Sequent Calculi for Skeptical Reasoning in Predicate Default Logic and Other Nonmonotonic Logics ∗

Robert Saxon Milnikel ([email protected]) Department of Mathematics, Kenyon College

Abstract. Sequent calculi for skeptical consequence in predicate default logic, predicate stable model logic programming, and infinite autoepistemic theories are presented and proved sound and complete. While skeptical consequence is decidable in the finite propositional case of all three formalisms, the move to predicate or 1 infinite theories increases the complexity of skeptical reasoning to being Π1-complete. This implies the need for sequent rules with countably many premises, and such rules are employed.

Keywords: Default logic, Stable models, Autoepistemic logic, Sequent calculus

AMS Subject Classiﬁcations: 03B42, 68N17, 68T27

1. Introduction

Skeptical consequence is a notion common to all forms of nonmonotonic reasoning. Every nonmonotonic formalism permits different world views to be justified using the same set of facts and principles; the skeptical consequences of a framework are the notions common to all world views associated with that framework. Our purpose in this paper is to present a Gentzen-style sequent calculus (incorporating some infinitary rules) which will allow us to deduce the skeptical consequences of a given framework. Such sequent calculi (with purely finite rules) were defined for several types of nonmonotonic systems by Bonatti and Olivetti in [6], but they restricted their attention to finite propositional systems for which skeptical consequence is decidable. We will adapt and extend their systems to accommodate infinite predicate systems. We will focus on three types of nonmonotonic reasoning: stable model logic programming (due to Gelfond and Lifschitz, [8]), default logic (due to Reiter, [22]), and autoepistemic logic (due to Moore, [19]). In all three cases, when one steps from the finite and propositional to the predicate and potentially infinite, finding the set of skeptical 1 consequences of a framework goes from being decidable to being Π1- complete, at the same level of the computability hierarchy as true arithmetic. This result was proved for stable model logic program-

∗ This paper grew directly out of the author’s dissertation, written under the direction of Anil Nerode.

c 2004 Kluwer Academic Publishers. Printed in the Netherlands.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.1 2 R.S. Milnikel ming by Marek, Nerode, and Remmel in [13], but it translates to the other systems quite easily. (The reader should be aware that there will be a few computability theoretic ideas and motivations discussed in this introductory section, but that they may be considered “deep background” and will not be a part of the exposition of the main ideas.) 1 0 Π1 sets correspond to finite-path computable (or Π1) subtrees of ω<ω in a very natural way. See [7] for an excellent exposition. This makes skeptical consequence a natural fit for sequent calculi with infinitary rules, since a sequent proof is, at its core, a finite-path tree. Bonatti and Olivetti also addressed credulous consequence (“Can this notion be a part of some world view?”) in their paper, but in the cases they were interested in, this question was also decidable. In our more 1 general context, credulous reasoning is Σ1-complete, not a natural type of question to address with trees-as-proofs. (One could write a sequent 1 calculus for credulous reasoning in Π2 logic, but this would take us too far afield.) Why do we plan to address the nonmonotonic formalisms listed earlier and not others? Default logic, autoepistemic logic, and circumscription are historically the most established frameworks, with stable model logic programming now as widely studied as those three. We will begin with stable model logic programming because it has the simplest classical monotonic base over which the nonmonotonicity is layered. This will permit us to focus on the distinctly nonmonotonic parts of the skeptical sequent calculus in our first encounter with such systems. The reason for excluding circumscription (due to McCarthy, [15]) is easily stated: Skeptical consequence for predicate circumscription was 1 1 shown by Schlipf in [23] to be Π2-complete, not Π1-complete like the 1 other systems mentioned. As I said earlier, a Π2 sequent calculus would take us far beyond the intended scope of this paper. We will also not be discussing Marek, Nerode, and Remmel’s nonmonotone rule systems (see [12]) or McDermott and Doyle’s nonmonotonic modal logics (see [16]). The reasons are twofold in each case. Nonmonotone rule systems have not entered the mainstream of the nonmonotonic reasoning literature, and are also essentially isomorphic to propositional stable model logic programming. The systems of McDermott and Doyle are also not as central to the field as some other formalisms, and would benefit from a more specific study in the context of Artemov’s logic of proofs (see [3]). Why does the move from the propositional to the predicate entail such an enormous increase in complexity? Because in general, it also implies a move from a finite set of rules to an infinite one. In predicate logic programming, an open variable is viewed as an abbreviation for all values which that variable might take on. The standard approach

fulldefaultsequent.tex; 18/06/2004; 16:12; p.2 Predicate Nonmonotone Sequent Calculi 3 is to make each of those possible instantiations explicit, turning a finite predicate logic program over an infinite domain into an infinite program. In default logic, there has been debate since Reiter first defined the framework in 1980 about how to treat unbounded variables in the rules. Reiter ([22]) advocated treating open variables (at least in the negative premises of a default rule) in the same way that they are treated in logic programs: as abbreviations for the same rule with each ground term of the language substituted. Again, this can turn a finite default theory into an infinite grounded one. This is the definition we will use in this paper. However, there is some quite justified criticism of this ap- : MP (x) proach. Under these definitions, the default theory ( , ¬P (a)) P (x) does not imply (∀x)[P (x) ↔ x 6= a]. Lifschitz, in [10], defines extensions (the possible world views associated with default logic) relative to fixed domains. For finite theories and finite domains, everything is decidable, but over infinite domains this is no longer the case. In [18], it is shown that skeptical reasoning over countable domains using 1 Lifschitz’ definition of extension is Π2-complete, the same level as for circumscription. Because nonmonotonic logics deal not only with proof but with lack of proof, we will need not only standard monotone sequent calculi, but also rule systems for showing a lack of proof. (We will call these antisequent calculi, using the terminology of Bonatti from [5].) While propositional provability and lack of provability are decidable, predicate provability is only recursively enumerable, and hence predicate non- 1 provability is co-r.e. Just as Σ1 sets do not lend themselves naturally 1 to tree-based proofs, neither do co-r.e. sets. However, while Σ1 sets 1 required a jump to Π2 logic, co-r.e. sets are easily accommodated in 1 the Π1 framework within which we will already be working. Bringing such enormously powerful logical machinery to bear on such a relatively simple problem may seem like overkill, but it works out quite naturally. The reader is thus warned that infinitary proofs will appear throughout the paper, even when talking about something as simple as lack of a standard predicate logic proof. When discussing autoepistemic logic, we limit ourselves to the propositional case, but with a potentially infinite theory. This puts us at the 1 same Π1 level of complexity as for stable model logic programming and default logic. Predicate autoepistemic logic is discussed in the literature (see, for example, [9]), and the interested reader should not find it difficult to combine the rules specific to predicate logic (from the discussion of default logic) with the results about propositional autoepistemic logic.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.3 4 R.S. Milnikel

We will begin in Section 2 with some preliminary definitions and results about the types of nonmonotonic systems we will consider in this paper. Section 3 presents rudimentary sequent and antisequent calculi for Horn programs, continues with a sequent calculus for skeptical reasoning in stable model logic programming, and concludes with a proof of the soundness and completeness of this calculus. Section 4 concentrates on finding an antisequent calculus for classical predicate logic, and concludes with a very brief treatment of a sequent calculus for skeptical reasoning in default logic. The nonmonotonic aspects of stable model logic programming and default logic are so similar that the sequent calculi are nearly identical and no proof is necessary for the soundness and completeness theorems in this case. Section 5 presents a sequent calculus for skeptical reasoning in infinite propositional autoepistemic theories, and proves soundness and completeness theorems for this calculus. Section 6 looks toward further directions for research.

2. Preliminaries

We will be working with systems based on a variety of languages, both predicate and propositional. We will assume that the reader has some familiarity with classical propositional and predicate logic, including the notion of a Herbrand base for a given predicate language, the standard sequent calculus LK for propositional logic, and the modal operator L.

2.1. Stable Model Logic Programming

Logic programming is a broad and widely studied subfield of computer science. We will concentrate here on only one aspect – finding models of a program given a particular interpretation of negation. For a more general introduction, see [2], [11], or [21]. Definition 2.1. A logic program clause is an expression of the form

p ← q1, . . . , qm, not r1,..., not rn, where p, the qi’s, and the rj’s are atomic formulas of some predicate or propositional language L. If p, all qi’s, and all rj’s are ground atomic formulas, then the clause is called ground.A logic program is a set of logic program clauses. In general, logic programs may deﬁned over a predicate language, but in practice, the ﬁrst step in dealing with a predicate logic program P is to look at ground(P ), the grounding of P . To obtain the grounding

fulldefaultsequent.tex; 18/06/2004; 16:12; p.4 Predicate Nonmonotone Sequent Calculi 5 of a program, one replaces each clause with the set of propositional clauses obtained by all ground substitutions whose domains include all variables appearing in P . (Details can be found in any of the general references cited above.) The principal result here is that a subset M of the Herbrand base of the general logic program is a Herbrand model of the program if and only if M is a model of its propositional grounding. One noteworthy effect of grounding a program is that a finite predicate program in a language with an infinite number of ground terms can have an infinite grounding. Example 2.2. Let L be a language with one constant 0, one unary function S, three unary relations A, A, and B, and three binary relations G, L, and N. Following convention, we will let n stand for n S’s followed by a 0. Let finite program P consist of the following nine clauses:

− L(x, Sx) ← − L(x, Sy) ← L(x, y) − G(Sx, x) ← − G(Sx, y) ← G(x, y) − N(x, y) ← L(x, y) − N(x, y) ← G(x, y) − A(x) ← not A(x) − A(y) ← A(x),N(x, y) − B(0) ← A(x)

The first six clauses make sure that N(x, y) will be true exactly if x 6= y. The next finds some element x so that A(x) is not proven and establishes A(x) for that x. The penultimate clause establishes A(y) for all y 6= x once A(x) has been established for some x. The final clause establishes B(0) if A(x) has been established for any x. Each of these nine clauses has an infinite grounding. The program ground(P ) consists of the union of the groundings of all of the clauses. We won’t address each, but let us look at A(x) ← not A(x) and A(y) ← A(x),N(x, y). The grounding of A(x) ← not A(x) consists of:

− A(0) ← not A(0) − A(1) ← not A(1)

fulldefaultsequent.tex; 18/06/2004; 16:12; p.5 6 R.S. Milnikel

− A(2) ← not A(2) − A(3) ← not A(3) . .

The grounding of A(y) ← A(x),N(x, y) consists of:

− A(0) ← A(0),N(0, 0) − A(1) ← A(0),N(0, 1) − A(0) ← A(1),N(1, 0) − A(2) ← A(0),N(0, 2) − A(1) ← A(1),N(1, 1) − A(0) ← A(2),N(2, 0) − A(3) ← A(0),N(0, 3) − A(2) ← A(1),N(1, 2) − A(1) ← A(2),N(2, 1) − A(0) ← A(3),N(3, 0) . .

Because we will come back to this example throughout this section and the next, let us also set up some shorthand, using HP to refer to the Horn portion of ground(P ), the ground instantiations of all clauses of P except A(x) ← not A(x). Although there are debates about the proper way to deal with negation in logic programs, the interpretation of Horn programs—programs consisting entirely of Horn clauses—is straightforward. A logic program clause p ← q1, . . . , qm, not r1,..., not rn, is called Horn if m ≥ 0 and n = 0. Deﬁnition 2.3. Let P be a Horn program in language L. We will say that a set M ⊆ BH (where BH is the Herbrand base of L) is a Herbrand model of P if for each clause

p ← q1, . . . , qm of ground(P ), p ∈ M whenever {q1, . . . , qm} ⊆ M.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.6 Predicate Nonmonotone Sequent Calculi 7

It is a well-known fact that Horn programs have least Herbrand models. The reader man see any of the general references on logic programs for a proof. Also, because we will need the fact later, let us mention the analog of the Compactness Theorem for Horn programs. If p is in the least model of a Horn program P , then there is some ﬁnite P 0 ⊆ ground(P ) such that p is in the least model of P 0. The basic idea for the interpretation of negation we will be interested in, proposed in part by Apt ([1]) and more fully by Gelfond and Lifschitz ([8]), is to interpret a clause

p ← q1, . . . , qm, not r1,..., not rn as “if all qi are true (derived), and no ri is true (derivable), then p is true (can be derived).” To formalize this interpretation, we will guess at a model of a program P . We will boldly assume that our guess is a model of the interpretation we just outlined. Based on that assumption, we will be concerned only with clauses in which none of the rj’s appear in our guessed-at model. If from the remaining clauses, we can derive all and only the elements of our guessed-at model, our guess was a good one.

