The aim of the Parsifal team is to develop and exploit *proof
theory* and *type theory* in the specification and
verification of computational systems.

*Expertise*: the team conducts basic research in proof
theory and type theory. In particular, the team is developing
results that help with automated deduction and with the
manipulation and communication of formal proofs.

*Design*: based on experience with computational systems
and theoretical results, the team develops new logical principles,
new proof systems, and new theorem proving environments.

*Implementation*: the team builds prototype systems to
help validate basic research results.

*Examples*: the design and implementation efforts are
guided by examples of specification and verification problems.
These examples not only test the success of the tools but also
drive investigations into new principles and new areas of proof
theory and type theory.

The foundational work of the team focuses on *structural* and
*analytic* proof theory, *i.e.*, the study of formal
proofs as algebraic and combinatorial structures and the study of
proof systems as deductive and computational formalisms. The main
focus in recent years has been the study of the *sequent
calculus* and of the *deep inference* formalisms.

An important research question is how to reason about computational
specifications that are written in a *relational* style. To
this end, the team has been developing new approaches to dealing
with induction, co-induction, and generic quantification. A second
important question is of *canonicity* in deductive systems,
*i.e.*, when are two derivations “essentially the same”? This
crucial question is important not only for proof search, because it
gives an insight into the structure and an ability to manipulate the
proof search space, but also for the communication of *proof
objects* between different reasoning agents such as automated
theorem provers and proof checkers.

Important application areas currently include:

Meta-theoretic reasoning on functional programs, such as terms
in the

Reasoning about behaviors in systems with concurrency and
communication, such as the *etc.*

Combining interactive and automated reasoning methods for induction and co-induction

Verification of distributed, reactive, and real-time algorithms that are often specified using modal and temporal logics

Representing proofs as documents that can be printed, communicated, and checked by a wide range of computational logic systems.

Stefan Hetzl received his Habilitation 5 November 2012 from the Technical University of Vienna.

Kaustuv Chaudhuri and Stefan Hetzl organized "Collegium Logicum 2012: Structural Proof Theory" at Inria-Saclay.

Dale Miller and Gopalan Nadathur (Professor at the University of Minnesota) published a book title "Programming with higher-order logic" (June 2012, Cambridge University Press).

There are two broad approaches for computational specifications. In
the *computation as model* approach, computations are encoded as
mathematical structures containing nodes, transitions, and state.
Logic is used to *describe* these structures, that is, the
computations are used as models for logical expressions. Intensional
operators, such as the modals of temporal and dynamic logics or the
triples of Hoare logic, are often employed to express propositions
about the change in state.

The *computation as deduction* approach, in contrast, expresses
computations logically, using formulas, terms, types, and proofs as
computational elements. Unlike the model approach, general logical
apparatus such as cut-elimination or automated deduction becomes
directly applicable as tools for defining, analyzing, and animating
computations. Indeed, we can identify two main aspects of logical
specifications that have been very fruitful:

*Proof normalization*, which treats the state of a
computation as a proof term and computation as normalization of the
proof terms. General reduction principles such as

*Proof search*, which views the state of a computation as a
a structured collection of formulas, known as a *sequent*, and
proof search in a suitable sequent calculus as encoding the dynamics
of the computation. Logic programming is based on proof
search , and different proof search
strategies can be used to justify the design of new and different
logic programming languages .

While the distinction between these two aspects is somewhat informal, it helps to identify and classify different concerns that arise in computational semantics. For instance, confluence and termination of reductions are crucial considerations for normalization, while unification and strategies are important for search. A key challenge of computational logic is to find means of uniting or reorganizing these apparently disjoint concerns.

An important organizational principle is structural proof theory,
that is, the study of proofs as syntactic, algebraic and
combinatorial objects. Formal proofs often have equivalences in
their syntactic representations, leading to an important research
question about *canonicity* in proofs – when are two proofs
“essentially the same?” The syntactic equivalences can be used to
derive normal forms for proofs that illuminate not only the proofs
of a given formula, but also its entire proof search space. The
celebrated *focusing* theorem of
Andreoli identifies one such normal form
for derivations in the sequent calculus that has many important
consequences both for search and for computation. The combinatorial
structure of proofs can be further explored with the use of
*deep inference*; in particular, deep inference allows access
to simple and manifestly correct cut-elimination procedures with
precise complexity bounds.

Type theory is another important organizational principle, but most
popular type systems are generally designed for either search or for
normalization. To give some examples, the Coq
system that implements the Calculus of Inductive
Constructions (CIC) is designed to facilitate the expression of
computational features of proofs directly as executable functional
programs, but general proof search techniques for Coq are rather
primitive. In contrast, the Twelf system
that is based on the LF type theory (a subsystem of the CIC), is
based on relational specifications in canonical form (*i.e.*,
without redexes) for which there are sophisticated automated
reasoning systems such as meta-theoretic analysis tools, logic
programming engines, and inductive theorem provers. In recent years,
there has been a push towards combining search and normalization in
the same type-theoretic framework. The Beluga
system , for example, is an extension of
the LF type theory with a purely computational meta-framework where
operations on inductively defined LF objects can be expressed as
functional programs.

