Æ  is a prestrategy; pos)  Æ  is positional; det)  Æ  is deterministi .

Proof.

pre) I skip the proof that every play in  Æ  is legal as it is almost immediate. (i)  Æ  is non-empty. Sin e neither  nor  is empty, then " is an interleaving of their omposition. Then lemma 3.5 applies and yields a witness t w " for some play in  Æ ; (ii) Let s v s, with s 2  Æ  and s 2 P as  ( Æ ). By de nition there is t 2 LA;B;C su h that t A; B 2 , t B; C 2  and t A; C = s. Just ut t right after s is played out in the external game and all the resulting play t. Then lemma 3.5 applies and yields a witness t0 w t for some play in  Æ . s is passive then t0 is a tually a witness for s 9 ; (iii) Let s rA ;C s. Consider d =dr (s; s): d = 0 Then there is a witness u of s whi h is also a witness of s; d = n Then there are s0 ; s1 ; : : : sn 2 LA;C and su h that s = s0 ; sn = s; dr (si ; si+1 ) = 1 for all 0  i  n. For assumption we know that s1 2 ( Æ ). Let s1 = s0  m  n  s00 and s0 = s0  n  m  s00 . Moreover let's take a witness u1 2 LA;B;C of s1 of the form u1 = u0  m  ub  n  u00 , where u0 and u00 are interleavings of s0 and s00 , respe tively, and ub is a sequen e of moves in B. If n is an opponent move then we de ne u0 = u0  n  m  ub  u00 else m is a proponent move and then we de ne u0 = u0  ub  n  m  u00 . In any

ase u0  A; C = s, u0  A; B rA ;B u1  A; B 2  and u0  B; C rB ;C u1  B; C 2 , then s 2  Æ . (iv) Let s 2 ( Æ ) and let s x s  s0 . Reasoning as in the se ond point we

an nd an interleaving u for s in the omposition  Æ . It follows from re eptiveness of the two prestrategies that u  s0 is also an interleaving. Then lemma 3.5 applies and we are done. pos) As already remarked, the third property of positionality follows from determinism whi h will be proved later on. The rst two properties an be proved in exa tly the same way, so I prove just the rst one. Let s; s0 2 ( Æ ) , with s  s0 , and let s  s 2 ( Æ ) . The proof that s0  s 2 ( Æ ) is by indu tion on d (s; s0):  If s = s0 then trivially s0  s 2 ( Æ );  If d (s; s0) = n + 1 then there is sn su h that d (s; sn) = n and d (sn; s0 ) = 1. By indu tive hypothesis sn  s 2 ( Æ ) . Now, sn fa torizes as t0  a  b  t00 while s0 = t0  b  a  t00 . So sn has an interleaving un = u0  a  ub  b  u00 , where ub is a sequen e of internal moves. The two prestrategies ?

?

9 0

t

?

Note that in the proof of the lemma no external opponent move is taken while making , then really no move is played outside.

84

Fossati are deterministi then it follows from the remarks made inside lemma 3.6 that u0  b  a  ub  u00 is also an interleaving of  Æ  (in parti ular if b is by the opponent, re eptivity also plays a role). Finally by positionality of  and  we on lude s0  s 2 ( Æ ) . det)(i) Let t  a 2 ( Æ ) , where a is a player move. By absurd, t 2  Æ . Then t has a witness u 2 LA;B;C . Consider the ase where u is nite. Sin e u  A; B 2  and u  B; C 2 , neither prestrategy an play at this point, the next move must be an opponent move in A or C, and this is enough for the rst ase. If u is in nite then any move that ould be played after a nite pre x will eventually be played somewhere in u, in luding a; (ii) Let s  a; s  b 2 ( Æ ) , where a and b are two distin t player moves. An interleaving for s  a is of the form u0  a  v 0 and an interleaving for s  b is of the form u00  b  v 00 . Where u0 and u00 are both interleavings for s and v 0 and v 00 are sequen es of internal moves. Then we an apply lemma 3.6 and

omplete u0 with the moves that are not in it but in u00 . In the same way we an omplete u00 with the moves that are not in it but in u0 . The two results are homotopi . Take one of them, u. By the remarks made inside lemma 3.6 and by positionality we have that u  a is both an interleaving of s  a and of s  b, then the on lusion follows; (iii) This is a tually a double impli ation. Let s 2 L!A;C su h that all its pre xes are in the pre x- losure of  Æ :

))

