key: cord-0053365-pidm2kjy
authors: Bohrer, Brandon; Platzer, André
title: Constructive Game Logic
date: 2020-04-18
journal: Programming Languages and Systems
DOI: 10.1007/978-3-030-44914-8_4
sha: 0141ad217f9ff6c93e6f52f22a961db7c7c355e2
doc_id: 53365
cord_uid: pidm2kjy

Game Logic is an excellent setting to study proofs-about-programs via the interpretation of those proofs as programs, because constructive proofs for games correspond to effective winning strategies to follow in response to the opponent’s actions. We thus develop Constructive Game Logic, which extends Parikh’s Game Logic (GL) with constructivity and with first-order programs à la Pratt’s first-order dynamic logic (DL). Our major contributions include: 1. a novel realizability semantics capturing the adversarial dynamics of games, 2. a natural deduction calculus and operational semantics describing the computational meaning of strategies via proof-terms, and 3. theoretical results including soundness of the proof calculus w.r.t. realizability semantics, progress and preservation of the operational semantics of proofs, and Existential Properties on support of the extraction of computational artifacts from game proofs. Together, these results provide the most general account of a Curry-Howard interpretation for any program logic to date, and the first at all for Game Logic.

Two of the most essential tools in theory of programming languages are program logics, such as Hoare calculi [29] and dynamic logics [45] , and the Curry-Howard correspondence [17, 31] , wherein propositions correspond to types, proofs to functional programs, and proof term normalization to program evaluation. Their intersection, the Curry-Howard interpretation of program logics, has received surprisingly little study. We undertake such a study in the setting of Game Logic (GL) [38] , because this leads to novel insights, because the Curry-Howard correspondence can be explained particularly intuitively for games, and because our first-order GL is a superset of common logics such as first-order Dynamic Logic (DL).

Constructivity and program verification have met before: Higher-order constructive logics [16] obey the Curry-Howard correspondence and are used to develop verified functional programs. Program logics are also often embedded in constructive proof assistants such as Coq [48] , inheriting constructivity from their metalogic. Both are excellent ways to develop verified software, but we study something else.

We study the computational content of a program logic itself. Every fundamental concept of computation is expected to manifest in all three of logic, type systems, and category theory [27] . Because dynamics logics (DL's) such as GL have shown that program execution is a first-class construct in modal logic, the theorist has an imperative to explore the underlying notion of computation by developing a constructive GL with a Curry-Howard interpretation.

The computational content of a proof is especially clear in GL, which generalizes DL to programmatic models of zero-sum, perfect-information games between two players, traditionally named Angel and Demon. Both normal-play and misère-play games can be modeled in GL. In classical GL, the diamond modality α φ and box modality [α]φ say that Angel and Demon respectively have a strategy to ensure φ is true at the end of α, which is a model of a game. The difference between classical GL and CGL is that classical GL allows proofs that exclude the middle, which correspond to strategies which branch on undecidable conditions. CGL proofs can branch only on decidable properties, thus they correspond to strategies which are effective and can be executed by computer. Effective strategies are crucial because they enable the synthesis of code that implements a strategy. Strategy synthesis is itself crucial because even simple games can have complicated strategies, and synthesis provides assurance that the implementation correctly solves the game. A GL strategy resolves the choices inherent in a game: a diamond strategy specifies every move made by the Angel player, while a box strategy specifies the moves the Demon player will make.

In developing Constructive Game Logic (CGL), adding constructivity is a deep change. We provide a natural deduction calculus for CGL equipped with proof terms and an operational semantics on the proofs, demonstrating the meaning of strategies as functional programs and of winning strategies as functional programs that are guaranteed to achieve their objective no matter what counterstrategy the opponent follows. While the proof calculus of a constructive logic is often taken as ground truth, we go a step further and develop a realizability semantics for CGL as programs performing winning strategies for game proofs, then prove the calculus sound against it. We adopt realizability semantics in contrast to the winning-region semantics of classical GL because it enables us to prove that CGL satisfies novel properties (Section 8). The proof of our Strategy Property (Theorem 2) constitutes an (on-paper) algorithm that computes a player's (effective) strategy from a proof that they can win a game. This is the key test of constructivity for CGL, which would not be possible in classical GL. We show that CGL proofs have two computational interpretations: the operational semantics interpret an arbitrary proof (strategy) as a functional program which reduces to a normal-form proof (strategy), while realizability semantics interpret Angel strategies as programs which defeat arbitrary Demonic opponents.

While CGL has ample theoretical motivation, the practical motivations from synthesis are also strong. A notable line of work on dGL extends first-order GL to hybrid games to verify safety-critical adversarial cyber-physical systems [42] . We have designed CGL to extend smoothly to hybrid games, where synthesis provides the correctness demanded by safety-critical systems and the synthesis of correct monitors of the external world [36] .

Constructive Modal Logics. A major contribution of CGL is our constructive semantics for games, not to be confused with game semantics [1] , which are used to give programs semantics in terms of games. We draw on work in semantics for constructive modal logics, of which two main approaches are intuitionistic Kripke semantics and realizability semantics.

An overview of Intuitionistic Kripke semantics is given by Wijesekera [52] . Intuitionistic Kripke semantics are parameterized over worlds, but in contrast to classical Kripke semantics, possible worlds represent what is currently known of the state. Worlds are preordered by w 1 ≥ w 2 when w 1 contains at least the knowledge in w 2 . Kripke semantics were used in Constructive Concurrent DL [53] , where both the world and knowledge of it change during execution. A key advantage of realizability semantics [37, 33] is their explicit interpretation of constructivity as computability by giving a realizer, a program which witnesses a fact. Our semantics combine elements of both: Strategies are represented by realizers, while the game state is a Kripke world. Constructive set theory [2] aids in understanding which set operations are permissible in constructive semantics.

Modal semantics have also exploited mathematical structures such as: i) Neighborhood models [8] , topological models for spatial logics [7] , and temporal logics of dynamical systems [20] . ii) Categorical [3] , sheaf [28] , and pre-sheaf [23] models. iii) Coalgebraic semantics for classical Propositional Dynamic Logic (PDL) [19] . While games are known to exhibit algebraic structure [25] , such laws are not essential to this work. Our semantics are also notable for the seamless interaction between a constructive Angel and a classical Demon.

CGL is first-order, so we must address the constructivity of operations that inspect game state. We consider rational numbers so that equality is decidable, but our work should generalize to constructive reals [11, 13] .

