The team investigates applications of recent results in proof theory to the design of logical frameworks and automated theorem proving systems. It develops the Dedukti logical framework and the iProver modulo and Zenon modulo automated theorem proving systems.

*Deduction modulo* is a formulation of predicate logic
where deduction is performed modulo an equivalence relation defined on
propositions. A typical example is the equivalence relation relating
propositions differing only by a re-arrangement of brackets around
additions, relating, for instance, the propositions *purely computational*.

Deduction modulo was proposed at the end of the 20th century as a tool to simplify the completeness proof of equational resolution. Soon, it was noticed that this idea was also present in other areas of logic, such as Martin-Löf's type theory, where the equivalence relation is definitional equality, Prawitz' extended natural deduction, etc. More generally, Deduction modulo gives an account of the way reasoning and computation are articulated in a formal proof, a topic slightly neglected by logic, but of prime importance when proofs are computerized.

The early research on Deduction modulo focused on the design of general proof search methods—Resolution modulo, tableaux modulo, etc.—that could be applied to any theory formulated in Deduction modulo, to general proof normalization and cut elimination results, to the definitions of models taking the difference between reasoning and computation into account, and to the definition of specific theories—simple type theory, arithmetic, some versions of set theory, etc.—as purely computational theories.

A new turn with Deduction modulo was taken when the idea of reasoning modulo an
arbitrary equivalence relation was applied to typed

This led to the development of a general proof-checker based on the

A thesis, which is at the root of our research effort, and which was
already formulated in is that proof-checkers should be
theory independent. This is for instance expressed in the title of
our invited talk at Icalp 2012: *A theory independent Curry-De
Bruijn-Howard correspondence*. Such a theory independent
proof-checker is called a *Logical Framework*.

Using a single prover to check proofs coming from different provers naturally led us to investigate how these proofs could interact with one another. This issue is of prime importance because developments in proof systems are getting bigger and, unlike other communities in computer science, the proof-checking community has made little effort toward standardization and interoperability. In the longer term we believe that, for each proof, we should be able to identify the systems in which it can be expressed.

Deduction modulo was originally proposed to solve a problem in
automated theorem proving and some of the early work in this area
focused on the design of an automated theorem proving method called
*Resolution modulo*, but this method was so complex that it was
never implemented. This method was simplified in 2010
and it could then be implemented. This implementation, which builds on the
iProver effort, is called iProver modulo.

iProver modulo gave surprisingly good results, so that we now use it to search for proofs in many areas: in the theory of classes (also known as B set theory), on finite structures, etc. Similar ideas have also been implemented for the tableau method, in particular with several extensions of the Zenon automated theorem prover. More precisely, two extensions have been realized: the first one is called SuperZenon and is an extension to superdeduction (which is a variant of Deduction modulo), and the second one is called ZenonModulo, and is an extension to Deduction modulo. Both extensions have been extensively tested over first-order problems (of the TPTP library), and also provide good results in terms of number of proved problems. In particular, these tools perform well in set theory, so that SuperZenon has been successfully applied to verify B proof rules of Atelier B (work in collaboration with Siemens). Similarly, we plan to apply ZenonModulo in the framework of the BWare project to verify B proof obligations coming from the modeling of industrial applications.

More generally, we believe that proof-checking and automated theorem proving have a lot to learn from each other, because a proof is both a static linguistic object justifying the truth of a proposition and a dynamic process of proving this proposition.

The idea of Deduction modulo is that computation plays a major role in the foundations of mathematics. This led us to investigate the role played by computation in other sciences, in particular in physics. Some of this work can be seen as a continuation of Gandy's on the fact that the physical Church-Turing thesis is a consequence of three principles of physics, two well-known: the homogeneity of space and time, and the existence of a bound on the velocity of information, and one more speculative: the existence of a bound on the density of information.

This led us to develop physically oriented models of computation.

In parallel with this effort in logic and in the development of proof checkers and automated theorem proving systems, we have always been interested in using such tools. One of our favorite application domains is the safety of aerospace systems. Together with César Muñoz' team at NASA-Langley, we have proved the correctness of several geometric algorithms used in air traffic control.

This has led us sometimes to develop such algorithms ourselves, and sometimes to develop tools for automating these proofs.

