Electronic Notes in Theoretical Computer Science
Developments in Computational Models DCM 2006 Venice, Italy
16 July 2006
Guest Editors:
Jean-Pierre Jouannaud and Ian Mackie
Contents Preface
v
ndez (Invited Speaker) Maribel Ferna Every computable function is linear (in a sense) . . . . . . . . . . . . . . . . . . . . . .
1
Michel Cosnard, Luigi Liquori and Raphael Chand Virtual Organizations in Arigatoni: the formal model . . . . . . . . . . . . . . . .
5
Marco Carbone, Kohei Honda and Nobuko Yoshida A Calculus of Global Interaction based on Session Types . . . . . . . . . . . . . 27 Mircea-Dan Hernest Light Dialectica Extraction from a Classical Fibonacci Proof . . . . . . . . . 35 Jayshan Raghunandan and Alexander J. Summers On the Computational Representation of Classical Logical Connectives 45 Germain Faure Term collections in lambda and rho-calculi . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Simon Gay, Rajagopal Nagarajan and Nikolaos Papanikolaou Probabilistic Model-Checking of Quantum Protocols . . . . . . . . . . . . . . . . . . 63 Luca Fossati Handshake Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Nikolaos Siafakas A fully labelled lambda calculus: Towards closed reduction in the Geometry of Interaction Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Bob Meyer Better Bubbling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
ii
Preface The Second International Workshop on Developments in Computational Models (DCM) was held in Venice, Italy, on the 16 July 2006, as a satellite event of ICALP 2006. This volume contains the papers presented at this workshop. The First International Workshop on Developments in Computational Models (DCM 2005) was held in Lisbon, Portugal in July 2005, also as a satellite event of ICALP. DCM focuses on abstract models of computation, and their associated programming paradigms. Several new models of computation have emerged in the last few years, and many developments of traditional computational models have been proposed with the aim of taking into account the new demands of computer systems users and the new capabilities of computation engines. A new computational model, or a new feature in a traditional one, usually is re ected in a new family of programming languages, and new paradigms of software development. The aim of DCM was to bring together researchers who are currently developing new computational models or new features for traditional computational models, in order to foster their interaction, to provide a forum for presenting new ideas and work in progress, and to enable newcomers to learn about current activities in this area. Topics of interest for DCM include all abstract models of computation and their applications to the development of programming languages and systems, for instance: Functional calculi: lambda-calculus, rho-calculus, term and graph rewrit-
ing;
Object calculi; Interaction-based systems: interaction nets, games; Concurrent models: process calculi, action graphs; Calculi expressing locality, mobility, and active data; Quantum computational models; Biological or chemical models of computation;
For DCM 2006, the Programme Committee selected 9 papers for inclusion in these proceedings, covering a wide range of the topics. In addition, the programme included an invited talk by Maribel Fernandez. The Programme Committee consisted of: Jos Baeten, Eindhoven University of Technology, The Netherlands Horatiu Cirstea, LORIA, France Mariangiola Dezani, University of Torino, Italy
iii
Francois Fages, INRIA, France Mario Florido, University of Porto, Portugal Simon Gay, University of Glasgow, UK Radha Jagadeesan, DePaul University, USA
Jean-Pierre Jouannaud, Ecole Polytechnique, France (Co-Chair) Ian Mackie, Ecole Polytechnique and King's College London (Co-Chair) Herbert Wiklicky, Imperial College London, UK
We would like to thank all those who contributed to DCM 2006. We are grateful to the Programme Committee members for their careful and ecient work in reviewing and selecting the submitted papers.
Jean-Pierre Jouannaud and Ian Mackie Paris, 20 June 2006
iv
DCM 2006
Every computable function is linear (in a sense)
Maribel Fern andez 1 King's College London, Department of Computer Science, Strand, London, WC2R 2LS, U.K. Email:
[email protected]
Computability theory has its roots in work done in the 1930's, by Alonzo Church, Haskell Curry, Kurt Godel, Jacques Herbrand, Stephen Kleene, and Alan Turing (among others). Turing, Church and Kleene developed, more or less at the same time, three dierent models of computation which are now the standard 'paradigms' of sequential computation: Turing Machines, the -calculus, and recursive functions. We will focus on the last two. Roughly speaking, the theory of recursive functions is based on the de nition of functions by equations. Each function has a name, and is de ned from a set of initial functions using composition, primitive recursion, and minimisation. By recursion here we mean explicit recursive calls, where a function f is de ned by means of an equation f(t) = C[f(u)]. The -calculus is also a theory of functions, but in this case functions don't have names, and we can build recursion in an implicit way, using xpoint operators. Both the explicit and the implicit approaches to recursion yield Turingcomplete models of computation. Together with recursion, a key mechanism in the process of computation is the ability for functions to duplicate and to discard their arguments (i.e., management of resources: erase and copy). Let us now focus on this aspect of computation, which has attracted a great deal of attention in recent years. We say that a function is linear if it uses its argument exactly once. We will give an alternative formulation of the theory of recursive functions, where each function is linear in this sense; we call this class of functions linear recursive functions. To de ne linear recursive functions we start by specifying a set of linear initial functions (projections are not linear, but permutations are, so we will 1
This research was carried out in collaboration with Sandra Alves, Luis Damas, Mario Florido and Ian Mackie, as part of the project \Linearity: Programming Languages and Implementations", partially funded by a Treaty of Windsor Grant. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
ndez Ferna
use natural numbers, permutations, and composition of linear functions), together with a linear primitive recursive scheme (i.e., primitive recursion where each function uses its arguments exactly once). We will show that we can express both the process of copying a number and the process of erasing a number, as linear primitive recursive functions. Thus, any primitive recursive function can be de ned as a linear primitive recursive functions, indeed the two classes coincide. Linear primitive recursive functions are powerful: they oer an implicit approach to copying and erasing. Then, to get a Turing-complete computation model, we add an operator of minimisation on linear functions. The class of functions that can be de ned using linear primitive recursive and linear minimisation is called linear recursive. Using Kleene's normal form theorem (which says that any partial recursive function can be de ned using primitive recursive functions and one minimisation operator), we obtain an encoding of partial recursive functions into linear recursive functions. In this sense, we can say that every computable function is linear.
Related Work:
There are several formalisms based on the notion of linearity that limit the use of copy and erasing. This includes languages based on a version of the -calculus with a type system corresponding to intuitionistic linear logic [7]. One of the main features of the calculus (which can be seen as a minimal functional programming language) is that it provides explicit syntactical constructs for copying and erasing terms (corresponding to the exponentials in linear logic) [1]. From another perspective there have been a number of calculi, again many based on linear logic, for capturing speci c complexity classes ([3,6,8,4,9,10,5]). One of the main examples is that of bounded linear logic [8], which has as one of its main aims to nd a calculus in-between the linear -calculus and that with the exponentials (speci cally the polynomial time computable functions). In previous work [2] we showed that a simple extension of a typed, linear calculus, without the exponentials, i.e., a calculus that is syntactically linear, has an enormous computational power: exactly the same power as Godel's System T . More precisely, we demonstrated that without minimisation but with an iterator and higher-order constructs, any function de nable in Godel's System T is linear. These previous results inspired our work on linear primitive recursion. This work is part of a research programme which aims at studying the notion of linearity in computation, and at analysing the computational power of linear functions. 2
ndez Ferna
References [1] S. Abramsky. Computational Interpretations of Linear Logic. , 111:3{57, 1993. [2] S. Alves, M. Fernandez, M. Florido, and I. Mackie. The power of linear functions. In , Lecture Notes in Computer Science. Springer-Verlag, 2006. To appear. [3] A. Asperti. Light ane logic. In . IEEE Computer Society, 1998. [4] A. Asperti and L. Roversi. Intuitionistic light ane logic. , 2002. [5] P. Baillot and V. Mogbil. Soft lambda-calculus: a language for polynomial time computation. In , LNCS. Springer Verlag, 2004. [6] J. Girard. Light linear logic. , 1998. [7] J.-Y. Girard. Linear Logic. , 50(1):1{102, 1987. [8] J.-Y. Girard, A. Scedrov, and P. J. Scott. Bounded linear logic: A modular approach to polynomial time computability. , 97:1{66, 1992. [9] Y. Lafont. Soft linear logic and polynomial time. , 2004. [10] K. Terui. Ane lambda-calculus and polytime strong normalization. In . IEEE Computer Society, 2001.
Theoretical
Computer Science
Proceedings of CSL 2006, Computer Science Logic
Proc. Logic in Computer Science (LICS'98)
ACM Transactions
on Computational Logic
Proc. Foundations of Software Science and Computation
Structures (FOSSACS'04)
Information and Computation
Theoretical Computer Science
Theoretical Computer Science
Theoretical Computer Science
Proc.
Logic in Computer Science (LICS'01)
3
ndez Ferna
4
DCM 2006
Virtual Organizations in Arigatoni Michel Cosnard INRIA and UNSA, France
Luigi Liquori INRIA, France
Raphael Chand INRIA, France
Abstract Arigatoni is a lightweight communication model that deploys the Global Computing Paradigm over the Internet. Communications over the behavioral units of the model are performed by a simple Global Internet Protocol (GIP) on top of TCP or UDP protocol. Basic Global Computers Units (GCU) can communicate by rst registering to a brokering service and then by mutually asking and oering services.
Colonies and Communities are the main entities in the model. A Colony is a simple virtual organization composed by exactly one leader and some set (possibly empty) of individuals. A Community is a raw set of colonies and global computers (think it as a soup of colonies and global computer without a leader). We present an operational semantics via a labeled transition system, that describes the main operations necessary in the Arigatoni model to perform leader negotiation, joining/leaving a colony, linking two colonies and moving one GCU from one colony to another. Our formalization results to be adequate w.r.t. the algorithm performing peer logging/delogging and colony aggregation.
1 Introduction Eective use of computational grids via
P2P systems requires up-to-date
infor-
mation about widely-distributed resources. This is a challenging problem for very large distributed systems particularly when taking into account the continuously changing state of resources. Discovering dynamic resources must be scalable in number of resources and users and hence, as much as possible, fully decentralized. It should tolerate intermittent participation and dynamically changing status/availability. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
Cosnard, Liquori and Chand
Reciprocity and organization in colony governed by a clear leader are the main achievements of the model. Global Computers belong to only one colony, and requests for resources located in the same or in another colony traverse a broker-2-broker negotiation whose security is guaranteed via
PKI
mechanisms.
The model is suitable to t with various global scenarios from classical
P2P
applications, like le sharing, or band-sharing, to more sophisticated
Grid
applications, like remote and distributed big (and small) computations, until possible, futuristic migration computations, i.e. transfer of a non completed local run in another
GCU, the latter scenario being useful in case of catastrophic
scenarios, like re, terrorist attack, earthquake etc., in the vein of a Global Programming Language à la
The Arigatoni Model
Obliq
or
Telescript.
is suitable to deploy, via the
Internet
the
Global
Computing Communication Paradigm, i.e. computation via a seamless, geographically distributed, open-ended network of bounded resources by agents acting with partial knowledge and no central coordination.
The model can
be deployed rstly in an intranet and further from intranet to intranet by overlapping an Overlay Network on the top of the actual network. An Over-
lay Network is an abstraction on top of a global network to yield another global network. Overlay examples are resource discovery services (notion of resource sharing in distributed networks), search engines (abstraction of information repository) or systems of trusted mobile agents (notion of autonomic, exploratory behavior) [6]. The
Arigatoni
model provides the necessary basic infrastructure necessary
for a real deployment of the overlay network itself. Moreover, our work abstracts on which kind of resource the overlay network is playing with; pragmatically speaking, this work could be useful for
Grid,
or for distributed le/band
sharing, or for more evolved scenarios like mobile and distributed objectoriented computation.
The Units in the Arigatoni model are one protocol, the Global Internet Protocol,
GIP,
and three main units:
A Global Computer Unit,
GCU,
i.e. the basic peer of the Global Computer
paradigm; it is typically a small device, like a nected with any
IP
PDA,
a laptop or a PC, con-
network, unrelated to the media used, wired or wireless,
etc.
A Global Broker Unit, register
GBU,
is the basic unit devoted to register and un-
GCUs, to receive service queries from client GCUs, to contact potenGCUs, to negotiate with the latter the given services, to trust
tial servants
clients and servers and to send all the information necessary to allow the client
GCU,
GCUs to communicate. Every GCU can register every GBU controls a colony (denoted by COL)
and the servants
to only one
GBU,
so that
of collaborating Global Computers. Hence, communication intra-colony is
GBU, while communication inter-colonies is initiated GBU-2-GBU message exchanges. In both cases, when a
initiated via only one through a chain of
6
Cosnard, Liquori and Chand
GBUg
is a (small) colony
f
GBU1 ; GCU1 : : : GCUm g
is a colony
f
subcolony z }| { fGBU1 ; GCU1 : : : GCUm ; fGBU2 ; GCUm+1 : : : GCUm+n gg is a colony (it contains a subcolony)
GBU1 ; GCU1 : : : GCUm ; GBU2 ; GCUm+1 : : : GCUm+n g
f
is not a colony (two
subcolony subcolony }| { z }| { fGBU3 ; fGBU1 ; GCU1 : : : GCUm g; fGBU2 ; GCUm+1 : : : GCUm+n g g
GBUs)
z
is a colony (with two subcolonies)
subcolony subcolony z }| { z }| { ffGBU1 ; GCU1 : : : GCUm g; fGBU2 ; GCUm+1 : : : GCUm+n gg is not a colony (no leader in the toplevel colony) but it is a community
Figure 1. Some Colony's Examples client
receives an acknowledgment for a request service (with related
GBU, GCU, i.e.
trust certicate) from the proper
then the client will enjoy the service
directly from the servant(s)
without a further mediation of the
GBU
GCU
itself.
A Global Router Unit,
GRU is a simple basic unit that is devoted to send and
receive packets of the Global Internet Protocol and to forward the payload to the units which are connected with this router.
GBU
has one personal
GRU,
Every
GCU
and every
with which it communicates via a suitable
The connection between router and peer is ensured via a suitable
Colonies and Individuals are the main entities in the model.
API.
API.
A Colony is
a simple virtual organization composed by exactly one leader and some set (possibly empty) of individuals. Individuals are Global Computers (think it as an Amoeba ), or (sub)colonies (think it as a Protozoa ). A formal denition of a colony is given using this simple
COL
::=
f
BNF
syntax:
GBUg j COL [ fGCUg j COL [ f COL g
The two main characteristics of a colony are: (i) a colony has exactly one leader
GBU
and at least one individual (the
GBU
itself ); (ii) a colony contains individuals (some
GCU's,
or other colonies).
Some examples of colonies are shown in Figure 1.
A Community
(denoted by
COM)
is a raw set of colonies and global com-
puters (think it as a soup of colonies and 7
GCU
without a leader). A formal
Cosnard, Liquori and Chand
denition of community is given using the
COM
::=
; j
BNF
syntax:
COM [ fGCUg j COM [ f COL g
A simple example of a community is shown in Figure 1. As one can see from the abstract syntax, a colony is a community but the reverse is not true.
Resource Discovery networks.
is one of the key issues in building overlay computer
Individuals (global computers) can register and unregister to a
colony. The same holds true for the subcolonies that, in turn, can (un)register to another colony. The main diculty in (un)registering is dealing with Ad-
ministrative Domains ; as well stated in the seminal Cardelli and Gordon paper on Mobile Ambients [3]:
In the early days of the by
IP
Internet one could rely on a at name space given IP address of a computer would very likely al-
addresses; knowing the
low now to talk to that computer in some way. This is no longer the case: rewalls partition the
Internet
into administrative domains that are isolated
from each other except for rigidly controlled pathways. System administrators enforce policies about what can move through rewalls and how [...]
(Un)Registering Modalities There are essentially two ways of registering to a
GBU
leader of a colony, the latter being not enforced by the
Arigatoni
model:
registration of an individual (GCU or colony) to a
GBU
leader of a colony
belonging to the same current administrative domain ;
registration via remote tunnelling of an individual (GCU or colony) to another
GBU leader of a colony belonging to a dierent
administrative domain.
In this case, we say that the individuals de facto are working in local mode
in the current administrative domain and in global mode in another administrative domain. In addition to this remote registration, the same individual can still register to the
GBU
leader of the colony belonging to the same administrative
domain in which it resides. As such, in its global mode, it will belong to the colony of the current administrative domain, and, in its local mode (via remote tunnelling), it will belong to another colony in another administrative domain. Counterwise, an individual can unregister according to the following simple rules d'étiquette :
unregistration is possible only when there are no pending services demanded or requested to the leader answer of the leader
GBU
GBU
of the colony it belongs: it must wait for an
or for a direct connection of the
GCU
requesting
the already oered service, or wait for a timeout. The colony accepts the unregistration only if the colony itself will not be corrupted ;
(as a corollary of the above) a
GBU
(i.e. it cannot discharge itself ).
cannot unregister from its own colony
However, for fault tolerance purposes, a 8
Cosnard, Liquori and Chand
GCU/GRU
GBU/GRU
GCU/GRU
GCU/GRU
GCU/GRU
Network
GBU/GRU
GBU/GRU
IP Router
IP Router
GBU/GRU
GBU/GRU
INTERNET
IP Router
IP Router
Network
GCU/GRU
GCU/GRU
Network
Network
GCU/GRU
GCU/GRU
GCU/GRU
GCU/GRU
Figure 2. ArigatoNet GBU
GCUs
can be faulty. In that case, the
will unregister one after the other
and the colony will disappear;
once a
GCU
(e.g. a laptop) has been disconnected from a colony belonging
to any administrative domain, it can migrate in another colony belonging to any other administrative domain; Summarizing, the original contributions of the paper are:
a formalization of the Registration and of the Resource Discovery Mechanism in the
Arigatoni
model in terms of a labeled transition system;
a complete domain independence of the model w.r.t. other models in the literature. In other words
Arigatoni
completely abstracts of its use, i.e.
Grid,
le/band sharing, web services, etc.
Some simulation results of the intermittent participation for a given network topology.
2 Units in a Nutshell A complete description of all the functional units of the given in [1, 2]; this section is an overview. 9
Arigatoni
model is
Cosnard, Liquori and Chand
2.1
Global Computer Unit
In the
Arigatoni
model, a Global Computer Unit (GCU) is a cheap computer
device. The computer should be able to work in Standalone Local Mode for all the tasks that it can do locally or in Global Mode, by rst registering itself in the
Arigatoni
architecture, and then by making a global request to the Overlay
ArigatoNet).
Network induced by the architecture (that we call, the
Arigatoni
GCU
model. The
must be able to perform the following tasks:
Discover, upon the physical arrival of the of a
GBU,
Figure 2 shows
GCU
in a new colony, the address
representing the leader of the colony;
GBU
Register/Unregister on the
Request some services to its
which manages the colony;
GBU,
and respond to some requests from the
GBU;
Upon reception from a
GBU
of a positive response to a request, be able to
connect directly with the servant(s)
GCU
in a
P2P
fashion, and oer/receive
the service.
2.2
Global Broker Unit
The Global Broker Unit (GBU) performs the following tasks
Discover the address of another super of the supercolony, where the every
GBU
GBU,
representing the superleader
GBU's colony is embedded. PKI certicate.
We assume that
comes with its proper
Register/Unregister the proper colony to the leader
GBU which manages the
supercolony;
Register/Unregister clients and servants Computers. By denition every
GCU
GCU
in its local base of Global
can register to at most one
Acknowledge the request of service of the client
Discover the resource(s) that satises the (local colony) of
GBU;
GCU;
GCU's
request in its local base
GCU; GBU
Delegate the request to another
Perform a combination of the above two actions;
Deal with all
Notify the client
PKI
governing another colony;
intra- and inter-colony policies;
GCU
or a delegating
GBU
the servant(s)
GCUs
that have
accepted to serve its request, or notify a failure of the request. Every
GCU
in the colony sends its request to the
GBU
which is the leader of
the colony. There are dierent scenarios concerning the demanded resource for service discovery, namely: (i) The broker nds all the resource(s) needed to satisfy the requested services of the
GCU
client locally in the intranet. Then it will send all the
information necessary to make the 10
GCU
client able to communicate with
Cosnard, Liquori and Chand
the
GCU
servants. This notication will be encoded using the
col. Then, the
GCU
GIP
GCU servant(s), P2P systems;
client will directly talk with
latter will manage the request, as in classical
proto-
and the
(ii) The broker did not nd all the resource(s) in its local intranet. In this case it will forward and delegate the request to another broker. For that purpose, it must rst register the whole colony to another supercolony; (iii) A combination of steps 1 + 2 could be envisaged depending on the capability of the
GBU
to combine resources that it manages and resources
that come from a delegate
GBU;
(iv) After a xed timeout period, or when all delegate satisfy the delegated request, the broker will notify
GBUs have failed to the GCU client of the
refusal of service. 2.3
Global Router Unit
The last unit in the
GRU
Arigatoni
model is the Global Router Unit (GRU).
The
implements all the low level network routines, those which really have
IP network. It is the only unit which eectively runs the GIP GRU can be implemented as a small daemon which runs on the same device as a GCU or a GBU, or as a shared library dynamically linked with a GCU or a GBU. The GRU is devoted to the following tasks:
access to the
protocol. The
GCU
Upon the initial startup of a
It checks the well-formedness and forwards toward their destinations.
GBU
in the
Arigatoni
GIP
it helps to register the unit to a
packets
GBU;
GIP packets across the ArigatoNet encode the requests of a GCU or a
network;
Upon the initial startup of a
GBU
it helps the unit with several other
GBUs
that it knows or discovers.
2.4
Unit Semantics
The formal semantics of the three formal units was rst presented in [2]: Figures 3 and 4 show the pseudo code embedded inside a
GCU
and a
GBU.
We write in blue the code not essential to the semantics of peer discovery and the virtual (un)growth of colonies, and we highlight in red the code which is essential.
3 Formal Semantics of the Virtual Organization : : :g does not limit an administrative domain (unlike Cardelli-
The notation f
Gordon ambients).
IPaddress. Let fGBU; : : :g
We assume that every individual comes with its own
denote a colony with its leader, e.g.
GBU; COL1 ; COL2 ; GCU1 ; GCU2 ; : : :g
f
11
Cosnard, Liquori and Chand
inparallel while true do // Registration loop GBU = Discover(MyCard ) case (GlobalMode,RegMode) is (true ,false ): ServiceReg(MyCard ,GBU,LOGIN) (false ,true ): ServiceReg(MyCard ,GBU,LOGOUT) otherwise: // Do nothing endcase endwhile with while true do // Shell loop Data = ListenLocal() Response = LocalServe(Data) case (Response,GlobalMode,RegMode) is (login ,_,_): // Open global mode GlobalMode = true (logout ,_,_): // Close global mode GlobalMode = false (true ,true ): // Ask to the GBU MetaData = PackScenario(Data) ServiceRequest(MyCard ,GBU,MetaData) otherwise: LocalReply(Response) endcase endwhile with while RegMode do // Global GBU listening MetaData = ListenGBU() case MetaData.CMD.SERVICE is SREG : // GBU responds if it accepts my registration
if CanJoin(MetaData) then RegMode = true endif
if CanLeave(MetaData) then RegMode = false endif SREQ : // GBU is asking for some resources if CanHelp(MetaData) then ServiceResponse(MyCard ,GBU,ACC ) else ServiceResponse(MyCard ,GBU,REJ ) endif SRESP : // GBU re-
sponds if it found some resources
if CanServe(MetaData) then Peers = GetPeers(MetaData) Response = GlobalServe(MyCard , Peers,MetaData) ServiceResponse(MyCard ,GBU,DONE ) LocalReply(Response) else LocalReply(fail ) endif endcase endwhile with while RegMode do // Global GCU listening MetaData = ListenGCU() if Verify(MetaData) then Data = UnPackScenario(MetaData) Response = LocalServe(Data) if Response == fail then ServiceResponse(MyCard ,GBU,ERR ) else ServiceResponse(MyCard ,GBU,DONE ) SendResult(MyCard ,GCU,Response) endif else ServiceResponse(MyCard ,GBU,SPOOF ) endif endwhile endinparallel
Figure 3. GCU pseudocode
denotes a colony with two subcolonies and two virtually addressed by the
IP
of its
GBU
GCUs
leader.