Intuitionistic modalities also appear in dynamic-epistemic logic (DEL) [21] , but that work is interested primarily in proof-theoretic semantics while we employ realizability semantics to stay firmly rooted in computation. Intuitionistic Kripke semantics have also been applied to multimodal System K with iteration [14] , a weak fragment of PDL.

Constructivity and Dynamic Logic. With CGL, we bring to fruition several past efforts to develop constructive dynamic logics. Prior work on PDL [18] sought an Existential Property for Propositional Dynamic Logic (PDL), but they questioned the practicality of their own implication introduction rule, whose side condition is non-syntactic. One of our results is a first-order Existential Property, which Degen cited as an open problem beyond the methods of their day [18] . To our knowledge, only one approach [32] considers Curry-Howard or functional proof terms for a program logic. While their work is a notable precursor to ours, their logic is a weak fragment of PDL without tests, monotonicity, or unbounded iteration, while we support not only PDL but the much more powerful first-order GL. Lastly, we are preceded by Constructive Concurrent Dynamic Logic, [53] which gives a Kripke semantics for Concurrent Dynamic Logic [41] , a proper fragment of GL. Their work focuses on an epistemic interpretation of constructivity, algebraic laws, and tableaux. We differ in our use of realizability semantics and natural deduction, which were essential to developing a Curry-Howard interpretation for CGL. In summary, we are justified in claiming to have the first Curry-Howard interpretation with proof terms and Existential Properties for an expressive program logic, the first constructive game logic, and the only with first-order proof terms.

While constructive natural deduction calculi map most directly to functional programs, proof terms can be generated for any proof calculus, including a wellknown interpretation of classical logic as continuation-passing style [26] . Proof terms have been developed [22] for a Hilbert calculus for dL, a dynamic logic (DL) for hybrid systems. Their work focuses on a provably correct interchange format for classical dL proofs, not constructive logics.

We define the language of CGL, consisting of terms, games, and formulas. The simplest terms are program variables x, y ∈ V where V is the set of variable identifiers. Globally-scoped mutable program variables contain the state of the game, also called the position in game-theoretic terminology. All variables and terms are rational-valued (Q); we also write B for the set of Boolean values {0, 1} for false and true respectively. Definition 1 (Terms). A term f, g is a rational-valued computable function over the game state. We give a nonexhaustive grammar of terms, specifically those used in our examples:

where q ∈ Q is a rational literal, x a program variable, f +g a sum, f ·g a product. Division-with-remainder is intended for use with integers, but we generalize the standard notion to support rational arguments. Quotient f /g is integer even when f and g are non-integer, and thus leaves a rational remainder f mod g. Divisors g are assumed to be nonzero.

A game in CGL is played between a constructive player named Angel and a classical player named Demon. Our usage of the names Angel and Demon differs subtly from traditional GL usage for technical reasons. Our Angel and Demon are asymmetric: Angel is "our" player, who must play constructively, while the "opponent" Demon is allowed to play classically because our opponent need not be a computer. At any time some player is active, meaning their strategy resolves all decisions, and the opposite player is called dormant. Classical GL identifies Angel with active and Demon with dormant; the notions are distinct in CGL.

Definition 2 (Games). The set of games α, β is defined recursively as such:

In the test game ?φ, the active player wins if they can exhibit a constructive proof that formula φ currently holds. If they do not exhibit a proof, the dormant player wins by default and we informally say the active player "broke the rules". In deterministic assignment games x := f, neither player makes a choice, but the program variable x takes on the value of a term f . In nondeterministic assignment games x := * , the active player picks a value for x : Q. In the choice game α ∪ β, the active player chooses whether to play game α or game β. In the sequential composition game α; β, game α is played first, then β from the resulting state. In the repetition game α * , the active player chooses after each repetition of α whether to continue playing, but loses if they repeat α infinitely. Notably, the exact number of repetitions can depend on the dormant player's moves, so the active player need not know, let alone announce, the exact number of iterations in advance. In the dual game α d , the active player becomes dormant and vice-versa, then α is played. We parenthesize games with braces {α} when necessary. Sequential and nondeterministic composition both associate to the right, i.e., α ∪ β ∪ γ ≡ {α ∪ {β ∪ γ}}. This does not affect their semantics as both operators are associative, but aids in reading proof terms.

Definition 3 (CGL Formulas). The set of CGL formulas φ (also ψ, ρ) is given recursively by the grammar:

The defining constructs in CGL (and GL) are the modalities α φ and [α]φ. These mean that the active or dormant Angel (i.e., constructive) player has a constructive strategy to play α and achieve postcondition φ. This paper does not develop the modalities for active and dormant Demon (i.e., classical) players because by definition those cannot be synthesized to executable code. We assume the presence of interpreted comparison predicates ∼ ∈ {≤, <, =, =, >, ≥}.

The standard connectives of first-order constructive logic can be derived from games and comparisons. Verum (tt) is defined 1 > 0 and falsum (ff) is 0 > 1.

= * ]φ, and existential quantification ∃x φ is defined x := * φ. As usual in logic, equivalence φ ↔ ψ can also be defined (φ → ψ) ∧ (ψ → φ). As usual in constructive logics, negation ¬φ is defined φ → ff, and inequality is defined by f = g ≡ ¬(f = g). We will use the derived constructs freely but present semantics and proof rules only for the core constructs to minimize duplication. Indeed, it will aid in understanding of the proof term language to keep the definitions above in mind, because the proof terms for many first-order programs follow those from first-order constructive logic.

For convenience, we also write derived operators where the dormant player is given control of a single choice before returning control to the active player. The dormant choice α ∩ β, defined {α d ∪ β d } d , says the dormant player chooses which branch to take, but the active player is in control of the subgames. We write φ y x (likewise for α and f ) for the renaming of x for y and vice versa in formula φ, and write φ f x for the substitution of term f for program variable x in φ, if the substitution is admissible (Def. 9 in Section 6).

We demonstrate the meaning and usage of the CGL constructs via examples, culminating in the two classic games of Nim and cake-cutting.