The Parsifal team investigates both the search and the normalization aspects of computational specifications using the concepts, results, and insights from proof theory and type theory.

The team has spent a number of years in designing a strong new logic
that can be used to reason (inductively and co-inductively) on
syntactic expressions containing bindings. This work has been
published is a series of papers by McDowell and Miller
, Tiu and Miller
, and Gacek, Miller, and
Nadathur . Besides presenting
formal properties of these logic, these papers also documented a
number of examples where this logic demonstrated superior approaches
to reasoning about a number of complex formal systems, ranging from
programming languages to the

The team has also been working on three different prototype theorem proving system that are all related to this stronger logic. These systems are the following.

Abella, which is an interactive theorem prover for the full logic.

Bedwyr, which is a model checker for the “finite” part of the logic.

Tac, which is a sophisticate tactic for automatically completing simple proofs involving induction and unfolding.

We are now in the process of attempting to make all of these system
communicate properly. Given that these systems have been authored by
different team members at different times and for different reasons,
they do not formally share the same notions of syntax and proof. We
are now working to revisit all of these systems and revise them so
that they all work on the *same* logic and so that they can share
their proofs with each other.

Currently, Chaudhuri, Miller, and Accattoli are working with our technical staff member, Heath, to redesign and restructure these systems so that they can cooperate in building proofs.

The team has been considering how it might be possible to define a universal format for proofs so that any existing theorem provers can have its proofs trusted by any other prover. This is a rather ambitious project and involves a great deal of work at the infrastructure level of computational logic. As a result, we have put significant energies into considering the high-level objectives and consequences of deploying such proof certificates.

Our current thinking on this point is roughly the following. Proofs, both formal and informal, are documents that are intended to circulate within societies of humans and machines distributed across time and space in order to provide trust. Such trust might lead a mathematician to accept a certain statement as true or it might help convince a consumer that a certain software system is secure. Using this general definition of proof, we have re-examined a range of perspectives about proofs and their roles within mathematics and computer science that often appears contradictory.

Given this view of proofs as both document and object,
that need to be communicated and checked, we have attempted to define
a particular approach to a *broad spectrum proof certificate*
format that is intended as a universal language for communicating
formal proofs among computational logic systems. We identify four
desiderata for such proof certificates: they must be

checkable by simple proof checkers,

flexible enough that existing provers can conveniently produce such certificates from their internal evidence of proof,

directly related to proof formalisms used within the structural proof theory literature, and

permit certificates to elide some proof information with the expectation that a proof checker can reconstruct the missing information using bounded and structured proof search.

We consider various consequences of these desiderata, including how they can mix computation and deduction and what they mean for the establishment of marketplaces and libraries of proofs. More specifics can be found in Miller's papers and .

In order to develop an approach to proof certificates that is as comprehensive as possible, one needs to handle theorems and proofs in both classical logic and intuitionistic logic. Yet, building two separate libraries, one for each logic, can be inconvenient and error-prone. An ideal approach would be to design a single proof system in which both classical and intuitionistic proofs can exist together. Such a proof system should allow cut-elimination to take place and should have a sensible semantic framework.

Liang and Miller have recently been working on exactly that problem. In their paper , they showed how to describe a general setting for specifying proofs in intuitionistic and classical logic and to achieve one framework for describing initial-elimination and cut-elimination for such these two logics. That framework allowed for some mixing of classical and intuitionistic features in one logic. A more ambitious merging of these logics was provided in their work on “polarized intuitionistic logic” in which classical and intuitionistic connectives can be used within the same formulas .

Deep inference , is a novel methodology for presenting deductive systems. Unlike traditional formalisms like the sequent calculus, it allows rewriting of formulas deep inside arbitrary contexts. The new freedom for designing inference rules creates a richer proof theory. For example, for systems using deep inference, we have a greater variety of normal forms for proofs than in sequent calculus or natural deduction systems. Another advantage of deep inference systems is the close relationship to categorical proof theory. Due to the deep inference design one can directly read off the morphism from the derivations. There is no need for a counter-intuitive translation.

The following research problems are investigated by members of the Parsifal team:

Find deep inference system for richer logics. This is necessary for making the proof theoretic results of deep inference accessible to applications as they are described in the previous sections of this report.

Investigate the possibility of focusing proofs in deep inference. As described before, focusing is a way to reduce the non-determinism in proof search. However, it is well investigated only for the sequent calculus. In order to apply deep inference in proof search, we need to develop a theory of focusing for deep inference.

Proof nets and atomic flows are abstract (graph-like) presentations of proofs such that all "trivial rule permutations" are quotiented away. Ideally the notion of proof net should be independent from any syntactic formalism, but most notions of proof nets proposed in the past were formulated in terms of their relation to the sequent calculus. Consequently we could observe features like “boxes” and explicit “contraction links”. The latter appeared not only in Girard's proof nets for linear logic but also in Robinson's proof nets for classical logic. In this kind of proof nets every link in the net corresponds to a rule application in the sequent calculus.