In general a community is simply denoted by f
f
highlighted. A colony is
: : :g, e.g.
COL1 ; COL2 ; GCU1 ; GCU2 g
denotes a community with two subcolonies and two
GCU's.
We present an operational semantics via a reduction relation !, between communities, that describes the main operations necessary in the
Arigatoni
model to perform leader discovery and colony's service registration, namely joining/leaving a colony, linking two colonies and moving one
GCU
from one
colony to another. As usual in process algebras, the reduction is quotiented by a set theoretical equivalence between communities. The reduction rules are listed below with a concise explication. 12
Cosnard, Liquori and Chand
inparallel while true do // Registration loop GBU = Discover(MyCard ) case (GlobalMode,RegMode) is (true ,false ): ServiceReg(MyCard ,GBU,LOGIN) (false ,true ): ServiceReg(MyCard ,GBU,LOGOUT) otherwise: // Do nothing endcase endwhile with while true do // Shell loop Data = ListenLocal() Response = LocalServe(Data) case (Response,GlobalMode,RegMode) is (login ,_,_): // Open global mode GlobalMode = true (logout ,_,_): // Close global mode GlobalMode = false (fail ,true ,true ): // You ask for you MetaData = PackScenario(Data) ServiceRequest(MyCard ,MyCard ,MetaData) otherwise: LocalReply(Response) endcase endwhile with while true do // Intra-colony listening MetaData = ListenPeer() PushHistory(MetaData) case MetaData.CMD.SERVICE is SREG : // A Peer is asking for (un)registration
foreach Peer in SubColony do // Broad-
cast intra
ServiceRequest(MyCard ,Peer,MetaData) endforeach SRESP : // A GCU responds to a request Sort&PushPeers4Id(MetaData) endcase endwhile with while true do // Spooling Peers4Id foreach (Id,Peers) in Peers4Id do if Timeout(Id) then ServiceResponse(MyCard ,{},NOTIME ) else if Satisfy(Peers,History(Id)) then ServiceResponse(MyCard , GetBestPeers4Id(Id), DONE ) endif endif PopPeers4Id(Id) endforeach endwhile with while RegMode do // Inter-colony listening MetaData = ListenGBU() PushHistory(MetaData) case MetaData.OPE is SREG : // Registration inter GBU ... as for
SREQ :
SREQ intra-colony
SREQ intra-colony // A leader GBU responds to a request ... as for
Update(Colony,MetaData) SREQ : // A Peer is asking for some request SubColony = SelectPeers(Colony,MetaData) if SubColony == {} // Broadcast inter then ServiceRequest(MyCard ,GBU,MetaData) endif
SRESP :
Sort&PushPeers4Id(MetaData) endcase endcase endwhile endinparallel
Figure 4. GBU pseudocode (i) A
GCU
joins a Colony in the same Administrative Domain
(
) = GBU samedom(GBU; GCU) = accept(GBU; GCU) = discover GCU
true true
( )= regmode(GCU) = gmode GCU
ffGBU; : : :g; GCUg ! ffGBU; GCU; : : :gg
false
(JoinGCU)
discover(GCU) = GBU discovers the leader-GBU unit, upon physical/logical insertion of the
true
GCU
in the
ArigatoNet
samedom(GBU; GCU) = true:
network;
both the broker and the global computer
reside in the same administrative domain;
accept(GBU; GCU) = true:
the broker accepts the global computer in its
colony;
gmode(GCU) = true & regmode(GCU) = false:
the global computer is
in global mode but not yet registered. The side eect of this rule is to set the registration mode to true. 13
Cosnard, Liquori and Chand
(ii) A
GCU
leaves a Colony in the same Administrative Domain
(
)= samedom(GBU; GCU) = accept(GBU; GCU) = pendingip GCU
false true false
( )= regmode(GCU) = gmode GCU
false true
ffGBU; GCU; : : :gg ! ffGBU; : : :g; GCUg
pendingip(GCU)
(LeaveGCU)
= false samedom(GBU; GCU) = true accept(GBU; GCU) = false gmode(GCU) = false & regmode(GCU) = true
: the global computer has no pending service
to give to its leader;
: both the broker and the global computer
reside in the same administrative domain;
: the broker accepts to delog the global com-
puter in its colony;
: the global computer is
in local mode but still registered. The side eect of this rule is to set its registration mode to false. (iii) A SubColony joins a Colony in the same Administrative Domain
(
) = GBU1 samedom(GBU1 ; GBU2 ) = gmode(GBU2 ) = accept(GBU1 ; GBU2 ) = regmode(GBU2 ) = discover GBU2
true
true
true
false
ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU1; fGBU2; : : :g; : : :gg
discover(GBU2 )
= GBU1 GBU2 ArigatoNet samedom(GBU1 ; GBU2 ) = true accept(GBU1 ; GBU2 ) = true GBU1 gmode(GBU2 ) = true & regmode(GBU2 ) = false : the broker
discovers the broker
upon physical/logical insertion in the
(JoinCol) GBU1 ,
network;
: both reside in the same administrative
domain;
: the broker
accepts the subcolony in
its colony;
: the broker
GBU2
is in
global mode but not yet registered. The side eect of this rule is to set its registration mode to true. (iv) A SubColony leaves a Colony in the same Administrative Domain
(
)= samedom(GBU1 ; GBU2 ) = accept(GBU1 ; GBU2 ) = pendingip GBU2
false
true false
( )= regmode(GBU2 ) = gmode GBU2
false true
ffGBU1; fGBU2; : : :g; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg
pendingip(GBU2 ) give to its leader
= false
: the broker
GBU1 ;
14
GBU2
(LeaveCol)
has no pending service to
Cosnard, Liquori and Chand
samedom(GBU1 ; GBU2 ) = true:
both reside in the same administrative
domain;
accept(GBU1 ; GBU2 ) = false:
the broker
GBU1
does not accept the sub-
colony in its colony;
gmode(GBU2 )
= false & regmode(GBU2) = true
cal mode but still registered.
: the broker is in lo-
The side eect of this rule is to set its
registration mode to false. (v) Linking two Colonies in dierent Administrative Domains
( )= newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU1 ) = agree(GBU1 ; GBU2 ) = regmode(GBU2 ) = gmode GBU1
true true
false
false
true
false
ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU3; fGBU1; : : :g; fGBU2; : : :ggg
newgbu(GBU1 ; GBU2 ) GBU1
and
GBU2 ; GBU1 ; GBU2
samedom(
= GBU3 ) = false
:
(LinkCol)
a new broker is created on behalf on
: both reside in the same administrative
domain;
agree(GBU1 ; GBU2 )
= true gmode(GBU1 ) = true & gmode(GBU2 ) = false & regmode(GBU2 ) = false
: an agreement between the two brokers is
signed;
true
& regmode(GBU1) =
: the brokers are in global mode but
still registered.
The side eect of this rule is to set the registration
mode of both brokers to true. (vi) Unlinking two Colonies in dierent Administrative Domains
( )= pendingip(GBU2 ) = pendingip(GBU3 ) = gmode(GBU1 ) = newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU1 ) = agree(GBU1 ; GBU2 ) = regmode(GBU2 ) = pendingip GBU1
false
false
false
false false
false
true
false
true
ffGBU3; fGBU1; : : :g; fGBU2; : : :ggg ! ffGBU1; : : :g; fGBU2; : : :gg
newgbu(GBU1 ; GBU2 ) GBU1
and
GBU2 ; GBU1 ; GBU2
samedom(
= GBU3 ) = true
:
(UnLinkCol)
a new broker is created on behalf of
: both reside in the same administrative
domain;
agree(GBU1 ; GBU2 )
= false pendingip(GBU1 ) = false & pendingip(GBU2 ) = false & pendingip(GBU3 ) = : an agreement between the two brokers is
withdrawn;
false: the brokers
GBU1;2;3
has no pending service; 15
Cosnard, Liquori and Chand
gmode(GBU1 ) = false & gmode(GBU2 ) = false & regmode(GBU1 ) = true & regmode(GBU2 ) = true: the brokers are in local mode but still registered. The side eect of this rule is to set their registration mode to false.
(vii) Contextual Rules and Congruence As usual in process algebras, we add the following congruence rules for set union and set minus, and Morris-style equivalence rules, where
COM
denotes communities,
COL
denotes colonies and
theoretical equality. All symbols can be indexed.
=
denotes the set
! COM2 (CommCup) COM1 [ COM3 ! COM2 [ COM3 COM1
COM1
= COM3 [ COM4
COM3 \ COM4
=;
COM3
! COM2
Rule
(CommMinus)
! COM2 n COM4 COM1 = COM3 COM3 ! COM4 COM4 = COM2 (MorrisEq) COM1 ! COM2 COM3
(CommCup) (CommMinus)
is the usual Contextual closure of the reduction rules,
while rule
states that a reduction can drop in its right-hand
side some individuals that are not essential to the ring of the reduction itself. As usual let !
be the reexive and transitive closure of !.
4 Join/Leave a Colony in a Dierent Administrative Domain The acute reader has observed that the above labeled transition system forbids an individual to join/leave another colony whose leader resides in a dierent
Administrative Domain.
This is sound in order to guarantee the integrity
and the security of the virtual organization induced by the
Arigatoni
model.
Crossing safely administrative domains is an important security problem that the model must take into account. However, the situation where one individual does not receive enough help from the local colony or, worst, where it is even rejected as an individual, could be very common.
In this case, it is highly
desirable that the model permits a mechanism to cross boundaries of the administrative domain in order to make a service request to another colony which resides in another administrative domain.
This can be done in two
ways: (i) the individual resident in an administrative domain
IP1
knows some
friends inhabitant of the colony resident in another administrative domain
IP2 (think of the individual as a laptop connected in a hot spot of
an airport, and think of the friend as the desktop in its own oce). Then, via an explicit
ssh
the laptop can log into the desktop and send
a global request to the mother colony. As such, the laptop works in its 16
Cosnard, Liquori and Chand
local mode while the desktop works in global mode. The nal result will be send, via
ssh-tunneling
to the laptop.
This mechanism of tunneling is well-known in common practice of nomadic behaviors and it does not require any ad hoc rewriting rules in the
Arigatoni
virtual organization since the connection individual-friend is
done explicitly and privately; (ii) the individual resident in an administrative domain
IP1 knows no inhabIP2 , but it
itant of the colony resident in another administrative domain knows the
IP
address of the leader of the colony. If the leader agrees, it
can arrange an
ssh-tunnel
by creating from scratch a virtual clone of
the remote individual and by registering it in the colony on behalf of the leader of the colony. As in the previous case, the laptop can log into the desktop and send a global request to the mother colony. As such, the laptop works in local mode while the clone works in global mode. nal result will be sent, via
ssh-tunneling
The
to the laptop.
This mechanism is well-known in common practice of nomadic behaviors and is reminiscent of the Virtual Private Network technology (VPN) [7].
To implement this
VPN-like
behavior, we must add four ad
hoc rewriting rules in the labeled transition system showed in Figure 5. For obvious lack of space those rules are not commented but left as an easy exercise to the interested reader.
5 Firing Free Riders Again, the acute reader has observed that the original labeled transition system allows free riders to become members of one colony.
In economics and political science, free riders are actors who consume more than their fair share of a resource, or shoulder less than a fair share of the costs of its production.
The free rider problem is the question of how to
prevent free riding from taking place, or at least limit its negative eects. Because the notion of fairness is a subject of controversy, free riding is usually only considered to be an economic problem when it leads to the non-production or under-production of a public good, and thus to Pareto ineciency, or when it leads to the excessive use of a common property resource. [From Wikipedia]. The selsh nodes in
P2P
networks, called free riders, only utilize other
peers resources without providing any contribution in return, have greatly jeopardized the fairness attribute of
P2P
networks. Figure 6 presents the two
rules that take into account the ratio between the number of services oered and the number of services demanded by an individual.
If the leader of a
colony nds that an individual ratio of fairness is too small (
),
for a given
it can arbitrarily decide to re that individual without notice In those
rules the function pendingip also checks that the individual has no pending 17
Cosnard, Liquori and Chand
(
) = GBU agree(GBU; GCU1) = samedom(GBU; GCU1 ) = gmode(GCU1 ) = newgcu(GBU; GCU1 ) = GCU2 regmode(GCU1 ) = samedom(GBU; GCU2 ) = gmode(GCU2 ) = accept(GBU; GCU2 ) = regmode(GCU2 ) = discover GCU1
true
false
true true
true
false
true
false
ffGBU; : : :g; GCU1g ! ffGBU; GCU2; : : :g; GCU1g
(
)= samedom(GBU; GCU1 ) = pendingip(GCU2 ) = newgcu(GBU; GCU1 ) = GCU2 gmode(GCU1 ; GCU2 ) = samedom(GBU; GCU2 ) = regmode(GCU1 ) = accept(GBU; GCU2 ) = regmode(GCU2 ) = agree GBU; GCU1
false
(JoinTunnelGCU)
false false false
true
false
false
true
ffGBU; GCU2; : : :g; GCU1g ! ffGBU; : : :g; GCU1g
(
) = GBU1 agree(GBU1; GBU2) = samedom(GBU1 ; GBU2 ) = gmode(GBU3 ) = newgbu(GBU1 ; GBU2 ) = GBU3 regmode(GBU3 ) = samedom(GBU1 ; GBU3 ) = gmode(GBU2 ) = accept(GBU1 ; GBU3 ) = regmode(GBU2 ) = discover GBU2
(LeaveTunnelGCU)
true
false
true true
true
false
true
false
ffGBU1; : : :g; fGBU2; : : :gg ! ffGBU1; fGBU3g; : : :g; fGBU2; : : :gg
(
)= samedom(GBU; GBU2 ) = pendingip(GBU3 ) = newgbu(GBU1 ; GBU2 ) = GBU3 gmode(GBU2 ; GBU3 ) = samedom(GBU1 ; GBU3 ) = regmode(GBU2 ) = accept(GBU1 ; GBU3 ) = regmode(GBU3 ) = agree GBU1 ; GBU2
false
(JoinTunnelCol)
false false false
true
true
false
false
ffGBU1; fGBU3g; : : :g; fGBU2; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg
(LeaveTunnelCol)
Figure 5. Extra Reduction Rules for Service Request via Tunnelling
à la
VPN
services to oer, or that the timeout of some promised services has expired, the latter case means that the free rider promised some services but nally did not provide any service at all (not trustfull). The function notiring sends a message to the free rider, notifying it that it was denitively red from the colony. 18
Cosnard, Liquori and Chand
(
)= gmode(GCU) = samedom(GBU; GCU) = regmode(GCU) = f airness(GBU; GCU) notifiring (GBU; GCU) pendingip GCU
false
true
true
true
ffGBU; GCU; : : :gg ! ffGBU; : : :g; GCUg
(
(FireGCU)
)= gmode(GBU2 ) = samedom(GBU1 ; GBU2 ) = regmode(GBU2 ) = f airness(GBU1 ; GBU2 ) notifiring (GBU1 ; GBU2 ) pendingip GBU2
false
true
true
true
ffGBU1; fGBU2; : : :g; : : :gg ! ffGBU1; : : :g; fGBU2; : : :gg Figure 6. Extra Reduction Rules for Firing
(FireCol)
Free Riders
6 Examples In [1, 2], a
Grid
scenario for Seismic Monitoring was presented. In this section
we briey recall the scenario and we present, by means of labeled transition system reductions, the evolution of the virtual organizations.
6.1
(Re)Setting the Scenario (from [1, 2])
John, chief engineer of the SeismicDataCorp Company, Taiwan, on board of the seismic data collector ship, has to decide on the next data collect campaign. For this he would like to process the 100 TeraBytes of seismic data that have been recorded on the mass data recorder located in the oshore data repository of the company, to be processed and then analyzed. He has written the processing program for modeling and visualizing the seismic cube using some parallel library like e.g.
MPI/PVM: his program can be
distributed over dierent machines that will compute a chunk of the whole calculus; However, the amount of computation is so big that a supercomputer (GCU and a cluster of PC (GCU
CLU
SCU )
) has to be rented by the SeismicDataCorp com-
pany. John will also ask for bandwidth via an
ISP located in Taiwan (GCUISPTW )
in order to get rid of any bottleneck related to the big amount of data to be transferred. Aftermath, the processed data should be analyzed using a Virtual Reality
Center,
VRC (GCUVCRCPU )
based in Houston, U.S.A. by a specialist team
and the resulting recommendations for the next data (GCU
VRCSPEC )
collect
campaign have to be sent to John. Hence one would like the following scenario to happen:
John logs with its laptop (GCU
John )
to the
Arigatoni
overlay network in a
given colony in Taiwan, and sends a quite complicated service request in order for the data to be processed using his own code. 19
Usually the
GBU
Cosnard, Liquori and Chand
Network Network
GBU Taiwan
John Taiwan
Seismic Data
ISP GBU ISP
Network Network
INTERNET INTERNET
Network Network
GBU/GRU
GBU/GRU
Network Network
GCU/GRU
Super computer
PCluster
VRC Houston
GIP REQUEST/RESPONSE
VERY HIGH SPEED ISP
Figure 7. A Grid Scenario for Seismic Monitoring
leader of the colony will receive and process the request;
If the resource discovery performed by the puter, a cluster and an
ISP
GBU
succeeds, i.e. a supercom-
are found, then the data are transferred at a
very high speed and processed;
John will order to the
GCUSDTW
containing the seismic data to dispatch
suitable chunks of data to the supercomputer and the cluster designated by the
GBU
to perform some pieces of computation;
John will assign to the supercomputer unit the task of collecting all intermediate results in order to compute the nal result (i.e. it will play the role of Maestro di Orchestra );
The processed data are then sent from the supercomputer, via the high speed
ISP
to the Houston center for being visualized and analyzed;
Finally, the specialist team's recommendations have to be sent to John's laptop.
This scenario is pictorially presented in Figure 7. 20
Cosnard, Liquori and Chand
6.2
Formalizing the Scenario
The initial community (the primitive Soup ) will be composed of the following elements:
=4 ffGBUSDTW g; GCUSDTW ; fGBUISPTW g; GCUISPTW ; fGBUCPUg;
COMSoup
GCUSCU ; GCUCLU ; fGBUVRC g; GCUVRCPU ; GCUVRCSPEC g
By applying ve times the reduction rule munity:
we obtain the new com-
=4 ffGBUSDTW ; GCUSDTW g; fGBUISPTW ; GCUISPTW g; fGBUCPU;
COM1
and
(JoinGCU)
GCUSCU ; GCUCLU g; fGBUVRC ; GCUVRCPU ; GCUVRCSPEC gg
COMSoup
!
5 COM1 .
Then by applying the reduction rule
(CommCup)
we
4 see John's laptop appear in the new community, COM2 = COM1 [ fGCUJohn g: 4 ; fGBU ; GCU g; fGBU ; GCU g; COM = fGCU
2
SDTW SDTW ISPTW ISPTW John fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg
By applying again
COM3
(JoinGCU)
we obtain the new community:
=4 ffGBUSDTW ; GCUSDTW ; GCUJohng; fGBUISPTW ; GCUISPTW g;
fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg
Now, if the community whose leader is whose leader is
agrees to join the colony
GBUISPTW (both are supposed to live in the same administrative
domain), by applying rule
COM4
GBUSDTW
(JoinCol)
, we obtain the new community:
=4 ffGBUISPTW ; GCUISPTW ; fGBUSDTW ; GCUSDTW ; GCUJohngg;
fGBUCPU; GCUSCU; GCUCLUg; fGBUVRC; GCUVRCPU; GCUVRCSPECgg
The colony in Taiwan and the colony whose leader is
GBUCPU
(they are
supposed to live in dierent administrative domain) sign an agreement, by applying rule
=4
COM5
(LinkCol)
, so giving the new community:
f fGBUISP&CPU; fGBUISPTW ; GCUISPTW ; fGBUSDTW ; GCUSDTW ; GCUJohngg; fGBUCPU; GCUSCU; GCUCLUg g; fGBUVRC; GCUVRCPU; GCUVRCSPECgg Finally, the colony containing John's laptop is ready to receive John's huge
Service Request, and, hopefully for John, the request will be accepted and performed . . . It is now time for John to come back home and the community
COM5
could then (but this is not mandatory) disintegrate. By applying
(LeaveGCU (LeaveCol) (CommCup) (CommMinus)
the dual reduction rules congruence rules soup, i.e.
COL5
!
),
and
, and
(UnLinkCol)
plus the
, we come back to the initial
COMSoup .
21
Cosnard, Liquori and Chand
7 Properties In this section we prove that our process algebra is able to model the virtual organization of the
Arigatoni
model.
Morris-style contextual equivalence [5] is the standard way of saying that two communities have the same behavior (are equivalent) if and only if whenever they are merged inside an arbitrary community, they admit the same elementary observations. In our setting and as usual in process algebras, contextual equivalence is formulated in terms of observing the presence of top-level colonies, as in the next denition.
Denition 7.1
[Colony Exhibition and Contextual Equivalence]
(i) a community
COL
COM
COL,
must exhibit a colony
COM #must COL, COL, i.e.
write
is a community containing a top-level colony
=4
COM #must COL (ii) a community
COM
COL,
=
may exhibit a colony
after a number of reductions, colony
COM
COL
f
if
: : : ; COL; : : :g
COL,
write
COM
#
may COL,
if
is a community containing a top-level
i.e.
=4
COM #may COL
COM
!
COM0
and
COM0
=
f
: : : ; COL; : : :g
C[] be a community containing zero or more holes, and COM let C[COM] be the community obtained by lling
(iii) let the context
for any community each hole in
C[] with a copy of COM.
community, write
COM
COM
'
COM , 0
'
COM0
=4
The contextual equivalence between
is dened as
for all
COL
and
C[] we have
C[COM] #may COL , C[COM ] #may COL 0
COM ! ' COM0 COM00 ' COM0 .
(iv) let
if there exists
COM00
such that
COM
!
COM00
and
Let C OM be the set of communities generated by the BNF syntax.
Theorem 7.2 (Closure Under Reduction) (i) If
COM
2 C OM,
(ii) If
COM
'
COM ,
(iii) If
COM
! '
0
and then
COM0 ,
COM
!
COM0 ,
COM; COM
then
0
COM
then
2 C OM;
2 C OM;
COM; COM0
2 C OM
Proof 1) By observing the reduction rules of the labeled transition system, one can verify that if the left-hand side belongs to 22
C OM,
then it is also the case
Cosnard, Liquori and Chand
for the right-hand side. The nal result can be obtained by induction on the number of reduction. 2,3) By point 1) using Denition 7.1.
2
Theorem 7.3 (Inversion) COM !(JoinGCU=COL) COM0 on the individual (GCU or COL), and COM0 !(LeaveGCU=COL) COM00 on the same individual, then COM COM00 ;
(i) If
(ii) If
COM
!
(LinkCol) COM
=
0
on two colonies, and
the same colonies, then
Proof
COM
= COM .
COM
0
00
!
(UnLinkCOL) COM
00
on
By observing the reduction rules, one can observe that the right-hand
(JoinGCU), (JoinCOL), and (LinkCOL) corresponds to the left-hand side of the dual reduction rules (LeaveGCU), (LeaveCOL), and (UnLinkCol), and conversely the left-hand side of the reduction rules (JoinGCU), (JoinCOL), and (LinkCOL) corresponds to the right-hand side of the dual reduction rules (LeaveGCU), (LeaveCOL), and (UnLinkCol). Applying one rule
side of the reduction rules
2
after the other clearly corresponds to an identity operation.
Theorem 7.4 (Adequacy of the labeled transition system w.r.t. the pseudocode) The labeled reduction system is adequate with the pseudocode of the of the
Proof
GCU
GBU
and
shown in Figure 3 and 4.
