The aim of the Parsifal team is to develop and exploit *proof
theory* and *type theory* in the specification and
verification of computational systems.

*Expertise*: the team conducts basic research in proof
theory and type theory. In particular, the team is developing
results that help with automated deduction and with the
manipulation and communication of formal proofs.

*Design*: based on experience with computational systems
and theoretical results, the team develops new logical principles,
new proof systems, and new theorem proving environments.

*Implementation*: the team builds prototype systems to
help validate basic research results.

*Examples*: the design and implementation efforts are
guided by examples of specification and verification problems.
These examples not only test the success of the tools but also
drive investigations into new principles and new areas of proof
theory and type theory.

The foundational work of the team focuses on *structural* and
*analytic* proof theory, *i.e.*, the study of formal
proofs as algebraic and combinatorial structures and the study of
proof systems as deductive and computational formalisms. The main
focus in recent years has been the study of the *sequent
calculus* and of the *deep inference* formalisms.

An important research question is how to reason about computational
specifications that are written in a *relational* style. To
this end, the team has been developing new approaches to dealing
with induction, co-induction, and generic quantification. A second
important question is of *canonicity* in deductive systems,
*i.e.*, when are two derivations “essentially the same”? This
crucial question is important not only for proof search, because it
gives an insight into the structure and an ability to manipulate the
proof search space, but also for the communication of *proof
objects* between different reasoning agents such as automated
theorem provers and proof checkers.

Important application areas currently include:

Meta-theoretic reasoning on functional programs, such as terms
in the

Reasoning about behaviors in systems with concurrency and
communication, such as the *etc.*

Combining interactive and automated reasoning methods for induction and co-induction

Verification of distributed, reactive, and real-time algorithms that are often specified using modal and temporal logics

Representing proofs as documents that can be printed, communicated, and checked by a wide range of computational logic systems.

There are two broad approaches for computational specifications. In
the *computation as model* approach, computations are encoded as
mathematical structures containing nodes, transitions, and state.
Logic is used to *describe* these structures, that is, the
computations are used as models for logical expressions. Intensional
operators, such as the modals of temporal and dynamic logics or the
triples of Hoare logic, are often employed to express propositions
about the change in state.

The *computation as deduction* approach, in contrast, expresses
computations logically, using formulas, terms, types, and proofs as
computational elements. Unlike the model approach, general logical
apparatus such as cut-elimination or automated deduction becomes
directly applicable as tools for defining, analyzing, and animating
computations. Indeed, we can identify two main aspects of logical
specifications that have been very fruitful:

*Proof normalization*, which treats the state of a
computation as a proof term and computation as normalization of the
proof terms. General reduction principles such as

*Proof search*, which views the state of a computation as a
a structured collection of formulas, known as a *sequent*, and
proof search in a suitable sequent calculus as encoding the dynamics
of the computation. Logic programming is based on proof
search , and different proof search
strategies can be used to justify the design of new and different
logic programming languages .

While the distinction between these two aspects is somewhat informal, it helps to identify and classify different concerns that arise in computational semantics. For instance, confluence and termination of reductions are crucial considerations for normalization, while unification and strategies are important for search. A key challenge of computational logic is to find means of uniting or reorganizing these apparently disjoint concerns.

An important organizational principle is structural proof theory,
that is, the study of proofs as syntactic, algebraic and
combinatorial objects. Formal proofs often have equivalences in
their syntactic representations, leading to an important research
question about *canonicity* in proofs – when are two proofs
“essentially the same?” The syntactic equivalences can be used to
derive normal forms for proofs that illuminate not only the proofs
of a given formula, but also its entire proof search space. The
celebrated *focusing* theorem of
Andreoli identifies one such normal form
for derivations in the sequent calculus that has many important
consequences both for search and for computation. The combinatorial
structure of proofs can be further explored with the use of
*deep inference*; in particular, deep inference allows access
to simple and manifestly correct cut-elimination procedures with
precise complexity bounds.

