A Synthetic Axiomatization of Map Theory Chantal Berline, Klaus Grue

A synthetic axiomatization of Map Theory Chantal Berline, Klaus Grue

To cite this version:

Chantal Berline, Klaus Grue. A synthetic axiomatization of Map Theory. 2012. hal-00678410v1

HAL Id: hal-00678410 https://hal.archives-ouvertes.fr/hal-00678410v1 Preprint submitted on 12 Mar 2012 (v1), last revised 15 Jan 2016 (v3)

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A synthetic axiomatization of Map Theory$

Chantal Berlinea, Klaus Grueb,1,∗ aCNRS, PPS, UMR 7126, Univ Paris Diderot, Sorbonne Paris Cit´e,F-75205 Paris, France bDIKU, Universitetsparken 1, DK-2100 Copenhagen East, Denmark

Abstract This paper presents a subtantially simplified axiomatization of Map Theory and proves the consistency of this axiomatization in ZFC under the assumption that there exists an inaccessible ordinal. Map Theory axiomatizes lambda calculus plus Hilbert’s epsilon operator. All theorems of ZFC set theory including the axiom of foundation are provable in Map Theory, and if one omits Hilbert’s epsilon operator from Map Theory then one is left with a computer programming language. Map Theory fulfills Church’s original aim of introducing lambda calculus. Map Theory is suited for reasoning about classical mathematics as well as computer programs. Furthermore, Map Theory is suited for eliminating the barrier between classical mathematics and computer science rather than just supporting the two fields side by side. Map Theory axiomatizes a universe of “maps”, some of which are “wellfounded”. The class of wellfounded maps in Map Theory corresponds to the universe of sets in ZFC. Previous versions of Map Theory had axioms which populated the class of wellfounded maps, much like the power set axiom et.al. populates the universe of ZFC. The new axiomatization of Map Theory is “synthetic” in the sense that the class of wellfounded maps is defined inside Map Theory rather than being introduced through axioms. Keywords: lambda calculus, foundation of mathematics, map theory

Contents

1 Introduction 4

2 Preview of MT 6 2.1 Relation to ZFC ...... 6

$This document is a collaborative eﬀort. ∗Corresponding author Email addresses: [email protected] (Chantal Berline), [email protected] (Klaus Grue) 1Present address: Rovsing A/S, Dyregaardsvej 2, DK-2740 Skovlunde, Denmark

Preprint submitted to Elsevier February 16, 2012 2.2 Recursion ...... 8 2.3 Russell’s paradox ...... 8 2.4 Programming ...... 9

3 Informal semantics 9 3.1 Introduction ...... 9 3.2 Syntax ...... 10 3.3 Computation ...... 10 3.4 Further constructs ...... 11 3.5 Programs ...... 13 3.6 Equality ...... 13 3.7 Extensionality ...... 14 3.8 Hilbert’s choice operator ...... 14 3.9 Pure existence revisited ...... 15

4 Axioms and inference rules 15 4.1 Elementary axioms and inference rules ...... 16 4.2 Monotonicity and Minimality ...... 16 4.3 Extensionality ...... 18 4.4 Axioms on E ...... 19 4.5 Quantiﬁcation axioms ...... 20 4.6 The deﬁnition of ψ ...... 21

5 Comparing MT and MT0 23 5.1 Axioms and rules of MT0 ...... 23 5.2 Axioms and rules of MT ...... 24 5.3 Proof theoretical strength ...... 25 5.4 Models of MT versus models of MT0 ...... 25 5.5 Levels of diﬃculty of the groups of axioms ...... 25 5.6 Models of subsystems of MT ...... 26

6 Approach 27

7 The κ-Scott semantics 29 7.1 Notation ...... 29 7.2 κ-Scott semantics ...... 29 7.3 κ-Scott domains ...... 29 7.4 κ-continuous functions ...... 30 7.5 Syntactic monotonicity ...... 30 7.6 κ-open sets ...... 30 7.7 Reﬂexive objects and models of pure λ-calculus ...... 31 7.8 Tarski’s minimal ﬁxed point operators ...... 31

2 8 Premodels of Map Theory 32 8.1 The domain equation Eqκ ...... 32 8.2 Premodels ...... 32 8.3 Standard and canonical models of MT0 ...... 34 8.4 Towards modelling the quantiﬁcation axioms ...... 35 8.5 Towards modelling of Mono, Min, and Ext ...... 35

9 Building the canonical κ-premodel 36 9.1 Pcs’s ...... 36 9.2 Pcs generators ...... 37 9.3 The web of the canonical κ-premodel ...... 38 9.4 Some properties of the web ...... 38 9.5 The domain of the canonical κ-premodel ...... 39 9.6 The canonical κ-premodel ...... 39 9.7 Tying up a loose end ...... 39

10 Canonical premodels satisfy Mono, Min, and Ext 40 10.1 A characterization of the order of M via application ...... 40 10.2 Ext ...... 41 10.3 λ-deﬁnability of the order of M ...... 41 10.4 Y and minimality ...... 42

11 Concepts for proving UBT and LBT 42 11.1 Main theorem ...... 42 11.2 Elementary observations ...... 43 11.3 Duals, boundaries, closure, and functions ...... 44 11.4 Cardinality ...... 44 11.5 Hierarchies ...... 44 11.6 Self-extensionality ...... 45 11.7 Restriction ...... 46 11.8 Closure properties of Oσ(Φ) ...... 47

12 Proof of the Upper Bound Theorem (UBT) 48 12.1 Flat order ...... 48 12.2 Limited size ...... 49 12.3 Proof of UBT ...... 50

13 Proof of the Lower Bound Theorem (LBT) 51 13.1 A countable collection of maps ...... 52 13.2 Characteristic maps ...... 52 13.3 Cardinality ...... 53 13.4 Pairs ...... 53 13.5 Analysis of s ...... 53 13.6 Lower bounds ...... 55 13.7 Beth numbers ...... 56 13.8 Growth lemma ...... 57

3 13.9 Proof of the lower bound theorem ...... 61

A Computational properties of canonical pre-models 61 A.1 Introduction of Tc and auxiliary concepts ...... 61 A.2 Parallel constructs ...... 62 A.3 Deﬁnition of Tp and Tc ...... 63 A.4 Semantic and syntactic existence ...... 64 A.5 Computational adequacy ...... 65 A.6 Soundness ...... 67 A.7 Full abstraction ...... 68 A.8 Negative results ...... 68

B Summary of MT 72 B.1 Syntax ...... 72 B.2 Deﬁnitions ...... 72 B.3 Axioms and inference rules ...... 73

C Index 74

1. Introduction

Map theory is an axiomatic theory which consists of a computer programming language plus Hilbert’s epsilon operator. All theorems of ZFC set theory including the axiom of foundation are provable in Map Theory, and if one omits Hilbert’s epsilon operator from Map Theory then one is left with a computer programming language, c.f. Section 2.4. Map Theory is suited for reasoning about classical mathematics as well as computer programs. Furthermore, Map Theory is suited for eliminating the barrier between classical mathematics and computer science rather than just supporting the two fields side by side. The first version of Map Theory [8], which we will call MT0 in this paper, had complex axioms and a complex model. [3] provided a simpler model. The present paper provides a simpler and more synthetic, while more powerful, axiomatization that we will call MT, and proves the consistency of the enhanced system starting from the minimal (or canonical) models of MT0 built in [3]. Map Theory is an axiomatic system, but it does not rely on propositional and first order predicate calculus. Rather, it is an equational theory which relies on untyped lambda calculus. In particular, models of Map Theory are also models of untyped lambda calculus. We shall refer to elements of such models as maps. As for λ-calculus, programming is made possible in Map Theory by the adjunction of compatible reduction rules. Map Theory generates quantifiers and first order calculus via a construct ε, whose semantics is that of Hilberts choice operator acting over a universe ψˆ of “wellfounded maps”. ε is axiomatized throught the “quantification axioms” (four equations).

4 Apart from ε, MT and MT0 have in common a few elementary constructs and related axioms which take care of the computational part of Map Theory, and simultaneously bear some other meanings [8]. Some “sugar” has also been added to MT, but this is inessential. Apart from ε and the elementary constructs, MT0 has only one construct φ, ˆ which is in spirit the characteristic function of ψ. MT0 has the power to embody ZFC because φ satisfies ten equations, each axiomatizing one, specific closure property of ψˆ, and it also has one inference rule for wellfoundedness. Having ten axioms, even if most of them are very simple, was acceptable (after all ZFC also has many existence axioms) but not satisfactory in that all the closure properties are instances of a single, although non-axiomatizable, Generic Closure Property (GCP, [3]). GCP was one of the founding intuitions behind Map Theory (c.f. [8]), it was satisfied in our models of MT0, and our desire was to reflect it at the level of syntax. With the present MT not only do we solve this problem (whence “synthetic”) but also eliminate the construct φ, the ten axioms, and the inference rule, replacing them by ... nothing (whence “simpler”). Moreover, the new system is stronger than MT0. That one construct, ten axioms, and a rule can be replaced by nothing should be taken with three grains of salt as explained in the following. The main trick is that we take ψˆ to be the smallest universe satisfying GCP, and the characteristic function ψ of that universe happens to be defininable from other MT constructs. The first grain of salt is that when we eliminate φ, we replace it by ψ in the quantification axioms. The second grain of salt is that for defining ψ we need to add a construct E (“pure existence”) and its related axioms. However, and in contrast to φ, E is very simple to describe, to axiomatize, and to model, so the cost of that is small. The third grain of salt is that the definition of ψ also requires a minimal fixed point operator. Fixed point operators come for free with untyped λ-calculus, but forcing minimality at the level of syntax requires to axiomatize it w.r.t. some pertinent and MT-definable order. This too can be done, and at a rather low syntactic and semantic cost. Finding the right MT was of course already a challenge, but proving its consistency was another one. Fortunately, the consistency of a system only has to be proved once, while hopefully the system will be used many times, so having a simpler system is a gain, even if its consistency proof is demanding. To give an idea of the difficulty of finding an appropriate and consistent MT, it is worth to recall here that a first “synthetic” version of MT, called MTc, conceived in the same spirit, was present in [9], that many proofs have been developed in it (which should be easy to translate to MT), but that the consistency of MTc is still an open problem. We will soon come back to MTc below. The consistency proof of MT starts from a (canonical) model of MT0, and then occupies several sections. Not all models of MT0 can be enriched to a model of MT; in fact MT has necessarily much fewer models than MT0. Section 2 gives a preview of MT. Section 3 presents the semantics of MT in- formally. Section 4 presents the axioms and inference rules. Section 5 compares

5 MT to MT0 and discusses the axioms. The remaining sections prove the consistency. Appendix A addresses the adequacy, soundness, and full abstraction of canonical pre-models with respect to the programming language underlying MT. Appendix B summarizes the axioms and rules of MT. Appendix C contains an index.

Relation to other systems

MT0 was the ﬁrst system fulﬁlling Church’s original aim at the origin of the creation of (untyped) λ-calculus. Church’s aim was to give a common and untyped foundation to mathematics and computation, based on functions (viewed as rules) and application, in place of sets and membership. As is well known, Church’s general axiomatic system was soon proved inconsistent, but its computational part (the now usual untyped λ-calculus) had an immense impact on computer science. The various intuitions behind Map Theory, its very close links to Church’s system, its advantages w.r.t. ZFC, including an integrated programming language, and a much richer expressive power (classes, operators, constructors, etc. also quite directly live in Map Theory), all this was developed in [3, 8]. For a comparison of Map Theory with other foundational+computational systems see [3, 8] and also Section 2.1 below. For a version of MT0 with antifoundation axioms a la Aczel [1], see [15, 16]. In the present paper we will hence concentrate on: giving enough of the intuitions on Map Theory to motivate the reader, to deepen the understanding of in which sense MT is an improvement over MT0, and to support the technical developments that we will have to implement in order to prove the consistency of MT. Finally, we will also explore the computational properties of the simplest (“canonical”) models of the equational theory MT, w.r.t. the computational rules which are behind it.

2. Preview of MT

2.1. Relation to ZFC MT is a Hilbert style axiomatic system which comprises syntactic definitions of terms and well-formed formulas as well as axioms and inference rules. MT has two terms T and F which denote truth and falsehood, respectively, and MT formulas have form A = B where A and B are MT terms. We shall refer to such formulas as equations. Set membership of ZFC is definable as a term e of MT such that exy = T iff the set represented by x belongs to the set represented by y. We shall use the infix notation x∈ÿ for exy. Also definable in MT are universal quantification ∀¨, negation¬ ¨, implication⇒ ¨ , the empty set ∅¨, and so on. In MT it is trivial to prove T =¬ ¨F and F =¬ ¨T, and one cannot (Theorem 2.1.1) prove T = F. For suitable definitions of set membership and so on, each formula A of ZFC becomes a term A¨ of MT. The general idea is that if A holds in ZFC then A¨ = T should hold in MT (Theorem 2.1.2). As an example,

6 ∀x: x6∈∅ is a formula of ZFC, ∀¨x: x6∈¨∅¨ is the corresponding term of MT, and (∀¨x: x6∈¨∅¨) = T holds in MT. The term ∀¨x: x6∈¨∅¨ is shorthand for ∀¨(λx. ¬¨(x∈¨∅¨). We now make the statements above more precise. Let ZFC+SI denote ZFC extended with the assumption that there exists an inaccessible ordinal. Let σ be the smallest inaccessible. Let ¬SI be the assumption that there exist no inaccessible ordinals. Let Vσ be the usual model of ZFC+¬SI in ZFC+SI. Let M be the canonical model of MT in ZFC+SI built in Section 9. The present paper proves:

Theorem 2.1.1 (Main Theorem). M satisﬁes all the axioms and inference rules of MT and does not satisfy T = F. This proves the consistency of MT.

For arbitrary, closed formulas A of ZFC we have:

Theorem 2.1.2. Vσ satisfies A iff M satisfies A¨ = T.

Theorem 2.1.2 follows easily from [3, Appendix A.4] and the fact that M builds on top of the model built in [3]. As a technicality, MT and MT0 have slightly diﬀerent syntax, but for closed formulas A of ZFC, A¨ only uses constructs common to MT and MT0, and Theorem 2.1.2 carries over from MT0 to MT without changing the deﬁnition of A¨.

Conjecture 2.1.3. If A is provable in ZFC+¬SI then A¨ = T is provable in MT.

Conjecture 2.1.3 is supported by the following:

Theorem 2.1.4 ([8]). If A is provable in ZFC then A¨ = T is provable in MT0.

Theorem 2.1.5 ([9]). If A is provable in ZFC then A¨ = T is provable in MTc where MTc is the version of Map Theory deﬁned in [9].

MTc resembles MT, but all attempts at proving MTc consistent have failed. A proof of (¬SI) = T in MTc should be easy. To prove Conjecture 2.1.3 one has to prove (¬SI) = T in MT and to translate the proof of Theorem 2.1.5 to MT. This remains to be done. It is not really intended that MT should prove (¬SI) = T; it is rather a side effect. The original MT0 was designed as “as flexible as ZFC”, and is in particular consistent with SI = T as well as (¬SI) = T. The MT0 system has a constant φ and a group of φ-axioms which comprises the three wellfoundedness axioms, the seven construction axioms, and the inference rule of transfinite induction of [8]. MT replaces the constant φ by a closed term ψ and omits the φ-axioms. That makes MT more rigid than MT0 and in particular makes (¬SI) = T provable. The definition of ψ is somewhat analogous to the definition of the minimal Vσ in ZFC (σ the first inaccessible).

7 2.2. Recursion MT has a number of advantages over ZFC. One is that it allows to combine unrestricted∪ recursion with arbitrary set constructors. As an example, suppose x∪¨y, ¨ x, {˙x}˙, and {A˙ | x∈B¨ }˙ are the binary union, unary union, unit set, and replacement set operators of ZFC, respectively, translated to MT. One may deﬁne the ordinal successor x0 thus in MT:

x0 ≡ x ∪¨ {˙x}˙

And then one may deﬁne the set rank operator ρ(x) thus: ∪ ¨ ρ(x) ≡ {˙ρ(y)0 | y∈¨x}˙

In this paper, ≡ is used for definitions. In MT, definitions are allowed to be recursive like the definition of ρ above where the defined concept ρ appears in the right hand side of its own definition. Recursive definitions in MT are shorthand for direct (i.e. non-recursive) definitions which involve the fixed point operator (c.f. Section 3.2). ZFC only permits direct definitions and includes no fixed point operator. ZFC permits definition by transfinite induction, which resembles primitive recursion, but does not support unrestricted recursion like MT does. The definition of ρ in MT above does not rely on ordinals or transfinite induction. Rather, in MT, one may define ρ as above and then use it to define the class Ord of ordinals:

Ord(x) ≡ ∃¨y: x∈¨ρ(y)

As another example, in MT we may use Hilbert’s choice operator ε recursively to well-order any set A:

f(α) ≡ εx: x ∈¨ g(α) g(α) ≡ A \¨ {˙f(γ) | γ∈¨α}˙ x ≺ y ≡ ∃¨α: x ∈¨ A\¨g(α) ∧¨ y ∈¨ g(α)

Above, A is a wellfounded map of MT and ≺ well-orders the set represented by A. εx: B chooses if possible a wellfounded x such that B is true, c.f. Section 4.5.

2.3. Russell’s paradox In naive set theory, define S ≡ {x|x 6∈ x} and R ≡ S ∈ S. We have x ∈ S ⇔ x 6∈ x and R ⇔ S ∈ S ⇔ S 6∈ S ⇔ ¬R which is Russell’s paradox. The paradox states that negation has a fixed point, which is impossible in a consistent, two-valued logic. In ZFC, the paradox is avoided by banning S, but that is not an option in MT which allows recursion. As an example, one may define Russell’s paradoxical statement R thus in MT:

R ≡ ¬R¨

8 In MT, if R = T then R =¬ ¨T = F and if R = F then R =¬ ¨F = T so R equals neither T nor F. Indeed, MT has a ﬁxed point operator Y and an element ⊥ playing, among others, the role of the third logical value “undeﬁnedness”; and it is indeed provable in MT that R = Y¬¨ = ⊥.

2.4. Programming Another advantage of MT over ZFC is that if one removes Hilbert’s ε from the core syntax of MT then one is left with a Turing complete computer programming language. This language is a type free lambda calculus with uhr-elements and the programs are closed ε-free MT-terms. The present paper is about MT as an equational axiomatic theory. That MT can be used for programming should be seen here as motivation only. When speaking of programming with MT it is understood that we have furthermore included compatible reduction rules (c.f. Section 3.3). We now elaborate on the programming motivations. Having a computer programming language as a syntactical subset of the theory allows to reason about programs without having to model the programs mathematically. That simplifies the field of program semantics considerably. For a simple example of programming and reasoning in MT, see Example 4.2.1. Map Theory also provides good support for reasoning about languages different from its own. Since MT contains a computer programming language, a programmer may ask questions like:

• Is is possible to implement arbitrary algorithms eﬃciently in the language?

• Is it possible to download compiler, linker, and runtime system for the language? • Is it possible in the language e.g. to receive mouse clicks from a user, to write bytes to a disk, and to display graphics on a screen?

The answers to these questions are yes, c.f. http://lox.la/. Sections 3.3–3.7 describe the computational aspects of MT. Appendix A proves some results on computational adequacy, soundness, and full abstraction. http://lox.la/ elaborates on MT as a programming language.

3. Informal semantics

3.1. Introduction To introduce ZFC one will typically give some examples of finite sets first. Actually, ZFC is nothing but the theory of finite sets extended by an infinite set ω. Likewise, MT is nothing but the theory of computable functions extended with Hilbert’s non-computable epsilon operator.

9 3.2. Syntax The syntax of variables, terms, and well-formed formulas of MT reads:

V ::= x | y | z | · · · T ::= V | λV.T | T T | T | if[T , T , T ] | ⊥ | YT | T kT | ET | εT W ::= T = T

λx.A denotes lambda abstraction and fx denotes functional application. T denotes truth. Falsehood F is not included in the syntax; we define it by F ≡ λx.T. if denotes selection; we have if[T, b, c] = b and if[λx.A, b, c] = c. ⊥ denotes undefinedness or infinite looping. Y denotes a fixed point operator; we have Yf = f(Yf) for all f. k denotes parallel or; a k b equals T if a or b or both equal T. E denotes pure existence; we have Ep = T iff px = T for some x. We say that x is wellfounded if ψx = T where we define ψ in Section 4.6. ε denotes Hilbert’s choice operator; under reasonable conditions, εp is a wellfounded x such that px = T. In Section 8 we introduce the notions of standard quasimodels of MT and the more restricted notion of canonical models, where the latter are unique up to the choice of a regular cardinal κ. Canonical models satisfy all axioms and inference rules of MT. Standard quasimodels satisfy some (possibly all) of the axioms and inference rules. Now let YCurry = λf.(λx.f(xx))(λx.f(xx)) and ⊥Curry = YCurryλx.x. In canonical models of MT we will prove that

Yf = YCurryf ⊥ = ⊥Curry = (λx. xx)(λx. xx)

Thus, without loss of power and consistency, one might omit ⊥ and Y from the syntax and use YCurry and ⊥Curry instead. Doing so, however, would reduce the number of possible models of MT. Thus, we include ⊥ and Y in the syntax and prove the two equations above as separate theorems which are only guaranteed in canonical models. Inclusion of ⊥ and Y also simpliﬁes the consistency proof since modelling of Yf and proving Yf = YCurryf can be treated separately. We shall use MTdef to denote the version of MT where we omit ⊥ and Y from the syntax. Parallel or k is neither needed for developing ZFC in MT nor convenient when programming. Parallel or is merely included for the sake of a full abstraction result. We use full abstraction for explaining equality in Section 3.6.

3.3. Computation The constructs λx.A, ab, T, and if[a, b, c] together with adequate reduction rules (deﬁned below) form a computer programming language. The language is Turing complete in the sense that any recursive function can be expressed in it. In the following, A, B, and C denote terms, a, b, c, and r denote closed terms, and x, y, and z denote variables. hA | x := Bi denotes substitution with renaming of bound variables as needed.

10 From a theoretical point of view, and very remote from the implementation in [10], one can deﬁne the programming language by the smallest relation →1 which satisﬁes:

TB →1 T (λx.A)B →1 hA | x := Bi if[T, B, C] →1 B if[λx.A, B, C] →1 C A →1 R ⇒ AB →1 RB A →1 R ⇒ if[A, B, C] →1 if[R, B, C]

As an example of a reduction, if[λx.x, λy.y, λz.z]T reduces to T:

if[λx.x, λy.y, λz.z]T →1 (λz.z)T →1 T We have speciﬁed leftmost reduction order so that e.g. if[T, T, (λx.xx)(λx.xx)] reduces to T without (λx.xx)(λx.xx) being reduced. Suppose a →1 b. Under this assumption, a = b is provable in MT using only elementary axioms and inference rules. Hence, a = b holds in all models of MT. Also, a = b holds in all standard quasimodels, even those which do not model all of MT (c.f. Section 5.4). That holds for the deﬁnition of a →1 b given above as well as for the extensions given in the following. We use λxy.A to denote λx.λy.A. Furthermore, application AB is left associative and has higher priority than λx.A so λxy.ABC means λx.λy.((AB)C). We shall say that a term is a root normal term if it has form T or λx.A. Reduction stops when a root normal term is reached. As an example, (λxy.x)((λx.xx)(λx.xx)) reduces to λy.(λx.xx)(λx.xx) which is not reduced further. We shall refer to terms of form T and λx.A as true and function normal terms, respectively.