(Sketch) Observe that the red parts of the pseudocode of the
cerning the set and unset of the variables ring of the two rules
globalmode=regmode
(JoinGCU) and (LeaveGCU). GBU
of the pseudocode of the
GCU
con-
leads to the
Moreover, the red parts
concerning the set and unset of the variables
globalmode=regmode leads to to the ring of the two rules (JoinGCU) and (LeaveGCU). The last two rules of the transition systems, namely (LinkCol) and (UnLinkCol) are encapsulated (hence hidden) in the function calls Update(Colony,Metadata)
8 Experimental Evaluation In this section, we provide results from experimental evaluation.
We have
conducted simulations using large numbers of units and service requests. In this paper, we specically focus on the eect of individuals disconnections on the average service acceptation ratio. More precisely, we have implemented reduction rules
(JoinCol)
, and
(LeaveCol)
(JoinGCU); (LeaveGCU)
, that represent the "core" rewriting set to simulate
the dynamic behavior in the
Arigatoni
Overlay topology. We expect to imple-
ment the full set of rewriting rules dening the operational semantics soon.
8.1
Simulation Setup
We have generated a network topology using the transit-stub model of the Georgia Tech Internetwork Topology Models package [8], on top of which we 23
,
Cosnard, Liquori and Chand
Arigatoni
added the
Overlay Network. The resulting network topology, shown
in Figure 8, contains
103 GBU
GBU2
s.
(highlighted with a square in Figure 8)
was chosen as the root of the topology. We considered a nite set of resources 50
65
51 62
61
76
68
55
39 40
70
22 91
73
82
83 81
59
13
37
7
14
38
12
4
8
20
3
18
95 101
86
84
21
17 15
16
71 74
26
24 19
85 53
54
23
87 0
57 58
25 31
69
72 41
35
33
2
42
52
32
92
79
47
44
27
90 77
1
45
28
93
80
66
67
46 43
29
78 49
64
88
30
75
63
60
34
89
48
96 98
36
56
5
10
94 102
11 9
97
103 100
6 99
Figure 8. Simulated network topology with 103 GBUs
R1 Rr
of variable size
a resource.
r, and represented a service by a direct mapping to
In other words, a service expresses the conditional presence of
a single resource.
We have a set of
r
S1 Sr g,
services f
expresses the conditional presence of resource
Si
means that it can provide resource
Ri .
Ri .
A
GCU
where service
Si
declaring service
This model, while quite simple, is
still generic enough, and is sucient for the main purpose of our experiments, which is to study the impact of individuals disconnections on the average service acceptation ratio. Results are illustrated in Figure 9.
50
GCU load, we attached GCUs to each GBU; we then randomly added each service Si with probability at each GCU and had it registered via the registration service of Arigatoni. The routing tables of the GBUs were updated starting at the initial GBU and ending at the root of the topology, GBU2 . We then issued n service requests at GCUs chosen uniformly at random. To simulate
Each request contained one service also chosen uniformly at random.
Each
service request was then handled by the Resource Discovery mechanism of
Arigatoni
75%
(described in [4]). We used a service acceptation probability of
, which corresponds to the probability that a
GCU
=
that receives a service
request and that declared itself as a potential Individual for that service (i.e. that registered it), accepts to serve it. Upon completion of the
n requests, we computed the average service accep-
tation ratio as follows. For each
GCU,
we computed the local acceptation ratio
as the number of service requests that yielded a positive response (i.e. the system found at least one Individual), over the number of service requests issued 24
Cosnard, Liquori and Chand
at that
GCU.
We then computed the average acceptation ratio as the average
value over the number of
GCUs (that issued at least one service request). GBUs disconnections (i.e., rewriting rules JoinCol
(
To study the impact of and
(LeaveCol)
), we used a deconnection probability variable
)
that indicates
= 0% means all individuals are con = 100% means all individuals are disconnected). We then repeated the same experiment when of the GBUs population, chosen uniformly a fraction of disconnected individuals (
nected, while
at random, have been disconnected from their leader. When a subcolony has
GBU leader, it continues to operate in standalone GBU leader as the current broker. Therefore, the ser-
been disconnected from its mode, i.e. with its local
vices oered by the other colonies are unavailable inside, while services oered by the colony itself are not available outside. For each value of we repeated the same experiment
10
2 [0 100]%,
times, and measured the average value
of the acceptation ratio. In each of the
10
runs, the disconnected
GBUs
were
chosen uniformly at random, independently of the previous runs (i.e., with a dierent random seed). We then computed the standard deviation of the average service acceptation ratio (over the
10
values).
Starting from the fully connected topology
COM1
of Figure 8, the rationale
of the simulation corresponds to applying a number of
(JoinGBU)
rewriting
rules to have some Individuals join the Colony, and then applying a number of
(LeaveGBU)
rewriting rules to have some other Individuals leave the Colony,
and then performing the experiment 10 times.
COMi
!
(JoinGBU) COMi+1 !(LeaveGBU) COMi+1
0
We nally studied the eect of and
(LeaveGCU)
i = 1 : : : 10
GCUs disconnections (rewriting rules
), by repeating the same experiment when
ulation have been disconnected from their leader. connected
GCU
(JoinGCU)
of the GCUs pop-
Also in this case, a dis-
continues to work in standalone mode using only their own
resources. As for the
GBU
COMi
!
case, we have
(JoinGCU) COMi+1 !(LeaveGCU) COMi+1
0
i = 1 : : : 10
The Resource Discovery algorithm was implemented in C++ and compiled
GNU C++ version 2.95.3. Experiments were conducted on a 3.0 Intel Pentium machine with 2 GB of main memory running Linux 2.4.28.
using
dierent experimental parameters are summarized in Table 1. availability ratio,
,
was xed to a value of
service acceptation ratio of almost
100%
0:12%
Ghz The
The service
, which yields an average
with no subcolonies disconnections.
Figure 9(a) shows that the average service acceptation ratio decreases exponentially with the number of subcolonies (i.e.,
GBUs)
disconnections. This is
not surprising, since when a subcolony has been disconnected, all the services oered by the other colonies are unavailable. Conversely, all the services offered by the subcolony are unavailable for the other colonies. Note that when 25
Cosnard, Liquori and Chand
Parameter Description K r n
Value
Number of GBUs
103
Size of services pool
128
0:12% 75% 50000 [0 100]%
Service availability Service acceptation probability Number of service requests issued Fraction of disconnected individuals
Table 1 Parameters of the experiments (a) 100
Avg. acceptation ratio (GCU disconnections) Avg. acceptation ratio (GBU disconnections)
Acceptation Ratio (%)
80 60 40 20 0
0
20
40 60 80 Disconnected population (%)
100
(b) 100
(c) 16
Average service acceptation ratio (δ=10%)
14 12 Std deviation (%)
Acceptation Ratio (%)
80 60 40
10 8 6 4
20 0
Std deviation of acceptation ratio
2 0
1
2
3
4
5 Run
6
7
8
9
0
10
0
20 40 60 80 Fraction of disconnected population (%)
100
Figure 9. (a) Average service acceptation ratio w.r.t. fraction of disconnected population. (b) Average service acceptation ratio for the dierent runs of the value . (c) Standard deviation of the service acceptation ratio w.r.t. fraction of disconnected population.
= 10%
all subcolonies have been disconnected (
100%
), the average service accepta-
tion ratio is not null. Indeed, the local colony of a connected to the
GBU)
GCU
GCUs
GCU
directly
GCU
of the same colony.
disconnections have more impact on the average
service acceptation ratio than when a
GCUs
(i.e., the
remains operational, i.e., the services oered by a
are available for the other We observe that
GBU
GBU disconnections.
This is due to the fact that
is disconnected, all the services that it provided are unavailable
for the entire system and, conversely, all the services provided by the system are unavailable for it. acceptation ratio is
0
As expected, for a value of
= 100%
, the average
, as no service at all is unavailable.
Figure 9(a) shows the dierent values of the average service acceptation ratio obtained for a value of
= 10% 26
of the fraction of disconnected pop-
Cosnard, Liquori and Chand
ulation. of
103
As previously explained, for each run, we chose
10 GBU
s (
10%
) uniformely at random, independently of the previous runs, i.e., with
a dierent random seed.
In other words, the disconnected subcolonies are
dierent in each run. Figure 9(b) shows that subcolonies disconnections can have a very dierent impact on the acceptation ratio.
In fact, low level
subcolonies disconnections have a dramatic impact whereas high level subcolonies disconnections have a very limited, local impact. Figure 9(c) shows that, unsurprisingly, the level of the disconnected subcolony has less impact on the service acceptation ratio for higher values of
.
Acknowledgment The authors ack
Aeolus FP6-2004-IST-FET Proactive, and the French grant
ACI Modulogic.
References [1] D. Benza, M. Cosnard, L. Liquori, and M. Vesin. An Overlay Network for Grid and Global Computing [Extended Abstract]. Technical report, INRIA, November 2005. [2] D. Benza, M. Cosnard, L. Liquori, and M. Vesin. Arigatoni: Overlaying Internet via Low Level Network Protocols. Technical Report RR 5805, INRIA, January 2006. http://www.inria.fr/rrrt/rr-5805.html. [3] L. Cardelli and A. D. Gordon. Mobile Ambients. 240(1):177213, 2000.
,
Theoretical Computer Science
[4] R. Chand, M. Cosnard, and L. Liquori. Resource Discovery in the Arigatoni model. In Proc. of I2CS, LNCS. Springer-Verlag, 2006. [5] J. H. Morris. MIT, 1968.
Lambda-calculus models of programming languages
. PhD thesis,
[6] V. Sassone. Global Computing II: A New FET Program for FP6. Talk, Bruxelles, 4/6/04. [7] Virtual Private Network Consortium. http://www.vpnc.org/.
Virtual Private Network Home Page.
[8] E.W. Zegura, K. Calvert, and S. Bhattacharjee. How to Model an Internetwork. In Proceedings of INFOCOM 1996, San Francisco, March 1996.
27
DCM 2006
A Calculus of Global Interaction based on Session Types 1 Marco Carbone
2
Department of Computer Science Queen Mary and West eld College London, United Kingdom
Kohei Honda
3
Department of Computer Science Queen Mary and West eld College London, United Kingdom
Nobuko Yoshida
4
Department of Computing Imperial College London, United Kingdom
Abstract
This short note outlines two dierent ways of describing communication-centric software in the form of formal calculi and discuss their relationship. Two dierent paradigms of description, one centring on global message ows and another centring on local (end-point) behaviours, share the common feature, structured representation of communications. The global calculus originates from Choreography Description Language (CDL), a web service description language developed by W3C's WS-CDL Working Group. The local calculus is based on the -calculus, one of the representative calculi for communicating processes. We illustrate these two descriptive frameworks, outlines the static and dynamic semantics of these calculi, and discuss the basic idea of end-point projection, by which any well-formed description in the global calculus has a precise representation in the local calculus. Key words: Web Services, -calculus, Session Types. This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
Carbone, Honda and Yoshida
1 Introduction The purpose of the present note is two-fold. The rst is to introduce a formal calculus for communication and concurrency which fundamentally diers from existing concurrency formalisms. This calculus was born as a result of a dialogue between W3C's working group on web service standards, and is based on the idea of global description of interactions. Related descriptive methods have been practiced in varied contexts, including the standard notation for cryptographic protocols [13], message sequence charts (MSC) [11,8], a language related with MSC called DiCons [2], and UML sequence diagrams [14]. One may also view petri-net based description of various systems [16,3] as an instance of such global descriptions. The use of types in the formalism, based on session types [15,10,7,17,9], is the main dierence from these notations. As its origin in W3C standardisation suggests, this formalism is distillation of engineering needs for describing complex interaction which may occur in real world business processes. The associated long version [5] presents extensive examples of business protocols written in the proposed global formalism. The second aim of this note is to outline a theory which rigorously relates this engineeringly oriented formalism to a typed process calculus, which is based on the notion of processes and their interaction. Establishing this connection is important since, through this link, a rich theory of algebras, calculi and logics for processes becomes available for direct dialogue with engineering practice. The target of the mapping is an applied version of the -calculus based on session types (which can indeed be faithfully encodable in the -calculus [12]). The mapping from the global formalism to the process formalism is called end-point projection, or EPP for short, following the terminology of WS-CDL (where EPP is regarded as an underpinning of a variety of web service engineering, including monitoring, conformance and interoperatbility). EPP projects a given global description to a collection of end-point behaviours, whose mutual communication should realise the original global scenario. We naturally desire EPP to be sound and complete, in the sense that all and only globally described behaviour is realised in interactions among end-point behaviour. To make this possible, we impose simple descriptive principles to global descriptions. For those global descriptions which are well-typed and which follow these descriptive principles, there is a simple and direct EPP which is type preserving and which is sound and complete with respect to the original dynamic semantics. This EPP theory (including type disciplines and EPP mapping) will be published as a supplementary document 1
We would like to thank Gary Brown and Steve Ross-Talbot for their collaboration in the
development of this work. GR/T04236/01,
This work is partially supported by EPSRC GR/R03075/01,
GR/S55538/01,
GR/T04724/01,
MOBIUS.
2 3 4
Email: Email: Email:
[email protected] [email protected] [email protected]
28
GR/T03208/01
and
IST-2005-015905
Carbone, Honda and Yoshida
to the speci cation of WS-CDL 1.0, and will be implemented as part of an open-source reference implementation of WS-CDL [1]. Thus the present work started from practice, gets related to theory, and nally again comes back to practice. This will further motivate and encourage a dialogue between theoretical studies and engineering. We argue such a dialogue is highly bene cial, not only for advancement of rigorous engineering but also for enrichment of theory. It is worth outlining the direct engineering background of the present work, WS-CDL. WS-CDL, or formally Web Service Choreography Description Language [18], is an XML-based web service description language developed by W3C's WS-CDL Working Group, in collaboration with invited scientists including the present authors. WS-CDL has been developed in order to meet engineering needs for the development of business protocols on the world-wide web. The central engineering idea of WS-CDL is embodied by the term choreography in its name. The underlying intuition can be summarised as follows: \Dancers dance following a global scenario without a single point of control."
WS-CDL is about writing down such a \global scenario": in computational terms, it is a language for describing business protocols from a global viewpoint such that the description can be executed by individual distributed processes without a single point of control. In other words, if a designer writes a global description in WS-CDL, it should be realisable as communicating processes without any central controlling agent (which contrasts with the notion of orchestration, where one master component, \conductor", directly controls activity of one or more slave components). Thus the notion of choreography intrinsically demands an appropriate framework of EPP. A broader background of the present work is the explosive growth of the Internet and world-wide web which has given rise to, in the shape of de facto standards, an omnipresent naming scheme (URI/URL), an omnipresent communication protocols (HTTP/TCP/IP) and an omnipresent data format (XML). These three elements arguably oer the key infra-structural bases for application-level distributed programming. This engineering background makes it feasible and advantageous to develop applications which will be engaged in complex sequences of interactions among two or more parties. Another background is maturing of theories of processes centring on the calculus and its types. The two formalisms we shall discuss are based on a common notion of structured communication, called session. A session binds a series of communications between two parties into one, distinguishing them from communications belonging to other sessions. This is a standard practice in business protocols (where an instance of a protocol should be distinguished from another instance of the same or other protocols) and in distributed programming (where two interacting parties use multiple TCP connections for performing a unit of conversation). The type disciplines for sessions have been studied over long years in the context of the -calculus [10,7,17,4], where 29
Carbone, Honda and Yoshida
it has been shown that they oer a high-level abstraction for communication behaviour upon which further re ned reasoning techniques can be built. We shall discuss not only sessions oer a natural articulation for description of global description of complex interaction behaviour but also session types play an essential role in the presented theory of end-point projection. The next section of this abstract brie y outlines the global formalism (a distilled version of WS-CDL), the corresponding process formalism (called end-point calculus, which is an applied version of the -calculus), and a theory of EPP. Exploration of many examples, the full technical development of the theory, and detailed discussions on related works, can be found in [5,6].
2 Outline of Calculi and Formal Results The formal syntax of the global calculus is given by the standard BNF. Below symbols I; I 0 ; : : : denote terms of the global calculus, also called interactions. Terms describe a course of information exchange among two ore more parties from a global viewpoint. I ::= A ! B : c( s~) : I j A ! B : shop; e; y i : I j x@A := e : I j I1 j I2 j if e@A then I1 else I2 j I1 + I2 j ( s) I j X j rec X : I j
0
(init) (com) (assign) (par) (ifthenelse) (sum) (new) (recVar) (rec) (inaction)
Above a; b; c; ch; : : : range over service channels, which may be considered as shared channels of web services; s; s0 ; : : : range over session channels, which designate communication channels freshly generated for each session; s~ indicates a their vector; A; B; C; : : : range over participants. Each participant is equipped with its own local states, storing and updating values in its variables (x; y; z; : : :); X; Y; Z; : : : range over term variables, which are used to represent recurrence in combination with recursion rec X:I ; and a e; e0 ; : : : range over arithmetic and other standard rst-order expressions. The following gives an example of description, depicting a repeated interactions where Buyer asks Seller to give a good quote. Only when a quote is 30
Carbone, Honda and Yoshida
good, a buyer accepts, and Seller sends a shipping request to Shipper. Buyer ! Seller : ch1( s; t): Buyer ! Seller : shQuoteReq; prod@Buyer; prod@Selleri: rec X: Seller ! Buyer : thQuoteRes; quote@Seller; quote@Buyeri : if
reasonable(quote)@Buyer then Buyer ! Seller : shQuoteAcc; adr @Buyer;
adr@Selleri:
Seller ! Shipper : ch2( r ):
(omitted)
else Buyer ! Seller : shQuoteNoGoodi:X endif
where, for example, \prod@Buyer" indicates a variable prod located at Buyer. Many other examples of descriptions of complex protocols are found in [5,6]. The reduction of the global calculus is de ned using an intuitive notation, (I; )
!
(I 0 ; 0 )
which says a global description I in a state (which is the collection of all local states of the participants) will be changed into I 0 in a new con guration 0 . Samples of reduction rules are, writing [x@B 7! v] for the result of updating the variable x located at B : (A ! B : ch( s~): I; ) ! (( s~)I; ) (A ! B : shop; v; xi: I; ) ! (I; [x@B 7! v]) (x@A := v: I; ) ! (I; [x@A 7! v]) if (I1; ) (I1 + I2 ; ) ! (I10 ; 0 ) if (I1; ) (I1 jI2 ; ) ! (I10 jI2 ; 0 )
! !
(I10; 0 ) (I10; 0 )
Note updates of stores in the second and third rules are local to designated participants. The type discipline for the calculus is based on session types. Writing ; i ; ::: for rst-order value types, the grammar of types is given as:
::=
s I i hop ; i i: i t j 0 i
j
j
s J i hop ; i i: i
while the typing sequent has the form: 31
i
`
I
j
1 j 2
where:
j
rec
t:
Carbone, Honda and Yoshida
Typically contains a type assignment of the form ch@A : (~s), which says a service channel ch at A may be invoked with fresh s~ followed by a session . Typically contains a type assignment of the form s ~[A; B ] : , which says a session of type from A to B takes place via s~ (where uses at most s~). The typing rules are omitted, by which we have the standard properties such as subject reduction and minimal (principal) typing. The end-point calculus is an applied version of the -calculus [12]. The following grammar de nes processes (P; Q; : : :) and networks (M; N; : : :).
P ::=
(~s):P j ch( s~):P j s i opi (~yi ):Pi j x := e:P j if e then P1 else P2 j P Q j X j rec X:P j 0 ! ch
N ::= A[P ]
j
N1 j N2
j
( s)N
j
j j
s ophe~i:P P jQ j ( s)P
where A[P ] indicates a participant A whose behaviour is given by P and whose local state is . Reduction is given modulo the standard structural equality, with sample rules:
A[! ch(~s):P j R]A j B [ch( s~):Q j S ]B ! ( s ~)(A[P j ! ch(~s):P j R]A A[s i opi (yi ):Pi j R]A
j
B [s op hviQ j S ]B ! A[Pj j R]A [yj 7!v ]
j
B [Q j S ]B )
j
B [Q j S ]B
j
The typing for the end-point calculus uses the same set of types, with the two forms of sequent, one for processes and one for networks ( and are as above): `A P ; ` M where `A P designates, as subscript, the participant A in which the subject process P is to be located. The typing rules are those of the standard session typing [10] (extended to multiple session channels). One basic rule is the following initialisation rule: (init)
; ch@A :(~s) `A P s~ : ; ch@A :(~s) `A ! ch(~s):P
;
which demands linear session channels in the premise are abstracted in the conclusion (note the service channel ch is replicated). The typing system satis es the standard subject reduction, freedom from type errors, and the minimal (principal) typing. Finally we translate a global description to its end-point counterpart (endpoint projection, or EPP). The process of EPP can however be tricky, because 32
Carbone, Honda and Yoshida
we can easily produce a global description which does not correspond to realisable local counterpart. We have identi ed three descriptive principles, which are: Connectedness, a basic local causality principle. Well-threadedness, a stronger locality principle based on session types. Coherence, a consistency principle for description of each participant. All these principles are stipulated incrementally on the basis of well-typedness. They not only enunciate natural disciplines for well-structured global description, but also oer gradually deeper analysis of operational aspects of global description, guiding us to the simple de nition of an EPP map of essentially the following shape: (I; )
7!
A[P ]@A
j
B [ Q] @ B
j
C [R ] @ C
j
where P is the projection of I onto A, similarly for others. @A projects onto A. In [6] we have established that, when applied to well-structured interactions, the EPP mapping thus de ned satis es the following three properties: Type preservation: the typing is preserved through EPP. Soundness: nothing but behaviours (reductions) in I are in the image of its EPP. Completeness: all behaviours (reductions) in I are in the image of its EPP. Thus the resulting processes/networks never have a type error, and they realise all and only interactions prescribed in the original global description.
References [1] Pi-Calculus for SOA, https://sourceforge.net/projects/pi4soa/. [2] Baeten, J. C. M., H. M. A. van Beek and S. Mauw, Specifying internet applications with DiCons., in: SAC, 2001, pp. 576{584. [3] Basten, T., \In Terms of Nets," Ph.D. thesis, Eindhoven University of Technology (1998). [4] Bonelli, E., A. B. Compagnoni and E. L. Gunter, Correspondence assertions for process synchronization in concurrent communications., J. Funct. Program. 15 (2005), pp. 219{247. [5] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communicationcentred concurrent programming (part one), http://lists.w3.org/Archives/Public/public-ws-chor/2005Nov/att0015/part1 Nov25.pdf (2005). [6] Carbone, M., K. Honda and N. Yoshida, Theoretical basis of communicationcentred concurrent programming (part two), to appear as a technical report (May 2006).
33
Carbone, Honda and Yoshida
[7] Dezani-Ciancaglini, M., D. Mostrous, N. Yoshida and S. Drossopoulou, Session Types for Object-Oriented Languages, in: Proceedings of ECOOP'06, LNCS (2006). [8] Foster, H., \A Rigorous Approach to Engineering Web Service Compositions," Ph.D. thesis, Imperial College London, University of London, Department of Computing (2006). [9] Gay, S. J. and M. Hole, Subtyping for session types in the pi calculus., Acta Inf. 42 (2005), pp. 191{225. [10] Honda, K., V. T. Vasconcelos and M. Kubo, Language primitives and type discipline for structured communication-based programming, in: ESOP '98 (1998), pp. 122{138. [11] International Telecommunication Union, Recommendation Z.120: Message Sequence Chart (1996). [12] Milner, R., J. Parrow and D. Walker, A calculus of mobile processes, I and II, Information and Computation 100 (1992), pp. 1{40,41{77. [13] Needham, R. M. and M. D. Schroeder, Using encryption for authentication in large networks of computers., Commun. ACM 21 (1978), pp. 993{999. [14] OMG, Uni ed Modelling Language, Version 2.0 (2004). [15] Takeuchi, K., K. Honda and M. Kubo, An interaction-based language and its typing system., in: PARLE, Lecture Notes in Computer Science 817 (1994), pp. 398{413. [16] van der Aalst, W., Inheritance of interorganizational work ows: How to agree to disagree without loosing control?, Information Technology and Management Journal 2 (2002), pp. 195{231. [17] Vasconcelos, V. T., A. Ravara and S. J. Gay, Session types for functional multithreading., in: CONCUR, LNCS (2004), pp. 497{511. [18] W3C WS-CDL WG, Web Services Choreography Description Language Version 1.0., http://www.w3.org/TR/2004/WD-ws-cdl-10-20040427/ (2004).