Only recently, due to the rise of deep inference, new kinds of proof nets have been introduced that take the formula trees of the conclusions and add additional “flow-graph” information (see e.g., , and . On one side, this gives new insights in the essence of proofs and their normalization. But on the other side, all the known correctness criteria are no longer available.

This directly leads to the following research questions investigated by members of the parsifal team:

Finding (for classical logic) a notion of proof nets that is deductive, i.e., can effectively be used for doing proof search. An important property of deductive proof nets must be that the correctness can be checked in linear time. For the classical logic proof nets by Lamarche and Straßburger this takes exponential time (in the size of the net).

Studying the normalization of proofs in classical logic using atomic flows. Although there is no correctness criterion they allow to simplify the normalization procedure for proofs in deep inference, and additionally allow to get new insights in the complexity of the normalization.

Automated theorem proving has traditionally focused on classical first-order logic, but non-classical logics are increasingly becoming important in the specification and analysis of software. Most type systems are based on (possibly second-order) propositional intuitionistic logic, for example, while resource-sensitive and concurrent systems are most naturally expressed in linear logic.

The members of the Parsifal team have a strong expertise in the design and implementation of performant automated reasoning systems for such non-classical logics. In particular, the Linprover suite of provers continue to be the fastest automated theorem provers for propositional and first-order linear logic.

Any non-trivial specification, of course, will involve theorems that are simply too complicated to prove automatically. It is therefore important to design semi-automated systems that allow the user to give high level guidance, while at the same time not having to write every detail of the formal proofs. High level proof languages in fact serve a dual function – they are more readily comprehended by human readers, and they tend to be more robust with respect to maintenance and continued evolution of the systems. Members of the Parsifal team, in association with other Inria teams and Microsoft Research, have been building a heterogeneous semi-automatic proof system for verifying distributed algorithms .

On a more foundational level, the team has been developing many new insights into the structure of proofs and the proof search spaces. Two directions, in particular, present tantalizing possibilities:

The concept of *multi-focusing*
can be used to expose concurrency in computational behavior, which
can in turn be exploited to prune areas of the proof search space
that explore irrelevant interleavings of concurrent actions.

The use of *bounded search*, where the bounds can be
shown to be complete by meta-theoretic analysis, can be used to
circumvent much of the non-determinism inherent in
resource-sensitive logics such as linear logic. The lack of proofs
of a certain bound can then be used to justify the presence or
absence of properties of the encoded computations.

Much of the theoretical work on automated reasoning has been motivated by examples and implementations, and the Parsifal team intends to continue to devote significant effort in these directions.

There has been increasing interest in the use of formal methods to provide proofs of properties of programs and programming languages. Tony Hoare's Grand Challenge titled “Verified Software: Theories, Tools, Experiments” has as a goal the construction of “verifying compilers” for a world where programs would only be produced with machine-verified guarantees of adherence to specified behavior. Guarantees could be given in a number of ways: proof certificates being one possibility.

The Parsifal team has developed several tools and techniques for
reasoning about the meta-theory of programming languages. One of the
most important requirements for programming languages is the ability
to reason about data structures with binding constructs up to

Now that the Abella system has been in circulation among colleagues during the past couple of years, there are many aspects of the methodology that now need to be addressed. During the summer of 2011, the team employed three interns Carnegie Mellon University and McGill University to work on different aspects of Abella. Particular focus was given to better ways to manipulate specification-logic contexts in the reasoning-logic and with finding ways to have Abella output a proper proof object (different from the scripts that are used to find a proof).

Our colleague Alwen Tiu from the Australian National University has also been building on our Bedwyr model checking tool so that we can build on top of it his SPEC system for doing model checking of spi-calculus expressions. We have adopted his enhancements to Bedwyr and are developing further improvements within the context of the BATT project (see Section ).

Members of the Parsifal team have shown how to specify a large variety of proof systems—including natural deduction, the sequent calculus, and various tableau and free deduction systems—uniformly using either focused linear logic , or focused intuitionistic logic as the meta-language. In the presence of induction and co-induction, arbitrary finite computations can be embedded into single synthetic steps . Additional work shows that this same framework can also capture resolution refutations as well as Pratt primality certificates.

An important application then of this work in designing synthetic
inference systems based on classical and intuitionistic logic is
that of designing a *broad spectrum proof certificate*. The
definition of proof certificates can be remarkably flexible within
the simple setting of focused proofs.

The most important implications of such a certificate format would be that most of the worlds theorem provers should be able to print out their proofs and communication them to other provers: these other provers could then check such certificates by expanding the synthetic connectives they contain down into a small and fixed set of “micro” inference rules.

