Bounded Linear Logic, Revisited

We present QBAL, an extension of Girard, Scedrov and Scott's bounded linear logic. The main novelty of the system is the possibility of quantifying over resource variables. This generalization makes bounded linear logic considerably more flexible, while preserving soundness and completeness for polynomial time. In particular, we provide compositional embeddings of Leivant's RRW and Hofmann's LFPL into QBAL.


Introduction
After two decades from the pioneering works that started it [3,12,13], implicit computational complexity is now an active research area at the intersection of mathematical logic and computer science.Its aim is the study of machine-free characterizations of complexity classes.The correspondence between an ICC system and a complexity class holds only extensionally, i.e., the class of functions (or problems) which are representable in the system equals the complexity class.Usually, the system is a fragment or subsystem of a larger programming language or logical system, the base system, in which other functions besides the ones in the complexity class can be represented.Sometimes, one of the two inclusions is shown by proving that any program (or proof) can be reduced with a bounded amount of resources; in this case, we say that the system is intensionally sound.On the other hand, ICC systems are very far from being intensionally complete: there are many programs (or proofs) in the base system which are not in the ICC system, even if they can be evaluated with the prescribed complexity bounds.Observe that this does not contradict extensional completeness, since many different programs or proofs compute the same function.
Of course, a system that captures all and only the programs of the base system running within a prescribed complexity bound will in all but trivial cases (e.g., empty base system) fail to be recursively enumerable.Thus, in practice, one strives to improve intensional expressivity by capturing important classes of examples and patterns.
An obstacle towards applying ICC characterizations of complexity classes to programming language theory is their poor intensional expressive power: most ICC systems do not capture natural programs and therefore are not useful in practice.This problem has been already considered in the literature.Some papers try to address the poor intensional expressive power of ICC systems by defining new languages or logics allowing to program in ways which are not allowed in existing ICC systems.This includes quasi-interpretations [14] and LFPL, by the second author [9].Other papers analyze the intensional expressive power of existing systems either by studying necessary conditions on captured programs or, more frequently, by studying relations between existing ICC systems.One nice example is Murawski and Ong's paper [15], in which the authors prove that a subsystem BC − of Bellantoni and Cook's function algebra BC [3] can be embedded into light affine logic [1] and that the embedding cannot be extended to the whole BC.In this work, we somehow combine the two approaches, by showing that: • A new logical system, called Quantified Bounded Affine Logic (QBAL for short) can be defined as a generalization of Girard, Scedrov and Scott's bounded linear logic (BLL, [7]), itself the first characterization of polynomial time computable functions as a fragment of Girard's linear logic [5].• QBAL is intensionally at least as expressive as two heterogeneous, existing systems, namely Leivant's RRW [13] and LFPL.
Bounded linear logic has received relatively little attention in the past [10,16].This is mainly due to its syntax, which is more involved than the one of other complexityrelated fragments of linear logic appeared more recently [6,11,4].In bounded linear logic, polynomials are part of the syntax and, as a consequence, computation time is controlled explicitly; in other words, BLL cannot be claimed to be a truly implicit characterization of polynomial time.Moreover, it seems that BLL is not expressive enough to embed any existing ICC system corresponding to polynomial time (except Lafont's SLL [11], which anyway was conceived as a very small fragment of BLL).
QBAL is obtained by endowing BLL with bounded quantification on resource variables.In other words, formulas of QBAL includes the ones of BLL, plus formulas like ∃x : {x ≤ y 2 }.A or ∀x, y : {x ≤ z, y ≤ z 3 }.B.Rules governing bounded quantification can be easily added to BLL, preserving its good properties: QBAL is still a characterization of the polytime functions in an extensional sense.Bounded quantification on resource variables, on the other hand, has tremendous consequences from an intensional point of view: both RRW and LFPL can be compositionally embedded into QBAL.This means, arguably, that programs in either RRW or LFPL can be rewritten in QBAL without major changes, i.e., by mimicking their syntactic structure.Similar results are unlikely to hold for BLL, as argued in sections 6 and 7 below.
Logical systems like QBAL or BLL cannot be considered as practical programming languages, although proofs can be interpreted as programs in the sense of Curry and Howard: the syntax is too complicated and the potential programmer would have to provide quantitative information in the form of polynomials while writing programs.On the other hand, considering BLL or QBAL as type systems for the (linear) lambda calculus is interesting, although type inference would be undecidable in general.In this paper, we advocate the usefulness of QBAL as an intermediate language in which to prove soundness results about other ICC systems.
For all these reasons, QBAL is not just another system capturing polynomial time computable functions.
The rest of this paper is organized as follows: • In Section 2 the syntax of QBAL is introduced, and some interesting properties of the system are proved, together with some examples on how to write programs as proofs of QBAL.• Section 3 introduces a set-theoretic semantics for QBAL, which is exploited in Section 4 to show polytime soundness of the system.• Section 5 contains some informal discussion about compositional embeddings.