Deﬁnition 2.4 (Reduct of a Logic Program). Let M be a subset of BH , the Herbrand base of some predicate language.

1. A clause p ← q1, . . . , qm, not r1,..., not rn

is irrelevant with respect to M if at least one rj is in M. 2. Let P be a logic program. The reduct of P with respect to M, denoted by P M , is obtained from ground(P ) by:

a) Removing all clauses that are irrelevant with respect to M.

b) Removing each premise not rj from the remaining clauses.

What remains after taking the reduct P M of a program P is a ground Horn program.

Deﬁnition 2.5 (Stable Model). Let P be a logic program and let M be a subset of BH , the Herbrand base of the language of P . The set M is a stable model of P if M coincides with the least model of the reduct P M .

Stable models of a program P are the “good guesses” for models alluded to earlier.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.7 8 R.S. Milnikel

Example 2.6. Let us reexamine Example 2.2 in light of these two deﬁnitions to get a sense of what the stable models of P might be.

− Let M1 ⊇ {A(3), A(3)}. We can see that M1 is not a stable model of P , since P M1 will not include A(3) ←, the Horn reduct of A(3) ← not A(3). There is no other rule in all of ground(P ) with conclusion A(3), so P M1 is not suﬃcient to prove A(3).

− Let M2 ⊇ {A(1),A(3)}. We can see that M2 is not a stable model of P , since we require M2 to be closed under all rules in M P 2 ⊇ HP . Because A(1) ∈ M2, A(3) ← A(1),N(1, 3) ∈ HP , and there are also in HP clauses suﬃcient to prove N(1, 3), we see that A(3) ∈ M2, putting us back in the case of M1.

M − Let M3 = {A(0), A(1), A(2), A(3),...}. In this case, P 3 = HP . The least model of HP includes no elements of the form A(n) or A(n) for any n. So M3 is not a stable model of P .

− Let M4 be the least model of HP . Because A(n) ∈/ M4 for all M n, P 4 = HP ∪ {A(0) ← ,A(1) ← ,A(2) ← ,A(3) ← ,...}. Thus both A(n) and A(n) are in the least model of P M4 for all n, and this is considerably more than was in M4 to begin with. Thus, M4 is not a stable model of P .

0 0 − Let M5 = {A(3),B(0)} ∪ {A(n)|n 6= 3}, and let M5 be M5 M together with the least model of HP . This makes P 5 = HP ∪

{A(3) ← }. It turns out that the least model of PM5 is exactly M5, and M5 is a stable model.

We will assume without any more formal proof that all stable models of P are similar to M5, with diﬀerent numbers substituted for 3.

2.2. Default Logic

Default logic is one of the most intuitive and widely-studied nonmonotonic formalisms. Default logics are built upon classical propositional or predicate logic, and we will assume the reader is familiar with the languages and the basics of axiomatic treatments of these logics.

Deﬁnition 2.7 (Default). Let L be a predicate language. A default is a triple hϕ, Ψ, θi where ϕ and θ are formulas from L and Ψ = {ψ1, . . . , ψn} is a ﬁnite set of formulas from L. A default is usually written ϕ : Mψ , . . . , Mψ 1 m , θ

fulldefaultsequent.tex; 18/06/2004; 16:12; p.8 Predicate Nonmonotone Sequent Calculi 9 with the intended interpretation “if ϕ is true and each ψi is possible, conclude θ.” The formula ϕ will be called the prerequisite of the default, Ψ the justifications, and θ the conclusion. If d contains formulas with unbounded variables, we will refer to the default as open. A default that is not open is closed. A default theory is a pair (D,W ), where D is a set of defaults and W is a set of formulas of L. Note that we do not restrict D or W to being finite. If both D and W are finite, we will refer to (D,W ) as a finite default theory. If D contains open defaults, we will call (D,W ) an open default theory. If D consists entirely of closed defaults, we will call (D,W ) closed. As was the case with logic programs, we will not want to work directly with default rules with open formulas, but will look at a default with an open formula among its prerequisite, justifications, and conclusion as an abbreviation for the set of groundings of that formula. ϕ; Mψ , . . . , Mψ Let d = 1 n be an open default. The grounding of d, θ denoted ground(d), will be the set of closed defaults obtained by replacing each unbounded variable x occurring in d by some ground term t of L, and doing so uniformly throughout the default. (If d is not open, let ground(d) = {d}.) Let us define the grounding of a set D of defaults to be the set of all defaults occurring in the grounding of some default in D. (So ground(D) = S{ground(d)|d ∈ D}.) We will occasionally abuse notation by writing ground((D,W )) for (ground(D),W ). Note that D = ground(D) if D is closed. One effect of grounding is that if L contains an infinite number of ground terms, then even when D is finite, ground(D) might be infinite. So just as for logic programs, a finite open default theory can lead to an infinite grounding. It will simplify work we will do later to look at sets which contain both defaults and formulas. We can define the language Ldef as the union of all formulas in L with the collection of all defaults constructed from formulas of L. This will allow us to express the default theory (D,W ) as the single set D ∪ W in Ldef . The intended reading of a default should put the reader in mind of our interpretation of negation in logic programs. Indeed, default logic is basically stable model logic programming using not only the language of classical logic but the rules of deduction in that logic as well. (Many would counter that the situation is in fact the reverse, that stable model logic programming is default logic with the classical deduction removed. There are good arguments on each side and, happily, we do not need to resolve the issue in this forum.)

fulldefaultsequent.tex; 18/06/2004; 16:12; p.9 10 R.S. Milnikel ϕ : Default rules without justifications ( ) are monotonic and classi- θ cal in nature. It should not cause confusion if we conflate these with ϕ classical rules of inference of the form . When such rules arise from θ ϕ : Mψ , . . . , Mψ considering a default 1 n in a context in which the θ ψi’s are guaranteed to be possible, we will call them residues. We will define Lres analogously to Ldef , as the formulas of L taken together with residues built from L. Residues behave like Horn program clauses, and just as Horn programs have least Herbrand models and classical sets of formulas have deductive closures, so too we can define the closure of a subset of Lres. We will say that the closure of a set Γ ⊆ Lres, denoted Cl(Γ), is the least set T of formulas of L which is deductively closed, Γ∩L ⊆ T , and ϕ has the additional property that if ∈ Γ and ϕ ∈ T then θ ∈ T . θ We are now in a position to define reducts of default theories and extensions for default theories precisely on analogy with reducts and stable models of logic programs. Definition 2.8 (Reduct of a Default Theory). Let S be a set of formulas of L.

1. A default ϕ : Mψ1, . . . , Mψn θ is irrelevant with respect to S if ¬ψj ∈ S for at least one ψj. 2. Let Γ be a closed default theory (in Ldef ). The reduct of Γ with respect to S, denoted by ΓS, is obtained from Γ by:

a) Removing all defaults that are irrelevant with respect to S. b) Replacing each remaining default

ϕ : Mψ1, . . . , Mψn θ ϕ with its residue . θ

What remains after taking the reduct ΓS of a default theory Γ is a residue theory. Deﬁnition 2.9 (Default Extension). Let Γ = D ∪ W be a closed default theory. We say that a set of formulas S of L is a default extension for Γ if S = Cl(ΓS). We will say that S is an extension of open default theory Γ if S is an extension of ground(Γ).

fulldefaultsequent.tex; 18/06/2004; 16:12; p.10 Predicate Nonmonotone Sequent Calculi 11

2.3. Stable Theories and Autoepistemic Logic

Moore’s autoepistemic logic ([19]) is an approach alternative to those above which tries to capture the intuitions behind positive and negative introspection more directly. The difference between this approach and the others we have presented so far is that we use our context both positively and negatively to reflect positive and negative introspection. In many ways, this is the most straightforward and intuitive approach one can take. The language for autoepistemic logic will be LL, a propositional language L extended by the modal operator L. However, we will not be interested in traditional modal interpretations of LL, but in a strictly propositional interpretation, in which every formula of the form Lϕ is treated as an independently valued proposition. (Traditional modal logic will come up once, very briefly. The premise of a proposition will be that a theory T ∈ LL is consistent with S5. If the reader is not familiar with modal logics in general, this proposition and its use in the midst of the final proof of the paper can safely be skimmed.) The analogue in autoepistemic logic of a stable model or extension is a stable expansion. A stable expansion is a special sort of stable theory. Before we define stable expansions, let us define stable theories and list some of their elementary properties. Most of these results are due to Moore ([20]). Proofs can be found in [14].

Deﬁnition 2.10. A propositionally deductively closed theory T ⊆ LL is called stable if it meets the following two criteria:

− For every ϕ ∈ LL, if ϕ ∈ T then Lϕ ∈ T .

− For every ϕ ∈ LL, if ϕ∈ / T then ¬Lϕ ∈ T . To state the results we want, we will need several further deﬁnitions.

Deﬁnition 2.11. − The L-depth of a formula ϕ ∈ LL, denoted dL(ϕ), is deﬁned recursively.

• If ϕ ∈ L, then dL(ϕ) = 0.

• If ϕ = ¬ψ, then dL(ϕ) = dL(ψ).

• If ϕ = ψ1 ∨ ψ2, ϕ = ψ1 ∧ ψ2, or ϕ = ψ1 → ψ2, then dL(ϕ) = max{dL(ψ1), dL(ψ2)}.

• If ϕ = Lψ, then dL(ϕ) = dL(ψ) + 1.

− LL,n = {ϕ ∈ LL|dL(ϕ) ≤ n}.

− Given T ⊆ LL,[T ]n = T ∩ LL,n.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.11 12 R.S. Milnikel

Proposition 2.12. Let T ⊆ LL be stable. For every integer n ≥ 0,

[T ]n+1 = Th([T ]n ∪ {Lϕ|ϕ ∈ [T ]n} ∪ {¬Lϕ|ϕ ∈ LL,n \ [T ]n}) ∩ LL,n+1.

Proposition 2.13. Let U ⊆ LL be consistent with S5. Then there is a unique stable and consistent theory T such that U ⊆ T . Proposition 2.14. If T is a stable consistent theory, then

T = Th([T ]0 ∪ {Lϕ|ϕ ∈ T } ∪ {¬Lϕ|ϕ∈ / T }). Proposition 2.15. If T is a stable consistent theory, then for every ϕ ∈ LL, either Lϕ ∈ T or ¬Lϕ ∈ T , and not both. We will now deﬁne stable expansions, the main object of study in autoepistemic logic.

Deﬁnition 2.16 (Stable Expansion). A set of formulas T ⊆ LL is a stable expansion of A ⊆ LL if and only if T is a consistent set of formulas for which T = Th(A ∪ {Lϕ|ϕ ∈ T } ∪ {¬Lϕ|ϕ∈ / T }).

2.4. Skeptical Consequence

If we think of stable models or extensions or stable expansions as coherent, justified points of view in a framework represented by the rules of the logic program or default theory or autoepistemic theory, there are two important sets of formulas we want to take note of: those which can be part of some coherent, justified point of view, and those which must be part of any coherent, justified point of view. If you take as your set of conclusions things which are present in at least one stable model (or extension or stable expansion), you are reasoning credulously or bravely (both terms are widely used). If, on the other hand, you believe only those facts true in all stable models (or extensions or stable expansions), you are reasoning skeptically or cautiously. (The standard contrasts are credulous vs. skeptical reasoning and brave vs. cautious reasoning.) A question arises: What is the set of skeptical consequences of a logic program P if P has no stable models? One might be tempted to consider the set of skeptical consequences empty, but it is generally accepted that this is not the approach to use. On the contrary, if P has no stable models, every element p of the Herbrand base is considered a skeptical consequence of P . The most intuitive argument for this is to look at the sentence “p is a member of every stable model of P ”. It is vacuously true if there are no stable models of P . Of course, this same argument applies equally well to default and autoepistemic logic. We will be concerned in this paper only with skeptical consequence, so we will limit the formal definitions to that term.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.12 Predicate Nonmonotone Sequent Calculi 13

Deﬁnition 2.17 (Skeptical Consequence).

