sign in sign up
<<
Home , Sequent

Complete Sequent Calculi for Induction and Infinite Descent

James Brotherston∗ Alex Simpson† Dept. of Computing LFCS, School of Informatics, Imperial College, London, UK University of Edinburgh, Scotland, UK

Abstract In this paper we study and compare proof-theoretic founda- tions for these two quite different styles of reasoning. This paper compares two different styles of reasoning In the case of classical first-order logic, Gentzen’s se- with inductively defined predicates, each style being encap- quent calculus LK provides an elegant proof system that sulated by a corresponding proof system. is well-suited to the goal-directed approach to proof con- The first system supports traditional proof by induction, struction employed in many proof assistants. Each logical with induction rules formulated as sequent rules for intro- constant is specified by two types of basic rule, introduc- ducing inductively defined predicates on the left of sequents. ing the constant on the left and on the right of sequents We show this system to be cut-free complete with respect to respectively. Gentzen’s well-known cut-elimination theo- a natural class of Henkin models; the eliminability of cut rem implies that direct proofs, using these rules alone, are follows as a corollary. sufficient to derive any valid sequent. In addition to its theo- The second system uses infinite (non-well-founded) retical elegance, this has implications for proof search, with proofs to represent arguments by infinite descent. In this the locally applicable proof rules thereby constrained by the system, the left rules for inductively defined predicates are logical constants appearing in the current goal. simple case-split rules, and an infinitary, global condition In a previous paper by the first author [2], Gentzen’s on proof trees is required to ensure soundness. We show LK was extended to obtain two proof systems for classical this system to be cut-free complete with respect to standard first-order logic with inductively defined predicates: (i) a models, and again infer the eliminability of cut. system containing explicit proof rules embodying the stan- The second infinitary system is unsuitable for formal rea- dard induction principles; and (ii) a system without induc- soning. However, it has a natural restriction to proofs given tion rules, but instead allowing circular arguments subject to by regular trees, i.e. to those proofs representable by finite soundness constraints. The main contributions of [2] were graphs. This restricted “cyclic” system subsumes the first the formulation of the second “cyclic” proof system, and system for proof by induction. We conjecture that the two the demonstration that the second system subsumes the first systems are in fact equivalent, i.e., that proof by induction (i.e., cyclic proof was shown to be at least as powerful as is equivalent to regular proof by infinite descent. proof by explicit induction). The equivalence of the two systems was posed as a conjecture. As the main contribution of the present paper, we es- 1 Introduction tablish completeness and cut-eliminability results for these two approaches to inductive reasoning. Aside from their in- Many concepts in mathematics and computer science are trinsic technical interest, our results demonstrate the calculi most naturally formulated using inductive definitions. Thus from [2] as being canonical ones embodying the two styles proof support for inductive definitions is an essential com- of reasoning. We hope that our results will help to stimulate ponent of proof assistants and theorem provers. Often, li- wider interest in such systems. braries are provided containing collections of useful induc- In Section 3, we recall the system for induction from [2], tion principles associated with a given of inductive def- here called LKID, in which the right-hand rules for induc- initions, see e.g. [16, 9, 18]. In other cases, mechanisms tively defined predicates simply reflect the closure condi- permitting “cyclic” proof arguments are used, with intricate tions on the predicate, and the left-hand rules embody the conditions imposed to ensure soundness, see e.g. [23, 17, 8]. natural induction principle for the predicate in question. ∗ A closely related precursor is Martin-L¨of’s natural deduc- Research undertaken while a PhD student at LFCS, School of Infor- matics, University of Edinburgh, supported by an EPSRC PhD studentship. tion system for with (iterated) inductive †Research supported by an EPSRC Advanced Research Fellowship. definitions [13], in which induction rules are included as elimination rules for inductively defined predicates. As is tem are: (i) it is sound (the proof is somewhat more techni- well known, elimination rules in serve the cal then the informal argument above), and (ii) it subsumes same purpose as left-introduction rules in sequent calculus. proof by induction. Since one might well dream