a tier-based typed programming language characterizing
TRANSCRIPT
HAL Id: hal-02881308https://hal.inria.fr/hal-02881308
Submitted on 25 Jun 2020
HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.
Lβarchive ouverte pluridisciplinaire HAL, estdestinΓ©e au dΓ©pΓ΄t et Γ la diffusion de documentsscientifiques de niveau recherche, publiΓ©s ou non,Γ©manant des Γ©tablissements dβenseignement et derecherche franΓ§ais ou Γ©trangers, des laboratoirespublics ou privΓ©s.
A tier-based typed programming languagecharacterizing Feasible Functionals
Emmanuel Hainry, Bruce Kapron, Jean-Yves Marion, Romain PΓ©choux
To cite this version:Emmanuel Hainry, Bruce Kapron, Jean-Yves Marion, Romain PΓ©choux. A tier-based typed program-ming language characterizing Feasible Functionals. LICS β20 - 35th Annual ACM/IEEE Symposium onLogic in Computer Science, Jul 2020, SaarbrΓΌcken, Germany. pp.535-549, οΏ½10.1145/3373718.3394768οΏ½.οΏ½hal-02881308οΏ½
A tier-based typed programming languagecharacterizing Feasible FunctionalsEmmanuel Hainry
[email protected]Γ© de Lorraine, CNRS, Inria, LORIA, F-54000
Nancy, France
Bruce M. [email protected] of Victoria
Canada
Jean-Yves [email protected]
UniversitΓ© de Lorraine, CNRS, LORIA, F-54000 Nancy,France
Romain PΓ©[email protected]
UniversitΓ© de Lorraine, CNRS, Inria, LORIA, F-54000Nancy, France
AbstractThe class of Basic Feasible Functionals BFF2 is the type-2counterpart of the class FP of type-1 functions computablein polynomial time. Several characterizations have been sug-gested in the literature, but none of these present a program-ming language with a type system guaranteeing this com-plexity bound.We give a characterization of BFF2 based on animperative language with oracle calls using a tier-based typesystem whose inference is decidable. Such a characteriza-tion should make it possible to link higher-order complexitywith programming theory. The low complexity (cubic in thesize of the program) of the type inference algorithm con-trasts with the intractability of the aforementioned methodsand does not restrain strongly the expressive power of thelanguage.
Keywords: Feasible functionals, BFF,implicit computationalcomplexity, tiering, type-2, type system.
1 IntroductionType-2 computational complexity aims to study classes offunctions that take type-1, i.e. function, arguments. The no-tion of feasibility for type-2 functionals was first studied in[Constable 1973] and in [Mehlhorn 1976] using subrecur-sive formalisms. Later, [Cook and Kapron 1989; Cook andUrquhart 1993] provided characterizations of polynomialtime complexity at all finite types based on programminglanguages with explicit bounds and applied typed lambda-calculi, respectively. The class characterized in these workswas christened the Basic Feasible Functionals, BFF for short.
It was shown in [Kapron and Cook 1991, 1996] that, simi-larly to type-1, feasible type-2 functions correspond to theprograms computed in time polynomial in the size of theirinput. In this setting, the polynomial bound is a type-2 func-tion as the size of a type-1 input is itself a type-1 object. Thischaracterization lended support to the notion that at typelevel 2, the Basic Feasible Functionals (BFF2) are the correctgeneralization of FP to type-2.
Nevertheless, these characterizations are faced by at leasttwo problems:
1. Characterizations using a general model of compu-tation (whether machine- or program-based) requireexternally imposed and explicit resource bounding, ei-ther by a type-2 polynomial [FΓ©rΓ©e et al. 2015; Kapronand Cook 1991, 1996] or a bounding function withinthe class [Constable 1973; Mehlhorn 1976]. This is anal-ogous to a shortcoming in Cobhamβs characterizationof the class of (type 1) polynomial time computablefunctions FP [Cobham 1965]. Such bounding requireseither a prior knowledge of program complexity or acheck on type-2 polynomial time constraints, whichis highly intractable;
2. There is no natural programming language for thesecharacterizations as they rely on machines or functionalgebras and cannot be adapted directly to programs.Some attempts have been made to provide program-ming languages for characterizing BFF2. These lan-guages are problematic either due to a need to providesome form of explicit external bounding [Cook andKapron 1989] or from including unnatural constructsor type-2 recursion patterns [Cook and Urquhart 1993;Danner and Royer 2006; Irwin et al. 2001] which se-verely constrain the way in which type-2 programsmay be written. All these distinct approaches wouldmake it difficult for a non-expert programmer to usethese formalisms as programming languages.
A solution to Problem (1) was suggested in [Kawamuraand Steinberg 2017] by constraining Cookβs definition ofOracle Polynomial Time (OPT) [Cook 1992], which allowstype-1 polynomials to be substituted for type-2 polynomials.To achieve this, oracle Turing machines are required to havea polynomial step count: on any input, the length of theircomputations is bounded by a type-1 polynomial in the sizeof their input and themaximal size of any answer returned bythe oracle. However BFF2 is known to be strictly included inOPT. In [Kawamura and Steinberg 2017], OPT is constrainedby only allowing computations in which oracle return values
Hainry et al.
increase in size a constant number of times, resulting in aclass they called SPT (strong polynomial time). This class isstrictly contained in BFF2. BFF2 is recovered in [Kapron andSteinberg 2018], which considers a dual restriction, calledfinite lookahead revision, on machines: on any input, thenumber of oracle calls on input of increasing size is boundedby a constant. The class of functions computed by machineshaving polynomial step count and finite lookahead revisionis called MPT. The type-2 restriction of the simply-typedlambda closure of functions in MPT (and SPT) characterizesexactly BFF2.Problem (2) has been extensively tackled by the Implicit
Computational Complexity community for type-1 complex-ity. This line of work provides machine independent char-acterizations that eliminate the external explicit bound andwas initiated by the works [Bellantoni and Cook 1992] and[Leivant and Marion 1993]. However, none of these workshas been adapted to the case of type-2 complexity in a trac-table approach. To this day, tractable implicit characteriza-tions of type-2 complexity classes are still missing.
Our contribution. We provide the first tractable charac-terization of type-2 polynomial time using a typed imperativelanguage with oracle calls. Each oracle call comes with an as-sociated input bound which aims at bounding the size of theoracle input. However the size of the oracle answer, whichis unpredictable, remains unbounded and, consequently, thelanguage can be used in practice.The characterization is inspired by the tier-based type
system of [Marion 2011] characterizing FP. Consequently,it relies on a non-interference principle and is also inspiredby the type system of [Volpano et al. 1996] guaranteeingconfidentiality and integrity policies by ensuring that valuesof high level variables do not depend on values of low levelvariables during a program execution. In our context, thelevel is called a tier.
Let JSTK be the set of functions computed by typable (alsocalled safe, see Definition 4.3) and terminating programs andlet _(π )2 be the type-2 restriction of the simply-typed lambdaclosure of terms with constants in π . The characterizationof BFF2 is as follows:
Theorem 1.1. _(JSTK)2 = BFF2 .
Soundness (_(JSTK)2 β BFF2, Theorem 7.6) is demon-strated by showing that each function of JSTK is in Kapron-Steinbergβs MPT class [Kapron and Steinberg 2018]. Thetype system makes use of several tiers and is designed toenforce a tier-based non-interference result (Theorem 5.3)and generalizes the operator type discipline of [Marion 2011]to ensure the polynomial step count property (Corollary 5.6)and the finite lookahead revision property (Theorem 5.8),two non-trivial semantic properties. Two important pointsto stress are that: i) these properties are enforced staticallyon programs as consequences of being typable (whereas they
were introduced in [Kapron and Steinberg 2018] as pure se-mantic requirements on machines); ii) the enforcement offinite lookahead revision through the use of tiering is a newnon-trivial result.Completeness (BFF2 β _(JSTK)2, Theorem 8.6) is shown
using an alternative characterization: _(FP βͺ {I β²})2 = BFF2,where I β² is a bounded iterator that is polynomially equiv-alent to the recursor R of [Cook and Urquhart 1993], asdemonstrated in [Kapron and Steinberg 2019]. The simula-tion of FP is performed by showing that our type systemstrictly embeds the tier-based type system of [Marion andPΓ©choux 2014]. Consequently, our type system also providesa characterization of FP (Theorem 8.4) with strictly more ex-pressive power when restricted to type-1 programs. Finally,a typable and terminating program computing the boundediterator functional I β² is exhibited. As in [Kapron and Stein-berg 2018], the simply-typed lambda-closure is mandatoryto achieve completeness as oracle composition is not allowedby the syntax of the language.The tractability of the type system is proved in Theo-
rem 9.2, where type inference is shown to be to be solvablein cubic time in the size of the program. As a consequence ofthe decidability of type inference for simply typed lambda-calculus [Mitchell 1991], we obtain the first decidable (upto a termination assumption) programming language basedcharacterization of type-2 polynomial. While the termina-tion assumption is obviously not decidable, it is the mostgeneral condition for the result to hold. However, it can bereplaced without loss of completeness by combining our typesystem with automatic termination provers for imperativeprograms, for example [Cook et al. 2006; Lee et al. 2001].The price to pay is a loss of expressive power. Hence thispaper provides a new approach for reasoning about type-2feasibility automatically, in contrast to related works.