Type theory is another important organizational principle, but most
popular type systems are generally designed for either search or for
normalization. To give some examples, the Coq
system that implements the Calculus of Inductive
Constructions (CIC) is designed to facilitate the expression of
computational features of proofs directly as executable functional
programs, but general proof search techniques for Coq are rather
primitive. In contrast, the Twelf system
that is based on the LF type theory (a subsystem of the CIC), is
based on relational specifications in canonical form (*i.e.*,
without redexes) for which there are sophisticated automated
reasoning systems such as meta-theoretic analysis tools, logic
programming engines, and inductive theorem provers. In recent years,
there has been a push towards combining search and normalization in
the same type-theoretic framework. The Beluga
system , for example, is an extension of
the LF type theory with a purely computational meta-framework where
operations on inductively defined LF objects can be expressed as
functional programs.

The Parsifal team investigates both the search and the normalization aspects of computational specifications using the concepts, results, and insights from proof theory and type theory.

The team has spent a number of years in designing a strong new logic that can be used to reason (inductively and co-inductively) on syntactic expressions containing bindings. This work is based on earlier work by McDowell, Miller, and Tiu , and on more recent work by Gacek, Miller, and Nadathur . The Parsifal team, along with our colleagues in Minneapolis, Canberra, Singapore, and Cachen, have been building two tools that exploit the novel features of this logic. These two systems are the following.

Abella, which is an interactive theorem prover for the full logic.

Bedwyr, which is a model checker for the “finite” part of the logic.

We have used these systems to provide formalize reasoning of a number
of complex formal systems, ranging from programming languages to the

During 2014, the Abella system has been extended with a number of new features. A number of new significant examples have been implemented in Abella and an extensive tutorial for it has been written .

The team is developing a framework for defining the semantics of proof evidence. With this framework, implementers of theorem provers can output proof evidence in a format of their choice: they will only need to be able to formally define that evidence's semantics. With such semantics provided, proof checkers can then check alleged proofs for correctness. Thus, anyone who needs to trust proofs from various provers can put their energies into designing trustworthy checkers that can execute the semantic specification.

In order to provide our framework with the flexibility that this
ambitious plan requires, we have based our design on the most recent
advances within the theory of proofs. For a number of years, various
team members have been contributing to the design and theory of
*focused proof systems*
and we have
adopted such proof systems as the corner stone for our framework.

We have also been working for a number of years on the implementation of computational logic systems, involving, for example, both unification and backtracking search. As a result, we are also building an early and reference implementation of our semantic definitions.

Deep inference , is a novel methodology for presenting deductive systems. Unlike traditional formalisms like the sequent calculus, it allows rewriting of formulas deep inside arbitrary contexts. The new freedom for designing inference rules creates a richer proof theory. For example, for systems using deep inference, we have a greater variety of normal forms for proofs than in sequent calculus or natural deduction systems. Another advantage of deep inference systems is the close relationship to categorical proof theory. Due to the deep inference design one can directly read off the morphism from the derivations. There is no need for a counter-intuitive translation.

The following research problems are investigated by members of the Parsifal team:

Find deep inference system for richer logics. This is necessary for making the proof theoretic results of deep inference accessible to applications as they are described in the previous sections of this report.

Investigate the possibility of focusing proofs in deep inference. As described before, focusing is a way to reduce the non-determinism in proof search. However, it is well investigated only for the sequent calculus. In order to apply deep inference in proof search, we need to develop a theory of focusing for deep inference.

Proof nets and atomic flows are abstract (graph-like) presentations of proofs such that all "trivial rule permutations" are quotiented away. Ideally the notion of proof net should be independent from any syntactic formalism, but most notions of proof nets proposed in the past were formulated in terms of their relation to the sequent calculus. Consequently we could observe features like “boxes” and explicit “contraction links”. The latter appeared not only in Girard's proof nets for linear logic but also in Robinson's proof nets for classical logic. In this kind of proof nets every link in the net corresponds to a rule application in the sequent calculus.

Only recently, due to the rise of deep inference, new kinds of proof nets have been introduced that take the formula trees of the conclusions and add additional “flow-graph” information (see e.g., , and . On one side, this gives new insights in the essence of proofs and their normalization. But on the other side, all the known correctness criteria are no longer available.

This directly leads to the following research questions investigated by members of the Parsifal team:

Finding (for classical logic) a notion of proof nets that is deductive, i.e., can effectively be used for doing proof search. An important property of deductive proof nets must be that the correctness can be checked in linear time. For the classical logic proof nets by Lamarche and Straßburger this takes exponential time (in the size of the net).

Studying the normalization of proofs in classical logic using atomic flows. Although there is no correctness criterion they allow to simplify the normalization procedure for proofs in deep inference, and additionally allow to get new insights in the complexity of the normalization.