− A ground atomic formula p in predicate language L is in the set of skeptical consequences of a logic program P if for every stable model M of P , p ∈ M. − A formula ϕ predicate language L is in the set of skeptical consequences of a default theory (D,W ) if for every extension S of (D,W ), ϕ ∈ S.

− A formula ϕ in propositional modal language LL is in the set of skeptical consequences of autoepistemic theory A if for every stable expansion T of A, ϕ ∈ T . Example 2.18. We will continue to exploit Example 2.2. We saw in Example 2.6 that stable models of P all look like {A(n0),B(0)} ∪ {A(n)|n 6= n0}, along with some statements about G, L, and N. The only items common to all of these are B(0) plus the consequences of HP , making {B(0)} ∪ Cl(HP ) the set of skeptical consequences of P . There is no compactness theorem for skeptical consequence. By that we mean that although in each particular stable model M of P , some ﬁnite portion of P M was used to prove B(0), there is no ﬁnite portion of ground(P ) which is responsible for B(0) being present in all stable models.

3. An Inﬁnitary Sequent Calculus for Skeptical Stable Model Logic Programming

Throughout this section, we will assume that we are working in a countable language L with Herbrand base BH . The definition of a stable model insists that certain members of M BH be derivable (that P be sufficient to derive all members of M) and that others not be derivable (that P M not be able to derive any member of BH \M). Thus, as we accumulate information about potential stable models by backtracking through a sequent proof, we will find that we need to establish, at various points, both derivability and non-derivability. Because of the compactness of classical monotone derivability, establishing derivability will be straightforward. Estab- lishing non-derivability, on the other hand, will be quite complicated. However, when we limit ourselves to finite sets of premises, derivability and non-derivability are decidable and relatively straightforward to establish. Following Bonatti and Olivetti’s model ([6]), as we will

fulldefaultsequent.tex; 18/06/2004; 16:12; p.13 14 R.S. Milnikel do for most of the rest of the paper, let us begin our exploration of nonmonotonic inference with rules for monotone derivability and non-derivability.

3.1. Finite Monotone Sequents and Antisequents for Logic Programs

We will be interested in when a finite set of ground program clauses Γ can and can not prove some element (or one of several elements) of BH . We will define a monotone logic program sequent as a pair hΓ, ∆i, usually written Γ ` ∆, where Γ is a finite set of ground Horn program clauses and ∆ is a finite subset of BH . We will say that a sequent Γ ` ∆ is true if some element of ∆ is in the unique least model of Γ. Just as it was safe when talking about residues to conflate justification- ϕ : ϕ free defaults with propositional rules of inference , so it will be θ θ safe here to conflate elements p ∈ BH with program clauses p ←. Provability in Horn Logic Programming is so straightforward that we will need only axiom and one sequent rule. A sequent Γ ` ∆ is an axiom if and only if Γ ∩ ∆ 6= ∅. Our only rule of inference will be Γ ` q , ∆ ... Γ ` q , ∆ Γ, p ` ∆ 1 m . Γ, (p ← q1, . . . , qm) ` ∆ Proposition 3.1. Monotone logic program sequent Γ ` ∆ is derivable if and only if it is true.

Proof. To show that derivable sequents are true, we must establish the soundness of our axiom and of our rule. The soundness of the axiom is apparent. If p ∈ Γ ∩ ∆, then p ← is a rule of program Γ and p will be an element of any model of Γ. The soundness of our rule is almost as apparent. Assume that Γ ` qi, ∆ is true for 1 ≤ i ≤ m, and that Γ, p ` ∆ is true, but that Γ, (p ← q1, . . . , qm) ` ∆ is not true. There is a Herbrand model M of Γ, (p ← q1, . . . , qm) which excludes all elements of ∆. By the deﬁnition of Herbrand model, any model of Γ, (p ← q1, . . . , qm) is a model of Γ, so M is a model of Γ excluding all elements of ∆. By the truth of each of the sequents Γ ` qi, ∆, any model of Γ which excludes all of ∆ must therefore include {q1, . . . , qm}. Thus M is a model of Γ, (p ← q1, . . . , qm) which contains all of {q1, . . . , qm}. That means p ∈ M and M is a model of Γ, p. By the truth of Γ, p ` ∆, M must include some element of ∆. This is our desired contradiction. We will show by induction on the number n of rules p ← q1, . . . , qm in Γ with m > 0 that if Γ ` ∆ is not provable, it is not true. If n = 0 and Γ ` ∆ is not provable, then both Γ and ∆ are, in eﬀect, subsets of

fulldefaultsequent.tex; 18/06/2004; 16:12; p.14 Predicate Nonmonotone Sequent Calculi 15

BH and Γ ∩ ∆ = ∅. In that case, Γ itself is a model of Γ which excludes all members of ∆. Now let us assume that n > 0. If Γ, (p ← q1, . . . , qm) ` ∆ is not provable, then either Γ, p ` ∆ is not provable or Γ ` qi, ∆ is not provable for some 1 ≤ i ≤ m. By our induction hypothesis, any of the sequents just listed which is unprovable is also not true. Thus, either there is a model M of Γ, p which excludes all of ∆ or there is a model M of Γ which excludes not only all of ∆ but also excludes some qi. In either case, M is a model of Γ, (p ← q1, . . . , qm) which excludes all of ∆ and hence Γ, (p ← q1, . . . , qm) ` ∆ is not true.

Example 3.2. Continuing to use the language of Example 2.2, let us give a sequent proof that A(0),B(0) ← A(0) ` B(0).

A(0) ` B(0),A(0) A(0),B(0) ` B(0) A(0),B(0) ← A(0) ` B(0) Both premises, in this case, are axioms.

Antisequents will be defined in a way quite similar to sequents. A monotone logic program antisequent is a pair hΓ, ∆i usually written Γ 0 ∆ with Γ a finite ground Horn program and ∆ a finite subset of BH . An antisequent Γ 0 ∆ will be considered true if there is a model of Γ which excludes all of ∆. Although we will again need only one axiom scheme, Γ ` ∆ with Γ ⊆ BH and Γ ∩ ∆ = ∅, we will need two antisequent rules: Γ ∆ Γ q Γ, p ∆ 0 0 i (for any 1 ≤ i ≤ m) and 0 . Γ, (p ← q1, . . . , qm) 0 ∆ Γ, (p ← q1, . . . qm) 0 ∆ Proposition 3.3. Monotone logic program antisequent Γ 0 ∆ is provable if and only if it is true.

Proof. Again, the soundness of the axiom is apparent. If Γ ⊆ BH and Γ ∩ ∆ = ∅, then Γ itself is a model of Γ excluding ∆. The soundness of each of the rules is also easy to see. If there are models M 0 and M 00 of Γ excluding all of ∆ and some qi respectively, then M, the least model of Γ, will exclude all of ∆ and at least one of the qi’s. That means that M is a model of Γ, (p ← q1, . . . , qm) which excludes all of ∆. Even more simple is the other rule. Any model of Γ, p is also a model of Γ, (p ← q1, . . . , qm), so if there is a model of Γ, p which excludes ∆, the same model will also be a model of Γ, (p ← q1, . . . , qm) which excludes ∆. To show that any antisequent Γ 0 ∆ which is not derivable is false we will again use induction on the number n of rules in Γ which are of

fulldefaultsequent.tex; 18/06/2004; 16:12; p.15 16 R.S. Milnikel the form p ← q1, . . . , qm with m > 0. If n = 0, Γ ⊆ BH but Γ 0 ∆ is not provable, so Γ ∩ ∆ 6= ∅. Of course any p ∈ Γ (technically p ← is in Γ) will be a member of any model of Γ, so if Γ ∩ ∆ 6= ∅, no model of Γ will exclude all of ∆. If n > 0, assume that Γ, (p ← q1, . . . , qm) 0 ∆ is not derivable. This means that either Γ 0 ∆ is not provable or Γ 0 qi is not provable for all 1 ≤ i ≤ m (and by inductive hypothesis not true). Thus, either it is the case that every model of Γ contains some element of ∆ or it is the case that every model of Γ contains all of {q1, . . . , qm}. By the non-derivability of Γ, (p ← q1, . . . , qm) 0 ∆ we also know that Γ, p 0 ∆ is not derivable and by induction not true. This means that every model of Γ, p contains some element of ∆. Let M be any model of Γ, (p ← q1, . . . , qm). Because M is a model of Γ, either it contains some element of ∆, or it contains all of {q1, . . . , qm}. If M is a model of p ← q1, . . . , qm and {q1, . . . , qm} ⊆ M, then p ∈ M. If M is a model of Γ and p ∈ M, then M is a model of Γ, p and thus contains some element of ∆. We have just shown that any model of Γ, (p ← q1, . . . , qm) contains some element of ∆ and thus that Γ, (p ← q1, . . . , qm) 0 ∆ is not true.

Example 3.4. Continuing to use the language of Example 2.2, let us show that A(3), (A(0) ← A(6),N(6, 0)), (G(7, 4) ← G(6, 4)) 0 A(0).

A(3),G(7, 4) 0 A(0) A(3),G(7, 4) 0 A(6) A(3),G(7, 4), (A(0) ← A(6),N(6, 0)) 0 A(0) A(3), (G(7, 4) ← G(6, 4)), (A(0) ← A(6),N(6, 0)) 0 A(0) Both top sequents are axioms.

3.2. Skeptical Sequent Calculus

One can think of Gentzen proof systems as failed exhaustive searches for countermodels. Thus, what we will want to do as we search for a countermodel to the claim “All stable models of program P contain p” is keep track of which elements of BH are in and out of our potential countermodel to the claim. We will want to make sure that all elements of BH we would like to see in our potential countermodel do, in fact, have proofs; and we want also to make sure that all elements of BH we plan to exclude do not have proofs. Finally, we will use our increas- ing information about the potential countermodel to determine which clauses of P will be dismissed as irrelevant and which will be retained as Horn clauses in the reduct.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.16 Predicate Nonmonotone Sequent Calculi 17

The sequents for skeptical reasoning for logic programs will be triples hΣ, Γ, ∆i, usually notated Σ; Γ|∼∆. This notation is drawn directly from [6]. The sets Γ and ∆ are fairly straightforward. Γ is a ground logic program and ∆ is a subset of BH , neither necessarily finite. The set Σ is more complicated. In Bonatti and Olivetti’s formulation, it was a finite collection provability constraints of the form Lp or ¬Lp where p ∈ BH . The intention was to suggest the modal operator L, and indicate whether p was in or out of our potential countermodel, as it exists so far. We will need to extend the notion of a provability constraint to be more explicit than “p can be proved.” We will need to be able to say “p can be proved from these specific rules.” Thus, in addition to provability constraints of the form Lp and ¬Lp (which we will call implicit provability constraints), we will also include explicit provability constraints LΓp where Γ is a finite ground Horn program. The intended meaning of LΓp is “Γ ` p.” Together, explicit and implicit provability constraints will be known as general provability constraints. We can now finally describe Σ as a finite set of general provability constraints. We will say that a M ⊆ BH satisfies Lp if p ∈ M and satisfies ¬Lp if p∈ / M. We will say that M satisfies LΓp if p ∈ M and in addition Γ ` p. The reader may wonder why we do not need explicit provability constraints of the form ¬LΓp. We will be making claims both of the form “p has a proof” and of the form “p has no proof”. To contradict a claim of the form “p has no proof,” it is necessary simply to exhibit a single proof of p. On the other hand, to contradict a claim of the form “p has a proof,” we must look at all possible proofs of p, that is, all (relevant) explicit proof constraints. Before we proceed to the axioms and rules for the skeptical sequent calculus, let us establish the meaning of the sequents. We will say that Σ; Γ|∼∆ is true if every stable model M of the program Γ which satisfies all constraints in Σ includes at least one member of ∆. Thus, p is a skeptical consequence of the logic program P if ∅; ground(P )|∼p is a true sequent. (As usual, we will abuse notation by writing p for {p} and ∆, p for ∆ ∪ {p} in sequents.) We are now finally in a position to define the sequent calculus for skeptical reasoning in stable model logic programming. This calculus incorporates three sorts of sequents, in fact: monotone logic program sequents, monotone logic program antisequents, and the skeptical reasoning sequents just defined. The sequent calculus for skeptical reasoning will include all axioms and rules of the monotone sequent and antisequent calculi, plus five new rules. (No additional axioms will be necessary. The leaves of every proof tree will be monotone sequent and antisequent axioms.)

fulldefaultsequent.tex; 18/06/2004; 16:12; p.17 18 R.S. Milnikel

Deﬁnition 3.5 (Skeptical Sequent Calculus—Logic Program- ming). The axioms of the skeptical sequent calculus are monotone logic program sequents Γ ` ∆ with Γ ⊆ BH and Γ ∩ ∆ 6= ∅; and monotone logic program antisequents Γ 0 ∆ with Γ ⊆ BH and Γ ∩ ∆ = ∅. The rules are:

0. The three rules of the monotone sequent and antisequent calculi. Σ0, Γ0 ` ∆0 1. where Γ0 ⊆ Γ is a finite ground Horn program, Σ0 ⊆ Σ; Γ|∼∆ 00 0 ({p|Lp ∈ Σ} ∪ {p|LΓ00 p ∈ Σ for some Γ }), and ∆ ⊆ ∆ is finite. Σ0, Γ0 ` p 2. where Γ0 ⊆ Γ is a finite ground Horn program, Σ0 ⊆ ¬Lp, Σ; Γ|∼∆ 00 ({p|Lp ∈ Σ} ∪ {p|LΓ00 p ∈ Σ for some Γ }).