The characterization of Theorem 1.1 is extensionally com-plete: all functions of BFF2 are computed by a typable andterminating program. It is not intensionally complete: thereare false negatives as discussed in Example 6.4. This incom-pleteness is a consequence of the decidability of type in-ference as providing intensionally complete descriptions ofpolynomial time is known to be a Ξ£0
2-complete problem inthe arithmetical hierarchy [HΓ‘jek 1979].
Outline. Β§4 is devoted to presenting the type system tech-nical developments and main intuitions. Β§5 states the typesystem main properties. Β§6 presents several examples thatwill help the reader to understand the underlying subtlemechanisms. Soundness and completeness are proved in Β§7and Β§8, respectively. The decidability of type inference isshown in Β§9. Future work is discussed in Β§10.
A tier-based PL characterizing BFF2
2 Related workImplicit Computational Complexity (ICC). has lead to
the development of several techniques such as interpreta-tions [Bonfante et al. 2011], light logics [Girard 1998], mwp-bounds [Ben-Amram et al. 2008; Jones and Kristiansen 2009],and tiering [Hainry and PΓ©choux 2015; Leivant 1995; Leivantand Marion 2013; Marion 2011]. These tools are restricted totype-1 complexity. Whereas the light logic approach can dealwith programs at higher types, its applications are restrictedto type-1 complexity classes such as FP [Baillot and Mazza2010; Baillot and Terui 2004] or polynomial space [Gaboardiet al. 2008]. Interpretations were extended to higher-orderpolynomials in [Baillot and Lago 2016] to study FP andadapted in [FΓ©rΓ©e et al. 2015; Hainry and PΓ©choux 2017]to BFF2. However, by essence, all these characterizations use(at least) type-2 polynomials and cannot be considered astractable.
Other characterizations of BFF2. The characterizationsof [Cook and Kapron 1989; Irwin et al. 2001] are based on asimple imperative programming language that enforces anexplicit external bound on the size of oracle outputs withinloops. This restriction is impractical from a programmingperspective as the size of oracle outputs cannot be predicted.In this paper, the bound is programmer friendly by its implicitnature and because it only constraints the size of the oracleinput. Function algebra characterizations were developedin [Cook and Urquhart 1993; Kapron and Steinberg 2019]:the recursion schemes are not natural and cannot be used inpractice by a programmer. Several characterizations [Kapronand Cook 1991, 1996] using type-2 polynomials were alsodeveloped but they focus on machines rather than programs.
3 Imperative programming language withoracles
Syntax and semantics. Consider a set V of variablesand a set O of operators op of fixed arity ππ (op). For no-tational convenience, operators are used both in infix andprefix notations. Let π‘ denote a tuple of π elements (vari-ables, expressions, words, ...) π‘1, . . . , π‘π , where π is given bythe context.Expressions and commands are defined by the grammar
of Figure 1, where x, y β V, op, βΎ β O, and π is a single oraclesymbol. LetV(pπ ) be the set of variables occurring in theprogram pπ . An expression of the shape π (e1 βΎ e2) is calledan oracle call. e1 is called the input data, e2 is called the inputbound and e1 βΎ e2 is called the input. We write π β pπ in thespecial case where no oracle call appears in pπ .Let W = Ξ£β be the set of words over a finite alphabet
Ξ£ such that {0, 1} β Ξ£. The symbol π denotes the emptyword. The length of a word w (tuple π‘ ) is denoted |w | (|π‘ |,respectively). Given two words w and v inW let v.w denotethe concatenation of v and w. For a given symbol π β Ξ£, let
ππ be defined inductively by π0 = π and ππ+1 = π.ππ . Let β΄be the sub-word relation overW, which is defined by v β΄ w,if there are u and uβ² such that w = u.v.uβ².
A total function JopK :Wππ (op) βW is associated to eachoperator. Constants may be viewed as operators of arity zero.For a given word w β W and an integer π, let wβΎπ be
the word obtained by truncating w to its first min(π, |π€ |)symbols and then padding with a word of the form 10π toobtain a word of size exactly π + 1. For example, 1001βΎ0 = 1,1001βΎ1 = 11, 1001βΎ2 = 101, and 1001βΎ6 = 1001100. De-fine βv,w β W, JβΎK(π£,π€) = π£βΎ |π€ | . Padding ensures that|JβΎK(π£,π€) | = |w | + 1. The syntax of programs enforces thatoracle calls are always performed on input data padded bythe input bound. Combined with the above property, thisensures that oracle calls are always performed on input datawhose size does not exceed the size of the input bound plusone.
The oracle symbol π computes a total function fromW toW, called an oracle function. In order to lighten notation, wewill make no distinction between the oracle symbol π andthe oracle function it represents.
A store ` is a partial map from V toW. Let πππ(`) be thedomain of `. Let ` [x1 β w1, . . . , xπ β wπ] be a notation forthe store ` β² satisfying βx β dom(`) β {x1, . . . , xπ}, ` β²(x) =` (x) and βxπ β {x1, . . . , xπ}, ` β²(xπ ) = wπ . Let `0 be the storedefined by βx β dom(`0), `0 (x) = π . The size of a store ` isdefined by |` | = Ξ£xβdom(`) |` (x) |.
The operational semantics of the language is deterministicand is given in Figure 2. The judgment ` β¨ e β w meansthat the expression e is evaluated to the word w β W withrespect to the store ` The judgment ` β¨ c β ` β² expressesthat, under the input store `, the command c terminates andoutputs the store ` β². In rule (Seq) of Figure 2, it is implicitlyassumed that c1 is not a sequence.Given a derivation ππ : ` β¨ pπ β w, let |ππ | denote the
size of the derivation, that is the number of nodes in thederivation tree rooted at ` β¨ pπ β w. Note that |ππ | corre-sponds to the number of steps in a sequential execution of pπ ,initializedwith store `. On the other hand, with no restrictionon operators this measure is too coarse to correspond, evenasymptotically, to running time. With suitable restriction,there is a correspondence, given in Proposition 7.5 below.
A program pπ such thatV(pπ ) = {x} computes the partialfunction JpπK β W |x | β W, defined by JpπK(w) = π€ ifβππ , ππ : `0 [x1 β w1, . . . , x |x | β w |x |] β¨ pπ β w. In thespecial case where, for any oracle π , JpπK is a total function,the program pπ is said to be terminating.A second order function π : (W β W) β (W β W) is
computed by a program pπ if for any oracle function π βWβW and word w β W, π (π) (w) = JpπK(w).
Neutral and positive operators. We define two classesof operators called neutral and positive. This categorizationof operators will be used in Β§4.2 where the admissible types
Hainry et al.
Expressions e, e1, . . . ::= x | op(e) | π (e1 βΎ e2)Commands c, c1, c2 ::= skip | x := e | c1; c2 | if(e){c1} else {c2} | while(e){c}Programs pπ ::= c return x
Figure 1. Syntax of imperative programs with oracles
(Var)` β¨ xβ ` (x)
βπ β€ ππ (op), ` β¨ eπ β wπ (Op)` β¨ op(e) β JopK(w)
` β¨ e1 β v ` β¨ e2 β w π (JβΎK(v,w)) = u(Orc)
` β¨ π (e1 βΎ e2) β u
(Skip)` β¨ skipβ `
` β¨ c1 β `1 `1 β¨ c2 β `2 (Seq)` β¨ c1; c2 β `2
` β¨ eβ w(Asg)
` β¨ x := eβ ` [xβ w]
` β¨ eβ w ` β¨ cw β ` β² w β {0, 1}(Cond)
` β¨ if(e){c1} else {c0} β ` β²` β¨ eβ 0
(Wh0)` β¨ while(e){c} β `
` β¨ eβ 1 ` β¨ c; while(e){c} β ` β²(Wh1)
` β¨ while(e){c} β ` β²` β¨ cβ ` β²
` β¨ c return xβ ` β²(x)(Prg)
Figure 2. Big step operational semantics
for operators will depend on their category in the type sys-tem.
Definition 3.1 (Neutral and positive operators).
β’ An operator op is neutral if:1. either JopK :Wππ (op) β {0, 1} is a predicate;2. or βw β Wππ (op) , βπ β€ ππ (op), JopK(w) β΄ wπ ;β’ An operator op is positive if there is a constant πop s.t.:βwππ (op) β W, |JopK(w) | β€ maxπ |wπ | + πop.
A neutral operator is always a positive operator but theconverse is not true. In the remainder, we name positiveoperators those operators that are positive but not neutral.
Example 3.2. The operator == tests whether or not itsarguments are equal and the operator pred computes thepredecessor.
J==K(w, v) ={1 if v = w0 otherwise
JpredK(v) ={π if v = π
u if v = π.u, π β Ξ£
Both operators are neutral. JsucπK(v) = π .v, for π β {0, 1}, isa positive operator since |JsucπK(v) | = |π .v | = |v | + 1.