The goal of combining model checking with inductive and co-inductive theorem in a rather appealing one. The strengths of systems in these two different systems are strikingly different. A model checker is capable of exploring a finite space automatically: such a tool can repeatedly explores all possible cases for how a computational space can be explored. On the other hand, a theorem prover might be able to prove clever things about a search space. For example, a model checker could attempt to discover whether or not there exists a winning strategy for, say, tic-tac-toe while an inductive theorem prover might be able to prove that if there is a winning strategy from one board then there is a winning strategy from any symmetric version of that board. Of course, being about to combine proofs from these system could drastically reduce the state exploration and proof certificate that needs to be produced to prove the existence of winning strategies.

Our first step to providing an integration of model checking and
(inductive) theorem proving was to develop a strong logic, we call

The tabling mechanism of Bedwyr has been extended so that its it can make use of previously proved lemmas. Thus, when a goal to prove that some board position has a winning strategy, the lemma can to conclude yes if some symmetric board position is already in the table.

For more about recent progress on providing checkable proof
certificates for model checking, see the web site for Bedwyr
http://

Traditionally, theorem provers—whether interactive or automatic—are usually monolithic: if any part of a formal development was to be done in a particular theorem prover, then all parts of it would need to be done in that prover. Increasingly, however, formal systems are being developed to integrate the results returned from several, independent and high-performing, specialized provers: see, for example, the integration of Isabelle with an SMT solver as well as the Why3 and ESC/Java systems.

Within the Parsifal team, we have been working on foundational aspects
of this problem of integrating different provers. As we have
described above, we have been developing a formal framework for
defining the semantics of proof evidence. We have also been working
on building prototype checkers of proof evidence which are capable to
executing such formal definitions. The proof definition language
described in the papers , is
currently given an implementation in the

Using

Instead of integrating different provers by exchanging proof
evidence and relying on a back-end proof-checker, another approach
to integration consists in re-implementing the theorem proving
techniques as proof-search strategies, on an architecture that
guarantees correctness. Focused systems can serve as the basis of
such an architecture, identifying points of choice and backtrack and
providing primitives for the exploration of the search space. These
form a trusted *Application Programming Interface* that can be
used to program and experiment various proof-search heuristics
without worrying about correctness. No proof-checking is needed if
one trusts the implementation of the API.

Following the description, in this framework, of quantifier-free techniques such as DPLL(T) , we are now exploring how the architecture can be adapted to accommodate techniques that handle quantifiers. In particular, unification-based or triggers-based techniques , .

This approach has led to the development of the Psyche engine.

Main web-site: http://

Abella is an interactive theorem prover for reasoning about data
structures with binding constructs using the *two-level logic approach* by means of a
specification logic based on the logic programming language

In 2014, the following additions were made to the system.

A new translation layer was added to Abella's specification
layer, which was used to build an interface to the LF dependent
type theory . This extension was documented
in the following paper: . A number of
examples of the use of this new specification language are
available at the following URL: http://

Two minor releases were made, versions 2.0.2 and 2.0.3, that fixed a number of bugs and added several convenience features. Consult the change log for more details.

Accompanying these additions were the following publications.

A new comprehensive tutorial for the Abella system has been
accept to appear in the *Journal of Formalized
Reasoning* .

The new tactical plugin architecture and the dynamic contexts plugin of Abella in the following paper: .

The use of co-induction and higher-order relations to formalize the meta-theory of various bisimulation-up-to techniques for common process calculi: .

Main web-site: http://

Quentin Heath has continued to maintain and enhance this model checking system. In particular, the tabling mechanism has been extended and formalized to a greater extent. The tabling mechanism is now able to use Horn clause lemmas in order to increase the power of the table. For example, given this enhancement it is possible to tell Bedwyr that if a given board position (in some game) has a winning strategy then symmetric versions of that board also have winning strategies. Thus, when a given board position is recognized as winning, then table will understand that all symmetric versions of that board are winning.

Significant energies have also gone into trying to understand how cyclic proofs (recognized using the tabling mechanism) can be turned into certifiable proof evidence. Good results are currently developed for treating bisimulation and non-reachability: in these cases, cyclic proofs are used to supply invariants for induction and co-induction.