Γ0 0 p 3. where Γ0 is a finite ground Horn program. LΓ0 p, Σ; Γ|∼∆ 0 0 0 0 {LΓ0 p, Σ, Σ0;Γ0, (Γ \ Γ )|∼∆|Γ ⊆ Γ is finite} 4. 0 where Γ0 = {p ← Lp, Σ; Γ|∼∆ 0 0 0 q1, . . . , qm| p ← q1, . . . , qm, not r1,..., not rn ∈ Γ },Σ0 = {¬Lr|r = 0 rj for some p ← q1, . . . , qm, not r1,..., not rn ∈ Γ and some 1 ≤ j ≤ n}. ¬Lr ,..., ¬Lr , Σ; Γ, (p ← q , . . . , q )|∼∆ Lr , Σ; Γ|∼∆ ··· Lr , Σ; Γ|∼∆ 5. 1 n 1 m 1 n Σ; Γ, (p ← q1, . . . , qm, not r1,..., not rn)|∼∆ The reader may recall from the introduction that we noted that infinitary rules of inference would be necessary in some cases. When applied to a sequent with an infinite Γ, rule 4 has infinitely many premises. Let us examine what each of these rules accomplishes, thinking of ourselves as traversing a completed proof backwards, from conclusions to premises, examining each branch as a failed attempt to find a coun- terexample to the assertion made at the root of the tree. Just as we are moving backwards through the proof, let us also move backwards through the rules. Rule 5 says: “Either clause p ← q1, . . . , qm, not r1,..., not rn is relevant or it is not. If it is relevant, make sure that the context reflects that, and put the reduct p ← q1, . . . , qm into our list of usable Horn clauses. If it is not relevant, it must be because one of the rj’s is in the context.” Rule 4 says: “If we are asserting that p is in the stable model we are trying to build, it must have a proof from the available clauses.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.18 Predicate Nonmonotone Sequent Calculi 19

Because in different stable models, it might have different proofs, we will need to examine each possible proof independently. If non-Horn clauses from Γ are used, update the context to reflect their usability and replace them in Γ with their reducts.” Rule 3 says: “If we have said that Γ0 ` p and yet we can show that Γ0 0 p, show this and stop.” Rule 2 says: “If we have said that p has no proof, and yet from what we already know about the potential stable model we are building we can show that that model must contain p, show this and stop.” Rule 1 says: “If from what we already know about the potential stable model we are building, we can show that a member of ∆ must be in that stable model, show this and stop.” Before we state and prove the soundness and completeness theorems for the skeptical sequent calculus, let us finish the journey started in Example 2.2 and continued in Examples 2.6, 2.18, 3.2, and 3.4. Because of the complexity of the example, the long lists of clauses involved, and the infinite numbers of premises, we will not write out a complete proof, or even assemble the parts we will look at in detail. We will consider the sequents we will need on an individual basis and leave it to the reader to assemble the proof in something like its entirety. Example 3.6. We stated in Example 2.18 that B(0) is in the set of skeptical consequences of program P from Example 2.2. Let us now show how our skeptical sequent calculus would prove this. We will again use the abbreviation HP to refer to the entire Horn portion of ground(P ). The sequent we want to prove, then is:

; HP , (A(0) ← not A(0)), (A(1) ← not A(1)), (A(2) ← not A(2)),... |∼B(0). We will prove this sequent by rule 5. The two premises we will need are:

¬LA(0); HP ,A(0), (A(1) ← not A(1)), (A(2) ← not A(2)),... |∼B(0) and

LA(0); HP , (A(1) ← not A(1)), (A(2) ← not A(2)),... |∼B(0). These sequents will have very diﬀerent proofs. We can prove the former by means of rule 2, since A(0) and B(0) ← A(0) are among the Horn clauses in the Γ of the sequent, and we saw in Example 3.2 a proof of A(0), (B(0) ← A(0)) ` B(0). The latter we will prove by means of rule 4, which will have inﬁnitely many premises, each of the form 0 0 0 L 0 , Σ ;Γ , (Γ \ Γ )|∼B(0) Γ0 0 0

fulldefaultsequent.tex; 18/06/2004; 16:12; p.19 20 R.S. Milnikel where

Γ = HP ∪{(A(1) ← not A(1)), (A(2) ← not A(2)), (A(3) ← not A(3)),...}. We will look at a few representative premises. In each case, writing out the sequent with Γ0 and the other terms expanded to ﬁt the particular case would be unwieldy, so we will simply use the template above and 0 refer to Γ0 and so forth by name. − In the case that Γ0 consists of A(3) ← not A(3) and A(0) ← 0 A(3),N(3, 0) plus enough of HP to prove N(3, 0), Γ0 will consist of A(3) and A(0) ← A(3),N(3, 0) together with the rest of the 0 0 Horn portions of Γ .Σ0 will consist of ¬LA(3). 0 In this case, the premise can be proved using rule 1, since A(3) ∈ Γ0 and B(0) ← A(3) ∈ (Γ \ Γ0), and A(3), (B(0) ← A(3)) ` B(0). − In the case that Γ0 consists of A(3) ← not A(3), A(0) ← A(3),N(3, 0), and A(4) ← not A(4), plus enough of HP to prove N(3, 0), we could proceed just as in the above case. We do have another option open to us in this case, though, which will illustrate the use of rule 0 0 2. Γ0 will include both A(3) and A(4), while Σ0 will consist of both ¬LA(3) and ¬LA(4). 0 0 By taking A(3) from Γ0 and the relevant portions of HP from Γ\Γ , we can show that A(3), (A(4) ← A(3),N(3, 4)), (N(3, 4) ← L(3, 4)),L(3, 4) ` A(4) and use rule 2 to prove the desired sequent.

0 0 − In the case that Γ is drawn entirely from HP , say Γ consists of 0 0 G(7, 4) ← G(6, 4) and A(0) ← A(6),N(6, 0), we see that Γ0 = Γ , 0 and we can show Γ0 0 A(0). That is to say we can prove (G(7, 4) ← G(6, 4)), (A(0) ← A(6),N(6, 0)) 0 A(0) and use rule 3 to prove our sequent.

We have seen that we can derive at least some of the sequents which are rule 4 premises using rules 1, 2, and 3. In fact, all of the inﬁnite set of premises of our particular application of rule 4 can be proved using these three rules. One application of rule 4 gets us one of our two premises of our desired case of rule 5, and the other was proved directly by rule 2. With one application of rule 5, our deduction is complete. Theorem 3.7. If a stable model logic programming skeptical reasoning sequent Σ; Γ|∼∆ is provable then it is true.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.20 Predicate Nonmonotone Sequent Calculi 21

Proof. We will establish the soundness of each of our rules:

0. The soundness of the monotone sequent and antisequent rules has already been established.

1. Any stable model M of Γ satisfying Σ will contain Σ0 and will be 0 0 closed under all clauses of Γ , so if any subset of BH containing Σ and closed under Γ0 must contain an element of ∆, then of course M must contain an element of ∆.

2. Any stable model M of Γ satisfying Σ will contain Σ0 and will be closed under all clauses of Γ0 and so must contain p. Thus, there will be no stable model of Γ satisfying Σ and ¬Lp, and the conclusion is vacuously true.

3. If Γ0 0 p, then it is impossible for any subset M of BH to satisfy

LΓ0 p, and thus the conclusion is vacuously true. 4. Suppose that the conclusion of the rule, Lp, Σ; Γ|∼∆, were false. That is, assume that there is a stable model M of Γ satisfying Σ with M ∩ ∆ = ∅ and p ∈ M. Because p is in the least Herbrand M 0 M model of Γ , there must be some finite Γ0 ⊆ Γ such that p is in 0 0 the least Herbrand model of Γ0. Define Γ as the set of clauses of 0 0 Γ whose M-reducts form Γ0. Because Γ consists entirely of rules 0 which survive the M-reduction process, and because of the way Σ0 was defined, we get essentially for free that M is a stable model 0 0 0 of Γ0 ∪ (Γ \ Γ ) satisfying Σ0 ∪ Σ. M is therefore a witness that 0 0 0 L 0 p, Σ , Σ; Γ , (Γ \ Γ )|∼∆ is false. Thus, if all premises of rule 4 Γ0 0 0 are true, so is the conclusion.

5. Suppose that the conclusion of the rule,

Σ; Γ, (p ← q1, . . . , qm, not r1,..., not rn)|∼∆,

were false. That is, suppose that there is a stable model M of program Γ, (p ← q1, . . . , qm, not r1,..., not rn) satisfying the constraints Σ and M ∩∆ = ∅. If {r1, . . . , rn}∩M = ∅, then M is also a stable model of Γ, (p ← q1, . . . , qm). (Because {r1, . . . , rn} ∩ M = ∅, the reduct p ← q1, . . . , qm of p ← q1, . . . , qm, not r1,..., not rn M would appear in Γ , so M must satisfy p ← q1, . . . , qm.) Thus, if {r1, . . . , rm}∩M = ∅, M witnesses that ¬Lr1,..., ¬Lrm, Σ; Γ, (p ← q1, . . . , qm)|∼∆ is false. If, on the other hand rj ∈ M, then M is also a stable model of Γ (because p ← q1, . . . , qm, not r1,..., not rn would be excluded in any reduction using M as context). Thus, if

fulldefaultsequent.tex; 18/06/2004; 16:12; p.21 22 R.S. Milnikel

rj ∈ M, M witnesses that Lrj, Σ; Γ|∼∆ is false. What we have just shown is that if the conclusion of rule 5 is false, so is some premise. This completes the argument for the soundness of the rules.

Theorem 3.8. A stable model logic programming skeptical reasoning sequent Σ; Γ|∼∆ is true then it is provable.

Proof. We will show the contrapositive of our completeness theorem. Let us assume that sequent Σ0;Γ0|∼∆0 has no proof. We will build a failed attempt at a proof which will be guaranteed to have at least one branch not terminating in an axiom. The context developed on this branch will be a witness to the falsehood of Σ0;Γ0|∼∆0. Choose an arbitrary well-ordering of the tree ω<ω, and let us work on extending the attempt at a proof we have so far by working on the sequent whose position is least in that ordering. We will also want to well-order BH and the rules of Γ0 in some way. If the sequent Σ; Γ|∼∆ under consideration has a proof under rule 1, 2, or 3 from true premises, make Σ; Γ|∼∆ the conclusion of that rule and finish out the proof above that point. (If the premises of the rule were true, they are guaranteed to have finite proofs by the completeness of the sequent and antisequent calculi, so completing the proof above that point can be done in a finite number of steps.) 1 If the sequent Σ; Γ|∼∆ whose branch we are trying to extend has at least one Lp ∈ Σ that is not a LΓ0 p, or has at least one non-Horn rule in Γ, we will be guaranteed that there are rules of type 4 or 5 with conclusion Σ; Γ|∼∆. If no rules of type 1, 2, or 3 with the appropriate conclusion (and true premises) can be found, extend the proof attempt with either rule 4 or rule 5, if possible. If there are an even number of sequents below the present one (and if it may be applied) use rule 4; if there are an odd number of sequents below the present one (and it may be applied) use rule 5. When using rule 4, work with the Lp which appeared earliest in the development of the proof attempt. (If more than one appeared at the same time, choose the one whose p is least in the chosen ordering of BH .) When using rule 5, work with the clause from Γ which is least in your ordering of Γ0. (Since no non-Horn rule ever gets added as we extend our proof attempt, all non-Horn rules in Γ will come from Γ0.)