34
DCM 2006
Light Dialectica program extraction from a classical Fibonacci proof Mircea-Dan Hernest
1;2
Laboratoire d'Informatique (LIX) Ecole Polytechnique F-91128 Palaiseau - FRANCE
Abstract We demonstrate program extraction by the Light Dialectica Interpretation (LDI) on a minimal logic proof of the classical existence of Fibonacci numbers. This semiclassical proof is available in MinLog's library of examples. The term of Godel's T extracted by the LDI is, after strong normalization, exactly the usual recursive algorithm which de nes the Fibonacci numbers (in pairs). This outcome of the Light Dialectica meta-algorithm is much better than the T-program extracted by means of the pure Godel Dialectica Interpretation. It is also strictly less complex than the result obtained by means of the re ned A-translation technique of Berger, Buchholz and Schwichtenberg, but otherwise it is identical with the term yielded by Berger's Kripke-style re ned A-translation. Key words: Program extraction from (classical) proofs, Complexity of extracted programs, Re ned A-translations, Quanti ers without computational meaning, Light Dialectica Interpretation, Computationally redundant contractions, Godel's functional \Dialectica" interpretation, Proof Mining
1
Introduction
There has been quite some work in the last years in the eld of program extraction from classical proofs. Although strong mathematical results have recently been obtained in the Proof Mining of classical analytical proofs (see, e.g., [15,16,17,19,21]), the computer-implemented program extraction metaalgorithms were able to produce only limited results, for rather small test-cases and even then, the extracted program is not the optimal one. 1
Project LogiCal - P^ ole Commun de Recherche en Informatique du Plateau de Saclay, CNRS, Ecole Polytechnique, INRIA et Universite Paris-Sud - FRANCE 2 Email:
[email protected] This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
Hernest Such an unsatisfying situation one encounters in the extraction of a rather unusual algorithm for the computation of Fibonacci numbers by means of the Berger-Buchholz-Schwichtenberg (BBS) re ned A-translation of [3]. The term tBBS of Godel's T extracted via this BBS re ned A-translation from the MinLog minimal logic proof of the weak (classical) existence of the Fibonacci numbers, followed by Kreisel's Modi ed Realizability [18] and nally strongly normalized [4,5] makes necessarily use of a type-2 Godel recursor. This is R (!!)! , where the type level (degree) of ( ! ! ) ! is 2 : Here is the base type which denotes the set of natural numbers IN and R is the denotation for the so-called \type- Godel recursor", which actually has the type ! ( ! ! ) ! ! in Godel's T . See paper [3] for full details. This is quite unexpected since the usual recursive de nition of Fibonacci numbers (in pairs) can be expressed in Godel's T by means of a type-0 Godel recursor only, namely R : Here denotes the pairing of types and : In fact such a T-term was actually extracted in MinLog [24] by pure Modi ed Realizability, from the usual pure intuitionistic proof of the strong (intuitionistic) existence of Fibonacci numbers, see [3] 3 . The point of the endeavour of extracting programs from classical rather than constructive or even purely intuitionistic proofs is that (semi-)classical proofs are much easier and more direct to build, both by human brain and also in the various computer-implemented proof-systems. It is therefore desirable that the algorithms synthesized from classical proofs by means of the more complex program extraction meta-algorithms 4 are at least as good as those yielded by the more common extraction techniques 5 from the corresponding constructive/purely intuitionistic proofs. When applied to the semi-classical MinLog Fibonacci proof (originally introduced in [24], but slightly re-adapted in [11]), this is not the case, neither for the BBS re ned A-translation (as described in detail in either of [2,3,23]), nor for the pure Godel Dialectica Interpretation, as we show later in the sequel. Whereas a repair of this situation was provided for the BBS re ned A-translation by Berger in [2] 6 , none of the monotone [14] or bounded [8] optimizations of Godel's technique can handle such an exact realizer extraction problem. It is the Light Dialectica interpretation (originally introduced in [12], but see also [13] for a much larger and more uni ed exposition) which gives the solution. 3 On the other hand, this linear - in the unary representation of natural numbers - algorithm is outperformed by other logarithmic algorithms, see [23] for such an example.
4 Here we think particularly (but not exclusively) at those from the Dialectica family (see
[22] for a nice uni cation work) and the Re ned A-translation family. 5 Basically variants of Kreisel's Modi ed Realizability [18], which is a simpler but weaker form of Godel's functional (Dialectica ) interpretation [1,10]. 6 Berger's Kripke-style re ned A-translation introduced in [2] nicely combines the optimizing (in the sense of the eciency of programs extracted from classical proofs) features of both the BBS [3] and the Coquand-Hofmann [7] re ned A-translations. It also furthermore adds the so-called uniform quanti ers, which are used to \label" and thus isolate parts of the input proof which are meant not to have a computational content under such a translation.
36
Hernest 2
The semi-classical Fibonacci proof in
MinLog
MinLog is an interactive proof- and program-extraction system developed
by H. Schwichtenberg and members of the logic group at the University of Munich. It is based on rst order Natural Deduction calculus and uses as primitive minimal rather than classical or intuitionistic logic. See [11,24] for full details.
De nition 2.1 [Fibonacci Numbers] The inductive de nition is as usual Base :
F0 : 0 ; F1 : 1
Step :
Fn+1 : Fn
+ Fn
1
for
n
1;
n 2
IN
The Fibonacci Numbers example was implemented in MinLog and it was comparatively analysed in [3] by both pure Modi ed Realizability (from the usual pure intuitionistic proof) and also by the BBS re ned A-translation (from a minimal logic proof of the weak, classical existence of Fibonacci Numbers; we dub such proofs as \semi-classical") followed by Modi ed Realizability. The semi-classical Fibonacci proof in MinLog is a Natural Deduction proof of 8n 9cl k G(n; k ) { where 9cl k G(n; k ) : (8k: G(n; k ) ! ?) ! ? { from assumptions expressing that G is the graph of the Fibonacci function, i.e., G(0; 0)
AND
G(1; 1)
AND
8n;
k; l: [ G(n; k ) ^ G(n
+ 1; l)] ! G(n + 2; k + l) ;
see Section 6 of [3] for full details. 3
The
light functional Dialectica interpretation
The \light" variant of Godel's functional \Dialectica" Interpretation was introduced in [12] as an optimization for term-extraction of Godel's original technique 7 from [10]. The main feature of \Dialectica Light" is the elimination already at extraction time of a number of relevant (for the Dialectica program extraction) Contractions which are identi ed as redundant and in consequence are isolated by means of an adaptation of Berger's quanti ers without computational content 8 (introduced in [2] as \uniform quanti ers"). Dialectica Light (abbreviated LDI) is a recursive syntactic translation from proofs in a semi-classical 9 weakly extensional arithmetical system in all nite types 10 (denoted WeZ9;nc+ ) to proofs in the corresponding purely intuitionistic system 11 (denoted WeZ9 ) such that the positive occurrences of the strong 7 Paper [1] provides a nice survey in English which includes the extensions to full Analysis. 8 In [12] we named these special existential and universal quanti ers \without (or non-)
computational meaning", abbreviated ncm . We here continue to use our own terminology.
9 This can be extended to fully classical proofs, modulo some double-negation translation. 10 System WeZ9;nc+ was denoted WE Z+ in [12]. It is nevertheless much better presented, with complete comparative details in [13], just like its corresponding WeZ9 ; see below. 11 System WeZ9 ; which was denoted WE Z in [12], is a Natural Deduction formulation of the weakly extensional Heyting Arithmetic in all nite types WE HA! from Section 1.6.12 of [25]. See also [3,23] for the original corresponding fully extensional variant Z9 Z + 9 :
37
Hernest and the negative occurrences of 8 in the proof's conclusion formula get actually realized by terms in Godel's T. These realizing terms are also called the programs extracted by the LDI and (if only the extracted programs are wanted) the translation process is also referred to as \program extraction". The LDI translation of proofs includes the following translation of formulas: 9
De nition 3.1 By quanti er-free (qfr) formula we understand a formula
built from prime formulas at(to ) and ? by means of ^ ; ! and, if 9 is available, also _ : The qfr formulas are all decidable in our systems. There exists a unique bijective association of boolean terms to quanti er-free formulas A0 7! tA0 such that ` A0 $ at(tA0 ) : Then the LDI translation of formulas is: D A : AD :
at(tA ) for quanti er-free formulas
A
D
(A ^ B ) : 9x; u 8y; v [ (A ^ B )D : AD (x; y ; a) ^ BD (u; v ; b) ] (9zA(z; a))D : 9zy ; x 8y [ (9zA(z; a))D (zy ; x; y ; a): AD (x; y ; zy ; a) ] (8zA(z; a))D : 9X 8zy ; y [ (8zA(z; a)) (X ; zy ; y ; a): A (X (zy ); y ; zy ; a) ] D
D
(9zA(z; a))D : 9x 8y [ (9zA(z; a))D (x; y ; a):9z AD (x; y ; z; a) ] (8zA(z; a))D : 9x 8y [ (8zA(z; a))D (x; y ; a):8z AD (x; y ; z; a) ] (A ! B )D : 9Y ; U 8x; v [ (A ! B )D : AD (x; Y (x; v )) ! BD (U (x); v ) ] where 7! y is a mapping which assigns to every given variable z a completely new variable zy which has the same type of z : The free variables of AD are exactly the free variables of A:
Remark 3.2 For the light Dialectica interpretation, the radical (or \root") formula AD (which is LDI associated to A) is not necessarily quanti er-free, like it is for the pure Godel's functional interpretation. It actually contains the translation of all ncm quanti ers to the corresponding regular quanti ers. Theorem 3.3 (Exact realizer synthesis by the Light Dialectica [12]) P
There exists an algorithm which, given at input a Natural Deduction proof : fC i gni=1 ` A 12 in WeZ9;nc+ ; it eventually produces at output the following:
(i) the tuples of terms fTi gni=1 and T ; (ii) the tuples of variables fxi gni=1 and y ; all together with (iii) the verifying proof PD : fCDi (xi ; Ti (x; y ))gni=1 ` AD (T (x); y ) in WeZ9 ; where x : x1 ; : : : ; xn : Moreover, the variables x and y do not occur in P (they are all completely new) the free variables of T and fTi gni=1 are among the free variables of A and 12 Hence of the formula A from the open assumption formulas C 1 ; : : : ; C n : Here \open" is
to be understood as \un-cancelled" or \un-discharged" and not necessarily as \un-closed".
38
Hernest { we call this \the free variable condition (FVC) for programs extracted by the LDI". i
n
fC gi=1
hence x and
y
also do not occur free in the extracted terms
n
fTi gi=1
and
T:
Remark 3.4 Godel's functional \Dialectica" interpretation becomes relatively
(far) more complicated at the moment when it has to face contraction. In the Natural Deduction setting, Contraction amounts to the discharging of at least two copies (from the same parcel 13 ) of an open assumption formula A dur[A] : : : =B : This is because, for the so-called ing an Implication Introduction A ! B
\Dialectica-relevant" contractions 14 , A becomes part of the (raw, i.e., not yet normalized) realizing term. Therefore, the a priori (i.e., already at the extraction stage) elimination of some of these D-relevant contractions, rather than a posteriori (i.e., during the subsequent strong normalization process), represents an important complexity improvement of the extracted program. 4
A comparison of the three extraction techniques
It can be immediately seen, also from the machine benchmarks below, that the program yielded by the Light Dialectica interpretation clearly outperforms the algorithm given by the BBS re ned A-translation. The latter is at its turn much more ecient than the term extracted by means of the pure Godel Dialectica interpretation, which contains an important quantity of redundant information. All three extracted (by the three program-synthesis techniques) terms are presented below in a human-processed adaptation of the raw MinLog output. See [11] for the pure machine-extracted programs. The subsequent computer benchmarks were performed on a DELL model X1 laptop (hence powered by an Intel Centrino CPU) running the Windows XP Professional operating system. We used the more special MinLog distribution [11], which is not yet integrated with the ocial MinLog [24]. As Scheme interpreter we used the Petite Chez Scheme 7.0a, see [20]. The quantitative measures of computing time and space overhead were obtained by means of the Scheme \time" procedure. 2) The (MinLog, adapted) outcome of pure Godel's Dialectica interpretation: .......................... (add-var-name "n" "m" (py "nat")) (add-var-name "G" (py "nat=>nat=>boole")) (add-var-name "H" (py "(nat@@(nat@@nat)@@(nat@@nat))")) 13 In the sense of the terminology from [9]. 14 See [13] for full details on this terminology and generally for a large and uni ed exposition of the Light Dialectica extraction.
39
Hernest .......................... > t_{PDI} == [G,n] left right ((Rec nat=>nat@@(nat@@nat)@@(nat@@nat))((0@0@0)@0@1) ([m,H] [if [if (G left left H left right left H) [if (G (Succ left left H) right right left H) (G (Succ(Succ left left H)) (left right left H + right right left H)) True] True] (m @ right H) (left H)] @ right right H@ left right H + right right H) n) > (time (nt (mk-term-in-app-form t_{PDI} (pt "G") (pt "5")))) 314 collections 6031 ms elapsed cpu time, including 676 ms collecting 6110 ms elapsed real time, including 687 ms collecting 341280176 bytes allocated, including 337674848 bytes reclaimed "5" > (time (nt (make-term-in-app-form t_{PDI} (pt "G") (pt "6")))) 2700 collections 56750 ms elapsed cpu time, including 9676 ms collecting 58375 ms elapsed real time, including 10008 ms collecting 2937460672 bytes allocated, including 2933419728 bytes reclaimed "8"
1) The outcome of the BBS re ned A-translation (MinLog output, adapted): .......................... (add-var-name "i" "j" "k" "l" "m" "n" (py "nat=>nat=>nat")) (add-var-name "f" (py "nat=>nat=>nat")) (add-var-name "H" (py "(nat=>nat=>nat)=>nat")) .......................... > > > t_{BBS} == "[k](Rec nat=>(nat=>nat=>nat)=>nat) ([f] f 0 1) ([l,H,f] H ([i,j] H ([n,m] f m (n+m)))) k ([n,m] n)" > (time (nt (make-term-in-app-form t_{BBS} (pt "12")))) 39 collections 813 ms elapsed cpu time, including 109 ms collecting 813 ms elapsed real time, including 107 ms collecting 42919528 bytes allocated, including 39266296 bytes reclaimed "144" > (time (nt (make-term-in-app-form t_{BBS} (pt "15")))) 321 collections 7094 ms elapsed cpu time, including 1153 ms collecting 7203 ms elapsed real time, including 1246 ms collecting
40
Hernest 348911096 bytes allocated, including 326154920 bytes reclaimed "610"
3) The outcome of Light Dialectica interpretation (MinLog output, adapted): .......................... (add-var-name "n" "m" (py "nat")) (add-var-name "G" (py "nat=>nat=>boole")) (add-var-name "H" (py "(nat@@nat)")) .......................... > t_{LDI} == "[G,n] left ((Rec nat=>nat@@nat) (0@1) ([m,H] right H @ left H + right H) n)" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "15")))) 6 collections 125 ms elapsed cpu time, including 0 ms collecting 140 ms elapsed real time, including 0 ms collecting 6802576 bytes allocated, including 6383624 bytes reclaimed "610" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "20")))) 68 collections 1343 ms elapsed cpu time, including 62 ms collecting 1344 ms elapsed real time, including 63 ms collecting 73584536 bytes allocated, including 71466424 bytes reclaimed "6765" > (time (nt (mk-term-in-app-form t_{LDI} (pt "G") (pt "25")))) 750 collections 16219 ms elapsed cpu time, including 2279 ms collecting 16657 ms elapsed real time, including 2331 ms collecting 816525224 bytes allocated, including 803991296 bytes reclaimed "75025" 5
Conclusions and future work
More practical examples should be found for the application of the \light" optimization of Godel's Dialectica interpretation. A negative result exists for the case of the MinLog-implemented semi-classical proof of Dickson's Lemma (see [6]). Here three nested Inductions give rise at three Contractions which are thus all three included in the extracted term(s), within the triply nested recursion. It is hence immediate to gure out that such a program would be very complex. Unfortunately, the Light Dialectica cannot repair this situation.
41
Hernest References
[1] Avigad, J. and S. Feferman, Godel's functional (`Dialectica') interpretation, in: S. Buss, editor, Handbook of Proof Theory, Studies in Logic and the Foundations of Mathematics 137, Elsevier, 1998 pp. 337{405. [2] Berger, U., Uniform Heyting Arithmetic, Annals of Pure and Applied Logic 133 (2005), pp. 125{148, Festschrift for H. Schwichtenbergs 60th birthday. [3] Berger, U., W. Buchholz and H. Schwichtenberg, Re ned program extraction from classical proofs, Annals of Pure and Applied Logic 114 (2002), pp. 3{25. [4] Berger, U., M. Eberl and H. Schwichtenberg, Normalization by Evaluation, in: B. Moller and J. Tucker, editors, Prospects for Hardware Foundations, LNCS 1546, Springer Verlag, 1998 pp. 117{137. [5] Berger, U., M. Eberl and H. Schwichtenberg, Term rewriting for Normalization by Evaluation, Information and Computation 183 (2003), pp. 19{42, International Workshop on Implicit Computational Complexity (ICC'99). [6] Berger, U., H. Schwichtenberg and M. Seisenberger, The Warshall algorithm and Dickson's lemma: Two examples of realistic program extraction, Journal of Automated Reasoning 26 (2001), pp. 205{221. [7] Coquand, T. and M. Hofmann, A new method for establishing conservativity of classical systems over their intuitionistic version, Mathematical Structures in Computer Science 9 (1999), pp. 323{333. [8] Ferreira, F. and P. Oliva, Bounded functional interpretation, Annals of Pure and Applied Logic 135 (2005), pp. 73{112. [9] Girard, J.-Y., P. Taylor and Y. Lafont, \Proofs and Types", Cambridge University Press, 1989.
[10] Godel, K., Uber eine bisher noch nicht benutzte Erweiterung des niten Standpunktes, Dialectica 12 (1958), pp. 280{287. [11] Hernest, M.-D., MinLog for Dialectica program-extraction, Free software, code source @ http://www.brics.dk/edanher/MinLogForDialectica, For the ocial MinLog see [24]. [12] Hernest, M.-D., Light Functional Interpretation, Lecture Notes in Computer Science (LNCS) 3634 (2005), pp. 477 { 492, Computer Science Logic: 19th International Workshop, CSL 2005. [13] Hernest, M.-D., \Feasible programs from (non-constructive) proofs by the light (monotone) Dialectica interpretation," PhD Thesis, Ecole Polytechnique and University of Munich (LMU) (2006), In preparation, draft available @ http://www.brics.dk/edanher/teza/. [14] Kohlenbach, U., Analysing proofs in Analysis, in: W. Hodges, M. Hyland, C. Steinhorn and J. Truss, editors, Logic: from Foundations to Applications, Keele, 1993, European Logic Colloquium (1996), pp. 225{260.
42
Hernest [15] Kohlenbach, U., Some logical metatheorems with applications in functional analysis, Transactions of the American Mathematical Society 357 (2005), pp. 89{128. [16] Kohlenbach, U., Proof Interpretations and the Computational Content of Proofs, Latest version in the author's web page (April 2006), vii + 420pp. [17] Kohlenbach, U. and P. Oliva, Proof mining: a systematic way of analysing proofs in Mathematics, Proceedings of the Steklov Institute of Mathematics 242 (2003), pp. 136{164. [18] Kreisel, G., Interpretation of analysis by means of constructive functionals of nite types, in: A. Heyting, editor, Constructivity in Mathematics, NorthHolland Publishing Company, 1959 pp. 101{128. [19] Leustean, L., A quadratic rate of asymptotic regularity for CAT(0)-spaces, Journal of Mathem. Analysis and Applications (2006), To appear, downloadable from Elsevier's \Science Direct", Articles in Press, Corrected Proof. [20] Cadence Research Systems, Chez Scheme, http://www.scheme.com (2006). [21] Oliva, P., Understanding and using Spector's bar recursive interpretation of classical analysis, in: Proceedings of CiE'2006, LNCS 3988 (2006), pp. 423{ 434, Available in the author's Web page @ http://www.dcs.qmul.ac.uk/epbo/. [22] Oliva, P., Unifying functional interpretations, Notre Dame Journal of Formal Logic (2006), to appear, downloadable from the author's Web page. [23] Schwichtenberg, H., Minimal logic for computable functions, Lecture course on program-extraction from (classical) proofs. Available in the author's web page or in the MinLog distribution [24]. [24] Schwichtenberg, H. and Others, Proof- and program-extraction system MinLog, Free code and documentation at http://www.minlog-system.de. [25] Troelstra, A., editor, \Metamathematical investigation of intuitionistic Arithmetic and Analysis," Lecture Notes in Mathematics 344, Springer-Verlag, Berlin - Heidelberg - New York, 1973.
43
Hernest
44
DCM 2006
On the Computational Representation of Classical Logical Connectives Jayshan Raghunandan and Alexander J. Summers Department of Computing, Imperial College London, 180 Queen’s Gate, London SW7 2RH, UK
Abstract Many programming calculi have been designed to have a Curry-Howard correspondence with a classical logic. We investigate the effect different choices of logical connective have on such calculi, and the resulting computational content. We identify two connectives ‘if-and-only-if’ and ‘exclusive or’ whose computational content is not well known, and whose cut elimination rules are non-trivial to define. In the case of the former, we define a term calculus and show that the computational content of several other connectives can be simulated. We show this is possible even for connectives not logically expressible with ‘if-and-only-if’.
1 Introduction There are many programming calculi which have been designed to have a CurryHoward correspondence with a logical proof system. In recent years, such calculi have been designed to explore the computational content of Classical Logic (for example [8,4,2,10,6,13,11]). Different authors have chosen different sets of logical connectives to treat as primitive in their logic, and designed the syntax and reduction rules of their calculi accordingly. Implication is the most popular choice of connective, since it is well-understood that its computational behaviour is related to function abstraction and application. There are calculi which do not use implication, for example that of Wadler [13]. Calculi exist which employ conjunction, disjunction, negation, and even more esoteric connectives such as difference [2,1] and constants for truth and falsity. We consider logics with different primitive connectives, and discuss general approaches to the design of corresponding term calculi. We restrict our attention to propositional logical connectives; an investigation of various approaches to employing quantifiers has been studied in [9]. 1
Email:
[email protected],
[email protected] This paper is ele troni ally published in Ele troni Notes in Theoreti al Computer S ien e URL:
www.elsevier.nl/lo ate/ent s
Raghunandan & Summers We work in the logical context of the sequent calculus in which one deals with sequents of the form A1 ; : : : ; Am ` B1 ; : : : ; Bn , read as “if all of A1 ; : : : ; Am are true, at least one of B1 ; : : : ; Bn is true”. Proof rules are defined for introducing a logical connective on the left and right of a sequent. In this paper we avoid the need for structural rules [3] by following the style of Kleene [5]. In brief, we treat the collections of formulas on the left and right of a sequent as sets, and allow extra formulas in the axioms of a derivation. An example of such a sequent calculus is specified by Figure 1 which is the basis of the X -calculus described in the following section.
; A ` A;
(Ax)
` A; B; ` (!L) ; A!B `
` ; A A; ` ( ut) ` ; A ` B; (!R) ` A!B;
Fig. 1. A sequent-calculus for implication
2 The
X -Calculus
Our work is based on the X -calculus [11]; a term annotation for classical implicative sequent calculus. We recall here the basic definitions. Definition 2.1 [X -Terms] The terms of the X -calculus are defined by the following syntax, where x; y range over the infinite set of sockets and ; over the infinite set of plugs (sockets and plugs together form the set of connectors).
P; Q ::= hx.i capsule
j ybP b j P b [y℄ xbQ j P b y xbQ j P b y xbQ j P b y xbQ export
mediator
cut
left-cut
right-cut
The ^ symbolises that the connector underneath is bound in the term. We will use fp(P ) to denote the free plugs of P , and similarly fs(P ) for free sockets. We work modulo -conversion (issues regarding -conversion have been studied in [12]). The reduction rules are as follows. Definition 2.2 [Logical Rules] The logical rules are presented by:
hy.ib y xbhx. i ! hy. i (ybP b )b y xbhx. i ! ybP b 62 fs(P ) hy.ib y xb(P b [x℄ zbQ) ! P8 b [y℄ zbQ 9 x 62 fs(P; Q) < Qb y yb(P b y zbR) = 62 fs(P ); b (exp-med) : (ybP )b y xb(Qb [x℄ zbR) ! : (Qb y ybP ) b y zbR ; x 62 fs(Q; R)
(cap) : (exp) : (med) :
The first three logical rules above specify a renaming (reconnecting) procedure, whereas the last rule specifies the basic computational step: it allows the body of the 46
Raghunandan & Summers function from the export to be inserted between the two subterms of the mediator (the resulting cuts may be bracketed either way, as shown). Definition 2.3 [Activation Rules] We define two cut-activation rules.