Psyche (*Proof-Search factorY for Collaborative HEuristics*) is a
modular proof-search engine whose first version, 1.0, was released in
2012:

http://

The engine implements the ideas developed in the section “Trustworthy implementations of theorem proving techniques” above, and was the object of the system description .

Psyche's proof-search mechanism is simply the incremental construction of proof-trees in the polarized and focused sequent calculus. Its architecture organizes an interaction between a trusted universal kernel and smart plugins that are meant be efficient at solving certain kinds of problems:

The kernel contains the mechanisms for exploring the proof-search space in a sound and complete way, taking into account branching and backtracking. The output of Psyche comes from the (trusted) kernel and is therefore correct by construction. The plugins then drive the kernel by specifying how the branches of the search space should be explored, depending on the kind of problem that is being treated. The quality of the plugin is how fast it drives the kernel towards the final answer.

In 2014, major developments were achieved in Psyche, whose version 2.0 was released on 20th September 2014. It is now equipped with the machinery to handle quantifiers and quantifier-handling techniques. Concretely, it uses meta-variables to delay the instantiation of existential variables, and constraints on meta-variables are propagated through the various branches of the search-space, in a way that allows local backtracking. The kernel, of about 800 l.o.c., is purely functional.

Dale Miller's 1994 LICS paper titled “A Multiple-Conclusion Meta-Logic” was a co-recipient of the LICS Test of Time Award.

Last year we have shown deductive systems for all intuitionistic modal logics in the modal S5-cube using logical rules in nested sequents . This year we managed to exhibit fully modular systems. That is to say that there is a bijective correspondence between the modal axioms and the inference rules in the deductive system. This is achieved by using a combination of structural and logical rules. This result has been presented at AiML 2014 .

In the propositional case, “constructive” and “intuitionistic”
logic are usually considered the same. However, in the presence of the
modalities

The calculus of structures has mainly be used for “classical” logics that come with a De Morgan duality. The reason is that all normalization procedures developed so far for the calculus of structures rely on this De Morgan duality.

In this work, we give two proof systems for implication-only intuitionistic logic in the calculus of structures. The first is a direct adaptation of the standard sequent calculus to the deep inference setting. It comes with a cut elimination procedure that is similar to the one from the sequent calculus, using a non-local rewriting. The second system is the symmetric completion of the first, as normally given in deep inference for logics with a De Morgan duality: all inference rules have duals, as cut is dual to the identity axiom. For this symmetric system we prove a generalization of cut elimination, that we call symmetric normalization, where all rules dual to standard ones are permuted up in the derivation. The result is a decomposition theorem having cut elimination and interpolation as corollaries. This work has been presented at the CSL-LICS 2014 conference .

Free theorems are a means of type-based reasoning and are
being successfully applied for typed functional programming languages
like Haskell, e.g., for program transformation and generally establishing semantic properties , .
As a simple example, for every
polymorphic function

Previous work has investigated free theorems for such a language, Curry , phenomenologically and provides intuition for premises of free theorems as well as counterexamples. Proof of the positive claims has been elusive so far, mainly because Curry's type system fails to reflect the key feature: nondeterminism. This avoidance is convenient for programmers, as they do not have to distinguish between deterministic and nondeterministic values. However, it is a hindrance to formal reasoning: the conditions identified in include a notion of determinism, and hence it is a serious weakness of the type system not to capture this.

In a joint work with colleagues at the University of Bonn, published
in , we have developed an intermediate language, called SaLT, that
allowed us to prove a *Parametricity Theorem* which could be used
to derive free theorems for Curry.

This work is the result of the PHC Procope collaboration with the University of Bonn (duration 2012-2013).

In discrete quantum causal dynamics, quantum
systems are viewed as discrete structures, namely directed acyclic
graphs. In such a graph, events are considered as vertices and edges
depict propagation between events. Evolution is described as happening
between a special family of space-like slices, which were referred to
as locative slices in . Such slices are not so large as to result
in acausal influences, but large enough to capture nonlocal
correlations. It was an open problem whether such slices can be captured by a deductive system, such that proof search corresponds to quantum evolution.
In a joint work with Blute, Guglielmi, Ivanov,
and Panangaden, Straßburger has shown that the logic *seq* encodes
causal precedence. With this interpretation, the locative slices are
precisely the derivable strings of formulas. Several new technical results
about

The size of proofs of the propositional pigeonhole principle over various systems is a topic of much interest in the proof complexity literature. In particular, it has received notable attention in recent years from the deep inference community, where its classification over the system KS appears as an open problem in numerous publications. In we construct quasipolynomial-size proofs of the propositional pigeonhole principle in the deep inference system KS, addressing this question by matching the best known upper bound for the more general class of monotone proofs.