1 0 This procedure is not effective, but a careful inspection will show it to be Π1, if there is some priority assigned to the possible deductions using rules 1, 2, and 3. 0 Thus, a proof can be considered as a finite-path Π1 tree. We knew that such a proof 1 search existed from the fact that skeptical reasoning is in Π1 and from facts in [7]. 0 One can also find in [7] a procedure for turning Π1 tree searches into computable tree searches.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.22 Predicate Nonmonotone Sequent Calculi 23

Of course, if no rule at all has conclusion Σ; Γ|∼∆, leave the sequent alone. Since we assumed that the sequent Σ0;Γ0|∼∆0 has no proof, there will be at least some branch of our attempted proof tree which was expanded using only rules 4 and 5 and which therefore does not terminate in an axiom. Select one of these branches. Let us deﬁne Γ∗ to be the set of all Horn clauses which appear in the Γ of a sequent Σ; Γ|∼∆ anywhere along the selected branch. We will show that M = Cl(Γ∗) is a stable model of Γ satisfying Σ and excluding ∆ for every sequent Σ; Γ|∼∆ in our selected branch. Once this is accomplished, the proof will be complete, since M will be a witness that the sequent Σ0;Γ0|∼∆0 which we could not prove is false. To establish that M is a stable model of Γ satisfying Σ and excluding all of ∆, we need to establish the following:

(A) that M satisﬁes Lp (and LΓ0 p) for each such in Σ, (B) that M satisﬁes ¬Lp for each such in Σ, (C) that Cl(ΓM ) = M, and (D) that M ∩ ∆ = ∅.

Let us address each of these points.

(A) For each p for which Lp appears in Σ, LΓ0 p appears somewhere in the selected path, with Γ0 a subset of the set of Horn clauses appearing in the sequent in which it first appears. (This is due to 0 rule 4.) If Γ 0 p, we could terminate the branch of the tree with a 0 valid proof of Γ 0 p based on rule 3. We chose this branch because such a termination could not occur, so Γ0 ` p. By the way Γ∗ was defined, Γ0 ⊆ Γ∗, so we know that p ∈ Cl(Γ∗) = M. Thus, M satisfies the requirements Lp. (The additional condition that we need to satisfy the requirement LΓ0 p for requirements of that type in Σ is that Γ0 ` p, for which we just presented a justification.) (B) Assume that ¬Lp is in Σ and that p ∈ Cl(Γ∗). By the compactness of proofs from Horn clauses, there is some finite subset Γ0 of Γ∗ such that Γ0 ` p. Because the length of our selected branch is at most ω, any finite subset of Γ∗ must be entirely present in the Γ00 of a sequent Σ00;Γ00|∼∆00 appearing at a finite stage of the construction. If both of our assumptions were true, we could terminate this branch with (a proof of) the monotone sequent Γ0 ` p, but we chose this branch because that was impossible. Thus, if ¬Lp ∈ Σ, it must be that p∈ / Cl(Γ∗) and so M satisfies the requirement ¬Lp.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.23 24 R.S. Milnikel

(C) We will show that ΓM = Γ∗. This is suﬃcient to establish point (C): Cl(ΓM ) = Cl(Γ∗) = M. As a preliminary observation, let us note that for no p are both Lp and ¬Lp in Σ0 for any sequent Σ0;Γ0|∼∆0 in our selected branch, for if they were, we could terminate our branch immediately with the monotone sequent p ` p by rule 2. Let us assume that the Horn reduct of rule

p ← q1, . . . , qm, not r1,..., not rn ∈ Γ is in Γ∗ but not in ΓM . That means that at some point in the development of our selected branch, either by rule 4 or by rule 5, 0 0 0 p ← q1, . . . , qm was placed into a sequent Σ ;Γ |∼∆ . When either of those rules is used to expand a potential proof, {¬Lr1,..., ¬Lrn} 0 M is added to Σ . On the other hand, if p ← q1, . . . qm is not in Γ , it must be because rj ∈ M for some 1 ≤ j ≤ n. This would mean that M does not satisfy Σ0 for the sequent Σ0;Γ0|∼∆0 on our selected branch. In demonstrating point (B), we showed that this can not happen. Now let us assume that the Horn reduct of rule

p ← q1, . . . , qm, not r1,..., not rn ∈ Γ is in ΓM but not in Γ∗. That it is not in Γ∗ means that at some point in the development of our selected branch, the clause was deleted when we moved to sequent Σ0;Γ0|∼∆0 by rule 5. That could 0 not happen without Lrj being added to Σ at the same time. On M the other hand, because p ← q1, . . . , qm is in Γ , it must mean 0 that no rj is in M. That means that M does not satisfy Σ for the sequent Σ0;Γ0|∼∆0 on our selected branch. In demonstrating point (A), we showed that this can not happen. (D) Assume that p ∈ ∆ ∩ Cl(Γ∗). Repeating the argument from part (B), we arrive at the same contradiction, this time based on rule 1 instead of rule 2. This tells us that ∆ ∩ M = ∅.

All conditions for M = Cl(Γ∗) to be a stable model of Γ satisfying Σ and disjoint from ∆ are satisﬁed, and we see that any unprovable sequent is not true.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.24 Predicate Nonmonotone Sequent Calculi 25

4. Skeptical Sequent Calculus for Default Logic

In moving from logic programs to default logic, the nonmonotonic aspects are unchanged. It is only the monotone proofs in the underlying logic which are now more complicated. This will be reﬂected in the fact that the monotone sequent calculi will be more complicated, but the rules added for skeptical reasoning will be essentially identical to those used for stable model logic programming. The similarity is so great that we will state the soundness and completeness theorem for the skeptical sequent calculus for default logic without proof, since the proof would be a nearly word-for-word repetition of the proof for the skeptical sequent calculus for logic programming. Throughout this section, we will be working in a predicate language L without equality.

4.1. An Antisequent Calculus for Predicate Logic

Because of the way extensions of open default theories are defined, the general case of skeptical default reasoning for even finite predicate default theories will necessitate infinitary sequent rules. For this reason, 1 we will not hesitate to bring the enormous Π1 power of infinitary se- 0 quent rules to bear on our comparatively simple Π1 problem of showing that there is no proof in the sequent calculus LK of the sequent Γ ` ∆. Bonatti in [5] presented an antisequent calculus for propositional logic, and our antisequent calculus will be the one of that paper extended by four rules, the counterparts of the four rules for quanti- fiers from Gentzen’s LK. We assume that the reader is familiar with Gentzen’s sequent calculus LK. However, because there are many mi- nor variations of LK, and because we will be referring to specific rules often in this section, we will explicitly state the version we are using, drawn from [4]. In this formulation, a sequent Γ ` ∆ is an axiom if and only if Γ ∩ ∆ 6= ∅. The rules are to be found in Table I. (In the table, t is a term of L and we must restrict v to variables which do not occur free in Γ ∪ ∆.) An antisequent is a pair hΓ, ∆i of finite sets of formulas, denoted Γ 0 ∆. We will call Γ 0 ∆ true if there is a model of Γ in which all of the formulas of ∆ are false. We have the benefit of the Soundness and Completeness Theorems for LK, which tell us that Γ 0 ∆ is true if and only if Γ ` ∆ is false if and only if Γ ` ∆ is not derivable in LK. An antisequent Γ 0 ∆ will be considered an axiom of our antisequent calculus if Γ ∪ ∆ consists entirely of atomic formulas and Γ ∩ ∆ = ∅. The rules for the antisequent calculus can be found in Table II.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.25 26 R.S. Milnikel

Table I. Rules of the Sequent Calculus LK

Γ ` ∆, ϕ Γ, ϕ ` ∆ (¬ `) (` ¬) Γ, ¬ϕ ` ∆ Γ ` ∆, ¬ϕ

Γ, ϕ, ψ ` ∆ Γ ` ∆, ϕ Γ ` ∆, ψ (∧ `) (` ∧) Γ, ϕ ∧ ψ ` ∆ Γ ` ∆, ϕ ∧ ψ

Γ, ϕ ` ∆ Γ, ψ ` ∆ Γ ` ∆, ϕ, ψ (∨ `) (` ∨) Γ, ϕ ∨ ψ ` ∆ Γ ` ∆, ϕ ∨ ψ

Γ ` ∆, ϕ Γ, ψ ` ∆ Γ, ϕ ` ∆, ψ (→`) (`→) Γ, ϕ → ψ ` ∆ Γ ` ∆, ϕ → ψ

Γ, ϕ(t) ` ∆ Γ ` ∆, ϕ(v) (∀ `) (` ∀) Γ, (∀x)ϕ(x) ` ∆ Γ ` ∆, (∀x)ϕ(x)

Γ, ϕ(v) ` ∆ Γ ` ∆, ϕ(t) (∃ `) (` ∃) Γ, (∃x)ϕ(x) ` ∆ Γ ` ∆, (∃x)ϕ(x)

The usual proviso that v may not be free in Γ ∪ ∆ applies to 0 ∀ and ∃ 0. Showing that the antisequent calculus is sound is the counterpart to showing the classical sequent calculus LK complete, and vice versa. Fortunately, we have the Soundness and Completeness Theorems of LK to rely on in our proof.

Theorem 4.1. If antisequent Γ 0 ∆ is provable, then it is true.

Proof. To show that if an antisequent is derivavable, it is true, we will limit ourselves to an in-depth examination of the soundness of only three rules, (∧ 0), (0 •∧), and (∀ 0). Proving the soundness of the last these rules will rely heavily on the soundness and completeness of LK.

− To show (∧ 0) sound, let us assume that the premise is true and show the conclusion is true. For Γ, ϕ, ψ 0 ∆ to be true, there must be a model of Γ ∪ {ϕ, ψ} in which every formula of ∆ is false. This same structure is also a model of Γ ∪ {ϕ ∧ ψ} in which every formula of ∆ is false, so the antisequent Γ, ϕ ∧ ψ 0 ∆ is true.

− To show (0 •∧) sound, let us assume that the premise is true and show that the conclusion is true. For Γ 0 ∆, ϕ to be true, there

fulldefaultsequent.tex; 18/06/2004; 16:12; p.26 Predicate Nonmonotone Sequent Calculi 27

Table II. Rules of the Antisequent Calculus

Γ 0 ∆, ϕ Γ, ϕ 0 ∆ (¬ 0) (0 ¬) Γ, ¬ϕ 0 ∆ Γ 0 ∆, ¬ϕ

Γ, ϕ, ψ 0 ∆ Γ 0 ∆, ϕ (∧ 0) (0 •∧) Γ, ϕ ∧ ψ 0 ∆ Γ 0 ∆, ϕ ∧ ψ

Γ 0 ∆, ψ (0 ∧•) Γ 0 ∆, ϕ ∧ ψ

Γ, ϕ 0 ∆ Γ 0 ∆, ϕ, ψ (•∨ 0) (0 ∨) Γ, ϕ ∨ ψ 0 ∆ Γ 0 ∆, ϕ ∨ ψ

Γ, ψ 0 ∆ (∨• 0) Γ, ϕ ∨ ψ 0 ∆

Γ 0 ∆, ϕ Γ, ϕ 0 ∆, ψ (• →0) (0→) Γ, ϕ → ψ 0 ∆ Γ 0 ∆, ϕ → ψ

Γ, ψ 0 ∆ (• →0) Γ, ϕ → ψ 0 ∆

{Γ, ϕ(t) 0 ∆|t is a term in L} Γ 0 ∆, ϕ(v) (∀ 0) (0 ∀) Γ, (∀x)ϕ(x) 0 ∆ Γ 0 ∆, (∀x)ϕ(x)

Γ, ϕ(v) 0 ∆ {Γ 0 ∆, ϕ(t)|t is a term in L} (∃ 0) (0 ∃) Γ, (∃x)ϕ(x) 0 ∆ Γ 0 ∆, (∃x)ϕ(x)

must be a model of Γ in which every formula of ∆ ∪ {ϕ} is false. Of course, if ϕ is false in the model, so is ϕ ∧ ψ, so the same model tells us that the sequent Γ 0 ∆, ϕ ∧ ψ is also true.