Syntax
In this section, we present the syntax of QBAL, together with some of its main properties.
In the following, we adhere to the notation adopted in the relevant literature on BLL [7,10].
2.1.Resource Polynomials and Constraints.Polynomials appears explicitly in the formulas of QBAL, exactly as in BLL.A specific notation for polynomials was introduced in [7], and will be adopted here.In the following, N is the set of natural numbers.Sometimes, we use the vector notation x, which stands for the sequence x 1 , . . ., x n , where n is assumed to be known from the context.
• Given a set X of resource variables, a resource monomial over X is any finite product of binomial coefficients where the resource variables x 1 , . . ., x m are pairwise distinct and n 1 , . . ., n m are natural numbers.• A resource polynomial over X is any finite sum of monomials over X. FV (p) denotes the set of resource variables in a resource polynomial p.
Resource polynomials are notations for polynomials with rational coefficients.However, by construction, every resource polynomial maps natural numbers to natural numbers.An example of a resource polynomial on {x} (actually a monomial) is Resource polynomials satisfy some nice closure properties: Lemma 2.2.All constant functions and the identity are resource polynomials.Moreover, resource polynomials are closed under binary sums, binary products, composition, and bounded sums.
Proof.Every constant function n is simply the resource polynomial 1 + . . .+ 1 The identity is the resource polynomial x 1 .
Closure under binary sums is trivial.To prove closure under products, it suffices to show that the product of two monomials (on the same variable) is a resource polynomial, but this boils down to show that the product of two binomial coefficients x n and x m can be expressed itself as a resource polynomial.Actually, if m ≤ n, then where p is a resource polynomial not mentioning the variable y (but possibly mentioning x) can be formed by observing that Closure by composition can be proved similarly.
As a consequence, every polynomial with natural number coefficients is a resource polynomial.The main reason why resource polynomials were originally chosen as a notation for polynomials in BLL [7] was closure under bounded sums, a property which is not true in more traditional notation schemes.We follow the original paper here.
Already in BLL, an order relation on resource polynomials is an essential ingredient in defining the syntax of formulas and proof.In QBAL, the notion is even more important: two polynomials can be compared unconditionally or with an implicit assumption in the form of a set of constraints.

Definition 2.3 (Constraints).
• A constraint is an inequality in the form p ≤ q, where p and q are resource polynomials.
A constraint p ≤ q holds (and we write |= p ≤ q) if it is true in the standard model.The expression p < q stands for the constraint p + 1 ≤ q.Variables in p appear negatively, while those in q appear positively in every constraint p ≤ q. • A constraint set is a finite set of constraints.Constraint sets are denoted with letters like C , D or E .A constraint p ≤ q is a consequence of a constraint set C (and we write C |= p ≤ q) if p ≤ q is logical consequence of C .For every constraint sets C and D, C |= D iff C |= p ≤ q for every constraint p ≤ q in D.
• For each constraint set C , we define an order ⊑ C on resource polynomials by imposing p ⊑ C q iff C |= p ≤ q.
Resource polynomials are ordered extensionally: p ≤ q holds if p is smaller than q in the standard model of arithmetic.This definition is different from the one from [7] which is weaker but syntactical, defining p to be smaller or equal to q if and only if q − p is itself a resource polynomial.This choice is motivated by the necessity of reasoning about resource polynomials under some assumptions in a constraint set.On the other hand, it has some consequences for the decidability of type checking, discussed in Section 2.
where x / ∈ FV (p), α ranges over a countable class of atoms (each with an arity n).We will restrict ourselves to bounded first order quantification.In other words, whenever we write ∀(x 1 , . . ., x n ) : C .A or ∃(x 1 , . . ., x n ) : C .A we implicitly assume that for every i there is a resource polynomial p i not containing the variables x 1 , . . ., x n such that C |= {x 1 ≤ p 1 , . . ., x n ≤ p n }.
Checking the boundedness condition on formulas is undecidable in general (see Section 2.4 for further discussion).The notions of a free atom or a free resource variable in a formula are defined as usual, keeping in mind that ∀x, ∃x and !x<p act as binders for resource variables, while ∀α acts as a binder for atoms.
Notice that resource polynomials and the variables in them can occur inside constraints, constraint sets and formulas.The following definition becomes natural: Definition 2.6 (Positive and Negative Occurrences).The definition of a positive (or negative) free occurrence of a variable in a formula A proceeds by induction on A: • All the variables in FV (p 1 ) ∪ . . .∪ FV (p n ) occur positively in α(p 1 , . . ., p n ).
• Polarities are propagated through compound formulas by noting that ⊸ is negative in the first slot, !x<p is negative in p and ∀x:C is negative in C .All other slots are positive.We omit the detailed definition.
For example, the first occurrence of x in ∀y:{y≤x}.β(z)⊸ α(x, y) is negative while the second one is positive; the only occurrence of z is negative; all occurrences of y are bound.
When resource variables occur positively in a formula, one can substitute the formula for an atom in another formula: Definition 2.7 (Substitution).Let B be a formula where the free variables x 1 , . . ., x n occur only positively.Then A{B/α(x 1 , . . ., x n )} denotes the formula obtained by replacing every free occurrence of α(p 1 , . . ., p n ) with B{p 1 /x 1 , . . ., p n /x n } inside A.
As an example , if A is α(p) ⊸ α(p + 1) and B is ∃x : {x ≤ y}.β(y), then A{B/α(y)} is (∃x : {x ≤ p}.β(p)) ⊸ (∃x : {x ≤ p + 1}.β(p + 1)).Formulas can be compared with respect to assumptions in the form of a constraint set: Definition 2.8 (Ordering Formulas).The order ⊑ C on resource polynomials can be extended to an order on formulas as follows: Please observe that if A ⊑ C B, then A and B have the same "logical skeleton" and only differ in the corresponding resource polynomials and constraint sets.Resource polynomials in positive position are smaller in A, while those in negative position are smaller in B.Moreover, constraint sets in positive position are stronger in A, while those in negative position are stronger in B. Consider, as an example, the constraint set C = {x ≤ y + 1}.It is easy to check that Intuitively, ⊑ C can be seen as a subtyping relation such that subtypes of a formula A are those formulas which are "smaller" than A whenever the constraints in C hold.This is in accordance to, e.g., the way ⊑ C is defined on implicational formulas, which is very reminiscent of the usual rule defining subtyping for arrow types.
The order relations ⊑ C satisfy some basic properties: Lemma 2.9 (Strengthening and Transitivity).
Proof.Strengthening can be proved by an induction on A. Some cases: Transitivity can be handled itself by induction on the structure of A. Some cases: Some other auxiliary results about the relations ⊑ C will be useful in the following.We give them here.First of all, we can perform substitution of resource polynomials for resource variables in formulas being sure that the underlying order is preserved: Lemma 2.10 (Monotonicity, I).If A is a formula where the variables x 1 , . . ., x n occur only positively (negatively, respectively), p i ⊑ C q i for every i and On the other hand, the same polynomial can be substituted in formulas, again preserving the underlying order: Proof.By induction on A. Some interesting cases:  Finally, substitution of formulas for atoms preserves itself the order ⊑ C : Lemma 2.12 (Monotonicity, III).If C is a formula where the free variables x 1 , . . ., x n occur only positively, α is an atom with arity n and A ⊑ C B, then A{C/α} ⊑ C B{C/α}.
Proof.By induction on A. Some cases: The thesis easily follows from Lemma 2.10.