Suppose s 2 ( Æ ) and m 2 su  (s0 ;  Æ ), where s0 < s and su h that  + (m) = +. Then s has a witness u 2 L!A;B;C . If either u  A; B or u  B; C is nite then respe tively  and  annot move anymore. That means that if it was 's ('s) duty to play (the o

urren e of) m then the move o

urs in the nite restri tion ( rst ondition of determinism). Suppose that m ould be played on the side of the ommuni ation whi h is in nite. Then again we know that the move will eventually o

ur (third ondition of determinism); () Suppose that forall s0 < s and m 2 su  (s0;  Æ ) with  +(m) = + there exists s00 < s su h that s0 < s00  m < s. Take u 2 L!A;B;C su h that all the pre xes of u  A; B are in the pre x- losure of , all the pre xes of u  B; C are in the pre x- losure of  and u  A; C = s. For any u0 < u we know that if either prestrategy ould play an external move after u0 then this eventually o

urs in u, be ause the same move ould be played by  Æ  after the external restri tion of u0 . If either prestrategy ould play an internal move and the (o

urren e of the) move does not appear in u yet, then we add it, say, ten moves after u0 . This way we are assured that every move that ould be played after a nite pre x a tually o

urs inside a nite pre x 10 . The nal u is a tually a witness for s in  Æ .

10 Note

that the number of moves that an be played at any point is nite, as the number of threads is nite ( nite on urren y) and the two prestrategies are deterministi .

85

Fossati 2

Sums and Strategies. We de ne the binary operation  (sum ) whi h takes two prestrategies  and  on a game A and returns the union of their sets of plays.

Lemma 3.8 The sum of  and  is again a prestrategy. Proof. (i) The union of two non-empty sets is non-empty. (ii) s 2 P as  (  ) ) s 2 (  ) ^ pas  (s;   ) ) (s 2  ^ pas  (s; )) _ (s 2   ^ pas  (s; )) ) (s 2 P as  ) _ (s 2 P as  ) ) (s 2 ) _ (s 2 ) )s 2    (iii) Reorder- losedness and re eptivity an be proven similarly, so we prove only the rst one of the two. Let t 2 (  ) ^ s rA t: t 2    ) (t 2 ) _ (t 2 ) t 2  ^ s rA t ) s 2  t 2  ^ s rA t ) s 2  (s 2 ) _ (s 2 ) ) s 2    2

We extend this operation to an arbitrary number of arguments in the expe ted way, then we are ready for strategies.

De nition 3.9 A (handshake) strategy  is the sum of deterministi positional (handshake) prestrategies:

=

M i2I

i

where i are deterministi positional prestrategies indexed by elements of a non-empty set I. A strategy represents a pro ess. A strategy is a des ription of the behavior to follow. It is as if strategies ould hoose on e and for all among a set of possible behaviors. Afterwards they a t deterministi ally all the way. It follows that a deterministi positional prestrategy d is just a parti ular ase of strategy where the opponent may hoose only from a singleton set. We will just say that d is a deterministi strategy, assuming impli itly that it is positional, even if strategies are not positional in general. 86

Fossati

Lemma 3.10 Given two strategies  and  on a game A, their omposition is again a strategy.

Proof. Let

=

M i2I

i

=

M j 2J

j

where all i 's and j 's are deterministi prestrategies. Then we have:  Æ  = fu  A; C j u 2 LA;B;C ^ u  A; B 2  ^ u  B; C 2  g = = fu  A; C j u 2 LA;B;C ^ u  A; B 2 i2I i ^ u  B; C 2 j 2J j g = = fu  A; C j u 2 LA;B;C ^ (9i 2 I; j 2 J s.t. u  A; B 2 i ^ u  B; C 2 j )g = = fu  A; C j u 2 LA;B;C ^ u  A; B 2 i ^ u  B; C 2 j g = i2I;j 2J = (j Æ i ) i2I;j 2J

[ [

2

Category. We an form a ategory H whose obje ts are games and with morphisms from A to B the strategies on A?  B. With abuse of notation we write  for both the morphism  : A ! B and the strategy  : A?  B. The identity morphism idA : A ! A is the well-known opy at strategy:

idA = fs 2 LA

?

A

j s  A1 = s  A2g;

where the indi es are used only to distinguish the left and the right opy of A. It is easy to he k that idA is a well-de ned prestrategy, that it is positional and deterministi , and that the identity equations  Æ idA =  = idB Æ ; hold. There only remains the proof of asso iativity of omposition, whi h we do next.