We make significant use of monotone formulae computing boolean threshold functions, an idea previously considered in works of Atserias et al. The main construction, monotone proofs witnessing the symmetry of such functions, involves an implementation of merge-sort in the design of proofs in order to tame the structural behavior of atoms, and so the complexity of normalization. Proof transformations from previous work on atomic flows are then employed to yield appropriate KS proofs.

As further results we show that our constructions can be applied to
provide quasipolynomial-size KS proofs of the parity principle and the
generalized pigeonhole principle. These bounds are inherited for the
class of monotone proofs, and we are further able to construct

The sequent calculus is often criticized for requiring proofs to contain large
amounts of low-level syntactic details that can obscure the essence of a given
proof.
Because each inference rule introduces only a single connective, sequent
proofs can separate closely related steps—such as instantiating a block of
quantifiers—by irrelevant noise.
Moreover, the sequential nature of sequent proofs forces proof steps that are
syntactically non-interfering and permutable to nevertheless be written in
some arbitrary order.
The sequent calculus thus lacks a notion of *canonicity*: proofs that
should be considered essentially the same may not have a common syntactic
form.
To fix this problem, many researchers have proposed replacing the sequent
calculus with proof structures that are more parallel or geometric.
Proof-nets, matings, and atomic flows are examples of such
*revolutionary* formalisms.
In , we propose, instead, an
*evolutionary* approach to recover canonicity within the
sequent calculus, which we illustrate for classical first-order
logic.
The essential element of our approach is the use of a *multi-focused*
sequent calculus as the means for abstracting away low-level details
from classical cut-free sequent proofs.
We show that, among the multi-focused proofs, the *maximally
multi-focused* proofs that collect together all possible
parallel foci are canonical.
Moreover, if we start with a certain focused sequent proof system,
such proofs are isomorphic to *expansion proofs*—a well
known, minimalistic, and parallel generalization of Herbrand
disjunctions—for classical first-order logic.
This technique appears to be a systematic way to recover the “essence of
proof” from within sequent calculus proofs.

The standard proof theory for logics with equality and fixpoints suffers from limitations of the sequent calculus, where reasoning is separated from computational tasks such as unification or rewriting. We propose in an extension of the calculus of structures, a deep inference formalism, that supports incremental and contextual reasoning with equality and fixpoints in the setting of linear logic. This system allows deductive and computational steps to mix freely in a continuum which integrates smoothly into the usual versatile rules of multiplicative-additive linear logic in deep inference.

Hypothetical judgments go hand-in-hand with higher-order abstract syntax for
meta-theoretic reasoning.
Such judgments have two kinds of assumptions: those that are statically known
from the specification, and the *dynamic assumptions* that result from
building derivations out of the specification clauses.
These dynamic assumptions often have a simple regular structure of repetitions
of *blocks* of related assumptions, with each block generally involving
one or several variables and their properties, that are added to the context
in a single backchaining step.
Reflecting on this regular structure can let us derive a number of structural
properties about the elements of the context.

The *two-level logic approach* (*2LLA*) to reasoning about
computational specifications, as implemented by the Abella theorem
prover, represents derivations of a *specification language* as
an inductive definition in a *reasoning logic*.
This approach has traditionally been formulated with the
specification and reasoning logics having the *same* type
system, and only the formulas being translated.
However, requiring identical type systems limits the approach in two
important ways: (1) every change in the specification language's
type system requires a corresponding change in that of the reasoning
logic, and (2) the same reasoning logic cannot be used with two
specification languages at once if they have incompatible type
systems.
In , we propose a technique based on
*adequate* encodings of the types and judgments of a typed
specification language in terms of a simply typed higher-order logic
program, which is then used for reasoning about the specification
language in the usual *2LLA*.
Moreover, a single specification logic implementation can be used as
a basis for a number of other specification languages just by varying
the encoding.
We illustrate our technique with an implementation of the LF
dependent type theory as a new specification language for Abella,
co-existing with its current simply typed higher-order hereditary
Harrop specification logic, without modifying the type system of its
reasoning logic.