(act-L) : P b y xbQ ! P b y xbQ if P does not introduce (act-R) : P b y xbQ ! P b y xbQ if Q does not introduce x
= Q b [x℄ ybR and x 62 fs(Q; R), or P = hx.i P introduces : Either P = xbQ b and 62 fp(Q), or P = hx.i
where: P introduces x: Either P
An activated cut is processed by ‘pushing’ it systematically through the syntactic structure of the term in the direction indicated by the tilting of the dagger. This behaviour is expressed by the propagation rules. Definition 2.4 [Propagation Rules] Left Propagation:
(y y) : hy.ib y hy. ib y (y cap) : (y exp-outs) : (ybQ b )b y (y exp-ins) : (ybQ b )b y (y med) : (Q b [z ℄ ybR)b y (y cut-cap) : (Q b y ybhy .i)b y (y cut) : (Q b y ybR)b y
xbP xbP xbP xbP xbP xbP xbP
! hy.ib y xbP ! hy. i 6= ! (yb(Qb y xbP ) b )b y xbP ; fresh ! yb(Qb y xbP ) b ;
6= ! (Qb y xbP ) b [z℄ yb(Rb y xbP ) ! (Qb y xbP ) b y xbP ! (Qb y xbP ) b y yb(Rb y xbP ); R =6 hy.i
Right Propagation:
( yy) : P b ( ycap) : P b ( yexp) : P b ( ymed-outs) : P b
y xbhx. i y xbhy. i y xb(ybQ b ) y xb(Q b [x℄ ybR)
! P b y xbhx. i ! hy. i; y 6= x ! yb(P b y xbQ) b ! P b y zb((P b y xbQ) b [z℄ yb(P b y xbR));
z fresh ( ymed-ins) : P b y xb(Q b [z ℄ ybR) ! (P b y xbQ) b [z ℄ yb(P b y xbR); z 6= x ( ycut-cap) : P b y xb(hx. i b y ybR) ! P b y yb(P b y xbR) ( ycut) : P b y xb(Q b y ybR) ! (P b y xbQ) b y yb(P b y xbR); Q 6= hx. i We write ! for the reduction relation generated by the logical, propagation and activation rules. The following are admissible rules (see [11,12]). 47
Raghunandan & Summers Lemma 2.5 (Garbage Collection and Renaming)
(gc-L) : P b y xbQ ! P; if 62 fp(P ) (gc-R) : P b y xbQ ! Q; if x 62 fs(Q)
(ren-L) : P Æb y zbhz .i; ! P [=Æ ℄ (ren-R) : hz .ib y xbP ; ! P [z=x℄
3 The Computational Representation of a Connective In this section, we outline some of the techniques used in the rest of the paper for deriving suitable proof rules, and corresponding syntax representations and reduction rules to represent the inclusion of a particular logical connective. We use A; B; : : : as propositional variables and : to represent logical negation, which binds tighter than any other connective. We use Æ and to represent arbitrary binary connectives. For formulas F1 and F2 we write F1 F2 (and say the formulas are logically equivalent) if for all assignments of truth values to propositional variables, F1 and F2 evaluate to the same truth value. 3.1 Syntax We work in the style of the X -calculus, since this gives a simple and symmetric treatment of the inputs and outputs present within the syntax. When deriving the syntax to represent a particular proof rule, formulas which occur on the left of a sequent will become inputs (sockets) x; y; z; : : : while formulas on the right will be outputs (plugs) ; ; ; : : :. Any subproofs present in the rule will be represented as subterms of the syntax. Formulas which disappear from such subproofs by application of the proof rule (formulas which are bound by the rule) will correspond to bound connectors on the subterms, while the new formula which is introduced by the rule corresponds to a free connector of the appropriate kind. To see these ideas in practice, the reader may wish to compare Figure 1 with Definition 2.1. 3.2 Reduction Rules Whatever logical connectives are of interest, we will always keep the following X reduction rules (which deal with cuts and capsules) in place: cap; act-L; act-R; y y; y cap; y cut-cap; y cut;
yy; ycap; ycut-cap; ycut
The notion of a plug or socket being introduced can be generalised to say P introduces x (respectively, ) iff x is free in P but not in any of its subterms. Propagation rules must be defined for propagating left and right cuts through each syntactic construct. The general approach is to push copies of the cut into the subterms, leaving a copy on the outside if an occurrence of the desired connector was present at this level (c.f. ymed-outs). This leaves the appropriate extra logical reduction rules to be defined. Each new syntax construct warrants a logical rule to specify a renaming of its introduced con48
Raghunandan & Summers
` B;
;A ` ( L) ;A B `
; B ` A; ( R) ` A B;
Fig. 2. Sequent Rules for reverse implication
nector, via a cut with a capsule (see the rules exp and med, for example). Finally, for each logical connective employed, a logical rule must be defined to show how a cut between the right and left introduction of the connective may be reduced (c.f. the rule exp-med). We call this the principal logical rule for the connective, since it is the rule which specifies how these structures may be removed from a proof, creating new cuts between their subterms and simplifying the task of cut-elimination. The principal rule is the only one which cannot be methodically derived independent of the particular connective concerned. For this reason, when investigating the representation of a particular connective, as far as reduction rules are concerned we will only concern ourselves with the principal logical rule for the connective.
4 Comparing Logical Connectives In this section, we compare various logical connectives, focusing on relationships between them and how this affects their inclusion into a term calculus. For each connective, we are interested in the following three questions: (i) What is a suitable term representation of its proof rules? (ii) What is its principal reduction rule? (iii) What computational content is gained by its inclusion? A connective may apply to an arbitrary number of arguments (hereon its arity). It is rare in the literature to consider connectives with arity greater than two (although for an example, see [7]). We will henceforth only interest ourselves in connectives of arity 2 (and below), as is common practice. We are interested in the relationships between these connectives, and how they are reflected by their computational counterparts. For example, duality is a wellknown concept relating logical connectives, and this relationship carries over into their computational behaviour (c.f. [2,13]). We make use of the following relationships between connectives: Definition 4.1 [Relating connectives] For any two binary connectives Æ,: Duality We say is the dual of Æ iff A B
:(:A Æ :B ). Negation We say is the negation of Æ iff A B :(A Æ B ). Reversal We say is the reverse of Æ iff A B B Æ A. Flipping inputs We say is obtained from Æ by flipping an input if either A B :A Æ B or A B A Æ :B . In all but the last case, these concepts describe self-inverse functions (e.g. the dual of the dual of a connective is the connective itself). 49
Raghunandan & Summers D
F
F
> N
ID
D
?
^
N
N
:
"
D
F
F
F D
_ N
$ F F
#
D
N; D
N
!
F
D
F
Note:
" = nand, # = nor, = xor
Fig. 3. Binary Connectives
We argue that the effect of the ‘reversal’ of a connective is not significant with respect to our questions of interest. For example, consider the connective (reverse implication). A pair of sequent rules for this connective is shown in Figure 2. Deriving the syntax needed to represent these rules, we find that we can use exactly the same as that for implication. This is because the same inputs and outputs are bound and introduced in the rules; the only difference being the positioning of A and B , which is irrelevant once the types are removed. Similarly, the reduction rules required to represent this connective will be exactly the same as those for implication, and so will the computational content obtained. This generalises to any connective and its reverse. As a result of this observation, we choose to examine the binary connectives modulo reversals. These are shown in Figure 3, which includes arrows indicating duality (D), negation (N) and flipping inputs (F). It remains for us to explain the significance of these remaining three relations. Before examining the effect of negating a connective, it is useful to examine the negation connective itself. The sequent rules for negation are as follows:
` A; (:L) ; :A `
;A ` (:R) ` :A;
The first rule binds a formula on the left of the sequent and produces a new one on the right, while the second does the opposite. The syntax we choose to use for negation reflects this swapping of inputs for outputs in the simplest way possible; we write x P and y Q for the left and right terms respectively. The principal reduction rule for negation is as follows:
b
b
(xbP )b y yb(y Q b) ! Q b y xbP 62 fp(P ); y 62 fs(Q) Given the sequent rules for any connective it is straightforward to derive suitable sequent rules for the negation of the connective. Since negation swaps inputs with outputs, the rules will be exactly the same except that the formula introduced appears on the opposite side of the sequent. For example, the sequent rules for 50
Raghunandan & Summers difference ( ) are as follows.
; A ` B; ( ;A B `
L
;
)
` A; ; B ` D ( ` A B;
R
)
Similarly, appropriate syntax to represent difference will have the same subterms, inputs and outputs as for implication, except that the free connector introduced appears on the opposite side of the sequent. In defining a cut-elimination rule, one can see that the reduct of the key logical rule will be the same in the cases of ! and , and in general for a connective and its negation. The relationship between a connective and its dual, in terms of its computational representation, can also be seen to induce a relationship between their term representations. In this case, as well as the introduced formula ‘swapping sides’, the formulas which are bound in the proof rules also do so. For example, compare the rules for ^ and _:
; A; B ` (^L) ; A^B `
` A; ` B; (^R) ` A^B;
` A; B; (_R) ` A_B;
; A` ; B` (_L) ; A_B `
One can see a striking similarity here. In this sequent calculus setting, it is reasonable to view disjunction as another kind of ‘pairing’; the left rule is a pair of two proofs (binding a formula on the left of each), whereas the right rule provides the facility to interact with the members of such a pair. The effect of flipping an input is to negate only one of the inputs to a connective, which in turn corresponds to the bound occurrences of one of the formulas swapping sides in the rules. For example, implication can be obtained from disjunction by flipping the first input (A!B :A_B ). One can see this also by comparing the sequent rules. In this sense, it is possible in the sequent calculus to see even implication as a kind of pairing. Examining the syntax of X (for brevity, compared to dealing in the proof rules), one can regard the mediator Q [x℄ y R as a pair of two terms Q and R, binding an output of one and an input of another. The export z P is the term which can ‘deal with the pair’; providing connectors to connect to both elements of the pair, analogously with (for example) the ^L term. From the discussions above, it can be seen that once one knows the sequent rules (and hence, an appropriate term representation) for a particular connective, one can easily derive them for the negation and dual of the connective, and any connective which is obtained by flipping an input. In particular, the six connectives which are joined to each other by various arrows in Figure 3 (including ^,_ and !) all have related sequent rules. Each can in fact be regarded as a kind of pairing connective; the differences lie in whether inputs or outputs are bound in the two subterms which make up the pair, and whether the pair is made available on an introduced input or output. We will sometimes refer to these six connectives as the pairing connectives.
b b
b b
51
Raghunandan & Summers
` A; B;
; A; B ` ($ ) ; (A$B ) `
; A ` B; ; B ` A; ($ ) ` (A$B );
L
Fig. 4.
$
L
and
R
$
R
introduction rules
As can be seen from Figure 3, the remaining connectives come in related groups of two. Due to space considerations, we do not discuss here the computational content of the connectives ID , >, ?, although the latter two at least are of some interest. This leaves only two binary connectives to discuss; being $ (‘if-andonly-if’) and (exclusive or). These two are related in the diagram by negation, duality and that each may be obtained from the other by flipping either input. In a sense, the operations they describe are difficult to relate directly to any of the other connectives; there are no ‘simple’ equivalent formulas which express these connectives in terms of the others (all such equivalences must mention A and B more than once). It seems natural to investigate the computational content of these two connectives, which appears not to have been attempted so far in the literature. In particular, no cut-elimination rule (or analogously, proof reduction rule in a Natural Deduction setting) seems to have been defined for these connectives. It is these concerns which motivate the next section.
5 Interpreting
$
In this section we study the computational behaviour of the logical connective ‘ifand-only-if’ (‘iff’ for short) that evaluates to true only when its two operands are the same. We could have equally chosen to study the negation of this connective ‘exclusive-or’, whose X -style term representations will be almost the same except the free input (output) that is introduced in each term will be of the opposite kind. We are able to determine the form of the left and right introduction rules for the $ connective via the equivalence A$B :(A_B )_(A^B ). From this, we can construct derivations whose conclusions introduce this compound formula on the left and right of a sequent. Condensing these derivations gives us the ($L ) and ($R ) introduction rules shown in Figure 4, which we can inhabit with X -style terms in the usual way. We write the corresponding ‘iff-left’ and ‘iff-right’ terms as [M [y ℄ ijN ℄ and [xP ; z QÆ ℄: respectively. The principal cut-elimination rule for $ should transform a proof that cuts together an ($R ) formula with an ($L ) formula, or in X notation,
b
b bb b
([xbP b; zbQÆb℄: )b y yb([M [y ℄ ibjN ℄) ; ; y are introduced.
Unlike the connectives seen previously, the reduct is not straightforward to determine. The rules for the $ connective each bind two inputs and two outputs, and each rule has two subterms. We observe a striking resemblance between these terms and those used to represent the implication connective (i.e. the syn52
Raghunandan & Summers tax of X , Definition 2.1). The iff-right term is reminiscent of an export term, except two ‘functions’ are available over the same interface rather than one (n.b. A$B (A!B )^(B !A)). The iff-left term is reminiscent of a mediator with two binders over each of its subterms instead of one. We return to the previous method of determining the principal cut-elimination rule as detailed in Section 4, i.e. that of considering how one would reduce a cut between derivations that introduce a formula logically equivalent to A$B . We cut together the proofs that derive :(A_B )_(A^B ) on the left and right of the sequent and reduce them using the cut-elimination rules for negation, disjunction and conjunction. Condensing, then annotating the resulting proof yields the reduct:
((M b y xbP )b y bkhk.i)b y bj (((M b y zbQ)b y wbhw.Æ i)Æb y biN ) This reduct uses two copies of M , renaming their outputs (using capsules)
where necessary. A symmetrical alternative of the reduct renames inputs rather than outputs and requires two copies of N be made. A copy of either M or N is used to facilitate the connection of each output of M to each input of N . The question arises of whether this copying is necessary. We sought to explore other ways in which M and N could be connected and more specifically, whether it would be possible to obtain a solution without copying, since this would be significantly cheaper to evaluate. We discovered such a solution that renames one output in M and one input in N . This led us to the following definition for the principal iff cut-elimination rule. Definition 5.1 [Principal iff-reduction rule] The term
([xbP b; zbQÆb℄: )b y yb([M [y ℄ ibjN ℄) where, , y are introduced and k; fresh, reduces to one of the following variants. (a) ((M b y xbP )b y bkhk.i)b y zb(hz . ib y bj (QÆb y biN )) (b) ((M b y zbQ)b y bkhk.Æ i)Æb y xb(hx. ib y bi(P b y bj N ))
5.1 Simulating other connectives The only connectives logically expressible by $ are > and ID , which might lead us to believe its simulation capabilities are limited. However, we are able in fact to simulate the reductions of several other connectives, i.e. we can encode the syntax for these other connectives in such a way that reductions are preserved. When this is the case, we say we can computationally express the connective (which may or may not be expressible in a logical sense). As an example of a connective which can be computationally expressed, we show how to express the syntax and reduction behaviour of the X -calculus in a term calculus based on the $ connective (which we call X $ ). For brevity we omit the activated cuts, which should be treated analogously. 53
Raghunandan & Summers Definition 5.2 [Syntax for the calculus, X $ ]
M; N ::= hx.i j [M [z ℄ ibjN ℄ j [xbM b; zbN Æb℄: j M b y xbN axiom
iff-left
iff-right
cut
As remarked earlier, the iff-left term is reminiscent of a mediator with two binders over each of its subterms rather than one, and the iff-right term is reminiscent of an export, except that two ‘functions’ are available over the the same interface rather than one. With this observation in mind, we move towards an encoding of the X -calculus in X $ . We can sensibly assume that when encoding the export into an iff-right term [xP ; z QÆ ℄: , we require only one of the two subterms, say P . This leaves the question of what we should do with Q. By making Q the capsule hy .Æ i, we can give an encoding that is sound (no undesired reductions are possible) providing that we restrict the reduction to always use the first variant of the principal rule given in Definition 5.1. This does not seem a severe restriction; one might view this as a strategy on the reduction (one always has the choice of which variant of the principal $ rule to use). Our encoding is as follows.
b bb b
Definition 5.3 [Interpretation of X into X $ ]
ddhx.i
$ = hx.i ddxbP b
$ = [xbddP
$b; zbhy.ÆiÆb℄: z; y; Æ fresh ddM b [y℄ xbN
$ = [ddM
$ [y℄ z xddN
$℄ ; z fresh ddM b y xbN
$ = ddM
$b y xbddN
$ Notice that had we chosen Q to be hz .Æ i, this would have forced the types
for x and to be the same; our encoding would not preserve typeability. Due to space restrictions, we cannot discuss type-assignment in depth, but in brief it amounts to putting back the types which have been erased in the syntax. Typed terms correspond directly to sequent proofs (in which the formulas carry labels; the connector names). Regarding such type-systems, we have the following result: Theorem 5.4 (Preservation of typeability) For any ddP
$ is typeable.
X -term P , P
is typeable iff
In fact, the type derivations in the two systems are closely related; one can define a further encoding from a type-derivation for P in the usual X system to $ a type-derivation for ddP
in the corresponding X $ system. Such details are omitted here. To show that our encoding is sensible, we must also check that we can simulate the reductions of X . As pointed out in Section 3.2, the mechanism provided by the propagation and renaming rules is generic to any X -style term calculus; it performs the same basic task of pushing cuts through subterms and renaming connectors regardless of the syntax employed. To show that such rules are simulated 54
Raghunandan & Summers is straightforward, and we therefore only concern ourselves with the rule exp-med given in Definition 2.2. The following (abbreviated) reduction confirms that we can simulate the first variant of the the exp-med rule.
dd(xbP b )b y yb(M b [y℄ bj N )
$ = ([xbddP
$b; zbh .Æ iÆb℄: )b y yb([ddM
$ [y ℄ ibj ddN
$℄) (z; ; Æ; ; i fresh) ! ((ddM
$b y xbddP
$)b y bkhk.i)b y zb(hz.ib y bj (h .ÆiÆb y biddN
$)) (Def. 5.1(a)) ! (ddM
$b y xbddP
$)b y zbddN [z=j ℄
$ (act-R; gc-R; act-R; ren-R; act-L; gc-L) = ddM b y xb(P b y bj N )
$ (modulo -conversion) In fact, our encoding is only able to simulate this variant of the exp-med rule. The differently-bracketed alternatives of the exp-med rule do not reduce to each other and also do not always share the same normal forms. However, it is understood that the set of normal forms reachable from the two variants of exp-med, while not identical, differ only in some special cases, and even then only by permutations of structure in the terms. In this sense, our encoding captures all of the computations that can be performed within X . The principal cut-elimination rule for $ manipulates four subterms, while the principal rule for any pairing connective involves three. We encoded implication by choosing one of the four subterms to be a suitable capsule. Since the iff-terms bind many combinations of inputs and outputs, we can suitably restrict them to encode other pairing connectives in a similar way. We are able to encode the logical connectives ^ and " up to the same limitations as discussed above. Additionally, we are able to simulate fully (all reductions can be simulated) the : connective. While the $ connective is unable to logically express the connectives !, ^, ", :, we have shown we are able to simulate the significant computational behaviour of the corresponding terms. Similarly, the connective is able to simulate the computational behaviour for the dual pairing connectives , _, # and again the connective :.
6 Conclusions and Future Work This work has provided an analysis of the issues involved in deriving term calculi to correspond with arbitrary choices of logical connective. We have shown various general techniques for deriving suitable syntax, reduction rules and (to some extent) computational content corresponding with the inclusion of a logical connective of interest. The analysis of logical connectives purely in terms of the movement of their inputs and outputs, seems to yield interesting results, and this should be looked at more closely. For example, we hypothesise that a term calculus can express nonterminating terms if and only if it contains a connective which can ‘swap’ an input for an output. 55
Raghunandan & Summers Our investigation into the $ connective has shown that much more can be expressed than we first thought, and this directly relates to the inputs and outputs present. A more general investigation of the computational content of this connective (in particular, any examples which are not neatly expressed with other connectives) is the subject of future work. Our simulation result for X would also be strengthened by the formalisation of a suitable notion of equivalence on X -terms, which is likely to relate to Kleene permutations. This would also be useful future work for other research into the X -calculus.
References [1] Tristan Crolard. A formulae-as-types interpretation of subtractive logic. Journal of Logic and Computation, 14(4):529–570, 2004. [2] Pierre-Louis Curien and Hugo Herbelin. ICFP’00, pages 233–243. ACM, 2000.
The duality of computation.
In Proc.
[3] Gerhard Gentzen. Untersuchungen u¨ ber das logische Schliessen. Mathematische Zeitschrift, 39:176–210, 405–431, 1934. [4] Hugo Herbelin. A lambda-calculus structure isomorphic to Gentzen-style sequent calculus structure. In Proc. CSL ’94, volume 933 of LNCS, pages 61–75. Springer, 1994. [5] S.C. Kleene. Introduction to Metamathematics. North-Holland, 1952. [6] St´ephane Lengrand. Call-by-value, call-by-name, and strong normalization for the classical sequent calculus. In ENTCS, volume 86. Elsevier, 2003. [7] P.B. Levy. Jumbo lambda-calculus. In Proc. ICALP’06, LNCS. Springer-Verlag, 2006. [8] M. Parigot. An algorithmic interpretation of classical natural deduction. In Proc. LPAR’92, volume 624 of LNCS, pages 190–201. Springer-Verlag, 1992. [9] Alexander J. Summers and Steffen van Bakel. Approaches to polymorphism in classical sequent calculus. In ESOP’06, pages 84–99, 2006. [10] Christian Urban. Classical Logic and Computation. Cambridge, 2000.
PhD thesis, University of
[11] S. van Bakel, S. Lengrand, and P. Lescanne. The language and classical logic. In Proc. ICTCS’05, 2005.
X : circuits, computations
[12] Steffen van Bakel and Jayshan Raghunandan. Explicit alpha conversion and garbage collection in . In Proc. TERMGRAPH’06, ENTCS. Elsevier, 2006.
X
[13] Philip Wadler. Call-by-value is dual to call-by-name. In ICFP’03, pages 189–201. ACM Press, 2003.
