**Naoki Kobayashi James Worrell (Eds.)**

# **Foundations of Software Science and Computation Structures**

**27th International Conference, FoSSaCS 2024 Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2024 Luxembourg City, Luxembourg, April 6–11, 2024 Proceedings, Part II**

## Lecture Notes in Computer Science 14575

Founding Editors

Gerhard Goos, Germany
Juris Hartmanis, USA

## Editorial Board Members

Elisa Bertino, USA
Wen Gao, China
Bernhard Steffen, Germany
Moti Yung, USA

## Advanced Research in Computing and Software Science Subline of Lecture Notes in Computer Science

Subline Series Editors

Giorgio Ausiello, University of Rome 'La Sapienza', Italy
Vladimiro Sassone, University of Southampton, UK

Subline Advisory Board

Susanne Albers, TU Munich, Germany
Benjamin C. Pierce, University of Pennsylvania, USA
Bernhard Steffen, University of Dortmund, Germany
Deng Xiaotie, Peking University, Beijing, China
Jeannette M. Wing, Microsoft Research, Redmond, WA, USA

More information about this series at https://link.springer.com/bookseries/558

Naoki Kobayashi • James Worrell Editors

# Foundations of Software Science and Computation Structures

27th International Conference, FoSSaCS 2024 Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2024 Luxembourg City, Luxembourg, April 6–11, 2024 Proceedings, Part II

Editors

Naoki Kobayashi
The University of Tokyo
Tokyo, Japan

James Worrell
University of Oxford
Oxford, UK

ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-031-57230-2 ISBN 978-3-031-57231-9 (eBook)
https://doi.org/10.1007/978-3-031-57231-9

© The Editor(s) (if applicable) and The Author(s) 2024. This book is an open access publication.

Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Paper in this product is recyclable.

## ETAPS Foreword

Welcome to the 27th ETAPS! ETAPS 2024 took place in Luxembourg City, the beautiful capital of Luxembourg.

ETAPS 2024 is the 27th instance of the European Joint Conferences on Theory and Practice of Software. ETAPS is an annual federated conference established in 1998, and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each conference has its own Program Committee (PC) and its own Steering Committee (SC). The conferences cover various aspects of software systems, ranging from theoretical computer science to foundations of programming languages, analysis tools, and formal approaches to software engineering. Organising these conferences in a coherent, highly synchronized conference programme enables researchers to participate in an exciting event, having the possibility to meet many colleagues working in different directions in the field, and to easily attend talks of different conferences. On the weekend before the main conference, numerous satellite workshops took place that attracted many researchers from all over the globe.

ETAPS 2024 received 352 submissions in total, 117 of which were accepted, yielding an overall acceptance rate of 33%. I thank all the authors for their interest in ETAPS, all the reviewers for their reviewing efforts, the PC members for their contributions, and in particular the PC (co-)chairs for their hard work in running this entire intensive process. Last but not least, my congratulations to all authors of the accepted papers!

ETAPS 2024 featured the unifying invited speakers Sandrine Blazy (University of Rennes, France) and Lars Birkedal (Aarhus University, Denmark), and the invited speakers Ruzica Piskac (Yale University, USA) for TACAS and Jérôme Leroux (Laboratoire Bordelais de Recherche en Informatique, France) for FoSSaCS. Invited tutorials were provided by Tamar Sharon (Radboud University, the Netherlands) on computer ethics and David Monniaux (Verimag, France) on abstract interpretation.

As part of the programme we had the first ETAPS industry day. The goal of this day was to bring industrial practitioners into the heart of the research community and to catalyze the interaction between industry and academia. The day was organized by Nikolai Kosmatov (Thales Research and Technology, France) and Andrzej Wąsowski (IT University of Copenhagen, Denmark).

ETAPS 2024 was organized by the SnT - Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg. The University of Luxembourg was founded in 2003. The university is one of the best and most international young universities with 6,000 students from 130 countries and 1,500 academics from all over the globe. The local organisation team consisted of Peter Y.A. Ryan (general chair), Peter B. Roenne (organisation chair), Maxime Cordy and Renzo Gaston Degiovanni (workshop chairs), Magali Martin and Isana Nascimento (event managers), Marjan Skrobot (publicity chair), and Afonso Arriaga (local proceedings chair). This team also organised the online edition of ETAPS 2021, and now we are happy that they agreed to also organise a physical edition of ETAPS.

ETAPS 2024 is further supported by the following associations and societies: ETAPS e.V., EATCS (European Association for Theoretical Computer Science), EAPLS (European Association for Programming Languages and Systems), and EASST (European Association of Software Science and Technology).

The ETAPS Steering Committee consists of an Executive Board, and representatives of the individual ETAPS conferences, as well as representatives of EATCS, EAPLS, and EASST. The Executive Board consists of Marieke Huisman (Twente, chair), Andrzej Wąsowski (Copenhagen), Thomas Noll (Aachen), Jan Kofroň (Prague), Barbara König (Duisburg), Arnd Hartmanns (Twente), Caterina Urban (Inria), Jan Křetínský (Munich), Elizabeth Polgreen (Edinburgh), and Lenore Zuck (Chicago).

Other members of the steering committee are: Maurice ter Beek (Pisa), Dirk Beyer (Munich), Artur Boronat (Leicester), Luís Caires (Lisboa), Ana Cavalcanti (York), Ferruccio Damiani (Torino), Bernd Finkbeiner (Saarland), Gordon Fraser (Passau), Arie Gurfinkel (Waterloo), Reiner Hähnle (Darmstadt), Reiko Heckel (Leicester), Marijn Heule (Pittsburgh), Joost-Pieter Katoen (Aachen and Twente), Delia Kesner (Paris), Naoki Kobayashi (Tokyo), Fabrice Kordon (Paris), Laura Kovács (Vienna), Mark Lawford (Hamilton), Tiziana Margaria (Limerick), Claudio Menghi (Hamilton and Bergamo), Andrzej Murawski (Oxford), Laure Petrucci (Paris), Peter Y.A. Ryan (Luxembourg), Don Sannella (Edinburgh), Viktor Vafeiadis (Kaiserslautern), Stephanie Weirich (Pennsylvania), Anton Wijs (Eindhoven), and James Worrell (Oxford).

I would like to take this opportunity to thank all authors, keynote speakers, attendees, organizers of the satellite workshops, and Springer Nature for their support. ETAPS 2024 was also generously supported by a RESCOM grant from the Luxembourg National Research Foundation (project 18015543). I hope you all enjoyed ETAPS 2024.

Finally, a big thanks to both Peters, Magali and Isana and their local organization team for all their enormous efforts to make ETAPS a fantastic event.

April 2024

Marieke Huisman
ETAPS SC Chair
ETAPS e.V. President

## Preface

This volume contains the papers presented at the 27th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2024), which was held during April 8–11, 2024 in Luxembourg City, Luxembourg. The conference is dedicated to foundational research with a clear significance for software science and brings together research on theories and methods to support the analysis, integration, synthesis, transformation, and verification of programs and software systems.

In addition to an invited talk by Jérôme Leroux (Laboratoire Bordelais de Recherche en Informatique, France) on "Ackermannian Completion of Separators", the program consisted of 24 talks on contributed papers, selected from 79 submissions. Each submission was assessed by three or more Program Committee members, with the help of external reviewers. The conference management system EasyChair was used to handle the submissions, to conduct the electronic Program Committee discussions, and to assist with the assembly of the proceedings.

We wish to thank all the authors who submitted papers for consideration, the members of the Program Committee for their conscientious work, and all additional reviewers who assisted the Program Committee in the evaluation process. We would also like to thank Andrzej Murawski, the FoSSaCS Steering Committee Chair, for various pieces of advice, and the members of the ESOP/FASE/FoSSaCS joint Artifact Evaluation Committee for the artifact evaluation. Finally, we would like to thank the ETAPS organization for providing an excellent environment for FoSSaCS, the other conferences, and the workshops.

February 2024

Naoki Kobayashi
James Worrell

## Organization

## Program Committee Chairs

Naoki Kobayashi, The University of Tokyo, Japan
James Worrell, University of Oxford, UK
## Program Committee


## ESOP/FASE/FoSSaCS Joint Artifact Evaluation Committee

### AEC Co-chairs


#### AEC Members

Michael Schröder, TU Wien, Austria
Wenjia Ye, University of Hong Kong, China
Arwa Hameed Alsubhi, University of Glasgow, UK
Levente Bajczi, Budapest University of Technology and Economics, Hungary
James Baxter, University of York, UK
Matthew Alan Le Brun, University of Glasgow, UK
Laura Bussi, University of Pisa, Italy
Gustavo Carvalho, Universidade Federal de Pernambuco, Brazil
Chanhee Cho, Carnegie Mellon University, USA
Ryan Doenges, Northeastern University, USA
Zainab Fatmi, University of Oxford, UK
Luke Geeson, University College London, UK
Hans-Dieter Hiep, Leiden University, Netherlands
Philipp Joram, Tallinn University of Technology, Estonia
Ulf Kargén, Linköping University, Sweden
Hiroyuki Katsura, University of Tokyo, Japan
Calvin Santiago Lee, Reykjavík University, Iceland
Livia Lestingi, Politecnico di Milano, Italy
Nuno Macedo, University of Porto and INESC TEC, Portugal
Kristóf Marussy, Budapest University of Technology and Economics, Hungary
Ivan Nikitin, University of Glasgow, UK
Hugo Pacheco, University of Porto, Portugal
Lucas Sakizloglou, Brandenburgische Technische Universität Cottbus-Senftenberg, Germany
Michael Schwarz, TU Munich, Germany

## Additional Reviewers

Abraham, Erika Ajdarow, Michal An, Jie Asada, Kazuyuki Avanzini, Martin Balasubramanian, A. R. Barbosa, João Basold, Henning Batz, Kevin Beohar, Harsh Bertrand, Nathalie Beyersdorff, Olaf Bohn, León Bonelli, Eduardo Bonsangue, Marcello Breuvart, Flavien Bruyère, Véronique Carette, Titouan Chadha, Rohit Clemente, Lorenzo Cockett, Robin Czerwiński, Wojciech D'Osualdo, Emanuele Dagnino, Francesco De Moura, Flavio L. C. De, Abhishek Di Stasio, Antonio Espírito Santo, José Fahrenberg, Uli Feng, Yuan Fijalkow, Nathanaël Filiot, Emmanuel Fokkink, Wan Frumin, Daniil Galal, Zeinab Geatti, Luca Geuvers, Herman van Glabbeek, Rob van Gool, Sam Goy, Alexandre Guha, Shibashis Guttenberg, Roland Hague, Matthew

Hainry, Emmanuel Harper, Robert Hausmann, Daniel Hedges, Jules Hinrichsen, Jonas Kastberg Ho, Hsi-Ming Jaber, Guilhem Jafarrahmani, Farzad Jakl, Tomas Jancar, Petr Kanazawa, Makoto Kaposi, Ambrus Katsumata, Shin-Ya Kavvos, Alex Keiren, Jeroen J. A. Kelmendi, Edon Klaška, David Klock Ii, Felix S. Knight, Sophia Koutavas, Vasileios Krivine, Jean König, Barbara Laurent, Olivier Leroux, Jérôme Lhote, Nathan Li, Yong Long, Huan Lopez, Aliaume Loreti, Michele Maarand, Hendrik Madnani, Khushraj Mallik, Kaushik Martens, Jan Marti, Johannes Mascle, Corto Mazzocchi, Nicolas McDermott, Dylan Melliès, Paul-André Mery, Daniel Michaliszyn, Jakub Michielini, Vincent Miculan, Marino Moot, Richard

Morawska, Barbara Mulder, Ike Nguyễn, Lê Thành Dũng Novotný, Petr Paquet, Hugo Piedeleu, Robin Pinto, Luís Proença, José Pérez, Jorge A. Rehak, Vojtech Riba, Colin Rivas, Exequiel Rogalewicz, Adam Rot, Jurriaan Rowe, Reuben Sakayori, Ken Sarkis, Ralph Schmid, Todd Schmitz, Sylvain Schröder, Lutz Sin'ya, Ryoma

Skrzypczak, Michał Sobociński, Paweł Staton, Sam Stein, Dario Takagi, Tsubasa Tini, Simone Totzke, Patrick Urbat, Henning Valencia, Frank Vandenhove, Pierre Varacca, Daniele Veltri, Niccolò Ventura, Daniel Waga, Masaki Wagemaker, Jana Wan, Cheng-Syuan Weil-Kennedy, Chana Winskel, Glynn Witkowski, Piotr Wißmann, Thorsten Wolter, Frank

## Contents – Part II

#### Types and Programming Languages




## Contents – Part I

### Invited Talk


#### Automata and Synthesis




**Types and Programming Languages**

## **From Rewrite Rules to Axioms in the** *λΠ***-Calculus Modulo Theory**

Valentin Blot<sup>1</sup>, Gilles Dowek<sup>1</sup>, Thomas Traversié<sup>1,2(B)</sup>, and Théo Winterhalter<sup>1</sup>

<sup>1</sup> Université Paris-Saclay, Inria, ENS Paris-Saclay, CNRS, LMF, Gif-sur-Yvette, France
{valentin.blot,gilles.dowek,thomas.traversie,theo.winterhalter}@inria.fr
<sup>2</sup> Université Paris-Saclay, CentraleSupélec, MICS, Gif-sur-Yvette, France

**Abstract.** The *λΠ*-calculus modulo theory is an extension of simply typed *λ*-calculus with dependent types and user-defined rewrite rules. We show that it is possible to replace the rewrite rules of a theory of the *λΠ*-calculus modulo theory by equational axioms, when this theory features the notions of proposition and proof, while maintaining the same expressiveness. To do so, we introduce in the target theory a heterogeneous equality, and we build a translation that replaces each use of the conversion rule by the insertion of a transport. In the end, the theory with rewrite rules is a conservative extension of the theory with axioms.

**Keywords:** Rewrite rules · Equality · Logical Framework.

## **1 Introduction**

For Poincaré, the reasoning by which we deduce that 2 + 2 = 4 is not a meaningful proof, but a simple verification. He concludes that the goal of exact sciences is to "dispense with these direct verifications" [20]. Far from being solely a philosophical issue, this principle impacts the foundations of logical systems, and in particular the choice between *axioms* and *rewrite rules*. For instance, in systems with axioms *x* + succ *y* = succ (*x* + *y*) and *x* + 0 = *x*, we can *prove* that 2 + 2 = 4. On the other hand, in systems with rewrite rules *x* + succ *y* ↪ succ (*x* + *y*) and *x* + 0 ↪ *x*, we just need to prove 4 = 4, as we can *compute* that (2 + 2 = 4) ≡ (4 = 4). In that respect, logical systems with computation rules are convenient tools for making proofs. That is why rewrite rules have been added to systems such as Agda [5] or Coq [12], and why Dowek [9,10] developed Deduction modulo theory, an extension of first-order logic that mixes computation and proof. Since logical systems with rewrite rules are more user-friendly, one may ask whether or not the results are the same as in axiomatic logical systems.

Rewrite rules are at the core of the *λΠ*-calculus modulo theory, an extension of simply typed *λ*-calculus with dependent types and user-definable rewrite rules [6]. The combination of *β*-reduction and of the rewrite rules of a signature *Σ* forms the conversion ≡*βΣ*. If we know that *t* : *A* with conversion *A* ≡*βΣ* *B*, then we can derive that *t* : *B*. In this system, a theory is a set of rewrite rules, together with a set of axioms (that are typed constants). The *λΠ*-calculus modulo theory is a powerful logical framework in which many theories can be expressed, such as Predicate logic, Simple type theory or the Calculus of constructions [3]. It is the theory behind the Dedukti language [2,16] and the Lambdapi proof assistant.

In this paper, we choose to study the replacement of rewrite rules by axioms in the *λΠ*-calculus modulo theory. Since it is a logical framework, the result applies to many theories. Moreover, as Dedukti is geared towards the interoperability between proof systems, if we want to exchange proofs between a system with rewrite rules and a system without rewrite rules *via* Dedukti, we need to replace rewrite rules by axioms in the *λΠ*-calculus modulo theory. Working in this logical framework rather than in an extension of Martin-Löf type theory [17] is therefore relevant on both theoretical and practical levels, but complicates the task as the *λΠ*-calculus modulo theory does not feature identity types or an infinite hierarchy of sorts.

One method to replace rewrite rules by axioms is to mimic the behavior of the conversion rule using transports: if we have *t* : *A* and *A* ≡*βΣ* *B* with *p* an equality between *A* and *B*, then we can deduce that transp *p t* : *B*, but we do not directly have *t* : *B*. However trivial this seems, we face several challenges when trying to demonstrate it fully: the insertion of transports in terms and types is difficult due to the presence of dependent types, and the building of transports is involved as we cannot have inside the *λΠ*-calculus modulo theory an equality between types.
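In a system that does feature identity types, the transport idea above can be phrased in a few lines; the following Lean sketch is only an illustration (the names transp and transp_heq are ours, and the point of the paper is precisely that *λΠ/*≡ lacks such a built-in equality between types):

```lean
universe u

-- Transport: from t : A and an equality proof p : A = B we obtain
-- transp p t : B, but we do not directly obtain t : B.
def transp {A B : Sort u} (p : A = B) (t : A) : B :=
  Eq.mp p t

-- The transported term is heterogeneously equal to the original one
-- (heterogeneous equality in the style of McBride; here Lean's HEq).
theorem transp_heq {A B : Sort u} (p : A = B) (t : A) :
    HEq t (transp p t) := by
  cases p
  exact HEq.refl t
```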

A similar problem is the elimination of equality reflection from extensional systems. Equality reflection states that *ℓ* = *r* implies *ℓ* ≡ *r*, just like *ℓ* ↪ *r* implies *ℓ* ≡ *r* in systems with rewrite rules. In extensional systems, typing is eased by a more powerful conversion. Hofmann [14,15] investigated the problem categorically. Oury [19] developed a translation of proofs from an extensional version of the Calculus of Constructions to the Calculus of Inductive Constructions with equality axioms. Winterhalter, Sozeau and Tabareau [23,24] built upon this result to reduce the number of axioms needed.

The replacement of rewrite rules by axioms paves the way for the interpretation of a theory into another inside the *λΠ*-calculus modulo theory. Indeed, when interpreting a theory into another, we represent each constant of the source theory by a term in the target theory, but we cannot generally do the same for rewrite rules. We can however pre-process the source theory to replace its rewrite rules by axioms, and then interpret it. The interpretation of theories makes it possible to prove relative consistency and relative normalization theorems [8].

*Contribution.* The main contribution of this paper is the translation of a theory with rewrite rules to a theory with equational axioms. To do so, we restrict the theories considered to theories with an encoding of the notions of proposition and proof inside the *λΠ*-calculus modulo theory. So as to compare objects that possibly do not have the same type, we define a heterogeneous equality, following the one defined by McBride [18]. The restriction considered allows us to build an equality between particular types, called small types. We define a type system with typed conversion for the *λΠ*-calculus modulo theory, so that proofs can be carried out by induction on the derivation trees more easily.

*Outline of the paper.* In Section 2, we present the *λΠ*-calculus modulo theory, we detail a prelude encoding of the notions of proposition and proof in it, and we identify the assumptions made on the considered theories. The heterogeneous equality and the equality between small types are presented in Section 3. The replacement of rewrite rules by axioms and the translation of terms, judgments and theories are presented in Section 4.

## **2 Theories in the** *λΠ***-Calculus Modulo Theory**

In this section, we give a more detailed overview of the *λΠ*-calculus modulo theory [6] and its type system. In particular, we present an encoding of the notions of proposition and proof in the *λΠ*-calculus modulo theory [3]. We characterize small types, a subclass of types for which we can define an equality.

#### **2.1 The** *λΠ***-Calculus Modulo Theory**

The *λΠ*-calculus, also known as the Edinburgh Logical Framework [13], is an extension of simply typed *λ*-calculus with dependent types. The *λΠ*-calculus modulo theory (*λΠ/*≡) [6] is an extension of the *λΠ*-calculus, in which user-definable rewrite rules have been added [7]. Its syntax is given by:


$$\begin{array}{rcl}
t, u, A, B, C, D, \ell, r & ::= & c \mid x \mid \mathsf{TYPE} \mid \mathsf{KIND} \mid \Pi x : A.\ B \mid \lambda x : A.\ t \mid t\ u \\
\Sigma & ::= & \langle\rangle \mid \Sigma,\ c : D \mid \Sigma,\ \ell \hookrightarrow r \\
\Gamma & ::= & \langle\rangle \mid \Gamma,\ x : C
\end{array}$$

where *c* is a constant and *x* is a variable (ranging over disjoint sets), *C* and *r* are terms, *D* is a closed term (*i.e.* a term with no free variables) and *ℓ* is a term such that *ℓ* = *c t*<sup>1</sup> *. . . t<sup>k</sup>* with *c* a constant. TYPE and KIND are two sorts: terms of type TYPE are called types, and terms of type KIND are called kinds. *Πx* : *A. B* is a dependent product, *λx* : *A. t* is an abstraction and *t u* is an application. *Πx* : *A. B* is simply written *A* → *B* if *x* does not appear in *B*. Signatures and contexts are finite sequences, and are written ⟨⟩ when empty. Signatures contain both typed constants and rewrite rules (written *ℓ* ↪ *r*). *λΠ/*≡ is a logical framework, in which *Σ* is fixed by the user depending on the logic they are working in.

The relation ↪*βΣ* is generated by *β*-reduction and by the rules of *Σ*. More explicitly, ↪*βΣ* is the smallest relation, closed by context, such that if *t* rewrites to *u* for some rule in *Σ* or by *β*-reduction then *t* ↪*βΣ* *u*. Conversion ≡*βΣ* is the reflexive, symmetric, and transitive closure of ↪*βΣ*.

#### **2.2 The Type System of the** *λΠ***-Calculus Modulo Theory**

We introduce in Figs. 1 and 2 the typing rules of *λΠ/*≡. Fig. 1 presents the usual typing rules, while Fig. 2 focuses on the conversion rules. We write ⊢ Γ when the context Γ is well formed and Γ ⊢ t : A when t is of type A in the context Γ. ⟨⟩ ⊢ t : A is simply written ⊢ t : A. The notation (⊢ Γ₁) ≡ (⊢ Γ₂) means that Γ₁ and Γ₂ are both well formed, have the same length and have the same variables with convertible types. We write (Γ₁ ⊢ t₁ : A₁) ≡ (Γ₂ ⊢ t₂ : A₂) when t₁ and t₂ are convertible with Γ₁ ⊢ t₁ : A₁ and Γ₂ ⊢ t₂ : A₂. In particular, convertible terms t₁ ≡ t₂ are authorized to have different types, provided that both types are convertible, and to be typed in different contexts, provided that both contexts are convertible. In ConvRule, x is a vector representing the free variables of ℓ. The standard weakening rule and substitution lemma can be derived from this type system.

- [Empty] ⊢ ⟨⟩.
- [Decl] From ⊢ Γ and Γ ⊢ A : s, derive ⊢ Γ, x : A, provided x ∉ Γ.
- [Sort] From ⊢ Γ, derive Γ ⊢ TYPE : KIND.
- [Const] From ⊢ Γ and ⊢ A : s, derive Γ ⊢ c : A, provided c : A ∈ Σ.
- [Var] From ⊢ Γ, derive Γ ⊢ x : A, provided x : A ∈ Γ.
- [Prod] From Γ ⊢ A : TYPE and Γ, x : A ⊢ B : s, derive Γ ⊢ Πx : A. B : s.
- [Abs] From Γ ⊢ A : TYPE, Γ, x : A ⊢ B : s, and Γ, x : A ⊢ t : B, derive Γ ⊢ λx : A. t : Πx : A. B.
- [App] From Γ ⊢ t : Πx : A. B and Γ ⊢ u : A, derive Γ ⊢ t u : B[x ↦ u].
- [Conv] From Γ ⊢ t : A and (Γ ⊢ A : s) ≡ (Γ ⊢ B : s), derive Γ ⊢ t : B.

**Fig. 1.** Typing rules of the *λΠ*-calculus modulo theory

- [ConvRefl] From Γ ⊢ u : A, derive (Γ ⊢ u : A) ≡ (Γ ⊢ u : A).
- [ConvSym] From (Γ ⊢ u : A) ≡ (Γ ⊢ v : B), derive (Γ ⊢ v : B) ≡ (Γ ⊢ u : A).
- [ConvTrans] From (Γ ⊢ u : A) ≡ (Γ ⊢ v : B) and (Γ ⊢ v : B) ≡ (Γ ⊢ w : C), derive (Γ ⊢ u : A) ≡ (Γ ⊢ w : C).
- [ConvDecl] From (⊢ Γ₁) ≡ (⊢ Γ₂) and (Γ₁ ⊢ A₁ : s) ≡ (Γ₂ ⊢ A₂ : s), derive (⊢ Γ₁, x : A₁) ≡ (⊢ Γ₂, x : A₂), provided x ∉ Γ₁, Γ₂.
- [ConvConst] From (⊢ Γ₁) ≡ (⊢ Γ₂) and ⊢ A : s, derive (Γ₁ ⊢ c : A) ≡ (Γ₂ ⊢ c : A), provided c : A ∈ Σ.
- [ConvVar] From (⊢ Γ₁) ≡ (⊢ Γ₂), derive (Γ₁ ⊢ x : A₁) ≡ (Γ₂ ⊢ x : A₂), provided x : A₁ ∈ Γ₁ and x : A₂ ∈ Γ₂.
- [ConvProd] From (Γ₁ ⊢ A₁ : TYPE) ≡ (Γ₂ ⊢ A₂ : TYPE) and (Γ₁, x : A₁ ⊢ B₁ : s) ≡ (Γ₂, x : A₂ ⊢ B₂ : s), derive (Γ₁ ⊢ Πx : A₁. B₁ : s) ≡ (Γ₂ ⊢ Πx : A₂. B₂ : s).
- [ConvAbs] From (Γ₁ ⊢ A₁ : TYPE) ≡ (Γ₂ ⊢ A₂ : TYPE), (Γ₁, x : A₁ ⊢ B₁ : s) ≡ (Γ₂, x : A₂ ⊢ B₂ : s), and (Γ₁, x : A₁ ⊢ t₁ : B₁) ≡ (Γ₂, x : A₂ ⊢ t₂ : B₂), derive (Γ₁ ⊢ λx : A₁. t₁ : Πx : A₁. B₁) ≡ (Γ₂ ⊢ λx : A₂. t₂ : Πx : A₂. B₂).
- [ConvApp] From (Γ₁ ⊢ t₁ : Πx : A₁. B₁) ≡ (Γ₂ ⊢ t₂ : Πx : A₂. B₂) and (Γ₁ ⊢ u₁ : A₁) ≡ (Γ₂ ⊢ u₂ : A₂), derive (Γ₁ ⊢ t₁ u₁ : B₁[x ↦ u₁]) ≡ (Γ₂ ⊢ t₂ u₂ : B₂[x ↦ u₂]).
- [ConvBeta] From Γ ⊢ A : TYPE, Γ, x : A ⊢ t : B, Γ, x : A ⊢ B : s, and Γ ⊢ u : A, derive (Γ ⊢ (λx : A. t) u : B[x ↦ u]) ≡ (Γ ⊢ t[x ↦ u] : B[x ↦ u]).
- [ConvRule] From x : B ⊢ ℓ : A, x : B ⊢ r : A, and Γ ⊢ t : B, derive (Γ ⊢ ℓ[x ↦ t] : A[x ↦ t]) ≡ (Γ ⊢ r[x ↦ t] : A[x ↦ t]), provided ℓ ↪ r ∈ Σ.
- [ConvConv] From Γ ⊢ u : A and (Γ ⊢ A : s) ≡ (Γ ⊢ B : s), derive (Γ ⊢ u : A) ≡ (Γ ⊢ u : B).

**Fig. 2.** Convertibility rules of the *λΠ*-calculus modulo theory

#### **Lemma 1 (Substitution).**

**–** *If we have* (Γ₁, x : A₁, Δ₁ ⊢ t₁ : B₁) ≡ (Γ₂, x : A₂, Δ₂ ⊢ t₂ : B₂) *and* Γ₁ ⊢ u : A₁, *then* (Γ₁, Δ₁[x ↦ u] ⊢ t₁[x ↦ u] : B₁[x ↦ u]) ≡ (Γ₂, Δ₂[x ↦ u] ⊢ t₂[x ↦ u] : B₂[x ↦ u]).

*Proof.* We proceed by induction on the typing derivation.

We chose to present a type system with *typed* conversion (written ≡), so as to do proofs on the derivations more easily, while the usual type system for *λΠ/*≡ features *untyped* conversion (written ≡*βΣ*). The equivalence between type systems with typed conversion and type systems with untyped conversion has been a longstanding question: Geuvers and Werner [11] investigated the case of Pure Type Systems with *βη*-convertibility, Adams [1] proved the equivalence in the case of functional Pure Type Systems, and Siles [21,22] later proved the equivalence in the general case of Pure Type Systems. The case of *λΠ/*≡, in which we have *β*-convertibility but also user-defined rewrite rules, remains to be investigated.

We write |*Σ*| for the set of constants of *Σ*, and *Λ*(*Σ*) for the set of terms *t* whose constants belong to |*Σ*|. We say that T = *Σ* is a theory when, for each rule *ℓ* ↪ *r* ∈ *Σ*, both *ℓ* and *r* are in *Λ*(*Σ*); when ↪*βΣ* is confluent on *Λ*(*Σ*); and when every rule of *Σ* preserves typing in *Σ* (that is, for every context *Γ* and every term *A* ∈ *Λ*(*Σ*), if *Γ* ⊢ *ℓ* : *A* then *Γ* ⊢ *r* : *A*).

*Example 1 (Natural numbers and lists).* We can define in *λΠ/*≡ a partial theory of natural numbers and indexed lists of natural numbers. nat represents the type of natural numbers and list represents the dependent type of indexed lists of natural numbers. cons adds a new element to a list, concat concatenates two lists, and isRev checks if the first given list is the reverse of the second.

nat : TYPE
0 : nat
succ : nat → nat
+ : nat → nat → nat
x + 0 ↪ x
x + succ y ↪ succ (x + y)
list : nat → TYPE
nil : list 0
cons : Πx : nat. list x → nat → list (succ x)
isRev : Πx : nat. list x → list x → TYPE
concat : Πx, y : nat. list x → list y → list (x + y)

In the context *ℓ* : list (succ 0), we have concat (succ 0) 0 *ℓ* nil of type list (succ 0 + 0). If we want to compare *ℓ* and this new list with isRev, we cannot directly do it because they do not have the same type. However, we can use the conversion rule with list (succ 0 + 0) ≡*βΣ* list (succ 0). This conversion derives from the rewrite rule *x* + 0 ↪ *x* instantiated with *x* := succ 0.
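The computation underlying this example can be sketched concretely. The following Python fragment (an illustration, not part of the paper) uses a hypothetical encoding of terms as nested tuples and decides conversion by comparing normal forms, which is legitimate here because the two rules for + are confluent and terminating:

```python
# Hypothetical first-order encoding of the nat fragment of Example 1:
# 'zero', ('succ', t), ('plus', t, u), ('list', n).

def step(t):
    """One head step of  x + 0 -> x  or  x + succ y -> succ (x + y);
    None if no rule applies at the head."""
    if isinstance(t, tuple) and t[0] == 'plus':
        x, y = t[1], t[2]
        if y == 'zero':
            return x
        if isinstance(y, tuple) and y[0] == 'succ':
            return ('succ', ('plus', x, y[1]))
    return None

def normalize(t):
    """Rewrite under context (innermost) until no rule applies."""
    if isinstance(t, tuple):
        t = (t[0],) + tuple(normalize(a) for a in t[1:])
    s = step(t)
    return normalize(s) if s is not None else t

def convertible(t, u):
    """Two terms are convertible iff their normal forms coincide."""
    return normalize(t) == normalize(u)

def num(n):
    return 'zero' if n == 0 else ('succ', num(n - 1))

# The proposition 2 + 2 = 4 computes to 4 = 4 ...
assert convertible(('plus', num(2), num(2)), num(4))
# ... and the type list (succ 0 + 0) converts to list (succ 0).
assert convertible(('list', ('plus', num(1), 'zero')), ('list', num(1)))
```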

#### **2.3 A Prelude Encoding for the** *λΠ***-Calculus Modulo Theory**

It is possible to introduce in *λΠ/*≡ the notions of proposition and proof [3]. In particular, this encoding, called the prelude encoding, gives the possibility to quantify over certain propositions through codes, which is not possible inside the standard *λΠ/*≡. This encoding is defined by the following signature.

**Definition 1.** *The signature Σpre contains the following constants and rewrite rules:*

$$\begin{array}{ll}
Set : \mathsf{TYPE} & o : Set \\
El : Set \to \mathsf{TYPE} & Prf : El\ o \to \mathsf{TYPE} \\
\leadsto_d \,:\, \Pi x : Set.\ (El\ x \to Set) \to Set & \Rightarrow_d \,:\, \Pi x : El\ o.\ (Prf\ x \to El\ o) \to El\ o \\
\pi : \Pi x : El\ o.\ (Prf\ x \to Set) \to Set & \forall : \Pi x : Set.\ (El\ x \to El\ o) \to El\ o
\end{array}$$

$$\begin{array}{ll}
El\ (x \leadsto_d y) \hookrightarrow \Pi z : El\ x.\ El\ (y\ z) & Prf\ (x \Rightarrow_d y) \hookrightarrow \Pi z : Prf\ x.\ Prf\ (y\ z) \\
El\ (\pi\ x\ y) \hookrightarrow \Pi z : Prf\ x.\ El\ (y\ z) & Prf\ (\forall\ x\ y) \hookrightarrow \Pi z : El\ x.\ Prf\ (y\ z)
\end{array}$$

We declare the constant *Set*, which represents the universe of types, along with the injection *El* that maps terms of type *Set* into TYPE. *o* is a term of type *Set* such that *El o* defines the universe of propositions. The injection *Prf* maps propositions into TYPE. ⇝*<sup>d</sup>* (respectively ⇒*<sup>d</sup>*) is written infix and is used to represent dependent function types between terms of type *Set* (respectively *El o*). The symbol *π* (respectively ∀) is used to represent dependent function types between elements of type *El o* and *Set* (respectively *Set* and *El o*).

The main advantage of this encoding is that it allows us to quantify on propositions. Indeed, in *λΠ/*≡, we cannot quantify on TYPE. Instead, we can quantify on objects of type *El o*, and then inject them into TYPE using *Prf* .

#### **2.4 Small Types and Small Derivations**

As we work in *λΠ/*≡ rather than in an extension of Martin-Löf type theory, we do not have a pre-defined equality. Moreover, we cannot define an equality between types since such an object would have type TYPE → TYPE → TYPE, which is not allowed in *λΠ/*≡.

If we want to compare types *Prf a* and *Prf b*, we cannot do it directly, but we can compare *a* and *b* (that are of type *El o*). We can proceed similarly to compare types *El a* and *El b* (with *a* and *b* of type *Set*). In that respect, we want types to be in a special form, called small type, that takes advantage of the prelude encoding, so as to compare them if necessary. To put types of the prelude encoding into this special form, we use the reverse of the rewrite rules of *Σpre* to represent dependent types with the symbols ⇝*<sup>d</sup>*, ⇒*<sup>d</sup>*, *π* and ∀ whenever it is possible. This is achieved by the partial function *ν*, defined by:

$$\nu(Set) = Set \qquad \qquad \nu(Prf \ a) = Prf \ a \qquad \qquad \nu(El \ a) = El \ a$$

$$
\nu(\Pi x : A. \; B) = \begin{cases}
Prf \; (a \Rightarrow_{d} (\lambda x : Prf \; a. \; b)) & \text{if } \nu(A) = Prf \; a \text{ and } \nu(B) = Prf \; b \\
El \; (a \leadsto_{d} (\lambda x : El \; a. \; b)) & \text{if } \nu(A) = El \; a \text{ and } \nu(B) = El \; b \\
Prf \; (\forall \; a \; (\lambda x : El \; a. \; b)) & \text{if } \nu(A) = El \; a \text{ and } \nu(B) = Prf \; b \\
El \; (\pi \; a \; (\lambda x : Prf \; a. \; b)) & \text{if } \nu(A) = Prf \; a \text{ and } \nu(B) = El \; b \\
\Pi x : \nu(A). \; \nu(B) & \text{otherwise}
\end{cases}
$$

Therefore, when *ν*(*A*) is defined, we have *A* ≡*βΣpre ν*(*A*). Note that *ν* is partial because we do not handle the case where a type is a *β*-reducible expression, as in practice we will not have types in *λ*-abstraction form.
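The definition of *ν* above can be sketched as a small Python function (our own illustration, with hypothetical tuple constructors) that folds *Π*-types back into the type-formers of *Σpre*:

```python
# Sketch of the partial function nu. Types are 'Set', ('El', a), ('Prf', a)
# or ('Pi', x, A, B); small forms reuse ('lam', x, A, b) for the
# lambda-abstractions introduced by the Sigma_pre type-formers.

def nu(t):
    if t == 'Set' or t[0] in ('El', 'Prf'):
        return t
    if t[0] == 'Pi':
        _, x, A, B = t
        a, b = nu(A), nu(B)
        if a[0] == 'Prf' and b[0] == 'Prf':
            return ('Prf', ('imp_d', a[1], ('lam', x, a, b[1])))
        if a[0] == 'El' and b[0] == 'El':
            return ('El', ('arrow_d', a[1], ('lam', x, a, b[1])))
        if a[0] == 'El' and b[0] == 'Prf':
            return ('Prf', ('forall', a[1], ('lam', x, a, b[1])))
        if a[0] == 'Prf' and b[0] == 'El':
            return ('El', ('pi', a[1], ('lam', x, a, b[1])))
        return ('Pi', x, a, b)                  # "otherwise" case
    return None                                 # beta-redexes: nu is partial

# Pi x : Prf a. Prf b  |->  Prf (a =>_d (lam x : Prf a. b))
assert nu(('Pi', 'x', ('Prf', 'a'), ('Prf', 'b'))) == \
       ('Prf', ('imp_d', 'a', ('lam', 'x', ('Prf', 'a'), 'b')))
```

Returning `None` on any other head models the partiality of *ν* on *β*-redexes.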

10 V. Blot et al.

To further characterize a particular form of types, we define the three following grammars:

$$\mathcal{S} ::= Set \mid \mathcal{S} \to \mathcal{S} \qquad\qquad \mathcal{P} ::= Prf \; a \mid \mathcal{P} \to \mathcal{S} \mid \Pi z : \mathcal{S} . \; \mathcal{P}$$

$$\mathcal{E} ::= El \ b \mid \mathcal{E} \to \mathcal{S} \mid \Pi z : \mathcal{S} . \mathcal{E}$$

with *a* : *El o* and *b* : *Set*. The notation *A* ∈ S means that *A* is generated by the grammar S. The grammar S generates types that only contain *Set*. Therefore, if *ν*(*A*) ∈ S then *ν*(*A*) = *A*. The grammars P and E generate types that contain a central symbol *Prf* or *El*.
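Membership in the three grammars is decidable by a direct structural recursion. The following sketch (our own toy representation: `'Set'`, `('Prf', a)`, `('El', b)`, non-dependent arrows `('arrow', A, B)` and products `('Pi', z, A, B)`) mirrors the three grammars:

```python
# Membership tests for the grammars S, P and E over a toy representation.

def in_S(t):
    return t == 'Set' or (t[0] == 'arrow' and in_S(t[1]) and in_S(t[2]))

def in_P(t):
    return (t[0] == 'Prf'
            or (t[0] == 'arrow' and in_P(t[1]) and in_S(t[2]))    # P -> S
            or (t[0] == 'Pi' and in_S(t[2]) and in_P(t[3])))      # Pi z : S. P

def in_E(t):
    return (t[0] == 'El'
            or (t[0] == 'arrow' and in_E(t[1]) and in_S(t[2]))    # E -> S
            or (t[0] == 'Pi' and in_S(t[2]) and in_E(t[3])))      # Pi z : S. E

def small_form(t):
    return in_S(t) or in_P(t) or in_E(t)

assert in_S(('arrow', 'Set', 'Set'))
assert in_P(('Pi', 'x', 'Set', ('Prf', 'a')))            # Pi x : Set. Prf a
assert not small_form(('arrow', ('Prf', 'a'),            # Prf a -> Set -> Prf b
                       ('arrow', 'Set', ('Prf', 'b'))))
```

The last assertion reproduces the non-example of Example 2: *Prf a* → *Set* → *Prf b* is generated by none of the three grammars.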

**Definition 2 (Small type, Small context).** *A type A is small when ν*(*A*) *is defined and ν*(*A*) ∈ S ∪ P ∪ E*. In that case, ν*(*A*) *is called the small form of A. A context Γ is small when for every x* : *A* ∈ *Γ we have that A is a small type.*

*Example 2. Prf a* → *Prf b*, with *a, b* : *El o*, is a small type since its small form *Prf* (*a*⇒*d*(*λz. b*)) is generated by the grammar P. The type *Πx* : *Prf b. El c*, with *c* : *Set* depending on *x*, is a small type since its small form *El* (*π b* (*λx* : *Prf b. c*)) is generated by the grammar E. The type *Prf a* → *Set* → *Prf b* is not small, since *ν*(*Prf a* → *Set* → *Prf b*) = *Prf a* → *Set* → *Prf b* ∉ S ∪ P ∪ E.

We would ideally like all types to be small, so that we can compare them if necessary. Therefore, if *Γ* ⊢ *t* : *A*, we want *A* to be a small type, or *t* to be a small type and *A* = TYPE. However, small types are built using the constants of *Σpre*. In particular, the types of the constants *o*, ⇝*d*, ⇒*<sup>d</sup>* and ∀ are small, but the types of *π*, *Prf* and *El* are not. Note that the type of an application of *π*, *Prf* or *El* is small. We thus come up with the following notion.

**Definition 3 (Small judgment).** ⊢ *Γ is a small judgment when Γ is a small context. Γ* ⊢ *t* : *A is a small judgment when Γ is a small context and when either A is a small type, or t is a small type and A* = TYPE*.*


(*Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *A*1) ≡ (*Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *A*2) *is a small judgment when Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *A*<sup>1</sup> *and Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *A*<sup>2</sup> *are small.*

**Definition 4 (Small derivation).** *A small derivation is a derivation in which all the judgments are small.*

### **2.5 Theories with Prelude Encoding**

We define the theories we will consider in the rest of the paper: theories that feature the prelude encoding inside *λΠ/*≡.

**Definition 5 (Theory with prelude encoding).** *We say that a theory* T = *Σ in λΠ/*≡ *is a theory with prelude encoding when:*

**–** *Σ* = *Σpre* ∪ *Σ*<sup>T</sup> *for some signature Σ*<sup>T</sup>*,*

**–** *the type of every constant of Σ*<sup>T</sup> *is small,*

**–** *for every rewrite rule ℓ* ↪ *r of Σ*<sup>T</sup>*, ℓ does not have* TYPE *in its type.*

A theory with prelude encoding is a theory with the constants and rewrite rules of *Σpre*, together with additional user-defined constants and rewrite rules. To ensure that *Σ*<sup>T</sup> is encoded *inside* the prelude encoding, we can only define new constants whose types are small. We do not allow rewrite rules *ℓ* ↪ *r* when *ℓ* has TYPE in its type. In particular, we cannot define new rewrite rules on *Prf* or *El* and change the behavior of these constants. It follows that the three grammars S, P and E generate disjoint types.

In the following examples, we present three theories with prelude encoding in *λΠ/*≡. The examples of predicate logic and set theory illustrate that the restrictions considered are generally respected, even for expressive theories.

*Example 3 (Predicate logic).* Predicate logic can be encoded in a theory with prelude encoding. We declare constants for tautology and contradiction ⊤*,* ⊥ : *El o*, for negation ¬ : *El o* → *El o*, for conjunction and disjunction ∧*,* ∨ : *El o* → *El o* → *El o*, and for existential quantification ∃ : *Πz* : *Set.* (*El z* → *El o*) → *El o*. The semantics of tautology is defined by the rewrite rule ⊤ ↪ ∀ *o* (*λx* : *El o. x* ⇒ *x*), which is equivalent to the more common form *Prf* ⊤ ↪ *Πz* : *El o. Prf z* → *Prf z*. The rewrite rule *Prf* (*A* ∧ *B*) ↪ *ΠP* : *El o.* (*Prf A* → *Prf B* → *Prf P*) → *Prf P* can be encoded by *A* ∧ *B* ↪ ∀ *o* (*λP.* (*A* ⇒ *B* ⇒ *P*) ⇒ *P*). The rule *Prf* (¬*A*) ↪ *Prf A* → *Prf* ⊥ is forbidden, but ¬*A* ↪ *A* ⇒ ⊥ is allowed. We proceed similarly for the other rewrite rules.
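The claimed equivalence between the two forms of the tautology rule can be checked mechanically. The toy Python sketch below (our own model, with closures for binders and `imp` as the non-dependent ⇒) unfolds *Prf* ⊤ through the rule for ⊤ and the rules of *Σpre*:

```python
# Toy check that  top ~> forall o (\x. x => x)  unfolds, via Sigma_pre,
# to the usual  Prf top ~> Pi z : El o. Prf z -> Prf z.

def imp(x, y):
    return ('imp_d', x, lambda _: y)   # x => y, non-dependent implication

def norm(t):
    if t == ('Prf', 'top'):                           # top ~> forall o (\x. x => x)
        t = ('Prf', ('forall', 'o', lambda x: imp(x, x)))
    if t[0] == 'Prf' and t[1][0] == 'forall':         # Prf (forall a f)
        _, a, f = t[1]
        return ('Pi', 'z', ('El', a), lambda z: norm(('Prf', f(z))))
    if t[0] == 'Prf' and t[1][0] == 'imp_d':          # Prf (x =>_d f)
        _, x, f = t[1]
        return ('Pi', 'w', ('Prf', x), lambda w: norm(('Prf', f(w))))
    return t

t = norm(('Prf', 'top'))
assert t[2] == ('El', 'o')                            # Pi z : El o. ...
body = t[3]('z')                                      # Prf z -> Prf z
assert body[2] == ('Prf', 'z') and body[3]('w') == ('Prf', 'z')
```

The normal form is indeed *Πz* : *El o. Prf z* → *Prf z*, as stated in the example.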

*Example 4 (Natural numbers and lists).* We can define our small theory of natural numbers and lists in the prelude encoding, by replacing TYPE by *Set* (in the universe of types) or *El o* (in the universe of propositions), and by adding *El* and *Prf* at the necessary positions.

nat : *Set* 0 : *El* nat succ : *El* nat → *El* nat + : *El* nat → *El* nat → *El* nat

list : *El* nat → *Set* *x* + 0 ↪ *x* *x* + succ *y* ↪ succ (*x* + *y*)

nil : *El* (list 0) cons : *Πx* : *El* nat*. El* (list *x*) → *El* nat → *El* (list (succ *x*))

isRev : *Πx* : *El* nat*. El* (list *x*) → *El* (list *x*) → *El o*

concat : *Πx, y* : *El* nat*. El* (list *x*) → *El* (list *y*) → *El* (list (*x* + *y*))

*Example 5 (Set theory).* The implementation in Dedukti of set theory [4] is a theory with prelude encoding. In this implementation, sets are represented by the more primitive notion of pointed graphs: we have graph and node of type *Set*. The predicate *η* : *El* graph → *El* node → *El* node → *El o* is such that *η a x y* is the proposition asserting that there is an edge in *a* from *y* to *x*. The operator root : *El* graph → *El* node returns the root of a graph, which is a node.

In practice, the derivations of small judgments are small derivations. As we consider theories with prelude encoding, the only way of introducing a judgment that is not small is through *λ*-abstractions. For instance, in Example 4, the judgment ⊢ *El* (list ((*λx* : *El* nat*. λy* : *Set. x*) 0 nat)) : TYPE is small, but in its derivation we have ⊢ *λx* : *El* nat*. λy* : *Set. x* : *El* nat → *Set* → *El* nat, which is not a small judgment. However, ⊢ *El* (list 0) : TYPE admits a small derivation. If a derivation is not small, we can in practice apply *β*-reduction to the fragments of the derivation that are not small to obtain a small derivation.

## **3 Equalities**

Since we want to replace rewrite rules *ℓ* ↪ *r* by equational axioms *ℓ* = *r*, we need to define an equality in the target theory. In this section, we present a heterogeneous equality and a method to compare small types. The heterogeneous equality is necessary to compare objects that do not have the same type. Although we cannot define an equality between types in *λΠ/*≡, it is possible to develop an equality between small types, taking advantage of their structure.

#### **3.1 Heterogeneous Equality**

In our development, we need an equality between two translations of the same term. However, the two translations do not necessarily have the same type, as we may have introduced transports over the course of the translation. To that end, we define a heterogeneous equality inspired by the one of McBride [18]. Our heterogeneous equality is defined by the constant schemas heq*A,B* : *A* → *B* → *El o* where *A* and *B* are of type TYPE. We write *u <sup>A</sup>*≈*<sup>B</sup> v* for *Prf* (heq*A,B u v*). Heterogeneous equality is reflexive, symmetric, and transitive.

$$
\begin{array}{l}
\mathsf{refl}_{A} : \Pi u : A. \; u \; {}_{A}{\approx}_{A} \; u \\
\mathsf{sym}_{A,B} : \Pi u : A. \; \Pi v : B. \; u \; {}_{A}{\approx}_{B} \; v \to v \; {}_{B}{\approx}_{A} \; u \\
\mathsf{trans}_{A,B,C} : \Pi u : A. \; \Pi v : B. \; \Pi w : C. \; u \; {}_{A}{\approx}_{B} \; v \to v \; {}_{B}{\approx}_{C} \; w \to u \; {}_{A}{\approx}_{C} \; w
\end{array}
$$

When two objects have the same type, heterogeneous equality acts as Leibniz equality. In particular, we can replace *u* by *v* in the universes of propositions and types. The result of a Leibniz substitution on *t* remains equal to *t*.

$$
\begin{array}{l}
\mathsf{leib}^{\mathsf{Prf}}_{A} : \Pi u, v : A. \; \Pi p : u \; {}_{A}{\approx}_{A} \; v. \; \Pi P : A \to El \; o. \; Prf \; (P \; u) \to Prf \; (P \; v) \\
\mathsf{eqLeib}^{\mathsf{Prf}}_{A} : \Pi u, v : A. \; \Pi p : u \; {}_{A}{\approx}_{A} \; v. \; \Pi P : A \to El \; o. \; \Pi t : Prf \; (P \; u). \\
\qquad \mathsf{leib}^{\mathsf{Prf}}_{A} \; u \; v \; p \; P \; t \; {}_{Prf \; (P \; v)}{\approx}_{Prf \; (P \; u)} \; t
\end{array}
$$

The same axiom schemas exist for the universe of types, with superscript El instead of Prf, *El* instead of *Prf* , and *Set* instead of *El o*.

Finally, we add axioms for the congruence of each constructor of *λΠ/*≡.

*Application constructor.* For the application, we take:

$$
\begin{array}{l}
\mathsf{app}_{A_1,A_2,B_1,B_2} : \Pi t_1 : (\Pi x : A_1. \; B_1). \; \Pi t_2 : (\Pi x : A_2. \; B_2). \\
\qquad \Pi u_1 : A_1. \; \Pi u_2 : A_2. \; t_1 \approx t_2 \to u_1 \approx u_2 \\
\qquad \to t_1 \; u_1 \; {}_{B_1[x \mapsto u_1]}{\approx}_{B_2[x \mapsto u_2]} \; t_2 \; u_2
\end{array}
$$

For the *λ*-abstraction and *Π*-type constructors, we cannot directly build equality axioms. Indeed, if we want to define an equality between functional terms *t*<sup>1</sup> of type *Πx* : *A*1*. B*<sup>1</sup> and *t*<sup>2</sup> of type *Πx* : *A*2*. B*2, we need to ensure that the types *A*<sup>1</sup> and *A*<sup>2</sup> are equal. Therefore, we would like to have

$$\begin{array}{c} \mathsf{fun}\_{A\_1, A\_2, B\_1, B\_2} : \varPi t\_1 : (\varPi x : A\_1. \ B\_1). \ \varPi t\_2 : (\varPi y : A\_2. \ B\_2). \ A\_1 \approx A\_2\\ \to (\varPi x : A\_1. \ \varPi y : A\_2. \ x \approx y \to t\_1 \ x \approx t\_2 \ y) \\ \to t\_1 \approx t\_2 \end{array}$$

but we cannot take such an axiom, since the heterogeneous equality is not defined to compare objects that have type TYPE, and *A*<sup>1</sup> ≈ *A*<sup>2</sup> is therefore ill-typed. This shortcoming is addressed by developing an equality between small types.

#### **3.2 Equality between Small Types**

We cannot build an equality between types, since such an equality would have type TYPE → TYPE → TYPE, which is impossible in *λΠ/*≡. An option would be to take axiom schemas *A* ≈ *B* for every equality between types *A* and *B*. Such an equality would be far from standard and would require additional axioms to build transports. An alternative is to define an equality between small types. By construction, if *ν*(*A*) ∈ P, then *ν*(*A*) is generated from *Prf a* for some *a* : *El o*, and if *ν*(*A*) ∈ E, then *ν*(*A*) is generated from *El a* for some *a* : *Set*. If the small form of *A* contains *Prf a* and the small form of *B* contains *Prf b*, then we want an equality between *a* and *b*. We define the partial function *κ* on small forms by

$$\kappa(\operatorname{Prf } a\_1, \operatorname{Prf } a\_2) = a\_1 \approx a\_2 \qquad \qquad \kappa(\operatorname{El } a\_1, \operatorname{El } a\_2) = a\_1 \approx a\_2$$

$$\kappa(S, S) = \operatorname{True} \text{ if } S \in \mathcal{S} \qquad \qquad \kappa(T\_1 \to S, T\_2 \to S) = \kappa(T\_1, T\_2) \text{ if } S \in \mathcal{S}$$

$$\kappa(\Pi z : S. \; T_1, \Pi z : S. \; T_2) = \Pi z : S. \; \kappa(T_1, T_2) \text{ if } S \in \mathcal{S}$$

where True := *ΠP* : *El o. Prf P* → *Prf P*, so we can always give a witness of *κ*(*S, S*) if *S* ∈ S. By convention, we simply write *κ*(*A, B*) for the result of *κ*(*ν*(*A*)*, ν*(*B*)).
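The clauses of *κ* translate directly into a recursive function. In the toy representation used above (our own sketch; `('heq', a, b)` stands for *a* ≈ *b* and `'True'` for the trivial proposition), this reads:

```python
# Sketch of kappa on small forms.

def in_S(t):
    return t == 'Set' or (t[0] == 'arrow' and in_S(t[1]) and in_S(t[2]))

def kappa(t1, t2):
    if t1[0] == 'Prf' and t2[0] == 'Prf':
        return ('heq', t1[1], t2[1])               # a1 ≈ a2  (in El o)
    if t1[0] == 'El' and t2[0] == 'El':
        return ('heq', t1[1], t2[1])               # a1 ≈ a2  (in Set)
    if t1 == t2 and in_S(t1):
        return 'True'
    if t1[0] == 'arrow' and t2[0] == 'arrow' and t1[2] == t2[2] and in_S(t1[2]):
        return kappa(t1[1], t2[1])                 # T1 -> S vs T2 -> S
    if t1[0] == 'Pi' and t2[0] == 'Pi' and t1[2] == t2[2] and in_S(t1[2]):
        return ('Pi', t1[1], t1[2], kappa(t1[3], t2[3]))
    return None                                    # kappa is partial

# kappa(Pi x : Set. Prf p, Pi x : Set. Prf q) = Pi x : Set. p ≈ q
assert kappa(('Pi', 'x', 'Set', ('Prf', 'p')),
             ('Pi', 'x', 'Set', ('Prf', 'q'))) == \
       ('Pi', 'x', 'Set', ('heq', 'p', 'q'))
```

Note that *κ* is only defined when the two small forms share the same skeleton, which the `None` fall-through case models.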

*Example 6. κ*(*Πx* : *Set. Prf P* → *Prf Q, Πx* : *Set. Prf R*) = *Πx* : *Set.* (*P* ⇒*<sup>d</sup>* (*λz* : *Prf P. Q*)) ≈ *R* since *ν*(*Πx* : *Set. Prf P* → *Prf Q*) = *Πx* : *Set. Prf* (*P* ⇒*<sup>d</sup>* (*λz* : *Prf P. Q*)).

We can now go back to the definition of equality axioms for the constructors of *λΠ/*≡.

*Function constructor.* If *A*<sup>1</sup> and *A*<sup>2</sup> are small types, we can take *κ*(*A*1*, A*2). We do not compare objects of type TYPE anymore, but objects that have either type *El o* or type *Set*. The axiom schema for the function constructor is thus:

$$\begin{array}{c} \mathsf{fun}\_{A\_1, A\_2, B\_1, B\_2} : \varPi t\_1 : (\varPi x : A\_1. \ B\_1). \ \varPi t\_2 : (\varPi y : A\_2. \ B\_2). \ \kappa(A\_1, A\_2) \\ \to (\varPi x : A\_1. \ \varPi y : A\_2. \ x \approx y \to t\_1 \ x \approx t\_2 \ y) \\ \to t\_1 \approx t\_2 \end{array}$$

This axiom schema is a generalization of the *functional extensionality* principle with distinct domains *A*<sup>1</sup> and *A*<sup>2</sup> in the case of heterogeneous equality. Functional extensionality states that two pointwise-equal functions are equal. If the domains *A*<sup>1</sup> and *A*<sup>2</sup> are generated by S, then they are syntactically equal and we can derive a simpler axiom schema:

$$\begin{array}{c} \mathsf{fun}\_{A,B\_1,B\_2} : \varPi t\_1 : (\varPi x : A. \ B\_1). \ \varPi t\_2 : (\varPi x : A. \ B\_2). \ (\varPi x : A. \ t\_1 \ x \approx t\_2 \ x) \\ \to t\_1 \approx t\_2 \end{array}$$

*Π-type constructor.* The congruence axiom for dependent types aims at building *κ*(*Πx* : *A*1*. B*1*, Πx* : *A*2*. B*2). There are different cases depending on the grammars generating *ν*(*A*1), *ν*(*A*2), *ν*(*B*1) and *ν*(*B*2). If *ν*(*A*1), *ν*(*A*2), *ν*(*B*1), *ν*(*B*2) ∈ S, then *Πx* : *A*1*. B*<sup>1</sup> and *Πx* : *A*2*. B*<sup>2</sup> are syntactically equal and we can build an object of type True. If *ν*(*A*1), *ν*(*A*2) ∈ S and *ν*(*B*1), *ν*(*B*2) ∈ P ∪ E, then *A*<sup>1</sup> = *A*<sup>2</sup> and *κ*(*Πx* : *A*1*. B*1*, Πx* : *A*2*. B*2) = *Πx* : *A*1*. κ*(*B*1*, B*2). If *ν*(*A*1), *ν*(*A*2) ∈ P ∪ E and *ν*(*B*1), *ν*(*B*2) ∈ S, then *B*<sup>1</sup> = *B*<sup>2</sup> and *κ*(*Πx* : *A*1*. B*1*, Πx* : *A*2*. B*2) = *κ*(*A*1*, A*2). If *ν*(*A*1), *ν*(*A*2), *ν*(*B*1), *ν*(*B*2) ∈ P ∪ E, then there are four cases, corresponding to ⇝*d*, ⇒*d*, *π* and ∀. For instance, if *ν*(*A*1), *ν*(*A*2), *ν*(*B*1) and *ν*(*B*2) are all generated by E, then necessarily we have *ν*(*A*1) = *El a*1, *ν*(*A*2) = *El a*2, *ν*(*B*1) = *El b*<sup>1</sup> and *ν*(*B*2) = *El b*2. Therefore *κ*(*Πx* : *A*1*. B*1*, Πx* : *A*2*. B*2) := (*a*1 ⇝*<sup>d</sup>* (*λx* : *El a*1*. b*1)) ≈ (*a*2 ⇝*<sup>d</sup>* (*λy* : *El a*2*. b*2)). The axiom is:

$$
\begin{array}{l}
\mathsf{pred}_{\leadsto_{d}} : \Pi a_1, a_2 : Set. \; \Pi b_1 : (El \; a_1 \to Set). \; \Pi b_2 : (El \; a_2 \to Set). \; a_1 \approx a_2 \\
\qquad \to (\Pi x : El \; a_1. \; \Pi y : El \; a_2. \; x \approx y \to b_1 \; x \approx b_2 \; y) \\
\qquad \to (a_1 \leadsto_{d} b_1) \approx (a_2 \leadsto_{d} b_2)
\end{array}
$$

Note that this axiom is derivable from the previous axioms. We proceed similarly for the cases ⇒*d*, *π* and ∀.

We write *Σeq* for the signature formed by the axiom schemas defining the heterogeneous equality. Reflexivity, symmetry, and transitivity are standard axioms of equality. We have also added axioms stating that a heterogeneous equality comparing two objects of the same type acts like Leibniz equality. Finally, we have an axiom for the application constructor and one axiom for the abstraction constructor—that is, functional extensionality. Both axioms are used by Oury [19], who also assumes the uniqueness of identity proofs principle, which entails the Leibniz principle we use.

## **4 Replacing Rewrite Rules**

When working in theories with prelude encoding, rewriting originates from the rewrite rules of *Σpre* (which are generic rewrite rules), from the rewrite rules *Σ*<sup>T</sup> (which are defined by the user) and from *β*-reduction. The goal of this work is to replace the user-defined rewrite rules *Σ*<sup>T</sup> by equational axioms. In the rest of the paper, we write ⊢<sup>R</sup> for a derivation inside the source theory—the theory with user-defined rewrite rules—and ⊢ for a derivation inside the target theory—the theory with axioms instead of user-defined rewrite rules.

We now have all the tools to replace rewrite rules by equational axioms. To do so, we build suitable transports, such that if *Γ* ⊢ *t* : *A* and *Γ* ⊢ *p* : *κ*(*A, B*), then *Γ* ⊢ transp *p t* : *B*. The goal is to insert such transports into the terms instead of using conversion with the rules of *Σ*<sup>T</sup>. In the signature, each rewrite rule *ℓ* ↪ *r* is replaced by the equational axiom *ℓ* ≈ *r*.

#### **4.1 Transports**

If we have *Γ* ⊢ *t* : *A* and *Γ* ⊢ *p* : *κ*(*A, B*), we want to transport *t* from *A* to *B*, that is to build a term transp *p t* such that *Γ* ⊢ transp *p t* : *B*. A paramount result is that *t* and transp *p t* are heterogeneously equal.

**Lemma 2 (Transport).** *Given Γ* ⊢ *t* : *A and Γ* ⊢ *p* : *κ*(*A, B*) *with A and B small types, there exists* transp *p t, called transport of t along p, such that:*

**–** *Γ* ⊢ transp *p t* : *B,*

**–** *there exists* eqTransp *such that Γ* ⊢ eqTransp *p t* : transp *p t <sup>B</sup>*≈*<sup>A</sup> t.*

*Proof. A* and *B* are small types and we have an equality *κ*(*A, B*). If *A, B* ∈ S then *ν*(*A*) = *ν*(*B*) = *A* = *B* and we take transp *p t* := *t* and eqTransp *p t* := refl*<sup>A</sup> t*. Otherwise, by construction of *κ*, we know that *ν*(*A*)*, ν*(*B*) ∈ P, or *ν*(*A*)*, ν*(*B*) ∈ E, and that *ν*(*A*) and *ν*(*B*) have the same structure. Moreover, using *A* ≡*βΣpre ν*(*A*), we have *Γ* ⊢ *t* : *ν*(*A*). We proceed by induction on the grammar P (we proceed similarly for the grammar E).



**–** If *ν*(*A*) = *Πz* : *S. A*′ and *ν*(*B*) = *Πz* : *S. B*′ with *A*′ *, B*′ ∈ P and *S* ∈ S, then we have *κ*(*A, B*) = *Πz* : *S. κ*(*A*′ *, B*′ ). By weakening and application, we have *Γ, z* : *S* ⊢ *p z* : *κ*(*A*′ *, B*′ ). By induction we have transp (*p z*) (*t z*) : *B*′ and eqTransp (*p z*) (*t z*) : transp (*p z*) (*t z*) ≈ *t z* in the context *Γ, z* : *S*. We take transp *p t* := *λz* : *S.* transp (*p z*) (*t z*). We obtain *λz* : *S.* transp (*p z*) (*t z*) ≈ *t* using fun and ≡*βΣpre* . ⊓⊔

The transport of *t* from *A* to *B* depends on the small forms of *A* and *B*. In that respect, there exists a different transport for each possible family of small forms, and each such transport is indexed by an equality between small types.
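The inductive construction of Lemma 2 can be sketched symbolically. In the following Python model (our own illustration; `'transp0'` stands for the hypothetical base transport between two *Prf* or two *El* types), `transp` recurses on the shared shape of the small forms, exactly as in the proof case shown above:

```python
# Sketch of the inductive construction of transp from Lemma 2, building
# symbolic terms.

def transp(shape, p, t):
    """shape is the common skeleton of the small forms of A and B."""
    if shape == 'Set' or shape[0] == 'arrow':   # nu(A) = nu(B) in S: identity
        return t
    if shape[0] in ('Prf', 'El'):               # base transport along p
        return ('transp0', p, t)
    if shape[0] == 'Pi':                        # Pi z : S. A'
        _, z, S, body = shape
        return ('lam', z, S,
                transp(body, ('app', p, z), ('app', t, z)))

# Pi z : S. P case: transp p t := lam z : S. transp (p z) (t z)
assert transp(('Pi', 'z', 'Set', ('Prf', 'a')), 'p', 't') == \
       ('lam', 'z', 'Set', ('transp0', ('app', 'p', 'z'), ('app', 't', 'z')))
```

The `Pi` branch reproduces the step transp *p t* := *λz* : *S.* transp (*p z*) (*t z*) from the proof of Lemma 2.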

#### **4.2 Translation of Terms**

To translate a theory with rewrite rules into a theory with equational axioms, we add transports at the proper locations in the terms and types. If we have *Γ* ⊢<sup>R</sup> *t* : *A* in the source theory, we want to find *Γ̄*, *t̄* and *Ā* that are translations of *Γ*, *t* and *A*, and such that *Γ̄* ⊢ *t̄* : *Ā* in the target theory.

We add transports in a term by induction on a typing derivation—which is not unique—so we may have different translations of the same term. As such, we define a relation *◁* where *t̄ ◁ t* states that *t̄* is a translation of *t*. The relation is defined by induction on the terms of *λΠ/*≡. Variables, constants, TYPE and KIND are translations of themselves. The translations of *λ*-abstractions *λx* : *A. t*, dependent types *Πx* : *A. B* and applications *t u* rely on the translations of *t*, *u*, *A* and *B*. The most important part of the definition is that the translation is stable by transports: if *t̄* is a translation of *t*, then transp *p t̄* is also a translation of *t*, with *p* typically an equality proof. This relation captures all possible translations, but some are not correct as they may not be well typed. For instance, *λx* : *Ā. t̄* is not a valid translation of *λx* : *A. t* when the variable *x* used in *t̄* does not expect type *Ā* but another translation *Ā*′.

**Defnition 6.** *The translation relation ◁ is defned by:*

$$
\frac{}{x \lhd x} \qquad \frac{}{c \lhd c} \qquad \frac{}{\text{TYPE} \lhd \text{TYPE}} \qquad \frac{}{\text{KIND} \lhd \text{KIND}} \qquad \frac{\overline{t} \lhd t}{(\mathsf{transp} \; p \; \overline{t}) \lhd t}
$$

$$
\frac{\overline{A} \lhd A \quad \overline{t} \lhd t}{(\lambda x : \overline{A}. \; \overline{t}) \lhd (\lambda x : A. \; t)} \qquad \frac{\overline{A} \lhd A \quad \overline{B} \lhd B}{(\Pi x : \overline{A}. \; \overline{B}) \lhd (\Pi x : A. \; B)} \qquad \frac{\overline{t} \lhd t \quad \overline{u} \lhd u}{(\overline{t} \; \overline{u}) \lhd (t \; u)}
$$

*where p is an arbitrary term.*

Due to the typing rules of *λΠ/*≡, transports for objects that have TYPE in their type do not exist. Therefore, the only well-typed translations of TYPE, KIND, *Set*, *Prf* and *El* are themselves, and the well-typed translations of *Πx* : *A. B* are of the form *Πx* : *Ā. B̄* with *Ā ◁ A* and *B̄ ◁ B*. It follows that a well-typed translation of a small type is still a small type. In particular, if *A* ∈ S then the only translation is *Ā* := *A*; if *ν*(*A*) ∈ P then *ν*(*Ā*) ∈ P; and if *ν*(*A*) ∈ E then *ν*(*Ā*) ∈ E.

We extend the relation to contexts and signatures. For each rewrite rule *ℓ* ↪ *r* of a signature, we have *x* : *B* ⊢<sup>R</sup> *ℓ* : *A* and *x* : *B* ⊢<sup>R</sup> *r* : *A*, for some *B* and *A*, and some *x* representing the free variables of *ℓ*. The translation of the rewrite rule *ℓ* ↪ *r* is given by the equational axiom eq*ℓr* : *Πx* : *B̄. ℓ̄ <sup>Ā</sup>*≈*<sup>Ā</sup> r̄*. Since the type of a term is not unique in *λΠ/*≡, we have made a choice of *B* and *A*, which is not a problem as we will see in the proof of Theorem 1.

**Defnition 7.** *◁ is defned on contexts and signatures by:*

$$
\frac{}{\langle\rangle \lhd \langle\rangle} \qquad \frac{\overline{\Gamma} \lhd \Gamma \quad \overline{A} \lhd A}{(\overline{\Gamma}, x : \overline{A}) \lhd (\Gamma, x : A)} \qquad \frac{\overline{\Sigma} \lhd \Sigma \quad \overline{A} \lhd A}{(\overline{\Sigma}, c : \overline{A}) \lhd (\Sigma, c : A)}
$$

$$
\frac{\overline{\Sigma} \lhd \Sigma \quad \overline{\ell} \lhd \ell \quad \overline{r} \lhd r \quad \overline{B} \lhd B \quad \overline{A} \lhd A}{(\overline{\Sigma}, \mathsf{eq}_{\ell r} : \Pi x : \overline{B}. \; \overline{\ell} \; {}_{\overline{A}}{\approx}_{\overline{A}} \; \overline{r}) \lhd (\Sigma, \ell \hookrightarrow r)}
$$

**Lemma 3.** *If t̄ ◁ t and ū ◁ u then t̄*[*x* ↦ *ū*] *◁ t*[*x* ↦ *u*]*.*

*Proof.* By induction on the derivation of *t̄ ◁ t*. For the case of the transport, we can prove that (transp *p t̄*)[*x* ↦ *ū*] = transp *p*[*x* ↦ *ū*] *t̄*[*x* ↦ *ū*]. ⊓⊔
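The key step of Lemma 3, namely that substitution commutes with transports, holds because substitution is applied componentwise. A capture-unaware Python sketch (our own toy model over symbolic terms) makes this visible:

```python
# Substitution commutes with transports: a naive sketch over symbolic terms.

def subst(t, x, u):
    """Replace every occurrence of variable x by u in term t."""
    if t == x:
        return u
    if isinstance(t, tuple):
        return tuple(subst(s, x, u) for s in t)
    return t

t = ('transp', ('app', 'p', 'x'), ('app', 'f', 'x'))
lhs = subst(t, 'x', '0')
rhs = ('transp', subst(('app', 'p', 'x'), 'x', '0'),
                 subst(('app', 'f', 'x'), 'x', '0'))
assert lhs == rhs == ('transp', ('app', 'p', '0'), ('app', 'f', '0'))
```

Since `transp` is just a head symbol, (transp *p t*)[*x* ↦ *u*] and transp *p*[*x* ↦ *u*] *t*[*x* ↦ *u*] are computed identically.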

**Defnition 8 (Relation** ∼**).** *We say that t*<sup>1</sup> ∼ *t*<sup>2</sup> *when there exists some t such that t*<sup>1</sup> *◁ t and t*<sup>2</sup> *◁ t.*

#### **Lemma 4.** ∼ *is an equivalence relation.*

*Proof.* ∼ is reflexive, symmetric and transitive. When proving transitivity, we exploit the fact that whenever *t ◁ u*<sup>1</sup> and *t ◁ u*2, we have *u*<sup>1</sup> = *u*2. Reflexivity is proved by induction on the term. ⊓⊔

An important result we need to prove is that two well-typed translations *t*<sup>1</sup> and *t*<sup>2</sup> of the same term *t* are heterogeneously equal. By construction, the two terms do not necessarily have the same type or the same context. We will always consider *Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *A*<sup>1</sup> and *Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *A*2, where *Γ*<sup>1</sup> and *Γ*<sup>2</sup> have the same length and the same variables (with possibly different types). The equality between *t*<sup>1</sup> and *t*<sup>2</sup> must be typed in some context, but *Γ*<sup>1</sup> and *Γ*<sup>2</sup> are not sufficient. That is why we define a common context *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> (written Pack *Γ*<sup>1</sup> *Γ*<sup>2</sup> in the work of Winterhalter *et al.* [23]) obtained by duplicating each variable and by assuming a witness of heterogeneous equality between the two duplicates. More precisely, we partially define *⋆* by induction on small contexts:

$$
\Diamond \star \Diamond := \Diamond
$$

(*Γ*1*, x* : *A*1) *⋆* (*Γ*2*, x* : *A*2) := *Γ*<sup>1</sup> *⋆ Γ*2*, x*<sup>1</sup> : *A*1[*γ*1]*, x*<sup>2</sup> : *A*2[*γ*2]*, p<sup>x</sup>* : *x*<sup>1</sup> ≈ *x*<sup>2</sup>

where *γ*<sup>1</sup> substitutes variables *z* by *z*<sup>1</sup> and *γ*<sup>2</sup> substitutes variables *z* by *z*2. We write *γ*<sup>12</sup> for the substitution that replaces the variables *z*<sup>1</sup> and *z*<sup>2</sup> by *z* and the variable *p<sup>z</sup>* by refl *z*.
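The packing operation *⋆* can be sketched directly. The toy Python model below (our own illustration, with the hypothetical convention that lowercase strings are variables) duplicates each variable and inserts the equality witness:

```python
# Sketch of the packed context Gamma1 * Gamma2: each variable x is
# duplicated into x1 and x2 with a witness p_x : x1 ≈ x2.

def rename(ty, i):
    """Apply gamma_i: substitute every variable z of the context by z{i}."""
    if isinstance(ty, tuple):
        return tuple(rename(s, i) for s in ty)
    return ty + i if ty.islower() else ty   # toy convention: vars are lowercase

def star(g1, g2):
    packed = []
    for (x, a1), (_, a2) in zip(g1, g2):
        packed += [(x + '1', rename(a1, '1')),
                   (x + '2', rename(a2, '2')),
                   ('p_' + x, ('heq', x + '1', x + '2'))]
    return packed

g = star([('x', 'A'), ('y', ('B', 'x'))], [('x', 'A'), ('y', ('C', 'x'))])
assert g[2] == ('p_x', ('heq', 'x1', 'x2'))
assert g[3] == ('y1', ('B', 'x1'))      # types are renamed by gamma_1
```

Note how the type of `y1` refers to `x1`, matching *A*1[*γ*1] in the definition.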

**Lemma 5.** *If Γ ⋆ Γ* ⊢ *t* : *A, then we can derive Γ* ⊢ *t*[*γ*12] : *A*[*γ*12]*.*

*Proof.* We proceed by induction on the length of *Γ*. If we have ⟨⟩ *⋆* ⟨⟩ ⊢ *t* : *A*, then by definition we have ⟨⟩ ⊢ *t* : *A*. Suppose that we have (*Γ, x* : *B*) *⋆* (*Γ, x* : *B*) ⊢ *t* : *A*. We apply Lemma 1 successively to replace *x*<sup>2</sup> and *x*<sup>1</sup> by *x*, and then *p<sup>x</sup>* by refl *x*. ⊓⊔

The following lemma states that two translations of the same term are heterogeneously equal.

**Lemma 6 (Equal translations).** *Let t*<sup>1</sup> ∼ *t*<sup>2</sup> *such that Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *A*<sup>1</sup> *and Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *A*<sup>2</sup> *with Γ*<sup>1</sup> *and Γ*<sup>2</sup> *small contexts. Then there exists some p such that Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ *p* : *t*1[*γ*1] ≈ *t*2[*γ*2]*.*


*Proof.* We proceed by induction on the derivation of *t*<sup>1</sup> ∼ *t*2. We show two interesting cases.

**–** Transport (transp *p t*1) ∼ *t*<sup>2</sup>

We have *Γ*<sup>1</sup> ⊢ transp *p t*<sup>1</sup> : *A*<sup>1</sup> and *Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *A*2. By inversion of typing, we have *Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *A*′<sup>1</sup> and *Γ*<sup>1</sup> ⊢ *p* : *κ*(*A*′1*, A*1). By induction there exists some *p<sup>t</sup>* such that *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ *p<sup>t</sup>* : *t*1[*γ*1] ≈ *t*2[*γ*2]. We also have *Γ*<sup>1</sup> ⊢ eqTransp *p t*<sup>1</sup> : transp *p t*<sup>1</sup> ≈ *t*1. We derive that *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ (eqTransp *p t*1)[*γ*1] : (transp *p t*1)[*γ*1] ≈ *t*1[*γ*1]. We conclude using transitivity.

**–** Application (*t*<sup>1</sup> *u*1) ∼ (*t*<sup>2</sup> *u*2)

Suppose that *t*<sup>1</sup> *u*<sup>1</sup> and *t*<sup>2</sup> *u*<sup>2</sup> are small types. Then the only possible cases are *t*<sup>1</sup> = *t*<sup>2</sup> = *Prf* or *t*<sup>1</sup> = *t*<sup>2</sup> = *El*. If *t*<sup>1</sup> = *t*<sup>2</sup> = *Prf* , then we have *Γ*<sup>1</sup> ⊢ *Prf u*<sup>1</sup> : TYPE and *Γ*<sup>2</sup> ⊢ *Prf u*<sup>2</sup> : TYPE. Since *κ*(*Prf u*1*,Prf u*2) = *u*<sup>1</sup> ≈ *u*2, the result is simply the induction hypothesis *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ *p* : *u*1[*γ*1] ≈ *u*2[*γ*2]. We proceed similarly for *El u*<sup>1</sup> ∼ *El u*2.

Suppose that we have *Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> *u*<sup>1</sup> : *T*<sup>1</sup> and *Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> *u*<sup>2</sup> : *T*<sup>2</sup> with *Γ*<sup>1</sup> ⊢ *T*<sup>1</sup> : TYPE and *Γ*<sup>2</sup> ⊢ *T*<sup>2</sup> : TYPE. Then by inversion of typing we have *Γ*<sup>1</sup> ⊢ *u*<sup>1</sup> : *B*<sup>1</sup> and *Γ*<sup>2</sup> ⊢ *u*<sup>2</sup> : *B*<sup>2</sup> and *Γ*<sup>1</sup> ⊢ *t*<sup>1</sup> : *Πx* : *A*1*. B*<sup>1</sup> and *Γ*<sup>2</sup> ⊢ *t*<sup>2</sup> : *Πx* : *A*2*. B*2, with *T*<sup>1</sup> ≡*βΣpre B*1[*x* ↦ *u*1] and *T*<sup>2</sup> ≡*βΣpre B*2[*x* ↦ *u*2]. By induction hypotheses, we have *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ *p<sup>t</sup>* : *t*1[*γ*1] ≈ *t*2[*γ*2] and *Γ*<sup>1</sup> *⋆ Γ*<sup>2</sup> ⊢ *p<sup>u</sup>* : *u*1[*γ*1] ≈ *u*2[*γ*2]. We conclude using app. ⊓⊔

#### **4.3 Translation of Judgments**

In Section 4.2 we have seen all the possible translations for *terms*. However, the only translations that matter are the translations of *judgments*: context formation judgments and typing judgments.

**Definition 9.** *For any* ⊢<sup>R</sup> *Γ we define a set* ⟦⊢<sup>R</sup> *Γ*⟧ *of valid judgments such that* ⊢ *Γ̄* ∈ ⟦⊢<sup>R</sup> *Γ*⟧ *if and only if Γ̄ ◁ Γ. For any Γ* ⊢<sup>R</sup> *t* : *A we define a set* ⟦*Γ* ⊢<sup>R</sup> *t* : *A*⟧ *of valid judgments such that Γ̄* ⊢ *t̄* : *Ā* ∈ ⟦*Γ* ⊢<sup>R</sup> *t* : *A*⟧ *if and only if* ⊢ *Γ̄* ∈ ⟦⊢<sup>R</sup> *Γ*⟧*, t̄ ◁ t and Ā ◁ A.*

We are now able to prove that it is possible to switch between two translations of a small type.

**Lemma 7 (Switching translations).** *Suppose that we have A a small type, Γ̄* ⊢ *t̄* : *Ā* ∈ ⟦*Γ* ⊢<sup>R</sup> *t* : *A*⟧ *and Γ̄* ⊢ *Ā*′ : TYPE ∈ ⟦*Γ* ⊢<sup>R</sup> *A* : TYPE⟧ *with Γ̄ a small context. Then there exists t̄*′ *such that Γ̄* ⊢ *t̄*′ : *Ā*′ ∈ ⟦*Γ* ⊢<sup>R</sup> *t* : *A*⟧*.*

*Proof.* If *ν*(*A*) ∈ S, then *Ā* := *A* and *Ā*′ := *A*, and we take *t̄*′ := *t̄*. If *ν*(*A*) ∈ P, then *ν*(*Ā*)*, ν*(*Ā*′) ∈ P (the case E is similar). As *Ā* and *Ā*′ are two translations of *A*, we have *Ā* ∼ *Ā*′. From Lemma 6, we have *Γ̄ ⋆ Γ̄* ⊢ *p* : *κ*(*Ā*[*γ*1]*, Ā*′[*γ*2]). Using Lemma 5 we obtain *Γ̄* ⊢ *p*[*γ*12] : *κ*(*Ā, Ā*′). Using Lemma 2, there exists some transp *p*[*γ*12] *t̄ ◁ t* (since *t̄ ◁ t*) such that *Γ̄* ⊢ transp *p*[*γ*12] *t̄* : *Ā*′. ⊓⊔

#### **4.4 Translation of Theories**

Now that we have translated terms and judgments, we want to translate theories, so that the translation of every provable judgment in the source theory is provable in the target theory. The target theory T *ax* = *Σpre* ∪ *Σeq* ∪ *Σ̄*<sup>T</sup> is obtained by adding the axioms of equality to the signature, and by translating *Σ*<sup>T</sup>. To do so, we translate each typed constant and rewrite rule one by one. At the end, the rewrite rules of *Σ*<sup>T</sup> have been replaced by equational axioms.

The paramount result of this paper is the following theorem. The first item concerns context formation. The second item is about the translation of typing judgments. The third item focuses on convertible contexts. The fourth and fifth items are about the conversion rules. It is worth noting that in the second item we use a universal quantifier on *Γ̄* instead of an existential quantifier. We have opted for the universal quantifier so that we can obtain the induction hypotheses for a common context.

**Theorem 1 (Elimination of the rewrite rules).** *Let* T = *Σ be a theory in λΠ/*≡ *such that* T *is a theory with prelude encoding and such that all the derivations considered are small derivations. There exists a signature Σ̄*<sup>T</sup> *◁ Σ*<sup>T</sup> *such that the theory* T *ax* = *Σpre* ∪ *Σeq* ∪ *Σ̄*<sup>T</sup> *satisfies:*



*5. If* (*Γ*<sup>1</sup> ⊢<sup>R</sup> *u*<sup>1</sup> : TYPE) ≡ (*Γ*<sup>2</sup> ⊢<sup>R</sup> *u*<sup>2</sup> : TYPE)*, then for every* ⊢ *Γ̄*<sup>1</sup> ∈ ⟦⊢<sup>R</sup> *Γ*<sup>1</sup>⟧ *and* ⊢ *Γ̄*<sup>2</sup> ∈ ⟦⊢<sup>R</sup> *Γ*<sup>2</sup>⟧*, we have Γ̄*<sup>1</sup> ⊢ *ū*<sup>1</sup> : TYPE ∈ ⟦*Γ*<sup>1</sup> ⊢<sup>R</sup> *u*<sup>1</sup> : TYPE⟧ *and Γ̄*<sup>2</sup> ⊢ *ū*<sup>2</sup> : TYPE ∈ ⟦*Γ*<sup>2</sup> ⊢<sup>R</sup> *u*<sup>2</sup> : TYPE⟧ *and there exists some p such that Γ̄*<sup>1</sup> *⋆ Γ̄*<sup>2</sup> ⊢ *p* : *κ*(*ū*1[*γ*1]*, ū*2[*γ*2])*.*

*Proof.* The proof of the five items is by induction on the typing derivations, assuming the existence of $\Sigma_{\mathcal{T}}^{ax}$. We show three relevant cases.

**–** Prod:

$$\frac{\begin{array}{c} \Gamma \vdash\_{\mathcal{R}} A : \mathsf{TYPE} \qquad \Gamma, x : A \vdash\_{\mathcal{R}} B : s \end{array}}{\begin{array}{c} \Gamma \vdash\_{\mathcal{R}} \Pi x : A. \; B : s \end{array}}$$

Take $\vdash \Gamma \in \llbracket \vdash_{\mathcal{R}} \Gamma \rrbracket$. By induction hypothesis, we have $\Gamma \vdash A : \mathsf{TYPE} \in \llbracket \Gamma \vdash_{\mathcal{R}} A : \mathsf{TYPE} \rrbracket$. We have $(\Gamma, x : A) \lhd (\Gamma, x : A)$ and we know that the only translation of the sort $s$ is $s$ itself, therefore by induction hypothesis we have $\Gamma, x : A \vdash B : s \in \llbracket \Gamma, x : A \vdash_{\mathcal{R}} B : s \rrbracket$. We conclude that $\Gamma \vdash \Pi x{:}A.\ B : s$ using the Prod rule.

**–** Conv:

$$\frac{\Gamma \vdash_{\mathcal{R}} t : A \qquad (\Gamma \vdash_{\mathcal{R}} A : s) \equiv (\Gamma \vdash_{\mathcal{R}} B : s)}{\Gamma \vdash_{\mathcal{R}} t : B}$$

Take $\vdash \Gamma \in \llbracket \vdash_{\mathcal{R}} \Gamma \rrbracket$. As we consider small derivations, either $A$ is a small type or $A$ and $B$ are the same type.

If $A$ is a small type, then by induction hypothesis we have $\Gamma \star \Gamma \vdash p : \kappa(A[\gamma_1], B[\gamma_2])$. By Lemma 5 we obtain $\Gamma \vdash p[\gamma_{12}] : \kappa(A, B)$. By Lemma 7 and the induction hypothesis we have $\Gamma \vdash t : A \in \llbracket \Gamma \vdash_{\mathcal{R}} t : A \rrbracket$. Thanks to Lemma 2, there exists some $t'$ such that $\Gamma \vdash t' : B \in \llbracket \Gamma \vdash_{\mathcal{R}} t : B \rrbracket$.

If $A$ and $B$ are the same type, then no conversion is needed and the result is given directly by the induction hypothesis $\Gamma \vdash t : A$.

**–** ConvRefl:

$$\frac{\Gamma \vdash\_{\mathcal{R}} u:A}{(\Gamma \vdash\_{\mathcal{R}} u:A) \equiv (\Gamma \vdash\_{\mathcal{R}} u:A)}$$

Take $\vdash \Gamma \in \llbracket \vdash_{\mathcal{R}} \Gamma \rrbracket$. By induction hypothesis, we have $\Gamma \vdash u : A \in \llbracket \Gamma \vdash_{\mathcal{R}} u : A \rrbracket$.

If $\Gamma \vdash_{\mathcal{R}} A : \mathsf{TYPE}$, then we build $\Gamma \star \Gamma \vdash p : u[\gamma_1] \approx u[\gamma_2]$ using all the congruence rules of $\approx$.

We proceed similarly for the case *A* = TYPE.

The existence of $\Sigma_{\mathcal{T}}^{ax}$ is proved by induction on the length of $\Sigma_{\mathcal{T}}$, using the previous five items and $\langle\rangle \lhd \langle\rangle$. ⊓⊔

**Corollary 1 (Preservation).** *If* $\vdash_{\mathcal{R}} t : A$ *and* $\vdash \overline{A} : s \in \llbracket \vdash_{\mathcal{R}} A : s \rrbracket$*, then there exists* $\overline{t}$ *such that* $\vdash \overline{t} : \overline{A}$*.*

*Proof.* By Theorem 1 we have $\vdash t' : A' \in \llbracket \vdash_{\mathcal{R}} t : A \rrbracket$ for some $t'$ and $A'$. Using Lemma 7 with $A' := \overline{A}$, we have some $\overline{t}$ such that $\vdash \overline{t} : \overline{A} \in \llbracket \vdash_{\mathcal{R}} t : A \rrbracket$. ⊓⊔

We directly derive the two following conservativity and consistency results. We say that a theory $\mathcal{T}_2$ is conservative over a theory $\mathcal{T}_1$ when every formula in the common language of $\mathcal{T}_1$ and $\mathcal{T}_2$ that is provable in $\mathcal{T}_2$ is also provable in $\mathcal{T}_1$.

**Corollary 2 (Conservativity).** $\mathcal{T}$ *is a conservative extension of* $\mathcal{T}_{ax}$*.*

**Corollary 3 (Relative consistency).** *If* $\mathcal{T}_{ax}$ *is consistent, then* $\mathcal{T}$ *is also consistent.*

## **5 Conclusion**

*Discussion.* In this paper, we showed that it is possible to replace user-defined rewrite rules by equational axioms in the *λΠ*-calculus modulo theory. This result holds for theories with prelude encoding (a condition satisfied by expressive theories such as predicate logic and set theory) and for small derivations (which is the case in practice). To replace rewrite rules by equational axioms, we have defined a heterogeneous equality with standard axioms (reflexivity, symmetry, transitivity, the Leibniz principle) and congruences for each constructor. In the end, the theory with rewrite rules is a conservative extension of the theory with axioms.
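Schematically, the equational signature can be pictured as follows; the axiom names and the exact typing are illustrative only (the precise encoded statements involve the prelude encoding and are given in the body of the paper):

$$\begin{aligned}
\mathsf{refl}  &: x \approx x\\
\mathsf{sym}   &: x \approx y \Rightarrow y \approx x\\
\mathsf{trans} &: x \approx y \Rightarrow y \approx z \Rightarrow x \approx z\\
\mathsf{leibniz} &: x \approx y \Rightarrow P\,x \Rightarrow P\,y\\
\mathsf{cong}_{app} &: t_1 \approx t_2 \Rightarrow u_1 \approx u_2 \Rightarrow t_1\,u_1 \approx t_2\,u_2
\end{aligned}$$

where $\approx$ is the heterogeneous equality, relating terms whose small types need not coincide.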

*Related work.* The similar problem of translating an extensional system into an intensional one has been investigated by Oury [19]. He proposed a translation from the Extensional Calculus of Constructions to the Calculus of Inductive Constructions with additional axioms that define a heterogeneous equality. Winterhalter, Sozeau and Tabareau provided a translation from extensional type theory to intensional type theory [23,24]. They took advantage of the presence of dependent pairs to encode a heterogeneous equality, unlike Oury who defined it with axioms.

In this paper, we have shown the existence of a translation from a theory with rewrite rules to a theory with equational axioms. Technical challenges appear because we are not in an extensional type system. In particular, Oury and Winterhalter *et al.* had a homogeneous equality in their source theory and introduced a heterogeneous equality in the target theory. In this work, the source theory does not contain a homogeneous equality, and the target theory only contains a heterogeneous equality.

The major difference with previous works is that we are in a logical framework without an infinite hierarchy of sorts $s_i : s_{i+1}$ for $i \in \mathbb{N}$. In *λΠ/*≡, we only have TYPE : KIND, which is the reason why we cannot define an equality between types. As such an equality is of paramount importance in the transports, we have considered a subclass of types, called small types, for which we can define an equality. However, it is worth noting that the sorts of *λΠ/*≡ allowed a simplification: by construction, there are no transports on types, so the translation of a dependent function type is directly a dependent function type.

## **References**



## Light Genericity

## Beniamino Accattoli<sup>1</sup> and Adrienne Lancelot<sup>1,2</sup>

1 Inria & LIX, Ecole Polytechnique, UMR 7161, Palaiseau, France {beniamino.accattoli,adrienne.lancelot}@inria.fr

<sup>2</sup> Université Paris Cité, CNRS, IRIF, F-75013, Paris, France

Abstract. To better understand Barendregt's genericity for the untyped call-by-value λ-calculus, we start by first revisiting it in call-by-name, adopting a lighter statement and establishing a connection with contextual equivalence. Then, we use it to give a new, lighter proof of maximality of head contextual equivalence, i.e. that H<sup>∗</sup> is a maximal consistent equational theory. We move on to call-by-value, where we adapt these results and also introduce a new notion dual to light genericity, which we dub co-genericity. Lastly, we give alternative proofs of (co-)genericity based on applicative bisimilarity.

Keywords: lambda-calculus · semantics · call-by-value.

## 1 Introduction

Barendregt's genericity lemma [14, Prop. 14.3.24] is a classic result in the theory of the untyped λ-calculus. It expresses the fact that meaningless terms—also called unsolvable terms, a notion generalizing the bad behaviour of the paradigmatic looping term Ω := (λx.xx)(λx.xx)—are a sort of black hole for evaluation: if evaluation should ever enter them, it would never get out. This is specified somewhat dually, saying that if a term t containing a meaningless term u evaluates to a normal form, that is, if t is observable, then replacing u with any other term in t gives a term t′ that is also observable. Roughly, if one can observe a term containing a black hole then evaluation never enters the black hole.
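As a minimal illustration (ours, not from the paper): take $I := \lambda x.x$ and the erasing context $C := (\lambda y.I)\langle\cdot\rangle$. Then

$$C\langle \Omega\rangle = (\lambda y.I)\,\Omega \to_\beta I \qquad\text{and likewise}\qquad C\langle t\rangle = (\lambda y.I)\,t \to_\beta I \ \text{ for every } t,$$

so $C\langle\Omega\rangle$ is observable and replacing $\Omega$ with any term preserves observability: evaluation never enters the black hole.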

Genericity is arguably more than a lemma, but it is so labeled because its main use is as a tool in Barendregt's proofs of collapsibility of meaningless terms, that is, the fact that the equational theory H equating all meaningless terms is consistent, i.e. it does not equate all terms. Such collapsibility is one of the cornerstones of the semantics of the untyped λ-calculus.

Recap about Meaningless Terms. Meaningless terms were first studied in the 1970s, by Wadsworth [45,46] and Barendregt [12,13], while working on denotational models and the representation of partial recursive functions (PRFs). The starting point is that the natural choice of representing the being undefined of PRFs (considered the paradigmatic meaningless computation) with terms not having a normal form leads to a problematic representation of PRFs. The issue is visible also at the equational level, as all theories collapsing all diverging terms are inconsistent.

Wadsworth and Barendregt then identify the class of unsolvable terms as a better notion of meaningless terms: the representation of PRFs using them as undefined terms is better behaved, they are collapsible, and in particular they are identified in Scott's first $D_\infty$ model of the untyped λ-calculus.

Unsolvable terms are defined via a contextual property, but they are also characterized as the terms diverging for head β-reduction →h, rather than plain β-reduction →β. The dual notion of solvable terms, which are those terminating for head reduction, is taken as the right notion of defined term, replacing the natural but misleading idea that β-normal forms are the right notion of defined term.

Barendregt's classic book from the 1980s [14] is built around the concept of (un)solvability. Visser and Statman noted that (un)solvability is not the only partition of terms providing good representations of PRFs and being collapsible, as summarized by Barendregt [15]. Typically, (in)scrutable terms, first studied by Paolini and Ronchi della Rocca [38,36,41] (under the name (non-)potentially valuable terms), provide an alternative good partition. In call-by-name (CbN), (in)scrutable terms correspond to weak head normalizing/diverging terms.

This Paper. The work presented here stems from the desire to obtain genericity for the untyped call-by-value λ-calculus. Perhaps surprisingly, the call-by-value (shortened to CbV) λ-calculus behaves quite differently with respect to meaningless terms. Accattoli and Guerrieri's recent study of meaningless terms in CbV [6] indeed stresses two key differences: genericity fails in CbV, and collapsibility fails as well, as any equational theory equating CbV meaningless terms is inconsistent, if one takes as meaningless the CbV analogue of unsolvable terms. Accattoli and Guerrieri also show that collapsibility can be recovered by adopting a different notion of meaningless terms, namely CbV inscrutable terms, but they do not prove genericity for them.

In this paper, we do prove a genericity result for inscrutable terms, and also provide a new proof of their collapsibility. These results, however, are only a small part of the contributions of this paper.

Contribution 1: the Very Statement of Genericity. We start by focusing on the statement of genericity. The literature contains various versions. The one used by Barendregt for proving collapsibility is the following (where unsolvable terms are identified with →h-diverging terms), here dubbed heavy:

Heavy genericity: let $u$ be $\to_h$-diverging and $C$ be a context such that $C\langle u\rangle \to_\beta^* n$ with $n$ $\beta$-normal. Then, $C\langle t\rangle \to_\beta^* n$ for all $t$.

In Takahashi's elegant proof of heavy genericity [44]—which is an inspiration for our work—the following statement is called the fundamental property of unsolvable λ-terms; we here consider it as an alternative, lighter statement of genericity:

Light genericity: let u be →h-diverging and C be a context such that C⟨u⟩ is →h-normalizing. Then, C⟨t⟩ is →h-normalizing for all t.

We adopt the lighter statement as the proper one for genericity for three reasons:

26 B. Accattoli, A. Lancelot


We then adapt Takahashi's proof of heavy genericity to the light case.

Contribution 2: (Open) Contextual Equivalence/Pre-Order. Once one adopts the light statement, a connection with contextual equivalence becomes evident. Precisely, consider the contextual pre-order (that is, the asymmetric variant of contextual equivalence) induced by head reduction:

Head contextual pre-order: $t \precsim^{h}_{C} u$ if $C\langle t\rangle$ →h-normalizing implies $C\langle u\rangle$ →h-normalizing, for all closing contexts $C$.

Light genericity seems to state that →h-diverging terms are minimum terms with respect to $\precsim^{h}_{C}$. There is however a small yet non-trivial glitch: contextual pre-orders/equivalences are defined using closing contexts, while genericity is defined using arbitrary, possibly open contexts. Is the closing requirement essential in the definition of contextual notions? To our knowledge, this question has not been addressed in the literature. In fact, there is no absolute answer for all cases, as it depends on the notion of observation and on the underlying calculus.

We show that, for head reduction, open and closed contextual notions do coincide, which we refer to as the fact that head reduction is openable. As is often the case with behavioral notions, proving head reduction openable cannot be done by simply unfolding the definitions, and requires some work.

The proof that we provide is—we believe—particularly elegant. It is obtained as the corollary of a further contribution, the revisitation of another classic result from the theory of the untyped λ-calculus, described next.

Contribution 3: Maximality. Barendregt proves that open head contextual equivalence—which he denotes as the equational theory H<sup>∗</sup>—is maximal among consistent equational theories, i.e. any proper extension of H<sup>∗</sup> is inconsistent (moreover, H<sup>∗</sup> is the unique maximum theory among those collapsing unsolvable terms). His proof uses Böhm's theorem, an important and yet non-trivial result. We give a new proof based only on light genericity, which is an arguably simpler result than Böhm's theorem, obtained by adapting a similar result for CbV by Egidi et al. [19].

Contribution 4: Call-by-Value. Finally, we study the CbV case, adopting inscrutable terms as the notion of meaningless terms. In Plotkin's original CbV calculus [40], however, these terms cannot be characterized as diverging for some strategy. Moreover, in Plotkin's calculus evaluation is not openable, that is, open and closed contextual notions do not coincide. In both cases, the issue is connected to the management of open terms.

We then adopt Accattoli and Paolini's value substitution calculus (VSC) [9], which is an extension of Plotkin's calculus solving its well-known issues with open terms and having the same (closed) contextual equivalence. Therein, inscrutable terms are characterized as those diverging for weak evaluation →w.

For the VSC, we prove light genericity for →w-diverging terms. We use a different technique with respect to the CbN case, namely we rely on Ehrhard's CbV multi types [20] (multi types are also known as non-idempotent intersection types), because Takahashi's technique does not easily adapt to the CbV case. We also give a proof of maximality (essentially Egidi et al.'s [19] argument, used as a blueprint for the CbN case), from which it follows that evaluation in the VSC is openable, in contrast with evaluation in Plotkin's calculus.

As hinted at above, it is relevant that in CbV we study light genericity rather than the heavy variant, because the notion of full normal form in the CbV case is less standard. Firstly, it differs between Plotkin's calculus and the VSC. Secondly, it also differs between the various refinements of Plotkin's calculus that can properly manage open terms, as discussed by Accattoli et al. [7].

Contribution 5: Co-Genericity. A difference between the head CbN case and the weak CbV case is given by an interesting class of terms, those evaluating to an infinite sequence of abstractions, that is, such that $t \to_\beta^* \lambda x.t'$ with $t'$ having the same property. Such terms are →h-diverging (thus head CbN meaningless), but →w-normalizing (CbV meaningful), and hereditarily so. We prove that these →w-super (normalizing) terms are maximum elements of the CbV contextual pre-order, and the statement of this fact is a new notion of co-genericity:

Co-Genericity: let t be →w-super and C be a context such that C⟨u⟩ is →w-normalizing for some u. Then, C⟨t⟩ is →w-normalizing.
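A concrete →w-super term (our illustration, not from the paper) is $A\,A$ with $A := \lambda a.\lambda x.aa$, since

$$A\,A \to_{\beta_v} \lambda x.A\,A,$$

so $A\,A$ →w-normalizes to an abstraction whose body $A\,A$ has the same property, hereditarily; under head reduction, instead, $A\,A \to_h \lambda x.A\,A \to_h \lambda x.\lambda x.A\,A \to_h \cdots$ diverges.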

We then show a strengthened collapsibility result: all →w-diverging terms and all →w-super terms can be consistently collapsed.

Contribution 6: Alternative Proofs via Applicative Bisimilarity. Lastly, we show a different route to proving light genericity and co-genericity—in CbV, but the technique is general—by exploiting the link with contextual pre-orders. Namely, we give a second proof that weak CbV evaluation is openable in the VSC without using light genericity, and then we use the soundness of CbV applicative bisimilarity with respect to the (closed) contextual pre-order to give very simple proofs of light genericity and co-genericity.

Related Work. There are many proofs of CbN genericity in the literature (but they do not all prove the same statement<sup>3</sup>): a topological one by Barendregt [14,

<sup>3</sup> Sometimes, one finds the following genericity as application statement: let $u$ be →h-diverging and $s$ be such that $su \to_\beta^* n$ with $n$ $\beta$-normal. Then, $st \to_\beta^* n$ for all

Prop. 14.3.24], one via intersection types by Ghilezan [24], rewriting-based ones by Takahashi [44], Kuper [30], Kennaway et al. [28], and Endrullis and de Vrijer [21], and one via Taylor expansion by Barbarossa and Manzonetto [11]. Salibra studies a generalization to an infinitary λ-calculus [43]. García-Pérez and Nogueira prove partial genericity for Plotkin's CbV λ-calculus [23] using a different notion of meaningless terms, not as well-behaved as CbV inscrutable terms.

The most famous application of genericity is the collapsibility of meaningless terms. Another application is Folkerts's invertibility of terms for λη [22].

Independently, Arrial, Guerrieri, and Kesner developed an alternative study of genericity in both CbN and CbV [10].

Proofs. Most proofs are omitted and can be found in the technical report [8].

## 2 Preliminaries

In this paper, we consider two languages, the λ-calculus and the value substitution calculus. Here we give abstract definitions that apply to both. We then refer to a generic language $L$ with a host reduction $\to_L \subseteq L \times L$ together with an evaluation strategy discussed below. Terms of both languages are considered modulo α-renaming. Capture-avoiding substitution is noted $t\{x{\leftarrow}u\}$.

Evaluation Strategies. An evaluation strategy for us is a relation $\to_s \subseteq \to_L$ which is either deterministic or has the diamond property, which, according to Dal Lago and Martini [18], is defined as follows: a relation $\to_r$ is diamond if $u_1 \mathrel{{}_{r}{\leftarrow}} t \to_r u_2$ and $u_1 \neq u_2$ imply $u_1 \to_r s \mathrel{{}_{r}{\leftarrow}} u_2$ for some $s$. If $\to_r$ is diamond then it is confluent, all its reductions to normal form (if any) have the same length, and if there is one such reduction from $t$ then there are no diverging reductions from $t$; essentially, the diamond property is a weakened notion of determinism.
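As an illustration of the definition, the diamond property of a finite relation can be checked mechanically. The sketch below is ours, not from the paper; the encoding of a relation as a dictionary mapping each element to the set of its one-step reducts is an assumption made for the example.

```python
def is_diamond(rel):
    """Check the diamond property: whenever u1 <-r t ->r u2 with u1 != u2,
    some s closes the peak in one step, i.e. u1 ->r s and u2 ->r s."""
    for t, reducts in rel.items():
        for u1 in reducts:
            for u2 in reducts:
                if u1 != u2 and not (rel.get(u1, set()) & rel.get(u2, set())):
                    return False
    return True

# Both reducts of 't' rejoin at 's' in one step: diamond holds.
print(is_diamond({"t": {"u1", "u2"}, "u1": {"s"}, "u2": {"s"}}))  # True
# The peak u1 <- t -> u2 cannot be closed in one step: diamond fails.
print(is_diamond({"t": {"u1", "u2"}, "u1": {"a"}, "u2": {"b"}}))  # False
```

A deterministic relation is trivially diamond, since no peak with $u_1 \neq u_2$ exists, matching the remark that the diamond property weakens determinism.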

We refer to a generic evaluation strategy with $\to_s$ or simply with $s$, we also simply call it a strategy, and we usually omit the underlying language. The conversion relation $=_s$ associated to a strategy $s$ is the smallest equivalence relation containing $\to_s$. We say that $t$ is:


We say that s is:


t. Genericity as application is weaker than heavy/light genericity, and cannot be directly used to infer the collapsibility of →h-diverging terms.

Contexts. An essential tool in our study shall be contexts, which are terms where a sub-term has been replaced by a hole ⟨·⟩. For instance, for the λ-calculus they are defined as follows: $C, C' ::= \langle\cdot\rangle \mid tC \mid Ct \mid \lambda x.C$. The basic operation on contexts is the plugging $C\langle t\rangle$ of a term $t$ in $C$, which simply replaces ⟨·⟩ with $t$ in $C$, possibly capturing variables. For instance, $(\lambda x.\langle\cdot\rangle)\langle xy\rangle = \lambda x.xy$. Note that plugging cannot be expressed as capture-avoiding substitution, since $(\lambda x.z)\{z{\leftarrow}xy\} = \lambda x'.xy \neq \lambda x.xy$.
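To make the difference concrete, here is a small executable sketch (our own tuple encoding, not from the paper) of plugging versus capture-avoiding substitution; it reproduces the two examples above.

```python
# Terms and contexts: ('var', x) | ('app', t, u) | ('lam', x, t) | ('hole',)

def plug(ctx, t):
    """Plugging C<t>: replace the hole textually, possibly capturing variables."""
    if ctx == ('hole',):
        return t
    if ctx[0] == 'app':
        return ('app', plug(ctx[1], t), plug(ctx[2], t))
    if ctx[0] == 'lam':
        return ('lam', ctx[1], plug(ctx[2], t))  # the binder may capture
    return ctx  # variable: no hole inside

def fv(t):
    """Free variables of a term."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return fv(t[1]) | fv(t[2])
    if t[0] == 'lam':
        return fv(t[2]) - {t[1]}
    return set()

def subst(t, x, u):
    """Capture-avoiding substitution t{x<-u}: rename binders that would capture."""
    if t[0] == 'var':
        return u if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    y, body = t[1], t[2]
    if y == x:
        return t  # x is shadowed under the binder
    if y in fv(u):
        fresh = y + "'"  # naive fresh-name choice, enough for this example
        body = subst(body, y, ('var', fresh))
        y = fresh
    return ('lam', y, subst(body, x, u))

xy = ('app', ('var', 'x'), ('var', 'y'))
# (λx.<.>)<xy> = λx.xy : plugging captures x
print(plug(('lam', 'x', ('hole',)), xy))
# (λx.z){z<-xy} = λx'.xy : substitution renames the binder x
print(subst(('lam', 'x', ('var', 'z')), 'z', xy))
```

The two printed terms differ exactly in the treatment of the binder: plugging lets the plugged `x` be captured, while substitution renames it away.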

Contextual Equivalences and Pre-Orders. The standard of reference for program equivalences is contextual equivalence. The following definition slightly generalizes the standard one so as to also capture the open case studied in this paper.

Definition 1 (Open and Closed Contextual Pre-Order and Equivalence). Given an evaluation strategy $s$, we define the open contextual pre-order $\precsim^{s}_{CO}$ and the open contextual equivalence $\simeq^{s}_{CO}$ as follows:


The closed variants, simply called contextual pre-order $\precsim^{s}_{C}$ and contextual equivalence $\simeq^{s}_{C}$, are defined as above but restricting to contexts $C$ such that $C\langle t\rangle$ and $C\langle t'\rangle$ are closed terms. We say that $s$ is openable if $\precsim^{s}_{CO}$ and $\precsim^{s}_{C}$ coincide.

It follows from the definitions that $\precsim^{s}_{CO} \subseteq \precsim^{s}_{C}$, and similarly for the equivalences, while the other direction is not obvious, and can indeed fail. For instance, if $p_w$ is weak evaluation in Plotkin's CbV λ-calculus (to be defined in Sect. 5) and $\delta := \lambda z.zz$, then we have $\Omega_l := (\lambda x.\delta)(yy)\delta \precsim^{p_w}_{C} \delta\delta =: \Omega$ but $\Omega_l \not\precsim^{p_w}_{CO} \Omega$. That is, $p_w$ is not openable. To our knowledge, the notion of openable strategy is new.

(In)Equational Theories. A relation is compatible if $t \mathrel{R} u$ implies $C\langle t\rangle \mathrel{R} C\langle u\rangle$ for any context $C$ and any terms $t$ and $u$. A term $t$ is minimum for a pre-order $\leq$ if for all $u \in L$, $t \leq u$. We denote abstract inequational theories with the symbol $\leq_{T}$, to distinguish them from known program pre-orders, denoted with $\precsim_{P}$.

Definition 2 (Inequational s-theory). Let $s$ be an evaluation strategy. An inequational $s$-theory $\leq^{s}_{T}$ is a compatible pre-order on terms containing $s$-conversion. An inequational $s$-theory $\leq^{s}_{T}$ is called:


The notions of $s$-ground and $s$-adequate theories generalize to an abstract and inequational framework the λ-calculus notions of sensible and semi-sensible theories (whose non-abstract inequational versions are studied in particular in the recent book by Barendregt and Manzonetto [16]), up to a very minor difference: the definitions in the literature sometimes also ask for consistency, which we treat independently. An equational theory is a symmetric inequational theory.

Remark 1. Any open contextual pre-order $\precsim^{s}_{CO}$ is $s$-adequate: if $t \precsim^{s}_{CO} u$ then, by considering the empty context, $t$ $s$-normalizing implies $u$ $s$-normalizing. Closed contextual pre-orders, instead, are not necessarily adequate: for weak evaluation $p_w$ in Plotkin's calculus, $\Omega_l \precsim^{p_w}_{C} \Omega$, $\Omega_l$ is $p_w$-normal, and $\Omega$ is $p_w$-diverging.

Lastly, we show under which conditions the contextual pre-orders $\precsim^{s}_{CO}$ and $\precsim^{s}_{C}$ are consistent inequational $s$-theories.

Proposition 1. Let $L$ be a confluent language and $s$ be a normalizing and stabilizing strategy. Then $\precsim^{s}_{CO}$ and $\precsim^{s}_{C}$ (resp. $\simeq^{s}_{CO}$ and $\simeq^{s}_{C}$) are inequational (resp. equational) $s$-theories. Moreover, if $s$ is consistent then $\precsim^{s}_{CO}$, $\precsim^{s}_{C}$, $\simeq^{s}_{CO}$, and $\simeq^{s}_{C}$ are consistent.

## 3 Light Genericity and Collapsibility

As working notion of genericity, we adopt the following abstract light version.

Definition 3 (Light genericity). Let $s$ be an evaluation strategy. Light $s$-genericity is the following property: if $u$ is $s$-diverging and $C$ is a context such that $C\langle u\rangle$ is $s$-normalizing, then $C\langle t\rangle$ is $s$-normalizing for all $t$. Concisely: $s$-diverging terms are minimums for $\precsim^{s}_{CO}$. Very concisely: $\precsim^{s}_{CO}$ is $s$-ground.

We now show that light genericity is enough to obtain the main application of Barendregt's heavier notion, that is, that $s$-diverging terms can be consistently equated (when $s$ is consistent, which is a very mild hypothesis verified by all strategies of interest), by showing that they are contextually equivalent. This holds in both the closed and open variants, independently of whether the strategy is openable.

Proposition 2 (Collapsibility). Let s be a consistent evaluation strategy satisfying light genericity. Then:


Proposition 3 (Characterization of minimum terms for $\precsim^{s}_{CO}$). Let $s$ be a consistent evaluation strategy satisfying light genericity. Then the minimum terms for $\precsim^{s}_{CO}$ are exactly the $s$-diverging terms.

Proof. By light genericity, $s$-diverging terms are minimums for $\precsim^{s}_{CO}$. Conversely, by consistency of $s$ there exists an $s$-diverging term $t$. Let $u$ be a minimum for $\precsim^{s}_{CO}$. Then $u \precsim^{s}_{CO} t$, hence $u$ is $s$-diverging by $s$-adequacy of $\precsim^{s}_{CO}$ (given by Remark 1). ⊓⊔


Fig. 1. Call-by-Name calculus.

The characterization of minimum terms does not hold in the closed case, because the closed contextual pre-order is not necessarily adequate (Remark 1). For weak evaluation $p_w$ in Plotkin's calculus, indeed, $\Omega_l$ is a minimum term for $\precsim^{p_w}_{C}$ and it is $p_w$-normal. The characterization lifts when $s$ is openable.

## 4 The Head Call-by-Name Case

Here we revisit two results from the theory of the λ-calculus, and use them to prove that head evaluation is openable. The first result is genericity for unsolvable terms—that is, head-diverging terms—for which we give a proof of light genericity. The second result is the maximality of the open head contextual pre-order.

The host language L here is the λ-calculus and the evaluation strategy s is the head strategy h. Both are defned in Fig. 1.

Solvability and Head Reduction. In the literature, the original notion of meaningful terms is that of solvable terms, characterized by Wadsworth as those terminating for head reduction [46]; meaningless terms are their complement.

Definition 4 ((Un)Solvable terms). A term $t$ is solvable if there is a head context $H$ such that $H\langle t\rangle \to_\beta^* I = \lambda x.x$, and unsolvable otherwise.

Theorem 1 (Operational characterization of solvability, [46]). $t$ is solvable (resp. unsolvable) if and only if $t$ is $h$-normalizing (resp. $h$-diverging).
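For instance (our illustration), $t := \lambda x.x\,\Omega$ is $h$-normal, hence solvable: taking the head context $H := \langle\cdot\rangle\,(\lambda z.I)$,

$$H\langle t\rangle = (\lambda x.x\,\Omega)\,(\lambda z.I) \to_\beta (\lambda z.I)\,\Omega \to_\beta I,$$

while $\Omega$ is unsolvable: for every head context $H$, head reduction of $H\langle \Omega\rangle$ eventually loops inside $\Omega$.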

Apart from the proof of Thm. 4.1 below, we shall always use the operational characterization and never refer to solvability itself.

Head Contextual Pre-Orders are Inequational. It is well known that the λ-calculus is confluent, that head normal forms are stable by reduction (that is, $h$ is stabilizing), and that the following normalization theorem holds (for a recent simple proof of this classic result see Accattoli et al. [3]). These facts and Prop. 1 give that the contextual pre-orders are inequational $h$-theories.

Theorem 2 (Head normalization). If $t \to_\beta^* t'$ and $t'$ is $h$-normal then $t$ is $h$-normalizing.

Proposition 4. The head pre-orders $\precsim^{h}_{CO}$ and $\precsim^{h}_{C}$ are inequational $h$-theories.

Proofs of Genericity. In his book [14], Barendregt gives two proofs that $h$-diverging terms can be consistently equated, both using heavy genericity (defined in the introduction). A first one [14, Lemma 16.1.8 and Thm. 16.1.9] uses it to show that the minimal equational theory equating them, noted H, is consistent. This proof is where the heavy part of genericity is used. A second proof [14, Lemma 16.2.3] exploits the consistency of $\simeq^{h}_{CO}$ (noted H<sup>∗</sup> in [14]), which is trivial, and uses genericity to show that $H \subseteq \simeq^{h}_{CO}$, i.e. that $\simeq^{h}_{CO}$ equates all $h$-diverging terms.

The second proof in [14] uses heavy genericity, but the heavy aspect is in fact not needed for the proof to go through. The abstract result of the previous section, indeed, follows essentially the same reasoning and uses only light genericity.

We now prove light genericity for head reduction, via a direct proof, using the rewriting properties of head reduction.

Head Light Genericity via Takahashi's Technique. Our proof of light genericity adapts Takahashi's simple technique for heavy genericity [44]. We stress that two standard and crucial properties of head reduction are at work in Takahashi's proof, despite the fact that she does not point them out, namely the head normalization theorem (Theorem 2) and the following property.

Proposition 5 (Head substitutivity). If $t \to_h^* u$ then $t\{x{\leftarrow}s\} \to_h^* u\{x{\leftarrow}s\}$, for all $t$, $u$, $s$.

Firstly, we prove genericity for h-normal forms, via a simple induction on the structure of normal forms, using an auxiliary lemma [8, Lemma 4].

Proposition 6 (Normal genericity). Let $u$ be $h$-diverging and $s$ be any term.

1. If $r$ is a rigid term and $r\{x{\leftarrow}u\}$ is $h$-normalizing then $r\{x{\leftarrow}s\}$ is a rigid term.

2. If $h$ is $h$-normal and $h\{x{\leftarrow}u\}$ is $h$-normalizing then $h\{x{\leftarrow}s\}$ is $h$-normal.

We can now prove (light) genericity, which is done in two steps. The first one simply lifts $h$-normal genericity to non-$h$-normal terms, obtaining a substitution-based version of genericity. The second one turns the substitution-based statement into a context-based statement, and its proof is what we shall refer to as Takahashi's trick. For the sake of clarity, note that the two statements are not immediately equivalent, since substitution is a capture-avoiding operation while context plugging may capture free variables.

Theorem 3 (Light genericity). Let $u$ be $h$-diverging and $s$ be any term.


have both $t\{x{\leftarrow}u\} \to_h^* h\{x{\leftarrow}u\}$ and $t\{x{\leftarrow}s\} \to_h^* h\{x{\leftarrow}s\}$. Note that $t\{x{\leftarrow}u\}$ $h$-normalizing implies $h\{x{\leftarrow}u\}$ $h$-normalizing. By normal genericity (Prop. 6), $h\{x{\leftarrow}s\}$ is $h$-normal. Therefore, $t\{x{\leftarrow}s\}$ is $h$-normalizing.

2. Let $\mathsf{fv}(u) \cup \mathsf{fv}(s) = \{x_1, \ldots, x_k\}$, and let $y$ be a variable fresh with respect to $\mathsf{fv}(u) \cup \mathsf{fv}(s) \cup \mathsf{fv}(C)$ and not captured by $C$. Note that $\bar{u} := \lambda x_1.\ldots\lambda x_k.u$ is a closed term. Consider $t := C\langle y\,x_1 \ldots x_k\rangle$, and note that:

$$t\{y \leftarrow \bar{u}\} = C\langle \bar{u}x\_1 \ldots x\_k \rangle = C\langle (\lambda x\_1 \ldots \lambda x\_k.u)x\_1 \ldots x\_k \rangle \to\_{\beta}^k C\langle u \rangle.$$

The fact that $u$ is $h$-diverging implies that $\bar{u}$ is also $h$-diverging. If $C\langle u\rangle$ is $h$-normalizing then so is $t\{y{\leftarrow}\bar{u}\}$ by the $h$-normalization theorem (Theorem 2). By genericity as substitution, $t\{y{\leftarrow}s'\}$ is $h$-normalizing for every $s'$. In particular, take $s' := \bar{s} = \lambda x_1.\ldots\lambda x_k.s$; then $t\{y{\leftarrow}\bar{s}\}$ $h$-normalizes to some $h$, and note that $t\{y{\leftarrow}\bar{s}\} \to_\beta^* C\langle s\rangle$. Since $\beta$ is confluent and $h$ is stabilizing, there exists an $h$-normal form $h'$ such that $h \to_\beta^* h'$ and $C\langle s\rangle \to_\beta^* h'$. By the $h$-normalization theorem (Theorem 2), $C\langle s\rangle$ is $h$-normalizing. ⊓⊔
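To see the trick at work on a tiny instance (our illustration), take $C := \lambda x_1.\langle\cdot\rangle$ with $\mathsf{fv}(u) = \{x_1\}$ and $k = 1$. Then $t = C\langle y\,x_1\rangle = \lambda x_1.y\,x_1$ and

$$t\{y{\leftarrow}\bar{u}\} = \lambda x_1.(\lambda x_1.u)\,x_1 \to_\beta \lambda x_1.u = C\langle u\rangle,$$

so the capturing plugging $C\langle u\rangle$ is recovered via the capture-avoiding substitution of the closed term $\bar{u}$, which is what allows the substitution-based statement to be applied.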

Maximality of ≾^h_CO. Barendregt shows that ≃^h_CO is a maximal consistent theory, that is, that equating more terms would yield an inconsistent theory [14, Thm 16.2.6]. Later on, Barendregt and Manzonetto refine the result to ≾^h_CO [16], by using the same technique, which relies on Böhm's theorem. We present here a new proof of maximality based only on light genericity and not needing Böhm's theorem, which is a heavier property, thus obtaining an arguably simpler proof. It is inspired by the proof of maximality for CbV by Egidi et al. [19].


Maximality and Head is Openable. From maximality of ≾^h_CO it elegantly follows that ≾^h_CO and ≾^h_C coincide. To our knowledge, there is no such result in the

Language
  Terms       Λ ∋ t, u, s ::= v | tu          Values  v, v′ ::= x | λx.t
  Root rule   (λx.t)v ↦_βv t{x←v}

Weak Evaluation →_pw
  Weak Ctxs   E ::= ⟨·⟩ | Et | tE             E⟨t⟩ →_pw E⟨t′⟩  if  t ↦_βv t′

Strong Evaluation →_βv
  Strong Ctxs C ::= ⟨·⟩ | Ct | tC | λx.C      C⟨t⟩ →_βv C⟨t′⟩  if  t ↦_βv t′

Fig. 2. Plotkin's CbV and Weak Evaluation pw.

literature but it is folklore for CbN. Note that, despite the apparently trivial proof that we provide below, the equivalence of ≾^h_CO and ≾^h_C is not a trivial fact, as the crucial inclusion ≾^h_C ⊆ ≾^h_CO cannot be proved directly from the definitions of the pre-orders; in our proof, the non-trivial aspect is encapsulated in the use of maximality. Paolini proves that closed theories can be uniquely extended to open terms [37], but this does not imply that the extension of the closed contextual pre-order coincides with the open contextual pre-order.

Proposition 7 (Head evaluation is openable). Open and closed head contextual pre-orders coincide: ≾^h_CO = ≾^h_C.

Proof. Firstly, ≾^h_CO ⊆ ≾^h_C follows from the definitions. Secondly, by maximality of ≾^h_CO (Theorem 4) and since ≾^h_C is consistent (because I ⋠^h_C Ω), the two pre-orders must coincide, i.e. ≾^h_CO = ≾^h_C. ⊓⊔

## 5 Weak Call-by-Value and the VSC

We now turn our attention to the CbV case, for which the literature has already extensively discussed two issues that arise when adapting the CbN case to Plotkin's CbV λ-calculus, recalled after the definition of the calculus.

Plotkin's CbV λ-Calculus. Plotkin's CbV λ-calculus is defined in Fig. 2, following the modern presentation by Dal Lago and Martini [18] rather than Plotkin's original one [40]. We also define its weak evaluation strategy →_pw.
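The weak strategy of Fig. 2 can be run directly. Below is a minimal executable sketch of →_pw for closed terms only (so plain substitution suffices); the term encoding and function names are ours.

```python
# Terms: ("var", x) | ("lam", x, b) | ("app", t, u); values are vars and lams.

def is_value(t):
    return t[0] in ("var", "lam")

def subst(t, x, v):
    # v is a closed value here, so no variable capture can occur
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        return t if t[1] == x else ("lam", t[1], subst(t[2], x, v))
    return ("app", subst(t[1], x, v), subst(t[2], x, v))

def step(t):
    """One ->pw step, or None if t is ->pw-normal."""
    if t[0] != "app":
        return None                       # weak evaluation stops on values
    f, a = t[1], t[2]
    if f[0] == "lam" and is_value(a):
        return subst(f[2], f[1], a)       # root rule (λx.t)v |->βv t{x<-v}
    s = step(f)                           # weak context E ::= Et
    if s is not None:
        return ("app", s, a)
    s = step(a)                           # weak context E ::= tE
    return ("app", f, s) if s is not None else None

def evaluate(t, fuel=1000):
    """Iterate ->pw; raises when the fuel runs out (possible divergence)."""
    for _ in range(fuel):
        s = step(t)
        if s is None:
            return t
        t = s
    raise RuntimeError("fuel exhausted")

I = ("lam", "x", ("var", "x"))
result = evaluate(("app", ("app", I, I), I))   # (I I) I evaluates to I
print(result)
```

Note that `step` never enters an abstraction body, matching the fact that weak contexts E contain no λx.E case.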

Issue 1: CbV Unsolvable Terms Are Not Collapsible. As pointed out by Accattoli and Guerrieri [6], the CbV variant of unsolvable terms is not a good notion of meaningless terms, as their identification induces an inconsistent equational theory. The solution amounts to switching to a different notion of meaningless terms, the inscrutable ones (which coincide with the non-potentially valuable terms of Paolini and Ronchi della Rocca [38,36,41]), which are collapsible [6].

Definition 5 (Testing contexts). Testing contexts are defined by the following grammar: T ::= ⟨·⟩ | (λx.T)t | T t.

Definition 6 ((In)Scrutable terms). A term t is scrutable if there are a testing context T and a value v such that T⟨t⟩ →*_βv v, and inscrutable otherwise.


Fig. 3. Weak Value Substitution Calculus.

Issue 2: CbV Inscrutable Terms Have No Operational Characterization in Plotkin's CbV. The term Ω_l := (λx.δ)(yy)δ is inscrutable but →_βv-normal. Therefore, in Plotkin's CbV there cannot be any operational characterization of inscrutable terms via a notion of divergence, as instead happens in CbN (Thm. 1). This fact is a real drawback, and it boils down to the well-known inability of Plotkin's calculus to deal with open terms, which is also the reason why, as we have pointed out in Sect. 2, the closed and open contextual notions induced by weak evaluation in Plotkin's calculus do not coincide.

The solution amounts to switching to a refined CbV λ-calculus, extending Plotkin's so as to better deal with open terms while retaining the same notion of contextual equivalence, as we now explain.

The VSC. Accattoli and Paolini's value substitution calculus (VSC) [9], defined in Figure 3, is exactly one such framework.

Intuitively, the VSC is a CbV λ-calculus extended with let-expressions, as is common for CbV λ-calculi such as Moggi's [33,34]. We do however replace a let-expression let x = u in t with a more compact explicit substitution (ES for short) notation t[x←u], which binds x in t and has precedence over abstraction and application (that is, λx.t[y←u] stands for λx.(t[y←u]) and ts[y←u] for t(s[y←u])). Moreover, our let/ES does not fix an order of evaluation between t and u, in contrast to many papers in the literature (e.g. Sabry and Wadler [42] or Levy et al. [32]) where u is evaluated first.

The reduction rules of the VSC are slightly unusual, as they use contexts both to allow one to reduce redexes located in sub-terms, which is standard, and to define the redexes themselves, which is less standard; such rules are said to be at a distance. The rationale is that the rewriting rules are designed to mimic cut-elimination on proof nets, via Girard's CbV translation (A ⇒ B)^v = !(A^v ⊸ B^v) of intuitionistic logic into linear logic [25]; see Accattoli [2].

Examples of steps: (λx.y)[y←t]u ↦_m y[x←u][y←t] and (λz.xx)[x←y[y←t]] ↦_e (λz.yy)[y←t]. One with on-the-fly α-renaming is (λx.y)[y←t]y ↦_m z[x←y][z←t].

A key point is that β-redexes are decomposed via ESs: indeed, ↦_βv is simulated as (λx.t)v ↦_m t[x←v] ↦_e t{x←v}. Note that the by-value restriction is on ES-redexes, not on β-redexes, because only values can be substituted. The VSC is a conservative refinement for both closed and open terms: its weak evaluation on closed terms terminates if and only if Plotkin's →_pw does, hence the closed contextual pre-orders coincide (Prop. 8.3 below). On open terms, the VSC can simulate every →_pw step, but not vice versa (which is why we adopt the VSC).
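The two-step decomposition of a βv-redex can be sketched concretely, extending the earlier toy encoding with an ES node ("es", b, x, u) for b[x←u]; for brevity, the rules below fire at the root only, with no distance, and all names are ours.

```python
def m_step(t):
    """Multiplicative step: (λx.b)u |->m b[x<-u]."""
    if t[0] == "app" and t[1][0] == "lam":
        return ("es", t[1][2], t[1][1], t[2])
    return None

def e_step(t):
    """Exponential step: b[x<-v] |->e b{x<-v}, only when v is a value."""
    if t[0] == "es" and t[3][0] in ("var", "lam"):
        return subst(t[1], t[2], t[3])
    return None

def subst(t, x, v):
    # naive substitution; v is assumed closed, so no capture can occur
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        return t if t[1] == x else ("lam", t[1], subst(t[2], x, v))
    if t[0] == "app":
        return ("app", subst(t[1], x, v), subst(t[2], x, v))
    b, y, u = t[1], t[2], t[3]            # ("es", b, y, u): y binds in b
    return ("es", b if y == x else subst(b, x, v), y, subst(u, x, v))

I = ("lam", "z", ("var", "z"))
redex = ("app", ("lam", "x", ("var", "x")), I)   # (λx.x)I
after_m = m_step(redex)                          # x[x<-I]
after_e = e_step(after_m)                        # I
print(after_m, after_e)
```

The by-value restriction lives entirely in `e_step`: `m_step` fires on any argument, but the ES it creates can only be eliminated once its content is a value.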

The Characterization of Inscrutable Terms. In the VSC, (in)scrutable terms admit an operational characterization, due to Accattoli and Paolini [9].

Theorem 5 (Operational characterization of (in)scrutability, [9]). A term t is scrutable (resp. inscrutable) if and only if t is w-normalizing (resp. w-diverging).

Apart from the proof of Thm. 8 below and Prop. 15 in Section 10, we shall always use the operational characterization and never refer to scrutability itself.

Weak Contextual Pre-Orders Are Inequational. The VSC is confluent and its weak strategy w is diamond [9]. Moreover, w is stabilizing and the normalization theorem below holds. These facts and Prop. 1 give that the contextual pre-orders are inequational w-theories. Moreover, the closed pre-order coincides with the one of Plotkin's calculus⁴.

Proposition 8. 1. Weak normalization, [6]: if t →*_vsc t′ and t′ is w-normal, then t is w-normalizing.


## 6 Light Genericity for Weak Call-by-Value

Here, we prove a new result: light genericity for weak evaluation in the VSC.

Takahashi's Technique Does Not Really Scale Up. Proving CbV light genericity via Takahashi's technique is not as elegant as for CbN. We did develop such a proof, but it is considerably more involved than for CbN. There are various reasons. Firstly, the substitutivity property of Prop. 5 does not hold in CbV: substitutivity for values does hold, but one really needs general substitutivity. Secondly, Takahashi's trick lifting genericity as substitution to genericity as contexts also breaks, because it is based on adding abstractions, which do not change unsolvability but do affect inscrutability. Thirdly, head reduction reduces only on the head, while weak reduction reduces in all sub-terms out of abstractions, which raises additional difficulties. Therefore, we follow a different approach.

⁴ The closed CbV contextual pre-order in Carraro and Guerrieri's shuffling calculus [17], studied by Kerinec et al. in [29], also coincides with ≾^w_C = ≾^pw_C. Moreover, the open pre-order of the shuffling calculus coincides with the one of the VSC. These facts follow easily from results relating the three calculi in [26,4,6].

Light Genericity 37

Linear Types  L, L′ ::= M → N        Multi Types  M, N ::= [L_1, . . . , L_n]   (n ≥ 0)

$$\frac{}{x:[L] \vdash x:L}\;\mathsf{ax} \qquad \frac{\Gamma, x:M \vdash t:N}{\Gamma \vdash \lambda x.t : M \to N}\;\lambda \qquad \frac{(\Gamma_i \vdash v : L_i)_{i \in I} \quad I \text{ finite}}{\biguplus_{i \in I}\Gamma_i \vdash v : [L_i]_{i \in I}}\;\mathsf{many}$$

$$\frac{\Gamma \vdash t : [M \to N] \quad \Delta \vdash u : M}{\Gamma \uplus \Delta \vdash tu : N}\;@ \qquad \frac{\Gamma, x:M \vdash t : N \quad \Delta \vdash u : M}{\Gamma \uplus \Delta \vdash t[x{\leftarrow}u] : N}\;\mathsf{es}$$

Fig. 4. Call-by-Value Multi Type System for VSC.

Light Genericity via Multi Types. We provide a proof of light genericity relying on Accattoli and Guerrieri's characterization of w-diverging terms [6] via Ehrhard's CbV multi types [20] (multi types are also known as non-idempotent intersection types). The idea behind the proof is very simple: we show that multi types induce a pre-order ≾_type contained in the open contextual pre-order, that is, ≾_type ⊆ ≾^w_CO, and that w-diverging terms are minimum elements for ≾_type, which implies that they are minimums for ≾^w_CO. The proof itself is very simple as well. What is less simple is the characterization of w-diverging terms via multi types, which however we use as a black box from the literature. The same technique can also be used in CbN, since h-diverging terms can also be characterized via multi types.

Our argument via multi types is similar to Ghilezan's, based on intersection types for CbN [24], even if the details are quite different: she proves a different statement, namely heavy genericity in its as-application variant (see the footnote at page 5), and she uses intersection types (which are idempotent, or non-linear). We use multi types because the result from the literature that we exploit is based on them, but the proof technique could also be based on intersection types (once the result from the literature is adapted, which is possible).

CbV Multi Types. We introduce the bare minimum about CbV multi types, since here they are used only as a tool, not as an object of study. For more, see [5,6].

The definition of the multi type system for the VSC is in Figure 4. Multi types M are defined by mutual induction with linear types L. Multi types are finite multisets [L_1, . . . , L_n], which intuitively denote the intersection L_1 ∩ . . . ∩ L_n, where the intersection ∩ is a commutative, associative, and non-idempotent (A ∩ A ≠ A) operator, the neutral element of which is [ ], the empty multiset. Note that there is no ground type: its role is played by the empty multi type [ ].

Typing judgments have shape Γ ⊢ t:T, where T is a linear or a multi type and Γ is a typing context, that is, an assignment of multi types to a finite set of variables (Γ = x_1:M_1, . . . , x_n:M_n). A typing derivation π ▷ Γ ⊢ t:M is a tree built from the rules in Figure 4 which ends with the typing judgment Γ ⊢ t:M.

Typing Rules. Linear types only type values, via the rules ax and λ. To give a multi type to a value v, one has to use the many rule, turning an indexed family of linear types for v into a multi type. Note that any value can be typed with the empty multi type [ ]. The symbol ⊎ is the disjoint union operator on multisets (corresponding to the intersection operator when intersections are multisets).
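The multiset algebra of multi types can be sketched with `collections.Counter` (the encoding of linear types below is ours and purely illustrative):

```python
from collections import Counter

def mtype(*linears):
    """[L1, ..., Ln] as a finite multiset of linear types."""
    return Counter(linears)

L = ("arrow", (), ())        # some linear type M -> N, opaquely encoded
A = mtype(L)                 # the multi type [L]

assert A + A != A                         # non-idempotence: [L] ⊎ [L] = [L, L] ≠ [L]
assert A + mtype() == A                   # [ ] is the neutral element of ⊎
assert mtype(L, L) + A == A + mtype(L, L) # ⊎ is commutative
print(A + A)
```

Counter addition sums multiplicities, which is exactly the disjoint union ⊎; the failure of `A + A == A` is the non-idempotence that distinguishes multi types from ordinary (idempotent) intersection types.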

#### 38 B. Accattoli, A. Lancelot

Characterization of Termination. The key property of CbV multi types is that typability characterizes termination with respect to weak evaluation →w; therefore w-diverging terms are simply the untypable ones. The characterization is proved via subject reduction and expansion.

### Theorem 6 (Characterization of termination, [6]).

1. Subject reduction and expansion: let t →_vsc u. Then Γ ⊢ t:M if and only if Γ ⊢ u:M.

2. t is →_w-normalizing if and only if there exist Γ and M such that Γ ⊢ t:M.

Type Pre-order. The type pre-order is defined as follows.

Definition 7 (Type pre-order). The type pre-order t ≾_type t′ holds if Γ ⊢ t:M implies Γ ⊢ t′:M for all Γ and M.

Point 2 of Thm. 6 ensures that ≾_type is both w-ground (which is the key point of the proof technique) and w-adequate. We also show that ≾_type is an inequational w-theory. Point 1 of Thm. 6 implies that ≾_type contains w-conversion. Compatibility holds because ≾_type is defined via a compositional type system.

Proposition 9. The type pre-order ≾_type is a w-ground, w-adequate, and consistent inequational w-theory.

Adequacy and compatibility of ≾_type imply that ≾_type ⊆ ≾^w_CO, hence minimum elements of ≾_type are minimum for ≾^w_CO.

Theorem 7. Light genericity for w: ≾^w_CO is w-ground.

## 7 CbV Maximality

Here, we use light genericity to prove maximality of ≾^w_CO and the fact that w is openable, adapting the proofs for the head case.

Maximality of ≾^w_CO. The following result adapts to our setting a result of Accattoli and Guerrieri [6, Thm 6.5], itself adapting a result by Egidi et al. [19, Prop 35].


2. From Point 1 and CbV light genericity (Thm. 7.3), as in the head case. ⊓⊔

The proof of Thm. 8.1 is similar to the one of the CbN case, but it is not the same argument: the CbN one relies on solvability, reduction to the identity, and head context closure; the CbV one relies on scrutability, reduction to a value, a different context closure, and on the fact that diverging arguments cannot be erased in CbV. Therefore, our proofs of maximality cannot be done abstractly.

The fact that weak evaluation is openable then follows as in the head case.

Proposition 10 (Weak evaluation is openable in the VSC). Open and closed weak contextual pre-orders coincide: ≾^w_CO = ≾^w_C.

## 8 Co-Genericity

Here, we study a new notion dual to light genericity, which we dub co-genericity.

s-Super Terms. In the λ-calculus (both in CbN and CbV) there are terms reducing to an infinite sequence of abstractions using strong evaluation. For instance, let δ_λ := λx.λy.xx; then Ω_λ := δ_λδ_λ is one such term. Indeed, its weak evaluation gives Ω_λ ↦_βv λy.Ω_λ. Now, the new copy of Ω_λ shall itself (strongly) reduce to λy.Ω_λ, and so on, producing λy.λy.λy. . . . Such a behavior, when seen with respect to weak evaluation, is a form of hereditary, or super, normalization.

Note that the example can be generalized by using δ_kλ := λx.λy_1. . . . λy_k.xx instead of δ_λ, obtaining a family of terms Ω_kλ := δ_kλδ_kλ, all producing infinitely many head abstractions and with no (finite) reduct in common. As for meaningless terms, it is natural to wonder whether these super meaningful terms can all be consistently collapsed. In the literature, super terms appear in weak CbN as maximum (⊤) elements in Lévy-Longo trees [31] (though we are not aware of a proof that these ⊤-enriched Lévy-Longo trees induce a consistent equational theory) and in the hierarchy of unsolvable terms [35,1] as unsolvable terms of order ∞. In CbV, we believe that super terms have not been studied.

Here we connect the collapsibility of super terms to a sort of dual variant of light genericity. We start by setting up the concept of super normalization abstractly. It is specific to weak strategies and makes sense also for weak CbN.

Definition 8 (s-super terms). Let s be a weak strategy. A term t is s-super (normalizing) if, co-inductively, t →*_s λx.t′ and t′ is s-super.
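Being co-inductive, Def. 8 cannot be checked in full, but its finite unfoldings can: with the toy weak CbV evaluator below (encoding ours), each round of weak evaluation of Ω_λ yields yet another head abstraction.

```python
def subst(t, x, v):                       # naive; v is closed here
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        return t if t[1] == x else ("lam", t[1], subst(t[2], x, v))
    return ("app", subst(t[1], x, v), subst(t[2], x, v))

def step(t):                              # one weak CbV step, or None
    if t[0] != "app":
        return None
    f, a = t[1], t[2]
    if f[0] == "lam" and a[0] in ("var", "lam"):
        return subst(f[2], f[1], a)
    s = step(f)
    if s is not None:
        return ("app", s, a)
    s = step(a)
    return ("app", f, s) if s is not None else None

def evaluate(t, fuel=100):
    for _ in range(fuel):
        s = step(t)
        if s is None:
            return t
        t = s
    raise RuntimeError("fuel exhausted")

delta = ("lam", "x", ("lam", "y", ("app", ("var", "x"), ("var", "x"))))
omega = ("app", delta, delta)             # Ω_λ = δ_λ δ_λ

t, layers = omega, 0
for _ in range(5):
    t = evaluate(t)                       # weak evaluation stops at a value...
    assert t[0] == "lam"                  # ...which is again an abstraction
    t = t[2]                              # peel the head λ and continue inside
    layers += 1
print(layers, "head abstractions peeled")
```

After each peeling, the residual term is literally Ω_λ again, which is why the loop never fails: the definition's co-inductive unfolding is here a cycle of length one.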

Co-genericity is the property stating that s-super terms are maximum elements for ≾^s_CO, which shall be captured by the following notion of being s-roof. As expected, a term t is maximum for a pre-order ≤ if u ≤ t for all terms u.

Definition 9. Let s be a weak strategy. An inequational s-theory ≤^s_T is called:


Definition 10 (Co-genericity). Let s be a weak strategy. Co-s-genericity is the following property: if u is s-super and C is a context such that C⟨t⟩ is s-normalizing for some t, then C⟨u⟩ is s-normalizing. Concisely: s-super terms are maximum for ≾^s_CO. Very concisely: ≾^s_CO is s-roof.

Note that there cannot be a heavy co-genericity property mentioning strong normal forms, because s-super terms are diverging for strong s-evaluation, by definition. Co-genericity is thus enabled by the switch from heavy to light genericity.

As for light genericity, co-genericity is enough to prove that s-super terms can be consistently equated (as soon as s is consistent).

Proposition 11 (Co-collapsibility). Let s be a consistent weak strategy satisfying co-genericity. Then ≃^s_CO equates all s-super terms and is consistent.

A weak strategy s is super consistent if there exists an s-super term.

Proposition 12 (Characterization of maximum terms for ≾^s_CO). Let s be a super consistent weak strategy satisfying co-genericity. If ≾^s_CO is super s-adequate then the maximum terms for ≾^s_CO are exactly the s-super terms.

Proof. By co-genericity, s-super terms are maximum for ≾^s_CO. For the other direction, let t be an s-super term, which exists by super consistency of s, and let u be maximal for ≾^s_CO. Then t ≾^s_CO u. By super s-adequacy, u is s-super. ⊓⊔

The two following sections present independent proofs of co-genericity for weak evaluation in the VSC. We do not use multi types, for good reason: w-super terms are not maximum for ≾_type; see the technical report [8, Prop. 18].

## 9 CbV Co-Genericity via Takahashi's Technique

In this section, we prove co-genericity for weak evaluation in the VSC by adapting Takahashi's technique for genericity.

Co-Genericity via Normal Forms. The proof of co-genericity for CbV is based on a key property of w-super terms with respect to w-normal forms, akin to the normal genericity lemma of the CbN case. Then co-genericity follows via Takahashi's trick, which is not problematic here, since w-super terms are stable under the addition of head abstractions. Another difficulty arises in CbV, however, which is discussed in the technical report [8, p.27] before the proof of the following lemma.

Lemma 1 (Key property of w-super terms). Let s be a w-super term. If n is a w-normal form then n{x←s} is w-normalizing.

As CbV evaluation only validates value-substitutivity (substitutivity restricted to values: if t →_w u then t{x←v} →_w u{x←v} for all values v), the statement of co-genericity as substitution is split into two points.

Lemma 2 (Co-genericity). Let u be any term, s be a w-super term, v be any value, and v ′ be a w-super value.


Super w-Adequacy for ≾^w_CO. Co-genericity states that w-super terms are maximum for ≾^w_CO. For the full characterization (Prop. 12), we need super adequacy and super consistency. Super consistency is easily verified, as Ω_λ exists.

### Proposition 13 (Super w-Adequacy).


## 10 CbV (Co-)Genericity via Applicative Similarity

In this section, we present alternative proofs of genericity and co-genericity for weak evaluation in the VSC. We use a well-known tool developed to study Plotkin's CbV contextual equivalence ≃^pw_C, namely the CbV variant [27,39] of Abramsky's applicative (bi)similarity [1].

The following definition differs slightly from the literature on two points. Firstly, we use a well-known equivalent definition that does not ask that the results of evaluation be similar (which is needed for the definition of applicative simulations, but not for applicative similarity). Secondly, we replace Plotkin's CbV with the VSC, which are equivalent for closed terms.

Definition 11 (Applicative similarity [1]). Applicative similarity t ≾^w_AS u is the relation on closed terms defined by: if t v_1 . . . v_n is w-normalizing then u v_1 . . . v_n is w-normalizing, for all n ∈ ℕ and closed values v_1, . . . , v_n. Applicative similarity is extended to open terms via closing substitutions: t ≾^w_AS u if tσ ≾^w_AS uσ for all substitutions of values σ closing t and u.
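Def. 11 quantifies over all value sequences and full normalization, so it cannot be decided; still, a fuel-bounded approximation makes the definition tangible (all names below are ours, and "does not normalize" really means "did not normalize within the given fuel"):

```python
from itertools import product

def subst(t, x, v):                        # naive; closed values only
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        return t if t[1] == x else ("lam", t[1], subst(t[2], x, v))
    return ("app", subst(t[1], x, v), subst(t[2], x, v))

def step(t):                               # one weak CbV step, or None
    if t[0] != "app":
        return None
    f, a = t[1], t[2]
    if f[0] == "lam" and a[0] in ("var", "lam"):
        return subst(f[2], f[1], a)
    s = step(f)
    if s is not None:
        return ("app", s, a)
    s = step(a)
    return ("app", f, s) if s is not None else None

def normalizes(t, fuel=200):
    for _ in range(fuel):
        s = step(t)
        if s is None:
            return True
        t = s
    return False                           # out of fuel: presumed diverging

def similar_upto(t, u, values, n, fuel=200):
    """t ≾AS u, tested on all value sequences of length <= n from `values`."""
    for k in range(n + 1):
        for vs in product(values, repeat=k):
            at, au = t, u
            for v in vs:
                at, au = ("app", at, v), ("app", au, v)
            if normalizes(at, fuel) and not normalizes(au, fuel):
                return False
    return True

I = ("lam", "x", ("var", "x"))
delta = ("lam", "x", ("app", ("var", "x"), ("var", "x")))
Omega = ("app", delta, delta)              # w-diverging

ok_min = similar_upto(Omega, I, [I, delta], 2)   # the diverging term looks minimum
ok_rev = similar_upto(I, Omega, [I], 1)          # but I is not below Ω
print(ok_min, ok_rev)
```

The first check passes vacuously, exactly as in Prop. 14.1 below: a w-diverging term never normalizes under any applicative tests, so nothing can refute its similarity to any other term.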

From the following lemma, it follows easily that w-diverging and w-super terms are minimum and maximum for ≾^w_AS.

Lemma 3. If t is w-diverging (resp. w-super) then so are t{x←v} and tv.

Proposition 14. 1. Minimums: w-diverging terms are minimum for ≾^w_AS. 2. Maximums: w-super terms are maximum for ≾^w_AS.


Proving (co-)genericity amounts to showing that the results of the previous proposition transfer to ≾^w_CO. This can be done by showing ≾^w_AS ⊆ ≾^w_CO via:



Soundness of ≾^w_AS is a non-trivial result in the literature, established by Howe's method [27,39], which we here use as a black box. About openability: we proved it in Sect. 7, but that proof uses light genericity (and maximality), which is our goal here, so we have to re-prove openability without using light genericity.

w is Openable without Light Genericity. We know that ≾^w_CO ⊆ ≾^w_C, thus we only have to show the other inclusion, which follows from w-adequacy of ≾^w_C.

Proposition 15. The inequational theory ≾^w_C is w-adequate, hence w is openable.

Proof. The proof is in [8, p.32]; here we only give the idea for w-adequacy. Let t ≾^w_C u with t w-normalizing. Then we use the operational characterization of scrutability (Thm. 5) to build a closing context C such that C⟨t⟩ is w-normalizing and such that if u were w-diverging, then so would be C⟨u⟩. ⊓⊔

(Co-)genericity via Applicative Similarity. The three points above are established, and so we obtain new proofs of light genericity and co-genericity.

Proposition 16 (CbV light (co-)genericity). ≾^w_CO is w-ground and w-roof.

## 11 Conclusions

We develop in this paper a theory of light genericity, which is as powerful as heavy genericity for proving the collapsibility of meaningless terms, is connected to contextual pre-orders, and can be dualized as co-genericity.

We also provide light proofs of the maximality of open contextual pre-orders, which in turn provide an elegant proof of the fact that the closed and open contextual pre-orders coincide. Lastly, we show that CbV applicative similarity can be used for alternative simple proofs of light (co-)genericity. These simple proofs via applicative similarity are easily adaptable to the (weak) CbN case.

Summing up, our work paints Barendregt's genericity with a fresh, modern hue, connecting it to program equivalences and maximality, following an abstract approach and providing neat proofs.

Acknowledgements. To Giulio Manzonetto and Gabriele Vanoni for feedback on a first draft, and to Victor Arrial for helpful discussions about genericity.

## References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## Logical Predicates in Higher-Order Mathematical Operational Semantics

Sergey Goncharov¹,⋆, Alessio Santamaria², Lutz Schröder¹,⋆⋆, Stelios Tsampas¹,⋆⋆⋆ and Henning Urbat¹,†(B)

¹ Friedrich-Alexander-Universität Erlangen-Nürnberg, Erlangen, Germany
{sergey.goncharov,lutz.schroder,stelios.tsampas,henning.urbat}@fau.de

² University of Sussex, Brighton, UK. a.santamaria@sussex.ac.uk

Abstract. We present a systematic approach to logical predicates based on universal coalgebra and higher-order abstract GSOS, thus making a first step towards a unifying theory of logical relations. We start with the observation that logical predicates are special cases of *coalgebraic invariants* on mixed-variance functors. We then introduce the notion of a *locally maximal logical refinement* of a given predicate, with a view to enabling inductive reasoning, and identify sufficient conditions on the overall setup in which locally maximal logical refinements canonically exist. Finally, we develop induction-up-to techniques that simplify inductive proofs via logical predicates on systems encoded as (certain classes of) higher-order GSOS laws by identifying and abstracting away from their boilerplate part.

## 1 Introduction

Logical relations are arguably the most widely used method for reasoning on higher-order languages. Historically, early examples of logical relations [44,46,47,51,55,56,58,59] were based on denotational semantics, before the method evolved into logical relations based on operational semantics [7,17,34,50,52,53]. Today, operationally-based logical relations are ubiquitous and serve purposes ranging from strong normalization proofs [6] and safety properties [21,22] to reasoning about contextual equivalence [5,60] and formally verifed compilation [8,33,45,48], in a variety of settings such as efectful [37], probabilistic [4,10,63], and diferential programming [15,40,41].

Unfortunately, despite the extensive literature, there is a distinct lack of a general formal theory of (operational) logical relations. As a reasoning method, logical relations are applied in a largely empirical manner, more so because their core principles are well understood on an intuitive level. For example, there is typically no formal notion of a logical predicate or relation; instead, if a predicate or relation is defined by induction on

© The Author(s) 2024

N. Kobayashi and J. Worrell (Eds.): FoSSaCS 2024, LNCS 14575, pp. 47–69, 2024. https://doi.org/10.1007/978-3-031-57231-9_3

<sup>⋆</sup> Supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – project number 501369690

<sup>⋆⋆</sup> Supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – project number 419850228

<sup>⋆ ⋆ ⋆</sup> Supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – project numbers 419850228 and 527481841

<sup>†</sup> Supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – project number 470467389

types and maps "related inputs to related outputs", it then meets the informal criteria to be called "logical". However, the empirical character of logical relations is problematic for two main reasons: (i) complex machinery associated to logical relations needs to be re-established anew on a per-case basis, and (ii) it is hard to abstract and simplify said machinery, even though certain parts of proofs via logical relations seem generic.

Recently, *Higher-order Mathematical Operational Semantics* [24], or *higher-order abstract GSOS*, has emerged as a unifying approach to the operational semantics of higher-order languages. In this framework, languages are represented as *higher-order GSOS laws*, a form of distributive law of a syntax functor Σ over a mixed-variance behaviour bifunctor *B*. In further work [62], an abstract form of *Howe's method* [16,31,32] for higher-order abstract GSOS has been identified, in which an otherwise complex and application-specific operational technique is, at the same time, lifted to an appropriate level of generality and reduced to a simple *lax bialgebra* condition.

In the present paper, we work towards establishing a theory of logical relations based on coalgebra and higher-order abstract GSOS, starting from *logical predicates*, understood as unary logical relations. In more detail, we present the following contributions:


(ii) The development of efficient reasoning techniques on logical predicates, which we call *induction up-to* (Theorems 34 and 36), for higher-order GSOS laws satisfying a *relative flatness* condition (Definition 30).

We illustrate (ii) by providing proofs of strong normalization for typed combinatory logic and type safety for the simply typed λ-calculus which, thanks to the use of our up-to techniques, are significantly shorter and simpler than standard arguments found in the literature. Finally, we exploit the genericity of our framework to study strong normalization at the level of higher-order GSOS laws (Theorem 42). We note that the implementation of typed languages as higher-order GSOS laws as such is also novel.

Full proofs and additional details can be found in the arXiv version [25] of our paper.

*Related work* While denotational logical relations have been studied in categorical generality, e.g. [27,28,29,38], general abstract foundations of operational logical relations are far less developed. In recent work [13,14], Dagnino and Gavazzo introduce a categorical notion of operational logical relations that is largely orthogonal to ours, in particular regarding the parametrization of the framework: In *op. cit.*, the authors work with a fixed *fine-grain call-by-value* language [42], parametrized by a signature of generic effects, while the notion of logical relation is kept variable and in fact is parametrized over a fibration; contrastingly, we keep to the traditional notion of logical relation but parametrize over the syntax and semantics of the language. Moreover, we work with a small-step operational semantics, whereas the semantics used in *op. cit.* is an axiomatically defined categorical evaluation semantics.

## 2 Preliminaries

#### 2.1 Category Theory

Familiarity with basic category theory [43] (e.g. functors, natural transformations, (co)limits, monads) is assumed. We review some concepts and notation.

*Notation.* Given objects X_1, X_2 in a category C, we write X_1 × X_2 for the product and ⟨f_1, f_2⟩: X → X_1 × X_2 for the pairing of f_i: X → X_i, i = 1, 2. We let X_1 + X_2 denote the coproduct, inl: X_1 → X_1 + X_2 and inr: X_2 → X_1 + X_2 the injections, [g_1, g_2]: X_1 + X_2 → X the copairing of g_i: X_i → X, i = 1, 2, and ∇ = [id_X, id_X]: X + X → X the codiagonal. The *slice category* C/X, where X ∈ C, has as objects all pairs (Y, p_Y) of an object Y ∈ C and a morphism p_Y: Y → X, and a morphism from (Y, p_Y) to (Z, p_Z) is a morphism f: Y → Z of C such that p_Y = p_Z · f. The *coslice category* X/C is defined dually.

*Extensive categories.* A category $\mathbb{C}$ is *(finitely) extensive* [12] if it has finite coproducts and for every finite family of objects $X_i$ ($i \in I$) the canonical functor $\prod_{i\in I} \mathbb{C}/X_i \to \mathbb{C}/\coprod_{i\in I} X_i$ sending $(p_i \colon Y_i \to X_i)_{i\in I}$ to $\coprod_{i\in I} p_i \colon \coprod_i Y_i \to \coprod_i X_i$ is an equivalence of categories. A *countably extensive* category satisfies the analogous property for countable coproducts. In extensive categories, coproduct injections $\mathsf{inl}, \mathsf{inr}$ are monic, and coproducts of monomorphisms are monic; generally, coproducts behave like disjoint unions of sets.

Example 1. Examples of countably extensive categories include the category $\mathbf{Set}$ of sets and functions; the category $\mathbf{Set}^{\mathbb{C}}$ of presheaves on a small category $\mathbb{C}$ and natural transformations; and the categories of posets and monotone maps, nominal sets and equivariant maps, and metric spaces and non-expansive maps, respectively.

*Algebras.* Given an endofunctor $F$ on a category $\mathbb{C}$, an *F-algebra* is a pair $(A, a)$ consisting of an object $A$ and a morphism $a \colon FA \to A$ (the *structure*). A *morphism* from $(A, a)$ to an $F$-algebra $(B, b)$ is a morphism $h \colon A \to B$ of $\mathbb{C}$ such that $h \cdot a = b \cdot Fh$. Algebras for $F$ and their morphisms form a category $\mathbf{Alg}(F)$, and an *initial F-algebra* is simply an initial object in that category. We denote the initial $F$-algebra by $\mu F$ if it exists, and its structure by $\iota \colon F(\mu F) \to \mu F$. Initial algebras admit the *structural induction principle*: the algebra $\mu F$ has no proper subalgebras, that is, every $F$-algebra monomorphism $m \colon (A, a) \rightarrowtail (\mu F, \iota)$ is an isomorphism.
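As a concrete Set-based illustration of these notions (a sketch in an encoding of our own choosing, not taken from the paper), consider the functor $F(X) = 1 + X$ on $\mathbf{Set}$: its initial algebra is the set of natural numbers, and the unique algebra morphism out of it is the familiar fold:

```python
# Sketch (not from the paper): F-algebras for F(X) = 1 + X in Set.
# The initial algebra is N with structure iota: 1 + N -> N given by
# iota(inl(*)) = 0 and iota(inr(n)) = n + 1.

def fold(a_zero, a_succ, n):
    """Unique F-algebra morphism from the initial algebra (N, iota)
    to the algebra (A, a) with a(inl(*)) = a_zero, a(inr(x)) = a_succ(x)."""
    result = a_zero
    for _ in range(n):
        result = a_succ(result)
    return result

# The algebra (int, 0, x -> x + 3) interprets n as 3 * n:
assert fold(0, lambda x: x + 3, 4) == 12
```

Structural induction then says: a property that holds at `a_zero` and is preserved by `a_succ` (i.e. carves out a subalgebra) holds for all of $\mu F$.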

More generally, a *free F-algebra* on an object $X$ of $\mathbb{C}$ is an $F$-algebra $(F^\star X, \iota_X)$ together with a morphism $\eta_X \colon X \to F^\star X$ of $\mathbb{C}$ such that for every algebra $(A, a)$ and every $h \colon X \to A$ in $\mathbb{C}$, there exists a unique $F$-algebra morphism $h^\sharp \colon (F^\star X, \iota_X) \to (A, a)$ such that $h = h^\sharp \cdot \eta_X$. If free algebras exist on every object, their formation induces a monad $F^\star \colon \mathbb{C} \to \mathbb{C}$, the *free monad* generated by $F$. Every $F$-algebra $(A, a)$ yields an Eilenberg-Moore algebra $\hat{a} \colon F^\star A \to A$ as the free extension of $\mathrm{id}_A \colon A \to A$.

The most familiar example of functor algebras are algebras for a signature. Given a set $S$ of *sorts*, an *S-sorted algebraic signature* consists of a set $\Sigma$ of operation symbols together with a map $\mathrm{ar} \colon \Sigma \to S^\star \times S$ associating to every $\mathsf{f} \in \Sigma$ its *arity*. We write $\mathsf{f} \colon s_1 \times \cdots \times s_n \to s$ if $\mathrm{ar}(\mathsf{f}) = (s_1, \ldots, s_n, s)$, and $\mathsf{f} \colon s$ if $n = 0$ (in which case $\mathsf{f}$ is called a *constant*). Every signature $\Sigma$ induces a polynomial functor on the category $\mathbf{Set}^S$ of $S$-sorted sets, denoted by the same letter $\Sigma$, given by $(\Sigma X)_s = \coprod_{\mathsf{f} \colon s_1 \cdots s_n \to s} \prod_{i=1}^n X_{s_i}$ for $X \in \mathbf{Set}^S$ and $s \in S$. An algebra for the functor $\Sigma$ is precisely an algebra for the signature $\Sigma$, viz. an $S$-sorted set $A = (A_s)_{s \in S}$ in $\mathbf{Set}^S$ equipped with an operation $\mathsf{f}^A \colon \prod_{i=1}^n A_{s_i} \to A_s$ for every $\mathsf{f} \colon s_1 \cdots s_n \to s$ in $\Sigma$. Morphisms of $\Sigma$-algebras are $S$-sorted maps respecting the algebraic structure. Given an $S$-sorted set $X$ of variables, the free algebra $\Sigma^\star X$ is the $\Sigma$-algebra of $\Sigma$-terms with variables from $X$; more precisely, $(\Sigma^\star X)_s$ is inductively defined by $X_s \subseteq (\Sigma^\star X)_s$ and $\mathsf{f}(t_1, \ldots, t_n) \in (\Sigma^\star X)_s$ for all $\mathsf{f} \colon s_1 \cdots s_n \to s$ and $t_i \in (\Sigma^\star X)_{s_i}$. In particular, the free algebra on the empty set is the initial algebra $\mu\Sigma$; it is formed by all *closed terms* of the signature. For every $\Sigma$-algebra $(A, a)$, the induced Eilenberg-Moore algebra $\hat{a} \colon \Sigma^\star A \to A$ is given by the map that evaluates terms over $A$ in the algebra $A$.
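The evaluation map can be made concrete in a small sketch (a hypothetical single-sorted encoding with names of our own choosing): terms over a signature are evaluated in an algebra by structural recursion, which is exactly the free extension of the identity described above.

```python
# Sketch (hypothetical names): terms over a single-sorted signature, and the
# Eilenberg-Moore evaluation map that interprets a term in a Sigma-algebra A
# by structural recursion.
from dataclasses import dataclass

@dataclass
class Term:
    op: str            # operation symbol f in Sigma, or "var"
    args: tuple = ()   # subterms (empty for constants), or (value,) for a variable

def var(x):
    """The unit eta_X: X -> Sigma*X, embedding a variable as a term."""
    return Term("var", (x,))

def evaluate(algebra, t):
    """Interpret every operation symbol by its implementation f^A in
    `algebra` (a dict mapping symbols to functions)."""
    if t.op == "var":
        return t.args[0]
    return algebra[t.op](*(evaluate(algebra, s) for s in t.args))

# The algebra A = int with plus^A = + and the constant zero^A = 0:
A = {"plus": lambda x, y: x + y, "zero": lambda: 0}
t = Term("plus", (var(2), Term("plus", (var(3), Term("zero")))))
assert evaluate(A, t) == 5
```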

*Coalgebras.* Dual to the notion of algebra, a *coalgebra* for an endofunctor $F$ on $\mathbb{C}$ is a pair $(C, c)$ of an object $C$ (the *state space*) and a morphism $c \colon C \to FC$ (the *structure*).
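For instance (a Set-based sketch, not from the paper), a coalgebra for the stream functor $F(X) = A \times X$ is a transition function that outputs an element of $A$ together with a next state; repeatedly unfolding the structure map observes the behaviour of a state:

```python
# Sketch: a coalgebra c: C -> A x C for the stream functor F(X) = A x X,
# observed by unfolding the structure map n times.
def unfold(c, state, n):
    out = []
    for _ in range(n):
        a, state = c(state)   # one observation step: output and next state
        out.append(a)
    return out

# The coalgebra c(n) = (n, n + 1) on the natural numbers generates 0, 1, 2, ...
assert unfold(lambda n: (n, n + 1), 0, 4) == [0, 1, 2, 3]
```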

## 2.2 Higher-Order Abstract GSOS

We summarize the framework of higher-order abstract GSOS [24], which extends the original, first-order counterpart introduced by Turi and Plotkin [61]. In higher-order abstract GSOS, the operational semantics of a higher-order language is presented in the form of a *higher-order GSOS law*, a categorical structure parametric in

(1) a category $\mathbb{C}$ with finite products and coproducts;

(2) an object *V* ∈ C of *variables*;

(3) an endofunctor $\Sigma \colon \mathbb{C} \to \mathbb{C}$, where $\Sigma = V + \Sigma'$ for some endofunctor $\Sigma'$, such that free $\Sigma$-algebras exist on every object (hence $\Sigma$ generates a free monad $\Sigma^\star$);

(4) a mixed-variance bifunctor $B \colon \mathbb{C}^{\mathrm{op}} \times \mathbb{C} \to \mathbb{C}$.

The functors $\Sigma$ and $B$ represent the *syntax* and the *behaviour* of a higher-order language. The motivation behind $B$ having two arguments is that transitions have labels, which behave contravariantly, and poststates, which behave covariantly; in term models the objects of labels and states will coincide. The presence of an object $V$ of variables is a technical requirement for the modelling of languages with variable binding [19,20], such as the λ-calculus. An object of $V/\mathbb{C}$, the coslice category of *V-pointed objects*, is thought of as a set $X$ of programs with an embedding $p_X \colon V \to X$ of the variables. In point-free calculi, e.g. xTCL as introduced below, we put $V = 0$ (the initial object).

Definition 2. A *(V-pointed) higher-order GSOS law* of $\Sigma$ over $B$ is a family of morphisms (1) that is dinatural in $(X, p_X) \in V/\mathbb{C}$ and natural in $Y \in \mathbb{C}$:

$$\varrho\_{(X,p\_X),Y} \colon \Sigma(X \times B(X,Y)) \to B(X, \Sigma^\star(X+Y)) \tag{1}$$

Notation 3. (i) In (1), we have implicitly applied the forgetful functor $V/\mathbb{C} \to \mathbb{C}$ at $(X, p_X)$. In addition, we write $\varrho_{X,Y}$ for $\varrho_{(X,p_X),Y}$ if the point $p_X$ is clear from the context. (ii) For $(A, a) \in \mathbf{Alg}(\Sigma)$, we view $A$ as $V$-pointed by $p_A = \big(V \xrightarrow{\mathsf{inl}} V + \Sigma'A = \Sigma A \xrightarrow{a} A\big)$.

Informally, $\varrho_{X,Y}$ assigns to an operation of the language with formal arguments from $X$ having specified next-step behaviours in $B(X, Y)$ (i.e. with labels in $X$ and formal poststates in $Y$) a next-step behaviour in $B(X, \Sigma^\star(X + Y))$, i.e. with the same labels, and with poststates being program terms mentioning variables from both $X$ and $Y$. Every

$$
\frac{}{\ \mathsf{e} \xrightarrow{\checkmark}\ }
\qquad
\frac{}{\ S_{\tau_1,\tau_2,\tau_3} \xrightarrow{t} S'_{\tau_1,\tau_2,\tau_3}(t)\ }
\qquad
\frac{}{\ S'_{\tau_1,\tau_2,\tau_3}(p) \xrightarrow{q} S''_{\tau_1,\tau_2,\tau_3}(p,q)\ }
\qquad
\frac{}{\ S''_{\tau_1,\tau_2,\tau_3}(p,q) \xrightarrow{t} (p\,t)\,(q\,t)\ }
$$

$$
\frac{}{\ K_{\tau_1,\tau_2} \xrightarrow{p} K'_{\tau_1,\tau_2}(p)\ }
\qquad
\frac{}{\ K'_{\tau_1,\tau_2}(p) \xrightarrow{q} p\ }
\qquad
\frac{}{\ I_\tau \xrightarrow{t} t\ }
\qquad
\frac{p \to p'}{p\,q \to p'\,q}
\qquad
\frac{p \xrightarrow{q} p'}{p\,q \to p'}
$$

Fig. 1. (Call-by-name) operational semantics of xTCL.

higher-order GSOS law (1) induces a canonical *operational model* $\gamma \colon \mu\Sigma \to B(\mu\Sigma, \mu\Sigma)$, viz. a $B(\mu\Sigma, -)$-coalgebra on the initial algebra $\mu\Sigma$, defined by *primitive recursion* [36, Prop. 2.4.7] as the unique morphism $\gamma$ making the following diagram commute:

$$
\begin{array}{ccc}
\Sigma(\mu\Sigma) & \xrightarrow{\ \iota\ } & \mu\Sigma\\[2pt]
{\scriptstyle \Sigma\langle \mathrm{id},\, \gamma\rangle}\big\downarrow & & \big\downarrow{\scriptstyle \gamma}\\[2pt]
\Sigma(\mu\Sigma \times B(\mu\Sigma, \mu\Sigma)) \xrightarrow{\ \varrho_{\mu\Sigma,\mu\Sigma}\ } B(\mu\Sigma, \Sigma^\star(\mu\Sigma + \mu\Sigma)) & \xrightarrow{\ B(\mu\Sigma,\ \hat\iota \cdot \Sigma^\star\nabla)\ } & B(\mu\Sigma, \mu\Sigma)
\end{array}
$$

Here, we regard the initial algebra (µΣ, ι) as *<sup>V</sup>*-pointed as explained in Notation 3.

*Simply Typed SKI Calculus.* We illustrate the ideas behind higher-order abstract GSOS with an extended version of the simply typed SKI calculus [30], a typed combinatory logic which we call xTCL. It is expressively equivalent to the simply typed λ-calculus but does not use variables; hence it avoids the complexities associated to variable binding and substitution in the λ-calculus, which we treat in Section 4.2. The set Ty of *types* is inductively defined as

$$\mathsf{Ty} \coloneqq \mathsf{unit} \mid \mathsf{Ty} \twoheadrightarrow \mathsf{Ty}.\tag{2}$$

The constructor $\twoheadrightarrow$ is right-associative, i.e. $\tau_1 \twoheadrightarrow \tau_2 \twoheadrightarrow \tau_3$ is parsed as $\tau_1 \twoheadrightarrow (\tau_2 \twoheadrightarrow \tau_3)$. The terms of xTCL are formed over the Ty-sorted signature $\Sigma$ whose operation symbols are listed below, with $\tau, \tau_1, \tau_2, \tau_3$ ranging over all types in Ty:

$$
\begin{array}{ll}
\mathsf{e} \colon \mathsf{unit} & \mathsf{app}_{\tau_1,\tau_2} \colon (\tau_1 \twoheadrightarrow \tau_2) \times \tau_1 \to \tau_2\\
S_{\tau_1,\tau_2,\tau_3} \colon (\tau_1 \twoheadrightarrow \tau_2 \twoheadrightarrow \tau_3) \twoheadrightarrow (\tau_1 \twoheadrightarrow \tau_2) \twoheadrightarrow \tau_1 \twoheadrightarrow \tau_3 & K_{\tau_1,\tau_2} \colon \tau_1 \twoheadrightarrow \tau_2 \twoheadrightarrow \tau_1\\
S'_{\tau_1,\tau_2,\tau_3} \colon (\tau_1 \twoheadrightarrow \tau_2 \twoheadrightarrow \tau_3) \to ((\tau_1 \twoheadrightarrow \tau_2) \twoheadrightarrow \tau_1 \twoheadrightarrow \tau_3) & K'_{\tau_1,\tau_2} \colon \tau_1 \to (\tau_2 \twoheadrightarrow \tau_1)\\
S''_{\tau_1,\tau_2,\tau_3} \colon (\tau_1 \twoheadrightarrow \tau_2 \twoheadrightarrow \tau_3) \times (\tau_1 \twoheadrightarrow \tau_2) \to (\tau_1 \twoheadrightarrow \tau_3) & I_\tau \colon \tau \twoheadrightarrow \tau
\end{array}
$$

We let $\mathsf{Tr} = \mu\Sigma$ denote the Ty-sorted set of closed $\Sigma$-terms. Informally, app represents function application (we write $s\,t$ for $\mathsf{app}(s,t)$), and the constants $I_\tau$, $K_{\tau_1,\tau_2}$, $S_{\tau_1,\tau_2,\tau_3}$ represent the λ-terms $\lambda t.\,t$, $\lambda t.\,\lambda s.\,t$ and $\lambda t.\,\lambda s.\,\lambda u.\,(t\,u)\,(s\,u)$, respectively. The operational semantics of xTCL involves three kinds of transitions: $\xrightarrow{\checkmark}$, $\xrightarrow{t}$ and $\to$. It is presented in Figure 1; here, $p, p', q, t$ range over terms in Tr of appropriate type. Intuitively, $s \xrightarrow{\checkmark}$ identifies $s$ as an explicitly irreducible term; $s \xrightarrow{t} r$ states that $s$ acts as a function mapping $t$ to $r$; and $s \to t$ indicates that $s$ reduces to $t$. Our use of labelled transitions in higher-order operational semantics is inspired by work on bisimilarity in the λ-calculus [1,26]. The use of $K'$, $S'$ and $S''$ does not impact the behaviour of programs, except for possibly adding more unlabelled transitions. For example, the standard rule $S\,t\,s\,e \to (t\,e)\,(s\,e)$ for the $S$-combinator is rendered as the chain of transitions $S\,t\,s\,e \to S'(t)\,s\,e \to S''(t,s)\,e \to (t\,e)\,(s\,e)$. The transition system for xTCL is deterministic: for every term $s$, either $s \xrightarrow{\checkmark}$, or there exists a unique $t$ such that $s \to t$, or for each appropriately typed $t$ there exists a unique $s_t$ such that $s \xrightarrow{t} s_t$. Therefore, given

$$B\_{\tau}(X,Y) = Y\_{\tau} + D\_{\tau}(X,Y),\tag{3}$$

$$D_{\mathsf{unit}}(X, Y) = 1 = \{*\} \qquad \text{and} \qquad D_{\tau_1 \twoheadrightarrow \tau_2}(X, Y) = Y_{\tau_2}^{X_{\tau_1}}, \tag{4}$$

the operational rules in Figure 1 determine a $\mathbf{Set}^{\mathsf{Ty}}$-morphism $\gamma \colon \mathsf{Tr} \to B(\mathsf{Tr}, \mathsf{Tr})$:

$$
\begin{aligned}
\gamma_{\mathsf{unit}}(s) &= \mathsf{inr}(*) && \text{if } s \xrightarrow{\checkmark}, \text{ where } s \colon \mathsf{unit},\\
\gamma_{\tau}(s) &= \mathsf{inl}(t) && \text{if } s \to t, \text{ where } s, t \colon \tau,\\
\gamma_{\tau_1 \twoheadrightarrow \tau_2}(s) &= \mathsf{inr}(\lambda t.\, s_t) && \text{if } s \xrightarrow{t} s_t \text{ for } s \colon \tau_1 \twoheadrightarrow \tau_2 \text{ and } t \colon \tau_1.
\end{aligned}
\tag{5}
$$
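The transition system of Figure 1 can be prototyped directly (an untyped sketch with a term encoding of our own choosing, not the paper's): the labelled transitions and the call-by-name reduction are two partial functions, and the chain of transitions for the $S$-combinator described above can be replayed step by step:

```python
# Sketch of the call-by-name rules of Fig. 1 as a small-step interpreter
# (untyped for brevity; terms are nested tuples).
S, K, I, E = ("S",), ("K",), ("I",), ("e",)

def app(p, q):
    return ("app", p, q)

def labelled(s, t):
    """The labelled transition s --t--> r of Fig. 1, or None."""
    if s == S:        return ("S1", t)                        # S --t--> S'(t)
    if s[0] == "S1":  return ("S2", s[1], t)                  # S'(p) --q--> S''(p,q)
    if s[0] == "S2":  return app(app(s[1], t), app(s[2], t))  # S''(p,q) --t--> (p t)(q t)
    if s == K:        return ("K1", t)                        # K --p--> K'(p)
    if s[0] == "K1":  return s[1]                             # K'(p) --q--> p
    if s == I:        return t                                # I --t--> t
    return None

def step(s):
    """The unlabelled reduction s -> s', or None if s does not reduce."""
    if s[0] == "app":
        p, q = s[1], s[2]
        r = step(p)
        if r is not None:          # p -> p'  implies  p q -> p' q
            return app(r, q)
        return labelled(p, q)      # p --q--> p'  implies  p q -> p'
    return None

# The chain from the text: S t s e -> S'(t) s e -> S''(t,s) e -> (t e)(s e).
t0 = app(app(app(S, K), I), E)
t1 = step(t0); t2 = step(t1); t3 = step(t2)
assert t3 == app(app(K, E), app(I, E))
```

Both functions are deterministic by construction, mirroring the determinism of the xTCL transition system; iterating `step` until it returns `None` normalizes a term.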

Proposition 4. *The object assignments* (3) *and* (4) *extend to mixed-variance bifunctors*

$$B, D \colon (\mathbf{Set}^{\mathsf{Ty}})^{\mathrm{op}} \times \mathbf{Set}^{\mathsf{Ty}} \to \mathbf{Set}^{\mathsf{Ty}}. \tag{6}$$

The semantics of xTCL in Figure 1 corresponds to a (0-pointed) higher-order GSOS law of the syntax functor $\Sigma$ over the behaviour bifunctor $B$, i.e. to a family of maps (1) dinatural in $X \in \mathbf{Set}^{\mathsf{Ty}}$ and natural in $Y \in \mathbf{Set}^{\mathsf{Ty}}$. The maps $\varrho_{X,Y}$ are cotuples defined by distinguishing cases on the constructors $\mathsf{e}$, $S$, $S'$, $S''$, $K$, $K'$, $I$, app of xTCL, and each component of $\varrho$ is determined by the rules that apply to the corresponding constructor. We provide a few illustrative cases; see [25, p. 25], for a complete definition.

$$\varrho\_{X,Y} \colon \Sigma(X \times B(X,Y)) \to B(X, \Sigma^\star(X+Y)) \tag{7}$$

$$\varrho_{X,Y}(S''_{\tau_1,\tau_2,\tau_3}((p,f),(q,g))) = \lambda t.\,(p\,t)\,(q\,t) \tag{8}$$

$$\varrho_{X,Y}((p,f)\,(q,g)) = f(q) \qquad\qquad \text{if } f \colon Y_{\tau_2}^{X_{\tau_1}} \tag{9}$$

$$\varrho_{X,Y}((p,f)\,(q,g)) = f\,q \qquad\qquad\ \text{if } f \colon Y_{\tau_1 \twoheadrightarrow \tau_2} \tag{10}$$

The operational model γ: Tr <sup>→</sup> *<sup>B</sup>*(Tr, Tr) of ϱ coincides with the coalgebra (5).

Remark 5. The rules for application in Figure 1 implement the call-by-name evaluation strategy. Other strategies can be captured by varying the rules and consequently the corresponding higher-order GSOS law. For the call-by-value strategy, one replaces the last rule with (11) and (12) below and modifies clause (9) in the definition of $\varrho$ accordingly. One can also model the traditional view of combinatory logic as a rewrite system [30] where any redex can be reduced, no matter how deeply. This amounts to specifying a maximally nondeterministic strategy by adding the rule (13) below to Figure 1. Notably, this makes the operational model nondeterministic, and hence the corresponding higher-order GSOS law relies on the behaviour functor $\mathcal{P}B$ instead of the original $B$ given by (3), where $\mathcal{P}$ is the powerset functor.

$$\frac{p \xrightarrow{t} p'' \qquad q \to q'}{p\,q \to p\,q'}\quad(11)\qquad\qquad \frac{p \xrightarrow{q} p' \qquad q \xrightarrow{t} q''}{p\,q \to p'}\quad(12)\qquad\qquad \frac{q \to q'}{p\,q \to p\,q'}\quad(13)$$

## 3 Coalgebraic Logical Predicates

#### 3.1 Predicate Lifting

Predicates and relations on coalgebras are often most conveniently modelled through *predicate* and *relation liftings* [39] of the underlying type functors. In the following we introduce a framework of predicate liftings for mixed-variance bifunctors, adapting existing notions of relation lifting [62], which enables reasoning about "higher-order" coalgebras, such as operational models of higher-order GSOS laws. The following global assumptions ensure that predicates and relations behave in an expected manner:

Assumptions 6. From now on, we fix $\mathbb{C}$ to be a complete, well-powered and extensive category in which, additionally, strong epimorphisms are stable under pullbacks.

The categories of Example 1 satisfy these assumptions. Since $\mathbb{C}$ is complete and well-powered, every morphism $f$ admits a (strong epi, mono)-factorization $f = m \cdot e$ [11, Prop. 4.4.3]; we call $m$ the *image* of $f$. The category $\mathbf{Pred}(\mathbb{C})$ of *predicates* over $\mathbb{C}$ has as objects all monics (predicates) $P \rightarrowtail X$ from $\mathbb{C}$, and as morphisms $(p \colon P \rightarrowtail X) \to (q \colon Q \rightarrowtail Y)$ all pairs $(f \colon X \to Y,\ f|_P \colon P \to Q)$ such that $q \cdot f|_P = f \cdot p$ (so $f|_P$ is uniquely determined by $f$). (Co)products in $\mathbf{Pred}(\mathbb{C})$ are lifted from $\mathbb{C}$. The *fiber* $\mathbf{Pred}_X(\mathbb{C})$ is the subcategory of all monics $P \rightarrowtail X$ for fixed $X$ and morphisms $(\mathrm{id}_X, -)$. It is preordered by $p \le q$ if $p$ factors through $q$; identifying $p$, $q$ if $p \le q$ and $q \le p$, we regard $\mathbf{Pred}_X(\mathbb{C})$ as a poset. Since $\mathbb{C}$ is complete and well-powered, $\mathbf{Pred}_X(\mathbb{C})$ is a complete lattice; we write $\bigwedge$ for meets (i.e. pullbacks) and $\bigvee$ for joins. We will also write $f^\star[P]$ for the *inverse image* of a predicate $p \colon P \rightarrowtail X$ under $f \colon Y \to X$, i.e. the pullback of $p$ along $f$. The *direct image* $f_\star[Q]$ of $q \colon Q \rightarrowtail Y$ under $f \colon Y \to X$ is the image of the composite $f \cdot q \colon Q \to X$. This yields an adjunction between $\mathbf{Pred}_X(\mathbb{C})$ and $\mathbf{Pred}_Y(\mathbb{C})$, i.e. $Q \le f^\star[P]$ iff $f_\star[Q] \le P$.
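In $\mathbf{Set}$, the inverse image is the usual preimage and the direct image the usual image of a subset, and the adjunction is the familiar equivalence $Q \subseteq f^{-1}[P]$ iff $f[Q] \subseteq P$. A quick exhaustive check on small finite sets (illustrative names of our own):

```python
# Sketch in Set: direct image f_* is left adjoint to inverse image f^*,
# i.e. Q <= f^*[P] iff f_*[Q] <= P, verified on small finite sets.
def inverse_image(f, P, Y):
    return {y for y in Y if f(y) in P}   # the preimage f^*[P] as a subset of Y

def direct_image(f, Q):
    return {f(y) for y in Q}             # the image f_*[Q]

Y = {0, 1, 2, 3}
f = lambda y: y % 2                      # a map Y -> X with X = {0, 1}
for P in [set(), {0}, {1}, {0, 1}]:
    for Q in [set(), {0}, {0, 2}, {1, 3}, Y]:
        assert (Q <= inverse_image(f, P, Y)) == (direct_image(f, Q) <= P)
```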

<sup>A</sup> *predicate lifting* of an endofunctor Σ : C → C is an endofunctor Σ : Pred(C) <sup>→</sup> Pred(C) making the left-hand diagram below commute; similarly, a *predicate lifting* of a mixed-variance bifunctor *B*: C op × C → C is a bifunctor *B*: Pred(C) op × Pred(C) → Pred(C) making the right-hand diagram below commute. Here |−| is the forgetful functor sending *p*: *P* ↣ *X* to *X*.

$$
\begin{array}{ccc}
\mathbf{Pred}(\mathbb{C}) & \xrightarrow{\ \overline{\Sigma}\ } & \mathbf{Pred}(\mathbb{C})\\
{\scriptstyle |-|}\big\downarrow & & \big\downarrow{\scriptstyle |-|}\\
\mathbb{C} & \xrightarrow{\ \Sigma\ } & \mathbb{C}
\end{array}
\qquad\qquad
\begin{array}{ccc}
\mathbf{Pred}(\mathbb{C})^{\mathrm{op}} \times \mathbf{Pred}(\mathbb{C}) & \xrightarrow{\ \overline{B}\ } & \mathbf{Pred}(\mathbb{C})\\
{\scriptstyle |-|^{\mathrm{op}} \times |-|}\big\downarrow & & \big\downarrow{\scriptstyle |-|}\\
\mathbb{C}^{\mathrm{op}} \times \mathbb{C} & \xrightarrow{\ B\ } & \mathbb{C}
\end{array}
$$

We denote by $\overline{\Sigma}$ both the action on predicates and on the corresponding objects in $\mathbb{C}$, i.e. $\overline{\Sigma}(p \colon P \rightarrowtail X) \colon \overline{\Sigma}P \rightarrowtail \Sigma X$.

Every endofunctor $\Sigma$ on $\mathbb{C}$ admits a canonical predicate lifting $\overline{\Sigma}$ mapping $p \colon P \rightarrowtail X$ to the image $\overline{\Sigma}p \colon \overline{\Sigma}P \rightarrowtail \Sigma X$ of $\Sigma p \colon \Sigma P \to \Sigma X$ [36]. Note that $\overline{\Sigma}p = \Sigma p$ if $\Sigma$ preserves monos. In the remainder we will only consider canonical liftings of endofunctors.

Proposition 7. *If* $\Sigma$ *preserves strong epis, then* $\overline{\Sigma^\star} = \overline{\Sigma}^{\,\star}$.

The canonical predicate liftings for mixed-variance bifunctors are slightly more complex. Similarly to the case of relation liftings of such functors developed in recent work [62], their construction involves suitable pullbacks.

Proposition 8. *Every bifunctor B*: C op × C → C *admits a canonical predicate lifting B*: Pred(C) op <sup>×</sup> Pred(C) <sup>→</sup> Pred(C) *sending* (*p*: *<sup>P</sup>* <sup>↣</sup> *<sup>X</sup>*, *<sup>q</sup>*: *<sup>Q</sup>* <sup>↣</sup> *<sup>Y</sup>*) *to the predicate <sup>m</sup>P*,*<sup>Q</sup>* : *<sup>B</sup>*(*P*, *<sup>Q</sup>*) <sup>↣</sup> *<sup>B</sup>*(*X*, *<sup>Y</sup>*)*, the image of the morphism rP*,*<sup>Q</sup> given by the pullback below:*

$$
\begin{array}{ccc}
T_{P,Q} & \longrightarrow & B(P,Q)\\
{\scriptstyle r_{P,Q}}\big\downarrow & & \big\downarrow{\scriptstyle B(\mathrm{id}_P,\, q)}\\
B(X,Y) & \xrightarrow{\ B(p,\, \mathrm{id}_Y)\ } & B(P,Y)
\end{array}
\tag{15}
$$

If $B$ preserves monos in the covariant argument, then $B(\mathrm{id}, q)$ is monic and, since monos are pullback-stable, $\overline{B}(P, Q)$ is simply the predicate $r_{P,Q} \colon T_{P,Q} \rightarrowtail B(X, Y)$.

Example 9. The bifunctors *B* and *D* of (3) and (4) have canonical predicate liftings

$$\overline{B}_\tau(P, Q) = Q_\tau + \overline{D}_\tau(P, Q), \quad\text{where} \tag{16}$$

$$\overline{D}_{\mathsf{unit}}(P, Q) = 1, \qquad \overline{D}_{\tau_1 \twoheadrightarrow \tau_2}(P, Q) = \{ f \colon X_{\tau_1} \to Y_{\tau_2} \mid \forall x \in P_{\tau_1}.\ f(x) \in Q_{\tau_2} \} \subseteq Y_{\tau_2}^{X_{\tau_1}}. \tag{17}$$

Predicate liftings allow us to generalize *coalgebraic invariants* [36, §6.2], viz. predicates on the state space of a coalgebra that are closed under the coalgebra structure in a suitable sense, from endofunctors to mixed-variance bifunctors:

Notation 10. For the remainder of the paper, we fix a mixed-variance bifunctor $B \colon \mathbb{C}^{\mathrm{op}} \times \mathbb{C} \to \mathbb{C}$ and a predicate lifting $\overline{B} \colon \mathbf{Pred}(\mathbb{C})^{\mathrm{op}} \times \mathbf{Pred}(\mathbb{C}) \to \mathbf{Pred}(\mathbb{C})$.

Definition 11 (Coalgebraic invariant). Let $c \colon Y \to B(X, Y)$ be a $B(X, -)$-coalgebra. Given predicates $S \rightarrowtail X$, $P \rightarrowtail Y$, we say that $P$ is an *S-relative (B-)invariant (for c)* if $P \le c^\star[\overline{B}(S, P)]$, equivalently, $c_\star[P] \le \overline{B}(S, P)$. (Mention of $\overline{B}$ is usually omitted.)

Coalgebraic invariants will feature centrally in our notion of logical predicate.

#### 3.2 Logical Predicates via Lifted Bifunctors

As a reasoning device, the method of logical predicates (which are unary logical relations) typically applies to the following scenario: One has an operational semantics on an inductively defined set $\mu\Sigma$ of $\Sigma$-terms and a target predicate $P \rightarrowtail \mu\Sigma$ to be proved, in the sense that one wants to show $P = \mu\Sigma$. Logical predicates come into play when a direct proof of $P = \mu\Sigma$ by structural induction is not possible. The classical example of such a predicate is *strong normalization* [23,59]. The idea is to strengthen $P$, obtaining a predicate featuring a certain "logical" structure that does allow for a proof by induction. We now develop this scenario in our abstract bifunctorial setting.

Definition 12 (Coalgebraic logical predicate). Suppose that $c \colon X \to B(X, X)$ is a $B(X, -)$-coalgebra with state space $X$. A predicate $P \rightarrowtail X$ is *logical (for c)* if it is a $P$-relative $\overline{B}$-invariant (as per Def. 11), i.e. $P \le c^\star[\overline{B}(P, P)]$, equivalently, $c_\star[P] \le \overline{B}(P, P)$.

In applications, *<sup>c</sup>* is the operational model γ: µΣ <sup>→</sup> *<sup>B</sup>*(µΣ, µΣ) of a higher-order language, or some coalgebra derived from it. The self-referential nature of logical predicates (as relative to themselves) is meant to cater for the property that "inputs in *P* are mapped to outputs in *P*". The following example from xTCL illustrates this:

Example 13. For $B$ given by (3) and its canonical lifting $\overline{B}$, a predicate $P \rightarrowtail \mathsf{Tr}$ is logical for the operational model $\gamma \colon \mathsf{Tr} \to B(\mathsf{Tr}, \mathsf{Tr})$ from (5) if $\gamma_\star[P] \le \overline{B}(P, P)$, that is,

$$(\gamma_{\mathsf{unit}})_\star[P_{\mathsf{unit}}] \le P_{\mathsf{unit}} + 1,$$

$$\forall \tau_1, \tau_2.\ (\gamma_{\tau_1 \twoheadrightarrow \tau_2})_\star[P_{\tau_1 \twoheadrightarrow \tau_2}] \le P_{\tau_1 \twoheadrightarrow \tau_2} + \{f \colon \mathsf{Tr}_{\tau_1} \to \mathsf{Tr}_{\tau_2} \mid \forall s \in P_{\tau_1}.\ f(s) \in P_{\tau_2}\},$$

using the description of $\overline{B}$ from Example 9. More explicitly, this means that

– if $s \in P_\tau$ and $s \to t$ then $t \in P_\tau$;
– if $s \in P_{\tau_1 \twoheadrightarrow \tau_2}$ and $s \xrightarrow{t} u$, then $t \in P_{\tau_1}$ implies $u \in P_{\tau_2}$.

As we can see in the second clause, function terms that satisfy *P* produce outputs that satisfy *P* on all inputs that satisfy *P*. This is the key property of any logical predicate.

Defining a suitable logical predicate (or relation) is the centerpiece of various sophisticated arguments in higher-order settings. One standard application of logical predicates are proofs of strong normalization, which we now illustrate in the case of xTCL. For the operational model $\gamma \colon \mathsf{Tr} \to B(\mathsf{Tr}, \mathsf{Tr})$ and terms $r, s, t$ of compatible type, put

$$r \Rightarrow s \;:\!\iff\; r \to^\star s, \qquad t \xRightarrow{s} t' \;:\!\iff\; \exists t''.\ t \Rightarrow t'' \wedge t'' \xrightarrow{s} t', \qquad \Downarrow_\tau(t) \;:\!\iff\; \exists t'.\ t \Rightarrow t' \wedge \gamma_\tau(t') \in D_\tau(\mathsf{Tr}, \mathsf{Tr}).$$
Coalgebraically, this associates a *weak operational model* $\tilde\gamma \colon \mathsf{Tr} \to \mathcal{P}B(\mathsf{Tr}, \mathsf{Tr})$ to $\gamma$, where $\tilde\gamma(t) = \{t' \mid t \Rightarrow t'\} \cup \{\gamma(t') \mid t \Rightarrow t',\ \gamma(t') \in D(\mathsf{Tr}, \mathsf{Tr})\}$.

*Strong normalization* of xTCL asserts that $\Downarrow\, = \mathsf{Tr}$: every term eventually reduces to a function or explicitly terminates. We now devise three different logical predicates on Tr, each of which provides a proof of that property. The idea is to refine the target predicate $\Downarrow\, \rightarrowtail \mathsf{Tr}$ to a logical predicate, for which showing that it is totally true will be facilitated by its invariance w.r.t. a corresponding coalgebra structure. Our first example will be based on the following notion of refinement:

Definition 14 (Locally maximal logical refinement). Let $c \colon X \to B(X, X)$ be a coalgebra and let $P \rightarrowtail X$ be a predicate. A predicate $\Box P \rightarrowtail X$ is a *locally maximal logical refinement of P* if (i) $\Box P \le P$, (ii) $\Box P$ is logical (i.e. a $\Box P$-relative $\overline{B}$-invariant), and (iii) for every predicate $Q \le P$ that is a $\Box P$-relative $\overline{B}$-invariant, one has $Q \le \Box P$.

Example 15. We define the predicate $\Box\Downarrow\, \rightarrowtail \mathsf{Tr}$, i.e. a family of subsets $\Box\Downarrow_\tau \subseteq \mathsf{Tr}_\tau$ ($\tau \in \mathsf{Ty}$), by induction on the structure of the type $\tau$: we put $\Box\Downarrow_{\mathsf{unit}} = \Downarrow_{\mathsf{unit}}$, and we take $\Box\Downarrow_{\tau_1 \twoheadrightarrow \tau_2}$ to be the greatest subset of $\mathsf{Tr}_{\tau_1 \twoheadrightarrow \tau_2}$ satisfying

$$\Box\Downarrow_{\tau_1 \twoheadrightarrow \tau_2}(t) \implies \Downarrow_{\tau_1 \twoheadrightarrow \tau_2}(t) \,\land\, \begin{cases} \Box\Downarrow_{\tau_1 \twoheadrightarrow \tau_2}(t') & \text{if } t \to t'\\ \Box\Downarrow_{\tau_1}(s) \implies \Box\Downarrow_{\tau_2}(t') & \text{if } t \xrightarrow{s} t' \end{cases}$$

From this definition it is not difficult to verify by induction on the type that

$\Box\Downarrow$ is a locally maximal logical refinement of $\Downarrow$. (18)
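The "greatest subset satisfying" clause in Example 15 is a greatest fixpoint of a monotone operator on a powerset lattice. On a finite state space (an illustrative sketch of our own, not tied to xTCL's infinite term set), such a fixpoint is computable by iterating the operator from the full set:

```python
# Sketch: greatest fixpoint of a monotone operator phi on a finite powerset,
# computed by iterating phi from the top element until stabilization.
def gfp(phi, universe):
    current = frozenset(universe)
    while True:
        nxt = frozenset(phi(current))
        if nxt == current:
            return current
        current = nxt

# Toy system: states {0..4} with transitions n -> n - 1 for n > 0.
# phi(S) = states that lie in the base predicate {0, 1, 2} and whose
# successor (if any) stays in S -- analogous to "in base and closed
# under transitions" in the definition of the box refinement.
step = {n: n - 1 for n in range(1, 5)}
phi = lambda S: {n for n in range(5)
                 if n in {0, 1, 2} and (n not in step or step[n] in S)}
assert gfp(phi, range(5)) == frozenset({0, 1, 2})
```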

Our goal is to show that $\Box\Downarrow$ is a subalgebra of $\mu\Sigma$, equivalently $\overline{\Sigma}(\Box\Downarrow) \le \iota^\star[\Box\Downarrow]$, which then implies $\Box\Downarrow\, = \mathsf{Tr}$ and hence $\Downarrow\, = \mathsf{Tr}$ by structural induction. Taking the partition $\Sigma = \Xi + \Delta$ where $\Xi$ is the part of the signature for application and $\Delta$ is the part of the signature for the remaining term constructors, we separately prove $\overline{\Xi}(\Box\Downarrow) \le \iota^\star[\Box\Downarrow]$ and $\overline{\Delta}(\Box\Downarrow) \le \iota^\star[\Box\Downarrow]$. It suffices to come up with $\Box\Downarrow$-relative invariants $A, C \subseteq\, \Downarrow$ such that $\overline{\Xi}(\Box\Downarrow) \le \iota^\star[A]$ and $\overline{\Delta}(\Box\Downarrow) \le \iota^\star[C]$. Then by (18) we can conclude $A, C \subseteq \Box\Downarrow$, so

$$\overline{\Xi}(\Box\Downarrow) \le \iota^\star[A] \le \iota^\star[\Box\Downarrow] \qquad \text{and} \qquad \overline{\Delta}(\Box\Downarrow) \le \iota^\star[C] \le \iota^\star[\Box\Downarrow].$$

Let us record for further reference what it means for $Q \rightarrowtail \mathsf{Tr}$ to be a $\Box\Downarrow$-relative invariant contained in $\Downarrow$. Given $t \in Q_\tau$, the following must hold:

$$(1)\ \Downarrow_\tau(t), \quad (2)\ \text{if } t \to t' \text{ then } Q_\tau(t'), \quad (3)\ \text{if } t \colon \tau_1 \twoheadrightarrow \tau_2 \text{ and } t \xrightarrow{s} t' \text{ and } \Box\Downarrow_{\tau_1}(s) \text{ then } Q_{\tau_2}(t').$$

We first put $A = \Box\Downarrow \vee (\iota \cdot \mathsf{inl})_\star[\overline{\Xi}(\Box\Downarrow)]$, and prove (1)–(3) for $Q = A$. So let $t \in A_\tau$; we distinguish cases on the disjunction defining $A$. If $\Box\Downarrow_\tau t$, then (1)–(3) follow easily by definition. Otherwise, we have $t = p\,q$ such that $\Box\Downarrow_{\tau_1 \twoheadrightarrow \tau_2} p$ and $\Box\Downarrow_{\tau_1} q$.


Next, we show that *<sup>C</sup>* <sup>=</sup> □⇓∨(ι·inr)⋆[∆(□⇓)] is a □⇓-relative invariant. We consider two representative cases; the remaining cases are handled similarly.


Note that the definition of □⇓ uses both induction (over the structure of types) and coinduction (by taking at every type the greatest predicate satisfying some property).

Example 16. We give an alternative logical predicate defined purely inductively. It resembles Plotkin's original concept of logical relation [55]. We define ⇛ ↣ Tr by

$$\begin{aligned} \Rrightarrow\_{\mathsf{unit}}(t) &\iff \Downarrow\_{\mathsf{unit}}(t),\\ \Rrightarrow\_{\tau\_1 \to \tau\_2}(t) &\iff \Downarrow\_{\tau\_1 \to \tau\_2}(t) \land (\forall s \colon \tau\_1.\, t \stackrel{s}{\Rightarrow} t' \land \Rrightarrow\_{\tau\_1}(s) \implies \Rrightarrow\_{\tau\_2}(t')). \end{aligned} \tag{19}$$

It is evidently logical for the restriction ˜˜γ: Tr → P*D*(Tr, Tr) of the weak operational model to labelled transitions, given by ˜˜γ(*t*) := {γ(*t*′)} if *t* ⇒ *t*′ and γ(*t*′) ∈ *D*(Tr, Tr), and ˜˜γ(*t*) := ∅ otherwise. A proof of strong normalization using ⇛ is given in [25, App. A].

Example 17. A more popular (cf. [57,58]) and subtly different variant of ⇛ for proving strong normalization goes back to Tait [59]. We define SN ↣ Tr by

$$\begin{aligned} \mathrm{SN}\_{\mathsf{unit}}(t) &\iff \Downarrow\_{\mathsf{unit}}(t),\\ \mathrm{SN}\_{\tau\_1 \to \tau\_2}(t) &\iff \Downarrow\_{\tau\_1 \to \tau\_2}(t) \land (\forall s \colon \tau\_1.\, \mathrm{SN}\_{\tau\_1}(s) \implies \mathrm{SN}\_{\tau\_2}(t\,s)). \end{aligned} \tag{20}$$

Unlike ⇛ , it is not immediate that SN is logical for ˜˜γ (see [25, App. A]). For a proof of strong normalization based on SN in the context of the λ-calculus, see [57, Sec. 2].

While all three logical predicates □⇓, ⇛, SN are eligible for proving strong normalization, with proofs of similar length and complexity, the predicate □⇓ arguably has the most generic flavour, as it depends neither on a system-specific notion of weak transition (which appears in the definition of ⇛) nor on the syntax of the language (such as the application operator appearing in the definition of SN). Thus, our abstract categorical approach to logical predicates will be based on a generalization of □⇓.
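To ground the property being proved: strong normalization of a term means that *every* reduction sequence starting from it is finite. As a toy illustration (our own sketch, independent of the paper's constructions), the following checks this by exhaustively exploring all one-step reducts of a small combinatory term under the maximally nondeterministic strategy, with a fuel bound so that non-normalizing (necessarily untypable) terms are reported rather than looped on.

```python
from dataclasses import dataclass

# Toy combinatory terms: the constants "K" and "S", string atoms, and application.
@dataclass(frozen=True)
class App:
    fun: object
    arg: object

def spine(t):
    """Unwind applications: t = head a1 ... an yields (head, [a1, ..., an])."""
    args = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]

def rebuild(head, args):
    for a in args:
        head = App(head, a)
    return head

def successors(t):
    """All one-step reducts (redexes may be contracted in any position)."""
    out = []
    head, args = spine(t)
    if head == "K" and len(args) >= 2:          # K x y -> x
        out.append(rebuild(args[0], args[2:]))
    if head == "S" and len(args) >= 3:          # S x y z -> x z (y z)
        x, y, z = args[:3]
        out.append(rebuild(App(App(x, z), App(y, z)), args[3:]))
    if isinstance(t, App):                      # congruence rules
        out += [App(f, t.arg) for f in successors(t.fun)]
        out += [App(t.fun, a) for a in successors(t.arg)]
    return out

def strongly_normalizing(t, fuel=500):
    """True iff every reduction sequence from t terminates (within fuel)."""
    if fuel == 0:
        return False
    return all(strongly_normalizing(s, fuel - 1) for s in successors(t))

I = App(App("S", "K"), "K")                     # S K K behaves as the identity
print(strongly_normalizing(App(I, "x")))        # True
omega_half = App(App("S", I), I)
print(strongly_normalizing(App(omega_half, omega_half), fuel=60))  # False
```

The second term is the classic looping term ω = S I I (S I I), which is untypable; typed terms such as those of xTCL never exhaust the fuel.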

#### 3.3 Constructing Logical Predicates

Our abstract coalgebraic notion of logical predicate (Definition 12) is parametric in the bifunctor *B* and its lifting *B* and decoupled from any specific syntax. Next, we develop a systematic construction that promotes a predicate *P* to a logical predicate, specifically to a locally maximal refinement of *P*, generalizing □⇓ in Example 15. The construction proceeds in two stages. First, we fix the contravariant argument of the lifted bifunctor *B* and construct a greatest coalgebraic invariant w.r.t. the resulting endofunctor [36, §6.3]:

Definition 18 (Relative henceforth). Let *c*: *Y* → *B*(*X*, *Y*) and let *S* ↣ *X* be a predicate. The *(S-)relative henceforth modality* sends *P* ↣ *Y* to □<sup>*B*,*c*</sup>(*S*, *P*) ↣ *Y*, which is the supremum in Pred*Y*(C) of all *S*-relative invariants contained in *P*:

$$\square^{\overline{B},c}(S,P) = \bigvee \{ \mathcal{Q} \le P \mid \mathcal{Q} \text{ is an } S \text{ -relative } \overline{B}\text{-invariant for } c\}. \tag{21}$$

We will omit the superscripts *<sup>B</sup>*, *<sup>c</sup>* when they are irrelevant or clear from the context.

Proposition 19. *The predicate* □(*S*, *P*) *is the greatest S-relative B-invariant contained in P. Moreover, the map* (*S*, *P*) ↦ □(*S*, *P*) *is antitone in S and monotone in P.*

*Proof.* The first statement follows from the Knaster-Tarski theorem since □(*S*, *P*) is the greatest fixed point □(*S*, *P*) = ν*G*. *P* ∧ *c*<sup>⋆</sup>[*B*(*S*, *G*)] in the complete lattice Pred*Y*(C). The second statement holds due to the mixed variance of the predicate lifting *B*. □

The relative henceforth modality only yields relative invariants. To obtain a logical predicate, i.e. an invariant relative to itself, we move to the second stage of our construction, which is based on ultrametric semantics, see e.g. [9]. Let us briefly recall some terminology. A metric space (*X*, *d*: *X* × *X* → ℝ) is 1*-bounded* if *d*(*x*, *y*) ≤ 1 for all *x*, *y*, an *ultrametric space* if *d*(*x*, *y*) ≤ max{*d*(*x*, *z*), *d*(*z*, *y*)} for all *x*, *y*, *z*, and *complete* if every Cauchy sequence converges. A map *f*: (*X*, *d*) → (*X*′, *d*′) between metric spaces is *nonexpansive* if *d*′(*f*(*x*), *f*(*y*)) ≤ *d*(*x*, *y*) for all *x*, *y*, and *contractive* if there exists *c* ∈ [0, 1), called a *contraction factor*, such that *d*′(*f*(*x*), *f*(*y*)) ≤ *c* · *d*(*x*, *y*) for all *x*, *y*. A family of maps (*f*<sub>*i*</sub>: *X* → *X*′)<sub>*i*∈*I*</sub> is *uniformly contractive* if there exists *c* ∈ [0, 1) such that each *f*<sub>*i*</sub> is contractive with factor *c*. By Banach's fixed point theorem, every contractive endomap *f*: *X* → *X* on a non-empty complete metric space has a unique fixed point.
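Banach's theorem is moreover constructive: iterating a contractive map from an arbitrary starting point converges to the unique fixed point. A minimal numeric sketch (the example map and the tolerance are our own, purely illustrative):

```python
def fixed_point(f, x0, tol=1e-12, max_iter=10_000):
    """Iterate a contractive map f from x0 until successive values agree.

    By Banach's fixed point theorem, if f is contractive on a non-empty
    complete metric space, this iteration converges to the unique fixed
    point of f, regardless of the starting point x0.
    """
    x = x0
    for _ in range(max_iter):
        nxt = f(x)
        if abs(nxt - x) <= tol:
            return nxt
        x = nxt
    raise RuntimeError("no convergence within max_iter")

# f(x) = x/2 + 1 is contractive on the reals with factor 1/2;
# its unique fixed point is 2.
f = lambda x: x / 2 + 1
print(fixed_point(f, x0=100.0))   # converges to 2 (up to tolerance)
```

This is exactly the mechanism used below in Definition 24, except that the iteration takes place in a complete ultrametric space of predicates rather than in the reals.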

#### Definition 20. The category C is *predicate-contractive* if

(1) every lattice Pred*X*(C) is equipped with a complete 1-bounded ultrametric *d*;
(2) every inverse image map *f*<sup>⋆</sup>: Pred*Y*(C) → Pred*X*(C) is nonexpansive;
(3) for all co-well-ordered families (*P*<sup>*i*</sup> ↣ *X*)<sub>*i*∈*I*</sub> and (*Q*<sup>*i*</sup> ↣ *X*)<sub>*i*∈*I*</sub>,

$$d(\bigwedge\_{i \in I} P^i, \bigwedge\_{i \in I} Q^i) \le \sup\_{i \in I} d(P^i, Q^i).$$

Here (*P*<sup>*i*</sup> ↣ *X*)<sub>*i*∈*I*</sub> is *co-well-ordered* if each nonempty subfamily has a greatest element.

Example 21. The category C = Set<sup>Ty</sup> is predicate-contractive when equipped with the ultrametric on Pred*X*(C) given by *d*(*P*, *Q*) = 2<sup>−*n*</sup> for *P*, *Q* ↣ *X*, where *n* = inf{♯τ | *P*τ ≠ *Q*τ} and ♯τ is the size of τ, defined by ♯unit = 1 and ♯(τ1 → τ2) = ♯τ1 + ♯τ2. By convention, inf ∅ = ∞ and 2<sup>−∞</sup> = 0. To see predicate-contractivity, first note that a function F : Pred*Y*(C) → Pred*X*(C) is non-expansive if

$$\inf \{ \sharp \tau \mid (\mathcal{F}P)\_{\tau} \neq (\mathcal{F}Q)\_{\tau} \} \geq \inf \{ \sharp \tau \mid P\_{\tau} \neq Q\_{\tau} \} \qquad \text{for all } P, Q \rightarrowtail Y,$$

and contractive (necessarily with factor at most 1/2) if that inequality holds strictly.

This immediately implies clause (2) of Definition 20: inverse images in Set<sup>Ty</sup> are computed pointwise, and *f*τ<sup>⋆</sup>[*P*τ] ≠ *f*τ<sup>⋆</sup>[*Q*τ] implies *P*τ ≠ *Q*τ for *f*: *X* → *Y* and *P*, *Q* ↣ *Y*. Similarly, since intersections are computed pointwise, clause (3) amounts to

$$\inf \{ \sharp \tau \mid \bigcap\_{i \in I} P^i\_\tau \neq \bigcap\_{i \in I} \mathcal{Q}^i\_\tau \} \ge \inf \{ \sharp \tau \mid \exists i \in I \colon P^i\_\tau \neq \mathcal{Q}^i\_\tau \},$$

which is clearly true, for if ⋂<sub>*i*∈*I*</sub> *P*<sup>*i*</sup>τ ≠ ⋂<sub>*i*∈*I*</sub> *Q*<sup>*i*</sup>τ then *P*<sup>*i*</sup>τ ≠ *Q*<sup>*i*</sup>τ for some *i* ∈ *I*.
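To see the metric of Example 21 concretely, the following sketch computes type sizes and the resulting distance for finitely supported predicates (the encoding of types as nested tuples and of predicates as dicts of sets is our own, purely illustrative):

```python
# Types: "unit" or ("fun", t1, t2). Size per Example 21:
# #unit = 1 and #(t1 -> t2) = #t1 + #t2.
def size(ty):
    if ty == "unit":
        return 1
    _, t1, t2 = ty
    return size(t1) + size(t2)

def distance(P, Q):
    """Ultrametric on Ty-indexed predicates: d(P, Q) = 2**(-n), where n is
    the least size of a type at which P and Q differ; 0 if they never do
    (by the convention inf {} = infinity and 2**(-infinity) = 0)."""
    diffs = [size(ty) for ty in set(P) | set(Q)
             if P.get(ty, set()) != Q.get(ty, set())]
    return 0.0 if not diffs else 2.0 ** (-min(diffs))

unit = "unit"
arrow = lambda a, b: ("fun", a, b)

P = {unit: {"e"}, arrow(unit, unit): {"id"}}
Q = {unit: {"e"}, arrow(unit, unit): set()}   # differs only at a size-2 type

print(size(arrow(arrow(unit, unit), unit)))   # 3
print(distance(P, Q))                         # 0.25, i.e. 2**(-2)
print(distance(P, P))                         # 0.0
```

A lifting is contractive in this metric precisely when applying it pushes the first type at which two predicates differ strictly higher, which is the "type-decreasing" behaviour exploited in Example 26.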

Definition 22 (Contractive lifting). Suppose that C is predicate-contractive. The predicate lifting *B*: Pred(C)<sup>op</sup> × Pred(C) → Pred(C) is *contractive* if for every *S* ↣ *X* the map *B*(*S*, −) is non-expansive, and the family (*B*(−, *P*))<sub>*P*↣*X*</sub> is uniformly contractive.

Proposition 23. *Let B be contractive and c*: *X* → *B*(*X*, *X*)*. For every S* ↣ *X, the map* □<sup>*B*,*c*</sup>(*S*, −) *is non-expansive, and the family* (□<sup>*B*,*c*</sup>(−, *P*))<sub>*P*↣*X*</sub> *is uniformly contractive.*

Contractive liftings allow us to augment every predicate *P* to a logical predicate:

Definition 24 (Henceforth). Let *B* be contractive and *c*: *X* → *B*(*X*, *X*). For each predicate *P* ↣ *X* we define □<sup>*B*,*c*</sup>*P* ↣ *X* (where we usually omit the superscripts) to be the unique fixed point of the contractive endomap

$$S \mapsto \Box^{\overline{B},c}(S,P) \quad \text{on} \quad \mathbf{Pred}\_X(\mathcal{C}). \tag{22}$$

Theorem 25. *The predicate* □*P is the unique locally maximal logical refinement of P.*

*Proof.* By (22), □*P* is the unique predicate satisfying □*P* = □(□*P*, *P*). By (21), this equality says that □*P* is the greatest □*P*-relative invariant contained in *P*, as needed. □

Example 26. Let *B* be the behaviour bifunctor on Set<sup>Ty</sup> given by (3). Its canonical lifting *B* (Example 9) is contractive because *B*τ1→τ2(*P*, *Q*) depends only on *P*τ1, *Q*τ2, *Q*τ1→τ2; in other words, *B* decreases the size of types in the contravariant argument and does not increase it in the covariant argument. Given a coalgebra *c*: *X* → *B*(*X*, *X*) and *P* ↣ *X*, the fixed point □<sup>*B*,*c*</sup>*P* is given by the Ty-indexed family of greatest fixed points

$$\begin{aligned} \Box P\_{\mathsf{unit}} &= \nu G.\, P\_{\mathsf{unit}} \wedge c\_{\mathsf{unit}}{}^\star[G + 1],\\ \Box P\_{\tau\_1 \to \tau\_2} &= \nu G.\, P\_{\tau\_1 \to \tau\_2} \wedge c\_{\tau\_1 \to \tau\_2}{}^\star[G + \{ f\colon X\_{\tau\_1} \to X\_{\tau\_2} \mid \forall s \in \Box P\_{\tau\_1}.\, f(s) \in \Box P\_{\tau\_2} \}]. \end{aligned}$$

This follows from Theorem 25 since the above predicate is clearly a locally maximal refinement of *P*. By instantiating *c* to the operational model γ: µΣ → *B*(µΣ, µΣ) of xTCL and taking *P* = ⇓, we recover the definition of □⇓ in Example 15.

Example 27. The logical predicate ⇛ ↣ Tr of Example 16 is precisely □⇓ for P*D* w.r.t. its canonical lifting and the coalgebra ˜˜γ: Tr → P*D*(Tr, Tr). More generally, for a coalgebra *c*: *X* → P*D*(*X*, *X*), the predicate □*P* is inductively defined as follows:

$$\begin{aligned} \Box P\_{\mathsf{unit}} &= P\_{\mathsf{unit}},\\ \Box P\_{\tau\_1 \to \tau\_2} &= P\_{\tau\_1 \to \tau\_2} \land c\_{\tau\_1 \to \tau\_2}{}^\star[\{ F \subseteq X\_{\tau\_2}^{X\_{\tau\_1}} \mid \forall f \in F.\; \forall s \in \Box P\_{\tau\_1}.\, f(s) \in \Box P\_{\tau\_2} \}]. \end{aligned}$$

Remark 28. The construction of logical predicates for typed languages is enabled by the "type-decreasing" nature of the associated behaviour bifunctors. In untyped settings, e.g. for *B*(*X*, *Y*) = *Y* + *Y*<sup>*X*</sup> on Set modelling untyped combinatory logic [24], the canonical lifting *B* is not contractive, hence the fixed point □*P* in general fails to exist.

Remark 29. The forgetful functor |−|: Pred(C) → C forms a complete lattice fibration [35], equivalently a topological functor [2], and all notions and results of the present subsection extend to that level of generality. We leave the details for future work, as the reasoning techniques in the upcoming sections are tailored to logical predicates.

We are now in a position to state precisely what a proof via logical predicates is in our framework. Given the operational model γ: µΣ <sup>→</sup> *<sup>B</sup>*(µΣ, µΣ) of a higher-order language, a predicate lifting *<sup>B</sup>*, and a target predicate *<sup>P</sup>* <sup>↣</sup> µΣ, a *proof of <sup>P</sup> via logical predicates* is a proof that □*<sup>P</sup>* forms a subalgebra of the initial algebra µΣ, which means

$$
\overline{\Sigma}(\Box P) \le \iota^\star[\Box P], \quad \text{equivalently} \quad \iota\_\star[\overline{\Sigma}(\Box P)] \le \Box P. \tag{23}
$$

Then □*P* = µΣ by structural induction, whence *P* = µΣ because □*P* ≤ *P*.

Up to this point, we have streamlined and formalized coalgebraic logical predicates as a certain abstract construction on predicates (Definition 24) and presented proofs by coalgebraic logical predicates as standard structural induction on said construction. This presentation is indeed that of an abstract method: the various parts of the problem setting, namely the syntax, the behaviour and its predicate lifting, as well as the operational semantics, are all parameters. In the next section, we exploit the parametric and generic nature of this method in two main ways. First, we present up-to techniques that simplify the proof goal (23) as much as possible. Second, we look to instantiate our method to problems on *classes of higher-order languages*, as opposed to reasoning about operational models of individual languages such as xTCL or the λ-calculus.

## 4 Logical Predicates and Higher-Order Abstract GSOS

As indicated before, substantial parts of the proof of strong normalization in Example 15 look generic. Specifically, the properties (2) and (3) established for *Q* = *A* and *Q* = *C* are independent of the choice of predicate *P* = ⇓ in □*P*. Moreover, these steps are either obvious or follow immediately from the operational rules of xTCL: the predicates *A* and *C* being invariants can be attributed to the fact that except for terms of the form *S*′′(−, −), all terms evolve either to a variable or to some flat term such as *p*′ *q*. The core of the proof, which is tailored to the choice of *P*, lies in proving property (1).

As it turns out, for a class of higher-order GSOS laws that we call *relatively flat higher-order GSOS laws*, conditions (2) and (3) are automatic. This insight leads us to a powerful up-to technique that simplifies proofs via logical predicates.

#### 4.1 Relatively Flat Higher-Order GSOS Laws

The following definition abstracts the restricted nature of the rules of xTCL to the level of higher-order GSOS laws. For simplicity, we confine ourselves to 0-pointed laws; however, all the results of this subsection easily extend to the *V*-pointed case.

Definition 30. Let Σ: C → C be a syntax functor of the form Σ = ∐<sub>*j*∈*J*</sub> Σ<sub>*j*</sub>, where (*J*, ≺) is a non-empty well-founded strict partial order, and put Σ<sub>≺*k*</sub> = ∐<sub>*j*≺*k*</sub> Σ<sub>*j*</sub>. A *relatively flat (*0*-pointed) higher-order GSOS law* of Σ over *B* is a *J*-indexed family of morphisms

$$\varrho\_{X,Y}^j \colon \Sigma\_j(X \times B(X,Y)) \to B(X, \Sigma\_{\prec j}^\star(X+Y) + \Sigma\_j \Sigma\_{\prec j}^\star(X+Y)) \tag{24}$$

dinatural in *X* ∈ C and natural in *Y* ∈ C.

We put *e*<sub>*j*,*X*</sub> = [in<sup>♯</sup><sub>≺*j*</sub>, ι · in<sub>*j*</sub> · Σ<sub>*j*</sub>(in<sup>♯</sup><sub>≺*j*</sub>)] : Σ<sup>⋆</sup><sub>≺*j*</sub>*X* + Σ<sub>*j*</sub>Σ<sup>⋆</sup><sub>≺*j*</sub>*X* → Σ<sup>⋆</sup>*X*, where in<sub>≺*j*</sub>: Σ<sub>≺*j*</sub> → Σ and in<sub>*j*</sub>: Σ<sub>*j*</sub> → Σ are the coproduct injections, with free extensions in<sup>♯</sup><sub>≺*j*</sub>: Σ<sup>⋆</sup><sub>≺*j*</sub> → Σ<sup>⋆</sup> and in<sup>♯</sup><sub>*j*</sub>: Σ<sup>⋆</sup><sub>*j*</sub> → Σ<sup>⋆</sup>. Every relatively flat higher-order GSOS law (24) determines an ordinary higher-order GSOS law of Σ over *B* with components

$$
\varrho\_{X,Y} = \coprod\_{j \in J} \Sigma\_j(X \times B(X,Y)) \xrightarrow{\coprod\_{j \in J} \varrho\_{X,Y}^j} \coprod\_{j \in J} B(X, \Sigma\_{\prec j}^\star(X+Y) + \Sigma\_j \Sigma\_{\prec j}^\star(X+Y)) \xrightarrow{[B(X,\, e\_{j,X+Y})]\_{j \in J}} B(X, \Sigma^\star(X+Y)).
$$

When we interpret a higher-order GSOS law as a set of operational rules, relative flatness means that the operations of the language can be ranked in such a way that every term f(−, . . . , −) with f of rank *j* evolves into a term that uses only operations of strictly lower rank, except possibly its head symbol, which may have the same rank *j*.

Example 31. xTCL is relatively flat: put *J* = {0 ≺ 1}, let Σ<sub>0</sub> contain application, and let Σ<sub>1</sub> contain all other operation symbols. This is immediate from the rules in Figure 1.

Definition 32. Suppose that each Σ<sub>*j*</sub> preserves strong epimorphisms. A *predicate lifting* of (24) is a relatively flat 0-pointed higher-order GSOS law (ϱ<sup>*j*</sup>)<sub>*j*∈*J*</sub> of Σ = ∐<sub>*j*</sub> Σ<sub>*j*</sub> over *B* where for every *P* ↣ *X* and *Q* ↣ *Y* the Pred(C)-morphism ϱ<sup>*j*</sup><sub>*P*,*Q*</sub> is carried by ϱ<sup>*j*</sup><sub>*X*,*Y*</sub>.

Remark 33. (1) The condition on Σ<sub>*j*</sub> ensures Σ<sub>*j*</sub><sup>⋆</sup> = Σ<sup>⋆</sup><sub>*j*</sub> (Proposition 7), so that the first component of ϱ<sup>*j*</sup><sub>*P*,*Q*</sub> has type Σ<sub>*j*</sub>(*X* × *B*(*X*, *Y*)) → *B*(*X*, Σ<sup>⋆</sup><sub>≺*j*</sub>(*X* + *Y*) + Σ<sub>*j*</sub>Σ<sup>⋆</sup><sub>≺*j*</sub>(*X* + *Y*)).

(2) Liftings are unique if they exist: since ϱ<sup>*j*</sup><sub>*P*,*Q*</sub> is a Pred(C)-morphism, it is determined by its first component ϱ<sup>*j*</sup><sub>*X*,*Y*</sub>. Moreover, the (di)naturality of ϱ<sup>*j*</sup> follows from that of ϱ<sup>*j*</sup>.

(3) For the canonical lifting *<sup>B</sup>*, a lifting (ϱ *j* )*j*∈*<sup>J</sup>* of (<sup>ϱ</sup> *j* )*j*∈*<sup>J</sup>* always exists [25, App. D].

The following theorem establishes a sound up-to technique for logical predicates. It states that for operational models of relatively flat laws, the proof goal (23) can be established by checking a substantially relaxed property.

Theorem 34 (Induction up to □). *Let* γ: µΣ → *B*(µΣ, µΣ) *be the operational model of a relatively flat* 0*-pointed higher-order GSOS law that admits a predicate lifting. Then for every predicate P* ↣ µΣ *and every locally maximal logical refinement* □<sup>γ,*B*</sup>*P*,

$$
\overline{\Sigma}(\Box^{\gamma,\overline{B}}P) \le \iota^\star[P] \qquad \text{implies} \qquad \overline{\Sigma}(\Box^{\gamma,\overline{B}}P) \le \iota^\star[\Box^{\gamma,\overline{B}}P] \quad (\text{hence } P = \mu \Sigma).
$$

We stress that the theorem applies to any refinement □<sup>γ,*B*</sup>*P* and does not assume a specific construction (e.g. that of Section 3.3). The up-to technique facilitates proofs via logical predicates quite dramatically. For illustration, we revisit strong normalization:

Example 35. We give an alternative proof of strong normalization of xTCL (cf. Example 15) via induction up to □. Hence it suffices to prove

$$
\overline{\Sigma}(\Box{\Downarrow}) \le \iota^\star[{\Downarrow}],
$$

which states that a term is terminating if all of its subterms are in the logical predicate □⇓. This is clear for terms that are not applications, since they immediately terminate (cf. Figure 1). Now consider an application *p q* such that □⇓τ1→τ2(*p*) and □⇓τ1(*q*). Since □⇓ is a logical predicate contained in ⇓, this entails that *p q* ⇒ *p*′ for a (unique) term *p*′, and that □⇓τ2(*p*′), hence ⇓τ2(*p*′). Since *p q* ⇒ *p*′, it follows that ⇓τ2(*p q*).

Analogous reasoning shows that xTCL is strongly normalizing under the call-by-value and the maximally nondeterministic evaluation strategy (Remark 5). In the latter case, strong normalization means that every term must eventually terminate, independently of the order of evaluation.

The reader should compare the above compact argument to the laborious original proof given in Example 15. Our up-to technique can be seen to precisely isolate the non-trivial core of the proof, while providing its generic parts for free. For a further application – type safety of the simply typed λ-calculus – see Section 4.2.

#### 4.2 λ-Laws

We proceed to explain how our theory of logical predicates applies to languages with variables and binders. We highlight the core ideas and technical challenges in the case of the λ-calculus, and briefly sketch their categorical generalization; a full exposition can be found in [25, App. E]. Let STLC be the simply typed call-by-name λ-calculus with the set Ty of types given by (2) and operational rules

$$\frac{t \to t'}{t\, s \to t'\, s} \qquad\qquad (\lambda \mathbf{x} \colon \tau\_1.\, t)\, s \to t[s/\mathbf{x}] \tag{25}$$

where *s*, *t*, *t*′ range over λ-terms of appropriate type, and [−/−] denotes capture-avoiding substitution. To model STLC in higher-order abstract GSOS, we follow ideas by Fiore [18]. Our base category C is the presheaf category (Set<sup>F/Ty</sup>)<sup>Ty</sup>, where F denotes the category of finite cardinals and functions, and the set Ty is regarded as a discrete category. An object Γ: *n* → Ty of F/Ty is a *typed context*, associating to each variable *x* ∈ *n* a type; we put |Γ| := *n*. A presheaf *X* ∈ (Set<sup>F/Ty</sup>)<sup>Ty</sup> associates to each context Γ and each type τ a set *X*τ(Γ) whose elements we think of as terms of type τ in context Γ.

The syntax of STLC is captured by the functor Σ: (Set<sup>F/Ty</sup>)<sup>Ty</sup> → (Set<sup>F/Ty</sup>)<sup>Ty</sup> where

$$\begin{aligned} \Sigma\_{\mathsf{unit}}X &= V\_{\mathsf{unit}} + K\_1 + \coprod\_{\tau \in \mathsf{Ty}} X\_{\tau \to \mathsf{unit}} \times X\_{\tau}, \\ \Sigma\_{\tau\_1 \to \tau\_2}X &= V\_{\tau\_1 \to \tau\_2} + \delta\_{\tau\_2}^{\tau\_1}X + \coprod\_{\tau \in \mathsf{Ty}} X\_{\tau \to \tau\_1 \to \tau\_2} \times X\_{\tau}. \end{aligned} \tag{26}$$

Here *K*<sub>1</sub> ∈ Set<sup>F/Ty</sup> is the constant presheaf on 1, *V* is given by *V*τ(Γ) = {*x* ∈ |Γ| | Γ(*x*) = τ}, and δ by (δ<sup>τ1</sup><sub>τ2</sub>*X*)(Γ) = *X*τ2(Γ + τ̌1), with (−) + τ̌1 denoting context extension by a variable of type τ1. Informally, *K*<sub>1</sub>, *V* and δ represent the constant e: unit, variables, and λ-abstraction, respectively. The initial algebra for Σ is the presheaf Λ of λ-terms, i.e. Λτ(Γ) is the set of λ-terms (modulo α-equivalence) of type τ in context Γ [18].

The behaviour bifunctor *B*<sup>λ</sup>: ((Set<sup>F/Ty</sup>)<sup>Ty</sup>)<sup>op</sup> × (Set<sup>F/Ty</sup>)<sup>Ty</sup> → (Set<sup>F/Ty</sup>)<sup>Ty</sup> for STLC has two separate components: it is given by a product

$$B^\lambda(X,Y) = \langle\langle X, Y \rangle\rangle \times B(X,Y) \tag{27}$$

where
$$\begin{aligned} B(X,Y) &= K\_1 + Y + D(X,Y), & \langle\langle X, Y \rangle\rangle\_{\tau}(\Gamma) &= \mathbf{Set}^{\mathbb{F}/\mathsf{Ty}}\Big(\prod\_{x \in |\Gamma|} X\_{\Gamma(x)},\, Y\_{\tau}\Big), \\ D\_{\mathsf{unit}}(X,Y) &= K\_1, & D\_{\tau\_1 \to \tau\_2}(X,Y) &= Y\_{\tau\_2}^{X\_{\tau\_1}}, \end{aligned}$$

and *Y*<sub>τ2</sub><sup>*X*τ1</sup> is an exponential object in Set<sup>F/Ty</sup>. The bifunctor ⟨⟨−, −⟩⟩ models an abstract substitution structure; for instance, every λ-term *t* ∈ Λτ(Γ) induces a natural transformation ∏<sub>*x*∈|Γ|</sub> Λ<sub>Γ(*x*)</sub> → Λτ in ⟨⟨Λ, Λ⟩⟩τ(Γ) mapping a tuple (*t*1, . . . , *t*<sub>|Γ|</sub>) to the term obtained by simultaneous substitution of the terms *t*<sub>*i*</sub> for the variables of *t*. The summands of the bifunctor *B* abstract from the possible operational behaviour of λ-terms: a term may explicitly terminate, reduce, get stuck (e.g. if it is a variable), or act as a function.

The operational rules (25) of STLC can be encoded into a *V*-pointed higher-order GSOS law of Σ over *<sup>B</sup>* λ , similar to the untyped λ-calculus treated in earlier work [24]. The operational model ⟨ϕ, γ⟩: Λ <sup>→</sup> ⟨⟨Λ, Λ⟩⟩×*B*(Λ, Λ) is the coalgebra whose components ϕ, γ describe the substitution structure and the operational behaviour of λ-terms.

At this point, a key technical issue can be observed: the canonical predicate lifting of ⟨⟨−, −⟩⟩ is not contractive. Indeed, given *P* ↣ *X*, *Q* ↣ *Y*, the predicate ⟨⟨*P*, *Q*⟩⟩τ consists of all natural transformations ∏<sub>*x*∈|Γ|</sub> *X*<sub>Γ(*x*)</sub> → *Y*τ that restrict to ∏<sub>*x*∈|Γ|</sub> *P*<sub>Γ(*x*)</sub> → *Q*τ, and this expression depends on *P*<sub>Γ(*x*)</sub>, where the type Γ(*x*) may be of higher complexity than τ. In particular, we conclude that *B*<sup>λ</sup> is not contractive. In contrast, the canonical lifting *B* is contractive, and hence □<sup>γ,*B*</sup>*P* exists for every *P* ↣ Λ (Definition 24). However, it is well-known that logical predicates do not do the trick for inductive proofs in the λ-calculus, see e.g. [57, p. 9] and [49, p. 150]; rather, one needs to prove the *open extension* of the logical predicate, which is the larger predicate

$$\dot{\Box}^{\gamma,\overline{B}}P = \phi^\star[\langle\langle \Box^{\gamma,\overline{B}}P,\, \Box^{\gamma,\overline{B}}P \rangle\rangle].$$

The standard proof method is then to show □·<sup>γ,*B*</sup>*P* = Λ directly by structural induction. However, this can be greatly simplified by the following up-to principle, which works with the original predicate □<sup>γ,*B*</sup>*P* and forms a counterpart of Theorem 34 for the λ-calculus:

Theorem 36 (Induction up to □· ). *Let P* <sup>↣</sup> <sup>Λ</sup> *be a predicate. Then*

$$
\overline{\Sigma}(\Box^{\gamma,\overline{B}}P) \le \iota^\star[P] \qquad \text{implies} \qquad \overline{\Sigma}(\Box^{\gamma,\overline{B}}P) \le \iota^\star[\Box^{\gamma,\overline{B}}P] \quad (\text{hence } P = \Lambda).
$$

Remark 37. Concretely, the theorem states that to prove *P* = Λ, it suffices to prove that (1) variables satisfy *P*, (2) the unit expression e: unit satisfies *P*, (3) for all application terms *p q* such that □*P*τ1→τ2(Γ)(*p*) and □*P*τ1(Γ)(*q*), we have *P*τ2(Γ)(*p q*), and (4) for all λ-abstractions λ*x*: τ1. *t* such that *t* ∈ □*P*τ2(Γ, *x*), we have *P*τ1→τ2(Γ)(λ*x*: τ1. *t*).

Example 38. We prove type safety for STLC via induction up to □· . Thus consider the predicate Safe <sup>↣</sup> Λ that is constantly true on open terms and given by

$$t \in \mathrm{Safe}\_{\tau}(\emptyset) \iff (\forall e.\; t \Rightarrow e \implies (e \text{ is not an application}) \lor \exists r.\, e \to r)$$

on closed terms. We only need to check the conditions (1)–(4) of Remark 37. Conditions (1), (2), (4) are clear since variables are open terms and the term e: unit and λ-abstractions do not reduce. The only interesting clause is (3) for the empty context. Thus let *p q* be a closed application term with *p* ∈ □Safeτ1→τ2(∅) and *q* ∈ □Safeτ1(∅); we need to show *p q* ∈ Safeτ2(∅). We proceed by case distinction on *p q* ⇒ *e*:

(a) *p* ⇒ *p*′ and *e* = *p*′ *q*. Then *p*′ ∈ □Safeτ1→τ2(∅) by invariance, in particular *p*′ is safe, so *p*′ is either not an application or reduces. In the former case, *p*′ is necessarily a λ-abstraction since it is closed and not of type unit. Thus, in both cases, *e* reduces.

(b) *p* ⇒ λ*x*.*p*′ and *p*′[*q*/*x*] ⇒ *e*. Since □Safe is a logical predicate, from *p* ∈ □Safeτ1→τ2(∅) and *q* ∈ □Safeτ1(∅) we can deduce *p*′[*q*/*x*] ∈ □Safeτ2(∅), whence *e* ∈ □Safeτ2(∅). In particular, *e* is safe, which implies that *e* is either not an application or reduces.

As an exercise, we invite the reader to prove strong normalization of STLC via induction up to □· . The reader should compare these short and simple proofs with more traditional ones, see e.g. [57].
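The safety check of Example 38 can also be played through mechanically on a toy implementation of STLC. The sketch below is our own illustration (the de Bruijn term encoding and all helper names are assumptions, not the paper's formalism): `step` implements the call-by-name rules (25), and `safe` tests the predicate Safe on a closed term by running it and checking that it is never a stuck application.

```python
# Terms (de Bruijn): ("unit",) | ("var", k) | ("lam", ty, body) | ("app", f, a)
# Types: "unit" | ("fun", t1, t2)

def typecheck(t, ctx=()):
    """Return the type of t in context ctx, or None if t is ill-typed."""
    tag = t[0]
    if tag == "unit":
        return "unit"
    if tag == "var":
        return ctx[t[1]] if t[1] < len(ctx) else None
    if tag == "lam":
        body_ty = typecheck(t[2], (t[1],) + ctx)
        return ("fun", t[1], body_ty) if body_ty else None
    f_ty, a_ty = typecheck(t[1], ctx), typecheck(t[2], ctx)
    return f_ty[2] if f_ty and f_ty[0] == "fun" and f_ty[1] == a_ty else None

def subst(t, k, s):
    """Substitute a *closed* term s for variable k in t (no shifting of s needed)."""
    tag = t[0]
    if tag == "var":
        return s if t[1] == k else ("var", t[1] - 1 if t[1] > k else t[1])
    if tag == "lam":
        return ("lam", t[1], subst(t[2], k + 1, s))
    if tag == "app":
        return ("app", subst(t[1], k, s), subst(t[2], k, s))
    return t

def step(t):
    """One call-by-name step per the rules (25); None if t cannot step."""
    if t[0] != "app":
        return None
    f = t[1]
    if f[0] == "lam":                                 # beta
        return subst(f[2], 0, t[2])
    f2 = step(f)                                      # congruence in the function
    return ("app", f2, t[2]) if f2 else None

def safe(t):
    """Safe on a closed term: every reduct is a non-application or steps."""
    while True:
        nxt = step(t)
        if t[0] == "app" and nxt is None:
            return False                              # stuck application
        if nxt is None:
            return True
        t = nxt

u = ("unit",)
idu = ("lam", "unit", ("var", 0))                     # \x:unit. x
print(typecheck(("app", idu, u)))                     # unit
print(safe(("app", idu, u)))                          # True
print(safe(("app", u, u)))                            # False: ill-typed, stuck
```

Note that `safe` only terminates on normalizing terms; for well-typed terms this is guaranteed by strong normalization of STLC, in line with the discussion above.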

All the above results and observations for STLC can be generalized and developed at the level of general higher-order abstract GSOS laws. To this end, we first abstract the behaviour bifunctor (27) to one of the form *B*(*X*, *Y*) = *Y*<sup>*X*</sup> × *B*′(*X*, *Y*), where (−)<sup>(−)</sup> is the internal hom-functor of a suitable closed monoidal structure on the base category C. In the case of STLC, this structure is given by Fiore's *substitution tensor* [18]. Second, we observe that the higher-order GSOS law of STLC is an instance of a special kind of law that we coin *relatively flat* λ*-laws*. The induction-up-to-□· technique of Theorem 36 can then be shown to hold for operational models of relatively flat λ-laws. More details can be found in [25, App. E].

## 5 Strong Normalization for Deterministic Systems, Abstractly

The high level of generality in which the theory of logical predicates is developed above enables reasoning uniformly about whole families of languages and behaviours. In this section, we narrow our focus to deterministic systems and establish a general strong normalization criterion, which can be checked in concrete instances by mere inspection of the operational rules corresponding to higher-order abstract GSOS laws.

Throughout this section, we fix a 0-pointed higher-order GSOS law ϱ of a signature endofunctor Σ: C → C over a behaviour bifunctor *B*: C<sup>op</sup> × C → C, where

$$B(X,Y) = Y + D(X,Y) \quad \text{for some} \quad D \colon \mathcal{C}^{\textsf{op}} \times \mathcal{C} \to \mathcal{C}.$$

For instance, the type functor (3) for xTCL is of that form. The operational model $\gamma\colon \mu\Sigma \to \mu\Sigma + D(\mu\Sigma, \mu\Sigma)$ has an $n$-step extension $\gamma^{(n)}\colon \mu\Sigma \to \mu\Sigma + D(\mu\Sigma, \mu\Sigma)$ for each $n \in \mathbb{N}$, where $\gamma^{(0)}$ is the left coproduct injection and $\gamma^{(n+1)}$ is the composite

$$
\mu\Sigma \xrightarrow{\;\gamma\;} \mu\Sigma + D(\mu\Sigma, \mu\Sigma) \xrightarrow{\;\gamma^{(n)} + \mathrm{id}\;} \mu\Sigma + D(\mu\Sigma, \mu\Sigma) + D(\mu\Sigma, \mu\Sigma) \xrightarrow{\;\mathrm{id} + \nabla\;} \mu\Sigma + D(\mu\Sigma, \mu\Sigma).
$$

We regard $D(\mu\Sigma, \mu\Sigma)$ as a predicate on $B(\mu\Sigma, \mu\Sigma)$ via the right coproduct injection, which is monic by extensivity of $\mathcal{C}$, and define the following predicates on $\mu\Sigma$:

$$\Downarrow_n \,=\, (\gamma^{(n)})^\star [D(\mu \Sigma, \mu \Sigma)] \qquad \text{and} \qquad \Downarrow \,=\, \bigvee\nolimits_n \Downarrow_n$$

In xTCL, these are the predicates of strong normalization after at most $n$ steps and of strong normalization, respectively. Accordingly, we define strong normalization abstractly as follows:
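To make the definitions above tangible, here is a small executable sketch (our own illustration, not part of the paper) of the $n$-step extension for a toy deterministic system: `step` plays the role of γ, returning either a transition into μΣ or a result in the D-summand, and ⇓_n holds exactly when γ^(n) lands in D.

```python
def gamma_n(step, t, n):
    """n-step extension of a one-step behaviour `step`.

    `step(t)` returns ('step', t2) for a transition (the mu-Sigma summand)
    or ('done', r) for a result (the D summand).  gamma^(0) is the left
    coproduct injection; gamma^(n+1) applies `step` once, then gamma^(n).
    """
    if n == 0:
        return ('step', t)            # left injection: nothing observed yet
    tag, v = step(t)
    if tag == 'done':                 # already in the D summand: stay there
        return ('done', v)
    return gamma_n(step, v, n - 1)

def in_down_n(step, t, n):
    """t lies in the predicate ⇓_n iff gamma^(n)(t) lands in the D summand."""
    return gamma_n(step, t, n)[0] == 'done'

# Toy system: natural numbers count down; 0 is the only result.
step = lambda t: ('done', 0) if t == 0 else ('step', t - 1)
```

Here the term `3` needs three transitions plus one final observation, so it lies in ⇓_4 but not in ⇓_3.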

Definition 39. The higher-order GSOS law ϱ is *strongly normalizing* if $\Downarrow \,=\, \mu\Sigma$.

We next identify two natural conditions on the law ϱ that together ensure strong normalization. The first roughly asserts that for a term $t = \mathsf{f}(x_1, \ldots, x_n)$ whose variables $x_i$ are non-progressing, the term $t$ is either non-progressing or progresses to a variable.

Definition 40. The higher-order GSOS law ϱ is *simple* if its components $\varrho_{X,Y}$ restrict to morphisms $\varrho^0_{X,Y}$ as in the diagram below, where $\eta$ is the unit of the free monad $\Sigma^\star$:

$$\begin{array}{ccc}
\Sigma(X \times D(X, Y)) & \xrightarrow{\ \varrho^0_{X,Y}\ } & (X + Y) + D(X, \Sigma^\star(X+Y))\\[2pt]
{\scriptstyle \Sigma(\mathrm{id} \times \mathsf{inr})}\big\downarrow & & \big\downarrow{\scriptstyle \eta + \mathrm{id}}\\[2pt]
\Sigma(X \times (Y + D(X, Y))) & \xrightarrow{\ \varrho_{X,Y}\ } & \Sigma^\star(X+Y) + D(X, \Sigma^\star(X+Y))
\end{array}$$

The second condition asserts that the rules represented by the higher-order GSOS law remain sound when strong transitions are replaced by weak ones. In the following, the *graph* of a morphism $f\colon A \to B$ is the image $\mathrm{gra}(f) \rightarrowtail A \times B$ of $\langle \mathrm{id}, f\rangle \colon A \to A \times B$.

Definition 41. The higher-order GSOS law ϱ *respects weak transitions* if for every $n \in \mathbb{N}$, the graph of the composite below is contained in $\bigvee_k \mathrm{gra}(\gamma^{(k)} \cdot \iota)$.

$$\Sigma(\mu\Sigma) \xrightarrow{\ \Sigma\langle \mathrm{id},\,\gamma^{(n)}\rangle\ } \Sigma(\mu\Sigma \times B(\mu\Sigma, \mu\Sigma)) \xrightarrow{\ \varrho_{\mu\Sigma,\mu\Sigma}\ } B(\mu\Sigma, \Sigma^\star(\mu\Sigma + \mu\Sigma)) \xrightarrow{\ B(\mathrm{id},\,\hat{\iota}\cdot\Sigma^\star\nabla)\ } B(\mu\Sigma, \mu\Sigma)$$

Note that the higher-order GSOS law for xTCL is simple and respects weak transitions. Thus, strong normalization of xTCL is an instance of the following strong normalization theorem for higher-order abstract GSOS. Concerning its conditions, an ω*-directed union* is a colimit of an ω-chain $X_0 \rightarrowtail X_1 \rightarrowtail X_2 \rightarrowtail \cdots$ of monics. We say that monos in $\mathcal{C}$ are ω*-smooth* if any such colimit has monic injections and, moreover, for every compatible cocone of monos, the mediating morphism is monic. This property holds in every locally finitely presentable category [3, Prop. 1.62], e.g. sets, posets, or presheaves.

Theorem 42 (Strong normalization). *Suppose that the following conditions hold:*


*Then the higher-order GSOS law* ϱ *is strongly normalizing.*

Recall that condition (4) holds if *B* is contractive (Theorem 25). The proof uses the induction-up-to-□ technique and a careful categorical abstraction of Example 35.

## 6 Conclusion and Future Work

Our work presents the initial steps towards a unifying, efficient theory of logical relations for higher-order languages based on higher-order abstract GSOS. This theory can be broadened in various directions. One obvious direction would be to extend our theory from predicates to relations. Binary logical relations are often utilized as sound (and sometimes complete) relations w.r.t. *contextual equivalence*. Additional generalizations are suggested by the large amount of existing work on logical relations. One important direction is to generalize the type system to cover, e.g., recursive types, parametric polymorphism, or dependent types. Supporting recursive types will presumably require an adaptation of the method of step-indexing [17] to our abstract setting. Another point of interest is to apply and extend our framework to effectful (e.g. probabilistic) settings [40,54], including e.g. an effectful version of the criterion of Section 5.

As indicated in Remark 29, large parts of our development in Section 3 can be reformulated in fibrational terms. This has the potential merit of enabling abstract reasoning about higher-order programs in metric and differential settings as done in previous work on fine-grain call-by-value [13,14]. In future work, we aim to develop such a generalization, and to explore the connection between our weak transition semantics and the general evaluation semantics used in *op. cit.*

## References





## On Basic Feasible Functionals and the Interpretation Method<sup>⋆</sup>

Patrick Baillot<sup>1</sup>, Ugo Dal Lago<sup>2,3</sup>, Cynthia Kop<sup>4</sup>, and Deivid Vale<sup>4</sup>

<sup>1</sup> Univ. Lille, CNRS, Inria, Centrale Lille, UMR 9189 CRIStAL, F-59000 Lille, France patrick.baillot@univ-lille.fr
<sup>2</sup> University of Bologna, Bologna, Italy ugo.dallago@unibo.it
<sup>3</sup> INRIA Sophia Antipolis, Valbonne, France
<sup>4</sup> Radboud University Nijmegen, Nijmegen, The Netherlands {c.kop,deividvale}@cs.ru.nl

Abstract. The class of basic feasible functionals (BFF) is the analog of FP (polynomial time functions) for type-2 functionals, that is, functionals that can take (first-order) functions as arguments. BFF can be defined through Oracle Turing machines with running time bounded by second-order polynomials. On the other hand, higher-order term rewriting provides an elegant formalism for expressing higher-order computation. We address the problem of characterizing BFF by higher-order term rewriting. Various kinds of interpretations for first-order term rewriting have been introduced in the literature for proving termination and characterizing (first-order) complexity classes. In this paper, we consider a recently introduced notion of cost–size interpretations for higher-order term rewriting and see definitions as ways of computing functionals. We then prove that the class of functionals represented by higher-order terms admitting a certain kind of cost–size interpretation is exactly BFF.

Keywords: Basic Feasible Functionals · Higher-Order Term Rewriting · Tuple Interpretations · Computational Complexity

## 1 Introduction

Computational complexity classes, and in particular those relating to polynomial time and space [20,11], capture the concept of a feasible problem, and as such have been scrutinized with great care by the scientific community over the last fifty years. The fact that even apparently simple problems, such as the nontrivial separation between those classes, remain open today has highlighted the need for a comprehensive study aimed at investigating the deep nature of computational complexity. The so-called implicit computational complexity [8,30,33,13,4] fits into this picture, and is concerned with characterizations of complexity classes based on tools from mathematical logic and the theory of programming languages.

<sup>⋆</sup> This work is supported by the NWO TOP project "Implicit Complexity through Higher-Order Rewriting", NWO 612.001.803/7571, the NWO VIDI project "Constrained Higher-Order Rewriting and Program Equivalence", NWO VI.Vidi.193.075, and the ERC CoG "Differential Program Semantics", GA 818616.

https://doi.org/10.1007/978-3-031-57231-9_4

One of the areas involved in this investigation is certainly that of term rewriting [34], which has proved useful as a tool for the characterization of complexity classes. In particular, the class FP (i.e., of polytime first-order functions) has been characterized through variations of techniques originally introduced for termination, e.g., the interpretation method [31,29], path orders [15], or dependency pairs [16]. Some examples of such characterizations can be found in [7,9,10,1,3].

After the introduction of FP, it became clear that the study of computational complexity also applies to higher-order functionals, i.e., functions that take not only data but also other functions as inputs. The pioneering work of Constable [12], Mehlhorn [32], and Kapron and Cook [22] laid the foundations of so-called higher-order complexity, which remains a prolific research area to this day. Some motivations for this line of work can be found, e.g., in computable analysis [24], NP search problems [6], and programming language theory [14].

There have been several proposals for a class of type-2 functionals that correctly generalizes FP. However, the most widely accepted one is the class BFF of basic feasible functionals. This class can be characterized based on function algebras, in Cobham style, but it can also be described using Oracle Turing machines (OTMs). The class BFF has since been the object of study by the research community, which over the years has introduced a variety of characterizations, e.g., in terms of programming languages with restricted recursion schemes [21,14], typed imperative languages [17,18], and restricted forms of iteration in OTMs [23]. An investigation of higher-order complexity classes employing the higher-order interpretation method (in the context of a pure higher-order functional language) was also proposed in [19]. However, that paper does not provide a characterization of the standard BFF class. Instead, it characterizes a newly proposed class SFF<sub>2</sub> (Safe Feasible Functionals), which is defined as the restriction of BFF to argument functions in FP (see Sect. 4.2 and the conclusion in [19]).

The studies cited above present structurally complex programming languages and logical systems, precisely due to the presence of higher-order functions. It is not currently known whether it is possible to give a characterization of BFF in terms of mainstream concepts of rewriting theory, although the latter has long been known to provide tools for the modeling and analysis of functional programs with higher-order functions [25].

This paper goes precisely in that direction by showing that the interpretation method in the form studied by Kop and Vale [27,26] provides the right tools to characterize BFF. More precisely, we consider a class of higher-order rewriting systems admitting cost–size tuple interpretations (with some mild upper-bound conditions on their cost and size components) and show that this class contains exactly the functionals in BFF. Such a characterization could not have been obtained employing classical integer interpretations as e.g. in [9] because BFF crucially relies on some conditions both on size and on time. This is the main contribution of our paper, formally stated in Theorem 2.

We believe that a benefit of this characterization is that it opens the way to effectively handling programs or executable specifications implementing BFF functions, in full generality. For instance, we expect that such a characterization

could be integrated into rewriting-based tools for complexity analysis of term rewriting systems such as e.g. [2].

Our result is proved in two parts. We first prove that if any term rewriting system in this class computes a higher-order functional, then this functional has to be in BFF (soundness). Conversely, we prove that all functionals in BFF are computed by this class of rewriting systems (completeness). We argue that the key ingredient towards achieving this characterization is the ability to split the dual notions of cost and size given by the usage of tuple interpretations.

## 2 Preliminaries

#### 2.1 Higher-Order Rewriting

We roughly follow the definition of simply-typed term rewriting system [28] (STRS): terms are applicative, and we limit our interest to second-order STRSs where all rules have base type. Reductions follow an innermost evaluation strategy.

Let B be a nonempty set whose elements are called base types, ranged over by ι, κ, ν. The set T(B) of simple types over B is defined by the grammar T(B) := B | T(B) ⇒ T(B). Types from T(B) are ranged over by σ, τ, ρ. The ⇒ type constructor is right-associative, so we write σ ⇒ τ ⇒ ρ for (σ ⇒ (τ ⇒ ρ)). Hence, every type σ can be written as σ<sub>1</sub> ⇒ · · · ⇒ σ<sub>n</sub> ⇒ ι. We may write such types as ⃗σ ⇒ ι. The order of a type is: ord(ι) = 0 for ι ∈ B and ord(σ ⇒ τ) = max(1 + ord(σ), ord(τ)). A signature F is a triple (B, Σ, typeOf) where B is a set of base types, Σ is a nonempty set of symbols, and typeOf : Σ −→ T(B). For each type σ, we assume given a set X<sub>σ</sub> of countably many variables, and assume that X<sub>σ</sub> ∩ X<sub>τ</sub> = ∅ if σ ≠ τ. We let X denote ∪<sub>σ</sub>X<sub>σ</sub> and assume that Σ ∩ X = ∅.
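The order function on simple types can be transcribed directly; the following Python sketch (our own illustration, representing σ ⇒ τ as a nested tuple) makes the definition executable:

```python
def order(ty):
    """ord(ι) = 0 for a base type; ord(σ ⇒ τ) = max(1 + ord(σ), ord(τ)).

    Types are strings (base types) or tuples ('=>', sigma, tau).
    """
    if isinstance(ty, str):
        return 0
    _, sigma, tau = ty
    return max(1 + order(sigma), order(tau))

# nat ⇒ nat is first order; (nat ⇒ nat) ⇒ nat ⇒ nat is second order,
# matching the restriction ord(typeOf(f)) ≤ 2 imposed below.
nat2nat = ('=>', 'nat', 'nat')
funcprod_ty = ('=>', nat2nat, ('=>', 'nat', 'nat'))
```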

The set T(F, X) — of terms built from F and X — collects those expressions s for which a judgment s : σ can be deduced using the following rules:

$$\text{(ax)}\ \frac{x \in \mathbb{X}_\sigma}{x : \sigma} \qquad \text{(f-ax)}\ \frac{\mathsf{f} \in \Sigma \quad \mathsf{typeOf}(\mathsf{f}) = \sigma}{\mathsf{f} : \sigma} \qquad \text{(app)}\ \frac{s : \sigma \Rightarrow \tau \quad t : \sigma}{(s\ t) : \tau}$$

As usual, application of terms is left-associative, so we write s t u for ((s t) u). Let vars(s) be the set of variables occurring in s. A term s is ground if vars(s) = ∅. The head symbol of a term f s<sub>1</sub> · · · s<sub>n</sub> is f. We say t is a subterm of s (written s ⊵ t) if either (a) s = t, or (b) s = s′ s″ and s′ ⊵ t or s″ ⊵ t. It is a proper subterm of s if s ≠ t. For a term s, pos(s) is the set of positions in s: pos(x) = pos(f) = {♯} and pos(s t) = {♯} ∪ {1 · u | u ∈ pos(s)} ∪ {2 · u | u ∈ pos(t)}. For p ∈ pos(s), the subterm s|<sub>p</sub> at position p is given by: s|<sub>♯</sub> = s and (s<sub>1</sub> s<sub>2</sub>)|<sub>i·p</sub> = s<sub>i</sub>|<sub>p</sub>.
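The position functions can likewise be transcribed (our own sketch, with ♯ rendered as the empty tuple, atoms as strings, and applications as pairs):

```python
def pos(s):
    """Positions of an applicative term: {♯} for atoms, and
    {♯} ∪ {1·u | u ∈ pos(left)} ∪ {2·u | u ∈ pos(right)} for (s t)."""
    if isinstance(s, str):
        return {()}
    left, right = s
    return ({()}
            | {(1,) + p for p in pos(left)}
            | {(2,) + p for p in pos(right)})

def subterm_at(s, p):
    """The subterm s|_p: s|_♯ = s and (s1 s2)|_{i·p} = s_i|_p."""
    for i in p:
        s = s[i - 1]
    return s

# The term add x y, written applicatively as ((add x) y):
t = (('add', 'x'), 'y')
```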

In this paper, we require that for all f ∈ Σ, ord(typeOf(f)) ≤ 2, so w.l.o.g., f : (⃗ι<sub>1</sub> ⇒ κ<sub>1</sub>) ⇒ · · · ⇒ (⃗ι<sub>k</sub> ⇒ κ<sub>k</sub>) ⇒ ν<sub>1</sub> ⇒ · · · ⇒ ν<sub>l</sub> ⇒ ι. Hence, in a fully applied term f s<sub>1</sub> . . . s<sub>k</sub> t<sub>1</sub> . . . t<sub>l</sub> we say the s<sub>i</sub> are the type-1 arguments and the t<sub>j</sub> are the type-0 arguments of f. A substitution γ is a type-preserving map from variables to terms such that {x ∈ X | γ(x) ≠ x} is finite. We extend γ to terms as usual: xγ = γ(x), fγ = f, and (s t)γ = (sγ) (tγ). A context C is a term with a single occurrence of a variable □; the term C[s] is obtained by replacing □ by s.

A rewrite rule ℓ → r is a pair of terms of the same type such that ℓ = f ℓ<sub>1</sub> · · · ℓ<sub>m</sub> and vars(ℓ) ⊇ vars(r). It is left-linear if no variable occurs more than once in ℓ. A simply-typed term rewriting system (F, R) is a set of rewrite rules R over T(F, X). In this paper, we require that all rules have base type. An STRS is innermost orthogonal if all rules are left-linear and, for any two distinct rules ℓ<sub>1</sub> → r<sub>1</sub>, ℓ<sub>2</sub> → r<sub>2</sub>, there are no substitutions γ, δ such that ℓ<sub>1</sub>γ = ℓ<sub>2</sub>δ. A reducible expression (redex) is a term of the form ℓγ for a rule ℓ → r and substitution γ. The innermost rewrite relation induced by R is defined as follows:


We write →<sup>+</sup><sub>R</sub> for the transitive closure of →<sub>R</sub>. An STRS R is innermost terminating if no infinite rewrite sequence s →<sub>R</sub> t →<sub>R</sub> . . . exists. It is innermost confluent if s →<sup>+</sup><sub>R</sub> t and s →<sup>+</sup><sub>R</sub> u implies that some v exists with t →<sup>+</sup><sub>R</sub> v and u →<sup>+</sup><sub>R</sub> v. It is well known that innermost orthogonality implies innermost confluence. In this paper, we will typically drop the "innermost" adjective and simply refer to terminating/orthogonal/confluent STRSs.

Example 1. Let B = {nat} and 0 : nat, s : nat ⇒ nat, add, mult : nat ⇒ nat ⇒ nat, and funcProd : (nat ⇒ nat) ⇒ nat ⇒ nat ⇒ nat. We then let R be given by:

$$\begin{aligned}
&\mathsf{add}\ \mathsf{0}\ y \to y &&\mathsf{add}\ (\mathsf{s}\ x)\ y \to \mathsf{s}\,(\mathsf{add}\ x\ y)\\
&\mathsf{mult}\ \mathsf{0}\ y \to \mathsf{0} &&\mathsf{mult}\ (\mathsf{s}\ x)\ y \to \mathsf{add}\ y\ (\mathsf{mult}\ x\ y)\\
&\mathsf{funcProd}\ F\ \mathsf{0}\ y \to y &&\mathsf{funcProd}\ F\ (\mathsf{s}\ x)\ y \to \mathsf{funcProd}\ F\ x\ (\mathsf{mult}\ y\ (F\ x))
\end{aligned}$$

Hereafter, we write ⌜n⌝ for the term s(s(. . . 0 . . .)) with n occurrences of s.
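The rules of Example 1 admit a direct functional reading; the following Python sketch (our illustration, not the rewriting machinery itself) mirrors each rule as a recursive equation on Peano numerals:

```python
# Peano numerals: '0' and ('s', n), so num(n) builds the term ⌜n⌝.
def num(n):
    t = '0'
    for _ in range(n):
        t = ('s', t)
    return t

def val(t):                      # decode ⌜n⌝ back to an int
    k = 0
    while t != '0':
        _, t = t
        k += 1
    return k

def add(x, y):                   # add 0 y → y;  add (s x) y → s (add x y)
    return y if x == '0' else ('s', add(x[1], y))

def mult(x, y):                  # mult 0 y → 0; mult (s x) y → add y (mult x y)
    return '0' if x == '0' else add(y, mult(x[1], y))

def funcProd(F, x, y):           # funcProd F (s x) y → funcProd F x (mult y (F x))
    return y if x == '0' else funcProd(F, x[1], mult(y, F(x[1])))
```

Unfolding the last rule shows that `funcProd F ⌜n⌝ ⌜m⌝` computes m · ∏<sub>i&lt;n</sub> F(i), which motivates the non-polynomial size interpretation chosen for funcProd in Example 2.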

#### 2.2 Cost–Size Interpretations

For sets A and B, we write A −→ B for the set of functions from A to B. A quasi-ordered set (A, ⊒) consists of a nonempty set A and a reflexive and transitive relation ⊒ on A. For quasi-ordered sets (A<sub>1</sub>, ⊒<sub>1</sub>) and (A<sub>2</sub>, ⊒<sub>2</sub>), we write A<sub>1</sub> =⇒ A<sub>2</sub> for the set of functions f ∈ A<sub>1</sub> −→ A<sub>2</sub> such that f(x) ⊒<sub>2</sub> f(y) whenever x ⊒<sub>1</sub> y, i.e., A<sub>1</sub> =⇒ A<sub>2</sub> is the space of quasi-order-preserving functions.

For every ι ∈ B, let a quasi-ordered set (S<sub>ι</sub>, ⊒<sub>ι</sub>) be given. We extend this to T(B) by defining S<sub>σ⇒τ</sub> = (S<sub>σ</sub> =⇒ S<sub>τ</sub>, ⊒<sub>σ⇒τ</sub>) where f ⊒<sub>σ⇒τ</sub> g if f(x) ⊒<sub>τ</sub> g(x) for any x ∈ S<sub>σ</sub>. Given a function J<sup>s</sup> mapping f ∈ Σ to some J<sup>s</sup><sub>f</sub> ∈ S<sub>typeOf(f)</sub> and a valuation α mapping x ∈ X<sub>σ</sub> to S<sub>σ</sub>, we can map each term s : σ to an element ⟦s⟧<sup>s</sup><sub>α</sub> of S<sub>σ</sub> naturally as follows: (a) ⟦x⟧<sup>s</sup><sub>α</sub> = α(x); (b) ⟦f⟧<sup>s</sup><sub>α</sub> = J<sup>s</sup><sub>f</sub>; (c) ⟦s t⟧<sup>s</sup><sub>α</sub> = ⟦s⟧<sup>s</sup><sub>α</sub>(⟦t⟧<sup>s</sup><sub>α</sub>).

For every type σ with ord(σ) ≤ 2, we define C<sub>σ</sub> as follows: (a) C<sub>κ</sub> = N for κ ∈ B; (b) C<sub>ι⇒τ</sub> = S<sub>ι</sub> =⇒ C<sub>τ</sub> for ι ∈ B; and (c) C<sub>σ⇒τ</sub> = C<sub>σ</sub> =⇒ S<sub>σ</sub> =⇒ C<sub>τ</sub> if ord(σ) = 1. We want to interpret terms s : σ where both σ and all variables occurring in s are of type order either 0 or 1, as is the case for the left- and right-hand sides of rules. Thus, we let J<sup>c</sup> be a function mapping f ∈ Σ to some J<sup>c</sup><sub>f</sub> ∈ C<sub>typeOf(f)</sub> and assume given, for each type σ, valuations α : X<sub>σ</sub> −→ S<sub>σ</sub> and ζ : X<sub>σ</sub> −→ C<sub>σ</sub>. We then define:

$$\begin{aligned}
\llbracket x\ s_1 \cdots s_n \rrbracket^{\mathsf{c}}_{\alpha,\zeta} &= \zeta(x)(\llbracket s_1 \rrbracket^{\mathsf{s}}_{\alpha}, \ldots, \llbracket s_n \rrbracket^{\mathsf{s}}_{\alpha})\\
\llbracket \mathsf{f}\ s_1 \cdots s_k\ t_1 \cdots t_n \rrbracket^{\mathsf{c}}_{\alpha,\zeta} &= \mathcal{J}^{\mathsf{c}}_{\mathsf{f}}(\llbracket s_1 \rrbracket^{\mathsf{c}}_{\alpha,\zeta}, \llbracket s_1 \rrbracket^{\mathsf{s}}_{\alpha}, \ldots, \llbracket s_k \rrbracket^{\mathsf{c}}_{\alpha,\zeta}, \llbracket s_k \rrbracket^{\mathsf{s}}_{\alpha}, \llbracket t_1 \rrbracket^{\mathsf{s}}_{\alpha}, \ldots, \llbracket t_n \rrbracket^{\mathsf{s}}_{\alpha})
\end{aligned}$$

We let cost(s)<sub>α,ζ</sub> = Σ{⟦t⟧<sup>c</sup><sub>α,ζ</sub> | s ⊵ t and t is a non-variable term of base type}. This is all well-defined under our assumptions that all variables have a type of order 0 or 1, and f : (⃗ι<sub>1</sub> ⇒ κ<sub>1</sub>) ⇒ · · · ⇒ (⃗ι<sub>k</sub> ⇒ κ<sub>k</sub>) ⇒ ν<sub>1</sub> ⇒ · · · ⇒ ν<sub>l</sub> ⇒ ι. We also define cost′(s)<sub>α,ζ</sub> = Σ{⟦t⟧<sup>c</sup><sub>α,ζ</sub> | s ⊵ t and t ∉ X is of base type and not in normal form}.

A cost–size interpretation F for a second-order signature F = (B, Σ, typeOf) is a choice of a quasi-ordered set S<sub>ι</sub>, for each ι ∈ B, along with cost- and size-interpretations J<sup>c</sup> and J<sup>s</sup> defined as above. Let (F, R) be an STRS over F. We say (F, R) is compatible with a cost–size interpretation if for any valuations α and ζ, we have (a) ⟦ℓ⟧<sup>c</sup><sub>α,ζ</sub> > cost(r)<sub>α,ζ</sub> and (b) ⟦ℓ⟧<sup>s</sup><sub>α</sub> ⊒ ⟦r⟧<sup>s</sup><sub>α</sub>, for all rules ℓ → r in R. In this case, we say such a cost–size interpretation orients all rules in R.

Theorem 1 (Innermost Compatibility). Suppose R is an STRS compatible with a cost–size interpretation F. Then for any valuations α and ζ we have cost′(s)<sub>α,ζ</sub> > cost′(t)<sub>α,ζ</sub> and ⟦s⟧<sup>s</sup><sub>α</sub> ⊒ ⟦t⟧<sup>s</sup><sub>α</sub> whenever s →<sub>R</sub> t.

From compatibility, we have that if s<sub>0</sub> →<sub>R</sub> · · · →<sub>R</sub> s<sub>n</sub>, then n ≤ cost′(s<sub>0</sub>). Hence, cost′(s) bounds the derivation height of s. This follows from [26, Corollary 34], although we significantly simplified the presentation: the limitation to second-order fully applied rules and the lack of abstraction terms allow us to avoid many of the complexities in [26]. We also adapted it to innermost rather than call-by-value evaluation. A correctness proof of this version is supplied in [5]. Since α and ζ are universally quantified, we typically omit them, and just write x instead of α(x) and F<sup>c</sup> instead of ζ(F).

Example 2. We let S<sub>nat</sub> = (N, ≥) and assign J<sup>s</sup><sub>0</sub> = 0 and J<sup>s</sup><sub>s</sub> = λλx.x + 1, as well as J<sup>c</sup><sub>0</sub> = 0 and J<sup>c</sup><sub>s</sub> = λλx.0. This gives us ⟦⌜n⌝⟧<sup>s</sup> = n for all n ∈ N, and ⟦⌜n⌝⟧<sup>c</sup> = cost(⌜n⌝) = 0. Now, we let J<sup>s</sup><sub>add</sub> = λλxy.x + y and J<sup>s</sup><sub>mult</sub> = λλxy.x ∗ y; then indeed ⟦ℓ⟧<sup>s</sup> ≥ ⟦r⟧<sup>s</sup> for the first four rules of Example 1 (e.g., ⟦mult (s x) y⟧<sup>s</sup> = (x + 1) ∗ y ≥ y + (x ∗ y) = ⟦add y (mult x y)⟧<sup>s</sup>). Moreover, let us choose J<sup>c</sup><sub>add</sub> = λλxy.x + 1 and J<sup>c</sup><sub>mult</sub> = λλxy.x ∗ y + 2 ∗ x + 1. Then also ⟦ℓ⟧<sup>c</sup> > cost(r) for all rules; for example, ⟦mult (s x) y⟧<sup>c</sup> = (x + 1) ∗ y + 2 ∗ x + 3 > (y + 1) + (x ∗ y + 2 ∗ x + 1) = ⟦add y (mult x y)⟧<sup>c</sup> + ⟦mult x y⟧<sup>c</sup> = cost(add y (mult x y)). Regarding funcProd, we can orient both rules by choosing J<sup>s</sup><sub>funcProd</sub> = λλF xy.y ∗ max(F(x), 1)<sup>x</sup> and J<sup>c</sup><sub>funcProd</sub> = λλF G xy.2 ∗ x ∗ y ∗ max(F(x), 1)<sup>x+1</sup> + x ∗ G(x) + 2 ∗ x + 1. This works due to the monotonicity assumption, which provides, e.g., G(x + 1) ≥ G(x). (This function is not polynomial, but that is allowed in the general case.)
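The orientation inequalities can be spot-checked numerically. The sketch below (our own; it takes the cost interpretation of mult to be λλxy.x ∗ y + 2 ∗ x + 1 and of add to be λλxy.x + 1, with s and 0 contributing size x + 1 and 0 and cost 0, as assumed interpretations consistent with the values computed in the example) checks the rule mult (s x) y → add y (mult x y) on a grid:

```python
# Assumed size and cost interpretations for add and mult.
size_add  = lambda x, y: x + y
size_mult = lambda x, y: x * y
cost_add  = lambda x, y: x + 1
cost_mult = lambda x, y: x * y + 2 * x + 1

def oriented(x, y):
    """Check rule mult (s x) y -> add y (mult x y) for variable sizes x, y."""
    # (b) sizes:  [[mult (s x) y]]^s >= [[add y (mult x y)]]^s
    size_ok = size_mult(x + 1, y) >= size_add(y, size_mult(x, y))
    # (a) costs:  [[mult (s x) y]]^c > cost(add y (mult x y))
    #             = [[add y (mult x y)]]^c + [[mult x y]]^c
    cost_ok = (cost_mult(x + 1, y)
               > cost_add(y, size_mult(x, y)) + cost_mult(x, y))
    return size_ok and cost_ok
```

Of course, a finite grid is evidence rather than a proof; the symbolic inequality in the example holds for all x, y.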

#### 2.3 Basic Feasible Functionals

We assume familiarity with Turing machines. In this paper, we consider deterministic multi-tape Turing machines. Those are, conceptually, machines consisting of a finite set of states and one or more (but a fixed number of) right-infinite tapes divided into cells. Each tape is equipped with a tape head that scans the symbols on the tape's cells and may write on it. The head can move to the left or right. Let W = {0, 1}<sup>∗</sup>. A k-ary Oracle Turing Machine (OTM) is a deterministic multi-tape Turing machine with at least 2k + 1 tapes: one main tape for input/output,

k designated query tapes, and k designated answer tapes. It also has k distinct query states q<sub>i</sub> and k answer states a<sub>i</sub>.

A computation with a k-ary OTM M requires k fixed oracle functions f<sub>1</sub>, . . . , f<sub>k</sub> : W −→ W. We write M<sub>f⃗</sub> to denote a run of M with these functions. A run of M<sub>f⃗</sub> on w starts with w written on the main tape. It ends when the machine halts, and yields the word that is written on the main tape as output. As usual, we only consider machines that halt on all inputs. The computation proceeds as usual for non-query states. To query the value of f<sub>i</sub> on w, the machine writes w on the corresponding query tape and enters the query state q<sub>i</sub>. Then, in one step, the machine transitions to the answer state a<sub>i</sub> as follows: (a) the query value w written on the query tape for f<sub>i</sub> is read; (b) the contents of the answer tape for f<sub>i</sub> are changed to f<sub>i</sub>(w); (c) the query value w is erased from the query tape; and (d) the head of the answer tape is moved to its first symbol. The running time of M<sub>f⃗</sub> on w is the number of steps used in the computation.

A type-1 function is a mapping in W −→ W. A type-2 functional of rank (k, l) is a mapping in (W −→ W)<sup>k</sup> −→ W<sup>l</sup> −→ W.

Definition 1. We say an OTM M computes a type-2 functional Ψ of rank (k, l) if for all type-1 functions f<sub>1</sub>, . . . , f<sub>k</sub> and x<sub>1</sub>, . . . , x<sub>l</sub> ∈ W, whenever M<sub>f1,...,fk</sub> is started with x<sub>1</sub>, . . . , x<sub>l</sub> written on its main tape (separated by blanks), it halts with Ψ(f<sub>1</sub>, . . . , f<sub>k</sub>, x<sub>1</sub>, . . . , x<sub>l</sub>) written on its main tape.

Definition 2. Let {F<sub>1</sub>, . . . , F<sub>k</sub>} be a set of type-1 variables and {x<sub>1</sub>, . . . , x<sub>l</sub>} a set of type-0 variables. The set Pol<sup>2</sup><sub>N</sub>[F<sub>1</sub>, . . . , F<sub>k</sub>; x<sub>1</sub>, . . . , x<sub>l</sub>] of second-order polynomials over N with indeterminates F<sub>1</sub>, . . . , F<sub>k</sub>, x<sub>1</sub>, . . . , x<sub>l</sub> is generated by:

$$P, Q \coloneqq n \mid x \mid P + Q \mid P \ast Q \mid F(Q)$$

where n ∈ N, x ∈ {x<sub>1</sub>, . . . , x<sub>l</sub>}, and F ∈ {F<sub>1</sub>, . . . , F<sub>k</sub>}.
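A second-order polynomial can be evaluated by structural recursion on this grammar. The little interpreter below (our own sketch, restricted to the rank-(1,1) case with one F and one x) treats F(Q) as an application of the type-1 argument:

```python
def eval_poly(p, F, x):
    """Evaluate a second-order polynomial given as a nested-tuple AST
    following the grammar P, Q ::= n | x | P + Q | P * Q | F(Q)."""
    tag = p[0]
    if tag == 'const':
        return p[1]
    if tag == 'var':
        return x
    if tag == 'add':
        return eval_poly(p[1], F, x) + eval_poly(p[2], F, x)
    if tag == 'mul':
        return eval_poly(p[1], F, x) * eval_poly(p[2], F, x)
    if tag == 'app':                 # F(Q): query the type-1 indeterminate
        return F(eval_poly(p[1], F, x))
    raise ValueError(tag)

# P(F, x) = 3 * F(x) + x, the example used in the text:
P = ('add', ('mul', ('const', 3), ('app', ('var',))), ('var',))
```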

Notice that a polynomial expression can be viewed as a type-2 functional in the natural way, e.g., P(F, x) = 3 ∗ F(x) + x is a second-order polynomial functional. Given w ∈ W, we write |w| for its length and define the length |f| of f : W −→ W as |f| = λλn. max<sub>|y|≤n</sub> |f(y)|. This allows us to define BFF as the class of functionals computable by OTMs with running time bounded by a second-order polynomial.
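For small n, the length |f| can be computed by brute force over all words of length at most n, which is handy when experimenting with such running-time bounds (our own sketch):

```python
from itertools import product

def f_len(f, n):
    """|f|(n) = max over all words y in W = {0,1}* with |y| <= n of |f(y)|."""
    best = len(f(''))                  # the empty word always has length <= n
    for k in range(1, n + 1):
        for bits in product('01', repeat=k):
            best = max(best, len(f(''.join(bits))))
    return best

double = lambda w: w + w               # a type-1 function with |double|(n) = 2n
```

The loop is exponential in n, so this is only a testing aid, not an efficient procedure.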

Definition 3. A type-2 functional Ψ is in BFF if there exist an OTM M and a second-order polynomial P such that M computes Ψ and for all ⃗f and ⃗x, the running time of M<sub>f1,...,fk</sub> on x<sub>1</sub>, . . . , x<sub>l</sub> is at most P(|f<sub>1</sub>|, . . . , |f<sub>k</sub>|, |x<sub>1</sub>|, . . . , |x<sub>l</sub>|).

## 3 Statement of the Main Result

The main result of this paper roughly states that BFF consists exactly of those type-2 functionals computed by an STRS compatible with a polynomially bounded cost–size tuple interpretation. To formally state this result, we must first define what it means for an STRS to compute a type-2 functional and define precisely the class of cost–size interpretations we are interested in.

Indeed, let us start by encoding words in W as terms. We let bit, word ∈ B and introduce symbols o, i : bit, [] : word, and :: : bit ⇒ word ⇒ word. Then, for instance, 001 is encoded as the term :: o (:: o (:: i [])). We use the cleaner list-like notation [o; o; i] in practice. Let w denote the term encoding of a word w. Next, we encode type-1 functions as a possibly infinite set of one-step rewrite rules.
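The word encoding is easy to transcribe (our own sketch, with :: as a tagged pair and [] as the empty list):

```python
def encode(w):
    """Encode a word over {0,1} as a term, e.g. 001 as :: o (:: o (:: i []))."""
    t = '[]'
    for b in reversed(w):
        t = ('::', 'o' if b == '0' else 'i', t)
    return t

def decode(t):
    """Read a word back from its term encoding."""
    out = []
    while t != '[]':
        _, b, t = t
        out.append('0' if b == 'o' else '1')
    return ''.join(out)
```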

Definition 4. Consider a type-1 function f : W −→ W and let S<sub>f</sub> : word ⇒ word be a fresh function symbol. A set of rules R<sub>f</sub> defines f by way of S<sub>f</sub> if for each w ∈ W there is exactly one rule of the form S<sub>f</sub> w → f(w) in R<sub>f</sub>.

Henceforth, we assume that the STRS (F, R) at hand is such that F contains o, i, [], :: typed as above, and a distinguished symbol F : (word ⇒ word)<sup>k</sup> ⇒ word<sup>l</sup> ⇒ word. Given type-1 functions f<sub>1</sub>, . . . , f<sub>k</sub>, we write F<sub>f⃗</sub> for F extended with function symbols S<sub>fi</sub> : word ⇒ word, with 1 ≤ i ≤ k, and let R<sub>+f⃗</sub> = R ∪ ⋃<sup>k</sup><sub>i=1</sub> R<sub>fi</sub>. Now we can define the notion of type-2 computability for such STRSs.

Definition 5. Let (F, R) be an STRS. We say that F computes the type-2 functional Ψ in (F, R) if for all type-1 functions f<sub>1</sub>, . . . , f<sub>k</sub> and all w<sub>1</sub>, . . . , w<sub>l</sub> ∈ W, F S<sub>f1</sub> · · · S<sub>fk</sub> w<sub>1</sub> · · · w<sub>l</sub> →<sup>+</sup><sub>R+f⃗</sub> u, where u = Ψ(f<sub>1</sub>, . . . , f<sub>k</sub>, w<sub>1</sub>, . . . , w<sub>l</sub>).

Next, we define what we mean by a polynomially bounded interpretation.

Definition 6. We say an STRS (F, R) admits a polynomially bounded interpretation if (F, R) is compatible with a cost–size interpretation such that:


Finally, we can formally state our main result.

Theorem 2. A type-2 functional Ψ is in BFF if and only if there exists a finite orthogonal STRS (F, R) such that the distinguished symbol F computes Ψ in (F, R) and R admits a polynomially bounded cost–size interpretation.

We prove this result in two parts. First, we prove soundness in Section 4, which states that every type-2 functional computed by an STRS as above is in BFF. Then, in Section 5, we prove completeness, which states that every functional in BFF can be computed by such an STRS. In order to simplify proofs, we only consider type-2 functionals of rank (1, 1). We claim that the results can be easily generalized, but the proofs become more tedious when handling multiple arguments.

Example 3. Let us consider the type-2 functional defined by Ψ := λλf x. Σ<sub>i&lt;|x|</sub> f(i).

Notice that Ψ adds up f(i) over each word i ∈ W whose value (as a natural number) is smaller than the length of x. This functional was proved to lie in BFF in [21], where the authors utilized an encoding of Ψ as a BTLP<sup>2</sup> program. We can encode Ψ as an STRS as follows. Let us consider ancillary symbols lengthOf : word ⇒ nat and toBin : nat ⇒ word. The former computes the length of a given

word and the latter converts a number from unary to binary representation. We also consider rules for addition on binary words, i.e., +<sup>B</sup> : word ⇒ word ⇒ word, which we use in infx notation below.

$$\begin{aligned}
\mathsf{compute}\ F\ x\ \mathsf{0}\ acc &\to acc\\
\mathsf{compute}\ F\ x\ (\mathsf{s}\ i)\ acc &\to \mathsf{compute}\ F\ x\ i\ (acc +_{\mathsf{B}} F\,(\mathsf{toBin}\ i))\\
\mathsf{start}\ F\ x &\to \mathsf{compute}\ F\ x\ (\mathsf{lengthOf}\ x)\ []
\end{aligned}$$

Now, if we want to compute Ψ(f, x) we simply reduce the term start S<sub>f</sub> x to normal form. To show that the functional computed by this system is in BFF via our rewriting formalism, we need to exhibit a cost–size tuple interpretation for it that satisfies Definition 6; see [5, Example 3].
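The rules of Example 3 admit a direct functional reading (our own sketch; we read the second rule as compute F x (s i) acc → compute F x i (acc +_B F (toBin i)), identify the unary counter with a Python int, read words as binary numbers so that +_B is binary addition, and render toBin with Python's binary formatting):

```python
def to_bin(i):                       # toBin: unary number -> binary word
    return format(i, 'b')

def add_B(v, w):                     # +_B: addition on words read as binary
    return format(int(v or '0', 2) + int(w or '0', 2), 'b')

def compute(f, x, i, acc):
    if i == 0:                       # compute F x 0 acc -> acc
        return acc
    # compute F x (s i) acc -> compute F x i (acc +_B F (toBin i))
    return compute(f, x, i - 1, add_B(acc, f(to_bin(i - 1))))

def start(f, x):                     # start F x -> compute F x (lengthOf x) []
    return compute(f, x, len(x), '')
```

With f the identity on binary words, Ψ(f, x) = Σ<sub>i&lt;|x|</sub> i; e.g. for |x| = 4 this is 0 + 1 + 2 + 3 = 6, the word 110.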

## 4 Soundness

In order to prove soundness, let us consider a fixed finite orthogonal STRS R that admits a polynomially bounded cost–size interpretation and computes a type-2 functional Ψ. We proceed to show that Ψ is in BFF roughly as follows:


#### 4.1 Interpreting The Extended STRS, Polynomially

Our first goal is to provide a polynomially bounded cost–size interpretation for the extended system R+f. We start with the observation that the size interpretation of words in W is proportional to their length. Indeed, since J^s_:: = λxy.x + y + c (Definition 6), let µ := max(J^s_o, J^s_i) + c and ν := J^s_[]. Consequently, for all w ∈ W:

$$|w| \le \llbracket \underline{\mathsf{w}} \rrbracket^{\mathsf{s}} \le \mu * |w| + \nu \tag{1}$$

Recall that by Definition 4 the extended system R+f has possibly infinitely many rules of the form S_f w → f(w). Such rules represent calls to an oracle that computes f in a single step. Thus, we set their cost to 1. The size is given by the length of the oracle output, taking the overhead of the interpretation into account. Hence, we obtain:

$$\mathcal{J}^{\mathsf{c}}_{\mathsf{S}_f} = \lambda x.\,1 \qquad \mathcal{J}^{\mathsf{s}}_{\mathsf{S}_f} = \lambda x.\,\mu * |f|(x) + \nu$$

This is weakly monotonic because |f| is. It orients the rules in R_f because ⟦S_f w⟧^c = 1 > 0 = cost(f(w)), and ⟦S_f w⟧^s = µ ∗ |f|(⟦w⟧^s) + ν ≥ µ ∗ |f|(|w|) + ν ≥ µ ∗ |f(w)| + ν by definition of |f|, which is greater than or equal to ⟦f(w)⟧^s.

As J^c_F is bounded by a second-order polynomial λλF^c F^s x.P, we can let D(F, n) := P(λx.1, λx.µ ∗ F(x) + ν, µ ∗ n + ν). Then D is a second-order polynomial, and D(|f|, |w|) ≥ J^c_F(J^c_{S_f}, J^s_{S_f}, ⟦w⟧^s) = cost(F S_f w). By Theorem 1 we see:

Lemma 1. There exists a second-order polynomial D such that D(|f|, |w|) bounds the derivation height of F S_f w for any f ∈ W −→ W and w ∈ W.

Notice that this lemma does not imply that Ψ is in BFF. It only guarantees that there is a polynomial bound on the number of rewriting steps for such systems. However, it does not immediately follow that this number is a reasonable bound for the actual computational cost of simulating a reduction on an OTM. Consider for example a rule f (s n) t → f n (c t t). Every step doubles the size of the term. A naive implementation, which copies the duplicated term in each step, would take exponential time. Moreover, a single step using the oracle can create a very large output, which is not counted towards the cost of the reduction, even though an OTM would be unable to use it without first fully reading it.
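The doubling behaviour can be seen concretely in a short Python sketch (an illustration under our own tuple encoding of terms, not part of the formal development):

```python
# Illustration of the duplication problem: the rule  f (s n) t -> f n (c t t)
# doubles the term-size of t in each step, while a shared-graph representation
# only adds one node per step.

def term_size(t):
    if isinstance(t, tuple):            # an application node with arguments
        return 1 + sum(term_size(a) for a in t[1:])
    return 1                            # a constant

def after_n_steps(n):
    t = "a"                             # some start term t
    for _ in range(n):
        t = ("c", t, t)                 # t := c t t  (both copies materialized)
    return t

# Term representation: exponential growth.
sizes = [term_size(after_n_steps(k)) for k in range(5)]
print(sizes)         # 1, 3, 7, 15, 31 -- roughly doubles each step

# Shared-graph representation: each step adds ONE new c-node that points
# twice at the previous root, so the node count is just k + 1.
graph_sizes = [k + 1 for k in range(5)]
print(graph_sizes)   # 1, 2, 3, 4, 5
```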

Therefore, in order to prove soundness, we show how to realize a reasonable implementation of rewriting w.r.t. OTMs. In essence, we will show that (1) oracle calls are not problematic in the presence of polynomially bounded interpretations, and (2) we can handle duplication with an appropriate representation of rewriting.

#### 4.2 Bounding The Oracle Input

We first deal with the reasonability of oracle calls. We will show that there exists a second-order polynomial B such that if an oracle call S_f x occurs anywhere along the reduction F S_f w →+_R v, then |x| ≤ B(|f|, |w|). From this, we know that the growth of the overall term size during an oracle call is at most |f|(B(|f|, |w|)).

Let P again be the polynomial bounding J^c_F. Since P is a second-order polynomial, each occurrence of a sub-expression F^c(E) in P is a second-order polynomial, and so is its argument E. Let us enumerate these arguments as E1, . . . , En. We can then form the new polynomial Q, defined as

$$Q := \sum\_{i} E\_i \quad \text{where occurrences of } F^c(E\_j') \text{ inside } E\_i \text{ are replaced by 1.}$$

We let B(G, y) := Q(λz.µ ∗ G(z) + ν, µ ∗ y + ν).

Example 4. If $P = \lambda\lambda F^{\mathsf{c}} F^{\mathsf{s}} x.\ x * F^{\mathsf{c}}(3 + F^{\mathsf{s}}(9 * x)) + F^{\mathsf{c}}(12) * F^{\mathsf{c}}(3 + x * F^{\mathsf{c}}(2)) + 5$, then $Q = (3 + F^{\mathsf{s}}(9 * x)) + 12 + (3 + x * 1) + 2 = 20 + F^{\mathsf{s}}(9 * x) + x$. We have $B(G, x) = 20 + \mu * G(9 * (\mu * x + \nu)) + \nu + (\mu * x + \nu) = 20 + 2 * \nu + \mu * G(9 * \mu * x + 9 * \nu) + \mu * x$.
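The construction of Q and B in Example 4 can be checked numerically with a small Python sketch (the values of µ, ν and the function G are hypothetical, chosen only for illustration):

```python
# Example 4, numerically: Q sums the F^c-arguments of P with every nested
# F^c call replaced by 1; B then instantiates Q per Section 4.2.

def P(Fc, Fs, x):
    # the bounding polynomial of Example 4 (for reference)
    return x * Fc(3 + Fs(9 * x)) + Fc(12) * Fc(3 + x * Fc(2)) + 5

def Q(Fs, x):
    # (3 + Fs(9x)) + 12 + (3 + x*1) + 2  =  20 + Fs(9x) + x
    return 20 + Fs(9 * x) + x

def B(G, x, mu, nu):
    # B(G, y) := Q(lambda z. mu*G(z) + nu,  mu*y + nu)
    return Q(lambda z: mu * G(z) + nu, mu * x + nu)

mu, nu = 2, 3          # assumed overhead constants for this illustration
G = lambda z: z + 1    # some monotone length function

# Agrees with the expanded form  20 + 2*nu + mu*G(9*mu*x + 9*nu) + mu*x:
for x in range(6):
    assert B(G, x, mu, nu) == 20 + 2 * nu + mu * G(9 * mu * x + 9 * nu) + mu * x

print(B(G, 4, mu, nu))
```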

Now B gives an upper bound on the argument values for F^c that are considered: if a function differs from J^c_{S_f} only on argument values greater than B(|f|, |w|), then we can use it in P and obtain the same result. Formally:

Lemma 2. Fix f, w. Let G ∈ N −→ N with G(z) = 1 if z ≤ B(|f|, |w|). Then P(G, J^s_{S_f}, ⟦w⟧^s) = P(J^c_{S_f}, J^s_{S_f}, ⟦w⟧^s).

This is proved by induction on the form of P, using that G is never applied to arguments larger than B(|f|, |w|). Lemma 2 is used in the following key result:

Lemma 3 (Oracle Subterm Lemma). Let f : W −→ W be a type-1 function and w ∈ W. If F S_f w →∗_{R+f} C[S_f x] for some context C, then |x| ≤ B(|f|, |w|).

Proof. Towards a contradiction, suppose there exist f, w, and x such that F S_f w →∗_{R+f} C[S_f x] for some context C, and |x| > B(|f|, |w|). Let us now construct an alternative oracle: let 0 : nat, s : nat ⇒ nat, S′_f : word ⇒ word and helper : nat ⇒ word ⇒ word, and for N := D(|f|, |w|), let R′_{f,w} be given by:

$$\begin{array}{ll@{\qquad}l} \mathsf{S}'_f\ \underline{\mathsf{x}} \to \underline{\mathsf{f(x)}} & \text{if } |x| \le B(|f|,|w|) & \mathsf{helper}\ (\mathsf{s}\ x)\ y \to \mathsf{helper}\ x\ y\\ \mathsf{S}'_f\ \underline{\mathsf{x}} \to \mathsf{helper}\ \ulcorner N\urcorner\ \underline{\mathsf{f(x)}} & \text{otherwise} & \mathsf{helper}\ \mathsf{0}\ y \to y \end{array}$$

Here ⌜N⌝ is the unary encoding of N as introduced in Section 2.1. Notice that by definition, the rules for S′_f produce f(x) in one step if |x| ≤ B(|f|, |w|), but take N + 2 steps otherwise. Also observe that S_f and S′_f behave the same; that is, S_f x and S′_f x have the same normal form on any input x. We extend the interpretation function of the original signature with:

$$\mathcal{J}^{\mathsf{c}}_{\mathsf{S}'_f} = \lambda x. \begin{cases} 1 & \text{if } x \le B(|f|,|w|)\\ N+2 & \text{if } x > B(|f|,|w|) \end{cases} \qquad \mathcal{J}^{\mathsf{s}}_{\mathsf{S}'_f} = \mathcal{J}^{\mathsf{s}}_{\mathsf{S}_f}$$
$$\mathcal{J}^{\mathsf{c}}_{\mathsf{helper}} = \lambda xy.\,x+1 \qquad \mathcal{J}^{\mathsf{s}}_{\mathsf{helper}} = \lambda xy.\,y \qquad \mathcal{J}^{\mathsf{s}}_{\mathsf{0}} = 0 \qquad \mathcal{J}^{\mathsf{s}}_{\mathsf{s}} = \lambda x.\,x+1$$

We easily see that this orients all rules in R′_{f,w}. Then, by Lemma 2, cost(F S′_f w) ≤ P(J^c_{S′_f}, J^s_{S′_f}, ⟦w⟧^s) = P(J^c_{S_f}, J^s_{S_f}, ⟦w⟧^s) ≤ D(|f|, |w|) = N. Yet, as we have F S_f w →∗_{R+f} C[S_f x], we also have F S′_f w →∗_{R∪R′_{f,w}} C′[S′_f x], where C′ is obtained from C by replacing all occurrences of S_f by S′_f. Since |x| > B(|f|, |w|) by assumption, the reduction F S′_f w →∗_{R∪R′_{f,w}} C′[S′_f x] →+_{R∪R′_{f,w}} C′[f(x)] takes strictly more than N steps, contradicting Theorem 1. ⊓⊔

#### 4.3 Graph Rewriting


Lemma 1 guarantees that if R is compatible with a suitable interpretation, then at most polynomially many R+f-steps can be performed starting from F S_f w. However, as observed in Section 4.1, this does not yet imply that a type-2 functional computed by an STRS with such an interpretation is in BFF. To simulate a reduction on an OTM, we must find a representation whose size does not increase too much in any given step. The answer is graph rewriting.

Definition 7. A term graph for a signature Σ is a tuple (V, label, succ, Λ) with V a finite nonempty set of vertices; Λ ∈ V a designated vertex called the root; label : V −→ Σ ∪ {@} a partial function with @ fresh; and succ : V −→ V∗ a total function such that succ(v) = v1v2 when label(v) = @ and succ(v) = ε otherwise. We view this as a directed graph, with an edge from v to v′ if v′ ∈ succ(v), and require that this graph is acyclic (i.e., there is no path from any v to itself). Given a term graph G, we will often directly refer to V_G, label_G, etc.

Fig. 1: A term graph, its simplified version, and two graphs with sharing

Term graphs can be denoted visually in an intuitive way. For example, using Σ from Example 1, the graph with V = {v0, . . . , v4}, label = {v0, v1 ↦ @, v2 ↦ add}, succ = {v0 ↦ v1v4, v1 ↦ v2v3, v2, v3, v4 ↦ ε} and Λ = v0 is pictured in Figure 1a. We use ⊥ to indicate unlabeled vertices and a circle for Λ. We will typically omit vertex names, as done in Figure 1b. Note that the definition allows multiple vertices to have the same vertex as successor; these successor vertices with in-degree > 1 are shared. Two examples are shown in Figures 1c and 1d.

Each term has a natural representation as a tree. Formally, for a term s we let [s]_G = (pos(s), label, succ, ♯) where label(p) = @ if s|_p = s1 s2 and label(p) = f if s|_p = f; label(p) is undefined if s|_p is a variable; and succ(p) = (1 · p)(2 · p) if s|_p = s1 s2 and succ(p) = ε otherwise. Essentially, [s]_G maintains the positioning structure of s and forgets variable names. For example, Figure 1b denotes both [add x y]_G and [add x x]_G.

Our next step is to reduce term graphs using rules. We limit interest to left-linear rules, which includes all rules in R+f (as R is orthogonal, and the rules in R_f are ground). To define reduction, we need some helper definitions.

Definition 8. Let G = (V, label, succ, Λ), v ∈ V. The subgraph reach(G, v) of G rooted at v is the term graph (V′, label′, succ′, v) where V′ contains those v′ ∈ V such that a path from v to v′ exists, and label′, succ′ are respectively the restrictions of label and succ to V′.
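Definition 8 amounts to a plain reachability computation; a minimal Python sketch (with our own dictionary encoding of term graphs, not part of the formal development) could look as follows:

```python
# Sketch of Definition 8: reach(G, v) keeps exactly the vertices reachable
# from v and restricts label and succ accordingly.

def reach(label, succ, v):
    """Return (label', succ', root) of the subgraph rooted at v."""
    seen, stack = set(), [v]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(succ[u])           # follow all successor edges
    label2 = {u: f for u, f in label.items() if u in seen}
    succ2 = {u: list(succ[u]) for u in seen}
    return label2, succ2, v

# The term graph of Figure 1a: root v0 is an @-vertex whose successors
# are v1 (itself @ over add and v3) and v4.
label = {"v0": "@", "v1": "@", "v2": "add"}
succ = {"v0": ["v1", "v4"], "v1": ["v2", "v3"],
        "v2": [], "v3": [], "v4": []}
print(sorted(reach(label, succ, "v1")[1]))   # ['v1', 'v2', 'v3']
```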

Definition 9. A homomorphism between two term graphs G and H is a function ϕ : V_G −→ V_H with ϕ(Λ_G) = Λ_H, and for v ∈ V_G such that label_G(v) is defined, label_H(ϕ(v)) = label_G(v) and succ_H(ϕ(v)) = ϕ(v1) . . . ϕ(vk) when succ_G(v) = v1 . . . vk. (If label_G(v) is undefined, succ_H(ϕ(v)) may be anything.)

Definition 10. A redex in G is a triple (ρ, v, ϕ) consisting of some rule ρ = ℓ → r ∈ R+f, a vertex v in V_G, and a homomorphism ϕ : [ℓ]_G −→ reach(G, v).

Definition 11. Let G be a term graph and v1, v2 vertices in G. The redirection of v1 to v2 is the term graph G[v1 ≫ v2] ≡ (V_G, label_G, succ_{G′}, Λ′_G) with

$$\mathtt{succ}\_{G'}(v)\_i = \begin{cases} v\_2, & \text{if } \mathtt{succ}\_G(v)\_i = v\_1 \\ \mathtt{succ}\_G(v)\_i, & \text{otherwise} \end{cases} \qquad \Lambda'\_G = \begin{cases} v\_2 & \text{if } \Lambda\_G = v\_1 \\ \Lambda\_G & \text{otherwise} \end{cases}$$

That is, we replace every reference to v1 by a reference to v2. With these definitions in hand, we can define contraction of term graphs:

Definition 12. Let G be a term graph, and (ρ, v, ϕ) a redex in G with ρ ∈ R+f, such that no other vertex v′ in reach(G, v) admits a redex (so v is an innermost redex position). Write a_x for the position of variable x in ℓ, and recall that a_x is a vertex in [ℓ]_G. By left-linearity, a_x is unique for x ∈ vars(ℓ). The contraction of (ρ, v, ϕ) in G is the term graph J produced after the following steps: H (building), I (redirection), and J (garbage collection).

(building) Let H = (V_H, label_H, succ_H, Λ_G) where:

	- label_H(p) = f if r|_p = f, and label_H(p) = @ otherwise
	- succ_H(p) = ε if r|_p = f; otherwise, succ_H(p) = ψ(1 · p) ψ(2 · p). Here, ψ(q) = q if r|_q is not a variable; if r|_q = x then ψ(q) = ϕ(a_x).

(redirection) If r is a variable x (so H = G), then let I = G[v ≫ ϕ(a_x)]. Otherwise, let I = H[v ≫ ♯], so with all references to v redirected to the root vertex for r.

(garbage collection) Let J := reach(I, Λ<sup>I</sup> ) (so remove unreachable vertices).

We then write G ⇝ J in one step, and G ⇝<sup>n</sup> J for the n-step reduction.

We illustrate this with two examples. First, we aim to rewrite the graph of Figure 2a with a rule add 0 y → y at vertex v. Since the right-hand side is a variable, the building phase does nothing. The result of the redirection phase is given in Figure 2b, and the result of the garbage collection in Figure 2c.

Fig. 2: Reducing a graph with the rule add 0 y → y

#### 82 P. Baillot et al.

Second, we consider a reduction by mult(s x) y → add y (mult x y). Figure 3a shows the result of the building phase, with the vertices and edges added during this phase in red. Redirection sets the root to the squared node (the root of the right-hand side), and the result after garbage collection is in Figure 3b.

Fig. 3: Reducing a term graph with substantial sharing

Note that, even when a term graph G is not a tree, we can find a corresponding term: we assign a variable var(v) to each unlabeled vertex v in G, and let:

$$\theta(v) = \begin{cases} \theta(v_1)\,\theta(v_2) & \text{if } \mathsf{label}(v) = @ \text{ and } \mathsf{succ}(v) = v_1 v_2\\ \mathsf{f} & \text{if } \mathsf{label}(v) = \mathsf{f}\\ var(v) & \text{if } \mathsf{label}(v) \text{ is undefined} \end{cases}$$

Then we may define [G]^{-1}_G = θ(Λ_G). For a linear term s, clearly [[s]_G]^{-1}_G = s (modulo variable renaming). We make the following observation:
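The readback θ can be sketched in a few lines of Python (again with our own dictionary encoding of graphs; the variable names x0, x1, … are generated fresh, as an assumption of this illustration):

```python
# Sketch of the term readback [G]^{-1}: unlabeled vertices become fresh
# variables, @-vertices become applications, other labels become symbols.

def readback(label, succ, v, names=None):
    if names is None:
        names = {}                       # unlabeled vertex -> variable name
    if v not in label:                   # unlabeled: a variable
        return names.setdefault(v, f"x{len(names)}")
    if label[v] == "@":                  # application node
        v1, v2 = succ[v]
        left = readback(label, succ, v1, names)
        right = readback(label, succ, v2, names)
        return f"({left} {right})"
    return label[v]                      # a function symbol

# A graph with the variable vertex v3 shared (as in Figures 1c/1d):
# the shared vertex reads back as the SAME variable twice.
label = {"v0": "@", "v1": "@", "v2": "add"}
succ = {"v0": ["v1", "v3"], "v1": ["v2", "v3"], "v2": [], "v3": []}
print(readback(label, succ, "v0"))   # ((add x0) x0)
```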

Lemma 4. Assume given a term graph G such that there is a path from Λ_G to every vertex in V_G, and let [G]^{-1}_G = s. If G ⇝ H then [G]^{-1}_G →+_{R+f} [H]^{-1}_G. Moreover, if s →_{R+f} t for some t, then there exists H such that G ⇝ H.

Consequently, if →_{R+f} is terminating, then so is ⇝; and if [s]_G ⇝^n G for some ground term s, then s →∗_{R+f} [G]^{-1}_G in at least n steps. Notice that if G does not admit any redex, then [G]^{-1}_G is in normal form. Moreover, since R+f = R ∪ R_f is orthogonal (as R is orthogonal and the R_f rules are non-overlapping) and therefore confluent, this is the unique normal form of s. We conclude:

Corollary 1. If [F S_f w]_G ⇝^n G, then n ≤ D(|f|, |w|); and if G is in normal form, then [G]^{-1}_G = Ψ(f, w).

#### 4.4 Bringing Everything Together

We are now ready to complete the soundness proof following the recipe at the start of the section. Towards the third bullet point, we make the following observation.

Lemma 5. There is a constant a such that, whenever G ⇝ H by a rule in R, then |H| ≤ |G| + a, where |G| denotes the total number of nodes in the graph G.

Proof. In a step using a rule ℓ → r, the number of nodes in the graph can increase by at most |[r]_G|. As there are only finitely many rules in R, we can let a be the number of nodes in the largest graph for a right-hand side r. ⊓⊔

To see that graph rewriting with S_f can be implemented in an efficient way, we observe that the size of any intermediate graph in a reduction [F S_f w]_G ⇝∗ H is bounded by a second-order polynomial over |f|, |w|:

Lemma 6. There is a second-order polynomial Q such that if [F S<sup>f</sup> w]<sup>G</sup> ⇝<sup>∗</sup> H, then |H| ≤ Q(|f|, |w|).

Proof. Let Q(F, x) := x + D(F, x) ∗ (a + F(B(F, x))), where D is the polynomial from Lemma 1, a is the constant from Lemma 5, and B is the polynomial from Section 4.2. This suffices, because there are at most D(|f|, |w|) steps (Lemma 1, Corollary 1), each of which increases the graph size by at most max(a, |f|(B(|f|, |w|))). ⊓⊔

All in all, we are finally ready to prove the soundness side of the main theorem:

Theorem 3. Let R be a finite orthogonal STRS admitting a polynomially bounded interpretation. If F computes a type-2 functional Ψ, then Ψ ∈ BFF.

Proof. Given (F, R), we can construct an OTM M such that, for a given f ∈ W −→ W, the machine M^f executed on w ∈ W computes the normal form of F S_f w under →_{R+f} using graph rewriting. We omit the exact construction, but observe:


By Lemma 6, graph sizes are bounded by a polynomial over |f|, |w|, so by the above reasoning, the same holds for the cost of each reduction step. In summary: the total cost of M^f running on w is bounded by a second-order polynomial in terms of |f| and |w|. As M^f simulates R+f via graph rewriting and R+f computes Ψ, M also computes Ψ. By Definition 3, Ψ is in BFF. ⊓⊔

## 5 Completeness

Recall from Section 3 that to prove completeness we have to show the following: if a given type-2 functional Ψ is in BFF, then there exists an orthogonal STRS

that computes Ψ and admits a polynomially bounded interpretation. We prove this by providing an encoding of OTMs as STRSs that admit a polynomially bounded interpretation.

The encoding is divided into three steps. In Section 5.1, we define the function symbols that allow us to encode any possible machine configuration as a term. In Section 5.2, we encode transitions as reduction rules that rewrite configuration terms. Lastly, we design an STRS to simulate a complete execution of an OTM in polynomially many steps. Achieving this polynomial bound is non-trivial and is done in Sections 5.3–5.4.

Henceforth, we assume given a fixed OTM M and a second-order polynomial P_M such that M operates in time P_M. For simplicity, we assume that the machine has only three tapes (one input/output tape, one query tape, one answer tape); that each non-oracle transition only operates on one tape (i.e., reading/writing and moving the tape head); and that we only have tape symbols {0, 1, B}.

#### 5.1 Representing Configurations

Following Section 3, we have o, i : bit, :: : bit ⇒ word ⇒ word and [] : word. To represent a (partial) tape, we also introduce b : bit for the blank symbol. Now, for instance, a tape with content 011B01BB · · · (followed by infinitely many blanks) may be represented as the list [o; i; i; b; o; i] of type word. We may also add an arbitrary number of blanks at the end of the representation; e.g., [o; i; i; b; o; i; b; b].

We can think of a tape configuration (the combination of a tape and the position of the tape head) as a finite word w1 . . . w_{p−1} # w_p w_{p+1} . . . w_k (followed by infinitely many blanks). Here, the tape's head is reading the symbol w_p. We can split this tape into two components: the left word w1 . . . w_{p−1}, and the right word w_p . . . w_k. To represent a tape configuration, we introduce three symbols:

$$\mathsf{L} : \mathsf{word} \Rightarrow \mathsf{left} \qquad \mathsf{R} : \mathsf{word} \Rightarrow \mathsf{right} \qquad \mathsf{split} : \mathsf{left} \Rightarrow \mathsf{right} \Rightarrow \mathsf{tape}$$

Here, L and R hold the content of the left and right split of the tape, respectively. While we technically do not need these two constructors (we could have split : word ⇒ word ⇒ tape), they serve to make configurations more human-readable. For convenience in rewriting transitions later on, we encode the left side of the split in reverse order. Specifically, we encode w1 . . . w_{p−1} # w_p w_{p+1} . . . w_k as

$$\mathsf{split}\ (\mathsf{L}\ [w_{p-1};\ldots;w_2;w_1])\ (\mathsf{R}\ [w_p;w_{p+1};\ldots;w_k])$$

The symbol currently being read is the first element of the list below R; in the case of R [], this symbol is B. For a concrete example, the tape configuration 1B0#10 is represented by split (L [o; b; i]) (R [i; o]). Since we have assumed an OTM with three tapes, a configuration of the machine at any moment is a tuple (q, t1, t2, t3), with q a state and t1, t2, t3 tape configurations. To represent machine configurations, we introduce, for each state q, a symbol q : tape ⇒ tape ⇒ tape ⇒ confg. Thus, a configuration (q, t1, t2, t3) is represented by a term q T1 T2 T3.

Example 5. The initial configuration of a machine M^f on input w is the tuple (q0, #w, #B, #B). This is represented by the term

initial(w) := q0 (split (L []) (R w)) (split (L []) (R [])) (split (L []) (R []))

To interpret the symbols from this section, we let (S_ι, ⊒_ι) := (N, ≥) for all ι, let J^c_f = λx1 . . . xm.0 whenever f takes m arguments, and for the sizes:

$$\begin{array}{lllll} \mathcal{J}^{\mathsf{s}}_{\mathsf{o}} = 0 & \mathcal{J}^{\mathsf{s}}_{\mathsf{b}} = 0 & \mathcal{J}^{\mathsf{s}}_{\mathsf{L}} = \lambda x.\,x & \mathcal{J}^{\mathsf{s}}_{::} = \lambda xy.\,x+y+1 & \mathcal{J}^{\mathsf{s}}_{\mathsf{q}} = \lambda xyz.\,x+y\\ \mathcal{J}^{\mathsf{s}}_{\mathsf{i}} = 0 & \mathcal{J}^{\mathsf{s}}_{[]} = 0 & \mathcal{J}^{\mathsf{s}}_{\mathsf{R}} = \lambda x.\,x & \mathcal{J}^{\mathsf{s}}_{\mathsf{split}} = \lambda xy.\,x+y & \text{(for all states } q) \end{array}$$

Hence, ⟦w⟧^s = |w|, which satisfies the requirements of Theorem 2; the size of a tape configuration w1 . . . w_{p−1} # w_p . . . w_k is k, and the size of a configuration is the size of its first and second tapes combined. We do not include the third tape, as it directly affects neither the result yielded by the final configuration (this is read from the first tape) nor the size of a word the oracle f is applied to.

#### 5.2 Executing The Machine

A single step of an OTM is either an oracle call (a transition from the query state to the answer state) or a traditional step: we assume that an OTM M has a fixed set T of transitions $q \Longrightarrow_t^{r/i,\,d} l$, where q is the input state, l the output state, t ∈ {1, 2, 3} the tape considered (recall that we have assumed that a non-oracle transition only operates on one tape), r, i ∈ {0, 1, B} respectively the symbol being read and the symbol being written, and d ∈ {L, R} the direction in which the read head of tape t moves. We model the computation of M as rules that simulate the small-step semantics of the machine.

To encode a single transition, let step : (word ⇒ word) ⇒ confg ⇒ confg. For any transition of the form $q \Longrightarrow_1^{r/i,\,\mathsf{L}} l$ (so a transition operating on tape 1 and moving left), we introduce a rule (where we write 0 = o, 1 = i, B = b):

$$\mathsf{step}\ F\ (\mathsf{q}\ (\mathsf{split}\ (\mathsf{L}\ (x :: y))\ (\mathsf{R}\ (\mathsf{r} :: z)))\ u\ v) \to \mathsf{l}\ (\mathsf{split}\ (\mathsf{L}\ y)\ (\mathsf{R}\ (x :: \mathsf{i} :: z)))\ u\ v$$

Moreover, for transitions $q \Longrightarrow_1^{\mathsf{B}/i,\,\mathsf{L}} l$ (so where B is read), we add a rule:

$$\mathsf{step}\ F\ (\mathsf{q}\ (\mathsf{split}\ (\mathsf{L}\ (x :: y))\ (\mathsf{R}\ []))\ u\ v) \to \mathsf{l}\ (\mathsf{split}\ (\mathsf{L}\ y)\ (\mathsf{R}\ (x :: \mathsf{i} :: [])))\ u\ v$$

These rules respectively handle the steps where a tape configuration changes from u1 . . . u_{p−1} u_p # r u_{p+2} . . . u_k to u1 . . . u_{p−1} # u_p i u_{p+2} . . . u_k, and where a tape configuration changes from u1 . . . u_k # to u1 . . . # u_k i.

Transitions where d = R, or on the other two tapes, are encoded similarly.

Next, we encode oracle calls. Recall that, to query the machine for the value of f at u, we write u on the second tape, move its head to the leftmost position, and enter the query state. Then, the content of this tape is erased and the image of f on u is written on the third tape. Visually, this step is represented as:

$$(\mathsf{query}, \langle \mathsf{tape}_1 \rangle, v_1 \ldots v_p \# u \mathsf{B} \cdots, \langle \mathsf{tape}_3 \rangle) \leadsto (\mathsf{answer}, \langle \mathsf{tape}_1 \rangle, \# \mathsf{B}, \# f(u))$$

This is implemented by the following rules:

$$\mathsf{step}\ F\ (\mathsf{query}\ t_1\ (\mathsf{split}\ x\ (\mathsf{R}\ y))\ t_3) \to \mathsf{answer}\ t_1\ (\mathsf{split}\ (\mathsf{L}\ [])\ (\mathsf{R}\ []))\ (\mathsf{split}\ (\mathsf{L}\ [])\ (\mathsf{R}\ (F\ (\mathsf{clean}\ y))))$$

$$\begin{array}{ll} \mathsf{clean}\ (\mathsf{o} :: x) \to \mathsf{o} :: (\mathsf{clean}\ x) & \mathsf{clean}\ (\mathsf{b} :: x) \to []\\ \mathsf{clean}\ (\mathsf{i} :: x) \to \mathsf{i} :: (\mathsf{clean}\ x) & \mathsf{clean}\ [] \to [] \end{array}$$

Here, clean : word ⇒ word turns a word that may have blanks in it into a bitstring, by reading until the next blank; for instance replacing [o; i; b; i] by [o; i].
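A direct Python rendering of the clean rules (illustrative only, with bits as the strings "o", "i", "b"):

```python
# Sketch of `clean`: read the word up to (and excluding) the first blank.
def clean(word):
    out = []
    for c in word:
        if c == "b":        # clean (b :: x) -> []
            break
        out.append(c)       # clean (o :: x) and clean (i :: x) keep the bit
    return out              # clean [] -> []

print(clean(["o", "i", "b", "i"]))   # ['o', 'i']
```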

The various step rules, as well as the clean rules, are non-overlapping because we consider deterministic OTMs. They are also left-linear, and are oriented using:

$$\begin{array}{ll} \mathcal{J}^{\mathsf{s}}_{\mathsf{clean}} = \lambda x.\,x & \mathcal{J}^{\mathsf{c}}_{\mathsf{clean}} = \lambda x.\,x+1\\ \mathcal{J}^{\mathsf{s}}_{\mathsf{step}} = \lambda F x.\,x+1 & \mathcal{J}^{\mathsf{c}}_{\mathsf{step}} = \lambda F^{\mathsf{c}} F^{\mathsf{s}} x.\,F^{\mathsf{c}}(x) + x + 2 \end{array}$$

(Note that J^s_step is so simple because the size of a configuration does not include the size of the answer tape.) From the rules, the following result is immediate:

Lemma 7. Let M^f be an OTM and C, C′ be machine configurations of M^f such that C ⇝ C′. Then step S_f [C] →+_R [C′], where [C] is the term encoding of C.

#### 5.3 A Bound on the Number of Steps

To generalize from performing a single step of the machine to tracing a full computation at the machine level, the natural idea would be to define rules such as:

$$\begin{array}{ll} \mathsf{execute}\ F\ (\mathsf{q}\ x\ y\ z) \to \mathsf{execute}\ F\ (\mathsf{step}\ F\ (\mathsf{q}\ x\ y\ z)) & \text{for } q \ne \mathsf{end}\\ \mathsf{execute}\ F\ (\mathsf{end}\ (\mathsf{split}\ (\mathsf{L}\ x)\ (\mathsf{R}\ w))\ y\ z) \to \mathsf{clean}\ w \end{array}$$

Then, reducing execute S_f initial(w) to normal form simulates a full OTM execution of M^f on input w. Unfortunately, these rules do not admit an interpretation, as they may be non-terminating. A solution could be to give execute an additional argument ⌜N⌝ indicating an execution of at most N steps; this argument would ensure termination, and could be used to find an interpretation.

The challenge, however, is to compute a bound on the number of steps of the OTM: the obvious thought is to compute P_M(|f|, |w|), but this cannot in general be done in polynomial time because the STRS does not have access to |f|: since |f|(i) = max{|f(x)| | x ∈ W ∧ |x| ≤ i}, there are exponentially many candidate words x.

To solve this, following [22, Proposition 2.3], we observe that it suffices to know a bound on f(x) for only those x on which the oracle is actually questioned. That is, for A ⊆ W, let |f|_A = λn. max{|f(x)| | x ∈ A ∧ |x| ≤ n}. Then:

Lemma 8. Suppose an OTM M^f runs in time bounded by P_M(|f|, |w|) on input w. If M^f transitions in N steps from its initial state to some configuration C, calling the oracle only on words in A ⊆ W, then N ≤ P_M(|f|_A, |w|).

Proof (Sketch). We construct f′ with f′(x) = 0 if x ∉ A and f′(x) = f(x) if x ∈ A. Then |f′| = |f|_A, and M^{f′} runs the same on input w as M^f does. ⊓⊔

Now, for A encoded as a term A (using symbols ∅ : set, setcons : word ⇒ set ⇒ set), we can compute |f|_A using the rules below, where we use unary integers as in Example 1 (0 : nat, s : nat ⇒ nat), and defined symbols len : word ⇒ nat, max : nat ⇒ nat ⇒ nat, limit : word ⇒ nat ⇒ word, retif : word ⇒ nat ⇒ word ⇒ word, tryapply : (word ⇒ word) ⇒ word ⇒ nat ⇒ nat, tryall : (word ⇒ word) ⇒ set ⇒ nat ⇒ nat. By design, retif x ⌜n⌝ y reduces to y if |x| ≤ n and to [] otherwise; tryapply S_f x ⌜n⌝ reduces to the unary encoding of |f|_{{x}}(n); and tryall S_f A ⌜n⌝ yields |f|_A(n).


$$\begin{array}{l} \mathsf{tryapply}\ F\ a\ n \to \mathsf{len}\ (\mathsf{retif}\ a\ n\ (F\ (\mathsf{limit}\ a\ n)))\\ \mathsf{tryall}\ F\ \emptyset\ n \to \mathsf{0}\\ \mathsf{tryall}\ F\ (\mathsf{setcons}\ a\ tl)\ n \to \mathsf{max}\ (\mathsf{tryapply}\ F\ a\ n)\ (\mathsf{tryall}\ F\ tl\ n) \end{array}$$

An interpretation is provided in [5]. Importantly, the limit function ensures that, in tryall F A ⌜n⌝, we never apply F to a word w with |w| > n. Therefore we can let ⟦A⟧^s = |A|, the number of words in A, and have J^s_tryall = λλF a n.F(n) and J^c_tryall = λλF^c F^s a n.1 + a + F^c(n) + 2 ∗ F^s(n) + 2 ∗ n + 6.
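The function |f|_A itself is straightforward to compute once the queried words are known; a Python sketch (with words as bitstrings, an assumption of this illustration) is:

```python
# Sketch of |f|_A from Lemma 8: the length bound of f restricted to the
# words on which the oracle was actually questioned.

def restricted_bound(f, A):
    """|f|_A = lambda n. max{ |f(x)| : x in A, |x| <= n }  (0 if empty)."""
    def bound(n):
        lengths = [len(f(x)) for x in A if len(x) <= n]
        return max(lengths, default=0)
    return bound

f = lambda x: x + x                 # some oracle: doubles its input word
A = {"0", "10", "1101"}             # the words the oracle was queried on
b = restricted_bound(f, A)
print(b(2), b(4))                   # 4 8
```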

Now, for a given second-order polynomial P, fixed f, n, and a term A encoding a set A ⊆ W, we can construct a term Θ_P^{S_f;⌜n⌝;A} that computes P(|f|_A, n) using tryall and the functions add, mult from Example 1. By induction on P, we have ⟦Θ_P^{S_f;⌜n⌝;A}⟧^s = P(|f|, n), while its cost is bounded by a polynomial over |f|, n, |A|.

#### 5.4 Finalising Execution

Now, we can define execution in a way that can be bounded by a polynomial interpretation. We let execute : (word ⇒ word) ⇒ nat ⇒ nnat ⇒ nat ⇒ set ⇒ confg ⇒ word and will define rules to reduce expressions execute F n m z a c where


Using helper symbols F′ : (word ⇒ word) ⇒ nat ⇒ confg ⇒ word, execute′ : (word ⇒ word) ⇒ nat ⇒ nnat ⇒ nat ⇒ set ⇒ confg ⇒ word, extract : tape ⇒ word and minus : nat ⇒ nnat ⇒ nat, we introduce the rules:

$$\begin{array}{l} \mathsf{F}\ F\ w \to \mathsf{F}'\ F\ (\mathsf{len}\ w)\ (\mathsf{q}_0\ (\mathsf{split}\ (\mathsf{L}\ [])\ (\mathsf{R}\ w))\ (\mathsf{split}\ (\mathsf{L}\ [])\ (\mathsf{R}\ []))\ (\mathsf{split}\ (\mathsf{L}\ [])\ (\mathsf{R}\ [])))\\ \mathsf{F}'\ F\ z\ c \to \mathsf{execute}\ F\ \Theta_{P_M+1}^{F;z;\emptyset}\ \mathsf{o}\ z\ \emptyset\ c\\ \mathsf{execute}\ F\ (\mathsf{s}\ n)\ m\ z\ a\ (\mathsf{q}\ t_1\ t_2\ t_3) \to \mathsf{execute}\ F\ n\ (\mathsf{n}\ m)\ z\ a\ (\mathsf{step}\ F\ (\mathsf{q}\ t_1\ t_2\ t_3)) \quad \text{for } q \notin \{\mathsf{query}, \mathsf{end}\}\\ \mathsf{execute}\ F\ (\mathsf{s}\ n)\ m\ z\ a\ (\mathsf{query}\ t_1\ t_2\ t_3) \to \mathsf{execute}'\ F\ n\ (\mathsf{n}\ m)\ z\ (\mathsf{setcons}\ (\mathsf{extract}\ t_2)\ a)\ (\mathsf{query}\ t_1\ t_2\ t_3)\\ \mathsf{execute}'\ F\ n\ m\ z\ a\ c \to \mathsf{execute}\ F\ (\mathsf{minus}\ \Theta_{P_M+1}^{F;z;a}\ m)\ m\ z\ a\ (\mathsf{step}\ F\ c)\\ \mathsf{execute}\ F\ n\ m\ z\ a\ (\mathsf{end}\ t_1\ t_2\ t_3) \to \mathsf{extract}\ t_1\\ \mathsf{extract}\ (\mathsf{split}\ (\mathsf{L}\ x)\ (\mathsf{R}\ y)) \to \mathsf{clean}\ y\\ \mathsf{minus}\ x\ \mathsf{o} \to x \qquad \mathsf{minus}\ \mathsf{0}\ (\mathsf{n}\ y) \to \mathsf{0} \qquad \mathsf{minus}\ (\mathsf{s}\ x)\ (\mathsf{n}\ y) \to \mathsf{minus}\ x\ y \end{array}$$

That is, an execution of F S_f w starts by computing the length of w and P_M(|f|_∅, |w|), and uses these as arguments to execute. Each normal transition lowers the number n of steps we are still allowed to do and increases the number m of steps we have done. Each oracle transition updates A, and either lowers n by one, or updates it to the new value P_M(|f|_A, |w|) − m, since we have already done m steps. Once we reach the final state, the answer is read off the first tape.

For the interpretation, note that the unusual size set of nnat allows us to choose J^s_minus = λλxy.max(x − y, 0) without losing monotonicity. Hence, in every step execute F n m z a c, the value max(P_M(⟦F⟧^s, ⟦z⟧^s) + 1 − ⟦m⟧^s, ⟦n⟧^s) decreases by at least one. Since ⟦Θ_{P_M+1}^{F;z;a}⟧^s = P_M(⟦F⟧^s, ⟦z⟧^s) regardless of a, we can use this component as part of the interpretation. The full interpretation functions for execute and F are long and complex, so we do not supply them here; they can be found in [5]. We only conclude the other side of Theorem 2:

Theorem 4. If Ψ ∈ BFF, then there exists a finite orthogonal STRS R such that F computes Ψ in R and R admits a polynomially bounded interpretation.

## 6 Conclusions and Future Work

In this paper, we have shown that BFF can be characterized through second-order term rewriting systems admitting polynomially bounded cost–size interpretations. This is arguably the first characterization of the basic feasible functionals purely in terms of rewriting-theoretic concepts.

For the purpose of presentation, we have imposed some mild restrictions that we believe are not essential in practice. In future extensions, we plan to eliminate these restrictions, for instance by allowing lambda-abstraction, non-base-type rules, and higher-order functions (assuming that F is still second-order). We can also allow arbitrary inductive data structures as input.

Another direction we definitely wish to explore is the characterization of polynomial time complexity for functionals of order strictly higher than two. It is well known that the underlying theory in this case becomes less robust than in type-2 complexity. As such, it is not clear which of the existing proposals for complexity classes of higher-order polytime complexity we can hope to capture within our framework.

## References




Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Logic and Proofs**

## Succinctness of Cosafety Fragments of LTL via Combinatorial Proof Systems

Luca Geatti<sup>1</sup>(B), Alessio Mansutti<sup>2</sup>, and Angelo Montanari<sup>1</sup>

> <sup>1</sup> University of Udine, Udine, Italy — {luca.geatti,angelo.montanari}@uniud.it
> <sup>2</sup> IMDEA Software Institute, Madrid, Spain — alessio.mansutti@imdea.org

Abstract. This paper focuses on succinctness results for fragments of Linear Temporal Logic with Past (LTL) devoid of binary temporal operators like until, and provides methods to establish them. We prove that there is a family of cosafety languages (L<sub>n</sub>)<sub>n≥1</sub> such that L<sub>n</sub> can be expressed with a pure future formula of size O(n), but requires formulae of size 2<sup>Ω(n)</sup> to be captured with past formulae. As a by-product, this succinctness result shows the optimality of the pastification algorithm proposed in [Artale et al., KR, 2023].

We show that, in the considered case, succinctness cannot be proven by relying on the classical automata-based method introduced in [Markey, Bull. EATCS, 2003]. In place of this method, we devise and apply a combinatorial proof system whose deduction trees represent LTL formulae. The system can be seen as a proof-centric (one-player) view on the games used by Adler and Immerman to study the succinctness of CTL.

Keywords: Temporal logics · LTL · Succinctness · Proof systems.

## 1 Introduction

Linear Temporal Logic with Past (LTL [17,23]) is the de-facto standard language for the specification, verification, and synthesis of reactive systems [19]. Concerning these reasoning tasks, two fundamental subsets of LTL-definable languages come into play, namely safety and cosafety languages. Safety languages express properties stating that "something bad never happens"; cosafety languages, instead, express the fact that "something good will eventually happen". The crucial feature of cosafety (resp., safety) languages is that checking a finite prefix of an infinite trace suffices to establish whether the entire trace belongs (resp., does not belong) to the language. This ability to reduce reasoning over infinite words to the finite case plays a fundamental role in lowering the complexity of reasoning tasks [16]. Because of this, while LTL was commonly interpreted over infinite traces, recent work mainly considers its finite trace semantics [8,18,22].

In what follows, given a set of temporal operators S, we write LTL[S] for the set of all LTL formulae in negation normal form whose temporal operators are restricted to those in S. Similarly, we denote with F(LTL[S]) the set of formulae of the form F(α), with α ∈ LTL[S]. Here, F is the future modality (a.k.a. eventually).

There are two notable syntactic characterizations of the cosafety languages of LTL. The first one is a pure future characterization given by the logic LTL[X,U], featuring the modalities next X and until U. The second one is an eventually pure past<sup>3</sup> characterisation given by the logic F(pLTL), where pLTL is the pure past fragment of LTL, that is, the restriction of LTL to past modalities. Analogous characterizations have been provided for safety languages.

As for applications, F(pLTL) is considered much more convenient than LTL[X,U] because, starting from an (eventually) pure past formula of size n, it is possible to build an equivalent deterministic finite automaton of size singly exponential in n [7]. In the case of LTL[X,U], such an automaton may have size doubly exponential in n [16]. This computational advantage of pure past formulae originated a recent line of research that focuses on the pastification problem, i.e., the problem of translating an input pure future formula for a cosafety (or safety) language into an equivalent pure past (equivalently, eventually pure past) formula. While the best known algorithm for LTL[X,U] is triply exponential [7], a singly exponential pastification algorithm transforming LTL[X, F] formulae into F(LTL[Y, Ỹ, O]) ones has recently been developed in [4]. Here, the modalities yesterday Y and once O are the "temporal reverses" of the modalities X and F, respectively, whereas the weak yesterday operator Ỹ is the dual of Y (we formally define the semantics of all these modalities in Section 2). No super-polynomial lower bounds for these pastification problems are known.

While the above two characterisations of cosafety languages have been thoroughly studied in the last decades in terms of expressiveness [6] and complexity [2], their succinctness is still poorly understood. To the best of our knowledge, the only known result is the one in [3] showing that F(pLTL) can be exponentially more succinct than LTL[X,U] — note that lower bounds for pastification problems require the opposite direction.<sup>4</sup>

In this paper, we study the succinctness of LTL[F] against F(LTL[Y, Ỹ, O, H]), where H is the dual of O, as well as the succinctness of their reverse logics [3], that is, the succinctness of F(LTL[O]) against LTL[X, X̃, F, G]. For these fragments of LTL, we establish the following two results.

Theorem 1. F(LTL[O]) can be exponentially more succinct than LTL[X, X̃, F, G].

Theorem 2. LTL[F] can be exponentially more succinct than F(LTL[Y, Ỹ, O, H]).

The two theorems prove an incomparability result about the succinctness of the characterizations of cosafety languages in the pure future and eventually pure past fragments of LTL. Theorem 1 and Theorem 2 hold for both the finite and infinite trace semantics of LTL (however, due to lack of space, we report the proof of Theorem 1 only in the case of finite traces). As a corollary, Theorem 2 implies that the pastification algorithm proposed in [4] is optimal.

<sup>3</sup> "Eventually pure past" refers to formulae of the form F(α), with α a pure past formula.

<sup>4</sup> A logic L can be exponentially more succinct than a logic L′ whenever there is a family of languages (L<sub>n</sub>)<sub>n≥1</sub> such that L<sub>n</sub> can be expressed in L with a formula of size polynomial in n, whereas expressing L<sub>n</sub> in L′ requires formulae of size 2<sup>Ω(n)</sup>.


Corollary 1. The pastification of LTL[X, F] into F(LTL[Y, Ỹ, O, H]) is in 2<sup>Θ(n)</sup>.

To prove Theorem 1, we devise and apply a combinatorial proof system.<sup>5</sup> Given two sets of finite traces A and B, with the proof system one can establish whether there is a formula φ in LTL[X, X̃, F, G] that separates A from B, that is, φ is satisfied by all traces in A (written A |= φ) and violated by all traces in B (written B ⊭ φ). A proof obtained by applying k rules of the proof system corresponds to the existence of one such separating formula φ of size k.

The proposed combinatorial proof system can be seen as a reformulation, in terms of proofs, of the games introduced by Adler and Immerman to show that CTL<sup>+</sup> is Θ(n)! more succinct than CTL [1]. These are two-player games that extend Ehrenfeucht–Fraïssé games for quantifier depth in a way that captures the notion of formula size instead. However, unlike in Ehrenfeucht–Fraïssé games, in Adler–Immerman games one of the two players (the duplicator) always has a trivial strategy. With our proof system, we show that removing the duplicator from the game yields a natural one-player game based on building proofs.

To prove Theorem 1 by applying the proposed proof system, we provide, for every n ≥ 1, a formula Φ<sub>n</sub> in F(LTL[O]) of size linear in n and two sets of traces A<sub>n</sub> and B<sub>n</sub> such that A<sub>n</sub> |= Φ<sub>n</sub> and B<sub>n</sub> ⊭ Φ<sub>n</sub>, and then we show that the smallest deduction tree that separates A<sub>n</sub> from B<sub>n</sub> has size at least 2<sup>n</sup>. This implies that all formulae of LTL[X, X̃, F, G] capturing Φ<sub>n</sub> are of size at least 2<sup>n</sup>.

Once Theorem 1 is established, one can prove Theorem 2 by "reversing" the direction of time, building correspondences between formulae of LTL[F] and F(LTL[O]), and between formulae of F(LTL[Y, Ỹ, O, H]) and LTL[X, X̃, F, G].

In the context of LTL, the main technique to prove "future against past" succinctness discrepancies is arguably the automata method introduced by Markey in [20]. At its core, this method exploits the fact that pure future formulae of LTL can be translated into nondeterministic Büchi automata of exponential size, and thus no property requiring a doubly exponential size automaton can be represented succinctly. The introduction of our proof system raises the question of whether Markey's method can be applied to establish our succinctness results. We prove that it cannot be used in our context. In order to obtain such a result, the key observation is that, given a cosafety formula Fψ, a deterministic Büchi automaton (DBA) for Fψ of size ℓ, and a prefix Π consisting of k temporal operators among X, F, and G, the minimal DBA for the formula ΠFψ has size polynomial in k and ℓ.

Synopsis. Section 2 introduces the necessary background. Section 3 discusses the languages we use to prove Theorem 1. Section 4 introduces the combinatorial proof system. In Section 5 we prove Theorem 1. In Section 6 we prove Theorem 2 and Corollary 1. The limits of the automata-based method for proving succinctness lower bounds are discussed in Section 7. Related and future work are discussed in Section 8. An extended version of the paper, complete with all proofs, can be found in [13].

<sup>5</sup> We use the term "combinatorial" for our proof system to conform with the terminology from the Workshop "Combinatorial Games in Finite Model Theory", LICS'23.

## 2 Preliminaries

In this section, we introduce background knowledge on LTL, focusing on finite traces. All definitions admit a natural extension to the setting of infinite traces.

Let Σ be a finite alphabet. We denote by Σ<sup>∗</sup> the set of all finite words over Σ and by Σ<sup>+</sup> the subset of finite non-empty words. We use the term trace as a synonym of word. A language L over Σ is a subset of Σ<sup>∗</sup>. Let σ = ⟨w<sub>0</sub>, w<sub>1</sub>, . . . , w<sub>n</sub>⟩ be a word in Σ<sup>∗</sup>. We denote by |σ| the length of σ, that is, n + 1. A position in σ is an element of the set pos(σ) := [0, n]. For every i ∈ pos(σ), we denote by σ[i] ∈ Σ the letter w<sub>i</sub>, and by σ[i⟩ the word ⟨w<sub>i</sub>, . . . , w<sub>n</sub>⟩. We say that position j of σ has type τ ∈ Σ whenever σ[j] = τ. Given two traces σ<sub>1</sub> and σ<sub>2</sub>, we write σ<sub>1</sub> ⊑ σ<sub>2</sub> whenever σ<sub>1</sub> is a suffix of σ<sub>2</sub>, that is, there is j ∈ pos(σ<sub>2</sub>) such that σ<sub>1</sub> = σ<sub>2</sub>[j⟩. Given a word σ′ ∈ Σ<sup>∗</sup>, we denote the concatenation of σ′ to σ as σ · σ′, or simply σσ′. Given two languages L and L′, we define L · L′ := {σ · σ′ | σ ∈ L, σ′ ∈ L′}. We sometimes apply the concatenation to a word and a language; in these cases the word is implicitly converted into a singleton language, e.g., σ · L := {σ} · L. With A ⊆<sub>fin</sub> B we denote the fact that A is a finite subset of the set B.

Linear Temporal Logic with Past. In the following, we introduce the syntax and semantics of Linear Temporal Logic with Past (LTL), restricted to those operators that we are going to use throughout the paper. In particular, we omit the future operators until and release, and their past counterparts (since and triggers). Let AP be a finite set of atomic propositions. The syntax of the formulae over AP is generated by the following grammar:

$$\begin{aligned} \varphi := {} & p \mid \neg p \mid \varphi \lor \varphi \mid \varphi \land \varphi && \text{Boolean connectives} \\ & \mid \mathsf{X}\varphi \mid \widetilde{\mathsf{X}}\varphi \mid \mathsf{F}\varphi \mid \mathsf{G}\varphi && \text{future operators} \\ & \mid \mathsf{Y}\varphi \mid \widetilde{\mathsf{Y}}\varphi \mid \mathsf{O}\varphi \mid \mathsf{H}\varphi && \text{past operators} \end{aligned}$$

where p ∈ AP. The temporal operators are respectively called: X, next; X̃, weak next; F, future; G, globally; Y, yesterday; Ỹ, weak yesterday; O, once; H, historically. For the rest of the paper, we let OP := {X, X̃, F, G, Y, Ỹ, O, H}.

For every formula φ, the size of φ, denoted by size(φ), is defined inductively as follows: (i) size(p) := 1 and size(¬p) := 1; (ii) size(⊗φ) := size(φ) + 1, for ⊗ ∈ OP; and (iii) size(φ<sub>1</sub> ⊕ φ<sub>2</sub>) := size(φ<sub>1</sub>) + size(φ<sub>2</sub>) + 1, for ⊕ ∈ {∨, ∧}.

We focus on the interpretation of LTL formulae over finite non-empty traces over the alphabet 2<sup>AP</sup>. From now on, we set the alphabet Σ to be 2<sup>AP</sup>. Given a word σ ∈ Σ<sup>+</sup>, the satisfaction of a formula φ by σ at time point / position i ∈ pos(σ), denoted by σ, i |= φ, is defined as follows:



1. σ, i |= p if p ∈ σ[i];
2. σ, i |= ¬p if p ∉ σ[i];
3. σ, i |= φ<sub>1</sub> ∨ φ<sub>2</sub> if σ, i |= φ<sub>1</sub> or σ, i |= φ<sub>2</sub>;
4. σ, i |= φ<sub>1</sub> ∧ φ<sub>2</sub> if σ, i |= φ<sub>1</sub> and σ, i |= φ<sub>2</sub>;
5. σ, i |= Xφ if i + 1 < |σ| and σ, i + 1 |= φ;
6. σ, i |= X̃φ if either i + 1 = |σ| or σ, i + 1 |= φ;
7. σ, i |= Fφ if there exists i ≤ j < |σ| such that σ, j |= φ;
8. σ, i |= Gφ if for all i ≤ j < |σ|, it holds that σ, j |= φ;
9. σ, i |= Yφ if i > 0 and σ, i − 1 |= φ;
10. σ, i |= Ỹφ if either i = 0 or σ, i − 1 |= φ;
11. σ, i |= Oφ if there exists 0 ≤ j ≤ i such that σ, j |= φ;
12. σ, i |= Hφ if for all 0 ≤ j ≤ i, it holds that σ, j |= φ.

For every formula φ, we say that a trace σ satisfies φ, written σ |= φ, if σ, 0 |= φ. The language of φ, denoted by L(φ), is the set of words σ ∈ Σ<sup>+</sup> such that σ |= φ. Given two formulae φ and ψ, we say that φ is equivalent to ψ, written φ ≡ ψ, whenever L(φ) = L(ψ).
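To make the semantics concrete, the satisfaction clauses above transcribe directly into a small evaluator. The following Python sketch uses a nested-tuple encoding of formulae that is ours, not the paper's; "wX" and "wY" stand for the weak next X̃ and weak yesterday Ỹ.

```python
# Finite-trace satisfaction for the operators of OP. Formulae are nested
# tuples, e.g. ("F", ("lit", "p", True)) for F p; traces are lists of sets.
def sat(sigma, i, phi):
    op = phi[0]
    if op == "lit":                       # p or ¬p
        _, p, positive = phi
        return (p in sigma[i]) == positive
    if op == "or":
        return sat(sigma, i, phi[1]) or sat(sigma, i, phi[2])
    if op == "and":
        return sat(sigma, i, phi[1]) and sat(sigma, i, phi[2])
    if op == "X":                         # next: a next position must exist
        return i + 1 < len(sigma) and sat(sigma, i + 1, phi[1])
    if op == "wX":                        # weak next (X~)
        return i + 1 == len(sigma) or sat(sigma, i + 1, phi[1])
    if op == "F":                         # future
        return any(sat(sigma, j, phi[1]) for j in range(i, len(sigma)))
    if op == "G":                         # globally
        return all(sat(sigma, j, phi[1]) for j in range(i, len(sigma)))
    if op == "Y":                         # yesterday
        return i > 0 and sat(sigma, i - 1, phi[1])
    if op == "wY":                        # weak yesterday (Y~)
        return i == 0 or sat(sigma, i - 1, phi[1])
    if op == "O":                         # once
        return any(sat(sigma, j, phi[1]) for j in range(0, i + 1))
    if op == "H":                         # historically
        return all(sat(sigma, j, phi[1]) for j in range(0, i + 1))
    raise ValueError(op)

def size(phi):
    """size() as in the text: literals count 1, each connective adds 1."""
    if phi[0] == "lit":
        return 1
    return 1 + sum(size(sub) for sub in phi[1:] if isinstance(sub, tuple))

# sigma = <{p}, {q}>: F q and X q hold at position 0, Y p holds at position 1.
sigma = [{"p"}, {"q"}]
assert sat(sigma, 0, ("F", ("lit", "q", True)))
assert sat(sigma, 1, ("Y", ("lit", "p", True)))
assert size(("or", ("X", ("lit", "p", False)), ("G", ("lit", "p", True)))) == 5
```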

Fragments of LTL. Given a set of operators S ⊆ OP, we denote by LTL[S] the set of formulae only using temporal operators from S. When dealing with a concrete S, we omit the curly brackets and write, e.g., LTL[X, F] instead of LTL[{X, F}]. Whenever S contains only future operators (resp., past operators), the logic LTL[S] is called a pure future (resp., pure past) fragment of LTL. Finally, we denote by F(LTL[S]) (resp., G(LTL[S])) the set of formulae of the form F(α) (resp., G(α)), where α is a formula of LTL[S]. A language L ⊆ Σ<sup>∗</sup> is a cosafety language whenever L = K · Σ<sup>∗</sup>, for some K ⊆ Σ<sup>∗</sup>. A language L is a safety language whenever its complement L̄ is a cosafety language. For every formula φ in the fragments LTL[X, F] and F(LTL[Y, Ỹ, O, H]), it holds that L(φ) is a cosafety language. Similarly, for every formula φ in the fragments LTL[X̃, G] and G(LTL[Y, Ỹ, O, H]), it holds that L(φ) is a safety language.

The pastification problem. Given two sets S ⊆ {X, X̃, F, G} and S′ ⊆ {Y, Ỹ, O, H}, the pastification problem for LTL[S] into F(LTL[S′]) asks, given an input formula φ ∈ LTL[S], to return a formula ψ from F(LTL[S′]) such that φ ≡ ψ. An algorithm for the pastification problem is said to be of k-exponential size (for fixed k ∈ ℕ) whenever the output formula ψ is such that size(ψ) ∈ exp<sup>k</sup><sub>2</sub>(poly(size(φ))), where exp<sup>k</sup><sub>2</sub>(·) is the k-th iteration of the base-2 tetration function, given by exp<sup>0</sup><sub>2</sub>(n) = n and exp<sup>i+1</sup><sub>2</sub>(n) = 2<sup>exp<sup>i</sup><sub>2</sub>(n)</sup>. In [4], an exponential-time, 1-exponential-size pastification algorithm for LTL[X, F] into F(LTL[Y, Ỹ, O]) is presented.
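The iterated base-2 exponential in the size bound transcribes directly; a minimal sketch of the definition just given:

```python
# The k-th iterate of the base-2 exponential:
# exp2(0, n) = n and exp2(i + 1, n) = 2 ** exp2(i, n).
def exp2(k: int, n: int) -> int:
    return n if k == 0 else 2 ** exp2(k - 1, n)

assert exp2(0, 5) == 5       # 0-exponential: the identity
assert exp2(1, 5) == 32      # 1-exponential: 2^5
assert exp2(2, 2) == 16      # 2-exponential: 2^(2^2)
```

So a 1-exponential-size algorithm, like the one of [4], produces outputs of size at most 2^poly(n).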

Succinctness. Given two sets S, S′ ⊆ OP, we say that LTL[S] can be exponentially more succinct than LTL[S′] if there is a family of languages (L<sub>n</sub>)<sub>n≥1</sub> such that, for every n ≥ 1, L<sub>n</sub> ⊆ Σ<sub>n</sub><sup>+</sup>, for some alphabet Σ<sub>n</sub>, and:

– there is φ ∈ LTL[S] such that L(φ) = L<sub>n</sub> and size(φ) ∈ poly(n), and

– for every ψ ∈ LTL[S′], if L(ψ) = L<sub>n</sub> then size(ψ) ∈ 2<sup>Ω(n)</sup>.

It is worth noticing that the above-given syntax for LTL is already in negation normal form, that is, negation may only appear in front of atomic propositions. Allowing negations to occur freely in formulae increases neither expressiveness nor succinctness, as the grammar above is already closed under dual operators, e.g., Gφ ≡ ¬F¬φ, and the size of a formula does not depend on the number of negations occurring in literals. Because of this, all results given in the paper continue to hold when negation is added to the language.

## 3 A problematic cosafety language for LTL[X, X̃, F, G]

We now describe the property that we will exploit to prove that F(LTL[O]) can be exponentially more succinct than LTL[X, X̃, F, G] (Theorem 1). More precisely, we define a family of F(LTL[O]) formulae (Φ<sub>n</sub>)<sub>n≥1</sub> such that, for every n ≥ 1, Φ<sub>n</sub> has size in O(n) and captures a property requiring a formula of size at least 2<sup>n</sup> to be expressed in LTL[X, X̃, F, G] (as we will see in Section 5).

Let n ≥ 1. We consider the alphabet of 2n + 2 distinct atomic propositions AP := {p̃, q̃} ∪ P ∪ Q, with P := {p<sub>1</sub>, . . . , p<sub>n</sub>} and Q := {q<sub>1</sub>, . . . , q<sub>n</sub>}. For all n ≥ 1, the formula Φ<sub>n</sub> of F(LTL[O]) is defined as follows:

$$\Phi\_n := \mathsf{F}\left(\widetilde{q} \wedge \bigwedge\_{i=1}^n \left( \left( q\_i \wedge \mathsf{O}(\widetilde{p} \wedge p\_i) \right) \vee \left( \neg q\_i \wedge \mathsf{O}(\widetilde{p} \wedge \neg p\_i) \right) \right) \right) .$$

Observe that, for every n ≥ 1, size(Φ<sub>n</sub>) belongs to O(n). The formula Φ<sub>n</sub> is satisfied by those traces σ ∈ Σ<sup>+</sup> where there is a position j ∈ pos(σ) such that (i) q̃ ∈ σ[j] and (ii) for every i ∈ [1, n] there is a position k<sub>i</sub> ∈ [0, j] such that p̃ ∈ σ[k<sub>i</sub>] and q<sub>i</sub> ∈ σ[j] if and only if p<sub>i</sub> ∈ σ[k<sub>i</sub>]. Notice that each k<sub>i</sub> ∈ [0, j] depends on an index i ∈ [1, n]. Therefore, for distinct i, j ∈ [1, n] the positions k<sub>i</sub> and k<sub>j</sub> might differ. This feature is crucial to get a language which has a compact definition in F(LTL[O]), but is hard to capture for LTL[X, X̃, F, G].
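The property just described can be checked directly on concrete traces. In the Python sketch below, the proposition names "pt", "qt", "p1", . . . standing for p̃, q̃, p<sub>1</sub>, . . . are our own encoding, used only for illustration.

```python
# Direct check of the property captured by Phi_n: there is a position j with
# q~ in sigma[j] such that, for every i in [1, n], some position k_i <= j has
# p~ in sigma[k_i], and q_i in sigma[j] iff p_i in sigma[k_i].
def holds_phi(sigma, n):
    for j, letter in enumerate(sigma):
        if "qt" not in letter:                    # q~ must hold at j
            continue
        if all(any("pt" in sigma[k] and
                   ((f"q{i}" in letter) == (f"p{i}" in sigma[k]))
                   for k in range(j + 1))         # witness k_i may depend on i
               for i in range(1, n + 1)):
            return True
    return False

# n = 2: the witnesses k_1 = 0 and k_2 = 1 differ, which is exactly what
# makes the property easy for F(LTL[O]) but hard for the pure future side.
trace = [{"pt", "p1"}, {"pt", "p2"}, {"qt", "q1", "q2"}]
assert holds_phi(trace, 2)
assert not holds_phi([{"qt", "q1"}], 2)           # no p~-position at all
```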

As a matter of fact, requiring the various k<sub>i</sub> to coincide yields a formula Ψ<sub>n</sub> characterising the property: "the trace σ has two positions j ≥ k such that p̃ ∈ σ[k], q̃ ∈ σ[j] and, for every i ∈ [1, n], q<sub>i</sub> ∈ σ[j] if and only if p<sub>i</sub> ∈ σ[k]". This formula is known to require exponential size in LTL [20], and therefore in F(LTL[O]) as well. In a sense, the asymmetry obtained by relaxing the uniqueness of the position k above is what makes Φ<sub>n</sub> easily expressible in F(LTL[O]), but difficult to characterise in LTL[X, X̃, F, G]. The same trick, applied to position j instead of position k, can be used to obtain a family of formulae that can be represented in an exponentially more succinct way in LTL[F] than in F(LTL[Y, Ỹ, O, H]). This form of "temporal duality" is what we will ultimately exploit in Section 6 to prove Theorem 2.

The following lemma shows that Φ<sub>n</sub> can be expressed in LTL[F] (and thus in LTL[X, X̃, F, G] as well) with a formula of exponential size.

Lemma 1. For every n ≥ 1, there is a formula Φ′<sub>n</sub> in LTL[F] such that Φ′<sub>n</sub> ≡ Φ<sub>n</sub> and size(Φ′<sub>n</sub>) < 2<sup>n+1</sup>(n + 2)<sup>2</sup>.

Proof sketch. Given τ ∈ 2<sup>P</sup>, we write τ̄ for the element of 2<sup>Q</sup> such that p<sub>i</sub> ∈ τ if and only if q<sub>i</sub> ∈ τ̄, for every i ∈ [1, n]. Then, the formula Φ′<sub>n</sub> is defined as follows:

$$\Phi\_n' := \bigvee\_{\tau \in 2^P} \left( \bigwedge\_{p \in \tau} \mathsf{F} (\widetilde{p} \wedge p \wedge \mathsf{F} (\widetilde{q} \wedge \psi\_{\overline{\tau}})) \wedge \bigwedge\_{p \in P\backslash \tau} \mathsf{F} (\widetilde{p} \wedge \neg p \wedge \mathsf{F} (\widetilde{q} \wedge \psi\_{\overline{\tau}})) \right),$$
 
$$\text{where } \psi\_{\overline{\tau}} := \bigwedge\_{q \in \overline{\tau}} q \wedge \bigwedge\_{q \in Q\backslash \overline{\tau}} \neg q.$$

## 4 A combinatorial proof system for LTL[X, X̃, F, G]

In this section, we introduce the proof system that we will later employ to prove Theorem 1, and discuss its connection with Adler–Immerman games [1].

Further notation. Let A ⊆ Σ<sup>+</sup>, with Σ := 2<sup>AP</sup> for some set of propositions AP. We define A<sup>X</sup> := {σ[1⟩ : σ ∈ A s.t. |σ| ≥ 2}, i.e., the set of non-empty traces obtained from A by stepping each trace one position to the right. We define A<sup>G</sup> := {σ[j⟩ : σ ∈ A and j ∈ pos(σ)}, i.e., the set of all suffixes of the traces in A. We say that a map f : A → ℕ is a future point for A whenever f(σ) ∈ pos(σ) for every σ ∈ A. We write F<sub>A</sub> for the set of all maps that are future points for A. Given a future point f for A and σ ∈ A with f(σ) = i, we define σ<sup>f</sup> := σ[i⟩ and A<sup>f</sup> := {σ<sup>f</sup> : σ ∈ A}. Note that, by definition, A<sup>G</sup> = ⋃<sub>f∈F<sub>A</sub></sub> A<sup>f</sup>.
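These trace-set operations phrase naturally over traces encoded as tuples of letters; a minimal sketch (the encoding is ours):

```python
# The trace-set operations A^X, A^G and A^f, with traces as tuples of letters.
def step_X(A):
    """A^X: step every trace of length >= 2 one position to the right."""
    return {sigma[1:] for sigma in A if len(sigma) >= 2}

def all_suffixes(A):
    """A^G: every non-empty suffix of every trace in A."""
    return {sigma[j:] for sigma in A for j in range(len(sigma))}

def apply_future_point(A, f):
    """A^f for a future point f mapping each trace to one of its positions."""
    return {sigma[f[sigma]:] for sigma in A}

a, b = frozenset({"p"}), frozenset()
A = {(a, b, a, a), (a, a, a, a)}
assert step_X(A) == {(b, a, a), (a, a, a)}
# A^G is the union of A^f over all future points f; here one such f:
f = {sigma: 1 for sigma in A}
assert apply_future_point(A, f) <= all_suffixes(A)
```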

For a formula φ of LTL, we write A |= φ whenever (σ, 0) |= φ for every σ ∈ A, and A ⊭ φ whenever (σ, 0) ̸|= φ for every σ ∈ A. Given two sets of traces A, B ⊆ Σ<sup>+</sup>, we say that φ separates A from B whenever A |= φ and B ⊭ φ. We write ⟨·, ·⟩<sub>S</sub> ⊆ 2<sup>Σ<sup>+</sup></sup> × 2<sup>Σ<sup>+</sup></sup> for the separable relation on S ⊆ OP, i.e., the binary relation holding on those pairs (A, B) for which there is some formula of LTL[S] that separates A from B. Note that, when A and B are finite sets and X ∈ S, deciding whether ⟨A, B⟩<sub>S</sub> holds is trivial.

Lemma 2. Let A, B ⊆ Σ<sup>+</sup> and S ⊆ OP. Then, ⟨A, B⟩<sub>S</sub> implies A ∩ B = ∅. Moreover, if A and B are finite sets and X ∈ S, then A ∩ B = ∅ implies ⟨A, B⟩<sub>S</sub>.

Proof sketch. For the first statement, clearly if A ∩ B ̸= ∅ then it is not possible to separate A from B. To prove the second statement, one defines a disjunction φ of formulae, each characterising an element in A. For instance, for AP = {p, q}, the trace {p}{q} can be characterised with the formula (p ∧ ¬q) ∧ X(q ∧ ¬p ∧ X̃⊥), where ⊥ := p ∧ ¬p. Then, φ separates A from B.

We mainly consider the relation ⟨·, ·⟩<sub>S</sub> with S being the set {X, X̃, F, G}, and thus from now on simply write ⟨·, ·⟩ when considering this concrete choice of S.

#### 4.1 The proof system

The combinatorial proof system that we define is a natural-deduction-style proof system. It consists of several inference rules with hypotheses H<sub>1</sub>, . . . , H<sub>n</sub> above a line and a consequence C below it, to be read as "if the hypotheses H<sub>1</sub>, . . . , H<sub>n</sub> hold, then the consequence C holds". As usual, proofs within the proof system have a tree-like presentation. An example of such a deduction tree is given in Figure 2, where a := {p} and b := ∅, with p ∈ AP. This is a deduction tree for the term ⟨{abaa, aaaa}, {aaab}⟩, which we call the root of the deduction tree. In Figure 2, the rule Or is applied to the root, with hypotheses ⟨{abaa}, {aaab}⟩ and ⟨{aaaa}, {aaab}⟩. In turn, these two hypotheses are derived in the deduction tree by eventually reaching applications of the rule Atomic. A deduction tree is always closed: all maximal paths from the root end with an application of the rule Atomic. This means that a rule of the proof system must be applied to each term ⟨A, B⟩ appearing in the tree. We call a tree a partial deduction tree if this property is not enforced, namely when there might be unproven terms ⟨A, B⟩. The size of a deduction tree is the number of rules in it. For instance, the tree in Figure 2 has size 5.

We define the inference rules of the proof system in Figure 1. Let us briefly describe these rules. The Atomic rule allows deriving ⟨A, B⟩ if every trace in A

$$\begin{array}{c}
\textsc{Atomic}\ \dfrac{A \models \alpha \quad B \not\models \alpha}{\langle A, B\rangle}\ \alpha\ \text{literal}
\qquad
\textsc{Or}\ \dfrac{\langle A_1, B\rangle \quad \langle A_2, B\rangle}{\langle A_1 \uplus A_2, B\rangle}
\qquad
\textsc{And}\ \dfrac{\langle A, B_1\rangle \quad \langle A, B_2\rangle}{\langle A, B_1 \uplus B_2\rangle}
\\[2ex]
\textsc{Next}\ \dfrac{\langle A^{\mathsf{X}}, B^{\mathsf{X}}\rangle \quad A \subseteq \Sigma\cdot\Sigma^+}{\langle A, B\rangle}
\qquad
\textsc{WeakNext}\ \dfrac{\langle A^{\mathsf{X}}, B^{\mathsf{X}}\rangle \quad B \subseteq \Sigma\cdot\Sigma^+}{\langle A, B\rangle}
\\[2ex]
\textsc{Future}\ \dfrac{\langle A^f, B^{\mathsf{G}}\rangle}{\langle A, B\rangle}\ f \in \mathcal{F}_A
\qquad
\textsc{Globally}\ \dfrac{\langle A^{\mathsf{G}}, B^f\rangle}{\langle A, B\rangle}\ f \in \mathcal{F}_B
\end{array}$$

Fig. 1. The combinatorial proof system. Here, A, B ⊆ Σ<sup>+</sup>.

$$\textsc{Or}\
\dfrac{
\textsc{Next}\ \dfrac{\textsc{Atomic}\ \dfrac{\{baa\} \models \neg p \quad \{aab\} \not\models \neg p}{\langle \{baa\}, \{aab\}\rangle}}{\langle \{abaa\}, \{aaab\}\rangle}
\qquad
\textsc{Globally}\ \dfrac{\textsc{Atomic}\ \dfrac{\{aaaa, aaa, aa, a\} \models p \quad \{b\} \not\models p}{\langle \{aaaa, aaa, aa, a\}, \{b\}\rangle}}{\langle \{aaaa\}, \{aaab\}\rangle}
}{
\langle \{abaa, aaaa\}, \{aaab\}\rangle
}$$

Fig. 2. A deduction tree proving ⟨{abaa, aaaa}, {aaab}⟩. Here, a := {p} and b := ∅.

satisfies some literal α and every trace in B violates α. The Or rule corresponds to the case of A being separable from B via a formula of the form φ<sub>1</sub> ∨ φ<sub>2</sub>. In this rule and in the rule And, ⊎ stands for the union of disjoint sets. Intuitively, Or can be applied by proving that φ<sub>1</sub> separates a set A<sub>1</sub> ⊆ A from B and that φ<sub>2</sub> separates the set A \ A<sub>1</sub> from B. The Next rule allows separating A from B with a formula of the form Xφ, by checking whether the sets obtained by stepping all traces in A and B to the next time point are separable by φ. The side condition A ⊆ Σ · Σ<sup>+</sup> is necessary to ensure that all traces in A have a next time point. The Future rule separates A from B by following this principle: if the set obtained by choosing one suffix for every trace in A is separable from the set of all suffixes of the traces in B, then there is a formula of the form Fφ separating A from B. The rules And, WeakNext and Globally are designed to be duals of the rules Or, Next and Future, respectively.

By using the proof system, one can derive whether a pair (A, B) of (finite or infinite) sets of traces is in the separable relation ⟨·, ·⟩. Because of Lemma 2, this is not, however, a particularly useful application. Instead, the proof system is to be used to derive non-trivial lower (or upper) bounds on the size of the minimal formula that separates A from B. This is done by studying the sizes of the possible deduction trees of ⟨A, B⟩ in the proof system.

For instance, the deduction tree of Figure 2 shows that there is a formula φ having size(φ) = 5 and separating {abaa, aaaa} from {aaab}. This formula is found by simply reading bottom-up, starting from the root, the rules in the deduction tree, associating to each rule the homonymous operator of LTL. In the case of the tree in Figure 2 we have φ := (X¬p) ∨ Gp. Note that the formula φ is not the smallest separating formula, because the formula XXGp also separates {abaa, aaaa} from {aaab} and corresponds to a tree of size 4.
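The claims about Figure 2 can be checked mechanically. The sketch below (our encoding, implementing only the operators occurring in the two formulae) verifies that both (X¬p) ∨ Gp and XXGp separate {abaa, aaaa} from {aaab}.

```python
# Mini-evaluator for the operators used in Figure 2 (p, ¬p, ∨, X, G).
def sat(s, i, phi):
    op, *args = phi
    if op == "p":   return "p" in s[i]
    if op == "np":  return "p" not in s[i]
    if op == "or":  return sat(s, i, args[0]) or sat(s, i, args[1])
    if op == "X":   return i + 1 < len(s) and sat(s, i + 1, args[0])
    if op == "G":   return all(sat(s, j, args[0]) for j in range(i, len(s)))

def separates(phi, A, B):
    """phi separates A from B: all of A satisfies phi, none of B does."""
    return all(sat(s, 0, phi) for s in A) and not any(sat(s, 0, phi) for s in B)

a, b = {"p"}, set()
A = [[a, b, a, a], [a, a, a, a]]   # {abaa, aaaa}
B = [[a, a, a, b]]                 # {aaab}

phi5 = ("or", ("X", ("np",)), ("G", ("p",)))   # (X ¬p) ∨ G p, size 5
phi4 = ("X", ("X", ("G", ("p",))))             # XXG p, size 4
assert separates(phi5, A, B) and separates(phi4, A, B)
```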

The correspondence between deduction trees and formulae is formalised in the next theorem (we remark that A and B below do not need to be finite sets).

Theorem 3. Consider A, B ⊆ Σ<sup>+</sup>. Then, the term ⟨A, B⟩ has a deduction tree of size k if and only if there is a formula φ of LTL[X, X̃, F, G] separating A from B and such that size(φ) = k.

Proof sketch. We leave to the reader the proof of the left to right direction of the theorem (shown by induction on k), as it is not required to establish lower bounds on the sizes of formulae, and focus instead on the right to left direction.

Consider an LTL[X, X̃, F, G] formula φ that separates A from B. We construct a deduction tree of size size(φ). We proceed by structural induction on φ.

base case: φ is a literal. The deduction tree consists of a single application of the rule Atomic.

induction step, case: φ = φ<sub>1</sub> ∨ φ<sub>2</sub>. Define A<sub>1</sub> := {a ∈ A : a |= φ<sub>1</sub>} and A<sub>2</sub> := A \ A<sub>1</sub>. From A |= φ and B ⊭ φ we get A<sub>i</sub> |= φ<sub>i</sub> and B ⊭ φ<sub>i</sub> for both i ∈ {1, 2}. By the induction hypothesis, ⟨A<sub>i</sub>, B⟩ has a deduction tree of size size(φ<sub>i</sub>). By applying the rule Or, we obtain a deduction tree for ⟨A, B⟩ having size size(φ<sub>1</sub>) + size(φ<sub>2</sub>) + 1 = size(φ).

induction step, case: φ = Xψ. Since A |= Xψ, for every σ ∈ A we have |σ| ≥ 2 and (σ, 1) |= ψ. By definition of A<sub>X</sub>, A ⊆ Σ · Σ<sup>+</sup> and A<sub>X</sub> |= ψ. From B ̸|= Xψ, for every σ′ ∈ B, if |σ′| ≥ 2 then (σ′, 1) ̸|= ψ. By definition of B<sub>X</sub>, we have B<sub>X</sub> ̸|= ψ. By the induction hypothesis, ⟨A<sub>X</sub>, B<sub>X</sub>⟩ has a deduction tree of size size(ψ). We apply the rule Next to obtain a deduction tree of ⟨A, B⟩ of size size(ψ) + 1 = size(φ).

induction step, case: φ = Fψ. Since A |= Fψ, for every σ ∈ A there is j<sub>σ</sub> ∈ pos(σ) such that (σ, j<sub>σ</sub>) |= ψ. Let f ∈ F<sub>A</sub> be the map given by f(σ) = j<sub>σ</sub> for every σ ∈ A. We have A<sub>f</sub> |= ψ. We show that B<sub>G</sub> ̸|= ψ. Ad absurdum, suppose there is σ<sub>1</sub> ∈ B<sub>G</sub> such that σ<sub>1</sub> |= ψ. By definition of B<sub>G</sub> there is σ<sub>2</sub> ∈ B such that σ<sub>1</sub> ⊑ σ<sub>2</sub>. Then, (σ<sub>2</sub>, 0) |= Fψ. However, this contradicts the fact that B ̸|= Fψ. Therefore, B<sub>G</sub> ̸|= ψ. By the induction hypothesis, ⟨A<sub>f</sub>, B<sub>G</sub>⟩ has a deduction tree of size size(ψ). By applying the rule Future, we obtain a deduction tree for ⟨A, B⟩ of size size(ψ) + 1 = size(φ).

induction step, cases φ = φ<sub>1</sub> ∧ φ<sub>2</sub>, φ = X̃ψ and φ = Gψ. These cases are analogous to the cases φ = φ<sub>1</sub> ∨ φ<sub>2</sub>, φ = Xψ and φ = Fψ, respectively.

The right-to-left direction of Theorem 3 implies the following corollary, which highlights how our proof system is used to derive lower bounds on formula sizes.

Corollary 2. Consider a formula φ in LTL[X, X̃, F, G]. Suppose that (i) there are A, B ⊆ Σ<sup>+</sup> such that φ separates A from B, and (ii) every deduction tree of ⟨A, B⟩ has size at least k. Then, size(φ) ≥ k.

#### 4.2 Connections with the Adler–Immerman games

As outlined in Section 1, our proof system can be seen as an adaptation of the games for CTL introduced by Adler and Immerman in [1]. We now illustrate this connection. Readers who are mainly interested in seeing our proof system in action may want to skip ahead to Section 5.

The Adler–Immerman games extend the classical Ehrenfeucht–Fraïssé games in order to bound the sizes of the formulae that separate two (sets of) structures, instead of their quantifier depths. As in the Ehrenfeucht–Fraïssé games, the Adler–Immerman games are two-player games between a spoiler and a duplicator. The game arena is a pair of sets of structures (A, B), and at each round of the game the spoiler chooses a rule r to play (there is one rule for each Boolean connective and operator of the logic) and plays on one set of structures according to what r dictates. The duplicator replies on the other set, again according to r. The goal of the spoiler is to separate A from B (i.e., to show ⟨A, B⟩ in the context of CTL) in as few rounds as possible, whereas the duplicator must prolong the game as much as she can. The length of the minimal game corresponds to the size of the minimal formula separating A from B. The main difference between an Adler–Immerman game and an Ehrenfeucht–Fraïssé game is that, in the former, in each round the duplicator is allowed to make copies of the structures in the set she is playing on, and to play differently in each of these copies. This extra power given to the duplicator is why the games end up capturing the notion of size of a formula.

In the setting of the Adler–Immerman games, the rule for the operator F in LTL would be spelled out as follows: "For each structure σ ∈ A, the spoiler moves to a future position of σ (i.e., σ[j⟩ for some j ∈ pos(σ)). The duplicator answers by first making as many copies of elements in B as she wants, and then selects a future position for each of these copies". Because she can make copies, the duplicator has a trivial optimal strategy: at each round, copy the structures in B as much as possible, choosing a different position in each copy. The rule for F then simplifies to "For each structure σ ∈ A, the spoiler moves to a future position of σ. The duplicator answers with B<sub>G</sub>", which corresponds to our rule Future.

While Adler and Immerman discuss the fact that the duplicator has a trivial optimal strategy, they do not restate the games with only one player (mainly so as not to lose the similarity with the Ehrenfeucht–Fraïssé games). Our work shows that removing the duplicator yields a natural one-player game based on building proofs within a proof system. We think that this proof-system view has a few merits over the games. First, when proving lower bounds, it reduces the clumsiness of discussing the various moves of the spoiler and the replies of the duplicator. The combinatorics is of course still there, but not the players, and this substantially simplifies the exposition. Second, the proof system resembles the way in which one reasons about the algorithmic problem of separating A from B. For instance, the algorithm presented in [21] uses decision trees for solving this problem. These decision trees, when they encode a formula from LTL[X, X̃, F, G], can be easily translated into proofs in our proof system. We discuss this line of work, connected with LTL formula learning and explainable planning, further in Section 8.

## 5 The exponential lower bound for Φ<sub>n</sub>

In this section, we show that, for every n ≥ 1, all formulae of LTL[X, X̃, F, G] characterising the F(LTL[O]) formula Φ<sub>n</sub> defined in Section 3 have size at least 2<sup>n</sup>. Following the definition of Φ<sub>n</sub>, we consider a set of 2n + 2 distinct atomic propositions AP := {p̃, q̃} ∪ P ∪ Q, with P := {p<sub>1</sub>, . . . , p<sub>n</sub>} and Q := {q<sub>1</sub>, . . . , q<sub>n</sub>}; and Σ := 2<sup>AP</sup>. Throughout the section, let α(n) := 2<sup>n+1</sup>(n + 2)<sup>2</sup>, i.e., the upper bound given in Lemma 1 for one of these formulae.

Following Corollary 2, to prove the exponential lower bound we first define two sets of traces A and B that are separated by Φ<sub>n</sub> (Section 5.1), and then show that every deduction tree for ⟨A, B⟩ has size at least 2<sup>n</sup> (Section 5.2).


#### 5.1 Setting up the sets of traces A and B

We define the sets of types T<sub>P</sub> := {τ ∈ Σ : p̃ ∈ τ and τ ⊆ P ∪ {p̃}} and T<sub>Q</sub> := {τ ∈ Σ : q̃ ∈ τ and τ ⊆ Q ∪ {q̃}}. Similarly to what is done in the proof of Lemma 1, we write τ ↦ τ̄ for the involution on T<sub>P</sub> ∪ T<sub>Q</sub> sending a type τ ∈ T<sub>Q</sub> to the (only) type τ̄ ∈ T<sub>P</sub> with q<sub>i</sub> ∈ τ if and only if p<sub>i</sub> ∈ τ̄, for every i ∈ [1, n].

Throughout the section, we fix an (arbitrary) strict total order ≺ on the elements of T<sub>Q</sub>. Then, we denote by E ∈ (∅<sup>α(n)</sup> · T<sub>Q</sub>)<sup>2<sup>n</sup></sup> · ∅<sup>α(n)</sup> the (only) finite word enumerating all elements of T<sub>Q</sub> with respect to the order ≺. Note that, in E, between any two subsequent elements of T<sub>Q</sub> there are α(n) positions of type ∅. This "padding" added to the enumeration is required to handle the rules Next and WeakNext. Given τ ∈ T<sub>Q</sub>, we write E|<sub>−τ</sub> for the trace obtained from E by eliminating the only position of type τ, together with the α(n) positions of type ∅ preceding it. So, E|<sub>−τ</sub> belongs to (∅<sup>α(n)</sup> · T<sub>Q</sub>)<sup>2<sup>n</sup>−1</sup> · ∅<sup>α(n)</sup>.

For instance, consider the case of n = 2, so Q = {q<sub>1</sub>, q<sub>2</sub>} and α(n) = 128. Suppose {q̃} ≺ {q̃, q<sub>1</sub>} ≺ {q̃, q<sub>2</sub>} ≺ {q̃, q<sub>1</sub>, q<sub>2</sub>} to be the strict order on T<sub>Q</sub>. Then,

$$\begin{split} \mathcal{E} &= \emptyset^{128} \cdot \{\widetilde{q}\} \cdot \emptyset^{128} \cdot \{\widetilde{q}, q_1\} \cdot \emptyset^{128} \cdot \{\widetilde{q}, q_2\} \cdot \emptyset^{128} \cdot \{\widetilde{q}, q_1, q_2\} \cdot \emptyset^{128}, \\ \mathcal{E}|_{-\{\widetilde{q}, q_2\}} &= \emptyset^{128} \cdot \{\widetilde{q}\} \cdot \emptyset^{128} \cdot \{\widetilde{q}, q_1\} \cdot \emptyset^{128} \cdot \{\widetilde{q}, q_1, q_2\} \cdot \emptyset^{128}. \end{split}$$
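This construction is easy to reproduce programmatically. The following sketch is an illustration only: it encodes types as frozensets, writes q~ for q̃, and fixes ≺ as a size-then-lexicographic order matching the example above (any strict total order on T<sub>Q</sub> works):

```python
from itertools import combinations

# Construction of E and E|_{-τ} for n = 2, mirroring the example above.
n = 2
alpha = 2 ** (n + 1) * (n + 2) ** 2        # α(n) = 2^{n+1}·(n+2)^2; α(2) = 128
Q = [f"q{i}" for i in range(1, n + 1)]

# T_Q: every type contains q~ and otherwise only propositions from Q.
TQ = sorted((frozenset({"q~"}) | frozenset(s)
             for k in range(n + 1) for s in combinations(Q, k)),
            key=lambda t: (len(t), sorted(t)))

EMPTY = frozenset()                         # the type ∅

def enumeration(skip=None):
    """Build E (skip=None) or E|_{-skip}: α(n) copies of ∅ before each
    enumerated type, plus a closing block of α(n) copies of ∅."""
    word = []
    for tau in TQ:
        if tau == skip:
            continue                        # drop τ and its preceding padding
        word += [EMPTY] * alpha + [tau]
    return word + [EMPTY] * alpha

E = enumeration()                           # E ∈ (∅^α(n) · T_Q)^{2^n} · ∅^α(n)
E_minus = enumeration(skip=frozenset({"q~", "q2"}))
```

For n = 2 this yields |E| = 4 · 129 + 128 = 644 and |E|<sub>−τ</sub>| = 3 · 129 + 128 = 515, matching the memberships stated above.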

For the rest of the paper, we denote with A and B the sets:

$$\mathbf{A} := \{ \emptyset^j \cdot \overline{\tau} \cdot \mathcal{E} : j \in \mathbb{N},\ \tau \in T_Q \}, \qquad \mathbf{B} := \{ \emptyset^j \cdot \overline{\tau} \cdot (\mathcal{E}|_{-\tau}) : j \in \mathbb{N},\ \tau \in T_Q \}.$$

Lemma 3. The formula Φ<sub>n</sub> separates A from B.

Proof. Let j ∈ N and τ ∈ T<sub>Q</sub>. In a nutshell, the fact that ∅<sup>j</sup> · τ̄ · E |= Φ<sub>n</sub> follows from the fact that τ occurs in E, and from the position corresponding to τ one can refer back to τ̄ and find in this way a position satisfying p<sub>i</sub> if and only if q<sub>i</sub> ∈ τ, for every i ∈ [1, n]. However, since τ is removed from E|<sub>−τ</sub>, we see that b := ∅<sup>j</sup> · τ̄ · (E|<sub>−τ</sub>) ̸|= Φ<sub>n</sub>: indeed, b[j] = τ̄ corresponds to the only position in b satisfying p̃, but τ does not appear in b (since it does not appear in E|<sub>−τ</sub>). Therefore, A |= Φ<sub>n</sub> and B ̸|= Φ<sub>n</sub>.

#### 5.2 Separating A from B requires an exponential proof

We now show that every deduction tree for ⟨A, B⟩ has size at least 2<sup>n</sup>. To do so, we use a relation ≈ that, roughly speaking, states which elements (a, b) ∈ A<sub>G</sub> × B<sub>G</sub> are similar enough to require a non-trivial proof in order to be separated using the proof system. Formally, for a, b ∈ Σ<sup>+</sup>, we write a ≈ b whenever:

a and b are in the language ∅<sup>u</sup> · ρ · ∅<sup>α(n)</sup> · Σ<sup>∗</sup>, for some u ∈ N and ρ ∈ T<sub>Q</sub> ∪ T<sub>P</sub>.
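A small membership sketch may help parse this definition. It is an illustration under the assumption, suggested by the phrasing, that the witnesses u and ρ are shared by a and b; traces are lists of frozensets and α is fixed to α(2) = 128:

```python
# Membership sketch for the relation ≈ over traces-as-lists-of-frozensets.
EMPTY = frozenset()
alpha = 128                                  # α(2), for concreteness

def profile(trace, types):
    """Return (u, ρ) if trace ∈ ∅^u · ρ · ∅^alpha · Σ* with ρ ∈ types;
    return None otherwise."""
    u = 0
    while u < len(trace) and trace[u] == EMPTY:
        u += 1
    if u == len(trace) or trace[u] not in types:
        return None
    pad = trace[u + 1 : u + 1 + alpha]
    if len(pad) == alpha and all(t == EMPTY for t in pad):
        return (u, trace[u])
    return None

def similar(a, b, types):
    """a ≈ b: both traces have the same profile (u, ρ)."""
    pa = profile(a, types)
    return pa is not None and pa == profile(b, types)
```

For instance, two traces starting with the same number of ∅ positions, the same type, and a full padding block are similar, while shifting one of them by a single position breaks the relation.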

The central issue in the proof of the lower bound is counting how many of these pairs a ≈ b are preserved when applying the rules of the proof system. This count is done inductively on the size of the deduction tree, and allows us to derive the following lemma.

Lemma 4. Let r<sub>1</sub>, t<sub>1</sub>, . . . , r<sub>m</sub>, t<sub>m</sub> ∈ N and let τ<sub>1</sub>, . . . , τ<sub>m</sub> ∈ T<sub>Q</sub> be pairwise distinct sets. Consider A ⊆ A<sub>G</sub>, B := {(∅<sup>t<sub>i</sub></sup> · τ̄<sub>i</sub> · E|<sub>−τ<sub>i</sub></sub>)[r<sub>i</sub>⟩ : i ∈ [1, m]}, and C := {(a, b) ∈ A × B : a ≈ b}. Every deduction tree for ⟨A, B⟩ has size at least |C| + 1.

Proof. Below, suppose that ⟨A, B⟩ has a deduction tree (otherwise the statement is trivially true). In particular, let T be a minimal deduction tree for ⟨A, B⟩, and assume it has size s. Note that the hypothesis that τ<sub>1</sub>, . . . , τ<sub>m</sub> are distinct implies |B| ≤ 2<sup>n</sup>, which in turn implies |C| ≤ 2<sup>n</sup> (by definition of ≈, for every b ∈ B there is at most one a ∈ A<sub>G</sub> such that a ≈ b). Then, w.l.o.g. we can assume s ≤ α(n); otherwise the lemma follows trivially.

During the proof, we write ≺ for the strict total order on the elements of T<sub>Q</sub> used to construct the trace E enumerating T<sub>Q</sub>. Before continuing the proof of the lemma, we highlight a useful property of the elements of C.

Claim 1. Let (a, b) ∈ C and i ∈ [1, m] with b = (∅<sup>t<sub>i</sub></sup> · τ̄<sub>i</sub> · E|<sub>−τ<sub>i</sub></sub>)[r<sub>i</sub>⟩. Then, b = ∅<sup>u</sup> · ρ · ∅<sup>α(n)</sup> · σ, for some u ∈ N, ρ ∈ {τ<sub>i</sub>} ∪ {τ ∈ T<sub>Q</sub> : τ ≺ τ<sub>i</sub>} and σ ∈ Σ<sup>∗</sup>.

In a nutshell, this claim tells us that for every (a, b) ∈ C we have b ̸⊑ E.

Let us go back to the proof of Lemma 4. If A = ∅ or m = 0 then C = ∅ and the lemma follows trivially. Below, let us assume A ̸= ∅ and m ≥ 1. We prove the statement by induction on the size s of T .

In the base case s = 1, T is a single application of the rule Atomic. This means that for every a ∈ A and b ∈ B we have a[0] ̸= b[0]. By definition of ≈, this implies C = ∅, and therefore s ≥ |C| + 1.

Let us then consider the induction step s ≥ 2. Note that if |C| ≤ 1 then the statement follows trivially. Hence, below, we assume |C| ≥ 2. We split the proof depending on the rule applied to the root ⟨A, B⟩ of T. Since s ≥ 2, this rule cannot be Atomic. We omit the cases of Or and And, as they simply follow from the induction hypothesis, and focus on the rules related to temporal operators.

• case: rules Next and WeakNext. We consider Next and WeakNext together, as both require ⟨A<sub>X</sub>, B<sub>X</sub>⟩. Perhaps surprisingly, this case is non-trivial. The main difficulty stems from the fact that C′ := {(a, b) ∈ A<sub>X</sub> × B<sub>X</sub> : a ≈ b} might in principle even be empty, and thus applying the induction hypothesis to ⟨A<sub>X</sub>, B<sub>X</sub>⟩ is unhelpful for concluding that s ≥ |C| + 1. We now show how to circumvent this issue. The minimal deduction tree for ⟨A<sub>X</sub>, B<sub>X</sub>⟩ has size s − 1. Within this deduction tree, consider the maximal partial deduction tree T′ rooted at ⟨A<sub>X</sub>, B<sub>X</sub>⟩ and made solely of applications of the rules And, Or, Next, and WeakNext. Let ⟨A<sub>1</sub>, B<sub>1</sub>⟩, . . . , ⟨A<sub>q</sub>, B<sub>q</sub>⟩ be the leaves of this tree. Let j ∈ [1, q]. In the tree T, the rule applied to ⟨A<sub>j</sub>, B<sub>j</sub>⟩ is one of Atomic, Future and Globally. Let ξ<sub>j</sub> ≥ 1 be the number of Next and WeakNext rules used on the path of T from ⟨A, B⟩ to ⟨A<sub>j</sub>, B<sub>j</sub>⟩. Note that, from s ≤ α(n), we have ξ<sub>j</sub> ≤ α(n). We define the following two sets C<sub>j</sub> and N<sub>j</sub>, whose role is essentially to "track" the evolution of the pairs in C with respect to A<sub>j</sub> × B<sub>j</sub>:

$$\begin{aligned} C_j &:= \{ (a[\xi_j\rangle, b[\xi_j\rangle) \in A_j \times B_j : (a, b) \in C,\ a[\xi_j\rangle \approx b[\xi_j\rangle \}, \\ N_j &:= \{ (a[\xi_j\rangle, b[\xi_j\rangle) \in A_j \times B_j : (a, b) \in C,\ a[\xi_j\rangle \not\approx b[\xi_j\rangle \}. \end{aligned}$$

By the induction hypothesis, the minimal deduction tree for ⟨A<sub>j</sub>, B<sub>j</sub>⟩ has size s<sub>j</sub> ≥ |C<sub>j</sub>| + 1. Claims 2 to 4 below highlight a series of properties of the sets C<sub>j</sub> and N<sub>j</sub> from which we derive s ≥ |C| + 1.

Claim 2. For every j ∈ [1, q], if C<sub>j</sub> ∪ N<sub>j</sub> ̸= ∅ then the rule applied to ⟨A<sub>j</sub>, B<sub>j</sub>⟩ in T is either Future or Globally.

As already said, the rule applied to ⟨A<sub>j</sub>, B<sub>j</sub>⟩ is among the rules Atomic, Future and Globally. Then, showing that a[0] = b[0] for every (a, b) ∈ C<sub>j</sub> ∪ N<sub>j</sub> excludes the rule Atomic.

Claim 3. For every j ∈ [1, q], |N<sub>j</sub>| ≤ 1.

The proof of this claim is by contradiction, assuming the existence of distinct (a<sub>1</sub>, b<sub>1</sub>), (a<sub>2</sub>, b<sub>2</sub>) ∈ N<sub>j</sub>. In the proof, we analyse structural properties of the traces a<sub>1</sub>, a<sub>2</sub>, b<sub>1</sub> and b<sub>2</sub>, and consider several cases depending on these properties (for instance, one case split depends on whether a<sub>1</sub> ⊑ a<sub>2</sub>). In all these cases, we reach a contradiction with either (a<sub>1</sub>, b<sub>1</sub>) ̸= (a<sub>2</sub>, b<sub>2</sub>) or Claim 2.

Claim 4. |C| ≤ Σ<sup>q</sup><sub>j=1</sub> |C<sub>j</sub> ∪ N<sub>j</sub>|.

The claim follows as soon as one proves the following two statements:


The proof of Item 1 is by induction on the size of T′. Similarly to Claim 3, the proof of Item 2 again requires considering many cases, and uses properties of ≈, E and E|<sub>−τ<sub>i</sub></sub>.

Thanks to Claims 3 and 4, one can then prove s ≥ |C| + 1, concluding the proof for the rules Next and WeakNext:

$$\begin{aligned} s &\ge 1 + \textstyle\sum_{j=1}^{q} s_j && \text{by definition of } T \text{ and } T' \\ &\ge 1 + \textstyle\sum_{j=1}^{q} (|C_j| + 1) && \text{by } s_j \ge |C_j| + 1 \text{ (induction hypothesis)} \\ &\ge 1 + \textstyle\sum_{j=1}^{q} |C_j \cup N_j| && \text{by } |N_j| \le 1 \text{ (Claim 3)} \\ &\ge |C| + 1 && \text{by } |C| \le \textstyle\sum_{j=1}^{q} |C_j \cup N_j| \text{ (Claim 4)}. \end{aligned}$$

• case: rule Future. Let f ∈ F<sub>A</sub> be the future point used when applying this rule. Define C′ := {(a′, b′) ∈ A<sub>f</sub> × B<sub>G</sub> : a′ ≈ b′}. The minimal deduction tree for ⟨A<sub>f</sub>, B<sub>G</sub>⟩ has size s − 1. By the induction hypothesis, s − 1 ≥ |C′| + 1, i.e., s ≥ |C′| + 2. We divide the proof into two cases.

Case 1: for every a′ ∈ A<sub>f</sub>, a′ ̸⊑ E. By definition of ≈, every (a, b) ∈ C is such that a and b belong to the language ∅<sup>u</sup> · τ<sub>i</sub> · ∅<sup>α(n)</sup> · Σ<sup>∗</sup> for some u ∈ N and i ∈ [1, m]. Since a<sup>f</sup> ̸⊑ E, we must have f(a) ≤ u + 1. Then, a<sup>f</sup> ≈ b[f(a)⟩. Note that distinct (a, b) ∈ C concern distinct τ<sub>i</sub> with i ∈ [1, m], and therefore, together with b[f(a)⟩ ∈ B<sub>G</sub>, one concludes that |C′| ≥ |C|; and so s ≥ |C| + 2.

Case 2: there is a′ ∈ A<sub>f</sub> such that a′ ⊑ E. Let us denote by ã the element of A<sub>f</sub> such that ã ⊑ a for every a ∈ A<sub>f</sub>. The existence of such an element follows directly from the fact that a′ ⊑ E for some a′ ∈ A<sub>f</sub>.

Let I ⊆ [1, m] be the subset of those indices i ∈ [1, m] for which there is a pair (a′, b′) ∈ C such that b′ = (∅<sup>t<sub>i</sub></sup> · τ̄<sub>i</sub> · E|<sub>−τ<sub>i</sub></sub>)[r<sub>i</sub>⟩. Without loss of generality, suppose I = {1, . . . , q} for some q ≤ m, and that τ<sub>1</sub> ≺ τ<sub>2</sub> ≺ · · · ≺ τ<sub>q</sub>; recall that all these types are pairwise distinct. By definition of ≈, for every b′ ∈ B there is at most one a′ ∈ A<sub>G</sub> such that a′ ≈ b′, and therefore q = |C|. To conclude the proof it suffices to show |C′| ≥ q − 1. We do so by establishing a series of claims. Recall that we are assuming |C| ≥ 2, so in particular C and I are non-empty.

Claim 5. There are u ∈ N, ρ ∈ T<sub>Q</sub> and σ ∈ (2<sup>Q</sup>)<sup>∗</sup> s.t. ã = ∅<sup>u</sup> · ρ · ∅<sup>α(n)</sup> · σ. Moreover, ρ ⪯ τ<sub>i</sub> for every i ∈ I.

The first statement of this claim is established from the definition of ã. The second statement is proven by contradiction. In particular, assuming that there is i ∈ I such that τ<sub>i</sub> ≺ ρ yields a contradiction with Claim 1.

Below, we write u, ρ and σ for the objects appearing in Claim 5. Note that, from τ<sub>1</sub> ≺ · · · ≺ τ<sub>q</sub>, the second statement of Claim 5 implies ρ ≺ τ<sub>2</sub> ≺ · · · ≺ τ<sub>q</sub>. For i ∈ [2, q], let (a′<sub>i</sub>, b′<sub>i</sub>) denote the pair in C such that b′<sub>i</sub> = (∅<sup>t<sub>i</sub></sup> · τ̄<sub>i</sub> · E|<sub>−τ<sub>i</sub></sub>)[r<sub>i</sub>⟩.

Claim 6. For each i ∈ [2, q] there is ℓ ∈ N such that ã ≈ b″<sub>i</sub>, where b″<sub>i</sub> := b′<sub>i</sub>[ℓ⟩. Moreover, every type in {τ<sub>2</sub>, . . . , τ<sub>q</sub>} \ {τ<sub>i</sub>} appears in some position of b″<sub>i</sub>.

This claim is proven using Claims 1 and 5, together with properties of E|<sub>−τ<sub>i</sub></sub>.

Since the types τ<sub>2</sub>, . . . , τ<sub>q</sub> are pairwise distinct, from the second statement of Claim 6 we conclude that b″<sub>i</sub> ̸= b″<sub>j</sub> for any two distinct i, j ∈ [2, q]. Then, the first statement of Claim 6 entails |C′| ≥ q − 1.

• case: rule Globally. Let f ∈ F<sub>B</sub> be the future point used when applying this rule. The minimal deduction tree for ⟨A<sub>G</sub>, B<sub>f</sub>⟩ has size s − 1. We define C′ := {(a′, b′) ∈ A<sub>G</sub> × B<sub>f</sub> : a′ ≈ b′}. By the induction hypothesis, s − 1 ≥ |C′| + 1, i.e., s ≥ |C′| + 2. To conclude the proof it suffices to show that |C′| ≥ |C| − 1 (in fact, we prove |C′| ≥ |C|). Let {(a<sub>1</sub>, b<sub>1</sub>), . . . , (a<sub>|C|</sub>, b<sub>|C|</sub>)} = C.

Claim 7. For every j ∈ [1, |C|], b<sup>f</sup><sub>j</sub> is not a suffix of E. More precisely, given i ∈ [1, m] such that b<sub>j</sub> = (∅<sup>t<sub>i</sub></sup> · τ̄<sub>i</sub> · E|<sub>−τ<sub>i</sub></sub>)[r<sub>i</sub>⟩, we have b<sup>f</sup><sub>j</sub> = ∅<sup>u</sup> · ρ · ∅<sup>α(n)</sup> · σ, for some u ∈ N, ρ ∈ {τ<sub>i</sub>} ∪ {τ ∈ T<sub>P</sub> : τ ≺ τ<sub>i</sub>} and σ ∈ Σ<sup>∗</sup>.

Note the similarities between this claim and Claim 1. The first statement is proven by contradiction, deriving an absurdity from the existence of T. The second statement follows from the definition of E|<sub>−τ<sub>i</sub></sub>.

Succinctness of Cosafety Fragments of LTL via Combinatorial Proof Systems 109

Starting from Claim 7, we conclude that (i) for every j ̸= k ∈ [1, |C|], b<sup>f</sup><sub>j</sub> ̸= b<sup>f</sup><sub>k</sub>, and (ii) for every j ∈ [1, |C|] there is ℓ ∈ N such that a<sub>j</sub>[ℓ⟩ ≈ b<sup>f</sup><sub>j</sub>. This directly implies |C′| ≥ |C|, which concludes both the proof of the case Globally and the proof of the lemma.

Together, Lemmas 3 and 4 yield an exponential lower bound for all formulae of LTL[X, X̃, F, G] characterising Φ<sub>n</sub> (Lemma 5), which in turn implies Theorem 1.

Lemma 5. Let Ψ<sub>n</sub> ∈ LTL[X, X̃, F, G]. If Ψ<sub>n</sub> ≡ Φ<sub>n</sub> then size(Ψ<sub>n</sub>) ≥ 2<sup>n</sup>.

Proof. We define the sets A = {τ̄ · E : τ ∈ T<sub>Q</sub>} and B = {τ̄ · (E|<sub>−τ</sub>) : τ ∈ T<sub>Q</sub>}. Observe that A ⊆ **A** ⊆ **A**<sub>G</sub> and B ⊆ **B**. Let C = {(a, b) ∈ A × B : a ≈ b}. From the definition of ≈, |C| = 2<sup>n</sup>. We apply Lemma 4, and conclude that the minimal deduction tree for ⟨A, B⟩ has size at least 2<sup>n</sup> (in fact, 2<sup>n</sup> + 1). Since A ⊆ **A** and B ⊆ **B**, the same holds for the minimal deduction tree for ⟨**A**, **B**⟩. Then, the lemma follows from Corollary 2 and Lemma 3.

While we do not prove it formally, we claim that Theorem 1 also holds for infinite traces. It is in fact quite simple to see this: all traces in **A** and **B** have a suffix of the form ∅<sup>α(n)</sup>. Roughly speaking, these suitably long suffixes are added to make the far ends of the traces in **A** and **B** indistinguishable at the level of formulae, so that they cannot be used in deduction trees to separate **A** from **B**. Then, to prove Theorem 1 for infinite traces, it suffices to update the proof system to handle these structures and consider an infinite suffix ∅<sup>ω</sup> instead. The proof of Lemma 4 goes through with no significant change.

A second observation: the traces in **A** and **B** are closed under prepending arbitrarily long prefixes of the form ∅<sup>j</sup>. This feature is not used to prove Lemma 5 (see the definition of A and B in the proof). However, these prefixes play a role in the next section, when studying the succinctness of F(LTL[Y, Ỹ, O, H]) on infinite traces.

## 6 Theorem 2: a 2<sup>n</sup> lower bound for LTL[F] pastification

In this section, we rely on Lemma 5 to prove Theorem 2 and Corollary 1.

Theorem 2 is proven by relying on a "future–past duality" between future and past fragments of LTL. Given a trace σ ∈ Σ<sup>+</sup>, we define the reverse of σ, written σ<sup>−</sup>, as the trace satisfying σ<sup>−</sup>[i] = σ[|σ| − 1 − i] for every i ∈ pos(σ). The reverse of a language L ⊆ Σ<sup>+</sup> is defined as the language L<sup>−</sup> := {σ<sup>−</sup> : σ ∈ L}. Clearly, (L<sup>−</sup>)<sup>−</sup> = L. Given a set of temporal operators S ⊆ {X, X̃, F, G}, we write S<sup>−</sup> for the set of temporal operators among {Y, Ỹ, O, H} such that S<sup>−</sup> contains Y (resp. Ỹ; O; H) if and only if S contains X (resp. X̃; F; G). For finite traces, the following lemma proves that if there is a family of languages (L<sub>n</sub>)<sub>n≥1</sub> that can be compactly defined in F(LTL[O]) but explodes in LTL[X, X̃, F, G], then the family (L<sub>n</sub><sup>−</sup>)<sub>n≥1</sub> can be compactly defined in LTL[F] but explodes in F(LTL[Y, Ỹ, O, H]).
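The reversal operation is elementary; a quick sketch (traces as strings, with the weak operators X̃ and Ỹ written in ASCII as "X~" and "Y~") may still be useful to fix the 0-indexed definition:

```python
# Reversal of finite traces and languages, as in the future–past duality,
# together with the operator correspondence S ↦ S⁻.

def reverse_trace(sigma: str) -> str:
    # With 0-indexed positions: reverse_trace(s)[i] == s[len(s) - 1 - i].
    return sigma[::-1]

def reverse_language(L: set[str]) -> set[str]:
    return {reverse_trace(sigma) for sigma in L}

# Y ↔ X, Y~ ↔ X~, O ↔ F, H ↔ G.
DUAL = {"X": "Y", "X~": "Y~", "F": "O", "G": "H"}

assert reverse_trace("abaa") == "aaba"
assert reverse_language(reverse_language({"abaa", "aaab"})) == {"abaa", "aaab"}
```

The second assertion is the identity (L<sup>−</sup>)<sup>−</sup> = L on a two-element language.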

Lemma 6. Let L ⊆ Σ<sup>+</sup>, S ⊆ {X, X̃, F, G}, and φ be a formula in F(LTL[S<sup>−</sup>]). There is a formula ψ in F(LTL[S]) such that L(ψ) = L(φ)<sup>−</sup> and size(ψ) = size(φ).

Theorem 2 follows by applying Lemma 6 to the family of formulae (Φ<sub>n</sub>)<sub>n≥1</sub> defined in Section 3, and by relying on the exponential lower bound of Lemma 5. The sequence of languages showing that LTL[F] can be exponentially more succinct than F(LTL[Y, Ỹ, O, H]) is given by (L(Φ<sub>n</sub>)<sup>−</sup>)<sub>n≥1</sub>.

Next, we extend Theorem 2 to the case of infinite traces. As usual, let Σ<sup>ω</sup> be the set of all infinite traces over the finite alphabet Σ. We denote by L<sup>ω</sup>(φ) the language of φ when φ is interpreted over infinite traces (we refer the reader to, e.g., [2] for the semantics of LTL on infinite traces).

Lemma 7. The family of languages of infinite traces (L(Φ<sub>n</sub>)<sup>−</sup> · Σ<sup>ω</sup>)<sub>n≥1</sub> is such that, for every n ≥ 1, (i) there is a formula φ of LTL[F] such that size(φ) ∈ O(n) and L<sup>ω</sup>(φ) = L(Φ<sub>n</sub>)<sup>−</sup> · Σ<sup>ω</sup>, and (ii) for every formula ψ in F(LTL[Y, Ỹ, O, H]), if L<sup>ω</sup>(ψ) = L(Φ<sub>n</sub>)<sup>−</sup> · Σ<sup>ω</sup> then size(ψ) ≥ 2<sup>n</sup>.

Item (i) in the lemma above follows by applying Lemma 6 and exploiting the fact that formulae φ in LTL[F] satisfy L<sup>ω</sup>(φ) = L(φ) · Σ<sup>ω</sup> and L(φ) = L(φ) · Σ<sup>∗</sup> (cf. [2, Definition 5 and Lemma 5]). The proof of Item (ii) is instead quite subtle. One would like to use the hypothesis L<sup>ω</sup>(ψ) = L(Φ<sub>n</sub>)<sup>−</sup> · Σ<sup>ω</sup> and the fact that L(ψ) is a cosafety language to derive L(ψ) = L(Φ<sub>n</sub>)<sup>−</sup>. However, note that nothing prevents L(ψ) from being equal to L(Φ<sub>n</sub>)<sup>−</sup> · Σ, and as it stands we do not have bounds for characterising this language. We instead apply the following strategy. We consider the families of structures A′ := {a<sup>−</sup> · ∅<sup>ω</sup> : a ∈ **A**} and B′ := {b<sup>−</sup> · ∅<sup>ω</sup> : b ∈ **B**}. Note that A′ ⊆ L<sup>ω</sup>(ψ) and B′ ∩ L<sup>ω</sup>(ψ) = ∅. Since ψ is of the form F(α) with α ∈ LTL[Y, Ỹ, O, H], we can, roughly speaking, study the effects of applying to A′ and B′ a variant of the rule Future that works on infinite words and does not "forget the past", and then reverse all traces in the resulting sets (A′)<sup>f</sup> and (B′)<sup>G</sup>. In this way, we obtain two sets of finite traces Ã ⊆ **A** and B̃ ⊆ **B** (this is where the prefixes ∅<sup>j</sup> discussed at the end of Section 5 play a role). We show that the hypotheses of Lemma 4 apply to Ã and a set B̂ ⊆ B̃ for which the set {(a, b) ∈ Ã × B̂ : a ≈ b} has size at least 2<sup>n</sup> − 1. By Corollary 2, we get that α, and thus ψ, has size at least 2<sup>n</sup>.

Lemma 7 shows that Theorem 2 holds over infinite traces as well. Together with the 2<sup>O(n)</sup> upper bound for the pastification problem from LTL[X, F] into F(LTL[Y, Ỹ, O]) established<sup>6</sup> in [4], this entails Corollary 1.

## 7 The automata method does not work for F(LTL[O])

In this section we show that the classical method introduced by Markey in [20] to prove "future against past" succinctness discrepancies between fragments of LTL cannot be used to prove the results of Section 5, namely that F(LTL[O]) can be exponentially more succinct than LTL[X, X̃, F, G]. Due to space constraints, we assume a basic familiarity with non-deterministic Büchi automata (NBAs) and deterministic Büchi automata (DBAs), which are central tools in [20]. Moreover,

<sup>6</sup> To be more precise, in [4] the authors only provide a 2<sup>O(n<sup>2</sup>)</sup> upper bound for their algorithm. Their analysis can however be easily improved to 2<sup>O(n)</sup>.

we work with LTL on infinite traces, as done in [20], and write φ ≡<sub>ω</sub> ψ whenever L<sup>ω</sup>(φ) = L<sup>ω</sup>(ψ). We write L<sup>ω</sup>(A) for the language of an NBA A.

Proposition 1 below summarises the method of [20], which is parametric in a fixed prefix Π of operators among X, F and G. Given two fragments F, F′ of LTL, with F′ pure future, to apply the method one has to provide two families of formulae (Φ<sub>n</sub>)<sub>n≥1</sub> ∈ F and (Φ′<sub>n</sub>)<sub>n≥1</sub> ∈ F′, as well as a family of minimal NBAs (A<sub>n</sub>)<sub>n≥1</sub>, satisfying the hypotheses of Proposition 1. In [20], this is done for F = LTL and F′ set as the pure future fragment of LTL, using the prefix Π = G.

Proposition 1 (Markey's method [20]). Let F, F′ be fragments of LTL, with F′ pure future. Consider two families of formulae (Φ<sub>n</sub>)<sub>n≥1</sub> ∈ F, (Φ′<sub>n</sub>)<sub>n≥1</sub> ∈ F′, and a family of minimal NBAs (A<sub>n</sub>)<sub>n≥1</sub>, such that

$$\text{size}(A_n) \in 2^{2^{\Omega(n)}}, \quad \text{size}(\Phi_n) \in \text{poly}(n), \quad \Phi_n \equiv_{\omega} \Phi'_n, \quad \mathcal{L}^{\omega}(\Pi(\Phi'_n)) = \mathcal{L}^{\omega}(A_n).$$

Then, size(Φ′<sub>n</sub>) ∈ 2<sup>size(Φ<sub>n</sub>)<sup>Ω(1)</sup></sup> and F can be exponentially more succinct than F′.

The consequence size(Φ′<sub>n</sub>) ∈ 2<sup>size(Φ<sub>n</sub>)<sup>Ω(1)</sup></sup> obtained in Proposition 1 follows directly from the fact that, from every pure future LTL formula φ, one can build an NBA A of size 2<sup>O(size(φ))</sup> such that L<sup>ω</sup>(A) = L<sup>ω</sup>(φ) [26]. Then, the hypotheses size(A<sub>n</sub>) ∈ 2<sup>2<sup>Ω(n)</sup></sup> and L<sup>ω</sup>(Π(Φ′<sub>n</sub>)) = L<sup>ω</sup>(A<sub>n</sub>) imply size(Φ′<sub>n</sub>) ∈ 2<sup>Ω(n)</sup>.

To show that Proposition 1 cannot be used to derive that F := F(LTL[O]) can be exponentially more succinct than F′ := LTL[X, X̃, F, G], it suffices to show that no families (Φ<sub>n</sub>)<sub>n≥1</sub> ∈ F, (Φ′<sub>n</sub>)<sub>n≥1</sub> ∈ F′ and (A<sub>n</sub>)<sub>n≥1</sub> achieve the hypotheses required by Proposition 1, no matter the temporal prefix Π. We do so by establishing that whenever size(Φ<sub>n</sub>) ∈ poly(n) and Φ<sub>n</sub> ≡<sub>ω</sub> Φ′<sub>n</sub>, the minimal deterministic Büchi automaton for L<sup>ω</sup>(Π(Φ′<sub>n</sub>)) has size in 2<sup>poly(n)</sup>. Therefore, no family of minimal NBAs (A<sub>n</sub>)<sub>n≥1</sub> such that size(A<sub>n</sub>) ∈ 2<sup>2<sup>Ω(n)</sup></sup> can also satisfy the hypothesis L<sup>ω</sup>(Π(Φ′<sub>n</sub>)) = L<sup>ω</sup>(A<sub>n</sub>). Here is the formal statement:

Theorem 4. Let Π be a prefix of k temporal operators among X, F and G. Let φ be a formula of F(LTL[O]), and ψ be a formula of LTL[X, X̃, F, G], with φ ≡<sub>ω</sub> ψ. The minimal DBA for L<sup>ω</sup>(Π(ψ)) has size in (k + 1) · 2<sup>O(size(φ))</sup>.

The proof of this theorem is divided into three steps.

As a first step, one shows that ψ ≡<sub>ω</sub> Fψ, which essentially follows from the fact that ψ ≡<sub>ω</sub> φ with φ ∈ F(LTL[O]). Together with tautologies of LTL such as FGFψ′ ≡<sub>ω</sub> GFψ′, FXψ′ ≡<sub>ω</sub> XFψ′ and GXψ′ ≡<sub>ω</sub> XGψ′, the equivalence ψ ≡<sub>ω</sub> Fψ lets us rearrange Π into a prefix of the form either X<sup>j</sup>GF or X<sup>j</sup>F, for some j ≤ k. Let us focus on the former (more challenging) case of Π = X<sup>j</sup>GF.

The second step required for the proof is to bound the size of the minimal DBA A recognising L<sup>ω</sup>(Fψ). Thanks to the equivalences φ ≡<sub>ω</sub> ψ ≡<sub>ω</sub> Fψ, such a DBA has size exponential in size(φ), by the following lemma.

Lemma 8. Let φ be in F(LTL[O]). There is a DBA for L<sup>ω</sup>(φ) of size 2<sup>O(size(φ))</sup>.

#### 112 L. Geatti et al.

Starting from A, the third and last step of the proof requires constructing a DBA for L<sup>ω</sup>(X<sup>j</sup>GFψ) of size in (j + 1) · 2<sup>O(size(φ))</sup>. The treatment of the prefix X<sup>j</sup> is simple, so this step is mostly dedicated to constructing a DBA for L<sup>ω</sup>(GFψ). In the case of full LTL, it is known that closing an NBA under the globally operator G might lead to a further exponential blow-up (in fact, this is one of the reasons why Markey's method is possible in the first place). However, because φ is in F(LTL[O]), it defines a cosafety language (and so does ψ), and it turns out that the size of the minimal DBA for L<sup>ω</sup>(GFψ) is in O(size(A)).

Lemma 9. Let ψ be in LTL such that L^ω(ψ) is a cosafety language, and let A be a DBA for L^ω(Fψ). The minimal DBA for L^ω(GFψ) has size in O(size(A)).

Thanks to Lemma 9, the proof of Theorem 4 is easily completed. To prove this lemma, one modifies A by redirecting all transitions exiting a final state so that they mimic the transitions exiting the initial state of the automaton. The argument that the obtained automaton recognises L^ω(GFψ) crucially uses the fact that L^ω(ψ) and L^ω(Fψ) are cosafety languages.
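As a concrete illustration, the redirection step above can be sketched over an explicit transition table; the representation and all names below are ours, not from the paper:

```python
def redirect_final_states(init, delta, accepting):
    """Sketch of the Lemma 9 construction: from the transition table of a DBA
    for F(psi), build the table of a DBA for GF(psi) by making every transition
    that exits an accepting state mimic the corresponding transition of the
    initial state, i.e. restart the search for a witness of psi.

    delta: dict mapping (state, letter) -> state.
    """
    return {(q, a): (delta[(init, a)] if q in accepting else q2)
            for (q, a), q2 in delta.items()}

# Toy DBA over the alphabet {a, b}; state 1 is accepting.
delta = {(0, "a"): 1, (0, "b"): 0, (1, "a"): 1, (1, "b"): 1}
print(redirect_final_states(0, delta, {1}))
# transitions out of state 1 now copy those out of state 0
```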

## 8 Related and Future Work

The proof systems we use in this work to establish Theorem 2 and Theorem 1 are strongly related to recent work in two seemingly disconnected areas of computer science: (i) combinatorial games for formula-size lower bounds in first-order logics and (ii) learning of LTL formulae in explainable planning and program synthesis.

Combinatorial games. We have already discussed the connections between our proof system and the CTL<sup>+</sup> games by Adler and Immerman [1]. Recently, Fagin and coauthors [9,10] have looked at combinatorial games that make it possible to count the number of quantifiers required to express a property in first-order logic. While these games simplify Adler–Immerman games, they come with a drawback: by design, they implicitly look at how to express properties with first-order formulae in prenex normal form, and they are unable to give any bound on the quantifier-free part of such formulae. It thus seems impossible to use these types of games in the context of LTL. One could in principle consider translations of LTL formulae into a prenex fragment of S1S. However, since S1S is both more expressive and more succinct than LTL [25], concluding that LTL[F] can be exponentially more succinct than F(LTL[Y, Ỹ, O, H]) will ultimately require analysing structural properties of the quantifier-free part of the S1S formulae.

Closer to the case of LTL are the games on linear orders (implicitly) used by Grohe and Schweikardt in [14]. These are formula-size games for a fixed number of variables of first-order logic. Using our notation, the method used to derive lower bounds in [14] relies on defining a function ω from terms of the form ⟨A, B⟩ to N that acts as a sub-additive measure with respect to the rules of the proof system. For instance, according to the rule Or, ω should satisfy ω(⟨A, B⟩) ≤ ω(⟨A1, B⟩) + ω(⟨A2, B⟩) whenever A = A1 ⊎ A2. One can use a sub-additive measure ω to conclude that the minimal deduction tree for ⟨A, B⟩, if it exists, has size at least ω(⟨A, B⟩). When restricted to the objects in Lemma 4, one can show that the function ω(⟨A, B⟩) := |{(a, b) ∈ A × B : a ≈ b}| + 1 is a sub-additive measure with respect to the rules Atomic, Or, And, Future and Globally (this is implicit in the proof of Lemma 4). However, it is not a sub-additive measure for the rules Next and WeakNext: as stressed in the proof, we might have ω(⟨AX, BX⟩) = 1 even for ω(⟨A, B⟩) arbitrarily large. This partially explains why the proof of Lemma 4 turned out to be quite involved.

In view of the optimality of the algorithm in [4] (Corollary 1), the main open problem regarding pastification is the optimality of the triply-exponential time procedure given in [7] for the pastification of LTL[X, U] into F(pLTL). As far as we are aware, no super-polynomial lower bound for this problem is known. Our proof system, properly extended with rules for the until and release operators, might be able to tackle this issue. Obtaining a matching triply-exponential lower bound might however be impossible: when restricted to propositional logic, our proof system is equivalent to the communication games introduced by Karchmer and Wigderson [15]. It is well known that these games cannot prove super-quadratic lower bounds on formula size, and one should expect similar limitations for temporal logics, albeit with respect to some function that is at least exponential.

LTL formulae learning. Motivated by the practical issue of understanding a complex system starting from its execution traces, several recent works study the algorithmic problem of finding an LTL formula separating two finite sets of traces, see e.g. [21,5,24,11,12]. In light of Theorem 3, this problem is equivalent to finding a proof in (possibly variations of) our combinatorial proof system. We believe that this simple observation will turn out to be quite fruitful for both the "combinatorial games" and the "formula learning" communities. From our experience, tools such as the ones developed in [21,5,24] are quite useful when studying combinatorial lower bounds, as they can be used to empirically test whether families of structures are difficult to separate, before attempting a formal proof. In our case, we used the tool from [21] while searching for the structures and formulae we ended up using in Section 5, and discarded several other candidates thanks to the evidence the tool gave us. On the other side of the coin, combinatorial proof systems can be seen as a common foundational framework for all these formula-learning procedures. With this in mind, we believe that the techniques developed for proving lower bounds in works such as [14] might help improve these procedures, for example by using the minimisation of a sub-additive measure as a heuristic.

Acknowledgements. Luca Geatti and Angelo Montanari acknowledge the support of the 2023 Italian INdAM-GNCS project "Analisi simbolica e numerica di sistemi ciberfisici", ref. no. CUP E53C22001930001. Angelo Montanari acknowledges the support of the MUR PNRR project FAIR - Future AI Research (PE00000013) funded by the NextGenerationEU. Alessio Mansutti is supported by the César Nombela grant 2023-T1/COM-29001, funded by the Madrid Regional Government, and by grant PID2022-138072OB-I00, funded by MCIN/AEI/10.13039/501100011033 (FEDER, EU).


## References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## A Resolution-Based Interactive Proof System for UNSAT

Philipp Czerner, Javier Esparza, and Valentin Krasotin (B)

> Technical University of Munich, Munich, Germany
> {czerner,esparza,krasotin}@in.tum.de

Abstract. Modern SAT or QBF solvers are expected to produce correctness certificates. However, certificates have worst-case exponential size (unless NP = coNP), and at recent SAT competitions the largest certificates of unsatisfiability are starting to reach terabyte size.

Recently, Couillard, Czerner, Esparza, and Majumdar have suggested replacing certificates with interactive proof systems based on the IP = PSPACE theorem. They have presented an interactive protocol between a prover and a verifier for an extension of QBF. The overall running time of the protocol is linear in the time needed by a standard BDD-based algorithm, and the time invested by the verifier is polynomial in the size of the formula. (So, in particular, the verifier never has to read or process exponentially long certificates.) We call such an interactive protocol competitive with the BDD algorithm for solving QBF.

While BDD-algorithms are state-of-the-art for certain classes of QBF instances, no modern (UN)SAT solver is based on BDDs. For this reason, we initiate the study of interactive certification for more practical SAT algorithms. In particular, we address the question whether interactive protocols can be competitive with some variant of resolution. We present two contributions. First, we prove a theorem that reduces the problem of finding competitive interactive protocols to finding an arithmetisation of formulas satisfying certain commutativity properties. (Arithmetisation is the fundamental technique underlying the IP = PSPACE theorem.) Then, we apply the theorem to give the first interactive protocol for the Davis-Putnam resolution procedure.

## 1 Introduction

Automated reasoning tools should provide evidence of their correct behaviour. A substantial amount of research has gone into proof-producing automated reasoning tools [12,17,16,10,3]. These works define a notion of "correctness certificate" and adapt the reasoning engine to produce independently checkable certificates. For example, SAT solvers produce either a satisfying assignment or a proof of unsatisfiability in some proof system, e.g. resolution (see [12] for a survey).

Current tools may produce certificates for UNSAT with hundreds of GiB or even, in extreme cases, hundreds of TiB [13]. This makes checking the certificate, or even sending it to a verifier, computationally expensive. Despite much progress on reducing the size of proofs and improving the efficiency of checking them (see e.g. [11,12]), this problem is of a fundamental nature: unless NP = coNP, which is considered very unlikely, certificates for UNSAT have worst-case exponential size in the size of the formula.

The IP = PSPACE theorem, proved in 1992 by Shamir [18], presents a possible fundamental solution to this problem: interactive proofs<sup>1</sup>. A language is in IP if there exists a sound and complete interactive proof protocol between two agents, Prover and Verifier, that Verifier can execute in randomised polynomial time [7,2,15,1]. Completeness means that, for any input in the language, an honest prover that truthfully follows the protocol will convince Verifier to accept the input. Soundness means that, for any input not in the language, Verifier will reject it with high probability, no matter how Prover behaves. "Conventional" certification is the special case of interactive proof in which Prover sends Verifier only one message, the certificate, and Verifier is convinced with probability 1. The IP = PSPACE theorem implies the existence of interactive proof protocols for UNSAT in which Verifier only invests polynomial time in the size of the formula. In particular, Verifier never has to check exponentially long certificates from Prover, as is the case for conventional certification protocols in which Prover generates a proof in resolution, DRAT, or any other of the proof systems found in the literature, and Verifier checks each step of the proof.

Despite its theoretical promise, the automated reasoning community has not yet developed tools for UNSAT or QBF with interactive proof protocols. In a recent paper [5], Couillard, Czerner, Esparza, and Majumdar venture a possible explanation. They argue that all interactive certification protocols described in the literature have been designed to prove asymptotic complexity results, for which it suffices to use honest provers that construct the full truth table of the formula. Such provers are incompatible with automated reasoning tools, which use more sophisticated data structures and heuristics. To remedy this, Couillard et al. propose to search for interactive proof protocols based on algorithms closer to those used in automated reasoning tools. In [5], they consider the standard BDD-based algorithm for QBF and design an interactive proof protocol based on it.

While BDDs are still considered interesting for QBF, the consensus is that they are not state-of-the-art for UNSAT due to their high memory consumption. In this paper we initiate the study of interactive certification for SAT-solving algorithms closer to the ones used in tools. For this, given an algorithm Alg and an interactive protocol P, both for UNSAT, we say that P is competitive with Alg if the ratio between the runtime of Prover in P and the runtime of Alg on inputs of length n is bounded by a polynomial in n. So, loosely speaking, if P is competitive with Alg, then one can add interactive verification to Alg with only polynomial overhead. The general question we address is: which algorithms for UNSAT have competitive interactive proof protocols?

Our first contribution is a generic technique that, given an algorithm for UNSAT satisfying certain conditions, constructs a competitive interactive protocol.

<sup>1</sup> In our context it would be more adequate to speak of interactive certification, but we use the standard terminology.

Let us be more precise. We consider algorithms for UNSAT that, given a formula φ0, construct a sequence φ0, φ1, ..., φk of formulas such that φi is equisatisfiable to φi+1, and there is a polynomial algorithm that decides whether φk is unsatisfiable. Our interactive protocols are based on the idea of encoding the formulas in this sequence as polynomials over a finite field in such a way that the truth value of the formula for a given assignment is determined by the value of the polynomial on that assignment. The encoding procedure is called arithmetisation. We introduce the notion of an arithmetisation compatible with a given algorithm. Loosely speaking, compatibility means that for each step φi ↦ φi+1, there is an operation on polynomials mimicking the operation on formulas that transforms φi into φi+1. We show that the problem of finding a competitive interactive protocol for a given algorithm Alg for UNSAT reduces to finding an arithmetisation compatible with Alg.

In our second contribution, we apply our technique to construct the first interactive protocol competitive with a simplified version of the well-known Davis-Putnam procedure (see e.g. Section 2.9 of [9]). Our version fixes a total order on variables, resolves exhaustively with respect to the next variable, say x, and then "locks" all clauses containing x or ¬x, ensuring that they are never resolved again w.r.t. any variable. We show that, while standard arithmetisations are not compatible with Davis-Putnam, a non-standard arithmetisation is. In our opinion, this is the main insight of our paper: in order to find interactive protocols for sophisticated algorithms for UNSAT, one can very much profit from non-standard arithmetisations.

The paper is structured as follows. Section 2 contains preliminaries. Section 3 presents interactive proof systems and defines interactive proof systems competitive with a given algorithm. Section 4 defines our version of the Davis-Putnam procedure. Section 5 introduces arithmetisations and defines arithmetisations compatible with a given algorithm. Section 6 presents an interactive proof system for Davis-Putnam. Section 7 contains conclusions.

## 2 Preliminaries

Multisets. A multiset over a set S is a mapping m: S → N. We also write multisets using set notation, for example we write {x, x, y} or {2 · x, y}. Given two multisets m1 and m2, we define m1 ⊕ m2 as the multiset given by (m1 ⊕ m2)(s) = m1(s) + m2(s) for every s ∈ S, and m1 ⊖ m2 as the multiset given by (m1 ⊖ m2)(s) = max{0, m1(s) − m2(s)} for every s ∈ S.
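The operations ⊕ and ⊖ coincide with addition and truncated subtraction of Python `collections.Counter` objects, which gives a convenient executable model of these multisets (a sketch of ours, not part of the paper):

```python
from collections import Counter

# m1 = {2 · x, y} and m2 = {x, z} as multisets
m1 = Counter({"x": 2, "y": 1})
m2 = Counter({"x": 1, "z": 1})

# m1 ⊕ m2: pointwise sum of multiplicities
print(m1 + m2)   # Counter({'x': 3, 'y': 1, 'z': 1})

# m1 ⊖ m2: pointwise max(0, m1(s) - m2(s)); Counter subtraction truncates at 0
print(m1 - m2)   # Counter({'x': 1, 'y': 1})
```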

Formulas, CNF, and resolution. A Boolean variable has the form xi where i = 1, 2, 3, .... Boolean formulas are defined inductively: true, false, and variables are formulas; if φ and ψ are formulas, then so are ¬φ, φ ∨ ψ, and φ ∧ ψ. A literal is a variable or the negation of a variable. A formula φ is in conjunctive normal form (CNF) if it is a conjunction of disjunctions of literals. We represent a formula in CNF as a multiset of clauses, where a clause is a multiset of literals. For example, the formula (x ∨ x ∨ x ∨ ¬y) ∧ z ∧ z is represented by the multiset {{3 · x, ¬y}, 2 · {z}}.

Remark 1. Usually CNF formulas are represented as sets of clauses, which are defined as sets of literals. Algorithms that manipulate CNF formulas using the set representation are assumed to silently remove duplicate clauses or duplicate literals. In this paper, due to the requirements of interactive protocols, we need to make these steps explicit. In particular, we use multiset notation for clauses. For example, C(x) denotes the number of occurrences of x in C.

We assume in the paper that formulas are in CNF. Abusing language, we use φ to denote both a (CNF) formula and its multiset representation.

Resolution. Resolution is a proof system for CNF formulas. Given a variable x, a clause C containing exactly one occurrence of x and a clause C′ containing exactly one occurrence of ¬x, the resolvent of C and C′ with respect to x is the clause Resx(C, C′) := (C ⊖ {x}) ⊕ (C′ ⊖ {¬x}).

For example, Resx({x, ¬y, z}, {¬x, ¬w}) = {¬y, z, ¬w}. It is easy to see that C ∧ C′ and Resx(C, C′) are equisatisfiable. A resolution refutation for a formula φ is a sequence of clauses ending in the empty clause whose elements are either clauses of φ or resolvents of two previous clauses in the sequence. It is well known that φ is unsatisfiable iff there exists a resolution refutation for it. There exist families of formulas, like the pigeonhole formulas, for which the length of the shortest resolution refutation grows exponentially in the size of the formula, see e.g. [8,4].
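Under a `Counter` encoding of clauses (with `"~x"` standing for ¬x, a convention of ours), the resolvent is a direct transcription of the definition:

```python
from collections import Counter

def res(x, C, Cp):
    """Resolvent of clauses C and Cp with respect to variable x.

    Literals are strings; "~x" denotes the negation of x. C must contain
    exactly one occurrence of x and Cp exactly one occurrence of "~" + x.
    Res_x(C, C') := (C ⊖ {x}) ⊕ (C' ⊖ {¬x}).
    """
    assert C[x] == 1 and Cp["~" + x] == 1
    return (C - Counter({x: 1})) + (Cp - Counter({"~" + x: 1}))

# Res_x({x, ¬y, z}, {¬x, ¬w}) = {¬y, z, ¬w}
C  = Counter(["x", "~y", "z"])
Cp = Counter(["~x", "~w"])
print(res("x", C, Cp))   # Counter({'~y': 1, 'z': 1, '~w': 1})
```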

Polynomials. Interactive protocols make extensive use of polynomials over a finite field F. Let X be a finite set of variables. We use x, y, z, ... for variables and p, p1, p2, ... for polynomials. We use the following operations on polynomials:


A (partial) assignment is a (partial) mapping σ: X → F. We write Πσ p for π[x1 := σ(x1)] ··· π[xk := σ(xk)] p, where x1, ..., xk are the variables for which σ is defined. Additionally, we call a (partial) assignment σ binary if σ(x) ∈ {0, 1} for each x ∈ X.

The following lemma is at the heart of all interactive proof protocols. Intuitively, it states that if two polynomials are different, then they differ on almost every input. Therefore, by picking an input at random, one can check polynomial equality with high probability.

Lemma 1 (Schwartz-Zippel Lemma). Let p1, p2 be distinct univariate polynomials over F of degree at most d ≥ 0. Let r be selected uniformly at random from F. The probability that p1(r) = p2(r) holds is at most d/|F|.

Proof. Since p1 ≠ p2, the polynomial p := p1 − p2 is not the zero polynomial and has degree at most d. Therefore p has at most d zeros, and so the probability of p(r) = 0 is at most d/|F|. ⊓⊔
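Lemma 1 is what lets a verifier compare two huge polynomials by evaluating them at a single random field element. A minimal sketch of this test, where the coefficient-list representation, the prime, and the round count are our own choices:

```python
import random

Q = 2**31 - 1  # a prime; we work in the field F_Q (any large prime works)

def eval_poly(coeffs, r):
    """Evaluate a polynomial, given as a list of coefficients (lowest degree
    first), at the point r modulo Q, using Horner's scheme."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * r + c) % Q
    return acc

def probably_equal(p1, p2, rounds=10):
    """Schwartz-Zippel test: two distinct polynomials of degree at most d
    agree on a uniformly random point with probability at most d/Q, so a few
    random evaluations detect inequality with overwhelming probability."""
    return all(eval_poly(p1, r) == eval_poly(p2, r)
               for r in (random.randrange(Q) for _ in range(rounds)))

p1 = [1, 0, 3]      # 1 + 3x^2
p2 = [1, 0, 3, 0]   # the same polynomial, padded with a zero coefficient
p3 = [1, 1, 3]      # 1 + x + 3x^2
print(probably_equal(p1, p2))  # True
print(probably_equal(p1, p3))  # False, except with negligible probability
```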

## 3 Interactive Proof Systems

An interactive protocol is a sequence of interactions between two parties: Prover and Verifier. Prover has unbounded computational power, whereas Verifier is a randomised, polynomial-time algorithm. Initially, the parties share an input x that Prover claims belongs to a given language L (e.g. UNSAT). The parties alternate in sending messages to each other according to a protocol. Intuitively, Verifier repeatedly asks Prover to send information. At the end of the protocol, Verifier accepts or rejects the input.

Formally, let V, P denote (randomised) online algorithms, i.e. given a sequence of inputs m1, m2, ... ∈ {0, 1}^*, they compute a sequence of outputs, e.g. V(m1), V(m1, m2), .... We say that (m1, ..., m2k) is a k-round interaction, with m1, ..., m2k ∈ {0, 1}^*, if mi+1 = V(m1, ..., mi) for odd i and mi+1 = P(m1, ..., mi) for even i.

The output out_{V,P,k}(x) is m2k, where (m1, ..., m2k) is a k-round interaction with m1 = x. We also define the Verifier-time vtime_{V,P,k}(x) as the expected time it takes V to compute m2, m4, ..., m2k for any k-round interaction (m1, ..., m2k) with m1 = x. We define the Prover-time ptime_{V,P,k}(x) analogously.

Let L be a language and p: N → N a polynomial. A tuple (V, PH, p) is an interactive protocol for L if for each x ∈ {0, 1}^* of length n we have vtime_{V,PH,p(n)}(x) ∈ O(poly n) and:


The completeness property ensures that if the input belongs to the language L, then there is an "honest" Prover PH who can always convince Verifier that indeed x ∈ L. If the input does not belong to the language, then the soundness property ensures that Verifier rejects the input with high probability, no matter how a (dishonest) Prover tries to convince it.

IP is the class of languages for which there exists an interactive protocol. It is known that IP = PSPACE [15,18], that is, every language in PSPACE has a polynomial-round interactive protocol. The proof exhibits an interactive protocol for the language QBF of true quantified Boolean formulas; in particular, the honest Prover is a polynomial-space, exponential-time algorithm.

#### 3.1 Competitive Interactive Protocols

In an interactive protocol there are no restrictions on the running time of Prover. The existence of an interactive protocol for some coNP-complete problem in which Prover runs in polynomial time would imply e.g. NP ⊆ BPP. Since this is widely believed to be false, Provers are allowed to run in exponential time, as in the proofs of [15,18]. However, while all known approaches for UNSAT use exponential time in the worst case, some perform much better in practice than others. For example, the Provers of [15,18] run in exponential time even in the best case. This motivates our next definition: instead of stating that Prover must always be efficient, we say that it must have a bounded overhead compared to some given algorithm Alg.

Formally, let L ⊆ {0, 1}^* be a language, let Alg be an algorithm for L, and let (V, PH, p) be an interactive protocol for L. We say that (V, PH, p) is competitive with Alg if for every input x ∈ {0, 1}^* of length n we have ptime_{V,PH,p(n)}(x) ∈ O(poly(n) · T(x)), where T(x) is the time it takes Alg to run on input x.

Recently, Couillard, Czerner, Esparza and Majumdar [5] have constructed an interactive protocol for QBF that is competitive with BDDSolver, the straightforward BDD-based algorithm that constructs a BDD for the satisfying assignments of each subformula, starting at the leaves of the syntax tree and progressively moving up. In this paper, we investigate UNSAT and give an interactive protocol that is competitive with DavisPutnam, a decision procedure for UNSAT based on a restricted version of resolution.

## 4 The Davis-Putnam Resolution Procedure

We introduce the variant of resolution for which we later construct a competitive interactive protocol. It is a version of the Davis-Putnam procedure [6,9]<sup>2</sup>. Recall that in our setting clauses are multisets, and that given a clause C and a literal l, C(l) denotes the number of occurrences of l in C.

Definition 1. Let x be a variable. Full x-resolution is the procedure that takes as input a formula φ satisfying C(x) + C(¬x) ≤ 1 for every clause C, and returns the formula Rx(φ) computed as follows:


Full x-cleanup is the procedure that takes as input a formula φ satisfying C(x) + C(¬x) ≤ 2 for every clause C, and returns the formula Cx(φ) computed as follows:


The Davis-Putnam resolution procedure is the algorithm for UNSAT that, given a total order x1 ≺ x2 ≺ ··· ≺ xn on the variables of an input formula φ, executes Algorithm 1. The algorithm assumes that φ is a set of sets of literals, that is, clauses contain no duplicate literals, and φ contains no duplicate clauses. We let □ denote the empty clause.

<sup>2</sup> In Harrison's book [9], the Davis-Putnam procedure consists of three rules. The version in Definition 1 uses only Rule III, which is sometimes called the Davis-Putnam resolution procedure. Unfortunately, at the time of writing this paper, the Wikipedia article for the Davis-Putnam algorithm uses a different terminology (even though it cites [9]): it calls the three-rule procedure the Davis-Putnam algorithm, and the algorithm consisting only of Rule III the Davis-Putnam procedure.



Table 1. Run of DavisPutnam on an input φ, and arithmetisation of the intermediate formulas.

Observe that while the initial formula contains no duplicate clauses, the algorithm may create them, and they are not removed.

Example 1. Table 1 shows on the left a run of DavisPutnam on a formula φ with three variables and six clauses. The right column is explained in Section 6.1.
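Algorithm 1 and the step-by-step bodies of Definition 1 are not reproduced in this excerpt; the following Python sketch reconstructs them from the proofs of Lemmas 2 and 3 and from the macrostep count of Example 2 (full x-resolution keeps the clauses not mentioning x and adds all resolvents; full cleanup removes tautological clauses and duplicate pivot literals). The literal encoding and all names are ours:

```python
from collections import Counter
from itertools import product

def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def full_resolution(x, phi):
    """R_x: keep clauses not mentioning x, add the resolvent of every pair
    (Ci, Cj) with ¬x ∈ Ci and x ∈ Cj (cf. the proof of Lemma 2)."""
    keep = [C for C in phi if C[x] == 0 and C[neg(x)] == 0]
    res = [(Ci - Counter({neg(x): 1})) + (Cj - Counter({x: 1}))
           for Ci, Cj in product(phi, phi)
           if Ci[neg(x)] > 0 and Cj[x] > 0]
    return keep + res

def cleanup(x, phi):
    """C_x: drop tautological clauses containing both x and ¬x; collapse
    duplicate occurrences of x and of ¬x (cf. the proof of Lemma 3)."""
    out = []
    for C in phi:
        if C[x] > 0 and C[neg(x)] > 0:
            continue
        C = C.copy()
        for l in (x, neg(x)):
            if C[l] > 1:
                C[l] = 1
        out.append(C)
    return out

def davis_putnam(phi, order):
    """Returns True iff phi (a list of Counter clauses) is unsatisfiable.
    Resolving on x_i and then cleaning up each later variable restores the
    precondition C(y) + C(¬y) ≤ 1, and yields n(n+1)/2 macrosteps in total."""
    for i, x in enumerate(order):
        phi = full_resolution(x, phi)
        for y in order[i + 1:]:
            phi = cleanup(y, phi)
    return Counter() in phi  # was the empty clause □ derived?

# (x ∨ y) ∧ (¬x ∨ y) ∧ ¬y is unsatisfiable
phi = [Counter(["x", "y"]), Counter(["~x", "y"]), Counter(["~y"])]
print(davis_putnam(phi, ["x", "y"]))  # True
```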

It is well known that the Davis-Putnam resolution procedure is complete, but we give a proof suitable for our purposes. Let φ[x := true] denote the result of replacing all occurrences of x in φ by true and all occurrences of ¬x by false. Define φ[x := false] symmetrically. Further, let ∃xφ be an abbreviation of φ[x := true] ∨ φ[x := false]. We have:

Lemma 2. Let x be a variable and φ a formula in CNF such that C(x) + C(¬x) ≤ 1 for every clause C. Then Rx(φ) ≡ ∃xφ.

Proof. Let C1, ..., Ck be the clauses of φ. We have

$$\begin{aligned}
\exists x\varphi &\equiv \varphi[x := true] \vee \varphi[x := false] \\
&\equiv \left( \bigwedge\_{i \in [k]} C\_i[x := true] \right) \vee \left( \bigwedge\_{j \in [k]} C\_j[x := false] \right) \\
&\equiv \bigwedge\_{i,j \in [k]} \left( C\_i[x := true] \vee C\_j[x := false] \right) \\
&\equiv \bigwedge\_{\substack{i \in [k] \\ x \notin C\_i,\, \neg x \notin C\_i}} C\_i \;\wedge \bigwedge\_{\substack{i,j \in [k] \\ \neg x \in C\_i,\, x \in C\_j}} \left( C\_i[x := true] \vee C\_j[x := false] \right) \\
&\equiv R\_x(\varphi).
\end{aligned}$$

For the second-to-last equivalence, consider a clause Ci containing neither x nor ¬x. Then Ci ∨ Ci is a clause of ⋀_{i,j∈[k]} (Ci[x := true] ∨ Cj[x := false]), and it subsumes any other clause of the form Ci ∨ Cj. The first conjunct of the penultimate line contains these clauses. Furthermore, if Ci contains x or if Cj contains ¬x, then the disjunction Ci[x := true] ∨ Cj[x := false] is a tautology and can thus be ignored. It remains to consider the pairs (Ci, Cj) of clauses such that ¬x ∈ Ci and x ∈ Cj; these yield the second conjunct. ⊓⊔

Lemma 3. Let x be a variable and φ a formula in CNF such that C(x) + C(¬x) ≤ 2 for every clause C. Then Cx(φ) ≡ φ.

Proof. Since x ∨ ¬x ≡ true, a clause containing both x and ¬x is valid and thus can be removed. Furthermore, duplicates of x in a clause can be removed because x ∨ x ≡ x. ⊓⊔

Theorem 1. DavisPutnam is sound and complete.

Proof. Let φ be a formula over the variables x1, ..., xn. By Lemmas 2 and 3, after termination the algorithm arrives at a formula without variables that is equivalent to ∃xn ··· ∃x1 φ. This final formula is equivalent to the truth value expressing whether φ is satisfiable; that is, φ is unsatisfiable iff the final formula contains the empty clause. ⊓⊔

## 5 Constructing Competitive Interactive Protocols for UNSAT

We consider algorithms for UNSAT that, given a formula, execute a sequence of macrosteps. Throughout this section, we use DavisPutnam as a running example.

Definition 2. A macrostep is a partial mapping M that transforms a formula φ into a formula M(φ) equisatisfiable to φ.

The first macrostep is applied to the input formula. The algorithm accepts if the formula returned by the last macrostep is equivalent to false. Clearly, all these algorithms are sound.

Example 2. The macrosteps of DavisPutnam are Rx and Cx for each variable x. On a formula with n variables, DavisPutnam executes exactly n(n+1)/2 macrosteps.

We present an abstract design framework to obtain competitive interactive protocols for these macrostep-based algorithms. As in [15,18,5], the framework is based on arithmetisation of formulas. Arithmetisations are mappings that assign to a formula a polynomial with integer coefficients. In protocols, Verifier asks Prover to return the result of evaluating polynomials obtained by arithmetising formulas not over the integers, but over a prime field Fq, where q is a sufficiently large prime. An arithmetisation is useful for the design of protocols if the value of the polynomial on a binary input, that is, an assignment that assigns 0 or 1 to every variable, determines the truth value of the formula under the assignment. We are interested in the following class of arithmetisations, just called arithmetisations for brevity:

Definition 3. Let F and P denote the sets of formulas and polynomials over a set of variables. An arithmetisation is a mapping A: F → P such that for every formula φ and every assignment σ to its variables:

(a) σ satisfies φ iff ΠσA(φ) = 0,<sup>3</sup> and

(b) ΠσA(φ) (mod q) can be computed in time O(|φ| polylog q) for any prime q.

In particular, two formulas φ, ψ over the same set of variables are equivalent if and only if for every binary assignment σ, ΠσA(φ) and ΠσA(ψ) are either both zero or both nonzero.

Example 3. Let A be the mapping inductively defined as follows:

$$\begin{aligned} \mathcal{A}(true) &:= 0 & \mathcal{A}(\neg x) &:= x & \mathcal{A}(\varphi\_1 \wedge \varphi\_2) &:= \mathcal{A}(\varphi\_1) + \mathcal{A}(\varphi\_2), \\ \mathcal{A}(false) &:= 1 & \mathcal{A}(x) &:= 1 - x & \mathcal{A}(\varphi\_1 \vee \varphi\_2) &:= \mathcal{A}(\varphi\_1) \cdot \mathcal{A}(\varphi\_2). \end{aligned}$$

For example, A((x ∨ false) ∧ ¬x) = ((1 − x) · 1) + x = 1. It is easy to see that A is an arithmetisation in the sense of Definition 3. Notice that A can map equivalent formulas to different polynomials. For example, A(¬x) = x and A(¬x ∧ ¬x) = 2x.
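Definition 3(a) can be checked mechanically for the arithmetisation A of Example 3 by evaluating A(φ) under an assignment and comparing with the Boolean semantics. The tuple encoding of formulas below is ours, purely for illustration:

```python
# Formulas as nested tuples: ("var", "x"), ("not", ("var", "x")),
# ("and", f, g), ("or", f, g), plus the constants True and False.

def arith_eval(phi, sigma):
    """Evaluate the arithmetisation A of Example 3 under assignment sigma."""
    if phi is True:
        return 0                      # A(true) = 0
    if phi is False:
        return 1                      # A(false) = 1
    op = phi[0]
    if op == "var":
        return 1 - sigma[phi[1]]      # A(x) = 1 - x
    if op == "not" and phi[1][0] == "var":
        return sigma[phi[1][1]]       # A(¬x) = x
    if op == "and":                   # A(f ∧ g) = A(f) + A(g)
        return arith_eval(phi[1], sigma) + arith_eval(phi[2], sigma)
    if op == "or":                    # A(f ∨ g) = A(f) · A(g)
        return arith_eval(phi[1], sigma) * arith_eval(phi[2], sigma)
    raise ValueError("negation is only applied to variables in CNF")

def satisfies(phi, sigma):
    """Standard Boolean semantics, for cross-checking Definition 3(a)."""
    if isinstance(phi, bool):
        return phi
    op = phi[0]
    if op == "var":
        return bool(sigma[phi[1]])
    if op == "not":
        return not satisfies(phi[1], sigma)
    if op == "and":
        return satisfies(phi[1], sigma) and satisfies(phi[2], sigma)
    return satisfies(phi[1], sigma) or satisfies(phi[2], sigma)

# φ = (x ∨ false) ∧ ¬x, as in Example 3; A(φ) = (1 - x)·1 + x = 1 ≠ 0
# for every binary input, matching the fact that φ is unsatisfiable.
phi = ("and", ("or", ("var", "x"), False), ("not", ("var", "x")))
for v in (0, 1):
    sigma = {"x": v}
    assert (arith_eval(phi, sigma) == 0) == satisfies(phi, sigma)
```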

We now define when an arithmetisation A is compatible with a macrostep M.

Definition 4. Let A: F → P be an arithmetisation and let M: F → F be a macrostep. A is compatible with M if there exists a partial mapping PM: P → P and a pivot variable x ∈ X satisfying the following conditions:

(a) PM simulates M: for every formula φ where M(φ) is defined, we have A(M(φ)) = PM(A(φ)).

<sup>3</sup> In most papers one requires that σ satisfies φ iff ΠσA(φ) = 1. Because of our later choice of arithmetisations, we prefer ΠσA(φ) = 0.


An arithmetisation A is compatible with Alg if it is compatible with every macrostep executed by Alg.

Graphically, an arithmetisation A is compatible with M if there exists a mapping P<sup>M</sup> such that the following diagram commutes:

$$\begin{array}{ccc}
\varphi & \xrightarrow{\;\mathcal{A}\;} & \mathcal{A}(\varphi) \\
{\scriptstyle M}\downarrow & & \downarrow{\scriptstyle P\_M} \\
M(\varphi) & \xrightarrow{\;\mathcal{A}\;} & \mathcal{A}(M(\varphi))
\end{array}$$

We can now state and prove the main theorem of this section.

Theorem 2. Let Alg be an algorithm for UNSAT and let A be an arithmetisation compatible with Alg such that for every input φ:

(a) Alg executes a sequence of k ∈ O(poly |φ|) macrosteps, which compute a sequence φ0, φ1, ..., φk of formulas with φ0 = φ,



Then there is an interactive protocol for UNSAT that is competitive with Alg.

To prove Theorem 2, we first define a generic interactive protocol for UNSAT depending only on Alg and A, and then prove that it satisfies the properties of an interactive proof system: if φ is unsatisfiable and Prover is honest, Verifier always accepts; and if φ is satisfiable, then Verifier accepts with probability at most 2^{−|φ|}, regardless of Prover.

#### 5.1 Interactive Protocol

The interactive protocol for a given algorithm Alg operates on polynomials over a prime finite field instead of the integers. Given a prime q, we write Aq(φ) := A(φ) (mod q) for the polynomial over Fq (the finite field with q elements) that one obtains by taking the coefficients of A(φ) modulo q.

At the start of the protocol, Prover sends Verifier a prime q, and then exchanges messages with Verifier about the values of polynomials over Fq, with the goal of convincing Verifier that A(φk) ≠ 0 by showing Aq(φk) ≠ 0 instead. The

<sup>4</sup> We implicitly extend PM to polynomials over Fq in the obvious way: we consider the input p as a polynomial over Z by selecting the smallest representative in N for each coefficient, apply PM, and then take the coefficients of the output polynomial modulo q.

following lemma demonstrates that this is both sound and complete; (a) shows that a dishonest Prover cannot cheat in this way, and (b) shows that an honest Prover can always convince Verifier.

#### Lemma 4. Let φk be the last formula computed by Alg.

(a) For every prime q, we have that Aq(φk) ≠ 0 implies that φ is unsatisfiable.
(b) If φ is unsatisfiable, then there exists a prime q s.t. Aq(φk) ≠ 0.

Proof. For every prime q, if Aq(φk) ≠ 0 then A(φk) ≠ 0. For the converse, pick any prime q larger than A(φk). ⊓⊔

We let φ = φ0, φ1, ..., φk denote the sequence of formulas computed by Alg, and d the bound on the polynomials A(φi) of Theorem 2. Observe that the formulas in the sequence can be exponentially larger than φ, and so Verifier cannot even read them. For this reason, during the protocol Verifier repeatedly sends Prover partial assignments σ chosen at random, and Prover sends back to Verifier claims about the formulas of the sequence of the form ΠσAq(φi) = w. The first claim is about φk, the second about φk−1, and so on. Verifier stores the current claim by maintaining variables i, w, and σ. The protocol guarantees that the claim about φi reduces to the claim about φi−1, in the following sense: if a dishonest Prover makes a false claim about φi but a true claim about φi−1, Verifier detects with high probability that the claim about φi is false and rejects. Therefore, in order to make Verifier accept a satisfiable formula φ, a dishonest Prover must keep making false claims, and in particular make a false last claim about φ0 = φ. The protocol also guarantees that a false claim about φ0 is always detected by Verifier.

The protocol is described in Table 2. It presents the steps of Verifier and an honest Prover.

Example 4. In the next section we use the generic protocol of Table 2 to give an interactive protocol for Alg := DavisPutnam, using an arithmetisation called B. Table 3 shows a possible run of this protocol on the formula φ of Table 1. We can already explain the shape of the run, even if B is not defined yet.

Recall that on input φ, DavisPutnam executes six steps, shown on the left column of Table 1, that compute the formulas φ1, ..., φ6. Each row of Table 3 corresponds to a round of the protocol. In round i, Prover sends Verifier the polynomial pi corresponding to the claim ΠσAq(φi) (column Honest Prover). Verifier performs a check on the claim (line with ?=). If the check passes, Verifier updates σ and sends it to Prover as the assignment to be used for the next claim.

#### 5.2 The interactive protocol is correct and competitive with Alg

We need to show that the interactive protocol of Table 2 is correct and competitive with Alg. We do so by means of a sequence of lemmas. Lemmas 6-8 bound the error probability of Verifier and the running time of both Prover and Verifier as a function of the prime q. Lemma 9 shows that Prover can efficiently compute a suitable prime. The last part of the section combines the lemmas to prove Theorem 2.

	- 4.1 Let x denote the pivot variable of Mi and set σ′ to the partial assignment that is undefined on x and otherwise matches σ. Prover sends the polynomial p := Πσ′Aq(φi−1), which is a univariate polynomial in x.
	- 4.2 If the degree of p exceeds d or π[x:=σ(x)]PMi(p) ≠ w, Verifier rejects. Otherwise, Verifier chooses an r ∈ Fq uniformly at random and updates w := π[x:=r]p and σ(x) := r.

Table 2. An interactive protocol for an algorithm for UNSAT describing the behaviour of Verifier and the honest Prover.

Completeness. We start by establishing that an honest Prover can always convince Verifier.

Lemma 5. If φ is unsatisfiable and Prover is honest (i.e. acts as described in Table 2), then Verifier accepts with probability 1.

Proof. We show that Verifier accepts. First we show that Verifier does not reject in step 2, i.e. that Aq(φk) ≠ 0. Since φ is unsatisfiable by assumption, by Definition 2 we have that φk is unsatisfiable. Then, Definition 3(a) implies Aq(φk) ≠ 0 (note that Aq(φk) is constant, by Theorem 2(c)).

Let us now argue that the claim Verifier tracks (i.e., the claim given by the current values of the variables) is always true. In step 3, it is initialised with w := Aq(φk), so the claim is true at that point.

In each step 4.2, Verifier checks π[x:=σ(x)]PMi(p) ?= w. As Prover is honest, it sent p := Πσ′Aq(φi−1) in the previous step; so the check is equivalent to

$$\begin{aligned} w &\stackrel{?}{=} \pi\_{[x:=\sigma(x)]} P\_{M\_i} (\Pi\_{\sigma'} \mathcal{A}\_q(\varphi\_{i-1})) & \text{(Definition 4(b))}\\ &= \Pi\_\sigma P\_{M\_i} (\mathcal{A}\_q(\varphi\_{i-1})) & \text{(Definition 4(a,c))}\\ &= \Pi\_\sigma \mathcal{A}\_q (M\_i(\varphi\_{i-1})) = \Pi\_\sigma \mathcal{A}\_q(\varphi\_i) \end{aligned}$$

By induction hypothesis w = ΠσAq(φi) holds, and thus Verifier does not reject.

When Verifier updates the claim, it selects a random number r. Due to p = Πσ′Aq(φi−1), the new claim will hold for all possible values of r.

In step 5, we still have the invariant that the claim is true, so Verifier will accept. ⊓⊔

Probability of error. Establishing soundness is more involved. The key idea of the proof (which is the same idea as for other interactive protocols) is that for Verifier to accept erroneously, the claim it tracks must at some point be true. However, initially the claim is false. It thus suffices to show that each step of the algorithm is unlikely to turn a false claim into a true one.

Lemma 6. Let A, d, k be as in Theorem 2. If φ is satisfiable, then for any Prover, honest or not, Verifier accepts with probability at most dk/q ∈ O(poly(|φ|)/q).

Proof. Let i ∈ {k, ..., 1}, let σ, w denote the values of these variables at the beginning of step 4.1 in iteration i, and let σ′, w′ denote the corresponding (updated) values at the end of step 4.2.

We say that Prover tricks Verifier at iteration i if the claim tracked by Verifier was false at the beginning of step 4 and is true at the end, i.e. ΠσAq(φi) ≠ w and Πσ′Aq(φi−1) = w′.

The remainder of the proof is split into three parts.

(a) If Verifier accepts, it was tricked.

(b) The probability that Prover tricks Verifier at a given iteration is at most d/q.

(c) The probability that Prover tricks Verifier at some iteration is at most dk/q.


Part (a). If φ is satisfiable, then so is φk (Definition 2), and thus ΠσAq(φk) = 0 (Definition 3(a); also note that ΠσAq(φk) is constant). Therefore, in step 2 Prover either claims ΠσAq(φk) = 0 and Verifier rejects, or the initial claim in step 3 is false.

If Verifier is never tricked, the claim remains false until step 5 is executed, at which point Verifier will reject. So to accept, Verifier must be tricked.

Part (b). Let i ∈ {k, ..., 1} and assume that the claim is false at the beginning of iteration i of step 4. Now there are two cases. If Prover sends the polynomial p = Πσ′Aq(φi−1), then, as argued in the proof of Lemma 5, Verifier's check is equivalent to w ?= ΠσAq(φi), which is the current claim. However, we have assumed that the claim is false, so Verifier would reject. Hence, Prover must send a polynomial p ≠ Πσ′Aq(φi−1) (of degree at most d) to trick Verifier.

By Lemma 1, the probability that Verifier selects an r with π[x:=r]p = π[x:=r]Πσ′Aq(φi−1) is at most d/q. Hence, with probability at least 1 − d/q, the new claim is false as well and Verifier is not tricked in this iteration.
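The d/q bound comes from the fact that two distinct univariate polynomials of degree at most d over Fq agree on at most d points. A brute-force check at toy scale (the polynomials and parameters below are our own illustration):

```python
# Two distinct polynomials of degree <= d over F_q agree on at most d
# points, so a uniformly random r in F_q exposes a forged polynomial
# with probability at least 1 - d/q.

q, d = 101, 3
p1 = [5, 2, 0, 1]   # 5 + 2x + x^3   (coefficient lists, lowest degree first)
p2 = [7, 0, 1, 4]   # 7 + x^2 + 4x^3

def ev(p, r, q):
    # evaluate the polynomial p at the point r over F_q
    return sum(c * pow(r, i, q) for i, c in enumerate(p)) % q

agreements = sum(1 for r in range(q) if ev(p1, r, q) == ev(p2, r, q))
assert agreements <= d   # the nonzero difference p1 - p2 has at most d roots
```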

Part (c). We have shown that the probability that Verifier is tricked in one iteration is at most d/q. By the union bound, Verifier is thus tricked with probability at most dk/q, as there are k iterations. By conditions (a) and (b) of Theorem 2, we get dk/q ∈ O(poly(|φ|)/q). ⊓⊔

Running time of Verifier. The next lemma estimates Verifier's running time in terms of |φ| and q.

Lemma 7. Verifier runs in time O(poly(|φ| log q)).

Proof. Verifier performs operations on polynomials of degree at most d with coefficients in Fq. So a polynomial can be represented using d log q bits, and arithmetic operations are polynomial in that representation. Additionally, Verifier needs to execute PMi for each i, which can also be done in polynomial time (Definition 4(c)). There are k ∈ O(poly|φ|) iterations.

Finally, Verifier checks the claim ΠσAq(φ) = w for some assignment σ and w ∈ Fq. Definition 3 ensures that this takes O(|φ| polylog q) time. The overall running time is therefore in O(poly(|φ|d log q)). The final result follows from condition (b) of Theorem 2. ⊓⊔

Running time of Prover. We give a bound on the running time of Prover, excluding the time needed to compute the prime q.

Lemma 8. Assume that A is an arithmetisation satisfying the conditions of Theorem 2. Let T denote the time taken by Alg on φ. The running time of Prover, excluding the time needed to compute the prime q, is O(T poly(|φ| log q)).

Proof. After picking the prime q, Prover has to compute ΠσAq(φi) for different i ∈ [k] and assignments σ. The conditions of Theorem 2 guarantee that this can be done in time O(|φi| polylog q) ⊆ O(|φi| poly(|φ| log q)). We have Σi |φi| ≤ T, as Alg needs to write each φi during its execution. The total running time follows by summing over i. ⊓⊔

Computing the prime q. The previous lemmas show the dependence of Verifier's probability of error and the running times of Prover and Verifier as a function of |φ| and q. Our final lemma gives a procedure for Prover to compute a suitable prime q. Together with the previous lemmas, this will easily yield Theorem 2.

Lemma 9. For every c > 0 there exists a procedure for Prover to find a prime q ∈ 2^{O(|φ|)} such that q ≥ 2^{c|φ|} and Aq(φk) ≠ 0 in expected time O(T|φ|), where T is the running time of Alg.

Proof. Assume wlog. that c > 1. Prover first runs Alg to compute φk and then chooses a prime q with 2^{c|φ|} ≤ q < 2^{c|φ|+1} uniformly at random; thus q ∈ 2^{O(|φ|)} is guaranteed. If Prover arrives at Aq(φk) = 0, Prover chooses another prime q in the same way, until one is chosen s.t. Aq(φk) ≠ 0.

Since |A(φk)| ≤ 2^{2^{|φ|}}, A(φk) is divisible by at most 2^{|φ|} different primes. Using the prime number theorem, there are Ω(2^{c|φ|}/(c|φ|)) primes with 2^{c|φ|} ≤ q < 2^{c|φ|+1}, so the probability that the picked q divides A(φk) is O(c|φ|/2^{(c−1)|φ|}).
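This sampling procedure can be illustrated at toy scale; the bit-length, the trial-division primality test, and the stand-in value for A(φk) below are our own simplifications:

```python
import random

def is_prime(n):
    # trial division suffices at this toy scale; a real Prover would
    # use a fast primality test
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def pick_prime(N, bits, rng):
    """Sample primes q with 2^bits <= q < 2^(bits+1) until q does not divide N."""
    while True:
        q = rng.randrange(1 << bits, 1 << (bits + 1))
        if is_prime(q) and N % q != 0:
            return q

rng = random.Random(0)
N = 2**48 * 3**10 * 5**7          # stand-in for the integer A(phi_k)
q = pick_prime(N, 16, rng)
assert 2**16 <= q < 2**17 and N % q != 0
```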

Therefore, for any c > 1 this probability is at most, say, 1/2 for sufficiently large |φ|. In expectation, Prover thus needs to test 2 primes q, and each test takes time O(|φk| polylog q) (see Definition 3(b)), which is in O(T|φ|). ⊓⊔

Proof of Theorem 2. We can now conclude the proof of the theorem.

Completeness was already proved in Lemma 5.

Soundness. We need to ensure that the error probability is at most 2^{−|φ|}. By Lemma 6, the probability p of error satisfies p ≤ dk/q, where dk ∈ O(poly(|φ|)). So there is a ξ > 0 with dk ≤ 2^{ξ|φ|}. Using c := 1 + ξ as the constant for Lemma 9, we are done.

Verifier's running time. By Lemma 7, Verifier runs in time O(poly(|φ| log q)). Using the prime q ∈ 2^{O(|φ|)} of Lemma 9, the running time is O(poly(|φ|)).

Competitivity. By Lemma 8, Prover runs in time O(T poly(|φ| log q)) plus the time needed to compute the prime, which, by Lemma 9, is in O(T poly(|φ|)). Again using q ∈ 2^{O(|φ|)}, we find that the protocol is competitive with Alg. ⊓⊔

## 6 An Interactive Proof System Competitive with the Davis-Putnam Resolution Procedure

In order to give an interactive proof system for the Davis-Putnam resolution procedure, it suffices to find an arithmetisation which is compatible with the full x-resolution step Rx and the full x-cleanup step Cx such that all properties of Theorem 2 are satisfied. In this section, we present such an arithmetisation.

## 6.1 An arithmetisation compatible with Rx and Cx

We find an arithmetisation compatible with both Rx and Cx. Let us first see that the arithmetisation of Example 3 does not work.

Example 5. The arithmetisation A of Example 3 is not compatible with Rx. To see this, let φ = (¬x ∨ ¬y) ∧ (x ∨ ¬z) ∧ ¬w. We have Rx(φ) = (¬y ∨ ¬z) ∧ ¬w, A(Rx(φ)) = yz + w, and A(φ) = xy + (1 − x)z + w = x(y − z) + z + w. If A were compatible with Rx, then there would exist an operation PRx on polynomials such that PRx(x(y − z) + z + w) = yz + w by Definition 4(a), and from Definition 4(b), we get PRx(Πσ(x(y − z) + z + w)) = Πσ(yz + w) for all partial assignments σ : {y, z, w} → Z. For σ := {y ↦ 1, z ↦ 0, w ↦ 1}, it follows that PRx(x + 1) = 1, but for σ := {y ↦ 2, z ↦ 1, w ↦ 0}, it follows that PRx(x + 1) = 2, a contradiction.

We thus present a non-standard arithmetisation.

Definition 5. The arithmetisation B of a CNF formula φ is the recursively defined polynomial

$$\begin{aligned} \mathcal{B}(true) &:= 0 & \mathcal{B}(x) &:= 1 - x & \mathcal{B}(\varphi\_1 \wedge \varphi\_2) &:= \mathcal{B}(\varphi\_1) + \mathcal{B}(\varphi\_2), \\ \mathcal{B}(false) &:= 1 & \mathcal{B}(\neg x) &:= x^3 & \mathcal{B}(\varphi\_1 \vee \varphi\_2) &:= \mathcal{B}(\varphi\_1) \cdot \mathcal{B}(\varphi\_2). \end{aligned}$$

Example 6. The right column of Table 1 shows the polynomials obtained by applying B to the formulas on the left. For example, we have B(φ5) = B(¬z ∧ ¬z ∧ z) = 2B(¬z) + B(z) = 2z³ + 1 − z.
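Definition 5 is easy to mechanise. The following sketch (formulas encoded as nested tuples, an encoding of our own choosing) evaluates B at integer assignments and reproduces the identity B(φ5) = 2z³ + 1 − z of Example 6 pointwise:

```python
# Evaluate the arithmetisation B of Definition 5 at an assignment sigma.
# Formulas are nested tuples: ('var', x), ('neg', x), ('and', ...),
# ('or', ...), ('true',), ('false',).

def B(phi, sigma):
    kind = phi[0]
    if kind == 'true':  return 0
    if kind == 'false': return 1
    if kind == 'var':   return 1 - sigma[phi[1]]      # B(x) = 1 - x
    if kind == 'neg':   return sigma[phi[1]] ** 3     # B(not x) = x^3
    if kind == 'and':   return sum(B(c, sigma) for c in phi[1:])
    if kind == 'or':
        r = 1
        for c in phi[1:]:
            r *= B(c, sigma)                          # disjunction: product
        return r

# phi_5 = (not z) and (not z) and z, with B(phi_5) = 2z^3 + 1 - z
phi5 = ('and', ('neg', 'z'), ('neg', 'z'), ('var', 'z'))
assert all(B(phi5, {'z': z}) == 2 * z**3 + 1 - z for z in range(-3, 4))
```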

We first prove that B is indeed an arithmetisation.

Proposition 1. For every formula φ and every assignment σ : X → {0, 1} to the variables X of φ, we have that σ satisfies φ iff ΠσB(φ) = 0.

Proof. We prove the statement by induction on the structure of φ. The statement is trivially true for φ ∈ {true, false, x, ¬x}. For φ = φ1 ∨ φ2, we have

σ satisfies φ ⇔ σ satisfies φ1 ∨ φ2 ⇔ σ satisfies φ1 or σ satisfies φ2

$$\begin{aligned} &\stackrel{IH}{\Leftrightarrow} \Pi\_{\sigma} \mathcal{B}(\varphi\_1) = 0 \lor \Pi\_{\sigma} \mathcal{B}(\varphi\_2) = 0 \Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi\_1) \cdot \Pi\_{\sigma} \mathcal{B}(\varphi\_2) = 0 \\ &\Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi\_1 \lor \varphi\_2) = 0 \Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi) = 0, \end{aligned}$$

and for φ = φ1 ∧ φ2, we have

σ satisfies φ ⇔ σ satisfies φ1 ∧ φ2 ⇔ σ satisfies φ1 and σ satisfies φ2

$$\begin{aligned} &\stackrel{IH}{\Leftrightarrow} \Pi\_{\sigma} \mathcal{B}(\varphi\_1) = 0 \wedge \Pi\_{\sigma} \mathcal{B}(\varphi\_2) = 0 \Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi\_1) + \Pi\_{\sigma} \mathcal{B}(\varphi\_2) = 0 \\ &\Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi\_1 \wedge \varphi\_2) = 0 \Leftrightarrow \Pi\_{\sigma} \mathcal{B}(\varphi) = 0. \end{aligned}$$

The equivalence ΠσB(φ1) = 0 ∧ ΠσB(φ2) = 0 ⇔ ΠσB(φ1) + ΠσB(φ2) = 0 holds because ΠσB(φ) cannot be negative for binary assignments σ. ⊓⊔
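Proposition 1 can be spot-checked by brute force over all 0/1 assignments; the sketch below does so for the formula of Example 5 (the tuple encoding of formulas is again our own):

```python
from itertools import product

def B(phi, sigma):
    # the arithmetisation B of Definition 5, evaluated at sigma
    k = phi[0]
    if k == 'var': return 1 - sigma[phi[1]]
    if k == 'neg': return sigma[phi[1]] ** 3
    if k == 'and': return sum(B(c, sigma) for c in phi[1:])
    if k == 'or':
        r = 1
        for c in phi[1:]:
            r *= B(c, sigma)
        return r

def satisfies(phi, sigma):
    # standard Boolean semantics, for comparison
    k = phi[0]
    if k == 'var': return sigma[phi[1]] == 1
    if k == 'neg': return sigma[phi[1]] == 0
    if k == 'and': return all(satisfies(c, sigma) for c in phi[1:])
    if k == 'or':  return any(satisfies(c, sigma) for c in phi[1:])

# phi = (not x or not y) and (x or not z) and (not w)
phi = ('and', ('or', ('neg', 'x'), ('neg', 'y')),
              ('or', ('var', 'x'), ('neg', 'z')),
              ('neg', 'w'))
for bits in product((0, 1), repeat=4):
    sigma = dict(zip('xyzw', bits))
    assert satisfies(phi, sigma) == (B(phi, sigma) == 0)
```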

B is compatible with Rx. We exhibit a mapping γx : P → P satisfying the conditions of Definition 4 for the macrostep Rx. Recall that Rx is only defined for formulas φ in CNF such that C(x) + C(¬x) ≤ 1 for every clause C. Since arithmetisations of such formulas only have an x³ term, an x term, and a constant term, it suffices to define γx for polynomials of the form a3x³ + a1x + a0.

Lemma 10. Let γx : P → P be the partial mapping defined by γx(a3x³ + a1x + a0) := −a3a1 + a1 + a0. The mapping γx witnesses that B is polynomially compatible with the full resolution macrostep Rx.

Proof. We show that γx satisfies all properties of Definition 4. Let φ be a formula in CNF such that C(x) + C(¬x) ≤ 1 for every clause C (see Definition 1). Then φ is of the form

$$\varphi = \left(\bigwedge\_{i \in [k]} x \vee a\_i\right) \wedge \left(\bigwedge\_{j \in [l]} \neg x \vee b\_j\right) \wedge c$$

where ai, bj are disjunctions not depending on x and c is a conjunction of clauses not depending on x. We have Rx(φ) = ⋀i∈[k], j∈[l] (ai ∨ bj) ∧ c. Now

$$\mathcal{B}(\varphi) = \sum\_{i \in [k]} (1 - x)a\_i + \sum\_{j \in [l]} x^3 b\_j + c = \sum\_{j \in [l]} b\_j x^3 - \sum\_{i \in [k]} a\_i x + \sum\_{i \in [k]} a\_i + c$$

132 P. Czerner, J. Esparza, V. Krasotin

and thus

$$\begin{aligned} \gamma\_x(\mathcal{B}(\varphi)) &= \left(\sum\_{j \in [l]} b\_j \right) \left(\sum\_{i \in [k]} a\_i \right) - \sum\_{i \in [k]} a\_i + \sum\_{i \in [k]} a\_i + c \\ &= \sum\_{i \in [k], \ j \in [l]} a\_i b\_j + c = \mathcal{B}(R\_x(\varphi)). \end{aligned}$$

This proves (a). Since γx does not depend on variables other than x, (b) is also given. (c) and (d) are trivial. ⊓⊔
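As a concrete sanity check on Lemma 10, one can fix the remaining variables to integers, so that B(φ) becomes a univariate polynomial in x, and compare γx(B(φ)) with B(Rx(φ)). The coefficient-list encoding below (lowest degree first) is our own:

```python
def padd(p, r):
    # sum of two coefficient-list polynomials
    n = max(len(p), len(r))
    p, r = p + [0] * (n - len(p)), r + [0] * (n - len(r))
    return [a + b for a, b in zip(p, r)]

def pmul(p, r):
    # product of two coefficient-list polynomials (convolution)
    out = [0] * (len(p) + len(r) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(r):
            out[i + j] += a * b
    return out

def gamma_x(p):
    # the mapping of Lemma 10: a3*x^3 + a1*x + a0  ->  -a3*a1 + a1 + a0
    p = p + [0] * (4 - len(p))
    a0, a1, a3 = p[0], p[1], p[3]
    return -a3 * a1 + a1 + a0

# phi = (x or not y) and (not x or z), whose resolvent is R_x(phi) = not y or z
Bx, Bnx = [1, -1], [0, 0, 0, 1]              # B(x) = 1 - x, B(not x) = x^3
for y in range(-2, 3):
    for z in range(-2, 3):
        Bphi = padd(pmul(Bx, [y ** 3]),      # B(x or not y) = (1-x) * y^3
                    pmul(Bnx, [1 - z]))      # B(not x or z) = x^3 * (1-z)
        assert gamma_x(Bphi) == y ** 3 * (1 - z)   # B(not y or z)
```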

B is compatible with Cx. We exhibit a mapping δx : P → P satisfying the conditions of Definition 4 for the cleanup macrostep Cx. Recall that Cx is only defined for formulas φ in CNF such that C(x) + C(¬x) ≤ 2 for every clause C. Arithmetisations of such formulas are polynomials of degree at most 6 in each variable, and so it suffices to define δx for these polynomials.

Lemma 11. Let δx : P → P be the partial mapping defined by

$$
\delta\_x(a\_6x^6 + a\_5x^5 + \dots + a\_1x + a\_0) := (a\_6 + a\_4 + a\_3)x^3 + (a\_2 + a\_1)x + a\_0.
$$

The mapping δx witnesses that B is polynomially compatible with Cx.

Proof. We show that δx satisfies all properties of Definition 4. We start with (a). Since B(C ∧ C′) = B(C) + B(C′) for clauses C, C′ and δx(p1 + p2) = δx(p1) + δx(p2), it suffices to show that δx(B(C)) = B(Cx(C)) for all clauses C of φ. Now let C be a clause of φ. We assume that C(x) + C(¬x) ≤ 2 (see Definition 1).


This proves (a). Since δx does not depend on variables other than x, (b) is also given. Parts (c) and (d) are trivial. ⊓⊔
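Lemma 11 can be checked the same way on the three clause shapes with C(x) + C(¬x) = 2. We assume here, consistently with the degree bounds above, that Cx merges duplicate x-literals and deletes clauses containing both x and ¬x; the encoding (coefficient lists in x, remaining variable y fixed to an integer) is our own:

```python
def pmul(p, r):
    # product of two coefficient-list polynomials (convolution)
    out = [0] * (len(p) + len(r) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(r):
            out[i + j] += a * b
    return out

def norm(p):
    # strip trailing zero coefficients so equal polynomials compare equal
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def delta_x(p):
    # the mapping of Lemma 11:
    # a6 x^6 + ... + a1 x + a0  ->  (a6+a4+a3) x^3 + (a2+a1) x + a0
    a = p + [0] * (7 - len(p))
    return [a[0], a[2] + a[1], 0, a[6] + a[4] + a[3]]

Bx, Bnx = [1, -1], [0, 0, 0, 1]          # B(x) = 1 - x, B(not x) = x^3
for y in range(-2, 3):
    By = [1 - y]                         # B(y) with y fixed to an integer
    cases = [
        (pmul(pmul(Bx, Bx), By),   pmul(Bx, By)),   # C_x(x or x or y) = x or y
        (pmul(pmul(Bx, Bnx), By),  [0]),            # C_x(x or not x or y) = true
        (pmul(pmul(Bnx, Bnx), By), pmul(Bnx, By)),  # C_x(not x or not x or y)
    ]                                               #   = not x or y
    for BC, Btarget in cases:
        assert norm(delta_x(BC)) == norm(Btarget)
```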

As observed earlier, DavisPutnam does not remove duplicate clauses; that is, Prover maintains a multiset of clauses that may contain multiple copies of a clause. We show that the number of copies is at most double-exponential in |φ|.

Lemma 12. Let φ be the input formula, and let φk be the last formula computed by DavisPutnam. Then B(φk) ∈ 2^{2^{O(|φ|)}}.

Proof. Let nC(ψ) be the number of clauses in a formula ψ, and let x be a variable. Then nC(Cx(ψ)) ≤ nC(ψ) because a cleanup step can only change or delete clauses. Moreover, nC(Rx(ψ)) = nx·n¬x − nx − n¬x + nC(ψ), where nx and n¬x are the numbers of clauses in ψ which contain x and ¬x, respectively. We get

A Resolution-Based Interactive Proof System for UNSAT 133


Table 3. Run of the instance of the interactive protocol of Table 2 for DavisPutnam, using the arithmetisation B of Definition 5.

nC(Rx(ψ)) ≤ (nx + n¬x)² − (nx + n¬x) + nC(ψ). Since nx + n¬x ≤ nC(ψ), it follows that nC(Rx(ψ)) ≤ (nC(ψ))². Now let n be the number of variables. Since φk is reached after n resolution steps, it follows that B(φk) = nC(φk) ≤ nC(φ)^{2^n} ∈ 2^{2^{O(|φ|)}}. ⊓⊔

Proposition 2. There exists an interactive protocol for UNSAT that is competitive with DavisPutnam.

Proof. We show that B satisfies all properties of Theorem 2. On an input formula φ over n variables, DavisPutnam executes n resolution steps Rx and n(n − 1)/2 cleanup steps Cx, which gives n(n + 1)/2 macrosteps in total and proves (a).

Since φ does not contain any variable more than once per clause and since cleanup steps w.r.t. all remaining variables are applied after every resolution step, resolution steps can only increase the maximum degree of B(φi) to at most 6 (from 3). Hence the maximum degree of B(φi) is at most 6 for any i, showing (b).

Furthermore, since Rx(φi) does not contain any occurrence of x, and resolution steps are performed w.r.t. all variables, φk does not contain any variables, so φk = {a · □} for some a ∈ N, where □ is the empty clause. Together with Lemma 12, (c) follows. ⊓⊔

Instantiating Theorem 2 with B yields an interactive protocol competitive with DavisPutnam. Table 3 shows a run of this protocol on the formula φ of Table 1. Initially, Prover runs DavisPutnam on φ, computing the formulas φ1, ..., φ6. Then, during the run of the protocol, it sends to Verifier polynomials of the form Πσ′Bq(φi−1) for the assignments σ′ chosen by Verifier.

## 7 Conclusions

We have presented the first technique for the systematic derivation of interactive proof systems competitive with a given algorithm for UNSAT. More precisely, we have shown that such systems can be automatically derived from arithmetisations satisfying a few commutativity properties. In particular, this result indicates that non-standard arithmetisations can be key to obtaining competitive interactive proof systems for practical algorithms. We have applied our technique to derive the first interactive proof system for the Davis-Putnam resolution procedure, opening the door to interactive proof systems for less restrictive variants of resolution.

Lovász et al. have shown that given a refutation by the Davis-Putnam resolution procedure, one can extract a multi-valued decision diagram, polynomial in the size of the refutation, in which the path for a given truth assignment leads to a clause false under that assignment (that is, to a clause witnessing that the assignment does not satisfy the formula) [14]. This suggests a possible connection between our work and the work of Couillard et al. in [5]. As mentioned in the introduction, [5] presents an interactive proof system competitive with the algorithm for UNSAT that iteratively constructs a BDD for the formula (starting at the leaves of its syntax tree, and moving up at each step), and returns "unsatisfiable" iff the BDD for the root of the tree only contains the node 0. We conjecture that a future version of our systematic derivation technique could subsume both [5] and this paper.

Acknowledgments. We thank the anonymous reviewers for their comments and Albert Atserias for helpful discussions.

## References

1. Arora, S., Barak, B.: Computational Complexity: A Modern Approach. Cambridge University Press (2006), https://theory.cs.princeton.edu/complexity/book.pdf


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## Craig Interpolation for Decidable First-Order Fragments

Balder ten Cate<sup>1</sup> and Jesse Comer<sup>2</sup>

<sup>1</sup> ILLC, University of Amsterdam, Amsterdam 1098 XH, The Netherlands
<sup>2</sup> University of Pennsylvania, Philadelphia, PA 19104, USA jacomer@seas.upenn.edu

Abstract. We show that the guarded-negation fragment (GNFO) is, in a precise sense, the smallest extension of the guarded fragment (GFO) with Craig interpolation. In contrast, we show that the smallest extension of the two-variable fragment (FO²), and of the forward fragment (FF), with Craig interpolation, is full first-order logic. Similarly, we also show that all extensions of FO² and of the fluted fragment (FL) with Craig interpolation are undecidable.

Keywords: Craig interpolation · Decidability · Abstract model theory.

## 1 Introduction

The study of decidable fragments of first-order logic (FO) is a topic with a long history, dating back to the early 1900s ([40,52], cf. also [16]), and more actively pursued since the 1990s. Inspired by Vardi [55], who asked "what makes modal logic so robustly decidable?", and Andréka et al. [1], who asked "what makes modal logic tick?", many decidable fragments have been introduced and studied over the last 25 years that take inspiration from modal logic (ML), which itself can be viewed as a fragment of FO that features a restricted form of quantification. These include the following fragments, each of which naturally generalizes modal logic in a different way: the two-variable fragment (FO²) [42], the guarded fragment (GFO) [1], and the unary negation fragment (UNFO) [22]. Further decidable extensions of these fragments were subsequently identified, including the two-variable fragment with counting quantifiers (C²) [29] and the guarded negation fragment (GNFO) [4]. The latter can be viewed as a common generalization of GFO and UNFO. Many decidable logics used in computer science and AI, including various description logics and rule-based languages, can be translated into GNFO and/or C². In this sense, GNFO and C² are convenient tools for explaining the decidability of other logics. Extensions of GNFO have been studied that push the decidability frontier even further (for instance with fixed-point operators and using clique-guards), but these fall outside the scope of this paper.

In an earlier line of investigation, Quine identified the decidable fluted fragment (FL) [51], the first of several ordered logics which have been the subject of recent interest [47,48,49,50,44]. The idea behind ordered logics is to restrict the order in which variables are allowed to occur in atomic formulas and quantifiers.

Fig. 1. Landscape of decidable fragments of FO with ( ) and without ( ) CIP. The inclusion marked (∗) holds only for sentences and self-guarded formulas.

Another recently introduced decidable fragment that falls in this family is the forward fragment (FF), whose syntax strictly generalizes that of FL. Both FL and FF have the finite model property (FMP) [44] and embed ML [34], but are incomparable in expressive power to GFO [45], FO², and UNFO.<sup>3</sup>

Ideally, an FO-fragment is not only decidable, but also model-theoretically well behaved. A particularly important model-theoretic property of logics is the Craig Interpolation Property (CIP). It states that, for all formulas φ, ψ, if φ |= ψ, then there exists a formula ϑ such that φ |= ϑ and ϑ |= ψ, and such that all nonlogical symbols occurring in ϑ occur both in φ and in ψ. Craig [24] proved in 1957 that FO itself has this property (hence the name). Several refinements of Craig's result have subsequently been obtained (e.g., [43,10]). These have found applications in various areas of computer science and AI, including formal verification, modular hardware/software specification and automated deduction [41,18,31], and are emerging as a new prominent technology in databases [53,12] and knowledge representation [39,21,37]. While we have described CIP here as a model-theoretic property, it also has a proof-theoretic interpretation. Indeed, it has been argued that CIP is an indicator for the existence of nice proof systems [32].

Turning our attention to the decidable fragments of FO we mentioned earlier, it turns out that, although GFO is in many ways model-theoretically well-behaved [1], it lacks CIP [33]. Likewise, FO² lacks CIP [23] and the same holds for C² ([35, Example 2] yields a counterexample). Both FF and FL lack CIP [7]. On the other hand, UNFO and GNFO have CIP [22,3]. Figure 1 summarizes these known results. Note that we restrict attention to relational signatures without constant symbols and function symbols. Some of the results depend on this restriction. Other known results not reflected in Figure 1 (to avoid clutter) are that

<sup>3</sup> Specifically, the FO-sentence ∃xy(R(x, y) ∧ R(y, x)) belongs to GFO, FO² and UNFO, but is not expressible in FF, since the structure consisting of two points with symmetric edges and the structure (Z, S), with S the successor relation, are "infix bisimilar," as described in [7].

the intersection of GFO and FO² (also known as GFO²) has CIP [33]. Similarly, the intersection of FF with GFO and the intersection of FL with GFO (known as GFF and GFL, respectively) have CIP [7].

When a logic L lacks CIP, the question naturally arises as to whether there exists a more expressive logic L′ that has CIP. If such an L′ exists, then, in particular, interpolants for valid L-implications can be found in L′. This line of analysis is sometimes referred to as Repairing Interpolation [2]. If L′ is an FO-fragment, and our aim is to repair interpolation by extension, then there is a trivial solution: FO itself is an extension of L satisfying CIP. We will instead consider the following refinement of the question: can a natural extension L′ of L be identified which satisfies CIP while retaining decidability? We will answer this question for three of the fragments depicted in Figure 1 that lack CIP, by identifying the minimal natural extension L′ of L satisfying CIP. Our main results can be stated informally as follows:


The precise statements of these results will be given in the respective sections. They involve some natural closure assumptions on the logics in question, and, for the undecidability results, some assumptions regarding the efective computability of the translation between the extension and the logic that it extends.

These results give us a clear sense of where, in the larger landscape of decidable fragments of FO, we may find logics that enjoy CIP. What makes the above results remarkable is that, from the definition of the Craig interpolation property, it does not appear to follow that a logic without CIP would have a unique minimal extension with CIP. Note that a valid implication may have many possible interpolants, and the Craig interpolation property merely requires the existence of one such interpolant. Nevertheless, the above results show that, in the case of FO², GFO, and FF, such a unique minimal extension indeed exists (assuming suitable closure properties, which will be spelled out in detail in the next sections).

Related Work. Several other approaches have been proposed for dealing with logics that lack CIP. One approach is to weaken CIP. For example, it was shown in [33] that GFO satisfies a weak, "modal" form of Craig interpolation, where, roughly speaking, only the relation symbols that occur in non-guard positions in the interpolant are required to occur both in the premise and the conclusion. As it turns out, this weakening of CIP is strong enough to entail the (non-projective) Beth Definability Property, which is one important use case of CIP. See also Section 7 for further discussion of weak forms of CIP.

Another recent approach [35] is to develop algorithms for testing whether an interpolant exists for a given entailment. That is, rather than viewing Craig interpolation as a property of logics, the existence of interpolants is studied as an algorithmic problem at the level of individual entailments. The interpolant existence problem turns out to be indeed decidable (although of higher complexity than the satisfiability problem) for both GFO and FO² [35].

Additional results are known for UNFO and GNFO beyond the fact that they have CIP. In particular, CIP holds for their fixed-point extensions [9,8], interpolants can be constructed effectively, and tight bounds are known on the size of interpolants and the computational complexity of computing them [11].

Our paper can be viewed as an instance of abstract model theory for fragments of FO. One large driving force behind the development of abstract model theory was the identification of extensions of FO which satisfy desirable model-theoretic properties, such as the compactness theorem, the Löwenheim–Skolem theorem, and Craig interpolation. One takeaway from this line of research is that CIP is scarce among "reasonable" FO-extensions. An early result of Lindström showed that FO-extensions with finitely many generalized quantifiers and satisfying the downward Löwenheim–Skolem property do not have the Beth property (and hence fail to satisfy CIP) [38]. Similarly, Caicedo [17], generalizing an early result by Friedman [26], established a strong negative CIP result that applies to arbitrary proper FO-extensions with monadic generalized quantifiers. For a survey of negative interpolation results among FO-extensions, see [54]. These negative results not only show that CIP is scarce among extensions of FO, they also provide clues as to where, within the space of all extensions, one may hope to find logics with CIP. Our results can be viewed similarly, except that they pertain to (extensions of) fragments of FO.

Our results can also be appreciated as characterizations of GNFO and of FO. While traditional Lindström-style characterizations are maximality theorems (e.g., FO is a maximal logic having the compactness and Löwenheim-Skolem properties), our results can be viewed as minimality theorems (e.g., GNFO is the minimal logic extending GFO and having CIP).

Some prior work exists that studies abstract model theory for (extensions of) fragments of FO. Most closely related is [19], which studies modal logics and hybrid logics. Among other things, it was shown in [19] that the smallest extension of modal logic with the difference operator (ML(D)) which satisfies CIP is full first-order logic. Additionally, in [28], the authors identified minimal extensions of various fragments of propositional linear temporal logic (PLTL) with CIP. Furthermore, it was shown in [19] that every abstract logic extending GFO with CIP can express all FO sentences and formulas with one free variable, and is thus undecidable. A crucial difference between this result and ours is that [19] assumes signatures with constant symbols and concerns a stronger version of CIP, interpolating not only over relation symbols but also over constant symbols. In contrast, we only consider purely relational signatures without constant symbols. Other prior work on abstract model theory for fragments of FO includes [13,15,27]. Repairing interpolation has also been pursued in the context of quantified modal logics, which typically lack CIP; in [2], the authors showed that CIP can be repaired for such logics by adding nominals, @-operators and the ↓-binder.

Outline. Section 2 introduces the abstract model-theoretic framework. In Sections 3, 4, and 5, we repair interpolation for FO<sup>2</sup>, GFO, and FL, respectively. In Section 6, we provide results showing that, even under weak expressive assumptions, extensions of FO<sup>2</sup> and FL with CIP are undecidable. In Section 7, we discuss the implications and limitations of our results, and future directions.

## 2 Preliminaries

We assume familiarity with the syntax and semantics of FO. Signatures are denoted by σ and τ, and are assumed to be relational and finite. If φ contains only relation symbols occurring in σ, then we write M, g |= φ to denote that a σ-structure M satisfies φ under the variable assignment g. We write x<sub>i</sub>, y<sub>i</sub>, z<sub>i</sub>, u<sub>i</sub> to denote variables, and x, y, z, u to denote tuples of variables. We write a<sub>i</sub>, b<sub>i</sub>, c<sub>i</sub> to denote elements of structures and a, b, c to denote tuples of such elements. Given a tuple of elements a = a<sub>1</sub>, . . . , a<sub>n</sub> in a structure M, a tuple of variables x = x<sub>1</sub>, . . . , x<sub>n</sub>, and a variable assignment g, we write g[x/a] to denote the variable assignment which is the same as g except that g(x<sub>i</sub>) = a<sub>i</sub> for each i ≤ n. In order to state our main results precisely, we must formally define what we mean by extensions L′ of L (where L is some fragment of FO that lacks CIP). One option is to let L′ range over fragments of FO that syntactically include L. However, as it turns out, our main results apply even to extensions that are not themselves contained in FO. We therefore opt, instead, to work with an abstract definition of logics, as typically used in abstract model theory.

Abstract Logics. An abstract logic (or logic) is a pair (L, |=<sub>L</sub>), where L is a map from relational signatures σ to collections of formulas, and |=<sub>L</sub> is a ternary satisfaction relation. A formula of an abstract logic (L, |=<sub>L</sub>) is an element of L(σ) for some finite relational signature σ. L must be monotone: if σ ⊆ τ, then L(σ) ⊆ L(τ). Each formula φ has an associated finite set of free variables free(φ), and we write φ(x) or φ(x<sub>1</sub>, . . . , x<sub>k</sub>) to denote that the free variables of φ are exactly those in the tuple x = x<sub>1</sub>, . . . , x<sub>k</sub>. As in the case of FO, a formula φ is a sentence if free(φ) = ∅. We write sig(φ) to denote the least signature σ such that φ ∈ L(σ). The ternary satisfaction relation |=<sub>L</sub> is defined over triples (M, g, φ), where φ is an L-formula, M is a τ-structure such that sig(φ) ⊆ τ, and g is a variable assignment with free(φ) ⊆ dom(g); we write M, g |=<sub>L</sub> φ if this relation holds between these objects. The notions of logical consequence and logical equivalence for abstract logics are defined completely analogously to FO. In later sections, we will prefer to suppress the subscript L in the notation for the satisfaction relation and write L to denote an abstract logic (L, |=<sub>L</sub>). Furthermore, we often write φ ∈ L rather than φ ∈ L(σ), leaving the signature implicit.

All abstract logics L are assumed to satisfy the reduct property and the renaming property. The reduct property states that if σ ⊆ τ, then for all φ ∈ L(σ), all τ-structures M, and all assignments g, if M, g |=<sub>L</sub> φ, then M ↾ σ, g |=<sub>L</sub> φ. In other words, the truth of a formula of an abstract logic L in a structure depends only on the interpretations of the symbols in the signature of that formula. The renaming property states that if ρ : σ → τ is an injective map preserving the arity of relation symbols, then for each formula φ ∈ L(σ), there is a formula ψ ∈ L(τ) such that for all τ-structures M, we have that M, g |=<sub>L</sub> ψ if and only if ρ<sup>−1</sup>[M], g |=<sub>L</sub> φ, where ρ<sup>−1</sup>[M] is the σ-structure with the same domain as M in which the interpretation of each R ∈ σ is the interpretation of ρ(R) in M. Intuitively, the renaming property states that if a formula over a signature σ can be expressed in a logic L, then the formula obtained by renaming all of its relation symbols can also be expressed in L.

For arbitrary abstract logics L, the Craig interpolation property states that if φ |=<sub>L</sub> ψ for L-formulas φ and ψ, then there exists a formula ϑ ∈ L(sig(φ) ∩ sig(ψ)) with free(ϑ) = free(φ) ∩ free(ψ) such that φ |=<sub>L</sub> ϑ and ϑ |=<sub>L</sub> ψ.
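As a small illustration of this definition (our own example, not taken from the results discussed above), consider the valid FO-entailment

$$P(x) \land \forall y\,(P(y) \to Q(y)) \;\models\; Q(x) \lor R(x).$$

Here the premise has signature {P, Q} and the conclusion has signature {Q, R}, so an interpolant may use only the shared symbol Q and the shared free variable x. The formula ϑ(x) = Q(x) qualifies: it is entailed by the premise and entails the conclusion.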

We say a formula φ of a logic L expresses a formula ψ of a logic L′ if free(φ) = free(ψ), sig(φ) = sig(ψ), and for all structures M and assignments g, we have that M, g |=<sub>L</sub> φ if and only if M, g |=<sub>L′</sub> ψ. We say that a logic L′ is an extension of a logic L (notation: L ⪯ L′) if L′ can express all formulas of L. An FO-fragment can then be precisely defined, without reference to syntax, as a logic of which FO is an extension. We say that L′ is a sentential extension of L (notation: L ⪯<sub>sent</sub> L′) if L′ can express all sentences of L.

Let L be a logic and ψ(x<sub>1</sub>, . . . , x<sub>n</sub>) be an L-formula. We write ⟦ψ⟧<sup>M</sup> for the collection of tuples (a<sub>1</sub>, . . . , a<sub>n</sub>) ∈ M<sup>n</sup> such that there exists an assignment g where M, g |= ψ and g(x<sub>i</sub>) = a<sub>i</sub> for each i ≤ n. Given formulas ψ<sub>1</sub>, . . . , ψ<sub>k</sub> ∈ L(σ), a σ-structure M, and relation symbols R<sub>1</sub>, . . . , R<sub>k</sub> ∈ σ with |free(ψ<sub>i</sub>)| = arity(R<sub>i</sub>) for each i ≤ k, we define M[R<sub>1</sub>/ψ<sub>1</sub>, . . . , R<sub>k</sub>/ψ<sub>k</sub>] to be the σ-structure with the same domain as M in which the interpretation of each R<sub>i</sub> is ⟦ψ<sub>i</sub>⟧<sup>M</sup>. We now describe a syntax-free notion of uniform substitution for formulas of an abstract logic.
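To illustrate the substituted structure M[R/ψ] on a concrete case (an illustrative example of ours): take σ = {R} with R binary and ψ(x<sub>1</sub>, x<sub>2</sub>) = R(x<sub>2</sub>, x<sub>1</sub>). Then M[R/ψ] is obtained from M by reversing all R-edges, since

$$R^{M[R/\psi]} = \llbracket \psi \rrbracket^M = \{ (a, b) \in M^2 : (b, a) \in R^M \}.$$
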

Definition 2.1. Let L be a logic and φ ∈ L(σ) with R<sub>1</sub>, . . . , R<sub>k</sub> ∈ sig(φ), where, for each i ≤ k, R<sub>i</sub> is a k<sub>i</sub>-ary relation symbol. Furthermore, let ψ<sub>1</sub>, . . . , ψ<sub>k</sub> ∈ L(σ) be formulas with |free(ψ<sub>i</sub>)| = k<sub>i</sub> for each i ≤ k. We say that L expresses the substitution of ψ<sub>1</sub>, . . . , ψ<sub>k</sub> for R<sub>1</sub>, . . . , R<sub>k</sub> in φ if there exists a formula χ ∈ L(σ) such that, for every σ-structure M and assignment g,

$$M, g \models \chi \iff M[R\_1/\psi\_1, \dots, R\_k/\psi\_k], g \models \varphi.$$

Most studies in abstract logic assume that the logics under study are regular, roughly meaning that they can express atomic formulas, Boolean connectives, and existential quantification. In other words, to study regular logics is to study extensions of FO. Since we are interested in a more fine-grained view of logics including FO-fragments, these assumptions are too strong. As a result, the first step of studying extensions of FO-fragments from the perspective of abstract logic is to identify natural expressive assumptions for those extensions which are strictly weaker than regularity. We do this in the respective sections.

Some of our proofs will use second-order quantification (for expository reasons only), and we recall the semantics of these quantifiers here. Given a formula φ ∈ L(σ ∪ {P}) of some abstract logic L, we can form new formulas ∃P φ and ∀P φ with signature σ and the same free variables as φ. Given a σ-structure M and an assignment g, the semantics of these formulas are defined as follows:

$$\begin{aligned} M, g \models \exists P \varphi &\text{ if there is a } \sigma \cup \{P\}\text{-expansion } M' \text{ of } M\\ &\text{such that } M', g \models \varphi, \text{ and} \\ M, g \models \forall P \varphi &\text{ if for all } \sigma \cup \{P\}\text{-expansions } M' \text{ of } M, \\ &\text{ we have that } M', g \models \varphi. \end{aligned}$$

If L itself does not allow second-order quantification, we can view ∃P φ and ∀P φ as elements of L′(σ) for a suitable extension L′ of L. In particular, if φ is an FO-formula, then ∃P φ and ∀P φ are formulas of second-order logic (SO).

## 3 Repairing Interpolation for FO<sup>2</sup>

The two-variable fragment (FO<sup>2</sup>) consists of all FO-formulas containing only two variables, say, x and y, where we allow for nested quantifiers that reuse the same variable (as in ∃xy(R(x, y) ∧ ∃x(R(y, x))), expressing the existence of a path of length 2). In this context, as is customary, we restrict attention to relations of arity at most 2. It is known that FO<sup>2</sup> is decidable [42] but does not have CIP [23].

## 3.1 Natural Extensions of FO<sup>2</sup>

While FO<sup>2</sup> is restricted to only two variables and predicates of arity at most 2, it has no restriction on its connectives: it is fully closed under Boolean connectives and existential and universal quantification. Because of this fact, we will consider in this section those abstract logics which are strong extensions of FO<sup>2</sup>.

Definition 3.1. We say that a logic L′ strongly extends a logic L if L′ extends L and, for each formula φ ∈ L′ with R<sub>1</sub>, . . . , R<sub>k</sub> ∈ sig(φ), where φ expresses some ψ ∈ L, and all formulas ψ<sub>1</sub>, . . . , ψ<sub>k</sub> ∈ L′, we have that L′ expresses the substitution of ψ<sub>1</sub>, . . . , ψ<sub>k</sub> for R<sub>1</sub>, . . . , R<sub>k</sub> in φ (cf. Definition 2.1).

Intuitively, Definition 3.1 means that L′ can express uniform substitutions of its formulas into formulas of L. In other words, the notion of a strong extension is a syntax-free way to say that L′ extends L and is closed under the connectives of L. In particular, if L strongly extends FO<sup>2</sup>, then L can express all of the usual first-order connectives: for ψ<sub>0</sub> and ψ<sub>1</sub> expressible in L, it must also be the case that ¬ψ<sub>0</sub>, ψ<sub>0</sub> ∧ ψ<sub>1</sub>, and ∃xψ<sub>0</sub> are expressible in L, under the usual semantics of these connectives. Clearly FO<sup>2</sup> is the smallest strong extension of itself.

## 3.2 Finding the Minimal Extension of FO<sup>2</sup> with CIP

Recall that we write L ⪯<sub>sent</sub> L′ if every sentence of L is expressible in L′. Our main result in this section is the following.

Theorem 3.1. If L is a strong extension of FO<sup>2</sup> with CIP, then FO ⪯<sub>sent</sub> L.

Proof. We will show by induction on the complexity of formulas that, for every FO-formula φ(x<sub>1</sub>, . . . , x<sub>n</sub>), there is a sentence ψ ∈ L, over an extended signature containing additional unary predicates P<sub>1</sub>, . . . , P<sub>n</sub>, that is equivalent to

$$\exists x\_1 \dots x\_n \Big(\bigwedge\_{i=1}^n \big(P\_i(x\_i) \land \forall y\, (P\_i(y) \to y = x\_i)\big) \land \varphi(x\_1, \dots, x\_n)\Big).$$

In other words, ψ is a sentence expressing that φ holds under an assignment of its free variables to some tuple of elements which uniquely satisfy the P<sub>i</sub> predicates. In the case that n = 0 (i.e., the case that φ is a sentence), we then have that ψ is equivalent to φ, which shows that FO ⪯<sub>sent</sub> L.

The base case of the induction is straightforward (recall that we restrict attention to relations of arity at most 2). The induction step for the Boolean connectives is straightforward as well (using the fact that L is a strong extension of FO<sup>2</sup>, and thus can express all connectives of FO<sup>2</sup>). In fact, the only nontrivial part of the argument is the induction step for the existential quantifier. Let φ(x<sub>1</sub>, . . . , x<sub>n</sub>) be of the form ∃x<sub>n+1</sub>φ′(x<sub>1</sub>, . . . , x<sub>n</sub>, x<sub>n+1</sub>). By the inductive hypothesis, there is an L-sentence ψ with sig(ψ) = sig(φ′) ∪ {P<sub>1</sub>, . . . , P<sub>n+1</sub>}, where P<sub>1</sub>, . . . , P<sub>n+1</sub> are unary predicates not in sig(φ′), which is equivalent to

$$\exists x\_1 \dots x\_n \exists x\_{n+1} \Big(\bigwedge\_{i \le n+1} \big(P\_i(x\_i) \land \forall y\, (P\_i(y) \to y = x\_i)\big) \land \varphi'(x\_1, \dots, x\_n, x\_{n+1})\Big).$$

Now, let ψ′ be obtained from ψ by replacing every occurrence of P<sub>n+1</sub> by some fresh unary predicate P′; this is expressible in L by the renaming property. Furthermore, let

$$\begin{aligned} \gamma(x) &:= \psi \wedge P\_{n+1}(x), \text{ and} \\ \chi(x) &:= (P'(x) \wedge \forall y (P'(y) \to y = x)) \to \psi'. \end{aligned}$$

(where x is either of the two variables we have at our disposal; it does not matter which). Since L strongly extends FO<sup>2</sup>, both γ(x) and χ(x) can be expressed as L-formulas. Then

$$\gamma(x) \models \chi(x).$$

Let ϑ(x) ∈ L be an interpolant. Observe that, since P<sub>n+1</sub> occurs only in γ(x) and P′ only in χ(x), the following second-order entailment is also valid:

$$\exists P\_{n+1}\, \gamma(x) \models \vartheta(x) \models \forall P'\, \chi(x).$$

It is not hard to see that ∃P<sub>n+1</sub>γ(x) and ∀P′χ(x) are equivalent. Indeed, both are satisfied in a structure M under an assignment g precisely if M′, g |= ψ, where M′ is the expansion of M in which P<sub>n+1</sub> denotes the singleton set {g(x)}. It then follows that ϑ(x), being sandwiched between the two, is also equivalent to ∃P<sub>n+1</sub>γ(x). This implies that ϑ(x) is the unique interpolant (up to logical equivalence) of the entailment γ(x) |= χ(x), and so it is expressible in L. Then, since L strongly extends FO<sup>2</sup>, it can express ∃xϑ(x). We claim that this sentence satisfies the requirement of our claim. To see this, observe that ∃xϑ(x) is equivalent to ∃x∃P<sub>n+1</sub>γ(x), which is equivalent to ∃P<sub>n+1</sub>ψ, which clearly satisfies the requirement of our claim. ⊓⊔

## 4 Repairing Interpolation for GFO

The guarded fragment (GFO) [1] allows formulas in which all quantifiers are "guarded." Formally, a guard for a formula φ is an atomic formula α whose free variables include all free variables of φ. Following [30], we allow α to be an equality. More generally, by an ∃-guard for φ, we mean a possibly existentially quantified atomic formula ∃xβ whose free variables include all free variables of φ. The formulas of GFO are generated by the following grammar:

$$\varphi := \top \mid R(\overline{x}) \mid x = y \mid \varphi \land \psi \mid \varphi \lor \psi \mid \neg \varphi \mid \exists \overline{x} (\alpha \land \varphi),$$

where, in the last clause, α is a guard for φ. Note again that we do not allow constants and function symbols.

In the guarded-negation fragment (GNFO) [4], arbitrary existential quantification is allowed, but every negation is required to be guarded. More precisely, the formulas of GNFO are generated by the following grammar:

$$\varphi := \top \mid R(\overline{x}) \mid x = y \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \exists x \varphi \mid \alpha \land \neg \varphi,$$

where, in the last clause, α is a guard for φ.

As is customary, the above definitions are phrased in terms of ordinary guards α. However, it is easy to see that allowing ∃-guards would not affect the expressive power (or computational complexity) of these logics in any way. This is because, when the variables in the tuple x do not occur free in φ, as is the case when ∃xβ is an ∃-guard for φ, we can write ∃xβ ∧ φ equivalently as ∃x(β ∧ φ). In other words, an ∃-guard is as good as an ordinary guard. We call an FO-formula self-guarded if it is either a sentence or of the form α ∧ φ, where α is an ∃-guard for φ.
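For a concrete instance of this rewriting (our own example): suppose φ(x, y) has free variables x and y, and take the ∃-guard ∃z R(x, y, z). Then

$$\exists z\, R(x, y, z) \land \varphi(x, y) \;\equiv\; \exists z\, (R(x, y, z) \land \varphi(x, y)),$$

since z does not occur free in φ; the right-hand side uses an ordinary guard, as in the GFO grammar above.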

In this section, we will require the notions of conjunctive queries (CQs) and unions of conjunctive queries (UCQs). A CQ is an FO-formula of the form

$$
\varphi(x\_1, \ldots, x\_n) := \exists y\_1 \ldots \exists y\_m (\bigwedge\_{i \in I} \alpha\_i),
$$

where each α<sub>i</sub> is an atomic formula, possibly an equality, whose free variables are among {x<sub>1</sub>, . . . , x<sub>n</sub>, y<sub>1</sub>, . . . , y<sub>m</sub>}. The collection of all CQs is expressively equivalent to the fragment FO<sup>∃,∧</sup> of first-order logic, which is generated by the following grammar:

$$\varphi := R(x\_1, \ldots, x\_k) \mid x = y \mid \varphi \land \varphi \mid \exists x\, \varphi.$$
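For instance (an illustrative example), the CQ expressing the existence of an outgoing path of length 2 from x<sub>1</sub>,

$$\varphi(x\_1) := \exists y\_1 \exists y\_2\, (E(x\_1, y\_1) \land E(y\_1, y\_2)),$$

is at the same time an FO<sup>∃,∧</sup>-formula, built from atoms using only conjunction and existential quantification.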

A UCQ is a finite disjunction of CQs. Importantly, GNFO can alternatively be characterized as the smallest logic which can express every UCQ and is closed under guarded negation [4]. This is made explicit in the following expressively equivalent grammar for GNFO:

$$\varphi := \top \mid R(\overline{x}) \mid x = y \mid \alpha \land \neg \varphi \mid q[R\_1/\varphi\_1, \dots, R\_n/\varphi\_n],$$

where q is a UCQ with relation symbols R<sub>1</sub>, . . . , R<sub>n</sub>, and φ<sub>1</sub>, . . . , φ<sub>n</sub> are self-guarded formulas with the appropriate number of free variables, generated by the same recursive grammar. We refer to this as the UCQ syntax for GNFO.

#### 4.1 Natural Extensions of GFO

Unlike FO<sup>2</sup>, guarded fragments are peculiar in that they are not closed under substitution. For example, ∃xy(R(x, y) ∧ ¬S(x, y)) belongs to GFO, but if we substitute x = x ∧ y = y for R(x, y), we obtain ∃xy(x = x ∧ y = y ∧ ¬S(x, y)), which does not belong to GFO (and is not even expressible in GNFO). GFO and GNFO are, however, closed under self-guarded substitution: we can uniformly substitute self-guarded formulas for atomic relations. We generalize the notion of a self-guarded formula to abstract logics L as follows: a formula φ(x) ∈ L(σ) with free(φ) = {x<sub>1</sub>, . . . , x<sub>k</sub>} is self-guarded if there is an n-ary relation symbol G ∈ σ, where n ≥ k, and a tuple of variables y containing exactly the variables free(φ) ∪ {z<sub>1</sub>, . . . , z<sub>m</sub>}, such that for all σ-structures M and assignments g,

$$M, g \models \varphi \implies M, g \models \exists z\_1 \dots \exists z\_m\, G(\overline{y}).$$

Intuitively, we can think of a self-guarded L-formula as a conjunction of the form α ∧ ψ, where α is an ∃-guard for ψ. We can then capture the notion of self-guarded substitution for abstract logics by the following definition.

Definition 4.1. We say that an abstract logic L expresses self-guarded substitutions if, for each formula φ ∈ L with R<sub>1</sub>, . . . , R<sub>k</sub> ∈ sig(φ), and all self-guarded formulas ψ<sub>1</sub>, . . . , ψ<sub>k</sub> ∈ L, we have that L can express the substitution of ψ<sub>1</sub>, . . . , ψ<sub>k</sub> for R<sub>1</sub>, . . . , R<sub>k</sub> in φ (cf. Definition 2.1).

It was shown in [4] that every self-guarded GFO-formula is expressible in GNFO. In particular, this applies to all GFO-sentences and GFO-formulas with at most one free variable (since all such formulas can be equivalently written as x = x ∧ φ). It is therefore common to treat GNFO as an extension of GFO. To make this precise, we say that L′ is a self-guarded extension of L (notation: L ⪯<sub>sg</sub> L′) if L′ can express all self-guarded formulas of L. In Figure 1, the line marked (*) indicates that GNFO extends GFO in this weaker sense. Furthermore, it is worth noting that GNFO, unlike GFO, is not closed under implication: if it were, then GNFO would be able to express full negation (using formulas of the form φ → ⊥). GFO and GNFO do, however, both have disjunction and conjunction in common. We formalize all of these considerations into the following notion.

Definition 4.2. A guarded logic is a logic L such that

1. L can express all self-guarded formulas of GFO (i.e., GFO ⪯<sub>sg</sub> L),
2. L expresses self-guarded substitutions (cf. Definition 4.1), and
3. L can express conjunctions and disjunctions of its formulas.

Clearly, GFO and GNFO are both guarded logics. Furthermore, observe that the smallest guarded logic consists of all conjunctions and disjunctions of self-guarded formulas of GFO.

#### 4.2 Finding the Minimal Extension of GFO with CIP

Our main result in this section is the following.

Theorem 4.1. Let L be a guarded logic with CIP. Then GNFO ⪯ L.

In other words, loosely speaking, GNFO is the smallest extension of GFO with CIP. The proof is based on similar ideas as that of Theorem 3.1, but the argument is more intricate. The main thrust of the argument is to show that our abstract logic L can express all positive existential formulas, from which it follows easily that L can express all formulas in the UCQ syntax for GNFO. Toward this end, the main technical result is the following proposition.

Proposition 4.1. Let L be a logic with CIP that can express atomic formulas, guarded quantification, conjunction, and unary implication. Then FO<sup>∃,∧</sup> ⪯ L.

Here, we say that a logic L can express guarded quantification if, whenever φ ∈ L and α is a guard for φ, L can express ∃x(α ∧ φ); we say that L can express unary implications if, whenever φ ∈ L and α is an atomic formula with only one free variable, L can express α → φ.

The following definition is used in the proof of Proposition 4.1.

Definition 4.3. Let φ be a formula in FO<sup>∃,∧</sup>, let y = y<sub>1</sub>, . . . , y<sub>n</sub> be a tuple of distinct variables, and let P = P<sub>1</sub>, . . . , P<sub>n</sub> be a tuple of unary predicates of the same length. Then BIND<sub>y↦P</sub>(φ) is defined recursively as follows:

$$\begin{array}{ll} \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\alpha) &= \exists \overline{y} (\alpha \land \bigwedge\_{1\le i\le n} P\_i(y\_i)) \\ \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\phi \land \psi) = \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\phi) \land \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\psi) \\ \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\exists z\psi) &= \exists z (\mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\psi)), \end{array}$$

where α is an atomic formula (possibly an equality).
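To illustrate Definition 4.3 on a small example of our own, let ψ(x, y) = ∃z(E(y, z) ∧ E(z, x)) and bind the single variable y to the unary predicate P. Applying the clause for ∃, then the clause for ∧, and finally the atomic clause gives

$$\mathsf{BIND}\_{y \mapsto P}(\psi) = \exists z\, \big(\exists y\, (E(y, z) \land P(y)) \land \exists y\, (E(z, x) \land P(y))\big),$$

whose free variables are free(ψ) \ {y} = {x}. If P is interpreted as a singleton {a}, this formula holds exactly when ψ holds under the extension of the assignment mapping y to a.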

The BIND<sub>y↦P</sub> operation applied to a formula φ ∈ FO<sup>∃,∧</sup> wraps each atomic subformula of φ with quantifiers for the variables in y, and adds additional unary predicates for these variables. Thus, the free variables of BIND<sub>y↦P</sub>(φ), for y = y<sub>1</sub>, . . . , y<sub>n</sub>, are exactly free(φ) \ {y<sub>1</sub>, . . . , y<sub>n</sub>}, which justifies our use of the word "BIND". The utility of this definition is due to the following fact: for any φ ∈ FO<sup>∃,∧</sup>, whenever M, g |= BIND<sub>y↦P</sub>(φ), and the interpretation in M of each unary predicate P<sub>i</sub> in P is a singleton, then M, g′ |= φ, where g′ is the extension of g which maps each y<sub>i</sub> to the unique element satisfying P<sub>i</sub> (cf. Propositions 4.3, 4.4). The following proposition is a simple consequence of the definition of BIND.

Proposition 4.2. For all FO<sup>∃,∧</sup>-formulas φ and all tuples x, y and P, Q, if x and y are disjoint, then BIND<sub>xy↦PQ</sub>(φ) ≡ BIND<sub>x↦P</sub>(BIND<sub>y↦Q</sub>(φ)).

A formula φ is clean if no free variable of φ also occurs bound in φ, and φ does not contain two quantifers for the same variable. Every FO-formula is equivalent to a clean FO-formula, and all subformulas of a clean formula are also clean. We now state two technical propositions, whose proofs can be found in the full version of this paper [20].

Proposition 4.3. For every clean FO<sup>∃,∧</sup>-formula φ, for every tuple of distinct variables y = y<sub>1</sub>, . . . , y<sub>n</sub> (with each y<sub>i</sub> ∈ free(φ)), and for every tuple of unary predicates P = P<sub>1</sub>, . . . , P<sub>n</sub>, we have that

$$\Big(\bigwedge\_{i=1,\ldots,n} P\_i(y\_i)\Big) \models \varphi \to \mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\varphi).$$

Proposition 4.4. For every clean FO<sup>∃,∧</sup>-formula φ(x, y) with y = y<sub>1</sub>, . . . , y<sub>n</sub> distinct from x, and for every n-tuple of unary predicates P = P<sub>1</sub>, . . . , P<sub>n</sub> not occurring in φ, we have that

$$\exists x\, \varphi(x,\overline{y}) \equiv \forall \overline{P}\Big(\Big(\bigwedge\_{i=1,\ldots,n} P\_i(y\_i)\Big) \to \exists x\, \mathsf{BIND}\_{\overline{y} \mapsto \overline{P}}(\varphi(x,\overline{y}))\Big).$$

The following lemma enables the proof of Proposition 4.1.

Lemma 4.1. Let L be an FO-fragment which can express atomic formulas and is closed under guarded quantification, conjunction, and unary implication. If L can express a formula φ ∈ FO<sup>∃,∧</sup> and all of its subformulas, then for all tuples y of variables, we have that L can express BIND<sub>y↦P</sub>(φ).

Proof. We show by strong induction on the complexity of clean FO<sup>∃,∧</sup>-formulas φ that the claim of the lemma holds.

### Base Case

Suppose φ is an atomic formula. Fix an arbitrary tuple y = y<sub>1</sub>, . . . , y<sub>n</sub>. Then

$$\mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\varphi) \equiv \exists \overline{y} (\varphi \land \bigwedge\_{1 \le i \le n} P\_i(y\_i)),$$

which L can express by closure under conjunction and guarded quantification.

### Inductive Step

Suppose inductively that, for all formulas ψ of lesser complexity than φ, and all tuples z of variables, we have that L can express BIND<sub>z↦P</sub>(ψ). Fix an arbitrary tuple y of variables.

Suppose that φ = ψ<sub>1</sub> ∧ ψ<sub>2</sub>. Since L can express φ and all of its subformulas, it can also express ψ<sub>1</sub>, ψ<sub>2</sub>, and all of their subformulas. Then by the inductive hypothesis, L can express BIND<sub>y↦P</sub>(ψ<sub>1</sub>) and BIND<sub>y↦P</sub>(ψ<sub>2</sub>). Then by closure under conjunction, L can express BIND<sub>y↦P</sub>(ψ<sub>1</sub>) ∧ BIND<sub>y↦P</sub>(ψ<sub>2</sub>), which is the same as BIND<sub>y↦P</sub>(φ) (cf. Definition 4.3).

Now suppose that φ(x, y) = ∃zψ(x, y, z), where the (possibly empty) tuple x consists of all free variables of φ not in the tuple y. We need to show that L can express BIND<sub>y↦P</sub>(φ(x, y)), which is the same as ∃z(BIND<sub>y↦P</sub>(ψ(x, y, z))) (cf. Definition 4.3). Since L can express φ and all of its subformulas, it can also express ψ and all of its subformulas. Then, by the inductive hypothesis, L can express BIND<sub>y↦P</sub>(ψ), whose free variables are those in the tuple xz, as well as BIND<sub>xy↦QP</sub>(ψ), whose only free variable is z. Since L is closed under conjunction and guarded quantification, it follows that L can express

$$\gamma(\overline{x}) := \exists z (G(\overline{x}, z) \land \mathsf{BIND}\_{\overline{y} \mapsto \overline{P}}(\psi)) \quad \text{and} \quad \exists z (z = z \land \mathsf{BIND}\_{\overline{x} \overline{y} \mapsto \overline{QP}}(\psi)),$$

where G is a fresh relation symbol not occurring in ψ. Then by closure under unary implications, we have that L can also express

$$\chi(\overline{x}) := \Big(\bigwedge\_i Q\_i(x\_i)\Big) \to \exists z\, (z = z \land \mathsf{BIND}\_{\overline{x}\overline{y} \mapsto \overline{Q}\overline{P}}(\psi)).$$

Claim: γ(x) |= χ(x)

Proof of claim: By Proposition 4.2,

$$\mathsf{BIND}\_{\overline{x}\overline{y}\mapsto\overline{QP}}(\psi) \equiv \mathsf{BIND}\_{\overline{x}\mapsto\overline{Q}}(\mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\psi)).\tag{1}$$

Then by applying Proposition 4.3 and inverting the hypotheses, we have

$$\mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\psi) \models \Big(\bigwedge\_{i} Q\_{i}(x\_{i})\Big) \rightarrow \mathsf{BIND}\_{\overline{x}\overline{y}\mapsto\overline{Q}\overline{P}}(\psi).$$

From this, it follows (because z is distinct from the variables x<sub>i</sub>) that

$$\exists z(\mathsf{BIND}\_{\overline{y}\mapsto\overline{P}}(\psi)) \models \Big(\bigwedge\_{i} Q\_{i}(x\_{i})\Big) \rightarrow \exists z\, \mathsf{BIND}\_{\overline{x}\overline{y}\mapsto\overline{Q}\overline{P}}(\psi),$$

and therefore γ(x) |= χ(x). This concludes the proof of the claim.

Since L can express both γ(x) and χ(x), we have by the Craig interpolation property that L can express some Craig interpolant ϑ(x). Since G occurs only in γ(x) and the Q<sub>i</sub> predicates occur only in χ(x), none of them occur in ϑ(x), and therefore the following second-order entailment is valid:

$$\exists G\, \gamma(\overline{x}) \models \vartheta(\overline{x}) \models \forall \overline{Q}\, \chi(\overline{x}).$$

It is easy to see that ∃Gγ(x) ≡ ∃z BIND<sub>y↦P</sub>(ψ). Similarly, it follows from Proposition 4.4 and equation (1) that ∀Qχ(x) ≡ ∃z BIND<sub>y↦P</sub>(ψ). Therefore, ϑ(x) ≡ ∃z BIND<sub>y↦P</sub>(ψ). In particular, ∃z BIND<sub>y↦P</sub>(ψ) is expressible in L. ⊓⊔

We are now ready to prove Proposition 4.1, restated below.

Proposition 4.1. Let L be a logic with CIP that can express atomic formulas, guarded quantification, conjunction, and unary implication. Then FO<sup>∃,∧</sup> ⪯ L.

Proof. By strong induction on the complexity of FO<sup>∃,∧</sup>-formulas. The base case is immediate, since L can express all atomic formulas. For the inductive step, if φ := ψ<sub>1</sub> ∧ ψ<sub>2</sub>, then by the inductive hypothesis, L can express ψ<sub>1</sub> and ψ<sub>2</sub>, and so by closure under conjunction, L can express φ. Now suppose φ(y) := ∃x(ψ(x, y)). By the inductive hypothesis, together with closure under guarded quantification, L can express

$$\gamma(\overline{y}) := \exists x (G(x, \overline{y}) \land \psi).$$

Furthermore, by Lemma 4.1, L can express BIND<sub>y↦P</sub>(ψ), and therefore, by closure under guarded quantification and unary implications, L can express

$$\chi(\overline{y}) := \left(\bigwedge\_{i} P\_{i}(y\_{i})\right) \to \exists x (x = x \land \text{BIND}\_{\overline{y} \mapsto \overline{P}}(\psi))\,.$$

Claim: γ(y) |= χ(y).

Proof of claim: It is clear that γ(y) |= ∃xψ. Furthermore, by Proposition 4.3, ψ |= (⋀<sub>i</sub> P<sub>i</sub>(y<sub>i</sub>)) → BIND<sub>y↦P</sub>(ψ), from which it follows that ∃xψ |= χ(y) (since the variable x is distinct from y<sub>1</sub>, . . . , y<sub>n</sub>). Therefore, γ(y) |= χ(y).

Let ϑ(y) be an interpolant for γ(y) |= χ(y) in L. Since G and the predicates in P do not occur in ψ, the following second-order entailments are valid:

$$\exists G\, \exists x (G(x,\overline{y}) \land \psi) \models \vartheta(\overline{y}) \models \forall \overline{P}\Big(\Big(\bigwedge\_{i} P\_{i}(y\_{i})\Big) \rightarrow \exists x\, \mathsf{BIND}\_{\overline{y} \mapsto \overline{P}}(\psi)\Big).$$

It is easy to see that

$$\exists G \exists x (G(x,\overline{y}) \land \psi) \equiv \exists x \psi.$$

Furthermore, by Proposition 4.4,

$$\psi \equiv \forall \overline{P}\Big(\Big(\bigwedge\_{i} P\_{i}(y\_{i})\Big) \to \mathsf{BIND}\_{\overline{y} \mapsto \overline{P}}(\psi)\Big),$$

from which it follows (since x is distinct from y<sub>1</sub>, . . . , y<sub>n</sub>) that

$$\exists x \psi \equiv \forall \overline{P}\Big(\big(\bigwedge_{i} P_{i}(y_{i})\big) \to \exists x\, \mathsf{BIND}_{\overline{y} \mapsto \overline{P}}(\psi)\Big).$$

Therefore, ϑ(y) ≡ φ(y), and so we are done. ⊓⊔

Our main result follows easily from Proposition 4.1, the closure properties of guarded logics, and the UCQ characterization of GNFO.

#### Theorem 4.1. Let L be a guarded logic with CIP. Then GNFO ⪯ L.

Proof. L can express self-guarded GFO-formulas, so it can express formulas of the form ∃xβ, where β is an atomic formula. Then since L can express self-guarded substitution, L can express guarded quantification. Furthermore, L can express all self-guarded formulas of the form α ∧ ¬β, where α and β are atomic formulas such that free(α) = free(β). Furthermore, for every formula φ expressible in L with free(φ) ⊆ free(α), α ∧ φ is a self-guarded formula. Thus by expressibility of self-guarded substitution, L can also express α ∧ ¬(α ∧ φ), which is equivalent to α ∧ ¬φ; hence L can express guarded negation. If L can express φ, then by expressibility of guarded negation and disjunction, it can also express the formula (x = x ∧ ¬P(x)) ∨ φ, which is equivalent to P(x) → φ. Hence L can express unary implications. Therefore, by Proposition 4.1, L can express all formulas in FO<sup>∃,∧</sup>. Then by expressibility of disjunction, L can express all unions of conjunctive queries. The result then follows immediately from the UCQ-syntax for GNFO, by closure under self-guarded substitution. ⊓⊔

## 5 Repairing Interpolation for FF

The fluted fragment (FL) [51] is an ordered logic, in which all occurrences of variables in atomic formulas and quantifiers must follow a fixed order. In the context of ordered logics, we assume a fixed infinite sequence of variables X = ⟨x<sub>i</sub>⟩<sub>i∈Z<sup>+</sup></sub>. A suffix n-atom is an atomic formula of the form R(x<sub>j</sub>, . . . , x<sub>n</sub>), where x<sub>j</sub>, . . . , x<sub>n</sub> is a finite contiguous subsequence of X. FL is defined by the following recursion.

Definition 5.1. For each n ∈ N, define collections of formulas FL<sup>n</sup> as follows:


We set FL = ⋃<sub>n∈N</sub> FL<sup>n</sup>.

The forward fragment (FF), introduced in [6], is a syntactic generalization of FL. We say that R(x<sub>j</sub>, . . . , x<sub>k</sub>) is an infix n-atom if x<sub>j</sub>, . . . , x<sub>k</sub> is a finite contiguous subsequence of X and k ≤ n. FF is defined by the following recursion.

Definition 5.2. For each n ∈ N, define collections of formulas FF<sup>n</sup> as follows:


We set FF = ⋃<sub>n∈N</sub> FF<sup>n</sup>.

In contrast to the other logics we have seen, FL and FF do not allow the primitive equality symbol. It can be seen by a simple formula induction that every formula in FF<sup>k</sup> can be expressed by a formula in FF<sup>n</sup> for every n > k; it follows easily that FF can express arbitrary Boolean combinations of its formulas. However, FL cannot: P(x1) and P(x2) are in FL, but P(x1) ∧ P(x2) is not expressible in FL. Although FF contains formulas which are not in FL, it is known that FF and FL are expressively equivalent at the level of sentences [7]. Furthermore, the satisfiability problems for FL and FF are decidable [48,7].
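As a concrete illustration of the two kinds of atoms (our own example, not from the original text), fix a binary relation symbol R:

```latex
% With the fixed variable sequence X = <x_1, x_2, x_3, ...>:
R(x_2, x_3) % a suffix 3-atom: contiguous and ending at x_3
R(x_1, x_2) % an infix 3-atom (contiguous, with k = 2 <= 3),
            % but not a suffix 3-atom: it stops short of x_3
% FF^3 may use both kinds of atoms; FL^3 only the suffix atoms.
```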

#### 152 B. ten Cate, J. Comer

#### 5.1 Natural Extensions of FF

Given a formula φ, we write gfv(φ) to denote the greatest n ∈ Z<sup>+</sup> such that x<sub>n</sub> occurs free in φ; if φ is a sentence, then we set gfv(φ) = 0. We define forward logics to capture the notion of a natural extension of FF.

Definition 5.3. A forward logic is an abstract logic L such that


We refer to the last property of a forward logic as expressibility of ordered quantification. Clearly FF is a forward logic, and every forward logic extends FF.

#### 5.2 Finding the Minimal Extension of FF with CIP

One peculiar property of FF, unlike the other fragments we have seen, is that the logic is not closed under variable substitutions. This can be seen simply by considering relational atoms: for a 3-ary relation symbol R, the formula R(x1, x2, x3) is in FF, but the formula R(x3, x1, x2) is not. Before proving our main theorem, we prove the following lemma, asserting that whenever a formula is expressible in a forward logic L satisfying CIP, the result of making arbitrary substitutions for the free variables of the formula is also expressible in L.

Lemma 5.1. Let L be a forward logic satisfying CIP, and let φ(x<sub>i1</sub>, . . . , x<sub>ik</sub>) be a formula of first-order logic expressible in L, where x<sub>i1</sub>, . . . , x<sub>ik</sub> is not necessarily a contiguous subsequence of variables. Then for every map

$$
\pi: \{i\_1, \ldots, i\_k\} \to \mathbb{Z}^+,
$$

we have that L can also express φ(x<sub>π(i1)</sub>, . . . , x<sub>π(ik)</sub>). In other words, L is closed under renamings of free variables.

Proof. For brevity, let x = x<sub>i1</sub>, . . . , x<sub>ik</sub>, and let π(x) = x<sub>π(i1)</sub>, . . . , x<sub>π(ik)</sub>. Without loss of generality, assume that i<sub>1</sub> ≤ · · · ≤ i<sub>k</sub> (we can do this since the notation φ(x<sub>i1</sub>, . . . , x<sub>ik</sub>) only indicates that the variables occur free, but says nothing about where or in what order they occur in the formula). Since L can express φ(x), it can evidently express the following formulas, by the definition of a forward logic:

$$\gamma \coloneqq \bigwedge_{m \le k} G_m(x_{\pi(i_m)}) \land \forall x_{i_1} \dots \forall x_{i_k} \left( \bigwedge_{m \le k} G_m(x_{i_m}) \to \varphi(\overline{x}) \right)$$

$$\chi \coloneqq \bigwedge_{m \le k} P_m(x_{\pi(i_m)}) \to \exists x_{i_1} \dots \exists x_{i_k} \left( \varphi(\overline{x}) \land \bigwedge_{m \le k} P_m(x_{i_m}) \right)$$

Clearly γ |= χ, and so there exists an interpolant ϑ. Hence

$$\exists G_1 \dots \exists G_k\, \gamma \models \vartheta \models \forall P_1 \dots \forall P_k\, \chi$$

is a valid second-order entailment. Furthermore, it is easy to see that

$$\exists G_1 \dots \exists G_k\, \gamma \equiv \forall P_1 \dots \forall P_k\, \chi \equiv \varphi(x_{\pi(i_1)}, \dots, x_{\pi(i_k)}).$$

Therefore, φ(x<sub>π(i1)</sub>, . . . , x<sub>π(ik)</sub>) is expressible in L. ⊓⊔
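To see the construction in miniature, consider a worked instance of the lemma (our own illustration): take k = 1 and π(1) = 2, so the goal is to pass from φ(x1) to φ(x2).

```latex
% Specialising the auxiliary formulas to k = 1, pi(1) = 2:
\gamma \coloneqq G(x_2) \land \forall x_1 \big( G(x_1) \to \varphi(x_1) \big)
\qquad
\chi \coloneqq P(x_2) \to \exists x_1 \big( \varphi(x_1) \land P(x_1) \big)
% gamma entails chi, and quantifying out the fresh predicates
% collapses both sides:
\exists G\, \gamma \;\equiv\; \forall P\, \chi \;\equiv\; \varphi(x_2)
% so any interpolant for gamma |= chi is equivalent to phi(x_2).
```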

We now prove our main theorem, which follows easily from Lemma 5.1.

Theorem 5.1. Let L be a forward logic satisfying CIP. Then FO ⪯ L.

Proof. We proceed by formula induction on FO-formulas φ. For the base case, clearly L can express all atomic FO-formulas by applying Lemma 5.1 to an appropriate infix atom. For the inductive step, the Boolean cases are immediate since L can express all Boolean combinations. Hence the only interesting case is when φ := ∃x<sub>k</sub>ψ for some formula ψ. By the inductive hypothesis, L can express ψ. Applying Lemma 5.1, L can also express φ′, the result of substituting x<sub>n+1</sub> for all free occurrences of x<sub>k</sub>, where n = gfv(φ), and leaving all other free variables the same. Then by expressibility of ordered quantification, L can express ∃x<sub>n+1</sub>φ′, which is equivalent to φ. ⊓⊔

## 6 Undecidability of Extensions of FO<sup>2</sup> and FL with CIP

In Section 3, we showed that every strong extension of FO<sup>2</sup> with CIP can express all sentences of FO, and in Section 5, we showed that every forward logic with CIP can express all formulas of FO. These results suggest the undecidability of the satisfiability problems for such logics. In this section, we formalize this idea, showing that extensions of FO<sup>2</sup> and FL with CIP satisfying very limited expressive assumptions are undecidable. These results rely primarily on known results on the undecidability of FO<sup>2</sup> and FL with additional transitive relations.

Proposition 6.1. Every abstract logic L with CIP extending FO<sup>2</sup> or FL can express the following formulas:

$$\begin{aligned} \psi\_0(x\_1) &:= \forall x\_2 \forall x\_3 (R(x\_1, x\_2) \land R(x\_2, x\_3) \to R(x\_1, x\_3)), \text{ and} \\ \psi\_1 &:= \neg \forall x\_1 \forall x\_2 \forall x\_3 (R(x\_1, x\_2) \land R(x\_2, x\_3) \to R(x\_1, x\_3)). \end{aligned}$$

The proof of Proposition 6.1 can be found in the full version of this paper [20]. We also need two additional definitions. First, an effective translation from a logic L to a logic L′ is a computable function which takes a formula φ ∈ L as input and outputs an equivalent formula φ′ ∈ L′. Second, we say that a logic L has effective conjunction if there is a computable function taking formulas φ, ψ ∈ L as input and outputting a formula χ ∈ L which is equivalent to φ ∧ ψ.


Theorem 6.1. Let L be an extension of FL which satisfies CIP. Suppose further that there is an effective translation from FL to L, and L has effective conjunction. The satisfiability problem for L is undecidable if either


Proof. Let χ be the sentence asserting the transitivity of the relation R. Since L has CIP and extends FL, it can express both ψ0(x1) and ψ1 by Proposition 6.1. If L can express ordered quantification, it can express ∀x1ψ0(x1), which is equivalent to χ. If L can express negation, then it can express ¬ψ1, which is also equivalent to χ. Since L, as an abstract logic, can express χ and is closed under predicate renamings, it can express that any number of binary relations are transitive. Let χ1, χ2, and χ3 be sentences expressing transitivity of the binary relation symbols R1, R2, and R3, respectively. Let tr be an effective translation from FL to L. Then a formula φ of FL with three designated transitive relations is satisfiable if and only if tr(φ) ∧ χ1 ∧ χ2 ∧ χ3 is satisfiable. Since tr is computable and L is effectively closed under conjunction, this reduction is computable. Since the satisfiability problem for FL with three transitive relations is undecidable [46], the satisfiability problem for L is undecidable. ⊓⊔
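Concretely, the reduction at the heart of this proof can be sketched in a few lines of Python (our illustration only: the string-based formula representation and the placeholder `tr` are assumptions, not part of the paper's apparatus):

```python
# Illustrative sketch of the reduction in the proof of Theorem 6.1.
# Formulas are plain strings with "Ax" for universal quantifiers;
# `tr` stands in for an effective translation FL -> L, and `conj`
# for effective conjunction in L. Both are placeholders here.

def tr(phi: str) -> str:
    """Placeholder for an effective translation from FL to L."""
    return phi  # identity, purely for illustration

def conj(phi: str, psi: str) -> str:
    """Placeholder for effective conjunction in L."""
    return f"({phi} & {psi})"

def transitivity(rel: str) -> str:
    """The sentence asserting transitivity of a binary relation."""
    return (f"Ax1 Ax2 Ax3 (({rel}(x1,x2) & {rel}(x2,x3)) "
            f"-> {rel}(x1,x3))")

def reduce_fl3_to_l(phi: str) -> str:
    """Map an FL-formula with designated transitive relations
    R1, R2, R3 to an equisatisfiable L-formula."""
    result = tr(phi)
    for rel in ("R1", "R2", "R3"):
        result = conj(result, transitivity(rel))
    return result
```

Since each step is a computable string operation, undecidability of FL-satisfiability with three transitive relations transfers to L exactly as in the proof.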

It is also known that satisfiability is undecidable for FO<sup>2</sup>-formulas with two transitive relations [36]. Using this fact, along with Proposition 6.1, we obtain the following theorem, by a proof similar to that of Theorem 6.1.

Theorem 6.2. Let L be an extension of FO<sup>2</sup> which satisfies CIP. Suppose further that there is an effective translation from FO<sup>2</sup> to L, and L has effective conjunction. The satisfiability problem for L is undecidable if either


We remark that all forward logics and strong extensions of FO<sup>2</sup> with CIP, assuming appropriate effective translations and effective conjunction, meet the requirements of Theorems 6.1 and 6.2, and hence are undecidable.

## 7 Discussion

In the introduction, we mentioned several results indicating the failure of CIP among many natural proper extensions of FO. In [14], van Benthem points out that there is a similar scarcity among FO-fragments as well. Our results in Sections 3 and 5 may be interpreted as additional confirmation of this observation. Furthermore, one tends to study proper fragments of FO for their desirable computational properties, and so our broader undecidability results show that CIP fails for large swaths of decidable FO-fragments. However, there are a few notable fragments for which the determination of a minimal extension satisfying CIP is still open, such as FL and the quantifier-prefix fragments.

One limitation of our methodology and results is their dependence on a definition of Craig interpolation which mandates the existence of interpolants between proper formulas, while many practical applications only require CIP for sentences. Throughout this paper, we have established expressibility of a formula ϑ in a logic L by induction, constructing two formulas φ and ψ such that φ |= ψ and arguing that every interpolant for this entailment is equivalent to ϑ. In general, this method is difficult to apply unless free variables are allowed; it is not clear how to apply this type of inductive argument if we were only concerned with the existence of interpolants for sentences of the logic.

There are several well-studied properties strictly weaker than CIP. The ∆-interpolation property (also known as Suslin-Kleene interpolation) holds for a logic L if, whenever φ |= ψ, and (intuitively speaking) there is only one possible interpolant ϑ up to logical equivalence for this entailment, then L contains a formula equivalent to ϑ [5]. It is not hard to see that, unlike the Craig interpolation property, every logic L has a unique minimal extension, denoted ∆(L), satisfying the ∆-interpolation property. In fact, in our proofs we only rely on ∆-interpolation; every application of the assumption that some abstract logic L satisfies CIP yields a provably unique interpolant, up to logical equivalence. Therefore, all of our results hold also when CIP is replaced by ∆-interpolation.

Two additional weakenings of CIP are the projective and non-projective Beth definability properties. The projective Beth property states, roughly, that whenever a σ∪τ∪{R}-theory Σ implicitly defines a relation R in terms of the relations in σ, then Σ entails an explicit definition of R in terms of σ (the non-projective Beth property being the special case for τ = ∅). Many practical applications of CIP in database theory and knowledge representation require only the projective Beth property. It is not immediately clear how to extend our methodology to a systematic study of the (projective) Beth property among decidable FO-fragments. Indeed, GFO already satisfies the non-projective Beth property [33]. Given their applications, an interesting avenue of future work is to map the landscape of FO-fragments satisfying these properties. In the other direction, minimal extensions of logics with uniform interpolation (a strengthening of CIP) were studied in [25], although with limited results so far (cf. [25, Thm. 14]). Some of the minimal extensions of PLTL fragments with CIP identified in [28], however, do satisfy uniform interpolation.

Acknowledgements. We thank Jean Jung, Frank Wolter, and Malvin Gattinger for feedback on an earlier draft, and we thank Ian Pratt-Hartmann and Michael Benedikt for helpful remarks during a related workshop presentation. Balder ten Cate is supported by EU Horizon 2020 grant MSCA-101031081.

## References

1. Andréka, H., Németi, I., van Benthem, J.: Modal languages and bounded fragments of predicate logic. Journal of Philosophical Logic 27 (06 1998). https://doi.org/ 10.1023/A:1004275029985


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# Clones, closed categories, and combinatory logic<sup>⋆</sup>

Philip Saville

Department of Computer Science, University of Oxford, Oxford, UK philip.saville@cs.ox.ac.uk http://www.philipsaville.co.uk/

Abstract. We explain how to recast the semantics of the simply-typed λ-calculus, and its linear and ordered variants, using multi-ary structures. We define universal properties for multicategories, and use these to derive familiar rules for products, tensors, and exponentials. Finally we outline how to recover both the category-theoretic syntactic model and its semantic interpretation from the multi-ary framework. We then use these ideas to study the semantic interpretation of combinatory logic and the simply-typed λ-calculus without products. We introduce extensional SK-clones and show these are sound and complete for both combinatory logic with extensional weak equality and the simply-typed λ-calculus without products. We then show such SK-clones are equivalent to a variant of closed categories called SK-categories, so the simply-typed λ-calculus without products is the internal language of SK-categories.

Keywords: categorical semantics · abstract clones · lambda calculus · combinatory logic · closed categories · cartesian closed categories

## 1 Introduction

Lambek's correspondence between cartesian closed categories and the simply-typed λ-calculus is one of the central pillars of categorical semantics. One way of stating it categorically is to say that the syntax of typed λ-terms over a signature of base types and constants forms the free cartesian closed category (for a readable overview, see [27,9]). The existence of this syntactic model gives completeness: if an equation holds in every model, it holds in the free one, and hence in the syntax. The free property then gives soundness: for any interpretation of basic types and constants in a cartesian closed category (C, Π, ⇒) one has a functor ⟦−⟧ from the syntactic model to C, which is exactly the semantic interpretation of λ-terms. The fact this functor is required to preserve cartesian closed structure amounts to showing that the semantic interpretation is sound with respect to the usual βη-laws. All this justifies calling the simply-typed λ-calculus the internal language of cartesian closed categories.

This framework is powerful, but hides a fundamental mismatch: morphisms A → B in a category are unary—they have just one input—but terms-in-context

<sup>⋆</sup> Supported by the Air Force Office of Scientific Research under award number FA9550-21-1-0038.

such as x<sub>1</sub> : A<sub>1</sub>, . . . , x<sub>n</sub> : A<sub>n</sub> ⊢ t : B can have many inputs. The standard solution (e.g. [9,23]) is to use categorical products to model contexts, so a term t as above corresponds to a map ∏<sup>n</sup><sub>i=1</sub> A<sub>i</sub> → B out of the product.

Despite its evident success, this solution remains somewhat unsatisfactory, in two ways (see also [21]). First, it forces us to conflate two different syntactic classes, namely contexts and product types. As a result, some encoding is required to construct the syntactic model: the interpretation of x : A, y : B ⊢ t : C is a term in context p : A × B. This adds complexity to the construction, and results in the somewhat unintuitive fact that the semantic interpretation of a term t in the syntactic model may not be just t itself. In turn, this complicates the proof of completeness.

Second, we are forced to include products in our type theory if we want a category-theoretic internal language—even though the calculus without products likely has a stronger claim to being called 'the' simply-typed λ-calculus (e.g. see Church's original definition [8]). This raises the question: what categorical structure has the simply-typed λ-calculus without products as its internal language?

This paper. This paper has three main aims. First, to explain how removing the mismatch between terms-in-context and morphisms outlined above clarifies the semantic interpretation of simply-typed λ-calculi. To achieve this, one needs to move from the unary setting of categories to a multi-ary setting, in which we have multimaps A<sub>1</sub>, . . . , A<sub>n</sub> → B. These ideas are not new, but are under-appreciated, and I hope this will provide a self-contained introduction for a wider audience. Second, to initiate a multi-ary investigation of the semantics of (cartesian) combinatory logic, in the style of Hyland's investigation of similar ideas for the untyped λ-calculus ([18,19]). Finally, to use these results to define a categorical semantics for the simply-typed λ-calculus without products.

Outline. In Sections 2 to 6, we explain how the multi-ary perspective yields a slick way to derive the unary semantic interpretation and syntactic model, together with soundness and completeness results (Section 4.2). We also show how important type-theoretic constructions such as products and exponentials can be derived from the semantics. This framework accommodates different choices of structural rules, such as whether the language is ordered, linear, or cartesian.

The idea of using multi-ary constructions goes back to Lambek ([25,26]), and has recently been exploited to great effect in a very general setting by Shulman [40]. Particular cases can also be found in the works of Hyland ([18,19]), Hyland & de Paiva [20] and Blanco & Zeilberger [7]. A reader familiar with these approaches will likely be unsurprised by the technical development below. However, we believe these ideas deserve to be more widely known, so spend time making them explicit in a concrete setting.

In Section 7 we introduce a multi-ary model of (cartesian) combinatory logic, called SK-clones, and prove that the sub-category of extensional SK-clones is equivalent to the category of closed clones modelling simply-typed λ-calculus without products. This provides a categorical statement of the classical correspondence between λ-calculus and extensional combinatory logic (e.g. [5,15]).

Finally, in Section 8 we introduce a version of Eilenberg & Kelly's closed categories ([11,10]), called SK-categories, and show that the category of SK-categories is equivalent to the category of extensional SK-clones, and so to the category of closed clones. Hence, SK-categories are a categorical model for the simply-typed λ-calculus without products. SK-categories are a cartesian version of the prounital-closed categories of Uustalu, Veltri & Zeilberger ([43,44]), which in turn are closely related to an (incomplete) suggestion of Shulman's [39].

Jacobs has also isolated a structure that is sound and complete for simply-typed λ-calculus without products [21]. His approach, which fits into his elegant general framework [22], is also predicated on a careful distinction between contexts and products. His models are certain indexed categories, with the contexts encoded by the indexing: this makes them feel closer to multi-ary structures. In SK-categories, by contrast, contexts are modelled within the category itself by using the closed structure (cf. [35, §4.4]). Moreover, unlike other work relating closed categories to multi-ary structures, SK-categories do not force us to include a unit object in the corresponding type theory (cf. [31]).

Technical preliminaries. For a set S we write S<sup>*</sup> for the set of finite sequences over S, and use Greek letters Γ, ∆, . . . to denote elements of S<sup>*</sup>. The empty string is denoted ⋄, and the length of Γ by |Γ|. Where the length of a sequence is clear, we write simply A<sub>•</sub> for A<sub>1</sub>, . . . , A<sub>n</sub>. Contexts are assumed to be ordered lists.

We call multimaps of the form A → B unary and multimaps of the form ⋄ → B nullary.

We define a signature S to be a set |S| of basic sorts with sets S(Γ; B) of constants c : Γ → B for each (Γ, B) ∈ |S|<sup>*</sup> × |S|. A homomorphism of signatures f : S → S′ is a map |f| : |S| → |S′| with maps S(A<sub>1</sub>, . . . , A<sub>n</sub>; B) → S′(fA<sub>1</sub>, . . . , fA<sub>n</sub>; fB) for each ((A<sub>1</sub>, . . . , A<sub>n</sub>), B) ∈ |S|<sup>*</sup> × |S|. We write Sig for the category of signatures and their homomorphisms. One could also consider a version with higher-order constants, which may use the language's constructs. This extension does not change the theory significantly, and would require introducing multiple categories of signatures, so we do not seek this extra generality here (for an outline of this more general approach, see e.g. [38, §5.3.1]).

We assume familiarity with the simply-typed λ-calculus, as in e.g. [9]. We denote the simply-typed λ-calculus with constants and base types given by a signature S, and both product and exponential types modulo αβη-equality, by Λ<sup>×,→</sup><sub>S</sub>. We write Λ<sup>×</sup><sub>S</sub> and Λ<sup>→</sup><sub>S</sub> for the fragments with just products and just exponentials, respectively. Here we focus on the typed cases: the untyped versions—both in the syntax and in the multi-ary models—are recovered by fixing a single base type ∗ such that Θ(∗, . . . , ∗) = ∗ for each type constructor Θ.

We also assume familiarity with the basics of cartesian categories, cartesian closed categories, and monoidal categories, as in e.g. [30,27]. To avoid having to treat the unit type as a special case, cartesian categories are assumed to have n-ary products ∏<sup>n</sup> for all n ∈ N. We also work with functors preserving structure strictly: this simplifies the exposition without any great loss of generality. Thus, MonCat, SMonCat and CartCat denote the categories of monoidal categories, symmetric monoidal categories, and cartesian categories, respectively, with functors preserving all the data on the nose.

## 2 Multicategories and clones

We begin with an intuitive overview of the place of multi-ary structures in semantics. A multi-ary structure has multimaps A<sub>1</sub>, . . . , A<sub>n</sub> → B with multiple inputs and one output; unlike the morphisms in a category, multimaps correspond directly to terms-in-context. As a result, it is often easier to construct a multi-ary free model than it is to construct a unary one, and the interpretation of a term-in-context t in the free model is given by t itself. Moreover, every multi-ary structure gives rise to a unary one by restricting to multimaps with one input. The multi-ary semantics therefore factors the unary one.

One can then 'read off' the syntactic category, together with a guarantee that it has the right structure, by restricting the free multi-ary structure to unary maps. Similarly, the usual semantic interpretation in (say) a cartesian closed category C is exactly the interpretation that arises by extending C to a multi-ary structure. This gives an algebraic justification for encoding contexts as products: this is how one extends a cartesian closed category to a multi-ary structure. (For the details of these points, see Section 4.2.)

The multi-ary perspective also provides a unifying framework for type theories with different structural rules. The simply-typed λ-calculus is cartesian: it admits the structural rules of weakening, contraction, and permutation (as in e.g. [9, Fig. 3.2]). The corresponding multi-ary structures are certain abstract clones. Ordered type theories (e.g. [24,36]), also known as planar type theories (e.g. [2,46]), do not admit weakening, contraction, or permutation, and correspond to certain multicategories. Linear type theories (e.g. [16]), which admit only permutation, correspond to certain symmetric multicategories (see also the alternative 'tangled' option in [33]). Since abstract clones and symmetric multicategories may be seen as special cases of multicategories, we can develop a theory of how to add structure to cartesian, linear, and ordered type theories by analysing how to add structure to multicategories.

#### 2.1 Multicategories, clones, and their internal languages

We now introduce multicategories and abstract clones and show how they correspond to certain type theories. An even more general framework for syntax, allowing multi-ary domains and codomains as well as both cartesian and linear contexts, is provided by Shulman's recent work with polycategories [40]. Clones, and their correspondence with syntax, also play a key role in the 'algebraic syntax' programme of Fiore and collaborators initiated in [13] (see e.g. [12,3,4]).

Definition 1 ([25]). A multicategory M consists of a set |M| of objects and sets M(Γ; B) of multimaps for every Γ ∈ |M|<sup>*</sup> and B ∈ |M|, together with

1. An identity multimap Id<sub>A</sub> ∈ M(A; A) for every A ∈ |M|;

2. For any A<sub>1</sub>, . . . , A<sub>n</sub>, B ∈ |M| and (∆<sub>i</sub> ∈ |M|<sup>*</sup>)<sub>i=1,...,n</sub>, a composition map

$$\begin{aligned} \mathsf{M}(A\_1, \ldots, A\_n; B) \times \prod\_{i=1}^n \mathsf{M}(\Delta\_i; A\_i) &\to \mathsf{M}(\Delta\_1, \ldots, \Delta\_n; B) \\ \left(t, (u\_1, \ldots, u\_n)\right) &\mapsto t \circ \langle u\_1, \ldots, u\_n \rangle \end{aligned}$$

subject to an associativity law and two unit laws (see e.g. [28, p. 35]). A multicategory functor f : M → N consists of a map |f| : |M| → |N| with maps f<sub>A•,B</sub> : M(A<sub>1</sub>, . . . , A<sub>n</sub>; B) → N(fA<sub>1</sub>, . . . , fA<sub>n</sub>; fB) for every A<sub>1</sub>, . . . , A<sub>n</sub>, B ∈ |M|, such that substitution and the identity are preserved (see e.g. [28, p. 39]).

Definition 2 ([32,20]). A symmetric multicategory consists of a multicategory M together with a symmetric group action: for each A<sub>1</sub>, . . . , A<sub>n</sub> ∈ |M| and σ ∈ S<sub>n</sub> one has (−) · σ : M(A<sub>1</sub>, . . . , A<sub>n</sub>; B) → M(A<sub>σ1</sub>, . . . , A<sub>σn</sub>; B) compatible with substitution and satisfying unit and associativity laws (e.g. [28, p. 54]). A symmetric multicategory functor is a multicategory functor which preserves the action.

We write Multicat (resp. SMulticat) for the category of (symmetric) multicategories and their functors, and write t : Γ → B for t ∈ M(Γ; B).

Example 1. Every monoidal category (C, ⊗, I) induces a multicategory T C. The objects are those of C, with multimaps (T C)(A<sub>1</sub>, . . . , A<sub>n</sub>; B) := C(A<sub>1</sub> ⊗ · · · ⊗ A<sub>n</sub>, B) for a chosen n-ary bracketing of the tensor product. This determines functors MonCat → Multicat and SMonCat → SMulticat (see e.g. [28, p. 39]); we denote both of these by T.

Lambek [25] essentially observed that every multicategory has an internal language, as follows. One identifies multimaps t : A<sub>1</sub>, . . . , A<sub>n</sub> → B with terms x<sub>1</sub> : A<sub>1</sub>, . . . , x<sub>n</sub> : A<sub>n</sub> ⊢ t : B, for a fixed ordering of an infinite set of variables {x<sub>1</sub>, x<sub>2</sub>, . . . }. The identity Id<sub>A</sub> is identified with the variable x : A, and the composition operation becomes a formal substitution operation on the language. Stated in this way, the three axioms become well-known properties of substitution: the unit laws say x[u] = u and t[x<sub>1</sub>, . . . , x<sub>n</sub>] = t, and the associativity law is a linear version of the so-called Substitution Lemma (e.g. [5, Lemma 2.1.16]).
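To make Lambek's identification concrete, here is a small Python sketch (ours, not from the paper) of terms-in-context and of composition as substitution over concatenated contexts; the tuple representation of terms is an assumption made purely for illustration:

```python
# Illustrative sketch: multimaps t : A1, ..., An -> B as terms over
# variables x1, ..., xn, with multicategory composition
# t o <u1, ..., un> given by substitution, where the variables of
# each u_i are renumbered into the concatenated context D1, ..., Dn.
# A term is ("var", i) for x_i, or ("con", name, [t1, ..., tk]).

def shift(term, k):
    """Rename every variable x_j in `term` to x_(j+k)."""
    if term[0] == "var":
        return ("var", term[1] + k)
    _, name, args = term
    return ("con", name, [shift(a, k) for a in args])

def compose(t, us, sizes):
    """t o <u1, ..., un>: substitute u_i (a term over its own
    context, whose length is sizes[i]) for x_i in t."""
    offsets, total = [], 0
    for s in sizes:
        offsets.append(total)
        total += s
    shifted = [shift(u, off) for u, off in zip(us, offsets)]

    def subst(term):
        if term[0] == "var":
            return shifted[term[1] - 1]
        _, name, args = term
        return ("con", name, [subst(a) for a in args])

    return subst(t)
```

With this representation the two unit laws hold by construction: composing the identity x<sub>1</sub> with a single term u returns u, and composing t with the identities x<sub>1</sub>, . . . , x<sub>n</sub> (each over a one-variable context) returns t.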

The next result shows this terminology does not differ too much from the notion of internal language in the introduction. For a signature S and Γ := (x<sub>i</sub> : A<sub>i</sub>)<sub>i=1,...,n</sub>, write O<sub>S</sub> for the ordered language generated by the two rules on the left below, and L<sub>S</sub> for the linear language generated by all three rules:

$$\frac{\phantom{x}}{x : A \vdash x : A} \qquad \frac{c \in \mathcal{S}(\Gamma; B) \qquad (\Delta_i \vdash u_i : A_i)_{i=1,\dots,n}}{\Delta_1, \dots, \Delta_n \vdash c^{\mathcal{S}}(u_1,\dots,u_n) : B} \qquad \frac{\Theta, x: A, y: B, \Delta \vdash t : C}{\Theta, y: B, x: A, \Delta \vdash t : C}$$

Substitution is defined as usual, so that the following rule is admissible:

$$\frac{x\_1: A\_1, \dots, x\_n: A\_n \vdash t: B \qquad (\Delta\_i \vdash u\_i: A\_i)\_{i=1,\dots,n}}{\Delta\_1, \dots, \Delta\_n \vdash t[u\_1/x\_1, \dots, u\_n/x\_n]: B} \tag{2}$$

With this rule as composition, O<sub>S</sub> and L<sub>S</sub> define a syntactic multicategory Syn(O<sub>S</sub>) and a syntactic symmetric multicategory Syn(L<sub>S</sub>), respectively. These define left adjoints to the functors Multicat → Sig and SMulticat → Sig sending a (symmetric) multicategory M to the signature with objects |M| and constants {M(Γ; B)}<sub>Γ∈|M|<sup>*</sup>, B∈|M|</sub>; we denote both these functors by U.

Lemma 1. Syn(O<sub>S</sub>) (resp. Syn(L<sub>S</sub>)) is the free multicategory (resp. symmetric multicategory) on S.

Thus, the internal language of a symmetric multicategory is the core of Abramsky's linear λ-calculus [1]. To recover a cartesian language, we use (multisorted) abstract clones. These differ from multicategories in that the result of substituting (u<sub>i</sub> : ∆ → A<sub>i</sub>)<sub>i=1,2</sub> into t : A<sub>1</sub>, A<sub>2</sub> → B yields a multimap of type ∆ → B, not ∆, ∆ → B. Abstract clones are equivalently cartesian multicategories (see e.g. [18]), but this formulation is less natural syntactically: it amounts to adding explicit duplication and deletion operations to the language.

Definition 3. An abstract clone $\mathbb{C}$ consists of a set $|\mathbb{C}|$ of sorts and sets $\mathbb{C}(\Gamma; B)$ of multimaps for every $\Gamma \in |\mathbb{C}|^*$ and $B \in |\mathbb{C}|$, together with distinguished multimaps $\mathfrak{p}_i^{A_\bullet} \in \mathbb{C}(A_1, \dots, A_n; A_i)$ for every $A_1, \dots, A_n \in |\mathbb{C}|$ and $i = 1, \dots, n$, and substitution operations


$$\mathbb{C}(A\_1, \dots, A\_n; B) \times \prod\_{i=1}^n \mathbb{C}(\Delta; A\_i) \to \mathbb{C}(\Delta; B)$$
 
$$\left(t, (u\_1, \dots, u\_n)\right) \mapsto t[u\_1, \dots, u\_n]$$

subject to an associativity law and two unit laws for any $t \in \mathbb{C}(A_1, \dots, A_n; B)$, $\big(u_i \in \mathbb{C}(B_1, \dots, B_m; A_i)\big)_{i=1,\dots,n}$ and $\big(v_j \in \mathbb{C}(\Theta; B_j)\big)_{j=1,\dots,m}$:

$$\big(t[u_\bullet]\big)[v_\bullet] = t\big[\dots, u_i[v_\bullet], \dots\big] \quad , \quad \mathfrak{p}_i^{A_\bullet}[u_1, \dots, u_n] = u_i \quad , \quad t[\mathfrak{p}_1^{A_\bullet}, \dots, \mathfrak{p}_n^{A_\bullet}] = t$$

A homomorphism of clones $f : \mathbb{C} \to \mathbb{D}$ consists of a map $|f| : |\mathbb{C}| \to |\mathbb{D}|$ and maps $f_{A_\bullet, B} : \mathbb{C}(A_1, \dots, A_n; B) \to \mathbb{D}(fA_1, \dots, fA_n; fB)$ for every $A_1, \dots, A_n, B \in |\mathbb{C}|$, such that $f(\mathfrak{p}_i^{A_\bullet}) = \mathfrak{p}_i^{fA_\bullet}$ and $f\big(t[u_1, \dots, u_n]\big) = (ft)[fu_1, \dots, fu_n]$. We write $\mathbf{Clone}$ for the category of clones and clone homomorphisms.
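As a concrete illustration of Definition 3 (a single-sorted toy model in Haskell, not part of the paper's development; the names `Tm`, `subst` and `projections` are ours), terms over a signature of operation symbols form a clone: variables play the role of the projections $\mathfrak{p}_i$ and simultaneous substitution is the clone operation.

```haskell
-- Terms over a signature of operation symbols. Variables x1, x2, ...
-- play the role of the projections p_i of Definition 3.
data Tm = Var Int | Op String [Tm] deriving (Eq, Show)

-- Simultaneous substitution t[u1, ..., un]: the clone's structure map.
subst :: Tm -> [Tm] -> Tm
subst (Var i)   us = us !! (i - 1)
subst (Op f ts) us = Op f (map (`subst` us) ts)

-- The projections p_1, ..., p_n of arity n.
projections :: Int -> [Tm]
projections n = map Var [1 .. n]
```

The unit laws $\mathfrak{p}_i[u_1,\dots,u_n] = u_i$ and $t[\mathfrak{p}_1,\dots,\mathfrak{p}_n] = t$, and the associativity law, can then be checked directly on sample terms.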

Example 2 (cf. Example 1). Any cartesian category $(\mathcal{C}, \Pi)$ determines a clone $\mathcal{P}\mathcal{C}$ with sorts the objects of $\mathcal{C}$ and $(\mathcal{P}\mathcal{C})\big(A_1, \dots, A_n; B\big) := \mathcal{C}\big(\prod_{i=1}^n A_i; B\big)$.

We distinguish between clones and multicategories by using $[\dots]$ for a clone's substitution operation and $\langle\dots\rangle$ for a multicategory's composition operation. Every multicategory, and hence every clone, has an underlying category.

Definition 4. The nucleus $\overline{\mathbb{M}}$ of a multicategory or clone $\mathbb{M}$ is the category with the same objects and $\overline{\mathbb{M}}(A, B) := \mathbb{M}(A; B)$. This defines functors $\overline{(-)} : \mathbf{Multicat} \to \mathbf{Cat}$ and $\overline{(-)} : \mathbf{Clone} \to \mathbf{Cat}$ to the category of small categories.

The internal language of a clone is a cartesian version of that for multicategories. Write $\Lambda_\mathcal{S}$ for the language below; substitution is defined as usual.

$$\frac{(i = 1, \ldots, n)}{x_1 : A_1, \ldots, x_n : A_n \vdash x_i : A_i} \quad \frac{c \in \mathcal{S}(\Gamma; B) \qquad (\Delta \vdash u_i : A_i)_{i = 1, \ldots, n}}{\Delta \vdash c(u_1, \ldots, u_n) : B}$$

Identifying variables with projections, we get a syntactic clone $\mathrm{Syn}(\Lambda_\mathcal{S})$.

Lemma 2. The canonical forgetful functor $U : \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, and the free clone on $\mathcal{S}$ is $\mathrm{Syn}(\Lambda_\mathcal{S})$.

Example 3. The languages $\Lambda^\times_\mathcal{S}$, $\Lambda^\to_\mathcal{S}$ and $\Lambda^{\times,\to}_\mathcal{S}$ each induce syntactic clones, which we denote by $\mathrm{Syn}(\Lambda^\times_\mathcal{S})$, $\mathrm{Syn}(\Lambda^\to_\mathcal{S})$ and $\mathrm{Syn}(\Lambda^{\times,\to}_\mathcal{S})$, respectively.

## 3 Universal properties for multicategories

In this section we generalise the categorical notion of universal arrows (as in e.g. [30, §3]) to give a notion of universal property for multicategories. This will provide a uniform way to introduce new connectives to a type theory. One could also define the required conditions directly (see [7,40]), but here we wish to emphasise that they arise from category-theoretic ideas.

Definition 5 (cf. [17]). Let $f : \mathbb{M} \to \mathbb{N}$ be a multicategory functor.


We extend this definition—and hence our notion of universal property—to clones by using the next observation (cf. the fact that a cartesian category is monoidal).

Lemma 3. There is a faithful functor $\mathcal{M} : \mathbf{Clone} \to \mathbf{Multicat}$ sending a clone $\mathbb{C}$ to the multicategory with the same objects and hom-sets, and composition given using substitution in $\mathbb{C}$ and the projections.

Definition 5 does not involve 'global' conditions like naturality, so it is particularly amenable to a type-theoretic interpretation. As in the categorical setting, however, it can be rephrased using natural isomorphisms (cf. [30, §3.2]).

Lemma 4. Let $f : \mathbb{M} \to \mathbb{N}$ be a multicategory functor.


$$\begin{array}{ccc}
\mathbb{M}(B;R) & \xrightarrow{\ \phi_B\ } & \mathbb{N}(fB;X) \\
\downarrow & & \downarrow \\
\mathbb{M}(A_1,\dots,A_n;R) & \xrightarrow{\ \phi_{A_\bullet}\ } & \mathbb{N}(fA_1,\dots,fA_n;X)
\end{array}
\qquad
\begin{array}{ccc}
\mathbb{M}(R;B) & \xrightarrow{\ \psi_B\ } & \mathbb{N}(X_1,\dots,X_n;fB) \\
\downarrow & & \downarrow{\scriptstyle\, f(u)\circ(-)}
\end{array}$$

A corollary is that giving a right adjoint to a multicategory functor $f : \mathbb{N} \to \mathbb{M}$ in Hermida's 2-category of multicategories [17] is equivalent to giving a mapping $g_0 : |\mathbb{M}| \to |\mathbb{N}|$ and a universal arrow $fg_0(X) \to X$ from $f$ to $X$ for each $X \in |\mathbb{M}|$.

## 4 Product structure

We now have enough to define products for multicategories, and hence for clones. An $n$-ary product is exactly a limit over the discrete category with $n$ objects. Rephrasing in terms of universal arrows (e.g. [30, §3]), we get that equipping a category $\mathcal{C}$ with $n$-ary products is exactly equipping it with a universal arrow from the diagonal functor $\Delta^{(n)} : \mathcal{C} \to \mathcal{C}^{\times n}$ to $(A_1, \dots, A_n)$ for every $A_1, \dots, A_n \in \mathcal{C}$.

Since $\mathbf{Multicat}$ has finite products, defined in much the same way as in the category of small categories $\mathbf{Cat}$, we may make the following definition. The prefix 'cartesian' is already used for multicategories, so we use 'finite-products'.

Definition 6. An fp-multicategory is a multicategory $\mathbb{M}$ equipped with a universal arrow $\big(\prod_{i=1}^n A_i,\ (\pi_1^{A_\bullet}, \dots, \pi_n^{A_\bullet})\big)$ from the diagonal functor $\Delta^{(n)} : \mathbb{M} \to \mathbb{M}^{\times n}$ to $(A_1, \dots, A_n)$ for every $n \in \mathbb{N}$ and $A_1, \dots, A_n \in |\mathbb{M}|$.

Asking for $\mathbb{M}$ to have finite products is equivalent to asking for a product object $\prod_{i=1}^n A_i$ and unary multimaps $\big(\pi_i^{A_\bullet} : \prod_{i=1}^n A_i \to A_i\big)_{i=1,\dots,n}$ for each $A_1, \dots, A_n \in |\mathbb{M}|$, such that composition induces isomorphisms $\mathbb{M}\big(\Gamma; \prod_{i=1}^n A_i\big) \cong \prod_{i=1}^n \mathbb{M}(\Gamma; A_i)$. In the internal language, this amounts to the following rules:

pi " 1, . . . , nq p : ś<sup>n</sup> <sup>i</sup>"<sup>1</sup> A<sup>i</sup> \$ π A' i ppq : A<sup>i</sup> , pΓ \$ t<sup>i</sup> : Aiqi"1,...,n Γ \$ xt, . . . , tny : ś<sup>n</sup> <sup>i</sup>"<sup>1</sup> A<sup>i</sup> π A' i ppq " xt1, . . . , tny ‰ " t<sup>i</sup> , @ π A' 1 ppqrus, . . . , πA' n ppqrus D " u (3)

We can now derive the rules for $\&$ in linear λ-calculus [1]. Indeed, given $\Gamma, x : A_i, \Theta \vdash t : B$, from (3) we get $\Gamma, p : \prod_{i=1}^n A_i, \Theta \vdash t[\pi_i^{A_\bullet}(p)/x] : B$. This suggests the following. Let $\mathcal{O}^{\&}_\mathcal{S}$ (resp. $\mathcal{L}^{\&}_\mathcal{S}$) be the extension of $\mathcal{O}_\mathcal{S}$ (resp. $\mathcal{L}_\mathcal{S}$) with

$$\frac{\Gamma, x_i : A_i, \Theta \vdash t : C \qquad \Delta \vdash u : \&_{i=1}^n A_i}{\Gamma, \Delta, \Theta \vdash \mathbf{let}\ x_i\ \mathbf{be}\ \mathfrak{p}_i\ \mathbf{of}\ u\ \mathbf{in}\ t : C} \quad , \quad \frac{(\Gamma \vdash t_i : A_i)_{i=1,\dots,n}}{\Gamma \vdash \langle t_1, \dots, t_n \rangle : \&_{i=1}^n A_i}$$

$$\mathbf{let}\ x_i\ \mathbf{be}\ \mathfrak{p}_i\ \mathbf{of}\ \langle u_i\rangle_{i=1}^n\ \mathbf{in}\ t = t[u_i/x_i] \quad , \quad \big\langle\, \mathbf{let}\ x_i\ \mathbf{be}\ \mathfrak{p}_i\ \mathbf{of}\ u\ \mathbf{in}\ x_i \,\big\rangle_{i=1}^n = u$$

where we write $\langle u_i \rangle_{i=1}^n$ for $\langle u_1, \dots, u_n \rangle$. This syntax enjoys a freeness property. To see this, say a multicategory functor $f$ (strictly) preserves finite products if it preserves all the data on the nose, so that $f\big(\prod_{i=1}^n A_i\big) = \prod_{i=1}^n fA_i$, $f(\pi_i^{A_\bullet}) = \pi_i^{fA_\bullet}$, and $f(\langle t_1, \dots, t_n \rangle) = \langle ft_1, \dots, ft_n \rangle$. Write $\mathbf{fpMulticat}$ for the category of fp-multicategories and product-preserving functors, and $\mathbf{fpSMulticat}$ for the subcategory of symmetric multicategories with finite products, with functors preserving both structures.

Lemma 5. The composite forgetful functor $\mathbf{fpMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ has a left adjoint, and the free fp-multicategory on $\mathcal{S}$ is $\mathrm{Syn}(\mathcal{O}^{\&}_\mathcal{S})$. This extends to symmetric structure: replace $\mathbf{fpMulticat}$ by $\mathbf{fpSMulticat}$ and $\mathcal{O}^{\&}$ by $\mathcal{L}^{\&}$.

Returning to the cartesian setting, we define products in a clone using the corresponding structure for multicategories and Lemma 3.

Definition 7. A cartesian clone $(\mathbb{C}, \Pi)$ is a clone $\mathbb{C}$ equipped with a choice of finite products on $\mathcal{M}\mathbb{C}$. A (strict) homomorphism of cartesian clones is a clone homomorphism $f$ that strictly preserves all the product structure. We write $\mathbf{CartClone}$ for the category of cartesian clones and strict homomorphisms.

Writing $\pi_i(t)$ for the multimap $\pi_i^{A_\bullet}[t]$, the rules (3) translate directly to the usual product rules of λ-calculus. So cartesian clones exactly capture $\Lambda^\times$.

Lemma 6. The composite forgetful functor $\mathbf{CartClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, and $\mathrm{Syn}(\Lambda^\times_\mathcal{S})$ is the free cartesian clone on $\mathcal{S}$.

Using the characterisation of universal arrows in terms of natural isomorphisms, we get the following refinement of Example 2.

Example 4. For any cartesian category $(\mathcal{C}, \Pi)$ the induced clone $\mathcal{P}\mathcal{C}$ is cartesian, essentially by definition; this extends to a functor $\mathcal{P} : \mathbf{CartCat} \to \mathbf{CartClone}$. Moreover, if $(\mathbb{C}, \Pi)$ is a cartesian clone then its nucleus $\overline{\mathbb{C}}$ is a cartesian category. Hence $\overline{(-)}$ restricts to a functor $\mathbf{CartClone} \to \mathbf{CartCat}$.

The two functors in this example are actually adjoint, yielding our first version of the schema in (1). The unit is identity-on-objects and sends $t : A_1, \dots, A_n \to B$ to $t[\pi_1^{A_\bullet}, \dots, \pi_n^{A_\bullet}] : \prod_{i=1}^n A_i \to B$.

Proposition 1. The functor $\overline{(-)} : \mathbf{CartClone} \to \mathbf{CartCat}$ fits into the following diagram of adjunctions:

$$\mathbf{Sig}\ \overset{F}{\underset{U}{\rightleftarrows}}\ \mathbf{CartClone}\ \overset{\overline{(-)}}{\underset{\mathcal{P}}{\rightleftarrows}}\ \mathbf{CartCat}$$

Moreover, $U \circ \mathcal{P}$ is equal to the canonical forgetful functor $\mathbf{CartCat} \to \mathbf{Sig}$. Hence, the free cartesian category on $\mathcal{S}$ is canonically isomorphic to $\overline{\mathrm{Syn}(\Lambda^\times_\mathcal{S})}$.

### 4.1 Cartesian structure from representability

In the preceding section we defined products using a multi-ary version of the familiar universal property. There is another way to define 'monoidal structure' in a multicategory: Hermida's representability [17]. From the perspective of linear logic, the finite-product structure explored above corresponds to the additive conjunction $\&$; Hermida's representability will correspond to the multiplicative conjunction $\otimes$. We shall also see that, for clones, the two are equivalent.

Definition 8. A representable multicategory is a multicategory $\mathbb{M}$ equipped with a universal arrow $\big(T(X_1, \dots, X_n),\ \rho_{X_\bullet} : X_1, \dots, X_n \to T(X_1, \dots, X_n)\big)$ from $X_1, \dots, X_n$ to the identity $\mathrm{id}_\mathbb{M}$ for each $X_1, \dots, X_n \in |\mathbb{M}|$; we write $T_{i=1}^n X_i$ for $T(X_1, \dots, X_n)$. These universal arrows must be closed under composition, so

$$X_1, \ldots, X_n, Y_1, \ldots, Y_m \xrightarrow{\ \langle \rho_{X_\bullet},\, \rho_{Y_\bullet} \rangle\ } T_{i=1}^n X_i,\ T_{j=1}^m Y_j \xrightarrow{\ \rho\ } T\big(T_{i=1}^n X_i,\ T_{j=1}^m Y_j\big)$$

must also be universal. A representable multicategory functor $f$ is a multicategory functor that preserves all the universal arrows, so that $f\big(T_{i=1}^n A_i\big) = T_{i=1}^n fA_i$, $f(\rho_{A_\bullet}) = \rho_{fA_\bullet}$ and $f(t^\sharp) = (ft)^\sharp$. Write $\mathbf{RepMulticat}$ for the category of representable multicategories, and $\mathbf{SRepMulticat}$ for the category of representable multicategories whose underlying multicategories are also symmetric, with functors preserving both structures.

Example 5 (cf. Example 1). The multicategory $\mathcal{T}\mathcal{C}$ induced by a monoidal category $(\mathcal{C}, \otimes, I)$ is representable. We therefore obtain functors $\mathbf{MonCat} \to \mathbf{RepMulticat}$ and $\mathbf{SMonCat} \to \mathbf{SRepMulticat}$; we denote them both $\mathcal{T}$.

A representable multicategory is a multicategory equipped with rules which are dual to those in (3), in the sense that the universal arrow goes in the other direction. Indeed, writing $x_1 \otimes \dots \otimes x_n$ for $\rho_{A_\bullet}$, and $\mathbf{let}\ (x_1, \dots, x_n)\ \mathbf{be}\ p\ \mathbf{in}\ t$ for $t^\sharp$, and extending this to all terms by

$$u\_1 \otimes \dots \otimes u\_n := (x\_1 \otimes \dots \otimes x\_n)[u\_1/x\_1, \dots, u\_n/x\_n]$$

$$\mathbf{1et}\left(x\_1, \dots, x\_n\right)\mathbf{be}\ u\ \mathbf{in}\ t := \left(\mathbf{1et}\left(x\_1, \dots, x\_n\right)\ \mathbf{be}\ p\ \mathbf{in}\ t\right)[u/p]$$

we obtain the following rules, where $\Gamma := (x_i : A_i)_{i=1,\dots,n}$:

$$\frac{(\Delta\_{i}\vdash u\_{i}:A\_{i})\_{i=1,\ldots,n}}{\Delta\_{1},\ldots,\Delta\_{n}\vdash\bigotimes\_{i=1}^{n}u\_{i}:\bigotimes\_{i=1}^{n}A\_{i}}\ ,\ \frac{\Lambda,\Gamma,\Theta\vdash t:B\qquad\Delta\vdash u:\bigotimes\_{i=1}^{n}A\_{i}}{\Lambda,\Delta,\Theta\vdash\mathbf{1et}\ (x\_{1},\ldots,x\_{n})\ \mathbf{be}\ u\ \mathbf{in}\ t:B}\tag{4}$$

$$\mathbf{let}\ (x_1, \dots, x_n)\ \mathbf{be}\ p\ \mathbf{in}\ t\big[\textstyle\bigotimes_{i=1}^n x_i / p\big] = t \quad , \quad \mathbf{let}\ (x_1, \dots, x_n)\ \mathbf{be}\ \textstyle\bigotimes_{i=1}^n x_i\ \mathbf{in}\ t = t$$

We write $\mathcal{O}^\otimes_\mathcal{S}$ (resp. $\mathcal{L}^\otimes_\mathcal{S}$) for the extension of $\mathcal{O}_\mathcal{S}$ (resp. $\mathcal{L}_\mathcal{S}$) with these rules. This is essentially the tensor fragment of Abramsky's linear λ-calculus [1]. The connection with multicategories was already made by Hyland & de Paiva [20], who showed this type theory arises from Lambek's monoidal multicategories [26].

Lemma 7. The composite forgetful functor $\mathbf{RepMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ has a left adjoint, and the free representable multicategory on $\mathcal{S}$ is the syntactic multicategory $\mathrm{Syn}(\mathcal{O}^\otimes_\mathcal{S})$. The same holds for symmetric structure, if one replaces $\mathbf{RepMulticat}$ by $\mathbf{SRepMulticat}$ and $\mathcal{O}^\otimes$ by $\mathcal{L}^\otimes$.

Combining this lemma with Lemma 5, one sees that a multicategory equipped with representable and finite-product structure corresponds to a linear type theory with both $\otimes$ and $\&$.

We can also obtain a linear version of Proposition 1. Hermida [17] showed that the 2-category of representable multicategories is 2-equivalent to the 2-category of monoidal categories, and Weber showed this extends to the symmetric case [45]. From these constructions one can extract functors $\mathcal{N} : \mathbf{RepMulticat} \to \mathbf{MonCat}$ and $\mathcal{N}_{\mathrm{sym}} : \mathbf{SRepMulticat} \to \mathbf{SMonCat}$ sending a (symmetric) representable multicategory to a (symmetric) monoidal structure on its nucleus, together with equivalences $\mathbf{RepMulticat} \simeq \mathbf{MonCat}$ and $\mathbf{SRepMulticat} \simeq \mathbf{SMonCat}$. So we get the following.

Proposition 2. The functors $\mathcal{N}$ and $\mathcal{N}_{\mathrm{sym}}$ fit into the following diagram of adjunctions, where in each case the right-hand adjunction is an equivalence:

$$\mathbf{Sig}\ \overset{F}{\underset{U}{\rightleftarrows}}\ \mathbf{RepMulticat}\ \overset{\mathcal{N}}{\underset{\mathcal{T}}{\rightleftarrows}}\ \mathbf{MonCat} \qquad \mathbf{Sig}\ \overset{F}{\underset{U}{\rightleftarrows}}\ \mathbf{SRepMulticat}\ \overset{\mathcal{N}_{\mathrm{sym}}}{\underset{\mathcal{T}_{\mathrm{sym}}}{\rightleftarrows}}\ \mathbf{SMonCat}$$
Moreover, $U \circ \mathcal{T}$ and $U \circ \mathcal{T}_{\mathrm{sym}}$ are both equal to the canonical forgetful functor to $\mathbf{Sig}$. Hence, the free monoidal (resp. symmetric monoidal) category on a signature $\mathcal{S}$ is canonically isomorphic to $\mathcal{N}\big(\mathrm{Syn}(\mathcal{O}^\otimes_\mathcal{S})\big)$ (resp. $\mathcal{N}_{\mathrm{sym}}\big(\mathrm{Syn}(\mathcal{L}^\otimes_\mathcal{S})\big)$).

We now turn to studying representability in the cartesian setting.

Definition 9. A representable clone is a clone $\mathbb{C}$ equipped with a choice of representable structure on $\mathcal{M}\mathbb{C}$. A representable clone homomorphism is a clone homomorphism which preserves the representable structure as in Definition 8.

A cartesian clone makes the projections primitive (recall (3)), but a representable clone makes the pairing operation primitive (recall (4)). It turns out these perspectives are equivalent. In the proof-theoretic setting such ideas are well-studied (cf. the equivalence of G-systems and N-systems in [42, §3.3]); the categorical statement has also been made by Pisani [34] and Shulman [40].

Proposition 3. Equipping a clone C with representable structure is equivalent to equipping C with cartesian structure.

In Proposition 2 we gave an equivalence of categories, but in Proposition 1 we only gave an adjunction. We can now upgrade the latter to an equivalence. Indeed, $\overline{(-)} \circ \mathcal{P}$ is equal to the identity. On the other hand, if $(\mathbb{C}, \Pi)$ is a cartesian clone then by Proposition 3 and Lemma 4 we have a multi-natural isomorphism $\mathbb{C}(A_1, \dots, A_n; B) \cong \mathbb{C}\big(\prod_{i=1}^n A_i; B\big) = \mathcal{P}\big(\overline{\mathbb{C}}\big)(A_1, \dots, A_n; B)$.

Corollary 1 ([34]). The functors $\mathcal{P}$ and $\overline{(-)}$ of Proposition 1 define an adjoint equivalence $\mathbf{CartClone} \simeq \mathbf{CartCat}$.

### 4.2 Recovering the semantic interpretation and syntactic model

We now show how the usual semantic interpretation, syntactic model, and soundness and completeness results can be derived from the multi-ary framework. Although we shall not pursue the point in detail for reasons of space, essentially the same argument holds for all the calculi considered in this paper.

Semantic interpretation and soundness. We recover the usual semantic interpretation of $\Lambda^\times$ in a cartesian category by Lemma 6 and Example 4 as follows. Let $U : \mathbf{CartCat} \to \mathbf{Sig}$ be the functor sending a cartesian category $(\mathcal{C}, \Pi)$ to the signature with objects those of $\mathcal{C}$ and constants $\big\{\mathcal{C}\big(\prod_{i=1}^n A_i, B\big)\big\}_{A_1, \dots, A_n, B \in \mathcal{C}}$. An interpretation $s : \mathcal{S} \to U\mathcal{C}$ of basic types and constants in $\mathcal{C}$ is exactly an interpretation $s : \mathcal{S} \to U(\mathcal{P}\mathcal{C})$ in the induced cartesian clone. The unique extension $s\llbracket - \rrbracket : \mathrm{Syn}(\Lambda^\times_\mathcal{S}) \to \mathcal{P}\mathcal{C}$ sends a term $x_1 : A_1, \dots, x_n : A_n \vdash t : B$ to a multimap $s\llbracket x_1 : A_1, \dots, x_n : A_n \rrbracket \to s\llbracket B \rrbracket$ in $\mathcal{P}\mathcal{C}$, which is exactly a map $\prod_{i=1}^n s\llbracket A_i \rrbracket \to s\llbracket B \rrbracket$ in $\mathcal{C}$. It is not hard to show this coincides with the usual, inductively defined semantic interpretation. Unlike with the unary approach, we do not need to prove soundness with respect to βη as a separate lemma: this holds immediately from the fact that $s\llbracket - \rrbracket$ is a cartesian clone homomorphism.
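The shape of this interpretation—a term-in-context denoting a map out of the product of its context—can be made concrete in a small Haskell sketch (our own illustration of the idea, not the paper's construction; `Expr`, `Val` and `eval` are hypothetical names). An environment list stands in for the product $\prod_{i=1}^n \llbracket A_i \rrbracket$:

```haskell
-- A fragment of Λ^×: variables, pairing and projections.
data Expr = Var Int | Pair Expr Expr | Fst Expr | Snd Expr deriving (Eq, Show)

-- Semantic values: integers and pairs.
data Val = VInt Int | VPair Val Val deriving (Eq, Show)

-- ⟦x1 : A1, ..., xn : An ⊢ t : B⟧ as a function from environments
-- (standing in for the product of the context) to values.
eval :: Expr -> [Val] -> Val
eval (Var i)    env = env !! (i - 1)
eval (Pair t u) env = VPair (eval t env) (eval u env)
eval (Fst t)    env = case eval t env of { VPair a _ -> a; v -> error ("ill-typed: " ++ show v) }
eval (Snd t)    env = case eval t env of { VPair _ b -> b; v -> error ("ill-typed: " ++ show v) }
```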

Moreover, for any objects $A_1, \dots, A_n$ in a cartesian clone one can construct a 'multi-isomorphism' $(A_1, \dots, A_n) \cong \prod_{i=1}^n A_i$ (see [38, Lemma 4.2.16]). Hence, in a cartesian simple type theory with products, contexts must coincide with product types. Together with the preceding, this provides a mathematical explanation for the identification of contexts and product types in the interpretation of $\Lambda^{\times,\to}$.

Syntactic model. We extract the construction from Proposition 1. For a signature $\mathcal{S}$ the cartesian category $\overline{\mathrm{Syn}(\Lambda^\times_\mathcal{S})}$ has objects the types of $\Lambda^\times_\mathcal{S}$ and morphisms $A \to B$ given by αβη-equivalence classes of terms $x : A \vdash t : B$ for a fixed variable $x$. Composition is substitution and the identity on $A$ is the variable $x : A$. The projections are $x : \prod_{i=1}^n A_i \vdash \pi_i^{A_\bullet}(x) : A_i$ and the pairing of maps $(x : C \vdash t_i : A_i)_{i=1,2}$ is $x : C \vdash \langle t_1, t_2 \rangle : A_1 \times A_2$. The usual proofs that this is indeed cartesian (see e.g. [9, Chapter 3]) are replaced by the simple observation of Example 4.

Completeness. Once again, the proof is largely category-theoretic. Note first that the functor $\overline{(-)} : \mathbf{CartClone} \to \mathbf{CartCat}$ is faithful. One can prove this directly using Proposition 3, or infer it from Corollary 1 and the fact that any equivalence is fully faithful. In any case, it follows by standard results (e.g. [37, Lemma 4.5.13]) that the unit $\eta'$ of the adjunction $\overline{(-)} \dashv \mathcal{P}$ is monic. Just as in $\mathbf{Cat}$, any monomorphism of clones is injective on objects and injective on multimaps. It suffices, therefore, to find a semantic interpretation $\iota\llbracket - \rrbracket$ which is equal to a component of $\eta'$. This is accomplished by the next lemma.

Lemma 8. Let $F : \mathcal{C} \rightleftarrows \mathcal{D} : U$ and $F' : \mathcal{D} \rightleftarrows \mathcal{E} : U'$ be adjunctions ($F \dashv U$, $F' \dashv U'$) with units $\eta : \mathrm{id}_\mathcal{C} \Rightarrow UF$ and $\eta' : \mathrm{id}_\mathcal{D} \Rightarrow U'F'$. Then for any $C \in \mathcal{C}$, the unit $\eta'_{FC} : FC \to U'F'FC$ is the unique map $h$ such that the following diagram commutes:

$$\begin{array}{ccc}
UFC & \overset{Uh}{\dashrightarrow} & UU'F'FC \\
{\scriptstyle \eta_C}\,\big\uparrow & \nearrow & \\
C & &
\end{array}$$

where the diagonal $C \to UU'F'FC$ is the unit of the composite adjunction $F'F \dashv UU'$ at $C$.

In the setting of Proposition 1 this lemma implies that the component $\eta'_{F\mathcal{S}} : \mathrm{Syn}(\Lambda^\times_\mathcal{S}) \to \mathcal{P}\big(\overline{\mathrm{Syn}(\Lambda^\times_\mathcal{S})}\big)$ of the unit for the adjunction $\overline{(-)} \dashv \mathcal{P}$ is exactly the unique cartesian clone homomorphism $\iota\llbracket - \rrbracket$ extending the obvious interpretation $\iota := \mathcal{S} \hookrightarrow \overline{\mathrm{Syn}(\Lambda^\times_\mathcal{S})}$ of base types and constants in the free cartesian category. By our preceding discussion, this clone homomorphism is injective on multimaps: so if $\iota\llbracket t \rrbracket = \iota\llbracket t' \rrbracket$ then $t = t'$ in $\mathrm{Syn}(\Lambda^\times_\mathcal{S})$, hence $t =_{\beta\eta} t'$.

## 5 Closed structure

To define closed structure, we follow Lambek's definition and simply upgrade the hom-set definition of exponentials to multicategories.

Definition 10 ([26]). A closed multicategory is a multicategory $\mathbb{M}$ equipped with an object $[A, B]$ and a multimap $\mathrm{eval}_{A,B} : [A, B], A \to B$ for every $A, B \in |\mathbb{M}|$, such that composition induces isomorphisms as shown:

$$\mathbb{M}(\Gamma, A; B) \underset{\cong}{\xleftarrow{\ \mathrm{eval}_{A,B} \,\circ\, \langle -, \mathrm{Id}_A \rangle\ }} \mathbb{M}(\Gamma; [A, B]) \tag{5}$$

A (strict) closed multicategory functor is a multicategory functor $f$ which preserves all the data: $f([A, B]) = [fA, fB]$, $f(\mathrm{eval}_{A,B}) = \mathrm{eval}_{fA,fB}$ and $f(\Lambda t) = \Lambda(ft)$. We write $\mathbf{ClMulticat}$ for the category of closed multicategories and their functors, and $\mathbf{ClSMulticat}$ for the category of symmetric multicategories with closed structure, and functors preserving both of these.

Example 6. If $(\mathcal{C}, \otimes, I, [-, =])$ is a closed (symmetric) monoidal category then the induced (symmetric) multicategory $\mathcal{T}\mathcal{C}$ is also closed.

Closed multicategories allow us to model exponentials without requiring a tensor product. Writing out the rules in the internal language, we get the map $\Lambda^A$ in (5) as the usual abstraction rule, and the evaluation map as the application $f : A \multimap B, x : A \vdash f\,x : B$. We then see that $\Delta, f : A \multimap B, x : A \vdash u[f\,x/y] : C$ whenever $\Delta, y : B \vdash u : C$, so we recover a small adaptation of Abramsky's rules for exponentials. Write $\mathcal{O}^\multimap_\mathcal{S}$ (resp. $\mathcal{L}^\multimap_\mathcal{S}$) for the extension of $\mathcal{O}_\mathcal{S}$ (resp. $\mathcal{L}_\mathcal{S}$) with the following rules and the βη-laws familiar from $\Lambda^\to$:

$$\frac{\Delta, y:B \vdash u:C \qquad \Theta \vdash t:A \multimap B \qquad \Gamma \vdash v:A}{\Delta, \Theta, \Gamma \vdash u[t \, v/y]:C} \,, \, \frac{\Gamma, x:A \vdash t:B}{\Gamma \vdash \lambda x. \, t:A \multimap B}$$

Lemma 9 ([20]). The composite forgetful functor $\mathbf{ClMulticat} \to \mathbf{Multicat} \to \mathbf{Sig}$ has a left adjoint, and the free closed multicategory on $\mathcal{S}$ is the syntactic multicategory $\mathrm{Syn}(\mathcal{O}^\multimap_\mathcal{S})$. The same holds for symmetric structure, if one replaces $\mathbf{ClMulticat}$ by $\mathbf{ClSMulticat}$ and $\mathcal{O}^\multimap$ by $\mathcal{L}^\multimap$.

For the cartesian case, we follow the same procedure as in Section 4.

Definition 11. A closed clone is a clone $\mathbb{C}$ equipped with a closed structure on $\mathcal{M}\mathbb{C}$. We write $\mathbf{ClClone}$ for the category of closed clones and clone homomorphisms preserving the closed structure as in Definition 10.

Example 7. If $(\mathcal{C}, \Pi, \Rightarrow)$ is a cartesian closed category, the clone $\mathcal{P}\mathcal{C}$ is closed.

Definition 11 recovers the usual βη-laws for exponentials in $\Lambda^\to$, complete with the weakenings that are usually implicit. Writing $f\,x$ for eval, we get the following equations in the internal language when $\Gamma := (x_i : A_i)_{i=1,\dots,n}$:

$$(f\,x)[(\lambda x\,.t)[x\_1/x\_1,\dots,x\_n/x\_n]/f,x/x] = t\,,\,\lambda x\,.(f\,x)[t\,[x\_1/x\_1,\dots,x\_n/x\_n]/f] = t$$

Lemma 10. The composite forgetful functor $\mathbf{ClClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, and the free closed clone on $\mathcal{S}$ is the syntactic clone $\mathrm{Syn}(\Lambda^\to_\mathcal{S})$.

## 6 Cartesian closed structure

The development above makes defining cartesian closed structure straightforward. For reasons of space we restrict ourselves to the cartesian case, but similar remarks apply to the linear and ordered cases.

Definition 12. A cartesian closed clone is a clone equipped with both closed structure and cartesian structure. We write $\mathbf{CCClone}$ for the category of cartesian closed clones and homomorphisms that strictly preserve both structures.

By Lemmas 6 and 10, we already have a freeness result.

Lemma 11. The composite forgetful functor $\mathbf{CCClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, and $\mathrm{Syn}(\Lambda^{\times,\to}_\mathcal{S})$ is the free cartesian closed clone on $\mathcal{S}$.

The nucleus of any cartesian closed clone $(\mathbb{C}, \Pi, \Rightarrow)$ is also cartesian closed:

$$\overline{\mathbb{C}}(A \times B, C) = \mathbb{C}(A \times B; C) \cong \mathbb{C}(A, B; C) \cong \mathbb{C}(A; B \Rightarrow C) = \overline{\mathbb{C}}(A, B \Rightarrow C)$$
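The middle step of this chain is ordinary currying. In Haskell it is witnessed by the standard `curry` and `uncurry`; we spell out the two directions under our own names to match the hom-set reading:

```haskell
-- Witnesses for C(A × B; C) ≅ C(A; B ⇒ C).
toExp :: ((a, b) -> c) -> a -> (b -> c)
toExp f x y = f (x, y)

fromExp :: (a -> b -> c) -> (a, b) -> c
fromExp g (x, y) = g x y
```

The two maps are mutually inverse, which is exactly the isomorphism of hom-sets above.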

Similarly, by Examples 4 and 7, for any cartesian closed category $(\mathcal{C}, \Pi, \Rightarrow)$ the induced clone $\mathcal{P}\mathcal{C}$ is cartesian closed. Proposition 1 then restricts as follows.

Proposition 4. The functor $\overline{(-)} : \mathbf{CCClone} \to \mathbf{CCCat}$ fits into the following diagram, in which the right-hand adjunction is an equivalence:

$$\mathbf{Sig}\ \overset{F}{\underset{U}{\rightleftarrows}}\ \mathbf{CCClone}\ \overset{\overline{(-)}}{\underset{\mathcal{P}}{\rightleftarrows}}\ \mathbf{CCCat}$$

Moreover, $U \circ \mathcal{P}$ is equal to the canonical forgetful functor $\mathbf{CCCat} \to \mathbf{Sig}$. Hence, the free cartesian closed category on $\mathcal{S}$ is canonically isomorphic to $\overline{\mathrm{Syn}(\Lambda^{\times,\to}_\mathcal{S})}$.

As in Section 4.2, the preceding two results are enough to recover the sound semantic interpretation of $\Lambda^{\times,\to}$, and the usual syntactic model.

## 7 Cartesian combinatory logic and SK-clones

In this section we begin a multi-ary investigation of cartesian combinatory logic, and give a categorical statement of the classical correspondence between combinatory logic and $\Lambda^\to$ (for which see e.g. [15,6]). In Section 8 we shall use this to define SK-categories and show they are sound and complete for $\Lambda^\to$.

We briefly recapitulate the rules of typed combinatory logic $\mathrm{CL}_\mathcal{S}$ over a signature $\mathcal{S}$; for a fuller account see e.g. [6]. Types are as in $\Lambda^\to$. Terms are given by the grammar $t, u ::= x \mid c \in \mathcal{S}(\Gamma; B) \mid (t\,u) \mid \mathbb{S} \mid \mathbb{K}$: we have variables, constants and an application operation as in $\Lambda^\to$ and, for any context $\Gamma$ and types $A$, $B$ and $C$, two combinators $\Gamma \vdash \mathbb{S}^\Gamma_{A,B,C} : \big(A \Rightarrow (B \Rightarrow C)\big) \Rightarrow \big((A \Rightarrow B) \Rightarrow (A \Rightarrow C)\big)$ and $\Gamma \vdash \mathbb{K}^\Gamma_{A,B} : A \Rightarrow (B \Rightarrow A)$. Substitution is as in $\Lambda^\to$, where the combinators $Z \in \{\mathbb{S}, \mathbb{K}\}$ satisfy $Z[u_1/x_1, \dots, u_n/x_n] = Z$, so that $Z^\Gamma$ is the weakening of $Z^\diamond$.

#### 174 P. Saville

The correlate of β-equality is weak equality $=_{\mathrm{w}}$, which is the smallest congruence containing $\mathbb{S}\,x\,y\,z = (x\,z)\,(y\,z)$ and $\mathbb{K}\,x\,y = x$. The correlate of βη-equality is extensional weak equality $=_{\mathrm{wext}}$, which extends $=_{\mathrm{w}}$ with the rule

$$\frac{t \, x\_1 \, \cdots \, x\_n = t' \, x\_1 \, \cdots \, x\_n \qquad x\_1, \dots, x\_n \text{ not free in } t \text{ or } t'}{t = t'} \text{ ext} \tag{6}$$

We write $\mathrm{CL}^{\mathrm{w}}$ for combinatory logic with weak equality and $\mathrm{CL}^{\mathrm{wext}}$ for combinatory logic with extensional weak equality. The usual encoding of $\mathrm{CL}^{\mathrm{w}}$ in $\Lambda^\to$ sends $\mathbb{S}$ and $\mathbb{K}$ to $\lambda f.\,\lambda g.\,\lambda x.\,(f\,x)\,(g\,x)$ and $\lambda x.\,\lambda y.\,x$, respectively.
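This encoding can be checked concretely: in Haskell (a standard illustration under our own names, not part of the paper's development) the two λ-terms are ordinary polymorphic functions, and the classical derivation $I := \mathbb{S}\,\mathbb{K}\,\mathbb{K}$ of the identity behaves as expected under weak equality:

```haskell
-- S and K as the λ-terms λf.λg.λx.(f x)(g x) and λx.λy.x.
combS :: (a -> b -> c) -> (a -> b) -> a -> c
combS f g x = (f x) (g x)

combK :: a -> b -> a
combK x y = x

-- The derived identity combinator I = S K K.
combI :: a -> a
combI = combS combK combK
```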

The next definition may be obtained by seeing that $\mathrm{CL}^{\mathrm{w}}$ can be presented as an algebraic theory, and that clones are equivalent to algebraic theories (e.g. [29,41]). We implicitly bracket application to the left, so $t \cdot u \cdot v := (t \cdot u) \cdot v$. We also write $(-)^{\Delta;\Theta}$ for the weakening map $\mathbb{C}(\Gamma; B) \to \mathbb{C}(\Delta, \Gamma, \Theta; B)$ sending $t$ to $t\big[\mathfrak{p}^{\Delta,\Gamma,\Theta}_{|\Delta|+1}, \dots, \mathfrak{p}^{\Delta,\Gamma,\Theta}_{|\Delta|+|\Gamma|}\big]$; when $\Gamma$ is empty we write just $(-)^\Delta$.

Definition 13. An SK-clone is a clone $\mathbb{C}$ equipped with a mapping $[-, =] : |\mathbb{C}| \times |\mathbb{C}| \to |\mathbb{C}|$, nullary multimaps $\mathbb{S}_{A,B,C} \in \mathbb{C}\big(\diamond; \big[[A, [B, C]], [[A, B], [A, C]]\big]\big)$ and $\mathbb{K}_{A,B} \in \mathbb{C}\big(\diamond; [A, [B, A]]\big)$ for every $A, B, C \in |\mathbb{C}|$, and a binary application operation $(- \cdot =) : \mathbb{C}(\Gamma; [A, B]) \times \mathbb{C}(\Gamma; A) \to \mathbb{C}(\Gamma; B)$ for every $\Gamma \in |\mathbb{C}|^*$ and $A, B \in |\mathbb{C}|$, such that the following axioms hold whenever they are well-typed:

$$(t \cdot u)[v\_1, \dots, v\_n] = t[v\_1, \dots, v\_n] \cdot u[v\_1, \dots, v\_n] \quad , \quad (\mathbb{K}\_{A,B})^{A,B} \cdot \mathfrak{p}\_1 \cdot \mathfrak{p}\_2 = \mathfrak{p}\_1$$

$$(\mathbb{S}\_{A,B,C})^{[A,[B,C]],[A,B],A} \cdot \mathfrak{p}\_1 \cdot \mathfrak{p}\_2 \cdot \mathfrak{p}\_3 = (\mathfrak{p}\_1 \cdot \mathfrak{p}\_3) \cdot (\mathfrak{p}\_2 \cdot \mathfrak{p}\_3)$$

A homomorphism of SK-clones is a clone homomorphism that preserves application, $\mathbb{S}$ and $\mathbb{K}$: $f(\mathbb{S}_{A,B,C}) = \mathbb{S}_{fA,fB,fC}$, $f(\mathbb{K}_{A,B}) = \mathbb{K}_{fA,fB}$ and $f(t \cdot u) = ft \cdot fu$. We write $\mathbf{SKClone}$ for the category of SK-clones and their homomorphisms.

Lemma 12. The composite forgetful functor $\mathbf{SKClone} \to \mathbf{Clone} \to \mathbf{Sig}$ has a left adjoint, and the free SK-clone on $\mathcal{S}$ is the syntactic clone $\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_\mathcal{S})$.

A core feature of the syntax of combinatory logic, which is at the heart of the correspondence between the terms of $\mathrm{CL}^{\mathrm{wext}}$ and $\Lambda^\to$, is the admissibility of bracket abstraction algorithms (see e.g. [5, §7.1]). To express this in the typed setting, we use the following notation. For a binary operation $[-, =]$ on a set $S$ we define $[-; =] : S^* \times S \to S$ inductively as follows:

$$[\diamond; B] := B \quad , \quad [A; B] := [A, B] \quad , \quad [\Gamma, A; B] := [\Gamma; [A, B]]$$

With this notation, bracket abstraction amounts to saying that if $\Gamma := (x_i : A_i)_{i=1,\dots,n}$ and $\Gamma \vdash t : B$ in $\mathrm{CL}^{\mathrm{w}}$, there exists a closed term $\diamond \vdash t^c : [\Gamma; B]$ such that $(t^c)^\Gamma\,x_1 \cdots x_n =_{\mathrm{w}} t$. The extensionality axiom (6) then says that $t^c$ is unique: in other words, $t \mapsto t^\Gamma\,x_1 \cdots x_n$ is an isomorphism.
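Bracket abstraction is easy to make concrete in the untyped setting. The following Haskell sketch (our own toy model; the paper works with typed terms) implements the classical algorithm together with leftmost weak reduction, so that `abstr x t` applied to `x` weakly reduces to `t`:

```haskell
-- Untyped combinatory-logic terms.
data CL = V String | S | K | CL :@ CL deriving (Eq, Show)
infixl 9 :@

fv :: CL -> [String]
fv (V y)    = [y]
fv (t :@ u) = fv t ++ fv u
fv _        = []

-- Classical bracket abstraction [x]t, with ([x]t) · x =_w t.
abstr :: String -> CL -> CL
abstr x (V y) | x == y       = S :@ K :@ K   -- I := S K K
abstr x t | x `notElem` fv t = K :@ t        -- [x]t = K t when x is not free
abstr x (t :@ u)             = S :@ abstr x t :@ abstr x u
abstr _ t                    = K :@ t        -- unreachable given the guards above

-- One step of leftmost weak reduction, iterated to weak normal form.
step :: CL -> Maybe CL
step (K :@ a :@ _)      = Just a
step (S :@ f :@ g :@ a) = Just (f :@ a :@ (g :@ a))
step (t :@ u)           = case step t of
                            Just t' -> Just (t' :@ u)
                            Nothing -> (t :@) <$> step u
step _                  = Nothing

nf :: CL -> CL
nf t = maybe t nf (step t)
```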

We now translate this into clone-theoretic terms. For any SK-clone $\mathbb{C}$ we obtain the operation $t \mapsto t^\Gamma\,x_1 \cdots x_n$ as the composite below:

$$i_{\Gamma;B} := \Big( \mathbb{C}(\diamond; [\Gamma; B]) \xrightarrow{\ (-)^\Gamma\ } \mathbb{C}(\Gamma; [\Gamma; B]) \xrightarrow{\ (-)\,\cdot\,\mathfrak{p}_1^\Gamma\,\cdots\,\mathfrak{p}_{|\Gamma|}^\Gamma\ } \mathbb{C}(\Gamma; B) \Big) \tag{7}$$

For $\Gamma := \diamond$ this is just the identity. The admissibility of bracket abstraction in the syntax of $\mathrm{CL}^{\mathrm{w}}$ is then captured by the next lemma. Typically bracket abstraction algorithms restrict to closed constants, because an open constant may have no corresponding closed term. We restrict in the same way. Call a signature $\mathcal{S}$ nullary if $\mathcal{S}(\Gamma; A) = \emptyset$ whenever $\Gamma \neq \diamond$, and write $\mathbf{Sig}_0 \hookrightarrow \mathbf{Sig}$ for the full subcategory of nullary signatures.

Lemma 13. Let $\mathcal{S}$ be a nullary signature. Then for any $\Gamma \in |\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_\mathcal{S})|^*$ and $B \in |\mathrm{Syn}(\mathrm{CL}^{\mathrm{w}}_\mathcal{S})|$ there exists a map $(-)^c$ such that $i_{\Gamma;B} \circ (-)^c = \mathrm{id}$.

Because bracket abstraction is defined by induction on the syntax, we cannot straightforwardly define it in an arbitrary SK-clone. We can, however, consider the subcategory of SK-clones (= semantic models of $\mathrm{CL}^{\mathrm{w}}$) which admit bracket abstraction, in the sense that each $i_{\Gamma;B}$ has a section. The extensional models are then those for which this section $(-)^c$ also satisfies uniqueness.

Definition 14. An SK-clone $\mathbb{C}$ is extensional if for every $\Gamma \in |\mathbb{C}|^*$ and $B \in |\mathbb{C}|$ the map $i_{\Gamma;B}$ defined in (7) is invertible. We write $\mathbf{SKClone}_{\mathrm{ext}}$ for the full subcategory of $\mathbf{SKClone}$ consisting of just the extensional SK-clones.

Lemma 14. The composite forgetful functor $\mathbf{SKClone}_{\mathrm{ext}} \to \mathbf{Clone} \to \mathbf{Sig}_0$ has a left adjoint, and the free extensional SK-clone on a nullary signature $\mathcal{S}$ is the syntactic clone $\mathrm{Syn}(\mathrm{CL}^{\mathrm{wext}}_\mathcal{S})$.

### 7.1 Extensional SK-clones are closed clones

In this section we outline why $\mathbf{SKClone}_{\mathrm{ext}}$ is equivalent to $\mathbf{ClClone}$, thereby giving a category-theoretic equivalence not just between the syntax of $\mathrm{CL}^{\mathrm{wext}}$ and $\Lambda^\to$ but also between their models. The proof uses extensionality, or the η-law, to pass from arbitrary multimaps to nullary ones, from which one can build a strict closed clone. We shall rely heavily on the following simple observation.

Lemma 15. Let C be a clone and X := {X(Γ; A)}<sub>Γ∈|C|<sup>⋆</sup>, A∈|C|</sub> a family of sets together with an isomorphism {ν<sub>Γ;A</sub> : C(Γ; A) → X(Γ; A)}<sub>Γ,A</sub> between X and the hom-sets of C in the functor category [|C|<sup>⋆</sup> × |C|, Set]. Then X acquires a canonical clone structure and ν becomes an isomorphism of clones.

We now introduce strict closed clones.

Definition 15. A strict closed clone is a closed clone (C, ⇒, eval) such that every Λ<sup>A</sup> : C(Γ, A; B) → C(Γ; A ⇒ B) is the identity. We write ι : ClClone<sub>st</sub> ↪ ClClone for the full subcategory consisting of just the strict closed clones.

Any closed clone (C, ⇒, eval) determines a strict closed clone SC and a clone isomorphism λ<sup>C</sup> : C → SC by applying Lemma 15 to the isomorphisms C(Γ; B) ≅ C(⋄; Γ ⇒ B) arising from the closed structure. This extends to a functor S : ClClone → ClClone<sub>st</sub> sending f : (C, ⇒, eval) → (D, ⇒, eval) to the composite λ<sup>D</sup> ∘ f ∘ (λ<sup>C</sup>)<sup>−1</sup>. A short calculation shows that the isomorphisms λ make S : ClClone ⇆ ClClone<sub>st</sub> : ι into an equivalence of categories.

We play a similar game for turning extensional SK-clones into (strict) closed clones. Indeed, for any extensional SK-clone C we have isomorphisms C(Γ; B) ≅ C(⋄; [Γ; B]) defining a strict closed clone LC with (LC)(Γ; B) := C(⋄; [Γ; B]), and hence a functor L : SKClone<sub>ext</sub> → ClClone<sub>st</sub> in a similar fashion to S.

Finally, for any closed clone (C, ⇒, eval) we get an extensional SK-clone EC with the same underlying clone by taking application to be application in Λ<sup>→</sup>, so t · u := eval<sub>A,B</sub>[t, u], and encoding the combinators as usual.

Theorem 1. There exist equivalences of categories

$$\mathbf{SKClone}_{\mathrm{ext}} \overset{L}{\underset{\simeq}{\rightleftarrows}} \mathbf{ClClone}_{\mathrm{st}} \overset{\iota}{\underset{\simeq}{\rightleftarrows}} \mathbf{ClClone}$$

## 8 A categorical model of Λ<sup>→</sup>

In Propositions 1 and 4 we recovered a unary semantic interpretation of Λ<sup>×</sup> and Λ<sup>×,→</sup> from our clone-theoretic ones. But we do not have a corresponding result for Λ<sup>→</sup>. In this section we fill this gap: we introduce SK-categories and show they play the role for Λ<sup>→</sup> that cartesian closed categories play for Λ<sup>×,→</sup>. Our definition is inspired by closed categories ([11,10]), which axiomatise an 'internal' version of the hom-functor C(−, =) in the form of a functor [−, =] : C<sup>op</sup> × C → C. Closed categories have a unit object, corresponding to requiring a unit type (cf. [31]); our definition avoids this (see also [39,43]).

Recall that in the presence of contravariance, dinaturality and extranaturality are the right replacements for naturality (see e.g. [30, §IX.4]).

Definition 16. An SK-category consists of a category C and functors [−, =] : C<sup>op</sup> × C → C and U : C → Set, together with


This data is subject to the condition that U ∘ [−, =] = C(−, =) : C<sup>op</sup> × C → Set and the 7 axioms of Figure 1a. An SK-functor (F, ϕ, ψ) is a functor F : C → D with natural transformations as below, such that the axioms of Figure 1b hold.

We call (F, ϕ, ψ) strict if ϕ is the identity, and write SKCat for the category of SK-categories and strict SK-functors.

(a) Axioms for an SK-category. In (1) the unlabelled arrow is the canonical map ⟨⟨π<sub>1</sub>π<sub>1</sub>, π<sub>2</sub>⟩, ⟨π<sub>2</sub>π<sub>1</sub>, π<sub>2</sub>⟩⟩ : (X × Y) × Z → (X × Z) × (Y × Z). In (3) we write ⟨id<sub>C</sub>⟩ for the set map ∗ ↦ id<sub>C</sub> : 1 → U[C, C].

(b) Axioms for an SK-functor

Fig. 1: Extra axioms for Definition 16

#### 178 P. Saville

We think of UC as the set of multimaps ⋄ → C and ε as a formal application operation (− · =). Axioms (1) and (2) are the weak equality laws from CL. Axioms (3) and (4) ensure compatibility between the category structure and the corresponding CL constructions: for example, axiom (3) implies U(f)(x) = f · x, and axiom (4) says that composition coincides with S (K −) (=), corresponding to the weak equality S (K f) g x = f (g x). Axioms (5)–(7) are coherence laws.

Every extensional SK-clone determines an SK-category. Because we follow [11] and ask for an equality U[A, B] = C(A, B) in the definition of SK-categories, but in general an extensional SK-clone (C, [−, =], S, K, ·) only has an isomorphism C(A; B) ≅ C(⋄; [A, B]), we need to strictify in the same manner as in Section 7.1. As a notational shorthand, we write I, B and B′ for the closed multimaps satisfying the equations below in the internal language of C (see e.g. [15,6]):

$$\mathsf{I}^A \cdot x = x \,, \quad \mathsf{B}^{B \Rightarrow C, A \Rightarrow B, A} \cdot x \cdot y \cdot z = x \cdot (y \cdot z) \,, \quad (\mathsf{B}')^{A \Rightarrow B, B \Rightarrow C, A} \cdot x \cdot y \cdot z = y \cdot (x \cdot z)$$
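As a quick sanity check, I, B and B′ are definable from S and K alone. The following curried-function encoding is our own illustration (not the paper's notation); it verifies the three equations on sample arguments, using the standard definitions I = SKK, B = S(KS)K, and B′ = CB with the flip combinator C f = B(Sf)K.

```python
# Curried encodings of the combinators; application is function application.
S = lambda x: lambda y: lambda z: x(z)(y(z))
K = lambda x: lambda y: x

I  = S(K)(K)               # I x = K x (K x) = x
B  = S(K(S))(K)            # B x y z = x (y z)
C  = lambda f: B(S(f))(K)  # C f x y = f y x  (argument flip)
Bp = C(B)                  # B' x y z = B y x z = y (x z)

f = lambda n: n + 1
g = lambda n: 2 * n

assert I(7) == 7
assert B(f)(g)(3) == f(g(3)) == 7    # x (y z)
assert Bp(f)(g)(3) == g(f(3)) == 8   # y (x z)
```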

The category NC has objects |C| and hom-sets (NC)(A, B) := C(⋄; [A, B]) (cf. [14]). The identity on A is I<sup>A</sup> and the composite of t and t′ is B · t · t′. For U we take UA := C(⋄; A) with the action on maps given by application. For [−, =] the action on objects is given by the SK-structure, with the action on maps given by [X, t] := B · t and [t, X] := B′ · t. The maps S and K are given by the corresponding combinators, and ε is the application operation in C. This extends to a functor N : SKClone<sub>ext</sub> → SKCat.

The internal language of SK-categories is CL<sup>wext</sup>, and hence Λ<sup>→</sup>. We write U for the functor which sends an SK-category (C, U, [−, =], S, K, ε) to the signature with base types |C| and constants U[Γ, B].

Proposition 5. The forgetful functor U : SKCat → Sig has a left adjoint, and the free SK-category on S is N(Syn(CL<sup>wext</sup><sub>S</sub>)) ≅ (N ∘ E)(Syn(Λ<sup>→</sup><sub>S</sub>)).

Using Theorem 1, we now obtain a version of Propositions 1 and 4 for Λ<sup>→</sup>.

Theorem 2. The composite N ∘ ι : ClClone<sub>st</sub> → SKCat is invertible; hence we get the diagram below, in which the right-hand adjunction is an equivalence:

$$\mathbf{Sig} \underset{\bot}{\rightleftarrows} \mathbf{ClClone} \overset{N \circ \iota}{\underset{\simeq}{\rightleftarrows}} \mathbf{SKCat}$$

Moreover, U ∘ Cl is equal to the forgetful functor SKCat → Sig, so the free SK-category on S is canonically isomorphic to (N ∘ E)(Syn(Λ<sup>→</sup><sub>S</sub>)).

Recall that a closed monoidal category is a monoidal category (D, ⊗, I) such that every (−) ⊗ D has a right adjoint [D, −], and that in a closed category C, giving every [C, −] a C-enriched left adjoint is equivalent to giving closed monoidal structure ([11,10,43]). Theorem 2 and Proposition 4 imply a cartesian version.

Corollary 2. Equipping a category C with cartesian closed structure is equivalent to equipping C with SK-structure and natural isomorphisms C(I, [C, D]) ≅ C(C, D) and C(C ⊗ D, E) ≅ C(C, [D, E]) for every C, D, E ∈ C.

Acknowledgements. I thank Nathanael Arkor and Dylan McDermott for useful discussions on early drafts of this paper, and the reviewers for their many useful comments. I am grateful to Nayan Rajesh for pointing out that the adjunctions between cartesian categories and cartesian clones, and between cartesian closed categories and cartesian closed clones, are in fact equivalences. Finally, I thank Marcelo Fiore for introducing me to clones.

## References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Infinite-State Systems**

## Reachability in Fixed VASS: Expressiveness and Lower Bounds

Andrei Draghici, Christoph Haase, and Andrew Ryzhikov

Department of Computer Science, University of Oxford, Oxford, UK andrei.draghici@stcatz.ox.ac.uk

Abstract. Recent years have seen remarkable progress in establishing the complexity of the reachability problem for vector addition systems with states (VASS), equivalently known as Petri nets. Existing work primarily considers the case in which both the VASS as well as the initial and target configurations are part of the input. In this paper, we investigate the reachability problem in the setting where the VASS and the final configuration are fixed and only the initial configuration is variable. We show that fixed VASS fully express arithmetic with counting on initial segments of the natural numbers. It follows that there is a very weak reduction from any fixed such number-theoretic predicate (e.g. square-freeness or "N<sub>1</sub> is the number of primes smaller than N<sub>2</sub>") to reachability in fixed VASS where configurations are presented in unary. If configurations are given in binary, we show that there is a fixed VASS with five counters whose reachability problem is PSPACE-hard.

## 1 Introduction

Vector addition systems with states (VASS), equivalently known as Petri nets, are a fundamental model of computation. A VASS comprises a finite-state controller with a finite number of counters ranging over the non-negative integers. When a transition is taken, counters can be updated by adding an integer, provided that the resulting counter values are all non-negative; otherwise the transition blocks. Given two configurations of a VASS, each consisting of a control state and an assignment of values to the counters, the reachability problem asks whether there is a path connecting the two configurations in the infinite transition system induced by the VASS. The VASS reachability problem has been one of the most intriguing problems in theoretical computer science and has been studied for more than fifty years. In the 1970s, Lipton showed this problem to be EXPSPACE-hard [18]. Ever since the 1980s [19, 14, 16], the reachability problem has been known to be decidable, albeit with non-elementary complexity. This wide gap between the EXPSPACE lower bound and a non-elementary upper bound persisted for many years, until a recent series of papers established various non-elementary lower bounds [5, 6, 15] matching a recently established upper bound [17], showing the VASS reachability problem to be Ackermann-complete. The lower bounds for this result require an unbounded number of counters, but even for a fixed number of counters, the Petri net reachability problem requires non-elementary time [6, 7, 15].

Main results. The main focus of this paper is to investigate the reachability problem for fixed VASS, where the VASS under consideration and the final configuration are fixed and only the initial configuration forms the input to a reachability query. Here, it is crucial to distinguish between the encoding of numbers used to represent counter values in configurations: in unary encoding, the representation length of a natural number n ∈ N is its magnitude n, whereas in binary encoding the bit length of n ∈ N is ⌈log n⌉ + 1. It turns out that establishing meaningful lower bounds under unary encoding of configurations is a rather delicate issue; a full discussion is deferred to Section 4. As a first step, we establish a tight correspondence between reachability in VASS and the first-order theory of initial segments of N with the arithmetical relations addition (+), multiplication (×) and counting quantifiers. An initial segment of N is a set N = {0, . . . , N} for some arbitrary but fixed N ∈ N \ {0}. Relations definable in this family of structures are known as rudimentary relations and contain many important number-theoretic relations, cf. [9] and the references therein. For instance, the fixed formula PRIME(x) ≡ ¬(x = 0) ∧ ¬(x = 1) ∧ ∀y < x ∀z < x ¬(x = y × z) evaluates to true in N precisely for all prime numbers up to N. The formula ∃<sup>=z</sup>y (y < x) ∧ PRIME(y) evaluates to true if and only if there exist exactly z prime numbers smaller than x.
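These fixed formulas can be checked directly by brute force over an initial segment. The following Python snippet is our own illustration (it is not part of the paper's construction); it evaluates PRIME(x) and the counting formula over {0, . . . , N}:

```python
# Brute-force evaluation of the fixed rudimentary formulas over {0, ..., N}.

def prime_formula(x, N):
    # PRIME(x) = not(x=0) and not(x=1) and forall y<x forall z<x not(x = y*z);
    # since x <= N, the bounded quantifiers stay inside the initial segment.
    return x not in (0, 1) and all(
        x != y * z for y in range(x) for z in range(x))

def count_formula(x, z, N):
    # "there exist exactly z values y with y < x and PRIME(y)"
    return z == sum(1 for y in range(min(x, N + 1)) if prime_formula(y, N))

N = 50
assert [x for x in range(N + 1) if prime_formula(x, N)][:5] == [2, 3, 5, 7, 11]
assert count_formula(10, 4, N)   # the primes below 10 are 2, 3, 5, 7
```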

Given a fixed rudimentary relation Φ(x<sub>1</sub>, . . . , x<sub>k</sub>), we show how to construct a fixed VASS V and fixed polynomials p<sub>1</sub>, . . . , p<sub>m</sub> such that Φ(n<sub>1</sub>, . . . , n<sub>k</sub>) evaluates to true in N if and only if there is a run in V starting in (p<sub>1</sub>(N, n<sub>1</sub>, . . . , n<sub>k</sub>), . . . , p<sub>m</sub>(N, n<sub>1</sub>, . . . , n<sub>k</sub>)) and ending in a zero vector. It thus follows that reachability in fixed VASS under unary encoding of configurations is at least as hard as evaluating any rudimentary relation under unary encoding of numbers. Hence, reachability queries in fixed VASS can, e.g., determine primality and square-freeness of a number given in unary. From those developments, it is already possible to infer that reachability in fixed VASS with configurations encoded in binary is hard for every level of the polynomial hierarchy, by a reduction from the validity problem for short Presburger arithmetic [21]. In fact, we can establish a PSPACE lower bound for reachability in a fixed VASS with five counters with configurations encoded in binary, by a generic reduction allowing us to simulate space-bounded computations of arbitrary Turing machines encoded as natural numbers. A recent conjecture of Jecker [13] states that for every VASS V, there exists a fixed constant C such that if a target configuration is reachable from an initial configuration, then there exists a witnessing path whose length is bounded by C · m, where m is the maximum constant appearing in the initial and final configurations. Thus, assuming Jecker's conjecture, reachability in fixed VASS under binary encoding of configurations would be PSPACE-complete. In the course of our work, we were not able to find any evidence that this conjecture is false. It is also worth noting that while all our results assume that the final configuration is fixed to a zero vector, we did not find any stronger lower bounds for the case where the final configuration is variable and only the VASS is fixed.

Related work. To the best of our knowledge, the reachability problem for fixed VASS has not yet been systematically explored. Closest to the topics of this paper is the work by Rosier and Yen [22], who conducted a multi-parameter analysis of the complexity of the boundedness and coverability problems for VASS.

However, the study of the computational power of other fixed machines has a long history in the theory of computation. The two classical decision problems for a computation model are membership (also called the word problem) and reachability. Membership asks whether a given machine accepts a given input; the (generic) reachability problem asks whether, given an initial and a target configuration, there is a path in the transition system induced by a given machine from the initial configuration to the target configuration. The most prominent example of a reachability problem is the halting problem for different kinds of machines. Classically, the computational complexity of such problems assumes that both the computational model and its input word (for membership) or configurations (for reachability) are part of the input. However, these are two separate parameters. For example, in database theory, the database size and the query size are often considered separately, since the complexity of algorithms may depend very differently on these two parameters, and the sizes of these two parameters in applications can also vary a lot [26]. One approach to studying such phenomena is to fix either the database or the query. More generally, the field of parameterised complexity studies the computational difficulty of a problem with respect to multiple parameters of the input.

Returning to our setting, this means fixing either the machine or its input. In this paper, we concentrate on the former. The question can then be seen as follows: in relation to a problem such as membership or reachability, which machine is the hardest one in the given computation model? For some models, the answer easily follows from the existence of universal machines, i.e., machines which are able to simulate any other machine from their class. A classical example here is a universal Turing machine. Sometimes the ability to simulate all other machines has to be relaxed, for example as for Greibach's hardest context-free language [11]. Greibach showed that there exists a fixed context-free grammar such that a membership query for any other context-free grammar can be efficiently reduced to a membership query for this grammar. Similar results are known for two-way non-deterministic pushdown languages [23, 4].

## 2 Preliminaries

We denote by Z and N the sets of integers and non-negative integers, respectively. For N ∈ N we write N to denote the set {0, . . . , N}. By [n, m] we denote the set of integers between n and m: [n, m] = {k ∈ Z | n ≤ k ≤ m}. By 0 we denote the zero vector (0, 0, . . . , 0) whose dimension is clear from the context.

Counter automata. A d-counter automaton is a tuple A = (Q, ∆, ζ, q<sub>0</sub>, q<sub>f</sub>), where Q is a finite set of states, ∆ ⊆ Q × Z<sup>d</sup> × Q is the transition relation, ζ : ∆ → [1, d] ∪ {⊤} is a function indicating which counter is tested for zero along a transition (⊤ meaning no counter is tested), q<sub>0</sub> ∈ Q is the initial state, and q<sub>f</sub> ∈ Q is the final state. We assume that q<sub>f</sub> does not have outgoing transitions.

The set of configurations of A is C(A) := {(q, n<sub>1</sub>, . . . , n<sub>d</sub>) : q ∈ Q, n<sub>i</sub> ∈ N, 1 ≤ i ≤ d}. A run ϱ of a counter automaton A from a configuration c<sub>1</sub> ∈ C(A) to c<sub>n+1</sub> ∈ C(A) is a sequence of configurations interleaved with transitions

$$\varrho = c_1 \xrightarrow{t_1} c_2 \xrightarrow{t_2} \dots \xrightarrow{t_n} c_{n+1}$$

such that for all 1 ≤ i ≤ n, if c<sub>i</sub> = (q, m<sub>1</sub>, . . . , m<sub>d</sub>) and c<sub>i+1</sub> = (r, m′<sub>1</sub>, . . . , m′<sub>d</sub>), then:

– t<sub>i</sub> = (q, (z<sub>1</sub>, . . . , z<sub>d</sub>), r) with m′<sub>j</sub> = m<sub>j</sub> + z<sub>j</sub> for all 1 ≤ j ≤ d; and
– m<sub>j</sub> = 0 if ζ(t<sub>i</sub>) = j.

Observe that we can without loss of generality assume that each transition t ∈ ∆ is of one of the two types:


We say that A is a vector addition system with states of dimension d (d-VASS) if A cannot perform any zero tests, i.e., if ζ is the constant function assigning ⊤ to all transitions. We can now formally define the main decision problem we study in this paper.

Problem 1. Fixed VASS zero-reachability
Fixed: d-VASS A.
Input: A vector x ∈ N<sup>d</sup> of initial values of the counters.
Output: YES if and only if A has a run from (q<sub>0</sub>, x) to (q<sub>f</sub>, 0).

Counter programs. For ease of presentation, we use the notion of counter programs presented e.g. in [5], which are equivalent to VASS and allow for presenting VASS (and counter automata) in a serialised way. A counter program is a primitive imperative program that executes arithmetic operations on a finite number of counter variables. Formally, a counter program consists of a finite set X of global counter variables (called counters subsequently for brevity) ranging over the natural numbers, and a finite sequence 1, . . . , m of line numbers (subsequently lines for brevity), each associated with an instruction manipulating the values of the counters or a control flow operation. Each instruction is of one of the following forms:

1: goto 2 or 4
2: x −= 3
3: goto 1
4: x += 1
5: halt

Fig. 1. Example of a counter program.


We write goto L as an abbreviation for goto L or L, and also allow statements of the form goto L<sub>1</sub> or L<sub>2</sub> or . . . or L<sub>k</sub>. Moreover, the line with the largest number is a special instruction halt. In our examples of counter programs, we usually omit this last line if it is not referenced explicitly.

An example of a counter program is given in Figure 1. This counter program uses a single counter x and consists of five lines. Starting in line 1, the program non-deterministically loops, decrementing the counter x by three each time, until it increments x by one and terminates.
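To make the semantics concrete, here is a small exhaustive interpreter (our own illustration; names such as `runs` are not from the paper) that explores every run of the program of Figure 1 from a given initial counter value:

```python
# Exhaustive exploration of all runs of the Figure 1 counter program.
# A configuration is (line, x); a decrement blocks if it would go negative.

def runs(x0):
    """Return the set of halting values of x reachable from (line 1, x0)."""
    seen, stack, halted = set(), [(1, x0)], set()
    while stack:
        line, x = stack.pop()
        if (line, x) in seen:
            continue
        seen.add((line, x))
        if line == 1:                      # 1: goto 2 or 4
            stack += [(2, x), (4, x)]
        elif line == 2 and x >= 3:         # 2: x -= 3  (blocks if x < 3)
            stack.append((3, x - 3))
        elif line == 3:                    # 3: goto 1
            stack.append((1, x))
        elif line == 4:                    # 4: x += 1
            stack.append((5, x + 1))
        elif line == 5:                    # 5: halt
            halted.add(x)
    return halted

assert runs(7) == {8, 5, 2}   # x0 - 3k + 1 for every k with 3k <= x0
```

Runs that reach line 2 with x < 3 simply block, mirroring the VASS convention that transitions with negative results are disabled.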

To be able to compose counter programs, we describe the operation of substitution, which substitutes a given line (which we always assume to have a skip instruction) of a counter program with the "code" of another counter program. Formally, let C<sub>1</sub>, C<sub>2</sub> be counter programs with m<sub>1</sub> and m<sub>2</sub> lines, respectively. The result of substituting line k, 1 ≤ k ≤ m<sub>1</sub> − 1, of C<sub>1</sub> with C<sub>2</sub> is a counter program C′<sub>1</sub> with m<sub>1</sub> + m<sub>2</sub> − 1 lines obtained, intuitively, by calling C<sub>2</sub> as a subroutine at this line and, when it halts, returning control back to C<sub>1</sub>. Formally, the instruction corresponding to a line L, 1 ≤ L < m<sub>1</sub> + m<sub>2</sub>, is defined as follows:


The line numbers in goto instructions are changed accordingly. We also consider substitution of several counter programs. When specifying counter programs, to denote substitution of another counter program we just write its name instead of an instruction in a line. Also, we write C<sub>1</sub>; C<sub>2</sub> for


and C<sub>1</sub> or C<sub>2</sub> as syntactic sugar for the counter program:


When C is a counter program, we write loop C as an abbreviation for the counter program

1: goto 2 or 4

2: C

3: goto 1

Hence, the counter program in Figure 1 corresponds to

1: loop
2:     x −= 3
3: x += 1

We use indentation to mark the scope of the loop instruction. We also assume that if several instructions share the same line and are separated by a semicolon, they all belong to the scope of a loop.


Runs of counter programs. Exactly as in the case of VASS, a configuration of a counter program is an element (L, f) ∈ N × N<sup>X</sup>, where L ∈ N is a program line with a corresponding instruction, and f : X → N is a counter valuation. The semantics of counter programs is defined in a natural way: after executing the instruction on line L, we either non-deterministically go to one of the specified lines (if the instruction on line L is a goto instruction), or, otherwise, we go to line L + 1. After executing the last line, we stop.

One can view a counter program as a VASS by treating line numbers as states and defning transitions as specifed by the counter program, each labelled with the respective instruction. It is also easy to see how to convert a VASS into a counter program.

A run of a counter program is a sequence ϱ: (L<sub>1</sub>, f<sub>1</sub>) −→ (L<sub>2</sub>, f<sub>2</sub>) −→ . . . −→ (L<sub>n</sub>, f<sub>n</sub>) of configurations defined naturally according to the described semantics. For example, (1, {x ↦ 7}) −→ (4, {x ↦ 7}) −→ (5, {x ↦ 8}) is a run of the counter program in Figure 1. Given a run ϱ: (L<sub>1</sub>, f<sub>1</sub>) −→ (L<sub>2</sub>, f<sub>2</sub>) −→ . . . −→ (L<sub>n</sub>, f<sub>n</sub>), we say that ϱ is terminating if L<sub>1</sub> = 1 and the instruction on line L<sub>n</sub> is halt, and zero-terminating if additionally f<sub>n</sub>(x) = 0 for all x ∈ X. We denote by val<sub>end</sub>(ϱ, x) := f<sub>n</sub>(x) the value of the counter x at the end of a terminating run. Sometimes, we also want to talk about the value of a counter at a specific point during the execution of a run and define val<sub>i</sub>(ϱ, x) to be the value of the counter x right before we execute the instruction on line i in the run ϱ for the first time, i.e. val<sub>i</sub>(ϱ, x) := f<sub>k</sub>(x), where k is the smallest index such that L<sub>k</sub> = i. For instance, in the example above, we have val<sub>end</sub>(ϱ, x) = 8 and val<sub>4</sub>(ϱ, x) = 7. We often construct counter programs that admit exactly one run ϱ from a given initial configuration to a target configuration. In such a setting, we may omit the reference to ϱ and simply write val<sub>end</sub>(x) and val<sub>i</sub>(x). The effect eff(ϱ): X → Z of a run ϱ starting in (1, f<sub>1</sub>) and ending in (n, f<sub>n</sub>) is a map such that eff(ϱ, x) = f<sub>n</sub>(x) − f<sub>1</sub>(x) for all x ∈ X.

For counter programs, the zero-reachability problem is as follows.

Problem 2. Fixed counter program zero-reachability
Fixed: Counter program C.
Input: A vector x ∈ N<sup>d</sup> of initial values of the counters.
Output: YES if and only if C has a zero-terminating run from x.

## 3 Implementation of zero tests

The structure of runs in arbitrary counter programs is very complicated and hard to analyse, and hence it is difficult to force a counter program to have a prescribed behaviour. One of the common ways to deal with this issue is to introduce some restricted zero tests, that is, some gadgets that guarantee that if a run reaches a certain configuration, then along this run, the values of some counters are zero at prescribed positions. In this section, summarising [5], we describe such a gadget for the case where the values of counters are bounded by a given number. The number of zero tests that can be performed this way is also bounded. For a counter v, we call this gadget zero-test(v), and later on we will use it as a single instruction to test that the value of v is zero before executing it.

In Section 4, the assumption that the values of the counters are bounded comes from the fact that the corresponding values of the variables in rudimentary arithmetic are bounded. In Section 5, we enforce this property for more powerful models of computation and show how to simulate them with VASS.

Let N ∈ N be an upper bound on the value of a counter v. Then, we can introduce a counter v̂ and enforce the invariant f(v) + f(v̂) = N to hold in all the configurations of any run of our counter program. We achieve this by ensuring that every line containing an instruction of type v += c must be followed by a line with a v̂ −= c instruction. From now on, we make the convention that the instruction v += c is an abbreviation for v += c; v̂ −= c. This allows us to remove the hatted counters from our future counter programs whenever it is convenient for us, which will ease readability. So, if we choose an initial configuration in which f(v) + f(v̂) = N, we have that this invariant holds whenever the zero-test gadget is invoked.

We introduce auxiliary counters u<sub>1</sub>, u<sub>2</sub> that will be tested for zero only in the final configuration, and hence have no hat counterpart. In the following, the instruction zero-test(v) denotes the following gadget:

1: loop
2:     v += 1; v̂ −= 1; u<sub>2</sub> −= 1
3: loop
4:     v −= 1; v̂ += 1; u<sub>2</sub> −= 1
5: u<sub>1</sub> −= 2

Consider an initial configuration in which f(u<sub>1</sub>) = 2n and f(u<sub>2</sub>) = 2n · N for some n > 0. Initially, it is true that f(u<sub>2</sub>) = f(u<sub>1</sub>) · N.

Lemma 1 ([5]). There exists a run of the counter program zero-test(v) that starts in a configuration with f(u<sub>2</sub>) ≥ 2, f(u<sub>2</sub>) = f(u<sub>1</sub>) · N, and ends in a configuration with f(u<sub>2</sub>) = f(u<sub>1</sub>) · N if and only if f(v) = 0 in the initial configuration.

Proof. The invariant f(v) + f(v̂) = N ensures that the loops on lines 1 and 3 can decrease the value of u<sub>2</sub> at most N − f(v) and N times, respectively, so together by at most 2N − f(v). Since u<sub>1</sub> decreases by exactly 2, restoring f(u<sub>2</sub>) = f(u<sub>1</sub>) · N requires u<sub>2</sub> to decrease by exactly 2N, which is possible only if f(v) = 0 in the initial configuration. ⊓⊔

From a configuration with f(u<sub>2</sub>) = f(u<sub>1</sub>) · N, a run "incorrectly" executing the zero-test(v) subroutine can only reach a configuration with f(u<sub>2</sub>) > f(u<sub>1</sub>) · N. Observe that from such a configuration, we can never reach a configuration respecting the invariant f(u<sub>2</sub>) = f(u<sub>1</sub>) · N if the values of u<sub>1</sub>, u<sub>2</sub> are only changed by zero-test(v) instructions. Now, consider a counter v and a counter program C that modifies the values of counters u<sub>1</sub> and u<sub>2</sub> only through the zero-test(v) instruction. If we start in a configuration in which f(u<sub>1</sub>) = 2n and f(u<sub>2</sub>) = 2n · N for some n > 0, and we are guaranteed that any run of C cannot execute more than n zero-test(v) instructions, then after any run of C, we have that f(u<sub>2</sub>) = f(u<sub>1</sub>) · N only if the value of the counter v was zero at the beginning of every zero-test(v) instruction. If all the counters that we are interested in are bounded by the same value N, we can use a single pair of counters u<sub>1</sub>, u<sub>2</sub> to perform zero tests on all our counters. We subsequently call the counters u<sub>1</sub> and u<sub>2</sub> testing counters. To summarise, using this technique, we can perform n zero tests on counters bounded by N via a reachability query in a VASS.
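For small parameters, the claim underlying this technique can be checked exhaustively. The sketch below is our own (it models each loop simply by its number of iterations, which is faithful here because each loop body is executed atomically): it searches all runs of zero-test(v) and confirms that the invariant f(u₂) = f(u₁) · N can be restored exactly when f(v) = 0 initially.

```python
# Exhaustive check of the zero-test(v) gadget for small parameters.
# First loop runs a1 times (each iteration needs vhat >= 1 and u2 >= 1),
# second loop runs a2 times (needs v >= 1 and u2 >= 1), then u1 -= 2.

def zero_test_succeeds(v, N, u1, u2):
    """Does some run of zero-test(v) end with u2 = u1 * N restored?"""
    vhat = N - v                        # invariant v + vhat = N
    for a1 in range(vhat + 1):          # first loop: bounded by vhat
        for a2 in range(v + a1 + 1):    # second loop: bounded by current v
            if a1 + a2 <= u2 and u1 >= 2:
                # u2 drops by a1 + a2, u1 by 2; check the invariant.
                if u2 - a1 - a2 == (u1 - 2) * N:
                    return True
    return False

N, n = 4, 3
for v in range(N + 1):
    # invariant restorable iff the tested counter starts at zero
    assert zero_test_succeeds(v, N, 2 * n, 2 * n * N) == (v == 0)
```

The search makes the counting argument of the proof visible: the two loops can remove at most 2N − f(v) from u₂, while restoring the invariant demands exactly 2N.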

Given a configuration (L, f), we say that (L, f) is a valid configuration if f respects the condition f(u<sub>2</sub>) = f(u<sub>1</sub>) · N. A valid run is a run that starts in a valid configuration and ends in a valid configuration. Also, a counter program admits a valid run if there exists a valid run that reaches the terminal instruction halt. Observe that in every valid run the zero-test() subroutine does not change the value of the counter which is tested for zero; that is, this value remains zero. Only the values of the testing counters are changed.

We now introduce components. Informally, a component is a counter program acting as a subroutine such that, if it is invoked in a configuration fulfilling the invariants required for valid runs, upon returning, those invariants still hold. Formally, a component is a counter program such that:


We conclude this section with Lemma 2, which states that sequential composition and non-deterministic branching of components yield components. We will subsequently make implicit use of this obvious lemma without referring to it.

Lemma 2. If C<sub>1</sub>, C<sub>2</sub> are components, then both C<sub>1</sub>; C<sub>2</sub> and C<sub>1</sub> or C<sub>2</sub> are also components.

Remark 1. Let V be a fixed VASS, and s = (q<sub>0</sub>, n), t = (q<sub>f</sub>, m) be a pair of its configurations. Given s and t, the Fixed VASS coverability problem asks whether there exists a run in V from s to a configuration t′ = (q<sub>f</sub>, m′) such that m′ ≥ m componentwise. Note that when simulating zero tests as described above, for each counter x except u<sub>1</sub>, u<sub>2</sub>, we have a counter x̂ such that the sum of the values of x and x̂ is always the same and is known in advance. Since the values of u<sub>1</sub>, u<sub>2</sub> are never increased, we can introduce in the same way the counters û<sub>1</sub>, û<sub>2</sub>, initially set to zero, so that u<sub>i</sub> + û<sub>i</sub> is constant for i = 1, 2. Hence, by requiring that the final value of x̂ is at least the initial value of x, we make sure that the final value of x is equal to zero. Thus, in this setting, reachability queries reduce to coverability queries.

## 4 Rudimentary arithmetic and unary VASS

In this section, we provide a lower bound for the zero-reachability problem for a VASS when the input configuration is encoded in unary. We observe that there is a close relationship between this problem and deciding validity of a formula of first-order arithmetic with counting, addition, and multiplication on an initial segment of N, also known as rudimentary arithmetic with counting [9].

#### 4.1 Rudimentary arithmetic with counting

For the remainder of this section, all the structures we consider are relational. We denote by FO(+, ×) the first-order theory of the structure ⟨N, +, ×⟩, where + and × are the natural ternary addition and multiplication relations. When interpreted over initial segments of N, i.e. sets {0, 1, . . . , N} for some fixed N ∈ N, the family of the first-order theories is known as rudimentary arithmetic. Note that, in particular, for a predicate x + y = z to hold, all of x, y, z must be at most N. It thus might seem that after we fix N, a formula Φ(x) can only express facts about numbers up to N. However, as discussed in [25] and [9], this can be improved to quantifying over variables up to N<sup>d</sup> for any fixed d using (N + 1)-ary representations of numbers. In other words, for any fixed d and formula Φ(x), there exists a formula Φ′(x) such that for any N ∈ N and x ∈ N<sup>n</sup>, we have that ⟨N, +, ×⟩ |= Φ′(x) if ⟨N<sup>d</sup>, +, ×⟩ |= Φ(x).

Rudimentary arithmetic can be extended with counting quantifiers. As described in [25], let rudimentary FOunC(+, ×) be rudimentary FO(+, ×) extended with counting quantifiers of the form ∃<sup>>x</sup>y φ(y). In this expression, the variable x is free and the variable y is bound by the quantifier. The semantics of this expression is that there exist more than x different values of y such that the formula φ(y) is satisfied. The paper [25] actually uses the counting quantifier ∃<sup>=x</sup>y φ(y) to state that the number of such values is exactly x, which can be expressed as (x = 0 ∧ ¬∃y φ(y)) ∨ ∃x′((∃<sup>>x′</sup>y φ(y)) ∧ (x′ + 1 = x) ∧ ¬∃<sup>>x</sup>y φ(y)).

Moreover, FOunC(+, ×) can be extended to FOk-aryC(+, ×), that is, FO(+, ×) with k-ary counting quantifiers ∃<sup>=x</sup>y φ(y). In this expression, x, y are vectors of the same dimension, and similarly to the previous case, all the variables of x are free and all the variables of y are bound by the quantifier. The semantics is that the k-tuple x is the (N+1)-ary representation of the number of k-tuples y that satisfy φ(y). As shown in [3], rudimentary FOunC(+, ×) and rudimentary FOk-aryC(+, ×) have the same expressive power. In order to have a meaningful reduction to fixed VASS, we are interested in the following decision problem:

Problem 3 (Fixed rudimentary FOk-aryC(+, ×) validity).
Fixed: Φ(x) ∈ FOk-aryC(+, ×).
Input: N ∈ N and x ∈ N<sup>n</sup> given in unary.
Output: YES if and only if ⟨N, +, ×⟩ |= Φ(x).

#### 4.2 Reductions between unary languages

In order to study decision problems whose input is, for some constant k, a k-tuple of numbers presented in unary, and hence to analyse languages corresponding to them, we need a notion of reductions that are weaker compared to the standard ones that are widely used in computational complexity. The reason is that classical problems involving numbers represented in unary, such as Unary Subset Sum [8], have as an input a variable-length sequence of numbers given in unary. Hence, languages of such problems are in fact binary, as we need a delimiter symbol to separate the elements of the sequence. It is not clear what a reasonable reduction from such a language to a language consisting of k-tuples of numbers for a fixed k would look like. In particular, note that unary Fixed VASS zero-reachability is not the unary "counterpart" of binary Fixed VASS zero-reachability in the classical sense. Conversely, arithmetic properties of a single number, e.g. primality or square-freeness, require very low computational resources if the input is represented in unary. Hence, the notion of a reduction between such "genuinely unary" languages has to be very weak.

In view of this discussion, we introduce the following kind of reduction. Given k > 0, a k-tuple unary language is a subset L ⊆ N<sup>k</sup>. We say that L is a tuple unary language if L is a k-tuple unary language for some k > 0. Let L ⊆ N<sup>k</sup> and M ⊆ N<sup>ℓ</sup> be tuple unary languages. We say that L arithmetically reduces to M if there are fixed polynomials p1, . . . , pℓ : N<sup>k</sup> → N such that (m1, . . . , mk) ∈ L if and only if (p1(m1, . . . , mk), . . . , pℓ(m1, . . . , mk)) ∈ M.
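A toy instance of an arithmetic reduction (the languages are illustrative, not from the paper): take L = {(a, b) : a + b is prime} ⊆ N<sup>2</sup> and M = {m : m is prime} ⊆ N; the single polynomial p(a, b) = a + b witnesses the reduction.

```python
def is_prime(n):
    # Naive primality test, sufficient for a toy example.
    if n < 2:
        return False
    return all(n % k for k in range(2, int(n ** 0.5) + 1))

def in_M(m):
    return is_prime(m)

def p(a, b):
    return a + b          # the reducing polynomial

def in_L(a, b):
    # Membership in L is decided by mapping through p into M.
    return in_M(p(a, b))

assert in_L(4, 3) and not in_L(4, 4)   # 7 is prime, 8 is not
```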

We believe that this reduction is sensible for the following informal reasons. Polynomials can be represented as arithmetic circuits. To the best of our knowledge, there are no known lower bounds for, e.g. comparing the output of two arithmetic circuits with all input gates having value one [1], suggesting that evaluating a polynomial is a computationally weak operation. Moreover, in the light of sets of numbers definable in rudimentary arithmetic, it seems implausible that applying a polynomial transformation makes, e.g. deciding primality of a number substantially easier.

For a formula Φ, let L<sub>Φ</sub> be the tuple unary language of yes-instances for Fixed rudimentary FOk-aryC(+, ×) validity. Also, for a counter program C, define L<sub>C</sub> as the tuple unary language of yes-instances for the Fixed counter program zero-reachability problem. The remainder of this section is devoted to proving the following theorem.

Theorem 1. For every formula Φ of rudimentary FOk-aryC(+, ×), there exists a counter program C such that L<sub>Φ</sub> arithmetically reduces to L<sub>C</sub>.

This theorem can be viewed in two different contexts. On the one hand, it relates the computational complexity of the two problems using a very weak reduction as described above. On the other hand, it also relates the expressivity of two formalisms. Namely, the set of satisfying assignments for formulas of rudimentary arithmetic is at most as expressive as the composition of polynomial transformations with the sets of initial configurations for zero-reachable runs in counter programs. In particular, it shows that fixed VASS can, up to a polynomial transformation, decide number-theoretic properties such as primality and square-freeness; see [9] for further examples. Note that by Remark 1, an analogue of Theorem 1 holds for tuple unary languages of yes-instances of Fixed VASS coverability.

#### 4.3 Components for arithmetic operations

Since there is no straightforward way to model negation with a counter program, we need to provide gadgets for both the predicates + and × of rudimentary FOk-aryC(+, ×) and their negations, and hence design a separate component for each literal. However, these components may change the values of the counters representing first-order variables, and since a first-order variable might appear in multiple literals, we first provide a gadget to copy the value of a chosen counter to some auxiliary counter before it can be manipulated.

Copy. We provide a counter program Copy[x, x′] with the following properties:


We implement Copy[x, x′] as follows:

```
1: loop
2:   x′ −= 1
3: zero-test(x′)
4: loop
5:   x −= 1; x′ += 1; t += 1
6: zero-test(x)
7: loop
8:   t −= 1; x += 1
9: zero-test(t)
```
The loop on line 1 ensures that val4(x′) = 0. We do not do this for the auxiliary counter t because any valid run sets valend(t) = 0. Observe that Copy[x, x′] admits a valid run if and only if the loop on line 4 is executed val1(x) many times and the loop on line 7 is executed val4(t) = val1(x) many times, which happens if and only if valend(x′) = valend(x) = val1(x). Moreover, any valid run performs 3 calls to the zero-test() subroutine, so Copy[x, x′] is a component.
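The net behaviour of Copy[x, x′] can be sketched by running each loop exactly as a valid run must (the helper name is ours; a real run chooses loop iterations nondeterministically and the zero-tests validate the choice):

```python
def copy_gadget(x, x_prime):
    """Simulate the unique valid run of Copy[x, x'] on counter values."""
    t = 0
    while x_prime > 0:           # line 1: drain x'
        x_prime -= 1
    assert x_prime == 0          # line 3: zero-test(x')
    while x > 0:                 # line 4: move x into both x' and t
        x -= 1; x_prime += 1; t += 1
    assert x == 0                # line 6: zero-test(x)
    while t > 0:                 # line 7: restore x from t
        t -= 1; x += 1
    assert t == 0                # line 9: zero-test(t)
    return x, x_prime

assert copy_gadget(5, 3) == (5, 5)   # x is preserved, x' now equals x
```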

Addition. We define a counter program Addition[x, y, z] that enables us to check whether the value stored in counter z is equal to the sum of the values stored in x and y. Formally, it has the following properties:


We implement Addition[x, y, z] as follows:


It is easy to see that the first property is fulfilled by the counter program and that Addition[x, y, z] is a component because any run performs exactly 12 calls to zero-test() (9 calls on line 1, and 3 calls on line 5). The last property is true based on the properties of Copy. The component for the negation of the addition predicate is defined similarly.

Multiplication. We now define a counter program Multiplication[x, y, z] with the following properties:


We implement Multiplication[x, y, z] as follows:

```
 1: Copy[x, x′]; Copy[y, y′]; Copy[z, z′]
 2: loop
 3:   loop
 4:     x′ −= 1; t += 1; z′ −= 1
 5:   zero-test(x′)
 6:   loop
 7:     x′ += 1; t −= 1
 8:   zero-test(t)
 9:   y′ −= 1
10: zero-test(y′); zero-test(z′)
```
Observe that the loop on line 3 of any valid run must be executed val1(x) many times in order to pass the zero test on line 5. The effect of this loop is then to decrease the value of z′ by val1(x) and to set the value of t to val1(x). Next, the loop on line 6 must be executed val5(t) = val1(x) many times to pass the zero test on line 8, so the value of x′ is set to val1(x) and the value of t is set again to zero. Hence, the effect of lines 3–8 is to subtract val1(x) from the value of z′ without changing the value of x′. Finally, any valid run passes the test on line 10 if and only if the loop on line 2 is executed val1(y) many times, which happens if and only if val1(z) = val1(x) · val1(y). Since we argued that the loop on line 2 is executed val1(y) many times, we conclude that any valid run of Multiplication[x, y, z] performs at most 2N + 9 calls to zero-test(), so Multiplication[x, y, z] is a component. Again, the last property is ensured by the properties of Copy. The definition of ¬Multiplication[x, y, z] is similar.
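At the level of counter values, the argument above says that a valid run exists precisely when z = x · y. This can be sketched directly, collapsing lines 3–8 into their net effect (a simulation sketch, not the gadget itself; the loop bounds are those forced by the zero-tests):

```python
def multiplication_has_valid_run(x, y, z):
    """True iff Multiplication[x, y, z] admits a valid run, i.e. z = x * y."""
    x_p, y_p, z_p = x, y, z        # values after the three Copy gadgets
    while y_p > 0:                 # outer loop (line 2): y' forces y iterations
        if z_p < x_p:              # the inner loop (lines 3-5) would go negative
            return False
        z_p -= x_p                 # net effect of lines 3-8 on z'
        y_p -= 1
    return z_p == 0                # line 10: zero-test(y'); zero-test(z')

assert multiplication_has_valid_run(3, 4, 12)
assert not multiplication_has_valid_run(3, 4, 11)
```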

#### 4.4 Components for quantification

We define the remaining components that we need in order to prove Theorem 1. These components allow us to existentially and universally quantify over variables in a bounded range.

Existential quantifiers. We start with a counter program Exists[v] with the following properties:


We define Exists[v] as follows:

```
1: loop v −= 1
2: zero-test(v)
3: loop v += 1
```
It is easy to see that both properties hold, since Exists[v] performs exactly one call to the zero-test() subroutine.

Universal quantifiers. While the component used for simulating existential quantification can be sequentially composed with a component for a subformula, universal quantification requires directly integrating the component over whose variable we universally quantify. Let C[v] be a component that may access the counter v, test it for zero, and change its value in intermediate steps, but has overall effect zero on counter v. We write ForAll[v] : C[v] for the following counter program:

```
1: loop
2:   v −= 1
3: zero-test(v)
4: loop
5:   C[v]
6:   v += 1
7: zero-test(v̂)
```
The properties of ForAll[v] : C[v] are as follows:


Notice that the instruction on line 7 tests if val7(v) = N. Thus, any valid run that passes the test on line 7 must be able to execute C[v] for all values of v ∈ N. Moreover, since C[v] is a component, we know that the number of calls to zero-test() it makes is polynomial in N. Denote this number by B. Then ForAll[v] : C[v] executes at most N · B + 1 many calls to zero-test() and it is thus a component.

Counting quantifiers. Finally, we design a component which is an extension of the ForAll[v] : C[v] component, where, as in the case of ForAll, C[v] has overall effect zero on v. Formally, the ExistsC[x, v] : C[v] component has the following properties:


We write ExistsC[x, v] : C[v] for the following counter program:

198 Andrei Draghici, Christoph Haase, Andrew Ryzhikov


The branching on line 5 checks whether val1(x) = N. If so, C[v] must have a valid run for all values of v, which is checked on line 7. Otherwise, the instructions on line 13 ensure that the value of x′ can be decremented if and only if C[v] admits at least one valid run with the current value of v. Moreover, the zero test on line 14 is passed if and only if C[v] admitted a valid run for more than val1(x) different values. Similarly to the ForAll case, since C[v] is a component, we have that it makes at most a polynomial number of calls to zero-test(). If we denote this number by B, the maximum number of calls to zero-test() performed by ExistsC[x, v] : C[v] is bounded by N · B + 5. Hence, it is indeed a component.

#### 4.5 Putting it all together

Having defined all the building blocks above, we now prove Theorem 1, which is a consequence of the following lemma.

Lemma 3. For any formula Φ(x) of FOk-aryC(+, ×), there exists a component C over k counters and polynomials p1, . . . , pk : N × N<sup>n</sup> → N such that for any N ∈ N and x ∈ N<sup>n</sup>, ⟨N, +, ×⟩ |= Φ(x) if and only if C admits a valid run from the initial configuration (p1(N, x), . . . , pk(N, x)).

Proof. We prove this statement by structural induction on subformulas of Φ. As shown in [3], rudimentary FOunC(+, ×) has the same expressive power as rudimentary FOk-aryC(+, ×). Since in our setting the formula is fixed, we can thus assume that Φ ∈ FOunC(+, ×). Moreover, it is easy to see that we can assume that only ∃<sup>>x</sup> is used as a counting quantifier, since ∃<sup>=x</sup> can easily be defined using it as described above. Finally, we can assume that negations appear in Φ only in front of arithmetic predicates. In particular, ¬∃<sup>>x</sup>y φ(y) is equivalent to (∃<sup>>x′</sup>y ¬φ(y)) ∧ (x + x′ = N).
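The negation-pushing equivalence at the end of the previous paragraph can be sanity-checked by brute force over {0, . . . , N} (there are N+1 candidate values of y, so "at most x satisfy φ" is the same as "more than N − x satisfy ¬φ"); the predicate below is just a sample.

```python
def count(phi, N):
    """Number of y in {0, ..., N} satisfying phi."""
    return sum(1 for y in range(N + 1) if phi(y))

N = 12
phi = lambda y: y % 3 == 0    # sample predicate: 5 multiples of 3 in {0,...,12}
for x in range(N + 1):
    lhs = not (count(phi, N) > x)                      # not exists^{>x} y phi(y)
    x_prime = N - x                                    # the witness with x + x' = N
    rhs = count(lambda y: not phi(y), N) > x_prime     # exists^{>x'} y not-phi(y)
    assert lhs == rhs
```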

The counters of the component C are defined to be:


We initialise them as follows:


Assume first that a subformula φ of Φ consists of a single literal. Then, by using the previously defined components, we can construct a fixed component C′ corresponding to this literal. In C′, for every valid initial configuration (L, f), there exists a valid run starting in it if and only if φ is true under the assignment of the values of the counters in (L, f) to the corresponding variables in φ. If φ is a Boolean combination of multiple literals, by simulating conjunction via sequential composition and disjunction via non-deterministic branching, we can construct a component C<sub>φ</sub> with the same property.

We now need to show how to simulate the quantifers. Let C be the component constructed for φ. We then take

$$\begin{array}{lll} \text{for } \exists y \; \varphi\colon & \text{for } \forall y \; \varphi\colon & \text{for } \exists^{>x} y \; \varphi\colon \\ 1\colon\ \text{Exists}[y_C] & 1\colon\ \text{ForAll}[y_C]\colon & 1\colon\ \text{ExistsC}[x_C, y_C]\colon \\ 2\colon\ C[y_C] & 2\colon\quad C[y_C] & 2\colon\quad C[y_C] \end{array}$$

As noted above, to be able to use these components, we need to make sure that C[y<sub>C</sub>] has overall zero effect on the value of y<sub>C</sub>. This is indeed true, since the only place where the value of a counter y<sub>C</sub> is changed by a subroutine is in the component corresponding to the quantifier binding y.

The counter program C starts with a component C<sub>0</sub> that initialises the counters a corresponding to the constants of Φ(x) by a sequence of instructions of the type a += c for a corresponding constant c appearing in Φ(x). Finally, we let C = C<sub>0</sub>; C<sub>1</sub>. By the properties established above, it is clear that C admits a valid run starting with f<sub>1</sub> defined above if and only if Φ(x) is valid. To see that C is a component, it remains to note that at every step of the structural induction the number of calls to zero-test() is polynomial in N. Hence, there exists a polynomial P(N) such that the overall number of calls to zero-test() performed by C is bounded by P(N). We conclude by recalling that we use this polynomial to initialise the value of the testing counter u<sub>2</sub>. ⊓⊔

To prove Theorem 1, add a loop repeating zero tests at the end of C, thus setting the values of the testing counters to zero if and only if the invariant described in Section 3 holds. After that, set to zero all the remaining counters (including the hatted counters) by decrementing them in loops. A run in the counter program thus constructed is zero-accepting if and only if it is valid.

As proved in [3], rudimentary FOk-aryC(<) has the same expressive power as FOk-aryC(+, ×). Hence, an alternative proof for Theorem 1 is to express k-ary counting quantifers without the need for components for addition and multiplication. However, this approach is more technical and less insightful.

## 5 A universal VASS for polynomial space computations

The goal of this section is to show that there is a fixed 5-VASS whose zero-reachability problem is PSPACE-hard, provided that the initial configuration is encoded in binary. Let us first remark that we can actually use the techniques developed in the previous section to prove that for every i, there exists a fixed VASS V<sub>i</sub> such that deciding zero-reachability for V<sub>i</sub> is Σ<sup>P</sup><sub>i</sub>-hard. A result by Nguyen and Pak [21] shows that for every i, there is a formula Φ<sub>i</sub> of so-called short Presburger arithmetic such that deciding Φ<sub>i</sub> is Σ<sup>P</sup><sub>i</sub>-hard. Applying bounds on quantifier elimination established in [27], it can be shown that quantification for formulas of short Presburger arithmetic relativises in a certain sense to an initial segment N for some N ∈ N whose bit length is polynomial in the size of Φ<sub>i</sub>. Hence, by combining the results from [21] with Lemma 3, it is possible to show that zero-reachability for fixed binary VASS is hard for the polynomial hierarchy. We do not explore this method further because we can actually construct a fixed binary VASS such that the zero-reachability problem is PSPACE-hard for it and which has a smaller number of counters than the fixed binary VASS obtained from showing NP-hardness via the reduction from short Presburger arithmetic outlined above.

We proceed with our construction as follows. We start with the halting problem for Turing machines (TMs) working in polynomial space and show that this problem is PSPACE-hard even if the space complexity of the TM is bounded by the length of its encoding and its input is empty. In Proposition 2, we then reformulate the halting problem as follows: given the encoding of such a machine as an input to a universal one-tape TM U, does U accept?

We then use two consecutive simulations. First, we simulate U with a 3-counter automaton A (Proposition 3), and then simulate A with a 5-VASS V (Theorem 2). To be able to apply the technique described in Section 3, we make sure that the space complexity stays linear in the size of the input throughout these simulations. This implies that both the upper bound on the value of the counters and the required number of zero tests are polynomial in the size of the input, which enables us to establish a polynomial-time reduction. As a result, we obtain a VASS V which, in a certain sense, can simulate arbitrary polynomial-space computations.

To provide the reduction, we then show how to transform in polynomial time the input of the problem we started with, the halting problem for polynomial-space TMs, into a zero-reachability query for V.

#### 5.1 The halting problem for space-bounded TMs

The goal of this subsection is to show that there exists a fixed polynomial-space TM whose halting problem is PSPACE-complete. Note that, using standard arguments, we can assume that M below always halts.

Proposition 1 ([2, Section 4.2]). The following problem is PSPACE-complete: given a TM M, an input word w and a number n encoded in unary, decide if M accepts w in at most n space.

We fix some way of encoding Turing machines, using an alphabet of size at least two, and we denote by |M| the length of the encoding of M, which we call the size of M. Given a TM M, we say that it is |M|-space-bounded if on every input it halts using at most |M| space. Given M, an input word w and a number n encoded in unary, it is easy to construct an |M′|-space-bounded TM M′ such that if M accepts w in space at most n, then M′ accepts on the empty input, otherwise M′ rejects on the empty input. Moreover, the size of M′ is polynomial in |M|, |w| and 2n.

Indeed, M′ can be constructed as follows. When run on the empty input, it writes w on some tape, and then runs M treating this tape as the input tape. Additionally, it initialises another tape with n written in unary, and before each step of M it checks that the space used by the tape where M is simulated does not exceed n. If it does, it immediately rejects. It is easy to see that such a TM is |M′|-space-bounded and satisfies the required conditions.

Hence we get that the following problem is PSPACE-complete: given an |M|-space-bounded TM M, does M accept on the empty input? Observe that, from the construction above, we can assume that M has a special representation such that the fact that it is |M|-space-bounded can be checked in polynomial time.

Let U be a one-tape universal TM. This TM has a single read-write tape, which in the beginning contains the input, that is, a description of a TM M it is going to simulate. If M is |M|-space-bounded (and represented as mentioned in the previous paragraph), U simulates M on the empty input in space linear in |M| [2, Claim 1.6], otherwise U rejects. That is, in this space, U accepts or rejects depending on whether M accepts or rejects the empty word. Hence we get the following proposition.

Proposition 2. There exists a fixed linear-space TM U such that the question whether U halts on a given input is PSPACE-complete.

#### 5.2 From TMs to counter automata

In the previous subsection, we obtained a PSPACE-complete problem which already resembles the form of the reachability problem for a fixed counter program: given a fixed linear-space TM U, does it accept a given input? In this section we show how to simulate U with a fixed counter automaton A, and in the next section we show how to simulate A with a fixed binary VASS V.

Let A be a counter automaton. We say that A is deterministic if for every configuration (q, n1, . . . , nd) there is at most one transition that A can take from this configuration. Suppose that A is deterministic, and that its final state q<sub>f</sub> does not have any outgoing transitions. Let n = (n1, . . . , nd) ∈ N<sup>d</sup>. We treat A as an acceptor for such vectors. We say that A works in time t and space s on n if the unique run starting in the configuration (q<sub>0</sub>, n1, . . . , nd) ends in a state without outgoing transitions, has length t, and the bit length of the largest value of a counter along this run is s. If this run ends in q<sub>f</sub>, we say that A accepts this vector, otherwise we say that it rejects it. In all our constructions we make sure that there are no infinite runs. Note that, as in the case of TMs, we measure space complexity in the bit length of the values of the counters, and not in their actual values.

Let Σ be a finite alphabet. Let us bijectively assign a natural number to each word over Σ as follows. First, assign a natural number between 1 and |Σ| to each symbol in Σ. Then a word w can be considered as a number in base |Σ|+1, with the least significant digit corresponding to the first letter of w. We denote this number by num(w).
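The encoding num(w) can be sketched directly; the symbol numbering below (symbol i gets value i+1) is one concrete choice consistent with the text.

```python
def num(w, sigma):
    """Encode word w over alphabet sigma as a number in base |sigma|+1,
    least significant digit first, with symbol values 1..|sigma|."""
    base = len(sigma) + 1
    val = {a: i + 1 for i, a in enumerate(sigma)}
    return sum(val[a] * base ** i for i, a in enumerate(w))

sigma = ['a', 'b']                    # base 3: a -> 1, b -> 2
assert num('', sigma) == 0
assert num('ab', sigma) == 1 + 2 * 3  # first letter is the least significant digit
```

Since no digit is 0, distinct words get distinct numbers, which gives the bijection claimed above.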

Let M be a TM, and w be its input. We can transform w into a vector (num(w), 0, . . . , 0), which will be the input of a deterministic counter automaton A. We say that A simulates M if w is accepted by M if and only if the corresponding vector is accepted by A. We say that this simulation is in linear space if there exists a constant c such that if the space complexity of M is s on some input, then the space complexity of A on the corresponding input is cs.

The proof of the following proposition uses the techniques described in the proofs of [10, Theorem 4.3(a)] and [12, Theorem 2.4].

Proposition 3. For every one-tape TM M, there exists a deterministic 3-counter automaton A that simulates it in linear space.

Proof. The idea of the proof is as follows. Two counters of A, call them ℓ and r, represent the content of the tape of M to the left and to the right of the reading head. They are encoded similarly to the way we encode the input word. Namely, let w1aw2, where w1, w2 ∈ Σ<sup>∗</sup> and a ∈ Σ, be the content of the tape at some moment of time, with the working head in the position of the letter a. Denote by w<sub>1</sub><sup>R</sup> the reversal of the word w1. Then ℓ stores num(w<sub>1</sub><sup>R</sup>), r stores num(w2), and a is stored in the finite memory of the underlying finite automaton.

Now, to make a step to the left, we do the following. First, we need to add a to the end of the word encoded by the value of r. This is done by multiplying the value of r by |Σ|+1 and adding num(a) to it. Next, we need to extract the last letter of the word encoded by the value of ℓ, and remove this letter. To do so, we do the opposite of what we did for r: this letter is the residue of dividing the value of ℓ by |Σ|+1, and the new value of ℓ is the result of this division.

The reason we need the third counter x is to perform these multiplications and divisions. Namely, to divide the value of a counter ℓ by a constant c, we repeat the following until it is no longer possible: subtract c from the value of ℓ and add one to the value of x. When the value of ℓ becomes smaller than c, we get the result of the division in the counter x, and the remainder in ℓ. Multiplication by a constant is done similarly. Observe that by construction the largest value of a counter of A at any moment of time is at most (|Σ|+1)<sup>S</sup>, where S is the maximal amount of space M uses on the given input. The bit length of this number is linear in S, hence A simulates M in linear space. ⊓⊔
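The division-by-repeated-subtraction and the left step of the head described in the proof can be sketched at the level of counter values (helper names are ours):

```python
def divmod_counters(ell, c):
    """Divide counter ell by constant c using only subtraction and a third
    counter x: quotient ends up in x, remainder stays in ell."""
    x = 0
    while ell >= c:          # "repeat until no longer possible"
        ell -= c             # subtract c from ell ...
        x += 1               # ... and add one to x
    return x, ell

def step_left(ell, r, a, s):
    """One step to the left with tape alphabet of size s: append the current
    symbol a to r, then pop the last symbol of the left part ell."""
    r = r * (s + 1) + a                    # multiply r by |Sigma|+1, add num(a)
    q, rem = divmod_counters(ell, s + 1)   # divide ell by |Sigma|+1
    return q, r, rem                       # new ell, new r, new head symbol
```

For instance, `divmod_counters(17, 5)` yields the quotient 3 and remainder 2, matching ordinary integer division.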

By simulating U from Proposition 2 with a counter automaton A, we get the following statement.

Corollary 1. There exists a fxed 3-counter automaton A working in linear space such that the zero-reachability problem for it is PSPACE-complete.

For 2-counter automata, no such result is known. Informally speaking, such automata are exponentially slower than 3-counter automata: the known simulation requires storing the values of the three counters x, y, z as 2<sup>x</sup>3<sup>y</sup>5<sup>z</sup> [20]. They are also less expressive: for example, 2-counter automata cannot compute the function 2<sup>n</sup> [24], while for 3-counter automata this is trivial. It is worth noting that the developments of the next subsection imply that a lower bound for fixed 2-counter automata translates into a lower bound for fixed 4-VASS.
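The classical Gödel-style packing of three counters into one number, mentioned above, can be sketched as follows (the second counter of the 2-counter machine serves as scratch space for the multiplications and divisions; only the encoding itself is shown):

```python
def encode(x, y, z):
    """Pack three counters into a single number 2^x * 3^y * 5^z."""
    return 2 ** x * 3 ** y * 5 ** z

def decode(n):
    """Recover (x, y, z) by counting how often each prime divides n."""
    counts = []
    for p in (2, 3, 5):
        c = 0
        while n % p == 0:
            n //= p
            c += 1
        counts.append(c)
    return tuple(counts)

assert decode(encode(4, 1, 2)) == (4, 1, 2)
```

Incrementing a counter becomes multiplication by its prime, decrementing becomes division, and a zero test becomes a divisibility test, which is where the exponential slowdown comes from.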

#### 5.3 From counter automata to VASS

To go from a counter automaton to a VASS, we need to simulate zero tests with a VASS. In general, this is not possible. However, the space complexity of the counter automaton in Corollary 1 is linear, so the values of all its counters are bounded by a polynomial in the bit length of the input. The number of zero tests A performs does not exceed its time complexity, which is at most exponential in the space complexity. However, this is not a problem, since all the values are provided and stored in binary. The bit length of the number of zero tests is thus polynomial in the input, and hence the testing counters described in Section 3 can be initialised with a polynomial-time reduction, yielding PSPACE-hardness of the zero-reachability problem for fixed 8-VASS.

Moreover, a more advanced technique of quadratic pairs described in [7] allows us to deduce the same result for 5-VASS. Namely, a slight variation of [7, Lemma 2.7] states that, given a 3-counter automaton A working in linear space, one can construct a 5-VASS V such that fixed zero-reachability in A can be reduced in polynomial time to fixed zero-reachability in V. The same reasoning as before shows that we can initialise the counters of V to account for enough zero tests. Hence we get the main result of this section.

Theorem 2. There exists a fixed 5-VASS such that the Fixed VASS zero-reachability problem for it is PSPACE-hard assuming that the input configuration is given in binary.

By Remark 1, and by further inspecting the construction in [7, Lemma 2.7], together with the PSPACE upper bound for coverability in fixed VASS with configurations given in binary established in [22], we moreover obtain the following corollary.

Corollary 2. There exists a fixed 6-VASS such that the Fixed VASS coverability problem for it is PSPACE-complete assuming that the input configurations are given in binary.

Acknowledgements. We would like to thank anonymous reviewers for their useful comments on the content and presentation of the paper. This work is part of a project that has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (Grant agreement No. 852769, ARiAT).

## References


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## From Innermost to Full Almost-Sure Termination of Probabilistic Term Rewriting<sup>⋆</sup>

Jan-Christoph Kassing(B), Florian Frohn(B), and Jürgen Giesl(B)

LuFG Informatik 2, RWTH Aachen University, Aachen, Germany {kassing,florian.frohn}@cs.rwth-aachen.de, giesl@informatik.rwth-aachen.de

Abstract. There are many evaluation strategies for term rewrite systems, but proving termination automatically is usually easiest for innermost rewriting. Several syntactic criteria exist for when innermost termination implies full termination. We adapt these criteria to the probabilistic setting, e.g., we show when it suffices to analyze almost-sure termination (AST) w.r.t. innermost rewriting to prove full AST of probabilistic term rewrite systems. These criteria also apply to other notions of termination like positive AST. We implemented and evaluated our new contributions in the tool AProVE.

## 1 Introduction

Termination analysis is one of the main tasks in program verification, and techniques and tools to analyze termination of term rewrite systems (TRSs) automatically have been studied for decades. While a direct application of classical reduction orderings is often too weak, these orderings can be used successfully within the dependency pair (DP) framework [3, 20]. This framework allows for modular termination proofs by decomposing the original termination problem into sub-problems whose termination can then be analyzed independently using different techniques. Thus, DPs are used in essentially all current termination tools for TRSs (e.g., AProVE [21], MuTerm [25], NaTT [46], TTT2 [33]). To allow certification of termination proofs with DPs, they have been formalized in several proof assistants and there exist several corresponding certification tools for termination proofs with DPs (e.g., CeTA [43]).

On the other hand, probabilistic programs are used to describe randomized algorithms and probability distributions, with applications in many areas, see, e.g., [23]. To use TRSs also for such programs, probabilistic term rewrite systems (PTRSs) were introduced in [4, 9, 10]. In the probabilistic setting, there are several notions of "termination". In this paper, we mostly focus on analyzing almost-sure termination (AST), i.e., we want to prove automatically that the probability for termination is 1.

<sup>⋆</sup> funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - 235950644 (Project GI 274/6-2) and the DFG Research Training Group 2236 UnRAVeL

Supplementary Information The online version contains supplementary material available at https://doi.org/10.1007/978-3-031-57231-9 10.

While there exist many automatic approaches to prove (P)AST of imperative programs on numbers (e.g., [2, 5, 11, 16, 22, 26–28, 36–38, 40]), there are only few automatic approaches for programs with complex non-tail recursive structure [8, 12, 13]. The approaches that are also suitable for algorithms on recursive data structures [7, 35, 45] are mostly specialized for specific data structures and cannot easily be adjusted to other (possibly user-defined) ones, or are not yet fully automated.

For innermost AST (i.e., AST restricted to rewrite sequences where one only evaluates at innermost positions), we recently presented an adaption of the DP framework which allows us to benefit from a similar modularity as in the non-probabilistic setting [29, 32]. Unfortunately, no such modular powerful approach is available for full AST (i.e., AST when considering arbitrary rewrite sequences). Up to now, full AST of PTRSs can only be proved via a direct application of orderings [4, 29], but there is no corresponding adaption of dependency pairs. (As explained in [29], a DP framework to analyze full instead of innermost AST would be "considerably more involved".) Indeed, also in the non-probabilistic setting, innermost termination is usually substantially easier to prove than full termination, see, e.g., [3, 20]. To lift innermost termination proofs to full rewriting, there exist several sufficient criteria in the non-probabilistic setting which ensure that innermost termination implies full termination [24].

Up to now, no such results were known in the probabilistic setting. Our paper presents the first sufficient criteria for PTRSs which ensure that AST coincides for full and innermost rewriting, and we also show similar results for other rewrite strategies like leftmost-innermost rewriting. We focus on criteria that can be checked automatically, so we can combine our results with the DP framework for proving innermost AST of PTRSs [29, 32]. In this way, we obtain a powerful, modular technique that can also prove AST for full rewriting automatically.

We will also consider the stronger notion of positive almost-sure termination (PAST) [10, 42], which requires that the expected runtime is finite, and show that our criteria for the relationship between full and innermost probabilistic rewriting hold for PAST as well. In contrast to AST, PAST is not modular, i.e., the sequential composition of two programs that are PAST may yield a program that is not PAST (see, e.g., [27]). Therefore, up to now there is no variant of DPs that allows proving PAST of PTRSs; there only exist techniques to apply polynomial or matrix orderings directly [4].

We start with preliminaries on term rewriting in Sect. 2. Then we recapitulate PTRSs based on [4, 10, 14, 15, 29] in Sect. 3. In Sect. 4 we show that the properties of [24] that ensure equivalence of innermost and full termination do not suffice in the probabilistic setting, and we extend them accordingly. In particular, we show that innermost and full AST coincide for PTRSs that are non-overlapping and linear. This result also holds for PAST, as well as for strategies like leftmost-innermost evaluation. In Sect. 5 we show how to weaken the linearity requirement in order to prove full AST for larger classes of PTRSs. The implementation of our criteria in the tool AProVE is evaluated in Sect. 6. We refer to [30] for all proofs.

## 2 Preliminaries

We assume familiarity with term rewriting [6] and regard (possibly infinite) TRSs over a (possibly infinite) signature Σ and a set of variables V. As an example, consider the TRS R<sub>d</sub> that doubles a natural number (represented by the symbols s and O) with the rewrite rules d(s(x)) → s(s(d(x))) and d(O) → O. A TRS R induces a rewrite relation →<sub>R</sub> ⊆ T(Σ, V) × T(Σ, V) on terms where s →<sub>R</sub> t holds if there is a position π, a rule ℓ → r ∈ R, and a substitution σ such that s|<sub>π</sub> = ℓσ and t = s[rσ]<sub>π</sub>. A rewrite step s →<sub>R</sub> t is an innermost rewrite step (denoted s <sup>i</sup>→<sub>R</sub> t) if all proper subterms of the used redex ℓσ are in normal form w.r.t. R (i.e., they do not contain redexes themselves and thus cannot be reduced with →<sub>R</sub>). For example, we have d(s(d(s(O)))) <sup>i</sup>→<sub>R<sub>d</sub></sub> d(s(s(s(d(O))))).
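As a concrete illustration (our own sketch, not part of the paper's formalism), innermost rewriting with R<sub>d</sub> can be written in a few lines of Python, representing terms as nested tuples over the symbols d, s, and O:

```python
# Sketch of innermost rewriting for the TRS R_d with the rules
# d(s(x)) -> s(s(d(x))) and d(O) -> O, using nested tuples as terms.

def innermost_step(t):
    """Try one innermost rewrite step; return (new_term, stepped?)."""
    if isinstance(t, tuple):
        head, *args = t
        # Innermost strategy: first try to rewrite inside the arguments.
        for i, a in enumerate(args):
            a2, stepped = innermost_step(a)
            if stepped:
                return (head, *args[:i], a2, *args[i + 1:]), True
        # All proper subterms are normal forms: try a root step.
        if head == 'd':
            arg = args[0]
            if arg == 'O':                                  # d(O) -> O
                return 'O', True
            if isinstance(arg, tuple) and arg[0] == 's':    # d(s(x)) -> s(s(d(x)))
                return ('s', ('s', ('d', arg[1]))), True
    return t, False

def normalize(t):
    stepped = True
    while stepped:
        t, stepped = innermost_step(t)
    return t

# Doubling 2: d(s(s(O))) normalizes to s(s(s(s(O)))).
print(normalize(('d', ('s', ('s', 'O')))))
```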

Let < be the prefix ordering on positions and let ≤ be its reflexive closure. Then for two parallel positions τ and π we define τ ≺ π if we have i < j for the unique i, j such that χ.i ≤ τ and χ.j ≤ π, where χ is the longest common prefix of τ and π. An innermost rewrite step s <sup>i</sup>→<sub>R</sub> t at position π is leftmost (denoted s <sup>li</sup>→<sub>R</sub> t) if there exists no redex at a position τ with τ ≺ π.

We call a TRS R strongly (innermost / leftmost innermost) normalizing (SN / iSN / liSN) if →<sub>R</sub> (<sup>i</sup>→<sub>R</sub> / <sup>li</sup>→<sub>R</sub>) is well founded. SN is also called "terminating", and iSN / liSN are called "innermost / leftmost innermost terminating". If every term t ∈ T(Σ, V) has a normal form (i.e., we have t →<sup>∗</sup><sub>R</sub> t′ where t′ is in normal form), then we call R weakly normalizing (WN). Two terms s, t are joinable via R (denoted s ↓<sub>R</sub> t) if there exists a term w such that s →<sup>∗</sup><sub>R</sub> w ←<sup>∗</sup><sub>R</sub> t. Two rules ℓ<sub>1</sub> → r<sub>1</sub>, ℓ<sub>2</sub> → r<sub>2</sub> ∈ R with renamed variables such that V(ℓ<sub>1</sub>) ∩ V(ℓ<sub>2</sub>) = ∅ are overlapping if there exists a non-variable position π of ℓ<sub>1</sub> such that ℓ<sub>1</sub>|<sub>π</sub> and ℓ<sub>2</sub> are unifiable with an mgu σ. If (ℓ<sub>1</sub> → r<sub>1</sub>) = (ℓ<sub>2</sub> → r<sub>2</sub>), then we require that π ≠ ε. R is non-overlapping (NO) if it has no overlapping rules. As an example, the TRS R<sub>d</sub> is non-overlapping. A TRS is left-linear (LL) (right-linear, RL) if every variable occurs at most once in the left-hand side (right-hand side) of a rule. A TRS is linear if it is both left- and right-linear. A TRS is non-erasing (NE) if in every rule, all variables of the left-hand side also occur in the right-hand side.

Next, we recapitulate the relations between iSN, SN, liSN, and WN in the non-probabilistic setting. We start with the relation between iSN and SN.

Counterexample 1 (Toyama's Counterexample [44]). The TRS R<sub>1</sub> with the rules f(a, b, x) → f(x, x, x), g → a, and g → b is not SN since we have f(a, b, g) →<sub>R<sub>1</sub></sub> f(g, g, g) →<sub>R<sub>1</sub></sub> f(a, g, g) →<sub>R<sub>1</sub></sub> f(a, b, g) →<sub>R<sub>1</sub></sub> . . . But the only innermost rewrite sequences starting with f(a, b, g) are f(a, b, g) <sup>i</sup>→<sub>R<sub>1</sub></sub> f(a, b, a) <sup>i</sup>→<sub>R<sub>1</sub></sub> f(a, a, a) and f(a, b, g) <sup>i</sup>→<sub>R<sub>1</sub></sub> f(a, b, b) <sup>i</sup>→<sub>R<sub>1</sub></sub> f(b, b, b), i.e., both reach normal forms in the end. Thus, R<sub>1</sub> is iSN, as we have to rewrite the inner g before we can use the f-rule.

The first property known to ensure equivalence of SN and iSN is orthogonality. A TRS is orthogonal if it is non-overlapping and left-linear.

Theorem 2 (From iSN to SN (1), [41]). If a TRS R is orthogonal, then R is SN if R is iSN.

Then, in [24] it was shown that one can remove the left-linearity requirement.

Theorem 3 (From iSN to SN (2), [24]). If a TRS R is non-overlapping, then R is SN if R is iSN.

Finally, [24] also refined Thm. 3 further. A TRS R is an overlay system (OS) if its rules may only overlap at the root position, i.e., π = ε. For Ex. 1 one can see that the overlaps occur at non-root positions, i.e., R<sub>1</sub> is not an overlay system. Furthermore, a TRS is locally confluent (or weakly Church-Rosser, abbreviated WCR) if for all terms s, t<sub>1</sub>, t<sub>2</sub> such that t<sub>1</sub> ←<sub>R</sub> s →<sub>R</sub> t<sub>2</sub>, the terms t<sub>1</sub> and t<sub>2</sub> are joinable. So R<sub>1</sub> is not WCR, as we have f(a, b, a) ←<sub>R<sub>1</sub></sub> f(a, b, g) →<sub>R<sub>1</sub></sub> f(a, b, b), but f(a, b, a) ̸↓<sub>R<sub>1</sub></sub> f(a, b, b). If a TRS has both of these properties, then iSN and SN are again equivalent.

Theorem 4 (From iSN to SN (3), [24]). If a TRS R is a locally confluent overlay system, then R is SN if R is iSN.

Thm. 4 is stronger than Thm. 3 as every non-overlapping TRS is a locally confluent overlay system. We recapitulate the relation between WN and SN next.

Counterexample 5. Consider the TRS R<sub>2</sub> with the rules f(x) → b and a → f(a). This TRS is not SN since we can always rewrite the inner a to get a →<sub>R<sub>2</sub></sub> f(a) →<sub>R<sub>2</sub></sub> f(f(a)) →<sub>R<sub>2</sub></sub> . . ., but it is WN since we can instead rewrite the outer f(. . .) before applying the a-rule twice, resulting in the term b, which is a normal form. For the TRS R<sub>3</sub> with the rules f(a) → b and a → f(a), the situation is similar.

The TRS R<sub>2</sub> from Ex. 5 is erasing and R<sub>3</sub> is overlapping. For TRSs with neither of those two properties, SN and WN are equivalent.

Theorem 6 (From WN to SN [24]). If a TRS R is non-overlapping and non-erasing, then R is SN if R is WN.

Finally, we look at the difference between innermost rewriting and rewrite strategies that additionally impose an ordering on parallel redexes, like leftmost innermost rewriting. It turns out that such an ordering does not interfere with termination at all.

Theorem 7 (From liSN to iSN [34]). For all TRSs R we have that R is iSN if R is liSN.

The relations between the different properties for non-probabilistic TRSs (given in Thm. 4, 6, and 7) are summarized below.

## 3 Probabilistic Term Rewriting

In this section, we recapitulate probabilistic TRSs [4, 10, 29]. In contrast to TRSs, a PTRS has finite multi-distributions<sup>1</sup> on the right-hand sides of its rewrite rules.<sup>2</sup> A finite multi-distribution µ on a set A ≠ ∅ is a finite multiset of pairs (p : a), where 0 < p ≤ 1 is a probability and a ∈ A, such that Σ<sub>(p:a)∈µ</sub> p = 1. FDist(A) is the set of all finite multi-distributions on A. For µ ∈ FDist(A), its support is the multiset Supp(µ) = {a | (p : a) ∈ µ for some p}. A probabilistic rewrite rule is a pair ℓ → µ ∈ T(Σ, V) × FDist(T(Σ, V)) such that ℓ ∉ V and V(r) ⊆ V(ℓ) for every r ∈ Supp(µ). A probabilistic TRS (PTRS) is a (possibly infinite) set S of probabilistic rewrite rules. Similar to TRSs, the PTRS S induces a rewrite relation →<sub>S</sub> ⊆ T(Σ, V) × FDist(T(Σ, V)) where s →<sub>S</sub> {p<sub>1</sub> : t<sub>1</sub>, . . . , p<sub>k</sub> : t<sub>k</sub>} if there is a position π, a rule ℓ → {p<sub>1</sub> : r<sub>1</sub>, . . . , p<sub>k</sub> : r<sub>k</sub>} ∈ S, and a substitution σ such that s|<sub>π</sub> = ℓσ and t<sub>j</sub> = s[r<sub>j</sub>σ]<sub>π</sub> for all 1 ≤ j ≤ k. We call s →<sub>S</sub> µ an innermost rewrite step (denoted s <sup>i</sup>→<sub>S</sub> µ) if all proper subterms of the used redex ℓσ are in normal form w.r.t. S. We have s <sup>li</sup>→<sub>S</sub> µ if the rewrite step s <sup>i</sup>→<sub>S</sub> µ at position π is leftmost (i.e., there is no redex at a position τ with τ ≺ π). For example, the PTRS S<sub>rw</sub> with the only rule g → {1/2 : c(g, g), 1/2 : ⊥} corresponds to a symmetric random walk on the number of g-symbols in a term.
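The random-walk reading of S<sub>rw</sub> can be illustrated with a small Monte-Carlo sketch (our own illustration, not from the paper): we abstract a term to its number of g-symbols, assuming each rewrite step replaces one g by two g's (probability 1/2, via c(g, g)) or by none (probability 1/2, via ⊥):

```python
# Monte-Carlo sketch of S_rw: the number of g-symbols performs a symmetric
# random walk (+1 with probability 1/2, -1 with probability 1/2), which
# reaches 0 (a normal form) with probability 1, but only after an
# unbounded expected number of steps.
import random

def reaches_normal_form(seed, max_steps=10**5):
    rng = random.Random(seed)
    gs, steps = 1, 0                      # the start term g has one g-symbol
    while gs > 0 and steps < max_steps:
        gs += 1 if rng.random() < 0.5 else -1
        steps += 1
    return gs == 0                        # True if a normal form was reached in budget

terminated = sum(reaches_normal_form(seed) for seed in range(1000))
print(terminated)  # the vast majority of the 1000 runs terminate
```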

As in [4, 14, 15, 29], we lift →<sub>S</sub> to a rewrite relation between multi-distributions in order to track all probabilistic rewrite sequences (up to non-determinism) at once. For any 0 < p ≤ 1 and any µ ∈ FDist(A), let p·µ = {(p·q : a) | (q : a) ∈ µ}.

Definition 8 (Lifting). The lifting ⇒ ⊆ FDist(T(Σ, V)) × FDist(T(Σ, V)) of a relation → ⊆ T(Σ, V) × FDist(T(Σ, V)) is the smallest relation with:

- {1 : t} ⇒ {1 : t} if t ∈ T(Σ, V) is in normal form,
- {1 : t} ⇒ µ if t → µ, and
- if µ<sub>j</sub> ⇒ ν<sub>j</sub> for all 1 ≤ j ≤ k, 0 < p<sub>j</sub> ≤ 1, and Σ<sub>1≤j≤k</sub> p<sub>j</sub> = 1, then ⋃<sub>1≤j≤k</sub> p<sub>j</sub>·µ<sub>j</sub> ⇒ ⋃<sub>1≤j≤k</sub> p<sub>j</sub>·ν<sub>j</sub>.
For a PTRS S, we write ⇒<sub>S</sub>, <sup>i</sup>⇒<sub>S</sub>, and <sup>li</sup>⇒<sub>S</sub> for the liftings of →<sub>S</sub>, <sup>i</sup>→<sub>S</sub>, and <sup>li</sup>→<sub>S</sub>, respectively.

Example 9. We obtain the following ⇒<sub>S<sub>rw</sub></sub>-rewrite sequence (which is also an <sup>i</sup>⇒<sub>S<sub>rw</sub></sub>-sequence, but not a <sup>li</sup>⇒<sub>S<sub>rw</sub></sub>-sequence).

{1 : g} ⇒<sub>S<sub>rw</sub></sub> {1/2 : c(g, g), 1/2 : ⊥} ⇒<sub>S<sub>rw</sub></sub> {1/4 : c(c(g, g), g), 1/4 : c(⊥, g), 1/2 : ⊥} ⇒<sub>S<sub>rw</sub></sub> {1/8 : c(c(g, g), c(g, g)), 1/8 : c(c(g, g), ⊥), 1/8 : c(⊥, c(g, g)), 1/8 : c(⊥, ⊥), 1/2 : ⊥}

<sup>1</sup> The restriction to finite multi-distributions allows us to simplify the handling of PTRSs in the proofs.

<sup>2</sup> A different form of probabilistic rewrite rules was proposed in PMaude [1], where numerical extra variables in right-hand sides of rules are instantiated according to a probability distribution.

To express the concept of almost-sure termination, one has to determine the probability of normal forms in a multi-distribution.

Definition 10 (|µ|<sub>S</sub>). For a PTRS S, NF<sub>S</sub> ⊆ T(Σ, V) denotes the set of all normal forms w.r.t. S. For any µ ∈ FDist(T(Σ, V)), let |µ|<sub>S</sub> = Σ<sub>(p:t)∈µ, t∈NF<sub>S</sub></sub> p.

Example 11. Consider µ = {1/8 : c(c(g, g), c(g, g)), 1/8 : c(c(g, g), ⊥), 1/8 : c(⊥, c(g, g)), 1/8 : c(⊥, ⊥), 1/2 : ⊥} from Ex. 9. Then |µ|<sub>S<sub>rw</sub></sub> = 1/8 + 1/2 = 5/8, since c(⊥, ⊥) and ⊥ are both normal forms w.r.t. S<sub>rw</sub>.
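The value |µ|<sub>S<sub>rw</sub></sub> = 5/8 can also be checked mechanically. The following sketch (our own illustration) abstracts each term to its number of g-symbols (so ⊥ and c-only terms count as 0, i.e., normal forms) and applies the lifted rewrite relation three times, starting from µ<sub>0</sub> = {1 : g}:

```python
# Exact computation of the distributions µ_n from Ex. 9, abstracted to
# g-symbol counts. Each lifted step rewrites one g in every term that is
# not a normal form; normal forms are kept unchanged.
from collections import defaultdict
from fractions import Fraction as F

def lifted_step(mu):
    nxt = defaultdict(F)
    for gs, p in mu.items():
        if gs == 0:                   # normal form: kept unchanged
            nxt[0] += p
        else:                         # one g becomes c(g, g) or ⊥
            nxt[gs + 1] += p / 2
            nxt[gs - 1] += p / 2
    return dict(nxt)

mu = {1: F(1)}                        # µ_0 = {1 : g}
for _ in range(3):
    mu = lifted_step(mu)
nf_prob = mu.get(0, F(0))             # |µ_3|, the mass on normal forms
print(nf_prob)                        # 5/8, as in Ex. 11
```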

Definition 12 (AST). Let S be a PTRS and ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub> be an infinite ⇒<sub>S</sub>-rewrite sequence, i.e., µ<sub>n</sub> ⇒<sub>S</sub> µ<sub>n+1</sub> for all n ∈ N. We say that ⃗µ converges with probability lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S</sub>. S is almost-surely terminating (AST) (innermost AST (iAST) / leftmost innermost AST (liAST)) if lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S</sub> = 1 holds for every infinite ⇒<sub>S</sub>- (<sup>i</sup>⇒<sub>S</sub>- / <sup>li</sup>⇒<sub>S</sub>-) rewrite sequence (µ<sub>n</sub>)<sub>n∈N</sub>. To highlight the consideration of AST for full (instead of innermost) rewriting, we also speak of full AST (fAST) instead of "AST". We say that S is weakly AST (wAST) if for every term t there exists an infinite ⇒<sub>S</sub>-rewrite sequence (µ<sub>n</sub>)<sub>n∈N</sub> with lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S</sub> = 1 and µ<sub>0</sub> = {1 : t}.

Example 13. For every infinite extension (µ<sub>n</sub>)<sub>n∈N</sub> of the ⇒<sub>S<sub>rw</sub></sub>-rewrite sequence in Ex. 9, we have lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S<sub>rw</sub></sub> = 1. Indeed, S<sub>rw</sub> is fAST and thus also iAST, liAST, and wAST.

Next, we define positive almost-sure termination, which considers the expected derivation length edl(⃗µ) of a rewrite sequence ⃗µ, i.e., the expected number of steps until one reaches a normal form. For PAST, we require that the expected derivation lengths of all possible rewrite sequences are finite. In the following definition, (1 − |µ<sub>n</sub>|<sub>S</sub>) is the probability of terms that are not in normal form w.r.t. S after the n-th step.

Definition 14 (edl, PAST). Let S be a PTRS and ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub> be an infinite ⇒<sub>S</sub>-rewrite sequence. By edl(⃗µ) = Σ<sup>∞</sup><sub>n=0</sub> (1 − |µ<sub>n</sub>|<sub>S</sub>) we denote the expected derivation length of ⃗µ. S is positively almost-surely terminating (PAST) (innermost PAST (iPAST) / leftmost innermost PAST (liPAST)) if edl(⃗µ) is finite for every infinite ⇒<sub>S</sub>- (<sup>i</sup>⇒<sub>S</sub>- / <sup>li</sup>⇒<sub>S</sub>-) rewrite sequence ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub>.<sup>3</sup> Again, we also speak of full PAST (fPAST) when considering PAST for the full rewrite relation ⇒<sub>S</sub>. We say that S is weakly PAST (wPAST) if for every term t there exists an infinite ⇒<sub>S</sub>-rewrite sequence ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub> such that edl(⃗µ) is finite and µ<sub>0</sub> = {1 : t}.

It is well known that PAST implies AST, but not vice versa.

Example 15. For every infinite extension ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub> of the ⇒<sub>S<sub>rw</sub></sub>-rewrite sequence in Ex. 9, the expected derivation length edl(⃗µ) is infinite; hence S<sub>rw</sub> is not PAST w.r.t. any of the strategies regarded in this paper.

<sup>3</sup> This definition is from [4], where it is also explained why this definition of PAST is equivalent to the one of, e.g., [10].

In [4, 18], PAST was strengthened further to bounded or strong almost-sure termination (SAST). Indeed, our results on PAST can also be adapted to SAST (see [30]).

Many properties of TRSs from Sect. 2 can be lifted to PTRSs in a straightforward way: A PTRS S is right-linear (non-erasing) if the TRS {ℓ → r | ℓ → µ ∈ S, r ∈ Supp(µ)} has the respective property. Moreover, all properties that just consider the left-hand sides, e.g., left-linearity, being non-overlapping, orthogonality, and being an overlay system, can be lifted to PTRSs directly as well, since their rules again only have a single left-hand side.

## 4 Relating Variants of AST

Our goal is to relate AST of full rewriting to restrictions of fAST, i.e., to iAST (Sect. 4.1), wAST (Sect. 4.2), and liAST (Sect. 4.3). More precisely, we want to find properties of PTRSs which are suitable for automated checking and which guarantee that two variants of AST are equivalent. Then, for example, we can use existing tools that analyze iAST in order to prove fAST. Clearly, we have to impose at least the same requirements as in the non-probabilistic setting, as every TRS R can be transformed into a PTRS S by replacing every rule ℓ → r with ℓ → {1 : r}. Then R is SN / iSN / liSN if S is fAST / iAST / liAST. While we mostly focus on AST, all results and counterexamples in this section also hold for PAST.

#### 4.1 From iAST to fAST

Again, we start by analyzing the relation between iAST and fAST. The following example shows that Thm. 2 does not carry over to the probabilistic setting, i.e., orthogonality is not sufficient to ensure that iAST implies fAST.

Counterexample 16 (Orthogonality Does Not Suffice). Consider the orthogonal PTRS S<sub>1</sub> with the two rules:

$$\mathsf{g} \to \{3/4 : \mathsf{d}(\mathsf{g}),\ 1/4 : \bot\} \qquad\qquad \mathsf{d}(x) \to \{1 : \mathsf{c}(x, x)\}$$

This PTRS is not fAST (and thus also not fPAST), as we have {1 : g} ⇒<sup>2</sup><sub>S<sub>1</sub></sub> {3/4 : c(g, g), 1/4 : ⊥}, which corresponds to a random walk biased towards non-termination (since 3/4 > 1/2).
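This bias can be made quantitative with a numeric sketch (our own illustration): alternating the g- and d-rules makes the number of g-symbols a random walk that increases with probability 3/4 and decreases with probability 1/4, so the probability of ever reaching a normal form is only (1/4)/(3/4) = 1/3 < 1:

```python
# Numeric sketch for Ex. 16: iterate the distribution of the number of
# g-symbols (up with probability 3/4, down with probability 1/4) and
# watch the normal-form probability stabilize near 1/3 instead of 1.
from collections import defaultdict

def biased_step(mu, p_up=0.75):
    nxt = defaultdict(float)
    for gs, p in mu.items():
        if gs == 0:                   # normal form reached
            nxt[0] += p
        else:
            nxt[gs + 1] += p * p_up
            nxt[gs - 1] += p * (1 - p_up)
    return dict(nxt)

mu = {1: 1.0}
for _ in range(200):
    mu = biased_step(mu)
print(round(mu[0], 3))  # 0.333: termination probability bounded away from 1
```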

However, the d-rule can only duplicate normal forms in innermost evaluations. To see that S<sub>1</sub> is iPAST (and thus also iAST), consider the following rewrite sequence ⃗µ:

$$\{1 : \mathsf{g}\}\ \overset{\mathrm{i}}{\Rightarrow}_{\mathcal{S}_1}\ \{3/4 : \mathsf{d}(\mathsf{g}),\ 1/4 : \bot\}\ \overset{\mathrm{i}}{\Rightarrow}_{\mathcal{S}_1}\ \{(3/4)^2 : \mathsf{d}(\mathsf{d}(\mathsf{g})),\ 1/4 \cdot 3/4 : \mathsf{d}(\bot),\ 1/4 : \bot\}\ \overset{\mathrm{i}}{\Rightarrow}_{\mathcal{S}_1}\ \ldots$$

We can also view this rewrite sequence as a tree:

The branch to the right that starts with ⊥ stops after 0 innermost steps, the branch that starts with d(⊥) stops after 1 innermost step, the branch that starts with d(d(⊥)) stops after 2 innermost steps, and so on. So if we start with the term d<sup>n</sup>(⊥), then we reach a normal form after n steps, and we reach d<sup>n</sup>(⊥) after n + 1 steps from the initial term g, where d<sup>n</sup>(⊥) = d(. . .(d(⊥)). . .) with n nested d-symbols. Hence, for every k ∈ N we have |µ<sub>2·k+1</sub>|<sub>S<sub>1</sub></sub> = |µ<sub>2·k+2</sub>|<sub>S<sub>1</sub></sub> = Σ<sup>k</sup><sub>n=0</sub> 1/4 · (3/4)<sup>n</sup> and thus

$$\begin{array}{rl} \mathrm{edl}(\vec{\mu}) = \sum_{n=0}^{\infty} \big(1 - |\mu_n|_{\mathcal{S}_1}\big) &= 1 + 2 \cdot \sum_{k \in \mathbb{N}} \big(1 - |\mu_{2 \cdot k + 1}|_{\mathcal{S}_1}\big) \\ &= 1 + 2 \cdot \sum_{k \in \mathbb{N}} \big(1 - \sum_{n=0}^{k} 1/4 \cdot (3/4)^n\big) \;=\; 1 + 2 \cdot \sum_{k \in \mathbb{N}} (3/4)^{k+1} \\ &= \big(2 \cdot \sum_{k \in \mathbb{N}} (3/4)^k\big) - 1 \;=\; 7 \end{array}$$

Analogously, in all other innermost rewrite sequences, the d-rule can also only duplicate normal forms. Thus, all possible innermost rewrite sequences have finite expected derivation length. Therefore, S<sub>1</sub> is iPAST and thus also iAST. The latter can also be proved automatically by our implementation of the probabilistic DP framework for iAST [29] in AProVE.
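The value edl(⃗µ) = 7 can also be checked numerically (our own sanity check, truncating the infinite sum):

```python
# Partial sums of edl for the innermost sequence of Ex. 16, using
# |µ_0| = 0 and |µ_{2k+1}| = |µ_{2k+2}| = sum_{n=0}^{k} 1/4 * (3/4)^n.
def nf_prob(m):
    if m == 0:
        return 0.0                    # µ_0 = {1 : g} contains no normal form
    k = (m - 1) // 2
    return sum(0.25 * 0.75 ** n for n in range(k + 1))

# Truncated expected derivation length; the tail beyond 2000 is negligible.
edl = sum(1 - nf_prob(m) for m in range(2000))
print(round(edl, 6))  # 7.0
```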

To construct a counterexample for AST of S<sub>1</sub>, we exploited the fact that S<sub>1</sub> is not right-linear. Indeed, requiring right-linearity yields our desired result. For reasons of space, here we only give a proof sketch. As mentioned, all full proofs can be found in [30].

Theorem 17 (From iAST/iPAST to fAST/fPAST (1)). If a PTRS S is orthogonal and right-linear (i.e., non-overlapping and linear), then:

$$\begin{aligned} \mathcal{S} \text{ is fAST} &\Longleftrightarrow \mathcal{S} \text{ is iAST}\\ \mathcal{S} \text{ is fPAST} &\Longleftrightarrow \mathcal{S} \text{ is iPAST} \end{aligned}$$

Proof Sketch. We only have to prove the non-trivial direction "⇐=". The proofs for all theorems in this section (for both AST and PAST) follow a similar structure. We always iteratively replace rewrite steps by steps that use the desired strategy and ensure that this does not increase the probability of termination (resp. the expected derivation length). For this replacement, we lift the corresponding construction from the non-probabilistic to the probabilistic setting. However, this cannot be done directly; instead, we have to regard the "limit" of a sequence of transformation steps.

We first consider fAST and iAST. Let S be a PTRS that is non-overlapping, linear, and not fAST. Thus, there exists an infinite rewrite sequence ⃗µ = (µ<sub>n</sub>)<sub>n∈N</sub> such that lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S</sub> = c for some c ∈ R with 0 ≤ c < 1. Our goal is to transform this sequence into an innermost sequence that converges with probability at most c. If the sequence is not yet an innermost one, then in (µ<sub>n</sub>)<sub>n∈N</sub> at least one rewrite step is performed with a redex that is not an innermost redex. Since S is non-overlapping, we can replace a first such non-innermost rewrite step with an innermost rewrite step, using a similar construction as in the non-probabilistic setting. In this way, we obtain a rewrite sequence ⃗µ<sup>(1)</sup> = (µ<sup>(1)</sup><sub>n</sub>)<sub>n∈N</sub> with lim<sub>n→∞</sub> |µ<sup>(1)</sup><sub>n</sub>|<sub>S</sub> = lim<sub>n→∞</sub> |µ<sub>n</sub>|<sub>S</sub> = c. Here, linearity is needed to ensure that the probability of termination does not increase during this replacement. We can then repeat this replacement for every non-innermost rewrite step, i.e., we again replace a first non-innermost rewrite step in (µ<sup>(1)</sup><sub>n</sub>)<sub>n∈N</sub> to obtain (µ<sup>(2)</sup><sub>n</sub>)<sub>n∈N</sub> with the same termination probability, etc. In the end, the limit lim<sub>i→∞</sub> (µ<sup>(i)</sup><sub>n</sub>)<sub>n∈N</sub> of all these rewrite sequences is an innermost rewrite sequence that converges with probability at most c < 1, and hence the PTRS S is not innermost AST.

For fPAST and iPAST, we start with an infinite rewrite sequence ⃗µ such that edl(⃗µ) = ∞. Again, we replace the first non-innermost rewrite step with an innermost rewrite step, using exactly the same construction as before, to obtain ⃗µ<sup>(1)</sup>, etc.: ⃗µ<sup>(1)</sup> does not only have the same termination probability as ⃗µ, but we also have edl(⃗µ<sup>(1)</sup>) ≥ edl(⃗µ). In the end, the limit lim<sub>i→∞</sub> ⃗µ<sup>(i)</sup> of all these rewrite sequences is an innermost rewrite sequence such that edl(lim<sub>i→∞</sub> ⃗µ<sup>(i)</sup>) ≥ edl(⃗µ) = ∞, and hence the PTRS S is not innermost PAST. ⊓⊔

One may wonder whether we can remove the left-linearity requirement from Thm. 17, as in the non-probabilistic setting. It turns out that this is not possible.

Counterexample 18 (Left-Linearity Cannot Be Removed). Consider the PTRS S<sub>2</sub> with the rules:

$$\mathsf{f}(x,x) \to \{1: \mathsf{f}(\mathsf{a},\mathsf{a})\} \qquad\qquad\qquad\qquad\qquad\mathsf{a} \to \{1/2: \mathsf{b},1/2: \mathsf{c}\}$$

S<sub>2</sub> is not fAST (hence also not fPAST), since {1 : f(a, a)} ⇒<sub>S<sub>2</sub></sub> {1 : f(a, a)} ⇒<sub>S<sub>2</sub></sub> . . . is an infinite rewrite sequence that converges with probability 0. However, it is iPAST (and hence iAST), since the corresponding innermost sequence has the form {1 : f(a, a)} <sup>i</sup>⇒<sub>S<sub>2</sub></sub> {1/2 : f(b, a), 1/2 : f(c, a)} <sup>i</sup>⇒<sub>S<sub>2</sub></sub> {1/4 : f(b, b), 1/4 : f(b, c), 1/4 : f(c, b), 1/4 : f(c, c)}. Here, the last distribution contains two normal forms f(b, c) and f(c, b) that did not occur in the previous rewrite sequence. Since all innermost rewrite sequences keep on adding such normal forms after a certain number of steps for each start term, they always have finite expected derivation length and thus converge with probability 1 (again, iAST can be shown automatically by AProVE). Note that adding the requirement of being non-erasing would not help to get rid of the left-linearity requirement either, as shown by the PTRS S<sub>3</sub>, which results from S<sub>2</sub> by replacing the f-rule with f(x, x) → {1 : d(f(a, a), x)}.
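The innermost behaviour of S<sub>2</sub> can also be simulated (our own sketch): both arguments of f(a, a) are rewritten independently to b or c, and only if they coincide can the f-rule fire again, so each round ends the run with probability 1/2:

```python
# Simulation of innermost rewriting for S_2 from Ex. 18: count how many
# times the f-rule can fire before a normal form f(b, c) / f(c, b) appears.
import random

def innermost_rounds(rng):
    rounds = 0
    while True:
        rounds += 1
        x, y = rng.choice('bc'), rng.choice('bc')   # the two a's rewrite independently
        if x != y:
            return rounds        # f(b, c) and f(c, b) are normal forms
        # x == y: f(x, x) matches the non-left-linear rule, back to f(a, a)

rng = random.Random(42)
avg = sum(innermost_rounds(rng) for _ in range(10000)) / 10000
print(avg)  # ≈ 2: finite expected number of rounds, matching iPAST
```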

The problem here is that although we rewrite both occurrences of a with the same rewrite rule, the two a-symbols can be replaced by two different terms (each with a probability > 0). This is impossible in the non-probabilistic setting.

Next, one could try to adapt Thm. 4 to the probabilistic setting (when requiring linearity in addition). So one could investigate whether iAST implies fAST for PTRSs that are linear locally confluent overlay systems. A PTRS S is locally confluent if for all multi-distributions µ, µ<sub>1</sub>, µ<sub>2</sub> such that µ<sub>1</sub> ⇐<sub>S</sub> µ ⇒<sub>S</sub> µ<sub>2</sub>, there exists a multi-distribution µ′ such that µ<sub>1</sub> ⇒<sup>∗</sup><sub>S</sub> µ′ ⇐<sup>∗</sup><sub>S</sub> µ<sub>2</sub>, see [14]. Note that in contrast to the non-probabilistic setting, there are non-overlapping PTRSs that are not locally confluent (e.g., the variant S′<sub>2</sub> of S<sub>2</sub> that consists of the rules f(x, x) → {1 : d} and a → {1/2 : b, 1/2 : c}, since we have {1 : d} ⇐<sub>S′<sub>2</sub></sub> {1 : f(a, a)} ⇒<sub>S′<sub>2</sub></sub> {1/2 : f(b, a), 1/2 : f(c, a)} and the two resulting multi-distributions are not joinable). Thus, such an adaptation of Thm. 4 would not subsume Thm. 17.

In contrast to the proof of Thm. 2, the proof of Thm. 4 relies on a minimality requirement for the used redex. In the non-probabilistic setting, whenever a term t starts an infinite rewrite sequence, then there exists a position π of t such that there is an infinite rewrite sequence of t starting with the redex t|<sub>π</sub>, but no infinite rewrite sequence of t starting with a redex at a position τ > π strictly below π. In other words, if t starts an infinite rewrite sequence, then there is a "minimal" infinite rewrite sequence starting in t, i.e., as soon as one reduces a proper subterm of one of the redexes in the sequence, one obtains a term which is terminating. However, such minimal infinite sequences do not always exist in the probabilistic setting.

Example 19 (No Minimal Infinite Rewrite Sequence for AST). Reconsider the PTRS S<sub>1</sub> from Ex. 16, which is not fAST. However, there is no "minimal" rewrite sequence with convergence probability < 1 such that one rewrite step at a proper subterm of a redex would modify the multi-distribution in such a way that afterwards only rewrite sequences with convergence probability 1 are possible. We have {1 : g} ⇒<sub>S<sub>1</sub></sub> {3/4 : d(g), 1/4 : ⊥}. In Ex. 16, we then alternated between the d- and the g-rule, resulting in a biased random walk, i.e., we obtained {3/4 : d(g), 1/4 : ⊥} ⇒<sub>S<sub>1</sub></sub> {3/4 : c(g, g), 1/4 : ⊥} ⇒<sub>S<sub>1</sub></sub> {3/4 : c(d(g), g), 1/4 : ⊥} ⇒<sub>S<sub>1</sub></sub> . . . The steps with the d-rule use redexes that have g as a proper subterm.

However, there does not exist any "minimal" non-fAST sequence. If we rewrite the proper subterm g of a redex d(g), then this still yields a multi-distribution that is not fAST, i.e., it can still start a rewrite sequence with convergence probability < 1. For example, we have {3/4 : d(g), 1/4 : ⊥} ⇒<sub>S<sub>1</sub></sub> {(3/4)<sup>2</sup> : d(d(g)), 1/4 · 3/4 : d(⊥), 1/4 : ⊥}, but the obtained multi-distribution still contains the subterm g, and thus one can still continue the rewrite sequence in such a way that its convergence probability is < 1. Again, the same example also shows that there is no "minimal" non-fPAST sequence.

It remains open whether one can also adapt Thm. 4 to the probabilistic setting (e.g., whether one can replace non-overlappingness in Thm. 17 by the requirement of locally confluent overlay systems). There are two main difficulties when trying to adapt the proof of this theorem to PTRSs. First, the minimality requirement cannot be imposed in the probabilistic setting, as discussed above. In the non-probabilistic setting, this requirement is needed to ensure that rewriting below a position that was reduced in the original (minimal) infinite rewrite sequence leads to a strongly normalizing rewrite sequence. Second, the original proof of Thm. 4 uses Newman's Lemma [39], which states that local confluence implies confluence for strongly normalizing terms t, and thus it implies that t has a unique normal form. Local confluence and adaptations of the unique normal form property for the probabilistic setting have been studied in [14, 15], which concluded that obtaining an analogous statement to Newman's Lemma for PTRSs that are AST (or PAST) would be very difficult. The reason is that one cannot use well-founded induction on the length of a rewrite sequence of a PTRS that is AST (or PAST), since these rewrite sequences may be infinite.

#### 4.2 From wAST to fAST

Next, we investigate wAST. Since iAST implies wAST, we essentially have the same problems as for innermost AST, i.e., in addition to non-overlappingness, we need linearity, as seen in Ex. 16 and 18: S<sub>1</sub> and S<sub>3</sub> are iAST (and hence wAST) but not fAST, while they are non-overlapping and non-erasing, but not linear. Furthermore, we need non-erasingness, as in the non-probabilistic setting, for the same reasons, see Ex. 5.

Theorem 20 (From wAST/wPAST to fAST/fPAST). If a PTRS S is non-overlapping, linear, and non-erasing, then

$$\begin{aligned} \mathcal{S} \text{ is fAST} &\Longleftrightarrow \mathcal{S} \text{ is wAST}\\ \mathcal{S} \text{ is fPAST} &\Longleftrightarrow \mathcal{S} \text{ is wPAST} \end{aligned}$$

#### 4.3 From liAST to fAST

Finally, we look at leftmost-innermost AST as an example for a rewrite strategy that uses an ordering for parallel redexes. In contrast to the non-probabilistic setting, it turns out that liAST and iAST are not equivalent in general. The counterexample is similar to Ex. 18, which illustrated that fAST and iAST are not equivalent without left-linearity.

Counterexample 21. Consider the PTRS S<sub>4</sub> with the five rules:

$$\begin{aligned} \mathsf{a} &\to \{1 : \mathsf{c}_1\} & \mathsf{b} &\to \{1/2 : \mathsf{d}_1,\ 1/2 : \mathsf{d}_2\}\\ \mathsf{a} &\to \{1 : \mathsf{c}_2\} & \mathsf{f}(\mathsf{c}_1, \mathsf{d}_1) &\to \{1 : \mathsf{f}(\mathsf{a}, \mathsf{b})\}\\ & & \mathsf{f}(\mathsf{c}_2, \mathsf{d}_2) &\to \{1 : \mathsf{f}(\mathsf{a}, \mathsf{b})\} \end{aligned}$$

This PTRS is not iAST (and hence not iPAST), since there exists the infinite rewrite sequence $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{b})\} \overset{i}{\Rightarrow}_{\mathcal{S}_4} \{1/2 : \mathsf{f}(\mathsf{a}, \mathsf{d}_1),\ 1/2 : \mathsf{f}(\mathsf{a}, \mathsf{d}_2)\} \overset{i}{\Rightarrow}^2_{\mathcal{S}_4} \{1/2 : \mathsf{f}(\mathsf{c}_1, \mathsf{d}_1),\ 1/2 : \mathsf{f}(\mathsf{c}_2, \mathsf{d}_2)\} \overset{i}{\Rightarrow}^2_{\mathcal{S}_4} \{1/2 : \mathsf{f}(\mathsf{a}, \mathsf{b}),\ 1/2 : \mathsf{f}(\mathsf{a}, \mathsf{b})\} \overset{i}{\Rightarrow}_{\mathcal{S}_4} \ldots$, which converges with probability 0. It first "splits" the term f(a, b) with the b-rule, and then applies one of the two different a-rules to each of the resulting terms. In contrast, when applying a leftmost-innermost rewrite strategy, we have to decide which a-rule to use. For example, we have $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{b})\} \overset{li}{\Rightarrow}_{\mathcal{S}_4} \{1 : \mathsf{f}(\mathsf{c}_1, \mathsf{b})\} \overset{li}{\Rightarrow}_{\mathcal{S}_4} \{1/2 : \mathsf{f}(\mathsf{c}_1, \mathsf{d}_1),\ 1/2 : \mathsf{f}(\mathsf{c}_1, \mathsf{d}_2)\}$. Here, the second term $\mathsf{f}(\mathsf{c}_1, \mathsf{d}_2)$ is a normal form. Since all leftmost-innermost rewrite sequences keep on adding such normal forms after a certain number of steps for each start term, the PTRS is liAST (and also liPAST).
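The round structure of this argument can be sampled directly. The sketch below is our own Monte-Carlo abstraction of leftmost-innermost evaluation of f(a, b) in S<sup>4</sup> (the nondeterministic choice between the two a-rules is modelled here as a fair coin, which is an assumption, not part of the PTRS semantics):

```python
import random

def li_rounds(rng, max_rounds=10_000):
    """Rounds of leftmost-innermost evaluation of f(a, b) in S4 until a
    normal form is reached (None if the cap is hit).  Per round: the
    leftmost redex a is rewritten first (the choice between the two
    a-rules is modelled as a fair coin), then b is rewritten to d1 or d2
    with probability 1/2 each.  The f-rule only matches f(c1, d1) and
    f(c2, d2), so the loop continues iff the two indices agree."""
    for n in range(1, max_rounds + 1):
        ci = rng.choice((1, 2))                 # a -> c1 or a -> c2
        di = 1 if rng.random() < 0.5 else 2     # b -> d1 / d2, prob 1/2 each
        if ci != di:                            # e.g. f(c1, d2): normal form
            return n
    return None

runs = [li_rounds(random.Random(seed)) for seed in range(2000)]
assert all(r is not None for r in runs)   # every sampled run terminates
print(sum(runs) / len(runs))              # sample mean, close to 2
```

Each round reaches a normal form with probability 1/2, so the number of rounds is geometric with mean 2, matching the claim that normal forms keep being added.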

The counterexample above can easily be adapted to variants of innermost rewriting that impose different orders on parallel redexes, e.g., rightmost-innermost rewriting.

However, liAST and iAST are again equivalent for non-overlapping TRSs. For such TRSs, at most one rule can be used to rewrite at a given position, which prevents the problem illustrated in Ex. 21.

Theorem 22 (From liAST/liPAST to iAST/iPAST). If a PTRS S is non-overlapping, then

$$\begin{aligned} \mathcal{S} \text{ is } iAST &\Longleftrightarrow \mathcal{S} \text{ is } liAST \\ \mathcal{S} \text{ is } iPAST &\Longleftrightarrow \mathcal{S} \text{ is } liPAST \end{aligned}$$

The relations between the different properties for AST of PTRSs (given in Thm. 17, 20, and 22) are summarized below. An analogous figure also holds for PAST.

## 5 Improving Applicability

In this section, we improve the applicability of Thm. 17, which relates fAST and iAST. The results of Sect. 5.1 allow us to remove the requirement of left-linearity by modifying the rewrite relation to simultaneous rewriting. Then in Sect. 5.2 we show that the requirement of right-linearity can be weakened to spareness if one only considers rewrite sequences that start with basic terms.

#### 5.1 Removing Left-Linearity by Simultaneous Rewriting

First, we will see that we do not need to require left-linearity if we allow the simultaneous reduction of several copies of identical redexes. For a PTRS S, this results in the notion of simultaneous rewriting, denoted $\longmapsto_{\mathcal{S}}$. While $\overset{i}{\longmapsto}_{\mathcal{S}}$ over-approximates $\overset{i}{\to}_{\mathcal{S}}$, existing techniques for proving iAST [29, 32] (except for the rewriting processor<sup>4</sup>) do not distinguish between both notions of rewriting, i.e., these techniques even prove that every rewrite sequence with the lifting of $\overset{i}{\longmapsto}_{\mathcal{S}}$ to multi-distributions converges with probability 1. So for non-overlapping and right-linear PTRSs, these techniques can be used to prove innermost almost-sure termination w.r.t.

<sup>4</sup> This processor is an optional transformation technique which was added in [32] when improving the DP framework further, since it sometimes helps to increase power, but all other (major) DP processors do not distinguish between $\overset{i}{\to}_{\mathcal{S}}$ and $\overset{i}{\longmapsto}_{\mathcal{S}}$.

$\longmapsto_{\mathcal{S}}$, which then implies fAST. The following example illustrates our approach for handling non-left-linear PTRSs by applying the same rewrite rule at parallel positions simultaneously.

Example 23 (Simultaneous Rewriting). Reconsider the PTRS S<sup>2</sup> from Ex. 18 with the rules $\mathsf{f}(x, x) \to \{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\}$ and $\mathsf{a} \to \{1/2 : \mathsf{b},\ 1/2 : \mathsf{c}\}$, which is iAST, but not fAST. Our new rewrite relation $\longmapsto_{\mathcal{S}_2}$ allows us to reduce several copies of the same redex simultaneously, so that we get $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\} \overset{i}{\longmapsto}_{\mathcal{S}_2} \{1/2 : \mathsf{f}(\mathsf{b}, \mathsf{b}),\ 1/2 : \mathsf{f}(\mathsf{c}, \mathsf{c})\} \overset{i}{\longmapsto}^2_{\mathcal{S}_2} \{1/2 : \mathsf{f}(\mathsf{a}, \mathsf{a}),\ 1/2 : \mathsf{f}(\mathsf{a}, \mathsf{a})\}$, i.e., this $\overset{i}{\longmapsto}_{\mathcal{S}_2}$-sequence converges with probability 0 and thus, S<sup>2</sup> is not iAST w.r.t. $\longmapsto_{\mathcal{S}_2}$. Note that we simultaneously reduced both occurrences of a in the first step.

Definition 24 (Simultaneous Rewriting). Let S be a PTRS. A term s rewrites simultaneously to a multi-distribution $\mu = \{p_1 : t_1, \ldots, p_k : t_k\}$ (denoted $s \longmapsto_{\mathcal{S}} \mu$) if there is a non-empty set of parallel positions $\Pi$, a rule $\ell \to \{p_1 : r_1, \ldots, p_k : r_k\} \in \mathcal{S}$, and a substitution $\sigma$ such that $s|_{\pi} = \ell\sigma$ for every position $\pi \in \Pi$, and $t_j$ results from $s$ by replacing the subterm at every position $\pi \in \Pi$ by $r_j\sigma$, for all $1 \le j \le k$. We call $s \longmapsto_{\mathcal{S}} \mu$ an innermost simultaneous rewrite step (denoted $s \overset{i}{\longmapsto}_{\mathcal{S}} \mu$) if all proper subterms of the redex $\ell\sigma$ are in normal form w.r.t. S.
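A minimal executable sketch of this definition, with terms as nested tuples. Here Π is taken to be all occurrences of the redex, although Def. 24 allows any non-empty set of parallel positions, and the innermost side condition is omitted; all names are ours:

```python
# Terms as nested tuples: ("f", ("a",), ("a",)) stands for f(a, a).
def positions_of(term, redex, pos=()):
    """All positions where `redex` occurs as a subterm of `term`."""
    here = [pos] if term == redex else []
    return here + [p for i, arg in enumerate(term[1:])
                   for p in positions_of(arg, redex, pos + (i,))]

def replace_at(term, pos, new):
    """Replace the subterm of `term` at position `pos` by `new`."""
    if not pos:
        return new
    args = list(term[1:])
    args[pos[0]] = replace_at(args[pos[0]], pos[1:], new)
    return (term[0], *args)

def simultaneous_step(term, redex, distribution):
    """One simultaneous step: rewrite EVERY occurrence of `redex` with the
    same rule outcome, merging the results (Def. 24 with Π = all positions
    of the redex; the innermost condition is not checked here)."""
    pis = positions_of(term, redex)
    assert pis, "the redex must occur in the term"
    result = []
    for p, r in distribution:          # one merged outcome per right-hand side
        t = term
        for pos in pis:
            t = replace_at(t, pos, r)
        result.append((p, t))
    return result

# Ex. 23: rewrite both a's in f(a, a) with a -> {1/2: b, 1/2: c}
f_aa = ("f", ("a",), ("a",))
mu = simultaneous_step(f_aa, ("a",), [(0.5, ("b",)), (0.5, ("c",))])
assert mu == [(0.5, ("f", ("b",), ("b",))), (0.5, ("f", ("c",), ("c",)))]
```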

Clearly, if the set of positions $\Pi$ from Def. 24 is a singleton, then the resulting simultaneous rewrite step is an "ordinary" probabilistic rewrite step, i.e., $\to_{\mathcal{S}} \subseteq \longmapsto_{\mathcal{S}}$ and $\overset{i}{\to}_{\mathcal{S}} \subseteq \overset{i}{\longmapsto}_{\mathcal{S}}$.

Corollary 25 (From $\longmapsto_{\mathcal{S}}$ to $\to_{\mathcal{S}}$). If S is fAST (iAST) w.r.t. $\longmapsto_{\mathcal{S}}$, i.e., every infinite $\longmapsto_{\mathcal{S}}$- (resp. $\overset{i}{\longmapsto}_{\mathcal{S}}$-) rewrite sequence converges with probability 1, then S is fAST (iAST). Analogously, if S is fPAST (iPAST) w.r.t. $\longmapsto_{\mathcal{S}}$, i.e., every infinite $\longmapsto_{\mathcal{S}}$- (resp. $\overset{i}{\longmapsto}_{\mathcal{S}}$-) rewrite sequence has finite expected derivation length, then S is fPAST (iPAST).

However, the converse of Cor. 25 does not hold. Ex. 23 shows that $\overset{i}{\longmapsto}_{\mathcal{S}}$ allows for rewrite sequences that are not possible with $\overset{i}{\to}_{\mathcal{S}}$, and the following example shows the same for $\longmapsto_{\mathcal{S}}$ and $\to_{\mathcal{S}}$.

Counterexample 26. Consider the PTRS S<sup>2</sup> with the three rules:

$$\begin{aligned} \mathsf{f}(\mathsf{b},\mathsf{b}) &\to \{1: \mathsf{f}(\mathsf{a},\mathsf{a})\} \\ \mathsf{f}(\mathsf{c},\mathsf{c}) &\to \{1: \mathsf{f}(\mathsf{a},\mathsf{a})\} \end{aligned} \qquad \mathsf{a}\to\{1/2:\mathsf{b},\ 1/2:\mathsf{c}\}$$

This PTRS is fAST. But as in Ex. 23, we have $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\} \overset{i}{\longmapsto}_{\mathcal{S}_2} \{1/2 : \mathsf{f}(\mathsf{b}, \mathsf{b}),\ 1/2 : \mathsf{f}(\mathsf{c}, \mathsf{c})\} \overset{i}{\longmapsto}^2_{\mathcal{S}_2} \{1/2 : \mathsf{f}(\mathsf{a}, \mathsf{a}),\ 1/2 : \mathsf{f}(\mathsf{a}, \mathsf{a})\}$, i.e., there are rewrite sequences with $\overset{i}{\longmapsto}_{\mathcal{S}_2}$ and thus, also with $\longmapsto_{\mathcal{S}_2}$, that converge with probability 0. Hence, S<sup>2</sup> is not iAST or fAST w.r.t. $\longmapsto_{\mathcal{S}_2}$. Again, the same example also shows that fPAST and fPAST w.r.t. simultaneous rewriting are not equivalent either.

Note that this kind of simultaneous rewriting is different from the "ordinary" parallelism used for non-probabilistic rewriting, which is typically denoted by $\to_{\|}$. There, one may reduce multiple parallel redexes in a single rewrite step. Here, we do not only allow reducing multiple redexes, but in addition we "merge" the corresponding terms in the multi-distributions that result from rewriting the different redexes. Because of this merging, we only allow the simultaneous reduction of equal redexes, whereas "ordinary" parallel rewriting allows the simultaneous reduction of arbitrary parallel redexes. For example, for S<sup>2</sup> from Ex. 18 we have $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\} \overset{i}{\longmapsto}_{\mathcal{S}_2} \{1/2 : \mathsf{f}(\mathsf{b}, \mathsf{b}),\ 1/2 : \mathsf{f}(\mathsf{c}, \mathsf{c})\}$, whereas using ordinary parallel rewriting we would get $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\} \overset{i}{\Rightarrow}_{\|\mathcal{S}_2} \{1/4 : \mathsf{f}(\mathsf{b}, \mathsf{b}),\ 1/4 : \mathsf{f}(\mathsf{b}, \mathsf{c}),\ 1/4 : \mathsf{f}(\mathsf{c}, \mathsf{b}),\ 1/4 : \mathsf{f}(\mathsf{c}, \mathsf{c})\}$.
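The effect of merging can be checked numerically. The sketch below is our own abstraction of S<sup>2</sup> to its two coin regimes: with merged outcomes (simultaneous rewriting) the non-left-linear f-rule fires forever, while independent outcomes (parallel or one-at-a-time rewriting) reach a normal form almost surely:

```python
import random

def rounds_until_nf(merged, rng, max_rounds=10_000):
    """Rounds until f(a, a) reaches a normal form in S2 (None = cap hit).
    merged=True models a simultaneous step (both copies of the redex a
    receive the SAME outcome); merged=False models independent outcomes."""
    for n in range(1, max_rounds + 1):
        left = rng.random() < 0.5                     # a -> b (True) or a -> c
        right = left if merged else rng.random() < 0.5
        if left != right:
            return n              # f(b, c) / f(c, b): normal form
        # f(b, b) or f(c, c): the rule f(x, x) -> {1: f(a, a)} applies,
        # and the round repeats
    return None

rng = random.Random(1)
parallel = [rounds_until_nf(False, rng) for _ in range(1000)]
assert all(r is not None for r in parallel)                # AST with independent outcomes
assert rounds_until_nf(True, random.Random(2)) is None     # merged: never terminates
```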

The following theorem shows that indeed, we do not need to require left-linearity when moving from iAST/iPAST w.r.t. $\longmapsto_{\mathcal{S}}$ to fAST/fPAST w.r.t. $\to_{\mathcal{S}}$.

Theorem 27 (From iAST/iPAST to fAST/fPAST (2)). If a PTRS S is non-overlapping and right-linear, then

$$\begin{aligned} \mathcal{S} \text{ is } fAST &\Longleftarrow \mathcal{S} \text{ is } iAST \text{ w.r.t. } \longmapsto_{\mathcal{S}} \\ \mathcal{S} \text{ is } fPAST &\Longleftarrow \mathcal{S} \text{ is } iPAST \text{ w.r.t. } \longmapsto_{\mathcal{S}} \end{aligned}$$

Proof Sketch. We use an analogous construction as in the proof of Thm. 17, but in addition, if we replace a non-innermost rewrite step by an innermost one, then we check whether in the original rewrite sequence, the corresponding innermost redex is "inside" the substitution used for the non-innermost rewrite step. In that case, if this rewrite step applied a non-left-linear rule, then we identify all other (equal) innermost redexes and use $\overset{i}{\longmapsto}_{\mathcal{S}}$ to rewrite them simultaneously (as we did for the innermost redex a in Ex. 23). ⊓⊔

Note that Ex. 26 shows that the direction "$\Longrightarrow$" does not hold in Thm. 27. The following example shows that right-linearity in Thm. 27 cannot be weakened to the requirement that S is non-duplicating (i.e., that no variable occurs more often in a term on the right-hand side of a rule than on its left-hand side).

Counterexample 28 (Non-Duplicating Does Not Suffice). Let $\mathsf{d}(\mathsf{f}(\mathsf{a}, \mathsf{a})^3)$ abbreviate $\mathsf{d}(\mathsf{f}(\mathsf{a}, \mathsf{a}), \mathsf{f}(\mathsf{a}, \mathsf{a}), \mathsf{f}(\mathsf{a}, \mathsf{a}))$. Consider the PTRS S<sup>5</sup> with the four rules:

$$\begin{aligned} \mathsf{f}(x,x) &\to \{1: \mathsf{g}(x,x)\} \\ \mathsf{a} &\to \{1/2: \mathsf{b}, 1/2: \mathsf{c}\} \end{aligned} \qquad \begin{aligned} \mathsf{g}(\mathsf{b},\mathsf{c}) &\to \{1: \mathsf{d}(\mathsf{f}(\mathsf{a},\mathsf{a})^3)\} \\ \mathsf{g}(\mathsf{c},\mathsf{b}) &\to \{1: \mathsf{d}(\mathsf{f}(\mathsf{a},\mathsf{a})^3)\} \end{aligned}$$

S<sup>5</sup> is not fAST (and thus, also not fPAST), since the infinite rewrite sequence $\{1 : \mathsf{f}(\mathsf{a}, \mathsf{a})\} \Rightarrow_{\mathcal{S}_5} \{1 : \mathsf{g}(\mathsf{a}, \mathsf{a})\} \Rightarrow^2_{\mathcal{S}_5} \{1/4 : \mathsf{g}(\mathsf{b}, \mathsf{b}),\ 1/4 : \mathsf{g}(\mathsf{b}, \mathsf{c}),\ 1/4 : \mathsf{g}(\mathsf{c}, \mathsf{b}),\ 1/4 : \mathsf{g}(\mathsf{c}, \mathsf{c})\} \Rightarrow^2_{\mathcal{S}_5} \{1/4 : \mathsf{g}(\mathsf{b}, \mathsf{b}),\ 1/4 : \mathsf{d}(\mathsf{f}(\mathsf{a}, \mathsf{a})^3),\ 1/4 : \mathsf{d}(\mathsf{f}(\mathsf{a}, \mathsf{a})^3),\ 1/4 : \mathsf{g}(\mathsf{c}, \mathsf{c})\}$ can be seen as a biased random walk on the number of f(a, a)-subterms that is not AST. However, for every innermost evaluation with $\overset{i}{\to}_{\mathcal{S}_5}$ or $\overset{i}{\longmapsto}_{\mathcal{S}_5}$ we have to rewrite the inner a-symbols first. Afterwards, the f-rule can only be used on redexes f(t, t) where the resulting term g(t, t) is a normal form. Thus, S<sup>5</sup> is iPAST (and hence, iAST) w.r.t. $\longmapsto_{\mathcal{S}_5}$.
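The random-walk reading of this counterexample can be made concrete: the number of f(a, a)-subterms is a branching process where each copy dies with probability 1/2 (reaching g(b, b) or g(c, c)) and is replaced by three copies with probability 1/2 (via d(f(a, a)³)). A Monte-Carlo sketch (our own abstraction, with a population cap standing in for survival):

```python
import random

def goes_extinct(rng, cap=2_000):
    """Number of f(a, a)-subterms in S5 as a branching process: each copy
    becomes a normal form with probability 1/2 and spawns three fresh
    copies with probability 1/2."""
    n = 1
    while 0 < n < cap:
        n = sum(3 if rng.random() < 0.5 else 0 for _ in range(n))
    return n == 0      # reaching the cap counts as survival

rng = random.Random(0)
rate = sum(goes_extinct(rng) for _ in range(2000)) / 2000
# The extinction probability q solves q = 1/2 + q**3 / 2,
# i.e. q = (5 ** 0.5 - 1) / 2 ≈ 0.618 < 1, so termination is not almost sure.
assert abs(rate - (5 ** 0.5 - 1) / 2) < 0.05
```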

Note that for wAST, the direction of the implication in Cor. 25 is reversed, since wAST requires that for each start term, there exists an infinite rewrite sequence that is almost-surely terminating, whereas fAST requires that all infinite rewrite sequences are almost-surely terminating. Thus, if there exists an infinite $\Rightarrow_{\mathcal{S}}$-rewrite sequence that converges with probability 1 (showing that S is wAST), then this is also a valid $\longmapsto_{\mathcal{S}}$-rewrite sequence that converges with probability 1 (showing that S is wAST w.r.t. $\longmapsto_{\mathcal{S}}$).

Corollary 29 (From $\to_{\mathcal{S}}$ to $\longmapsto_{\mathcal{S}}$ for wAST/wPAST). If S is wAST (wPAST), then S is wAST (wPAST) w.r.t. $\longmapsto_{\mathcal{S}}$.

One may wonder whether simultaneous rewriting could also be used to improve Thm. 20 by removing the requirement of left-linearity, but Ex. 30 shows this is not possible.

Counterexample 30. Consider the non-left-linear PTRS S<sup>6</sup> with the two rules:

$$\mathsf{g} \to \{3/4 : \mathsf{d}(\mathsf{g}, \mathsf{g}),\ 1/4 : \bot\} \qquad \mathsf{d}(x, x) \to \{1 : x\}$$

This PTRS is not fAST (and thus, also not fPAST), as we have $\{1 : \mathsf{g}\} \Rightarrow_{\mathcal{S}_6} \{3/4 : \mathsf{d}(\mathsf{g}, \mathsf{g}),\ 1/4 : \bot\}$, which corresponds to a random walk biased towards non-termination if we never use the d-rule (since $3/4 > 1/2$). However, if we always use the d-rule directly after the g-rule, then we essentially end up with a PTRS whose only rule is $\mathsf{g} \to \{3/4 : \mathsf{c}(\mathsf{g}),\ 1/4 : \bot\}$, which corresponds to flipping a biased coin until heads comes up. This proves that S<sup>6</sup> is wPAST and hence, also wAST. As S<sup>6</sup> is non-overlapping, right-linear, and non-erasing, this shows that a variant of Thm. 20 without the requirement of left-linearity needs more than just moving to simultaneous rewriting.
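Both claims can be checked numerically: the strategy that never uses the d-rule is a branching process with positive survival probability, while the strategy that always merges with the d-rule is a biased coin flip with finite expected length. A sketch of the two abstractions (ours, not part of the formal development):

```python
import random

def survives_without_d(rng, cap=1_000):
    # Never use d(x, x) -> {1: x}: the number of g's is a branching process
    # where each g spawns two g's with probability 3/4 and dies (⊥) otherwise.
    n = 1
    while 0 < n < cap:
        n = sum(2 if rng.random() < 0.75 else 0 for _ in range(n))
    return n > 0       # reaching the cap counts as survival

def g_steps_with_d(rng):
    # Always apply the d-rule right after the g-rule: effectively the single
    # rule g -> {3/4: c(g), 1/4: ⊥}, i.e. flip a biased coin until heads.
    steps = 1
    while rng.random() < 0.75:
        steps += 1
    return steps

rng = random.Random(0)
surv = sum(survives_without_d(rng) for _ in range(1500)) / 1500
# extinction probability solves q = 1/4 + 3 * q**2 / 4, i.e. q = 1/3
assert abs(surv - 2 / 3) < 0.05
mean = sum(g_steps_with_d(rng) for _ in range(20_000)) / 20_000
assert abs(mean - 4) < 0.2    # geometric: expected number of g-steps is 4
```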

#### 5.2 Weakening Right-Linearity to Spareness

To improve our results further, we introduce the notion of spareness. The idea of spareness is to require that variables which occur non-linearly in right-hand sides may only be instantiated by normal forms. We already used spareness for non-probabilistic TRSs in [17] to find classes of TRSs where innermost and full runtime complexity coincide. For a PTRS S, we decompose its signature $\Sigma = \Sigma_C \uplus \Sigma_D$ such that $f \in \Sigma_D$ if $f = \mathrm{root}(\ell)$ for some rule $\ell \to \mu \in \mathcal{S}$. The symbols in $\Sigma_C$ and $\Sigma_D$ are called constructors and defined symbols, respectively.

Definition 31 (Spareness). Let $\ell \to \mu \in \mathcal{S}$. A rewrite step $\ell\sigma \to_{\mathcal{S}} \mu\sigma$ is spare if $\sigma(x)$ is in normal form w.r.t. S for every $x \in \mathcal{V}$ that occurs more than once in some $r \in \mathrm{Supp}(\mu)$. A $\Rightarrow_{\mathcal{S}}$-sequence is spare if each of its $\to_{\mathcal{S}}$-steps is spare. S is spare if each $\Rightarrow_{\mathcal{S}}$-sequence that starts with $\{1 : t\}$ for a basic term t is spare. A term $t \in \mathcal{T}(\Sigma, \mathcal{V})$ is basic if $t = f(t_1, \ldots, t_n)$ such that $f \in \Sigma_D$ and $t_i \in \mathcal{T}(\Sigma_C, \mathcal{V})$ for all $1 \le i \le n$.
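The condition of Def. 31 on a single step is easy to check mechanically once one knows which instantiations are normal forms. A small sketch with terms as nested tuples and variables as plain strings (the representation and helper names are ours):

```python
from collections import Counter

def vars_in(term):
    """Variables of a term; terms are nested tuples, variables plain strings."""
    if isinstance(term, str):
        return [term]
    return [v for arg in term[1:] for v in vars_in(arg)]

def step_is_spare(rhs_terms, subst, is_normal_form):
    """A rewrite step with substitution `subst` is spare (Def. 31) if every
    variable occurring more than once in some right-hand side in Supp(mu)
    is instantiated by a normal form.  `is_normal_form` is supplied by the
    caller, since it depends on the whole PTRS."""
    dup = {v for r in rhs_terms for v, c in Counter(vars_in(r)).items() if c > 1}
    return all(is_normal_form(subst[v]) for v in dup)

# d(x) -> {1: c(x, x)} from Ex. 32: x is duplicated on the right-hand side,
# so a step with this rule is spare iff x is instantiated by a normal form.
rhs = [("c", "x", "x")]
assert step_is_spare(rhs, {"x": ("bot",)}, lambda t: t == ("bot",))
assert not step_is_spare(rhs, {"x": ("g",)}, lambda t: t == ("bot",))
```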

Example 32. Consider the PTRS S<sup>7</sup> with the two rules:

$$\mathsf{g} \to \{3/4 : \mathsf{d}(\bot),\ 1/4 : \mathsf{g}\} \qquad \mathsf{d}(x) \to \{1 : \mathsf{c}(x, x)\}$$

It is similar to the PTRS S<sup>1</sup> from Ex. 16, but we exchanged the symbols g and ⊥ in the right-hand side of the g-rule. This PTRS is orthogonal but duplicating due to the d-rule. However, in any rewrite sequence that starts with {1 : t} for a basic term t, we can only duplicate the constructor symbol ⊥ but no defined symbol. Hence, S<sup>7</sup> is spare.

In general, it is undecidable whether a PTRS is spare, since spareness is already undecidable for non-probabilistic TRSs. However, there exist computable sufficient conditions for spareness, see [17].

If a PTRS is spare and we start with a basic term, then our duplicating rules will only duplicate normal forms. This means that the duplicating rules do not influence the (expected) runtime and, more importantly for AST, the probability of termination. As in [17], which analyzed runtime complexity, we have to restrict ourselves to rewrite sequences that start with basic terms. So we only consider start terms where a single algorithm is applied to data, i.e., we may not have any nested defined symbols in our start terms. This leads to the following theorem, where "on basic terms" means that one only considers rewrite sequences that start with {1 : t} for a basic term t. It can be proved by an analogous limit construction as in the proof of Thm. 17.

Theorem 33 (From iAST/iPAST to fAST/fPAST (3)). If a PTRS S is orthogonal and spare, then

$$\begin{aligned} \mathcal{S} \text{ is } fAST \text{ on basic terms} &\Longleftrightarrow \mathcal{S} \text{ is } iAST \text{ on basic terms} \\ \mathcal{S} \text{ is } fPAST \text{ on basic terms} &\Longleftrightarrow \mathcal{S} \text{ is } iPAST \text{ on basic terms} \end{aligned}$$

While iAST on basic terms is the same as iAST in general, the requirement of basic start terms is a real restriction for fAST, i.e., there exist PTRSs that are fAST on basic terms, but not fAST in general.

Counterexample 34. Consider the PTRS S<sup>8</sup> with the two rules:

$$\mathsf{g} \to \{3/4 : \mathsf{s}(\mathsf{g}),\ 1/4 : \bot\} \qquad \mathsf{f}(\mathsf{s}(x)) \to \{1 : \mathsf{c}(\mathsf{f}(x), \mathsf{f}(x))\}$$

This PTRS behaves similarly to S<sup>1</sup> (see Ex. 16). It is not fAST (and thus, also not fPAST), as we have $\{1 : \mathsf{f}(\mathsf{g})\} \Rightarrow^2_{\mathcal{S}_8} \{3/4 : \mathsf{c}(\mathsf{f}(\mathsf{g}), \mathsf{f}(\mathsf{g})),\ 1/4 : \mathsf{f}(\bot)\}$, which corresponds to a random walk biased towards non-termination (since $3/4 > 1/2$).

However, the only basic terms for this PTRS are g and f(t) for terms t that do not contain g or f. A sequence starting with g corresponds to flipping a biased coin, and a sequence starting with f(t) will clearly terminate. Hence, S<sup>8</sup> is fAST (and even fPAST) on basic terms. Furthermore, note that S<sup>8</sup> is iPAST (and thus, also iAST), analogous to S<sup>1</sup>. This shows that Thm. 33 cannot be extended to fAST or fPAST in general.

One may wonder whether Thm. 33 can nevertheless be used in order to prove fAST of a PTRS S on all terms by using a suitable transformation from S to another PTRS S ′ such that S is fAST on all terms if S ′ is fAST on basic terms.

There is an analogous difference in the complexity analysis of non-probabilistic term rewrite systems. There, the concept of runtime complexity is restricted to rewrite sequences that start with a basic term, whereas the concept of derivational complexity allows arbitrary start terms. In [19], a transformation was presented that extends any (non-probabilistic) TRS R by so-called generator rules G(R) such that the derivational complexity of R is the same as the runtime complexity of R ∪ G(R), where G(R) are considered to be relative rules whose rewrite steps do not "count" for the complexity. This transformation can indeed be reused to move from fAST on basic terms to fAST in general.

Lemma 35. A PTRS S is fAST if S ∪ G(S) is fAST on basic terms.

For every defined symbol f, the idea of the transformation is to introduce a new constructor symbol $\mathsf{cons}_f$, and for every function symbol f it introduces a new defined symbol $\mathsf{enc}_f$. As an example for S<sup>8</sup> from Ex. 34, instead of starting with the non-basic term c(g, f(g)), we start with the basic term $\mathsf{enc}_{\mathsf{c}}(\mathsf{cons}_{\mathsf{g}}, \mathsf{cons}_{\mathsf{f}}(\mathsf{cons}_{\mathsf{g}}))$, its so-called basic variant. The new defined symbol $\mathsf{enc}_{\mathsf{c}}$ is used to first build the term c(g, f(g)) at the beginning of the rewrite sequence, i.e., it converts all occurrences of $\mathsf{cons}_f$ for $f \in \Sigma_D$ back into the defined symbol f, and then we can proceed as if we started with the term c(g, f(g)) directly. For this conversion, we need another new defined symbol argenc that iterates through the term and replaces all new constructors $\mathsf{cons}_f$ by the original defined symbol f. Thus, we define the generator rules as in [19] (just with trivial probability distributions $\ell \to \{1 : r\}$ on the right-hand sides), since we do not need any probabilities during this initial construction of the original start term.

Definition 36 (Generator Rules G(S)). Let S be a PTRS over the signature Σ. Its generator rules G(S) are the following set of rules:

$$\begin{aligned} &\{\mathsf{enc}_f(x_1, \ldots, x_n) \to \{1 : f(\mathsf{argenc}(x_1), \ldots, \mathsf{argenc}(x_n))\} \mid f \in \Sigma\} \\ \cup\ &\{\mathsf{argenc}(\mathsf{cons}_f(x_1, \ldots, x_n)) \to \{1 : f(\mathsf{argenc}(x_1), \ldots, \mathsf{argenc}(x_n))\} \mid f \in \Sigma_D\} \\ \cup\ &\{\mathsf{argenc}(f(x_1, \ldots, x_n)) \to \{1 : f(\mathsf{argenc}(x_1), \ldots, \mathsf{argenc}(x_n))\} \mid f \in \Sigma_C\} \end{aligned}$$

where $x_1, \ldots, x_n$ are pairwise different variables and where the function symbols argenc, $\mathsf{cons}_f$, and $\mathsf{enc}_f$ are fresh (i.e., they do not occur in S). Moreover, we define $\Sigma_{\mathcal{G}(\mathcal{S})} = \{\mathsf{enc}_f \mid f \in \Sigma\} \cup \{\mathsf{argenc}\} \cup \{\mathsf{cons}_f \mid f \in \Sigma_D\}$.

Example 37. For the PTRS S<sup>8</sup> from Ex. 34, we obtain the following generator rules G(S8):

$$\begin{aligned} \mathsf{enc}_{\mathsf{g}} &\to \{1 : \mathsf{g}\} & \mathsf{argenc}(\mathsf{cons}_{\mathsf{g}}) &\to \{1 : \mathsf{g}\} \\ \mathsf{enc}_{\mathsf{f}}(x_1) &\to \{1 : \mathsf{f}(\mathsf{argenc}(x_1))\} & \mathsf{argenc}(\mathsf{cons}_{\mathsf{f}}(x_1)) &\to \{1 : \mathsf{f}(\mathsf{argenc}(x_1))\} \\ \mathsf{enc}_{\mathsf{s}}(x_1) &\to \{1 : \mathsf{s}(\mathsf{argenc}(x_1))\} & \mathsf{argenc}(\mathsf{s}(x_1)) &\to \{1 : \mathsf{s}(\mathsf{argenc}(x_1))\} \\ \mathsf{enc}_{\mathsf{c}}(x_1, x_2) &\to \{1 : \mathsf{c}(\mathsf{argenc}(x_1), \mathsf{argenc}(x_2))\} & \mathsf{argenc}(\mathsf{c}(x_1, x_2)) &\to \{1 : \mathsf{c}(\mathsf{argenc}(x_1), \mathsf{argenc}(x_2))\} \\ \mathsf{enc}_{\bot} &\to \{1 : \bot\} & \mathsf{argenc}(\bot) &\to \{1 : \bot\} \end{aligned}$$
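Def. 36 is entirely schematic, so the rule set can be generated mechanically from a signature. A sketch (the string-based rule format and function names are ours, not AProVE's input syntax):

```python
def generator_rules(signature, defined):
    """Generator rules G(S) in the spirit of Def. 36, for a signature given
    as a dict {symbol: arity} and a set of defined symbols."""
    rules = []
    for f, n in signature.items():
        xs = [f"x{i}" for i in range(1, n + 1)]
        lhs = f"enc_{f}({', '.join(xs)})" if n else f"enc_{f}"
        rhs = f"{f}({', '.join(f'argenc({x})' for x in xs)})" if n else f
        rules.append(f"{lhs} -> {{1: {rhs}}}")
    for f, n in signature.items():
        # argenc unwraps cons_f for defined symbols and recurses through
        # constructors, rebuilding the original term
        wrapped = f"cons_{f}" if f in defined else f
        xs = [f"x{i}" for i in range(1, n + 1)]
        lhs = f"argenc({wrapped}({', '.join(xs)}))" if n else f"argenc({wrapped})"
        rhs = f"{f}({', '.join(f'argenc({x})' for x in xs)})" if n else f
        rules.append(f"{lhs} -> {{1: {rhs}}}")
    return rules

# Signature of S8 from Ex. 34: defined symbols g, f; constructors s, bot, c
rules = generator_rules({"g": 0, "f": 1, "s": 1, "bot": 0, "c": 2}, {"g", "f"})
print("\n".join(rules))
```

Running this on the signature of S<sup>8</sup> reproduces the rules of Ex. 37, e.g. `enc_f(x1) -> {1: f(argenc(x1))}` and `argenc(cons_g) -> {1: g}`.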

As mentioned, using the symbols $\mathsf{cons}_f$ and $\mathsf{enc}_f$, as in [19] every term over Σ can be transformed into a basic term over $\Sigma \cup \Sigma_{\mathcal{G}(\mathcal{S})}$.

However, even if S is spare, the PTRS S ∪ G(S) is not guaranteed to be spare, although the generator rules themselves are right-linear. The problem is that the generator rules include a rule like $\mathsf{enc}_{\mathsf{f}}(x_1) \to \{1 : \mathsf{f}(\mathsf{argenc}(x_1))\}$ where a defined symbol argenc occurs below the duplicating symbol f on the right-hand side. Indeed, while S<sup>8</sup> is spare, S<sup>8</sup> ∪ G(S<sup>8</sup>) is not. For example, when starting with the basic term $\mathsf{enc}_{\mathsf{f}}(\mathsf{s}(\mathsf{cons}_{\mathsf{g}}))$, we have

$$\begin{array}{c} \{1: \mathsf{enc}\_{\mathsf{f}}(\mathsf{s}(\mathsf{cons}\_{\mathsf{g}}))\} \implies\_{\mathcal{G}(\mathcal{S}\_{\mathsf{8}})}^{2} \{1: \mathsf{f}(\mathsf{s}(\mathsf{argenc}(\mathsf{cons}\_{\mathsf{g}})))\} \\ \implies\_{\mathcal{S}\_{\mathsf{8}}} \quad \{1: \mathsf{c}(\mathsf{f}(\mathsf{argenc}(\mathsf{cons}\_{\mathsf{g}})), \mathsf{f}(\mathsf{argenc}(\mathsf{cons}\_{\mathsf{g}})))\}, \end{array}$$

where the last step is not spare. In general, S ∪ G(S) is guaranteed to be spare if S is right-linear. So we could modify Thm. 33 into a theorem which states that S is fAST on all terms if S ∪ G(S) is iAST on basic terms (and thus, on all terms) for orthogonal and right-linear PTRSs S. However, this theorem would be subsumed by Thm. 17, where we already showed the equivalence of fAST and iAST if S is orthogonal and right-linear. Indeed, our goal in Thm. 33 was to find a weaker requirement than right-linearity. Hence, such a transformational approach to move from fAST on all start terms to fAST on basic terms does not seem viable for Thm. 33.

Finally, we can also combine our results on simultaneous rewriting and spareness to relax both left- and right-linearity in case of basic start terms. The proof for the following theorem combines the proofs for Thm. 27 and Thm. 33.

Theorem 38 (From iAST/iPAST to fAST/fPAST (4)). If S is non-overlapping and spare, then

$$\begin{aligned} \mathcal{S} \text{ is } fAST \text{ on basic terms} &\Longleftarrow \mathcal{S} \text{ is } iAST \text{ w.r.t. } \longmapsto_{\mathcal{S}} \text{ on basic terms} \\ \mathcal{S} \text{ is } fPAST \text{ on basic terms} &\Longleftarrow \mathcal{S} \text{ is } iPAST \text{ w.r.t. } \longmapsto_{\mathcal{S}} \text{ on basic terms} \end{aligned}$$

## 6 Conclusion and Evaluation

In this paper, we presented numerous new results on the relationship between full and restricted forms of AST, including several criteria for PTRSs such that innermost AST implies full AST. All of our results also hold for PAST, and all of our criteria are suitable for automation (for spareness, there exist sufficient conditions that can be checked automatically).

We implemented our new criteria in our termination prover AProVE [21]. For every PTRS, one can indicate whether one wants to analyze its termination behavior for all start terms or only for basic start terms. Up to now, AProVE's main technique for termination analysis of PTRSs was the probabilistic DP framework from [29, 32], which however can only prove iAST. If one wants to analyze fAST for a PTRS S, then AProVE now first tries to prove that the conditions of Thm. 33 are satisfied if one is restricted to basic start terms, or that the conditions of Thm. 17 hold if one wants to consider arbitrary start terms. If this succeeds, then we can use the full probabilistic DP framework in order to prove iAST, which then implies fAST. Otherwise, we try to prove all conditions of Thm. 38 or Thm. 27, respectively. If this succeeds, then we can use most of the processors from the probabilistic DP framework to prove iAST, which again implies fAST. If none of these theorems can be applied, then AProVE tries to prove fAST using a direct application of polynomial orderings [29]. Note that for AST w.r.t. basic start terms, Thm. 33 generalizes Thm. 17 and Thm. 38 generalizes Thm. 27, since right-linearity implies spareness.

For our evaluation, we compare the old AProVE without any of the new theorems (which only uses direct applications of polynomial orderings to prove fAST), to variants of AProVE where we activated each of the theorems individually, and finally to the new AProVE strategy explained above. The following diagram shows the theoretical subsumptions of each of these strategies for basic start terms, where an arrow from strategy A to strategy B means that B is strictly better than A.

old AProVE → Thm. 17 → Thm. 33 → new AProVE, and old AProVE → Thm. 27 → Thm. 38 → new AProVE

We used the benchmark set of 100 PTRSs from [32], and extended it by 15 new PTRSs that contain all the examples presented in this paper and some additional examples which illustrate the power of each strategy. AProVE can prove iAST for 93 of these 118 PTRSs. The following table shows for how many of these 93 PTRSs the respective strategy allows us to conclude fAST for basic start terms from AProVE's proof of iAST.


From the 61 examples that we can solve by using both Thm. 33 and Thm. 38 in "new AProVE", 5 examples (that are all right-linear) can only be solved by Thm. 33, 3 examples (where one is right-linear and the others only spare) can only be solved by Thm. 38, and 53 examples can be solved by both. If one considers arbitrary start terms, then the new AProVE can conclude fAST (using only Thm. 17 and Thm. 27) for 49 examples.

Currently, we only use the switch from full to innermost rewriting as a preprocessing step before applying the DP framework. As future work, we want to develop a processor within the DP framework that can perform this switch in a modular way. Then, the criteria of our theorems do not have to be required for the whole PTRS anymore, but just for specifc sub-problems within the termination proof. This, however, requires developing a DP framework for fAST directly, which we will investigate in future work.

For details on our experiments, our collection of examples, and for instructions on how to run our implementation in AProVE via its web interface or locally, we refer to:

https://aprove-developers.github.io/InnermostToFullAST/

In addition, an artifact is available at [31].

Acknowledgements. We thank Stefan Dollase for pointing us to [19].

## References


<sup>226</sup> J.-C. Kassing, F. Frohn, J. Giesl


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## Dimension-Minimality and Primality of Counter Nets⋆⋆⋆

Shaull Almagor<sup>1</sup>, Guy Avni<sup>2</sup>, Henry Sinclair-Banks<sup>3</sup>, and Asaf Yeshurun<sup>1</sup>

<sup>1</sup> Technion, Haifa, Israel

shaull@technion.ac.il, asafyeshurun@campus.technion.ac.il <sup>2</sup> Department of Computer Science, University of Haifa, Haifa, Israel gavni@cs.haifa.ac.il

<sup>3</sup> Centre for Discrete Mathematics and its Applications (DIMAP) & Department of Computer Science, University of Warwick, Coventry, UK

h.sinclair-banks@warwick.ac.uk

Abstract. A k-Counter Net (k-CN) is a finite-state automaton equipped with k integer counters that are not allowed to become negative, but do not have explicit zero tests. This language-recognition model can be thought of as labelled vector addition systems with states, some of which are accepting. Certain decision problems for k-CNs become easier, or indeed decidable, when the dimension k is small. Yet, little is known about the effect that the dimension k has on the class of languages recognised by k-CNs. Specifically, it would be useful if we could simplify algorithmic reasoning by reducing the dimension of a given CN.

To this end, we introduce the notion of dimension-primality for k-CNs, whereby a k-CN is prime if it recognises a language that cannot be decomposed into a finite intersection of languages recognised by d-CNs, for some d < k. We show that primality is undecidable. We also study two related notions: dimension-minimality (where we seek a single language-equivalent d-CN of lower dimension) and language regularity. Additionally, we explore the trade-offs in expressiveness between dimension and non-determinism for CNs.

## 1 Introduction

A k-dimensional Counter Net (k-CN) is a finite-state automaton equipped with k integer counters that are not allowed to become negative, but do not have explicit zero tests (see Fig. 1a for an example). This language-recognition model can be thought of as an alphabet-labelled Vector Addition System with States (VASS), some of whose states are accepting [7]. A k-CN A over alphabet Σ

© The Author(s) 2024

<sup>⋆</sup> S. Almagor was supported by the ISRAEL SCIENCE FOUNDATION (grant No. 989/22), G. Avni was supported by the ISRAEL SCIENCE FOUNDATION (grant No. 1679/21), H. Sinclair-Banks was supported by EPSRC Standard Research Studentship (DTP), grant number EP/T5179X/1.

<sup>⋆⋆</sup> The full version can be found on https://arxiv.org/abs/2307.14492

N. Kobayashi and J. Worrell (Eds.): FoSSaCS 2024, LNCS 14575, pp. 229–249, 2024. https://doi.org/10.1007/978-3-031-57231-9_11

accepts a word $w \in \Sigma^*$ if there is a run of A on w that ends in an accepting state and in which the counters stay non-negative. The language of A is the set L(A) of words accepted by A.

Counter nets are a natural model of concurrency and are closely related (and, in some senses, equivalent) to labelled Petri nets. These models have received significant attention over the years [6,7,13,14,17,19,27], with specific interest in the one-dimensional case, often referred to as one-counter nets [20,21,1,2]. Unfortunately, most decision problems for k-CNs are notoriously difficult and are often undecidable [1,2]. In particular, k-CNs subsume VASS and Petri nets, for which many problems are known to be Ackermann-complete; for example, see the recent breakthrough in the complexity of reachability in VASS [11,25].

In many cases, the complexity of decision problems for VASS, sometimes with extensions, depends on the dimension, with low dimensions admitting more tractable solutions [9,8,10,16]. For example, reachability in dimensions one and two is NP-complete [18] and PSPACE-complete [4], respectively, when counter updates are encoded in binary.

A natural question, therefore, is whether we can decrease the dimension of a given k-CN whilst maintaining its language, to facilitate reasoning about it. More generally, the trade-off between expressiveness and the dimension of Counter Nets is poorly understood. We tackle this question in this work by introducing two approaches. The first is straightforward dimension-minimality: given a k-CN A, does there exist a d-CN B recognising the same language for some d < k?

The second approach is primality: given a k-CN A, does there exist some d < k and d-CNs B<sub>1</sub>, …, B<sub>n</sub> such that $L(\mathcal{A}) = \bigcap_{i=1}^{n} L(\mathcal{B}_i)$? That is, we ask whether the language of A can be decomposed as an intersection of languages recognised by several lower-dimension CNs. We also consider compositeness, the dual of primality. Intuitively, in a composite k-CN the usage of the counters can be "split" across several lower-dimension CNs, allowing for properties (such as universality) to be checked on each conjunct separately.

Example 1. We illustrate the model and the definition of compositeness. Consider the 2-CN A depicted in Fig. 1a, and consider a word $w = a^m \# b^n \# c^k$. We have that A has an accepting run on w if m ≥ n and m ≥ k. Indeed, if m < n, the first counter drops below 0 while cycling in the second state and so the run is "stuck", and similarly if m < k. It is not hard to show that there is no 1-CN that recognizes the language of A. However, Fig. 1b shows two 1-CNs B<sub>1</sub> and B<sub>2</sub> such that $L(\mathcal{A}) = L(\mathcal{B}_1) \cap L(\mathcal{B}_2)$. Indeed, a word $w = a^m \# b^n \# c^k \in L(\mathcal{B}_1)$ if m ≥ n, and $w \in L(\mathcal{B}_2)$ if m ≥ k.
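The decomposition of Example 1 can be checked mechanically. The sketch below hand-codes deterministic acceptors for the two languages of Fig. 1b and intersects them (the automata are written from the language descriptions, not read off the figure's transitions):

```python
def accepts_B1(word):
    """Acceptor for {a^m # b^n # c^k | m >= n}: +1 per 'a', -1 per 'b';
    the run is "stuck" if the counter would go negative; 'c's are free."""
    counter, phase = 0, 0
    for ch in word:
        if ch == "#":
            phase += 1
        elif phase == 0 and ch == "a":
            counter += 1
        elif phase == 1 and ch == "b":
            counter -= 1
            if counter < 0:
                return False          # counter cannot go negative
        elif not (phase == 2 and ch == "c"):
            return False              # word not of the shape a^m # b^n # c^k
    return phase == 2                 # "accepting state": both #'s were read

def accepts_B2(word):
    """Acceptor for {a^m # b^n # c^k | m >= k}, symmetric to B1."""
    counter, phase = 0, 0
    for ch in word:
        if ch == "#":
            phase += 1
        elif phase == 0 and ch == "a":
            counter += 1
        elif phase == 2 and ch == "c":
            counter -= 1
            if counter < 0:
                return False
        elif not (phase == 1 and ch == "b"):
            return False
    return phase == 2

def accepts_A(word):                  # the composite 2-CN: the intersection
    return accepts_B1(word) and accepts_B2(word)

w = lambda m, n, k: "a" * m + "#" + "b" * n + "#" + "c" * k
assert accepts_A(w(3, 2, 3)) and not accepts_A(w(2, 3, 1)) and not accepts_A(w(2, 1, 3))
```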

Note that the decomposition in Example 1 is obtained by "splitting" the counters between the two 1-CNs. This raises the question of whether such splittings are always possible. As we show in Proposition 1, for deterministic k-CNs (k-DCNs) this is indeed the case. In general, however, it is not hard to find examples where a k-CN cannot simply be split into an intersection by projecting on each counter. This, however, does not rule out that other decompositions are

(a) A composite 2-CN. (b) Two 1-CNs showing compositeness of the 2-CN.

Fig. 1: A composite 2-CN whose language is $\{a^m \# b^n \# c^k \mid m \ge n \wedge m \ge k\}$ and its decomposition into two 1-CNs recognising the languages $\{a^m \# b^n \# c^k \mid m \ge n\}$ and $\{a^m \# b^n \# c^k \mid m \ge k\}$.

possible. Our main result, Theorem 1, gives an example of a prime 2-CN, that is, a 2-CN whose language cannot be expressed as an intersection of languages of 1-CNs.

The notion of primality has been studied for regular languages in [24,23,22]; the exact complexity of deciding primality there is still open. There, an automaton is composite if it can be written as an intersection of finite automata with fewer states. In this work we introduce primality for CNs. We focus on dimension as a measure of size, a notion which does not exist for regular languages. Thus, unlike for regular languages, the difference between prime and composite CNs is not only in succinctness, but actually in expressiveness, as we later demonstrate.

We parameterise primality and compositeness by the dimension $d$ and the number $n$ of lower-dimension factors. Thus, a $k$-CN $\mathcal{A}$ is $(d, n)$-composite if it can be written as the intersection above. Then, $\mathcal{A}$ is composite if it is $(d, n)$-composite for some $d < k$ and $n \in \mathbb{N}$. Under this view, dimension-minimality is a special case of compositeness, namely $\mathcal{A}$ is dimension-minimal if it is not $(k-1, 1)$-composite. Another particular problem captured by compositeness is regularity. Indeed, $\mathcal{L}(\mathcal{A})$ is regular if and only if $\mathcal{A}$ is $(0, 1)$-composite, since 0-CNs are just NFAs. Since regularity is already undecidable for 1-CNs [2,28], it follows that deciding whether a $k$-CN is $(d, n)$-composite is undecidable. Moreover, it follows that both primality and dimension-minimality are undecidable for 1-CNs.

The undecidability of the above problems is not surprising, as the huge difference in expressive power between 1-CNs and regular languages is well understood. In contrast, even the difference in expressive power between 1-CNs and 2-CNs is poorly understood, let alone what effect the dimension has on the expressive power beyond regular languages. Already, 1-VASS and 2-VASS are known to have flat equivalents with respect to reachability [26,4], but the complexity differs greatly.

Our goal in this work is to shed light on these differences. In Section 4, we give a concrete example of a prime 2-CN, which turns out to be technically challenging. This example is the heart of our technical contribution, and we emphasise that we do not currently have a proven example of a prime 3-CN, let alone a general prime $k$-CN (although we conjecture a candidate for such languages). We consider this an interesting open problem, as it highlights the type of pumping machinery that is currently missing from the VASS/CN reasoning arsenal. The technical intricacy in proving our example suggests that generalising it is highly nontrivial. Indeed, proving such a generalisation would require intricate pumping arguments, which are notoriously difficult even for low-dimensional CNs [9].

Using our example, we obtain in Section 5 the undecidability of primality and of dimension-minimality for 2-CNs. To complement this, we show in Theorem 3 that regularity of $k$-DCNs is decidable. In Section 6, we explore trade-offs in the expressiveness of CNs with increasing dimension and with nondeterminism. In particular, we show that there is a strict hierarchy of expressiveness with respect to the dimension. We conclude with a discussion in Section 7. For brevity, some proofs only appear in the full version of the paper.

## 2 Preliminaries

We denote the non-negative integers $\{0, 1, \ldots\}$ by $\mathbb{N}$. We write vectors in bold, e.g., $\mathbf{e} \in \mathbb{Z}^k$, and $\mathbf{e}[i]$ is the $i$-th coordinate. We use $[k] = \{1, \ldots, k\}$ for $k \ge 1$. We use $\Sigma^*$ to denote the set of all words over an alphabet $\Sigma$, and $|w|$ is the length of $w \in \Sigma^*$.

A $k$-dimensional Counter Net ($k$-CN) $\mathcal{A}$ is a quintuple $\mathcal{A} = \langle \Sigma, Q, Q_0, \delta, F \rangle$ where $\Sigma$ is a finite alphabet, $Q$ is a finite set of states, $Q_0 \subseteq Q$ is the set of initial states, $\delta \subseteq Q \times \Sigma \times \mathbb{Z}^k \times Q$ is a set of transitions, and $F \subseteq Q$ are the accepting states. A $k$-CN is deterministic, denoted $k$-DCN, if $|Q_0| = 1$, and for every $p \in Q$ and $\sigma \in \Sigma$ there is at most one transition of the form $(p, \sigma, \mathbf{v}, q) \in \delta$. For a transition $(p, \sigma, \mathbf{v}, q) \in \delta$, we refer to $\mathbf{v} \in \mathbb{Z}^k$ as its effect.

An $\mathbb{N}$-configuration (resp. $\mathbb{Z}$-configuration) of a $k$-CN $\mathcal{A}$ is a pair $(q, \mathbf{v}) \in Q \times \mathbb{N}^k$ (resp. $(q, \mathbf{v}) \in Q \times \mathbb{Z}^k$) representing the current state and values of the counters. A transition $(p, \sigma, \mathbf{e}, q) \in \delta$ is valid from $\mathbb{N}$-configuration $(p, \mathbf{v})$ if $\mathbf{v} + \mathbf{e} \in \mathbb{N}^k$, i.e., if all $k$ counters remain non-negative after the transition. A $\mathbb{Z}$-run $\rho$ of $\mathcal{A}$ on $w$ is a sequence of $\mathbb{Z}$-configurations $\rho = (q_0, \mathbf{v}_0), (q_1, \mathbf{v}_1), \ldots, (q_n, \mathbf{v}_n)$ such that $(q_i, \sigma_i, \mathbf{v}_{i+1} - \mathbf{v}_i, q_{i+1}) \in \delta$ for every $0 \le i \le n-1$; we then say that $\rho$ reads $w = \sigma_0 \sigma_1 \cdots \sigma_{n-1}$. An $\mathbb{N}$-run is a $\mathbb{Z}$-run that visits only $\mathbb{N}$-configurations. Note that all the transitions in an $\mathbb{N}$-run are valid. We may omit $\mathbb{N}$ or $\mathbb{Z}$ from the run when it does not matter. For a run $\rho = (q_0, \mathbf{v}_0), (q_1, \mathbf{v}_1), \ldots, (q_n, \mathbf{v}_n)$ of $\mathcal{A}$, we write $(q_0, \mathbf{v}_0) \xrightarrow{\rho} (q_n, \mathbf{v}_n)$. We define the effect of $\rho$ to be $\mathrm{ef}(\rho) = \mathbf{v}_n - \mathbf{v}_0$.

An $\mathbb{N}$-run $\rho$ is accepting if $q_0 \in Q_0$, $\mathbf{v}_0 = \mathbf{0}$, and $q_n \in F$. We say that $\mathcal{A}$ accepts $w$ if there is an accepting $\mathbb{N}$-run of $\mathcal{A}$ on $w$. The language of $\mathcal{A}$ is $\mathcal{L}(\mathcal{A}) = \{w \in \Sigma^* \mid \mathcal{A} \text{ accepts } w\}$. We say that $\mathcal{A}$ is unambiguous if it has at most one accepting run on any given word; otherwise we say that it is ambiguous.
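Since a run on a word $w$ takes exactly $|w|$ transitions, acceptance of a fixed word can be checked by tracking the set of reachable $\mathbb{N}$-configurations letter by letter. The following sketch illustrates the semantics above; the tuple encoding of a CN is our own, and the demo net is only a guess at a net in the style of Fig. 1a, not taken from the paper.

```python
def accepts(transitions, initial, accepting, k, word):
    """Does the k-CN accept `word`? Track all reachable N-configurations
    (state, counter vector); a transition is valid only if every counter
    stays non-negative, mirroring the definition of an N-run."""
    configs = {(q, (0,) * k) for q in initial}        # counters start at 0
    for sigma in word:
        nxt = set()
        for p, v in configs:
            for src, letter, eff, dst in transitions:
                if src == p and letter == sigma:
                    u = tuple(a + b for a, b in zip(v, eff))
                    if all(x >= 0 for x in u):        # valid transition
                        nxt.add((dst, u))
        configs = nxt
    return any(q in accepting for q, _ in configs)

# A 2-CN in the style of Fig. 1a (the concrete transitions are our guess):
# read a^m incrementing both counters, then b^n decrementing counter 1,
# then c^k decrementing counter 2; accepts iff m >= n and m >= k.
delta = [("s0", "a", (1, 1), "s0"), ("s0", "#", (0, 0), "s1"),
         ("s1", "b", (-1, 0), "s1"), ("s1", "#", (0, 0), "s2"),
         ("s2", "c", (0, -1), "s2")]
```

For instance, `accepts(delta, {"s0"}, {"s2"}, 2, "aa#b#c")` holds, whereas `a#bb#c` is rejected because the first counter would drop below zero, i.e., no valid transition exists.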

An infix $\pi = (q_k, \mathbf{v}_k), (q_{k+1}, \mathbf{v}_{k+1}), \ldots, (q_{k+n}, \mathbf{v}_{k+n})$ of a run $\rho$ is a cycle if $q_k = q_{k+n}$, and is a simple cycle if it does not contain a cycle as a proper infix. When discussing an infix $\pi$ of a 1-CN, we write that $\pi$ is $> 0$, $\ge 0$, or $< 0$ if $\mathrm{ef}(\pi) > 0$, $\mathrm{ef}(\pi) \ge 0$, or $\mathrm{ef}(\pi) < 0$, respectively.

## 3 Primality and Compositeness

We begin by presenting our main definitions, followed by some introductory properties.

Definition 1 (Compositeness, Primality, and Dimension-Minimality). Consider a $k$-CN $\mathcal{A}$, and let $d, n \in \mathbb{N}$. We say that $\mathcal{A}$ is $(d, n)$-composite if there exist $d$-CNs $\mathcal{B}_1, \ldots, \mathcal{B}_n$ such that $\mathcal{L}(\mathcal{A}) = \bigcap_{i=1}^{n} \mathcal{L}(\mathcal{B}_i)$. If $\mathcal{A}$ is $(d, n)$-composite for some $d < k$ and $n \in \mathbb{N}$, we say $\mathcal{A}$ is composite. Otherwise, $\mathcal{A}$ is prime. If $\mathcal{A}$ is not $(k-1, 1)$-composite, we say that $\mathcal{A}$ is dimension-minimal. We also extend the definition of primality to languages, and say that a language $L$ is prime if there is an integer $d > 0$ such that $L = \mathcal{L}(\mathcal{A})$ for some $d$-CN $\mathcal{A}$, but there are no $(d-1)$-CNs $\mathcal{B}_1, \ldots, \mathcal{B}_n$ such that $L = \bigcap_{i=1}^{n} \mathcal{L}(\mathcal{B}_i)$.

Remark 1. Note that the special case where $\mathcal{A}$ is $(0, n)$-composite coincides with the regularity of $\mathcal{L}(\mathcal{A})$, and hence also with being $(0, 1)$-composite.

Observe that in Fig. 1 we in fact show a composite 2-DCN. We now show that every $k$-DCN is $(1, k)$-composite, by projecting to each of the counters separately. In particular, a $k$-DCN is prime only when $k = 1$ and it recognises a non-regular language, or when $k = 0$. Formally, consider a $k$-DCN $\mathcal{D} = \langle \Sigma, Q, Q_0, \delta, F \rangle$ and let $1 \le i \le k$. We define the $i$-projection to be the 1-DCN $\mathcal{D}|_i = \langle \Sigma, Q, Q_0, \delta|_i, F \rangle$ where $\delta|_i = \{(p, \sigma, \mathbf{v}[i], q) \mid (p, \sigma, \mathbf{v}, q) \in \delta\}$.

Proposition 1. Every $k$-DCN $\mathcal{D}$ is $(1, k)$-composite, and $\mathcal{L}(\mathcal{D}) = \bigcap_{i=1}^{k} \mathcal{L}(\mathcal{D}|_i)$.

Proof. Let $w \in \mathcal{L}(\mathcal{D})$ and let $\rho$ be the accepting run of $\mathcal{D}$ on $w$; then the projection of $\rho$ on counter $i$ induces an accepting run of $\mathcal{D}|_i$ on $w$, thus $w \in \bigcap_{i=1}^{k} \mathcal{L}(\mathcal{D}|_i)$. Note that this direction does not use the determinism of $\mathcal{D}$.

Conversely, let $w \in \bigcap_{i=1}^{k} \mathcal{L}(\mathcal{D}|_i)$; then each $\mathcal{D}|_i$ has an accepting run $\rho_i$ on $w$. Since the structure of each $\mathcal{D}|_i$ is identical to that of the deterministic $\mathcal{D}$, all the runs $\rho_i$ have identical state sequences, and together they induce a $\mathbb{Z}$-run of $\mathcal{D}$ on $w$. Moreover, since each $\rho_i$ is an $\mathbb{N}$-run in its $\mathcal{D}|_i$, all counter values remain non-negative in the corresponding run of $\mathcal{D}$ on $w$. Hence, this is an accepting $\mathbb{N}$-run of $\mathcal{D}$ on $w$, so $w \in \mathcal{L}(\mathcal{D})$. ⊓⊔
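The projection construction, and the equivalence of Proposition 1, can be sketched as follows. The tuple encoding of a CN is our own illustration, and the demo 2-DCN is a guess at the net of Fig. 1 (determinism is assumed, not checked).

```python
def project(delta, i):
    """The i-projection D|_i: identical states and transition structure,
    keeping only coordinate i of each transition's effect vector."""
    return [(p, s, (eff[i],), q) for (p, s, eff, q) in delta]

def run_dcn(delta, q0, accepting, dims, word):
    """Simulate a deterministic CN on `word`; reject as soon as a counter
    would go negative or no transition matches the current letter."""
    q, v = q0, (0,) * dims
    for sigma in word:
        matches = [(e, t) for (p, s, e, t) in delta if p == q and s == sigma]
        if not matches:
            return False
        e, q = matches[0]
        v = tuple(a + b for a, b in zip(v, e))
        if any(x < 0 for x in v):
            return False
    return q in accepting

# A 2-DCN in the style of Fig. 1 (the concrete transitions are our guess):
delta = [("s0", "a", (1, 1), "s0"), ("s0", "#", (0, 0), "s1"),
         ("s1", "b", (-1, 0), "s1"), ("s1", "#", (0, 0), "s2"),
         ("s2", "c", (0, -1), "s2")]

# Membership in L(D) agrees with the intersection of the two projections:
for w in ["aa#b#c", "a#bb#c", "aa#b#ccc", "aaa#bb#cc"]:
    whole = run_dcn(delta, "s0", {"s2"}, 2, w)
    parts = all(run_dcn(project(delta, i), "s0", {"s2"}, 1, w) for i in (0, 1))
    assert whole == parts
```

The loop mirrors both directions of the proof: a counter of the whole net goes negative exactly when the corresponding projection's single counter does.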

Remark 2 (Unambiguous Counter Nets are Composite). The proof of Proposition 1 applies also to structurally unambiguous CNs, i.e., CNs whose underlying automaton, disregarding the counters, is unambiguous. Thus, every unambiguous $k$-CN is $(1, k)$-composite.

Consider $k$-CNs $\mathcal{B}_1, \ldots, \mathcal{B}_n$. By taking their product, we can construct a $(k \cdot n)$-CN $\mathcal{A}$ such that $\mathcal{L}(\mathcal{A}) = \bigcap_{i=1}^{n} \mathcal{L}(\mathcal{B}_i)$. In particular, if each $\mathcal{B}_i$ is a 1-DCN, then $\mathcal{A}$ is an $n$-DCN. Combining this with Proposition 1, we can deduce the following (the proof can be found in the full version).

Proposition 2. A $k$-DCN is dimension-minimal if and only if it is not $(1, k-1)$-composite.
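The product construction above can be sketched in code: states are paired and effect vectors concatenated, so the product recognises the intersection. The encoding is our own, and the two demo 1-CNs are only a guess at Fig. 1b.

```python
def product_cn(dA, dB):
    """Product of two CNs over the same alphabet: paired states and
    concatenated effect vectors, recognising L(A) ∩ L(B)."""
    return [((p, r), s, eA + eB, (q, t))
            for (p, s, eA, q) in dA
            for (r, s2, eB, t) in dB if s == s2]

def accepts(transitions, initial, accepting, k, word):
    """Naive acceptance check: explore all reachable N-configurations."""
    configs = {(q, (0,) * k) for q in initial}
    for sigma in word:
        configs = {(dst, u)
                   for (p, v) in configs
                   for (src, letter, eff, dst) in transitions
                   if src == p and letter == sigma
                   for u in [tuple(a + b for a, b in zip(v, eff))]
                   if all(x >= 0 for x in u)}
    return any(q in accepting for q, _ in configs)

# Two 1-CNs in the style of Fig. 1b (transitions are our guess): on words
# a^m # b^n # c^k, b1 checks m >= n and b2 checks m >= k.
b1 = [("u0", "a", (1,), "u0"), ("u0", "#", (0,), "u1"),
      ("u1", "b", (-1,), "u1"), ("u1", "#", (0,), "u2"), ("u2", "c", (0,), "u2")]
b2 = [("v0", "a", (1,), "v0"), ("v0", "#", (0,), "v1"),
      ("v1", "b", (0,), "v1"), ("v1", "#", (0,), "v2"), ("v2", "c", (-1,), "v2")]
prod = product_cn(b1, b2)   # a 2-CN for the intersection
```

Note that a product of deterministic nets is again deterministic, which is the observation behind Proposition 2.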

## 4 A Prime Two-Counter Net

In this section we present our main technical contribution, namely an example of a prime 2-CN. The technical difficulty arises from the need to prove that this example cannot be decomposed as an intersection of nondeterministic 1-CNs. Since intersection has a "universal flavour" and nondeterminism has an "existential flavour", we have a sort of "quantifier alternation", which is often a source of difficulty.

The importance of this example is threefold. First, it enables us to show that primality is undecidable in Section 5. Second, it offers intuition on what makes a language prime. Third, we suspect that the techniques developed here will be useful in other settings when reasoning about nondeterministic automata, perhaps with counters.

We start by presenting the prime 2-CN, followed by an overview of the proof, before delving into the details.

Example 2. Consider the 2-CN $\mathcal{P}$ over alphabet $\Sigma = \{a, b, c, \#\}$ depicted in Fig. 2. Intuitively, $\mathcal{P}$ starts by reading segments of the form $a^m\#$, where in each segment it nondeterministically chooses whether to increase the first or second counter by $m$. Then, it reads $b^{m_b} c^{m_c}$ and accepts if the values of the first and second counter are at least $m_b$ and $m_c$, respectively. Thus, $\mathcal{P}$ accepts a word if its $a^m\#$ segments can be partitioned into two sets $I$ and $\overline{I}$ so that the combined length of the segments in $I$ (resp. $\overline{I}$) is at least the length of the $b$ segment (resp. $c$ segment). For example, $a^{10}\#a^{20}\#a^{15}\#b^{15}c^{30} \in \mathcal{L}(\mathcal{P})$, since segments 1 and 2 have combined length 30, matching $c^{30}$, and segment 3 matches $b^{15}$. However, $a^{10}\#a^{20}\#a^{15}\#b^{21}c^{21} \notin \mathcal{L}(\mathcal{P})$, since in any partition of $\{10, 20, 15\}$, one set will have sum lower than 21. More precisely, we have the following:

$$\mathcal{L}(\mathcal{P}) = \{a^{m\_1} \# a^{m\_2} \# \dots \# a^{m\_t} \# b^{m\_b} c^{m\_c} \mid \exists I \subseteq [t] \text{ s.t. } \sum\_{i \in I} m\_i \ge m\_b \land \sum\_{i \notin I} m\_i \ge m\_c\}$$

Fig. 2: The prime 2-CN P for Example 2 and Theorem 1.

### Theorem 1. $\mathcal{P}$ is prime.

The high-level intuition behind Theorem 1 is that any single 1-CN can guess a subset of segments that covers $m_b$, or one that covers $m_c$, but not both, and in order to make sure that the choices of two 1-CNs form a partition, we need to fix the partition in advance. This is only possible if the number of segments is fixed a priori, which is not the case (cf. Remark 3). This intuition, however, is far from a proof.
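The partition condition defining $\mathcal{L}(\mathcal{P})$ can be tested directly by enumerating the achievable subset sums of the segment lengths. The brute-force sketch below (the helper name `in_lang_P` is ours, and it checks the membership condition, not the net itself) reproduces the two words of Example 2.

```python
import re

def in_lang_P(word):
    """Check the condition defining L(P): the word must have the shape
    a^{m_1}# ... a^{m_t}# b^{m_b} c^{m_c}, and some subset I of the
    segments must cover m_b while the remaining segments cover m_c."""
    m = re.fullmatch(r"((?:a*#)*)(b*)(c*)", word)
    if m is None:
        return False
    segs = [len(s) for s in m.group(1).split("#")[:-1]]  # a-segment lengths
    mb, mc = len(m.group(2)), len(m.group(3))
    total = sum(segs)
    sums = {0}                        # all achievable subset sums of segs
    for s in segs:
        sums |= {x + s for x in sums}
    # exists I with sum(I) >= m_b and total - sum(I) >= m_c
    return any(x >= mb and total - x >= mc for x in sums)

# The two words from Example 2:
assert in_lang_P("a" * 10 + "#" + "a" * 20 + "#" + "a" * 15 + "#" + "b" * 15 + "c" * 30)
assert not in_lang_P("a" * 10 + "#" + "a" * 20 + "#" + "a" * 15 + "#" + "b" * 21 + "c" * 21)
```

For the second word, the subset sums of $\{10, 20, 15\}$ are $\{0, 10, 15, 20, 25, 30, 35, 45\}$, and none lies in the required window $[21, 24]$, matching the discussion above.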

#### 4.1 Overview of the Proof of Theorem 1

Assume by way of contradiction that $\mathcal{P}$ is not a prime 2-CN. Thus, there exist 1-CNs $\mathcal{V}_1, \ldots, \mathcal{V}_k$ such that $\mathcal{L}(\mathcal{P}) = \bigcap_{1 \le j \le k} \mathcal{L}(\mathcal{V}_j)$. Throughout the proof, we focus on words of the form $a^{m_1}\#a^{m_2}\# \cdots \#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ for positive integers $\{m_i\}_{i=1}^{k+1}, m_b, m_c$. We index the $a^{m_i}$ segments of these words, so $a^{m_i}$ is the $i$-th segment. Note that we focus on words with $k+1$ many $a$ segments, one more than the number of $\mathcal{V}_j$ factors in the intersection. It is useful to think of each segment as "paying" for either $b$ or $c$. Then, a word is accepted if there is a way to choose for each segment whether it pays for $b$ or $c$, such that there is sufficient budget for both.

Let $i \in [k+1]$ and $j \in [k]$. We say that the $i$-th segment is bad in $\mathcal{V}_j$ if, intuitively, we can pump the length $m_i$ of segment $i$ whilst pumping both $m_b$ and $m_c$ to unbounded lengths, such that the resulting words are accepted by $\mathcal{V}_j$ (see Definition 2 for the formal definition). For example, consider the word $a^{10}\#a^{10}\#a^{10}\#b^{20}c^{10} \in \mathcal{L}(\mathcal{P})$. If the second segment is bad for $\mathcal{V}_j$, then there exist $x, y, z > 0$ such that for every $t, t_b, t_c \in \mathbb{N}$ the word $a^{10}\#a^{10+tx}\#a^{10}\#b^{20+t_b y}c^{10+t_c z}$ is in $\mathcal{L}(\mathcal{V}_j)$. Observe that such behaviour is undesirable, since for large enough $t, t_b, t_c$, the resulting word is not in $\mathcal{L}(\mathcal{P})$. Note, however, that the existence of such a bad segment is not a contradiction by itself, since the resulting pumped words might not be accepted by some other 1-CN $\mathcal{V}_{j'}$.

In order to reach a contradiction, we need to show the existence of a segment $i$ that is bad for every $\mathcal{V}_j$. Moreover, we must also show that arbitrarily increasing $m_i, m_b, m_c$ can be achieved simultaneously in all the $\mathcal{V}_j$ together (i.e., the above $x, y, z > 0$ are the same for all $\mathcal{V}_j$). This creates a contradiction, since then all the $\mathcal{V}_j$ accept a word that is not in $\mathcal{L}(\mathcal{P})$. Our goal is therefore to establish a robust and precise definition of a "bad" segment, then find a word $w$ comprising $k+1$ segments where one of the segments is bad for every $\mathcal{V}_j$, such that pumping each segment can be done synchronously.

#### 4.2 Pumping Arguments in One-Counter Nets

In this section we establish some pumping results for 1-CNs which will be used in the proof of Theorem 1. Throughout this section, we consider a 1-CN $\mathcal{V} = \langle \Sigma, Q, Q_0, \delta, F \rangle$.

Our first lemma states the intuitive fact that without $> 0$ cycles, the counter value of a run is bounded (the proof can be found in the full version).

Lemma 1. Let $(q, n)$ be a configuration of $\mathcal{V}$, let $W$ be the maximal positive update in $\mathcal{V}$, $\sigma \in \Sigma$, and $N \in \mathbb{N}$. If an $\mathbb{N}$-run $\rho$ of $\mathcal{V}$ on $\sigma^N$ from configuration $(q, n)$ does not traverse any $> 0$ cycle, then the maximal possible counter value anywhere along $\rho$ is at most $n + W|Q|$.

The next lemma shows that long-enough runs must contain ≥ 0 cycles.

Lemma 2. Let $\sigma \in \Sigma$ and let $(q, n)$ be an $\mathbb{N}$-configuration of $\mathcal{V}$. Then there exists $N \in \mathbb{N}$ such that for all $N' \ge N$, every $\mathbb{N}$-run of $\mathcal{V}$ on $\sigma^{N'}$ from $(q, n)$ traverses a $\ge 0$ cycle.

Proof. Let $W$ be the maximal positive transition update in $\mathcal{V}$; we show that $N = |Q|(n + |Q| \cdot W)$ satisfies the requirements. Assume by way of contradiction that $\mathcal{V}$ can read $\sigma^N$ via an $\mathbb{N}$-run $\rho = (q_0, n_0 = n) \xrightarrow{\rho} (q_N, n_N)$ that only traverses $< 0$ cycles.

Since $\rho$ visits $N + 1$ states, by the Pigeonhole Principle there exists a state $p \in Q$ that is visited $m \ge (N+1)/|Q| > N/|Q|$ many times in $\rho$.

Consider all the indices $0 \le i_1 < i_2 < \ldots < i_m \le N$ such that $p = q_{i_1} = \ldots = q_{i_m}$. Each run segment $(q_{i_1}, n_{i_1}) \to (q_{i_2}, n_{i_2}), \ldots, (q_{i_{m-1}}, n_{i_{m-1}}) \to (q_{i_m}, n_{i_m})$ is a cycle in $\rho$, and therefore must have negative effect. Thus $n_{i_1} > n_{i_2} > \ldots > n_{i_m} \ge 0$, so in particular $n_{i_1} \ge n_{i_m} + m - 1 \ge 0$ (as each cycle has effect at most $-1$). Moreover, $n_{i_1} < n + |Q| \cdot W$, since the prefix $(q_0, n) \to (q_{i_1}, n_{i_1})$ cannot contain a non-negative cycle. However, since $m > N/|Q| = n + |Q| \cdot W$, we have $n_{i_1} \ge n_{i_m} + m - 1 \ge n + |Q| \cdot W$, so $n + |Q| \cdot W < n + |Q| \cdot W$, which is a contradiction. ⊓⊔

Next, we show that runs with $\ge 0$ and $> 0$ cycles have "pumpable" infixes.

Lemma 3. Let $\sigma \in \Sigma$ and consider a $> 0$ (resp. $\ge 0$) cycle $\pi = (q_0, c_0) \xrightarrow{\sigma} (q_1, c_1) \xrightarrow{\sigma} \ldots (q_n = q_0, c_n)$ on $\sigma^n$ that induces an $\mathbb{N}$-run. Then, there is a sequence of (not necessarily contiguous) indices $0 \le i_1 \le \ldots \le i_k \le n$ such that $q_{i_1} \xrightarrow{\sigma} q_{i_2} \xrightarrow{\sigma} \cdots q_{i_k}$ is a simple $> 0$ (resp. $\ge 0$) cycle with some effect $e > 0$ (resp. $e \ge 0$). In addition, this simple cycle is "pumpable" from the first occurrence of $q_{i_1}$ in $\pi$; namely, for all $m \in \mathbb{N}$ there is a run $\pi_m$ obtained from $\pi$ by traversing the cycle $m$ times, so that $\mathrm{ef}(\pi_m) = \mathrm{ef}(\pi) + em$.

Proof. We prove the $\ge 0$ case; the $> 0$ case can be proved mutatis mutandis.

We define $\pi_m = (q_0, c_0) \xrightarrow{\sigma} \ldots (q_{i_1}, c_{i_1}) \xrightarrow{\sigma} \ldots (q_{i_1}, c_{i_1} + em) \xrightarrow{\sigma} \ldots (q_n, c_n + em)$. The proof is now by induction on the length of $\pi$.

The base of the induction is a cyclic $\mathbb{N}$-run of length 2. In this case $\pi = (q_0, c_0) \xrightarrow{\sigma} (q_1 = q_0, c_1)$ is itself a $\ge 0$ simple cycle that is infinitely pumpable from $(q_0, c_0)$.

We now assume correctness for length $n$, and consider $\pi = (q_0, c_0) \xrightarrow{\sigma} (q_1, c_1) \xrightarrow{\sigma} \ldots (q_n = q_0, c_n)$ of length $n + 1$. Let $0 \le j_1 < j_2 \le n$ be indices such that $q_{j_1} = q_{j_2}$, with $j_1$ maximal. Note that the cycle $\tau = (q_{j_1}, c_{j_1}) \xrightarrow{\sigma} \ldots (q_{j_2}, c_{j_2})$ must be simple. If $j_1 = 0$ and $j_2 = n$, then $\pi$ itself is a simple $\ge 0$ cycle, and the pumping argument is straightforward. Otherwise, $\tau$ is nested. We now split into two cases, based on whether $\mathrm{ef}(\tau) \ge 0$.

1. $\tau$ is $\ge 0$: then the induction hypothesis applies to $\tau$. We take the guaranteed indices $j_1 \le i_1 \le \ldots \le i_k \le j_2$, which apply to $\pi$ as well.


2. $\tau$ is $< 0$: then we remove $\tau$ from $\pi$ to obtain $\pi' = (q_0, c_0) \xrightarrow{\sigma} \ldots (q_{j_1}, c_{j_1}) \xrightarrow{\sigma} (q_{j_2+1}, c'_{j_2+1}) \xrightarrow{\sigma} \ldots (q_n, c'_n)$, such that $c'_i \ge c_i$ for all $j_2 + 1 \le i \le n$. The induction hypothesis applies to $\pi'$, so let $i_1, \ldots, i_k$ be the guaranteed indices. Note that $i_1 \le j_1$, since the cycle removed when obtaining $\pi'$ from $\pi$ is the last occurrence of a repetition of states in $\pi$. We therefore know that $q_{i_1} \xrightarrow{\sigma} q_{i_2} \xrightarrow{\sigma} \cdots q_{i_k}$ is a simple $\ge 0$ cycle in $\pi'$, which applies to $\pi$ as well. In addition, it is infinitely pumpable from the $\mathbb{N}$-configuration $(q_{i_1}, c_{i_1})$ in $\pi'$, as $i_1 \le j_1$. Indeed, since $\pi$ and $\pi'$ coincide up to and including $(q_{j_1}, c_{j_1})$, this cycle is infinitely pumpable in $\pi$ as well. ⊓⊔

The simple cycle in Lemma 3 has length $k < |Q|$. By pumping it $\frac{|Q|!}{k}$ times we obtain a pumpable cycle of length $|Q|!$, allowing us to conclude with the following.

Corollary 1. Let $\rho$ be an $\mathbb{N}$-run of $\mathcal{V}$ on $\sigma^n$ that traverses a $\ge 0$ cycle. For every $m \in \mathbb{N}$, we can construct an $\mathbb{N}$-run $\rho'$ of $\mathcal{V}$ on $\sigma^{n + m|Q|!}$ such that $\mathrm{ef}(\rho') \ge \mathrm{ef}(\rho)$, by pumping a $\ge 0$ simple cycle in $\rho$.

#### 4.3 Good and Bad Segments

We lift the colour scheme<sup>4</sup> of $> 0$ and $\ge 0$ to words and runs as follows. For a word $w = uv$ and a run $\rho$, we annotate $w$ to denote, e.g., that $\rho$ traverses a $> 0$ cycle when reading $u$ and then a $\ge 0$ cycle when reading $v$. Note that this does not preclude other cycles; e.g., there could also be negative cycles in the $u$ part. That is, the colouring is not unique, but represents elements of the run.

Recall our assumption that $\mathcal{L}(\mathcal{P}) = \bigcap_{1 \le j \le k} \mathcal{L}(\mathcal{V}_j)$, and for all $j \in [k]$ denote $\mathcal{V}_j = \langle \Sigma, Q^j, I^j, \delta^j, F^j \rangle$. Let $Q_{\max} = \max\{|Q^j|\}_{j=1}^{k}$ and denote $\alpha = Q_{\max}!$. Further recall that we focus on words of the form $a^{m_1}\#a^{m_2}\# \cdots \#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ for integers $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$, and that we refer to the infix $a^{m_i}$ as the $i$-th segment, for $1 \le i \le k+1$. We proceed to formally define good and bad segments.

Definition 2 (Good and Bad Segments). The $i$-th segment is bad in $\mathcal{V}_j$ if there exist constants $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$ and an accepting run of $\mathcal{V}_j$ on $a^{m_1}\#a^{m_2}\# \cdots \#a^{m_{k+1}}\#b^{m_b}c^{m_c}$ of one of the following forms:

- (i) the run traverses a $\ge 0$ cycle in each of the segments $1, \ldots, i-1$, and a $> 0$ cycle in the $i$-th segment;
- (ii) the run traverses a $\ge 0$ cycle in every $a$ segment, as well as in the $b$ segment and in the $c$ segment; or
- (iii) the run traverses a $\ge 0$ cycle in every $a$ segment, and a $> 0$ cycle in the $b$ segment.

The i-th segment is good in V<sup>j</sup> if it is not bad in V<sup>j</sup> .

<sup>4</sup> The colours were chosen to be accessible for the colourblind. For a greyscale-friendly version, see the full paper.

Lemma 4 formalises the intuition that a bad segment can be pumped simultaneously with both the $b$ and $c$ segments, giving rise to a word accepted by $\mathcal{V}_j$ but rejected by $\mathcal{P}$.

Intuitively, Forms (ii) and (iii) indicate that all segments are bad. Indeed, the $i$-th segment has a $\ge 0$ cycle, so it can be pumped safely; in Form (ii) both $b$ and $c$ can be pumped using $\ge 0$ cycles, whereas in Form (iii) we can pump $b$ using a $> 0$ cycle and use it to compensate for pumping $c$, even if the latter requires iterating a negative cycle.

Form (i) is the interesting case, where we use a > 0 cycle in the i-th segment to compensate for pumping both b and c. The requirement that all segments up to the i-th are ≥ 0 is at the core of our proof and is explained in Section 4.4.

Lemma 4. Suppose the $l$-th segment is bad in $\mathcal{V}_j$. Then there exist $x, y, z \in \mathbb{N}$, all multiples of $\alpha$, such that for every $n \in \mathbb{N}$ the following word $w_n$ is accepted by $\mathcal{V}_j$.

$$w\_n = a^{m\_1} \# a^{m\_2} \# \cdots \# a^{m\_{l-1}} \# a^{m\_l + xn} \# a^{m\_{l+1}} \# \cdots \# a^{m\_{k+1}} \# b^{m\_b + yn} c^{m\_c + zn}$$

Proof. We can choose $z = \alpha$, then take $y$ large enough so that Form (iii) runs can compensate for negative cycles in $c^z$ using $> 0$ cycles in $b^y$, whilst not decreasing the counters in Form (ii) runs. We can indeed find such a $y \in \mathbb{N}$ that is a multiple of $\alpha$, since $\alpha$ is divisible by all lengths of simple cycles. Finally, we choose $x$ so that Form (i) runs can compensate for $c^z$ and $b^y$ using $> 0$ cycles on $a^x$ in the $l$-th segment, again whilst not decreasing the counters in Forms (ii) and (iii). ⊓⊔

Recall that our goal is to show that there is a segment $l \in [k+1]$ that is bad in every $\mathcal{V}_j$, for $j \in [k]$. In Lemma 5, we show that each $\mathcal{V}_j$ has at most one good segment. Therefore, there are at most $k$ good segments in total, leaving at least one segment that is bad in every $\mathcal{V}_j$, as desired.

Lemma 5. Let $j \in [k]$ and $1 \le r < s \le k+1$. Then the $r$-th or the $s$-th segment is bad in $\mathcal{V}_j$.

Proof. Since $j$ is fixed, denote $\mathcal{V}_j = \langle \Sigma, Q, Q_0, \delta, F \rangle$. We inductively define constants $\{n_i\}_{i=1}^{k+1}, n_b, n_c \in \mathbb{N}$ as follows. Suppose that $n_1$ is a large-enough multiple of $\alpha$ so that Lemma 2 guarantees a $\ge 0$ cycle in any accepting run of $\mathcal{V}_j$ on $a^{n_1}$ from some $(q_0, 0)$ with $q_0 \in Q_0$. Now, assume that we have defined $n_1, \ldots, n_{l-1}$, and consider the word $u = a^{n_1}\#a^{n_2}\# \cdots \#a^{n_{l-1}}\#$. Define $n = |u| \cdot W$, where $W$ is the maximal update of any transition of $\mathcal{V}_j$. Since $u$ consists of $\frac{n}{W}$ letters, $n + 1$ is greater than any counter value that can be observed in any run of $\mathcal{V}_j$ on $u$. We define $n_l$ to be a multiple of $\alpha$ large enough so that Lemma 2 guarantees a $\ge 0$ cycle when reading $a^{n_l}$ from any configuration of the form $\{(q, n') \mid q \in Q, n' \le n + 1\}$. We set $n_b = n_c = \alpha$; the choice of $n_b, n_c$ is somewhat arbitrary. Finally, we set $w = a^{n_1}\# \cdots \#a^{n_{k+1}}\#b^{n_b}c^{n_c}$.

Now, for every $x \in \mathbb{N}$, we obtain from $w$ a word $w_x$ by pumping $x\alpha$ many $a$'s in the $r$-th and $s$-th segments, and pumping $x\alpha$ many $b$'s and $c$'s in their segments. That is, let $n'_i = n_i + x\alpha$ for $i \in \{r, s\}$ and $n'_i = n_i$ for $i \notin \{r, s\}$, and let $n'_b = n_b + x\alpha$ and $n'_c = n_c + x\alpha$; then $w_x = a^{n'_1}\# \cdots \#a^{n'_{k+1}}\#b^{n'_b}c^{n'_c}$. Observe that $w_x \in \mathcal{L}(\mathcal{P})$. Indeed, since $n_r \ge n_b = \alpha$ and $n_s \ge n_c = \alpha$, we have that $n_r + x\alpha \ge n_b + x\alpha$ and $n_s + x\alpha \ge n_c + x\alpha$, so the $r$-th and $s$-th segments alone can pay for the $b$'s and $c$'s, respectively. In particular, $w_x \in \mathcal{L}(\mathcal{V}_j)$ via some accepting $\mathbb{N}$-run $\rho_x$.

We choose a particular value of $x$, as follows. Consider $x$, and suppose some accepting $\mathbb{N}$-run $\rho_x$ as above traverses a $> 0$ cycle in neither the $r$-th nor the $s$-th segment. By Lemma 1, the maximal possible counter value of $\rho_x$ after reading

$$a^{n\_1} \# \dots \# a^{n\_r + x\alpha} \# \dots \# a^{n\_s + x\alpha} \# \dots \# a^{n\_{k+1}} \# \dots$$

is $M_b = (k + 1 + \sum_{z \in [k+1] \setminus \{r,s\}} n_z) \cdot W + 2|Q| \cdot W$. Crucially, this value does not depend on $x$. Further, if there is no $> 0$ cycle in the segment of $b$'s as well, then again the maximal counter value of $\rho_x$ up to the $c$ segment is bounded by $M_c = (k + 2 + \sum_{z \in [k+1] \setminus \{r,s\}} n_z) \cdot W + 3|Q| \cdot W$, which, like $M_b$, is independent of $x$. By Lemma 2, we can now choose $x$ large enough to guarantee that for every accepting $\mathbb{N}$-run $\rho_x$ on $w_x$:

- if $\rho_x$ traverses a $> 0$ cycle in neither the $r$-th nor the $s$-th segment, then $\rho_x$ traverses a $\ge 0$ cycle in the $b$ segment; and
- if, in addition, $\rho_x$ traverses no $> 0$ cycle in the $b$ segment, then $\rho_x$ traverses a $\ge 0$ cycle in the $c$ segment.

Having fixed $x$, we claim that, for the constants of $w_x$, one of the $r$-th or $s$-th segments is bad in $\mathcal{V}_j$. By construction, Lemma 2 guarantees that $\rho_x$ has $\ge 0$ cycles in segments $1, \ldots, r-1$. If $\rho_x$ has a $> 0$ cycle in segment $r$, then $\rho_x$ is of Form (i):

$$a^{n\_1} \# a^{n\_2} \# \dots \# a^{n\_{r-1}} \# a^{n\_r + x\alpha} \# \dots \# a^{n\_s + x\alpha} \# \dots \# a^{n\_{k+1}} \# b^{n\_b + x\alpha} c^{n\_c + x\alpha}$$

and so the r-th segment must be bad in V<sup>j</sup> .

Otherwise, if $\rho_x$ does not have a $> 0$ cycle in the $r$-th segment, then the construction in Lemma 2 guarantees $\ge 0$ cycles in segments $r, r+1, \ldots, s-1$. Indeed, for the $r$-th segment, we are guaranteed a $\ge 0$ cycle when reading $a^{n_r}$, all the more so for $a^{n_r + x\alpha}$. As for segments $r+1, \ldots, s-1$: if $\rho_x$ does not have a $> 0$ cycle in the $r$-th segment, then the maximal effect of segment $r$ is $|Q| \cdot W$. However, $n_{r+1}$ was constructed to guarantee a $\ge 0$ cycle even in case the effect of segment $r$ is $W n_r \ge W\alpha \ge W|Q|$.

If there is a $> 0$ cycle in segment $s$, then $\rho_x$ is again of Form (i):

$$a^{n\_1} \# a^{n\_2} \# \dots \# a^{n\_{s-1}} \# a^{n\_s + x\alpha} \# a^{n\_{s+1}} \# \dots \# a^{n\_{k+1}} \# b^{n\_b + x\alpha} c^{n\_c + x\alpha}$$

and so the s-th segment must be bad in V<sup>j</sup> .

Otherwise, using the same arguments as for the $r$-th segment, we have that segments $s+1, \ldots, k+1$ each contain a $\ge 0$ cycle. In this case we are left with the $b$ and $c$ segments. The choice of $x$ guarantees a $\ge 0$ cycle in the $b$ segment. If $\rho_x$ traverses a $> 0$ cycle in the $b$ segment, then $\rho_x$ is of Form (iii):

$$a^{n\_1} \# a^{n\_2} \# \cdots \# a^{n\_{k+1}} \# b^{n\_b + x\alpha} c^{n\_c + x\alpha}$$

Finally, if there are no $> 0$ cycles in the $b$ segment, then the choice of $x$ again guarantees a $\ge 0$ cycle in the $c$ segment, so $\rho_x$ is of Form (ii):

$$a^{n\_1} \# a^{n\_2} \# \cdots \# a^{n\_{k+1}} \# b^{n\_b + x\alpha} c^{n\_c + x\alpha}$$

In the two latter cases, both the $r$-th and the $s$-th segments are bad in $\mathcal{V}_j$. ⊓⊔

#### 4.4 Proof of Theorem 1

Given Lemma 5, we now know that each $\mathcal{V}_j$ has at most one good segment. Therefore, all 1-CNs $\mathcal{V}_1, \ldots, \mathcal{V}_k$ together have at most $k$ good segments. Recall that the words we focus on have $k+1$ segments, and therefore there is at least one segment, say the $l$-th segment, that is bad in every $\mathcal{V}_j$. Note, however, that this segment may correspond to different constants in each $\mathcal{V}_j$. That is, there exist constants $\{m_i^j, m_b^j, m_c^j \mid i \in [k+1], j \in [k]\}$ witnessing that the $l$-th segment is bad for each $\mathcal{V}_j$. We group the $\mathcal{V}_j$ according to the form of their accepting runs $\rho_j$, i.e., according to whether the run witnessing badness is of Form (i), (ii), or (iii) (see Definition 2).


We now find constants resulting in a single word for which the $l$-th segment is bad in every $\mathcal{V}_j$. First, for $i \in [k+1] \setminus \{l\}$, we define $M_i = \max\{m_i^j \mid j \in [k]\}$; note that these values are still multiples of $\alpha$. Similarly, we define $M_c = \max\{m_c^j \mid j \in [k]\}$. It remains to fix new constants $L$ and $B$, which we do in phases in what follows. The resulting word is then

$$w = a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^L \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^B c^{M\_c}.$$

Most steps in the analysis below are based on Lemma 3 and Corollary 1. We first partially handle Form (iii) runs. For such $\mathcal{V}_j$, there is an accepting $\mathbb{N}$-run $\rho_j$ on

$$a^{m\_1^j} \# \cdots \# a^{m\_{l-1}^j} \# a^{m\_l^j} \# a^{m\_{l+1}^j} \# \cdots \# a^{m\_{k+1}^j} \# b^{m\_b^j} c^{m\_c^j}$$

By pumping $\ge 0$ cycles as per Corollary 1 in all segments except the $l$-th, we obtain an accepting $\mathbb{N}$-run $\rho'_j$ on

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{m\_l^j} \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^{m\_b^j} c^{m\_c^j}.$$

We now pump arbitrary cycles in the $c$ segment to construct a $\mathbb{Z}$-run $\rho''_j$ on

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{m\_l^j} \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^{m\_b^j} c^{M\_c}.$$

Next, we compensate for possible negative cycles in the $c$ segment by pumping a $> 0$ cycle in the $b$ segment. Thus, we construct an $\mathbb{N}$-run $\rho'''_j$ on

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{m\_l^j} \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^{B} c^{M\_c},$$

where $B$ is chosen to be large enough such that $\rho'''_j$ is an $\mathbb{N}$-run for all $\mathcal{V}_j$, $j \in [k]$. Note that it remains to fix $L$.

We now turn to Form (i). With a similar process, we start with an accepting $\mathbb{N}$-run $\rho_j$ on

$$a^{m\_1^j} \# \cdots \# a^{m\_{l-1}^j} \# a^{m\_l^j} \# a^{m\_{l+1}^j} \# \cdots \# a^{m\_{k+1}^j} \# b^{m\_b^j} c^{m\_c^j}.$$

Pump $\ge 0$ cycles in segments $1, \ldots, l-1$ to obtain an accepting $\mathbb{N}$-run $\rho'_j$ on

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{m\_l^j} \# a^{m\_{l+1}^j} \# \cdots \# a^{m\_{k+1}^j} \# b^{m\_b^j} c^{m\_c^j}.$$

Now, obtain a $\mathbb{Z}$-run $\rho''_j$ by pumping arbitrary cycles in the remaining segments, including the $b$ segment:

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{m\_l^j} \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^B c^{M\_c}.$$

Again, we compensate for negative cycles by taking $L$ large enough so that pumping $> 0$ cycles in the $l$-th segment yields an accepting $\mathbb{N}$-run $\rho'''_j$ on

$$a^{M\_1} \# \cdots \# a^{M\_{l-1}} \# a^{L} \# a^{M\_{l+1}} \# \cdots \# a^{M\_{k+1}} \# b^{B} c^{M\_c}.$$

We now return to Form (iii) and fix the $l$-th segment by pumping $\ge 0$ cycles to construct an accepting $\mathbb{N}$-run on

$$a^{M_1} \# \cdots \# a^{M_{l-1}} \# a^{L} \# a^{M_{l+1}} \# \cdots \# a^{M_{k+1}} \# b^{B} c^{M_c}.$$

We are left with Form (ii), which is the most straightforward to handle. We simply pump ≥ 0 cycles in all segments to construct an accepting N-run $\rho'_j$ on $a^{M_1} \# \cdots \# a^{M_{l-1}} \# a^{L} \# a^{M_{l+1}} \# \cdots \# a^{M_{k+1}} \# b^{B} c^{M_c}$.

Note that the requirement for all segments before the l-th to be ≥ 0 is crucial; otherwise we would not be able to pump all the cycles in all forms simultaneously.

We now have that w is accepted by every $\mathcal{V}_j$, and the l-th segment is bad for all $\mathcal{V}_j$. By applying Lemma 4 for each of the $\mathcal{V}_j$ and taking global constants to be the products of the respective constants x, y, z > 0 for each $\mathcal{V}_j$, we now obtain X, Y, Z ∈ N, multiples of α, such that for every n ∈ N the word

$$w_n = a^{M_1} \# \dots \# a^{M_{l-1}} \# a^{L+Xn} \# a^{M_{l+1}} \# \dots \# a^{M_{k+1}} \# b^{B+Yn} c^{M_c+Zn} \in \mathcal{L}(\mathcal{V}_j)$$

is accepted by every $\mathcal{V}_j$, for every j ∈ [k].

Finally, we choose n large enough to satisfy $\sum_{i \in [k+1] \setminus \{l\}} M_i < \min\{B + Yn, M_c + Zn\}$, so that $w_n \notin \mathcal{L}(\mathcal{P})$. This is possible because, w.l.o.g., the l-th segment can only pay for b, and the remaining segments $[k+1] \setminus \{l\}$ cannot pay for c. This contradicts the assumption that $\mathcal{L}(\mathcal{P}) = \bigcap_{j \in [k]} \mathcal{L}(\mathcal{V}_j)$, concluding the proof of Theorem 1. ⊓⊔

Remark 3 (Unbounded Compositeness). The proof of Theorem 1 shows that if words with k + 1 segments are allowed, then the language is not (1, k)-composite; we use this to establish primality. By intersecting $\mathcal{L}(\mathcal{P})$ with words that allow at most k + 1 segments, we obtain a language that is not (1, k)-composite, but it is not hard to show that it is $(1, 2^{k+1})$-composite. This demonstrates that a 2-CN can be composite, but may require unboundedly many factors.

The intuition behind Theorem 1 is that separate counters are needed to keep track of the elements that "cover" $b^{m_b}$ and $c^{m_c}$. Extending this idea to k-CN, we require that the a segments are partitioned into k different sets that cover k "targets".

Conjecture 1. The following language is the language of a prime k-CN:

$$L_k = \{a^{m_1} \# a^{m_2} \# \cdots \# a^{m_t} \# b_1^{n_1} \# b_2^{n_2} \# \cdots \# b_k^{n_k} \mid \exists I_1, \ldots, I_k \subseteq [t] \;\forall i \in [k],\; \sum_{j \in I_i} m_j \ge n_i \;\land\; \forall i \ne j,\; I_i \cap I_j = \emptyset\}$$

While constructing a k-CN for $L_k$ is a simple extension of Example 2, proving that it is indeed prime does not seem to succumb to our techniques, and we leave it as an important open problem (see Section 7).
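To make the covering condition of $L_k$ concrete, here is a brute-force membership test on the exponent vectors (an illustration only; the function name and representation are ours, and the search is exponential in t):

```python
from itertools import product

def in_Lk(ms, ns):
    """Brute-force membership test for the covering condition of L_k:
    do there exist pairwise-disjoint I_1, ..., I_k subsets of [t] with
    sum_{j in I_i} m_j >= n_i for every i?  Exponential in t = len(ms)."""
    k, t = len(ns), len(ms)
    # Assign each a-segment to one target i in [k], or to no target (value k);
    # disjointness is automatic, as each index gets at most one target.
    for assignment in product(range(k + 1), repeat=t):
        sums = [0] * k
        for j, i in enumerate(assignment):
            if i < k:
                sums[i] += ms[j]
        if all(sums[i] >= ns[i] for i in range(k)):
            return True
    return False
```

For instance, with ms = [3, 2, 4] and ns = [3, 4], assigning the first segment to the first target and the third segment to the second target witnesses membership.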

## 5 Primality of Counter Nets is Undecidable

In this section we consider the primality and dimension-minimality decision problems: given a k-CN A, decide whether A is prime and whether A is dimension-minimal, respectively.

We use our prime 2-CN from Example 2 and the results of Section 4 to show that both problems are undecidable. Our proof is by reduction from the containment problem<sup>5</sup> for 1-CNs: given two 1-CNs A and B over an alphabet Σ, decide whether L(A) ⊆ L(B). This problem was shown to be undecidable in [20].

We begin by describing the reduction that applies to both problems. Consider an instance of 1-CN containment with two 1-CNs A and B over the alphabet Σ. We construct a 2-CN C as follows. Let Λ be the alphabet of the 2-CN from Example 2 and Theorem 1, and let \$ ∉ Σ ∪ Λ be a fresh symbol. Intuitively, C accepts words of the form u\$v when either u ∈ L(A) and v is accepted by P starting from the maximal counter value that A ended with on u, or when u ∈ L(B) and v ∈ Λ<sup>∗</sup>.

Formally, we convert A and B to 2-CNs A′ and B′ by adding a counter and never modifying its value, so a transition (p, σ, v, q) in A becomes (p, σ, (v, 0), q) in A′, for example. We construct a 2-CN C as follows (see Fig. 3). We take A′, B′, and P, and for every accepting state q of A′ we introduce a transition (q, \$, 0, p₀) where p₀ is an initial state of P. We then add a new accepting state q⊤ and the transitions (q⊤, λ, 0, q⊤) for every letter λ ∈ Λ; in other words, q⊤ is an accepting sink for Λ. We also add transitions (s, \$, 0, q⊤) from every accepting state s of B′. The initial states are those of A′ and B′, and the accepting states are those of P and q⊤.

Theorem 2. Primality and dimension-minimality are undecidable, already for 2-CN.

Proof. We prove the theorem by establishing that C is not prime if and only if L(A) ⊆ L(B), and C is not dimension-minimal if and only if L(A) ⊆ L(B).

<sup>5</sup> Actually, the complement thereof.

Fig. 3: The reduction from 1-CN non-containment to 2-CN primality and dimension-minimality. The dashed accepting states are those of A′ and B′, and are not accepting in the resulting construction.

Assume that L(A) ⊆ L(B); then the component of C containing A′ and P (Fig. 3, left) becomes redundant. Since the component containing B′ and q⊤ only makes use of one counter, C is composite. Formally, we claim that L(C) = {u\$v | u ∈ L(B) ∧ v ∈ Λ<sup>∗</sup>}. Indeed, if w ∈ L(C) then w = u\$v, so either u ∈ L(A′) = L(A) or u ∈ L(B); since L(A) ⊆ L(B), this is equivalent to u ∈ L(B), and in this case there is simply no condition on v ∈ Λ<sup>∗</sup>. Since the second counter is not used in the component containing B′ and q⊤ (Fig. 3, right), we can construct a 1-CN equivalent to C by projecting on the first counter and deleting the component containing A′ and P completely. It follows that in this case C is not dimension-minimal, and therefore not prime either.

For the converse, assume that L(A) ⊈ L(B), and let u ∈ L(A) \ L(B). Denote m = max{eff(ρ) | ρ is an accepting run of A on u}. Thus, for a word v ∈ Λ<sup>∗</sup> we have that u\$v ∈ L(C) if and only if v is accepted in P with initial counter m. Assume by way of contradiction that C is not prime; then we can write L(C) as an intersection of languages of 1-CNs. Loosely speaking, this will create a contradiction, as we will be able to argue that P is not prime. More precisely, take $v = a^{m_1} \# a^{m_2} \# \cdots \# a^{m_{k+1}} \# b^{m_b} c^{m_c}$ for integers $\{m_i\}_{i=1}^{k+1}, m_b, m_c \in \mathbb{N}$ and consider words of the form u\$v. Our analysis from Section 4 (specifically, the arguments used in the proof of Lemma 5), applied to u\$v, can show, mutatis mutandis, that the language of P is not composite regardless of any fixed initial counter value (an analogue of Theorem 1).

We thus have that C is prime, and in particular C is dimension-minimal, concluding the correctness of the reduction. ⊓⊔

To contrast the undecidability of primality in nondeterministic CNs, we turn our attention to a decidable fragment of primality, for which we focus on deterministic CNs. Recall that by Proposition 1, a k-DCN is dimension-minimal if and only if it is not (1, k − 1)-composite. Thus, dimension-minimality "captures" primality. We show that regularity, which is equivalent to being (0, 1)-composite, is decidable for k-DCNs for every dimension k.

For dimension one, regularity is already known to be decidable in EXPSPACE, even for history-deterministic 1-CNs [5, Theorem 19]. History-determinism is a restricted form of nondeterminism; history-deterministic CNs are less expressive than nondeterministic CNs but more expressive than DCNs. However, already for k ≥ 2, regularity is undecidable for history-deterministic k-CNs [5, Theorem 20].

Theorem 3. Regularity of k-DCN is decidable and is in EXPSPACE.

We provide further details, including a proof of Theorem 3, in the full version. In short, we translate our k-DCN into a regularity-preserving Vector Addition System (VAS) and use results on VAS regularity from [3, Theorem 4.5]. We remark that an alternative approach may be taken by adapting the results of [12] on regularity of VASS, although this seems more technically challenging because CNs have accepting states.

## 6 Expressiveness Trade-Offs between Dimensions and Nondeterminism

Theorem 1 implies that 2-CNs are more expressive than 1-CNs, and that nondeterministic models are more expressive than deterministic ones. In particular, a k-DCN can be decomposed by projection (Proposition 1), and has decidable regularity (Theorem 3). It is therefore interesting to study the interplay between increasing the dimension and introducing nondeterminism. In this section we present two results: first, we show that dimension and nondeterminism are, in a sense, incomparable notions. Second, we show that increasing the dimension strictly increases expressiveness, for both CNs and DCNs. We remark that the latter may seem like an intuitive and simple claim. However, to the best of our knowledge it has never been proved, and moreover, it requires a nontrivial approach to pumping with several counters.

We start by showing that nondeterminism can sometimes compensate for low dimension. Let k ∈ N and Σ = {$a_1, \ldots, a_k, b_1, \ldots, b_k$, c}; consider the language $L_k = \{a_1^{n_1} a_2^{n_2} \cdots a_k^{n_k} b_i c^m \mid i \in [k] \land n_i \ge m\}$. It is easy to construct a k-DCN as well as a 1-CN for $L_k$, as depicted by Figs. 4 and 5 for k = 3. To construct a 1-CN we guess which $b_i$ will be read later, and verify the guess using the single counter in the $a_i^{n_i}$ part.


Fig. 4: A 3-DCN for $L_3 = \{a_1^{n_1} a_2^{n_2} a_3^{n_3} b_i c^m \mid i \in [3] \land n_i \ge m\}$. Intuitively, the 3-DCN counts the number of occurrences of each letter, and decreases the appropriate counter once the letter $b_i$ selects it.

We now show that $L_k$'s dimension cannot be minimised whilst maintaining determinism.

Theorem 4. $L_k$ is not recognisable by a (k − 1)-DCN.

Proof. Assume by way of contradiction that there exists a (k − 1)-DCN $D = \langle \Sigma, Q, Q_0, \delta, F \rangle$ such that $L(D) = L_k$. Let n > |Q| and for every i ∈ [k] consider

Fig. 5: A 1-CN for $L_3 = \{a_1^{n_1} a_2^{n_2} a_3^{n_3} b_i c^m \mid i \in [3] \land n_i \ge m\}$. Intuitively, the CN guesses which $b_i$ will be seen, and counts the respective occurrences of the letter $a_i$. Then, once $b_i$ is seen, the counter is decreased on c.

the word $w_i = a_1^n a_2^n \cdots a_k^n b_i c^n \in L_k$. Since D is deterministic and n > |Q|, all of the accepting runs on the $w_i$ coincide up to the $b_i$ part and have cycles in each $a_i^n$ segment as well as in the $c^n$ segment (the latter may differ according to i). Let M be the product of the lengths of all these cycles.

First, observe that the cycles in all of the $a_i^n$ segments cannot decrease any counter. Indeed, otherwise, by pumping such a cycle t > 0 times for large enough t, there would not exist an N-run on words with the prefix $a_1^n \cdots a_{i-1}^n a_i^{n+tM}$. This creates a contradiction since, with an appropriate suffix, such words can be accepted.

Thus, all $a_i$ cycles have non-negative effects on all counters. Now, associate with each counter i the minimal segment index whose cycle strictly increases counter i. Since there are k − 1 counters and k segments, this map is not surjective; in other words, there is a segment (without loss of generality, the $a_k$ segment) such that every counter that is increased in the $a_k$ cycle is also increased in a previous segment. Therefore, there exist s, t > 0 such that the word

$$a_1^{n+sM} a_2^{n+sM} \cdots a_{k-1}^{n+sM} a_k^n b_k c^{n+tM} \notin L_k$$

is accepted by D, which is a contradiction.

We now turn to show that, conversely, dimension can sometimes compensate for nondeterminism. Moreover, we show that there is a strict hierarchy of expressiveness with respect to dimension. Specifically, for k ∈ N consider the language $H_k = \{a_1^{m_1} a_2^{m_2} \cdots a_k^{m_k} b_1^{n_1} b_2^{n_2} \cdots b_k^{n_k} \mid \forall 1 \le i \le k,\; m_i \ge n_i\}$.

Theorem 5. $H_k$ is recognisable by a k-DCN, but not by a (k − 1)-CN.

Proof (sketch). Constructing a k-DCN for $H_k$ is straightforward, by using the i-th counter to check that $m_i \ge n_i$, for each i ∈ [k].

We turn to argue that $H_k$ is not recognisable by a (k − 1)-CN (see the full version for a complete proof). Assume by way of contradiction that $A = \langle \Sigma, Q, Q_0, \delta, F \rangle$ is a (k − 1)-CN with $L(A) = H_k$. We first observe that there exists $m_1 \in \mathbb{N}$ large enough so that every run of A on $a_1^{m_1}$ must traverse a non-negative cycle, i.e., a cycle whose overall effect is $u_1 \in \mathbb{Z}^{k-1}$ such that $u_1[i] \ge 0$ for all i ∈ [k − 1]. Indeed, this is immediate by a "uniformly bounded" version of Dickson's lemma [15]; any long-enough "controlled" sequence of vectors in $\mathbb{N}^{k-1}$ must contain an r-increasing chain, for any r ∈ N.

By repeating this argument we can ultimately find $m_1, \ldots, m_k$ such that any run of A on $a_1^{m_1} a_2^{m_2} \cdots a_k^{m_k}$ traverses a non-negative cycle in each $a_j$ segment for j ∈ [k]. Consider now the word $w = a_1^{m_1} a_2^{m_2} \cdots a_k^{m_k} b_1^{m_1} b_2^{m_2} \cdots b_k^{m_k} \in H_k$; then there exists an accepting run ρ of A on w such that for each j ∈ [k], the run ρ traverses a non-negative cycle in segment $a_j$, with effect $u_j \in \mathbb{N}^{k-1}$.

Consider the vectors $u_1, \ldots, u_k$. We claim that there exists ℓ ∈ [k] such that the support of $u_\ell$ is covered by $u_1, \ldots, u_{\ell-1}$ in the following sense: for every counter i ∈ [k − 1], if $u_\ell[i] > 0$, then there exists j < ℓ such that $u_j[i] > 0$. Indeed, this holds since otherwise every $u_j$ would have to contribute a fresh positive coordinate to the union of supports of the previous vectors, but there are k vectors and only k − 1 coordinates.

Next, observe that since each $u_j$ is the effect of a non-negative cycle taken in ρ, it can be pumped without decreasing any subsequent counter values, and hence induces an accepting run on a pumped word. Intuitively, we now proceed by pumping all the $u_j$ cycles for j < ℓ some large-enough number of times M, which enables us to remove one iteration of the cycle with effect $u_\ell$ while maintaining an accepting run on a word of the form:

$$w' = a_1^{m_1 + M d_1} a_2^{m_2 + M d_2} \cdots a_{\ell - 1}^{m_{\ell - 1} + M d_{\ell - 1}} a_\ell^{m_\ell - d_\ell} a_{\ell + 1}^{m_{\ell + 1}} \cdots a_k^{m_k} b_1^{m_1} b_2^{m_2} \cdots b_k^{m_k}.$$

Since $m_\ell > m_\ell - d_\ell$, the $b_\ell$ segment is longer than the $a_\ell$ segment. Thus $w' \notin H_k$, which yields a contradiction. ⊓⊔

Apart from showing that nondeterminism cannot always compensate for increased dimension, Theorem 5 also shows that for every dimension k, there are languages recognisable by a (k + 1)-DCN (and in particular by a (k + 1)-CN), but not by any k-CN (and in particular not by any k-DCN). Thus, we obtain the following hierarchy.

Corollary 2. For every k ∈ N, k-CNs (resp. k-DCNs) are strictly less expressive than (k + 1)-CNs (resp. (k + 1)-DCNs).

## 7 Discussion

Broadly, this work explores the interplay between the dimension of a CN and its expressive power. This is done by studying the dimension-minimality problem, where we ask whether the dimension of a given CN can be decreased while preserving its language, and by the more involved primality problem, which allows a decomposition into multiple CNs of lower dimension. We show that both primality and dimension-minimality are undecidable. Moreover, they remain undecidable even when we discard the degenerate dimension 0 case, which corresponds to finite memory, i.e., regular languages. On the other hand, this degenerate case is one where we can show decidability for DCNs.

This work also highlights a technical shortcoming of the current understanding of high-dimensional CNs: pumping arguments in the presence of k dimensions and nondeterminism are very involved, and are (to our best efforts) insufficient to prove Conjecture 1. To this end, we present novel pumping arguments in the proof of Theorem 1 and, to some extent, in the proof of Theorem 5, which make progress towards pumping in the presence of k dimensions and nondeterminism.

## References


248 S. Almagor et al.


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## Parameterized Broadcast Networks with Registers: from NP to the Frontiers of Decidability<sup>⋆</sup>

Lucie Guillou<sup>1</sup>, Corto Mascle<sup>2</sup>, and Nicolas Waldburger<sup>3</sup>(B)

<sup>1</sup> IRIF, CNRS, Université Paris Cité, Paris, France. guillou@irif.fr
<sup>2</sup> LaBRI, Université de Bordeaux, Bordeaux, France. corto.mascle@labri.fr
<sup>3</sup> IRISA, Université de Rennes, Rennes, France. nicolas.waldburger@irisa.fr

Abstract. We consider the parameterized verification of networks of agents which communicate through unreliable broadcasts. In this model, agents have local registers whose values are unordered and initially distinct and may therefore be thought of as identifiers. When an agent broadcasts a message, it appends to the message the value stored in one of its registers. Upon reception, an agent can store the received value or test it for equality against one of its own registers. We consider the coverability problem, where one asks whether a given state of the system may be reached by at least one agent. We establish that this problem is decidable, although non-primitive recursive. We contrast this with the undecidability of the closely related target problem where all agents must synchronize on a given state. On the other hand, we show that the coverability problem is NP-complete when each agent only has one register.

Keywords: Parameterized verification · Well quasi-orders · Distributed systems

## 1 Introduction

We consider Broadcast Networks of Register Automata (BNRA), a model for networks of agents communicating by broadcasts. These systems are composed of an arbitrary number of agents whose behavior is specified with a finite automaton. This automaton is equipped with a finite set of private registers that contain values from an infinite unordered set. Initially, registers all contain distinct values, so these values can be used as identifiers. A broadcast message is composed of a symbol from a finite alphabet along with the value of one of the sender's registers. When an agent broadcasts a message, any subset of agents may receive it; this models unreliable systems with unexpected crashes and disconnections. Upon reception, an agent may store the received value or test it for equality with one of its register values. For example, an agent can check that several received messages have the same value.

© The Author(s) 2024

<sup>⋆</sup> Partly supported by ANR project PaVeDyS (ANR-23-CE48-0005).

N. Kobayashi and J. Worrell (Eds.): FoSSaCS 2024, LNCS 14575, pp. 250–270, 2024. https://doi.org/10.1007/978-3-031-57231-9_12

This model was introduced in [10], as a natural extension of Reconfigurable Broadcast Networks [12]. In [10], the authors established that coverability is undecidable if the agents are allowed to send two values per message. They moreover claimed that, with one value per message, coverability was decidable and PSPACE-complete; however, the proof turned out to be incorrect [22]. As we will see, the complexity of that problem is in fact much higher.

In this paper we establish the decidability of the coverability problem and its completeness for the hyper-Ackermannian complexity class Fω<sup>ω</sup>, showing that the problem has non-primitive recursive complexity. The lower bound comes from lossy channel systems, which consist (in their simplest version) of a finite automaton that uses an unreliable FIFO memory from which any letter may be erased at any time [3, 8, 26]. We further establish that our model lies at the frontier of decidability by showing undecidability of the target problem (where all agents must synchronize in a given state). We contrast these results with the NP-completeness of the coverability problem if each agent has only one register.

Related work Broadcast protocols are a widely studied class of systems in which processes are represented by nodes of a graph and can send messages to their neighbors in the graph. There are many versions depending on how one models processes, the communication graph, the shape of messages, etc. A model with a fully connected communication graph and messages ranging over a finite alphabet was presented in [13]. When working with parameterized questions over this model (i.e., working with systems of arbitrary size), many basic problems are undecidable [14]; similar negative results were found for Ad Hoc Networks, where the communication graph is fixed but arbitrary [12]. This led the community to consider Reconfigurable Broadcast Networks (RBN), where a broadcast can be received by an arbitrary subset of agents [12].

Parameterized verification problems over RBN have been the subject of extensive study in recent years, concerning for instance reachability questions [5, 11], liveness [9] or alternative communication assumptions [4]; however, RBN have weak expressivity, in particular because agents are anonymous. In [10], RBN were extended to BNRA, the model studied in this article, by the addition of registers allowing processes to exchange identifiers.

Other approaches exist to define parameterized models with registers [6], such as dynamic register automata, in which processes are allowed to spawn other processes with new identifiers and communicate integer values [1]. While basic problems on these models are in general undecidable, some restrictions on communications allow one to obtain decidability [2, 20].

Parameterized verification problems often relate to the theory of well quasi-orders and the associated high complexities obtained from bounds on the length of sequences with no increasing pair (see for example [25]). In particular, our model is linked to data nets, a classical model connected to well quasi-orders. Data nets are Petri nets in which tokens are labeled with natural numbers and can exchange and compare their labels using inequality tests [18]; in this model, the coverability problem is $F_{\omega^{\omega^\omega}}$-complete [15]. When one restricts data nets to equality tests only, the coverability problem becomes Fω<sup>ω</sup>-complete [21]. Data nets with equality tests do not subsume BNRA. Indeed, in data nets, each process can only carry one integer at a time, and problems on models of data nets where tokens carry tuples of integers are typically undecidable [17].

Overview We start with the model definition and some preliminary results in Section 2. As our decidability proof is quite technical, we start by proving decidability of the coverability problem in a subcase called signature protocols in Section 3. We then rely on the intuitions built in that subcase to generalize the proof to the general case in Section 4. We also show the undecidability of the closely-related target problem. Finally, we prove the NP-completeness of the coverability problem for protocols with one register in Section 5. Due to space constraints, many proofs, as well as some technical definitions, are only sketched in this version. Detailed proofs can be found in the full version, available here.

In this document, each notion is linked to its definition using the knowledge package. On electronic devices, clicking on words or symbols gives access to their definitions.

## 2 Preliminaries

## 2.1 Definitions of the Model

A Broadcast Network of Register Automata (BNRA) [10] is a model describing broadcast networks of agents with local registers. A finite transition system describes the behavior of an agent; an agent can broadcast and receive messages with integer values, store them in local registers and perform (dis)equality tests. There are arbitrarily many agents. When an agent broadcasts a message, every other agent may receive it, but does not have to do so.

Definition 1. A protocol with r registers is a tuple P = (Q, M, ∆, $q_0$) with Q a finite set of states, $q_0$ ∈ Q an initial state, M a finite set of message types and ∆ ⊆ Q × Op × Q a finite set of transitions, with operations

Op = {br(m, i), rec(m, i, ∗), rec(m, i, ↓), rec(m, i, =), rec(m, i, ≠) | m ∈ M, 1 ≤ i ≤ r}.

Label br stands for broadcasts and rec for receptions. In a reception rec(m, i, α), α is its action. The set of actions is Actions := {=, ≠, ↓, ∗}, where '=' is an equality test, '≠' is a disequality test, '↓' is a store action and '∗' is a dummy action with no effect. The size of P is |P| := |Q| + |M| + |∆| + r.

We now define the semantics of those systems. Essentially, we have a finite set of agents with r registers each; all registers initially contain distinct values. A step consists of an agent broadcasting a message that other agents may receive.

Definition 2 (Semantics). Let (Q, M, ∆, $q_0$) be a protocol with r registers, and A a finite non-empty set of agents. A configuration over A is a function

Fig. 1: Example of a protocol.

γ : A → Q × N<sup>r</sup> mapping each agent to its state and its register values. We write st(γ) for the state component of γ and data(γ) for its register component.

An initial configuration γ is one where for all a ∈ A, st(γ)(a) = $q_0$ and data(γ)(a, i) ≠ data(γ)(a′, i′) for all (a, i) ≠ (a′, i′).

Given a finite non-empty set of agents A and two configurations γ, γ′ over A, a step γ → γ′ is defined when there exist m ∈ M, $a_0$ ∈ A and i ∈ [1, r] such that (st(γ)($a_0$), br(m, i), st(γ′)($a_0$)) ∈ ∆, data(γ)($a_0$) = data(γ′)($a_0$) and, for all a ≠ $a_0$, either γ′(a) = γ(a) or there exists (st(γ)(a), rec(m, j, α), st(γ′)(a)) ∈ ∆ s.t. data(γ′)(a, j′) = data(γ)(a, j′) for j′ ≠ j and, writing v = data(γ)($a_0$, i) for the broadcast value:

- if α = ∗ then data(γ′)(a, j) = data(γ)(a, j);
- if α = ↓ then data(γ′)(a, j) = v;
- if α is '=' then data(γ)(a, j) = v and data(γ′)(a, j) = data(γ)(a, j);
- if α is '≠' then data(γ)(a, j) ≠ v and data(γ′)(a, j) = data(γ)(a, j).
A run over A is a sequence of steps $\rho : \gamma_0 \to \gamma_1 \to \cdots \to \gamma_k$ with $\gamma_0, \ldots, \gamma_k$ configurations over A. We write $\gamma_0 \xrightarrow{*} \gamma_k$ when there exists such a run. A run is initial when $\gamma_0$ is an initial configuration.

Remark 3. In our model, agents may only send one value per message. Indeed, coverability is undecidable if agents can broadcast several values at once [10].

Example 4. Figure 1 shows a protocol with 2 registers. Let A = {$a_1$, $a_2$}. We denote by ⟨st(γ)($a_1$), data(γ)($a_1$), st(γ)($a_2$), data(γ)($a_2$)⟩ a configuration γ over A. The following sequence is an initial run:

$$\begin{aligned} \langle q_0, (1,2), q_0, (3,4) \rangle &\to \langle q_1, (1,2), q_2, (1,4) \rangle \to \langle q_3, (1,4), q_3, (1,4) \rangle \\ &\to \langle q_4, (1,4), q_3, (1,4) \rangle \to \langle q_4, (1,4), q_4, (1,4) \rangle \end{aligned}$$

The broadcast messages are, in this order: $(m_2, 1)$ by $a_1$, $(m_3, 4)$ by $a_2$, $(m_4, 1)$ by $a_2$ and $(m_4, 1)$ by $a_1$. In this run, each broadcast message is received by the other agent; in general, however, this does not have to be true. ⊓⊔
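To make the step semantics concrete, the following Python sketch (our own illustrative encoding, not from the paper; registers are 0-indexed here) implements a single broadcast step. The transitions used below are hypothetical stand-ins consistent with the run of Example 4, since Fig. 1 itself is not reproduced:

```python
# Minimal executable sketch of the BNRA step semantics (Definition 2).
# A configuration maps each agent to a pair (state, register tuple).

def step(delta, config, sender, br_transition, receptions):
    """One step: `sender` fires br_transition = (p, ('br', m, i), q);
    `receptions` maps each other agent to a matching reception transition
    (p, ('rec', m, j, action), q), or None if the message is missed."""
    p, (op, m, i), q = br_transition
    state, regs = config[sender]
    assert br_transition in delta and state == p and op == 'br'
    v = regs[i]  # broadcast value: content of the sender's i-th register
    new = dict(config)
    new[sender] = (q, regs)  # the sender's registers are unchanged
    for a, t in receptions.items():
        if a == sender or t is None:
            continue  # agents that miss the message keep their configuration
        rp, (rop, rm, j, act), rq = t
        rstate, rregs = config[a]
        assert t in delta and rstate == rp and rop == 'rec' and rm == m
        rregs = list(rregs)
        if act == '*':        # dummy: no effect on register j
            pass
        elif act == 'store':  # '↓': store the received value
            rregs[j] = v
        elif act == '=':      # equality test must pass
            assert rregs[j] == v
        elif act == '!=':     # disequality test must pass
            assert rregs[j] != v
        new[a] = (rq, tuple(rregs))
    return new
```

Broadcasting $(m_2, 1)$ from $a_1$, with $a_2$ storing the received value, takes ⟨$q_0$, (1,2), $q_0$, (3,4)⟩ to ⟨$q_1$, (1,2), $q_2$, (1,4)⟩, matching the first step of Example 4.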

Remark 5. From a run $\rho : \gamma_0 \xrightarrow{*} \gamma$, we can build a larger run ρ′ in which, for each agent a of ρ, there are arbitrarily many extra agents in ρ′ that end in the same state as a, all with distinct register values. To obtain ρ′, we make many copies of ρ run in parallel on disjoint sets of agents. Because all these copies of ρ do not interact with one another and because all agents start with distinct values in initial configurations, the different copies of ρ have no register values in common. This property is called the copycat principle: if state q is coverable, then for all n there exists an augmented run which puts n agents on q.

Definition 6. The coverability problem Cover asks, given a protocol P and a state $q_f$, whether there are a finite non-empty set of agents A and an initial run $\gamma_0 \xrightarrow{*} \gamma_f$ over A that covers $q_f$, i.e., there is a ∈ A such that st($\gamma_f$)(a) = $q_f$.

The target problem Target asks, given a protocol P and a state $q_f$, whether there are a finite non-empty set of agents A and an initial run $\gamma_0 \xrightarrow{*} \gamma_f$ over A such that, for every a ∈ A, st($\gamma_f$)(a) = $q_f$, i.e., all agents end on $q_f$.

Example 7. Let P be the protocol of Figure 1. As shown in Example 4, (P, $q_4$) is a positive instance of Cover and Target. However, let P′ be the protocol obtained from P by removing the loop on $q_4$; then (P′, $q_4$) is a negative instance of Target. Indeed, there must be an agent staying on $q_3$ to broadcast $m_4$. Also, (P, $q_5$) is a negative instance of Cover: we would need one agent on $q_2$ and one agent on $q_0$ with the same value in their first registers. However, an agent in $q_0$ has performed no transition, so it cannot share register values with other agents. ⊓⊔

Remark 8. In [10], the authors consider the query problem, where one looks for a run reaching a configuration satisfying some queries. In fact, this problem reduces to Cover in exponential time, hence our Fω<sup>ω</sup> complexity result also holds for the query problem. In the case with one register, one can even find a polynomial-time reduction, hence our NP result also holds with queries.

We finally introduce signature BNRA, an interesting restriction of our model where register 1 is broadcast-only and all other registers are reception-only. Said otherwise, the first register acts as a permanent identifier with which agents sign their messages. An example of such a protocol is displayed in Fig. 2. Under this restriction, a message is composed of a message type along with the identifier of the sender. This restriction is relevant for pedagogical purposes: we will see that it falls into the same complexity class as the general case but makes the decidability procedure simpler.

Definition 9 (Signature protocols). A signature protocol with r registers is a protocol P = (Q, M, ∆, $q_0$) where register 1 appears only in broadcasts in ∆ and registers i ≥ 2 appear only in receptions in ∆.

#### 2.2 Classical Definitions

Fast-growing hierarchy For α an ordinal in Cantor normal form, we denote by $F_\alpha$ the class of functions corresponding to level α in the Fast-Growing Hierarchy, and by $\mathsf{F}_\alpha$ the associated complexity class; we use the corresponding notion of $\mathsf{F}_\alpha$-completeness. All these notions are defined in [23]. We will specifically work with the complexity class Fω<sup>ω</sup>. For readers unfamiliar with these notions, Fω<sup>ω</sup>-complete problems are decidable but with very high complexity (non-primitive recursive, and even much higher than the Ackermann class Fω).

We highlight that our main result is the decidability of the problem. We show that the problem lies in Fω<sup>ω</sup> because doing so does not complicate our decidability proof significantly; also, it fits nicely into the landscape of high-complexity problems arising from well-quasi-orders.

Well-quasi-orders For our decidability result, we rely on the theory of well-quasi-orders, in the context of the subword ordering. Let Σ be a finite alphabet and w<sup>1</sup>, w<sup>2</sup> ∈ Σ<sup>∗</sup>; w<sup>1</sup> is a subword of w<sup>2</sup>, denoted w<sup>1</sup> ⪯ w<sup>2</sup>, when w<sup>1</sup> can be obtained from w<sup>2</sup> by erasing some letters. A sequence of words w0, w1, . . . is good if there exist i < j such that w<sup>i</sup> ⪯ w<sup>j</sup>, and bad otherwise. Higman's lemma [16] states that every bad sequence of words over a finite alphabet is finite, but there is no uniform bound on their lengths. In order to bound the length of all bad sequences, one must bound the growth of the sequence of words. We will use the following result, known as the Length function theorem [24]:

Theorem 10 (Length function theorem [24]). Let Σ be a finite alphabet and g : N → N a primitive recursive function. There exists a function f ∈ Fω<sup>|Σ|−1</sup> such that, for all n ∈ N, every bad sequence w1, w2, . . . with |w<sup>i</sup>| ≤ g<sup>(i)</sup>(n) for all i has at most f(n) terms (where g<sup>(i)</sup> denotes g applied i times).
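To make the subword ordering and the notion of bad sequence concrete, here is a small illustrative Python sketch (ours, not part of the paper's formal development):

```python
def is_subword(w1, w2):
    """Check w1 ⪯ w2: w1 can be obtained from w2 by erasing letters."""
    it = iter(w2)
    return all(c in it for c in w1)  # consumes w2 left to right

def is_bad(seq):
    """A sequence is bad if no earlier word embeds into a later one."""
    return not any(is_subword(seq[i], seq[j])
                   for i in range(len(seq))
                   for j in range(i + 1, len(seq)))

assert is_subword("ac", "abc")
assert is_bad(["bb", "ab", "aa", "b", "a"])  # bad: finite by Higman's lemma
assert not is_bad(["a", "b", "ab"])          # good: "a" ⪯ "ab"
```

The Length function theorem then bounds the length of such bad sequences, provided the word sizes grow in a controlled (primitive recursive) way.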

#### 2.3 A Complexity Lower Bound for COVER Using LCS

Lossy channel systems (LCS) are systems in which finite-state processes communicate by sending messages from a finite alphabet through lossy FIFO channels. Unlike in the non-lossy case [7], reachability of a state is decidable for lossy channel systems [3], but it has non-primitive recursive complexity [26] and is in fact Fω<sup>ω</sup>-complete [8]. By simulating LCS using BNRA, we obtain our Fω<sup>ω</sup> lower bound for the coverability problem:

Proposition 11. Cover for signature BNRA is Fω<sup>ω</sup>-hard.

Proof sketch. Given an LCS L, we build a signature protocol P with two registers. Each agent starts by receiving a foreign identifier and storing it in its second register; using equality tests, it then only accepts messages with this identifier. Each agent has at most one predecessor, so the communication graph is a forest where messages propagate from roots to leaves. Each branch simulates an execution of L. Each agent of the branch simulates a step of the execution: it receives from its predecessor a configuration of L, chooses the next configuration of L and broadcasts it, sending first the location of L and then, letter by letter, the content of the channel. Some messages may not be received, which accounts for the lossiness. ⊓⊔

## 3 Coverability Decidability for Signature Protocols

This section and the next one are dedicated to the proof of our main result:

Theorem 12. Cover for BNRA is decidable and Fω<sup>ω</sup> -complete.

For the sake of clarity, in this section we first focus on the case of signature BNRA. As a preliminary, we start by defining a notion of local run, meant to represent the projection of a run onto a given agent.

#### 3.1 Local Runs

A local configuration is a pair (q, ν) ∈ Q × N<sup>r</sup>. An internal step from (q, ν) to (q′, ν′) with transition δ ∈ ∆, denoted (q, ν) −→<sup>int(δ)</sup> (q′, ν′), is defined when ν = ν′ and δ = (q, br(m, i), q′) is a broadcast. A reception step from (q, ν) to (q′, ν′) with transition δ ∈ ∆ and value v ∈ N, denoted (q, ν) −→<sup>ext(δ,v)</sup> (q′, ν′), is defined when δ is of the form (q, rec(m, j, α), q′) with ν(j′) = ν′(j′) for all j′ ≠ j and:

– if α = '∗' then ν(j) = ν′(j),
– if α = '↓' then ν′(j) = v,
– if α = '=' then ν(j) = ν′(j) = v,
– if α = '≠' then ν(j) = ν′(j) ≠ v.

Such a reception step corresponds to receiving message (m, v); in a local run, one does not specify the origin of a received message. A local step (q, ν) −→ (q′, ν′) is either a reception step or an internal step. A local run u is a sequence of local steps, denoted (q0, ν0) −→<sup>∗</sup> (q, ν). Its length |u| is its number of steps.
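The four reception actions can be illustrated by a small Python sketch of the register update (the encoding of valuations as dictionaries and the action names "*", "down", "=", "!=" are our own illustrative choices):

```python
def reception_update(nu, j, alpha, v):
    """Apply reception action alpha on register j with received value v.
    nu maps registers to values; returns the updated valuation,
    or None if the equality/disequality test fails."""
    if alpha == "*":                       # ignore the received value
        return dict(nu)
    if alpha == "down":                    # store: ν′(j) = v
        new = dict(nu); new[j] = v; return new
    if alpha == "=":                       # equality test: ν(j) = v required
        return dict(nu) if nu[j] == v else None
    if alpha == "!=":                      # disequality test: ν(j) ≠ v required
        return dict(nu) if nu[j] != v else None
    raise ValueError(alpha)

nu = {1: 5, 2: 7}
assert reception_update(nu, 2, "down", 9) == {1: 5, 2: 9}
assert reception_update(nu, 2, "=", 8) is None    # test fails, no step
```

Internal (broadcast) steps leave the valuation unchanged, so they need no such update.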

A value v ∈ N appearing in u is initial if it appears in ν<sup>0</sup> and non-initial otherwise. For v ∈ N, the v-input Inv(u) (resp. v-output Outv(u)) is the sequence m<sup>0</sup> · · · m<sup>ℓ</sup> ∈ M<sup>∗</sup> of message types received (resp. broadcast) with value v in u.
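As an illustration of the v-input and v-output, here is a Python sketch over an explicit step encoding (the tuple representation of steps is ours, chosen only for illustration):

```python
# A local run as a list of steps: ("int", m, v) is a broadcast of message
# type m with value v; ("ext", m, v) is a reception of (m, v).

def v_input(run, v):
    """In_v(u): message types received with value v, in order."""
    return [m for (kind, m, val) in run if kind == "ext" and val == v]

def v_output(run, v):
    """Out_v(u): message types broadcast with value v, in order."""
    return [m for (kind, m, val) in run if kind == "int" and val == v]

u = [("ext", "rdy", 2), ("int", "m1", 1), ("ext", "go", 2), ("int", "m2", 1)]
assert v_input(u, 2) == ["rdy", "go"]
assert v_output(u, 1) == ["m1", "m2"]
```

These per-value sequences are exactly what the specifications of Section 3.2 constrain.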

#### 3.2 Unfolding Trees

We first prove decidability of Cover for signature BNRA. Note that, in signature protocols, the initial values of reception-only registers are irrelevant, as they can never be shared with other agents. We deduce from this idea the following informal observation:

Observation 13 In signature BNRA, when an agent receives a message, it can compare the value of the message only with those of previously received messages, i.e., check whether the sender is the same.

If we want to turn a local run u of an agent a into an actual run, we must match a's receptions with broadcasts. Because of Observation 13, what matters is not the actual values of the receptions in u but which ones are equal to which. Therefore, for a value v received in u, if m<sup>1</sup> . . . m<sup>k</sup> ∈ M<sup>∗</sup> are the message types received in u with value v, in this order, then to execute u, a needs another agent a′ to broadcast message types m<sup>1</sup> to m<sup>k</sup>, all with the same value. We describe what an agent needs from other agents as a set of specifications, which are words of M<sup>∗</sup>.

Parameterized broadcast networks with registers 257

Fig. 2: Example of a signature protocol.

To represent runs, we consider unfolding trees that abstract runs by representing such specifications, the dependencies between them and how they are carried out. In this tree, each node is assigned a local run and the specification that it carries out. Thanks to copycat arguments, we will in fact be able to duplicate agents so that each agent accomplishes only one task, hence the tree structure.

Definition 14. An unfolding tree τ over P is a finite tree where nodes µ have three labels:

– a local run lr(µ);
– a specification spec(µ) ∈ M<sup>∗</sup>;
– a value val(µ) ∈ N.
Moreover, all nodes µ in τ must satisfy the three following conditions:

(i) the values received in lr(µ) are non-initial;
(ii) spec(µ) ⪯ Outval(µ)(lr(µ));
(iii) for every value v received in lr(µ), µ has a child µ′ such that Inv(lr(µ)) ⪯ spec(µ′).
Lastly, given an unfolding tree τ, we define its size by |τ| := Σµ∈τ |µ| where |µ| := |lr(µ)| + |spec(µ)|. Note that the size of τ takes into account the size of its nodes, so that a tree τ can be stored in space polynomial in |τ| (renaming the values appearing in τ if needed).

We explain this definition. Condition (i) enforces that the local run cannot cheat by receiving its own initial values. Condition (ii) expresses that lr(µ) broadcasts (at least) the messages of spec(µ). We can use the subword relation ⪯ (instead of equality) because messages do not have to be received. Condition (iii) expresses that, for each value v received in the local run lr(µ), µ has a child that is able to broadcast the sequence of messages that lr(µ) receives with value v.

Example 15. Figure 2 provides an example of a signature protocol. Let A = {a1, a2, a3}. We denote a configuration γ by ⟨st(γ)(a1),(data(γ)(a1)), st(γ)(a2),(data(γ)(a2)), st(γ)(a3),(data(γ)(a3))⟩. Irrelevant register values are denoted by ' '. Let ρ be the run over A with initial configuration ⟨q0,(1, , ), q0,(2, , ), q0,(3, , )⟩ where the following occurs:

Fig. 3: Example of an unfolding tree derived from ρ. Grids correspond to local runs; a column of a grid is a local configuration. Transition δij is the transition between state q<sup>i</sup> and state q<sup>j</sup>; for example, δ<sup>01</sup> = (q0, rec(rdy, 2, ↓), q1). If δ is a reception of m ∈ M, ext(δ, v) corresponds to receiving message (m, v); if δ is a broadcast of m ∈ M, int(δ) corresponds to broadcasting (m, id) where id is the value in the first register of the agent. Initial values of reception-only registers are irrelevant and written as ' '. Colors correspond to message types.


Figure 3 provides an unfolding tree derived from ρ by applying a procedure introduced later. Because agents a<sup>2</sup> and a<sup>3</sup> broadcast to several other agents, they each correspond to several nodes of the tree.

We explain why this tree is an unfolding tree. Condition (i) is trivially satisfied. Condition (ii) holds at every node because the local run of each node broadcasts exactly the specification of the node. Condition (iii) is satisfied at µ1: In2(lr(µ1)) = rdy · go = spec(µ2) and In3(lr(µ1)) = rdy · hlt = spec(µ3). It is also satisfied at µ<sup>2</sup>, µ<sup>3</sup> and µ<sup>5</sup> because their local runs only receive rdy and they each have a child with specification rdy. It is trivially satisfied at µ<sup>4</sup> and µ<sup>6</sup> as their local runs have no receptions. ⊓⊔

Lemma 16. Given a signature protocol P with a state q<sup>f</sup>, q<sup>f</sup> is coverable in P if and only if there exists an unfolding tree whose root is labelled by a local run covering q<sup>f</sup>. We call such an unfolding tree a coverability witness.

Proof. Given a run ρ, agent a satisfies a specification w ∈ M<sup>∗</sup> in ρ if the sequence of message types broadcast by a admits w as a subword.

Let τ be a coverability witness. We prove the following property by strong induction on the depth of µ: for every µ in τ, there exists a run ρ with an agent a whose local run in ρ is lr(µ) and who satisfies specification spec(µ). This is trivially true for leaves of τ because their local runs have no receptions (by condition (iii)), hence are actual runs by themselves. Let µ be a node of τ, u := lr(µ) and v1, . . . , v<sup>c</sup> the values received in u. These values are non-initial thanks to condition (i); applying condition (iii) gives the existence of corresponding children µ1, . . . , µ<sup>c</sup> in τ. We apply the induction hypothesis on the subtrees rooted in µ1, . . . , µ<sup>c</sup> to obtain runs ρ1, . . . , ρ<sup>c</sup> satisfying the specifications of the children of µ. Up to renaming agents, we can assume that the sets of agents of these runs are disjoint; up to renaming values, we can assume that v<sup>j</sup> = val(µ<sup>j</sup>) for all j and that all agents start with distinct values. We build an initial run ρ whose set of agents is the union of the agents of the c runs along with a fresh agent a. In ρ, we make ρ<sup>1</sup> to ρ<sup>c</sup> progress in parallel and make a follow the local run u, matching each reception with value v<sup>j</sup> in u with a broadcast in ρ<sup>j</sup>. This is possible because, for all j, Inv<sup>j</sup>(u) ⪯ spec(µ<sup>j</sup>) ⪯ Outv<sup>j</sup>(ρ<sup>j</sup>) (by (ii)).

Conversely, we prove the following by induction on the length of ρ: for every initial run ρ, for every agent a in ρ and for every v ∈ N, there exists an unfolding tree whose root has as local run the projection of ρ onto a and as specification the v-output of a in ρ. If ρ is the empty run, consider the unfolding tree with a single node whose local run and specification are empty. Suppose now that ρ has non-zero length, let a be an agent in ρ, v ∈ N, and let ρ<sup>p</sup> be the prefix run of ρ of length |ρ| − 1. Let τ<sup>1</sup> be the unfolding tree obtained by applying the induction hypothesis to ρp, a and v, and consider τ<sup>2</sup> obtained by simply appending the last step of a in ρ to the local run at the root of τ1. If this last step is a broadcast, we obtain an unfolding tree; if the broadcast value is v, we append the broadcast message type to the specification at the root of τ<sup>2</sup> and we are done. Suppose now that, in the last step of ρ, a performs a reception (q, rec(m, i, α), q′) of a message (m, v′). We might need to adapt τ<sup>2</sup> to respect condition (iii) at the root. Let a′ be the agent broadcasting in the last step of ρ. Let τ<sup>3</sup> be the unfolding tree obtained by applying the induction hypothesis to ρp, a′ and v′. Let τ<sup>4</sup> be the unfolding tree obtained by appending the last broadcast to the local run at the root of τ<sup>3</sup> and the corresponding message type to the specification at the root of τ3. Attaching τ<sup>4</sup> below the root of τ<sup>2</sup> gives an unfolding tree satisfying the desired properties. ⊓⊔

The unfolding tree τ of Figure 3 is built from the run ρ of Example 15 using the previous procedure. Observe that the unfolding tree τ is a coverability witness for q4. However, one can find a smaller coverability witness. Indeed, in the right branch of τ, µ<sup>5</sup> and µ<sup>6</sup> have the same specification, therefore µ<sup>5</sup> can be deleted and replaced with µ6. More generally, we could also have shortened the tree if we had spec(µ5) ⪯ spec(µ6).

Remark 17. With the previous notion of coverability witness, the root has to cover q<sup>f</sup> but may have an empty specification. However, we will later need the length of the specification of a node to be equal to the number of tasks that it must carry out. For this reason, we will, in the rest of this paper, consider that the roots of coverability witnesses have a specification of length 1. This can be formally achieved by introducing a new message type m<sup>f</sup> that may only be broadcast from q<sup>f</sup> and requiring that, at the root, spec = m<sup>f</sup>.

## 3.3 Bounding the Size of a Coverability Witness

In all of the following, we fix a positive instance (P, q<sup>f</sup>) of Cover with r+1 registers (i.e., r registers used for reception) and a coverability witness τ of minimal size. We turn the observation above into an argument that will be useful towards bounding the length of the branches of a coverability witness:

Lemma 18. If a coverability witness τ for (P, q<sup>f</sup>) of minimal size has two nodes µ, µ′ with µ a strict ancestor of µ′, then spec(µ) cannot be a subword of spec(µ′).

Proof. Otherwise, replacing the subtree rooted in µ with the one rooted in µ′ would contradict the minimality of τ. ⊓⊔

We would now like to use the Length function theorem to bound the height of τ, using the previous lemma. To do so, we need a bound on the size of a node with respect to its depth. The following lemma bounds the number of steps of a local run between two local configurations: we argue that if the local run is long enough, we can replace it with a shorter one that can be executed using the same input. This will in turn bound the length of the local run of a node with respect to the size of its specification, which is the first step towards our goal.

Lemma 19. There exists a primitive recursive function ψ such that, for every local run u : (q, ν) −→<sup>∗</sup> (q′, ν′), there exists a local run u′ : (q, ν) −→<sup>∗</sup> (q′, ν′) with |u′| < ψ(|P|, r) such that, for every value v′ ∈ N, there exists v ∈ N with Inv′(u′) ⪯ Inv(u).

Proof. Let ψ(n, 0) = n + 1 and ψ(n, k + 1) = 2ψ(n, k) · (|∆|<sup>2ψ(n,k)</sup> + 1) + 1 for all k. Observe that ψ(n, k) is a tower of exponentials of height k, which is primitive recursive although non-elementary. A register i ≥ 2 is active in a local run u if u has some '↓' action on register i. Let u be a local run, k the number of active registers in u, n := |P| and M := ψ(n, k). We prove by induction on the number k of active registers in u that if |u| ≥ ψ(n, k) then u can be shortened.

If k = 0, any state repetition can be removed. Suppose that |u| > ψ(n, k + 1) and that the set I of active registers of u is such that |I| = k + 1. If there exists an infix run of u of length M with only k active registers, we shorten u using the induction hypothesis. Otherwise, every sequence of M steps in u has a '↓' on every register of I. Because |u| > 2M(|∆|<sup>2M</sup> + 1), u contains at least |∆|<sup>2M</sup> + 1 disjoint sequences of length 2M, and some s ∈ ∆<sup>2M</sup> appears twice: first in an infix run u<sup>1</sup>, then in an infix run u2. We build a shorter run u′ by removing all steps between u<sup>1</sup> and u<sup>2</sup> and merging u<sup>1</sup> and u<sup>2</sup> (see Fig. 4). We need suitable values

Fig. 4: Illustration of the proof of Lemma 19.

for the reception steps in s in the shortened run u′. For a given register i ∈ I, we would like to pick a '↓' step on register i in s, use values from u<sup>1</sup> before that step and values from u<sup>2</sup> after that step. This would guarantee that all equality and disequality tests still pass. However, there is an issue if a value v appears in several registers in u. For example, if v<sup>1</sup> = v<sup>2</sup> = v in Figure 4, we might interleave receptions of v on registers 2 and 4: if we had an ext(rec(m1, 2, =), v) in u<sup>1</sup> and an ext(rec(m2, 4, =), v) in u2, we could have m<sup>1</sup> before m<sup>2</sup> in Inv(u) but m<sup>1</sup> after m<sup>2</sup> in Inv(u′), so that we do not have Inv(u′) ⪯ Inv(u). We solve this issue by introducing fresh values between the values of u<sup>1</sup> and the values of u2; because |s| = 2M, there is a '↓' for each register of I in each half of s. In the shortened run u′, before the first '↓' on register i (excluded), we use values of u1, and after the last '↓' on register i (included), we use values of u2. For every value v appearing in register i between these two steps in u1, we select a fresh value v<sup>f</sup> (i.e., a value that does not appear anywhere in the run) and consistently replace v with v<sup>f</sup> (hatched blocks in Fig. 4). With this technique, receptions with values from u<sup>1</sup> and receptions with values from u<sup>2</sup> cannot get interleaved in u′. Therefore, for every value v that appeared in u, we have Inv(u′) ⪯ Inv(u). Also, for every fresh value v′ there is a value v such that Inv′(u′) ⪯ Inv(u). Moreover, u′ is shorter than u; we conclude by iterating this shortening procedure. ⊓⊔
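To get a feel for the growth of ψ, one can compute small values directly; the Python sketch below replaces |∆| by n (a simplifying assumption of ours, justified since the number of transitions is bounded by the protocol size) so that ψ depends only on n and k:

```python
def psi(n, k):
    """ψ(n, 0) = n + 1 and ψ(n, k+1) = 2ψ(n, k)·(|∆|^{2ψ(n,k)} + 1) + 1,
    with |∆| replaced by n for illustration."""
    if k == 0:
        return n + 1
    p = psi(n, k - 1)
    return 2 * p * (n ** (2 * p) + 1) + 1

# A tower of exponentials of height k: astronomical already for tiny inputs.
assert psi(2, 0) == 3
assert psi(2, 1) == 2 * 3 * (2 ** 6 + 1) + 1   # = 391
assert psi(2, 2) > 2 ** 700                     # the factor n^(2·391) dominates
```

This non-elementary but primitive recursive growth is what later feeds into the Length function theorem.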

Using the previous lemma, we will bound the size of a node in τ with respect to its specification, and therefore with respect to its parent's size. By induction, we will then obtain a bound depending on the depth, and apply the Length function theorem to bound the height of the tree.

Lemma 20. For all nodes µ, µ′ in τ :

1. |lr(µ)| ≤ ψ(|P|, r) · |spec(µ)|;
2. if µ′ is the parent of µ, then |spec(µ)| ≤ ψ(|P|, r) · |spec(µ′)|.
Proof. Thanks to Remark 17, we may assume that the specification at the root is of length 1. For the first item, by minimality of τ, lr(µ) ends with the last broadcast required by spec(µ); we identify in lr(µ) the broadcast steps witnessing spec(µ) and shorten the local run between these steps using Lemma 19. We thus obtain |lr(µ)| ≤ ψ(|P|, r)·|spec(µ)|, proving 1. For the second item, by minimality of τ, |spec(µ)| ≤ maxv∈N |Inv(lr(µ′))| ≤ |lr(µ′)| ≤ ψ(|P|, r)·|spec(µ′)|. ⊓⊔

Proposition 21. There exists a function f of class Fω<sup>|M|−1</sup> s.t. |τ| ≤ f(|P|).

Proof. Let n := |P| and let r + 1 be the number of registers in P. Thanks to Lemma 18, for all µ ≠ µ′ in τ with µ an ancestor of µ′, spec(µ) is not a subword of spec(µ′). Let µ1, . . . , µ<sup>m</sup> be the nodes appearing in a branch of τ, from root to leaf. The sequence spec(µ1), . . . , spec(µm) is then a bad sequence. For all i ∈ [1, m], |spec(µi+1)| ≤ ψ(n, r)·|spec(µi)| by Lemma 20. By direct induction, |spec(µi)| is bounded by g<sup>(i)</sup>(n) where g : n ↦ n·ψ(n, n) is a primitive recursive function. Let h of class Fω<sup>|M|−1</sup> be the function obtained when applying the Length function theorem to g and M; we have m ≤ h(n).

By immediate induction, thanks to Lemma 20.2, every node µ at depth d satisfies |spec(µ)| ≤ ψ(n, r)<sup>d+1</sup>, which, by Lemma 20.1 and because d ≤ h(n), bounds the size of every node by h′(n) := ψ(n, n)<sup>h(n)+2</sup>. By minimality of τ, the number of children of a node is bounded by the number of values appearing in its local run, hence by h′(n), so the total number of nodes in τ is bounded by h′(n)<sup>h(n)+1</sup> and the size of τ by f(n) := h′(n)<sup>h(n)+2</sup>. Because Fω<sup>|M|−1</sup> is closed under composition with primitive recursive functions, f is in Fω<sup>|M|−1</sup>. ⊓⊔

The previous argument shows that Cover for signature protocols is decidable and lies in complexity class Fω<sup>ω</sup> . Because the hardness from Proposition 11 holds for signature protocols, Cover is in fact complete for this complexity class.

We now extend this method to the general case.

## 4 Coverability Decidability in the General Case

#### 4.1 Generalizing Unfolding Trees

In the general case, a new phenomenon appears: an agent may broadcast a value that it did not initially have but that it has received and stored. In particular, an agent starting with value v could broadcast v and then require someone else to make a broadcast with value v as well. For example, in the run described in Example 4, 1 is initially a value of a<sup>1</sup> that a<sup>2</sup> receives and rebroadcasts to a<sup>1</sup>.

We now have two types of specifications. Boss specifications describe the task of broadcasting with one of the agent's own initial values; this is the specification we had in signature protocols and, as before, it consists of a word bw ∈ M<sup>∗</sup> describing a sequence of message types that should all be broadcast with the same value. Follower specifications describe the task of broadcasting with a non-initial value received previously. More precisely, a follower specification is a pair (fw, fm) ∈ M<sup>∗</sup> × M asking to broadcast a message (fm, v) under the condition of previously receiving the sequence of message types fw with value v.

A key idea is that, if an agent that had v initially receives some message (m, v), then intuitively we can isolate a subset of agents that did not have v initially but that are able to broadcast (m, v) after receiving a sequence of messages with that value. We can then copy them many times in the spirit of the copycat principle. Each copy receives the necessary sequence of messages in parallel, and they then provide us with an unbounded supply of messages (m, v). In short, if an agent broadcasts (m, v) while not having v as an initial value, then we can consider that we have an unlimited supply of messages (m, v).

Example 22. Assume that A = {a1, a2, a3} and let v be initial for a1. Consider an execution where the broadcasts with value v are: a<sup>1</sup> broadcasts a · b, then a<sup>2</sup> broadcasts c, then a<sup>1</sup> broadcasts a<sup>3</sup>, then a<sup>3</sup> broadcasts b. The follower specification of a2's task would be of the form (w, c) where w ⪯ a · b: a<sup>2</sup> must be able to broadcast (c, v) once a · b has been broadcast with value v. By contrast, a3's follower specification would be of the form (w · w′, b) where w ⪯ a · b and w′ ∈ {a, c}<sup>∗</sup> is a subword of a<sup>3</sup> enriched with as many c as desired, because a<sup>2</sup> may be cloned at will. For example, one could have w = b and w′ = c·a·c<sup>4</sup>·a·c<sup>2</sup>. This idea is formalized in the full version of the paper with the notion of decomposition. Using this notion, the previous condition becomes: w · w′ admits decomposition (a · b, c, a<sup>3</sup>). ⊓⊔
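For this specific instance, the condition can be checked mechanically; the following Python sketch hardcodes the situation of Example 22 (the function name and encoding are ours, and this illustrates only this instance, not the general notion of decomposition from the full version):

```python
def is_subword(w1, w2):
    """w1 ⪯ w2 in the subword ordering."""
    it = iter(w2)
    return all(c in it for c in w1)

def admits_example22_decomposition(word):
    """Does `word` split as w·w2 with w ⪯ ab and w2 a subword of
    a^3 enriched with arbitrarily many c's?"""
    for cut in range(len(word) + 1):
        w, w2 = word[:cut], word[cut:]
        if (is_subword(w, "ab")
                and set(w2) <= {"a", "c"}     # only a's and c's after the cut
                and w2.count("a") <= 3):      # at most the three a's of a^3
            return True
    return False

# w = b and w' = c·a·c^4·a·c^2, as in the example:
assert admits_example22_decomposition("b" + "ca" + "cccc" + "a" + "cc")
assert not admits_example22_decomposition("bb")  # a second b cannot be matched
```

The unbounded number of c's reflects the cloning of a<sup>2</sup> via the copycat principle.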

In our new unfolding trees, a node is either a boss node or a follower node, depending on its type of specification. A boss node with a boss specification bw must broadcast this sequence of message types with one of its initial values. A follower node µ with follower specification (fw, fm) is allowed to receive the sequence of messages fw with value val(µ) (which must be non-initial) without it being broadcast by its children. The other conditions are similar to the ones for signature protocols: if µ is a node and v ≠ val(µ) a non-initial value received in its local run, µ must have a boss child broadcasting this word. Moreover, for each (m, v) received where v is an initial value of the local run, µ must have a follower child that is able to broadcast (m, v) after receiving the messages sent previously with value v; the formal statement is more technical because it takes into account the observation of Example 22. The formal definition of unfolding trees is given in the full version.

Example 23. Figure 5 depicts the unfolding tree associated with a<sup>1</sup> in the run of Example 4. Follower node µ<sup>3</sup> can have an m<sup>2</sup> reception that is not matched by its children because m<sup>2</sup> is in fw(µ3). µ<sup>1</sup> broadcasts (m2, 1) before receiving (m4, 1), hence the follower specification of µ<sup>3</sup> witnesses the broadcast of (m4, 1). ⊓⊔

A coverability witness is again an unfolding tree whose root covers q<sup>f</sup> (or broadcasts a message m<sup>f</sup> , see Remark 17), with the extra condition that the root is a boss node (a follower node implicitly relies on its parent's ability to broadcast).

Proposition 24. An instance of Cover (P, q<sup>f</sup> ) is positive if and only if there exists a coverability witness for that instance.

264 L. Guillou, C. Mascle, N. Waldburger

Fig. 5: Example of an unfolding tree. δri (resp. δbi) denotes the reception (resp. broadcast) transition of message m<sup>i</sup> in the protocol described in Fig. 1. Values that are never broadcast are omitted and written as ' '.

Proof sketch. The proof is quite similar to that of Lemma 16, but is made more technical by the addition of follower nodes. When translating an unfolding tree into a run, if the root of the tree is a follower node µ with specification (fw, fm), then we actually obtain a partial run, i.e., a run except that the receptions from fw are not matched by broadcasts in the run. We then combine this partial run with the run corresponding to the parent of µ and with the runs of the other children of µ so that every reception is matched with a broadcast. For the translation from run to tree, we inductively construct the tree by extracting from the run the agents and values responsible for satisfying the specifications of each node and analyzing the messages they receive to determine their set of children (as in Example 22). ⊓⊔

Bounding the Size of the Unfolding Tree. Our aim is again to bound the size of a minimal coverability witness. In the following, we fix an instance (P, q<sup>f</sup>) with r registers and a coverability witness τ of minimal size. We start by providing new conditions under which a branch can be shortened; for boss specifications, it is the condition of Lemma 18, but for follower specifications the subword relation goes in the opposite direction, because the shorter the requirement fw, the better.

Lemma 25. Let µ ̸= µ ′ be two nodes of τ such that µ is an ancestor of µ ′ . If one of those conditions holds, then τ can be shortened (contradicting its minimality):

– µ and µ′ are both boss nodes and bw(µ) ⪯ bw(µ′);
– µ and µ′ are both follower nodes, fm(µ) = fm(µ′) and fw(µ′) ⪯ fw(µ).
We can generalize Lemma 19 to bound the size of a node by the number of messages that it must broadcast times a primitive-recursive function ψ(|P|, r). The proof is more technical than the one of Lemma 19 but the idea is essentially

Fig. 6: Rearrangement of a tree. The root is in red, black solid arrows connect parents to children, blue dashed arrows highlight that long words of messages are sent upwards.

the same. The formal statement is given below. One can therefore bound the size of a node with respect to the size of the nodes that it must broadcast to.

Lemma 26. There exists a primitive recursive function ψ such that, for every protocol P with r registers and all local runs u<sup>0</sup> : (q0, ν0) −→<sup>∗</sup> (q, ν), u : (q, ν) −→<sup>∗</sup> (q′, ν′), u<sup>f</sup> : (q′, ν′) −→<sup>∗</sup> (q<sup>f</sup>, ν<sup>f</sup>), there exists a local run u′ : (q, ν) −→<sup>∗</sup> (q′, ν′) with |u′| ≤ ψ(|P|, r) and for all v′ ∈ N:


It is, however, now much harder than in the signature case to bound the size of the coverability witness. Indeed, broadcasts no longer go only from children to parents in the unfolding tree. If µ<sup>p</sup> is the parent of µc, then µ<sup>c</sup> broadcasts to µ<sup>p</sup> if µ<sup>c</sup> is a boss node, but µ<sup>p</sup> broadcasts to µ<sup>c</sup> if µ<sup>c</sup> is a follower node, in which case µ<sup>c</sup> only broadcasts one message to µ<sup>p</sup>. Therefore, we cannot in general bound |µp| with respect to |µc| nor |µc| with respect to |µp|, which prevents us from applying the Length function theorem immediately.

This leads us to rearrange the unfolding tree so that long broadcast sequences are sent upwards, using the notion of altitude depicted in Figure 6 and formally defined as follows. The altitude of the root is 0, the altitude of a boss node is the altitude of its parent minus one, and the altitude of a follower node is the altitude of its parent plus one. We denote the altitude of µ by alt(µ). This way, the nodes of maximal altitude are the ones that do not need to send long sequences of messages. We will bound the size of nodes with respect to their altitude, from the highest to the lowest, and then use the Length function theorem to bound the maximal and minimal altitudes. We present here a sketch of the proof.
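The altitude computation itself is a simple tree traversal; a Python sketch under our own tree encoding (a node as a pair (kind, children), with kind in {"boss", "follower"}):

```python
def altitudes(tree):
    """Root has altitude 0; a boss child sits one below its parent,
    a follower child one above. Nodes are addressed by child-index paths."""
    alts = {}
    def walk(node, alt, path):
        alts[path] = alt
        _kind, children = node
        for i, child in enumerate(children):
            delta = -1 if child[0] == "boss" else +1
            walk(child, alt + delta, path + (i,))
    walk(tree, 0, ())
    return alts

# Root with a boss child and a follower child that has a boss child:
t = ("boss", [("boss", []), ("follower", [("boss", [])])])
alts = altitudes(t)
assert alts[()] == 0
assert alts[(0,)] == -1      # boss child: one below the root
assert alts[(1,)] == 1       # follower child: one above the root
assert alts[(1, 0)] == 0     # boss grandchild: 1 - 1 = 0
```

Note that the root's own kind plays no role: only the edges, i.e., the kinds of the children, shift the altitude.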

Let altmax ≥ 0 (resp. altmin ≤ 0) denote the maximum (resp. minimum) altitude in τ. We first bound the size of a node with respect to the difference between its altitude and altmax.

Lemma 27. There is a primitive recursive function f<sup>0</sup> such that, for every node µ of τ , |µ| ≤ f0(|P| + altmax − alt(µ)).

Proof sketch. We proceed by induction on the altitude, from highest to lowest. A node of maximal altitude has at most one message to broadcast (a follower node must broadcast one message to its parent), so its size is bounded by ψ(|P|, r) by Lemma 26 (applying the lemma to its local run minus its final step, i.e., the step making the broadcast to its parent). Let µ be a node of τ whose neighbors of higher altitude all have size bounded by K. We claim that |µ| ≤ (ψ(|P|, r) + 2)(|M|·r·K + K), with ψ the primitive recursive function defined in Lemma 26. The idea is similar to the one for Lemma 20. The neighbors of higher altitude are the nodes that require sequences of messages from µ. Their sizes bound the number of messages that µ needs to send; we then apply Lemma 26 to bound the size of the local run of µ. We finally obtain f<sup>0</sup> by iteratively applying the inequality above. ⊓⊔

We now bound altmax and altmin:

Lemma 28. altmax and |altmin| are bounded by a function of class Fω<sup>|M|</sup>.

Proof sketch. We first bound altmax. Consider a branch of τ that has a node at altitude altmax. We follow this branch from the root to a node of altitude altmax: for every j ∈ [1, altmax], let µ<sup>j</sup> be the first node of the branch that has altitude j. All such nodes are necessarily follower nodes, as they are above their parents. The sequence µaltmax, . . . , µ2, µ<sup>1</sup> is such that its i-th term is at altitude altmax − i, hence its size is bounded by f0(|P| + i) (Lemma 27). With the observation of Lemma 25, we retrieve from the follower specifications of this sequence of nodes a bad sequence, and we apply the Length function theorem to bound altmax. This in turn yields a bound on the size of the root of τ. In order to bound |altmin|, we proceed similarly, using boss nodes this time. We follow a branch from the root to a node of altitude altmin. The sequence of nodes that are lower than all previous ones yields a sequence of boss specifications, which is a bad sequence by Lemma 25, and whose growth can be bounded using Lemma 27 and the bound on altmax. We apply the Length function theorem to bound |altmin|. ⊓⊔

Once we have bounded altmax and altmin, we can infer a bound on the size of all nodes (Lemma 27), and then on the length of branches: by minimality, a branch cannot have two nodes with the same specification. The bound on the size of the tree then follows from the observation that bounding the size of the nodes of τ also allows us to bound their number of children.

We obtain a computable bound (of class Fω<sup>ω</sup>) on the size of a minimal coverability witness if one exists. Our decidability procedure computes that bound, enumerates all trees of size below the bound and checks for each of them whether it is a coverability witness. This yields the main result of this paper:

Theorem 12. Cover for BNRA is decidable and Fω<sup>ω</sup> -complete.

#### 4.2 Undecidability of the Target Problem

A natural next problem, after Cover, is the target problem (Target). Our Cover procedure heavily relies on the ability to add agents at no cost. For Target, we need to guarantee that those agents can then reach the target state, which makes the problem harder. In fact, Target is undecidable, which indicates that our model lies at the frontier of decidability.

Proposition 29. Target is undecidable for BNRA, even with two registers.

Proof sketch. We simulate a Minsky machine with two counters. As in Proposition 11, each agent starts by storing some other agent's identifier, called its "predecessor". It then only accepts messages from its predecessor. As there are finitely many agents, the predecessor graph contains a cycle.
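The existence of a cycle in the predecessor graph is a simple pigeonhole observation: each agent points to exactly one predecessor, so following predecessor links from any starting agent over a finite set must eventually revisit an agent. A minimal illustration (agent identifiers and the `find_cycle` helper are ours, not part of the construction):

```python
def find_cycle(pred):
    """Follow predecessor links from some agent until an agent repeats.
    `pred` maps each agent to its unique predecessor; since the set of
    agents is finite, the walk must eventually revisit an agent, and the
    suffix of the walk from that agent onward is a cycle."""
    a = next(iter(pred))
    seen = []
    while a not in seen:
        seen.append(a)
        a = pred[a]
    return seen[seen.index(a):]  # the agents forming the cycle

# Example: 0 -> 2 -> 1 -> 2, so agents 2 and 1 form a cycle.
print(find_cycle({0: 2, 1: 2, 2: 1}))  # [2, 1]
```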

Within a cycle, we use the fact that all agents must reach state q<sub>f</sub> to simulate a run of the machine faithfully: agents alternate between receptions and broadcasts so that, in the end, they have received and sent the same number of messages, implying that no message has been lost along the cycle. We then simulate the machine by having one agent (the leader) choose transitions while the others encode the counter values, each memorizing a counter (1 or 2) and a binary value (0 or 1). For instance, an increment of counter 1 takes the form of a message propagated along the cycle from the leader until it finds an agent simulating counter 1 with bit 0. This agent switches its bit to 1 and sends an acknowledgment that propagates back to the leader. ⊓⊔
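The increment gadget can be conveyed by a toy rendering that abstracts the message relay into a single scan along the cycle; the encoding below (a list of `(counter, bit)` pairs in cycle order) is illustrative only, not the paper's construction:

```python
def increment(ring, counter):
    """Propagate an increment request for `counter` along the cycle until
    an agent simulating that counter with bit 0 is found; that agent flips
    its bit to 1, and the acknowledgment travels back to the leader.
    `ring` holds the (counter, bit) pairs of the non-leader agents in cycle
    order.  Returns True iff the acknowledgment comes back."""
    for i, (c, bit) in enumerate(ring):
        if c == counter and bit == 0:
            ring[i] = (c, 1)   # this agent now represents one more unit
            return True        # ack propagates back along the cycle
    return False               # every agent for `counter` already holds 1

ring = [(1, 0), (2, 0), (1, 0)]
increment(ring, 1)             # first counter-1 agent flips its bit
print(ring)                    # [(1, 1), (2, 0), (1, 0)]
```

A decrement works symmetrically (flipping a bit from 1 back to 0), and a zero-test corresponds to the request travelling the whole cycle without finding a bit set to 1.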

## 5 Cover in 1-BNRA

In this section, we establish the NP-completeness of the restriction of Cover to BNRA with one register per agent, called 1-BNRA. Here we simply sketch the key observations that allow us to abstract runs into short witnesses, leading to an NP algorithm for the problem.

In 1-BNRA, thanks to the copycat principle, any message can be broadcast with a fresh value; therefore one can always circumvent '≠' tests. The main remaining challenge for 1-BNRA is thus '=' tests upon reception. For this reason, we look at clusters of agents that share the value in their registers.

Consider a run in which some agent a reaches some state q; we can duplicate a many times to obtain an unlimited supply of agents in state q. Now assume that, at some point in the run, agent a stored a received value. Consider the last storing action performed by a: a was in a state q<sub>1</sub> and performed transition (q<sub>1</sub>, rec(m, 1, ↓), q<sub>2</sub>) upon reception of a message (m, v). Because, thanks to the copycat principle, we can assume an unlimited supply of agents in q<sub>1</sub>, we can make as many agents as we want take transition (q<sub>1</sub>, rec(m, 1, ↓), q<sub>2</sub>) at the same time as a, by receiving the same message (m, v). These new agents end up in q<sub>2</sub> with value v, and then follow a along every transition until they all reach q, still with value v. In summary, because a has stored a value in the run, we can obtain an unlimited supply of agents in state q with the same value as a.

Following these observations, we define an abstract semantics with abstract configurations of the form (S, b, K), where S, K ⊆ Q and b ∈ Q ∪ {⊥}. The first component S is a set of states that we know we can cover (hence we can assume that there are arbitrarily many agents in each of these states). We start with S = {q<sub>0</sub>} and try to enlarge it. To do so, we use the two other components (the gang) to keep track of the set of agents sharing a value v: b (the boss) is the state of the agent that had that value at the start, and K (the clique) is the set of states covered by other agents with that value. As mentioned above, we may assume that every state of K is filled with as many agents with value v as we need. We then define abstract steps that simulate the steps of the agents holding the value we are following. When they cover states outside of S, we may add those states to S, reset b to q<sub>0</sub> and K to ∅, and start following another value. We can bound the length of relevant abstract runs, and thus use them as witnesses for our NP upper bound.
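The shape of this abstract semantics can be sketched with a small data-structure skeleton. The concrete abstract-step relation is deliberately elided; only the initialization, the start of a gang, and the "promote and reset" rule are shown, and all names here are our own illustration rather than the paper's formalization:

```python
from typing import FrozenSet, Optional, Tuple

State = str
# An abstract configuration (S, b, K): covered states, boss state, clique.
AbsConf = Tuple[FrozenSet[State], Optional[State], FrozenSet[State]]

def initial(q0: State) -> AbsConf:
    # Start with S = {q0} and no tracked value (b = ⊥, K = ∅).
    return (frozenset({q0}), None, frozenset())

def start_gang(conf: AbsConf, q0: State) -> AbsConf:
    # Begin following a fresh value: its boss starts in q0, clique empty.
    S, _, _ = conf
    return (S, q0, frozenset())

def promote(conf: AbsConf, q0: State) -> AbsConf:
    """When the tracked gang covers states outside S, add them to S and
    reset the gang, so that another value can be followed next."""
    S, b, K = conf
    covered = K | ({b} if b is not None else frozenset())
    if covered <= S:
        return conf
    return (S | covered, q0, frozenset())
```

An NP witness is then a short sequence of such abstract steps; bounding the length of the relevant sequences is what makes guess-and-check feasible.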

The NP lower bound follows from a reduction from 3SAT. An agent a sends a sequence of messages representing a valuation, together with its identifier, to other agents, who play the role of an external memory by broadcasting the valuation back. This then allows a to check the satisfaction of a 3SAT formula.

Theorem 30. The coverability problem for 1-BNRA is NP-complete.

## 6 Conclusion

We established the decidability (and F<sub>ω<sup>ω</sup></sub>-completeness) of the coverability problem for BNRA, as well as the NP-completeness of the problem for 1-BNRA. Concerning future work, one may want to push decidability further, for instance by enriching our protocols with inequality tests, as done in classical models such as data nets [15]. Reductions of other distributed models to this one are also being studied.

Acknowledgements. We are grateful to Arnaud Sangnier for encouraging us to work on BNRA, for the discussions about his work in [10] and for his valuable advice. We also thank Philippe Schnoebelen for the interesting discussion and Sylvain Schmitz for the exchange on the complexity class F<sub>ω<sup>ω</sup></sub> and related topics.

## References



## **Author Index**

#### **A**

Accattoli, Beniamino II-24
Almagor, Shaull I-191, II-229
Austin, Pete I-79
Avni, Guy II-229

#### **B**

Baillot, Patrick II-70
Basold, Henning I-121
Birkmann, Fabian I-144
Blot, Valentin II-3
Bose, Sougata I-79

#### **C**

Comer, Jesse II-137
Czerner, Philipp II-116

#### **D**

Dafni, Neta I-191
Dal Lago, Ugo II-70
Dowek, Gilles II-3
Doyen, Laurent I-34
Draghici, Andrei II-185

#### **E**

Esparza, Javier II-116

#### **F**

Frohn, Florian II-206

#### **G**

Gaba, Pranshu I-34
Geatti, Luca II-95
Giesl, Jürgen II-206
Goncharov, Sergey II-47
Guha, Shibashis I-34
Guillou, Lucie II-250

#### **H**

Haase, Christoph II-185
Hausmann, Daniel I-13, I-55

#### **J**

Jacobs, Bart I-101
Jankola, Marek I-234

#### **K**

Kassing, Jan-Christoph II-206
Kop, Cynthia II-70
Krasotin, Valentin II-116
Kupferman, Orna I-256

#### **L**

Laarman, Alfons I-121
Lancelot, Adrienne II-24
Lehaut, Mathieu I-55
Leroux, Jérôme I-3
Leshkowitz, Ofer I-256

#### **M**

Mansutti, Alessio II-95
Mascle, Corto II-250
Milius, Stefan I-144
Montanari, Angelo II-95

#### **P**

Piterman, Nir I-13, I-55
Prakash, Aditya I-212

#### **R**

Ryzhikov, Andrew II-185

#### **S**

Sağlam, Irmak I-13
Samuelson, Richard I-166
Santamaria, Alessio II-47
Saville, Philip II-160
Schmuck, Anne-Kathrin I-13
Schröder, Lutz II-47
Shamash Halevy, Naama I-256
Sinclair-Banks, Henry II-229
Stein, Dario I-166
Strejček, Jan I-234

© The Editor(s) (if applicable) and The Author(s) 2024 N. Kobayashi and J. Worrell (Eds.): FoSSaCS 2024, LNCS 14575, pp. 271–272, 2024. https://doi.org/10.1007/978-3-031-57231-9

#### **T**

ten Cate, Balder II-137
Totzke, Patrick I-79
Traversié, Thomas II-3
Tsampas, Stelios II-47

#### **U**

Urbat, Henning I-144, II-47

#### **V**

Vale, Deivid II-70
Villoria, Alejandro I-121

#### **W**

Waldburger, Nicolas II-250
Winterhalter, Théo II-3

#### **Y**

Yeshurun, Asaf II-229