The project-team investigates applications of proof theory to the design of logical frameworks, to interoperability between proof systems, and to the development of system-independent proof libraries.

To achieve these goals, we develop the logical framework Dedukti, in which several theories can be expressed; systems that translate proofs between external proof systems and Dedukti theories; tools to migrate proofs within Dedukti from one theory to another; tools to prove the confluence, the termination, and the consistency of theories expressed in Dedukti; and tools to develop proofs directly in Dedukti.

*Deduction modulo theory* is a formulation of predicate logic where deduction is performed modulo an equivalence relation defined on propositions. A typical example is the equivalence relation relating propositions differing only by a re-arrangement of brackets around additions, relating, for instance, the propositions

Deduction modulo theory was proposed at the end of the 20th century as a tool to simplify the completeness proof of equational resolution. Soon, it was noticed that this idea was also present in other areas of logic, such as Martin-Löf’s type theory, where the equivalence relation is definitional equality, Prawitz’ extended natural deduction, etc. More generally, Deduction modulo theory gives an account of the way reasoning and computation are articulated in a formal proof, a topic slightly neglected by logic but of prime importance when proofs are computerized.

The early research on Deduction modulo theory focused on the design of general proof search methods—Resolution modulo theory, tableaux modulo theory, etc.—that could be applied to any theory formulated in Deduction modulo theory, to general proof normalization and cut elimination results, to the definitions of models taking the difference between reasoning and computation into account, and to the definition of specific theories—simple type theory, arithmetic, some versions of set theory, etc.—as purely computational theories.
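The two paragraphs above describe reasoning modulo a congruence on propositions, with re-bracketing of additions as the running example. The following Python script is an added illustration, not code from the team or from Dedukti: it normalises every `+`-tree to a right-nested canonical form and treats two propositions as the same whenever their normal forms coincide, so that the axiom rule of deduction modulo fires when the conclusion matches a hypothesis only up to bracketing. The term representation (nested tuples) and the sample propositions are constructed for this example; only associativity is in the congruence, so commutativity is deliberately not identified.

```python
"""Deduction modulo a congruence: a toy normaliser for associativity of +.

Terms are nested tuples ('+', l, r) or leaf names (str); propositions are
('=', l, r).  This representation is an assumption of the example.
"""

from typing import List, Sequence, Tuple, Union

Term = Union[str, tuple]


def flatten_plus(t: Term) -> List[Term]:
    """Collect the summands of a +-tree left to right, forgetting the bracketing."""
    if isinstance(t, tuple) and t[0] == '+':
        return flatten_plus(t[1]) + flatten_plus(t[2])
    return [normalize(t)]


def normalize(t: Term) -> Term:
    """Canonical representative of the congruence class of t.

    Every +-tree is re-bracketed to the right, a + (b + (c + d)); other
    symbols are kept and their arguments normalised recursively.
    """
    if isinstance(t, tuple) and t[0] == '+':
        summands = flatten_plus(t)
        acc = summands[-1]
        for s in reversed(summands[:-1]):
            acc = ('+', s, acc)
        return acc
    if isinstance(t, tuple):
        return (t[0],) + tuple(normalize(a) for a in t[1:])
    return t


def congruent(p: Term, q: Term) -> bool:
    """p and q are identified by the congruence iff their normal forms agree."""
    return normalize(p) == normalize(q)


def axiom_modulo(hypotheses: Sequence[Term], conclusion: Term) -> bool:
    """Axiom rule of deduction modulo: Gamma |- P holds when some H in Gamma
    is congruent to P (in ordinary predicate logic H would have to be
    syntactically equal to P)."""
    return any(congruent(h, conclusion) for h in hypotheses)


# Constructed sample propositions: (a + b) + c = d versus a + (b + c) = d.
LEFT_BRACKETED = ('=', ('+', ('+', 'a', 'b'), 'c'), 'd')
RIGHT_BRACKETED = ('=', ('+', 'a', ('+', 'b', 'c')), 'd')
SWAPPED = ('=', ('+', 'b', 'a'), 'd')  # commutativity is NOT in the congruence


if __name__ == "__main__":
    print(normalize(LEFT_BRACKETED))
    print(congruent(LEFT_BRACKETED, RIGHT_BRACKETED))       # True
    print(congruent(('=', ('+', 'a', 'b'), 'd'), SWAPPED))  # False
    print(axiom_modulo([('=', 'x', 'y'), LEFT_BRACKETED], RIGHT_BRACKETED))
```

Normalising to a canonical form and comparing is exactly how a checker decides the side condition "modulo the congruence" without searching for a rewriting path between the two propositions.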

A new turn with Deduction modulo theory was taken when the idea of reasoning modulo an arbitrary equivalence relation was applied to typed λ-calculi with dependent types, which allow proofs to be expressed as algorithms, using the Brouwer-Heyting-Kolmogorov interpretation and the Curry-de Bruijn-Howard correspondence. It was shown in 2007 that extending the simplest λ-calculus with dependent types, the λΠ-calculus, with an equivalence relation (more precisely a congruence) led to a calculus, called the λΠ-calculus modulo theory, that can simulate many other λ-calculi, such as the Calculus of Constructions, designed to express proofs in specific theories.

This led to the development of a logical framework based on the λΠ-calculus modulo theory, which can be used to verify proofs coming from different proof systems, such as Coq, HOL, etc. To emphasize the versatility of this system, we called it Dedukti, “to deduce” in Esperanto. This system is currently developed together with companion systems, Coqine, Krajono, Holide, Focalide, and Zenonide, which translate proofs from Coq, HOL, Focalize, and Zenon to Dedukti. Other tools, such as Zenon Modulo, directly output proofs that can be checked by Dedukti. Dedukti proofs can also be exported to several other systems. All this is presented in.

A thesis, which is at the root of our research effort, and which was already formulated in, is that proof checkers should be theory independent. This is for instance expressed in the title of our invited talk at ICALP 2012: *A theory independent Curry-De Bruijn-Howard correspondence*. Such a theory independent proof checker is called a logical framework.

Part of our research effort is focused on improving the λΠ-calculus modulo theory, for instance to allow congruences to be defined with associative and commutative rewriting.

Another part of our research effort is focused on the automatic analysis of theories to prove their confluence, termination, and consistency automatically.

Using a single prover to check proofs coming from different provers naturally leads to investigating how these proofs can interact with one another. This issue is of prime importance because developments in proof systems are getting bigger and, unlike other communities in computer science, the proof checking community has made little effort in the direction of standardization and interoperability.

For each proof, independently of the system in which it has been developed, we should be able to identify the systems in which it can be expressed. For instance, we have shown that many proofs developed in the Matita prover did not use the full strength of the logic of Matita and could be exported, for instance, to the systems of the HOL family, which are based on a weaker logic.

Rather than importing proofs from one system, transforming them, and exporting them to another system, we can use the same tools to develop system-independent proof libraries. In such a library, each proof is labeled with the logics in which it can be expressed and so with the systems in which it can be used.

While our main goal with Dedukti is to import, transform, and export proofs developed in other systems, we also want, in some cases, to develop proofs interactively directly in Dedukti. This leads to the development of a tactic system, called Demon, on top of Dedukti.

In parallel with this effort in logic and in the development of proof checkers and automated theorem proving systems, we have always been interested in using such tools. One of our favorite application domains is the safety of aerospace systems. Together with César Muñoz' team at NASA Langley, we have proved the correctness of several geometric algorithms used in air traffic control.

This has led us sometimes to develop such algorithms ourselves, and sometimes to develop tools for automating these proofs.

Termination is an important property to verify, especially in critical applications. Automated termination provers use more and more complex theoretical results and external tools (e.g. sophisticated SAT solvers), which make their results not fully trustworthy and very difficult to check. To overcome this problem, a language for termination certificates, called CPF, has been developed. Deducteam develops a formally certified tool, Rainbow, based on the Coq library CoLoR, that is able to automatically verify the correctness of some of these termination certificates.
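The paragraph above separates the untrusted prover, which searches for a termination argument, from the trusted checker, which only has to verify the certificate it is handed. The Python script below is an added illustration of that check for one certificate kind named later in this report among CoLoR's criteria, linear polynomial interpretations; it is written for this page and is not Rainbow's code, which is certified in Coq and reads CPF XML. The term representation, the sample rewrite system (addition on Peano naturals) and the two certificates are constructed for the example. The check implements the standard sufficient condition for linear interpretations over the naturals: every argument coefficient is at least 1 (strict monotonicity) and, for each rule, the left-hand side dominates the right-hand side coefficient-wise with a strictly larger constant.

```python
"""Verifying a termination certificate: linear polynomial interpretations.

Terms are a variable name (str) or a tuple (symbol, arg1, ..., argn);
a constant is a 1-tuple such as ('0',).  This representation and the
sample data are assumptions of the example, not Rainbow's CPF format.
"""

from typing import Dict, List, Sequence, Tuple, Union

Term = Union[str, tuple]
Poly = Tuple[Dict[str, int], int]            # (coefficient per variable, constant)
Interp = Dict[str, Tuple[List[int], int]]    # symbol -> (argument coefficients, constant)
Rule = Tuple[Term, Term]


def eval_poly(t: Term, interp: Interp) -> Poly:
    """Interpret t as a linear polynomial over N by composing the symbol interpretations."""
    if isinstance(t, str):
        return ({t: 1}, 0)
    sym, *args = t
    coefs, const = interp[sym]
    if len(coefs) != len(args):
        raise ValueError(f"arity mismatch for symbol {sym}")
    result: Dict[str, int] = {}
    total = const
    for c, a in zip(coefs, args):
        acoefs, aconst = eval_poly(a, interp)
        total += c * aconst
        for v, k in acoefs.items():
            result[v] = result.get(v, 0) + c * k
    return (result, total)


def strictly_greater(p: Poly, q: Poly) -> bool:
    """Sufficient condition for p(x) > q(x) at every assignment in N:
    coefficient-wise p >= q and a strictly larger constant."""
    pc, pk = p
    qc, qk = q
    if any(pc.get(v, 0) < qc.get(v, 0) for v in set(pc) | set(qc)):
        return False
    return pk > qk


def check_certificate(rules: Sequence[Rule], interp: Interp) -> List[str]:
    """Return the list of problems found; an empty list means the certificate
    establishes termination of the rewrite system."""
    problems: List[str] = []
    for sym, (coefs, _) in interp.items():
        if any(c < 1 for c in coefs):
            problems.append(f"{sym}: argument coefficient below 1 breaks monotonicity")
    for lhs, rhs in rules:
        if not strictly_greater(eval_poly(lhs, interp), eval_poly(rhs, interp)):
            problems.append(f"rule {lhs} -> {rhs} is not strictly decreasing")
    return problems


# Constructed sample: plus(0, y) -> y ; plus(s(x), y) -> s(plus(x, y))
RULES: List[Rule] = [
    (('plus', ('0',), 'y'), 'y'),
    (('plus', ('s', 'x'), 'y'), ('s', ('plus', 'x', 'y'))),
]
# A valid certificate: [0] = 0, [s](x) = x + 1, [plus](x, y) = 2x + y + 1
GOOD_INTERP: Interp = {'0': ([], 0), 's': ([1], 1), 'plus': ([2, 1], 1)}
# A bogus certificate: [plus](x, y) = x + y gives no strict decrease
BAD_INTERP: Interp = {'0': ([], 0), 's': ([1], 1), 'plus': ([1, 1], 0)}


if __name__ == "__main__":
    print("good certificate:", check_certificate(RULES, GOOD_INTERP) or "accepted")
    print("bad certificate: ", check_certificate(RULES, BAD_INTERP))
```

The checker never searches for an interpretation; it only evaluates the one the prover supplied, which is why it can be kept small enough to be trusted or, as with Rainbow, proved correct in Coq.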

Keyword: Automated deduction

Scientific Description: Transformation of axiomatic theories into rewriting systems that can be used by iProverModulo.

Functional Description: Autotheo is a tool that transforms axiomatic theories into polarized rewriting systems, thus making them usable in iProverModulo. It supports several strategies to orient the axioms, some of them being proved to be complete, in the sense that ordered polarized resolution modulo the resulting systems is refutationally complete, some others being merely heuristics. In practice, Autotheo takes a TPTP input file and produces an input file for iProverModulo.

News Of The Year: Used by iProverModulo in its participation at the CASC-26 competition.

Participant: Guillaume Burel

Partner: ENSIIE

Contact: Guillaume Burel

Publication: Consistency Implies Cut Admissibility

URL: http://

*Coq Library on Rewriting and termination*

Keywords: Coq - Formalisation

Functional Description: CoLoR is a Coq library on rewriting theory and termination. It provides many definitions and theorems on various mathematical structures (quasi-ordered sets, relations, ordered semi-rings, etc.), data structures (lists, vectors, matrices, polynomials, finite graphs), term structures (strings, first-order terms, lambda-terms, etc.), transformation techniques (dependency pairs, semantic labeling, etc.) and (non-)termination criteria (polynomial and matrix interpretations, recursive path ordering, computability closure, etc.).

News Of The Year: 2017: Port to Coq 8.6 and 8.7.

Authors: Frédéric Blanqui and Sébastien Hinderer

Contact: Frédéric Blanqui

Publications: CoLoR: a Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates - Automated Verification of Termination Certificates - CoLoR: a Coq library on rewriting and termination

*Coq In dEdukti*

Keywords: Higher-order logic - Formal methods - Proof

Functional Description: CoqInE is a plugin for the Coq software translating Coq proofs into Dedukti terms. It provides a Dedukti signature file faithfully encoding the underlying theory of Coq (or a sufficiently large subset of it). Current development is mostly focused on implementing support for Coq universe polymorphism. The generated output is meant to be type-checkable using the latest version of Dedukti.

Contact: Guillaume Burel

URL: http://

Keyword: Logical Framework

Functional Description: Dedukti is a proof-checker for the LambdaPi-calculus modulo. As it can be parametrized by an arbitrary set of rewrite rules, defining an equivalence relation, this calculus can express many different theories. Dedukti has been created for this purpose: to allow the interoperability of different theories.

Dedukti's core is based on the standard algorithm for type-checking semi-full pure type systems and implements a state-of-the-art reduction machine inspired from Matita's and modified to deal with rewrite rules.

Dedukti's input language features term declarations and definitions (opaque or not) and rewrite rule definitions. A basic module system allows users to organize a project in different files and compile them separately.

Dedukti features matching modulo beta for a large class of patterns called Miller's patterns, allowing for more rewriting rules to be implemented in Dedukti.

Participants: François Thiré, Gaspard Ferey, Guillaume Genestier and Rodolphe Lepigre

Contact: François Thiré

Publications: Dedukti: un vérificateur de preuves universel - Rewriting Modulo

Keyword: Proof

Functional Description: Holide translates HOL proofs to Dedukti[OT] proofs, using the OpenTheory standard (common to HOL Light and HOL4), where Dedukti[OT] is the encoding of OpenTheory in Dedukti.

Contact: Guillaume Burel

*Higher-Order Termination*

Functional Description: HOT is an automated termination prover for higher-order rewriting, based on the notion of computability closure.

Contact: Frédéric Blanqui

Keywords: Automated deduction - Automated theorem proving

Scientific Description: Integration of ordered polarized resolution modulo theory into the prover iProver.

Functional Description: iProver Modulo is an extension of the automated theorem prover iProver originally developed by Konstantin Korovin at the University of Manchester. It implements ordered polarized resolution modulo theory, a refinement of the resolution method based on deduction modulo theory. It takes as input a proposition in predicate logic and a clausal rewriting system defining the theory in which the formula has to be proved. Normalization with respect to the term rewriting rules is performed very efficiently through translation into OCaml code, compilation and dynamic linking. Experiments have shown that ordered polarized resolution modulo dramatically improves proof search compared to using raw axioms.

News Of The Year: Participation at the automated-theorem-prover competition CASC-26. Integration of version 2.5 of iProver, adding support for types (TFF0).

Participant: Guillaume Burel

Partner: ENSIIE

Contact: Guillaume Burel

Publications: A Shallow Embedding of Resolution and Superposition Proofs into the λΠ-Calculus Modulo - Experimenting with deduction modulo

URL: http://

Keyword: Propositional logic

Functional Description: mSAT is a modular, proof-producing SAT and SMT core based on Alt-Ergo Zero, written in OCaml. The solver accepts user-defined terms, formulas and theory, making it a good tool for experimenting. It produces resolution proofs as trees in which the leaves are user-defined proofs of lemmas.

Contact: Guillaume Bury

Publication: mSAT: An OCaml SAT Solver

*Termination certificate verifier*

Keywords: Demonstration - Code generation - Verification

Functional Description: Rainbow is a set of tools for automatically verifying the correctness of termination certificates expressed in the CPF format used in the annual international competition of termination tools. It contains: a tool xsd2coq for generating Coq data types for representing XML files valid with respect to some XML Schema, a tool xsd2ml for generating OCaml data types and functions for parsing XML files valid with respect to some XML Schema, a tool for translating a CPF file into a Coq script, and a standalone Coq certified tool for verifying the correctness of a CPF file.

Author: Frédéric Blanqui

Contact: Frédéric Blanqui

Publications: Automated verification of termination certificates - Automated verification of termination certificates

Keyword: Proof

Functional Description: Krajono translates Matita proofs into Dedukti[CiC] (encoding of CiC in Dedukti) terms.

Contact: François Thiré

Keywords: Automated theorem proving - First-order logic - Propositional logic

Functional Description: Archsat is an automated theorem prover aimed at studying the integration of first-order theorem prover technologies, such as rewriting, into SMT solvers.

Contact: Guillaume Bury

G. Dowek has given a semantic criterion for the termination of the λΠ-calculus modulo theory. This result has been published in.

A. Assaf, G. Dowek, J.-P. Jouannaud and J. Liu have given a confluence criterion for untyped higher-order rewrite systems, and demonstrated some applications to the λΠ-calculus modulo theory.

G. Dowek has given an invited talk at PxTP where he presented the state of the art of the production of system-independent proof libraries. This paper has been published in the proceedings of PxTP.

During his internship, A. Defourné extended F. Blanqui's prototype of a proof assistant based on Dedukti by developing a tactic for calling external provers through Why3. He also started to study a simple rewriting tactic.

During his internship, R. Bocquet studied unification in the λΠ-calculus modulo rewriting, and started to implement a prototype.

During his internship, G. Genestier studied the possibility of using the Size-Change Principle to prove termination in the λΠ-calculus modulo rewriting. This work led to an adaptation of the criterion developed by Wahlstedt in his thesis to a calculus containing dependent types. He also implemented a prototype of a weak version of the criterion.

During the first three months of his postdoc, R. Lepigre proposed a new implementation of Dedukti, based on the Bindlib library for the representation of structures with binders. The libraries generated for Dedukti are compatible with this new implementation, and can be type-checked with minor modifications.

During the first months of his PhD, G. Férey adapted the higher-order pattern matching and convertibility checking algorithms to implement support for rewriting modulo associative-commutative (AC) symbols in Dedukti.

F. Thiré has finished implementing a translation of an arithmetic library from Matita to OpenTheory. This work can be decomposed into two steps: a first step goes from Matita to a new logic called STTforall, while a second step goes from STTforall to OpenTheory. This translation will be described in two separate papers. The first paper, which will be submitted to FSCD 2018, describes the logic STTforall and its translation to HOL, while the second paper explains the translation from Matita to STTforall. STTforall is a very simple logic, so it is easy to translate proofs from this logic to other proof assistants. For example, a translation from STTforall to Coq has also been implemented by F. Thiré. Two new tools have been implemented to make these translations:

Dkmeta is a tool that translates terms using the rewrite engine of Dedukti.

Ediloh is a tool that translates terms from STTforall into OpenTheory.

F. Gilbert developed a first prototype for the extraction of proofs from the proof assistant PVS that can be verified externally. The system PVS is based on the dichotomy between a *type-checker* and a *prover*. This proof extraction mechanism is built by instrumenting the PVS *prover*, but does not contain any typing information from the *type-checker* at this stage. Proofs can be built for any PVS theory. However, some reasoning steps rely on unverified assumptions. For a restricted fragment of PVS, the proofs are exported to Dedukti, and the unverified assumptions are proved externally using the automated theorem prover MetiTarski. This work has been published and presented in.

F. Blanqui revised his paper on “size-based termination of higher-order rewrite systems” submitted to the Journal of Functional Programming. This paper provides a general and modular criterion for the termination of the simply-typed λ-calculus extended with function symbols defined by user-defined rewrite rules. Following work of Hughes, Pareto and Sabry for functions defined with a fixpoint operator and pattern-matching, several criteria use typing rules for bounding the height of arguments in function calls. In this paper, we extend this approach to rewriting-based function definitions and more general user-defined notions of size.

G. Burel developed a general framework, focusing with selection, of which various logical systems are instances: ordinary focusing, refinements of resolution, deduction modulo theory, superdeduction and beyond. This strengthens the links between sequent calculi and resolution methods.

F. Gilbert developed a constructivization algorithm, taking as input the classical proof of some formula and generating as output, whenever possible, a constructive proof of the same formula. This result has been published and presented in.

G. Bury presented the mSAT library at the OCaml workshop during the International Conference on Functional Programming. This library provides an efficient SAT/SMT solver core written in OCaml, presented as a functor to allow instantiation with different theories.

R. Lepigre submitted a paper describing the

A. Díaz-Caro and G. Dowek have developed a type system for the λ-calculus that makes it possible to distinguish duplicable terms from non-duplicable ones. This work has been presented at Theory and Practice of Natural Computing.

This is an ANR project for junior researcher Liesbeth De Mol (CNRS, UMR 8163 STL, University Lille 3) in which G. Dowek participates. The subject is: “What is a program? Historical and Philosophical perspectives”. This project aims at developing the first coherent analysis and pluralistic understanding of “program” and its implications for theory and practice.

**FoQCoSS**

Title: Foundations of Quantum Computation: Syntax and Semantics

International Partners (Institution - Laboratory - Researcher):

Universidad Nacional de Quilmes (Argentina) - Alejandro Díaz-Caro

CNRS (France) - Simon Perdrix

Universidade Federal de Santa Maria (Brazil) - Juliana Kaizer Vizzotto

Duration: 2016 - 2017

Start year: 2016

The design of quantum programming languages involves the study of many characteristics of languages which can be seen as special cases of classical systems: parallelism, probabilistic systems, non-deterministic systems, type isomorphisms, etc. This project proposes to study some of these characteristics, which are involved in quantum programming languages but also have a more immediate utility in the study of today's systems. In addition, from a more foundational point of view, we are interested in the implications of computer science principles for quantum physics. For example, the consequences of the Church-Turing thesis for Bell-like experiments: if some of the parties in a Bell-like experiment use a computer to decide which measurements to make, then the computational resources of an eavesdropper have to be limited in order to have a proper observation of non-locality. The final aim is to open a new direction in the search for a framework unifying computer science and quantum physics.

A. Díaz-Caro (Universidad Nacional de Quilmes, Argentina) visited Deducteam for three weeks.

F. Thiré has visited the Computation and Logic Group at McGill University for three months.

G. Dowek has visited the University of Quilmes in Buenos Aires for two weeks.

G. Dowek has visited the Pontifical University at Rio for three weeks.

G. Burel was a member of the 12th International Workshop on the Implementation of Logics.

G. Burel, S. Martiel, and F. Gilbert reviewed submissions to the Logic In Computer Science conference.

G. Burel reviewed submissions to the Formal Structures for Computation and Deduction conference.

G. Burel reviewed articles for the Computer Journal and the Journal of Logic and Computation.

G. Burel gave an invited lecture at the 28th Journées Francophones des Langages Applicatifs, entitled “Exprimer ses théories en Dedukti, le vérificateur de preuves universel”.

G. Dowek is a member of the scientific council of La Société Informatique de France.

G. Dowek is a member of the scientific council of La Main à la Pâte.

G. Dowek is a member of the Commission de réflexion sur l’Éthique de la Recherche en sciences et technologies du Numérique d’Allistene.

F. Blanqui is co-director of the pole 4 (programming: models, algorithms, languages and architectures) of Paris-Saclay University's doctoral school on computer science.

F. Blanqui is the referent for LSV PhD students.

F. Blanqui gave a M1 course (16h) on rewriting theory in the MPRI at the ENS Paris-Saclay.

F. Blanqui gave a M1 course (21h) on language theory at the ENSIIE.

G. Dowek's paper *Rules and derivations in an elementary logic course* has been published in the IfCoLog Journal of Logics and their Applications.

F. Blanqui supervised the internships of A. Defourné and R. Bocquet.

F. Blanqui and O. Hermant supervised the internship of G. Genestier.

F. Blanqui and O. Hermant supervise the PhD of G. Genestier.

G. Dowek supervises the PhD of G. Férey and F. Gilbert.

G. Dowek and D. Delahaye supervise the PhD of G. Bury.

G. Dowek and S. Graham-Lengrand supervise the PhD of F. Thiré.

F. Blanqui was a member of the jury for the best scientific production of the year within Paris-Saclay University's doctoral school on computer science.

F. Blanqui was a member of the jury for the PhD of R. Lepigre on “Semantics and Implementation of an Extension of ML for Proving Programs”, Chambéry.