Subexponential logic is a variant of linear logic with a family of
exponential connectives—called *subexponentials*—that are
indexed and arranged in a pre-order.
Each subexponential has or lacks associated structural properties of
weakening and contraction.
In , we show that classical
propositional multiplicative linear logic extended with one
unrestricted and two incomparable linear subexponentials can encode
the halting problem for two register Minsky machines, and is hence
undecidable.

Type isomorphisms are a pervasive notion of Theoretical Computer Science. In functional programming, two data types being isomorphic means that we can coerce data and programs back-and-forth between two specifications without loss of information. In Constructive Mathematics, two sets are of the same cardinality exactly when they are isomorphic as types. In the proof theory of intuitionistic logic, two formulas are strongly equivalent precisely when they are isomorphic as types.

However, the theory of simple types made from functions, products, and sums, is well understood only when we do not treat functions and sums at the same time. Fiore, Di Cosmo, and Balat , presented a “negative” results: the theory of those type isomorphisms is not finitely axiomatizable. To establish the result, they used the work around the Tarski High School Algebra Problem from Mathematical Logic.

We showed that the picture is not so dark by presenting a positive result: the theory is recursively axiomatizable and decidable. The proofs exploit further the deep theory around Tarski's Problem. This work was presented at the Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS) in Vienna, Austria .

The previous work on type isomorphisms showed a way to treat the problem of identity/canonicity of proofs for intuitionistic logic with disjunction, or, equivalently, the problem of the (non-)existence of a canonical eta-long normal form for lambda calculus with if-expressions, which is a long standing open question.

One can see this from the perspective of focusing sequent calculi. The asynchronous phase of proof search is an oriented application of type isomorphisms (by the formulas-as-types correspondence). As we already know that, in the absence of disjunction (sum types), a cut-free focused derivation is eta-long and unique (when the data provided by the synchronous phase is the same), what is necessary in order to handle disjunction is to propagate isomorphisms further than what usual sequent calculus allows. This is related in spirit to deep inference, but more conservative. An implementation of a canonical normalizer and a paper on the topic is under way.

We also intend to use the method to give a proof of focused cut-elimination for the sequent calculi LJF and LKF (at least, for the Sigma-2 fragment) extended with induction. A formal proof in Agda is under development.

Updating previous work, we showed that one can develop a
realizability interpretation for the

This is known to be possible, in principle, by a 1979 result of Schwichtenberg. However, up to day no method that avoids both bar recursion (Spector) and control operators (Krivine) has been known. In fact, we propose to treat control operators as a meta-mathematical technique, rather than to have them in the language of realizers as classical realizability does; we provide a formal proof in Agda that control operators can be completely normalized away from System T while preserving essential equations.

This result is part of a work in theorem proving, whose purpose is to
provide a theoretical basis for the handling of quantifiers in
presence of a theory for which we have specific decision
procedures. Inspired by the way first-order unifiers are generated and
propagated in automated reasoning techniques such as *tableaux*
methods, we sought to generalise these mechanisms to the presence of a
theory: We introduced a axiomatic notion of constraint system and a
sequent calculus introducing meta-variables and propagating
constraints. We then identified the axioms that should be satisfied
by the theory's decision procedure, in order for the sequent calculus
to be sound and complete. This provides the theoretical basis for the
development of Psyche 2.0. This result is submitted for publication.

This result is part of the effort to build meaningful semantics for classical proofs, here based on a polarisation of logical formulae: positive or negative.

First, we showed this at a level of abstraction where formulae are no longer made of syntax, yet we also extended the approach so that it could treat quantifiers.

Second, we connected this interpretation to realisability semantics, more precisely orthogonality models, where positive formulae are interpreted as sets of data, and negative formulae are interpreted as their orthogonal sets.

Our construction of orthogonality models for the focused systems LKF and LJF describe the pattern-matching process of cut-elimination in terms of orthogonality. This result has been proved in the Coq proof assistant and forms the second part of .

We have continued to develop our approach to Foundational Proof Certificates (FPCs). This framework allows defining proof evidence in a general fashion. Proofs in both intuitionistic and classical logics are definable in this framework. We originally have written two different kernels for checking these results but more recently we have found that we can exploit an encoding due to Chaudhuri that enables us to only implement the intuitionistic kernel and then simply encode the classical formulas so that they operator directly on the intuitionistic kernel. This encoding allows for a much more precise and simple means for encoding classical logic into intuitionistic logic than the more familiar double negation translations.