4 Type systemIn this section, we introduce a tier based type system, themain contribution of the paper, that allows to provide a char-acterization of type-2 polynomial time complexity ([Kapronand Cook 1991, 1996; Mehlhorn 1976]).
4.1 Tiers and typing judgmentsAtomic types are elements of the totally ordered set (N, βͺ―, 0,β¨,β§) where N = {0, 1, 2, . . .} is the set of natural num-bers, called tiers, in accordance with the data ramificationprinciple of [Leivant 1995], βͺ― is the usual ordering on inte-gers and β¨ and β§ are the max and min operators over inte-gers. Let βΊ be defined by βΊ := βͺ― β© β . We use the symbolsk, kβ², . . . , k1, k2, . . . to denote tier variables. For a finite setof tiers, {k1, . . . , kπ}, let β¨ππ=1kπ (β§ππ=1kπ , respectively) denotek1 β¨ . . . β¨ kπ (k1 β§ . . . β§ kπ , respectively).
A variable typing environment Ξ is a finite mapping fromV to N, which assigns a single tier to each variable.An operator typing environment Ξ is a mapping that
associates to each operator op and each tier k β N a setof admissible operator types Ξ(op) (k), where the operatortypes corresponding to the operator op are of the shapek1 β . . . kππ (op) β kβ², with kπ , kβ² β N.Let dom(Ξ) (resp. dom(Ξ)) denote the set of variables
typed by Ξ (resp. operators typed by Ξ).Typing judgments are either command typing judgments
of the shape Ξ,Ξ β’ c : (k, kππ, kππ’π‘ ) or expression typing judg-ments of the shape Ξ,Ξ β’ e : (k, kππ, kππ’π‘ ). The meaning ofsuch a typing judgment is that the expression tier or com-mand tier is k, the innermost tier is kππ , and the outermosttier is kππ’π‘ . The innermost (resp. outermost) tier is the tierof the innermost (resp. outermost) while loop guard wherethe expression or command is located.A type system preventing flows from k2 to k1, whenever
k2 βΊ k1 holds, is presented in Figure 3.A typing derivation π 3 Ξ,Ξ β’ c : (k, kππ, kππ’π‘ ) is a tree
whose root is the typing judgment Ξ,Ξ β’ c : (k, kππ, kππ’π‘ )
A tier-based PL characterizing BFF2
and whose children are obtained by applications of the typ-ing rules. Due to the rule (OP) of Figure 3, that allows severaladmissible types for operators, typing derivations are, ingeneral, not unique. However the two typing rules for whileloops (W) and (W0) are mutually exclusive because of thenon-overlapping requirements for kππ’π‘ in Figure 3. The nota-tion π will be used whenever mentioning the root of a typingderivation is not explicitly needed.
4.2 Safe environments and programsThe typing rules of Figure 3 are not restrictive enough inthemselves to guarantee polynomial time computation, evenfor type-1. Indeed operators need to be restricted to pre-vent exponential programs from being typable (see counter-Example 6.2). The current subsection introduces such a re-striction, called safe.
Definition 4.1 (Safe operator typing environment). An op-erator typing environment Ξ is safe if for each op β dom(Ξ),op is neutral or positive and JopK is a polynomial time com-putable function, and for each kππ β N, and for each k1 β. . . kππ (op) β k β Ξ(op) (kππ), the two conditions belowhold:
1. k βͺ― β§ππ (op)π=1 kπ βͺ― β¨ππ (op)π=1 kπ βͺ― kππ ,
2. if the operator op is positive then k βΊ kππ .
Example 4.2. Consider the operators ==, pred and sucπ ofExample 3.2. For a safe typing environment Ξ, it holds thatΞ(==) (1) = {1 β 1 β 1} βͺ {k β kβ² β 0 | k, kβ² βͺ― 1}, as== is neutral. However 0β 1β 1 β Ξ(==) (1) as it breaksCondition (1) of Definition 4.1 since the operator output tierhas to be smaller than each of its operand tier (i.e. 1 ΜΈβͺ― 0β§ 1).It also holds that Ξ(pred) (2) = {2β k | k βͺ― 2} βͺ {1β
k | k βͺ― 1} βͺ {0β 0}.For the positive operator sucπ , we have Ξ(sucπ ) (1) =
{1 β 0, 0 β 0}. 1 β 1 β Ξ(sucπ ) (1) as the operatoroutput tier has to be strictly smaller than 1, due to Condition(2) of Definition 4.1. Applying the same restriction, it holdsthat Ξ(sucπ ) (2) = {2β 1, 2β 0, 1β 1, 1β 0, 0β 0}.Definition 4.3 (Safe program). Given Ξ a variable typingenvironment and Ξ a safe operator typing environment, theprogram pπ = c return x is a safe program if there arek, kππ, kππ’π‘ such that π 3 Ξ,Ξ β’ c : (k, kππ, kππ’π‘ ).Definition 4.4. Let ST be the set of safe and terminatingprograms and JSTK be the set of functionals computed byprograms in ST:
JSTK = {_π._w1. Β· Β· Β· _π€πJpπK(w1, . . . ,wπ) | pπ β ST}.
4.3 Some intuitionsBefore providing a formal treatment of the type system mainproperties in Β§5, we provide the reader with a brief intuitionof types, that are triplets of tiers (k, kππ, kππ’π‘ ), in a typingderivation obtained by applying the typing rules of Figure 3:
β’ k is the tier of the expression or command under con-sideration. It is used to prevent data flows from lowertiers to higher tiers in control flow statements andassignments. By safety and by rules (OP) and (OR),expression tiers are structurally decreasing. Conse-quently, rule (A) ensures that data can only flow fromhigher tiers to lower tiers. Command tiers are struc-turally increasing and, consequently, an assignmentof a higher tier variable can never be controlled by alower tier in a conditional or while statement.β’ kππ is the tier of the innermost while loop containingthe expression or command under consideration, pro-vided it exists. It is used to allow declassification (i.e. arelease of some information at a lower tier to a highertier) to occur in the program by allowing an operatorto have types depending on the context. Moreover, theinnermost tier restricts the return types of operatorsand oracle calls:β in rule (OR), the return type k is strictly smaller thankππ ,
β in rule (OP), for a positive operator, the return typek is strictly smaller than kππ .
This forbids programs from iterating on a data whosesize can increase during the iteration.β’ kππ’π‘ is the tier of the outermost while loop containingthe expression or command under consideration, pro-vided it exists. Its purpose is to bound by a constantthe number of lookahead revisions (that is the numberof times a query to the oracle may increase in size)allowed in oracle calls. By rule (OR), all oracle inputbounds have a tier equal to the tier of the outermostwhile loop where they are called. Hence, the size ofthe data stored in the input bound cannot increase in afixed while loop and it can increase at most a constantnumber of times.
There are two rules (W) and (W0) for while loops. (W) isthe standard rule and updates the innermost tier with thetier of the while loop guard under consideration. (W0) is aninitialization rule that allows the programmer to instantiateby default the main command with outermost tier 0 as it hasno outermost while. It could be sacrificed for simplicity butat the price of a worse expressive power.
5 Properties of safe programsWe now show the main properties of safe programs:
β’ a standard non-interference property in Β§5.2 ensuringthat computations on higher tiers do not depend onlower tiers (Theorem 5.3).β’ a polynomial time property in Β§5.3 ensuring that ter-minating programs terminate in time polynomial inthe input size and maximal oracleβs output size (Theo-rem 5.5).
Hainry et al.
Ξ(x) = k(V)
Ξ,Ξ β’ x : (k, kππ, kππ’π‘ )k1 β Β· Β· Β· β kππ (op) β k β Ξ(op) (kππ) βπ β€ ππ (op), Ξ,Ξ β’ eπ : (kπ , kππ, kππ’π‘ )
(OP)Ξ,Ξ β’ op(e) : (k, kππ, kππ’π‘ )
Ξ,Ξ β’ e1 : (k, kππ, kππ’π‘ ) Ξ,Ξ β’ e2 : (kππ’π‘ , kππ, kππ’π‘ ) k βΊ kππ β§ k βͺ― kππ’π‘ (OR)Ξ,Ξ β’ π (e1 βΎ e2) : (k, kππ, kππ’π‘ )
(SK)Ξ,Ξ β’ skip : (0, kππ, kππ’π‘ )
Ξ,Ξ β’ c1 : (k, kππ, kππ’π‘ ) Ξ,Ξ β’ c2 : (k, kππ, kππ’π‘ ) (S)Ξ,Ξ β’ c1; c2 : (k, kππ, kππ’π‘ )
Ξ,Ξ β’ x : (k1, kππ, kππ’π‘ ) Ξ,Ξ β’ e : (k2, kππ, kππ’π‘ ) k1 βͺ― k2 (A)Ξ,Ξ β’ x := e : (k1, kππ, kππ’π‘ )
Ξ,Ξ β’ c : (k, kππ, kππ’π‘ ) (SUB)Ξ,Ξ β’ c : (k+1, kππ, kππ’π‘ )
Ξ,Ξ β’ e : (k, kππ, kππ’π‘ ) Ξ,Ξ β’ c1 : (k, kππ, kππ’π‘ ) Ξ,Ξ β’ c0 : (k, kππ, kππ’π‘ ) (C)Ξ,Ξ β’ if(e){c1} else {c0} : (k, kππ, kππ’π‘ )
Ξ,Ξ β’ e : (k, kππ, kππ’π‘ ) Ξ,Ξ β’ c : (k, k, kππ’π‘ ) 1 βͺ― k βͺ― kππ’π‘ (W)Ξ,Ξ β’ while(e){c} : (k, kππ, kππ’π‘ )
Ξ,Ξ β’ e : (k, kππ, k) Ξ,Ξ β’ c : (k, k, k) 1 βͺ― k(W0)
Ξ,Ξ β’ while(e){c} : (k, kππ, 0)
Figure 3. Tier-based type system
β’ a finite lookahead revision property in Β§5.4 ensuringthat, for any oracle and any input, the number of or-acle calls on input of increasing size is bounded by aconstant (Theorem 5.8).