Nondeterministic Programs. Every (possibly nondeterministic) program is also a one-player game. For example, the program n := 0; {n := n + 1} * can nondeterministically sets n to any natural number because Angel has a choice whether to continue after every repetition of the loop, but is not allowed to continue forever. Conversely, games are like programs where the environment (Demon) is adversarial, and the program (Angel) strategically resolves nondeterminism to overcome the environment. The Demon player sets the value of a tossed coin, but does so adversarially, not randomly, since strategies in CGL are pure strategies. The Angel player has perfect knowledge of coin and can set guess equivalently, thus easily passing the test guess = coin, unlike a real coin toss. Partial information games are interesting future work that could be implemented by limiting the variables visible in a strategy.

Nim. Nim is the standard introductory example of a discrete, 2-player, zerosum, perfect-information game. We consider misère play (last player loses) for a version of Nim that is also known as the subtraction game. The constant Nim defines the game Nim.

The game state consists of a single counter c containing a natural number, which each player chooses (∪) to reduce by 1, 2, or 3 (c := c − k). The counter is nonnegative, and the game repeats as long as Angel wishes, until some player empties the counter, at which point that player is declared the loser (?c > 0).

Suppose c ≡ 1 (mod 4), Then the dormant player has a strategy to ensure c ≡ 1 (mod 4) as an invariant. That is, the following CGL formula is valid (true in every state):

This implies the dormant player wins the game because the active player violates the rules once c = 1 and no move is valid. We now state the winning region for an active player.

Proposition 2 (Active winning region). Suppose c ∈ {0, 2, 3} (mod 4) initially, and the active player controls the loop duration. Then the active player can achieve c ∈ {2, 3, 4}:

At that point, the active player will win in one move by setting c = 1 which forces the dormant player to set c = 0 and fail the test ?c > 0.

Cake-cutting. Another classic 2-player game, from the study of equitable division, is the cake-cutting problem [40] : The active player cuts the cake in two, then the (initially-)dormant player gets first choice of a piece. This is an optimal protocol for splitting the cake in the sense that the active player is incentivized to split the cake evenly, else the dormant player could take the larger piece. Cake-cutting is also a simple use case for fractional numbers. The constant CC defines the cake-cutting game. Here x is the relative size (from 0 to 1) of the first piece, y is the size of the second piece, a is the size of the active player's piece, and d is the size of dormant player's piece.

The game is played only once. The active player picks the division of the cake, which must be a fraction 0 ≤ x ≤ 1. The dormant player then picks which slice goes to whom.

The active player has a tight strategy to achieve a 0.5 cake share, as stated in Proposition 3.

Proposition 3 (Active winning region). The following formula is valid:

The dormant player also has a computable strategy to achieve exactly 0.5 share of the cake (Proposition 4). Division is fair because each player has a strategy to get their fair 0.5 share.

Proposition 4 (Dormant winning region). The following formula is valid:

Computability and Numeric Types. Perfect fair division is only achieved for a, d ∈ Q because rational equality is decidable. Trichotomy (a < 0.5∨a = 0.5∨a > 0.5) is a tautology, so the dormant player's strategy can inspect the active player's choice of a. Notably, we intend to support constructive reals in future work, for which exact equality is not decidable and trichotomy is not an axiom. Future work on real-valued CGL will need to employ approximate comparison techniques as is typical for constructive reals [11, 13, 51] . The examples in this section have been proven [12] using the calculus defined in Section 5.

We now develop the semantics of CGL. In contrast to classical GL, whose semantics are well-understood [38] , the major semantic challenge for CGL is capturing the competition between a constructive Angel and classical Demon. We base our approach on realizability semantics [37, 33] , because this approach makes the relationship between constructive proofs and programs particularly clear, and generating programs from CGL proofs is one of our motivations.

Unlike previous applications of realizability, games feature two agents, and one could imagine a semantics with two realizers, one for each of Angel and Demon. However, we choose to use only one realizer, for Angel, which captures the fact that only Angel is restricted to a computable strategy, not Demon. Moreover, a single realizer makes it clear that Angel cannot inspect Demon's strategy, only the game state, and also simplifies notations and proofs. Because Angel is computable but Demon is classical, our semantics has the flavor both of realizability semantics and of a traditional Kripke semantics for programs.

The semantic functions employ game states ω ∈ S where we write S for the set of all states. We additionally write , ⊥ ∈ S (not to be confused with formulas tt and ff) for the pseudo-states and ⊥ indicating that Angel or Demon respectively has won the game early by forcing the other to fail a test.

Each ω ∈ S maps each x ∈ V to a value ω(x) ∈ Q. We write ω v x for the state that agrees with ω except that x is assigned value v where v ∈ Q.

A term f is a computable func- tion of the state, so the interpretation [[f ]]ω of term f in state ω is f (ω).

To define the semantics of games, we first define realizers, the programs which implement strategies. The language of realizers is a higher-order lambda calculus where variables can range over game states, numbers, or realizers which realize a give proposition φ. Gameplay proceeds in continuation-passing style: invoking a realizer returns another realizer which performs any further moves. We describe the typing constraints for realizers informally, and say a is a α φ-realizer (a ∈ α φ Rz) if it provides strategic decisions exactly when α φ demands them.

Definition 5 (Realizers). The syntax of realizers a, b, c ∈ Rz (where Rz is the set of all realizers) is defined coinductively:

where x is a program (or realizer) variable and f is a term over the state ω. The Roman a, b, c should not be confused with the Greek α, β, γ which range over games. Realizers have access to the game state ω, expressed by lambda realizers (λω : S. a(ω)) which, when applied in a state ν, compute the realizer a with ν substituted for ω. State lambdas λ are distinguished from propositional and first-order lambdas Λ. The unit realizer () makes no choices and is understood as a unit tuple. Units () realize f ∼ g because rational comparisons, in contrast to real comparisons, are decidable. Conditional strategic decisions are realized by if (f (ω)) a else b for computable function f : S → B, and execute a if f returns truth, else b. Realizer (λω :

for all ω. The first component determines which branch is taken, while the second component is a continuation which must be able to play the corresponding branch. Realizer (λω : S. f (ω)) can also be a x := * φ-realizer, which requires f (ω) ∈ Q × (φ Rz) for all ω. The first component determines the value of x while the second component demonstrates the postcondition φ. The pair realizer (a, b) realizes both Angelic tests ?φ ψ and dormant choices [α ∪ β]φ. It is identified with a pair of realizers: (a, b) ∈ Rz×Rz.