Rules.
A QBAL judgement is an expression in the form Γ ⊢ C A, where C is a constraint set, Γ is a multiset of formulas and A is a formula.The meaning of such an expression is the following: A is a consequence of the formulas in Γ, provided the constraints in C hold.
Rules of inference for QBAL are in Figure 1.All rules except first order ones are the natural generalizations of BLL rules.In particular, observe that the only rules modifying the underlying constraint set(s) are P !, R ∀x , L ∀x , R ∃x and L ∃x .The multiplicative connectives are governed by the usual rules from intuitionistic linear logic.The modality !, on the other hand, is a functor governed by the following axioms, which come from BLL: Moreover, given a constraint set C , it holds that !p A ⊸! q A whenever q ⊑ C p. Weakening holds for every formula, contrary to what happens in BLL; as is usual in systems derived from linear logic, this does not break good quantitative properties like polynomial time soundness.Rules W , X, P !, D ! and N !capture the just described behaviour.Observe how rule P !allows to take advantage of the inequality x < q in the premise.
First order quantification on resource variables, on the other hand, is governed by the four inference rules R ∀x , L ∀x , R ∃x and L ∃x .Let us consider, as an example, rule R ∀x , which can be read as follows: if A can be inferred from Γ provided C ∪ D hold and the variables x do not appear in Γ nor in C , then A holds for every value of x satisfying C .Notice that BLL can be embedded into QBAL: for every BLL proof π : Γ ⊢ A, there is a QBAL proof π : Γ ⊢ ∅ A: this can be proved by an easy induction on π.

Axiom and Cut
If π is a proof of QBAL, then |π| is the number of rule instances in π.
2.4.On Decidability of Proof Checking.The problem of checking the correctness of a proof is undecidable in QBAL, since the correctness of a formula is itself an undecidable problem: remember that a formula like ∃x : C .A is correct only if an inequality x ≤ p can be deduced from C for some polynomial p.Moreover, the relation |= between constraint sets is undecidable.This is in contrast to what happens in more implicit ICC systems or in BLL itself, where conditional equality ⊑ C is replaced by unconditional inequality and p ≤ q iff q − p is a resource polynomial.
We do not see undecidability of proof checking as a fundamental problem of QBAL for at least two reasons: • On the one hand, the main role of QBAL is the one of a metasystem in which to prove quantitative properties of other systems.As a consequence, it is crucial to keep the system as expressive as possible.• On the other hand, simple, decidable fragments of QBAL can possibly be built by considering decidable, although necessarily incomplete, formal systems for assertions in the form C ⊢ p ≤ q (or, more generally, C ⊢ D) and by imposing that bounds on quantified variables are given explicitly when forming existential or universal formulas.This, however, is a topic outside the scope of this paper, which we leave for future work.The way we define QBAL is, in other words, similar to the one Xi adopts when he introduces Dependent ML [19].
2.5.QBAL and Second Order Logic.Second order intuitionistic logic can be presented as a context-independent sequent calculus with explicit structural rules [17], LJ.Rules of LJ are in Figure 2.There is a forgetful map [•] from the space of QBAL proofs to the space of LJ proofs.In particular ⊸ corresponds to → and ⊗ corresponds to ∧. Essentially, [π] has the same structure as π, except for exponential and first order rules, which have no formal correspondence in LJ.From our point of view, if [π] = [ρ], then π and ρ correspond to the same program, i.e.QBAL can be seen as a proper decoration of second order logic proofs with additional information which is not necessary to perform the underlying computation.

Axiom, Cut and Structural Rules
Properties.QBAL inherits some nice properties from BLL.In particular, proofs can be manipulated in a uniform way by altering their conclusion without changing their structure, i.e., without changing the underlying second order logic proof.First of all, a useful transformation is the strengthening of the underlying constraint set C : Proof.An easy induction on π.As an example, if π consists of an instance of rule A, then the thesis follows from Lemma 2.9.As another example, take a proof π : Γ ⊢ C ∀x : D.A obtained from ρ : Γ ⊢ C ∪E A applying rule R ∀x .We can assume without losing generality that x / ∈ FV (D).From D |= C , it follows that D ∪ E |= C ∪ E , from which the thesis easily follows.
QBAL is monotone with respect to the relation ⊑ C on formulas.