5.1 NotationsLet us first introduce some preliminary notations. Let E(π)(res. C(π)) be the set of expressions (respectively commands)occurring in π, for π β {pπ , c}. Let A(c) be the set of vari-ables that are assigned to in c, e.g.,A(x := y; y := z) = {x, y}.Let ππ (e) andV(e) be the set of operators in expression eand the set of variables in expression e, respectively.
5.2 Non-interferenceWe now show that the type system provides classical non-interference properties.
In a safe program, only variables of tier higher than k canbe accessed to evaluate an expression of tier k.
Lemma 5.1 (Simple security). Given a safe program pπ withrespect to the typing environments Ξ,Ξ, for any expressione β E(pπ ), if Ξ,Ξ β’ e : (k, kππ, kππ’π‘ ), then for all x β V(e),k βͺ― Ξ(x).
Proof. By structural induction on expressions. β‘
There is no equivalent lemma for commands because ofthe subtyping rule (SUB).The confinement Lemma expresses the fact that com-
mands of tier k cannot write in variables of strictly highertier.
Lemma 5.2 (Confinement). Given a safe program pπ withrespect to the typing environments Ξ,Ξ, for any c β C(pπ ),if Ξ,Ξ β’ c : (k, kππ, kππ’π‘ ), then for all x β A(c), Ξ(x) βͺ― k.
Proof. By contradiction. β‘
For a given variable typing environment Ξ and a given tierk, we define an equivalence relation on stores by: ` βΞk ` β²
if dom(`) = dom(` β²) = dom(Ξ) and for each x β dom(Ξ), ifk βͺ― Ξ(x) then ` (x) = ` β²(x).We introduce a non-interference Theorem ensuring that
the values of tier k variables during the evaluation of a pro-gram do not depend on values of tier kβ² variables for kβ² βΊ k.
Theorem 5.3 (Non-interference). Given a safe programc return x with respect to the typing environments Ξ,Ξ.For any stores `1 and `2 if `1 βΞk `2, `1 β¨ c β ` β²1 and`2 β¨ cβ ` β²2 then ` β²1 βΞk ` β²2.
Proof. By structural induction on program derivations, usingLemma 5.1 and Lemma 5.2. β‘
5.3 Polynomial step countIn this section, we show that terminating and safe programshave a runtime polynomially bounded by the size of theinput store and the maximal size of answers returned by theoracle in the course of execution.
Definition 5.4. Let πpπ` be the maximum of |` | and the
maximum size of an oracle answer in the derivation ππ : ` β¨pπ β u. Formally,
πpπ` = max
(v,w) βπΆ (ππ )( |` |,max{|π (JβΎK(v,w)) |}),
where πΆ (ππ ) is the set of pairs (v,w) such that` β¨ e1 β v ` β¨ e2 β w
` β¨ π (e1 βΎ e2) β π (JβΎK(v,w)) β ππ .
A program pπ has a polynomial step count if there is apolynomial π such that for any store ` and any oracle π ,ππ : ` β¨ pπ β w, |ππ | = π (π (πpπ
` )).
We show that a safe program has a polynomial step counton terminating computations.
A tier-based PL characterizing BFF2
Theorem 5.5. Given a safe program pπ with respect to thetyping environments Ξ,Ξ, there is a polynomial π such thatfor any derivation ππ : ` β¨ pπ β w, |ππ | = π (π (πpπ
` )).Proof. By induction on the tier of a command using non-interference Theorem (5.3) and the stratification propertiesof the type system. β‘
The proof of the above Theorem is similar to proofs ofpolynomiality in [Marion 2011] and [Marion and PΓ©choux2014]. There are only two main distinctions:β’ As strictly more than 2 tiers are allowed, the innermosttier kππ is used to ensure that operators and oracle callsare stratified: In a while loop of innermost tier kππ thereturn type of an oracle or positive operator is alwaysstrictly smaller than kππ . Hence the results of suchcomputations cannot be assigned to variables whosetier is equal to kππ .β’ Oracle calls may return a value whose size is notbounded by the program input. This is the reason whyπ
pπ` has to be considered as an input of the time bound.
Corollary 5.6. Given a program pπ , if pπ β ST then pπ hasa polynomial step count.
5.4 Finite lookahead revisionIn this section, we show that, whereas terminating and safeprograms may perform a polynomial number (in the sizeof the input and the maximal size of the oracle answers) oforacle calls during their execution, they may only perform aconstant number of oracle calls on input data of increasingsize.
Definition 5.7. Given a program pπ , let (ππππ ) be the se-
quence of oracle input values JβΎK(v,w) in a rule (OR) ob-tained by a left-to-right depth-first search of the deriva-tion ππ : ` β¨ pπ β w. Let ππ ((ππππ )) = #{π | |πππ
π| >
maxπ<π ( |πππ
π|)}.
pπ has finite lookahead revision if there is a constant πsuch that for any oracle π and for any derivation ππ , wehave ππ ((ππππ )) β€ π .
Note that the left-to-right depth-first search in a derivationexactly corresponds to the order of a sequential executionof a command.
Theorem 5.8 (Finite lookahead revision). Given a programpπ , if pπ is safe with respect to the typing environments Ξ,Ξthen it has finite lookahead revision.
Proof. Using simple security (5.1) and confinement (5.2) Lem-mata, and the stratification properties of the type system. β‘
6 ExamplesIn this section, we provide several examples and counter-
examples, starting with programs with no oracle calls inorder to illustrate how the type system works. Some of its
restrictions in terms of expressive power are also discussed inExample 6.4. In the typing derivations, we sometimes omitthe environments, writing β’ instead of Ξ,Ξ β’ in order tolighten the notations. Moreover, for notational convenience,we will use labels for expression tiers. For example, ek meansthat e is of tier k. Also, to make the presentation of theexamples lighter, we will work over the unary integers ratherthan all ofW. In particular, a value v denotes 1v, and 0 denotesπ . Also, with this convention, JpredK(v) = max{0, vβ1} andJsuc1K(v) = v + 1.
Example 6.1 (Addition). Consider the simple program ofFigure 4a, with no oracle, computing the unary addition.This program is safe with respect to the typing derivation ofFigure 5.
The while loop is guarded by x > 0. If the main commandis typed by (1, 1, 0) then the expression x > 0 is of tier 1 bythe typing rule (W0). Consequently, the variable x is forcedto be of tier 1 using the type 1 β 1 for the operator > 0in the (OP) rule. 1 β 1 β Ξ(> 0) (1) holds as the operator> 0 is neutral. One application of the subtyping rule (SUB) isperformed for the sequence to be typed as the subcommandsare required to have homogeneous types.In the subderivation π1 of Figure 5, the pred operator
is used with the type 1 β 1 in the (OP) rule. This use isauthorized as, pred is neutral and, consequently, 1 β 1 βΞ(pred) (1). As a consequence, the rule (A) in π1 can bederived as the tier of the assigned variable x (equal to 1) issmaller than the tier of the expression pred(x) (also equalto 1).Now consider the subderivation π2 of Figure 5. The only
distinction between π2 and π1 is that the operator suc1 ispositive. Consequently, with an innermost tier of 1, the type1β 1 is not authorized for such an operator (since 1β 1 β
Ξ(suc1) (1)). Indeed, by Example 4.2, Ξ(suc1) (1) = {1 β0, 0β 0}. The type 1β 0 is ruled out as it would require anon-homogeneous type for y. Consequently, the rule (OP)is applied on type 0β 0 and the variable y must be of tier0. Notice that the program could also be typed by assigninghigher tiers k and kβ² such that kβ² βΊ k, to x and y, respectively.
Example 6.2 (Exponential). The program of Figure 4b, com-puting the exponential, is not safe.