3.4. Further constructs One may extend the programming language by the constructs ⊥, Ya, a k b, and Ea. One cannot extend the language by εa because ε cannot be seen as computable. In the following, a, b, c, f, and r denote closed, epsilon free terms. The constructs ⊥ and Y may be deﬁned or may be included in the syntax. If they are deﬁned, they need no reduction rules. If they are included in the syntax, their reduction rules read:

⊥ →1 ⊥ Yf →1 f(Yf)

11 The construct a k b can be computed thus: Reduce a and b in parallel. If one of them reduces to T, halt the other reduction and return T. If both reduce to function normal terms, return λx.T. The construct Ea can be computed thus: Reduce ab for all closed terms b in parallel. If ab reduces to T for some b, halt all reductions and return T. Otherwise, proceed computing indefinitely. The construct Ea is not very useful in computer programs since Ea either loops indefinitely or returns T. The construct a k b is slightly more useful since it has two possible return values, T and λx.T, but it is still not a pop- ular programming construct, and few programming languages support it. The implementation in [10] supports neither Ea nor a k b. The construct Ea is needed for defining ψ and so is indirectly needed for axiomatizing Hilbert’s choice operator ε. The construct a k b is included for the sake of full abstraction. Reduction rules for a k b read:

T k b →1 T (λx.A) k b →1 if[b, T, λx.T] a →1 r ⇒ (a k b) →1 (b k r) A reduction rule for Ea is more complicated. To reduce Ea we need to reduce ab for all closed terms b in parallel. Now deﬁne

S ≡ C1 ≡ λxyz.xz(yz) K ≡ C2 ≡ λxy.x C3 ≡ T C4 ≡ λxyz.if[x, y, z] C5 ≡ ⊥ C6 ≡ λx.Yx C7 ≡ λxy.(x k y) C8 ≡ λx.Ex We shall refer to terms built up from the eight combinators above plus functional application as combinator terms. Every closed, epsilon free term of MT is computationally equivalent to a combinator term. Thus, we may compute Ea by applying a to all combinator terms b:

1 Ea → aC1 k · · · k aC8 k Ex.Ey.a(xy) a →1 r ⇒ Ea →1 Er

Above, Ex.A denotes E(λx.A). To see how E works, ﬁrst note that Ea by deﬁnition reduces to

aC1 k · · · k aC8 k Ex.Ey.a(xy) Second note that the last factor Ex.Ey.a(xy) in turn reduces to

Ey.a(C1y) k · · · k Ey.a(C8y) k Eu.Ev.Ey.a((uv)y)

12 Third note that the ﬁrst factor Ey.a(C1y) in turn reduces to

a(C1C1) k · · · k a(C1C8) k Eu.Ev.a(C1(uv))

The penultimate factor a(C1C8) shows that a, among other, is applied to the combinator term C1C8. In general, reduction of Ea causes a to be applied to all combinator terms in parallel. We have now given reduction rules for reducing arbitrary closed, epsilon free terms. We shall give no reduction rules for εa since, as mentioned, it is not computable.

3.5. Programs We shall refer to closed, ε-free MT terms as MT programs. Likewise, we shall refer to closed, ε-free MTdef terms as MTdef programs and to closed, ε- and φ-free MT0 terms as MT0 programs. The programs of each of the theories are exactly the closed terms which are reducible by machine. Here we do not require reduction to terminate: a machine is supposed to loop indeﬁnitely when reducing e.g. ⊥, and ⊥ is counted among the programs.

3.6. Equality Wellformed formulas of MT have form a = b where a and b are terms. We now present some of the intuition behind equality. Let Nt be the set of MT programs that reduce to T, let Nf be the set of MT programs that reduce to function normal form, and let N⊥ be the set of the remaining MT programs. For MT programs a and b we deﬁne root equivalence a ∼ b thus:

a ∼ b ⇔ (a ∈ Nt ⇔ b ∈ Nt) ∧ (a ∈ Nf ⇔ b ∈ Nf ) ∧ (a ∈ N⊥ ⇔ b ∈ N⊥) In the deﬁnition above, each conjunct follows from the other two, so one could omit one of the conjuncts. We say that the MT programs a and b are observationally equal, written a =obs b, if ca ∼ cb for all MT programs c. Intuitively, equality of MT is observational equality. Technically, matters are a bit more complicated: Let Mκ be the MT canonical κ-model as deﬁned in Sections 7–9. Modelling ε requires σ < κ for an inaccessible σ, but modelling the other constructs just requires κ ≥ ω. Now let a =κ b denote Mκ |= a = b. We have:

Theorem 3.6.1 (Full Abstraction of Mω). a =obs b ⇔ a =ω b for MT programs a and b. See Appendix A for a proof and for related positive and negative results. Full abstraction may help understanding MT minus Hilbert’s epsilon operator. Now for a, b ∈ Mκ deﬁne

a ∼κ b ⇔ (a =κ T ⇔ b =κ T) ∧ (a =κ ⊥ ⇔ b =κ ⊥) κ ∀ ∈M ∼ Let a =obs b denote c κ: ca κ cb. The closest one can get to full abstraction in the general case reads:

13 κ ⇔ ∈ M ≥ Fact 3.6.2. a =obs b a =κ b for a, b κ, κ ω, κ regular.

The fact follows trivially from the deﬁnition of Mκ, c.f. Section 9.7.

3.7. Extensionality Two MT programs a and b happen to be observationally equivalent iﬀ

ay1 ··· yn ∼ by1 ··· yn for all n ≥ 0 and all MT programs y1, . . . , yn. That follows from Theorem 10.1.2 and Appendix A and provides another intuitive description of equality. We also have:

Fact 3.7.1. Let a, b ∈ Mκ. We have ca ∼κ cb for all c ∈ Mκ iﬀ ay1 ··· yn ∼κ by1 ··· yn for all n ≥ 0 and all y1, . . . , yn ∈ Mκ.

Fact 3.7.1 follows from Theorem 10.1.2. The ZFC equivalent of Fact 3.7.1 reads:

a ∈ c ⇔ b ∈ c for all sets c iﬀ y ∈ a ⇔ y ∈ b for all sets y

We shall refer to Fact 3.7.1 as semantic extensionality; we express it axiomati- cally in Section 4.3.

3.8. Hilbert’s choice operator To explain ε, we shall resort to a standard model M as presented in Section 8.3 (in particular, we may use the canonical model Mκ, κ regular, κ > σ, σ inaccessible). We shall refer to elements of M as maps. For all closed MT terms A let A denote the element of M denoted by A. Let ψˆ = {x∈M | ψx = T} where we deﬁne ψ in Section 4.6. We shall refer to elements of ψˆ as wellfounded maps. ˆ As before, let Vσ be the usual model of ZFC inside ZFC+SI. The set ψ is ˆ a big set in the sense that there exists a surjective function Z: ψ → Vσ which allows to represent all sets of Vσ by wellfounded maps. We shall say that p ∈ M is total, written Total(p), if ∀x∈ψˆ: px =6 ⊥. We shall use ε to denote the intended interpretation of Hilbert’s choice operator εp. ε is a function of type ε: M → M. For all p ∈ M, ε has the following properties:

ε(p) = ⊥ if ¬Total(p) ε(p) ∈ ψˆ if Total(p) p(ε(p)) = T if Total(p) ∧ ∃x∈ψˆ: px = T ε(p) = εq if Total(p) ∧ Total(q) ∧ ∀x∈ψˆ:(px = T ⇔ qx = T)

In other words, ε is a Hilbert choice operator over ψˆ. The last property above is Ackermann’s axiom. The strictness requirement that εp = ⊥ if ¬Total(p) has two motivations. First, MT includes an inference rule which implies that application is monotonic

14 for a certain order p q so ε must be monotonic in the sense that p q must imply εp εq. Strictness together with Ackermann’s axiom and the definition of p q given later is sufficient to ensure monotonicity of ε. Second, the strictness requirement simplifies the quantification axioms stated later. When comparing with [3] note that the present ψ is analogous to the φ of [3] and the present ψˆ is analogous to the Φ of [3]. The Ψ of [3] is unrelated to ψ and ψˆ.

3.9. Pure existence revisited

Let M and Mκ be as above. Pure existence E is designed to satisfy in M that Ep = T if px = T for some x and Ep = ⊥ otherwise (c.f. Section 4.4). So Ep = T in M iff px = T for some x ∈ M while the reduction rule for Ep given in Section 3.4 gives that Ep = T iff px = T for some program x. We now compare these two notions of existential quantification. Define

Esemantic ≡ λp. Ep Esyntactic ≡ λp. [ pC1 k · · · k pC8 k Esyntactic λu. Esyntactic λv. p(uv)]

We have

Esemantic p = T iﬀ px = T for some map x Esyntactic p = T iﬀ px = T for some program x

Mω happens to be a simple and very pertinent model for modelling the computational and elementary part of MT even if Mω is not a model of the full theory. We will see this later on, and we will prove in Appendix A that, among other nice properties, Mω satisﬁes Esemantic = Esyntactic (c.f. Lemma A.4.1). Now, this equation can be proved to be false in Mκ, κ > ω (c.f. Theorem A.8.1 and its proof), and more generally should be false in all the models of MT built from standard premodels, for a similar reason (these models are in a sense “too big”). The E of MT is the semantic one. The computational intuition behind E that we provided at the end of Section 3.4 is valid in Mω but does not hold in full MT.

4. Axioms and inference rules

MT has ﬁve groups of axioms and inference rules:

1. Elementary axioms and inference rules 2. Monotonicity and minimality 3. Extensionality 4. Axioms on E 5. Quantiﬁcation axioms

15 4.1. Elementary axioms and inference rules Let A, B, and C be (possibly open) terms and let x and y be variables. Let A =α B denote that A and B are identical except for naming of bound variables. Let 1 ≡ λxy.xy. The ﬁrst set of axioms and inference rules of MT reads:

Trans A = B; A = C ` B = C Sub B = C ` AB = AC Gen A = B ` λx.A = λx.B A1 TB = T A2 (β)(λx.A)B = C if C =α hA | x := Bi A3 ⊥B = ⊥ I1 if[T, B, C] = B I2 if[λx.A, B, C] = C I3 if[⊥, B, C] = ⊥ QND AT = BT; A(1C) = B(1C); A⊥ = B⊥ ` AC = BC P1 T k B = T P2 A k T = T P3 λx.A k λy.B = λz.T Y YA = A(YA)

Quartum Non Datur (QND) approximates that every map x satisﬁes x = T or x = ⊥ or x = 1x, there is no fourth possibility.

Example 4.1.1. As an example of use of QND, deﬁne

F ≡ λx.T ≈x ≡ if[x, T, F] x ∧ y ≡ if[x, if[y, T, F], if[y, F, F]]

Using the deﬁnitions above, QND allows to prove the following:

x ∧ y = y ∧ x (x ∧ y) ∧ z = x ∧ (y ∧ z) x ∧ x = ≈x

4.2. Monotonicity and Minimality Deﬁne: x ↓ y ≡ if[x, if[y, T, ⊥], if[y, ⊥, λz.(xz) ↓ (yz)]] x y ≡ x = x ↓ y

The recursive deﬁnition of x ↓ y is shorthand for:

x ↓ y ≡ (Yλfxy.if[x, if[y, T, ⊥], if[y, ⊥, λz.f(xz)(yz)]])xy

16 In canonical models, x y coincides with the order of the model and x ↓ y is the greatest lower bound of x and y. The rules of Monotonicity and Minimality read:

Mono B C ` AB AC Min AB B ` YA B

Example 4.2.1. We now introduce a primitive representation of natural numbers. We first do so semantically. Let M be a model of MT. We shall refer to elements of M as maps. We shall say that a map x is wellfounded w.r.t. a set G of maps if, for all y1, y2,... ∈ G there exists a natural number n such that xy1 ··· yn = T. We shall say that a map x is a natural number map if it is wellfounded w.r.t. {T}. Thus, x is a natural number map if z }|n { x TT ··· T = T for some natural number n. As examples, λxyz.T is a natural number map and λxyz.⊥ is not. We shall say that a natural number map x represents the smallest n which satisfies the equation above so λxyz.T represents ‘three’. We now formalize natural numbers in MT in the sense that we give a number of syntactic definitions which allow to reason formally about natural numbers in MT. The definitions read: 0 ≡ T K ≡ λxy. x x0 ≡ Kx $ ≡ λfx. if[x, T, f(xT)] ω ≡ Y$ x =ω y ≡ if[x, if[y, T, F], if[y, F, xT =ω yT]] E ≡ λx. x =ω x

As an example, 000 denotes one among many maps which represents ‘two’. The semantics of ω in the model M is that ωx = T if x is a natural number map and ωx = ⊥ otherwise. For that reason we shall refer to ω as the characteristic map of the set of natural number maps (c.f. Deﬁnition 4.6.1). For natural number maps x and y we have (x =ω y) = T iﬀ x and y represent the same number. In MT, we can prove $E = λx. if[x, T, xT =ω xT]. Furthermore, we can prove E = (λx. x =ω x) = λx. if[x, if[x, T, F], if[x, F, xT =ω xT]] = λx. if[x, T, xT =ω xT] where the latter equality requires QND. Hence, we can prove $E = E so $E E (c.f. Example 4.3.2). Hence, we can prove ω E by Min. Semantically, ω E expresses that (x =ω x) = T for all natural number maps: For each natural number map x we have ωx = T and ωx Ex which shows Ex = T.

17 Thus, the syntactic statement ω E formalizes the semantic statement that every natural number equals itself and the syntactic statement ω E has a formal proof in MT. From a program correctness point of view we have now defined a program x =ω y inside MT and then proved ω E which expresses that (x =ω x) = T for all natural number maps x. While this is a very simple example and even though space does not even permit to write out proofs in details, this still gives a first, small example of the fact that MT allows programming and reasoning inside the same framework. For a continuation of the present example which uses quantifiers see Example 4.5.2. Note that the definition of x =ω y only uses the four constructs λx. A, ab, T, and if[ a , b , c ], so one can compile the program x =ω y and run it on arguments x and y using the system described in [10]. In other logical frameworks than MT, given a recursive program like x =ω y, proofs of theorems like (x =ω x) = T for all natural numbers x usually requires some sort of Peano induction. In MT, induction is expressed by Min. Above, we applied Min to the characteristic function ω of natural number maps to get something equivalent to Peano induction (c.f. [9, Section 7.13]). Applying Min to the characteristic map ψ defined in Section 4.6 yields an induction scheme which resembles but is stronger than transfinite induction (c.f. [9, Section 9.13]).

4.3. Extensionality Recall ≈x ≡ if[ x , T , F ] from Example 4.1.1. For all (possibly open) terms A, B, and C (possibly containing epsilon), the inference rule of extensionality reads:

Ext For variables x, y not free in A and B we have ≈(Ax) = ≈(Bx); Axy=AC; Bxy=BC ` Ax = Bx

Note that if the premises of Ext hold and if c = λxy. C then we have e.g.

≈(Axy1y2) = ≈(A(cxy1)y2) = ≈(A(c(cxy1)y2)) = ≈(B(c(cxy1)y2)) = ≈(B(cxy1)y2) = ≈(Bxy1y2)

More generally, we have ≈(Axy1 ··· yn) = ≈(Axy1 ··· yn). Now, canonical models M have the semantic extensionality property that if a, b ∈ M and if

≈(ay1 ··· yn) = ≈(by1 ··· yn) for all natural numbers n and all y1, . . . , yn ∈ M then a = b. Rule Ext is a syntactical approximation of that fact which works in those cases where one can find a C for which one can prove the premises of Ext. It is typically rather difficult to find a witness C but it is possible more often than one should expect. The relation between Ext and semantic extensionality is: The premises of Ext entail ≈(Axy1 ··· yn) = ≈(Bxy1 ··· yn) which by semantic extensionality entail Ax = Bx which is exactly the conclusion of Ext.

18 Extensionality in MT corresponds to extensionality in set theory, where the latter says that if y ∈ a ⇔ y ∈ b then a = b. Here, P ⇔ Q of set theory corresponds to ≈P = ≈Q in MT and y ∈ a of set theory corresponds to ay1 ··· yn in MT.

Example 4.3.1. Let i ≡ λx. if[ x , T , λy. i(xy) ] and I ≡ λx. x. To prove ix = Ix by Ext take C to be xy and prove ≈(ix) = ≈(Ix), ixy = i(xy), and Ixy = I(xy). The two ﬁrst statements above can be proved using QND and the third is trivial.

Example 4.3.2. Ext allows to prove x ↓ x = x, x ↓ y = y ↓ x, and x ↓ (y ↓ z) = (x ↓ y) ↓ z. Those results are useful since they entail x x, x y; y x ` x = y, and x y; y z ` x z. (For proofs, see [9]).

When developing ZFC in MT, Ext plays a marginal but essential role [9]. In Example 4.2.1, Min replaced usual Peano induction and Min was used in the essential step in proving (x =ω x) = T, but Ext was also in play for proving $E E from $E = E. Likewise, when developing ZFC, the results listed in Example 4.3.2 are used in many places. Among other, it is used for proving the MT version of transﬁnite induction which in turn is used for proving most of the proper axioms of ZFC. Concerning Ext, the development of ZFC only depends on the results listed in Example 4.3.2 and does not make other use of Ext.

Example 4.3.3. Ext also allows to prove F2 = F3 where

F2 ≡ λx.λy.F2 F3 ≡ λx.λy.λz.F3

F2 and F3 both denote λx1.λx2.λx3. ··· and we have F2 =obs F3. Thus, F2 and F3 provide an example of two pure lambda terms which are provably equal in MT and observationally equal from the point of view of a computer, but not beta equivalent in lambda calculus.

4.4. Axioms on E Pure existence E is designed to satisfy Ex = T if xy = T for some y and Ex = ⊥ if xy = T for no y in standard models. Its axiomatization is a syntactical approximation of this. Now deﬁne:

x ◦ y ≡ λz.x(yz) χ ≡ λx.λz.if[xz, T, ⊥] x → y ≡ if[x, y, F] = if[x, T, F]

The axioms on E read:

ET ET = T EB E⊥ = ⊥ EX Ex = E(χx) EC E(x ◦ y) → Ex

19 Axioms ET and EB are natural since Tx = T and ⊥x = ⊥ are axioms of MT. EX says that Ex does not care about the value of xy if xy =6 T. EC says that if x(yz) = T for some z then xw = T for some w.

4.5. Quantification axioms Define: !x ≡ if[x, T, T] ¬¨x ≡ if[x, F, T] ∃¨p ≡ ≈(p(εp)) ∃¨x: A ≡ ∃¨λx.A ∀¨x: A ≡ ¬¨∃¨x:¬A ¨ εx: A ≡ ελx.A ∀¨p ≡ ∀¨x: px Note that ∀, ∃, and ¬ are part of the syntax of ZFC+SI whereas ∀¨, ∃¨, and¬ ¨ are terms of MT. The quantifier axioms depend on a term ψ which will be defined in Section 4.6. Recall ψˆ ≡ {x ∈ M | ψx = T}. In canonical models, for maps p, we have ∀¨p = T if ∀x∈ψˆ: px = T ∀¨p = ⊥ if ∃x∈ψˆ: px = ⊥ ∀¨p = F otherwise Hence, ∀¨ expresses universal quantification over ψˆ. Likewise, ∃¨ expresses existential quantification over ψˆ. The quantification axioms read:

Elim (∀¨x: px) ∧ ψy → py Ackermann εx: px = εx:(ψx ∧ px) StrictE ψ(εx: px) = ∀¨x: !(px) StrictA !(∀¨x: px) = ∀¨x: !(px)

Above, p, x, and y are variables of MT. Example 4.5.1. As we shall see, elements of ψˆ are wellfounded w.r.t. ψˆ (see Example 4.2.1 for the deﬁnition of wellfoundedness with respect to a set). This allows to use elements of ψˆ to represent sets of ZFC. We deﬁne the set represented by x ∈ ψˆ thus: Z[T] ≡ ∅ Z[x] ≡ {Z[xz] | z ∈ ψˆ} if x =6 T

For the usual model Vσ of ZFC in ZFC+SI and canonical models M of MT ˆ we have Vσ = {Z[x] | x ∈ ψ} (c.f. [3, Appendix A.4]) so all sets of ZFC are representable by wellfounded maps x ∈ ψˆ. Now define: x⇒¨ y ≡ if[x, if[y, T, F], if[y, T, T]] x⇔¨ y ≡ if[x, if[y, T, F], if[y, F, T]] x∈ÿ ≡ if[y, F, ∃¨z: x ¨=yz] x ¨=y ≡ ∀¨z:(z∈¨x⇔¨ z∈ÿ)

20 For x, y ∈ ψˆ we have (x∈ÿ) = T iff Z[x] ∈ Z[y] and (x ¨=y) = T iff Z[x] = Z[y]. An equivalent definition of ¨=reads:

x ¨=y ≡ if[x, if[y, T, F], if[y, F, (∀¨u∃¨v: xu ¨=yv) ∧ (∀¨v∃¨u: xu ¨=yv)]]

The latter formulation of ¨=resembles that of =ω in Example 4.2.1. Using ∈¨,¬ ¨,⇒ ¨ , and ∀¨ we may now express all wellformed formulas of ZFC in MT. All closed theorems of ZFC are satisﬁed by the standard model M of MT (Theorem 2.1.2). As a conjecture (Conjecture 2.1.3), closed theorems of ZFC+¬SI are provable in MT.

Example 4.5.2. As a continuation of Example 4.2.1, deﬁne x + y ≡ if[x, y, (xT) + y0]

Having a quantiﬁer in MT allows to prove in MT e.g. that the term

∀¨x, y: x + y =ω y + x equals T. The proof involves a proof of ∀ÿ: x + y =ω y + x by induction in x (or, more precisely, a proof of ω λx.∀ÿ: x + y =ω y + x by Min). The proof requires the ability to apply induction to a statement which contains both a quantifier (∀¨) and recursive programs (+ and =)ω and thus requires the ability to mix recursive programs and quantifiers as is possible in MT.

4.6. The definition of ψ We conclude the presentation of axioms by defining ψ. Like in Section 3.8 let M be any standard model of MT. We first define some auxiliary concepts.

Deﬁnition 4.6.1. (a) a ∈ M is a characteristic map if a ∈ F and ax ∈ {T, ⊥} for all x ∈ M. (b) Dom[a] = {x ∈ M | ax = T} (c) a ∈ M is a characteristic map of S ⊆ M if a is a characteristic map and S = Dom[a].

In Example 4.2.1 we referred to ω as “the characteristic map of the set of natural number maps”.

Deﬁnition 4.6.2. (a) t ≡ λfy. Ex. fxy (b) x ! y ≡ if[ x , y , ⊥ ] (c) D ≡ λx. if[ x , T , T ] (d) f / g ≡ if[ f , T , λx. gx !(fx / g)]

The intuitions behind Definition 4.6.2 are as follows. t satisfies Dom[ta] = ∪x∈MDom[ax]. x ! y is y guarded by x in the sense that if x = T then x ! y = y and if x =6 T then x ! y = ⊥. Dx is true if x is “defined”, i.e. if x =6 ⊥.