Set theory appears to be an appropriate theory for automated theorem provers based on Deduction modulo, in particular the several extensions of Zenon (SuperZenon and ZenonModulo). Modeling techniques using set theory are therefore good candidates to assess these tools. This is what we have done with the B method, whose formalism relies on set theory. A collaboration with Siemens has been developed to automatically verify the B proof rules of Atelier B. From this work, presented in the doctoral dissertation of Mélanie Jacquel, the SuperZenon tool has been designed in order to be able to reason modulo the B set theory. As a sequel to this work, we contribute to the BWare project, whose aim is to provide a mechanized framework to support the automated verification of B proof obligations coming from the development of industrial applications. In this context, we have recently designed ZenonModulo (Pierre Halmagrand's PhD thesis, which started in October 2013) to deal with the B set theory. In this work, the idea is to manually transform the B set theory into a theory modulo and provide it to ZenonModulo in order to verify the proof obligations of the BWare project.

Termination is an important property to verify, especially in critical applications. Automated termination provers use more and more complex theoretical results and external tools (e.g. sophisticated SAT solvers) that make their results not fully trustable and very difficult to check. To overcome this problem, a language for termination certificates, called CPF, has been developed for several years now. Deducteam develops a formally certified tool, Rainbow, based on the Coq library CoLoR, that is able to automatically verify the correctness of such termination certificates.

Deducteam released a new version of Dedukti, more efficient, and with new features (e.g. higher-order patterns, confluence checking).

Deducteam develops several kinds of tools or libraries:

Proof checkers:

Dedukti: proof checker for the

Sukerujo: extension of Dedukti with syntactic constructions for records, strings, lists, etc.

Rainbow: CPF termination certificate verifier

Tools for translating into Dedukti's proof format proofs coming from various other provers:

Coqine translates Coq proofs

Focalide translates Focalize proofs

Holide translates OpenTheory proofs (HOL-Light, HOL4, ProofPower)

Krajono translates Matita proofs

Sigmaid translates ς-calculus

Automated theorem provers:

iProverModulo: theorem prover based on polarized resolution modulo

SuperZenon: extension of Zenon using superdeduction

ZenonArith: extension of Zenon using the simplex algorithm for arithmetic

ZenonModulo: extension of Zenon using deduction modulo and producing Dedukti proofs

Zipperposition: superposition prover featuring arithmetic and induction

HOT: automated termination prover for higher-order rewrite systems

Libraries or generation tools:

CoLoR: Coq library on rewriting theory and termination

Logtk: library for first-order automated reasoning

mSat: modular SAT/SMT solver with proof output

Moca: generator of construction functions for types with relations on constructors

In the following, we only detail software that received improvements in 2015.

In addition, Shuai Wang developed the ProofCloud prototype, a proof retrieval engine for verified higher order proofs. ProofCloud provides a fast proof searching service for mathematicians and computer scientists for the reuse of proofs and proof packages. Using ProofCloud, he conducted a statistical analysis of the OpenTheory repository.

Autotheo is a tool that transforms axiomatic theories into polarized rewriting systems, thus making them usable in iProver Modulo. It supports several strategies to orient the axioms, some of them being proved to be complete, in the sense that ordered polarized resolution modulo the resulting systems is refutationally complete, some others being merely heuristics. In practice, Autotheo takes a TPTP input file and produces an input file for iProver Modulo.

Contact: Guillaume Burel

URL: http://

In 2015, we extended Autotheo so that it prints a derivation of the transformation of the axioms into rewriting rules. This derivation is in TSTP format and includes the CNF conversions obtained from the prover E.

CoLoR is a Coq library on rewriting theory and termination. It provides many definitions and theorems on various mathematical structures (quasi-ordered sets, relations, ordered semi-rings, etc.), data structures (lists, vectors, matrices, polynomials, finite graphs), term structures (strings, first-order terms, lambda-terms, etc.), transformation techniques (dependency pairs, semantic labeling, etc.) and (non-)termination criteria (polynomial and matrix interpretations, recursive path ordering, computability closure, etc.).

Contact: Frédéric Blanqui

In 2015, CoLoR has been enriched and improved in various ways:

Its compilation time has been improved by about 20%.

The results on computability have been extended to

It has been enriched by a library on finite and infinite sets, and a proof of the infinite Ramsey's theorem.

CoLoR is now available on OPAM.

Coqine translates Coq proofs into Dedukti proofs.

Contact: Guillaume Burel

URL: http://

The addition of higher-order pattern matching in Dedukti allowed the encoding of universes.