We have also started to develop the second phase of defining proof evidence that was proposed in the ProofCert proposal: the definition of proofs that require fixed points (induction / co-induction). We now have two different kernels being developed on top of the Bedwyr model checker that are checking (and in some cases, proving) theorems involving induction, reachability, and bisimulation.

The Matita theorem prover is an implementation of the Calculus of
Inductive Constructions that is meant to be more accessible (as an
implementation) than the Coq system. In an effort to make the Matita
kernel more accessible and more flexible, the implementers of that
system are experimenting with using a logic programming language
similar to *when*
declarations are needed. Such a

Title: ProofCert: Broad Spectrum Proof Certificates

Duration: January 2012 - December 2016

Type: IDEAS

Instrument: ERC Advanced Grant

Coordinator: Dale Miller

Abstract:
There is little hope that the world will know secure software if we
cannot make greater strides in the practice of formal methods:
hardware and software devices with errors are routinely turned against
their users. The ProofCert proposal aims at building a foundation
that will allow a broad spectrum of formal methods—ranging from
automatic model checkers to interactive theorem provers—to work
together to establish formal properties of computer systems. This
project starts with a wonderful gift to us from decades of work by
logicians and proof theorist: their efforts on logic and proof has
given us a *universally accepted* means of communicating proofs
between people and computer systems. Logic can be used to state
desirable security and correctness properties of software and hardware
systems and proofs are uncontroversial evidence that statements are,
in fact, true. The current state-of-the-art of formal methods
used in academics and industry shows, however, that the notion of logic
and proof is severely fractured: there is little or no communication
between any two such systems. Thus any efforts on computer system
correctness is needlessly repeated many time in the many different
systems: sometimes this work is even redone when a given prover is
upgraded. In ProofCert, we will build on the bedrock of decades of
research into logic and proof theory the notion of *proof
certificates*. Such certificates will allow for a complete
reshaping of the way that formal methods are employed.
Given the infrastructure and tools envisioned in this proposal, the
world of formal methods will become as dynamic and responsive as the
world of computer viruses and hackers has become.

Members of the team have applied for the following three international projects. All three are still pending, the final results are not currently know.

A generic ANR proposal for collaboration between several French sites and the University of Bologna.

A proposal to ANR and JCJC (Japan).

A proposal to the Ministry of Education, Singapore for collaboration with the Nanyang Technological University.

Chuck Liang (Professor from Hofstra University, NY, USA) visited for three weeks 26 May – 20 June 2014 and for another week starting 15 December.

Gopalan Nadathur (Professor from the University of Minnesota) visited 2 - 11 July.

Mary Southern (PhD candidate at the University of Minnesota, USA), May – Aug 2014

Internship supervised by K. Chaudhuri.

Yuting Wang (PhD candidate at the University of Minnesota, USA), May – Aug 2014

K. Chaudhuri and L. Straßburger co-chaired the 3rd International Workshop on Structures and Deduction (SD), which was associated with the Federated Logic Colloquium (FLoC) and part of the Vienna Summer of Logic (VSL 2014), Vienna, Austria.

D. Miller was a PC chair for the Joint Meeting of the 23rd EACSL Annual Conference on Computer Science Logic (CSL14) and the 29th ACM/IEEE Symposium on Logic in Computer Science (LICS14), 14-18 July, Vienna.

K. Chaudhuri was Publicity co-chair for CSL-LICS 2014.

K. Chaudhuri was on the Program Committees of:

30th International Conference on Logic Programming (ICLP)

4th ACM-SIGPLAN Conference on Certified Programs and Proofs (CPP)

9th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice (LFMTP)

3rd International Workshop on Linearity

D. Ilik was on the Program Committee of the 16th International Symposium on Principles and Practice of Declarative Programming (PPDP 2014), Canterbury, United Kingdom.

D. Miller was on the Program Committee of WoLLIC 2014: Workshop on Logic, Language, Information and Computation, Valparaiso Chile, 1-4 September.

L. Straßburger was the Program Committee of the 18th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS).

S. Graham-Lengrand was a reviewer for the following conferences:

International Joint Conference on Automated Reasoning (IJCAR 2014)

Conferences on Intelligent Computer Mathematics (CICM 2014).