Automated reasoning uses a broad range of techniques whose soundness and completeness relate to the existence of proofs. The research programme of the ANR PSI project at Parsifal is to build a finer-grained connection by specifying automated reasoning techniques as the step-by-step construction of proofs, as we know it from proof theory and logic programming. The goal is to do this in a unifying framework, namely proof-search in a polarized and focussed logic. One of the advantages of this is to combine those techniques more easily. Another one is to envisage extending those techniques.

For instance, SAT-modulo-Theory problems require the combination of logical reasoning with domain-specific decision procedures. So in the PSI project we study how to incorporate the call to decision procedures in proof-theoretical framework like the focussed sequent calculus, and the proof-search mechanisms that are related to it.

In the same spirit we also study how to handle existential variables and equality, for which specific automated reasoning techniques have been designed (superposition / paramodulation calculi).

Abella is an interactive theorem prover based on the two-level logic logic approach. It consists of a sophisticated reasoning logic that supports induction, co-induction, and generic reasoning, and a specification logic that is based on logic programming. Abella was initially designed to reason about simple second-order Lambda Prolog programs, which is sufficient for the computational specifications.

During 2012, as part of the RAPT Associated Team, Chaudhuri and Yuting Wang (intern from Univ. Minnesota) have been working on extending the expressive power of both levels of the Abella system. The following modifications have been made.

We have extended the specification logic to support the full Lambda Prolog, which can be used to provide succinct higher-order specifications that tend to be unnatural and difficult to reason about with only second-order Lambda Prolog programs.

We have extended the type system of Abella from simple types to parametrically polymorphic types. This is a significant improvement in the user-friendliness of the system as a lot of code does not have to be manually monomorphised and duplicated any more.

We have experimented with extending the type system of Abella even further to higher-order predicate quantification. The theoretical basis of this work is a part of ongoing research, although we already have a number of examples of practical benefits of this extension.

Finally, several improvements have been made to Abella's proof language to make the proofs more robust and reusable. We intend to make a more drastic change to the proof language in the future that will make proofs more declarative and high level.

The core development of Abella has also been centralized, with a
single canonical repository and a new web-page:
http://

The next version of Abella, version 2.0, is in beta testing with expected release early in 2013.

During 2012, Quentin Heath has made the following important improvements to the Bedwyr model checking system.

The concrete syntaxs for Bedwyr and Abella have been unified. Now, both systems can load the definitions and theorems developed in the other system. Eventually, we expect to have our model checker (Bedwyr) and interactive theorem prover (Abella) share theories and proofs.

The documentation, distribution, and testing of Bedwyr were all improved, greatly increasing the usability of this system.

The underlying support for logic has also been increased. In
particular, the Bedwyr system contains a *tabling* mechanism which
is capable of remembering past successful proofs (it can even support
a finite failure as a successful proof of a negation). The most
recent version of Bedwyr allows one to actually program the table in
rather sophisticated ways. For example, simple lemmas can be loaded
into the table and these lemmas can be used to greatly extend the
range of what is tabled (remembered). We are currently examining
different trade-offs between different styles of reasoning in the
table (backchaining vs forwardchaining).

The work of Heath is being done in the context of the BATT ADJ project funded by Inria.

See also the web page http://

Psyche (*Proof-Search factorY for Collaborative
HEuristics*) is a modular programme for universal proof-search
in classical logic. The motivation is twofold:

On the one hand, prove some mathematics of the broadest range while making the most of problem-specific techniques; On the other hand, gain high confidence about the correctness of the proofs produced without having to rely on a proof-checker.

The architecture is that of an interaction between a trusted universal kernel and smart plugins that are meant be efficient at solving certain kinds of problems:

The kernel contains the mechanisms for exploring the proof-search space in a sound and complete way, taking into account branching and backtracking. The output of Psyche comes from the (trusted) kernel and is therefore correct by construction. The plugins then drive the kernel by specifying how the branches of the search space should be explored, depending on the kind of problem that is being treated. The quality of the plugin is then measured by how fast it drives the kernel towards the final answer.

Version 1.0 of Psyche (released 4/9/2012) handles classical propositional logic, and its proof-search mechanism is simply the incremental construction of proof-trees in the polarised and focussed sequent calculus. The mechanism is driven by a plugin that emulates the behaviour of a SAT-solver (DPLL), with non-trivial features such as the eager application of the Unit Propagation rule, conflict analysis, backjumping and clause learning.

Psyche's input for that kind of SAT-problem is a file given in the standard DIMACS format.

See also the web page http://

The *sequent calculus* is often criticized as a proof syntax
because it contains a lot of noise. It records the precise minute
sequence of operations that was used to construct a proof, even when
the order of some proof steps in the sequence is irrelevant and when
some of the steps are unnecessary or involve detours. These features
lead to several technical problems: for example, cut-elimination in
the classical sequent calculus LK, as originally developed by
Gentzen, is not confluent, and hence proof composition in LK is not
associative. Many people choose to discard the sequent calculus when
attempting to design a better proof syntax with the desired
properties.