Dedukti is a proof-checker for the

Dedukti's core is based on the standard algorithm for type-checking semi-full pure type systems and implements a state-of-the-art reduction machine inspired from Matita's and modified to deal with rewrite rules.

Dedukti's input language features term declarations and definitions (opaque or not) and rewrite rule definitions. A basic module system allows the user to organize his project in different files and compile them separately.

Contact: Olivier Hermant

The new version of Dedukti (v2.5) brings two major improvements.

First, the typing of rewrite rules has been completely reworked. It can now check a large class of rewrite rules, including rules whose left-hand sides are neither algebraic nor well-typed. Moreover, the typing context does not need to be given with the rewrite rule anymore, as it is inferred by Dedukti, which is more convenient for the user.

Second, Dedukti can now be interfaced with automatic confluence checkers in order to check that the rewrite system generated by the rewrite rules together with beta reduction is confluent. This verification is important as the soundness of the program relies on this hypothesis.

Focalide is an extension of the FoCaLize compiler which produces Dedukti files.

Contact: Raphaël Cauderlier

Focalide has been improved to support FoCaLiZe proofs found by Zenon using the Dedukti backend for Zenon. This backend has been improved by a simple typing mechanism in order to work with Focalide. Focalide has also been updated again to work with the latest version of FoCaLiZe.

Holide translates HOL proofs to Dedukti proofs, using the OpenTheory standard (common to HOL Light and HOL4).

Contact: Guillaume Burel

Shuai Wang fixed a number of problems, especially in the translation of type variables, allowing us to translate more libraries.

iProver Modulo is an extension of the automated theorem prover iProver originally developed by Konstantin Korovin at the University of Manchester. It implements ordered polarized resolution modulo, a refinement of the resolution method based on deduction modulo. It takes as input a proposition in predicate logic and a clausal rewriting system defining the theory in which the formula has to be proved. Normalization with respect to the term rewriting rules is performed very efficiently through translation into OCaml code, compilation and dynamic linking. Experiments have shown that ordered polarized resolution modulo dramatically improves proof search compared to using raw axioms. iProver Modulo is also able to produce proofs that can be checked by Dedukti, therefore improving confidence.

Contact: Guillaume Burel

URL: http://

In 2015, we improved its integration with Autotheo.

Krajono translates Matita proofs into Dedukti proofs.

Contact: Guillaume Burel

First working version able to translate the Matita library on arithmetics.

mSAT is a modular, proof-producing, SAT and SMT core based on Alt-Ergo Zero, written in OCaml. The solver accepts user-defined terms, formulas and theory, making it a good tool for experimenting. This tool produces resolution proofs as trees in which the leaves are user-defined proofs of lemmas.

Contact: Guillaume Bury

mSAT now provides a functor for generating a McSat solver, outputs a model or a proof, and provides a push/pop functionality.

Zenon Modulo is an extension of the automated theorem prover Zenon. Compared to Super Zenon, it can deal with rewrite rules both over propositions and terms. Like Super Zenon, Zenon Modulo is able to deal with any first-order theory by means of a similar heuristic.

Contact: Pierre Halmagrand

In 2015, we extended Zenon Modulo to polymorphism. Moreover, it can now take TPTP-TFF1 problems as input, and output Dedukti's proofs.

Guillaume Bury continued to improve an extension of Zenon with arithmetic.

Zipperposition is an implementation of the superposition method that relies on the library Logtk for basic logic data structures and algorithms. Zipperposition is designed as a testbed for extensions to superposition, and can currently deal with polymorphic typed logic, integer arithmetic and total orderings.

Contact: Simon Cruanes

In 2015, we extended Zipperposition to structural induction.

Another extension of CPO, to dependently typed terms, has been developed by Jean-Pierre Jouannaud and Jianqi Li.

Jean-Pierre Jouannaud and Albert Rubio showed
in how to modify recursive path orders
for higher-order terms which, like CPO, include

Gaëtan Gilbert and Olivier Hermant have introduced a constructive way to perform proof normalization through completeness proofs.