Proposition 2.14 (Monotonicity). If
Proof.By induction on |π|.Some interesting cases are the following ones: By definition, q i ⊑ D r i for every i and s ⊑ D p.By the side condition to the premise of π (and by transitivity of ⊑ D ), we obtain s ⊑ D r i for every i.Moreover, we have C i ⊑ D∪{x<q i } A i for every i and B ⊑ D∪{x<s} D. This implies C i ⊑ D∪{x<s} A i for every i, because and by Lemma 2.9.Now, since D ∪ {x < s} |= D ∪ {x < p} |= C , we can obtain, by Proposition 2.13, a proof σ of A 1 , . . ., A n ⊢ D∪{x<s} B such that |σ| < |π|.Then, we can easily apply the induction hypothesis on σ and conclude.This concludes the proof.
Another useful transformation on proofs is the substitution of resource polynomials for free variables.Proof.By induction on π.An interesting case is the following one: But formulas themselves can be substituted (for atoms) into a proof: Proposition 2.16 (Substitution for Atoms).If π : A 1 , . . ., A n ⊢ C B is a proof, C is a formula where the free variables x 1 , . . ., x m occur only positively and α is an atom with arity m, then there is a proof π{C/α} : A 1 {C/α}, . . ., A n {C/α} ⊢ C B{C/α} such that Proof.By induction on π.Some interesting cases are the following ones: α} by Lemma 2.12.As a consequence: where, without losing generality, y can be chosen as fresh variables not appearing among the ones in x nor in C. Applying the induction hypothesis to ρ, we obtain a proof of Γ{C/α} ⊢ C D{q/y}{C/α}.But, by the assumptions above, D{q/y}{C/α} = D{C/α}{q/y}.
The thesis follows.
• Suppose that π is where, as usual, y can be chosen as fresh variables not appearing among the ones in x, nor in C. Applying the induction hypothesis to ρ, we obtain a proof of Γ{C/α}, D{C/α} ⊢ C ∪D E{C/α}.
By the assumptions above, variables in y do not appear free in Γ{C/α} nor in E{C/α} nor in C {C/α}: they are either in Γ, E, C or in C. The thesis follows.This concludes the proof.2.7.Cut-Elimination.A nice application of the results we have just given is cut-elimination.Indeed, the new rules R ∀x , L ∀x , R ∃x and L ∃x do not cause any problem in the cut-elimination process.For example, the cut can be eliminated as follows: where σ is obtained by applying Proposition 2.13 to π{p/x} : Γ ⊢ C ∪D{p/x} A{p/x}, itself obtained from π applying Proposition 2.15.In this paper, we will not study cutelimination.And polynomial time soundness will be itself proved semantically.
2.8.Programming in QBAL.The Curry-Howard correspondence allows to see BLL and QBAL as programming languages endowed with rich type systems.In particular, following the usual impredicative encoding of data into second order intuitionistic logic, natural numbers can be represented as cut-free proofs of the formula However, only natural numbers less or equal to p are representable this way.This can be generalized to any word algebra.Given a word algebra W, we will denote by ε W the only 0-ary constructor of W and by c 1 W , . . ., c w W the 1-ary constructors of the same algebra.Notice that these objects can be thought of both as term formers and as (0-ary or unary) functions on terms.Terms of a free algebra W of length at most p can be represented as cut-free proofs of the formula Functions on natural numbers can be represented by proofs with conclusion N x ⊢ N p , where p is a resource polynomial depending on x, only.More generally, functions on the word algebra W can be represented by proofs with conclusion W x ⊢ W p .For example, all constructors c This will be essential to prove Lemma 7.1.
2.9.Unbounded First Order Quantification is Unsound.One may wonder why quantification on numerical variables is restricted to be bounded (see Definition 2.5).The reason is very simple: in presence of unbounded quantification, QBAL would immediately become unsound.To see that, define N ∞ to be the formula ∃(x) : ∅.N x .The composition of the successor with itself yields a proof with conclusion N x ⊢ N x+2 which, by rules R ∃x and L ∃x , becomes a proof with conclusion N ∞ ⊢ N ∞ .Iterating it, we obtain a proof of N x ⊢ N ∞ which represents the function n → 2n.But by rule L ∃x , it can be turned into a proof of N ∞ ⊢ N ∞ , and iterating it again we obtain a proof representing the exponential function.The boundedness assumption will be indeed critical in Section 4, where we establish that any functions which is representable in QBAL is polynomial time computable.It is not clear whether unbounded existential quantification would be sufficient to embed the whole of second order intuitionistic logic into QBAL.

Set-Theoretic Semantics
In this Section, we give a set-theoretic semantics for QBAL.We assume that our ambient settheory is constructive.This way we have a set of sets U which contains the natural numbers, closed under binary products, function spaces and U -indexed products.An alternative to assuming a constructive ambient set theory consists of replacing plain sets with PERs (partial equivalence relations) or domains or similar structures.See [10] for a more detailed discussion on this issue.
Formulas of QBAL can be interpreted as sets as follows, where ρ is an environment mapping atoms to sets: Please observe that the interpretation of any formula A is completely independent from the resource polynomials appearing in A.
To any QBAL proof π of A 1 , . . ., A n ⊢ C B we can associate a set-theoretic function π ρ : A 1 ⊗ . . .⊗ A n ρ → B ρ by induction on π, in the obvious way.π ρ is equal to the set-theoretic semantics of [π] as a proof of second order intuitionistic logic.Set-theoretic semantics of proofs is preserved by cut-elimination: if π reduces to σ by cut-elimination, then π ρ = σ ρ .
Observe that A ρ only depends on the values of ρ on atoms appearing free in A. So, in particular, is independent on ρ and on q, since N q is a closed formula.Similarly for W q ρ .Actually, there are functions ϕ N : N → N p and ψ N : N p → N such that ψ N • ϕ N is the identity on natural numbers.They are defined as follows: where A C is the projection of A on the component C whenever A is some product D∈U B. So, given a proof π : N x ⊢ N p , the numeric function represented by π is simply ψ N • π • ϕ N .Similar arguments hold for functions with conclusion W x ⊢ W p .