up many Nonetheless, it is only recently that sequent calculus coun- other proof systems enjoying these two properies, such re- terparts of Martin-L¨of’s system have been explicitly con- sults do not, by themselves, provide much evidence that the sidered, by McDowell, Miller and Tiu [14, 21]. Ours is a cyclic proof system is in any sense canonical. simple classical analogue of these intuitionistic systems. In this paper, we take a different perspective. Rather than considering the cyclic system as basic, we instead present, Our main new result about LKID is a completeness ω result, for cut-free proofs, relative to a natural class of in Section 4, an infinitary proof system LKID , based on “Henkin models” for inductive predicates (Theorem 3.6). the same proof rules as the cyclic system, but in which The eliminability of cut in LKID follows as an immedi- proofs are possibly infinite (non-well-founded) trees of rule ate corollary. These results serve to endorse the natural- instances. As with the cyclic system, the global trace condi- ity of LKID: completeness shows that no proof princi- tion of [2] (which transfers verbatim to infinite trees) is im- ples are missing, and cut-eliminability vindicates the for- posed on trees to guarantee soundness (the soundness proof mulation of the proof rules. The latter result may come of [2] generalises immediately). The benefit of considering the infinitary system is borne out by the second main result as a surprise to some, since there is a fairly popular mis- ω conception — possibly arising from the well-known need of the paper: the system LKID is complete relative to the for generalisation in inductive proof (see e.g. [4]) — that usual “standard” models of inductively defined predicates (Theorem 4.9). Again, this completeness result holds for cut-elimination is impossible in the presence of inductive ω definitions. However, readers familiar with [13, 14, 21] cut-free proofs, and so the eliminability of cut for LKID will not be surprised, since these papers contain analo- follows. The proof of completeness is outlined in Section 5. Having argued for the canonicity of the infinitary sys- gous normalization/cut-elimination theorems for related in- ω tuitionistic systems. Their proofs, however, are based on tem LKID , the cyclic system of [2] can be appreciated as arising in a very natural way: it is simply the restriction Tait’s “computability” method, and do not readily adapt to ω our classical setting. Compared with such proofs, our se- of LKID to regular proof trees, i.e. to trees representable mantic approach suffers from the weakness of not establish- by finite (cyclic) graphs. Over such finite representations, ing that any particular cut-elimination strategy terminates, the soundness condition is decidable (although complete- but, in compensation, it establishes a completeness result of ness is necessarily lost), and hence the restricted proof sys- tem is suitable for formal reasoning (a property that clearly independent interest. ω Sections 4–6 concern the second approach to inductive does not extend to LKID ). In fact, the soundness con- proof based on circular reasoning. Following [23], it is nat- dition appears to subsume various heuristic conditions for ural to view this approach as a formalisation of proof by “in- cyclic proofs adopted in the theorem proving literature (see finite descent” ala` Fermat. For natural numbers, infinite de- e.g. [23, 17, 8]). In Section 6, we briefly consider the induced cyclic proof scent exploits the fact that, since there are no infinite strictly ω system, here called CLKID , in order to reprise the con- decreasing sequences of numbers, any case in a proof that ω furnishes such a sequence can be ignored as contradictory. jecture from [2] that LKID and CLKID are equivalent. This technique can be extended to general inductively de- The significance of this conjecture seems to be enhanced by the results of the present paper. Indeed, if one accepts that fined predicates: any case of a proof which yields an infi- ω nite sequence of “unfoldings” of some inductively defined LKID and CLKID canonically embody the two styles of predicate can likewise be dismissed. In [2], this principle reasoning, then the conjecture can be understood informally is implemented by replacing the induction rules of LKID as asserting that proof by induction is equivalent to regular with simple “case split” rules (which unfold inductively de- proof by infinite descent. We end the paper by stating this fined predicates on the left of sequents), and by allowing conjecture formally and commenting on the apparent diffi- proofs to be cyclic graphs rather than finite trees. In gen- culties its proof poses. eral, such proof graphs are not sound. However, the global Due to space constraints, only outline proofs of our main trace condition of [2] requires that, for a graph to qualify results are included in this paper. Full proofs can be found as a