56
DCM 2006
Term collections in
and -calculi
Germain Faure 1 LORIA, BP 239 54506 Vandoeuvre-lès-Nancy Cedex France
The -calculus, also called the rewriting calculus, originally emerged from dierent motivationsand from a dierent communitythan the -calculus. It was introduced to make explicit all the ingredients of rewriting such as rule application and result [CK01]. In ne the -calculus provides an extension of the -calculus with additional concepts originating from rewriting and functional programing, namely, pattern-matching, and a structure construction which provides collections of terms. There are several aspects of the -calculus that have been studied so far. The dynamics of the computations has been studied [FMS05] by dening interaction nets for the -calculus. We can mention also the study of type systems [BCKL03,Wac04] and its application in a proof theory that handles rich proof-terms in the generalized deduction modulo [Wac05]. On a more practical side, the -calculus has been used to give a semantics both to rewrite based languages [CK01] such as ELAN [BKK+98] and to the atelier FOCAL [Mod,Pre03], an environment dedicated to the development of certied computer algebra libraries (ongoing works). Also,+the -calculus has been used to implement ecient decision procedures [SDK 03]. The management of collections of terms is crucial in calculi like the -calculus, in logic programming or in web query languages. Typically, matching constraints that are involved in the calculus may have more than one solution this is also the case for example in programming language like TOM [Tom], Maude [Mau], ASF+SDF [ASF] or ELAN [Ela]and thus generates a collection of results. As previously mentioned, the -calculus extends the syntax and the operational semantics of the -calculus by providing matching constraints and collections of terms. For example, let be a commutative symbol, x; y be variables and a; b constants. In the -calculus, the pattern-matching constraint x x y a b , that is the application of the matching constraint x y a b to x, reduces to a collection of terms consisting of the two terms a and b and denoted a o b. In fact, the two solutions of the pattern matching problem x y a b, respectively fx a; y bg and fx b; y ag, are both applied to the body of the pattern matching constraint x and then we get the two results a and b. The corresponding evaluation rule is given by: +
[
+
+
+
+
1
Email:
+ ]
+
[email protected] This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
Faure
N ! M1 o : : : o M where f g =1 is the set of solutions of the matching problem P N . To handle collections of terms, we distribute the structure operator over the application and the abstraction operator: M1 o M2 N ! M1 N o M2 N x : M1 o M2 ! x : M1 o x : M2 The -calculus consists thus of four evaluation rules: the rule inherits from the -calculus, the rule to deal with pattern matching constraints and the rules to deal with collections of terms. Dierent works on the -calculus propose dierent approaches to deal with collections of terms. They were originally [CK01,Cir00] represented using sets. In more recent works [CLW03,RC], they are represented via a structure construction whose operational semantics is parametrised by a theory (typically a combination of the axioms of associativity, commutativity and/or idempotence) that the user chooses depending on the way s=he wants to deal with non-determinism in the calculus. For example, the original semantics of `sets of results' is recovered by considering the associative, commutative and idempotent (ACI) theory on structures. The generality given by those recent works is broken when the matching constraints involved in the calculus may have more than one solutions [Fau05]. In this case the theory on structures cannot be arbitrary and thus collections of results should be represented using sets. Moreover, two dierent derivations of a -term may only dier on the strategy used for the application of the rules. We propose to identify them by assuming that terms are taken modulo the equivalence relation generated by rules. More practically, we consider normalized rewriting [Mar96] by splitting the evaluation rules in two sets: the operational semantics now consists only of the two fundamental rules and the and on the other hand we use the rules to consider canonical sets, that is terms that are always normalized w.r.t. the rules. This is not only a matter of taste since this has strong impact on the fundamental understanding of the calculus. The computational mechanism of the calculus becomes easier to understand since the rules are no longer explicit evaluation steps. This opens in particular new possibilities in a deep study of the calculus such as a Böhm theorem [Kri90] for the -calculus. The same approach can be applied to other calculi like the -calculus with a parallel operator. In fact, the rst attempt to a denotational (Scott) semantics of the -calculus proposed in [FM05] enlighten a relation between the -calculus and the -calculus. The -calculus was introduced as a -calculus that is expressive for domains of parallel functions [Bou94]. Syntactically, it is an extension of the -calculus with a parallel operator that distributes 58 M [P
]
n i i
(
)
(
q
app
)
abs
q
n
Faure
left w.r.t the application and with the -abstraction (as the structure operator of the -calculus). It has been extended to parallel and non-deterministic -calculi like in [DCdP93]. Scott models for the -calculus are surprisingly close to the models of the -calculus (the parallel operator, respectively the structures are adequately represented by the join operator) and this suggests a relationship between the structure operator of the -calculus and the parallel operator of the -calculus. We introduce a new calculus that extends the syntax and the operational semantics of the -calculus to deal with canonical sets of terms. This calculus enjoys the Church-Rooser property and gives a new operational semantics for the -calculus (the work of [Bou94] mainly insists on models while in this work, we propose to look at the -calculus from an operational point of view). q
q
q
q
Contributions
We propose a new syntax and operational semantics for the -calculus. We introduce a new approach to deal with collections of results that can be applied both to the -calculus and to the -calculus. We also make clear the relationship between both formalisms. Finally, since the standard techniques of rewriting modulo [Hue80,KK99,Ohl98] cannot be applied to prove the ChurchRosser property, the approach followed hereinspired from [HR03] may be applied likewise in the abstract study of rewriting modulo an equivalence relation. We nally discuss an implementation of the calculus in TOM [Tom] and its link with canonical abstract syntax trees [Rei06]. q
q
Acknowledgments
Alexandre Miquel suggests to the author the reading of [HR03]. This was the starting point of the work. We also thank Lionel Vaux, Horatiu Cirstea and Claude Kirchner for useful interactions and comments on this work.
References [ASF] ASF+SDF. A component-based language development environment. http://www.cwi.nl/projects/MetaEnv/. [BCKL03] G. Barthe, H. Cirstea, C. Kirchner, and L. Liquori. Pure patterns type systems. In Principles of Programming Languages - POPL2003, New Orleans, USA. ACM, January 2003. [BKK+ 98] P. Borovanský, C. Kirchner, H. Kirchner, P.-E. Moreau, and C. Ringeissen. An overview of ELAN. In Proc. of WRLA, volume 15, http://www.elsevier.nl/locate/entcs/volume15.html. ENTCS, September 1998. [Bou94] G. Boudol. Lambda-calculi for (strict) parallel functions. Inf. Comput, 108(1), January 1994.
59
Faure [Cir00] H. Cirstea. Calcul de réécriture : fondements et applications. PhD thesis, Université Henri Poincaré - Nancy I, 2000. October 25. [CK01] H. Cirstea and C. Kirchner. The rewriting calculus Part I and II. Logic Journal of the Interest Group in Pure and Applied Logics, 9(3):427498, May 2001. [CLW03] H. Cirstea, L. Liquori, and B. Wack. Rewriting calculus with xpoints: Untyped and rst-order systems. volume 3085. Springer, 2003. [DCdP93] M. Dezani-Ciancaglini, U. de'Liguoro, and A. Piperno. Filter models for a parallel and non deterministic lambda-calculus. In A. M. Borzyszkowski and S. Sokolowski, editors, Mathematical Foundations of Computer Science 1993, 18th International Symposium, volume 711 of lncs, pages 403412, Gdansk, Poland, 30 August 3 September 1993. Springer. [Ela] Elan. The ELAN system:. http://elan.loria.fr/. [Fau05] G. Faure. A remark on the study of the rho-calculus in presence of symbols dened modulo an equational theory. Draft notes, LORIA, 2005. [FM05] G. Faure and A. Miquel. Towards a denotational semantics for the rhocalculus. Draft notes, LORIA, 2005. [FMS05] M. Fernández, I. Mackie, and F.-R. Sinot. Interaction nets vs. the rhocalculus: Introducing bigraphical nets. In Proceedings of EXPRESS'05, satellite workshop of Concur, San Francisco, USA, 2005, Electronic Notes in Computer Science. Elsevier, 2005. [HR03] T. Herhard and L. Reigner. The dierential lambda-calculus. Theoretical Computer Science, 309, 2003. [Hue80] G. Huet. Conuent reductions: Abstract properties and applications to term rewriting systems. Journal of the ACM, 27(4):797821, 1980. [KK99] C. Kirchner and H. Kirchner. Rewriting, solving, proving. A preliminary version of a book available at www.loria.fr/~ckirchne/rsp.ps.gz, 1999. [Kri90] J.-L. Krivine. Lambda-Calcul : Types et Modèles. Etudes et Recherches en Informatique. Masson, 1990. [Mar96] C. Marché. Normalized rewriting: An alternative to rewriting modulo a set of equations. J. Symb. Comput, 21(3), 1996. [Mau] Maude. The maude system:. http://maude.cs.uiuc.edu/. [Mod] Mod. Modulogic home page. http://modulogic.inria.fr. [Ohl98] E. Ohlebusch. Church-Rosser theorems for abstract reduction modulo an equivalence relation. In Proceedings of Rewriting Techniques and Applications (RTA-98), volume 1379 of LNCS, pages 1731. Springer, 1998.
60
Faure Conception et Implantation du langage FoC pour le développement de logiciels certiés. Thèse de doctorat, Université Paris
[Pre03] V. Prevosto.
6, September 2003.
[RC] Rewriting-Calculus. The -calculus home page. http://rho.loria.fr/. Canonical abstract syntax trees. In Proceedings of the 6th International Workshop on Rewriting Logic and its Applications.
[Rei06] A. Reilles.
Electronic Notes in Theoretical Computer Science, 2006. to appear.
[SDK+ 03] A. Stump, A. Deivanayagam, S. Kathol, D. Lingelbach, and D. Schobel. Rogue Decision Procedures. In C. Tinelli and S. Ranise, editors,
1st International Workshop on Pragmatics of Decision Procedures in Automated Reasoning, 2003.
[Tom] Tom. The Tom langage:. http://tom.loria.fr/. [Wac04] B. Wack. The simply-typed pure pattern type system ensures strong normalization. IFIP-WCC TCS, 2004. [Wac05] B. Wack.
A Curry-Howard-De Bruijn Isomorphism Modulo.
submission, 2005.
61
Under
Faure
62
DCM 2006
Probabilistic Model{Checking of Quantum Protocols Simon Gay
1
Department of Computing Science University of Glasgow Rajagopal Nagarajan
2;4
Nikolaos Papanikolaou
3;4
Department of Computer Science University of Warwick .
Abstract
We establish fundamental and general techniques for formal veri cation of quantum protocols. Quantum protocols are novel communication schemes involving the use of quantum-mechanical phenomena for representation, storage and transmission of data. As opposed to quantum computers, quantum communication systems can and have been implemented using present-day technology; therefore, the ability to model and analyse such systems rigorously is of primary importance. While current analyses of quantum protocols use a traditional mathematical approach and require considerable understanding of the underlying physics, we argue that automated veri cation techniques provide an elegant alternative. We demonstrate these techniques through the use of prism, a probabilistic model-checking tool. Our approach is conceptually simpler than existing proofs, and allows us to disambiguate protocol de nitions and assess their properties. It also facilitates detailed analyses of actual implemented systems. We illustrate our techniques by modelling a selection of quantum protocols (namely superdense coding, quantum teleportation, and quantum error correction) and verifying their basic correctness properties. Our results provide a foundation for further work on modelling and analysing larger systems such as those used for quantum cryptography, in which basic protocols are used as components.
1 Email: 2 Email:
[email protected] [email protected] [email protected]
3 Email: 4 R. Nagarajan and N. Papanikolaou are partially supported by EPSRC grant GR/S34090 This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:
www.elsevier.nl/locate/entcs
Gay, Nagarajan and Papanikolaou
1 Introduction
In the 1980s it was rst realized that quantum{mechanical phenomena can be exploited directly for the manipulation, storage and transmission of information. The discovery of quantum algorithms for prime factorization [16] and unstructured search [7], which outperformed the best classical algorithms for these tasks signi cantly, opened up new vistas for computer science and gave an initial thrust to the emerging eld of quantum computation. To implement a quantum algorithm, however, a large scale quantum computer is necessary and such a device has yet to be built. Research in quantum information, on the other hand, has shown that quantum eects can be harnessed to provide ecient and highly secure communication channels, which can be built using current technology. Entangled quantum states, superpositions and quantum measurement are among the characteristics of the subatomic world which nature puts at our disposal; these and related phenomena enable the development of novel techniques for computation and communication with no rival in classical computing and communication theory. The focus in this paper is on communication protocols involving the use of such phenomena. Quantum protocols have particularly important applications in cryptography. Several quantum protocols have been proposed for cryptographic tasks such as oblivious transfer, bit commitment and key distribution [8,11]. The BB84 protocol for quantum key distribution [2,12], which allows two users to establish a common secret key using a single quantum channel, has been shown to be unconditionally secure against all attacks [10]. Other quantum protocols include procedures for superdense coding [4], teleportation [3] and quantum error correction [17]. We assume that the reader is familiar with the basic concepts of quantum computing, as presented in [8,11]. We argue that detailed, automated analyses of protocols such as these facilitate our understanding of complex quantum behaviour and enable us to construct valuable proofs of correctness. Such analyses are especially important to manufacturers of commercial devices based on such protocols; the actual security of commercial quantum cryptographic systems, for example, is worth an in{depth investigation. Communication protocols have always been under scrutiny by computer scientists, who have developed numerous techniques for analysing and testing them, including process algebras, formal speci cation languages and automated veri cation tools. Automated veri cation techniques, such as model-checking and theorem proving, are frequently targeted at protocols and have been used to detect faults and subtle bugs. For instance, the fdr model-checker allowed Gavin Lowe to uncover a aw in the Needham{Schroeder security protocol [15]. Although current model-checkers were developed primarily for the analysis of classical systems, we have found ways of using them to model quantum behaviour. To account for the proband the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography )
64
Gay, Nagarajan and Papanikolaou
abilism inherent in quantum systems, we have chosen to use a probabilistic model{checker, in particular, the prism tool developed at the University of Birmingham [14]. prism is an acronym for probabilistic symbolic model checker, and is designed for modelling and validating systems which exhibit probabilistic behaviour. A tool such as prism computes the probability with which a system model satis es a temporal formula , i.e. the value of P; = Prf j= g for given and . The models catered for by prism may incorporate speci c probabilities for various behaviors and so may the formulas used for veri cation. The application of probabilistic model{checking to quantum systems is entirely appropriate, since quantum measurement is inherently probabilistic; to reason about quantum behaviour one must certainly account for this. prism uses a built{in speci cation language based on Alur and Henzinger's reactive modules formalism (see [9,14] for details). Internally, a prism model is represented by a probabilistic transition system. The probabilistic temporal logic pctl [5] is used as the principal means for de ning properties of systems modelled in prism. 2 Fundamental Techniques
In order to use a classical probabilistic model{checker to verify quantum protocols, we need to model the quantum states that arise in a given protocol, and the eect of speci c quantum operations on these states. prism itself only allows positive integer and boolean variables to be used in models. So how can we model the states of quantum systems, and the quantum operations arising in protocols, using only classical data types and arithmetic? Single qubits can be in a superposition of two states, while classical variables can only take on a single value in any given state. The coecients of these states can be any two complex numbers whose moduli squared sum to unity, and there is an uncountable in nity of these; of course, prism can only work with a nite state space. Furthermore, quantum systems consisting of many qubits can be in entangled states, which, unlike classical systems, cannot be decomposed into products of individual states. What is needed, therefore, is a means of representing quantum states fully and consistently, in a form that prism can handle. Of all the possible quantum states of an n{qubit system, we identify the nite set of states which arise by applying the operations CNot, Hadamard (H ), and 0; 1; 2; 3 to input states. We con ne our analyses to protocols that involve only this restricted set of operations. At present, determining which states belong to this set is done manually, but we are considering ways of automating this. Consider a very simple system: a single qubit, being acted upon through the Hadamard gate and through measurement in the standard basis. For our purposes, the state of the qubit may be j0i ; j1i ; or an equal superposition of 65
Gay, Nagarajan and Papanikolaou
the two. In fact, these states are sucient to model the BB84 protocol for quantum key distribution [2]. The quantum states which we need to represent in order to model this simple system are thus: j0i ; j1i ; p1 (j0i + j1i) ; and p1 (j0i j1i) 2 2 To model this small, nite set of quantum states, which is closed under the operation of the Hadamard gate and the Pauli operators, we represent each state by assigning a unique integer from 0 to 3 to it, and we use straightforward transitions from one integer value to another to model the action of the gate. A protocol such as superdense coding, which we will discuss in Section 3.1, can be expressed as a step-by-step interaction with a two{qubit system. In order to model the states of 2{ and 3{qubit systems, the quantum operators and the measurements which arise in this and related protocols such as teleportation, we have developed a code generation tool called prismgen. This tool generates a prism code fragment, or module, in which each quantum state is represented by a unique positive integer. Every quantum operator used in a particular protocol is coded as a set of deterministic transitions from one quantum state to another. prismgen calculates these transitions by multiplying the unitary matrix, which corresponds to a particular operator, with each quantum state vector of interest. A measurement is modelled by a set of probabilistic transitions, leading to the various possible outcomes with equal probability. For simplicity, we have only considered states whose measurement outcomes are all equiprobable, although prism does allow us to model the more general case. From the overall state space for a two{qubit system, a certain subset is closed under the CNot, Hadamard and Pauli operations. This subset consists of 4 states corresponding to the four basis vectors, 12 states which are sums of two basis vectors, and 8 states which are sums of all four basis vectors. Proposition 2.1 The above set of 24 states is closed under the
CNot, Hadamard
and Pauli operations.
Proof.
(i) (ii)
These states can be expressed in the following way.
The single basis vectors: j00i, j01i, j10i, j11i The states containing two basis vectors can be separated into three subclasses: (a) 12 (j0i j1i) j0i, 12 (j0i j1i) j1i (b) j0i 12 (j0i j1i), j1i 12 (j0i j1i) (c) 12 (j00i j11i), 12 (j01i j10i) The states containing four basis vectors can be expressed in any of the forms: (a) 12 (j0i j1i) j0i 12 (j0i j1i) j1i (b) j0i 12 (j0i j1i) j1i 12 (j0i j1i) (c) 12 (j00i j01i j10i j11i) p
p
p
p
(iii)
p
p
p
p
p
p
66
Gay, Nagarajan and Papanikolaou
It is obvious that each set (1.){(3.) individually is closed under each i (applied to either qubit) and CNot (with either qubit as control) because these operations are permutations of the basis vectors. Each set has an evident symmetry among the basis vectors (taking (3.a) and expanding (2.) into an explicit list of states). Applying H to the rst qubit gives a bijection between (1.) and (2.a), between (2.b) and (3.a), and between (2.c) and (3.b). Applying H to the second qubit is similar.
2
Our prismgen tool enumerates these states and calculates the transitions corresponding to the various operations. The resulting prism module can be included as part of any model which involves measurements and the application of these operations to a system of two qubits. The situation with a system of three qubits is similar. We have developed a 3{qubit version of prismgen, which gives us the ability to model protocols such as those for quantum teleportation and quantum error correction. 3 Illustrative Examples
We have been able to model a certain number of quantum protocols using the aforementioned techniques. These include: (1) superdense coding, which is a procedure for encoding pairs of classical bits into single qubits; (2) quantum teleportation, which allows the transmission of a quantum state without the use of an intervening quantum channel; and (3) quantum error correction, namely the qubit ip code, which corrects a single bit ip error during transmission of quantum bits. The source les for the models in this section are available online from http://go.warwick.ac.uk/nikos/research/. 3.1
Superdense Coding
The simplest quantum protocol which we will use to illustrate our techniques is the superdense coding scheme [4]. This scheme makes it possible to encode a pair of classical bits on a single qubit. With superdense coding, a quantum channel with a capacity of a single qubit is all that is necessary to transmit twice as many bits as a serial classical channel. Superdense coding is essentially a computation on a two{qubit system; therefore, the prism model of this protocol uses the 2{qubit version of prismgen. We begin with a description of the protocol, and proceed to show how it is modelled and veri ed with prism. The setting for superdense coding involves two parties, conventionally named Alice and Bob, who are linked by a quantum channel and share a pair of entangled qubits. The objective is for Alice to communicate the binary number xy | henceforth termed the message and denoted by (x; y), with x; y 2 f0; 1g | by transmitting a single qubit to Bob. The superdense protocol takes advantage of the correlations between qubits P1 and P2, which are in an entangled quantum state. Alice essentially in uences this state in such 67
Gay, Nagarajan and Papanikolaou
a way that Bob's measurement outcome matches the message of her choice. The superdense coding protocol is as follows. (i) Two qubits, P1 and P2, are placed in an entangled state using the Hadamard and CNot operations. Alice is given P1, and Bob is given P2. (ii) Alice selects a message, (x; y), and applies the ith Pauli operator, i; to P1 , where i = y + x(2 + ( 1)y ). She transmits this particle to Bob. (iii) Bob applies the CNot gate from P1 to P2, and then he applies the Hadamard gate to the former. (iv) Bob measures the two particles, thus obtaining a pair of classical bits, (x ; y ). If no disturbance has occurred, this pair of bits will match the original message, i.e. (x ; y ) = (x; y). The model of superdense coding consists of four prism modules. Of these four, one module is generated automatically by prismgen and describes the possible states of the two qubits. There is a module specifying Alice's actions, and similarly one for Bob's. Before we examine the workings of this model in detail, consider the following observations, which highlight the capabilities of prism. In the prism model, Alice's rst action is to select one of the four possible messages (represented by the integers 0, 1, 2, 3); each message has an equal probability, 14 , of being chosen. This is an assumption we made when constructing this model, but it is possible to specify dierent respective probabilities for the four choices. Another point worth noting is that, depending on which message is chosen, the protocol proceeds in one of four distinct ways; prism actually considers all these possibilities when testing the validity of a property. This is precisely why we advocate the use of model-checking for these analyses, as opposed to simulation of quantum protocols, proposed elsewhere; simulators only treat one of several possible executions at a time. prism interprets the superdense coding model as a probabilistic transition system, which can be depicted as a graph. The nodes in the graph correspond to the internal state numbers which prism assigns to each step in the protocol. Each internal state number corresponds to a tuple with the states of all variables in a particular model. An illustration of this graph and the details of the internal state numbers will be included in the full paper. The quantum state of the two-qubit system is represented by the variable state in the prism model. When Bob has nished his measurement, and the dense coding protocol terminates, one of 4 nal states is reached (each representing a distinct possibility in the computation). The property required for veri cation must be expressed in terms of the nal state. When the dense coding protocol terminates, Bob's measurement result, i.e. the pair of classical bits (x ; y ), must match Alice's original choice (x; y). This requirement is expressed using pctl, as follows: 0
0
0
0
0
0
P > 1 [ true U ((protocol finished) ^ (result = msg)) ] 68
(1)
Gay, Nagarajan and Papanikolaou
The pctl formula in (1) stipulates that the probability of Bob's result matching Alice's choice is 1. Model{checking with prism con rms that this property holds (i.e. this property is true for all executions of the model). We have thus proven, using the prism model{checker, that the dense coding protocol always succeeds in transmitting two classical bits using a single qubit. Clearly, this is not dicult to prove by hand; however, we have used dense coding as a simple demonstration of our approach. 3.2
Quantum Teleportation
Our next example is the quantum teleportation protocol [3], which involves a computation on three qubits. Teleportation is a process that exploits entanglement in order to transmit an arbitrary qubit state using only a classical communications channel. The quantum circuit for teleportation is shown in Fig.1.
j i j0i j0i
H
H
NM
NM
i
j i
Fig. 1. Quantum circuit diagram for the teleportation protocol.