A dormant realizer waits and remembers the active Demon's moves, because they typically inform Angel's strategy once Angel resumes action. The first-order realizer (Λx :

x is a φ-realizer for every v ∈ Q; Demon tells Angel the desired value of x, which informs Angel's continuation b. The higher-order realizer (Λx : φ Rz. b) realizes [?φ]ψ when b c x realizes ψ for every φ-realizer c. Demon announces the realizer for φ which Angel's continuation b may inspect. Tuples are inspected with projections π L (a) and π R (a). A lambda is inspected by applying arguments a ω for state-lambdas, a v for first-order, and a b for higher-order. Realizers for sequential compositions α; β φ (likewise [α; β]φ) are α β φ-realizers: first α is played, and in every case the continuation must play β before showing φ. Realizers for repetitions α * are streams containing α-realizers, possibly infinite by virtue of coinductive syntax. Active loop realizer ind(x. a) is the least fixed point of the

x is a recursive call which must be invoked only in accordance with some well-order. We realize dormant loops with gen(a, x.b, x.c), coinductively generated from initial value a, update b, and post-step c with variable x for current generator value.

Active loops must terminate, so α * φ-realizers are constructed inductively using any well-order on states. Dormant loops must be played as long as the opponent wishes, so [α * ]φ-realizers are constructed coinductively, with the invariant that φ has a realizer at every iteration.

A state ω paired with a realizer a that continues the game is called a possibility. A region (written X, Y, Z) is a set of possibilities. We write [[φ]] ⊆ φ Rz × S for the region which realizes formula φ. A formula φ is valid iff some a uniformly realizes every state, i.e.,

The game semantics are region-oriented, i.e., they process possibilities in bulk, though Angel commits to a strategy from the start. The region X α : ℘(Rz × S) is the union of all end regions of game α which arise when active Angel commits to an element of X, then Demon plays adversarially. In X[[α]] : ℘(Rz×S) Angel is the dormant player, but it is still Angel who commits to an element of X and Demon who plays adversarially. Recall that pseudo-states and ⊥ represent early wins by each Angel and Demon, respectively. The definitions below implicitly assume ⊥, / ∈ X, they extend to the case ⊥ ∈ X (likewise ∈ X) using the equations (

That is, if Demon has already won by forcing an Angel violation initially, any remaining game can be skipped with an immediate Demon victory, and vice-versa. The game semantics exploit the Angelic projections Z 0 , Z 1 and Demonic projections Z [0] , Z [1] , which represent binary decisions made by a constructive Angel and a classical Demon, respectively. The Angelic projections, which are defined Z 0 = {(π R (a), ω) | π L (a)(ω) = 0, (a, ω) ∈ Z} and Z 1 = {(π R (a), ω) | π L (a)(ω) = 1, (a, ω) ∈ Z}, filter by which branch Angel chooses with π L (a)(ω) ∈ B, then project the remaining strategy π R (a). The Demonic projections, which are defined

, ω) | (a, ω) ∈ Z}, contain the same states as Z, but project the realizer to tell Angel which branch Demon took.

Comparisons f ∼ g defer to the term semantics, so the interesting cases are the game modalities. Both [α]φ and α φ ask whether Angel wins α by following the given strategy, and differ only in whether Demon vs. Angel is the active player, thus in both cases every Demonic choice must satisfy Angel's goal, and early Demon wins are counted as Angel losses.

Definition 7 (Angel game forward semantics). We inductively define the region X α : ℘(Rz × S) in which α can end when active Angel plays X:

Definition 8 (Demon game forward semantics). We inductively define the region X[[α]] : ℘(Rz × S) in which α can end when dormant Angel plays X:

Angelic tests ?φ end in the current state ω with remaining realizer π R (a) if Angel can realize φ with π L (a), else end in ⊥. Angelic deterministic assignments consume no realizer and simply update the state, then end. Angelic nondeterministic assignments x := * ask the realizer π L (a) to compute a new value for x from the current state. Angelic compositions α; β first play α, then β from the resulting state using the resulting continuation. Angelic choice games α ∪ β use the Angelic projections to decide which branch is taken according to π L (a). The realizer π R (a) may be reused between α and β, since π R (a) could just invoke π L (a) if it must decide which branch has been taken. This definition of Angelic choice (corresponding to constructive disjunction) captures the reality that realizers in CGL, in contrast with most constructive logics, are entitled to observe a game state, but they must do so in computable fashion.

Repetition Semantics. In any GL, the challenge in defining the semantics of repetition games α * is that the number of iterations, while finite, can depend on both players' actions and is thus not known in advance, while the DL-like semantics of α * as the finite reflexive, transitive closure of α gives an advancenotice semantics. Classical GL provides the no-advance-notice semantics as a fixed point [38] , and we adopt the fixed point semantics as well. The Angelic choice whether to stop (Z 0 ) or iterate the loop (Z 1 ) is analogous to the case for α ∪ β.

Duality Semantics. To play the dual game α d , the active and dormant players switch roles, then play α. In classical GL, this characterization of duality is interchangeable with the definition of α d as the game that Angel wins exactly when it is impossible for Angel to lose. The characterizations are not interchangeable in CGL because the Determinacy Axiom (all games have winners) of GL is not valid in CGL:

Remark 1 (Indeterminacy). Classically equivalent determinacy axiom schemata ¬ α ¬φ → [α]φ and α ¬φ ∨ [α]φ of classical GL are not valid in CGL, because they imply double negation elimination.

Remark 2 (Classical duality). In classical GL, Angelic dual games are characterized by the axiom schema α d φ ↔ ¬ α ¬φ, which is not valid in in CGL. It is

The determinacy axiom is not valid in CGL, so we take α d ↔ [α]φ as primary.

Demon wins a Demonic test by presenting a realizer b as evidence that the precondition holds. If he cannot present a realizer (i.e., because none exists), then the game ends in so Angel wins by default. Else Angel's higher-order realizer a consumes the evidence of the pre-condition, i.e., Angelic strategies are entitled to depend (computably) on how Demon demonstrated the precondition. Angel can check that Demon passed the test by executing b. The Demonic repetition game α * is defined as a fixed-point [42] with Demonic projections. Computationally, a winning invariant for the repetition is the witness of its winnability.

The remaining cases are innocuous by comparison. Demonic deterministic assignments x := f deterministically store the value of f in x, just as Angelic assignments do. In demonic nondeterministic assignment x := * , Demon chooses to set x to any value. When Demon plays the choice game α ∪ β, Demon chooses classically between α and β. The dual game α d is played by Demon becoming dormant and Angel become active in α.