Theorem 3.11 Consider games A, B , C and D, and strategies  : A ! B and  : B ! C and  : C

! D: ( Æ ) Æ  =  Æ ( Æ ) Proof. Let s 2 ( Æ ) Æ . There is a witness u 2 LA;B;D for s. Analogously we nd a witness v 2 LB;C;D for u  B; D. Working in an asyn hronous world sometimes makes things easier (but only sometimes) so now we need no zipping or in nite zipping lemma, any interleaving w 2 LA;B;C;D of u and v works just ne. In parti ular any su h w satis es:  w  A; B = u  A; B 2 ;  w  B; C = v  B; C 2 ;  w  C; D = v  C; D 2 ; 87

Fossati  w  A; D = u  A; D = s. Then by de nition we have w  A; C 2  Æ  and s 2  Æ ( Æ ). The opposite dire tion is proved in exa tly the same way. 2

Categori al onstru tions turn out useful not only for stru tural hara terization, but also for semanti analysis. For example, we an lift  to morphisms so to have an elegant alternative to the on ealment and extension operations of the pro ess al ulus in [13℄. Given  : A ! B and  0 : A0 ! B 0 , we de ne    0 : A  A0 ! B  B 0 as    0 = fs 2 LA;A ;B;B j s  A; B 2  ^ s  A0 ; B 0 2  0 g 0

0

The fun toriality properties, ( Æ )  ( 0 Æ  0 ) = (   0 ) Æ (   0 ) and idA  idB = idAB , are easily veri ed. Suppose we want to ompose strategies  : A ! B and  : B  B 0 ! C. A possible way of doing this is by `extending'  with the identity of B 0 . The omposition be omes  Æ (  idB ). Another way is to restri t  and substitute it with  Æ (idB  SKIPB !I ), where I is the game with just no moves. The ategory of handshake games and handshake strategies H is *-autonomous, it is symmetri monoidal losed with respe t to  and has an isomorphism from A to A??. In parti ular the isomorphisms A ! I  A and A ! A  I are just opy at strategies and they follow from the isomorphisms between sets of moves, MA ! ; + MA and MA ! MA + ;, respe tively. The other isomorphisms required for symmetri monoidal losure are also opy at strategies derived from isomorphisms between sets of moves. The ase of selfduality is even simpler, A and A?? are the same game and the isomorphism between them is just the identity on A. We an further note that H is more than *-autonomous, it is ompa t losed, as you an easily he k A  B = (A?  B ?)?. 0

0

88

Fossati

4 Examples As an example we show here a ir uit that implements the onditional bran h

onstru t. The logi is a little simpler than that of Tangram's bran h, whi h employs guards and nondeterminism, but the essen e is there. B 

trf

ifT

P

k ifT

not

Q

The big ir les represent some basi standard omponents, while the small ones are the ports (a tive ports are lled and passive ones are not). The lines

onne ting two ports represent the hannels. I will des ribe the strategies asso iated to the omponents as transition systems, as graphs where the edges represent the moves and the nodes represent the `positions' ( lass of plays for short).I will begin with the boolean negation not: a ka

a kp

f fa

ttp

0

f fp

tta

a kp

a ka

The index p is used for moves passing through the passive port and a for moves passing through the a tive port. The ir les around nodes indi ate quies ent positions and the initial position is marked with a 0. not is a strategy on the game Br?  Br , where Br is the game for a passive input port (example 3.2) with boolean data en oded in the requests. As a onsequen e, the dual, Br?, be omes an a tive port with the same hara teristi s. Whatever input the strategy re eives on the passive port, it sends its negation on the a tive. On e this is a knowledged, it a knowledges the rst move. ifT : Br ! S is a test for true (S is the type of a nonput passive port, syn hronization-only):