− To show (∀ 0) sound, let us assume that the conclusion is false. We will show that some premise must also be false. To say that the conclusion of the rule Γ, (∀x)ϕ(x) 0 ∆ is false is to say that Γ, (∀x)ϕ(x) ` ∆ is true. By the completeness of LK, we know that Γ, (∀x)ϕ(x) ` ∆ has a derivation. Let us show by induction on the depth n of the derivation of Γ, (∀x)ϕ(x) ` ∆ that for some term t in L it must also be the case that Γ, ϕ(t) ` ∆ is derivable. That will ﬁnish the argument for (∀ 0), because Γ, ϕ(t) ` ∆ derivable means Γ, ϕ(t) ` ∆ true, which in turn means Γ, ϕ(t) 0 ∆ false. So

fulldefaultsequent.tex; 18/06/2004; 16:12; p.27 28 R.S. Milnikel

by assuming the conclusion of (∀ 0) false, we can show that some premise must also have been false. If n = 0, then Γ, (∀x)ϕ(x) ` ∆ is an axiom of LK. Either (∀x)ϕ(x) ∈ ∆ or Γ ∩ ∆ 6= ∅. Of course, if Γ ∩ ∆ 6= ∅, then Γ, ϕ(t) ` ∆ for any term t. On the other hand, if (∀x)ϕ(x) ∈ ∆, let ∆ = ∆0, (∀x)ϕ(x). The following is a deduction of Γ, ϕ(x) ` ∆ as long as x is not free in Γ ∪ ∆0: Γ, ϕ(x) ` ∆0, ϕ(x) (` ∀). Γ, ϕ(x) ` ∆0, (∀x)ϕ(x) (If x is free in Γ∪∆0, rename variables to get around the problem.) In this case, the term t is x. If n = k + 1, we again face two cases, only one of which has much content. If the last step of the derivation of Γ, (∀x)ϕ(x) ` ∆ involved the use of the LK rule (∀ `) on formula ϕ, then the definition of that rule tells us immediately that for some term t, there must have been a derivation of Γ, ϕ(t) ` ∆. On the other hand, if the last step of the derivation of Γ, (∀x)ϕ(x) ` ∆ involved formulas entirely from Γ and/or ∆, then the derivation with the last step excluded is a k-step derivation of Γ0, (∀x)ϕ(x) ` ∆0 for some Γ0 and ∆0. By induction hypothesis, there is a derivation of Γ0, ϕ(t) ` ∆0 for some term t. Apply the same rule that finished the k + 1 step proof to extend the proof of Γ0, ϕ(t) ` ∆0 to a proof of Γ, ϕ(t) ` ∆. The demonstration of soundness for each of the other propositional rules is as straightforward as for the first two above, and one can make very similar inductive arguments for the remaining three quantifier rules.

The reader may notice that the induction in the argument for the soundness of (∀ 0) bears a resemblance to portions of the proof of the cut-elimination theorem, often a major ingredient in proofs of the completeness of LK. Just as the proof of the soundness of the antisequent calculus evokes the proof of the completeness of LK, the proof of the completeness of the antisequent calculus will mirror the proof of the soundness of LK. The completeness proof will involve a na¨ıve induction on the total number of connectives, unary and binary, in an unprovable antisequent Γ 0 ∆. The inductive portion of our argument will break down into cases which match up precisely with the rules for connectives in LK. Again, we will look at only three cases of the inductive step. The reader interested in the details of each step is invited to consider any standard proof of the soundness of LK, see how our argument parallels that proof in those cases, and extrapolate.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.28 Predicate Nonmonotone Sequent Calculi 29

Theorem 4.2. If antisequent Γ 0 ∆ is true, then it can be proved.

Proof. Let us show that if there is no derivation of Γ 0 ∆, then it is not true. We will show this by induction on the total number n of connectives and quantiﬁers in Γ 0 ∆. If n = 0, then all formulas of Γ 0 ∆ are atomic, but Γ 0 ∆ is not an axiom. That means that Γ ∩ ∆ 6= ∅, and so it would be impossible to have a model of Γ which did not satisfy at least one formula of ∆, making Γ 0 ∆ false. If n = k + 1, let us look at the various possibilities for the k + 1st connective or quantiﬁer. It could be any of ¬, ∧, ∨, →, ∀, ∃, and it could be on the left or right side of the 0. Let us look at a few of these cases in detail. The pattern of reasoning should become obvious.

st − If the k + 1 connective is ∧ on the left side of the 0, then 0 0 Γ = Γ , ϕ ∧ ψ, and Γ , ϕ ∧ ψ 0 ∆ is not derivable. This means 0 that Γ , ϕ, ψ 0 ∆ is also not derivable, since if it were, we’d have a 0 0 derivation of Γ , ϕ ∧ ψ 0 ∆. Since Γ , ϕ, ψ 0 ∆ has only k connec- 0 tives, we can use our inductive hypothesis to say that Γ , ϕ, ψ 0 ∆ 0 0 is false. If Γ , ϕ, ψ 0 ∆ is false, then Γ , ϕ, ψ ` ∆ is true (and derivable). By the soundness of LK,Γ0, ϕ ∧ ψ ` ∆ is also true, 0 making Γ , ϕ ∧ ψ 0 ∆ false.

st − If the k + 1 connective is ∧ on the right side of the 0, then 0 0 ∆ = ∆ , ϕ ∧ ψ, and Γ 0 ∆ , ϕ ∧ ψ is not derivable. This means that 0 0 neither Γ 0 ∆ , ϕ nor Γ 0 ∆ , ψ are derivable. By our inductive hypothesis, neither antisequent is true, and so both Γ ` ∆, ϕ and Γ ` ∆, ψ are true (and hence derivable). By the soundness of LK, 0 Γ ` ∆, ϕ ∧ ψ is also true, making Γ 0 ∆ , ϕ ∧ ψ false.

st − If the k + 1 connective is ∀ on the right side of the 0, then 0 0 Γ = Γ , (∀x)ϕ(x) and Γ , (∀x)ϕ(x) 0 ∆ is not derivable. This 0 tells us that for some term t in language L,Γ , ϕ(t) 0 ∆ is not derivable. By our inductive hypothesis, this antisequent is not true, and so Γ0, ϕ(t) ` ∆ is true and derivable. By the soundness of LK, 0 0 Γ , (∀x)ϕ(x) ` ∆ is true, and so Γ , (∀x)ϕ(x) 0 ∆ is false.

Those three cases plus an inspection of how closely the rules of the antisequent calculus mirror those of LK should give the reader the ﬂavor of the full argument.

Example 4.3. Let us show that (∀x)(P (x) ∨ Q(x)) 0 (∀y)(P (y)) ∨ (∀z)(Q(z)) for unary relations P and Q. The following is a partial proof, with an inﬁnite number of premises remaining at the top.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.29 30 R.S. Milnikel

{P (t) ∨ Q(t) 0 P (y),Q(z)|t is a term of L} (∀x)(P (x) ∨ Q(x)) 0 P (y),Q(z) (∀x)(P (x) ∨ Q(x)) 0 P (y), (∀z)(Q(z)) (∀x)(P (x) ∨ Q(x)) 0 (∀y)(P (y)), (∀z)(Q(z)) (∀x)(P (x) ∨ Q(x)) 0 (∀y)(P (y)) ∨ (∀z)(Q(z)) We are left with an inﬁnite number of premises of the form P (t) ∨ Q(t) 0 P (y),Q(z) to prove. By rules (•∨ 0) and (∨• 0), we need to be able to show only either P (t) 0 P (y),Q(z) or Q(t) 0 P (y),Q(z). As long as t 6= y, P (t) 0 P (y),Q(z) is an axiom. If t = y, Q(t) 0 P (y),Q(z) is an axiom. This provides us with proofs of all of the inﬁnitely many premises of the form P (t) ∨ Q(t) 0 P (y),Q(z) and completes the proof.

4.2. A Sequent Calculus and an Antisequent Calculus for Residues

The sequent calculus for monotone proofs based on predicate logic will be the standard propositional sequent calculus LK extended by two rules for dealing with residues, very closely related to our one-rule sequent calculus for Horn programs. A residue sequent is a pair hΓ, ∆i where both Γ ⊆ Lres and ∆ ⊆ L are finite, and is usually written Γ ` ∆. We say that Γ ` ∆ is true if W ∆ ∈ Cl(Γ). If we extend the classical predicate sequent calculus LK (restricted to L) by the following two rules about residues, we obtain a sequent calculus for residues. Γ ` ∆ Γ ` ϕ Γ, θ ` ∆ ϕ ϕ Γ, θ ` ∆ Γ, θ ` ∆ This sequent calculus for residues was defined by Bonatti and Olivetti in [6], and they proved this theorem about it: Theorem 4.4. Γ ` ∆ is derivable in the sequent calculus for residues if and only if it is true. Their proof was based on the soundness and completeness of propositional rather than predicate logic, but the proof in either case is identical, and quite similar to the proof of Proposition 3.1. We can also extend antisequents to deductions from residues. A residue antisequent will be a pair of finite sets Γ ⊆ Lres and ∆ ⊆ L written Γ 0 ∆. And just as the residue sequent Γ ` ∆ was considered W true if ∆ ∈ Cl(Γ), we will consider the residue antisequent Γ 0 ∆ to be true if W ∆ ∈/ Cl(Γ). Just as we extended the classical sequent

fulldefaultsequent.tex; 18/06/2004; 16:12; p.30 Predicate Nonmonotone Sequent Calculi 31 calculus (limited to L) by two rules to produce a sound and complete residue sequent calculus, we will also extend the predicate antisequent calculus (again limited to L) by the two rules below to produce a sound and complete residue antisequent calculus.

Γ 0 ∆ Γ 0 ϕ Γ, θ 0 ∆ ϕ ϕ Γ, θ 0 ∆ Γ, θ ` ∆ Bonatti and Olivetti proved the following in [6]:

Theorem 4.5. Antisequent Γ 0 ∆ is derivable in the antisequent calculus of residues if and only if it is true. Again, their proof was for a residue antisequent calculus built over propositional rather than predicate logic, but the same proof works here. It is very similar to the proof of Proposition 3.3.

4.3. Skeptical Sequent Calculus

As was alluded to in Section 2, stable model logic programming and default logic differ only in the complexity of the monotone logic underlying each. The nonmonotone parts of all definitions are identical, modulo changes in notation. For this reason, the definitions of skeptical sequents and of the skeptical sequent calculus for default logic will be essentially identical to the analogous definitions for stable model logic programming. The proof of the soundness and completeness of the skeptical sequent calculus would be identical to the one for logic programs (nearly no changes in notation would even be necessary), so it will be omitted. The sequents for skeptical reasoning for default logic will be triples hΣ, Γ, ∆i, usually notated Σ; Γ|∼∆. Γ is a closed predicate default theory, and ∆ is a set of formulas of L, neither necessarily finite. Σ is once again a finite set of provability constraints. In the default logic context, provability constraints are of the form Lϕ, LΓϕ, or ¬Lϕ where ϕ ∈ L and Γ ∈ Lres is finite. We will say that a theory T ⊆ L satisfies Lϕ if ϕ ∈ T and satisfies ¬Lϕ if ϕ∈ / T . We will say that T satisfies LΓϕ if ϕ ∈ T and in addition Γ ` ϕ. We will say that Σ; Γ|∼∆ is true if every extension S of Γ ⊆ Ldef which satisfies all constraints in Σ includes at least one member of ∆. Thus, ϕ is a skeptical consequence of the default theory (D,W ) if ∅; ground((D,W ))|∼ϕ is a true sequent. As before, this calculus incorporates three sorts of sequents: residue sequents, residue antisequents, and the skeptical reasoning sequents just defined. The sequent calculus for skeptical reasoning will include

fulldefaultsequent.tex; 18/06/2004; 16:12; p.31 32 R.S. Milnikel all axioms and rules of the residue sequent and antisequent calculi, plus ﬁve new rules. (No additional axioms will be necessary. The leaves of every proof tree will be classical predicate sequent and antisequent axioms.)