Semantics Examples. The realizability semantics of games are subtle on a first read, so we provide examples of realizers. In these examples, the state argument ω is implicit, and we refer to ω(x) simply as x for brevity.

Recall that [?φ]ψ and φ → ψ are equivalent. For any φ, the identity function (Λx : φ Rz. x) is a φ → φ-realizer: for every φ-realizer x which Demon presents, Angel can present the same x as evidence of φ. This confirms expected behavior per propositional constructive logic: the identity function is the proof of selfimplication.

In example formula x := * d ; {x := x ∪ x := −x} x ≥ 0, Demon gets to set x, then Angel decides whether to negate x in order to make it nonnegative. It is realized by Λx : Q. ((if (x < 0) 1 else 0), ()): Demon announces the value of x, then Angel's strategy is to check the sign of x, taking the right branch when x is negative. Each branch contains a deterministic assignment which consumes no realizer, then the postcondition x ≥ 0 has trivial realizer ().

Consider the formula {x := x + 1} * x > y, where Angel's winning strategy is to repeat the loop until x > y, which will occur as x increases. The realizer is ind(w. (if (x > y) (0, ()) else (1, w), ())), which says that Angel stops the loop if x > y and proves the postcondition with a trivial strategy. Else Angel continues the loop, whose body consumes no realizer, and supplies the inductive call w to continue the strategy inductively.

Consider the formula [?x > 0; {x := x + 1} * ]∃y (y ≤ x ∧ y > 0) for a subtle example. Our strategy for Angel is to record the initial value of x in y, then maintain a proof that y ≤ x as x increases. This strategy is represented by Λw : (x > 0) Rz. gen((x, ((), w)), z.(π L (z), ((), π R (π R (z)))), z.z). That is, initially Demon announces a proof w of x > 0. Angel specifies the initial element of the realizer stream by witnessing ∃y (y ≤ x∧y > 0) with c 0 = (x, ((), w)), where the first component instantiates y = x, the trivial second component indicates that y ≤ y trivially, and the third component reuses w as a proof of y > 0. Demon can choose to repeat the loop arbitrarily. When Demon demands the k'th repetition, z is bound to c k−1 to compute c k = (π L (z), ((), π R (π R (z)))), which plays the next iteration. That is, at each iteration Angel witnesses ∃y (y ≤ x ∧ y > 0) by assigning the same value (stored in π L (z)) to y, reproving y ≤ x with (), then reusing the proof (stored in π R (π R (z))) that y > 0.

Having settled on the meaning of a game in Section 4, we proceed to develop a calculus for proving CGL formulas syntactically. The goal is twofold: the practical motivation, as always, is that when verifying a concrete example, the realizability semantics provide a notion of ground truth, but are impractical for proving large formulas. The theoretical motivation is that we wish to expose the computational interpretation of the modalities α φ and [α]φ as the types of the players' respective winning strategies for game α that has φ as its goal condition. Since CGL is constructive, such a strategy constructs a proof of the postcondition φ.

To study the computational nature of proofs, we write proof terms explicitly: the main proof judgement Γ M : φ says proof term M is a proof of φ in context Γ , or equivalently a proof of sequent (Γ φ). We write M, N, O (sometimes A, B, C) for arbitrary proof terms, and p, q, , r, s, g for proof variables, that is variables that range over proof terms of a given proposition. In contrast to the assignable program variables, the proof variables are given their meaning by substitution and are scoped locally, not globally. We adapt propositional proof terms such as pairing, disjoint union, and lambda-abstraction to our context of game logic. To support first-order games, we include first-order proof terms and new terms for features: dual, assignment, and repetition games.

We now develop the calculus by starting with standard constructs and working toward the novel constructs of CGL. The assumptions p in Γ are named, so that they may appear as variable proof-terms p. We write Γ y x and M y x for the renaming of program variable x to y and vice versa in context Γ or proof term M, respectively. Proof rules for state-modifying constructs explicitly perform renamings, which both ensures they are applicable as often as possible and also ensures that references to proof variables support an intuitive notion of lexical scope. Likewise Γ f

x and M f x are the substitutions of term f for program variable x. We use distinct notation to substitute proof terms for proof variables while avoiding capture: [N/p]M substitutes proof term N for proof variable p in proof term M . Some proof terms such as pairs prove both a diamond formula and a box formula. We write M, N and [M, N ] respectively to distinguish the terms or [M, N ] to treat them uniformly. Likewise we abbreviate [α] φ when the same rule works for both diamond and box modalities, using [ α ]φ to denote its dual modality. The proof terms x := f y x in p. M and [x := f y x in p. M ] introduce an auxiliary ghost variable y for the old value of x, which improves completeness without requiring manual ghost steps.

The propositional proof rules of CGL are in Fig. 1 α φ and β φ) is the choice α ∪ β φ. The introduction rules for injections are ∪ I1 and ∪ I2, and case-analysis is performed with rule ∪ E, with two branches that prove a common consequence We now begin considering non-propositional rules, starting with the simplest ones. The majority of the rules in Fig. 2 , while thoroughly useful in proofs, * C Γ A : α * φ Γ, s : φ B : ψ Γ, g : α α * φ C : [50] , where an explicit operation is used to expand and collapse the recursive definition of a type. Rules * C, * S, * G are the destructor and injectors for α * φ, which are similar to those for α ∪ β φ. The duality rules ( [ d ] I) say the dual game is proved by proving the game where roles are reversed. The sequencing rules ( [;] I) say a sequential game is played by playing the first game with the goal of reaching a state where the second game is winnable.

Among these rules, monotonicity M is especially computationally rich. The notation Γ y BV(α) says that in the second premiss, the assumptions in Γ have all bound variables of α (written BV(α)) renamed to fresh variables y for completeness. In practice, Γ usually contains some assumptions on variables that are not bound, which we wish to access without writing them explicitly in φ. Rule M is used to execute programs right-to-left, giving shorter, more efficient proofs. It can also be used to derive the Hoare-logical sequential composition rule, which is frequently used to reduce the number of case splits. Note that like every GL, CGL is subnormal, so the modal modus ponens axiom K and Gödel generalization (or necessitation) rule G are not sound, and M takes over much of the role they usually serve. On the surface, M simply says games are monotonic: a game's goal proposition may freely be replaced with a weaker one. From a computational perspective, Section 7 will show that rule M can be (lazily) eliminated. Moreover, M is an admissible rule, one whose instances can all be derived from existing rules. When proofs are written right-to-left with M, the normalization relation translates them to left-to-right normal proofs. Note also that in checking M • p N, the context Γ has the bound variables α renamed freshly to some y within N, as required to maintain soundness across execution of α.