QBAL and Polynomial Time
In this section we show that all functions on natural numbers definable in QBAL are polynomial time computable.To this end, we follow the semantic approach in [10] which we now summarizes.4.1.Realizability Sets.Let X be a finite set of resource variables.We write V(X) for N X -the elements of V(X) are called valuations (over X).If η ∈ V(X) and c ∈ N then η[x → c] denotes the valuation which maps x to c and acts like η otherwise.We assume some reasonable encoding of valuations as natural numbers allowing them to be passed as arguments to algorithms.
If C is a constraint set involving at most the variables in X (over X) then V C (X) (or simply V C ) is the set of valuations in V(X) satisfying all the constraints in C .
We write P(X) for the set of resource polynomials over X.If p ∈ P(X) and η ∈ V(X) we write p(η) for the number obtained by evaluating p with x → η(x) for each x ∈ X.A substitution σ : X → Y is a function mapping any variable in Y to a polynomial in P(X).Given a substitution σ : X → Y and a valuation η ∈ V(X), the valuation σ[η] ∈ V(Y ) assigns to every variable y ∈ Y the natural number σ(y)(η).
We assume known the untyped lambda calculus as defined e.g. in [2].A lambda term is affine linear if each variable (free or bound) appears at most once (up to α-congruence).For example, λx.λy.yx and λx.λy.y and λx.xy are affine linear while the term λx.xx is not.Notice that every affine linear term t is strongly normalisable in less than |t| steps where |t| is the size of the term.Moreover, the size |s| of any reduct of t is at most |t|.The runtime of the computation leading to the normal form is therefore O(|t| 2 ).We will henceforth use the expression affine linear term for an affine linear lambda term which is in normal form.If s, t are affine linear terms, then their application st is defined as the normal form of the lambda term st.Notice that the application st can be computed in time O((|s| + |t|) 2 ).
If s, t are affine linear terms we write s⊗t for the affine linear term λf.f st.If t is an affine linear term possibly containing the free variables x, y then we write λx⊗y.t for λu.u(λxλy.t).Notice that (λx⊗y.t)(u⊗v)= t{u/x, v/y}.
More generally, if (t i ) i<n is a family of affine linear terms, we write i<n t i and λ i<n x i .tfor λf.f t 0 t 1 . . .t n−1 , respectively, λu.u(λx 0 λx 1 . . .λx n−1 .t).Again, (λ We write Λ a for the set of closed affine linear terms.
There is a canonical way of representing terms of any word algebra W as affine linear terms, which is attributed to Dana Scott [18].If the unary constructors of the word algebra W are c 1 W , . . ., c w W and ε W is the only 0-ary constructor of W, the terms of W are mapped to affine linear terms as follows: . . .λx w .λy.y; ∀i ∈ {1, . . ., w}. c i W s = λx 1 . . . .λx w .λy.x i s .As an example, the natural number 2 seen as a term of the word algebra N becomes 2 = λx.λy.x(λx.λy.x(λx.λy.y))Definition 4.1 (Realizability Set).Let X be a finite set of resource variables.A realizability set over X is a pair A = (|A|, A ) where |A| is a set and A ⊆ V(X) × Λ a × |A| is a ternary relation between valuations over X, affine lambda terms, and the set |A|.We write η, t A a for (η, t, a) ∈ A .Given a substitution σ from X to Y and a realizability set A over Y , then a new realizability set A[σ] over X is defined by The intuition behind η, t A a is that a is an abstract semantic value, η measures the abstract size of a, and the affine linear term t encodes the abstract value a.This is a generalization of what normally happens in realizability models, where A is a binary relation between realizers and denotations.
• The realizability set N x over {x} of tally natural numbers ("of size at most x") is defined by: |N x | = N and η, t Nx n if t = n and η(x) ≥ n; • The realizability set W x over {x} of free terms of W ("of length at most x") is defined by: |W x | = W and η, t Wx w if t = w and η(x) ≥ |w|.
These realizability sets N x and W x turn out to be retracts of the denotations of the eponymous BLL formulas from Section 2.8.

Definition 4.3 (Positive and Negative Variables).
Let A be a realizability set over X.We say that x ∈ X is positive (negative, respectively) in A, if for all η, µ ∈ V(X), t ∈ Λ a , a ∈ |A| where η and µ agree on X \ {x} and η(x) ≤ µ(x) (η(x) ≥ µ(x), respectively), η, t A a implies µ, t A a.
We notice that x is positive in N x and W x .Indeed, if e.g.η, t Nx n and η(x) ≤ µ(x), then µ(x) ≥ η(x) ≥ n and µ, t Nx n by definition.
Realizability sets can be thought of as the object of a category whose arrows are functions, themselves realized by affine linear terms, one for every possible valuation of the underlying resource variables: Definition 4.4 (Morphisms).Let A, B be realizability sets over some set X. A morphism from A to B is a function f : |A| → |B| satisfying the following conditions: • there exist a function e : V(X) → Λ a , an algorithm A and a resource polynomial q such that for every η ∈ V(X), A computes e(η) in time bounded by q(η); • for each η ∈ V(X), t ∈ Λ a , a ∈ |A|, we have η, t A a implies η, e(η)t B f (a).
In this case we say that e witnesses f and write A → f e B where in the notation the algorithm A computing e is presumed to exist.
Noticeably, morphisms compose.The following definitions summarises the interpretation of formulas according to [10].First of all, multiplicative connectives ⊗ and ⊸ correspond to constructions on realizability sets: Definition 4.5 (Multiplicatives).Let A, B be realizability sets over X.Then the following are realizability sets over X: Another logical connective needs to be justified, namely the exponential modality: Lastly, a semantical counterpart of second order universal quantification must be defined.The following are essential preliminary definitions.Definition 4.7 (Second Order Environments).Let X be a set of resource variables.A second-order environment over X is a partial function ρ which assigns to a second-order variable α of arity n a pair (l, C) such that: • l = (y 1 , . . ., y n ) is an n-tuple of pairwise different resource variables not occurring in X; • C is a realizability set over X ∪ {y 1 , . . ., y n } in which the y i are positive.For a second-order environment ρ we write |ρ| for the mapping α → |C| when ρ(α) = (l, C).If σ : X → Y is a substitution and ρ is a second-order environment over Y we define a second-order environment ρ[σ] over X by ρ[σ](α) = (l, C[σ]) when ρ(α) = (l, C).We assume here that the variables in l are not contained in Y .Otherwise, the substitution cannot be defined.
Using these semantic constructions one defines for each formula A with free resource variables contained in X and second-order environment ρ over X, a realizability set A B ρ over X in such a way that | A B ρ | = A |ρ| (where |ρ| is the assignment of sets to atoms obtained from ρ in the obvious way), that is to say, the underlying set of the realizability set interpreting a formula A coincides with the set-theoretic meaning of A (see Section 3): where ρ(α) = ((y 1 , . . ., y n ), C) and σ(y i ) = p i ; where η, t f C for all (l, C); , where ξ x : X ∪ {x} → X is the substitution mapping any variable in X into the same variable as an element of P(X ∪ {x}).
The main result of [10] then asserts that if π is a proof (in BLL) of a sequent Γ ⊢ B then the function π |ρ| is a morphism from Γ B ρ to B B ρ (where we interpret a context Γ as a ⊗-product over its components as usual).From this, polynomial time soundness is a direct corollary since polynomial time computability is built into the notion of a morphism.
It thus only remains to extend the realizability model to cover the constructs of QBAL which we do in the next section.