21 f / g is a kind of “transitive restriction” of the function f to the domain G = Dom[g] in the following sense: Suppose x1, . . . , xn ∈ G and fx1 ··· xn ∈ F then { fx ··· x y if y ∈ G (f / g)x ··· x y ∼ 1 n 1 n ⊥ otherwise where root equality u ∼ v was defined in Section 3.6. One may also think of f / g as a projection in the sense that (f / g) / g = f / g M f. The intuitions given above hold in all standard models M, c.f. Section 11.7 and Fact 13.3.2(b). ⇓ f / g equals Gf of [3]. In Section 3.8 we defined ψˆ = {x∈M | ψx = T}. We now go on to define ψ. To do so we need to define a number of auxiliary terms. In M, the terms ψ, s, S, S¯, P , Q, R, R1, and R0 will have the following properties:

y ∈ ψˆ iff ψy = T by definition of ψˆ y ∈ ψˆ iff say = T for some a y ∈ ψˆ iff Ssay = T for some a y ∈ ψˆ iff Ssψay¯ = T for some a y ∈ ψˆ if P y = T y ∈ ψˆ if Q(sa)y = T for some a y ∈ ψˆ if Rsψbcy = T for some b, c ˆ y ∈ ψ if ψc = T and R1sψbc = T and R0sψbcy = T for some b, c

For all a, b, and c, we will have that ψ, sa, Ssa, Ssψa¯ , P , Q(sa), Rsψbc, and R0sψbc are characteristic maps. For all a, Dom[sa] will be essentially σ-small in the sense that there exists a set A ⊆ ψˆ of cardinality less than σ such that Dom[sa] = {w ∈ ψˆ | ∃u∈A: u w}. The function Q mentioned above will have the property that if Dom[v] is essentially σ-small and if Qvy = T then y is wellfounded. See Sections 11–13 for proofs. The deﬁnition of ψ and the auxiliary terms reads:

Deﬁnition 4.6.3. (a) ψ ≡ ts (b) s ≡ YS (c) S ≡ λf. Sf¯ (tf) (d) S¯ ≡ λfθa. if[ a , P , if[ aT ,Q(f(aF)) , Rfθ(aT)(aF)]] (e) P ≡ λy. if[ y , T , ⊥ ] (f) Q ≡ λv. Dv ! λy. ∀¨z. v(y(z / v)) (g) R ≡ λfθbc. θc ! R1fθbc ! R0fθbc ¨ (h) R1 ≡ λfθbc. ∀z. D(f(b(cz / θ))) (i) R0 ≡ λfθbcy. Ez. (θz ! f(b(cz / θ))y)

The definition of ψ replaces the φ-axioms of MT0 (ten axioms and one inference rule). The definition of ψ in MT corresponds to the following in ZFC: the null set axiom, the pair set axiom, the power set axiom, the union set axiom, the axiom of replacement, the axiom of infinity, and the axiom of restriction.

22 Note that s = YS = S(YS) = Ss = Ss¯ (ts) = Ssψ¯ . Hence, in (d-i) above one may think of f and θ as s and ψ, respectively. We have ψy = tsy = Ea. say. So, in M, y is wellfounded iﬀ say = T for some a.

Example 4.6.4. We now prove that T is wellfounded by proving sTT = T. To do so we first prove say = Ssψay¯ as follows: say = (YS)ay = S(YS)ay = Ssay = Ss¯ (ts)ay = Ssψay¯ . Then we note that sTT = Ssψ¯ TT = P T = T. We now prove that λu.T is wellfounded by proving that s(T::T)(λu.T) = T: Define b::c ≡ λz. if[ z , b , c ]. We have (b::c)T = b and (b::c)F = c. Hence, if D(sc) = T then s(T::c)y = Ssψ¯ (T::c)y = Q(sc)y = ∀¨z. sc(y(z / sc)). Hence, s(T::T)(λu.T) = ∀¨z. sT((λu.T)(z / sT)) = sTT = T. Recall that we defined 0 = T, 1 = λu.T, 2 = λuv. T, and so on in Exam- ple 4.2.1. We have now proved that 0 and 1 are wellfounded. Furthermore, s(T::(T::T))2 = T proves that 2 is wellfounded. We may go on and prove that 3 is wellfounded and so on into the transfinite. For the complete development, see the proof of Theorem 11.1.3 in Section 13.

The ability of MT to model ZFC stems from several sources. First, the quantification axioms reference ψ in a way which forces MT quantifiers to quantify over the universe ψˆ = {x∈M | ψx = T}. Second, as shown in Example 4.6.4, recursive use of s = YS populates ψˆ, putting a lower bound on the size of the universe. Third, the minimality of Y permits a kind of transfinite induction over ψˆ, putting an upper bound on the size of the universe. Fourth, Ext plays a marginal but essential role in that it forces to be a partial order. When modelling ZFC in MT, one may define ∈¨,¬ ¨,⇒ ¨ , and ∀¨ as in Section 4.5. Then, to prove e.g. the power set axiom one may find an MT term P(x) such that P(x) represents the power set of the set represented by x. Then one may prove ∀¨x, y:(y∈P¨ (x)⇔ ¨ ∀¨z:(z∈ÿ⇒¨ z∈x)) and ∀¨x: ψ(P(x)) from which the power set axiom is easy to prove. Proving ∀¨x: ψ(P(x)) makes use of the second point above by using that ψ makes the universe big enough to contain P(x). But it also uses the third point above because the proof requires a kind of transfinite induction in x and thereby uses that the universe is so small that all sets have powersets.

5. Comparing MT and MT0

We now deepen the comparison between MT and MT0 which was only hinted at in the introduction.

5.1. Axioms and rules of MT0

MT0 consisted of only three groups of axioms, using constructors T, ⊥, if, ε, and φ (the innocuous k could have been added as well):

• Elementary axioms and rules (same as for MT).

23 • Quantiﬁcation axioms.

• The φ-axioms

The φ-axioms comprise the three wellfoundedness axioms, the seven construction axioms, and the inference rule of transﬁnite induction of [8]. The role of the φ-axioms was to force φ to behave as the characteristic function of the universe Φ of wellfounded sets. Most of the φ-axioms were easy (e.g. φT = T), two were highly non-obvious, and the rule was just expressing wellfoundation. But in fact all were (independent) instances of a single recursive set-theoretical equation Φ = Fσ(Φ) on Φ which involves an inaccessible cardinal σ and will be recalled in Deﬁnition 8.3.2. This recursive equation was the formalization in M of the main intuition behind map theory, which was, as for Church ([4, 5]) to have a universe whose primitives were the notions of “functions and application” instead of “sets and membership”.

5.2. Axioms and rules of MT The next intended step was hence to succeed to reflect the equation on Φ at the axiomatic level. This resulted in the present MT, where φ is now replaced by the MT-term ψ, whose definition requires the supplementary constructs Y and E. E is easy to axiomatize and to model, so the real technical cost is the addition of the extra rules Ext, Mono, and Min, and the (hard) proof that ψ truly represents Φ. Mono and Min force the constant Y to behave, at the level of the syntax, as a fixed point operator which is minimal w.r.t. the syntactic order . MT consists of five groups of axioms and rules, and uses constructors T, ⊥, if, k, Y, E, and ε:

• Elementary axioms and rules plus Y is a ﬁxed point operator. • Axioms on E.

• Axioms of Monotonicity (Mono) and Minimality (Min). • The inference rule of Extensionality (Ext).

• Quantiﬁcation axioms

2 The quantification axioms are the same as for MT0 except that the φ of MT0 is replaced by ψ in MT; but the proof that these axioms can be satisfied is much harder and very different, c.f. Section 8.4.

2This variant, containing 4 axioms, already appears in [3, Appendix C], and is equivalent to the original set of 5+1 axioms where the ﬁve ones were stated in [8] and the sixth one, as pointed out by Thierry Vall´ee,was used but not stated in [8]

24 5.3. Proof theoretical strength

MT0 can prove neither SI = T nor (¬SI) = T since it can be consistently extended by either one. In contrast, (¬SI) = T is conjectured to be provable in MT (Conjecture 2.1.3). Furthermore, MT can prove more pure lambda terms equivalent (e.g. F2 = F3, c.f. Example 4.3.3, which we conjecture is not provable in MT0). MT is very likely stronger than MT0:

0 0 Conjecture 5.3.1. If A = B is provable in MT0 and if A and B arise from A and B, respectively, by replacing all occurrences of φ by ψ, then A0 = B0 is provable in MT.

If (¬SI) = T is provable in MT then Conjecture 2.1.3 follows from Conjecture 5.3.1 and Theorem 2.1.4. Conjecture 5.3.1 is true if the φ-axioms of MT0 are provable in MT. Less support exists for Conjecture 5.3.1 than for Conjecture 2.1.3.

5.4. Models of MT versus models of MT0 Now let κ ≥ ω be a regular cardinal. Modelling ε requires an inaccessible σ < κ, while modelling the other constructs only requires κ ≥ ω. Sections 7–9 recall the notions of κ-Scott semantics and κ-continuity and introduce a number of concepts which have the following names and forms:

Underlying set M0 κ-Scott domain M1 = (M0, ≤) κ-premodel M2 = (M1, A, λ) Canonical κ-premodel A particular κ-premodel M3 M2 MT0 standard κ-σ-quasimodel 0 = ( , T, if, ε, φ) 2 MT0 canonical κ-σ-quasimodel same as above where M is canonical MT standard κ-σ-quasimodel M3 = (M2, T, if, ε, ⊥, Y, k, E) MT canonical κ-σ-quasimodel same as above where M2 is canonical

M M0 M1 M2 M3 M3 We use to denote any one of , , , 0, and , depending on context. For MT0 (MT) κ-σ-quasimodels we drop “quasi” when the quasimodel satisfies MT0 (MT), and we drop σ when σ is understood. As stated in Theorem 8.3.5, when σ is inaccessible, all MT0 standard κ-σ- quasimodels satisfy MT0. The main result of the present paper is that when σ is the first inaccessible, all MT canonical κ-σ-quasimodels satisfy MT. Thus, satisfying MT is harder than satisfying MT0: One both needs canonicity and needs that σ is the first inaccessible.

5.5. Levels of difficulty of the groups of axioms We now move on to consider the “difficulty” of the group of elementary axioms, the group of E-axioms, and so on. “Difficulty” is a multi-dimensional notion. When looking at groups of axioms it is natural to ask oneself the following questions:

25 • Naturality. Are the axioms intuitive or “natural” in some sense, i.e. is there a natural or simple or motivated intuition behind?

• Strength, here in the following sense: where is the existence of an inaccessible cardinal σ required? Which axioms can we model at not cost? meaning here that κ = ω would be enough, and/or that they can be modeled in all premodels?

• Conceptual hardness. Do we need to introduce original and/or high level tools for modeling them?

• Technical hardness. Do we need diﬃcult computations?

The Elementary Axioms are natural (if one is used to λ-calculus) and can be modelled at not cost (i.e. in any κ-premodel, κ ≥ ω); the four E-axioms are at first look purely technical, in fact they are easy from all the above points of view, the reason being that they are just four instances of a single, simple intuition, which allows us to model them easily and at “no cost”. Of course, all the axioms of MT are natural in some sense, since they were designed from semantical and computational intuitions (c.f. [8]), but this naturality can be lost when approximating the ideas through formalization. Mono and Min are semantically natural (syntactically a little less because of the definition of ), and can be modelled at no cost in terms of strength (κ ≥ ω), but fixing a syntactic definition of the order induces a technical cost which drastically reduces the class of possible models, c.f. Section 7.5. Concerning the quantifier axioms, it is interesting to note that replacing φ of MT0 by ψ in MT induces no change in strength in the sense that an inaccessible is used (and apparently needed) for modelling MT0 as well as MT, but that they are conceptually somewhat harder for MT (because they refer to the defined ψ which incorporates the φ-axioms) and technically much harder (c.f. Sections 11–13). We pursue and summarize the comparison between MT and MT0 in the following section.

5.6. Models of subsystems of MT

Recall from Section 3.2 that MTdef is the version of MT where Y and ⊥ are omitted and are replaced by YCurry and ⊥Curry, respectively. This concerns mainly A3, I3, QND, Mono, Min, Elim, Ackermann, and StrictE where Y or ⊥ appear explicitly or implicitly. We now introduce two subsystems of MT for which we keep the same syntax and which hence have the same terms. First, MT− is MT from which the quantiﬁer axioms are removed. Second, MT−− is MT− from which Ext, Mono, and Min are removed. We have:

• Modeling MT−− can be done from any κ-premodel, κ ≥ ω.

• Modeling MT− can be done from any canonical κ-premodel, κ ≥ ω

26 • Modeling MT and MTdef can be done from any canonical κ-premodel, κ > σ, using the ﬁrst inaccessible σ.

• Modelling MT0 can be done from any κ-premodel, κ > σ, using any inaccessible σ.

6. Approach

The aim of the rest of this paper is to show that some of the models of MT0 in [3] (the canonical ones) can be adjusted into models of MT. Models have to be adjusted because MT0 and MT have different syntax. Among others, MT0 does not have the E of MT and MT does not have the φ of MT0. To go from a model of MT0 to a model of MT one must first delete the interpretation of φ and then add interpretations of ⊥, Y, k, and E. One then has to check that all axioms and inference rules of MT are satisfied under adequate hypotheses on the model of MT0 one started from. The most difficult part will be to show that the quantifier axioms can be satisfied when replacing the construct φ of MT0 by the defined term ψ of MT. We delay as far as possible the specialization to canonical models. Working like this first increases our conceptual understanding, but will moreover facilitate for the future the design of consistent variations of Map Theory that users might wish to introduce. We work in ZFC+SI where SI asserts the existence of an inaccessible ordinal.

κ-premodels For all regular cardinals κ ≥ ω, [3] defines the notion of κ-premodels of map theory. The notion of a κ-premodel reflects the basic intuitions which were behind map theory. In particular, all the constructors of MT and MT0, namely ⊥, T, if, k, Y, E, ε, and φ have natural interpretations as functions in all premodels, as we will see. The definition of a κ-premodel (c.f. Section 8.2) involves Scott’s semantics, which is the most classical mathematical way for modeling type-free λ-calculus. Looking for a model as powerful as a model of ZFC, we will have to use general- izations (weakenings) of Scott’s semantics, called here κ-Scott semantics (where Scott semantics is the case κ = ω). Until specified otherwise, κ is any regular cardinal such that κ ≥ ω. κ-Scott semantics will be treated in more detail in Section 7. A κ-premodel has a domain which is a partially ordered set plus some structure which indicates how to interpret lambda abstraction, functional application, T, ⊥, and arbitrary κ-continuous constructs. A κ-premodel is a reflexive object in κ-Scott semantics, which furthermore satisfies a simple domain equation Eqκ (c.f. Section 8.1). As explained in [3, Section 3], the role of Eqκ is to force standard models to satisfy the elementary axioms and rules of MT0 (or MT).

27 Canonical κ-premodels For all regular cardinals κ ≥ ω, [3, Section 8] constructs a canonical κ- premodel of Map Theory. This was done in [3] in order to prove the existence of κ-premodels, which was the ﬁrst step of the consistency proof of MT0. The next step in [3] was to prove that all κ-premodels, κ > σ, σ inaccessible, could be enriched to MT0 models. For each regular κ ≥ ω there are many κ-premodels but only one canonical one. The canonical κ-premodel is the minimal solution to Eqκ. It is computationally adequate for the computational part of MT0 in the sense described in Section A.5. In the present paper, canonical κ-premodels play an even more crucial role than in [3], since it is only the canonical κ-premodels, κ > σ, σ the ﬁrst inaccessible, that we prove can be enriched to MT models. Canonical κ-premodels admit an elementary and direct construction which we will recall in the sequel. By “elementary” we mean in particular that the construction uses no category theory which is crucial for being able to work in practice with the model.3

MT0 standard κ-models Given an inaccessible ordinal σ and a regular cardinal κ > σ, [3, Sections 4 and 7] deﬁnes a method for enriching any κ-premodel to a model of MT0. The method adds interpretations of T, if, ε, and φ to the κ-premodel in such a way that all the axioms and inference rules of MT0 are satisﬁed. We shall refer to models constructed this way as MT0 standard models. The function interpreting if is κ-continuous for all regular κ ≥ ω. The function interpreting ε is only κ-continuous if κ > σ for some inaccessible ordinal σ.

MT standard κ-quasimodels Later, we adjust MT0 standard models by deleting the interpretation of φ and adding interpretations of ⊥, Y, k, and E by κ-continuous functions (κ ≥ ω) in an obvious way. We shall refer to the result of that as MT standard quasimodels. Such MT standard quasimodels need not satisfy all axioms and inference rules of MT but they do satisfy some of them.

The MT canonical κ-model Mκ Given an inaccessible ordinal σ and a regular cardinal κ > σ, one may enrich the canonical κ-premodel into an MT standard quasimodel. If σ is the ﬁrst inaccessible ordinal then the quasimodel can be proved to satisfy all axioms and inference rules of MT. Hence, we shall refer to the model constructed this way as the MT canonical κ-model Mκ.

3A classical but far less feasible alternative would have been to build the canonical model as an inverse limit of an ordinal sequence, similar to what Scott did with his ﬁrst model D∞ in the case κ = ω.

28 Summary To summarize, the notions of κ-premodels and canonical κ-premodels are the same for MT and MT0. The notions of models of MT and MT0 differ slightly due to differences in syntax. Furthermore, for canonical models of MT we assume that σ is the first inaccessible.

7. The κ-Scott semantics

7.1. Notation Let ω denote the set of finite ordinals (i.e. the set of natural numbers). For all sets G let G<ω denote the set of tuples (i.e. finite sequences) of elements of G. Let h i denote the empty tuple. For all sets G let Gω denote the set of infinite sequences of elements of G. Let f: G → H denote that f is a total function from G to H. Given any partially ordered or preordered set (R, ≤) and S ⊆ R, we let ↑S and ↓S be respectively the upward and downward closure of S for ≤ in R. We shall say that a set G is κ-small if G has cardinality smaller than κ. Let P(G) denote the power set of G and let Pκ(G) denote the set of κ-small subsets of G.

7.2. κ-Scott semantics The κ-Scott category is the Cartesian closed category whose objects are the κ-Scott domains and morphisms the κ-continuous functions. As κ grows there are more and more κ-Scott domains and κ-continuous functions. The theory of Scott domains (case κ = ω) is well known, and its κ-analogue was developed in full details in [3]. For the reader familiar with Scott domain theory, passing from Scott to κ-Scott is straightforward and just amounts to changing everywhere “finite” by “κ-small”. The regularity of κ is essential. We recall some key definitions and results in the following. κ-Scott semantics was first used around 1987-89 in [6, 7] and was used independently in [3], but Scott was aware of the notion from the beginning, and κ-Scott semantics appeared in German lecture notes by Scott which are proba- bly lost now.

7.3. κ-Scott domains Let (D, ≤) be a partially ordered set (p.o. for short). A subset S of D is κ-directed if all its κ-small subsets have an upper bound in S. The p.o. (D, ≤) is a κ-Scott domain if it has a least (or bottom) element, is such that all κ- directed and all upper-bounded subsets have sups (suprema), and ﬁnally if it is κ-algebraic as deﬁned below. As κ grows there are more and more κ-Scott domains. The simplest example of κ-Scott domains is that of the full powerset (P(D), ⊆) of some set D, which is a κ-Scott domain for all κ. The domain underlying the canonical model M of MT0 will not be a full power set, but will still be a set of sets, ordered by inclusion.

29 An element u of D is compact (resp. prime) if, whenever u ≤ sup(S) for some κ-directed (upper bounded) set S, then u ≤ v for some v ∈ S. D is κ- algebraic if for every u ∈ D the set of compact elements below u is κ-directed, and has u as its sup. A κ-Scott domain is prime-algebraic if each element of D is the sup of the primes below it.

Deﬁnition 7.3.1. K(D) is the set of compact elements of the κ-Scott domain D.

(P(D), ⊆) and M are prime algebraic κ-Scott domains. The compact elements of (P(D), ⊆) are the κ-small subsets of D and its primes are the singletons. In the case of M, compact elements are downward closures of adequate κ-small subsets of D, while primes are downward closures of singletons.

7.4. κ-continuous functions A function between two κ-Scott domains is κ-continuous if it is monotone and commutes with all sups of non-empty κ-directed sets. 0 0 Given κ-Scott domains D, D we use [D →κ D ] to denote the κ-Scott domain whose carrier set is the set of κ-continuous functions from D to D0 ordered pointwise. As κ grows there are more and more κ-continuous functions.

7.5. Syntactic monotonicity Monotonicity, which was part of the founding intuitions behind map theory (c.f. [8]) comes for free in models living in Scott’s semantics, but of course only relative to the order x M y of the underlying domain. In MT, monotonicity is explicitly required in the axiomatisation (by Mono), but necessarily for a syntactic order. We shall prove (Theorem 8.5.2) that the syntactic order x y coincides with the model order x M y in canonical κ-quasimodels and we shall conclude (Corollary 8.5.3) that the canonical κ- quasimodel satisﬁes Mono. The Mono rule was not part of MT0.

7.6. κ-open sets G ⊆ D is κ-open if G = ↑K for some set K ⊆ K(D). Equivalently, G is κ-open if G = ↑G and whenever G contains sup(S) for some directed set S then it contains some element of S. This deﬁnes a topology, the κ-Scott topology, and the κ-continuous functions, as deﬁned above, are exactly the functions which are continuous with respect to this topology. Finally, it is easy to check, and crucial to note, that the intersection of a κ-small family of κ-open sets is still κ-open. G ⊆ D is essentially κ-small if V ⊆ G ⊆ ↑V for some κ-small V . It follows that G is an essentially κ-small open set if and only if G = ↑K for some κ-small K ⊆ K(D).

30 7.7. Reflexive objects and models of pure λ-calculus By definition a reflexive object of the κ-category is a triple (M, A, λ) where M is a κ-Scott domain and A: M → [M →κ M] and λ:[M →κ M] → M are two morphisms such that A ◦ λ is the identity. This gives a model of untyped λ-calculus, i.e. of rules Trans, Sub, Gen, and A2, when we use A and λ to interpret the pure λ-terms, in the standard way (c.f. Section 9.6). Most of the time A(u)(v) will be abbreviated as uv, and uv1 ··· vn will mean ((··· ((u)v1) ···)vn). Furthermore, uw¯ ≡ uw1 ··· wn ifw ¯ = w1 ··· wn (n ≥ 0). All n-ary κ-continuous functions, n ∈ ω, can be internalized in M: for any such f there is an element v ∈ M such that f(u1, . . . , un) = vu1 ··· un for all u1, . . . , un ∈ M. In the case n = 1 we can take v = λ(f).

7.8. Tarski’s minimal ﬁxed point operators

Let D be a κ-Scott domain and let f ∈ [D →κ D]. If κ = ω then f has a fixed point and even has a minimal such. That does not always hold for κ > ω. As an example, (ω, ≤) is a κ-Scott domain for all regular κ > ω but the successor function has no fixed point. We now turn to sufficient conditions for the existence of fixed points. For all f ∈ [D →κ D], x ∈ D, and ordinals α define f α(x) = sup{f(f β(x)) | β ∈ α} whenever the sup exists. Furthermore, define

κ YTarski(f) ≡ f (⊥)

We shall say that v is a pre-ﬁxed point of f if f(v) M v.

Lemma 7.8.1. If f κ(⊥) is defined then f α(⊥) is defined for all α, f α(⊥) = f κ(⊥) for all α > κ, f has a fixed (and pre-fixed) point, it has a unique minimal κ fixed (and pre-fixed) point, and YTarski(f) = f (⊥) is that minimal fixed point.

Proof of 7.8.1 Easy and classical.

Lemma 7.8.2. (a) If κ = ω then YTarski ∈ [D →κ D] → D is total. (b) If f has a fixed point then YTarski(f) is defined. (c) If there are A, λ making (D, A, λ) a reflexive object then YTarski is total and κ-continuous.

Proof of 7.8.2 (a) Easy. (b) Note that if f has a fixed point x then x is an upper bound for each {f(f β(⊥)) | β ∈ α} which thus has a sup because D is κ-Scott. (c) Totality follows from (b) because YCurryλ(f) is a fixed point where YCurry is definable when A and λ exist. Continuity can be proved by a rather standard proof (which can be found e.g. in [15]).

31 Now suppose M = (D, A, λ) is a reﬂexive object and deﬁne YTarski ∈ M by

YTarski ≡ λ(YTarski ◦ A) where ◦ is composition.

Corollary 7.8.3. (a) YTarskiu = u(YTarskiu) (Y) (b) uv M v ⇒ YTarskiu M v (Min)

Proof of 7.8.3 First note that A ◦ λ is the identity since M is reflexive so YTarskiu ≡ A(λ(YTarski ◦A))(u) = (YTarski ◦A)(u). Then (a) and (b) follow from the fact that YTarski is the minimal fixed and pre-fixed operator.

YTarski would hence be a good candidate for interpreting Y, provided the syntactic order x y and the model order x M y coincide, as they do when M is canonical.