The prism model of teleportation is similar in appearance to that for superdense coding, and it is not included here due to lack of space. It is a transformation on a collection of three qubits, as opposed to the two for superdense coding. This calls for the 3-qubit version of prismgen. Other than this, the prism model itself is unremarkable, and matches the structure of the quantum circuit for teleportation, given in the appendix. Verifying the teleportation protocol with prism is more involved. Short of manual calculation, it is not possible to predict what the quantum state of the entire 3qubit system will be at the end of the teleportation protocol; indeed, there are several possible nal states, depending on which quantum state Alice chooses to transmit to start with. We are interested in checking that the state of Bob's qubit matches Alice's original qubit state, j i, which is assumed to be one of j0i ; j1i ; j+i j i : To formulate a usable property for veri cation, we need to express this requirement in terms of the overall state of the 3{qubit system. Formally, the speci cation of the teleportation protocol is this: if the initial state of the 3-qubit system is of the form j i j00i ; then the nal state will be of the form ji j i, where ji is a two{qubit state. Let's consider this in more detail. If Alice chooses to teleport j i = j0i ; the nal state of the 3{ qubit system will be of the form ji j0i. Similarly, if Alice chooses to teleport j i = j1i, the nal state of all three qubits will be of the form ji j1i. Finally, 69
Gay, Nagarajan and Papanikolaou
if Alice chooses to teleport the superposition j i = 12 j0i + 12 j1i, the nal state of the three qubits will be of the form ji 12 j0i + 12 j1i : Clearly, the pctl property necessary for veri cation will depend on the choice of j i; it will stipulate that, when the teleportation protocol has completed, the nal state of the 3-qubit system will have one of the forms given above. In particular, if the input state is j0i ; the necessary property is p
p
p
p
P > 1 [ true U ((telep end) ^ ((st = s1) _ _ (st = sn))) ] (2) where telep end is a predicate which is true when the protocol completes, and the values s1; : : : ; sn represent quantum states of the form ji j0i. If the input state is j1i ; the necessary property has exactly the same form as (2), but the values s1; : : : ; sn represent quantum states of the form ji j1i; similarly for the case when the input state is the superposition 12 j0i + 12 j1i. In other words, in order to formulate the property needed to verify the protocol, we need to choose the input states and determine the possible nal states of the three{qubit system in advance. This may be seen as begging the question; there is little point in verifying a protocol whose nal outcome has already been calculated by hand. We have developed an auxiliary tool to prismgen, which computes the internal state numbers s1 ; : : : ; sn corresponding to the desired nal states. When the pctl property for a particular input is supplied to prism, the tool proves that the teleportation model works as expected. Since the model{checker necessarily constructs a nite state space for the model, the teleportation protocol can only be veri ed for a speci c, known set of inputs, rather than an arbitrary quantum state. p
3.3
p
Quantum Error Correction
Our third and nal example is the quantum bit{ ip code for error correction [17]. In order to correct a single bit ip error, which may occur during the transmission of a single qubit state, this code represents the state by using a collection of three qubits. In particular, the qubit state j0i is encoded as j000i and the state j1i is encoded as j111i. A bit ip error on the second qubit, for example, transforms j000i into j010i. In order to detect such an error, two additional qubits are used; they are known as ancillas. By applying a sequence of operations and measurements to the ancillas, the so{called error syndrome is obtained, which determines the location of the error. Then, the 1 operator is applied to the erroneous qubit, thus restoring the initial quantum state of the 3{qubit system. The quantum circuit for the bit{ ip code is given in Fig. 2. For the diagram we have assumed that a bit{ ip error does occur prior to the computation of the syndrome. Our prism model of the protocol for the quantum bit{ ip code includes a channel which perturbs the transmitted qubit with a chosen probability; this 70
Gay, Nagarajan and Papanikolaou
j i
j0i j0i
j0i j0i
1;i
NM
j i
NM
Fig. 2. Quantum circuit diagram for the qubit bit{ ip code.
probability is a parameter of the model, and can be varied as required. The model uses the output from the 3{qubit version of the prismgen tool. When the syndrome computation is taken into account, there are in total ve qubits whose states need to be modelled; since we have not yet implemented a code generator for 5{qubit quantum systems, the state transitions for the syndrome computation are calculated in advance and manually coded into prism. To verify the correctness of the quantum bit{ ip code, we need to ensure that: independently of which of the three qubits is perturbed and with what probability this occurs, the protocol does succeed in correcting the error. Thus, at the end of the protocol, the state of the 3{qubit system should be in one of the following forms (where ji is a two{qubit state):
j0i ji ; if the input state was j0i j1i ji ; if the input state was j1i p1 j0i + p1 j1i ji ; if the input state was p1 (j0i + j1i)
(3) (4) (5)
2 2 2 The properties used in prism to verify the protocol are analogous to those for teleportation, taking the form
P > 1 [ true U ((qbf end) ^ ((st = s1) _ _ (st = sn))) ] (6) where qbf end is a predicate which holds when the protocol completes, and the values s1; : : : ; sn represent quantum states of one of the forms given in (3){ (5). prism con rms that the protocol does indeed leave the 3{qubit system in one of these forms, depending on the input, as expected. 4 Challenges and Future Prospects
We have demonstrated our approach to the analysis of quantum communication protocols using a simple examples. There is signi cant scope for future work, ranging from improvements to our current code{generation techniques, to the automated veri cation of larger systems, such as quantum cryptographic devices. 71
Gay, Nagarajan and Papanikolaou
At present we explicitly construct state spaces and transition tables for systems involving up to three qubits and the H , CNot and i operators. We have informally reached the conclusion that, for any number of qubits, there is a nite set of states which is closed under these operators. It is not directly obvious how many states these are, but this could be established computationally. There is a mathematical framework called the stabilizer formalism, which could be used to calculate these states. Investigating this formalism and its implications could lead to a more ecient model checking for protocols; it is already known that stabilizer circuits can be eciently simulated by a classical computer [1]. The guarded transitions of prism's modelling language make it awkward to express some basic control structures such as sequencing. Each prism module typically requires a variable which acts as a program counter and must be explicitly incremented in each transition. We intend to develop automatic translations from the high{level process calculus cqp [6] into prism's native language. Combining such a speci cation formalism for protocol models with a logic for de ning properties will allow us to verify quantum protocols at a higher level. Our ultimate aim is to construct models of larger systems which combine quantum and classical components, or which combine more than one quantum protocol. For example, we are working on augmenting an existing model [13] of the BB84 key{distribution protocol with descriptions of authentication, secret{key reconciliation, and privacy ampli cation protocols [8]. As prism allows probabilities of particular events to be calculated directly, we can obtain numerical values of probability, such as those that arise in mathematical analyses of security; we have taken advantage of this capability in our existing model of BB84. More complex protocols generally involve larger numbers of qubits, leading to ever greater state spaces for veri cation.
5 Conclusions
We have established, for the rst time, techniques for analyzing and verifying quantum communication systems. Our key contributions are the development of a general approach to modelling the state space of systems of several qubits, and the introduction of techniques for de ning properties of quantum protocols in the logic pctl. We have illustrated our approach by modelling and verifying three example protocols (focusing on superdense coding only here) using prism. Although these examples are simple, they are important building blocks of the theory of quantum communication. Having established fundamental and general techniques for formal veri cation of quantum protocols, we are in a strong position to carry out end{to{end veri cations of larger systems, such as those used for quantum cryptography. 72
Gay, Nagarajan and Papanikolaou
References [1] Aaronson, S. and D. Gottesman, Improved simulation of stabilizer circuits (2003), available at arXiv.org. Record: quant-ph/0406196. [2] Bennett, C. H. and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in: Proceedings of International Conference on Computers, Systems and Signal Processing, 1984. [3] Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres and W. K. Wootters, Teleporting an unknown quantum state via dual classical and Einstein{Podolsky{Rosen channels, Physical Review Letters 70 (1993), pp. 1895{1899. [4] Bennett, C. H. and S. J. Wiesner, Communication via one- and two-particle operators on Einstein{Podolsky{Rosen states, Physical Review Letters 69 (1992), pp. 2881|2884. [5] Ciesinski, F. and M. Groer, On probabilistic computation tree logic., in: Validation of Stochastic Systems, 2004, pp. 147{188. [6] Gay, S. and R. Nagarajan, Communicating quantum processes, in: POPL '05: Proceedings of the 32nd ACM Symposium on Principles of Programming Languages, Long Beach, California, 2005. [7] Grover, L. K., A fast quantum mechanical algorithm for database search, in: Proc. 28th Annual ACM Symposium on the Theory of Computing (STOC), 1996, pp. 212{219. [8] Gruska, J., \Quantum Computing," McGraw{Hill International, 1999. [9] Kwiatkowska, M., G. Norman and D. Parker, Modelling and veri cation of probabilistic systems, in: P. Panangaden and F. V. Breugel, editors, Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems, American Mathematical Society, 2004 Volume 23 of crm Monograph Series. [10] Mayers, D., Unconditional security in quantum cryptography, Journal of the acm 48 (2001), pp. 351|406. [11] Nielsen, M. A. and I. L. Chuang, \Quantum Computation and Quantum Information," Cambridge University Press, 2000. [12] Papanikolaou, N., Introduction to quantum cryptography, ACM Crossroads Magazine 11.3 (2005), pp. 10|16. [13] Papanikolaou, N., \Techniques for Design and Validation of Quantum Protocols," Master's thesis, Department of Computer Science, University of Warwick (2005). [14] Parker, D., G. Norman and M. Kwiatkowska, prism 2.0 users' guide (2004). [15] Ryan, P., S. Schneider, M. Goldsmith, G. Lowe and B. Roscoe, \Modelling and Analysis of Security Protocols," Pearson Education, 2001. [16] Shor, P., Algorithms for quantum computation: discrete logarithms and factoring, in: Proceedings of 35th Annual Symposium on Foundations of Computer Science (1994). [17] Steane, A. M., Quantum computing and error correction, in: A. Gonis and P. Turchi, editors, Proceedings of the NATO Advanced Research Workshop (2000), pp. 284|298.
73
Gay, Nagarajan and Papanikolaou
74
DCM 2006
Handshake Games Lu a Fossati 1 2 ;
Dipartimento di Informati a Universit a di Torino Torino, Italia
Abstra t
In this paper I present what I a
omplished so far. I present a game model for the semanti al analysis of handshake ir uits. I show how the model aptures ee tively the omposition of ir uits in an asso iative way. Then I build a ompa t- losed
ategory of handshake games and handshake strategies and I show informally how these an be applied in the semanti s, when events en oding data are also onsidered. In an appendix I show that the proposed reformulation of nondeterministi strategies works for the sequential ase (in the sense of [5℄) as well. Key words: Game semanti s, handshake ir uits, nondeterminism, on urren y, asso iativity.
1 Introdu tion The handshake proto ol has experien ed a great ommer ial su
ess as a paradigm for asyn hronous ommuni ation and omputation. It is a proto ol of ommuni ation between ir uits, whi h are onne ted through hannels over whi h they ex hange information. In parti ular a ir uit sends a message over a hannel through an interfa e alled port. In a ommuni ation over a single hannel, one ir uit takes the a tive role and sends the rst message while the other is initially waiting for an a tivation sign. Then the former waits for the latter to reply, and so on. From a ir uit's point of view, this behavior indu es an alternating sequen e of input and output messages, requests and a knowledges. The handshake te hnology has been employed in parts of several integrated systems, moreover in the Philips Resear h Labs it has been designed a programming language alled Tangram, whose programs are naturally translated 1
I thank Feli e Cardone for having started me on the subje t, Russ Harmer, Paul-Andre Mellies and Pierre-Louis Curien for useful hints on the riti al part. 2 Email: fossatidi.unito.it This paper is ele troni ally published in Ele troni Notes in Theoreti al Computer S ien e URL:
www.elsevier.nl/lo ate/ent s
Fossati into and implemented as handshake ir uits. With an ar hite ture that does not rely on a entral lo k, these ir uits gain in eÆ ien y and speed (a slow module has a lower impa t on the overall system) and pose less problems in the engineering phase. But in ontrast with the in rease of interest in the implementations of the proto ol, the foundational investigation rests still as it was ten years ago. For example, there is not yet an analysis of handshake pro esses whi h, in addition to ex hanging syn hronization events, also ex hange data in their ommuni ations. Moreover all the literature relies on a single model [13℄: indeed, a very natural hara terization of ir uits with a ni e analysis of their behavior; however some points are still not treated in suÆ ient detail. The main of these is surely the analysis of omposition. The property of delay insensitivity allows us to ignore the order in whi h messages rea h destination, to do as if it was the same order in whi h they have been sent ([13℄, page 75). Still, it remains not trivial to model omposition pre isely. Surely handshake ir uits ompose and surely they ompose in the same way no matter the order of ompositions (asso iativity): in the end it is just the same phisi al phenomenon observed from dierent angles: : : but, does the model apture the observation of the physi al phenomenon faithfully? is any quies ent point (inside a ommuni ation) taken into a
ount by the model? As expe ted, the problem rises in presen e of the \infamous" in nite internal
hatters and really auses big troubles, as asso iativity of omposition is a fundamental property. While looking deeper into the issue I found a ounter-example to the asso iativity of omposition in Van Berkel's model. Later on, Russ Harmer pointed out to me another (more general) ounter-example, due to Ros oe [12℄, whi h tells that any model of unbounded nondeterminism must list expli itly the possibly in nite ommuni ations inside the pro ess' des ription. My sear h for a solution was based on previous game semanti s of nondeterminism and on urren y [4℄[5℄[3℄[6℄[8℄ in whi h the problem of omposition is treated in full detail. The hoi e is in part motivated by the many similarities between the game paradigm and the handshake proto ol. The ommon view of omputation as intera tion is the key ingredient, from whi h follow several other orresponden es, where all the dualisms are re e ted. In most
ases it is just a matter of swit hing to a new vo abulary: player=opponent () system=environment; passive=a tive () negative=positive; move () message; P move=O move () input=output; query=response () request=a knowledge. One ould also argue that games orrespond to handshake stru tures and 76
Fossati strategies to handshake pro esses 3 but on these aspe ts the orresponden e is not so lear in the handshake ir uits literature. There is no lear distin tion between a pro ess and its stru ture, no on ept of a type. This is another motivation for adopting the game formalism: de nitely game models rely on powerful mathemati al stru tures su h as ategories and logi , and these are the perfe t tools for de ning a type theory. The work ould be pla ed inside Abramsky's program to bridge the histori al gap in formal semanti s, between the family of fun tional models (denotational semanti s) and models of on urren y (pro ess al uli) ([1℄ and [2℄, among other works). Combining nondeterminism with on urren y and asyn hrony has been a major issue to deal with. Mos hovakis published several works in that dire tion (starting from [10℄) but I believe the aim there was more dire ted to the veri ations of properties (fairness) than to the stru tural analysis, whi h makes his works essentially dierent from mine. A reasonable hoi e was to extend the model for nite nondeterminism of Harmer and M Cusker [4℄ but unfortunately that is justi ed only with the assumption of sequentiality of the overall ommuni ation (the stri t alternan e within plays). So I turned to ountable nondeterminism [5℄, reformulated in a way that allows extension to parallelism. Basi ally in the new formalism, nondeterministi strategies are seen as sums of deterministi strategies. The idea of su h a presentation was given me by Paul-Andre Mellies during a dis ussion and follows quite a few works in the literature, starting from [11℄ and in luding the works by Mos hovakis.
2 Notations In the following I will give a few de nitions that always turn out useful when dealing with the formal aspe ts of on urren y. Some are inherited from Mazurkiewi z's seminal work on tra e theory, even though I hanged them in order to t them in the urrent ontext. We de ne a on urrent alphabet as an alphabet M equipped with a binary re exive symmetri and transitive relation D over its letters (moves, as we will all them). D is alled the dependen e relation. Being an equivalen e relation, D de omposes the alphabet into equivalen e lasses whi h we all partitions. A string over hM; D i is just a string over M. The omplementary relation is independen e, I. Let hM; D i be a on urrent alphabet. Every string s over M has an underlying graph indu ed by D. The verti es are the moves in s and edges between two moves are present if and only if the two moves are dependent with ea h other. Any maximal lique is the underlying graph of a unique string t ontained in s, where moves appear in the same order in t as they appear in s. We 3
This would allow one to give a neat de nition of handshake ir uits as spe i ations of behaviors over stru tures.
77
Fossati say t is a thread of s. A thread ould also be seen as a string over a partition of hM; D i. The initial move of a thread t is the rst move that appears in t. The initial moves of a string s are the initial moves of ea h of its threads. Consider the above on urrent alphabet and let D 0 D. D 0 is a full subdependen e of D when it preserves re exivity, transitivity, and symmetry (the dependen e relation of a partition is a full subdependen e, for example). m 2 M is involved in D 0 when 9n 2 M su h that (m D 0 n). Now let D 0 be a full subdependen e of D, s a string over M and M 0 M the set of moves involved in D 0 . We an de ne s hM 0 ; D 0 i as the string obtained by keeping only the moves from M 0 in the same order as they appear in s. Normally we write just s M 0 assuming we have a full subdependen e asso iated to it. Finally re all the standard order v on strings s and t: svt
()
t = st0
where t0 is a string over hM; D i. possibly equipped with internal pointers as well as pointers to moves in s. We say that t is an extension of s with the moves in t0 . We write len(s) for the length of a string s.
3 Handshake Games De nition 3.1 A handshake game is a stru ture A = hMA ; DA; A i, where
MA is a set of moves and DA a dependen e relation on them. Together they form a on urrent alphabet on whi h we impose a nite number of partitions. A : MA ! f ; +g fR; Ag is a labelling fun tion, we denote with A+ and RA A its two proje tions. The rst one determines the polarity, the moves with positive polarity are alled player moves and those with negative polarity are alled opponent moves. The se ond proje tion distinguishes requests (R) from a knowledges (A). We impose no ambiguity of labels within a partition. Given m; n 2 MA su h that m DA n: + (m) = + (n)
()
RA (m) = RA (n)
Game. We an imagine a game 4 as providing a universal stru ture over whi h several pro esses of the same kind an be implemented.
Example 3.2 The simplest ase is the game asso iated to a port stru ture,
where all moves are in the same equivalen e lass, as they represent a set of messages whi h are all going to be sent over the same hannel. For example, we
an asso iate a generi passive port to a game A = hMA = M1 [ M2 ; DA ; A i su h that: M1 = freq(v) j v 2 V1 g and M2 = fa k(v) j v 2 V2 g; DA = MA MA ; 4
from now on we an leave the adje tive, handshake, impli it.
78
Fossati 8m 2 M1 ; ( + (m) = ) ^ (RA (m) = R); 8m 2 M2 ; ( + (m) = +) ^ (RA (m) = A). The port is passive, and this nds semanti orresponden e in that only the opponent an issue a request, only the opponent is allowed `to start'. The sets V1 and V2 represent the sets of values the two players an atta h to their moves. Spe ial ases o
ur when these sets are singletons, or equivalently when no data are added. In parti ular when there are only one request and one a knowledge we are representing a nonput port. Input ports are obtained by allowing the opponent to en ode data in its moves while in output ports it is the player who an en ode data in its moves. If they both an, then we have a byput port. Conne tives. A simple operation allows us to hange a game's polarity:
A? = hMA ; DA; A i: ?
+ Where A = h A+ ; RA when A+ gives + and vi evA i, and A gives ersa. So for example, a generi a tive port an be des ribed as the dual A? of the generi passive port A, des ribed above. We also have a binary onne tive, the ostar produ t. This allows us to give a representation to more omplex stru tures, stru tures with more than one port. Given two games A and B their ostar produ t is: ?
A B = hMA + MB ; DA + DB ; A + B i Note that DA and DB are full subdependen ies of DAB and MA (MB ) is exa tly the set of moves involved in DA (DB ). Then we an relax the de nition of restri tion and write s A (s B) instead of s hMA ; DA i (s hMB ; DB i). Play. As usual in games, player and opponent take turn to play the respe tive moves. Here though we liberalize things a little as we are working in a on urrent framework, we impose the turn alternation only on the threads of our play (look at it as if we were playing several games in parallel). Formally a play, on a game hMA ; DA; A i 5 is just a string over the on urrent alphabet hMA; DAi. A play is legal if and only if: all its initial moves are requests; all its threads are alternating sequen es of requests and a knowledges, player and opponent moves. ! We write LA for the set of legal plays over the game A. We write L n A and LA for the subsets of nite and in nite legal plays, respe tively. Note that a play over a game an only ontain a nite number of threads ( nite on urren y) be ause the alphabet of the game an only have a nite number of partitions. 5
The term play is inherited from game semanti s. It orresponds to the handshake tra es in the handshake ir uits theory.
79
Fossati The equivalen e on moves (DA ) indu es an equivalen e on plays, the homotopy relation A . Let s; t 2 LA , we say that s A t just when they have the same set of threads 6 . Prestrategy. I will introdu e strategies gradually: starting from the general lass of prestrategies I will hara terize positionality and determinism; by then we will be working with a tual strategies but in order to onsider nondeterministi behaviors as well we will need a new generalization. All of these
lasses really need the adje tive handshake as we are working in a handshake framework, but sin e it will be lear from the ontext I will leave it impli it. I start with some formal notions. Given a set of plays on a game A: The pre x- losure of is = fs 2 LA j s v t 2 g For a play s 2 , its su
essors set (with respe t to ) is:
su (s; ) = fm 2 MA j sm 2 g s is passive in , pas (s; ), i there is no move the player an make at s:
m 2 su (s; ) ) + (m) = P as () is the set of passive plays in the pre x- losure of :
P as () = fs 2 j pas (s; )g Given two independent moves, m; n 2 MA , and four plays r, s, t, u, of A, we de ne rA as the smallest binary relation su h that: (mn rA nm) () (( +(m) = ) _ ( +(m) = +(n))) 7 ; t rA t; (r rA s) ^ (s rA t) ) (r rA t); (r rA s) ^ (t rA u) ) (rt rA su). We say that s reorders t in A when s rA t 8 ; Let s, t be two plays of A and de ne s xA t if and only if s v t and t
ontains only opponent moves after s (we say that t is an input-extension of s in A).
De nition 3.3 A (handshake) prestrategy on a game A is a set of legal plays of A su h that: (i) 6= ; (non-empty);
6
The use of homotopy in on urrent games is due to Mellies and Mimram [8℄[9℄. Let me give one intuition here : : : We may re eive two inputs in any order and we may output two messages in any order. Also, an input may arrive before we output. The onverse does not hold though, we may have to wait for an input before we an output. 8 I hose to keep the de nition as in the original model instead of extending it to in nite sequen es of reorderings, this is oherent with the degree of 'intensionality' in the model
7
80
Fossati (ii) P as () v ( losed under passive pre xes); (iii) (t 2 ^ s rA t) ) s 2 (reorder losed); (iv) (s 2 ^ s xA s0 ) ) s0 2 (re eptive). is onveniently des ribed as a ouple hQ ; I i. Where quies ent and I the set of in nite plays of .
Q
is the set of
The expli it in lusion of in nite plays allows to distinguish when a strategy may follow an in nite ommuni ation but at a ertain point will surely stop and when instead it ould ontinue to the in nite. The quies ent plays represent the nite points in whi h the player may stop to wait for the opponent to move. The passive plays represent those points at whi h the player has no other hoi e but to wait: they need to be quies ent. In the ase of nonput ports, some well known prestrategies are ST OP and SKIP . ST OP simply a
epts opponent moves without a knoledging them, while SKIP does a knowledge to requests, but never starts a handshake itself: ST OPA = fs 2 LA j (s)+ = 0g; SKIPA = fs 2 LA j (s) = (s)+ g. Where (s) and (s)+ stand for the number of opponent and that of proponent moves in s, respe tively. It is interesting to see that if we add data to moves, a prestrategy like SKIP be omes a highly nondeterministi spe i ation after whi h a wide range of possible prestrategies ould be implemented. Let's
onsider the simple ase where A represents a single passive port. If data were added to requests no nondeterminism would be introdu ed. On the other hand if only booleans were added to a knowledges, the player would have many available options. It ould always answer tt or ff, or alternate the two answers, : : : Even more interesting if the port is a biput. Here the number of possible implementations is extremely high: identity, boolean not, onstant, integer su
essor, test for zero, : : : Composition. Given two prestrategies, on A? B and on B ? C, their omposition is soon de ned: Æ = fu A; C j u 2 LA;B;C ^ u A; B 2 ^ u B; C 2 g Two de nitions related to omposition. s 2 Lfin A;B;C is an interleaving in the omposition of and if and only if s A; B 2 and s B; C 2 . s is a witness (for s A; C) in the omposition of and if and only if s A; B 2 and s B; C 2 . Unfortunately, omposition of prestrategies is not well-de ned. Informally:
onsider the general prestrategy RUN whi h is always eager to get engaged in a handshake (whether its role is to start or to answer). Consider the omposition of RUNB with RUNB . Being dual pro esses they will never agree on being quies ent at the same time, ea h one will be willing to ontinue (or to start over) immediately when its turn omes. Then if the in nite play 81 ?
Fossati whi h emerges from this eternal ping-pong is not itself ontained in the two prestrategies, the omposition is empty. Positionality. We need to fo us on a subset of the set of prestrategies for whi h omposition works. It seems natural then to start with deterministi prestrategies. However it turns out that determinism is preserved by omposition only in presen e of another very important property of on urrent strategies, positionality. Positionality is based on the relation of homotopy between plays.