4.2.
Extending the Realizability Model to QBAL.The notion of a realizability set above is adequate to model formulas of QBAL.The notion of a morphism, however, should be slightly generalized in order to capture constraints: Definition 4.8 (C -Morphisms).Let A, B be realizability sets over some set X and C a constraint set over X.A function f : |A| → |B| is a C -morphism from A to B iff the following conditions hold: • there exist a function e : V C (X) → Λ a and an algorithm A such that A computes e(η) from η in time bounded by q(η) for some resource polynomial q; • for each η ∈ V C (X), t ∈ Λ a , a ∈ |A|, we have that η, t A a implies η, e(η)t B f (a).
In order to define realizability sets ∀y:C .A and ∃y:C .A, we fix some encoding of environments η as affine lambda terms using the • encoding of natural numbers.As an example, the environment η on {x 0 , . . ., x n−1 } could be encoded as i<n η(x i ) ; this clearly relies on a total order on resource variables.We do not notationally distinguish environments from their encodings.Definition 4.9 (First-order Quantification).Let X, Y be disjoint sets of variables.Let A be a realizability set over X ∪ Y and C a constraint set over X ∪ Y where we put Y = {y 1 , . . ., y n } and y = (y 1 , . . ., y n ).Furthermore, for each i = 1, . . ., n let p i ∈ P(X) be such that C |= {y ≤ p}.
Recall that ∀y:C .A and ∃y:C .A are well-formed only if there are resource polynomials p such that C |= y < p.Therefore, the set {µ | η∪µ ∈ V C } is finite and in fact computable in polynomial time from η. Indeed, its cardinality at most We are now able to prove the main result of this Section: Theorem 4.10.Let π be a proof of a sequent Γ ⊢ C B and ρ a mapping of atoms to realizability sets.Then The proof is by induction on derivations.We only show the cases that differ significantly from the development in [10].Case P ! .For simplicity, suppose that n = 1, q 1 = p and A 1 = A. The induction hypothesis shows that π |ρ| is a C -morphism from A B ρ to B B ρ witnessed by e.As in the proof of the main result in [10], we define ρ witnessed by d.The remaining cases are the four rules for first order quantifiers.In each case, we assume by the induction hypothesis that π is a morphism realizing the premise of the rule and let e be its witness.We have to show that π is a morphism realizing the conclusion of the rule.Note that the set-theoretic meaning of a proof does not change upon application of any of the quantifier rules.Case R ∀x .Suppose that η ∈ V C and η, t γ Γ B ρ γ.Now suppose η ∪ µ ∈ V D .By the induction hypothesis η∪µ, e(η∪µ)t γ A B ρ π (γ).We thus define d by d(η) = u where u ∈ Λ a is such that utµ = e(η ∪ µ)t whenever η ∪ µ ∈ V C .Recall that for a given η there are only q(η) such µ (for a fixed resource polynomial q), so that t can be constructed as a big case distinction over all those µ.It is then clear that d is polynomial time computable and realizes the conclusion of the rule.
Corollary 4.11.Every function on word algebras representable in QBAL is polynomial time computable.

On Compositional Embeddings
In this Section, we justify our emphasis on compositional embeddings.An embedding of a logical system or programming language L into QBAL is a function • from the space of proofs (or programs) of L into the space of proofs for QBAL.Clearly, for an embedding to be relevant from a computational point of view, any proof π of L should be mapped to an equivalent proof π , e.g., π = π .The existence of an embedding of L into QBAL implicitly proves that QBAL is extensionally at least as powerful as L. Such an embedding • is not necessarily computable nor natural.But whenever L is a sound and complete ICC characterization of polynomial time, a large class of proofs or programs of L can be mapped to QBAL, since the classes of definable first order functions are exactly the same in L and QBAL.Indeed, QBAL is both extensionally sound (see Section 4) and extensionally complete (since BLL can be compositionally embedded into it).
Typically, one would like to go beyond extensionality and prove that QBAL is intensionally as powerful as L.And if this is the goal, • should be easily computable.Ideally, we would like • to act homeomorphically on the space of proofs of L. In other words, whenever a proof π of L is obtained applying a proof-forming rule R to ρ 1 , . . ., ρ n , then π should be obtainable from ρ 1 , . . ., ρ n in a uniform way, i.e., dependently on R but independently on ρ 1 , . . ., ρ n .An embedding satisfying the above constraint is said to be strongly compositional.The embeddings we will present in the following two sections are only weakly compositional: [ π ] can be uniformly built from [ ρ 1 ], . . ., [ ρ n ] whenever π is obtained applying R to ρ 1 , . . ., ρ n .We believe that the existence of a weakly compositional embedding of L into QBAL is sufficient to guarantee that QBAL is intensionally as powerful as L because, as we pointed out in Section 2.5, [π] can be thought as the program hidden in the proof π.

Embedding LFPL
LFPL is a calculus for non-size-increasing computation introduced by the second author [9].It allows to capture natural algorithms computing functions such that the size of the result is smaller or equal to the size of the arguments.This way, polynomial time soundness is guaranteed despite the possibility of arbitrarily nested recursive definitions.
We here show that a core subset of LFPL can be compositionally embedded into QBAL.LFPL types are generated by the following grammar: Rules for LFPL in natural-deduction style are in Figure 3.We omit terms, since the computational content of type derivations is implicit in their skeleton.The set-theoretic se-