8. Premodels of Map Theory

8.1. The domain equation Eqκ 0 0 0 Given a κ-Scott domain D we denote by D ⊕⊥0 {T } the κ-Scott domain obtained by adding to D0 an element T0 which we decide to be incomparable to all the elements of D0, and a bottom element ⊥0 which we decide to be below T0 and all the elements of D0.

0 D' D → D ⊕ 0 { } Deﬁnition 8.1.1. Eqκ is the domain equation [ κ ] ⊥ T . ' Eqκ asserts that the two sides of are order isomorphic κ-Scott domains. It is the most natural semantic counterpart of rule QND, and the heart of the notion of a premodel. Proving the existence of solutions of Eqκ within Scott’s semantics is a well mastered technique, and passing from ω to κ is straightforward. Eqκ admits moreover a minimal solution, which will be re-built in Section 9.

8.2. Premodels In this subsection κ is any regular cardinal, and we do not need any σ. M M → M ⊕ 0 Given a solution of Eqκ and an order isomorphism λ from [ κ ] ⊥ {T0} to M, let T and ⊥ denote λ(T0) and λ(⊥0), respectively. Thus, ⊥ is the bottom element of M while T only compares to ⊥. The following theorem is easy to prove and the details can be found in [3, Section 3.1]: M Theorem 8.2.1. Let be a solution of Eqκ and let λ be an order isomorphism 0 from [M →κ M] ⊕⊥0 {T } to M. There exists a reﬂexive object (M, A, λ) such that (a) for all u ∈ M we have A(T)(u) = T and A(⊥)(u) = ⊥. (b) F ≡ {λ(f) | f ∈ [M → M]} = {u∈M | u = 1u} = M \ {⊥, T} (c) F and {T} are disjoint κ-open subsets of M.

32 Note that in (b) above, only the last equation uses that M is a solution to Eqκ. The ﬁrst equation is classic. In fact F is the isomorphic image of [M →κ M] under λ, and λx.⊥ ≡ λ(x 7→ ⊥) is the bottom element of F. Conversely, any object (M, A, λ) satisfying the above theorem can easily be turned into a solution of Eqκ. Deﬁnition 8.2.2. A κ-premodel M2 is a triple (M1, A, λ) satisfying the above requirements.

Deﬁnition 8.2.3. The canonical κ-premodel is the premodel associated to the minimal solution to Eqκ. Deﬁnition 8.2.3 will become more concrete in Section 9.6.

Theorem 8.2.4. Given any κ-premodel M (κ ≥ ω), there are elements if, k, and E in M such that M satisﬁes the elementary axioms and rules of MT and the axioms on E when the syntactic constructs ⊥, T , if, k, and E are interpreted by ⊥, T, if, k, and E, respectively.

Proof. M satisfies rules Trans, Sub, Gen, and A2 since it is a reflexive object of a Cartesian closed category, M satisfies A1 and A3 and rule QND by Theorem 8.2.1. We now turn to the axioms concerning if, k, and E. The argument is the same for the three constructors, and the case of if was already treated in [3]. The function If defined by If(u, v, w) = v if u = T, w if u ∈ F, and ⊥ if u = ⊥ is clearly κ-continuous. Hence, there is some element if ∈ M such that ifuvw = If(u, v, w) for all u, v, w ∈ M. Then it is easy to see that M satisfies Axioms I1, I2, and I3. The function Paror defined by Paror(u, v) = T if u or v is T, λx.T if u, v ∈ F, and ⊥ otherwise is clearly κ-continuous. Hence, there is some element k ∈ M such that kuv = Paror(u, v) for all u, v ∈ M. Then it is easy to see that M satisfies Axioms P1, P2, and P3. The function Exist defined by Exist(u) = T if uv = T for some v ∈ M and ⊥ otherwise is clearly κ-continuous. Hence, there is some element E ∈ M such that Eu = Exist(u) for all u ∈ M. Then it is easy to see that M satisfies the four axioms on E. 2 We now turn to Y and to the monotonicity and minimality axioms Mono and Min.

Theorem 8.2.5. Given any κ-premodel M (κ ≥ ω), when the syntactic construct Y is interpreted by YTarski, M satisﬁes the Monotonicity and the Mini- mality axioms for the model order M (but possibly not for the syntactic order ).

Proof. Monotonicity is for free when M lives in Scott’s semantics and the rest follows from Corollary 7.8.3. 2 We now turn to the quantiﬁer axioms. These axioms were easy to model in MT0 (the diﬃculty was carried by some of the φ-axioms), but in MT they

33 become very difficult to model since the constant φ of MT0 is replaced here by a complex term ψ, whose definition involves ε and Y. Our trick will be to use that they hold for the characteristic function φ of Φ, and to prove later on (Sections 12 and 13) that, provided σ is the first inaccessible cardinal, ψ and φ coincide in all premodels when Y is interpreted as in the proof above (i.e. by YTarski). Recall Dom[w] ≡ {u∈M | wu = T} from Definition 4.6.1 and define:

Deﬁnition 8.2.6. For U ⊆ M and w ∈ M we let: (a) wU ≡ {wu | u ∈ U} (b) χU : M → M is deﬁned by χU (x) = T if x ∈ U and χU (x) = ⊥ otherwise.

Remark 8.2.7. (a) Dom[w] is a κ-open set for all w ∈ M (b) χU is κ-continuous iﬀ U is κ-open

Theorem 8.2.8 ([3]). Let M be a κ-premodel (κ ≥ ω), and let Φ ⊆ M be such that Φ = ↑U for some κ-small set U such that T ∈ U and ⊥ 6∈ U. Then there is an ε ∈ M such that, when the syntactical ε is interpreted by this ε, M satisﬁes the quantiﬁer axioms, but for φ ≡ λ(χΦ) instead of the MT-term ψ.

Proof. Sketch of proof (details in [3, Section 4.1]): Let ξ be a choice function on Φ, i.e. a function ξ: P(Φ) → Φ such that ξ(V ) ∈ V for all non-empty V ⊆ Φ. Let e: M → Φ∪{⊥} be deﬁned by: e(u) = ⊥ if ⊥ ∈ uΦ, e(u) = T if uΦ ⊆ F, and e(u) = ξ{x∈Φ | ux = T} otherwise. Then e is κ-continuous (it is already clear that u M v implies e(u) = ⊥ or e(u) = e(v)) and can hence be internalized by an element ε ∈ M which has the required properties. 2

8.3. Standard and canonical models of MT0 We suppose now that there is some inaccessible σ such that σ < κ. And we recall the method which allows us to enrich any κ-premodel into a model of MT0, under this hypothesis. We deﬁne σ-small sets and essentially σ-small sets as was done for κ (c.f. Section 7.1 and 7.6), and we note that a κ-open set O is essentially σ-small if and only if O = ↑K for some σ-small set of compact elements of M.

Deﬁnition 8.3.1. [3] For any U, V, H ⊆ M where H is open we let: (a) Oσ(U) be the set of all essentially σ-small open subsets of U (b) U → V ≡ {x∈M | xU ⊆ V } ◦ ≡ { ∈M | ∀ ∈ ω∃ ∈ ··· } (c) U x u∪1, . . . , un,... U n ω: xu1 un = T ◦ σ (d) Fσ(H) ≡ {T} ∪ {G → G | G ∈ O (H)}

Deﬁnition 8.3.2. Φ ⊆ M is the smallest solution of the equation Φ = Fσ(Φ).

Definition 8.3.2 is equivalent to the definition used in [3] and several other definitions as studied in [3]. The property Φ = Fσ(Φ) is called the Generic Closure Property (GCP) in [3].

34 Theorem 8.3.3 ([3]). Φ is an essentially κ-small open subset of M.

Deﬁnition 8.3.4. An MT0 standard κ-σ-quasimodel is a tuple (M, T, if, ε, φ) where M is a κ-premodel, T, if, and ε are deﬁned as in the previous section, and φ = λ(χΦ).

Theorem 8.3.5 ([3]). If σ is inaccessible and κ > σ then any MT0 standard κ-σ-quasimodel satisﬁes MT0.

Thus, we can drop “quasi” for σ inaccessible, κ > σ. For each κ, MT0 has many κ-models but of course only one canonical κ-model: the one corresponding to the minimal solution to Eqκ. We now proceed to MT models.

8.4. Towards modelling the quantification axioms Now define ψˆ = Dom[ψ]. To model the quantification axioms of MT it remains to show that, if σ is the first inaccessible cardinal, then ψˆ = Φ. This is by far the most difficult proof of the paper, and it is split into two parts, called the Upper Bound Theorem (UBT) and the Lower Bound Theorem (LBT). UBT says ψˆ ⊆ Φ. It puts an upper bound on ψˆ and is proved in Section 12. The proof uses the existence of an inaccessible σ (actually, the mere definition of Φ needs it). The proof also uses that the construct Y (which is part of the definition of ψ) is interpreted by YTarski. LBT says Φ ⊆ ψˆ. It puts a lower bound on ψˆ and is proved in Section 13. The proof of LBT uses UBT and also uses the assumption that σ is the first inaccessible ordinal (the proof of UBT does not use it). UBT and LBT together entail the following:

Theorem 8.4.1. If σ is the first inaccessible and κ > σ, then: (a) Any MT standard κ-σ-quasimodel M satisfies the quantifier axioms of MT. (b) If M is furthermore canonical then it satisfies the quantifier axioms of MTdef .

As already noticed in the introduction, MTdef is a priori more diﬃcult to model than MT. Fortunately, canonical models M are suited for it. Indeed, (b) above follows from (a) plus the results stated in Section 8.5.

Remark 8.4.2. We avoid using Ψ for Dom[ψ] because Ψ has another meaning in [3].

8.5. Towards modelling of Mono, Min, and Ext Modelling Mono, Min, and Ext can be done in ZFC (no inaccessible is needed), but canonicity is crucial here.

Theorem 8.5.1. For all κ ≥ ω the canonical κ-quasimodel M satisﬁes Ext.

35 Proof. Section 10.2 2 Now recall that we define the syntactic order and the syntactic infimum ↓ in a roundabout way in that we define ↓ first and then define as the order induced by ↓. Theorem 8.5.2 is equally roundabout:

Theorem 8.5.2. For all κ ≥ ω the canonical κ-quasimodel M satisfies that infimum in the model coincides with the syntactic infimum ↓ and, as a corollary, the model order M coincides with the syntactic order .

Proof. Section 10.3 2

Now recall that Y is interpreted by YTarski.

Corollary 8.5.3. M satisﬁes Mono and Min of MT.

Theorem 8.5.4. For all κ ≥ ω, the canonical κ-quasimodel M satisﬁes

YTarski = YCurry

Proof. Section 10.4 2

Corollary 8.5.5. M satisﬁes Yf = YCurryf and ⊥ = ⊥Curry.

Corollary 8.5.6. M satisﬁes Mono and Min of MTdef .

9. Building the canonical κ-premodel

The aim is here to recall the elementary construction we gave in [3, Section 8] of the canonical premodel, i.e. of the minimal solution of the domain equation Eqκ (which proves in passing the existence of such a solution). This premodel is a webbed model in the sense that it is built as an (enriched) powerset of some lower level structure, called its web, which here can be taken to be a reﬂexive pcs. The terminology of “webbed model” was introduced in [2] and pcs’s are deﬁned below.

9.1. Pcs’s h ≤ _ i ≤ _ A pre-pcs is a tuple D = DD, D, ^D for which D and ^D are binary relations on DD. A pcs is a pre-pcs D = hD, ≤, ^_i with the following properties: Partial order ≤ is reﬂexive and transitive. Coherence ^_ is reﬂexive and symmetric. 0 0 0 0 Compatibility x ≤ x ∧ y ≤ y ∧ x ^_ y ⇒ x ^_ y. 0 0 0 0 From now on, D = hD, ≤, ^_i and D = hD , ≤ , ^_ i denote pre-pcs’s. D is a sub-pcs of D0, written D v D0, if the following hold:

D ⊆ D0 ∀x, y∈D: x ≤ y ⇔ x ≤0 y 0 ∀x, y∈D: x ^_ y ⇔ x ^_ y

36 A set S of pre-pcs’s is a chain if ∀D, D0∈S: D v D0 ∨ D0 v D. For all pre-pcs’s D, all u, v ⊆ D, and p ∈ D deﬁne ≤∗ ⇔ ∀ ∈ ∃ ∈ ≤ u D v x u y v: x D y _∗ ⇔ ∀ ∈ ∀ ∈ _ u ^D v x u y v: x ^D y ⇔ _∗ CohDu u ^D u ↓ { ∈ | ∃ ∈ ≤ } Du = y D x u: y x ↓ ↓ { } Dp = D p I {↓ | ⊆ ∧ } (D) = Du u D CohDu Above I(D) denotes the set of coherent, initial segments of D.

Fact 9.1.1. For all pcs’s D, (I(D), ⊆) is a prime algebraic κ-Scott domain {↓ | ∈ } {↓ | ∈ whose sets of prime and compact elements are Dp p D and Du u κ P (D) ∧ CohDu}, respectively.

The goal of Section 9.2–9.3 is to deﬁne a pcs P such that (I(P), ⊆) satisﬁes Eqκ.

9.2. Pcs generators Let D ]D0 denote disjoint union (i.e. D ∪D0 when D ∩D0 = ∅ and undeﬁned otherwise). Let D, D0 be pre-pcs’s and let S be a set of such structures. We ∪ ⊕ 0 → 0 Pκ now deﬁne the pre-pcs’s U(t), Df , S, D D , D D , and coh(D): ≤ _ R DR x R y x ^R y U(t) {t} true true Df D]{f} x=f ∨ x≤y x=f ∨ y=f ∨ x^_y ∪ ∪ ∃ ∈ ≤ ∃ ∈ _ S D∈SDD D S: x Dy D S: x^Dy 0 0 0 0 D⊕D D]D x≤y ∨ x≤ y x^_y ∨ x^_ y 0 0 0 0 D→D D×D y1≤x1 ∧ x2≤ y2 x1^_6 y1 ∨ x2^_ y2 Pκ { ∈Pκ | } ∗ _∗ coh(D) a (D) CohDa x y x^ y As an example of reading the table, the fourth line says that D ⊕ D0 is the unique pre-pcs R for which

0 DR = D∪D 0 x≤Ry ⇔ x, y ∈ DR ∧ (x≤y ∨ x≤ y) _ ⇔ ∈ ∧ _ ∨ _0 x^Ry x, y DR (x^y x^ y) 0 0 0 In the line defining D→D , we define D × D = {hx1, x2i | x1 ∈ D ∧ x2 ∈ D }. 0 For all x ∈ D × D we define x1 and x2 to be the first and second component, respectively, of the tuple x. Under reasonable conditions, the above pre-pcs’s are pcs’s:

Fact 9.2.1. U(t) is a pcs for all objects t (of ZFC).

Fact 9.2.2. If D is a pcs and f 6∈ D then Df is a pcs.

37 Fact 9.2.3. If S is a chain of pcs’s then ∪S is a pcs.

Fact 9.2.4. If D and D0 are pcs’s and D and D0 are disjoint, then D ⊕ D0 is a pcs.

Fact 9.2.5. If D and D0 are pcs’s then D → D0 is a pcs. Pκ Fact 9.2.6. If D is a pcs and κ is a cardinal, then coh(D) is a pcs.

9.3. The web of the canonical κ-premodel Now let κ be a regular cardinal greater than σ and, for all pre-pcs’s D, define Pκ → ⊕ H(D) = ( coh(D) D)f U(t) 0 Furthermore let Eqκ be the equation H(P) = P 0 I ⊆ Fact 9.3.1. If a pcs P satisfies Eqκ then ( (P), ) satisfies Eqκ. Now define

P0 = h∅, ∅, ∅i Pβ+1 = H(Pβ) Pδ = ∪{Pβ | β ∈ δ} P = Pκ

It is easy to prove by transﬁnite induction that Pβ is a pcs, that {Pβ | β ∈ δ} is 0 a chain of pcs’s, and that the pcs P is the minimal solution of Eqκ. Note that P1 = {t, f}. We deﬁne the rank rk(p) of p ∈ P as the smallest ordinal α for which p ∈ Pα. Recall that P0 = ∅ and P1 = {t, f} (as sets).

9.4. Some properties of the web ↓ ↓ ≡ Pκ ∈ From now on means P. Deﬁne C coh(P). For p P anda ¯ = <ω ha1, . . . , ani ∈ C let `(¯a) denote n (i.e. the length ofa ¯) and deﬁne

ha,¯ pi ≡ ha1,... han, pi ...i In particular, ha,¯ pi = p if `(¯a) = 0. Using that there are no decreasing inﬁnite sequences of ordinals we easily get:

Lemma 9.4.1 ([3]). For each p ∈ P there is a unique decomposition of p as p = ha,¯ ti or p = ha,¯ fi where a¯ ∈ C<ω.

For p = ha,¯ ti (p = ha,¯ fi) we deﬁne `(p) = `(¯a) + 1 and refer to t (f) as the head of p.

Remark 9.4.2. ha, pi ≤ r ∈ P implies r = hb, qi for some b, q. ha, pi ≤ hb, qi iﬀ b ⊆ ↓a and p ≤ q.

38 9.5. The domain of the canonical κ-premodel The κ-Scott domain M of the canonical κ-premodel is deﬁned by

M ≡ (I(P), ⊆)

We have:

Fact 9.5.1. Mp = {↓p | p ∈ P} is the set of prime maps of M. Mc = {↓a | a ∈ C} is the set of compact maps of M. In M, sups are unions and infs are intersections.

Mc was called K(M) in Section 7.3.

9.6. The canonical κ-premodel 0 0 0 0 0 0 Let T and ⊥ be arbitrary objects such that T =6 ⊥ and T , ⊥ 6∈ [M →κ M]. Then deﬁne λ, T, ⊥, and A by

λ(T0) ≡ T ≡ {t} λ(h) ≡ {f} ∪ {ha, pi ∈ C × P | p ∈ h(↓a)} for h ∈ [M →κ M] λ(⊥0) ≡ ⊥ ≡ ∅ A(T)(v) = T for v ∈ M A(u)(v) = {p∈P | ∃a⊆v: ha, pi ∈ u} for u ∈ F, v ∈ M A(⊥)(v) = ⊥ for v ∈ M

We have:

Fact 9.6.1. 0 (a) λ :[M →κ M] ⊕⊥0 {T } → M is an order isomorphism. M (b) is the minimal solution to Eqκ. (c) (M, A, λ) is a reﬂexive object.

Deﬁnition 9.6.2. The canonical κ-premodel is the triple (M, A, λ) with λ and A deﬁned as above. Mκ is the associated MT canonical κ-quasimodel (c.f. Section 5.4).

Note that we have T = {t}, ⊥ = ∅, and F = M\{T, ⊥} with F deﬁned as for Theorem 8.2.1. We have:

Fact 9.6.3. (a) u ∈ F iﬀ u ∈ M and f ∈ u. (b) ⊥, T, {f} ∈ Mc and {f} models λx.⊥.

9.7. Tying up a loose end ∼ κ Now recall the deﬁnitions of a κ b, a =obs b, and a =κ b from Section 3.6. Note that if ∀c∈Mκ: ca ∼κ cb then, in particular, (↓h{p}, ti)a = T ⇔ ↓h{ } i ∈ ⇔ ∈ κ ⇒ ( p , t )b = T so p a p b. Thus, a =obs b a =κ b which is the non-trivial direction of Fact 3.6.2.

39 10. Canonical premodels satisfy Mono, Min, and Ext

In Section 10 we only suppose κ ≥ ω, and that M is the canonical κ-premodel described above; in particular its domain is the minimal solution of Eqκ. We prove that M satisﬁes Mono, Min, and Ext, that the model order ⊆ coincides with the syntactic order , and that we can eliminate the constant Y in favor of Curry’s paradoxical combinator. Monotonicity of application w.r.t. ⊆ will be used constantly, most often without mention.

10.1. A characterization of the order of M via application The following applicative characterization of the model order ⊆ of M is the key for proving later on that the model order coincides with the syntactical order and that M satisﬁes Ext.

Deﬁnition 10.1.1. Let r = λu. if[u, T, λx.⊥].

Thus in M we have that ru = T if u = T, ru = ∅ if u = ∅, and ru = {f} if u ∈ F.

Theorem 10.1.2. For all u, v ∈ M the following are equivalent: (i) u ⊆ v (ii) For all w¯ ∈ M<ω we have r(uw¯) ⊆ r(vw¯)

Proof. (i) ⇒ (ii) because application is monotone. (ii) ⇒ (i). Let U = M \ {∅, T, {f}}. The only non-trivial case is when u ∈ U. Let V be the set of triples (u, v, p) such that u ∈ U, u and v satisfy (ii), and p ∈ u \ v. Note that v ∈ F and p =6 t, f. Suppose V =6 ∅, choose a triple (u, v, p) ∈ V such that `(p) is minimal. Since `(p) ≥ 2 let (c, q) ∈ C × P be such that p = hc, qi, which implies `(q) < `(p) and q ∈ (↓p)w ⊆ uw, where w ≡ ↓c. Since the pair (uw, vw) satisﬁes (ii), by the minimality hypothesis we have that q ∈ vw. Now, by deﬁnition of application in M, and since v =6 T, there is a c0 ⊆ ↓c ≡ w such that hc0, qi ∈ v and p = hc, qi ≤ hc0, q0i ∈ v, thus p ∈ v.A contradiction which proves V = ∅, i.e. (ii) ⇒ (i). 2

Corollary 10.1.3. For all u, v ∈ M we have (i) u ⊆ v iﬀ r(u) ⊆ r(v) and ∀w:(uw ⊆ vw) (ii) u = v iﬀ r(u) = r(v) and ∀w:(uw = vw)

Proof. (i) is an immediate consequence of the theorem, from which (ii) follows. In fact both are also direct consequences of the fact that M was a premodel (M is not required to be canonical for the corollary). 2

40 10.2. Ext Theorem 10.2.1. M |= Ext

Proof. Let A and B be two MT-terms that do not contain x and y free and suppose there is an MT-term C[x, y] such that (for all assignments of values to free variables) M |= ∀w∀v:(Awv = AC[w/x, v/y] ∧ Bwv = BC[w/x, v/y]). The task is to prove that M |= ∀w:(Aw = Bw) under the hypothesis that M |= ∀w:(r(Aw) = r(Bw)). Now, the hypothesis on A and B obviously imply that, given w ∈ M, the elements Aw and Bw satisfy point (ii) of Theorem 10.1.2; by (i) we hence have Aw ⊆ Bw. Similarly, Bw ⊆ Aw so Aw = Bw. 2

10.3. λ-deﬁnability of the order of M Theorem 10.3.1. M |= ∀u∀v:(u ↓ v = u ∩ v).

Proof. If one of u, v is equal to ⊥ or T or {f} then it is easy to check that the equality holds. Let V be the set of triples (u, v, p) such that p falsiﬁes u ↓ v = u ∩ v (i.e. p is in one of u ↓ v and u ∩ v, but not both). Suppose V =6 ∅ and choose (u, v, p) ∈ V such that `(p) is minimal. Thanks to the preceding remarks, u, v are diﬀerent from T, ⊥, and {f}, so p =6 t, p =6 f, and u ↓ v = λz.(uz ↓ vz). Let (c, q) ∈ C × P be such that p = hc, qi, and w = ↓c. Then q ∈ (↓p)w. Suppose p ∈ u ↓ v. Then q ∈ (u ↓ v)w = (uw) ↓ (vw). By the minimality hypothesis q ∈ (uw) ∩ (vw), and, since u =6 T and v =6 T there are c0 ⊆ w and c00 ⊆ w such that hc0, qi ∈ u and hc00, qi ∈ v. Since w ≡ ↓c we have p ≤ hc0, qi ∈ u and p ≤ hc00, qi ∈ v, hence p ∈ u ∩ v. Suppose now that p ∈ u ∩ v. Then q ∈ (u ∩ v)w ⊆ (uw) ∩ (vw). By the minimality hypothesis q ∈ (uw) ↓ (vw) = (u ↓ v)w. Hence there is a c0 ⊆ w such that hc0, qi ∈ (u ↓ v). Since w ≡ ↓c we have p ≤ hc0, qi ∈ u ↓ v. We have reached a contradiction, hence V = ∅. 2

Corollary 10.3.2. M |= ∀u∀v:(u v ⇔ u ⊆ v).