89

Fossati

ffp

0

a kp

ttp

reqa

a kp

a ka

If it re eives true it handshakes on its a tive port, otherwise it returns immediately. The omposition of strategies orresponds to putting the two graphs aside and visiting them in parallel, while at the same time building the graph for the omposed strategy. Ea h time we pass by an `external' edge we add it to the new graph (provided it is not already there). As for the internal edges, they need to be played simultaneously on both sour e graphs. So, if we are in a position where we an play an internal move on one side but not on the other, we need to wait if we want to play that move. It is easy to

he k that the omposition of ifT and not yields a test for false, exa tly the opposite of ifT . The so alled P AR omponent k: Br  Br ! Br a tivates two pro esses in parallel after re eipt of a request from the environment; on e both pro esses a knowledge, it too a knowledges to the rst request:

reqa1

0

a ka1

reqa2

reqa2

a ka1

a ka2

reqp

a k reqa2

k is omposed with ifT

reqa1

a ka2

a ka2

reqa1

0

a ka1

 (not Æ ifT ) : S  S

! Br  Br , a strategy

that exe utes a test for true on one side and, in parallel, a test for false on the other. The ostar produ t of two strategies orresponds again to playing on the two games/graphs in parallel, with the di eren e that now all moves are external. As a result the nal graph may be ome very ompli ated. In the end, k Æ(ifT  (not Æ ifT )) : S  S ! Br is a strategy whi h depending on the input (true or false) a tivates one or the other strategy it is onne ted to; after re eiving the a knowledge it returns. The last omponent is a transferrer, asso iated to the strategy trf : Ba  Br ! S, where Ba is the game for a passive port, this time with boolean data en oded in the a knowledges. On e 90

Fossati a tivated on the passive port S it requests a boolean value from Ba 11 whi h is immediately opied in a request and sent on Br , it waits for the a knowledge and then ompletes the rst handshake. We skip the graph for this strategy and we go straight to the strategy trf Æ (idBa  (k Æ(ifT  (not Æ ifT )))) : Ba  S  S ! S asso iated to the global if then else onstru t: reqP

a kP

ttB

a k

0

req

reqB f fB

a k reqQ

a kQ

Here the indexes indi ate the pro esses with whi h we are in ommuni ation. This strategy has the expe ted type (it takes as arguments a boolean and two ommands and gives a ommand in return) and behavior. With the same approa h, de omposition of the internal logi into smaller modules and omposition of the strategies asso iated to these modules, we an give a semanti s to any other programming onstru t, like the loop and su h. Also, the presentation of strategies as graphs is very intuitive and attra tive, it had already been adopted by Van Berkel [13℄ in the ontext of handshake

ir uits. In game semanti s this idea has been pushed further, there exists game models [6℄[8℄ in whi h graphs are employed not just as merely a way of presenting strategies but as a true semanti al des ription. Of ourse, in order to establish this orresponden e, there are some properties that need to be satis ed. I believe that positionality and asso iativity of omposition are ne essary rst steps towards the goal.

5 Future Work So, I built a model for handshake ir uits and I showed informally how it

ould be put into use. In the pro ess, I dealt with the problems arising in the modelling of ir uits' omposition and I ended with a ner hara terization of handshake strategies. In parti ular, the new property of positionality seems very interesting and worth exploiting. But the model ontains also a deeper stru tural analysis, with the onstru tion of a ompa t- losed ategory, a result that ould be used as a base for a type theory. Moreover I showed how to take advantage of ategori al tools like omposition of morphisms and the bifun tor , in the semanti s. And now? The next step is to formally de ne a semanti s for a language 11 On

the left side of the arrow, Ba be omes a tive, by the de nition of arrow.

91

Fossati based on handshake ir uits, for Tangram or for a whole new language. This semanti s should take into a

ount pro esses that an ex hange data as well as pro esses that an only syn hronize with their environment. The approa h to take should in lude redu tion of the language's onstru ts into a small set of ombinators and representation of these ombinators as general-purpose strategies. In [7℄ Josephs, Udding and Yant hev redu ed Van Berkel's al ulus [13℄ to just three operations, how mu h bigger would this set be ome when data are en oded in the messages? A parti ularly deli ate part in the de nition of a semanti s for handshake

ir uits will be the modelling of the sequential omposition of pro esses, where the pro ess P1 ; P2 behaves initially as P1 and then, on e all requests have been a knowledged and a y le is omplete, it ontinues as P2 . In [13℄ the task is a

omplished by assigning a set of terminal tra es to ea h pro ess, but this is only one possible solution. The idea that ea h pro ess follows a y li life suggests more abstra t representations for strategies, ways that ould allow to treat omposition more mathemati ally. The aim is to nd alternatives that ould allow simpler reasoning while keeping the substan e un hanged. Nonetheless, altering the proto ol of ommuni ation may also be of interest: what happens when we shift to slightly di erent ir uits, like speed-independent or delay-insensitive ir uits? On the side of game semanti s, handshake ir uits ould represent a on rete appli ation. Naturally the next step is to pla e this result inside the large

olle tion of models proposed. Surely the ompletely asyn hronous behavior makes handshake strategies and games di erent from their ounterparts, indeed the ategori al framework will help in making omparisons.

