Results 1 - 10 of 14
Proving Security Protocols With Model Checkers By Data Independence Techniques, 1999
Cited by 54 (9 self)
Model checkers such as FDR have been extremely effective in checking for, and finding, attacks on cryptographic protocols -- see, for example [16, 20] and many of the papers in [7]. Their use in proving protocols has, on the other hand, generally been limited to showing that a given small instance, usually restricted by the finiteness of some set of resources such as keys and nonces, is free of attacks. While for specific protocols there are frequently good reasons for supposing that this will find any attack, it leaves a substantial gap in the method. The purpose of this paper is to show how techniques borrowed from data independence and related fields can be used to achieve the illusion that nodes can call upon an infinite supply of different nonces, keys, etc., even though the actual types used for these things remain finite. It is thus possible to create models of protocols in which nodes do not have to stop after a small number of runs, and to claim that a finite-state r...
Types, Abstraction, and Parametric Polymorphism, Part 2, 1991
Cited by 53 (2 self)
The concept of relations over sets is generalized to relations over an arbitrary category, and used to investigate the abstraction (or logical-relations) theorem, the identity extension lemma, and parametric polymorphism, for Cartesian-closed-category models of the simply typed lambda calculus and PL-category models of the polymorphic typed lambda calculus. Treatments of Kripke relations and of complete relations on domains are included.
On functors expressible in the polymorphic typed lambda calculus - Logical Foundations of Functional Programming, 1990
Cited by 16 (1 self)
This is a preprint of a paper that has been submitted to Information and Computation.
Structuring Specifications in-the-Large and in-the-Small: Higher-Order Functions, Dependent Types and Inheritance in SPECTRAL - PROC. COLLOQ. ON COMBINING PARADIGMS FOR SOFTWARE DEVELOPMENT, JOINT CONF. ON THEORY AND PRACTICE OF SOFTWARE DEVELOPMENT (TAPSOFT
Models for Persistence in Lazy Functional Programming Systems, 1993
Cited by 8 (0 self)
Research into providing support for long term data in lazy functional programming systems is presented in this thesis. The motivation for this work has been to reap the benefits of integrating lazy functional programming languages and persistence. The benefits are:
- the programmer need not write code to support long term data since this is provided as part of the programming system
- persistent data can be used in a type safe way since the programming language type system applies to data with the whole range of persistence
- the benefits of lazy evaluation are extended to the full lifetime of a data value. Whilst data is reachable, any evaluation performed on the data persists. A data value changes monotonically from an unevaluated state towards a completely evaluated state over time.
- interactive data intensive applications such as functional databases can be developed.
These benefits are realised by the development of models for persistence in lazy functional programming systems. Tw...
Abstraction preservation and subtyping in distributed languages - In Proc. ICFP, 2006
Cited by 8 (2 self)
Abstract types are a powerful feature of modern programming languages. They arise when the implementation of a collection of types and accompanying functions, often called a module, is partly hidden by an interface. The creation and manipulation of an abstract data type are then constrained by the functions declared in its interface.
A New Paradox in Type Theory - Logic, Methodology and Philosophy of Science IX : Proceedings of the Ninth International Congress of Logic, Methodology, and Philosophy of Science, 1994
Cited by 7 (0 self)
this paper is to present a new paradox for Type Theory, which is a type-theoretic refinement of Reynolds' result [24] that there is no set-theoretic model of polymorphism. We then discuss one application of this paradox, which shows unexpected connections between the principle of excluded middle and the axiom of description in impredicative Type Theories.
Non-parametric Parametricity - UNDER CONSIDERATION FOR PUBLICATION IN J. FUNCTIONAL PROGRAMMING, 2010
Cited by 7 (1 self)
Type abstraction and intensional type analysis are features seemingly at odds—type abstraction is intended to guarantee parametricity and representation independence, while type analysis is inherently non-parametric. Recently, however, several researchers have proposed and implemented “dynamic type, one should also be able to generate at run time a fresh type name, which may be used as a dynamic representative of the abstract type for purposes of type analysis. The question remains: in a language with non-parametric polymorphism, does dynamic type generation provide us with the same kinds of abstraction guarantees that we get from parametric polymorphism? Our goal is to provide a rigorous answer to this question. We define a step-indexed Kripke logical relation for a language with both non-parametric polymorphism (in the form of type-safe cast) and dynamic type generation. Our logical relation enables us to establish parametricity and representation independence results, even in a non-parametric setting, by attaching arbitrary relational interpretations to dynamically-generated type names. In addition, we explore how programs that are provably equivalent in a more traditional parametric logical relation may be “wrapped” systematically to produce terms that are related by our non-parametric relation, and vice versa. This leads us to a novel “polarized” form of our logical relation, which enables us to distinguish formally between positive and negative notions of parametricity.
An Introduction to Polymorphic Lambda Calculus - Logical Foundations of Functional Programming, 1994
Cited by 4 (0 self)
Introduction to the Polymorphic Lambda Calculus. John C. Reynolds, Carnegie Mellon University, December 23, 1994. The polymorphic (or second-order) typed lambda calculus was invented by Jean-Yves Girard in 1971 [11, 10], and independently reinvented by myself in 1974 [24]. It is extraordinary that essentially the same programming language was formulated independently by the two of us, especially since we were led to the language by entirely different motivations. In my own case, I was seeking to extend conventional typed programming languages to permit the definition of "polymorphic" procedures that could accept arguments of a variety of types. I started with the ordinary typed lambda calculus and added the ability to pass types as parameters (an idea that was "in the air" at the time, e.g. [4]). For example, as in the ordinary typed lambda calculus one can write $\lambda f : \mathrm{int} \to \mathrm{int}.\ \lambda x : \mathrm{int}.\ f(f(x))$ to denote the "doubling" function for the type int, which accepts a function from integers
Logical Relations and Data Abstraction - Proc. Computer Science Logic, CSL 2000, Fischbachau. Springer LNCS 1862, 1996
Cited by 4 (1 self)
We prove, in the context of simple type theory, that logical relations are sound and complete for data abstraction as given by equational specifications. Specifically, we show that two implementations of an equationally specified abstract type are equivalent if and only if they are linked by a suitable logical relation. This allows us to introduce new types and operations of any order on those types, and to impose equations between terms of any order. Implementations are required to respect these equations up to a general form of contextual equivalence, and two implementations are equivalent if they produce the same contextual equivalence on terms of the enlarged language. Logical relations are introduced abstractly, soundness is almost automatic, but completeness is more difficult, achieved using a variant of Jung and Tiuryn's logical relations of varying arity. The results are expressed and proved categorically.