Corollary 10.3.3. In M the binary κ-continuous function inf is deﬁnable by a λ-term (using if, ⊥, and T), and hence the model order ⊆ is equationally deﬁnable.

Remark 10.3.4. It is interesting to compare this last result (which only applies to canonical premodels of MT) to the following one, which deserves to be known: the order of a reflexive Scott domain is always definable by a first order formula using only application (and which is the same for all these domains). This result, proved by Plotkin in 1972, and only published twenty years later in [14], was rediscovered independently by Kerth [11], who proved that it also holds in Berry’s and Girard’s stable semantics, and Ehrhard’s strongly stable semantics [12] (with different formulas).

41 10.4. Y and minimality

We now show that M interprets Curry’s fixed point combinator as YTarski. A first proof was worked out by Thierry Vallée(private communication, 2002), the present one is slightly more direct.

Deﬁnition 10.4.1. For all u ∈ M and ordinals α let uα ≡ ↓(u ∩ Pα) ∈ M.

Lemma 10.4.2. For all u, v ∈ M we have: (i) u0 = ∅ and uκ = u. (ii) uδv = ∪β<δ(uβv) for all limit ordinals δ. (iii) uβ+1v = uβ+1vβ for all ordinals β.

Proof. (ii) ∪β<δ(uβv) ⊆ uδv by monotonicity. Now assume p ∈ uδv. Choose a ⊆ v such that ha, pi ∈ uδ ≡ ↓(u ∩ Pδ). Choose q ∈ u ∩ Pδ such that ha, pi ≤ q. 0 0 0 0 Choose β < δ such that q ∈ Pβ. Choose a , p such that q = ha , p i. We have 0 0 0 0 p ≤ p and a ⊆ ↓a, c.f. Remark 9.4.2. Now p ≤ p ∈ (↓q)(↓a ) ⊆ uβv so p ∈ uβv. (iii) uβ+1vβ ⊆ uβ+1v by monotonicity. Now assume p ∈ uβ+1v. Choose a ⊆ v such that ha, pi ∈ uβ+1 ≡ ↓(u ∩ Pβ+1). Choose q ∈ u ∩ Pβ+1 such that ha, pi ≤ q. Choose a0, p0 such that q = ha0, p0i. We have p ≤ p0 and 0 0 a ⊆ ↓a, c.f. Remark 9.4.2. Furthermore, q ∈ Pβ+1 implies a ⊆ Pβ. Now 0 0 p ≤ p ∈ (↓q)(↓a ) ⊆ uβ+1vβ so p ∈ uβ+1vβ. 2

Theorem 10.4.3. M |= YCurry = YTarski.

Proof. Since YTarski acts as the least ﬁxed point operator on M it is enough to prove that, for all u ∈ M, we have ww ⊆ YTarskiu, where w ≡ λx.u(xx). We prove wαw ⊆ YTarskiu by induction on α ≤ κ. The case α = 0 is clear and the limit case is by Lemma 10.4.2(ii). If α = β + 1 we have wβ+1w = wβ+1wβ ⊆ wwβ = u(wβwβ) ⊆ u(wβw) ⊆ u(YTarskiu) = YTarskiu, the ﬁrst equality coming from Lemma 10.4.2(iii) and the last inclusion by induction hypothesis. 2

Remark 10.4.4. Most usual models are stratified, in the sense (very roughly speaking) that it is possible to find a way of decomposing them in such a way that each u is the inf of an increasing sequence uα, α ∈ κ (usually κ = ω) satisfying all the properties listed in Lemma 10.4.2 except u1v = u1v0. This last equation is really the key point here as for, say, Scott’s first model D∞, for which it holds; it is false for Park’s variant of D∞, which does not satisfy Min.

11. Concepts for proving UBT and LBT

11.1. Main theorem In the following, σ denotes the smallest inaccessible ordinal (in [3], σ denotes an arbitrary, inaccessible ordinal). Let κ be a regular cardinal greater than σ. We work in a standard κ-model M. We refer to elements of M as maps. Unless otherwise noted, variables range over M.

42 Deﬁne Φ and φ as in [3]. φ satisﬁes { T when x ∈ Φ φx = ⊥ otherwise

Recall Deﬁnition 4.6.1 and 4.6.3 and deﬁne ψˆ = Dom[ψ]. The elements of Φ ˆ and ψ are the wellfounded maps of MT0 and MT, respectively. We now prove that the two notions of wellfoundedness coincide:

Theorem 11.1.1 (Main Theorem). ψˆ = Φ (or, equivalently, ψ = φ)

To do so, we prove that Φ is both an upper and a lower bound of ψˆ:

Theorem 11.1.2 (Upper Bound Theorem/UBT). ψˆ ⊆ Φ.

Theorem 11.1.3 (Lower Bound Theorem/LBT). Φ ⊆ ψˆ.

We prove UBT and LBT in Sections 12 and 13, respectively. Section 11 analyzes ψ and Φ. The proof of LBT uses UBT (e.g. Fact 13.6.2(c) and Lemma 13.8.3(e)). The proof of LBT uses that σ is the smallest inaccessible ordinal (in Lemma 13.7.3).

11.2. Elementary observations Fact 11.2.1. (a) ⊥ M y (b) x M y ∧ x = T ⇒ y = T (c) x M y ∧ x ∈ F ⇒ y ∈ F

Fact 11.2.2. (a) (Ex. A) = T ⇔ ∃x∈M:(A = T) (b) (∀¨x. A) = T ⇔ ∀x∈Φ: (A = T) (c) φx = T ⇔ x ∈ Φ

Fact 11.2.3. (a) (x ! y) =6 ⊥ ⇔ x = T ∧ y =6 ⊥ (b) (x ! y) =6 ⊥ ⇒ x ! y = y (c) (x ! y)! z = x !(y ! z) (d) (x ! y ! z) =6 ⊥ ⇔ x = T ∧ y = T ∧ z =6 ⊥ (e) (x ! y ! z) =6 ⊥ ⇒ x ! y ! z = z

Fact 11.2.4. (a) Dx = T ⇔ x =6 ⊥

Fact 11.2.5. (a) Dom[tf] = ∪x∈MDom[fx]

43 11.3. Duals, boundaries, closure, and functions Deﬁnition 11.3.1. Let G, H ⊆ M ◦ (a) G ≡ {g∈M | ∀x0, x1,... ∈G∃n∈ω: gx0 ··· xn = T} for G =6 ∅ (b) ∅◦ ≡ M \ {⊥} δ (c) G ≡ {g∈G | ∀f∈G:(f M g ⇒ f = g)} ↑ (d) G ≡ {h∈M | ∃g∈G: g M h} (e) G → H = {f∈M | ∀x∈G: fx ∈ H}

We shall refer to G◦, Gδ, and G↑ as the dual, boundary, and upward closure, respectively, of G. Definition (e) above repeats Definition 8.3.1(b). Definition (a) above repeats Definition 8.3.1(c). Definition (b) above makes explicit how to understand ∅◦.

Fact 11.3.2. (a) G ⊆ H ⇒ H◦ ⊆ G◦ (b) G ⊆ H ⇒ G◦◦ ⊆ H◦◦ (c) G0 ⊆ G ∧ H ⊆ H0 ⇒ G → H ⊆ G0 → H0 (d) G ⊆ H ⇒ G◦ → G ⊆ H◦ → H (e) G =6 ∅ ⇒ G◦ = G → G◦ (f) G ⊆ H ⊆ H◦◦ ⇒ G◦ → G ⊆ H◦ → H◦◦ = H◦◦

Lemma 11.3.3. G◦δ↑ = G◦ for all open G.

Proof of 11.3.3 Trivial for G = ∅. Follows from [3, Theorem 6.1.11] for G =6 ∅.

11.4. Cardinality

We shall use G

Lemma 11.4.1. (a) If G ∈ Oσ(M) then G◦ ∈ Oσ(M). (b) If G ∈ Oσ(Φ) then G◦ → G ∈ Oσ(Φ).

Proof of 11.4.1 (a) [3, Theorem 6.1.11]. (b) This follows directly from the deﬁnition of Φ (Deﬁnition 8.3.2).

11.5. Hierarchies Deﬁnition 11.5.1.

(a) Φ0 = {T} ◦ (b) Φα0 = Φα → Φα (c) Φδ = ∪β∈δΦβ for limit ordinals δ. (d) H0 = {T}

44 ◦◦ (e) Hα0 = Hα (f) Hδ = ∪β∈δHβ for limit ordinals δ.

Lemma 11.5.2. (a) α ∈ β ⇒ Φα ⊆ Φβ (b) α ∈ β ⇒ Hα ⊆ Hβ (c) Φα ⊆ Hα (d) Φ = Φσ = Hσ σ (e) ∀G∈O (Φ)∃α∈σ: G ⊆ Φα ⊆ Hα (f) Φ ⊆ Φ◦ ⊆ H ⊆ ⊆ ◦ ⊆ H◦ ⊆ ◦ (g) Φα α Φ Φ α Φα Proof of 11.5.2 (a) By transfinite induction using Fact 11.3.2(d). (b) By transfinite induction using Fact 11.3.2(b). ◦◦ (c) We have Hα ⊆ Hα0 = Hα by Lemma 11.5.2(b) and Definition 11.5.1(e). Hence, Φα ⊆ Hα by transfinite induction using Fact 11.3.2(f). (d) For Φ = Φσ see the proof of [3, Lemma A.1.1]. For Hσ ⊆ Φ see [3, Theorem A.2.1] and its proof. Φσ ⊆ Hσ is given by (c). (e) For each g ∈ G let ρ(g) be the smallest ordinal for which g ∈ Φρ(g). Take α = ∪g∈Gρ(g). (f) [3, Theorem 7.1.1]. (g) Follows trivially from (a-d,f) and Fact 11.3.2(a).

11.6. Self-extensionality We now recall the definition of self-extensionality plus some auxiliary concepts from [3, Appendix A.2]. First recall r = λu. if[u, T, λx.⊥] from Definition 10.1.1. Then recall the definition of x =G y from [3]:

<ω Deﬁnition 11.6.1. x =G y iﬀ ∀z¯∈G : r(xz¯) = r(yz¯)

Note that x = y iﬀ x =M y according to Theorem 10.1.2. Now the deﬁnition of self-extensionality reads:

Deﬁnition 11.6.2. G ⊆ M is self-extensional if (a) ∅= 6 G ∈ Oσ(Φ) (b) G ⊆ G◦◦ (c) x =G y ⇒ x ↓ y ∈ G for all x, y ∈ G

The name “self-extensionality” refers to the property x =G y ⇒ x =Φ y which follows from property (c) above. Note that G◦◦ = G◦ → G◦◦ for all G [3, Fact 6.2.1].

Lemma 11.6.3. (a) Hα is self-extensional for all α ∈ σ. (b) For all G ∈ Oσ(Φ) there exists a self-extensional H such that G ⊆ H. σ (c) Hα ∈ O (Φ) for all α ∈ σ.

45 (d) ∀G∈Oσ(Φ): G◦◦ ∈ Oσ(Φ).

Proof of 11.6.3 (a) By transﬁnite induction in α using [3, Corollary 6.1.6 and Theorem A.2.1]. (b) Follows from (a) and Lemma 11.5.2(e). (c) Follows from (a) and the deﬁnition of self-extensionality. ◦◦ ◦◦ (d) Choose α ∈ σ such that G ⊆ Hα. We have G ⊆ Hα ⇒ G ⊆ Hα = ◦◦ Hα0 ⊆ Φ. Furthermore, G is open and essentially σ-small according to Lemma 11.4.1(a).

11.7. Restriction Recall that f / g ≡ if[ f , T , λx. gx !(fx / g) ] (Deﬁnition 4.6.2(d)). If ⇓ G = Dom[g] then f / g equals Gf of [3]. Two maps x, y ∈ M are said to be incompatible if they have no upper bound in M w.r.t. M. We have:

Lemma 11.7.1. Let G = Dom[g] =6 ∅. (a) G◦δ = {f/g | f ∈ G◦} (b) G◦δ is a set of pairwise incompatible elements.

Proof of 11.7.1 [3, Theorem 6.1.11].

Lemma 11.7.2. Let G = Dom[g] and f ∈ G◦. (a) f / g M f 0 0 (b) f M f ⇒ f / g = f / g

Proof of 11.7.2 (a) By lemma [3, Lemma 6.1.9]. 0 0 (b) Assume f M f . Now f / g M f / g by monotonicity. Furthermore, f 0 ∈ G◦ because G◦ is upward closed. Thus, f / g = f 0 / g by Lemma 11.7.1.

Lemma 11.7.3. Let G = Dom[g] ⊆ Φ. (a) {f / g | f ∈ Φ} ⊆ G◦δ (b) {f / g | f ∈ Φ} = G◦δ if G is self-extensional. (c) {az / φ | z ∈ Φ} ∈ Pσ(Φ◦δ) if a ∈ Φ.

Proof of 11.7.3 (a) G ⊆ Φ gives Φ ⊆ Φ◦ ⊆ G◦ by Lemma 11.5.2(f) and Fact 11.3.2(a). We conclude using Lemma 11.7.1. ∈ ◦δ ⇑∗ (b) We now prove the reverse inclusion of (a). Let x G and take y = Gx ⇑∗ where G is deﬁned in [3, Section A.2]. According to [3, Lemma A.2.4] ◦◦ ◦◦ we have y ∈ G and x M y. Lemma 11.6.3(d) and y ∈ G gives y ∈ Φ. From Lemma 11.7.2 we have y/g M y. From (a) we have y/g ∈ G◦δ. According to Lemma 11.7.1, G◦δ is a set of incompatible ◦δ ◦δ maps. Hence, x ∈ G , y/g ∈ G , x M y, and y/g M y gives x = y/g ∈ {f / g | f ∈ Φ}.

46 ◦ ◦ ∈ 0 → ⊆ (c) Choose α < σ such that a Φα = Φα Φα. Since Φ Φα (c.f. Lemma 11.5.2) we have aΦ ⊆ Φα ⊆ Φ. Let A = {az / φ | z ∈ Φ} = {x / φ | x ∈ aΦ}. By (a) we have A ⊆ Φ◦δ. From Lemma 11.6.3(a) σ ↑ we have Hα ∈ O (Φ). Choose K

Lemmas 11.7.3 (a) and (b) are central; they are used thus: 11.7.3(b) ⇒ 11.8.1(c,d) ⇒ 12.2.1(b,e) ⇒ 12.3.5 ⇒ 12.3.6 ⇒ UBT. 11.7.3(a) ⇒ 11.8.1(b) ⇒ 13.5.2(c) ⇒ 13.6.3 ⇒ 13.8.4 ⇒ LBT.

11.8. Closure properties of Oσ(Φ) For θ ∈ M let θˆ denote Dom[θ]. This is consistent with ψˆ = Dom[ψ]. We use below the deﬁnitions of P , Q, and R given in Deﬁnition 4.6.3 and Φ = Dom[φ]. We have:

Lemma 11.8.1. (a) Qv =6 ⊥ ⇒ Dom[Qv] = K → Dom[v] where K = {z / v | z ∈ Φ}. (b) Dom[v] ∈ Oσ(Φ) ∧ Qv =6 ⊥ ⇒ Dom[Qv] ⊇ Dom[v]◦ → Dom[v]. (c) Dom[v] ∈ Oσ(Φ) ∧ Qv =6 ⊥ ⇒ Dom[Qv] = Dom[v]◦ → Dom[v] if Dom[v] is self-extensional. (d) Dom[v] ∈ Oσ(Φ) ⇒ Dom[Qv] ∈ Oσ(Φ). 6 ⊥ ⇒ ∪ (e) Rfθbc = Dom[Rfθbc] = z∈θˆDom[f(b(cz / θ))] (f) Dom[P ] = {T}

Proof of 11.8.1 (a) Qv =6 ⊥ and the definition of Q gives Dv = T. We have y ∈ Dom[Qv] ⇔ Qvy = T Definition of Dom ⇔ ∀¨z. v(y(z / v)) = T Dv = T and the definition of Q ⇔ ∀z∈Φ: v(y(z / v)) = T Properties of ∀¨ ⇔ ∀z∈Φ: y(z / v) ∈ Dom[v] Definition of Dom ⇔ y ∈ K → Dom[v] Definition of K and → (b) Follows from (a) and Lemma 11.7.3(a) (c) Follows from (a) and Lemma 11.7.3(b). (d) Using Lemma 11.6.3(b), choose H ∈ Oσ(Φ) such that H is open, self- extensional, and contains Dom[v] as a subset. Let w be the characteristic map of H. Now v M w so Qv M Qw by monotonicity. Hence, Dom[Qv] ⊆ Dom[Qw] = Dom[w]◦ → Dom[w] ∈ Oσ(Φ) by 11.8.1(c) and 11.4.1(b). Thus, Dom[Qv] ⊆ Φ. It remains to prove Dom[Qv] ∈ Oσ(M). If v = ⊥ then Dom[Qv] = ∅ ∈ Oσ(M). Now assume v =6 ⊥. Let σ G = Dom[v]. Assume G ∈ O (Φ). Choose a σ-small H ⊆ Mc such that G = ↑H and let K be as in (a). Now K and K → H are σ-small and Dom[Qv] = K → ↑H = ↑(K → H) ∈ Oσ(M). (e) Rfθbc =6 ⊥ and the definition of R gives θc = T and R1fθbc = T. Now:

47 y ∈ Dom[Rfθbc] ⇔ Rfθbcy = T Definition of Dom ⇔ R0fθbcy = T θc = T, R1fθbc = T, and definition of R. ⇔ Ez. (θz ! f(b(cz / θ))y) = T Definition of R0 ⇔ ∃z∈M: θz ! f(b(cz / θ))y = T Properties of E ⇔ ∃z∈M: θz = T ∧ f(b(cz / θ))y = T Properties of guards ⇔ ∃z∈M: z ∈ θˆ ∧ f(b(cz / θ))y = T Definition of θˆ ⇔ ∃z∈θˆ: f(b(cz / θ))y = T Trivial ⇔ ∃z∈θˆ: y ∈ Dom[f(b(cz / θ))] Definition of Dom ⇔ ∈ ∪ y z∈θˆDom[f(b(cz / θ)))] Trivial (f) Trivial: x ∈ Dom[P ] ⇔ P x = T ⇔ if[ x , T , ⊥ ] = T ⇔ x = T.

12. Proof of the Upper Bound Theorem (UBT)

Recall that UBT states that ψˆ ⊆ Φ. In this section we only need that σ is inaccessible, that M is an MT standard κ-quasimodel where κ > σ is regular, that Y acts as YTarski, the least ﬁxed point operator of M w.r.t. the model order M, and that application is monotonic w.r.t. M.

12.1. Flat order For u, v ∈ M deﬁne the “ﬂat order” u ≤⊥ v thus:

Deﬁnition 12.1.1. u ≤⊥ v ⇔ u = ⊥ ∨ u = v

We have u ≤⊥ v ⇒ u M v.

Lemma 12.1.2. Assume (1) a M b (2) ∀c, d∈M:(c M d ⇒ fc ≤⊥ gd) (3) θ M φ We have (4) Sfθa¯ ≤⊥ Sgθb¯

Proof of 12.1.2 The lemma is trivial if Sfθa¯ = ⊥. Now assume (5) Sfθa¯ =6 ⊥ From (5) and the deﬁnition of S¯ we have that (6), (7), or (8) holds: (6) a = T (7) a ∈ F ∧ aT = T (8) a ∈ F ∧ aT ∈ F We proceed by a proof by cases Case 1. Assume (6). From (1) and (6) we have b = T. By the deﬁnition of S¯ we then have Sfθa¯ = P = Sgθb¯ which proves Sfθa¯ ≤⊥ Sgθb¯ . Case 2. Assume (7). We have (9) b ∈ F ∧ bT = T by 1, 7 (10) Sfθa¯ = Q(f(aF)) by 7, def. of S¯

48 (11) Sgθb¯ = Q(g(bF)) by 9, def. of S¯ (12) Q(f(aF)) =6 ⊥ by 5, 10 (13) f(aF) =6 ⊥ by 12, def. of Q (14) f(aF) ≤⊥ g(bF) by 1, 2 (15) f(aF) = g(bF) by 13, 14 (16) Sfθa¯ = Sgθb¯ by 10, 11, 15 (17) Sfθa¯ ≤⊥ Sgθb¯ by 16 Case 3. Assume (8). We have (18) b ∈ F ∧ bT ∈ F by 1, 8 (19) Sfθa¯ = θ(aF)! R1fθ(aT)(aF)! R0fθ(aT)(aF) by 8, def. of S¯ (20) Sgθb¯ = θ(bF)! R1gθ(bT)(bF)! R0gθ(bT)(bF) by 18, def. of S¯ (21) θ(aF) = T by 5, 19 (22) θ(aF) = θ(bF) by 1, 21 (23) R1fθ(aT)(aF) = T by 5, 19 ¨ (24) ∀z. D(f(aT(aFz / θ))) = T by 23, def. of R1 (25) ∀z∈Φ: f(aT(aFz / θ)) =6 ⊥ by 24 (26) ∀z∈θˆ: f(aT(aFz / θ)) =6 ⊥ by 3, 25 (27) ∀z∈θˆ: f(aT(aFz / θ)) = g(bT(bFz / θ)) by 1, 2, 26 (28) R1fθ(aT)(aF) = R1gθ(bT)(bF) by 27, def. of R1 (29) R0fθ(aT)(aF) = R0gθ(bT)(bF) by 27, def. of R0 (30) Sfθa¯ = Sgθb¯ by 19, 20, 22, 28, 29 (31) Sfθa¯ ≤⊥ Sgθb¯ by 30

12.2. Limited size

Lemma 12.2.1. Assume f, a, b, c, v, θ ∈ M, θ M φ, and ∀x∈M: Dom[fx] ∈ Oσ(Φ). We have: (a) Dom[P ] ∈ Oσ(Φ) (b) Dom[Q(fv)] ∈ Oσ(Φ) (c) Dom[Rfθbc] ∈ Oσ(Φ) (d) Sfθa¯ ∈ {⊥,P,Q(f(aF)), Rfθ(aT)(aF)} (e) Dom[Sfθa¯ ] ∈ Oσ(Φ)

Proof of 12.2.1 (a) Follows from 11.8.1(f) (b) Follows from 11.8.1(d). (c) If Rfθbc = ⊥ then Dom[Rfθbc] = ∅ ∈ Oσ(Φ). Now assume Rfθbc =6 ⊥. From the deﬁnition of R we have θc = T so c ∈ Φ. Hence, {cz / φ | z ∈ Φ} ⊆ Φ◦δ is σ-small by Lemma 11.7.3(c). Thus, {b(cz / φ) | z ∈ Φ} is { | ∈ ˆ} ∪ σ-small so b(cz / φ) z θ is also σ-small. Hence, z∈θˆDom[f(b(cz / φ))] ∈ Oσ(Φ). Combined with 11.8.1(e) this gives Dom[Rfθbc] ∈ Oσ(Φ). (d) Sfθay¯ = if[ a , P , if[ aT ,Q(f(aF)) , Rfθ(aT)(aF)]]y Deﬁnition of S¯ ∈ {⊥,P,Q(f(aF)), Rfθ(aT)(aF)} Properties of if (e) Follows from 12.2.1(a-d).

49 12.3. Proof of UBT For UBT we need the minimality of Y w.r.t. M, i.e. that Y is interpreted as YTarski.