In recent years, there has been a project at Parsifal to recover some of these alternative proof syntaxes by imposing a certain abstraction over sequent proofs. The earliest example of this was in , where we showed a class of sequent proofs that were isomorphic to proof nets for multiplicative linear logic. In 2012, we were able to obtain a similar result for first-order classical logic, wherein we defined a class of sequent proofs that are isomorphic to expansion trees, a generalization of Herbrand disjunctions that is in some sense a minimalistic notion of proof for classical logic. This result was published at the CSL 2012 conference and a journal version is in preparation.

Our technique for recovering these dramatically different proof
structures directly in the sequent calculus involves the use of
*maximal multi-focusing* which gives a syntactic
characterization of those sequent proofs that: (1) have a “don't
care” ordering of proof steps where the order does not matter, and
(2) groups larger logical steps, called *actions*, into a
maximally parallel form where only important orderings of actions
are recorded. This technique was pioneered at Parsifal, and we have
barely scratched the surface of its applications.

An important engineering question in the ProofCert project is that
of communicating, manipulating, and storing formal proof
certificates. A fully detailed proof certificate, especially one
generated by proof search, can be very large. Using such proofs
would require a high bandwidth interface between the proof producer
and consumer, which limits the scalability of the *ensemble of
proving systems* approach. It is therefore natural to ask if there
are more compact formats for proof certificates. The ideal format
would have a tunable level of detail, so that the size of the
certificates can be tailored to the application domain.

Suppose the proof consumer is equipped with some proof search
capabilities. What then needs to be transmitted to the consumer to
guarantee that it can check a proof within desired complexity
bounds? It turns out that there is a systematic and general answer
to this problem: use *focusing* and record only the
“decision” rules of focusing in the proof certificate. From a high
level perspective, this answer is equivalent to designing a proof
system where the contraction rules are carefully bounded.

In a paper that appeared in the J. of Automated Reasoning, Gacek,
Miller, and Nadathur described the foundations and
architecture of a new interactive theorem prover capable of reasoning
with rich collections of inductive and coinductive relations. This
prover, called Abella, also contains the “generic” quantifier

A novel aspect of Abella is that it can define provability in various
simple logics and can also reason about provability in such logics.
The current system includes a *specification logic* that is a
(restricted) intuitionistic logic programming language (a sublanguage
of *reasoning logic*, and it is capable of
reasoning about provability in the specification language.

This approach to reasoning about computation has interesting applications. For example, the reasoning logic is aware of the fact that the cut and substitution rules can be eliminated in the specification logic. As a consequence, the notoriously difficult "substitution lemmas" that occur repeated in the study of operational semantics are proved essentially for free (that is, they are an immediate consequence of cut-elimination).

Programs that must deal with floating point programs and their associate errors can have erratic behavior. In particular, a program that yields outputs that depend continuously on their inputs (in an idealized arithmetic setting) can behave non-continuously when using floating point arithmetic. There are few tools for reasoning about program correctness in a setting that allows for such discontinuous operators.

It is well-known that cut-elimination in the sequent calculus for classical first-order logic is in its most general form, is neither confluent nor strongly normalizing. But if one takes a coarser (and mathematically more realistic) look at cut-free proofs, one can analyze which witnesses they choose for which quantifiers, or in other words: one can only consider the Herbrand-disjunction of a cut-free proof. This yields a surprising confluence result for a natural class of proofs: all (possibly infinitely many) normal forms of the non-erasing cut reduction lead to the same Herbrand-disjunction. This result has been presented at CSL 2012 .

A curious aspect of Girard's proof nets for multiplicative
linear logic without units is that, despite being a canonical representation
of proof, their categorical semantics is not obvious—this in contrast to
the situation *with* units, where star-autonomous categories form a
natural semantics, but no canonical proof nets are known.

In the middle of the past decade several proposals for a categorical
semantics of proof nets, a notion of *semi-star-autonomous* categories,
were investigated: by Robin Houston and Dominic Hughes, by Kosta Došen,
and by François Lamarche and Lutz Straßburger.

The present effort by Willem Heijltjes and Lutz Straßburger completes the notion in such a way that proof nets constitute the *free* semi-star-autonomous category.

Starting from the study of Linear Logic proof nets, a new approach to explicit substitutions for ł-calculus has recently been introduced by Accattoli and D. Kesner . This approach has been systematically explored by Accattoli and his co-authors.

The rewriting theory of these new explicit substitutions *at a
distance* has been studied in and
. In Accattoli and Kesner
study the preservation of *head* reduction followed
by a non-head reduction.

Applications of explicit substitutions at a distance have been studied in , , . In Accattoli and Dal Lago show that the length of the head reduction in calculi at a distance is a measure of time complexity. More precisely, they show that such a quantity is polynomially related (in both directions) to the cost of evaluating with Turing Machines. This result is an important step forward towards the solution of the long-standing open problem of finding a time cost model for ł-calculus.