By contradiction, suppose that it can be typed with respectto the typing environments Ξ and Ξ. Let Ξ(x), Ξ(y) and Ξ(z)be kx, ky and kz, respectively.The subcommand z := y enforces kz βͺ― ky by the typing
derivation of Figure 6a.The subcommand y := suc1 (y) enforces the constraint
ky βΊ kππ , kππ being the command innermost tier, by thetyping derivation of Figure 6b. Indeed, as suc1 is a positiveoperator, by Condition 2 of Definition 4.1, ky βΊ kππ has to besatisfied for ky β ky β Ξ(suc1) (kππ) to hold.The innermost while loop enforces the constraint kππ βͺ―
kz in the typing derivation of Figure 6c. First, notice that
Hainry et al.
while(x > 0)1{x1 := pred(x)1;y0 := suc1 (y)0
}return y
(a) Unary addition
while(x > 0){z := y;while(z > 0){
z := pred(z);y := suc1 (y)
};x := pred(x)
}return y
(b) Exponential
c1 : while(x > 0)2{x2 := pred(x)2;y1 := suc1 (suc1 (y))1
} ;c2 : while(y > 0)1{
y1 := pred(y)1;z0 := suc1 (suc1 (z))0
}return z
(c) Multiple tiers
y0 := x1;z0 := 0;while(x >= 0)1{
if(π (y0 βΎ x1) == 0)0{z0 := 1}else {skip};x1 := pred(x)1
}return z
(d) Oracle
x := 0; z := 0;while(y >= x){
if(π (y βΎ x) == 0){z := 1}else {skip};x := suc1 (x)
}return z
(e) No finite lookahead revision
x3 := π; y2 := x3; z2 := 0;while(x3 >= 0){
z2 := max(π (y2 βΎ x3)2, z2);x3 := pred(x3)
}; v1 := z2; u0 := 0;while(z2 >= 0){
w1 := π (v1 βΎ z2)1;while(w1 >= 0){
u0 := suc1 (u)0; w1 := pred(w1)}; z2 := pred(z)2
}return u
(f) Multiple tiers and oracle
Figure 4. Examples
only the rule (W) can be applied to this subderivation as thecorresponding subcommand is already contained inside awhile loop and, consequently, 1 βͺ― kππ’π‘ is enforced by theoutermost while loop using rule (W) or rule (W0). Second,the tier of this subcommand is equal to the innermost tierkππ of subcommand y := suc1 (y) (in π2). Indeed, rules (W)and (W0) are the only typing rules updating the innermosttier and there is no while loop in between. Finally, in the rule(OP), as > 0 is neutral, Condition 1 of Definition 4.1 enforcesthat kππ βͺ― kz βͺ― kβ²ππ holds for the program to be typed.Putting all the above constraints together, we obtain the
contradiction kz βͺ― ky βΊ kππ βͺ― kz. Consequently, the pro-gram cannot be typed.
Example 6.3 (Multiple tiers). Consider the program of Fig-ure 4c illustrating the use of multiple tiers.The program is safe with respect to the variable typing
environment Ξ such that Ξ(x) = 2, Ξ(y) = 1 and Ξ(z) = 0.The main command can be typed by (2, 2, 0) in the derivationof Figure 7a, provided that c1 and c2 are the commandscorresponding to the first while loop and second while loop,respectively.
The derivation π1 corresponding to the first while loop isdescribed in Figure 7b. The subderivation π11 can be built eas-ily using rules (A), (OP), and (V) as pred is neutral and can begiven the type 2β 2 in Ξ(pred) (2) (see Example 4.2). The
subderivation π12 can be built using the same rules as suc1is positive and can be given the type 1β 1 in Ξ(suc1) (2)(see Example 4.2 again). π12 requires the prior application ofsubtyping rule (SUB) as the tier of the assignment is equalto Ξ(y) = 1.
The derivation π2, described in Figure 7c, can be obtainedin a similar way by taking the type 1 β 1 for the neutraloperator pred in Ξ(pred) (1) and the type 0 β 0 for thepositive operator suc1 in Ξ(suc1) (1). The initial subtypingrule is required as it is not possible to derive β’ y > 0 : (2, 2, 2)with the requirement that Ξ(y) = 1.
It is worth noticing that the above program cannot betyped with only two tiers {0, 1}. Indeed, the first while loopenforces that Ξ(y) βΊ Ξ(x) and the second while loop en-forces that Ξ(z) βΊ Ξ(y). More generally, the program can betyped by (k+2, k+2, 0) or (k+2, k+2, k+2), for any tier k.
Example 6.4 (Oracle). For a given input x and a given oracleπ , the program of Figure 4d computes whether there existsa unary integer π of size smaller than |x| such that π (π) = 0.This program is safe and can be typed by (1, 1, 0) under
the variable typing environment Ξ such that Ξ(x) = 1 andΞ(y) = Ξ(z) = 0. The constants 0 and 1 can be considered tobe neutral operators of zero arity and, hence, can be givenany tier smaller than the innermost tier. It is easy to verifythat the commands z := 1, skip, and x := pred(x) can be
A tier-based PL characterizing BFF2
typed by (0, 1, 1), (0, 1, 1), and (1, 1, 1), respectively, usingtyping rules (OP), (SK), and (A).The conditional subcommand can be typed as described
in Figure 8.The while loop will be typed using rule (π0). Conse-
quently, the inner command can be typed by (1, 1, 1) afterapplying subtyping once.
Notice that the equivalent program obtained by swappingx and y in the oracle input (i.e. π (x βΎ y)) is not typable asthe tier of x has to be strictly smaller than the innermost tierin typing rule (OR). Although this requirement restricts theexpressive power of the type system, it is strongly needed asit prevents uncontrolled loops on oracle outputs to occur. Inparticular, commands of the shape while(x > 0){x := π (x βΎx)} are rejected by the type system.
Note that the program of Figure 4d is typable as the oraclecalls are performed in a decreasing order and, hence, doesnot break the finite lookahead revision property presentedin Β§5.4.
Now consider the equivalent program of Figure 4e whereoracle calls are performed in increasing order. This programis not a safe program.
Suppose, by contradiction, that it can be typedwith respectto a safe operator typing environment. The innermost tier kof the commands under the while will be equal to the tierof the guard y >= x, independently of whether rule (W) orrule (W0) is used to type the while command.
Moreover, x has a tier kx such that k βͺ― kx, using rule (OP)on the guard and, by definition of safe typing environments.
Now suc1 is a positive operator and, consequently, by rule(OP) and, by definition of safe typing environments again,suc1 (x) has a tier ksuc1 (x) strictly smaller than the innermosttier, i.e. ksuc1 (x) βΊ k. By typing rule (A), in order to be typed,the command x := suc1 (x) enforces kx βͺ― ksuc1 (x) . Hence, weobtain a contradiction: k βΊ k.
Example 6.5 (Multiple tiers with oracle). The program ofFigure 4f computes the function Ξ£
maxππ₯=0 π (π₯)
π=0 π (π).This program can be typed by (3, 3, 0) under the variable
type assignment Ξ such that Ξ(x) = 3, Ξ(y) = Ξ(z) = 2,Ξ(v) = Ξ(w) = 1, and Ξ(u) = 0.The first while loop will be typed using rule (W0). Conse-
quently, its inner command is typed by (3, 3, 3). As the maxoperator is neutral, it can be given the type 2 β 2 β 2 βΞ(max) (3). The oracle call is typable as the input data y hasa tier strictly small than the innermost tier (3) and the inputbound has tier equal to the outermost tier (3).
The second while loop can be typed using rule (W0) afterapplying subtyping rule (SUB). Consequently, its inner com-mand is typed by (2, 2, 2). The oracle call is performed oninput data of strictly smaller tier (1) and on input bound oftier equal to the outermost tier (2). The inner while loop canbe typed using rule (W) and thus updates the innermost tier
to 1. Consequently, suc1 is enforced to be of tier 0 β 0 inthe inner command.
7 SoundnessIn this section, we show a soundness result: the type-2 simplytyped lambda-closure of programs in ST is included in theclass of basic feasible functionals BFF2 [Kapron and Cook1991, 1996; Mehlhorn 1976]. For that purpose, we use thecharacterization of [Kapron and Steinberg 2018] based onmoderately polynomial time (MPT) functionals. We showthat terminating and safe program can be simulated by oracleTuring machines with a polynomial step count and a finitelookahead revision. We discuss briefly the requirement ofthe lambda-closure in Β§7.2.
7.1 Moderately Polynomial Time FunctionalsWe consider oracle Turing machinesππ with one query tapeand one answer tape for oracle calls. If a query is written onthe query tape and the machine enters a query state, thenthe oracleβs answer appears on the answer tape in one step.
Definition 7.1. Given an oracle TMππ and an input a, letπ
ππ
a be the maximum of the size of the input a and of thebiggest oracle answer in the run of machine on input a withoracle π . A machineππ has:β’ a polynomial step count if there is a polynomial πsuch that for any input a and oracle π ,π runs in timebounded by π (πππ
a ).β’ a finite lookahead revision if there exists a naturalnumber π β N such that for any oracle and any input,in the run of the machine, it happens at most π timesthat a query is posed whose size exceeds the size of allprevious queries.
Definition 7.2 (Moderately Polynomial Time). MPT is theclass of second order functionals computable by an oracle TMwith a polynomial step count and finite lookahead revision.