Deﬁnition 12.3.1. Deﬁne sα ∈ M by: (a) s0 = ⊥ (b) sα0 = Ss¯ α(tsα) (c) sδ = supα∈δ sα for limit ordinals δ

Note that tsα denotes the map t applied to the map sα. Above, α is a free t variable in sα but a bound variable in supα∈δ sα. Fact 12.3.2. (a) α ≤ β ⇒ sα M sβ (b) supα∈δ sα exists (c) s = YS = sκ (d) ψ = tsκ ¯ ¯ We now define θα for all ordinals α and all θ ∈ M. We shall use θα for θ = φ ¯ ¯ and θ = ψ. In the case θ = φ we are going to have sα M φα and tφκ M φ ¯ so that ψ = tsκ M tφκ M φ which is the essence of UBT. ¯ Definition 12.3.3. For ordinals α and for θ ∈ M define θα thus: ¯ (a) θ0 = ⊥ ¯ ¯ (b) θα0 = S¯θαθ ¯ ¯ (c) θδ = supα∈δ θα for limit ordinals δ Fact 12.3.4. ¯ ¯ (a) α ≤ β ⇒ θα M θβ ¯ (b) supα∈δ θα exists. ¯ (c) s = ψκ. ¯ (d) ψ = tψκ.

Lemma 12.3.5. For θ M φ and for all ordinals β we have ¯ σ (a) ∀u∈M: Dom[θβu] ∈ O (Φ) ¯ ¯ (b) ∀γ∈β∀u, v∈M:(u M v ⇒ θγ u ≤⊥ θβv) Proof of 12.3.5 We now prove (a) and (b) together using complete induction. The proof has six parts: We prove (a) and (b) for β = 0, we prove (b) and (a) for β = δ assuming (a) and (b) for β < δ for limit ordinals δ, and we prove (a) and (b) for β = α0 assuming (a) and (b) for β ≤ α. The proof of (b) for β = α0 in turn uses induction in γ. Recall that Dom[u] is open for all u ∈ M, c.f. Remark 8.2.7. ¯ σ Proof of (a) for β = 0: Dom[θβu] = Dom[⊥] = ∅ ∈ O (Φ). Proof of (b) for β = 0: Trivial. Proof of (b) for β = δ: Assume γ ∈ δ, u, v ∈ M, and u M v. The proof is ¯ ¯ ¯ ¯ trivial for θγ u = ⊥. Now assume θγ u =6 ⊥. (b) for β < δ gives θγ u ≤⊥ θβv if ¯ ¯ ¯ ¯ ¯ ¯ γ ≤ β < δ so θγ u = θβv if γ ≤ β < δ. Thus, θγ u = θδv so θγ u ≤⊥ θδv.

50 ¯ Proof of (a) for β = δ: Assume u ∈ M. If θβu = ⊥ for all β < δ then ¯ ¯ σ ¯ ¯ ¯ θδ = ⊥ so Dom[θδu] = ∅ ∈ O (Φ). If θγ u =6 ⊥ for some γ < δ then θγ u = θβu ¯ ¯ ¯ σ for γ ≤ β < δ as above so θγ u = θδu. (a) for β < δ gives θγ u ∈ O (Φ) so ¯ σ θδu ∈ O (Φ). 0 ¯ Proof of (a) for β = α : From (a) for β = α we have ∀u∈M: Dom[θαu] ∈ σ ¯ ¯ σ O (Φ). Thus, Dom[θα0 u] = Dom[S¯θαθu] ∈ O (Φ) by 12.2.1(e). Proof of (b) for β = α0: The proof is by induction in γ, but we only use the inductive hypothesis on γ in the limit case. In the successor case we use the inductive hypothesis on β. ¯ ¯ For γ = 0 we have θγ u = ⊥ ≤⊥ θα0 v. If γ ∈ β = α0 is a successor ordinal then letγ ˜ be the predecessor of γ. Now 0 0 γ˜ = γ ∈ β = α soγ ˜ ∈ α. From (b) applied toγ ˜ and α we have ∀c, d∈M:(c M ¯ ¯ ¯ ¯ ¯ ¯ d ⇒ θγ˜c ≤⊥ θαd). Thus, by 12.1.2 we have θγ u = S¯θγ˜θu ≤⊥ S¯θαθv = θα0 v. Now let be a limit ordinal and assume ¯ ¯ (c) ∀u, v∈M:(u M v ⇒ θγ u ≤⊥ θα0 v) ¯ for all γ ∈ . Assume u, v ∈ M and u M v. If θγ u = ⊥ for all γ ∈ then ¯ ¯ ¯ ¯ ¯ ¯ θu = ⊥ ≤⊥ θα0 v. If θγ u =6 ⊥ for some γ ∈ then θu = θγ u ≤⊥ θα0 v by (c). Lemma 12.3.6. For ordinals α and a ∈ M we have ¯ (a) tφα M φ ¯ (b) sα M φα (c) ψ M φ (d) Dom[sa] ∈ Oσ(Φ) Proof of 12.3.6 ¯ σ ¯ (a) From Lemma 12.3.5(a) we have Dom[φαu] ∈ O (Φ). Hence, φαuv = ¯ T ⇒ v ∈ Φ. Using the properties of E we get (Eu.φαuv) = T ⇒ v ∈ Φ ¯ ¯ and (Eu.φαuv) ∈ {⊥, T}. Hence, tφα M φ using the definition of t (Definition 4.6.2(a)). (b) The proof is by transfinite induction in α. The cases where α is zero ¯ or a limit ordinal are trivial. We now assume sα M φα and prove ¯ ¯ sα0 M φα0 . From Lemma 12.3.6(a) we have tφα M φ. From sα M ¯ ¯ φα and monotonicity we have tsα M tφα. Hence, tsα M φ and ¯ ¯ sα0 = Ss¯ α(tsα) M S¯φαφ = φα0 . ¯ (c) ψ = tsκ M tφκ M φ by Fact 12.3.2(d), Lemma 12.3.6(b), and 12.3.6(a). ¯ σ (d) We have ψ M φ by (c) so Dom[ψκa] ∈ O (Φ) by Lemma 12.3.5(a). σ ¯ Thus, Dom[sa] ∈ O (Φ) since s = ψκ by Fact 12.3.4(c). The Upper Bound Theorem (Theorem 11.1.2) follows trivially from Lemma 12.3.6(c) above. Lemma 12.3.6(d) is a strengthening of UBT which we shall need for proving LBT.

13. Proof of the Lower Bound Theorem (LBT) Having proved UBT, we proceed by proving LBT, thus completing the proof of the Main Theorem. As already mentioned, the proof of LBT uses UBT (e.g.

51 Fact 13.6.2(c) and Lemma 13.8.3(e)) and that σ is the smallest inaccessible (only used in Lemma 13.7.3).

13.1. A countable collection of maps Deﬁnition 13.1.1.

(a) T0 ≡ T (b) Tn+1 ≡ λx. Tn (c) N ≡ {T0, T1, T2,...}

13.2. Characteristic maps Recall that we refer to elements of χ ≡ (M → {T, ⊥}) ∩ F as characteristic maps. For G ⊆ M we have Dom[g] = G for at most one g ∈ χ. We shall refer to that g, if any, as the characteristic map of G. Deﬁne χ⊥ ≡ χ ∪ {⊥}. Also recall the following facts:

Fact 13.2.1. (a) For g, h ∈ χ we have g M h ⇔ Dom[g] ⊆ Dom[h] (b) φ is the characteristic map of Φ (c) ψ is the characteristic map of ψˆ (d) h ∈ χ⊥ ∧ g M h ⇒ g ∈ χ⊥

Lemma 13.2.2. (a) sa = Ssψa¯ (b) sa ∈ χ⊥ (c) sa M ψ (d) If Dom[sa] =6 ∅ then sa M sb ⇔ Dom[sa] ⊆ Dom[sb].

Proof of 13.2.2 (a) sa = YSa Definition of s = S(YS)a Property of Y = Ssa Definition of s = Ss¯ (ts)a Definition of S = Ssψa¯ Definition of ψ (b) From if[ y , T , ⊥ ] M T we have P = λy. if[ y , T , ⊥ ] M λy. T = T1. ¨ From QT1 = DT1 ! λy. ∀z. T1(y(z / v)) = λy. T = T we have QT1 M T1. From Ez. · · · M T we have RT2(tT2)a = λy. Ez. · · · M λy. T. From S¯T2(tT2)a = if[ a , P , if[ aT ,Q(T2(aF )) ,RT2(tT2)a ] ] we have S¯T2(tT2)a ∈ {⊥,P,QT1,RT2(tT2)a} and S¯T2(tT2)a M T1. Hence, ST2 = λa. S¯T2(tT2)a M λa. T1 = T2 so, by the minimality of Y we have s = YS M T2 and sa M T2a = T1. sa M T1 combined with T1 ∈ χ gives sa ∈ χ⊥. (c) From ψ = ts we have Dom[ψ] = ta∈MDom[sa] so Dom[sa] ⊆ Dom[ψ] which proves sa M ψ.

52 (d) If sa =6 ⊥ and sb =6 ⊥ then the lemma follows from 13.2.1(a) and 13.2.2(b). The lemma is trivially true if sa = ⊥. Actually, sa M sb ⇔ Dom[sa] ⊆ Dom[sb] only fails for (sa = λx.⊥) ∧ (sb = ⊥), which is prevented by Dom[sa] =6 ∅.

13.3. Cardinality Deﬁnition 13.3.1. For all g, h ∈ M deﬁne f // g ≡ {x / g | x ∈ Dom[f]}.

Fact 13.3.2. Assume Dom[g] ⊆ Dom[h] (a) gy ! z = gy !(hy ! z) (b) f / g = (f / h) / g

Recall from Section 11.4 that G

Lemma 13.3.3. 0 0 (a) Dom[h] ⊆ Dom[h ] ⇒ g // h ≤c g // h 0 0 0 0 (b) Dom[g] ⊆ Dom[g ] ∧ Dom[h] ⊆ Dom[h ] ⇒ g // h ≤c g // h

Proof of 13.3.3 (a) Deﬁne k(x) = x / h. We prove the lemma by proving that k is a surjective function from g // h0 to g // h: Suppose y ∈ g // h = {x / h | x ∈ Dom[g]}. Select x ∈ Dom[g] such that y = x / h. Deﬁne z = x / h0. We have z ∈ {x / h0 | x ∈ Dom[g]} = g / h0 and k(z) = (x / h0) / h = x / h = y. 0 0 (b) Dom[g] ⊆ Dom[g ] trivially gives g // h ≤c g // h which combined with 0 0 13.3.3(a) gives g // h ≤c g // h .

13.4. Pairs Deﬁne x::y ≡ λz. if[ z , x , y ].

Fact 13.4.1. (a) (x::y) ∈ F (b) (x::y)T = x (c) (x::y)F = y

13.5. Analysis of s Lemma 13.5.1. (a) sT = P (b) Dom[sT] = {T}

Proof of 13.5.1 (a) sT = Ssψa¯ 13.2.2(a) = P Deﬁnition of S¯ (b) Dom[sT] = Dom[P ] 13.5.1(a) = {T } 11.8.1(f)

53 Lemma 13.5.2. (a) s(T::a) = Q(sa) (b) sa =6 ⊥ ⇒ Q(sa) =6 ⊥ (c) sa =6 ⊥ ⇒ Dom[s(T::a)] ⊇ Dom[sa]◦ → Dom[sa]

Proof of 13.5.2 (a) s(T::a) = Ssψ¯ (T::a) 13.2.2(a) = Q(s((T::a)F)) Definition of S¯ = Q(sa) 13.4.1(c) (b) From sa =6 ⊥ we have D(sa) = T so Q(sa) = D(sa)! λy. ··· Definition of Q = T ! λy. ··· From the assumption = λy. ··· Definition of guards =6 ⊥ Trivial (c) We have Dom[sa] ∈ Oσ(Φ) by 12.3.6(d) and Q(sa) =6 ⊥ by 13.5.2(b). Hence, Dom[s(T::a)] = Q(sa) 13.5.2(a) ⊇ Dom[sa]◦ → Dom[sa] 11.8.1(b)

Lemma 13.5.3. Assume f ∈ F, ψa = T, and ∀z∈Φ: s(f(az / ψ)) =6 ⊥ (a) R1sψ(f::a) = T (b) s(f::a) = λy. Ez. (ψz ! s(f(az / ψ))y) (c) s(f::a) =6 ⊥ ∪ (d) Dom[s(f::a)] = z∈ψˆDom[s(f(az / ψ))] Proof of 13.5.3

(a) R1sψ(f::a) ¨ = ∀z. D(s((f::a)T((f::a)Fz / ψ))) = T Definition of R1 = ∀¨z. D(s(f(az / ψ))) = T 13.4.1 = T Third assumption (b) s(f::a) = Ssψ¯ (f::a) 13.2.2(a) = Rsψ(f::a) Definition of S¯ = ψ((f::a)F)! R1sψ(f::a)! R0sψ(f::a) Definition of R = ψa ! R1sψ(f::a)! R0sψ(f::a) 13.4.1 = R1sψ(f::a)! R0sψ(f::a) Second assumption = R0sψ(f::a) 13.5.3(a) = λy. Ez. (θz ! s((f::a)T((f::a)Fz / θ))y) Definition of R0 = λy. Ez. (θz ! s(f(az / θ))y) 13.4.1 (c) Follows from 13.5.3(b)

54 (d) y ∈ Dom[s(f::a)] ⇔ s(f::a)y = T Definition of Dom ⇔ Ez. (ψz ! s(f(az / ψ))y) = T 13.5.3(b) ⇔ ∃z∈M:(ψz ! s(f(az / ψ))y) = T Properties of E ⇔ ∃z∈M:(ψz = T ∧ s(f(az / ψ))y) = T Properties of guards ⇔ ∃z∈M:(z ∈ Dom[ψ] ∧ s(f(az / ψ))y) = T Definition of Dom ⇔ ∃z∈M:(z ∈ ψˆ ∧ s(f(az / ψ))y) = T Definition of ψˆ ⇔ ∃z∈ψˆ: s(f(az / ψ))y = T Trivial ⇔ ∃z∈ψˆ: y ∈ Dom[s(f(az / ψ))] Definition of Dom ⇔ ∈ ∪ y z∈ψˆDom[s(f(az / ψ))] Definition of Dom

13.6. Lower bounds Recall f // g ≡ {x / g | x ∈ Dom[f]} from Deﬁnition 13.3.1. Now deﬁne:

Deﬁnition 13.6.1. self[ g ] ≡ g // g

Fact 13.6.2. Suppose x ∈ Φ and G = Dom[g] ⊆ Φ and let b be any map. (a) x / g ∈ G◦δ (Lemma 11.7.3(a)) (b) self[ g ] ⊆ G◦δ (c) self[ sb ] ⊆ Dom[sb]◦δ (because of UBT)

A key to proving LBT is to prove that self[ sb ] can have arbitrarily large cardinality below σ which uses both that self[ sb ] can be large and that σ is the smallest inaccessible.

Lemma 13.6.3. (a) self[ sT ] = {T} (b) self[ sb ] =6 ∅ ⇒ sb =6 ⊥ (c) T ∈ self[ sb ] ⇒ 2 ≤c self[ s(T::b)] (d) 2 ≤c self[ sb ] ⇒ ω ≤c s(T::b) // sb (e) 2 ≤c self[ sb ] ⇒ P(self[ sb ]) ≤c s(T::b) // sb

Proof of 13.6.3 (a) self[ sT ] = sT // sT Definition of self[ x ] = {x / sT | x ∈ Dom[sT]} Definition of x // y = {x / sT | x ∈ T} 13.5.1(b) = {T / sT} Trivial = {T} Definition of x / y (b) We have self[ ⊥ ] = ⊥ // ⊥ = {x / ⊥ | x ∈ Dom[⊥]} = {x / ⊥ | x ∈ ∅} = ∅. Hence, self[ x ] =6 ∅ ⇒ x =6 ⊥ ⇒ x =6 ⊥. (c) Assume T ∈ self[ sb ]. Let G = Dom[sb]. We have T ∈ self[ sb ] = sb // sb = {x / sb | x ∈ Dom[sb]} so ∃x∈Dom[sb]: x / sb = T. Since x / sb = T holds only for x = T this proves T ∈ Dom[sb] = G. From T ∈ self[ sb ] and 13.6.3(b) we have sb =6 ⊥ so Dom[s(T::b)] ⊇ G◦ → G by 13.5.2(c). Since T ∈ G we have {T, λx. T} ⊆ G◦ → G ⊆ Dom[s(T::b)]. Now let

55 H = self[ s(T::b) ] and u = (λx. T) / s(T::b). We have (λx. T) / s(T::b) ∈ F so {T, u} has two, distinct elements. Furthermore, self[ s(T::b) ] = s(T::b) // s(T::b) = {x / s(T::b) | x ∈ Dom[s(T::b)]} ⊇ {x / s(T::b) | x ∈ {T, λx. T}} = {T / s(T::b), (λx. T) / s(T::b)} = {T, u} proving self[ s(T::b)] ≥c 2. (d) Let G = Dom[sb] and V = self[ sb ]. Assume 2 ≤c self[ sb ] = V . Choose u, v ∈ V such that u =6 v. We have {u, v} ⊆ self[ sb ] = sb // sb = {x / sb | x ∈ Dom[sb]} = {x / sb | x ∈ G}. Choose p, q ∈ G such that p / sb = u and q / sb = v. From self[ sb ] =6 ∅ we have sb =6 ⊥ by 13.6.3(b) so Dom[s(T::b)] ⊇ G◦ → G. Now define z }|n { fn = λx.if[ x uu ··· u , p , q ] ◦ We have fn ∈ G → G ⊆ Dom[s(T::b)] for all n ∈ ω. Now define z }|n { gn = λx.if[ x uu ··· u , u , v ] We have gn = fn / sb ∈ s(T::b) // sb and all the gn are distinct, proving ω ≤c s(T::b) // sb. (e) Define G, V , u, v, p, and q as above. Assume 2 ≤c self[ sb ] = V . According to [3], V ⊆ G◦δ is a set of incompatible, compact maps. For all W ⊆ V let fW be the unique element of F for which  p if x ∈ W ↑ ∈ ◦δ \ ↑ fW x =  q if x (G W ) ⊥ otherwise ◦ We have fW ∈G → G ⊆ Dom[s(T::b)] for all W ⊆ G. Now define  u if x ∈ W ↑ ∈ ◦δ \ ↑ gW x =  v if x (G W ) ⊥ otherwise We have gW = fW / sb ∈ s(T::b) // sb and all the gW are distinct, proving P(V ) ≤c s(T::b) // sb.

13.7. Beth numbers For all ordinals α we now give a non-standard definition of the Beth number/cardinal Bα. The definition is non-standard in that B0 and B1 are non- standard and Bα is shifted two places for finite α. We use card(S) to denote the cardinality of S (i.e. the smallest ordinal equinumerous to S).

Deﬁnition 13.7.1. (a) B0 ≡ 1 (b) B1 ≡ 2 (c) B2 ≡ ω (d) Bα0 = card(P(Bα)) for α ≥ 2 (e) Bδ ≡ ∪α∈δBα for limit ordinals δ

We proceed by giving some deﬁnitions related to co-ﬁnality.

Deﬁnition 13.7.2.

56 (a) cf(α) denotes the co-ﬁnality of α, i.e. cf(α) is the smallest ordinal such that there exists an f: cf(α) → α which is unlimited in α. (b) ccf(α) denotes the smallest ordinal β such that cf(α) ≤c Bβ.

Thus cf(α) is always a cardinal and ≤c could be replaced by ≤ in (b) above. ccf(α) does not need to be a cardinal. We note that cf(α) = 1 if α is a successor ordinal and that cf(α) = α if, among others, α is 0, 1, ω, or an inﬁnite successor cardinal. We recall that an ordinal α is a regular cardinal if, by deﬁnition, cf(α) = α ≥ ω. Finally recall that σ is inaccessible if σ > ω and σ is a regular cardinal and γ < σ ⇒ P(γ)

Lemma 13.7.3. (a) α ≤c Bα (b) ccf(α) ≤ cf(α) ≤ α (c) ccf(α) < α or α = 0 or α is inaccessible. (d) ccf(α) < α if σ is the ﬁrst inaccessible and 0 < α < σ.

Proof of 13.7.3 (a) By induction in α (b) By (a), cf(α) ≤c Bcf(α). Hence, ccf(α) ≤ cf(α) by the deﬁnition of ccf(α). cf(α) ≤ α follows from the deﬁnition of cf(α). (c) Assume ccf(α) <6 α and α =6 0. We now prove that α is inaccessible. We have α = cf(α) = ccf(α) from (b). From ccf(1) = 0, ccf(ω) = 2, and ccf(γ) = 1 for 1 < γ < ω we have α > ω. Since cf(α) = α > ω it remains to prove γ < α ⇒ P(γ)

13.8. Growth lemma

We now define bα such that Dom[sbα] and self[ sbα ] are growing in α and such that ∀γ∈σ∃β∈σ: γ ≤c self[ sbβ ]. For defining bα we will use two auxiliary maps cα and dα defined in Definition 13.8.2 and three auxiliary functions fα, gα, and hα defined as follows:

Definition 13.8.1. (a) Choose fα: cf(α) → α such that fα is unlimited in α (this is possible by the definition of cf(α)). (b) Choose gα: self[ sbccf(α) ] → cf(α) such that gα is surjective if cardinality permits and non-surjective otherwise. ◦δ (c) Choose hα: Dom[sbα] → Dom[sbα] such that hαy/sbα = y when y ∈ self[ sbα ]. We define hα only if Dom[sbα] =6 ∅. From Fact 13.6.2(c) recall ◦δ self[ sbα ] ⊆ Dom[sbα] . Recall that self[ sbα ] = {x / sbα | x ∈ Dom[sbα]} by definition so that the choice of hα is possible.

Deﬁnition 13.8.2.

57 (a) b0 ≡ T (b) bα0 ≡ T::bα (c) bδ ≡ cδ::dccf(δ) for limit ordinals δ F (d) Let cα be the{ unique element of for which b if x / sb ∈ self[ sb ] c x ≡ fα(gα(x/sbccf(α))) ccf(α) ccf(α) α ⊥ otherwise (e) If Dom[sbα] =6{ ∅ let dα be the unique element of F for which h (x / sb ) if x / sb ∈ Dom[sb ]◦δ d x ≡ α α α α α ⊥ otherwise

Lemma 13.8.3. For (b)-(f) assume Dom[sbα] =6 ∅ (a) cαx = cα(x / sbccf(α)) (b) {dαx / sbα | x ∈ Dom[sbα]} = self[ sbα ] ◦ (c) dα ∈ Dom[sbα] → Dom[sbα] (d) ψdα = T (e) {dαx / sbα | x ∈ Φ} = self[ sbα ] ˆ (f) {dαx / sbα | x ∈ ψ} = self[ sbα ] Proof of 13.8.3 (a) From Fact 13.3.2 we have f / g = (f / g) / g. The lemma follows from x / sbccf(α) = (x / sbccf(α)) / sbccf(α) and the definition of cα. (b) Assume Dom[sbα] =6 ∅. Assume x ∈ Dom[sbα]. We have Dom[sbα] ⊆ Φ ◦δ by UBT so x / sbα ∈ self[ sbα ] ⊆ Dom[sbα] by Fact 13.6.2(a). The definition of dα gives dαx = hα(x / sbα). The definition of hα gives hαy / sbα = y if y ∈ self[ sbα ], so hα(x / sbα) / sbα = x / sbα. Thus, dαx / sbα = hα(x / sbα) / sbα = x / sbα. Hence, {dαx / sbα | x ∈ Dom[sbα]} = {x / sbα | x ∈ Dom[sbα]} = self[ sbα ]. ◦ ◦δ (c) Assume Dom[sbα] =6 ∅. If x ∈ Dom[sbα] then x / sbα ∈ Dom[sbα] by Lemma 11.7.1(a). Thus, dαx = hα(x / sbα) ∈ Dom[sbα] by the definitions of dα and hα. ◦ (d) Assume Dom[sbα] =6 ∅. Now sbα =6 ⊥. dα ∈ Dom[sbα] → Dom[sbα] ⊆ Dom[s(T::bα)] follows from sbα =6 ⊥, (c), and Lemma 13.5.2(c), proving ψdα = T. (e) Proof of ⊇: Follows from (b) and Φ ⊇ Dom[sbα]. Proof of ⊆: Assume z ∈ {dαx / sbα | x ∈ Φ}. Choose x ∈ Φ such that z = dαx / sbα. Like in the ◦δ proof of (b) we have x / sbα ∈ Dom[sbα] and dαx = hα(x / sbα). The ◦δ definition of hα and x / sbα ∈ Dom[sbα] gives hα(x / sbα) ∈ Dom[sbα]. Thus, z = dαx / sbα = hα(x / sbα) / sbα ∈ self[ sbα ]. ˆ (f) From ψ = ts we have Dom[sbα] ⊆ ψ. The lemma follows from (b), (e), ˆ and Dom[sbα] ⊆ ψ ⊆ Φ. Lemma 13.8.4. For all α ∈ σ we have: (a) Bα ≤c self[ sbα ] 00 (b) ∀β∈α ∀γ∈β: Dom[sbγ ] ⊆ Dom[sbβ] Proof of 13.8.4 We prove the conjunction of (a) and (b) by transfinite induction up to σ.