In Accattoli and Paolini apply substitutions
at a distance in a call-by-value setting. They show that in this new
framework there is a natural characterization of *solvability*,
an important notion related to denotational semantics and the
representation of partial recursive functions. In
(a work presented to a workshop and currently
submitted to the post-proceedings of the workshop) Accattoli shows the
tight relations between the framework in and
linear logic proof nets, providing a new characterization of the proof
nets representing the call-by-value

Finally, in Accattoli and Kesner introduce a
calculus generalizing many different extensions of

In the PSI project, we have designed a version of the focussed sequent calculus (for first-order classical logic) that can call external decision procedures. Since the last Activity Report, we have finished proving the essential meta-theory for it: soundness, invertibility of asynchronous rules, cut-elimination, the fact that polarities do not affect provability but only the shape of proofs, and finally completeness.

The first properties are the object of , while the latter ones have been obtained later in 2012.

A side-product of this meta-theory is a technical device that could be
used to encode other techniques from automated reasoning like
*connection tableaux*.

Secondly, we have encoded the SMT-solving algorithm DPLL(T) as the incremental construction of proof-trees in that sequent calculus , . A very interesting aspect of the encodings is that the basic rules of DPLL(T) makes use of cuts on atoms in sequent calculus, while the advanced jrules (e.g. backjumping) makes use of general cuts. This sheds a new light on the computational speed-ups that those advanced rules provide.

We have done the encoding for two distinct presentations of DPLL(T) in the literature, and we have formalised the connection between those two descriptions .

For the last five or six years there has been a surge of interest in finding models for the identity type in Martin-Löf type theory, and it has been clear for some time that there was a tight connection with path objects in abstract homotopy theory. A lot of proposals have been made, but there are very few semantics that fit the necessary requirements of having dependent products and also an identity type which is fully stable under substitution. The most famous model of the sort is the one proposed by Voevodsky, in his Univalent Foundations project, which uses for base category the category of simplicial sets and models dependent types by the means of Kan Fibrations. In François Lamarche proposes another such model, where the base category is the category of small categories, and dependent types are modelled with Grothendieck bifibrations (maps between categories that are Grothendieck fibrations as well as their duals between the opposite categories). The full requirements of modelling Martin-Löf type theory are met. Calculations show that the model shows some amount of degeneracy “in dimensions above 2” for the associativity of equality (which should not be strict in any dimension), which is a great improvement over the models on strict groupoids and strict

Title: ProofCert: Broad Spectrum Proof Certificates

Type: IDEAS

Instrument: ERC Advanced Grant (Advanced)

Duration: January 2012 - December 2016

Coordinator: Inria (France)

Abstract: The ProofCert proposal aims at building a foundation that will allow a broad spectrum of formal methods—ranging from automatic model checkers to interactive theorem provers—to work together to establish formal properties of computer systems. This project starts with a wonderful gift to us from decades of work by logicians and proof theorist: their efforts on logic and proof has given us a universally accepted means of communicating proofs between people and computer systems. Logic can be used to state desirable security and correctness properties of software and hardware systems and proofs are uncontroversial evidence that statements are, in fact, true. The current state-of-the-art of formal methods used in academics and industry shows, however, that the notion of logic and proof is severely fractured: there is little or no communication between any two such systems. Thus any efforts on computer system correctness is needlessly repeated many times in the many different systems: sometimes this work is even redone when a given prover is upgraded. In ProofCert, we will build on the bedrock of decades of research into logic and proof theory the notion of proof certificates. Such certificates will allow for a complete reshaping of the way that formal methods are employed.

Title: Structural and computational proof theory

Duration: 01/01/2011 – 31/12/2013

Partners:

University Paris VII, PPS (PI: Michel Parigot)

Inria Saclay–IdF, EPI Parsifal (PI: Lutz Straßburger)

University of Innsbruck, Computational Logic Group (PI: Georg Moser)

Vienna University of Technology, Theory and Logic Group (PI: Matthias Baaz)

Total funding by the ANR: 242 390,00 EUR (including 12 000 EUR pôle de compétivité: SYSTEMTIC Paris région)

This project is a consortium of four partners, two French and two Austrian, who are all internationally recognized for their work on structural proof theory, but each coming from a different tradition. One of the objective of the project is build a bridge between these traditions and develop new proof-theoretic tools and techniques of structural proof theory having a strong potential of applications in computer science, in particular at the level of the models of computation and the extraction of programs and effective bounds from proofs.

On one side, there is the tradition coming from mathematics, which is mainly concerned with first-order logic, and studies, e.g., Herbrand's theorem, Hilbert's epsilon-calculus, and Goedel's Dialectica interpretation. On the other side, there is the tradition coming from computer science, which is mainly concerned with propositional systems, and studies, e.g., Curry-Howard isomorphism, algebraic semantics, linear logic, proof nets, and deep inference. A common ground of both traditions is the paramount role played by analytic proofs and the notion of cut elimination. We will study the inter-connections of these different traditions, in particular we focus on different aspects and developments in deep inference, the Curry-Howard correspondence, term-rewriting, and Hilbert's epsilon calculus. As a byproduct this project will yield a mutual exchange between the two communities starting from this common ground, and investigate, for example, the relationship between Herbrand expansions and the computational interpretations of proofs, or the impact of the epsilon calculus on proof complexity.