Deﬁnition 4.6 (Skeptical Sequent Calculus—Default Logic). The axioms of the skeptical sequent calculus are classical predicate sequents Γ ` ∆ with Γ ∩ ∆ 6= ∅; and predicate antisequents Γ 0 ∆ with Γ ∪ ∆ all atomic formulas and Γ ∩ ∆ = ∅. The rules are:

0. The rules of LK and the antisequent rules from Table II, all limited to sequents and antisequents in L; plus the two pairs of additional rules for residue sequents and antisequents. Σ0, Γ0 ` ∆0 1. where Γ0 ⊆ Γ ∩ Lres is finite, Σ0 ⊆ ({ϕ|Lϕ ∈ Σ} ∪ Σ; Γ|∼∆ 00 0 {ϕ|LΓ00 ϕ ∈ Σ for some Γ }), and ∆ ⊆ ∆ is finite. Σ0, Γ0 ` ϕ 2. where Γ0 ⊆ Γ ∩ Lres is finite, Σ0 ⊆ ({ϕ|Lϕ ∈ Σ} ∪ ¬Lϕ, Σ; Γ|∼∆ 00 {ϕ|LΓ00 ϕ ∈ Σ for some Γ }).

Γ0 0 ϕ res 3. where Γ0 ⊆ L is ﬁnite. LΓ0 ϕ, Σ; Γ|∼∆ 0 0 0 0 {LΓ0 ϕ, Σ, Σ0;Γ0, (Γ \ Γ )|∼∆|Γ ⊆ Γ is ﬁnite} 4. 0 where Lϕ, Σ; Γ|∼∆ ϕ ϕ; Mψ , . . . , Mψ Γ0 = { | 1 n ∈ Γ0} and Σ0 = {¬L¬ψ|ψ = ψ for 0 θ θ 0 j ϕ : Mψ , . . . , Mψ some 1 n ∈ Γ0 and some 1 ≤ j ≤ n}. θ ϕ ¬L¬ψ1,..., ¬L¬ψn, Σ; Γ, |∼∆ L¬ψ1, Σ; Γ|∼∆ ··· L¬ψn, Σ; Γ|∼∆ 5. θ ϕ : Mψ , . . . , Mψ Σ; Γ, 1 n |∼∆ θ Theorem 4.7. A default logic skeptical reasoning sequent Σ; Γ|∼∆ is true if and only if it is provable.

5. Skeptical Sequent Calculus for Autoepistemic Logic

Since autoepistemic logic—as we will consider it—is built over a base of propositional logic in the modal language LL, we do not need to

fulldefaultsequent.tex; 18/06/2004; 16:12; p.32 Predicate Nonmonotone Sequent Calculi 33 establish any more monotone sequent or antisequent calculi. We can use the propositional portions of LK and its antisequent counterpart given in Tables I and II in Section 4.1. The difference in dealing with autoepistemic logic is that the provability constraints, expressed in our previous types of sequents as L-formulas, are the very objects of the theory. Thus, we do not want to construct our sequents in three parts, but only two, the traditional Γ and ∆ of a sequent Γ|∼∆. However, in dealing with lack of proof, we will need not only to assert that such-and- such proposition is proved, but to state explicitly how it was proved. Were we dealing explicitly with a full nonmonotonic modal logic, we might want to incorporate Artemov’s logic of proofs ([3]), but for our purposes, it will be sufficient to build our skeptical sequents out of a combination of formulas and classical sequents. A sequent for skeptical reasoning in autoepistemic logic will be a pair hΓ, ∆i, usually written Γ|∼∆, where Γ ⊆ LL ∪ {[Γ0 ` ∆0]|Γ0 ∪ ∆0 ⊆ LL is finite} and ∆ ⊆ LL. (Because, as before, our sequent calculus rules will incorporate monotone sequent and antisequent rules, we enclose the classical sequents which are elements of a larger sequent in [brackets]. This is not an ideal notational situation, but [Γ0 ` ∆0] will be true as part of a larger sequent if and only if Γ0 ` ∆0 is true as its own independent sequent, so there should not be any confusion.) The meaning of a sequent Γ|∼∆ will be: If monotone sequents in Γ are true, then each stable expansion of Γ ∩ LL contains some member of ∆. The other notion that we will need is that of an L-subformula. ψ is an L-subformula of ϕ if ψ is a subformula of ϕ of the form Lϕ0. We will denote by LS(ϕ) the set of subformulas of ϕ. We will also define LS(Φ) = S{LS(ϕ)|ϕ ∈ Φ}. A last standard bit of shorthand: LΦ = {Lϕ|ϕ ∈ Φ} and ¬LΦ = {¬Lϕ|ϕ ∈ Φ}.

Deﬁnition 5.1 (Skeptical Sequent Calculus—Autoepistemic Logic). The axioms of the skeptical sequent calculus for autoepistemic logic are the axioms of the classical sequent calculus LK and of its counterpart antisequent calculus, all restricted to the modal propositional language LL. The rules of the sequent calculus are:

0. The propositional rules of the classical sequent and antisequent calculi. Γ0 ` ∆0 1. where Γ0 ⊆ Γ ∩ L is ﬁnite and ∆0 ⊆ ∆ is ﬁnite. Γ|∼∆ L

¬Lϕ, Γ0 ` ϕ 2. where Γ0 ⊆ Γ ∩ L is ﬁnite. ¬Lϕ, Γ|∼∆ L

fulldefaultsequent.tex; 18/06/2004; 16:12; p.33 34 R.S. Milnikel

Γ0 0 ϕ 3. where Γ0 ⊆ LL is ﬁnite. [Γ0 ` ϕ], Γ|∼∆ {[Γ ,LΦ, ¬LΨ ` θ],LΦ, ¬LΨ, Γ|∼∆|Γ ⊆ Γ ∩ L ,LΦ ∪ LΨ ⊆ LS(Γ ∪ {Lθ}) are ﬁnite} 4. 0 0 L . Lθ, Γ|∼∆ Lϕ, Γ|∼∆ ¬Lϕ, Γ|∼∆ 5. where Lϕ ∈ LS(Γ ∪ ∆). Γ|∼∆

We will conclude this section with the expected soundness and completeness theorems for the skeptical sequent calculus for autoepistemic logic. Theorem 5.2. If autoepistemic logic skeptical reasoning sequent Γ|∼∆ is derivable, then it is true.

Proof. We will establish the soundness of each of our rules:

0. The soundness of the classical propositional sequent and antisequent calculi have already been established.

0 1. Because any stable expansion T of Γ∩LL will contain Γ and will be closed under propositional provability, T must contain an element of ∆.

0 2. Any stable model T of {¬Lϕ} ∪ Γ ∩ LL will contain Γ and will be closed under propositional provability, and hence will contain ϕ. Because T is a stable model it will also contain Lϕ. Thus, T will contain Lϕ and ¬Lϕ, making T inconsistent. Because stable models are, by deﬁnition, consistent, there is no such T and the conclusion is vacuously true.

3. If Γ0 0 ϕ, then it is not the case that Γ0 ` ϕ, and the conclusion is vacuously true. 4. Suppose that the conclusion of the rule, Lθ, Γ|∼∆, were false. That is, assume that there is a stable expansion T of Γ∩LL with T ∩∆ = ∅ and θ ∈ T . (We need Lθ ∈ T . Were T stable and θ∈ / T , then ¬Lθ ∈ T and T would be inconsistent.) Because θ is a propositional consequence of Γ ∩ LL ∪ {Lϕ|ϕ ∈ T } ∪ {¬Lϕ|ϕ∈ / T }, it must be a propositional consequence of some ﬁnite subset thereof. It should be clear to the reader familiar with propositional logic that formulas Lϕ and ¬Lϕ which are not in LS(Γ∪{Lθ}) will play no part in this propositional proof. Choose a speciﬁc proof of θ. Let Φ be the set of ϕ ∈ T such that Lϕ is used in this proof, let Ψ be the set of ψ∈ / T

fulldefaultsequent.tex; 18/06/2004; 16:12; p.34 Predicate Nonmonotone Sequent Calculi 35

such that ¬Lψ is used in the proof, and let Γ0 be the formulas from Γ∩LL used in the proof. Obviously, [Γ0,LΦ, ¬LΨ ` θ] is true by our choice of Φ, Ψ, and Γ0. T itself will be a witness to the falsehood of [Γ0,LΦ, ¬LΨ ` θ],LΦ, ¬LΨ, Γ|∼∆, because T is a stable model of Γ ∩ LL ∪ {Lϕ|ϕ ∈ Φ} ∪ {¬Lψ|ψ ∈ Ψ} which has empty intersection with ∆. This will be a premise of rule 4 which is false. Thus, if all premises of rule 4 are true, so is the conclusion. (In this rule and the next, we don’t have to worry about classical 0 0 sequent [Γ0 ` θ ] ∈ Γ being false, since we assumed the conclusion of rule 4 false, and had any classical sequent in Γ been false, the skeptical sequent would have been vacuously true.)

5. Suppose that the conclusion of the rule, Γ|∼∆, were false. That is, suppose that there is a stable expansion T of Γ∩LL with T ∩∆ = ∅. Either ϕ ∈ T or ϕ∈ / T . If ϕ ∈ T , then T is a stable expansion of Lϕ, Γ with empty intersection with ∆. If ϕ∈ / T , then T is a stable expansion of ¬Lϕ, Γ with empty intersection with T . If the conclusion of rule 5 is false, so is one of its two premises. Thus if both premises are true, so is the conclusion.

Theorem 5.3. An autoepistemic logic skeptical reasoning sequent Γ|∼∆ is true then it is provable.

Proof. The proof of this theorem will be somewhat similar to that of Theorem 3.8. Again, we will show the contrapositive of our completeness theorem. Let us assume that sequent Γ0|∼∆ has no proof. We will build a failed attempt at a proof which will be guaranteed to have at least one branch not terminating in an axiom. The Γ developed on this branch will be a witness to the falsehood of Γ0|∼∆. We will start with Γ0|∼∆ and build a proof attempt, expanding each sequent with the premises of some rule having that sequent as a conclusion, if possible. We will be constructing a countably branching tree, so we will need to work in some suitable ordering of ω<ω. If the sequent Γ|∼∆ under consideration has a proof under rule 1, 2, or 3 from true premises, make Γ|∼∆ the conclusion of that rule and ﬁnish out the proof above that point. If the sequent Γ|∼∆ whose branch we are trying to extend has at least one Lθ ∈ Γ or has at least one Lϕ ∈ LS(Γ ∪ ∆) such that neither Lϕ nor ¬Lϕ is in Γ, we will be guaranteed that there are rules of type 4 or 5 with conclusion Γ|∼∆. If no rules of type 1, 2, or 3 with the appropriate conclusion (and true premises) can be found, extend the proof attempt with either rule 4 or rule 5, if possible. If there are an even number of sequents below the present one (and if it may be

fulldefaultsequent.tex; 18/06/2004; 16:12; p.35 36 R.S. Milnikel applied) use rule 4; if there are an odd number of sequents below the present one (and it may be applied) use rule 5. When using rule 4, work with the Lθ which appeared earliest in the development of the proof attempt. (If more than one appeared at the same time, choose the one whose θ is least in some ordering of LL.) When using rule 5, work with the ϕ least in your ordering of LL. Of course, if no rule at all has conclusion Γ|∼∆, leave the sequent alone. Since we assumed that the sequent Γ0|∼∆ has no proof, there will be at least some branch of our attempted proof tree which was expanded using only rules 4 and 5 and which therefore does not terminate in an axiom. Select one of these branches. (Note that neither rule 4 nor rule 5 affects ∆, so while Γ will expand as we traverse the branch, ∆ will remain constant.) ∗ Let us define Γ to be the set of all formulas of LL which appear in the Γ of a sequent Γ|∼∆ anywhere along the selected branch. We will show that Th(Γ∗) can be extended to a stable theory which is a stable expansion of Γ for each sequent Γ|∼∆ in our selected branch and which excludes all of ∆. Let us select an arbitrary Γ|∼∆. The first step in this procedure will be to show Th(Γ∗) consistent with S5. To accomplish this, we’ll use several claims.