Frédéric Blanqui formalized Ramsey's proof of the (infinite) Ramsey's
theorem (see http://

Jean-Pierre Jouannaud, in collaboration with Jiaxiang Liu, has started a program in order to enable confluence proofs in

Gaëtan Gilbert, supervised by Arnaud Spiwack, wrote a prototype of a principle unification and type inference mechanism for Dedukti, based on a monadic API. This prototype separates with an abstraction barrier a unifier kernel which implements correct unification primitives from the unification algorithm and heuristics. The unification algorithm is written in a style which closely mirrors a pen-and-paper deduction rule presentation.

Éric Uzena, supervised by David Delahaye and Arnaud Spiwack, wrote a prototype of an extension of Dedukti with associative and commutative symbols and rewriting modulo associativity and commutativity of these symbols.

Ali Assaf, Guillaume Burel, Raphaël Cauderlier, David Delahaye, Gilles Dowek, Catherine Dubois, Frédéric Gilbert, Pierre Halmagrand, Olivier Hermant, and Ronan Saillard have written a synthetic paper on the Dedukti system and on the expression of theories in this system. This paper has been submitted for publication.

Ali Assaf proved that Cousineau and Dowek's embedding of functional pure type systems is conservative with respect to the original systems, using a new notion of reducibility called relative normalization. Together with Cousineau and Dowek's original result on the preservation of typing, this result justifies the use of the

Ali Assaf's translation of the calculus of inductive constructions to the

Ali Assaf and Guillaume Burel presented their translation of HOL to Dedukti at the PxTP 2015 workshop. This translation, which is based on the translation of pure type systems by Cousineau and Dowek, is implemented in the automated translation tool Holide.

Raphaël Cauderlier and Catherine Dubois' translation of object calculus and subtyping to Dedukti, which was presented at the TYPES conference in 2014, has been published in the post-proceedings of TYPES 2014.

Guillaume Burel, Gilles Dowek and Ying Jiang have introduced a general framework to prove the decidability of reachability and provability problems. This framework uses an analogy between the objects recognized by an automaton and cut-free proofs. Various aspects of this work have been published at FroCoS, LPAR, and another paper is in preparation.

Gilles Dowek's paper on the definition of the classical connectives and quantifiers has been published.

Arnaud Spiwack gave a predicative shallow embedding of a weak version of system

Arnaud Spiwack developed a topos-theoretic methodology to reason equationally on circuit languages. Results that hold for combinational circuits are lifted to sequential circuits thanks to a transfer principle. In particular, this approach simplifies reasoning about temporal gates more complex than the unit delay. These results aim at enriching the compiler of the Faust audio signal processing programming language, which features such complex temporal gates.

For the sake of reliability, the kernels of Interactive Theorem Provers (ITPs) are kept relatively small in general. On top of the kernel, additional symbols and inference rules are defined. Some dependency analysis of symbols of HOL Light indicates that the depth of dependency could be reduced by introducing a few more symbols to the kernel. Shuai Wang showed that extending the kernel of HOL Light is a successful attempt to reduce proof size and speed up proof-checking. More specifically, symbols and inference rules of universal quantification and implication were added to the kernel. This approach has been proved to give equivalent proof-checking results with the size of the proof files reduced to 24% on average and a speedup of 38% for proof-checking overall.

Pablo Arrighi and Gilles Dowek have studied the expression of mechanical motions in cellular automata. Part of this work has been published in TPNC and another paper is in preparation.

Arnaud Spiwack developed a variant of Turing machine where the tape is replaced by an unlabeled tree. The additional structure makes combining machines much easier, making it tractable to give explicit descriptions of rather complex machines. The cost model of these machines models that of purely functional programming languages, making it possible to compare mathematically the complexity of imperative algorithms and of purely functional algorithms.

We are coordinators of the ANR-NFSC contract Locali with the Chinese Academy of Sciences.

We are members of the ANR BWare, which started in September 2012 (David Delahaye is the national leader of this project). The aim of this project is to provide a mechanized framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method. The methodology used in this project consists in building a generic verification platform relying on different theorem provers, such as first-order provers and SMT solvers. We are in particular involved in the introduction of Deduction modulo in the first-order theorem provers of the project, i.e. Zenon and iProver, as well as in the backend for these provers with the use of Dedukti.

We are members of the ANR Tarmac on models of computation, coordinated by Pierre Valarcher.

Jim Lipton, professor at Wesleyan University (USA), visited Deducteam from 9 to 14 March 2015.

Gaëtan Gilbert did an internship with Arnaud Spiwack and Olivier Hermant.

Shuai Wang did an internship with Gilles Dowek.