Next, we consider first-order rules, i.e., those which deal with first-order programs that modify program variables. The first-order rules are given in Fig. 3 . In : * E, FV(ψ) are the free variables of ψ, the variables which can influence its meaning. Nondeterministic assignment provides quantification over rational- While this notation is suggestive, the difference vs. the function proof term (λp : φ. M ) is essential: the proof term M is checked (resp. evaluated) in a state where the program variable x has changed from its initial value. For soundness, [: * ]I renames x to fresh program variable y throughout context Γ, written Γ y x . This means that M can freely refer to all facts of the full context, but they now refer to the state as it was before x received a new value. Elimination [: * ]E then allows instantiating x to a term f . Existential quantification is introduced by : * I whose proof term f y x : * p. M is like a dependent pair plus bound renaming of x to y. The witness f is an arbitrary computable term, as always. We write f x : * M for short when y is not referenced in M . It is eliminated in : * E by unpacking the pair, with side condition x / ∈ FV(ψ) for soundness. The assignment rules [:=] I do not quantify, per se, but always update x to the value of the term f, and in doing so introduce an assumption that x and f (suitably renamed) are now equal. In : * I and [:=] I, program variable y is fresh. * I The looping rules in Fig. 4 , especially * I, are arguably the most sophisticated in CGL. Rule * I provides a strategy to repeat a game α until the postcondition φ holds. This is done by exhibiting a convergence predicate ϕ and termination metric M with terminal value 0 and well-ordering . Proof term A shows ϕ holds initially. Proof term B guarantees M decreases with every iteration where M 0 is a fresh metric variable which is equal to M at the antecedent of B and is never modified. Proof term C allows any postcondition φ which follows from convergence ϕ ∧ M = 0. Proof term for(p : ϕ(M) = A; q. B; C){α} suggests the computational interpretation as a for-loop: proof A shows the convergence predicate holds in the initial state, B shows that each step reduces the termination metric while maintaining the predicate, and C shows that the postcondition follows from the convergence predicate upon termination. The game α repeats until convergence is reached (M = 0). By the assumption that metrics are well-founded, convergence is guaranteed in finitely (but arbitrarily) many iterations.

A naïve, albeit correct, reading of rule * I says M is literally some term f . If lexicographic or otherwise non-scalar metrics should be needed, it suffices to interpret ϕ and M 0 M as formulas over several scalar variables. Rule FP says α * φ is a least pre-fixed-point. That is, if we wish to show a formula ψ holds now, we show that ψ is any pre-fixed-point, then it must hold as it is no lesser than φ. Rule [ * ]I is the well-understood induction rule for loops, which applies as well to repeated games. Premiss O ensures [ * ]I supports any provable postcondition, which is crucial for eliminating M in Lemma 7. The elimination form for [α * ]φ is simply [ * ]E. Like any program logic, reasoning in CGL consists of first applying program-logic rules to decompose a program until the program has been entirely eliminated, then applying first-order logic principles at the leaves of the proof. The constructive theory of rationals is undecidable because it can express the undecidable [47] classical theory of rationals. Thus facts about rationals require proof in practice. For the sake of space and since our focus is on program reasoning, we defer an axiomatization of rational arithmetic to future work. We provide a (non-effective!) rule FO which says valid first-order formulas are provable.

An effective special case of FO is split (Fig. 4) , which says all term comparisons are decidable. Rule split can be generalized to decide termination metrics (M = 0 ∨ M 0). Rule iG says the value of term f can be remembered in fresh ghost variable x:

Rule iG can be defined using arithmetic and with quantifiers:

What's Novel in the CGL Calculus? CGL extends first-order reasoning with game reasoning (sequencing [32] , assignments, iteration, and duality). The combination of first-order reasoning with game reasoning is synergistic: for example, repetition games are known to be more expressive than repetition systems [42] . We give a new natural-deduction formulation of monotonicity. Monotonicity is admissible and normalization translates monotonicity proofs into monotonicityfree proofs. In doing so, normalization shows that right-to-left proofs can be (lazily) rewritten as left-to-right. Additionally, first-order games are rife with changing state, and soundness requires careful management of the context Γ . The extended version [12] uses our calculus to prove the example formulas.

Full versions of proofs outlined in this paper are given in the extended version [12] . We have introduced a proof calculus for CGL which can prove winning strategies for Nim and CC. For any new proof calculus, it is essential to convince ourselves of our soundness, which can be done within several prominent schools of thought. In proof-theoretic semantics, for example, the proof rules are taken as the ground truth, but are validated by showing the rules obey expected properties such as harmony or, for a sequent calculus, cut-elimination. While we will investigate proof terms separately (Section 8), we are already equipped to show soundness by direct appeal to the realizability semantics (Section 4), which we take as an independent notion of ground truth. We show soundness of CGL proof rules against the realizability semantics, i.e., that every provable naturaldeduction sequent is valid. An advantage of this approach is that it explicitly connects the notions of provability and computability! We build up to the proof of soundness by proving lemmas on structurality, renaming and substitution.

Lemma 1 (Structurality). The structural rules W, X, and C are admissible, i.e., the conclusions are provable whenever the premisses are provable.

Proof summary. Each rule is proved admissible by induction on M . Observe that the only premisses regarding Γ are of the form Γ (p) = φ, which are preserved under weakening. Premisses are trivially preserved under exchange because contexts are treated as sets, and preserved modulo renaming by contraction as it suffices to have any assumption of a given formula, regardless its name. The context Γ is allowed to vary in applications of the inductive hypothesis, e.g., in rules that bind program variables. Some rules discard Γ in checking the subterms inductively, in which case the IH need not be applied at all.

Lemma 2 (Uniform renaming). Let M y x be the renaming of program variable x to y (and vice-versa) within M , even when neither x nor y is fresh.

Proof summary. Straightforward induction on the structure of M . Renaming within proof terms (whose definition we omit as it is quite tedious) follows the usual homomorphisms, from which the inductive cases follow. In the case that M is a proof variable z, then Γ y x (z) = Γ (z) y x from which the case follows. The interesting cases are those which modify program variables, e.g., z := f w z in p. M . The bound variable z is renamed to z y x , while the auxiliary variable w is α-varied if necessary to maintain freshness. Renaming then happens recursively in M .