Axiom, Base Types and Weakening
, while the operators ⊗ and ⊸ are interpreted as usual.Notice that the interpretation of an LFPL formula does not depend on any environment ρ.This way, any LFPL proof π : A 1 , . . ., A n ⊢ B can be given a semantics π : A 1 ⊗ . . .⊗ A n → B , itself independent on any ρ.For example, rule T corresponds to iteration, while rule E ⊸ corresponds to function application.LFPL types can be translated to QBAL formulas in the following way: Please observe that the interpretation of any LFPL formulas is parametrized by two resource polynomials p and q.If a variable x occurs in p, but not in q, then x occurs only positively in A q p : this can be proved by an easy induction on the structure of A. The correspondence scales from types to proofs: Theorem 6.1.LFPL can be embedded into QBAL.In other words, for every LFPL proof π : A 1 , . . ., A n ⊢ B, there exists a QBAL proof Proof.As expected, the proof goes by induction on π.
• If the only rule in π is A, then π is simply the axiom where σ : N b y ⊢ N b y+1 is the QBAL proof for the successor on natural numbers inherited from BLL and ρ is obtained by first strengthening σ into a proof of N b y ⊢ {x+y≤b,1≤b,1≤x} N b y+1 (by Proposition 2.13) and then applying to it Proposition 2.14, after observing that where σ can be obtained from ρ by Proposition 2.13 and Proposition 2.14, because U. DAL LAGO AND M. HOFMANN • If the last rule in π is E ⊸ and the immediate premises of π are ρ and σ, then π is where θ and ξ can be obtained from ρ and σ , respectively, by applying Proposition 2.13.
• If the last rule in π is I ⊸ and the immediate premise of π is ρ, then π is where σ can be obtained from ρ by applying Proposition 2.13.• If the last rule in π is I ⊗ and the immediate premises of π are ρ and σ, then π is where θ and ξ can be obtained from ρ and σ , respectively, by Proposition 2.13.• If the last rule in π is E ⊗ and the immediate premises of π are ρ and σ, then π is where ξ can be obtained from ρ by Proposition 2.13 and Proposition 2.14 and can be obtained from σ by Proposition 2.13.• If the last rule in π is T and the immediate premises of π are ρ and σ, then π is where θ and ξ can be obtained from ρ and σ , respectively, by Proposition 2.13 and σ can be easily built.This concludes the proof.Proposition 6.2.The correspondence • is weakly compositional.
Proof.A quick inspection on the proof of Theorem 6.1 shows that π cannot be obtained uniformly from ρ 1 , . . ., ρ 1 (where ρ 1 , . . ., ρ n are the immediate sub-proofs of π), because results like Proposition 2.13 or Proposition 2.14 are often applied to ρ 1 , . . ., ρ n before they are plugged together (in a uniform way) to obtain π .All the results in Section 2.6, however, transform proofs to proofs preserving the underlying LJ proof.As a consequence the embedding is weakly compositional.
One may ask whether such an embedding might work for BLL proper.We believe this to be unlikely for several reasons.In particular, it seems that BLL lacks a mechanism for turning the information about the size of the manipulated objects from being global to being local.In QBAL, this rôle is played by first order quantifiers.As an example, consider the split function for lists of natural numbers that splits a list into two lists, one containing the even entries and one containing the odd entries.The type of that function in LFPL is L(N) ⊸ L(N) ⊗ L(N) where L(•) denotes the type of lists that we have elided from our formal treatment for the sake of simplicity.In QBAL this function gets the type The only conceivable BLL formula for this function is L x (N y ) ⊸ L x (N y ) ⊗ L x (N y ).In LFPL and in QBAL we can compose the split function with "append" yielding a function of type L x (N y ) ⊸ L x (N y ) that can be iterated.In BLL this composition receives the type L x (N y ) ⊸ L 2x (N y ) which of course is not allowed in an iteration.But a hypothetical compositional embedding of LFPL into BLL would have to be able to mimic this construction.

Embedding RRW
Ramified recurrence on words (RRW) is a function algebra extensionally corresponding to polynomial time functions introduced by Leivant in the early nineties [13].Bellantoni and Cook's algebra BC can be easily embedded into RRW.
Let W be a word algebra, let c 1 W , . . ., c w W be the unary constructors of W and let ε W be the only 0-ary constructor of W. id denotes the identity function on W. If m is a natural number and 1 ≤ i ≤ m, π m i denotes the i-th projection on m arguments in W. Given a n-ary function g on W and n m-ary functions f 1 , . . ., f n on W, we can define the m-ary composition of g and f 1 , . . ., f n , denoted comp(g, f 1 , . . ., f n ), as follows: Given an n-ary function f ε W on W and n + 2-ary functions f c 1 W , . . ., f c w W on W, we can define an n + 1-ary function g, denoted rec(f c 1 W , . . ., f c w W , f ε W ), by primitive recursion as follows: We can generate functions starting from id, π m i , ε W and c W by freely applying composition, primitive recursion and conditional.
Not every function obtained this way is in RRW: indeed, they correspond to primitive recursive functions on W. In Figure 4, a formal system for judgements in the form ⊢ f : W i 1 × . . .× W in → W i (where i 1 , . . ., i n , i are natural numbers) is defined.If such a judgement can be derived from the rules in Figure 4, then f is said to be an RRW function (the definition of RRW given here is slightly different but essentially equivalent to the original one [13]).Leivant [13] proved that RRW functions are exactly the polytime computable functions on W. But RRW can be compositionally embedded into QBAL, at least in a weak sense.Before embarking in the proof of that, however, we need a preliminary result.
Lemma 7.1 (Contraction Lemma).Every word algebra is duplicable, i.e., for every word algebra W there is a proof π Proof.For simplicity, consider the algebra N of natural numbers.The proof we are looking for is the following: where σ are ρ are the proofs corresponding to 0 and the successor coming from BLL.This concludes the proof.
The following is the main result of this section: Theorem 7.2.RRW can be embedded into QBAL.Suppose, in other words, that and that i < i j 1 , . . ., i jm , while i = i k 1 , . . ., i k h .Then, there exist a QBAL proof π and a resource polynomial q such that π : W x 1 , . . ., W xn ⊢ {x k 1 ≤x,...,x k h ≤x} W q(x j 1 ,...,x jm )+x . where