Éric Uzena did an internship with Arnaud Spiwack and David Delahaye.

Olivier Hermant has been a visiting professor at Wesleyan University (USA) since September 2015.

Gilles Dowek was PC chair of TLCA-RTA.

Gilles Dowek was PC member of CADE, ICTAC and eMoocs.

Guillaume Burel was PC member of PxTP'15 and IWIL'15.

Frédéric Blanqui has reviewed papers for TYPES'14 post-proceedings and LICS'15.

Guillaume Burel has reviewed a paper for Tableaux'15.

Olivier Hermant has reviewed papers for Tableaux'15 and CADE-25, a project for ANR (second phase) and pre-projects for ANR (first phase).

Gilles Dowek is an editor of TCS.

Frédéric Blanqui reviewed a paper for TCS.

Guillaume Burel reviewed a paper for Formal Aspects of Computing.

Olivier Hermant reviewed a paper for TCS.

Gilles Dowek was invited to DCM and Tools for teaching logic.

Gilles Dowek has been a consultant for the Conseil Scientifique des Programmes.

Gilles Dowek is the President of the Scientific board of the Société Informatique de France.

Gilles Dowek is a member of the Commission de réflexion sur l'éthique de la recherche en sciences et technologies du numérique d'Allistène (CERNA).

Master: Pierre Halmagrand, Initiation à la Méthode B, 54 HETD, M2, CNAM.

License: Frédéric Gilbert, Les principes des langages de programmation, 40, L3, Ecole Polytechnique.

License: Raphaël Cauderlier, Introduction aux Bases de Données Relationnelles, 21, L2, UPMC.

License: Raphaël Cauderlier, Projet (Application) : Android, 42, L2, UPMC.

License: Raphaël Cauderlier, Eléments de programmation 1, 58, L1, UPMC.

Licence: Guillaume Burel, Programmation avancée, 25.5 HETD, L3, ENSIIE.

Licence: Guillaume Burel, Logique, 10.5 HETD, L3, ENSIIE.

Licence: Guillaume Burel, Projet informatique, 22.75 HETD, L3, ENSIIE.

Master: Guillaume Burel, Systèmes et langages formels, 8.75 HETD, M1, ENSIIE.

Master: Guillaume Burel, Compilation, 24.5 HETD, M1, ENSIIE.

Master: Guillaume Burel, Preuve, Analyse statique, Vérification run-time, 13 HETD, M2 CILS, Paris-Saclay.

Licence: Guillaume Burel is in charge of the 4th and 5th semesters of the engineering degree at ENSIIE, and was responsible for the final engineer internship until September, 2015.

Gilles Dowek has given a course at the MPRI.

Gilles Dowek has been teaching at ENS-Cachan.

Gilles Dowek has given various talks about teaching informatics in primary and secondary education.

Gilles Dowek has participated in several training sessions for high school teachers with La Main à la Pâte.

Licence: Olivier Hermant, Introduction to Programming in Python, 100 HETD, L1-L3, Wesleyan University, USA.

PhD: Simon Cruanes, Extending Superposition with Integer Arithmetic, Structural Induction, and Beyond, defended at École polytechnique on September the 10th, supervised by Guillaume Burel and Gilles Dowek.

PhD: Bruno Bernardo, An implicit Calculus of Constructions with dependent sums and decidable type inference, defended at École polytechnique on September the 18th, supervised by Bruno Barras and Gilles Dowek.

PhD: Ali Assaf, A framework for defining computational higher-order logics, defended at École polytechnique on September 28, 2015, supervised by Gilles Dowek and Guillaume Burel.

PhD: Kailiang Ji, Model Checking and Theorem Proving, defended at Paris Diderot on September 25, 2015, supervised by Gilles Dowek.

PhD: Ronan Saillard, Typechecking in the

PhD in progress: Guillaume Bury, Deduction Modulo Theory, started October 1st, 2015, supervised by David Delahaye and Gilles Dowek.

PhD in progress: Raphaël Cauderlier, Object-oriented mechanisms for interoperability of proof systems, started September 1st, 2013, supervised by Catherine Dubois.

Gilles Dowek is a member of the prix Le Monde de la Recherche Universitaire.

Gilles Dowek has given various popular science talks.

Gilles Dowek writes a monthly chronicle in Pour la Science.

Gilles Dowek is a member of the Scientific board of La Main à la Pâte.