Referen es [1℄ S. Abramsky. Intera tion ategories (extended abstra t). In G. L. Burn, S. J. Gay, and M. D. Ryan, editors, Theory and Formal Methods 1993: Pro eedings

of the First Imperial College Department of Computing Workshop on Theory and Formal Methods, pages 57{70. Springer-Verlag Workshops in Computer

S ien e, 1993.

[2℄ S. Abramsky, S. Gay, and R. Nagarajan. Intera tion ategories and the foundations of types on urrent programming. In M. Broy, editor, Pro eedings of the 1994 Marktoberdorf Summer S hool on Dedu tive Program Design, pages 35{113. Springer-Verlag, Berlin, 1996. [3℄ S. Abramsky and P.-A. Mellies. Con urrent games and full ompleteness. In Logi in Computer S ien e 99, Trento, July 1999. IEEE Computer So iety Press. [4℄ Russell Harmer and Guy M Cusker. A fully abstra t game semanti s for nite nondeterminism. In Logi in Computer S ien e, pages 422{430, 1999.

92

Fossati [5℄ Russell Harmer and Guy M Cusker. nondeterminism. Unpublished, 2002.

A game semanti s for ountable

[6℄ M. Hyland and A. S halk. Games on graphs and sequentially realizable fun tional. In IEEE Computer So iety Press, pages 257{264, Kopenhavn, July 2002. [7℄ M.B. Josephs, J.T. Udding, and Y. Yant hev. Handshake algebra. Te hni al Report SBU-CISM-93-1, S hool of Computing, Information Systems and Mathemati s, South Bank University, London, 1993. [8℄ P.-A. Mellies. Asyn hronous games 2: the true on urren y of inno en e. In P. Gardner and N. Yoshida, editors, CONCUR'04, Le ture Notes in Computer S ien e. Springer Verlag, September 2004. [9℄ Samuel Mimram and Paul-Andre Mellies. Asyn hronous games 5: Nonalternating inno en e. Work in progress, 2006. [10℄ Y. Mos hovakis. A game-theoreti modeling of on urren y. In fourth annual symposium on Logi In Computer S ien e, pages 154{163. IEEE Computer So iety Press, 1989. [11℄ D. Park. The \fairness" problem and nondeterministi omputing networks. Foundations of Computer S ien e IV. Matematis h Centrum, Amsterdam, 1983. [12℄ A. W. Ros oe. Unbounded nondeterminism in CSP, volume 3 of Journal of Logi and Computation. April 1993. [13℄ K. Van Berkel. Handshake ir uits: an Asyn hronous ar hite ture for VLSI design, volume 5 of Cambridge International Series on Parallel Computation. Cambridge University Press, 1993.

6 Appendix: nondeterminism in the sequential ase The presentation of nondeterministi strategies in [5℄ is te hni ally di erent from the one I gave. However, the present formalism an be applied su

essfully also to the sequential ase, and with respe t to the model of Harmer and M Cusker, their de nition of strategy an be reformulated equivalently as sum of deterministi omponents, as I am now going to show. Assuming that everyone knows that in the sequential ase plays follow a proto ol of stri t alternation (like on urrent plays with only one thread) I go straight to the de nition of prestrategies. A prestrategy is a set of plays losed under even-length pre xes. The even-length plays of  are alled tra es and are noted T , the odd-length plays of  are alled divergen es and are noted D , while the in nite plays of  are noted I . The domain of , written dom(), is those odd-length plays that are rea hable by , dom() = [s2T ie(s) 93

Fossati where the fun tion ie gives all the possible extensions of s with just one move, the immediate extensions of s. Given d 2 dom(), the range of  at d, written rng (d), is ie(d) \ T . Now, a strategy  is re eptive when for all d 2 dom(), d [ rng (d) 6= ; This ondition was not present in the original de nition in [5℄ as in their ase the re eptivity was left impli it: if neither a divergen e nor an answer to it were present it means that the strategy de ides not to respond there. However, even if it is only a te hni al detail, re eptivity needs to be stated expli itly in order to establish true equivalen e of the two de nitions. A prestrategy  on a game A is deterministi if and only if  sa; sb 2 T ) sa = sb;  s 2 D () rng (s) = ;;  s 2 L!A ^ (8s0