Besides the old, but not fully exploited, tools of proof theory, like the epsilon-calculus or Dialectica interpretation, the main tool for our research will be deep inference. Deep inference means that inference rules are allowed to modify formulas deep inside an arbitrary context. This change in the application of inference rules has drastic effects on the most basic proof theoretical properties of the systems, like cut elimination. Thus, much of the early research on deep inference went into reestablishing these fundamental results of logical systems. Now, deep inference is a mature paradigm, and enough theoretical tools are available to think to applications. Deep inference provides new properties, not available in shallow deduction systems, namely full symmetry and atomicity, which open new possibilities at the computing level that we intend to investigate in this project. We intend to investigate the precise relation between deep inference and term rewriting, and hope to develop a general theory of analytic calculi in deep inference. In this way, this project is a natural continuation of the ANR project INFER which ended in May 2010.

Title: From Proofs to Counterexamples for Programming

Duration: 01/01/2012 – 31/12/2013

German Partner: University of Bonn, Institute for Computer Science (Department III)

Finding counterexamples is an endeavor which is as important as proving theorems. But while the latter has seen a huge amount of research effort—we have nowadays a large quantity of tools for automated and interactive theorem proving—the former has mainly been neglegted by proof theorists. One of the reasons is that finding counterexamples or countermodels has been considered a model theoretical activity, rather than a proof theoretical one. Only recently, researchers have begun to explore the well-known duality between "proof search" and "search for countermodels" in a purely proof theoretical way. The main objective of this collaboration is to develop the necessary proof theory for automatically generating such counterexamples in a more general setting.

Title: Extending the Realm of the Curry-Howard-Correspondence

Duration: 01/01/2011 – 31/12/2012

Swiss Partner: University of Bern, Institut für Informatik und angewandte Mathematik (IAM)

The Curry-Howard correspondence between proofs and programs is probably the most interesting and surprising connection between mathematics and computer science. It was discovered in the 1960s, but its main development started in the 1980s. The basis of the correspondence is a correspondence between intuitionistic proofs and typed functional programs (written as terms of lambda-calculus).

Our goal is to develop such a correspondence for new formalisms, like hypersequents, nested sequents and deep inference, in order to better understand their proofs and, we hope, either to discover new programming constructs or to give a new logical interpretation to existing ones.

Title: Applying Recent Advances in Proof Theory for Specification and Reasoning

Inria principal investigator: Kaustuv Chaudhuri

International Partner:

Institution: McGill University (Canada)

Laboratory: School of Computer Science

Researcher: Prof. Brigitte Pientka

International Partner:

Institution: Carnegie Mellon University (United States)

Laboratory: Department of Computer Science

Researcher: Prof. Frank Pfenning

International Partner:

Institution: University of Minnesota (United States)

Laboratory: Department of Computer Science and Engineering

Researcher: Prof. Gopalan Nadathur

Duration: 2011 - 2013

Many aspects of computation systems, ranging from operational semantics, interaction, and various forms of static analysis, are commonly specified using inference rules, which themselves are formalized as theories in a logical framework. While such a use of logic can yield sophisticated, compact, and elegant specifications, formal reasoning about these logic specifications presents a number of difficulties. The RAPT project will address the problem of reasoning about logic specifications by bringing together three different research teams, combining their backgrounds in type theory, proof theory, and the building of computational logic systems. We plan to develop new methods for specifying computation that allow for a range of specification logics (eg, intuitionistic, linear, ordered) as well as new means to reason inductively and co-inductively with such specifications. New implementations of reasoning systems are planned that use interactive techniques for deep meta-theoretic reasoning and fully automated procedures for a range of useful theorems.

Title: Interactive Resource Analysis

webpage: http://

Inria principal investigator: Dale Miller

Inria Partner:

Institution: Inria

Team: FOCUS

Researcher: Ugo Dal Lago

Inria Partner:

Institution: Inria

Team: pi.r2

Researcher: Pierre-Louis Curien

Duration: 2011 - 2013

This project aims at putting together ideas from Implicit Computational Complexity and Interactive Theorem Proving, in order to develop new methodologies for handling quantitative properties related to program resource consumption, like execution time and space. The task of verifying and certifying quantitative properties is undecidable as soon as the considered programming language gets close to a general purpose language. So, full-automatic techniques in general cannot help in classifying programs in a precise way with respect to the amount of resources used and moreover in several cases the programmer will not gain any relevant information on his programs. In particular, this is the case for all the techniques based on the study of structural constraints on the shape of programs, like many of those actually proposed in the field of implicit computational complexity. To overcome these limitations, we aim at combining the ideas developed in the linear logic approach to implicit computational complexity with the ones of interactive theorem proving, getting rid of the intrinsic limitations of the automatic techniques. In the obtained framework, undecidability will be handled through the system's user, who is asked not only to write the code, but also to drive the semi-automatic system in finding a proof for the quantitative properties of interest. In order to reduce the user effort and allow him to focus only on the critical points of the analysis, our framework will integrate implicit computational complexity techniques as automatic decision procedures for particular scenarios. Moreover, in order to be widely applicable, the modularity of the framework will permit to deal with programs written in different languages and to consider different computational resources. The kind of study proposed by this project has been almost neglected so far. Here, we aim at providing such a framework for both theoretic investigations and for testing in practice the effectiveness of the approach.