The set of functionals over wordsW is defined to be theset of functions of type π1 β . . . β ππ β W, where theeach type ππ is defined inductively by π ::=W | π β π .Suppose given a countably infinite number of variables
π₯π , π¦π , . . ., for each type π . For a given class of functionalsπ , let _(π ) be the set of closed simply typed lambda-termsgenerated inductively as follows:β’ for each type π , variables π₯π , π¦π , . . . are terms,β’ each functional πΉ β π of type π is a term,β’ for any term π‘ of type π β² and variable π₯π , _π₯ .π‘ is a termof type π β π β²,β’ for any terms π‘ of type π β π β² and π of type π , π‘ π is aterm of type π β².
Each lambda-term of type π represents a functional of typeπ and terms are considered up to π½ and [ equivalence. Thelevel of a type is defined inductively by πππ£ (W) = 0 and
Hainry et al.
Ξ(x) = 1(V)
β’ x : (1, 1, 1)(OP)
β’ x > 0 : (1, 1, 1)
Ξ(x) = 1(V)
β’ x : (1, 1, 1)
Ξ(x) = 1(V)
β’ x : (1, 1, 1)(OP)
β’ pred(x) : (1, 1, 1)(A)
π13 β’ x := pred(x) : (1, 1, 1)
Ξ(y) = 0(V)
β’ y : (0, 1, 1)
Ξ(y) = 0(V)
β’ y : (0, 1, 1)(OP)
β’ suc1 (y) : (0, 1, 1) (A)π23 β’ y := suc1 (y) : (0, 1, 1) (SUB)β’ y := suc1 (y) (1, 1, 1) (S)
β’ x := pred(x); y := suc1 (y) : (1, 1, 1) (W0)β’ while(x > 0){x := pred(x); y := suc1 (y)} : (1, 1, 0)
Figure 5. Typing derivation of Example 6.1 (Figure 4a)
Ξ(z) = kz (V)β’ z : (kz, kππ, kππ’π‘ )
Ξ(y) = ky(V)
β’ y : (ky, kππ, kππ’π‘ )(A) provided that kz βͺ― ky
π13 β’ z := y : (kz, kππ, kππ’π‘ )(a) Derivation π1
Ξ(y) = ky(V)
β’ y : (ky, kππ, kππ’π‘ )ky β ky β Ξ(suc1) (kππ)
Ξ(y) = ky(V)
β’ y : (ky, kππ, kππ’π‘ )(OP)
β’ suc1 (y) : (ky, kππ, kππ’π‘ )(A)
π23 β’ y := suc1 (y) : (ky, kππ, kππ’π‘ )(b) Derivation π2
Ξ(z) = kz (V)β’ z : (kz, kβ²ππ, kππ’π‘ ) (OP)β’ z > 0 : (kππ, kβ²ππ, kππ’π‘ )
...(S)
β’ z := pred(z); y := suc1 (y) : (kππ, kππ, kππ’π‘ )(W)
π33 β’ while(z > 0){z := pred(z); y := suc1 (y)} : (kππ, kβ²ππ, kππ’π‘ )(c) Derivation π3
Figure 6. Typing derivation of Example 6.2 (Figure 4b)
πππ£ (π β π β²) = max(πππ£ (π) + 1, πππ£ (π β²)). For a given class offunctionals π , let π2 be the set of functionals of level 2.
Lemma 7.3 (Monotonicity). Given two classes π,π of func-tionals,if π β π then _(π )2 β _(π )2.
For a given functional πΉ of type π1 β . . .β ππ βW andvariablesππ of type ππ , we will use the notation πΉ (π1, . . . , ππ)as a shorthand notation for πΉ (π1) . . . (ππ).We are now ready to state the characterization of Basic
Feasible Functionals in terms of moderately polynomial timefunctions.
Theorem 7.4 ([Kapron and Steinberg 2018]).
_(MPT)2 = BFF2 .
7.2 Proof of soundnessAt this point we are able to give a clearer statement of therelationship between the size of a derivation for a safe pro-gram pπ and the running time of a corresponding sequentialexecution of pπ . To make this precise, the running time of
ππ for a given input π β W is just the number of steps thatit takes to terminate on with oracle π , starting with π on itsinput tape (or undefined if the computation does not termi-nate). Given a store `, this may appropriately be encoded bya single input π` . We then have
Proposition 7.5. Suppose that pπ is a safe program. Thereare an oracle TMππ and a polynomial π such that for anyderivation ππ : ` β¨ pπ β w, ππ on input π` simulates theexecution of pπ with initial store ` in time π (π ( |ππ |)).
Proof. By induction on the structure of the derivation. β‘
Theorem 7.6 (Soundness). _(JSTK)2 β BFF2.
Proof. First, we can show that JSTK β MPT using Theo-rem 5.5 and Theorem 5.8, and observing thatMPT is stablethrough oracle padding. By Lemma 7.3 and Theorem 7.4,_(JSTK)2 β _(MPT)2 = BFF2. β‘
Notice that the lambda-closure of JSTK is mandatory forcharacterizing BFF2 as it is well-known thatMPT is strictly
A tier-based PL characterizing BFF2
π1...(W0)
π13 β’ c1 : (2, 2, 0)
π2...(W0)
π23 β’ c2 : (2, 2, 0) (S)β’ c1; c2 : (2, 2, 0)
(a) Main derivation
Ξ(x) = 2(V)
β’ x : (2, 2, 2)(OP)
β’ x > 0 : (2, 2, 2)
π11...(A)
β’ x := pred(x) : (2, 2, 2)
π12...(A)
β’ y := suc1 (suc1 (y)) : (1, 2, 2) (SUB)β’ y := suc1 (suc1 (y)) : (2, 2, 2) (S)
β’ x := pred(x); y := suc1 (suc1 (y)) : (2, 2, 2) (W0)β’ c1 : (2, 2, 0)(b) Derivation π1
Ξ(y) = 1(V)
β’ y : (1, 2, 1)(OP)
β’ y > 0 : (1, 2, 1)
π21...(A)
β’ y := pred(y) : (1, 1, 1)
π22...(A)
β’ z := suc1 (suc1 (z)) : (0, 1, 1) (SUB)β’ z := suc1 (suc1 (z)) : (1, 1, 1) (S)
β’ y := pred(y); z := suc1 (suc1 (z)) : (1, 1, 1) (W0)β’ c2 : (1, 2, 0) (SUB)β’ c2 : (2, 2, 0)
(c) Derivation π2
Figure 7. Typing derivation of Example 6.3 (Figure 4c)
0β 1β 0 β Ξ(==) (1)
Ξ(y) = 0(V)
β’ y : (0, 1, 1)Ξ(x) = 1
(V)β’ x : (1, 1, 1)
(OR)β’ π (y βΎ x) : (0, 1, 1)
(OP)β’ 0 : (1, 1, 1)
(OP)β’ π (y βΎ x) == 0 : (0, 1, 1)
.
.
.(C)
β’ if(π (y βΎ x) == 0){z := 1} else {skip} : (0, 1, 1)
Figure 8. Typing derivation of example 6.4 (Figure 4d)
included in BFF2. In particular, the following example takenfrom [Kapron and Steinberg 2018] and computing a functionof BFF2 cannot be typed as all our oracle calls have inputbounds.
Example 7.7. The functional πΉ defined below is in BFF2 butnot in MPT.
πΉ (π, π) = π
πΉ (π, suc1 (π)) = π β¦ π (πΉ (π, π) βΎ π (π))
Consequently, πΉ is not in JSTK, since JSTK β MPT. Indeed,the outermost oracle call is performed without any oracleinput bound and clearly cannot be captured by typable pro-grams.
8 Completenesses at type-1 and type-2Completeness is demonstrated in two steps. First, we showthat each type 1 polynomial time computable function FP canbe computed by a terminating program in ST, with no oraclecalls. For that purpose, we show that the 2-tier sequentialversion of the type system of [Marion and PΓ©choux 2014],characterizing FP, is a strict subsystem of the type system ofFigure 3. Second, we show that the bounded iterator func-tional I β² of [Kapron and Steinberg 2019] can be simulatedby a terminating and typable program in ST. The complete-ness follows as the type-2 simply typed lambda-closure ofthe bounded iterator I β² and the functions of FP provides analternative characterization of BFF2.
Hainry et al.
8.1 A characterization of FPFor that purpose, we consider the 2-tier based characteriza-tion of FP in [Marion and PΓ©choux 2014], restricted to onesingle thread. Let πΌ, π½ be tier variables ranging over {0, 1}.The type system is provided in Figure 9, where πΌ stands forπΌ1 β . . .β πΌππ (op) , with πΌπ β {0, 1}.
In this particular context, the notion of 2-tier safe programis defined as follows. A 2-tier operator typing environmentΞ is a mapping that associates to each operator op a set ofoperator types Ξ(op), of the shape πΌ β πΌ , with πΌ β {0, 1}.