Some interesting cases:
• Consider the identity function id.Clearly: We partition the sequence i 1 , . . ., i n into three sequences containing elements which are equal to i, strictly greater than i and strictly smaller than i, respectively: Clearly, n = h + v + b.Similarly for the sequence j 1 , . . ., j m : j t 1 , . . ., j te j c 1 , . . ., j c l j z 1 , . . ., j z d Again, m = e + d + l.By induction hypothesis, there are proofs π g , π f 1 , . . ., π fn with the appropriate conclusions.Now, consider the proofs π f k 1 , . . ., π f k h : they are the ones such that i = i k 1 , . . ., i k h .By Proposition 2.14, we can assume that their conclusion is exactly the same, i.e., the polynomials r k 1 , . . ., r k h in the rhs are indeed the same polynomial r.
In other words, we have proofs . . .
Observe how, in all the three cases, the proof corresponding to f is structurally the same.This concludes the proof.
Quite interestingly, the proof of Theorem 7.2 is very similar in structure to the proof of polynomial time soundness for BC given in [3], which is based on the following observation: the size of the output of a BC function is bounded by a polynomial on the sizes of normal arguments plus the maximum of sizes of safe arguments.This cannot be formalized in BLL, because the resource polynomials do not include any function computing the maximum of its arguments.On the other hand, this can be captured in QBAL by way of constraints.
Proof.The proof is essentially identical to the one of Proposition 6.2.

Conclusions
We presented QBAL, a new ICC system embedding two distinct and unrelated systems for impredicative recursion in the sense of [8], namely ramified recurrence and non-size increasing computation.QBAL allows to overcome the main weakness of BLL, namely that all resource variables are global.In the authors' view, this constitutes the first step towards unifying ICC systems into a single framework.The next step consists in defining an embedding of light linear logic into QBAL and the authors are currently investigating on that.
From A ⊑ C ∪{x<q} B and r ⊑ C q, it follows by strengthening that A ⊑ C ∪{x<r} B. By the induction hypothesis, A ⊑ C ∪{x<r} C. The thesis follows, once we observe that r ⊑ C p by transitivity.•If ∀x : D.A ⊑ C ∀x : E .B and ∀x : E .B ⊑ C ∀x : F .C, then C ∪ E |= D, C ∪ F |= E , x / ∈ FV (C ), A ⊑ C ∪E B and B ⊑ C ∪F C. Since C ∪ F |= C ∪ E , A ⊑ C ∪F Bby strengthening.By the induction hypothesis, A ⊑ C ∪F C. The thesis follows observing that C ∪ F |= D. • If ∃x : D.A ⊑ C ∃x : E .B and ∃x : E .B ⊑ C ∃x : F .C, then C ∪ D |= E , C ∪ E |= F , x / ∈ FV (C ), A ⊑ C ∪D B and B ⊑ C ∪E C. Since C ∪ D |= C ∪ E , B ⊑ C ∪D C by strengthening.By the induction hypothesis, A ⊑ C ∪D C. The thesis follows observing that C ∪ D |= F .This concludes the proof.
n i=1 p i (η), and the size of any of its elements is at most |η| + n i=1 p i (η).

Figure 4 :
Figure 4: RRW as a formal system.
Proof.Take any constraint r ≤ t in C and suppose x 1 , ..., x n occur positively in C .Then x 1 , ..., x n can occur in t but they cannot occur in r.So:(r ≤ t){p/x} = r ≤ (t{p/x}) (r ≤ t){q/x} = r ≤ (t{q/x}) Now, since p i ⊑ D q i for every i,t{p/x} ⊑ D t{q/x}.As a consequence, C {p/x} ∪ D |= C {q/x}.Analogously if x 1 , . . ., x n occur only negatively in C .2.2.Formulas.Resource polynomials, constraints and constraint sets are the essential ingredients in the definition of QBAL formulas: Definition 2.5.Formulas of QBAL are defined as follows: and A ⊑ C ∪{x<q} B. By induction hypothesis, A ⊑ D∪{x<q} B. We can assume that x / ∈ FV (D).Finally, q ⊑ D p.The thesis easily follows.• If ∀x : D.A ⊑ C ∀x : E .B and F |= C , then C ∪ E |= D, x / ∈ FV (C ) and A ⊑ C ∪E B. Again, we can assume that x / ∈ FV (C ).Since F ∪E |= C ∪E , we can apply the induction hypothesis, obtaining A ⊑ F ∪E B, from which the thesis easily follows.
x / ∈ FV (C ), then A{p/x} ⊑ C A{q/x} (A{q/x} ⊑ C A{p/x}, respectively).Proof.By induction on A. Let's just check the most interesting cases: • If A = ∃y : D.B, then the variables in y can be assumed to be distinct from x 1 . . ., x n .Now, suppose that x 1 , . . ., x n occur only positively in A. Then, by induction hypothesis, B{p/x} ⊑ C B{q/x}.Moreover, by Lemma 2.4, D{p/x} ∪ C |= D{q/x}.By definition, this implies A{p/x} ⊑ C A{q/x}.Similarly if x 1 , . . ., x n occur only negatively in A. • If A = ∀y : D.B, then we can proceed exactly in the same way.This concludes the proof.
and x can be assumed not to appear among the variables in x nor the ones in p. Then: By induction hypothesis, C{p/x} ⊑ C {p/x}∪{x<r{p/x}} D{p/x}.Moreover, r{p/x} ⊑ C {p/x} q{p/x}.The thesis follows.
• Suppose that π is ρ : Γ, C ⊢ C ∪D D y ∈ FV (Γ) ∪ FV (D) ∪ FV (C ) Γ, ∃y : D.C ⊢ C D L ∃xwhere, as usual, y can be chosen as fresh variables not appearing among the ones in x, nor in p. Applying the induction hypothesis to ρ, we obtain a proof of Γ{p/x}, C{p/x} ⊢ C {p/x}∪D{p/x} D{p/x}.By the assumptions above, variables in y do not appear free in Γ{p/x} nor in D{p/x} nor in C {p/x}.The thesis follows.This concludes the proof.