proof, every infinite path through the graph must enjoy in the first author’s recent PhD thesis [3]. the property that some inductively-defined predicate is un- folded infinitely often along the path. This condition guar- 2. Syntax and of first-order logic antees soundness since, intuitively, it ensures that all such with inductive definitions (FOLID) infinite paths can be disregarded from the proof for infinite descent reasons, leaving only finite ones behind. In this section we give the syntax and semantics of clas- The main results in [2] concerning the cyclic proof sys- sical first-order logic with inductively defined predicates, FOLID. Of the many possible definitional frameworks, we The standard of the inductive predicates choose to work with ordinary (mutual) inductive definitions, (cf. [1]) is obtained as usual by considering prefixed points specified by simple “productions” in the style of Martin- of a monotone operator constructed from the definition set L¨of [13]. This choice keeps the logic relatively simple, Φ. For standard models, this least fixed point can be con- while including many important examples. structed in iterative approximant stages. The languages we consider are the standard (countable) Definition 2.3 (Definition set operator). Let M with do- first-order languages, except that we designate finitely many main D be a first-order structure for Σ, and for each of the predicate symbols of the language as inductive.A i ∈{1,...,n},letki be the arity of the inductive pred- predicate symbol not designated as inductive is called ordi- icate symbol Pi. Then partition Φ into disjoint subsets nary. For the remainder of this paper we consider a fixed Φ1,...,Φn ⊆ Φ by: language Σ with inductive predicate symbols P1,...,Pn. Terms of Σ are defined as usual; we write t(x1,...,xn) for u Φi = { ∈ Φ | Pi appears in v} a term all of whose variables are contained in {x1,...,xn}. v The interpretation of the elements of Σ is as usual given Let each rule set Φi be indexed by r with 1 ≤ r ≤|Φi|,and by a first-order structure M with domain D; we write XM for each rule Φi,r, say of the form (Def) specified above, to denote the interpretation of the Σ-symbol X in M.Like- k k k define ϕi,r :(P(D 1 ) × ...×P(D n )) →P(D i ),where wise, variables are interpreted as elements of D by an envi- P(·) is powerset, by: ronment ρ;weextendρ to all terms of Σ in the standard way ρ[x → d] ρ M M M M M and write for an environment defined exactly as ϕi,r (X1,...,Xn)={ t (x) | Q1 u1 (x),...,Qh uh (x), except that ρ[x → d](x)=d. The formulas of FOL are M M ID t1 (x) ∈ Xj1 ,...,tm (x) ∈ Xjm } the usual formulas of first-order logic with equality.1 We then write M |=ρ F for the standard semantic satisfaction Then define the function ϕi for each i ∈{1,...,n} by ϕ (X ,...,X )= ϕ (X ,...,X ) relation for formulas of FOLID. i 1 n r i,r 1 n , whence the def- Our proof systems will be interpreted relative to only inition set operator for Φ is the operator ϕΦ, with domain k k those structures in which inductive predicates have their in- and codomain P(D 1 ) × ...×P(D n ), defined by: tended meanings, as specified by definition sets for the pred- ϕ (X ,...,X )=(ϕ (X ,...,X ),...,ϕ (X ,...,X )) icates, adapted from [13]. Φ 1 n 1 1 n n 1 n πn i Definition 2.1 (Inductive definition set). An inductive def- In the definition below, we write i for the th projection πn(X ,...,X )=X inition set Φ for Σ is a finite set of productions, which are function i 1 n i, and we extend union to rules of the form: the corresponding pointwise operations on n-tuples of sets. M D Q1(u1(x)) ...Qh(uh(x)) Pj1(t1(x)) ...Pjm(tm(x)) Definition 2.4 (Approximants). Let with domain be (Def) a first-order structure for Σ,andletϕΦ be the definition Pi(t(x)) α set operator for Φ. Define an ordinal-indexed set (ϕΦ ⊆  β P(Dk1 )×...×P(Dkn )) ϕα = ϕ (ϕ ) where j1,...,jm,i ∈{1,...,n},andQ1,...,Qh are or- α≥0 by Φ β<α Φ Φ (note 0 n α dinary predicate symbols, and the bold vector notation ab- that this implies ϕΦ =(∅,...,∅)). Then the set πi (ϕΦ) is th α breviates sequences of terms. called the α approximant of Pi, written as Pi . Example 2.2. We define the predicates N,E and O via the Definition 2.5 (Standard model). A first-order structure productions: M is said to be a standard model for (Σ, Φ) if for all i ∈{1,...,n}, P M = P α .2 Nx Ex Ox i α i N0 Nsx E0 Osx Esx Definition 2.5 fixes a standard interpretation of the in- ductive predicates. However, we shall also be interested in k In structures in which all “numerals” s 0 for k ≥ 0 are non-standard Henkin models of FOLID in which the least interpreted as distinct elements, the predicates N, E and O fixed point of the operator for the inductive predicates is correspond to the properties of being a natural, even and constructed with respect to a chosen class of sets of tuples odd number respectively. over the domain of interpretation. This approach is based on an idea originally employed by Henkin who obtained From this point onwards we consider an arbitrary fixed completeness theorems for higher-order calculi by consid- inductive definition set Φ for Σ and, when we need to con- ering validity with respect to his more general notion of sider an arbitrary production in Φ, will always use the ex- model [10]. Our application in Section 3 is similar. plicit format of (Def) above.  