Definition 8.1. A program is 2-tier safe if it can be typedusing 2-tier operator typing environment Ξ satisfying, forany op β dom(Ξ), JππK β FP, op is either positive or neutral,and for each πΌ1 β . . .β πΌππ (op) β πΌ β Ξ(op):β’ πΌ βͺ― β§π=1,ππΌπ ,β’ and if op is positive but not neutral then πΌ = 0
Let 2ST be the set of 2-tier safe and terminating programs andJ2STK be the set of functions computed by these programs.
Theorem 8.2 (Theorem 7 of [Marion and PΓ©choux 2014]).
J2STK = FP.
Now we show the following inclusion.
Lemma 8.3. 2ST β ST.
Proof. By an easy induction on the type derivation. β‘
Let JSTK1 be defined as the set of type-1 functions com-puted by safe and terminating programs with no oracle calls,JSTK1 = {_π€.JpπK(π€) | π β pπ and pπ β ST}.
Theorem 8.4. FP = JSTK1 .
Proof. ByTheorem 8.2, for any function π in FP is computableby a 2-tier safe and terminating program pπ with no oraclecalls, i.e. π = _π€.JpπK(π€). By Lemma 8.3, pπ is in ST and,consequently, π β JSTK1. Conversely, by Corollary 5.6, ifpπ β ST then pπ has a polynomial step count. More precisely,if π β pπ and pπ β ST has a polynomial time step count andruns in time bounded by π ( |π€ |), for some polynomial π , asthere is no oracle call. Consequently, JSTK1 β FP. β‘
Note that the completeness part of the above Theorem(FP β JSTK1) can also be proved directly by simulating poly-nomials over unary numbers and Turing Machines with aprogram in ST as in the completeness proof of [Marion 2011].
8.2 Type two iteration[Kapron and Steinberg 2019] introduces a bounded iteratorfunctional I β² of type (W β W) β W β W β W β Wdefined by I β²(πΉ, π, π, π) = (_π₯ .πΉ (ππππ(π₯, π))) |π | (π), whereππππ is a functional of type W β W β W defined by
ππππ(π, π) ={π, if |π | < |π |,π, otherwise.
They use Cookβs notion [Cook 1992] of polynomial timereducibility to show that this functional is polynomial time-equivalent to the recursor R of [Cook and Urquhart 1993].As a consequence of Cook-Urquhart Theorem, the followingcharacterization is obtained.Theorem 8.5 ([Kapron and Steinberg 2019]).
_(FP βͺ {I β²})2 = BFF2 .
Theorem 8.6 (Type-2 completeness). BFF2 β _(JSTK)2.Proof. By Theorem 8.4, FP = JSTK1 β _(JSTK)1 as any func-tion π β JSTK1 is of the shape _π€.JpπK(π€), for pπ β ST, and,consequently π = (_π.π ) π β _(JSTK)1.
Now we show that I β² can be computed by a terminatingprogram in ST. For that purpose, assume that ππππ is an op-erator of our language. ππππ is neutral, by definition. Theprogram ππ‘π , written in Figure 11, computes the functional_π._π._π._π.I β²(π, π, π, π) and can be typed by (1, 1, 0), as de-scribed in Figure 10, under the typing environment Ξ suchthat Ξ(π) = Ξ(π) = 1, Ξ(x) = Ξ(π) = 0 and operator typingenvironment Ξ such that 0 β 1 β 0 β Ξ(ππππ) (1) and1β 1 β Ξ(> 0) (1), and 1β 1 β Ξ(pred) (1). Note that thesimulation uses the padded oracle variant π of π .As FP β _(JSTK)1 and I β² β JSTK. We have that _(FP βͺ{I β²})2 β _(JSTK)2 and the result follows by Theorem 8.5.
β‘
To illustrate the need of the type-2 lambda closure forachieving completeness, consider a variant of Example 7.7:
πΉ β²(π, π) = π
πΉ β²(π, suc1 (π)) = π β¦ π (ππππ(πΉ β²(π, π), π (π)))This functional is in BFF2 but neither in MPT nor in STas, by essence, it has no finite lookahead revision. Indeed,the outermost oracle call input data is not bounded and it-erated linearly in the input. However it can be computedby _π._π.(I β² (_π₯.π (π π₯)) π (π) π π) and is in _(JSTK)2, asI β² = Jππ‘πK β JSTK, ππ‘π being the program in the proof ofTheorem 8.6, and computes the functional _π._π.πΉ β²(π, π).
9 Other propertiesThe type system of Figure 3 enjoys several other propertiesof interest. First, completeness can be achieved using only 2tiers (at the price of a worst expressive power). Second, typeinference is decidable in polynomial time in the size of theprogram.
Let JSTkK be the subset of functional of JSTK computableby terminating and typable programs using tiers boundedby k. Formally, pπ β STk if and only if pπ is terminatingand Ξ,Ξ β’ pπ : (kβ², kβ²ππ, kβ²ππ’π‘ ) for a safe operator typingenvironment Ξ and a variable typing environment Ξ suchthat βx β V(pπ ), Ξ(x) βͺ― k.We can show that tiers allow strictly more expressive
power in terms of captured programs. However tiers greaterthan 1 are equivalent from an extensional point of view.
A tier-based PL characterizing BFF2
Ξ(x) = πΌ(V2)
Ξ,Ξ β’2 x : πΌ
βπ β€ π, Ξ,Ξ β’2 eπ : πΌπ πΌ β πΌ β Ξ(op)(OP2)
Ξ,Ξ β’2 op(e1, . . . , eππ (op) ) : πΌΞ,Ξ β’2 x : πΌ Ξ,Ξ β’2 e : π½ πΌ βͺ― π½
(A2)Ξ,Ξ β’2 x := e : πΌ
(SK2)Ξ,Ξ β’2 skip : πΌ
Ξ,Ξ β’2 c : πΌ Ξ,Ξ β’2 cβ² : π½(S2)
Ξ,Ξ β’2 c; cβ² : πΌ β¨ π½
Ξ,Ξ β’2 e : πΌ Ξ,Ξ β’2 c : πΌ Ξ,Ξ β’2 cβ² : πΌ (C2)Ξ,Ξ β’2 if(e){c} else {cβ²} : πΌ
Ξ,Ξ β’2 e : 1 Ξ,Ξ β’2 c : πΌ(W2)
Ξ,Ξ β’2 while(e){c} : 1
Figure 9. 2-tier-based type system for 2ST
...
Ξ(x) = 0(V)
β’ x : (0, 1, 1)
Ξ(x) = 0(V)
β’ x : (0, 1, 1)Ξ(π) = 1
(V)β’ π : (1, 1, 1)
(OP)β’ ππππ(x, π) : (0, 1, 1)
Ξ(π) = 1(V)
β’ π : (1, 1, 1)(OR)
β’ π (ππππ(x, π) βΎ π) : (0, 1, 1)(A)
β’ x := π (ππππ(x, π) βΎ π) : (0, 1, 1)(SUB)
β’ x := π (ππππ(x, π) βΎ π) : (1, 1, 1)...(S)
β’ x := π (ππππ(x, π) βΎ π); π := pred(π) : (1, 1, 1)(W0)
β’ while(π > 0){x := π (ππππ(x, π) βΎ π); π := pred(π)} : (1, 1, 0)
Figure 10. Program simulation I β²
x0 := π0;while(π β π)1{
x0 := π (ππππ(x, π)0 βΎ π1)0;π1 := pred(π)1}
}return x
Figure 11. Program ππ‘π
Proposition 9.1. The following properties hold:1. βk βͺ° 0, STk β STk+1,2. βk βͺ° 1, _(JSTkK)2 = BFF2.
Theorem 9.2. Given a program pπ and a safe operator typ-ing environment Ξ, deciding if there exists a variable typingenvironment Ξ such that pπ β ST can be done in time cubicin the size of the program.
Proof. Using a reduction to 2-SAT. β‘
10 Conclusion and future workWe have presented the first tractable characterization of theclass of type-2 polynomial time computable functionals BFF2based on a simple imperative programming language. Thischaracterization does not require any explicit or externalresource bound and its restriction to type-1 provides analternative characterization of the class FP.
The presented type system can be generalized to programswith a constant number of oracles (the typing rule for oraclesremains unchanged). However the lambda closure is manda-tory for completeness as illustrated by Example 7.7. An open
issue of interest is to get rid of this closure in order to obtaina characterization of BFF2 in terms of a pure imperative pro-gramming language. Indeed, in our context, programs canbe viewed as a simply typed lambda-terms with typable andterminating imperative procedure calls. One suggestion isto study to which extent oracle composition can be addeddirectly to the program syntax.Another issue of interest is to study whether this non-
interference based approach could be extended (or adaptedwithin the context of light logics) to characterize BFF2 in apurely functional language. We leave these open issues asfuture work.
AcknowledgmentsThe authors would like to thank the anonymous referees fortheir feedback. Kapron was supported in part by a NSERCDiscovery Grant.