− Claim 1: Γ∗ is consistent. Justiﬁcation: If Γ∗ weren’t consistent, then it would have to have been inconsistent by some ﬁnite stage in the development of the branch. We could have used rule 1 to terminate the branch at the point where the inconsistency entered.

− Claim 2: If Lϕ ∈ Th(Γ∗), then Lϕ ∈ Γ∗. Justiﬁcation: Γ∗ consists of Γ plus some formulas of the form Lψ and ¬Lψ. If Lϕ ∈ Th(Γ∗), but Lϕ∈ / Γ∗, it must have been because some formula of Γ was used to prove Lϕ. (Th refers to propositional provability and Lϕ is treated as a propositional atom, so this is the only explanation.) That means that Lϕ is the conclusion of some implication in Γ, and is therefore in LS(Γ). Because of the way Γ∗ was deﬁned, for every Lψ ∈ LS(Γ), either Lψ ∈ Γ∗ or ¬Lψ ∈ Γ∗. Because Γ∗ is consistent, if Lϕ ∈ LS(Γ) ∩ Th(Γ∗), then Lϕ ∈ Γ∗.

− Claim 3: If ¬Lϕ ∈ Th(Γ∗), then ¬Lϕ ∈ Γ∗. Justiﬁcation: Same as for claim 2.

− Claim 4: If Lϕ ∈ Γ∗, then ϕ ∈ Th(Γ∗).

fulldefaultsequent.tex; 18/06/2004; 16:12; p.36 Predicate Nonmonotone Sequent Calculi 37

Justification: By rule 4, if Lϕ ∈ Γ∗, then so is [Γ0 ` ϕ] for some finite Γ0 ⊆ Γ∗. Were Γ0 ` ϕ false, then the branch could have been terminated using rule 3. Since the branch could not be terminated, it must be that Γ0 ` ϕ, and hence ϕ ∈ Th(Γ∗). − Claim 5: If ¬Lϕ ∈ Γ∗, then ϕ∈ / Th(Γ∗). Justification: If ϕ were in Th(Γ∗), then for some Γ0|∼∆ on the selected branch, it would be the case that Γ0 ` ϕ and ¬Lϕ ∈ Γ0, and the branch could have been terminated using rule 2. − Claim 6: If Lϕ ∈ Th(Γ∗), then ϕ ∈ Th(Γ∗). Justification: Immediate from claims 2 and 4. − Claim 7: If ¬Lϕ ∈ Th(Γ∗), then ϕ∈ / Th(Γ∗). Justification: Immediate from claims 3 and 5.

We can now easily show Th(Γ∗) to be consistent with S5.

− To be inconsistent with axiom k, we would need L(ϕ → ψ), Lϕ, and ¬Lψ in Th(Γ∗). By claims 6 and 7 above, this would put ϕ → ψ and ϕ in Th(Γ∗) and leave ψ out of Th(Γ∗). So Th(Γ∗) is consistent with axiom k. − To be inconsistent with axiom t, we would need Lϕ ∈ Th(Γ∗) and ϕ∈ / Th(Γ∗), contradicting claim 6. − To be inconsistent with axiom 4, we would need Lϕ ∈ Th(Γ∗) and ¬LLϕ ∈ Th(Γ∗). Claim 7 tells us that Lϕ∈ / Th(Γ∗), which is impossible, so Th(Γ∗) is consistent with axiom 4. − To be inconsistent with axiom 5, we would need ¬L¬Lϕ and ¬Lϕ both in Th(Γ∗). The former, with claim 7, tells us that ¬Lϕ∈ / Th(Γ∗), so it must be that Th(Γ∗) is consistent with axiom 5.

We can now say by Proposition 2.13 that Th(Γ∗) can be extended to a unique consistent stable theory T . Finally, we need to show T to be a stable expansion of Γ. Let us deﬁne S = Th(Γ ∪ {Lϕ|ϕ ∈ T } ∪ {¬Lϕ|ϕ∈ / T }). If we can show that S = T , then we will have shown T to be a stable expansion of Γ. That S ⊆ T is fairly clear. We know that Γ ⊆ Th(Γ∗) ⊆ T . Because T is stable, both {Lϕ|ϕ ∈ T } ⊆ T and {¬Lϕ|ϕ∈ / T } ⊆ T and T is propositionally closed. To show T ⊆ S, let us ﬁrst show that for each Lϕ ∈ Γ∗, ϕ ∈ T . Because T extends Γ∗, if Lϕ ∈ Γ∗, then Lϕ ∈ T . If it were the case

fulldefaultsequent.tex; 18/06/2004; 16:12; p.37 38 R.S. Milnikel that ϕ∈ / T , then by the stability of T , we would also have ¬Lϕ ∈ T . Because we know T to be consistent, this can not happen. A nearly identical argument shows that for each ¬Lϕ ∈ Γ∗, ϕ∈ / T . Now, to show T ⊆ S, we’ll make use of Proposition 2.14, which says that T = Th([T ]0 ∪ {Lϕ|ϕ ∈ T } ∪ {¬Lϕ|ϕ∈ / T }). ∗ Thus, all we need to show is that [T ]0 ⊆ S. Because Th(Γ ) was consis- ∗ tent with S5, so is [Th(Γ )]0. Since each U ⊆ LL consistent with S5 is ∗ contained in a unique stable theory T , it must be that [T ]0 = [Th(Γ )]0. So what we need to show is that any propositional formula in Th(Γ∗) can be proved from Γ, {Lϕ|ϕ ∈ T }, and {¬Lϕ|ϕ∈ / T }. We just argued that any L and ¬L formulas in Γ∗ are to be found in the latter two sets, and of course any formula of Γ∗ which is not of one of these two types must have come from Γ itself. We have shown not only that ∗ ∗ [Th(Γ )]0 ⊆ S, but that Th(Γ ) ⊆ S. One last step will complete the proof. We need to show that T excludes all formulas of ∆. By rule 5, we know that Γ∗ contained either Lϕ or ¬Lϕ for all formulas Lϕ ∈ LS(∆). We also know that [T ]0 = ∗ [Th(Γ )]0. Were it possible to prove any formula of ∆ from T , it would have been possible to prove that formula from Γ∗. Were it possible to prove some formula of ∆ from Γ∗, it would have been possible to prove that formula from Γ0 for some sequent Γ0|∼∆ on our chosen branch. Had this been possible, we could have terminated the branch using rule 1. Since we could not, it must be that Th(Γ∗) ∩ ∆ = ∅, and hence T ∩ ∆ = ∅.

6. Further Directions For Research

We have now seen sequent calculi for skeptical reasoning in stable model logic programming, default logic, and autoepistemic logic. One obvious direction to go to extend this work would be to do the same for predicate circumscription. As we noted in the introduction, this would 1 require a Π2 sequent calculus. Just as, we hope, the calculi presented here will aid in the understanding of the subtlety of skeptical reasoning 1 in the logics discussed, a Π2 sequent calculus for circumscription might oﬀer insights into that framework. One distinguishing feature of the calculi presented above is that in each case, the assertion that p or ϕ simply has a proof is not enough. We must look at all possible proofs of p (or ϕ). This necessity to take an assertion of the existence of a proof and explicate it with an actual proof fairly calls out for a connection with Artemov’s logic of proofs

fulldefaultsequent.tex; 18/06/2004; 16:12; p.38 Predicate Nonmonotone Sequent Calculi 39

(see [3]). Because the logic of proofs has such a strong connection with modal logic, McDermott and Doyle’s nonmonotonic modal logics are the natural candidates for the ﬁrst study of such a connection.

Acknowledgements

Although this paper is newly written and the notation is so modiﬁed as to make the connections obscure, the core ideas presented herein were to be found in my doctoral dissertation, [17], written under the direction of Anil Nerode. I would like to take this opportunity to thank him for the support, help, and encouragement he oﬀered throughout my graduate career.

References

1. Apt, K. R.: 1987, ‘Introduction to Logic Programming’. Technical Report TR-97-35, University of Texas. 2. Apt, K. R.: 1990, ‘Logic Programming’. In: J. van Leeuwen (ed.): Handbook of Theoretical Computer Science. Cambridge, MA: MIT Press, pp. 493–574. 3. Artemov, S. N.: 2001, ‘Explicit Provability and Constructive Semantics’. Bull. Symbolic Logic 7, 1–36. 4. Barwise, J.: 1977, ‘An Introduction to First-Order Logic’. In: J. Barwise (ed.): Handbook of Mathematical Logic. Amsterdam: North-Holland, pp. 5–46. 5. Bonatti, P.: 1993, ‘A Gentzen System for Non-Theorems’. Technical Report CD-TR 93/52, Christian Doppler Labor f¨urExpertensysteme. 6. Bonatti, P. and N. Olivetti: 2002, ‘Sequent Calculi for Propositional Nonmono- tonic Logics’. ACM Trans. Comput. Log. pp. 226–278. 0 7. Cenzer, D. and J. B. Remmel: 1998, ‘Π1 Classes in Mathematics’. In: Y. L. Ershov, S. S. Goncharov, V. W. Marek, A. Nerode, and J. B. Remmel (eds.): Handbook of Recursive Mathematics, Vol. 2. Amsterdam: North-Holland, pp. 623–821. 8. Gelfond, M. and V. Lifschitz: 1988, ‘The Stable Semantics for Logic Programs’. In: R. A. Kowalski and K. A. Bowen (eds.): Proceedings of the 5th Annual Symposium on Logic Programming. pp. 1070–1080. 9. Konolige, K.: 1994, ‘Autoepistemic Logic’. In: D. M. Gabbay, C. J. Hogger, and J. A. Robinson (eds.): Handbook of Logic in Artiﬁcial Intelligence and Logic Programming, Vol. 3. Oxford: Clarendon Press, pp. 217–296. 10. Lifschitz, V.: 1990, ‘On Open Defaults’. In: J. W. Lloyd (ed.): Computational Logic. Symposium Proceedings. pp. 80–95. 11. Lloyd, J. W.: 1987, Foundations of Logic Programming. Berlin: Springer-Verlag, second edition. 12. Marek, V. W., A. Nerode, and J. B. Remmel: 1990, ‘Nonmonotonic Rule Systems I’. Ann. Math. Art. Int. 1, 241–273. 13. Marek, V. W., A. Nerode, and J. B. Remmel: 1994, ‘The Stable Models of a Predicate Logic Program’. J. Log. Prog. 21, 129–154.

fulldefaultsequent.tex; 18/06/2004; 16:12; p.39 40 R.S. Milnikel

14. Marek, V. W. and M. Truszczy´nski: 1993, Nonmonotonic Logic: Context- Dependent Reasoning. Berlin: Springer Verlag. 15. McCarthy, J.: 1980, ‘Circumscription — A form of Nonmonotonic Reasoning’. Art. Int. 13, 27–39. 16. McDermott, D. and J. Doyle: 1980, ‘Nonmonotonic Logic I’. Art. Int. 13, 41–72. 17. Milnikel, R. S.: 1999, ‘Nonmonotonic Logic: A Monotonic Approach’. Ph.D. thesis, Cornell University. 18. Milnikel, R. S.: 2003, ‘The Complexity of Predicate Default Logic Over a Countable Domain’. Ann. Pure Appl. Logic 120, 151–163. 19. Moore, R. C.: 1984, ‘Possible-World Semantics for the Autoepistemic Logic’. In: R. Reiter (ed.): Proceedings of the Workshop on Non-Monotonic Reasoning. pp. 344–354. 20. Moore, R. C.: 1985, ‘Semantical Considerations on Non-Monotonic Logic’. Art. Int. 25, 75–94. 21. Nerode, A. and R. A. Shore: 1997, Logic for Applications. Berlin: Springer- Verlag, second edition. 22. Reiter, R.: 1980, ‘A Logic for Default Reasoning’. Art. Int. 13, 81–132. 23. Schlipf, J. S.: 1987, ‘Decidability and Deﬁnability with Circumscription’. Ann. Pure Appl. Logic 35, 173–191.

Address for Oﬀprints: Robert Milnikel Department of Mathematics Kenyon College Gambier, OH 43022 USA

fulldefaultsequent.tex; 18/06/2004; 16:12; p.40