2 α ω For the form of production considered, we have α Pi = Pi ,i.e. 1The inclusion of equality in the language is a minor departure from [2]. the closure ordinal is at most ω. However, we shall never exploit this. Definition 2.6 (Henkin class). Let M with domain D be a as given in many sources (see e.g. [7, 5]), together with the structure for Σ.AHenkin class for M is a family of sets following rules for explicit substitution and equality, cf. [6]. k H = {Hk | k ∈ N}, where for each k ∈ N, Hk ⊆P(D ) Γ ∆ and: (Subst) (=R) Γ[θ] ∆[θ] Γ t = t, ∆ (H1) {(d, d) | d ∈ D}∈H2; (H2) if Q is an ordinary/inductive predicate symbol of arity Γ[u/x, t/y] ∆[u/x, t/y] M k then {(d1,...,dk) | Q (d1,...,dk)}∈Hk; (=L) Γ[t/x, u/y],t= u ∆[t/x, u/y] (H3) if R ∈ Hk+1 and d ∈ D then {(d1,...,dk) | (d1,...,dk,d) ∈ R}∈Hk; To these rules we add rules for introducing inductive predicates on the left and right of sequents. (H4) if R ∈ Hk and t1(x1,...,xm),...,tk(x1,...,xm) M First, for each production Φi,r ∈ Φ, say (Def), there is a are terms then {(d1,...,dm) | (t1 (d1,...,dm),..., M sequent calculus right introduction rule for Pi: tk (d1,...,dm)) ∈ R}∈Hm; k Γ Q u (u), ∆ ... Γ Q u (u), ∆ (H5) if R ∈ Hk then R = D \ R ∈ Hk; 1 1 h h Γ Pj1 t1(u), ∆ ... Γ Pjm tm(u), ∆ (H6) if R1,R2 ∈ Hk then R1 ∩ R2 ∈ Hk; (PiRr) Γ Pit(u), ∆ (H7) if R ∈ Hk+1 then {(d1,...,dk) | ∃d.(d1,...,dk,d) ∈ R}∈Hk. Definition 3.1 (Mutual dependency). Define the binary re- lation Prem on the inductive predicate symbols of Σ as the Lemma 2.7. If H = {Hk | k ∈ N} is a Henkin class least relation satisfying: whenever Pi occurs in the conclu- for a structure M, ρ is an environment for M, F is a for- sion of some production in Φ,andPj occurs amongst the mula of FOLID and x1,...,xk are distinct variables, then premises of that production, then Prem(Pi,Pj) holds. Also {(d ,...,d ) | M |= F }∈H ∗ 1 k ρ[x1→d1,...,xk→dk] k. define Prem to be the reflexive-transitive closure of Prem. Then two predicate symbols Pi and Pj are mutually depen- H M ∗ ∗ Definition 2.8 ( -point / prefixed point). Let be a struc- dent if both Prem (Pi,Pj) and Prem (Pj,Pi) hold. ture for Σ and let H be a Henkin class for M.Alsolet ki be the arity of the inductive predicate symbol Pi for Now to obtain an instance of the left-introduction rule P each i ∈{1,...,n}.Then(X1,...,Xn) is said to be for any inductive predicate j, we first associate with ev- Pi zi ki an H-point if Xi ∈ Hki for each i ∈{1,...,n}.andis ery inductive predicate a tuple of distinct variables k P said to be a prefixed point of the monotone operator ϕΦ if (called induction variables), where i is the arity of i.Fur- P ϕΦ(X1,...,Xn) ⊆ (X1,...,Xn). thermore, we associate to every predicate i that is mutually dependent with Pj an arbitrary formula (called an induc- Lemma 2.9. Let H be a Henkin class for a Σ-structure tion hypothesis) Fi. Next, define the formula Gi for each M.Thenif(X1,...,Xn) is an H-point then so is i ∈{1,...,n} by: ϕΦ(X1,...,Xn).  Fi if Pi and Pj are mutually dependent Gi = Definition 2.10 (Henkin model). Let M be a first-order Pizi otherwise structure for Σ and H be a Henkin class for M. (M,H) We write Git,wheret is any tuple of ki terms, to mean is said to be a Henkin model for (Σ, Φ) if there exists a Gi[t/zi]. Then an instance of the induction rule for Pj has least prefixed H-point µH.ϕΦ of ϕΦ, and for each i ∈ M n the following schema: {1,...,n}, Pi = πi .µH.ϕΦ. minor premises Γ,Fju ∆ It is a standard result for inductive definitions that the (Ind Pj) k k Γ,P u ∆ least prefixed point of ϕΦ in P(D 1 ) × ...×P (D n ) is j α given by the union of the approximants of ϕΦ, α ϕΦ. Thus k where the premise Γ,Fju ∆ is called the major premise, a standard model is a Henkin model (with Hk = P(D )). and for each production of Φ having in its conclusion a predicate Pi that is mutually dependent with Pj, say (Def), 3. LKID: a proof system for induction there is a corresponding minor premise:

Γ,Q1u1(x),...,Qhuh(x), We use sequents of the form Γ ∆,whereΓ, ∆ are finite Gj1 t1(x),...,Gjm tm(x) Fit(x), ∆ sets of formulas, and use the notation Γ[θ] to mean that the substitution θ of terms for free variables is applied to all where x ∈ FV(Γ ∪∆ ∪{Pju}) for all x ∈ x (FV(·) being formulas in Γ. We use the standard sequent calculus rules the usual free variable function on sets of formulas). The induction rule for a predicate Pj can be seen to em- Proof. If Γ ∆ is provable in LKID, it is Henkin valid by body the natural principle of rule induction over the produc- soundness (Proposition 3.5), and hence cut-free provable in tions defining Pj. LKID by Theorem 3.6.