Brigitte Pientka, Associate Professor, McGill University

February 21 – 24

Gopalan Nadathur, Professor, University of Minnesota

July 10 – 12

Elaine Pimentel, Associate Professor, Universidade Federal de Minas Gerais

June 6 – July 17

Chuck Liang, Professor, Hofstra University

March 6 – May 6 and December 17 – 24

Yuting WANG (May – August)

Subject: Development of the Abella theorem prover.

Institution: University of Minnesota (United States)

Florence Clerc (March – July)

Subject: Relating double-negation translations and focused proof systems

Institution: Master Parisien de Recherche en Informatique

Zakaria Chihani (April – September)

Subject: Proof certificates for some basic proof systems in classical logic

Institution: Master Parisien de Recherche en Informatique

Stefan Hetzl has visited the Vienna University of Technology four times, for a total of 36 days, within the framework of the FWF/ANR Structural project.

Dale Miller served as Program Committee Chair for the following three meetings: CPP 2012: Second International Conference on Certified Programs and Proofs, 13-15 December, Kyoto, Japan; IJCAR 2012: International Joint Conference on Automated Reasoning, Manchester, UK, June; FICS 2012: Fixed Points in Computer Science (a satellite workshop of ETAPS 2012), Tallinn, Estonia, 24 March.

Dale Miller served on the Program Committees of the following three meetings: LFMTP’12: Workshop on Logical Frameworks and Meta-Languages: Theory and Practice, 9 September, Copenhagen, Denmark; LAM 2012: Fifth International Workshop on Logics, Agents, and Mobility, June, Hamburg, Germany; LPAR-18: The 18th International Conference on Logic for Programming, Artificial Intelligence and Reasoning. Merida, Venezuela, 11-15 March.

Dale Miller organized the Special Session on Structural Proof Theory and Computing at the 2012 Annual Meeting of the Association of Symbolic Logic (ASL), Madison, Wisconsin, 31 March - 3 April.

Kaustuv Chaudhuri and Stefan Hetzl organized the Collegium Logicum 2012 workshop at Inria Saclay during 15–16 November

Kaustuv Chaudhuri and Brigitte Pientka organized the RAPT/PROMIS workshop in Montreal, Canada, during 14–18 October

Dale Miller gave an invited talk at the Journees nationales du GDR-IM, 25-26 January 2012, University of Paris 7.

Dale Miller gave an invited talk at the ANR-DFG Hypothese Workshop titled Different Aspects of Proof Theory, ENS Paris, 3 May 2012.

Dale Miller gave research talks at the following venues: Summer Workshop on Proof Theory, Pisa, Italy, 12-15 June; CHocCoLa seminar, ENS Lyon, 15 March; Workshop on Certificates and Computation, ITU Copenhagen, 12 March; Department of Mathematics, Carnegie Mellon University, 5 April.

Licence : Stéphane Graham-Lengrand teaches 50 hours (eq. TD) in L3 at Ecole Polytechnique in the course “INF431: Algorithmique et programmation”.

Master : Dale Miller taught 12 hours at MPRI (Master Parisien de Recherche en Informatique) in the Course 2-1: Logique linéaire et paradigmes logiques du calcul.

Master : Stéphane Graham-Lengrand teaches 36 hours (eq. TD) in M1 at Ecole Polytechnique in the course “INF551: Computer-aided reasoning”, and 15 hours (eq. TD) in M2 at Master Parisien de Recherche en Informatique (MPRI) on “Curry-howard correspondence for classical logic”.

PhD in progress :

Zakaria Chihani, since October 2012, supervisor: Dale Miller

Mahfuza Farooque, since October 2010, co-supervisor: Stéphane Graham-Lengrand

Ivan Gazeau, since October 2009, co-supervisor: Dale Miller

Nicolas Guenot, since October 2008, supervisor: Lutz Straßburger

Hernán-Pablo Vanzetto, since October 2010, co-supervisor: Kaustuv Chaudhuri

Dale Miller served as a reporter for the habilitation of Stefan Hetzl (Fall 2012) and was the president of the jury for the habilitation of Frédéric Blanqui, 13 July 2012.

Dale Miller served as a member of the PhD jury for Robert Simmons, Carnegie Mellon University, 22 October 2012. He was also “rapporteur” for the PhD of Nicolas Pouillard, University of Paris 7, 13 January 2012.