58 Base case. Suppose α = 0. We now prove (a). B0 = 1 Definition of B ≤c {T} Trivial = self[ sT ] 13.6.3(a) = self[ sb0 ] Definition of b = self[ sbα ] α = 0 To prove (b) for α = 0 we merely have to prove Dom[sb0] ⊆ Dom[sb1]. From 13.5.1(a) we have sT = P which gives sT =6 ⊥. Hence, by 13.5.2(b) we have Dom[s(T::T)] = Dom[sT]◦ → Dom[sT]. T ∈ Dom[sT] by 13.5.1(b) combined with the definition of X → Y gives T ∈ Dom[sT]◦ → Dom[sT] so T ∈ Dom[s(T::T)] which proves {T} ⊆ Dom[s(T::T)]. Hence, Dom[sb0] = Dom[sT] Definition of b = {T} 13.5.1(b) ⊆ Dom[s(T::T)] See above = Dom[s(T::b0)] Definition of b = Dom[sb1] Definition of b Induction step. Assume (1) Bα ≤c self[ sbα ] 00 (2) ∀β∈α ∀γ∈β: Dom[sbγ ] ⊆ Dom[sbβ] 0 To prove (2) in which α is replaced by α it is sufficient to prove Dom[sbα0 ] ⊆ Dom[sbα00 ]. From (1) we have Dom[sbα] =6 ∅. Then, from (2) and 13.2.2(d) we have sbα M sbα0 . Hence, sbα0 = s(T::bα) Definition of b = Q(sbα) 13.5.2(a) MQ(sbα0 ) Monotonicity = s(T::bα0 ) 13.5.2(a) = sbα00 Definition of b From sbα0 M sbα00 and 13.2.2(d) we have Dom[sbα0 ] ⊆ Dom[sbα00 ] as required. We now prove (3) Bα0 ≤c self[ sbα0 ] From 13.6.3(a) we have T ∈ self[ sT ]. From 13.6.3(c) we have B1 = 2 ≤c self[ s(T::T) ] = self[ sb1 ] so (3) holds for α = 0. For α = 1 we have Dom[sb1] ⊆ Dom[sb2] from (2). Hence, we may prove (3) for α = 1 as follows: B2 = ω Definition of B ≤c s(T::b1) // sb1 13.6.3(d) = sb2 // sb1 Definition of b ≤c sb2 // sb2 13.3.3(a) and Dom[sb1] ⊆ Dom[sb2] = self[ b2 ] Definition of self Now assume α ≥ 2. From 2 ≤c self[ b1 ], (2), and 13.3.3(b) we have 2 ≤c self[ bα ]

59 Bα0 = P(Bα) Definition of B ≤c P(self[ sbα ]) (1) ≤c s(T::bα) // sbα 13.6.3(e) = sbα0 // sbα Definition of b ≤c sbα0 // sbα0 13.3.3(a) and (2) = self[ sbα0 ] Definition of self Limit case. Suppose δ ∈ σ is a limit ordinal. For all α ∈ δ assume (4) Bα ≤c self[ sbα ] 00 (5) ∀β∈α ∀γ∈β: Dom[sbγ ] ⊆ Dom[sbβ] From 13.7.3(d) we have ccf(δ) ∈ δ. Hence, by the definition of ccf and (4) we have cf(δ) ≤c Bccf(δ) ≤c self[ sbccf(δ) ] so gδ: self[ sbccf(δ) ] → cf(δ) is surjective according to 13.8.1(b). From ccf(δ) ∈ δ and (4) we have Dom[sbccf(δ)] =6 ∅ so the conditions in 13.8.1(c), 13.8.2(e), and 13.8.3 (b)-(f) are satisfied. We have ∀z∈Φ: s(cδ(dccf(δ)z / ψ)) =6 ⊥ ⇔ ∀z∈Φ: s(cδ(dccf(δ)z / ψ / sbccf(δ))) =6 ⊥ 13.8.3(a) ⇔ ∀z∈Φ: s(cδ(dccf(δ)z / sbccf(δ))) =6 ⊥ 13.3.2(b) and 13.2.2(c) ⇔ ∀z∈self[ sbccf(δ) ]: s(cδz) =6 ⊥ 13.8.3(e) ⇔ ∀ ∈ 6 ⊥ z self[ sbccf(δ) ]: sbfδ (gδ (z)) = 13.8.2(d) ⇔ ∀ ∈ 6 ⊥ z cf(δ): sbfδ (z) = 13.8.1(b) ⇔ true (4) Hence, we have (6) ∀z∈Φ: s(cδ(dccf(δ)z / ψ)) =6 ⊥ Furthermore, Dom[sbδ] = Dom[s(cδ::dccf(δ))] Definition of b ∪ = z∈ψˆDom[s(cδ(dccf(δ)z / ψ))] 13.5.3(d), 13.8.3(d), and (6) ∪ = z∈ψˆDom[s(cδ(dccf(δ)z / ψ / sbccf(δ)))] 13.8.3(a) ∪ = z∈ψˆDom[s(cδ(dccf(δ)z / sbccf(δ)))] 13.3.2(b) and 13.2.2(c) = ∪ ˆ Dom[s(c y)] Trivial y∈{dccf(δ)z/sbccf(δ)|z∈ψ} ccf(δ) ∪ = y∈self[ sbccf(δ) ]Dom[s(cδy)] 13.8.3(f) ∪ = y∈self[ sbccf(δ) ]Dom[sbfδ (gδ (y))] 13.8.2(d) ∪ = γ∈cf(δ)Dom[sbfδ (γ)] 13.8.1(b) = ∪γ∈δDom[sbγ ] 13.7.2(a) and (5) Hence, we have ∀γ∈δ: Dom[sbγ ] ⊆ Dom[sbδ] and ∀γ∈δ: sbγ M sbδ. Like in the deduction step, the latter implies ∀γ∈δ: sbγ0 M sbδ0 and ∀γ∈δ: Dom[sbγ0 ] ⊆ Dom[sbδ0 ]. The latter implies Dom[sbδ] = ∪γ∈δDom[sbγ ] ⊆ Dom[sbδ0 ]. Hence, we have proved (2) in which α is replaced by δ. From ∀γ∈δ: Dom[sbγ ] ⊆ Dom[sbδ], 13.3.3(b), and (4) we have ∀γ∈δ: Bγ ≤c self[ sbγ ] ≤c self[ sbδ ]. Hence, Bδ = ∪γ∈δBγ ≤c self[ sbδ ] which completes the proof.

60 13.9. Proof of the lower bound theorem To prove the lower bound theorem (Theorem 11.1.3) it is suﬃcient to prove

∀G∈Oσ(ψˆ): G◦ → G ⊆ ψˆ

σ ˆ To do so, assume G ∈ O (ψ). Choose α ∈ δ such that G ≤c self[ sbα ]. Let h: self[ sbα ] → G be surjective. For all x ∈ G choose ix ∈ M such that x ∈ Dom[six]. Let c be the unique element of F for which { i if x / sb ∈ self[ sb ] cx ≡ h(x/sbα) α α ⊥ otherwise

By a proof similar to the limit case of 13.8.4 we have G ⊆ Dom[s(c::dα)]. Hence, ◦ ◦ ˆ G → G ⊆ Dom[s(T::c::dα)] by 13.5.2(c) so G → G ⊆ ψ as required.

A. Computational properties of canonical pre-models

We now proceed to compare the observational, computational behavior of programs with their semantics as deﬁned by the canonical models. Let Mκ be the MT canonical κ-model. Modelling ε requires κ > σ for an inaccessible σ, but modelling the other constructs just requires κ ≥ ω. Now assume κ ≥ ω. For all MT, MTdef , and MT0 programs d let d denote the interpretation of d in Mκ.

A.1. Introduction of Tc and auxiliary concepts Pω ∈ ⊆ Let Cω = coh(Pω). Recall from Section 9.5 that if p Pω P then ↓p ∈ M is a prime map and if c ∈ Cω ⊆ C then ↓c ∈ M is a compact map. For p ∈ Pω and c ∈ Cω we now proceed to deﬁne MTdef programs Tp, Tc, χp, and χc which satisfy:

Tp = ↓p Tc = {↓c T if ↓p M x χpx = { ⊥ otherwise T if ↓c M x χ x = c ⊥ otherwise

To define the terms above, we also define a number of auxiliary concepts. For ∈ h i h 0 0 i n n ω and for n-tuples c1, . . . , cn and c1, . . . , cn in Cω we define h i _ h 0 0 i ⇔ _ 0 ∧ · · · ∧ _ 0 c1, . . . , cn ^ c1, . . . , cn c1 ^ c1 cn ^ cn and

↓hc1, . . . , cni = h↓c1,..., ↓cni

61 h i h 0 0 i Mn For m1, . . . , mn and m1, . . . , mn in we deﬁne h i h 0 0 i ⇔ 0 ∧ · · · ∧ 0 m1, . . . , mn M m1, . . . , mn m1 M m1 mn M mn 0 ∈ Pω n For sets of n-tuples s, s (Cω) we deﬁne

0 0 0 0 s ^_ s ⇔ ∃c¯∈s∃c¯ ∈s :c ¯ ^_ c¯ 0 ∈ 0 ∈ 0 ∈ n 0 ∈ Pω n _6 0 For p, p Pω, c, c Cω,c, ¯ c¯ Cω, and s, s (Cω) for which p ^ p , 0 0 0 c ^_6 c ,c ¯ ^_6 c¯ , and s ^_6 s we are going to deﬁne MTdef programs δpp0 , δcc0 , δc¯c¯0 , and δss0 which satisfy:

δpp0 x = T if ↓p M x 0 δpp0 x = F if ↓p M x δcc0 x = T if ↓c M x 0 δcc0 x = F if ↓c M x δc¯c¯0 x1 ··· xn = T if ↓c¯ M hx1, . . . , xni 0 δc¯c¯0 x1 ··· xn = F if ↓c¯ M hx1, . . . , xni δss0 x1 ··· xn = T if ∃c¯∈s: ↓c¯ M hx1, . . . , xni 0 0 0 δss0 x1 ··· xn = F if ∃c¯ ∈s : ↓c¯ M hx1, . . . , xni

∈ n ∈ Pω n Finally, forc ¯ Cω, and s (Cω) we are going to deﬁne MTdef programs χc¯, and χs which satisfy: { T if ↓c¯ M hx1, . . . , xni χc¯x1 ··· xn = { ⊥ otherwise T if ∃c¯ ∈ s: ↓c¯ M hx , . . . , x i χ x ··· x = 1 n s 1 n ⊥ otherwise

A.2. Parallel constructs As a supplement to parallel or deﬁne parallel and:

x & y = ¬(¬x k ¬y)

∪ ∪ n ∪ Pω n Let be a choice function over Pω Cω Cω (Cω). For ﬁnite subsets Z of n Pω n ∈ Pω, Cω, C∑ω, or (Cω)∏ and for MTdef programs az, z Z, deﬁne the MTdef programs z∈Z az and z∈Z az thus: { ∑ F ∑ if Z = ∅ z∈Z az = k { aZ z∈Z\{Z} az otherwise ∏ T ∏ if Z = ∅ z∈Z az = aZ & z∈Z\{Z} az otherwise

62 A.3. Deﬁnition of Tp and Tc 0 ∈ 0 ∈ ∈ 0 ∈ n 0 ∈ Pω n For p, p Pω, c, c Cω, n ω,c, ¯ c¯ Cω, and s, s (Cω) we deﬁne 0 0 0 0 the following MTdef programs by induction in the set rank of p, p , c, c , c,¯ c¯ , s, s :

Tt = T Tf = λx. ⊥Curry Thc,pi = λx. if[ χcx , Tp , ⊥Curry ] χt = λx. if[ x , T , ⊥Curry ] χf = λx. if[ x , ⊥Curry , T ] T χhc,pi = λx. χp∏(x c) ⊥ χc = λx. if[ p∈c χpx , T , Curry ] ··· ··· χhc1,···,cni = λx1 xn. χ∑c1 x1 & & χcn xn ··· ··· χs = λx1 xn. c¯∈s χc¯x1 xn δtp = λx. if[ x , T , F ] if p =6 t 6 δpt = λx. ∏if[ x , F∑, T ] if p = t 0 0 0 _6 δc,c = λx. p∈c ∑p0∈c0 δ∏pp x if c ^ c 0 0 ··· 0 ··· _6 δs,s = λx1 xn. c¯∈s c¯0∈s0 δc¯c¯ x1 xn if s ^ s 0 0 0 0 0 T h i 6 h i Above, the deﬁnitions of δhc,pihc ,p i, δc¯c¯ , and c are missing. For c, p ^_ c , p deﬁne

δhc,pihc0,p0i = λx. δpp0 (xTc∪c0 ) 0 0 0 0 In the definition above note that hc, pi^_ 6 hc , p i implies c ^_ c and p ^_6 p . 0 0 0 From c ^_ c we have c ∪ c ∈ C and the set rank of c ∪ c is the larger of the set ranks of c and c0. Thus, the set rank of c∪c0 is smaller than one of the set ranks 0 0 of hc, pi and hc , p i which makes it legal to use Tc∪c0 in the recursive definition. h ··· i 6_ h 0 0 i For c1, , cn ^ c1, . . . , cn define

δh ··· ih 0 0 i = λx ··· x . δ 0 x c1, ,cn c1,...,cn 1 n cici i ∈ { } _6 0 where i 1, . . . , n is the smallest index for which ci ^ ci. To define Tc, recall the definition of hc,¯ pi from Section 9.4 and define { ∈ n | ∃ ∈ h i ∈ } def(n, c) = c¯ Cω p P: c,¯ p c { ∈ n | h i ∈ } true(n, c) = c¯ Cω c,¯ t c false(n, c) = def(n, c) \ true(n, c)

Now let ` be the smallest natural number for which def(`, c) is empty and then deﬁne the monstrous MTdef program Tc thus:

Tc = if[ δtrue(0,c)false(0,c) , χtrue(0,c) , χfalse(0,c) ! λx1. if[ δtrue(1,c)false(1,c)x1 , χtrue(1,c)x1 , χfalse(1,c)x1 ! λx2. if[ δtrue(2,c)false(2,c)x1x2 , χtrue(2,c)x1x2 , χfalse(2,c)x1x2 ! λx3. . . ··· ⊥ ··· if[ δtrue(`,c)false(`,c)x1 x` , χtrue(1,c)x1···x` , Curry ] ]]]

In the deﬁnition above, δtrue(`,c)false(`,c)x1 ··· x` = δ∅∅x1 ··· x` = F.

63 0 ∈ 0 ∈ 0 ∈ n 0 ∈ Pω n Theorem A.3.1. Let p, p Pω, c, c Cω, c,¯ c¯ Cω, and s, s (Cω) 0 0 0 0 satisfy p ^_6 p , c ^_6 c , c¯ ^_6 c¯ , and s ^_6 s . Under these conditions, Tp, Tc, χp, χc, χc¯, χs, δpp0 , δcc0 , δc¯c¯0 , and δss0 have the properties stated in Section A.1.

Proof. By induction in α we have that the theorem holds for all p, p0, c, c0,c ¯, c¯0, s, and s0 of set rank less than α. 2

Corollary A.3.2. For p ∈ Pω and c ∈ Cω the MTdef programs Tp and Tc satisfy Tp = ↓p and Tc = ↓c.

Now recall the combinators C1,..., C8, deﬁned in Section 3.4 where C1 and C2 are the usual S and K combinators, respectively. We shall refer to terms built up from these combinators and functional application as MT combinator programs. We refer to C5- and C6-free MT combinator terms as MTdef combinator programs, where C5 and C6 are the combinators corresponding to ⊥ and Yf, respectively. ∈ T 0 For all c Cω let c denote the result of applying abstraction elimination T T 0 T 0 T using S and K to c. Thus, the MTdef combinator program c satisﬁes c = c, so we have:

∈ ∈ T 0 Corollary A.3.3. For p Pω and c Cω the MTdef combinator programs p T 0 T 0 ↓ T 0 ↓ and c satisfy p = p and c = c.

Corollaries A.3.2 and A.3.3 of course also hold for MT. They do not hold for MT0 because parallel or is missing in MT0.

A.4. Semantic and syntactic existence As promissed in Section 3.9:

Lemma A.4.1. Mω |= Esemantic = Esyntactic

Proof of A.4.1 Both Esemantic and Esyntactic are characteristic functions. They satisfy

Esemantic p = T iﬀ px = T for some map x Esyntactic p = T iﬀ px = T for some program x

Thus we need to prove

px = T for some map x iﬀ px = T for some program x

The direction ⇐ is trivial. To see ⇒ note that if px = T for some map x then py = T for some y ∈ Cω so pTy = T.

Corollary A.4.2. Mω |= Ea = Esemantic a = Esyntactic a.

64 A.5. Computational adequacy

Recall the notions of Nt, Nf , and N⊥ from Section 3.6.

Deﬁnition A.5.1. M is computationally adequate for a set T of MT0, MTdef , or MT programs if

a ∈ Nt ⇔ M |= a = T a ∈ Nf ⇔ M |= a = λx. ax a ∈ N⊥ ⇔ M |= a = ⊥ for all a in T , where Nt, Nf , and N⊥ are deﬁned using the reduction rules of MT0, MTdef , and MT, respectively.

As we shall see in a moment, Mκ is computationally adequate for MT0 programs, for E-free MTdef programs, and for E-free MT programs. Any term a satisﬁes one of a ∈ Nt, a ∈ Nf , and a ∈ N⊥, and one of M |= a = T, M |= a = λx.ax, and M |= a = ⊥ (c.f. Section 8.2), so each of the three statements of Deﬁnition A.5.1 follows from the two other ones. Each statement has a trivial direction:

a ∈ Nt ⇒ M |= a = T a ∈ Nf ⇒ M |= a = λx. ax a ∈ N⊥ ⇐ M |= a = ⊥

Furthermore, if

a ∈ N⊥ ⇒ M |= a = ⊥ then

a ∈ Nt ⇐ M |= a = T a ∈ Nf ⇐ M |= a = λx. ax follows trivially. The notion of computational adequacy of a model, as well as the notion of full abstraction, were introduced by Plotkin in [13] (for a paradigmatic simply typed lambda calculus called PCF). The deﬁnition of computational adequacy given above is equivalent to the one in [13] which merely requires a ∈ N⊥ ⇔ M |= a = ⊥. However, MT is an untyped lambda-calculus, which, for the problems treated in this appendix, considerably increases the technicality of the proofs. Recall that Mκ denotes the canonical κ-model. Theorem B.0.2 of [3] states:

Theorem A.5.2. Mκ is computationally adequate for MT0 programs.

Likewise, we have:

Theorem A.5.3. Mκ is computationally adequate for E-free MTdef programs.

65 The proof of Theorem A.5.3 is the same as the proof in [3] of Theorem A.5.2 above with the following modiﬁcations: First, one has to include parallel or the relevant places. Second, the proof of Lemma B.0.4 of [3], which is by structural induction, has one more case, namely one for parallel or. Finally, we have:

Theorem A.5.4. Mκ is computationally adequate for E-free MT programs.

Proof of A.5.4 The theorem follows trivially from

(Mκ |= a =6 ⊥) ⇒ a ∈ Nt ∪ Nf which we prove in the following. Let ⊥˜ be the term

(λx. xx)(λx. xx) ˜ ˜ Thus, ⊥ is ⊥Curry (c.f. Section 3.2). For terms f let Y{f} be the term

(λx. f(xx))(λx. f(xx)) where x is chosen such that x is not free in f. Since Mκ is canonical we have ˜ ˜ Mκ |= ⊥ = ⊥ and Mκ |= Yf = Y{f}. For all terms b of MT we deﬁne the ⊥Y-less transform [b] of b to be the term which results when replacing all occurrences of ⊥ and Yf in b by ⊥˜ and Y˜{f}, ˜ ˜ respectively. In Mκ we have [⊥] = ⊥ = ⊥ and [Yf] = Y{[f]} = Y[f]. This allows to prove Mκ |= [a] = a for all terms a by structural induction. 1 For all E-free MT programs b,[b] is an E-free MTdef program. Deﬁne b → c as in Section 3.3 and 3.4. We have:

⊥ →1 ⊥ in MT Yf →1 f(Yf) in MT ˜ 1 ˜ ⊥ → ⊥ in MTdef ˜ 1 ˜ Y{f} → f(Y{f}) in MTdef 1 [⊥] → [⊥] in MTdef 1 [Yf] → [f(Yf)] in MTdef

1 1 In general, if b → c in MT then [b] → [c] in MTdef by structural induction in b and c. Let a be an MT program and assume Mκ |= a =6 ⊥. Now Mκ |= [a] =6 ⊥. Recall that for each a, a →1 b holds for at most one b (up to naming of bound variables). Let a1, a2,... be the unique longest finite or infinite sequence such 1 1 1 1 1 that a → a1 → a2 → · · · in MT. By Theorem A.5.3, the sequence [a] → [a1] → 1 [a2] → · · · is finite and ends with a term in root normal form (i.e. is T or an 1 1 1 abstraction). Hence, a → a1 → a2 → · · · has the same property, so a ∈ Nt ∪Nf .

For programs that may contain E we have:

66 Theorem A.5.5. Mω is computationally adequate for MTdef programs and for MT programs.

Proof of A.5.5 The proof is similar to that of A.5.4. Define a →3 d ⇔ ∃b, c: a →1 ∗ b ∧ b →1 c ∧ c →1 d and let a → b be the transitive closure of a →1 b. Recall the definition of Esyntactic from Section 3.9. The definition is recursive and thus implicitly uses Y. Now define ˜ ˜ E ≡ Y{λf, a. aC1 k · · · k aC7 k a(λx. fx) k f(λx. f(λy. a(xy)))} ˜ We have Esyntactic = E and ˜ 3 ˜ ˜ ˜ Ea → aC1 k · · · k aC7 k a(λx. Ex) k E(λx. E(λy. a(xy))) For all terms b of MT we define the E-less transform [b] to be the term which ˜ ˜ results when replacing all occurences of Ea by Ea. In Mω we have [Ea] = E[a] = Esyntactic [a] = E[a]. This allows to prove Mω |= [a] = a by structural induction. ∗ If b →1 c in MT then [b] →1 [c] or [b] →3 [c] in MT and, in any case, [b] → [c]. The theorem follows from Mω |= a =6 ⊥ ⇒ a ∈ Nt ∪ Nf which we now 1 1 1 prove. Assume Mω |= a =6 ⊥. Let a → a1 → a2 → · · · be the unique reduction ∗ ∗ ∗ sequence for a. Now [a] → [a1] → [a2] → · · · is finite by A.5.4, so a ∈ Nt ∪ Nf . The case κ > ω is open:

Open Question A.5.6. Is Mκ computationally adequate for MTdef programs and for MT programs for κ > ω ?