ReferencesBengt Aspvall, Michael F. Plass, and Robert Endre Tarjan. 1979. A linear-time
algorithm for testing the truth of certain quantified boolean formulas.Inform. Process. Lett. 8, 3 (1979), 121β123. https://doi.org/10.1016/0020-0190(79)90002-4
Patrick Baillot and Ugo Dal Lago. 2016. Higher-order interpretations andprogram complexity. Inf. Comput. 248 (2016), 56β81. https://doi.org/10.1016/j.ic.2015.12.008
Patrick Baillot and DamianoMazza. 2010. Linear logic by levels and boundedtime complexity. Theor. Comput. Sci. 411, 2 (2010), 470β503. https://doi.org/10.1016/j.tcs.2009.09.015
Patrick Baillot and Kazushige Terui. 2004. Light Types for Polynomial TimeComputation in Lambda-Calculus. In Logic in Computer Science, LICS2004. IEEE, 266β275. https://doi.org/10.1109/LICS.2004.1319621
Hainry et al.
Stephen Bellantoni and Stephen Cook. 1992. A New Recursion-TheoreticCharacterization of the Polytime Functions. Computational Complexity2 (1992), 97β110. https://doi.org/10.1007/BF01201998
Amir M. Ben-Amram, Neil D. Jones, and Lars Kristiansen. 2008. Linear,Polynomial or Exponential? Complexity Inference in Polynomial Time.In Logic and Theory of Algorithms. Springer, 67β76.
Guillaume Bonfante, Jean-Yves Marion, and Jean-Yves Moyen. 2011. Quasi-interpretations a way to control resources. Theor. Comput. Sci. 412, 25(2011), 2776β2796. https://doi.org/10.1016/j.tcs.2011.02.007
Alan Cobham. 1965. The intrinsic computational difficulty of functions. InProceedings of the International Conference on Logic, Methodology, andPhilosophy of Science, Y. Bar-Hillel (Ed.). North-Holland, Amsterdam,24β30.
Robert L. Constable. 1973. Type two computational complexity. In Proc.5th annual ACM Symposium on Theory of Computing. ACM, 108β121.https://doi.org/10.1145/800125.804041
Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2006. TERMI-NATOR: beyond safety. In International Conference on Computer AidedVerification. Springer, 415β418. https://doi.org/10.1007/11817963_37
Stephen A Cook. 1992. Computability and complexity of higher typefunctions. In Logic from Computer Science. Springer, 51β72. https://doi.org/10.1007/978-1-4612-2822-6_3
Stephen A. Cook and Bruce M. Kapron. 1989. Characterizations of thebasic feasible functionals of finite type. In 30th Annual Symposium onFoundations of Computer Science (FOCS 1989). IEEE, 154β159. https://doi.org/10.1109/SFCS.1989.63471
Stephen A. Cook and Alasdair Urquhart. 1993. Functional interpretationsof feasibly constructive arithmetic. Ann. Pure Appl. Logic 63, 2 (1993),103β200. https://doi.org/10.1016/0168-0072(93)90044-E
Norman Danner and James S. Royer. 2006. Adventures in time and space. InProceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages, POPL 2006. ACM, 168β179. https://doi.org/10.1145/1111037.1111053
Shimon Even, Alon Itai, and Adi Shamir. 1976. On the Complexity ofTimetable and Multicommodity Flow Problems. SIAM J. Comput. 5, 4(1976), 691β703. https://doi.org/10.1137/0205048
Hugo FΓ©rΓ©e, Emmanuel Hainry, Mathieu Hoyrup, and Romain PΓ©choux.2015. Characterizing polynomial time complexity of stream programsusing interpretations. Theor. Comput. Sci. 585 (2015), 41β54. https://doi.org/10.1016/j.tcs.2015.03.008
Marco Gaboardi, Jean-Yves Marion, and Simona Ronchi Della Rocca. 2008.A logical account of pspace. In Proceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008.ACM, 121β131. https://doi.org/10.1145/1328438.1328456
Jean-Yves Girard. 1998. Light Linear Logic. Inf. Comput. 143, 2 (1998),175β204. https://doi.org/10.1006/inco.1998.2700
Emmanuel Hainry, Jean-Yves Marion, and Romain PΓ©choux. 2013. Type-based complexity analysis for fork processes. In International Conferenceon Foundations of Software Science and Computational Structures (FoSSaCS2013). Springer, 305β320. https://doi.org/10.1007/978-3-642-37075-5_20
Emmanuel Hainry and Romain PΓ©choux. 2015. Objects in Polynomial Time.In Programming Languages and Systems - 13th Asian Symposium, APLAS2015 (Lecture Notes in Computer Science). Springer, 387β404. https://doi.org/10.1007/978-3-319-26529-2_21
Emmanuel Hainry and Romain PΓ©choux. 2017. Higher order interpretationfor higher order complexity. In LPAR-21, 21st International Conference onLogic for Programming, Artificial Intelligence and Reasoning. EasyChair,269β285. https://doi.org/10.29007/1tkw
Petr HΓ‘jek. 1979. Arithmetical Hierarchy and Complexity of Computation.Theor. Comput. Sci. 8 (1979), 227β237.
Robert J. Irwin, James S. Royer, and Bruce M. Kapron. 2001. On characteri-zations of the basic feasible functionals (Part I). J. Funct. Program. 11, 1(2001), 117β153. https://doi.org/10.1017/S0956796800003841
Neil D. Jones and Lars Kristiansen. 2009. A Flow Calculus of Mwp-boundsfor Complexity Analysis. ACM Trans. Comput. Logic 10, 4 (2009), 28:1β28:41. https://doi.org/10.1145/1555746.1555752
Bruce M. Kapron and Stephen A. Cook. 1991. A New Characterization ofMehlhornβs Polynomial Time Functionals (Extended Abstract). In 32ndAnnual Symposium on Foundations of Computer Science, San Juan, PuertoRico, 1-4 October 1991. IEEE, 342β347. https://doi.org/10.1109/SFCS.1991.185389
Bruce M. Kapron and Stephen A. Cook. 1996. A New Characterizationof Type-2 Feasibility. SIAM J. Comput. 25, 1 (1996), 117β132. https://doi.org/10.1137/S0097539794263452
Bruce M. Kapron and Florian Steinberg. 2018. Type-two polynomial-timeand restricted lookahead. In Logic in Computer Science, LICS 2018. ACM,579β588. https://doi.org/10.1145/3209108.3209124
Bruce M. Kapron and Florian Steinberg. 2019. Type-two iteration withbounded query revision. In Proceedings Third Joint Workshop on Develop-ments in Implicit Computational complExity and Foundational & PracticalAspects of Resource Analysis, DICE-FOPARA@ETAPS 2019 (EPTCS). 61β73.https://doi.org/10.4204/EPTCS.298.5
Akitoshi Kawamura and Florian Steinberg. 2017. Polynomial Running Timesfor Polynomial-Time Oracle Machines. In 2nd International Conferenceon Formal Structures for Computation and Deduction, FSCD 2017. SchlossDagstuhl - Leibniz-Zentrum fuer Informatik, 23:1β23:18. https://doi.org/10.4230/LIPIcs.FSCD.2017.23
Chin Soon Lee, Neil D. Jones, and Amir M. Ben-Amram. 2001. The size-change principle for program termination. In Conference Record of POPL2001: The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Pro-gramming Languages. ACM, 81β92. https://doi.org/10.1145/360204.360210
Daniel Leivant. 1995. Ramified recurrence and computational complexityI: Word recurrence and poly-time. In Feasible Mathematics II, PeterClote and Jeffrey B. Remmel (Eds.). BirkhΓ€user, Boston, MA, 320β343.https://doi.org/10.1007/978-1-4612-2566-9_11
Daniel Leivant and Jean-Yves Marion. 2013. Evolving Graph-Structures andTheir Implicit Computational Complexity. In Automata, Languages, andProgramming - 40th International Colloquium, ICALP 2013, Proceedings,Part II (Lecture Notes in Computer Science). Springer, 349β360. https://doi.org/10.1007/978-3-642-39212-2_32
Daniel Leivant and Jean-Yves Marion. 1993. Lambda Calculus Characteriza-tions of Poly-Time. Fundam. Inform. 19, 1/2 (1993), 167β184.
Jean-Yves Marion. 2011. A Type System for Complexity Flow Analysis. InLogic in Computer Science, LICS 2011. IEEE Computer Society, 123β132.https://doi.org/10.1109/LICS.2011.41
Jean-Yves Marion and Romain PΓ©choux. 2014. Complexity Information Flowin a Multi-threaded Imperative Language. In Theory and Applications ofModels of Computation, TAMC 2014 (Lecture Notes in Computer Science).Springer, 124β140. https://doi.org/10.1007/978-3-319-06089-7_9
Kurt Mehlhorn. 1976. Polynomial and abstract subrecursive classes. J.Comp. Sys. Sci. 12, 2 (1976), 147β178. https://doi.org/10.1016/S0022-0000(76)80035-9
John C Mitchell. 1991. Type inference with simple subtypes. J. Funct.Program. 1, 3 (1991), 245β285.
Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A sound typesystem for secure flow analysis. Journal of computer security 4, 2-3 (1996),167β187. https://doi.org/10.3233/JCS-1996-42-304