Substitution will use proofs of coincidence and bound effect lemmas.

Only the free variables of an expression influence its semantics.

Lemma 4 (Bound effect). Only the bound variables of a game are modified by execution.

Summary. By induction on the expression, in analogy to [43] . The latter condition can be relaxed in practice [44] to requiring φ does not mention x under bindings of free variables.

Lemma 5 (Arithmetic-term substitution). If Γ M : φ and the substitu-

Summary. By induction on M . Admissibility holds recursively, and so can be assumed at each step of the induction. For non-atomic M that bind no variables, the proof follows from the inductive hypotheses. For M that bind variables, we appeal to Lemma 3 and Lemma 4.

Just as arithmetic terms are substituted for program variables, proof terms are substituted for proof variables. Soundness of the proof calculus exploits renaming and substitution.

Theorem 1 (Soundness of proof calculus). If Γ M : φ then (Γ φ) is valid. As a special case for empty context ·, if · M : φ, then φ is valid.

Proof summary. By induction on M . Modus ponens case A B reduces to Lemma 6. Cases that bind program variables, such as assignment, hold by Lemma 5 and Lemma 2. Rule W is employed when substituting under a binder.

We have now shown that the CGL proof calculus is sound, the sine qua non condition of any proof system. Because soundness was w.r.t. a realizability semantics, we have shown CGL is constructive in the sense that provable formulas correspond to realizable strategies, i.e., imperative programs executed in an adversarial environment. We will revisit constructivity again in Section 8 from the perspective of proof terms as functional programs.

The Curry-Howard interpretation of games is not complete without exploring the interpretation of proof simplification as normalization of functional programs. To this end, we now introduce a structural operational semantics for CGL proof terms. This semantics provides a view complementary to the realizability semantics: not only do provable formulas correspond to realizers, but proof terms can be directly executed as functional programs, resulting in a normal proof term. The chief subtlety of our operational semantics is that in contrast to realizer execution, proof simplification is a static operation, and thus does not inspect game state. Thus the normal form of a proof which branches on the game state is, of necessity, also a proof which branches on the game state. This static-dynamic phase separation need not be mysterious: it is analogous to the monadic phase separation between a functional program which returns an imperative command vs. the execution of the returned command. While the primary motivation for our operational semantics is to complete the Curry-Howard interpretation, proof normalization is also helpful when implementing software tools which process proof artifacts, since code that consumes a normal proof is in general easier to implement than code that consumes an arbitrary proof.

The operational semantics consist of two main judgments: M normal says that M is a normal form, while M → M says that M reduces to term M in one step of evaluation. A normal proof is allowed a case operation at the top-level, either case A of ⇒ B | r ⇒ C or case * A of s ⇒ B | g ⇒ C . Normal proofs M without state-casing are called simple, written M simp. The requirement that cases are top-level ensures that proofs which differ only in where the case was applied share a common normal form, and ensures that β-reduction is never blocked by a case interceding between introduction-elimination pairs. Top-level case analyses are analogous to case-tree normal forms in lambda calculi with coproducts [4] . Reduction of proof terms is eager.

Definition 10 (Normal forms). We say M is simple, written M simp, if eliminators occur only under binders. We say M is normal,

that inspects the state. Subterms B and C need not be normal since they occur under the binding of or r (resp. s or g).

That is, a normal term has no top-level beta-redexes, and state-dependent cases are top-level. We consider rules [ * ]R, [: * ]I, [?]I, and [:=] I binding. Rules such as * I have multiple premisses but bind only one. While [ * ]R does not introduce a proof variable, it is rather considered binding to prevent divergence, which is in keeping with a coinductive understanding of formula [α * ]φ. If we did not care whether terms diverge, we could have made [ * ]R non-binding.

For the sake of space, this section focuses on the β-rules (Fig. 5) . The full calculus, given in the extended version [12] , includes structural and commutingconversion rules, as well as what we call monotonicity conversion rules: a proof term M • p N is simplified by structural recursion on M . The capture-avoiding substitution of M for p in N is written [M/p]N (Lemma 6). The propositional cases λφβ, λβ, caseβL, caseβR, π 1 β, and π 2 β are standard reductions for applications, cases, and projections. Projection terms π 1 M and π 2 M should not be confused with projection realizers π L (a) and π R (a). Rule unpackβ makes the witness of an existential available in its client as a ghost variable.

Rule FPβ, repβ, and forβ reduce introductions and eliminations of loops. Rule FPβ, which reduces a proof FP(A, s. B, g. C) says that if α * has already terminated according to A, then B proves the postcondition. Else the inductive step C applies, but every reference to the IH g is transformed to a recursive application of FP. If A uses only * S and * G, then FP(A, s. B, g. C) reduces to a simple term, else if A uses * I, then FP(A, s. B, g. C) reduces to a case. Rule repβ says loop induction (M rep p : J. N in O) reduces to a delayed pair We discuss the structural, commuting conversion, and monotonicity conversion rules for left injections as an example, with the full calculus in [12] . Structural rule ·S evaluates term M under an injector. Commuting conversion rule [ ·] C normalizes an injection of a case to a case with injectors on each branch. Monotonicity conversion rule [ ·] • simplifies a monotonicity proof of an injection to an injection of a monotonicity proof. We now complete the study of CGL's constructivity. We validate the operational semantics on proof terms by proving that progress and preservation hold, and thus the CGL proof calculus is sound as a type system for the functional programming language of CGL proof terms.

Lemma 7 (Progress). If · M : φ, then either M is normal or M → M for some M .

Summary. By induction on the proof term M . If M is an introduction rule, by the inductive hypotheses the subterms are well-typed. If they are all simple, then M simp. If some subterm (not under a binder) steps, then M steps by a structural rule. Else some subterm is an irreducible case expression not under a binder, it lifts by the commuting conversion rule. If M is an elimination rule, structural and commuting conversion rules are applied as above. Else by Def. 10 the subterm is an introduction rule, and M reduces with a β-rule. Lastly, if M has form A• x B and A simp, then by Def. 10 A is an introduction form, thus reduced by some monotonicity conversion rule. We gave two understandings of proofs in CGL, as imperative strategies and as functional programs. We now give a final perspective: CGL proofs support synthesis in principle, one of our main motivations. Formally, the Existential Property (EP) and Disjunction Property (DP) justify synthesis [18] for existentials and disjunctions: whenever an existential or disjunction has a proof, then we can compute some instance or disjunct that has a proof. We state and prove an EP and DP for CGL, then introduce a Strategy Property, their counterpart for synthesizing strategies from game modalities. It is important to our EP that terms are arbitrary computable functions, because more simplistic term languages are often too weak to witness the existentials they induce.