Example 3.2. The induction rule for the “natural number” Although cut is eliminable, LKID does not enjoy the predicate N defined in Example 2.2 is: subformula property because of the induction rules. This is an unavoidable phenomenon, and corresponds to the well- Γ F 0, ∆Γ,Fx Fsx,∆Γ,Ft ∆ known need for generalising induction hypotheses in induc- (Ind N) Γ,Nt ∆ tive arguments. Nevertheless, cut-eliminability for LKID remains a useful property for constraining proof search; where F is the induction hypothesis associated with the see [14] for related discussion in the intuitionistic case. predicate N. This is one way of writing the usual induc- Also, one can show that the eliminability of cut in LKID tion scheme for N in sequent calculus style. implies the consistency of Peano Arithmetic, so there can be no straightforward combinatorial proof of the result. A Example 3.3. The induction rule (Ind E)forthe“even proof of this fact, together with a discussion of the con- number” predicate E defined in Example 2.2 is: nections between Corollary 3.7 and Takeuti’s Conjecture (cut-elimination for second-order sequent calculus), ap- Γ F 0, ∆Γ,Fx Hsx,∆Γ,Hx Fsx,∆Γ,Ft ∆ pears in [3], section 3.4. Γ,Et ∆ 4. LKIDω: a proof system for infinite descent where F and H are the formulas associated with the (mutu- E O ω ally dependent) predicates and respectively. We now turn to our infinitary system LKID formalizing a version of proof by infinite descent. The proof rules of the Definition 3.4 (Henkin validity). Let (M,H) be a Henkin system are the rules of LKID described in Section 3, except model for (Σ, Φ). A sequent Γ ∆ is said to be true in that for each inductive predicate Pi of Σ, the induction rule (M,H) if for all environments ρ, whenever M |=ρ J for all (Ind Pi) of LKID is replaced by the case-split rule: J ∈ Γ then M |=ρ K for some K ∈ ∆. A sequent is said to be Henkin valid if it is true in all Henkin models. case distinctions (Case Pi) Proposition 3.5 (Henkin soundness of LKID). If there is Γ,Piu ∆ Γ ∆ Γ ∆ an LKID proof of then is Henkin valid. where for each production having predicate Pi in its con- clusion, say (Def), there is a corresponding case distinction: Proof. A full proof appears in section 3.2 of [3]. Γ, u = t(x),Q1u1(x),...,Qhuh(x), We say that a sequent Γ ∆ is cut-free provable iff there Pj1 t1(x),...,Pjm tm(x) ∆ is an LKID proof of Γ ∆ that does not contain any in- stances of the cut or substitution rules. Our main new result where x ∈ FV(Γ∪∆∪{Piu}) for all x ∈ x. The formulas about LKID is the following. Pj1 t1(x),...,Pjm tm(x) occurring in a case distinction are said to be case-descendants of the active formula Piu. Theorem 3.6 (Cut-free Henkin completeness of LKID). If Γ ∆ is Henkin valid, then it is cut-free provable in LKID. Example 4.1. TheruleforN from Example 2.2 is:

The proof is an extension of the direct style of completeness Γ,t=0 ∆Γ,t= sx, Nx ∆ (Case N) proof for Gentzen’s LK as given in e.g. [5]. Briefly, suppos- Γ,Nt ∆ ing that Γ ∆ is not cut-free provable in LKID, one uses a uniform proof-search procedure to construct a sequence of Example 4.2. TheruleforE from Example 2.2 is: underivable sequents Γi ∆i, which can together be used to build a syntactic countermodel to the original sequent. Γ,t=0 ∆Γ,t= sx, Ox ∆ (Case E) The required modifications in our case concern the rules Γ,Et ∆ for equality and inductively defined predicates, and also the need to construct a Henkin class over the model. A fully Our proof system will involve infinite proofs. By a detailed proof appears in section 3.3 of [3]. derivation tree, we mean a possibly infinite tree of sequents in which each parent sequent is obtained as the conclusion Corollary 3.7 (Eliminability of cut for LKID). If Γ ∆ is of an inference rule with its children as premises. We distin- provable in LKID then it is cut-free provable. guish between “leaves” and “buds” in the tree. By a leaf we mean an axiom, i.e. the conclusion of a 0-premise inference rule. By a bud we mean any sequent occurrence in the tree (etc.) . that is not the conclusion of a proof rule. . N ω ω (Case ) Definition 4.3 (LKID pre-proof). An LKID pre-proof of Nx1 Ex1,Ox1 a sequent Γ ∆ is a (possibly infinite) derivation tree D, (OR1) ω Nx1 Ox1,Osx1 constructed according to the proof rules of LKID ,such (ER1) (ER2) that Γ ∆ appears at the root of D and D has no buds. E0,O0 Nx1 Esx1,Osx1 (=L) (=L) D ω x0 =0 Ex0,Ox0 x0 =sx1,Nx1 Ex0,Ox0 Definition 4.4 (Trace). Let be an LKID pre-proof and N (Γ ∆ ) D (Γ ∆ ) (Case ) let i i be a path in .Atrace following i i Nx0 Ex0,Ox0 is a sequence (τi) such that, for all i: Figure 1. Portion of an LKIDω proof • τi = Pji ti ∈ Γi,whereji ∈{1,...,n}; • if Γi ∆i is the conclusion of (Subst) then τi = ω τi+1[θ],whereθ is the substitution associated with the Lemma 4.7. Let D be an LKID pre-proof of Γ0 ∆0, and rule instance; let M be a standard model such that Γ0 ∆0 is in M • if Γi ∆i is the conclusion of (=L) with active for- under the environment ρ0 (say). Then there is an infinite mula t = u then there is a formula F and variables x, y path (Γi ∆i)i≥0 in D and an infinite sequence (ρi)i≥0 of such that τi = F [t/x, u/y] and τi+1 = F [u/x, t/y]; environments such that: • if Γi ∆i is the conclusion of a case-split rule then 1. for all i, Γi ∆i is false in Mi under ρi; either τi+1 = τi,orτi is the active formula of the rule τi+1 τi instance and is a case-descendant of .Inthe 2. if there is a trace (τi = Pji ti)i≥n following latter case, i is said to be a progress point of the trace; some tail (Γi ∆i)i≥n of (Γi ∆i)i≥0, then the • if Γi ∆i is the conclusion of any other rule then sequence (αi)i≥n of ordinals defined by αi = τ = τ α ρ (t ) ∈ P α i+1 i. least s.t. i i ji , is non-increasing. Further- more, if j is a progress point of (τi) then αj+1 <αj . An infinitely progressing trace is a trace having infinitely many progress points. Proposition 4.8 (Soundness). If there is an LKIDω proof of ω ω Definition 4.5 (LKID proof). An LKID pre-proof D is Γ ∆ then Γ ∆ is valid relative to standard models. an LKIDω proof if it satisfies the global trace condition:for ω every infinite path in D, there is an infinitely progressing Proof. (Sketch) Let D be an LKID proof of Γ ∆.If trace following some tail of the path. Γ ∆ is not valid, i.e. false in some standard model M un- der some environment ρ0, then we can apply Lemma 4.7 to Example 4.6. Let N,E and O be the predicates given in (Γ ∆ ) (ρ ) ω construct infinite sequences i i i≥0 and i i≥0 sat- Example 2.2. Figure 1 gives the initial part of an LKID isfying properties 1. and 2. of the lemma. As (Γi ∆i)i≥0 Nx Ex ,Ox proof of the sequent 0 0 0. The sequence is a path in D, there is an infinitely progressing trace fol- (Nx ,Nx ,Nx ,Nx ,Nx ) 0 1 1 1 1 is a trace following the dis- lowing some tail of the path by Definition 4.5, so by the played portion of the path in this pre-proof from the root second property of the lemma we can construct an infinite sequent along the right-hand branch. This trace progresses descending chain of ordinals, which is a . because the second element Nx1 of the trace is a case- descendant of its first element Nx0. One can easily see that Note that the essential use of approximants in Lemma 4.7 by continuing the expansion of this derivation, we obtain an means that our soundness argument only works for stan- ω infinite tree with exactly one infinite branch. Furthermore, dard models. In fact, our main result about LKID is that there is clearly a trace along this branch with infinitely many it is complete with respect to standard models. Indeed, we progress points: (Nx0,Nx1,...,Nx1,Nx2,...),sothe sharpen this result slightly. We say that a derivation tree is pre-proof thus obtained is indeed an LKIDω proof. recursive if it is decidable whether a finite sequence of num- ω bers corresponds to a path up the tree from the root (each The system LKID is a direct extension of the cyclic number indicating the choice of rule premise determining proof system of [2] to infinite proof trees, and the soundness ω the path) and there is a recursive function mapping finite argument for LKID is virtually identical to the soundness paths in the tree to the sequents labelling their end nodes. proof for the cyclic system. We briefly outline the argu- ment, since it is helpful in understanding the global trace Theorem 4.9 (Cut-free completeness of LKIDω). If Γ ∆ condition. The following lemma is a consequence of the is valid with respect to standard models of (Σ, Φ),thenit local soundness of the proof rules. has a recursive cut-free proof in LKIDω. An outline proof is given in Section 5. used at two points. First, it is needed to show that no se- Although the completeness theorem shows that every quent on the branch is cut-free provable. Second, it is used valid sequent has a proof given by a recursive derivation to show that the countermodel invalidates the induced limit tree, the set of valid sequents relative to standard models is sequent. non-arithmetic (one can encode true arithmetic). Thus there ω Definition 5.1 (Schedule). An LKID -schedule element for is no way of effectively enumerating any complete subclass Σ is defined as follows: of recursive proofs. Hence LKIDω is (unsurprisingly) not suitable for formal reasoning. • any formula of the form ¬F , F1 ∧ F2, F1 ∨ F2,or ω The closest analogue of Theorem 4.9 we are aware of in F1 → F2 is a LKID -schedule element; the literature appears in [15]. There, certain refutations are • for any term t of Σ,variablex, and formula F, the pairs ω defined, which can be seen as providing an analogous proof ∀xF, t and ∃xF, t are LKID -schedule elements; ω system to LKID for Kozen’s propositional µ-calculus [11]. • if Pi is an inductive predicate symbol of arity ki, t is a Indeed, refutations are formulated using a trace-based proof sequence of ki terms of Σ,andr is a number such that ω condition very similar to Defn. 4.5. (Other similar condi- Φi,r ∈ Φ, then the pair Pit,r is an LKID -schedule tions appear in [12, 19].) One of the main results of [15] is element; a completeness theorem for refutations. Nevertheless, the • for any terms t and u, variables x and y, and finite sets situations are quite different in many respects. The propo- of formulas Γ and ∆, the tuple t = u, x, y, Γ, ∆ is ω sition µ-calculus is decidable, whereas validity (w.r.t. stan- an LKID -schedule element. dard models) in our first-order logic is non-arithmetic. Also, An LKIDω-schedule for Σ is then a recursive enumeration the proof of completeness in [15] is by reduction to Borel (Ei)i≥0 of schedule elements of Σ such that every schedule determinacy, whereas ours, presented in Section 5, is direct. element of Σ appears infinitely often in the enumeration. ω ω Corollary 4.10 (Cut-eliminability for LKID ). If Γ ∆ is Henceforth,weassumeafixedLKID -schedule (Ei)i≥0 ω provable in LKID then it is cut-free provable. and sequent Γ ∆.

Note that, unlike in LKID, cut-free proofs in LKIDω are Definition 5.2 (Search tree). We define an infinite sequence (T ) T quite constrained: every formula appearing in a cut-free of i i≥0 of derivation trees such that 0 is the single-node ω Γ ∆ T T i ≥ 0 LKID proof is either a subformula of a formula appear- tree and i isasubtreeof i+1 for all .We T ing in the root sequent, or related to such a formula by a inductively assume we have constructed j and show how T finite number of definitional unfoldings. While not entail- to construct j+1. ω T ing a true subformula property, cut-eliminability for LKID In general j+1 will be obtained by replacing certain bud T nonetheless remains close to the spirit of Girard’s “purity of nodes of j with derivation trees, whence it is clear that T methods” ideal [7]. j+1 is also a derivation tree as required. Firstly, we re- place any bud of Tj that is an instance of the conclusion of an axiom rule with the derivation consisting of a single in- 5. Outline proof of Theorem 4.9 stance of that axiom. Let F be the formula component of Ej,thejth element in the schedule for Σ. We replace any In this section, we outline our proof (the full details of bud of Tj that contains F with the derivation obtained by which appear in section 4.3 of [3]) of cut-free completeness applying the sequent rule (−L) or (−R) as appropriate with for LKIDω with respect to standard models. As in Theo- active formula F , performing any required instantations us- rem 3.6, our proof extends the direct style of completeness ing the extra information in Ej as appropriate. ω argument for first-order logic as in e.g. [5], but, for LKID , For example, if F is of the form Ej = Piu,r,then   but various additional complications arise from the need to Tj+1 is obtained by first replacing every bud Γ ∆ in Tj  consider infinite proofs and the global trace condition im- that satisfies Piu ∈ Γ with the derivation: posed upon them. case distinctions Given an arbitrary sequent Γ ∆, we construct a recur- (Case Pi) Γ ∆ sive, possibly infinite LKIDω derivation tree corresponding Γ ∆ to an exhaustive search for a cut-free proof of .If Φi,r ω and then, assuming is of the form (Def), and only if we this tree is not an LKID proof, then either it contains a bud have u = t(u) for some u, replacing every bud Γ ∆ of  node or there exists an infinite branch on the tree that causes the resulting tree that satisfies Piu ∈ ∆ with the derivation: the global trace condition to fail. We use the bud node or in-       finite branch as appropriate to construct a standard model in Γ Q1u1(u ), ∆ ... Γ Qhuh(u ), ∆ Γ P t (u), ∆ ... Γ P t (u), ∆ which Γ ∆ is false. In the latter case, the fact that there j1 1 jm m (PiRr) is no infinitely progressing trace along the infinite branch is Γ ∆ Note that the above construction is performed in such π . way that ensures that each sequent in the tree is a subsequent .   