A.6. Soundness

Recall from Section 3.6 that a =κ b is shorthand for Mκ |= a = b.

Theorem A.6.1 (Soundness of Mκ and Mω). (a) a =κ b ⇒ a =obs b for E-free MT programs a and b. (b) a =ω b ⇒ a =obs b for all MT programs a and b. (c) a =κ b ⇒ a =obs b for E-free MTdef programs a and b. (d) a =ω b ⇒ a =obs b for all MTdef programs a and b. (e) a =κ b ⇒ a =obs b for all MT0 programs a and b.

Note that observational equality a =obs b of MT, MTdef , and MT0 is true if ca ∼ cb for all MT, MTdef , and MT0 programs c, respectively, so the notions of observational equality are slightly diﬀerent. Also note that MT0 does not have E in its syntax, so all MT0 programs are born E-free. Proof of A.6.1 Soundness follows trivially from computational adequacy. We only prove (a). Assume a =κ b. Assume c is an MT program. We have ca =κ cb so ca =κ T ⇔ cb =κ T and, by Theorem A.5.4, ca ∈ Nt ⇔ cb ∈ Nt. Likewise, ca ∈ Nf ⇔ cb ∈ Nf and ca ∈ N⊥ ⇔ cb ∈ N⊥. Thus, ca ∼ cb for all MT programs c which, by deﬁnition of =obs, gives a =obs b. Above, we use computational adequacy to prove soundness, and Open Question A.5.6 may be restated thus:

67 Open Question A.6.2.

(a) a =κ b ⇒ a =obs b for MT programs a and b and κ > ω ? (b) a =κ b ⇒ a =obs b for MTdef programs a and b and κ > ω ?

A.7. Full abstraction

Deﬁnition A.7.1. A model M is fully abstract for MT/MTdef /MT0 if a =obs b ⇔ M |= a = b for all MT/MTdef /MT0 programs a and b.

We now state and prove that Mω is fully abstract for MT:

Theorem A.7.2 (Full Abstraction of Mω). a =obs b ⇔ a =ω b for MT programs a and b.

Proof. (⇐) follows from Theorem A.6.1. (⇒) Assume a =obs b. Assume p ∈ Pω. From a =obs b we have Th{p},tia ∈ Nt ⇔ Th{p},tib ∈ Nt. Hence, by Theorem A.5.4, Th{p},tia =ω T ⇔ Th{p},tib =ω T. Thus, by Corollary A.3.2, (↓h{p}, ti)a = T ⇔ (↓h{p}, ti)b = T so p ∈ a ⇔ p ∈ b for all p ∈ Pω. Hence, a = b and a =ω b. 2 Theorem A.7.2 also holds for MTdef , i.e. Mω is also fully abstract for MTdef . MT0 lacks parallel or and Theorem A.7.2 does not hold for MT0, i.e. Mω is not fully abstract for MT0. As a counterexample, take a = λx. if[ xT⊥∧¨x⊥T∧¨¬¨xFF , T , ⊥ ] b = λx. ⊥

The map a above is a parallel or tester, i.e. ax = T if xuv is the parallel or of u and v. We have a =obs b in MT0.

A.8. Negative results

We now prove that Mκ is not fully abstract for MT for κ > ω, κ regular:

Theorem A.8.1. If κ > ω, κ regular, then there exist MT programs a and b for which a =obs b and a =6 κ b.

Proof. Take a = Esemantic = λx. Ex. Take b = Esyntactic so that b = λx. (xC1 k · · · k xC8 k bλu. bλv. x(uv)), c.f. Section 3.4 and 3.9. We first prove a =obs b. According to Theorem A.7.2 is is enough to prove a =ω b. Furthermore, a and b are both characteristic maps, so it is enough to prove ap =ω T ⇔ bp =ω T for all p ∈ Mω. Now ap =ω T iff px =ω T for some x ∈ Mω and bp =ω T iff px =ω T for some MT program x. If px =ω T for some x ∈ Mω then pc =ω T for some compact c ∈ Mω so pTc =ω T proving bp =ω T. Hence, ap =ω T ⇒ bp =ω T. If bp =ω T then px =ω T for some MT program x so px =ω T for some x ∈ Mω proving ap =ω T. Hence, bp =ω T ⇒ ap =ω T which ends the proof of a =ω b. We then prove a =6 κ b. Let t0 ≡ t and tn+1 ≡ h∅, tni for n ∈ N. We have ti ^_ tj ⇔ i = j. Now let g ∈ N → N be non-computable. Let Q ≡ {h{ti}, tg(i)i | i ∈ N}, q = ↓Q, and p = ↓hQ, ti. We have p, q ∈ Mκ and pq =κ T

68 so ap =κ T. Furthermore, px =κ T for no program x since g is non-computable, so bp =6 κ T proving a =6 κ b. 2 Theorem A.8.1 is not too surprising since E quantiﬁes over Mκ whereas the computable approximation b in the proof essentially quantiﬁes over {↓p | p ∈ Pω}. We may however strengthen the theorem above as follows:

Theorem A.8.2. If κ > ω, κ regular, then there exist E-free MT programs a and b for which a =obs b and a =6 κ b.

The proof of Theorem A.8.2 spans the rest of this section. 0 0 Let I = ↓{h{p}, pi | p ∈ Pω}, i.e. let I be the smallest element of Mκ for 0 0 0 which I (↓p) = ↓p for all p ∈ Pω. I is compact but I 6∈ Cω. As we shall see in a moment, there exists an MT-term b which denotes I0. To prove the lemma, we take a = λx.x and we take b to be a term which 0 denotes I . Now a =obs b is true and a =κ b is false. The rest of the proof is a definition of a b which denotes I0. The definition is long and technical. Sections A.1–A.3 define Tp in ZFC. We now reflect that definition in MT. Recall (x::y)T = x and (x::y)F = y. Let (x1, . . . , xn) be shorthand for x1:: ··· ::xn::T. We shall refer to (x1, . . . , xn) as a list and use lists to represent finite sets. We now port the constructs of Section A.2 from ZFC to MT: ∑ ∑ A ≡ 0 A ∑x∈y y(λx. ) ∑ 0 ≡ k 0 ∏ ya if∏[ y , F , a(yT) (yF)a ] A ≡ 0 A x∈y y(λx. ) ∏0 ∏0 ya ≡ if[ y , T , a(yT)& (yF)a ] ∑ ∏ Above, ( ) expresses existential (universal) quantification. We also need a strict version of universal quantification: ∧ ∧ A ≡ 0 A x∈y y(λx. ) ∧0 ∧0 ya ≡ if[ y , T , a(yT)∧¨ (yF)a ]

We now proceed to port the deﬁnitions of Pω and Cω from ZFC to MT. We represent the elements Pω thus:

t ≡ T f ≡ T::T hc, pi ≡ T::c::p

Recall that x::y is right associative so that T::c::p is shorthand for T::(c::p). We have hc, piFT = c and hc, piFF = p. Elements of Cω are ﬁnite sets of elements of Pω, so we represent them by lists. As an example, (h(t), ti, h(f), fi) represents the element of Cω whose downward closure is the interpretation of λx. if[ x , T , λy. ⊥ ].

69 A list like (t, f) does not represent an element of Cω since t and f are _ _ incoherent. We now deﬁne the coherence relations ^0 (^1) on Pω (Cω): _ ≡ p ^0 q if[ p , if[ q , T , F ] , if[ q , F , if[ pF , T , if[ qF , T , _ ⇒ _ ∧ p∧FT ^1 qFT ¨ pFF ^0 qFF]]]] _ ≡ _ c ^1 d p∈c q∈d p ^0 q

The definitions above allow to define characteristic maps χ , χ , and χ <ω Pω Cω Cω <ω which test for membership of Pω, Cω, and Cω , respectively: ≡ ∧¨ χPω p if[ pF , T ,∧ χCω (pFT) χPω (pFF)] ≡ _ ∧¨ χCω c c ^1 c p∈c χPω p χ <ω c¯ ≡ if[c ¯ , T , χ (¯cT) ∧¨ χ <ω (¯cF)] Cω Cω Cω We now port the definitions in Section A.3 from ZFC to MT. The definitions of Tt, Tf , and Thc,pi in Section A.3 define Tp for all p ∈ Pω. Below, T0p is the MT translation of the ZFC construct Tp:

T0p ≡ if[ p , T , if[ pF , λx. ⊥Curry , λx. if[ χ1(pFT)x , T0(pFF) , ⊥Curry ]]]

The deﬁnitions of χp, χc, χc¯, and χs of Section A.3 translate into the following:

χ0px ≡ if[ p , if[ x , T , ⊥Curry ] , if[ pF , if[ x , ⊥Curry , T ] , T ∧ χ0(pFF)(x 1(pFT))]] ≡ χ1cx p∈c χ0px ≡ χ2c¯x¯ if∑[c ¯ , T , c¯T(¯xT)& χ2(¯cF)(¯xF)] ≡ χ3sx¯ c¯∈s χ2c¯x¯ The union of two sets represented by lists is a classical:

c ∪ d ≡ if[ c , d , cT::(cF ∪ d)]

The discriminator constructs δpp0 , δcc0 , δc¯c¯0 , and δss0 of Section A.3 translate into the following:

0 δ0pp x ≡ if[ p , if[ x , T , F ] , if[ pF , if[ x , F , T ] , 0 T ∪ 0 ∏ δ0∑(pFF)(p FF)(x( 1(pFT p FT)))]] 0 ≡ 0 δ1cc x p∈c p0∈c0 δ0pp x 0 ≡ _ 0 0 0 δ2c¯c¯ x¯ ∑if[c ¯T ^∏1 c¯ T , δ2(¯cF)(¯c F)(¯xF) , δ1(¯cT)(¯c T)(¯xT)] 0 ≡ 0 δ3ss x¯ c¯∈s c¯0∈s0 δ2c¯c¯ x¯ The empty set and the singleton set is straightforward: ∅ ≡ T {x} ≡ x::T

70 The ZFC construct def(n, c) of Section A.3 translates into the MT construct defxc¯ below where we represent the natural number n in the ZFC construct by a listx ¯ of length n in the MT construct. defxc¯ ≡ if[ c , ∅ , def0x¯(cT)T ∪ defx¯(cF)] def0xc¯ c¯ ≡ if[x ¯ , {c¯} , if[ pF , ∅ , def0(¯xF)(pFF)(pFT::¯c)]] def(n, c) is a set of tuples and defxc¯ is a list of lists. If (p1, . . . , pn) is an element of def(n, c) then (pn, . . . , p1) is an element of defxc¯ . Note the list reversal. Note that the parameterc ¯ of def0 accumulates a list in reverse order. Use of such accumulating parameters is a standard trick in functional programming. We now proceed: truexc¯ ≡ if[ c , ∅ , true0x¯(cT)T ∪ truex¯(cF)] true0xc¯ c¯ ≡ if[x ¯ , if[ p , {c¯} , ∅ ] , if[ pF , ∅ , true0(¯xF)(pFF)(pFT::¯c)]] falsexc¯ ≡ if[ c , ∅ , false0x¯(cT)T ∪ falsex¯(cF)] false0xc¯ c¯ ≡ if[x ¯ , if[ p , ∅ , {c¯} ] , if[ pF , ∅ , false0(¯xF)(pFF)(pFT::¯c)]]

We now define T1c which corresponds to Tc in Section A.3. We do so using an accumulating parameterx ¯ which accumulates (xn, . . . , x1) where x1, . . . , xn are the bound variables in the definition of Tc in Section A.3. The definition reads: T ≡ T 0 1c 1 cT T 0 ≡ ⊥ 1 cx¯ if[ χ3(defxc¯ )¯x , Curry , if[ δ3(truexc¯ )(falsexc¯ )¯x , χ3(truexc¯ )¯x , T 0 χ3(falsexc¯ )¯x ! λx. 1 c(x::¯x)]] This completes the port of Sections A.1–A.3 from ZFC to MT. We now define constructs with the following properties:

applyx(yn, . . . , y1) = xy1 ··· yn (cn, . . . , c1) 7→ p = hc1, · · · hcn, pi · · ·i Note the list reversal. The definitions read: applyxy¯ ≡ if[y ¯ , x , applyx(¯yF)(¯yT)] c¯ 7→ p ≡ if[c ¯ , p , c¯F 7→ (T::¯cT::p)] Finally, we may define a term b which denotes I0 where I0 is the smallest element 0 of Mκ for which I (↓p) = ↓p for all p ∈ Pω. The definition uses an accumulating parametery ¯: bx ≡ b0xT 0 ≡ ∧ 7→ ∧ b xy¯ if[ applyxy¯ , Ec¯: χC<ω c¯¨χ0(¯c t)x¨χ2c¯y¯ , ω 0 Ec¯: χ <ω c¯∧¨χ (¯c 7→ f)x∧¨χ c¯y¯ ! λy. b x(y::¯y)] Cω 0 2

As an example, if bxy1 ··· yn−1 6∈ {T, ⊥} and xy1 ··· xn = T then 0 bxy1 ··· yn = b xTy1 ··· yn 0 = b x(yn, . . . , y1) = Ec¯: χ <ω c¯∧¨χ (¯c 7→ t)x∧¨χ c¯(y , . . . , y ) Cω 0 2 n 1 ··· ∈ <ω Thus, in the situation above, bxy1 yn returns T iﬀ there exists ac ¯ Cω such that ↓(¯c 7→ t) M x and ↓c¯ M (y1, . . . , yn).

71 B. Summary of MT B.1. Syntax V ::= x | y | z | · · · T ::= V | λV.T | T T | T | if[T , T , T ] | ⊥ | Y | T kT | ET | εT W ::= T = T

B.2. Deﬁnitions A, B, C,... denote (possibly open) terms. a, b, . . . z, θ denote variables.

Elementary deﬁnitions ⊥ ≡ (λx. xx)(λx. xx) (Only in MTdef ) Y ≡ λf. (λx. f(xx))(λx. f(xx)) (Only in MTdef ) λxy. A ≡ λx. λy. A F ≡ λx. T 1 ≡ λxy.xy x ↓ y ≡ if[x, if[y, T, ⊥], if[y, ⊥, λz.(xz) ↓ (yz)]] x y ≡ x = x ↓ y ≈x ≡ if[ x , T , F ] x ◦ y ≡ λz.x(yz) χ ≡ λx.λz.if[xz, T, ⊥] x → y ≡ if[x, y, F] = if[x, T, F] !x ≡ if[x, T, T] ¬¨x ≡ if[x, F, T]

Quantiﬁcation ∃¨p ≡ ≈(p(εp)) ∃¨x: A ≡ ∃¨λx. A ∀¨x: A ≡ ¬¨∃¨x:¬A ¨ εx: A ≡ ελx. A ∀¨p ≡ ∀¨x: px Ex. A ≡ Eλx. A

The deﬁnition of ψ ψ ≡ ts s ≡ YS S ≡ λf. Sf¯ (tf) S¯ ≡ λfθa. if[ a , P , if[ aT ,Q(f(aF)) , Rfθ(aT)(aF)]] P ≡ λy. if[ y , T , ⊥ ] Q ≡ λv. Dv ! λy. ∀¨z. v(y(z / v)) R ≡ λfθbc. θc ! R1fθbc ! R0fθbc ¨ R1 ≡ λfθbc. ∀z. D(f(b(cz / θ))) R0 ≡ λfθbcy. Ez. (θz ! f(b(cz / θ))y) t ≡ λfy. Ex. fxy x ! y ≡ if[ x , y , ⊥ ] D ≡ λx. if[ x , T , T ] f / g ≡ if[ f , T , λx. gx !(fx / g)]

72 B.3. Axioms and inference rules Elementary axioms and inference rules Trans A = B; A = C ` B = C Sub B = C ` AB = AC Gen A = B ` λx.A = λx.B A1 TB = T A2 (β)(λx.A)B = C if C =α hA | x := Bi A3 ⊥B = ⊥ I1 if[T, B, C] = B I2 if[λx.A, B, C] = C I3 if[⊥, B, C] = ⊥ QND AT = BT; A(1C) = B(1C); A⊥ = B⊥ ` AC = BC P1 T k B = T P2 A k T = T P3 λx.A k λy.B = λz.T

YYA = A(YA) (Not needed in MTdef )

Monotonicity and minimality Mono B C ` AB AC Min AB B ` YA B

Extensionality Ext if x and y are not free in A and B then ≈(Ax) = ≈(Bx); Axy=AC; Bxy=BC ` Ax = Bx

Axioms on E ET ET = T EB E⊥ = ⊥ EX Ex = E(χx) EC E(x ◦ y) → Ex

Quantiﬁcation axioms Elim (∀¨x: px) ∧ ψy → py Ackermann εx: px = εx:(ψx ∧ px) StrictE ψ(εx: px) = ∀¨x: !(px) StrictA !(∀¨x: px) = ∀¨x: !(px)

73 C. Index

M, 30 Greek letters, 73 x y, 16 ε, 10, 14 εx: A, 20 Double dot constructs, 73 ˆ θ, 47 ∃¨p, 20 λ(h), 31, 32, 39 ∃¨x: A, 20 A λx. , 10 ∀¨p, 20 Φ, 34, 43 ∀¨x: A, 20 φ, 43 ¬¨x, 20 χ, 19, 34 x ¨=y, 20 ψ, 10, 22 x⇒¨ y, 20 ψˆ, 14, 35 x∈¨y, 20 ω, 17, 29 Superscript set constructs, 73 Arrows, 73 G↑, 44 0 ◦ [D →κ D ], 30 G , 34, 44 f: G → H (ZFC function type), 29 Gδ, 44 A →1 B, 11 Gω, 29 G → H (set of maps), 34, 44 G<ω, 29 x → y (implication), 19 ↓x, 29, 37, 38 Other nulary constructs, 73 ↓ x y, 16 0, 17 ↑ x, 29 ⊥, 10, 32, 39 ⊥Curry, 10 Equal signs/Equivalences, 73 h i, 29

G =c H, 44 1, 16 hA | x := Bi, 10 t, 21 A =α B, 16 a =obs b, 13 Other unary constructs, 73 a =κ b, 13 !x, 20 a ∼ b, 13 0 ω x , 17 x = y, 17 ≈x, 16, 18 A = B, 10 Other binary constructs, 73 Order relations, 73 x ◦ y, 19 G < H, 44 _ c x ^D y, 36 ≤ G c H, 44 x ∧ y, 16 ≤ D, 36 x ! y, 21

74 A k B, 10, 33 guard, 21 AB (functional application), 10 f // g, 53 head, 38 f / g, 21 I, 37 A, 31, 32, 39 if, 10, 33 abstract, fully, 68 inaccessible ordinal, 57 Ackermann’s axiom, 14 incompatible, 46 adequate, computationally, 65 K φ-axioms, 7, 24 , 30

bottom, 29 `, 38 LBT, 35, 43 C, 38 Lower Bound Theorem, 35, 43 c: G < H, 44 c M c: G = H, 44 , 14, 25, 39 c M c: G ≤ H, 44 c, 39 c M canonical model, see model, canonical κ, 13, 39 M card(S), 56 p, 39 cardinal, regular, 57 map, characteristic, 17, 21, 52 characteristic map, 17, 21, 52 Min, 17 compact, 30 minimality, 16 computationally adequate, 65 model, 25 κ-continuous, 25, 30 canonical, 10, 25, 28, 33, 35, 39 MT, 25, 28 Curry: ⊥Curry, 10 MT0, 28, 35 D, 21 pre-, 25, 27, 33, 39 Dom, 21, 34 quasi-, 10, 25, 28, 35 standard, 10, 14, 25, 28, 35 E, 10, 33 Mono, 17 Ex.A, 12 monotonicity, 16, 30 Esemantic , 15 MT, 4 Esyntactic , 15 MT model, see model, MT Eqκ, 32 MT0 model, see model, MT0 0 Eqκ, 38 MT program, 13 essentially κ-small, 30 MT0, 4 essentially σ-small, 22, 34, 44 MTdef , 10 Ext, 18 Extensionality, 18 normal term, function, 11 extensionality, semantic, 14 normal term, root, 11 normal term, true, 11 F, 16 F, 32, 39 Oσ, 34 Fσ, 34 obs: a =obs b, 13 fully abstract, 68 observationally equal, 13 function normal term, 11 κ-open, 30 ordinal, inaccessible, 57

75 P , 22 Y, 10 P, 29 YCurry, 10 Pκ, 29 Pκ ZFC, 4 coh, 37 p.o., 29 ZFC+SI, 7, 27 partially ordered set, 29 pcs, 36 premodel, see model, pre- prime, 30 program, MT, 13

Q, 22 quasimodel, see model, quasi-

R, 22 r, 40 R0, 22 R1, 22 rank, 38 reﬂexive object, 31 regular cardinal, 57 rk(p), 38 root equivalence, 13 root normal term, 11

S, 22 S¯, 22 s, 22 κ-Scott domain, 25, 29 κ-Scott semantics, 25, 29 self[ g ], 55 semantic extensionality, 14 κ-small, 29 σ-small, 34 standard model, see model, standard

T, 10, 32, 39 Tarski’s ﬁxed point operator, 31 true normal term, 11

t, 21 UBT, 35, 43 Upper Bound Theorem, 35, 43

wellfounded map, 14 wellfounded w.r.t. a set G of maps, 17

76 [1] P. Aczel. Non-Well-Founded Sets, volume 14 of Lecture Notes. CSLI, 333 Ravenswood Avenue, Menlo Park, CA 94025, USA, 1988.

[2] C. Berline. From computation to foundations via functions and application : the lambda-calculus and its webbed models. Theoretical Computer Science, 249:81–161, 2000. [3] C. Berline and K. Grue. A κ-denotational semantics for Map Theory in ZFC+SI. Theoretical Computer Science, 179(1–2):137–202, June 1997. [4] A. Church. A set of postulates for the foundations of logic I. Ann. Math., 1933. [5] A. Church. A set of postulates for the foundations of logic II. Ann. Math., 1934. [6] R.C. Flagg. κ-continuous lattices and comprehension principles for Frege structures. Annals of Pure and Applied Logic, 36:1–16, 1987. [7] R.C. Flagg and J. Myhill. A type-free system extending ZFC. Annals of Pure and Applied Logic, 43:79–97, 1989. [8] K. Grue. Map theory. Theoretical Computer Science, 102(1):1–133, July 1992. [9] K. Grue. Map theory with classical maps. Technical Report 02/21, DIKU, Universitetsparken 1, DK-2100 Copenhagen, Denmark, 2002. http://www.diku.dk/~grue/papers/classical/classical.html. [10] K. Grue. Logiweb. In Fairouz Kamareddine, editor, Mathematical Knowl- edge Management Symposium 2003, volume 93 of Electronic Notes in The- oretical Computer Science, pages 70–101. Elsevier, 2004. [11] Rainer Kerth. Définissabilitédans les domaines réflexifs. Comptes rendus de l’Acadmie des sciences. Série1, Mathématique, 318(7):685–688, 1994.

[12] Rainer Kerth. Isomorphisme et équivalence équationelleentre modélesdu lambda-calcul. Ph.D thesis, UniversitéParis 7, 1995.

[13] G. Plotkin. LCF considered as a programming language. Theoretical Com- puter Science, 5(3):223–255, December 1977.

[14] G. Plotkin. Set-theoretical and other elementary models of the lambda- calculus (in a collection of contributions in honour of Corrado Bohm on the occasion of his 70th birthday). Theoretical Computer Science, 121(1- 2):159–192, 1993.

[15] Thierry Vall´ee.”Map theory” et antifondation. Electr. Notes Theor. Com- put. Sci., 79:1–260, 2003. (Ph.D. Thesis, Universit´eParis 7, 2001).

77 [16] Thierry Vall´ee. Map theory: From well-foundation to antifoundation. In Proceedings of the 6th Workshop on domains (WD6), volume 73 of Electron. Notes Theor. Comput. Sci., pages 217–245, Amsterdam, The Netherlands, The Netherlands, October 2004. Elsevier Science Publishers B. V.