Example 1 (Rich terms help). Formulas over polynomial terms can have nonpolynomial witnesses.

Let φ ≡ (x = y ∧ x ≥ 0) ∨ (x = −y ∧ x < 0). Then f = |x| witnesses ∃y : Q φ. Disjunction strategies can depend on the state, so naïve DP does not hold.

Example 2 (Naïve DP). When Γ M :(φ ∨ ψ) there need not be N such that Γ N : φ or Γ N : ψ.

Consider φ ≡ x > 0 and ψ ≡ x < 1. Then · split [x, 0] () :(φ ∨ ψ), but neither x < 1 nor x > 0 is valid, let alone provable. . Now let f = π L (c a) and b = π R (c a) and the result is immediate by the semantics of disjunction.

Following the same approach, we generalize to a Strategy Property. In CGL, strategies are represented by realizers, which implement every computation made throughout the game. Thus, to show provable games have computable winning strategies, it suffices to exhibit realizers. Summary. From proof term M and Theorem 1, we have a realizer for formula α φ or [α]φ, respectively. We proceed by induction on α: the realizer b a contains all realizers applied in the inductive cases composed with their continuations that prove φ in each base case.

While these proofs, especially EP and DP, are short and direct, we note that this is by design: the challenge in developing CGL is not so much the proofs of this section, rather these proofs become simple because we adopted a realizability semantics. The challenge was in developing the semantics and adapting the proof calculus and theory to that semantics.

In this paper, we developed a Constructive Game Logic CGL, from syntax and realizability semantics to a proof calculus and operational semantics on the proof terms. We developed two understandings of proofs as programs: semantically, every proof of game winnability corresponds to a realizer which computes the game's winning strategy, while the language of proof terms is also a functional programming language where proofs reduce to their normal forms according to the operational semantics. We completed the Curry-Howard interpretation for games by showing Existential, Disjunction, and Strategy properties: programs can be synthesized that decide which instance, disjunct, or moves are taken in existentials, disjunctions, and games. In summary, we have developed the most comprehensive Curry-Howard interpretation of any program logic to date, for a much more expressive logic than prior work [32] . Because CGL contains constructive Concurrent DL and first-order DL as strict fragments, we have provided a comprehensive Curry-Howard interpretation for them in one fell swoop. The key insights behind CGL should apply to the many dynamic and Hoare logics used in verification today.

Synthesis is the immediate application of CGL. Motivations for synthesis include security games [40] , concurrent programs with demonic schedulers (Concurrent Dynamic Logic), and control software for safety-critical cyber-physical systems such as cars and planes. In general, any kind of software program which must operate correctly in an adversarial environment can benefit from game logic verification. The proofs of Theorem 2 and Theorem 3 constitute an (on-paper) algorithm which performs synthesis of guaranteed-correct strategies from game proofs. The first future work is to implement this algorithm in code, providing much-needed assurance for software which is often mission-critical or safetycritical. This paper focused on discrete CGL with one numeric type simply because any further features would distract from the core features. Real applications come from many domains which add features around this shared core.

The second future work is to extend CGL to hybrid games, which provide compelling applications from the domain of adversarial cyber-physical systems. This future work will combine the novel features of CGL with those of the classical logic dGL. The primary task is to define a constructive semantics for differential equations and to give constructive interpretations to the differential equation rules of dGL. Previous work on formalizations of differential equations [34] suggests differential equations can be treated constructively. In principle, existing proofs in dGL might happen to be constructive, but this does not obviate the present work. On the contrary, once a game logic proof is shown to fall in the constructive fragment, our work gives a correct synthesis guarantee for it too!

Full abstraction for PCF

The generalised type-theoretic interpretation of constructive set theory

Categorical and Kripke semantics for constructive S4 modal logic

Normalization by evaluation for typed lambda calculus with coproducts

Alternating-time temporal logic

Logic of strategies: What and how? In: van Benthem

Modal logics of space

A propositional dynamic logic for instantial neighborhood models

Logic, Rationality, and Interaction -6th International Workshop, LORI 2017

Dynamic logics of evidence-based beliefs

Foundations of constructive analysis

Constructive hybrid games

Techniques of constructive analysis

A fragment of intuitionistic dynamic logic

Strategy logic

The calculus of constructions

Combinatory logic

Towards intuitionistic dynamic logic

Towards a coalgebraic interpretation of propositional dynamic logic

The intuitionistic temporal logic of dynamical systems

A proof-theoretic semantic analysis of dynamic epistemic logic

A logic of proofs for differential dynamic logic: Toward independently checkable proof certificates for dynamic logics

Presheaf semantics and independence results for some non-classical first-order logics

Strategies made explicit in dynamic game logic. Workshop on Logic and Intelligent Interaction at ESSLLI pp

The basic algebra of game equivalences

A formulae-as-types notion of control

The holy trinity

A first order modal logic and its sheaf models

An axiomatic basis for computer programming

A logic for strategic reasoning

The formulae-as-types notion of construction

Strong normalization of program-indexed lambda calculus

Constructive Kripke semantics and realizability

The Picard algorithm for ordinary differential equations in Coq

Synthesis of strategies using the Hoare logic of angelic and demonic nondeterminism

ModelPlex: Verified runtime validation of verified cyber-physical system models

Realizability: A historical essay

Propositional game logic

A modal logic for coalitional power in games

Game logic -an overview

Concurrent dynamic logic

Differential game logic

A complete uniform substitution calculus for differential dynamic logic

Uniform substitution for differential game logic

Semantical considerations on floyd-hoare logic

Dynamic logic on games with structured strategies

Definability and decision problems in arithmetic

The Coq development team: The Coq proof assistant reference manual

Games in dynamic-epistemic logic

Typed compilation of recursive datatypes

Computable Analysis -An Introduction

Constructive modal logics I

Tableaux for constructive concurrent dynamic logic

), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use

This research was sponsored by the AFOSR under grant number FA9550-16-1-0288. The authors were also funded by the NDSEG Fellowship and Alexander von Humboldt Foundation, respectively.