of all its premises. Γ ⊆ Γk+1 ∆k+1 ⊇ ∆ The search tree for Γ ∆ is then defined to be Tω,the (R) T Γj ⊆ Γk ∆k ⊇ ∆j infinite tree obtained by considering the limit as i →∞of . (T ) . the sequence of (finite) derivation trees i i≥0. By con- ... Γ ∆ ... struction, the search tree is recursive and cut-free. (R) Γ ∆ Henceforth in the proof, we assume that the search tree Γ ⊆ Γ ∆ ⊇ ∆ . ω j j . Tω is not an LKID proof. If Tω is not even a pre-proof, . . then it contains some bud, for which we write Γω ∆ω. . T Otherwise, ω is a pre-proof but not a proof. In this case, Figure 2. Part of the proof of Lemma 5.3. the global trace condition fails, so there exists an infinite path π =(Γi ∆i)i≥0 in Tω such that there is no infinitely  progressing trace following any tail of π. We call this π the (τ,...,τ,τ ) is a (progressing) trace following the subpath Tω Γω = Γi ∆ω = (Γ ∆ ,...,Γ ∆ ) π T untraceable branch of .Define i≥0 and kn kn kn+1 kn+1 of in ω. i≥0 ∆i. (Note that we have Γi ⊆ Γi+1 and ∆i ⊆ ∆i+1 Since T is a proof, there is an infinitely progressing trace  by construction of Tω.) In either case, we call Γω ∆ω the following some tail of the constructed path π in T .By limit sequent. Strictly speaking Γω ∆ω is not a sequent piecing together the induced trace segments in Tω defined since the sets Γω, ∆ω may be infinite. We say that such above, it follows that there then is an infinitely progressing an infinite “sequent” is cut-free provable to mean that some trace following some tail of the untraceable path π in Tω. finite subsequent has a cut-free proof. But this contradicts the defining property of π.Sothere ω cannot exist a cut-free LKID proof of Γi ∆i. Lemma 5.3. The sequent Γω ∆ω is not cut-free provable. Definition 5.4. Define the relation ∼ to be the smallest con- Proof. (Sketch) The case that Γω ∆ω is a bud node is gruence relation on terms of Σ that satisfies: t1 ∼ t2 when- easy (if it were cut-free provable some schedule element ever (t1 = t2) ∈ Γω. We write [t] for the equivalence class would apply to it contradicting it being a bud node). So we of t with respect to ∼,i.e. [t]={u | t ∼ u}.Ift = assume that Tω is a pre-proof but not a proof and let π = (t1,...,tk) then we shall write [t] to mean ([t1],...,[tk]). (Γi ∆i)i≥0 be the untraceable branch. It suffices to show Γ ∆ that no i i has a cut-free proof. So, for contradiction, Lemma 5.5. If t ∼ u then, for any formula F , it holds that T Γ ∆ we assume that is a cut-free proof of i i. Γω F [t/x] Γω F [u/x]   is cut-free provable if and only if Let Γ ∆ be any node in T , let (R) be the rule applied is cut-free provable. in T with active formula F (say) and conclusion Γ ∆,   and suppose Γ ⊆ Γj and ∆ ⊆ ∆j for some j ≥ i.AsF Proof. By induction on the conditions defining t ∼ u. appears infinitely often on the schedule according to which Tω is constructed, it follows that there is a k ≥ j such that Definition 5.6 (Counter-interpretation). Define a standard F is the active formula of an instance of (R) in Tω with model Mω for Σ by: conclusion Γk ∆k. Since the untraceable branch is in- finite, it follows that (R) is not an axiom. Therefore, for • the domain of Mω is the set of equivalence classes of some premise Γ ∆ of the considered instance of rule Σ-terms w.r.t. ∼;   (R) in T ,wehaveΓ ⊆ Γk+1 and ∆ ⊆ ∆k+1.This • for any function symbol f in Σ of arity k ≥ 0, M situation is illustrated in Figure 2. Since Γi ⊆ Γi+1 and f ω ([t1],...,[tk]) = [f(t1,...,tk)];  ∆i ⊆ ∆i+1 for all i ≥ 0, it follows that if (τ,τ ) is a (pro- • for any ordinary predicate symbol Q in Σ of ar-     Γ ∆ Γ ∆ Mω gressing) trace following the edge ( , ) in ity k, Q ([t1],...,[tk]) ⇔∃u1,...,uk.t1 ∼  T ,then(τ,...,τ,τ ) is a (progressing) trace following the u1,...,tk ∼ uk and Q(u1,...,uk) ∈ Γω. subpath (Γj ∆j,...,Γk ∆k, Γk+1 ∆k+1) of π. Now since the root of T is Γi ∆i and trivially (This fixes an interpretation for P1,...,Pn since Mω is a Γi ⊆ Γi and ∆i ⊆ ∆i, we can repeat the argument in standard model.) Also, we define an environment ρω for the preceding paragraph infinitely often to obtain a path Mω by ρω(x)=[x] for all variables x.Then(Mω,ρω) is    Γ ∆ π =(Γj ∆j)j≥0 in T and a sequence k0