De nition 3.4 A prestrategy on a game A is positional if and only if, for nite s; s0 2 and in nite t; t0 2 L!A, with s s0 and t t0 , we have: (i) s s 2 ) s0 s 2 (positionality and pre xes); (ii) s 2 ) s0 2 (positionality and quies en e); (iii) t 2 ^ (8t < t0 ; t 2 ) ) t0 2 (positionality and in nite plays); Intuitively, a position is a state and we an rea h a ertain state in dierent ways but then however we got there we have the same options to move on or to wait. Determinism. Let A be a game and a and b two distin t player moves of A. A positional prestrategy on A is deterministi just when: (i) ta 2 ) t 2= ; (ii) ta 2 ^ tb 2 ) tab 2 ; (iii) I = ft 2 L!A j 8t0 < t; m 2 su (t0 ; ), + (m) = +; 9t00 < t s.t. t0 < t00 m < tg. The rst two onditions are the usual onditions for determinism. Moreover a deterministi strategy that has engaged in an in nite hatter may not de ide to quit anyhow. A mali ious opponent ould for e a deterministi strategy to follow the ourse that he wants, even to diverge. If the opponent a ts in this way there is no means for the deterministi strategy to es ape the mali ious design. The third ondition tells exa tly whi h are the in nite plays that a deterministi strategy must ontain. It's lear that the third ondition of determinism implies the third ondition of positionality. So for deterministi prestrategies positionality an be expressed with two properties. Composition. We now pro eed to the proof that omposition is well-de ned for deterministi positional prestrategies. In the following let and be two deterministi positional prestrategies on A? B and B ? C, respe tively. We start with two de nitions. Given u and v su h that u r v, we de ne dr (u; v), the reordering distan e between u and v: dr (u; v) = 0 () u = v dr (u; v) = 1 () (u = u0 a b u00 ) ^ (v = u0 b a u00 ), for two moves a 82
Fossati and b; In general dr (u; v) = n > 0 if and only if u 6= v and there are n + 1 (and no less) plays u0 ; u1 ; : : : un su h that u = u0 , un = v and dr (ui ; ui+1 ) = 1. In exa tly the same way we de ne the homotopy distan e d (u; v) on homotopi plays u v.
Lemma 3.5 Let s 2 Lfin A;B;C be an interleaving in the omposition of and . Then there is t w s and t is a witness in the omposition of and .
2 and s B; C 2 , s itself is the witness. Otherwise, suppose is not quies ent at s. Then s is not passive in , an play a move after s. We start by saturating the external threads of with player moves. Then we let play in B until quies en e, while must be ready to a
ept this stream (re eptivity). Now, if is quies ent we are done, otherwise we saturate it outside. If it be omes quies ent we are done as well otherwise we let it play inside until quies en e. Then it's 's turn again, and so on. If after a while they both be ome quies ent then we have our witness. Otherwise they run to the in nite, but then we also have our witness (determinism). 2 Lemma 3.6 Let t 2 ( Æ ) and let u and v be two interleavings for t in Æ . Then u an be ompleted with all the o
urren es of moves that are in v n u so to obtain an interleaving z for t in Æ . Proof. If s A; B
Proof. A few remarks. After () makes a move m it an still play all the
moves it ould play before but m itself (determinism). () instead an still play all the moves it ould play before and possibly more (re eptivity and reordering). It follows that if m is initial in v and m I u then u0 m u00 is still an interleaving for t in Æ , for any fa torization u0 u00 of u. Else if m D u then u = u0 n u00 , where m I u0 and m D n. If m and n were distin t ()
ould play m even after n (determinism). But this is not possible sin e they are dependent moves and ne essarily have the same polarity, then m = n. We an obtain z as the result of alling the following untyped informal pro edure on u and v: union(u; v)f m := head(u); u := tail(u); if (m I v) then if (u = ") then z := m v; else z := m union(u; v); else if (v = v 0 m v 00 ) then z := m union(u; v 0 v 00 ); return z;
g
2
83
Fossati
Theorem 3.7 Let and be two deterministi positional prestrategies on
A? B and B ? C , respe tively. Then, pre) Æ is a prestrategy; pos) Æ is positional; det) Æ is deterministi .
Proof.
pre) I skip the proof that every play in Æ is legal as it is almost immediate. (i) Æ is non-empty. Sin e neither nor is empty, then " is an interleaving of their omposition. Then lemma 3.5 applies and yields a witness t w " for some play in Æ ; (ii) Let s v s, with s 2 Æ and s 2 P as ( Æ ). By de nition there is t 2 LA;B;C su h that t A; B 2 , t B; C 2 and t A; C = s. Just ut t right after s is played out in the external game and all the resulting play t. Then lemma 3.5 applies and yields a witness t0 w t for some play in Æ . s is passive then t0 is a tually a witness for s 9 ; (iii) Let s rA ;C s. Consider d =dr (s; s): d = 0 Then there is a witness u of s whi h is also a witness of s; d = n Then there are s0 ; s1 ; : : : sn 2 LA;C and su h that s = s0 ; sn = s; dr (si ; si+1 ) = 1 for all 0 i n. For assumption we know that s1 2 ( Æ ). Let s1 = s0 m n s00 and s0 = s0 n m s00 . Moreover let's take a witness u1 2 LA;B;C of s1 of the form u1 = u0 m ub n u00 , where u0 and u00 are interleavings of s0 and s00 , respe tively, and ub is a sequen e of moves in B. If n is an opponent move then we de ne u0 = u0 n m ub u00 else m is a proponent move and then we de ne u0 = u0 ub n m u00 . In any
ase u0 A; C = s, u0 A; B rA ;B u1 A; B 2 and u0 B; C rB ;C u1 B; C 2 , then s 2 Æ . (iv) Let s 2 ( Æ ) and let s x s s0 . Reasoning as in the se ond point we
an nd an interleaving u for s in the omposition Æ . It follows from re eptiveness of the two prestrategies that u s0 is also an interleaving. Then lemma 3.5 applies and we are done. pos) As already remarked, the third property of positionality follows from determinism whi h will be proved later on. The rst two properties an be proved in exa tly the same way, so I prove just the rst one. Let s; s0 2 ( Æ ) , with s s0 , and let s s 2 ( Æ ) . The proof that s0 s 2 ( Æ ) is by indu tion on d (s; s0): If s = s0 then trivially s0 s 2 ( Æ ); If d (s; s0) = n + 1 then there is sn su h that d (s; sn) = n and d (sn; s0 ) = 1. By indu tive hypothesis sn s 2 ( Æ ) . Now, sn fa torizes as t0 a b t00 while s0 = t0 b a t00 . So sn has an interleaving un = u0 a ub b u00 , where ub is a sequen e of internal moves. The two prestrategies ?
?
9 0
t
?
Note that in the proof of the lemma no external opponent move is taken while making , then really no move is played outside.
84
Fossati are deterministi then it follows from the remarks made inside lemma 3.6 that u0 b a ub u00 is also an interleaving of Æ (in parti ular if b is by the opponent, re eptivity also plays a role). Finally by positionality of and we on lude s0 s 2 ( Æ ) . det)(i) Let t a 2 ( Æ ) , where a is a player move. By absurd, t 2 Æ . Then t has a witness u 2 LA;B;C . Consider the ase where u is nite. Sin e u A; B 2 and u B; C 2 , neither prestrategy an play at this point, the next move must be an opponent move in A or C, and this is enough for the rst ase. If u is in nite then any move that ould be played after a nite pre x will eventually be played somewhere in u, in luding a; (ii) Let s a; s b 2 ( Æ ) , where a and b are two distin t player moves. An interleaving for s a is of the form u0 a v 0 and an interleaving for s b is of the form u00 b v 00 . Where u0 and u00 are both interleavings for s and v 0 and v 00 are sequen es of internal moves. Then we an apply lemma 3.6 and
omplete u0 with the moves that are not in it but in u00 . In the same way we an omplete u00 with the moves that are not in it but in u0 . The two results are homotopi . Take one of them, u. By the remarks made inside lemma 3.6 and by positionality we have that u a is both an interleaving of s a and of s b, then the on lusion follows; (iii) This is a tually a double impli ation. Let s 2 L!A;C su h that all its pre xes are in the pre x- losure of Æ :
))
Suppose s 2 ( Æ ) and m 2 su (s0 ; Æ ), where s0 < s and su h that + (m) = +. Then s has a witness u 2 L!A;B;C . If either u A; B or u B; C is nite then respe tively and annot move anymore. That means that if it was 's ('s) duty to play (the o
urren e of) m then the move o
urs in the nite restri tion ( rst ondition of determinism). Suppose that m ould be played on the side of the ommuni ation whi h is in nite. Then again we know that the move will eventually o
ur (third ondition of determinism); () Suppose that forall s0 < s and m 2 su (s0; Æ ) with +(m) = + there exists s00 < s su h that s0 < s00 m < s. Take u 2 L!A;B;C su h that all the pre xes of u A; B are in the pre x- losure of , all the pre xes of u B; C are in the pre x- losure of and u A; C = s. For any u0 < u we know that if either prestrategy ould play an external move after u0 then this eventually o
urs in u, be ause the same move ould be played by Æ after the external restri tion of u0 . If either prestrategy ould play an internal move and the (o
urren e of the) move does not appear in u yet, then we add it, say, ten moves after u0 . This way we are assured that every move that ould be played after a nite pre x a tually o
urs inside a nite pre x 10 . The nal u is a tually a witness for s in Æ .
10 Note
that the number of moves that an be played at any point is nite, as the number of threads is nite ( nite on urren y) and the two prestrategies are deterministi .
85
Fossati 2
Sums and Strategies. We de ne the binary operation (sum ) whi h takes two prestrategies and on a game A and returns the union of their sets of plays.
Lemma 3.8 The sum of and is again a prestrategy. Proof. (i) The union of two non-empty sets is non-empty. (ii) s 2 P as ( ) ) s 2 ( ) ^ pas (s; ) ) (s 2 ^ pas (s; )) _ (s 2 ^ pas (s; )) ) (s 2 P as ) _ (s 2 P as ) ) (s 2 ) _ (s 2 ) )s 2 (iii) Reorder- losedness and re eptivity an be proven similarly, so we prove only the rst one of the two. Let t 2 ( ) ^ s rA t: t 2 ) (t 2 ) _ (t 2 ) t 2 ^ s rA t ) s 2 t 2 ^ s rA t ) s 2 (s 2 ) _ (s 2 ) ) s 2 2
We extend this operation to an arbitrary number of arguments in the expe ted way, then we are ready for strategies.
De nition 3.9 A (handshake) strategy is the sum of deterministi positional (handshake) prestrategies:
=
M i2I
i
where i are deterministi positional prestrategies indexed by elements of a non-empty set I. A strategy represents a pro ess. A strategy is a des ription of the behavior to follow. It is as if strategies ould hoose on e and for all among a set of possible behaviors. Afterwards they a t deterministi ally all the way. It follows that a deterministi positional prestrategy d is just a parti ular ase of strategy where the opponent may hoose only from a singleton set. We will just say that d is a deterministi strategy, assuming impli itly that it is positional, even if strategies are not positional in general. 86
Fossati
Lemma 3.10 Given two strategies and on a game A, their omposition is again a strategy.
Proof. Let
=
M i2I
i
=
M j 2J
j
where all i 's and j 's are deterministi prestrategies. Then we have: Æ = fu A; C j u 2 LA;B;C ^ u A; B 2 ^ u B; C 2 g = = fu A; C j u 2 LA;B;C ^ u A; B 2 i2I i ^ u B; C 2 j 2J j g = = fu A; C j u 2 LA;B;C ^ (9i 2 I; j 2 J s.t. u A; B 2 i ^ u B; C 2 j )g = = fu A; C j u 2 LA;B;C ^ u A; B 2 i ^ u B; C 2 j g = i2I;j 2J = (j Æ i ) i2I;j 2J
[ [
2
Category. We an form a ategory H whose obje ts are games and with morphisms from A to B the strategies on A? B. With abuse of notation we write for both the morphism : A ! B and the strategy : A? B. The identity morphism idA : A ! A is the well-known opy at strategy:
idA = fs 2 LA
?
A
j s A1 = s A2g;
where the indi es are used only to distinguish the left and the right opy of A. It is easy to he k that idA is a well-de ned prestrategy, that it is positional and deterministi , and that the identity equations Æ idA = = idB Æ ; hold. There only remains the proof of asso iativity of omposition, whi h we do next.
Theorem 3.11 Consider games A, B , C and D, and strategies : A ! B and : B ! C and : C
! D: ( Æ ) Æ = Æ ( Æ ) Proof. Let s 2 ( Æ ) Æ . There is a witness u 2 LA;B;D for s. Analogously we nd a witness v 2 LB;C;D for u B; D. Working in an asyn hronous world sometimes makes things easier (but only sometimes) so now we need no zipping or in nite zipping lemma, any interleaving w 2 LA;B;C;D of u and v works just ne. In parti ular any su h w satis es: w A; B = u A; B 2 ; w B; C = v B; C 2 ; w C; D = v C; D 2 ; 87
Fossati w A; D = u A; D = s. Then by de nition we have w A; C 2 Æ and s 2 Æ ( Æ ). The opposite dire tion is proved in exa tly the same way. 2
Categori al onstru tions turn out useful not only for stru tural hara terization, but also for semanti analysis. For example, we an lift to morphisms so to have an elegant alternative to the on ealment and extension operations of the pro ess al ulus in [13℄. Given : A ! B and 0 : A0 ! B 0 , we de ne 0 : A A0 ! B B 0 as 0 = fs 2 LA;A ;B;B j s A; B 2 ^ s A0 ; B 0 2 0 g 0
0
The fun toriality properties, ( Æ ) ( 0 Æ 0 ) = ( 0 ) Æ ( 0 ) and idA idB = idAB , are easily veri ed. Suppose we want to ompose strategies : A ! B and : B B 0 ! C. A possible way of doing this is by `extending' with the identity of B 0 . The omposition be omes Æ ( idB ). Another way is to restri t and substitute it with Æ (idB SKIPB !I ), where I is the game with just no moves. The ategory of handshake games and handshake strategies H is *-autonomous, it is symmetri monoidal losed with respe t to and has an isomorphism from A to A??. In parti ular the isomorphisms A ! I A and A ! A I are just opy at strategies and they follow from the isomorphisms between sets of moves, MA ! ; + MA and MA ! MA + ;, respe tively. The other isomorphisms required for symmetri monoidal losure are also opy at strategies derived from isomorphisms between sets of moves. The ase of selfduality is even simpler, A and A?? are the same game and the isomorphism between them is just the identity on A. We an further note that H is more than *-autonomous, it is ompa t losed, as you an easily he k A B = (A? B ?)?. 0
0
88
Fossati
4 Examples As an example we show here a ir uit that implements the onditional bran h
onstru t. The logi is a little simpler than that of Tangram's bran h, whi h employs guards and nondeterminism, but the essen e is there. B
trf
ifT
P
k ifT
not
Q
The big ir les represent some basi standard omponents, while the small ones are the ports (a tive ports are lled and passive ones are not). The lines
onne ting two ports represent the hannels. I will des ribe the strategies asso iated to the omponents as transition systems, as graphs where the edges represent the moves and the nodes represent the `positions' ( lass of plays for short).I will begin with the boolean negation not: a ka
a kp
f fa
ttp
0
f fp
tta
a kp
a ka
The index p is used for moves passing through the passive port and a for moves passing through the a tive port. The ir les around nodes indi ate quies ent positions and the initial position is marked with a 0. not is a strategy on the game Br? Br , where Br is the game for a passive input port (example 3.2) with boolean data en oded in the requests. As a onsequen e, the dual, Br?, be omes an a tive port with the same hara teristi s. Whatever input the strategy re eives on the passive port, it sends its negation on the a tive. On e this is a knowledged, it a knowledges the rst move. ifT : Br ! S is a test for true (S is the type of a nonput passive port, syn hronization-only):
89
Fossati
ffp
0
a kp
ttp
reqa
a kp
a ka
If it re eives true it handshakes on its a tive port, otherwise it returns immediately. The omposition of strategies orresponds to putting the two graphs aside and visiting them in parallel, while at the same time building the graph for the omposed strategy. Ea h time we pass by an `external' edge we add it to the new graph (provided it is not already there). As for the internal edges, they need to be played simultaneously on both sour e graphs. So, if we are in a position where we an play an internal move on one side but not on the other, we need to wait if we want to play that move. It is easy to
he k that the omposition of ifT and not yields a test for false, exa tly the opposite of ifT . The so alled P AR omponent k: Br Br ! Br a tivates two pro esses in parallel after re eipt of a request from the environment; on e both pro esses a knowledge, it too a knowledges to the rst request:
reqa1
0
a ka1
reqa2
reqa2
a ka1
a ka2
reqp
a k reqa2
k is omposed with ifT
reqa1
a ka2
a ka2
reqa1
0
a ka1
(not Æ ifT ) : S S
! Br Br , a strategy
that exe utes a test for true on one side and, in parallel, a test for false on the other. The ostar produ t of two strategies orresponds again to playing on the two games/graphs in parallel, with the dieren e that now all moves are external. As a result the nal graph may be ome very ompli ated. In the end, k Æ(ifT (not Æ ifT )) : S S ! Br is a strategy whi h depending on the input (true or false) a tivates one or the other strategy it is onne ted to; after re eiving the a knowledge it returns. The last omponent is a transferrer, asso iated to the strategy trf : Ba Br ! S, where Ba is the game for a passive port, this time with boolean data en oded in the a knowledges. On e 90
Fossati a tivated on the passive port S it requests a boolean value from Ba 11 whi h is immediately opied in a request and sent on Br , it waits for the a knowledge and then ompletes the rst handshake. We skip the graph for this strategy and we go straight to the strategy trf Æ (idBa (k Æ(ifT (not Æ ifT )))) : Ba S S ! S asso iated to the global if then else onstru t: reqP
a kP
ttB
a k
0
req
reqB f fB
a k reqQ
a kQ
Here the indexes indi ate the pro esses with whi h we are in ommuni ation. This strategy has the expe ted type (it takes as arguments a boolean and two ommands and gives a ommand in return) and behavior. With the same approa h, de omposition of the internal logi into smaller modules and omposition of the strategies asso iated to these modules, we an give a semanti s to any other programming onstru t, like the loop and su h. Also, the presentation of strategies as graphs is very intuitive and attra tive, it had already been adopted by Van Berkel [13℄ in the ontext of handshake
ir uits. In game semanti s this idea has been pushed further, there exists game models [6℄[8℄ in whi h graphs are employed not just as merely a way of presenting strategies but as a true semanti al des ription. Of ourse, in order to establish this orresponden e, there are some properties that need to be satis ed. I believe that positionality and asso iativity of omposition are ne essary rst steps towards the goal.
5 Future Work So, I built a model for handshake ir uits and I showed informally how it
ould be put into use. In the pro ess, I dealt with the problems arising in the modelling of ir uits' omposition and I ended with a ner hara terization of handshake strategies. In parti ular, the new property of positionality seems very interesting and worth exploiting. But the model ontains also a deeper stru tural analysis, with the onstru tion of a ompa t- losed ategory, a result that ould be used as a base for a type theory. Moreover I showed how to take advantage of ategori al tools like omposition of morphisms and the bifun tor , in the semanti s. And now? The next step is to formally de ne a semanti s for a language 11 On
the left side of the arrow, Ba be omes a tive, by the de nition of arrow.
91
Fossati based on handshake ir uits, for Tangram or for a whole new language. This semanti s should take into a
ount pro esses that an ex hange data as well as pro esses that an only syn hronize with their environment. The approa h to take should in lude redu tion of the language's onstru ts into a small set of ombinators and representation of these ombinators as general-purpose strategies. In [7℄ Josephs, Udding and Yant hev redu ed Van Berkel's al ulus [13℄ to just three operations, how mu h bigger would this set be ome when data are en oded in the messages? A parti ularly deli ate part in the de nition of a semanti s for handshake
ir uits will be the modelling of the sequential omposition of pro esses, where the pro ess P1 ; P2 behaves initially as P1 and then, on e all requests have been a knowledged and a y le is omplete, it ontinues as P2 . In [13℄ the task is a
omplished by assigning a set of terminal tra es to ea h pro ess, but this is only one possible solution. The idea that ea h pro ess follows a y li life suggests more abstra t representations for strategies, ways that ould allow to treat omposition more mathemati ally. The aim is to nd alternatives that ould allow simpler reasoning while keeping the substan e un hanged. Nonetheless, altering the proto ol of ommuni ation may also be of interest: what happens when we shift to slightly dierent ir uits, like speed-independent or delay-insensitive ir uits? On the side of game semanti s, handshake ir uits ould represent a on rete appli ation. Naturally the next step is to pla e this result inside the large
olle tion of models proposed. Surely the ompletely asyn hronous behavior makes handshake strategies and games dierent from their ounterparts, indeed the ategori al framework will help in making omparisons.
Referen es [1℄ S. Abramsky. Intera tion ategories (extended abstra t). In G. L. Burn, S. J. Gay, and M. D. Ryan, editors, Theory and Formal Methods 1993: Pro eedings
of the First Imperial College Department of Computing Workshop on Theory and Formal Methods, pages 57{70. Springer-Verlag Workshops in Computer
S ien e, 1993.
[2℄ S. Abramsky, S. Gay, and R. Nagarajan. Intera tion ategories and the foundations of types on urrent programming. In M. Broy, editor, Pro eedings of the 1994 Marktoberdorf Summer S hool on Dedu tive Program Design, pages 35{113. Springer-Verlag, Berlin, 1996. [3℄ S. Abramsky and P.-A. Mellies. Con urrent games and full ompleteness. In Logi in Computer S ien e 99, Trento, July 1999. IEEE Computer So iety Press. [4℄ Russell Harmer and Guy M Cusker. A fully abstra t game semanti s for nite nondeterminism. In Logi in Computer S ien e, pages 422{430, 1999.
92
Fossati [5℄ Russell Harmer and Guy M Cusker. nondeterminism. Unpublished, 2002.
A game semanti s for ountable
[6℄ M. Hyland and A. S halk. Games on graphs and sequentially realizable fun tional. In IEEE Computer So iety Press, pages 257{264, Kopenhavn, July 2002. [7℄ M.B. Josephs, J.T. Udding, and Y. Yant hev. Handshake algebra. Te hni al Report SBU-CISM-93-1, S hool of Computing, Information Systems and Mathemati s, South Bank University, London, 1993. [8℄ P.-A. Mellies. Asyn hronous games 2: the true on urren y of inno en e. In P. Gardner and N. Yoshida, editors, CONCUR'04, Le ture Notes in Computer S ien e. Springer Verlag, September 2004. [9℄ Samuel Mimram and Paul-Andre Mellies. Asyn hronous games 5: Nonalternating inno en e. Work in progress, 2006. [10℄ Y. Mos hovakis. A game-theoreti modeling of on urren y. In fourth annual symposium on Logi In Computer S ien e, pages 154{163. IEEE Computer So iety Press, 1989. [11℄ D. Park. The \fairness" problem and nondeterministi omputing networks. Foundations of Computer S ien e IV. Matematis h Centrum, Amsterdam, 1983. [12℄ A. W. Ros oe. Unbounded nondeterminism in CSP, volume 3 of Journal of Logi and Computation. April 1993. [13℄ K. Van Berkel. Handshake ir uits: an Asyn hronous ar hite ture for VLSI design, volume 5 of Cambridge International Series on Parallel Computation. Cambridge University Press, 1993.
6 Appendix: nondeterminism in the sequential ase The presentation of nondeterministi strategies in [5℄ is te hni ally dierent from the one I gave. However, the present formalism an be applied su
essfully also to the sequential ase, and with respe t to the model of Harmer and M Cusker, their de nition of strategy an be reformulated equivalently as sum of deterministi omponents, as I am now going to show. Assuming that everyone knows that in the sequential ase plays follow a proto ol of stri t alternation (like on urrent plays with only one thread) I go straight to the de nition of prestrategies. A prestrategy is a set of plays losed under even-length pre xes. The even-length plays of are alled tra es and are noted T , the odd-length plays of are alled divergen es and are noted D , while the in nite plays of are noted I . The domain of , written dom(), is those odd-length plays that are rea hable by , dom() = [s2T ie(s) 93
Fossati where the fun tion ie gives all the possible extensions of s with just one move, the immediate extensions of s. Given d 2 dom(), the range of at d, written rng (d), is ie(d) \ T . Now, a strategy is re eptive when for all d 2 dom(), d [ rng (d) 6= ; This ondition was not present in the original de nition in [5℄ as in their ase the re eptivity was left impli it: if neither a divergen e nor an answer to it were present it means that the strategy de ides not to respond there. However, even if it is only a te hni al detail, re eptivity needs to be stated expli itly in order to establish true equivalen e of the two de nitions. A prestrategy on a game A is deterministi if and only if sa; sb 2 T ) sa = sb; s 2 D () rng (s) = ;; s 2 L!A ^ (8s0