L. Straßburger was reviewer for the following conferences:

7th International Joint Conference on Automated Reasoning (IJCAR 2014)

41st International Colloquium on Automata, Languages and Programming (ICALP 2014)

Joint meeting of the 23rd EACSL Annual Conference on Computer Science Logic and the 29th Annual ACM/IEEE Symposium on Logic in Computer Science (CSL-LICS 2014)

F. Lamarche was a reviewer for the following conferences:

Joint International Conferences, Rewriting Techniques and Applications, Typed Lambda Calculus and Applications (RTA - TLCA 2014)

18th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS).

D. Ilik was a reviewer for the following conferences:

16th International Symposium on Principles and Practice of Declarative Programming (PPDP 2014), Canterbury, United Kingdom

18th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2015)

20th Conference "Types for Proofs and Programs" (TYPES 2014)

24th European Symposium on Programming (ESOP 2015)

Joint International Conferences, Rewriting Techniques and Applications, Typed Lambda Calculus and Applications (RTA - TLCA 2014)

D. Miller was Editor-in-Chief of the ACM Transactions on Computational Logic.

S. Graham-Lengrand was guest editor for the special issue on computational logic in honour of Roy Dyckhoff, in the *Journal of Logic and Computation* (2014)

D. Miller is on the editorial board of the following
journals: *ACM Transactions on Computational Logic*,
*Journal of Automated Reasoning* (Springer),
*Theory and Practice of Logic Programming* (Cambridge University
Press), and *Journal of Applied Logic* (Elsevier).

S. Graham-Lengrand was a reviewer for the following journals:

Logic Journal of the IGPL (OUP)

Information and Computation (Elsevier)

Acta Informatica (Springer)

Theoretical Computer Science (Elsevier).

L. Straßburger was reviewer for the following journals:

Archive for Mathematical Logic (Springer)

ACM Transactions on Computational Logic (ACM-ToCL)

F. Lamarche was reviewer for the following journal:

Annals of Pure and Applied Logic (Elsevier).

D. Ilik was reviewer for the following journals:

Logic Journal of the IGPL (OUP)

Mathematical Reviews (MathSciNet)

Theoretical Computer Science (Elsevier)

Zentralblatt MATH

D. Miller was reviewer for the Studia Logica journal.

Licence: K. Chaudhuri, “*INF 321 : Les principes des langages de programmation*”, 40 hours eq. TD, L3, Ecole polytechnique, France

Licence: S. Graham-Lengrand, “*INF431: Algorithmique et programmation*”, 50 hours eq. TD, L3, Ecole Polytechnique, France.

Licence: S. Graham-Lengrand, “*INF412: Les bases de la programmation et de l'algorithmique*”, 32 hours eq. TD, L3, Ecole Polytechnique, France.

Master: S. Graham-Lengrand, “*INF551: Computer-aided reasoning*”, 36 hours eq. TD, M1, Ecole Polytechnique, France.

Master: S. Graham-Lengrand, “*Curry-howard correspondence for classical logic*”, 12 hours eq. TD, M2, Master Parisien de Recherche en Informatique, France.

Master: D. Miller, “*MPRI 2-1: Logique linéaire et paradigmes logiques du calcul*”, 12 hours, M2, Master Parisien de Recherche en Informatique, France.

PhD: Hernán Vanzetto, “*Automatisation des preuves et
synthèse des types pour la théorie des ensembles dans le contexte
de TLA ${}^{+}$*”, Université de Lorraine, 4 Dec 2014; supervised
by Stephan Merz (Inria Lorraine) and K. Chaudhuri

PhD in progress: Sonia Marin, 1 Nov 2014, supervised by L. Straßburger and D. Miller

PhD in progress: Roberto Blanco, Zakaria Chihani, and Quentin Heath, supervised by D. Miller

L. Straßburger was external reviewer and jury member for the PhD of Roman Krenický, University of Manchester, UK. Defence date: April 28, 2014.

S. Graham-Lengrand was a jury member for the PhD of Luis Pino Duque, École Polytechnique, France. Defence date: September 25, 2014.

D. Miller was a reporter for the following two PhD theses: Taus Brock-Nannestad (IT University of Copenhagen, 12 September 2014) and Thanos Tsouanas (ENS Lyon, 2 July 2014).